Bug 169591 - stabilize mail-mta/netqmail-1.05-r8 (was: mail-mta/netqmail-1.05 with ssl enabled doesn't work
Status: RESOLVED FIXED
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: x86 Linux
Importance: High normal
Assignee: MIPS Porters
Keywords: STABLEREQ
Duplicates: 177525
Blocks: 146062

Reported: 2007-03-06 10:39 UTC by Enrico Morelli
Modified: 2008-02-12 22:41 UTC

Description Enrico Morelli 2007-03-06 10:39:36 UTC
netqmail-1.05 doesn't send emails using ssl.
Trying to test the qmail server with:
 openssl s_client -connect localhost:25 -starttls smtp
Using ssldump I receive:
CONNECTED(00000003)
21702:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:596:


Reproducible: Always

Steps to Reproduce:
1. create certificate with /var/qmail/bin/mkservercert
2. start svscan
3. use "openssl s_client -connect localhost:25 -starttls smtp" to test the installation

Actual Results:  
Using ssldump:
CONNECTED(00000003)
21702:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:596:

The output of claws-mail protocol log window:
 Connecting to SMTP server: localhost ...
[11:02:51] SMTP< 220 service2.cerm.unifi.it ESMTP
[11:02:51] ESMTP> EHLO service2.cerm.unifi.it
[11:02:51] ESMTP< 250-service2.cerm.unifi.it
[11:02:51] ESMTP< 250-STARTTLS
[11:02:51] ESMTP< 250-PIPELINING
[11:02:51] ESMTP< 250-8BITMIME
[11:02:51] ESMTP< 250-SIZE 0
[11:02:51] ESMTP< 250 AUTH LOGIN PLAIN CRAM-MD5
[11:02:51] ESMTP> STARTTLS
[11:02:51] ESMTP< 220 ready for tls
** couldn't start TLS session
*** Error occurred while sending the message.

Expected Results:  
Sends email using a secure channel

To solve the problem I run the following commands:
 openssl ciphers > /var/qmail/control/tlsclientciphers
 openssl ciphers > /var/qmail/control/tlsserverciphers
Comment 1 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2007-03-06 19:59:41 UTC
Works for me. Please give more details on how to reproduce it. Because, when done as supposed (and described when emerging), it works.
Comment 2 Enrico Morelli 2007-03-07 08:36:55 UTC
Portage 2.1.2-r13 (default-linux/x86/2006.1, gcc-4.1.2, glibc-2.5-r0, 2.6.20-gentoo i686)
=================================================================
System uname: 2.6.20-gentoo i686 Intel(R) Core(TM)2 CPU         T7200  @ 2.00GHz
Gentoo Base System release 1.12.9
Timestamp of tree: Fri, 02 Mar 2007 10:00:08 +0000
dev-java/java-config: 1.3.7, 2.0.31-r3
dev-lang/python:     2.4.4
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox:    1.2.18.1
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.17
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.23b
virtual/os-headers:  2.6.20-r1
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=prescott -O2 -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb /var/qmail/alias /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=prescott -O2 -pipe -fomit-frame-pointer"
DISTDIR="/portage/distfiles"
FEATURES="autoconfig distlocks metadata-transfer sandbox sfperms strict"
GENTOO_MIRRORS="http://ftp.unina.it/pub/linux/distributions/gentoo http://distfiles.gentoo.org http://www.ibiblio.org/pub/Linux/distributions/gentoo"
LINGUAS="en it"
MAKEOPTS="-j3"
PKGDIR="/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="4kstacks X alsa apm avi bash-completion berkdb bitmap-fonts cairo cli cracklib crypt cups dbus dri dvd dvdread encode exif flac foomaticdb fortran gdbm gif glep gpg gphoto2 gpm gtk2 hal hpn iconv imap imlib inotify ipv6 isdnlog jpeg libg++ libwww mad midi mikmod mod motif mp3 mpeg mplayer ncurses nls nptl nptlonly nsplugin oggvorbis opengl oss pam pcre pdf pdflib perl png postgres ppds pppd python qt4 quicktime readline reflection scanner sdk sdl session slang sndfile spell spl ssl svga tcpd tk truetype truetype-fonts type1-fonts unicode usb x86 xml2 xorg xv zlib" ALSA_CARDS="hda-intel" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" CAMERAS="canon" ELIBC="glibc" INPUT_DEVICES="evdev keyboard mouse synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en it" USERLAND="GNU" VIDEO_CARDS="nvidia"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS

- dev-libs/openssl  0.9.8e(15:44:16 03/02/07)(-bindist -emacs -sse2 -test zlib)

My steps:

1) emerge netqmail-1.05-r5
2) emerge --config =mail-mta/netqmail-1.05-r5
3) edited servercert.cnf
4) create the certificate
5) start services
6) configured claws-mail to use localhost as mail server, using auth cram-md5 and starttls
7) I'm unable to send email because "** couldn't start TLS session" is reported in the log window of claws-mail
8) emerge ssldump
9) start "ssldump -i eth0"
10) execute "openssl s_client -connect localhost:25 -starttls smtp"
11) on the ssldump window I see "CONNECTED(00000003)
21702:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
failure:s23_clnt.c:596"


Comment 3 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2007-03-07 11:54:16 UTC
Please add the output of "emerge -pv mail-mta/netqmail".
Comment 4 Enrico Morelli 2007-03-07 12:45:37 UTC
(In reply to comment #3)
> Please add the output of "emerge -pv mail-mta/netqmail".
> 

[ebuild   R   ] mail-mta/netqmail-1.05-r5  USE="ssl -gencertdaily -highvolume -mailwrapper -noauthcram -qmail-spp -vanilla" 0 kB 
Comment 5 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2007-03-07 19:56:20 UTC
(In reply to comment #4)
> [ebuild   R   ] mail-mta/netqmail-1.05-r5

Can you please try with -r4? There have been changes in between which might affect SSL. You don't use QMAIL_PATCH_DIR, do you?
Comment 6 Enrico Morelli 2007-03-08 08:54:37 UTC
(In reply to comment #5)
> (In reply to comment #4)
> > [ebuild   R   ] mail-mta/netqmail-1.05-r5
> 
> Can you please try with -r4? There have been changes in between which might
> affect SSL. You don't use QMAIL_PATCH_DIR, do you?
> 

After the problems with -r5 I tried the -r4 with the same results.
I don't use QMAIL_PATCH_DIR.
Comment 7 Enrico Morelli 2007-03-08 09:22:37 UTC
Seems that the "bug" affects only my "~x86" system. On another machine "x86" the netqmail-1.05-r4 works fine using all features.
Comment 8 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2007-03-08 19:31:41 UTC
(In reply to comment #7)
> Seems that the "bug" affect only my "~x86" system. On another machine "x86" the
> netqmail-1.05-r4 works fine using all features.

I was able to reproduce it on a ~ppc system. Installing openssl-0.9.8d helps. It must have been a change between upstream's openssl-0.9.8d and 0.9.8e which causes this bug.

This is just an update about the status, I don't have a fix yet.
Comment 9 nuitari 2007-03-30 06:01:44 UTC
I had a similar issue when I installed mail-mta/netqmail-1.05-r5 and dev-libs/openssl-0.9.8e.

I had to create the file:
/var/qmail/control/tlsserverciphers

With that on 1 (!) line:
DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:EDH-RSA-DES-CBC-SHA:NULL-MD5:EDH-DSS-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:RC4-MD5:DHE-DSS-RC4-SHA:ADH-AES128-SHA:ADH-AES256-SHA:DH-DSS-AES128-SHA:DH-DSS-AES256-SHA:AES128-SHA

Of course I don't know which of those ciphers are good and which are crap, but if tls negotiation fails because of a bad cipher list, then the emails are never going to be sent (talk about bad behaviour...)


hammer ~ # emerge -pv netqmail
[ebuild   R   ] mail-mta/netqmail-1.05-r5  USE="highvolume mailwrapper ssl -gencertdaily -noauthcram -qmail-spp -vanilla" 0 kB
[ebuild   R   ] dev-libs/openssl-0.9.8e  USE="(sse2) zlib -bindist -emacs -test" 0 kB

This is on ~amd64 and similarly on ~x86
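A check for the control files this thread turns on, written as an added example and not code from the bug or from netqmail: it enforces the one-line rule from comment 9 and names entries from the posted list, such as NULL-MD5 and the ADH- suites, that give no confidentiality or no server authentication. The weak-pattern table and the function names are assumptions of this example.

```python
"""Lint a qmail control/tls{server,client}ciphers file.
Checks: the OpenSSL cipher string must sit on exactly one line, and no
entry may be a cipher that offers no real protection (NULL, anonymous
DH, RC4, single DES, export grades). The pattern table is an assumption.
"""

# Substrings that mark a weak OpenSSL 0.9.8-era cipher name, with reason.
WEAK_PATTERNS = (
    ("NULL-", "no encryption"),
    ("ADH-", "anonymous DH, server is not authenticated"),
    ("RC4-", "RC4 stream cipher"),
    ("DES-CBC-SHA", "single DES (56-bit key)"),
    ("EXP-", "export-grade key length"),
)

def parse_cipher_file(text):
    """Split file contents into cipher names; report a multi-line list."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        return [], ["cipher file is empty"]
    problems = []
    if len(lines) > 1:
        problems.append("cipher list spans %d lines; it must be one line" % len(lines))
    return [c for c in lines[0].split(":") if c], problems

def weak_ciphers(ciphers):
    """Return {name: reason} for every entry matching a weak pattern."""
    flagged = {}
    for name in ciphers:
        for pattern, reason in WEAK_PATTERNS:
            if pattern in name:
                flagged[name] = reason
                break
    return flagged

def lint(text):
    """Report problems and a hardened one-line list for one control file."""
    ciphers, problems = parse_cipher_file(text)
    flagged = weak_ciphers(ciphers)
    problems += ["weak cipher %s: %s" % kv for kv in flagged.items()]
    hardened = ":".join(c for c in ciphers if c not in flagged)
    return {"ciphers": ciphers, "problems": problems, "hardened": hardened}

# Constructed input: the list posted in comment 9, on one line.
SAMPLE_FROM_COMMENT_9 = (
    "DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:EDH-RSA-DES-CBC-SHA:"
    "NULL-MD5:EDH-DSS-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:RC4-MD5:"
    "DHE-DSS-RC4-SHA:ADH-AES128-SHA:ADH-AES256-SHA:DH-DSS-AES128-SHA:"
    "DH-DSS-AES256-SHA:AES128-SHA\n"
)
```

Running `lint(open("/var/qmail/control/tlsserverciphers").read())` on a live box reports the same problems for the real file; the "hardened" string can be written back as the one-line replacement.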
Comment 10 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2007-03-30 20:29:26 UTC
(In reply to comment #9)
> I had to create the file:
> /var/qmail/control/tlsserverciphers
> 
> With that on 1 (!) line:
> DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:EDH-RSA-DES-CBC-SHA:NULL-MD5:EDH-DSS-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:RC4-MD5:DHE-DSS-RC4-SHA:ADH-AES128-SHA:ADH-AES256-SHA:DH-DSS-AES128-SHA:DH-DSS-AES256-SHA:AES128-SHA

I know this appears to "work", but I'm unsure whether it's the correct solution. If you've any other idea, please tell me. Maybe I should write an e-mail to the qmail list.
Comment 11 nuitari 2007-03-30 20:33:01 UTC
(In reply to comment #10)
> I know this appears to "work", but I'm unsure whether it's the correct
> solution. If you've any other idea, please tell me. Maybe I should write an
> e-mail to the qmail list.
> 

Actually I've just noticed that at the very end of the first bug report there is:

To solve the problem I run the following commands:
 openssl ciphers > /var/qmail/control/tlsclientciphers
 openssl ciphers > /var/qmail/control/tlsserverciphers

Comment 12 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2007-04-04 07:15:25 UTC
*** Bug 173296 has been marked as a duplicate of this bug. ***
Comment 13 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2007-04-04 19:49:35 UTC
Unfortunately, this issue was not fixed by the bumped SSL patch. I'll try to write to the qmail mailing list. If someone else has a way to solve it *without* writing config/tls{client,server}ciphers, please speak up.
Comment 14 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2007-04-05 22:15:04 UTC
I added a patch to -r7. As it seems, someone forgot to pass a parameter to control_readfile. Please give me some feedback so I can send the patch to upstream.
Comment 15 Mark Zhitomirski 2007-04-06 10:34:42 UTC
(In reply to comment #14)
> I added a patch to -r7. ...
It seems it doesn't honor the -ssl flag. emerge -u netqmail failed:

 * Applying 1.05-r7-sslfix.diff ...

 * Failed Patch: 1.05-r7-sslfix.diff !

from  /var/tmp/portage/mail-mta/netqmail-1.05-r7/temp/1.05-r7-sslfix.diff-15627.out

Hunk #1 FAILED at 965.

Comment 16 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2007-04-06 17:34:20 UTC
(In reply to comment #15)
> seems doesn't honor -ssl flag. emerge -u netqmail failed:

Fixed in CVS.
Comment 17 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2007-04-09 22:04:13 UTC
(In reply to comment #14)
> Please give me some feedback so I can send the patch to upstream.

No response and upstream applied it. Closing.
Comment 18 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2007-05-07 17:57:55 UTC
*** Bug 177525 has been marked as a duplicate of this bug. ***
Comment 19 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2007-05-07 18:11:07 UTC
07 May 2007; Michael Hanselmann <hansmi@gentoo.org>
netqmail-1.05-r8.ebuild:
Stable on hppa, ppc, sparc, x86. Fixes problem with OpenSSL 0.9.8e

Arches: can you please mark netqmail-1.05-r8 stable?

Current keywords: ~alpha ~amd64 ~arm hppa ~ia64 ~m68k ~mips ppc ~ppc64 ~s390 ~sh sparc x86
Target keywords: alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc x86
Comment 20 Raúl Porcel (RETIRED) gentoo-dev 2007-05-08 14:36:41 UTC
ia64 stable
Comment 21 Markus Rothe (RETIRED) gentoo-dev 2007-05-12 11:31:21 UTC
ppc64 stable
Comment 22 Daniel Gryniewicz (RETIRED) gentoo-dev 2007-05-19 21:02:15 UTC
amd64 done.
Comment 23 Raúl Porcel (RETIRED) gentoo-dev 2007-06-30 18:43:17 UTC
alpha stable
Comment 24 Jakub Moc (RETIRED) gentoo-dev 2008-02-12 22:41:44 UTC
Closing wrt http://www.gentoo.org/news/20080210-mips-experimental-arch.xml