Qmail with SSL/TLS

Dear guys,

I’m not sure about that: Is it possible to activate TLS/SSL encryption for qmail through the InterWorx Panel? Currently I can only use STARTTLS and I wondering if anyone got this running without hacking the qmail (smtp2) config directly.

Maybe there is a discussion already running in this forum? Please give me a hint. :confused:

Thanks
Sebastian

Hi Sebastian

SSL/TLS works lovely and from memory I think it defaults to this setting.

To check, goto nodeworx services mail server MTA I think from memory.

I’m sorry, you have not given where your only seeing starttls, which I’m thinking is from your mail client your using.

There are a few things which can determine the type of connection, irrespective of your setting in qmail, such as your type of SSL in use, ie self generated or purchased, if purchased, is it single or multi domain, your ciphers in use etc…

I think you may have self generated SSL and therefore in your email client, you will first have to accept the cert before the mail client will use SSL

Also, firewalls maybe blocking the ports which you may want to check.

I hope that helps a little and if you post back with more details of your issue, it may become clearer to understand and give you a better pointer, but I’m sorry if I’m wrong.

Many thanks

John

Hi John,

thanks for your advice! You are right, I’m testing again Mozilla Thunderbird, but I’m using an purchased certificate from Thawte which works fantastic with POP3s and IMAP4s. I attached some screen from InterWorx and Thunderbird. Hope you will see my mistake.

This is my configuration within InterWorx.

This is the configuration of SMTPs in Thunderbird.

This is the error message from Thunderbird.

If I’m telneting the mailserver I should get another message (IMHO):

[[email protected] ~]$ telnet my.mailserver.com 587
Trying nnn.nnn.nnn.nnn…
Connected to my.mailserver.com.
Escape character is ‘^]’.
220 my.mailserver.com InterWorx-CP SMTP Server ESMTP

Normally with SSL/TLS it should look like this:

[[email protected] ~]$ telnet my.mailserver.com 587
Trying nnn.nnn.nnn.nnn…
Connected to my.mailserver.com.
Escape character is ‘^]’.

:frowning: Thanks!!!

screen2.png

screen3.png

Hi Sebastian

I am sorry, I was wrong after checking this morning on our email clients we use, and in TB, all our clients use TLS or startTLS. I am sorry, too many years with SSL as main protocol.

SSL smtp is no longer a method to be used, and if you read the links below, you will see port 465 has been revoked, and 587 used.

I always believed TLS was a better solution to SSL, and SSL protocols are been slowly been replaced with TLS, with strong advice to drop SSL protocols if possible, however, there are reasons why SSL protocols are still in use (we still use SSL v3, RC4 for some clients who have not updated their systems fully).

I hope that helps a little

Many thanks

John



Hi John,

thanks for your reply! I know the discussion between TLS and SSL and yes your right, TLS is the better solution. :slight_smile: But I’m wondering how to enable qmail via InterWorx to work with TLS encryption on port 587. My TB rejects the connection, as shown in the screenshots and my shell output.

But I’d like to offer native TLS on port 587 and it seems that I did something wrong. Actually I haven’t any clue … maybe I have to update my qmail via yum?

[[email protected]]# yum info qmail
Installed Packages
Name : qmail
Arch : x86_64
Epoch : 5
Version : 1.03
Release : 442.rhe6x.iworx.jms.chkuser.esmtpa.ipv6.isoc
Size : 1.1 M
Repo : installed
From repo : interworx-cp-rhe6x
Summary : Qmail Mail Transfer Agent
URL : http://www.qmail.org/

Any comment and idea is welcome!!

Hi Sebastian

Many thanks, but I don’t think you have done anything wrong, unless you have changed any conf yourself.

I think you just need to set TB to starttls and if you cert does not match, accept the cert, which should then work lovely.

If you clean your qmail as you suggested, it should work as before.

Are you using v7 TB

I hope that helps

Many thanks

John

Dear John,

I’m using TB 22 and 24, but I did also some probes with an old KMail. :slight_smile: Could you please check via “telnet ip.of.your.server port” if your InterWorxs starts TLS nativly? If yes, something in my configuration didn’t work as aspected, because actually the SMTP dialog starts in clear text until i send the starttls command.

Thank you very much!

Sebastian

Hi Sebastian

Many thanks, and please see below my connection details.

StartTLS does first make an unsecured connection, then upgrades to secured, which if set correctly, you send auth through only after secured connection has been completed. (you can see this in my connection as below).

However, that said, TB will silently drop to unsecured connection if server cannot secure, and not prompt the user, which to my mind, is a failingon the part of TB, not IW.

If you want to PM me your domain, I’ll run a test from here and post back to you, either on forum (with domain and server blanked) or I can PM you result.

I hope that’s alright and has helped a little

Many thanks

John

208.<–220 ***************************** SMTP Server READY ESMTP

495.–>EHLO from.com

496.<–250-***************************** SMTP Server READY

250-STARTTLS

250-SIZE 52428800

250-PIPELINING

250 8BITMIME

607.–>STARTTLS

607.<–220 ready for tls

1185.***Finished negotiating SSL - algorithm is SSL_RSA_WITH_RC4_128_MD5
1186.–>EHLO from.com

1186.<–250-***************************** SMTP Server READY

250-AUTH LOGIN PLAIN

250-AUTH=LOGIN PLAIN

250-SIZE 52428800

250-PIPELINING

250 8BITMIME

1296.–>MAIL FROM: <[email protected]>

1297.<–503 AUTH first (#5.5.1)

1401.–>RCPT TO: <[email protected]>

1402.<–503 MAIL first (#5.5.1)

1506.–>DATA

1507.<–503 MAIL first (#5.5.1)

1611.–>From: [email protected]

1612.–>To: [email protected]

1612.–>Subject: test email

1613.–>

1613.–>One line test message.

1613.–>.

1614.<–502 unimplemented (#5.5.1)

1716.–>QUIT

1717.<–502 unimplemented (#5.5.1)

502 unimplemented (#5.5.1)

502 unimplemented (#5.5.1)

502 unimplemented (#5.5.1)

502 unimplemented (#5.5.1)

221 ***************************** SMTP Server READY