Dear guys,
I’m not sure about that: Is it possible to activate TLS/SSL encryption for qmail through the InterWorx Panel? Currently I can only use STARTTLS and I wondering if anyone got this running without hacking the qmail (smtp2) config directly.
Maybe there is a discussion already running in this forum? Please give me a hint. 
Thanks
Sebastian
Hi Sebastian
SSL/TLS works lovely and from memory I think it defaults to this setting.
To check, goto nodeworx services mail server MTA I think from memory.
I’m sorry, you have not given where your only seeing starttls, which I’m thinking is from your mail client your using.
There are a few things which can determine the type of connection, irrespective of your setting in qmail, such as your type of SSL in use, ie self generated or purchased, if purchased, is it single or multi domain, your ciphers in use etc…
I think you may have self generated SSL and therefore in your email client, you will first have to accept the cert before the mail client will use SSL
Also, firewalls maybe blocking the ports which you may want to check.
I hope that helps a little and if you post back with more details of your issue, it may become clearer to understand and give you a better pointer, but I’m sorry if I’m wrong.
Many thanks
John
Hi John,
thanks for your advice! You are right, I’m testing again Mozilla Thunderbird, but I’m using an purchased certificate from Thawte which works fantastic with POP3s and IMAP4s. I attached some screen from InterWorx and Thunderbird. Hope you will see my mistake.
This is my configuration within InterWorx.
This is the configuration of SMTPs in Thunderbird.
This is the error message from Thunderbird.
If I’m telneting the mailserver I should get another message (IMHO):
[me@myhost ~]$ telnet my.mailserver.com 587
Trying nnn.nnn.nnn.nnn…
Connected to my.mailserver.com.
Escape character is ‘^]’.
220 my.mailserver.com InterWorx-CP SMTP Server ESMTP
Normally with SSL/TLS it should look like this:
[me@myhost ~]$ telnet my.mailserver.com 587
Trying nnn.nnn.nnn.nnn…
Connected to my.mailserver.com.
Escape character is ‘^]’.
Thanks!!!
Hi Sebastian
I am sorry, I was wrong after checking this morning on our email clients we use, and in TB, all our clients use TLS or startTLS. I am sorry, too many years with SSL as main protocol.
SSL smtp is no longer a method to be used, and if you read the links below, you will see port 465 has been revoked, and 587 used.
I always believed TLS was a better solution to SSL, and SSL protocols are been slowly been replaced with TLS, with strong advice to drop SSL protocols if possible, however, there are reasons why SSL protocols are still in use (we still use SSL v3, RC4 for some clients who have not updated their systems fully).
I hope that helps a little
Many thanks
John
Hi John,
thanks for your reply! I know the discussion between TLS and SSL and yes your right, TLS is the better solution. 
But I’m wondering how to enable qmail via InterWorx to work with TLS encryption on port 587. My TB rejects the connection, as shown in the screenshots and my shell output.
But I’d like to offer native TLS on port 587 and it seems that I did something wrong. Actually I haven’t any clue … maybe I have to update my qmail via yum?
[me@my]# yum info qmail
Installed Packages
Name : qmail
Arch : x86_64
Epoch : 5
Version : 1.03
Release : 442.rhe6x.iworx.jms.chkuser.esmtpa.ipv6.isoc
Size : 1.1 M
Repo : installed
From repo : interworx-cp-rhe6x
Summary : Qmail Mail Transfer Agent
URL : http://www.qmail.org/
Any comment and idea is welcome!!
Hi Sebastian
Many thanks, but I don’t think you have done anything wrong, unless you have changed any conf yourself.
I think you just need to set TB to starttls and if you cert does not match, accept the cert, which should then work lovely.
If you clean your qmail as you suggested, it should work as before.
Are you using v7 TB
I hope that helps
Many thanks
John
Dear John,
I’m using TB 22 and 24, but I did also some probes with an old KMail. Could you please check via “telnet ip.of.your.server port” if your InterWorxs starts TLS nativly? If yes, something in my configuration didn’t work as aspected, because actually the SMTP dialog starts in clear text until i send the starttls command.
Thank you very much!
Sebastian
Hi Sebastian
Many thanks, and please see below my connection details.
StartTLS does first make an unsecured connection, then upgrades to secured, which if set correctly, you send auth through only after secured connection has been completed. (you can see this in my connection as below).
However, that said, TB will silently drop to unsecured connection if server cannot secure, and not prompt the user, which to my mind, is a failingon the part of TB, not IW.
If you want to PM me your domain, I’ll run a test from here and post back to you, either on forum (with domain and server blanked) or I can PM you result.
I hope that’s alright and has helped a little
Many thanks
John
208.<–220 ***************************** SMTP Server READY ESMTP
495.–>EHLO from.com
496.<–250-***************************** SMTP Server READY
250-STARTTLS
250-SIZE 52428800
250-PIPELINING
250 8BITMIME
607.–>STARTTLS
607.<–220 ready for tls
1185.***Finished negotiating SSL - algorithm is SSL_RSA_WITH_RC4_128_MD5
1186.–>EHLO from.com
1186.<–250-***************************** SMTP Server READY
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-SIZE 52428800
250-PIPELINING
250 8BITMIME
1296.–>MAIL FROM: <sender@from.com>
1297.<–503 AUTH first (#5.5.1)
1401.–>RCPT TO: <addressee@sendto.com>
1402.<–503 MAIL first (#5.5.1)
1506.–>DATA
1507.<–503 MAIL first (#5.5.1)
1611.–>From: sender@from.com
1612.–>To: addressee@sendto.com
1612.–>Subject: test email
1613.–>
1613.–>One line test message.
1613.–>.
1614.<–502 unimplemented (#5.5.1)
1716.–>QUIT
1717.<–502 unimplemented (#5.5.1)
502 unimplemented (#5.5.1)
502 unimplemented (#5.5.1)
502 unimplemented (#5.5.1)
502 unimplemented (#5.5.1)
221 ***************************** SMTP Server READY
