Hi Sam, is it possible that the problem is because of missing "dh keys"? I think (!) spamdyke doesn't use or call something like this here: http://www.openssl.org/docs/ssl/SSL_CTX_set_tmp_dh_callback.html - read the 'notes' part, so a cipher with EDHE:DE won't work.

My server/openssl is fine because the original qmail-tls works with cipher EDHE_DH! So the problem is the TLS handling of spamdyke?!

2013/9/8 Sam Clippinger <[email protected]>

> Hmmm... I think you may be beyond the edge of my expertise, but I'll certainly try to help if I can. spamdyke uses the OpenSSL library to handle SSL and TLS, so anything that works with OpenSSL on the command line should work with spamdyke as well. The option "tls-cipher-list" serves the same function as the "-cipher" option to "openssl". spamdyke just takes the text it's given and passes it to the SSL_CTX_set_cipher_list() function in the OpenSSL library before the connection is established. The ciphers you give should be ones listed when you run "openssl ciphers" from the command line; I'm not sure how it handles abbreviations.
>
> It's possible the problem is actually within openssl's SMTP client. If it's not starting the SMTP connection and asking for TLS correctly, the client could be sending encrypted text while the server is still in plaintext mode or vice-versa. That would yield some strange error messages on both sides.
>
> I think I would suggest configuring spamdyke on port 465 with "tls-level" set to "smtps" and the "tls-cipher-list" option set to your specific ciphers. Then use this command to connect and test (substitute your ciphers as appropriate):
>
> openssl s_client -quiet -cipher "EXP-RC4-MD5" -connect localhost:465
>
> If it connects and you see the "220" greeting banner, it's working. If you see an "alert handshake failure", you've probably selected a cipher the server doesn't support.
>
> -- Sam Clippinger
>
> On Sep 7, 2013, at 3:18 PM, Marc Gregel wrote:
>
> Hi :-)
>
> These days when the NSA is watching us I decided to make my server as secure as possible.
> For qmail it means to use TLS with strong encryption - openssl with "-ciphers "EDHS:DE" for example.
>
> The original QMAIL without spamdyke works fine:
> openssl s_client -starttls smtp -connect localhost:25
> shows me this:
> Protocol : TLSv1.2
> Cipher : DHE-RSA-AES256-GCM-SHA384
> Great!
>
> Now I enable spamdyke and test it again...
> Protocol : TLSv1.2
> Cipher : AES256-GCM-SHA384
>
> Ok, not that good... maybe just a wrong cipher list? So I specified it a little bit more (works fine with qmail only):
> openssl s_client -starttls smtp -connect localhost:25 -cipher 'DH'
>
> Oops, an error:
> CONNECTED(00000003)
> 139820346807976:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:741:
>
> I already tried to add "dhparam" to the qmail servercert (mentioned here http://permalink.gmane.org/gmane.mail.spam.spamdyke.user/3226 ) but that didn't change anything...
>
> I also tested with "tls-cipher-list" param at the conf file - same error.
> And at the maillog this:
> A protocol or library failure occurred, error:140E6118:lib(20):func(230):reason(280)
>
> Is it possible that there's a bug in spamdyke with strong encryption?
>
> Thanks for your help,
> Marc
> _______________________________________________
> spamdyke-users mailing list
> [email protected]
> http://www.spamdyke.org/mailman/listinfo/spamdyke-users
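As an added example (not code from the thread or from the spamdyke project), here is a small POSIX shell helper that automates the `openssl s_client -starttls smtp` probe used above and classifies what the server negotiated: an ephemeral-DH/ECDH suite (forward secrecy), a static-RSA suite like the `AES256-GCM-SHA384` spamdyke offered, or a failed handshake. It assumes the `openssl` CLI is on PATH; the host and port are placeholders, and the sample outputs are constructed from the lines quoted in the thread.

```shell
#!/bin/sh
# Added example (not spamdyke or mailing-list code): automate the
# "openssl s_client -starttls smtp" probe from the thread and classify
# the negotiated cipher. The sample outputs below are constructed.

# Reads openssl s_client output on stdin and prints one word:
#   pfs     ephemeral DH/ECDH key exchange, i.e. forward secrecy
#   no-pfs  static RSA key exchange (the "AES256-GCM-SHA384" case)
#   failed  alert handshake failure or no cipher negotiated at all
classify_handshake() {
    out=$(cat)
    case "$out" in
        *"handshake failure"*) echo failed; return 0 ;;
    esac
    # The SSL-Session block prints "    Cipher    : NAME" (0000 when none)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    case "$cipher" in
        ""|0000|"(NONE)") echo failed ;;
        DHE-*|EDH-*|ECDHE-*) echo pfs ;;
        *) echo no-pfs ;;
    esac
}

# Probe a STARTTLS SMTP server: $1 host, $2 port, $3 optional cipher spec
# such as 'DH' (as in the thread) to force an ephemeral-DH handshake.
probe_smtp_starttls() {
    openssl s_client -starttls smtp -connect "$1:$2" ${3:+-cipher "$3"} \
        </dev/null 2>&1 | classify_handshake
}

# Constructed s_client excerpts, modelled on the outputs quoted in the thread
SAMPLE_QMAIL='New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384'
SAMPLE_SPAMDYKE='New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384'
SAMPLE_DH_FORCED='CONNECTED(00000003)
139820346807976:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:741:
New, (NONE), Cipher is (NONE)
SSL-Session:
    Cipher    : 0000'

# Stand-alone run: classify the three samples (prints pfs, no-pfs, failed).
# Against a live server use e.g.: probe_smtp_starttls mail.example.com 25 DH
for s in "$SAMPLE_QMAIL" "$SAMPLE_SPAMDYKE" "$SAMPLE_DH_FORCED"; do
    printf '%s\n' "$s" | classify_handshake
done
```

An unrestricted probe that reports `no-pfs` together with a `failed` result for `-cipher 'DH'` is the pattern seen in the thread: the server offers no ephemeral-DH suites, so only static-RSA key exchange can be negotiated.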
