Thursday, July 20, 2017

Build netqmail-1.06 with TLS support Devuan / Debian package

Before you start you need the libssl-dev and qmail-uids-gids packages installed (or create the qmail users and groups manually as described in the qmail README). The TLS patch was written against the OpenSSL 1.0.x API and does not build against 1.1.x; on a system whose libssl-dev is 1.1.x, install libssl1.0-dev instead (see the build errors and the fix in the comments below).

Make the debian package:

$ git clone https://github.com/devane/netqmail-1.06-tls
$ cd netqmail-1.06-tls
$ dpkg-buildpackage -uc

The source is the extracted Debian Testing netqmail-1.06 source plus the Debian patches and the TLS patch from http://inoa.net/qmail-tls/.

Install the package:

# dpkg -i ../qmail_1.06-6_amd64.deb

Put the package on hold so it is not replaced by the next qmail update:

# echo "qmail hold" |dpkg --set-selections

To generate a certificate for TLS, change to the netqmail-1.06-tls directory and run:

$ make cert

Answer the questions, then copy the generated .pem file to /var/qmail/control/servercert.pem. That file holds the private key together with the certificate, so keep it readable only by the daemon users that need it (qmail-smtpd runs as qmaild; qmail-remote, which reads it through clientcert.pem, runs as qmailr) and by nobody else. clientcert.pem is the same file, so make a link:

# ln -s /var/qmail/control/servercert.pem /var/qmail/control/clientcert.pem

If there are no certificates in the control directory, the server's EHLO reply will not advertise TLS:

$ telnet mail.domain.com 25
Trying mail.domain.com...
Connected to mail.domain.com.
Escape character is '^]'.

220 mail.domain.com blah-blah ready SMTP
ehlo
250-mail.domain.com blah-blah ready SMTP
250-PIPELINING
250 8BITMIME

If a valid pem file is in the control directory, the EHLO reply shows STARTTLS support:

$ telnet mail.domain.com 25
Trying mail.domain.com...
Connected to mail.domain.com.
Escape character is '^]'.

220 mail.domain.com blah-blah ready SMTP
ehlo
250-mail.domain.com blah-blah ready SMTP
250-STARTTLS
250-PIPELINING
250 8BITMIME

When a 2048-bit RSA key is provided in /var/qmail/control/rsa2048.pem, that key is used instead of the (slow) on-the-fly generation by qmail-smtpd.

Generate the RSA key file (the command is genrsa, so this is the RSA key, not a DH file; give the size explicitly, because genrsa in OpenSSL 1.0.x defaults to 1024 bits):

# openssl genrsa -out /var/qmail/control/rsa2048.pem 2048

The DH parameters for the DHE cipher suites are a separate file, /var/qmail/control/dh2048.pem, created with openssl dhparam.
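The whole set of control files in one script, as an added example that is not the package's own "make cert" target: it writes servercert.pem from separate key and certificate temp files, links clientcert.pem to it, creates rsa2048.pem with an explicit size and dh2048.pem with openssl dhparam, and then checks the result. Assumed: the Debian/Devuan qmail account names (qmaild, qmailr, group qmail), GNU stat, the /var/qmail/control path and OpenSSL 1.0.x or later; the CN is passed on the command line instead of being answered interactively.

```shell
#!/bin/sh
# Added example, not the package's own "make cert" target: create the
# files qmail-tls reads from /var/qmail/control and sanity-check them.
# Assumptions: Debian/Devuan qmail accounts (qmaild runs qmail-smtpd,
# qmailr runs qmail-remote, both in group qmail), GNU stat, OpenSSL 1.0.x+.
set -eu

CONTROL=${CONTROL:-/var/qmail/control}
DAYS=366

# servercert.pem must hold the private key and the certificate. Write
# them to two temp files and join them instead of pointing -keyout and
# -out at the same path. $1 is the mail host name used as the CN.
# -nodes leaves the key unencrypted: the daemons read it without a passphrase.
gen_servercert() {
    tmpkey=$(mktemp)
    tmpcrt=$(mktemp)
    openssl req -new -x509 -nodes -days "$DAYS" -newkey rsa:2048 \
        -subj "/CN=$1" -keyout "$tmpkey" -out "$tmpcrt"
    cat "$tmpkey" "$tmpcrt" > "$CONTROL/servercert.pem"
    rm -f "$tmpkey" "$tmpcrt"
    # the file carries a private key: only the two daemon users may read it
    chown qmaild:qmail "$CONTROL/servercert.pem"
    chmod 640 "$CONTROL/servercert.pem"
    ln -sf servercert.pem "$CONTROL/clientcert.pem"
}

# rsa2048.pem: pre-generated temporary RSA key. Pass the size explicitly;
# "openssl genrsa" in OpenSSL 1.0.x defaults to 1024 bits.
gen_rsa() { openssl genrsa -out "$CONTROL/rsa2048.pem" 2048; }

# dh2048.pem: parameters for the DHE cipher suites (slow to generate)
gen_dh() { openssl dhparam -out "$CONTROL/dh2048.pem" 2048; }

# check_pem FILE: succeed only if FILE contains a private key and a
# certificate and grants no permission to "other" (symlinks are followed).
check_pem() {
    f=$1
    grep -q 'BEGIN.*PRIVATE KEY' "$f" || { echo "$f: no private key" >&2; return 1; }
    grep -q 'BEGIN CERTIFICATE' "$f"  || { echo "$f: no certificate" >&2; return 1; }
    case $(stat -L -c %a "$f") in
        *0) ;;
        *)  echo "$f: world-readable, the private key is exposed" >&2; return 1 ;;
    esac
}

# check_rsa_bits FILE BITS: succeed if the RSA key in FILE has BITS bits
check_rsa_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null | head -1 | grep -q "($2 bit"
}

# Usage, as root:  sh qmail-tls-files.sh mail.example.com
case ${1:-} in
    "") ;;   # no host name given: only define the functions
    *)  gen_servercert "$1"; gen_rsa; gen_dh
        check_pem "$CONTROL/servercert.pem"
        check_pem "$CONTROL/clientcert.pem"
        check_rsa_bits "$CONTROL/rsa2048.pem" 2048
        echo "qmail-tls control files are in place" ;;
esac
```

check_pem deliberately follows the clientcert.pem symlink, so a link that points at a world-readable target fails the check just as the target itself does.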

That is all; qmail is now ready for STARTTLS connections. Mail that arrived over TLS shows it in the Received header, for example:

Received: from unknown (HELO mail.superhosting.bg) (195.191.148.117) by 0 with ESMTPS (DHE-RSA-AES256-SHA encrypted); 18 Jul 2017 13:34:05 -0000
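The two checks above (does EHLO advertise STARTTLS, and does the Received header show an ESMTPS hop) as script functions, added here as an example and not taken from the original post or from the qmail-tls patch. ehlo_offers_starttls and received_plain_hops work on captured text, so they run offline against the constructed samples in the block; probe_starttls wraps openssl s_client for a live check. The host names, addresses and transcripts are made up.

```shell
#!/bin/sh
# Added example, not from the original post: check a STARTTLS deployment
# from the outside. ehlo_offers_starttls and received_plain_hops work on
# captured text, so they run offline; probe_starttls talks to a real MX.
# The sample transcripts below are constructed, not captured from a server.
set -eu

# Read an SMTP EHLO reply on stdin; succeed only if STARTTLS is among the
# advertised extensions. Extensions are on "250-" continuation lines and
# the final "250 " line; the first 250 line is the server's greeting text.
ehlo_offers_starttls() {
    tr -d '\r' | awk '
        /^250[- ]/ {
            if (++n > 1) {
                split(substr($0, 5), w, " ")
                if (toupper(w[1]) == "STARTTLS") found = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

# Read a message header block on stdin, unfold continuation lines and
# print every Received: hop whose "with" keyword is not ESMTPS/ESMTPSA
# (RFC 3848), i.e. every hop that crossed the wire in clear. Returns 1
# if any such hop exists. Stops at the blank line that ends the headers.
received_plain_hops() {
    tr -d '\r' | awk '
        function check(h,  m) {
            if (h !~ /^Received:/) return
            if (match(h, /with [A-Za-z0-9]+/)) {
                m = substr(h, RSTART + 5, RLENGTH - 5)
                if (m == "ESMTPS" || m == "ESMTPSA") return
            }
            print h; plain = 1
        }
        /^$/     { exit }
        /^[ \t]/ { hdr = hdr " " substr($0, 2); next }
        { if (hdr != "") check(hdr); hdr = $0 }
        END { if (hdr != "") check(hdr); exit plain ? 1 : 0 }'
}

# Open a real connection, upgrade with STARTTLS and make s_client fail the
# handshake on a certificate it cannot verify (by default it carries on).
probe_starttls() {                                 # $1 = MX host name
    openssl s_client -connect "$1:25" -starttls smtp -servername "$1" \
        -verify_return_error < /dev/null
}

# Constructed samples (not captured output)
EHLO_TLS='220 mail.example.org ESMTP ready
250-mail.example.org
250-STARTTLS
250-PIPELINING
250 8BITMIME'
EHLO_PLAIN='220 mail.example.org ESMTP ready
250-mail.example.org
250-PIPELINING
250 8BITMIME'
HEADERS='Received: from mx.example.net (HELO mx.example.net) (192.0.2.10)
  by 0 with ESMTPS (DHE-RSA-AES256-SHA encrypted); 18 Jul 2017 13:34:05 -0000
Received: from [198.51.100.7] by mx.example.net with ESMTP; 18 Jul 2017 13:34:00 -0000
Subject: test

Received: this line is body text and must be ignored'

for t in EHLO_TLS EHLO_PLAIN; do
    eval "sample=\$$t"
    if printf '%s\n' "$sample" | ehlo_offers_starttls; then
        echo "$t: STARTTLS offered"
    else
        echo "$t: no STARTTLS"
    fi
done
printf '%s\n' "$HEADERS" | received_plain_hops || echo "some hops were not encrypted"
```

Running the block prints "EHLO_TLS: STARTTLS offered", "EHLO_PLAIN: no STARTTLS", and then the one clear-text hop from the sample headers; the first hop is accepted because its "with ESMTPS" keyword is what qmail-smtpd writes after a successful STARTTLS.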

You can test whether an SMTP server supports STARTTLS with the openssl command line (the example uses one of Google's MX hosts). Note that s_client completes the handshake even when it cannot verify the certificate, so look at the 'Verify return code' line rather than at the mere presence of a session:

$ openssl s_client -connect google.com.s9a2.psmtp.com:25 -starttls smtp
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = mx.google.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mx.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mx.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4598 bytes and written 294 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305
    Session-ID: 9C4C99B3836290C5DF1F7375390EE4D827601E06A0E05B7BCBA863610722895E
    Session-ID-ctx:
    Master-Key: 92BFA180AE310D72FF0A94F1D56DAF802FB37FB78EAC9EB91D7909949AE53E943A593DCDC314FFB01F923B9EC1906D6B
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 100800 (seconds)
    TLS session ticket:
    0000 - 00 36 a0 e1 35 64 47 64-26 f7 d9 dc d5 0f cc 03   .6..5dGd&.......
    0010 - 18 b1 15 ed 44 ba 2a 20-01 9c b2 d7 9a d0 f2 07   ....D.* ........
    0020 - 21 7c 03 a0 13 b8 ec 5d-d4 a5 6d 44 48 db d3 02   !|.....]..mDH...
    0030 - ef 3e d5 64 80 b6 a6 e2-dd 1a 74 15 b0 9d e8 d2   .>.d......t.....
    0040 - d0 da 18 4a a1 86 40 df-4a 8f 53 41 1c 85 20 08   ...J..@.J.SA.. .
    0050 - b5 f9 c3 3c 8a b9 99 c9-a2 9c df 8b f4 02 34 65   ...<..........4e
    0060 - 28 4e 30 71 fe c7 7b b1-cc ee 21 32 c5 c9 77 f2   (N0q..{...!2..w.
    0070 - 7e 6d 6d fe f2 5c 1e fb-bf 12 23 8c 08 18 c3 46   ~mm..\....#....F
    0080 - 15 40 7a 16 3a d1 48 24-06 f5 84 fa b9 4e eb c3   .@z.:.H$.....N..
    0090 - 39 d2 22 9b ec 31 10 f9-69 29 0b 9c cb 87 a1 22   9."..1..i)....."
    00a0 - f9 68 58 fa 4e 53 e1 e3-03 e2 44 e2 17 6e 56 d2   .hX.NS....D..nV.
    00b0 - a4 83 b0 a4 7f 7b ca dc-78 7d 51 dd 3d 1c 8f 86   .....{..x}Q.=...
    00c0 - 36 4d 30 47 e6 6e cf 96-fb 96 9a d0 d3 e3 06 a5   6M0G.n..........
    00d0 - 00 60 b0 12 97 e9 a3 de-28 cf                     .`......(.

    Start Time: 1500646890
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
250 SMTPUTF8

6 comments:

Tocy said...

This thing is crashing:
qmail-remote.c: In function 'quit':
qmail-remote.c:269:24: error: dereferencing pointer to incomplete type 'SSL {aka struct ssl_st}'
int state = ssl ? ssl->state : SSL_ST_BEFORE;
^~
qmail-remote.c:269:34: error: 'SSL_ST_BEFORE' undeclared (first use in this function)
int state = ssl ? ssl->state : SSL_ST_BEFORE;
^~~~~~~~~~~~~
qmail-remote.c:269:34: note: each undeclared identifier is reported only once for each function it appears in
qmail-remote.c:270:15: error: 'SSL_ST_OK' undeclared (first use in this function)
if (state & SSL_ST_OK || (!smtps && state & SSL_ST_BEFORE))
^~~~~~~~~
qmail-remote.c: In function 'tls_init':
qmail-remote.c:505:60: error: dereferencing pointer to incomplete type 'X509_NAME_ENTRY {aka struct X509_name_entry_st}'
const ASN1_STRING *s = X509_NAME_get_entry(subj, i)->value;
^~
qmail-remote.c: In function 'main':
qmail-remote.c:697:7: warning: implicit declaration of function 'chdir' [-Wimplicit-function-declaration]
if (chdir(auto_qmail) == -1) temp_chdir();
^~~~~
qmail-remote.c:737:21: warning: implicit declaration of function 'getpid' [-Wimplicit-function-declaration]
random = now() + (getpid() << 16);
^~~~~~
qmail-remote.c:779:5: warning: implicit declaration of function 'close' [-Wimplicit-function-declaration]
close(smtpfd);
^~~~~
Makefile:1466: recipe for target 'qmail-remote.o' failed
make[1]: *** [qmail-remote.o] Error 1

Any idea how to fix it?
Thanks

Nikolay Hristov said...

Looks like you are trying to build it with the latest OpenSSL 1.1.x, which needs fixes. It builds OK with older, pre-1.1.x versions like 1.0.x and 0.9.x. Can you try it with a 1.0.x version of OpenSSL?

Tocy said...

I think it is a gcc-6 compiler issue. It looks like the variables need to be declared in a different way, from what I read in the error and the code.

Tocy said...

And it seems all the TLS patches come from one place, because the declaration
int state = ssl ? ssl->state : SSL_ST_BEFORE; is one and the same everywhere.

Nikolay Hristov said...

The problem is 100% that you are on the new SSL. The OpenSSL 1.1.x API is completely different and all programs need reworking. This patch is old and compiles without a problem if you install (on Debian, for example) the old libssl-dev, which is called libssl1.0-dev, and it should work.

Here is an example of a similar problem with another program that uses SSL: https://github.com/DinoTools/dionaea/issues/90

Tocy said...

You were right. It compiles with libssl1.0-dev. Thanks for the help.

Cheers,