/certificate /test |
1. qmail/tls
Gmailにメールを送る予定はないが、そろそろ試しておく時期かも。-- ToshinoriMaeno 2023-12-09 12:44:28
Qmail-TLS patch https://inoa.net/qmail-tls/
- provide a server certificate in /var/qmail/control/servercert.pem. "make cert" makes a self-signed certificate. (できた。) "make cert-req" makes a certificate request. Note: you can add the CA certificate and intermediate certs to the end of servercert.pem. Send req.pem to your CA to obtain signed_req.pem, and do: cat signed_req.pem >> /var/qmail/control/servercert.pem - replace qmail-smtpd and/or qmail-remote binary - verify operation (header information should show something like "Received [..] with (DHE-RSA-AES256-SHA encrypted) SMTP;")
Optional:
- when DEBUG is defined, some extra TLS info will be logged - qmail-remote will authenticate with the certificate in /var/qmail/control/clientcert.pem. By preference this is the same as servercert.pem, where nsCertType should be == server,client or be a generic certificate (no usage specified). - when a 2048 bit RSA key is provided in /var/qmail/control/rsa2048.pem, this key will be used instead of (slow) on-the-fly generation by qmail-smtpd. Idem for 2048 DH param in control/dh2048.pem. `make tmprsadh` does this. Periodical replacement can be done by crontab: 01 01 * * * /var/qmail/bin/update_tmprsadh > /dev/null 2>&1 - server authentication: qmail-remote requires authentication from servers for which /var/qmail/control/tlshosts/host.dom.ain.pem exists. The .pem file contains the validating CA certificates. One of the dNSName or the CommonName attributes have to match. WARNING: this option may cause mail to be delayed, bounced, doublebounced, and lost. If /var/qmail/control/tlshosts/exhaustivelist is present, the lists of hosts in /var/qmail/control/tlshosts is an exhaustive list of hosts TLS is tried on. If /var/qmail/control/notlshosts/host.dom.ain is present, no TLS is tried on this host. - client authentication: when relay rules would reject an incoming mail, qmail-smtpd can allow the mail based on a presented cert. Certs are verified against a CA list in /var/qmail/control/clientca.pem (eg. from http://curl.haxx.se/ca/cacert.pem) and the cert email-address has to match a line in /var/qmail/control/tlsclients. This email-address is logged in the headers. CRLs can be provided through /var/qmail/control/clientcrl.pem. - cipher selection: qmail-remote: openssl cipher string (`man ciphers`) read from /var/qmail/control/tlsclientciphers qmail-smtpd: openssl cipher string read from TLSCIPHERS environment variable (can vary based on client IP address e.g.) or if that is not available /var/qmail/control/tlsserverciphers - smtps (deprecated SMTP over TLS via port 465): qmail-remote: when connecting to port 465 qmail-smtpd: when SMTPS environment variable is not empty
Caveats: - do a `make clean` after patching - binaries dynamically linked with current openssl versions need recompilation when the shared openssl libs are upgraded. - this patch could conflict with other patches (notably those replacing \n with \r\n, which is a bad idea on encrypted links). - needs working /dev/urandom (or EGD for openssl versions >0.9.7) for seeding random number generator. - packagers should make sure that installing without a valid servercert is impossible - when applied in combination with AUTH patch, AUTH patch should be applied first and first part of this patch will fail. This error can be ignored. Packagers should cut the first 12 lines of this patch to make a happy patch - `make tmprsadh` is recommended (or should I say required), otherwise DH generation can be unpredictably slow - some need "-I/usr/kerberos/include" to be added in conf-cc
1.1. history
CONTROL FILES clientcert.pem SSL certificate that is used to authenticate with the remote server during a TLS session. notlshosts/<FQDN> qmail-remote will not try TLS on servers for which this file exists (<FQDN> is the fully-qualified domain name of the server). (tlshosts/<FQDN>.pem takes precedence over this file however). tlsclientciphers A set of OpenSSL client cipher strings. Multiple ciphers contained in a string should be separated by a colon. tlshosts/<FQDN>.pem qmail-remote requires TLS authentication from servers for which this certificate exists (<FQDN> is the fully-qualified domain name of the server). One of the dNSName or the CommonName attributes have to match. WARNING: this option may cause mail to be delayed, bounced, doublebounced, or lost. tlshosts/exhaustivelist if this file exists no TLS will be tried on hosts other than those for which a file tlshosts/<FQDN>.pem exists.