qmail with TLS 1.3

qmail variants

s/qmail
qmail-ldap, by André Oppermann (LinkedIn, Xing)
Life With qmail-ldap

freshports.org

qmail
qmail-tls: Secure, reliable, and fast MTA for UNIX systems with TLS support

$ pkg info netqmail-tls
netqmail-tls-1.06.20110119_1
Name           : netqmail-tls
Version        : 1.06.20110119_1
Installed on   : Fri Dec 11 10:59:23 2015 CET
Origin         : mail/qmail-tls
Architecture   : freebsd:10:x86:64
Prefix         : /var/qmail
Categories     : mail
Licenses       :
Maintainer     : erdgeist@erdgeist.org
WWW            : http://inoa.net/qmail-tls/
Comment        : Secure, reliable, and fast MTA for UNIX systems with TLS support
Options        :
        BIG_CONCURRENCY_PATCH: off
        BIG_TODO_PATCH : on
        BLOCKEXEC_PATCH: on
        DISCBOUNCES_PATCH: off
        DNS_CNAME      : on
        DOCS           : on
        EXTTODO_PATCH  : off
        LOCALTIME_PATCH: off
        MAILDIRQUOTA_PATCH: off
        OUTGOINGIP_PATCH: on
        QEXTRA         : off
        QMTPC_PATCH    : off
        RCDLINK        : off
        SMTP_AUTH_PATCH: off
        SPF_PATCH      : off
        TLS_DEBUG      : off
Annotations    :
Flat size      : 1.06MiB
Description    :
What is is: [excerpt taken from tls patch]

Frederik Vermeulen <qmail-tls at inoa.net> 20021228
http://inoa.net/qmail/qmail-1.03-tls.patch

This patch implements RFC2487 in qmail. This means you can
get SSL or TLS encrypted and authenticated SMTP between
the MTAs and between MTA and an MUA like Netscape4.5 TM.
The code is considered experimental.

WWW: http://inoa.net/qmail-tls/

# tail /var/log/qmail/current | tai64nlocal
2021-07-09 16:13:31.006863500 status: local 1/10 remote 0/20
2021-07-09 16:13:31.020170500 delivery 47043: success: did_0+0+1/
2021-07-09 16:13:31.020288500 status: local 0/10 remote 0/20
2021-07-09 16:13:31.020361500 end msg 963489

2021-07-09 16:37:34.013898500 new msg 963470
2021-07-09 16:37:34.013922500 info msg 963470: bytes 2686 from <XXX> qp 17787 uid 89
2021-07-09 16:37:34.398681500 starting delivery 47044: msg 963470 to remote XXX@hotmail.com
2021-07-09 16:37:34.398686500 status: local 0/10 remote 1/20
2021-07-09 16:37:35.411841500 delivery 47044: deferral: TLS_connect_failed;_connected_to_104.47.73.161./
2021-07-09 16:37:35.411846500 status: local 0/10 remote 0/20

2021-07-09 16:44:15.431323500 starting delivery 47045: msg 963470 to remote XXX@hotmail.com
2021-07-09 16:44:15.431328500 status: local 0/10 remote 1/20
2021-07-09 16:44:15.841424500 delivery 47045: deferral: TLS_connect_failed;_connected_to_104.47.17.161./
2021-07-09 16:44:15.841460500 status: local 0/10 remote 0/20

2021-07-09 17:04:15.098384500 starting delivery 47047: msg 963470 to remote XXX@hotmail.com
2021-07-09 17:04:15.098390500 status: local 0/10 remote 1/20
2021-07-09 17:04:15.289859500 delivery 47047: deferral: TLS_connect_failed;_connected_to_104.47.10.33./
2021-07-09 17:04:15.289889500 status: local 0/10 remote 0/20
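
The three deferrals above all carry the same qmail-remote reason, each time against a different MX address of the same provider. As an added example (not code from the page or from any qmail project), here is a small Python parser that joins each "starting delivery" line with its result line and extracts the TLS-connect deferrals per destination domain and peer IP, so repeated failures towards one provider stand out instead of being read off line by line. It assumes tai64nlocal-formatted qmail-send log lines like the excerpt; the sample input is copied from above, including the page's own XXX redactions.

```python
import re
from collections import Counter

# Sample qmail-send log lines (tai64nlocal output) copied from the excerpt above;
# the XXX placeholders are the page's own redactions.
SAMPLE_LOG = """\
2021-07-09 16:13:31.020170500 delivery 47043: success: did_0+0+1/
2021-07-09 16:37:34.398681500 starting delivery 47044: msg 963470 to remote XXX@hotmail.com
2021-07-09 16:37:35.411841500 delivery 47044: deferral: TLS_connect_failed;_connected_to_104.47.73.161./
2021-07-09 16:44:15.431323500 starting delivery 47045: msg 963470 to remote XXX@hotmail.com
2021-07-09 16:44:15.841424500 delivery 47045: deferral: TLS_connect_failed;_connected_to_104.47.17.161./
2021-07-09 17:04:15.098384500 starting delivery 47047: msg 963470 to remote XXX@hotmail.com
2021-07-09 17:04:15.289859500 delivery 47047: deferral: TLS_connect_failed;_connected_to_104.47.10.33./
"""

START_RE = re.compile(
    r"^(?P<ts>\S+ \S+) starting delivery (?P<id>\d+): msg (?P<msg>\d+) "
    r"to (?P<kind>local|remote) (?P<rcpt>\S+)$"
)
RESULT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) delivery (?P<id>\d+): (?P<status>success|deferral|failure): (?P<detail>.*)$"
)
PEER_RE = re.compile(r"connected to (\d+\.\d+\.\d+\.\d+)")


def parse_deliveries(text):
    """Join each 'starting delivery' line with its result line, keyed by delivery id."""
    deliveries = {}
    for line in text.splitlines():
        m = START_RE.match(line)
        if m:
            deliveries[m["id"]] = {
                "msg": m["msg"], "kind": m["kind"], "rcpt": m["rcpt"],
                "status": None, "detail": None,
            }
            continue
        m = RESULT_RE.match(line)
        if m:
            d = deliveries.setdefault(
                m["id"], {"msg": None, "kind": None, "rcpt": None, "status": None, "detail": None}
            )
            d["status"] = m["status"]
            # qmail-send writes the delivery report with spaces turned into underscores
            # and a trailing '/'; undo that for readability.
            d["detail"] = m["detail"].rstrip("/").replace("_", " ")
    return deliveries


def tls_deferrals(deliveries):
    """(domain, peer_ip) for every deferral whose reason is a failed TLS connect."""
    out = []
    for d in deliveries.values():
        if d["status"] != "deferral" or not (d["detail"] or "").startswith("TLS connect failed"):
            continue
        domain = (d["rcpt"] or "").rsplit("@", 1)[-1]
        peer = PEER_RE.search(d["detail"])
        out.append((domain, peer.group(1) if peer else None))
    return out


def deferrals_by_domain(deliveries):
    """Count TLS-connect deferrals per destination domain."""
    return Counter(domain for domain, _ in tls_deferrals(deliveries))


if __name__ == "__main__":
    parsed = parse_deliveries(SAMPLE_LOG)
    for domain, peer in tls_deferrals(parsed):
        print(f"TLS connect failed to {domain} via {peer}")
    print(dict(deferrals_by_domain(parsed)))
```

Run against a real log with `tai64nlocal < /var/log/qmail/current` piped into `parse_deliveries`; a domain that collects many TLS-connect deferrals while other domains succeed points at a negotiation mismatch with that provider rather than at a general outage.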

qmail with TLS

smtp-auth + qmail-tls + forcetls patch for qmail, May 8, 2020
Patching qmail, June 19, 2021

What is TLS

SMTP and Transport Layer Security (TLS) [Tutorial]

Microsoft no longer supports TLS 1.0!

TLS connect failed
SSL/TLS connection issue troubleshooting test tools
Can’t establish a TLS connection to a remote mail server in Exchange Online or Exchange Server
TLS negotiating failed
Office 365 to enforce TLS 1.2 per October 15, 2020
Checking security protocols and ciphers on your Exchange servers
Rehash: How to Fix the SSL/TLS Handshake Failed Error

SSL/TLS connection issue troubleshooting guide
SSL/TLS connection issue troubleshooting test tools

SMTP MTA STS

SMTP MTA STS (Strict Transport Security)
MTA-STS makes sending and receiving mail more secure
STARTTLS: MTA-STS

OpenSSL

Testing e-mail encryption
When was TLS 1.2 support added to OpenSSL?

# openssl version
OpenSSL 1.0.1p-freebsd 9 Jul 2015

SSL/TLS Client

From ns3.te-clan.ch
$ openssl s_client -host mail.te-clan.ch -port 25 -starttls smtp
CONNECTED(00000003)
ehlo test
depth=0 C = CH, ST = ZH, L = Winterthur, O = tE-clan Server, CN = Andreas Bachmann, emailAddress = bachi@te-clan.ch
verify error:num=18:self signed certificate
verify return:1
depth=0 C = CH, ST = ZH, L = Winterthur, O = tE-clan Server, CN = Andreas Bachmann, emailAddress = bachi@te-clan.ch
verify return:1
---
Certificate chain
 0 s:C = CH, ST = ZH, L = Winterthur, O = tE-clan Server, CN = Andreas Bachmann, emailAddress = bachi@te-clan.ch
   i:C = CH, ST = ZH, L = Winterthur, O = tE-clan Server, CN = Andreas Bachmann, emailAddress = bachi@te-clan.ch
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=C = CH, ST = ZH, L = Winterthur, O = tE-clan Server, CN = Andreas Bachmann, emailAddress = bachi@te-clan.ch
issuer=C = CH, ST = ZH, L = Winterthur, O = tE-clan Server, CN = Andreas Bachmann, emailAddress = bachi@te-clan.ch

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 1600 bytes and written 542 bytes
Verification error: self signed certificate
---
New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Session-ID: [...]
    Session-ID-ctx:
    Master-Key: [...]
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 0b f4 09 ef 02 07 df bc-b9 fa bd d0 f6 21 af 69   .............!.i
    0010 - [...]
    00a0 - ff 5d 6f 73 8d 1b 75 59-bf dd 9b a6 d8 b2 01 71   .]os..uY.......q
    Start Time: 1625840075
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: no
---
250 8BITMIME
250-ns2.te-clan.ch
250-AUTH LOGIN PLAIN CRAM-MD5
250-PIPELINING
250 8BITMIME
read:errno=0
From ns3.te-clan.ch
$ openssl s_client -host 104.47.74.33 -port 25 -starttls smtp
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert Cloud Services CA-1
verify return:1
depth=0 C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = mail.protection.outlook.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = mail.protection.outlook.com
   i:C = US, O = DigiCert Inc, CN = DigiCert Cloud Services CA-1
 1 s:C = US, O = DigiCert Inc, CN = DigiCert Cloud Services CA-1
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = mail.protection.outlook.com

issuer=C = US, O = DigiCert Inc, CN = DigiCert Cloud Services CA-1

---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1:RSA+SHA512:ECDSA+SHA512
Shared Requested Signature Algorithms: RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1:RSA+SHA512:ECDSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 3852 bytes and written 519 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: [...]
    Session-ID-ctx:
    Master-Key: [...]
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1625840474
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
250 SMTPUTF8
From ns2.te-clan.ch
$ openssl s_client -host 104.47.74.33 -port 25 -starttls smtp
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert Cloud Services CA-1
verify return:1
depth=0 C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = mail.protection.outlook.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=mail.protection.outlook.com
   i:/C=US/O=DigiCert Inc/CN=DigiCert Cloud Services CA-1
 1 s:/C=US/O=DigiCert Inc/CN=DigiCert Cloud Services CA-1
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=mail.protection.outlook.com
issuer=/C=US/O=DigiCert Inc/CN=DigiCert Cloud Services CA-1
---
No client certificate CA names sent
---
SSL handshake has read 3847 bytes and written 502 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: [...]
    Session-ID-ctx:
    Master-Key: [...]
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1625840680
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
250 SMTPUTF8

OpenSSL Cookbook

Testing Protocols that Upgrade to TLS

When used with HTTP, TLS wraps the entire plain-text communication channel to form HTTPS. Some other protocols start off as plaintext, but then they upgrade to encryption. If you want to test such a protocol, you’ll have to tell OpenSSL which protocol it is so that it can upgrade on your behalf. Provide the protocol information using the -starttls switch. For example:

$ openssl s_client -connect gmail-smtp-in.l.google.com:25 -starttls smtp
At the time of writing, the supported protocols in recent OpenSSL releases are smtp, pop3, imap, ftp, xmpp, xmpp-server, irc, postgres, mysql, lmtp, nntp, sieve, and ldap. There is less choice with OpenSSL 1.0.2g: smtp, pop3, imap, ftp, and xmpp.

Some protocols require the client to provide their names. For example, for SMTP, OpenSSL will use mail.example.com by default, but you can specify the correct value with the -name switch. If you’re testing XMPP, you may need to specify the correct server name; you can do this with the -xmpphost switch.

s/qmail

Linked: Erwin Hoffmann
github.com/wavemechanics/sqmail-port
Installing s/qmail
FreeBSD Port: qmail-spamcontrol-1.03.2731_2

IndiMail

IndiMail is a Secure, Reliable, Efficient Messaging Platform which provides you everything needed in a modern messaging server – ESMTP, IMAP, POP3, QMTP, QMQP and many other features. IndiMail gives you speeds that are faster than most MTAs. The flexibility provided by IndiMail’s authentication methods allow any IMAP/POP3 server to be used with IndiMail. IndiMail is built for speed and flexibility. You can download the source or use the binary RPM generated by openSUSE Build Service.
github.com/mbhangui/indimail-mta

sslscan

github.com/rbsec/sslscan
sslscan Fast SSL port scanner

C:\Users\andreas\Downloads\sslscan-win-2.0.10>sslscan.exe --starttls-smtp mail.xyz.abc:25
Version: 2.0.10 Windows 64-bit (Mingw)
OpenSSL 1.1.1e-dev  xx XXX xxxx

Connected to x.x.x.x

Testing SSL server mail.xyz.abc on port 25 using SNI name mail.xyz.abc

  SSL/TLS Protocols:
SSLv2     enabled
SSLv3     disabled
TLSv1.0   enabled
TLSv1.1   enabled
TLSv1.2   enabled
TLSv1.3   disabled

  TLS Fallback SCSV:
Connection failed - unable to determine TLS Fallback SCSV support

  TLS renegotiation:
Session renegotiation not supported

  TLS Compression:
Compression disabled

  Heartbleed:
TLSv1.2 not vulnerable to heartbleed
TLSv1.1 not vulnerable to heartbleed
TLSv1.0 not vulnerable to heartbleed

  Supported Server Cipher(s):
Preferred TLSv1.2  56 bits   TLS_RSA_WITH_DES_CBC_SHA
Preferred TLSv1.1  56 bits   TLS_RSA_WITH_DES_CBC_SHA
Preferred TLSv1.1  56 bits   TLS_DHE_RSA_WITH_DES_CBC_SHA
Preferred TLSv1.0  256 bits  DHE-RSA-AES256-SHA            DHE 1024 bits
Accepted  TLSv1.0  56 bits   TLS_RSA_WITH_DES_CBC_SHA

  SSL Certificate:
Signature Algorithm: sha1WithRSAEncryption
RSA Key Strength:    1024

Subject:  Andreas Bachmann
Issuer:   Andreas Bachmann

Not valid before: Apr 22 11:27:56 2019 GMT
Not valid after:  Apr 20 11:27:56 2024 GMT
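
The scan above shows a server that still offers SSLv2, 56-bit DES suites, a 1024-bit DHE group and a SHA-1-signed certificate with a 1024-bit RSA key; that is exactly the profile a current peer will refuse to complete a handshake with. As an added example (not sslscan's code and not from the page), the Python below reads sslscan's text output and lists such findings so the weak points can be worked through one by one. The thresholds it applies (no SSLv2/SSLv3/TLS 1.0/1.1, at least 128-bit ciphers, at least 2048-bit RSA keys and DHE groups, no SHA-1 or MD5 signatures) are this example's own assumptions, and the sample input is the scan output copied from above.

```python
import re

# sslscan output copied from the run above (host already anonymised on the page).
SAMPLE_SSLSCAN = """\
  SSL/TLS Protocols:
SSLv2     enabled
SSLv3     disabled
TLSv1.0   enabled
TLSv1.1   enabled
TLSv1.2   enabled
TLSv1.3   disabled

  Supported Server Cipher(s):
Preferred TLSv1.2  56 bits   TLS_RSA_WITH_DES_CBC_SHA
Preferred TLSv1.1  56 bits   TLS_RSA_WITH_DES_CBC_SHA
Preferred TLSv1.1  56 bits   TLS_DHE_RSA_WITH_DES_CBC_SHA
Preferred TLSv1.0  256 bits  DHE-RSA-AES256-SHA            DHE 1024 bits
Accepted  TLSv1.0  56 bits   TLS_RSA_WITH_DES_CBC_SHA

  SSL Certificate:
Signature Algorithm: sha1WithRSAEncryption
RSA Key Strength:    1024
"""

# Thresholds are this example's assumptions (common hardening baselines), not values from the page.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
MIN_CIPHER_BITS = 128
MIN_RSA_BITS = 2048
MIN_DH_BITS = 2048
WEAK_SIGNATURES = ("sha1", "md5")

PROTO_RE = re.compile(r"^(SSLv\d|TLSv1\.\d)\s+(enabled|disabled)$")
CIPHER_RE = re.compile(
    r"^(Preferred|Accepted)\s+(\S+)\s+(\d+) bits\s+(\S+)(?:\s+(DHE|ECDHE)\s+(\d+) bits)?"
)
SIG_RE = re.compile(r"^Signature Algorithm:\s*(\S+)")
KEY_RE = re.compile(r"^RSA Key Strength:\s*(\d+)")


def assess_sslscan(text):
    """Return a list of human-readable findings for one sslscan text report."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = PROTO_RE.match(line)
        if m:
            if m.group(2) == "enabled" and m.group(1) in LEGACY_PROTOCOLS:
                findings.append(f"legacy protocol {m.group(1)} enabled")
            continue
        m = CIPHER_RE.match(line)
        if m:
            bits, suite = int(m.group(3)), m.group(4)
            if bits < MIN_CIPHER_BITS:
                findings.append(f"weak cipher {suite} ({bits} bits) on {m.group(2)}")
            # sslscan appends the ephemeral group size for DHE suites; small groups are
            # rejected by most current clients.
            if m.group(5) == "DHE" and int(m.group(6)) < MIN_DH_BITS:
                findings.append(f"small DHE group ({m.group(6)} bits) for {suite}")
            continue
        m = SIG_RE.match(line)
        if m:
            if m.group(1).lower().startswith(WEAK_SIGNATURES):
                findings.append(f"certificate signed with {m.group(1)}")
            continue
        m = KEY_RE.match(line)
        if m and int(m.group(1)) < MIN_RSA_BITS:
            findings.append(f"certificate RSA key only {m.group(1)} bits")
    return findings


def is_acceptable(text):
    """True when the report raises no finding under the thresholds above."""
    return not assess_sslscan(text)


if __name__ == "__main__":
    for finding in assess_sslscan(SAMPLE_SSLSCAN):
        print("-", finding)
```

Feed it a saved report with `assess_sslscan(open("scan.txt").read())`; rerun the scan after each change to the qmail-tls build (OpenSSL version, cipher list, certificate and DH parameters) until `is_acceptable` returns True.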
