Gentoo Forums
Qmaild fails on TLS conversations
Gentoo Forums Forum Index :: Networking & Security
ddoherty03
n00b
Joined: 24 Feb 2004
Posts: 38

PostPosted: Sat Jun 04, 2005 9:49 am    Post subject: Qmaild fails on TLS conversations

I have qmail installed and it has ssl tls enabled.

When I look at the log file, however, all the messages sent via tls have an exit code of 256.

If I telnet to the server, it claims to support tls.

Can anyone give me some hints on diagnosing this?

I would much appreciate any help.
ddoherty03
n00b
Joined: 24 Feb 2004
Posts: 38

PostPosted: Tue Jun 07, 2005 8:32 pm    Post subject: Qmail TLS Handshake Problem

My earlier post elicited no bits, perhaps not enough there for people to chew on.

After googling, I fell on trying to run strace on an openssl dialogue with my local host:

Code:

strace -p 1234 -ff -o /tmp/qmail-remote.strace


This resulted in the following output:
Code:

<snip>
munmap(0xb7fea000, 4096)                = 0
open("/etc/hosts", O_RDONLY)            = 3
fcntl64(3, F_GETFD)                     = 0
fcntl64(3, F_SETFD, FD_CLOEXEC)         = 0
fstat64(3, {st_mode=S_IFREG|0644, st_size=878, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fea000
read(3, "# /etc/hosts:  This file describ"..., 4096) = 878
close(3)                                = 0
munmap(0xb7fea000, 4096)                = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
setsockopt(3, SOL_SOCKET, SO_KEEPALIVE, [0], 4) = 0
connect(3, {sa_family=AF_INET, sin_port=htons(25), sin_addr=inet_addr("127.0.0.1")}, 16) = 0
fstat64(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(136, 4), ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fea000
write(1, "CONNECTED(00000003)\n", 20CONNECTED(00000003)
)   = 20
read(3, "220 jupiter.ddoherty.net ESMTP\r\n", 8192) = 32
write(3, "STARTTLS\r\n", 10)            = 10
read(3, "220 ready for tls\r\n", 8192)  = 19
select(4, [3], [3], NULL, NULL)         = 1 (out [3])
time(NULL)                              = 1118175661
brk(0x80e1000)                          = 0x80e1000
open("/dev/urandom", O_RDONLY|O_NONBLOCK|O_NOCTTY) = 4
select(5, [4], NULL, NULL, {0, 10000})  = 1 (in [4], left {0, 10000})
read(4, "\221\365\246\325\326|~\247\330\22b\4\30\22f\7\266{~\262"..., 32) = 32
close(4)                                = 0
getuid32()                              = 0
time(NULL)                              = 1118175661
write(3, "\200\222\1\3\1\0i\0\0\0 \0\0009\0\0008\0\0005\0\0\26\0"..., 148) = 148
read(3, "", 7)                          = 0
write(2, "22496:error:140790E5:SSL routine"..., 8322496:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:
) = 83
shutdown(3, 0 /* receive */)            = 0
close(3)                                = 0
brk(0x80d3000)                          = 0x80d3000
munmap(0xb7fea000, 4096)                = 0
exit_group(0)


It looks like it is failing on a write to file 3 (exit status 148, right?), which seems to be the socket connection to the server (which I surmise from the "connect(3,...)" call a few lines up).

Anybody else see anything that would explain why my smtp is not handshaking properly under TLS?

Again, I would appreciate any thoughts.
powderedtoastdude
n00b
Joined: 09 Jan 2005
Posts: 28

PostPosted: Thu Jun 09, 2005 12:29 am    Post subject: Me too

I was seeing the same behavior, inexplicably until just now. I have "ssl" in my use flags and a good /var/qmail/control/servercert.pem. I presume you do too. Ethereal to the rescue. I captured a session with a "port 25" filter and the answer just jumped out at me like a sore thumb (mixed metaphors aside).

In my case, I'm using simscan as the program called by the QMAILQUEUE feature. In my /var/qmail/supervise/run file, for some reason I had a line like "export SIMSCAN_DEBUG=2". In my ethereal capture, I was alarmed to see this debug output sent during the SMTP conversation as responses to the client! Naturally that borks up the TLS conversation. Removing the debug env var and restarting qmail fixed me up nicely.

So, if you're not using simscan, just make sure nothing in the chain is outputting anything weird at the wrong time into the conversation. Use ethereal to help you find it.

Now I just have to figure out why SMTP AUTH still isn't working. :?
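The two posts above point at the same place on the wire: in the strace, write(3, "\200\222...", 148) is the client's 148-byte hello and the read(3, "", 7) = 0 right after it is the server closing the connection, while the simscan case is the server writing plain text where a TLS record should be. The probe below, added here as an example and not code from the thread, qmail, simscan or OpenSSL, speaks plain SMTP up to STARTTLS, sends a real ClientHello built from an SSLObject over MemoryBIOs, and then classifies whatever comes back: nothing (server closed), a TLS record (handshake proceeding), or printable text (something in the chain wrote to the conversation). fake_smtp_server(), the hostnames jupiter.example and probe.example and the "simscan: debug 2 ..." line are constructed stand-ins for this demonstration, not output from any real MTA.

```python
# Added STARTTLS probe for this thread; not qmail, simscan or OpenSSL code.
# Assumed/constructed: fake_smtp_server(), jupiter.example, probe.example.
import socket
import ssl
import threading

def _read_line(sock):
    """Read one CRLF-terminated line; raise if the peer closes mid-dialogue."""
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            raise ConnectionError("server closed the connection mid-dialogue")
        buf += chunk
    return buf[:-2]

def _read_reply(sock):
    """Read a (possibly multi-line) SMTP reply; return (code, [lines])."""
    lines = []
    while True:
        line = _read_line(sock)
        lines.append(line)
        if len(line) < 4 or line[3:4] != b"-":  # "250-x" continues, "250 x" ends
            return int(line[:3]), lines

def client_hello_bytes(sni=None):
    """Produce a genuine TLS ClientHello with no network: drive an SSLObject
    over MemoryBIOs until it blocks waiting for the ServerHello."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # diagnostic only: the handshake is never finished
    ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=sni)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the ClientHello now sits in 'outgoing'
    return outgoing.read()

def classify(first_bytes):
    """Label the first bytes the server sends back after our ClientHello."""
    if first_bytes == b"":
        return "closed"  # the strace case above: read() returned 0
    if first_bytes[0] == 0x16:
        return "tls-handshake"  # TLS Handshake record: a ServerHello is coming
    if first_bytes[0] == 0x15:
        return "tls-alert"  # TLS Alert record: the server rejected our hello
    if all(32 <= b < 127 or b in b"\r\n\t" for b in first_bytes):
        return "plaintext"  # the simscan case: text leaked into the TLS stream
    return "unknown"

def probe_starttls(host, port, timeout=5.0):
    """Plain SMTP up to STARTTLS, one ClientHello, then classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if _read_reply(sock)[0] != 220:
            return "bad-banner"
        sock.sendall(b"EHLO probe.example\r\n")
        if _read_reply(sock)[0] != 250:
            return "ehlo-rejected"
        sock.sendall(b"STARTTLS\r\n")
        if _read_reply(sock)[0] != 220:
            return "starttls-refused"
        sock.sendall(client_hello_bytes())
        try:
            return classify(sock.recv(4096))
        except (socket.timeout, ConnectionResetError):
            return "no-reply"

def fake_smtp_server(after_starttls):
    """Constructed stand-in for a qmail-smtpd that misbehaves after STARTTLS:
    sends '220 ready for tls', swallows the ClientHello, writes after_starttls
    (b'' = nothing) and closes. Returns the 127.0.0.1 port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(b"220 jupiter.example ESMTP\r\n")
            while True:
                cmd = _read_line(conn).upper()
                if cmd.startswith(b"EHLO"):
                    conn.sendall(b"250-jupiter.example\r\n250 STARTTLS\r\n")
                elif cmd.startswith(b"STARTTLS"):
                    conn.sendall(b"220 ready for tls\r\n")
                    conn.recv(4096)  # consume the ClientHello so close() sends FIN, not RST
                    conn.sendall(after_starttls)
                    break
                else:
                    conn.sendall(b"500 unrecognised command\r\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    for label, tail in [("server closes after ClientHello", b""),
                        ("debug text leaks into the stream", b"simscan: debug 2 ...\r\n"),
                        ("proper TLS record", b"\x16\x03\x03\x00\x04\x02\x00\x00\x00")]:
        print(f"{label:34s} -> {probe_starttls('127.0.0.1', fake_smtp_server(tail))}")
```

Against a real server, call probe_starttls("mail.example", 25) and read the label: "closed" matches the strace in this thread (the TLS side of qmail-smtpd died after receiving the hello, so look at its stderr or the supervise log), "plaintext" means something in the qmail/simscan chain is writing to the client's file descriptor at the wrong moment, and only "tls-handshake" means the STARTTLS path is sound and any remaining failure is a certificate or cipher matter.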
ddoherty03
n00b
Joined: 24 Feb 2004
Posts: 38

PostPosted: Thu Jun 16, 2005 4:17 pm    Post subject: Ethereal Testing

Thanks for the tip. I had not thought about watching the conversation.

I'll give it a try when I get home.
ddoherty03
n00b
Joined: 24 Feb 2004
Posts: 38

PostPosted: Thu Jun 16, 2005 9:30 pm    Post subject: OK, Does this mean anything to anybody?

The reason I think I have SSL problems is that I get a failure from the following test program:
Code:
$ openssl s_client -connect localhost:25 -starttls smtp


Which results in the following:
Code:
CONNECTED(00000003)
25192:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:


Could this mean a certificate problem? I don't think so: would it not say something like bad certificate if that were the case?

I believe this is what the traced process was from above, which I failed to include.

I did the ethereal test and saw nothing strange. (By the way, tethereal is handy to know about when you're trying to diagnose a remote server).

Thanks for any help.
beamernz
n00b
Joined: 27 Nov 2004
Posts: 2

PostPosted: Tue Aug 23, 2005 1:28 am

I am having the exact same problem - did you manage to resolve it?
ddoherty03
n00b
Joined: 24 Feb 2004
Posts: 38

PostPosted: Tue Aug 23, 2005 2:18 pm    Post subject: qmail TLS woes

I wish I could say I had an elegant solution. One of the few times the Gentoo forums have not come through for me.

I took the expedient of removing ssl capability from qmail with the following line in /etc/portage/package.use:

mail-mta/qmail -ssl

Then I did

emerge --unmerge qmail
emerge -uv qmail

And I don't have the problem (or encrypted e-mail connection) anymore. On the other hand, I'm not a very interesting person, nor are my e-mails, so perhaps ssl was overkill for me anyway.

Good luck, and post if you find a solution better than punting!