## page was copied from DnsTemplate
##master-page:HelpTemplate

<<Navigation(children,1)>>

<<TableOfContents()>>

[[qmail/ssl]]  [[/test]]  [[/certificate]]

= qmail/tls =

Gmailにメールを送る予定はないが、そろそろ試しておく時期かも。-- ToshinoriMaeno <<DateTime(2023-12-09T21:44:28+0900)>>


Qmail-TLS patch
https://inoa.net/qmail-tls/

{{{
- provide a server certificate in /var/qmail/control/servercert.pem.
     "make cert" makes a self-signed certificate. (できた。)

         "make cert-req" makes a certificate request.
         Note: you can add the CA certificate and intermediate
         certs to the end of servercert.pem.

Send req.pem to your CA to obtain signed_req.pem, and do:
cat signed_req.pem >> /var/qmail/control/servercert.pem

- replace qmail-smtpd and/or qmail-remote binary
- verify operation (header information should show something like
 "Received [..] with (DHE-RSA-AES256-SHA encrypted) SMTP;")
}}}


Optional: 
{{{
- when DEBUG is defined, some extra TLS info will be logged
          - qmail-remote will authenticate with the certificate in
            /var/qmail/control/clientcert.pem. By preference this is
            the same as servercert.pem, where nsCertType should be 
            == server,client or be a generic certificate (no usage specified). 
- when a 2048 bit RSA key is provided in /var/qmail/control/rsa2048.pem,
            this key will be used instead of (slow) on-the-fly generation by
            qmail-smtpd. Idem for 2048 DH param in control/dh2048.pem.
            `make tmprsadh` does this.
            Periodical replacement can be done by crontab:
            01 01 * * * /var/qmail/bin/update_tmprsadh > /dev/null 2>&1
- server authentication:
            qmail-remote requires authentication from servers for which
            /var/qmail/control/tlshosts/host.dom.ain.pem exists.

            The .pem file contains the validating CA certificates.
            One of the dNSName or the CommonName attributes have to match.
            WARNING: this option may cause mail to be delayed, bounced,
            doublebounced, and lost.

            If /var/qmail/control/tlshosts/exhaustivelist is present,
            the lists of hosts in /var/qmail/control/tlshosts is
            an exhaustive list of hosts TLS is tried on.
            If /var/qmail/control/notlshosts/host.dom.ain is present,
            no TLS is tried on this host.

- client authentication:
            when relay rules would reject an incoming mail, 
            qmail-smtpd can allow the mail based on a presented cert.
            Certs are verified against a CA list in 
            /var/qmail/control/clientca.pem (eg. from
            http://curl.haxx.se/ca/cacert.pem)
            and the cert email-address has to match a line in
            /var/qmail/control/tlsclients. This email-address is logged
            in the headers. CRLs can be provided through 
            /var/qmail/control/clientcrl.pem.

- cipher selection:
            qmail-remote: 
              openssl cipher string (`man ciphers`) read from 
              /var/qmail/control/tlsclientciphers
            qmail-smtpd: 
              openssl cipher string read from TLSCIPHERS environment variable
              (can vary based on client IP address e.g.)
              or if that is not available /var/qmail/control/tlsserverciphers
- smtps (deprecated SMTP over TLS via port 465):
            qmail-remote: when connecting to port 465 
            qmail-smtpd: when SMTPS environment variable is not empty
}}}

{{{
Caveats: - do a `make clean` after patching
         - binaries dynamically linked with current openssl versions need
           recompilation when the shared openssl libs are upgraded.
         - this patch could conflict with other patches (notably those
           replacing \n with \r\n, which is a bad idea on encrypted links).

         - needs working /dev/urandom (or EGD for openssl versions >0.9.7)
           for seeding random number generator.
         - packagers should make sure that installing without a valid 
           servercert is impossible
         - when applied in combination with AUTH patch, AUTH patch
           should be applied first and first part of this patch
           will fail. This error can be ignored. Packagers should
           cut the first 12 lines of this patch to make a happy
           patch
         - `make tmprsadh` is recommended (or should I say required), 
           otherwise DH generation can be unpredictably slow
         - some need "-I/usr/kerberos/include" to be added in conf-cc

}}}
== history ==
{{{

CONTROL FILES
       clientcert.pem
            SSL certificate that is used to authenticate with the
            remote server during a TLS session.

       notlshosts/<FQDN>
            qmail-remote  will  not  try TLS on servers for which
            this  file  exists  (<FQDN>  is  the  fully-qualified
            domain  name  of  the  server).  (tlshosts/<FQDN>.pem
            takes precedence over this file however).

       tlsclientciphers
            A  set  of  OpenSSL  client  cipher strings. Multiple
            ciphers contained in a string should be separated  by
            a colon.

       tlshosts/<FQDN>.pem
            qmail-remote requires TLS authentication from servers
            for which this  certificate  exists  (<FQDN>  is  the
            fully-qualified  domain  name  of the server). One of
            the dNSName or  the  CommonName  attributes  have  to
            match.

            WARNING:  this  option  may cause mail to be delayed,
            bounced, doublebounced, or lost.

       tlshosts/exhaustivelist
            if this file exists no TLS will  be  tried  on  hosts
            other than those for which a file tlshosts/<FQDN>.pem
            exists.

}}}
----
CategoryDns CategoryWatch CategoryTemplate