* Re: [9front] /sys/lib/tls or /sys/lib/ssl
@ 2018-03-23 0:45 kokamoto
2018-03-23 13:38 ` Steve Simon
0 siblings, 1 reply; 9+ messages in thread
From: kokamoto @ 2018-03-23 0:45 UTC (permalink / raw)
To: 9front
Our provider does not support STARTTLS, but only TLS encrypted communication for secure mail.
I checked /sys/src/cmd/upas/smtp, and guess we need some function in hello() around:
if(tryauth && (encrypted || insecure) &&
(cistrncmp(s, "250 AUTH", strlen("250 AUTH")) == 0 ||
cistrncmp(s, "250-AUTH", strlen("250 AUTH")) == 0)){
ret = doauth(s + strlen("250 AUTH "));
s_free(r);
return ret;
}
<=======here=====
}
Am I wrong?
Kenji
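As an added example for this thread (not upas code), a Python model of the hello() guard quoted above: AUTH is only attempted once the session is encrypted (TLS before any SMTP on port 465, as smtp -t does, or after STARTTLS) or when the operator has set the insecure flag, and both the "250-AUTH" continuation form and the final "250 AUTH" line are recognised. Session, parse_ehlo and auth_mechanisms are names chosen here, and the sample replies are constructed.

```python
from dataclasses import dataclass


@dataclass
class Session:
    # Constructed model of the smtp client state the upas guard looks at.
    port: int                 # 465 = SMTPS: TLS before any SMTP (upas smtp -t)
    starttls_done: bool = False
    insecure: bool = False    # operator explicitly allowed AUTH in the clear

    @property
    def encrypted(self) -> bool:
        # On 465 the TLS handshake precedes the greeting; on 25/587 the
        # channel is only encrypted once STARTTLS has completed.
        return self.port == 465 or self.starttls_done


def parse_ehlo(reply: str) -> dict:
    """Map capability keyword -> parameters from a multi-line 250 reply.

    '250-' marks a continuation line and '250 ' (space) the final line;
    either may carry a capability, which is why upas tests both spellings.
    """
    lines = reply.splitlines()
    caps = {}
    for i, line in enumerate(lines):
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            raise ValueError("malformed EHLO reply line: %r" % line)
        if line[3] == " " and i != len(lines) - 1:
            raise ValueError("'250 ' (final line) followed by more lines")
        if i == 0:
            continue  # first line is the server's greeting, not a capability
        words = line[4:].split()
        if words:
            caps[words[0].upper()] = words[1:]
    if not lines or lines[-1][3] != " ":
        raise ValueError("EHLO reply not terminated by a '250 ' line")
    return caps


def auth_mechanisms(sess: Session, reply: str) -> list:
    """Mechanisms AUTH may be tried with now; [] means do not send AUTH."""
    caps = parse_ehlo(reply)
    if "AUTH" not in caps:
        return []
    if not (sess.encrypted or sess.insecure):
        return []  # same condition as upas: encrypted || insecure
    return caps["AUTH"]


# Constructed sample replies (not captured from the provider in the thread).
EHLO_PLAIN = "250-mx.example.net Hello\r\n250-STARTTLS\r\n250 AUTH PLAIN LOGIN"
EHLO_CONT = "250-mx.example.net Hello\r\n250-AUTH PLAIN\r\n250 HELP"
```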
* Re: [9front] /sys/lib/tls or /sys/lib/ssl
2018-03-23 0:45 [9front] /sys/lib/tls or /sys/lib/ssl kokamoto
@ 2018-03-23 13:38 ` Steve Simon
0 siblings, 0 replies; 9+ messages in thread
From: Steve Simon @ 2018-03-23 13:38 UTC (permalink / raw)
To: 9front
i have never used it but i think you just need to wrap tlsclient around smtpd to do raw tls smtp (rather than ehlo style)
-Steve
> On 23 Mar 2018, at 00:45, kokamoto@hera.eonet.ne.jp wrote:
>
> Our provider does not support STARTTLS, but only TLS encrypted communication for secure mail.
> I checked /sys/src/cmd/upas/smtp, and guess we need some function in hello() around:
>
> if(tryauth && (encrypted || insecure) &&
> (cistrncmp(s, "250 AUTH", strlen("250 AUTH")) == 0 ||
> cistrncmp(s, "250-AUTH", strlen("250 AUTH")) == 0)){
> ret = doauth(s + strlen("250 AUTH "));
> s_free(r);
> return ret;
> }
> <=======here=====
> }
>
> Am I wrong?
>
> Kenji
* Re: [9front] /sys/lib/tls or /sys/lib/ssl
@ 2018-03-24 3:54 kokamoto
0 siblings, 0 replies; 9+ messages in thread
From: kokamoto @ 2018-03-24 3:54 UTC (permalink / raw)
To: 9front
Sorry, sorry.
I sent the previous mail through amtpauth(port 587) mistakenly.
I'll keep silent until I solve this.
Kenji
* Re: [9front] /sys/lib/tls or /sys/lib/ssl
@ 2018-03-24 2:25 kokamoto
0 siblings, 0 replies; 9+ messages in thread
From: kokamoto @ 2018-03-24 2:25 UTC (permalink / raw)
To: 9front
>ey.rsa | auth/pemencode CERTIFICATE > key.pem
key.pem should be mail.pem
Sorry
Kenji
* Re: [9front] /sys/lib/tls or /sys/lib/ssl
@ 2018-03-24 2:21 kokamoto
0 siblings, 0 replies; 9+ messages in thread
From: kokamoto @ 2018-03-24 2:21 UTC (permalink / raw)
To: 9front
I think I've done this!
This mail is using smtps protocol.
I added terms in the command to make mail.pem like:
auth/rsa2x509 'C=JP CN=*.jitaku.localdomain, user=kokamoto%hera.eonet.ne.jp, !password=xxxxx' /tmp/key.rsa | auth/pemencode CERTIFICATE > key.pem
Kenji
* Re: [9front] /sys/lib/tls or /sys/lib/ssl
@ 2018-03-23 23:51 kokamoto
0 siblings, 0 replies; 9+ messages in thread
From: kokamoto @ 2018-03-23 23:51 UTC (permalink / raw)
To: 9front
Sorry to make noise.
My 9front version has that option, and I used that option like:
/mail/lib/remotemail
exec /bin/upas/smtp -s -t -d -h hera.eonet.ne.jp -g 192.168.11.1 -u kokamoto%hera.eonet.ne.jp tcp!smtps.eonet.ne.jp!465 $sender $* >[2] /mail/tmp/smtp.err
I got the /mail/lib/smtp.err like:
send ClientHello
version: 0303
....
recv ServerHello
version: 0303
....
recv Certificate
<1751>....
....
<1105>....
....
recv ServerHelloDone
tls secrets
send HClientKeyExchange
....
send HFinished
b57615488264d5de988f4af3
recv HFinished
4c3f70ee45cef0269479e4ac
Fri Mar 23 09:05:47 JST 2018 connect to tcp!smtps.eonet.ne.jp!465 (smtps.eonet.ne.jp:203.140.81.13) hello:
QUIT
220 mailauthmsa11.mozu.eo.k-opti.ad.jp ESMTP Fri, 23 Mar 2018 09:05:47 +0900
/sys/log/smtp.fail is:
ci5dell Mar 23 09:05:47 delivery at tcp!smtps.eonet.ne.jp!465 (smtps.eonet.ne.jp:203.140.81.13) hello failed:
Kenji
* Re: [9front] /sys/lib/tls or /sys/lib/ssl
@ 2018-03-23 23:37 kokamoto
0 siblings, 0 replies; 9+ messages in thread
From: kokamoto @ 2018-03-23 23:37 UTC (permalink / raw)
To: 9front
Yes, that's it.
However, the upas version I have has not that -t option.
I may have to update my 9front.
Kenji
* Re: [9front] /sys/lib/tls or /sys/lib/ssl
@ 2018-03-23 13:50 cinap_lenrek
0 siblings, 0 replies; 9+ messages in thread
From: cinap_lenrek @ 2018-03-23 13:50 UTC (permalink / raw)
To: 9front
you mean the -t flag?
smtp(8):
-t preemptively establish TLS connection before SMTP handshake (SMTPS).
--
cinap
* /sys/lib/tls or /sys/lib/ssl
@ 2018-03-20 5:13 Dr.Kenji Okamoto
2018-03-20 13:11 ` [9front] " Steve Simon
0 siblings, 1 reply; 9+ messages in thread
From: Dr.Kenji Okamoto @ 2018-03-20 5:13 UTC (permalink / raw)
To: 9front
I'm now trying to setup email to our smtps(port 465) server.
Now I have a question how to use /sys/lib/tls or /sys/lib/ssl.
What is the difference between the two?
Kenji
====from my new OpenBSD 6.2 PC====
* Re: [9front] /sys/lib/tls or /sys/lib/ssl
2018-03-20 5:13 Dr.Kenji Okamoto
@ 2018-03-20 13:11 ` Steve Simon
0 siblings, 0 replies; 9+ messages in thread
From: Steve Simon @ 2018-03-20 13:11 UTC (permalink / raw)
To: 9front
Hi Kenji,
I believe /sys/lib/ssl is just historic, smtpd still uses it as the default
place to find TLS/SSL certificates but I override it on the command line on my server.
My /rc/bin/service/tcp465 contains
exec /bin/tlssrv -c /sys/lib/tls/mail.pem -l ssmtpd -r `{cat $3/remote} /bin/upas/smtpd -a -g -n $3
I wrote some notes on how to generate a new certificate as my self-signed one expired a year or so ago.
--------------------------------------
make a safe (not backed up) place to work
ramfs
cd /tmp
generate a key pair
auth/rsagen -b 2048 -t 'service=tls role=client owner=*' > key.rsa
generate a certificate
auth/rsa2x509 'C=GB CN=*.mydomain.dom' /tmp/key.rsa | auth/pemencode CERTIFICATE > key.pem
you can check your certificate using the web interface:
https://certlogik.com
Update your secstore - used for sending email
auth/secstore -G factotum > factotum.old
grep -v 'service=tls role=client owner=*' factotum.old > factotum
cat key.rsa >> factotum
diff factotum factotum.old
auth/secstore -p factotum
Update bootes secstore - used by imap4d and pop3d
auth/secstore -G factotum > factotum.old
grep -v 'service=tls role=client owner=*' factotum.old > factotum
cat key.rsa >> factotum
diff factotum factotum.old
auth/secstore -p factotum
install the certificate here to allow httpd to speak https
cp key.pem /usr/web/sitename.pem
chmod 644 /usr/web/sitename.pem
install the certificate here to allow smtpd to speak EHLO
cp key.pem /sys/lib/tls/mail
chmod 644 /sys/lib/tls/mail
reboot server so it re-reads bootes factotum
you can check email is working using:
https://www.checktls.com/perl/live/TestReceiver.pl
-Steve