9front - general discussion about 9front
* Re: [9front] /sys/lib/tls or /sys/lib/ssl
@ 2018-03-23 23:51 kokamoto
From: kokamoto @ 2018-03-23 23:51 UTC
  To: 9front

Sorry to make noise.
My 9front version has that option, and I used that option like:
/mail/lib/remotemail
exec /bin/upas/smtp -s -t -d -h hera.eonet.ne.jp -g 192.168.11.1 -u kokamoto%hera.eonet.ne.jp tcp!smtps.eonet.ne.jp!465 $sender $* >[2] /mail/tmp/smtp.err

I got the /mail/lib/smtp.err like:
send ClientHello
	version: 0303
....

recv ServerHello
	version: 0303

....

recv Certificate
	<1751>....
....
	<1105>....
....
recv ServerHelloDone

tls secrets

send HClientKeyExchange
....
send HFinished
b57615488264d5de988f4af3

recv HFinished
4c3f70ee45cef0269479e4ac

Fri Mar 23 09:05:47 JST 2018 connect to tcp!smtps.eonet.ne.jp!465 (smtps.eonet.ne.jp:203.140.81.13) hello:

QUIT
220 mailauthmsa11.mozu.eo.k-opti.ad.jp ESMTP Fri, 23 Mar 2018 09:05:47 +0900

/sys/log/smtp.fail is:
ci5dell Mar 23 09:05:47 delivery  at tcp!smtps.eonet.ne.jp!465 (smtps.eonet.ne.jp:203.140.81.13) hello failed: 

Kenji


* Re: [9front] /sys/lib/tls or /sys/lib/ssl
@ 2018-03-24  3:54 kokamoto
From: kokamoto @ 2018-03-24  3:54 UTC
  To: 9front

Sorry, sorry.
I sent the previous mail through smtpauth (port 587) mistakenly.

I'll keep silent until I solve this.

Kenji


* Re: [9front] /sys/lib/tls or /sys/lib/ssl
@ 2018-03-24  2:25 kokamoto
From: kokamoto @ 2018-03-24  2:25 UTC
  To: 9front

>ey.rsa | auth/pemencode CERTIFICATE > key.pem

key.pem should be mail.pem

Sorry

Kenji




* Re: [9front] /sys/lib/tls or /sys/lib/ssl
@ 2018-03-24  2:21 kokamoto
From: kokamoto @ 2018-03-24  2:21 UTC
  To: 9front

I think I've done this!

This mail is using the smtps protocol.
I added terms in the command to make mail.pem like:
auth/rsa2x509 'C=JP CN=*.jitaku.localdomain, user=kokamoto%hera.eonet.ne.jp, !password=xxxxx' /tmp/key.rsa | auth/pemencode CERTIFICATE > key.pem

Kenji


* Re: [9front] /sys/lib/tls or /sys/lib/ssl
@ 2018-03-23 23:37 kokamoto
From: kokamoto @ 2018-03-23 23:37 UTC
  To: 9front

Yes, that's it.
However, the upas version I have does not have that -t option.
I may have to update my 9front.

Kenji


* Re: [9front] /sys/lib/tls or /sys/lib/ssl
@ 2018-03-23 13:50 cinap_lenrek
From: cinap_lenrek @ 2018-03-23 13:50 UTC
  To: 9front

you mean the -t flag?

smtp(8):

          -t preemptively establish TLS connection before SMTP handshake (SMTPS).

--
cinap



* Re: [9front] /sys/lib/tls or /sys/lib/ssl
  2018-03-23  0:45 kokamoto
@ 2018-03-23 13:38 ` Steve Simon
From: Steve Simon @ 2018-03-23 13:38 UTC
  To: 9front

I have never used it but I think you just need to wrap tlsclient around smtpd to do raw TLS SMTP (rather than EHLO style)

-Steve


> On 23 Mar 2018, at 00:45, kokamoto@hera.eonet.ne.jp wrote:
> 
> Our provider does not support STARTTLS, but only TLS encrypted communication for secure mail.
> I checked /sys/src/cmd/upas/smtp, and guess we need some function in hello() around:
> 
>        if(tryauth && (encrypted || insecure) &&
>            (cistrncmp(s, "250 AUTH", strlen("250 AUTH")) == 0 ||
>             cistrncmp(s, "250-AUTH", strlen("250 AUTH")) == 0)){
>            ret = doauth(s + strlen("250 AUTH "));
>            s_free(r);
>            return ret;
>        }
>            <=======here=====
>    }
> 
> Am I wrong?
> 
> Kenji




* Re: [9front] /sys/lib/tls or /sys/lib/ssl
@ 2018-03-23  0:45 kokamoto
  2018-03-23 13:38 ` Steve Simon
From: kokamoto @ 2018-03-23  0:45 UTC
  To: 9front

Our provider does not support STARTTLS, but only TLS encrypted communication for secure mail.
I checked /sys/src/cmd/upas/smtp, and guess we need some function in hello() around:

		if(tryauth && (encrypted || insecure) &&
		    (cistrncmp(s, "250 AUTH", strlen("250 AUTH")) == 0 ||
		     cistrncmp(s, "250-AUTH", strlen("250 AUTH")) == 0)){
			ret = doauth(s + strlen("250 AUTH "));
			s_free(r);
			return ret;
		}
			<=======here=====
	}

Am I wrong?

Kenji



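The two ways of securing submission that cinap's -t description and Kenji's hello() question turn on, as an added Python example (not upas code): with implicit TLS the handshake happens before the first SMTP byte and the 220 greeting arrives inside the tunnel; with STARTTLS the client must read the greeting and EHLO in clear, upgrade, then EHLO again. ScriptedPeer, its replies and the host name are constructed; a real client would back the same three methods with a socket and ssl.

```python
"""Client start of an SMTP session in the two modes the thread contrasts: implicit
TLS (SMTPS/465, what upas/smtp -t does) and EHLO/STARTTLS (587). Peer is scripted."""

class ScriptedPeer:
    """Stand-in for the server socket. 'implicit' encodes the rule that separates the
    ports: an SMTPS peer expects the TLS ClientHello before any SMTP traffic, a
    STARTTLS peer only right after a STARTTLS command. Replies are constructed."""
    def __init__(self, replies, implicit):
        self.replies, self.implicit = list(replies), implicit
        self.sent, self.tls = [], False
    def readline(self):
        return self.replies.pop(0) if self.replies else ""
    def writeline(self, line):
        self.sent.append(line)
    def start_tls(self):
        ok = not self.sent if self.implicit else self.sent[-1:] == ["STARTTLS"]
        if not ok:
            raise ConnectionError("peer is not expecting a TLS handshake here")
        self.tls = True

def ehlo(peer, host):
    """Send EHLO, return the capability words from the 250-/250 reply lines."""
    peer.writeline(f"EHLO {host}")
    caps = []
    while True:
        line = peer.readline()
        if not line.startswith("250") or len(line) < 4:
            raise RuntimeError(f"ehlo failed: {line!r}")
        caps.append(line[4:].split()[0].upper() if line[4:].split() else "")
        if line[3] == " ":
            return caps

def start_session(peer, host, implicit_tls):
    """Return the capability list seen inside TLS; raise where upas logs 'hello failed'."""
    if implicit_tls:
        peer.start_tls()        # -t: handshake before the first SMTP byte
    banner = peer.readline()
    if not banner.startswith("220"):
        peer.writeline("QUIT")  # no greeting: give up, as the smtp.fail line shows
        raise RuntimeError(f"hello failed: {banner!r}")
    caps = ehlo(peer, host)
    if implicit_tls:
        return caps             # already encrypted; AUTH can follow
    if "STARTTLS" not in caps:
        raise RuntimeError("server offers no STARTTLS; use SMTPS or another port")
    peer.writeline("STARTTLS")
    if not peer.readline().startswith("220"):
        raise RuntimeError("STARTTLS refused")
    peer.start_tls()
    return ehlo(peer, host)     # re-read capabilities inside the tunnel
```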

* Re: [9front] /sys/lib/tls or /sys/lib/ssl
  2018-03-20  5:13 Dr.Kenji Okamoto
@ 2018-03-20 13:11 ` Steve Simon
From: Steve Simon @ 2018-03-20 13:11 UTC
  To: 9front

Hi Kenji,

I believe /sys/lib/ssl is just historic; smtpd still uses it as the default
place to find TLS/SSL certificates, but I override it on the command line on my server.

My /rc/bin/service/tcp465 contains

	exec /bin/tlssrv -c /sys/lib/tls/mail.pem -l ssmtpd -r `{cat $3/remote} /bin/upas/smtpd -a -g -n $3

I wrote some notes on how to generate a new certificate as my self-signed one expired a year or so ago.

--------------------------------------
make a safe (not backed up) place to work
	ramfs
	cd /tmp

generate a key pair

	auth/rsagen -b 2048 -t 'service=tls role=client owner=*' > key.rsa

generate a certificate 

	auth/rsa2x509 'C=GB CN=*.mydomain.dom' /tmp/key.rsa | auth/pemencode CERTIFICATE > key.pem

you can check your certificate using the web interface:

	https://certlogik.com

Update your secstore - used for sending email

	auth/secstore -G factotum > factotum.old
	grep -v 'service=tls role=client owner=*' factotum.old > factotum
	cat key.rsa >> factotum
	diff factotum factotum.old
	auth/secstore -p factotum


Update bootes secstore - used by imap4d and pop3d

	auth/secstore -G factotum > factotum.old
	grep -v 'service=tls role=client owner=*' factotum.old > factotum
	cat key.rsa >> factotum
	diff factotum factotum.old
	auth/secstore -p factotum

install the certificate here to allow httpd to speak https

	cp key.pem /usr/web/sitename.pem
	chmod 644 /usr/web/sitename.pem

install the certificate here to allow smtpd to speak EHLO 

	cp key.pem /sys/lib/tls/mail
	chmod 644 /sys/lib/tls/mail

reboot server so it re-reads bootes factotum

you can check email is working using:

	https://www.checktls.com/perl/live/TestReceiver.pl


-Steve



Thread overview: 9+ messages
2018-03-23 23:51 [9front] /sys/lib/tls or /sys/lib/ssl kokamoto
2018-03-24  3:54 kokamoto
2018-03-24  2:25 kokamoto
2018-03-24  2:21 kokamoto
2018-03-23 23:37 kokamoto
2018-03-23 13:50 cinap_lenrek
2018-03-23  0:45 kokamoto
2018-03-23 13:38 ` Steve Simon
2018-03-20  5:13 Dr.Kenji Okamoto
2018-03-20 13:11 ` [9front] " Steve Simon
