Software
Articles
qmail
Window Maker
Cfengine
No Machine
UNIX profile
Rants
Blog
3D
Photos
OpenSSL
CV
Contact

OpenSSL notes

STARTTLS in qmail
=================
You will need the qmail-tls patch:
http://www.esat.kuleuven.ac.be/~vermeule/qmail/tls.patch


What the patch does, part 1
---------------------------
qmail-smtpd will accept the STARTTLS command.  This lets clients speak 
SMTP/SSL to the server.  Everything up to STARTTLS is unencrypted but 
after STARTTLS occurs the session is encrypted.

For this to work you need to make a certificate (RSA has been tested) 
for qmail-smtpd.  Assuming you have a CA cert in /etc/ssl/certs and 
that you have changed to that directory (see README.openssl for more 
details), do this:

    openssl req -new -nodes -out qmail.csr -keyout qmail.key
    ./sign.sh qmail.csr
    cat qmail.key qmail.crt > ~qmaild/control/servercert.pem
    chown qmaild.qmail ~qmaild/control/servercert.pem
    chmod 400 ~qmaild/control/servercert.pem

OK what was all that about?

First up we generated a new certificate signing request (and key to go with it) 
using openssl req.  The -nodes option is used to prevent the certificate blurb 
from being encrypted.  Next we signed the key and then copied it to the qmail 
controls directory.

qmail-smtpd will expect to find a file called servercert.pem containing a 
private key and matching certificate (IN THAT ORDER).  This is different to 
apache and OpenLDAP which require you to specify the key and cert in separate 
files.  Note that using the cat command as described above will leave you with 
a whole bunch of certificate blurb in between the key and certificate (ie 
between -----END RSA PRIVATE KEY----- and -----BEGIN CERTIFICATE-----).  You 
may safely trash this text if you like.

You can test this out by telnetting to port 25 on the mail server and typing 
starttls.  You should see "220 ready for tls" after which qmail will expect 
encoded stuff.
Netscape or some other MUA that supports STARTTLS should also work at this 
point.


    BIG IMPORTANT WARNING:

    STARTTLS won't work if you use fixcrio or some other program that helps 
    out those broken clients and servers out there that violate the SMTP 
    specs by not sending CRLF properly.  You must choose whether to support 
    buggy clients or secure clients.



What the patch does, part 2
---------------------------
qmail-remote is also patched, and will attempt to negotiate STARTTLS with 
remote servers.  For this to work you need a signed cert called clientcert.pem 
in the controls directory.  Making such a cert is no harder than making the 
server cert.  You may even choose to just link() the two files if you wish.

     openssl req -new -nodes -out qmail.csr -keyout qmail.key
    ./sign.sh qmail.csr
    cat qmail.key qmail.crt > ~qmailr/control/clientcert.pem
    chown qmailr.qmail ~qmailr/control/clientcert.pem
    chmod 400 ~qmailr/control/clientcert.pem
   
As with the server cert, you are at liberty to nuke the certificate blurb 
plaintext.

Outgoing mail will be ssl tunnelled if possible.  Note that it is not an error 
if the remote server doesn't support STARTTLS, UNLESS you put its certificate 
in a file called fqdn.pem where fqdn is the fqdn of the server in question.


What the patch does, part 3
---------------------------
So far we've got qmail receiving mail over an encrypted channel.  This is of 
course utterly useless in practical terms because the mail will probably only 
be relayed out through an unencrypted link anyway, and even if it isn't it will 
probably be read via POP3.

We can, however, do something more useful with this patch.  You can also tell 
qmail-smtpd to accept mail for relaying when a client connects with a kosher 
certificate.  We need to do two things.  First, append the certificate of the 
CA that signed the client's cert to clientca.pem.  If you used your own ca.crt 
to sign other clientcert.pem files for clients to use when they connect to 
your qmail-smtpd, it is sufficient to do this:

    cp ca.crt ~qmaild/control/clientca.pem

Otherwise you will have to get the cert from the CA and append it to 
clientca.pem.

Secondly, you must add the email address associated with the client's cert to 
tlsclients in the control directory.  If the client entered the email address 
of relaying@domain.com when creating the certificate signing request, you must 
add relaying@domain.com to tlsclients.