smtp-auth + qmail-tls (starttls) + forcetls patch for qmail

I have packaged the latest versions of the following patches for netqmail-1.06. You may be interested in the combined patch I have put together here.

qmail-smtp

Provides CRAM-MD5, LOGIN and PLAIN authentication support.

qmail-tls

Implements SSL or TLS encrypted and authenticated SMTP between the MTAs and from MUA to MTA.

force-tls

Optionally makes qmail require TLS before it accepts authentication, to improve security.

Usage

wget http://notes.sagredo.eu/sites/notes.sagredo.eu/files/qmail/roberto-netqmail-1.06_auth_tls_force-tls.patch-xxxx.xx.xx
wget http://qmail.org/netqmail-1.06.tar.gz
tar xzf netqmail-1.06.tar.gz
cd netqmail-1.06
chown -R root.root .
patch < ../roberto-netqmail-1.06_auth_tls_force-tls.patch-2012.10.28
make
make setup check

Forcing STARTTLS

By default, authentication is refused if the client has not issued the STARTTLS command first. If you want to allow authentication on connections without TLS, just put

export FORCETLS=0

in your run file. Any value other than 0, or leaving the variable unset, forces TLS before authentication.

Managing auth options

You may want to take a look at the README.auth file, especially if you are planning to enable CRAM-MD5 authentication.

Be aware that you have to export SMTPAUTH in your run file.

Comments

Forcetls Question

Hi

I have a question about the forcetls patch:

telnet localhost 25
Trying 127.0.0.1...
Connected to box.
Escape character is '^]'.
220 domain.com ESMTP
ehlo box
250-domain.com
250-STARTTLS
250-PIPELINING
250-8BITMIME
250-SIZE 67108864
250 AUTH LOGIN PLAIN CRAM-MD5
auth login
538 auth not available without TLS (#5.3.3)
quit
221 domain.com
Connection closed by foreign host.

If forcetls is active, why offer authentication on an unencrypted connection?

swaks -t user@domain.com -f test@domain.com -s localhost -p25 -au test@domain.com -ap password
=== Trying localhost:25...
=== Connected to localhost.
<- 220 domain.com ESMTP
-> EHLO localhost.localdomain
<- 250-domain.com
<- 250-STARTTLS
<- 250-PIPELINING
<- 250-8BITMIME
<- 250-SIZE 67108864
<- 250 AUTH LOGIN PLAIN CRAM-MD5
-> AUTH CRAM-MD5
<** 538 auth not available without TLS (#5.3.3)
-> AUTH LOGIN
<** 538 auth not available without TLS (#5.3.3)
-> AUTH PLAIN AHRlc3RAZG9tYWluLmNvbQBwYXNzd29yZA==
<** 538 auth not available without TLS (#5.3.3)
*** No authentication type succeeded
-> QUIT
<- 221 wampir7.pl
=== Connection closed with remote host

Auth is not available without TLS, and yet the password was sent in clear text when AUTH PLAIN authentication was attempted.
Is this correct and meaningful?

The correct solution - gmail.com:

telnet smtp.gmail.com 25
Trying 74.125.79.108...
Connected to smtp.gmail.com.
Escape character is '^]'.
220 mx.google.com ESMTP a10sm4909715een.6
ehlo gmail.com
250-mx.google.com at your service, [83.230.14.219]
250-SIZE 35882577
250-8BITMIME
250-STARTTLS
250 ENHANCEDSTATUSCODES
auth login
530 5.7.0 Must issue a STARTTLS command first. a10sm4909715een.6
quit
221 2.0.0 closing connection a10sm4909715een.6
Connection closed by foreign host.

The server does not provide authorization for connection without encryption:

swaks -t user@domain.com -f test@gmail.com -s smtp.gmail.com -p25 -au test@gmail.com -ap password
=== Trying smtp.gmail.com:25...
=== Connected to smtp.gmail.com.
<- 220 mx.google.com ESMTP h3sm1449764eea.7
-> EHLO localhost.localdomain
<- 250-mx.google.com at your service, [83.230.14.219]
<- 250-SIZE 35882577
<- 250-8BITMIME
<- 250-STARTTLS
<- 250 ENHANCEDSTATUSCODES
*** Host did not advertise authentication
-> QUIT
<- 221 2.0.0 closing connection h3sm1449764eea.7
=== Connection closed with remote host.

No attempt was made at AUTH PLAIN authentication, so the password is safe.
Is such a solution correct? Does it make sense?

In my opinion gmail has the correct solution to prevent sending an unencrypted password in the AUTH PLAIN.

Can you make a similar change to the forcetls patch in the future?

Cheers

I have adjusted the force-tls

I have adjusted the force-tls patch accordingly. Now the program simply does an exit instead of a return if STARTTLS is not provided when required.

Yes, I agree.

Yes, I agree. This is a point where the patch deserves some improvement. I'll fix it when I have some time.

Thanks a lot for the contribution.
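The transcripts in the question above show two server policies: the force-tls patch advertises AUTH in EHLO and then answers 538, so a client such as swaks has already sent an AUTH PLAIN credential in clear before it is refused; gmail does not advertise AUTH before STARTTLS at all and answers 530 5.7.0. The script below is an added example (not code from the page, the qmail patches, or swaks) that an administrator can use to check which of the two a server implements after applying the patch and setting FORCETLS as described in the "Forcing STARTTLS" section. The pure functions are fed the EHLO banners quoted in the thread; the live probe issues AUTH LOGIN without an initial response, so no credential ever leaves the client, and cancels with `*` (RFC 4954) if the server would have accepted it. The verdict names and the helper names are this example's own.

```python
"""Check whether an SMTP server lets clients authenticate before STARTTLS.

Added example; it is not part of the qmail patches or of the original page.
"""
import smtplib
import ssl
import sys

# Verdicts for the pre-STARTTLS state of a server (names chosen for this example).
STRICT = "strict"    # AUTH not advertised and refused before STARTTLS (gmail style)
REFUSED = "refused"  # AUTH advertised but refused before STARTTLS (force-tls 538)
OPEN = "open"        # AUTH accepted before STARTTLS (FORCETLS=0, or no patch)

# Constructed from the EHLO replies quoted in the comment thread.
QMAIL_EHLO = (
    "250-domain.com\n250-STARTTLS\n250-PIPELINING\n250-8BITMIME\n"
    "250-SIZE 67108864\n250 AUTH LOGIN PLAIN CRAM-MD5"
)
GMAIL_EHLO = (
    "250-mx.google.com at your service, [83.230.14.219]\n250-SIZE 35882577\n"
    "250-8BITMIME\n250-STARTTLS\n250 ENHANCEDSTATUSCODES"
)


def forcetls_enabled(value):
    """Mirror the FORCETLS rule from the page: only an exported 0 disables it."""
    if value is None:
        return True
    return value.strip() != "0"


def parse_ehlo(ehlo_text):
    """Return the EHLO keywords (upper-cased) from a multi-line EHLO reply.

    Accepts both raw '250-XYZ' lines and the bare text smtplib keeps in
    ehlo_resp.  The first line is the server's greeting and is skipped.
    """
    caps = set()
    for line in ehlo_text.splitlines()[1:]:
        line = line.strip()
        if line.startswith(("250-", "250 ")):
            line = line[4:]
        words = line.split()
        if words:
            caps.add(words[0].upper())
    return caps


def assess_pre_tls_auth(ehlo_text, auth_code):
    """Classify the pre-STARTTLS policy from the EHLO reply and the AUTH reply code."""
    advertised = "AUTH" in parse_ehlo(ehlo_text)
    if auth_code in (334, 235):   # server continued or completed the exchange
        return OPEN
    if advertised:
        return REFUSED            # e.g. 538 auth not available without TLS
    return STRICT                 # e.g. 530 5.7.0 Must issue a STARTTLS command first


def probe_live(host, port=25, timeout=10):
    """Probe a real server.  Returns (pre-TLS verdict, AUTH advertised after STARTTLS).

    AUTH LOGIN is sent without an initial response, so no credential is
    transmitted; a 334 continuation is cancelled with '*' as RFC 4954 allows.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        conn.ehlo()
        pre_text = conn.ehlo_resp.decode("ascii", "replace")
        code, _ = conn.docmd("AUTH", "LOGIN")
        if code == 334:
            conn.docmd("*")
        verdict = assess_pre_tls_auth(pre_text, code)
        auth_after_tls = None
        if "STARTTLS" in parse_ehlo(pre_text):
            conn.starttls(context=ssl.create_default_context())
            conn.ehlo()
            post_text = conn.ehlo_resp.decode("ascii", "replace")
            auth_after_tls = "AUTH" in parse_ehlo(post_text)
        return verdict, auth_after_tls


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print(probe_live(target))
```

Run it as `python3 check_forcetls.py mail.example.invalid` against your own server. A REFUSED verdict means the patch is doing its job on the server side, but, as the thread points out, a client that picks AUTH PLAIN from the advertised list will still have sent the credential before the 538 arrives; STRICT avoids that for clients that honour the EHLO advertisement. Either way the client's own "require TLS" setting is what ultimately keeps a password off the wire, so the probe is a server-side check, not a substitute for that setting.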