AMaViSd-new TLS Support Question

Klaus Tachtler klaus at tachtler.net
Mon Oct 26 12:00:31 CET 2015


Hi,

FIRST, thank you Patrick for the link to the patch, BUT that doesn't  
solve the problem:

_WARN: *******************************************************************\n
 Using the default of SSL_verify_mode of SSL_VERIFY_NONE for client\n
 is deprecated! Please set SSL_verify_mode to SSL_VERIFY_PEER\n
 together with SSL_ca_file|SSL_ca_path for verification.\n
 If you really don't want to verify the certificate and keep the\n
 connection open to Man-In-The-Middle attacks please set\n
 SSL_verify_mode explicitly to SSL_VERIFY_NONE in your application.\n
*******************************************************************\n
 at /usr/sbin/amavisd line 8406.

Now I take the patch from Markus Benning to enable the right use of TLS
and ADD A FEW LINES to solve the problem described above.

I'm NOT a Perl programmer, and I don't want to destroy the great work
that was done to build AMaViS in the past. So I post my patch here, so
that people who know more than I do about AMaViS and Perl can make things
right or better.

So please keep an eye on my work:

The patch was based on the latest AMaViS package from EPEL for CentOS-7:

Name        : amavisd-new
Arch        : noarch
Version     : 2.10.1
Release     : 4.el7
Size        : 3.1 M
Repo        : installed
From repo   : epel

----- PATCH to solve SSL_verify_mode problem - START -----

--- /usr/sbin/amavisd.orig	2014-10-26 01:06:00.000000000 +0200
+++ /usr/sbin/amavisd	2015-10-26 10:09:45.868759224 +0100
@@ -388,6 +388,8 @@
        $smtp_connection_cache_on_demand $smtp_connection_cache_enable
        $smtpd_recipient_limit
        $smtpd_tls_cert_file $smtpd_tls_key_file
+      $smtpd_tls_cipher_list $smtpd_tls_version $smtpd_tls_verify_mode
+      $smtpd_tls_CAfile $smtpd_tls_honor_cipher_order $smtpd_dh_params_file
        $enforce_smtpd_message_size_limit_64kb_min
        $MAXLEVELS $MAXFILES
        $MIN_EXPANSION_QUOTA $MIN_EXPANSION_FACTOR
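Review bot: $smtpd_dh_params_file breaks the $smtpd_tls_ prefix that the other five new server-side variables (and the existing $smtpd_tls_cert_file/$smtpd_tls_key_file pair) share; $smtpd_tls_dh_params_file would keep all server-side TLS settings findable under one prefix. Minor, but easier to rename now than after it appears in amavisd.conf-default.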
@@ -407,6 +409,7 @@
        @dkim_signing_keys_list @dkim_signing_keys_storage
        $file $altermime $enable_anomy_sanitizer
      )],
+    'tls_client' => [qw( $smtp_tls_cipher_list $smtp_tls_version  
$smtp_tls_verify_mode $smtp_tls_CAfile)],
      'sa' =>  # global SpamAssassin settings
      [qw(
        $spamcontrol_obj $sa_num_instances
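Review bot: the added line has been wrapped by the mail client, so `$smtp_tls_verify_mode $smtp_tls_CAfile)],` continues on a line with no leading `+`; as posted this hunk will not apply with `patch`, and the export_tags, defaults and server-side hunks below are wrapped the same way. Please re-send the patch as an attachment or with line wrapping disabled.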
@@ -512,7 +515,7 @@
      )],
    );
    Exporter::export_tags qw(dynamic_confvars confvars sa platform
-                      hidden_confvars legacy_dynamic_confvars  
legacy_confvars);
+                      hidden_confvars legacy_dynamic_confvars  
legacy_confvars tls_client);
    1;
  } # BEGIN

@@ -1013,6 +1016,19 @@
    $smtpd_tls_cert_file = undef;     # e.g. "$MYHOME/cert/amavisd-cert.pem"
    $smtpd_tls_key_file  = undef;     # e.g. "$MYHOME/cert/amavisd-key.pem"

+  # see  
https://metacpan.org/pod/distribution/IO-Socket-SSL/lib/IO/Socket/SSL.pod#SSL_version
+  $smtpd_tls_cipher_list = undef;  # SSL_cipher_list
+  $smtpd_tls_version = undef;  # SSL_version
+  $smtpd_tls_CAfile = undef;   # SSL_ca_file
+  $smtpd_tls_verify_mode = undef;   # SSL_verify_mode
+  $smtpd_tls_honor_cipher_order = undef; # SSL_honor_cipher_order
+  $smtpd_dh_params_file = undef;   # SSL_dh_file
+
+  $smtp_tls_cipher_list = undef;   # SSL_cipher_list
+  $smtp_tls_version = undef;   # SSL_version
+  $smtp_tls_CAfile = undef;    # SSL_client_ca_file
+  $smtp_tls_verify_mode = undef;   # SSL_verify_mode
+
    $dkim_minimum_key_bits = 1024;    # min acceptable DKIM key size (in bits)
                                      # for whitelisting
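Review bot: leaving $smtp_tls_verify_mode undef keeps the exact warning this mail opens with, because the client hunk then passes no SSL_verify_mode and IO::Socket::SSL falls back to its deprecated SSL_VERIFY_NONE default. Default it to 1 (SSL_VERIFY_PEER) here, and document that the value has to be numeric (0 or 1) unless the IO::Socket::SSL constants are imported where amavisd.conf is evaluated. The comment `# SSL_client_ca_file` on $smtp_tls_CAfile is also misleading: for a client verifying a server the relevant option is SSL_ca_file (see the note on the start_SSL hunk).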

@@ -7934,7 +7950,7 @@
    use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION);
    $VERSION = '2.404';
    @ISA = qw(Exporter);
-  import Amavis::Conf qw(:platform);
+  import Amavis::Conf qw(:platform :tls_client);
    import Amavis::Util qw(ll do_log min max minmax idn_to_ascii);
  }

@@ -8389,6 +8405,14 @@
    IO::Socket::SSL->start_SSL($sock, SSL_session_cache => $ssl_cache,
      SSL_error_trap =>
        sub { my($sock,$msg)=@_; do_log(-2,"Error on socket: %s",$msg) },
+    defined $smtp_tls_verify_mode ?
+      ( SSL_verify_mode => $smtp_tls_verify_mode ) : (),
+    defined $smtp_tls_version ?
+      ( SSL_version => $smtp_tls_version ) : (),
+    defined $smtp_tls_cipher_list ?
+      ( SSL_cipher_list => $smtp_tls_cipher_list ) : (),
+    defined $smtp_tls_CAfile ?
+      ( SSL_client_ca_file => $smtp_tls_CAfile ) : (),
      %params,
    ) or die "Error upgrading socket to SSL: ".IO::Socket::SSL::errstr();
    $self->{last_event} = 'ssl-upgrade';
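Review bot: `SSL_client_ca_file => $smtp_tls_CAfile` does not feed the configured CA bundle into server-certificate verification; in IO::Socket::SSL that option is a server-side setting naming the CAs acceptable for client certificates. The client side needs `SSL_ca_file => $smtp_tls_CAfile` (or SSL_ca_path), otherwise SSL_VERIFY_PEER verifies against whatever default CA store IO::Socket::SSL locates, not the file the admin configured. Consider also passing SSL_verifycn_scheme => 'smtp' together with SSL_verifycn_name set to the peer host, since SSL_verify_mode alone checks the chain, not that the certificate belongs to the host being contacted. Placing the new options before %params is correct: anything the caller already sets still wins.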
@@ -21943,6 +21967,18 @@
                SSL_passwd_cb => sub { 'example' },
                SSL_key_file  => $smtpd_tls_key_file,
                SSL_cert_file => $smtpd_tls_cert_file,
+	        defined $smtpd_tls_verify_mode ?
+              ( SSL_verify_mode => $smtpd_tls_verify_mode ) : (),
+	        defined $smtpd_tls_version ?
+              ( SSL_version => $smtpd_tls_version ) : (),
+                defined $smtpd_tls_cipher_list ?
+              ( SSL_cipher_list => $smtpd_tls_cipher_list ) : (),
+                defined $smtpd_tls_CAfile ?
+              ( SSL_ca_file => $smtpd_tls_CAfile ) : (),
+                defined $smtpd_tls_honor_cipher_order ?
+              ( SSL_honor_cipher_order =>  
$smtpd_tls_honor_cipher_order ) : (),
+                defined $smtpd_dh_params_file ?
+              ( SSL_dh_file => $smtpd_dh_params_file ) : (),
              ) or die "Error upgrading socket to SSL: ".
                       IO::Socket::SSL::errstr();
              if ($self->{smtp_inpbuf} ne '') {
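Review bot: two of the added lines (`defined $smtpd_tls_verify_mode ?` and `defined $smtpd_tls_version ?`) are indented with a tab while the rest of the block and the surrounding code use spaces; normalize to spaces before this is applied. On semantics: on the server side SSL_VERIFY_PEER only requests a client certificate, and a client presenting none is still accepted unless SSL_VERIFY_FAIL_IF_NO_PEER_CERT is OR-ed into the mode, so a comment in amavisd.conf-default would stop people from assuming that setting 1 enforces client certificates. SSL_dh_file and SSL_honor_cipher_order are the right options for the two new variables.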

----- PATCH to solve SSL_verify_mode problem - END -----

Thanks to everybody who was watching this.
Klaus Tachtler.


--

------------------------------------------
e-Mail  : klaus at tachtler.net
Homepage: http://www.tachtler.net
DokuWiki: http://www.dokuwiki.tachtler.net
------------------------------------------
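What the warning quoted at the top of this mail asks for, as an added Perl example that is neither the amavisd code nor the patch above: an IO::Socket::SSL client option list that verifies the server. The %conf values are hypothetical stand-ins for the patch's $smtp_tls_* variables (the CA bundle path is the CentOS-7 default and is an assumption), and the SSL_verifycn_scheme/SSL_verifycn_name hostname check is IO::Socket::SSL's own feature that the patch does not set.

```perl
#!/usr/bin/perl
# Added example, not part of the amavisd patch in this mail: build a
# verifying IO::Socket::SSL client option list from amavisd-style
# $smtp_tls_* settings instead of relying on the deprecated library default.
use strict;
use warnings;
use IO::Socket::SSL qw(SSL_VERIFY_PEER SSL_VERIFY_NONE);

# Hypothetical configuration values mirroring the patch's $smtp_tls_*
# variables (the CA bundle path is the CentOS-7 default; an assumption).
my %conf = (
    smtp_tls_verify_mode => SSL_VERIFY_PEER,
    smtp_tls_CAfile      => '/etc/pki/tls/certs/ca-bundle.crt',
    smtp_tls_version     => 'SSLv23:!SSLv2:!SSLv3',  # IO::Socket::SSL SSL_version syntax
    smtp_tls_cipher_list => 'HIGH:!aNULL:!MD5',
);

# Returns the key/value list to splice into IO::Socket::SSL->start_SSL or
# IO::Socket::SSL->new on the client side. An unset verify mode becomes
# SSL_VERIFY_PEER rather than falling through to the library default, and
# an explicit SSL_VERIFY_NONE is rejected instead of silently accepted.
sub tls_client_opts {
    my ($conf, $peer_host) = @_;
    my $mode = $conf->{smtp_tls_verify_mode};
    $mode = SSL_VERIFY_PEER unless defined $mode;
    die "refusing SSL_VERIFY_NONE for outgoing SMTP to $peer_host\n"
        if $mode == SSL_VERIFY_NONE;
    return (
        SSL_verify_mode => $mode,
        # The CA bundle used to verify the *server* goes into SSL_ca_file.
        # SSL_client_ca_file is a server-side option (CAs advertised for
        # client certificates) and plays no part in this check.
        (defined $conf->{smtp_tls_CAfile}
            ? (SSL_ca_file => $conf->{smtp_tls_CAfile}) : ()),
        # Also check that the certificate was issued for the host we dialed;
        # a valid chain alone does not prove that.
        SSL_verifycn_scheme => 'smtp',
        SSL_verifycn_name   => $peer_host,
        (defined $conf->{smtp_tls_version}
            ? (SSL_version => $conf->{smtp_tls_version}) : ()),
        (defined $conf->{smtp_tls_cipher_list}
            ? (SSL_cipher_list => $conf->{smtp_tls_cipher_list}) : ()),
    );
}

# Usage: perl tls_client_opts.pl             -> print the option list (offline)
#        perl tls_client_opts.pl host:465    -> open a verified SMTPS connection
my ($host, $port) = split /:/, ($ARGV[0] // ''), 2;
my %opts = tls_client_opts(\%conf, $host || 'mail.example.com');
if (!$host) {
    printf "%-20s => %s\n", $_, $opts{$_} for sort keys %opts;
    exit 0;
}
my $sock = IO::Socket::SSL->new(
    PeerHost => $host,
    PeerPort => $port || 465,
    %opts,
) or die "TLS connect to $host failed: $IO::Socket::SSL::SSL_ERROR\n";
printf "verified %s: %s\n", $host, $sock->peer_certificate('subject');
```

Run without arguments to see the option list that would be handed to start_SSL; with host:port it performs a real TLS handshake against an SMTPS port and dies, rather than proceeding, if the chain or the hostname does not verify. The STARTTLS case in amavisd is the same list spliced into start_SSL on an already-open socket, which is exactly where the quoted warning is emitted.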