AMaViSd-new TLS Support Question
Klaus Tachtler
klaus at tachtler.net
Mon Oct 26 12:00:31 CET 2015
Hi,
FIRST, thank you Patrick for the link to the patch, BUT that doesn't
solve the problem:
_WARN:
*******************************************************************\n
Using the default of SSL_verify_mode of SSL_VERIFY_NONE for client\n
is deprecated! Please set SSL_verify_mode to SSL_VERIFY_PEER\n
together with SSL_ca_file|SSL_ca_path for verification.\n
If you really don't want to verify the certificate and keep the\n
connection open to Man-In-The-Middle attacks please set\n
SSL_verify_mode explicitly to SSL_VERIFY_NONE in your application.\n
*******************************************************************\n
at /usr/sbin/amavisd line 8406.
Now I take the patch from Markus Benning to enable the right use of TLS,
and ADD A FEW LINES, to solve the problem described above.
I'm NOT a perl programmer, and I don't want to destroy the great work
that was done to build AMaViS in the past. So I post my patch here,
so that people who know more than I do about AMaViS and perl can make things
right or better.
So please keep an eye on my work:
The patch was based on the latest AMaViS package from EPEL for CentOS-7:
Name : amavisd-new
Arch : noarch
Version : 2.10.1
Release : 4.el7
Size : 3.1 M
Repo : installed
From repo : epel
----- PATCH to solve SSL_verify_mode problem - START -----
--- /usr/sbin/amavisd.orig 2014-10-26 01:06:00.000000000 +0200
+++ /usr/sbin/amavisd 2015-10-26 10:09:45.868759224 +0100
@@ -388,6 +388,8 @@
$smtp_connection_cache_on_demand $smtp_connection_cache_enable
$smtpd_recipient_limit
$smtpd_tls_cert_file $smtpd_tls_key_file
+ $smtpd_tls_cipher_list $smtpd_tls_version $smtpd_tls_verify_mode
+ $smtpd_tls_CAfile $smtpd_tls_honor_cipher_order $smtpd_dh_params_file
$enforce_smtpd_message_size_limit_64kb_min
$MAXLEVELS $MAXFILES
$MIN_EXPANSION_QUOTA $MIN_EXPANSION_FACTOR
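Review bot: the new server-side names in this export list are inconsistent with each other and with the existing `$smtpd_tls_*` pair: `$smtpd_dh_params_file` drops the `tls_` part and `$smtpd_tls_CAfile` is the only mixed-case name. Consider `$smtpd_tls_dh_params_file` and `$smtpd_tls_ca_file` so the options sort together in amavisd.conf and in the documentation.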
@@ -407,6 +409,7 @@
@dkim_signing_keys_list @dkim_signing_keys_storage
$file $altermime $enable_anomy_sanitizer
)],
+ 'tls_client' => [qw( $smtp_tls_cipher_list $smtp_tls_version
$smtp_tls_verify_mode $smtp_tls_CAfile)],
'sa' => # global SpamAssassin settings
[qw(
$spamcontrol_obj $sa_num_instances
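Review bot: the continuation line `$smtp_tls_verify_mode $smtp_tls_CAfile)],` has no leading `+`, so the patch as posted will not apply; the same holds for the other lines the mail client wrapped (the two `legacy_confvars ...` lines, the metacpan URL after `# see`, and the `$smtpd_tls_honor_cipher_order ) : (),` line). It would also help to add a comment on why the client variables get a separate `tls_client` tag while the server-side ones go into the general list in the previous hunk, since an admin reading the config docs will expect both sets in one place.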
@@ -512,7 +515,7 @@
)],
);
Exporter::export_tags qw(dynamic_confvars confvars sa platform
- hidden_confvars legacy_dynamic_confvars
legacy_confvars);
+ hidden_confvars legacy_dynamic_confvars
legacy_confvars tls_client);
1;
} # BEGIN
@@ -1013,6 +1016,19 @@
$smtpd_tls_cert_file = undef; # e.g. "$MYHOME/cert/amavisd-cert.pem"
$smtpd_tls_key_file = undef; # e.g. "$MYHOME/cert/amavisd-key.pem"
+ # see
https://metacpan.org/pod/distribution/IO-Socket-SSL/lib/IO/Socket/SSL.pod#SSL_version
+ $smtpd_tls_cipher_list = undef; # SSL_cipher_list
+ $smtpd_tls_version = undef; # SSL_version
+ $smtpd_tls_CAfile = undef; # SSL_ca_file
+ $smtpd_tls_verify_mode = undef; # SSL_verify_mode
+ $smtpd_tls_honor_cipher_order = undef; # SSL_honor_cipher_order
+ $smtpd_dh_params_file = undef; # SSL_dh_file
+
+ $smtp_tls_cipher_list = undef; # SSL_cipher_list
+ $smtp_tls_version = undef; # SSL_version
+ $smtp_tls_CAfile = undef; # SSL_client_ca_file
+ $smtp_tls_verify_mode = undef; # SSL_verify_mode
+
$dkim_minimum_key_bits = 1024; # min acceptable DKIM key size (in bits)
# for whitelisting
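Review bot: the comment on `$smtp_tls_CAfile` names `SSL_client_ca_file`, but in IO::Socket::SSL that is a server-side option (the CA names a server advertises when requesting a client certificate); the option a client needs to verify the server chain is `SSL_ca_file`, which is exactly what the quoted warning asks for. The comments should also state what the values look like: `SSL_version` takes a string such as `'SSLv23:!SSLv3:!SSLv2'` and `SSL_verify_mode` a numeric IO::Socket::SSL constant. With every default left `undef` the deprecation warning keeps appearing until `$smtp_tls_verify_mode` is set in amavisd.conf, which is worth saying in a comment next to that variable.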
@@ -7934,7 +7950,7 @@
use vars qw(@ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $VERSION);
$VERSION = '2.404';
@ISA = qw(Exporter);
- import Amavis::Conf qw(:platform);
+ import Amavis::Conf qw(:platform :tls_client);
import Amavis::Util qw(ll do_log min max minmax idn_to_ascii);
}
@@ -8389,6 +8405,14 @@
IO::Socket::SSL->start_SSL($sock, SSL_session_cache => $ssl_cache,
SSL_error_trap =>
sub { my($sock,$msg)=@_; do_log(-2,"Error on socket: %s",$msg) },
+ defined $smtp_tls_verify_mode ?
+ ( SSL_verify_mode => $smtp_tls_verify_mode ) : (),
+ defined $smtp_tls_version ?
+ ( SSL_version => $smtp_tls_version ) : (),
+ defined $smtp_tls_cipher_list ?
+ ( SSL_cipher_list => $smtp_tls_cipher_list ) : (),
+ defined $smtp_tls_CAfile ?
+ ( SSL_client_ca_file => $smtp_tls_CAfile ) : (),
%params,
) or die "Error upgrading socket to SSL: ".IO::Socket::SSL::errstr();
$self->{last_event} = 'ssl-upgrade';
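Review bot: `SSL_client_ca_file => $smtp_tls_CAfile` should be `SSL_ca_file => $smtp_tls_CAfile`; on the client side `SSL_client_ca_file` supplies no trust anchors, so setting `$smtp_tls_verify_mode` to SSL_VERIFY_PEER would not verify the server against the configured file. Two more points to check: because the socket is upgraded with `start_SSL` there is no PeerHost available for hostname verification, so a verifying configuration also needs `SSL_verifycn_name` (with a scheme such as `'smtp'`); and `%params` is spliced in after the new options, so anything already in `%params` silently overrides them, which may be intended but should be documented.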
@@ -21943,6 +21967,18 @@
SSL_passwd_cb => sub { 'example' },
SSL_key_file => $smtpd_tls_key_file,
SSL_cert_file => $smtpd_tls_cert_file,
+ defined $smtpd_tls_verify_mode ?
+ ( SSL_verify_mode => $smtpd_tls_verify_mode ) : (),
+ defined $smtpd_tls_version ?
+ ( SSL_version => $smtpd_tls_version ) : (),
+ defined $smtpd_tls_cipher_list ?
+ ( SSL_cipher_list => $smtpd_tls_cipher_list ) : (),
+ defined $smtpd_tls_CAfile ?
+ ( SSL_ca_file => $smtpd_tls_CAfile ) : (),
+ defined $smtpd_tls_honor_cipher_order ?
+ ( SSL_honor_cipher_order =>
$smtpd_tls_honor_cipher_order ) : (),
+ defined $smtpd_dh_params_file ?
+ ( SSL_dh_file => $smtpd_dh_params_file ) : (),
) or die "Error upgrading socket to SSL: ".
IO::Socket::SSL::errstr();
if ($self->{smtp_inpbuf} ne '') {
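Review bot: `SSL_ca_file` is the correct option in this server-side hunk, which means the two halves of the patch map the parallel names `$smtp_tls_CAfile` and `$smtpd_tls_CAfile` to different IO::Socket::SSL options; a config comment should make that explicit. Two behaviours to document as well: `SSL_verify_mode => SSL_VERIFY_PEER` on the server requests a client certificate but, without SSL_VERIFY_FAIL_IF_NO_PEER_CERT, still accepts clients that present none; and a missing or unreadable `$smtpd_dh_params_file` only surfaces when the `or die` here fires on the first incoming connection, so the path should be checked at startup.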
----- PATCH to solve SSL_verify_mode problem - END -----
Thanks to everybody who was watching this
Klaus Tachtler.
--
------------------------------------------
e-Mail : klaus at tachtler.net
Homepage: http://www.tachtler.net
DokuWiki: http://www.dokuwiki.tachtler.net
------------------------------------------
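Added example (not part of Klaus's patch or of the amavisd code): the client-side IO::Socket::SSL options the quoted warning asks for, applied to an already-connected socket with start_SSL the way amavisd does. The host name, port and CA bundle path are placeholders; the point is the option names, in particular SSL_ca_file rather than SSL_client_ca_file for the trust store.

```perl
#!/usr/bin/perl
# Added illustration, not amavisd code. Host, port and CA path are placeholders.
use strict;
use warnings;
use IO::Socket::INET;
use IO::Socket::SSL qw(SSL_VERIFY_PEER);

my $host    = 'mail.example.invalid';                # placeholder
my $port    = 25;                                    # placeholder
my $ca_file = '/etc/pki/tls/certs/ca-bundle.crt';    # placeholder path

# Plain TCP connection first; amavisd upgrades such a socket after STARTTLS.
my $sock = IO::Socket::INET->new(
    PeerHost => $host, PeerPort => $port, Timeout => 10,
) or die "connect failed: $!";

# ... the SMTP greeting and the STARTTLS exchange would happen here ...

# Upgrade with explicit verification. SSL_verify_mode => SSL_VERIFY_PEER and
# SSL_ca_file together are what the deprecation warning asks for. Because
# start_SSL has no PeerHost, the name to check must be given explicitly.
IO::Socket::SSL->start_SSL($sock,
    SSL_verify_mode     => SSL_VERIFY_PEER,      # verify the server chain
    SSL_ca_file         => $ca_file,             # trust anchors (NOT SSL_client_ca_file)
    SSL_verifycn_name   => $host,                # hostname to match in the cert
    SSL_verifycn_scheme => 'smtp',               # RFC 6125 style matching for SMTP
    SSL_version         => 'SSLv23:!SSLv3:!SSLv2', # negotiate TLS only
) or die "TLS upgrade failed: " . IO::Socket::SSL::errstr();

# Setting SSL_verify_mode explicitly, even to SSL_VERIFY_NONE, is what
# silences the warning; only SSL_VERIFY_PEER actually protects the session.
print "TLS established, peer verified as $host\n";
close $sock;
```

The same option set, with SSL_ca_file in place of SSL_client_ca_file, is what the client-side hunk of the patch would need to pass for `$smtp_tls_verify_mode = SSL_VERIFY_PEER` to verify against `$smtp_tls_CAfile`.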