OpenSSL Upgrade Breaks SMTP

Started by joseph, March 18, 2007, 06:28:59 PM


joseph

Using Mail::Toaster 4.10 -

Yesterday I upgraded OpenSSL from 0.9.7 to 0.9.8e, and it seems to have broken smtp SSL services.  Standard smtp and submission work, but any attempts at an SSL handshake on those ports bomb out.

I've recompiled ucspi via toaster_setup.pl -s ucspi.  Stopped and restarted services, didn't seem to fix anything.

IMAP-SSL and POP3-SSL seem to be functioning as intended.

[root@kyogi]:/usr/ports/sysutils/ucspi-tcp# openssl s_client -connect kyogi.net:587
CONNECTED(00000003)
3127:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:478:

Any thoughts?

jerm

Someone please correct me if I'm wrong here, but doesn't an SSL upgrade require a qmail recompile?  I think I ran into the same thing once upon a time.

toaster_setup -s qmail

should fix it.

matt

Jerm is right, you just also need to recompile qmail.

But as mentioned on the mailing list weeks ago, openssl 0.9.8e has changed some internal APIs that break the TLS patches we are using for qmail. Don't upgrade to 0.9.8e.

TheGillis

I did some debugging and found out that the problem is a programming error in netqmail. I wrote a detailed explanation on my site explaining the problem and the fix at http://www.thegillis.net/index.php?option=com_content&task=view&id=41&Itemid=31. I supply a patch at that location for the code.

There is also a simple workaround. Create the file tlsserverciphers in the (qmail home)/control folder. The file should contain one line with the word DEFAULT in it.

Hope this helps.

Brian Gillis
http://www.thegillis.net/
brian@thegillis.net
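The tlsserverciphers workaround from the post above, as an added shell example that is not code from the thread or from Mail::Toaster: it writes the control file, checks that the installed OpenSSL actually accepts the cipher spec before the server is restarted, and probes the submission port with `openssl s_client -starttls smtp` (port 587 speaks plain SMTP before upgrading, so s_client without `-starttls smtp` reports "unknown protocol" even against a healthy server). The qmail home defaults to /var/qmail, which is an assumption.

```shell
#!/bin/sh
# Added example, not from the forum thread. Assumes a qmail layout with a
# control/ directory under the qmail home (default /var/qmail assumed here).

# Write control/tlsserverciphers containing the single line DEFAULT unless a
# non-empty file is already present (an admin's own cipher list is kept).
# Prints the path of the control file.
ensure_tlsserverciphers() {
    qmail_home=${1:-/var/qmail}
    f="$qmail_home/control/tlsserverciphers"
    mkdir -p "$qmail_home/control"
    if [ ! -s "$f" ]; then
        printf 'DEFAULT\n' > "$f"
    fi
    echo "$f"
}

# Return 0 if the first line of the file is a cipher spec the installed
# OpenSSL can parse, 1 otherwise. A spec the library rejects would leave the
# SMTP TLS handshake failing exactly as described in the thread.
cipherfile_ok() {
    spec=$(head -n 1 "$1")
    openssl ciphers "$spec" >/dev/null 2>&1
}

# Probe STARTTLS on the submission port. Succeeds (exit 0) only when s_client
# reports a negotiated cipher other than "(NONE)", i.e. the TLS handshake
# itself completed; certificate verification status is deliberately ignored.
probe_starttls() {
    host=$1
    port=${2:-587}
    printf 'QUIT\r\n' \
        | openssl s_client -starttls smtp -connect "$host:$port" 2>&1 \
        | grep 'Cipher is' | grep -qv '(NONE)'
}
```

Run `probe_starttls mail.example.org` (placeholder host) after restarting the SMTP services to confirm the handshake succeeds.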