Diffstat (limited to 'net-mail/qmail/files/1.03-r10/tls-patch.txt')
-rw-r--r--  net-mail/qmail/files/1.03-r10/tls-patch.txt  105
1 files changed, 0 insertions, 105 deletions
diff --git a/net-mail/qmail/files/1.03-r10/tls-patch.txt b/net-mail/qmail/files/1.03-r10/tls-patch.txt
deleted file mode 100644
index 11b29a778f89..000000000000
--- a/net-mail/qmail/files/1.03-r10/tls-patch.txt
+++ /dev/null
@@ -1,105 +0,0 @@
-Frederik Vermeulen <qmail-tls akrul inoa.net> 20021228
-http://inoa.net/qmail/qmail-1.03-tls.patch
-
-This patch implements RFC2487 in qmail. This means you can
-get SSL or TLS encrypted and authenticated SMTP between
-the MTAs and from MUA to MTA.
-The code is considered experimental (but has worked for
-many since its first release on 1999-03-21).
-
-Usage: - install OpenSSL-0.9.6g http://www.openssl.org/
- (any 0.9.6 version is presumed to work)
- - apply patch to qmail-1.03 http://www.qmail.org/
- The patches to qmail-remote.c
- and qmail-smtpd.c can be applied separately.
- - provide a server certificate in /var/qmail/control/servercert.pem.
- "make cert" makes a self-signed certificate.
- "make cert-req" makes a certificate request.
- Note: you can add the CA certificate and intermediate
- certs to the end of servercert.pem.
- - replace qmail-smtpd and/or qmail-remote binary
- - verify operation (header information should show
- something like
- "Received [..] with DES-CBC3-SHA encrypted SMTP;")
- If you don't have a server to test with, you can test
- by sending mail to tag-ping@tbs-internet.com,
- which will bounce your mail.
-
-Optional: - when DEBUG is defined, some extra TLS info will be logged
- - qmail-remote will authenticate with the certificate in
- /var/qmail/control/clientcert.pem. By preference this is
- the same as servercert.pem, where nsCertType should be
- == server,client or be a generic certificate (no usage specified).
- - when a 512 RSA key is provided in /var/qmail/control/rsa512.pem,
- this key will be used instead of on-the-fly generation by
- qmail-smtpd. Periodical replacement can be done by crontab:
- 01 01 * * * umask 0077; /usr/local/ssl/bin/openssl genrsa \
- -out /var/qmail/control/rsa512.new 512 > /dev/null 2>&1 &&\
- chown qmaild:qmail /var/qmail/control/rsa512.new && /bin/mv -f \
- /var/qmail/control/rsa512.new /var/qmail/control/rsa512.pem
- - server authentication:
- qmail-remote requires authentication from servers for which
- /var/qmail/control/tlshosts/host.dom.ain.pem exists.
- The .pem file contains the validating CA certificates
- (or self-signed server certificate).
- CommonName has to match.
- WARNING: this option may cause mail to be delayed, bounced,
- doublebounced, and lost.
- - client authentication:
- when relay rules would reject an incoming mail,
- qmail-smtpd can allow the mail based on a presented cert.
- Certs are verified against a CA list in
- /var/qmail/control/clientca.pem (eg. http://www.modssl.org/
- source/cvs/exp/mod_ssl/pkg.mod_ssl/pkg.sslcfg/ca-bundle.crt)
- and the cert email-address has to match a line in
- /var/qmail/control/tlsclients. This email-address is logged
- in the headers.
- - cipher selection:
- qmail-remote:
- openssl cipher string (`man ciphers`) read from
- /var/qmail/control/tlsclientciphers
- qmail-smtpd:
- openssl cipher string read from TLSCIPHERS environment variable
- (can vary based on client IP address e.g.)
- or if that is not available /var/qmail/control/tlsserverciphers
- - smtps (deprecated SMTP over TLS via port 465):
- qmail-remote: when connecting to port 465
- qmail-smtpd: when SMTPS environment variable is not empty
-
-Caveats: - do a `make clean` after patching
- - binaries dynamically linked with current openssl versions need
- recompilation when the shared openssl libs are upgraded.
- - this patch could conflict with other patches (notably those
- replacing \n with \r\n, which is a bad idea on encrypted links).
- - some broken servers have a problem with TLSv1 compatibility.
- Uncomment the line where we set the SSL_OP_NO_TLSv1 option.
- - needs working /dev/urandom (or EGD for openssl versions >0.9.7)
- for seeding random number generator.
- - packagers should make sure that installing without a valid
- servercert is impossible
- - when applied in combination with AUTH patch, AUTH patch
- should be applied first and first part of this patch
- will fail. This error can be ignored. Packagers should
- cut the first 12 lines of this patch to make a happy
- patch
-
-Copyright: GPL
- Links with OpenSSL
- Inspiration and code from examples in SSLeay (E. Young
- <eay@cryptsoft.com> and T. Hudson <tjh@cryptsoft.com>),
- stunnel (M. Trojnara <mtrojnar@ddc.daewoo.com.pl>),
- Postfix/TLS (L. Jaenicke <Lutz.Jaenicke@aet.tu-cottbus.de>),
- modssl (R. Engelschall <rse@engelschall.com>),
- openssl examples of E. Rescorla <ekr@rtfm.com>.
- Debug code, tlscipher selection, many feature suggestions,
- French docs https://www.TBS-internet.com/ssl/qmail-tls.html
- from Jean-Philippe Donnio <tag-ssl@tbs-internet.com>.
- Openssl usage consulting from B. M"oller <bmoeller@acm.org>.
- Bug report from A. Dustman <adustman@comstar.net>.
- Ssl_timeoutio functions (non-blocking io, timeouts), smtps,
- auth, qmtp, mxps patch compatibility, man pages, code cleanup,
- improved error reporting, RFC2595 server identity check
- from A. Meltzer <albertikm (a) hotmail.com>.
- Bug report from Niall Richard Murphy, Tim Helton.
-
-Bug reports: mailto:<jos-tls@kotnet.org>
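Review bot: this hunk drops the only in-tree description of the TLS patch's control files and their semantics (servercert.pem, clientcert.pem, rsa512.pem, tlshosts/host.dom.ain.pem, clientca.pem, tlsclients, tlsclientciphers, tlsserverciphers, and the TLSCIPHERS/SMTPS environment variables), together with the operational caveats that matter to an admin (`needs working /dev/urandom`, `packagers should make sure that installing without a valid servercert is impossible`, and the note that the `tlshosts` server-authentication option `may cause mail to be delayed, bounced, doublebounced, and lost`). If the 1.03-r10 ebuild still applies the TLS patch, the commit message or the ebuild should say where this documentation now lives (upstream URL or a shared files/ copy) rather than removing it silently; if the text is being relocated instead, the relocated copy should not carry forward the 512-bit `rsa512.pem` ephemeral-key recipe and the `SSL_OP_NO_TLSv1` workaround unreviewed, since both are presented here as routine configuration and a reader of the new location would otherwise inherit them as-is.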