On Friday, May 18 at 03:09 PM, quoth Alex Kirk:
while (and a lot of CPU). Create those files and update them
regularly (per the documentation that comes with the SSL patch),
and it'll be *much* faster.
Here's my question: I have /var/qmail/control/clientcert.pem and
/var/qmail/control/servercert.pem, but not dk512.pem and dh1024.pem. In
fact, I'd never seen those two file names previous to today. Are you
absolutely certain that I need files with those names, or would the ones I
have work?
From the patch's documentation:
when a 512 bit RSA key is provided in /var/qmail/control/rsa512.pem,
this key will be used instead of (slow) on-the-fly generation by
qmail-smtpd. Idem for 512 and 1024 DH params in control/dh512.pem
and control/dh1024.pem. `make tmprsadh` does this.
Periodical replacement can be done by crontab:
01 01 * * * /var/qmail/bin/update_tmprsadh > /dev/null 2>&1
He says it's "slow", but what he meant to say is "glacially
'eat-your-CPU-alive' slow" (I've had this problem before on one of my
servers).
and I am authenticating to my relay server. To be honest, I forget
exactly which patch I used for that...I got it working very late at night
after several hours of poking at it and trying different patches, and I
was so confused by the time I finished I just threw my hands up and said
"thank goodness it works!" Looks like I have a "qmail-remote-auth.patch"
in my Qmail source directory, so that's probably it.
Mmm... yich. Well, if it works for you, cool. (It liked breaking on me.)
It's probably got a few dozen little bugs in there, and possibly a
security flaw or two---so if you have the time, I highly recommend looking
into fixing it.
::Sigh:: I'll put it on my list. I'd love to fix it -- it's a horribly
buggy patch -- but it may be a while before I find the time. Of course, if
anyone reading this wants to pay me to fix it (the work would still be
GPL/BSD/whatever open license it currently is), I'll prioritize it. ;-)
HEH. :D Yup, I had a similar experience. I found a few bugs and submitted
them back to Dr. Hoffmann (who is currently maintaining it), but after
a while I gave up and found another way of getting my mail to relay (I
didn't have a ton of free time to debug it).
Technically, if it works for you, then it's probably fine, as long as
you trust the server you're relaying through.
No such luck. I've already had the mail client I'm using now
configured to use TLS, so I turned on top and sent a message to the
misbehaving server. No rogue processes at all -- I didn't even see a
new qmail-smtpd before the message was delivered. So I'm pretty sure
it's not just a STARTTLS thing.
Hmmm.... well, before I say things are conclusive, do that openssl
check I gave you.
~Kyle
--
Of course it's the same old story. Truth usually is the same old
story.
-- Margaret Thatcher
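The pre-generation and nightly rotation that the patch documentation quoted above describes, as an added shell example (not the patch's own update_tmprsadh script): the file names and bit sizes are the ones the documentation gives, while CONTROL_DIR, MAX_AGE_DAYS, the file modes and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not the TLS patch's own update_tmprsadh. Pre-generates the
# temporary RSA key and DH parameters that qmail-smtpd otherwise computes on the
# fly, replaces each file atomically, and reports missing or stale files.
# CONTROL_DIR, MAX_AGE_DAYS and the file modes are assumptions.
CONTROL_DIR="${CONTROL_DIR:-/var/qmail/control}"
MAX_AGE_DAYS="${MAX_AGE_DAYS:-1}"

# install_pem DEST MODE SUBCMD BITS: run "openssl SUBCMD -out TMP BITS" into a
# temp file and rename it into place, so qmail-smtpd never reads a partial PEM.
install_pem() {
    dest="$1"; mode="$2"; subcmd="$3"; bits="$4"
    tmp="$dest.tmp.$$"
    if (umask 077; openssl "$subcmd" -out "$tmp" "$bits" 2>/dev/null); then
        chmod "$mode" "$tmp" && mv -f "$tmp" "$dest"
    else
        rm -f "$tmp"; return 1
    fi
}

# Generate the three files the patch documentation names. The bit sizes are
# what this old patch looks for; they are far below today's minimums. The RSA
# key is private, so it is kept group-readable only (the group is assumed to
# be the one qmail-smtpd runs under); DH parameters are public values.
update_tmprsadh() {
    install_pem "$CONTROL_DIR/rsa512.pem" 0640 genrsa 512 &&
    install_pem "$CONTROL_DIR/dh512.pem"  0644 dhparam 512 &&
    install_pem "$CONTROL_DIR/dh1024.pem" 0644 dhparam 1024
}

# Report each file that is missing, empty, or last modified more than
# MAX_AGE_DAYS full days ago; returns 1 if any is, 0 if all are fresh.
check_tmprsadh() {
    rc=0
    for f in rsa512.pem dh512.pem dh1024.pem; do
        p="$CONTROL_DIR/$f"
        if [ ! -s "$p" ]; then
            echo "missing: $p"; rc=1
        elif [ -n "$(find "$p" -mtime +"$MAX_AGE_DAYS" 2>/dev/null)" ]; then
            echo "stale: $p"; rc=1
        fi
    done
    return "$rc"
}

# Usage: update_tmprsadh.sh update   (from the nightly cron job)
#        update_tmprsadh.sh check    (from monitoring)
case "${1:-}" in
    update) update_tmprsadh ;;
    check)  check_tmprsadh ;;
esac
```

Pointing the crontab line from the documentation at `update` keeps the files fresh, and running `check` from monitoring catches the case where the cron job silently stopped and qmail-smtpd fell back to on-the-fly generation.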