Install.Starttls
Connect to QP with netcat, on port 25 for a running installation or on port 2500 if you are still starting QP by hand during setup:
nc mail.example.com 25
Netcat should show QP's greeting, which will look like this:
220 mail.example.com ESMTP qpsmtpd 0.92 ready; send us your mail, but not your spam.
Send this command to QP:
EHLO mypc.example.com
And the server will respond with something like:
250-mail.example.com Hi mypc.example.com [192.nn.nn.nnn]
250-PIPELINING
250-8BITMIME
250 AUTH PLAIN LOGIN CRAM-MD5
And now end the connection with the QUIT verb:
QUIT
221 mail.example.com closing connection. Have a wonderful day.
If your server advertised STARTTLS, then you are done. If it did not (as in the example above, where only PIPELINING, 8BITMIME and AUTH were advertised), continue setting up STARTTLS.
Generate a self-signed TLS certificate and key with the helper that ships with QP, and move them into the config directory:
cd ~smtpd/smtpd
perl plugins/tls_cert
mv ssl config
If you already have a certificate from a CA, either edit the tls plugin's line in config/plugins to point at your files, or copy them into the default location. The server certificate goes first in qpsmtpd-server.crt, followed by the CA chain, and the key file should be owned by the user QP runs as and readable by nobody else:
cd ~smtpd/smtpd/config/ssl
cat /my/ssl/cert.crt > qpsmtpd-server.crt
cat /my/ssl/ca.crt >> qpsmtpd-server.crt
cat /my/ssl/cert.key > qpsmtpd-server.key
cd ~smtpd/smtpd
sed -i.bak -E -e 's/#tls/tls/' config/plugins
(This uncomments the tls plugin in config/plugins. The -i.bak form is accepted by both GNU and BSD sed; afterwards check that the tls line is no longer commented out.)
Restart QP:
svc -t ~smtpd/smtpd
If you are still setting up QP and running it by hand, press Control-C to stop it and start ./run again.
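Before restarting QP, it is worth confirming that the files the tls plugin will load are consistent. The script below is an added example and is not part of the qpsmtpd wiki or the qpsmtpd project; it assumes the openssl command-line tool is installed, and the function names (check_tls_files, demo_tls_check) are its own. It checks that the private key matches the first certificate in qpsmtpd-server.crt (which also catches a bundle concatenated with the CA chain before the server certificate) and that the key is not world-readable.

```shell
#!/bin/sh
# Added example, not from the qpsmtpd wiki or the qpsmtpd project.
# Sanity-check the files the tls plugin will load before restarting QP:
#   1. the private key matches the FIRST certificate in qpsmtpd-server.crt
#      (a purchased cert must be concatenated leaf-first, CA chain after), and
#   2. the key is not readable by other users.
# Assumes the openssl CLI is installed; function names are this example's own.

# check_tls_files CRT KEY -> returns 0 when both checks pass, 1 otherwise.
check_tls_files() {
    crt=$1
    key=$2
    ok=0
    # Public key of the first certificate in the bundle (x509 reads only one cert)
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || {
        echo "FAIL: cannot parse a certificate from $crt"; return 1; }
    # Public key derived from the private key (works for RSA and EC keys)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
        echo "FAIL: cannot parse a private key from $key"; return 1; }
    if [ "$crt_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match the first certificate in $crt (wrong key, or CA chain placed before the server cert)"
        ok=1
    fi
    # The "other" read bit is column 8 of ls -l output (-rw-r--r-- -> 'r')
    if [ "$(ls -l "$key" | cut -c8)" = "r" ]; then
        echo "FAIL: $key is world-readable; chmod 600 it and chown it to the user QP runs as"
        ok=1
    fi
    [ "$ok" -eq 0 ] && echo "OK: key matches the first certificate and is not world-readable"
    return "$ok"
}

# Demo on a throwaway self-signed pair generated here (constructed, not your real files).
demo_tls_check() {
    tmp=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=mail.example.com' \
        -keyout "$tmp/qpsmtpd-server.key" -out "$tmp/qpsmtpd-server.crt" >/dev/null 2>&1
    chmod 600 "$tmp/qpsmtpd-server.key"
    check_tls_files "$tmp/qpsmtpd-server.crt" "$tmp/qpsmtpd-server.key"
    demo_rc=$?
    rm -rf "$tmp"
    return $demo_rc
}

demo_tls_check
```

To check your real files, run check_tls_files ~smtpd/smtpd/config/ssl/qpsmtpd-server.crt ~smtpd/smtpd/config/ssl/qpsmtpd-server.key as the user that owns them.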
Connect to QP again with netcat, and confirm that your server is now advertising STARTTLS.
% nc mail.example.com 2500
220 mail.example.com ESMTP qpsmtpd 0.92 ready; send us your mail, but not your spam.
EHLO mypc.example.com
250-mail.example.com Hi matt.tnpi.net [192.nn.nn.nn]
250-PIPELINING
250-8BITMIME
250 STARTTLS
quit
221 mail.example.com closing connection. Have a wonderful day.
Notice that the AUTH mechanisms are no longer advertised. With TLS enabled, QP does not offer AUTH until the connection has been encrypted, so PLAIN and LOGIN credentials (which are sent in the clear) cannot be captured on the wire. This is a VERY good default; it can be changed by editing config/tls_before_auth, but think hard before doing so.
Next, open a new connection to the server, this time encrypted, using openssl (again, port 2500 if QP is running by hand):
openssl s_client -connect mail.example.com:25 -starttls smtp
That command connects to the mail server, issues EHLO and the STARTTLS command, and then upgrades the connection to TLS. The server certificate and handshake details will scroll by; with the self-signed certificate generated above, expect a non-zero verify result (Verify return code 18, self signed certificate), which is fine for this test but is what real clients will refuse unless they trust the certificate. You should then be presented with this:
250 STARTTLS
Continue the SMTP conversation as before:
EHLO mypc.example.com
250-mail.example.com Hi [192.nn.nn.nnn] [10.nn.nn.nnn]
250-PIPELINING
250-8BITMIME
250 AUTH PLAIN LOGIN CRAM-MD5
QUIT
221 mail.example.com closing connection. Have a wonderful day.
closed
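The two manual sessions above amount to a policy check: STARTTLS must be offered in the clear, AUTH must not be, and AUTH must appear once the session is encrypted. The script below automates that check. It is an added example, not from the qpsmtpd wiki or the qpsmtpd project; the function names (ehlo_keywords, audit_ehlo, live_audit) are its own, the sample responses are constructed from the transcripts on this page, and live_audit assumes nc and openssl are installed and the server is reachable.

```shell
#!/bin/sh
# Added example, not from the qpsmtpd wiki or the qpsmtpd project.
# Audits the two EHLO responses this page walks through by hand (plaintext,
# then inside TLS) and fails if the server would let a client AUTH in the
# clear. Function names are this example's own; samples are constructed.

# Print the ESMTP keyword of every 250- / 250 line of an EHLO response, one
# per line, upper-cased, CRs stripped. The greeting line yields the server
# hostname, which is harmless for the checks below.
ehlo_keywords() {
    printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^250[- ]//p' | awk '{print toupper($1)}'
}

# audit_ehlo PLAINTEXT_RESPONSE TLS_RESPONSE
# Returns 0 when STARTTLS is offered in the clear, AUTH is withheld until the
# session is encrypted, and AUTH is offered once it is; 1 otherwise.
audit_ehlo() {
    plain_kw=$(ehlo_keywords "$1")
    tls_kw=$(ehlo_keywords "$2")
    audit_rc=0
    if ! printf '%s\n' "$plain_kw" | grep -qx STARTTLS; then
        echo "FAIL: STARTTLS not advertised on the plaintext connection"
        audit_rc=1
    fi
    if printf '%s\n' "$plain_kw" | grep -qx AUTH; then
        echo "FAIL: AUTH advertised before STARTTLS (tls_before_auth disabled?); PLAIN/LOGIN credentials could cross the wire in the clear"
        audit_rc=1
    fi
    if ! printf '%s\n' "$tls_kw" | grep -qx AUTH; then
        echo "FAIL: AUTH not advertised inside TLS"
        audit_rc=1
    fi
    [ "$audit_rc" -eq 0 ] && echo "OK: STARTTLS offered, AUTH only inside TLS"
    return "$audit_rc"
}

# live_audit HOST [PORT]: talk to a real server. Plaintext EHLO via nc (the
# sleep keeps stdin open long enough to read the reply), then EHLO again
# through openssl s_client -starttls smtp. Needs network access.
live_audit() {
    host=$1
    port=${2:-25}
    plain_resp=$( { printf 'EHLO audit.example.com\r\nQUIT\r\n'; sleep 2; } | nc "$host" "$port" )
    tls_resp=$( printf 'EHLO audit.example.com\r\nQUIT\r\n' | openssl s_client -quiet -connect "$host:$port" -starttls smtp 2>/dev/null )
    audit_ehlo "$plain_resp" "$tls_resp"
}

# Constructed samples, modelled on the transcripts on this page.
EHLO_PLAIN='220 mail.example.com ESMTP qpsmtpd 0.92 ready
250-mail.example.com Hi mypc.example.com [192.0.2.10]
250-PIPELINING
250-8BITMIME
250 STARTTLS
221 mail.example.com closing connection.'

EHLO_TLS='250-mail.example.com Hi [192.0.2.10]
250-PIPELINING
250-8BITMIME
250 AUTH PLAIN LOGIN CRAM-MD5
221 mail.example.com closing connection.'

# What a server with tls_before_auth disabled would look like: AUTH next to STARTTLS.
EHLO_PLAIN_WEAK='250-mail.example.com Hi mypc.example.com [192.0.2.10]
250-PIPELINING
250-STARTTLS
250 AUTH PLAIN LOGIN CRAM-MD5'

audit_ehlo "$EHLO_PLAIN" "$EHLO_TLS"
audit_ehlo "$EHLO_PLAIN_WEAK" "$EHLO_TLS" || echo "(the weak configuration was correctly rejected)"
```

Against your own server, run live_audit mail.example.com 25 (or 2500) after restarting QP; a FAIL on the second check means AUTH is being offered before encryption and tls_before_auth deserves a look.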
Voila, secure connections are working! You can return to the main Install page.