Debugging encrypted SMTP connections


Debugging encrypted SMTP connections

by oliwel

Hi All,

I am running netqmail with TLS patch and need to debug the SMTP traffic
on an encrypted connection. Usually I use recordio which writes the
network traffic to the logfile, but this also works before encryption
takes place.

Is there any convenient way to get the data from qmail-smtp after it's
decrypted? Or is there a flag to temporarily turn off TLS, preferably
just for a special host?

TIA

Oliver
--
Protect your environment -  close windows and adopt a penguin!
PGP-Key: 3B2C 8095 A7DF 8BB5 2CFF  8168 CAB7 B0DD 3985 1721

Re: Debugging encrypted SMTP connections

by Kyle Wheeler-2

On Sunday, September 20 at 01:18 AM, quoth Oliver Welter:
> Is there any convenient way to get the data from qmail-smtp after
> it's decrypted?

Unfortunately, not really. That's one of the benefits of some of the
other TLS solutions (i.e. ucspi-tcp-ssl).

> Or is there a flag to temporarily turn off TLS, preferably just for a
> special host.

For inbound? Assuming you're using Frederick Vermeulen's SSL patch,
nope. :(

What problem are you trying to solve? Maybe there's another way to
solve it.

~Kyle
--
In the game of life and evolution there are three players at the
table: Human Beings,  Nature, and Machines. I am firmly on the side of
Nature. But Nature, I suspect, is on the side of the Machines.
                                                       -- George Dyson

Re: Debugging encrypted SMTP connections

by Jason Haar

On 09/20/2009 11:18 AM, Oliver Welter wrote:
>
> Is there any convenient way to get the data from qmail-smtp after it's
> decrypted? Or is there a flag to temporarily turn off TLS, preferably
> just for a special host.
>

Can't you just disable TLS (eg by renaming the server cert) during your
testing?


--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


Re: Debugging encrypted SMTP connections

by oliwel

Hi Kyle,

> What problem are you trying to solve? Maybe there's another way to
> solve it.

I have a problem with one special sender - it's some kind of stupid
newsletter solution, sending the same email now since 17 days approx 500
times. The sender blames, that my server always terminates the
connection with an error and they therefore keep sending the message
again and again.

All I can see in the qmail-smtp logs is a nice "tcpserver status 0" on
each delivery, the message is delivered to the users mailbox with
headers looking good. I am running qmail-scanner from the
qmail-queue-patch but can't see any errors here.

I meanwhile set the sender on my blacklist and assume the fault is on
their side - honestly, sending the same mail for 500 times is not
acceptable, even if my server does weird things.

Oliver
--
Protect your environment -  close windows and adopt a penguin!
PGP-Key: 3B2C 8095 A7DF 8BB5 2CFF  8168 CAB7 B0DD 3985 1721

Re: Debugging encrypted SMTP connections

by Erwin Hoffmann

Hi Oliver,

Maybe it is worthwhile to try a different TLS solution for qmail.

Within SPAMCONTROL you have TLS/STARTTLS on the server side.
However, you need to install ucspi-tls (from superscript) as well.

It allows you to define a per-connection setting of TLS.
And perhaps it will provide a solution for your problem.

BTW: What mailing list are you referring to?

regards.
--eh.

--On Sunday, September 20, 2009 21:46:38 +0200 Oliver Welter
<mail@...> wrote:

> Hi Kyle,
>
>> What problem are you trying to solve? Maybe there's another way to
>> solve it.
>
> I have a problem with one special sender - it's some kind of stupid
> newsletter solution, sending the same email now since 17 days approx 500
> times. The sender blames, that my server always terminates the
> connection with an error and they therefore keep sending the message
> again and again.
>
> All I can see in the qmail-smtp logs is a nice "tcpserver status 0" on
> each delivery, the message is delivered to the users mailbox with
> headers looking good. I am running qmail-scanner from the
> qmail-queue-patch but can't see any errors here.
>
> I meanwhile set the sender on my blacklist and assume the fault is on
> their side - honestly, sending the same mail for 500 times is not
> acceptable, even if my server does weird things.
>
> Oliver
> --
> Protect your environment -  close windows and adopt a penguin!
> PGP-Key: 3B2C 8095 A7DF 8BB5 2CFF  8168 CAB7 B0DD 3985 1721
>



Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de/

Re: Debugging encrypted SMTP connections

by Jason Haar

On 09/21/2009 07:46 AM, Oliver Welter wrote:
>
> All I can see in the qmail-smtp logs is a nice "tcpserver status 0" on
> each delivery, the message is delivered to the users mailbox with
> headers looking good. I am running qmail-scanner from the
> qmail-queue-patch but can't see any errors here.

Here's a guess. Take a look at your qmail-scanner debug logs -
/var/spool/qscan/qmail-queue.log. See how long that message takes to
process. Then check your tcpserver logs, see how long the client stayed
connected. See if the former is longer than the latter.

I'm guessing you're going to find that either your AV or Spamassassin is
taking a long time to process the message (eg 4+ minutes), and the
offending SMTP client is non-RFC compliant (RFC1123 to be precise) and
is "hanging up" before Qmail-Scanner finishes. So you end up with Q-S
delivering the message, but the client thinking something went wrong and
it retries: end result: loop.

Solution: either make your system process the message faster, or get
them to re-evaluate their SMTP timeout (it's supposed to be at least 10
minutes)

But that's a guess of course.

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


Re: Debugging encrypted SMTP connections

by Matt Simpson-11

At 9:46 PM 9/20/09, Oliver Welter wrote:
>I have a problem with one special sender - it's some kind of stupid
>newsletter solution, sending the same email now since 17 days approx 500
>times. The sender blames, that my server always terminates the
>connection with an error and they therefore keep sending the message
>again and again.


Ask the sender to be more specific about what he thinks your server
is doing.  If he says your sender "terminates the connection with an
error", he should be able to provide the error message or return code
that it is allegedly sending him.

Re: Debugging encrypted SMTP connections

by oliwel

Hi Erwin,

> maybe it is worthwhile to try a different TLS solution for qmail.
>
> Within SPAMCONTROL you have TLS/STARTTLS on the server side.
> However, you need to install ucspi-tls (from superscript) as well.

Hm, as I am a lazy guy I run the config shipped by Gentoo which uses the
TLS/SMTPAUTH patch from shupp.org. As I didn't see any problems so far,
it's hard to spend some extra time to go away from that...

> BTW: What mailing list are you referring to?

It's a private newsletter tool, I don't know what software is running there.

Oliver

> regards.
> --eh.
>
> --On Sunday, September 20, 2009 21:46:38 +0200 Oliver Welter
> <mail@...> wrote:
>
> Hi Kyle,
>
>>>> What problem are you trying to solve? Maybe there's another way to
>>>> solve it.
>
> I have a problem with one special sender - it's some kind of stupid
> newsletter solution, sending the same email now since 17 days approx 500
> times. The sender blames, that my server always terminates the
> connection with an error and they therefore keep sending the message
> again and again.
>
> All I can see in the qmail-smtp logs is a nice "tcpserver status 0" on
> each delivery, the message is delivered to the users mailbox with
> headers looking good. I am running qmail-scanner from the
> qmail-queue-patch but can't see any errors here.
>
> I meanwhile set the sender on my blacklist and assume the fault is on
> their side - honestly, sending the same mail for 500 times is not
> acceptable, even if my server does weird things.
>
> Oliver
>>

> Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de/

--
Protect your environment -  close windows and adopt a penguin!
PGP-Key: 3B2C 8095 A7DF 8BB5 2CFF  8168 CAB7 B0DD 3985 1721

Re: Debugging encrypted SMTP connections

by oliwel

Hi Jason,

Jason Haar wrote:

> On 09/21/2009 07:46 AM, Oliver Welter wrote:
>> All I can see in the qmail-smtp logs is a nice "tcpserver status 0" on
>> each delivery, the message is delivered to the users mailbox with
>> headers looking good. I am running qmail-scanner from the
>> qmail-queue-patch but can't see any errors here.
>
> Here's a guess. Take a look at your qmail-scanner debug logs -
> /var/spool/qscan/qmail-queue.log. See how long that message takes to
> process. Then check your tcpserver logs, see how long the client stayed
> connected. See if the former is longer than the latter.
>
> I'm guessing you're going to find that either your AV or Spamassassin is
> taking a long time to process the message (eg 4+ minutes), and the
> offending SMTP client is non-RFC compliant (RFC1123 to be precise) and
> is "hanging up" before Qmail-Scanner finishes. So you end up with Q-S
> delivering the message, but the client thinking something went wrong and
> it retries: end result: loop.
>
> Solution: either make your system process the message faster, or get
> them to re-evaluate their SMTP timeout (it's supposed to be at least 10
> minutes)
>
> But that's a guess of course.

Surely a good one but unfortunately a wrong one:

Tue, 15 Sep 2009 03:25:45 CEST:13958: clamdscan: finished scan in 0.269144 secs
Tue, 15 Sep 2009 03:25:45 CEST:13958: SA: message too big (488710) - skip it

Oliver
--
Protect your environment -  close windows and adopt a penguin!
PGP-Key: 3B2C 8095 A7DF 8BB5 2CFF  8168 CAB7 B0DD 3985 1721
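
The processing-time half of the check discussed in the last two posts, as an added example that is not part of the thread: it groups qmail-queue.log lines by pid, totals the reported scan times, and lists runs slower than a given client timeout. It assumes only the two line shapes quoted above; the pid 14002 lines and the 240-second timeout are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Line shape as in the qmail-queue.log excerpt quoted in this thread:
#   "<date> <tz>:<pid>: <message>"
LINE = re.compile(r"^(\w{3}, \d{1,2} \w{3} \d{4} \d\d:\d\d:\d\d) \w+:(\d+): (.*)$")
SCAN = re.compile(r"^(\S+): finished scan in ([\d.]+) secs")
SKIP = re.compile(r"^SA: message too big \((\d+)\) - skip it")

# The pid 13958 lines are the ones quoted in the thread; the pid 14002 lines
# are constructed sample data standing in for a slow scan.
SAMPLE_LOG = [
    "Tue, 15 Sep 2009 03:25:45 CEST:13958: clamdscan: finished scan in 0.269144 secs",
    "Tue, 15 Sep 2009 03:25:45 CEST:13958: SA: message too big (488710) - skip it",
    "Tue, 15 Sep 2009 03:30:11 CEST:14002: clamdscan: finished scan in 251.3 secs",
    "Tue, 15 Sep 2009 03:30:11 CEST:14002: SA: message too big (488710) - skip it",
]

def summarize(lines):
    """Group log lines by qmail-scanner pid and total the reported scan times."""
    runs = defaultdict(lambda: {"first": None, "last": None,
                                "scan_secs": 0.0, "sa_skipped": False})
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # ignore lines in shapes this example does not know
        ts = datetime.strptime(m.group(1), "%a, %d %b %Y %H:%M:%S")
        run = runs[int(m.group(2))]
        run["first"] = run["first"] or ts
        run["last"] = ts
        if (scan := SCAN.match(m.group(3))):
            run["scan_secs"] += float(scan.group(2))
        elif SKIP.match(m.group(3)):
            run["sa_skipped"] = True
    return dict(runs)

def exceeds_timeout(runs, client_timeout_secs):
    """Pids whose processing took longer than the sender is willing to wait."""
    slow = []
    for pid, run in runs.items():
        span = (run["last"] - run["first"]).total_seconds()
        if max(span, run["scan_secs"]) > client_timeout_secs:
            slow.append(pid)
    return sorted(slow)

if __name__ == "__main__":
    runs = summarize(SAMPLE_LOG)
    for pid, run in sorted(runs.items()):
        print(pid, run["scan_secs"], "SA skipped" if run["sa_skipped"] else "")
    print("slower than 240 s:", exceeds_timeout(runs, 240))
```

The log timestamps have one-second resolution, so sub-second runs such as pid 13958 show a span of zero and only the reported scan time is meaningful for them.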