Merge pull request #11 from sagredo-dev/fix-dh_key_too_small

Fix dh key too small
sagredo-dev · Oct 26, 2024 · b3dad6c · b3dad6c
2 parents 65d72bb + 306346d
commit b3dad6c
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -12,11 +12,13 @@ This distribution of qmail puts together netqmail-1.06 with the following patche
   by Krysztof Dabrowski and Bjoern Kalkbrenner.
   It provides cram-md5, login, plain authentication support for qmail-smtpd and qmail-remote.
   http://www.fehcom.de/qmail/smtpauth.html##PATCHES
-* Frederik Vermeulen's qmail-tls patch v. 20231230
-  implements SSL or TLS encrypted and authenticated SMTP.
-  The key is now 4096 bit long and the cert will be owned by vpopmail:vchkpw
+* Frederik Vermeulen's qmail-tls patch v. 20231230  
+  implements SSL or TLS encrypted and authenticated SMTP.  
+  The key is now 4096 bit long and the cert will be owned by vpopmail:vchkpw  
+  Patched to dinamically touch control/notlshosts/<fqdn> if control/notlshosts_auto contains any
+  number greater than 0 in order to skip the TLS connection for remote servers with an obsolete TLS version.  
+  The file update_tmprsadh was modified to chown all .pem files to vpopmail.  
   http://inoa.net/qmail-tls/
-  The file update_tmprsadh was modified to chown all .pem files to vpopmail.
 * Marcel Telka's force-tls patch v. 2016.05.15
   optionally gets qmail to require TLS before authentication to improve security.
   You have to declare FORCETLS=0 if you want to allow the auth without TLS

diff --git a/hier.c b/hier.c
@@ -40,6 +40,7 @@ void hier()
 
   d(auto_qmail,"control",auto_uido,auto_gidq,0755);
   d(auto_qmail,"control/cache",auto_uidv,auto_gidv,0755);
+  d(auto_qmail,"control/notlshosts",auto_uidr,auto_gidq,0755);
   d(auto_qmail,"users",auto_uido,auto_gidq,0755);
   d(auto_qmail,"bin",auto_uido,auto_gidq,0755);
   d(auto_qmail,"boot",auto_uido,auto_gidq,0755);

diff --git a/qmail-remote.c b/qmail-remote.c
@@ -1,3 +1,4 @@
+#include <pwd.h>
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <netinet/in.h>
@@ -375,6 +376,26 @@ char *partner_fqdn = 0;
 # define TLS_QUIT quit(ssl ? "; connected to " : "; connecting to ", "")
 void tls_quit(const char *s1, const char *s2)
 {
+  /*
+     touch control/notlshosts/<fqdn> if control/notlshosts_auto contains any
+     number greater than 0 in order to skip the TLS connection for remote
+     servers with an obsolete TLS version.
+     Thanks Alexandre Fonceca
+   */
+  unsigned long i = 0;
+  if (control_readint(&i,"control/notlshosts_auto") && i) {
+    struct passwd *info = getpwuid(getuid()); // get qmail dir
+    FILE *fp;
+    char acfcommand[1200];
+    sprintf(acfcommand, "/bin/touch %s/control/notlshosts/'%s'", info->pw_dir, partner_fqdn);
+    fp = popen(acfcommand, "r");
+    if (fp == NULL) {
+      out("Failed to run touch command ");
+      exit(1);
+    }
+    pclose(fp);
+  }
+  /* end skip TLS patch */
   out((char *)s1); if (s2) { out(": "); out((char *)s2); } TLS_QUIT;
 }
 # define tls_quit_error(s) tls_quit(s, ssl_error())