Re: [courier-users] invalid UIDNEXT value

2015-04-02 Thread Anders Le Chevalier

 What I just said. This is IMAP's ugly side. There's only one, very 
 specific way, to implement IMAP on the client that has any
 reasonable chance of working with every IMAP server in existence.
 And it's not very obvious what it should be, not obvious at all.
 You can't rely on UIDNEXT. You can't rely on half the stuff in RFC
 3501, because you don't have a lot of guarantees to go on.
 

What is your policy regarding Courier's implementation of IMAP?
Support only bare minimum required features, or add new RFCs, even
though they are optional?

___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users


Re: [courier-users] invalid UIDNEXT value

2015-04-02 Thread Anders Le Chevalier


On 2015-04-02 12:59, Sam Varshavchik wrote:
 Anders Le Chevalier writes:
 
 
 What I just said. This is IMAP's ugly side. There's only one,
 very specific way, to implement IMAP on the client that has
 any reasonable chance of working with every IMAP server in
 existence. And it's not very obvious what it should be, not
 obvious at all. You can't rely on UIDNEXT. You can't rely on
 half the stuff in RFC 3501, because you don't have a lot of
 guarantees to go on.
 
 
 What is your policy regarding Courier's implementation of IMAP? 
 Support only bare minimum required features, or add new RFCs,
 even though they are optional?
 
 There are no formal policies written in stone. What gets done is a 
 combination of what I want to get done, for whatever reason,
 together with anything reasonable that someone else wants to get
 done, and writes a reasonable patch for it.
 

Is there a reason for avoiding support for optional features from new
RFCs? I.e., supporting users who might want or need these features?

~A





Re: [courier-users] Slow sending out port 587

2014-12-16 Thread Anders Le Chevalier


On 2014-12-16 07:20, Mark Constable wrote:
...
 
 Bonus question, aside from fail2ban, has anyone got any rules for iptables
 to block/drop on an OS level any courier-related authdaemon logins and
 these port 25 access attempts?
 

I used fail2ban some time ago. If you want to block failed
authentications you could do something like this:

failregex = error,relay=<HOST>,msg=535


You can test this with:

~# fail2ban-regex -v courier.log 'error,relay=<HOST>,msg=535'

This would match log lines like this:

Dec 16 16:44:43 mail courieresmtpd:
error,relay=:::91.81.64.210,msg=535 Authentication failed.,cmd:
AUTH LOGIN amlt jim

It is excellent for server performance and bandwidth to add DROP lines
for these in iptables. Look at other forms of failure, such as relaying,
dns or error commands too.


I guess it might be possible to have some iptables rules that parse the
data stream to courier for the response - but is that really more
efficient than fail2ban?

~A
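
The matching and counting that fail2ban performs with the failregex above, as an added example that is not part of the original message and is not fail2ban's own code. The `<HOST>` expansion is a simplified stand-in, the thresholds and function names are hypothetical, and the log lines are constructed samples using documentation addresses, written one entry per line with an IPv4-mapped `::ffff:` prefix.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's <HOST> tag (an assumption, not its exact
# pattern): skip an optional IPv4-mapped prefix, then capture the address.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[0-9A-Fa-f:.]+)"


def compile_failregex(failregex):
    """Expand <HOST> the way a fail2ban filter line is expanded before matching."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


FAILREGEX = compile_failregex(r"error,relay=<HOST>,msg=535 ")

# Constructed sample log (not taken from a real server).
SAMPLE_LOG = """\
Dec 16 16:44:43 mail courieresmtpd: error,relay=::ffff:192.0.2.10,msg=535 Authentication failed.,cmd: AUTH LOGIN
Dec 16 16:44:51 mail courieresmtpd: error,relay=::ffff:192.0.2.10,msg=535 Authentication failed.,cmd: AUTH LOGIN
Dec 16 16:45:02 mail courieresmtpd: error,relay=::ffff:198.51.100.7,msg=535 Authentication failed.,cmd: AUTH
Dec 16 16:45:07 mail courieresmtpd: error,relay=::ffff:192.0.2.10,msg=535 Authentication failed.,cmd: AUTH LOGIN
Dec 16 16:45:30 mail courieresmtpd: error,relay=::ffff:198.51.100.7,msg=writev: Connection reset by peer,cmd: AUTH LOGIN
Dec 16 16:46:00 mail courieresmtpd: error,relay=2001:db8::5,msg=535 Authentication failed.,cmd: AUTH
Dec 16 16:58:00 mail courieresmtpd: error,relay=2001:db8::5,msg=535 Authentication failed.,cmd: AUTH
Dec 16 17:10:00 mail courieresmtpd: error,relay=2001:db8::5,msg=535 Authentication failed.,cmd: AUTH
Dec 16 17:10:05 mail courieresmtpd: started,ip=[::ffff:203.0.113.9]
"""


def find_offenders(lines, maxretry=3, findtime=600, year=2014):
    """Return {host: time of the failure that reached maxretry within findtime seconds}."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # host -> timestamps of failures still inside the window
    offenders = {}
    for line in lines:
        match = FAILREGEX.search(line)
        if not match:
            continue
        # Syslog timestamps carry no year, so the caller supplies one.
        stamp = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        host = match.group("host")
        hits = recent[host]
        hits.append(stamp)
        while stamp - hits[0] > window:
            hits.popleft()        # failures older than findtime no longer count
        if len(hits) >= maxretry and host not in offenders:
            offenders[host] = stamp
    return offenders


def drop_rules(offenders):
    """Render one DROP rule per offending host, choosing the tool by address family."""
    rules = []
    for host in sorted(offenders):
        # ip_address() raises ValueError unless the captured text is a real
        # address, so nothing else from the log can reach the command line.
        family = ipaddress.ip_address(host).version
        tool = "ip6tables" if family == 6 else "iptables"
        rules.append(f"{tool} -I INPUT -s {host} -j DROP")
    return rules


if __name__ == "__main__":
    for rule in drop_rules(find_offenders(SAMPLE_LOG.splitlines())):
        print(rule)
```

Only the host with three 535 failures inside ten minutes is selected; the IPv6 host with three failures spread over 24 minutes and the host whose second error is a connection reset are not.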



Re: [courier-users] StartSSL SHA-2 x509 certificates with Courier

2014-05-02 Thread Anders Le Chevalier


On 2014-05-02 12:59, Sam Varshavchik wrote:
 Anders Le Chevalier writes:
 
 
 
 On 2014-05-02 02:11, Sam Varshavchik wrote:
 Anders Le Chevalier writes:
 
 I checked with openssl s_client -connect domain.com:993 and
 got the following error:
 
 CONNECTED(0003) depth=2 C = IL, O = StartCom Ltd., OU = 
 Secure Digital Certificate Signing, CN = StartCom
 Certification Authority verify return:1 depth=1 C = IL, O =
 StartCom Ltd., OU = Secure Digital Certificate Signing, CN =
 StartCom Class 1 Primary Intermediate Server CA verify
 return:1 depth=0 C = SE, CN = domain.com, emailAddress =
 domain@domainsbyproxy.com verify return:1
 140576163956368:error:0407006A:rsa 
 routines:RSA_padding_check_PKCS1_type_1:block type is not 
 01:rsa_pk1.c:100: 140576163956368:error:04067072:rsa 
 routines:RSA_EAY_PUBLIC_DECRYPT:padding check 
 failed:rsa_eay.c:721: 140576163956368:error:1408D07B:SSL 
 routines:SSL3_GET_KEY_EXCHANGE:bad signature:s3_clnt.c:1812:
 
 
 What could this padding check failure be?
 
 Repeat the experiment using mkimapdcert-generated key. If the 
 error persists, this would point to a general gnutls-openssl 
 incompatibility.
 
 
 
 The self-signed certs created with mkimapdcert do work. I have
 also tried
 
 # openssl x509 -in startcom-domain.com.crt -text -noout
 
 which displays the certificate correctly with no warnings or
 errors.
 
 Then it has to be the order and/or the format of the certificate
 and/or the private key, in the certificate file.
 
 Make sure that the private key is not password-protected.
 

I converted the individual pem files to der files and then back to pem
again with openssl and added them all to a single pem file and now it
seems to work.

The pem file that seems to work contains:

KEY
CERT
CA-Intermediary

~A
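
A layout check for a combined TLS_CERTFILE that applies the advice given in this thread (unencrypted key, server certificate before the intermediate, no root), as an added example that is not code from any poster or from Courier. `check_bundle` and its helpers are hypothetical names, the sample "certificates" are constructed DER skeletons rather than real certificates, and the two formatting checks (carriage returns, markers run together) are assumptions about the kind of defect a PEM to DER to PEM round trip removes.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: low bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def issuer_and_subject(der):
    """Walk tbsCertificate far enough to slice out the raw issuer and subject Names."""
    _, pos, _ = read_tlv(der, 0)              # Certificate SEQUENCE
    _, pos, _ = read_tlv(der, pos)            # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                           # optional explicit [0] version
        _, _, end = read_tlv(der, end)        # then serialNumber
    _, _, issuer_start = read_tlv(der, end)   # skip the signature AlgorithmIdentifier
    _, _, issuer_end = read_tlv(der, issuer_start)
    _, _, subject_start = read_tlv(der, issuer_end)   # skip validity
    _, _, subject_end = read_tlv(der, subject_start)
    return der[issuer_start:issuer_end], der[subject_start:subject_end]


def check_bundle(text):
    """Return a list of findings for a combined key + certificate PEM file."""
    findings = []
    if "\r" in text:
        findings.append("carriage returns in file")
    if re.search(r"-----END [A-Z0-9 ]+-----[ \t]*-----BEGIN", text):
        findings.append("END and BEGIN markers on one line")
    keys, certs = 0, []
    for label, body in PEM_RE.findall(text):
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        if label.endswith("PRIVATE KEY"):
            keys += 1
            legacy = any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines)
            if label.startswith("ENCRYPTED") or legacy:
                findings.append("private key is password-protected")
        elif label == "CERTIFICATE":
            certs.append(issuer_and_subject(base64.b64decode("".join(lines))))
    if keys != 1:
        findings.append(f"expected 1 private key, found {keys}")
    if not certs:
        findings.append("no certificate")
    for i, (issuer, subject) in enumerate(certs):
        if i > 0 and issuer == subject:
            findings.append(f"certificate {i + 1} is a self-signed root")
        if i + 1 < len(certs) and issuer != certs[i + 1][1]:
            findings.append(f"certificate {i + 2} did not issue certificate {i + 1}")
    return findings


# --- Constructed sample data: DER skeletons with only the fields walked above ---
def _tlv(tag, content):
    return bytes([tag, len(content)]) + content        # short-form lengths only


def _name(cn):
    attr = _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn.encode())   # commonName
    return _tlv(0x30, _tlv(0x31, _tlv(0x30, attr)))


def fake_cert(subject, issuer):
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _tlv(0x30, b"")
           + _name(issuer) + _tlv(0x30, b"") + _name(subject))
    return _tlv(0x30, _tlv(0x30, tbs))


def pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.encodebytes(der).decode()}-----END {label}-----\n"


KEY = pem("PRIVATE KEY", _tlv(0x30, b"\x02\x01\x00"))
LEAF = pem("CERTIFICATE", fake_cert("domain.example", "Example Intermediate CA"))
INTERMEDIATE = pem("CERTIFICATE", fake_cert("Example Intermediate CA", "Example Root CA"))
ROOT = pem("CERTIFICATE", fake_cert("Example Root CA", "Example Root CA"))

if __name__ == "__main__":
    print(check_bundle(KEY + LEAF + INTERMEDIATE))          # the layout that worked
    print(check_bundle(KEY + INTERMEDIATE + LEAF + ROOT))   # wrong order, root included
```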




[courier-users] StartSSL SHA-2 x509 certificates with Courier

2014-05-01 Thread Anders Le Chevalier
I created a private key with GnuTLS certtool and had it signed by
StartSSL. When I try to use the signed certificate all connections to
courier (smtp or imap) fail with Decrypt errors. The log file has lines
like imapd-ssl: Decrypt error and esmtpd-ssl: Decrypt error

Tested with GnuTLS 3.2.13 and 3.3.1 and courier-0.71.

The private key was generated as such:

# certtool --generate-privkey --rsa --pkcs8 --pkcs-cipher aes-256 --bits
4096 --outfile server-privkey.pk8

# certtool --generate-request --load-privkey server-privkey.pk8
--template template.cfg --hash SHA512 --outfile server-privkey.csr

The resulting .csr certificate request was successfully accepted by
StartSSL.com control panel and a new signed certificate in PEM format
was generated.

in /etc/courier/imapd-ssl I have:

TLS_CERTFILE=/usr/share/courier/domain.com.pem

I have added certificate first then the private (decrypted) key in the
domain.com.pem file, and vice versa. But it doesn't seem to work.


Are there any limitations to the type of hash or other features of the
certificates that are supported by courier?

The following two match:
# openssl req  -noout -modulus -in server-privkey.csr  | openssl md5
# openssl x509 -noout -modulus -in startcom-server.crt | openssl md5


Should I put something else inside the TLS_CERTFILE ? Is the order of
the key, cert, intermediary CA and root CA important in the PEM file?


Regards,
~A










Re: [courier-users] StartSSL SHA-2 x509 certificates with Courier

2014-05-01 Thread Anders Le Chevalier


On 2014-05-01 16:36, Hanno Böck wrote:
 On Thu, 01 May 2014 15:13:29 +0200 Anders Le Chevalier
 and...@lechevalier.se wrote:
 
 Are there any limitations to the type of hash or other features
 of the certificates that are supported by courier?
 
 I'm not aware of any and I'm using startssl certs successfully with
 my servers.

That is good news :)

 
 Should I put something else inside the TLS_CERTFILE ? Is the
 order of the key, cert, intermediary CA and root CA important in
 the PEM file?
 
 The order matters. First Cert, then intermediate. You shouldn't put
 the root in at all.
 
 

What about the key? I suppose the unencrypted key needs to be included
in the PEM file?

The default self-signed certs (mkimapdcert) are created as such:

-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----


Regards,
~A





Re: [courier-users] StartSSL SHA-2 x509 certificates with Courier

2014-05-01 Thread Anders Le Chevalier


On 2014-05-01 17:07, Anders Le Chevalier wrote:
 
 
 On 2014-05-01 16:36, Hanno Böck wrote:
 On Thu, 01 May 2014 15:13:29 +0200 Anders Le Chevalier
 and...@lechevalier.se wrote:

 Are there any limitations to the type of hash or other features
 of the certificates that are supported by courier?

 I'm not aware of any and I'm using startssl certs successfully with
 my servers.
 
 That is good news :)
 

 Should I put something else inside the TLS_CERTFILE ? Is the
 order of the key, cert, intermediary CA and root CA important in
 the PEM file?

 The order matters. First Cert, then intermediate. You shouldn't put
 the root in at all.


 
 What about the key? I suppose the unencrypted key needs to be included
 in the PEM file?
 
 The default self-signed certs (mkimapdcert) are created as such:
 
 -----BEGIN RSA PRIVATE KEY-----
 -----END RSA PRIVATE KEY-----
 -----BEGIN CERTIFICATE-----
 -----END CERTIFICATE-----
 

I checked with openssl s_client -connect domain.com:993 and got the
following error:

CONNECTED(0003)
depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate
Signing, CN = StartCom Certification Authority
verify return:1
depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate
Signing, CN = StartCom Class 1 Primary Intermediate Server CA
verify return:1
depth=0 C = SE, CN = domain.com, emailAddress =
domain@domainsbyproxy.com
verify return:1
140576163956368:error:0407006A:rsa
routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100:
140576163956368:error:04067072:rsa
routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:721:
140576163956368:error:1408D07B:SSL routines:SSL3_GET_KEY_EXCHANGE:bad
signature:s3_clnt.c:1812:


What could this padding check failure be?

~A



Re: [courier-users] StartSSL SHA-2 x509 certificates with Courier

2014-05-01 Thread Anders Le Chevalier


On 2014-05-02 02:11, Sam Varshavchik wrote:
 Anders Le Chevalier writes:
 
 I checked with openssl s_client -connect domain.com:993 and got
 the following error:
 
 CONNECTED(0003) depth=2 C = IL, O = StartCom Ltd., OU =
 Secure Digital Certificate Signing, CN = StartCom Certification
 Authority verify return:1 depth=1 C = IL, O = StartCom Ltd., OU =
 Secure Digital Certificate Signing, CN = StartCom Class 1 Primary
 Intermediate Server CA verify return:1 depth=0 C = SE, CN =
 domain.com, emailAddress = domain@domainsbyproxy.com verify
 return:1 140576163956368:error:0407006A:rsa 
 routines:RSA_padding_check_PKCS1_type_1:block type is not 
 01:rsa_pk1.c:100: 140576163956368:error:04067072:rsa 
 routines:RSA_EAY_PUBLIC_DECRYPT:padding check
 failed:rsa_eay.c:721: 140576163956368:error:1408D07B:SSL
 routines:SSL3_GET_KEY_EXCHANGE:bad signature:s3_clnt.c:1812:
 
 
 What could this padding check failure be?
 
 Repeat the experiment using mkimapdcert-generated key. If the
 error persists, this would point to a general gnutls-openssl
 incompatibility.
 
 

The self-signed certs created with mkimapdcert do work. I have also tried

# openssl x509 -in startcom-domain.com.crt -text -noout

which displays the certificate correctly with no warnings or errors.


~A



Re: [courier-users] authdaemond: segfault at 0 ip... error 4 in libc-2.18.so

2014-03-05 Thread Anders Le Chevalier


On 2014-03-05 08:07, Mark Constable wrote:
 On 03/05/14 15:31, Anders Le Chevalier wrote:
 Mar  5 06:08:05 e350 authdaemond: zero rows returned
 Mar  5 06:08:05 e350 authdaemond: no password available to compare
 Mar  5 06:08:05 e350 authdaemond: authmysql: REJECT - try next module
 Mar  5 06:08:05 e350 authdaemond: FAIL, all modules rejected
 
 That's normal if the SQL command failed for some other reason.
 
 
 
Thanks for the feedback.

I see that I was not very clear in my message. What I meant was that
after disabling all modules other than authmysql, then it all works as
expected. This was in reference to the message I replied to from Kristian...

Removing authshadow from authdaemonrc prevented me from sending email,
so it's back in..


So, now, with only authmysql it seems I have no more segfaults. I can
send and receive emails, both from a shell and normal mail clients.

In fact, the ip 74.118.193.227 I used as an example is responsible for
hundreds of attempts to spam my server with various email addresses,
things that might have led to the segfaults before.

~A



Re: [courier-users] authdaemond: segfault at 0 ip... error 4 in libc-2.18.so

2014-03-04 Thread Anders Le Chevalier


On 2014-03-04 09:01, Kristian Duus Østergaard wrote:
 On 2014-03-04 06:43, Anders Le Chevalier wrote:
 Yes, I recall that episode. crypt() was returning a null pointer.
 What's happening is that the primary authentication module is not
 one of the system authentication modules. It might be authpam, or
 one of the database or ldap modules. When authentication requests
 fail, this falls through to the next available authentication
 module, authshadow or authpwd, which attempt to use crypt() which
 fails and returns a null pointer.

 The easy way to fix this is to simply remove authshadow and authpwd
 from the authmodulelist setting in the authdaemonrc configuration
 file. They're broken, and they'll never work.

 I have disabled all modules except mysql in authdaemonrc. Perhaps this
 will help.


 ~A
 Anders are you sure you have modified the correct authdaemonrc ?
 
 I found out that I have a leftover /etc/courier/authdaemonrc the one
 that needs modifying is :
 
 /etc/courier/authlib/authdaemonrc
 
 I have now removed authshadow from my system, and I will let you know if
 it removes the error tomorrow.
 
 Regards
  Kristian

Thanks. Yes, I did change the correct file. I have only one module
loaded: authmodulelist=authmysql

This is also visible in the mail log when someone is trying to logon.
Note the last two lines:


#


Mar  5 05:59:31 e350 courieresmtpd:
error,relay=:::74.118.193.227,msg=535 Authentication failed.,cmd: AUTH
Mar  5 05:59:39 e350 courieresmtpd: RSET
Mar  5 06:08:04 e350 courieresmtpd: started,ip=[:::74.118.193.227]
Mar  5 06:08:04 e350 courieresmtpd: EHLO localhost.localdomain
Mar  5 06:08:04 e350 courieresmtpd: STARTTLS
Mar  5 06:08:04 e350 courieresmtpd: EHLO localhost.localdomain
Mar  5 06:08:05 e350 courieresmtpd: AUTH LOGIN
Mar  5 06:08:05 e350 authdaemond: received auth request, service=esmtp,
authtype=login
Mar  5 06:08:05 e350 authdaemond: authmysql: trying this module
Mar  5 06:08:05 e350 authdaemond: authmysqllib: connected. Versions:
header 50170, client 50170, server 50170
Mar  5 06:08:05 e350 authdaemond: Install of a character set for MySQL: utf8
Mar  5 06:08:05 e350 authdaemond: SQL query: SELECT id, crypt, clear,
uid, gid, home, maildir, , name,  FROM passwd WHERE id =
'a...@siwnet.net'
Mar  5 06:08:05 e350 authdaemond: zero rows returned
Mar  5 06:08:05 e350 authdaemond: no password available to compare
Mar  5 06:08:05 e350 authdaemond: authmysql: REJECT - try next module
Mar  5 06:08:05 e350 authdaemond: FAIL, all modules rejected

#



Re: [courier-users] authdaemond: segfault at 0 ip... error 4 in libc-2.18.so

2014-03-03 Thread Anders Le Chevalier


On 2014-03-04 01:03, Sam Varshavchik wrote:
 Kristian Duus Østergaard writes:
 
 I've seen the same with my courier-mta on Gentoo. What I found in
 my search but haven't had time to try out is that there's an old
 thread about not using libcrypt because it gives the above
 errors. On my installation I have the crypt USE-flag set on
 courier and I think it may be the cause of the problem.

That's very interesting. I do have libgcrypt-1.5.3 installed, and
looking on bugs.gentoo.org
(https://bugs.gentoo.org/show_bug.cgi?id=501284) there seems to be
something borked and flawed with all versions prior to 1.6.
libcrypt-1.6 is hard masked, so I have not looked to unmask
previously. I'll look at it.

 
 Maybe Bernt can elaborate on what exactly is triggered with the
 crypt USE-flag?
 
 Just a bunch of random thoughts.
 
 Yes, I recall that episode. crypt() was returning a null pointer.
 What's happening is that the primary authentication module is not
 one of the system authentication modules. It might be authpam, or
 one of the database or ldap modules. When authentication requests
 fail, this falls through to the next available authentication
 module, authshadow or authpwd, which attempt to use crypt() which
 fails and returns a null pointer.
 
 The easy way to fix this is to simply remove authshadow and authpwd
 from the authmodulelist setting in the authdaemonrc configuration
 file. They're broken, and they'll never work.
 

I have disabled all modules except mysql in authdaemonrc. Perhaps this
will help.


~A



Re: [courier-users] authdaemond: segfault at 0 ip... error 4 in libc-2.18.so

2014-03-02 Thread Anders Le Chevalier


On 2014-02-28 01:32, Sam Varshavchik wrote:
 Anders Le Chevalier writes:
 
 I have encountered an odd bug the last few weeks where
 authdaemond causes segfaults in libc. I'll post the log at the
 end of the message.
 

...

 Compile courier-authlib with the -g flag, adjust ulimit to enable
 core dumps, the backtrace from the coredump should be helpful.
 
 Looks like a failed authentication attempt is causing this. Some
 kind of an error handling problem, it looks like.
 
Thanks, I have done that, but also upgraded to courier-authlib-0.66.1.
I will see if the error occurs again and report back if it does.

~A







Re: [courier-users] authdaemond: segfault at 0 ip... error 4 in libc-2.18.so

2014-03-02 Thread Anders Le Chevalier


On 2014-03-02 12:17, Anders Le Chevalier wrote:
 
 
 On 2014-02-28 01:32, Sam Varshavchik wrote:
 Anders Le Chevalier writes:

 I have encountered an odd bug the last few weeks where
 authdaemond causes segfaults in libc. I'll post the log at the
 end of the message.

 
 ...
 
 Compile courier-authlib with the -g flag, adjust ulimit to enable
 core dumps, the backtrace from the coredump should be helpful.

 Looks like a failed authentication attempt is causing this. Some
 kind of an error handling problem, it looks like.

 Thanks, I have done that, but also upgraded to courier-authlib-0.66.1.
 I will see if the error occurs again and report back if it does.
 
 

OK, the segfault is happening with new version of authlib too:

# dmesg
[Mar 2 17:37] authdaemond[6641]: segfault at 0 ip 7ff07103a42a sp
77c4d818 error 4 in libc-2.18.so[7ff070f16000+19d000]


Seems that I have lots of attempts on my server:

# mail log
Mar  2 17:31:10 e350 courieresmtpd: started,ip=[:::89.216.21.136]
Mar  2 17:31:10 e350 courieresmtpd:
error,relay=:::89.216.21.136,msg=535 Authentication failed.,cmd: AUTH
Mar  2 17:31:10 e350 authdaemond: stopping authdaemond children
Mar  2 17:31:10 e350 authdaemond: restarting authdaemond children
Mar  2 17:31:10 e350 authdaemond: modules=authmysql authuserdb authpwd
authshadow authcustom authpipe, daemons=5
Mar  2 17:31:10 e350 authdaemond: Uninstalling authmysql
Mar  2 17:31:10 e350 authdaemond: Uninstalling authuserdb
Mar  2 17:31:10 e350 authdaemond: Uninstalling authpwd
Mar  2 17:31:10 e350 authdaemond: Uninstalling authshadow
Mar  2 17:31:10 e350 authdaemond: Uninstalling authcustom
Mar  2 17:31:10 e350 authdaemond: Uninstalling authpipe
Mar  2 17:31:10 e350 authdaemond: Installing libauthmysql
Mar  2 17:31:11 e350 authdaemond: Installation complete: authmysql
Mar  2 17:31:11 e350 authdaemond: Installing libauthuserdb
Mar  2 17:31:11 e350 authdaemond: Installation complete: authuserdb
Mar  2 17:31:11 e350 authdaemond: Installing libauthpwd
Mar  2 17:31:11 e350 authdaemond: Installation complete: authpwd
Mar  2 17:31:11 e350 authdaemond: Installing libauthshadow
Mar  2 17:31:11 e350 authdaemond: Installation complete: authshadow
Mar  2 17:31:11 e350 authdaemond: Installing libauthcustom
Mar  2 17:31:11 e350 authdaemond: Installation complete: authcustom
Mar  2 17:31:11 e350 authdaemond: Installing libauthpipe
Mar  2 17:31:11 e350 authdaemond: Installation complete: authpipe
Mar  2 17:31:18 e350 courieresmtpd:
error,relay=:::89.216.21.136,msg=writev: Connection reset by
peer,cmd: AUTH LOGIN bGRhcA==
Mar  2 17:31:18 e350 courieresmtpd:
error,relay=:::89.216.21.136,msg=writev: Connection reset by
peer,cmd: AUTH LOGIN bGRhcA==
Mar  2 17:40:51 e350 courieresmtpd: started,ip=[:::186.215.174.252]
Mar  2 17:40:52 e350 courieresmtpd:
error,relay=:::186.215.174.252,msg=535 Authentication failed.,cmd:
AUTH
Mar  2 17:41:00 e350 courieresmtpd:
error,relay=:::186.215.174.252,msg=535 Authentication failed.,cmd:
AUTH
Mar  2 17:41:16 e350 courieresmtpd:
error,relay=:::186.215.174.252,msg=535 Authentication failed.,cmd:
AUTH
Mar  2 17:41:48 e350 courieresmtpd:
error,relay=:::186.215.174.252,msg=writev: Connection reset by
peer,cmd: AUTH LOGIN d2ViMQ==




I forgot to set ulimit -c to enable core dumps so I'll restart again
with this set, and hopefully I can get some useful data.



[courier-users] authdaemond: segfault at 0 ip... error 4 in libc-2.18.so

2014-02-27 Thread Anders Le Chevalier
I have encountered an odd bug the last few weeks where authdaemond
causes segfaults in libc. I'll post the log at the end of the message.

I am using Gentoo with:

mail-mta/courier-0.71
net-libs/courier-authlib-0.65.0-r3
sys-libs/glibc-2.18-r1 (I have tried with default 2.17 with same
segfault error)
sys-devel/gcc-4.8.2 (CFLAGS=-O2 -pipe -fomit-frame-pointer
-march=native -mtune=native -msse3)

It seems that now and then something happens to cause the mailserver
and/or authdaemond to restart over and over and cause segfaults as you
can see from the logs below. I rebooted the server 2 days ago and I had
no more segfaults since 9am on 25th. I have seen these errors before,
and they seem to group or come in spurts like this.

What can I do to debug this and find the root cause?

I have tried to reinstall/recompile the entire system (emerge -e world)
and no errors were discovered.

Seems like the IP (89.248.172.46) trying to connect unsuccessfully is
part of the same block as a spam/hacking network:
http://www.ipillion.com/ip/89.248.172.172
Could the IP be behind some odd communication towards the server,
causing authdaemond to crash?  Does not seem good at all if it is the case.


~A


###
## dmesg: complete log: http://pastebin.com/ZAwq0Y4U
###

[Feb25 03:12] authdaemond[2456]: segfault at 0 ip 7f7af8a20084 sp
7fff503eca98 error 4 in libc-2.18.so[7f7af88fb000+19d000]
[ +16.189321] authdaemond[23534]: segfault at 0 ip 7f7af8a20084 sp


###
## mail.log: one hour of maillog: http://pastebin.com/dyeTJzww
###

Feb 25 03:10:12 e350 courieresmtpd: started,ip=[:::89.248.172.46]
Feb 25 03:10:12 e350 courieresmtpd: started,ip=[:::89.248.172.46]
Feb 25 03:10:13 e350 courieresmtpd:
error,relay=:::89.248.172.46,msg=535 Authentication failed.,cmd: AUTH
Feb 25 03:10:21 e350 courieresmtpd:
error,relay=:::89.248.172.46,msg=535 Authentication failed.,cmd: AUTH
Feb 25 03:10:21 e350 authdaemond: stopping authdaemond children
Feb 25 03:10:21 e350 authdaemond: restarting authdaemond children
Feb 25 03:10:21 e350 authdaemond: modules=authmysql authuserdb authpwd
authshadow authcustom authpipe, daemons=5
Feb 25 03:10:21 e350 authdaemond: Uninstalling authmysql
Feb 25 03:10:21 e350 authdaemond: Uninstalling authuserdb
Feb 25 03:10:21 e350 authdaemond: Uninstalling authpwd
Feb 25 03:10:21 e350 authdaemond: Uninstalling authshadow
Feb 25 03:10:21 e350 authdaemond: Uninstalling authcustom
Feb 25 03:10:21 e350 authdaemond: Uninstalling authpipe
Feb 25 03:10:21 e350 authdaemond: Installing libauthmysql
Feb 25 03:10:21 e350 authdaemond: Installation complete: authmysql
Feb 25 03:10:21 e350 authdaemond: Installing libauthuserdb
Feb 25 03:10:21 e350 authdaemond: Installation complete: authuserdb
Feb 25 03:10:21 e350 authdaemond: Installing libauthpwd
Feb 25 03:10:21 e350 authdaemond: Installation complete: authpwd
Feb 25 03:10:21 e350 authdaemond: Installing libauthshadow
Feb 25 03:10:21 e350 authdaemond: Installation complete: authshadow
Feb 25 03:10:21 e350 authdaemond: Installing libauthcustom
Feb 25 03:10:21 e350 authdaemond: Installation complete: authcustom
Feb 25 03:10:21 e350 authdaemond: Installing libauthpipe
Feb 25 03:10:21 e350 authdaemond: Installation complete: authpipe
Feb 25 03:10:37 e350 courieresmtpd:
error,relay=:::89.248.172.46,msg=535 Authentication failed.,cmd: AUTH
Feb 25 03:10:37 e350 authdaemond: stopping authdaemond children
Feb 25 03:10:37 e350 authdaemond: restarting authdaemond children
Feb 25 03:10:37 e350 authdaemond: modules=authmysql authuserdb authpwd
authshadow authcustom authpipe, daemons=5
Feb 25 03:10:37 e350 authdaemond: Uninstalling authmysql
Feb 25 03:10:37 e350 authdaemond: Uninstalling authuserdb
Feb 25 03:10:37 e350 authdaemond: Uninstalling authpwd
Feb 25 03:10:37 e350 authdaemond: Uninstalling authshadow
Feb 25 03:10:37 e350 authdaemond: Uninstalling authcustom
Feb 25 03:10:37 e350 authdaemond: Uninstalling authpipe
Feb 25 03:10:37 e350 authdaemond: Installing libauthmysql
Feb 25 03:10:37 e350 authdaemond: Installation complete: authmysql
Feb 25 03:10:37 e350 authdaemond: Installing libauthuserdb
Feb 25 03:10:37 e350 authdaemond: Installation complete: authuserdb
Feb 25 03:10:37 e350 authdaemond: Installing libauthpwd
Feb 25 03:10:37 e350 authdaemond: Installation complete: authpwd
Feb 25 03:10:37 e350 authdaemond: Installing libauthshadow
Feb 25 03:10:37 e350 authdaemond: Installation complete: authshadow
Feb 25 03:10:37 e350 authdaemond: Installing libauthcustom
Feb 25 03:10:37 e350 authdaemond: Installation complete: authcustom
Feb 25 03:10:37 e350 authdaemond: Installing libauthpipe
Feb 25 03:10:37 e350 authdaemond: Installation complete: authpipe
Feb 25 03:11:09 e350 courieresmtpd:
error,relay=:::89.248.172.46,msg=535 Authentication failed.,cmd: AUTH
Feb 25 03:11:09 e350 authdaemond: stopping authdaemond children
Feb 25 03:11:09 e350 authdaemond: 

[courier-users] pythonfilter-1.8 and googlegroups.com

2014-01-18 Thread Anders Le Chevalier
Hi!

I seem to have a problem with googlegroups.com and the pythonfilter-1.8
greylist module. The default is to block an IP for 300 seconds. However,
googlegroups.com seems to use multiple IPs, and so the greylisting
doesn't count down the seconds remaining.

Is there any way around this, other than removing greylisting, like doing
greylisting on from?


Looks like this in the maillog:

Jan 18 14:37:50 e350 courieresmtpd:
error,relay=2607:f8b0:400c:c02::240,from=nore...@googlegroups.com: 451
4.7.1 Greylisting in action, please come back in 00:05:00
Jan 18 14:49:27 e350 courieresmtpd:
error,relay=2607:f8b0:400d:c00::23a,from=nore...@googlegroups.com: 451
4.7.1 Greylisting in action, please come back in 00:05:00
Jan 18 15:16:44 e350 courieresmtpd:
error,relay=2607:f8b0:400e:c02::237,from=nore...@googlegroups.com: 451
4.7.1 Greylisting in action, please come back in 00:05:00
Jan 18 16:04:00 e350 courieresmtpd:
error,relay=2607:f8b0:400e:c02::238,from=nore...@googlegroups.com: 451
4.7.1 Greylisting in action, please come back in 00:05:00
Jan 18 16:04:43 e350 courieresmtpd:
error,relay=2607:f8b0:4003:c02::239,from=nore...@googlegroups.com: 451
4.7.1 Greylisting in action, please come back in 00:05:00
Jan 18 16:08:17 e350 courieresmtpd:
error,relay=2607:f8b0:400c:c01::23c,from=nore...@googlegroups.com: 451
4.7.1 Greylisting in action, please come back in 00:05:00
Jan 18 16:12:54 e350 courieresmtpd:
error,relay=2607:f8b0:400e:c03::23d,from=nore...@googlegroups.com: 451
4.7.1 Greylisting in action, please come back in 00:05:00
Jan 18 16:19:43 e350 courieresmtpd:
error,relay=2607:f8b0:4001:c03::23c,from=nore...@googlegroups.com: 451
4.7.1 Greylisting in action, please come back in 00:05:00
Jan 18 16:28:41 e350 courieresmtpd:
error,relay=2607:f8b0:4002:c01::239,from=nore...@googlegroups.com: 451
4.7.1 Greylisting in action, please come back in 00:05:00
Jan 18 16:38:32 e350 courieresmtpd:
error,relay=2607:f8b0:4003:c02::23e,from=nore...@googlegroups.com: 451
4.7.1 Greylisting in action, please come back in 00:05:00
Jan 18 16:38:35 e350 courieresmtpd:
error,relay=2607:f8b0:4001:c03::23d,from=nore...@googlegroups.com: 451
4.7.1 Greylisting in action, please come back in 00:05:00
Jan 18 17:03:07 e350 courieresmtpd:
error,relay=2607:f8b0:4002:c02::23d,from=nore...@googlegroups.com: 451
4.7.1 Greylisting in action, please come back in 00:05:00
Jan 18 17:06:49 e350 courieresmtpd:
error,relay=2607:f8b0:400c:c03::239,from=nore...@googlegroups.com: 451
4.7.1 Greylisting in action, please come back in 00:05:00
Jan 18 17:08:24 e350 courieresmtpd:
error,relay=2607:f8b0:400e:c01::23d,from=nore...@googlegroups.com: 451
4.7.1 Greylisting in action, please come back in 00:05:00
Jan 18 17:08:33 e350 courieresmtpd:
error,relay=2607:f8b0:4003:c02::238,from=nore...@googlegroups.com: 451
4.7.1 Greylisting in action, please come back in 00:05:00
Jan 18 17:08:39 e350 courieresmtpd:
error,relay=2607:f8b0:4002:c01::23a,from=nore...@googlegroups.com: 451
4.7.1 Greylisting in action, please come back in 00:05:00
Jan 18 17:14:44 e350 courieresmtpd:
error,relay=2607:f8b0:400e:c01::240,from=nore...@googlegroups.com: 451
4.7.1 Greylisting in action, please come back in 00:05:00
Jan 18 17:15:01 e350 courieresmtpd:
error,relay=2607:f8b0:4002:c01::23d,from=nore...@googlegroups.com: 451
4.7.1 Greylisting in action, please come back in 00:05:00
Jan 18 17:16:09 e350 courieresmtpd:
error,relay=2607:f8b0:400e:c02::240,from=nore...@googlegroups.com: 451
4.7.1 Greylisting in action, please come back in 00:05:00
Jan 18 17:16:37 e350 courieresmtpd:
error,relay=2607:f8b0:400c:c01::240,from=nore...@googlegroups.com: 451
4.7.1 Greylisting in action, please come back in 00:05:00


~A
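
Why the countdown never finishes, as an added example (not pythonfilter's code): a simplified greylist model replayed over the first five attempts from the log above, keyed first on the exact relay address and then on a network prefix. The `Greylist` class, the key functions, the year in the timestamps and the sender and recipient addresses are hypothetical.

```python
import ipaddress
from datetime import datetime

# Constructed sample: times and relay addresses follow the first five log
# lines quoted in the post; the year, sender and recipient are placeholders.
ATTEMPTS = [
    ("2014-01-18 14:37:50", "2607:f8b0:400c:c02::240"),
    ("2014-01-18 14:49:27", "2607:f8b0:400d:c00::23a"),
    ("2014-01-18 15:16:44", "2607:f8b0:400e:c02::237"),
    ("2014-01-18 16:04:00", "2607:f8b0:400e:c02::238"),
    ("2014-01-18 16:04:43", "2607:f8b0:4003:c02::239"),
]
SENDER = "list@example.org"
RECIPIENT = "user@example.net"


def exact_ip_key(relay, sender, recipient):
    """Greylist triplet keyed on the full relay address."""
    return (str(ipaddress.ip_address(relay)), sender, recipient)


def prefix_key(v4_bits, v6_bits):
    """Build a key function that keys on the relay's network prefix."""
    def key(relay, sender, recipient):
        addr = ipaddress.ip_address(relay)
        bits = v4_bits if addr.version == 4 else v6_bits
        net = ipaddress.ip_network(f"{addr}/{bits}", strict=False)
        return (str(net), sender, recipient)
    return key


class Greylist:
    """Minimal greylist: defer until a key has been known for delay seconds."""

    def __init__(self, key_func, delay_seconds=300):
        self.key_func = key_func
        self.delay = delay_seconds
        self.first_seen = {}

    def accept(self, when, relay, sender, recipient):
        key = self.key_func(relay, sender, recipient)
        # The clock starts at the first attempt for this key; a retry that
        # arrives under a different key starts a new clock instead.
        first = self.first_seen.setdefault(key, when)
        return (when - first).total_seconds() >= self.delay


def replay(key_func):
    """Return accept (True) or defer (False) for each attempt in order."""
    greylist = Greylist(key_func)
    results = []
    for stamp, relay in ATTEMPTS:
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        results.append(greylist.accept(when, relay, SENDER, RECIPIENT))
    return results


if __name__ == "__main__":
    print("exact IP:", replay(exact_ip_key))
    print("/64     :", replay(prefix_key(24, 64)))
    print("/32     :", replay(prefix_key(24, 32)))
```

Dropping the relay from the key and greylisting on the envelope sender alone would let any host that forges that sender inherit the waiting time, so widening the prefix is the narrower change.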





[courier-users] Document Courier as complete email solution (on Gentoo)

2014-01-08 Thread Anders Le Chevalier
Is there a complete step-by-step guide, including configuration examples
of courier as a complete email solution out there? With complete, I mean
ESMTP, IMAP/POP, virtual mail, DKIM, Spam filtering and virus checking.

I'd like to put one of these guides together for the Gentoo wiki, but I
have found little complete or recent documentation. (yes
http://www.courier-mta.org/install.html and various docs are complete -
but not easy to follow)

All guides on Gentoo wiki today only contain the courier-imap part, for
example https://wiki.gentoo.org/wiki/Complete_Virtual_Mail_Server or
http://wiki.gentoo.org/wiki/Virtual_mail_hosting_with_qmail, and both of
them seem unnecessarily complicated for the task of an email server.


Thanks.

~A



[courier-users] TLS/SSL session logging

2013-10-09 Thread Anders
How would I go about logging TLS/SSL details such as ciphers, key exchange and 
MACs negotiated with clients or other servers with courier? This would be very 
useful to create statistics over what minimum security is used by clients etc...

~A
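
One way to get such statistics without touching the TLS layer, as an added example (not Courier's code): tally the TLS annotations that receiving servers write into Received headers, in the two forms quoted in the cipher-priority thread further down this page. The sample headers are constructed from those quotes with placeholder ids, and the weak-session policy (RC4/ARCFOUR, or SSL3.0/TLS1.0) is an assumption.

```python
import re
from collections import Counter

# Constructed sample: the two TLS annotations are the forms quoted on this
# page; ids and the third (unannotated) header are placeholders.
SAMPLE_HEADERS = """\
Received: from mail.tnonline.net
 by mx.google.com with ESMTPS id CONSTRUCTED-ID-1
 (version=TLSv1.2 cipher=RC4-SHA bits=128/128);
Received: from mail-bk0-x234.google.com (mail-bk0-x234.google.com
 [2a00:1450:4008:c01::234])
 (TLS: TLS1.0,128bits,RSA_ARCFOUR_SHA1)
Received: from client.example.org
 by mail.example.net with ESMTP id CONSTRUCTED-ID-2;
Subject: constructed sample
"""

# "(version=TLSv1.2 cipher=RC4-SHA bits=128/128)"
MX_STYLE = re.compile(
    r"version=(?P<version>\S+)\s+cipher=(?P<cipher>\S+)\s+bits=(?P<bits>\d+)/\d+")
# "(TLS: TLS1.0,128bits,RSA_ARCFOUR_SHA1)"
COURIER_STYLE = re.compile(
    r"\(TLS:\s*(?P<version>[^,]+),(?P<bits>\d+)bits,(?P<cipher>[^)\s]+)\)")

OLD_PROTOCOLS = {"SSL3.0", "SSLv3", "TLS1.0"}   # assumed policy
RC4_MARKERS = ("RC4", "ARCFOUR")                # assumed policy


def unfold(raw):
    """Join folded header continuation lines into single logical headers."""
    headers = []
    for line in raw.splitlines():
        if line[:1].isspace() and headers:
            headers[-1] += " " + line.strip()
        elif line.strip():
            headers.append(line.strip())
    return headers


def parse_tls(header):
    """Return version, cipher and bits for one Received header, or None."""
    for pattern in (MX_STYLE, COURIER_STYLE):
        match = pattern.search(header)
        if match:
            return {
                "version": match.group("version").replace("TLSv", "TLS"),
                "cipher": match.group("cipher"),
                "bits": int(match.group("bits")),
            }
    return None


def weak_reasons(session):
    """List the reasons a session falls under the assumed weak policy."""
    reasons = []
    if any(marker in session["cipher"].upper() for marker in RC4_MARKERS):
        reasons.append("rc4")
    if session["version"] in OLD_PROTOCOLS:
        reasons.append("old-protocol")
    return reasons


def summarize(raw):
    """Count (version, cipher) per Received header and list weak sessions."""
    counts, findings = Counter(), []
    for header in unfold(raw):
        if not header.lower().startswith("received:"):
            continue
        session = parse_tls(header)
        if session is None:
            counts[("none", "none")] += 1  # no TLS annotation recorded
            continue
        counts[(session["version"], session["cipher"])] += 1
        reasons = weak_reasons(session)
        if reasons:
            findings.append((session["version"], session["cipher"], reasons))
    return counts, findings


if __name__ == "__main__":
    totals, weak = summarize(SAMPLE_HEADERS)
    for key, count in totals.items():
        print(key, count)
    for finding in weak:
        print("weak:", finding)
```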



Re: [courier-users] Priority of Ciphers

2013-09-11 Thread Anders
On 2013-09-11 03:20, Sam Varshavchik wrote:
 Anders writes:

 Thank you. I will check that man page - I was looking at the 
 couriertls docs and didn't see this.

 One note though. I do not want to disable RC4, but only keep it as 
 fallback. Is that possible?

 The authoritative documentation is here:

 http://www.gnutls.org/manual/html_node/Priority-Strings.html#Priority-Strings 


 Actually, looks like the keyword for RC4 would be ARCFOUR-128.

 Reading what it says here, if you add a keyword to remove it, then add 
 it, it should end up being the last cipher in the preference list. So:

 NORMAL:-CTYPE-OPENPGP:-ARCFOUR-128:+ARCFOUR-128

 Haven't tried it myself. Looks weird, but, according to how I parse 
 the docs, that's what it should be.

Although this doesn't fail, it still doesn't change the RC4-SHA that 
Courier/ESMTPD uses against Gmail. Look at the following email header:

Received: from mail.tnonline.net
 by mx.google.com with ESMTPS id pw1si236926lbb.136.1969.12.31.16.00.00
 (version=TLSv1.2 cipher=RC4-SHA bits=128/128);

Granted, TLSv1.2 is supposed to be safe against the published attacks, 
so it might be OK anyway. Still would be nice to know why 
Courier/GnuTLS doesn't choose highest supported cipher?

Would the TLS_PRIORITY options work for IMAP (imapd-ssl) too? I have 
tried to use SECURE128/192 instead of NORMAL, but I can't connect at all 
then - with any client or openssl s_client.

~A



Re: [courier-users] Priority of Ciphers

2013-09-11 Thread Anders
On 2013-09-11 08:52, Matthias Wimmer wrote:
 Hi Anders,

 On 2013-09-11 08:05:30, Anders wrote:
 Although this doesn't fail, it still doesn't change the RC4-SHA that
 Courier/ESMTPD uses against Gmail. Look at the following email header:

 Received: from mail.tnonline.net
   by mx.google.com with ESMTPS id 
 pw1si236926lbb.136.1969.12.31.16.00.00
   (version=TLSv1.2 cipher=RC4-SHA bits=128/128);

 Granted, TLSv1.2 is supposed to be safe against the published attacks,
 so it might be OK anyway. Still would be nice to know why
 Courier/GnuTLS doesn't choose highest supported cipher?

 TLS works in a way that one side suggests ciphers in order of
 preference. The other side then compares this list to the ciphers it
 supports itself and selects one.

 Normally it's the client (connecting side) that suggests, and the server
 (connected side) that selects. As the server selects the cipher, it may
 honor the precedence proposed by the client, but it may also decide to
 follow its own policy. (GnuTLS has for this the keyword
 „%SERVER_PRECEDENCE“ which can also be added to the cipher list.)

 If Google has a policy of preferring RC4 in any case when the client
 supports this algorithm, you cannot force them to not select this
 algorithm other than completely removing it from your list.

 (The reason why they might push usage of RC4 is an attack against SSL/TLS
 called „BEAST“. Using RC4 is the algorithm supported by TLS 1.0, that is
 able to resist this attack on all SSL/TLS implementations.)


 Regards,
 Matthias

Yes, I read about BEAST attacks, and others too. Though it seems as 
BEAST is easier to perform than the RC4 attacks, I am not liking it 
much. For example here in Sweden all traffic exiting/entering the 
country is logged and stored by our intelligence agency. It is easy 
enough for them to gather enough (millions-billions) of data to perform 
RC4 decryption. I bet this is the case with all nation-wide surveillance 
these days.

Can we make courier force the use of the highest protocol available? Is 
that what the %SERVER_PRECEDENCE option is for?

One example is that when Courier sends email to Gmail it uses TLS1.2, 
but when Gmail sends to Courier it uses TLS1.0:

Sending to gmail:

Received: from mail.tnonline.net
 by mx.google.com with ESMTPS id pw1si236926lbb.136.1969.12.31.16.00.00
 (version=TLSv1.2 cipher=RC4-SHA bits=128/128);

Receiving from gmail:

Received: from mail-bk0-x234.google.com (mail-bk0-x234.google.com 
[2a00:1450:4008:c01::234])
   (TLS: TLS1.0,128bits,RSA_ARCFOUR_SHA1)


A side note, I wonder why courier doesn't use IPv6 by default?

~A
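
The selection rule Matthias describes, as an added example (a simplified model, not GnuTLS or Courier code): the server picks either by its own ranking or by the client's, so moving RC4 to the end of the client's offer changes nothing when the server ranks RC4 first. The server ranking and the client offer below are hypothetical; the suite names are OpenSSL-style names like those in the `s_client` output in this thread.

```python
def negotiate(client_offer, server_ranking, server_precedence):
    """Return the suite the server selects, or None if there is no overlap."""
    if server_precedence:
        # Server walks its own list and takes the first suite the client offers.
        ranking, allowed = server_ranking, set(client_offer)
    else:
        # Server honors the client's order among the suites it supports.
        ranking, allowed = client_offer, set(server_ranking)
    for suite in ranking:
        if suite in allowed:
            return suite
    return None  # no common suite: the handshake fails


def demote(offer, suite):
    """Move one suite to the end of the offer so it is only a fallback."""
    return [s for s in offer if s != suite] + [s for s in offer if s == suite]


def remove(offer, suite):
    """Drop one suite from the offer entirely."""
    return [s for s in offer if s != suite]


# Hypothetical policies, for illustration only.
CLIENT_OFFER = ["RC4-SHA", "AES256-SHA256", "AES128-SHA"]
SERVER_PREFERS_RC4 = ["RC4-SHA", "AES128-SHA", "AES256-SHA256"]


def scenarios():
    """Run the cases discussed in the thread and return the chosen suites."""
    fallback = demote(CLIENT_OFFER, "RC4-SHA")
    without = remove(CLIENT_OFFER, "RC4-SHA")
    return {
        "rc4 demoted, server precedence":
            negotiate(fallback, SERVER_PREFERS_RC4, True),
        "rc4 demoted, client precedence":
            negotiate(fallback, SERVER_PREFERS_RC4, False),
        "rc4 removed, server precedence":
            negotiate(without, SERVER_PREFERS_RC4, True),
        "no overlap":
            negotiate(["CAMELLIA256-SHA"], SERVER_PREFERS_RC4, True),
    }


if __name__ == "__main__":
    for name, chosen in scenarios().items():
        print(f"{name}: {chosen}")
```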



Re: [courier-users] Rate limiting

2013-09-10 Thread Anders
I have not tried it, but I think pythonfilter runs on all relayed email, even 
outgoing? There is a setting whitelist_auth which could be disabled and 
ratelimit enabled...

Mark Constable ma...@renta.net wrote:

Just a request to anyone who may have a working outgoing rate limiting
solution and would be willing to share the method and recipe/howto to
make it work. We've had 4 compromised user accounts in as many weeks
and if it wasn't for SOURCE_ADDRESS and being able to swap server IPs
we'd really be in trouble. Each time somewhere between 20k and 60k
spams went out before we manually blocked the user's account.

If this keeps up then some kind of fancy SMS based alert system might
be needed but in any case if there was some way to rate limit the
outgoing messages then that would help enormously. We can send about
30K to 40K messages per hour so even a 1 second delay between ALL
outgoing messages would cut that down to 10% of a possible spam deluge
and probably not really affect our normal clients outgoing mail flow.

Being able to exponentially back off the incoming rate of authenticated
(ports 587/465) relayed messages would be even better, and the same for
general incoming messages on port 25 too for that matter. Being able to do
so per user would be a dream but even global system wide rate limiting
would be better than none at all.

I know using the filtering system has been suggested as the way to go
but it will take me another 1/4 to 1/2 a year to come up with anything
so I'm making it clear that if anyone has got a solution they can share
then please do so, if you can spare the time.

This is one of the few areas where postfix really does have an advantage...

~ postconf | sort | grep rate
amavis_destination_rate_delay = $default_destination_rate_delay
anvil_rate_time_unit = 60s
bsmtp_destination_rate_delay = $default_destination_rate_delay
default_destination_rate_delay = 0s
dovecot_destination_rate_delay = $default_destination_rate_delay
error_destination_rate_delay = $default_destination_rate_delay
ifmail_destination_rate_delay = $default_destination_rate_delay
lmtp_destination_rate_delay = $default_destination_rate_delay
local_destination_rate_delay = $default_destination_rate_delay
maildrop_destination_rate_delay = $default_destination_rate_delay
mailman_destination_rate_delay = $default_destination_rate_delay
relay_destination_rate_delay = $default_destination_rate_delay
retry_destination_rate_delay = $default_destination_rate_delay
scalemail-backend_destination_rate_delay = $default_destination_rate_delay
smtpd_client_connection_rate_limit = 0
smtpd_client_message_rate_limit = 100
smtpd_client_new_tls_session_rate_limit = 0
smtpd_client_recipient_rate_limit = 0
smtp_destination_rate_delay = $default_destination_rate_delay
uucp_destination_rate_delay = $default_destination_rate_delay
virtual_destination_rate_delay = $default_destination_rate_delay



[courier-users] Priority of Ciphers

2013-09-10 Thread Anders
Since RC4/ARCFOUR has been in the news as breakable I was wondering if 
it is possible to have courier prioritize AES in favour of RC4 if supported?

For example, gmail uses RC4 by default, but does support AES:

# openssl s_client -connect gmail-smtp-in.l.google.com:25 -starttls smtp
Protocol  : TLSv1.2
Cipher: ECDHE-RSA-RC4-SHA

# openssl s_client -cipher AES128-SHA -connect gmail-smtp-in.l.google.com:25 -starttls smtp
Protocol  : TLSv1.2
Cipher: AES128-SHA


I have tried to set TLS_PRIORITY=AES256-SHA256:NORMAL:-CTYPE-OPENPGP 
or TLS_PRIORITY=AES-256-CBC:NORMAL:-CTYPE-OPENPGP or to both esmtpd 
and esmtpd-msa but then I cannot connect at all (using openssl to my 
courier server). If I leave default NORMAL:-CTYPE-OPENPGP it works:

# openssl s_client -connect localhost:587 -starttls smtp
Protocol  : TLSv1.2
Cipher: AES256-SHA256


So, what I am trying to achieve is to prioritize some ciphers before 
others, even for normal smtp courier-other host (like gmail). How 
should I use the TLS_PRIORITY setting properly to do this? I have tried to 
use ciphers and ciphersuites from gnutls-cli -l. Courier is compiled 
with gnutls

# ldd /usr/bin/couriertls
 libgnutls.so.26 => /usr/lib64/libgnutls.so.26 (0x7fe78b212000)
 libgnutls-extra.so.26 => /usr/lib64/libgnutls-extra.so.26 (0x7fe78b008000)


# gnutls-cli -l
Cipher suites:
TLS_ANON_DH_ARCFOUR_MD5 0x00, 0x18  SSL3.0
TLS_ANON_DH_3DES_EDE_CBC_SHA1 0x00, 0x1b  SSL3.0
TLS_ANON_DH_AES_128_CBC_SHA1 0x00, 0x34  SSL3.0
TLS_ANON_DH_AES_256_CBC_SHA1 0x00, 0x3a  SSL3.0
TLS_ANON_DH_CAMELLIA_128_CBC_SHA1 0x00, 0x46  TLS1.0
TLS_ANON_DH_CAMELLIA_256_CBC_SHA1 0x00, 0x89  TLS1.0
TLS_ANON_DH_AES_128_CBC_SHA256 0x00, 0x6c  TLS1.2
TLS_ANON_DH_AES_256_CBC_SHA256 0x00, 0x6d  TLS1.2
TLS_PSK_SHA_ARCFOUR_SHA1 0x00, 0x8a  TLS1.0
TLS_PSK_SHA_3DES_EDE_CBC_SHA1 0x00, 0x8b  TLS1.0
TLS_PSK_SHA_AES_128_CBC_SHA1 0x00, 0x8c  TLS1.0
TLS_PSK_SHA_AES_256_CBC_SHA1 0x00, 0x8d  TLS1.0
TLS_DHE_PSK_SHA_ARCFOUR_SHA1 0x00, 0x8e  TLS1.0
TLS_DHE_PSK_SHA_3DES_EDE_CBC_SHA1 0x00, 0x8f  TLS1.0
TLS_DHE_PSK_SHA_AES_128_CBC_SHA1 0x00, 0x90  TLS1.0
TLS_DHE_PSK_SHA_AES_256_CBC_SHA1 0x00, 0x91  TLS1.0
TLS_SRP_SHA_3DES_EDE_CBC_SHA1 0xc0, 0x1a  TLS1.0
TLS_SRP_SHA_AES_128_CBC_SHA1 0xc0, 0x1d  TLS1.0
TLS_SRP_SHA_AES_256_CBC_SHA1 0xc0, 0x20  TLS1.0
TLS_SRP_SHA_DSS_3DES_EDE_CBC_SHA1 0xc0, 0x1c  TLS1.0
TLS_SRP_SHA_RSA_3DES_EDE_CBC_SHA1 0xc0, 0x1b  TLS1.0
TLS_SRP_SHA_DSS_AES_128_CBC_SHA1 0xc0, 0x1f  TLS1.0
TLS_SRP_SHA_RSA_AES_128_CBC_SHA1 0xc0, 0x1e  TLS1.0
TLS_SRP_SHA_DSS_AES_256_CBC_SHA1 0xc0, 0x22  TLS1.0
TLS_SRP_SHA_RSA_AES_256_CBC_SHA1 0xc0, 0x21  TLS1.0
TLS_DHE_DSS_ARCFOUR_SHA1 0x00, 0x66  TLS1.0
TLS_DHE_DSS_3DES_EDE_CBC_SHA1 0x00, 0x13  SSL3.0
TLS_DHE_DSS_AES_128_CBC_SHA1 0x00, 0x32  SSL3.0
TLS_DHE_DSS_AES_256_CBC_SHA1 0x00, 0x38  SSL3.0
TLS_DHE_DSS_CAMELLIA_128_CBC_SHA1 0x00, 0x44  TLS1.0
TLS_DHE_DSS_CAMELLIA_256_CBC_SHA1 0x00, 0x87  TLS1.0
TLS_DHE_DSS_AES_128_CBC_SHA256 0x00, 0x40  TLS1.2
TLS_DHE_DSS_AES_256_CBC_SHA256 0x00, 0x6a  TLS1.2
TLS_DHE_RSA_3DES_EDE_CBC_SHA1 0x00, 0x16  SSL3.0
TLS_DHE_RSA_AES_128_CBC_SHA1 0x00, 0x33  SSL3.0
TLS_DHE_RSA_AES_256_CBC_SHA1 0x00, 0x39  SSL3.0
TLS_DHE_RSA_CAMELLIA_128_CBC_SHA1 0x00, 0x45  TLS1.0
TLS_DHE_RSA_CAMELLIA_256_CBC_SHA1 0x00, 0x88  TLS1.0
TLS_DHE_RSA_AES_128_CBC_SHA256 0x00, 0x67  TLS1.2
TLS_DHE_RSA_AES_256_CBC_SHA256 0x00, 0x6b  TLS1.2
TLS_RSA_NULL_MD5 0x00, 0x01  SSL3.0
TLS_RSA_NULL_SHA1 0x00, 0x02  SSL3.0
TLS_RSA_NULL_SHA256 0x00, 0x3b  TLS1.2
TLS_RSA_EXPORT_ARCFOUR_40_MD5 0x00, 0x03  SSL3.0
TLS_RSA_ARCFOUR_SHA1 0x00, 0x05  SSL3.0
TLS_RSA_ARCFOUR_MD5 0x00, 0x04  SSL3.0
TLS_RSA_3DES_EDE_CBC_SHA1 0x00, 0x0a  SSL3.0
TLS_RSA_AES_128_CBC_SHA1 0x00, 0x2f  SSL3.0
TLS_RSA_AES_256_CBC_SHA1 0x00, 0x35  SSL3.0
TLS_RSA_CAMELLIA_128_CBC_SHA1 0x00, 0x41  TLS1.0
TLS_RSA_CAMELLIA_256_CBC_SHA1 0x00, 0x84  TLS1.0
TLS_RSA_AES_128_CBC_SHA256 0x00, 0x3c  TLS1.2
TLS_RSA_AES_256_CBC_SHA256 0x00, 0x3d  TLS1.2
Certificate types: CTYPE-X.509, CTYPE-OPENPGP
Protocols: VERS-SSL3.0, VERS-TLS1.0, VERS-TLS1.1, VERS-TLS1.2
Ciphers: AES-256-CBC, AES-128-CBC, 3DES-CBC, DES-CBC, ARCFOUR-128, 
ARCFOUR-40, RC2-40, CAMELLIA-256-CBC, CAMELLIA-128-CBC, NULL
MACs: SHA1, MD5, SHA256, SHA384, SHA512, MD2, RIPEMD160, MAC-NULL
Key exchange algorithms: ANON-DH, RSA, RSA-EXPORT, DHE-RSA, DHE-DSS, 
SRP-DSS, SRP-RSA, SRP, PSK, DHE-PSK
Compression: COMP-LZO, COMP-DEFLATE, COMP-NULL
Public Key Systems: RSA, DSA
PK-signatures: SIGN-RSA-SHA1, SIGN-RSA-SHA224, SIGN-RSA-SHA256, 
SIGN-RSA-SHA384, SIGN-RSA-SHA512, SIGN-RSA-RMD160, SIGN-DSA-SHA1, 
SIGN-DSA-SHA224, SIGN-DSA-SHA256, SIGN-RSA-MD5, SIGN-RSA-MD2



~A

Re: [courier-users] Priority of Ciphers

2013-09-10 Thread Anders
Thank you. I will check that man page - I was looking at the couriertls docs 
and didn't see this.

One note though. I do not want to disable RC4, but only keep it as fallback. Is 
that possible? 

~A

Sam Varshavchik mr...@courier-mta.com wrote:
Anders writes:

 Since RC4/ARCFOUR has been in the news as breakable I was wondering if
 it is possible to have courier prioritize AES in favour of RC4 if
 supported?

 For example, gmail uses RC4 by default, but does support AES:

 # openssl s_client -connect gmail-smtp-in.l.google.com:25 -starttls smtp
 Protocol  : TLSv1.2
 Cipher: ECDHE-RSA-RC4-SHA

 # openssl s_client -cipher AES128-SHA -connect gmail-smtp-in.l.google.com:25 -starttls smtp
 Protocol  : TLSv1.2
 Cipher: AES128-SHA


 I have tried to set TLS_PRIORITY=AES256-SHA256:NORMAL:-CTYPE-OPENPGP
 or TLS_PRIORITY=AES-256-CBC:NORMAL:-CTYPE-OPENPGP or to both esmtpd
 and esmtpd-msa but then I cannot connect at all (using openssl to my
 courier server). If I leave default NORMAL:-CTYPE-OPENPGP it works:

 # openssl s_client -connect localhost:587 -starttls smtp
 Protocol  : TLSv1.2
 Cipher: AES256-SHA256


 So, what I am trying to achieve is to prioritize some ciphers before
 others, even for normal smtp courier-other host (like gmail). How
 should I use the TLS_PRIORITY setting properly do this? I have tried to
 use ciphers and ciphersuites from gnutls-cli -l. Courier is compiled
 with gnutls

For gnutls, its cipher priority configuration is documented in its man
pages:

http://manpages.courier-mta.org/htmlman3/gnutls_priority_init.3.html

If you want to exclude RC4, try

NORMAL:-CTYPE-OPENPGP:-RC4







Re: [courier-users] How to block a local user from sending email?

2013-09-07 Thread Anders
On 2013-09-05 03:07, Jeff Potter wrote:
 Thanks, Alessandro -- looking through the documentation, I'm missing where it 
 defines what valid sources are for enablefiltering -- I tried courierd, 
 courierlocal and local, but no luck.

 If it helps, here's the received header.

 Thanks for any insight!

 -Jeff

 Received: from localhost (localhost [127.0.0.1])
(uid 501)
by some-hostname-here with local; Wed, 04 Sep 2013 21:04:15 -0400
id 00370289.5227D88F.5763




How about using iptables and rate-limit? and log+reject the (uid) when 
exceeded?

something like :

-m state --state NEW -m recent --set
-m state --state NEW -m recent --update --seconds 3600 --hitcount 100 -j NFLOG --nflog-prefix "SMTP count exceeded"
-m state --state NEW -m recent --update --seconds 3600 --hitcount 100 -j REJECT

~A




Re: [courier-users] How to block a local user from sending email?

2013-09-07 Thread Anders
On 2013-09-07 08:17, Mark Constable wrote:
 On 07/09/13 16:10, Anders wrote:
 How about using iptables and rate-limit? and log+reject the (uid) when
 exceeded? something like :

 -m state --state NEW -m recent --set
 -m state --state NEW -m recent --update --seconds 3600 --hitcount 100 -j NFLOG --nflog-prefix "SMTP count exceeded"
 -m state --state NEW -m recent --update --seconds 3600 --hitcount 100 -j REJECT

 I really like this idea. If anyone gets something like this to actually
 work would they mind posting a complete working example please.



Just a question, does locally originating smtp (mail) actually pass 
through the network before courier gets it? I.e local socket or 
something like that. Then it would be easy to do. Otherwise we only see 
the outgoing mail leaving/relayed by courier. Possibly, L7 filters could 
scan the outgoing mail, detect the UID and apply rate limiting.

~A



Re: [courier-users] IMAP in general use

2013-08-21 Thread Anders
On 2013-08-21 16:35, Bowie Bailey wrote:
 K-9 Mail works well for me.
Is there a problem with the standard Email.apk that is usually included 
in Android? A (less secure?) variant is available here: 
http://forum.xda-developers.com/showthread.php?t=1965468



Re: [courier-users] Courier forward

2013-08-19 Thread Anders
Not sure which backend FS you used, but perhaps you should look into 
something with snapshotting possibility. That would make backups easy 
and manageable. Another option is to run each server in its own VM, 
enabling snapshotting and rolling back each configuration pretty easy too.


~A

On 2013-08-20 01:07, Harry Duncan wrote:
Might help if you actually said what your current email system is, and 
what mail storage it uses, and what your new mail system is and what 
its mail storage is going to be.
I am about to embark on a similar exercise to migrate a fairly old 
courier-mta system to a brand spanking new courier-mta system. Going 
from courier to courier is going to make the job easier. My current 
courier-mta uses an LDAP backend, maildir storage, and is wall to wall 
courier, but all on the one machine. What I plan on doing is:
1) Setup a new ldap server on a separate machine, migrate the ldap 
tree to that, reconfigure authldaprc to point to the new ldap server, 
and then stop ldap on the current mta.
2) Deploy a fileserver, and share the storage by NFS. Mount the NFS 
into the current mail server. Rsync the maildir folder to the NFS 
location.
3) Need to review relatively recent postings by Sam to the 
courier-imap mailing list about what has to be done to avoid NFS 
issues, make those changes to the current email system, then pick a 
night to switch, pick an off peak hour, stop mta, rsync again, and 
then re-mount the NFS share into the directory tree on the current MTA 
where it currently expects to find the users homedirs to deliver mail 
to, then restart the MTA. Should be a relatively short operation.
4) Deploy my new courier-mta server to include mta, pop, imap, 
sqwebmail and smtp, configure authlib against the LDAP server, mount 
the NFS storage so that the new MTA can deliver to the same directory 
structure.
5) Test the new MTA, and when happy that it's going to work out, make 
the necessary DNS changes to send mail to the new MTA instead of the old.
6) Let the old MTA run side by side with the new for the duration of 
the DNS change which in my case will be purposely short for the 
exercise, and when I'm happy that the old MTA is not going to receive 
any new email for delivery, and when I am happy that it has emptied 
all its queues, then shut it down.

Job done.
For me I'll now have a mailsystem where storage, ldap, and 
mailservices are on three distinct servers instead of all on one 
server, and where the MTA software is more up to date, and in a better 
condition for ongoing maintenance.
Assuming nobody is going to point out other glaring holes in my 
strategy, my only other todo's will be to review my original deploy 
notes, and the more recent deploy notes for a small MTA that I put in 
for a customer (something which brought back a lot of memories, highly 
recommend it).
The last time I had to migrate an email system, I was migrating from a 
SuSE boxed product which was an integration of postfix, cyrus, 
skyrixgreen, ldap and a whole other bunch of chewing gum and scotch 
tape. That one I migrated in a fairly tedious manner using an IMAP 
client. Have to say, I have never looked back since migrating from 
that system to courier-mta. At the time there was a lot of FUD about 
courier-mta, but the system looked good, and my experience with its 
stability and service since is such that I'd be hard pushed to look 
any other direction now other than a complete wall to wall courier system.

ymmv
HTH
Harry.


On Mon, Aug 19, 2013 at 4:23 PM, Michael Chonlahan michael.chonla...@okcareertech.org wrote:


We are looking at going to a new email system but want to forward
current
email to the new system

need some help setting this up.







Re: [courier-users] Virtual or meta folders with Courier IMAP?

2013-08-15 Thread Anders
On 2013-08-15 02:05, Sam Varshavchik wrote:
 Anders writes:

 Hi

 Is there any way with Courier IMAP to implement server-side virtual
 folders based on meta keywords, such as the Search Folders in
 Thunderbird or Outlook?

 The short answer is: no.

 I guess one way to do this would be using symbolic/hard links between
 various emails and folders. But that would not be easy to set-up in a
 safe way (what if a user moves email, etc).

 Now that part is not really an issue. Hard links are fine. An IMAP 
 server never writes into an existing file.

 What you really want to do here is that any time a mail gets delivered 
 to a mailbox, search it, and move/hard link the message file into one 
 or more additional folders.

 An IMAP server provides access to mail in existing folders. How mail 
 gets there is not something that it really cares about. So, this would 
 not be in scope of the IMAP server. A side issue is how to manage 
 these folders.

 I suppose you could have the IMAP server create and delete these 
 folders. I suppose you can create a folder called 
 INBOX.Labels.Fizzbin. The IMAP server will create this folder.

 Then, I suppose you can install a mail delivery agent that 
 automatically knows about folders, and I suppose you can have it look 
 at all INBOX.Labels.label folders, take all of them, all of their 
 keywords, and automatically hardlink each message that it delivers to 
 the mailbox into the appropriate folder.

 I suppose that's technically doable. There are a couple of side issues 
 to consider. Namely locking – making sure that things don't fall apart 
 when the IMAP server tries to delete a Labels folder that something is 
 about to be hardlinked into. Also, an IMAP client can manually upload 
 a message into a server's folder, this is used mainly by IMAP clients 
 to save a copy of sent mail, in the sent mails folder. This would 
 short-circuit the mail delivery agent altogether.

 And of course there's the issue of searching itself, to consider. 
 Searching is a mess. You have MIME encoding issues to consider (quoted 
 printable), and character set transcoding (if you are searching using 
 the UTF-8 codeset, you certainly want to be able to find your keyword 
 in a message that uses the ISO-8859-15 codeset). Not to mention that 
 there are two separate encoding standards for non-Latin characters in mail 
 headers, depending on which mail header it is.

 So, again, the short answer is no. Technically, it's possible. 
 Everything is possible, given enough free time, and incentive. But, 
 for now, it's no.


It is not just up to maildrop (in this case) to filter into various 
folders, since it should be possible to create new 
INBOX.Labels.newLabel and filter existing emails... So somehow the 
control over this has to stay with the IMAP server or perhaps through 
an extension/plug-in type control interface to it?

Thanks for your reply. I will settle for the fact that this is 
impossible for now. Perhaps IMAP will one day evolve a little :)

~A
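
Added sketch, not part of the original thread and not Courier or maildrop code: one way the delivery-time hard-linking described above could look, assuming the Courier maildir layout in which the IMAP folder INBOX.Labels.Fizzbin is the directory .Labels.Fizzbin, and assuming each label name doubles as its search keyword. The sample message and all paths are constructed; the search decodes RFC 2047 headers and quoted-printable bodies before matching, and a label folder that vanishes during delivery is skipped.

```python
import email
import email.policy
import os
import tempfile
from pathlib import Path

LABEL_PREFIX = ".Labels."  # assumed on-disk name of INBOX.Labels.<label>

# Constructed sample: keyword hidden by Q-encoding in the header and by a
# quoted-printable soft line break in the ISO-8859-15 body.
SAMPLE = (
    b"From: sender@example.org\r\n"
    b"To: user@example.org\r\n"
    b"Subject: =?ISO-8859-15?Q?Fizz=62in_=FCbersicht?=\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/plain; charset=ISO-8859-15\r\n"
    b"Content-Transfer-Encoding: quoted-printable\r\n"
    b"\r\n"
    b"Quar=\r\nterly =FCbersicht f=FCr M=E4rz\r\n"
)


def searchable_text(raw: bytes) -> str:
    """Decode headers and text parts to Unicode so one search covers every charset."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    chunks = [str(msg[h]) for h in ("Subject", "From", "To") if msg[h] is not None]
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        try:
            chunks.append(part.get_content())
        except (LookupError, UnicodeError):  # unknown or broken charset label
            chunks.append(part.get_payload(decode=True).decode("latin-1"))
    return "\n".join(chunks).casefold()


def label_folders(maildir: Path) -> dict:
    """Map label name -> folder path for every .Labels.<label> directory."""
    found = {}
    for p in maildir.iterdir():
        label = p.name[len(LABEL_PREFIX):]
        if p.is_dir() and p.name.startswith(LABEL_PREFIX) and label:
            found[label] = p
    return found


def link_into_labels(maildir: Path, msg_file: Path) -> list:
    """Hard-link a delivered message into each label folder whose name it mentions."""
    text = searchable_text(msg_file.read_bytes())
    linked = []
    for label, folder in sorted(label_folders(maildir).items()):
        if label.casefold() not in text:
            continue
        try:
            os.link(msg_file, folder / "new" / msg_file.name)
        except FileExistsError:
            pass      # already linked by an earlier run
        except FileNotFoundError:
            continue  # folder removed between the listing and the link
        linked.append(label)
    return linked


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        maildir = Path(tmp) / "Maildir"
        for folder in ("", ".Labels.Fizzbin", ".Labels.Quarterly", ".Labels.Invoices"):
            for sub in ("new", "cur", "tmp"):
                (maildir / folder / sub).mkdir(parents=True)
        # No new/ subdirectory: stands in for a folder caught mid-deletion.
        (maildir / ".Labels.Fizz").mkdir()
        msg_file = maildir / "new" / "1375000000.M1P1.host"
        msg_file.write_bytes(SAMPLE)
        linked = link_into_labels(maildir, msg_file)
        copy = maildir / ".Labels.Fizzbin" / "new" / msg_file.name
        return {
            "linked": linked,
            "raw_grep": b"Fizzbin" in SAMPLE or b"Quarterly" in SAMPLE,
            "same_inode": os.path.samefile(msg_file, copy),
            "nlink": msg_file.stat().st_nlink,
        }


if __name__ == "__main__":
    print(demo())
```

Messages an IMAP client uploads itself, such as saved sent mail, never pass through a hook like this, which is the gap the reply above points out.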







[courier-users] Virtual or meta folders with Courier IMAP?

2013-08-14 Thread Anders
Hi

Is there any way with Courier IMAP to implement server-side virtual 
folders based on meta keywords, such as the Search Folders in 
Thunderbird or Outlook?

Client side search folders are not really useful since many clients do 
not support them and are not portable (i.e bring the settings with me). 
For example I use probably 4-5 different clients to access the same 
emails during the week, and I can't be sure that I will use the same 
client all the time. Only server software using this AFAIK is Gmail 
Labels. Exchange supports them, but only storing the settings of search 
folders in a flat view, not the results.

I guess one way to do this would be using symbolic/hard links between 
various emails and folders. But that would not be easy to set-up in a 
safe way (what if a user moves email, etc).

Thanks.

~A



[courier-users] zdkimfilter dkim=fail while SpamAssassin says DKIM=pass

2013-07-26 Thread Anders
So far, since I got zdkimfilter to work properly I have received some 
dkim=pass (usually from gmail) and some dkim=fails.. All seems ok. By 
chance I compared the dkim=fail against what SpamAssassin said:

== courier log

Jul 26 21:45:47 e350 courierfilter:
zdkimfilter[12888]:id=00C804FC.51F2D1E6.3235:
verified: dkim=fail (id=@dkim-reputation.org, body hash mismatch,
stat=1) rep=0
Jul 26 21:45:47 e350 courierfilter:
zdkimfilter[12888]:id=00C804FC.51F2D1E6.3235:
response: 250 Ok.
Jul 26 21:45:47 e350 courierd:
newmsg,id=00C804FC.51F2D1E6.3235: dns;
repsys.dkim-reputation.org (repsys.dkim-reputation.org
[:::46.4.178.182])
Jul 26 21:45:47 e350 courierd:

started,id=00C804FC.51F2D1E6.3235,from=www-d...@dkim-reputation.org,module=local,host=and...@lechevalier.se!!8!12!/var/mail/domains/lechevalier.se/anders!!,addr=and...@lechevalier.se
Jul 26 21:45:47 e350 courierd: Waiting.  shutdown time=none, wakeup
time=none, queuedelivering=1, inprogress=1
Jul 26 21:45:47 e350 courierlocal:

id=00C804FC.51F2D1E6.3235,from=www-d...@dkim-reputation.org,addr=and...@lechevalier.se,size=14751,success:
Message delivered.
Jul 26 21:45:47 e350 courierd:
completed,id=00C804FC.51F2D1E6.3235

==

== SpamAssassin log

Jul 26 21:45:43 e350 spamd[19824]: spamd: processing message
5873b4b23ff3d57de56472c8c0240...@www.dkim-reputation.org for mail:8
Jul 26 21:45:47 e350 spamd[19824]: spamd: clean message (1.8/5.0)
for mail:8 in 3.8 seconds, 14419 bytes.
Jul 26 21:45:47 e350 spamd[19824]: spamd: result: . 1 -

BAYES_50,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_IMAGE_ONLY_16,HTML_MESSAGE

scantime=3.8,size=14419,user=mail,uid=8,required_score=5.0,rhost=e350.lan.lechevalier.se,raddr=127.0.0.1,rport=48478,mid=5873b4b23ff3d57de56472c8c0240...@www.dkim-reputation.org,bayes=0.499952,autolearn=no

==

What does body hash mismatch mean? Perhaps there are some headers not 
checked by SA but are checked with zdkimfilter?

Spamassassin is run through pythonfilter-1.8. I believe pythonfilter 
might be run first as it is doing greyfiltering. Are the added headers 
from SpamAssassin the culprit?

These are the headers from the email above
==

Delivered-To: and...@lechevalier.se
Return-Path: www-d...@dkim-reputation.org
Authentication-Results: e350;
   dkim=fail (body hash mismatch) header.i=@dkim-reputation.org
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
  e350.lan.lechevalier.se
X-Spam-Level: *
X-Spam-Status: No, score=1.8 required=5.0 tests=BAYES_50,DKIM_SIGNED,
  DKIM_VALID,DKIM_VALID_AU,HTML_IMAGE_ONLY_16,HTML_MESSAGE autolearn=no
  version=3.3.2
Received: from repsys.dkim-reputation.org (repsys.dkim-reputation.org
  [:::46.4.178.182])
  by e350 with ESMTP; Fri, 26 Jul 2013 21:45:42 +0200
  id 00C804FC.51F2D1E6.3235
Received-SPF: none (Address does not pass the Sender Policy Framework)
  SPF=MAILFROM; sender=www-d...@dkim-reputation.org;
  remoteip=:::46.4.178.182;
  remotehost=repsys.dkim-reputation.org;
  helo=repsys.dkim-reputation.org; receiver=mail.tnonline.net;
Received: from repsys.dkim-reputation.org (localhost [127.0.0.1])
  by repsys.dkim-reputation.org (Postfix) with ESMTP id 5C210398384
  for and...@lechevalier.se; Fri, 26 Jul 2013 21:38:30 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=dkim-reputation.org; h=to
  :subject:date:from:reply-to:message-id:mime-version:content-type
  ; s=default; bh=Zbv3XTgeAhngG+jukxXJGBaEkcA=; b=eYMOEw2x9oUjhWgh
  MMBsrGuxNzz8MH8OAPpf7aRWvn0LtSBc93wXeSFqIe1LginJBp0VuGR9OaReUNH8
  3D7ZRo/b03lPv9FWilixpc3vYEmlMIdSxUxbrY2uKrao/DsMoc3+xOlPppRRZPZa
  MnbvRRZodqNEmyLAaGu626ME9Hc=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=dkim-reputation.org; 
h=to:subject
  :date:from:reply-to:message-id:mime-version:content-type;
  q=dns;
  s=default; b=I/0X89H+UeDCXaLgwxI33JhjCuIIJpgfPtuzWK0XZyTCybtFX6
  A6SfGecLWCPZpm2XofNtD4wkWMdfK7X4H9NFKWkgem5lUdapGKWFmFsdazDh+TPM
  FoU77hgQr1eiljuaUq9C4WpuERorZxyn3jP7UG3DMATnZNxSgCBCY/LdM=
Received: by repsys.dkim-reputation.org (Postfix, from userid 33)
  id 5497B3983D1; Fri, 26 Jul 2013 21:38:30 +0200 (CEST)
To: and...@lechevalier.se
Subject: Proposal for DKIM-Reputation-Project
  [f688b566190ceed5d63f440b7dc3b38e67d68b04]
Date: Fri, 26 Jul 2013 19:38:30 +
From: DKIM Reputation Project i...@dkim-reputation.org
Reply-to: DKIM Reputation Project submit-dom...@dkim-reputation.org
Message-ID: 5873b4b23ff3d57de56472c8c0240...@www.dkim-reputation.org
X-Priority: 3
MIME-Version: 1.0
Content-Type: multipart/related; type=text/html;
  boundary=b1_5873b4b23ff3d57de56472c8c0240f9e
Received-SPF: none
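
Added illustration, not part of the original post and not zdkimfilter or SpamAssassin code: the bh= tag of a DKIM-Signature is the hash of the canonicalized message body (RFC 6376), and "body hash mismatch" means the value a verifier recomputed differs from it. The sketch recomputes bh= for a constructed body under the a=rsa-sha1; c=relaxed tags seen in the header above (relaxed headers, simple body) and shows which later edits to the body each canonicalization tolerates; the sample body, example.org and the b= placeholder are constructed, and the l= tag is not handled.

```python
import base64
import hashlib
import re


def _crlf(body: bytes) -> bytes:
    """Normalise line endings to CRLF, the form DKIM hashes."""
    return re.sub(rb"\r\n|\r|\n", b"\r\n", body)


def canon_simple(body: bytes) -> bytes:
    """RFC 6376 3.4.3: drop empty lines at the end, keep the rest byte for byte."""
    body = _crlf(body)
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body + b"\r\n"  # an empty body hashes as a single CRLF


def canon_relaxed(body: bytes) -> bytes:
    """RFC 6376 3.4.4: also collapse runs of space/tab and strip them at line ends."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ")
             for ln in _crlf(body).split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)  # an empty body hashes as b""


def body_hash(body: bytes, body_canon: str, algo: str) -> str:
    canon = canon_relaxed(body) if body_canon == "relaxed" else canon_simple(body)
    return base64.b64encode(hashlib.new(algo, canon).digest()).decode()


def parse_tags(value: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs, unfolding whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def body_canon_of(c_tag: str) -> str:
    # c=header/body; when only one name is given it applies to the headers
    # and the body falls back to "simple".
    return c_tag.split("/")[1] if "/" in c_tag else "simple"


def check_body_hash(dkim_value: str, body: bytes) -> dict:
    tags = parse_tags(dkim_value)
    algo = tags["a"].split("-")[-1]  # rsa-sha1 -> sha1
    canon = body_canon_of(tags.get("c", "simple/simple"))
    computed = body_hash(body, canon, algo)
    return {"body_canon": canon, "claimed": tags["bh"],
            "computed": computed, "match": computed == tags["bh"]}


# Constructed sample body and the edits a downstream hop might make to it.
SIGNED_BODY = b'<html>\r\n<img src="cid:logo">\r\n</html>\r\n'
EDITS = {
    "unchanged": SIGNED_BODY,
    "blank lines appended": SIGNED_BODY + b"\r\n\r\n",
    "trailing space added": SIGNED_BODY.replace(b"<html>\r\n", b"<html> \r\n", 1),
    "footer appended": SIGNED_BODY + b"-- \r\nscanned by filter\r\n",
}


def signature_for(body: bytes, c_tag: str) -> str:
    """Build a signature value with a real bh= and a placeholder b= (no RSA here)."""
    bh = body_hash(body, body_canon_of(c_tag), "sha1")
    return f"v=1; a=rsa-sha1; c={c_tag}; d=example.org; s=default; bh={bh}; b=PLACEHOLDER"


def survey() -> dict:
    """For each c= setting, report which edited bodies still match the signed bh=."""
    out = {}
    for c_tag in ("relaxed", "relaxed/relaxed"):
        sig = signature_for(SIGNED_BODY, c_tag)
        out[c_tag] = {name: check_body_hash(sig, body)["match"]
                      for name, body in EDITS.items()}
    return out


if __name__ == "__main__":
    for c_tag, rows in survey().items():
        for name, ok in rows.items():
            print(f"c={c_tag:16} {name:22} {'pass' if ok else 'body hash mismatch'}")
```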

Re: [courier-users] zdkimfilter

2013-07-24 Thread Anders
Hi,

I'll comment in-line.
I am using zdkimfilter-1.2, provided by gentoo ebuild/portage. Compiler 
is gcc 4.7.3

Thank you very much.

~A

On 2013-07-24 11:13, Alessandro Vesely wrote:
 Hi,

 On Wed 24/Jul/2013 00:17:17 +0200 Anders wrote:
 So, now comes to testing it all... To summarize, no mails are signed
 because I think that zdkimfilter can't find anything suitable to match
 domain/selector against. What can be the cause?
 I think that's because you set RELAYCLIENT based on the IP address,
 and have no authsender in the control file (a control record starting
 with 'i').  The signing domain is derived from the user id, if it has
 a '@'.  Courier can work both ways, zdkimfilter should do so as well.

I am using courier with virtual users mapped through mysql. The full 
email address is the user name.

What is a control record, and where/how do I find how they are created 
and what they look like?

 I have a test.mail file
 ==
 Message-ID: 51eee029.8070...@lechevalier.se
 Date: Tue, 23 Jul 2013 21:57:29 +0200
 From: Anders and...@lechevalier.se
 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130620
 Thunderbird/17.0.7
 MIME-Version: 1.0
 To: anders crimsoncott...@gmail.com
 Subject: test
 Content-Type: text/plain; charset=ISO-8859-1; format=flowed
 Content-Transfer-Encoding: 7bit

 test
 ==

 I run dkimsign test.mail and get the following output:
 ==
 WARN: zfilter: zdkimfilter[27853]:Mismatched library versions:
 compile=0X2020200 link=0X2080400
 (That warning is due to a mismatch between libopendkim-dev and the
 actual libopendkim library.  It might cause hiccups when verifying
 signatures --not the current issue.
OK,  does this happen at compile time, or is it something predefined by 
zdkimfilter code? Looks like it was compiled against opendkim 2.2.2, but 
I actually have only opendkim 2.8.4 installed (Gentoo 
mail-filter/opendkim-2.8.4).


# ls -l /usr/lib64/libopendkim*
lrwxrwxrwx 1 root root 20 Jul 24 12:51 /usr/lib64/libopendkim.so -> libopendkim.so.9.0.1
lrwxrwxrwx 1 root root 20 Jul 24 12:51 /usr/lib64/libopendkim.so.9 -> libopendkim.so.9.0.1
-rwxr-xr-x 1 root root 136200 Jul 24 12:50 /usr/lib64/libopendkim.so.9.0.1


I did notice a segmentation fault with courier/zdkimfilter once I have 
started with filterctl. It happens on every received email:

Jul 24 13:09:14 e350 courieresmtpd: started,ip=[:::216.34.181.88]
Jul 24 13:09:17 e350 courierfilter: zdkimfilter[13997]: started child
Jul 24 13:09:17 e350 courieresmtpd: 
error,relay=:::216.34.181.88,from=courier-users-boun...@lists.sourceforge.net:
 
432 Mail filters temporarily unavailable.
Jul 24 13:09:17 e350 submit: Bad file descriptor
Jul 24 13:09:17 e350 submit: Connection closed when processing:
Jul 24 13:09:17 e350 courierfilter: zdkimfilter[13997]:reading 2 names 
completed by first call
Jul 24 13:09:17 e350 courierfilter: 
zdkimfilter[13997]:id=00C804F7.51EFB5DC.36A7: 
verifying dkim_eoh: No signature (stat=2)


...and kernel log

[2329247.997445] zdkimfilter[12231]: segfault at e ip 7f41ffb36411 
sp 7fff9d08ce00 error 4 in libopendkim.so.9.0.1[7f41ffb25000+2]
[2329937.290754] zdkimfilter[13997]: segfault at e ip 7f41ffb36411 
sp 7fff9d08ce00 error 4 in libopendkim.so.9.0.1[7f41ffb25000+2]





 INFO: zfilter: zdkimfilter: running for dkimsign on 1 ctl + 1 mail files
 INFO: zfilter: zdkimfilter[27854]: started child
 DEBUG: zfilter: zdkimfilter[27854]:reading 2 names completed by first call
 INFO: zfilter: zdkimfilter[27854]:id=dkimsign: not signing for
 postmaster: no domain
 INFO: zfilter: zdkimfilter[27854]:id=dkimsign: response: 250 not filtered.
 ==
 What is the mismatched library versions?
 dkimsign doesn't see the domain in FROM: or Message-ID: fields. Is this
 normal?

 I run dkimsign --domain lechevalier.se test.mail
 Yes, dkimsign needs the domain to create a control file similar to
 those supplied by Courier.
OK, so all seems OK so far then?

 zdkimfilter.conf:
 ==
 all_mode = Y
 verbose = 8
 domain_keys = /etc/courier/filters/keys
 selector = s
 ==
 That looks fine.  A default_domain = lechevalier.se would be needed
 only if it is needed for Courier too.  That is, if your Courier user
 id is anders rather than and...@lechevalier.se.

No, default domain would not work since courier is providing email for 
several different domain names. But, each user must login with the full 
email address. Login is over TLS  or SSL connection.


 I have a symlink /etc/courier/filters/keys/lechevalier.se -> s.private
 Correct.

 So, when sending emails, I get only the following in my mail log:
 ==
 Jul 24 00:09:42 e350 courierfilter: zdkimfilter[29197]: started child
 Jul 24 00:09:42 e350

Re: [courier-users] zdkimfilter

2013-07-24 Thread Anders
On 2013-07-24 18:10, Alessandro Vesely wrote:
 On Wed 24/Jul/2013 13:39:37 +0200 Anders wrote:
 I'll comment in-line.
 Yup :-)

 I am using zdkimfilter-1.2 , provided by gentoo ebuild/portage. Compiler
 is gcc 4.7.3
 I haven't been able to find that version --see below.

 I think that's because you set RELAYCLIENT based on the IP address,
 and have no authsender in the control file (a control record starting
 with 'i').  The signing domain is derived from the user id, if it has
 a '@'.  Courier can work both ways, zdkimfilter should do so as well.
 I am using courier with virtual users mapped through mysql. The full
 email address is the user name.
 So do I.

 What is a control record, and where/how do I find how they are created
 and looks like?
 Control files only exist in the mail queue.  They are named Cnnn
 and correspond to the Dnnn mail file with the same number.  They
 are loosely documented in http://www.courier-mta.org/queue.html

 I run dkimsign test.mail and get the following output:
 ==
 WARN: zfilter: zdkimfilter[27853]:Mismatched library versions:
 compile=0X2020200 link=0X2080400
 (That warning is due to a mismatch between libopendkim-dev and the
 actual libopendkim library.  It might cause hiccups when verifying
 signatures --not the current issue.
 OK,  does this happen at compile time, or is it something predefined by
 zdkimfilter code? Looks like it was compiled against opendkim 2.2.2, but
 I actually have only opendkim 2.8.4 installed (Gentoo
 mail-filter/opendkim-2.8.4).
 Yes, it is a compile time conditional.

 I checked
 http://packages.gentoo.org/package/mail-filter/opendkim
 http://packages.gentoo.org/package/mail-filter/zdkimfilter
 I found opendkim-2.8.4 (that was released on the 16th this month), but
 zdkimfilter-1.1 not 1.2

 The opendkim-2.2.2 version they used to build zdkimfilter seems to be
 lost.

I realise I have a local overlay with zdkimfilter-1.2. I will revert to 1.1.

Should I downgrade opendkim-2.2.2?

 
 # ls -l /usr/lib64/libopendkim*
 lrwxrwxrwx 1 root root 20 Jul 24 12:51 /usr/lib64/libopendkim.so -> libopendkim.so.9.0.1
 lrwxrwxrwx 1 root root 20 Jul 24 12:51 /usr/lib64/libopendkim.so.9 -> libopendkim.so.9.0.1
 -rwxr-xr-x 1 root root 136200 Jul 24 12:50 /usr/lib64/libopendkim.so.9.0.1
 

 I did notice a segmentation fault with courier/zdkimfilter once I have
 started with filterctl. It happens on every received email:
 
 Jul 24 13:09:14 e350 courieresmtpd: started,ip=[:::216.34.181.88]
 Jul 24 13:09:17 e350 courierfilter: zdkimfilter[13997]: started child
 Jul 24 13:09:17 e350 courieresmtpd:
 error,relay=:::216.34.181.88,from=courier-users-boun...@lists.sourceforge.net:
 432 Mail filters temporarily unavailable.
 Jul 24 13:09:17 e350 submit: Bad file descriptor
 Jul 24 13:09:17 e350 submit: Connection closed when processing:
 Jul 24 13:09:17 e350 courierfilter: zdkimfilter[13997]:reading 2 names
 completed by first call
 Jul 24 13:09:17 e350 courierfilter:
 zdkimfilter[13997]:id=00C804F7.51EFB5DC.36A7:
 verifying dkim_eoh: No signature (stat=2)
 

 ...and kernel log
 
 [2329247.997445] zdkimfilter[12231]: segfault at e ip 7f41ffb36411
 sp 7fff9d08ce00 error 4 in libopendkim.so.9.0.1[7f41ffb25000+2]
 [2329937.290754] zdkimfilter[13997]: segfault at e ip 7f41ffb36411
 sp 7fff9d08ce00 error 4 in libopendkim.so.9.0.1[7f41ffb25000+2]
 
 We should file a bug report.  I would have done it myself if the
 version matched.  There is a function, dkim_policy(), which takes
 three parameters in opendkim 2.2.2, but takes four in version 2.8.4.
 Depending on the optimizations used at compile time, it might cause
 such behavior.  In fact, zdkimfilter calls that function when it
 verifies signatures in received messages.

 I run dkimsign --domain lechevalier.se test.mail
 Yes, dkimsign needs the domain to create a control file similar to
 those supplied by Courier.
 OK, so all seems OK so far then?
 Yeah, I use dkimsign that way to sign messages going out through
 sqwebmail.  Possibly, you could prepend it to the mail pipe, until
 this issue is cleared.

 You should have got at least a not signing for /user id/: no
 /something/ message if it had entered signing mode.  That's why I
 think you don't authenticate on sending.  Please confirm that.  I'll
 add a message for that case anyway.
 No, all users must authenticate to be able to send emails (relaying
 denied otherwise).  It could be that my courier config is completely
 wrong, should I post it here? In that case, which of the config files
 are interesting for you?


 Output from sending a test email from and...@lechevalier.se to
 crimsoncott...@gmail.com. At least from= is clearly defined in the log
 file.
 There is a key_choice_header parameter that can be tweaked in order to
 derive the signing

Re: [courier-users] zdkimfilter

2013-07-24 Thread Anders
Alright, it works now.  Here is what I did:

* Install zdkimfilter-1.1 (perhaps not needed, but still)
* fix permissions on /etc/courier/filters/keys to be accessible by 
courier user
* add ESMTPAUTH=PLAIN LOGIN to esmtpd-msa...

Now it seems to work, both for verifying and signing! yay :)

~A

On 2013-07-24 20:51, Anders wrote:
 On 2013-07-24 18:10, Alessandro Vesely wrote:
 On Wed 24/Jul/2013 13:39:37 +0200 Anders wrote:
 I'll comment in-line.
 Yup :-)

 I am using zdkimfilter-1.2 , provided by gentoo ebuild/portage. Compiler
 is gcc 4.7.3
 I haven't been able to find that version --see below.

 I think that's because you set RELAYCLIENT based on the IP address,
 and have no authsender in the control file (a control record starting
 with 'i').  The signing domain is derived from the user id, if it has
 a '@'.  Courier can work both ways, zdkimfilter should do so as well.
 I am using courier with virtual users mapped through mysql. The full
 email address is the user name.
 So do I.

 What is a control record, and where/how do I find how they are created
 and looks like?
 Control files only exist in the mail queue.  They are named Cnnn
 and correspond to the Dnnn mail file with the same number.  They
 are loosely documented in http://www.courier-mta.org/queue.html

 I run dkimsign test.mail and get the following output:
 ==
 WARN: zfilter: zdkimfilter[27853]:Mismatched library versions:
 compile=0X2020200 link=0X2080400
 (That warning is due to a mismatch between libopendkim-dev and the
 actual libopendkim library.  It might cause hiccups when verifying
 signatures --not the current issue.
 OK,  does this happen at compile time, or is it something predefined by
 zdkimfilter code? Looks like it was compiled against opendkim 2.2.2, but
 I actually have only opendkim 2.8.4 installed (Gentoo
 mail-filter/opendkim-2.8.4).
 Yes, it is a compile time conditional.

 I checked
 http://packages.gentoo.org/package/mail-filter/opendkim
 http://packages.gentoo.org/package/mail-filter/zdkimfilter
 I found opendkim-2.8.4 (that was released on the 16th this month), but
 zdkimfilter-1.1 not 1.2

 The opendkim-2.2.2 version they used to build zdkimfilter seems to be
 lost.
 I realise I have a local overlay with zdkimfilter-1.2. I will revert to 1.1.

 Should I downgrade opendkim-2.2.2?
 
 # ls -l /usr/lib64/libopendkim*
 lrwxrwxrwx 1 root root 20 Jul 24 12:51 /usr/lib64/libopendkim.so -> libopendkim.so.9.0.1
 lrwxrwxrwx 1 root root 20 Jul 24 12:51 /usr/lib64/libopendkim.so.9 -> libopendkim.so.9.0.1
 -rwxr-xr-x 1 root root 136200 Jul 24 12:50 /usr/lib64/libopendkim.so.9.0.1
 

 I did notice a segmentation fault with courier/zdkimfilter once I have
 started with filterctl. It happens on every received email:
 
 Jul 24 13:09:14 e350 courieresmtpd: started,ip=[:::216.34.181.88]
 Jul 24 13:09:17 e350 courierfilter: zdkimfilter[13997]: started child
 Jul 24 13:09:17 e350 courieresmtpd:
 error,relay=:::216.34.181.88,from=courier-users-boun...@lists.sourceforge.net:
 432 Mail filters temporarily unavailable.
 Jul 24 13:09:17 e350 submit: Bad file descriptor
 Jul 24 13:09:17 e350 submit: Connection closed when processing:
 Jul 24 13:09:17 e350 courierfilter: zdkimfilter[13997]:reading 2 names
 completed by first call
 Jul 24 13:09:17 e350 courierfilter:
 zdkimfilter[13997]:id=00C804F7.51EFB5DC.36A7:
 verifying dkim_eoh: No signature (stat=2)
 

 ...and kernel log
 
 [2329247.997445] zdkimfilter[12231]: segfault at e ip 7f41ffb36411
 sp 7fff9d08ce00 error 4 in libopendkim.so.9.0.1[7f41ffb25000+2]
 [2329937.290754] zdkimfilter[13997]: segfault at e ip 7f41ffb36411
 sp 7fff9d08ce00 error 4 in libopendkim.so.9.0.1[7f41ffb25000+2]
 
 We should file a bug report.  I would have done it myself if the
 version matched.  There is a function, dkim_policy(), which takes
 three parameters in opendkim 2.2.2, but takes four in version 2.8.4.
 Depending on the optimizations used at compile time, it might cause
 such behavior.  In fact, zdkimfilter calls that function when it
 verifies signatures in received messages.

 I run dkimsign --domain lechevalier.se test.mail
 Yes, dkimsign needs the domain to create a control file similar to
 those supplied by Courier.
 OK, so all seems OK so far then?
 Yeah, I use dkimsign that way to sign messages going out through
 sqwebmail.  Possibly, you could prepend it to the mail pipe, until
 this issue is cleared.

 You should have got at least a not signing for /user id/: no
 /something/ message if it had entered signing mode.  That's why I
 think you don't authenticate on sending.  Please confirm that.  I'll
 add a message for that case anyway.
 No, all users must authenticate to be able to send emails (relaying
 denied otherwise).  It could be that my courier config is completely

Re: [courier-users] zdkimfilter

2013-07-24 Thread Anders
On 2013-07-24 21:25, Alessandro Vesely wrote:
 On Wed 24/Jul/2013 20:51:06 +0200 Anders wrote:
 On 2013-07-24 18:10, Alessandro Vesely wrote:
 The opendkim-2.2.2 version they used to build zdkimfilter seems to be
 lost.
 I realise I have a local overlay with zdkimfilter-1.2. I will revert to 1.1.
 It won't get things better.  Knowing the source of the bad build is
 only useful for reporting the bug where it belongs to.
Have now tried zdkimfilter-1.2 the same segfault happens. Otherwise it 
works to sign outgoing and verify incoming emails.


 Should I downgrade opendkim-2.2.2?
 I'd expect that will avoid the segmentation fault.  Can you still find it?


Yes, it did resolve the issue.
tar -xzvf opendkim-2.2.2.tar.gz
./configure
make
make install
reinstall zdkimfilter-1.2 (emerge zdkimfilter)

 We'd need to change the code slightly to obtain such feature.
 Seems like a possible future feature, but I do want authentication, so
 the problem must be my courier setup.
 That's the best option, IMHO.
 I must say I am at a loss about the auth=userid@domain. Never seen it
 in my logs... I do use port 587 with TLS and authentication with
 username/password to submit email. Perhaps here is where my problem is
 and I need to correct sigh =( I do not want relayclient based on IP,
 though that is needed for some local scripting stuff, but not my normal
 users since we should do auth...

 I added DEBUG_LOGIN=1 to authdaemondrc and I see authentication when
 logging in with imap, but nothing when submitting on smtp...

 Not sure where to look now. any ideas? Thanks!
 It should be configured in esmtpd-msa, and run its own couriertcpd
 that listens on that port.


 It is now, and that works nice. Not sure why the setting got missing - 
 probably due to upgrading too many times and not checking... Thanks for 
 pointing it out.


~ A
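
Added example, not from the thread and not zdkimfilter code: a small triage script for the two symptoms discussed in these messages, the "Mismatched library versions" warning and the kernel segfault lines. It assumes the version words pack major, minor and patch into their top three bytes, which matches the 2.2.2 and 2.8.4 named in the thread, and it treats a differing major or minor number as an ABI risk (a heuristic chosen for this example); the log lines are the ones posted above with the line wrapping undone.

```python
import re

MISMATCH = re.compile(
    r"(\w+)\[\d+\]:\s*Mismatched library versions:\s*"
    r"compile=0[xX]([0-9A-Fa-f]+)\s+link=0[xX]([0-9A-Fa-f]+)")
SEGFAULT = re.compile(r"(\w+)\[(\d+)\]: segfault at .*? in (\S+?)\[")

# Log lines as posted in the thread, re-joined onto single lines.
THREAD_LOG = [
    "WARN: zfilter: zdkimfilter[27853]:Mismatched library versions: "
    "compile=0X2020200 link=0X2080400",
    "[2329247.997445] zdkimfilter[12231]: segfault at e ip 7f41ffb36411 "
    "sp 7fff9d08ce00 error 4 in libopendkim.so.9.0.1[7f41ffb25000+2]",
    "[2329937.290754] zdkimfilter[13997]: segfault at e ip 7f41ffb36411 "
    "sp 7fff9d08ce00 error 4 in libopendkim.so.9.0.1[7f41ffb25000+2]",
]


def decode_version(word: str) -> tuple:
    """Unpack a version word into (major, minor, patch); layout is an assumption."""
    v = int(word, 16)
    return ((v >> 24) & 0xFF, (v >> 16) & 0xFF, (v >> 8) & 0xFF)


def triage(lines) -> dict:
    """Collect header/library mismatches and crashes, then tie them together."""
    report = {"mismatches": [], "crashes": [], "suspect_libraries": []}
    for line in lines:
        m = MISMATCH.search(line)
        if m:
            built, linked = decode_version(m.group(2)), decode_version(m.group(3))
            report["mismatches"].append({
                "process": m.group(1), "built": built, "linked": linked,
                # Heuristic: a different major.minor may change function signatures.
                "abi_risk": built[:2] != linked[:2],
            })
        s = SEGFAULT.search(line)
        if s:
            report["crashes"].append({
                "process": s.group(1), "pid": int(s.group(2)), "library": s.group(3)})
    risky = {m["process"] for m in report["mismatches"] if m["abi_risk"]}
    # A library is suspect when a process that warned about a mismatch crashed in it.
    report["suspect_libraries"] = sorted(
        {c["library"] for c in report["crashes"] if c["process"] in risky})
    return report


if __name__ == "__main__":
    print(triage(THREAD_LOG))
```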



Re: [courier-users] zdkimfilter

2013-07-23 Thread Anders
Thanks!

I reset my configs and followed Jérôme's installation tips from the 
previous emails. It seems as something was odd with my bind config. 
Apparently, I had to split the _domainkey TXT into several segments, or 
bind wouldn't add it.


So, now comes to testing it all... To summarize, no mails are signed 
because I think that zdkimfilter can't find anything suitable to match 
domain/selector against. What can be the cause?

I have a test.mail file
==
Message-ID: 51eee029.8070...@lechevalier.se
Date: Tue, 23 Jul 2013 21:57:29 +0200
From: Anders and...@lechevalier.se
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130620 
Thunderbird/17.0.7
MIME-Version: 1.0
To: anders crimsoncott...@gmail.com
Subject: test
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

test
==

I run dkimsign test.mail and get the following output:
==
WARN: zfilter: zdkimfilter[27853]:Mismatched library versions: 
compile=0X2020200 link=0X2080400
INFO: zfilter: zdkimfilter: running for dkimsign on 1 ctl + 1 mail files
INFO: zfilter: zdkimfilter[27854]: started child
DEBUG: zfilter: zdkimfilter[27854]:reading 2 names completed by first call
INFO: zfilter: zdkimfilter[27854]:id=dkimsign: not signing for 
postmaster: no domain
INFO: zfilter: zdkimfilter[27854]:id=dkimsign: response: 250 not filtered.
==
What is the mismatched library versions?
dkimsign doesn't see the domain in FROM: or Message-ID: fields. Is this 
normal?

I run dkimsign --domain lechevalier.se test.mail and get the following 
output:
==
WARN: zfilter: zdkimfilter[28454]:Mismatched library versions: 
compile=0X2020200 link=0X2080400
INFO: zfilter: zdkimfilter: running for dkimsign on 1 ctl + 1 mail files
INFO: zfilter: zdkimfilter[28455]: started child
DEBUG: zfilter: zdkimfilter[28455]:reading 2 names completed by first call
INFO: zfilter: zdkimfilter[28455]:id=dkimsign: signing for 
postmas...@lechevalier.se with domain lechevalier.se, selector s
INFO: zfilter: zdkimfilter[28455]:id=dkimsign: response: 250 Ok.
==
Now this seems to work fine. test.mail now has the DKIM signature added.

zdkimfilter.conf:
==
all_mode = Y
verbose = 8
domain_keys = /etc/courier/filters/keys
selector = s
==
I have a symlink /etc/courier/filters/keys/lechevalier.se -> s.private

So, when sending emails, I get only the following in my mail log:
==
Jul 24 00:09:42 e350 courierfilter: zdkimfilter[29197]: started child
Jul 24 00:09:42 e350 courierfilter: zdkimfilter[29197]:reading 2 names 
completed by first call
Jul 24 00:09:42 e350 courierfilter: 
zdkimfilter[29197]:id=00C81E83.51EEFF26.720B: 
response: 250 not filtered.
==

I'm at a loss now what could be the root cause here. How can I debug 
this problem? It seems as the verbosity in the log is too low, even 
though I have verbosity=8.

~A

On 2013-07-23 12:54, Alessandro Vesely wrote:
 Hi Anders,

 On Sun 21/Jul/2013 13:23:16 +0200 Anders wrote:
 Can someone contribute with some example configuration files for
 zdkimfilter and courier, especially for signing outgoing mail.
 something like this zone-file snippet?

 beta._domainkey IN TXT ( v=DKIM1; k=rsa; 
  p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGZmBE7vUMFfhxq
  pHw46gf55UmKH1B7zsiHD7n/R/mnvdvKabvosrHhcAhuDZcf1hr+8Co
  LTOr6/rUiJXmJoPeq4d3daD+EeUfNIFov6lDgKuBpxNFTuw6spOpX63
  xTh9cu7g+6ABQUEnzQmLULdImvcq91g1E9QK7SaEO2aYiXwIDAQAB )

 _adsp._domainkey IN TXT dkim=unknown

 I have tried to follow the information from the zdkimfilter website
 The old site contained more step-by-step stuff, much of which is still
 valid, in particular:
 http://www.tana.it/sw/zdkimfilter/v-0.5.shtml#setup

 and the man/config files but I can't get it to work, not even off-line
 checking/testing against self-generated dkim certs with dkimsign.
 Does the test suite work? (`make check')  It should leave plenty of
 diagnostic data if it fails.  Otherwise you can use the -d (--debug)
 option to avoid deleting test data, e.g.

 cd tests && ./testsuite -d 4

 Then, looking at the test files left

 ls testsuite.dir/04

 might help you figuring out why your checking doesn't work as well.

 Hth

Re: [courier-users] Courier 20120305 build released

2013-04-26 Thread Anders
Hi,

Since I upgraded, pythonfilter-1,8 has stopped functioning. Is there a 
known compatibility issue? I do not see anything in the logs that the 
filter is even being considered/used.

Regards,
Anders

On 2013-03-06 03:15, Sam Varshavchik wrote:
 Download: http://www.courier-mta.org/download.php

 Changes:

 • Fixes a quoting problem in the new Authentication-Results: header.

 • Added DNS blacklist/whitelist support for IPv6 addresses.

 • Add support for SMTPS (encrypted SMTP over port 465) to the ESMTP
 client (smarthost).




Re: [courier-users] Courier 20120305 build released

2013-04-26 Thread Anders
I found the problem. The /var/run/courier was not created with correct 
owner by the init.d script (Gentoo). /run and /var/run are on tmpfs 
since a while back  in Gentoo so it has to be created with correct 
permission and user/group by the init.d scripts.


On 2013-04-26 09:18, Anders wrote:
 Hi,

 Since I upgraded, pythonfilter-1,8 has stopped functioning. Is there a
 known compatibility issue? I do not see anything in the logs that the
 filter is even being considered/used.

 Regards,
 Anders

 On 2013-03-06 03:15, Sam Varshavchik wrote:
 Download: http://www.courier-mta.org/download.php

 Changes:

 • Fixes a quoting problem in the new Authentication-Results: header.

 • Added DNS blacklist/whitelist support for IPv6 addresses.

 • Add support for SMTPS (encrypted SMTP over port 465) to the ESMTP
 client (smarthost).




Re: [courier-users] DKIM support i Courier ESMTP

2012-07-17 Thread Anders

On 2012-07-17 14:25, Matthias Wimmer wrote:

Hi Alessandro,


Alessandro Vesely schrieb am 2012-07-17 09:48:56:

I don't think zdkimfilter has many users, as you are the first one on
this list who complains about its lack of new releases.  It does need
an update, for VBR.  That method is still logged as x-vbr even though
it is standardized now, and one cannot configure a list of trusted
vouchers.  In addition, MySQL statistics --designed after OpenDKIM's
collection http://www.opendkim.org/stats.html -- are now obsolete.

I am using zdkimfilter. And beside that it uses an older version of
opendkim it works very well. Never had any troubles with it.


Hello,

Which version of OpenDKIM are you using?

I am Gentoo based and available versions are 2.4.3 and 2.5.2-r1 plus 
unstable (2.6.0 2.6.1 2.6.3 2.6.4)


Regards,
Anders


Regards,
Matthias





[courier-users] DKIM support i Courier ESMTP

2012-07-16 Thread Anders
Hello,

Are there any plans for DKIM support in Courier ESMTP?

I've been looking at both links from 
http://www.courier-mta.org/links.html and they are outdated; zdkimfilter 
seems to rely on an old version of OpenDKIM and the perl filter link 
seems dead.

One other possibility I saw was to use an SMTP proxy, such as DKIMProxy 
(http://sourceforge.net/projects/dkimproxy/) or ASSP/Anti-Spam SMTP 
Proxy (http://sourceforge.net/projects/assp/). DKIMProxy seems simplest, 
but hasn't been updated in a year.

Thanks for any thoughts.

//Anders



Re: [courier-users] DKIM support i Courier ESMTP

2012-07-16 Thread Anders
Hi,

Thanks for the reply. Indeed as a milter it would work fine, especially 
with sendmail and such. I was looking at this possibility earlier too.

However, I am using Courier ESMTP on my system right now and I prefer 
not changing this.

Regards,
Anders

On 2012-07-17 00:21, x...@padimail.de wrote:
 Hi,

 it's fairly easy to use DKIM with Postfix. OpenDKIM can simply be used
 as a milter.
 I'm using Arch Linux so I use
 https://wiki.archlinux.org/index.php/OpenDKIM but any search engine with
 Postfix and OpenDKIM should help.

 Regards

 Am 16.07.2012 23:43, schrieb Anders:
 Hello,

 Are there any plans for DKIM support in Courier ESMTP?

 I've been looking at both links from
 http://www.courier-mta.org/links.html and they are outdated; zdkimfilter
 seems to rely on an old version of OpenDKIM and the perl filter link
 seems dead.

 One other possibility I saw was to use an SMTP proxy, such as DKIMProxy
 (http://sourceforge.net/projects/dkimproxy/) or ASSP/Anti-Spam SMTP
 Proxy (http://sourceforge.net/projects/assp/). DKIMProxy seems simplest,
 but hasn't been updated in a year.

 Thanks for any thoughts.

 //Anders



[courier-users] Authdaemon.Mysql and NT hashes

2004-10-02 Thread Anders Dyekjaer Hansen
Hi list,

To make a single sign-on solution I was thinking of using Samba and
Courier-imap. Both of these should use a MySQL backend to look up password
and other information about the user. Both of these applications work
great by themselves but I would like them to use the same password field in the
database and Courier-imap doesn't seem to support the Microsoft way of
encrypting passwords. 

I found out that:
The Windows NT hash is created by taking the user's password as represented
in 16-bit, little-endian UNICODE and then applying the MD4 (internet
rfc1321) hashing algorithm to it. 

What kind of encryption does the authdaemon.mysql support? I know it likes
MD5 hashes.

Would it be possible to add a feature to Courier-imap that makes it read MD4
hashes?

Thank you!

Kind Regards,
Anders





[courier-users] disable cram-md5 with smtp relay

2004-05-04 Thread Anders Persson
Hello,

Is there any way of forcing courier esmtp to authenticate itself to a remote
esmtp server using PLAIN, even when the remote server advertises CRAM-MD5 as
one of the possible authentication methods? Setting ESMTPAUTH=PLAIN in esmtpd
didn't seem to do the trick even after restarting courier (courier still tries
to use cram-md5).

The reason I ask is because my current setup (Courier 0.40.1) relays all mail
through another mail server which advertises CRAM-MD5 but has a broken cram-md5
implementation.

/Anders





Re: [courier-users] Re: Enhanced authpgsql module

2003-02-09 Thread Anders K. Pedersen
Sam Varshavchik wrote:
 Anders K. Pedersen writes:
  Almost - and that is, what I'm doing. But I need to allow clients with
  Netscape to use $ instead of @ in their usernames, and if I were to
 
 If the client is incapable of using the '@' character in login IDs, then the
 logical answer is to fix this bug, instead of hacking the server.

Yes, in an ideal world, but that isn't the solution my customer wants.

But even though you don't like that part of the patch, please consider
the other parts of it - the customized SELECT clause doesn't work, if
your usernames aren't of the form user@domain.

Regards,
Anders K. Pedersen





Re: [courier-users] Enhanced authpgsql module

2003-02-08 Thread Anders K. Pedersen
Tim Hunter wrote:
 Wouldn't it be easier to create a view in postgres?

Almost - and that is, what I'm doing. But I need to allow clients with
Netscape to use $ instead of @ in their usernames, and if I were to
do that with views alone, I'd have to duplicate all entries, which is
not very effective.

But with PGSQL_SELECT_CLAUSE, I can simply do a

SELECT fields ... FROM view WHERE username = replace($(username), '$', '@');

which runs much faster.

I tried various approaches with the original courier-imap-1.7.0 code,
but none of it worked, so I fixed the issues I found. Currently, I don't
actually need authpgsql to handle different domain separators, but I may
be able to make a query optimization later on with it.

Regards,
Anders K. Pedersen





[courier-users] Re: Webmail on seperate box

2003-01-25 Thread Anders Persson
Does sqwebmail have to run on the same machine as the courier
mail server? 


I did a bit of a workaround on that; I have only one public IP address but 
wanted my mailserver to be separate from my webserver. What I ended up doing 
was running an Apache server on the mailserver that's configured only to run 
sqwebmail. Then on the webserver, I use the Apache mod_proxy module (see 
http://httpd.apache.org/docs/mod/mod_proxy.html ) to pass along webmail 
requests to the Apache running on the mailserver. Not quite what you were 
looking for perhaps, but it's one way of having access to sqwebmail from 
another server... 

/Anders 



Samuel Penn writes: 


Hi, 

Does sqwebmail have to run on the same machine as the courier
mail server? I'd like to have webmail running on an OpenBSD
box, with Courier running on a different (Linux) box. I don't
want to mount network drives between the two machines. 

Is this possible? 

If not, does anyone have suggestions for a webmail system which
will talk to a courier (IMAP) mail server? 

Cheers. 

--
Be seeing you,
Sam. 







[courier-users] Re: Webmail: File.bin

2003-01-25 Thread Anders Persson
I have a very interesting situation.  Whenever we use webmail to attach a 
binary file, the file is renamed to File.bin on the other end. 

I saw this when sending file attachments with sqwebmail 3.4.0 to Yahoo mail 
accounts. After upgrading to sqwebmail 3.4.1 however, file attachments have 
the correct filenames in Yahoo mail. 

/Anders 



List Manager writes: 


Greetings! 

I have a very interesting situation.  Whenever we use webmail to attach a 
binary file, the file is renamed to File.bin on the other end.  This makes 
it extremely difficult for the non-savvy users to know what was being 
sent. 

This happens on two different courier installs...both RedHat 8.0 

Has anyone seen this?  Any feedback would be much appreciated. 

 

Keith Willis
Talon Computer Cons. Inc.
http://www.taloncc.com 







Re: [courier-users] seting up user accounts and virtual domains....

2002-10-07 Thread Anders Widman



 Anders Widman wrote:

   am stuck at creating user accounts and virtual domains. I have got
   the webadmin CGI working, and added the virtual domains to Locally
   hosted domains.

Check whether these domains appear in /etc/courier/locals . If they do,
you need system accounts for the users of those domains. Virtual domains
whose users do not have system accounts should only appear in hosteddomains
and esmtpacceptmailfor.

 Courier  installed  per  default  in /usr/lib/courier for me.. and the
 ./etc/hosteddomains  and  ./etc/esmtpacceptmailfor folders contain one
 file each with only the hosted domains listed in it.

 That doesn't answer the question whether your virtual domains are in
 /etc/courier/locals .

 But  what  exactly should I do with the users? Should they have normal
 system  (unix/linux) accounts or not? In both cases, how do I create a
 user for a specific domain?

 I don't think you want system accounts. If you have that, then the user
 name will take precedence over the domain name and all mail to anders@dom1,
 anders@dom2, anders@dom3 will be delivered to the system user anders, no
 matter what you do. If you want the domains to be really virtual, get
 them out of locals, keep them in hosteddomains and esmtpacceptmailfor,
 run makehosteddomains, put them in aliases, run makealiases and make
 sure you have the proper .courier files in the proper places.

 Alternatively you might opt for the userdb way of doing things; man userdb.

Yes, I followed the userdb hint and I think I got it to work. I can now
log in via pop3 and check mail. But now my problem is that I cannot
send mail. I get 450 Service temporarily unavailable when trying to
send mail via SMTP service. Also the webmail CGI accepts the username
and password for each virtual domain I configured a user, but then I
get an Internal server error from Apache.


I started courier like this:

./sbin/courier start
./sbin/esmtpd start
./sbin/pop3d start
./libexec/authlib/authdaemond start


This is the entire maillog after this:

Oct  7 14:20:15 www courierd: Loading STATIC transport module libraries.
Oct  7 14:20:15 www courierd: Courier 0.39.3 Copyright 1999-2002 Double Precision, Inc.
Oct  7 14:20:15 www courierd: Installing [0/0]
Oct  7 14:20:15 www courierd: Installing uucp
Oct  7 14:20:15 www courierd: Installed: module.uucp - Courier 0.39.3 Copyright 1999-2002 Double Precision, Inc.
Oct  7 14:20:15 www courierd: Installing local
Oct  7 14:20:15 www courierd: Installed: module.local - Courier 0.39.3 Copyright 1999-2002 Double Precision, Inc.
Oct  7 14:20:15 www courierd: Installing fax
Oct  7 14:20:15 www courierd: Installed: module.fax - Courier 0.39.3 Copyright 1999-2002 Double Precision, Inc.
Oct  7 14:20:15 www courierd: Installing esmtp
Oct  7 14:20:15 www courierd: Installed: module.esmtp - Courier 0.39.3 Copyright 1999-2002 Double Precision, Inc.
Oct  7 14:20:15 www courierd: Installing dsn
Oct  7 14:20:15 www courierd: Installed: module.dsn - Courier 0.39.3 Copyright 1999-2002 Double Precision, Inc.
Oct  7 14:20:15 www courierd: Initializing uucp
Oct  7 14:20:15 www courierd: Initializing local
Oct  7 14:20:15 www courierd: Initializing fax
Oct  7 14:20:15 www courierd: Initializing esmtp
Oct  7 14:20:15 www courierd: Initializing dsn
Oct  7 14:20:15 www courierd: Started ./courieruucp, pid=10639, maxdels=4, maxhost=4, maxrcpt=16
Oct  7 14:20:15 www courierd: Started ./courierlocal, pid=10640, maxdels=10, maxhost=4, maxrcpt=1
Oct  7 14:20:15 www courierd: Started ./courierfax, pid=10641, maxdels=1, maxhost=1, maxrcpt=1
Oct  7 14:20:15 www courierd: Started ./courieresmtp, pid=10642, maxdels=40, maxhost=4, maxrcpt=100
Oct  7 14:20:15 www courierd: Started ./courierdsn, pid=10643, maxdels=4, maxhost=1, maxrcpt=1
Oct  7 14:20:15 www courierd: queuelo=200, queuehi=400
Oct  7 14:20:15 www courierd: Purging /usr/lib/courier/var/msgq
Oct  7 14:20:15 www courierd: Purging /usr/lib/courier/var/msgs
Oct  7 14:20:15 www courierd: Waiting.  shutdown time=Mon Oct  7 15:20:15 2002, wakeup time=Mon Oct  7 15:20:15 2002, queuedelivering=0, inprogress=0


Now I tried to connect to read and send mail:

Oct  7 14:21:17 www pop3d: Connection, ip=[:::192.168.0.98]
Oct  7 14:21:21 www courieresmtpd: started,ip=[:::192.168.0.98]
Oct  7 14:21:21 www submit: authdaemon: s_connect() failed: Connection refused
Oct  7 14:21:21 www courieresmtpd: error,relay=:::192.168.0.98,ident=Gatak,from=[EMAIL PROTECTED],to=[EMAIL PROTECTED]: 450 Service temporarily unavailable.
Oct  7 14:21:22 www pop3d: LOGIN FAILED, ip=[:::192.168.0.98]
Oct  7 14:22:06 www courieresmtpd: started,ip=[:::192.168.0.98]
Oct  7 14:22:06 www courieresmtpd: error,relay=:::192.168.0.98,ident=Gatak,from=[EMAIL PROTECTED],to=[EMAIL PROTECTED]: 450 Service temporarily unavailable.

What is the problem?

Also,  where  does  the  ident=Gatak  come from? Is the esmtp server
trying  to  connect  to  the clients ident servers? (Not all has

Re: [courier-users] seting up user accounts and virtual domains....

2002-10-06 Thread Anders Widman

 On Sun, Oct 06, 2002 at 09:33:41PM +0200, Anders Widman wrote:
 
Hello,
 
I have been trying to configure Courier for POP, SMTP and webmail
access. So far I have got everything installed and running, but I
am stuck at creating user accounts and virtual domains. I have got
the webadmin CGI working, and added the virtual domains to Locally
hosted domains. Also, they show up in the drop-down menu when
logging on to webmail. The problem seems to actually get the
user accounts to work, or I have missed something else?
 If you go directly to the courier-imap homepage you will see a link
 called Documentation or some such. Simply click the link called
 userdb. It has a very good example on howto do this.

The  only thing I found is http://www.courier-mta.org/FAQ.html#virtual
and I already tried to follow this guide. I also verified the pop3d is
the one from courier (/usr/lib/courier/sbin/pop3d).

  Now my question
 you say you have webmail working. Check the rights of the cgi-bin 
 binary named sqwebmail for me please. Let me know what that is?

-r-sr-xr-x 1 courier  courier 24302 Oct  6 18:26 webadmin
-r-sr-xr-x 1 courier  courier   2599552 Oct  6 18:26 webmail


 Secondly please check and see if you have 2 instances of authdaemond?

These are the processes belonging to courier after starting courier,
esmtpd and authdaemon:

 3359 root  17   0   964  832   832 S 0.0  0.8   0:01 authdaemond.pgs
 5074 root  15   0   596  596   512 S 0.0  0.6   0:00 couriertcpd
 5078 root  15   0   412  412   356 S 0.0  0.4   0:00 courierlogger
 5092 root  22   0   592  592   508 S 0.0  0.6   0:00 couriertcpd
 5097 root  23   0   260  260   216 S 0.0  0.2   0:00 courierlogger
 5293 root  16   0   800  800   748 S 0.0  0.8   0:00 courierd
 5306 courier   18   0   624  624   536 S 0.0  0.6   0:00 couriertcpd
 5309 courier   19   0   260  260   216 S 0.0  0.2   0:00 courierlogger
 6556 uucp  16   0   468  468   412 S 0.0  0.4   0:00 courieruucp
 6557 root  17   0   332  332   280 S 0.0  0.3   0:00 courierlocal
 6558 root  17   0   324  324   280 S 0.0  0.3   0:00 courierfax
 6559 courier   16   0   400  400   340 S 0.0  0.4   0:00 courieresmtp
 6560 courier   17   0   408  408   356 S 0.0  0.4   0:00 courierdsn

 I am interested as am having diff getting webmail to authenticate
 correctly.

Currently  I  cannot  log-on to webmail (though webadmin works) as the
user accounts do not work. This is my main problem.

 THX
 Best Regards,
 [EMAIL PROTECTED] 






Re: [courier-users] seting up user accounts and virtual domains....

2002-10-06 Thread Anders Widman


 Anders Widman wrote:
 

am stuck at creating user accounts and virtual domains. I have got
the webadmin CGI working, and added the virtual domains to Locally
hosted domains.

 Check whether these domains appear in /etc/courier/locals . If they do,
 you need system accounts for the users of those domains. Virtual domains
 whose users do not have system accounts should only appear in hosteddomains
 and esmtpacceptmailfor.

Courier  installed  per  default  in /usr/lib/courier for me.. and the
./etc/hosteddomains  and  ./etc/esmtpacceptmailfor folders contain one
file each with only the hosted domains listed in it.

But  what  exactly should I do with the users? Should they have normal
system  (unix/linux) accounts or not? In both cases, how do I create a
user for a specific domain?

- Anders

 Z







[courier-users] Re: maildrop and virtual accounts problem

2002-07-18 Thread Anders Persson

Heh, I had the exact same problem; spent a whole day scratching my head till 
I came across a post in the archives that mentioned that setting the 
'maildir' field to an empty value in the MySql passwd table would make it 
work. I tried it and filtering suddenly worked perfectly. In my MySql table 
I at first had for example: 

home - '/home/mailuser/vuser1'
maildir - '/home/mailuser/vuser1/Maildir' 

I changed so I now have the following: 

home - '/home/mailuser/vuser1'
maildir - '' 

And filtering now works great; don't know why though, but there are others 
I'm sure who do.. 

Cheers 

/Anders 


PS. I would like to take this opportunity to thank everybody who made Courier 
Mail possible. I've just gotten Courier Mail running a few days ago for our 
small company, and am extremely pleased with it. This is really a great 
package! 

 

Francisco Solsona writes: 

 Hello all, 
 
 We have a good number of virtual mail accounts (courier mail + MySQL +
 sqwebmail + IMAP + ESMTP + SSL + etc.), and everything is working
 fine, except for the filtering part. 
 
 Users can create filter rules through the web interface, but maildrop
 does not use those filters: 
 
 courierd says: 
 
 DEFAULTDELIVERY=| /usr/local/bin/maildrop 
 
 virtual user foo's maildirfilterconfig says: 
 
 MAILDIRFILTER=../.mailfilter
 MAILDIR=./Maildir 
 
 and yet everything goes to the default mailbox of virtual user foo. 
 
 I'm pretty sure we're using the maildrop that comes with the whole
 courier suite, so it should be using the information (UID/GID of the
 real account, home, and maildir) from the passwd table in MySQL,
 right? or am I missing some incantation? 
 
 TIA,
 --Francisco 
 
 P.S. I did a search on the list's archives, and found a lot of
 messages on this issue, but none of those help. 
 
 