Bug#698732: dspam external map does not work with TLS enabled
Hi I noticed Weezy has been released. Did the fixes for DSPAM make it in? Thanks Jason On Apr 11, 2013, at 4:04 PM, Thomas Preud'homme robo...@debian.org wrote: Le jeudi 11 avril 2013 10:59:28, Jason Johnson a écrit : Wonderful. Tranks for your help! For now I would need a special repo for it. I'm currently using DSPAM in Squeeze via the backports repo. Alright, I'll provide you a version you can upgrade from backport without using the version from wheezy. Thanks again, Jason I'll keep you informed. Best regards, Thomas -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#698732: dspam external map does not work with TLS enabled
Le mercredi 29 mai 2013 08:16:24, Jason a écrit : Hi I noticed Weezy has been released. Did the fixes for DSPAM make it in? Not this one. As said before I don't intend to add this patch to the packaging as long as upstream don't accept it. Since the project seems a bit silent these days, I wouldn't hold my breath. Besides, the patch was made during the freeze before the release and such a patch couldn't have been accepted at this stage because it doesn't fix an issue serious enough. I've just (finally) built the package and uploaded it to my personal repository if you want to try. To use my repository, add the following line to your sources.list (or add a file containing this line in /etc/apt/sources.list.d): deb [ arch=amd64 ] http://people.debian.org/~robotux/pkgs/ unstable main That means only packages for the amd64 architecture are available. If you need i386, please let me know. The version of the packages contained in this repository are chosen so that when/if the packages will be uploaded to the Debian official archive, it will migrate seamlessly to them. Before installing anything, you should check the PGP key that signs the archive. Run all the following steps (1-4) as root 1) First, import the key in a new keyring (robotux.gpg): gpg --no-default-keyring --keyring /etc/apt/trusted.gpg.d/robotux.gpg --recv- keys E851CC9AE4743BA4 2) Then check the signature of this key is fine. It's signed by my key which is in the debian keyring containing the keys of debian developers so we need to install the debian keyring: aptitude install debian-keyring 3) gpg --no-default-keyring --keyring /etc/apt/trusted.gpg.d/robotux.gpg -- keyring /usr/share/keyrings/debian-keyring.gpg --check-sigs E851CC9AE4743BA4 if a ! (exclamation mark) follows sig it means the signature was correctly verified. You should have 2 signatures, the self signature and the one from my Debian Developer's key: sig!3E4743BA4 2013-03-29 Thomas Preud'homme APT archive robo...@debian.org sig! BD52529E 2013-03-29 Thomas Preud'homme (RoboTux) robo...@celest.fr You can then proceed and import the key in the apt keyring: 4) gpg --no-default-keyring --keyring /etc/apt/trusted.gpg.d/robotux.gpg -- export E851CC9AE4743BA4 | apt-key add - You can now update your apt database and upgrade dspam: aptitude update aptitude safe-upgrade Best regards, Thomas signature.asc Description: This is a digitally signed message part.
Bug#698732: dspam external map does not work with TLS enabled
Wonderful. Tranks for your help! For now I would need a special repo for it. I'm currently using DSPAM in Squeeze via the backports repo. Thanks again, Jason Sent from my iPad On 07.04.2013, at 16:10, Thomas Preud'homme robo...@debian.org wrote: Le samedi 2 mars 2013 09:34:32, Jason a écrit : I think we've already figured it out. The problem is that DSPAM currently only supports TLS via STARTTLS but I'm using ldaps which is a different protocol. I would have submitted a patch already but I currently don't have a Linux dev environment to do the build on (only a server which, for security reasons I don't want things like compilers on). I think *you* had already figured it out ;) All that needs to happen is the field where you specify ldap or database needs to also accept ldaps and put what ever is in that field as the schema. Then the ldap library will do the right thing. So here's the patch. I'll open a bug upstream to ask them to integrate it. Don't expect miracles though: the last commit in the upstream git repository was in august 2012. If nobody answer within 2 months, I might consider to include it in Debian anyway given the small size of the patch (most of the diff is just increasing the indentation). Any testing on your side would be appreciated. I can provide you deb packages in my personal repository if you need. Best regards, Thomas add_ldaps_support_for_external_lookup.patch -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#698732: dspam external map does not work with TLS enabled
Le jeudi 11 avril 2013 10:59:28, Jason Johnson a écrit : Wonderful. Tranks for your help! For now I would need a special repo for it. I'm currently using DSPAM in Squeeze via the backports repo. Alright, I'll provide you a version you can upgrade from backport without using the version from wheezy. Thanks again, Jason I'll keep you informed. Best regards, Thomas signature.asc Description: This is a digitally signed message part.
Bug#698732: dspam external map does not work with TLS enabled
Le samedi 2 mars 2013 09:34:32, Jason a écrit :
I think we've already figured it out. The problem is that DSPAM currently
only supports TLS via STARTTLS but I'm using ldaps which is a different
protocol. I would have submitted a patch already but I currently don't
have a Linux dev environment to do the build on (only a server which, for
security reasons I don't want things like compilers on).
I think *you* had already figured it out ;)
All that needs to happen is the field where you specify ldap or
database needs to also accept ldaps and put what ever is in that field
as the schema. Then the ldap library will do the right thing.
So here's the patch. I'll open a bug upstream to ask them to integrate it.
Don't expect miracles though: the last commit in the upstream git repository
was in august 2012. If nobody answer within 2 months, I might consider to
include it in Debian anyway given the small size of the patch (most of the
diff is just increasing the indentation).
Any testing on your side would be appreciated. I can provide you deb packages
in my personal repository if you need.
Best regards,
Thomas
diff --git a/src/external_lookup.c b/src/external_lookup.c
index 4f8e10e..eaf48e0 100644
--- a/src/external_lookup.c
+++ b/src/external_lookup.c
@@ -164,7 +164,7 @@ ldap_lookup(config_t agent_config, const char *username, char *external_uid)
struct timeval ldaptimeout = {.tv_sec = BIND_TIMEOUT, .tv_usec = 0};
int i, rc=0, num_entries=0;
char *transcoded_query = NULL;
- char *ldap_uri = NULL;
+ char *ldap_uris[2] = {NULL, NULL}; // 0 = ldap, 1 = ldaps
char *end_ptr;
char *ldap_host = _ds_read_attribute(agent_config, ExtLookupServer);
char *port = _ds_read_attribute(agent_config, ExtLookupPort);
@@ -249,30 +249,43 @@ ldap_lookup(config_t agent_config, const char *username, char *external_uid)
url.lud_port = ldap_port;
url.lud_scope = LDAP_SCOPE_SUBTREE;
- ldap_uri = ldap_url_desc2str( url );
- }
+ ldap_uris[0] = ldap_url_desc2str( url );
- rc = ldap_initialize( ld, ldap_uri );
- if( rc != LDAP_SUCCESS ) {
- LOG(LOG_ERR, External Lookup: Could not create LDAP session handle for URI=%s (%d): %s\n, ldap_uri, rc, ldap_err2string(rc));
- return NULL;
- }
+ url.lud_scheme = ldaps;
+ url.lud_host = ldap_host;
+ url.lud_port = ldap_port;
+ url.lud_scope = LDAP_SCOPE_SUBTREE;
- if( ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, ldap_version ) != LDAP_OPT_SUCCESS ) {
- LOG(LOG_ERR, External Lookup: Could not set LDAP_OPT_PROTOCOL_VERSION %d\n, ldap_version );
- return NULL;
+ ldap_uris[1] = ldap_url_desc2str( url );
}
- /* use TLS if configured */
- if ( _ds_match_attribute(agent_config, ExtLookupCrypto, tls )) {
- if (ldap_version != 3) {
- LOG(LOG_ERR, External Lookup: TLS only supported with LDAP protocol version 3);
+ /* Try ldap then ldaps */
+ for (i = 0; i 2; i++) {
+ rc = ldap_initialize( ld, ldap_uris[i] );
+ if( rc != LDAP_SUCCESS ) {
+ LOG(LOG_ERR, External Lookup: Could not create LDAP session handle for URI=%s (%d): %s\n, ldap_uris[i], rc, ldap_err2string(rc));
return NULL;
}
- if ( ldap_start_tls_s( ld, NULL, NULL ) != LDAP_SUCCESS ) {
- LOG(LOG_ERR, External Lookup: %s: %s (%d), ERR_EXT_LOOKUP_INIT_FAIL, strerror(errno), errno);
+
+ if( ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, ldap_version ) != LDAP_OPT_SUCCESS ) {
+ LOG(LOG_ERR, External Lookup: Could not set LDAP_OPT_PROTOCOL_VERSION %d\n, ldap_version );
return NULL;
}
+
+ /* use TLS if configured */
+ if ( _ds_match_attribute(agent_config, ExtLookupCrypto, tls )) {
+ if (ldap_version != 3) {
+LOG(LOG_ERR, External Lookup: TLS only supported with LDAP protocol version 3);
+return NULL;
+ }
+ if ( ldap_start_tls_s( ld, NULL, NULL ) != LDAP_SUCCESS ) {
+if (!i)
+ continue;
+LOG(LOG_ERR, External Lookup: %s: %s (%d), ERR_EXT_LOOKUP_INIT_FAIL, strerror(errno), errno);
+return NULL;
+ }
+ }
+ break;
}
/* schedules alarm */
signature.asc
Description: This is a digitally signed message part.
Bug#698732: dspam external map does not work with TLS enabled
I think we've already figured it out. The problem is that DSPAM currently only supports TLS via STARTTLS but I'm using ldaps which is a different protocol. I would have submitted a patch already but I currently don't have a Linux dev environment to do the build on (only a server which, for security reasons I don't want things like compilers on). All that needs to happen is the field where you specify ldap or database needs to also accept ldaps and put what ever is in that field as the schema. Then the ldap library will do the right thing. Sent from my iPhone On Feb 22, 2013, at 8:03 PM, Thomas Preud'homme robo...@debian.org wrote: Le samedi 2 février 2013 22:25:51, Jason Johnson a écrit : I've just tried another test here and seen what looks like a problem. If I point spam to an openssl test connection it fails in the following way. root@myserver:~# openssl s_server -accept 989 -cert /etc/ssl/certs/myserver_ldap_cert.pem -key /etc/ssl/private/myserver_ldap_key.pem Using default temp DH parameters Using default temp ECDH parameters ACCEPT ERROR 7447:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:578: shutting down SSL CONNECTION CLOSED ACCEPT This looks like DSPAM doesn't speak the right protocol, no? Hi Jason, sorry for the delay. Could you run the same test by adding -msg (hopefully - debug won't be needed). I'd like to see what are the messages sent by dspam. Thanks a lot. Thomas -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#698732: dspam external map does not work with TLS enabled
Le samedi 2 février 2013 22:25:51, Jason Johnson a écrit : I've just tried another test here and seen what looks like a problem. If I point spam to an openssl test connection it fails in the following way. root@myserver:~# openssl s_server -accept 989 -cert /etc/ssl/certs/myserver_ldap_cert.pem -key /etc/ssl/private/myserver_ldap_key.pem Using default temp DH parameters Using default temp ECDH parameters ACCEPT ERROR 7447:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:578: shutting down SSL CONNECTION CLOSED ACCEPT This looks like DSPAM doesn't speak the right protocol, no? Hi Jason, sorry for the delay. Could you run the same test by adding -msg (hopefully - debug won't be needed). I'd like to see what are the messages sent by dspam. Thanks a lot. Thomas signature.asc Description: This is a digitally signed message part.
Bug#698732: dspam external map does not work with TLS enabled
I've just tried another test here and seen what looks like a problem. If I point spam to an openssl test connection it fails in the following way. root@myserver:~# openssl s_server -accept 989 -cert /etc/ssl/certs/myserver_ldap_cert.pem -key /etc/ssl/private/myserver_ldap_key.pem Using default temp DH parameters Using default temp ECDH parameters ACCEPT ERROR 7447:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:578: shutting down SSL CONNECTION CLOSED ACCEPT This looks like DSPAM doesn't speak the right protocol, no?
Bug#698732: dspam external map does not work with TLS enabled
Le mardi 22 janvier 2013 22:19:30, vous avez écrit : Package: dspam Version: 3.10.2+dfsg-5 I am trying to use the LDAP external user verification mechanism for DSPAM but the connection fails with a negotiation failure. I am able to use the same DM and password via the command line LDAP tools, but DSPAM itself will not connect. I have the certificate information in the system wide ldap.conf file so DSPAM should be able to see it. I am using the latest Debian stable and DSPAM via the backports repository. The TLS negotiation failure message comes from openldap, not dspam. Could you attach the relevant configuration file (extlookup.conf) and the command line you used outside dspam. Best regards, Thomas Preud'homme signature.asc Description: This is a digitally signed message part.
Bug#698732: dspam external map does not work with TLS enabled
Yes, I described the log message from openldap because DSPAM doesn't produce one. It simply comes back with no mapping found as seen below. extlookup.conf: ExtLookup on ExtLookupMode strict ExtLookupDriver ldap ExtLookupServer localhost ExtLookupPort 636 ExtLookupDB ou=people,dc=home,dc=lan ExtLookupQuery ((objectClass=posixAccount)(uid=%u)) ExtLookupLDAPAttribute uid ExtLookupLDAPScope sub ExtLookupLDAPVersion 3 ExtLookupLogin cn=dspamadm,ou=administrators,dc=home,dc=lan ExtLookupPassword myPassword ExtLookupCryptox tls log files: == /var/log/debug == Dec 13 11:53:30 myserver slapd[2030]: conn=1000 fd=11 ACCEPT from IP= 127.0.0.1:56251 (IP=0.0.0.0:636) == /var/log/syslog == Dec 13 11:53:30 myserver slapd[2030]: conn=1000 fd=11 closed (TLS negotiation failure) Dec 13 11:53:30 myserver dspam[1977]: External Lookup: Backend initialization failure: Can't contact LDAP server command line: root@myserver:/etc/dspam# ldapsearch -b 'ou=people,dc=home,dc=lan' -x -H ldaps://localhost -W -D cn= dspamadm,ou=administrators,dc=home,dc=lan ((objectClass=posixAccount)(uid=jason)) uid Enter LDAP Password: # extended LDIF # # LDAPv3 # base ou=people,dc=home,dc=lan with scope subtree # filter: ((objectClass=posixAccount)(uid=jason)) # requesting: uid # # jason, people, home.lan dn: uid=jason,ou=people,dc=home,dc=lan uid: jason # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 Thanks Jason On Wed, Jan 23, 2013 at 4:21 PM, Thomas Preud'homme robo...@debian.orgwrote: Le mardi 22 janvier 2013 22:19:30, vous avez écrit : Package: dspam Version: 3.10.2+dfsg-5 I am trying to use the LDAP external user verification mechanism for DSPAM but the connection fails with a negotiation failure. I am able to use the same DM and password via the command line LDAP tools, but DSPAM itself will not connect. I have the certificate information in the system wide ldap.conf file so DSPAM should be able to see it. I am using the latest Debian stable and DSPAM via the backports repository. The TLS negotiation failure message comes from openldap, not dspam. Could you attach the relevant configuration file (extlookup.conf) and the command line you used outside dspam. Best regards, Thomas Preud'homme
Bug#698732: dspam external map does not work with TLS enabled
Oh sorry, it doesn't say no mapping found it says Backend initialization failure: Can't contact LDAP server as per the log file section of my previous mail. On Thu, Jan 24, 2013 at 8:44 AM, Jason Johnson jason.johnson@gmail.comwrote: Yes, I described the log message from openldap because DSPAM doesn't produce one. It simply comes back with no mapping found as seen below. extlookup.conf: ExtLookup on ExtLookupMode strict ExtLookupDriver ldap ExtLookupServer localhost ExtLookupPort 636 ExtLookupDB ou=people,dc=home,dc=lan ExtLookupQuery ((objectClass=posixAccount)(uid=%u)) ExtLookupLDAPAttribute uid ExtLookupLDAPScope sub ExtLookupLDAPVersion 3 ExtLookupLogin cn=dspamadm,ou=administrators,dc=home,dc=lan ExtLookupPassword myPassword ExtLookupCryptox tls log files: == /var/log/debug == Dec 13 11:53:30 myserver slapd[2030]: conn=1000 fd=11 ACCEPT from IP= 127.0.0.1:56251 (IP=0.0.0.0:636) == /var/log/syslog == Dec 13 11:53:30 myserver slapd[2030]: conn=1000 fd=11 closed (TLS negotiation failure) Dec 13 11:53:30 myserver dspam[1977]: External Lookup: Backend initialization failure: Can't contact LDAP server command line: root@myserver:/etc/dspam# ldapsearch -b 'ou=people,dc=home,dc=lan' -x -H ldaps://localhost -W -D cn= dspamadm,ou=administrators,dc=home,dc=lan ((objectClass=posixAccount)(uid=jason)) uid Enter LDAP Password: # extended LDIF # # LDAPv3 # base ou=people,dc=home,dc=lan with scope subtree # filter: ((objectClass=posixAccount)(uid=jason)) # requesting: uid # # jason, people, home.lan dn: uid=jason,ou=people,dc=home,dc=lan uid: jason # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 Thanks Jason On Wed, Jan 23, 2013 at 4:21 PM, Thomas Preud'homme robo...@debian.orgwrote: Le mardi 22 janvier 2013 22:19:30, vous avez écrit : Package: dspam Version: 3.10.2+dfsg-5 I am trying to use the LDAP external user verification mechanism for DSPAM but the connection fails with a negotiation failure. I am able to use the same DM and password via the command line LDAP tools, but DSPAM itself will not connect. I have the certificate information in the system wide ldap.conf file so DSPAM should be able to see it. I am using the latest Debian stable and DSPAM via the backports repository. The TLS negotiation failure message comes from openldap, not dspam. Could you attach the relevant configuration file (extlookup.conf) and the command line you used outside dspam. Best regards, Thomas Preud'homme
