Re: ot: how to t/s TBird problems ?

2022-10-12 Thread Jim Popovitch
On Fri, 1665532449-12-31 at 00:00 +, Voytek Eymont wrote:
> Received: from 125.168.124.3
> (SquirrelMail authenticated user voy...@sbt.net.au)
> by geko.sbt.net.au with HTTP; Wed, 12 Oct 2022 11:12:43 +1100
> Message-ID: <28778ae2850dfc7fcf20b1dceff94876.squir...@geko.sbt.net.au>
> Date: 1665532450
> Subject: ot: how to t/s TBird problems ?
> From: "Voytek Eymont" 
> To: dovecot@dovecot.org
> User-Agent: SquirrelMail/1.5.2 [SVN]
> MIME-Version: 1.0


Why is your "Date:" header set to 1665532450?


-Jim P.



Re: ot: how to t/s TBird problems ?

2022-10-12 Thread Joseph Tam
> I recently upgraded my Thunderbird email client and have experienced
> problems since.
> It appears that when Tbird polls for new messages it gets held up
> waiting for a response from the server
> I'm using POP port 995.
> Any ideas as to why I'm having a problem ?
> ---
>
> how to investigate such issue ?

I suspect you'll need to do session logging e.g.

protocol pop3 {
...
rawlog_dir = /writable/logdir/%u
}

then

mkdir /writable/logdir/user
chmod 0777 /writable/logdir/user

to obtain session transcripts of what server/client are doing.

I don't see any obvious errors from the logs that indicate any failure.
I do see the INBOX is rather large so maybe a timeout is involved.

Joseph Tam 
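
Joseph's rawlog_dir suggestion records the session on the server side. As a complementary client-side check, the following is an added Python example (not from the thread and not Dovecot code) that replays the commands a mail client sends on a poll and times each reply, so the step the client is waiting on stands out. It bundles a constructed, deliberately slow fake POP3 server on loopback so it runs offline; the delay on LIST stands in for a large INBOX. Against a real server pass connect=poplib.POP3_SSL and port 995. FAKE_DELAY, SLOW_COMMAND and the helper functions are this example's own names.

```python
"""Time each step of a POP3 poll to see where a client stalls.

Added example for the thread above, not code from the poster or from Dovecot.
A tiny constructed POP3 server (RFC 1939 reply shapes) answers slowly to LIST
so the script runs offline; swap in poplib.POP3_SSL for a real server.
"""
import poplib
import socket
import threading
import time

SLOW_COMMAND = b"LIST"   # the step the fake server drags out (constructed)
FAKE_DELAY = 0.3         # seconds; stands in for a slow mailbox scan


def serve_one_session(listener, delay=FAKE_DELAY):
    """Answer one POP3 session with canned replies, then shut the listener."""
    conn, _ = listener.accept()
    listener.close()
    with conn, conn.makefile("rb") as rfile:
        conn.sendall(b"+OK fake POP3 ready\r\n")
        for line in rfile:
            cmd = line.strip().split(b" ", 1)[0].upper()
            if cmd == SLOW_COMMAND:
                time.sleep(delay)          # "large INBOX" being scanned
                conn.sendall(b"+OK 2 messages\r\n1 120\r\n2 340\r\n.\r\n")
            elif cmd == b"STAT":
                conn.sendall(b"+OK 2 460\r\n")
            elif cmd == b"QUIT":
                conn.sendall(b"+OK bye\r\n")
                break
            else:                          # USER, PASS, NOOP, ...
                conn.sendall(b"+OK\r\n")


def start_fake_server():
    """Bind a loopback listener, serve one session in the background, return the port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    threading.Thread(target=serve_one_session, args=(listener,), daemon=True).start()
    return listener.getsockname()[1]


def time_pop3_session(host, port, user="user", password="secret", connect=poplib.POP3):
    """Issue the commands a client sends on poll and time each reply.

    Returns {step: seconds}; the largest value is where the client waits.
    `connect` lets a caller use poplib.POP3_SSL for port 995.
    """
    timings = {}
    t0 = time.perf_counter()
    client = connect(host, port, timeout=30)   # includes the server greeting
    timings["connect"] = time.perf_counter() - t0
    try:
        for step, call in (("USER", lambda: client.user(user)),
                           ("PASS", lambda: client.pass_(password)),
                           ("STAT", client.stat),
                           ("LIST", client.list)):
            t0 = time.perf_counter()
            call()
            timings[step] = time.perf_counter() - t0
    finally:
        client.quit()
    return timings


def slowest_step(timings):
    """Name of the step with the longest round trip."""
    return max(timings, key=timings.get)


if __name__ == "__main__":
    port = start_fake_server()
    result = time_pop3_session("127.0.0.1", port)
    for step, secs in result.items():
        print(f"{step:8s} {secs:.3f}s")
    print("slowest:", slowest_step(result))
```

Run against the real server with `time_pop3_session("mail.example.test", 995, user, password, connect=poplib.POP3_SSL)`; if STAT or LIST dominates, the time goes into the mailbox scan rather than authentication, which is consistent with the large-INBOX timeout Joseph suspects, and the rawlog transcript will show the same gap between the command line and its reply.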


Re: Dovecot mail-crypt webmail can't read encrypted messages

2022-10-12 Thread spi


On 12.10.22 at 15:21, Stuart Henderson wrote:

> On 2022-10-11, Bernardo Reino  wrote:
>
>> Please please stop top-posting. Makes a mess of everything!
>
> I think everything that can be said in this thread, already has been said...

But not by everybody...

--
Cheers
spi


Re: dovecot mailing list (this mailing list), DKIM, SPF and DMARC

2022-10-12 Thread Dave McGuire

On 10/11/22 07:42, hi@zakaria.website wrote:

> Another update, this time with a solution.
>
> I found the cause of the DKIM and DMARC failures when a signed email
> passes through a mailing list such as dovecot. As I expected, it has
> nothing to do with the mailing list but with the DKIM signing header
> set: one or several headers in the DKIM signing set get added or
> modified after signing, at the dovecot end.
>
> Anyhow, here is the DKIM signing header set for this mailing list; it
> should work and will prevent the batch of DMARC emails and bad
> signatures from happening again.
>
> from:from:reply-to:date:date:message-id:message-id:to:to:cc:
>   mime-version:mime-version:content-type:content-type:
>   in-reply-to:in-reply-to:references:references

  Please forgive me for jumping in, but I just noticed this.  I (like 
many others) have issues with mailing lists and the flurry of DMARC 
emails after posting.  I'm using OpenDKIM.  There's a lot of material 
out there about proper configuration of DKIM, but nothing really 
definitive, with lots of "it depends on your requirements" type of 
noncommittal crap.  Email use cases don't differ THAT much.


  So does what you said above mean that you've come up with a working 
configuration to address the issue of mailing lists causing DKIM to barf 
due to header modifications?  If so, can you tell me more about 
specifically what you're doing, like which headers you're signing and 
how?  I've been at my wits' end with this for some time; DKIM (and SPF 
etc etc) seem to be really quite awful overall.


Thanks,
-Dave

--
Dave McGuire, AK4HZ
New Kensington, PA
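
Dave asks which headers get signed and how. The header list quoted above is an OpenDKIM-style signing set in which a name listed twice is "oversigned": RFC 6376 section 5.4.2 lets a signer list a header name more times than it occurs, so that a header of that name added later (by a list, or by anyone else) changes the signed input and breaks the signature. The following is an added Python illustration of that selection rule, not code from the posters, from OpenDKIM or from Dovecot; it models only header selection and relaxed canonicalisation, not the hash or the RSA signature, and the message headers and the list's edits (a subject tag and an added Reply-To) are constructed.

```python
"""Which header instances a DKIM h= list covers, and what that means when a
mailing list edits a message after signing (RFC 6376 sections 3.4.2, 5.4.2).

Added illustration, not code from the thread, OpenDKIM or Dovecot; it models
only header selection and canonicalisation, not hashing or signing.
"""
import re
from collections import defaultdict

# Signing header set quoted in the thread (a name listed twice is oversigned).
LIST_H = ("from:from:reply-to:date:date:message-id:message-id:to:to:cc:"
          "mime-version:mime-version:content-type:content-type:"
          "in-reply-to:in-reply-to:references:references")


def select_signed_headers(headers, h_tag):
    """Map each name in the h= tag to the header instance it covers.

    headers: list of (name, value) in message order, top to bottom.
    The first listing of a name takes the physically last (bottom-most)
    instance, the next listing the one above it, and so on; a listing with
    no instance left is signed as empty (value None here).
    """
    pending = defaultdict(list)
    for name, value in headers:
        pending[name.lower()].append(value)
    for values in pending.values():
        values.reverse()                       # consume bottom-up
    covered = []
    for name in h_tag.lower().split(":"):
        values = pending.get(name, [])
        covered.append((name, values.pop(0) if values else None))
    return covered


def relaxed(name, value):
    """Relaxed header canonicalisation: lowercase name, unfold, collapse WSP."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)     # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()  # collapse and trim whitespace
    return f"{name.lower()}:{value}"


def signed_header_input(headers, h_tag):
    """Canonicalised header lines that feed the signature hash, in h= order.

    A listing with no instance contributes nothing, but the h= tag itself is
    part of the signed DKIM-Signature header, so a header added later fills
    that empty slot and changes this input.
    """
    return [relaxed(name, value)
            for name, value in select_signed_headers(headers, h_tag)
            if value is not None]


# Constructed headers as they leave the author's signer.
ORIGINAL = [
    ("From", "Alice <alice@example.test>"),
    ("To", "dovecot@example.test"),
    ("Subject", "ot: how to t/s TBird problems ?"),
    ("Date", "Wed, 12 Oct 2022 11:12:43 +1100"),
    ("Message-ID", "<msg-1@example.test>"),
    ("MIME-Version", "1.0"),
    ("Content-Type", "text/plain; charset=utf-8"),
]

# Same message after a list manager tagged the subject and added a Reply-To
# (constructed; which edits a given list makes varies).
VIA_LIST = [("Reply-To", "dovecot@example.test")] + [
    (name, "[dovecot] " + value if name == "Subject" else value)
    for name, value in ORIGINAL]


def survives_list(h_tag, before=ORIGINAL, after=VIA_LIST):
    """True if the list's edits leave the signed header input unchanged."""
    return signed_header_input(before, h_tag) == signed_header_input(after, h_tag)


if __name__ == "__main__":
    for h_tag in (LIST_H, "from:to:date:message-id", "from:from:subject:subject"):
        print(f"{'survives' if survives_list(h_tag) else 'breaks  '}  h={h_tag}")
```

The run shows the trade-off behind Dave's question: with the quoted set, Reply-To is listed once and the original has none, so a list that adds one breaks the signature, while the untagged Subject survives only because Subject is not listed at all. Listing `subject:subject` protects the subject but then any list tag breaks it. A short set such as `from:to:date:message-id` survives both edits, at the cost of leaving the added Reply-To unauthenticated; which headers a list touches decides which set can both verify after the list and still bind the fields you care about.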



Re: Dovecot mail-crypt webmail can't read encrypted messages

2022-10-12 Thread Stuart Henderson
On 2022-10-11, Bernardo Reino  wrote:
> Please please stop top-posting. Makes a mess of everything!

I think everything that can be said in this thread, already has been said...



Re: SNI Config

2022-10-12 Thread Paul Kudla (SCOM.CA Internet Services Inc.)



much appreciated for the response

maybe a feature down the road??





Happy Wednesday !!!
Thanks - paul

Paul Kudla


Scom.ca Internet Services 
004-1009 Byron Street South
Whitby, Ontario - Canada
L1N 4S3

Toronto 416.642.7266
Main 1.866.411.7266
Fax 1.888.892.7266
Email p...@scom.ca

On 10/12/2022 8:12 AM, Aki Tuomi wrote:

> Hi!
>
> The pipe syntax has never worked, no idea why you think it would have.
> Unfortunately at the moment, files are your best option. I do understand the
> annoyance.
>
> Aki
>
>> On 12/10/2022 13:54 EEST Paul Kudla (SCOM.CA Internet Services Inc.)
>>  wrote:
>>
>> ok thanks for your input
>>
>> I finally tracked down the issue
>>
>> It was how i was loading the certificates in the first place
>>
>> that being said (and i must have missed this) 2.3.18 seems to allow
>> importing a cert from a program
>>
>> thus sni config
>>
>> local_name mail.paulkudla.net {
>>   ssl_key =/programs/common/getssl.cert -k mail.paulkudla.net -q yes
>>   ssl_cert =/programs/common/getssl.cert -r mail.paulkudla.net -q yes
>>   ssl_ca =/programs/common/getssl.cert -i mail.paulkudla.net -q yes
>> }
>>
>> would work instead of file pipes from individual text files.
>>
>> #local_name mail.paulkudla.net {
>> #  ssl_key =
>> #  ssl_cert =
>> #  ssl_ca =
>> #}
>>
>> 2.3.19 apparently no longer supports this?
>>
>> aki is there a way to pipe the cert from a program file (as indicated above)
>>
>> I am sure you can appreciate generating files for 1000+ ssl certs can
>> become a nightmare management wise
>>
>> either that or a pgsql select ?
>>
>> I have gone back to text files in the mean time ?
>>
>> Happy Wednesday !!!
>> Thanks - paul
>>
>> Paul Kudla
>>
>> Scom.ca Internet Services <http://www.scom.ca>
>> 004-1009 Byron Street South
>> Whitby, Ontario - Canada
>> L1N 4S3
>>
>> Toronto 416.642.7266
>> Main 1.866.411.7266
>> Fax 1.888.892.7266
>> Email p...@scom.ca

>> On 10/11/2022 12:46 PM, Jochen Bern wrote:
>>> On 11.10.22 17:46, Paul Kudla (SCOM.CA Internet Services Inc.) wrote:
>>>> ok according to
>>>> https://www.openssl.org/docs/man1.0.2/man5/x509v3_config.html
>>>> SAN is not a valid option along with CN
>>>
>>> ... I don't see that being said in the page you refer to?
>>>
>>> Anyhow, "stop giving a CN, use SANs instead" is a rather recent
>>> development coming from the CA/Browser Forum - and IIUC still not a
>>> *requirement*, not even for web browsers/servers. I would be surprised
>>> if OpenSSL (already) were trying to enforce that policy.
>>>
>>> Hmmm, what's our company's "IMAPS server" throwing at my TB again ... ?
>>>
>>>> $ openssl s_client -connect outlook.office365.com:993 -showcerts |
>>>> openssl x509 -noout -text
>>> [...]
>>>>     Subject: C = US, ST = Washington, L = Redmond, O = Microsoft
>>>> Corporation, CN = outlook.com
>>> [...]
>>>>     X509v3 Subject Alternative Name:
>>>> DNS:*.clo.footprintdns.com, DNS:*.hotmail.com,
>>>> DNS:*.internal.outlook.com, [...]
>>>
>>> ... yeah, no, nothing that Thunderbird (from 69-ish to 102) should get
>>> indigestion over.
>>>
>>>> Upon further testing thunderbird seems to be locking onto the primary
>>>> domain (*.scom.ca) of the server skipping any sni setup ??
>>>
>>> You might want to get a network trace of your Thunderbird talking to the
>>> server to see what cert actually is presented by the server, and
>>> ideally, what domain is requested by SNI (if at all). That all happens
>>> before the connection starts to be encrypted, so you should be able to
>>> read it (say, with Wireshark) without having to crack any crypto ...
>>>
>>> Kind regards,




Re: SNI Config

2022-10-12 Thread Aki Tuomi
Hi!

The pipe syntax has never worked, no idea why you think it would have. 
Unfortunately at the moment, files are your best option. I do understand the 
annoyance.

Aki

> On 12/10/2022 13:54 EEST Paul Kudla (SCOM.CA Internet Services Inc.) 
>  wrote:
> 
>  
> ok thanks for your input
> 
> I finally tracked down the issue
> 
> It was how i was loading the certificates in the first place
> 
> that being said (and i must have missed this) 2.3.18 seems to allow 
> importing a cert from a program
> 
> thus sni config
> 
> local_name mail.paulkudla.net {
>ssl_key =/programs/common/getssl.cert -k mail.paulkudla.net -q yes
>ssl_cert =/programs/common/getssl.cert -r mail.paulkudla.net -q yes
>ssl_ca =/programs/common/getssl.cert -i mail.paulkudla.net -q yes
> }
> 
> would work instead of file pipes from individual text files.
> 
> 
> #local_name mail.paulkudla.net {
> #  ssl_key =
> #  ssl_cert =
> #  ssl_ca =
> #}
> 
> 2.3.19 apparently no longer supports this?
> 
> aki is there a way to pipe the cert from a program file (as indicated above)
> 
> I am sure you can appreciate generating files for 1000+ ssl certs can 
> become a nightmare management wise
> 
> either that or a pgsql select ?
> 
> I have gone back to text files in the mean time ?
> 
> 
> 
> Happy Wednesday !!!
> Thanks - paul
> 
> Paul Kudla
> 
> 
> Scom.ca Internet Services 
> 004-1009 Byron Street South
> Whitby, Ontario - Canada
> L1N 4S3
> 
> Toronto 416.642.7266
> Main 1.866.411.7266
> Fax 1.888.892.7266
> Email p...@scom.ca
> 
> On 10/11/2022 12:46 PM, Jochen Bern wrote:
> > 
> > On 11.10.22 17:46, Paul Kudla (SCOM.CA Internet Services Inc.) wrote:
> >> ok according to
> >> https://www.openssl.org/docs/man1.0.2/man5/x509v3_config.html
> >> SAN is not a valid option along with CN
> > 
> > ... I don't see that being said in the page you refer to?
> > 
> > Anyhow, "stop giving a CN, use SANs instead" is a rather recent 
> > development coming from the CA/Browser Forum - and IIUC still not a 
> > *requirement*, not even for web browsers/servers. I would be surprised 
> > if OpenSSL (already) were trying to enforce that policy.
> > 
> > Hmmm, what's our company's "IMAPS server" throwing at my TB again ... ?
> > 
> >> $ openssl s_client -connect outlook.office365.com:993 -showcerts | 
> >> openssl x509 -noout -text
> > [...]
> >>     Subject: C = US, ST = Washington, L = Redmond, O = Microsoft 
> >> Corporation, CN = outlook.com
> > [...]
> >>     X509v3 Subject Alternative Name: 
> >> DNS:*.clo.footprintdns.com, DNS:*.hotmail.com, 
> >> DNS:*.internal.outlook.com, [...]
> > 
> > ... yeah, no, nothing that Thunderbird (from 69-ish to 102) should get 
> > indigestion over.
> > 
> >> Upon further testing thunderbird seems to be locking onto the primary 
> >> domain (*.scom.ca) of the server skipping any sni setup ??
> > 
> > You might want to get a network trace of your Thunderbird talking to the 
> > server to see what cert actually is presented by the server, and 
> > ideally, what domain is requested by SNI (if at all). That all happens 
> > before the connection starts to be encrypted, so you should be able to 
> > read it (say, with Wireshark) without having to crack any crypto ...
> > 
> > Kind regards,


Re: SNI Config

2022-10-12 Thread Paul Kudla (SCOM.CA Internet Services Inc.)



ok thanks for your input

I finally tracked down the issue

It was how i was loading the certificates in the first place

that being said (and i must have missed this) 2.3.18 seems to allow 
importing a cert from a program


thus sni config

local_name mail.paulkudla.net {
  ssl_key =/programs/common/getssl.cert -k mail.paulkudla.net -q yes
  ssl_cert =/programs/common/getssl.cert -r mail.paulkudla.net -q yes
  ssl_ca =/programs/common/getssl.cert -i mail.paulkudla.net -q yes
}

would work instead of file pipes from individual text files.


#local_name mail.paulkudla.net {
#  ssl_key =
#  ssl_cert =
#  ssl_ca =
#}

2.3.19 apparently no longer supports this?

aki is there a way to pipe the cert from a program file (as indicated above)

I am sure you can appreciate generating files for 1000+ ssl certs can 
become a nightmare management wise


either that or a pgsql select ?

I have gone back to text files in the mean time ?



Happy Wednesday !!!
Thanks - paul

Paul Kudla


Scom.ca Internet Services 
004-1009 Byron Street South
Whitby, Ontario - Canada
L1N 4S3

Toronto 416.642.7266
Main 1.866.411.7266
Fax 1.888.892.7266
Email p...@scom.ca

On 10/11/2022 12:46 PM, Jochen Bern wrote:

> On 11.10.22 17:46, Paul Kudla (SCOM.CA Internet Services Inc.) wrote:
>> ok according to
>> https://www.openssl.org/docs/man1.0.2/man5/x509v3_config.html
>> SAN is not a valid option along with CN
>
> ... I don't see that being said in the page you refer to?
>
> Anyhow, "stop giving a CN, use SANs instead" is a rather recent
> development coming from the CA/Browser Forum - and IIUC still not a
> *requirement*, not even for web browsers/servers. I would be surprised
> if OpenSSL (already) were trying to enforce that policy.
>
> Hmmm, what's our company's "IMAPS server" throwing at my TB again ... ?
>
>> $ openssl s_client -connect outlook.office365.com:993 -showcerts |
>> openssl x509 -noout -text
> [...]
>>     Subject: C = US, ST = Washington, L = Redmond, O = Microsoft
>> Corporation, CN = outlook.com
> [...]
>>     X509v3 Subject Alternative Name:
>> DNS:*.clo.footprintdns.com, DNS:*.hotmail.com,
>> DNS:*.internal.outlook.com, [...]
>
> ... yeah, no, nothing that Thunderbird (from 69-ish to 102) should get
> indigestion over.
>
>> Upon further testing thunderbird seems to be locking onto the primary
>> domain (*.scom.ca) of the server skipping any sni setup ??
>
> You might want to get a network trace of your Thunderbird talking to the
> server to see what cert actually is presented by the server, and
> ideally, what domain is requested by SNI (if at all). That all happens
> before the connection starts to be encrypted, so you should be able to
> read it (say, with Wireshark) without having to crack any crypto ...
>
> Kind regards,
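
Jochen's `openssl s_client ... | openssl x509 -noout -text` shows the Subject CN and SAN list of whatever the server hands out, and his Wireshark suggestion would show which name the client asked for in SNI. The following added Python example (not from the thread and not Dovecot code) does the same check in one step: it handshakes once per SNI name and reports the CN and SAN DNS entries it got back, so you can see whether a local_name block is selecting a different certificate or whether the server always serves the default one, which is the symptom Paul describes. The `cert_names`, `covers`, `sni_report` and `ignores_sni` helpers are this example's own names; the sample certificate dict in the usage note is constructed.

```python
"""Report which certificate a server presents for a given SNI name.

Added example for the SNI thread, not code from the posters or from Dovecot.
It asks for one name in the ClientHello (server_hostname) and reads back the
leaf certificate's Subject CN and SAN DNS entries, the same fields that
`openssl s_client -servername NAME | openssl x509 -noout -text` prints.
"""
import socket
import ssl


def cert_names(peercert):
    """Pull the Subject CN and SAN DNS names out of the dict returned by
    ssl.SSLSocket.getpeercert(); an empty dict yields no names."""
    cn = [value for rdn in peercert.get("subject", ())
          for key, value in rdn if key == "commonName"]
    dns = [value for key, value in peercert.get("subjectAltName", ())
           if key == "DNS"]
    return {"cn": cn[0] if cn else None, "dns": dns}


def covers(hostname, names):
    """True if a SAN DNS entry matches hostname: exact match, or a single
    leftmost '*' label (RFC 6125 style).  The CN is deliberately ignored,
    as current clients match SANs only; it is reported for information."""
    host = hostname.lower().rstrip(".")
    for pattern in names["dns"]:
        pattern = pattern.lower().rstrip(".")
        if pattern == host:
            return True
        if (pattern.startswith("*.") and "." in host
                and host.split(".", 1)[1] == pattern[2:]):
            return True
    return False


def fetch_cert_names(host, port, sni_name, ca_file=None):
    """Handshake with host:port asking for sni_name; return cert_names().

    Hostname checking is off so a mismatched certificate can be inspected
    (the mismatch is what we are hunting), but chain validation stays on,
    because getpeercert() only returns the parsed dict for a validated
    chain.  For a private CA or self-signed cert pass its PEM as ca_file.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni_name) as tls:
            return cert_names(tls.getpeercert())


def sni_report(host, port, sni_names, ca_file=None):
    """One handshake per SNI name -> {name: {"cn", "dns", "ok"}}."""
    report = {}
    for name in sni_names:
        names = fetch_cert_names(host, port, name, ca_file)
        names["ok"] = covers(name, names)
        report[name] = names
    return report


def ignores_sni(report):
    """True when every requested name got the same certificate, i.e. the
    server served its default cert regardless of the SNI extension."""
    seen = {(entry["cn"], tuple(entry["dns"])) for entry in report.values()}
    return len(seen) == 1 and len(report) > 1


if __name__ == "__main__":
    import sys
    # usage: python sni_check.py HOST PORT SNI_NAME [SNI_NAME ...]
    host, port, *names = sys.argv[1:]
    result = sni_report(host, int(port), names)
    for name, entry in result.items():
        print(f"{name}: CN={entry['cn']} SAN={entry['dns']} covers={entry['ok']}")
    if ignores_sni(result):
        print("same certificate for every name: SNI is not selecting a cert")
```

Run it with the server's primary name and one of the local_name hostnames, for example `python sni_check.py mail.example.test 993 mail.example.test mail.paulkudla.net` (hostnames here are illustrative). If both answers carry the same names and `covers` is False for the local_name host, the server is presenting the primary (*.scom.ca-style) certificate for every SNI value, which is what Thunderbird "locking onto the primary domain" looks like from the client side; if the names differ per SNI but `covers` is still False, the certificate selected for that local_name simply does not list the host.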