Re: Fixing broken UTF-8 handling with MySQL driver

[Felix Zandanel]

 Am 12.03.2015 um 14:55 schrieb Timo Sirainen t...@iki.fi:
 
 On 11 Mar 2015, at 21:31, Felix Zandanel fe...@zandanel.me wrote:
 
 Although my MySQL installation is set up to use UTF-8 as the default charset 
 on every level (config, database, table and field), and the character_set_* 
 runtime variables all yield the value utf8, it still seems that the mysql 
 client library must be instructed to actually use UTF-8 explicitly. Adding 
 the following statement to driver_mysql_connect() fixes the issue for me:
 
 mysql_options(db-mysql, MYSQL_SET_CHARSET_NAME, utf8);
 
 I think you can also add to /etc/my.cnf :
 
 [client]
 default-character-set = utf8

Sorry for the late reply. You were so right, that simple line did the trick. My 
fault, I didn't read the whole charset documentation of MySQL. It's a shame 
that UTF-8 isn't the default setting.

Anyway, as dovecot's internals expect all input strings to be UTF-8, wouldn't 
it be useful to enforce UTF-8 in the database drivers? Using anything else than 
ASCII / UTF-8 for dovecot's MySQL connections doesn't really make sense, I 
think. Also, a default-character-set = utf8 line in my.cnf is a system wide 
configuration, which might break other software interacting with MySQL—in 
theory.




signature.asc
Description: Message signed with OpenPGP using GPGMail

Fixing broken UTF-8 handling with MySQL driver

[Felix Zandanel]

Hi,

I noticed that dovecot's MySQL driver doesn't play well with UTF-8 encoded 
strings. I presume this issue has been around for a while. However, it still 
fails with the current release candidate 2.2.16-rc1.

I have been using the sieve extdata plugin with a MySQL-backed dict to retrieve 
a folder name that is then passed to fileinto:

fileinto :create ${extdata.folder_name_drafts};

Whenever this dict returned a string with non-7byte characters, a line such as 
the following popped up in sieve.log. (This example query should return 
Entwürfe.)

error: folder name specified for fileinto command is not utf-8: Entw?rfe.

Although my MySQL installation is set up to use UTF-8 as the default charset on 
every level (config, database, table and field), and the character_set_* 
runtime variables all yield the value utf8, it still seems that the mysql 
client library must be instructed to actually use UTF-8 explicitly. Adding the 
following statement to driver_mysql_connect() fixes the issue for me:

mysql_options(db-mysql, MYSQL_SET_CHARSET_NAME, utf8);

I checked this against mysql 5.5.41.

Regards,
Felix



mysql_utf8.patch
Description: Binary data

Re: IP drop list

[Felix Zandanel]

 Am 01.03.2015 um 10:25 schrieb Reindl Harald h.rei...@thelounge.net:
 Am 01.03.2015 um 08:53 schrieb Jim Pazarena:
 I wonder if there is an easy way to provide dovecot a flat text file of
 ipv4 #'s which should be ignored or dropped?
 
 I have accumulated 45,000+ IPs which routinely try dictionary and
 12345678 password attempts. The file is too big to create firewall
 drops, and I don't want to compile with wrappers *if* dovecot has an
 easy ability to do this. If dovecot could parse a flat text file of IPs
 and drop connections it would sure put a dent in these attempts.
 
 hence i asked month ago for RBL support because such lists are easy to feed 
 into http://www.corpit.ru/mjt/rbldnsd.html - sadly i got no reply than use 
 fail2ban and what not irrelevant if there is already a local dnsbl


I absolutely agree with Harald Reindl's findings on the advantages of DNSBL, 
but you have to see the big picture. Though I’ll speak about DNSBL a lot in 
this text, this is about blocking IPs in general.

In my opinion, the *only* valid setup to use DNSBL are MTAs that accept mail 
from unauthenticated clients. That is because in such scenarios there are 
several heuristics you can safely use to distinguish the good from the bad. One 
of the most important aspects has to do with the distinction between mail 
submission and transmission. If you don’t want an open relay, you normally let 
your users authenticate before they can submit their mail.

In any other case it’s safe to assume that the client is another MTA wanting to 
push a message over to you. We are talking about server systems here, not end 
users. Servers that should have a valid hostname, a static IP with no NAT in 
between etc. Blocking one IP in this case *should* really only block that one 
bad computer system. In the end, it’s perfectly OK to block clients that are 
either not authenticated, have no valid hostname, use dynamically assigned IPs 
etc. from accessing your MTA. Once having checked that one may put single IPs 
on a private block list to speed things up.

In the case of HTTP, IMAP, etc. things are not so easy. Just think about NAT 
and CGN. You as a service provider *can* never know that there’s no collateral 
damage when you block an IP address. Every single IP out there could be a 
gateway to a private or even carrier grade network with hundreds or thousands 
of computers behind it. Some of them might be infected by malware or controlled 
by a bad guy. Some others might be those your clients use to download their 
mail. You’d lock them all out—just because you want to safe some server 
resources? Is it really worth it?

Imagine one of your customers traveling abroad, using unusual POPs to access 
your dovecot instance. If the gateway IP that your server sees is blocked, you 
lock out your own customer. It’s the old tale.

Some words of advice:

(1) There’s no point in listing thousands of IPs without proper TTL. And that 
TTL should be short! If there really were 45 000 single /32 IPs that were 
behaving rude at some point in the past, how can you be sure these addresses 
are still doing so? Moreover, with IPv4 addresses being rare and IPv6 only 
being deployed slowly, CGN happens to be used more often than in the past. Even 
with IPv6, where prefixes were initially meant to be static, there are many 
ISPs that don’t give their line customers static IPv6 prefixes. That means 
attackers as well as your customers might end up using many different addresses 
over time.

(2) If you run your own block list and were to add another IP, there should be 
sufficient knowledge about the origin of the attack. Always check the RIR whois 
databases, look at the delegated address range the IP is in, the country, the 
owner of the network, hostnames... Monitor your log files and try to detect 
patterns. [Honestly, I’d not be willing to invest the time ;-) ]

(3) Use a scoring system. If there are other DNSBLs that list the IP or network 
in question, the likelihood of causing more harm than good is a bit lower than 
if you are the only one suffering an attack. Community based DNSBLs are 
commonly a good thing.

You see, blocking IPs just because it’s simple and effective (for the moment) 
might not be what you want. I’d rather let my users choose stronger passwords, 
strongly enforce TLS and scale up my server systems to handle the bad traffic. 
Surely, it depends on your own case, just don’t be naïve and think that 
blocking IPs is a general solution to anything nowadays. It might very well 
work for you if you don’t have a lot of customers, though.

Speaking about dovecot, I doubt direct DNSBL integration will happen upstream 
because dovecot already supports access lookups. You can use dovecot's tcpwrap 
and configure your /etc/hosts.deny to lookup an external ACL program that in 
turn consults your DNSBL. See man hosts_options, section RUNNING OTHER 
COMMANDS. Look for »aclexec«.[1] I guess that should get you on track. Just be 
warned that 

Re: IP drop list

[Felix Zandanel]

 Am 04.03.2015 um 20:31 schrieb Reindl Harald h.rei...@thelounge.net:
 
  In the case of HTTP, IMAP, etc. things are not so easy.
  Just think about NAT and CGN
 
 that don't matter
 
 if i blacklist a client because he starts a dictionary attack in SMTP i want 
 it also bock on IMAP without use a dozen of different tools because teh via 
 IMAP now catched account password will be used for send spam later when the 
 SMTP RBL entry expires


That’s the point why DNSBLs are good: You can use them for many different 
services at once. However, the idea is to block attackers before they are able 
to succeed identifying a valid login credential AND not to block your customers 
that expect a service that just works. This is a trade off. If both the 
attacker (or a malware infected computer etc.) and your valid user sit behind 
the same CGN gateway then it does matter and that scenario is not uncommon.

Blocking a rude boy for some time from continuing with the attack will likely 
cause him to stop entirely, at least for a much longer time than you blocking 
the address. If he proceeds afterwards, then you have no other choice than 
blocking the IP for longer anyway and maybe tell your users you are suffering 
an attack.

I am not against block lists. I just say their use should be justified as they 
may decrease overall service quality as well. There is another solution for 
auth based services: As soon as you detect a possible attack (# auth reqs  x 
etc.), keep the connection open, slow it down and just never let it succeed 
regardless of the credentials provided. This is done on a per-connection basis. 
No block list needed. Can be accomplished with fail2ban and iptables and 
therefore uses minimal server resources.

Cheers,
Felix



signature.asc
Description: Message signed with OpenPGP using GPGMail

Re: Per-protocol ssl_protocols settings

[Felix Zandanel]

I performed a quick test and it seems that the ssl_protocols setting is 
per-IP only and shared among all listeners defined for that address.  As you 
want this setting to be active for one specific inet_listener only (with port 
10995 in your case), dovecot would have to permit the ssl_protocols directive 
in that scope, which it doesn’t.

As a workaround I suggest using a special, unused loopback address to which you 
can apply the distinct SSL settings. You could use iptables/NAT to forward all 
incoming traffic originating from your external IP on port 10995 to 
127.0.0.2:10995 for example. Then configure the POP3 service with an 
inet_listener for 127.0.0.2:10995 and use the local directive to set up the 
SSL protocols without touching global settings:

local 127.0.0.2 {
   ssl_protocols = !SSLv2
}

Regards,
Felix Zandanel


 Am 09.02.2015 um 11:33 schrieb Gionatan Danti g.da...@assyoma.it:
 
 Sorry for the bump...
 
 Anyone know if it is possible to have multiple protocols instances with 
 different ssl_protocols settings?
 
 Regards.
 
 On 07/02/15 00:03, Gionatan Danti wrote:
 Hi all,
 anyone with some ideas?
 
 Thanks.
 
 Il 2015-02-02 23:08 Gionatan Danti ha scritto:
 Hi all,
 I have a question regarding the ssl_protocols parameter.
 
 I understand that editing the 10-ssl.conf file I can set the
 ssl_protocols variable as required.
 At the same time, I can edit a single protocol file (eg: 20-pop3.conf)
 to set the ssl_protocols for a specific protocol/listener.
 
 I wander if (and how) I can create a different listener for another
 POP3 instance, for example listening on port 10995, and using another
 ssl_protocol setting.
 
 In short, I would like to create a different, firewalled pop3s service
 enabling the SSLv3 stack, while disabling it at system-wide settings.
 
 I am able to successfully create a new listener for port 10995, but I
 don't understand how to associate the ssl_protocols value to the new
 listener. Simply putting the ssl_protocols value into the listener
 section give me a configuration error.
 
 Thank you all.
 
 
 -- 
 Danti Gionatan
 Supporto Tecnico
 Assyoma S.r.l. - www.assyoma.it
 email: g.da...@assyoma.it - i...@assyoma.it
 GPG public key ID: FF5F32A8