Re: Thunderbird can't connect to Dovecot (bad certificate: SSL alert number 42)

2022-09-18 Thread Jaroslaw Rafa
Dnia 18.09.2022 o godz. 10:09:34 Stuart Henderson pisze:
> 
> The CA/Browser Forum baseline requirements say that certificates must
> include subjectAlternativeName. This doesn't strictly apply to non-browser
> applications but it does mean that all CA-issued certs can be relied upon
> to have SAN.
> 
> RFC 6125 6.4.4 says that clients must not check CN if the identifiers
> used in subjectAlternativeName are present. So for certs following the
> baseline requirements, checking CN is redundant. It also says that
> clients *may* check CN but it's not required.
> 
> There are differences in handling of name constraints between certs
> using just CN and those using SAN. Name constraints don't really work
> for certs using CN (by adding dc= components to the Subject, you can
> comply with the directoryName constraints that apply to Subject
> while providing a CN that is not in the expected domain). The dNSName
> constraint applicable to SAN doesn't have this problem.
> 
> So there's a good reason to avoid using CN when checking the name: it
> gives defence against a CA or sub-CA with a trusted but constrained root
> certificate that goes rogue.
> 
> Practically this means you need to make sure that if you use self-
> signed or internal CA certificates you include subjectAlternativeName
> otherwise they won't work with some client software. If you use public
> CA-signed certs you typically don't need to do this yourself because
> the CA adds SAN if missing from the CSR (their only other option is
> to reject issuance).

I have a question regarding this:
I always understood (maybe wrong) SAN as literally *alternate* DNS names for
the server in addition to its basic, "canonical" DNS name, which was
specified in the CN.

For example if the server is example.com, but it also can be accessed as
www.example.com (and both names have A records resolving to the same IP
address), I put example.com into CN and www.example.com into SAN.

From what you have written above, I cannot figure out if this is correct, or
whether I should maybe put both names example.com and www.example.com into SAN
(in addition to example.com being in CN)?
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."
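The guidance quoted in the reply above (RFC 6125 clients match on the SAN and may ignore the CN once a SAN is present, so self-signed or internal-CA certificates need a SAN to work with all clients) is what the following added example acts on. It is not code from this thread: it issues a self-signed certificate whose CN (example.com) is repeated in the SAN next to www.example.com, reads the SAN back, and runs OpenSSL's own hostname matcher against both names plus one name that is absent. It assumes the `openssl` command-line tool (1.1.1 or newer, for `-addext` and `-ext`) is on PATH; the function names are mine.

```python
#!/usr/bin/env python3
# Added example: self-signed certificate with every server name in the SAN,
# verified with the openssl CLI. Not code from the mailing-list thread.
import re
import shutil
import subprocess
import tempfile
from pathlib import Path


def _openssl(*args: str) -> subprocess.CompletedProcess:
    """Run one openssl subcommand and return the completed process."""
    exe = shutil.which("openssl")
    if exe is None:
        raise RuntimeError("openssl CLI not found on PATH (assumed by this example)")
    return subprocess.run([exe, *args], capture_output=True, text=True)


def make_selfsigned(workdir: Path, cn: str, san_names: list[str]) -> Path:
    """Issue a self-signed cert with subject CN=`cn` and a SAN listing every
    name in `san_names`. The CN should be repeated in the SAN: a client that
    follows RFC 6125 stops looking at the CN as soon as a SAN is present."""
    key, cert = workdir / "key.pem", workdir / "cert.pem"
    san = ",".join(f"DNS:{name}" for name in san_names)
    result = _openssl(
        "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "30",
        "-keyout", str(key), "-out", str(cert),
        "-subj", f"/CN={cn}", "-addext", f"subjectAltName={san}",
    )
    if result.returncode != 0:
        raise RuntimeError(result.stderr)
    return cert


def san_dns_names(cert: Path) -> list[str]:
    """Read back the dNSName entries of the certificate's SAN extension."""
    result = _openssl("x509", "-in", str(cert), "-noout", "-ext", "subjectAltName")
    return re.findall(r"DNS:([^,\s]+)", result.stdout)


def hostname_matches(cert: Path, hostname: str) -> bool:
    """Ask OpenSSL whether `hostname` is acceptable for this certificate.
    The cert is its own trust anchor here because it is self-signed."""
    result = _openssl("verify", "-CAfile", str(cert),
                      "-verify_hostname", hostname, str(cert))
    return result.returncode == 0


def demo(cn: str, san_names: list[str], probes: tuple[str, ...]) -> dict:
    """Build the cert in a scratch directory and report SAN plus match results."""
    with tempfile.TemporaryDirectory() as scratch:
        cert = make_selfsigned(Path(scratch), cn, san_names)
        return {
            "san": san_dns_names(cert),
            "matches": {host: hostname_matches(cert, host) for host in probes},
        }


if __name__ == "__main__":
    report = demo("example.com", ["example.com", "www.example.com"],
                  ("example.com", "www.example.com", "mail.example.com"))
    print("SAN:", report["san"])
    for host, ok in report["matches"].items():
        print(f"{host}: {'match' if ok else 'no match'}")
```

The check with `openssl verify -verify_hostname` is only a convenient stand-in for what a mail client does during the TLS handshake; the point it demonstrates is that both example.com and www.example.com are accepted purely on the strength of the SAN, and a name missing from the SAN is not, so every name a server answers to belongs in the SAN of its certificate.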


Re: Outlook 365 MUA produces dovecot changing filename on some mailbox

2022-09-12 Thread Jaroslaw Rafa
Dnia 12.09.2022 o godz. 12:30:29 John Stoffel pisze:
> Sure, 'ls -l' doesn't do any sorting, it just reads the directory
> information as returned from the disk and shows you the results.  If
> you want it by time, you need to do:
> 
> ls -ltr
> 
> to have the newest files be at the end.

'ls' (and 'ls -l' as well) by default sorts files alphabetically. It has
always been so.
For an unsorted list, one needs to use 'ls -lU' (that applies to the GNU
version of 'ls'; other versions may not recognize the '-U' switch).
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org


Re: Is this safe?

2022-08-25 Thread Jaroslaw Rafa
Dnia 25.08.2022 o godz. 10:48:47 dove...@ptld.com pisze:
> 
> Now for my 2 cents;
> Why? Not all clients keep active connections open to IMAP between fetching 
> mail and then sending to submission.
> Postfix can validate user/pass credentials with dovecot when accepting mail 
> for submission.
> Why add extra moving parts to your system instead of just using the built in 
> auth checking for submission mail?

Why? Exactly so as not to let the connecting client even reach the AUTH phase
if it's not a "regular" user accessing mail on this server.

My server is a very small server and from what I see in the logs, all mail
clients that connect to it open an IMAP connection first and then keep it
open throughout the session. If you know of a commonly used client that
does not behave this way, please let me know - I will try it.

Of course I do use AUTH checking via Dovecot in Postfix, but the intent is -
as I mentioned above - not to even proceed to the AUTH phase.

Recently I have been experiencing authentication attacks that are highly
distributed. There are almost no IP addresses that repeat, so I can't use
fail2ban or any other method to block "repeat offenders", as there are none
:). It looks like some IP address connects to the submission service, tries
AUTH on some user, and disconnects. Then another IP connects and tries the
same, *on the same user*. And the last part is what worries me. Until now
I have seen a lot of AUTH attacks, but these were against random usernames
that didn't even exist on my server. But now they have started targeting
actual users. So there is a chance they will eventually crack a password if
this continues for a long time.

While I see these attacks on the submission service, I see virtually no
attempts to actually log in to the IMAP service (except legitimate users of
course). Hence the idea of checking IMAP-before-SMTP :).
SMTP AUTH is of course still in place; this is just an extra step that
rejects the connection right away if the client does not already have an
IMAP connection established.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org


Is this safe?

2022-08-25 Thread Jaroslaw Rafa
Hello,
I asked about this a few days ago, but since nobody answered in that thread,
I'd like to bring it up again as a separate thread. Maybe somebody
answers...

I have written a policy service for Postfix that checks whether the
connecting IP address currently has an IMAP session open. For this, it needs
to access the socket /var/run/dovecot/anvil. But by default, this socket is
accessible only to root, and I obviously DON'T want my service to run as
root:

srw------- 1 root root 0 May 22  2020 /var/run/dovecot/anvil

By modifying the Dovecot configuration I was able to change the permissions
on that socket to:

srw-rw---- 1 root dovecot 0 Aug 21 20:47 /var/run/dovecot/anvil

Then my service can run under the user "dovecot" and access the socket.

Here's my question: did I create any security risk by changing the socket
permissions like above and running my service under "dovecot" user?

Or would it be better to create a special user dedicated only to this
service and run the service under that user?
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org


Re: Get a list of currently active IMAP connections?

2022-08-21 Thread Jaroslaw Rafa
Dnia 20.08.2022 o godz. 19:34:03 Jaroslaw Rafa pisze:
> I have one more question regarding this.
> 
> My service needs to access the socket /var/run/dovecot/anvil. The problem is
> that this socket (at least on my system) has permissions only for root:
> 
> srw------- 1 root root 0 May 22  2020 /var/run/dovecot/anvil
> 
> And I don't think it's a good idea to run my service as root. Is it possible
> to add permission to this socket for another user? If yes, what should I
> change in Dovecot config?

Well, documentation is not very clear on this, but by trial and error I was
able to change /var/run/dovecot/anvil socket permissions to:

srw-rw---- 1 root dovecot 0 Aug 21 20:47 /var/run/dovecot/anvil

by putting the following lines into Dovecot configuration:

# this is needed for Postfix IMAP-before-SMTP policy service to access anvil
service anvil {
  unix_listener anvil {
    user = root
    group = dovecot
    mode = 0660
  }
}

Then my service can run under the user "dovecot" and access anvil.

So I'd like to ask - do I create any security risk by changing the anvil
socket permissions like above and running my service under "dovecot" user?

Or is it better to create a special user dedicated only to this service
and run the service under that user?
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org


Re: Get a list of currently active IMAP connections?

2022-08-20 Thread Jaroslaw Rafa
Dnia 16.08.2022 o godz. 23:54:00 Jaroslaw Rafa pisze:
> 
> It's an interesting option, but after looking into "doveadm" source code I
> was able to reimplement the query that "doveadm who" does with a few lines
> of simple Perl code. It's exactly what I want, as it can be easily
> integrated into a policy service written in Perl.

I have one more question regarding this.

My service needs to access the socket /var/run/dovecot/anvil. The problem is
that this socket (at least on my system) has permissions only for root:

srw------- 1 root root 0 May 22  2020 /var/run/dovecot/anvil

And I don't think it's a good idea to run my service as root. Is it possible
to add permission to this socket for another user? If yes, what should I
change in Dovecot config?
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org


Re: Get a list of currently active IMAP connections?

2022-08-16 Thread Jaroslaw Rafa
Dnia 16.08.2022 o godz. 23:37:05 Aki Tuomi pisze:
> 
> doveadm_password = secret
> 
> service doveadm {
>   inet_listener http {
>  port = 8080
>   }
> }
> 
> should allow you to use `who` command over HTTP API. 

It's an interesting option, but after looking into "doveadm" source code I
was able to reimplement the query that "doveadm who" does with a few lines
of simple Perl code. It's exactly what I want, as it can be easily
integrated into a policy service written in Perl.

Thanks again for pointing me in the right direction.

If anybody is interested, here's the code:


#!/usr/bin/perl
# Query Dovecot's anvil socket the way "doveadm who" does and print the
# client IP and user of every open IMAP session.
use strict;
use warnings;
use IO::Socket::UNIX qw( SOCK_STREAM );

my $sockpath = "/var/run/dovecot/anvil";

my $socket = IO::Socket::UNIX->new(
    Type => SOCK_STREAM,
    Peer => $sockpath,
) or die "Can't connect to $sockpath: $!";

# Handshake ("VERSION<tab>anvil<tab>major<tab>minor") followed by the dump
# request; anvil answers with one line per connection and ends the dump
# with an empty line.
my $ANVIL_HANDSHAKE = "VERSION\tanvil\t1\t0\n";
my $ANVIL_CMD       = $ANVIL_HANDSHAKE . "CONNECT-DUMP\n";

$socket->send($ANVIL_CMD) or die "Socket write error: $!";

# Read line by line up to the terminating empty line, so a dump that is
# larger than one recv() buffer or arrives in pieces is not truncated.
while (defined(my $line = <$socket>)) {
    chomp $line;
    last if $line eq '';
    # Dump lines look like "imap/<ip>/<user>\t..."; only IMAP sessions matter.
    if ($line =~ m#^imap/([0-9A-Fa-f.:]+)/([^\t]+)\t#) {
        print "IP=$1 user=$2\n";
    }
}
close($socket);

-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org


Re: Get a list of currently active IMAP connections?

2022-08-16 Thread Jaroslaw Rafa
Dnia 16.08.2022 o godz. 23:19:14 Aki Tuomi pisze:
> Have you tried `doveadm who`?

Why haven't I found it in the documentation? I was really searching... :)
Thank you!

But this still requires launching an external executable for each connection
request. The optimal solution would be to get it via some socket, or
something like this...
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org


Get a list of currently active IMAP connections?

2022-08-16 Thread Jaroslaw Rafa
Hello Dovecot community,

I have a question: is it possible to programmatically get from Dovecot a
list of currently active IMAP sessions (with IP addresses)? Via a plugin or
something?

Or just check if there is an IMAP session currently open from a particular IP
address, with true/false type answer?

I'm planning to implement a policy service for *Postfix* that will revive
the old "POP before SMTP" authorization concept (only it will be "IMAP
before SMTP" this time). This policy service will reject connections to
mail submission ports (465, 587) - without even going to the SMTP AUTH phase -
unless the connecting IP address currently has an IMAP session open to
Dovecot, to mitigate SMTP AUTH attacks.

But for this I need some way to check from within this policy service whether
the particular IP address has a connection open or not. It could of course
be obtained by scanning Dovecot logs, but this involves quite a large
overhead. Therefore I'm looking for a way to get this information directly
from Dovecot's current state.

Can you advise me of any way to do this?

Or maybe someone has already written such a piece of software and it is
available somewhere on the Net?
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
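The IMAP-before-SMTP policy service asked about in this opening message, together with the anvil query that the poster's Perl script earlier on the page performs, as one added Python example. It is not the poster's code and not code from Dovecot or Postfix. It takes from the thread only the socket path, the anvil handshake and CONNECT-DUMP strings, and the "imap/<ip>/<user>\t..." layout of the dump lines; the Postfix side uses the documented policy delegation protocol (name=value lines ended by a blank line, answered with `action=...`). The function names, the sample dump and the sample request are constructed here.

```python
#!/usr/bin/env python3
# Added example: IMAP-before-SMTP policy service for Postfix backed by
# Dovecot's anvil socket. Not the poster's Perl script, not Dovecot or
# Postfix code. From the thread: socket path, handshake, CONNECT-DUMP and
# the "imap/<ip>/<user>\t..." line layout. SAMPLE_* data is constructed.
from __future__ import annotations
import re
import socket
import sys

ANVIL_SOCKET = "/var/run/dovecot/anvil"
ANVIL_HANDSHAKE = "VERSION\tanvil\t1\t0\n"
ANVIL_DUMP_CMD = "CONNECT-DUMP\n"

# One dump line per open connection: "<service>/<ip>/<user>\t<rest>".
_IMAP_LINE = re.compile(r"^imap/([0-9A-Fa-f.:]+)/([^\t]+)\t")


def parse_connect_dump(dump: str) -> dict[str, set[str]]:
    """Return {client_ip: {users}} for open IMAP sessions only. pop3/lmtp
    lines are skipped on purpose: the policy is IMAP-before-SMTP."""
    sessions: dict[str, set[str]] = {}
    for line in dump.splitlines():
        m = _IMAP_LINE.match(line)
        if m:
            sessions.setdefault(m.group(1), set()).add(m.group(2))
    return sessions


def query_anvil(path: str = ANVIL_SOCKET, timeout: float = 2.0) -> str:
    """Fetch a raw CONNECT-DUMP. anvil ends the dump with an empty line and
    keeps the connection open, so read up to that blank line rather than
    relying on one fixed-size buffer or on EOF."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(path)
        s.sendall((ANVIL_HANDSHAKE + ANVIL_DUMP_CMD).encode())
        buf = b""
        while not (buf.endswith(b"\n\n") or buf == b"\n"):
            chunk = s.recv(65536)
            if not chunk:
                break
            buf += chunk
    return buf.decode(errors="replace")


def parse_policy_request(raw: str) -> dict[str, str]:
    """Parse one Postfix policy request: name=value lines, blank-line ended."""
    attrs: dict[str, str] = {}
    for line in raw.splitlines():
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def policy_action(request: dict[str, str], sessions: dict[str, set[str]]) -> str:
    """DUNNO hands control back to Postfix, so SMTP AUTH still applies to a
    client that holds an IMAP session; anyone else is rejected before AUTH."""
    if request.get("client_address", "") in sessions:
        return "DUNNO"
    return "REJECT No IMAP session from your address"


def format_policy_response(action: str) -> str:
    return f"action={action}\n\n"


def serve_stdio(dump_source=query_anvil) -> None:
    """Request/response loop for when Postfix spawns the script from master.cf."""
    pending: list[str] = []
    for line in sys.stdin:
        line = line.rstrip("\n")
        if line:
            pending.append(line)
            continue
        request = parse_policy_request("\n".join(pending) + "\n")
        pending.clear()
        action = policy_action(request, parse_connect_dump(dump_source()))
        sys.stdout.write(format_policy_response(action))
        sys.stdout.flush()


# Constructed sample data, not a real anvil dump or a real Postfix request.
SAMPLE_DUMP = ("imap/192.0.2.10/alice\t1\n"
               "imap/2001:db8::5/bob\t2\n"
               "pop3/192.0.2.99/carol\t1\n"
               "imap/192.0.2.10/dave\t1\n"
               "\n")
SAMPLE_REQUEST = ("request=smtpd_access_policy\n"
                  "protocol_state=RCPT\n"
                  "client_address={ip}\n"
                  "\n")


def demo(client_ip: str) -> str:
    """Run the decision for one client IP against the constructed sample dump."""
    request = parse_policy_request(SAMPLE_REQUEST.format(ip=client_ip))
    return policy_action(request, parse_connect_dump(SAMPLE_DUMP))


if __name__ == "__main__":
    if "--stdio" in sys.argv:
        serve_stdio()
    else:
        for ip in ("192.0.2.10", "2001:db8::5", "192.0.2.99", "203.0.113.7"):
            print(ip, "->", demo(ip))
```

Run with `--stdio` the script speaks the protocol Postfix expects from a `check_policy_service` entry in its smtpd restrictions; without arguments it exercises the decision on the constructed sample, where the pop3-only client 192.0.2.99 is rejected just like an address with no session at all. Two caveats a deployer would want: the check keys on the client IP, so clients sharing one NAT address are admitted on the strength of each other's IMAP sessions, which is why the thread keeps SMTP AUTH in place behind it; and the process needs read/write access to the anvil socket, which is the permission question the thread goes on to discuss.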