Re: Dovecot book for a newbie

2021-07-07 Thread li...@lazygranch.com



On Wed, 07 Jul 2021 10:04:06 -0700
techli...@phpcoderusa.com wrote:

> 
> 
> Hi,
> 
> Please recommend a Dovecot book for a newbie... I have a fair amount
> of Linux PHP hosting experience - LAMP virtual host configurations.
> I'm new to BIND, Postfix, and Dovecot.
> 
> I'm running Ubuntu 20.04lts.
> 
> I have a test server almost working.  Can send but not receive.
> Would like to understand more.  I'm guessing it is a Zone (MX) / SSL
> / Client configuration issue.
> 
> Thanks in advance!!
> 

I used this person's blog when I set up my servers. Unfortunately he
only has guides for centos and freebsd but it is worth checking out. I
think the odds of me setting up an email server from just the manuals
would be zero, keyword me. But ubuntu versus centos should just be a
packaging issue.

https://blog.andreev.it/?p=1975

I recall it being correct but not complete regarding postfix. I don't
recall any Dovecot issue. It is 99% there. What I like is the guide
provides a test at each step.

I advise you to start out small and add features later or never. After
being hacked via RoundCube when I used a hosting service I am a firm
believer in keeping the attack surface small. If this is a personal
server (as is mine) I wouldn't even bother with SpamAssassin. You can
stop much spam simply via Postfix. What this guide lacks is a number of
milters for postfix required for DKIM and DMARC. Also I would set up
the server using "submission" (port 587) since that allows for
geofencing all the email ports other than 25, again presuming this is a
personal server where geofencing would be appropriate.

There are a number of websites that can test your email server. For
instance you wouldn't want to mistakenly be an open relay. They will
also help with verifying all the identification features are proper.
The deal with an email server is you need to look legit because the
world is out to block you. In fact there are some ISPs that will simply
reject your email until you contact them to get "allow listed". Some
like Spectrum will never accept email from some VPS. [Sheer
incompetence.]

Lastly my personal philosophy is to make no element of the email server
programmable via a browser. I do everything via ssh and cli. This makes
life hard for the hackers. 



Re: CVE-2021-33515: SMTP Submission service STARTTLS injection

2021-06-22 Thread li...@lazygranch.com



On Mon, 21 Jun 2021 13:51:30 +0200
Timo Sirainen  wrote:

> Open-Xchange Security Advisory 2021-06-21
> 
> Product: Dovecot
> Vendor: OX Software GmbH
> Internal reference: DOV-4583 (Bug ID)
> Vulnerability type: CWE-74: Failure to Sanitize Data into a Different
> Plane ('Injection')
> Vulnerable version: 2.3.0-2.3.14
> Vulnerable component: submission
> Report confidence: Confirmed
> Solution status: Fixed by Vendor
> Fixed version: 2.3.14.1
> Vendor notification: 2021-05-21
> Solution date: 2021-05-22
> Public disclosure: 2021-06-21
> CVE reference: CVE-2021-33515
> CVSS: 4.2 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N)
> Researcher credit: Fabian Ising and Damian Poddebniak of Münster
> University of Applied Sciences
> 
> Vulnerability Details:
> 
> On-path attacker could inject plaintext commands before STARTTLS
> negotiation that would be executed after STARTTLS finished with the
> client. Only the SMTP submission service is affected.
> 
> Risk:
> 
> Attacker can potentially steal user credentials and mails. The
> attacker needs to have sending permissions on the submission server
> (a valid username and password).
> 
> Workaround:
> 
> None.
> 
> Solution:
> 
> Operators should update to 2.3.14.1 or later version.
> 

Centos 7 has no repo with 2.3.15. I am using 2.2.36 (1f10bfa63). Is
this OK?

This is my personal server, hence all the accounts are mine, so it
isn't like I am going to hack myself. 
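An added check, written for this reply and not taken from the advisory or from Dovecot, that compares a `dovecot --version` string against the range the advisory states (vulnerable 2.3.0 through 2.3.14, fixed in 2.3.14.1); `check_local_dovecot` and the status strings are my own names. Versions below 2.3.0, such as the 2.2.36 asked about above, fall outside the stated range, which is all the check says about them.

```python
import re
import subprocess

# Range and fix version exactly as the advisory above states them.
VULNERABLE_FROM = (2, 3, 0)       # "Vulnerable version: 2.3.0-2.3.14"
FIXED_VERSION = (2, 3, 14, 1)     # "Fixed version: 2.3.14.1"


def parse_dovecot_version(text):
    """Pull the numeric version out of `dovecot --version` output.

    Accepts "2.2.36 (1f10bfa63)" or "2.3.14.1"; the git hash in
    parentheses is ignored. Returns a tuple of ints for safe comparison
    (string comparison would rank "2.3.9" above "2.3.14").
    """
    m = re.match(r"\s*(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError("no version number in: %r" % text)
    return tuple(int(p) for p in m.group(1).split("."))


def cve_2021_33515_status(text):
    """Classify a version against the advisory's stated range.

    Tuple comparison makes 2.3.14 < 2.3.14.1 (a shorter prefix sorts
    first), so plain 2.3.14 is correctly reported as vulnerable.
    """
    v = parse_dovecot_version(text)
    if v < VULNERABLE_FROM:
        return "outside stated range"   # e.g. the 2.2.36 asked about above
    if v < FIXED_VERSION:
        return "vulnerable"
    return "fixed"


def check_local_dovecot():
    """Run `dovecot --version` on this host and classify the result."""
    try:
        out = subprocess.run(["dovecot", "--version"], capture_output=True,
                             text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError) as e:
        return "could not run dovecot --version: %s" % e
    return "%s -> %s" % (out.strip(), cve_2021_33515_status(out))


if __name__ == "__main__":
    print(check_local_dovecot())
```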


Re: no shared cipher openssl

2020-11-16 Thread li...@lazygranch.com



On Sun, 15 Nov 2020 17:31:07 -0500
Mike Schroeder  wrote:

> CentOS 7
> Dovecot 2.2.36
> 
> Nov 14 07:13:08 mail dovecot: pop3-login: Disconnected (no auth
> attempts in 0 secs):
> user=<>, rip=73.0.0.0, lip=192.64.118.242, TLS handshaking:
> SSL_accept() failed:
> error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher,
> session=<>
> 
> Was working fine for over a year, until the cert expired and I
> replaced it. I've tried the good cert I have for https and I used the
> Dovecot.org script to generate a self-signed certificate.
> 
> 10-ssl.conf
> ## SSL settings
> #ssl = required
> ssl = yes
> #ssl = no
> ssl_cert =
> ssl_key =
> #ssl_ca =
> #ssl_require_crl = yes
> #ssl_client_ca_dir =
> #ssl_client_ca_file =
> #ssl_verify_client_cert = no
> #ssl_cert_username_field = commonName
> #ssl_dh_parameters_length = 1024
> #ssl_protocols = !SSLv3
> 
> # SSL ciphers to use
> # old values  ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
> ssl_cipher_list =
> ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:
> !RC4:!ADH:!LOW@STRENGTH
> 
> # Prefer the server's order of ciphers over client's.
> #ssl_prefer_server_ciphers = no
> 
> # Prefer the server's order of ciphers over client's.
> #ssl_prefer_server_ciphers = no
> # SSL crypto device to use, for valid values run "openssl engine"
> #ssl_crypto_device =
> 
> # SSL extra options. Currently supported options are:
> #   no_compression - Disable compression.
> #   no_ticket - Disable SSL session tickets.
> #ssl_options =
> 
> ===
> # openssl x509 -dates -in mydomain.com.crt
> notBefore=Nov 11 16:31:35 2020 GMT
> notAfter=Nov 11 16:31:35 2022 GMT
> -BEGIN CERTIFICATE-
>  :
> ===
>  # openssl pkey -in mydomain.com.key
> -BEGIN PRIVATE KEY-
>   :
> 
> Thanks for taking a look.  Any ideas on what I should do next to
> debug?
> 
> Mike

I remembered this problem was posted and still had the reply post from
Viktor. This may or may not be relevant. A search on this text will
probably drag up the whole thread.
---
Specifically, an ECDSA P-256 certificate, but some systems don't (yet?)
support ECDSA.  You'd need an additional RSA certificate to interoperate
with their sending MTA's limited STARTTLS cipher/protocol repertoire.
--

When this thread went around I looked at my logs and found some no
auth complaints on my dovecot log. I believe they were trying to use
the sslv3 to hack my server. Or at least see if it is hackable. Since
my email server is a personal one and the attack was from a hosting
company, I blocked server IP space.

The weird thing is that I get your error now myself, but not consistently.
Here is an example.
---
Nov 16 04:18:37 imap-login: Info: Disconnected (no auth attempts in 0 secs): 
user=<>, rip=myvpn, lip=myserverip, TLS handshaking: SSL_accept() failed: 
error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: 
SSL alert number 46, session=
Nov 16 04:18:37 imap-login: Info: Login: user=, 
method=PLAIN, rip=myvpn, lip=myserverip, mpid=11710, TLS, 
session=

However the problem isn't present at the moment.
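An added log check, my own code rather than anything from this thread or from Dovecot, that pulls the `SSL_accept() failed` lines out of a login-process log and separates the two failures seen above: `no shared cipher` (the client offered nothing the server's certificate and cipher list can use, which is Viktor's ECDSA-only point) from alert 46 `certificate unknown` (the client itself rejected the certificate it was shown). The sample log lines and IP addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the two errors shown in this thread.
SAMPLE_LOG = """\
Nov 14 07:13:08 mail dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=198.51.100.7, lip=192.0.2.10, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher, session=<s1>
Nov 16 04:18:37 imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=203.0.113.5, lip=192.0.2.10, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<s2>
Nov 16 04:18:37 imap-login: Info: Login: user=<me@example.org>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, mpid=11710, TLS, session=<s3>
Nov 16 05:02:11 imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=198.51.100.7, lip=192.0.2.10, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher, session=<s4>
"""

TLS_FAIL = re.compile(
    r"(?P<service>\w+-login): (?:Info: )?Disconnected .*?"
    r"rip=(?P<rip>[^,]+), lip=(?P<lip>[^,]+), TLS handshaking: "
    r"SSL_accept\(\) failed: error:(?P<code>[0-9A-Fa-f]+):SSL routines:"
    r"(?P<func>[^:]+):(?P<reason>[^,]+)"
)

# "no shared cipher": the client offered nothing the server's cert + cipher
# list can use, e.g. an ECDSA-only cert against a client without ECDSA
# support (Viktor's point above); the fix is server-side (add an RSA cert).
SERVER_SIDE = {"no shared cipher"}
# alert 46 "certificate unknown": the handshake got as far as the cert and
# the CLIENT rejected it (expired, wrong chain, untrusted CA, name mismatch).
CLIENT_REJECT = {"sslv3 alert certificate unknown"}


def parse_tls_failures(log_text):
    """Return one dict per SSL_accept() failure line; successful logins are skipped."""
    return [m.groupdict() for m in
            (TLS_FAIL.search(l) for l in log_text.splitlines()) if m]


def classify(failure):
    """Map the OpenSSL reason string to which side has to act."""
    reason = failure["reason"].split(":")[0].strip()
    if reason in SERVER_SIDE:
        return "server cert/cipher mismatch"
    if reason in CLIENT_REJECT:
        return "client rejected server cert"
    return "other: " + reason


def summarize(log_text):
    """Count failures per (classification, remote IP), so a persistent
    mismatch from one client stands out from one-off noise."""
    return Counter((classify(f), f["rip"]) for f in parse_tls_failures(log_text))
```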



10-ssl ssl = no but dovecot still reads certs

2017-06-16 Thread li...@lazygranch.com
I'm bringing up a new email server starting without TLS initially. In
10-ssl.conf I set ssl = no, but the default ssl_cert and ssl_key
lines are not commented out. I got the obvious error message:
--
doveconf: Fatal: Error in configuration
file /usr/local/etc/dovecot/conf.d/10-ssl.conf line 12: ssl_cert: Can't
open file /etc/ssl/certs/dovecot.pem: No such file or
directory /usr/local/etc/rc.d/dovecot: WARNING: failed to start dovecot
--

No big deal, but I don't remember this being an issue the last time I
set up a server. You would think if ssl=no, the ssl_cert and ssl_key
files would not be opened.


Re: Problem with Dovecot and BlackBerry

2017-04-05 Thread li...@lazygranch.com
On Tue, 04 Apr 2017 11:07:26 +
Luca Bertoncello  wrote:

> Hi all,
> 
> i've got a strange behaviour with a BlackBerry Classic Phone (BBOS  
> 10.3.2.2876) in combination with Dovecot 2.2.13 while trying to
> fetch mails.
> 
> Before burying myself into debugging sessions, i try to get an  
> understanding if the following is a Client- or a Server-specific
> error in the behaviour:
> 
> CIGA8 UID FETCH 10009:10035 (UID FLAGS) (CHANGEDSINCE NOMODSEQ)
> CIGA8 BAD Error in IMAP command UID FETCH: Invalid CHANGEDSINCE
> modseq.
> 
> Following the full conversation.
> 
> * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID
> ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN AUTH=DIGEST-MD5
> AUTH=CRAM-MD5] Dovecot on xxx ready.
> CIGA1 CAPABILITY
> * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
> IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5
> CIGA1 OK Pre-login capabilities listed, post-login capabilities have
> more.
> CIGA2 ID ("os" "BlackBerry 10" "os-version" "10.3.2.2876"
> "vendor" "rim" "device" "Classic" "name" "bbimap")
> * ID ("name" "Dovecot")
> CIGA2 OK ID completed.
> CIGA3 LOGIN xxx xxx
> * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
> IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS
> THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT
> CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE
> QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS
> SPECIAL-USE BINARY MOVE
> CIGA3 OK Logged in
> CIGA4 CAPABILITY
> * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
> IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS
> THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT
> CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE
> QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS
> SPECIAL-USE BINARY MOVE
> CIGA4 OK Capability completed.
> CIGA5 LIST "" ""
> * LIST (\Noselect) "." ""
> CIGA5 OK List completed.
> CIGA6 LIST "" "*"
> * LIST (\HasNoChildren) "." folder_a
> * LIST (\HasNoChildren) "." folder_b
> * LIST (\HasNoChildren) "." folder_c
> * LIST (\HasNoChildren) "." sent-mail
> * LIST (\HasNoChildren) "." folder_d
> * LIST (\HasNoChildren) "." folder_e
> * LIST (\HasNoChildren \Trash) "." Trash
> * LIST (\HasNoChildren \Drafts) "." Drafts
> * LIST (\HasNoChildren) "." folder_f
> * LIST (\HasNoChildren) "." folder_g
> * LIST (\HasNoChildren) "." INBOX
> CIGA6 OK List completed.
> CIGA7 SELECT INBOX (CONDSTORE)
> * FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
> * OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)]  
> Flags permitted.
> * 7 EXISTS
> * 0 RECENT
> * OK [UIDVALIDITY 1391686038] UIDs valid
> * OK [UIDNEXT 10036] Predicted next UID
> * OK [HIGHESTMODSEQ 1608] Highest
> CIGA7 OK [READ-WRITE] Select completed (0.000 secs).
> CIGA8 UID FETCH 10009:10035 (UID FLAGS) (CHANGEDSINCE NOMODSEQ)
> CIGA8 BAD Error in IMAP command UID FETCH: Invalid CHANGEDSINCE
> modseq.
> CIGA9 LOGOUT
> * BYE Logging out
> CIGA9 OK Logout completed.
> 
> 
> Thanks in advance!
> 
> Luca Bertoncello
> (lucab...@lucabert.de)

Is that the dovecot.log file?

Here is what I get:

# dovecot --version
2.2.28 (bed8434)

bbos 10.3.3.2205


Sanitized log file below. I'd appreciate the moderator removing my post
if I let something slip.

Apr 06 04:01:02 imap-login: Info: Login: user=, 
method=PLAIN, rip=myip, lip=myserver, mpid=77887, TLS, session=
Apr 06 04:01:02 imap(m...@mydomain.com): Debug: Added userdb setting: 
plugin/=yes
Apr 06 04:01:02 imap(m...@mydomain.com): Debug: Effective uid=1003, gid=1003, 
home=/var/mail/vhosts/mydomain.com/me
Apr 06 04:01:02 imap(m...@mydomain.com): Debug: Namespace inbox: type=private, 
prefix=, sep=, inbox=yes, hidden=no, list=yes, subscriptions=yes 
location=maildir:~
Apr 06 04:01:02 imap(m...@mydomain.com): Debug: maildir++: 
root=/var/mail/vhosts/mydomain.com/me, index=, indexpvt=, control=, 
inbox=/var/mail/vhosts/mydomain.com/me, alt=
Apr 06 04:01:04 auth: Debug: client in: AUTH1   PLAIN   service=imap
secured session=differentcharslip=myserver rip=myip   lport=143
rport=47037 local_name=www.mydomain.com   resp=lotsofchars= (previous 
base64 data may contain sensitive data)
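An added illustration of why the BAD in the transcript above is the correct server answer; this is my own code, not Dovecot's parser. RFC 7162 defines CHANGEDSINCE as taking a mod-sequence number (a positive 63-bit integer), while NOMODSEQ is a response code the server sends for a mailbox without modseqs, so a client sending `CHANGEDSINCE NOMODSEQ` is at fault. The reply strings mimic the Dovecot wording in the transcript but are simplified.

```python
import re

# RFC 7162: mod-sequence-value = 1*DIGIT, a positive unsigned 63-bit integer.
MAX_MODSEQ = 2 ** 63 - 1

UID_FETCH = re.compile(
    r"^(?P<tag>\S+) UID FETCH (?P<set>\S+) \((?P<items>[^)]*)\)"
    r"(?: \((?P<mods>[^)]*)\))?$", re.IGNORECASE
)


def valid_modseq(token):
    """CHANGEDSINCE takes a number. NOMODSEQ is a response code the server
    sends when a mailbox has no modseqs; it is never a valid client argument."""
    return re.fullmatch(r"[0-9]+", token) is not None and 1 <= int(token) <= MAX_MODSEQ


def validate_uid_fetch(line):
    """Return the tagged reply a server should give for one UID FETCH line.

    The sequence set and item list are accepted as-is; only the modifier
    list is checked. Illustration of the syntax rule, not Dovecot's parser.
    """
    line = line.strip()
    tag = line.split(" ", 1)[0] or "*"
    m = UID_FETCH.match(line)
    if not m:
        return f"{tag} BAD Error in IMAP command UID FETCH: Invalid arguments."
    mods = (m.group("mods") or "").split()
    saw_changedsince = saw_vanished = False
    i = 0
    while i < len(mods):
        name = mods[i].upper()
        if name == "CHANGEDSINCE":
            if i + 1 >= len(mods) or not valid_modseq(mods[i + 1]):
                return f"{tag} BAD Error in IMAP command UID FETCH: Invalid CHANGEDSINCE modseq."
            saw_changedsince, i = True, i + 2
        elif name == "VANISHED":          # RFC 7162 flag modifier, no argument
            saw_vanished, i = True, i + 1
        else:
            return f"{tag} BAD Error in IMAP command UID FETCH: Unknown modifier {name}."
    if saw_vanished and not saw_changedsince:   # RFC 7162: VANISHED needs CHANGEDSINCE
        return f"{tag} BAD Error in IMAP command UID FETCH: VANISHED requires CHANGEDSINCE."
    return f"{tag} OK Fetch completed."
```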


OP/PSA: Net Systems Research mail port diddlers

2017-01-05 Thread li...@lazygranch.com
http://netsystemsresearch.com/

dovecot.log.1.bz2:Jan 05 17:28:15 pop3-login: Info: Disconnected (no auth 
attempts in 3 secs): user=<>, rip=169.54.233.124, lip=MYIP, TLS handshaking: 
Disconnected, session=

Their "research" pokes your email ports. Block if you want or
participate in the (cough cough) research.

IP addresses and opt-out email address on webpage.