Re: Dovecot book for a newbie
On Wed, 07 Jul 2021 10:04:06 -0700 techli...@phpcoderusa.com wrote:

> Hi,
>
> Please recommend a Dovecot book for a newbie... I have a fair amount
> of Linux PHP hosting experience - LAMP virtual host configurations.
> I'm new to BIND, Postfix, and Dovecot.
>
> I'm running Ubuntu 20.04lts.
>
> I have a test server almost working. Can send but not receive.
> Would like to understand more. I'm guessing it is a Zone (MX) / SSL
> / Client configuration issue.
>
> Thanks in advance!!

I used this person's blog when I set up my servers. Unfortunately he only has guides for centos and freebsd but it is worth checking out. I think the odds of me setting up an email server from just the manuals would be zero, keyword me. But ubuntu versus centos should just be a packaging issue.

https://blog.andreev.it/?p=1975

I recall it being correct but not complete regarding postfix. I don't recall any Dovecot issue. It is 99% there. What I like is the guide provides a test at each step.

I advise you to start out small and add features later or never. After being hacked via RoundCube when I used a hosting service I am a firm believer in keeping the attack surface small. If this is a personal server (as is mine) I wouldn't even bother with spamassassin. You can stop much spam simply via Postfix.

What this guide lacks is a number of milters for postfix required for DKIM and DMARC. Also I would set up the server using "submission" (port 587) since that allows for geofencing all the email ports other than 25, again presuming this is a personal server where geofencing would be appropriate.

There are a number of websites that can test your email server. For instance you wouldn't want to mistakenly be an open relay. They will also help with verifying all the identification features are proper. The deal with an email server is you need to look legit because the world is out to block you.

In fact there are some ISPs that will simply reject your email until you contact them to get "allow listed". Some like Spectrum will never accept email from some VPS. [Sheer incompetence.]

Lastly my personal philosophy is to make no element of the email server programmable via a browser. I do everything via ssh and cli. This makes life hard for the hackers.
Re: CVE-2021-33515: SMTP Submission service STARTTLS injection
On Mon, 21 Jun 2021 13:51:30 +0200 Timo Sirainen wrote:

> Open-Xchange Security Advisory 2021-06-21
>
> Product: Dovecot
> Vendor: OX Software GmbH
> Internal reference: DOV-4583 (Bug ID)
> Vulnerability type: CWE-74: Failure to Sanitize Data into a Different Plane ('Injection')
> Vulnerable version: 2.3.0-2.3.14
> Vulnerable component: submission
> Report confidence: Confirmed
> Solution status: Fixed by Vendor
> Fixed version: 2.3.14.1
> Vendor notification: 2021-05-21
> Solution date: 2021-05-22
> Public disclosure: 2021-06-21
> CVE reference: CVE-2021-33515
> CVSS: 4.2 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N)
> Researcher credit: Fabian Ising and Damian Poddebniak of Münster University of Applied Sciences
>
> Vulnerability Details:
>
> On-path attacker could inject plaintext commands before STARTTLS
> negotiation that would be executed after STARTTLS finished with the
> client. Only the SMTP submission service is affected.
>
> Risk:
>
> Attacker can potentially steal user credentials and mails. The
> attacker needs to have sending permissions on the submission server
> (a valid username and password).
>
> Workaround:
>
> None.
>
> Solution:
>
> Operators should update to 2.3.14.1 or later version.

Centos 7 has no repo with 2.3.15. I am using 2.2.36 (1f10bfa63). Is this OK? This is my personal server, hence all the accounts are mine, so it isn't like I am going to hack myself.
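The defect class in the advisory, in miniature, as an added example that is not Dovecot's code and not the vendor's actual fix: a toy SMTP submission command loop is fed constructed traffic, once keeping and once discarding the plaintext read buffer when STARTTLS is processed. The buffer discard is the mitigation modelled here; the function names and the traffic strings are assumptions of the example, and nothing touches the network or a TLS library.

```python
# Added example, not Dovecot's code: a minimal model of an SMTP submission
# command loop, showing how plaintext bytes buffered before STARTTLS can end
# up executed inside the TLS session, and the mitigation of discarding that
# buffer. All traffic below is constructed; nothing touches the network.
from dataclasses import dataclass, field


@dataclass
class Session:
    tls: bool = False
    buffer: bytes = b""                             # received, not yet parsed
    executed: list = field(default_factory=list)    # (command line, ran inside TLS?)


def _next_line(sess):
    """Pop one CRLF-terminated line from the read buffer; None if incomplete."""
    idx = sess.buffer.find(b"\r\n")
    if idx < 0:
        return None
    line, sess.buffer = sess.buffer[:idx], sess.buffer[idx + 2:]
    return line.decode("ascii", "replace")


def run_server(plaintext_bytes, tls_bytes, flush_on_starttls):
    """Process bytes that arrived before the handshake, then bytes that arrive
    as decrypted application data, and record which commands ran in which
    state. flush_on_starttls=False models the vulnerable behaviour."""
    sess = Session(buffer=plaintext_bytes)
    pending_tls = tls_bytes
    while True:
        line = _next_line(sess)
        if line is None:
            if sess.tls and pending_tls is not None:
                sess.buffer += pending_tls      # data read from the TLS layer
                pending_tls = None
                continue
            break
        verb = line.split(" ", 1)[0].upper()
        if verb == "STARTTLS" and not sess.tls:
            # The handshake happens here. Anything still in the buffer was
            # read from the plaintext socket and cannot be trusted; the
            # mitigation modelled here is to throw it away.
            if flush_on_starttls:
                sess.buffer = b""
            sess.tls = True
            continue
        sess.executed.append((line, sess.tls))
        if verb == "QUIT":
            break
    return sess.executed


# Constructed traffic: the client sends EHLO and STARTTLS; an on-path party
# appends one extra plaintext line to the same segment. After the handshake
# the real client authenticates and quits.
CLIENT_PLAINTEXT = b"EHLO client.example\r\nSTARTTLS\r\n"
INJECTED_PLAINTEXT = b"NOOP injected-before-handshake\r\n"
CLIENT_INSIDE_TLS = b"AUTH PLAIN <base64-omitted>\r\nQUIT\r\n"


def commands_run_inside_tls(flush_on_starttls):
    """Which command lines the server executed after the handshake."""
    trace = run_server(CLIENT_PLAINTEXT + INJECTED_PLAINTEXT,
                       CLIENT_INSIDE_TLS, flush_on_starttls)
    return [line for line, inside_tls in trace if inside_tls]


if __name__ == "__main__":
    print("buffer kept:     ", commands_run_inside_tls(False))
    print("buffer discarded:", commands_run_inside_tls(True))
```

With the buffer kept, the line that arrived in plaintext is executed after the handshake, which is the behaviour the advisory describes; with it discarded, only what the client sent inside TLS runs. A regression test for this class of bug asserts on exactly that trace.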
Re: no shared cipher openssl
On Sun, 15 Nov 2020 17:31:07 -0500 Mike Schroeder wrote:

> CentOS 7
> Dovecot 2.2.36
>
> Nov 14 07:13:08 mail dovecot: pop3-login: Disconnected (no auth attempts in 0 secs):
> user=<>, rip=73.0.0.0, lip=192.64.118.242, TLS handshaking:
> SSL_accept() failed:
> error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher,
> session=<>
>
> Was working fine for over a year, until the cert expired and I
> replaced it. I've tried the good cert I have for https and I used the
> Dovecot.org script to generate a self-signed certificate.
>
> 10-ssl.conf
> ## SSL settings
> #ssl = required
> ssl = yes
> #ssl = no
> ssl_cert =
> ssl_key =
> #ssl_ca =
> #ssl_require_crl = yes
> #ssl_client_ca_dir =
> #ssl_client_ca_file =
> #ssl_verify_client_cert = no
> #ssl_cert_username_field = commonName
> #ssl_dh_parameters_length = 1024
> #ssl_protocols = !SSLv3
>
> # SSL ciphers to use
> # old values ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
> ssl_cipher_list =
> ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:
> !RC4:!ADH:!LOW@STRENGTH
>
> # Prefer the server's order of ciphers over client's.
> #ssl_prefer_server_ciphers = no
>
> # Prefer the server's order of ciphers over client's.
> #ssl_prefer_server_ciphers = no
> # SSL crypto device to use, for valid values run "openssl engine"
> #ssl_crypto_device =
>
> # SSL extra options. Currently supported options are:
> # no_compression - Disable compression.
> # no_ticket - Disable SSL session tickets.
> #ssl_options =
>
> ===
> # openssl x509 -dates -in mydomain.com.crt
> notBefore=Nov 11 16:31:35 2020 GMT
> notAfter=Nov 11 16:31:35 2022 GMT
> -BEGIN CERTIFICATE-
> :
> ===
> # openssl pkey -in mydomain.com.key
> -BEGIN PRIVATE KEY-
> :
>
> Thanks for taking a look. Any ideas on what I should do next to
> debug?
>
> Mike

I remembered this problem was posted and still had the reply post from Viktor. This may or may not be relevant. A search on this text will probably drag up the whole thread.

---
Specifically, an ECDSA P-256 certificate, but some systems don't (yet?) support ECDSA. You'd need an additional RSA certificate to interoperate with their sending MTA's limited STARTTLS cipher/protocol repertoire.
--

When this thread went around I looked at my logs and found some no auth complaints on my dovecot log. I believe they were trying to use sslv3 to hack my server. Or at least see if it is hackable. Since my email server is a personal one and the attack was from a hosting company, I blocked the server's IP space.

The weird thing is I get your error now myself but not consistently. Here is an example.

---
Nov 16 04:18:37 imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=myvpn, lip=myserverip, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=
Nov 16 04:18:37 imap-login: Info: Login: user=, method=PLAIN, rip=myvpn, lip=myserverip, mpid=11710, TLS, session=
---

However the problem isn't present at the moment.
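As an added example, not from the thread and not Dovecot code, the following Python uses the ssl module (and therefore the local OpenSSL) to list what the posted ssl_cipher_list actually enables and to reproduce the "no shared cipher" condition as a set intersection: the suites the server can use given its certificate's key type, against the suites the client offers. The function names and the sample client offers are the example's own assumptions; the exact suite names returned depend on the OpenSSL build.

```python
# Added example, not from the thread or from Dovecot: uses Python's ssl
# module (OpenSSL underneath) to show which suites a Dovecot ssl_cipher_list
# enables and why a server can still answer "no shared cipher" when the
# certificate's key type does not match what the client offers.
import re
import ssl

# The ssl_cipher_list posted in the thread.
DOVECOT_CIPHER_LIST = (
    "ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:"
    "!RC4:!ADH:!LOW@STRENGTH"
)

# OpenSSL's cipher description line carries "Kx=<key exchange> Au=<auth>".
_KX_AU = re.compile(r"Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)")


def enabled_suites(cipher_spec):
    """Return [(name, key_exchange, authentication)] for the pre-TLS-1.3
    suites OpenSSL enables for cipher_spec. TLS 1.3 suites are governed by a
    separate setting and are left out."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_spec)
    out = []
    for c in ctx.get_ciphers():
        if c["protocol"] == "TLSv1.3":
            continue
        m = _KX_AU.search(c["description"])
        if m:
            out.append((c["name"], m.group("kx"), m.group("au")))
    return out


def auth_types(cipher_spec):
    """Certificate key types the list can authenticate with (RSA, ECDSA, ...)."""
    return sorted({au for _, _, au in enabled_suites(cipher_spec)})


def key_exchange_types(cipher_spec):
    """Key exchange methods left enabled; !kRSA should remove plain RSA."""
    return sorted({kx for _, kx, _ in enabled_suites(cipher_spec)})


def suites_usable_with_cert(cipher_spec, cert_key_type):
    """Only suites whose authentication matches the server certificate's
    key type ("RSA" or "ECDSA") can actually be negotiated."""
    return sorted(n for n, _, au in enabled_suites(cipher_spec) if au == cert_key_type)


def negotiable(server_spec, cert_key_type, client_spec):
    """Suites both sides could agree on. An empty result is exactly the
    situation OpenSSL reports as 'no shared cipher'."""
    server_ok = set(suites_usable_with_cert(server_spec, cert_key_type))
    client_ok = {n for n, _, _ in enabled_suites(client_spec)}
    return sorted(server_ok & client_ok)


if __name__ == "__main__":
    print("auth types:", auth_types(DOVECOT_CIPHER_LIST))
    print("key exchange:", key_exchange_types(DOVECOT_CIPHER_LIST))
    # Constructed client offers: one RSA-only client, one that also does ECDSA.
    for cert in ("RSA", "ECDSA"):
        print(cert, "cert vs RSA-only client:",
              negotiable(DOVECOT_CIPHER_LIST, cert, "ECDHE-RSA-AES128-GCM-SHA256"))
```

Viktor's point applies directly: with an ECDSA certificate only Au=ECDSA suites are negotiable, so a client that offers nothing but ECDHE-RSA suites produces the log line Mike posted even though the cipher list itself is fine; an RSA certificate (or both, which Dovecot supports via alternative certificate settings) makes the intersection non-empty. From the shell, openssl ciphers -v '<list>' prints the same table the functions above are built from.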
10-ssl ssl = no but dovecot still reads certs
I'm bringing up a new email server starting without TLS initially. In 10-ssl.conf I set ssl = no, but the default ssl_cert and ssl_key lines are not commented out. I got the obvious error message:

--
doveconf: Fatal: Error in configuration file /usr/local/etc/dovecot/conf.d/10-ssl.conf line 12: ssl_cert: Can't open file /etc/ssl/certs/dovecot.pem: No such file or directory
/usr/local/etc/rc.d/dovecot: WARNING: failed to start dovecot
--

No big deal, but I don't remember this being an issue the last time I set up a server. You would think if ssl=no, the ssl_cert and ssl_key files would not be opened.
Re: Problem with Dovecot and BlackBerry
On Tue, 04 Apr 2017 11:07:26 + Luca Bertoncello wrote:

> Hi all,
>
> I've got a strange behaviour with a BlackBerry Classic Phone (BBOS
> 10.3.2.2876) in combination with Dovecot 2.2.13 while trying to
> fetch mails.
>
> Before burying myself into debugging sessions, I try to get an
> understanding if the following is a Client- or a Server-specific
> error in the behaviour:
>
> CIGA8 UID FETCH 10009:10035 (UID FLAGS) (CHANGEDSINCE NOMODSEQ)
> CIGA8 BAD Error in IMAP command UID FETCH: Invalid CHANGEDSINCE modseq.
>
> Following the full conversation.
>
> * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5] Dovecot on xxx ready.
> CIGA1 CAPABILITY
> * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5
> CIGA1 OK Pre-login capabilities listed, post-login capabilities have more.
> CIGA2 ID ("os" "BlackBerry 10" "os-version" "10.3.2.2876" "vendor" "rim" "device" "Classic" "name" "bbimap")
> * ID ("name" "Dovecot")
> CIGA2 OK ID completed.
> CIGA3 LOGIN xxx xxx
> * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS SPECIAL-USE BINARY MOVE
> CIGA3 OK Logged in
> CIGA4 CAPABILITY
> * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS SPECIAL-USE BINARY MOVE
> CIGA4 OK Capability completed.
> CIGA5 LIST "" ""
> * LIST (\Noselect) "." ""
> CIGA5 OK List completed.
> CIGA6 LIST "" "*"
> * LIST (\HasNoChildren) "." folder_a
> * LIST (\HasNoChildren) "." folder_b
> * LIST (\HasNoChildren) "." folder_c
> * LIST (\HasNoChildren) "." sent-mail
> * LIST (\HasNoChildren) "." folder_d
> * LIST (\HasNoChildren) "." folder_e
> * LIST (\HasNoChildren \Trash) "." Trash
> * LIST (\HasNoChildren \Drafts) "." Drafts
> * LIST (\HasNoChildren) "." folder_f
> * LIST (\HasNoChildren) "." folder_g
> * LIST (\HasNoChildren) "." INBOX
> CIGA6 OK List completed.
> CIGA7 SELECT INBOX (CONDSTORE)
> * FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
> * OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] Flags permitted.
> * 7 EXISTS
> * 0 RECENT
> * OK [UIDVALIDITY 1391686038] UIDs valid
> * OK [UIDNEXT 10036] Predicted next UID
> * OK [HIGHESTMODSEQ 1608] Highest
> CIGA7 OK [READ-WRITE] Select completed (0.000 secs).
> CIGA8 UID FETCH 10009:10035 (UID FLAGS) (CHANGEDSINCE NOMODSEQ)
> CIGA8 BAD Error in IMAP command UID FETCH: Invalid CHANGEDSINCE modseq.
> CIGA9 LOGOUT
> * BYE Logging out
> CIGA9 OK Logout completed.
>
>
> Thanks in advance!
>
> Luca Bertoncello
> (lucab...@lucabert.de)

Is that the dovecot.log file? Here is what I get:

# dovecot --version
2.2.28 (bed8434)

bbos 10.3.3.2205

Sanitized log file below. I'd appreciate the moderator removing my post if I let something slip.

Apr 06 04:01:02 imap-login: Info: Login: user= , method=PLAIN, rip=myip, lip=myserver, mpid=77887, TLS, session=
Apr 06 04:01:02 imap(m...@mydomain.com): Debug: Added userdb setting: plugin/=yes
Apr 06 04:01:02 imap(m...@mydomain.com): Debug: Effective uid=1003, gid=1003, home=/var/mail/vhosts/mydomain.com/me
Apr 06 04:01:02 imap(m...@mydomain.com): Debug: Namespace inbox: type=private, prefix=, sep=, inbox=yes, hidden=no, list=yes, subscriptions=yes location=maildir:~
Apr 06 04:01:02 imap(m...@mydomain.com): Debug: maildir++: root=/var/mail/vhosts/mydomain.com/me, index=, indexpvt=, control=, inbox=/var/mail/vhosts/mydomain.com/me, alt=
Apr 06 04:01:04 auth: Debug: client in: AUTH1 PLAIN service=imap secured session=differentchars lip=myserver rip=myip lport=143 rport=47037 local_name=www.mydomain.com resp=lotsofchars= (previous base64 data may contain sensitive data)
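A parser for the modifier that draws the BAD in the transcript, as an added example and not Dovecot's implementation: it applies the RFC 7162 (CONDSTORE) grammar, where the CHANGEDSINCE argument is a decimal mod-sequence value from 1 to 2^63-1, while NOMODSEQ is a response code a server may send in its SELECT reply and never something a client passes as an argument. Rejecting 0 follows the RFC grammar rather than any particular server's leniency; the function names are the example's own.

```python
# Added example, not Dovecot's parser: validates the CHANGEDSINCE modifier of
# a UID FETCH command per RFC 7162, to show why the command in the transcript
# draws a BAD reply regardless of which server receives it.
import re

MAX_MODSEQ = 2**63 - 1   # mod-sequence-value: 1 .. 9,223,372,036,854,775,807

# TAG UID FETCH <sequence-set> <items-or-macro> [(modifiers)]
_UID_FETCH = re.compile(
    r"^(?P<tag>\S+) UID FETCH (?P<set>\S+) "
    r"(?:\((?P<items>[^)]*)\)|(?P<macro>\S+))"
    r"(?: \((?P<mods>[^)]*)\))?$",
    re.IGNORECASE,
)


def validate_uid_fetch(line):
    """Return (tag, changedsince, error). error is the BAD text a server
    should send, or None when the modifiers are acceptable."""
    m = _UID_FETCH.match(line.strip())
    if not m:
        return None, None, "Error in IMAP command UID FETCH: syntax error"
    tag = m.group("tag")
    mods = (m.group("mods") or "").split()
    changedsince = None
    i = 0
    while i < len(mods):
        name = mods[i].upper()
        if name == "CHANGEDSINCE":
            # The argument must be a decimal mod-sequence value. "NOMODSEQ"
            # is a response code the server may send in SELECT; it is never
            # a valid client argument, so the BlackBerry's command is malformed.
            arg = mods[i + 1] if i + 1 < len(mods) else ""
            if not arg.isdigit() or not 1 <= int(arg) <= MAX_MODSEQ:
                return tag, None, "Error in IMAP command UID FETCH: Invalid CHANGEDSINCE modseq."
            changedsince = int(arg)
            i += 2
        elif name == "VANISHED":
            i += 1   # QRESYNC modifier, takes no argument
        else:
            return tag, None, f"Error in IMAP command UID FETCH: Unknown modifier {mods[i]}"
    return tag, changedsince, None


def reply_for(line):
    """Tagged response line a server would send for the modifier check."""
    tag, _, error = validate_uid_fetch(line)
    if error:
        return f"{tag or '*'} BAD {error}"
    return f"{tag} OK modifiers accepted"


if __name__ == "__main__":
    # The command from the transcript, then a well-formed one using the
    # HIGHESTMODSEQ the server announced in SELECT.
    print(reply_for("CIGA8 UID FETCH 10009:10035 (UID FLAGS) (CHANGEDSINCE NOMODSEQ)"))
    print(reply_for("CIGA8 UID FETCH 10009:10035 (UID FLAGS) (CHANGEDSINCE 1608)"))
```

Because the server announced HIGHESTMODSEQ 1608 in the SELECT reply, a CONDSTORE client is expected to pass a number it previously stored (or 1 on first sync); the transcript's argument fails before the mailbox is consulted at all, which is why the reply is BAD rather than NO.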
OP/PSA: Net Systems Research mail port diddlers
http://netsystemsresearch.com/

dovecot.log.1.bz2:Jan 05 17:28:15 pop3-login: Info: Disconnected (no auth attempts in 3 secs): user=<>, rip=169.54.233.124, lip=MYIP, TLS handshaking: Disconnected, session=

Their "research" pokes your email ports. Block if you want or participate in the (cough cough) research. IP addresses and opt-out email address on webpage.
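A small triage pass over dovecot login-process log lines like the one above and the ones quoted in the "no shared cipher" thread, as an added example that is not from either thread or from Dovecot. It buckets TLS handshake failures by the OpenSSL reason field (so a server-side "no shared cipher" is not confused with a client that rejected the certificate) and lists source addresses that only ever connect without authenticating, which is the pattern a port prober leaves behind. The sample lines are constructed in the two layouts seen on this page, with addresses from documentation ranges; the function names are the example's own.

```python
# Added example, not from the threads on this page: triage of dovecot
# imap-login/pop3-login lines into handshake-failure reasons per remote IP,
# plus a list of addresses that never get past the handshake.
import re
from collections import Counter, defaultdict

# Constructed sample lines in the two layouts seen on the page (syslog-style
# and dovecot's own log); addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Nov 14 07:13:08 mail dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=198.51.100.7, lip=192.0.2.10, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher, session=<s1>
Nov 16 04:18:37 imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=203.0.113.5, lip=192.0.2.10, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<s2>
Nov 16 04:18:37 imap-login: Info: Login: user=<me@example.test>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, mpid=11710, TLS, session=<s3>
Jan 05 17:28:15 pop3-login: Info: Disconnected (no auth attempts in 3 secs): user=<>, rip=198.51.100.77, lip=192.0.2.10, TLS handshaking: Disconnected, session=<s4>
Jan 05 17:28:20 imap-login: Info: Disconnected (no auth attempts in 2 secs): user=<>, rip=198.51.100.77, lip=192.0.2.10, TLS handshaking: Disconnected, session=<s5>
"""

_DISCONNECT = re.compile(
    r"(?P<proc>(?:imap|pop3)-login): (?:Info: )?Disconnected \(no auth attempts in \d+ secs\): "
    r"user=<(?P<user>[^>]*)>, rip=(?P<rip>[^,]+), lip=(?P<lip>[^,]+), "
    r"TLS handshaking: (?P<detail>.*?)(?:, session=.*)?$"
)
_LOGIN = re.compile(
    r"(?P<proc>(?:imap|pop3)-login): (?:Info: )?Login: user=<(?P<user>[^>]*)>, "
    r"method=(?P<method>\w+), rip=(?P<rip>[^,]+)"
)
# error:<code>:<library>:<function>:<reason>[: extra]
_OPENSSL_ERR = re.compile(r"error:[0-9A-Fa-f]+:[^:]+:[^:]+:(?P<reason>[^:,]+)")


def handshake_reason(detail):
    """Reduce an OpenSSL error string to its reason field; other details
    (for example the bare 'Disconnected') are returned unchanged."""
    m = _OPENSSL_ERR.search(detail)
    return m.group("reason").strip() if m else detail.strip()


def summarize(lines):
    """Per remote IP: Counter of handshake-failure reasons and login count."""
    per_ip = defaultdict(lambda: {"failures": Counter(), "logins": 0})
    for line in lines:
        m = _DISCONNECT.search(line)
        if m:
            per_ip[m.group("rip")]["failures"][handshake_reason(m.group("detail"))] += 1
            continue
        m = _LOGIN.search(line)
        if m:
            per_ip[m.group("rip")]["logins"] += 1
    return dict(per_ip)


def probe_candidates(lines, min_hits=2):
    """IPs that repeatedly start a TLS handshake and drop without ever
    authenticating. A failure followed by a login from the same IP (the VPN
    case in the earlier thread) is a client retry, not a probe."""
    return sorted(
        ip for ip, s in summarize(lines).items()
        if s["logins"] == 0 and sum(s["failures"].values()) >= min_hits
    )


if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG.splitlines()).items():
        print(ip, dict(s["failures"]), "logins:", s["logins"])
    print("probe candidates:", probe_candidates(SAMPLE_LOG.splitlines()))
```

The reason bucket tells you who has to act: "no shared cipher" is a server configuration or certificate-type problem, "certificate unknown" (alert 46) is the client refusing the server's certificate, and a bare "Disconnected" with no authentication attempt from the same address over and over is what a scanner looks like and is the list worth feeding into a firewall rule or fail2ban jail.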