Re: cyrus 2.4.17 TLS woes

2015-01-15 Thread Patrick Goetz
On 01/15/2015 10:04 AM, Wolfgang Breyha wrote:
 Maybe
 https://bettercrypto.org/
 is of help.


Thanks for both writing and sharing that document.  Unfortunately it 
only has this to say about cyrus-imap:

-
Limiting the ciphers provided may force (especially older) clients to 
connect without encryption at all! Sticking to the defaults is recommended

If you still want to force strong encryption use

tls_cipher_list: 
EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+\ 
aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!\
eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-\
SHA:CAMELLIA128-SHA:AES128-SHA
-


OK, but then what is the default?  The imapd.conf man page only tells us 
this:

tls_cipher_list: DEFAULT

I guess my real concern is recent SSL exploits.  Maybe if I'm only using 
STARTTLS this isn't a worry anyway?


Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus


Re: cyrus 2.4.17 TLS woes

2015-01-15 Thread Wolfgang Breyha
Patrick Goetz wrote on 15/01/15 13:34:
 Does anyone have a secure, functional cipher list entry they'd like to 
 share?

Maybe
https://bettercrypto.org/
is of help.

This document includes not only cyrus-imapd.

Greetings, Wolfgang
-- 
Wolfgang Breyha wbre...@gmx.net | http://www.blafasel.at/
Vienna University Computer Center | Austria




cyrus 2.4.17 -- file descriptor limit set to -1?

2015-01-15 Thread Patrick Goetz
I'm firing up cyrus 2.4.17 for the first time on a new platform (Arch 
linux w/ systemd) and noticed the following error message (running 
journalctl -u cyrus-master):

Jan 15 04:08:50 ibis cyrus/master[701]: setrlimit: Unable to set file 
descriptors limit to -1: Operation not permitted
Jan 15 04:08:50 ibis cyrus/master[701]: retrying with 4096 (current max)


Apparently the cyrus master process is trying to set the file descriptor 
limit to -1?  Is it even legal to use -1 as infinity in this context? 
According to the setrlimit man page:

The soft limit is the value that the kernel enforces for the 
corresponding resource. The hard limit acts as a ceiling for the soft 
limit: an unprivileged process may only set its soft limit to a value in 
the range from 0 up to the hard limit, and (irreversibly) lower its hard 
limit. A privileged process (under Linux: one with the CAP_SYS_RESOURCE 
capability) may make arbitrary changes to either limit value.

The value RLIM_INFINITY denotes no limit on a resource (both in the 
structure returned by getrlimit() and in the structure passed to 
setrlimit()).


BTW, off topic and perhaps feeding some trolls, I'm really liking 
systemd so far; in part because it's alerting me to minor 
misconfiguration errors that I've had around for years but wasn't aware of.




Re: cyrus 2.4.17 -- file descriptor limit set to -1?

2015-01-15 Thread Geoff Winkless
RLIM_INFINITY is defined as ~0ULL, at least on my system. If it's cast to a
signed value, that will come out at -1, no?

My problem with systemd isn't that it doesn't work, it's that it's
all-pervasive and viral, and forces people who've been using standard unix
mechanisms for 20 years to learn something completely different for no
visible concrete advantage.

As a user rather than a sysadmin it seems I have to spend most of my time
learning new ways to do exactly the same things without gaining anything.
Frankly I'm past the point where I want to fiddle with Linux for hours to
make it do what I want. But that seems to be the Linux Way these days, see
eg ip vs ifconfig, iptables vs ipchains, &c &c &c.

On 15 January 2015 at 11:04, Patrick Goetz pgo...@mail.utexas.edu wrote:

 I'm firing up cyrus 2.4.17 for the first time on a new platform (Arch
 linux w/ systemd) and noticed the following error message (running
 journalctl -u cyrus-master):

 Jan 15 04:08:50 ibis cyrus/master[701]: setrlimit: Unable to set file
 descriptors limit to -1: Operation not permitted
 Jan 15 04:08:50 ibis cyrus/master[701]: retrying with 4096 (current max)


 Apparently the cyrus master process is trying to set the file descriptor
 limit to -1?  Is it even legal to use -1 as infinity in this context?
 According to the setrlimit man page:
 
 The soft limit is the value that the kernel enforces for the
 corresponding resource. The hard limit acts as a ceiling for the soft
 limit: an unprivileged process may only set its soft limit to a value in
 the range from 0 up to the hard limit, and (irreversibly) lower its hard
 limit. A privileged process (under Linux: one with the CAP_SYS_RESOURCE
 capability) may make arbitrary changes to either limit value.

 The value RLIM_INFINITY denotes no limit on a resource (both in the
 structure returned by getrlimit() and in the structure passed to
 setrlimit()).
 

 BTW, off topic and perhaps feeding some trolls, I'm really liking
 systemd so far; in part because it's alerting me to minor
 misconfiguration errors that I've had around for years but wasn't aware of.

 


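The -1 in the journal entry is RLIM_INFINITY printed through a signed format, as Geoff describes. The following added example (my own code, not cyrus master's) reproduces the same sequence on RLIMIT_NOFILE: ask for RLIM_INFINITY, and on EPERM fall back to the hard limit the kernel already permits, which is what "retrying with 4096 (current max)" amounts to. The function names are mine.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>

/* Lift the open-file soft limit as far as the kernel allows.
 * First try "unlimited"; an unprivileged process gets EPERM when that
 * exceeds its hard limit (and even root gets EPERM above fs.nr_open),
 * so fall back to the current hard limit, which is always permitted.
 * Returns 0 on success, -1 if even the fallback fails; *applied gets
 * the soft limit that ended up in force. */
int raise_nofile_limit(rlim_t *applied)
{
    struct rlimit rl;
    rlim_t hard;

    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return -1;
    hard = rl.rlim_max;

    rl.rlim_cur = RLIM_INFINITY;
    rl.rlim_max = RLIM_INFINITY;
    if (setrlimit(RLIMIT_NOFILE, &rl) == 0) {
        *applied = RLIM_INFINITY;
        return 0;
    }
    if (errno != EPERM)
        return -1;

    /* Same shape as the journal line: "%d" turns RLIM_INFINITY into -1 */
    fprintf(stderr, "setrlimit: Unable to set file descriptors limit to %d: %s\n",
            (int)RLIM_INFINITY, strerror(errno));
    fprintf(stderr, "retrying with %llu (current max)\n",
            (unsigned long long)hard);

    rl.rlim_cur = hard;   /* soft == hard: allowed without privilege */
    rl.rlim_max = hard;
    if (setrlimit(RLIMIT_NOFILE, &rl) != 0)
        return -1;
    *applied = hard;
    return 0;
}

/* The cast Geoff describes: all bits set, read back as a signed int. */
int infinity_as_int(void)
{
    return (int)RLIM_INFINITY;
}

int main(void)
{
    rlim_t applied = 0;
    if (raise_nofile_limit(&applied) != 0) {
        perror("raise_nofile_limit");
        return 1;
    }
    printf("open-file soft limit now %llu\n", (unsigned long long)applied);
    return 0;
}
```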

cyrus 2.4.17 TLS woes

2015-01-15 Thread Patrick Goetz
So, perhaps unsurprisingly, TLS is giving me problems.  I'm trying to 
enforce allowplaintext: no  and am running into some issues with ciphers.

I started with this cipher list:

 tls_cipher_list: TLSv1.2+HIGH:!aNULL:@STRENGTH

and got this error:

 no shared cipher in SSL_accept() - fail

After a little googling I tried:

 tls_cipher_list: !SSlv2:!SSLv3:!aNULL:@STRENGTH


Something like that apparently works for dovecot, but just failed 
completely:

 TLS server engine: cannot load cipher list 
'!SSlv2:!SSLv3:!aNULL:@STRENGTH'

Does anyone have a secure, functional cipher list entry they'd like to 
share?


Also, different problem.  I noticed this in previous installations of 
cyrus, but just ignored the error, as everything was working.  Every 
time I run imtest (or when a TLS connection is made) the following error 
is logged:

 TLS server engine: No CA file specified. Client side certs may not work


I created a self-signed certificate + private key file as per the 
instructions given in the documentation (more or less), and set

 tls_cert_file: /etc/cyrus/private/cyrus.pem

Thinking the system might also need access to CA certificates for some 
reason, I then also set a valid CA cert path:

 tls_ca_path: /etc/ssl/certs

All the file permissions are correct, as far as I can tell (i.e. the 
cert/key file is owned by cyrus with umask 600, in a folder owned by 
cyrus with umask 700).

Any idea why cyrus is giving this error message and how to get rid of it?




Re: cyrus 2.4.17 TLS woes

2015-01-15 Thread Marty Lee

 On 15 Jan 2015, at 12:34, Patrick Goetz pgo...@mail.utexas.edu wrote:
 
 Does anyone have a secure, functional cipher list entry they'd like to
 share?

I’m using the following on 2.4.17-caldav-b10

tls_cipher_list:TLSv1+HIGH:!aNull:@STRENGTH

Functional yes; I won’t make any promises about secure, as I’m
sure someone more enlightened would correct me!

cheers

-
Marty Lee          e: ma...@maui-systems.co.uk
Technical Director v: +44 845 869 2661
Maui Systems Ltd   f: +44 871 433 8922
Scotland, UK       w: http://www.maui-systems.co.uk



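As an added check (my own code, not from the thread or from Cyrus), the cipher strings quoted in Patrick's question and Marty's reply can be handed to the local OpenSSL through Python's ssl module before they go into imapd.conf: a string that selects no cipher is rejected by OpenSSL, which is the condition cyrus logs as "cannot load cipher list". The function names are mine.

```python
import ssl

# The tls_cipher_list values quoted in this thread
CANDIDATES = {
    "patrick-1": "TLSv1.2+HIGH:!aNULL:@STRENGTH",
    "patrick-2": "!SSlv2:!SSLv3:!aNULL:@STRENGTH",  # exclusions only
    "marty":     "TLSv1+HIGH:!aNull:@STRENGTH",
}

# OpenSSL names for anonymous (aNULL) suites: no server authentication
ANONYMOUS_PREFIXES = ("ADH-", "AECDH-")


def check_cipher_list(spec):
    """Pass `spec` to the local OpenSSL the way cyrus does (via
    SSL_CTX_set_cipher_list) and return the TLS <= 1.2 cipher names it
    selects, or None when the string leaves nothing to offer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        # OpenSSL rejects a list that matches no cipher; unknown aliases
        # (such as a misspelled one) are skipped silently, so a string made
        # only of exclusions ends up empty and fails here.
        return None
    # get_ciphers() also lists TLS 1.3 suites, which this string does not govern
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def anonymous_ciphers(names):
    """Suites in `names` that offer no server authentication."""
    return [n for n in names if n.startswith(ANONYMOUS_PREFIXES)]


if __name__ == "__main__":
    for label, spec in CANDIDATES.items():
        names = check_cipher_list(spec)
        if names is None:
            print(f"{label}: rejected by OpenSSL: {spec}")
            continue
        first = names[0] if names else "-"
        print(f"{label}: {len(names)} ciphers, strongest first: {first}, "
              f"anonymous: {anonymous_ciphers(names) or 'none'}")
```

The counts and names depend on the OpenSSL build cyrus is linked against, so run it on the server itself.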