Re: lmtp authentication ignored with tls enabled

2015-07-20 Thread Marcus Schopen
On Monday, 20.07.2015, 03:21 +0200, Marcus Schopen wrote:
 Hi,
 
 I'm trying to deliver mails via lmtp/tcp from sendmail to cyrus running
 on another machine.
 
 sendmail.mc:
 --
 define(`confLOCAL_MAILER', `cyrusv2')dnl
 define(`CYRUSV2_MAILER_ARGS', `TCP imap.domain.de 2003')dnl
 --
 
 Without an authentication line in /etc/mail/access
 
 --
 AuthInfo:imap.domain.de I:lmtp-admin P:pass M:DIGEST-MD5
 --
 
 I'm getting the following error:
 
 --
 Jul 20 02:19:01 mail sendmail[5368]: t6K0GIKP005234:
 to=postmas...@domain.de, delay=00:02:43, xdelay=00:00:03,
 mailer=cyrusv2, pri=211679, relay=imap.domain.de. [xx.xx.xx.xx],
 dsn=4.0.0, stat=Deferred: 430 Authentication required
 --
 
 This is correct. After adding AuthInfo to /etc/mail/access and adding lmtp-admin
 to sasldb2 on the cyrus side, mails are delivered via lmtp to cyrus with
 proper authentication. Good.
 
 But after setting tls_cert_file and tls_key_file in imapd.conf to get an
 encrypted connection, the lmtp authentication is completely ignored and
 mails are going through even without any AuthInfo in /etc/mail/access:
 
 cyrus log:
 --
 Jul 20 03:08:06 imap cyrus/lmtp[3875]: accepted connection
 Jul 20 03:08:06 imap cyrus/lmtp[3875]: connection from [xx.xx.xx.xx]
 Jul 20 03:08:06 imap cyrus/lmtp[3875]: imapd:Loading hard-coded DH
 parameters
 Jul 20 03:08:06 imap cyrus/lmtp[3875]: SSL_accept() incomplete - wait
 Jul 20 03:08:06 imap cyrus/lmtp[3875]: Doing a peer verify
 Jul 20 03:08:06  cyrus/lmtp[3875]: last message repeated 2 times
 Jul 20 03:08:06 imap cyrus/lmtp[3875]: SSL_accept() incomplete - wait
 Jul 20 03:08:06 imap cyrus/lmtp[3875]: SSL_accept() succeeded - done
 Jul 20 03:08:06 imap cyrus/lmtp[3875]: received client certificate
 Jul 20 03:08:06 imap cyrus/lmtp[3875]: subject=/CN=server.domain.de
 Jul 20 03:08:06 imap cyrus/lmtp[3875]: starttls: TLSv1.2 with cipher
 DHE-RSA-AES256-SHA (256/256 bits new) authenticated as server.domain.de
 Jul 20 03:08:06 imap cyrus/lmtp[3875]: duplicate_check:
 201507200108.t6k185ov005...@test.domain.de user.test Mon,
 20 Jul 2015 03:08:05 +0200  0
 Jul 20 03:08:06 imap cyrus/lmtp[3875]: Delivered:
 201507200108.t6k185ov005...@test.domain.de to mailbox: user.test
 Jul 20 03:08:06 imap cyrus/lmtp[3875]: duplicate_mark:
 201507200108.t6k185ov005...@test.domain.de user.test Mon,
 20 Jul 2015 03:08:05 +0200  1437354486 48
 Jul 20 03:08:06 imap cyrus/lmtp[3875]: USAGE test user: 0.033640 sys:
 0.005606
 --
 
 /etc/imapd.conf:
 --
 configdirectory: /var/lib/cyrus
 proc_path: /run/cyrus/proc
 mboxname_lockpath: /run/cyrus/lock
 defaultpartition: default
 partition-default: /var/spool/cyrus/mail
 partition-news: /var/spool/cyrus/news
 newsspool: /var/spool/news
 altnamespace: no
 unixhierarchysep: no
 lmtp_downcase_rcpt: yes
 admins: cyrus
 lmtp_admins: lmtp-admin
 allowanonymouslogin: no
 popminpoll: 1
 autocreatequota: 0
 umask: 077
 sieveusehomedir: false
 sievedir: /var/spool/sieve
 hashimapspool: true
 allowplaintext: yes
 sasl_minimum_layer: 0
 sasl_pwcheck_method: auxprop
 sasl_auto_transition: no
 tls_cert_file: /etc/ssl/domain/imap.crt
 tls_key_file: /etc/ssl/domain/imap.key
 tls_ca_file: /etc/ssl/domain/cacert_org-class3.crt
 tls_ca_path: /etc/ssl/certs
 tls_session_timeout: 1440
 tls_cipher_list: TLSv1+HIGH:!aNULL:@STRENGTH
 lmtpsocket: /var/run/cyrus/socket/lmtp
 idlesocket: /var/run/cyrus/socket/idle
 notifysocket: /var/run/cyrus/socket/notify
 syslog_prefix: cyrus
 --
 
 cyrus.conf:
 -
 lmtp  cmd=lmtpd listen=2003 prefork=4 maxchild=20
 lmtpunix  cmd=lmtpd listen=/var/run/cyrus/socket/lmtp prefork=0
 maxchild=20
 -
 
 Any ideas?


Setting lmtp_tls_cert_file and lmtp_tls_key_file to disabled
activates lmtp authentication again. But how do I force lmtp
authentication with lmtp_tls enabled? Seems to me like a security
problem, if lmtp with tls enabled accepts connections from everywhere?!
The only way I see to get more security is an lmtp connection between
sendmail and cyrus over e.g. openvpn or hosts.allow/deny or iptables
configuration with lmtp_tls enabled.

Ciao
Marcus



Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus


Re: lmtp authentication ignored with tls enabled

2015-07-20 Thread Dan White
On 07/20/15 03:21 +0200, Marcus Schopen wrote:
sendmail.mc:
--
AuthInfo:imap.domain.de I:lmtp-admin P:pass M:DIGEST-MD5

--
Jul 20 02:19:01 mail sendmail[5368]: t6K0GIKP005234:
to=postmas...@domain.de, delay=00:02:43, xdelay=00:00:03,
mailer=cyrusv2, pri=211679, relay=imap.domain.de. [xx.xx.xx.xx],
dsn=4.0.0, stat=Deferred: 430 Authentication required
--

This is correct. After adding AuthInfo to /etc/mail/access and adding lmtp-admin
to sasldb2 on the cyrus side, mails are delivered via lmtp to cyrus with
proper authentication. Good.

But after setting tls_cert_file and tls_key_file in imapd.conf to get an
encrypted connection, the lmtp authentication is completely ignored and
mails are going through even without any AuthInfo in /etc/mail/access:

Jul 20 03:08:06 imap cyrus/lmtp[3875]: received client certificate
Jul 20 03:08:06 imap cyrus/lmtp[3875]: subject=/CN=server.domain.de
Jul 20 03:08:06 imap cyrus/lmtp[3875]: starttls: TLSv1.2 with cipher
DHE-RSA-AES256-SHA (256/256 bits new) authenticated as server.domain.de

It appears you may be performing sasl EXTERNAL authentication. Your
auth-facility syslog should confirm that.

Configuring a restricted mechanism list would prevent that from happening:

lmtp_sasl_mech_list: digestmd5

/etc/imapd.conf:
--
lmtp_downcase_rcpt: yes
admins: cyrus
lmtp_admins: lmtp-admin
allowplaintext: yes
sasl_minimum_layer: 0
sasl_pwcheck_method: auxprop
sasl_auto_transition: no
tls_cert_file: /etc/ssl/domain/imap.crt
tls_key_file: /etc/ssl/domain/imap.key
tls_ca_file: /etc/ssl/domain/cacert_org-class3.crt
tls_ca_path: /etc/ssl/certs
tls_session_timeout: 1440
tls_cipher_list: TLSv1+HIGH:!aNULL:@STRENGTH
lmtpsocket: /var/run/cyrus/socket/lmtp

cyrus.conf:
lmtp   cmd=lmtpd listen=2003 prefork=4 maxchild=20
lmtpunix   cmd=lmtpd listen=/var/run/cyrus/socket/lmtp prefork=0
maxchild=20

-- 
Dan White
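
As an added illustration (not part of Dan's or Marcus's posts, and not Cyrus code): a small Python checker that groups cyrus/lmtp syslog lines by process id and reports sessions whose identity came from the TLS client certificate ("authenticated as ...") and that then delivered mail, which is the pattern to look for when you expected a DIGEST-MD5 exchange instead. The sample log is constructed from the lines quoted above; hosts, addresses and message ids are placeholders.

```python
import re

# Constructed sample modelled on the cyrus/lmtp lines quoted in the thread;
# hostnames, pids and message ids are placeholders, not data from the list.
SAMPLE_LOG = """\
Jul 20 03:08:06 imap cyrus/lmtp[3875]: received client certificate
Jul 20 03:08:06 imap cyrus/lmtp[3875]: subject=/CN=server.example.org
Jul 20 03:08:06 imap cyrus/lmtp[3875]: starttls: TLSv1.2 with cipher DHE-RSA-AES256-SHA (256/256 bits new) authenticated as server.example.org
Jul 20 03:08:06 imap cyrus/lmtp[3875]: Delivered: msg1.constructed@example.org to mailbox: user.test
Jul 20 03:09:00 imap cyrus/lmtp[3880]: accepted connection
Jul 20 03:09:00 imap cyrus/lmtp[3880]: starttls: TLSv1.2 with cipher DHE-RSA-AES256-SHA (256/256 bits new) no authentication
"""

LINE_RE = re.compile(r"cyrus/lmtp\[(?P<pid>\d+)\]: (?P<msg>.*)$")
TLS_AUTH_RE = re.compile(r"^starttls: .* authenticated as (?P<ident>\S+)$")
SUBJECT_RE = re.compile(r"^subject=(?P<dn>.+)$")
DELIVERED_RE = re.compile(r"^Delivered: \S+ to mailbox: (?P<mbox>\S+)$")


def parse_sessions(log_text):
    """Group lmtpd log lines by pid; record the client-cert subject, the
    identity lmtpd derived from the TLS handshake, and delivered mailboxes."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        s = sessions.setdefault(
            m["pid"], {"client_cert": None, "tls_identity": None, "delivered": []})
        msg = m["msg"]
        if (sm := SUBJECT_RE.match(msg)):
            s["client_cert"] = sm["dn"]
        elif (tm := TLS_AUTH_RE.match(msg)):
            s["tls_identity"] = tm["ident"]
        elif (dm := DELIVERED_RE.match(msg)):
            s["delivered"].append(dm["mbox"])
    return sessions


def cert_authenticated_deliveries(log_text):
    """Sessions whose LMTP identity came from the TLS client certificate and
    that then delivered mail: the ones to review when you expected a SASL
    password exchange (DIGEST-MD5) rather than certificate-based authentication."""
    return [
        (pid, s["tls_identity"], s["client_cert"], s["delivered"])
        for pid, s in parse_sessions(log_text).items()
        if s["tls_identity"] and s["delivered"]
    ]
```

Run it against the real lmtp log (syslog_prefix "cyrus" in the config above) to see which deliveries were accepted on the strength of a client certificate; pair that with the auth-facility log Dan mentions to confirm the mechanism.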



Re: lmtp authentication ignored with tls enabled

2015-07-20 Thread Marcus Schopen
Hi Dan,

On Monday, 20.07.2015, 08:33 -0500, Dan White wrote:
 It appears you may be performing sasl EXTERNAL authentication. Your
 auth-facility syslog should confirm that.

How do I do that?

 Configuring a restricted mechanism list would prevent that from happening:
 
 lmtp_sasl_mech_list: digestmd5

I set lmtp_sasl_mech_list: DIGEST-MD5 to imapd.conf.


Connected to localhost.
Escape character is '^]'.
220 roz Cyrus LMTP v2.4.12-Debian-2.4.12-2 server ready
lhlo e
250-roz
250-8BITMIME
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-SIZE
250-STARTTLS
250-AUTH DIGEST-MD5
250 IGNOREQUOTA


But it has no effect. As soon as tls is activated, mails are delivered
without using LMTP_AUTH.

Ciao!





Re: lmtp authentication ignored with tls enabled

2015-07-20 Thread Dan White
On 07/20/15 19:15 +0200, Marcus Schopen wrote:
Hi Dan,

On Monday, 20.07.2015, 08:33 -0500, Dan White wrote:
 It appears you may be performing sasl EXTERNAL authentication. Your
 auth-facility syslog should confirm that.

How do I do that?

libsasl logs to the auth facility. Check your syslog configuration for
where that logs to, but on some systems, it's in /var/log/auth.log. You may
need to increase the syslog logging level (auth.*) and/or increase the sasl
debug level with 'sasl_log_level: 7' in imapd.conf to get the appropriate
debug information.

 Configuring a restricted mechanism list would prevent that from happening:

 lmtp_sasl_mech_list: digestmd5

I set lmtp_sasl_mech_list: DIGEST-MD5 to imapd.conf.


Connected to localhost.
Escape character is '^]'.
220 roz Cyrus LMTP v2.4.12-Debian-2.4.12-2 server ready
lhlo e
250-roz
250-8BITMIME
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-SIZE
250-STARTTLS
250-AUTH DIGEST-MD5
250 IGNOREQUOTA


But it has no effect. As soon as tls is activated, mails are delivered
without using LMTP_AUTH.

-- 
Dan White
