Re: LDAP auth and ptloader
Sorry for the delay, I was busy with other projects. :/
On 26.04.19 10:03, ellie timoney wrote:
> Hi Sven,
>
> I don't know much about running it in a production capacity, but our
> test suite sets up the following for LDAP pts:
>
> imapd.conf:
> ...
> ptloader_sock: /path/to/some/socket
> auth_mech: pts
> pts_module: ldap
> ...
>
> cyrus.conf:
> SERVICES {
> ...
> ptloader cmd="ptloader" listen="/path/to/some/socket"
> ...
> }
>
> Does this get you going?
It starts now, and according to the log, ptloader is initialized, but it
doesn't find any LDAP groups, and I can't really figure out why – it
just silently fails to find any groups (so users can't access shared
folders), with no indication in the logs as to why, even with
debug/chatty both enabled.
Groups *do* work with pts disabled and libpam-winbind resolving them as
native groups, so they *should* be set up correctly, I think.
Relevant settings:
> # These make no difference
> #debug: 1
> #chatty: 1
>
> # Same as in sample, path correct
> #auth_mech: pts
> pts_module: ldap
> ptloader_sock: /var/run/cyrus/socket/pts
>
> # Work, verified with s_client
> ldap_uri: ldaps://graz-dc-sem.ad.tao.at/
> ldap_ca_file: /usr/local/share/ca-certificates/tao-ad-ca.crt
> ldap_verify_peer: yes
>
> ldap_version: 3
> ldap_sasl: 0
> ldap_bind_dn: CN=some_user,CN=Users,DC=ad,DC=tao,DC=at
> ldap_password: some_password
> # Seems to work up to here, wrong password results in a ptloader error
> # message. Correct password results in no output?
>
> ldap_base:CN=Users,DC=ad,DC=tao,DC=at
> ldap_group_base: CN=Users,DC=ad,DC=tao,DC=at
> ldap_member_base: CN=Users,DC=ad,DC=tao,DC=at
>
> # These SHOULD work, and do work with ldapsearch, but silently fail?
> ldap_group_filter: (&(|(cn=%u)(sAMAccountName=%u))(objectClass=group))
> ldap_member_attribute: memberUid
> ldap_user_attribute: uid
> ldap_filter: (uid=%u)
Is there another way to get ptloader to spit out debug information and
pinpoint what's not set up correctly?
--
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas, Systemadministrator
✉ sven.schwe...@tao.at | ☎ +43 680 301 7167
TAO Digital | Teil der TAO Beratungs- & Management GmbH
Lendplatz 45 | FN 213999f/Klagenfurt, FB-Gericht Villach
A8020 Graz| https://www.tao-digital.at
signature.asc
Description: OpenPGP digital signature
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
Re: LDAP auth and ptloader
This has nothing to do with my problem. Please stop spamming. On 23.04.19 13:56, Willem Offermans wrote: > Dear Cyrus friends and Sven, > > A reason to look for authentication by radius. > But maybe this should go to feature request. > > > Wiel Offermans > wil...@offermans.rompen.nl <mailto:wil...@offermans.rompen.nl> > > > > >> On 23 Apr 2019, at 13:50, Sven Schwedas > <mailto:sven.schwe...@tao.at>> wrote: >> >> On 23.04.19 13:43, Willem Offermans wrote: >>> Dear Cyrus Friends and Sven, >>> >>> I don’t know if this is of any help. >>> >>> I have setup saslauthd to do LDAP authentication of Cyrus. >> >> That's what I want to get away from, because saslauthd cannot handle >> groups, and I need to maintain PAM LDAP auth in parallel just to handle >> that. >> >> -- >> Mit freundlichen Grüßen, / Best Regards, >> Sven Schwedas, Systemadministrator >> ✉ sven.schwe...@tao.at <mailto:sven.schwe...@tao.at> | ☎ +43 680 301 7167 >> TAO Digital | Teil der TAO Beratungs- & Management GmbH >> Lendplatz 45 | FN 213999f/Klagenfurt, FB-Gericht Villach >> A8020 Graz | https://www.tao-digital.at >> > -- Mit freundlichen Grüßen, / Best Regards, Sven Schwedas, Systemadministrator ✉ sven.schwe...@tao.at | ☎ +43 680 301 7167 TAO Digital | Teil der TAO Beratungs- & Management GmbH Lendplatz 45 | FN 213999f/Klagenfurt, FB-Gericht Villach A8020 Graz| https://www.tao-digital.at signature.asc Description: OpenPGP digital signature Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
Re: LDAP auth and ptloader
On 23.04.19 13:43, Willem Offermans wrote: > Dear Cyrus Friends and Sven, > > I don’t know if this is of any help. > > I have setup saslauthd to do LDAP authentication of Cyrus. That's what I want to get away from, because saslauthd cannot handle groups, and I need to maintain PAM LDAP auth in parallel just to handle that. -- Mit freundlichen Grüßen, / Best Regards, Sven Schwedas, Systemadministrator ✉ sven.schwe...@tao.at | ☎ +43 680 301 7167 TAO Digital | Teil der TAO Beratungs- & Management GmbH Lendplatz 45 | FN 213999f/Klagenfurt, FB-Gericht Villach A8020 Graz| https://www.tao-digital.at signature.asc Description: OpenPGP digital signature Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
LDAP auth and ptloader
I'm trying to set up direct LDAP auth via auth_meth=pts, but on start I always get "ptload(): can't connect to ptloader server: No such file or directory" as error. The directory for ptloader_sock exists and is the same as for all other sockets, so there shouldn't be any permission problems with the socket. I suppose I need to somehow manually start up ptloader via cyrus.conf, but there's no documentation and nothing I can find in the mailing list archives as to *how*? What am I missing? -- Mit freundlichen Grüßen, / Best Regards, Sven Schwedas, Systemadministrator ✉ sven.schwe...@tao.at | ☎ +43 680 301 7167 TAO Digital | Teil der TAO Beratungs- & Management GmbH Lendplatz 45 | FN 213999f/Klagenfurt, FB-Gericht Villach A8020 Graz| https://www.tao-digital.at signature.asc Description: OpenPGP digital signature Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
Re: Cyrus (Sieve) and external programs
On 2018-05-28 16:41, Pedro silva wrote: > Hello, > > I'm trying to set up a spam learning system, and I would like to pipe > email places in (for example) the SPAM folder to an external program. > > I have cyrus 2.4.17 > > Does any one know how or if this is possible in cyrus (or sieve)? If you want to (read only) process data already received to train your spam filter, just use the individual mail files in cyrus' spool. If you want to act on mails being received and possibly delete/redirect them, you normally want hook into your MTA, not cyrus/sieve. -- Mit freundlichen Grüßen, / Best Regards, Sven Schwedas, Systemadministrator ✉ sven.schwe...@tao.at | ☎ +43 680 301 7167 TAO Digital | Teil der TAO Beratungs- & Management GmbH Lendplatz 45 | FN 213999f/Klagenfurt, FB-Gericht Villach A8020 Graz| https://www.tao-digital.at signature.asc Description: OpenPGP digital signature Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
Mailbox inaccessible after setaclmailbox with invalid identifier
After running `setaclmailbox some/mailbox "group:name with spaces" all`, all attempts to access the mailbox in any way either result in an "Invalid identifier" error message, or can't even find the mailbox. deleteaclmailbox with exactly the same parameters as set doesn't help (same "invalid identifier" error); cyrreconstruct doesn't even find the mailbox. Deliveries are deferred as well. Any ideas how I can recover the mailbox without rolling back the whole server to an older backup? (Cyrus 2.5.10 on Debian stretch, if that matters.) -- Mit freundlichen Grüßen, / Best Regards, Sven Schwedas, Systemadministrator ✉ sven.schwe...@tao.at | ☎ +43 680 301 7167 TAO Digital | Teil der TAO Beratungs- & Management GmbH Lendplatz 45 | FN 213999f/Klagenfurt, FB-Gericht Villach A8020 Graz| https://www.tao-digital.at signature.asc Description: OpenPGP digital signature Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
Re: Size of partition.
On 2018-04-27 14:33, Albert Shih wrote: > Hi, > > Some question about the grow speed of the size of > > /var/imap > > because I would put that partition on SSD, and SSD are expensive. I would > like to know what would be the ratio between the size of mailbox and > /var/imap. I don't think there's a fixed ratio; it's too dependent on how much you use features like quotas and ACLs (and other DB-using features) and how large you allow individual mailboxes to grow. We need about 0.5 megabyte _per user_ for /var/imap; how much mailbox space the users get doesn't really matter for it. > On my new server I have ~20-25To space for the mailbox. How much /var/imap > should I get. > > Regards. > -- > Albert SHIH > DIO bâtiment 15 > Observatoire de Paris > xmpp: j...@obspm.fr > Heure local/Local time: > Fri Apr 27 14:30:44 CEST 2018 > > Cyrus Home Page: http://www.cyrusimap.org/ > List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ > To Unsubscribe: > https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus > -- Mit freundlichen Grüßen, / Best Regards, Sven Schwedas, Systemadministrator ✉ sven.schwe...@tao.at | ☎ +43 680 301 7167 TAO Digital | Teil der TAO Beratungs- & Management GmbH Lendplatz 45 | FN 213999f/Klagenfurt, FB-Gericht Villach A8020 Graz| https://www.tao-digital.at signature.asc Description: OpenPGP digital signature Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
Cyrus 2.5: ACLs won't recognize some groups
We have a cyrus server that's joined to an AD domain via winbind. Group enumeration and expansion is enabled inside winbind, so getgrent(3) delivers correct membership data for all groups. (Tested via getent group as well as a small C program just to make sure.) User A is in groups B and C; both have lowercase-only names without spaces or any other non-letter characters in them. If I use group:B in ACLs, A can access the mailbox. If I use group:C, A can't. It's a bit hard to pin down just what change could be responsible for this – the server was updated from wheezy to jessie to stretch in one migration, and to fix some unrelated Samba issues, group C had to be deleted and recreated (with the same name and GID and users and everything else getgrent cares about; it's working for file ACLs just fine and there's no difference in the getent group output to before). Any ideas where to look at for debugging this? -- Mit freundlichen Grüßen, / Best Regards, Sven Schwedas, Systemadministrator Mail/XMPP sven.schwe...@tao.at | Skype sven.schwedas TAO Digital | Lendplatz 45 | A8020 Graz https://www.tao-digital.at | Tel +43 680 301 7167 Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
Re: group acl with winbind
On 2015-04-08 12:28, Luca Olivetti wrote: El 08/04/15 a les 10:11, Sven Schwedas ha escrit: Winbind uses a socket in /tmp/.winbindd but in the systemd unit file there's a PrivateTmp=true which effectively hides the socket from cyrus. Changing it to false solves the problem. I think it would be better to change the winbindd socket directory # testparm Load smb config files from /etc/samba/smb.conf rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384) Unknown parameter encountered: winbindd socket directory Ignoring unknown parameter winbindd socket directory It's supported in 4.1+, I don't know which version started supporting it. Loaded services file OK. Server role: ROLE_DOMAIN_MEMBER Press enter to see a dump of your service definitions setting in the smb.conf, as your changes to the unit file will probably be overwritten at some point (and PrivateTmp is useful for *actual* temp files, which the socket isn't…). I used a unit file in /etc/systemd/system which includes the original one then overrides PrivateTmp Bye -- Mit freundlichen Grüßen, / Best Regards, Sven Schwedas Systemadministrator TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz Mail/XMPP: sven.schwe...@tao.at | +43 (0)680 301 7167 http://software.tao.at signature.asc Description: OpenPGP digital signature Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
Re: group acl with winbind
On 2015-04-08 09:14, Luca Olivetti wrote: El 07/04/15 a les 18:10, Dan White ha escrit: On 04/07/15 17:50 +0200, Luca Olivetti wrote: El 07/04/15 a les 17:31, Dan White ha escrit: localhost sam m_sist group:m_sist lrw setaclmailbox: group:m_sist: lrw: Invalid identifier localhost Could this be a permissions problem? Can the cyrus user successfully execute the getent command? Yes, it can $ sudo su -s /bin/bash cyrus $ whoami cyrus $ getent group | grep m_sist m_sist:x:674:ojeda,luca,calmet,rafa,oscar I'm at a loss to explain that behavior. You may need to trace/debug to get to the bottom of it: http://members.sange.fi/~atehwa/vc/packaging/cyrus-imapd/debian/README.Debian.debug Thank you, that was useful (duh, why didn't I think of it?). It turns out that the culprit was.systemd (or better, the systemd unit file provided by my distro). Winbind uses a socket in /tmp/.winbindd but in the systemd unit file there's a PrivateTmp=true which effectively hides the socket from cyrus. Changing it to false solves the problem. I think it would be better to change the winbindd socket directory setting in the smb.conf, as your changes to the unit file will probably be overwritten at some point (and PrivateTmp is useful for *actual* temp files, which the socket isn't…). Bye -- Mit freundlichen Grüßen, / Best Regards, Sven Schwedas Systemadministrator TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz Mail/XMPP: sven.schwe...@tao.at | +43 (0)680 301 7167 http://software.tao.at signature.asc Description: OpenPGP digital signature Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
Re: group acl with winbind
On 2015-04-07 16:28, Luca Olivetti wrote: I'm currently using cyrus-imapd 2.4.17 and sssd to obtain nss groups from an openldap server. I have some group acl which are currently working fine. I'm testing the migration to samba4 as an active directory domain controller and I'm trying to use winbind instead of sssd (which works perfectly btw). The problem is that with winbind group acls don't work. Group enumeration (a pain to configure) works: $ getent group | grep m_sist m_sist:x:674:ojeda,luca,calmet,rafa,oscar But I cannot set acl on that group: $ cyradm -u cyrus localhost Password: localhost sam m_sist group:m_sist lrw setaclmailbox: group:m_sist: lrw: Invalid identifier localhost Meanwhile I have winbindd running in the foregroung and the above sam command will cause no messages at all (i.e. it seems it isn't querying winbindd for group information) If I change nsswitch back to sssd (which is pulling data from the same samba4 server) and restart cyrus, it works: $ cyradm -u cyrus localhost Password: localhost sam m_sist group:m_sist lrw localhost The simple solution is to use sssd and forget about winbind, but I'm curious: why one works and the other doesn't giving that group enumeration works with both? 1. Are you running cyrus on a Domain Controller, or on a normal member server? 2. Which winbind/samba version(s) do you use? 3. smb.conf for the cyrus server? Bye -- Mit freundlichen Grüßen, / Best Regards, Sven Schwedas Systemadministrator TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz Mail/XMPP: sven.schwe...@tao.at | +43 (0)680 301 7167 http://software.tao.at signature.asc Description: OpenPGP digital signature Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
Re: CRAM-MD5 with saslauthd
On 2015-03-12 17:42, Geoff Winkless wrote: On 12 March 2015 at 16:04, Vladislav Kurz vladislav.k...@webstep.net mailto:vladislav.k...@webstep.netwrote: __ On Thursday 12 of March 2015 Ram r...@netcore.co.in mailto:r...@netcore.co.in wrote: You need access to plaintext passwords for CRAM/DIGEST-MD5. LDAP and saslauthd do not provide that. How can I use CRAM-MD5 with passwords stored in LDAP (in MD5 format ) then ? I need to disable plain login methods and cannot store passwords in plain text too. I'm afraid you are trying to do impossible things. Read more about how cram-md5 works. You can eforce ssl/tls encryption and use plain/login auth. The definition of plain text doesn't mean that it cannot be stored in a retrievable form. You could make a fairly simple patch to retrieve the ciphertext from a ROT13 store, as an extreme example :) AD supports an (AES-based, I think?) reversible encryption option for their LDAP passwords. This might be the sanest venue for this kind of feature. G Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus -- Mit freundlichen Grüßen, / Best Regards, Sven Schwedas Systemadministrator TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz Mail/XMPP: sven.schwe...@tao.at | +43 (0)680 301 7167 http://software.tao.at signature.asc Description: OpenPGP digital signature Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
Re: deleting emails directly
On 2015-03-04 11:04, hw wrote: Hi, can I remove or delete emails from the imap directory directly (with rm) without screwing things up? I think cyrreconstruct can be used in such cases, but it's certainly not the recommended way to delete mails. I'm running a virus scan over the spool directory and wonder how to get those messages removed within which a virus has been found. The easiest way would be to let the virus scanner do this, and the virus scanner doesn't use IMAP. Wouldn't it be safer to integrate the virus scanner in your MTA's processing pipeline, /before/ delivering it to clients that might automatically download the viruses before your file-based virus scanner has a chance to delete it? -- Mit freundlichen Grüßen, / Best Regards, Sven Schwedas Systemadministrator TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz Mail/XMPP: sven.schwe...@tao.at | +43 (0)680 301 7167 http://software.tao.at signature.asc Description: OpenPGP digital signature Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
Re: annotation_definitions and other options in imapd.conf
On 2014-12-03 13:38, Patrick Goetz wrote: This is from the imapd.conf man page: annotation_definitions: none File containing external (third-party) annotation definitions. - Does anyone have any idea what this means or what this is used for? IMAP annotations are described here: http://tools.ietf.org/html/rfc5257 Given it needs client support to be useful at all, probably a case of don't touch it if you don't already know what it means, or were explicitly instructed to. Also, there are any number of options in imapd.conf that don't make any sense to me. For example, auth_mech: - Isn't this handled by SASL? Apparently this can be used to bypass sasl and directly use LDAP/Kerberos for authentication. autocreatequota: If nonzero, normal users may create their own IMAP accounts by creating the mailbox INBOX. The user's quota is set to the value if it is positive, otherwise the user has unlimited quota. - How can you create an INBOX if you don't already have an IMAP account? If you use SASL to plug in external user sources, you can have an IMAP account without already having an inbox. This allows users to create one themselves, otherwise an admin needs to create them for the users (which should be the normal case, to ensure mails are properly received before the user's first login…). defaultacl: anyone lrs The Access Control List (ACL) placed on a newly-created (non-user) mailbox that does not have a parent mailbox. - That sounds interesting; how does one go about creating a non-user mailbox? Via Cyrus' perl module or cyradm, e.g. implicit_owner_rights: lkxa: The implicit Access Control List (ACL) for the owner of a mailbox. - Why wouldn't the default include t? It seems weird that owners can deleted mailboxes but not messages by default. The owner can't even see mails by default! Those are all _administrative_ rights, content access has to be enabled manually (so an administrative account can create user mailboxes without accidentally getting access to their mails, I suppose). ldap_* options - Again, I thought all authentication is handled by SASL? Should be. The (mostly undocumented) PTLoader thingie allows plugging in alternative methods (see above). In the debian version of /etc/cyrus.con, this comment appears: # this is only necessary if idlemethod is set to idled in imapd.conf #idled cmd=idled - idlemethod is not a listed option in `man imapd.conf` It's Debian specific, cf. /usr/share/doc/cyrus-common/README.Debian.gz -- Mit freundlichen Grüßen, / Best Regards, Sven Schwedas Systemadministrator TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz Mail/XMPP: sven.schwe...@tao.at | +43 (0)680 301 7167 http://software.tao.at signature.asc Description: OpenPGP digital signature Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
Re: How to prevent SSLv3/Poodle attack?
On 2014-10-15 18:03, lst_ho...@kwsoft.de wrote: Unfortunately it looks like Cyrus can not disable SSLv3 protocol without disabling ciphers also used in TLSv1.x, no? You can't disable it manually until Kristian's patch is merged, but with Ubuntu's default cipher list I'm unable to establish an SSLv3 session (while TLS v1.0 works). Mayhaps SSLv3 support was already broken before and nobody noticed? -- Mit freundlichen Grüßen, / Best Regards, Sven Schwedas Systemadministrator TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz Mail/XMPP: sven.schwe...@tao.at | +43 (0)680 301 7167 http://software.tao.at signature.asc Description: OpenPGP digital signature Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
Re: How to prevent SSLv3/Poodle attack?
On 2014-10-15 18:20, Geoff Winkless wrote: Well the only thing new about POODLE versus previous known vulnerabilities is the way to manipulate the known vulnerability to gain the session cookie, which you can then re-use to log on to the site for yourself without needing to authenticate. I think the more important new concept is that arbitrary sessions can be downgraded to use a known vulnerable cipher/protocol version, even if more secure are available and servers/clients use cipher suite pinning and all the other tricks we came up with to mitigate BEAST et. al. This makes the current add new protocols for secure clients, but keep backwards compatibility anyway approach for handling SSL much more dangerous. There's no such thing as a session cookie in IMAP, so I'd be very surprised to see it usable. That doesn't mean that IMAP/SSL3 is secure, it just means it's no less secure today than it was 10 years ago. The current exploit is quite HTTP(S) specific and I can't think of a way to apply it to IMAP, but it's probably not the last SSL3 problem. https://www.dfranke.us/posts/2014-10-14-how-poodle-happened.html is really good description, read especially the bit above The workaround. Hope this helps Geoff On 15 October 2014 17:03, lst_ho...@kwsoft.de mailto:lst_ho...@kwsoft.de wrote: Zitat von Geoff Winkless cy...@geoff.dj mailto:cy...@geoff.dj: Genuine question: is it shown that POODLE impacts on IMAPS? I don't see how POODLE could affect an IMAPS session, since it only works if you can MITM a non-SSL session on the user's browser and force it to request the same target page over and over. Cheers Geoff As said i'm still reading on the details, so thanks for the pointer. Nonetheless it might be time to give up on SSLv3 because of protocol design errors/weakness. Unfortunately it looks like Cyrus can not disable SSLv3 protocol without disabling ciphers also used in TLSv1.x, no? Regards Andreas Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus -- Mit freundlichen Grüßen, / Best Regards, Sven Schwedas Systemadministrator TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz Mail/XMPP: sven.schwe...@tao.at | +43 (0)680 301 7167 http://software.tao.at signature.asc Description: OpenPGP digital signature Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
Re: How to prevent SSLv3/Poodle attack?
On 2014-10-15 16:11, lst_ho...@kwsoft.de wrote: Hello, as of today a new exploit against SSL has been revelead which is a protocol weakness of ancient SSLv3. The common advice is to disable SSLv3 so the question is how to do this with Cyrus without doing too much damage. The first idea is of course to do something like tls_cipher_list: ALL:-SSLv3:-SSLv2 As TLSv1.0, 1.1 and SSLv3 seem share their cipher suites, disabling SSLv3 ciphers not only disables SSLv3, but also all TLS versions except 1.2, which sadly still breaks a lot of clients. in imapd.conf. But i wonder if this is the correct fix because our default from Ubuntu 12.04 looks like this: tls_cipher_list: TLSv1+HIGH:!aNull:@STRENGTH This should be sufficient to disable SSLv3, have you tested your server? (e.g. openssl s_client -ssl3 -starttls imap -connect host:143) -- Mit freundlichen Grüßen, / Best Regards, Sven Schwedas Systemadministrator TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz Mail/XMPP: sven.schwe...@tao.at | +43 (0)680 301 7167 http://software.tao.at signature.asc Description: OpenPGP digital signature Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
Verifying replication state
Hi all, Is there a way to quickly verify that replication is working (for e.g. nagios monitoring)? It seems that file differences in e.g. cyrus.index happen even when replication succeeds, and parsing the whole mail log for error messages seems a bit overkill. -- Mit freundlichen Grüßen, / Best Regards, Sven Schwedas Systemadministrator TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz Mail/XMPP: sven.schwe...@tao.at | +43 (0)680 301 7167 http://software.tao.at signature.asc Description: OpenPGP digital signature Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
Re: Protecting message files acess even from root
Given that a physical root can bypass any and every ACL, encrypting messages (upon receiving, e.g.) is the only remotely plausible way to prevent access. And even then the admin could sniff all SMTP traffic and copy messages before encryption, so you'd need to monitor him anyway. Why again does someone you trust so little have root access to anything more sensitive than a calculator? ;-) On 2014-01-31 17:47, Fabio S. Schmidt wrote: Hi Dan ! Thanks for the answer ! I'm trying to prevent local access from a physical administrator. Even if looged as root should be impossible to read the messages on the Cyrus partitions. Other emails stores that I have dealt with also stores the messages in files. Blackman and Goetz, Thanks for the reply, but my problem is that not all messages will be encrypted at the source. AND EVEN if the message is encrypted we want to prevent the access from a physical administrator. Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus -- Mit freundlichen Grüßen, / Best Regards, Sven Schwedas Systemadministrator TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz Mail/XMPP: sven.schwe...@tao.at | +43 (0)680 301 7167 http://software.tao.at signature.asc Description: OpenPGP digital signature Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
Reverting failover
Hello, If I understand correctly, failover is simply done by pointing clients to the replica (e.g. moving public IP)? We can assume that only one server is ever accessed by clients (both IMAP and SMTP/LMTP), they only have access to the public IP, which is switched over manually. How do I then migrate the data over to the master once it's running again? • Is master-master replication possible in this case? • If not, how do I move the data back to the master? Shut down the replica and rsync the spool back to the master? -- Mit freundlichen Grüßen, / Best Regards, Sven SCHWEDAS Systemadministrator TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz Mail/XMPP: sven.schwe...@tao.at | +43 (0)680 301 7167 http://software.tao.at signature.asc Description: OpenPGP digital signature Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
Re: Reverting failover
Hi, On 18.04.2013 11:24, Janne Peltonen wrote: Hi! On Thu, Apr 18, 2013 at 10:45:03AM +0200, Sven Schwedas wrote: If I understand correctly, failover is simply done by pointing clients to the replica (e.g. moving public IP)? More or less. You'll also have to make sure sync_server is no longer running on the replica but all the other relevant services are, so that users can connect. We can assume that only one server is ever accessed by clients (both IMAP and SMTP/LMTP), they only have access to the public IP, which is switched over manually. Ok. But as an added security measure, you should still make sure that the sync_server isn't running on the replica-as-master. (And sync_client shouldn't be running on the original master.) Ah, okay. How do I then migrate the data over to the master once it's running again? • Is master-master replication possible in this case? I gather it is only supported in the forthcoming 2.5 release. Too bad. :( • If not, how do I move the data back to the master? Shut down the replica and rsync the spool back to the master? You could do that, I guess, but that would result in quite a downtime. We simply run the master as the replica for a while (sync_server running on the original master and sync_client on the original replica), force a sync to all users and shared folders and then switch the IPs back. (To be more exact, each 'role change' (switching of master/replica roles and reverting to original) consists of 1) force syncronisation 3) manually run any remaining synclogs How do I do that / what's the difference between forced sync and a manual sync log run? 4) shut down current replica 5) change ip 6) start master services in what used to be replica 7) make sure everything appears to be ok 8) start sync_server in what used to be master) HTH -- Mit freundlichen Grüßen, / Best Regards, Sven SCHWEDAS Systemadministrator TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz Mail/XMPP: sven.schwe...@tao.at | +43 (0)680 301 7167 http://software.tao.at signature.asc Description: OpenPGP digital signature Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
Re: Reverting failover
Hi, On 18.04.2013 12:18, Janne Peltonen wrote: Hi! On Thu, Apr 18, 2013 at 11:59:31AM +0200, Sven Schwedas wrote: 1) force syncronisation 3) manually run any remaining synclogs How do I do that / what's the difference between forced sync and a manual sync log run? I mean that in the first case, you give a list of all your users (and shared mailboxes) to the sync_client command, using -u and -m operating modes, respectively. See man sync_client, note also the -f option. You can skip this step if you trust that your replica is completely up-to-date. There might have been some glitches in the replication at a point or another, so I prefer to synchronize all users and shared folders just before the role change, just in case. YMMV. The manual sync log run means that you just check if there are any outstanding entries left in configdir/sync/log (where configdir is typically /var/lib/imap) and if there are, you run the sync_client for that log file using mode -r. Like sync_client -r -f /var/lib/imap/sync/log. You see, when you shut down Cyrus at step 2, there might've been some new sync events generated by imapd/lmtpd/pop3d that the background-running sync_client didn't have time to handle before it was shut down. Okay, thanks. I'll simulate a failover and try those steps. --Janne -- Mit freundlichen Grüßen, / Best Regards, Sven SCHWEDAS Systemadministrator TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz Mail/XMPP: sven.schwe...@tao.at | +43 (0)680 301 7167 http://software.tao.at signature.asc Description: OpenPGP digital signature Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
