Hello,
we've been using perdition as a pop3/pop3s/imap/imaps proxy for about
four years now, first with Debian Sarge package and now under Etch.
And throughout this time I've seen pop3s (and from the looks of it
the same happens with imaps) processes stuck in connect, like this:
---
16836 ? S 5:31 0 120 32179 2204 0.0 perdition.pop3s
28070 ? S 0:00 0 120 32311 1564 0.0 \_ perdition.pop3s: connect
7782 ? S 0:00 0 120 32311 1564 0.0 \_ perdition.pop3s: connect
24468 ? S 0:00 0 120 32311 1568 0.0 \_ perdition.pop3s: connect
14180 ? S 0:00 0 120 32311 1568 0.0 \_ perdition.pop3s: connect
13503 ? S 0:00 0 120 32311 1564 0.0 \_ perdition.pop3s: connect
---
They never die off, keep the connection open, there is no traffic and the
other end might be long gone. Last trace in the logs is always like this:
---
Feb 5 22:05:16 pp11 perdition[7782]: Connect: hi.mi.ts.u->203.216.5.113
---
It must be something related to the SSL'ness of these services, since I'm
not seeing this happening ever for imap/pop3. Alas a lot of people do use
TLS with those, so it's not a generic SSL issue. Maybe the master process
could kick a child handling connections in the head after "timeout"
seconds in connect state?
If more information is needed I can try to provide it, but note that with a
rate of roughly 35 pops per second I'm a bit wary of turning on
debugging. ^_-
This may or may not be related to another SSL related issue, which will
be for the sake of making searches in the archive more likely to find good
keywords in a separate mail.
Regards,
Christian
--
Christian Balzer Network/Systems Engineer NOC
chibi(a)gol.com Global OnLine Japan/Fusion Network Services
http://www.gol.com/
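The per-child timeout Christian asks for, as an added example that is not perdition's code: it assumes the stuck child is blocked reading from a client that connected and never completed the TLS handshake, and shows how a socket I/O deadline set before SSL_accept() turns that wait into a bounded one. The silent client is a constructed socketpair, so it runs offline.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/time.h>

/* Give an accepted client socket a hard I/O deadline. Blocking reads and
 * writes on fd, including the ones SSL_accept() performs underneath, then
 * fail with EAGAIN/EWOULDBLOCK after `seconds` of silence instead of
 * waiting forever. Returns 0 on success, -1 if setsockopt() fails. */
int set_io_deadline(int fd, int seconds)
{
    struct timeval tv = { .tv_sec = seconds, .tv_usec = 0 };
    if (setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv) != 0)
        return -1;
    if (setsockopt(fd, SOL_SOCKET, SO_SNDTIMEO, &tv, sizeof tv) != 0)
        return -1;
    return 0;
}

/* Stand-in for a client that connects and then never sends a byte: a
 * socketpair whose far end stays silent (constructed, so this runs
 * offline). Returns 1 when the read gave up at the deadline, which is where
 * the child would log and exit; 0 if data arrived; -1 on any other error. */
int silent_peer_times_out(int seconds)
{
    int sv[2], rc;
    char buf[16];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    if (set_io_deadline(sv[0], seconds) != 0) {
        close(sv[0]);
        close(sv[1]);
        return -1;
    }
    ssize_t n = read(sv[0], buf, sizeof buf);   /* blocks at most `seconds` */
    if (n < 0 && (errno == EAGAIN || errno == EWOULDBLOCK))
        rc = 1;
    else
        rc = (n >= 0) ? 0 : -1;
    close(sv[0]);
    close(sv[1]);
    return rc;
}
```

The deadline must be applied to the accepted socket before the handshake starts; a timeout that only begins after authentication, as the 1800-second one in the config dumps on this page does, never reaches a child that is still in the connect phase.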
Hi all,
I'm new to the perdition world, and I am obviously having problems with
configuration.
I'm trying to configure authentication on LDAP, and I read that perdition
can do what I need. But the problem is here: how can I set up a connection
to the LDAP?
I've tried with the perdition.conf file, setting up the -M and -m
parameters, but it seems that the library is not linked.
I compiled perdition with PAM, SSL and LDAP support before installing it on
my Ubuntu 10.10 machine, but this is still not working...
Can you give me some hint?
I attach to this message the log that the console gives me back; note that I have
problems when I activate the authentication_in parameter, because without
it perdition works like a perfect proxy without giving me back errors.
Here's the log:
Nov 25 16:59:27 riccardopb perdition[11355]: version=1.18, add_domain="",
authenticate_in=on, authenticate_timeout=1800, bind_address="",
capability="UIDL USER", client_server_specification=off,
config_file="/usr/local/etc/perdition/perdition.pop3.conf",
connection_limit=0, connection_logging=on, connect_relog=300, debug=on,
domain_delimiter="@", explicit_domain="", group="riccardo", inetd_mode=off,
listen_port="3000", log_facility="mail", log_passwd="never",
login_disabled=off, lower_case="",
map_library="/usr/local/lib/libperditiondb_ldap.so",
map_library_opt="ldap://127.0.0.1:389/ou=mailbox,dc=example,dc=com?username,mailhost,port?one?(uid=%25s)",
no_bind_banner=off, no_daemon=off, no_lookup=off, nodename="riccardopb",
ok_line="A lei", outgoing_port="995", outgoing_server="pop.gmail.com",
pid_file="/home/riccardo/Scrivania/perdition.pop3.pid", protocol="POP3",
server_resp_line=off, strip_domain="", timeout=1800, username="riccardo",
username_from_database=off, query_key="", quiet=off, ssl_mode="ssl_all",
ssl_ca_file="", ssl_ca_path="/usr/local/etc/perdition/perdition.ca/",
ssl_ca_accept_self_signed="on",
ssl_cert_file="/usr/local/etc/perdition/perdition.crt.pem",
ssl_cert_accept_expired="on", ssl_cert_not_yet_valid="on",
ssl_cert_self_signed="on", ssl_cert_verify_depth=9,
ssl_key_file="/usr/local/etc/perdition/perdition.key.pem",
ssl_listen_ciphers="", ssl_outgoing_ciphers="", ssl_no_cert_verify="on",
ssl_no_cn_verify="on", (ssl_mask=0x00000000) (mask=0x00060000 00000000)#012
Nov 25 16:59:41 riccardopb perdition[11360]: Connect: 127.0.0.1->127.0.0.1
Nov 25 16:59:54 riccardopb perdition[11360]: __perdition_ssl_connection:
error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
Nov 25 16:59:54 riccardopb perdition[11360]: __perdition_ssl_connection:
SSL_accept
Nov 25 16:59:54 riccardopb perdition[11360]: __perdition_ssl_connection: no
shared ciphers?
Nov 25 16:59:54 riccardopb perdition[11360]:
perdition_ssl_server_connection: perdition_ssl_connection
Nov 25 16:59:54 riccardopb perdition[11360]: main:
perdition_ssl_server_connection SSL
Nov 25 16:59:54 riccardopb perdition[11360]: Fatal error establishing SSL
connection to client
Thank you very much for your attention and help.
Hi Haw,
On 11/19/2010 01:34 AM, Haw Loeung wrote:
> Hello Hugo,
>
> On Fri, 19 Nov 2010 12:42:30 am Hugo Monteiro wrote:
>
>> Hello list,
>>
>> We have perdition working for both POPS and IMAPS, using an LDAP
>> backend. Everything has been working fine and we are very glad that
>> there is such a fine product in the OSS world.
>> Now we have the special need to redirect a small set of email
>> accounts, that don't exist in the LDAP tree, to another storage
>> server. I started looking at the popmap feature and we would like to
>> use the regular expression backend, but we've run into trouble.
>>
>> My popmap.re file looks like
>>
>> redir-.*: mailbak2.domain.com:995
>>
>> This allows us to redirect every account of the form
>> redir-username to an alternate server. But using this will not allow
>> us to use the LDAP backend also.
>>
>> Is there any way to make perdition fall back in any of the cases? I.e.
>> either try redir-.* and perform the redirect if it matches, doing
>> the ldap lookup otherwise, or perform the ldap lookup and next try
>> the popmap, in the case ldap returned no entries.
>>
>> I have also tried a global redirection, in the form of .*:
>> mailbak2.domain.com:995 and redirection only worked for POP
>> connections, not IMAP. Did I miss anything, or is this supposed to
>> work for IMAP only?
>>
>>
> We had this requirement when we needed to migrate mailboxes for entire
> domains on different mail systems onto ours.
>
> We managed to achieve this by using the following in the Perdition
> configuration:
>
> query_key \\U,+default@\\d
>
> So if the user doesn't exist in LDAP, it would try to look for
> "+default@<domain>".
>
> We would then have an LDAP record something along these lines:
>
> dn: uid=+default@<domain>, ...
> uid: +default@<domain>
> cn: +default@<domain>
> mailLocalAddress: +default@<domain>
> mailHost:<old-server>
>
>
Thank you for your input.
I already suspected that I would have to use LDAP to be able to validate
the user, but I'd like it to be a last resort effort.
As for my concerns regarding IMAP: can you confirm that I will be able
to apply those rules both for POP and IMAP? I'm asking because the
mapping I tried with popmap only worked for POP access.
Regards,
Hugo Monteiro.
--
fct.unl.pt:~# cat .signature
Hugo Monteiro
Email : hugo.monteiro(a)fct.unl.pt
Telefone : +351 212948300 Ext.15307
Web : http://hmonteiro.net
Divisão de Informática
Faculdade de Ciências e Tecnologia da
Universidade Nova de Lisboa
Quinta da Torre 2829-516 Caparica Portugal
Telefone: +351 212948596 Fax: +351 212948548
www.fct.unl.pt apoio(a)fct.unl.pt
fct.unl.pt:~# _
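The lookup order Hugo asks about and the query_key fallback Haw describes, simulated in an added example that is not perdition's code: the popmap.re entry and the +default@<domain> record are constructed from the thread, example.com and the mailhost values are made up, and the \U/\d expansion follows the reply's reading of query_key. Perdition is configured with a single map_library, so the regex-then-LDAP chain here shows what the requested fallback would resolve, using the same POSIX regex calls a regex map relies on.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Constructed popmap.re-style entries ("regex: host:port", as in the
 * thread). Matching is unanchored like POSIX regexec(), so "redir-.*"
 * also hits "redir-bob@example.com". */
static const char *POPMAP[][2] = {
    { "redir-.*", "mailbak2.domain.com:995" },
};

/* Constructed stand-in for the LDAP tree (uid -> mailHost); the
 * "+default@<domain>" record is the reply's catch-all. example.com is made up. */
static const char *LDAP[][2] = {
    { "alice@example.com",    "mailhost1.example.com" },
    { "+default@example.com", "old-server.example.com" },
};

static const char *popmap_lookup(const char *user)
{
    for (size_t i = 0; i < sizeof POPMAP / sizeof *POPMAP; i++) {
        regex_t rx;
        if (regcomp(&rx, POPMAP[i][0], REG_EXTENDED | REG_NOSUB) != 0) continue;
        int hit = regexec(&rx, user, 0, NULL, 0) == 0;
        regfree(&rx);
        if (hit) return POPMAP[i][1];
    }
    return NULL;
}

/* Emulates query_key "\U,+default@\d" as the reply reads it: the full
 * login (\U) first, then "+default@" plus its domain part (\d). */
static const char *ldap_lookup(const char *user)
{
    const char *at = strchr(user, '@');
    char fallback[256] = "";
    if (at) snprintf(fallback, sizeof fallback, "+default@%s", at + 1);
    const char *keys[2] = { user, at ? fallback : NULL };
    for (int k = 0; k < 2 && keys[k]; k++)
        for (size_t i = 0; i < sizeof LDAP / sizeof *LDAP; i++)
            if (strcmp(LDAP[i][0], keys[k]) == 0) return LDAP[i][1];
    return NULL;
}
/* Regex map first, then LDAP with the query_key fallback; NULL if neither matches. */
const char *resolve_target(const char *user)
{
    const char *t = popmap_lookup(user);
    return t ? t : ldap_lookup(user);
}
```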
Hello list,
We have perdition working for both POPS and IMAPS, using an LDAP
backend. Everything has been working fine and we are very glad that
there is such a fine product in the OSS world.
Now we have the special need to redirect a small set of email accounts,
that don't exist in the LDAP tree, to another storage server.
I started looking at the popmap feature and we would like to use the
regular expression backend, but we've run into trouble.
My popmap.re file looks like
redir-.*: mailbak2.domain.com:995
This allows us to redirect every account of the form redir-username
to an alternate server. But using this will not allow us to use the LDAP
backend also.
Is there any way to make perdition fall back in any of the cases? I.e.
either try redir-.* and perform the redirect if it matches, doing the ldap
lookup otherwise, or perform the ldap lookup and next try the popmap, in
the case ldap returned no entries.
I have also tried a global redirection, in the form of .*:
mailbak2.domain.com:995 and redirection only worked for POP connections,
not IMAP. Did I miss anything, or is this supposed to work for IMAP only?
Thanks in advance,
Hugo Monteiro.
Hello,
I tried to run perdition on my Ubuntu server.
I encountered the following problem:
The pidfile does not exist immediately after the perdition process
detaches itself from the terminal.
If the init-script waits for a second, everything is fine again.
I think the pidfile should be created before the process detaches.
Probably moving lines 533-541 ( /* Create PID file */) in perdition.c
some lines higher, starting at line 522, will do.
But I'm not good enough at coding in C to be sure. I don't even know if
there are other implications in changing this behavior.
kind regards,
Bjoern Schrader
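One way to get the ordering Bjoern suggests, as an added example that is not perdition's code and does not refer to the perdition.c lines he cites: the foreground launcher returns (and exits) only after the detached daemon has written its PID file, so an init script that returns when the launcher does always finds the file. The path is whatever the caller passes.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <unistd.h>
/* Write pid to path; 0 on success, -1 on failure. */
int write_pidfile(const char *path, pid_t pid)
{
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    if (fprintf(f, "%ld\n", (long)pid) < 0 || fclose(f) != 0) return -1;
    return 0;
}

/* Read the pid back; -1 if missing or unparseable, which is what an init
 * script sees when it looks before the file exists. */
long read_pidfile(const char *path)
{
    long pid = -1;
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    if (fscanf(f, "%ld", &pid) != 1) pid = -1;
    fclose(f);
    return pid;
}

/* Detach, but return to the launcher only after the daemon has written its
 * PID file (reported over a pipe): 1 in the launcher, 0 in the daemon, -1 on error. */
int daemonize_with_pidfile(const char *pidfile)
{
    int fd[2];
    char ok = '0';
    if (pipe(fd) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid > 0) {                          /* launcher */
        close(fd[1]);
        int n = read(fd[0], &ok, 1);        /* blocks until daemon reports */
        close(fd[0]);
        return (n == 1 && ok == '1') ? 1 : -1;
    }
    close(fd[0]);
    if (setsid() < 0) _exit(1);
    pid = fork();                           /* second fork: no controlling tty */
    if (pid < 0) _exit(1);
    if (pid > 0) _exit(0);
    if (write_pidfile(pidfile, getpid()) == 0) ok = '1';
    if (write(fd[1], &ok, 1) != 1) _exit(1);
    close(fd[1]);
    return ok == '1' ? 0 : -1;
}
```

A caller treats a return of 1 as "daemon up, pidfile written" and exits; a return of 0 is the daemon itself continuing into its main loop.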
> On Fri, Nov 12, 2010 at 01:28:29PM -0600, john(a)tconl.com wrote:
>> I have to login twice after each logout using squirrelmail located on
>> the
>> same server as perdition. The mail stores are on two other servers.
>>
>> I am left with this on squirrelmail after first attempt:
>>
>> SquirrelMail version 1.4.8-5.el5.centos.10
>> By the SquirrelMail Project Team
>> ERROR
>> Your session has expired, but will be resumed after logging in again.
>> Go to the login page
>
> Hi John,
>
> I wonder if the problem you are seeing relates to the bug
> fixed by the following patch which was included in 1.19-rc3.
My current config is using:
perdition-1.18
Do I need to upgrade the library if upgrading to 1.19-rc3?
>
> # HG changeset patch
> # User Simon Horman <horms(a)verge.net.au>
> # Date 1280280523 -32400
> # Node ID 6d85be38374c6aed3532219443370b95bf0cd128
> # Parent 8fc81b8203539801a0900c7e133ccb198c60cd3e
> ssl: Set session_id
>
> This allows session re-negotiation to work
> in conjunction with the verification of client certificates.
>
> In particular, it allows Thunderbird 3.1 to connect to perdition using
> TLS.
>
> An alternate work-around is to disable all certificate verification using
> --ssl_no_client_cert_verify or disable client certificate verification
> using --ssl_no_cert_verify (introduced in 1.19-rc1).
>
> This relates to Mozilla Bug #575915
> https://bugzilla.mozilla.org/show_bug.cgi?id=575915
>
> Tested-by: John Feuerstein <john(a)feurix.com>
> Signed-off-by: Simon Horman <horms(a)verge.net.au>
>
> diff -r 8fc81b820353 -r 6d85be38374c perdition/ssl.c
> --- a/perdition/ssl.c Mon Jul 26 15:29:04 2010 +0900
> +++ b/perdition/ssl.c Wed Jul 28 10:28:43 2010 +0900
> @@ -528,6 +528,14 @@
> return NULL;
> }
>
> + /* Set context for session */
> + if (!SSL_CTX_set_session_id_context(ssl_ctx,
> + (unsigned char *)PACKAGE,
> + strlen(PACKAGE))) {
> + VANESSA_LOGGER_DEBUG("SSL_CTX_set_session_id_context");
> + goto err;
> + }
> +
> /*
> * Set the available ciphers
> */
>
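Review bot: the added SSL_CTX_set_session_id_context() call passes strlen(PACKAGE) without stating the limit OpenSSL enforces: a context longer than SSL_MAX_SID_CTX_LENGTH (32 bytes) makes the call fail, so a one-line comment or a compile-time check on the PACKAGE length would document why this is safe. On the failure branch, VANESSA_LOGGER_DEBUG("SSL_CTX_set_session_id_context") records only the function name; logging the OpenSSL error queue next to it would make a failed startup easier to diagnose. The `goto err` target lies outside the hunk, so the reviewer should confirm that label releases ssl_ctx.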
I have to login twice after each logout using squirrelmail located on the
same server as perdition. The mail stores are on two other servers.
I am left with this on squirrelmail after first attempt:
SquirrelMail version 1.4.8-5.el5.centos.10
By the SquirrelMail Project Team
ERROR
Your session has expired, but will be resumed after logging in again.
Go to the login page
Here is my logfile:
Nov 12 12:31:22 perdi perdition[3994]: version=1.18, add_domain="",
authenticate_in=off, authenticate_timeout=1800, bind_address="",
capability="IMAP4 IMAP4REV1", client_server_specification=off,
config_file="/usr/local/etc/perdition/perdition.imap4.conf",
connection_limit=0, connection_logging=on, connect_relog=300, debug=on,
domain_delimiter="@", explicit_domain="", group="users", inetd_mode=on,
listen_port="143", log_facility="mail", log_passwd="always",
login_disabled=off, lower_case="",
map_library="/usr/local/lib/libperditiondb_mysql.so.0",
map_library_opt="localhost:3306:dbPerdition:tblPerdition:perdition:mypasswd",
no_bind_banner=off, no_daemon=off, no_lookup=off,
nodename="perdi.server.com", ok_line="You are so in", outgoing_port="143",
outgoing_server="", pid_file="/usr/local/var/run/perdition.imap4",
protocol="IMAP4", server_resp_line=on, strip_domain="", timeout=1800,
username="nobody", username_from_database=off, query_key="", quiet=off,
ssl_mode="", ssl_ca_file="", ssl_ca_path="/usr/local/etc
Nov 12 12:31:22 perdi perdition[3994]: vanessa_socket_daemon_setid: uid=99
euid=99 gid=100 egid=100
Nov 12 12:31:22 perdi perdition[3994]: Connect: 127.0.0.1->127.0.0.1
inetd_pid=3515
Nov 12 12:31:22 perdi perdition[3994]: SELF: "* OK IMAP4 Ready
perdi.mydomain.com 0001f9c7\r\n"
Nov 12 12:31:22 perdi perdition[3994]: CLIENT: "A001 LOGIN \"john\"
\"myPass\"\r\n"
Nov 12 12:31:22 perdi perdition[3994]: username_add_domain:
username_add_domain 0 1
Nov 12 12:31:22 perdi perdition[3994]: username_add_domain:
username_add_domain 0 4
Nov 12 12:31:22 perdi perdition[3994]: REAL: "* OK [CAPABILITY IMAP4REV1
I18NLEVEL=1 LITERAL+ SASL-IR LOGIN-REFERRALS STARTTLS] thor.tconl.com
IMAP4rev1 2007e.404 at Fri, 12 Nov 2010 12:31:34 -0600 (CST)\r\n"
Nov 12 12:31:22 perdi perdition[3994]: SELF: "flim07 CAPABILITY\r\n"
Nov 12 12:31:22 perdi perdition[3994]: REAL: "* CAPABILITY IMAP4REV1
I18NLEVEL=1 LITERAL+ IDLE UIDPLUS NAMESPACE CHILDREN MAILBOX-REFERRALS
BINARY UNSELECT ESEARCH WITHIN SCAN SORT THREAD=REFERENCES
THREAD=ORDEREDSUBJECT MULTIAPPEND SASL-IR LOGIN-REFERRALS
STARTTLS\r\nflim07 OK CAPABILITY completed\r\n"
Nov 12 12:31:22 perdi perdition[3994]: SELF: "flim08 LOGIN {4}\r\n"
Nov 12 12:31:22 perdi perdition[3994]: REAL: "+ Ready for argument\r\n"
Nov 12 12:31:22 perdi perdition[3994]: SELF: "john {8}\r\n"
Nov 12 12:31:22 perdi perdition[3994]: REAL: "+ Ready for argument\r\n"
Nov 12 12:31:22 perdi perdition[3994]: SELF: "myPass\r\n"
Nov 12 12:31:22 perdi perdition[3994]: REAL: "flim08 OK [CAPABILITY
IMAP4REV1 I18NLEVEL=1 LITERAL+ IDLE UIDPLUS NAMESPACE CHILDREN
MAILBOX-REFERRALS BINARY UNSELECT ESEARCH WITHIN SCAN SORT
THREAD=REFERENCES THREAD=ORDEREDSUBJECT MULTIAPPEND] User john
authenticated\r\n"
Nov 12 12:31:22 perdi perdition[3994]: SELF: "A001 OK [CAPABILITY
IMAP4REV1 I18NLEVEL=1 LITERAL+ IDLE UIDPLUS NAMESPACE CHILDREN
MAILBOX-REFERRALS BINARY UNSELECT ESEARCH WITHIN SCAN SORT
THREAD=REFERENCES THREAD=ORDEREDSUBJECT MULTIAPPEND] User john
authenticated\r\n"
Nov 12 12:31:22 perdi perdition[3994]: Auth: 127.0.0.1->127.0.0.1
user="john" passwd="myPass" server="perdi.mydomain.com" port="143"
status="ok"
Nov 12 12:31:22 perdi perdition[3994]: CLIENT: "A002 CAPABILITY\r\n"
Nov 12 12:31:22 perdi perdition[3994]: REAL: "* CAPABILITY IMAP4REV1
I18NLEVEL=1 LITERAL+ IDLE UIDPLUS NAMESPACE CHILDREN MAILBOX-REFERRALS
BINARY UNSELECT ESEARCH WITHIN SCAN SORT THREAD=REFERENCES
THREAD=ORDEREDSUBJECT MULTIAPPEND SASL-IR LOGIN-REFERRALS STARTTLS\r\nA002
OK CAPABILITY completed\r\n"
Nov 12 12:31:22 perdi perdition[3994]: CLIENT: "A003 NAMESPACE\r\n"
Nov 12 12:31:22 perdi perdition[3994]: REAL: "* NAMESPACE ((\"\"
\"/\")(\"#mhinbox\" NIL)(\"#mh/\" \"/\")) ((\"~\" \"/\")) ((\"#shared/\"
\"/\")(\"#ftp/\" \"/\")(\"#news.\" \".\")(\"#public/\" \"/\"))\r\nA003 OK
NAMESPACE completed\r\n"
Nov 12 12:31:22 perdi perdition[3994]: CLIENT: "A004 LOGOUT\r\n"
Nov 12 12:31:22 perdi perdition[3994]: REAL: "* BYE perdi.mydomain.com
IMAP4rev1 server terminating connection\r\nA004 OK LOGOUT completed\r\n"
Nov 12 12:31:22 perdi perdition[3994]: Close: 127.0.0.1->127.0.0.1
user="john" received=46 sent=494