We've been using perdition as a pop3/pop3s/imap/imaps proxy for about
four years now, first with the Debian Sarge package and now under Etch.
And throughout this time I've seen pop3s (and from the looks of it
the same happens with imaps) processes stuck in connect, like this:
16836 ? S 5:31 0 120 32179 2204 0.0 perdition.pop3s
28070 ? S 0:00 0 120 32311 1564 0.0 \_ perdition.pop3s: connect
7782 ? S 0:00 0 120 32311 1564 0.0 \_ perdition.pop3s: connect
24468 ? S 0:00 0 120 32311 1568 0.0 \_ perdition.pop3s: connect
14180 ? S 0:00 0 120 32311 1568 0.0 \_ perdition.pop3s: connect
13503 ? S 0:00 0 120 32311 1564 0.0 \_ perdition.pop3s: connect
They never die off, keep the connection open, there is no traffic and the
other end might be long gone. Last trace in the logs is always like this:
Feb 5 22:05:16 pp11 perdition: Connect: hi.mi.ts.u->184.108.40.206
It must be something related to the SSL'ness of these services, since I'm
not seeing this happening ever for imap/pop3. Alas a lot of people do use
TLS with those, so it's not a generic SSL issue. Maybe the master process
could kick a child handling connections in the head after "timeout"
seconds in connect state?
If more information is needed I can try to provide it, but note that with a
rate of roughly 35 pops per second I'm a bit wary to turn on
This may or may not be related to another SSL related issue, which will
be for the sake of making searches in the archive more likely to find good
keywords in a separate mail.
Christian Balzer Network/Systems Engineer NOC
chibi(a)gol.com Global OnLine Japan/Fusion Network Services
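
The timeout suggested in the message above can also be enforced inside the child handling the connection. This is an added example, not perdition's code and not from the poster; the function names, return codes and the 5-byte TLS record-header read are assumptions chosen for illustration. It bounds the whole pre-handshake read with a single deadline, so a silent or slow peer cannot keep the process alive indefinitely.

```c
#include <errno.h>
#include <poll.h>
#include <sys/socket.h>
#include <time.h>
#include <unistd.h>

enum { HS_OK = 0, HS_TIMEOUT = -1, HS_CLOSED = -2, HS_ERROR = -3 };

/* Read exactly `need` bytes before ONE absolute deadline for the whole phase,
 * so a peer that goes silent or drips single bytes cannot outlast budget_s.
 * time() keeps this portable; prefer a monotonic clock where available. */
int read_before_deadline(int fd, unsigned char *buf, size_t need, int budget_s)
{
    time_t deadline = time(NULL) + budget_s;
    size_t got = 0;
    while (got < need) {
        long left = (long)(deadline - time(NULL));
        struct pollfd p = { .fd = fd, .events = POLLIN };
        int rc = left > 0 ? poll(&p, 1, (int)(left * 1000)) : 0;
        if (rc == 0)
            return HS_TIMEOUT;            /* budget spent: caller drops fd */
        if (rc < 0 && errno == EINTR)
            continue;                     /* interrupted: recompute budget */
        if (rc < 0)
            return HS_ERROR;
        ssize_t n = read(fd, buf + got, need - got);
        if (n == 0)
            return HS_CLOSED;             /* peer is gone: free the slot */
        if (n < 0 && errno != EINTR && errno != EAGAIN)
            return HS_ERROR;
        if (n > 0)
            got += (size_t)n;
    }
    return HS_OK;
}

/* Constructed demo peer: sends `sent` of the 5 TLS record-header bytes,
 * then stays connected but silent (sent == 5 is a well-behaved client). */
int demo_peer(size_t sent, int budget_s)
{
    static const unsigned char tls_hdr[5] = { 0x16, 0x03, 0x01, 0x00, 0x2f };
    unsigned char hdr[5];
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return HS_ERROR;
    int rc = write(sv[1], tls_hdr, sent) == (ssize_t)sent
           ? read_before_deadline(sv[0], hdr, sizeof hdr, budget_s) : HS_ERROR;
    close(sv[0]);
    close(sv[1]);
    return rc;
}
```
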

We're just in the process of moving from perdition 1.17-5 to 1.18-2 and we can't get the add_domain feature to work anymore. It seems to want to use the IP address that the connection is coming from rather than the IP address that it is connecting to. If I put the sender's IP address in the hosts file then it all works, but obviously this isn't really helpful. I've had a bit of a look in the code to see if I could see anything, but I'm no coder and it seems like the kind of feature that if broken would have a lot of people noticing.
Am I missing something simple, is there a new config option, an old one that needs removing, or is it really possible that this is broken?
In both cases we're using the supported version from Ubuntu (from Dapper LTS to Lucid (10.04) LTS).
Any help really appreciated, trying to get the changeover between versions done as soon as we can.

I checked the documentation of Perdition and I am not sure if the
following scenario can be implemented.
A Client (e.g. Outlook/TB) connects to a Perdition imap/pop proxy.
The proxy itself connects in turn to the real imap/pop server using the
credentials provided by client (possible switch of user_name).
Before an email gets delivered to the client, it will be processed by a
filter program which does some gpg processing (sig verification,
decryption), which is fully transparent for the client.
Can such a scenario be implemented with Perdition (ideally I would like
to write the filter program in Perl :-) )?

I'm in the process of deploying a perdition imap proxy to an Exchange
server. ATM there is a M$ proxy server installed that I wish to replace.
All clients, Outlook in a vast majority, have SPA enabled that
translates to NTLM auth. I have changed the CAPABILITY string to meet
Exchange's CAPs and I'm also not doing any authentication_in, i.e. all
auth is performed in the backend Exchange server.
... But it's not working. I can see in the logs the following:
Dec 7 11:16:10 mail-proxy perdition: SSL connection using AES256-SHA
Dec 7 11:16:10 mail-proxy perdition: SELF: "* OK IMAP4 Ready
Dec 7 11:16:10 mail-proxy perdition: CLIENT: "1 capability\r\n"
Dec 7 11:16:10 mail-proxy perdition: SELF: "* CAPABILITY IMAP4 IMAP4rev1 AUTH=NTLM AUTH=GSSAPI AUTH=PLAIN IDLE NAMESPACE LITERAL+\r\n"
Dec 7 11:16:10 mail-proxy perdition: SELF: "1 OK CAPABILITY\r\n"
Dec 7 11:16:10 mail-proxy perdition: CLIENT: "3 authenticate
Dec 7 11:16:10 mail-proxy perdition: SELF: "3 NO AUTHENTICATE mechanism not supported, mate\r\n"
Is this type of connection not supported at all, or am I missing anything?
Note: Not supporting this type of authentication will turn into a major
helpdesk overhead since there will be a lot of clients to be reconfigured.
fct.unl.pt:~# cat .signature
Email : hugo.monteiro(a)fct.unl.pt
Telefone : +351 212948300 Ext.15307
Web : http://hmonteiro.net
Divisão de Informática
Faculdade de Ciências e Tecnologia da
Universidade Nova de Lisboa
Quinta da Torre 2829-516 Caparica Portugal
Telefone: +351 212948596 Fax: +351 212948548

I'm new to the perdition world, and I am obviously having problems in
I'm trying to configure an authentication on LDAP, I read that perdition
can do what I need. But the problem is here: how can I set up a connection
to the LDAP?
I've tried with the perdition.conf file setting up the -M and -m
parameters, but it seems that the library is not linked.
I compiled perdition with PAM, SSL and LDAP support before installing it on
my Ubuntu 10.10 machine, but this is still not working...
Can you give me some hint?
I attach to the message the log that the console gives me back; note that I have
problems when I activate the authentication_in parameter, because without
it perdition works like a perfect proxy without giving me back errors.
Here's the log:
Nov 25 16:59:27 riccardopb perdition: version=1.18, add_domain="",
authenticate_in=on, authenticate_timeout=1800, bind_address="",
capability="UIDL USER", client_server_specification=off,
connection_limit=0, connection_logging=on, connect_relog=300, debug=on,
domain_delimiter="@", explicit_domain="", group="riccardo", inetd_mode=off,
listen_port="3000", log_facility="mail", log_passwd="never",
no_bind_banner=off, no_daemon=off, no_lookup=off, nodename="riccardopb",
ok_line="A lei", outgoing_port="995", outgoing_server="pop.gmail.com",
server_resp_line=off, strip_domain="", timeout=1800, username="riccardo",
username_from_database=off, query_key="", quiet=off, ssl_mode="ssl_all",
ssl_listen_ciphers="", ssl_outgoing_ciphers="", ssl_no_cert_verify="on",
ssl_no_cn_verify="on", (ssl_mask=0x00000000) (mask=0x00060000 00000000)#012
Nov 25 16:59:41 riccardopb perdition: Connect: 127.0.0.1->127.0.0.1
Nov 25 16:59:54 riccardopb perdition: __perdition_ssl_connection: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
Nov 25 16:59:54 riccardopb perdition: __perdition_ssl_connection:
Nov 25 16:59:54 riccardopb perdition: __perdition_ssl_connection: no
Nov 25 16:59:54 riccardopb perdition:
Nov 25 16:59:54 riccardopb perdition: main:
Nov 25 16:59:54 riccardopb perdition: Fatal error establishing SSL connection to client
Thank you very much for your attention and help.