When we originally implemented perdition v1.17 on RHEL4 several years
ago we had a customized the /etc/pam.d/perdition file to use the
pam_access.so module so we could lock out accounts for
administrative/maintenance purposes. This worked well for many years.
Within the last year we upgraded to RHEL5 and perdition 1.19rc4 and then
rc5. It would appear that since this update perdition no longer seems to
pay any sort of attention to the contents of the pam file and will
always assume success. Nothing seems to be logged either unlike before.
Although we are now compiling perdition to be located in /usr/perdition
with it's conf files in /etc/perdition I don't see how that would affect
pam operations, at least I would think it shouldn't. ldd on perdition
does show pam libraries being linked. Any ideas?
thanks,
David
--
David Severance
Enterprise Unix Services
Office of Information Technology
(949) 824-7552
sev(a)uci.edu
Hi Matthias.
This is the output that we get when we tried to connect to prediction
(port 995) via openssl:
verify error:num=20:unable to get local issuer certificate
verify return:1
verify error:num=27:certificate not trusted
verify return:1
verify error:num=21:unable to verify the first certificate
verify return:1
We have setup a cert_file with the three certificates:
---Begin Certificate---
our certificate
---End Certificate---
---Begin Certificate---
intermediate certificate
---End Certificate---
---Begin Certificate---
root certificate
---End Certificate---
Also we test using ssl_ca_chain file, and ssl_ca_path and nothing works.
Every test produces the same errors.
Thx for your help.
Hi all.
We have a problem configuring Perdition in a way to handle properly the
SSL verification path.
In our scenario we have 3 certificates, ours, intermediate and root. We
configure the option ssl_cachain_file pointing to a file with the 3
concatenated and does not work. Then we've configured ssl_cert file
pointing to our certificate, ssl_ca to the intermediate and ssl_ca_path
to the directory containing root and it does not work too.
The option ssl_key_file is pointing to the file containing our's
certificate private key.
Any ideas?
Hello,
we've been using perdition as a pop3/pop3s/imap/imaps proxy for about
four years now, first with Debian Sarge package and now under Etch.
And throughout this time I've seen pop3s (and from the looks of it
the same happens with imaps) processes stuck in connect, like this:
---
16836 ? S 5:31 0 120 32179 2204 0.0 perdition.pop3s
28070 ? S 0:00 0 120 32311 1564 0.0 \_ perdition.pop3s: connect
7782 ? S 0:00 0 120 32311 1564 0.0 \_ perdition.pop3s: connect
24468 ? S 0:00 0 120 32311 1568 0.0 \_ perdition.pop3s: connect
14180 ? S 0:00 0 120 32311 1568 0.0 \_ perdition.pop3s: connect
13503 ? S 0:00 0 120 32311 1564 0.0 \_ perdition.pop3s: connect
---
They never die off, keep the connection open, there is no traffic and the
other end might be long gone. Last trace in the logs is always like this:
---
Feb 5 22:05:16 pp11 perdition[7782]: Connect: hi.mi.ts.u->203.216.5.113
---
It must be something related to the SSL'ness of these service, since I'm
not seeing this happening ever for imap/pop3. Alas a lot of people do use
TLS with those, so it's not a generic SSL issue. Maybe the master process
could kick a child handling connections in the head after "timeout"
seconds in connect state?
If more information is needed I can try to provide it, but note that with a
rate of roughly 35 pops per second I'm a bit weary to turn on
debugging. ^_-
This may or may not be related to another SSL related issue, which will
be for the sake of making searches in the archive more likely to find good
keywords in a separate mail.
Regards,
Christian
--
Christian Balzer Network/Systems Engineer NOC
chibi(a)gol.com Global OnLine Japan/Fusion Network Services
http://www.gol.com/
