Perdition-users September 2014

perdition-users@vergenet.net

1 participants
2 discussions

by Steven Kelbley

Hi all, hoping you might be able to help me out. I have a Perdition proxy server (v1.17.1-1) setup to forward users to one of two Cyrus (v2.3.16) backend mailstores based on an LDAP query. Everything works fine except for securing the connection between Perdition and Cyrus; somehow Perdition is seemingly ignoring the STARTTLS entry in the mail server's CAPABILITY string. STARTTLS works perfectly fine connecting from the Perdition server to the Cyrus server using both "imtest" and "openssl s_client". The certs are all signed by a separate test CA I set up the other day and work fine otherwise. I've posted the log and relevant Perdition configs below, and I’ve tested the backend servers individually to ensure STARTTLS is working fine on Cyrus’ end. Have I messed something up? ##/var/log/maillog## Sep 3 10:23:34 perdition-host perdition[20007]: Connect: client.example.com -> perdition.example.com Sep 3 10:23:34 perdition-host perdition[20007]: SELF: "* OK IMAP4 Ready perdition.example.com 00021e71\r\n" Sep 3 10:23:34 perdition-host perdition[20007]: CLIENT: "1 STARTTLS\r\n" Sep 3 10:23:34 perdition-host perdition[20007]: SELF: "1 OK Begin TLS negotiation now\r\n" Sep 3 10:23:34 perdition-host perdition[20007]: SSL connection using AES256-GCM-SHA384 Sep 3 10:23:34 perdition-host perdition[20007]: CLIENT: "2 login \" user-test(a)email.example.com\" \"password\"" Sep 3 10:23:34 perdition-host perdition[20007]: CLIENT: "\r\n" Sep 3 10:23:34 perdition-host perdition[20007]: username_add_domain: username_add_domain 0 1 0x260e0b4 Sep 3 10:23:34 perdition-host perdition[20007]: username_add_domain: username_add_domain 0 4 0x260e0b4 Sep 3 10:23:34 perdition-host perdition[20007]: REAL: "* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=PLAIN AUTH=LOGIN SASL-IR COMPRESS=DEFLATE] server ready\r\n* OK [ALERT] Cyrus01\r\n" Sep 3 10:23:34 perdition-host perdition[20007]: SELF: "flim07 CAPABILITY\r\n" Sep 3 10:23:34 perdition-host perdition[20007]: tls_outgoing_force is set, but the real-server does not have the STARTTLS capability, connection will not be encrypted Sep 3 10:23:34 perdition-host perdition[20007]: SELF: "flim07 CAPABILITY\r\n" Sep 3 10:23:34 perdition-host perdition[20007]: REAL: "* CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=PLAIN AUTH=LOGIN SASL-IR COMPRESS=DEFLATE ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE SCAN IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH\r\nflim07 OK Completed\r\n" Sep 3 10:23:34 perdition-host perdition[20007]: SELF: "flim08 LOGIN {37}\r\n" Sep 3 10:23:34 perdition-host perdition[20007]: REAL: "* CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=PLAIN AUTH=LOGIN SASL-IR COMPRESS=DEFLATE ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE SCAN IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH\r\nflim07 OK Completed\r\n" Sep 3 10:23:34 perdition-host perdition[20007]: SELF: "* CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=PLAIN AUTH=LOGIN SASL-IR COMPRESS=DEFLATE ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE SCAN IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH\r\n" Sep 3 10:23:34 perdition-host perdition[20007]: imap4_out_response: invalid tag from server 1 Sep 3 10:23:34 perdition-host perdition[20007]: imap4_out_authenticate: imap4_out_response login Sep 3 10:23:34 perdition-host perdition[20007]: SELF: " user-test(a)email.example.com {9}\r\n" Sep 3 10:23:34 perdition-host perdition[20007]: REAL: "+ go ahead\r\n" Sep 3 10:23:34 perdition-host perdition[20007]: SELF: "password\r\n" Sep 3 10:23:34 perdition-host perdition[20007]: REAL: "+ go ahead\r\n" Sep 3 10:23:34 perdition-host perdition[20007]: imap4_out_response: invalid tag from server 1 Sep 3 10:23:34 perdition-host perdition[20007]: imap4_out_authenticate: imap4_out_response passwd Sep 3 10:23:34 perdition-host perdition[20007]: main: protocol->out_authenticate -1 Sep 3 10:23:34 perdition-host perdition[20007]: Fatal error authenticating user. Exiting child. ##/etc/sysconfig/perdition## RUN_PERDITION=yes POP3=no POP3S=no IMAP4=no IMAP4S=yes ##/usr/etc/perdition/perdition_imap4s.conf## (All left default except following options:) connection_logging debug listen_port 143 map_library /usr/lib/libperditiondb_ldap.so.0 map_library_opt "ldap:<redacted>" ok_line Connected to perdition IMAP proxy. protocol IMAP4S outgoing_port 143 pid_file /var/run/perdition/perdition.imap4s.pid timeout 60 ssl_mode tls_all ssl_ca_file /etc/pki/tls/certs/ca.crt ssl_ca_accept_self_signed ssl_cert_file /etc/pki/tls/private/host_perdition.crt ssl_cert_accept_self_signed ssl_key_file /etc/pki/tls/private/host_perdition.key Thanks in advance for any help, I’ve spent a good amount of time stuck on this issue. Steven Kelbley

9 years, 7 months

Perdition not recognizing STARTTLS?

by Steven Kelbley

Hi all, hoping you might be able to help me out. I have a Perdition proxy server (v1.17.1-1) setup to forward users to one of two Cyrus (v2.3.16) backend mailstores based on an LDAP query. Everything works fine except for securing the connection between Perdition and Cyrus; somehow Perdition is seemingly ignoring the STARTTLS entry in the mail server's CAPABILITY string. STARTTLS works perfectly fine connecting from the Perdition server to the Cyrus server using both "imtest" and "openssl s_client". The certs are all signed by a separate test CA I set up the other day and work fine otherwise. I've posted the log and relevant Perdition configs below, and I’ve tested the backend servers individually to ensure STARTTLS is working fine on Cyrus’ end. Have I messed something up? ##/var/log/maillog## Sep 3 10:23:34 perdition-host perdition[20007]: Connect: client.example.com -> perdition.example.com Sep 3 10:23:34 perdition-host perdition[20007]: SELF: "* OK IMAP4 Ready perdition.example.com 00021e71\r\n" Sep 3 10:23:34 perdition-host perdition[20007]: CLIENT: "1 STARTTLS\r\n" Sep 3 10:23:34 perdition-host perdition[20007]: SELF: "1 OK Begin TLS negotiation now\r\n" Sep 3 10:23:34 perdition-host perdition[20007]: SSL connection using AES256-GCM-SHA384 Sep 3 10:23:34 perdition-host perdition[20007]: CLIENT: "2 login \" user-test(a)email.example.com\" \"password\"" Sep 3 10:23:34 perdition-host perdition[20007]: CLIENT: "\r\n" Sep 3 10:23:34 perdition-host perdition[20007]: username_add_domain: username_add_domain 0 1 0x260e0b4 Sep 3 10:23:34 perdition-host perdition[20007]: username_add_domain: username_add_domain 0 4 0x260e0b4 Sep 3 10:23:34 perdition-host perdition[20007]: REAL: "* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=PLAIN AUTH=LOGIN SASL-IR COMPRESS=DEFLATE] server ready\r\n* OK [ALERT] Cyrus01\r\n" Sep 3 10:23:34 perdition-host perdition[20007]: SELF: "flim07 CAPABILITY\r\n" Sep 3 10:23:34 perdition-host perdition[20007]: tls_outgoing_force is set, but the real-server does not have the STARTTLS capability, connection will not be encrypted Sep 3 10:23:34 perdition-host perdition[20007]: SELF: "flim07 CAPABILITY\r\n" Sep 3 10:23:34 perdition-host perdition[20007]: REAL: "* CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=PLAIN AUTH=LOGIN SASL-IR COMPRESS=DEFLATE ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE SCAN IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH\r\nflim07 OK Completed\r\n" Sep 3 10:23:34 perdition-host perdition[20007]: SELF: "flim08 LOGIN {37}\r\n" Sep 3 10:23:34 perdition-host perdition[20007]: REAL: "* CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=PLAIN AUTH=LOGIN SASL-IR COMPRESS=DEFLATE ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE SCAN IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH\r\nflim07 OK Completed\r\n" Sep 3 10:23:34 perdition-host perdition[20007]: SELF: "* CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=PLAIN AUTH=LOGIN SASL-IR COMPRESS=DEFLATE ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE SCAN IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH\r\n" Sep 3 10:23:34 perdition-host perdition[20007]: imap4_out_response: invalid tag from server 1 Sep 3 10:23:34 perdition-host perdition[20007]: imap4_out_authenticate: imap4_out_response login Sep 3 10:23:34 perdition-host perdition[20007]: SELF: " user-test(a)email.example.com {9}\r\n" Sep 3 10:23:34 perdition-host perdition[20007]: REAL: "+ go ahead\r\n" Sep 3 10:23:34 perdition-host perdition[20007]: SELF: "password\r\n" Sep 3 10:23:34 perdition-host perdition[20007]: REAL: "+ go ahead\r\n" Sep 3 10:23:34 perdition-host perdition[20007]: imap4_out_response: invalid tag from server 1 Sep 3 10:23:34 perdition-host perdition[20007]: imap4_out_authenticate: imap4_out_response passwd Sep 3 10:23:34 perdition-host perdition[20007]: main: protocol->out_authenticate -1 Sep 3 10:23:34 perdition-host perdition[20007]: Fatal error authenticating user. Exiting child. ##/etc/sysconfig/perdition## RUN_PERDITION=yes POP3=no POP3S=no IMAP4=no IMAP4S=yes ##/usr/etc/perdition/perdition_imap4s.conf## (All left default except following options:) connection_logging debug listen_port 143 map_library /usr/lib/libperditiondb_ldap.so.0 map_library_opt "ldap:<ldap_url_here>" ok_line Connected to perdition IMAP proxy. protocol IMAP4S outgoing_port 143 pid_file /var/run/perdition/perdition.imap4s.pid timeout 60 ssl_mode tls_all ssl_ca_file /etc/pki/tls/certs/ca.crt ssl_ca_accept_self_signed ssl_cert_file /etc/pki/tls/private/host_perdition.crt ssl_cert_accept_self_signed ssl_key_file /etc/pki/tls/private/host_perdition.key Thanks in advance for any help, I’ve spent a good amount of time stuck on this issue. Steven Kelbley

9 years, 7 months

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

Perdition-users September 2014