Hi all, hoping you might be able to help me out. I have a Perdition proxy
server (v1.17.1-1) set up to forward users to one of two Cyrus (v2.3.16)
backend mailstores based on an LDAP query. Everything works fine except for
securing the connection between Perdition and Cyrus; somehow Perdition is
seemingly ignoring the STARTTLS entry in the mail server's CAPABILITY
string. STARTTLS works perfectly fine connecting from the Perdition server
to the Cyrus server using both "imtest" and "openssl s_client".
The certs are all signed by a separate test CA I set up the other day and
work fine otherwise. I've posted the log and relevant Perdition configs
below, and I’ve tested the backend servers individually to ensure STARTTLS
is working fine on Cyrus’ end. Have I messed something up?
##/var/log/maillog##
Sep 3 10:23:34 perdition-host perdition[20007]: Connect:
client.example.com -> perdition.example.com
Sep 3 10:23:34 perdition-host perdition[20007]: SELF: "* OK IMAP4
Ready perdition.example.com 00021e71\r\n"
Sep 3 10:23:34 perdition-host perdition[20007]: CLIENT: "1
STARTTLS\r\n"
Sep 3 10:23:34 perdition-host perdition[20007]: SELF: "1 OK Begin
TLS negotiation now\r\n"
Sep 3 10:23:34 perdition-host perdition[20007]: SSL connection using
AES256-GCM-SHA384
Sep 3 10:23:34 perdition-host perdition[20007]: CLIENT: "2 login \"
user-test@email.example.com\" \"password\""
Sep 3 10:23:34 perdition-host perdition[20007]: CLIENT: "\r\n"
Sep 3 10:23:34 perdition-host perdition[20007]: username_add_domain:
username_add_domain 0 1 0x260e0b4
Sep 3 10:23:34 perdition-host perdition[20007]: username_add_domain:
username_add_domain 0 4 0x260e0b4
Sep 3 10:23:34 perdition-host perdition[20007]: REAL: "* OK
[CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=PLAIN AUTH=LOGIN
SASL-IR COMPRESS=DEFLATE] server ready\r\n* OK [ALERT] Cyrus01\r\n"
Sep 3 10:23:34 perdition-host perdition[20007]: SELF: "flim07
CAPABILITY\r\n"
Sep 3 10:23:34 perdition-host perdition[20007]: tls_outgoing_force is
set, but the real-server does not have the STARTTLS capability, connection
will not be encrypted
Sep 3 10:23:34 perdition-host perdition[20007]: SELF: "flim07
CAPABILITY\r\n"
Sep 3 10:23:34 perdition-host perdition[20007]: REAL: "* CAPABILITY
IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=PLAIN AUTH=LOGIN SASL-IR
COMPRESS=DEFLATE ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS
NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ
THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE
SCAN IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH\r\nflim07 OK
Completed\r\n"
Sep 3 10:23:34 perdition-host perdition[20007]: SELF: "flim08 LOGIN
{37}\r\n"
Sep 3 10:23:34 perdition-host perdition[20007]: REAL: "* CAPABILITY
IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=PLAIN AUTH=LOGIN SASL-IR
COMPRESS=DEFLATE ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS
NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ
THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE
SCAN IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH\r\nflim07 OK
Completed\r\n"
Sep 3 10:23:34 perdition-host perdition[20007]: SELF: "* CAPABILITY
IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=PLAIN AUTH=LOGIN SASL-IR
COMPRESS=DEFLATE ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS
NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ
THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE
SCAN IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH\r\n"
Sep 3 10:23:34 perdition-host perdition[20007]: imap4_out_response:
invalid tag from server 1
Sep 3 10:23:34 perdition-host perdition[20007]:
imap4_out_authenticate: imap4_out_response login
Sep 3 10:23:34 perdition-host perdition[20007]: SELF: "
user-test@email.example.com {9}\r\n"
Sep 3 10:23:34 perdition-host perdition[20007]: REAL: "+ go
ahead\r\n"
Sep 3 10:23:34 perdition-host perdition[20007]: SELF: "password\r\n"
Sep 3 10:23:34 perdition-host perdition[20007]: REAL: "+ go
ahead\r\n"
Sep 3 10:23:34 perdition-host perdition[20007]: imap4_out_response:
invalid tag from server 1
Sep 3 10:23:34 perdition-host perdition[20007]:
imap4_out_authenticate: imap4_out_response passwd
Sep 3 10:23:34 perdition-host perdition[20007]: main:
protocol->out_authenticate -1
Sep 3 10:23:34 perdition-host perdition[20007]: Fatal error
authenticating user. Exiting child.
##/etc/sysconfig/perdition##
RUN_PERDITION=yes
POP3=no
POP3S=no
IMAP4=no
IMAP4S=yes
##/usr/etc/perdition/perdition_imap4s.conf##
(All left at default except the following options:)
connection_logging
debug
listen_port 143
map_library /usr/lib/libperditiondb_ldap.so.0
map_library_opt "ldap:<redacted>"
ok_line Connected to perdition IMAP proxy.
protocol IMAP4S
outgoing_port 143
pid_file /var/run/perdition/perdition.imap4s.pid
timeout 60
ssl_mode tls_all
ssl_ca_file /etc/pki/tls/certs/ca.crt
ssl_ca_accept_self_signed
ssl_cert_file /etc/pki/tls/private/host_perdition.crt
ssl_cert_accept_self_signed
ssl_key_file /etc/pki/tls/private/host_perdition.key
Thanks in advance for any help, I’ve spent a good amount of time stuck on
this issue.
Steven Kelbley
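An added example, not part of the original post and not Perdition's own code: a small IMAP capability check that illustrates the two places a STARTTLS advertisement can appear in the log above. Cyrus announces it twice, first as a response code in the greeting ("* OK [CAPABILITY ... STARTTLS ...] server ready", followed by a second untagged "* OK [ALERT] Cyrus01" line) and again in the untagged "* CAPABILITY ..." reply to the proxy's CAPABILITY command. The log also shows what a fail-open policy costs: after the warning "connection will not be encrypted", the proxy goes on to send LOGIN with the username and password to the backend on the unencrypted socket. The parser below handles both capability forms and, when TLS is required, refuses to continue rather than falling back to plaintext. The sample strings are constructed from the log lines in the post (trimmed), and the function names are my own.

```python
import re

# Constructed samples, modelled on the backend greeting and CAPABILITY
# reply quoted in the post's maillog (capability list trimmed for brevity).
GREETING = (
    "* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=PLAIN "
    "AUTH=LOGIN SASL-IR COMPRESS=DEFLATE] server ready\r\n"
    "* OK [ALERT] Cyrus01\r\n"
)
CAPABILITY_REPLY = (
    "* CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=PLAIN AUTH=LOGIN "
    "SASL-IR COMPRESS=DEFLATE ACL RIGHTS=kxte QUOTA IDLE\r\n"
    "flim07 OK Completed\r\n"
)
# Constructed greeting from a backend that does not offer STARTTLS at all.
PLAIN_GREETING = "* OK IMAP4 server ready\r\n"

# Form 1: capability list carried as a response code inside an untagged OK,
# e.g. "* OK [CAPABILITY IMAP4 STARTTLS ...] server ready".
_RESP_CODE = re.compile(r"^\*\s+OK\s+\[CAPABILITY\s+([^\]]*)\]", re.IGNORECASE)
# Form 2: a plain untagged CAPABILITY response, e.g. "* CAPABILITY IMAP4 STARTTLS ...".
_UNTAGGED = re.compile(r"^\*\s+CAPABILITY\s+(.*)$", re.IGNORECASE)


def parse_capabilities(data):
    """Collect every capability advertised in a chunk of server output.

    Returns a set of upper-cased capability tokens, or None when the chunk
    contains no capability advertisement at all (so a caller can tell
    "server said nothing" apart from "server listed nothing useful").
    """
    caps = set()
    found = False
    for raw in data.split("\r\n"):
        line = raw.strip()
        if not line.startswith("*"):
            continue  # tagged replies and continuation requests carry no capabilities
        m = _RESP_CODE.match(line) or _UNTAGGED.match(line)
        if m:
            caps.update(tok.upper() for tok in m.group(1).split())
            found = True
    return caps if found else None


class TlsRequiredError(Exception):
    """Raised when policy demands TLS but the backend did not advertise STARTTLS."""


def decide_outgoing_tls(server_output, require_tls=True):
    """Decide how to proceed with the backend before any credentials are sent.

    'starttls'  -> STARTTLS was advertised; issue STARTTLS before LOGIN.
    'plaintext' -> no STARTTLS and policy allows it (only when require_tls is False).
    Raises TlsRequiredError instead of silently downgrading when TLS is required,
    which is the fail-closed behaviour you want in front of a LOGIN command.
    """
    caps = parse_capabilities(server_output)
    if caps is not None and "STARTTLS" in caps:
        return "starttls"
    if require_tls:
        raise TlsRequiredError(
            "backend did not advertise STARTTLS; refusing to send credentials in the clear"
        )
    return "plaintext"


if __name__ == "__main__":
    print("greeting:", decide_outgoing_tls(GREETING))
    print("capability reply:", decide_outgoing_tls(CAPABILITY_REPLY))
    try:
        decide_outgoing_tls(PLAIN_GREETING)
    except TlsRequiredError as exc:
        print("plain greeting:", exc)
```

The same check from the shell is the one already mentioned in the post: `openssl s_client -connect cyrus-host:143 -starttls imap` against each backend, which confirms the backend side independently of the proxy. The point of the parser is that whichever of the two forms the proxy reads, the decision to send LOGIN has to be made after a positive STARTTLS result, and a missing advertisement should abort the session rather than log a warning and continue.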