Perdition-users

perdition-users@vergenet.net

327 discussions

[SECURITY] ssl_outgoing_ciphers not applied to STARTTLS connections

by Daniel Kahn Gillmor

Perdition(8) says: --ssl_outgoing_ciphers STRING: Cipher list when making outgoing SSL or TLS connections as per ciphers(1). If empty ("") then openssl's default will be used. (default "") However, this is only the case for outgoing connections that do not use STARTTLS (the perdition terminology is confusing here, since what it calls "TLS" actually means "start as cleartext, negotiate to encrypted via STARTTLS" and what it calls "SSL" actually means "start SSL or TLS session, run service inside that"). Here's the fix: diff -r 046a7b19cd5b perdition/perdition.c --- a/perdition/perdition.c Thu Nov 07 21:23:31 2013 -0500 +++ b/perdition/perdition.c Thu Nov 07 21:49:39 2013 -0500 @@ -985,7 +985,7 @@ else if((opt.ssl_mode & SSL_MODE_TLS_OUTGOING) && (status & PROTOCOL_S_STARTTLS)) { server_io=perdition_ssl_client_connection(server_io, opt.ssl_ca_file, - opt.ssl_ca_path, opt.ssl_listen_ciphers, servername); + opt.ssl_ca_path, opt.ssl_outgoing_ciphers, servername); if(!server_io) { VANESSA_LOGGER_DEBUG("perdition_ssl_connection outgoing"); VANESSA_LOGGER_ERR("Fatal error establishing SSL connection"); This is a security concern because it means that perdition is not obeying the specifications of the administrator, and may accept weaker ciphersuites than instructed on its backhaul connections. Consider the case where an administrator wants to offer relatively promiscuous IMAP connections to their end users -- if the user's MUA only has some weak cipher suite or cleartext IMAP, we want to accept the weak ciphersuite as better than nothing. However, the admin's backend IMAP servers are all under her control, and she knows that they are capable of stronger ciphersuites. in this case, ssl_listen_ciphers will allow weak ciphers, and ssl_outgoing_ciphers will be strict and require high security, to at least protect the link between perdition and the backend IMAP server. However, if this outgoing connection happens to use IMAP+STARTTLS instead of IMAPS, the bug described here will offer weak ciphersuites to the backend IMAP server. Regards, --dkg

10 years, 6 months

enable ephemeral Diffie-Hellman (aka EDH or DHE)

by Daniel Kahn Gillmor

Hi Perdition folks-- I just noticed that when i operate perdition as a server offering TLS, clients are unable to select an ephemeral Diffie-Hellman key exchange mechanism (also known as EDH or DHE). Since DHE is the most widely-supported TLS key exchange mechanism to provide Perfect Forward Secrecy (PFS), it seems like something perdition might want. The patch below enables DHE support for perdition. By default, it looks for a PEM-encoded DH PARAMETERS section in the server's certificate file. I've also added a configuration option (--ssl_dh_params_file) which can be used to specify a separate file for the DH params if desired. With the patch and --ssl_dh_params_file explicitly declared, perdition will throw an error if no DH parameters could be loaded. if --ssl_dh_params_file isn't declared, it just tries to load DH params From the cert file and carries on without DHE if no params can be found. Another alternative could be to embed a default set of DH parameters into perdition itself, if no parameters can be loaded. I didn't implement that, but could do so if it is desired. Please let me know. Also attached is a simple test script (reliant on gnutls-bin for setup) that can be run from a built perdition source tree; if the built version of perdition supports DHE, the script will leave the user in an IMAP session with a test server (no backend attached, basically only LOGOUT works). If the built version of perdition doesn't work, then the script will terminate. Either way, copious diagnostic output is produced. I'd be happy to have this feature adopted by perdition upstream, since i have users of perdition who actively want to configure their MUAs to use some PFS-enabled ciphersuite. The patch is made against changeset 913:384a78e5951a. Please let me know if there are changes you'd like to see, or if there is anything that i should update to make the patch more acceptable for inclusion upstream. Thanks for perdition, --dkg

10 years, 6 months

Perdition Configuration Question

by Pradeep Nambiar

I am trying to set up perdition to proxy POP3S for some domains. I have a main server (server1) serving domain1.com I have another mail server (server2) serving domain2.com I want to setup perdition on server1 so that all POP3S request is proxied to server2 for domain2.com I setup perdition.pop3s to listen on 996 I have setup popmap.re with the following rule .*(a)domain1.com: localhost:995 .*(a)domain2.com: server2:995 I am trying to retrieve e-mail for user(a)domain1.com I am not able to get this to work. I keep getting "vanessa_socket_client_src_open: connect: Connection refused" "-ERR failed: Could not connect to the server\r\n" Since perdition is on server1 and proxying to localhost, I am not sure why the connection is being refused? Any pointers would be greatly appreciated.

10 years, 7 months

installation problems on FreeBSD

by jv1940＠centrum.cz

Hello all, I have problems with installation of Perdition on FreeBSD 9.1 I tried ports at first but I am receving various errors such as: In case of port 1.17 dlopen of "/usr/local/lib/libperditiondb_posix_regex.so.0" failed In case of compiling from source port 1.18: /usr/bin/ld: /usr/local/lib/libcdb.a(cdb_seek.o): relocation R_X86_64_32 against `a local symbol' can not be used when making a shared object; recompile with -fPIC /usr/local/lib/libcdb.a: could not read symbols: Bad value *** [libperditiondb_cdb.la] Error code 1 1 error *** [all-recursive] Error code 1 1 error *** [all-recursive] Error code 1 1 error *** [all-recursive] Error code 1 1 error *** [all] Error code 2 1 error ===> Compilation failed unexpectedly. Try to set MAKE_JOBS_UNSAFE=yes and rebuild before reporting the failure to the maintainer. *** [do-build] Error code 1 Stop in /basejail/usr/ports/mail/perdition. *** [build] Error code 1 Stop in /basejail/usr/ports/mail/perdition. This error above I see even if I compile perdition from source downloaded from http://horms.net/projects/perdition/download/ (I tried both 1.18 and 1.19-rc5) If I use parameters --enable-static --disable-gdbm --disable-cdb, compilation finishes without any error but if I run: perdition -f /usr/local/etc/perdition/perdition.conf -d it just did not start. Does anyone here has some suggestion what am I doing wrong? Thanks a lot. JV

10 years, 8 months

Perdition CLOSE-WAIT a lot of times

by Pandu Poluan

Hello! I was running Perdition on my server, but we often see connections ending in CLOSE-WAIT state, needing to kill the involved processes to clear. Is there a timeout somewhere that I forgot to set, resulting in this behavior? Or, what could be the cause of these whole bunch of CLOSE-WAITs? Here's some info on my system: uname -a Linux mail-3 3.2.0-52-virtual #78-Ubuntu SMP Fri Jul 26 16:45:00 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux dpkg-query --list perdition Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Description +++-=================================-=================================-================================================================================== ii perdition 1.19~rc4-4build1 POP3 and IMAP4 Proxy server Thank you for your assistance. Rgds, -- FdS Pandu E Poluan ~ IT Optimizer ~ • LOPSA Member #15248 • Blog : http://pepoluan.tumblr.com • Linked-In : http://id.linkedin.com/in/pepoluan

10 years, 8 months

keeping the outbound connection connected when client disconnects

by Rick Mombassa

I am looking for a solution where I need to connect multiple times over time to a 3rd party POP3 SSL server using my webmail interface, but that server only allows me to connect 5 times in 15 minutes. Meaning: I am looking for a solution where the outbound (real server) connection stays established even though the inbound connection (client) temporarily goes away. imapproxy provides such functionality but cannot be used for other reasons. Perdition looks like a good solution, but whenever the client terminates the connection, the associated process terminates as well. On the other hand I see config parameters such as "timeout" that lead me to the assumption it could be possible to set up what I need. Any advise appreciated. Thanks, Rick

10 years, 8 months

Perdition support for LDAP Authentication?

by Todd Taylor

Perdition Pros... I'm trying to integrate Perdition 1.19rc5 into an existing LDAP/ADAM farm for popmap lookup on Redhat 5.6. Unfortunately, Anonymous and Simple bind do not work as they only seem to support SASL mechanisms. Does Perdition support SASL authentication with LDAP? If so, can anyone provide any guidance or links for formulating the LDAP binding url? Thanks in advance, Todd

10 years, 9 months

perdition mysql - no query in mysql.log

by Maxime Poitevineau-Millin

Hello, We have an issue with perdition. When I try with telnet to login there is an error : NO failed: Could not determine server In syslog : Jul 29 01:32:01 MailServer1 perdition.imap4[9334]: username_add_domain: username_add_domain 0 1 Jul 29 01:32:01 MailServer1 perdition.imap4[9334]: dbserver_get: mysql_connect: Jul 29 01:32:01 MailServer1 perdition.imap4[9334]: getserver: do_dbserver_get Jul 29 01:32:04 MailServer1 perdition.imap4[9334]: SELF: "a1 NO failed: Could not determine server\r\n" Jul 29 01:32:04 MailServer1 perdition.imap4[9334]: Auth: 78.219.65.150:61694 ->192.168.2.40:143 client-secure=plaintext authorisation_id=NONE authentication_id="contact(a)test.xxxx" passwd="test" server="(null):imap2" protocol=IMAP4 server-secure=plaintext status="failed: Could not determine server" My conf : connection_logging debug log_facility mail imap_capability IMAP4 IMAP4REV1 LITERAL+ log_passwd always map_library /usr/lib/libperditiondb_mysql.so.0 map_library_opt "localhost:3306:dbPerdition:tblPerdition:perdition:perdition:user:servername:port" username_from_database I log every query in mysql.log but when I try to login there is no query in mysql log. Could you help me ? ___ [image: dipia] Maxime Poitevineau-Millin - *M* : 06 33 17 64 28 * T : *03 80 40 33 46 - *F* : 04 84 25 03 63

10 years, 9 months

HOWTO: perdition 1.19r5 on Solaris w/ Sun Studio 12.3 compiler

by Mark Ashley

A bit of butchery is needed to get 1.19.r5 going on Solaris. This post is for the archives. perdition/db/daemon headers include str.h and managesieve_write.h which leads to: Undefined first referenced symbol in file managesieve_write client.o strcasedelimword client.o perd_str_write client.o The problem with str.h is the strcaseword function is in the header, not in the .c file. I had to fix that. Otherwise the header files have been included where they are required, not globally. There's no mkdtemp on Solaris < 11 so we substitute mktemp and mkdir configure doesn't use the mysql libraries when testing for mysql_real_connect, so it fails. strcasestr is not on Solaris 10 but is on Solaris 11. I renamed perditions' version to perd_strcasestr so it doesn't matter what O.S. you compile on. The Makefile LDFLAGS has -rdynamic which is Linux only. Our ldap schema is in /usr/local/etc/openldap which isn't tested for. The perdition/db/ldap/Makefile hardcodes install which ends up using /etc/install on Solaris, that's not good. The perdition/db/ldap/Makefile ignores $prefix when installing the schema. cd /var/tmp rm -rf perdition-1.19-rc5 untgz /usr/local/src/net/perdition-1.19-rc5.tar.gz cd perdition-1.19-rc5 tail -7 perdition/str.h | head -6 >> perdition/str.c perl -pe '($. == 12273) && s%-lmysqlclient%-L/usr/local/mysql/lib -lmysqlclient%' -i configure perl -pe 's%/usr/local/openldap/etc/schema%/usr/local/etc/openldap/schema%' -i configure perl -pe 's%strcasestr%perd_strcasestr%' -i perdition/str.h perl -pe 's%strcasestr%perd_strcasestr%' -i perdition/str.c perl -pe 's%mkdtemp$sock.dir$%mktemp$sock.dir$ \|\| mkdir$sock.dir, 0700 )%' -i perdition/db/daemon/client.c perl -pe 's%mkdtemp\(sock.dir$%mktemp$sock.dir$ \|\| mkdir\(sock.dir, 0700 )%' -i perdition/db/daemon/perditiondb_daemon.c perl -pe "s%types.h%types.h>\n#include <sys/stat.h%" -i perdition/db/daemon/client.c perl -pe "s%types.h%types.h>\n#include <sys/stat.h%" -i perdition/db/daemon/perditiondb_daemon.c perl -pe 's%str_write%perd_str_write%' -i perdition/str.h perl -pe 's%static inline%%' -i perdition/str.c perl -pe 's%str_write%perd_str_write%' -i perdition/str.c perl -pe 's%str_write%perd_str_write%' -i perdition/managesieve_write.h perl -pe 's%str_write%perd_str_write%' -i perdition/managesieve_write.c perl -pe 's%^perdition_LDFLAGS =.*%perdition_LDFLAGS=%' -i perdition/Makefile.in perl -pe 's%^#include "managesieve_write.h"%%' -i perdition/options.h perl -pe '(394 .. 398) && s%^.*%%' -i perdition/str.h perl -pe 's%^#endif.*%const char *strcaseword(const char *haystack, const char *needle);\n#endif%' -i perdition/str.h perl -pe 's%perdition_globals%perdition_globals.h\"\n#include \"managesieve_write%' -i perdition/options.c cp /usr/local/lib/libtool . ./configure --prefix=/usr/local \ --disable-silent-rules \ --with-libidn=/usr/local \ --with-ssl-includes=/usr/local/include \ --with-ssl-libraries=/usr/local/lib \ --with-mysql-includes=/usr/local/mysql/include \ --with-mysql-libraries=/usr/local/mysql/lib \ --with-odbc-includes=/usr/local/include \ --with-odbc-libraries=/usr/local/lib \ --with-ldap-includes=/usr/local/include \ --with-ldap-libraries=/usr/local/lib perl -pe 's%install -m%/usr/local/bin/ginstall -m%' -i perdition/db/ldap/Makefile gmake gmake install These packages are now on the Solaris package archive: vanessa-adt.0.0.9.SPARC.64bit.Solaris.10.pkg vanessa-adt.0.0.9.i86pc.Solaris.10.pkg vanessa-adt.0.0.9.i86pc.Solaris.11.pkg vanessa-logger.0.0.10.SPARC.64bit.Solaris.10.pkg vanessa-logger.0.0.10.i86pc.Solaris.10.pkg vanessa-logger.0.0.10.i86pc.Solaris.11.pkg vanessa-socket.0.0.12.SPARC.64bit.Solaris.10.pkg vanessa-socket.0.0.12.i86pc.Solaris.10.pkg vanessa-socket.0.0.12.i86pc.Solaris.11.pkg popt.1.14.SPARC.64bit.Solaris.10.pkg popt.1.14.i86pc.Solaris.10.pkg popt.1.14.i86pc.Solaris.11.pkg perdition.1.19.r5.SPARC.64bit.Solaris.10.pkg perdition.1.19.r5.i86pc.Solaris.10.pkg perdition.1.19.r5.i86pc.Solaris.11.pkg ta, Mark. http://www.ibiblio.org/pub/packages/solaris/sparc/

10 years, 10 months

Perdition: Handling partial host name returned from pop map

by Todd Taylor

Perdition folks, I'm investigating implementing the latest version of Perdition Proxy for a client where the popmap would be provided using LDAP. User/Domain routes are already stored in LDAP, with limited information. Perdition will be servicing POP/POPS and IMAP/IMAPS. They will have multiple load balanced proxies to multiple unique mail platforms. The users are going through a migration, so their target will change and there is not a 1:1 mapping between old to new targets. At the moment, each user is connecting with a target pod specific FQDN. The client is reluctant to add additional LDAP attributes unless absolutely necessary. They currently have the partial hostname of the user's target mail platform stored in LDAP, as 'pod1'. For all connections to work, I believe I'll need a full hostname (ie, pop.pod1.platformdomain.com and imap.pod1.platformdomain.com) that matches the cert on the target platform interface. I'm sure I could use DNS for to resolve 'pod1' to the target platform IP. However, I don't think it will help for SSL connections, presenting perdition with an SSL challenge during connection to the target. Given the above, I have a couple questions for those with any thoughts or experiences: 1) Can I configure Perdition to ignore the cert errors when connecting to the target? 2) If (1) can be done, can I simply using DNS to deal with the partial hostname? 3) Assuming above doesn't work, is there a nifty way to 'fix up' the hostname returned from the popmap? Is it possible to prefix 'pop.' and append '.domain.com' to the value returned? 4) Would you recommend: a. One Perdition farm listening to all user connections and routing to any target farm -or- b. Perdition farms per Pod/FQDN, allowing for a default route while also providing a means of routing to other pods. Much thanks, Todd

10 years, 10 months

← Newer
1
...
4
5
6
7
8
9
10
...
33
Older →

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

Perdition-users