Perdition(8) says:
--ssl_outgoing_ciphers STRING:
Cipher list when making outgoing SSL or TLS connections as
per ciphers(1). If empty ("") then openssl's default will
be used. (default "")
However, this is only the case for outgoing connections that do not use
STARTTLS (the perdition terminology is confusing here, since what it
calls "TLS" actually means "start as cleartext, negotiate to encrypted
via STARTTLS" and what it calls "SSL" actually means "start SSL or TLS
session, run service inside that").
Here's the fix:
diff -r 046a7b19cd5b perdition/perdition.c
--- a/perdition/perdition.c Thu Nov 07 21:23:31 2013 -0500
+++ b/perdition/perdition.c Thu Nov 07 21:49:39 2013 -0500
@@ -985,7 +985,7 @@
else if((opt.ssl_mode & SSL_MODE_TLS_OUTGOING) &&
(status & PROTOCOL_S_STARTTLS)) {
server_io=perdition_ssl_client_connection(server_io, opt.ssl_ca_file,
- opt.ssl_ca_path, opt.ssl_listen_ciphers, servername);
+ opt.ssl_ca_path, opt.ssl_outgoing_ciphers, servername);
if(!server_io) {
VANESSA_LOGGER_DEBUG("perdition_ssl_connection outgoing");
VANESSA_LOGGER_ERR("Fatal error establishing SSL connection");
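Review bot: the one-token swap from opt.ssl_listen_ciphers to opt.ssl_outgoing_ciphers on the perdition_ssl_client_connection call is the right fix for this STARTTLS branch, but the two log lines in the trailing context still read "perdition_ssl_connection outgoing" and "Fatal error establishing SSL connection" although the function called here is perdition_ssl_client_connection and the branch is the STARTTLS path; naming the function and the STARTTLS case in the debug message would let an operator tell a failure here apart from one on the plain SSL outgoing branch. It would also be worth stating in the commit message that the non-STARTTLS outgoing branch (not in this hunk) already passes opt.ssl_outgoing_ciphers, so that both outgoing paths are confirmed to agree after this change.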
This is a security concern because it means that perdition is not
obeying the specifications of the administrator, and may accept weaker
ciphersuites than instructed on its backhaul connections.
Consider the case where an administrator wants to offer relatively
promiscuous IMAP connections to their end users -- if the user's MUA
only has some weak cipher suite or cleartext IMAP, we want to accept the
weak ciphersuite as better than nothing. However, the admin's backend
IMAP servers are all under her control, and she knows that they are
capable of stronger ciphersuites. In this case, ssl_listen_ciphers will
allow weak ciphers, and ssl_outgoing_ciphers will be strict and require
high security, to at least protect the link between perdition and the
backend IMAP server.
However, if this outgoing connection happens to use IMAP+STARTTLS
instead of IMAPS, the bug described here will offer weak ciphersuites to
the backend IMAP server.
Regards,
--dkg
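As an added example that is not part of dkg's report or of perdition's own code, the following Python script shows how an administrator can check that the two cipher strings intended for ssl_listen_ciphers and ssl_outgoing_ciphers really express the split policy described above (permissive toward clients, strict and forward-secret on the backhaul) before relying on them. It expands each OpenSSL cipher-list string with Python's ssl module and inspects the suites that result. The sample strings LISTEN and OUTGOING, the helper names and the 128-bit threshold are assumptions chosen for the example, not perdition settings.

```python
import ssl

# Key-exchange identifiers reported by SSLContext.get_ciphers() that give
# forward secrecy: ephemeral DH/ECDH, or TLS 1.3 ("kx-any"), which is always
# ephemeral.
PFS_KEA = {"kx-dhe", "kx-ecdhe", "kx-dhe-psk", "kx-ecdhe-psk", "kx-any"}


def expand_cipher_list(cipher_list):
    """Expand an OpenSSL cipher-list string into the suites it selects.

    Raises ssl.SSLError if the string matches no cipher at all, which is the
    same failure a C caller would get from SSL_CTX_set_cipher_list().
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_list)
    return ctx.get_ciphers()


def min_strength_bits(cipher_list):
    """Weakest symmetric strength (in bits) any suite in the list allows."""
    return min(c["strength_bits"] for c in expand_cipher_list(cipher_list))


def non_pfs_suites(cipher_list):
    """Names of suites in the list whose key exchange is not ephemeral.

    Older OpenSSL builds do not report the 'kea' field; those suites are not
    flagged, so the check is only conclusive where the field is present.
    """
    return [c["name"] for c in expand_cipher_list(cipher_list)
            if c.get("kea", "kx-any") not in PFS_KEA]


def audit_policy(listen_ciphers, outgoing_ciphers, backhaul_min_bits=128):
    """Check the two perdition cipher settings against the intent in the post:
    the client-facing list may be permissive, but the list used for the
    proxy-to-backend link must admit only strong, forward-secret suites.

    Returns a dict of findings; an empty 'problems' list means the outgoing
    policy is as strict as intended (assumed threshold: backhaul_min_bits)."""
    problems = []
    if min_strength_bits(outgoing_ciphers) < backhaul_min_bits:
        problems.append("outgoing list admits suites below %d bits"
                        % backhaul_min_bits)
    weak_kx = non_pfs_suites(outgoing_ciphers)
    if weak_kx:
        problems.append("outgoing list admits non-PFS suites: "
                        + ", ".join(weak_kx))
    return {
        "listen_min_bits": min_strength_bits(listen_ciphers),
        "outgoing_min_bits": min_strength_bits(outgoing_ciphers),
        "problems": problems,
    }


# Constructed sample settings: a permissive client-facing list and a strict
# backhaul list, as the post's administrator would configure them.
LISTEN = "ALL:!aNULL:!eNULL"
OUTGOING = "HIGH:!aNULL:!eNULL:!MD5:!kRSA:!PSK:!SRP"

if __name__ == "__main__":
    for key, value in audit_policy(LISTEN, OUTGOING).items():
        print("%s=%s" % (key, value))
    print("client-facing non-PFS suites:", non_pfs_suites(LISTEN))
```

The suite sets a string expands to depend on the OpenSSL build Python is linked against, exactly as they do for perdition, so the check should be run on the proxy host itself. A string that expands to nothing raises ssl.SSLError, which is the case to watch for after an OpenSSL upgrade removes suites an old configuration still names.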
Hi Perdition folks--
I just noticed that when I operate perdition as a server offering TLS,
clients are unable to select an ephemeral Diffie-Hellman key exchange
mechanism (also known as EDH or DHE). Since DHE is the most
widely-supported TLS key exchange mechanism to provide Perfect Forward
Secrecy (PFS), it seems like something perdition might want.
The patch below enables DHE support for perdition. By default, it looks
for a PEM-encoded DH PARAMETERS section in the server's certificate
file. I've also added a configuration option (--ssl_dh_params_file)
which can be used to specify a separate file for the DH params if
desired.
With the patch and --ssl_dh_params_file explicitly declared, perdition
will throw an error if no DH parameters could be loaded. If
--ssl_dh_params_file isn't declared, it just tries to load DH params
from the cert file and carries on without DHE if no params can be found.
Another alternative could be to embed a default set of DH parameters
into perdition itself, if no parameters can be loaded. I didn't
implement that, but could do so if it is desired. Please let me know.
Also attached is a simple test script (reliant on gnutls-bin for setup)
that can be run from a built perdition source tree; if the built version
of perdition supports DHE, the script will leave the user in an IMAP
session with a test server (no backend attached, basically only LOGOUT
works). If the built version of perdition doesn't work, then the script
will terminate. Either way, copious diagnostic output is produced.
I'd be happy to have this feature adopted by perdition upstream, since I
have users of perdition who actively want to configure their MUAs to use
some PFS-enabled ciphersuite.
The patch is made against changeset 913:384a78e5951a.
Please let me know if there are changes you'd like to see, or if there
is anything that I should update to make the patch more acceptable for
inclusion upstream.
Thanks for perdition,
--dkg
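The patch description says that, without --ssl_dh_params_file, perdition looks for a PEM-encoded DH PARAMETERS block in the certificate file and carries on without DHE if none is found. As an added example (not part of dkg's patch or of perdition's code), here is a small PEM section scanner in Python that an administrator can run over the certificate file to confirm the block is actually there before assuming DHE is being offered. The PEM payloads it builds for its samples are constructed placeholders, not real DER; the helper names are this example's own.

```python
import base64
import re

# One PEM block: a BEGIN line, a base64 body, and an END line carrying the
# same label. The body is restricted to base64 characters and whitespace so
# that a mislabelled END line can never be swallowed into an earlier block.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*([A-Za-z0-9+/=\s]*?)\s*-----END \1-----")


def pem_sections(text):
    """Return (label, decoded_bytes) for every well-formed PEM block in text."""
    sections = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        try:
            raw = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:      # binascii.Error is a ValueError subclass
            continue            # undecodable body: not a usable block
        sections.append((label, raw))
    return sections


def pem_labels(text):
    """Just the block labels, in file order."""
    return [label for label, _ in pem_sections(text)]


def dh_params_present(cert_file_text):
    """True if the file carries a DH PARAMETERS block, the section the patch
    description says perdition looks for when --ssl_dh_params_file is unset."""
    return "DH PARAMETERS" in pem_labels(cert_file_text)


def _pem(label, payload):
    """Build a PEM block around constructed placeholder bytes."""
    body = base64.encodebytes(payload).decode("ascii")
    return "-----BEGIN %s-----\n%s-----END %s-----\n" % (label, body, label)


# Constructed samples (placeholder payloads, not real DER):
CERT_ONLY = (_pem("CERTIFICATE", b"placeholder certificate DER")
             + _pem("PRIVATE KEY", b"placeholder private key DER"))
WITH_DH = CERT_ONLY + _pem("DH PARAMETERS", b"placeholder DH parameters DER")
# A block whose END label does not match its BEGIN label is not counted.
MISLABELLED = (CERT_ONLY
               + "-----BEGIN DH PARAMETERS-----\nAAAA\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    samples = (("cert only", CERT_ONLY), ("with DH", WITH_DH),
               ("mislabelled", MISLABELLED))
    for name, text in samples:
        print("%-11s labels=%s DHE possible=%s"
              % (name, pem_labels(text), dh_params_present(text)))
```

To check a real deployment, read the file named by perdition's certificate option into a string and pass it to dh_params_present(); a False result with no --ssl_dh_params_file set means the proxy will, per the patch description, silently run without DHE.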
I am trying to set up perdition to proxy POP3S for some domains.
I have a main server (server1) serving domain1.com
I have another mail server (server2) serving domain2.com
I want to set up perdition on server1 so that all POP3S requests are proxied
to server2 for domain2.com
I set up perdition.pop3s to listen on 996
I have set up popmap.re with the following rule
.*(a)domain1.com: localhost:995
.*(a)domain2.com: server2:995
I am trying to retrieve e-mail for user(a)domain1.com
I am not able to get this to work. I keep getting
"vanessa_socket_client_src_open: connect: Connection refused"
"-ERR failed: Could not connect to the server\r\n"
Since perdition is on server1 and proxying to localhost, I am not sure why
the connection is being refused?
Any pointers would be greatly appreciated.
Hello all,
I have problems with installation of Perdition on FreeBSD 9.1
I tried ports at first but I am receiving various errors such as:
In case of port 1.17
dlopen of "/usr/local/lib/libperditiondb_posix_regex.so.0" failed
In case of compiling from source port 1.18:
/usr/bin/ld: /usr/local/lib/libcdb.a(cdb_seek.o): relocation R_X86_64_32 against `a local symbol' can not be used when making a shared object; recompile with -fPIC
/usr/local/lib/libcdb.a: could not read symbols: Bad value
*** [libperditiondb_cdb.la] Error code 1
1 error
*** [all-recursive] Error code 1
1 error
*** [all-recursive] Error code 1
1 error
*** [all-recursive] Error code 1
1 error
*** [all] Error code 2
1 error
===> Compilation failed unexpectedly.
Try to set MAKE_JOBS_UNSAFE=yes and rebuild before reporting the failure to
the maintainer.
*** [do-build] Error code 1
Stop in /basejail/usr/ports/mail/perdition.
*** [build] Error code 1
Stop in /basejail/usr/ports/mail/perdition.
This error above I see even if I compile perdition from source downloaded from http://horms.net/projects/perdition/download/ (I tried both 1.18 and 1.19-rc5)
If I use parameters --enable-static --disable-gdbm --disable-cdb, compilation finishes without any error but if I run:
perdition -f /usr/local/etc/perdition/perdition.conf -d
it just does not start.
Does anyone here have a suggestion as to what I am doing wrong?
Thanks a lot.
JV
Hello!
I was running Perdition on my server, but we often see connections
ending in CLOSE-WAIT state, needing to kill the involved processes to
clear.
Is there a timeout somewhere that I forgot to set, resulting in this
behavior? Or, what could be the cause of this whole bunch of
CLOSE-WAITs?
Here's some info on my system:
uname -a
Linux mail-3 3.2.0-52-virtual #78-Ubuntu SMP Fri Jul 26 16:45:00 UTC
2013 x86_64 x86_64 x86_64 GNU/Linux
dpkg-query --list perdition
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version
Description
+++-=================================-=================================-==================================================================================
ii perdition 1.19~rc4-4build1
POP3 and IMAP4 Proxy server
Thank you for your assistance.
Rgds,
--
FdS Pandu E Poluan
~ IT Optimizer ~
• LOPSA Member #15248
• Blog : http://pepoluan.tumblr.com
• Linked-In : http://id.linkedin.com/in/pepoluan
I am looking for a solution where I need to connect multiple times over
time to a 3rd party POP3 SSL server using my webmail interface, but that
server only allows me to connect 5 times in 15 minutes.
Meaning: I am looking for a solution where the outbound (real server)
connection stays established even though the inbound connection (client)
temporarily goes away. imapproxy provides such functionality but cannot
be used for other reasons.
Perdition looks like a good solution, but whenever the client terminates
the connection, the associated process terminates as well. On the other
hand I see config parameters such as "timeout" that lead me to the
assumption it could be possible to set up what I need.
Any advice appreciated.
Thanks,
Rick
Perdition Pros...
I'm trying to integrate Perdition 1.19rc5 into an existing LDAP/ADAM farm for popmap lookup on Redhat 5.6. Unfortunately, Anonymous and Simple bind do not work as they only seem to support SASL mechanisms. Does Perdition support SASL authentication with LDAP? If so, can anyone provide any guidance or links for formulating the LDAP binding url?
Thanks in advance,
Todd
Hello,
We have an issue with perdition. When I try with telnet to login there is
an error : NO failed: Could not determine server
In syslog :
Jul 29 01:32:01 MailServer1 perdition.imap4[9334]: username_add_domain:
username_add_domain 0 1
Jul 29 01:32:01 MailServer1 perdition.imap4[9334]: dbserver_get:
mysql_connect:
Jul 29 01:32:01 MailServer1 perdition.imap4[9334]: getserver:
do_dbserver_get
Jul 29 01:32:04 MailServer1 perdition.imap4[9334]: SELF: "a1 NO failed:
Could not determine server\r\n"
Jul 29 01:32:04 MailServer1 perdition.imap4[9334]: Auth: 78.219.65.150:61694
->192.168.2.40:143 client-secure=plaintext authorisation_id=NONE
authentication_id="contact(a)test.xxxx" passwd="test" server="(null):imap2"
protocol=IMAP4 server-secure=plaintext status="failed: Could not determine
server"
My conf :
connection_logging
debug
log_facility mail
imap_capability IMAP4 IMAP4REV1 LITERAL+
log_passwd always
map_library /usr/lib/libperditiondb_mysql.so.0
map_library_opt
"localhost:3306:dbPerdition:tblPerdition:perdition:perdition:user:servername:port"
username_from_database
I log every query in mysql.log but when I try to login there is no query in
mysql log.
Could you help me ?
___
Maxime Poitevineau-Millin - *M* : 06 33 17 64 28
* T : *03 80 40 33 46 - *F* : 04 84 25 03 63
A bit of butchery is needed to get 1.19.r5 going on Solaris. This post is
for the archives.
perdition/db/daemon headers include str.h and managesieve_write.h which
leads to:
Undefined first referenced
symbol in file
managesieve_write client.o
strcasedelimword client.o
perd_str_write client.o
The problem with str.h is the strcaseword function is in the header, not in
the .c file. I had to fix that. Otherwise the header files have been
included where they are required, not globally.
There's no mkdtemp on Solaris < 11, so we substitute mktemp and mkdir.
configure doesn't use the mysql libraries when testing for
mysql_real_connect, so it fails.
strcasestr is not on Solaris 10 but is on Solaris 11. I renamed perdition's
version to perd_strcasestr so it doesn't matter what O.S. you compile on.
The Makefile LDFLAGS has -rdynamic which is Linux only.
Our ldap schema is in /usr/local/etc/openldap which isn't tested for.
The perdition/db/ldap/Makefile hardcodes install which ends up using
/etc/install on Solaris, that's not good.
The perdition/db/ldap/Makefile ignores $prefix when installing the schema.
cd /var/tmp
rm -rf perdition-1.19-rc5
untgz /usr/local/src/net/perdition-1.19-rc5.tar.gz
cd perdition-1.19-rc5
tail -7 perdition/str.h | head -6 >> perdition/str.c
perl -pe '($. == 12273) && s%-lmysqlclient%-L/usr/local/mysql/lib -lmysqlclient%' -i configure
perl -pe 's%/usr/local/openldap/etc/schema%/usr/local/etc/openldap/schema%' -i configure
perl -pe 's%strcasestr%perd_strcasestr%' -i perdition/str.h
perl -pe 's%strcasestr%perd_strcasestr%' -i perdition/str.c
perl -pe 's%mkdtemp\(sock.dir\)%mktemp\(sock.dir\) \|\| mkdir\(sock.dir, 0700 )%' -i perdition/db/daemon/client.c
perl -pe 's%mkdtemp\(sock.dir\)%mktemp\(sock.dir\) \|\| mkdir\(sock.dir, 0700 )%' -i perdition/db/daemon/perditiondb_daemon.c
perl -pe "s%types.h%types.h>\n#include <sys/stat.h%" -i perdition/db/daemon/client.c
perl -pe "s%types.h%types.h>\n#include <sys/stat.h%" -i perdition/db/daemon/perditiondb_daemon.c
perl -pe 's%str_write%perd_str_write%' -i perdition/str.h
perl -pe 's%static inline%%' -i perdition/str.c
perl -pe 's%str_write%perd_str_write%' -i perdition/str.c
perl -pe 's%str_write%perd_str_write%' -i perdition/managesieve_write.h
perl -pe 's%str_write%perd_str_write%' -i perdition/managesieve_write.c
perl -pe 's%^perdition_LDFLAGS =.*%perdition_LDFLAGS=%' -i perdition/Makefile.in
perl -pe 's%^#include "managesieve_write.h"%%' -i perdition/options.h
perl -pe '(394 .. 398) && s%^.*%%' -i perdition/str.h
perl -pe 's%^#endif.*%const char *strcaseword(const char *haystack, const char *needle);\n#endif%' -i perdition/str.h
perl -pe 's%perdition_globals%perdition_globals.h\"\n#include \"managesieve_write%' -i perdition/options.c
cp /usr/local/lib/libtool .
./configure --prefix=/usr/local \
--disable-silent-rules \
--with-libidn=/usr/local \
--with-ssl-includes=/usr/local/include \
--with-ssl-libraries=/usr/local/lib \
--with-mysql-includes=/usr/local/mysql/include \
--with-mysql-libraries=/usr/local/mysql/lib \
--with-odbc-includes=/usr/local/include \
--with-odbc-libraries=/usr/local/lib \
--with-ldap-includes=/usr/local/include \
--with-ldap-libraries=/usr/local/lib
perl -pe 's%install -m%/usr/local/bin/ginstall -m%' -i perdition/db/ldap/Makefile
gmake
gmake install
These packages are now on the Solaris package archive:
vanessa-adt.0.0.9.SPARC.64bit.Solaris.10.pkg
vanessa-adt.0.0.9.i86pc.Solaris.10.pkg
vanessa-adt.0.0.9.i86pc.Solaris.11.pkg
vanessa-logger.0.0.10.SPARC.64bit.Solaris.10.pkg
vanessa-logger.0.0.10.i86pc.Solaris.10.pkg
vanessa-logger.0.0.10.i86pc.Solaris.11.pkg
vanessa-socket.0.0.12.SPARC.64bit.Solaris.10.pkg
vanessa-socket.0.0.12.i86pc.Solaris.10.pkg
vanessa-socket.0.0.12.i86pc.Solaris.11.pkg
popt.1.14.SPARC.64bit.Solaris.10.pkg
popt.1.14.i86pc.Solaris.10.pkg
popt.1.14.i86pc.Solaris.11.pkg
perdition.1.19.r5.SPARC.64bit.Solaris.10.pkg
perdition.1.19.r5.i86pc.Solaris.10.pkg
perdition.1.19.r5.i86pc.Solaris.11.pkg
ta,
Mark.
http://www.ibiblio.org/pub/packages/solaris/sparc/
Perdition folks,
I'm investigating implementing the latest version of Perdition Proxy for a client where the popmap would be provided using LDAP. User/Domain routes are already stored in LDAP, with limited information. Perdition will be servicing POP/POPS and IMAP/IMAPS. They will have multiple load balanced proxies to multiple unique mail platforms. The users are going through a migration, so their target will change and there is not a 1:1 mapping between old to new targets. At the moment, each user is connecting with a target pod specific FQDN.
The client is reluctant to add additional LDAP attributes unless absolutely necessary. They currently have the partial hostname of the user's target mail platform stored in LDAP, as 'pod1'. For all connections to work, I believe I'll need a full hostname (ie, pop.pod1.platformdomain.com and imap.pod1.platformdomain.com) that matches the cert on the target platform interface. I'm sure I could use DNS to resolve 'pod1' to the target platform IP. However, I don't think it will help for SSL connections, presenting perdition with an SSL challenge during connection to the target.
Given the above, I have a couple questions for those with any thoughts or experiences:
1) Can I configure Perdition to ignore the cert errors when connecting to the target?
2) If (1) can be done, can I simply use DNS to deal with the partial hostname?
3) Assuming above doesn't work, is there a nifty way to 'fix up' the hostname returned from the popmap? Is it possible to prefix 'pop.' and append '.domain.com' to the value returned?
4) Would you recommend:
a. One Perdition farm listening to all user connections and routing to any target farm -or-
b. Perdition farms per Pod/FQDN, allowing for a default route while also providing a means of routing to other pods.
Much thanks,
Todd