2010/11/25 Simon Horman <horms@verge.net.au>

Hi Riccardo,

On Thu, Nov 25, 2010 at 04:46:47PM +0000, riccardo.milo@gmail.com wrote:
> Hi all,
> I'm new to perdition world, and I am obviously having problems in
> configuration.
> I'm trying to configure an authentication on LDAP, I read that
> perdition can do what I need. But the problem is here: how can I set
> up a connection to the LDAP?
> I've tried with the perrdition.conf file setting up the -M and -m
> parameters, but it seems that the library is not linked.
> I compiled perdition with PAM, SSL and LDAP support before
> installing it on my Ubuntu 10.10 machine, but this is still not
> working...
> Can you give me some hint?
> I attach at the message the log that console give me back; note that
> I have problems when I activate the authentication_in parameter,
> because without it perdition works like a perfect proxy without give
> me back errors.

Using authentication_in shouldn't be necessary unless
you want perdition to authenticate usernames and passwords.

> Here's the log:
>
> Nov 25 16:59:27 riccardopb perdition[11355]: version=1.18,
> add_domain="", authenticate_in=on, authenticate_timeout=1800,
> bind_address="", capability="UIDL USER",
> client_server_specification=off,
> config_file="/usr/local/etc/perdition/perdition.pop3.conf",
> connection_limit=0, connection_logging=on, connect_relog=300,
> debug=on, domain_delimiter="@", explicit_domain="",
> group="riccardo", inetd_mode=off, listen_port="3000",
> log_facility="mail", log_passwd="never", login_disabled=off,
> lower_case="", map_library="/usr/local/lib/libperditiondb_ldap.so", map_library_opt="ldap://127.0.0.1:389/ou=mailbox,dc=example,dc=com?username,mailhost,port?one?(uid=%25s)",
> no_bind_banner=off, no_daemon=off, no_lookup=off,
> nodename="riccardopb", ok_line="A lei", outgoing_port="995",
> outgoing_server="pop.gmail.com",
> pid_file="/home/riccardo/Scrivania/perdition.pop3.pid",
> protocol="POP3", server_resp_line=off, strip_domain="",
> timeout=1800, username="riccardo", username_from_database=off,
> query_key="", quiet=off, ssl_mode="ssl_all", ssl_ca_file="",
> ssl_ca_path="/usr/local/etc/perdition/perdition.ca/",
> ssl_ca_accept_self_signed="on",
> ssl_cert_file="/usr/local/etc/perdition/perdition.crt.pem",
> ssl_cert_accept_expired="on", ssl_cert_not_yet_valid="on",
> ssl_cert_self_signed="on", ssl_cert_verify_depth=9,
> ssl_key_file="/usr/local/etc/perdition/perdition.key.pem",
> ssl_listen_ciphers="", ssl_outgoing_ciphers="",
> ssl_no_cert_verify="on", ssl_no_cn_verify="on",
> (ssl_mask=0x00000000) (mask=0x00060000 00000000)#012
> Nov 25 16:59:41 riccardopb perdition[11360]: Connect: 127.0.0.1->127.0.0.1
> Nov 25 16:59:54 riccardopb perdition[11360]:
> __perdition_ssl_connection: error:140760FC:SSL
> routines:SSL23_GET_CLIENT_HELLO:unknown protocol

This seems to indicate that the client has connected using plain-text
instead of using SSLv3 or TLSv1.

You should be able to get the same result by telneting to port 995
on the server running perdition and entering a line of text (any text)
into telnet.

To test SSL I find that the openssl s_client can be useful.

e.g.

openssl s_client -connect localhost:995 -msg

> Nov 25 16:59:54 riccardopb perdition[11360]:
> __perdition_ssl_connection: SSL_accept
> Nov 25 16:59:54 riccardopb perdition[11360]:
> __perdition_ssl_connection: no shared ciphers?
> Nov 25 16:59:54 riccardopb perdition[11360]:
> perdition_ssl_server_connection: perdition_ssl_connection
> Nov 25 16:59:54 riccardopb perdition[11360]: main:
> perdition_ssl_server_connection SSL
> Nov 25 16:59:54 riccardopb perdition[11360]: Fatal error
> establishing SSL connection to client
>
> Thank you very much for your attention and help.