Alexander Lehmann | 28 Oct 13:11 2014

problems when enabling tls only for pop3s/imaps

Following the poodle issue I disabled SSLv3 in my courier mail server by setting

TLS_PROTOCOL=TLS1

According to sslscan this disables all sslv3 connections, but allows tls1 connections on port 993. This works for most mail software, but is apparently failing for different versions of Outlook and Outlook Express.

I assume that Outlook in Windows XP will not support tls since it is too old, but it seems that newer Outlook versions do not work either.

I am currently using 4.8, maybe that is too old.


Thanks, Alexander

--
------------------------------------------------------------------------------
_______________________________________________
courier-users mailing list
courier-users <at> lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
Zenon Panoussis | 26 Oct 12:02 2014

RHEL7: Mail stays in spool, courierd isn't running


I had courier-0.73.1 running happily on an SL 6.5 box until the
other day when the box broke down. Motherboard, the whole machine
had to be replaced, completely different hardware, hence I couldn't
restore the entire system from backup. So I took the opportunity to
upgrade to Centos 7. Compiled courier-0.73.2 on the new system,
copied my /etc/courier from backup, done.

Or so I thought. My log started filling with entries like
  courieresmtpd: started,ip=[::ffff:91.227.208.147]
and then nothing. Mail was arriving, but it wasn't being delivered.
Vanishing into thin air, it seemed, until I found it in the spool.

Imapd was working fine and existing mailboxes were available, which
means that authlib was working fine and all paths and permissions
were fine. Nothing had changed there anyway, so they should be.

Having ripped most of my hair off, I realised that although courierd
was starting, it wasn't running. Then I tried strace and found the
reason:

[pid 30489] open("/etc/sysconfig/i18n", O_RDONLY) = -1 ENOENT (No such file or directory)

Some bright head (probably the same who thought systemd is a good
replacement for sysvinit) decided to rename /etc/sysconfig/i18n
to /etc/locale.conf.

Solution: edit /etc/courier/courierd accordingly to source the
file from its new location.

This cost me endless hours of barking up a forest of wrong trees,
so I hope that posting it will save others the same ordeal.

BTW, if you're planning a similar upgrade, take also into account
that UIDs 500-999 which were previously assigned to users, are now
reserved for system accounts. There's good potential for weird
troubles there too.

Z


Lindsay Haisley | 24 Oct 21:51 2014

Custom address blocking

I'm dealing with some issues regarding migration of mailing lists and
would like to know if there's a quick way to set a custom 500 class
block for a specific address in courier with a custom message - kind of
the reverse of "courier clear user <at> domain".  This would return an error
after "rcpt to" something like:

550 Mailing list <mylist <at> frobniz.com> out of service for maintenance.  Please try again later.

I can usually figure this stuff out but I'm strapped for time and
thought maybe Sam or someone could shoot me a quick 'n easy solution.

-- 
Lindsay Haisley       | "UNIX is user-friendly, it just
FMP Computer Services |       chooses its friends."
512-259-1190          |          -- Andreas Bogk
http://www.fmp.com    |


Tomáš Drbohlav | 9 Oct 15:20 2014

iconv charset name bug

  Hello,

I have noticed (= crashed into) an apparent typo in maildir/maildirinfo.c.
In function maildir_info_imapmunge(...) (line +/- 861) there is a charset
specified like 'utf8', but that is not a valid IANA nor GNU libiconv (sic!)
understood charset. Is it possible to change it to "UTF-8"? The bug is
visible only while using shared folders (it spits out only an 'Invalid
arguments' system error).

I am ready to deliver any details needed to fix it.

Many thanks to authors of Courier Imap, we are long time and happy users!

Yours,

  Tomas Drbohlav


Mark Constable | 3 Oct 04:12 2014

MYSQL_MAILDIR_FIELD missing

courier-imap 4.15-1 and courier-authdaemon 0.66.1 on Ubuntu 14.10

I can't for the life of me figure out why MYSQL_MAILDIR_FIELD / maildir
is not returning a value?

Oct  3 11:59:41 netserva authdaemond: SQL query: SELECT username, "", password, uid, gid, homedir, "",
quota, "", "" FROM mail_users WHERE username = 'markc <at> netserva.goldcoast.org'
Oct  3 11:59:41 netserva authdaemond: Authenticated: sysusername=<null>, sysuserid=1, sysgroupid=1,
homedir=/var/customers/mail/, address=markc <at> netserva.goldcoast.org, fullname=<null>,
maildir=<null>, quota=100000000S, options=<null>
Oct  3 11:59:41 netserva authdaemond: Authenticated: clearpasswd=xxxxxxxx, passwd=<null>

~ cat /etc/courier/authmysqlrc
MYSQL_CLEAR_PWFIELD     password
MYSQL_DATABASE          netserva
MYSQL_GID_FIELD         gid
MYSQL_HOME_FIELD        homedir
MYSQL_LOGIN_FIELD       username
MYSQL_MAILDIR_FIELD     maildir
MYSQL_PASSWORD          xxxxxxxx
MYSQL_PORT              3306
MYSQL_QUOTA_FIELD       quota
MYSQL_SERVER            127.0.0.1
MYSQL_UID_FIELD         uid
MYSQL_USERNAME          netserva
MYSQL_USER_TABLE        mail_users

~ mysql -BNe "explain mail_users" netserva
id      int(11) NO      PRI     NULL    auto_increment
email   varchar(255)    NO      UNI
username        varchar(255)    NO
password        varchar(128)    NO
password_enc    varchar(128)    NO
uid     int(11) NO              0
gid     int(11) NO              0
homedir varchar(255)    NO
maildir varchar(255)    NO
postfix enum('Y','N')   NO              Y
domainid        int(11) NO              0
customerid      int(11) NO              0
quota   varchar(15)     NO              0
pop3    tinyint(1)      NO              1
imap    tinyint(1)      NO              1
mboxsize        bigint(30)      NO              0

~ mysql -BNe "select homedir,maildir from mail_users" netserva
/var/customers/mail/    markc/netserva.goldcoast.org/markc/Maildir

~ ll /var/customers/mail/markc/netserva.goldcoast.org/markc/Maildir
total 0
drwx------ 1 daemon daemon 0 Oct  3 11:28 cur/
drwx------ 1 daemon daemon 0 Oct  3 11:28 new/
drwx------ 1 daemon daemon 0 Oct  3 11:28 tmp/

~ grep DEFAULT /etc/courier/courierd (truncated)
courierd:DEFAULTDELIVERY="| /usr/bin/maildrop"
courierd:MAILDROPDEFAULT=./Maildir


Bernd Prünster | 30 Sep 00:11 2014

Prevent fake sender for mail not leaving server

Hello,

I am a bit puzzled by a "shortcoming" of my courier configuration.

My configuration:
Auth is not required (obviously to allow for receiving mail from other 
servers), but unauthenticated relaying is disabled (to prevent spammers 
from using my server).
Authentication itself is only possible over secure connections (SSL/TLS) 
and I have an SPF record (SoftFail*) in place and I employ spamassassin 
-- so far so good.

Now I have noticed that it is possible to connect to my server via SMTP 
(obviously) and send mail to any valid account configured on the server 
(also comprehensible). Now if the "mail from:" reads
something <at> <a foreign domain> and this domain has no SPF record in place, 
it is not my place to worry. I was, however, wondering if it is possible 
to prevent courier from accepting e-mails having an address  <at> <my domain> 
declared in "mail from:". Currently spamassassin kicks in and correctly 
flags such mails as spam (SPF check also fails) but I was wondering if 
it is possible to make courier reject such mails directly.

Best Regards,
Bernd

* I cannot employ a stricter SPF record (HardFail) as other mail servers 
are often configured in very bad ways, which would make forwarded mails 
bounce. Yahoo is a prime example of this behaviour, forcing me to only 
employ SoftFail. GMail on the other hand, does some clever header 
rewriting and causes no problems.


Sam Varshavchik | 25 Sep 00:42 2014

Bash shell security issue - CVE-2014-6271

There was a security issue disclosed today regarding the bash shell. Fixes  
to bash should already be available on most platforms, or will be available  
shortly.

My initial analysis is that servers running Courier would only be exploitable
using this bash security issue if $HOME/.courier-default or
$HOME/.courier-[prefix]-default delivery scripts are installed (also the
equivalent default scripts in the global aliasdir, as well).

Note that couriermlm uses -default files. So, if you are unable to
immediately patch your affected version of bash, you should consider
temporarily shutting down your mailing lists, and turning off any other
-default delivery files you have; until such time as you can update bash.
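
One way to inventory the -default delivery files named in the message above, as an added example that is not part of the original post or of Courier itself. The function name `list_default_files` is hypothetical, the caller supplies the home directories and the aliasdir path, and it assumes the aliasdir uses the same `.courier-*` file naming and that lines beginning with `|` are program deliveries.

```shell
#!/bin/sh
# Added example: inventory Courier "-default" delivery instruction files so
# they can be reviewed or disabled until bash is patched.
#
# Usage: list_default_files DIR...
#   DIR is a home directory or the global aliasdir (paths chosen by the caller).
# Output: one line per file found, tab separated:
#   program<TAB>path   file contains a program delivery line (starts with "|")
#   other<TAB>path     file only delivers to a mailbox or forwards
list_default_files() {
    for base in "$@"; do
        # Skip arguments that are not directories (for example stale homes).
        [ -d "$base" ] || continue
        # Delivery instruction files sit directly in the directory, so there
        # is no need to descend into the mail store itself.
        find "$base" -maxdepth 1 -type f \
            \( -name '.courier-default' -o -name '.courier-*-default' \) \
            -print | sort | while IFS= read -r f; do
            if grep -q '^[[:space:]]*|' "$f"; then
                printf 'program\t%s\n' "$f"
            else
                printf 'other\t%s\n' "$f"
            fi
        done
    done
}

# Demonstration on a constructed directory tree (not real user data).
demo_default_files() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/alice" "$tmp/bob"
    # Constructed sample contents; the handler path is a placeholder.
    printf '| /usr/local/bin/example-handler\n' > "$tmp/alice/.courier-list-default"
    printf './Maildir\n' > "$tmp/bob/.courier-default"
    printf '| /usr/local/bin/example-handler\n' > "$tmp/bob/.courier-list"
    list_default_files "$tmp/alice" "$tmp/bob" | sed "s|$tmp/||"
    rm -rf "$tmp"
}
```

Called as `list_default_files /home/* "$ALIASDIR"`, with `ALIASDIR` set to the installation's aliasdir, the lines tagged `program` are the ones to turn off first.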

Lindsay Haisley | 24 Sep 22:22 2014

smtpaccess question

What is the order of processing and precedence of address blocks
in /etc/courier/smtpaccess/* ?  It looks to me as if a more specific
block, either whitelist or reject, trumps a more general block so that a
reject of 192.168.1.0/24 followed - or preceded - by a whitelist of
192.168.1.16 would block everything in the larger block EXCEPT the
whitelisted address.  Is this the case?  If not, what's the rule?

Is there any precedence of a directive depending on which file  it's
found in in /etc/courier/smtpaccess?  Do the directives in one file take
precedence over the directives in another?

I would assume, since the whole directory is processed into a
single .dat file with makesmtpaccess, that the same rule applies
regardless of which file a directive may be found in.

-- 
Lindsay Haisley       | "UNIX is user-friendly, it just
FMP Computer Services |       chooses its friends."
512-259-1190          |          -- Andreas Bogk
http://www.fmp.com    |


Jeff Potter | 24 Sep 14:37 2014

Remove Received headers in outgoing authed email?


Hi List,

How do we remove the initial Received header in outgoing email from our servers, or at least mask out the IP
address of our sending user?

We have an instance of smtpd running specifically for authenticated users (AUTH_REQUIRED=1). I looked
through mailing lists; no luck; and I tried TCPDOPTS="-nodnslookup -noidentlookup", but also no luck.

Thanks,
Jeff

Hanno Böck | 24 Sep 10:47 2014

new release?

I'd like to get the spf-related fixes and generally a new courier
version pushed to Gentoo.
I can do this with the snapshot, however I'd prefer a real release.
Sam, can you make a new release based on the latest snapshot?

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno <at> hboeck.de
GPG: BBB51E42
Bowie Bailey | 23 Sep 20:35 2014

courier-unicode

Is the courier-unicode package actually in use yet?  I don't see any 
reference to it as a dependency in the courier or courier-authlib spec 
files and the installation instructions on the website say that it's 
needed as of 0.74.

If it is already in use, do I need to rebuild courier and 
courier-authlib after updating it?

-- 
Bowie


