Robert Hensel | 22 Apr 16:00 2015

[debian]courier-imap with STARTTLS together with courier-imap-ssl

Hi guys,

I want to set up courier-imap with STARTTLS running side-by-side with courier-imapd-ssl, so that users are able to connect to 143 with STARTTLS, but also to 993 with TLS.

Both are doing fine on their own, but it seems that when I start courier-imap-ssl, support for STARTTLS drops automatically from courier-imap. Is that something specific to how Debian is set up or is it courier? Because I can't really find out from the init scripts (included below).

Here's what happens:

$telnet testbox 143
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS] Courier-IMAP ready. Copyright 1998-2011 Double Precision, Inc. See COPYING for

$service courier-imap-ssl start

$telnet testbox 143
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE AUTH=PLAIN ACL ACL2=UNION] Courier-IMAP ready. Copyright 1998-2011 Double Precision, Inc. See COPYING for distribution information.

Also weird is that when I connect from localhost, I still get the STARTTLS option. Only outside connections don't get that option anymore.
telnet 127.0.0.1 143
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS] Courier-IMAP ready. Copyright 1998-2011 Double Precision, Inc.  See COPYING for distribution information.


init script courier-imap-ssl:
/usr/bin/env - /bin/sh -c " . ${sysconfdir}/imapd ; \
                . ${sysconfdir}/imapd-ssl ; \
                IMAP_TLS=1 ; export IMAP_TLS ; \
                `sed -n '/^#/d;/=/p' <${sysconfdir}/imapd | \
                        sed 's/=.*//;s/^/export /;s/$/;/'`
                `sed -n '/^#/d;/=/p' <${sysconfdir}/imapd-ssl | \
                        sed 's/=.*//;s/^/export /;s/$/;/'`
                PROXY_HOSTNAME=$PROXY_HOSTNAME ; \
                /usr/sbin/courierlogger -pid=$SSLPIDFILE -start $SSLLOGGEROPTS \
                $TCPD -address=$SSLADDRESS \
                        -maxprocs=$MAXDAEMONS -maxperip=$MAXPERIP \
                        $TCPDOPTS \
                        $SSLPORT $COURIERTLS -server -tcpd \
                        ${libexecdir}/courier/imaplogin \
                                ${bindir}/imapd $MAILDIRPATH"

init script courier-imap:
                /usr/bin/env - /bin/sh -c " set -a; \
                bindir=${bindir}; \
                . ${sysconfdir}/imapd; \
                if [ "$SSLCONFIG" ]; then . ${sysconfdir}/imapd-ssl; fi; \
                IMAP_STARTTLS=$IMAPDSTARTTLS ; export IMAP_STARTTLS ; \
                PROXY_HOSTNAME=$PROXY_HOSTNAME;
                TLS_PROTOCOL=$TLS_STARTTLS_PROTOCOL ; \
                /usr/sbin/courierlogger -pid=$PIDFILE -start $LOGGEROPTS \
                $TCPD -address=$ADDRESS \
                        -maxprocs=$MAXDAEMONS -maxperip=$MAXPERIP \
                        $TCPDOPTS \
                        $PORT ${libexecdir}/courier/imaplogin \
                                ${bindir}/imapd $MAILDIRPATH"


-robert
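
The comparison the post makes by eye, as an added example (not part of the original message and not Courier code): it parses the CAPABILITY list in each greeting, reports what changed between the two, and flags a cleartext port that advertises AUTH=PLAIN or no STARTTLS. Function names and finding labels are assumptions of this example; the two greetings are the ones quoted above with the trailing copyright text shortened.

```python
import re
import socket

# CAPABILITY response code inside an IMAP greeting line.
_GREETING = re.compile(r"^\* (?:OK|PREAUTH) \[CAPABILITY ([^\]]*)\]", re.I)


def parse_capabilities(greeting):
    """Return the advertised capabilities as an upper-cased set (empty if none)."""
    m = _GREETING.match(greeting.strip())
    return {c.upper() for c in m.group(1).split()} if m else set()


def audit_greeting(greeting):
    """Return findings for a greeting seen on the cleartext port, before TLS."""
    caps = parse_capabilities(greeting)
    if not caps:
        return ["no-capability-list"]
    findings = []
    if "STARTTLS" not in caps:
        findings.append("no-starttls")
    plaintext = sorted(c for c in caps if c in ("AUTH=PLAIN", "AUTH=LOGIN"))
    if plaintext:
        findings.append("cleartext-auth-advertised:" + ",".join(plaintext))
    return findings


def capability_diff(before, after):
    """Return (dropped, added) capabilities between two greetings."""
    a, b = parse_capabilities(before), parse_capabilities(after)
    return sorted(a - b), sorted(b - a)


def fetch_greeting(host, port=143, timeout=5.0):
    """Read the first line a server sends on the cleartext IMAP port."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = b""
        while not data.endswith(b"\n") and len(data) < 4096:
            chunk = s.recv(1024)
            if not chunk:
                break
            data += chunk
    return data.decode("ascii", "replace")


# Greetings from the post (text after "Courier-IMAP ready." dropped).
BEFORE_SSL = ("* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE "
              "THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL "
              "ACL2=UNION STARTTLS] Courier-IMAP ready.")
AFTER_SSL = ("* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE "
             "THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE "
             "AUTH=PLAIN ACL ACL2=UNION] Courier-IMAP ready.")

if __name__ == "__main__":
    print("before:", audit_greeting(BEFORE_SSL))
    print("after: ", audit_greeting(AFTER_SSL))
    print("dropped/added:", capability_diff(BEFORE_SSL, AFTER_SSL))
```

Running `audit_greeting(fetch_greeting(host))` once from localhost and once from an outside address reproduces the local/remote difference described in the post.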
_______________________________________________
courier-users mailing list
courier-users <at> lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
Alessandro Vesely | 21 Apr 18:48 2015

zdkimfilter 1.5 with DMARC support

RFC 7489 was published last month.  Using zdkimfilter 1.5 it is easy to meet
DMARC minimum implementation requirements --section 8 of the RFC.  That section
stresses the ability to send and receive reports, which is the most noteworthy
addition with respect to ADSP.  It makes mail servers of different domains
interact with one another.  Now, I'm not so clever as to tell exactly what
should be memorized and for how long, but I'm more and more convinced that a
database of peers is necessary for SMTP to operate sensibly.

Personally, I BCC outgoing DMARC reports to myself, and read them using the
XSLT at http://www.tana.it/sw/dmarc-xsl/.  When I get the feeling that only
phishes fail DMARC check, I enable DMARC for that domain.  ADSP can be enabled
 per domain too, in the new version.  In the other cases, when DMARC fails
amiss, I'm comforted that remote domains hear my voice, however statistically
irrelevant it may be.  For incoming reports, there is no way to publish
per-domain policies, so there's not much to decide.  I'm open to suggestions.

Version 1.5 also fixes a couple of issues, long From:, garbled logs.  There are
some additional requirements, see release notes.

Feel like giving it a try?
http://www.tana.it/sw/zdkimfilter/

Ale

------------------------------------------------------------------------------

Adam Augustine | 17 Apr 01:20 2015

CentOS 7 rpmbuild -ta possibly unimportant errors?

I am running "rpmbuild -ta courier-0.74.1.tar.bz2" on CentOS 7 fully
updated. I have satisfied all the dependencies as far as I can tell and
while the build appears to complete successfully (all the RPMs are built
properly), I do see a number of errors and warnings in the build.
Assuming the warnings are fine, here is a sampling of the errors:

Making install in libs/pcp
Making install in po
chown: changing ownership of '/home/buildacct/rpm/BUILDROOT/courier-0.74.1-1.el7.centos.x86_64/var/spool/courier/calendar/localcache': Operation not permitted
chgrp: changing group of '/home/buildacct/rpm/BUILDROOT/courier-0.74.1-1.el7.centos.x86_64/var/spool/courier/calendar/public': Operation not permitted
chgrp: changing group of '/home/buildacct/rpm/BUILDROOT/courier-0.74.1-1.el7.centos.x86_64/var/spool/courier/calendar/private': Operation not permitted
chgrp: changing group of '/home/buildacct/rpm/BUILDROOT/courier-0.74.1-1.el7.centos.x86_64/var/spool/courier/calendar/localcache': Operation not permitted
chgrp: changing group of '/home/buildacct/rpm/BUILDROOT/courier-0.74.1-1.el7.centos.x86_64/var/spool/courier/calendar': Operation not permitted
<snip>
extracting debug info from /home/buildacct/rpm/BUILDROOT/courier-0.74.1-1.el7.centos.x86_64/usr/lib/courier/share/sqwebmail/ldapsearch
extracting debug info from /home/buildacct/rpm/BUILDROOT/courier-0.74.1-1.el7.centos.x86_64/usr/lib/courier/libexec/courier/sqwebpasswd
extracting debug info from /home/buildacct/rpm/BUILDROOT/courier-0.74.1-1.el7.centos.x86_64/usr/lib/courier/libexec/courier/modules/uucp/courieruucp
objcopy: unable to copy file '/home/buildacct/rpm/BUILDROOT/courier-0.74.1-1.el7.centos.x86_64/usr/lib/courier/libexec/courier/modules/uucp/courieruucp'; reason: Permission denied
extracting debug info from /home/buildacct/rpm/BUILDROOT/courier-0.74.1-1.el7.centos.x86_64/usr/lib/courier/libexec/courier/modules/local/courierlocal
objcopy: unable to copy file '/home/buildacct/rpm/BUILDROOT/courier-0.74.1-1.el7.centos.x86_64/usr/lib/courier/libexec/courier/modules/local/courierlocal'; reason: Permission denied
<snip>

Are these anything to worry about?

------------------------------------------------------------------------------

Lindsay Haisley | 14 Apr 19:16 2015

Bad DNS pythonfilter

I've modified Gordon Messmer's ratelimit.py to look for emails using
name servers frequently used by spammers and rate-limit accordingly.

Spamming operations frequently switch IP addresses and address groups,
and use a near-infinite number of domain names, often obtained from
registries that offer 'name tasting' - free trials of names which can be
used and abandoned at no cost.  Since most receiving MTAs require that
the domain names of originating servers, as given in the HELO SMTP
greeting, must resolve, spammers need name servers which will
handle name resolution for them, and their options for usable name
servers are far more limited.

The baddns.py module is a variation on Gordon Messmer's ratelimit.py
pythonfilter module for the Courier SMTP server which applies
rate-limiting based on a lookup of the name servers for a domain name,
comparing the discovered name servers with a list of name servers known
to be used by spammers.

This pythonfilter module is available in a tarball (with a README) at
<http://www.fmp.com/courier-pythonfilter-baddns.tar.gz>

Suggestions and/or criticisms are welcome.  I'm using this module here
and it's proving to be VERY effective :)

-- 
Lindsay Haisley       | "UNIX is user-friendly, it just
FMP Computer Services |       chooses its friends."
512-259-1190          |          -- Andreas Bogk
http://www.fmp.com    |
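
A sketch of the technique described in this message, as an added example: it is not the baddns.py from the tarball, and every name in it is an assumption of the example. It finds the name servers for a sending domain through a caller-supplied lookup function (so it runs offline here), matches them against a constructed watch list, and rate-limits per watch-list entry so that rotating domains behind the same name servers share one bucket.

```python
from collections import deque

# Constructed watch list; real entries would come from local observation.
BAD_NS_SUFFIXES = ("ns.badhost.example",)


def zone_nameservers(domain, lookup_ns):
    """Walk up from domain until a name with NS records is found."""
    labels = domain.rstrip(".").lower().split(".")
    for i in range(len(labels) - 1):          # stop before the bare TLD
        servers = lookup_ns(".".join(labels[i:]))
        if servers:
            return {s.rstrip(".").lower() for s in servers}
    return set()


def matched_bad_ns(domain, lookup_ns, bad_suffixes=BAD_NS_SUFFIXES):
    """Return the watch-list entries that this domain's name servers fall under."""
    servers = zone_nameservers(domain, lookup_ns)
    return sorted({b for s in servers for b in bad_suffixes
                   if s == b or s.endswith("." + b)})


class NsRateLimiter:
    """Allow at most max_hits messages per interval (seconds) per watch-list entry."""

    def __init__(self, max_hits=2, interval=60):
        self.max_hits = max_hits
        self.interval = interval
        self._hits = {}                       # watch-list entry -> deque of timestamps

    def check(self, domain, lookup_ns, now):
        """Return '' to accept or a '451 ...' soft failure (this example's convention)."""
        for entry in matched_bad_ns(domain, lookup_ns):
            window = self._hits.setdefault(entry, deque())
            while window and window[0] <= now - self.interval:
                window.popleft()              # drop hits older than the interval
            window.append(now)                # deferred attempts count too
            if len(window) > self.max_hits:
                return "451 Too many messages via name servers under %s" % entry
        return ""


# Constructed resolver data standing in for real DNS NS lookups.
FAKE_NS = {
    "spam1.example": ["ns1.ns.badhost.example."],
    "spam2.example": ["NS2.ns.badhost.example"],
    "good.example": ["ns1.goodhost.example."],
}


def fake_lookup(name):
    return FAKE_NS.get(name, [])


if __name__ == "__main__":
    limiter = NsRateLimiter(max_hits=2, interval=60)
    for t, dom in [(0, "mail.spam1.example"), (10, "spam2.example"),
                   (20, "mail.spam1.example"), (25, "good.example")]:
        print(t, dom, repr(limiter.check(dom, fake_lookup, t)))
```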

------------------------------------------------------------------------------

Szépe Viktor | 11 Apr 21:10 2015

Forwarding mail with SPF


Good morning!

When a local address - having no local delivery - is forwarded to  
another mail server which strictly checks SPF,
it could be that the sender's domain has "-all" in SPF thus it is not  
possible to forward that message.
BTW it causes backscatter.

On forwarding Courier MTA sets MAIL FROM: to the same address as in  
the original message's From: header (or the original MAIL FROM:, I do  
not know) and this - the forwarding - mail server is not on the  
allowed hosts' list in SPF.

Could we have a new option for setting a fixed MAIL FROM: on  
forwarding to make forwarding possible in these cases?

Thank you!!

Szépe Viktor
-- 
+36-20-4242498  sms <at> szepe.net  skype: szepe.viktor
Budapest, XX. kerület

------------------------------------------------------------------------------
Ryta Kashemire | 9 Apr 10:54 2015

Compiling Courier with ssl

Hi All

I would like to install/compile courier with SSL as my inbound email MTA. I would like to do some reading before I get to it... Please send me any links, read ups, articles etc. that you think would be of help.

Thanks in advance

Regards

Ritah
------------------------------------------------------------------------------
Mark Constable | 1 Apr 14:37 2015

invalid UIDNEXT value

I have no idea if this is a "real" bug or not but there seems to be a lot of these
in my local desktop logfile output from Kmail which uses the so called akonadi backend to fetch IMAP
messages. This is a FWIW.

akonadi_imap_resource_0(2620) RetrieveItemsTask::onFinalSelectDone: Server bug: Your IMAP Server
delivered an invalid UIDNEXT value. This is a known problem with Courier IMAP.

------------------------------------------------------------------------------

PICCORO McKAY Lenz | 26 Mar 23:01 2015

webmlmd error: list is owned by root!

I have installed webmlmd and created a list in /home/list/users, then listed it in the rc config file.

When restarted, an error message is printed to the console:

Restarting webmlmd daemon: /home/lists/users: is owned by root!

The manpage is very squeak around how to set up; many of the steps are very focused on the MTA?

Is there a more focused use-case how-to for the courier mail list manager?

I want to install the courier mail list manager with PAM only!

Lenz McKAY Gerardo (PICCORO)
------------------------------------------------------------------------------
Lindsay Haisley | 22 Mar 00:09 2015

Final patch on ratelimit.py

Based on a bit of research and information from Sam, here's my final
submission of a unified diff patch against ratelimit.py.  This fixes two
problems:

1.  When limitNetwork = True, the IP address is now properly parsed from
the Received-From-MTA string for both v4 and v6 addresses and an
identifier for /24 (v4) or /48 (v6) address groups is generated.

2.  When limitNetwork = True, the address identifier is used internally
to identify network matches, but the full Received-From-MTA string is
now returned from the module for logging and the SMTP dialog.

Gordon, this is in your ballpark now.  I've got it working the way it
should and I'm not going to mess with it anymore :)  I'd suggest that
unless you see something nasty, this patch should be incorporated into
the next release of ratelimit.py

Sincere thanks to both Gordon Messmer and Sam Varshavchik.

--- ratelimit.py-1.9.orig	2015-03-18 10:41:48.000000000 -0500
+++ ratelimit.py		2015-03-19 13:12:10.000000000 -0500
 <at>  <at>  -65,12 +65,14  <at>  <at> 
         return '451 Internal failure locating control files'

     if limitNetwork:
-        if '.' in sender:
+        if '.' in sender[sender.rindex("["):]:
             # For IPv4, use the first three octets
-            sender = sender[:sender.rindex('.')]
+            senderID = sender[sender.rindex("["):sender.rindex('.')]
         else:
             # For IPv6, expand the address and then use the first three hextets
-            sender = courier.config.explodeIP6(sender)[:14]
+            senderID = courier.config.explodeIP6(sender)[sender.rindex("["):][:16] 
+    else:
+        senderID = sender

     _sendersLock.acquire()
     try:
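
Review bot: in the IPv6 branch, `courier.config.explodeIP6(sender)[sender.rindex("["):][:16]` passes the whole Received-From-MTA string to explodeIP6 and then slices the expanded result with an offset computed on the unexpanded string, so the slice only lands on the address if expansion leaves everything before the bracket unchanged. Suggest extracting the bracketed literal first, expanding only that, and truncating the result. Both branches also call `sender.rindex("[")`, which raises ValueError when the string contains no "[", so a guard (or `rfind` with a fallback to `senderID = sender`) would keep the filter from failing on input without a domain-literal. The new explodeIP6 line carries trailing whitespace.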
 <at>  <at>  -87,16 +89,16  <at>  <at> 
         # First, add this connection to the bucket:
         if not _senders.has_key(now):
             _senders[now] = {}
-        if not _senders[now].has_key(sender):
-            _senders[now][sender] = 1
+        if not _senders[now].has_key(senderID):
+            _senders[now][senderID] = 1
         else:
-            _senders[now][sender] = _senders[now][sender] + 1
+            _senders[now][senderID] = _senders[now][senderID] + 1

         # Now count the number of connections from this sender
         connections = 0
         for i in range(0, interval):
-            if _senders.has_key(now - i) and _senders[now - i].has_key(sender):
-                connections = connections + _senders[now - i][sender]
+            if _senders.has_key(now - i) and _senders[now - i].has_key(senderID):
+                connections = connections + _senders[now - i][senderID]

         # If the connection count is higher than the maxConnections setting,
         # return a soft failure.
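
Review bot: style point on the bucket update at the top of this hunk: the has_key()/else pair on `_senders[now]` can be a single line, `_senders[now][senderID] = _senders[now].get(senderID, 0) + 1`, and the counting loop can use `_senders.get(now - i, {}).get(senderID, 0)` in the same way. That also removes the dependence on dict.has_key(), which Python 3 no longer provides. The sender to senderID rename is consistent across the visible lines.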

-- 
Lindsay Haisley       | "Real programmers use butterflies"
FMP Computer Services |
512-259-1190          |       - xkcd
http://www.fmp.com    |

------------------------------------------------------------------------------

Lindsay Haisley | 21 Mar 21:12 2015

"Received-From-MTA" information

I'm looking at Gordon Messmer's new (1.9) ratelimit.py module for his
excellent pythonfilter suite.

Ratelimit.py pulls information about the origin of an email from the
Received-From-MTA data for it stored locally.  This information is
defined in RFC 1894.  The first field in this data is the mta-name-type,
which is "dns" in all the mails I've seen accepted by courier.  The
second field, mta-name, is formatted according to RFC 3461 (9.3)
defining the format for the "dns" mta-name-type as:

	MTA names of type "dns" SHOULD be valid Internet domain names.
        If such domain names are not available, a domain-literal
        containing the internet protocol address is acceptable.  Such
        domain names generally conform to the following syntax:

                domain = real-domain / domain-literal

                real-domain = sub-domain *("." sub-domain)

                sub-domain = atom

                domain-literal = "[" 1*3DIGIT 3("." 1*3DIGIT) "]"

        where "atom" and "DIGIT" are defined in [2].

Gordon's ratelimit.py from courier-pythonfilter-1.9 is optionally
network-aware, but if the network-aware code is to work properly it MUST
assume that the Received-From-MTA data is purely of the form
domain-literal, as defined above, without real-domain data, which is
optional ("SHOULD") but always present in what I see here.

Received-From-MTA data here is always of the form:

    dns; real-domain (domain-literal)

or

    dns; real-domain (real-domain domain-literal)

Under what condition(s) in the courier configuration is this true?  Is
this version-dependent?  Is there a courier config setting under which
this is simply:

    dns; (domain-literal)

... as required by ratelimit.py 1.9?

It would be good to know if perhaps Gordon and I are looking at
different courier behaviors before I make further suggestions about his
code.  As courier is configured here, ratelimit.py requires patching to
be network aware, but this may not always be the case if courier is
configured differently.

-- 
Lindsay Haisley       | "The only unchanging certainty
FMP Computer Services |    is the certainty of change"
512-259-1190          |
http://www.fmp.com    | - Ancient wisdom, all cultures
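
The grouping discussed in this message and in the "Final patch on ratelimit.py" message, as an added example (not Gordon Messmer's ratelimit.py and not the patch): it pulls the last bracketed domain-literal out of a Received-From-MTA string in either form shown above and derives the /24 or /48 bucket with the standard `ipaddress` module instead of string slicing. The sample strings are constructed, and the bracketed IPv6 and IPv4-mapped forms are assumptions about what the literal may look like.

```python
import ipaddress
import re
from collections import Counter

# A bracketed address literal such as "[192.0.2.17]" or "[2001:db8::1]".
_LITERAL = re.compile(r"\[([0-9A-Fa-f:.]+)\]")


def network_key(received_from_mta, v4_prefix=24, v6_prefix=48):
    """Return the sending network as a CIDR string, or the raw value as fallback."""
    literals = _LITERAL.findall(received_from_mta)
    if not literals:
        return received_from_mta          # no domain-literal: one bucket per string
    try:
        addr = ipaddress.ip_address(literals[-1])
    except ValueError:
        return received_from_mta          # bracketed text that is not an address
    # Treat an IPv4-mapped IPv6 literal as the IPv4 address it carries.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return str(ipaddress.ip_network("%s/%d" % (addr, prefix), strict=False))


def count_by_network(values):
    """Count Received-From-MTA values per network bucket."""
    return Counter(network_key(v) for v in values)


# Constructed Received-From-MTA values covering both forms from the message.
SAMPLE = [
    "dns; mail.example.net (mail.example.net [192.0.2.17])",
    "dns; other.example.net ([192.0.2.200])",
    "dns; relay.example.org ([::ffff:192.0.2.9])",
    "dns; v6.example.org (v6.example.org [2001:db8:1:2::5])",
    "dns; host.example.com (host.example.com)",
]

if __name__ == "__main__":
    for key, n in sorted(count_by_network(SAMPLE).items()):
        print(n, key)
```

Because the host names themselves contain dots, a test such as `'.' in sender` on the whole string cannot tell IPv4 from IPv6; parsing the literal alone avoids that.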

------------------------------------------------------------------------------

Lindsay Haisley | 21 Mar 18:03 2015

pythonfilter module precedence question

I'm using pythonfilter modules whitelist_relayclients, spamassassin and
ratelimit for a server installation of courier.  If I whitelist IP
address ranges using webadmin in Inbound ESMTP under "Manual netblock
blacklist/whitelist" is this sufficient to exempt these addresses from
ratelimiting, or do I need to tag these addresses with RELAYCLIENT as
well to exempt them?

I'd rather not do this, since there's no reason to allow them to relay
off of our server, but I want them exempted from the ratelimit and
spamassassin modules.

-- 
Lindsay Haisley       | "UNIX is user-friendly, it just
FMP Computer Services |       chooses its friends."
512-259-1190          |          -- Andreas Bogk
http://www.fmp.com    |

------------------------------------------------------------------------------

