Gordon Messmer | 27 Feb 20:05 2015

Re: TLS1_1 or higher ONLY?

Please keep replies on the list.  I can't give you authoritative 
answers, and right now I'm the only one seeing your messages.

Courier's rpms build against GnuTLS by default (under "mock"), so I 
don't have an installation similar enough to yours to test specific 
settings.

On 02/27/2015 10:54 AM, Gerald Drouillard wrote:
> It does not matter what I put in for the TLS_PROTOCOL= TLSv1.1 or
> TLSv1.2 or -no_tls1 or TLS1_1 I will always get TLS1 only.  Below is
> the relevant POP settings but it is the same for IMAP.
>
> POP3DSSLSTART=0
> POP3_STARTTLS=YES
> POP3_TLS_REQUIRED=1
>
> #Moz "Intermediate" settings
> TLS_CIPHER_LIST="ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
>
> TLS_PROTOCOL=TLS1
> TLS_STARTTLS_PROTOCOL=TLS1

_______________________________________________
courier-users mailing list

Gordon Messmer | 27 Feb 19:13 2015

Re: TLS1_1 or higher ONLY?

On 02/27/2015 09:45 AM, Gerald Drouillard wrote:
>>
>   ldd /usr/bin/couriertls
>          libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f6c68c62000)

So, that's OpenSSL.  The documentation in the file you're editing 
indicates that "TLSv1.1" and "TLSv1.2" are valid settings for OpenSSL. 
It doesn't indicate whether multiple values can be set.


Hanno Böck | 27 Feb 18:46 2015

file /usr/include/unicode.h collides with libunicode

Hi Sam,

courier-unicode installs a file
/usr/include/unicode.h

I just got a bug report from a Gentoo user that this causes trouble.
There is a library libunicode that wants to install a file with the
same name:
https://bugs.gentoo.org/show_bug.cgi?id=541422

Can you rename that file to something less generic? This will need some
careful update strategy (should update courier-unicode and everything
that uses it at the same time with the change), but I think it would
avoid trouble in the future.

I propose to just name it courier-unicode.h, that'll probably avoid any
confusion.

cu, Hanno
-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno <at> hboeck.de
GPG: BBB51E42

Gordon Messmer | 27 Feb 18:33 2015

Re: TLS1_1 or higher ONLY?

On 02/27/2015 09:25 AM, Gerald Drouillard wrote:
> It is Ubuntu 14.04.  I am not 100% sure how they compiled it.  Is there
> a test I can do to confirm what the backend is?

Depending on where couriertls is installed:

$ ldd /usr/lib/courier/bin/couriertls

You'll either see libgnutls.so.<version> in the output, or 
libssl.so.<version>
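
An added example, not from the original thread: the `ldd` check above combined with a check of the protocol a server actually negotiates, run here on constructed sample output. The function names and sample text are assumptions, and a refused handshake is assumed to appear in `openssl s_client` output as cipher `0000` or `(NONE)`.

```shell
#!/bin/sh
# Added example. Sample inputs below are constructed, not captured output.
# On a live system the inputs come from (HOST is a placeholder):
#   ldd /usr/lib/courier/bin/couriertls
#   openssl s_client -connect HOST:110 -starttls pop3 </dev/null
# Adding -tls1 to s_client offers TLS 1.0 only, to confirm it is refused.
SAMPLE_LDD='	libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f0000000000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000200000)'
SAMPLE_SCLIENT='SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA'

# Read ldd output on stdin; print openssl, gnutls, both or unknown.
tls_backend() {
    awk '/libgnutls\.so/ { g = 1 }
         /libssl\.so/    { o = 1 }
         END { print (g && o ? "both" : g ? "gnutls" : o ? "openssl" : "unknown") }'
}

# Read s_client output on stdin; print the negotiated protocol, or "none"
# when no cipher was agreed (assumed to show as Cipher 0000 or (NONE)).
negotiated_protocol() {
    awk -F': *' '/^ *Protocol *:/ { p = $2 }
                 /^ *Cipher *:/   { c = $2 }
                 END { print (p == "" || c == "0000" || c == "(NONE)" ? "none" : p) }'
}

# report LDD_TEXT SCLIENT_TEXT: one summary line for the pair.
report() {
    backend=$(printf '%s\n' "$1" | tls_backend)
    proto=$(printf '%s\n' "$2" | negotiated_protocol)
    case "$proto" in
        TLSv1.1|TLSv1.2|TLSv1.3) verdict=ok ;;
        none)                    verdict=refused ;;
        *)                       verdict=too-old ;;
    esac
    echo "backend=$backend protocol=$proto verdict=$verdict"
}

report "$SAMPLE_LDD" "$SAMPLE_SCLIENT"
```

A default probe reports the highest version both ends share, so `verdict=ok` alone does not show that TLS 1.0 is disabled; the `-tls1` probe should come back as `refused`.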


Gerald Drouillard | 27 Feb 16:16 2015

TLS1_1 or higher ONLY?

Seems that a recent PCI scan is encouraging the use of TLS 1.1 or higher 
because of the BEAST attack.
Tried many settings and noticed that setting the TLS_PROTOCOL to 
anything disables 1.1 and 1.2.  Tried many things including
TLS_PROTOCOL="TLS1_2:TLS1_1:TLS1"

Anybody have any luck?


Mark Constable | 25 Feb 13:21 2015

Aliasing

I have a 3rd party app that produces a reply-to address like this...

ciab+605e46207a16cd9170493949c2684fb1-new <at> renta.net

What would be the best alias method to land this in the mailbox of
ciab <at> renta.net? If not an alias, any possible workarounds like pipe
to command or smtp/rcptfilter suggestions?


Sam Varshavchik | 25 Feb 14:28 2015

Courier 20150224

New builds of courier and courier-imap packages.

Download: http://www.courier-mta.org/download.html

Changes:

• Added a makeimapaccess script, implementing an access file for the IMAP  
server, like makesmtpaccess implements one for SMTP.

Ángel González | 22 Feb 19:05 2015

Passing the remote ip to authdaemond

I would like to have available in the authdaemon the remote ip which is
attempting the authentication.

This could be implemented in the AUTH request as a fifth line containing
"remoteip remoteport localip localport [\n]"

Not so sure if/how to implement it for PRE and PASSWD, though.

What do you think about the proposal?



first TLS then noTLS and verify in mail.log

Hello  <at> ll,

I have to configure courier-mta so that it first tries to encrypt with TLS 
and, when that fails, sends without TLS, like the following Postfix statement 
does:

smtp_tls_security_level=may

Is this possible with courier-mta? I am so confused by many 
configuration files and many things I have to consider.

Config file esmtpd-ssl gives me information that the esmtpd.pem must not 
be world readable. At the moment esmtpd.pem is a softlink to the real 
certificate file which is not world-readable anymore. Is this ok?

Relevant lines in esmtpd-ssl
AUTH_REQUIRED="0"
SSLPORT=465
ESMTPDSSLSTART="NO"

Is this configured in the config file esmtproutes? Mine contains just:
: /SECURITY=NONE

Is there also a way to verify email communication in mail.log? Could 
someone please post such a TLS-secured communication from your mail.log?

Cheers

Michael


Bernd Plagge | 16 Feb 15:11 2015

courier doc - HTML5

Hi,

I did a bit of research and found this:
Authoring and Producing books in (X)HTML5:
http://www.balisage.net/Proceedings/vol10/html/Kleinfeld01/BalisageVol10-Kleinfeld01.html#d29596e776

The author suggests using HTML5 for authoring and converting from HTML5 to other formats.

and
stylesheets for creating HTML5 from xml:
https://github.com/bbcarchdev/docbook-html5

This is an approach to use the "normal" xml files to create HTML5.

Maybe you find this useful,
Bernd

On Mon, 16 Feb 2015 12:18:30 +0000
courier-users-request <at> lists.sourceforge.net wrote:

> Mark Constable writes:
> 
> > I've tried making my buttons even bigger but PageSpeed still won't gimme
> > 100. See size tap targets (passes everything else)...
> >
> > https://developers.google.com/speed/pagespeed/insights/?url=https://renta.net/courier
> 
> It looks to me like the issue is not horizontal spacing, but vertical  
> spacing.

Hanno Böck | 16 Feb 13:47 2015

[PATCH] make testsuite work with user without a default shell

Hi,

I noted that the test suite currently fails in Gentoo. The reason is
that it is executed with a user without a default shell and one of the
maildrop tests will fail with that.

This can be fixed by explicitly setting the SHELL variable in the
respective test to /bin/sh, therefore making the test suite more robust
in uncommon environments. See attached patch, please apply.

cu,
-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno <at> hboeck.de
GPG: BBB51E42

