Mark Constable | 2 Sep 04:33 2014

authdaemond password debugging

a) server running Debian 6 w/ courier-authdaemon 0.63.0-3
b) server running Ubuntu 14.04 w/ courier-authdaemon 0.63.0-6ubuntu1

b) server provides the below when a password fails...

Sep  2 11:35:45 s2 authdaemond:
  supplied password 'user_pw' does not match passwd 'db_pw'

a) does not provide the above line even though both have almost exactly
the same settings.

Why is a) not providing the 'does not match' line for failed passwords?

a) egrep -v "^(#|$)" authdaemonrc | sort
authdaemonvar=/var/run/courier/authdaemon
authmodulelist="authmysql"
authmodulelistorig="authuserdb authpam authpgsql authldap authmysql authcustom authpipe"
daemons=20
DEBUG_LOGIN=2
DEFAULTOPTIONS=""
LOGGEROPTS=""

b) egrep -v "^(#|$)" authdaemonrc | sort
authdaemonvar=/var/run/courier/authdaemon
authmodulelist="authmysql"
authmodulelistorig="authuserdb authpam authpgsql authldap authmysql authcustom authpipe"
daemons=5
DEBUG_LOGIN=2
DEFAULTOPTIONS=""
LOGGEROPTS=""

Harald Wolf | 31 Aug 17:13 2014

rcptfilter - smtpfilter with local and remote recipients, You are (not) whitelisted

Hi.

I've got a special problem.

I use /etc/courier/maildroprcs/rcptfilter and tried to use /etc/courier/maildroprcs/smtpfilter.

In rcptfilter I end with EXITCODE 99, and in most cases smtpfilter starts.

But: if there is a mail with almost one locally hosted mail address and one on another mail server, I always get

You are whitelisted by this recipient … Please try again later OR

You are whitelisted by this recipient … Please try again later

and smtpfilter wasn't started.

The message depends on whether the first recipient is a local or a remote address.

I googled around for a couple of days and I think the problem is in submit.c.

I'm no C programmer, but to me it looks as if the whole mail is classified as "whitelisted" = local recipient
and "not_whitelisted" = remote recipient.

The first check works fine and the second check with the second recipient results in an error.

As a workaround I don't use smtpfilter right now, but if possible I would like to reject spam
instead of just marking it (and sending it to my customers).

Any help available?

submit.c, lines 2434-2472:

    int    rc=handlerp.listcount == 1 ? handlerp.ret_code:
           do_receipient_filter(&rwi, &riv, errmsg);

        if (rc)
        {
            if (rc != 99)    return (errmsg);

            /*
            ** Return code 99 -- nonwhitelisted recipient subject
            ** to spam filtering.
            */
            if (my_rcptinfo->whitelisted_only)
            {
                errmsg=you_are_not_whitelisted;
                return (errmsg);
            }
            my_rcptinfo->nonwhitelisted_only=1;
        }
        else
        {
            /*
            ** Return code 0 - whitelisted recipient.
            */
            if (my_rcptinfo->nonwhitelisted_only)
            {
                errmsg=you_are_whitelisted;
                return (errmsg);
            }
            my_rcptinfo->whitelisted_only=1;
        }

        // Good address, but should we add it to the list of
        // recipients?  Figure out what should be the key to check
        // for a duplicate address.
        //
        // DSN: NEVER, use module<nl>host<nl>addr, should get rid
        //      of the most number of duplicate addresses
        //
        // Every case, use module<nl>host<nl>addr<nl>orecipient.


Kind regards
DIC-Online Wolf & Co. KG

Harald Wolf

Managing Director
Tel:+43/(0)512/341033-0
Fax:+43/(0)512/341033-19
http://www.dic.at
mailto:harald.wolf <at> dic-online.eu

Registration court: Innsbruck

Company register no.: FN 146723 w

DVR-NR: 0865729

Note:

This message and all attachments are the property of DIC-Online Wolf & Co. KG and are intended only for the named person or organisation. If you have received this message in error, please inform the sender by e-mail and delete the message. If you are not the intended recipient, you may not use, copy or otherwise distribute this message or its attachments in whole or in part.

Notice:

This message and any attachments are the property of DIC-Online Wolf & Co. KG and are intended solely for the named recipients or entity to whom this message is addressed. If you have received this message in error please inform the sender via e-mail and destroy the message. If you are not the intended recipient you are not allowed to use, copy or disclose the contents or attachments in whole or in part.
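A small model of the per-recipient bookkeeping in the submit.c excerpt above, added here as an example and not Courier's own code: it keeps only the two flags and the two return codes visible in the excerpt, with a stand-in filter (an assumption for the demonstration) that returns 0 for locally hosted addresses and 99 for everything else, and shows that a mixed local/remote recipient list is always rejected, with the message chosen by which kind of recipient comes first.

```python
"""Model of the per-recipient whitelist bookkeeping quoted from submit.c.

Added example, not Courier's code.  It keeps only what the excerpt shows:
return code 0 marks a whitelisted recipient, 99 marks a non-whitelisted
recipient that is subject to spam filtering, and the two per-message
flags whitelisted_only / nonwhitelisted_only decide whether a later
recipient of the other kind is rejected.
"""

# The two error messages, referred to by the variable names in the excerpt.
YOU_ARE_NOT_WHITELISTED = "you_are_not_whitelisted"
YOU_ARE_WHITELISTED = "you_are_whitelisted"


def recipient_filter_rc(recipient, local_domains):
    """Stand-in for do_receipient_filter().  Assumption for this demo: the
    rcptfilter returns 0 for locally hosted addresses and exits with 99
    for everything else, as the post describes."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    return 0 if domain in local_domains else 99


def classify_recipients(recipients, local_domains):
    """Apply the excerpt's logic to every recipient of one message.

    Returns the error message that aborts the transaction, or None when
    all recipients are accepted (the flags then say whether the whole
    mail counts as 'whitelisted' or 'nonwhitelisted')."""
    whitelisted_only = False     # my_rcptinfo->whitelisted_only
    nonwhitelisted_only = False  # my_rcptinfo->nonwhitelisted_only
    for rcpt in recipients:
        rc = recipient_filter_rc(rcpt, local_domains)
        if rc:
            if rc != 99:
                return "filter error rc=%d" % rc
            if whitelisted_only:        # a local recipient came first
                return YOU_ARE_NOT_WHITELISTED
            nonwhitelisted_only = True
        else:
            if nonwhitelisted_only:     # a remote recipient came first
                return YOU_ARE_WHITELISTED
            whitelisted_only = True
    return None


LOCAL_DOMAINS = {"example.test"}  # constructed local domain for the demo
```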

 

------------------------------------------------------------------------------
Slashdot TV.  
Video for Nerds.  Stuff that matters.
http://tv.slashdot.org/
_______________________________________________
courier-users mailing list
courier-users <at> lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
Mark Constable | 29 Aug 12:49 2014

Latest Courier Ubuntu PPA Available

Thanks to Ondřej Surý, Ubuntu 12.04, 14.04 and 14.10 users can
now install the latest courier packages directly from a PPA.

https://launchpad.net/~ondrej/+archive/ubuntu/courier

courier-authlib 0.66.1
courier-mta 0.73.1
courier-imap 4.15-1

But no courier-authlib-sqlite package so I'll CC Ondřej.

Issues can be filed here so if anyone has a patch to also create
a courier-authlib-sqlite debian package then please post it to...

https://github.com/oerdnj/deb.sury.org/issues

Ángel González | 18 Aug 19:11 2014

[PATCH] Support different path locations for the xsl stylesheets.

This adds support for the location used by Debian/Ubuntu.
---
 docbook/manpages.in  |   55 ++++++++++++++++++++++++++++++++++++++++++++++++++
 docbook/manpages.xsl |   55 --------------------------------------------------
 docbook/sgml2html    |   15 ++++++++++++++
 docbook/sgml2man     |   16 ++++++++++++++-
 4 files changed, 85 insertions(+), 56 deletions(-)
 create mode 100644 docbook/manpages.in
 delete mode 100644 docbook/manpages.xsl

diff --git a/docbook/manpages.in b/docbook/manpages.in
new file mode 100644
index 0000000..3d378d4
--- /dev/null
+++ b/docbook/manpages.in
 <at>  <at>  -0,0 +1,55  <at>  <at> 
+<?xml version='1.0'?>
+<xsl:stylesheet  
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
+
+<xsl:include href="/usr/share/sgml/docbook/xsl-stylesheets/xhtml/onechunk.xsl"/>
+
+<xsl:param name="html.stylesheet" select="'style.css'"/>
+<xsl:param name="admon.graphics" select="0"/>
+
+<xsl:param name="use.id.as.filename" select="1"/>
+
+<xsl:param name="funcsynopsis.style">ansi</xsl:param>
+
+<xsl:param name="table.borders.with.css" select="1" />
+
+<xsl:param name="default.table.frame" select="'collapse'" />
+<xsl:param name="table.cell.border.style" select="''" />
+<xsl:param name="table.cell.border.thickness" select="''" />
+<xsl:param name="table.cell.border.color" select="''" />
+<xsl:param name="emphasis.propagates.style" select="1" />
+<xsl:param name="para.propagates.style" select="1" />
+<xsl:param name="entry.propagates.style" select="1" />
+
+<xsl:param name="part.autolabel" select="0" />
+<xsl:param name="section.autolabel" select="0" />
+<xsl:param name="chapter.autolabel" select="0" />
+
+<xsl:template name="user.head.content">
+
+   <link rel='stylesheet' type='text/css' href='manpage.css' />
+   <meta name="MSSmartTagsPreventParsing" content="TRUE" />
+   <link rel="icon" href="icon.gif" type="image/gif" />
+    <xsl:comment>
+
+Copyright 1998 - 2009 Double Precision, Inc.  See COPYING for distribution
+information.
+
+</xsl:comment>
+</xsl:template>
+
+<!-- Bug fix 1.76.1 -->
+<xsl:template match="funcdef/function" mode="ansi-tabular">
+  <xsl:choose>
+    <xsl:when test="$funcsynopsis.decoration != 0">
+      <strong xmlns="http://www.w3.org/1999/xhtml"
+              xmlns:xslo="http://www.w3.org/1999/XSL/Transform"><xsl:apply-templates mode="ansi-nontabular"/></strong>
+    </xsl:when>
+    <xsl:otherwise>
+      <xsl:apply-templates mode="kr-tabular"/>
+    </xsl:otherwise>
+  </xsl:choose>
+</xsl:template>
+
+</xsl:stylesheet>
+
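Review bot: the `<xsl:include href="/usr/share/sgml/docbook/xsl-stylesheets/xhtml/onechunk.xsl"/>` line still hard-codes the Fedora path even though the file is now a template that sgml2html rewrites with a sed regex; a placeholder token (for example `@ONECHUNK@`, substituted by the script or by configure) would make the template self-describing and avoid the regex silently failing to match if the include line is ever reformatted. Apart from that line the content is identical to the deleted manpages.xsl, so the stylesheet itself is unchanged by this patch.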
diff --git a/docbook/manpages.xsl b/docbook/manpages.xsl
deleted file mode 100644
index 3d378d4..0000000
--- a/docbook/manpages.xsl
+++ /dev/null
 <at>  <at>  -1,55 +0,0  <at>  <at> 
-<?xml version='1.0'?>
-<xsl:stylesheet  
-    xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
-
-<xsl:include href="/usr/share/sgml/docbook/xsl-stylesheets/xhtml/onechunk.xsl"/>
-
-<xsl:param name="html.stylesheet" select="'style.css'"/>
-<xsl:param name="admon.graphics" select="0"/>
-
-<xsl:param name="use.id.as.filename" select="1"/>
-
-<xsl:param name="funcsynopsis.style">ansi</xsl:param>
-
-<xsl:param name="table.borders.with.css" select="1" />
-
-<xsl:param name="default.table.frame" select="'collapse'" />
-<xsl:param name="table.cell.border.style" select="''" />
-<xsl:param name="table.cell.border.thickness" select="''" />
-<xsl:param name="table.cell.border.color" select="''" />
-<xsl:param name="emphasis.propagates.style" select="1" />
-<xsl:param name="para.propagates.style" select="1" />
-<xsl:param name="entry.propagates.style" select="1" />
-
-<xsl:param name="part.autolabel" select="0" />
-<xsl:param name="section.autolabel" select="0" />
-<xsl:param name="chapter.autolabel" select="0" />
-
-<xsl:template name="user.head.content">
-
-   <link rel='stylesheet' type='text/css' href='manpage.css' />
-   <meta name="MSSmartTagsPreventParsing" content="TRUE" />
-   <link rel="icon" href="icon.gif" type="image/gif" />
-    <xsl:comment>
-
-Copyright 1998 - 2009 Double Precision, Inc.  See COPYING for distribution
-information.
-
-</xsl:comment>
-</xsl:template>
-
-<!-- Bug fix 1.76.1 -->
-<xsl:template match="funcdef/function" mode="ansi-tabular">
-  <xsl:choose>
-    <xsl:when test="$funcsynopsis.decoration != 0">
-      <strong xmlns="http://www.w3.org/1999/xhtml"
-              xmlns:xslo="http://www.w3.org/1999/XSL/Transform"><xsl:apply-templates mode="ansi-nontabular"/></strong>
-    </xsl:when>
-    <xsl:otherwise>
-      <xsl:apply-templates mode="kr-tabular"/>
-    </xsl:otherwise>
-  </xsl:choose>
-</xsl:template>
-
-</xsl:stylesheet>
-
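Review bot: since manpages.xsl is now generated from manpages.in by sgml2html, this deletion should come with a .gitignore entry and a clean-target rule for the generated file, otherwise a stale manpages.xsl left in a checkout is indistinguishable from the old tracked one. Regenerating the patch with rename detection (`git format-patch -M`) would also present this as a rename of manpages.xsl to manpages.in (the blob index 3d378d4 is the same on both sides) instead of 55 deleted and 55 added lines.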
diff --git a/docbook/sgml2html b/docbook/sgml2html
index 6040700..73da461 100755
--- a/docbook/sgml2html
+++ b/docbook/sgml2html
 <at>  <at>  -14,6 +14,21  <at>  <at>  fi

 rm -rf $dstfile.tmp
 mkdir $dstfile.tmp
+
+ONECHUNK=""
+# sgml/docbook/xsl-stylesheets used by Fedora, xml/docbook/stylesheet by Debian/Ubuntu
+for xslfile in /usr/share/sgml/docbook/xsl-stylesheets/xhtml/onechunk.xsl
/usr/share/xml/docbook/stylesheet/docbook-xsl/xhtml/onechunk.xsl; do
+ if [ -f "$xslfile" ]; then
+   ONECHUNK="$xslfile"
+   break
+ fi
+done
+if [ -z "$ONECHUNK" ]; then
+ echo >&2 onechunk.xsl stylesheet not found. Please edit docbook/sgml2html
+ exit 1
+fi
+
+sed 's|^\(<xsl:include href="\)[^"]*/onechunk.xsl\("/>\)|'"\1$ONECHUNK\2|" `dirname
$0`/manpages.in > `dirname $0`/manpages.xsl
 xsltproc -o $dstfile.tmp/ `dirname $0`/manpages.xsl $srcfile || exit 1
 xsltproc `dirname $0`/fixhtml.xsl $dstfile.tmp/* >$dstfile.tmp2 || exit 1
 rm -rf $dstfile.tmp
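Review bot: the `for xslfile in ...` list and the `sed ... manpages.in > ... manpages.xsl` command are each split across two lines here with the continuation line lacking its leading `+`, which looks like mail-client wrapping; the patch will not apply in this form, so please resend it as an attachment or with wrapping disabled. Separately, the sed step writes manpages.xsl into `dirname $0`, the source directory, on every run, which fails on a read-only source tree and races when parallel builds share it; writing the generated stylesheet next to `$dstfile.tmp`, or generating it once at configure time, avoids both.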
diff --git a/docbook/sgml2man b/docbook/sgml2man
index a7f71e2..fef7719 100755
--- a/docbook/sgml2man
+++ b/docbook/sgml2man
 <at>  <at>  -14,7 +14,21  <at>  <at>  fi

 rm -rf $dstfile.tmpdir
 mkdir -p $dstfile.tmpdir
-xsltproc --nonet -o $dstfile.tmpdir/
/usr/share/sgml/docbook/xsl-stylesheets/manpages/docbook.xsl $srcfile
+
+DOCBOOK_XSL=""
+# sgml/docbook/xsl-stylesheets used by Fedora, xml/docbook/stylesheet by Debian/Ubuntu
+for xslfile in /usr/share/sgml/docbook/xsl-stylesheets/manpages/docbook.xsl
/usr/share/xml/docbook/stylesheet/docbook-xsl/manpages/docbook.xsl; do
+ if [ -f "$xslfile" ]; then
+   DOCBOOK_XSL="$xslfile"
+   break
+ fi
+done
+if [ -z "$DOCBOOK_XSL" ]; then
+ echo >&2 docbook.xsl stylesheet not found. Please edit docbook/sgml2man
+ exit 1
+fi
+
+xsltproc --nonet -o $dstfile.tmpdir/ "$DOCBOOK_XSL" $srcfile

 for f in $dstfile.tmpdir/*
 do
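Review bot: the rewritten `xsltproc --nonet -o $dstfile.tmpdir/ "$DOCBOOK_XSL" $srcfile` line still has no `|| exit 1` (sgml2html has it on its xsltproc calls), so a failed conversion falls through into the `for f in $dstfile.tmpdir/*` loop over an empty directory; since the line is being touched anyway, add the check. The same line-wrapping problem as in sgml2html affects the `for xslfile in` list here, and the search loop is duplicated verbatim between the two scripts, so a shared helper or a configure-time variable would keep the path list in one place.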
--

-- 
1.7.10.4


Xepher | 20 Aug 01:07 2014

[PATCH] SPF "include" recursion handled improperly

I noticed that courier was rejecting mail from 192.168.5.5 (NOTE: 
addresses/domains anonymized) with "517 SPF fail example <at> example1.com: 
Address does not pass the Sender Policy Framework" even though the SPF 
for that domain passes all SPF check tools, such as the ones at 
http://tools.bevhost.com/spf/ http://www.kitterman.com/spf/validate.html 
and http://vamsoft.com/support/tools/spf-policy-tester

The domain in question uses the "include" mechanism in its SPF record, 
and the included domain uses the "mx" mechanism. According to the RFC at 
http://www.ietf.org/rfc/rfc4408.txt "include" should basically initiate 
a new SPF lookup with <current-domain> changed to that of the included 
domain. To the best of my understanding, the resolution chain should 
basically go like this.

# dig -t txt example1.com +short
"v=spf1 include:example2.com -all"

# dig -t txt example2.com +short
"v=spf1 mx ~all"

# dig -t mx example2.com +short
10 mail.example2.com.

# dig -t A mail.example2.com +short
192.168.5.5

However, when looking up the mx record, Courier always pulls the domain 
component from the mailfrom portion (which, unlike info.current_domain, 
does NOT change when recursively calling lookup()), meaning it does a 
lookup for mx entries for example1.com, instead of example2.com in the 
third step, and the SPF check results in a "fail" instead of "pass" at 
that point, since outbound mail is a different server than inbound mail 
for example1.com. That is, it does this for the second and third steps:

# dig -t mx example1.com +short
10 smtp.example3.com

# dig -t A smtp.example3.com +short
192.168.200.200

As that obviously doesn't match 192.168.5.5 it falls to "-all" from the 
initial record and fails, rejecting what should be a valid message.

I've attached a patch (spf-recursive.patch) which, I believe, properly 
resolves the issue. However, as the current SPF tests provided with 
courier (./testspf -test=1) do not work (the DNS records used are no 
longer configured with SPF as far as I can tell) I don't have proper 
unit tests. It's also possible that I (and several of the testing tools) 
are misunderstanding the RFC, but I don't believe that is the case.

Please let me know if any further details are needed.

Thanks,
--Xepher
Attachment (spf-recursive.patch): text/x-patch, 539 bytes
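A minimal SPF evaluator, added here as an example and not part of Courier or of the attached patch, that walks the resolution chain above over a constructed in-memory DNS table using the post's anonymised names; the `buggy` flag reproduces the behaviour described (the "mx" mechanism resolved against the mailfrom domain rather than the domain currently being evaluated) so the two outcomes can be compared side by side.

```python
"""Minimal SPF evaluator (RFC 4408 subset) for the resolution chain in the post.

Added example, not Courier's code and not the attached patch.  It supports
only the mechanisms the post mentions (include, mx, a, ip4, all) and reads a
constructed in-memory DNS table with the anonymised names from the post
instead of doing real lookups.
"""
import ipaddress

# Constructed DNS table mirroring the dig output quoted in the post.
DNS = {
    ("example1.com", "TXT"): ["v=spf1 include:example2.com -all"],
    ("example2.com", "TXT"): ["v=spf1 mx ~all"],
    ("example2.com", "MX"): ["mail.example2.com"],
    ("mail.example2.com", "A"): ["192.168.5.5"],
    ("example1.com", "MX"): ["smtp.example3.com"],
    ("smtp.example3.com", "A"): ["192.168.200.200"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return DNS.get((name.lower(), rtype), [])


def host_has_ip(host, ip):
    return any(ipaddress.ip_address(a) == ip for a in lookup(host, "A"))


def check_host(ip, current_domain, mailfrom_domain, buggy=False, depth=0):
    """Evaluate current_domain's SPF record for the connecting ip.

    buggy=True reproduces the behaviour described in the post: "mx" is
    resolved against the original mailfrom domain instead of the domain
    currently being evaluated, so include: recursion never changes which
    MX set is consulted.
    """
    if depth > 10:                      # recursion guard (RFC 4408 caps lookups)
        return "permerror"
    ip = ipaddress.ip_address(ip)
    records = [r for r in lookup(current_domain, "TXT") if r.split()[:1] == ["v=spf1"]]
    if len(records) != 1:
        return "none" if not records else "permerror"
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = host_has_ip(arg or current_domain, ip)
        elif mech == "mx":
            mx_domain = mailfrom_domain if buggy else (arg or current_domain)
            matched = any(host_has_ip(mx, ip) for mx in lookup(mx_domain, "MX"))
        elif mech == "include":
            inner = check_host(ip, arg, mailfrom_domain, buggy, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"      # included domain must have a record
            matched = inner == "pass"
        else:
            return "permerror"          # mechanism outside this subset
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"
```

With the correct evaluation the sender 192.168.5.5 passes via example2.com's MX; with `buggy=True` the MX of example1.com (192.168.200.200) is consulted instead, the include yields softfail, and the outer `-all` turns the result into the "fail" the post reports.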
sergio | 15 Aug 16:18 2014

CourierMTA+StartSSL Free Certificate=no shared cipher

Hello all courier users!
I've successfully installed Courier 0.66.1 on Ubuntu 12.04. All is 
working perfectly, but when I add a free certificate from StartSSL and try 
to use it for imap and smtp I get the error

courieresmtpd: courieresmtpd: STARTTLS failed: couriertls: connect: 
error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

So maybe you can help me find the error in openssl, or tell me the 
really correct way to install my certificate in courier.

I'll be grateful for any help.

--

-- 
sergio   bortsov


Mark Constable | 15 Aug 15:40 2014

Separate service passwords

Most of our brute force password attacks are against our pop service
and some of our breaches are where gullible clients respond to various
claims about "give us your details or you will lose your account",
of which some recent spams were even branded with our domain name so
they would always look convincing to 1% or 2% of our clients.

Once the user's pop/imap details are uncovered they are used to
access the smtp ports to send out authenticated mail. Now we notice
there is a recent tendency to send out very slowly from a large range
of IPs (a botnet, particularly from south america), so the obvious
pump and dump of yesteryear is not detected and can go on for weeks
until we manually notice suspicious behaviour in the mail logs. The
only good thing about this recent trend, to stealthily send out spam
at roughly the frequency of a human, is that it does not land us on a blacklist.

Anyway, one thing that would help mitigate this is to have separate
passwords for pop, imap and smtp servers and maybe even different ones
for each port in use.

Just being able to have two passwords, one for incoming mail and
a different one for outgoing mail, could make a difference, so any
suggestions on how to allow our clients to use different passwords for
the different courier-authdaemon family of services?


Lisa Muir | 10 Aug 19:17 2014

Install guide changes was... Re: Auto-Re: IMAP/SSL and ESMTP/SSL


On Sun, Aug 10, 2014 at 12:46 PM, Charles Parkinson <charlieparkinson88 <at> yahoo.co.uk> wrote:
 
I like the neatness of the courier approach, however the install doc could do with a little comment to define the syntax / spec, say a small standalone section on cert formats.

Just some further feedback from a first time installer of courier: it would have been helpful if the install document had pointed out the glaringly obvious fact that I needed to shut down any existing smtp services on the host before starting courier for the first time. It was a forehead thumper for sure, which I worked out with the help of the list archives, but a simple one-liner reminder to disable this would have been useful!!

If changes to the install guide are being considered, I always find when it comes to enabling the images in sqwebmail that the easiest way is to add a line to the apache configuration file which says:

  Alias /webmail "/usr/lib/courier/share/sqwebmail/images/"

which is handier than symlinks or copies as suggested by the install guide, simply because I have to refer to the apache conf file to find where to symlink to, or where to copy to, so when in that file, it's cleaner to just add a virtual directory directive.

Lisa.

Charles Parkinson | 10 Aug 04:21 2014

Re: Auto-Re: IMAP/SSL and ESMTP/SSL

On 10/08/14 01:54, Sam Varshavchik wrote:
> Charles Parkinson writes:
>
>> Nowhere in the guide does it say where to install the private key for
>> the imap / smtp services, nor can I see it in the configuration files
>> referenced. Without the private key, how will any of these services
>> decrypt messages encrypted with the key contained in the public
>> key certificate?
>
> It's the same file. The PEM formats allows you to concatenate all
> the pieces in one file. The certificate file contains both the private
> key, and the certificate, in the PEM format

Ok, so that makes sense except for the fact that a CSR sent to a commercial CA should never contain the private key, so the resulting PEM-encoded cert received in return will not contain the concatenated key pair.

Is that an exercise for the courier-mta admin to take the DER-encoded private key, concatenate it with the DER-encoded public key cert received from the CA, and PEM encode it? Or do we PEM encode the private DER and concat it with the PEM encoding received from the CA? And in either case, what is the syntax that Courier-mta expects inside that PEM file to id the private key? Should it be a block of PEM which decodes with headers, or headers delimiting the PEM blocks?

Charles.
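As an added example (not Courier's own code), a standard-library-only checker for the concatenated key-plus-certificate PEM file that the quoted reply describes; the sample bundle is constructed with placeholder base64 bodies, and the check verifies only the file's framing (block labels, base64, ASN.1 SEQUENCE tag), not that the private key matches the certificate.

```python
"""Inspect a PEM bundle of the kind the quoted reply describes: private
key and certificate concatenated in one file.  Added example, not Courier
code.  Standard library only, so it checks structure (labels, base64,
ASN.1 SEQUENCE framing) rather than validating the key pair itself.
"""
import base64
import re

BLOCK_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
PRIVATE_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def pem_blocks(text):
    """Return [(label, der_bytes)] for each well-formed PEM block, in
    file order.  Raises binascii.Error on a body that is not base64."""
    blocks = []
    for m in BLOCK_RE.finditer(text):
        label, body = m.group(1), "".join(m.group(2).split())
        der = base64.b64decode(body, validate=True)
        blocks.append((label, der))
    return blocks


def bundle_problems(text):
    """Structural problems that would stop a server loading this file
    as one combined private key + certificate file."""
    blocks = pem_blocks(text)
    labels = [label for label, _ in blocks]
    problems = []
    if sum(label in PRIVATE_KEY_LABELS for label in labels) != 1:
        problems.append("expected exactly one private key block, got %r" % labels)
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block: the CA's certificate must be appended")
    for label, der in blocks:
        if not der or der[0] != 0x30:   # keys and certs are DER SEQUENCEs
            problems.append("%s block does not decode to a DER SEQUENCE" % label)
    return problems


# Constructed sample: the base64 bodies are placeholders that decode to a
# SEQUENCE tag followed by zeros, not a real key or certificate.
FAKE_BODY = "MIIB" + "A" * 60
KEY_ONLY = ("-----BEGIN RSA PRIVATE KEY-----\n%s\n"
            "-----END RSA PRIVATE KEY-----\n" % FAKE_BODY)
CERT_ONLY = ("-----BEGIN CERTIFICATE-----\n%s\n"
             "-----END CERTIFICATE-----\n" % FAKE_BODY)
BUNDLE = KEY_ONLY + CERT_ONLY   # the combined file the reply describes
```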



Charles Parkinson | 10 Aug 02:23 2014

IMAP/SSL and ESMTP/SSL

Hi,

I've been reading the install guide for courier-mta on the website, and I am a little confused by the configuration of the SSL features. In each case it appears from the install guide that all you need is a digital certificate in PEM format in the correct location.

My understanding of how SSL works is that the client will use that certificate to obtain the server's public key, which it will use to encrypt a session key, which the server must then decrypt with its private key. The session key is used for the duration of the information exchange once it is known to both parties.

Nowhere in the guide does it say where to install the private key for the imap / smtp services, nor can I see it in the configuration files referenced. Without the private key, how will any of these services decrypt messages encrypted with the key contained in the public key certificate?

Am I missing something in how the protocol works, or is there ju-ju afoot? I just fail to see how the server is ever going to be able to decrypt a message encrypted with the key contained in the certificate, which is the whole purpose of having a digital certificate, the basis of trust to enable shared secrets...

Charles.
Lisa Muir | 8 Aug 10:53 2014

Offline maildir reader

Hi Guys,

Going to be decommissioning a bunch of email accounts for an organisation today as we migrate them from an old courier server to a new one. All the accounts were accessed as IMAP accounts.

Told them I would put the old maildirs onto the office NAS so that they'd have them, and they asked the obvious question: what would they open them with?

This office actually has a couple of Linux desktops, a bunch of windows desktops and a few ios / android devices, which should make the solution easier if there is a good solution for just one of those platforms.

Anybody dealt with this before and got any solutions they find work well?

Lisa.


