Xavier Garcia | 31 Oct 14:31 2014

Re: Disabling SSLv3

Hi,

AFAIK, this enables STARTTLS on the port instead of starting a
purely encrypted connection.

nc -vv imapproxy01i 993
Connection to imapproxy01i 993 port [tcp/imaps] succeeded!
* OK [CAPABILITY IMAP4rev1 SASL-IR SORT THREAD=REFERENCES
* MULTIAPPEND UNSELECT LITERAL+ IDLE CHILDREN NAMESPACE
* LOGIN-REFERRALS STARTTLS LOGINDISABLED] perdition ready on
* imapproxy01i 00028de7

I haven't tested but I think this may not change the list of
accepted ciphers. After reading the manual and some messages in
the list, it seems that all references to TLS in the
configuration are aiming at STARTTLS and the only way to change
the valid ciphers is with *ssl_listen_ciphers* and
*ssl_outgoing_ciphers*. Am I mistaken?

Regards,

Xavier Garcia

On Fri, Oct 31, 2014 at 02:10:42PM +0100, LE SAOUT Mael wrote:
> Hi all,
> 
> I have to disable it in /etc/sysconfig/perdition :
> POP3S_FLAGS="--outgoing_port 110 --ssl_mode tls_listen,tls_listen_force"
> IMAP4S_FLAGS="--outgoing_port 143 --ssl_mode tls_listen,tls_listen_force"
> 

Xavier Garcia | 31 Oct 13:59 2014

Disabling SSLv3

Dear all,

I am trying to disable SSLv3 on perdition 2.0-1.x86_64.
It is running on a RHEL 6.5 clone and it was compiled with the SPEC files.

In theory, I should apply the following configuration, but it also
disables TLSv1 and TLSv1.1, with TLSv1.2 still available.

---
ssl_listen_ciphers "ALL:!SSLv2:!SSLv3"
---

I don't know much about cryptography but I
guess it makes sense because I obtain the same result on all my
boxes (RHEL 6.5, Fedora and FreeBSD 10) when I execute:

openssl ciphers -v 'ALL:!SSLv2:!SSLv3'

What would be the best way to disable SSLv2 and SSLv3 for incoming and
outgoing connections?

Regards,

Xavier Garcia
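As an added note for this thread (example code, not from the thread or from perdition): the Python script below shows what the OpenSSL cipher-string alias `!SSLv3` actually matches, why it also knocks out the suites TLSv1/TLSv1.1 can use, and how that differs from switching the SSLv3 protocol off. It uses only Python's standard `ssl` module against whatever OpenSSL it is linked with.

```python
# Added example, not from the thread or from perdition: what "!SSLv3" in an
# OpenSSL cipher string really removes. OpenSSL tags each suite with the
# lowest protocol version that can negotiate it, and the alias "SSLv3" matches
# suites carrying that tag, not the SSLv3 protocol. The OpenSSL of the
# thread's era tagged every pre-TLSv1.2 suite "SSLv3", so the string left
# only TLSv1.2 suites (as the original post observed); newer OpenSSL tags the
# ECC suites "TLSv1.0", so some suites usable by TLSv1.0/1.1 clients survive
# the filter. Either way, a cipher string is the wrong knob for a protocol.
import ssl

TLS12_OR_LATER = {"TLSv1.2", "TLSv1.3"}


def _ctx(cipher_string):
    """Server context with the given OpenSSL cipher string applied."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx


def protocols_of(ctx):
    """Version tags of the enabled suites (the second column of
    `openssl ciphers -v`): SSLv3, TLSv1.0, TLSv1.2 or TLSv1.3."""
    return {c["protocol"] for c in ctx.get_ciphers()}


def protocols_for(cipher_string):
    return protocols_of(_ctx(cipher_string))


def pre_tls12_suites(cipher_string):
    """Enabled suites a TLSv1.0/1.1 client could still negotiate; an empty
    list means the string also shut out TLSv1 and TLSv1.1, as in the thread."""
    return sorted(c["name"] for c in _ctx(cipher_string).get_ciphers()
                  if c["protocol"] not in TLS12_OR_LATER)


def sslv3_off_by_protocol_option():
    """Disable the SSLv3 protocol with an option rather than a cipher string.
    True when SSLv3 is off while SSLv3-tagged suites stay enabled: protocol
    and suite selection are independent settings."""
    ctx = _ctx("ALL:!SSLv2")        # keep every suite
    ctx.options |= ssl.OP_NO_SSLv3  # protocol switch (modern Python sets it
                                    # by default and prefers minimum_version)
    return bool(ctx.options & ssl.OP_NO_SSLv3) and "SSLv3" in protocols_of(ctx)


if __name__ == "__main__":
    for spec in ("ALL", "ALL:!SSLv2:!SSLv3", "ALL:!SSLv2:!SSLv3:!TLSv1"):
        print(f"{spec:26} tags={sorted(protocols_for(spec))} "
              f"pre-TLSv1.2 suites left={len(pre_tls12_suites(spec))}")
    print("SSLv3 off by option while SSLv3-era suites stay enabled:",
          sslv3_off_by_protocol_option())
```

Running it prints, for each cipher string, which version tags remain and how many suites a TLSv1.0/1.1 client could still use, so you can see on your own OpenSSL whether the string in the thread does more than disable SSLv3.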
______________________________________________
Perdition-users mailing list
Perdition-users <at> vergenet.net
http://lists.vergenet.net/listinfo/perdition-users

Eivind Olsen | 24 Oct 15:23 2014

Weird issue with Perdition 2.1 to MS Exchange

Hello.

I'm currently trying to understand an issue I see with Perdition
connecting to MS Exchange.

For some reason some commands seem to do nothing, while they work fine if
used directly and not going through Perdition (version 2.1 running on
RHEL7 btw).

Here's what I see when I do a packet capture on the traffic going from the
server running Perdition (MS exchange = lines starting with S, and
perdition on the lines starting with C):

S: * OK The Microsoft Exchange IMAP4 service is ready.
C: flim07 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 AUTH=NTLM AUTH=GSSAPI AUTH=PLAIN STARTTLS
UIDPLUS CHILDREN IDLE NAMESPACE LITERAL+
S: flim07 OK CAPABILITY completed.
C: flim08 LOGIN {7}
S: + Ready for additional command text.
C: use-rna {20}
S: + Ready for additional command text.
C: thisISaLoNgPasswordd
S: flim08 OK LOGIN completed.
C: A002 SELECT "INBOX"
...and here it just seems to hang, no traffic is returned...

If I go to the server running Perdition and run these commands manually
with the help of "telnet msexchangeserver 143", they seem to work fine:

润青杨 | 21 Oct 17:08 2014

perdition have some ssl security problems

Hi guys,

Recently, our group has been trying to find SSL security problems by static analysis. We have found some problems in perdition and reported these bugs on Launchpad, but we haven't received any responses.

Could you please take a look at this bug:
https://bugs.launchpad.net/ubuntu/+source/perdition/+bug/1380304

Thanks,
Rainkin
Vincent Fox | 15 Oct 23:03 2014

Poodle?

Hi,

Just catching up to this SSLv3 "Poodle" vulnerability.

Should I do anything with my Perdition config?

Thanks


Steven Kelbley | 3 Sep 22:37 2014

Perdition not recognizing STARTTLS?


Hi all, hoping you might be able to help me out.

I have a Perdition proxy server (v1.17.1-1) set up to forward users to one of two Cyrus (v2.3.16) backend mailstores based on an LDAP query. Everything works fine except for securing the connection between Perdition and Cyrus; somehow Perdition is seemingly ignoring the STARTTLS entry in the mail server's CAPABILITY string. STARTTLS works perfectly fine connecting from the Perdition server to the Cyrus server using both "imtest" and "openssl s_client".

The certs are all signed by a separate test CA I set up the other day and work fine otherwise. I've posted the log and relevant Perdition configs below, and I’ve tested the backend servers individually to ensure STARTTLS is working fine on Cyrus’ end. Have I messed something up?

##/var/log/maillog##

    Sep  3 10:23:34 perdition-host perdition[20007]: Connect: client.example.com -> perdition.example.com
    Sep  3 10:23:34 perdition-host perdition[20007]: SELF:   "* OK IMAP4 Ready perdition.example.com 00021e71\r\n"
    Sep  3 10:23:34 perdition-host perdition[20007]: CLIENT: "1 STARTTLS\r\n"
    Sep  3 10:23:34 perdition-host perdition[20007]: SELF:   "1 OK Begin TLS negotiation now\r\n"
    Sep  3 10:23:34 perdition-host perdition[20007]: SSL connection using AES256-GCM-SHA384
    Sep  3 10:23:34 perdition-host perdition[20007]: CLIENT: "2 login \"user-test <at> email.example.com\" \"password\""
    Sep  3 10:23:34 perdition-host perdition[20007]: CLIENT: "\r\n"
    Sep  3 10:23:34 perdition-host perdition[20007]: username_add_domain: username_add_domain 0 1 0x260e0b4
    Sep  3 10:23:34 perdition-host perdition[20007]: username_add_domain: username_add_domain 0 4 0x260e0b4
    Sep  3 10:23:34 perdition-host perdition[20007]: REAL:   "* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=PLAIN AUTH=LOGIN SASL-IR COMPRESS=DEFLATE] server ready\r\n* OK [ALERT] Cyrus01\r\n"
    Sep  3 10:23:34 perdition-host perdition[20007]: SELF:   "flim07 CAPABILITY\r\n"
    Sep  3 10:23:34 perdition-host perdition[20007]: tls_outgoing_force is set, but the real-server does not have the STARTTLS capability, connection will not be encrypted
    Sep  3 10:23:34 perdition-host perdition[20007]: SELF:   "flim07 CAPABILITY\r\n"
    Sep  3 10:23:34 perdition-host perdition[20007]: REAL:   "* CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=PLAIN AUTH=LOGIN SASL-IR COMPRESS=DEFLATE ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE SCAN IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH\r\nflim07 OK Completed\r\n"
    Sep  3 10:23:34 perdition-host perdition[20007]: SELF:   "flim08 LOGIN {37}\r\n"
    Sep  3 10:23:34 perdition-host perdition[20007]: REAL:   "* CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=PLAIN AUTH=LOGIN SASL-IR COMPRESS=DEFLATE ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE SCAN IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH\r\nflim07 OK Completed\r\n"
    Sep  3 10:23:34 perdition-host perdition[20007]: SELF:   "* CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=PLAIN AUTH=LOGIN SASL-IR COMPRESS=DEFLATE ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE SCAN IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE URLAUTH\r\n"
    Sep  3 10:23:34 perdition-host perdition[20007]: imap4_out_response: invalid tag from server 1
    Sep  3 10:23:34 perdition-host perdition[20007]: imap4_out_authenticate: imap4_out_response login
    Sep  3 10:23:34 perdition-host perdition[20007]: SELF:   "user-test <at> email.example.com {9}\r\n"
    Sep  3 10:23:34 perdition-host perdition[20007]: REAL:   "+ go ahead\r\n"
    Sep  3 10:23:34 perdition-host perdition[20007]: SELF:   "password\r\n"
    Sep  3 10:23:34 perdition-host perdition[20007]: REAL:   "+ go ahead\r\n"
    Sep  3 10:23:34 perdition-host perdition[20007]: imap4_out_response: invalid tag from server 1
    Sep  3 10:23:34 perdition-host perdition[20007]: imap4_out_authenticate: imap4_out_response passwd
    Sep  3 10:23:34 perdition-host perdition[20007]: main: protocol->out_authenticate -1
    Sep  3 10:23:34 perdition-host perdition[20007]: Fatal error authenticating user. Exiting child.

##/etc/sysconfig/perdition##

    RUN_PERDITION=yes
    POP3=no
    POP3S=no
    IMAP4=no
    IMAP4S=yes

##/usr/etc/perdition/perdition_imap4s.conf##

    (All left default except following options:)

    connection_logging
    debug
    listen_port 143
    map_library /usr/lib/libperditiondb_ldap.so.0
    map_library_opt "ldap:<ldap_url_here>"
    ok_line Connected to perdition IMAP proxy.
    protocol IMAP4S
    outgoing_port 143
    pid_file /var/run/perdition/perdition.imap4s.pid
    timeout 60
    ssl_mode tls_all
    ssl_ca_file /etc/pki/tls/certs/ca.crt
    ssl_ca_accept_self_signed
    ssl_cert_file /etc/pki/tls/private/host_perdition.crt
    ssl_cert_accept_self_signed
    ssl_key_file /etc/pki/tls/private/host_perdition.key

Thanks in advance for any help, I’ve spent a good amount of time stuck on this issue.

Steven Kelbley

Steve Campbell | 8 Jul 17:43 2014

I need to know what this error is telling me

New installation of perdition. I use the same file and content on my
popmap as I do on a working production server.

I see in my maillogs the following error:

Fatal Error reading authentication information from client 
127.0.0.1:43557->127.0.0.1:143: Exiting child

It seems that perdition can't read my popmap file to get the redirection 
to the imap server.

Can someone explain what the message is really telling me, please?

Thanks

steve campbell

Steve Campbell | 3 Jul 21:42 2014

missing library on latest install

I'm trying to install perdition on a new CentOS 6.5 server. I'm using
the rpms from the openSUSE repo mentioned on the downloads page.

Upon startup, I'm getting the following message:

Starting perdition services (IMAP4): dlopen of 
"/usr/lib/libperditiondb_gdbm.so" failed

I'm not sure where this library comes from and there aren't any 
libperdition rpms that seem to provide this library.

Can anyone set me straight, please? Thanks

steve campbell

István Király | 1 Jul 20:29 2014

saslauthd and perdition

Hello List(s), ...

When using saslauthd for authentication with a remote imap server, in this case perdition IMAP4, there seems to be a compatibility issue.

After LOGIN, perdition is sending the CAPABILITY tag before the OK.
saslauthd expects an OK, but receives the CAPABILITY first and then closes the connection.

saslauthd[8454] :do_auth         : auth failure: [user=x <at> test.d250.hu] [service=imap] [realm=] [mech=rimap] [reason=[ALERT] Unexpected response from remote authentication server]

I was able to alter the last lines of auth_rimap.c, and hack this out, but this should be implemented properly.

I assume perdition behaves in a standards-compliant way within the IMAP4 protocol; however, it could send the combined "a OK [CAPABILITY ... ]" as dovecot does. Is there a technical reason for the two separate messages? I was not able to manipulate this behavior with configuration arguments.

saslauthd on the other hand could read the CAPABILITY tag, skip it, and process the next tag to read an OK, and then close the connection, with the Unexpected response error eventually.

I'm not sure which is the more standard compliant approach, but if my assumption is correct, auth_rimap.c should be modified for increased compatibility.

Thank you, ...
Greetings,

--
Király István
+36 209 753 758

Vincent Fox | 12 Jun 20:43 2014

Perdition 2.1 status?

Hi,

I have been using Perdition 1.19rc5 for a while, and have had sporadic
complaints about POP that I think could be Perdition.

I noticed 2.1 is out since February, is anyone using it, and can comment 
on stability?

I don't see any RPM for it for RHEL6/OEL6, they all seem to be the 
1.19rc5 I have now.
I previously built using the source RPM.  Anyone happen to have one?

Thanks!
