Roman Meng | 26 May 13:21 2016

Disabling SSLv3 - Testing

Hi Simon & Matthias

Thanks for your great work! We're currently testing the version from the
mercurial repository and it works so far without any issue (SUSE Linux
Enterprise Server 11SP4). As it seems to be very stable (after some tests)
we deployed it to our productive environment with a current workload of
about 5000 concurrent user to further test the stability. We'll still keep
an eye on it... 

Kind regards

Perdition-users mailing list
Perdition-users <at>
Simon Horman | 11 May 02:50 2016

[PATCH 0/3 v2] Configuration of more SSL/TLS protocol optitions


this short series allows the configuration of more SSL/TLS protocol
options at run time.

* Provides options to set the minimum and maximum SSL/TLS protocol version.
  The new default is that SSLv3 and earlier are disabled.
  SSLv2 may not be enabled.

* Provides an options to allow compression.
  The new default is that compression is disabled.

* Provides an option to disable server cipher preference.
  The new default is to set server cipher preference.

Thanks to Matthias Hunstock for his patch which provided the basis for this

Review and testing would be appreciated.

Changes since RFT (v1):
* Enforce SSLv3 minimum version
* Add compression and server cipher preference patches

Perdition-users mailing list
Perdition-users <at>
Jack Snodgrass | 4 Mar 22:15 2016

default server answer when using mysql lookups

I have got perdition 2.1 setup and configured to do mysql lookups.

IF a user is not found...

.... status="failed: Could not determine server"

I'd like to have a default/fallback server to use.

Is that possible... I was thinking that maybe a mapping from: might work.. but it doesn't seem like it looks at BOTH the mysql entry and the entry.

I am wanting to be able to ONLY list in the mysql table certain users that are on 1 imap server and have all other request go to our main imap server.

Thanks - jack

jack - Southlake Texas -

Perdition-users mailing list
Perdition-users <at>
Vincent Fox | 3 Mar 20:11 2016

SSL drown vulnerability?


I am just reading up on Drown SSL vulnerability.  What is

everyone doing with regards to locking down Perdition?


Perdition-users mailing list
Perdition-users <at>
Joe Pruett | 28 Dec 23:47 2015

ipv6 question

i have a system that has both ipv4 and ipv6 addresses configured in dns,
but if i use that name as the bind address for perdition, it seems to
only bind to the v6 version. for now i have hacked things by using
separate names, but i'd like to have a single name for both v4 and v6.
am i missing some obvious way to force perdition to listen to both?

Perdition-users mailing list
Perdition-users <at>
Stephen Liu | 25 Dec 11:17 2015

How to sort out ONE fixed IP serving several VMs

Hi all,

I have following problem:

Host       Ubuntu 14.04 desktop
VMs       Ubuntu 14.04 desktop/server edition

I have several websites running on VMs, each with its own domain/subdomain and internal IP address.  But I have only one Fixed IP/External IP. 

Could Perdition help me out?  If YES please advise where can I find relevant document of its setup?

All VMs are Apache server running WordPress.  My problem is I have only ONE Fixed IP.  I can create many internal IPs on router.

Several years ago I made use of Perdition to setup several mail servers on VMs but served with only ONE Fixed IP.  It worked seamlessly.  All emails were delivered to their own servers.  Maybe I can dig up the respective documents on my database.  But I have no idea whether it also work on web-server?


Perdition-users mailing list
Perdition-users <at>
Miguel Castellanos | 28 Nov 15:25 2015

Unable to get mail from and

Hello everyone!

I have successfully set up a perdition server which acts as a proxy to pop3 servers running in virtual machines.

I use the pop3s protocol to get the emails.

I can get mail using Thunderbird in Linux and Outlook in Windows, however and cannot communicate with the perdition server:

Please take a look at the perdition log file:

perdition.pop3s[15859]: Connect:>X.X.X.X:995
perdition.pop3s[15859]: SSL connection using AES256-SHA
perdition.pop3s[15859]: SELF:   "+OK POP3 perditon ready on X.X.X.X 0002937a\r\n"
perdition.pop3s[15859]: CLIENT: ""
perdition.pop3s[15859]: token_read: token_fill_buffer
perdition.pop3s[15859]: read_line: token_read
perdition.pop3s[15859]: pop3_in_get_auth: read_line
perdition.pop3s[15859]: main: protocol->in_get_auth
perdition.pop3s[15859]: Fatal Error reading authentication information from client>X.X.X.X:995: Exiting child

It seems that the SSL connection works (SSL connection using AES256-SHA) but and are not able to authenticate. works fine when connecting directly to dovecot but fails when going through perdition.

Thanks in advance for any help you may provide.

Here is my pop3s configuration file:

map_library /usr/lib64/
bind_address X.X.X.X.X
timeout 10
ssl_key_file /CA/mail/private/email.key
ssl_cert_file /CA/mail/certs/email.crt
ssl_mode ssl_listen
listen_port 995
protocol POP3
log_passwd  always
map_library_opt /etc/perdition/

Thanks a lot for your time and help.

Perdition-users mailing list
Perdition-users <at>
AURELIEN DELCROIX | 24 Nov 15:06 2015

Chain perdition server

Hi all,

I Would like to know if it's possible to chain perdition server between them. For example I have some server on my LAN who have to POP some gmail box. In order to secure the access I would like to install two perdition servers : the first one in the LAN and the second one in DMZ (Server->Perdition_LAN->Perdition_DMZ->Gmail server).
I have successfully installed the server on the DMZ and it works, but when the one the LAN try to reach it, Ive got the following message  : 
Perdition perdition.pop3[1461]: Fatal Error reading authentication information from client> Exiting child
I've got the same configuration on the two server except the outgoing_server, and I'm using POP3S with self signed certificate.

Can you help me please ?

Thanks !


Perdition-users mailing list
Perdition-users <at>
Christophe Ségui | 24 Oct 13:48 2015

Setting PFS with perdition

Hi list,

Is there a way to configure DH and EC params with perdition ?


Perdition-users mailing list
Perdition-users <at>
Paul Dudley | 23 Sep 08:29 2015

Additional ports - same protocol

Hi all,
This is similar to a question I asked a few weeks ago. Is it possible to set perdition to listen to multiple ports for the same protocol?
Below is an extract of our perdition.conf file. This file is basically set to all the default settings.
# l|listen_port PORT_NUMBER|PORT_NAME:
# Port to listen on.
# (default "protocol dependent")
#l 110
#listen_port 110
For the "listen_port" parameter can you have multiple ports separated by a comma or have multiple listen_port entries?
The perdition --help command shows that we are running perdition version 1.17.1
  Paul Dudley
  pdudley <at>
-- -- - Email service worth paying for. Try it for free
Perdition-users mailing list
Perdition-users <at>
Epiontis IT | 28 Aug 17:20 2015

Disabling SSLv3

Hello Xavier,

did you have any success disabling SSLv3? I would like to disable any old ciphers and turn on Forward Secrecy. Do you have experience with this and perdition?

Thank you,

From: Xavier Garcia <xavi.garcia <at>>
Subject: Re: Disabling SSLv3
Newsgroups: gmane.mail.perdition.user
Date: 2014-10-31 13:31:23 GMT (43 weeks, 1 hour and 45 minutes ago)
Hi, AFAIK, this enables STARTTLS in the port instead of starting a purely encrypted connection. nc -vv imapproxy01i 993 Connection to imapproxy01i 993 port [tcp/imaps] succeeded! * OK [CAPABILITY IMAP4rev1 SASL-IR SORT THREAD=REFERENCES * MULTIAPPEND UNSELECT LITERAL+ IDLE CHILDREN NAMESPACE * LOGIN-REFERRALS STARTTLS LOGINDISABLED] perdition ready on * imapproxy01i 00028de7 I haven't tested but I think this may not change the list of accepted cyphers. After reading the manual and some messages in the list, it seems that all references to TLS in the configuration are aiming at STARTTLS and the only way to change the valid ciphers is with *ssl_listen_ciphers* and *ssl_outgoing_ciphers*. Am I mistaken? Regards, Xavier Garcia On Fri, Oct 31, 2014 at 02:10:42PM +0100, LE SAOUT Mael wrote: > Hi all, > > I have to disable it in /etc/sysconfig/perdition : > POP3S_FLAGS="--outgoing_port 110 --ssl_mode tls_listen,tls_listen_force" > IMAP4S_FLAGS="--outgoing_port 143 --ssl_mode tls_listen,tls_listen_force" > > Hope it will help you. > > Regards > > Mael > > -----Message d'origine----- > De?: perdition-users-bounces <at> [mailto:perdition-users-bounces <at>] De la part de Xavier Garcia > Envoy??: vendredi 31 octobre 2014 13:59 > ??: perdition-users <at> > Objet?: [PERDITION-USERS] Disabling SSLv3 > > Dear all, > > I am trying to disable SSLv3 on perdition 2.0-1.x86_64 It is running in a RHEL 6.5 clone and it was compiled with the SPEC files. > > In theory, I should apply the following configuration but it also disables TLSv1 and TLSv1.1, being TLSv1.2 still available. > > --- > ssl_listen_ciphers "ALL:!SSLv2:!SSLv3" > --- > > I don't know much about cryptography but I guess it makes sense because I obtain the same result in all my boxes (RHEL 6.5 , Fedora and FreeBSD 10) when I execute: > > openssl ciphers -v 'ALL:!SSLv2:!SSLv3' > > > What would be the best way to disable SSLv2 and SSLv3 for incoming and outgoing connections? > > Regards, > > Xavier Garcia > ______________________________________________ > Perdition-users mailing list > Perdition-users <at> > > > ---- ______________________________________________ Perdition-users mailing list Perdition-users <at>
Perdition-users mailing list
Perdition-users <at>