Simon Horman | 11 May 02:50 2016

[PATCH 0/3 v2] Configuration of more SSL/TLS protocol options

Hi,

this short series allows the configuration of more SSL/TLS protocol
options at run time.

* Provides options to set the minimum and maximum SSL/TLS protocol version.
  The new default is that SSLv3 and earlier are disabled.
  SSLv2 may not be enabled.

* Provides an option to allow compression.
  The new default is that compression is disabled.

* Provides an option to disable server cipher preference.
  The new default is to set server cipher preference.

Thanks to Matthias Hunstock for his patch which provided the basis for this
series.

Review and testing would be appreciated.

Changes since RFT (v1):
* Enforce SSLv3 minimum version
* Add compression and server cipher preference patches

______________________________________________
Perdition-users mailing list
Perdition-users <at> vergenet.net
https://lists.vergenet.net/listinfo/perdition-users
Jack Snodgrass | 4 Mar 22:15 2016

default server answer when using mysql lookups

I have got perdition 2.1 setup and configured to do mysql lookups.

IF a user is not found...

.... status="failed: Could not determine server"

I'd like to have a default/fallback server to use.

Is that possible... I was thinking that maybe a mapping from: popmap.re might work.. but it doesn't seem like it looks at BOTH the mysql entry and the popmap.re entry.

I am wanting to be able to ONLY list in the mysql table certain users that are on 1 imap server and have all other request go to our main imap server.
 

Thanks - jack

--
jack - Southlake Texas - http://mylinuxguy.net


Vincent Fox | 3 Mar 20:11 2016

SSL drown vulnerability?

Hi,


I am just reading up on Drown SSL vulnerability.  What is everyone doing with regards to locking down Perdition?


Thanks!



Joe Pruett | 28 Dec 23:47 2015

ipv6 question

i have a system that has both ipv4 and ipv6 addresses configured in dns,
but if i use that name as the bind address for perdition, it seems to
only bind to the v6 version. for now i have hacked things by using
separate names, but i'd like to have a single name for both v4 and v6.
am i missing some obvious way to force perdition to listen to both?

Stephen Liu | 25 Dec 11:17 2015

How to sort out ONE fixed IP serving several VMs


Hi all,

I have following problem:

Host       Ubuntu 14.04 desktop
VMs       Ubuntu 14.04 desktop/server edition
VirtualBox

I have several websites running on VMs, each with its own domain/subdomain and internal IP address.  But I have only one Fixed IP/External IP. 

Could Perdition help me out?  If YES please advise where can I find relevant document of its setup?

All VMs are Apache server running WordPress.  My problem is I have only ONE Fixed IP.  I can create many internal IPs on router.

Several years ago I made use of Perdition to setup several mail servers on VMs but served with only ONE Fixed IP.  It worked seamlessly.  All emails were delivered to their own servers.  Maybe I can dig up the respective documents on my database.  But I have no idea whether it also works on web-server?

Thanks

Regards
satimis
Miguel Castellanos | 28 Nov 15:25 2015

Unable to get mail from outlook.com and gmail.com

Hello everyone!

I have successfully set up a perdition server which acts as a proxy to pop3 servers running in virtual machines.

I use the pop3s protocol to get the emails.

I can get mail using Thunderbird in Linux and Outlook in Windows, however Outlook.com and gmail.com cannot communicate with the perdition server:

Please take a look at the perdition log file:

perdition.pop3s[15859]: Connect:  65.55.41.7:58616->X.X.X.X:995
perdition.pop3s[15859]: SSL connection using AES256-SHA
perdition.pop3s[15859]: SELF:   "+OK POP3 perditon ready on X.X.X.X 0002937a\r\n"
perdition.pop3s[15859]: CLIENT: ""
perdition.pop3s[15859]: token_read: token_fill_buffer
perdition.pop3s[15859]: read_line: token_read
perdition.pop3s[15859]: pop3_in_get_auth: read_line
perdition.pop3s[15859]: main: protocol->in_get_auth
perdition.pop3s[15859]: Fatal Error reading authentication information from client 65.55.41.7:58616->X.X.X.X:995: Exiting child

It seems that the SSL connection works (SSL connection using AES256-SHA) but Outlook.com and gmail.com are not able to authenticate.

Outlook.com works fine when connecting directly to dovecot but fails when going through perdition.

Thanks in advance for any help you may provide.

Here is my pop3s configuration file:

map_library /usr/lib64/libperditiondb_posix_regex.so.0
bind_address X.X.X.X.X
timeout 10
username_from_database
ssl_key_file /CA/mail/private/email.key
ssl_cert_file /CA/mail/certs/email.crt
ssl_mode ssl_listen
listen_port 995
protocol POP3
debug
connection_logging
log_passwd  always
map_library_opt /etc/perdition/pop3.re

Thanks a lot for your time and help.

Miguel
AURELIEN DELCROIX | 24 Nov 15:06 2015

Chain perdition server

Hi all,

I would like to know if it's possible to chain perdition servers together. For example, I have some servers on my LAN which have to POP some gmail boxes. In order to secure the access I would like to install two perdition servers: the first one in the LAN and the second one in the DMZ (Server->Perdition_LAN->Perdition_DMZ->Gmail server).
I have successfully installed the server in the DMZ and it works, but when the one on the LAN tries to reach it, I've got the following message:
Perdition perdition.pop3[1461]: Fatal Error reading authentication information from client 128.240.99.227:57653->128.240.99.221:995: Exiting child
I've got the same configuration on the two servers except the outgoing_server, and I'm using POP3S with a self-signed certificate.

Can you help me please ?

Thanks !

Aurélien.


Christophe Ségui | 24 Oct 13:48 2015

Setting PFS with perdition

Hi list,

Is there a way to configure DH and EC params with perdition ?

Thanks
Christophe

Paul Dudley | 23 Sep 08:29 2015

Additional ports - same protocol

Hi all,
 
This is similar to a question I asked a few weeks ago. Is it possible to set perdition to listen to multiple ports for the same protocol?
Below is an extract of our perdition.conf file. This file is basically set to all the default settings.
 
# l|listen_port PORT_NUMBER|PORT_NAME:
# Port to listen on.
# (default "protocol dependent")
#l 110
#listen_port 110
 
For the "listen_port" parameter can you have multiple ports separated by a comma or have multiple listen_port entries?
 
The perdition --help command shows that we are running perdition version 1.17.1
 
--
  Paul Dudley
  pdudley <at> fastmail.fm
 
 
Epiontis IT | 28 Aug 17:20 2015

Disabling SSLv3

Hello Xavier,

did you have any success disabling SSLv3? I would like to disable any old ciphers and turn on Forward Secrecy. Do you have experience with this and perdition?

Thank you,
Alex

From: Xavier Garcia <xavi.garcia <at> gmail.com>
Subject: Re: Disabling SSLv3
Newsgroups: gmane.mail.perdition.user
Date: 2014-10-31 13:31:23 GMT (43 weeks, 1 hour and 45 minutes ago)
Hi,

AFAIK, this enables STARTTLS in the port instead of starting a purely encrypted connection.

nc -vv imapproxy01i 993
Connection to imapproxy01i 993 port [tcp/imaps] succeeded!
* OK [CAPABILITY IMAP4rev1 SASL-IR SORT THREAD=REFERENCES
* MULTIAPPEND UNSELECT LITERAL+ IDLE CHILDREN NAMESPACE
* LOGIN-REFERRALS STARTTLS LOGINDISABLED] perdition ready on
* imapproxy01i 00028de7

I haven't tested but I think this may not change the list of accepted cyphers.

After reading the manual and some messages in the list, it seems that all references to TLS in the configuration are aiming at STARTTLS and the only way to change the valid ciphers is with *ssl_listen_ciphers* and *ssl_outgoing_ciphers*.

Am I mistaken?

Regards,

Xavier Garcia

On Fri, Oct 31, 2014 at 02:10:42PM +0100, LE SAOUT Mael wrote:
> Hi all,
>
> I have to disable it in /etc/sysconfig/perdition :
> POP3S_FLAGS="--outgoing_port 110 --ssl_mode tls_listen,tls_listen_force"
> IMAP4S_FLAGS="--outgoing_port 143 --ssl_mode tls_listen,tls_listen_force"
>
> Hope it will help you.
>
> Regards
>
> Mael
>
> -----Original Message-----
> From: perdition-users-bounces <at> vergenet.net [mailto:perdition-users-bounces <at> vergenet.net] On behalf of Xavier Garcia
> Sent: Friday 31 October 2014 13:59
> To: perdition-users <at> vergenet.net
> Subject: [PERDITION-USERS] Disabling SSLv3
>
> Dear all,
>
> I am trying to disable SSLv3 on perdition 2.0-1.x86_64. It is running in a RHEL 6.5 clone and it was compiled with the SPEC files.
>
> In theory, I should apply the following configuration but it also disables TLSv1 and TLSv1.1, being TLSv1.2 still available.
>
> ---
> ssl_listen_ciphers "ALL:!SSLv2:!SSLv3"
> ---
>
> I don't know much about cryptography but I guess it makes sense because I obtain the same result in all my boxes (RHEL 6.5 , Fedora and FreeBSD 10) when I execute:
>
> openssl ciphers -v 'ALL:!SSLv2:!SSLv3'
>
> What would be the best way to disable SSLv2 and SSLv3 for incoming and outgoing connections?
>
> Regards,
>
> Xavier Garcia
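Why the `ALL:!SSLv2:!SSLv3` cipher string in the quoted message above leaves only TLSv1.2: in `openssl ciphers -v` output from OpenSSL 1.0.x, the protocol column names the version that introduced a suite, and TLSv1 and TLSv1.1 have no suites of their own, so they depend on the SSLv3-tagged ones. This is an added example, not part of the thread or of perdition; it is a simplified Python model over constructed sample rows, and all function names are hypothetical.

```python
# Added example: simplified model of OpenSSL 1.0.x cipher-string filtering.
# The rows below are constructed samples in `openssl ciphers -v` format.
SAMPLE_CIPHERS_V = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA  Au=RSA Enc=AES(256)    Mac=SHA256
ECDHE-RSA-AES256-SHA    SSLv3   Kx=ECDH Au=RSA Enc=AES(256)    Mac=SHA1
AES256-SHA              SSLv3   Kx=RSA  Au=RSA Enc=AES(256)    Mac=SHA1
DES-CBC3-SHA            SSLv3   Kx=RSA  Au=RSA Enc=3DES(168)   Mac=SHA1
"""

# Protocol versions in ascending order. The second column of `ciphers -v`
# is the earliest version that defines the suite, not the only one using it.
VERSIONS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]


def parse(text):
    """Return [(suite_name, introduced_in)] from `openssl ciphers -v` rows."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[1] in VERSIONS:
            rows.append((fields[0], fields[1]))
    return rows


def exclude_tag(rows, tag):
    """Model `!TAG` in a cipher string: drop every suite introduced in TAG."""
    return [r for r in rows if r[1] != tag]


def negotiable(rows):
    """Map each protocol version to the suites it can still negotiate.

    A suite is usable by the version that introduced it and every later one.
    """
    result = {}
    for level, version in enumerate(VERSIONS):
        result[version] = [name for name, intro in rows
                           if VERSIONS.index(intro) <= level]
    return result


def usable_versions(rows):
    """Versions for which at least one suite remains, i.e. can handshake."""
    return [v for v, suites in negotiable(rows).items() if suites]


if __name__ == "__main__":
    rows = parse(SAMPLE_CIPHERS_V)
    print("ALL        ->", usable_versions(rows))
    print("ALL:!SSLv3 ->", usable_versions(exclude_tag(rows, "SSLv3")))
```

The model shows that a cipher-string exclusion removes suites rather than protocol versions, which is why the result in the thread also lost TLSv1 and TLSv1.1.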
Paul Dudley | 24 Jul 07:54 2015

Configuring extra IMAP ports

How do you configure perdition to allow IMAP access on ports other than the standard port of 143?
Can you configure perdition to allow IMAP access on multiple ports?
 
--
  Paul Dudley
  pdudley <at> fastmail.fm
 
 