Alan Mosca [Aluminati] | 13 Sep 18:05 2006

STARTTLS in IMAP4 capability?


Hello,
 I was wondering if perdition supports STARTTLS and how to achieve it.
It is proxying to servers that do support it, and I have set STARTTLS in
imap_capability, but for some strange reason it's not advertising it
anyway. Any ideas?

Thank you very much

Alan.
Vincent Fox | 19 Sep 18:28 2006

perdition: Re-Authentication Failure

I have a load-balanced pool of 4 Perdition servers setup.

Sometimes I see this error in my logs:
Auth:......status="failed: Re-Authentication Failure"

What are its most likely causes?

Looking through the logs a particular account might work fine and then 
this pops up and then next try it's okay again.  I don't see anything on 
the POP/IMAP backends which are UWash that looks suspicious.

--

-- 
Perdition - http://www.vergenet.net/linux/perdition/
To UNSUBSCRIBE, email to lisa <at> vergenet.net, with a body:
unsubscribe perdition-users your-email-address <at> some.domain
where "your-email-address <at> some.domain" is YOUR email address.

Imri Zvik | 20 Sep 07:43 2006

Re: perdition: Re-Authentication Failure

Your backend servers are rejecting the authentication request. You can
turn on verbose debugging and you will see the whole session with the
backend.

-----Original Message-----
From: perdition-users-owner <at> vergenet.net
[mailto:perdition-users-owner <at> vergenet.net] On Behalf Of Vincent Fox
Sent: Tuesday, September 19, 2006 7:28 PM
To: perdition-users <at> vergenet.net
Subject: [PERDITION-USERS] perdition: Re-Authentication Failure

I have a load-balanced pool of 4 Perdition servers setup.

Sometimes I see this error in my logs:
Auth:......status="failed: Re-Authentication Failure"

What are its most likely causes?

Looking through the logs a particular account might work fine and then
this pops up and then next try it's okay again.  I don't see anything on
the POP/IMAP backends which are UWash that looks suspicious.


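Imri's advice is to read the proxy's own session logs. As an added example (not code from this list or from perdition itself), here is a small Python triage script that parses perdition `Auth:` lines in the format quoted in this thread, groups outcomes per user, and flags accounts whose result flips between ok and failed, which is the intermittent pattern Vincent describes. The log lines embedded in it are constructed, and treating the `server=`/`port=` fields as optional is an assumption.

```python
import re
from collections import defaultdict

# perdition "Auth:" line as quoted in this thread; server/port are made
# optional in case a build omits them (assumption, not confirmed by the page).
AUTH_RE = re.compile(
    r'Auth: (?P<src>[\d.]+)->(?P<dst>[\d.]+) user="(?P<user>[^"]*)"'
    r'(?: server="(?P<server>[^"]*)")?(?: port="(?P<port>[^"]*)")?'
    r' status="(?P<status>[^"]*)"'
)

# Constructed sample lines in the format the perdition logs on this page use.
SAMPLE_LOG = """\
Sep 19 18:20:01 px1 perdition[2201]: Auth: 192.0.2.10->198.51.100.5 user="alice" server="imap.example.com" port="143" status="ok"
Sep 19 18:21:13 px1 perdition[2202]: Auth: 192.0.2.10->198.51.100.5 user="alice" server="imap.example.com" port="143" status="failed: Re-Authentication Failure"
Sep 19 18:21:40 px1 perdition[2203]: Auth: 192.0.2.10->198.51.100.5 user="alice" server="imap.example.com" port="143" status="ok"
Sep 19 18:22:02 px2 perdition[9917]: Auth: 203.0.113.7->198.51.100.5 user="bob" server="imap.example.com" port="143" status="failed: local authentication failure"
Sep 19 18:22:30 px2 perdition[9918]: Auth: 203.0.113.7->198.51.100.5 user="bob" server="imap.example.com" port="143" status="failed: local authentication failure"
Sep 19 18:23:00 px1 perdition[2204]: Auth: 192.0.2.44->198.51.100.5 user="carol" server="imap.example.com" port="143" status="ok"
Sep 19 18:23:10 px1 perdition[2205]: Connect: 192.0.2.44->198.51.100.5
"""

def parse_auth_lines(text):
    """Return one dict per recognised Auth: line; other lines are ignored."""
    return [m.groupdict() for m in map(AUTH_RE.search, text.splitlines()) if m]

def outcomes_per_user(events):
    """Map user -> ordered list of status strings ('ok' or 'failed: <reason>')."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append(e["status"])
    return dict(per_user)

def flapping_users(per_user):
    """Users whose result flips between ok and failed on consecutive attempts."""
    flapping = []
    for user, statuses in per_user.items():
        oks = [s == "ok" for s in statuses]
        if any(a != b for a, b in zip(oks, oks[1:])):
            flapping.append(user)
    return sorted(flapping)

def failure_reasons(events):
    """Count each distinct failure reason, e.g. 'Re-Authentication Failure'."""
    counts = defaultdict(int)
    for e in events:
        if e["status"].startswith("failed: "):
            counts[e["status"][len("failed: "):]] += 1
    return dict(counts)
```

A user that appears in `flapping_users` with the same source address and backend is worth correlating against the backend's own log at those timestamps, since a steady wrong password would fail every time rather than alternate.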

musashi75 | 26 Sep 15:15 2006

LDAP Answer

Hello all!

It's my first post here, so I hope I'll be clear :)
I'm encountering issues when configuring Perdition to act as
IMAPs Proxy with LDAP authentication.

The context:
Perdition is configured as IMAPs proxy with PAM support and
works well.
But now, I have to put in place authentication based on
existing LDAP server. The LDAP server on which I have to send
my requests is an Active Directory server. Thus, the fields in
the schema aren't standard (there is no mailhost for example).

I want the authentication task to be done by Perdition proxy,
during the LDAP check, and not by IMAPs back-end server. I
don't know if it is possible. 

Here's the sum-up of my perdition.conf file:

######################################################################
# perdition.conf
#
######################################################################

connection_logging

debug

M /usr/lib/libperditiondb_ldap.so.0

musashi | 29 Sep 16:36 2006

Re: LDAP Question

Hello again,

I found a way to configure Perdition to force local authentication before processing mails by activating the option 'authenticate_in' and using the pam_ldap module in /etc/pam.d/perdition.

Afterwards, I configured the client LDAP file in /etc/ldap.conf (RedHat; in Debian it's /etc/pam_ldap.conf), activating specific AD mapping options, and it works well.

But now, I have to put in place an alternate configuration based on an openldap back-end server and I'm in trouble.

I got the following logs after logging in with valid credentials:

Sep 29 15:34:01 perdition[21714]: Connect: sender->destination
Sep 29 15:34:01 perdition[21714]: SSL connection using AES256-SHA
Sep 29 15:34:01 perdition[21714]: SELF:   "* OK IMAP4 Ready test.domain.com 0001d62d\r\n"
Sep 29 15:34:01 perdition[21714]: CLIENT: "1 capability\r\n"
Sep 29 15:34:01 perdition[21714]: SELF:   "* CAPABILITY IMAP4 IMAP4REV1\r\n"
Sep 29 15:34:01 perdition[21714]: SELF:   "1 OK CAPABILITY\r\n"
Sep 29 15:34:04 perdition[21714]: CLIENT: "2 login \"john_doe\" \"*****\"\r\n"
Sep 29 15:34:04 perdition[21714]: username_add_domain: username_add_domain 0 1 0x95b3864
Sep 29 15:34:04 perdition[21714]: getserver: do_dbserver_get
Sep 29 15:34:04 perdition[21714]: username_add_domain: username_add_domain 0 2 0x95b3864
Sep 29 15:34:04 perdition[21714]: do_pam_authentication: do_pam_authentication: pam_acct_mgmt: User account has expired
Sep 29 15:34:07 perdition[21714]: SELF:   "2 NO Authentication failure\r\n"
Sep 29 15:34:07 perdition[21714]: main: protocol->in_authenticate
Sep 29 15:34:07 perdition[21714]: Local authentication failure for client: Allowing retry.
Sep 29 15:34:07 perdition[21714]: Auth: 194.98.82.129->10.48.185.103 user="john_doe" server="imap.domain.com" port="143" status="failed: local authentication failure"

I made a tcpdump capture and saw a request with a strange LDAP control that seems to be an account expiration test:

No.     Time        Source                Destination           Protocol Info
     11 0.014328    10.48.185.103         10.49.64.25           TCP      36705 > ldap [ACK] Seq=135 Ack=570 Win=6492 Len=0

Frame 11 (54 bytes on wire, 54 bytes captured)
Ethernet II, Src: HewlettP_4d:ef:bf (00:0d:9d:4d:ef:bf), Dst: NokiaInt_80:b3:e2 (00:a0:8e:80:b3:e2)
Internet Protocol, Src: 10.48.185.103 (10.48.185.103), Dst: 10.49.64.25 (10.49.64.25)
Transmission Control Protocol, Src Port: 36705 (36705), Dst Port: ldap (389), Seq: 135, Ack: 570, Len: 0

No.     Time        Source                Destination           Protocol Info
     12 0.014506    10.48.185.103         10.49.64.25           LDAP     MsgId=3 Bind Request, DN=uid=john_cyber,ou=People,dc=corp,dc=domain,dc=com

Frame 12 (159 bytes on wire, 159 bytes captured)
Ethernet II, Src: HewlettP_4d:ef:bf (00:0d:9d:4d:ef:bf), Dst: NokiaInt_80:b3:e2 (00:a0:8e:80:b3:e2)
Internet Protocol, Src: 10.48.185.103 (10.48.185.103), Dst: 10.49.64.25 (10.49.64.25)
Transmission Control Protocol, Src Port: 36705 (36705), Dst Port: ldap (389), Seq: 135, Ack: 570, Len: 105
Lightweight Directory Access Protocol
    LDAP Message, Bind Request
        Message Id: 3
        Message Type: Bind Request (0x00)
        Message Length: 67
        Response In: 13
        Version: 3
        DN: uid=john_cyber,ou=People,dc=corp,dc=domain,dc=com
        Auth Type: Simple (0x00)
        Password: ********
        LDAP Controls
            LDAP Control
                Control OID: 1.3.6.1.4.1.42.2.27.8.5.1

No.     Time        Source                Destination           Protocol Info
     13 0.019250    10.49.64.25           10.48.185.103         LDAP     MsgId=3 Bind Result

Frame 13 (103 bytes on wire, 103 bytes captured)
Ethernet II, Src: NokiaInt_80:b3:e2 (00:a0:8e:80:b3:e2), Dst: HewlettP_4d:ef:bf (00:0d:9d:4d:ef:bf)
Internet Protocol, Src: 10.49.64.25 (10.49.64.25), Dst: 10.48.185.103 (10.48.185.103)
Transmission Control Protocol, Src Port: ldap (389), Dst Port: 36705 (36705), Seq: 570, Ack: 240, Len: 49
Lightweight Directory Access Protocol
    LDAP Message, Bind Result
        Message Id: 3
        Message Type: Bind Result (0x01)
        Message Length: 7
        Response To: 12
        Time: 0.004744000 seconds
        Result Code: success (0x00)
        Matched DN: (null)
        Error Message: (null)
        LDAP Controls
            LDAP Control
                Control OID: 1.3.6.1.4.1.42.2.27.8.5.1
                Control Value: 30000008

I know that I'm not in a PAM specialized forum, so my question is: has anyone already put in place a similar architecture, with an authentication on the proxy side using LDAP?

Thanks in advance for your help!

Jérôme


musashi75 wrote:

Hello all!

It's my first post here, so I hope I'll be clear :)
I'm encountering issues when configuring Perdition to act as
IMAPs Proxy with LDAP authentication.

The context:
Perdition is configured as IMAPs proxy with PAM support and
works well.
But now, I have to put in place authentication based on
existing LDAP server. The LDAP server on which I have to send
my requests is an Active Directory server. Thus, the fields in
the schema aren't standard (there is no mailhost for example).

I want the authentication task to be done by Perdition proxy,
during the LDAP check, and not by IMAPs back-end server. I
don't know if it is possible.

Here's the sum-up of my perdition.conf file:

######################################################################
# perdition.conf
#
######################################################################

connection_logging

debug

M /usr/lib/libperditiondb_ldap.so.0

m ldap://X.X.X.X/ou=Utilisateurs,dc=domain,dc=com? \
sAMAccountName?sub?(sAMAccountName=%s)?!bindname=cn=Jerome%20LEJEAU%2cou=Utilisateurs%2cdc=domain%2cdc=com,x-bindpw=*****

P IMAP4S

outgoing_server imaps.domain.com:993

######################################################################

With this configuration, when I try to reach a mailbox, here're the logs:

Sep 26 14:42:58 jlj-laptop perdition[16141]: Connect: 127.0.0.1->127.0.0.1
Sep 26 14:42:58 jlj-laptop perdition[16141]: SSL connection using AES256-SHA
Sep 26 14:42:58 jlj-laptop perdition[16141]: SELF: "* OK IMAP4 Ready jlj-laptop 000218ff\r\n"
Sep 26 14:42:58 jlj-laptop perdition[16141]: CLIENT: "1 capability\r\n"
Sep 26 14:42:58 jlj-laptop perdition[16141]: SELF: "* CAPABILITY IMAP4 IMAP4REV1\r\n"
Sep 26 14:42:58 jlj-laptop perdition[16141]: SELF: "1 OK CAPABILITY\r\n"
Sep 26 14:42:58 jlj-laptop perdition[16141]: CLIENT: "2 login \"jlj\" \"*****\"\r\n"
Sep 26 14:42:58 jlj-laptop perdition[16141]: username_add_domain: username_add_domain 0 1 0x807bfac
Sep 26 14:42:58 jlj-laptop perdition[16141]: vanessa_socket_host_in_addr: gethostbyname (jlj): Unknown host
Sep 26 14:42:58 jlj-laptop perdition[16141]: vanessa_socket_host_port_sockaddr_in: vanessa_socket_host_in_addr
Sep 26 14:42:58 jlj-laptop perdition[16141]: vanessa_socket_client_src_open: vanessa_socket_host_port_sockaddr_in to
Sep 26 14:42:58 jlj-laptop perdition[16141]: main: vanessa_socket_client_open
Sep 26 14:43:01 jlj-laptop perdition[16141]: SELF: "2 NO Could not connect to server\r\n"
Sep 26 14:43:01 jlj-laptop perdition[16141]: Auth: 127.0.0.1->127.0.0.1 user="jlj" server="jlj" port="993" status="failed: Could not connect to server"

I've tried many things. I got a different behaviour when I put %25s in the LDAP request:

Sep 26 15:08:13 jlj-laptop perdition[16855]: Connect: 127.0.0.1->127.0.0.1
Sep 26 15:08:13 jlj-laptop perdition[16855]: SSL connection using AES256-SHA
Sep 26 15:08:13 jlj-laptop perdition[16855]: SELF: "* OK IMAP4 Ready jlj-laptop 00021966\r\n"
Sep 26 15:08:13 jlj-laptop perdition[16855]: CLIENT: "1 capability\r\n"
Sep 26 15:08:13 jlj-laptop perdition[16855]: SELF: "* CAPABILITY IMAP4 IMAP4REV1\r\n"
Sep 26 15:08:13 jlj-laptop perdition[16855]: SELF: "1 OK CAPABILITY\r\n"
Sep 26 15:08:20 jlj-laptop perdition[16855]: CLIENT: "2 login \"jlj\" \"******\"\r\n"
Sep 26 15:08:20 jlj-laptop perdition[16855]: username_add_domain: username_add_domain 0 1 0x807bfbc
Sep 26 15:08:20 jlj-laptop perdition[16855]: dbserver_get: ldap_first_entry
Sep 26 15:08:20 jlj-laptop perdition[16855]: depth:0 cert:"/C=FR/ST=IDF/L=Paris/O=DOMAIN/OU=IT/CN=imaps.domain.com"
Sep 26 15:08:20 jlj-laptop perdition[16855]: warning: self signed certificate
Sep 26 15:08:20 jlj-laptop perdition[16855]: depth:0 cert:"/C=FR/ST=IDF/L=Paris/O=DOMAIN/OU=IT/CN=imaps.domain.com"
Sep 26 15:08:20 jlj-laptop perdition[16855]: warning: self signed certificate
Sep 26 15:08:20 jlj-laptop perdition[16855]: SSL connection using AES256-SHA
Sep 26 15:08:20 jlj-laptop perdition[16855]: subject: /C=FR/ST=IDF/L=Paris/O=DOMAIN/OU=IT/CN=imaps.domain.com
Sep 26 15:08:20 jlj-laptop perdition[16855]: issuer: /C=FR/ST=IDF/L=Paris/O=DOMAIN/OU=IT/CN=imaps.domain.com
Sep 26 15:08:20 jlj-laptop perdition[16855]: warning: self signed certificate
Sep 26 15:08:20 jlj-laptop perdition[16855]: username_add_domain: username_add_domain 0 4 0x807bfbc
Sep 26 15:08:20 jlj-laptop perdition[16855]: REAL: "* OK Le serveur IMAP4rev1 Microsoft Exchange Server 2003 version 6.5.7638.1 (imaps.domain.com) est pr\352t.\r\n"
Sep 26 15:08:20 jlj-laptop perdition[16855]: SELF: "flim07 CAPABILITY\r\n"
Sep 26 15:08:20 jlj-laptop perdition[16855]: REAL: "* CAPABILITY IMAP4 IMAP4rev1 IDLE LOGIN-REFERRALS MAILBOX-REFERRALS NAMESPACE LITERAL+ UIDPLUS CHILDREN AUTH=NTLM\r\nflim07 OK CAPABILITY completed.\r\n"
Sep 26 15:08:20 jlj-laptop perdition[16855]: SELF: "flim08 LOGIN {3}\r\n"
Sep 26 15:08:20 jlj-laptop perdition[16855]: REAL: "+ Ready for additional command text.\r\n"
Sep 26 15:08:20 jlj-laptop perdition[16855]: SELF: "jlj {12}\r\n"
Sep 26 15:08:20 jlj-laptop perdition[16855]: REAL: "+ Ready for additional command text.\r\n"
Sep 26 15:08:20 jlj-laptop perdition[16855]: SELF: "******\r\n"
Sep 26 15:08:20 jlj-laptop perdition[16855]: REAL: "flim08 OK LOGIN completed.\r\n"
Sep 26 15:08:20 jlj-laptop perdition[16855]: SELF: "2 OK You are so in\r\n"
Sep 26 15:08:20 jlj-laptop perdition[16855]: Auth: 127.0.0.1->127.0.0.1 user="jlj" server="imaps.domain.com" port="993" status="ok"

This time, the authentication is performed by the back-end IMAPs Exchange Server. The aim is to have an authentication on the Perdition proxy, and then to replay the credentials to the IMAP back-end server only if the user is LDAP authenticated.

I hope someone can help me :)

Regards,

Jérôme LEJEAU
Security IT Consultant