Davide Libenzi | 10 Dec 05:12 2006

Re: SMTP=ESSL


On Sun, 10 Dec 2006, CLEMENT Francis wrote:

> Excuse me for my ignorance, but I didn't read in IMAP RFC's (any version)
> that SSL IS required !?!?
> SSL seems to be only on request by STARTTLS command as for smtp.

RFC3501:

"In addition, client and server implementations MUST implement the
 STARTTLS, LOGINDISABLED, and AUTH=PLAIN (described in [IMAP-TLS])
 capabilities."

> My current problem is the ESSL error rejecting connections and peer seems to
> not go back again in 'normal' mode so mails are not delivered to my
> customers, so how to correct the issue with 1.24 ?
> Do I need to generate key/cert pair ?

Yes.

> Doing so will end ESSL errors and Xmail will start negotiating with an incoming
> server sending STARTTLS ?

ESSL is an internal error in that case. Create the key&cert and it will be 
fine.

- Davide

-
To unsubscribe from this list: send the line "unsubscribe xmail" in

Davide Libenzi | 10 Dec 05:14 2006

Re: 1.24-pre09 ...


On Sat, 9 Dec 2006, Rene Rivera wrote:

> 
> Davide Libenzi wrote:
> > Even if I make XMail configurable from that POV, it'll mean that the user 
> > you're running XMail on, must be able to read them. And if such user must 
> > be able to read them, it means that if XMail is compromised, your files 
> > are readable too. At that point you can simply symlink them.
> 
> It's not the xmail executable I'm worried about. I trust that you do a 
> much better job at securing xmail than the most of the other software I 
> have on the machine. It's the MAIL_ROOT directory itself I worry about. 
> After all given how xmail is structured I have to run it as root anyway 
> (I've never been able to make it run as a restricted user). The problem 
> is that to make other tools that access the mail files directly work, 
> the MAIL_ROOT ends up being readable by a wider audience than root. 

Ohhh, that is pretty bad. The mailusers.tab file is definitely critical.

- Davide

-
To unsubscribe from this list: send the line "unsubscribe xmail" in
the body of a message to ecartis <at> xmailserver.org
For general help: send the line "help" in the body of a message to
ecartis <at> xmailserver.org
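
The exposure raised in this exchange, as an added example that is not part of any post and is not XMail code: a small audit of a MAIL_ROOT directory that reports `mailusers.tab` or `server.key` when they are accessible beyond their owner, and notes when `server.key` or `server.cert` is absent. The file names are the ones mentioned in the thread; choosing these files to audit, and the sample directory built in `demo()`, are assumptions of the example.

```python
import os
import stat
import tempfile

# File names are from the thread; which ones to audit is this example's assumption.
SECRET_FILES = ("mailusers.tab", "server.key")
TLS_FILES = ("server.key", "server.cert")
LOOSE = stat.S_IRWXG | stat.S_IRWXO  # any group/other permission bit


def audit_mail_root(mail_root):
    """Return (name, issue) pairs for problems found under mail_root."""
    findings = []
    root_mode = stat.S_IMODE(os.stat(mail_root).st_mode)
    if root_mode & LOOSE:
        findings.append((".", "accessible beyond owner (%04o)" % root_mode))
    for name in TLS_FILES:
        if not os.path.exists(os.path.join(mail_root, name)):
            findings.append((name, "missing"))
    for name in SECRET_FILES:
        path = os.path.join(mail_root, name)
        if not os.path.lexists(path):
            continue
        st = os.lstat(path)  # lstat: a symlink is reported, not followed
        if stat.S_ISLNK(st.st_mode):
            findings.append((name, "symlink, check the target's permissions"))
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & LOOSE:
            findings.append((name, "accessible beyond owner (%04o)" % mode))
    return findings


def demo(dir_mode=0o755, tab_mode=0o644, with_cert=False):
    """Audit a constructed MAIL_ROOT built in a temporary directory."""
    names = [("mailusers.tab", tab_mode), ("server.key", 0o600)]
    if with_cert:
        names.append(("server.cert", 0o644))
    with tempfile.TemporaryDirectory() as root:
        os.chmod(root, dir_mode)
        for name, mode in names:
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
            os.chmod(path, mode)
        return audit_mail_root(root)


if __name__ == "__main__":
    print(demo())
```

Point `audit_mail_root()` at a real MAIL_ROOT to get the same list of findings; an empty list means none of the checked conditions were met.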

Francesco Vertova | 10 Dec 10:29 2006

Re: SMTP=ESSL


At 18.51 09/12/06, you wrote:

>Also, MUAs talk SSL only if you configure them to do so

Eudora, for one, will try STARTTLS by default, and won't try only if 
you configure it to do so. No big deal, but don't tell me: tell my users.

Ciao, Francesco


Rob Arends | 11 Dec 00:11 2006

Re: SMTP=ESSL


Davide, as you mention here:

| "In addition, client and server implementations MUST implement the
|  STARTTLS, LOGINDISABLED, and AUTH=PLAIN (described in [IMAP-TLS])
|  capabilities."

The SSL requirement is with IMAP-TLS. There is also IMAP (no TLS), and
SMTP and POP3 without TLS.
Why does xmail supporting IMAP-TLS, force all other protocols to support
TLS?

Rob :-)

--------------------------------------------------------
> From: Davide Libenzi <davidel <at> xmailserver.org>
> Subject: Re: SMTP=ESSL
> Newsgroups: gmane.mail.xmail.general
> Date: 2006-12-10 04:12:26 GMT (18 hours and 36 minutes ago)
> 
> 
> On Sun, 10 Dec 2006, CLEMENT Francis wrote:
> 
> > Excuse me for my ignorance, but I didn't read in IMAP RFC's (any version)
> > that SSL IS required !?!?
> > SSL seems to be only on request by STARTTLS command as for smtp.
> 
> RFC3501:
> 

Rob Arends | 11 Dec 00:33 2006

Re: 1.24-pre07 ...


Davide, an excerpt from your own emails regarding key/cert files:

> you MUST create them, in order to have SSL support to work.

So I read that, as you don't need them if you don't want SSL to work.
Right now 1.24 *doesn't* work if I don't have key/cert files. I *don't* want
SSL yet.

Please make all SSL capabilities dependent on successful finding of key/cert
files.

Thanks, Rob :-)

-----------------------------------------------------
> From: Davide Libenzi <davidel <at> xmailserver.org>
> Subject: Re: 1.24-pre07 ...
> Newsgroups: gmane.mail.xmail.general
> Date: 2006-12-06 18:33:49 GMT
> 
> 
> On Wed, 6 Dec 2006, Davide Libenzi wrote:
> 
> > > Also for Davide: apparently 1.24 does not complain if there are no 
> > > server.key or server.cert in $MAIL_ROOT, they are only required if 
> > > SSL enabled I think.
> > 
> > > That should be really created by you, like described in the doc. Maybe I
> > > need to add to the doc that you MUST create them, in order to have SSL 

Davide Libenzi | 11 Dec 00:46 2006

Re: SMTP=ESSL


On Mon, 11 Dec 2006, Rob Arends wrote:

> 
> Davide, as you mention here:
> 
> | "In addition, client and server implementations MUST implement the
> |  STARTTLS, LOGINDISABLED, and AUTH=PLAIN (described in [IMAP-TLS])
> |  capabilities."
> 
> The SSL requirement is with IMAP-TLS. There is also IMAP (no TLS), and
> SMTP and POP3 without TLS.
> Why does xmail supporting IMAP-TLS, force all other protocols to support
> TLS?

RFC3501: INTERNET MESSAGE ACCESS PROTOCOL - VERSION 4rev1

      6.1.1. CAPABILITY Command

      Client and server implementations MUST implement the STARTTLS,
      LOGINDISABLED, and AUTH=PLAIN (described in [IMAP-TLS])
      capabilities.

Are you trolling or what? Because, you know, I prefer to spend my time 
coding.

- Davide


Manuel Martin | 11 Dec 10:37 2006

Re: SMTP=ESSL


Hello people, 

> -----Original Message-----
> From: xmail-bounce <at> xmailserver.org 
> [mailto:xmail-bounce <at> xmailserver.org] On Behalf Of Francesco Vertova
> Sent: Saturday, December 09, 2006 12:15 PM
> To: xmail <at> xmailserver.org
> Subject: [xmail] Re: SMTP=ESSL
> - MUA's will bitch that it is "bad" for various reasons, and ask 
> users if they want to accept it,
> - users will pest about WTF is going on, and I don't want to quarrel 
> with them unless I do want SSL (and I don't, at the moment).
> - much less I want to address a certificate authority just to stop 
> users from pesting about something I don't need
> 
> So, yes, I can only upgrade to 1.24 if there is a way to enable 
> SSL-related features only when needed, and disable them otherwise. We 
> already have AllowSmtpVRFY and  AllowSmtpETRN in server.tab, what 
> about adding AllowSmtpSTARTTLS and AllowPop3STLS?

If I get it correctly I see another problem:
I (and I am not the only one I suppose) use some sort of "transparent
proxy"-service(s) to intercept and inspect traffic which is doomed once a
spammer/virus can force its way through by forcing Xmail to accept an
encrypted session (again, to my understanding it is not possible to deny such
a request). Examples are AV-Gateways or SMTP-Proxies like ASSP.

That would be a grave problem for me, and perhaps one for others which
haven't realized that yet :-)

CLEMENT Francis | 11 Dec 12:01 2006

Re: SMTP=ESSL


>-----Original Message-----
>From: xmail-bounce <at> xmailserver.org
>[mailto:xmail-bounce <at> xmailserver.org] On Behalf Of Davide Libenzi
>Sent: Monday, December 11, 2006 00:47
>To: xmail <at> xmailserver.org
>Subject: [xmail] Re: SMTP=ESSL
>
>
>
>On Mon, 11 Dec 2006, Rob Arends wrote:
>
>> 
>> Davide, as you mention here:
>> 
>> | "In addition, client and server implementations MUST implement the
>> |  STARTTLS, LOGINDISABLED, and AUTH=PLAIN (described in [IMAP-TLS])
>> |  capabilities."
>> 
>> The SSL requirement is with IMAP-TLS. There is also IMAP (no TLS), and
>> SMTP and POP3 without TLS.
>> Why does xmail supporting IMAP-TLS, force all other protocols to support
>> TLS?
>
>RFC3501: INTERNET MESSAGE ACCESS PROTOCOL - VERSION 4rev1
>
>      6.1.1. CAPABILITY Command
>

Yasuhiko Kamata | 11 Dec 12:17 2006

Re: Mail address validation on 1.23


Hi Davide,

On Tue, 5 Dec 2006 23:04:20 +0900
Yasuhiko Kamata <belphegor <at> belbel.or.jp> wrote:

> On Mon, 4 Dec 2006 15:18:58 -0800 (PST)
> Davide Libenzi <davidel <at> xmailserver.org> wrote:
> 
> > > > Kamata-san, thank you for the report, but I'm not going to change
> > > > the code. Since you have the code, please apply the small patch
> > > > over your server if you like.
> > > 
> > > Ok, I understood. If so, how about "quoted string" described in
> > > 3.4.1 (RFC2822) ?
> > > For example,
> > > RCPT TO:<a..b <at> example.org> -> RCPT TO:<"a..b" <at> example.org> .
> > 
> > That would not change the picture, since the mail client does not
> > quote the string, does it?
> 
> Surely mail client does not quote. So the user should do instead.
> But current XMail does not interpret a double quote as a special
> (that is, quotes will contain RFC2822 incompatible string) character.
> 
> The quoted string is described in section 3.4.1 "Addr-spec
> specification", RFC2822.
> 
> Thanks,
> 

Edinilson J. Santos | 11 Dec 12:46 2006

smtp.ipprop alternative


Davide, is it very difficult to implement a version of smtp.ipprop that uses 
reverse dns (something like you do with spammers.tab and spam-address.tab) ?

Here we are in trouble with some servers that are listed in some black lists 
and use a large range of ips (yahoogroups for example).

Regards

Edinilson
---------------------------------------------------------
ATINET-Professional Web Hosting
Tel Voz: (0xx11) 4412-0876
http://www.atinet.com.br


