[opensuse] Authentication Question Cyrus-Imap / Postfix
Dear list,

after reading several posts and websites, I finally got stuck with my configuration on an openSUSE 11.4 box and help in any form is highly appreciated.

I want to make sure that both SMTP (on submission port: 587) and IMAPs (on port: 993) services are working with encryption, so that no clear text passwords are sent over the wire.

If I configure my Thunderbird mail client to work with Postfix on port 587, STARTTLS and non encrypted passwords, everything seems to work fine. My problem results from Cyrus, and everything seems to work if I send out the passwords in plain and over the wire (no encryption at all). Unfortunately, as far as I get it, I am not able to establish a secure connection via STARTTLS or SSL/TLS. The Thunderbird client always loses its connection.

Here are some details about my configuration:

$> cat /etc/imapd.conf
<<<< SNIP
allowplaintext: yes
sasl_pwcheck_method: auxprop
sasl_mech_list: PLAIN LOGIN
sasl_auxprop_plugin: sasldb
tls_ca_file: /etc/postfix/certs/cacert.pem
tls_cert_file: /etc/postfix/certs/mail_signed_cert.pem
tls_key_file: /etc/postfix/certs/mailkey.pem
<<<<

$> cat /etc/sasl2/smtpd.conf
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: plain login

$> cat /etc/cyrus.conf
START {
  recover   cmd="ctl_cyrusdb -r"
  idled     cmd="idled"
}
SERVICES {
  imap      cmd="imapd"     listen="imap"  prefork=0
  imaps     cmd="imapd -s"  listen="imaps" prefork=0
  sieve     cmd="timsieved" listen="sieve" prefork=0
  lmtpunix  cmd="lmtpd"     listen="/var/lib/imap/socket/lmtp" prefork=0
}
EVENTS {
  checkpoint cmd="ctl_cyrusdb -c"  period=30
  delprune   cmd="cyr_expire -E 3" at=0400
  tlsprune   cmd="tls_prune"       at=0400
}

Whenever I try to connect via Thunderbird, the following messages appear:

$> tail /var/log/messages
Apr 12 15:22:42 hostXYZ imaps[32135]: executed
Apr 12 15:22:42 hostXYZ imaps[32135]: IOERROR: opening /var/lib/imap/user_deny.db: No such file or directory
Apr 12 15:22:42 hostXYZ imaps[32135]: accepted connection
Apr 12 15:22:42 hostXYZ imaps[32135]: DBERROR db4: Database handles still open at environment close
Apr 12 15:22:42 hostXYZ imaps[32135]: DBERROR db4: Open database handle: /var/lib/imap/tls_sessions.db
Apr 12 15:22:42 hostXYZ master[32114]: process 32135 exited, status 75
Apr 12 15:22:42 hostXYZ master[32114]: service imaps pid 32135 in BUSY state: terminated abnormally

Hope that somebody is able to help.

Thank you in advance.

Best regards
Thomas

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
Thomas Etheber wrote:
Dear list,
after reading several posts and websites, I finally got stuck with my configuration on an openSUSE 11.4 box and help in any form is highly appreciated.
I want to make sure that both SMTP (on submission port: 587) and IMAPs (on port: 993) services are working with encryption, so that no clear text passwords are sent over the wire.
Just fyi - I'm using postfix+dovecot on port 587 and 143+993 (respectively), the above works fine, so your problem should be just a matter of configuration. [big snip]
Whenever I try to connect via thunderbird, the following messages appear:
$> tail /var/log/messages
Apr 12 15:22:42 hostXYZ imaps[32135]: executed
Apr 12 15:22:42 hostXYZ imaps[32135]: IOERROR: opening /var/lib/imap/user_deny.db: No such file or directory
Apr 12 15:22:42 hostXYZ imaps[32135]: accepted connection
Apr 12 15:22:42 hostXYZ imaps[32135]: DBERROR db4: Database handles still open at environment close
Apr 12 15:22:42 hostXYZ imaps[32135]: DBERROR db4: Open database handle: /var/lib/imap/tls_sessions.db
Apr 12 15:22:42 hostXYZ master[32114]: process 32135 exited, status 75
Apr 12 15:22:42 hostXYZ master[32114]: service imaps pid 32135 in BUSY state: terminated abnormally
There is probably a debug flag for imaps that would give us some more information?

--
Per Jessen, Zürich (10.6°C)
On 4/12/12 8:30 AM, Thomas Etheber wrote:
Dear list,
after reading several posts and websites, I finally got stuck with my configuration on an openSUSE 11.4 box and help in any form is highly appreciated.
I want to make sure that both SMTP (on submission port: 587) and IMAPs (on port: 993) services are working with encryption, so that no clear text passwords are sent over the wire.
If I configure my Thunderbird mail client to work with Postfix on port 587, STARTTLS and non encrypted passwords, everything seems to work fine. My problem results from Cyrus, and everything seems to work if I send out the passwords in plain and over the wire (no encryption at all). Unfortunately, as far as I get it, I am not able to establish a secure connection via STARTTLS or SSL/TLS. The Thunderbird client always loses its connection.
I had this problem. Make sure you add the user cyrus to have read access to your certificate, and maybe read access to your private key too. That fixed it for me. I use STARTTLS on port 143.

Jim F
Am 12.04.2012 16:02, schrieb Jim Flanagan:
On 4/12/12 8:30 AM, Thomas Etheber wrote:
Dear list,
after reading several posts and websites, I finally got stuck with my configuration on an openSUSE 11.4 box and help in any form is highly appreciated.
I want to make sure that both SMTP (on submission port: 587) and IMAPs (on port: 993) services are working with encryption, so that no clear text passwords are sent over the wire.
If I configure my Thunderbird mail client to work with Postfix on port 587, STARTTLS and non encrypted passwords, everything seems to work fine. My problem results from Cyrus, and everything seems to work if I send out the passwords in plain and over the wire (no encryption at all). Unfortunately, as far as I get it, I am not able to establish a secure connection via STARTTLS or SSL/TLS. The Thunderbird client always loses its connection.
I had this problem. Make sure you add the user cyrus to have read access to your certificate, and maybe read access to your private key too. That fixed it for me. I use STARTTLS on port 143.
Jim F
@Per Jessen: Thank you for your hints. I had a short look at the Cyrus documentation and wasn't able to find a debug flag.

@Jim Flanagan: Yes, it really solves this problem. I just added a

$> chmod 444 /etc/postfix/certs/mailkey.pem
$> ll /etc/postfix/certs/mailkey.pem
-r--r--r-- 1 root root 916 12. Apr 13:49 mailkey.pem

As I had a lot of trouble creating a self-signed certificate, I decided to follow a tutorial after all, which explicitly states:
These files represent your server private key and public certificate. Because you created the private key without encrypting it, you must protect it by using permissions that are as restrictive as possible. Use the following commands to make sure it is owned and readable only by the root account.
Does anyone know whether the changed user rights are a potential security concern?

Thanks to all.

Best,
Thomas
I had this problem. Make sure you add the user cyrus to have read access to your certificate, and maybe read access to your private key too. That fixed it for me. I use STARTTLS on port 143.

@Per Jessen: Thank you for your hints. I had a short look at the Cyrus documentation and wasn't able to find a debug flag.

@Jim Flanagan: Yes, it really solves this problem. I just added a

$> chmod 444 /etc/postfix/certs/mailkey.pem
$> ll /etc/postfix/certs/mailkey.pem
-r--r--r-- 1 root root 916 12. Apr 13:49 mailkey.pem

Does anyone know whether the changed user rights are a potential security concern?
Yes, huge. There is never ever any reason a *key* file should be world readable.

If you have /etc/ssl/some.key that needs to be readable by user cyrus and user mail then -

chmod 000 /etc/ssl/some.key
setfacl -m u:mail:r /etc/ssl/some.key
setfacl -m u:cyrus:r /etc/ssl/some.key
Am 12.04.2012 20:26, schrieb Adam Tauno Williams:
$> chmod 444 /etc/postfix/certs/mailkey.pem
$> ll /etc/postfix/certs/mailkey.pem
-r--r--r-- 1 root root 916 12. Apr 13:49 mailkey.pem

Does anyone know whether the changed user rights are a potential security concern?
Yes, huge. There is never ever any reason a *key* file should be world readable.
If you have /etc/ssl/some.key that needs to be readable by user cyrus and user mail then -
chmod 000 /etc/ssl/some.key
setfacl -m u:mail:r /etc/ssl/some.key
setfacl -m u:cyrus:r /etc/ssl/some.key
Thanks Adam Tauno Williams, I was a bit suspicious too, but hadn't thought of providing separate read/write access for special users.

I hadn't mounted the fs having setfacl support, so I opted to add a separate group:

groupadd ssl
usermod -A mail,ssl postfix
usermod -A postfix,ssl cyrus
chown postfix:ssl mailkey.pem
chmod 440 mailkey.pem
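Both fixes from this exchange, Adam's setfacl approach and Thomas's dedicated group, as one script. This is an added example, not code from any post in the thread. It assumes GNU coreutils stat(1) and shadow-utils groupadd/usermod (the usermod -a -G form; the -A form in Thomas's commands is the syntax of the older SUSE pwdutils); the group name ssl, the user names postfix and cyrus and the key path are placeholders. key_perms_ok is the check to run afterwards, or from cron, to catch a key that has drifted back to world-readable, which is exactly what chmod 444 produced:

```shell
#!/bin/sh
# Added example, not taken from the thread.  Gives Postfix and Cyrus read
# access to one shared TLS private key without making it world-readable,
# using either of the two approaches discussed above, then audits the result.
# Assumptions: GNU coreutils stat(1); shadow-utils groupadd/usermod; the
# group name "ssl", the user names and the key path are placeholders.

# Audit: succeed only if "other" has no bits at all and "group" has at most
# read.  Prints the finding to stderr so it can run unattended from cron.
key_perms_ok() {
    key=$1
    raw=$(stat -c '%a' "$key" 2>/dev/null) || return 2
    # "%a" prints octal without a leading zero; prefix one so printf parses
    # it as octal and the bit masks below are meaningful.
    mode=$(printf '%d' "0$raw")
    other=$(( mode & 7 ))
    group=$(( (mode >> 3) & 7 ))
    if [ "$other" -ne 0 ]; then
        echo "$key: world-accessible (o=$other), fix with chmod o-rwx" >&2
        return 1
    fi
    if [ "$group" -ne 0 ] && [ "$group" -ne 4 ]; then
        echo "$key: group has more than read (g=$group)" >&2
        return 1
    fi
    return 0
}

# Variant 1 (Thomas): a dedicated group, mode 0440.  The key stays owned by
# root so that neither daemon user can chmod it back to something wider.
lock_key_with_group() {
    key=$1; grp=$2; shift 2
    getent group "$grp" >/dev/null 2>&1 || groupadd -r "$grp" || return 2
    for u in "$@"; do
        usermod -a -G "$grp" "$u" || return 2   # -a: append, keep existing groups
    done
    chown root:"$grp" "$key" && chmod 0440 "$key" && key_perms_ok "$key"
}

# Variant 2 (Adam): POSIX ACLs.  Fails cleanly where setfacl is missing or
# the filesystem was not mounted with ACL support.
lock_key_with_acl() {
    key=$1; shift
    command -v setfacl >/dev/null 2>&1 || { echo "setfacl not installed" >&2; return 2; }
    chown root:root "$key" && chmod 0000 "$key" || return 2
    for u in "$@"; do
        setfacl -m "u:$u:r" "$key" || return 2   # fails on a non-ACL mount
    done
    key_perms_ok "$key"
}

# Usage (as root), e.g.:
#   lock_key_with_group /etc/postfix/certs/mailkey.pem ssl postfix cyrus
#   lock_key_with_acl   /etc/postfix/certs/mailkey.pem postfix cyrus
```

Two design choices worth noting. The key is owned by root rather than by postfix, as in Thomas's chown, so a compromised daemon account cannot widen the permissions itself. And starting the ACL variant from chmod 0000, as Adam wrote, matters: setfacl only adds the named-user entries, while the owning-group entry keeps whatever mode bits it already had.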
On 4/13/12 2:44 AM, Thomas Etheber wrote:
Am 12.04.2012 20:26, schrieb Adam Tauno Williams:
$> chmod 444 /etc/postfix/certs/mailkey.pem
$> ll /etc/postfix/certs/mailkey.pem
-r--r--r-- 1 root root 916 12. Apr 13:49 mailkey.pem

Does anyone know whether the changed user rights are a potential security concern?
Yes, huge. There is never ever any reason a *key* file should be world readable.
If you have /etc/ssl/some.key that needs to be readable by user cyrus and user mail then -
chmod 000 /etc/ssl/some.key
setfacl -m u:mail:r /etc/ssl/some.key
setfacl -m u:cyrus:r /etc/ssl/some.key
Thanks Adam Tauno Williams, I was a bit suspicious too, but hadn't thought of providing separate read/write access for special users.
I hadn't mounted the fs having setfacl support, so I opted to add a separate group:
groupadd ssl
usermod -A mail,ssl postfix
usermod -A postfix,ssl cyrus
chown postfix:ssl mailkey.pem
chmod 440 mailkey.pem
I used the Dolphin file manager. Right click your file, go to permissions, then advanced. Add user "cyrus", and uncheck write and executable. Leave read checked for "cyrus". Pretty easy.

Jim F
On 4/12/12 9:15 AM, Thomas Etheber wrote:
Am 12.04.2012 16:02, schrieb Jim Flanagan:
On 4/12/12 8:30 AM, Thomas Etheber wrote:
Dear list,
after reading several posts and websites, I finally got stuck with my configuration on an openSUSE 11.4 box and help in any form is highly appreciated.
I want to make sure that both SMTP (on submission port: 587) and IMAPs (on port: 993) services are working with encryption, so that no clear text passwords are sent over the wire.
If I configure my Thunderbird mail client to work with Postfix on port 587, STARTTLS and non encrypted passwords, everything seems to work fine. My problem results from Cyrus, and everything seems to work if I send out the passwords in plain and over the wire (no encryption at all). Unfortunately, as far as I get it, I am not able to establish a secure connection via STARTTLS or SSL/TLS. The Thunderbird client always loses its connection.
I had this problem. Make sure you add the user cyrus to have read access to your certificate, and maybe read access to your private key too. That fixed it for me. I use STARTTLS on port 143.
Jim F
@Per Jessen: Thank you for your hints. I had a short look at the cyrus documentation and wasn't able to find a debug flag.
@Jim Flanagan: Yes, it really solves this problem. I just added a
$> chmod 444 /etc/postfix/certs/mailkey.pem
$> ll /etc/postfix/certs/mailkey.pem
-r--r--r-- 1 root root 916 12. Apr 13:49 mailkey.pem
As I had a lot of trouble creating a self signed certificate, I decided to follow a tutorial after all, which explicitly states:
These files represent your server private key and public certificate. Because you created the private key without encrypting it, you must protect it by using permissions that are as restrictive as possible. Use the following commands to make sure it is owned and readable only by the root account.
Does anyone know whether the changed user rights are a potential security concern?
Thanks to all.
Best, Thomas
Yes, you do not want any read or write access by any user except those actually needed. Good advice in other posts.

I used to use a self-signed cert, but now you can get a free cert signed by some companies. This has the advantage of your clients not having to import your cert or having to click accept each time they check their mail. I use startssl.com. Look in the ssl docs, make a csr from your private key. Go to startssl.com and create an account. They will give you a cert (different from your server cert) that will authenticate you to log on to their system. Then submit your csr. They will sign it. Save that signed cert to a file for your mail server (and www too if you want).

Jim F
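Jim's "make a csr from your private key" step, as an added example that is not from any post in the thread: the private key is created so that it is never world-readable at any moment (umask 077 inside a subshell, so the chmod 444 problem from earlier in the thread cannot recur), and the CSR is checked against the key before it goes to a CA. It assumes the openssl(1) command line, 1.1.1 or later for -addext; the hostname and the output directory are placeholders. StartSSL, the CA Jim used, has since ceased operation; any CA that accepts a CSR is used the same way.

```shell
#!/bin/sh
# Added example, not from the thread.  Creates the server private key and a
# CSR for it without the key ever being world-readable, then verifies the
# CSR belongs to the key before it is sent to a CA.
# Assumptions: openssl(1) 1.1.1 or later (for -addext); the hostname and
# output directory are placeholders.

# Generate an unencrypted 2048-bit RSA key and a CSR for $host in $dir.
# The subshell keeps the umask change local: 077 while the key is written
# (file is created 0600), back to 022 for the CSR, which holds only public data.
gen_key_and_csr() {
    dir=$1; host=$2
    (
        umask 077
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out "$dir/$host.key" 2>/dev/null || exit 1
        umask 022
        # subjectAltName is what clients such as Thunderbird match the hostname against.
        openssl req -new -key "$dir/$host.key" -subj "/CN=$host" \
            -addext "subjectAltName=DNS:$host" \
            -out "$dir/$host.csr" 2>/dev/null
    )
}

# Succeed if the CSR's self-signature verifies and its public key is the one
# derived from the private key, i.e. the pair really belongs together.
csr_matches_key() {
    key=$1; csr=$2
    openssl pkey -in "$key" -noout 2>/dev/null || return 1
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    from_key=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    from_csr=$(openssl req -in "$csr" -pubkey -noout 2>/dev/null \
               | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    [ -n "$from_key" ] && [ "$from_key" = "$from_csr" ]
}

# Octal permission bits of a file (GNU stat), e.g. 600.
file_mode() { stat -c '%a' "$1"; }

# Usage, e.g.:
#   gen_key_and_csr /etc/postfix/certs mail.example.org && \
#   csr_matches_key /etc/postfix/certs/mail.example.org.key \
#                   /etc/postfix/certs/mail.example.org.csr
```

Once the CA returns the signed certificate, the key still needs the group or ACL treatment from earlier in the thread so that the postfix and cyrus users can read it; the umask only guarantees that nobody else ever could.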
participants (4): Adam Tauno Williams, Jim Flanagan, Per Jessen, Thomas Etheber