On 12.04.2012 16:02, Jim Flanagan wrote:
On 4/12/12 8:30 AM, Thomas Etheber wrote:
Dear list,
after reading several posts and websites, I finally got stuck with my configuration on an openSUSE 11.4 box and help in any form is highly appreciated.
I want to make sure that both SMTP (on submission port: 587) and IMAPs (on port: 993) services are working with encryption, so that no clear text passwords are sent over the wire.
If I configure my Thunderbird mail client to work with Postfix on port 587, STARTTLS and non encrypted passwords, everything seems to work fine. My problem results from Cyrus and everything seems to work if I send out the passwords in plain and over the wire (no encryption at all). Unfortunately, as far as I get it, I am not able to establish a secure connection via STARTTLS or SSL/TLS. The Thunderbird client always loses its connection.
Here are some details about my configuration:
$> cat /etc/imapd.conf
<<<< SNIP
allowplaintext: yes
sasl_pwcheck_method: auxprop
sasl_mech_list: PLAIN LOGIN
sasl_auxprop_plugin: sasldb
tls_ca_file: /etc/postfix/certs/cacert.pem
tls_cert_file: /etc/postfix/certs/mail_signed_cert.pem
tls_key_file: /etc/postfix/certs/mailkey.pem
<<<<

$> cat /etc/sasl2/smtpd.conf
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: plain login

$> cat /etc/cyrus.conf
START {
  recover cmd="ctl_cyrusdb -r"
  idled cmd="idled"
}
SERVICES {
  imap cmd="imapd" listen="imap" prefork=0
  imaps cmd="imapd -s" listen="imaps" prefork=0
  sieve cmd="timsieved" listen="sieve" prefork=0
  lmtpunix cmd="lmtpd" listen="/var/lib/imap/socket/lmtp" prefork=0
}
EVENTS {
  checkpoint cmd="ctl_cyrusdb -c" period=30
  delprune cmd="cyr_expire -E 3" at=0400
  tlsprune cmd="tls_prune" at=0400
}
Whenever I try to connect via thunderbird, the following messages appear:
$> tail /var/log/messages
Apr 12 15:22:42 hostXYZ imaps[32135]: executed
Apr 12 15:22:42 hostXYZ imaps[32135]: IOERROR: opening /var/lib/imap/user_deny.db: No such file or directory
Apr 12 15:22:42 hostXYZ imaps[32135]: accepted connection
Apr 12 15:22:42 hostXYZ imaps[32135]: DBERROR db4: Database handles still open at environment close
Apr 12 15:22:42 hostXYZ imaps[32135]: DBERROR db4: Open database handle: /var/lib/imap/tls_sessions.db
Apr 12 15:22:42 hostXYZ master[32114]: process 32135 exited, status 75
Apr 12 15:22:42 hostXYZ master[32114]: service imaps pid 32135 in BUSY state: terminated abnormally
Hope that somebody is able to help.
Thank you in advance.
Best regards Thomas
I had this problem. Make sure you add the user cyrus to have read access to your certificate, and maybe read access to your private key too. That fixed it for me. I use STARTTLS on port 143.
Jim F
@Per Jessen: Thank you for your hints. I had a short look at the cyrus documentation and wasn't able to find a debug flag.

@Jim Flanagan: Yes, it really solves this problem. I just added a

$> chmod 444 /etc/postfix/certs/mailkey.pem
$> ll /etc/postfix/certs/mailkey.pem
-r--r--r-- 1 root root 916 12. Apr 13:49 mailkey.pem

As I had a lot of trouble creating a self signed certificate, I decided to follow a tutorial after all, which explicitly states:

"These files represent your server private key and public certificate. Because you created the private key without encrypting it, you must protect it by using permissions that are as restrictive as possible. Use the following commands to make sure it is owned and readable only by the root account."
Does anyone know whether the changed user rights are a potential security concern?

Thanks to all.

Best,
Thomas
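
Added example, not part of the original thread: a shell check for the permissions question above. It classifies who can read a private key file from its mode bits and narrows a world-readable key (mode 444, as set in the thread) to owner plus one group. It assumes GNU stat; the function names are hypothetical, and the group passed to restrict_key is a placeholder for whichever group the cyrus account belongs to.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Assumes GNU stat (coreutils).

# key_mode_status FILE -> prints who may read FILE, judged by its mode bits:
#   world-readable  every local account can read it (e.g. 444)
#   group-readable  owner and one group can read it (e.g. 640)
#   owner-only      only the owner can read it (e.g. 400 or 600)
key_mode_status() {
    mode=$(stat -c '%a' "$1") || return 2
    other=$((mode % 10))        # last octal digit: permissions for "others"
    group=$((mode / 10 % 10))   # second-to-last digit: permissions for the group
    if [ $((other & 4)) -ne 0 ]; then
        echo world-readable
    elif [ $((group & 4)) -ne 0 ]; then
        echo group-readable
    else
        echo owner-only
    fi
}

# restrict_key FILE GROUP -> let the owner and GROUP read FILE, nobody else.
# GROUP is a placeholder for a group the IMAP service account belongs to.
restrict_key() {
    chgrp "$2" "$1" && chmod 640 "$1"
}

# Demo on a constructed temporary file standing in for the key.
demo_key=$(mktemp)
chmod 444 "$demo_key"
echo "before: $(key_mode_status "$demo_key")"
restrict_key "$demo_key" "$(id -g)"
echo "after:  $(key_mode_status "$demo_key")"
rm -f "$demo_key"
```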