[Arriba] [Todas las Listas]

Re: [opensuse] Authentication Cuestión Cyrus-Imap / Postfix

To: opensuse@xxxxxxxxxxxx
Subject: Re: [opensuse] Authentication Cuestión Cyrus-Imap / Postfix
From: Thomas Etheber <etheber@xxxxxx>
Date: Thu, 12 Apr 2012 16:15:04 +0200
Delivered-to: opensuse@xxxxxxxxxxxxxxxxxxx
Delivery-date: Thu, 12 Apr 2012 10:15:39 -0400
Envelope-to: traductor@xxxxxxxxxxx
In-reply-to: <>
List-archive: <>
List-help: <>
List-owner: <>
List-post: <>
List-subscribe: <>
List-unsubscribe: <>
Mailing-list: contact opensuse+help@xxxxxxxxxxxx; run by mlmmj
References: <> <>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; de; rv: Gecko/20110616 Lightning/1.0b2 Thunderbird/3.1.11
Soy 12.04.2012 16:02, *schrieb *Jim *Flanagan:
En 4/12/12 8:30 AM, Thomas *Etheber escribió:
*Dear lista,

después de leer varios correos y *websites, finalmente conseguí enganchado con mi
configuración en un *openSUSE 11.4 cajas y la ayuda en cualquier forma es altamente

Quiero hacer seguro que #ambos SMTP (en puerto de sumisión: 587) y *IMAPs
(en puerto: 993) los servicios están trabajando con encriptación, de modo que #ninguno contraseñas
de texto claras son envía sobre el cable.

Si configuro mi *Thunderbird cliente de correo para trabajar con *Postfix en puerto
587, *STARTTLS y no *encrypted contraseñas, todo parece para trabajar
bien. Mis resultados de problema de Cyrus y todo parece para trabajar si envío fuera de las contraseñas en sencillo y sobre el cable (ninguna encriptación nada).
Desafortunadamente, cuando lejos cuando lo consigo, no soy capaz de establecer una
conexión segura *via *STARTTLS o TLS/de SSL. El *thunderbird el cliente siempre
pierde su conexión.

Aquí es algunos detalles sobre mi configuración:

$> gato /*etc/*imapd.*conf
<<<< *SNIP
*allowplaintext: Sí
*sasl_*pwcheck_método: *auxprop
*sasl_*mech_lista: LLANURA *LOGIN
*sasl_*auxprop_*plugin: *sasldb
*tls_*ca_archivo: /*etc/*postfix/*certs/*cacert.*pem
*tls_*cert_Archivo: /*etc/*postfix/*certs/el correo_firmó_*cert.*pem
*tls_Archivoclave: /*etc/*postfix/*certs/*mailkey.*pem

$>Gato /*etc/*sasl2/*smtpd.*conf
*pwcheck_Método: *auxprop
*auxprop_*plugin: *sasldb
*mech_lista: sencillo *login

$> gato /*etc/*cyrus.*conf
#verbcj *cmd="*ctl_*cyrusdb -*r"
*idled *cmd="*idled"
#unknown{^*imap *cmd="*imapd" escucha="*imap" *prefork=0
*imaps *cmd="*imapd -*s" escuchar="*imaps" *prefork=0
*sieve *cmd="*timsieved" escucha="*sieve" *prefork=0
*lmtpunix *cmd="*lmtpd" escucha="/*var/*lib/*imap/*socket/*lmtp" *prefork=num_nom
Am 12.04.2012 16:02, schrieb Jim Flanagan:
On 4/12/12 8:30 AM, Thomas Etheber wrote:
Dear list,

after reading several posts and websites, I finally got stuck with my
configuration on a openSUSE 11.4 box and help in any form is highly

I want to make sure that both SMTP (on submission port: 587) and IMAPs
(on port: 993) services are working with encryption, so that no clear
text passwords are send over the wire.

If I configure my Thunderbird mail client to work with Postfix on port
587, STARTTLS and non encrypted passwords, everything seems to work
fine. My problem results from Cyrus and everything seems to work if I
send out the passwords in plain and over the wire (no encryption at
all). Unfortunately, as far as I get it, I am not able to establish a
secure connection via STARTTLS or SSL/TLS. The thunderbird client always
loses its connection.

Here are some details about my configuration:

$> cat /etc/imapd.conf
<<<< SNIP
allowplaintext: yes
sasl_pwcheck_method: auxprop
sasl_mech_list: PLAIN LOGIN
sasl_auxprop_plugin: sasldb
tls_ca_file: /etc/postfix/certs/cacert.pem
tls_cert_file: /etc/postfix/certs/mail_signed_cert.pem
tls_key_file: /etc/postfix/certs/mailkey.pem

$>cat /etc/sasl2/smtpd.conf
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: plain login

$> cat /etc/cyrus.conf
recover cmd="ctl_cyrusdb -r"
idled cmd="idled"
imap cmd="imapd" listen="imap" prefork=0
imaps cmd="imapd -s" listen="imaps" prefork=0
sieve cmd="timsieved" listen="sieve" prefork=0
lmtpunix cmd="lmtpd" listen="/var/lib/imap/socket/lmtp" prefork=0
checkpoint cmd="ctl_cyrusdb -c" period=30
delprune cmd="cyr_expire -E 3" at=0400
tlsprune cmd="tls_prune" at=0400

Whenever I try to connect via thunderbird, the following messages appear:

$> tail /var/log/messages
Apr 12 15:22:42 hostXYZ imaps[32135]: executed
Apr 12 15:22:42 hostXYZ imaps[32135]: IOERROR: opening
/var/lib/imap/user_deny.db: No such file or directory
Apr 12 15:22:42 hostXYZ imaps[32135]: accepted connection
Apr 12 15:22:42 hostXYZ imaps[32135]: DBERROR db4: Database handles
still open at environment close
Apr 12 15:22:42 hostXYZ imaps[32135]: DBERROR db4: Open database handle:
Apr 12 15:22:42 hostXYZ master[32114]: process 32135 exited, status 75
Apr 12 15:22:42 hostXYZ master[32114]: service imaps pid 32135 in BUSY
state: terminated abnormally

Hope that somebody is able to help.

Thank you in advance.

Best regards

I had this problem. Make sure you add the user cyrus to have read access
to your certificate, and maybe read access to your private key too. That
fixed it for me. I use STARTTLS on port 143.

Jim F

@Per Jessen: Thank you for your hints. I had a short look at the cyrus documentation and wasn't able to find a debug flag.

@Jim Flanagan: Yes, it really solves this problem. I just added a

$> chmod 444 /etc/postfix/certs/mailkey.pem
$> ll /etc/postfix/certs/mailkey.pem
-r--r--r-- 1 root root 916 12. Apr 13:49 mailkey.pem

As I had a lot of trouble creating a self signed certificate, I decided to follow a tutorial after all, which explicitly states:

These files represent your server private key and public certificate. Because you created the private key without encrypting it, you must protect it by using permissions that are as restrictive as possible. Use the following commands to make sure it is owned and readable only
by the root account.

Does any one know, whether the changed user rights are a potential secuirty concern?

Thank's to all.


To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse+owner@xxxxxxxxxxxx

<Anterior por Tema] Tema Actual [Siguiente por Tema>