Re: [opensuse] Authentication Question Cyrus-Imap / Postfix

To: opensuse@xxxxxxxxxxxx
Subject: Re: [opensuse] Authentication Question Cyrus-Imap / Postfix
From: Jim Flanagan <linuxjim@xxxxxxxxxx>
Date: Fri, 13 Apr 2012 06:56:21 -0500
Mailing-list: contact opensuse+help@xxxxxxxxxxxx; run by mlmmj
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:11.0) Gecko/20120327 Thunderbird/11.0.1
On 4/12/12 9:15 AM, Thomas Etheber wrote:
Am 12.04.2012 16:02, schrieb Jim Flanagan:
On 4/12/12 8:30 AM, Thomas Etheber wrote:
Dear list,

after reading several posts and websites, I finally got stuck with my
configuration on an openSUSE 11.4 box and help in any form is highly

I want to make sure that both SMTP (on submission port: 587) and IMAPs
(on port: 993) services are working with encryption, so that no clear
text passwords are sent over the wire.

If I configure my Thunderbird mail client to work with Postfix on port
587, STARTTLS and non-encrypted passwords, everything seems to work
fine. My problem results from Cyrus and everything seems to work if I
send out the passwords in plain and over the wire (no encryption at
all). Unfortunately, as far as I get it, I am not able to establish a
secure connection via STARTTLS or SSL/TLS. The Thunderbird client always
loses its connection.

Here are some details about my configuration:

$> cat /etc/imapd.conf
<<<< SNIP
allowplaintext: yes
sasl_pwcheck_method: auxprop
sasl_mech_list: PLAIN LOGIN
sasl_auxprop_plugin: sasldb
tls_ca_file: /etc/postfix/certs/cacert.pem
tls_cert_file: /etc/postfix/certs/mail_signed_cert.pem
tls_key_file: /etc/postfix/certs/mailkey.pem

$>cat /etc/sasl2/smtpd.conf
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: plain login

$> cat /etc/cyrus.conf
recover cmd="ctl_cyrusdb -r"
idled cmd="idled"
imap cmd="imapd" listen="imap" prefork=0
imaps cmd="imapd -s" listen="imaps" prefork=0
sieve cmd="timsieved" listen="sieve" prefork=0
lmtpunix cmd="lmtpd" listen="/var/lib/imap/socket/lmtp" prefork=0
checkpoint cmd="ctl_cyrusdb -c" period=30
delprune cmd="cyr_expire -E 3" at=0400
tlsprune cmd="tls_prune" at=0400

Whenever I try to connect via thunderbird, the following messages

$> tail /var/log/messages
Apr 12 15:22:42 hostXYZ imaps[32135]: executed
Apr 12 15:22:42 hostXYZ imaps[32135]: IOERROR: opening
/var/lib/imap/user_deny.db: No such file or directory
Apr 12 15:22:42 hostXYZ imaps[32135]: accepted connection
Apr 12 15:22:42 hostXYZ imaps[32135]: DBERROR db4: Database handles
still open at environment close
Apr 12 15:22:42 hostXYZ imaps[32135]: DBERROR db4: Open database handle:
Apr 12 15:22:42 hostXYZ master[32114]: process 32135 exited, status 75
Apr 12 15:22:42 hostXYZ master[32114]: service imaps pid 32135 in BUSY
state: terminated abnormally

Hope that somebody is able to help.

Thank you in advance.

Best regards

I had this problem. Make sure you add the user cyrus to have read access
to your certificate, and maybe read access to your private key too. That
fixed it for me. I use STARTTLS on port 143.

Jim F

@Per Jessen: Thank you for your hints. I had a short look at the cyrus
documentation and wasn't able to find a debug flag.

@Jim Flanagan: Yes, it really solves this problem. I just added a

$> chmod 444 /etc/postfix/certs/mailkey.pem
$> ll /etc/postfix/certs/mailkey.pem
-r--r--r-- 1 root root 916 12. Apr 13:49 mailkey.pem

As I had a lot of trouble creating a self signed certificate, I decided
to follow a tutorial after all, which explicitly states:

These files represent your server private key and public certificate.
Because you created the private key without encrypting it, you must
protect it by using permissions that are as restrictive as possible. Use
the following commands to make sure it is owned and readable only
by the root account.

Does anyone know whether the changed user rights are a potential
security concern?

Thanks to all.


Yes, you do not want any read or write access by any user except those actually needed. Good advice in other posts.

I used to use a self signed cert, but now you can get a free cert signed by some companies. This has the advantage of your clients not having to import your cert or having to click accept each time they check their mail.

I use Look in the ssl docs, make a csr from your private key. Go the and create an account. They will give you a cert (different from your server cert) that will authenticate you to log on to their system. Then submit your csr. They will sign it. Save that signed cert to a file for your mail server (and www too if you want).

Jim F
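The permission question raised above (a `chmod 444` on the private key makes it readable by every local account, while the cyrus user only needs read access) can be checked and fixed with least privilege instead. The script below is an added example, not code from the thread or from the Cyrus project: it reads the `tls_*` paths out of an imapd.conf-style file, classifies who can read each one, flags a world-readable private key, and grants the service account access through a group (owner root, mode 0640). The group name is an assumption; on openSUSE the cyrus account is assumed to be a member of `mail`, so `harden_key /etc/postfix/certs/mailkey.pem mail` would be the typical call.

```shell
#!/bin/sh
# Added example (not from the thread): audit the TLS files Cyrus imapd reads so
# the service user can read them without the private key being world-readable.
set -u

# Print the value of one tls_* setting from an imapd.conf-style file.
# Usage: imapd_conf_path CONF KEY   (KEY is e.g. tls_key_file)
imapd_conf_path() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

# Who can read a file: "world" (other bit set), "group", or "owner" only.
# Uses the ls -l mode string (column 5 = group read, column 8 = other read).
perm_class() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ???????r??) echo world ;;
        ????r?????) echo group ;;
        *)          echo owner ;;
    esac
}

# Give the service account access via a group instead of "other":
# group GROUP (assumed to contain the cyrus user), mode 0640.
# Usage: harden_key FILE GROUP
harden_key() {
    chgrp "$2" "$1" && chmod 0640 "$1"
}

# Report each tls_* file; return 1 if the private key is readable by everyone
# or a configured file is missing (the IOERROR/exit-75 symptom above).
audit_imapd_tls() {
    rc=0
    for key in tls_ca_file tls_cert_file tls_key_file; do
        f=$(imapd_conf_path "$1" "$key")
        [ -n "$f" ] || continue
        [ -e "$f" ] || { echo "$key: $f missing"; rc=1; continue; }
        cls=$(perm_class "$f")
        echo "$key: $f ($cls-readable)"
        # the CA and server certificate are public; only the key must be hidden
        if [ "$key" = tls_key_file ] && [ "$cls" = world ]; then
            echo "  WARNING: private key readable by every local account"; rc=1
        fi
    done
    return $rc
}

# Usage: ./audit_tls.sh /etc/imapd.conf
if [ -n "${1:-}" ]; then audit_imapd_tls "$1"; fi
```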
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse+owner@xxxxxxxxxxxx
