Sendmail - IMAP-UW - Cyrus-SASL2 - SMTPAUTH problems

Ted Mittelstaedt tedm at toybox.placo.com
Fri Feb 17 04:11:44 PST 2006


Hi Greg,

  It is true there's a lot of software available, but I have found
over the years that a lot of the packages are good and will work
equally well on the back end.  Most of the older ones have matured
to the point that a rather common selection criterion is "I chose
that because that's what all my friends are running."

  You really won't know what works the best unless you try all of
the packages, and nobody has the time for that.  So what you have
to do is just pick one based on whatever sketchy research you turn
up and spend some time on it; after a few months you will know if it's
going to work for you or not.  Most times it will work OK for you,
so your choice becomes one of which is better: knowing a few packages
well, or a lot of packages not very well.

  A hobbyist/amateur is better off knowing a lot of packages not
very well, because their fun is in trying out new things and learning
how different things are done.  But a manager of a production system
is in the other boat: they need to know a few packages very, very
well.  You need to be aware of which kind of person you're taking advice
from.

  IMHO RedHat isn't much good unless you go the full meal deal
and buy a support contract from RedHat.  If you are upgrading from
old 7/9 RH and you want to keep the RH universe, and you don't
want to buy into support, then go to CentOS.

  Frankly I feel that one of the big problems with Linux right
now is they are missing the boat on SATA RAID big time, and I
mean really, really big time.  Most server-quality motherboards
these days come with RAID0/1 SATA chipsets, and disk drives are
so cheap now that even people putting together little crummy servers
are going mirrored SATA disks.  But Linux has ignored this, claiming
it's the responsibility of the manufacturers to write drivers, and
most of them haven't.  The Linux people all seem to think it's
perfectly OK to go buy an Intel motherboard with onboard ICH7R
RAID and disable that and drop $200 into a 3ware RAID card and
plug that into the motherboard if you have the nerve to run
RAID on anything other than a Real SCSI RAID array.  Fine, let
them delude themselves, it just puts Linux further and further
away from the server arena.  Most Linux distros have terrible
or nonexistent support for Promise RAID cards as well, once again,
really short-sighted.

  Anyway, getting back to your situation.  We run SSL imap and
pop3, with uw-imap.  I recommend this route since it allows
people to hit their mailbox with both pop3 and imap and not
get a lot of funny messages about popping down the placeholder
message.  uw-imap used to have a problem with really big e-mails
years ago; it would swap itself to death building the tempfiles,
but this was fixed years ago.

  We run SMTP AUTH but we don't run SSL SMTP.  Why?  Because
way too many customers out there still run elderly versions of
e-mail clients that can't handle SSL SMTP.  If I were doing up a
mailserver for a corporation I might consider SSL SMTP, but
frankly, I think the idea that someone's going to sniff your
password is highly overrated.  Most people set their e-mail
clients up to permanently save the password, so there goes your
security right out the window.  And you're foolish if you let people
use the same userID and password for the mailserver.  What I'm
doing these days is setting up the users with full-name
userIDs.  For example, userID ted.mittelstaedt, password goglafrich.
Or some such.  The e-mail addy then becomes ted.mittelstaedt at example.com.
Needless to say this userID is only present on the mailserver
and nowhere else, same with the password.  A cracker already
can get the target's full name by calling the company's directory
assistance line or off their business card, so they gain
no new information item by breaking this userID.  And these
userIDs and passwords are too long to be susceptible to a spammer's
dictionary attack.  Particularly if the employee is popping the
mail off the server, if the attacker gets the userID and password
they are generally going to only be able to get a few pieces of
mail out of the server.

  You can argue it however you want, but today with ethernet switches
being as cheap as they are, even a malevolent employee on a corporate
network is going to have a hard time sniffing passwords on a decent
net.  Anything they do to convince the switches to stop being switches
is going to bring the network to its knees and attract a lot of
attention quick.  I discount most of those scenarios as provable
in the lab, but useless in real life.

  In real life the preferred attack vector is to insert a keyboard
logger on the user's desktop, which is ridiculously easy: all you
have to do is wait for Microsoft's Patch Tuesday, reverse engineer
the patches to see what they patched, write a worm to take
advantage of that hole, and drop a keyboard logger when it infects.
That bypasses all the SSL horseshit, and if you want to get fancy
you can scan the user's system for the Outlook files and extract the
saved password from Outlook's ini files; it's not like Microsoft
encrypts it or anything.  The worm leaves a back door and you scan
the internet looking for the back doors.  You will find plenty to
keep yourself busy.  We see customers that have had this done to
them almost every day.  By contrast I've never once seen a customer
with an employee who wasn't a network administrator that knew what
a packet sniffer was and how to use it.  As far as WEP is concerned,
the trade rags constantly claim how insecure it is and how easy it is
to brute force crack and obtain keys - once again, this is laboratory
stuff, it's not visible in the real world.  In the real world there
are so many unsecured wireless networks in the average city that
a cracker that turns on a wireless promiscuous sniffer is going to
see 3-4 networks, 3/4 of which are wide open, no matter where they
go.  What incentive is there to crack?  And that's just the people
dumb enough to leave SSID broadcasting turned on.

  Anyway, one last note for you.  No matter what you use, just
about all the instructions out there tell you to create a self-signed
certificate for imap/ssl smtp/etc.  Do not do this!  The Microsoft
e-mail clients can't handle this.  What you want to do is create a
root certificate, then create certificates for all your https servers,
your secure imap and pop servers, your ssl smtp, you name it.  Sign
all of them with the root CA.  Then, insert the root CA into the
list of trusted root CAs in the Microsoft browser on the client, and
from that point on the Microsoft clients don't think you are running
self-signed certificates anymore and do not whine, bitch and complain,
and you don't have to fumble around inserting a bunch of self-signed
certificates for every little service you run into all your clients.
That is, for example, how you get Outlook to speak SSL without paying
Verisign.  A lot of people fooling with self-signed certs have discovered
to their dismay that only Outlook Express can have a self-signed
cert installed; regular Outlook from MS Office cannot.

Ted
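
The private-CA setup described in the message above, as an added example that is not from the original post: a POSIX shell script driving the openssl command line to create one private root CA, sign a certificate for each service host with it, and verify that each service certificate chains to that single root (the check a client performs once the root is in its trust list). The hostnames, subject names and output directory are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original message: one private root CA signs
# a certificate per service host (imaps, pop3s, smtps, https), so clients only
# need to trust the root once.  Requires the openssl command line tool.
set -eu

# Create a self-signed root CA key and certificate under directory $1.
make_root_ca() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/O=Example Corp/CN=Example Private Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    chmod 600 "$1/ca.key"   # the CA key is the whole trust anchor: keep it private
}

# Issue a server certificate for host $2 signed by the root CA in $1.
# Result: $1/$2.pem and $1/$2.key, ready for sendmail, uw-imap, Apache, etc.
issue_server_cert() {
    dir=$1; host=$2
    # v3 extensions: name the host in subjectAltName (modern clients match on
    # this, not on CN) and forbid the leaf from acting as a CA itself.
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
        "$host" > "$dir/$host.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 825 -in "$dir/$host.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/$host.ext" -out "$dir/$host.pem" 2>/dev/null
    chmod 600 "$dir/$host.key"
}

# Succeed only if $1/$2.pem chains to the root CA in $1 and names $2 as a SAN:
# this is what a client that trusts the root checks when it connects.
verify_with_root() {
    openssl verify -CAfile "$1/ca.pem" "$1/$2.pem" >/dev/null 2>&1 &&
    openssl x509 -in "$1/$2.pem" -noout -text 2>/dev/null | grep -q "DNS:$2"
}
```

Install `ca.pem` (never `ca.key`) in the clients' trusted root list; every service certificate issued from it is then accepted without a per-service exception.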

>-----Original Message-----
>From: Greg Groth [mailto:ggroth99 at hotmail.com]
>Sent: Tuesday, February 14, 2006 8:14 AM
>To: tedm at toybox.placo.com; joe at netmusician.org
>Cc: freebsd-questions at freebsd.org
>Subject: RE: Sendmail - IMAP-UW - Cyrus-SASL2 - SMTPAUTH problems
>
>I appreciate both of your comments, as I have stated I am new to BSD.
>Part of my problem is the huge amount of software available, and no
>good way to determine what will work better for my situation.  Perhaps
>if I explain my situation, it would help some.  We've been running
>Sendmail and a POP-Before-SMTP script for the last 6 years on a Redhat
>box.  I think it started out on 5.2, and was up to 7.3 when it crashed
>3 weeks ago.  I had been planning to upgrade the server, and had a new
>box ready to go, but I had stalled on the OS.  I didn't want to go down
>the Redhat route because of strictly personal issues that are more
>opinions than fact, and a friend suggested FreeBSD.
>
>The server crash pretty much forced my hand, and my goal was to
>replicate what we had in place ASAP.  Because of my (limited) knowledge
>of Sendmail, I went that route as I know nothing of the alternatives.
>I went with IMAP-UW not because of anything I had read, but because I
>was attempting to get the POP-Before-SMTP port to work (which it didn't
>- long story), and IMAP-UW seemed a good alternative as it is a POP and
>IMAP server and was easily configured in POP-Before-SMTP.
>
>Since I could not find a POP-Before-SMTP solution that I could get to
>operate (I had problems with POP-Before-SMTP, and DRAC before throwing
>in the towel), I decided to switch to SMTP-AUTH.  So here's my
>situation: we have about 25 users on the server.  I need POP and IMAP
>that will operate with and without SSL, and SMTP that can handle
>SMTP-AUTH with and without SSL.  Out of the 25 users, I have 3 that are
>email packrats, and have between 2-4 gigs of email apiece.  They are
>currently using POP on Outlook Express, but will be switching over to
>IMAP on Thunderbird in the near future (I also have 5 users that I'm
>not sure what client they are using, we're hosting their domain - long
>story).  Our office personnel will be migrating to IMAP, using SSL when
>out of the office, and plain text when in.  The five users whose email
>we are hosting will remain on POP, and although SSL would be nice, I
>want the ability to offer plain text in case I run into client issues.
>Similar circumstances for SMTP: I can relay by domain for users on our
>network, and would like to use SMTP-AUTH for off-site users.  SSL
>preferred, but offer plain text in case of client issues.  Last issue
>would be something that will play nice with SquirrelMail.
>
>Although I'm very familiar with administering Sendmail (starting,
>stopping, backing up, running makemaps), configuring is another story.
>While SMTP is pretty much running as stable as it ever has, I still
>have issues from time to time.  For instance I am sending this from
>Hotmail as this list is currently bouncing email from my server because
>of some error I have not investigated yet.  At this moment I am pretty
>much open to anything, but I don't have a good way of evaluating
>different options other than trial and error (and I'm kind of short on
>time).  I know that a lot of times it comes down to personal taste (my
>reason for dumping Redhat), but sometimes there are specific issues
>that will make a certain solution better than others.  Based off of my
>stated needs and my current issues (Sendmail configuration), is there a
>better solution, or is what I have now pretty much the same as other
>alternatives for my specific needs?
>
>Thank you both for your attention to this matter.
>
>Greg Groth
>
>
>>From: "Ted Mittelstaedt" <tedm at toybox.placo.com>
>>To: "Joe Auty" <joe at netmusician.org>, "Kirk Davis" <Kirk.Davis at epsb.ca>
>>CC: "Greg Groth" <ggroth99 at hotmail.com>, <freebsd-questions at freebsd.org>
>>Subject: RE: Sendmail - IMAP-UW - Cyrus-SASL2 - SMTPAUTH problems
>>Date: Tue, 14 Feb 2006 00:34:28 -0800
>>
>>
>>I'm sure glad that this message didn't pass through my work mailserver
>>so that it didn't see it, since my work e-mail inbox has 16383 messages
>>in it (the limit that Outlook can display in IMAP mode) and is 412
>>megabytes in size, and performance is perfectly fine both with Outlook
>>and Horde/IMP.
>>
>>I wouldn't want my mailserver reading it and thinking that it's OK to
>>slack off.
>>
>>And yes, I know I need to delete some messages; speak to the hand if
>>you're going to make that crack.
>>
>>This is imap-uw/sendmail.
>>
>>Perhaps you might consider that since you haven't run imap-uw in
>>a while that you're no longer qualified to make claims about it?  Or
>>perhaps you never had it set up properly?  Or perhaps your hardware
>>was slow?
>>
>>Nothing is wrong with Postfix / Courier-IMAP but nothing is wrong
>>either with sendmail / uw-imap.
>>
>>Ted
>>
>> >-----Original Message-----
>> >From: owner-freebsd-questions at freebsd.org
>> >[mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Joe Auty
>> >Sent: Monday, February 13, 2006 1:53 PM
>> >To: Kirk Davis
>> >Cc: Greg Groth; freebsd-questions at freebsd.org
>> >Subject: Re: Sendmail - IMAP-UW - Cyrus-SASL2 - SMTPAUTH problems
>> >
>> >
>> >Hey Greg,
>> >
>> >Sorry if this completely throws a monkey wrench into your plans, but
>> >I feel inspired to interject since I once had a nearly identical
>> >setup as you...
>> >
>> >I switched to Postfix and Courier-IMAP since I found that performance
>> >of large mailboxes in IMAP-UW was pretty poor, especially over
>> >web-based email where messages are not cached. I switched to Postfix
>> >because it is so much more simple and straightforward than Sendmail.
>> >You should have no problems switching to Postfix, since it is
>> >basically Sendmail with a nicer wrapper/configuration.
>> >
>> >Just food for thought.
>> >
>> >
>> >On Feb 13, 2006, at 4:25 PM, Kirk Davis wrote:
>> >
>> >> Hi Greg,
>> >>
>> >>> I'm trying to set up a FreeBSD 6.0 box as a mail server, and while
>> >>> everything seems to be working OK for the most part, I have run into
>> >>> two issues that I cannot resolve (I'm new to BSD, please bear with
>> >>> me).  Install went as follows: Installed via FTP last night along
>> >>> with "src - Sources for everything",
>> >>>
>> >>> IMAP-UW was compiled via ports with WITH_SSL_AND_PLAINTEXT enabled
>> >>> (same for cclient), OpenSSL, Cyrus-SASL2 & Cyrus-SASL2-saslauthd
>> >>> were compiled via ports with no flags.
>> >>>
>> >>> Sendmail was installed with the base install and recompiled (after
>> >>> SASL2 was up and running) with the following options added to
>> >>> make.conf:
>> >>>
>> >>> # SASL (cyrus-sasl v2) sendmail build flags...
>> >>> SENDMAIL_CFLAGS=-I/usr/local/include -DSASL=2
>> >>> SENDMAIL_LDFLAGS=-L/usr/local/lib
>> >>> SENDMAIL_LDADD=-lsasl2
>> >>> # Adding to enable alternate port (smtps) for sendmail...
>> >>> SENDMAIL_CFLAGS+= -D_FFR_SMTP_SSL
>> >>>
>> >>> I followed the instructions I found at
>> >>> http://www.bsdconspiracy.net/howto/sendmail.html, and had no problems
>> >>> with the install except for Sendmail.  After recompiling sendmail, I
>> >>> added the following lines to the mail.server.mc file:
>> >>>
>> >>> define(`confAUTH_MECHANISMS',`PLAIN LOGIN')dnl
>> >>> TRUST_AUTH_MECH(`PLAIN LOGIN')dnl
>> >>> define(`CERT_DIR', `/etc/mail/certs')dnl
>> >>> define(`confCACERT_PATH', `CERT_DIR')dnl
>> >>> define(`confCACERT', `CERT_DIR/mycert.pem')dnl
>> >>> define(`confSERVER_CERT', `CERT_DIR/mycert.pem')dnl
>> >>> define(`confSERVER_KEY', `CERT_DIR/mykey.pem')dnl
>> >>> define(`confCLIENT_CERT', `CERT_DIR/mycert.pem')dnl
>> >>> define(`confCLIENT_KEY', `CERT_DIR/mykey.pem')dnl
>> >>> DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
>> >>
>> >> This is your problem.  The above line sets up the Sendmail daemon to
>> >> listen on port 25 but the standard mc file distributed with FreeBSD
>> >> also sets up a DAEMON port (it's at the end of the MC file).
>> >>
>> >> Here is what my DAEMON_OPTIONS lines look like.  These should be the
>> >> only DAEMON_OPTIONS lines in the mc file.
>> >> dnl Enable for both IPv4 and IPv6 (optional)
>> >> DAEMON_OPTIONS(`Name=IPv4, Family=inet')
>> >> DAEMON_OPTIONS(`Name=IPv6, Family=inet6, Modifiers=O')
>> >> DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
>> >>
>> >>
>> >>> DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
>> >>>
>> >>> After running (in /etc/mail) "make clean", "make cf", "make install",
>> >>> "make restart", SMTP no longer works, and I find the following in
>> >>> maillog and messages:
>> >>>
>> >>> Feb 12 20:25:55 mail sm-mta[1213]: daemon IPv4: problem creating SMTP socket
>> >>> Feb 12 20:26:00 mail sm-mta[1213]: NOQUEUE: SYSERR(root): opendaemonsocket: daemon IPv4: cannot bind: Address already in use
>> >>>
>> >>> When I try and stop sendmail, I get a message that the pid for
>> >>> Sendmail cannot be found.  I end up killing the missing Sendmail
>> >>> daemon using KSysGuard.
>> >>>
>> >>> If I remove this line - "DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl" -
>> >>> from the mail.server.mc file, make cf, make install, make restart,
>> >>> sendmail starts normally.  When trying to access from another
>> >>> machine on my network, I can only connect on port 25 without a secure
>> >>> connection (I'm using Thunderbird for this), although SMTP-AUTH is
>> >>> working correctly.
>> >>
>> >> Have you tried to set up your mail client to connect to port 465?
>> >> This is the smtps (SMTP SSL) port.
>> >>
>> >>
>> >>> Any ideas on what I might need to do to get SSL / SMTP-AUTH working
>> >>> on SMTP?  I took a look at the instructions in the handbook, but they
>> >>> were written for SASL1.  Running netstat shows smtps listening on
>> >>> 465, but when I try to telnet to that port, the server drops the
>> >>> connection.
>> >>
>> >> Hmm... It should connect but you will not see anything since it is
>> >> expecting an SSL connection.
>> >>
>> >>> My second problem is rather simple: after I create an IMAP folder, I
>> >>> am unable to delete it using a remote client.  Thunderbird responds
>> >>> with "The mail server responded: RENAME failed: Can't create mailbox
>> >>> node /home/User/Trash/: File exists."  Nothing shows up in any of the
>> >>> server logs though.
>> >>
>> >> I have not seen this problem although I have it set up for an office
>> >> of Outlook users.  I would check the permissions on the folders in
>> >> the user home directory.  This is where the IMAP user folders are by
>> >> default.  I usually set up the clients to use the base imap of Mail
>> >> and then create a Mail directory in the user home directory.  That
>> >> way the mail folders don't get messed up with the user stuff.
>> >>
>> >>>
>> >>> Hopefully this is the right list for these questions, if not, could
>> >>> someone please direct me to the correct one?  Any advice anyone can
>> >>> give me on either of these problems would be greatly appreciated.
>> >>>
>> >>
>> >> ---- Kirk
>> >> Kirk Davis
>> >> Senior Network Analyst, ITS
>> >> Edmonton Public Schools
>> >> 1-780-429-8308
>> >> _______________________________________________
>> >> freebsd-questions at freebsd.org mailing list
>> >> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> >> To unsubscribe, send any mail to "freebsd-questions-
>> >> unsubscribe at freebsd.org"
>> >
>>
>
>
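
The bind failure diagnosed in the quoted thread (a hand-added `DAEMON_OPTIONS(`Port=smtp, Name=MTA')` alongside the stock FreeBSD IPv4 listener, both claiming port 25) can be caught before `make cf`. This added example, not from the thread or from sendmail itself, is a POSIX shell/awk check that reads a sendmail .mc file, applies sendmail's defaults when Port or Family is omitted (smtp and inet), and reports any family:port that would be bound twice. The .mc excerpt it writes is constructed to reproduce the thread's configuration.

```shell
#!/bin/sh
# Added example, not from the thread: flag DAEMON_OPTIONS lines in a sendmail
# .mc file that bind the same family:port twice, the cause of
# "opendaemonsocket: daemon IPv4: cannot bind: Address already in use".
set -eu

# Write a constructed .mc excerpt to $1: the hand-added Port=smtp line from
# the quoted message plus the stock listeners at the bottom of the file.
write_sample_mc() {
    cat > "$1" <<'EOF'
define(`confAUTH_MECHANISMS',`PLAIN LOGIN')dnl
TRUST_AUTH_MECH(`PLAIN LOGIN')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=E')dnl  (constructed: commented out, ignored)
DAEMON_OPTIONS(`Name=IPv4, Family=inet')
DAEMON_OPTIONS(`Name=IPv6, Family=inet6, Modifiers=O')
EOF
}

# Print one line per duplicated listener in .mc file $1.  Exit 1 if any is
# found, 0 if every active DAEMON_OPTIONS line binds a distinct family:port.
check_daemon_options() {
    # keep only active (not dnl-commented) DAEMON_OPTIONS lines and reduce
    # each to the option list between the m4 backtick and closing quote
    sed -n 's/^[[:space:]]*DAEMON_OPTIONS(`\([^'"'"']*\).*/\1/p' "$1" |
    awk -F' *, *' '
        {
            port = "smtp"; fam = "inet"      # sendmail defaults when omitted
            for (i = 1; i <= NF; i++) {
                n = index($i, "=")
                k = substr($i, 1, 1); v = substr($i, n + 1)
                # sendmail keys on the first letter: P=Port, F=Family, N=Name, M=Modifiers
                if (k == "P") port = v
                else if (k == "F") fam = v
            }
            key = fam ":" port
            if (key in seen) {
                printf "duplicate %s listener: %s (already bound by: %s)\n", key, $0, seen[key]
                dups++
            } else {
                seen[key] = $0
            }
        }
        END { exit (dups > 0) }'
}
```

On the sample file the check reports `inet:smtp` bound by both `Port=smtp, Name=MTA` and `Name=IPv4, Family=inet`; removing the hand-added line, as Kirk advises, makes it pass.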


