Re: Anyone Watching Activity from this network? Attempting Dovecot Buffer Overflows?

2023-11-16 Thread Brendan Kearney
On 11/16/23 10:56 AM, Paul Kudla wrote:

 Ok a few things about IP blocks

 If they are portable they can move from country to country ??

 without any real notice.

 the ip that triggered all this says it is allocated from NL
 (Netherlands) but physically exists in Hawaii ?

 No list will ever be 100% accurate

 I did find this link that displays by country but then you have to
 click the country understanding that some sub nets are split out by
 class "A" / "B" & "C"

 A whole class "A" for example can be split into many subclasses thus
 point difference ranges to different countries.

 https://www.nirsoft.net/countryip/

 maybe write a python program to grab and make a table of ip addresses
 ?

 it has a link to download a csv so some kind of loop stripping out the
 country links would probably be ok and then download the csv file and
 create a full csv file.

 then use that for your firewall keeping in mind it needs to be
 updated regularly.

 I did look around as ARIN is responsible for all of this but
 could not find a list there either.

 https://www.arin.net/reference/

 ARIN is mainly responsible for allocating blocks but not really
 responsible for where they might get used.

 same with other whois databases around the globe.

 also note IPV6 is also out there now and adds a whole new layer to
 all of this.

 Have A Happy Thursday !!!

 Thanks - Paul Kudla (Manager SCOM.CA Internet Services Inc.)


 Scom.ca Internet Services <http://www.scom.ca>
 004-1009 Byron Street South
 Whitby, Ontario - Canada
 L1N 4S3

 Toronto 416.642.7266
 Main 1.866.411.7266
 Fax 1.888.892.7266
     Email p...@scom.ca

 On 11/16/2023 9:31 AM, Brendan Kearney wrote:
  On 11/16/23 9:05 AM, Nick Lockheart wrote:
   Are there publicly available lists of IP ranges
   by region?

   There's no reason for any IP outside of North
   America to be contacting Postfix
   on Submission (587) or IMAP, since these are
   employee only services.

   If not for mobile phones, we could really close
   it off.


   On Thu, 2023-11-16 at 08:27 -0500, Paul Kudla
   wrote:

     Good day to all .

     Just adding to the conversation with how I
   had to deal with this
     years ago.

     Basically hacks to any server are an issue
   today but it is cat &
     mouse
     trying to track all of this.

     That being said using the reported ip
   address below, I patched
     postfix
     to log the ip address in one syslog pass
   (to id the sasl user account
     +
     ip etc)

     Along with the above dovecot logging is
   verbose (dovecot already does

     all access in one line - ie ip address,
   username (email address) etc)

     combining the two I run my own ip address
   firewall tracking system
     based
     on the syslogging in real time.

     For Example :

     __

     # ipinfo 104.156.155.21

     IP Status for   :
   104.156.155.21

     IP Status : IPv4
     NS Lookup (Forward) :
   104.156.155.21
     NS Lookup (Reverse) : None

     IP Blacklisted Status   : Found
   104.156.155. for
     104.156.155.21
     [D] {Asterisk}
     Last Program    : sshd

     Ip Location Info for    :
   104.156.155.21

     No Ip Information Found

     (ie ip location lookup failed / does not
   exist for this ip ?)

     __

     basically the ip address block was found in
   my firewall so something,

     someone etc has tried to hack one of my
   servers

     in the case of scom.ca i run an asterisk
   server and since the
     asterisk
     is noted someone tried hacking that one as
   well.

     Basically i run a database that tracks and
  

Re: Anyone Watching Activity from this network? Attempting Dovecot Buffer Overflows?

2023-11-16 Thread Brendan Kearney

On 11/16/23 9:05 AM, Nick Lockheart wrote:

Are there publicly available lists of IP ranges by region?

There's no reason for any IP outside of North America to be contacting Postfix
on Submission (587) or IMAP, since these are employee only services.

If not for mobile phones, we could really close it off.


On Thu, 2023-11-16 at 08:27 -0500, Paul Kudla wrote:

  Good day to all .

  Just adding to the conversation with how I had to deal with this
  years ago.

  Basically hacks to any server are an issue today but it is cat &
  mouse
  trying to track all of this.

  That being said using the reported ip address below, I patched
  postfix
  to log the ip address in one syslog pass (to id the sasl user account
  +
  ip etc)

  Along with the above dovecot logging is verbose (dovecot already does

  all access in one line - ie ip address, username (email address) etc)

  combining the two I run my own ip address firewall tracking system
  based
  on the syslogging in real time.

  For Example :

  __

  # ipinfo 104.156.155.21

  IP Status for   : 104.156.155.21

  IP Status : IPv4
  NS Lookup (Forward) : 104.156.155.21
  NS Lookup (Reverse) : None

  IP Blacklisted Status   : Found 104.156.155. for
  104.156.155.21
  [D] {Asterisk}
  Last Program    : sshd

  Ip Location Info for    : 104.156.155.21

  No Ip Information Found

  (ie ip location lookup failed / does not exist for this ip ?)

  __

  basically the ip address block was found in my firewall so something,

  someone etc has tried to hack one of my servers

  in the case of scom.ca i run an asterisk server and since the
  asterisk
  is noted someone tried hacking that one as well.

  Basically i run a database that tracks and updates all firewall in
  real
  time.

  Running FreeBSD I use PF and asterisk is linux based so i use the
  iptables and update every 10 minutes.

  Only time now a days I get involved if a customer calls and complains

  they are not getting emails etc ...

  That happens a few times a year.

  Again just an FYI

  This reply was more to indicate all email servers (and anything
  attached
  to the internet) really need to run some sort of automated ip
  firewall
  when username password hacks occur, no reverse ip address etc etc etc


  Food for thought.


  Have A Happy Thursday !!!

  Thanks - Paul Kudla (Manager SCOM.CA Internet Services Inc.)


  Scom.ca Internet Services 
  004-1009 Byron Street South
  Whitby, Ontario - Canada
  L1N 4S3

  Toronto 416.642.7266
  Main 1.866.411.7266
  Fax 1.888.892.7266
  Email p...@scom.ca

  On 11/15/2023 5:53 PM, Simon B wrote:


   On Wed, 15 Nov 2023, 23:25 Michael Peddemors,
wrote:
     There is a network claiming to be a security company,
   however the
     activity appears to be a little more malicious, and
   appears to be
     attempting buffer overflows against POP-SSL
   services.. (and other
     attacks).

     https://www.abuseipdb.com/check/104.156.155.21

     Just thought it would be worth mentioning, you might
   want to keep an
     eye
     out for traffic from this company...

     Might want to make up your own mind, or maybe someone
   has more
     information, but enough of a red flag, that thought
   it warranted
     posting
     on the list.

     Not sure yet if it is Dovecot, or the SSL libraries
   they are
     attempting
     to break, but using a variety of SSL/TLS methods and
   connections...

   They are not interested in dovecot per se.  They scan for
   TLS vulnerabilities,
   mostly.

     Anyone with more information?

     NetRange:       104.156.155.0 - 104.156.155.255
     CIDR:           104.156.155.0/24
     NetName:        ACDRESEARCH
     NetHandle:      NET-104-156-155-0-1
     Parent:         NET104 (NET-104-0-0-0-0)
     NetType:        Direct Allocation
     OriginAS:
     Organization:   Academy of Internet Research Limited
   Liability
     Company
     (AIRLL)
     RegDate:        2022-01-07
     Updated:        2022-01-07
     Ref:            https://rdap.arin.net/registry/ip/
   
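Paul's approach of feeding Dovecot's one-line login records and Postfix SASL failures into an automated firewall, as an added example that is not his ipinfo tooling. The log lines are constructed in the style of Dovecot's imap/pop3-login messages and Postfix's smtpd SASL warnings; the thresholds and the pf table name are assumptions. TLS handshake disconnects are counted separately because Michael's report concerned a scanner probing POP-SSL with assorted TLS methods, which shows up as handshake failures rather than password guesses.

```python
"""Aggregate Dovecot / Postfix authentication failures per client IP.

Added example for the dovecot list thread, not Paul's tracking system.
Sample lines are constructed; thresholds and table name are assumptions.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Nov 16 08:21:03 mx dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.25, TLS, session=<aa>
Nov 16 08:21:09 mx dovecot: imap-login: Disconnected: Too many invalid commands (auth failed, 3 attempts in 12 secs): user=<bob>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.25, TLS, session=<ab>
Nov 16 08:22:40 mx dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=198.51.100.9, lip=192.0.2.25, TLS handshaking: SSL_accept() failed: error:0A000126:SSL routines::unexpected eof while reading
Nov 16 08:22:41 mx dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=198.51.100.9, lip=192.0.2.25, TLS handshaking: SSL_accept() failed: error:0A000102:SSL routines::unsupported protocol
Nov 16 08:23:02 mx postfix/submission/smtpd[4711]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 16 08:25:10 mx dovecot: imap-login: Login: user=<carol>, method=PLAIN, rip=192.0.2.50, lip=192.0.2.25, mpid=5150, TLS, session=<ac>
"""

# Dovecot login process: failed or aborted sessions carry the reason in
# parentheses and the remote IP as rip=...; successful "Login:" lines do not match.
DOVECOT_RE = re.compile(
    r"dovecot: (?P<svc>imap|pop3)-login: "
    r"(?:Aborted login|Disconnected)[^(]*\((?P<reason>[^)]*)\): "
    r"user=<(?P<user>[^>]*)>, .*?rip=(?P<rip>[0-9A-Fa-f.:]+)(?P<rest>.*)$"
)
# Postfix smtpd: SASL failures name the client as hostname[ip].
POSTFIX_RE = re.compile(
    r"postfix/\S+: warning: \S+\[(?P<rip>[0-9A-Fa-f.:]+)\]: "
    r"SASL \S+ authentication failed"
)
ATTEMPTS_RE = re.compile(r"auth failed, (\d+) attempts")


def summarize(lines):
    """Per remote IP: failed password attempts, TLS handshake failures, usernames tried."""
    stats = defaultdict(lambda: {"auth_failed": 0, "tls_failed": 0, "users": set()})
    for line in lines:
        m = DOVECOT_RE.search(line)
        if m:
            entry = stats[m.group("rip")]
            attempts = ATTEMPTS_RE.search(m.group("reason"))
            if attempts:
                entry["auth_failed"] += int(attempts.group(1))
                if m.group("user"):
                    entry["users"].add(m.group("user"))
            if "TLS handshaking:" in m.group("rest"):
                entry["tls_failed"] += 1
            continue
        m = POSTFIX_RE.search(line)
        if m:
            stats[m.group("rip")]["auth_failed"] += 1
    return stats


def block_candidates(stats, auth_threshold=3, tls_threshold=2):
    """IPs over either threshold, with the reason that tripped them."""
    out = []
    for rip in sorted(stats):
        s = stats[rip]
        if s["auth_failed"] >= auth_threshold:
            out.append((rip, f"{s['auth_failed']} failed logins, {len(s['users'])} distinct users"))
        elif s["tls_failed"] >= tls_threshold:
            out.append((rip, f"{s['tls_failed']} TLS handshake failures"))
    return out


def pfctl_commands(candidates, table="bruteforce"):
    """Commands that add each candidate to a pf table (table name assumed)."""
    return [f"pfctl -t {table} -T add {rip}" for rip, _ in candidates]


if __name__ == "__main__":
    found = block_candidates(summarize(SAMPLE_LOG.splitlines()))
    for rip, why in found:
        print(f"{rip}: {why}")
    print("\n".join(pfctl_commands(found)))
```

Run from cron over the last syslog interval, this is the "update every 10 minutes" loop Paul describes; on the Linux hosts the same candidate list would go into an ipset instead of a pf table.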

Re: Redundant Database, Pgsql ?

2023-02-23 Thread Brendan Kearney
i didn't pick up on the fact that this was auth stuff, and not indexes 
(indices?) or other data.  LDAP is a hierarchical database, where the 
relationship between data is forced into a superior/subordinate 
structure.  if you ask enough people, they will say that LDAP is not an 
authentication platform, but a database.  i tend to agree, and have put 
Kerberos and LDAP together as my AuthN/Z suite.  Kerberos is truly an 
AuthN protocol, and when i can point something at it i do.  i store my 
Kerberos data in LDAP, and run n-way multi-primary replication. MIT 
Kerberos does not have an event based replication means, only 
time/schedule based.  LDAP has an event based replication mechanism, so 
when data changes all the nodes in the cluster get an immediate 
replicated update.  OpenLDAP can also proxy AuthN events to Kerberos 
with a few specific configurations set, and the password field being set 
to a specific string, {SASL}user@domain. this way something that talks 
LDAP, can point to LDAP for AuthN, and be proxied back to Kerberos.  to 
me, this maintains the ever important "single source of the truth" for 
credentials.


I run LDAP behind a HAProxy VIP too, for load balancing purposes and 
transparent failover, so apps see less impact when failures occur.  load 
balancing allows me to scale out (handle more requests in a given unit 
of time), and be fault tolerant.  take a box out of the mix for updates, 
reboots, maintenance, whatever and not interrupt processing.  i load 
balance nearly every stateful protocol, whenever possible.  i anycast 
most stateless protocols, too, as a means of load sharing.  by having 
more than one instance available to do the same work, you greatly reduce 
the "hair on fire" calls in the middle of the night, or at least shorten 
the Mean Time to Recovery.


On 2/23/23 12:55 AM, Nikolai Lusan wrote:

On Wed, 2023-02-22 at 11:08 +, Marc wrote:
> I don't even get what the advantages are of doing this with sql. If you
> use local replicated ldap and use local credential caching then your
> master ldap can go down without issues, even the local caching handle
> some local slapd issues.

Going to have to +1 this. LDAP also does multi-master replication, which
can make failover easier via DNS (like with a round robin for
ldap.mydomain), or multiple LDAP dictionaries for dovecot. The [big]
problem with OSS Postgres is that it only does master/slave replication,
with no plans to add multi-master replication to the code base (there is
Percona and 2ndQuadrant, but for small outfits, and individual there is
a price barrier there). Personally I love PGSQL as a DB, but for SSO I
use LDAP - because that's what it's designed for (i.e. read more than
written).


> I guess the local caching is also faster. Afaik were databases not
> designed for this purpose and a better fit is ldap.

This is totally true. RDBMS were not designed with this kind of use in
mind, LDAP was - it is, after all, a directory service. So unless your
auth stuff is part of some larger DB "thing" the directory type
solutions are not suitable for (how many table joins, or other extensive
SQL actions are taking place on that DB) then LDAP is the better way to
go, and extending LDAP with custom schemas is simple - just grab an IANA
number for you, or your organisation, so that you don't trample on any
other schema out there. I have a custom schema that I use for
postfix/dovecot - it's simple, quick, and efficient without the DB
overhead ... and I get the multi-master replication in OpenLDAP.





Re: Redundant Database, Pgsql ?

2023-02-22 Thread Brendan Kearney

think about this, you have connect= host=host1 host=host2 ...

when host1 fails, you must kick that host while it is down, each and 
every single time you want a new connection to the database. there is no 
record saying that box is down, no logic in the app saying i've already 
tried that box, so avoid it for "some period of time".  you have to 
attempt a connection to it, since it is listed first in your connection 
parameters.  you have to get an error back or wait for a timeout period 
to occur, and then move onto the next box.


have you ever faced a DNS resolution issue, where DNS was not working 
and everything slowed to a crawl because of it?  similar kind of delays 
in processing here.  you have to have an error or timeout occur before 
you move onto the next configured box.  when you are dealing with high 
volume production environments, this is not a scaled solution.


with load balancing, you have an active connection from your app to the 
database VIP.  then there is a secondary connection from the load 
balancer to the database host in the pool.  when that connection dies 
and goes away, the app retries the connection to VIP and is 
automatically assigned to a different, alive and available host in the 
pool.  no waiting for an error or timeout to occur, and then trying the 
next host in the config.


when you put the infrastructure together properly, no human intervention 
is required to mark a box down and not send traffic to it.  as i said:


it requires a bit of supporting infrastructure to get it all working, 
but you wind up with a highly-available, fault tolerant PostgreSQL 
footprint with automatic failover.


by having the load balancer keep track of which hosts are alive and 
available, you dont have any guess work as to which host to connect to.  
the app just has to retry the connection.  once a host is marked down by 
the load balancer, no traffic will be sent to it until it passes a 
health check. the health checking with PostgreSQL is the ETCd and 
Patroni pieces.  those two processes are critical in the chain.  with 
the health of the boxes and processes handled, knowing which PG host is 
the active R/W one is simple.  when failure occurs, there is an election 
process to promote one of the standby hosts to the active R/W node, and 
that is reported up to the load balancer through the Patroni -> ETCd 
chain.  all new connections wind up going to the newly elected active 
R/W node in the pool.


On 2/22/23 5:29 AM, David White wrote:

If I understand open source Postgres correctly, though, this setup basically 
requires that the application be read-only, or at least be intelligent enough 
not to attempt to write to a host if it has failed over to it, right? Don't you 
have to have human intervention to actually fail the master / primary over for 
write purposes?


--- Original Message ---
On Tuesday, February 21st, 2023 at 10:28 PM, Marcus Jodorf  
wrote:



On 2/21/23 18:04, Lars Schotte wrote:


Yes, that looks nice, I am going to try that too.

Because every other option is based on some other software,
like relayd or nginx, it is all possible, but adds complexity.

The best would be to have it inside connection string.

/etc/dovecot/dovecot-sql.conf.ext:

...
connect= host=host1 host=host2 dbname= user= password=

I'm using that since pretty much 2006 - if I'm not mistaken - on my
little servers. Simply works.

If one server is not reachable you just get an error log entry in
mail.err that connect failed to the database that is down.
But that is all - dovecot keeps working as normal.

BTW: Same with postfix. Simply list an additional fallback and it just
works.

Best,

Marcus

Re: Redundant Database, Pgsql ?

2023-02-21 Thread Brendan Kearney
let me preface all of this by saying i don't have PostgreSQL running in 
any fashion, but have come across footprints that are standing in a 
Production environment.


are you running a single primary R/W node, with multiple secondary R/O 
nodes?  from what i have seen/heard, PG does not really have a well 
documented and currently supported n-way multi-primary R/W load balancing 
mechanism.  that said, some effort did exist but may no longer be supported.


i have seen a HA footprint of PG setup with HAProxy, PostgreSQL, ETCd 
and Patroni.  HAProxy handles the Virtual IP (VIP) and can be setup as 
HA with VRRP running between the HAProxy nodes.  ETCd is setup with 3 
nodes, all monitoring the "active" status of the PostgreSQL nodes via 
Patroni.  Patroni runs on each PG node, watching the status of the PG 
instances for failures.  PG runs with one node in the "active" state, 
and replicates to the secondary nodes running in the "standby" state.


when the primary node encounters an issue, Patroni identifies that the 
node is no longer able to process, and ETCd records the updated status.  
HAProxy polls ETCd and is notified of the event, and marks the 
previously "active" member as down or in standby state.  by election 
process, the standby nodes promote a node to the active state, and the 
Patroni -> ETCd -> HAProxy chain picks up the new active node.


it requires a bit of supporting infrastructure to get it all working, 
but you wind up with a highly-available, fault tolerant PostgreSQL 
footprint with automatic failover.  the caveat is that you only have a 
single R/W instance at any one point.  this could be a performance 
bottleneck in high volume environments.


some links that may shed light on what and how:

https://wiki.postgresql.org/wiki/Replication,_Clustering,_and_Connection_Pooling
https://patroni.readthedocs.io/en/latest/
https://www.percona.com/blog/postgresql-ha-with-patroni-your-turn-to-test-failure-scenarios/
https://arctype.com/blog/postgres-patroni/

i do have an n-way multi-primary MariaDB footprint running with HAProxy, 
MariaDB and Galera running.  Each MariaDB instance is R/W and can take a 
write event, and then replicate the event to the other cluster members.  
the VIP on HAProxy for port 3306 has all three cluster members load 
balanced using least connections.  on the same VIP, but using a 
different port (3316, 3326, 3336) i have a backend for each of the 
individual cluster members, so i can isolate and troubleshoot each node 
separately.


in the PostgreSQL footprints i have come across, a similar setup using 
other ports has been used for access to the R/O nodes in the cluster.  
this can allow for queries, instead of writes, and reporting functionality.


best of luck,

brendan kearney

On 2/21/23 4:02 AM, Paul Kudla (SCOM.CA Internet Services Inc.) wrote:


yes that seems to be the approach

i setup a dns entry and pointed to 3 servers

it does work round robin (ie from main, secondary etc) but that is ok

at least it is working when i take the main server offline for 
maintenance !

Happy Tuesday !!!
Thanks - paul

Paul Kudla


Scom.ca Internet Services <http://www.scom.ca>
004-1009 Byron Street South
Whitby, Ontario - Canada
L1N 4S3

Toronto 416.642.7266
Main 1.866.411.7266
Fax 1.888.892.7266
Email p...@scom.ca

On 2023-02-19 12:56 p.m., Benny Pedersen wrote:


Paul Kudla skrev den 2023-02-19 16:01:

May I please get some guidance on what to add to talk to another
postgresql server (i have 6 replicated servers so would probably want
a couple worst case issue)


change host=localhost to host=some-other-hostname-with-multiple-ips :)

then dovecot with timeout and test next server ip

there might be more to it, but i think this is how to do it

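The two failover strategies Brendan contrasts in this thread (a client walking a fixed host list and paying a timeout on the dead host for every new connection, versus a load balancer that stops routing to a host once health checks fail), as an added example that is not code from the thread, HAProxy or Patroni. The fall/rise state machine follows the convention HAProxy uses for health checks; the timeouts, host names and cluster state are constructed, so the totals illustrate the shape of the argument, not real latencies.

```python
"""Model the two failover strategies argued in the dovecot list thread.

Added example, not from the thread or from HAProxy/Patroni. Constants and
cluster state are constructed assumptions.
"""
from dataclasses import dataclass, field

CONNECT_TIMEOUT = 5.0   # seconds a client waits on a dead host (assumed)
CONNECT_OK = 0.01       # seconds a successful connect takes (assumed)


def sequential_connect(hosts, alive):
    """Strategy (a): try hosts in config order; return (host, seconds spent).

    Nothing remembers that a host was dead, so the timeout is paid again
    on every new connection for as long as the dead host is listed first.
    """
    spent = 0.0
    for h in hosts:
        if alive[h]:
            return h, spent + CONNECT_OK
        spent += CONNECT_TIMEOUT
    raise ConnectionError("no host reachable")


@dataclass
class HealthChecker:
    """Per-backend fall/rise state as a load balancer keeps it.

    A backend is marked DOWN after `fall` consecutive failed probes and
    UP again only after `rise` consecutive good ones, so a single flapping
    probe does not move traffic.
    """
    fall: int = 3
    rise: int = 2
    up: dict = field(default_factory=dict)       # host -> bool
    streak: dict = field(default_factory=dict)   # host -> probes disagreeing with state

    def add(self, host):
        self.up[host] = True
        self.streak[host] = 0

    def check(self, host, healthy):
        """Feed one probe result and return the backend's resulting state."""
        if healthy == self.up[host]:
            self.streak[host] = 0
            return self.up[host]
        self.streak[host] += 1
        limit = self.fall if self.up[host] else self.rise
        if self.streak[host] >= limit:
            self.up[host] = healthy
            self.streak[host] = 0
        return self.up[host]

    def eligible(self):
        return [h for h, ok in self.up.items() if ok]


def balanced_connect(checker):
    """Strategy (b): the VIP hands out only UP backends; no timeout is paid."""
    pool = checker.eligible()
    if not pool:
        raise ConnectionError("no backend UP")
    return pool[0], CONNECT_OK   # a real balancer would also spread load here


def total_cost(n_connections, connect):
    """Seconds spent establishing n connections with the given strategy."""
    return round(sum(connect()[1] for _ in range(n_connections)), 3)


def run_scenario(n=100):
    """pg1 is dead; compare n fresh connections under both strategies."""
    hosts = ["pg1", "pg2", "pg3"]
    alive = {"pg1": False, "pg2": True, "pg3": True}
    hc = HealthChecker()
    for h in hosts:
        hc.add(h)
    for _ in range(hc.fall):        # three failed probes take pg1 out of the pool
        hc.check("pg1", alive["pg1"])
    seq = total_cost(n, lambda: sequential_connect(hosts, alive))
    lb = total_cost(n, lambda: balanced_connect(hc))
    return seq, lb


if __name__ == "__main__":
    seq, lb = run_scenario()
    print(f"sequential host list: {seq}s for 100 connections")
    print(f"health-checked pool:  {lb}s for 100 connections")
```

In the PostgreSQL footprint Brendan describes, the `healthy` input is the Patroni check the load balancer runs against each node, so the pool only ever contains the node Patroni currently reports as the read/write primary; the state machine itself is what removes the human from "mark a box down".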


Re: multiple / backup sql servers for sql server access

2022-08-30 Thread Brendan Kearney
presumably, you would have the same database parameters on different 
hosts, so only adding an additional "host=" parameter should suffice.  i 
would only add the additional parameters that are unique or different, 
and that should work.


connect = "host= host= dbname= 
user= password="


sorry to hear you're going to test this in Prod. :(

On 8/30/22 6:10 PM, Jack Snodgrass wrote:



I prefer to use a 2 db approach where I specify 2 different Database 
servers as opposed to HAproxy.



I see on: 
https://doc.dovecot.org/configuration_manual/authentication/sql where 
it says:


*You can add multiple host parameters to the SQL connect string. 
Dovecot will do round robin load balancing between them. If one of 
them goes down, the others will handle the traffic.*


it would be really nice if that was expanded upon in the docs I am 
not sure WHO to ask that that be clarified.


I currently have:

connect = "host= dbname= user= 
password="


... would I use:

connect = "host= dbname= user= 
password= host= dbname= user= 
password="


and the system would just see host/host, dbname/dbname user/user 
password/password and automatically map the correct 
dbname/user/password to the correct host or it is assumed that the 2nd 
host is the only thing that changes and the dbname/user/password are 
the same? or do I use:


connect = "host= dbname= user= 
password= host2= dbname2= user2= 
password2="


to specify the host and host2 info?


"You can add multiple host parameters to the SQL connect string." is a 
bit lacking in info when you think about the possibility of having a 
different user/pass or dbname for the 2nd host instance.


I am going to play around with this on my production box... but having 
a bit more info in the docs would be preferred.



- jack



On 8/30/22 07:57 AM, Brendan Kearney wrote:


per https://doc.dovecot.org/configuration_manual/authentication/sql/, 
you can add more than one "host=" parameter in the "connect" 
directive, and leave dovecot to do round-robin load balancing.  there 
will probably be a delay in processing while a failed database 
connection attempt times out.


or you can use a load balanced database footprint, using something 
like haproxy.  it's not as simple as putting multiple databases behind 
haproxy and calling it done.  i use mariadb, which via galera, can do 
multi-primary HA, where all 3 primary instances can take write or 
read events.  you need to configure each mariadb instance with galera 
replication and then setup haproxy to properly attach to the 
databases and perform a service check.


postgresql or other databases may require different mechanisms to 
achieve fault tolerant HA.


On 8/30/22 4:18 AM, Sami Ketola wrote:




On 30. Aug 2022, at 5.13, Jack Snodgrass  wrote:


I am using this file:

dovecot-sql.conf.ext

and in there  I have a

connect = "host= dbname= user= 
password="



My  was down and I lost mail access for a few days before 
I realized that there was an issue.  How can I specify a backup 
server so that if my primary sql server goes down, a backup sql 
server will be queried?




Use haproxy.

Sami



--
jack - Southlake Texas - mylinuxguy.net

Re: multiple / backup sql servers for sql server access

2022-08-30 Thread Brendan Kearney
per https://doc.dovecot.org/configuration_manual/authentication/sql/, 
you can add more than one "host=" parameter in the "connect" directive, 
and leave dovecot to do round-robin load balancing. there will probably 
be a delay in processing while a failed database connection attempt 
times out.


or you can use a load balanced database footprint, using something like 
haproxy.  it's not as simple as putting multiple databases behind haproxy 
and calling it done.  i use mariadb, which via galera, can do 
multi-primary HA, where all 3 primary instances can take write or read 
events.  you need to configure each mariadb instance with galera 
replication and then setup haproxy to properly attach to the databases 
and perform a service check.


postgresql or other databases may require different mechanisms to 
achieve fault tolerant HA.


On 8/30/22 4:18 AM, Sami Ketola wrote:




On 30. Aug 2022, at 5.13, Jack Snodgrass  wrote:


I am using this file:

dovecot-sql.conf.ext

and in there  I have a

connect = "host= dbname= user= 
password="



My  was down and I lost mail access for a few days before I 
realized that there was an issue.  How can I specify a backup server 
so that if my primary sql server goes down, a backup sql server will 
be queried?




Use haproxy.

Sami

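Jack's question about what is shared and what is repeated in a multi-host `connect` string, and Brendan's answer that only `host=` is repeated, as an added example. This parser is not Dovecot's; it reads the thread's advice and expands one connect string into one libpq-style parameter set per host. Whether Dovecot applies the shared keys exactly this way is an assumption to verify against the running version. Values are unquoted and re-quoted on output, and `redact` masks the password before a connect string is written to a log.

```python
"""Expand a Dovecot-style SQL connect string with repeated host= keys.

Added example for the dovecot list thread, not Dovecot's own parser.
Assumes key=value tokens separated by whitespace, no spaces around '=',
and libpq-style single-quoted values with backslash escapes.
"""
import re

TOKEN_RE = re.compile(r"(\w+)=('(?:\\.|[^'\\])*'|[^\s']*)")

# Constructed connect string with a password that needs quoting.
EXAMPLE = ("host=db1.example.net host=db2.example.net "
           "dbname=mail user=dovecot password='s3cr\\'t pass'")


def _unquote(v):
    if len(v) >= 2 and v[0] == "'" and v[-1] == "'":
        return re.sub(r"\\(.)", r"\1", v[1:-1])
    return v


def _quote(v):
    """Quote a value when it is empty or contains whitespace, quotes or backslashes."""
    if v == "" or re.search(r"[\s'\\]", v):
        return "'" + v.replace("\\", "\\\\").replace("'", "\\'") + "'"
    return v


def tokenize(s):
    """Yield (key, value) pairs; reject anything that is not key=value."""
    pos, out = 0, []
    while pos < len(s):
        if s[pos].isspace():
            pos += 1
            continue
        m = TOKEN_RE.match(s, pos)
        if not m:
            raise ValueError(f"cannot parse connect string at offset {pos}: {s[pos:pos + 20]!r}")
        out.append((m.group(1), _unquote(m.group(2))))
        pos = m.end()
    return out


def parse_connect(s):
    """Return ([hosts], {shared params}); only host= may appear more than once."""
    hosts, shared = [], {}
    for key, val in tokenize(s):
        if key == "host":
            hosts.append(val)
        elif key in shared:
            raise ValueError(f"parameter {key!r} repeated; only host= may repeat")
        else:
            shared[key] = val
    if not hosts:
        raise ValueError("connect string has no host= parameter")
    return hosts, shared


def per_host(s):
    """One conninfo string per host, shared parameters appended to each.

    This is the reading of the thread (hosts differ, credentials shared);
    it is an assumption about Dovecot, not its documented behaviour.
    """
    hosts, shared = parse_connect(s)
    tail = " ".join(f"{k}={_quote(v)}" for k, v in shared.items())
    return [f"host={_quote(h)} {tail}".strip() for h in hosts]


def redact(s):
    """Mask the password value before the connect string reaches a log line."""
    return re.sub(r"(password=)('(?:\\.|[^'\\])*'|[^\s']*)", r"\1***", s)


if __name__ == "__main__":
    for conninfo in per_host(EXAMPLE):
        print(redact(conninfo))
```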


Re: Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]

2016-07-06 Thread Brendan Kearney

On 07/04/2016 03:58 PM, Mark Foley wrote:

Brendan - yes, go ahead and send that doc directly to my email address. I've 
got Maildir
folders going, but not nfs; and I'm curious about your load balance.

THX --Mark

-Original Message-

Date: Mon, 04 Jul 2016 10:40:06 -0400
From: Brendan Kearney <bpk...@gmail.com>
To: dovecot@dovecot.org
Subject: Re: Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]

On 07/04/2016 03:30 AM, Mark Foley wrote:

Actually, I see that you used host.domain.name further down. That's a good 
substitute for mail.hprs.local.

Also, not to be a literary critic, but it might not hurt to show an example 
keytab beneath your
"Make sure your keytab has entry for ...". Just in case people don't exactly know 
how to "make sure:

$ klist -Kek /etc/dovecot/dovecot.keytab
Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Principal
 --
 1 imap/host.domain.name@MYREALM (des-cbc-crc)  (0x232616c2a4fd08f7)
 1 imap/host.domain.name@MYREALM (des-cbc-md5)  (0x232616c2a4fd08f7)
 1 imap/host.domain.name@MYREALM (arcfour-hmac)  
(0x9dae89a221dc374a39f560833

--Mark

-Original Message-
From: Mark Foley <mfo...@ohprs.org>
Date: Mon, 04 Jul 2016 03:23:30 -0400
Organization: Ohio Highway Patrol Retirement System
To: dovecot@dovecot.org
Subject: Re: Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]

On Mon, 4 Jul 2016 08:54:27 +0300 Aki Tuomi <aki.tu...@dovecot.fi> wrote:


http://wiki2.dovecot.org/Authentication/Kerberos

It has been now updated.

Excellent! That was quick!

Although, you used my actual local domain in your example: mail.hprs.local.  
Not that I care,
no one can get to that, but it might be clearer to those of us who 
uncomprehendingly
monkey-type things from wiki's when we don't fully understand.  Perhaps 
something more generic
would be clearer: myhost.myrealm, or myhost.mydom.local, or myLocalFDQN -- 
something like that.
Not sure what is best; just don't want to imply that they HAVE TO use 
mail.hprs.local.


I had a look at the NTLM mechanism, it *should* support SSP and NTLMv2.
I have to set up some kind of test environment to find out why it bugs.

I'm going to give my brain a rest for a bit before I resume tilting at the NTLM 
windmill! I'll
check back with the list to see if you've come up with anything.


Aki

Again, thanks for all your help.

--Mark

-Original Message-

Subject: Re: Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]
To: dovecot@dovecot.org
From: Aki Tuomi <aki.tu...@dovecot.fi>
Organization: Dovecot Oy
Date: Mon, 4 Jul 2016 08:54:27 +0300
On 04.07.2016 07:44, Mark Foley wrote:

After over a year and a half struggling to get Dovecot to do either NTLM or 
GSSAPI
authentication with Samba4 AD/DC, I believe I've finally got it! Thanks to all 
those in this
list who helped: Jan Jurkus, Edgar Pettijohn, Gregory Sloop, Tom Talpey 
especially Aki Tuomi;
and infinite thanks to Achim Gottinger on the SambaList for his patience in 
working this
through with me.  Although my purpose was for Dovecot to authenticate mail 
clients, the
configuration settings needed were on the Samba side.  I hope a variation of 
these instructions
can eventually make it into:

http://wiki2.dovecot.org/Authentication/Kerberos



It has been now updated.

I had a look at the NTLM mechanism, it *should* support SSP and NTLMv2.
I have to set up some kind of test environment to find out why it bugs.

Aki


i have a document that i had written, recording each of the changes
needed to each of the files to be modified, in order to have dovecot
authenticate against kerberos and authorize against ldap.  in addition,
the use of nfs for maildir mailboxes and load balanced nuances are
covered.  the doc is in odt format (libre office writer), and i have
attempted to post it to this mailing list, but it was quarantined.

if there is any interest in the doc, reach out to me.  i welcome input
and feedback on it.

brendan


replied off list as my doc is quarantined for size.

having re-read the doc, nfs is not specifically mentioned.  the default 
storage dir (or the one i specified), /var/spool/dovecot, is automounted 
to a nas share i have.  my export on the nas looks like the below:


/export/dovecot server[1-2].bpk2.com(rw,sync) mail.bpk2.com(rw,sync)

i normally run sec=krb5p in addition to the rw,sync options, but i do 
not believe a way exists to have the maildir mounted with a credential set.


the mount on the mailserver looks like the below:

nas.bpk2.com:/export/dovecot on /var/spool/dovecot type nfs 
(rw,relatime,vers=3,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=192.168.88.3,mountvers=3,mountport=20048,mountproto=udp,local_lock=none,addr=192.168.88.3)


with the nas exporting the nfs share, and sssd managing the automount, 
the fact that th

Re: Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]

2016-07-05 Thread Brendan Kearney

On 07/04/2016 02:40 PM, Aki Tuomi wrote:



On 04.07.2016 17:40, Brendan Kearney wrote:

On 07/04/2016 03:30 AM, Mark Foley wrote:
Actually, I see that you used host.domain.name further down. That's 
a good substitute for mail.hprs.local.


Also, not to be a literary critic, but it might not hurt to show an 
example keytab beneath your
"Make sure your keytab has entry for ...". Just in case people don't 
exactly know how to "make sure:


$ klist -Kek /etc/dovecot/dovecot.keytab
Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Principal
 
--

1 imap/host.domain.name@MYREALM (des-cbc-crc) (0x232616c2a4fd08f7)
1 imap/host.domain.name@MYREALM (des-cbc-md5) (0x232616c2a4fd08f7)
1 imap/host.domain.name@MYREALM (arcfour-hmac) 
(0x9dae89a221dc374a39f560833


--Mark

-Original Message-
From: Mark Foley <mfo...@ohprs.org>
Date: Mon, 04 Jul 2016 03:23:30 -0400
Organization: Ohio Highway Patrol Retirement System
To: dovecot@dovecot.org
Subject: Re: Configure Dovecot for GSSAPI [formerly: Looking for 
GSSAPI config]


On Mon, 4 Jul 2016 08:54:27 +0300 Aki Tuomi <aki.tu...@dovecot.fi> 
wrote:

http://wiki2.dovecot.org/Authentication/Kerberos

It has been now updated.

Excellent! That was quick!

Although, you used my actual local domain in your example: 
mail.hprs.local.  Not that I care,
no one can get to that, but it might be clearer to those of us who 
uncomprehendingly
monkey-type things from wiki's when we don't fully understand. 
Perhaps something more generic
would be clearer: myhost.myrealm, or myhost.mydom.local, or 
myLocalFDQN -- something like that.
Not sure what is best; just don't want to imply that they HAVE TO 
use mail.hprs.local.


I had a look at the NTLM mechanism, it *should* support SSP and 
NTLMv2.
I have to set up some kind of test environment to find out why it 
bugs.
I'm going to give my brain a rest for a bit before I resume tilting 
at the NTLM windmill! I'll

check back with the list to see if you've come up with anything.


Aki

Again, thanks for all your help.

--Mark

-Original Message-
Subject: Re: Configure Dovecot for GSSAPI [formerly: Looking for 
GSSAPI config]

To: dovecot@dovecot.org
From: Aki Tuomi <aki.tu...@dovecot.fi>
Organization: Dovecot Oy
Date: Mon, 4 Jul 2016 08:54:27 +0300
On 04.07.2016 07:44, Mark Foley wrote:
After over a year and a half struggling to get Dovecot to do 
either NTLM or GSSAPI
authentication with Samba4 AD/DC, I believe I've finally got it! 
Thanks to all those in this
list who helped: Jan Jurkus, Edgar Pettijohn, Gregory Sloop, Tom 
Talpey especially Aki Tuomi;
and infinite thanks to Achim Gottinger on the SambaList for his 
patience in working this
through with me.  Although my purpose was for Dovecot to 
authenticate mail clients, the
configuration settings needed were on the Samba side.  I hope a 
variation of these instructions

can eventually make it into:

http://wiki2.dovecot.org/Authentication/Kerberos



It has now been updated.

I had a look at the NTLM mechanism, it *should* support SSP and NTLMv2.
I have to set up some kind of test environment to find out why it bugs.


Aki

i have a document that i had written, recording each of the changes 
needed to each of the files to be modified, in order to have dovecot 
authenticate against kerberos and authorize against ldap.  in 
addition, the use of nfs for maildir mailboxes and load balanced 
nuances are covered.  the doc is in odt format (libre office writer), 
and i have attempted to post it to this mailing list, but it was 
quarantined.


if there is any interest in the doc, reach out to me.  i welcome 
input and feedback on it.


brendan


I would very much like to have a copy, please.

Aki

replied off list, as my doc is quarantined due to size.


Re: Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]

2016-07-04 Thread Brendan Kearney

On 07/04/2016 03:30 AM, Mark Foley wrote:

Actually, I see that you used host.domain.name further down. That's a good substitute for mail.hprs.local.

Also, not to be a literary critic, but it might not hurt to show an example keytab beneath your
"Make sure your keytab has entry for ...". Just in case people don't exactly know how to "make sure":

$ klist -Kek /etc/dovecot/dovecot.keytab
Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 imap/host.domain.name@MYREALM (des-cbc-crc)  (0x232616c2a4fd08f7)
1 imap/host.domain.name@MYREALM (des-cbc-md5)  (0x232616c2a4fd08f7)
1 imap/host.domain.name@MYREALM (arcfour-hmac)  (0x9dae89a221dc374a39f560833

--Mark

-Original Message-
From: Mark Foley 
Date: Mon, 04 Jul 2016 03:23:30 -0400
Organization: Ohio Highway Patrol Retirement System
To: dovecot@dovecot.org
Subject: Re: Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]

On Mon, 4 Jul 2016 08:54:27 +0300 Aki Tuomi wrote:


http://wiki2.dovecot.org/Authentication/Kerberos

It has now been updated.

Excellent! That was quick!

Although, you used my actual local domain in your example: mail.hprs.local.  Not that I care,
no one can get to that, but it might be clearer to those of us who uncomprehendingly
monkey-type things from wikis when we don't fully understand.  Perhaps something more generic
would be clearer: myhost.myrealm, or myhost.mydom.local, or myLocalFQDN -- something like that.
Not sure what is best; just don't want to imply that they HAVE TO use mail.hprs.local.


I had a look at the NTLM mechanism, it *should* support SSP and NTLMv2.
I have to set up some kind of test environment to find out why it bugs.

I'm going to give my brain a rest for a bit before I resume tilting at the NTLM windmill! I'll
check back with the list to see if you've come up with anything.


Aki

Again, thanks for all your help.

--Mark

-Original Message-

Subject: Re: Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]
To: dovecot@dovecot.org
From: Aki Tuomi 
Organization: Dovecot Oy
Date: Mon, 4 Jul 2016 08:54:27 +0300
On 04.07.2016 07:44, Mark Foley wrote:

After over a year and a half struggling to get Dovecot to do either NTLM or GSSAPI
authentication with Samba4 AD/DC, I believe I've finally got it! Thanks to all those in this
list who helped: Jan Jurkus, Edgar Pettijohn, Gregory Sloop, Tom Talpey, and especially Aki Tuomi;
and infinite thanks to Achim Gottinger on the SambaList for his patience in working this
through with me.  Although my purpose was for Dovecot to authenticate mail clients, the
configuration settings needed were on the Samba side.  I hope a variation of these instructions
can eventually make it into:

http://wiki2.dovecot.org/Authentication/Kerberos



It has now been updated.

I had a look at the NTLM mechanism, it *should* support SSP and NTLMv2.
I have to set up some kind of test environment to find out why it bugs.

Aki

i have a document that i had written, recording each of the changes 
needed to each of the files to be modified, in order to have dovecot 
authenticate against kerberos and authorize against ldap.  in addition, 
the use of nfs for maildir mailboxes and load balanced nuances are 
covered.  the doc is in odt format (libre office writer), and i have 
attempted to post it to this mailing list, but it was quarantined.


if there is any interest in the doc, reach out to me.  i welcome input 
and feedback on it.


brendan
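Mark's suggestion above is to show readers what "make sure your keytab has an entry for ..." looks like in practice. The following is an added example (not from the wiki page, from Dovecot, or from either poster) that parses `klist -Kek` output and reports whether the expected `imap/<fqdn>@<REALM>` principal is present and which of its enctypes are deprecated. The listing it runs on is constructed, modelled on the one quoted in the post, with made-up key bytes; run `klist -Kek /etc/dovecot/dovecot.keytab` and feed its output to `parse_klist_keytab()` to check a real keytab.

```python
import re

# Enctypes deprecated by RFC 6649 (single DES) and RFC 8429 (RC4, 3DES). A keytab
# that offers only these leaves clients no strong enctype to negotiate.
WEAK_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
    "des3-cbc-sha1", "arcfour-hmac", "arcfour-hmac-exp",
}

# Constructed `klist -Kek` output, modelled on the listing in the post above.
# The key bytes are made up; the des/arcfour entries mirror what the post shows.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 imap/host.domain.name@MYREALM (des-cbc-crc)  (0x0000000000000001)
   1 imap/host.domain.name@MYREALM (des-cbc-md5)  (0x0000000000000001)
   1 imap/host.domain.name@MYREALM (arcfour-hmac)  (0x00000000000000000000000000000002)
   2 imap/host.domain.name@MYREALM (aes256-cts-hmac-sha1-96)  (0x00000000000000000000000000000003)
"""

# One keytab entry per line: "<kvno> <principal> (<enctype>)  (0x<key>)"
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s+\((0x[0-9a-fA-F]+)\)\s*$")


def parse_klist_keytab(text):
    """Return one dict per keytab entry found in `klist -Kek` output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:  # header lines ("Keytab name:", "KVNO Principal", dashes) do not match
            entries.append({
                "kvno": int(m.group(1)),
                "principal": m.group(2),
                "enctype": m.group(3).lower(),
                "key": m.group(4),
            })
    return entries


def check_service_principal(entries, service, fqdn, realm):
    """Report whether service/fqdn@REALM is in the keytab and how its keys look."""
    wanted = f"{service}/{fqdn}@{realm}"
    mine = [e for e in entries if e["principal"] == wanted]
    enctypes = sorted({e["enctype"] for e in mine})
    return {
        "principal": wanted,
        "present": bool(mine),
        "kvnos": sorted({e["kvno"] for e in mine}),
        "weak_enctypes": [t for t in enctypes if t in WEAK_ENCTYPES],
        "strong_enctypes": [t for t in enctypes if t not in WEAK_ENCTYPES],
    }


if __name__ == "__main__":
    report = check_service_principal(
        parse_klist_keytab(SAMPLE_KLIST), "imap", "host.domain.name", "MYREALM")
    status = "present" if report["present"] else "MISSING"
    print(f"{report['principal']}: {status}, kvno(s) {report['kvnos']}")
    print(f"  strong enctypes: {report['strong_enctypes']}")
    print(f"  deprecated enctypes (consider re-keying without them): {report['weak_enctypes']}")
```

The check compares the full principal string, so a keytab holding `imap/HOST.DOMAIN.NAME@MYREALM` or a different realm spelling is reported as missing, which is exactly the mismatch that leaves a GSSAPI client unable to present a usable ticket.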


Re: Looking for GSSAPI config [was: Looking for NTLM config example]

2016-06-29 Thread brendan kearney
The last log line shows "user=<>".  This indicates no credentials were
presented.  If the rip field matches the client ip you tested from, I would
bet the appropriate kerberos ticket (imap/host.domain.tld@REALM) was not
pulled for the authentication.
On Jun 28, 2016 11:33 PM, "Mark Foley"  wrote:

> Aki - partial success! I rebuilt my dovecot with ./config --with-gssapi,
> and restarted. Now I
> don't get that "Unknown authentication mechanism 'gssapi'" message in
> maillog, and mail is
> delivered successfully to the other domain users having PLAIN
> authentication. That's a big
> step. In examining my original config.log output I apparently did not have
> --with-gssapi enabled.
>
> HOWEVER - the Thunderbird client configured for 'Kerberos / GSSAPI' still
> cannot correctly
> authenticate and retrieve mail. Here is the dovecot log for that host:
>
> Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be
> used for ECDH and ECDHE key exchanges
> Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be
> used for ECDH and ECDHE key exchanges
> Jun 28 22:44:05 auth: Debug: Loading modules from directory:
> /usr/local/lib/dovecot/auth
> Jun 28 22:44:05 auth: Debug: Read auth token secret from
> /usr/local/var/run/dovecot/auth-token-secret.dat
> Jun 28 22:44:05 auth: Debug: auth client connected (pid=24076)
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x10, ret=1: before/accept
> initialization [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept
> initialization [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3
> read client hello A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read
> client hello A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write
> server hello A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write
> certificate A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write
> key exchange A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write
> server done A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush
> data [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read
> client certificate A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read
> client certificate A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read
> client key exchange A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read
> certificate verify A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read
> finished A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write
> session ticket A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write
> change cipher spec A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write
> finished A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush
> data [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation
> finished successfully [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=1: SSL
> negotiation finished successfully [192.168.0.58]
> Jun 28 22:44:11 imap-login: Debug: SSL alert: close notify [192.168.0.58]
> Jun 28 22:44:11 imap-login: Debug: SSL alert: close notify [192.168.0.58]
> Jun 28 22:44:11 imap-login: Info: Disconnected (no auth attempts in 6
> secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, TLS,
> session=
>
> Does this tell you anything? `doveconf -n` and krb5.conf are configured as
> shown in previous
> messages below.
>
> Closer! --Mark
>
> -Original Message-
> From: Mark Foley 
> Date: Tue, 28 Jun 2016 22:04:42 -0400
> To: dovecot@dovecot.org
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config
> example]
>
> Aki, you wrote:
>
> > Doh. Seems your dovecot isn't compiled with gssapi support? Can you
> compile it yourself?
> >
> > I'll try to check status of NTLM this week.
>
> I'm OK with continuing to try gssapi, esp. if NTLM is restricted to v1.
>
> I do have the Dovecot sources and will peruse the possible options after I
> send this.  I am on
> version 2.2.15 and I see that the current downloadable version is 2.2.24.
> Should I upgrade? Do
> you think that would help? (a perusal of the changes since 2.2.15 shows
> nothing obvious
> related to gssapi)
>
> --Mark
>
> -Original Message-
> > Date: Tue, 28 Jun 2016 18:06:10 +0300 (EEST)
> > From: aki.tu...@dovecot.fi
> > To: dovecot@dovecot.org
> > Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config
> example]
> >
> > > On 
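Brendan's diagnosis above rests on reading one `imap-login` line: `Disconnected (no auth attempts ...)` together with `user=<>` means the client closed the connection without ever sending an authentication command, and the `rip` field tells you which client did so. The following is an added example (not Dovecot code, and not from either poster) that turns that reading into a small classifier over `imap-login: Info:` lines, separating "no credentials offered", "auth failed" and successful logins, and listing the client addresses that never attempted authentication. The log lines are constructed, modelled on the one quoted in the thread, with RFC 5737 documentation addresses and made-up session ids.

```python
import re
from collections import Counter

# Constructed Dovecot imap-login lines modelled on the one quoted in the thread.
SAMPLE_LOG = """\
Jun 28 22:44:11 imap-login: Info: Disconnected (no auth attempts in 6 secs): user=<>, rip=192.0.2.58, lip=198.51.100.7, TLS, session=<constructed01>
Jun 28 22:45:02 imap-login: Info: Login: user=<alice>, method=PLAIN, rip=192.0.2.21, lip=198.51.100.7, mpid=24101, TLS, session=<constructed02>
Jun 28 22:46:30 imap-login: Info: Disconnected (auth failed, 3 attempts in 12 secs): user=<bob>, method=PLAIN, rip=203.0.113.9, lip=198.51.100.7, TLS, session=<constructed03>
Jun 28 22:47:15 imap-login: Info: Login: user=<carol>, method=GSSAPI, rip=192.0.2.58, lip=198.51.100.7, mpid=24133, TLS, session=<constructed04>
"""

# "<timestamp> imap-login: Info: <event>[ (<reason>)]: key=value, key=<value>, TLS, ..."
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) imap-login: Info: "
    r"(?P<event>Login|Disconnected|Aborted login)"
    r"(?: \((?P<reason>[^)]*)\))?: (?P<fields>.*)$"
)
# key=value pairs; values such as user and session are wrapped in <...>
FIELD_RE = re.compile(r"(\w+)=(<[^>]*>|[^,]*)")


def parse_fields(text):
    """Split the trailing key=value list; 'TLS' is a bare flag, not a pair."""
    out = {}
    for key, value in FIELD_RE.findall(text):
        out[key] = value[1:-1] if value.startswith("<") else value
    out["tls"] = "TLS" in [part.strip() for part in text.split(",")]
    return out


def classify(rec):
    """Name what the line tells a defender about the client's behaviour."""
    if rec["event"] == "Login":
        return "login_ok"
    if rec["reason"].startswith("no auth attempts") and rec["user"] == "":
        # connection opened (here over TLS) and closed with no AUTHENTICATE/LOGIN
        return "no_credentials_offered"
    if rec["reason"].startswith("auth failed"):
        return "auth_failed"
    return "other"


def parse_imap_login_log(text):
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # debug/SSL chatter and other services are skipped
        rec = {"ts": m.group("ts"), "event": m.group("event"),
               "reason": m.group("reason") or ""}
        rec.update(parse_fields(m.group("fields")))
        rec.setdefault("user", "")
        rec.setdefault("method", "")
        rec["category"] = classify(rec)
        records.append(rec)
    return records


def summarize(records):
    return dict(Counter(r["category"] for r in records))


def clients_without_credentials(records):
    """Remote IPs that connected but never tried to authenticate (Brendan's rip check)."""
    return sorted({r["rip"] for r in records if r["category"] == "no_credentials_offered"})


if __name__ == "__main__":
    recs = parse_imap_login_log(SAMPLE_LOG)
    print(summarize(recs))
    print("never offered credentials:", clients_without_credentials(recs))
```

In the sample, 192.0.2.58 appears both as a client that offered nothing and, later, as a successful GSSAPI login; that is the pattern you expect to see once the client side has a valid service ticket.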

Re: Mailboxes on NFS or iSCSI

2016-06-22 Thread brendan kearney
I chose nfs for my env because I wanted multiple load balanced instances of
dovecot to be able to access the mailbox files.  If you use iscsi,  you
will need to pin the user to the dovecot instance that has the LUN
mounted.  For me, scalability and single point of failure was lost or
lessened when using iscsi.
On Jun 22, 2016 10:41 AM, "Miloslav Hůla"  wrote:

> Hello,
>
> we are running Dovecot (2.2.13-12~deb8u1) on Debian stable. Configured
> with Mailbox++, IMAP, POP3, LMTPD, Managesieved, ACL. Mailboxes are on
> local 1.2TB RAID, it's about 5310 accounts.
>
> We are slowly getting out of space and we are considering moving
> Mailboxes onto Netapp disk array with two independent network connections.
>
> Are there some pitfalls? Not sure we should use NFS or iSCSI mounts (both
> open implementations are not so shiny).
>
> Thanks for sharing any experiences.
>
> Kind regards, Milo
>


Re: sieve and authentication

2016-01-20 Thread brendan kearney
While that may be true, the RoundCubeMail plugin cannot talk to sieve,
either.
On Jan 19, 2016 11:24 PM, "Tim" <t...@slowb.ro> wrote:

> On 20/01/16 12:15, Brendan Kearney wrote:
>
>> when i telnet to the sieve instance running with dovecot, i see that SASL
>> is supported, but i cannot get thunderbird to connect to the sieve
>> instance.  it seems that i am not providing the right auth methods for
>> sieve to work.
>>
>> "IMPLEMENTATION" "Dovecot Pigeonhole"
>> "SIEVE" "fileinto reject envelope encoded-character vacation subaddress
>> comparator-i;ascii-numeric relational regex imap4flags copy include
>> variables body enotify environment mailbox date index ihave duplicate"
>> "NOTIFY" "mailto"
>> "SASL" ""
>> "STARTTLS"
>> "VERSION" "1.0"
>> OK "Dovecot ready."
>>
>> i am set up with gssapi and plain auth mechanisms and want to leverage
>> Kerberos / SASL for authentication.  what do i need to enable (and where)
>> to get sieve working in a MUA?  i tried adding the digest-md5 mechanism to
>> the auth_mechanisms directive, but that does not work with Kerberos (or
>> maybe my implementation of Kerberos in my environment).
>>
>> any ideas where i should be looking?
>>
>> thanks
>>
>> brendan
>>
>
> You can't use the Sieve plugin in the addon store. (It's buggy)
>
> Test with the latest one on github.
>
> https://github.com/thsmi/sieve/blob/master/nightly/README.md
>
> Cheers,
>


sieve and authentication

2016-01-19 Thread Brendan Kearney
when i telnet to the sieve instance running with dovecot, i see that 
SASL is supported, but i cannot get thunderbird to connect to the sieve 
instance.  it seems that i am not providing the right auth methods for 
sieve to work.


"IMPLEMENTATION" "Dovecot Pigeonhole"
"SIEVE" "fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate"
"NOTIFY" "mailto"
"SASL" ""
"STARTTLS"
"VERSION" "1.0"
OK "Dovecot ready."

i am set up with gssapi and plain auth mechanisms and want to leverage 
Kerberos / SASL for authentication.  what do i need to enable (and 
where) to get sieve working in a MUA?  i tried adding the digest-md5 
mechanism to the auth_mechanisms directive, but that does not work with 
Kerberos (or maybe my implementation of Kerberos in my environment).


any ideas where i should be looking?

thanks

brendan
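The greeting Brendan pasted is a ManageSieve capability list (RFC 5804), and the line that matters for his question is `"SASL" ""`: the server is advertising no SASL mechanisms at all on the plain connection, and a client may only attempt AUTHENTICATE with a mechanism the server has listed. Because the server must send a fresh capability list after a successful STARTTLS, the mechanisms may only appear at that point. The following is an added example (not Pigeonhole code, and not from the thread) that parses such a greeting and reports whether authentication is possible yet or whether the client should negotiate TLS and read the capabilities again. The first greeting is a copy of the one in the post; the second, post-STARTTLS greeting is constructed and assumed.

```python
import re

# Copy of the greeting quoted in the post above: each line is a quoted
# capability name, optionally followed by a quoted value, ending with OK.
GREETING_BEFORE_STARTTLS = '''\
"IMPLEMENTATION" "Dovecot Pigeonhole"
"SIEVE" "fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate"
"NOTIFY" "mailto"
"SASL" ""
"STARTTLS"
"VERSION" "1.0"
OK "Dovecot ready."
'''

# Constructed (assumed) capability response after STARTTLS has succeeded;
# RFC 5804 requires the server to re-send its capabilities at that point.
GREETING_AFTER_STARTTLS = '''\
"IMPLEMENTATION" "Dovecot Pigeonhole"
"SIEVE" "fileinto reject envelope vacation"
"NOTIFY" "mailto"
"SASL" "GSSAPI PLAIN"
"VERSION" "1.0"
OK "TLS negotiation successful."
'''

CAP_RE = re.compile(r'^"([^"]+)"(?: "([^"]*)")?$')
OK_RE = re.compile(r'^OK(?: "([^"]*)")?$')


def parse_capabilities(text):
    """Return (caps, ok_text); caps maps capability name -> value ('' if none)."""
    caps, ok_text = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = OK_RE.match(line)
        if m:  # the OK response terminates the capability list
            ok_text = m.group(1) or ""
            break
        m = CAP_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised greeting line: {line!r}")
        caps[m.group(1).upper()] = m.group(2) or ""  # names are case-insensitive
    if ok_text is None:
        raise ValueError("greeting did not end with OK")
    return caps, ok_text


def sasl_mechanisms(caps):
    """SASL mechanisms the server is offering right now (space-separated list)."""
    return caps.get("SASL", "").split()


def assess_auth(caps):
    """What a client may do with this capability set, per RFC 5804."""
    mechs = sasl_mechanisms(caps)
    return {
        "starttls": "STARTTLS" in caps,
        "sasl_mechanisms": mechs,
        "can_authenticate_now": bool(mechs),
        # empty SASL list but STARTTLS offered: upgrade to TLS, then re-read the
        # capabilities, since mechanisms may only be advertised on the TLS session
        "retry_after_starttls": not mechs and "STARTTLS" in caps,
    }


if __name__ == "__main__":
    for label, greeting in (("plain", GREETING_BEFORE_STARTTLS),
                            ("after STARTTLS", GREETING_AFTER_STARTTLS)):
        caps, ok = parse_capabilities(greeting)
        print(label, ok, assess_auth(caps))
```

Run against a live server with `openssl s_client -connect host:4190 -starttls sieve`, which performs the STARTTLS step for you and then shows the second capability list; if `"SASL"` is still empty there, the mechanism list itself is the problem rather than the TLS state.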


SASL binds

2016-01-01 Thread Brendan Kearney
i am looking to get SASL binds working in Dovecot for userdb lookups, 
and i am not sure what i might be doing wrong.


Dovecot version - 2.2.19 running on Fedora 22.  MIT Kerberos and 
OpenLDAP are being used.


my LDAP configs:
uris = ldap://server1.bpk2.com ldap://server2.bpk2.com
sasl_bind = yes
sasl_mech = gssapi
sasl_realm = BPK2.COM
sasl_authz_id = imap/imap.bpk2@bpk2.com
base = dc=bpk2,dc=com

the above results in the below error logs:
Jan 01 13:56:58 mail auth[16747]: GSSAPI Error: Unspecified GSS 
failure.  Minor code may provide more information (No Kerberos 
credentials available)
Jan 01 13:56:58 mail dovecot[16722]: auth-worker(16747): Error: LDAP: 
binding failed (dn (none)): Local error, SASL(-1): generic failure: 
GSSAPI Error: Unspecified GSS failure.  Minor code may provide more 
information (No Kerberos credentials available)


i am assuming the keytab, /etc/dovecot/dovecot.keytab, would be used to 
bind to the directory, but i am not sure.  the auth_krb5_keytab 
directive is set with the absolute path and keytab name.  is there 
something i am missing, such as a /etc/sasl2/dovecot.conf file?


in the directory, i am mapping the Kerberos ID to LDAP user object as such:

uid=imap\/(.*).bpk2.com,cn=bpk2.com,cn=gssapi,cn=auth 
uid=mda,ou=processUsers,ou=Users,dc=bpk2,dc=com


if i change the sasl_authz_id to 
uid=mda,ou=processUsers,ou=Users,dc=bpk2,dc=com, and restart dovecot, i 
still get the same error.


can anyone shed light on where i am going wrong?

thanks in advance,

brendan
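Brendan's `authz-regexp` line is the second half of a SASL bind: once the GSSAPI exchange has authenticated a principal, slapd rewrites it into a DN of the form `uid=<authcid>,cn=<realm>,cn=gssapi,cn=auth` and runs that through the `authz-regexp` rules to find the real entry. The following is an added example (not OpenLDAP or Dovecot code, and not from the post) that reproduces that mapping in Python so the rule can be checked offline against the principal Dovecot will present. It assumes the service principal is `imap/imap.bpk2.com@BPK2.COM` (the `sasl_authz_id` value in the post looks address-mangled by the archive), that slapd matches the rule case-insensitively against the whole normalised DN, and it adds a second, hypothetical rule that uses a `$1` back-reference to show the general form; the first rule is the one from the post.

```python
import re

# authz-regexp rules as (pattern, replacement), in slapd.conf order.
# Rule 1 is the one from the post; rule 2 is a hypothetical, added rule that
# maps ordinary user principals with a $1 back-reference.
AUTHZ_REGEXP_RULES = [
    (r"uid=imap\/(.*).bpk2.com,cn=bpk2.com,cn=gssapi,cn=auth",
     "uid=mda,ou=processUsers,ou=Users,dc=bpk2,dc=com"),
    (r"uid=([^,/]+),cn=bpk2.com,cn=gssapi,cn=auth",
     "uid=$1,ou=Users,dc=bpk2,dc=com"),
]


def sasl_authz_dn(principal, default_realm, mech="gssapi"):
    """Build the uid=<authcid>,cn=<realm>,cn=<mech>,cn=auth DN slapd derives from
    a SASL identity. The realm is lowercased here on the assumption that slapd
    normalises the DN before matching (case-insensitive match below as well)."""
    authcid, _, princ_realm = principal.partition("@")
    realm = (princ_realm or default_realm).lower()
    return f"uid={authcid},cn={realm},cn={mech},cn=auth"


def map_authz_dn(dn, rules=AUTHZ_REGEXP_RULES):
    """Apply the first matching authz-regexp rule; unmatched DNs are returned
    unchanged (slapd would then have no entry to bind as)."""
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, dn, re.IGNORECASE)  # treated as anchored (assumption)
        if m:
            # slapd writes back-references as $1; Python's expand() wants \1
            return m.expand(re.sub(r"\$(\d+)", r"\\\1", replacement))
    return dn


def resolve_bind_identity(principal, default_realm):
    """Full path from Kerberos principal to the DN slapd would bind as."""
    dn = sasl_authz_dn(principal, default_realm)
    mapped = map_authz_dn(dn)
    return {"authz_dn": dn, "bind_dn": mapped, "matched": mapped != dn}


if __name__ == "__main__":
    for princ in ("imap/imap.bpk2.com@BPK2.COM", "alice@BPK2.COM",
                  "imap/mail.example.org@BPK2.COM"):
        print(princ, "->", resolve_bind_identity(princ, "BPK2.COM"))
```

Two caveats are worth keeping in mind when reading the result against the log in the post. First, the mapping only runs after a successful GSSAPI exchange; the `No Kerberos credentials available` error is raised on the initiator side (the process doing the bind) before any token is sent, so it is not a symptom of the regex. Second, the pattern's unescaped `.` before `bpk2.com` matches any character, which is harmless here but is why the example checks a non-matching host explicitly.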