On Mon, 2003-12-15 at 01:16, Peter Stuge wrote:

> On Sun, Dec 14, 2003 at 10:58:06PM -0800, AthlonRob wrote:
> > The box is a Slackware 8.1 box with GCC 2.95.  I couldn't get it
> > compiled on there, even with GCC 3.2.1,
> 
> You probably need to tell configure about where to find needed libraries and
> include files. Send us the end of the output where it fails.

Ah, sorry, I meant to do that, but halfway through the email, I got
something working I couldn't get working before, so I deleted half the
email and rewrote it... forgetting that output.

GCC 2.95 failure:

make[2]: Entering directory `/home/rob/bincimap-1.2.3/src'
source='address.cc' object='address.o' libtool=no \
depfile='.deps/address.Po' tmpdepfile='.deps/address.TPo' \
depmode=gcc /bin/sh ../depcomp \
g++ -DHAVE_CONFIG_H -I. -I. -I..     -g -O2 -Wall -fno-exceptions -O2 -c -o address.o `test -f 'address.cc' || echo './'`address.cc
In file included from /usr/lib/gcc-lib/i386-slackware-linux/2.95.3/../../../../include/g++-3/stl_algobase.h:52,
                 from /usr/lib/gcc-lib/i386-slackware-linux/2.95.3/../../../../include/g++-3/vector:30,
                 from convert.h:41,
                 from address.cc:39:
/usr/lib/gcc-lib/i386-slackware-linux/2.95.3/include/new.h:6: new: No such file or directory
make[2]: *** [address.o] Error 1
make[2]: Leaving directory `/home/rob/bincimap-1.2.3/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/rob/bincimap-1.2.3'
make: *** [all] Error 2

GCC 3.2.1 failure:

Aw hell, I don't know what I did earlier, it isn't working at all
now... says C++ compiler cannot create executables.  Oh well... it's
working with my static binary.

> > I copied over the config file, made a .pem (BTW, as far as I've seen, RH
> > is the only one who does the cd /usr/share/ssl/certs && make), put them
> > in /usr/etc, added lines to /etc/inetd.conf, HUP'd inetd, and tried to
> > connect.  No go.  :-\
> 
> See http://lifewithbincimap.org/index.php/Main/InstallingBincIMAP for two
> guides on how to make a certificate authority for creating your own
> certificates.

I have access to a RH box... I just used that to create the .pem file as
per the documentation.  :-)

> > It's like it doesn't see the configuration file.  I modified it to call
> > tcpd first:
> > 
> > imap2 stream tcp nowait root /usr/sbin/tcpd /usr/bin/bincimap-up
> > --conf=/usr/etc/bincimap.conf --logtype=syslog -- /bin/checkpassword
> > /usr/bin/bincimapd
> > 
> > And now I'm able to at least login plaintext like.
> > 
> > However, now I want to get SSL/TLS working so I can safely open it up to
> > the web.  Here I'm definitely running into problems.
> 
> I suggest you check out daemontools and ucspi-tcp. daemontools and Slackware
> have been known to like each other on previous installations I've made. :)

AFAICT, inetd and tcpd are doing a fine job... I see no need for
daemontools... which I keep hearing icky things about.  :-)

> > I don't know how to do TLS interactively from openssl or telnet, so
> 
> See the FAQ and the mailing list archive.
> 
> openssl s_client -help

I got it... something is definitely b0rk3d with my setup...

> > ...so I'm basically not getting any useful output. :-(
> 
> Did you set a passphrase for the private key in the Binc cert? Take it out.
> There's currently no way to specify the passphrase, hence Binc won't be able
> to load the cert.

Nope, no passphrase.  :-)

> > Dec 14 22:51:25 linuxbox bincimap-up[31626]: Error initializing Binc
> > IMAP: SSL negotiation failed: SSL error: cipher list undefined
> > 
> > The bincimap.conf file can be found at http://rob.axpr.net/bincimap.conf
> > FWIW.
> 
> Hm, did you change the cipher list from the sample config?
> Try using what's shown in my DIYCA guide..

I just ran through the whole DIYCA guide... whew, that took a little
while....

I'm getting the same results after doing that as with before:

[EMAIL PROTECTED] rob $ openssl s_client -connect axpr.net:993 -crlf
CONNECTED(00000003)
write:errno=104
[EMAIL PROTECTED] rob $ openssl s_client -tls1 -connect axpr.net:993 -crlf
CONNECTED(00000003)
write:errno=104
[EMAIL PROTECTED] rob $ openssl s_client -tls1 -connect axpr.net:222 -crlf
CONNECTED(00000003)
30696:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:286:
[EMAIL PROTECTED] rob $ openssl s_client -connect axpr.net:222 -crlf
CONNECTED(00000003)
30697:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:470:

I think that about covers my connection options.  Port 222 is w/o the --ssl
and port 993 is with the --ssl switch.

The logs to match up with those connections (in order):

Dec 15 09:55:53 linuxbox bincimap-up[5482]: Error initializing Binc IMAP: SSL negotiation failed: SSL error: cipher list undefined
Dec 15 09:56:04 linuxbox bincimap-up[5484]: Error initializing Binc IMAP: SSL negotiation failed: SSL error: cipher list undefined
Dec 15 09:56:14 linuxbox bincimap-up[5485]: Client connected to Binc IMAP from ?
Dec 15 09:56:14 linuxbox bincimap-up[5485]: Client disconnected
Dec 15 09:56:14 linuxbox bincimap-up[5485]: Unprivileged stub shutting down - read:0 bytes, wrote:0 bytes.
Dec 15 09:56:24 linuxbox bincimap-up[5486]: Client connected to Binc IMAP from ?
Dec 15 09:56:24 linuxbox bincimap-up[5486]: Client disconnected
Dec 15 09:56:24 linuxbox bincimap-up[5486]: Unprivileged stub shutting down - read:0 bytes, wrote:0 bytes.

Something is definitely still b0rk3d  :-\

> Furthermore, I don't know whether Binc requires access to the CA cert in
> order to run or not, but entering the filename won't hurt, that's for sure.
> (OpenSSL doesn't care, Binc might, although shouldn't when verify peer=no.)

Yeah, I adjusted it to closely match (different locations) your DIY
guide's SSL{} section.

> > 1)  Verify I can use Postfix and regular Maildir boxes with Binc
> 
> Yes. (<rant>Note that procmail can't make more than 10 deliveries of the
> same mail to the same folder - after that it breaks. Also, procmail doesn't
> use correct filenames for delivering to Maildirs, exactly because it's
> possible to deliver a message more than once to the same folder, and they
> didn't want to fork() per delivery, I guess. Blech, the procmail code is
> awful.</rant>)

I'm not using procmail to deliver messages system-wide... so that isn't
a concern.  Individual users (I do) can certainly use it by setting up a
.forward if they wish to... and I suppose most of 'em do (just a few
techy friends using the server for email)....

> > 2)  Figure out how to get TLS and SSL working
> 
> The openssl tool is your friend. openssl help and openssl command -help.
> You could also, and I suggest you do, read one or both of the CA guides on
> LWBI even if you don't intend to set up your own CA, to get to know openssl
> a little better.

I think I know it a bit better, and feel good for it... but things are
still not going anywhere.  I don't understand why I'm getting this
'cipher list undefined' error... suppose I could look in the source and
see where it comes from...

> > 3)  Provide a few pointers for future googlers running Slackware/Postfix
> 
> I'm also a slackware->gentoo user. Dunno. Still think I prefer Slackware on
> a server.. But I'm not sure. Oh well, that's another discussion.

Yeah, Slackware for the server, Gentoo for the laptop, Slackware for the
workstation...  :-)

Rob
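
Added example, not part of the original thread and not Binc IMAP code: a preflight check for the two things the thread asks about, a passphrase on the private key in the .pem and a cipher string that selects nothing. It assumes "cipher list undefined" means the configured string matched no ciphers (the thread does not confirm the cause), and it tests the string against the OpenSSL that Python links to, which may differ from the server's; the function names and sample PEM fragments are constructed.

```python
import re
import ssl

# Constructed PEM fragments (headers only, no real key material).
ENCRYPTED_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0000000000000000

constructed-placeholder
-----END RSA PRIVATE KEY-----
"""
PLAIN_PEM = """-----BEGIN RSA PRIVATE KEY-----
constructed-placeholder
-----END RSA PRIVATE KEY-----
"""


def key_needs_passphrase(pem_text):
    """True if the PEM text holds a passphrase-encrypted private key."""
    if "-----BEGIN ENCRYPTED PRIVATE KEY-----" in pem_text:  # PKCS#8 form
        return True
    # The traditional key format marks encryption with a Proc-Type header.
    return re.search(r"^Proc-Type:\s*4,ENCRYPTED", pem_text, re.M) is not None


def selected_ciphers(cipher_string):
    """Names of the TLS <= 1.2 suites the local OpenSSL picks, [] if none."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:  # raised when the string selects no cipher
        return []
    # set_ciphers() does not govern TLS 1.3 suites, so leave them out.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def preflight(pem_text, cipher_string):
    """Return a list of problems found before the server is started."""
    problems = []
    if "PRIVATE KEY-----" not in pem_text:
        problems.append("no private key block in PEM")
    elif key_needs_passphrase(pem_text):
        problems.append("private key is passphrase-protected")
    if not selected_ciphers(cipher_string):
        problems.append("cipher string selects no ciphers")
    return problems


if __name__ == "__main__":
    print(preflight(ENCRYPTED_PEM, "NOSUCHCIPHER"))
    print(preflight(PLAIN_PEM, "HIGH:!aNULL"))
```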
