Re: v2.2.20 release candidate released

2015-12-08 Thread Gedalya

On 12/06/2015 07:19 AM, Gerhard Wiesinger wrote:
> Session tickets are broken by DESIGN as they violate PFS (Perfect 
> Forward Secrecy). If you can steal one AES key (all session tickets 
> are encrypted for server lifetime with only one key) you can decrypt 
> ALL sessions ever made with session tickets for the future.


I'm in no way an expert or an authority, but it is my understanding that 
there being only one key for the server's lifetime is not exactly by 
design, rather (sloppy) implementation. See [0] as an example of at 
least a discussion on key rotation or even smooth rollover.
Perhaps in a perfect world, those who don't find a session cache 
suitable could instead use a better implementation of session tickets. 
Until of course someone takes security shaming to the next level and 
declares session tickets unconditionally evil. Notably, Qualys isn't 
doing that yet. Even Google is currently otherwise engaged. 
Superficially speaking, both approaches sound like a matter of securing 
server memory space and rotating things out frequently.


[0] http://mailman.nginx.org/pipermail/nginx-devel/2013-October/004373.html
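The key-rotation point raised above, worked through as an added example that is not part of this thread and is not Dovecot, nginx or OpenSSL code: a toy session-ticket key ring in which the newest key issues tickets, older keys are kept only long enough to decrypt tickets already in circulation, and anything older is discarded. `TicketKeyRing`, `seal`, `unseal` and `tickets_exposed_by` are invented names, the timings are made up, and HMAC-SHA256 in counter mode stands in for AES so the block runs on the Python standard library alone.

```python
"""Toy model of a TLS session-ticket key ring with rotation (illustration only)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

KEY_ID_LEN = 4
NONCE_LEN = 16
TAG_LEN = 32


def _subkeys(key: bytes):
    """Derive separate encryption and MAC subkeys from one ticket key."""
    enc = hmac.new(key, b"ticket-enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"ticket-mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC in counter mode as a stand-in for AES-CTR (toy construction, not for real use)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC a session secret under one ticket key: nonce || ciphertext || tag."""
    enc, mac = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None if the tag does not verify under this key."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(mac, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc, nonce, len(ct))))


@dataclass
class TicketKeyRing:
    """Newest key issues tickets; older keys only decrypt, then are dropped (hypothetical design)."""
    rotate_after: float          # seconds a key is used to issue new tickets
    retain_for: float            # extra seconds an old key may still decrypt
    keys: list = field(default_factory=list)   # (key_id, key, created_at), newest first

    def _prune(self, now: float) -> None:
        limit = self.rotate_after + self.retain_for
        self.keys = [k for k in self.keys if now - k[2] <= limit]

    def _current(self, now: float):
        if not self.keys or now - self.keys[0][2] > self.rotate_after:
            self.keys.insert(0, (os.urandom(KEY_ID_LEN), os.urandom(32), now))
        self._prune(now)
        return self.keys[0]

    def issue(self, session_secret: bytes, now: float) -> bytes:
        key_id, key, _ = self._current(now)
        return key_id + seal(key, session_secret)

    def resume(self, ticket: bytes, now: float):
        """Recover the session secret, or None (the client then does a full handshake)."""
        self._prune(now)
        key_id, blob = ticket[:KEY_ID_LEN], ticket[KEY_ID_LEN:]
        for kid, key, _ in self.keys:
            if kid == key_id:
                return unseal(key, blob)
        return None


def tickets_exposed_by(key: bytes, tickets) -> list:
    """Tickets a holder of `key` can decrypt: the blast radius of one key compromise."""
    return [t for t in tickets if unseal(key, t[KEY_ID_LEN:]) is not None]
```

With rotation, a stolen key decrypts only tickets issued inside its `rotate_after + retain_for` window, and a key that has been discarded cannot be stolen from memory at all; with a single key for the server's lifetime, `tickets_exposed_by` returns every ticket ever issued, which is the loss of forward secrecy described earlier in the thread.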


Re: v2.2.20 release candidate released

2015-12-06 Thread Gerhard Wiesinger

On 06.12.2015 13:10, Timo Sirainen wrote:

> On 05 Dec 2015, at 11:32, Gerhard Wiesinger  wrote:
> 
>> Is it possible to configure the secure session caching mechanism?
>> e.g. like in nginx: https://bjornjohansen.no/optimizing-https-nginx
> 
> I remember hearing about various security vulnerabilities in that earlier.. I 
> guess they're fixed now then, unless people find more ways to exploit it. 
> Anyway I'm not sure how useful it would actually even be for most IMAP/POP3 
> servers, because most clients don't connect all that often. Or I guess it might 
> help some clients that create multiple connections immediately.
> 
> Then again, we are planning on adding some HTTP(S)-based services to Dovecot 
> and there it would likely be more useful. So I guess it gets implemented at 
> some point.




Session tickets are broken by DESIGN as they violate PFS (Perfect 
Forward Secrecy). If you can steal one AES key (all session tickets are 
encrypted for server lifetime with only one key) you can decrypt ALL 
sessions ever made with session tickets for the future. This violates 
PFS (Perfect Forward Secrecy) as only server side "parameters" are 
relevant from now on.


Yes, session caching should reduce server load on multiple connections.

See e.g. https://community.qualys.com/thread/15768

Therefore it would be great if you could implement the secure session 
caching mechanism.


As Gedalya mentioned OCSP would be great, too.

Ciao,
Gerhard


Re: v2.2.20 release candidate released

2015-12-06 Thread Timo Sirainen
On 05 Dec 2015, at 11:32, Gerhard Wiesinger  wrote:
> 
> Is it possible to configure the secure session caching mechanism?
> e.g. like in nginx: https://bjornjohansen.no/optimizing-https-nginx

I remember hearing about various security vulnerabilities in that earlier.. I 
guess they're fixed now then, unless people find more ways to exploit it. 
Anyway I'm not sure how useful it would actually even be for most IMAP/POP3 
servers, because most clients don't connect all that often. Or I guess it might 
help some clients that create multiple connections immediately.

Then again, we are planning on adding some HTTP(S)-based services to Dovecot 
and there it would likely be more useful. So I guess it gets implemented at 
some point.


Re: v2.2.20 release candidate released

2015-12-05 Thread Gedalya

On 12/05/2015 04:32 AM, Gerhard Wiesinger wrote:

> like in nginx


And OCSP Stapling would be nice too :-)


Re: v2.2.20 release candidate released

2015-12-05 Thread Gerhard Wiesinger

On 03.12.2015 14:51, Timo Sirainen wrote:

> http://dovecot.org/releases/2.2/rc/dovecot-2.2.20.rc1.tar.gz
> http://dovecot.org/releases/2.2/rc/dovecot-2.2.20.rc1.tar.gz.sig
> 
> v2.2.20 probably will be released tomorrow or maybe during weekend.
> 
>  + ssl_options: Added support for no_ticket



Hello Timo,

great to see that insecure session tickets (violating PFS) can be disabled.

Is it possible to configure the secure session caching mechanism?
e.g. like in nginx: https://bjornjohansen.no/optimizing-https-nginx

Thnx.

Ciao,
Gerhard


Re: v2.2.20 release candidate released

2015-12-04 Thread James

On 03/12/2015 13:51, Timo Sirainen wrote:


> http://dovecot.org/releases/2.2/rc/dovecot-2.2.20.rc1.tar.gz


I see a clash with the pigeonhole 0.4.9 preventing compilation of 
pigeonhole.


"sieve-settings.c", line 14: identifier redeclared: t_str_trim
	current : static function(pointer to const char) returning pointer to 
const char
	previous: function(pointer to const char, pointer to const char) 
returning pointer to const char : "/.../dovecot/strfuncs.h", line 60




pigeonhole src/lib-sieve/sieve-settings.c line 13 says:
// FIXME: add to dovecot

Looks like it's added to dovecot but not removed from pigeonhole.



Otherwise it is working for me, I am using 2.2.20.rc1 on a lightly 
loaded Solaris 10 system.


Re: v2.2.20 release candidate released

2015-12-04 Thread Sami Ketola

> On 04 Dec 2015, at 11:41, James  wrote:
> 
> pigeonhole src/lib-sieve/sieve-settings.c line 13 says:
> // FIXME: add to dovecot
> 
> Looks like it's added to dovecot but not removed from pigeonhole.
> 

Stephan will soon release pigeonhole 0.4.10rc for dovecot 2.2.20 that will fix 
this issue.

Sami

Re: [Dovecot-news] v2.2.20 release candidate released

2015-12-03 Thread Timo Sirainen

> On 03 Dec 2015, at 16:09, Thomas Leuxner  wrote:
> 
> * Timo Sirainen  2015.12.03 14:51:
> 
>> + Added mailbox { autoexpunge= } setting. See
>>   http://wiki2.dovecot.org/MailboxSettings for details.
> 
> namespace inbox {
>   mailbox Trash {
>     autoexpunge = 5 days
>     special_use = \Trash
>   }
> }
> 
> I'm using autoexpunge on the Trash mailbox. Looking at the wiki text I'm 
> unclear on how to limit it to a specific service:
> 
>> So it may be better to explicitly enable this only inside protocol imap, 
>> pop3 and maybe lmtp.

namespace inbox {
  mailbox Trash {
    special_use = \Trash
  }
}

protocol imap {
  namespace inbox {
    mailbox Trash {
      autoexpunge = 5 days
    }
  }
}

If you want it for other protocols, you'll unfortunately have to just 
copy the entire block.


v2.2.20 release candidate released

2015-12-03 Thread Timo Sirainen
http://dovecot.org/releases/2.2/rc/dovecot-2.2.20.rc1.tar.gz
http://dovecot.org/releases/2.2/rc/dovecot-2.2.20.rc1.tar.gz.sig

v2.2.20 probably will be released tomorrow or maybe during weekend.

 + Added mailbox { autoexpunge= } setting. See
   http://wiki2.dovecot.org/MailboxSettings for details.
 + ssl_options: Added support for no_ticket
 + imap/pop3/managesieve-login: Added postlogin_socket=path passdb extra
   field. This allows replacing the default service
   imap/pop3/managesieve {} settings for specific users (e.g. running
   their imap process via valgrind or strace).
 + doveadm fetch: Added date.sent/received/saved.unixtime
 + fs-posix: Added mode=auto parameter to set the created files' and
   directories' mode based on the parent dir if it has setgid-bit.
 + director: Support backends having hostnames, which makes it possible
   to verify their SSL certificates.
 - director: Directors' state became desynchronized if doveadm director
   commands were used to modify the same backend in multiple directors
   at the same time with conflicting changes. This fix includes some
   extra checks, which makes sure that if such a conflict still happens
   it's automatically fixed. In some situations such an automatic fix
   may now be unnecessarily triggered and an error logged.
 - director: Backend tags weren't working correctly.
 - ldap: tls_* settings weren't used for ldaps URIs.
 - ldap, mysql: Fixed setting connect timeout.
 - auth: userdb lookups via auth-worker couldn't change username
 - dsync: Fixed handling deleted directories. Make sure we don't go to
   infinite mailbox renaming loop.
 - imap: Fixed crash in NOTIFY when there were watched namespaces that
   didn't support NOTIFY.
 - imap: After SETMETADATA was used, various commands (especially FETCH)
   could have started hanging when their output was large.
 - stats: Idle sessions weren't refreshed often enough, causing stats
   process to forget them and log errors about unknown sessions when
   they were updated later.
 - stats: Fixed "Duplicate session ID" errors when LMTP delivered to
   multiple recipients and fts_autoindex=yes.
 - zlib plugin: Fixed copying causing cache corruption when zlib_save
   wasn't set, but the source message was compressed.
 - fts-solr: Fixed escaping Solr query parameters.


Re: [Dovecot-news] v2.2.20 release candidate released

2015-12-03 Thread Thomas Leuxner
* Timo Sirainen  2015.12.03 15:27:

> protocol imap {
>   namespace inbox {
>     mailbox Trash {
>       autoexpunge = 5 days
>     }
>   }
> }

Thanks.




Re: [Dovecot-news] v2.2.20 release candidate released

2015-12-03 Thread Thomas Leuxner
* Timo Sirainen  2015.12.03 14:51:

>  + Added mailbox { autoexpunge= } setting. See
>    http://wiki2.dovecot.org/MailboxSettings for details.

namespace inbox {
  mailbox Trash {
    autoexpunge = 5 days
    special_use = \Trash
  }
}

I'm using autoexpunge on the Trash mailbox. Looking at the wiki text I'm 
unclear on how to limit it to a specific service:

>So it may be better to explicitly enable this only inside protocol imap, pop3 
>and maybe lmtp.

Regards
Thomas

