Re: Problems with SSL [SOLVED]

2016-11-30 Thread Infraestructura TIC - UNNOBA via Info-cyrus
Thanks, Michael.


On 30/11/16 at 06:03, Michael Menge via Info-cyrus wrote:
> Hi,
>
>
> Quoting Infraestructura TIC - UNNOBA via Info-cyrus
> :
>
>> Hello!
>> I've been using cyrus on a Debian VM for several years, but now SSL has
>> started to fail:
>>
>> Nov 29 13:05:58 server1 cyrus/imaps[9595]: inittls: Loading
>> hard-coded DH parameters
>> Nov 29 13:05:58 server1 cyrus/imaps[9595]: imaps TLS negotiation
>> failed: [2801:0:140:f42:f3fa:b0b2:4ab1:8d10]
>>
>> I tried with self-signed certificates, and third-party ones, but the
>> result is the same.
>> I spent two days trying to figure out what happened, without results.
>>
>> #openssl s_client -connect mail.server.test:993 -crlf -state
>> CONNECTED(0003)
>> SSL_connect:before SSL initialization
>> SSL_connect:SSLv3/TLS write client hello
>> SSL3 alert read:fatal:handshake failure
>> SSL_connect:error in SSLv3/TLS write client hello
>> 140019483313280:error:14094410:SSL routines:ssl3_read_bytes:sslv3
>> alert handshake failure:ssl/record/rec_layer_s3.c:1388:SSL alert number
>> 40
>> ---
>> no peer certificate available
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 7 bytes and written 176 bytes
>> Verification: OK
>> ---
>> New, (NONE), Cipher is (NONE)
>
> I believe the server and client have no SSL/TLS version and/or Cipher
> in common and
> therefore can't establish an encrypted connection.
>
> Some time ago I found an SSL server test suite,
> https://github.com/drwetter/testssl.sh
> which tries to do what https://www.ssllabs.com/ does for web servers,
> but for all protocols
> and for servers not reachable from the internet.
>
> You might want to check your server with ./testssl.sh
> mail.server.test:993
>

I tried with testssl.sh and sslscan, and both tools reported that TLS was
not working on Cyrus.

"  TLS renegotiation:
   Secure session renegotiation supported"

and

"
 Testing protocols (via sockets except TLS 1.2, SPDY+HTTP2)

 SSLv2   not offered (OK)
 SSLv3   not offered (OK)
 TLS 1   not offered
 TLS 1.1 not offered
 *TLS 1.2 not offered*
 SPDY/NPN(SPDY is an HTTP protocol and thus not tested here)
 HTTP2/ALPN  (HTTP/2 is a HTTP protocol and thus not tested here)

"


I solved it by specifying ciphers in this way (in /etc/imapd.conf):

tls_ciphers:
EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA

instead of

tls_ciphers: TLSv1+HIGH:!aNULL:@STRENGTH


And now, TLS 1.2 is working.

Thanks!

>
>> Secure Renegotiation IS NOT supported
>> Compression: NONE
>> Expansion: NONE
>> No ALPN negotiated
>> SSL-Session:
>> Protocol  : TLSv1.2
>> Cipher: 
>> Session-ID:
>> Session-ID-ctx:
>> Master-Key:
>> PSK identity: None
>> PSK identity hint: None
>> SRP username: None
>> Start Time: 1480435442
>> Timeout   : 7200 (sec)
>> Verify return code: 0 (ok)
>> Extended master secret: no
>> ---
>>
>>
>> I'm using these versions:
>>
>> cyrus-admin   2.5.10-2
>> cyrus-clients 2.5.10-2
>> cyrus-common  2.5.10-2
>> cyrus-doc 2.5.10-2
>> cyrus-imapd   2.5.10-2
>> cyrus-murder  2.5.10-2
>> cyrus-pop3d   2.5.10-2
>> cyrus-replication 2.5.10-2
>>
>>
>>
>> Both certificate and key are accessible by user cyrus. Certificate is
>> up-to-date.
>>
>> This is the config:
>>
>> $sudo -u cyrus /usr/lib/cyrus/bin/cyr_info  conf
>> [...]
>> tls_ciphers: TLSv1+HIGH:!aNULL:@STRENGTH
>> tls_client_ca_dir: /etc/ssl/certs
>> tls_client_ca_file: /etc/ssl/certs/cyrus.pem
>> tls_server_cert: /etc/ssl/certs/cyrus.pem
>> tls_server_key: /etc/ssl/private/cyrus.key
>> tls_session_timeout: 0
>> [...]
>>
>>
>> And before I declared myself "I'm completely lost", I was watching
>> entropy ... but it is ok.
>>
>> #cat /proc/sys/kernel/random/entropy_avail
>> 2354
>>
>>
>>
>> Any suggestions?
>>
>> Thanks in advance!
>>
>>
>>
>> Javier.-
>>
>>
>> 
>> Cyrus Home Page: http://www.cyrusimap.org/
>> List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
>> To Unsubscribe:
>> https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
>
>
>
> 
>
> M.MengeTel.: (49) 7071/29-70316
> Universität Tübingen   Fax.: (49) 7071/29-5912
> Zentrum für Datenverarbeitung  mail:
> michael.me...@zdv.uni-tuebingen.de
> Wächterstraße 76
> 72074 Tübingen
>
> 
> 
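
As an added example for this thread (not code from the list or from Cyrus): the script below expands a tls_ciphers string with the OpenSSL that Python's ssl module is linked against and reports what is left, which is the check to run before reloading a cipher string into imapd.conf. The two strings are the ones from the message above (the one that failed and the one the poster switched to); the functions, the classification and the names are the example's own. It does not contact any server and it cannot tell you why the old string stopped working on that 2016 box, since the expansion of an alias like `TLSv1+HIGH` depends on the OpenSSL version Cyrus was built against; what it does show is whether a string expands to anything at all (an empty result is the "no cipher match" state in which a server can only answer a ClientHello with a handshake_failure alert, alert 40 in the s_client output above) and what the replacement lets through, including the two plain-RSA key-exchange suites appended at its end, which give no forward secrecy.

```python
"""Expand an OpenSSL cipher string the way a tls_ciphers value is applied,
and report what is left.

Added example, not Cyrus code.  It asks the OpenSSL linked into Python's
ssl module, so results depend on that library's version and on its
compiled-in or configured security level.
"""
import ssl

# Both strings are quoted from the thread: the one that failed and the
# replacement that made TLS 1.2 work again on that server.
OLD_TLS_CIPHERS = "TLSv1+HIGH:!aNULL:@STRENGTH"
NEW_TLS_CIPHERS = ("EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:"
                   "EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:"
                   "!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:"
                   "CAMELLIA128-SHA:AES128-SHA")


def expand_cipher_string(cipher_string):
    """Return the TLS <= 1.2 suites OpenSSL selects for cipher_string.

    An empty list means OpenSSL rejected the string outright (no cipher
    could be selected).  TLS 1.3 suites are governed by a separate setting
    (SSL_CTX_set_ciphersuites), so they are filtered out here to show only
    what the legacy cipher string controls.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def no_forward_secrecy(suites):
    """Suites whose key exchange is plain RSA: a leaked server key
    decrypts recorded traffic.  The replacement string appends two."""
    return [c for c in suites if c["kea"] == "kx-rsa"]


def non_aead(suites):
    """CBC/HMAC suites, i.e. everything that is not an AEAD suite."""
    return [c for c in suites if not c["aead"]]


def summarize(cipher_string):
    """Small report on one cipher string, as a dict."""
    suites = expand_cipher_string(cipher_string)
    return {
        "total": len(suites),
        "rejected": not suites,
        "no_pfs": [c["name"] for c in no_forward_secrecy(suites)],
        "non_aead": [c["name"] for c in non_aead(suites)],
        "auths": sorted({str(c["auth"]) for c in suites}),
    }


if __name__ == "__main__":
    print("OpenSSL in use:", ssl.OPENSSL_VERSION)
    for label, value in (("old", OLD_TLS_CIPHERS), ("new", NEW_TLS_CIPHERS)):
        report = summarize(value)
        print(f"\n{label}: {value}")
        if report["rejected"]:
            print("  rejected by OpenSSL: no suite matches")
            continue
        print(f"  {report['total']} suites, auth types {report['auths']}")
        print(f"  without forward secrecy: {report['no_pfs']}")
        print(f"  non-AEAD (CBC/HMAC):     {report['non_aead']}")
```

Run it on the mail server itself, with the Python that links the same OpenSSL as Cyrus, or the answer describes a different library. A rejected string is the one case that is unambiguous on any version; for everything else, testssl.sh against port 993, as suggested in the thread, remains the check that tells you what the running daemon actually offers.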

Re: Did calculating the quota change from 2.3 to 2.5?

2016-11-30 Thread Adam Tauno Williams via Info-cyrus
> > If you use imapsync, it doesn't know about that, and will upload
> > the same message twice. 2.5 doesn't have the smarts to recognise
> > that it's the same message.
> imapsync can only sync mail the old server knows about. And in the
> end there is more quota used on the new server!?
> The only explanation is the quota on the old server is broken, isn't
> it?

No, IMAP doesn't know about deduplication;  so imapsync between two
servers de-deduplicates.  imapsync may also repair damaged or missing
message headers - meaning the messages are no longer the same - so
a tool like hardlinks will not return you to the same count in du as on
the old server.

And then there is the [virtuous] issue of delayed expunge.

-- 
Adam Tauno Williams  GPG D95ED383
Systems Administrator, Python Developer, LPI / NCLA

Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus


Re: Did calculating the quota change from 2.3 to 2.5?

2016-11-30 Thread Marc Patermann via Info-cyrus

Bron,

On 29.11.2016 at 22:18, Bron Gondwana wrote:

> Quota is a sum of byte sizes of raw unexpunged messages. It doesn't
> deduplicate. Likely issue is incorrect quota_mailbox_used in the
> cyrus.index header on 2.3. A reconstruct will fix those, then quota
> -f again.

Does not change anything.

> It's not related to du.
>
> The problem with imapsync is that it doesn't handle single instance
> store. If you have copied messages or delivered them into multiple
> mailboxes with sieve, they will have hard links on disk.
>
> If you use imapsync, it doesn't know about that, and will upload the
> same message twice. 2.5 doesn't have the smarts to recognise that
> it's the same message.

imapsync can only sync mail the old server knows about. And in the end
there is more quota used on the new server!?

The only explanation is the quota on the old server is broken, isn't it?

Marc

Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
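
As an added example for the quota exchange above (not code from the list or from Cyrus): the replies state that the quota is a per-message byte sum while du counts each inode once, so a spool with single-instance-store hard links shows a smaller du than quota, and an imapsync copy, which uploads every link as a separate message, loses that saving. The script below measures exactly that gap on a spool directory: the total counted once per directory entry versus once per inode, plus the number of hard-linked copies. It assumes the Cyrus layout of one `<uid>.` file per message and skips the `cyrus.*` metadata files; it does not read cyrus.index, so it is an estimate of the per-message byte sum rather than the number `quota` reports. The sample spool it builds is constructed for the demonstration.

```python
"""Compare a per-link byte total (what a per-message size sum sees) with a
per-inode byte total (what du sees) over a Cyrus-style spool.

Added example, not Cyrus code.  It does not parse cyrus.index, so the
per-link figure approximates the quota sum rather than reproducing it.
"""
import os
import re
import tempfile

# Cyrus stores each message as a file named "<uid>." in the mailbox
# directory; cyrus.index, cyrus.cache etc. are metadata and not counted.
MESSAGE_FILE = re.compile(r"^\d+\.$")


def spool_sizes(root):
    """Walk root and return (per_link_bytes, per_inode_bytes, extra_links).

    per_link_bytes  counts every message file once per directory entry,
                    as a sum of message sizes over all mailboxes does.
    per_inode_bytes counts each inode once, as du does, so hard links made
                    by single-instance store are not counted twice.
    extra_links     is the number of directory entries that shared an inode
                    already seen: copies that cost no extra disk.
    """
    per_link = 0
    per_inode = 0
    extra_links = 0
    seen = set()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not MESSAGE_FILE.match(name):
                continue
            st = os.lstat(os.path.join(dirpath, name))
            per_link += st.st_size
            key = (st.st_dev, st.st_ino)
            if key in seen:
                extra_links += 1
            else:
                seen.add(key)
                per_inode += st.st_size
    return per_link, per_inode, extra_links


def build_sample_spool(root):
    """Constructed sample, not real mail: three mailbox directories, one
    1000-byte message present in two of them as a hard link (the way
    single-instance store delivers one message to several mailboxes), one
    unrelated 500-byte message, and a metadata file that must be ignored."""
    inbox = os.path.join(root, "user", "alice")
    lists = os.path.join(root, "user", "alice", "lists")
    other = os.path.join(root, "user", "bob")
    for d in (inbox, lists, other):
        os.makedirs(d, exist_ok=True)
    with open(os.path.join(inbox, "1."), "wb") as f:
        f.write(b"X" * 1000)
    os.link(os.path.join(inbox, "1."), os.path.join(lists, "1."))
    with open(os.path.join(other, "1."), "wb") as f:
        f.write(b"Y" * 500)
    with open(os.path.join(inbox, "cyrus.index"), "wb") as f:
        f.write(b"\0" * 4096)


def demo():
    """Build the sample spool in a temporary directory and measure it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_spool(root)
        return spool_sizes(root)


if __name__ == "__main__":
    per_link, per_inode, extra = demo()
    print(f"per-link total (quota-style): {per_link} bytes")
    print(f"per-inode total (du-style):   {per_inode} bytes")
    print(f"hard-linked copies:           {extra}")
```

Pointed at a real spool (`spool_sizes("/var/spool/cyrus/mail")` or wherever `partition-default` lives), the difference between the two totals is the disk the old server saved through hard links and the new server will need after imapsync, since each uploaded copy becomes its own inode. It says nothing about expunged-but-not-yet-deleted messages, which sit on disk without counting toward quota; those need cyrus.expunge, not a directory walk.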


Re: Problems with SSL

2016-11-30 Thread Michael Menge via Info-cyrus

Hi,


Quoting Infraestructura TIC - UNNOBA via Info-cyrus
:

> Hello!
> I've been using cyrus on a Debian VM for several years, but now SSL has started to fail:
>
> Nov 29 13:05:58 server1 cyrus/imaps[9595]: inittls: Loading
> hard-coded DH parameters
> Nov 29 13:05:58 server1 cyrus/imaps[9595]: imaps TLS negotiation
> failed: [2801:0:140:f42:f3fa:b0b2:4ab1:8d10]
>
> I tried with self-signed certificates, and third-party ones, but the
> result is the same.
> I spent two days trying to figure out what happened, without results.
>
> #openssl s_client -connect mail.server.test:993 -crlf -state
> CONNECTED(0003)
> SSL_connect:before SSL initialization
> SSL_connect:SSLv3/TLS write client hello
> SSL3 alert read:fatal:handshake failure
> SSL_connect:error in SSLv3/TLS write client hello
> 140019483313280:error:14094410:SSL routines:ssl3_read_bytes:sslv3
> alert handshake failure:ssl/record/rec_layer_s3.c:1388:SSL alert number
> 40
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 176 bytes
> Verification: OK
> ---
> New, (NONE), Cipher is (NONE)


I believe the server and client have no SSL/TLS version and/or Cipher
in common and therefore can't establish an encrypted connection.

Some time ago I found an SSL server test suite,
https://github.com/drwetter/testssl.sh
which tries to do what https://www.ssllabs.com/ does for web servers,
but for all protocols and for servers not reachable from the internet.

You might want to check your server with ./testssl.sh mail.server.test:993



> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
> Protocol  : TLSv1.2
> Cipher:
> Session-ID:
> Session-ID-ctx:
> Master-Key:
> PSK identity: None
> PSK identity hint: None
> SRP username: None
> Start Time: 1480435442
> Timeout   : 7200 (sec)
> Verify return code: 0 (ok)
> Extended master secret: no
> ---
>
>
> I'm using these versions:
>
> cyrus-admin   2.5.10-2
> cyrus-clients 2.5.10-2
> cyrus-common  2.5.10-2
> cyrus-doc 2.5.10-2
> cyrus-imapd   2.5.10-2
> cyrus-murder  2.5.10-2
> cyrus-pop3d   2.5.10-2
> cyrus-replication 2.5.10-2
>
>
> Both certificate and key are accessible by user cyrus. Certificate is
> up-to-date.
>
> This is the config:
>
> $sudo -u cyrus /usr/lib/cyrus/bin/cyr_info  conf
> [...]
> tls_ciphers: TLSv1+HIGH:!aNULL:@STRENGTH
> tls_client_ca_dir: /etc/ssl/certs
> tls_client_ca_file: /etc/ssl/certs/cyrus.pem
> tls_server_cert: /etc/ssl/certs/cyrus.pem
> tls_server_key: /etc/ssl/private/cyrus.key
> tls_session_timeout: 0
> [...]
>
>
> And before I declared myself "I'm completely lost", I was watching
> entropy ... but it is ok.
>
> #cat /proc/sys/kernel/random/entropy_avail
> 2354
>
>
> Any suggestions?
>
> Thanks in advance!
>
>
> Javier.-
>
>
> Cyrus Home Page: http://www.cyrusimap.org/
> List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
> To Unsubscribe:
> https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus

M.MengeTel.: (49) 7071/29-70316
Universität Tübingen   Fax.: (49) 7071/29-5912
Zentrum für Datenverarbeitung  mail:  
michael.me...@zdv.uni-tuebingen.de

Wächterstraße 76
72074 Tübingen


Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus