Re: [courier-users] Blocking Brute Force Auth Attacks

[Gordon Messmer]

On 07/08/2016 03:04 PM, Alexei Batyr' wrote:
>
> Unfortunately spamers/fishers et al. already mastered SSL and STARTTLS and
> successfully use them in brute force and other attacks.

I'd expect so.  I didn't recommend TLS as a measure against brute-force 
attacks, I recommended it to protect passwords from leaking on untrusted 
networks.  Authentication should always be done on a secure channel.

> Account locking seems not a good idea: attacker could easily and quickly
> block all known to him user accounts on particular server.

And yet, temporary lockout is still a fairly standard practice.  The 
lockouts don't need to be very long to be effective if your passwords 
aren't based on dictionary words.

> Fail2ban blocks
> attacker's IPs instead, leaving legitimate user access to his mail.

Yes, fail2ban is a good tool and I advocate its use.  However, it should 
be noted that fail2ban does not support IPv6, so attackers can use that 
network to avoid blacklisting for now.

Your toolbox should have more than one tool.


--
Attend Shape: An AT Tech Expo July 15-16. Meet us at AT Park in San
Francisco, CA to explore cutting-edge tech and listen to tech luminaries
present their vision of the future. This family event has something for
everyone, including kids. Get more information and register today.
http://sdm.link/attshape
___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users

Re: [courier-users] Blocking Brute Force Auth Attacks

[SZÉPE Viktor]

You may discover some networks that are malicious (shadow nets)
I maintain a list of these
https://github.com/szepeviktor/debian-server-tools/tree/master/security/myattackers-ipsets

Use the shell scripts provided. And take a look at iptables rule  
counters weekly so you know how successful they are.

Chain myattackers-ipset (1 references)
  pkts bytes target prot opt in out source
destination
 0 0 REJECT all  --  *  *   0.0.0.0/0 
0.0.0.0/0match-set spidernet src reject-with  
icmp-port-unreachable
   240 12305 REJECT all  --  *  *   0.0.0.0/0 
0.0.0.0/0match-set sks-lugan src reject-with  
icmp-port-unreachable
   249 11847 REJECT all  --  *  *   0.0.0.0/0 
0.0.0.0/0match-set shodan-io src reject-with  
icmp-port-unreachable
   105  4280 REJECT all  --  *  *   0.0.0.0/0 
0.0.0.0/0match-set security-scorecard src reject-with  
icmp-port-unreachable
 140 REJECT all  --  *  *   0.0.0.0/0 
0.0.0.0/0match-set mirtelematiki src reject-with  
icmp-port-unreachable
 0 0 REJECT all  --  *  *   0.0.0.0/0 
0.0.0.0/0match-set lu-root src reject-with  
icmp-port-unreachable
 0 0 REJECT all  --  *  *   0.0.0.0/0 
0.0.0.0/0match-set leonlundberg src reject-with  
icmp-port-unreachable
 3   120 REJECT all  --  *  *   0.0.0.0/0 
0.0.0.0/0match-set hostkey src reject-with  
icmp-port-unreachable
13   672 REJECT all  --  *  *   0.0.0.0/0 
0.0.0.0/0match-set ering.pl src reject-with  
icmp-port-unreachable
17   680 REJECT all  --  *  *   0.0.0.0/0 
0.0.0.0/0match-set elan.pl src reject-with  
icmp-port-unreachable
  1002 40883 REJECT all  --  *  *   0.0.0.0/0 
0.0.0.0/0match-set ecatel src reject-with  
icmp-port-unreachable
4657K 1595M RETURN all  --  *  *   0.0.0.0/00.0.0.0/0

For example ecatel could have 1002 Courier authentication attacks  
without these rules.




Idézem/Quoting Alexei Batyr' :

> Gordon Messmer writes:
>
>> Authentication over plain text is only allowed if ESMTPAUTH is set in
>> etc/courier/esmtpd.  To maintain password security, that setting should
>> be empty.  Instead, use ESMTPAUTH_TLS to enable authentication only
>> after TLS is initialized.
>
> Unfortunately spamers/fishers et al. already mastered SSL and STARTTLS and
> successfully use them in brute force and other attacks.
>
>> I wrote earlier that protecting authentication with encryption would
>> leave you with only tools like fail2ban.  I should have mentioned that
>> the other good option is using an authentication backend that'll lock
>> accounts temporarily when there are repeated auth failures.
>
> Account locking seems not a good idea: attacker could easily and quickly
> block all known to him user accounts on particular server. Fail2ban blocks
> attacker's IPs instead, leaving legitimate user access to his mail.
> Probably better solution would be a similar blocking at MTA level, without
> log parsing and firing firewall rules.
>
> Just FYI: fail2ban block list of my relatively small mail server (approx.
> 350 users) now contains more than 1500 IPs. Additional advantage - reducing
> overall load to the server because blocked botnet members never more make
> continuous connections to the MTA.
>
> --
> Alexei.
>
> --
> Attend Shape: An AT Tech Expo July 15-16. Meet us at AT Park in San
> Francisco, CA to explore cutting-edge tech and listen to tech luminaries
> present their vision of the future. This family event has something for
> everyone, including kids. Get more information and register today.
> http://sdm.link/attshape
> ___
> courier-users mailing list
> courier-users@lists.sourceforge.net
> Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users



SZÉPE Viktor
-- 
+36-20-4242498  s...@szepe.net  skype: szepe.viktor
Budapest, III. kerület





--
Attend Shape: An AT Tech Expo July 15-16. Meet us at AT Park in San
Francisco, CA to explore cutting-edge tech and listen to tech luminaries
present their vision of the future. This family event has something for
everyone, including kids. Get more information and register today.
http://sdm.link/attshape
___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users

Re: [courier-users] Blocking Brute Force Auth Attacks

[SZÉPE Viktor]

Please consider reading and understanding these Courier ban rules:

https://github.com/szepeviktor/debian-server-tools/tree/master/security/fail2ban-conf/filter.d


Idézem/Quoting Sam Varshavchik :

> Nathan Harris writes:
>
>> For a while now our server has been seeing a lot of brute force
>> authentication attacks.  Of course the source of these attacks is
>> constantly changing.  My firewall (pfSense) is running Snort and I am
>> using the following custom rules to help.
>>
>> alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP AUTH brute
>> force attack"; content:"535 Authentication failed."; nocase;
>> classtype:attempted-user; threshold:type threshold, track by_src, count
>> 2, seconds 60; sid:1000500; rev:6;)
>>
>> alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP ERROR
>> potential spam or malware bot"; content:"502 ESMTP command error";
>> nocase; classtype:policy-violation; threshold:type threshold, track
>> by_src, count 2, seconds 60; sid:1000501; rev:4;)
>>
>> alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP SPAMHAUS
>> potential spam or malware bot"; content:"511 https://www.spamhaus.org;;
>> nocase; classtype:policy-violation; threshold:type threshold, track
>> by_src, count 1, seconds 60; sid:1000502; rev:4;)
>>
>> alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP SPAM detected
>> spam or malware bot"; content:"554 Mail rejected - spam detected";
>> nocase; classtype:policy-violation; threshold:type threshold, track
>> by_src, count 1, seconds 60; sid:1000503; rev:2;)
>>
>> This is working fairly well.  However, it would also be good to
>> immediately block an IPs when an invalid user name is specified.  I have
>> looked at Fail2Ban which does a similar operation to what I'm doing
>> (except on the mail server's firewall).  Is there anything more
>> sophisticated or a better approach to solving this problem?
>
> You should check the timestamps in the maillog. Courier's automatic  
> tarpitting and rate limit is pretty good at keeping things under  
> control.
>
> Also, check whether or not you really need to enable authenticated  
> SMTP on port 25. In most cases you can turn this off completely, and  
> use only authenticated SMTP on port 587.
>
> Just last month, on another mailing list one unfortunate soul  
> discovered that he was succesfully dictionary-attacked, and had a  
> queue-full of spam.
>
> No tarpitting will help. fail2ban will work generally well, but it  
> won't be fool-proof.



SZÉPE Viktor
-- 
+36-20-4242498  s...@szepe.net  skype: szepe.viktor
Budapest, III. kerület





--
Attend Shape: An AT Tech Expo July 15-16. Meet us at AT Park in San
Francisco, CA to explore cutting-edge tech and listen to tech luminaries
present their vision of the future. This family event has something for
everyone, including kids. Get more information and register today.
http://sdm.link/attshape
___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users

Re: [courier-users] Blocking Brute Force Auth Attacks

[Alexei Batyr']

Gordon Messmer writes:

> Authentication over plain text is only allowed if ESMTPAUTH is set in
> etc/courier/esmtpd.  To maintain password security, that setting should
> be empty.  Instead, use ESMTPAUTH_TLS to enable authentication only
> after TLS is initialized.

Unfortunately spamers/fishers et al. already mastered SSL and STARTTLS and  
successfully use them in brute force and other attacks.

> I wrote earlier that protecting authentication with encryption would
> leave you with only tools like fail2ban.  I should have mentioned that
> the other good option is using an authentication backend that'll lock
> accounts temporarily when there are repeated auth failures.

Account locking seems not a good idea: attacker could easily and quickly  
block all known to him user accounts on particular server. Fail2ban blocks  
attacker's IPs instead, leaving legitimate user access to his mail.  
Probably better solution would be a similar blocking at MTA level, without  
log parsing and firing firewall rules.

Just FYI: fail2ban block list of my relatively small mail server (approx.  
350 users) now contains more than 1500 IPs. Additional advantage - reducing  
overall load to the server because blocked botnet members never more make  
continuous connections to the MTA.

-- 
Alexei.

--
Attend Shape: An AT Tech Expo July 15-16. Meet us at AT Park in San
Francisco, CA to explore cutting-edge tech and listen to tech luminaries
present their vision of the future. This family event has something for
everyone, including kids. Get more information and register today.
http://sdm.link/attshape
___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users

Re: [courier-users] Blocking Brute Force Auth Attacks

[Sam Varshavchik]

Nathan Harris writes:



On 7/8/2016 10:58 AM, Gordon Messmer wrote:
> On 07/08/2016 06:49 AM, Nathan Harris wrote:
>> Is there anything more
>> sophisticated or a better approach to solving this problem?
> I'd recommend that you not allow authentication on any non-encrypted
> protocols, and that'll only leave log analysis tools like fail2ban as
> options.
>

Gordon, first let me start with a big thank you for pythonfilter which I
have used for years.  As far as rejecting/disabling smtp authentication,
I was not aware there was a setting for this.


Set ESMTPAUTH and ESMTPAUTH_TLS to an empty string, in the esmtpd  
configuration file.


Before doing that, copy the current settings to the esmtpd-msa configuration  
file, its CUSTOM section is for that; so that authenticated smtp is still  
enabled on port 587.





pgpOXWDLV0lpc.pgp
Description: PGP signature
--
Attend Shape: An AT Tech Expo July 15-16. Meet us at AT Park in San
Francisco, CA to explore cutting-edge tech and listen to tech luminaries
present their vision of the future. This family event has something for
everyone, including kids. Get more information and register today.
http://sdm.link/attshape___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users

Re: [courier-users] Blocking Brute Force Auth Attacks

[Sam Varshavchik]

Nathan Harris writes:


For a while now our server has been seeing a lot of brute force
authentication attacks.  Of course the source of these attacks is
constantly changing.  My firewall (pfSense) is running Snort and I am
using the following custom rules to help.

alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP AUTH brute
force attack"; content:"535 Authentication failed."; nocase;
classtype:attempted-user; threshold:type threshold, track by_src, count
2, seconds 60; sid:1000500; rev:6;)

alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP ERROR
potential spam or malware bot"; content:"502 ESMTP command error";
nocase; classtype:policy-violation; threshold:type threshold, track
by_src, count 2, seconds 60; sid:1000501; rev:4;)

alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP SPAMHAUS
potential spam or malware bot"; content:"511 https://www.spamhaus.org;;
nocase; classtype:policy-violation; threshold:type threshold, track
by_src, count 1, seconds 60; sid:1000502; rev:4;)

alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP SPAM detected
spam or malware bot"; content:"554 Mail rejected - spam detected";
nocase; classtype:policy-violation; threshold:type threshold, track
by_src, count 1, seconds 60; sid:1000503; rev:2;)

This is working fairly well.  However, it would also be good to
immediately block an IPs when an invalid user name is specified.  I have
looked at Fail2Ban which does a similar operation to what I'm doing
(except on the mail server's firewall).  Is there anything more
sophisticated or a better approach to solving this problem?


You should check the timestamps in the maillog. Courier's automatic  
tarpitting and rate limit is pretty good at keeping things under control.


Also, check whether or not you really need to enable authenticated SMTP on  
port 25. In most cases you can turn this off completely, and use only  
authenticated SMTP on port 587.


Just last month, on another mailing list one unfortunate soul discovered  
that he was succesfully dictionary-attacked, and had a queue-full of spam.


No tarpitting will help. fail2ban will work generally well, but it won't be  
fool-proof.




pgpEc0GfuDjE6.pgp
Description: PGP signature
--
Attend Shape: An AT Tech Expo July 15-16. Meet us at AT Park in San
Francisco, CA to explore cutting-edge tech and listen to tech luminaries
present their vision of the future. This family event has something for
everyone, including kids. Get more information and register today.
http://sdm.link/attshape___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users

Re: [courier-users] Blocking Brute Force Auth Attacks

[Nathan Harris]

On 7/8/2016 2:23 PM, Gordon Messmer wrote:
>
>> As far as rejecting/disabling smtp authentication, I was not aware there was 
>> a setting for this.
> Authentication over plain text is only allowed if ESMTPAUTH is set in
> etc/courier/esmtpd.  To maintain password security, that setting should
> be empty.  Instead, use ESMTPAUTH_TLS to enable authentication only
> after TLS is initialized.

In a world where everything supports TLS now this is good advice. I'm 
feeling my age that I didn't even think of this.

> I wrote earlier that protecting authentication with encryption would
> leave you with only tools like fail2ban.  I should have mentioned that
> the other good option is using an authentication backend that'll lock
> accounts temporarily when there are repeated auth failures.
>

I am using PAM, so I'll research what is possible.  Thanks again.


--
Attend Shape: An AT Tech Expo July 15-16. Meet us at AT Park in San
Francisco, CA to explore cutting-edge tech and listen to tech luminaries
present their vision of the future. This family event has something for
everyone, including kids. Get more information and register today.
http://sdm.link/attshape
___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users

Re: [courier-users] Blocking Brute Force Auth Attacks

[Gordon Messmer]

On 07/08/2016 09:54 AM, Nathan Harris wrote:
> Gordon, first let me start with a big thank you for pythonfilter which I
> have used for years.

Cool.  Glad to hear it!

> As far as rejecting/disabling smtp authentication, I was not aware there was 
> a setting for this.



Authentication over plain text is only allowed if ESMTPAUTH is set in 
etc/courier/esmtpd.  To maintain password security, that setting should 
be empty.  Instead, use ESMTPAUTH_TLS to enable authentication only 
after TLS is initialized.

I wrote earlier that protecting authentication with encryption would 
leave you with only tools like fail2ban.  I should have mentioned that 
the other good option is using an authentication backend that'll lock 
accounts temporarily when there are repeated auth failures.


--
Attend Shape: An AT Tech Expo July 15-16. Meet us at AT Park in San
Francisco, CA to explore cutting-edge tech and listen to tech luminaries
present their vision of the future. This family event has something for
everyone, including kids. Get more information and register today.
http://sdm.link/attshape
___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users

Re: [courier-users] Blocking Brute Force Auth Attacks

[Nathan Harris]

On 7/8/2016 10:58 AM, Gordon Messmer wrote:
> On 07/08/2016 06:49 AM, Nathan Harris wrote:
>> Is there anything more
>> sophisticated or a better approach to solving this problem?
> I'd recommend that you not allow authentication on any non-encrypted
> protocols, and that'll only leave log analysis tools like fail2ban as
> options.
>

Gordon, first let me start with a big thank you for pythonfilter which I 
have used for years.  As far as rejecting/disabling smtp authentication, 
I was not aware there was a setting for this.


--
Attend Shape: An AT Tech Expo July 15-16. Meet us at AT Park in San
Francisco, CA to explore cutting-edge tech and listen to tech luminaries
present their vision of the future. This family event has something for
everyone, including kids. Get more information and register today.
http://sdm.link/attshape
___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users

Re: [courier-users] Blocking Brute Force Auth Attacks

[Gordon Messmer]

On 07/08/2016 06:49 AM, Nathan Harris wrote:
> Is there anything more
> sophisticated or a better approach to solving this problem?


I'd recommend that you not allow authentication on any non-encrypted 
protocols, and that'll only leave log analysis tools like fail2ban as 
options.


--
Attend Shape: An AT Tech Expo July 15-16. Meet us at AT Park in San
Francisco, CA to explore cutting-edge tech and listen to tech luminaries
present their vision of the future. This family event has something for
everyone, including kids. Get more information and register today.
http://sdm.link/attshape
___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users

Re: [courier-users] Vhost certificates

[Bowie Bailey]

On 7/8/2016 10:03 AM, Matus UHLAR - fantomas wrote:
> On 08.07.16 16:38, Mark Constable wrote:
>> FWIW I finally got around to testing 0.76.1 with a virtual vhost SSL
>> (letsencrypt) certificate and it worked!
>>
>> All I did was create symlinks from /etc/courier/{esmtpd,imapd}.pem.DOMAIN
>> to the right combined privkey.pem + fullchain.pem for the particular
>> vhost and Thunderbird worked perfectly.
>>
>> Brilliant! Thank you Sam :-)
>>
>> Just checked, Outlook for Android did not work. Anyone know of an Android
>> mail app that might work with IMAP/ESMTP SNA?
> do you mean, SNI?

That makes more sense.

K-9 Mail supports SNI in it's unstable branch (v 5.108 on), but it 
hasn't yet made it to the stable version available on Google Play.

-- 
Bowie

--
Attend Shape: An AT Tech Expo July 15-16. Meet us at AT Park in San
Francisco, CA to explore cutting-edge tech and listen to tech luminaries
present their vision of the future. This family event has something for
everyone, including kids. Get more information and register today.
http://sdm.link/attshape
___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users

[courier-users] Blocking Brute Force Auth Attacks

[Nathan Harris]

For a while now our server has been seeing a lot of brute force 
authentication attacks.  Of course the source of these attacks is 
constantly changing.  My firewall (pfSense) is running Snort and I am 
using the following custom rules to help.

alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP AUTH brute 
force attack"; content:"535 Authentication failed."; nocase; 
classtype:attempted-user; threshold:type threshold, track by_src, count 
2, seconds 60; sid:1000500; rev:6;)

alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP ERROR 
potential spam or malware bot"; content:"502 ESMTP command error"; 
nocase; classtype:policy-violation; threshold:type threshold, track 
by_src, count 2, seconds 60; sid:1000501; rev:4;)

alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP SPAMHAUS 
potential spam or malware bot"; content:"511 https://www.spamhaus.org;; 
nocase; classtype:policy-violation; threshold:type threshold, track 
by_src, count 1, seconds 60; sid:1000502; rev:4;)

alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP SPAM detected 
spam or malware bot"; content:"554 Mail rejected - spam detected"; 
nocase; classtype:policy-violation; threshold:type threshold, track 
by_src, count 1, seconds 60; sid:1000503; rev:2;)

This is working fairly well.  However, it would also be good to 
immediately block an IPs when an invalid user name is specified.  I have 
looked at Fail2Ban which does a similar operation to what I'm doing 
(except on the mail server's firewall).  Is there anything more 
sophisticated or a better approach to solving this problem?

-Nathan


--
Attend Shape: An AT Tech Expo July 15-16. Meet us at AT Park in San
Francisco, CA to explore cutting-edge tech and listen to tech luminaries
present their vision of the future. This family event has something for
everyone, including kids. Get more information and register today.
http://sdm.link/attshape
___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users

Re: [courier-users] Vhost certificates

[Matus UHLAR - fantomas]

On 08.07.16 16:38, Mark Constable wrote:
>FWIW I finally got around to testing 0.76.1 with a virtual vhost SSL
>(letsencrypt) certificate and it worked!
>
>All I did was create symlinks from /etc/courier/{esmtpd,imapd}.pem.DOMAIN
>to the right combined privkey.pem + fullchain.pem for the particular
>vhost and Thunderbird worked perfectly.
>
>Brilliant! Thank you Sam :-)
>
>Just checked, Outlook for Android did not work. Anyone know of an Android
>mail app that might work with IMAP/ESMTP SNA?

do you mean, SNI?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Support bacteria - they're the only culture some people have. 

--
Attend Shape: An AT Tech Expo July 15-16. Meet us at AT Park in San
Francisco, CA to explore cutting-edge tech and listen to tech luminaries
present their vision of the future. This family event has something for
everyone, including kids. Get more information and register today.
http://sdm.link/attshape
___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users

Re: [courier-users] Vhost certificates

[Bowie Bailey]

On 7/8/2016 2:38 AM, Mark Constable wrote:
> FWIW I finally got around to testing 0.76.1 with a virtual vhost SSL
> (letsencrypt) certificate and it worked!
>
> All I did was create symlinks from /etc/courier/{esmtpd,imapd}.pem.DOMAIN
> to the right combined privkey.pem + fullchain.pem for the particular
> vhost and Thunderbird worked perfectly.
>
> Brilliant! Thank you Sam :-)
>
> Just checked, Outlook for Android did not work. Anyone know of an Android
> mail app that might work with IMAP/ESMTP SNA?

Don't know about SNA, but K-9 Mail works great with my Courier IMAP server.

-- 
Bowie

--
Attend Shape: An AT Tech Expo July 15-16. Meet us at AT Park in San
Francisco, CA to explore cutting-edge tech and listen to tech luminaries
present their vision of the future. This family event has something for
everyone, including kids. Get more information and register today.
http://sdm.link/attshape
___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users

[courier-users] Vhost certificates

[Mark Constable]

FWIW I finally got around to testing 0.76.1 with a virtual vhost SSL
(letsencrypt) certificate and it worked!

All I did was create symlinks from /etc/courier/{esmtpd,imapd}.pem.DOMAIN
to the right combined privkey.pem + fullchain.pem for the particular
vhost and Thunderbird worked perfectly.

Brilliant! Thank you Sam :-)

Just checked, Outlook for Android did not work. Anyone know of an Android
mail app that might work with IMAP/ESMTP SNA?


--
Attend Shape: An AT Tech Expo July 15-16. Meet us at AT Park in San
Francisco, CA to explore cutting-edge tech and listen to tech luminaries
present their vision of the future. This family event has something for
everyone, including kids. Get more information and register today.
http://sdm.link/attshape
___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users