Re: [courier-users] Error message from Remote Server
On 2017-01-27 15:13:39 Gordon Messmer hacked into the keyboard:
> On 01/27/2017 02:59 PM, Michelle Konzack wrote:
> > <<< 500 couriertls: connect: error:14094410:SSL
> > routines:SSL3_READ_BYTES:sslv3 alert handshake failure
>
> What TLS settings have you specified in /etc/courier/courierd?

[ c 'grep TLS /etc/courier/courierd' ]--
ESMTP_USE_STARTTLS=1
COURIERTLS=/usr/bin/couriertls
ESMTP_TLS_VERIFY_DOMAIN=0
TLS_PROTOCOL=TLS1
TLS_TRUSTCERTS=/usr/lib/courier/rootcerts
TLS_VERIFYPEER=NONE

Thanks and nice weekend

--
Michelle Konzack
ITSystems GNU/Linux Developer

--
Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users

Re: [courier-users] Error message from Remote Server
Michelle Konzack writes:

> Your message to the following recipients cannot be delivered:
>
> :
>     biscmail.cv.net [167.206.112.38]:
>     >>> STARTTLS
>     <<< 500 couriertls: connect: error:14094410:SSL
>     routines:SSL3_READ_BYTES:sslv3 alert handshake failure
>
> :
>     biscmail.cv.net [167.206.112.38]:
>     >>> STARTTLS
>     <<< 500 couriertls: connect: error:14094410:SSL
>     routines:SSL3_READ_BYTES:sslv3 alert handshake failure
>
> ---
>
> If your message was also sent to additional recipients, their delivery
> status is not included in this report. You may or may not receive
> other delivery status notifications for additional recipients.
>
> The original message follows as a separate attachment.
> 8<--
>
> I have never gotten such error message.
>
> with the exception of TLS1 things which I have removed last year already
> and for my understanding is, that SSLv3 was negotiated with
> and failed. If I can not contact them by EMail I have to do an expensive
> long distance call.

The actual text of the error message comes from OpenSSL, and it is very misleading. Ignore the "sslv3" part of it. OpenSSL uses internal routines named "sslv3" that will autonegotiate the protocol level with the peer.

As I recall, you are using a relatively older version of Courier. Since then, the OpenSSL API has been updated, and the default settings in the current version of Courier's configuration files will be sufficient to negotiate any protocol that's common to both the client and the server.

Also, the current version of Courier should handle TLS negotiation failures automatically. The unsent message will not initially bounce, and the next connection attempt will not attempt to negotiate TLS with the remote server.

Re: [courier-users] Error message from Remote Server
On 01/27/2017 02:59 PM, Michelle Konzack wrote:
> <<< 500 couriertls: connect: error:14094410:SSL
> routines:SSL3_READ_BYTES:sslv3 alert handshake failure

What TLS settings have you specified in /etc/courier/courierd?

Re: [courier-users] Error message from Remote Server
Quoting Michelle Konzack:

> Good evening,
>
> I have contacted the abuse@ from an ISP, where a range of 8 IP addresses
> attacking my servers (on all protocols) and now I get this from my
> courier:
>
> 8<--
> This is a delivery status notification from mail.tamay-dogan.net,
> running the Courier mail server, version 0.68.2.
>
> The original message was received on Fri, 27 Jan 2017 23:45:43 +0100
> from localhost (localhost [127.0.0.1])
>
> ---
>
> UNDELIVERABLE MAIL
>
> Your message to the following recipients cannot be delivered:
>
> :
>     biscmail.cv.net [167.206.112.38]:
>     >>> STARTTLS
>     <<< 500 couriertls: connect: error:14094410:SSL
>     routines:SSL3_READ_BYTES:sslv3 alert handshake failure
>
> :
>     biscmail.cv.net [167.206.112.38]:
>     >>> STARTTLS
>     <<< 500 couriertls: connect: error:14094410:SSL
>     routines:SSL3_READ_BYTES:sslv3 alert handshake failure
>
> ---
>
> If your message was also sent to additional recipients, their delivery
> status is not included in this report. You may or may not receive
> other delivery status notifications for additional recipients.
>
> The original message follows as a separate attachment.
> 8<--
>
> I have never gotten such error message.
>
> with the exception of TLS1 things which I have removed last year already
> and for my understanding is, that SSLv3 was negotiated with
> and failed. If I can not contact them by EMail I have to do an expensive
> long distance call.
>
> Any suggestions?

$ openssl s_client -connect biscmail.cv.net:25 -starttls smtp
(my openssl is v1.0.2h)
...
Cipher: RC4-MD5
...

Maybe RC4-MD5 is not supported by your Courier installation, which is very good.

You may disable encryption in /etc/courier/esmtproutes

cv.net:biscmail.cv.net /SECURITY=NONE

All the best!

SZÉPE Viktor

[courier-users] Error message from Remote Server
Good evening,

I have contacted the abuse@ from an ISP, where a range of 8 IP addresses attacking my servers (on all protocols) and now I get this from my courier:

8<--
This is a delivery status notification from mail.tamay-dogan.net,
running the Courier mail server, version 0.68.2.

The original message was received on Fri, 27 Jan 2017 23:45:43 +0100
from localhost (localhost [127.0.0.1])

---

UNDELIVERABLE MAIL

Your message to the following recipients cannot be delivered:

:
    biscmail.cv.net [167.206.112.38]:
    >>> STARTTLS
    <<< 500 couriertls: connect: error:14094410:SSL
    routines:SSL3_READ_BYTES:sslv3 alert handshake failure

:
    biscmail.cv.net [167.206.112.38]:
    >>> STARTTLS
    <<< 500 couriertls: connect: error:14094410:SSL
    routines:SSL3_READ_BYTES:sslv3 alert handshake failure

---

If your message was also sent to additional recipients, their delivery
status is not included in this report. You may or may not receive
other delivery status notifications for additional recipients.

The original message follows as a separate attachment.
8<--

I have never gotten such error message.

with the exception of TLS1 things which I have removed last year already and for my understanding is, that SSLv3 was negotiated with and failed. If I can not contact them by EMail I have to do an expensive long distance call.

Any suggestions?

--
Michelle Konzack
ITSystems GNU/Linux Developer

Re: [courier-users] Date (YEAR) in /var/log/mail.log
On 2017-01-27 08:34:01 Sam Varshavchik hacked into the keyboard:
> That's something that's syslog's territory. syslog generates the
> timestamps in /var/log files.
>
> >I was grepping all configs, but found nothing.
> >
> >Any suggestions?
>
> http://stackoverflow.com/questions/5065592/adding-year-in-the-syslog-message-linux

F..k! -- I am hit by the strftime() problem! The Debian rsyslogd does not support it!

> Courier is quite resilient to dictionary attacks. The combination of
> a default max limit of four connections from the same IP address,
> and aggressive tarpitting quickly kills most dictionary attacks
> before they go very far.

I will look into it

--
Michelle Konzack
ITSystems GNU/Linux Developer

Re: [courier-users] SASL for authpipe -- a sticky note for Courier Authlib
On Thu 26/Jan/2017 12:28:41 +0100 Sam Varshavchik wrote:
>> [edited context]
>> The main difficulty is to get the sources for the include files:
>>
>> I include courierauth.h and courierauthsasl.h from authlib-devel. But
>> I also need:
>>
>> #include "cramlib.h" // for auth_cram_callback
>>
>> In addition, I also need auth.h, because cramlib.h includes it (it
>> would suffice to declare "struct authinfo;" to avoid the inclusion).
>> All file names in include_HEADER start with "courier", so renaming
>> cramlib.h would be in order if this issue is ever addressed.
>>>
>>> These exported functions are meant to be used for developing authentication
>>> clients, not servers.
>>>
>>> Looks like all you need are the functions in cramlib.h
>>
>> Yes, and the structure defined in hmac.h. I trimmed the text above so as to
>> make it more likely to fit on a sticky note, for the next release of authlib,
>> whenever it comes.
>
> I don't follow – what's still left in hmac.h that needs to be visible, when
> using only the exported functions from cramlib.h?

My bad. I was reasoning in terms of my existing authProg, where the caller is greedy for tokenizing, like so:

   if ((service = strtok(buf, "\n")) != NULL &&
       strcmp(service, "esmtp") == 0 &&
       (authtype = strtok(NULL, "\n")) != NULL &&
       (p1 = strtok(NULL, "\n")) != NULL &&
       (p2 = strtok(NULL, "\n")) != NULL)
   {
      if (strcmp(authtype, "login") == 0)
         rtc = do_login(p1, p2);
      else if (strncmp(authtype, "cram-", 5) == 0)
         rtc = do_cram(authtype + 5, p1, p2);
      // [...]

That extra tokenization can be easily removed. Even if the authtype token is needed, e.g. to learn what type of cram the user chose, it can be examined upon return from auth_get_cram().

> The definition of hmac_hashinfo doesn't appear to need to be visible. The
> pointer to it will be initialized by auth_get_cram().

Correct. In fact, my do_cram() becomes much shorter that way.

Ale

Re: [courier-users] Date (YEAR) in /var/log/mail.log
Michelle Konzack writes:

> Hello,
>
> I run currently an analyzer over the /var/log/mail.log* file from the
> last 12 years ;-) and now I run into trouble, because the prefixing date
> has no YEAR stamp.
>
> Is there a possibility to change this?

That's something that's syslog's territory. syslog generates the timestamps in /var/log files.

> I was grepping all configs, but found nothing.
>
> Any suggestions?

http://stackoverflow.com/questions/5065592/adding-year-in-the-syslog-message-linux

> I really would like to know, which login/password they try...
>
> However, over the last 12 years there were NEVER a single account
> compromised. Maybe I am BOFH, but forcing users to better passwords is
> unfortunately necessary, since I do not want to bother (have no time for
> it) with compromised accounts.

Courier is quite resilient to dictionary attacks. The combination of a default max limit of four connections from the same IP address, and aggressive tarpitting quickly kills most dictionary attacks before they go very far.

[courier-users] Date (YEAR) in /var/log/mail.log
Hello,

I run currently an analyzer over the /var/log/mail.log* file from the last 12 years ;-) and now I run into trouble, because the prefixing date has no YEAR stamp.

Is there a possibility to change this?

I was grepping all configs, but found nothing.

Any suggestions?

Note: It seems, this year is the year of Dictionary attacks!

2006   16751
2007   33190
2008   91753
2009  111654
2010  216972
2011  360219
2012  498317
2013  159974
2014  137438
2015   89118
2016   56713
2017  753816  in only 17 days

or if you want 2296800 secs --> all 3.047 seconds a dictionary attempt

I really would like to know, which login/password they try...

However, over the last 12 years there were NEVER a single account compromised. Maybe I am BOFH, but forcing users to better passwords is unfortunately necessary, since I do not want to bother (have no time for it) with compromised accounts.

Thanks
Michelle

--
Michelle Konzack
ITSystems GNU/Linux Developer

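
Added example, not part of the original thread: one way to analyze yearless syslog timestamps after the fact is to infer the year from line order, walking back from a known final year. The sample lines, the "LOGIN FAILED" marker and the function names are assumptions made for the illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

MONTHS = {name: num for num, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
# Classic syslog prefix, e.g. "Jan  7 03:04:05 host ..." (no year, no zone).
STAMP = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) ")


def _at(year, fields):
    """datetime for (month, day, h, m, s) in `year`, or None if impossible."""
    try:
        return datetime(year, *fields)
    except ValueError:  # e.g. Feb 29 in a non-leap year
        return None


def assign_years(lines, last_year, slack=timedelta(days=1)):
    """Return [(datetime, line)] for syslog lines given oldest first.

    last_year is the year of the newest line (take it from the file's mtime).
    Walking newest to oldest, each line gets the latest year that does not
    place it more than `slack` after its newer neighbour, so a Dec -> Jan
    rollover steps the year back while slightly out-of-order lines do not.
    A silent gap of more than a year cannot be detected this way.
    """
    dated, newer = [], None
    for line in reversed(lines):
        m = STAMP.match(line)
        if not m or m.group(1) not in MONTHS:
            continue
        fields = (MONTHS[m.group(1)],) + tuple(int(g) for g in m.groups()[1:])
        if _at(2000, fields) is None:  # impossible even in a leap year
            continue
        year = last_year if newer is None else newer.year + 1
        ts = _at(year, fields)
        while ts is None or (newer is not None and ts > newer + slack):
            year -= 1
            ts = _at(year, fields)
        dated.append((ts, line))
        newer = ts
    dated.reverse()
    return dated


def failures_per_year(lines, last_year, needle="LOGIN FAILED"):
    """Count lines containing `needle` per inferred year.

    `needle` is an assumption: use whatever marker your own log carries.
    """
    counts = Counter(ts.year for ts, line in assign_years(lines, last_year)
                     if needle in line)
    return dict(sorted(counts.items()))


# Constructed sample, oldest first; addresses are documentation ranges.
SAMPLE = [
    "Nov 30 12:00:00 mx imapd: LOGIN FAILED, user=info, ip=[::ffff:192.0.2.7]",
    "Feb 29 10:00:00 mx imapd: LOGIN FAILED, user=test, ip=[::ffff:192.0.2.7]",
    "Dec 31 23:59:59 mx imapd: LOGIN FAILED, user=admin, ip=[::ffff:192.0.2.9]",
    "Jan  1 00:00:01 mx courieresmtpd: started,ip=[::ffff:198.51.100.4]",
    "Dec 31 23:59:59 mx imapd: LOGIN FAILED, user=root, ip=[::ffff:192.0.2.9]",
    "Jan 17 08:00:00 mx imapd: LOGIN FAILED, user=web, ip=[::ffff:192.0.2.7]",
]

if __name__ == "__main__":
    print(failures_per_year(SAMPLE, 2017))
```

Rotated files need to be concatenated oldest first before the call, since the inference depends on line order.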
Re: [courier-users] Courier, PayPal and STARTTLS
Greg Earle writes:

> I was expecting an incoming e-mail from PayPal but noticed these errors
> in my syslog when it tried to deliver it:
>
> Jan 26 01:11:28 isolar courieresmtpd: [ID 702911 mail.info] started,ip=[:::173.0.84.227]
> Jan 26 01:11:28 isolar courieresmtpd: [ID 952582 mail.error] courieresmtpd: STARTTLS failed: couriertls: connect: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
> Jan 26 01:11:38 isolar courieresmtpd: [ID 702911 mail.info] started,ip=[:::66.211.168.231]
> Jan 26 01:11:39 isolar courieresmtpd: [ID 952582 mail.error] courieresmtpd: STARTTLS failed: couriertls: connect: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
> Jan 26 01:31:28 isolar courieresmtpd: [ID 702911 mail.info] started,ip=[:::173.0.84.228]
> Jan 26 01:31:29 isolar courieresmtpd: [ID 952582 mail.error] courieresmtpd: STARTTLS failed: couriertls: connect: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
> Jan 26 01:31:39 isolar courieresmtpd: [ID 702911 mail.info] started,ip=[:::66.211.168.231]
> Jan 26 01:31:39 isolar courieresmtpd: [ID 952582 mail.error] courieresmtpd: STARTTLS failed: couriertls: connect: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
>
> A Google search showed an old thread on here where Sam responded, saying
> to set TLS_PROTOCOL to "TLS1" in both "esmtpd" and "esmtpd-ssl". But
> that's what I've already got mine set to:
>
> isolar:1:1100 [/opt/courier/etc] # grep ^TLS_P esmtpd esmtpd-ssl
> esmtpd:TLS_PROTOCOL=TLS1
> esmtpd-ssl:TLS_PROTOCOL=TLS1
>
> So what do I do? Is there some trickery I can put into smtpaccess/default
> to make them not try to do STARTTLS or something? Or some other file?

Remove the TLS_PROTOCOL setting entirely, and have it fall back to the default setting.

Re: [courier-users] Courier, PayPal and STARTTLS
Quoting Greg Earle:

> I was expecting an incoming e-mail from PayPal but noticed these errors
> in my syslog when it tried to deliver it:
>
> Jan 26 01:11:28 isolar courieresmtpd: [ID 702911 mail.info]
> started,ip=[:::173.0.84.227]
> Jan 26 01:11:28 isolar courieresmtpd: [ID 952582 mail.error]
> courieresmtpd: STARTTLS failed: couriertls: connect:
> error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
> Jan 26 01:11:38 isolar courieresmtpd: [ID 702911 mail.info]
> started,ip=[:::66.211.168.231]
> Jan 26 01:11:39 isolar courieresmtpd: [ID 952582 mail.error]
> courieresmtpd: STARTTLS failed: couriertls: connect:
> error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
> Jan 26 01:31:28 isolar courieresmtpd: [ID 702911 mail.info]
> started,ip=[:::173.0.84.228]
> Jan 26 01:31:29 isolar courieresmtpd: [ID 952582 mail.error]
> courieresmtpd: STARTTLS failed: couriertls: connect:
> error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
> Jan 26 01:31:39 isolar courieresmtpd: [ID 702911 mail.info]
> started,ip=[:::66.211.168.231]
> Jan 26 01:31:39 isolar courieresmtpd: [ID 952582 mail.error]
> courieresmtpd: STARTTLS failed: couriertls: connect:
> error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
>
> A Google search showed an old thread on here where Sam responded, saying
> to set TLS_PROTOCOL to "TLS1" in both "esmtpd" and "esmtpd-ssl". But
> that's what I've already got mine set to:
>
> isolar:1:1100 [/opt/courier/etc] # grep ^TLS_P esmtpd esmtpd-ssl
> esmtpd:TLS_PROTOCOL=TLS1
> esmtpd-ssl:TLS_PROTOCOL=TLS1
>
> So what do I do? Is there some trickery I can put into smtpaccess/default
> to make them not try to do STARTTLS or something? Or some other file?
>
> I already have some entries for PayPal in there:
>
> isolar:1:1107 [/opt/courier/etc] # egrep
> PayPal\|173.0.84\|66.211.168 smtpaccess/default
> # PayPal has their machines crossed
> 66.211.168.231 allow,RELAYCLIENT,BOFHCHECKDNS=0,BOFHCHECKHELO=0
> 173.0.84.225 allow,RELAYCLIENT,BOFHCHECKDNS=0,BOFHCHECKHELO=0
> 173.0.84.226 allow,RELAYCLIENT,BOFHCHECKDNS=0,BOFHCHECKHELO=0
> 173.0.84.227 allow,RELAYCLIENT,BOFHCHECKDNS=0,BOFHCHECKHELO=0
> 173.0.84.228 allow,RELAYCLIENT,BOFHCHECKDNS=0,BOFHCHECKHELO=0
>
> I don't want to switch back to TLS_PROTOCOL=SSL23 just to suit PayPal ...

Hello Greg!

In /etc/courier/esmtproutes you may instruct Courier to deliver without STARTTLS

txtlocal.co.uk:mx1.emailsrvr.com,25 /SECURITY=REQUIRED

In your case - reception - try setting TLS_CIPHER_LIST according to
https://mozilla.github.io/server-side-tls/ssl-config-generator/
(set your OpenSSL version)
and make sure TLS_CERTFILE points to a valid certificate

$ openssl x509 -in $TLS_CERTFILE -noout -text

It does not hurt to have a proper certificate.
https://github.com/veeti/manuale

All the best!

SZÉPE Viktor

[courier-users] Courier, PayPal and STARTTLS
I was expecting an incoming e-mail from PayPal but noticed these errors in my syslog when it tried to deliver it:

Jan 26 01:11:28 isolar courieresmtpd: [ID 702911 mail.info] started,ip=[:::173.0.84.227]
Jan 26 01:11:28 isolar courieresmtpd: [ID 952582 mail.error] courieresmtpd: STARTTLS failed: couriertls: connect: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
Jan 26 01:11:38 isolar courieresmtpd: [ID 702911 mail.info] started,ip=[:::66.211.168.231]
Jan 26 01:11:39 isolar courieresmtpd: [ID 952582 mail.error] courieresmtpd: STARTTLS failed: couriertls: connect: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
Jan 26 01:31:28 isolar courieresmtpd: [ID 702911 mail.info] started,ip=[:::173.0.84.228]
Jan 26 01:31:29 isolar courieresmtpd: [ID 952582 mail.error] courieresmtpd: STARTTLS failed: couriertls: connect: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
Jan 26 01:31:39 isolar courieresmtpd: [ID 702911 mail.info] started,ip=[:::66.211.168.231]
Jan 26 01:31:39 isolar courieresmtpd: [ID 952582 mail.error] courieresmtpd: STARTTLS failed: couriertls: connect: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

A Google search showed an old thread on here where Sam responded, saying to set TLS_PROTOCOL to "TLS1" in both "esmtpd" and "esmtpd-ssl". But that's what I've already got mine set to:

isolar:1:1100 [/opt/courier/etc] # grep ^TLS_P esmtpd esmtpd-ssl
esmtpd:TLS_PROTOCOL=TLS1
esmtpd-ssl:TLS_PROTOCOL=TLS1

So what do I do? Is there some trickery I can put into smtpaccess/default to make them not try to do STARTTLS or something? Or some other file?

I already have some entries for PayPal in there:

isolar:1:1107 [/opt/courier/etc] # egrep PayPal\|173.0.84\|66.211.168 smtpaccess/default
# PayPal has their machines crossed
66.211.168.231 allow,RELAYCLIENT,BOFHCHECKDNS=0,BOFHCHECKHELO=0
173.0.84.225 allow,RELAYCLIENT,BOFHCHECKDNS=0,BOFHCHECKHELO=0
173.0.84.226 allow,RELAYCLIENT,BOFHCHECKDNS=0,BOFHCHECKHELO=0
173.0.84.227 allow,RELAYCLIENT,BOFHCHECKDNS=0,BOFHCHECKHELO=0
173.0.84.228 allow,RELAYCLIENT,BOFHCHECKDNS=0,BOFHCHECKHELO=0

I don't want to switch back to TLS_PROTOCOL=SSL23 just to suit PayPal ...

- Greg
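
Added example, not part of the original thread: it decodes the two OpenSSL error strings quoted in the "Error message from Remote Server" and "Courier, PayPal and STARTTLS" threads and groups STARTTLS failures by peer. The log lines are constructed after the format shown above, and pairing each failure with the most recent "started" line is a heuristic assumption that can misattribute failures when connections overlap.

```python
import re
from collections import Counter

# OpenSSL 1.0.x prints "error:<8 hex digits>:<library>:<function>:<reason>".
OSSL_ERR = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)$")
STARTED = re.compile(r"courieresmtpd: .*started,ip=\[([^\]]+)\]")
ERR_LIB_SSL = 20
# TLS alert descriptions (RFC 5246, section 7.2); only a few are listed.
ALERTS = {40: "handshake_failure", 42: "bad_certificate",
          70: "protocol_version", 71: "insufficient_security"}


def decode_openssl_error(text):
    """Split a pre-3.0 OpenSSL error string into its packed fields.

    The code packs library (8 bits), function (12 bits) and reason (12 bits).
    For the SSL library, a reason of 1000 or more means the peer sent TLS
    alert number (reason - 1000). The "sslv3"/"SSL3_" words name internal
    routines, not the protocol version that was negotiated.
    """
    m = OSSL_ERR.search(text)
    if not m:
        return None
    code = int(m.group(1), 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    alert = reason - 1000 if lib == ERR_LIB_SSL and reason >= 1000 else None
    if alert is None:
        side = "detected locally"
    else:
        side = "peer sent alert %s" % ALERTS.get(alert, alert)
    return {"lib": lib, "func": func, "reason": reason, "peer_alert": alert,
            "function": m.group(3), "text": m.group(4).strip(), "side": side}


def starttls_failures(lines):
    """Count (peer ip, reason text) pairs for 'STARTTLS failed' lines."""
    counts, last_ip = Counter(), "unknown"
    for line in lines:
        m = STARTED.search(line)
        if m:
            last_ip = m.group(1)
        elif "STARTTLS failed" in line:
            err = decode_openssl_error(line)
            counts[(last_ip, err["text"] if err else "unparsed")] += 1
    return dict(counts)


# Constructed sample; addresses come from documentation ranges.
_OK = "Jan 26 01:11:28 mx courieresmtpd: [ID 702911 mail.info] started,ip=[%s]"
_BAD = ("Jan 26 01:11:29 mx courieresmtpd: [ID 952582 mail.error] "
        "courieresmtpd: STARTTLS failed: couriertls: connect: error:%s")
VERSION = "1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number"
ALERT40 = "14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure"
SAMPLE_LOG = [
    _OK % "::ffff:192.0.2.10", _BAD % VERSION,
    _OK % "::ffff:192.0.2.20", _BAD % VERSION,
    _OK % "::ffff:192.0.2.10", _BAD % VERSION,
    _OK % "::ffff:198.51.100.5", _BAD % ALERT40,
]

if __name__ == "__main__":
    for key, n in sorted(starttls_failures(SAMPLE_LOG).items()):
        print(n, key)
```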