Re: [courier-users] Preferred OS for Courier mail server
Hi,

I'm more or less maintaining the gentoo packages.

On Sun, 8 Jan 2017 08:44:47 +0100
Dan Johansson <dan.johans...@bluewin.ch> wrote:

> Yes, I agree that normally Gentoo has quite new packages, but some
> packages - like courier - lag somewhat behind.
> E.g. these are the "stable" version in portage at the moment:
> mail-mta/courier 0.75.0 (current is 0.76.3)

I wanted to bump a while ago, but the 0.76.3 had some issues for which I sent patches (which sam has included, but not released yet).

Sam: Can we have a 0.76.4 or 0.77.0? I can include the patches, but if possible I try to avoid that and stick with unpatched upstream releases.

> net-libs/courier-unicode 1.3 (current is 1.4)

We have 1.4 in testing. I'll put that into stable together with the next courier version.

--
Hanno Böck
https://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
[courier-users] [patch] fix new/delete mismatch
In the file maildrop.C there is a variable n that gets allocated with

  char *n=new char [keywords_s - p + 1];

and deallocated with

  delete n;

This is not correct, allocations with new (type) [size] must be deallocated with delete [] name. So it must be "delete [] n" instead.

See attached patch, please apply.

These kinds of issues can be found by testing with address sanitizer (-fsanitize=address in cflags).

--
Hanno Böck
https://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

--- a/libs/maildrop/maildir.C 2015-12-19 18:09:18.0 +0100 +++ b/libs/maildrop/maildir.C 2016-09-19 14:23:44.899471296 +0200 @@ -254,11 +254,11 @@ if (libmail_kwmSetName(, kwm, n) < 0) { - delete n; + delete [] n; libmail_kwmDestroy(kwm); throw strerror(errno); } -delete n; +delete [] n; } char *tmpkname, *newkname;
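Review bot: The cover text names maildrop.C, but the hunk header is libs/maildrop/maildir.C, so the commit message should name maildir.C. In the hunk, n is released by hand on both the error path before the throw and the normal path; holding the buffer in a std::string or std::vector<char> would remove the two delete [] calls and the chance of them drifting apart again.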
[courier-users] [patch] fix duplicate definition of sqwebmail_content_charset in courier
Hi,

The variable sqwebmail_content_charset is defined twice, in sqwebmail.c and gpg.c. One of them should be declared as extern.

By default gcc is lax on these things and allows duplicate global definitions. However it is not correct and gcc can be switched to a more strict mode with the flag -fno-common.

See attached patch, it'll declare the variable as extern in gpg.c. Please apply.

--
Hanno Böck
https://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

--- a/libs/sqwebmail/gpg.c 2015-02-27 20:13:32.0 +0100 +++ b/libs/sqwebmail/gpg.c 2016-09-19 13:54:15.389533196 +0200 @@ -36,7 +36,7 @@ extern void output_scriptptrget(); extern void print_attrencodedlen(const char *, size_t, int, FILE *); extern void print_safe(const char *); -const char *sqwebmail_content_charset; +extern const char *sqwebmail_content_charset; static char gpgerrbuf[1024];
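Review bot: The new extern declaration of sqwebmail_content_charset sits in gpg.c among other hand-written extern lines, so nothing checks it against the definition in sqwebmail.c. Moving the declaration into a header that both files include would let the compiler catch a type mismatch, and building with -fno-common, as the message suggests, would catch a reintroduced duplicate.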
Re: [courier-users] addcr name collision - can we rename it?
On Tue, 13 Sep 2016 08:29:49 -0400
Sam Varshavchik <mr...@courier-mta.com> wrote:

> courier's addcr was historically intended to replace addcr from
> ucspi-tcp.
>
> This is not the only binary in Courier that intentionally replaces
> some other tool's functionality.
>
> Another one is preline, that intentionally provides the same
> functionality as procmail's getline. Why is that not a conflict?

That's much less problematic, because it has another name. (my procmail installation has no getline, not sure why).

> A solution that's usually used elsewhere is to simply put Courier's
> bindir somewhere else, and then add it to the system shells' default
> PATHs. That's the default configure setting, bindir
> is /usr/lib/courier/bin.
>
> Would that work here?

I'd find that a very unclean solution, so I'd rather like to avoid it.

Right now we simply don't allow parallel installation of courier and ucspi-tcp, and if you're set on keeping addcr with this name I think we'll keep it that way.

--
Hanno Böck
https://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
[courier-users] addcr name collision - can we rename it?
Hi,

There's a very old bug in the Gentoo bug tracker that there's a name collision between the courier and the ucspi-tcp package:
https://bugs.gentoo.org/show_bug.cgi?id=223155

There are similar bug reports in plenty of other distributions:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=476489
https://bugs.archlinux.org/task/9116

Debian has solved this with a complicated construction using multiple alternatives, archlinux and gentoo simply by avoiding to install both packages in parallel.

From what I can see the main purpose of the addcr command is that it internally is used by the smtpd code. So I think this could probably be renamed without causing too much trouble.

Sam, do you think we can change addcr to another name, e.g. caddcr, addcr-courier, addcr.courier or whatever you feel is most suitable?

ucspi-tcp is very old and I doubt it'll be changed, yet it still seems popular. And unlike the courier tool I think the ucspi-tcp tool isn't primarily meant to be used internally, so renaming it would cause more complications.

--
Hanno Böck
https://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
[courier-users] MTA STS / transport security
Hi,

In the IETF there is currently some discussion to get new standards on its way called MTA STS [1] (previously SMTP STS) and MUA STS[2] (previously DEEP). Their intent is to get authenticated transport encrypted TLS working for the email ecosystem.

I find the MUA part less interesting, because one can already resolve this manually by enforcing TLS connections and verifying certificates, but the MTA part could fix an important loophole of email insecurity.

Right now as you probably all know especially connections between two mail servers can use encryption via STARTTLS, but the certificates are often self-signed, don't match the hostname etc. and also the encryption commands can just be stripped away by an active attacker.

The rough way it works is that a policy URL is published via DNS and can then be fetched over HTTPS. The details are of course a bit complicated, as it's a nontrivial problem.

I wanted to bring this up because obviously courier might be a project interested in implementing this. Also right now would be the right time if people want to influence the standards process and discuss whether they have any concerns or ideas about this. The discussions happen in the TLS UTA working [3].

[1] https://tools.ietf.org/html/draft-brotman-mta-sts-00
[2] https://tools.ietf.org/html/draft-ietf-uta-email-deep-05
[3] https://www.ietf.org/mailman/listinfo/uta

--
Hanno Böck
https://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: BBB51E42
[courier-users] [PATCH] avoid invalid memory read in courier-authlib / authgetconfig
Hi,

I tested courier and courier-authlib compiled with address sanitizer. This uncovered an out of bounds memory access in the file authgetconfig.c in courier-authlib:

  if (memcmp(p, env, l) == 0 &&

The problem here is that p might actually be shorter than l and thus this reads invalid memory. One possible fix (and probably the easiest) is to use strncmp instead. See attached patch.

This is very similar to an issue I reported previously that got fixed here:
https://github.com/svarshavchik/courier-libs/commit/174541a2e670c0ee70fd2fb3116209f96ecc173e

Please apply patch.

cu,
--
Hanno Böck
http://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: BBB51E42

--- a/authgetconfig.c 2013-08-25 20:44:47.0 +0200 +++ b/authgetconfig.c 2015-11-14 19:08:02.909325278 +0100 @@ -76,7 +76,7 @@ for (i=0; i<configauth_size; ) { p=configauth+i; - if (memcmp(p, env, l) == 0 && + if (strncmp(p, env, l) == 0 && isspace((int)(unsigned char)p[l])) { p += l;
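Review bot: strncmp on the changed line stops at a NUL byte, so the read stays in bounds only if the data at configauth is NUL-terminated, which this hunk does not show. The loop already carries configauth_size, so a length check before the comparison (for example requiring i + l < configauth_size) would make the bound explicit and would also cover the p[l] read in the isspace() call on the following line.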
[courier-users] [patch] disable warnings regarding format string security
Hi,

Current gcc versions have a feature that warns when non-literal strings are used as format strings (-Wformat-security). Fixing these warnings can protect against possible format string vulnerabilities. Such a warning is not by default a sign of a vulnerability, because in many situations the strings are not attacker-controlled. However it is still good coding practice to change them all not to throw a warning.

See here for more info:
https://fedoraproject.org/wiki/Format-Security-FAQ

Some distributions plan to enable -Wformat-security by default.

Attached patch will fix two instances of this warning in courier. Please apply.

cu,
--
Hanno Böck
http://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: BBB51E42

diff -Naur a/libs/sqwebmail/pcp.c b/libs/sqwebmail/pcp.c --- a/libs/sqwebmail/pcp.c 2013-08-25 20:46:53.0 +0200 +++ b/libs/sqwebmail/pcp.c 2015-05-12 11:46:12.302206143 +0200 @@ -1518,7 +1518,7 @@ printf(/span/tdtd width=\30\nbsp;/tdtd width=\100%%\span class=\tt\); if (p-address strcmp(p-address, @)) { -printf(getarg(CONFLICTERR2)); +printf(%s, getarg(CONFLICTERR2)); print_safe(p-address); } else diff -Naur a/libs/sqwebmail/sqwebmail.c b/libs/sqwebmail/sqwebmail.c --- a/libs/sqwebmail/sqwebmail.c 2013-11-25 03:02:39.0 +0100 +++ b/libs/sqwebmail/sqwebmail.c 2015-05-12 11:46:14.218206288 +0200 @@ -1097,7 +1097,7 @@ c=strchr(c, '.'); if (c) { - printf(sep); + printf(%s, sep); print_safe(c+1); } }
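Review bot: In the pcp.c hunk the value from getarg(CONFLICTERR2) needs no formatting at all, so fputs(getarg(CONFLICTERR2), stdout) would avoid format parsing entirely instead of routing the string through a %s conversion. Either form removes the warning; fputs makes it obvious that the string is output verbatim.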
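Review bot: The subject says the patch disables the format-security warnings, while the sqwebmail.c hunk, like the pcp.c one, fixes the printf(sep) call itself. Rewording the subject to say the warnings are fixed would stop readers from expecting a -Wno-format-security change.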
[courier-users] file /usr/include/unicode.h collides with libunicode
Hi Sam,

courier-unicode installs a file /usr/include/unicode.h

I just got a bug report from a Gentoo user that this causes trouble. There is a library libunicode that wants to install a file with the same name:
https://bugs.gentoo.org/show_bug.cgi?id=541422

Can you rename that file to something less generic? This will need some careful update strategy (should update courier-unicode and everything that uses it at the same time with the change), but I think it would avoid trouble in the future.

I propose to just name it courier-unicode.h, that'll probably avoid any confusion.

cu,
Hanno

--
Hanno Böck
http://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: BBB51E42
Re: [courier-users] file /usr/include/unicode.h collides with libunicode
On Fri, 27 Feb 2015 18:46:23 +0100
Hanno Böck ha...@hboeck.de wrote:

> courier-unicode installs a file /usr/include/unicode.h

Addition: It's more than that, /usr/lib/libunicode.* also collides. So I think both should be renamed (something like /usr/lib/libunicode-courier.* or /usr/lib/libcourier-unicode.*)

cu,
--
Hanno Böck
http://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: BBB51E42
[courier-users] [PATCH] make testsuite work with user without a default shell
Hi,

I noted that the test suite currently fails in Gentoo. The reason is that it is executed with a user without a default shell and one of the maildrop tests will fail with that.

This can be fixed by explicitly setting the SHELL variable in the respective test to /bin/sh, therefore making the test suite more robust in uncommon environments.

See attached patch, please apply.

cu,
--
Hanno Böck
http://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: BBB51E42

--- courier-0.74.1-plain/libs/maildrop/testsuite2 2013-08-30 02:36:07.0 +0200 +++ courier-0.74.1/libs/maildrop/testsuite2 2015-02-16 13:22:37.455698929 +0100 @@ -232,7 +232,8 @@ for f in testsuite?.filter do -echo 'xfilter cat' t +echo SHELL=/bin/sh t +echo 'xfilter cat' t cat $f t chmod 600 t mv -f t $f
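Review bot: The added SHELL=/bin/sh line in the testsuite2 loop has no comment saying why it is there. A one-line comment above the echo, noting that the build user may have no login shell, would keep it from being removed later as redundant; it is also worth stating in the commit message that the assignment is written into every testsuite?.filter file.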
[courier-users] [PATCH] fix implicit declaration in testlookup.c
Hi,

Compiling courier 0.74.1 throws a warning about an implicit declaration of the function rfc1035_spf_gettxt_n in the file testlookup.c. This can easily be fixed by adding an explicit declaration.

See attached patch, please apply.

cu,
--
Hanno Böck
http://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: BBB51E42

--- courier-0.74.1/libs/rfc1035/testlookup.c 2014-11-04 13:15:00.0 +0100 +++ courier-0.74.1-1/libs/rfc1035/testlookup.c 2015-02-16 13:36:14.455760592 +0100 @@ -41,6 +41,9 @@ extern char rfc1035_spf_gettxt(const char *current_domain, char *buf); +extern char rfc1035_spf_gettxt_n(const char *current_domain, + char **buf); + static void spflookup(const char *current_domain) {
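Review bot: The prototype for rfc1035_spf_gettxt_n is added by hand in testlookup.c next to the existing rfc1035_spf_gettxt one, so neither is checked against the real definition. Declaring both in a header that the implementation also includes would silence the warning and let the compiler catch a signature change.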
Re: [courier-users] Ports, SSL and STARTTLS for ESMTP
On Sun, 08 Feb 2015 15:55:27 -0500
Justin Vallon justinval...@gmail.com wrote:

> I am on this list for courier-imap, but I use postfix for SMTP.
> Postfix has an option to only allow auth over under SSL
> (smtpd_tls_auth_only=yes # only allow auth under ssl). So, I believe
> this can be enforced on the (Postfix) server-side. Is there an
> equivalent for courier smtpd?

There is, but that's not the point. The attacker can still intercept the connection. It needs to be enforced on the client as well.

--
Hanno Böck
http://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: BBB51E42
Re: [courier-users] Ports, SSL and STARTTLS for ESMTP
On Sun, 08 Feb 2015 16:39:17 -0500
Justin Vallon justinval...@gmail.com wrote:

> AUTH is only allowed under SSL. Mail can only be sent (relayed) after
> AUTH. Therefore, if the MITM prevents the client from STARTTLS'ing,
> the server will not allow mail to be sent. Unencrypted mail will not
> be sent.

The attacker can speak STARTTLS to the server and plain text to the client. And has a full MitM-attack.

The TLS level authentication is only in one direction - the server authenticates itself to the client, but not the other way round (there are in theory TLS client certificates, but usually nobody uses them).

--
Hanno Böck
http://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: BBB51E42
Re: [courier-users] Ports, SSL and STARTTLS for ESMTP
On Sat, 7 Feb 2015 09:54:43 -0500
Jeff Potter jpotter-cour...@codepuppy.com wrote:

> I’d support such a project, but based on my experience with my users,
> the ones for whom it would help wouldn’t care about it or understand
> the need. I’ve started recommending to my clients to use port 465 by
> default.

I'm not talking about educating users. I talk about educating mail client developers that they ship sane defaults. They should make it impossible to accidentally have an unencrypted connection. Probably they should even make it impossible to do unencrypted connections at all.

But not sure this is the right place to discuss it, hope we don't annoy others with offtopic discussions.

--
Hanno Böck
http://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: BBB51E42
Re: [courier-users] Ports, SSL and STARTTLS for ESMTP
On Sat, 7 Feb 2015 08:40:07 -0500
Jeff Potter jpotter-cour...@codepuppy.com wrote:

> 465 has the benefit that the STARTTLS keyword can’t be MITM stripped.

That's kinda the thing: STARTTLS doesn't really make that much sense any more in a world where we essentially want to deprecate non-crypto-logins.

Mail settings with starttls if available should be considered dangerous. If they use starttls they need to fixate that and make sure it can't be randomly removed.

(would be worth having a project checking various mailclients for that)

--
Hanno Böck
http://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: BBB51E42
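The difference this thread draws between "STARTTLS if available" and a fixed STARTTLS requirement, written out as client-side logic. This is an added example, not code from the thread or from Courier; the two EHLO replies are constructed, and the names plan_session and open_strict, the policy names and the host mail.example.org are assumptions.

```python
import smtplib
import ssl

# Constructed EHLO reply as a server with STARTTLS support sends it.
SERVER_REPLY = (
    "250-mail.example.org\n"
    "250-SIZE 10485760\n"
    "250-STARTTLS\n"
    "250 8BITMIME\n"
)
# Constructed reply as the client sees it when the STARTTLS line never
# arrives and cleartext AUTH is offered instead.
RECEIVED_REPLY = (
    "250-mail.example.org\n"
    "250-SIZE 10485760\n"
    "250-AUTH PLAIN LOGIN\n"
    "250 8BITMIME\n"
)


class TransportSecurityError(Exception):
    """Raised when the session cannot be protected as the policy demands."""


def parse_ehlo(reply: str) -> set:
    """Return the upper-cased ESMTP keywords of a multi-line 250 EHLO reply."""
    keywords = set()
    lines = reply.strip().splitlines()
    for line in lines[1:]:  # the first line only carries the server's greeting
        if len(line) < 4 or not line.startswith("250") or line[3] not in "- ":
            raise ValueError("not a 250 reply line: %r" % line)
        words = line[4:].split()
        if words:
            keywords.add(words[0].upper())
    return keywords


def plan_session(ehlo_reply: str, policy: str) -> list:
    """Decide what the client does after the first EHLO.

    "if-available": use STARTTLS when offered, otherwise carry on in clear.
    "required":     STARTTLS must be offered, otherwise stop before AUTH.
    """
    if policy not in ("if-available", "required"):
        raise ValueError("unknown policy: " + policy)
    if "STARTTLS" in parse_ehlo(ehlo_reply):
        return ["STARTTLS", "verify certificate", "EHLO", "AUTH"]
    if policy == "required":
        raise TransportSecurityError("STARTTLS not offered, refusing to continue")
    return ["AUTH in cleartext"]


def open_strict(host: str, port: int = 587) -> smtplib.SMTP:
    """The "required" policy with smtplib: no STARTTLS or no valid
    certificate for `host` means no session and no credentials sent."""
    smtp = smtplib.SMTP(host, port, timeout=30)
    try:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise TransportSecurityError("STARTTLS not offered by " + host)
        # The default context verifies the chain and the host name.
        smtp.starttls(context=ssl.create_default_context())
        smtp.ehlo()  # extensions must be read again inside the TLS session
    except Exception:
        smtp.close()
        raise
    return smtp


if __name__ == "__main__":
    for policy in ("if-available", "required"):
        try:
            print(policy, "->", plan_session(RECEIVED_REPLY, policy))
        except TransportSecurityError as exc:
            print(policy, "-> aborted:", exc)
```
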
Re: [courier-users] New versions of courier, courier-imap, sqwebmail, maildrop, and cone packages released
Hi sam,

unfortunately this introduced another linking order issue. See attached patch.

(you probably only need the Makefile.am part and can auto-generate the Makefile.in part)

To avoid these in the future you could try to build courier with LDFLAGS=-Wl,--as-needed in the future. (if it helps: you can also ask me to do so if you're about to release new versions)

cu,
--
Hanno Böck
http://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: BBB51E42

diff -Naur courier-0.74.0/libs/gpglib/Makefile.am courier-0.74.0-1/libs/gpglib/Makefile.am --- courier-0.74.0/libs/gpglib/Makefile.am 2014-12-04 03:31:09.0 +0100 +++ courier-0.74.0-1/libs/gpglib/Makefile.am 2014-12-14 02:18:25.599274395 +0100 @@ -18,7 +18,7 @@ testgpg_SOURCES=testgpg.c testgpg_DEPENDENCIES=libgpg.la ../numlib/libnumlib.la -testgpg_LDADD= -lunicode $(testgpg_DEPENDENCIES) +testgpg_LDADD= $(testgpg_DEPENDENCIES) -lunicode testgpg_LDFLAGS=-static mimegpg_SOURCES=mimegpg.c diff -Naur courier-0.74.0/libs/gpglib/Makefile.in courier-0.74.0-1/libs/gpglib/Makefile.in --- courier-0.74.0/libs/gpglib/Makefile.in 2014-12-13 15:26:42.0 +0100 +++ courier-0.74.0-1/libs/gpglib/Makefile.in 2014-12-14 02:18:35.512275143 +0100 
@@ -335,7 +335,7 @@ testgpg_SOURCES = testgpg.c testgpg_DEPENDENCIES = libgpg.la ../numlib/libnumlib.la -testgpg_LDADD = -lunicode $(testgpg_DEPENDENCIES) +testgpg_LDADD = $(testgpg_DEPENDENCIES) -lunicode testgpg_LDFLAGS = -static mimegpg_SOURCES = mimegpg.c mimegpg_LDADD = libgpg.la ../rfc2045/librfc2045.la ../rfc822/librfc822.la \
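Review bot: The Makefile.in hunk repeats the testgpg_LDADD change from the Makefile.am hunk. Makefile.in is generated by automake, as the cover text notes, so the patch is easier to apply and review if it carries only the Makefile.am change and Makefile.in is regenerated.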
Re: [courier-users] Courier and rfc 4408 spf
On Tue, 4 Nov 2014 13:23:25 +0100
Matus UHLAR - fantomas uh...@fantomas.sk wrote:

> you should be glad you are receiving neutral, the SPF checker at
> http://www.kitterman.com/spf/validate.html gives something different:
>
> Results - PermError SPF Permanent Error: Too many DNS lookups

I get this for all my domains. They use a single include for spf. I don't think that's unreasonable. Looks to me as this tool is broken, not the spf config.

--
Hanno Böck
http://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: BBB51E42
Re: [courier-users] Build 20141122 of courier and courier-imap packages
On Wed, 22 Oct 2014 23:26:16 -0400
Sam Varshavchik mr...@courier-mta.com wrote:

> Download: http://www.courier-mta.org/download.html

Quote:
22-Oct-2014 20141122courier-0.73.2.20141122.tar.bz2

20141122? On my calendar it's October. Package from the future? :-)

--
Hanno Böck
http://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: BBB51E42
Re: [courier-users] problems with esmtpd / cert / pem reading after update to latest snapshot (no start line)
On Fri, 19 Sep 2014 20:56:26 -0400
Sam Varshavchik mr...@courier-mta.com wrote:

> I just ran a test, and on a medium-powered server, it took 2 minutes
> to generate a 2048-bit parameter. That's not too bad, I suppose. A new
> install will have to generate that the first time the server gets
> started, and things will pretty much come to a halt, until that's done
> and over with. Will have to make that prominent, somewhere…

If you're worried about generation time: DH parameters are neither secret nor is there a problem in sharing the same parameters amongst several hosts.

From a cryptographic perspective there wouldn't be a problem in pre-generating one set of DH params and shipping them as the default with all courier installations.

Btw, is there currently a way of using ECDH-ciphersuites with courier?

--
Hanno Böck
http://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: BBB51E42
[courier-users] problems with esmtpd / cert / pem reading after update to latest snapshot (no start line)
Hi,

I recently tried to test the latest courier snapshots (due to the spf fixes) on one of our servers, however it doesn't really work.

When I try to connect with openssl to the smtp-port (25) via starttls I seem to get a connection, however it's instantly terminated. I see this in the logs:

  Sep 19 17:56:45 backup1 courieresmtpd: courieresmtpd: STARTTLS failed: couriertls: /etc/ssl/private/courier.pem: error:0906D06C:PEM routines:PEM_read_bio:no start line

I saw that just recently someone had the same error and it was caused by Windows/DOS-style End of Line-Characters:
http://georgik.sinusgear.com/2014/07/24/couriertls-etccourieresmtpd-pem-error0906d06cpem-routinespem_read_biono-start-line/

However I checked, my cert/pem-file has no windows-eol-chars. Is there anything else that has changed regarding cert parsing? It's just the cert and the key concatenated, nothing special.

cu,
--
Hanno Böck
http://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: BBB51E42
Re: [courier-users] problems with esmtpd / cert / pem reading after update to latest snapshot (no start line)
On Fri, 19 Sep 2014 18:50:51 -0400
Sam Varshavchik mr...@courier-mta.com wrote:

> The certificate file is getting rejected by the OpenSSL library.
> That's where this error is coming from.

I now found out what is wrong. It seems courier now needs dh params either in the pem file or separately via TLS_DHPARAMS. We didn't have them in our config yet.

However, while looking at this I found something worrying: It seems the mkdhparams script defaults to 768 bit and the mkesmtpd script defaults to 512 bit DH params. That's completely and utterly insecure. It's insecure in a way that this is practically breakable on a normal home PC these days.

I'd strongly advise to raise these defaults to 2048, which is a reasonable value these days.

cu,
--
Hanno Böck
http://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: BBB51E42
[courier-users] [patch] fix linking variables in module.esmtp
Hello Sam,

attached is a patch which fixes mostly the same issue as the patch for lunicode I sent a few days ago. It moves library linking from LDFLAGS to LDADD where it belongs.

I found this during hunting for another issue. It doesn't seem to cause compile failures at the moment, but it should be fixed nevertheless.

Please apply, patch is against courier git.

cu,
--
Hanno Böck
http://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: BBB51E42

diff -Naur courier-upstream.git/courier/courier/module.esmtp/Makefile.am courier-courier.git/courier/courier/module.esmtp/Makefile.am --- courier-upstream.git/courier/courier/module.esmtp/Makefile.am 2014-09-17 12:42:08.629144334 +0200 +++ courier-courier.git/courier/courier/module.esmtp/Makefile.am 2014-09-17 12:42:56.087551022 +0200 @@ -93,9 +93,9 @@ courieresmtpd_DEPENDENCIES=$(courieresmtp_DEPENDENCIES) \ ../../libs/tcpd/libspipe.la -courieresmtpd_LDADD=$(commonLDADD) ../../libs/tcpd/libspipe.la -courieresmtpd_LDFLAGS=`@COURIERAUTHCONFIG@ --ldflags` \ - -lcourierauthsasl -lcourierauth +courieresmtpd_LDADD=$(commonLDADD) ../../libs/tcpd/libspipe.la \ + -lcourierauthsasl -lcourierauth +courieresmtpd_LDFLAGS=`@COURIERAUTHCONFIG@ --ldflags` addcr_SOURCES=addcr.c
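Review bot: courieresmtpd_LDFLAGS still receives the full output of `@COURIERAUTHCONFIG@ --ldflags`. If that output can contain -l entries they would remain in LDFLAGS, ahead of the objects, which is the ordering this patch sets out to fix, so it is worth confirming that it emits only -L paths or splitting it the same way.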
[courier-users] [PATCH] fix linking order with -lunicode
Hello,

The current Makefiles of courier add -lunicode to the LDFLAGS variable at a few places. This is wrong. Libs should never be added to LDFLAGS. This causes the build process to proceed with the wrong linking order which will sometimes fail.

Such bugs usually don't cause issues unless one uses the ld-parameter --as-needed. Many Linux distributions do this by default these days, so it's better to have the linking order correct.

See attached patch. It's against the courier-libs git repo. Please apply.

cu,
--
Hanno Böck
http://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: BBB51E42

diff -Naur courier-libs/gpglib/Makefile.am courier-libs1/gpglib/Makefile.am --- courier-libs/gpglib/Makefile.am 2014-09-12 15:05:52.760628218 +0200 +++ courier-libs1/gpglib/Makefile.am 2014-09-12 15:07:53.739115778 +0200 @@ -17,9 +17,9 @@ sign.c tempname.c tempname.h testgpg_SOURCES=testgpg.c -testgpg_LDADD=libgpg.la ../numlib/libnumlib.la +testgpg_LDADD=libgpg.la ../numlib/libnumlib.la -lunicode testgpg_DEPENDENCIES=$(testgpg_LDADD) -testgpg_LDFLAGS=-static -lunicode +testgpg_LDFLAGS=-static mimegpg_SOURCES=mimegpg.c mimegpg_LDADD=libgpg.la ../rfc2045/librfc2045.la ../rfc822/librfc822.la \ diff -Naur courier-libs/rfc2045/Makefile.am courier-libs1/rfc2045/Makefile.am --- courier-libs/rfc2045/Makefile.am 2014-09-12 15:05:52.814627543 +0200 +++ courier-libs1/rfc2045/Makefile.am 2014-09-12 15:07:14.767602989 +0200 
@@ -31,24 +31,23 @@ reformime_SOURCES=reformime.c reformime_LDADD = librfc2045.la ../rfc822/libencode.la ../rfc822/librfc822.la \ - ../numlib/libnumlib.la + ../numlib/libnumlib.la -lunicode reformime_DEPENDENCIES = $(reformime_LDADD) -reformime_LDFLAGS=-static -lunicode +reformime_LDFLAGS=-static makemime_SOURCES=makemime.c -makemime_LDADD = ../rfc822/libencode.la ../rfc822/librfc822.la librfc2045.la ../numlib/libnumlib.la +makemime_LDADD = ../rfc822/libencode.la ../rfc822/librfc822.la librfc2045.la ../numlib/libnumlib.la -lunicode makemime_DEPENDENCIES=$(makemime_LDADD) -makemime_LDFLAGS=-static -lunicode +makemime_LDFLAGS=-static headercheck_SOURCES=headercheck.c -headercheck_LDADD=librfc2045.la ../rfc822/librfc822.la ../numlib/libnumlib.la +headercheck_LDADD=librfc2045.la ../rfc822/librfc822.la ../numlib/libnumlib.la -lunicode headercheck_DEPENDENCIES=$(headercheck_LDADD) -headercheck_LDFLAGS=-static -lunicode +headercheck_LDFLAGS=-static testrfc3676parser_SOURCES=testrfc3676parser.c -testrfc3676parser_LDADD=librfc2045.la +testrfc3676parser_LDADD=librfc2045.la -lunicode testrfc3676parser_DEPENDENCIES=$(testrfc3676parser_LDADD) -testrfc3676parser_LDFLAGS=-lunicode if HAVE_SGML reformime.html: reformime.sgml ../docbook/sgml2html
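Review bot: every target touched here defines its _DEPENDENCIES as $(..._LDADD) (testgpg_DEPENDENCIES=$(testgpg_LDADD) and the four rfc2045 programs), so after this change -lunicode also becomes a make prerequisite. GNU make resolves a -lNAME prerequisite by searching its library directories, but other make implementations do not, and a libunicode installed outside those directories ends in a missing-target error. Either list only the local .la files in the _DEPENDENCIES variables, or drop the explicit assignments and let automake derive them from _LDADD, which leaves out -l and -L entries.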
Re: [courier-users] OpenSSL crash with STARTTLS in Courier
On Sun, 04 May 2014 13:05:30 -0500 Lindsay Haisley fmouse-cour...@fmp.com wrote:
> So it looks as if the issue here is that courier is using only SSL/TLS v2 or v3. If I spec TLS v1 to couriertls I get, with no errors:
There is no TLS v2 or v3 (only legacy SSL v2/3, but that's not used in SMTP, because it doesn't know starttls). The later versions are numbered TLS v1.1 and v1.2.
> I'd like to configure courier to use TLS1 as a fallback in cases such as this. Is this possible?
This is possible and it is the default. Courier also does that. Every TLS app that conforms to standards does that. Usually what happens is something like this:
* Client: Server, I'd like to connect with TLS 1.2
* Server: Sorry, I can't do that, let's use TLS 1.0
* Client: Okay, let's use TLS 1.0
Now what happens sometimes is that servers are unable to proceed if they're connected with a tls version they don't support. So they don't answer at all. As far as I can remember, the Facebook-API had such a problem when TLS 1.2 first appeared in openssl. However, this is always a bug on the server side. Every correct implementation of TLS 1.0 can handle this gracefully. So mx.nv.net is using broken hardware or software. Tell them. There's nothing you can do about it except not supporting newer and better crypto standards (which really should not be an option if you're serious). -- Hanno Böck http://hboeck.de/ mail/jabber: ha...@hboeck.de GPG: BBB51E42
Re: [courier-users] StartSSL SHA-2 x509 certificates with Courier
On Thu, 01 May 2014 15:13:29 +0200 Anders Le Chevalier and...@lechevalier.se wrote:
> Are there any limitations to the type of hash or other features of the certificates that are supported by courier?
I'm not aware of any and I'm using startssl certs successfully with my servers.
> Should I put something else inside the TLS_CERTFILE ? Is the order of the key, cert, intermediary CA and root CA important in the PEM file?
The order matters. First Cert, then intermediate. You shouldn't put the root in at all. -- Hanno Böck http://hboeck.de/ mail/jabber: ha...@hboeck.de GPG: BBB51E42
Re: [courier-users] LOGGEROPT and esmtpd
On Mon, 07 Apr 2014 19:29:58 -0400 Sam Varshavchik mr...@courier-mta.com wrote:
> courierlogger captures error messages from its managed process, and sends them to syslog. The entire esmtp server talks to syslog directly, that's why it's different. This is not something that can be changed trivially, since big chunks of code are also used when sendmail gets invoked from the command line, where standard error is already serving its traditional role, and logging should, truly, go to syslog.
I see. Then probably a different approach might be easier: Providing an option to change the name under which esmtpd gets logged into syslog. I think basically changing this line courieresmtpd.c:clog_open_syslog(courieresmtpd); from a hardcoded string to something configurable would do, right? -- Hanno Böck http://hboeck.de/ mail/jabber: ha...@hboeck.de GPG: BBB51E42
Re: [courier-users] LOGGEROPT and esmtpd
On Thu, 10 Apr 2014 12:48:34 +0200 Hanno Böck ha...@hboeck.de wrote:
> I see. Then probably a different approach might be easier: Providing an option to change the name under which esmtpd gets logged into syslog. I think basically changing this line courieresmtpd.c: clog_open_syslog(courieresmtpd); from a hardcoded string to something configurable would do, right?
Quick and dirty patch attached that does this. Sam, do you think you'd commit something like this? -- Hanno Böck http://hboeck.de/ mail/jabber: ha...@hboeck.de GPG: BBB51E42 diff -Naur courier-0.73.1/courier/module.esmtp/courieresmtpd.c courier-0.73.1-1/courier/module.esmtp/courieresmtpd.c --- courier-0.73.1/courier/module.esmtp/courieresmtpd.c 2013-09-25 13:05:52.0 +0200 +++ courier-0.73.1-1/courier/module.esmtp/courieresmtpd.c 2014-04-10 12:50:55.454025200 +0200 @@ -1063,7 +1063,11 @@ if (p *p config_has_vhost(p)) config_set_local_vhost(p); - clog_open_syslog(courieresmtpd); + if ( getenv(LOGNAME) ) { + clog_open_syslog(getenv(LOGNAME)); + } else { + clog_open_syslog(courieresmtpd); + } if ((p=getenv(ESMTP_TLS)) atoi(p)) {
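Review bot: LOGNAME is not a free name. login, su and cron normally export it with the invoking account's name, so with this hunk the syslog ident silently becomes that user name whenever esmtpd is started from such an environment. Use a Courier-specific variable set in the esmtpd config file, read it once into a local instead of calling getenv twice, and fall back to courieresmtpd when it is unset or empty (the test as written accepts an empty string).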
[courier-users] LOGGEROPT and esmtpd
Hello, I'd like to separate log files from the various esmtpds (25, 465, 587), so I can see which one gets used how often by my users. However, I currently don't see any easy way to do so. The pop3d and imapd config files and start scripts have a variable LOGGEROPTS in their configfile that gets passed to courierlogger. However, the esmtpd startup script seems a bit different and doesn't call the logger directly. Is there a reason why LOGGEROPTS is not available for esmtpd? Sam, could this be changed for the next version? cu, -- Hanno Böck http://hboeck.de/ mail/jabber: ha...@hboeck.de GPG: BBB51E42
Re: [courier-users] [PATCH] courier should use DESTDIR on test ! -w commands
Sam, attached you'll find a patch that changes all instances of test -w / test ! -w in courier's Makefiles. courier-fix-root-check-svn.diff.gz is against latest courier svn and excludes all files not in svn (that are generated by autotools). Can you apply this one? -- Hanno Böck mail/jabber: ha...@hboeck.de GPG: BBB51E42 http://www.hboeck.de/
Re: [courier-users] [PATCH] courier should use DESTDIR on test ! -w commands
On Fri, 15 Jun 2012 08:33:22 -0400 Sam Varshavchik mr...@courier-mta.com wrote:
> I don't see how it could possibly work. With the change applied, the install command becomes: /bin/install -c `test `id -u` != 0 || echo -o daemon -g daemon`
I see your point - my fault, I did it correctly for Makefile.in, but wrong for Makefile.am. See attached patch - rediffed against 0.68.2, tested and this time hopefully correct. -- Hanno Böck mail/jabber: ha...@hboeck.de GPG: BBB51E42 http://www.hboeck.de/ diff -Naur courier-0.68.2-orig/courier/module.esmtp/Makefile.am courier-0.68.2/courier/module.esmtp/Makefile.am --- courier-0.68.2-orig/courier/module.esmtp/Makefile.am 2012-06-07 17:54:47.0 +0200 +++ courier-0.68.2/courier/module.esmtp/Makefile.am 2012-06-16 23:01:51.363589115 +0200 @@ -32,7 +32,7 @@ touch $@ module_PROGRAMS=courieresmtp courieresmtpd addcr -INSTALL=@INSTALL@ `test ! -w /etc || echo -o @mailuser@ -g @mailgroup@` +INSTALL=@INSTALL@ `test \`id -u\` != 0 || echo -o @mailuser@ -g @mailgroup@` INSTALL_PROGRAM=${INSTALL} -m 550 EXTRA_DIST=courier.config staticlist.c esmtp.authpam.dist esmtpd.cnf.gnutls diff -Naur courier-0.68.2-orig/courier/module.esmtp/Makefile.in courier-0.68.2/courier/module.esmtp/Makefile.in --- courier-0.68.2-orig/courier/module.esmtp/Makefile.in 2012-06-07 17:54:50.0 +0200 +++ courier-0.68.2/courier/module.esmtp/Makefile.in 2012-06-16 23:01:51.479587666 +0200
@@ -195,7 +195,7 @@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GREP = @GREP@ -INSTALL = @INSTALL@ `test ! -w /etc || echo -o @mailuser@ -g @mailgroup@` +INSTALL = @INSTALL@ `test \`id -u\` != 0 || echo -o @mailuser@ -g @mailgroup@` INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = ${INSTALL} -m 550 INSTALL_SCRIPT = @INSTALL_SCRIPT@
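Review bot: the escaped nested backticks in the new INSTALL line are easy to break again, as the previous revision of this patch showed, and the same expression would have to be repeated in every Makefile.am that carries the old test. Do the uid test once in configure and substitute the resulting owner flags through a single variable, so the Makefile.am files carry no shell quoting at all and Makefile.in needs no separate hunk.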
Re: [courier-users] [PATCH] courier should use DESTDIR on test ! -w commands
Hi Sam,
On Thu, 07 Jun 2012 19:06:08 -0400 Sam Varshavchik mr...@courier-mta.com wrote:
> Hanno Böck writes:
>> So the correct way should be another test for root, e.g. test `id -u` != 0 I've prepared a patch. This is for both Makefile.in and Makefile.am to avoid the need for autotools, however the first one gets generated automatically, only the second one probably needs to be applied to courier. Please note however that this fixes the issue ONLY for module.esmtp, although it seems to be prevalent all over the courier Makefile.am files. I wanted first to discuss if this is the correct approach to fix it. If you're okay with that, I'll send you further patches for the others.
> Although the intent seems to be ok, the patch itself does not really work.
Can you be more specific? At my local tests, it worked. What's the issue with it? What do you think the best approach to check for root would be?
> Also, if you're preparing an automated package build, this isn't really needed. Running 'make install-perms' from the top level directory produces a very nicely-formatted file, permissions.dat, that lists all the files that get installed, and what their permissions should be. You should use that to prepare your package.
This seems to me like a workaround rather than a fix. Better than nothing, but still, I'd rather like to see the makefile check for root in a more correct way. -- Hanno Böck mail/jabber: ha...@hboeck.de GPG: BBB51E42 http://www.hboeck.de/
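Added example (not part of the thread, and not Courier's own build code): the three INSTALL fragments discussed in this thread, expanded by /bin/sh the way a make recipe line would be, with id replaced by a stub so the result does not depend on who runs it. MAILUSER, MAILGROUP, PROBE_DIR (standing in for the hard-coded /etc) and expand_install are names made up for the illustration.

```shell
#!/bin/sh
# Added illustration, not taken from the Courier Makefiles.
# MAILUSER/MAILGROUP stand in for the @mailuser@/@mailgroup@ substitutions.
MAILUSER=daemon
MAILGROUP=daemon

# The three INSTALL fragments from the thread, kept as literal text
# (single quotes: nothing is expanded at this point).
# PROBE_DIR replaces the hard-coded /etc so that an unwritable /etc,
# as inside a build sandbox, can be simulated.
OLD_CHECK='`test ! -w "$PROBE_DIR" || echo -o $MAILUSER -g $MAILGROUP`'
UNESCAPED='`test `id -u` != 0 || echo -o $MAILUSER -g $MAILGROUP`'
ESCAPED='`test \`id -u\` != 0 || echo -o $MAILUSER -g $MAILGROUP`'

# expand_install UID PROBE_DIR FRAGMENT
# Prints the install command line that /bin/sh builds from FRAGMENT.
# id is shadowed by a function that reports UID. stderr is discarded
# because the unescaped fragment makes the shell try to run a command
# called "!=" and complain about it.
expand_install() {
    STUB_UID=$1 PROBE_DIR=$2 FRAGMENT=$3 MAILUSER=$MAILUSER MAILGROUP=$MAILGROUP \
        sh -c 'id() { echo "$STUB_UID"; }
               eval "echo install -c $FRAGMENT"' 2>/dev/null
}

demo() {
    tmp=$(mktemp -d)   # writable; "$tmp/denied" does not exist, so -w fails

    echo "uid 0, probe dir not writable (sandboxed build):"
    echo "  old check : $(expand_install 0 "$tmp/denied" "$OLD_CHECK")"
    echo "  id -u     : $(expand_install 0 "$tmp/denied" "$ESCAPED")"

    echo "uid 1000, probe dir writable:"
    echo "  old check : $(expand_install 1000 "$tmp" "$OLD_CHECK")"
    echo "  id -u     : $(expand_install 1000 "$tmp" "$ESCAPED")"

    # Unescaped nesting: the shell pairs the first two backticks, so it
    # runs "test" with no arguments, keeps "id -u" as literal words, and
    # runs "!= 0 || echo ..." as a second substitution. The echo fires
    # for every uid.
    echo "unescaped nested backticks, uid 1000:"
    echo "  result    : $(expand_install 1000 "$tmp" "$UNESCAPED")"

    rm -rf "$tmp"
}

demo
```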
[courier-users] [PATCH] courier should use DESTDIR on test ! -w commands
Hello, It just took me some time to dig into an issue I had with courier on Gentoo. The problem was that certain executables like courieresmtpd were not installed with the correct user/group settings. I found that this line was the cause of the problem: INSTALL=@INSTALL@ `test ! -w /etc || echo -o @mailuser@ -g @mailgroup@` (in ./courier/module.esmtp/Makefile.am) This tests if there's write access to /etc and decides that it can chown then. However, the Gentoo sandbox system, although running with root permissions, prevents write access to /tmp. So the correct way should be another test for root, e.g. test `id -u` != 0 I've prepared a patch. This is for both Makefile.in and Makefile.am to avoid the need for autotools, however the first one gets generated automatically, only the second one probably needs to be applied to courier. Please note however that this fixes the issue ONLY for module.esmtp, although it seems to be prevalent all over the courier Makefile.am files. I wanted first to discuss if this is the correct approach to fix it. If you're okay with that, I'll send you further patches for the others. -- Hanno Böck mail/jabber: ha...@hboeck.de GPG: BBB51E42 http://www.hboeck.de/ diff -u courier-0.68.1/courier/module.esmtp/Makefile.am courier-0.68.1-1/courier/module.esmtp/Makefile.am --- courier-0.68.1/courier/module.esmtp/Makefile.am 2011-04-04 15:01:20.0 +0200 +++ courier-0.68.1-1/courier/module.esmtp/Makefile.am 2012-06-07 13:53:12.846012841 +0200
@@ -32,7 +32,7 @@ touch $@ module_PROGRAMS=courieresmtp courieresmtpd addcr -INSTALL=@INSTALL@ `test ! -w /etc || echo -o @mailuser@ -g @mailgroup@` +INSTALL=@INSTALL@ `test `id -u` != 0 || echo -o @mailuser@ -g @mailgroup@` INSTALL_PROGRAM=${INSTALL} -m 550 EXTRA_DIST=courier.config staticlist.c esmtp.authpam.dist esmtpd.cnf.gnutls diff -u courier-0.68.1/courier/module.esmtp/Makefile.in courier-0.68.1-1/courier/module.esmtp/Makefile.in --- courier-0.68.1/courier/module.esmtp/Makefile.in 2011-11-13 02:50:30.0 +0100 +++ courier-0.68.1-1/courier/module.esmtp/Makefile.in 2012-06-07 13:52:51.098284711 +0200 @@ -185,7 +185,7 @@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GREP = @GREP@ -INSTALL = @INSTALL@ `test ! -w /etc || echo -o @mailuser@ -g @mailgroup@` +INSTALL = @INSTALL@ `test \`id -u\` != 0 || echo -o @mailuser@ -g @mailgroup@` INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = ${INSTALL} -m 550 INSTALL_SCRIPT = @INSTALL_SCRIPT@
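Review bot: in the Makefile.am hunk the inner backticks around id -u are not escaped, unlike the Makefile.in hunk below it. The shell pairs the first two backticks, so it runs test with no arguments, then a second substitution that starts with != 0, and the echo after || fires for every user. Use the same \`id -u\` form in both files.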
[courier-users] Request for a new release?
Hi Sam, Can you make a new release out of the latest courier snapshot? (I'm personally mostly interested in the make check fix from 06-28, as this is stopping gentoo stabilization - yes, I could backport or just use the snap, but it'd be nicer to have a release ;-) cu, Hanno -- Hanno Böck Blog: http://www.hboeck.de/ GPG: 3DBD3B20 Jabber/Mail:ha...@hboeck.de http://schokokeks.org - professional webhosting
[courier-users] courier-authlib: bundled libltdl contains security issues
Hi, courier-authlib bundles libltdl version 2.2.6. This version has security issues: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736 This probably does not affect many users, because courier-authlib uses the system-wide libltdl if it's available. Anyway, the bundled version should probably get an update. Alternatively you could just throw away the bundled version and require libltdl to be installed system wide. Bundling libraries is a bad idea anyway imho (due to security issues like this one). -- Hanno Böck Blog: http://www.hboeck.de/ GPG: 3DBD3B20 Jabber/Mail:ha...@hboeck.de http://schokokeks.org - professional webhosting
[courier-users] [PATCH] option to disable tarpitting
Courier does so-called tarpitting on connections that are considered spam. That means it keeps the tcp connection open for a while and is meant to eat resources from spammers. We had the problem on our servers that it was eating too much of our resources. Also I'm unsure if this is generally a useful idea. But others may have a different opinion on that, so I think this should be made optional. See attached patch, adds an option TARPIT to esmtpd config. -- Hanno Böck Blog: http://www.hboeck.de/ GPG: 3DBD3B20 Jabber/Mail:ha...@hboeck.de http://schokokeks.org - professional webhosting diff -Naur courier-0.64.0/courier/module.esmtp/courieresmtpd.c courier-0.64.0-1/courier/module.esmtp/courieresmtpd.c --- courier-0.64.0/courier/module.esmtp/courieresmtpd.c 2009-08-23 12:26:34.0 +0200 +++ courier-0.64.0-1/courier/module.esmtp/courieresmtpd.c 2010-01-31 19:46:52.0 +0100 @@ -81,10 +81,14 @@ static void tarpit() { - sleep(teergrube); - teergrube *= 2; - if (teergrube MAX_TEERGRUBE) - teergrube=MAX_TEERGRUBE; + const char *p; + if ((p=getenv(TARPIT)) atoi(p)) + { + sleep(teergrube); + teergrube *= 2; + if (teergrube MAX_TEERGRUBE) + teergrube=MAX_TEERGRUBE; + } } void iov_logerror(const char *q, const char *p) diff -Naur courier-0.64.0/courier/module.esmtp/esmtpd.dist.in courier-0.64.0-1/courier/module.esmtp/esmtpd.dist.in --- courier-0.64.0/courier/module.esmtp/esmtpd.dist.in 2009-08-13 00:25:49.0 +0200 +++ courier-0.64.0-1/courier/module.esmtp/esmtpd.dist.in 2010-01-31 19:41:17.0 +0100 @@ -51,6 +51,12 @@ BOFHNOVRFY=0 +##NAME: TARPIT:1 +# +# Set TARPIT to 0 to disable tarpitting + +TARPIT=1 + ##NAME: NOADDMSGID:0 # # The following environment variables keep Courier from adding diff -Naur courier-0.64.0/courier/module.esmtp/esmtpd-ssl.dist.in courier-0.64.0-1/courier/module.esmtp/esmtpd-ssl.dist.in --- courier-0.64.0/courier/module.esmtp/esmtpd-ssl.dist.in 2009-08-13 00:25:49.0 +0200 +++ courier-0.64.0-1/courier/module.esmtp/esmtpd-ssl.dist.in 2010-01-31 19:41:49.0 +0100
@@ -44,6 +44,12 @@ BOFHNOVRFY=0 +##NAME: TARPIT:1 +# +# Set TARPIT to 0 to disable tarpitting + +TARPIT=1 + ##NAME: NOADDMSGID:0 # # The following environment variables keep Courier from adding
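Review bot: in tarpit() the delay now runs only when TARPIT is set and non-zero, so an installation that upgrades the binary but keeps its existing esmtpd or esmtpd-ssl config, which has no TARPIT line, loses tarpitting without anyone having asked for that. Treat an unset variable as enabled and skip the sleep only for an explicit 0; that also matches the new config comment, Set TARPIT to 0 to disable tarpitting.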
[courier-users] maxrcpts soft and hard?
Hi, While investigating a kmail problem, I noticed that our courier server sends the error code 431 Too many recipients. if there are maxrcpts recipients in a mail. Now, 4xx error codes are for temporary errors. I found this piece of code in courier:
courier/submit.C- std::cout << (max_bofh_ishard
courier/submit.C: ? "531 Too many recipients."
courier/submit.C: : "431 Too many recipients.")
courier/submit.C- << std::endl << std::flush;
Now, I don't understand that. It seems one can set hard and soft limits for maxrcpts (although I don't find anything documented about it). What should that mean? What's a soft limit for maxrcpts? A 4xx error should mean for the user that just sending the same mail later again will work (RFC 2821), so from what I can see, it should always be 531. If I'm wrong, please explain to me why. -- Hanno Böck Blog: http://www.hboeck.de/ GPG: 3DBD3B20 Jabber/Mail:ha...@hboeck.de http://schokokeks.org - professional webhosting
[courier-users] [PATCH] disable aNULL-ciphers, maybe enable medium ciphers
Hi, On some investigation of my servers, I found that my common ssl cipher string enables the aNULL-ciphers. Those are ciphers without any authentication of the server certificate and their usage is discouraged. Bernd Wurst told me that our cipher string (we're maintaining the server together) got once used as the default for courier, so you probably have that problem as well ;-) Besides, the current default string in courier disables the medium ciphers (which are mainly 128 bit ciphers). I think they're perfectly okay and it's quite questionable if the high ciphers are an improvement (e.g. the recent theoretical aes attacks only work on the 256bit version, not the 128 one). So I'm providing you two patches and ask that you apply at least one. courier-0.62.2-sslcipherstring-anull.diff : disable aNULL courier-0.62.2-sslcipherstring-anull-medium.diff : disable aNULL and enable MEDIUM -- Hanno Böck Blog: http://www.hboeck.de/ GPG: 3DBD3B20 Jabber/Mail:ha...@hboeck.de http://schokokeks.org - professional webhosting diff -Naur courier-0.62.2/courier/courierd.dist.in courier-0.62.2-sslstring/courier/courierd.dist.in --- courier-0.62.2/courier/courierd.dist.in 2008-07-13 16:54:48.0 +0200 +++ courier-0.62.2-sslstring/courier/courierd.dist.in 2009-08-12 16:28:52.0 +0200 @@ -269,7 +269,7 @@ # # OpenSSL: # -# TLS_CIPHER_LIST=SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:!n...@strength +# TLS_CIPHER_LIST=SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!an...@strength # # To enable SSL2, remove the obvious !SSLv2 part from the above list. # diff -Naur courier-0.62.2/courier/module.esmtp/esmtpd.dist.in courier-0.62.2-sslstring/courier/module.esmtp/esmtpd.dist.in --- courier-0.62.2/courier/module.esmtp/esmtpd.dist.in 2009-06-02 05:04:25.0 +0200 +++ courier-0.62.2-sslstring/courier/module.esmtp/esmtpd.dist.in 2009-08-12 16:28:52.0 +0200
@@ -139,7 +139,7 @@ # When using the SSL23 protocol setting (see above), the following setting # should turn off SSL2 (leaving just SSL3 and TLS1) and all anonymous ciphers: # -# TLS_CIPHER_LIST=SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:!n...@strength +# TLS_CIPHER_LIST=SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!an...@strength # # GnuTLS: # diff -Naur courier-0.62.2/courier/module.esmtp/esmtpd-ssl.dist.in courier-0.62.2-sslstring/courier/module.esmtp/esmtpd-ssl.dist.in --- courier-0.62.2/courier/module.esmtp/esmtpd-ssl.dist.in 2008-07-12 22:17:24.0 +0200 +++ courier-0.62.2-sslstring/courier/module.esmtp/esmtpd-ssl.dist.in 2009-08-12 16:28:52.0 +0200 @@ -163,7 +163,7 @@ # # OpenSSL: # -# TLS_CIPHER_LIST=SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:!n...@strength +# TLS_CIPHER_LIST=SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!an...@strength # # To enable SSL2, remove the obvious !SSLv2 part from the above list. # diff -Naur courier-0.62.2/imap/imapd-ssl.dist.in courier-0.62.2-sslstring/imap/imapd-ssl.dist.in --- courier-0.62.2/imap/imapd-ssl.dist.in 2008-07-12 22:17:24.0 +0200 +++ courier-0.62.2-sslstring/imap/imapd-ssl.dist.in 2009-08-12 16:28:52.0 +0200 @@ -147,7 +147,7 @@ # # OpenSSL: # -# TLS_CIPHER_LIST=SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:!n...@strength +# TLS_CIPHER_LIST=SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!an...@strength # # To enable SSL2, remove the obvious !SSLv2 part from the above list. # diff -Naur courier-0.62.2/imap/pop3d-ssl.dist.in courier-0.62.2-sslstring/imap/pop3d-ssl.dist.in --- courier-0.62.2/imap/pop3d-ssl.dist.in 2008-07-12 22:17:25.0 +0200 +++ courier-0.62.2-sslstring/imap/pop3d-ssl.dist.in 2009-08-12 16:28:52.0 +0200 
@@ -134,7 +134,7 @@ # # OpenSSL: # -# TLS_CIPHER_LIST=SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:!n...@strength +# TLS_CIPHER_LIST=SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!an...@strength # # To enable SSL2, remove the obvious !SSLv2 part from the above list. # diff -Naur courier-0.62.2/tcpd/libcouriertls.c courier-0.62.2-sslstring/tcpd/libcouriertls.c --- courier-0.62.2/tcpd/libcouriertls.c 2009-06-27 18:32:50.0 +0200 +++ courier-0.62.2-sslstring/tcpd/libcouriertls.c 2009-08-12 16:28:52.0 +0200 @@ -567,7 +567,7 @@ SSL_CTX_set_options(ctx, SSL_OP_ALL); if (!ssl_cipher_list) - ssl_cipher_list=SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:!n...@strength; + ssl_cipher_list=SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!an...@strength; SSL_CTX_set_cipher_list(ctx, ssl_cipher_list); SSL_CTX_set_timeout(ctx, session_timeout); diff -Naur courier-0.62.2/courier/courierd.dist.in courier-0.62.2-sslstring/courier/courierd.dist.in --- courier-0.62.2/courier/courierd.dist.in 2008-07-13 16:54:48.0 +0200 +++ courier-0.62.2-sslstring/courier/courierd.dist.in 2009-08-12 16:29:57.0 +0200 @@ -269,7 +269,7 @@ # # OpenSSL: # -# TLS_CIPHER_LIST=SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:!n...@strength +# TLS_CIPHER_LIST=SSLv3:TLSv1:!SSLv2
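Review bot: the libcouriertls.c hunk only changes the built-in fallback used when ssl_cipher_list is unset, and the .dist.in hunks only change commented-out examples. A site that already copied the old example into its own TLS_CIPHER_LIST keeps the list that admits anonymous ciphers, so the release notes should tell administrators to add the aNULL exclusion to their setting. The same string now lives in six places; defining it once would keep the code default and the documented default from drifting apart.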
[courier-users] [PATCH] add additional dirs to authmigrate.in
This patch is taken from gentoo linux, adds some additional dirs to authmigrate in courier-authlib (against latest 0.62.2), shouldn't hurt to apply. -- Hanno Böck Blog: http://www.hboeck.de/ GPG: 3DBD3B20 Jabber/Mail:ha...@hboeck.de --- courier-authlib-0.62.2-orig/authmigrate.in 2008-07-21 02:37:45.0 +0200 +++ courier-authlib-0.62.2/authmigrate.in 2009-02-22 17:32:44.0 +0100 @@ -18,6 +18,8 @@ rc=0 for dir in /etc/courier \ + /etc/courier/authlib \ + /etc/courier-imap \ /usr/lib/courier/etc \ /usr/lib/courier-imap/etc \ /usr/local/etc \
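Review bot: the two added search directories carry no comment on which packaging used them; the message only says the change comes from Gentoo. A one-line comment above the list naming where /etc/courier/authlib and /etc/courier-imap came from would tell a later maintainer when they can be dropped.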
Re: [courier-users] [PATCH] add additional dirs to authmigrate.in
On Sunday 22 February 2009 Sam Varshavchik wrote:
> Yes, but I'm shocked that this is even needed in the first place. Who's still running 0.48?
I don't know if it is - this patch is probably pretty old and I just want to reduce the amount of patches in the package. -- Hanno Böck Blog: http://www.hboeck.de/ GPG: 3DBD3B20 Jabber/Mail:ha...@hboeck.de
[courier-users] [PATCH] Add destdir support to authmigrate.in in courier-authlib
Hi, Attached patch adds the DESTDIR variable to some places so installing into DESTDIR works. Please apply. -- Hanno Böck Blog: http://www.hboeck.de/ GPG: 3DBD3B20 Jabber/Mail:[EMAIL PROTECTED] --- authmigrate.in.orig 2008-07-21 01:58:52.0 +0200 +++ authmigrate.in 2008-07-21 02:07:30.0 +0200 @@ -71,11 +71,11 @@ return $rc } -chk_file authdaemonrc @authdaemonrc@ -chk_file authmysqlrc @authmysqlrc@ -chk_file authpgsqlrc @authpgsqlrc@ -chk_file authldaprc @authldaprc@ -chk_file userdb @userdb@ +chk_file authdaemonrc [EMAIL PROTECTED]@ +chk_file authmysqlrc [EMAIL PROTECTED]@ +chk_file authpgsqlrc [EMAIL PROTECTED]@ +chk_file authldaprc [EMAIL PROTECTED]@ +chk_file userdb [EMAIL PROTECTED]@ if test $? = 1 then
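Review bot: the second argument of each chk_file call is passed unquoted. Once a DESTDIR prefix sits in front of @authdaemonrc@ and the other four paths, a staging directory whose name contains whitespace splits into two arguments. Put the argument in double quotes in all five calls.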
[courier-users] courier compilation fails with --as-needed
courier (0.58 and all older versions I've tested) fails with Linking when using LDFLAGS=-Wl,--as-needed. Reproducible with LDFLAGS=-Wl,--as-needed ./configure LDFLAGS=-Wl,--as-needed make --as-needed tells the linker to only link libraries with functions that are actually in use. Failure usually means that the linking order is wrong at some place. I didn't find a bugtracker for courier, so I'm posting it here. Output: make[1]: Entering directory `/tmp/courier-0.58.0/tcpd' make all-am make[2]: Entering directory `/tmp/courier-0.58.0/tcpd' /bin/sh ./libtool --tag=CC --mode=link gcc -I./.. -I.. -Wall -g -O2 -static -Wl,--as-needed -o couriertcpd argparse.o tcpd.o tcpdaccess.o tcpremoteinfo.o libspipe.la ../rfc1035/librfc1035.a ../gdbmobj/libgdbmobj.la ../liblock/liblock.la ../numlib/libnumlib.la ../waitlib/libwaitlib.a ../soxwrap/libsoxwrap.a ../md5/libmd5.la ../random128/librandom128.la -Wl,-lgdbm gcc -I./.. -I.. -Wall -g -O2 -Wl,--as-needed -o couriertcpd argparse.o tcpd.o tcpdaccess.o tcpremoteinfo.o -Wl,-lgdbm ./.libs/libspipe.a ../rfc1035/librfc1035.a ../gdbmobj/.libs/libgdbmobj.a ../liblock/.libs/liblock.a ../numlib/.libs/libnumlib.a ../waitlib/libwaitlib.a ../soxwrap/libsoxwrap.a ../md5/.libs/libmd5.a ../random128/.libs/librandom128.a ../gdbmobj/.libs/libgdbmobj.a(gdbmobj.o): In function `gdbm_dofetch': /tmp/courier-0.58.0/gdbmobj/gdbmobj.c:173: undefined reference to `gdbm_fetch' ../gdbmobj/.libs/libgdbmobj.a(gdbmobj.o): In function `gdbmobj_exists': /tmp/courier-0.58.0/gdbmobj/gdbmobj.c:110: undefined reference to `gdbm_exists' ../gdbmobj/.libs/libgdbmobj.a(gdbmobj.o): In function `gdbmobj_store': /tmp/courier-0.58.0/gdbmobj/gdbmobj.c:96: undefined reference to `gdbm_store' ../gdbmobj/.libs/libgdbmobj.a(gdbmobj.o): In function `gdbmobj_close': /tmp/courier-0.58.0/gdbmobj/gdbmobj.c:33: undefined reference to `gdbm_close' ../gdbmobj/.libs/libgdbmobj.a(gdbmobj.o): In function `gdbmobj_open': /tmp/courier-0.58.0/gdbmobj/gdbmobj.c:63: undefined reference to 
`gdbm_open' /tmp/courier-0.58.0/gdbmobj/gdbmobj.c:70: undefined reference to `gdbm_fdesc' collect2: ld returned 1 exit status make[2]: *** [couriertcpd] Error 1 make[2]: Leaving directory `/tmp/courier-0.58.0/tcpd' make[1]: *** [all] Error 2 make[1]: Leaving directory `/tmp/courier-0.58.0/tcpd' make: *** [all-recursive] Error 1 -- Hanno Böck Blog: http://www.hboeck.de/ GPG: 3DBD3B20 Jabber/Mail:[EMAIL PROTECTED]