Re: sslv3 alert certificate unknown in SSL_accept() -> fail

2017-05-20 Thread Anton via Info-cyrus
Hi Marcus!
The problem looks like the Java app cannot validate the new cert. Check the SSL store of your
Java-based mail gate. Are the CA and intermediate SSL certificates for your
new 256ssl cert in the mail gate's SSL store?

> Hi,
> 
> today I changed my SSL certificates to "sha256WithRSAEncryption",
> because Thunderbird started complaining about my old SHA1
> certificates. ;) One pop3s client (it's a kind of java based mailgate)
> causes a lot of these errors, not at each connect, but on about two of
> 140 mailbox connects within 5 minutes:
> 
> 
> mail log:
> --
> May 20 23:14:02 mailserv cyrus/pop3s[17825]: accepted connection
> May 20 23:14:02 mailserv cyrus/pop3s[17825]: SSL_accept() incomplete ->
> wait
> May 20 23:14:02 mailserv cyrus/pop3s[17825]: sslv3 alert certificate
> unknown in SSL_accept() -> fail
> May 20 23:14:02 mailserv cyrus/pop3s[17825]: pop3s failed:
> ppp-xx-xx-xx-xx.domain.de [xx.xx.xx.xx]
> May 20 23:14:02 mailserv cyrus/pop3s[17825]: Fatal error:
> tls_start_servertls() failed
> May 20 23:14:02 mailserv cyrus/pop3s[17825]: counts: retr=<0> top=<0>
> dele=<0>
> --
> 
> error log:
> --
> May 20 23:12:07 mailserv cyrus/pop3s[17838]: Fatal error:
> tls_start_servertls() failed
> --
> 
> If I check pop3s with my Thunderbird or other clients everything is
> fine. SSL checker e.g. on https://decoder.link/sslchecker doesn't show
> any errors and it's only this one pop3 client that causes this error.
> 
> I didn't change anything in imap.conf, I only replaced the cert files and
> reloaded imapd:
> 
> tls_cert_file
> tls_key_file
> tls_ca_file
> 
> tls_cipher_list is unchanged:
> tls_cipher_list: TLSv1+HIGH:!aNULL:@STRENGTH
> 
> Is the client sending a client certificate, which my server doesn't
> like? But I don't ask for any client certificates.
> 
> System: cyrus 2.4.12
> 
> Ciao
> Marcus
> 



Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus

sslv3 alert certificate unknown in SSL_accept() -> fail

2017-05-20 Thread Marcus Schopen
Hi,

today I changed my SSL certificates to "sha256WithRSAEncryption",
because Thunderbird started complaining about my old SHA1
certificates. ;) One pop3s client (it's a kind of java based mailgate)
causes a lot of these errors, not at each connect, but on about two of
140 mailbox connects within 5 minutes:


mail log:
--
May 20 23:14:02 mailserv cyrus/pop3s[17825]: accepted connection
May 20 23:14:02 mailserv cyrus/pop3s[17825]: SSL_accept() incomplete ->
wait
May 20 23:14:02 mailserv cyrus/pop3s[17825]: sslv3 alert certificate
unknown in SSL_accept() -> fail
May 20 23:14:02 mailserv cyrus/pop3s[17825]: pop3s failed:
ppp-xx-xx-xx-xx.domain.de [xx.xx.xx.xx]
May 20 23:14:02 mailserv cyrus/pop3s[17825]: Fatal error:
tls_start_servertls() failed
May 20 23:14:02 mailserv cyrus/pop3s[17825]: counts: retr=<0> top=<0>
dele=<0>
--

error log:
--
May 20 23:12:07 mailserv cyrus/pop3s[17838]: Fatal error:
tls_start_servertls() failed
--

If I check pop3s with my Thunderbird or other clients everything is
fine. SSL checker e.g. on https://decoder.link/sslchecker doesn't show
any errors and it's only this one pop3 client that causes this error.

I didn't change anything in imap.conf, I only replaced the cert files and
reloaded imapd:

tls_cert_file
tls_key_file
tls_ca_file

tls_cipher_list is unchanged:
tls_cipher_list: TLSv1+HIGH:!aNULL:@STRENGTH

Is the client sending a client certificate, which my server doesn't
like? But I don't ask for any client certificates.

System: cyrus 2.4.12

Ciao
Marcus



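To quantify the pattern Marcus describes (a handful of failed handshakes among many connects, all from the one client Anton suspects has an incomplete truststore), here is an added Python example that is not part of the thread: it joins the SSL_accept() alert with the "pop3s failed: host [ip]" line through the pop3s PID and tallies failures per client. The sample log is constructed from the lines posted above.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the lines Marcus posted: PIDs 17825 and
# 17838 fail the handshake, PID 17826 completes a normal session.
SAMPLE_LOG = """\
May 20 23:14:02 mailserv cyrus/pop3s[17825]: accepted connection
May 20 23:14:02 mailserv cyrus/pop3s[17825]: SSL_accept() incomplete -> wait
May 20 23:14:02 mailserv cyrus/pop3s[17825]: sslv3 alert certificate unknown in SSL_accept() -> fail
May 20 23:14:02 mailserv cyrus/pop3s[17825]: pop3s failed: ppp-xx-xx-xx-xx.domain.de [xx.xx.xx.xx]
May 20 23:14:02 mailserv cyrus/pop3s[17825]: Fatal error: tls_start_servertls() failed
May 20 23:14:05 mailserv cyrus/pop3s[17826]: accepted connection
May 20 23:14:06 mailserv cyrus/pop3s[17826]: counts: retr=<3> top=<0> dele=<0>
May 20 23:14:12 mailserv cyrus/pop3s[17838]: accepted connection
May 20 23:14:12 mailserv cyrus/pop3s[17838]: sslv3 alert certificate unknown in SSL_accept() -> fail
May 20 23:14:12 mailserv cyrus/pop3s[17838]: pop3s failed: ppp-xx-xx-xx-xx.domain.de [xx.xx.xx.xx]
"""

LINE_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ cyrus/(?P<svc>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
FAILED_RE = re.compile(r"^(?P<svc>\w+) failed: (?P<host>\S+) \[(?P<ip>[^\]]+)\]$")
ALERT_RE = re.compile(r"^(?P<alert>.+ alert .+) in SSL_accept\(\)")


def summarize_tls_failures(log_text):
    """Return (attempts, failures): attempts counts 'accepted connection' lines,
    failures maps 'host [ip]' to the TLS alerts that client triggered. The alert
    line and the 'failed:' line share a PID, which is how they are joined."""
    attempts = 0
    pending = {}                      # pid -> alert text awaiting its client
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if msg == "accepted connection":
            attempts += 1
            continue
        a = ALERT_RE.match(msg)
        if a:
            pending[pid] = a["alert"]
            continue
        f = FAILED_RE.match(msg)
        if f and pid in pending:
            failures[f'{f["host"]} [{f["ip"]}]'].append(pending.pop(pid))
    return attempts, dict(failures)
```

Run over a real window of the mail log, a client whose failure count is a steady fraction of its connects (rather than every connect) is the signature of a truststore or chain problem on the client side rather than a server misconfiguration.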


Re: lmtpd segfaults after update to 2.4.19, seems it wants to act as proxy

2017-05-20 Thread Simon Matter
>>> Quoting Simon Matter :
>>>
>>>> Hi,
>>>>
>>>> I'm resending this with new subject and once again attached the straces
>>>> of a delivery with 2.4.18 and 2.4.19.
>>>>
>>>>> I've just updated our cyrus-imapd rpms from 2.4.18 -> 2.4.19. All
>>>>> seems well with just some small changes to the build.
>>>>>
>>>>> However, I just can't get it to work: lmtpd segfaults on mail
>>>>> delivery.
>>>>>
>>>>> The logs show something like this:
>>>>> May 17 14:21:42 mh1 kernel: lmtpd[7433]: segfault at 5ebc24d7 ip
>>>>> 7f216292973b sp 7ffe5ebc1f58 error 4 in lmtpd[7f21628c1000+169000]
>>>>> May 17 14:21:42 mh1 master[7423]: process 7433 exited, signaled to
>>>>> death by 11
>>>>>
>>>>> First I've rebuilt without some of the custom patches in the package
>>>>> like the autocreate patches. But without a change.
>>>>>
>>>>> I've then straced an lmtpd during mail delivery, once with 2.4.18 and
>>>>> once with 2.4.19 in the hope to find something. The traces are attached.
>>>>>
>>>>> I see that there were quite some changes concerning lmtp, does anyone
>>>>> of the developers have an idea where the problem in lmtpd changes
>>>>> could be?
>>>>
>>>> It turns out that lmtpd wants to act as proxy, because only then it
>>>> creates the spoolfile in /tmp/. But why?
>>>>
>>>> Regards,
>>>> Simon
>>>

>>>
>>> Are you running a murder setup? Can you produce a coredump and provide
>>> a backtrace with symbols loaded?
>>
>>
>> Hi,
>>
>> I did two things meanwhile:
>>
>> 1) Built a completely vanilla cyrus-imapd-2.4.19 without any patches to
>> make sure it's not anything wrong with additional patches. The crash was
>> the same.
>>
>> 2) Ran the normal build with an unstripped "lmtpd" binary and produced
>> core and backtrace. So below:
>>
>> Core was generated by `lmtpd'.
>> Program terminated with signal 11, Segmentation fault.
>> #0  strlcpy (dst=0x7ffaa64e00d0 "", src=0x5d73c6c7 <Address 0x5d73c6c7 out
>> of bounds>, len=1024) at xstrlcpy.c:65
>> 65   if ((dst[n] = src[n]) == '\0') break;
>> Missing separate debuginfos, use: debuginfo-install
>> cyrus-sasl-gssapi-2.1.23-15.el6_6.2.x86_64
>> cyrus-sasl-lib-2.1.23-15.el6_6.2.x86_64
>> cyrus-sasl-md5-2.1.23-15.el6_6.2.x86_64
>> cyrus-sasl-plain-2.1.23-15.el6_6.2.x86_64 db4-4.7.25-22.el6.x86_64
>> glibc-2.12-1.209.el6_9.1.x86_64 keyutils-libs-1.4-5.el6.x86_64
>> krb5-libs-1.10.3-65.el6.x86_64 libcom_err-1.41.12-23.el6.x86_64
>> libselinux-2.0.94-7.el6.x86_64
>> nss-softokn-freebl-3.14.3-23.3.el6_8.x86_64
>> openssl-1.0.1e-57.el6.x86_64 pcre-7.8-7.el6.x86_64
>> tcp_wrappers-libs-7.6-58.el6.x86_64 zlib-1.2.3-29.el6.x86_64
>> (gdb) bt
>> #0  strlcpy (dst=0x7ffaa64e00d0 "", src=0x5d73c6c7 <Address 0x5d73c6c7 out
>> of bounds>, len=1024) at xstrlcpy.c:65
>> #1  0x7ffaa5150c2e in proxy_adddest (dlist=0x7ffc5d73c288,
>> rcpt=0x7ffaa64d26d0 "si...@imap.bi.corp.invoca.ch", rcpt_num=0,
>> server=0x5d73c6c7 <Address 0x5d73c6c7 out of bounds>, authas=0x0) at
>> proxy.c:81
>
> here the bt is already in the wrong path and server has not been set,
> which leads to the SIGSEGV
>
>> #2  0x7ffaa514fbae in deliver (msgdata=0x7ffaa64d0950, authuser=0x0,
>> authstate=0x7ffc5d73c280) at lmtpd.c:749
>
> This is the point where the wrong path is taken.
>
>
> r = mlookup(namebuf, &server, NULL, NULL);
> if (!r && server) {
>     /* remote mailbox */
>     proxy_adddest(&dlist, rcpt, n, server, authuser);
>     status[n] = nosieve;
> }
>
> mlookup did return something that is not 0, and server has not been set
> in mlookup. In 2.4.17 there was "if (server) *server = NULL;"

Hi Michael,

Thanks a lot for pointing me into the right direction. Indeed attached
patch makes it work for me.

I don't know if this is the proper fix for the issue. Hopefully someone
who knows better than me can comment.

Regards,
Simon

--- cyrus-imapd-2.4.19/imap/lmtpd.c.orig	2017-05-15 07:43:30.0 +0200
+++ cyrus-imapd-2.4.19/imap/lmtpd.c	2017-05-20 08:36:47.629758869 +0200
@@ -392,6 +392,8 @@
 char *c;
 struct mboxlist_entry mbentry;
 
+if (server) *server = NULL;
+
 /* do a local lookup and kick the slave if necessary */
 r = mboxlist_lookup(name, , tid);
 if (r == IMAP_MAILBOX_NONEXISTENT && config_mupdate_server) {
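Review bot: Resetting `*server` on entry to mlookup is the right shape for this fix, because the caller in deliver() (`if (!r && server)`) reads its local `server` after every return path, and the value that reached proxy_adddest() and strlcpy() in the backtrace was whatever the stack slot held (0x5d73c6c7). Two follow-ups before this goes in: put a one-line comment on the new lines saying that NULL means "local mailbox", so the initialisation is not dropped again (it was present in 2.4.17 and missing in 2.4.19, per the discussion above), and confirm that no later path in mlookup assigns `*server` from an mbentry the lookup did not actually fill, since the hunk only shows the top of the function.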
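To make the failure mode Michael describes concrete, here is an added C example that is not Cyrus code: a lookup that writes its out-parameter only on the remote path, beside the patched shape that nulls it on entry, driven by a caller modelled on the deliver() snippet quoted above. The mailbox table and routing codes are constructed for the demo; the poisoned start value reuses the address from the backtrace to stand in for an uninitialised stack slot.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the mailbox list: name -> backend (NULL = local). */
struct entry { const char *name; const char *backend; };
static const struct entry table[] = {
    { "user.alice", NULL },               /* local mailbox */
    { "user.bob",   "backend2.example" }, /* remote mailbox, must be proxied */
};
#define NENT (sizeof table / sizeof table[0])

enum { LOOKUP_OK = 0, LOOKUP_NONEXISTENT = 1 };
enum { ROUTE_LOCAL = 0, ROUTE_PROXY = 1, ROUTE_ERROR = 2, ROUTE_GARBAGE = 3 };

/* Buggy shape: *server is assigned only when the mailbox is remote, so a
   local hit returns 0 and leaves the caller's variable exactly as it was. */
int lookup_buggy(const char *name, const char **server)
{
    for (size_t i = 0; i < NENT; i++) {
        if (strcmp(table[i].name, name) != 0) continue;
        if (table[i].backend && server) *server = table[i].backend;
        return LOOKUP_OK;
    }
    return LOOKUP_NONEXISTENT;
}

/* Fixed shape, the one-line change in the patch: define the out-parameter
   on entry so every return path, local hit included, leaves it meaningful. */
int lookup_fixed(const char *name, const char **server)
{
    if (server) *server = NULL;
    return lookup_buggy(name, server);
}

/* Mirrors the decision in deliver(): lookup succeeded and server non-NULL
   means "remote, hand it to proxy_adddest()". The poisoned start value
   stands in for an uninitialised stack slot (constructed for the demo). */
int route(int (*lookup)(const char *, const char **), const char *name)
{
    const char *garbage = (const char *)(uintptr_t)0x5d73c6c7u;
    const char *server = garbage;
    int r = lookup(name, &server);
    if (r != LOOKUP_OK) return ROUTE_ERROR;
    if (server == NULL) return ROUTE_LOCAL;
    /* The real caller would now strlcpy() from server; with the stale value
       that is the SIGSEGV in the backtrace. Report it instead of crashing. */
    return server == garbage ? ROUTE_GARBAGE : ROUTE_PROXY;
}
```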