Date: Fri, 17 Feb 2006 04:11:15 -0800
From: "Ted Mittelstaedt" <tedm@toybox.placo.com>
To: "Greg Groth" <ggroth99@hotmail.com>, <joe@netmusician.org>
Cc: freebsd-questions@freebsd.org
Subject: RE: Sendmail - IMAP-UW - Cyrus-SASL2 - SMTPAUTH problems
Message-ID: <LOBBIFDAGNMAMLGJJCKNIEGJFDAA.tedm@toybox.placo.com>
In-Reply-To: <BAY14-F21565646685AA52D1117BACE060@phx.gbl>
Hi Greg,

It is true there's a lot of software available but I have found over the years that a lot of the packages are good, and will work equally well on the back end. Most of the older ones have matured to the point that a rather common selection criterion is "I chose that because that's what all my friends are running".

You really won't know what works the best unless you try all of the packages, and nobody has the time for that. So what you have to do is just pick one based on whatever sketchy research you turn up and spend some time on it; after a few months you will know if it's going to work for you or not. Most times it will work OK for you, so your choice becomes one of which is better: knowing a few packages well, or a lot of packages not very well.

A hobbyist/amateur is better off knowing a lot of packages not very well, because their fun is in trying out new things and learning how different things are done. But a manager of a production system is in the other boat; they need to know a few packages very, very well. You need to be aware of which kind of person you're taking advice from.

IMHO RedHat isn't much good unless you go the full meal deal and buy a support contract from RedHat. If you are upgrading from old 7/9 RH and you want to keep the RH universe, and you don't want to buy into support, then go to CentOS.

Frankly I feel that one of the big problems with Linux right now is they are missing the boat on SATA RAID big time, and I mean really, really big time. Most server-quality motherboards these days come with RAID0/1 SATA chipsets, and disk drives are so cheap now that even people putting together little crummy servers are going mirrored SATA disks. But Linux has ignored this, claiming it's the responsibility of the manufacturers to write drivers, and most of them haven't.

The Linux people all seem to think it's perfectly OK to go buy an Intel motherboard with onboard ICH7R RAID and disable that and drop $200 into a 3ware RAID card and plug that into the motherboard if you have the nerve to run RAID on anything other than a Real SCSI RAID array. Fine, let them delude themselves; it just puts Linux further and further away from the server arena. Most Linux distros have terrible or nonexistent support for Promise RAID cards as well, once again, really short-sighted.

Anyway, getting back to your situation. We run SSL imap and pop3, with uw-imap. I recommend this route since it allows people to hit their mailbox with both pop3 and imap and not get a lot of funny messages about popping down the placeholder message. uw-imap used to have a problem with really big e-mails years ago; it would swap itself to death building the tempfiles. This was fixed years ago.

We run SMTP AUTH but we don't run SSL SMTP. Why? Because way too many customers out there still run elderly versions of e-mail clients that can't handle SSL SMTP. If I was doing up a mailserver for a corporation I might consider SSL SMTP, but frankly, I think the idea that someone's going to sniff your password is highly overrated. Most people set their e-mail clients up to permanently save the password, so there goes your security right out the window. And you're foolish if you let people use the same userID and password for the mailserver.

What I'm doing these days is setting up the users with full name userIDs. For example userID ted.mittelstaedt, password goglafrich. Or some such. The e-mail addy then becomes ted.mittelstaedt@example.com. Needless to say this userID is only present on the mailserver and nowhere else, same with the password. A cracker already can get the target's full name by calling the company's directory assistance line or off their business card, so they gain no new information item by breaking this userID. And these userIDs and passwords are too long to be susceptible to a spammer's dictionary attack. Particularly if the employee is popping the mail off the server, if the attacker gets the userID and password they are generally going to only be able to get a few pieces of mail out of the server.

You can argue it however you want, but today with ethernet switches being as cheap as they are, even a malevolent employee on a corporate network is going to have a hard time sniffing passwords on a decent net. Anything they do to convince the switches to stop being switches is going to bring the network to its knees and attract a lot of attention quick. I discount most of those scenarios as provable in the lab, but useless in real life.

In real life the preferred attack vector is to insert a keyboard logger on the user's desktop, which is ridiculously easy: all you have to do is wait for Microsoft's patch tuesday, reverse engineer the patches to see what they patched, and write a worm to take advantage of that hole, and drop a keyboard logger when it infects. That bypasses all the SSL horseshit, and if you want to get fancy you can scan the user's system for the outlook files and extract the saved password from outlook's ini files; it's not like Microsoft encrypts it or anything. The worm leaves a back door and you scan the internet looking for the back doors. You will find plenty to keep yourself busy. We see customers that have had this done to them almost every day. By contrast I've never once seen a customer with an employee who wasn't a network administrator that knew what a packet sniffer was and how to use it.

As far as WEP is concerned, the trade rags constantly claim how insecure it is and how easy it is to brute force crack and obtain keys. Once again, this is laboratory stuff; it's not visible in the real world. In the real world there are so many unsecured wireless networks in the average city that a cracker that turns on a wireless promiscuous sniffer is going to see 3-4 networks, 3/4 of which are wide open, no matter where they go. What incentive is there to crack? And that's just the people dumb enough to leave SSID broadcasting turned on.

Anyway, one last note for you. No matter what you use, just about all the instructions out there tell you to create a self-signed certificate for imap/ssl smtp/etc. Do not do this! The Microsoft e-mail clients can't handle this. What you want to do is create a root certificate, then create certificates for all your https servers, your secure imap and pop servers, your ssl smtp, you name it. Sign all of them with the root CA. Then, insert the root CA into the list of trusted root CAs in the Microsoft browser on the client, and from that point on the Microsoft clients don't think you are running self-signed certificates anymore and do not whine, bitch and complain, and you don't have to fumble around inserting a bunch of self-signed certificates for every little service you run into all your clients. That is for example how you get Outlook to speak SSL without paying Verisign. A lot of people fooling with self-signed certs have discovered to their dismay that only outlook express can have a self-signed cert installed; regular outlook from ms office cannot.
Ted

>-----Original Message-----
>From: Greg Groth [mailto:ggroth99@hotmail.com]
>Sent: Tuesday, February 14, 2006 8:14 AM
>To: tedm@toybox.placo.com; joe@netmusician.org
>Cc: freebsd-questions@freebsd.org
>Subject: RE: Sendmail - IMAP-UW - Cyrus-SASL2 - SMTPAUTH problems
>
>
>>From: "Ted Mittelstaedt" <tedm@toybox.placo.com>
>>To: "Joe Auty" <joe@netmusician.org>, "Kirk Davis" <Kirk.Davis@epsb.ca>
>>CC: "Greg Groth" <ggroth99@hotmail.com>, <freebsd-questions@freebsd.org>
>>Subject: RE: Sendmail - IMAP-UW - Cyrus-SASL2 - SMTPAUTH problems
>>Date: Tue, 14 Feb 2006 00:34:28 -0800
>>
>>I'm sure glad that this message didn't pass through my work mailserver so that it didn't see it, since my work e-mail inbox has >16383 messages in it (the limit that Outlook can display in IMAP mode) and is 412 megabytes in size, and performance is perfectly fine both with Outlook and Horde/IMP.
>>
>>I wouldn't want my mailserver reading it and thinking that it's OK to slack off.
>>
>>And yes I know I need to delete some messages; speak to the hand if you're going to make that crack.
>>
>>This is imap-uw/sendmail.
>>
>>Perhaps you might consider that since you haven't run imap-uw in a while that you're no longer qualified to make claims about it? Or perhaps you never had it set up properly? Or perhaps your hardware was slow?
>>
>>Nothing is wrong with Postfix / Courier-IMAP but nothing is wrong either with sendmail / uw-imap.
>>
>>Ted
>>
>> >-----Original Message-----
>> >From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Joe Auty
>> >Sent: Monday, February 13, 2006 1:53 PM
>> >To: Kirk Davis
>> >Cc: Greg Groth; freebsd-questions@freebsd.org
>> >Subject: Re: Sendmail - IMAP-UW - Cyrus-SASL2 - SMTPAUTH problems
>> >
>> >Hey Greg,
>> >
>> >Sorry if this completely throws a monkey wrench into your plans, but I feel inspired to interject since I once had a nearly identical setup as you...
>> >
>> >I switched to Postfix and Courier-IMAP since I found that performance of large mailboxes in IMAP-UW was pretty poor, especially over web-based email where messages are not cached. I switched to Postfix because it is so much more simple and straightforward than Sendmail. You should have no problems switching to Postfix, since it is basically Sendmail with a nicer wrapper/configuration.
>> >
>> >Just food for thought.
>
>I appreciate both of your comments; as I have stated I am new to BSD. Part of my problem is the huge amount of software available, and no good way to determine what will work better for my situation. Perhaps if I explain my situation, it would help some. We've been running Sendmail and a POP-Before-SMTP script for the last 6 years on a Redhat box. I think it started out on 5.2, and was up to 7.3 when it crashed 3 weeks ago. I had been planning to upgrade the server, and had a new box ready to go, but I had stalled on the OS. I didn't want to go down the Redhat route because of strictly personal issues that are more opinions than fact, and a friend suggested FreeBSD.
>
>The server crash pretty much forced my hand, and my goal was to replicate what we had in place ASAP. Because of my (limited) knowledge of Sendmail, I went that route as I know nothing of the alternatives. I went with IMAP-UW not because of anything I had read, but because I was attempting to get the POP-Before-SMTP port to work (which it didn't - long story), and IMAP-UW seemed a good alternative as it is a POP and IMAP server and was easily configured in POP-Before-SMTP.
>
>Since I could not find a POP-Before-SMTP solution that I could get to operate (I had problems with POP-Before-SMTP, and DRAC before throwing in the towel), I decided to switch to SMTP-AUTH. So here's my situation: we have about 25 users on the server. I need POP and IMAP that will operate with and without SSL, and SMTP that can handle SMTP-AUTH with and without SSL. Out of the 25 users, I have 3 that are email packrats, and have between 2-4 gigs of email apiece. They are currently using POP on Outlook Express, but will be switching over to IMAP on Thunderbird in the near future (I also have 5 users that I'm not sure what client they are using; we're hosting their domain - long story). Our office personnel will be migrating to IMAP, using SSL when out of the office, and plain text when in. The five users for whom we are hosting email will remain on POP, and although SSL would be nice, I want the ability to offer plain text in case I run into client issues. Similar circumstances for SMTP: I can relay by domain for users on our network, and would like to use SMTP-AUTH for off-site users. SSL preferred, but offer plain text in case of client issues. Last issue would be something that will play nice with SquirrelMail.
>
>Although I'm very familiar with administering Sendmail (starting, stopping, backing up, running makemaps), configuring is another story. While SMTP is pretty much running as stable as it ever has, I still have issues from time to time. For instance I am sending this from Hotmail as this list is currently bouncing email from my server because of some error I have not investigated yet. At this moment I am pretty much open to anything, but I don't have a good way of evaluating different options other than trial and error (and I'm kind of short on time). I know that a lot of times it comes down to personal taste (my reason for dumping Redhat), but sometimes there are specific issues that will make a certain solution better than others. Based off of my stated needs and my current issues (Sendmail configuration), is there a better solution, or is what I have now pretty much the same as other alternatives for my specific needs?
>
>Thank you both for your attention to this matter.
>
>Greg Groth
>
>> >On Feb 13, 2006, at 4:25 PM, Kirk Davis wrote:
>> >
>> >> Hi Greg,
>> >>
>> >>> I'm trying to set up a FreeBSD 6.0 box as a mail server, and while everything seems to be working OK for the most part, I have run into two issues that I cannot resolve (I'm new to BSD, please bear with me). Install went as follows: Installed via FTP last night along with "src - Sources for everything",
>> >>>
>> >>> IMAP-UW was compiled via ports with WITH_SSL_AND_PLAINTEXT enabled (same for cclient), OpenSSL, Cyrus-SASL2 & Cyrus-SASL2-saslauthd were compiled via ports with no flags.
>> >>>
>> >>> Sendmail was installed with the base install and recompiled (after SASL2 was up and running) with the following options added to make.conf:
>> >>>
>> >>> # SASL (cyrus-sasl v2) sendmail build flags...
>> >>> SENDMAIL_CFLAGS=-I/usr/local/include -DSASL=2
>> >>> SENDMAIL_LDFLAGS=-L/usr/local/lib
>> >>> SENDMAIL_LDADD=-lsasl2
>> >>> # Adding to enable alternate port (smtps) for sendmail...
>> >>> SENDMAIL_CFLAGS+= -D_FFR_SMTP_SSL
>> >>>
>> >>> I followed the instructions I found at http://www.bsdconspiracy.net/howto/sendmail.html, and had no problems with the install except for Sendmail.
>> >>> After recompiling sendmail, I added the following lines to the mail.server.mc file:
>> >>>
>> >>> define(`confAUTH_MECHANISMS',`PLAIN LOGIN')dnl
>> >>> TRUST_AUTH_MECH(`PLAIN LOGIN')dnl
>> >>> define(`CERT_DIR', `/etc/mail/certs')dnl
>> >>> define(`confCACERT_PATH', `CERT_DIR')dnl
>> >>> define(`confCACERT', `CERT_DIR/mycert.pem')dnl
>> >>> define(`confSERVER_CERT', `CERT_DIR/mycert.pem')dnl
>> >>> define(`confSERVER_KEY', `CERT_DIR/mykey.pem')dnl
>> >>> define(`confCLIENT_CERT', `CERT_DIR/mycert.pem')dnl
>> >>> define(`confCLIENT_KEY', `CERT_DIR/mykey.pem')dnl
>> >>> DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
>> >>
>> >> This is your problem. The above line sets up the Sendmail daemon to listen on port 25, but the standard mc file distributed with FreeBSD also sets up a DAEMON port (it's at the end of the MC file).
>> >>
>> >> Here is what my DAEMON_OPTIONS lines look like. These should be the only DAEMON_OPTIONS lines in the mc file.
>> >>
>> >> dnl Enable for both IPv4 and IPv6 (optional)
>> >> DAEMON_OPTIONS(`Name=IPv4, Family=inet')
>> >> DAEMON_OPTIONS(`Name=IPv6, Family=inet6, Modifiers=O')
>> >> DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
>> >>
>> >>
>> >>> DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
>> >>>
>> >>> After running (in /etc/mail) "make clean", "make cf", "make install", "make restart", SMTP no longer works, and I find the following in maillog and messages:
>> >>>
>> >>> Feb 12 20:25:55 mail sm-mta[1213]: daemon IPv4: problem creating SMTP socket
>> >>> Feb 12 20:26:00 mail sm-mta[1213]: NOQUEUE: SYSERR(root): opendaemonsocket: daemon IPv4: cannot bind: Address already in use
>> >>>
>> >>> When I try and stop sendmail, I get a message that the pid for Sendmail cannot be found. I end up killing the missing Sendmail daemon using KSysGuard.
>> >>>
>> >>> If I remove this line - "DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl" - from the mail.server.mc file, make cf, make install, make restart, sendmail starts normally. When trying to access from another machine on my network, I can only connect on port 25 without a secure connection (I'm using Thunderbird for this), although SMTP-AUTH is working correctly.
>> >>
>> >> Have you tried to set up your mail client to connect to port 465? This is the smtps (SMTP SSL) port.
>> >>
>> >>
>> >>> Any ideas on what I might need to do to get SSL / SMTP-AUTH working on SMTP? I took a look at the instructions in the handbook, but they were written for SASL1. Running netstat shows smtps listening on 465, but when I try to telnet to that port, the server drops the connection.
>> >>
>> >> Hmm... It should connect but you will not see anything since it is expecting an SSL connection.
>> >>
>> >>> My second problem is rather simple: after I create an IMAP folder, I am unable to delete it using a remote client. Thunderbird responds with "The mail server responded: RENAME failed: Can't create mailbox node /home/User/Trash/: File exists." Nothing shows up in any of the server logs though.
>> >>
>> >> I have not seen this problem although I have it set up for an office of Outlook users. I would check the permissions on the folders in the user home directory. This is where the IMAP user folders are by default. I usually set up the clients to use the base imap if Mail and then create a Mail directory in the user home directory. That way the mail folders don't get messed up with the user stuff.
>> >>
>> >>> Hopefully this is the right list for these questions; if not, could someone please direct me to the correct one? Any advice anyone can give me on either of these problems would be greatly appreciated.
>> >>>
>> >>
>> >> ---- Kirk
>> >> Kirk Davis
>> >> Senior Network Analyst, ITS
>> >> Edmonton Public Schools
>> >> 1-780-429-8308
>> >> _______________________________________________
>> >> freebsd-questions@freebsd.org mailing list
>> >> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> >> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>> >
>> >--
>> >No virus found in this incoming message.
>> >Checked by AVG Free Edition.
>> >Version: 7.1.375 / Virus Database: 267.15.6/258 - Release Date: 2/13/2006
>
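The "cannot bind: Address already in use" failure quoted above came from two DAEMON_OPTIONS lines binding the same port: the hand-added `Port=smtp` line and FreeBSD's stock `Name=IPv4` line, which defaults to port smtp. As an added example, not code from anyone in the thread, here is a POSIX shell check that lists the port/family pair each active DAEMON_OPTIONS line in a sendmail .mc file binds (Port defaults to smtp and Family to inet when omitted, per sendmail's DaemonPortOptions defaults) and reports any pair bound more than once; the sample .mc it writes is constructed to mirror the poster's file.

```shell
#!/bin/sh
# Added example (not from the thread): flag DAEMON_OPTIONS lines in a
# sendmail .mc file that bind the same port/family twice. Two such lines
# produce sendmail's "cannot bind: Address already in use" at startup.

# Print one "port family" pair per active DAEMON_OPTIONS line in file $1.
# Lines that start with dnl are m4 comments and are skipped.
# sendmail defaults: Port=smtp and Family=inet when the option is absent.
list_daemon_bindings() {
  grep -v '^[[:space:]]*dnl' "$1" | grep 'DAEMON_OPTIONS(' |
  while IFS= read -r line; do
    port=$(printf '%s\n' "$line" | sed -n 's/.*Port=\([A-Za-z0-9]*\).*/\1/p')
    family=$(printf '%s\n' "$line" | sed -n 's/.*Family=\([A-Za-z0-9]*\).*/\1/p')
    printf '%s %s\n' "${port:-smtp}" "${family:-inet}"
  done
}

# Report every port/family pair bound more than once; prints nothing
# when the file is clean, so the output can be used as a pass/fail signal.
check_daemon_options() {
  list_daemon_bindings "$1" | sort | uniq -c |
  awk '$1 > 1 { printf "DUPLICATE: port %s family %s bound %d times\n", $2, $3, $1 }'
}

# Constructed sample (not the poster's real file): the extra Port=smtp line
# plus FreeBSD's stock IPv4/IPv6 lines, which is what produced the error.
write_sample_mc() {
  cat > "$1" <<'EOF'
define(`confAUTH_MECHANISMS',`PLAIN LOGIN')dnl
TRUST_AUTH_MECH(`PLAIN LOGIN')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
dnl Enable for both IPv4 and IPv6 (optional)
DAEMON_OPTIONS(`Name=IPv4, Family=inet')
DAEMON_OPTIONS(`Name=IPv6, Family=inet6, Modifiers=O')
EOF
}

# Demo: write the sample and run the check against it.
sample=$(mktemp)
write_sample_mc "$sample"
check_daemon_options "$sample"
rm -f "$sample"
```

Run it against /etc/mail/<host>.mc before `make cf`; an empty result means every listener has a distinct port/family pair.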
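Ted's closing advice (one private root CA, one CA-signed certificate per service, only the root installed in clients), as an added example that is not code from the thread: a POSIX shell script using the openssl command line that builds the root, issues CA-signed service certificates, and shows that a stand-alone self-signed certificate fails the same client-side check. Host names and the working directory are placeholders; it assumes OpenSSL 1.1.1 or newer for `-addext`.

```shell
#!/bin/sh
# Added example, not code from the thread: a private root CA that signs one
# certificate per service, so a client that trusts only the root accepts all
# of them, while a separately self-signed service cert is rejected.
set -e

# Create the root CA key and self-signed CA certificate in directory $1.
# basicConstraints is set explicitly so the root is a valid issuer.
make_root_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Private Root CA" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Issue a certificate for host $2, signed by the root CA in $1.
# A subjectAltName is attached because modern clients ignore the CN alone.
issue_service_cert() {
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$2" > "$1/$2.ext"
  openssl x509 -req -days 825 -sha256 -in "$1/$2.csr" \
    -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
    -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
}

# The pattern the message warns against: a stand-alone self-signed cert
# for host $2 in $1, unrelated to the root CA.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 825 \
    -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# Client-side check: does $1/$2.crt chain to the root in $1/ca.crt?
# Echoes OK or FAIL.
verify_against_root() {
  if openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# Demo: one root, two CA-signed services, one stray self-signed cert.
if command -v openssl >/dev/null 2>&1; then
  dir=$(mktemp -d)
  make_root_ca "$dir"
  for host in mail.example.com imap.example.com; do
    issue_service_cert "$dir" "$host"
    echo "$host (CA-signed): $(verify_against_root "$dir" "$host")"
  done
  make_self_signed "$dir" pop.example.com
  echo "pop.example.com (self-signed): $(verify_against_root "$dir" pop.example.com)"
  rm -rf "$dir"
else
  echo "openssl not found; skipping demo" >&2
fi
```

Installing ca.crt (never ca.key) in the client's trusted-root store is the only per-client step; each new service cert issued from the same root is accepted without further prompts.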