On Monday, 20.07.2015, 03:21 +0200, Marcus Schopen wrote:
> Hi,
>
> I'm trying to deliver mails via lmtp/tcp from sendmail to cyrus running
> on another machine.
>
> sendmail.mc:
> --------------
> define(`confLOCAL_MAILER', `cyrusv2')dnl
> define(`CYRUSV2_MAILER_ARGS', `TCP imap.domain.de 2003')dnl
> --------------
>
> Without an authentication line in /etc/mail/access
>
> --------------
> AuthInfo:imap.domain.de "I:lmtp-admin" "P:pass" "M:DIGEST-MD5"
> --------------
>
> I'm getting the following error:
>
> --------------
> Jul 20 02:19:01 mail sendmail[5368]: t6K0GIKP005234:
> to=<postmaster@xxxxxxxxx>, delay=00:02:43, xdelay=00:00:03,
> mailer=cyrusv2, pri=211679, relay=imap.domain.de. [xx.xx.xx.xx],
> dsn=4.0.0, stat=Deferred: 430 Authentication required
> --------------
>
> This is correct. After adding AuthInfo to /etc/mail/access and adding
> lmtp-admin to sasldb2 on the cyrus side, mails are delivered via lmtp to
> cyrus with proper authentication. Good.
>
> But after setting tls_cert_file and tls_key_file in imapd.conf to get an
> encrypted connection, the lmtp authentication is completely ignored and
> mails are going through even without any AuthInfo in /etc/mail/access:
>
> cyrus log:
> --------------
> Jul 20 03:08:06 imap cyrus/lmtp[3875]: accepted connection
> Jul 20 03:08:06 imap cyrus/lmtp[3875]: connection from [xx.xx.xx.xx]
> Jul 20 03:08:06 imap cyrus/lmtp[3875]: imapd:Loading hard-coded DH
> parameters
> Jul 20 03:08:06 imap cyrus/lmtp[3875]: SSL_accept() incomplete -> wait
> Jul 20 03:08:06 imap cyrus/lmtp[3875]: Doing a peer verify
> Jul 20 03:08:06 cyrus/lmtp[3875]: last message repeated 2 times
> Jul 20 03:08:06 imap cyrus/lmtp[3875]: SSL_accept() incomplete -> wait
> Jul 20 03:08:06 imap cyrus/lmtp[3875]: SSL_accept() succeeded -> done
> Jul 20 03:08:06 imap cyrus/lmtp[3875]: received client certificate
> Jul 20 03:08:06 imap cyrus/lmtp[3875]: subject=/CN=server.domain.de
> Jul 20 03:08:06 imap cyrus/lmtp[3875]: starttls: TLSv1.2 with cipher
> DHE-RSA-AES256-SHA (256/256 bits new) authenticated as server.domain.de
> Jul 20 03:08:06 imap cyrus/lmtp[3875]: duplicate_check:
> <201507200108.t6K185oV005737@xxxxxxxxxxxxxx> user.test Mon,
> 20 Jul 2015 03:08:05 +0200 0
> Jul 20 03:08:06 imap cyrus/lmtp[3875]: Delivered:
> <201507200108.t6K185oV005737@xxxxxxxxxxxxxx> to mailbox: user.test
> Jul 20 03:08:06 imap cyrus/lmtp[3875]: duplicate_mark:
> <201507200108.t6K185oV005737@xxxxxxxxxxxxxx> user.test Mon,
> 20 Jul 2015 03:08:05 +0200 1437354486 48
> Jul 20 03:08:06 imap cyrus/lmtp[3875]: USAGE test user: 0.033640 sys:
> 0.005606
> --------------
>
> /etc/imapd.conf:
> --------------
> configdirectory: /var/lib/cyrus
> proc_path: /run/cyrus/proc
> mboxname_lockpath: /run/cyrus/lock
> defaultpartition: default
> partition-default: /var/spool/cyrus/mail
> partition-news: /var/spool/cyrus/news
> newsspool: /var/spool/news
> altnamespace: no
> unixhierarchysep: no
> lmtp_downcase_rcpt: yes
> admins: cyrus
> lmtp_admins: lmtp-admin
> allowanonymouslogin: no
> popminpoll: 1
> autocreatequota: 0
> umask: 077
> sieveusehomedir: false
> sievedir: /var/spool/sieve
> hashimapspool: true
> allowplaintext: yes
> sasl_minimum_layer: 0
> sasl_pwcheck_method: auxprop
> sasl_auto_transition: no
> tls_cert_file: /etc/ssl/domain/imap.crt
> tls_key_file: /etc/ssl/domain/imap.key
> tls_ca_file: /etc/ssl/domain/cacert_org-class3.crt
> tls_ca_path: /etc/ssl/certs
> tls_session_timeout: 1440
> tls_cipher_list: TLSv1+HIGH:!aNULL:@STRENGTH
> lmtpsocket: /var/run/cyrus/socket/lmtp
> idlesocket: /var/run/cyrus/socket/idle
> notifysocket: /var/run/cyrus/socket/notify
> syslog_prefix: cyrus
> --------------
>
> cyrus.conf:
> -------------
> lmtp cmd="lmtpd" listen="2003" prefork=4 maxchild=20
> lmtpunix cmd="lmtpd" listen="/var/run/cyrus/socket/lmtp" prefork=0
> maxchild=20
> -------------
>
> Any ideas?

Setting lmtp_tls_cert_file and lmtp_tls_key_file to "disabled" activates
lmtp authentication again. But how do I force lmtp authentication with
lmtp_tls enabled? Seems to me like a security problem, if lmtp with
enabled tls accepts connections from everywhere?! The only way I see to
get more security is an lmtp connection between sendmail and cyrus over
e.g. openvpn or a hosts.allow/deny or iptables configuration with
lmtp_tls enabled.

Ciao
Marcus

----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
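The cyrus log quoted in the message shows where the identity for that delivery came from: the `starttls:` line ends with `authenticated as server.domain.de`, the name lmtpd took from the verified client certificate (`subject=/CN=server.domain.de`), and no SASL login appears before `Delivered:`. The script below is an added example, not code from the thread or from the Cyrus project. It groups cyrus/lmtp syslog lines by process id and reports, for every delivery, whether the session's identity was taken from a TLS client certificate or whether the log recorded no identity at all, so an administrator can check from logs which deliveries were accepted on the strength of a certificate rather than a SASL login. Session 3875 is copied from the message (redactions kept as they appear there); session 4102, and the assumption that lmtpd writes `no authentication` on the `starttls:` line when no certificate identity exists, are constructed for this example; the parser does not depend on that wording, it only looks for the `authenticated as` form.

```python
import re

# Sample cyrus/lmtp syslog lines. Session 3875 is copied from the log in
# the message above (redactions kept as they appear there); session 4102
# and its "no authentication" wording are constructed for this example
# and ASSUME lmtpd logs that phrase when no client certificate identity
# was established.
SAMPLE_LOG = """\
Jul 20 03:08:06 imap cyrus/lmtp[3875]: accepted connection
Jul 20 03:08:06 imap cyrus/lmtp[3875]: connection from [xx.xx.xx.xx]
Jul 20 03:08:06 imap cyrus/lmtp[3875]: Doing a peer verify
Jul 20 03:08:06 cyrus/lmtp[3875]: last message repeated 2 times
Jul 20 03:08:06 imap cyrus/lmtp[3875]: SSL_accept() succeeded -> done
Jul 20 03:08:06 imap cyrus/lmtp[3875]: received client certificate
Jul 20 03:08:06 imap cyrus/lmtp[3875]: subject=/CN=server.domain.de
Jul 20 03:08:06 imap cyrus/lmtp[3875]: starttls: TLSv1.2 with cipher DHE-RSA-AES256-SHA (256/256 bits new) authenticated as server.domain.de
Jul 20 03:08:06 imap cyrus/lmtp[3875]: Delivered: <201507200108.t6K185oV005737@xxxxxxxxxxxxxx> to mailbox: user.test
Jul 20 03:09:12 imap cyrus/lmtp[4102]: accepted connection
Jul 20 03:09:12 imap cyrus/lmtp[4102]: connection from [198.51.100.7]
Jul 20 03:09:12 imap cyrus/lmtp[4102]: SSL_accept() succeeded -> done
Jul 20 03:09:12 imap cyrus/lmtp[4102]: starttls: TLSv1.2 with cipher DHE-RSA-AES256-SHA (256/256 bits new) no authentication
Jul 20 03:09:12 imap cyrus/lmtp[4102]: Delivered: <20150720010912.constructed@example.org> to mailbox: user.test
"""

# One syslog line from lmtpd: timestamp, host, "cyrus/lmtp[pid]: message".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"cyrus/lmtp\[(?P<pid>\d+)\]: (?P<msg>.*)$")
PEER_RE = re.compile(r"^connection from \[(?P<peer>[^\]]+)\]")
SUBJECT_RE = re.compile(r"^subject=(?P<subject>.+)$")
# The identity Cyrus took from a verified client certificate is appended to
# the starttls line as "authenticated as <name>"; the group is optional so
# sessions without a certificate identity still parse.
STARTTLS_RE = re.compile(
    r"^starttls: (?P<proto>\S+) with cipher (?P<cipher>\S+) "
    r"\((?P<bits>[^)]*)\)(?: authenticated as (?P<authid>\S+))?")
DELIVERED_RE = re.compile(
    r"^Delivered: (?P<msgid><[^>]+>) to mailbox: (?P<mailbox>\S+)")


def parse_sessions(log_text):
    """Group lmtpd log lines by process id into per-session records."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # e.g. "last message repeated N times" lacks the host field
        pid = int(m.group("pid"))
        msg = m.group("msg")
        s = sessions.setdefault(pid, {
            "pid": pid, "peer": None, "tls_protocol": None, "cipher": None,
            "cert_subject": None, "cert_authid": None, "deliveries": [],
        })
        pm = PEER_RE.match(msg)
        sm = SUBJECT_RE.match(msg)
        tm = STARTTLS_RE.match(msg)
        dm = DELIVERED_RE.match(msg)
        if pm:
            s["peer"] = pm.group("peer")
        elif sm:
            s["cert_subject"] = sm.group("subject")
        elif tm:
            s["tls_protocol"] = tm.group("proto")
            s["cipher"] = tm.group("cipher")
            s["cert_authid"] = tm.group("authid")  # None when no cert identity
        elif dm:
            s["deliveries"].append((dm.group("msgid"), dm.group("mailbox")))
    return list(sessions.values())


def audit_deliveries(sessions):
    """Report, per delivery, which identity the session carried.

    source is "tls-cert" when the starttls line recorded an identity taken
    from the client certificate, and "none" when the log shows no identity
    at all for that session.
    """
    report = []
    for s in sessions:
        source = "tls-cert" if s["cert_authid"] else "none"
        for msgid, mailbox in s["deliveries"]:
            report.append({
                "pid": s["pid"], "peer": s["peer"], "source": source,
                "identity": s["cert_authid"], "cert_subject": s["cert_subject"],
                "msgid": msgid, "mailbox": mailbox,
            })
    return report


if __name__ == "__main__":
    for entry in audit_deliveries(parse_sessions(SAMPLE_LOG)):
        print("pid=%(pid)d peer=%(peer)s source=%(source)s identity=%(identity)s "
              "mailbox=%(mailbox)s msgid=%(msgid)s" % entry)
```

Run against a real log, every delivery whose source is `tls-cert` was accepted because lmtpd trusted the presented certificate, which is exactly the case the message describes: the `AuthInfo` credentials in `/etc/mail/access` never came into play. Deliveries with source `none` deserve the same attention, since they show a session that delivered mail without any identity appearing in the log.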