/var/log/console.log, and looky that, there are imap and pop3 errors! I guess I wasn't thinking real clearly yesterday to not check the logs. Also of course, check
Jan 15 21:02:28 pedicel kernel: Jan 15 21:02:28 pedicel pop3: [pop3d] error initializing TLS
Jan 15 21:02:28 pedicel kernel: Jan 15 21:02:28 pedicel imaps: unable to get certificate from '[path omitted]
Jan 15 21:02:28 pedicel kernel: Jan 15 21:02:28 pedicel imaps: TLS server engine: cannot load cert/key data, may be a cert/key mismatch?
When I changed this over to the new cert, I got mildly useful log errors similar to the above. It helpfully says "may be a cert/key mismatch?" which is totally misleading: it was actually a simple unix filesystem permissions problem. To determine this, I temporarily made the cert and key file world readable. Everything started working, yay! So I then changed it to group readable, and added cyrus to the mail group in /etc/group. Note! At this writing, this does not fix it - I have no explanation why adding cyrus to the mail group does not work - at this time the damn key file remains world-readable as I don't have time to mess with it.
Oh, and to find out what user a daemon is running as, do
I have cyrus/sasl installed and running. I am set up in Thunderbird and am able to access mailboxes, but ONLY VIA POP3. I have not configured a cyrus account, or created the individual accounts. I have added the accounts with saslpasswd2. This is enough for POP3, but is not enough for IMAP. The symptoms are that when trying to set up an imap mail account, Thunderbird will pop up a notification something to the effect of "no such mailbox". Yet POP3 works just fine.
Now go to a writeup on how to make IMAP work, and you'll find you must do some more: Setting up Cyrus IMAP Server - FreeBSD at pbdigital.org.
Define password for cyrus account:
[new passwd twice]
While you're at it, define password for additional accounts using same method as above.
Create cyrus admin account:
cyradm -u cyrus [your server]
You may start bumping into permissions problems - note that these are not standard unix file permissions - here's a helpful page: lrswipkxtecda in Cyrus at serverfault.com.
Create that user's mailbox in IMAP world:
Add any other users using same method.
Doing the above simply gave me a "permission denied" error. I fixed this by going back into the config file and uncommenting the "admins" line, giving it the value "cyrus".
Start rant here: I'm still really annoyed at how much extra crap has to be done for each user. I should not have to add each user to sasl for access, and I should not have to add them each to imap. I thought I had configured sasl to work directly off the users in passwd - evidently not. End rant.
OTP unavailable because can't read/write key database /etc/opiekeys: permission denied
In /usr/ports/security/cyrus-sasl2, do a make config and deselect the OTP option. You may have to monkey around with make deinstall, then make install. This seems to have fixed this problem.
In maillog I've been seeing:
sm-mta: STARTTLS=client: file[path hidden]/ov_chain.txt unsafe: Permission denied
sendmail is lying to you. This is not the actual path being handed to the file open call. This is the path called out in the config file, which is then concatenated with another config parm. Specifically:
define(`CERT_DIR', `[path hidden]
is joined with CACERT_PATH to create a full path to the file. When there is an error, it does not display the actual path it was trying to open (which would have made the problem immediately obvious), but instead simply displays the value of one of the two parms. LAME!
Oh, and lastly, the cert dir permissions are owner=root, group=mail, world=no access. I had added mailnull and others to group mail, but it seems those are unnecessary. (See above 2023016 - you do want to add "cyrus" to the "mail" group.)
imap: IDLE: error sending message INIT to idled for mailbox user.xxxxxxxxx: No such file or directory. Falling back to polling every 60 seconds
idled was running. Check that /usr/local/etc/cyrus.conf has the line:
I ran service saslauthd restart, but it did not start the idled daemon. I then just rebooted the server and it did start up, so I am not sure what needed to be restarted to make this happen.
Been having a helluva time getting customers to be able to send through my server. Finally got it working; here's some of the details, who knows which parts are needed.
Just setting pswd for their username alone is not sufficient, you'll simply get bad password errors when trying to send.
Their Thunderbird SMTP settings should be:
Server Name: smtp.[customer-domain]
Connection security: STARTTLS
Authentication method: Normal password
User Name: [customer-username]
No domain on username.
kernel: sonewconn: pcb 0x275fad94: Listen queue overflow: 16 already in queue awaiting acceptance (2 occurrences)
/boot/loader.conf -- the above command always showed the default of 128.) I tried setting it on the running system with:
rc.conf. Doing a ps ax | grep cyrus, I determined that the actual executable is 'master'.
/etc/mail/access as rejects, but it hasn't made any difference to them; they're not checking their error return and giving up even though they're now getting "access denied" instead of "unknown user/pswd". In the future I'll get around to getting 'ipfw' working again, and add 'fail2ban'.
Mar 9 11:04:11 rachis sm-mta: STARTTLS=client: file[path omitted for security].key unsafe: Group readable file
BTW: We need the file group-readable as we are sharing it with imap/cyrus and with Apache.
I was getting the following in
Mar 7 11:59:19 rachis kernel: Mar 7 11:59:19 rachis imaps: imaps: required OpenSSL options not present
Mar 7 11:59:19 rachis kernel: Mar 7 11:59:19 rachis imaps: Fatal error: imaps: required OpenSSL options not present
Mar 7 11:59:19 rachis kernel: Mar 7 11:59:19 rachis master: process type:SERVICE name:imaps path:/usr/local/cyrus/libexec/imapd age:0.063s pid:2696 exited, status 75
This is expected, as I have pop3s enabled. Now it's time to actually get TLS working...
I set the following in imapd.conf:
tls_server_cert: [same as .mc file]
tls_server_key: [same as .mc file]
tls_server_ca_file: [same as .mc file]
tls_server_ca_dir: [same as .mc file]
After service imapd restart, now in console.log I'm getting:
unable to get certificate from '[path omitted for security]'
unable to get private key from '[path omitted for security]'
I double-checked my pathnames; they were correct. I checked the directory permissions for the certs; they're fairly tight - this is enforced by sendmail. Just to find out if this could be the problem, I noted the file permissions on the cert file and cert key file (they were 640), changed them to 644 (world read), then did a restart. Now no error in the log, and the client allows me to set TLS, yay! So the problem is indeed file permissions. chmod back to 640. To fix this I just had to add user cyrus to the mail group.
And in the cert dir:
chgrp mail [the 4 files called out above in imapd.conf]
Note that it did not bitch when I neglected to make the 'ca file' accessible, so this may not be used - I've chgrp'ed it too in order to avoid possible unseen future problems.
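Both the earlier cert/key note (the "may be a cert/key mismatch?" message) and this one came down to plain unix file permissions, settled by hand with chmod 644. The following is an added example, not part of the original notes, that answers the same question directly: can the daemon account read the cert and key files at all? It reads owner, group and mode with stat (GNU syntax first, then BSD syntax so it also runs on FreeBSD) and the account's group list with id, then applies the owner/group/other read bits. The account name cyrus and the group name mail come from the notes; the file paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the original notes): decide from unix permissions
# whether a daemon account can read a cert/key file, which Cyrus reports only
# as "cannot load cert/key data, may be a cert/key mismatch?".
# Usage: sh certperm.sh /path/to/server.key cyrus   (paths are placeholders)

# read_allowed MODE OWNER GROUP USER "GROUPS..."
# MODE is octal as printed by stat (640 or 0640); GROUPS is the space-separated
# list of groups USER belongs to, as printed by `id -Gn USER` (may be empty).
# Returns 0 when USER may read the file, 1 otherwise.
read_allowed() {
    mode=$1 owner=$2 group=$3 user=$4 groups=$5
    # keep only the three permission digits (drop a leading setuid/sticky digit)
    while [ ${#mode} -gt 3 ]; do mode=${mode#?}; done
    o=${mode%??}; g=${mode#?}; g=${g%?}; w=${mode#??}
    # owner bits apply first, then group bits if USER is in GROUP, else other
    if [ "$user" = "$owner" ]; then
        [ $(( o & 4 )) -ne 0 ]; return
    fi
    for grp in $groups; do
        if [ "$grp" = "$group" ]; then
            [ $(( g & 4 )) -ne 0 ]; return
        fi
    done
    [ $(( w & 4 )) -ne 0 ]
}

# check_file_read FILE USER: gather mode/owner/group with stat (GNU syntax,
# then BSD syntax) and USER's groups with id, report, and return 0 if
# readable, 1 if not, 2 if the file cannot be stat'ed.
check_file_read() {
    f=$1 u=$2
    info=$(stat -c '%a %U %G' "$f" 2>/dev/null || stat -f '%Lp %Su %Sg' "$f") || return 2
    set -- $info
    if read_allowed "$1" "$2" "$3" "$u" "$(id -Gn "$u" 2>/dev/null)"; then
        echo "ok:   $u can read $f (mode $1, $2:$3)"
    else
        echo "FAIL: $u cannot read $f (mode $1, $2:$3): add $u to group $3, or chgrp $3 $f"
        return 1
    fi
}

# Run the check for each cert/key path given on the command line, e.g.
#   sh certperm.sh /path/to/server.crt /path/to/server.key cyrus
if [ $# -ge 2 ]; then
    user=$1; shift
    for path in "$@"; do check_file_read "$path" "$user"; done
fi
```

Run it as the user that launches the daemon (root) so stat and id can see everything; a FAIL line for the key file is exactly the condition the log described as a cert/key mismatch, and the fix is the chgrp mail plus group membership used above rather than making the key world-readable.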
pkg install cyrus-imap30
Edit /usr/local/etc/imap.conf, leave most stuff as default, and make the following changes:
loginrealms: [all your domains that read email via pop3/imap]
admins: cyrus   (see above 20230115)
sasl_pwcheck_method: auxprop saslauthd
sasl_mech_list: cram-md5 digest-md5
service imapd start
By adding it, there's now a message in the log that indicates this is not a valid option, and it proceeds to list all the valid options, yay!
But again, of course, none of the remaining options seem to be related to my current problems, namely:
Client address "22.214.171.124" not listed for its host name "no-reverse-dns-configured.com"
firstname.lastname@example.org at 126.96.36.199 (188.8.131.52): -ERR [AUTH] Password supplied for "email@example.com" is incorrect.
Both of these errors are of absolutely no use to me, in both cases it's just another bullshit dictionary attack that I can do nothing about - I simply don't even want to hear about it.
Skip popper, use imap. Yeah, I know, some old customers are too difficult to move to imap...
Sorry, I did not document my original install of popper (I used qpopper for some reason, now lost to time), and imap.
I'm getting logspam from qpopper and imap. Starting to document the attempts here to reduce the problem.
If you don't have it already, you may want to find a sample imapd.conf file from the ports tree and make changes, or simply add the following to a new file:
I don't know yet if this works, but I wanted to document so I wouldn't forget it.
qpopper is incredibly noisy, constantly jamming your syslog full of logspam. The problem with this is that it's basically a silent DoS attack. Each day I get emails from the system to alert me of problems, but I don't see real problems due to the tens of thousands of lines of bogus email login attempts. There's nothing I can do about it; there are creeps all over the planet constantly trying to get in - that's just the way things are. Yes, I should be worried, but the only thing I could do would be to block by IP address, which is constantly changing. Nope - just disable these error messages so you can see the rest of the log.
# 20181206 MikeL
# config file for qpopper
set debug = false
set statistics = false
set reverse-lookup = false
set log-facility = mail
Note that the first 3 set lines get rid of specific errors; the last line simply says to put qpopper output into /var/log/maillog, which is already so obscenely noisy that a little bit more won't matter.
qpopper: zzzz at zzz.zzz.zzz.zzz (zzz.zzz.zzz.zzz): -ERR [SYS/TEMP] POP authentication DB not available (user zzzz): No such file or directory (2)
Stats: zzz 2 5731 0 0 zzzz.domain.com zzz.zzz.zzz.zzz
This is eliminated by the statistics line.
I'm not sure if debug=false is helping.
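The pop3 -ERR [AUTH] and "Client address ... not listed" lines quoted earlier and the qpopper lines here are the same problem: a flood of failed logins burying the one line that matters. As an added example, not part of the original notes, the following folds that noise into a per-address tally while passing every other line through unchanged, so a real error (the OpenSSL or certificate messages from these notes, or qpopper's "authentication DB not available") stays visible and the attack volume is still recorded instead of thrown away. The sample lines are constructed to mimic the formats quoted in these notes; the hostnames and addresses are made up, and the script is not specific to qpopper or cyrus.

```shell
#!/bin/sh
# Added example (not from the original notes): read maillog/console.log on
# stdin, count known brute-force login failures per client address, and
# print everything else untouched. Needs only sh and awk.

# tally_maillog: filter on stdin. Lines matching the two auth-failure
# patterns seen in these notes are counted (per address) and dropped; all
# other lines are printed as-is; a "noise:" summary follows at the end.
tally_maillog() {
    awk '
    # known brute-force signatures: count per client address, do not print
    /-ERR \[AUTH\] Password supplied for/ || /not listed for its host name/ {
        ip = "unknown"
        # address is either "(a.b.c.d)" after "at host" or quoted "a.b.c.d"
        if (match($0, /\([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\)/) ||
            match($0, /"[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+"/))
            ip = substr($0, RSTART + 1, RLENGTH - 2)
        noise[ip]++; total++
        next
    }
    # everything else (real errors, TLS/cert problems, ...) passes through
    { print }
    END {
        for (ip in noise)
            printf "noise: %6d auth failures from %s\n", noise[ip], ip
        if (total > 0)
            printf "noise: %d lines folded\n", total
    }'
}

# Constructed sample input shaped like the log lines quoted in these notes
# (hostname, users and 203.0.113.x / 198.51.100.x addresses are made up).
SAMPLE_LOG='Mar 7 11:59:19 rachis imaps: Fatal error: imaps: required OpenSSL options not present
Mar 7 12:00:01 rachis pop3[1234]: user@example.org at 203.0.113.7 (203.0.113.7): -ERR [AUTH] Password supplied for "user@example.org" is incorrect.
Mar 7 12:00:02 rachis pop3[1235]: user@example.org at 203.0.113.7 (203.0.113.7): -ERR [AUTH] Password supplied for "user@example.org" is incorrect.
Mar 7 12:00:03 rachis imap[1236]: Client address "198.51.100.9" not listed for its host name "no-reverse-dns-configured.example"
Mar 7 12:00:04 rachis sm-mta: STARTTLS=client: file [path omitted] unsafe: Group readable file
Mar 7 12:00:05 rachis qpopper: user at host.example (203.0.113.7): -ERR [SYS/TEMP] POP authentication DB not available (user user): No such file or directory (2)'

# Demo on the constructed sample; in practice: tally_maillog < /var/log/maillog
printf '%s\n' "$SAMPLE_LOG" | tally_maillog
```

On the sample, the two OpenSSL/STARTTLS lines and the qpopper database error come out unchanged, the three login failures collapse into two "noise:" tallies (two from 203.0.113.7, one from 198.51.100.9) plus a total, which is the number worth feeding to a blocker such as the fail2ban mentioned earlier rather than silencing it in the qpopper config.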
Note that if you're running popper under inetd, you need simply edit the config file. It is read each time an email comes in, as it's a fresh program startup. Otherwise, of course, you'll need to do a popper restart.
Popper is the program that allows client email programs to fetch their email from this server -- the old way; via POP3. I've not messed with IMAP, so don't even ask.
First time only:
] cd /usr/ports/mail/popper
] make
] make install
pop3 stream tcp nowait root /usr/local/libexec/popper popper
Do a ps -ax and find 'inetd', then do a 'kill -HUP ###' on that pid.