Kolab 3.2 - SASL unable to open Berkeley

Markus Bernhardt markus.bernhardt at me.com
Thu May 15 11:13:25 CEST 2014


Hello Uwe,

I haven't looked at the SASL error messages yet.

Could you please run the following commands on the machine:

SSL:
openssl s_client -showcerts -connect localhost:443
openssl s_client -showcerts -connect localhost:636
openssl s_client -showcerts -connect localhost:993
openssl s_client -showcerts -connect localhost:995

START TLS:
openssl s_client -showcerts -starttls smtp -connect localhost:25
openssl s_client -showcerts -starttls pop3 -connect localhost:110
openssl s_client -showcerts -starttls imap -connect localhost:143
openssl s_client -showcerts -starttls smtp -connect localhost:587

You should see the correct certificates everywhere.

Additionally, by the way, it's a good idea to harden the ciphers in use.

---

I'll paste my installation log for you at the end. Maybe it helps. Note that internally we use certificates from our own CA and only for the externally reachable SMTP (postfix) an official EssentialSSL certificate from Comodo. So don't be surprised.

Cheers,
Markus

Securing Kolab with SSL

Group ssl-cert

[root at mail ~]# groupadd ssl-cert

[root at mail ~]# usermod -a -G ssl-cert mail

[root at mail ~]# usermod -a -G ssl-cert postfix

[root at mail ~]# usermod -a -G ssl-cert cyrus

Install certs

[root at mail ~]# cp certificate-authorities/SCMB\ GmbH\ Intranet\ CA/keys-renamed/SCMB-GmbH-Intranet-CA-mail.intranet.scmb.de.key /etc/pki/tls/private/

[root at mail ~]# cp certificate-authorities/SCMB\ GmbH\ Intranet\ CA/keys-renamed/SCMB-GmbH-Intranet-CA-mail.intranet.scmb.de.crt /etc/pki/tls/certs/

[root at mail ~]# cp certificate-authorities/SCMB\ GmbH\ Root\ CA/keys-renamed/SCMB-GmbH-Root-CA.crt /etc/pki/tls/certs/

[root at mail ~]# cp certificate-authorities/SCMB\ GmbH\ Intranet\ CA/keys-renamed/SCMB-GmbH-Intranet-CA.crt /etc/pki/tls/certs/

Build bundles

[root at mail ~]# cat /etc/pki/tls/certs/SCMB-GmbH-*.crt /etc/pki/tls/private/SCMB-GmbH-Intranet-CA-mail.intranet.scmb.de.key > /etc/pki/tls/private/SCMB-GmbH-Intranet-CA-mail.intranet.scmb.de.bundle.pem

[root at mail ~]# cat /etc/pki/tls/certs/SCMB-GmbH-*CA.*.crt > /etc/pki/tls/certs/SCMB-GmbH-Intranet-CA.chain.pem

Fix rights

[root at mail ~]# chown root:ssl-cert /etc/pki/tls/private/SCMB-*

[root at mail ~]# chmod 440 /etc/pki/tls/private/SCMB-*

CA bundle

[root at mail ~]# cp /etc/pki/tls/certs/ca-bundle.crt /etc/pki/tls/certs/ca-bundle.crt.orig

[root at mail ~]# cat /etc/pki/tls/certs/SCMB-GmbH-*CA.crt >> /etc/pki/tls/certs/ca-bundle.crt

Cyrus IMAPD

[root at mail ~]# sed -r -i -e 's|^tls_cert_file:.*|tls_cert_file: /etc/pki/tls/certs/SCMB-GmbH-Intranet-CA-mail.intranet.scmb.de.crt|g' -e 's|^tls_key_file:.*|tls_key_file: /etc/pki/tls/private/SCMB-GmbH-Intranet-CA-mail.intranet.scmb.de.key|g' -e 's|^tls_ca_file:.*|tls_ca_file: /etc/pki/tls/certs/SCMB-GmbH-Intranet-CA.chain.pem|g' /etc/imapd.conf

[root at mail ~]# service cyrus-imapd restart

[root at mail ~]# openssl s_client -showcerts -connect localhost:993

Postfix

[root at mail ~]# postconf -e smtpd_tls_key_file=/etc/pki/tls/private/EssentialSSLCA-2-mail.scmb.de.key

[root at mail ~]# postconf -e smtpd_tls_cert_file=/etc/pki/tls/certs/EssentialSSLCA-2-mail.scmb.de.crt

[root at mail ~]# postconf -e smtpd_tls_CAfile=/etc/pki/tls/certs/EssentialSSLCA-2.chain.pem

[root at mail ~]# service postfix restart

Apache

[root at mail ~]# certutil -d /etc/httpd/alias -A  -t "CT,," -i /etc/pki/tls/certs/SCMB-GmbH-Intranet-CA.crt -n "SCMB GmbH Intranet Certification Authority"

[root at mail ~]# certutil -d /etc/httpd/alias -A  -t "CT,," -i /etc/pki/tls/certs/SCMB-GmbH-Root-CA.crt -n "SCMB GmbH Root Certification Authority"

[root at mail ~]# certutil -D -d /etc/httpd/alias -n "Server-Cert"

[root at mail ~]# openssl pkcs12 -export -in /etc/pki/tls/certs/SCMB-GmbH-Intranet-CA-mail.intranet.scmb.de.crt -inkey /etc/pki/tls/private/SCMB-GmbH-Intranet-CA-mail.intranet.scmb.de.key -out /tmp/example.p12 -name Server-Cert -passout pass:foo

[root at mail ~]# echo "foo" > /tmp/foo

[root at mail ~]# pk12util -i /tmp/example.p12 -d /etc/httpd/alias -w /tmp/foo -k /dev/null

[root at mail ~]# rm /tmp/foo

[root at mail ~]# rm /tmp/example.p12

[root at mail ~]# certutil -L -d /etc/httpd/alias

[root at mail ~]# certutil -V -u V -d /etc/httpd/alias -n "Server-Cert"

[root at mail ~]# sed -i -e 's/8443/443/' /etc/httpd/conf.d/nss.conf

[root at mail ~]# cat >> /etc/httpd/conf/httpd.conf << EOF

 

<VirtualHost _default_:80>

    RewriteEngine On

    RewriteRule ^(.*)$ https://%{HTTP_HOST}\$1 [R=301,L]

</VirtualHost>

EOF

[root at mail ~]# service httpd restart

[root at mail ~]# openssl s_client -showcerts -connect localhost:443

389 Directory Server

[root at mail ~]# certutil -d /etc/dirsrv/slapd-mail/ -A  -t "CT,," -i /etc/pki/tls/certs/SCMB-GmbH-Intranet-CA.crt -n "SCMB GmbH Intranet Certification Authority"

[root at mail ~]# certutil -d /etc/dirsrv/slapd-mail/ -A  -t "CT,," -i /etc/pki/tls/certs/SCMB-GmbH-Root-CA.crt -n "SCMB GmbH Root Certification Authority"

[root at mail ~]# openssl pkcs12 -export -in /etc/pki/tls/certs/SCMB-GmbH-Intranet-CA-mail.intranet.scmb.de.crt -inkey /etc/pki/tls/private/SCMB-GmbH-Intranet-CA-mail.intranet.scmb.de.key -out /tmp/example.p12 -name Server-Cert -passout pass:foo

[root at mail ~]# echo "foo" > /tmp/foo

[root at mail ~]# pk12util -i /tmp/example.p12 -d /etc/dirsrv/slapd-mail/ -w /tmp/foo -k /dev/null

[root at mail ~]# rm /tmp/foo

[root at mail ~]# rm /tmp/example.p12

[root at mail ~]# certutil -L -d /etc/dirsrv/slapd-mail/

[root at mail ~]# ldapmodify -x -h localhost -p 389     -D "cn=Directory Manager" -W

Enter LDAP Password:

dn: cn=encryption,cn=config

changetype: modify

replace: nsSSL3

nsSSL3: on

-

replace: nsSSLClientAuth

nsSSLClientAuth: allowed

-

add: nsSSL3Ciphers

nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,

 +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,

 +fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,

 +tls_rsa_export1024_with_des_cbc_sha

 

dn: cn=config

changetype: modify

add: nsslapd-security

nsslapd-security: on

-

replace: nsslapd-ssl-check-hostname

nsslapd-ssl-check-hostname: off

-

replace: nsslapd-secureport

nsslapd-secureport: 636

 

dn: cn=RSA,cn=encryption,cn=config

changetype: add

objectclass: top

objectclass: nsEncryptionModule

cn: RSA

nsSSLPersonalitySSL: Server-Cert

nsSSLToken: internal (software)

nsSSLActivation: on

 

[root at mail ~]# openssl s_client -showcerts -connect localhost:636

[root at mail ~]# ldapsearch -x -H ldap://localhost -b "cn=kolab,cn=config" -D "cn=Directory Manager" -W

Harden SSL Ciphers

[root at mail ~]# grep NSSCipherSuite /etc/httpd/conf.d/nss.conf

NSSCipherSuite -rsa_rc4_128_md5,-rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,-ecdh_ecdsa_null_sha,-ecdh_ecdsa_rc4_128_sha,+ecdh_ecdsa_3des_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,-ecdhe_ecdsa_null_sha,-ecdhe_ecdsa_rc4_128_sha,+ecdhe_ecdsa_3des_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,-ecdh_rsa_null_sha,+ecdh_rsa_128_sha,+ecdh_rsa_3des_sha,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,-echde_rsa_null,-ecdhe_rsa_rc4_128_sha,+ecdhe_rsa_3des_sha,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha

 

[root at mail ~]# service httpd restart

[root at mail ~]# sslscan --no-failed localhost:443

 

[root at mail ~]# ldapmodify -x -h localhost -p 389     -D "cn=Directory Manager" -W

Enter LDAP Password:

dn: cn=encryption,cn=config

changetype: modify

replace: nsSSL3

nsSSL3: off

-

replace: nsSSL2

nsSSL2: off

-

replace: nsSSL3Ciphers

nsSSL3Ciphers: -rc4,-rc4export,-rc2,-rc2export,-des,-desede3,-rsa_rc4_128_md5,-rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,+rsa_fips_3des_sha,+fips_3des_sha,-rsa_fips_des_sha,-fips_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,-tls_rsa_export1024_with_rc4_56_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_des_cbc_sha,-rsa_des_56_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-dhe_dss_des_sha,+dhe_dss_3des_sha,-dhe_rsa_des_sha,+dhe_rsa_3des_sha,+tls_rsa_aes_128_sha,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_aes_256_sha,+rsa_aes_256_sha,+tls_dhe_dss_aes_256_sha,+tls_dhe_rsa_aes_256_sha,-tls_dhe_dss_1024_rc4_sha,-tls_dhe_dss_rc4_128_sha

[root at mail ~]# service dirsrv restart

[root at mail ~]# sslscan --no-failed localhost:636

 

[root at mail ~]# grep tls_cipher /etc/imapd.conf

tls_cipher_list: TLSv1+HIGH:!aNULL:@STRENGTH

[root at mail ~]# service cyrus-imapd restart

[root at mail ~]# sslscan --no-failed localhost:993
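As an added example, not part of the original post: a small Python audit for NSS-style cipher specs like the NSSCipherSuite and nsSSL3Ciphers values above. It reports which suites a spec still enables and sorts them into weak, legacy (3DES) and acceptable; the weak and legacy patterns are my own heuristics, not NSS's classification, and the sample value is the nsSSL3Ciphers string from the first ldapmodify above.

```python
import re

# Weak families: NULL, export/40/56-bit, RC4/RC2, single DES, MD5 MACs, Fortezza.
# "(?<!3)des(?!ede)" matches rsa_des_sha but not rsa_3des_sha or desede3.
WEAK = re.compile(r"null|export|_40_|_56_|1024|rc4|rc2|fortezza|md5|(?<!3)des(?!ede)")
# 3DES was acceptable in 2014 but has counted as weak since Sweet32 (2016).
LEGACY = re.compile(r"3des|desede3")


def parse_spec(spec):
    """Split "+a,-b,..." (line folds and blanks allowed) into (enabled, disabled, unsigned)."""
    enabled, disabled, unsigned = [], [], []
    for tok in re.sub(r"\s+", "", spec).split(","):
        if not tok:
            continue
        if tok[0] == "+":
            enabled.append(tok[1:])
        elif tok[0] == "-":
            disabled.append(tok[1:])
        else:
            unsigned.append(tok)  # every NSS token should carry an explicit + or -
    return enabled, disabled, unsigned


def audit(spec):
    """Bucket the enabled suites so the ones that must go stand out."""
    enabled, _disabled, unsigned = parse_spec(spec)
    report = {"weak_enabled": [], "legacy_enabled": [], "ok_enabled": [], "unsigned": unsigned}
    for name in enabled:
        low = name.lower()
        if WEAK.search(low):
            report["weak_enabled"].append(name)
        elif LEGACY.search(low):
            report["legacy_enabled"].append(name)
        else:
            report["ok_enabled"].append(name)
    return report


# Constructed sample: the nsSSL3Ciphers value set in the first ldapmodify above,
# i.e. the state before the hardening step.
DIRSRV_BEFORE = """-rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
 +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,
 +fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,
 +tls_rsa_export1024_with_des_cbc_sha"""

if __name__ == "__main__":
    for bucket, names in audit(DIRSRV_BEFORE).items():
        print("%-15s %s" % (bucket, ", ".join(names) or "-"))
```

Fed the hardened NSSCipherSuite line above, it reports nothing as weak and only the 3DES suites as legacy; the unsigned bucket catches names that lost their + or - sign while the line was being edited.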

Kolab CLI

[root at mail ~]# sed -r -i -e '/api_url/d' -e "s#\[kolab_wap\]#[kolab_wap]\napi_url = https://mail.intranet.scmb.de/kolab-webadmin/api#g" /etc/kolab/kolab.conf

Roundcube

[root at mail ~]# sed -i -e '/kolab_ssl/d' /etc/roundcubemail/libkolab.inc.php

[root at mail ~]# sed -i -e 's/http:/https:/' /etc/roundcubemail/kolab_files.inc.php

[root at mail ~]# sed -i -e '/^?>/d' /etc/roundcubemail/config.inc.php

[root at mail ~]# cat >> /etc/roundcubemail/config.inc.php << EOF

\$config['kolab_http_request'] = array(

        'ssl_verify_peer'       => true,

        'ssl_verify_host'       => true,

        'ssl_cafile'            => '/etc/pki/tls/certs/ca-bundle.crt'

);

EOF

[root at mail ~]# cat >> /etc/roundcubemail/config.inc.php << EOF

\$config['calendar_caldav_url']             = "https://mail.intranet.scmb.de/iRony/calendars/%u/%i";

\$config['kolab_addressbook_carddav_url']   = 'https://mail.intranet.scmb.de/iRony/addressbooks/%u/%i';

EOF

 

Fix indenting and php close tag at the end of /etc/roundcubemail/config.inc.php!

 

ipTables

[root at mail ~]# cat /etc/sysconfig/iptables

# Firewall configuration written by system-config-firewall

# Manual customization of this file is not recommended.

*filter

:INPUT ACCEPT [0:0]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [0:0]

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

-A INPUT -p icmp -j ACCEPT

-A INPUT -i lo -j ACCEPT

-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

-A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT

-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT

#-A INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT

#-A INPUT -m state --state NEW -m tcp -p tcp --dport 143 -j ACCEPT

#-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT

-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT

-A INPUT -m state --state NEW -m tcp -p tcp --dport 465 -j ACCEPT

-A INPUT -m state --state NEW -m tcp -p tcp --dport 587 -j ACCEPT

-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT

-A INPUT -m state --state NEW -m tcp -p tcp --dport 993 -j ACCEPT

-A INPUT -m state --state NEW -m tcp -p tcp --dport 995 -j ACCEPT

-A INPUT -j REJECT --reject-with icmp-host-prohibited

-A FORWARD -j REJECT --reject-with icmp-host-prohibited

COMMIT
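As an added example, not part of the original post: a Python script that runs the same round of checks as the openssl s_client commands at the top of the mail (implicit TLS on 443/636/993/995, STARTTLS on 25/110/143/587), but with chain verification against the CA bundle and host-name checking switched on. Assumed: the bundle path /etc/pki/tls/certs/ca-bundle.crt from the install log, and that you pass the host name that is on the certificate rather than localhost.

```python
import imaplib, poplib, smtplib, socket, ssl, sys
# (label, port, STARTTLS protocol or None for implicit TLS), the ports from the post.
ENDPOINTS = [("https", 443, None), ("ldaps", 636, None), ("imaps", 993, None), ("pop3s", 995, None),
             ("smtp", 25, "smtp"), ("pop3", 110, "pop3"), ("imap", 143, "imap"), ("submission", 587, "smtp")]
CA_BUNDLE = "/etc/pki/tls/certs/ca-bundle.crt"  # bundle path from the install log (assumed)


def make_context(cafile):
    """Strict client context: chain verified against cafile, host name checked."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def summarize_cert(cert):
    """Subject CN, issuer CN and expiry (epoch seconds) from an ssl.getpeercert() dict."""
    def cn(name):
        return dict(rdn[0] for rdn in name).get("commonName", "?")
    return {"subject": cn(cert["subject"]), "issuer": cn(cert["issuer"]),
            "not_after": ssl.cert_time_to_seconds(cert["notAfter"])}


def check_endpoint(host, port, starttls, cafile=CA_BUNDLE, timeout=5.0):
    """Handshake (implicit TLS or STARTTLS) and return a summary dict or the error."""
    ctx = make_context(cafile)
    try:
        if starttls is None:
            sock = socket.create_connection((host, port), timeout=timeout)
            tls = ctx.wrap_socket(sock, server_hostname=host)
        else:  # plaintext first, then upgrade; the stdlib clients swap in an SSLSocket
            if starttls == "smtp":
                conn = smtplib.SMTP(host, port, timeout=timeout)
                conn.starttls(context=ctx)
            elif starttls == "imap":
                conn = imaplib.IMAP4(host, port)
                conn.starttls(ssl_context=ctx)
            else:
                conn = poplib.POP3(host, port, timeout=timeout)
                conn.stls(context=ctx)
            tls = conn.sock
        result = {"ok": True, "version": tls.version(), "cipher": tls.cipher()[0]}
        result.update(summarize_cert(tls.getpeercert()))
        tls.close()
        return result
    except Exception as exc:  # refused, handshake, chain or host-name failure
        return {"ok": False, "error": "%s: %s" % (type(exc).__name__, exc)}


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    for label, port, starttls in ENDPOINTS:
        print(label, port, check_endpoint(host, port, starttls))
```

An endpoint that answers the plain openssl command but comes back with ok=False here is typically presenting a chain that does not verify against the bundle, or a certificate whose name does not match the host you passed.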





On 15.05.2014 at 09:09, IG BEB GmbH (Herr Treber) <treber at beb-weimar.de> wrote:

> Hello Markus,
> I had already adjusted the file setup_mta.py.
> Now I also have the following problem:
> When setting up the account with Thunderbird as the mail client, I simply get
> no access to Kolab; it always says username or password wrong.
> No matter which port or which encryption I choose.
> 
> The maillog shows this error message:
> May 15 09:00:27 web imaps[4343]: Fatal error: tls_start_servertls() failed
> May 15 09:00:27 web master[3122]: process type:SERVICE name:imaps path:/usr/lib/cyrus-imapd/imapd age:25.271s pid:4343 signaled to death by signal 6 (Aborted, core dumped)
> May 15 09:03:05 web postfix/smtpd[5028]: warning: 192.168.1.13: address not listed for hostname localhost
> May 15 09:03:05 web postfix/smtpd[5028]: connect from unknown[192.168.1.13]
> May 15 09:03:05 web postfix/submission/smtpd[5027]: warning: 192.168.1.13: address not listed for hostname localhost
> May 15 09:03:05 web postfix/submission/smtpd[5027]: connect from unknown[192.168.1.13]
> May 15 09:03:05 web postfix/smtpd[5028]: disconnect from unknown[192.168.1.13]
> May 15 09:03:05 web postfix/submission/smtpd[5027]: disconnect from unknown[192.168.1.13]
> May 15 09:03:05 web postfix/smtpd[5028]: warning: 192.168.1.13: address not listed for hostname localhost
> May 15 09:03:05 web postfix/smtpd[5028]: connect from unknown[192.168.1.13]
> May 15 09:03:05 web postfix/submission/smtpd[5027]: warning: 192.168.1.13: address not listed for hostname localhost
> May 15 09:03:05 web postfix/submission/smtpd[5027]: connect from unknown[192.168.1.13]
> May 15 09:03:05 web postfix/submission/smtpd[5027]: lost connection after CONNECT from unknown[192.168.1.13]
> May 15 09:03:05 web postfix/submission/smtpd[5027]: disconnect from unknown[192.168.1.13]
> May 15 09:03:05 web postfix/smtpd[5028]: lost connection after CONNECT from unknown[192.168.1.13]
> May 15 09:03:05 web postfix/smtpd[5028]: disconnect from unknown[192.168.1.13]
> May 15 09:03:09 web imap[3404]: STARTTLS negotiation failed: localhost [192.168.1.13]
> May 15 09:03:10 web imap[3404]: Connection reset by peer, closing connection
> May 15 09:03:10 web imap[5026]: STARTTLS negotiation failed: localhost [192.168.1.13]
> May 15 09:03:10 web imap[5026]: Connection reset by peer, closing connection
> 
> Is that somehow related?
> Does the CentOS saslauthd service have to be running, or does kolab-saslauthd take care of that?
> Questions upon questions.
> 
> Does anyone know about this?
> 
> Thanks.
> Uwe
> ------------- 
> 
> On 14.05.2014 22:20, Markus Bernhardt wrote:
>> Hi,
>> 
>> I have exactly the same setup running.
>> 
>> I also have the following errors in the log:
>> May 14 21:50:14 mail lmtpunix[32137]: ptload(): bad response from ptloader server: identifier not found
>> May 14 21:50:14 mail lmtpunix[32137]: ptload failed for markus^bernhardt at scmb.de
>> May 14 22:00:01 mail imaps[8801]: SASL unable to open Berkeley db /etc/sasldb2: No such file or directory
>> 
>> But not the first one:
>> > May 14 13:58:15 web ptloader[3603]: LDAP search for domain failed.
>> 
>> In my log:
>> May 14 04:30:01 mail ptloader[25396]: starting: ptloader.c,v git2.5+0
>> 
>> By the way, do you have the fix for https://issues.kolab.org/show_bug.cgi?id=2864 applied?
>> [root at mail ~]# vi /usr/lib/python2.6/site-packages/pykolab/setup/setup_mta.py
>>         if os.path.isdir('/etc/amavisd'):
>>             fp = open('/etc/amavisd/amavisd.conf', 'w')
>>             fp.write(t.__str__())
>>             fp.close()
>>         elif os.path.isdir('/etc/amavis'):
>>             fp = open('/etc/amavis/amavisd.conf', 'w')
>>             fp.write(t.__str__())
>>             fp.close()
>> 
>> Hope this helps somehow.
>> 
>> Cheers,
>> Markus
>> 
>> On 14.05.2014 at 14:02, IG BEB GmbH (Herr Treber) <treber at beb-weimar.de> wrote:
>> 
>>> Hello,
>>> 
>>> I have installed Kolab 3.2 on CentOS 6.5.
>>> The installation went without problems. 
>>> Created a user and logged in via Roundcubemail.
>>> 
>>> Access to Roundcubemail takes quite a long time.
>>> 
>>> Is that possibly related to this, and how can it be solved?
>>> 
>>> The maillog says
>>> May 14 13:58:15 web ptloader[3603]: LDAP search for domain failed.
>>> May 14 13:58:15 web imap[5178]: ptload(): bad response from ptloader server: identifier not found
>>> May 14 13:58:15 web imap[5178]: ptload failed: but canonified user.name at beb-weimar.de -> user.name at beb-weimar.de
>>> May 14 13:58:15 web imap[5178]: SASL unable to open Berkeley db /etc/sasldb2: No such file or directory
>>> May 14 13:58:15 web imap[5178]: SASL unable to open Berkeley db /etc/sasldb2: No such file or directory
>>> May 14 13:58:15 web imap[5178]: login: localhost [::1] user.name at beb-weimar.de PLAIN+TLS User logged in SESSIONID=<web.beb-weimar.de-5178-1400068694-1>
>>> May 14 13:58:16 web imap[5178]: USAGE user^name at beb-weimar.de user: 0.015997 sys: 0.007998
>>> May 14 13:58:17 web imap[4967]: starttls: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits new) no authentication
>>> May 14 13:58:17 web imap[5187]: starttls: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits new) no authentication
>>> 
>>> The username is shown once with "." and once with "^"?
>>> 
>>> Does anyone know about this?
>>> -- 
>>> Thanks
>>> Uwe
>>> _______________________________________________
>>> users-de mailing list
>>> users-de at lists.kolab.org
>>> https://lists.kolab.org/mailman/listinfo/users-de
>> 
> 
