Kolab 3.4 - Problem when securing installation

Brady, Mike mike.brady at devnull.net.nz
Wed Nov 25 21:56:36 CET 2015


 

On 2015-11-26 06:42, Philip Trickett (List) wrote: 

> On 25/11/15 17:18, Brady, Mike wrote: 
> 
>> Phil 
>> 
>> I am going to need some more details on what you have done. 
>> 
>> I am assuming: 
>> 
>> * Install OS and Kolab
>> * Run setup-kolab
>> * Migrate LDAP Data
>> * Migrate IMAP Data
>> 
>> If this is what you did, when you migrated the LDAP data did you either exclude everything in ou=Special Users,dc=your,dc=domain or change the passwords in all the configuration files? 
>> 
>> Mike
> Hi Mike,
> 
> I pretty much followed those steps, but I cheated slightly ;)
> 
> I did steps 1 & 2, for setup-kolab, I used the configuration passwords from the original server on the new server, to save having to change passwords, then I migrated all the LDAP data from the old server.
> 
> I then migrated the IMAP data, by rsyncing /var/lib/imap and /var/spool/imap from the old server (during this time, cyrus-imapd was shut down, as well as the directory server etc.) 
> 
> Once I had done this, I logged in to roundcube on a couple of the accounts, and checked a few messages etc. which showed up fine with no errors.
> 
> Then I proceeded to follow the guide to secure the installation, and after this, logging in gives a mailbox not found.
> 
> However, on looking at logs and firebug, I can only see the successful login to cyrus from roundcube, and no errors are returned, so I am a bit stumped by this.
> 
> There is a bit of a log excerpt below of the login process:
> 
> tail -f /var/log/maillog /var/log/httpd/ssl_access_log /var/log/httpd/ssl_error_log
> ==> /var/log/maillog <==
> Nov 25 17:29:55 mail imap[3785]: USAGE philip.trickett at example.org user: 0.009205 sys: 0.005508
> Nov 25 17:29:55 mail imap[3786]: starttls: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits new) no authentication
> Nov 25 17:29:55 mail imap[3786]: login: localhost.localdomain [127.0.0.1] philip.trickett at example.org PLAIN+TLS User logged in SESSIONID=<mail2-3786-1448472595-1-1905125910673132224>
> Nov 25 17:29:55 mail imap[3786]: USAGE philip.trickett at example.org user: 0.009059 sys: 0.006039
> Nov 25 17:29:57 mail imap[3783]: starttls: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits new) no authentication
> Nov 25 17:29:57 mail imap[3783]: login: localhost.localdomain [127.0.0.1] philip.trickett at example.org PLAIN+TLS User logged in SESSIONID=<mail2-3783-1448472597-1-4950283356597843003>
> Nov 25 17:29:57 mail imap[3785]: starttls: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits new) no authentication
> Nov 25 17:29:57 mail imap[3785]: login: localhost.localdomain [127.0.0.1] philip.trickett at example.org PLAIN+TLS User logged in SESSIONID=<mail2-3785-1448472597-1-9158458248579971895>
> Nov 25 17:29:57 mail imap[3783]: USAGE philip.trickett at example.org user: 0.008515 sys: 0.006386
> Nov 25 17:29:57 mail imap[3785]: USAGE philip.trickett at example.org user: 0.000567 sys: 0.003450
> 
> ==> /var/log/httpd/ssl_access_log <==
> 192.168.156.30 - - [25/Nov/2015:12:52:14 +0000] "GET /roundcubemail/35fe554a98f8ebb6/?_task=mail&_refresh=1&_mbox=INBOX&_remote=1&_unlock=loading1448455935036&_action=list&_=1448455934624 HTTP/1.1" 200 933
> 192.168.156.30 - - [25/Nov/2015:12:52:15 +0000] "GET /roundcubemail/assets/program/resources/blank.tif HTTP/1.1" 200 270
> 192.168.156.23 - philip.trickett at example.org [25/Nov/2015:12:53:15 +0000] "GET /chwala//api/?method=authenticate&version=2 HTTP/1.1" 200 128
> 192.168.156.30 - - [25/Nov/2015:12:53:14 +0000] "POST /roundcubemail/35fe554a98f8ebb6/?_task=mail&_action=refresh HTTP/1.1" 200 186
> 192.168.156.30 - - [25/Nov/2015:17:29:43 +0000] "GET /roundcubemail/ HTTP/1.1" 200 7124
> 192.168.156.30 - - [25/Nov/2015:17:29:54 +0000] "POST /roundcubemail/?_task=login HTTP/1.1" 302 -
> 192.168.156.30 - - [25/Nov/2015:17:29:55 +0000] "GET /roundcubemail/63350724609ca0f3/?_task=mail HTTP/1.1" 200 55032
> 192.168.156.30 - - [25/Nov/2015:17:29:57 +0000] "GET /roundcubemail/assets/program/resources/blank.tif HTTP/1.1" 200 270
> 192.168.156.30 - - [25/Nov/2015:17:29:57 +0000] "GET /roundcubemail/63350724609ca0f3/?_task=mail&_refresh=1&_mbox=INBOX&_remote=1&_unlock=loading1448472597825&_action=list&_=1448472597435 HTTP/1.1" 200 933
> 192.168.156.30 - - [25/Nov/2015:17:29:57 +0000] "GET /roundcubemail/63350724609ca0f3/?_task=mail&_remote=1&_unlock=0&_action=getunread&_=1448472597436 HTTP/1.1" 200 75
> 
> ==> /var/log/maillog <==
> Nov 25 17:30:57 mail imap[3782]: starttls: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits new) no authentication
> Nov 25 17:30:57 mail imap[3782]: login: localhost.localdomain [127.0.0.1] philip.trickett at example.org PLAIN+TLS User logged in SESSIONID=<mail2-3782-1448472657-1-14027085326122907929>
> Nov 25 17:30:57 mail imap[3783]: starttls: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits new) no authentication
> Nov 25 17:30:57 mail imap[3783]: login: localhost.localdomain [127.0.0.1] philip.trickett at example.org PLAIN+TLS User logged in SESSIONID=<mail2-3783-1448472657-1-7942227074731681134>
> Nov 25 17:30:57 mail imap[3783]: USAGE philip.trickett at example.org user: 0.002896 sys: 0.001913
> 
> ==> /var/log/httpd/ssl_access_log <==
> 192.168.156.23 - philip.trickett at example.org [25/Nov/2015:17:30:57 +0000] "GET /chwala//api/?method=authenticate&version=2 HTTP/1.1" 200 128
> 
> ==> /var/log/maillog <==
> Nov 25 17:30:58 mail imap[3782]: USAGE philip.trickett at example.org user: 0.009165 sys: 0.006415
> 
> ==> /var/log/httpd/ssl_access_log <==
> 192.168.156.30 - - [25/Nov/2015:17:30:57 +0000] "POST /roundcubemail/63350724609ca0f3/?_task=mail&_action=refresh HTTP/1.1" 200 186
> 192.168.156.30 - - [25/Nov/2015:17:31:01 +0000] "GET /roundcubemail/63350724609ca0f3/?_task=logout&_token=8cfe772e7b2535db746bbaafb49449ba HTTP/1.1" 200 5936
> 
> ==> /var/log/maillog <==
> Nov 25 17:31:13 mail imap[4897]: starttls: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits new) no authentication
> Nov 25 17:31:13 mail imap[4897]: login: localhost.localdomain [127.0.0.1] philip.trickett at example.org PLAIN+TLS User logged in SESSIONID=<mail2-4897-1448472673-1-655763290223196110>
> Nov 25 17:31:13 mail imap[4897]: USAGE philip.trickett at example.org user: 0.009506 sys: 0.003168
> 
> ==> /var/log/httpd/ssl_access_log <==
> 192.168.156.30 - - [25/Nov/2015:17:31:13 +0000] "POST /roundcubemail/63350724609ca0f3/?_task=login HTTP/1.1" 302 -
> 
> ==> /var/log/maillog <==
> Nov 25 17:31:13 mail imap[3783]: starttls: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits new) no authentication
> Nov 25 17:31:13 mail imap[3783]: login: localhost.localdomain [127.0.0.1] philip.trickett at example.org PLAIN+TLS User logged in SESSIONID=<mail2-3783-1448472673-1-6058572438371252881>
> Nov 25 17:31:13 mail imap[3783]: USAGE philip.trickett at example.org user: 0.003986 sys: 0.001599
> 
> ==> /var/log/httpd/ssl_access_log <==
> 192.168.156.30 - - [25/Nov/2015:17:31:13 +0000] "GET /roundcubemail/1b8c245e42d4ac37/?_task=mail HTTP/1.1" 200 55032
> 192.168.156.30 - - [25/Nov/2015:17:31:15 +0000] "GET /roundcubemail/assets/program/resources/blank.tif HTTP/1.1" 200 270
> 
> ==> /var/log/maillog <==
> Nov 25 17:31:15 mail imap[4897]: starttls: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits new) no authentication
> Nov 25 17:31:15 mail imap[3785]: starttls: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits new) no authentication
> Nov 25 17:31:15 mail imap[4897]: login: localhost.localdomain [127.0.0.1] philip.trickett at example.org PLAIN+TLS User logged in SESSIONID=<mail2-4897-1448472675-1-12513764351967823944>
> Nov 25 17:31:15 mail imap[3785]: login: localhost.localdomain [127.0.0.1] philip.trickett at example.org PLAIN+TLS User logged in SESSIONID=<mail2-3785-1448472675-1-17553890062648386401>
> Nov 25 17:31:15 mail imap[3785]: USAGE philip.trickett at example.org user: 0.003053 sys: 0.002034
> 
> ==> /var/log/httpd/ssl_access_log <==
> 192.168.156.30 - - [25/Nov/2015:17:31:15 +0000] "GET /roundcubemail/1b8c245e42d4ac37/?_task=mail&_remote=1&_unlock=0&_action=getunread&_=1448472675540 HTTP/1.1" 200 75
> 
> ==> /var/log/maillog <==
> Nov 25 17:31:15 mail imap[4897]: USAGE philip.trickett at example.org user: 0.003734 sys: 0.002348
> 
> ==> /var/log/httpd/ssl_access_log <==
> 192.168.156.30 - - [25/Nov/2015:17:31:15 +0000] "GET /roundcubemail/1b8c245e42d4ac37/?_task=mail&_refresh=1&_mbox=INBOX&_remote=1&_unlock=loading1448472675929&_action=list&_=1448472675539 HTTP/1.1" 200 933

Phil 

I am running out of ideas as well. 

Have a look in the LDAP logs to see if everything is as expected.   

Otherwise start backing out the security changes one at a time. 

I have to admit that I haven't followed the security howto exactly.  I
am ok with stuff that stays inside the box not being encrypted so I
have separate TLS/nonTLS IMAP configurations for IMAP and haven't
enabled TLS on LDAP.  Makes things faster as well doing this. 

Mike 
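
An added example, not part of either poster's message: a small parser for Cyrus imapd `starttls`/`login`/`badlogin` lines like those in the quoted maillog excerpt. It tallies the negotiated TLS parameters, successful logins, logins made without TLS, and failures, so the authentication stage can be checked separately from the mailbox lookup. The sample lines are constructed, and the `badlogin` and `plaintext` formats are assumptions about what this Cyrus version logs.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the excerpt above. The list archive
# rewrites "@" as " at ", so the parser accepts both spellings.
SAMPLE = """\
Nov 25 17:29:55 mail imap[3786]: starttls: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits new) no authentication
Nov 25 17:29:55 mail imap[3786]: login: localhost.localdomain [127.0.0.1] user at example.org PLAIN+TLS User logged in SESSIONID=<mail2-3786-1-1>
Nov 25 17:29:55 mail imap[3786]: USAGE user at example.org user: 0.009059 sys: 0.006039
Nov 25 17:29:57 mail imap[3783]: starttls: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits new) no authentication
Nov 25 17:29:57 mail imap[3783]: badlogin: localhost.localdomain [127.0.0.1] PLAIN [SASL(-13): authentication failure: checkpass failed]
Nov 25 17:29:58 mail imap[3790]: login: localhost.localdomain [127.0.0.1] user@example.org plaintext User logged in SESSIONID=<mail2-3790-1-1>
"""

LINE = re.compile(r"imap\[(?P<pid>\d+)\]: (?P<kind>starttls|login|badlogin): (?P<rest>.*)")
TLS = re.compile(r"(?P<proto>\S+) with cipher (?P<cipher>\S+)")
LOGIN = re.compile(r"\[(?P<ip>[^\]]+)\] (?P<user>\S+(?: at \S+)?) (?P<mech>\S+) User logged in")

def summarize(log_text):
    """Return TLS parameters, successful logins, non-TLS logins and failures."""
    tls, ok, cleartext, failed = Counter(), Counter(), [], []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # USAGE and other lines carry no auth information
        kind, rest = m["kind"], m["rest"]
        if kind == "starttls":
            t = TLS.match(rest)
            if t:
                tls[(t["proto"], t["cipher"])] += 1
        elif kind == "login":
            hit = LOGIN.search(rest)
            if hit:
                user = hit["user"].replace(" at ", "@")
                ok[user] += 1
                # Cyrus appends "+TLS" to the mechanism on encrypted sessions
                if not hit["mech"].endswith("+TLS"):
                    cleartext.append((user, hit["ip"], hit["mech"]))
        else:
            failed.append((m["pid"], rest))
    return {"tls": dict(tls), "ok": dict(ok), "cleartext": cleartext, "failed": failed}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(key, value)
```
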

  