Kolab 3.2 - SASL unable to open Berkeley
Markus Bernhardt
markus.bernhardt at me.com
Thu May 15 11:13:25 CEST 2014
Hello Uwe,
I haven't looked at the SASL error messages yet.
Could you please run the following commands on the machine:
SSL:
openssl s_client -showcerts -connect localhost:443
openssl s_client -showcerts -connect localhost:636
openssl s_client -showcerts -connect localhost:993
openssl s_client -showcerts -connect localhost:995
STARTTLS:
openssl s_client -showcerts -starttls smtp -connect localhost:25
openssl s_client -showcerts -starttls pop3 -connect localhost:110
openssl s_client -showcerts -starttls imap -connect localhost:143
openssl s_client -showcerts -starttls smtp -connect localhost:587
You should see the correct certificates everywhere.
By the way, it is also a good idea to harden the ciphers in use.
---
I'll copy my installation log to the end of this mail. Maybe it helps. The important thing is that internally we use certificates from our own CA, and only for the externally reachable SMTP (postfix) do we use an official EssentialSSL certificate from Comodo. So don't be surprised.
Cheers,
Markus
Securing Kolab with SSL
Group ssl-cert
[root@mail ~]# groupadd ssl-cert
[root@mail ~]# usermod -a -G ssl-cert mail
[root@mail ~]# usermod -a -G ssl-cert postfix
[root@mail ~]# usermod -a -G ssl-cert cyrus
Install certs
[root@mail ~]# cp certificate-authorities/SCMB\ GmbH\ Intranet\ CA/keys-renamed/SCMB-GmbH-Intranet-CA-mail.intranet.scmb.de.key /etc/pki/tls/private/
[root@mail ~]# cp certificate-authorities/SCMB\ GmbH\ Intranet\ CA/keys-renamed/SCMB-GmbH-Intranet-CA-mail.intranet.scmb.de.crt /etc/pki/tls/certs/
[root@mail ~]# cp certificate-authorities/SCMB\ GmbH\ Root\ CA/keys-renamed/SCMB-GmbH-Root-CA.crt /etc/pki/tls/certs/
[root@mail ~]# cp certificate-authorities/SCMB\ GmbH\ Intranet\ CA/keys-renamed/SCMB-GmbH-Intranet-CA.crt /etc/pki/tls/certs/
Build bundles
[root@mail ~]# cat /etc/pki/tls/certs/SCMB-GmbH-*.crt /etc/pki/tls/private/SCMB-GmbH-Intranet-CA-mail.intranet.scmb.de.key > /etc/pki/tls/private/SCMB-GmbH-Intranet-CA-mail.intranet.scmb.de.bundle.pem
[root@mail ~]# cat /etc/pki/tls/certs/SCMB-GmbH-*CA.crt > /etc/pki/tls/certs/SCMB-GmbH-Intranet-CA.chain.pem
Fix rights
[root@mail ~]# chown root:ssl-cert /etc/pki/tls/private/SCMB-*
[root@mail ~]# chmod 440 /etc/pki/tls/private/SCMB-*
CA bundle
[root@mail ~]# cp /etc/pki/tls/certs/ca-bundle.crt /etc/pki/tls/certs/ca-bundle.crt.orig
[root@mail ~]# cat /etc/pki/tls/certs/SCMB-GmbH-*CA.crt >> /etc/pki/tls/certs/ca-bundle.crt
Cyrus IMAPD
[root@mail ~]# sed -r -i -e 's|^tls_cert_file:.*|tls_cert_file: /etc/pki/tls/certs/SCMB-GmbH-Intranet-CA-mail.intranet.scmb.de.crt|g' -e 's|^tls_key_file:.*|tls_key_file: /etc/pki/tls/private/SCMB-GmbH-Intranet-CA-mail.intranet.scmb.de.key|g' -e 's|^tls_ca_file:.*|tls_ca_file: /etc/pki/tls/certs/SCMB-GmbH-Intranet-CA.chain.pem|g' /etc/imapd.conf
[root@mail ~]# service cyrus-imapd restart
[root@mail ~]# openssl s_client -showcerts -connect localhost:993
Postfix
[root@mail ~]# postconf -e smtpd_tls_key_file=/etc/pki/tls/private/EssentialSSLCA-2-mail.scmb.de.key
[root@mail ~]# postconf -e smtpd_tls_cert_file=/etc/pki/tls/certs/EssentialSSLCA-2-mail.scmb.de.crt
[root@mail ~]# postconf -e smtpd_tls_CAfile=/etc/pki/tls/certs/EssentialSSLCA-2.chain.pem
[root@mail ~]# service postfix restart
Apache
[root@mail ~]# certutil -d /etc/httpd/alias -A -t "CT,," -i /etc/pki/tls/certs/SCMB-GmbH-Intranet-CA.crt -n "SCMB GmbH Intranet Certification Authority"
[root@mail ~]# certutil -d /etc/httpd/alias -A -t "CT,," -i /etc/pki/tls/certs/SCMB-GmbH-Root-CA.crt -n "SCMB GmbH Root Certification Authority"
[root@mail ~]# certutil -D -d /etc/httpd/alias -n "Server-Cert"
[root@mail ~]# openssl pkcs12 -export -in /etc/pki/tls/certs/SCMB-GmbH-Intranet-CA-mail.intranet.scmb.de.crt -inkey /etc/pki/tls/private/SCMB-GmbH-Intranet-CA-mail.intranet.scmb.de.key -out /tmp/example.p12 -name Server-Cert -passout pass:foo
[root@mail ~]# echo "foo" > /tmp/foo
[root@mail ~]# pk12util -i /tmp/example.p12 -d /etc/httpd/alias -w /tmp/foo -k /dev/null
[root@mail ~]# rm /tmp/foo
[root@mail ~]# rm /tmp/example.p12
[root@mail ~]# certutil -L -d /etc/httpd/alias
[root@mail ~]# certutil -V -u V -d /etc/httpd/alias -n "Server-Cert"
[root@mail ~]# sed -i -e 's/8443/443/' /etc/httpd/conf.d/nss.conf
[root@mail ~]# cat >> /etc/httpd/conf/httpd.conf << EOF
<VirtualHost _default_:80>
RewriteEngine On
RewriteRule ^(.*)$ https://%{HTTP_HOST}\$1 [R=301,L]
</VirtualHost>
EOF
[root@mail ~]# service httpd restart
[root@mail ~]# openssl s_client -showcerts -connect localhost:443
389 Directory Server
[root@mail ~]# certutil -d /etc/dirsrv/slapd-mail/ -A -t "CT,," -i /etc/pki/tls/certs/SCMB-GmbH-Intranet-CA.crt -n "SCMB GmbH Intranet Certification Authority"
[root@mail ~]# certutil -d /etc/dirsrv/slapd-mail/ -A -t "CT,," -i /etc/pki/tls/certs/SCMB-GmbH-Root-CA.crt -n "SCMB GmbH Root Certification Authority"
[root@mail ~]# openssl pkcs12 -export -in /etc/pki/tls/certs/SCMB-GmbH-Intranet-CA-mail.intranet.scmb.de.crt -inkey /etc/pki/tls/private/SCMB-GmbH-Intranet-CA-mail.intranet.scmb.de.key -out /tmp/example.p12 -name Server-Cert -passout pass:foo
[root@mail ~]# echo "foo" > /tmp/foo
[root@mail ~]# pk12util -i /tmp/example.p12 -d /etc/dirsrv/slapd-mail/ -w /tmp/foo -k /dev/null
[root@mail ~]# rm /tmp/foo
[root@mail ~]# rm /tmp/example.p12
[root@mail ~]# certutil -L -d /etc/dirsrv/slapd-mail/
[root@mail ~]# ldapmodify -x -h localhost -p 389 -D "cn=Directory Manager" -W
Enter LDAP Password:
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: on
-
replace: nsSSLClientAuth
nsSSLClientAuth: allowed
-
add: nsSSL3Ciphers
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha

dn: cn=config
changetype: modify
add: nsslapd-security
nsslapd-security: on
-
replace: nsslapd-ssl-check-hostname
nsslapd-ssl-check-hostname: off
-
replace: nsslapd-secureport
nsslapd-secureport: 636

dn: cn=RSA,cn=encryption,cn=config
changetype: add
objectclass: top
objectclass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: Server-Cert
nsSSLToken: internal (software)
nsSSLActivation: on
[root@mail ~]# openssl s_client -showcerts -connect localhost:636
[root@mail ~]# ldapsearch -x -H ldap://localhost -b "cn=kolab,cn=config" -D "cn=Directory Manager" -W
Harden SSL Ciphers
[root@mail ~]# grep NSSCipherSuite /etc/httpd/conf.d/nss.conf
NSSCipherSuite -rsa_rc4_128_md5,-rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,-ecdh_ecdsa_null_sha,-ecdh_ecdsa_rc4_128_sha,+ecdh_ecdsa_3des_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,-ecdhe_ecdsa_null_sha,-ecdhe_ecdsa_rc4_128_sha,+ecdhe_ecdsa_3des_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,-ecdh_rsa_null_sha,+ecdh_rsa_128_sha,+ecdh_rsa_3des_sha,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,-echde_rsa_null,-ecdhe_rsa_rc4_128_sha,+ecdhe_rsa_3des_sha,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha
[root@mail ~]# service httpd restart
[root@mail ~]# sslscan --no-failed localhost:443
[root@mail ~]# ldapmodify -x -h localhost -p 389 -D "cn=Directory Manager" -W
Enter LDAP Password:
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: off
-
replace: nsSSL2
nsSSL2: off
-
replace: nsSSL3Ciphers
nsSSL3Ciphers: -rc4,-rc4export,-rc2,-rc2export,-des,-desede3,-rsa_rc4_128_md5,-rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,+rsa_fips_3des_sha,+fips_3des_sha,-rsa_fips_des_sha,-fips_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,-tls_rsa_export1024_with_rc4_56_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_des_cbc_sha,-rsa_des_56_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-dhe_dss_des_sha,+dhe_dss_3des_sha,-dhe_rsa_des_sha,+dhe_rsa_3des_sha,+tls_rsa_aes_128_sha,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_aes_256_sha,+rsa_aes_256_sha,+tls_dhe_dss_aes_256_sha,+tls_dhe_rsa_aes_256_sha,-tls_dhe_dss_1024_rc4_sha,-tls_dhe_dss_rc4_128_sha
[root@mail ~]# service dirsrv restart
[root@mail ~]# sslscan --no-failed localhost:636
[root@mail ~]# grep tls_cipher /etc/imapd.conf
tls_cipher_list: TLSv1+HIGH:!aNULL:@STRENGTH
[root@mail ~]# service cyrus-imapd restart
[root@mail ~]# sslscan --no-failed localhost:993
Kolab CLI
[root@mail ~]# sed -r -i -e '/api_url/d' -e "s#\[kolab_wap\]#[kolab_wap]\napi_url = https://mail.intranet.scmb.de/kolab-webadmin/api#g" /etc/kolab/kolab.conf
Roundcube
[root@mail ~]# sed -i -e '/kolab_ssl/d' /etc/roundcubemail/libkolab.inc.php
[root@mail ~]# sed -i -e 's/http:/https:/' /etc/roundcubemail/kolab_files.inc.php
[root@mail ~]# sed -i -e '/^?>/d' /etc/roundcubemail/config.inc.php
[root@mail ~]# cat >> /etc/roundcubemail/config.inc.php << EOF
\$config['kolab_http_request'] = array(
'ssl_verify_peer' => true,
'ssl_verify_host' => true,
'ssl_cafile' => '/etc/pki/tls/certs/ca-bundle.crt'
);
EOF
[root@mail ~]# cat >> /etc/roundcubemail/config.inc.php << EOF
\$config['calendar_caldav_url'] = "https://mail.intranet.scmb.de/iRony/calendars/%u/%i";
\$config['kolab_addressbook_carddav_url'] = 'https://mail.intranet.scmb.de/iRony/addressbooks/%u/%i';
EOF
Fix the indenting and the php close tag at the end of /etc/roundcubemail/config.inc.php!
iptables
[root@mail ~]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
#-A INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
#-A INPUT -m state --state NEW -m tcp -p tcp --dport 143 -j ACCEPT
#-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 465 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 587 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 993 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 995 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
On 15.05.2014 at 09:09, IG BEB GmbH (Herr Treber) <treber at beb-weimar.de> wrote:
> Hello Markus,
> I had already adapted the file setup_mta.py.
> Now I also have the following problem:
> When setting up the account with Thunderbird as the mail client I simply get
> no access to Kolab; it always says username or password wrong.
> No matter which port or which encryption I choose.
>
> The maillog shows this error message:
> May 15 09:00:27 web imaps[4343]: Fatal error: tls_start_servertls() failed
> May 15 09:00:27 web master[3122]: process type:SERVICE name:imaps path:/usr/lib/cyrus-imapd/imapd age:25.271s pid:4343 signaled to death by signal 6 (Aborted, core dumped)
> May 15 09:03:05 web postfix/smtpd[5028]: warning: 192.168.1.13: address not listed for hostname localhost
> May 15 09:03:05 web postfix/smtpd[5028]: connect from unknown[192.168.1.13]
> May 15 09:03:05 web postfix/submission/smtpd[5027]: warning: 192.168.1.13: address not listed for hostname localhost
> May 15 09:03:05 web postfix/submission/smtpd[5027]: connect from unknown[192.168.1.13]
> May 15 09:03:05 web postfix/smtpd[5028]: disconnect from unknown[192.168.1.13]
> May 15 09:03:05 web postfix/submission/smtpd[5027]: disconnect from unknown[192.168.1.13]
> May 15 09:03:05 web postfix/smtpd[5028]: warning: 192.168.1.13: address not listed for hostname localhost
> May 15 09:03:05 web postfix/smtpd[5028]: connect from unknown[192.168.1.13]
> May 15 09:03:05 web postfix/submission/smtpd[5027]: warning: 192.168.1.13: address not listed for hostname localhost
> May 15 09:03:05 web postfix/submission/smtpd[5027]: connect from unknown[192.168.1.13]
> May 15 09:03:05 web postfix/submission/smtpd[5027]: lost connection after CONNECT from unknown[192.168.1.13]
> May 15 09:03:05 web postfix/submission/smtpd[5027]: disconnect from unknown[192.168.1.13]
> May 15 09:03:05 web postfix/smtpd[5028]: lost connection after CONNECT from unknown[192.168.1.13]
> May 15 09:03:05 web postfix/smtpd[5028]: disconnect from unknown[192.168.1.13]
> May 15 09:03:09 web imap[3404]: STARTTLS negotiation failed: localhost [192.168.1.13]
> May 15 09:03:10 web imap[3404]: Connection reset by peer, closing connection
> May 15 09:03:10 web imap[5026]: STARTTLS negotiation failed: localhost [192.168.1.13]
> May 15 09:03:10 web imap[5026]: Connection reset by peer, closing connection
>
> Is that somehow related?
> Does the CentOS saslauthd service need to be running, or does kolab-saslauthd take care of that?
> Questions upon questions.
>
> Does anyone know about this?
>
> Thanks.
> Uwe
> -------------
>
> On 14.05.2014 22:20, Markus Bernhardt wrote:
>> Hi,
>>
>> I have exactly the same setup running.
>>
>> I also have the following errors in the log:
>> May 14 21:50:14 mail lmtpunix[32137]: ptload(): bad response from ptloader server: identifier not found
>> May 14 21:50:14 mail lmtpunix[32137]: ptload failed for markus^bernhardt at scmb.de
>> May 14 22:00:01 mail imaps[8801]: SASL unable to open Berkeley db /etc/sasldb2: No such file or directory
>>
>> But not the first one:
>> > May 14 13:58:15 web ptloader[3603]: LDAP search for domain failed.
>>
>> In my log:
>> May 14 04:30:01 mail ptloader[25396]: starting: ptloader.c,v git2.5+0
>>
>> Do you actually have the fix for https://issues.kolab.org/show_bug.cgi?id=2864 in place?
>> [root@mail ~]# vi /usr/lib/python2.6/site-packages/pykolab/setup/setup_mta.py
>> if os.path.isdir('/etc/amavisd'):
>>     fp = open('/etc/amavisd/amavisd.conf', 'w')
>>     fp.write(t.__str__())
>>     fp.close()
>> elif os.path.isdir('/etc/amavis'):
>>     fp = open('/etc/amavis/amavisd.conf', 'w')
>>     fp.write(t.__str__())
>>     fp.close()
>>
>> Hope this helps somehow.
>>
>> Cheers,
>> Markus
>>
>> On 14.05.2014 at 14:02, IG BEB GmbH (Herr Treber) <treber at beb-weimar.de> wrote:
>>
>>> Hello,
>>>
>>> I installed Kolab 3.2 on CentOS 6.5.
>>> The installation went without problems.
>>> Created a user and logged in via Roundcubemail.
>>>
>>> Access to Roundcubemail takes quite a long time.
>>>
>>> Is that possibly related to this, and how can it be solved?
>>>
>>> The maillog says
>>> May 14 13:58:15 web ptloader[3603]: LDAP search for domain failed.
>>> May 14 13:58:15 web imap[5178]: ptload(): bad response from ptloader server: identifier not found
>>> May 14 13:58:15 web imap[5178]: ptload failed: but canonified user.name at beb-weimar.de -> user.name at beb-weimar.de
>>> May 14 13:58:15 web imap[5178]: SASL unable to open Berkeley db /etc/sasldb2: No such file or directory
>>> May 14 13:58:15 web imap[5178]: SASL unable to open Berkeley db /etc/sasldb2: No such file or directory
>>> May 14 13:58:15 web imap[5178]: login: localhost [::1] user.name at beb-weimar.de PLAIN+TLS User logged in SESSIONID=<web.beb-weimar.de-5178-1400068694-1>
>>> May 14 13:58:16 web imap[5178]: USAGE user^name at beb-weimar.de user: 0.015997 sys: 0.007998
>>> May 14 13:58:17 web imap[4967]: starttls: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits new) no authentication
>>> May 14 13:58:17 web imap[5187]: starttls: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits new) no authentication
>>>
>>> The username is shown once with "." and once with "^"?
>>>
>>> Does anyone know about this?
>>> --
>>> Thanks
>>> Uwe
>>> _______________________________________________
>>> users-de mailing list
>>> users-de at lists.kolab.org
>>> https://lists.kolab.org/mailman/listinfo/users-de
>>
>
> _______________________________________________
> users-de mailing list
> users-de at lists.kolab.org
> https://lists.kolab.org/mailman/listinfo/users-de
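The check Markus asks for at the top of this mail, turned into a script, as an added example that is not part of the original mail and not Kolab's own code: it runs `openssl s_client` against every port from his list (implicit TLS on 443/636/993/995, STARTTLS on 25/110/143/587), reduces the output to subject, issuer, chain-verification result, protocol and cipher, and fails an endpoint whose chain does not verify against the CA bundle or that negotiates a cipher from the families the hardened lists above remove (RC4, DES, export, NULL, MD5, anonymous). Assumptions: the CA bundle path `/etc/pki/tls/certs/ca-bundle.crt` (the file the install log extends with the SCMB CAs; override with `CA_FILE`), an OpenSSL whose `s_client` accepts `-servername` and `-starttls smtp|imap|pop3`, and all function and variable names are mine. Because the externally reachable SMTP uses the Comodo certificate while the other services use the intranet CA, the subject and issuer columns are expected to differ on 25/587; the verification result can only be 0 on all ports if both CAs are in the bundle.

```shell
#!/bin/sh
# tls_probe.sh - added example, not from the original mail or from Kolab.
# Summarises what `openssl s_client` reports for each Kolab port and flags
# endpoints whose chain does not verify or that negotiate a weak cipher.

# CA bundle the chain must verify against; the install log above appends the
# intranet CAs to this file. Override with CA_FILE=... in the environment.
CA_FILE=${CA_FILE:-/etc/pki/tls/certs/ca-bundle.crt}

# Reduce `openssl s_client` output (stdin) to one line:
#   subject|issuer|verify-return-code|protocol|cipher
summarize_s_client() {
    awk '
        /^subject=/           { sub(/^subject= */, ""); subject = $0 }
        /^issuer=/            { sub(/^issuer= */, "");  issuer  = $0 }
        /Verify return code:/ { rc = $0; sub(/.*Verify return code: */, "", rc); sub(/ .*/, "", rc) }
        /^ *Protocol *:/      { proto  = $NF }
        /^ *Cipher *:/        { cipher = $NF }
        END { printf "%s|%s|%s|%s|%s\n", subject, issuer, rc, proto, cipher }
    '
}

# Weak cipher families. The 2014 lists in the mail still keep 3DES; it is
# flagged here as well because later guidance (Sweet32, 2016) drops it.
cipher_is_weak() {
    case "$1" in
        *RC4*|*DES*|*EXP*|*NULL*|*MD5*|*ADH*|*AECDH*|*anon*) return 0 ;;
        *) return 1 ;;
    esac
}

# Judge one summary line: prints PASS/FAIL and returns 0 only on PASS.
assess() {
    summary=$1
    rc=$(printf '%s' "$summary" | cut -d'|' -f3)
    cipher=$(printf '%s' "$summary" | cut -d'|' -f5)
    if [ -z "$cipher" ]; then
        echo "FAIL no TLS session established"; return 1
    elif [ "$rc" != 0 ]; then
        echo "FAIL chain does not verify (Verify return code $rc): $summary"; return 1
    elif cipher_is_weak "$cipher"; then
        echo "FAIL weak cipher $cipher: $summary"; return 1
    fi
    echo "PASS $summary"
}

# Probe one endpoint; $3 is the STARTTLS protocol (smtp/imap/pop3) or empty
# for implicit TLS. stdin is /dev/null so s_client exits after the handshake.
probe() {
    host=$1; port=$2; starttls=$3
    set -- -connect "$host:$port" -servername "$host" -CAfile "$CA_FILE"
    if [ -n "$starttls" ]; then
        set -- "$@" -starttls "$starttls"
    fi
    openssl s_client "$@" </dev/null 2>/dev/null | summarize_s_client
}

# The ports Markus lists: implicit TLS first, then the STARTTLS services.
# Returns 1 if any endpoint fails.
probe_all() {
    host=${1:-localhost}
    status=0
    for spec in 443: 636: 993: 995: 25:smtp 110:pop3 143:imap 587:smtp; do
        port=${spec%%:*}
        starttls=${spec#*:}
        printf '%s:%s ' "$host" "$port"
        assess "$(probe "$host" "$port" "$starttls")" || status=1
    done
    return $status
}

# Usage: sh tls_probe.sh mail.intranet.scmb.de
if [ $# -gt 0 ]; then
    probe_all "$1"
fi
```

Run it on the Kolab host itself first with `localhost`, then from a client on the LAN with the real hostname, so that `-servername` matches the certificate the way Thunderbird will see it; an endpoint that prints "no TLS session established" is one where the handshake never completed, which is exactly what the `tls_start_servertls() failed` and `STARTTLS negotiation failed` lines in Uwe's maillog look like from the client side.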
-------------- next part --------------
An attachment with HTML data was scrubbed...
URL: <http://lists.kolab.org/pipermail/users-de/attachments/20140515/4caf421b/attachment-0001.html>