lmtp authentication ignored with tls enabled

Marcus Schopen lists at localguru.de
Mon Jul 20 06:46:07 EDT 2015


On Monday, 20.07.2015, 03:21 +0200, Marcus Schopen wrote:
> Hi,
> 
> I'm trying to deliver mails via lmtp/tcp from sendmail to cyrus running
> on another machine.
> 
> sendmail.mc:
> --------------
> define(`confLOCAL_MAILER', `cyrusv2')dnl
> define(`CYRUSV2_MAILER_ARGS', `TCP imap.domain.de 2003')dnl
> --------------
> 
> Without an authentication line in /etc/mail/access
> 
> --------------
> AuthInfo:imap.domain.de "I:lmtp-admin" "P:pass" "M:DIGEST-MD5"
> --------------
> 
> I'm getting the following error:
> 
> --------------
> Jul 20 02:19:01 mail sendmail[5368]: t6K0GIKP005234:
> to=<postmaster at domain.de>, delay=00:02:43, xdelay=00:00:03,
> mailer=cyrusv2, pri=211679, relay=imap.domain.de. [xx.xx.xx.xx],
> dsn=4.0.0, stat=Deferred: 430 Authentication required
> --------------
> 
> This is correct. After adding AuthInfo to /etc/mail/access and adding
> lmtp-admin to sasldb2 on the cyrus side, mails are delivered via lmtp to
> cyrus with proper authentication. Good.
> 
> But after setting tls_cert_file and tls_key_file in imapd.conf to get an
> encrypted connection, the lmtp authentication is completely ignored and
> mails go through even without any AuthInfo in /etc/mail/access:
> 
> cyrus log:
> --------------
> Jul 20 03:08:06 imap cyrus/lmtp[3875]: accepted connection
> Jul 20 03:08:06 imap cyrus/lmtp[3875]: connection from [xx.xx.xx.xx]
> Jul 20 03:08:06 imap cyrus/lmtp[3875]: imapd:Loading hard-coded DH
> parameters
> Jul 20 03:08:06 imap cyrus/lmtp[3875]: SSL_accept() incomplete -> wait
> Jul 20 03:08:06 imap cyrus/lmtp[3875]: Doing a peer verify
> Jul 20 03:08:06  cyrus/lmtp[3875]: last message repeated 2 times
> Jul 20 03:08:06 imap cyrus/lmtp[3875]: SSL_accept() incomplete -> wait
> Jul 20 03:08:06 imap cyrus/lmtp[3875]: SSL_accept() succeeded -> done
> Jul 20 03:08:06 imap cyrus/lmtp[3875]: received client certificate
> Jul 20 03:08:06 imap cyrus/lmtp[3875]: subject=/CN=server.domain.de
> Jul 20 03:08:06 imap cyrus/lmtp[3875]: starttls: TLSv1.2 with cipher
> DHE-RSA-AES256-SHA (256/256 bits new) authenticated as server.domain.de
> Jul 20 03:08:06 imap cyrus/lmtp[3875]: duplicate_check:
> <201507200108.t6K185oV005737 at test.domain.de> user.test             Mon,
> 20 Jul 2015 03:08:05 +0200          0
> Jul 20 03:08:06 imap cyrus/lmtp[3875]: Delivered:
> <201507200108.t6K185oV005737 at test.domain.de> to mailbox: user.test
> Jul 20 03:08:06 imap cyrus/lmtp[3875]: duplicate_mark:
> <201507200108.t6K185oV005737 at test.domain.de> user.test             Mon,
> 20 Jul 2015 03:08:05 +0200          1437354486 48
> Jul 20 03:08:06 imap cyrus/lmtp[3875]: USAGE test user: 0.033640 sys:
> 0.005606
> --------------
> 
> /etc/imapd.conf:
> --------------
> configdirectory: /var/lib/cyrus
> proc_path: /run/cyrus/proc
> mboxname_lockpath: /run/cyrus/lock
> defaultpartition: default
> partition-default: /var/spool/cyrus/mail
> partition-news: /var/spool/cyrus/news
> newsspool: /var/spool/news
> altnamespace: no
> unixhierarchysep: no
> lmtp_downcase_rcpt: yes
> admins: cyrus
> lmtp_admins: lmtp-admin
> allowanonymouslogin: no
> popminpoll: 1
> autocreatequota: 0
> umask: 077
> sieveusehomedir: false
> sievedir: /var/spool/sieve
> hashimapspool: true
> allowplaintext: yes
> sasl_minimum_layer: 0
> sasl_pwcheck_method: auxprop
> sasl_auto_transition: no
> tls_cert_file: /etc/ssl/domain/imap.crt
> tls_key_file: /etc/ssl/domain/imap.key
> tls_ca_file: /etc/ssl/domain/cacert_org-class3.crt
> tls_ca_path: /etc/ssl/certs
> tls_session_timeout: 1440
> tls_cipher_list: TLSv1+HIGH:!aNULL:@STRENGTH
> lmtpsocket: /var/run/cyrus/socket/lmtp
> idlesocket: /var/run/cyrus/socket/idle
> notifysocket: /var/run/cyrus/socket/notify
> syslog_prefix: cyrus
> --------------
> 
> cyrus.conf:
> -------------
> lmtp		cmd="lmtpd" listen="2003" prefork=4 maxchild=20
> lmtpunix	cmd="lmtpd" listen="/var/run/cyrus/socket/lmtp" prefork=0 maxchild=20
> -------------
> 
> Any ideas?


Setting lmtp_tls_cert_file and lmtp_tls_key_file to "disabled"
activates lmtp authentication again. But how do I force lmtp
authentication with lmtp_tls enabled? This seems to me like a security
problem, if lmtp with TLS enabled accepts connections from everywhere?!
The only way I see to get more security is an lmtp connection between
sendmail and cyrus over e.g. openvpn, or a hosts.allow/deny or iptables
configuration with lmtp_tls enabled.

Ciao
Marcus
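The log quoted above shows what actually authenticated the delivery once TLS was on: the "starttls: ... authenticated as server.domain.de" line, i.e. the CN of the client certificate, not the lmtp_admins SASL user. As an added example (not code from the thread or from the Cyrus project), the Python script below groups cyrus/lmtp syslog lines into connections and reports any delivery whose only asserted identity is a TLS client-certificate CN outside an allowlist, which is the monitoring check one would want when lmtp_tls is enabled. The sample log is constructed from the lines quoted in the thread (pid 3875, wrapped lines joined, the message-id written with a real "@"); the two further peers (pids 3880 and 3881, the CN rogue.example.org, the addresses yy/zz) are invented, and the "no authentication" wording for a session without a client certificate is assumed.

```python
"""Audit cyrus/lmtp syslog output for deliveries whose only asserted
identity is a TLS client-certificate CN, as described in the thread."""
import re

# Constructed sample, modelled on the cyrus/lmtp lines quoted in the thread.
# pid 3875 mirrors the thread's own log; pids 3880 and 3881 are invented:
# an unexpected client certificate, and a session with no client certificate
# (the "no authentication" wording is assumed to be cyrus's log form).
SAMPLE_LOG = """\
Jul 20 03:08:06 imap cyrus/lmtp[3875]: accepted connection
Jul 20 03:08:06 imap cyrus/lmtp[3875]: connection from [xx.xx.xx.xx]
Jul 20 03:08:06 imap cyrus/lmtp[3875]: imapd:Loading hard-coded DH parameters
Jul 20 03:08:06 imap cyrus/lmtp[3875]: SSL_accept() incomplete -> wait
Jul 20 03:08:06 imap cyrus/lmtp[3875]: Doing a peer verify
Jul 20 03:08:06  cyrus/lmtp[3875]: last message repeated 2 times
Jul 20 03:08:06 imap cyrus/lmtp[3875]: SSL_accept() succeeded -> done
Jul 20 03:08:06 imap cyrus/lmtp[3875]: received client certificate
Jul 20 03:08:06 imap cyrus/lmtp[3875]: subject=/CN=server.domain.de
Jul 20 03:08:06 imap cyrus/lmtp[3875]: starttls: TLSv1.2 with cipher DHE-RSA-AES256-SHA (256/256 bits new) authenticated as server.domain.de
Jul 20 03:08:06 imap cyrus/lmtp[3875]: Delivered: <201507200108.t6K185oV005737@test.domain.de> to mailbox: user.test
Jul 20 03:09:12 imap cyrus/lmtp[3880]: accepted connection
Jul 20 03:09:12 imap cyrus/lmtp[3880]: connection from [yy.yy.yy.yy]
Jul 20 03:09:12 imap cyrus/lmtp[3880]: received client certificate
Jul 20 03:09:12 imap cyrus/lmtp[3880]: subject=/CN=rogue.example.org
Jul 20 03:09:12 imap cyrus/lmtp[3880]: starttls: TLSv1.2 with cipher DHE-RSA-AES256-SHA (256/256 bits new) authenticated as rogue.example.org
Jul 20 03:09:12 imap cyrus/lmtp[3880]: Delivered: <1@rogue.example.org> to mailbox: user.test
Jul 20 03:10:30 imap cyrus/lmtp[3881]: accepted connection
Jul 20 03:10:30 imap cyrus/lmtp[3881]: connection from [zz.zz.zz.zz]
Jul 20 03:10:30 imap cyrus/lmtp[3881]: starttls: TLSv1.2 with cipher DHE-RSA-AES256-SHA (256/256 bits new) no authentication
Jul 20 03:10:30 imap cyrus/lmtp[3881]: Delivered: <2@test.domain.de> to mailbox: user.test
"""

# syslog prefix; the host field is optional because "last message repeated"
# lines in the thread carry none
SYSLOG_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?:(?P<host>\S+)\s+)?'
    r'cyrus/lmtp\[(?P<pid>\d+)\]:\s(?P<msg>.*)$')
PEER_RE = re.compile(r'^connection from \[(?P<addr>[^\]]+)\]')
TLS_RE = re.compile(
    r'^starttls: (?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>[^)]*)\) '
    r'(?:authenticated as (?P<ident>\S+)|no authentication)')
DELIVERED_RE = re.compile(r'^Delivered: (?P<msgid><[^>]+>) to mailbox: (?P<mbox>\S+)')


def parse_connections(lines):
    """Group log lines into per-connection records.

    Preforked lmtpd children serve many connections in turn, so a pid is not
    unique over time; each "accepted connection" opens a new record.
    """
    records, current = [], {}
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        pid, msg = m['pid'], m['msg']
        if msg == 'accepted connection' or pid not in current:
            current[pid] = {'pid': pid, 'peer': None, 'tls': None,
                            'tls_identity': None, 'deliveries': []}
            records.append(current[pid])
        rec = current[pid]
        if (p := PEER_RE.match(msg)):
            rec['peer'] = p['addr']
        elif (t := TLS_RE.match(msg)):
            rec['tls'] = f"{t['proto']}/{t['cipher']}"
            rec['tls_identity'] = t['ident']   # None for "no authentication"
        elif (d := DELIVERED_RE.match(msg)):
            rec['deliveries'].append((d['msgid'], d['mbox']))
    return records


def audit(lines, trusted_cert_identities):
    """Return connections that delivered mail on the strength of a TLS client
    certificate whose CN is not in trusted_cert_identities.

    In the setup from the thread a session without a TLS identity is refused
    with "430 Authentication required" unless SASL succeeds, so deliveries
    with no TLS identity are not reported here.
    """
    findings = []
    for rec in parse_connections(lines):
        ident = rec['tls_identity']
        if rec['deliveries'] and ident is not None \
                and ident not in trusted_cert_identities:
            findings.append({'pid': rec['pid'], 'peer': rec['peer'],
                             'cert_identity': ident,
                             'delivered': len(rec['deliveries'])})
    return findings


if __name__ == '__main__':
    for f in audit(SAMPLE_LOG.splitlines(), {'server.domain.de'}):
        print(f"UNTRUSTED CLIENT CERT: pid={f['pid']} peer={f['peer']} "
              f"cn={f['cert_identity']} deliveries={f['delivered']}")
```

Run it against /var/log/mail.log (or wherever syslog_prefix "cyrus" lands) with the CNs of your sendmail hosts in the allowlist; anything it prints is a delivery that was accepted on a certificate your tls_ca_file/tls_ca_path chain happens to trust, which with a public CA is a much larger set than lmtp_admins.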