Hello,
Our security department scanned the ciphermail gateway and is seeing issues that need to be fixed:
* I've replaced the web GUI certificate (done that many times), but the old certificate still appears to be in use for SMTP. This certificate is now expired.
How can the MTA be configured to use the new certificate?
* I'm using an appliance VM image (V4.3.0-1, with the latest updates), and it is still using TLS1.0/1.1, SSLv3 and RC4 cipher suites
How can those old protocols/ciphers be disabled?
More issues are found, but I'll focus on these issues first.
Kind regards / Regards,
Michel Erdmann
System: Ubuntu 20.04 LTS, Ciphermail 4.11, MySQL 8.0
Hello,
I have set up a new Ciphermail system following the documentation, especially the chapter about using MySQL/MariaDB instead of Postgres.
/usr/share/djigzo/conf/database/hibernate.mysql.connection.xml contains the correct credentials, I have checked this more than once and tested it successfully with "mysql --password=... -u djigzo -h localhost djigzo"
BTW, the password only contains alphanumeric characters
Nevertheless, I get the following error. What confuses me most, is the line "Caused by: java.sql.SQLException: Access denied for user 'djigzo'@'localhost' (using password: NO)". Why isn't the application using the password?
28 May 2021 08:50:39 | INFO C3P0 using driver: org.mariadb.jdbc.Driver at URL: jdbc:mysql://127.0.0.1:3306/djigzo (org.hibernate.connection.C3P0ConnectionProvider) [Phoenix-Monitor]
28 May 2021 08:50:39 | INFO Connection properties: {password=****, autocommit=false, user=djigzo} (org.hibernate.connection.C3P0ConnectionProvider) [Phoenix-Monitor]
28 May 2021 08:50:39 | INFO autocommit mode: false (org.hibernate.connection.C3P0ConnectionProvider) [Phoenix-Monitor]
28 May 2021 08:50:39 | INFO MLog clients using log4j logging. (com.mchange.v2.log.MLog) [Phoenix-Monitor]
28 May 2021 08:50:39 | INFO Initializing c3p0-0.9.1.2 [built 21-May-2007 15:04:56; debug? true; trace: 10] (com.mchange.v2.c3p0.C3P0Registry) [Phoenix-Monitor]
28 May 2021 08:50:39 | INFO Initializing c3p0 pool... com.mchange.v2.c3p0.PoolBackedDataSource@3bb1c3ba [ connectionPoolDataSource -> com.mchange.v2.c3p0.WrapperConnectionPoolDataSource@3bdeece0 [ acquireIncrement -> 3, acquireRetryAttempts -> 30, acquireRetryDelay -> 1000, autoCommitOnClose -> false, automaticTestTable -> null, breakAfterAcquireFailure -> false, checkoutTimeout -> 0, connectionCustomizerClassName -> null, connectionTesterClassName -> com.mchange.v2.c3p0.impl.DefaultConnectionTester, debugUnreturnedConnectionStackTraces -> false, factoryClassLocation -> null, forceIgnoreUnresolvedTransactions -> false, identityToken -> z8kfsxah1dfo9ci132vr21|7754e457, idleConnectionTestPeriod -> 0, initialPoolSize -> 5, maxAdministrativeTaskTime -> 0, maxConnectionAge -> 0, maxIdleTime -> 1800, maxIdleTimeExcessConnections -> 0, maxPoolSize -> 50, maxStatements -> 50, maxStatementsPerConnection -> 0, minPoolSize -> 5, nestedDataSource -> com.mchange.v2.c3p0.DriverManagerDataSource@f911567e [ description -> null, driverClass -> null, factoryClassLocation -> null, identityToken -> z8kfsxah1dfo9ci132vr21|51d17efa, jdbcUrl -> jdbc:mysql://127.0.0.1:3306/djigzo, properties -> {password=******, autocommit=false, user=******} ], preferredTestQuery -> null, propertyCycle -> 0, testConnectionOnCheckin -> false, testConnectionOnCheckout -> false, unreturnedConnectionTimeout -> 0, usesTraditionalReflectiveProxies -> false; userOverrides: {} ], dataSourceName -> null, factoryClassLocation -> null, identityToken -> z8kfsxah1dfo9ci132vr21|6ce1283, numHelperThreads -> 3 ] (com.mchange.v2.c3p0.impl.AbstractPoolBackedDataSource) [Phoenix-Monitor]
28 May 2021 08:50:59 | WARN com.mchange.v2.async.ThreadPoolAsynchronousRunner$DeadlockDetector@7fe7deaf -- APPARENT DEADLOCK!!! Creating emergency threads for unassigned pending tasks! (com.mchange.v2.async.ThreadPoolAsynchronousRunner) [Timer-0]
28 May 2021 08:50:59 | WARN com.mchange.v2.async.ThreadPoolAsynchronousRunner$DeadlockDetector@7fe7deaf -- APPARENT DEADLOCK!!! Complete Status:
Managed Threads: 3
Active Threads: 3
Active Tasks:
com.mchange.v2.resourcepool.BasicResourcePool$AcquireTask@71ce8712 (com.mchange.v2.async.ThreadPoolAsynchronousRunner$PoolThread-#1)
com.mchange.v2.resourcepool.BasicResourcePool$AcquireTask@167672f (com.mchange.v2.async.ThreadPoolAsynchronousRunner$PoolThread-#2)
com.mchange.v2.resourcepool.BasicResourcePool$AcquireTask@95e8b91 (com.mchange.v2.async.ThreadPoolAsynchronousRunner$PoolThread-#0)
Pending Tasks:
com.mchange.v2.resourcepool.BasicResourcePool$AcquireTask@5032ca57
com.mchange.v2.resourcepool.BasicResourcePool$AcquireTask@55413154
Pool thread stack traces:
Thread[com.mchange.v2.async.ThreadPoolAsynchronousRunner$PoolThread-#1,5,main]
java.base@11.0.11/java.lang.Thread.sleep(Native Method)
com.mchange.v2.resourcepool.BasicResourcePool$AcquireTask.run(BasicResourcePool.java:1805)
com.mchange.v2.async.ThreadPoolAsynchronousRunner$PoolThread.run(ThreadPoolAsynchronousRunner.java:547)
Thread[com.mchange.v2.async.ThreadPoolAsynchronousRunner$PoolThread-#2,5,main]
java.base@11.0.11/java.lang.Thread.sleep(Native Method)
com.mchange.v2.resourcepool.BasicResourcePool$AcquireTask.run(BasicResourcePool.java:1805)
com.mchange.v2.async.ThreadPoolAsynchronousRunner$PoolThread.run(ThreadPoolAsynchronousRunner.java:547)
Thread[com.mchange.v2.async.ThreadPoolAsynchronousRunner$PoolThread-#0,5,main]
(com.mchange.v2.async.ThreadPoolAsynchronousRunner) [Timer-0]
28 May 2021 08:51:08 | WARN com.mchange.v2.resourcepool.BasicResourcePool$AcquireTask@95e8b91 -- Acquisition Attempt Failed!!! Clearing pending acquires. While trying to acquire a needed new resource, we failed to succeed more than the maximum number of allowed acquisition attempts (30). Last acquisition attempt exception: (com.mchange.v2.resourcepool.BasicResourcePool) [com.mchange.v2.async.ThreadPoolAsynchronousRunner$PoolThread-#0]
java.sql.SQLInvalidAuthorizationSpecException: Access denied for user 'djigzo'@'localhost' (using password: NO)
at org.mariadb.jdbc.internal.util.exceptions.ExceptionMapper.get(ExceptionMapper.java:173)
at org.mariadb.jdbc.internal.util.exceptions.ExceptionMapper.getException(ExceptionMapper.java:110)
at org.mariadb.jdbc.internal.protocol.AbstractConnectProtocol.connectWithoutProxy(AbstractConnectProtocol.java:1115)
at org.mariadb.jdbc.internal.util.Utils.retrieveProxy(Utils.java:502)
at org.mariadb.jdbc.MariaDbConnection.newConnection(MariaDbConnection.java:154)
at org.mariadb.jdbc.Driver.connect(Driver.java:86)
at com.mchange.v2.c3p0.DriverManagerDataSource.getConnection(DriverManagerDataSource.java:134)
at com.mchange.v2.c3p0.WrapperConnectionPoolDataSource.getPooledConnection(WrapperConnectionPoolDataSource.java:182)
at com.mchange.v2.c3p0.WrapperConnectionPoolDataSource.getPooledConnection(WrapperConnectionPoolDataSource.java:171)
at com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool$1PooledConnectionResourcePoolManager.acquireResource(C3P0PooledConnectionPool.java:137)
at com.mchange.v2.resourcepool.BasicResourcePool.doAcquire(BasicResourcePool.java:1014)
at com.mchange.v2.resourcepool.BasicResourcePool.access$800(BasicResourcePool.java:32)
at com.mchange.v2.resourcepool.BasicResourcePool$AcquireTask.run(BasicResourcePool.java:1810)
at com.mchange.v2.async.ThreadPoolAsynchronousRunner$PoolThread.run(ThreadPoolAsynchronousRunner.java:547)
Caused by: java.sql.SQLException: Access denied for user 'djigzo'@'localhost' (using password: NO)
Current charset is UTF-8. If password has been set using other charset, consider using option 'passwordCharacterEncoding'
at org.mariadb.jdbc.internal.protocol.AbstractConnectProtocol.authentication(AbstractConnectProtocol.java:862)
at org.mariadb.jdbc.internal.protocol.AbstractConnectProtocol.handleConnectionPhases(AbstractConnectProtocol.java:785)
Thanks for any hints and suggestion,
Regards,
Stefan
I'm attempting to evaluate Ciphermail and I'm running into this: "mail for domain.corp loops back to myself"
My goal is to set up Ciphermail as an internal mail server just for testing.
So, I have
testmail.mx.domain.corp
domain.corp’s MX record is set to:
dig @192.168.10.10 mx domain.corp
; <<>> DiG 9.11.13-RedHat-9.11.13-3.el8 <<>> @192.168.10.10 mx domain.corp
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59536
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 3c201885a57bfe1393fbf7a2609f79469962e84c4c0b267e (good)
;; QUESTION SECTION:
;domain.corp. IN MX
;; ANSWER SECTION:
domain.corp. 300 IN MX 0 testmail.mx.domain.corp.
;; AUTHORITY SECTION:
domain.corp. 300 IN NS 192.168.10.10.
;; ADDITIONAL SECTION:
testmail.mx.domain.corp. 300 IN A 192.168.100.20
;; Query time: 1 msec
;; SERVER: 192.168.10.10#53(192.168.10.10)
;; WHEN: Sat May 15 00:33:26 PDT 2021
;; MSG SIZE rcvd: 136
My main.cf looks like this:
# postfix main config for CipherMail
# setting starting with djigzo_ will be overwritten when applying the MTA settings
djigzo_myhostname = testmail.mx.domain.corp
djigzo_mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
djigzo_mynetworks = 192.168.10.0/24, 192.168.100.0/24, 127.0.0.0/8
djigzo_relayhost =
djigzo_relayhost_mx_lookup =
djigzo_relayhost_port = 25
djigzo_relay_domains = domain.corp, mx.domain.corp, testmail.mx.domain.corp
djigzo_before_filter_message_size_limit = 10240000
djigzo_calculated_after_filter_message_size_limit = 30720000
djigzo_after_filter_message_size_limit = ${djigzo_calculated_after_filter_message_size_limit}
djigzo_mailbox_size_limit = 512000000
djigzo_smtp_helo_name = testmail.mx.domain.corp
djigzo_relay_transport_host =
djigzo_relay_transport_host_mx_lookup =
djigzo_relay_transport_host_port = 25
djigzo_reject_unverified_recipient =
djigzo_unverified_recipient_reject_code = 450
djigzo_parent_domain_matches_subdomains = relay_domains
djigzo_rbl_clients =
djigzo_calculated_queue_minfree = 92160000
# The internet hostname of this mail system
myhostname = ${djigzo_myhostname}
# The list of domains that are delivered via the $local_transport mail delivery transport
mydestination = ${djigzo_mydestination}
# The list of "trusted" remote SMTP clients that have more privileges than "strangers".
mynetworks = 127.0.0.0/8, [::1]/128, ${djigzo_mynetworks}
# What destination domains (and subdomains thereof) this system will relay mail to.
relay_domains = ${djigzo_relay_domains}
# What Postfix features match subdomains of "domain.tld" automatically, instead of requiring an explicit ".domain.tld" pattern.
parent_domain_matches_subdomains = ${djigzo_parent_domain_matches_subdomains}
# The hostname to send in the SMTP EHLO or HELO command.
smtp_helo_name = ${djigzo_smtp_helo_name?$djigzo_smtp_helo_name}${djigzo_smtp_helo_name:${myhostname}}
# The default mail delivery transport and next-hop destination for remote delivery to domains listed with $relay_domains
relay_transport = relay${djigzo_relay_transport_host?:${djigzo_relay_transport_host_mx_lookup:[}${djigzo_relay_transport_host}${djigzo_relay_transport_host_mx_lookup:]}:${djigzo_relay_transport_host_port}}
# The next-hop destination of non-local mail
relayhost = ${djigzo_relayhost_mx_lookup:${djigzo_relayhost?[}}${djigzo_relayhost}${djigzo_relayhost_mx_lookup:${djigzo_relayhost?]}}${djigzo_relayhost?:${djigzo_relayhost_port}}
# Optional restrictions that the Postfix SMTP server applies in the context of a client RCPT TO command
smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination
    ${djigzo_rbl_clients}
    ${djigzo_reject_unverified_recipient? reject_unverified_recipient}
# The numerical Postfix SMTP server response when a recipient address is rejected by the reject_unverified_recipient restriction
unverified_recipient_reject_code = ${djigzo_unverified_recipient_reject_code}
# disable DSN and ETRN ESMTP announce
smtpd_discard_ehlo_keywords = silent-discard, dsn, etrn
# reject all ETRN
smtpd_etrn_restrictions = reject
# disable local delivery
local_transport = error:local mail delivery is disabled
local_recipient_maps =
# forward local system accounts
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
#virtual_alias_maps = hash:/etc/postfix/virtual-aliases
# The maximal size in bytes of a message, including envelope information.
message_size_limit = ${djigzo_after_filter_message_size_limit}
# The maximal size of any local(8) individual mailbox or maildir file
mailbox_size_limit = ${djigzo_mailbox_size_limit}
# The minimal amount of free space in bytes in the queue file system that is needed to receive mail
queue_minfree = ${djigzo_calculated_queue_minfree}
# What remote SMTP clients are allowed to use the XFORWARD feature
smtpd_authorized_xforward_hosts = 127.0.0.1/32
# forward incoming email to the Mail Processing Agent (MPA)
content_filter = djigzo:[127.0.0.1]:10025
# filter email headers
#header_checks = pcre:/etc/postfix/header-checks
# server side TLS configuration
#smtpd_tls_cert_file = /etc/postfix/tls.pem
#smtpd_tls_key_file = $smtpd_tls_cert_file
#smtpd_tls_security_level = may
#smtpd_tls_loglevel = 1
# disable low grade ciphers to prevent FREAK attack
#smtpd_tls_exclude_ciphers = aNULL, EXPORT, LOW
# client side TLS configuration
#smtp_tls_CApath = /etc/ssl/certs
#smtp_tls_security_level = may
#smtp_tls_loglevel = 1
#smtp_sasl_auth_enable = yes
#smtp_sasl_password_maps = hash:/etc/postfix/smtp_client_passwd
#smtp_sasl_type = cyrus
#smtp_sasl_security_options =
# The mail system name that is displayed in Received: headers, in the SMTP greeting banner, and in bounced mail.
mail_name = CipherMail
# The text that follows the 220 status code in the SMTP greeting banner.
# You MUST specify $myhostname at the start of the text. This is required by the SMTP protocol.
smtpd_banner = $myhostname ESMTP $mail_name
# The time after which the sender receives a copy of the message headers of mail that is still queued.
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
# With locally submitted mail, append the string ".$mydomain" to addresses that have no ".domain" information.
# appending .domain is the MUA's job.
append_dot_mydomain = no
biff = no
recipient_delimiter = +
# list of error classes that are reported to the postmaster. Set to empty by default as it can be result in mail floods
# if there is some Postfix error.
notify_classes =
# enable long, non-repeating, queue IDs. The benefit of non-repeating names is simpler logfile analysis
enable_long_queue_ids = yes
# the address type ("ipv6", "ipv4" or "any") that the Postfix SMTP client will try first, when a destination has
# IPv6 and IPv4 addresses with equal MX preference.
smtp_address_preference = ipv4
When I send mail from an internal machine:
May 15 00:36:14 testmail.mx.domain.corp postfix/smtpd[39460]: connect from macbook-pro.adifferentdomain.intra[192.168.10.95]
May 15 00:36:14 testmail.mx.domain.corp postfix/smtpd[39460]: 4Fhxz26x1wz59DQp: client=macbook-pro.adifferentdomain.intra[192.168.10.95]
May 15 00:36:14 testmail.mx.domain.corp postfix/cleanup[39461]: 4Fhxz26x1wz59DQp: message-id=<20210515073614.DB9BED2E9A3@macbook-pro.adifferentdomain.intra>
May 15 00:36:14 testmail.mx.domain.corp postfix/qmgr[39375]: 4Fhxz26x1wz59DQp: from=<jeremy@macbook-pro.adifferentdomain.intra>, size=560, nrcpt=1 (queue active)
May 15 00:36:14 testmail.mx.domain.corp postfix/smtpd[39460]: disconnect from macbook-pro.adifferentdomain.intra[192.168.10.95] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
May 15 00:36:15 testmail.mx.domain.corp postfix/smtp[39462]: 4Fhxz26x1wz59DQp: to=<jeremy@domain.corp>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.09, delays=0.01/0/0.04/0.04, dsn=2.6.0, status=sent (250 2.6.0 Message received)
May 15 00:36:15 testmail.mx.domain.corp postfix/qmgr[39375]: 4Fhxz26x1wz59DQp: removed
May 15 00:36:15 testmail.mx.domain.corp postfix/smtpd[39463]: connect from localhost[127.0.0.1]
May 15 00:36:15 testmail.mx.domain.corp postfix/smtpd[39463]: 4Fhxz31K2Fz59DQp: client=localhost[127.0.0.1], orig_client=macbook-pro.adifferentdomain.intra[192.168.10.95]
May 15 00:36:15 testmail.mx.domain.corp postfix/cleanup[39464]: 4Fhxz31K2Fz59DQp: message-id=<20210515073614.DB9BED2E9A3@macbook-pro.adifferentdomain.intra>
May 15 00:36:15 testmail.mx.domain.corp postfix/qmgr[39375]: 4Fhxz31K2Fz59DQp: from=<jeremy@macbook-pro.adifferentdomain.intra>, size=773, nrcpt=1 (queue active)
May 15 00:36:15 testmail.mx.domain.corp postfix/smtpd[39463]: disconnect from localhost[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 quit=1 commands=6
May 15 00:36:15 testmail.mx.domain.corp postfix/smtp[39449]: 4Fhxz31K2Fz59DQp: to=<jeremy@domain.corp>, relay=none, delay=0.02, delays=0.01/0/0.01/0, dsn=5.4.6, status=bounced (mail for domain.corp loops back to myself)
May 15 00:36:15 testmail.mx.domain.corp postfix/cleanup[39461]: 4Fhxz31TYhz59DR5: message-id=<4Fhxz31TYhz59DR5@testmail.mx.domain.corp>
May 15 00:36:15 testmail.mx.domain.corp postfix/qmgr[39375]: 4Fhxz31TYhz59DR5: from=<>, size=2701, nrcpt=1 (queue active)
May 15 00:36:15 testmail.mx.domain.corp postfix/bounce[39465]: 4Fhxz31K2Fz59DQp: sender non-delivery notification: 4Fhxz31TYhz59DR5
May 15 00:36:15 testmail.mx.domain.corp postfix/qmgr[39375]: 4Fhxz31K2Fz59DQp: removed
May 15 00:36:15 testmail.mx.domain.corp postfix/error[39466]: 4Fhxz31TYhz59DR5: to=<jeremy@macbook-pro.adifferentdomain.intra>, relay=none, delay=0.01, delays=0/0/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to macbook-pro.adifferentdomain.intra[192.168.10.95]:25: Connection refused)
I’m not sure what I’m doing wrong. I basically want mail to be delivered to the Ciphermail host for user jeremy.
Thanks
-jeremy
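Added example covering two of the questions in this thread: the first post (which certificate, protocols and ciphers the SMTP side uses) and the last post (the "mail for domain.corp loops back to myself" bounce). It is not code from CipherMail and not code from anyone on the thread. It parses a Postfix main.cf with the same ${name?text} / ${name:text} conditional expansion the posted file relies on, then works out which transport and next hop Postfix would pick for a recipient in domain.corp and whether that next hop resolves back to this machine, and lists what a scanner would still flag in the smtpd TLS parameters. The sample config is a trimmed copy of the main.cf posted above, the DNS data and the host addresses come from the posted dig output, mailstore.domain.corp is a made-up internal mailbox host standing in for wherever mail for domain.corp should actually end up (the posted config disables local delivery, so it has to go somewhere else), and the hardened TLS values are an assumed target, not something the appliance ships.

```python
# Added example (not CipherMail's code, not code from any post in this thread): parse a Postfix
# main.cf the way postconf does (continuation lines, ${x}, ${x?text}, ${x:text}, $x) and run two
# checks: the smtpd TLS settings behind the first post's scan, and the last post's mail loop.
import re
_BRACED = re.compile(r"\$\{([A-Za-z0-9_]+)(?:([?:])([^{}]*))?\}")
_BARE = re.compile(r"\$([A-Za-z0-9_]+)")

def parse_main_cf(text):
    """Raw name -> value. '#' lines are comments; a line starting with whitespace continues the previous one."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line[0] == "#":
            continue
        if line[0].isspace() and current:
            params[current] += " " + line.strip()
        else:
            current, _, value = line.partition("=")
            current = current.strip()
            params[current] = value.strip()
    return params

def expand(params, value, depth=0):
    """Expand references innermost first. ${x?t} gives t when x is non-empty, ${x:t} gives t when x is empty."""
    def lookup(name):
        if name == "mydomain" and name not in params:   # Postfix default: myhostname minus its first label
            return lookup("myhostname").partition(".")[2]
        return expand(params, params.get(name, ""), depth + 1) if depth < 20 else ""

    def braced(m):
        name, op, text = m.group(1), m.group(2), m.group(3) or ""
        val = lookup(name)
        return val if op is None else text if (op == "?") == bool(val.strip()) else ""

    prev = None
    while prev != value:
        prev, value = value, _BRACED.sub(braced, value)
    return _BARE.sub(lambda m: lookup(m.group(1)), value)

def _list(cfg, name):
    return [t for t in re.split(r"[,\s]+", expand(cfg, cfg.get(name, ""))) if t]

def next_hop(cfg, domain):
    """(transport, nexthop, via_mx): what qmgr picks for a recipient in domain."""
    if domain in _list(cfg, "mydestination"):
        return expand(cfg, cfg.get("local_transport", "local")), domain, False
    subs = "relay_domains" in _list(cfg, "parent_domain_matches_subdomains")
    relayed = any(domain == d or subs and domain.endswith("." + d) for d in _list(cfg, "relay_domains"))
    key, default = ("relay_transport", "relay") if relayed else ("default_transport", "smtp")
    name, _, hop = (expand(cfg, cfg.get(key, "")) or default).partition(":")
    hop = hop or expand(cfg, cfg.get("relayhost", "")) or domain
    return name, hop, not hop.startswith("[")   # bare name: MX lookup; [name]: address lookup only

def loops_back(cfg, domain, dns, my_addrs):
    """'mail for <domain> loops back to myself': next hop found via MX, and an MX host's address is one of ours."""
    _, hop, via_mx = next_hop(cfg, domain)
    host = hop.split(":")[0]
    mx_hosts = dns.get(("MX", host), [host])       # no MX record: Postfix falls back to the A record
    return via_mx and any(dns.get(("A", h)) in my_addrs for h in mx_hosts)

def tls_findings(cfg):
    """What the first post's scanner would still report against smtpd's opportunistic TLS."""
    out = [] if expand(cfg, cfg.get("smtpd_tls_cert_file", "")) else ["smtpd_tls_cert_file not set in this file"]
    protos, excl = _list(cfg, "smtpd_tls_protocols"), _list(cfg, "smtpd_tls_exclude_ciphers")
    out += [p + " allowed by smtpd_tls_protocols" for p in ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")
            if "!" + p not in protos and ">=TLSv1.2" not in protos]
    out += [c + " not in smtpd_tls_exclude_ciphers" for c in ("aNULL", "EXPORT", "LOW", "RC4") if c not in excl]
    return out

# Constructed: the relevant lines of the main.cf in the last post (trimmed, not the whole file).
MAIN_CF = """\
djigzo_myhostname = testmail.mx.domain.corp
djigzo_mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
djigzo_relay_domains = domain.corp, mx.domain.corp, testmail.mx.domain.corp
djigzo_relay_transport_host =
djigzo_relay_transport_host_port = 25
djigzo_parent_domain_matches_subdomains = relay_domains
myhostname = ${djigzo_myhostname}
mydestination = ${djigzo_mydestination}
relay_domains = ${djigzo_relay_domains}
parent_domain_matches_subdomains = ${djigzo_parent_domain_matches_subdomains}
relay_transport = relay${djigzo_relay_transport_host?:${djigzo_relay_transport_host_mx_lookup:[}${djigzo_relay_transport_host}${djigzo_relay_transport_host_mx_lookup:]}:${djigzo_relay_transport_host_port}}
local_transport = error:local mail delivery is disabled
"""
# Hypothetical fix: hand domain.corp to an internal mailbox host (name assumed) instead of
# letting the relay transport look up domain.corp's MX, which is this gateway itself.
FIXED_CF = MAIN_CF.replace("djigzo_relay_transport_host =\n", "djigzo_relay_transport_host = mailstore.domain.corp\n")
# Assumed hardening for the first post (real Postfix parameter names; cert path is the one commented out in the posted file).
HARDENED_TLS = """\
smtpd_tls_cert_file = /etc/postfix/tls.pem
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_exclude_ciphers = aNULL, EXPORT, LOW, RC4, MD5
"""
# Constructed from the dig output in the last post: domain.corp's MX is this host, 192.168.100.20.
DNS = {("MX", "domain.corp"): ["testmail.mx.domain.corp"], ("A", "testmail.mx.domain.corp"): "192.168.100.20"}
MY_ADDRS = {"127.0.0.1", "192.168.100.20"}

if __name__ == "__main__":
    for text in (MAIN_CF, FIXED_CF):
        cfg = parse_main_cf(text)
        print(next_hop(cfg, "domain.corp"), loops_back(cfg, "domain.corp", DNS, MY_ADDRS), tls_findings(cfg))
```

As posted, domain.corp is in relay_domains, relay_transport expands to plain "relay" and relayhost is empty, so the next hop is domain.corp's own MX, which is this gateway: that is exactly the bounce in the log. With djigzo_relay_transport_host set, relay_transport expands to relay:[mailstore.domain.corp]:25 and the loop disappears. On the appliance, run the checks on the output of postconf -n (same name = value format) rather than on the file, since the djigzo_ settings are rewritten when the MTA settings are applied; and whether port 25 really serves the new certificate is confirmed with openssl s_client -starttls smtp -connect host:25 </dev/null | openssl x509 -noout -dates.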