Issue with Roundcube on Postfix, Dovecot, MySQL - mysql

I am seasoned with Ubuntu, Apache and MySQL but new to the email server world and am looking for some troubleshooting tips with my server configuration.
I am running Ubuntu 14.04 with Postfix, Dovecot and MySQL as instructed in this tutorial: https://www.digitalocean.com/community/tutorials/how-to-configure-a-mail-server-using-postfix-dovecot-mysql-and-spamassassin
with the exception of spamassassin.
I then installed postfixadmin to provide a graphical means of configuring my virtual postfix users/domains.
Thereafter I installed Roundcube as instructed in this tutorial: http://www.unixmen.com/install-configure-roundcube-webmail-ubuntu/ with the exception of the version (I am using 1.1.4). Everything checks out; I can Telnet into my mail server with accounts created using postfixadmin and can verify the mailbox(es) exist. The server receives email from external domains and can send as well. However, when I attempt to log in to a verified user account via Roundcube it fails. I have tried and tried again to find what is missing and have hit a wall.
Any suggestions would be greatly appreciated.
Best Regards,
-Joe

To debug, I would double check that RC is configured correctly to communicate with dovecot: this is the piece of software that is going to handle the authentication. To verify the software settings, one could switch on the debugging of both RC and dovecot.
Check RC configuration files to make sure that it is set up to connect to the right server and port. These settings can be found either in 'config.inc.php' or in 'defaults.inc.php' under the 'config' directory of RC. Look for IMAP section and the following strings:
$config['default_host'] = 'tls://localhost';
$config['default_port'] = 143;
$config['imap_auth_type'] = null;
Pay special attention to the 'tls://' ('ssl://') prefixes -- these control the usage of encryption during negotiation with the IMAP server (tls issues the STARTTLS command while connecting on a standard port, and ssl expects the connection to be encrypted from the very start and thus is generally used to connect to a dedicated 'encrypted' port): for the purposes of debugging one might want to disable encryption altogether. I would propose to use the same hostname and port as were used for telnetting.
If these settings seem to be right, one can proceed to debugging of IMAP connection from RC to dovecot. To enable debugging, edit defaults.inc.php once again:
$config['debug_level'] = 1;
$config['log_driver'] = 'syslog';
$config['syslog_id'] = 'roundcube';
$config['syslog_facility'] = LOG_MAIL;
$config['log_logins'] = true;
$config['imap_debug'] = true;
This would direct debug information of RC IMAP negotiation with dovecot to /var/log/mail.log, where you most probably would be able to identify the problem.
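Once imap_debug is on, the server greeting in the log can be compared with the prefix used in default_host. The sketch below is an added example, not part of the original answer or of Roundcube; the greeting is a constructed sample and the function names are hypothetical.

```python
import re

# Constructed sample: a greeting of the kind imap_debug would log for port 143.
SAMPLE_GREETING = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR ID ENABLE IDLE "
                   "STARTTLS LOGINDISABLED] Dovecot ready.")

def parse_capabilities(line):
    """Return the capability atoms from a greeting or a '* CAPABILITY' reply."""
    m = (re.search(r"\[CAPABILITY ([^\]]*)\]", line)
         or re.match(r"\* CAPABILITY (.*)", line))
    return {atom.upper() for atom in m.group(1).split()} if m else set()

def check_host_setting(greeting, default_host):
    """Compare a plaintext greeting with the prefix used in default_host."""
    caps = parse_capabilities(greeting)
    scheme, sep, _ = default_host.partition("://")
    scheme = scheme.lower() if sep else ""
    findings = []
    if scheme == "ssl":
        # ssl:// starts TLS at once; a readable greeting means a plain port.
        findings.append("ssl:// used against a port that greets in plaintext")
    elif scheme == "tls" and "STARTTLS" not in caps:
        findings.append("tls:// needs STARTTLS, which the server does not offer")
    elif scheme == "":
        if "LOGINDISABLED" in caps:
            findings.append("server refuses LOGIN before TLS; use tls://")
        else:
            findings.append("password crosses the wire unencrypted; debug only")
    return {
        "starttls": "STARTTLS" in caps,
        "auth_mechanisms": sorted(c[5:] for c in caps if c.startswith("AUTH=")),
        "findings": findings,
    }

if __name__ == "__main__":
    for host in ("localhost", "tls://localhost", "ssl://localhost"):
        print(host, check_host_setting(SAMPLE_GREETING, host))
```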

Related

MySQL TLS verification via OpenSSL Fails

I have my MySQL instance configured to use TLS. I have verified this by intentionally using untrusted certificates and watching the clients fail to connect (with an appropriate error message) and then restarting the MySQL service with trusted certificates configured and having the clients connect successfully.
I wanted to do a final check using openssl's s_client but I can't get it to work. When I execute the command below, I get an error saying "SSL23_GET_SERVER_Hello:unknown protocol" followed by "no peer certificate available" followed by some more text. However, when I use the same command against a TLS-enabled Tomcat instance and against the Remote Desktop port, I am able to establish the connection and view the server's certificate. What am I doing wrong? Does MySQL do some extra pre-negotiation before the TLS handshake starts?
openssl s_client -showcerts -connect host:port
While MySQL may use TLS, it isn't the total outside layer. There is a small amount of preamble that occurs before TLS starts. The openssl command line isn't aware of this.
Use the mysql client with its TLS options to test the client certificate.
I marked the response from @danblack correct as he did answer the question. However, I want to provide more information in case it helps anyone else. The "small amount of preamble that occurs before TLS starts" that he refers to can be found on GitHub here.
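The preamble discussed in this thread is the server's plaintext greeting (HandshakeV10 in the MySQL client/server protocol); the client answers with a short SSLRequest packet and only then does the TLS handshake begin. The parser below is an added example, not code from the thread or from MySQL; the packet is constructed for the demonstration and the function names are hypothetical.

```python
import struct

CLIENT_SSL = 0x0800  # capability bit: the server can switch this connection to TLS

def build_greeting(caps_low=0xFFFF):
    """Constructed HandshakeV10 packet for the demo (not captured from a server)."""
    payload = (b"\x0a"                        # protocol version 10
               + b"8.0.0-example\x00"         # server version, NUL-terminated
               + struct.pack("<I", 42)        # connection id
               + b"abcdefgh\x00"              # auth-plugin-data part 1, filler
               + struct.pack("<H", caps_low)  # capability flags, low 16 bits
               + b"\x21"                      # character set
               + struct.pack("<H", 2)         # status flags
               + struct.pack("<H", 0)         # capability flags, high 16 bits
               + b"\x15" + b"\x00" * 10       # auth data length, reserved bytes
               + b"ijklmnopqrst\x00"          # auth-plugin-data part 2
               + b"mysql_native_password\x00")
    # Packet header: 3-byte little-endian payload length, then sequence id 0.
    return len(payload).to_bytes(3, "little") + b"\x00" + payload

def parse_greeting(packet):
    """Parse the plaintext greeting a MySQL server sends before any TLS."""
    length = int.from_bytes(packet[:3], "little")
    body = packet[4:4 + length]
    if len(body) != length or not body or body[0] != 10:
        raise ValueError("not a complete HandshakeV10 packet")
    end = body.index(b"\x00", 1)
    pos = end + 1
    (conn_id,) = struct.unpack_from("<I", body, pos)
    pos += 4 + 8 + 1                          # skip id, auth data part 1, filler
    (caps_low,) = struct.unpack_from("<H", body, pos)
    pos += 2 + 1 + 2                          # skip low caps, charset, status
    (caps_high,) = struct.unpack_from("<H", body, pos)
    caps = caps_low | (caps_high << 16)
    return {"sequence": packet[3],
            "server_version": body[1:end].decode("ascii"),
            "connection_id": conn_id,
            "offers_tls": bool(caps & CLIENT_SSL)}

def looks_like_tls_record(data):
    """A TLS peer's first bytes are a handshake record: type 0x16, version 0x03xx."""
    return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03

if __name__ == "__main__":
    pkt = build_greeting()
    print(looks_like_tls_record(pkt), parse_greeting(pkt))
```

OpenSSL 1.1.1 and later can send this preamble itself: add `-starttls mysql` to the `s_client` command.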

Connect to MySql database with OpenSSL while on localhost

The MySql server and client are on the same server. In time, they will be on separate machines. We want to establish secure protocols from the get go.
Does it make sense to require SSL on database connections? Or put another way, is there any reason NOT to use SSL?
If I were you, I'd refrain from connecting to localhost, and instead connect to your local machine by using its explicit hostname. I think you're also wise to use TLS / SSL to connect in this configuration if that's what you're expecting to use when you deploy in production.
You may want to ask yourself whether that's worth the trouble, though. If your app - to - mysqld connection is on a private backend network (as it may be) using TLS / SSL may be overkill. It's called "transport layer security" and it pretty much protects against badguys intercepting data going to and from mysql. Your app system will probably have other vulnerabilities that render TLS protection uninteresting. For example, if it's a web app the mysql password is probably hardcoded in a config file someplace. If the badguy wants to look at your data, he need only grab the password and log in to the mysqld. To keep your info safe you need to keep badguys off your private network.
It's a good idea always to parameterize the hostname, port number, and production password of your mysql database. If those things are parameterized you can then deploy to a staging or production server system simply by changing those parameters.

Which SMTP server settings should be visible to the customer when deploying the app?

My web application is installed on many customer servers and the app needs to send emails via SMTP. Email smtp server is configured by the customer via a text (Properties) file.
I am having trouble deciding which settings should be included in the file. For some servers it is enough to let customer specify the following:
mail.smtp.host =
mail.smtp.auth =
mail.smtp.user =
mail.smtp.pass =
mail.from =
But which settings will cover vast majority of servers, so I have no worries that some setting will be missing?
An obvious approach would be to look at other mailers like Thunderbird or Outlook and see what configuration options they provide.
You definitely need an option that controls the use of SSL, which has three values:
Make a plain text connection
Make a plain text connection and then switch to an SSL connection using the STARTTLS command
Make an SSL connection to start with
These correspond to various settings of the mail.smtp.ssl.enable and mail.smtp.starttls.enable properties.
If you haven't already, you should look at all the properties described in the javadocs for the com.sun.mail.smtp package.
mail.smtp.auth should always be set to true.
That should get you started.
You may also want to let them specify the port.
Usually the following are used:
25 for SMTP
465 for SSL
587 for TLS

Secure Remote mySQL Connection

Since our shared hosting server doesn't allow us to setup Tomcat I decided to install it on our local machine. The local Tomcat server allows us to listen to a certain port for Bancnet transactions which will then be processed and written to the remote site.
Question:
Is it safe for me to set the local PHP application to connect directly to the remote mySQL server? Any suggestions on how to make the connection secure. BTW, I have a self-signed certificate installed in the localhost but not sure how this applies to remote mySQL connection.
You could create a ssh tunnel between MySQL server and client. For more resiliency, use autossh.
If you don't connect over SSL or some other encrypted tunnel, I would absolutely assume that anything you send or receive from MySQL is done so in clear text that can be intercepted and used for malicious purposes from any link along the way. This might be fine for testing purposes with dummy data, but before you put this in production use or pull down live user data for testing, you really should either make arrangements for the data to be stored local to the web app or for there to be an encrypted connection.
Giving you a full overview of how to set up SSL connections to MySQL is beyond the scope of Stack Overflow and it's a bit complicated, but if you want to proceed, check out the documentation and do some research, there are some good informational resources out there.
I'm a bit confused as to the architecture you are trying to describe. What's running where?
If you can't install Tomcat then you probably won't be able to install anything like VPN software on the box.
MySQL can encrypt using SSL provided it has been enabled at compile time and at run time.
Alternatively, it should be fairly trivial to build a webservices tier on top of the remote database.
I would recommend switching to a VPS or managed host though.

How do I configure SQL Server 2005 Reporting Services (SSRS) to email a report via a remote SMTP server?

How do I configure SSRS/Windows Server 2003, so that I can setup email delivery via a remote SMTP server that requires username and password.
I can configure SSRS with an SMTP address and other parameters, but nowhere is it possible to configure it with smtp username and password.
I have hunted around, but can only find vague reference to setting up some sort of relay, to cover up the bizarre lack of smtp functionality that SSRS has out of the box.
Any ideas?
Here are the steps to set this up using only Microsoft SSRS/Windows Server 2003 components.
1) Install SMTP server in Add/Remove programs / App Server / IIS
In IIS Manager:
2) add the domain (as a remote type) you will be sending as such as yourwebsite.com
3) Under Default SMTP Virtual Server properties / delivery tab / advanced button, add your remote smtp server in the smart host field.
4) Under Default SMTP Virtual Server properties / delivery tab / Outbound security button, choose Basic Authentication, user name = SMTP user name, password = SMTP password
In the rsreportserver.config file (sql drive:\Program Files\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer):
5) Populate <SMTPServer>x.x.x.x</SMTPServer> with the IP of the machine where you just setup the SMTP server.
6) Populate <From>you@yourwebserver.com</From>
7) Change this one to false <SendEmailToUserAlias>False</SendEmailToUserAlias>
8) Lastly, make sure you setup the domain as a permitted host such as this:
<PermittedHosts> <HostName>yourwebsite.com</HostName></PermittedHosts>
As far as why SMTP basic authentication isn't supported directly in SSRS, it seems to be by design. The best explanation I could find was here on this MSDN forum:
As one poster here mentions, there is a Microsoft Connect ticket open for people who are requesting this functionality.
For sure you have already solved this issue, but let me put some additional information here so others that have this same problem, like me, can solve it by following the how-to that Tom Willwerth posted.
To solve this issue of SMTP relay just follow the steps above, but be sure to do an additional step, that can be called:
4-a) On Access tab, choose Relay and select "All except the below" on Select which computer may relay through this virtual server:
This will allow all connections to send through this smtp, but be aware that the smtp server will relay anyone who connects to it. If you want to restrict this relay, then choose "Only the list below" and add the machine you want to relay on.
For more detailed information on this, you can see the source where I found this information:
http://businessintelligencechronicles.blogspot.com/2010/08/configure-reporting-services-to-use.html
And another thing, step 8) isn't necessary.
Hope it can be helpful to others and thank you for the information, it helps and now I think one can solve this issue just by following the steps on this link.
Regards
Ps: sorry for the mistakes
This might help you a little: C:\Program Files\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\rsreportserver.config contains all of the configurations settings in the . I don't see exactly what you want so you'll probably have to perform some relay tricks.