IMAP-nopass not working anymore

Noobtellabrot · 2024-07-01T14:36:35+00:00

For archiving purposes, we have set up IMAP access without a password as described here: https://community.grommunio.com/d/349-geloschte-objekte-wiederherste...

crpb

Noobtellabrot Jul 02 14:38:44 dev-srv02-gm imap[1837]: [listener]: failed to create socket [*]:143: Permission denied

Isn't that port already in use?

EDIT: i guess you need to set a port so it won't use the default port ¯\_(ツ)_/¯

EDIT2: ss -lp 'sport = 143' which should show the standard gromox-imap services process: systemctl status gromox-imap |grep PID

Thats why i used

imap2='20143'                # the port for imap
imaps='20993'                # the post for imap over ssl/tls

Noobtellabrot

crpb Isn't that port already in use?

Yes, but I don't want to use this port for IMAP nopass.

I used your default config.

#!/bin/sh
export LANG=C
umask 0022

# VARS
instance='z_archiver'        # prefix  z_ so it won't bother us with normal work
imap2='20143'                # the port for imap
imaps='20993'                # the post for imap over ssl/tls
archiveserver='192.168.100.3'      # Put in the IP of your mailstore/whatever

gromoxdir='/etc/gromox'
archivedir=${gromoxdir}/${instance}
fileGid="$(grommunio-admin config get mconf.fileGid)"
fileUid="$(grommunio-admin config get mconf.fileUid)"


if [ "$1" = "install" ]; then
  # Gromox
  mkdir --parents ${archivedir}
  cat > ${archivedir}/imap.cfg << EOT
$(grep -E '^(imap_support_starttls|default_domain|imap_(certificate|private_key)_path)' ${gromoxdir}/imap.cfg)
imap_listen_port=${imap2}
listen_ssl_port=${imaps}
config_file_path=${archivedir}:/etc/gromox
imap_log_level=5
EOT

  cat > ${archivedir}/authmgr.cfg << EOT
auth_backend_selection=allow_all
EOT

  chown -Rf "${fileUid}:${fileGid}" ${archivedir}


  # FirewallD
  firewall-cmd --permanent --new-zone=${instance}
  firewall-cmd --permanent --zone=${instance} --add-source=${archiveserver}/32
  firewall-cmd --permanent --zone=${instance} --add-port=${imap2}/tcp
  firewall-cmd --permanent --zone=${instance} --add-port=${imaps}/tcp
  firewall-cmd --reload
  firewall-cmd --info-zone=${instance}


  # SystemD
  systemctl cat gromox-imap.service |awk '/^ExecStart/ {$0=$0" -c '${archivedir}'/imap.cfg"} 1' > /etc/systemd/system/gromox-imap-${instance}.service
  systemctl daemon-reload
  systemctl --now enable gromox-imap-${instance}.service

  return 0
elif [ "$1" = "uninstall" ]; then
  systemctl --now disable gromox-imap-${instance}.service
  rm /etc/systemd/system/gromox-imap-${instance}.service
  systemctl daemon-reload
  rm -rfi $archivedir
  firewall-cmd --permanent --delete-zone=${instance}
  firewall-cmd --reload
  return 0
else
  cat << EOT
Possible commands: $0 install|uninstall
The current settings are:
  INSTANCENAME=$instance
  ARCHIVESERVER=$archiveserver
  IMAP_PORT=$imap2
  IMAP_SSL_PORT=$imaps

To change them run: editor $0
EOT
fi

crpb

Yeah, somehow something changed? o_0.

That script worked when i wrote it. Now it seems the port-declarations are ignored and in the man i don't find that imap_support_starttls anymore but imap_support_tls.
And even when manually starting it wants 143/993 o_0

grom-test-2:~ # man imap |grep -A2 _port
              This flag controls whether clients must utilize TLS, either by way of implicit TLS (cf. imap_listen_tls_port), or through the STARTTLS command.
              Default: false

--
       imap_listen_port
              The TCP port to expose the IMAP protocol service on. (The IP address is fixed to the wildcard address.)
              Default: 143
--
       imap_listen_tls_port
              The TCP port to expose implicit-TLS IMAP protocol service (IMAPS) on. (The IP address is fixed to the wildcard address.)
              Default: (unset)
grom-test-2:~ # grep port /etc/gromox/z_archiver/imap.cfg
imap_support_tls=true
imap_listen_port=20143
#listen_ssl_port=20993
imap_listen_tls_port=20993
grom-test-2:~ # rpm -qa gromox
gromox-2.30.0.f0a485f-lp155.1.1.x86_64

grom-test-2:~ # /usr/libexec/gromox/imap -c /etc/gromox/z_archiver/imap.cfg

gromox-imap 2.30.0.f0a485f (pid 14431 uid 0)

[system]: host ID is grom-test-2
[system]: one thread is in charge of 20 contexts
[system]: threads pool initial threads number is 5
[imap]: context average memory is 128k
[imap]: context maximum memory is 2048k
[imap]: context average mitem number is 65536
[imap]: imap socket read write timeout is 3min
[imap]: imap session autologout time is 30min
[imap]: maximum authentication failure times is 10
[imap]: block client 1min when authentication failure count is exceeded
[imap]: TLS support enabled
[system]: system TLS listening port 20993
system: maximum file descriptors: 524288
Reexecing /usr/libexec/gromox/imap

gromox-imap 2.30.0.f0a485f (pid 14431 uid 479)

[system]: host ID is grom-test-2
[system]: one thread is in charge of 20 contexts
[system]: threads pool initial threads number is 5
[imap]: context average memory is 128k
[imap]: context maximum memory is 2048k
[imap]: context average mitem number is 65536
[imap]: imap socket read write timeout is 3min
[imap]: imap session autologout time is 30min
[imap]: maximum authentication failure times is 10
[imap]: block client 1min when authentication failure count is exceeded
[imap]: TLS support enabled
[system]: system TLS listening port 993
[listener]: failed to create socket [*]:143: Permission denied
[system]: fail to start listener

@jengelh @mwilliams Hä?

Well, that "Reexecing /usr/libexec/gromox/imap" is confusing me

And now i looked at https://github.com/grommunio/gromox/blob/prime/mra/imap/main.cpp#L119-L151 but it didn't really helped me..
at least now i understand which port is what.. kinda... i guess it's just backwards compatibility.

https://github.com/grommunio/gromox/blob/prime/mra/imap/main.cpp#L144C1-L145C57

crpb

WalterH

That doesn't really matter if we are not thinking about hardening systemd services.

As shown above in the logs /usr/libexec/gromox-imap restarts itself when not startet as user gromox.

crpb Reexecing /usr/libexec/gromox/imap

gromox-imap 2.30.0.f0a485f (pid 14431 uid 479)

That uid part 🙈

I will not remove it from my script because i don't care about ports < 1024.

And if we are talking hardening/security we need to begin writing stuff like this....
(I have only played around with the admin-api and grommunio-index restrictions for now.. but just as an example...)

grom-test-2:/etc/systemd/system # systemctl cat grommunio-admin-api.service
# /usr/lib/systemd/system/grommunio-admin-api.service
[Unit]
Description=grommunio admin api
After=grommunio-admin-api.socket
Requires=grommunio-admin-api.socket

[Service]
WorkingDirectory=/usr/share/grommunio-admin-api/
ExecStart=/usr/sbin/uwsgi --ini /usr/share/grommunio-admin-api/api-config.ini
User=grommunio
Group=nginx
SupplementaryGroups=grommunio
Restart=on-failure
KillSignal=SIGINT
Type=notify
NotifyAccess=all

[Install]
WantedBy=multi-user.target

# /etc/systemd/system/grommunio-admin-api.service.d/override.conf
# HINTS https://github.com/cyberitsolutions/prisonpc-systemd-lockdown by trent

[Unit]
Requires=mysql.service
After=mysql.service
[Service]
#Group=gromoxcf
#SupplementaryGroups=nginx
CapabilityBoundingSet=
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
ProtectClock=yes
ProtectKernelLogs=yes
DevicePolicy=closed
NoNewPrivileges=yes
PrivateDevices=yes
PrivateMounts=yes
PrivateTmp=yes
PrivateUsers=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=strict
SystemCallArchitectures=native
RestrictRealtime=yes
MemoryDenyWriteExecute=yes
#UMask=0077
ReadWritePaths=/run /var/log /etc/gromox /var/lib/gromox
ReadOnlyPaths=/
grom-test-2:/etc/systemd/system # systemd-analyze security grommunio-admin-api.service
  NAME                                                        DESCRIPTION                                                        EXPOSURE
✗ PrivateNetwork=                                             Service has access to the host's network                                0.5
✓ User=/DynamicUser=                                          Service runs under a static non-root user identity
✓ CapabilityBoundingSet=~CAP_SET(UID|GID|PCAP)                Service cannot change UID/GID identities/capabilities
✓ CapabilityBoundingSet=~CAP_SYS_ADMIN                        Service has no administrator privileges
✓ CapabilityBoundingSet=~CAP_SYS_PTRACE                       Service has no ptrace() debugging abilities
✗ RestrictAddressFamilies=~AF_(INET|INET6)                    Service may allocate Internet sockets                                   0.3
✗ RestrictNamespaces=~CLONE_NEWUSER                           Service may create user namespaces                                      0.3
✓ RestrictAddressFamilies=~…                                  Service cannot allocate exotic sockets
✓ CapabilityBoundingSet=~CAP_(CHOWN|FSETID|SETFCAP)           Service cannot change file ownership/access mode/capabilities
✓ CapabilityBoundingSet=~CAP_(DAC_*|FOWNER|IPC_OWNER)         Service cannot override UNIX file/IPC permission checks
✓ CapabilityBoundingSet=~CAP_NET_ADMIN                        Service has no network configuration privileges
✓ CapabilityBoundingSet=~CAP_SYS_MODULE                       Service cannot load kernel modules
✓ CapabilityBoundingSet=~CAP_SYS_RAWIO                        Service has no raw I/O access
✓ CapabilityBoundingSet=~CAP_SYS_TIME                         Service processes cannot change the system clock
✗ DeviceAllow=                                                Service has a device ACL with some special devices                      0.1
✗ IPAddressDeny=                                              Service does not define an IP address allow list                        0.2
✓ KeyringMode=                                                Service doesn't share key material with other services
✓ NoNewPrivileges=                                            Service processes cannot acquire new privileges
✗ NotifyAccess=                                               Service child processes may alter service state                         0.2
✓ PrivateDevices=                                             Service has no access to hardware devices
✓ PrivateMounts=                                              Service cannot install system mounts
✓ PrivateTmp=                                                 Service has no access to other software's temporary files
✓ PrivateUsers=                                               Service does not have access to other users
✓ ProtectClock=                                               Service cannot write to the hardware clock or system clock
✓ ProtectControlGroups=                                       Service cannot modify the control group file system
✓ ProtectHome=                                                Service has no access to home directories
✓ ProtectKernelLogs=                                          Service cannot read from or write to the kernel log ring buffer
✓ ProtectKernelModules=                                       Service cannot load or read kernel modules
✓ ProtectKernelTunables=                                      Service cannot alter kernel tunables (/proc/sys, …)
✗ ProtectProc=                                                Service has full access to process tree (/proc hidepid=)                0.2
✓ ProtectSystem=                                              Service has strict read-only access to the OS file hierarchy
✓ RestrictAddressFamilies=~AF_PACKET                          Service cannot allocate packet sockets
✗ RestrictSUIDSGID=                                           Service may create SUID/SGID files                                      0.2
✓ SystemCallArchitectures=                                    Service may execute system calls only with native ABI
✗ SystemCallFilter=~@clock                                    Service does not filter system calls                                    0.2
✗ SystemCallFilter=~@debug                                    Service does not filter system calls                                    0.2
✗ SystemCallFilter=~@module                                   Service does not filter system calls                                    0.2
✗ SystemCallFilter=~@mount                                    Service does not filter system calls                                    0.2
✗ SystemCallFilter=~@raw-io                                   Service does not filter system calls                                    0.2
✗ SystemCallFilter=~@reboot                                   Service does not filter system calls                                    0.2
✗ SystemCallFilter=~@swap                                     Service does not filter system calls                                    0.2
✗ SystemCallFilter=~@privileged                               Service does not filter system calls                                    0.2
✗ SystemCallFilter=~@resources                                Service does not filter system calls                                    0.2
✓ AmbientCapabilities=                                        Service process does not receive ambient capabilities
✓ CapabilityBoundingSet=~CAP_AUDIT_*                          Service has no audit subsystem access
✓ CapabilityBoundingSet=~CAP_KILL                             Service cannot send UNIX signals to arbitrary processes
✓ CapabilityBoundingSet=~CAP_MKNOD                            Service cannot create device nodes
✓ CapabilityBoundingSet=~CAP_NET_(BIND_SERVICE|BROADCAST|RAW) Service has no elevated networking privileges
✓ CapabilityBoundingSet=~CAP_SYSLOG                           Service has no access to kernel logging
✓ CapabilityBoundingSet=~CAP_SYS_(NICE|RESOURCE)              Service has no privileges to change resource use parameters
✗ RestrictNamespaces=~CLONE_NEWCGROUP                         Service may create cgroup namespaces                                    0.1
✗ RestrictNamespaces=~CLONE_NEWIPC                            Service may create IPC namespaces                                       0.1
✗ RestrictNamespaces=~CLONE_NEWNET                            Service may create network namespaces                                   0.1
✗ RestrictNamespaces=~CLONE_NEWNS                             Service may create file system namespaces                               0.1
✗ RestrictNamespaces=~CLONE_NEWPID                            Service may create process namespaces                                   0.1
✓ RestrictRealtime=                                           Service realtime scheduling access is restricted
✗ SystemCallFilter=~@cpu-emulation                            Service does not filter system calls                                    0.1
✗ SystemCallFilter=~@obsolete                                 Service does not filter system calls                                    0.1
✓ RestrictAddressFamilies=~AF_NETLINK                         Service cannot allocate netlink sockets
✗ RootDirectory=/RootImage=                                   Service runs within the host's root directory                           0.1
✗ SupplementaryGroups=                                        Service runs with supplementary groups                                  0.1
✓ CapabilityBoundingSet=~CAP_MAC_*                            Service cannot adjust SMACK MAC
✓ CapabilityBoundingSet=~CAP_SYS_BOOT                         Service cannot issue reboot()
✓ Delegate=                                                   Service does not maintain its own delegated control group subtree
✗ LockPersonality=                                            Service may change ABI personality                                      0.1
✓ MemoryDenyWriteExecute=                                     Service cannot create writable executable memory mappings
✗ RemoveIPC=                                                  Service user may leave SysV IPC objects around                          0.1
✗ RestrictNamespaces=~CLONE_NEWUTS                            Service may create hostname namespaces                                  0.1
✗ UMask=                                                      Files created by service are world-readable by default                  0.1
✓ CapabilityBoundingSet=~CAP_LINUX_IMMUTABLE                  Service cannot mark files immutable
✓ CapabilityBoundingSet=~CAP_IPC_LOCK                         Service cannot lock memory into RAM
✓ CapabilityBoundingSet=~CAP_SYS_CHROOT                       Service cannot issue chroot()
✗ ProtectHostname=                                            Service may change system host/domainname                               0.1
✓ CapabilityBoundingSet=~CAP_BLOCK_SUSPEND                    Service cannot establish wake locks
✓ CapabilityBoundingSet=~CAP_LEASE                            Service cannot create file leases
✓ CapabilityBoundingSet=~CAP_SYS_PACCT                        Service cannot use acct()
✓ CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG                   Service cannot issue vhangup()
✓ CapabilityBoundingSet=~CAP_WAKE_ALARM                       Service cannot program timers that wake up the system
✗ RestrictAddressFamilies=~AF_UNIX                            Service may allocate local sockets                                      0.1
✗ ProcSubset=                                                 Service has full access to non-process /proc files (/proc subset=)      0.1

→ Overall exposure level for grommunio-admin-api.service: 4.0 OK 🙂

I usually use those shenanigangs with something like a uwsgi python app because web-developers are either behind with the security updates or using bleeding edge crap which nobody wants to run with too many permissions..

crpb

I think i found the problem..
When that rexec (for user gromox) happens the config file paramater is discarded somehow.

@Noobtellabrot
I updated the script

The gromox-imap-$FOO.service now uses User=gromox Group=gromox to get around that problem

crpb

FYI, the described problem will be fixed in gromox-2.30-20-gaef56e412

Noobtellabrot

Thank you.

One question:
Why can't I use port 994?
This port is not used by any other service.

ss -lp 'sport = 994'
Netid          State          Recv-Q          Send-Q                    Local Address:Port                     Peer Address:Port          Process

Your default ports 20143 and 20993 work.
The following message appears when I want to use port 994:
[listener]: failed to create socket [*]:994: Permission denied

Before the update, everything worked with this port.

crpb

Hmm... it might be that those ports (lower 1024) are not available for users. Maybe this will work again when that fix of gromox is installed and the User=gromox,Group=gromox is removed again.

WalterH

crpb User=gromox,Group=gromox is removed again.

For security reasons, I assume the will not be removed.

Noobtellabrot

All right. I'll keep an eye on it.

Do you know when the update will be available in the supported repo?

crpb

Noobtellabrot Do you know when the update will be available in the supported repo?

no idea :>