Posted to server-user@james.apache.org by cryptearth <cr...@cryptearth.de> on 2020/09/28 10:11:07 UTC

Re: a bit additional work required on openSUSE 15.2 with James 3.5.0

Hey there,

Matt here again.

I just wanted to give a small follow up to my own topic after some testing.
As described, it took a few steps to get James 3.5 working on my freshly 
updated OpenSUSE Leap 15.2. After I made some changes in some config 
files, replaced BouncyCastle with the current version and added the
current mariadb-jdbc driver I was able to copy over the user table from 
my root to my local home backup and gave it a test. All went fine and my 
local backup now runs on 3.5 as if nothing happened. Now it's time to copy
over the big mail data table and then update my root server (oh boy, 
this will be fun).
So, if anyone needs some help getting current James versions to run on
current opensuse systems I'm happy to offer help as far as I can provide it.

May I add a question:
As I noted in my initial mail, MD5 is still the default hash algo for 
passwords. Although James uses a derbyDB by default I guess using a
full-blown SQL server isn't that far off from a common use case. As we all keep
reading about big databases leaked (often due to not secured 
master-slave replication) I may suggest for the next build that this 
should be changed to SHA-256 to prevent leaks due to weak MD5 if 
someone's database gets leaked.

So long,

Matt

On 20.08.2020 at 23:31, cryptearth wrote:
> Hey there all,
>
> Matt here.
> So I upgraded my server from openSUSE 15.1 to the newly released 15.2. It
> comes with quite some recent versions of the required stuff: Java 11, 
> MariaDB 10.4, maven and git are finally part of the main repository - 
> so, I thought: Yes, should be a walk in the park. Well, as about since 
> the first time I tried James back in 3.0.0-RC5 on openSUSE 42.x (don't 
> know which one it was, could have been even some 13.x version) it also
> wasn't as easy this time.
>
> The initial build worked without issues, no fiddle around with ulimit. 
> The config worked as smooth as I'm used to. But then, my old friend 
> the "index too large" error happened. I had this with MariaDB 10.2 and
> had to use 10.3 from mariadb repos. I had to do the same here: Instead 
> of using 10.4 from opensuse repos I had to switch to 10.5 from mariadb 
> repos. It seems to be an issue with the version on opensuse repos - 
> maybe I should report this to them.
> So, I got James up and running, but as I tested StartTLS I encountered 
> another issue. I narrowed it down to the BouncyCastle version 1.62. It 
> somehow fails to do the TLS1.3 handshake. I upgraded to the current 
> 1.66 version and it worked without issues. I don't know why James is 
> shipped with such an old BC version, as even when 3.5 became final a 
> newer BC version was already available. I guess a new BC version is 
> something that should be part of the 3.6 branch.
>
> Oh, another side-note: As I looked through the configs I've seen that 
> MD5 is still the default hashing algo, it should be changed to at 
> least SHA-256 to prevent leaks with unsecure database configurations.
>
> Now I have to re-add all my domains and users and fully test it with 
> IPv4 and IPv6 and TLS and such. If I encounter other issues I'll 
> report back.
>
> So long ...
>
> Matt
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: server-user-unsubscribe@james.apache.org
> For additional commands, e-mail: server-user-help@james.apache.org
>




Re: a bit additional work required on openSUSE 15.2 with James 3.5.0

Posted by Tellier Benoit <bt...@apache.org>.
On 28/09/2020 at 17:11, cryptearth wrote:
> Hey there,
>
> Matt here again.
>
> I just wanted to give a small follow up to my own topic after some
> testing.
> As described, it took a few steps to get James 3.5 working on my
> freshly updated OpenSUSE Leap 15.2. After I made some changes in some
> config files, replaced BouncyCastle with the current version and added
> the current mariadb-jdbc driver I was able to copy over the user table
> from my root to my local home backup and gave it a test. All went fine
> and my local backup now runs on 3.5 as if nothing happened. Now it's time
> to copy over the big mail data table and then update my root server
> (oh boy, this will be fun).
\o/
> So, if anyone needs some help getting current James versions to run on
> current opensuse systems I'm happy to offer help as far as I can
> provide it.
Thank you!
>
> May I add a question:
> As I noted in my initial mail, MD5 is still the default hash algo for
> passwords. Although James uses a derbyDB by default I guess using a
> full-blown SQL server isn't that far off from a common use case. As we all
> keep reading about big databases leaked (often due to not secured
> master-slave replication) I may suggest for the next build that this
> should be changed to SHA-256 to prevent leaks due to weak MD5 if
> someone's database gets leaked.
+1, let's switch default configuration to something more secure.

Do you want to give the configuration change a shot?

Regards,

Benoit Tellier
>
> So long,
>
> Matt
>
> On 20.08.2020 at 23:31, cryptearth wrote:
>> Hey there all,
>>
>> Matt here.
>> So I upgraded my server from openSUSE 15.1 to the newly released 15.2. It
>> comes with quite some recent versions of the required stuff: Java 11,
>> MariaDB 10.4, maven and git are finally part of the main repository -
>> so, I thought: Yes, should be a walk in the park. Well, as about
>> since the first time I tried James back in 3.0.0-RC5 on openSUSE 42.x
>> (don't know which one it was, could have been even some 13.x version)
>> it also wasn't as easy this time.
>>
>> The initial build worked without issues, no fiddle around with
>> ulimit. The config worked as smooth as I'm used to. But then, my old
>> friend the "index too large" error happened. I had this with MariaDB
>> 10.2 and had to use 10.3 from mariadb repos. I had to do the same
>> here: Instead of using 10.4 from opensuse repos I had to switch to
>> 10.5 from mariadb repos. It seems to be an issue with the version on
>> opensuse repos - maybe I should report this to them.
>> So, I got James up and running, but as I tested StartTLS I
>> encountered another issue. I narrowed it down to the BouncyCastle
>> version 1.62. It somehow fails to do the TLS1.3 handshake. I upgraded
>> to the current 1.66 version and it worked without issues. I don't
>> know why James is shipped with such an old BC version, as even when
>> 3.5 became final a newer BC version was already available. I guess a
>> new BC version is something that should be part of the 3.6 branch.
>>
>> Oh, another side-note: As I looked through the configs I've seen that
>> MD5 is still the default hashing algo, it should be changed to at
>> least SHA-256 to prevent leaks with unsecure database configurations.
>>
>> Now I have to re-add all my domains and users and fully test it with
>> IPv4 and IPv6 and TLS and such. If I encounter other issues I'll
>> report back.
>>
>> So long ...
>>
>> Matt
>>
>>
>
>
>
>
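
Added example, not part of the thread or of the James project: changing the default digest from MD5 to SHA-256 does not convert rows that were copied over from an older user table, since a stored hash can only be replaced when the password is set again, so an audit of the exported table shows which accounts still carry MD5. It assumes a two-column `user,hash` CSV export with hex or base64 digests; the function names and sample rows are constructed for illustration.

```python
import base64
import binascii
import csv
import hashlib
import io

# Raw digest length in bytes -> digest family.
DIGEST_BYTES = {16: "MD5", 20: "SHA-1", 32: "SHA-256", 64: "SHA-512"}
ACCEPTED = {"SHA-256", "SHA-512"}


def decode_digest(stored):
    """Return raw digest bytes from a hex or base64 string, or None."""
    text = stored.strip()
    try:
        return bytes.fromhex(text)  # hex first; padded base64 never parses as hex
    except ValueError:
        pass
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify(stored):
    """Name the digest family of one stored value by its decoded length."""
    raw = decode_digest(stored)
    return DIGEST_BYTES.get(len(raw), "UNKNOWN") if raw is not None else "UNKNOWN"


def audit(csv_text):
    """Return ({user: family}, [users whose hash is not in ACCEPTED])."""
    report, needs_reset = {}, []
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) != 2:
            continue  # skip blank or malformed lines
        user, stored = row
        report[user] = classify(stored)
        if report[user] not in ACCEPTED:
            needs_reset.append(user)
    return report, needs_reset


def sample_export():
    """Constructed sample rows; the password and addresses are made up."""
    pw = b"constructed-password"
    rows = [("alice@example.org", hashlib.md5(pw).hexdigest()),
            ("bob@example.org", hashlib.sha256(pw).hexdigest()),
            ("carol@example.org", base64.b64encode(hashlib.md5(pw).digest()).decode()),
            ("dave@example.org", "not-a-digest")]
    return "\n".join(",".join(r) for r in rows)
```

Accounts returned in the second list keep their old hash until the password is set again under the new default.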
