Last Change: 27. Jan. 2020

LDAP clients with SSL/TLS support for Linux and Windows
=======================================================

LDAP servers, especially Microsoft Active Directory, can allow and/or enforce a secured client connection.
The Papageno programs that issue LDAP queries are the SMTP gateway, the driver (gendrv) and the test programs gdrestest and sgrestest.
Starting with version 6.0.3.0 these are built with OpenSSL support.

Files included in the patch:

Linux:
  bin/gdrestest
  bin/sgrestest
  bin/libcrypto.so.1.0.1e
  bin/libssl.so.10
  driver/gendrv/bin/gendrv, capidrv.dll, mdmdrv.dll, smsdrv.dll, screxe
  gateway/smtp/daemon, gateway, restest (hard link)
  etc/sandboxrun

Windows:
  bin/gdrestest.exe
  bin/sgrestest.exe
  bin/libcrypto-1_1.dll
  bin/libssl-1_1.dll
  driver/gendrv/bin/gendrv.exe, capidrv.dll, mdmdrv.dll, smsdrv.dll, screxe.exe
  libcint.dll
  gateway/smtp/daemon.exe, gateway.exe, restext.exe, umgwrep.exe, readme, README.TXT

1. Libraries:
-------------

At runtime the appropriate shared libraries ssl and crypto must be found and loaded.
The files are delivered in $FAXROOT/bin (see above).

Windows:
  libcrypto-1_1.dll
  libssl-1_1.dll

On Windows, libraries are searched for in the PATH, so all dependencies are satisfied without further action ($FAXROOT/bin has always been in the PATH).
(continue with 2. Configuration Certificates)

Linux:

Test that the libraries are found:
----------------------------------

  sgrestest or gdrestest (without arguments; returns the usage text)

The build system is CentOS 6.9, which determines the version of OpenSSL used.
libcrypto.so.10 and libssl.so.10 are softlinks pointing to the actual libraries.
On some systems these files are part of the system installation. For CentOS 6 and 7 they can be installed (yum install openssl-lib:i686).
(continue with 2. Configuration Certificates)

For Ubuntu (14.04 and later), libssl:i386 must be installed because of additional dependencies (apt-get install libssl:i386).
Its version of OpenSSL does not fit, so the libraries from $FAXROOT/bin are needed.
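Before choosing between the two publication options in section 1.1, it helps to know which copy of libssl.so.10 / libcrypto.so.10 the dynamic loader would actually pick up. The POSIX shell script below is an added example, not part of the Papageno patch or its tools. It reproduces the glibc loader's search order (LD_LIBRARY_PATH, then the directories listed in ld.so.conf.d/*.conf, then /lib and /usr/lib) and reports the first directory that holds the requested library. It also checks the set-user-ID bit of a binary, because the glibc loader ignores LD_LIBRARY_PATH for setuid programs, which is why LD_LIBRARY_PATH alone cannot serve a privileged smtp/daemon. The optional third argument (an alternative ld.so.conf.d directory) is an assumption of this example so that it can be exercised against a temporary directory; it is not a loader feature.

```shell
#!/bin/sh
# Added example (not Papageno code): show where the dynamic loader would find a
# shared library, following the glibc search order.
# Assumptions: POSIX sh; LDCONF_DIR (3rd argument) is a hypothetical override of
# /etc/ld.so.conf.d so the function can be tested against a scratch directory.

# find_shared_lib NAME [LD_LIBRARY_PATH] [LDCONF_DIR]
# Prints the first directory in search order that contains NAME; returns 1 if
# NAME is found nowhere (the situation in which gendrv / smtp/daemon fail to start).
find_shared_lib() {
    name=$1
    ldpath=${2-${LD_LIBRARY_PATH:-}}      # an explicit "" disables step 1
    confdir=${3:-/etc/ld.so.conf.d}

    # 1. LD_LIBRARY_PATH (Option 2, section 1.1.2) is consulted first.
    oldifs=$IFS; IFS=:
    for d in $ldpath; do
        [ -n "$d" ] && [ -e "$d/$name" ] && { IFS=$oldifs; echo "$d"; return 0; }
    done
    IFS=$oldifs

    # 2. Directories published through ld.so.conf.d (Option 1, section 1.1.1).
    if [ -d "$confdir" ]; then
        for f in "$confdir"/*.conf; do
            [ -f "$f" ] || continue
            while IFS= read -r d || [ -n "$d" ]; do
                case $d in ''|'#'*) continue ;; esac     # skip blank/comment lines
                [ -e "$d/$name" ] && { echo "$d"; return 0; }
            done < "$f"
        done
    fi

    # 3. Default system directories.
    for d in /lib /usr/lib; do
        [ -e "$d/$name" ] && { echo "$d"; return 0; }
    done
    return 1
}

# ldpath_usable BINARY
# The glibc loader drops LD_LIBRARY_PATH for set-user-ID programs, so Option 2
# only helps a binary that does not carry the S-bit; Option 1 works in both cases.
ldpath_usable() {
    if [ -u "$1" ]; then
        echo "$1 is setuid: LD_LIBRARY_PATH is ignored, publish via ld.so.conf.d"
        return 1
    fi
    return 0
}

# Stand-alone usage: FAXROOT as described in section 1.1 (falls back to a placeholder path).
find_shared_lib libssl.so.10    || echo "libssl.so.10 is not in the loader search path"
find_shared_lib libcrypto.so.10 || echo "libcrypto.so.10 is not in the loader search path"
ldpath_usable "${FAXROOT:-/path/to/faxroot}/gateway/smtp/daemon" || true
```

Run it as the comfax user before and after adding $FAXROOT/bin to /etc/ld.so.conf.d/papageno.conf (and running ldconfig) to confirm that the resolved directory changes; a result from /lib or /usr/lib means a system copy would shadow the patched libraries when LD_LIBRARY_PATH is not set.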
1.1 Publication of the Libraries:
----------------------------------

In order for the driver or the SMTP gateway to start, the libraries must be found.

1.1.1 Option 1: Inclusion of the libraries in /etc/ld.so.cache

Root rights are required for the setup. You need the FAXROOT.

  (as comfax)
  echo $FAXROOT

  (as root)
  FAXROOT=/path/to/faxroot          (the value shown above)
  echo $FAXROOT/bin >/etc/ld.so.conf.d/papageno.conf
  ldconfig

LD_LIBRARY_PATH is not required and a restart of the Lambda is not necessary.

If this is not desired, there is another possibility, provided smtp/daemon does not require root privileges (because of port 25).

1.1.2 Option 2: LD_LIBRARY_PATH and restart of the Lambda Server

No root privileges are required for the setup, but this method is only sufficient if the smtp/daemon is not root and has the S-bit (setuid) set.
The environment variable LD_LIBRARY_PATH=$FAXROOT/bin is used.
It must be set and exported before starting the Lambda, e.g. in comfaxdefault.
In the future it will be set by the Lambda server (procmon), but this is not part of the patch.
sandboxrun must also set LD_LIBRARY_PATH and is therefore part of the patch.

2. Configuration Certificates
-----------------------------

When connecting via TLS, the client receives a certificate from the server.
The client then looks for a suitable root certificate with which to check the validity of the server certificate.

2.1 Configuration via Papageno Alpha Userconf

Set the absolute path to the root certificate for gateway and driver.
Example for the SMTP gateway:

  SG_LDCERT /etc/ssl/certs/vpcdc01.pem

The driver searches for GD_LDCERT or SG_LDCERT.
(continue with 3. Configuration Encryption type)

2.2 ldap.conf

Alternatively, you can use ldap.conf.

NOTE: If you are already using OpenLDAP for another product on the Papageno machine, do not change the existing ldap.conf, to avoid disturbing the working connections. Use SG_LDCERT instead.

Linux:   /etc/ldap/ldap.conf and /etc/openldap/ldap.conf are automatically searched and read.
Windows: c:\OpenSSL\ldap\ldap.conf and c:\OpenLDAP\sysconf\ldap.conf are automatically searched and read.

If this file has, or should have, a different location or name, you can specify it using the environment variable LDCONF or configure it in the gateway or driver.
Example:
  LDCONF=/usr/local/openssl/ldap/ldap.conf

Note: LDCONF cannot be used if the smtp/daemon requires root privileges (because of port 25).

ldap.conf
---------

(See the Linux man page.)
You need at minimum one entry that points to the root certificate matching the server:
  TLS_CACERT
or, more generally, an entry that points to the directory of all root certificates:
  TLS_CACERTDIR
You can obtain the root certificate from the operator of the LDAP/AD server.
Note: if you use TLS_CACERTDIR, you must run the openssl command c_rehash after adding the new certificate.

Optionally, you can waive checking the certificate for the time being. We strongly recommend this ONLY as a TEMPORARY EMERGENCY REMEDY.
  TLS_REQCERT allow
accepts the connection even if the certificate cannot (yet) be verified.

Note for Linux: The command ldapsearch is built (at least on Ubuntu and Debian) with GnuTLS. Unfortunately, GnuTLS interprets ldap.conf slightly differently than OpenSSL. The easiest way to test is therefore sgrestest (see below).

3. Configuration Encryption type
--------------------------------

Basically there are two ways to establish a secure connection: ldaps via port 636, or ldap with StartTLS.

SMTP gateway:
  SG_LDTYPE ldaps
or
  SG_LDTYPE startTLS
The default value is ldap.
The driver searches for GD_LDTYPE or SG_LDTYPE.

Note that SG_LDH/GD_LDH must contain exactly the server name that the certificate specifies. This is generally the FQDN; IP addresses are usually not accepted during the certificate check.
The default ports are chosen automatically.

4. Encryption test
------------------

To confirm that everything is set up correctly, use sgrestest or gdrestest.
Example:
  sgrestest -a test@domain -v          [test with startTLS]

  10. 1.20 14:59:39 gwconfig.cpp(208):C: getting configuration data...
  10. 1.20 14:59:39 gwconfig.cpp(266):D: Host = myhost
  10. 1.20 14:59:39 gwconfig.cpp(267):D: User = smtpgw
  10. 1.20 14:59:39 gwconfig.cpp(268):D: MyName = myhost
  10. 1.20 14:59:39 resolver.cpp(378):D: using LDAP
  ldap_url_parse_ext(ldap://vpcdc01.vipcomag.local:389)
  ....
  TLS trace: SSL_connect:before/connect initialization
  TLS trace: SSL_connect:SSLv2/v3 write client hello A
  TLS trace: SSL_connect:SSLv3 read server hello A
  TLS certificate verification: depth: 1, err: 0, subject: /DC=local/DC=vipcomag/CN=vipcomag-VPCDC01-CA, issuer: /DC=local/DC=vipcomag/CN=vipcomag-VPCDC01-CA
  TLS certificate verification: depth: 0, err: 0, subject: /CN=vpcdc01.vipcomag.local, issuer: /DC=local/DC=vipcomag/CN=vipcomag-VPCDC01-CA
  TLS trace: SSL_connect:SSLv3 read server certificate A
  TLS trace: SSL_connect:SSLv3 read server key exchange A
  TLS trace: SSL_connect:SSLv3 read server certificate request A
  TLS trace: SSL_connect:SSLv3 read server done A
  TLS trace: SSL_connect:SSLv3 write client certificate A
  TLS trace: SSL_connect:SSLv3 write client key exchange A
  TLS trace: SSL_connect:SSLv3 write change cipher spec A
  TLS trace: SSL_connect:SSLv3 write finished A
  TLS trace: SSL_connect:SSLv3 flush data
  TLS trace: SSL_connect:SSLv3 read finished A
  ...

If LDTYPE=ldaps is set, only the URL changes:
  ldap_url_parse_ext(ldaps://vpcdc01.vipcomag.local:636)

The TLS trace proves that the connection was encrypted. If the server certificate cannot be verified, error messages are displayed here. Check SG_LDCERT or TLS_CACERT.
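The two places where a misconfiguration shows up are the ldap.conf settings of section 2.2 and the "TLS certificate verification" lines of the trace in section 4. The POSIX shell script below is an added example, not part of the Papageno patch or its tools, that checks both: check_ldap_conf flags an ldap.conf that still carries the emergency setting TLS_REQCERT allow (or never), that names no TLS_CACERT / TLS_CACERTDIR, whose TLS_CACERT file is unreadable, or whose TLS_CACERTDIR has not been processed with c_rehash; check_tls_trace scans a saved sgrestest/gdrestest -v trace, fails on any verification line with an err other than 0, and compares the CN of the depth-0 (server) certificate with the name configured in SG_LDH/GD_LDH. The ldap.conf files and trace lines it works on are constructed inside the script for the demonstration; the trace format follows the output shown above, and the err value 20 in the failing sample is OpenSSL's "unable to get local issuer certificate".

```shell
#!/bin/sh
# Added example (not Papageno code): sanity checks for ldap.conf and for the
# TLS verification lines in an sgrestest/gdrestest -v trace.

# check_ldap_conf FILE  -> 0 if the TLS settings verify the server, 1 otherwise
check_ldap_conf() {
    conf=$1; status=0
    # ldap.conf keywords are case-insensitive; the last occurrence wins.
    reqcert=$(awk 'toupper($1)=="TLS_REQCERT"{print tolower($2)}' "$conf" | tail -n 1)
    cacert=$(awk 'toupper($1)=="TLS_CACERT"{print $2}' "$conf" | tail -n 1)
    cadir=$(awk 'toupper($1)=="TLS_CACERTDIR"{print $2}' "$conf" | tail -n 1)
    case $reqcert in
        allow|never) echo "WARN: TLS_REQCERT $reqcert disables certificate checking"; status=1 ;;
    esac
    if [ -z "$cacert" ] && [ -z "$cadir" ]; then
        echo "WARN: neither TLS_CACERT nor TLS_CACERTDIR is set"; status=1
    fi
    if [ -n "$cacert" ] && [ ! -r "$cacert" ]; then
        echo "WARN: TLS_CACERT $cacert is not readable"; status=1
    fi
    if [ -n "$cadir" ]; then
        set -- "$cadir"/*.0                       # c_rehash creates <hash>.0 links
        [ -e "$1" ] || { echo "WARN: no hash links in $cadir, run c_rehash"; status=1; }
    fi
    return $status
}

# check_tls_trace LOG HOST -> 0 if every chain element verified and the server
# certificate CN equals HOST (the value of SG_LDH/GD_LDH), 1 otherwise
check_tls_trace() {
    log=$1; host=$2; status=0
    # Collect "depth err" pairs; any err other than 0 means the chain did not
    # verify against the configured root certificate.
    bad=$(sed -n 's/^[[:space:]]*TLS certificate verification: depth: \([0-9]*\), err: \([0-9]*\),.*/\1 \2/p' "$log" \
          | awk '$2 != 0')
    if [ -n "$bad" ]; then
        echo "FAIL: verification errors (depth err): $bad"; status=1
    fi
    # Depth 0 is the server certificate; take its subject and keep the CN part.
    cn=$(sed -n 's|^[[:space:]]*TLS certificate verification: depth: 0, err: [0-9]*, subject: \([^,]*\),.*|\1|p' "$log" \
         | head -n 1 | sed 's|.*/CN=||')
    if [ -z "$cn" ]; then
        echo "FAIL: no server certificate in trace (TLS not negotiated?)"; status=1
    elif [ "$cn" != "$host" ]; then
        echo "FAIL: certificate CN '$cn' does not match configured host '$host'"; status=1
    fi
    return $status
}

# make_samples DIR: constructed inputs for the demonstration.
make_samples() {
    dir=$1
    # Emergency setting that section 2.2 says must not stay in place.
    printf 'TLS_CACERT /etc/ssl/certs/vpcdc01.pem\nTLS_REQCERT allow\n' > "$dir/ldap.conf.weak"
    # Corrected setting: verify against the root certificate (placeholder CA file).
    : > "$dir/vpcdc01.pem"
    printf 'TLS_CACERT %s/vpcdc01.pem\nTLS_REQCERT demand\n' "$dir" > "$dir/ldap.conf.ok"
    # Trace lines in the format of section 4: a good run ...
    cat > "$dir/trace.ok" <<'EOF'
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: /DC=local/DC=vipcomag/CN=vipcomag-VPCDC01-CA, issuer: /DC=local/DC=vipcomag/CN=vipcomag-VPCDC01-CA
TLS certificate verification: depth: 0, err: 0, subject: /CN=vpcdc01.vipcomag.local, issuer: /DC=local/DC=vipcomag/CN=vipcomag-VPCDC01-CA
TLS trace: SSL_connect:SSLv3 read server certificate A
EOF
    # ... and a constructed failure (err 20: unable to get local issuer certificate).
    cat > "$dir/trace.bad" <<'EOF'
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject: /CN=vpcdc01.vipcomag.local, issuer: /DC=local/DC=vipcomag/CN=vipcomag-VPCDC01-CA
EOF
}

# Stand-alone demonstration.
demo=$(mktemp -d)
make_samples "$demo"
check_ldap_conf "$demo/ldap.conf.weak" || echo "-> fix ldap.conf before going live"
check_ldap_conf "$demo/ldap.conf.ok"   && echo "ldap.conf.ok: certificate checking enabled"
check_tls_trace "$demo/trace.ok"  vpcdc01.vipcomag.local && echo "trace.ok: chain verified, CN matches"
check_tls_trace "$demo/trace.bad" vpcdc01.vipcomag.local || echo "-> check SG_LDCERT or TLS_CACERT"
rm -rf "$demo"
```

For a real test, capture the trace with `sgrestest -a test@domain -v 2>&1 | tee trace.log` and run `check_tls_trace trace.log <value of SG_LDH>`; a CN mismatch is the typical result when SG_LDH holds an IP address or a short host name instead of the FQDN in the certificate.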