Hello, does this tutorial: http://www.howtoforge.com/how-to-configure-pureftpd-to-accept-tls-sessions-on-debian-lenny also work for Debian Squeeze? Thanks
Hi Guys

First, thank you very much for your site. It is awesome, as ISPConfig is too. I really appreciate all your work. Thanks! I am really new to the root server business, but with your site I got my "Perfect ISPConfig Server" working. Now I have some problems (some related to this topic, which is why I write here, and some others).

First: I followed the TLS steps already in the tutorial and tried it again with the link provided here. However, FileZilla times out. I have absolutely no idea why and how I can fix this. Could you give me a hint here? Since I am, as I said, very new to this business, please tell me which logs you need, since I have no idea.

Second: How do I enable IMAP over SSL? I got it running with normal IMAP but not with SSL. What do I have to do?

Third: In general I would like to run ISPConfig/RoundCube/phpMyAdmin over SSL. My situation is the following: I set up my server according to the "Perfect Server" and also followed the "Extending the perfect server" tutorial. OS is Debian 6 64-bit. I use these IPs as nameservers: 31.214.136.34 + 31.214.136.35. The "primary domain" is rackster.ch, where everything works on. I would also like to install SSL for the domain itself: https://www.rackster.ch. Is this possible? Since I always used rackster.ch during the tutorials, I had to use * as IP in ISPConfig for the domain setup, as I wanted this domain to have its own directory as a client has (ssl, web etc.). Now, I signed an SSL cert with GlobalSign. Can I use this with all services (TLS/IMAP SSL/website)?

Thank you very very much for your help, as I really don't know how I should fix all this on my own.

Kind Regards, Michel
What are the outputs of netstat -tap and iptables -L? Is the server located in a data center, or do you run it at home (behind a router)?
Hi Falko

Thanks for helping. The server is located in a data center. Here is the output of netstat -tap:

Code:
Aktive Internetverbindungen (Server und stehende Verbindungen)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:sunrpc                *:*                     LISTEN      1686/portmap
tcp        0      0 *:50000                 *:*                     LISTEN      24067/perl
tcp        0      0 *:ftp                   *:*                     LISTEN      3531/pure-ftpd (SER
tcp        0      0 31.214.136.62:domain    *:*                     LISTEN      6262/named
tcp        0      0 31.214.136.61:domain    *:*                     LISTEN      6262/named
tcp        0      0 31.214.136.60:domain    *:*                     LISTEN      6262/named
tcp        0      0 31.214.136.59:domain    *:*                     LISTEN      6262/named
tcp        0      0 31.214.136.58:domain    *:*                     LISTEN      6262/named
tcp        0      0 31.214.136.57:domain    *:*                     LISTEN      6262/named
tcp        0      0 31.214.136.56:domain    *:*                     LISTEN      6262/named
tcp        0      0 31.214.136.55:domain    *:*                     LISTEN      6262/named
tcp        0      0 31.214.136.54:domain    *:*                     LISTEN      6262/named
tcp        0      0 31.214.136.53:domain    *:*                     LISTEN      6262/named
tcp        0      0 31.214.136.52:domain    *:*                     LISTEN      6262/named
tcp        0      0 31.214.136.51:domain    *:*                     LISTEN      6262/named
tcp        0      0 31.214.136.50:domain    *:*                     LISTEN      6262/named
tcp        0      0 31.214.136.49:domain    *:*                     LISTEN      6262/named
tcp        0      0 31.214.136.48:domain    *:*                     LISTEN      6262/named
tcp        0      0 31.214.136.47:domain    *:*                     LISTEN      6262/named
tcp        0      0 31.214.136.46:domain    *:*                     LISTEN      6262/named
tcp        0      0 31.214.136.45:domain    *:*                     LISTEN      6262/named
tcp        0      0 31.214.136.44:domain    *:*                     LISTEN      6262/named
tcp        0      0 31.214.136.43:domain    *:*                     LISTEN      6262/named
tcp        0      0 31.214.136.42:domain    *:*                     LISTEN      6262/named
tcp        0      0 31.214.136.41:domain    *:*                     LISTEN      6262/named
tcp        0      0 31.214.136.40:domain    *:*                     LISTEN      6262/named
tcp        0      0 31.214.136.39:domain    *:*                     LISTEN      6262/named
tcp        0      0 31.214.136.38:domain    *:*                     LISTEN      6262/named
tcp        0      0 31.214.136.37:domain    *:*                     LISTEN      6262/named
tcp        0      0 mail.rackster.ch:domain *:*                     LISTEN      6262/named
tcp        0      0 31.214.136.35:domain    *:*                     LISTEN      6262/named
tcp        0      0 rs1500001.ffm.mt:domain *:*                     LISTEN      6262/named
tcp        0      0 localhost:domain        *:*                     LISTEN      6262/named
tcp        0      0 localhost:953           *:*                     LISTEN      6262/named
tcp        0      0 *:smtp                  *:*                     LISTEN      3115/master
tcp        0      0 *:48002                 *:*                     LISTEN      1698/rpc.statd
tcp        0      0 *:50022                 *:*                     LISTEN      25725/sshd
tcp        0      0 localhost:10024         *:*                     LISTEN      1321/amavisd (ch1-a
tcp        0      0 localhost:10025         *:*                     LISTEN      3115/master
tcp        0      0 localhost:mysql         *:*                     LISTEN      2584/mysqld
tcp       53      0 localhost:58190         localhost:10025         CLOSE_WAIT  1321/amavisd (ch1-a
tcp        0      0 localhost:mysql         localhost:34845         VERBUNDEN   2584/mysqld
tcp        0   1176 rs1500001.ffm.mte:50022 zux221-139-219.ad:58051 VERBUNDEN   2674/0
tcp        0      0 localhost:34845         localhost:mysql         VERBUNDEN   1321/amavisd (ch1-a
tcp6       0      0 [::]:pop3               [::]:*                  LISTEN      2016/couriertcpd
tcp6       0      0 [::]:imap2              [::]:*                  LISTEN      2061/couriertcpd
tcp6       0      0 [::]:http-alt           [::]:*                  LISTEN      1012/apache2
tcp6       0      0 [::]:www                [::]:*                  LISTEN      1012/apache2
tcp6       0      0 [::]:tproxy             [::]:*                  LISTEN      1012/apache2
tcp6       0      0 [::]:ftp                [::]:*                  LISTEN      3531/pure-ftpd (SER
tcp6       0      0 [::]:domain             [::]:*                  LISTEN      6262/named
tcp6       0      0 ip6-localhost:953       [::]:*                  LISTEN      6262/named
tcp6       0      0 [::]:https              [::]:*                  LISTEN      1012/apache2
tcp6       0      0 [::]:imaps              [::]:*                  LISTEN      21793/couriertcpd
tcp6       0      0 [::]:pop3s              [::]:*                  LISTEN      21815/couriertcpd
tcp6       0      0 [::]:50022              [::]:*                  LISTEN      25725/sshd

And this for iptables -L:

Code:
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       tcp  --  anywhere             loopback/8
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  base-address.mcast.net/4  anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
PUB_OUT    all  --  anywhere             anywhere
PUB_OUT    all  --  anywhere             anywhere
PUB_OUT    all  --  anywhere             anywhere
PUB_OUT    all  --  anywhere             anywhere

Chain INT_IN (0 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain INT_OUT (0 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain PAROLE (14 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain PUB_IN (4 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ftp-data
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ftp
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:smtp
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:domain
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:www
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:pop3
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:imap2
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:https
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:mysql
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:http-alt
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:tproxy
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:webmin
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:50000
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:50022
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:mysql
DROP       icmp --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain PUB_OUT (4 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain fail2ban-courierimap (0 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-courierimaps (0 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-courierpop3 (0 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-courierpop3s (0 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-pureftpd (0 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-roundcube (0 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-sasl (0 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-ssh (0 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-webmin-auth (0 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Regards, Michel
Ok, regarding IMAPS, you must allow port 993 in your firewall (995 if you want to use POP3S also). Regarding FTP, did you try active and passive mode in your FTP client? Firewall settings and netstat output seem to be ok.
Hi falko

IMAP/POP is now working fine, thank you very much for the help. With FTP I tried both, active and passive - with different FTP clients etc. :S Transmit on Mac is saying:

Server meldete: I won't open a connection to 192.168.1.13 (only to 81.221.139.219)
Fehler -162: PORT failed

Thanks, Michel
Hi Falko

I tried from outside my LAN, still no success. The FTP clients are getting stuck after:

Entering Passive Mode

Would it help if I created an FTP user for you so you can check?

Kind Regards, Michel
Try adding this in your TLS config:

Code:
TLSOptions NoCertRequest NoSessionReuseRequired

Transmit doesn't keep to the "correct" rules about TLS usage: it doesn't reuse its TLS session, but requests a new one. proftpd doesn't allow that by default. Add "TLSOptions NoCertRequest NoSessionReuseRequired" and you will be able to connect with Transmit.
Hey Mark

I am using pure ftp and not pro ftp, so I don't think this will work? Here is what FileZilla is showing me:

Code:
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
Antwort: 220-You are user number 2 of 50 allowed.
Antwort: 220-Local time is now 03:06. Server port: 21.
Antwort: 220-This is a private system - No anonymous login
Antwort: 220-IPv6 connections are also welcome on this server.
Antwort: 220 You will be disconnected after 15 minutes of inactivity.
Befehl: AUTH TLS
Antwort: 234 AUTH TLS OK.
Status: Initialisiere TLS...
Status: Überprüfe Zertifikat...
Befehl: USER mkaeser0001
Status: TLS/SSL-Verbindung hergestellt.
Antwort: 331 User mkaeser0001 OK. Password required
Befehl: PASS ********************
Antwort: 230-User mkaeser0001 has group access to: client2 sshusers
Antwort: 230 OK. Current restricted directory is /
Befehl: SYST
Antwort: 215 UNIX Type: L8
Befehl: FEAT
Antwort: 211-Extensions supported:
Antwort: EPRT
Antwort: IDLE
Antwort: MDTM
Antwort: SIZE
Antwort: REST STREAM
Antwort: MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
Antwort: MLSD
Antwort: AUTH TLS
Antwort: PBSZ
Antwort: PROT
Antwort: UTF8
Antwort: ESTA
Antwort: PASV
Antwort: EPSV
Antwort: SPSV
Antwort: ESTP
Antwort: 211 End.
Befehl: OPTS UTF8 ON
Antwort: 200 OK, UTF-8 enabled
Befehl: PBSZ 0
Antwort: 200 PBSZ=0
Befehl: PROT P
Antwort: 200 Data protection level set to "private"
Status: Verbunden
Status: Empfange Verzeichnisinhalt...
Befehl: PWD
Antwort: 257 "/" is your current location
Befehl: TYPE I
Antwort: 200 TYPE is now 8-bit binary
Befehl: PASV
Antwort: 227 Entering Passive Mode (31,214,136,39,208,121)
Befehl: MLSD
Fehler: Zeitüberschreitung der Verbindung
Fehler: Verzeichnisinhalt konnte nicht empfangen werden

I think my whole server is holy crap -.- ;D I was also trying to install varnish as a reverse proxy but that didn't work (yeah, we'll leave this aside for now).
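The 227 reply in the FileZilla log and the PUB_IN chain from the iptables -L output make the passive-mode timeout checkable: the data port the server announces must itself be allowed through the firewall, since with PROT P the control channel is encrypted and no connection-tracking helper can open it on the fly. This is an added example, not code from the thread or from Pure-FTPd: it decodes the 227 reply and tests the announced port against the port-matching tcp rules of a chain in iptables -L format. The chain excerpts and the corrected port range are constructed samples.

```python
import re

# Constructed samples: the 227 reply from the FileZilla log in the thread, and
# a hypothetical PUB_IN-style excerpt (port-matching tcp rules plus the final DROP).
PASV_REPLY = "227 Entering Passive Mode (31,214,136,39,208,121)"
PUB_IN_BEFORE = """\
PAROLE     tcp  --  anywhere  anywhere  tcp dpt:ftp-data
PAROLE     tcp  --  anywhere  anywhere  tcp dpt:ftp
PAROLE     tcp  --  anywhere  anywhere  tcp dpt:50022
DROP       all  --  anywhere  anywhere
"""

# Hypothetical corrected chain: a fixed passive range (must match the server's own
# passive port setting) inserted before the final DROP.
PUB_IN_AFTER = PUB_IN_BEFORE.replace(
    "DROP", "PAROLE     tcp  --  anywhere  anywhere  tcp dpts:53000:53500\nDROP"
)

def pasv_endpoint(reply):
    """Decode '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (ip, port)."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not m:
        raise ValueError("not a 227 reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2

def allowed_tcp_ports(chain_text):
    """Return (ranges, names): numeric dpt/dpts of non-DROP tcp rules as (lo, hi), and
    service names (dpt:ftp) as a set. Headers and non-tcp rules are skipped."""
    ranges, names = [], set()
    for line in chain_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] == "DROP" or fields[1] != "tcp":
            continue
        m = re.search(r"dpts?:(\S+)", line)
        if not m:
            continue
        spec = m.group(1)
        if ":" in spec:
            lo, hi = spec.split(":")
            ranges.append((int(lo), int(hi)))
        elif spec.isdigit():
            ranges.append((int(spec), int(spec)))
        else:
            names.add(spec)
    return ranges, names

def passive_port_reachable(reply, chain_text):
    """True if the announced data port falls inside a numeric range the chain lets
    through; a named service never covers an ephemeral passive port."""
    _, port = pasv_endpoint(reply)
    ranges, _ = allowed_tcp_ports(chain_text)
    return any(lo <= port <= hi for lo, hi in ranges)
```

The function accepts the full iptables -L output pasted in the thread unchanged, since chain headers and icmp/udp rules are skipped; iptables -L without -v hides interface matches, so a verbose listing is needed before trusting a positive result.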
Can you disable the firewall for testing purposes and test again (active/passive and from inside/outside your network)?