HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials (http://www.howtoforge.com/forums/index.php)
-   HOWTO-Related Questions (http://www.howtoforge.com/forums/forumdisplay.php?f=2)
-   -   How To Configure PureFTPd To Accept TLS Sessions On Debian Squeeze (http://www.howtoforge.com/forums/showthread.php?t=53516)

GarGamel55 23rd July 2011 14:07

How To Configure PureFTPd To Accept TLS Sessions On Debian Squeeze
 
Hello,

Does this tutorial: http://www.howtoforge.com/how-to-con...n-debian-lenny also work for Debian Squeeze?

Thanks

falko 24th July 2011 19:27

Yes, it should work for Squeeze as well. :)

MaddinXx 30th July 2011 14:49

Hi Guys

First, thank you very much for your site. It is awesome, as ISPConfig is too. I really appreciate all the work of you. Thanks!

I am really new to the root server business, but with your site I got my "Perfect ISPConfig Server" working. Now I have some problems (lots related to this topic, so I write here), and some others.

First: I followed the TLS steps already in the tutorial and tried it again with the link provided here. However FileZilla times out. I have absolutely no idea why and how I can fix this.

Could you give me a hint here?

Since I am, as I said, very new to this business, please tell me which logs you need, since I have no idea :)

Second: How do I enable IMAP over SSL? I got it running with normal IMAP but not with SSL. What do I have to do?

Third: In general I would like to run ISPConfig/RoundCube/phpMyAdmin over SSL.

My situation is the following: I set up my server according to the "Perfect Server" and also followed the "Extending the perfect server" tutorial. OS is Debian 6 64-bit.

I use these IPs as nameservers:

31.214.136.34 + 31.214.136.35

The "primary domain" is rackster.ch, on which everything runs. I would also like to install SSL for the domain itself: https://www.rackster.ch.

Is this possible? Since I always used rackster.ch during the tutorials, I had to use * as the IP in ISPConfig for the domain setup, as I wanted this domain to have its own directory like a client has (ssl, web etc.).

Now, I signed an SSL cert with GlobalSign. Can I use this with all services (TLS/IMAP SSL/website)?

Thank you very, very much for your help, as I really don't know how I should fix all this on my own.

Kind regards,
Michel

falko 31st July 2011 12:36

Quote:

Originally Posted by MaddinXx (Post 260621)
First: I followed the TLS steps already in the tutorial and tried it again with the link provided here. However FileZilla times out. I have absolutely no idea why and how I can fix this.

Could you give me a hint here?

What are the outputs of
Code:

netstat -tap
and
Code:

iptables -L
? Is the server located in a data center, or do you run it at home (behind a router)?

MaddinXx 31st July 2011 12:41

Hi Falko

Thanks for helping :) The server is located in a data center.

Here is the output of netstat -tap:
Code:

Aktive Internetverbindungen (Server und stehende Verbindungen)
Proto Recv-Q Send-Q Local Address          Foreign Address        State      PID/Program name
tcp        0      0 *:sunrpc                *:*                    LISTEN      1686/portmap
tcp        0      0 *:50000                *:*                    LISTEN      24067/perl
tcp        0      0 *:ftp                  *:*                    LISTEN      3531/pure-ftpd (SER
tcp        0      0 31.214.136.62:domain    *:*                    LISTEN      6262/named
tcp        0      0 31.214.136.61:domain    *:*                    LISTEN      6262/named
tcp        0      0 31.214.136.60:domain    *:*                    LISTEN      6262/named
tcp        0      0 31.214.136.59:domain    *:*                    LISTEN      6262/named
tcp        0      0 31.214.136.58:domain    *:*                    LISTEN      6262/named
tcp        0      0 31.214.136.57:domain    *:*                    LISTEN      6262/named
tcp        0      0 31.214.136.56:domain    *:*                    LISTEN      6262/named
tcp        0      0 31.214.136.55:domain    *:*                    LISTEN      6262/named
tcp        0      0 31.214.136.54:domain    *:*                    LISTEN      6262/named
tcp        0      0 31.214.136.53:domain    *:*                    LISTEN      6262/named
tcp        0      0 31.214.136.52:domain    *:*                    LISTEN      6262/named
tcp        0      0 31.214.136.51:domain    *:*                    LISTEN      6262/named
tcp        0      0 31.214.136.50:domain    *:*                    LISTEN      6262/named
tcp        0      0 31.214.136.49:domain    *:*                    LISTEN      6262/named
tcp        0      0 31.214.136.48:domain    *:*                    LISTEN      6262/named
tcp        0      0 31.214.136.47:domain    *:*                    LISTEN      6262/named
tcp        0      0 31.214.136.46:domain    *:*                    LISTEN      6262/named
tcp        0      0 31.214.136.45:domain    *:*                    LISTEN      6262/named
tcp        0      0 31.214.136.44:domain    *:*                    LISTEN      6262/named
tcp        0      0 31.214.136.43:domain    *:*                    LISTEN      6262/named
tcp        0      0 31.214.136.42:domain    *:*                    LISTEN      6262/named
tcp        0      0 31.214.136.41:domain    *:*                    LISTEN      6262/named
tcp        0      0 31.214.136.40:domain    *:*                    LISTEN      6262/named
tcp        0      0 31.214.136.39:domain    *:*                    LISTEN      6262/named
tcp        0      0 31.214.136.38:domain    *:*                    LISTEN      6262/named
tcp        0      0 31.214.136.37:domain    *:*                    LISTEN      6262/named
tcp        0      0 mail.rackster.ch:domain *:*                    LISTEN      6262/named
tcp        0      0 31.214.136.35:domain    *:*                    LISTEN      6262/named
tcp        0      0 rs1500001.ffm.mt:domain *:*                    LISTEN      6262/named
tcp        0      0 localhost:domain        *:*                    LISTEN      6262/named
tcp        0      0 localhost:953          *:*                    LISTEN      6262/named
tcp        0      0 *:smtp                  *:*                    LISTEN      3115/master
tcp        0      0 *:48002                *:*                    LISTEN      1698/rpc.statd
tcp        0      0 *:50022                *:*                    LISTEN      25725/sshd
tcp        0      0 localhost:10024        *:*                    LISTEN      1321/amavisd (ch1-a
tcp        0      0 localhost:10025        *:*                    LISTEN      3115/master
tcp        0      0 localhost:mysql        *:*                    LISTEN      2584/mysqld
tcp      53      0 localhost:58190        localhost:10025        CLOSE_WAIT  1321/amavisd (ch1-a
tcp        0      0 localhost:mysql        localhost:34845        VERBUNDEN  2584/mysqld
tcp        0  1176 rs1500001.ffm.mte:50022 zux221-139-219.ad:58051 VERBUNDEN  2674/0
tcp        0      0 localhost:34845        localhost:mysql        VERBUNDEN  1321/amavisd (ch1-a
tcp6      0      0 [::]:pop3              [::]:*                  LISTEN      2016/couriertcpd
tcp6      0      0 [::]:imap2              [::]:*                  LISTEN      2061/couriertcpd
tcp6      0      0 [::]:http-alt          [::]:*                  LISTEN      1012/apache2
tcp6      0      0 [::]:www                [::]:*                  LISTEN      1012/apache2
tcp6      0      0 [::]:tproxy            [::]:*                  LISTEN      1012/apache2
tcp6      0      0 [::]:ftp                [::]:*                  LISTEN      3531/pure-ftpd (SER
tcp6      0      0 [::]:domain            [::]:*                  LISTEN      6262/named
tcp6      0      0 ip6-localhost:953      [::]:*                  LISTEN      6262/named
tcp6      0      0 [::]:https              [::]:*                  LISTEN      1012/apache2
tcp6      0      0 [::]:imaps              [::]:*                  LISTEN      21793/couriertcpd
tcp6      0      0 [::]:pop3s              [::]:*                  LISTEN      21815/couriertcpd
tcp6      0      0 [::]:50022              [::]:*                  LISTEN      25725/sshd

And this for iptables -L:
Code:

Chain INPUT (policy DROP)
target    prot opt source              destination
DROP      tcp  --  anywhere            loopback/8
ACCEPT    all  --  anywhere            anywhere            state RELATED,ESTABLISHED
ACCEPT    all  --  anywhere            anywhere
DROP      all  --  base-address.mcast.net/4  anywhere
PUB_IN    all  --  anywhere            anywhere
PUB_IN    all  --  anywhere            anywhere
PUB_IN    all  --  anywhere            anywhere
PUB_IN    all  --  anywhere            anywhere
DROP      all  --  anywhere            anywhere

Chain FORWARD (policy DROP)
target    prot opt source              destination
ACCEPT    all  --  anywhere            anywhere            state RELATED,ESTABLISHED
DROP      all  --  anywhere            anywhere

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination
PUB_OUT    all  --  anywhere            anywhere
PUB_OUT    all  --  anywhere            anywhere
PUB_OUT    all  --  anywhere            anywhere
PUB_OUT    all  --  anywhere            anywhere

Chain INT_IN (0 references)
target    prot opt source              destination
ACCEPT    icmp --  anywhere            anywhere
DROP      all  --  anywhere            anywhere

Chain INT_OUT (0 references)
target    prot opt source              destination
ACCEPT    icmp --  anywhere            anywhere
ACCEPT    all  --  anywhere            anywhere

Chain PAROLE (14 references)
target    prot opt source              destination
ACCEPT    all  --  anywhere            anywhere

Chain PUB_IN (4 references)
target    prot opt source              destination
ACCEPT    icmp --  anywhere            anywhere            icmp destination-unreachable
ACCEPT    icmp --  anywhere            anywhere            icmp echo-reply
ACCEPT    icmp --  anywhere            anywhere            icmp time-exceeded
ACCEPT    icmp --  anywhere            anywhere            icmp echo-request
PAROLE    tcp  --  anywhere            anywhere            tcp dpt:ftp-data
PAROLE    tcp  --  anywhere            anywhere            tcp dpt:ftp
PAROLE    tcp  --  anywhere            anywhere            tcp dpt:smtp
PAROLE    tcp  --  anywhere            anywhere            tcp dpt:domain
PAROLE    tcp  --  anywhere            anywhere            tcp dpt:www
PAROLE    tcp  --  anywhere            anywhere            tcp dpt:pop3
PAROLE    tcp  --  anywhere            anywhere            tcp dpt:imap2
PAROLE    tcp  --  anywhere            anywhere            tcp dpt:https
PAROLE    tcp  --  anywhere            anywhere            tcp dpt:mysql
PAROLE    tcp  --  anywhere            anywhere            tcp dpt:http-alt
PAROLE    tcp  --  anywhere            anywhere            tcp dpt:tproxy
PAROLE    tcp  --  anywhere            anywhere            tcp dpt:webmin
PAROLE    tcp  --  anywhere            anywhere            tcp dpt:50000
PAROLE    tcp  --  anywhere            anywhere            tcp dpt:50022
ACCEPT    udp  --  anywhere            anywhere            udp dpt:domain
ACCEPT    udp  --  anywhere            anywhere            udp dpt:mysql
DROP      icmp --  anywhere            anywhere
DROP      all  --  anywhere            anywhere

Chain PUB_OUT (4 references)
target    prot opt source              destination
ACCEPT    all  --  anywhere            anywhere

Chain fail2ban-courierimap (0 references)
target    prot opt source              destination
RETURN    all  --  anywhere            anywhere

Chain fail2ban-courierimaps (0 references)
target    prot opt source              destination
RETURN    all  --  anywhere            anywhere

Chain fail2ban-courierpop3 (0 references)
target    prot opt source              destination
RETURN    all  --  anywhere            anywhere

Chain fail2ban-courierpop3s (0 references)
target    prot opt source              destination
RETURN    all  --  anywhere            anywhere

Chain fail2ban-pureftpd (0 references)
target    prot opt source              destination
RETURN    all  --  anywhere            anywhere

Chain fail2ban-roundcube (0 references)
target    prot opt source              destination
RETURN    all  --  anywhere            anywhere

Chain fail2ban-sasl (0 references)
target    prot opt source              destination
RETURN    all  --  anywhere            anywhere

Chain fail2ban-ssh (0 references)
target    prot opt source              destination
RETURN    all  --  anywhere            anywhere

Chain fail2ban-webmin-auth (0 references)
target    prot opt source              destination
RETURN    all  --  anywhere            anywhere

Regards,
Michel

falko 1st August 2011 09:46

Ok, regarding IMAPS, you must allow port 993 in your firewall (995 if you want to use POP3S also).

Regarding FTP, did you try active and passive mode in your FTP client? Firewall settings and netstat output seem to be ok.

MaddinXx 1st August 2011 20:37

Hi falko :)

IMAP/POP is now working fine, thank you very much for the help.

With FTP I tried both, active and passive, with different FTP clients etc. :S

Transmit on Mac is saying:

Server meldete: I won't open a connection to 192.168.1.13 (only to 81.221.139.219)

Fehler -162: PORT failed

Thanks,
Michel

falko 2nd August 2011 10:43

Did you try from within and from outside your LAN?

MaddinXx 5th August 2011 12:44

Hi Falko

I tried from outside my LAN, still no success. The FTP clients are stuck after:

Entering Passive Mode

Would it help if I created an FTP user for you so you can check?

Kind regards,
Michel

Mark_NL 5th August 2011 16:14

Quote:

Originally Posted by MaddinXx (Post 260711)
Hi falko :)
With FTP I tried both, active and passive - with different FTP clients etc. :S

Transmit on Mac is saying:

Server meldete: I won't open a connection to 192.168.1.13 (only to 81.221.139.219)

Fehler -162: PORT failed

Try adding this to your TLS config:
Code:

TLSOptions                              NoCertRequest NoSessionReuseRequired
Transmit doesn't keep to the "correct" rules about TLS usage: it doesn't reuse its TLS session, but requests a new one. proftpd doesn't allow that by default.
Add "TLSOptions NoCertRequest NoSessionReuseRequired" and you will be able to connect with Transmit.
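A hang right after "Entering Passive Mode" on a TLS-protected control channel usually means the passive data ports are not open in the firewall: the PUB_IN chain posted above accepts only ftp and ftp-data, and because the control channel is encrypted the kernel FTP conntrack helper cannot read the PASV reply, so the RELATED rule never opens the data ports either. The following is an added example, not code from the thread or from PureFTPd, that audits an `iptables -L` listing like the one posted for a passive port range; the 30000-30999 range, the trimmed sample listing and treating PAROLE as an allow (the thread's PAROLE chain is a plain ACCEPT) are this example's assumptions.

```python
# Added example (not from the thread): audit an `iptables -L` listing for the
# PureFTPd passive port range. With TLS on the control channel the kernel FTP
# conntrack helper cannot read the PASV reply, so "state RELATED,ESTABLISHED"
# never opens the data ports; the passive range must be accepted explicitly.
import re

# Names iptables -L prints for ports that matter here (from /etc/services).
SERVICE_PORTS = {"ftp": 21, "ftp-data": 20, "www": 80, "https": 443}
# Matches "TARGET tcp ... tcp dpt:NAME" or "TARGET tcp ... tcp dpts:LO:HI".
RULE_RE = re.compile(r"^(\S+)\s+tcp\s+.*?\btcp\s+dpts?:(\S+)")

def _port(name):
    """Numeric port for a name or number; None if the name is unknown."""
    return int(name) if name.isdigit() else SERVICE_PORTS.get(name)

def parse_chain(listing, chain):
    """(target, lo, hi) for every TCP destination-port rule in `chain`."""
    rules, in_chain = [], False
    for line in listing.splitlines():
        if line.startswith("Chain "):
            in_chain = line.split()[1] == chain
            continue
        m = RULE_RE.match(line) if in_chain else None
        if m:
            lo, _, hi = m.group(2).partition(":")
            lo, hi = _port(lo), _port(hi or lo)
            if lo is not None and hi is not None:
                rules.append((m.group(1), lo, hi))
    return rules

def missing_ports(listing, chain, lo, hi, allow=("ACCEPT", "PAROLE")):
    """Ports in lo..hi that no allowing rule in `chain` covers. iptables takes
    the first matching rule, so a port-specific DROP listed earlier also blocks.
    PAROLE counts as allow because the thread's PAROLE chain is a plain ACCEPT."""
    rules = parse_chain(listing, chain)
    return [p for p in range(lo, hi + 1)
            if next((t for t, a, b in rules if a <= p <= b), None) not in allow]

# Constructed sample, trimmed from the thread's `iptables -L` output.
SAMPLE = """\
Chain PUB_IN (4 references)
target    prot opt source              destination
PAROLE    tcp  --  anywhere            anywhere            tcp dpt:ftp-data
PAROLE    tcp  --  anywhere            anywhere            tcp dpt:ftp
DROP      all  --  anywhere            anywhere
"""
# Same listing once a 30000-30999 passive range is accepted ahead of the DROP.
FIXED = SAMPLE.replace("DROP      all", "ACCEPT    tcp  --  anywhere  anywhere  tcp dpts:30000:30999\nDROP      all")
```

The range checked must match PureFTPd's own passive range setting (`/etc/pure-ftpd/conf/PassivePortRange` on Debian), otherwise the audit and the daemon disagree about which ports matter.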

