[SOLVED] POPS3 Can't connect to <mailhost>

Moderator: crythias

tupson
Znuny advanced
Posts: 133
Joined: 07 Oct 2015, 05:54
Znuny Version: 7.0.2
Real Name: Tony
Company: Upson Productions, LLC
Location: DC

Post by tupson »

For the last year, my POP3 settings have been working as intended; up until the middle of November. I didn't even realize it until I manually opened my Help Desk mailbox and saw that I had over 100 unread/pop3 messages show up in my Help Desk Appliance.

I went and looked at my PostMaster Account and it is valid with all the correct information still. But it will not connect.

I removed and readded the account, with the same issue. I have searched this error and random options/solutions didn't help my issue.

The only updates to this appliance (and/or changes) since deployment that have occurred are the defaulted auto-updates applied to the appliance.

The appliance can ping my mail server just fine and my domain controller just fine.

This is the error I receive:

Backend ERROR: OTRS-CGI-16
Perl: 5.20.2
OS: linux
Time: Wed Jan 3 13:31:25 2018
Message: POP3S: Can't connect to host.upson.cc
RemoteAddress: 127.0.0.1
RequestURI: /otrs/index.pl?Action=AdminMailAccount;Subaction=Run;ID=1;ChallengeToken=75PMxsgD62kG6nLNOSzZNGEsNrYAYDqE;
Traceback (1463):
  Module: Kernel::System::MailAccount::POP3::Fetch (OTRS 3.3.18) Line: 138
  Module: Kernel::System::MailAccount::MailAccountFetch (OTRS 3.3.18) Line: 450
  Module: Kernel::Modules::AdminMailAccount::Run (OTRS 3.3.18) Line: 62
  Module: Kernel::System::Web::InterfaceAgent::Run (OTRS 3.3.18) Line: 914
  Module: ModPerl::ROOT::ModPerl::Registry::usr_share_otrs_bin_cgi_2dbin_index_2epl::handler (unknown version) Line: 40
  Module: (eval) (v1.99) Line: 207
  Module: ModPerl::RegistryCooker::run (v1.99) Line: 207
  Module: ModPerl::RegistryCooker::default_handler (v1.99) Line: 173
  Module: ModPerl::Registry::handler (v1.99) Line: 32
Last edited by tupson on 05 Jan 2018, 22:06, edited 1 time in total.
Tony :mrgreen:
OTRS version installed: v7.0.2 (.rpm)
OS: CENTOS7 (latest updates via -yum install)
OS: Ubuntu 20.04.3 (latest apt-get upgrades)
GURU: Microsoft & VMware Environments
jojo
Znuny guru
Posts: 15019
Joined: 26 Jan 2007, 14:50
Znuny Version: Git Master
Contact:

Re: POPS3 Can't connect to <mailhost>

Post by jojo »

I assume that some things were changed on the mailserver, so the old and outdated version of OTRS which you are using can not connect any more.

So the best way to solve the issue is to migrate to a newer and supported version of OTRS. Actual version is OTRS 6.0.3
"Production": OTRS™ 8, OTRS™ 7, STORM powered by OTRS
"Testing": ((OTRS Community Edition)) and git Master

Never change Defaults.pm! :: Blog
Professional Services:: http://www.otrs.com :: enjoy@otrs.com

Re: POPS3 Can't connect to <mailhost>

Post by tupson »

jojo,

I find that hard to believe. I also have this same appliance installed in another environment, that also runs Microsoft Exchange 2013 (Cumulative Update 18) and is working as intended (OTRS 3.3.18) utilizing POP3S on a Windows 2012 R2 server node.

No firewall in between mailhost and appliance either, so it isn't a firewall issue.

Re: POPS3 Can't connect to <mailhost>

Post by tupson »

I am also using the TurnKey GNU OTRS appliance bundle that comes preloaded with necessary components and auto-updates, etc. (non-Linux user). Is there a version of this somewhere for the version you speak of?

Re: POPS3 Can't connect to <mailhost>

Post by jojo »

As the appliance will not change anything on its own, there is no cause within the OTRS part.

You might contact the vendor of the appliance, but as far as I know there is no active maintenance on any of the appliances which were available.

If you have no Linux skills, a fully hosted and managed platform should be the best way to go.
root
Administrator
Posts: 3934
Joined: 18 Dec 2007, 12:23
Znuny Version: Znuny and Znuny LTS
Real Name: Roy Kaldung
Company: Znuny
Contact:

Re: POPS3 Can't connect to <mailhost>

Post by root »

Hi,

Did you try to reach the mail server from the Linux shell via telnet host pop3s?

- Roy
Znuny and Znuny LTS running on CentOS / RHEL / Debian / SLES / MySQL / PostgreSQL / Oracle / OpenLDAP / Active Directory / SSO

Use a test system - always.

Do you need professional services? Check out https://www.znuny.com/

Do you want to contribute or want to know where it goes ?

Re: POPS3 Can't connect to <mailhost>

Post by tupson »

root wrote: Hi,

Did you try to reach the mail server from the Linux shell via telnet host pop3s?

- Roy
How do I do that?

Re: POPS3 Can't connect to <mailhost>

Post by root »

tupson wrote: How do I do that?
You have to log in via the VM's console or via an SSH client.

- Roy

Re: POPS3 Can't connect to <mailhost>

Post by tupson »

root wrote:
tupson wrote: How do I do that?
You have to log in via the VM's console or via an SSH client.

- Roy
I logged into the console and via PuTTY (SSH) to the appliance IP, but "telnet" doesn't appear to be a local command.

How should I call it up? Also, I use POP3 (995), so does telnet still work for that port?

Re: POPS3 Can't connect to <mailhost>

Post by tupson »

However, I will say, my BlackBerry Classic connects to e-mail via POP3, so I know it isn't a matter of a port being unavailable for use. There is no internal firewall of items on the same LAN, but the port is open for external connections.

Re: POPS3 Can't connect to <mailhost>

Post by root »

tupson wrote:
root wrote:
tupson wrote: How do I do that?
You have to log in via the VM's console or via an SSH client.

- Roy
I logged into the console and via PuTTY (SSH) to the appliance IP, but "telnet" doesn't appear to be a local command.

How should I call it up? Also, I use POP3 (995), so does telnet still work for that port?
openssl s_client -connect host:port

Re: POPS3 Can't connect to <mailhost>

Post by root »

tupson wrote: However, I will say, my BlackBerry Classic connects to e-mail via POP3, so I know it isn't a matter of a port being unavailable for use. There is no internal firewall of items on the same LAN, but the port is open for external connections.
This only says that the port is available from your BlackBerry. Maybe the appliance has DNS problems or sth else.

Re: POPS3 Can't connect to <mailhost>

Post by tupson »

response below:

root@localhost ~# openssl s_client -connect localhost.upson.cc:995
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1514995724
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
Tony :mrgreen:
OTRS version installed: v7.0.2 (.rpm)
OS: CENTOS7 (latest updates via -yum install)
OS: Ubuntu 20.04.3 (latest apt-get upgrades)
GURU: Microsoft & VMware Environments
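
Added example, not part of any post in this thread: a small Python classifier that reads an `openssl s_client` transcript like the one above and reports whether the session stopped at TCP connect, at the TLS handshake, or at the POP3 greeting. The `classify` helper, the healthy transcript and its host name are constructed for illustration; the failing transcript is abridged from the post above.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# errno values as s_client prints them on Linux (e.g. "write:errno=104").
LINUX_ERRNO = {104: "ECONNRESET", 110: "ETIMEDOUT", 111: "ECONNREFUSED"}

# Abridged from the transcript posted above.
POSTED = """\
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
SSL handshake has read 0 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Verify return code: 0 (ok)
"""

# Constructed sample of a healthy POP3S session; host and sizes are made up.
CONSTRUCTED_OK = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=mail.example.test
---
SSL handshake has read 3215 bytes and written 421 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
    Verify return code: 0 (ok)
---
+OK The Microsoft Exchange POP3 service is ready.
"""


@dataclass
class Verdict:
    stage: str  # "tcp", "tls" or "pop3" = layer that failed; "ok" = all passed
    tcp_connected: bool
    tls_established: bool
    pop3_greeting: bool
    bytes_read: Optional[int] = None
    error: Optional[str] = None
    notes: List[str] = field(default_factory=list)


def classify(transcript: str) -> Verdict:
    """Report how far an s_client session got: TCP, TLS handshake, POP3 banner."""
    tcp = "CONNECTED(" in transcript
    cipher = re.search(r"Cipher is (\S+)", transcript)
    no_cert = "no peer certificate available" in transcript
    # A handshake only counts if a cipher suite was agreed and a certificate arrived.
    tls = bool(cipher) and cipher.group(1) != "(NONE)" and not no_cert
    greeting = re.search(r"^\+OK\b", transcript, re.MULTILINE) is not None

    hs = re.search(r"SSL handshake has read (\d+) bytes", transcript)
    bytes_read = int(hs.group(1)) if hs else None
    err = re.search(r"^(\w+):errno=(\d+)", transcript, re.MULTILINE)
    error = None
    if err:
        num = int(err.group(2))
        error = f"{err.group(1)}: {LINUX_ERRNO.get(num, 'errno ' + str(num))}"

    if not tcp:
        stage = "tcp"
    elif not tls:
        stage = "tls"
    elif not greeting:
        stage = "pop3"
    else:
        stage = "ok"

    notes = []
    if tcp and bytes_read == 0:
        notes.append("port accepted the connection but sent no handshake bytes")
    if not tls and "Verify return code: 0 (ok)" in transcript:
        # 0 is the library default when no peer certificate was presented.
        notes.append("verify code 0 is the default; no certificate was checked")
    return Verdict(stage, tcp, tls, greeting, bytes_read, error, notes)


if __name__ == "__main__":
    for name, text in (("posted", POSTED), ("constructed-ok", CONSTRUCTED_OK)):
        print(name, classify(text))
```

For the posted transcript the result is stage "tls" with error "write: ECONNRESET": the TCP connection to port 995 opened, but the server reset it before sending any handshake data.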

Re: POPS3 Can't connect to <mailhost>

Post by tupson »

It would appear I can talk to my mail server via 995. Now what?

Re: POPS3 Can't connect to <mailhost>

Post by jojo »

Upgrade to a newer version

Re: POPS3 Can't connect to <mailhost>

Post by tupson »

root wrote: This only says that the port is available from your BlackBerry. Maybe the appliance has DNS problems or sth else.
I tried by IP Address as well to eliminate DNS, same error.

Re: POPS3 Can't connect to <mailhost>

Post by tupson »

jojo wrote:Upgrade to a newer version
I would agree if my other appliances with the same configuration(s) were failing. This should not be the solution.

Re: POPS3 Can't connect to <mailhost>

Post by jojo »

It is the solution, as:
- Perl modules are outdated and might not work with the SSL settings on your mail system
- Linux system of the appliance is most likely outdated and vulnerable to a lot of exploits
- OTRS instance is outdated and has > 10 vulnerabilities, some of them also not fixed in the last version of 3.3 (3.3.20), as 3.3 is out of support

As nobody changed your OTRS instance, only a change on the other system could be the cause. So revert the change or upgrade your OTRS instance.

Re: POPS3 Can't connect to <mailhost>

Post by tupson »

What's interesting is I tested starting the IMAP service and using the same credentials and it works?!

What gives!!

Re: POPS3 Can't connect to <mailhost>

Post by tupson »

FYI...

RESOLVED: https://support.microsoft.com/en-us/hel ... 3-or-excha

Apparently, after an Exchange cumulative update, the PopProxy status was set to "Inactive", which caused this issue. Manually activating it resumed my POP3S access via the appliance.

Re: POPS3 Can't connect to <mailhost>

Post by jojo »

tupson wrote:FYI...

RESOLVED: https://support.microsoft.com/en-us/hel ... 3-or-excha

Apparently, after an Exchange cumulative update, the PopProxy status was set to "Inactive", which caused this issue. Manually activating it resumed my POP3S access via the appliance.

As I already stated in my first response...

Re: POPS3 Can't connect to <mailhost>

Post by tupson »

Yes, something changed (a service halted and needed to be started) that isn't obvious to the eye... not changed to the point of OTRS being so out of date and not able to function any longer; hence my original reply. That isn't troubleshooting (help); that is passing the buck without an attempt to assist.

However, I continued to research the issue (considering it still works regardless of its legacy build) and found the fix.

I appreciate you taking the time on responding in general; which enabled me to look into this further myself; but (IMO) help isn't pushing a migration/upgrade on someone.

It's obvious my build/preference is not to-date, but that does not mean it isn't operational and cannot be troubleshot. I am certain everyone in this world all currently do not drive a 2018 vehicle... but it still gets them from A to B safely. And when there is a problem, the technician doesn't say "you have an old car, the only fix to this brake pad being worn down is to buy a new car."

Happy New Year.

Re: POPS3 Can't connect to <mailhost>

Post by jojo »

Actually, you are driving a car without security belts and brakes... (to stay in your words)

Re: POPS3 Can't connect to <mailhost>

Post by tupson »

Not so sure that is 100% accurate... the "TurnKey" OTRS Appliance I run is within Debian packaging policy, and it is still updated daily with security/patch updates.

I asked this question with TurnKey previously (as I saw it was behind) and one of the TurnKey devs answered with:

"Due to Debian packaging policy unless under specific circumstance; once software is accepted into the Debian "main" stable repository (actually it's during the testing freeze to be precise) that version of that particular software does not get updated. This means that packaged software can often be years old.

The plus side of that though, is that makes Debian rock solid stable. All the moving parts have been tested together so (usually) everything "just works"! Security fixes are backported to keep the software secure. Because the software is patched without updating the version, you can be assured that the security updates are safe and generally don't break things. To be fair there have been edge cases where stuff has broken, but that is usually when the effort to backport security patches is too much so a newer version is introduced. Because of this we enable auto security updates by default.

That means that while we use software from the Debian repos, you can generally "set and forget" it. If you install software from upstream, you then need to monitor for security updates and manually install them each time they come out (and possibly deal with the results if something goes wrong).

So generally if software is available within the Debian repos we'll use it. Although we will consider using upstream (non-packaged) software if there is a good reason (e.g. perhaps the software is ridiculously old and missing important features? Perhaps there are significant bugs which have been fixed in newer version?) Obviously if it's not packaged then that's a very good reason! :)

So short answer to your question is, no we don't currently plan to update the version of OTRS within v14.x. I see that Debian testing currently has v5.0.x so v15.x will most likely have that version.

When we release v15.0 OTRS appliance you can then decide whether you want to upgrade your existing server (there may be some v15.0 features you'll need to manually include if you want them). Or use TKLBAM to migrate your data and then make adjustments as need be to ensure that everything works as it should. The beauty of the second option is that you can test the migration in a VM first to make sure everything is exactly as it needs to be before you do the upgrade "for real"."

So in essence, as far as it is used in my environments; it is safe and secure. They are planning to go to v5x within their next v15 OTRS Core Appliance release (they released their v14.2 in April of 2017 - https://www.turnkeylinux.org/blog/v14.2 ... ase?page=5). It isn't all the way up to v6 yet, but it is still consistently patched; which makes the version(s) used secure and safe.

https://www.turnkeylinux.org/otrs

Re: POPS3 Can't connect to <mailhost>

Post by jojo »

It is not secure, as we as vendor and producer are not creating any patches for OTRS 3.3, and neither does the Debian project.
JeremyDavisTKL
Znuny newbie
Posts: 2
Joined: 05 Jan 2018, 00:54
Znuny Version: 3.3.18
Real Name: Jeremy Davis
Company: TurnKey Linux

Re: [SOLVED] POPS3 Can't connect to <mailhost>

Post by JeremyDavisTKL »

Hi jojo,

My name is Jeremy and I work with TurnKey.

I'd like to respectfully disagree with your understanding of Debian packaging and security policy. I have been quite closely involved with a few Debian Developers so have had an inside view. Whilst I can't personally speak explicitly for the OTRS package, I know that when need be, both the Security Team and the LTS team do develop inhouse security patches for software that is no longer supported by upstream. When possible and relevant (probably not in the case of OTRS itself), that is often done in collaboration with other distros, such as RedHat/CentOS. If software is affected by serious security issues and a patch is too hard to develop inhouse, Debian will issue a final security warning and remove the package from the repositories.

A backported patch provided by Debian (but not OTRS) can be demonstrated by the security update to the Debian Jessie OTRS package (OTRS v3.3.18) last December. According to the changelog a patch was applied to resolve CVE-2017-17476 aka OSA-2017-10. As you can see, whilst you did not release a patch for v3.3, the patch you did release was backported for the v3.3 package by the Debian Security team and applied as a security update.

Having said that, if you are aware of any known and unpatched security issues related to the OTRS Debian package(s), I would love to hear about them. If there is any evidence that serious security issues are unpatched in Debian, I will follow up directly with the Debian Security team. If they don't have a legitimate rationale for why it's unpatched, then I would certainly be willing to reconsider our plan to continue using the OTRS Debian package.

While I'm here, I also noticed that OTRS explicitly recommend not using the Debian package: "Important Please install OTRS from source, and do not use the OTRS packages that Debian/Ubuntu provides" (source). Are you aware of what the rationale for that advice is? Is it based on the above misunderstanding? Or does OTRS just not like users using older versions of OTRS? Or is there some other rationale that I may not have considered? I'd be really interested to understand better.

Thanks again for your input, especially helping out our mutual user, tupson.

Regards,
Jeremy

Re: [SOLVED] POPS3 Can't connect to <mailhost>

Post by jojo »

Hi Jeremy,
JeremyDavisTKL wrote: I'd like to respectfully disagree with your understanding of Debian packaging and security policy. I have been quite closely involved with a few Debian Developers so have had an inside view.
We as vendor only provide security patches and bugfixes for supported versions and I doubt that the debian maintainers would watch every commit in newer versions of the software packages and would be able to consider if it might be security related. What would happen if the two maintainers are on vacation or just stop to work on the package (which already happened some years ago with the otrs debian package)?
JeremyDavisTKL wrote: A backported patch provided by Debian (but not OTRS) can be demonstrated by the security update to the Debian Jessie OTRS package (OTRS v3.3.18) last December. According to the changelog a patch was applied to resolve CVE-2017-17476 aka OSA-2017-10. As you can see, whilst you did not release a patch for v3.3, the patch you did release was backported for the v3.3 package by the Debian Security team and applied as a security update.
This might be the case for this 1 OSA, but still there is no guarantee that they will do it for future security announcements and also that they will be able to deliver it in a short time frame.

JeremyDavisTKL wrote: Having said that, if you are aware of any known and unpatched security issues related to the OTRS Debian package(s), I would love to hear about them. If there is any evidence that serious security issues are unpatched in Debian, I will follow up directly with the Debian Security team. If they don't have a legitimate rationale for why it's unpatched, then I would certainly be willing to reconsider our plan to continue using the OTRS Debian package.
Based on our policy we will only disclose vulnerabilities with a fix or workaround as official OTRS Security Announcement on our webpage and only for supported versions.
JeremyDavisTKL wrote: While I'm here, I also noticed that OTRS explicitly recommend not using the Debian package: "Important Please install OTRS from source, and do not use the OTRS packages that Debian/Ubuntu provides" (source). Are you aware of what the rationale for that advice is? Is it based on the above misunderstanding? Or does OTRS just not like users using older versions of OTRS? Or is there some other rationale that I may not have considered? I'd be really interested to understand better.
The Debian packages are kind of strange as they break the OTRS file system hierarchy, do not ship all included 3rd party libraries, which might cause issues as everything packaged by OTRS is known to work together. So using 3rd party installation packages would cause issues in supporting the solution. Also the Debian packages do not contain all of the official bugfixes (3.3.18 with additional patches, compared to the official 3.3.20).

OTRS 3.3 was released more than 4 years ago, in today's software world an eternity. The concept of Debian stable was ok about 10-15 years ago (I used my first Debian 18 years ago) but quality of software improved a lot over the time in general. OTRS is not an open source project where additional packaging and quality assurance might be needed but is a vendor driven software with a paid development team.

For my own projects I also use Debian based systems, but mainly because of the good Perl support; for mission-critical software like OTRS, databases etc. I typically stick to the official packages of the vendor.

Regards

Jens

Re: [SOLVED] POPS3 Can't connect to <mailhost>

Post by JeremyDavisTKL »

Hi Jens / jojo

Apologies on my slow response. I missed it previously. Thanks to tupson for the bump!

I'll keep this brief. I did just write a fairly extensive reply, but I just lost it due to my browser timing out (argh!). Anyway brief is probably better! :lol:

It sounds to me like you aren't aware of how Debian works. Please let me explain my understanding: The package maintainer is only responsible for uploading new versions to unstable (which will automatically migrate to testing assuming it passes QA tests). Once a release moves to stable, then the Debian Security team are responsible for security on all the packages. That includes triage, and developing patches, either backporting from upstream, or on occasions, developing them for software which is no longer supported upstream. Other options are removing the software from the repos (fairly rare in my experience, at least prior to LTS) or on the odd occasion a new version will be imported. Currently the Debian Security team has 11 full time members, as well as a number of "assistant members" (generally sec team members in training). They are often supported by package maintainers and upstream developers, as well as Security teams from other distros.

Out of interest, I just checked all the 2017 CVEs relating to OTRS and all are patched in Debian Jessie (currently oldstable) as well as Debian Stretch (stable).

I really trust the Debian Security team. They're not perfect, but in my experience they do an incredible job. The best outcomes always occur when they work closely with package maintainers, other distro sec teams and upstream developers.

Having said all that, if you guys provided your own Debian packages (even if they don't comply with the Debian FHS), ideally via an apt repo (to make update super easy) then we'd certainly consider using them. As it currently stands, the requirement to install from source does make using the Debian repo package much more appealing.