E-mail logging over SSL on ASA?

Similar Messages

• ASA mail logging 716001

  Dears,
          i configured logging list contains messages 716001 and 716002.
  i configured the mail logging to send this list , but i received only 716002 and didn't receive 716001 on my mail.
  ASA version is 9.0(3) on ASA5520.
  Thanks,

  Hi,
  They seem to be of the same "logging" level which is 6 = Informational so that should not be the problem.
  I imagine that you have checked the output of "show run logging" and confirmed that the other syslog ID has NOT been disabled globally?
  Can you see both Syslog IDs in some other logging destination like ASDM or Syslog Server?
  - Jouni

• POP3 OVER SSL using Oracle service using E-mail Transport

  Hi All,
  I am trying to connect an e-mail inbox using Oracle service bus . But i am trying to use POP3 over SSL .
  using POP3 i am able to connect . Any help .
  Thanks
  Phani

  Please refer -
  How to send email from OSB with Mail server that requires SSL or STARTTLS
  Regards,
  Anuj

• PRoblem In Sending Mail OVER SSL

  HI All,
  I am using java mail api to send email using gmail smtp server address.And my application is running over SSL.
  My Client is running in tomcat application and server side code is in Jboss.
  I have written a code to send email and that code is der in client side , i mean in tomcat.
  I am getting one error given below::
  nested exception is:
  javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorExc
  eption: PKIX path building failed: sun.security.provider.certpath.SunCertPathBui
  lderException: unable to find valid certification path to requested target
  And given below my code ::
  Properties props = new Properties();
  System.out.println("Inside simple mail");
  props.setProperty("mail.transport.protocol","smtp");
  props.setProperty("mail.smtp.host","smtp.gmail.com");
  System.out.println("Port is set");
  props.setProperty("mail.user","xxxx");
  props.setProperty("mail.password","xxxx");
  props.put("mail.smtp.auth","true");
  *// props.put("mail.smtp.ssl.enable","true");*
  props.put("mail.smtp.starttls.enable","true");
  *// props.put("mail.smtp.socketFactory.class","javax.net.ssl.SSLSocketFactory");*
  MailSSLSocketFactory sf = new MailSSLSocketFactory();
  *     sf.setTrustAllHosts(true);*
  *     props.put("mail.smtp.ssl.socketFactory", sf);*
  *     BasicAuthenticator auth = new BasicAuthenticator();      *
  *     auth.getPasswordAuthentication();*
  Session mailSession = Session.getDefaultInstance(props, auth);
  mailSession.setDebug(true);
  MimeMessage message = new MimeMessage(mailSession);
  message.setSubject("Testing javamail plain");
  message.setContent("This is a test", "text/plain");
  *// message.setFrom(new InternetAddress())*
  message.addRecipient(Message.RecipientType.TO,
  new InternetAddress(pToMailId));
  Address add = new InternetAddress("xxxx");
  message.setFrom(add);
  System.out.println("Before connect");
  Transport.send(message);
  Can anyone help me out on this...
  Thanks in advance...
  Regards
  Deba

  Hi Thanks for the response...
  once again i ve tried but same problem...
  my code is below ::
  String host = "smtp.gmail.com";
                 String username = "[email protected]";
                 String password = "xxxx";
                 Properties props = new Properties();
                 props.put("mail.smtp.auth", "true");
                 props.put("mail.smtp.starttls.enable", "true");
                 props.put("mail.smtp.host", "smtp.gmail.com");
                 props.put("mail.transport.protocol", "smtp");
                 props.put("mail.smtp.auth", "true");
                 BasicAuthenticator auth = new BasicAuthenticator();
                 PasswordAuthentication lPasswordAuthentication = auth.getPasswordAuthentication();
                 Session session = Session.getDefaultInstance(props, auth);
                 session.setDebug(true);
                 Message msg = new MimeMessage(session);
                 InternetAddress addressFrom = new InternetAddress("[email protected]");
                 msg.setFrom(addressFrom);
                 InternetAddress addressTo = new InternetAddress(pToMailId);
                 msg.addRecipient(Message.RecipientType.TO, addressTo);
                 msg.setSubject("subject");
                 msg.setContent("message", "text/html");
                 Transport.send(msg);

• Verizon "flips switch" that has killed Pegasus mail over SSL

  Last night Verizon email.administrators "flipped a switch" that has killed the use of Pegasus mail over SSL using TCP ports 465 and 995 as Verizon suggests we use.
  I have experienced this and so has every other Pegasus Mail user who is on Verizon email. 
  There are posts on Usenet and posts on the Pegasus Forums
  Thus the problem is not just me but ANYONE who is using Pegasus mail with the Verizon email server using...
  # Incoming mail server (POP3): incoming.verizon.net
  # Incoming Server Port Numbers: 995
  # Outgoing mail server (SMTP): outgoing.verizon.net
  # Outgoing Server Port Numbers: 465 Why is this important?
  # Your Verizon Online user name
  # Your Verizon Online password
  # Make sure "This server requires a secure connection (SSL)" is checked.
  The Lithium Software sux !!

  Might be a bug in Pegasus related to TLS 1.1/1.2 security.  Based on someones post over at the site you pointed to looks like its not picking up the entire key.  Microsoft made changes in the support modules to fix a bug earlier this year and it causes the key to be split over transmissions.  Almost the same thing happend for web pages, including Verizons, when that change went in. 

• How to set up iPhone 5 iOS 6 email with IMAP over SSL on a custom port?

  Basically I have the same problem as this guy 5 years ago but the thread contained no useful answer. Maybe there are people out there who became smarter in the meantime? Please help me out how to get my iPhone read emails via IMAP over SSL on a custom port to the corporate server. The issue is that the iPhone only seems to work if you use the standard 993 port for IMAPS, not with a custom port as we have. I've installed the corporate root certificate in a profile, and it shows up as trusted and verified in the phone, so that should not be the issue. The mail app in the iPhone tries to connect, I can verify that from the server, but then does nothing, doesn't try to authenticate, doesn't log out, nothing is going on, and then drops the connection after 60 seconds. Repeats this every 5 minutes (as set to fetch e-mail every 5 minutes.)
  Original thread 5 years ago: https://discussions.apple.com/message/8104869#8104869

  Solved it by some (a lot) of fiddling.
  Turns out it's not a bug in the iPhone, it's a feature.
  Here's how to make it work.
  DOVECOT
  If the IMAPS port is anything other than 933 (the traditional IMAPS port) the iPhone's Mail App takes the "Use SSL" setting on the IMAP server as 'TLS', meaning it starts the communication in plain text and then issues (tries to issue) the STARTTLS command to switch the connection to encrypted. If, however, Dovecot is set up to start right away in encrypted mode, the two cannot talk to each other. For whatever reason neither the server nor the client realizes the connection is broken and only a timeout ends their misery.
  More explanation about SSL/TLS in the Dovecot wiki: http://wiki2.dovecot.org/SSL
  So to make this work, you have to set Dovecot the following way. (Fyi, I run Dovecot 2.0.19, versions 1.* have a somewhat different config parameters list.)
  1. In the /etc/dovecot/conf.d/10-master.conf file make sure you specify the inet_listener imap and disable (set its port to 0) for imaps like this:
  service imap-login {
    inet_listener imap {
      port = --your port # here--
    inet_listener imaps {
      port = 0
      ssl = yes
  This of course enables unencrypted imap for all hackers of the universe so you quickly need to also do the things below.
  2. In the /etc/dovecot/conf.d/10-ssl.conf file, make sure you set (uncomment) the following:
  ssl = required
  This sets Dovecot to only serve content to the client after a STARTTLS command was issued and the connection is already encrypted.
  3. In /etc/dovecot/conf.d/10-auth.conf set
  disable_plaintext_auth = yes
  This prevents plain text password authentication before encryption (TLS) is turned on. If you have also set ssl=required as per step 2, that will prevent all other kinds of authentications too on an unencrypted connection.
  When debugging this, please note that if you connect from localhost (the same machine the server runs on) disable_plaintext_auth=yes has no effect, as localhost is considered secure. You have to connect from a remote machine to make sure plain text authentication is disabled.
  Don't forget service dovecot restart.
  To test if your setup works as it's supposed to, issue the following (green) from a remote machine (not localhost) (I'm using Ubuntu, but telnet and openssl is available for almost all platforms) and make sure Dovecot responds with something like below (purple):
  telnet your.host.name.here yourimapsportnumber
  * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready.
  Most importantly, make sure you see 'STARTTLS' and 'LOGINDISABLED'. Then issue STARTTLS and hopefully you see something like this:
  a STARTTLS
  a OK Begin TLS negotiation now.
  (The 'a' in front of STARTTLS is not a typo, a prefix is required by the IMAP server in front of all commands.)
  Close the telnet (with 'a logout' or Ctrl+C) and you can use openssl to further investigate as you would otherwise; at the end of a lot of output including the certificate chain you should see a line similar to the one below:
  openssl s_client -starttls imap -connect your.domain.name.here:yourimapsportnumber
  . OK Pre-login capabilities listed, post-login capabilities have more.
  You can then use the capability command to look for what authentication methods are available, if you see AUTH=PLAIN, you can then issue a login command (it's already under an encrypted connection), and if it's successful ("a OK Logged in"), then most likely your iPhone will be able to connect to Dovecot as well.
  a capability
  * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN
  a login username password
  * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS
  a OK Logged in
  POSTFIX
  Likewise, you have to set Postfix to wait for STARTTLS before encrypting the communication.
  1. You have to delete the setting smtpd_tls_wrappermode=yes from /etc/postfix/master.cf and/or /etc/postfix/main.cf, if it was enabled. This will mean Outlook won't be able to connect any more because it requires a TSL connection without issuing STARTTLS as per Postfix documentation (haven't tested.) In my case we don't use Outlook so I didn't care. Outlook + iPhone + custom SMTPS port are simply not possible together at the same time as far as I understand. Pick one to sacrifice.
  2. Require encrypted (TLS) mode for any data transfer in /etc/postfix/main.cf:
  smtpd_tls_security_level = encrypt
  3. Authentication should only happen while already in encrypted (TLS) mode, so set in /etc/postfix/main.cf:
  smtpd_tls_auth_only = yes
  Don't forget postfix reload.
  To test if this works, issue the following telnet and wait for the server's greeting:
  telnet your.host.name.here yoursmtpsportnumber
  220 your.host.name ESMTP Postfix (Ubuntu)
  Then type in the EHLO and make sure the list of options contains STARTTLS and does not include an AUTH line (that would mean unencrypted authentication is available):
  ehlo your.host.name.here
  250-STARTTLS
  Then issue starttls and wait for the server's confirmation:
  starttls
  220 2.0.0 Ready to start TLS
  Once again, it's time to use openssl for further testing, detailed info here http://qmail.jms1.net/test-auth.shtml
  CERTIFICATES
  You also need to be aware that iOS is somewhat particular when it comes to certificates. First of all, you have to make sure to set the following extensions on your root certificate (probably in the [ v3_ca ] section in your /etc/ssl/openssl.cnf, depending on your openssl setup), especially the 'critical' keyword:
  basicConstraints = critical,CA:true
  keyUsage = critical, cRLSign, keyCertSign
  subjectKeyIdentifier=hash
  authorityKeyIdentifier=keyid:always,issuer:always
  And then on the certificate you sign for your mail server, set the following, probably in the [ usr_cert ] section of /etc/ssl/openssl.cnf:
  basicConstraints=CA:FALSE
  keyUsage = nonRepudiation, digitalSignature, keyEncipherment
  subjectKeyIdentifier=hash
  authorityKeyIdentifier=keyid,issuer
  subjectAltName = DNS:your.domain.name.here
  issuerAltName=issuer:copy
  Please note, the above are results of extensive google-ing and trial and error, so maybe you can omit some of the stuff above and it still works. When it started working for me, I stopped experimenting because figuring this all out already took way too much time. The iPhone is horribly undocumented when it comes to details of its peculiar behaviors. If you experiment more and have more accurate information, please feel free to post here as a reply to this message.
  You have to import your root certificate into your iPhone embedded in a profile via the iPhone Configuration Utility (free, but only available in Windows or a Mac; details here: http://nat.guyton.net/2012/01/20/adding-trusted-root-certificate-authorities-to- ios-ipad-iphone/ ), after having first added it to Windows' certificate store as a trusted root certificate. This way the Utility will sign your certificate for the phone and it becomes usable; if you just add it from the phone it will be there but won't be used. Using a profile has the added benefit of being able to configure mail settings in it too, and that saves a lot of time when you have to install, remove, reconfigure, install again, etc. a million times until it works.
  Another undocumented constraint is that the key size is limited to a max of 4096. You can actually install a root certificate with a larger key, the iPhone Configuration Utility will do that for you without a word. The only suspicious thing is that on the confirmation screen shown on your iPhone when you install the profile you don't get the text "Root Certificate/ Installing the certificate will add it to the list of trusted certificates on your iPhone" in addition to your own custom prompt set up in the iPhone Configuration Utility. The missing additional text is your sign of trouble! - but how would know that before you saw it working once? In any case, if you force the big key certificate on the device, then when you open the Mail App, it opens up and then crashes immediately. Again, without a word. Supposedly Apple implemented this limit on the request of the US Government, read more here if you're interested: http://blogs.microsoft.co.il/blogs/kamtec1/archive/2012/10/13/limitation-of-appl e-devices-iphone-ipad-etc-on-rsa-key-size-bit.aspx .
  IN CLOSING...
  With all this, you can read and send email from your iPhone.
  Don't forget to set all your other clients (Thunderbird, Claws, etc.) to also use STARTTLS instead of SSL, otherwise they won't be able to connect after the changes above.

• Virtual Mail Setup - imapd-ssl error unknown protocol

  Hi,
  I have been relentlessly trying to setup my first email server and I think that I am almost there. I have been following the guide at:
  https://wiki.archlinux.org/index.php/Simple_Virtual_User_Mail_System
  I have followed it step by step and I'm 99% sure that I didn't miss a thing when setting it up.
  However, I cannot login to my roundcube mail. It just times out.
  This is the error that pops up in /var/log/mail.log:
  mail imapd-ssl: couriertls: accept: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
  this is the contents of /etc/authlib/authmysqlrc:
  ##VERSION: $Id: authmysqlrc,v 1.20 2007/10/07 02:50:45 mrsam Exp $
  # Copyright 2000-2007 Double Precision, Inc. See COPYING for
  # distribution information.
  # Do not alter lines that begin with ##, they are used when upgrading
  # this configuration.
  # authmysqlrc created from authmysqlrc.dist by sysconftool
  # DO NOT INSTALL THIS FILE with world read permissions. This file
  # might contain the MySQL admin password!
  # Each line in this file must follow the following format:
  # field[spaces|tabs]value
  # That is, the name of the field, followed by spaces or tabs, followed by
  # field value. Trailing spaces are prohibited.
  ##NAME: LOCATION:0
  # The server name, userid, and password used to log in.
  MYSQL_SERVER localhost
  MYSQL_USERNAME postfix_user
  MYSQL_PASSWORD *******MY PASSWORD*******
  ##NAME: SSLINFO:0
  # The SSL information.
  # To use SSL-encrypted connections, define the following variables (available
  # in MySQL 4.0, or higher):
  # MYSQL_SSL_KEY /path/to/file
  # MYSQL_SSL_CERT /path/to/file
  # MYSQL_SSL_CACERT /path/to/file
  # MYSQL_SSL_CAPATH /path/to/file
  # MYSQL_SSL_CIPHERS ALL:!DES
  ##NAME: MYSQL_SOCKET:0
  # MYSQL_SOCKET can be used with MySQL version 3.22 or later, it specifies the
  # filesystem pipe used for the connection
  # MYSQL_SOCKET /var/mysql/mysql.sock
  ##NAME: MYSQL_PORT:0
  # MYSQL_PORT can be used with MySQL version 3.22 or later to specify a port to
  # connect to.
  MYSQL_PORT 3306
  ##NAME: MYSQL_OPT:0
  # Leave MYSQL_OPT as 0, unless you know what you're doing.
  MYSQL_OPT 0
  ##NAME: MYSQL_DATABASE:0
  # The name of the MySQL database we will open:
  MYSQL_DATABASE postfix_db
  #NAME: MYSQL_CHARACTER_SET:0
  # This is optional. MYSQL_CHARACTER_SET installs a character set. This option
  # can be used with MySQL version 4.1 or later. MySQL supports 70+ collations
  # for 30+ character sets. See MySQL documentations for more detalis.
  # MYSQL_CHARACTER_SET latin1
  ##NAME: MYSQL_USER_TABLE:0
  # The name of the table containing your user data. See README.authmysqlrc
  # for the required fields in this table.
  MYSQL_USER_TABLE mailbox
  ##NAME: MYSQL_CRYPT_PWFIELD:0
  # Either MYSQL_CRYPT_PWFIELD or MYSQL_CLEAR_PWFIELD must be defined. Both
  # are OK too. crypted passwords go into MYSQL_CRYPT_PWFIELD, cleartext
  # passwords go into MYSQL_CLEAR_PWFIELD. Cleartext passwords allow
  # CRAM-MD5 authentication to be implemented.
  MYSQL_CRYPT_PWFIELD password
  ##NAME: MYSQL_CLEAR_PWFIELD:0
  # MYSQL_CLEAR_PWFIELD clear
  ##NAME: MYSQL_DEFAULT_DOMAIN:0
  # If DEFAULT_DOMAIN is defined, and someone tries to log in as 'user',
  # we will look up 'user@DEFAULT_DOMAIN' instead.
  # DEFAULT_DOMAIN example.com
  ##NAME: MYSQL_UID_FIELD:0
  # Other fields in the mysql table:
  # MYSQL_UID_FIELD - contains the numerical userid of the account
  MYSQL_UID_FIELD 5000
  ##NAME: MYSQL_GID_FIELD:0
  # Numerical groupid of the account
  MYSQL_GID_FIELD 5000
  ##NAME: MYSQL_LOGIN_FIELD:0
  # The login id, default is id. Basically the query is:
  # SELECT MYSQL_UID_FIELD, MYSQL_GID_FIELD, ... WHERE id='loginid'
  MYSQL_LOGIN_FIELD username
  ##NAME: MYSQL_HOME_FIELD:0
  MYSQL_HOME_FIELD "/home/vmail"
  ##NAME: MYSQL_NAME_FIELD:0
  # The user's name (optional)
  MYSQL_NAME_FIELD name
  ##NAME: MYSQL_MAILDIR_FIELD:0
  # This is an optional field, and can be used to specify an arbitrary
  # location of the maildir for the account, which normally defaults to
  # $HOME/Maildir (where $HOME is read from MYSQL_HOME_FIELD).
  # You still need to provide a MYSQL_HOME_FIELD, even if you uncomment this
  # out.
  MYSQL_MAILDIR_FIELD maildir
  ##NAME: MYSQL_DEFAULTDELIVERY:0
  # Courier mail server only: optional field specifies custom mail delivery
  # instructions for this account (if defined) -- essentially overrides
  # DEFAULTDELIVERY from ${sysconfdir}/courierd
  # MYSQL_DEFAULTDELIVERY defaultdelivery
  ##NAME: MYSQL_QUOTA_FIELD:0
  # Define MYSQL_QUOTA_FIELD to be the name of the field that can optionally
  # specify a maildir quota. See README.maildirquota for more information
  MYSQL_QUOTA_FIELD quota
  ##NAME: MYSQL_AUXOPTIONS:0
  # Auxiliary options. The MYSQL_AUXOPTIONS field should be a char field that
  # contains a single string consisting of comma-separated "ATTRIBUTE=NAME"
  # pairs. These names are additional attributes that define various per-account
  # "options", as given in INSTALL's description of the "Account OPTIONS"
  # setting.
  # MYSQL_AUXOPTIONS_FIELD auxoptions
  # You might want to try something like this, if you'd like to use a bunch
  # of individual fields, instead of a single text blob:
  # MYSQL_AUXOPTIONS_FIELD CONCAT("disableimap=",disableimap,",disablepop3=",disablepop3,",disablewebmail=",disablewebmail,",sharedgroup=",sharedgroup)
  # This will let you define fields called "disableimap", etc, with the end result
  # being something that the OPTIONS parser understands.
  ##NAME: MYSQL_WHERE_CLAUSE:0
  # This is optional, MYSQL_WHERE_CLAUSE can be basically set to an arbitrary
  # fixed string that is appended to the WHERE clause of our query
  # MYSQL_WHERE_CLAUSE server='mailhost.example.com'
  ##NAME: MYSQL_SELECT_CLAUSE:0
  # (EXPERIMENTAL)
  # This is optional, MYSQL_SELECT_CLAUSE can be set when you have a database,
  # which is structuraly different from proposed. The fixed string will
  # be used to do a SELECT operation on database, which should return fields
  # in order specified bellow:
  # username, cryptpw, clearpw, uid, gid, home, maildir, quota, fullname, options
  # The username field should include the domain (see example below).
  # Enabling this option causes ignorance of any other field-related
  # options, excluding default domain.
  # There are two variables, which you can use. Substitution will be made
  # for them, so you can put entered username (local part) and domain name
  # in the right place of your query. These variables are:
  # $(local_part), $(domain), $(service)
  # If a $(domain) is empty (not given by the remote user) the default domain
  # name is used in its place.
  # $(service) will expand out to the service being authenticated: imap, imaps,
  # pop3 or pop3s. Courier mail server only: service will also expand out to
  # "courier", when searching for local mail account's location. In this case,
  # if the "maildir" field is not empty it will be used in place of
  # DEFAULTDELIVERY. Courier mail server will also use esmtp when doing
  # authenticated ESMTP.
  # This example is a little bit modified adaptation of vmail-sql
  # database scheme:
  # MYSQL_SELECT_CLAUSE SELECT CONCAT(popbox.local_part, '@', popbox.domain_name), \
  # CONCAT('{MD5}', popbox.password_hash), \
  # popbox.clearpw, \
  # domain.uid, \
  # domain.gid, \
  # CONCAT(domain.path, '/', popbox.mbox_name), \
  # domain.quota, \
  # CONCAT("disableimap=",disableimap,",disablepop3=", \
  # disablepop3,",disablewebmail=",disablewebmail, \
  # ",sharedgroup=",sharedgroup) \
  # FROM popbox, domain \
  # WHERE popbox.local_part = '$(local_part)' \
  # AND popbox.domain_name = '$(domain)' \
  # AND popbox.domain_name = domain.domain_name
  ##NAME: MYSQL_ENUMERATE_CLAUSE:1
  # {EXPERIMENTAL}
  # Optional custom SQL query used to enumerate accounts for authenumerate,
  # in order to compile a list of accounts for shared folders. The query
  # should return the following fields: name, uid, gid, homedir, maildir, options
  # Example:
  # MYSQL_ENUMERATE_CLAUSE SELECT CONCAT(popbox.local_part, '@', popbox.domain_name), \
  # domain.uid, \
  # domain.gid, \
  # CONCAT(domain.path, '/', popbox.mbox_name), \
  # CONCAT('sharedgroup=', sharedgroup) \
  # FROM popbox, domain \
  # WHERE popbox.local_part = '$(local_part)' \
  # AND popbox.domain_name = '$(domain)' \
  # AND popbox.domain_name = domain.domain_name
  ##NAME: MYSQL_CHPASS_CLAUSE:0
  # (EXPERIMENTAL)
  # This is optional, MYSQL_CHPASS_CLAUSE can be set when you have a database,
  # which is structuraly different from proposed. The fixed string will
  # be used to do an UPDATE operation on database. In other words, it is
  # used, when changing password.
  # There are four variables, which you can use. Substitution will be made
  # for them, so you can put entered username (local part) and domain name
  # in the right place of your query. There variables are:
  # $(local_part) , $(domain) , $(newpass) , $(newpass_crypt)
  # If a $(domain) is empty (not given by the remote user) the default domain
  # name is used in its place.
  # $(newpass) contains plain password
  # $(newpass_crypt) contains its crypted form
  # MYSQL_CHPASS_CLAUSE UPDATE popbox \
  # SET clearpw='$(newpass)', \
  # password_hash='$(newpass_crypt)' \
  # WHERE local_part='$(local_part)' \
  # AND domain_name='$(domain)'
  I have been reading around about that error to no avail.
  i have extension=openssl.so uncommented in /etc/php/php.ini and round cube says my openssl is fine.
  Any help would be much appreciated!
  kush
  Last edited by kush (2012-01-05 16:49:18)

  Hey Kush I am having the same issue, did you ever get it working???

• Connecting to a remote OpenLDAP server over SSL.

  I've been trying for several weeks now to get a remote OpenLDAP server up and running; configured in such a way that it only allows SSL and requires certificate validation.
  I've created a CA with a self-signed certificate.
  I used that CA to create a server and client certificate.
  The server certificate is in /etc/ssl/certs, has a link by the name of its hash.0 pointing to it; permissions are all correct and /etc/ssl/slapd.conf point to it and the CA certificate.
  The client certificate is on my MacBook Pro in /etc/ssl/certs along with the CA certificate; each of which also has its hash linked to it. /etc/ssl/ldap.conf is set up properly, the permissions are correct, and the following test command ran as my user produces a successful result:
  ldapsearch -v -x -H ldaps://ldap.foo.org -b "dc=foo,dc=org" -d -1
  Now the problem part. I open Directory Utility; go to Services with Advanced Settings enabled. After unlocking it, I click the LDAPv3 and the pencil icon.
  I hit New... in the window that pops up and use ldap.foo.org as servername, SSL box ticked. I hit Continue, and behold; nothing happens.
  It is to say; Directory Utility hangs for a while; after which it goes back to the box I clicked Continue in without any error or warning popping up; but obviously hasn't advanced.
  The server logs indicate my Mac had actually connected; received the server certificate; but didn't send a client certificate at which point the TLS connection got aborted for some reason and the session ended.
  My Mac Console shows something even more bizare, though:
  11/09/08 23:09:22 com.apple.DirectoryServices[97123] Assertion failed: (ld != NULL), function ldapsearchext, file search.c, line 76.
  My suspicion is that Directory Utility can't verify the server certificate and aborts the TLS connection. I expect it also uses /etc/openldap/ldap.conf? How can I diagnose the root of this problem?
  Thanks a lot for your assistance; I just can't figure this out and any hint or pointer would be greatly appreciated. It now just looks like OSX does not support a secure LDAP over SSL configuration.
  Though it currently isn't set up to be that way, I'd like to have my client also provide a certificate (CN=lhunath.foo.org) and have the server validate that. For now I've got the server set to:
  TLSVerifyClient never
  (And of course, the client:)
  TLS_REQCERT demand
  Message was edited by: lhunath

  By the way; about the assertion error I get in Console; here's the relevant source of ldap.c. Looks like ld is not set; probably something going wrong before that with setting up the TLS connection, perhaps? Or not?
  * ldapsearchext - initiate an ldap search operation.
  * Parameters:
  * ld LDAP descriptor
  int
  ldapsearchext(
  LDAP *ld,
  assert( ld != NULL );

• BAD_CERTIFICATE error calling a web service over SSL in ALSB 2.6

  We have a business service on an ALSB 2.6 server (running on WL 9.2.1) that connects to a web service over SSL. When we try to run it, we get the following exception:
  <Sep 17, 2009 7:49:17 AM PDT> <Error> <ALSB Kernel> <BEA-380001> <Exception on TransportManagerImpl.sendMessageToService, com.bea.
  wli.sb.transports.TransportException: FATAL Alert:BAD_CERTIFICATE - A corrupt or unuseable certificate was received.
  com.bea.wli.sb.transports.TransportException: FATAL Alert:BAD_CERTIFICATE - A corrupt or unuseable certificate was received.
  at com.bea.wli.sb.transports.TransportException.newInstance(TransportException.java:146)
  at com.bea.wli.sb.transports.http.HttpOutboundMessageContext.send(HttpOu
  tboundMessageContext.java:310)
  at com.bea.wli.sb.transports.http.HttpsTransportProvider.sendMessageAsync(HttpsTransportProvider.java:435)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  Truncated. see log file for complete stacktrace
  javax.net.ssl.SSLKeyException: FATAL Alert:BAD_CERTIFICATE - A corrupt or unuseable certificate was received.
  at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireException(Unknown Source)
  at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireAlertSent(Unknown Source)
  at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
  at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
  at com.certicom.tls.record.handshake.ClientStateReceivedServerHello.handle(Unknown Source)
  Truncated. see log file for complete stacktrace
  This exception only occurs when hitting the web service through the bus. I have written a standalone Java application that posts to the web service and it works fine. I ran the application on the server where the ALSB is running using the same jdk (1.5.0_06 - the version that ships with 9.2.1) and the same cacerts file so I know it's not a problem with the certificate not being trusted. I have tried updating the cacerts file to the latest one distributed with JRE 1.6 and it still doesn't work.
  After 8 hours of troubleshooting, I'm out of ideas. Does anyone have any suggestiosn?
  Thanks.
  Matt
  Edited by: user6946981 on Sep 17, 2009 7:58 AM

  Are you sure that your standalone application is using the same keystore (eg. cacert)? Default WebLogic configuration uses different keystore (demo).
  I saw BAD_CERTIFICATE error only once and the cause was in keytool that somehow corrupted certificate during import. Deleting and importing certificate again helped me, but I doubt you have the same problem as your standalone application works.
  Another idea ... Is hostname varification used? I know that the error message would look different if this was the cause, but try to add this parameter to your weblogic startup script: -Dweblogic.security.SSL.ignoreHostnameVerification=true
  Last but not least, there is difference between your standalone application and ALSB runtime as WebLogic uses Certicom SSL provider. If you don't find the reason, contact Oracle support. Maybe they can help you to tweak Certicom provider in some way.

• AD Password Sync connector 9.1.1 With OIM 11g R2 - ERROR OVER SSL

  I have set up AD password sync with from AD to OIM 11G R2
  The password syncs from AD to OIM 11G R2 on non ssl port 389.
  But if fails on SSL Port 636.
  Errors in OIMMain.Log:_
  Debug [10/11/2012 10:49:34 AM] Inside ConnectToADSI
  Debug [10/11/2012 10:49:34 AM]
  ldap_connect failed with
  Debug [10/11/2012 10:49:34 AM] Server Down
  Debug [10/11/2012 10:49:34 AM]
  Steps Carried Out thus far:_
  AD is up and running.
  Configured AD Password Sync Connector on 636 and selected ssl.
  Created Certificate on OIM host, configured custom identity key store on weblogic. Restarted Weblogic.
  Imported Certificate to AD. After this, restarted the AD
  I can Telnet port 636 from OIM Box and also connect to AD through LDAP Browser on 636 and view OU and CN, so this seems fine.
  Provisioning from OIM through Connector Server to AD works over SSL and this works fine.
  Help would be appreciated.
  Many Thanks

  This question is now been fixed.
  Instead of explicitly stating 636 for SSL,
  Use the same port 389 for ssl and also configured oim port to be 140001 which is the ssl port for oim in the configuration of OIM Password Sync.
  Export Certificates from AD to java security keystore and to weblogic keystore
  Export .pem certificate created on OIM host machine to AD.
  Restart weblogic, oim and AD
  Everything would work fine.
  For all the other information, refer to doc.
  Thanks

• FTP/File Sender Adapter over SSL - 500 Illegal PORT command.

  Hello Experts!
  I'm trying to configure FTP Sender Adapter over SSL. This is the configuration I'm using:
  Server: server01
  Port: 21
  Data Connection: Active
  Timeout: 100
  Connection Security: FTPS (FTP Using SSL/TLS) for Control and Data Connection
  Command Order: AUTH TLS, USER, PASS, PBSZ, PROT
  I have imported ftp server certificate into TrustedCAs key store. When the sender adapter tries to connect it receives the error 500 Illegal PORT command when getting files list.
  This is an excerpt of the logs of connection steps:
  #Plain##ftp server returns reply '220 Restricted Access. All Actions are monitored.'#
  #Plain##Detected 'AUTH TLS' command: Preparing TLS/SSL connection upgrade#
  #Plain##'AUTH TLS' successful: Upgrading control channel to TLS/SSL#
  #Plain##ftp server returns reply '234 Proceed with negotiation.'#
  #Plain##ftp server returns reply '331 Please specify the password.'#
  #Plain##ftp server returns reply '230 Login successful.'#
  #Plain##ftp server returns reply '200 PBSZ set to 0.'#
  #Plain##ftp server returns reply '200 PROT now Private.'#
  #Plain##ftp server returns reply '215 UNIX Type: L8'#
  #Plain##ftp server returns reply '200 Switching to ASCII mode.'#
  #Plain##ftp server returns reply '250 Directory successfully changed.'#
  #Plain##ftp server returns reply '500 Illegal PORT command.'#
  Does anybody know how to solve it?
  Thank you in advance!
  Roger Allué i Vall

  Ok! This is the maximum i could obtain:
  Fri Dec 11 15:28:12 2009 [pid 15206] FTP response: Client "10.58.42.108", "220 Restricted Access. All Actions are monitored."
  Fri Dec 11 15:28:12 2009 [pid 15206] FTP command: Client "10.58.42.108", "AUTH TLS"
  Fri Dec 11 15:28:12 2009 [pid 15206] FTP response: Client "10.58.42.108", "234 Proceed with negotiation."
  Fri Dec 11 15:28:12 2009 [pid 15206] FTP command: Client "10.58.42.108", "USER iubsint"
  Fri Dec 11 15:28:12 2009 [pid 15206] [iubsint] FTP response: Client "10.58.42.108", "331 Please specify the password."
  Fri Dec 11 15:28:12 2009 [pid 15206] [iubsint] FTP command: Client "10.58.42.108", "PASS <password>"
  Fri Dec 11 15:28:12 2009 [pid 15205] [iubsint] OK LOGIN: Client "10.58.42.108"
  Fri Dec 11 15:28:12 2009 [pid 15207] [iubsint] FTP response: Client "10.58.42.108", "230 Login successful."
  Fri Dec 11 15:28:12 2009 [pid 15207] [iubsint] FTP command: Client "10.58.42.108", "PBSZ 0"
  Fri Dec 11 15:28:12 2009 [pid 15207] [iubsint] FTP response: Client "10.58.42.108", "200 PBSZ set to 0."
  Fri Dec 11 15:28:12 2009 [pid 15207] [iubsint] FTP command: Client "10.58.42.108", "PROT P"
  Fri Dec 11 15:28:12 2009 [pid 15207] [iubsint] FTP response: Client "10.58.42.108", "200 PROT now Private."
  Fri Dec 11 15:28:12 2009 [pid 15207] [iubsint] FTP command: Client "10.58.42.108", "SYST"
  Fri Dec 11 15:28:12 2009 [pid 15207] [iubsint] FTP response: Client "10.58.42.108", "215 UNIX Type: L8"
  Fri Dec 11 15:28:12 2009 [pid 15207] [iubsint] FTP command: Client "10.58.42.108", "TYPE I"
  Fri Dec 11 15:28:12 2009 [pid 15207] [iubsint] FTP response: Client "10.58.42.108", "200 Switching to Binary mode."
  Fri Dec 11 15:28:12 2009 [pid 15207] [iubsint] FTP command: Client "10.58.42.108", "CWD /interfaces"
  Fri Dec 11 15:28:12 2009 [pid 15207] [iubsint] FTP response: Client "10.58.42.108", "250 Directory successfully changed."
  Fri Dec 11 15:28:12 2009 [pid 15207] [iubsint] FTP command: Client "10.58.42.108", "PORT 10,58,45,108,159,112"
  Fri Dec 11 15:28:12 2009 [pid 15207] [iubsint] FTP response: Client "10.58.42.108", "500 Illegal PORT command."
  I think we found the problem though. FTP Administrator says this is wrong:
  Fri Dec 11 15:28:12 2009 [pid 15207] [iubsint] FTP command: Client "10.58.42.108", "PORT 10,58,45,108,159,112"
  it should be
  Fri Dec 11 15:28:12 2009 [pid 15207] [iubsint] FTP command: Client "10.58.42.108", "PORT 10,58,42,108,159,112"
  Something is making SAP PI to take a wrong ip address (This server has two).
  I'll let you know if we solve it!!
  Thank you!!!

• LC + ActiveDirectory + LDAP over SSL = doesn't work

  Hi,
  I installed Active Directory Certificate Services. Now I want setup LDAP over SSL. Unfortunatelly it doesn't work. I pressed "Test" and always get "Invalid username or invalid password" (
  German: "Ungültiger Benutzername oder ungültiges Kennwort"). I'm pretty sure username and password are fine (it worked before I installed Active Directory Certificate Services and used LDAP without SSL).
  On server.log, I got this:
  2011-11-12 00:51:28,202 INFO  [com.adobe.idp.um.businesslogic.synch.LdapHelper] Following stacktrace is generated due to the Test LDAP Server Configuration action
  javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]
          at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3041)
          at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
          at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2789)
          at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2703)
          at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293)
          at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
          at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
          at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
          at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
          at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
          at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
          at javax.naming.InitialContext.init(InitialContext.java:223)
          at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
          at com.adobe.idp.um.businesslogic.synch.LdapHelper.createContext(LdapHelper.java:663)
          at com.adobe.idp.um.businesslogic.synch.LdapHelper.testServerConfig(LdapHelper.java:682)
          at com.adobe.idp.um.ui.config.ConfigDirectoryEditAction.testServerSettings_onClick(ConfigDirectoryEditAction.java:215)
          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
          at java.lang.reflect.Method.invoke(Method.java:597)
          at com.cc.framework.adapter.struts.ActionUtil.handleFormAction(Unknown Source)
          at com.cc.framework.adapter.struts.FWAction.handleFormAction(Unknown Source)
          at com.cc.framework.adapter.struts.ActionUtil.execute(Unknown Source)
          at com.cc.framework.adapter.struts.FWAction.execute(Unknown Source)
          at com.cc.framework.adapter.struts.FWAction.execute(Unknown Source)
          at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431)
          at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236)
          at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1196)
          at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:432)
          at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
          at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
          at com.adobe.framework.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:173)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
          at com.adobe.idp.um.auth.filter.AuthenticationFilter.doFilter(AuthenticationFilter.java:154)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
          at com.adobe.idp.um.auth.filter.PortalSSOFilter.doFilter(PortalSSOFilter.java:91)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
          at com.adobe.idp.um.auth.filter.CSRFFilter.doFilter(CSRFFilter.java:41)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
          at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
          at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
          at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
          at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:179)
          at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)
          at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
          at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
          at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
          at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
          at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:543)
          at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
          at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:241)
          at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
          at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:580)
          at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
          at java.lang.Thread.run(Thread.java:619)
  Do you have some Idea?
  cu Floh

  I have not done it for Netscape yet but I have done it for Novell and JNDI.. Here is the settings for Novell
  // Dynamically set JSSE as a security provider
  Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
  // Dynamically set the property that JSSE uses to identify
  // the keystore that holds trusted root certificates
  System.setProperty("javax.net.ssl.trustStore", m_connectionData.getLocal("KeyStore").toString());
  ssf = new LDAPJSSESecureSocketFactory();
  // Set the socket factory as the default for all future connections
  LDAPConnection.setSocketFactory(ssf);

• FTP over SSL connectivity in File Adapter

  Hi All,
    I request your suggestion on my problem.  I have a scenario idoc to file where I am connecting to my vendor server throught SFTP (Ftp over SSL).  In this my vendor specifically told that to obtain secure FTP connectivity to their server they require a pre-approved Secure FTP client be used to access the service.
  So as per this requirement first our XI server need to coneect to the pre-approved client and the connectivity will happen to the vender server.  He list the pre-approved client as below
  *Cleo Lexicom 2.1
  *TrailBlazer ZMOD FTP Client V3R1 PTF Level PFT3100034
  *QualEDI for Windows, 32-bit version
  *Ascential DataStage TX, Release 7.5
  *Future 3 - Advanced Communication Module Plus (ACM Plus)
  *eBridge FTPS Communicator for GXS version 5.3
  *Ipswitch Inc's WS_FTP Professional version 8.02.
  ·Robo-FTP version 3.2
  Please let me know will this be possible from our file adapter.  Currently as per this requirement we open up the port of XI server for SFTP connecvity but through this we can have host to host connection over SFTP and not sure whether we can connect to client software and from their to vendor sever.
  Kindly needful your suggestion/solution on this.
  Regards,
  Dhill

  Hi,
    Thank you,  Yes I have used FTPS only please find the below details given in the communication channel.
  <b>FTP Connection Parameters</b>
  Server: ServerName
  Port : 6366 (specified by vendor)
  Data connection : Passive
  Timeout(secs) : 65
  Connection Security: FTPS (FTP Using SSL/TLS) for Control and Data Connection
  Command Order: AUTH TLS, USER, PASS, PBSZ, PROT
  Keystore: service_ssl
  X-509 Certificate and Private Key: ssl-credentials
  User Name : Vendor user name
  Password: Vendor given password
  Connect Mode: Permanantly
  Transfer Mode: Text
  Maximum Concurrency: 1
  and also as per he list given by vendeor we can use *Ipswitch Inc's WS_FTP Professional version 8.02.
  <b>Note:</b> We have Deploying the SAP Java Cryptographic Toolkit and also CA certificate used to sign the server certificate added to the TrustedCAs keystore view.
  So If possible i request you to kindly provide the details how we need to specify the client software between our XI server and Vender server as you mentioned in your solution.
  Please let me know your mail id, i will forward the screenshot of my communication channel.
  Kindly appreciate your help on this.
  Regards,
  Dhill.

• Connect MQ V6.0 from MQ adapter over SSL in BPEL 10g

  Hi All,
  I'm trying to connect to a remote MQ using MQ Adapter from my BPEL(10g) process. I'm able to deploy the process successfully after adding the jars file in server.xml.
  My process is a poller one it just dequeue the message upon any message arrival.
  But its not picking up the message in spite of having numerous message in queue,in log its showing ,
  Failed to create QueueManager.
  +[ManagedConnectionImpl] Error while creating QueueManager: "MQW1". [Caused by: CC=2;RC=2397;AMQ9641: Remote CipherSpec error for channel 'JAVA.BSS_VSS.CLIENT'. [3=JAVA.BSS_VSS.CLIENT]]+
  Refer WebSphere MQ Reference Manual for Reason Code 2,397 and fix the cause of the error. Contact oracle support if error is not fixable.
  +[Caused by: CC=2;RC=2397;AMQ9641: *Remote CipherSpec error for channel* 'JAVA.BSS_VSS.CLIENT'. [3=JAVA.BSS_VSS.CLIENT]]+
  +; nested exception is:+
  +     ORABPEL-12511+
  I've got the SSL Cipher suite =SSL_RSA_WITH_3DES_EDE_CBC_SHA from client but don't know where to set that property.
  Would anyone let me know the procedures of invoking MQ over SSL in BPEL 10g.
  Thanks in Advance,
  Shreekanta

  I'm looking for exact property need to be set for SSL in Oracle MQ adapter.
  It would be very helpful if Oracle have some standard docs.

• Errors in mail logs - Launchd

  My mail error log is full of these. It adds a new one every 10 seconds. Any idea how to stop it?
  Main log -
  Jul 1 03:07:09 mikeg com.apple.launchd[1] (org.postfix.master[23236]): Exited with exit code: 1
  Jul 1 03:07:09 mikeg com.apple.launchd[1] (org.postfix.master): Throttling respawn: Will start in 9 seconds
  Mail.log -
  Jul 1 03:09:58 mikeg postfix/master[23287]: fatal: chdir /private/var/spool/postfix: No such file or directory
  Jul 1 03:10:09 mikeg postfix/master[23290]: fatal: chdir /private/var/spool/postfix: No such file or directory
  Jul 1 03:10:19 mikeg postfix/master[23291]: fatal: chdir /private/var/spool/postfix: No such file or directory
  Jul 1 03:10:29 mikeg postfix/master[23294]: fatal: chdir /private/var/spool/postfix: No such file or directory

  Dan F wrote:
  I may have caused it at some point when i was messing with some different mailing packages for newsletter management.
  Here's the output -
  0 drwxr-xr-x 4 root wheel 136 Mar 7 09:39 .
  0 drwxr-xr-x 25 root wheel 850 Jan 12 12:14 ..
  0 drwxrwxrwx 2 nobody nobody 68 Mar 7 09:39 PDFMaker
  0 drwx--x--- 33 root _lp 1122 Jun 26 01:45 cups
  Yup, you're correct: You've done some messing-up somtime, somewhere!
  Now you need to figure out where you've left the launchd Daemon/Agent that causes the respawning of this doomed job. There are all over the place!
  Try this, but on your side. No need to post the full results here: It'll be too long.
  The 'ls -lrt' command sorts by last accessed time. So, you'll most likely to get the non-Apple ones listed last
  ls -lrt /System/Library/LaunchDaemons/
  ls -lrt /System/Library/LaunchAgents/
  ls -lrt /Library/LaunchDaemons/
  ls -lrt /Library/LaunchAgents/
  ls -lrt ~/Library/LaunchAgents/
  There is a bunch of plist (XML) files. One may spark in you some souvenir of what you've tried once and canceled.
  Remember that deleting an application from the /Application folder is NOT ENOUGH to uninstall a program!
  On good hint for you is to hit Command-I when a package installer runs. This will show you all the files that will be installed. Good thing to remember of those when you want to uninstall an application. There are some applications that take care of nicely uninstalling other applications ... removing launchd daemons/agents.
  Give a try first with
  ls -lrt /Library/LaunchAgents/
  My bet it's here.
  Good luck,
  Thierry