[Dovecot] uid fetch/store always use the last uid when range is invalid

2010-03-11 Thread Jean-Baptiste Vignaud
Hello all,

One colleague found a strange behavior that can be annoying:

-bash-3.1$ telnet 0 143
Trying 0.0.0.0...
Connected to 0 (0.0.0.0).
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
AUTH=PLAIN AUTH=CRAM-MD5] Dovecot ready.
l login login pass
l OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT
IDLE CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE
QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS
QUOTA] Logged in
l select inbox
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)]
Flags permitted.
* 281 EXISTS
* 0 RECENT
* OK [UNSEEN 7] First unseen.
* OK [UIDVALIDITY 1223038537] UIDs valid
* OK [UIDNEXT 363] Predicted next UID
* OK [HIGHESTMODSEQ 1] Highest
l OK [READ-WRITE] Select completed.
l uid fetch 363:* rfc822.size
* 281 FETCH (UID 362 RFC822.SIZE 1559)
l OK Fetch completed.

And more annoying:

l uid store 100:* +flags (\Seen \Deleted)
* 281 FETCH (UID 362 FLAGS (\Deleted \Seen))
l OK Store completed.


# 1.2.10: /xam/dovecot/etc/dovecot.conf
# OS: Linux 2.6.22.14-72.fc6 i686 Fedora Core release 6 (Zod) ext3
base_dir: /opt/dovecot/var/run
log_path: /opt/logs/dovecot/dovecot.log
info_log_path: /opt/logs/dovecot-info.log
protocols: imap pop3 managesieve
listen(default): *
listen(imap): *
listen(pop3): *
listen(managesieve): *:2000
ssl: no
disable_plaintext_auth: no
login_dir: /opt/dovecot/var/run/login
login_executable(default): /xam/dovecot/libexec/dovecot/imap-login
login_executable(imap): /xam/dovecot/libexec/dovecot/imap-login
login_executable(pop3): /xam/dovecot/libexec/dovecot/pop3-login
login_executable(managesieve): /xam/dovecot/libexec/dovecot/managesieve-login
login_user: dovelog
mail_location: maildir:/opt/vmail/%d/%n
mail_cache_fields: imap.bodystructure, imap.body, mime.parts, flags, date.sent, date.received, size.virtual, size.physical
mail_executable(default): /xam/dovecot/libexec/dovecot/imap
mail_executable(imap): /xam/dovecot/libexec/dovecot/imap
mail_executable(pop3): /xam/dovecot/libexec/dovecot/pop3
mail_executable(managesieve): /xam/dovecot/libexec/dovecot/managesieve
mail_plugins(default): quota imap_quota
mail_plugins(imap): quota imap_quota
mail_plugins(pop3): quota
mail_plugins(managesieve):
mail_plugin_dir(default): /xam/dovecot/lib/dovecot/imap
mail_plugin_dir(imap): /xam/dovecot/lib/dovecot/imap
mail_plugin_dir(pop3): /xam/dovecot/lib/dovecot/pop3
mail_plugin_dir(managesieve): /xam/dovecot/lib/dovecot/managesieve
lda:
  postmaster_address: postmas...@linux15.xandmail.com
  sendmail_path: /opt/postfix/usr/sbin/sendmail
  auth_socket_path: /opt/dovecot/var/run/dovecot/auth-master
  sendmail_path: /xam/postfix/usr/sbin/sendmail
  mail_plugins: quota sieve
  log_path: /xam/logs/deliver/deliver.log
  info_log_path: /xam/logs/deliver/deliver.log
auth default:
  mechanisms: plain cram-md5 apop
  user: dovecot
  passdb:
    driver: sql
    args: /opt/dovecot/etc/dovecot-mysql.conf
  userdb:
    driver: sql
    args: /opt/dovecot/etc/dovecot-mysql.conf
  socket:
    type: listen
    client:
      path: /opt/dovecot/var/run/dovecot/auth-client
      mode: 432
      user: postfix
      group: postfix
    master:
      path: /opt/dovecot/var/run/dovecot/auth-master
      mode: 384
      user: vmail
      group: vmail
plugin:
  quota: dict:user::proxy::quotadict
  quota_rule: *:storage=100M
  quota_rule2: *:messages=100
  sieve: %h/sieve/dovecot.sieve
  sieve_global_path: /xam/dovecot/etc/sieve/default
  sieve_global_dir: /xam/dovecot/etc/sieve
  sieve_dir: %h/sieve/
  mail_log_max_lines_per_sec: 0
  mail_log_group_events: no
  mail_log_events: delete undelete expunge copy
  mail_log_fields: uid box msgid size
dict:
  quotadict: mysql:/opt/dovecot/etc/dovecot-dict-quota.conf
  path: /opt/dovecot/var/run/dict-server


Re: [Dovecot] uid fetch/store always use the last uid when range is invalid

2010-03-11 Thread Timo Sirainen
On 11.3.2010, at 11.27, Jean-Baptiste Vignaud wrote:

> One colleague found a strange behavior that can be annoying:
..
> And more annoying:
> 
> l uid store 100:* +flags (\Seen \Deleted)
> * 281 FETCH (UID 362 FLAGS (\Deleted \Seen))
> l OK Store completed.

and exactly as required by RFC 3501.



Re: [Dovecot] uid fetch/store always use the last uid when range is invalid

2010-03-11 Thread Jean-Baptiste Vignaud
On Thu, Mar 11, 2010 at 10:54 AM, Timo Sirainen  wrote:

>> One colleague found a strange behavior that can be annoying:
> ..
>> And more annoying:
>>
>> l uid store 100:* +flags (\Seen \Deleted)
>> * 281 FETCH (UID 362 FLAGS (\Deleted \Seen))
>> l OK Store completed.
>
> and exactly as required by RFC 3501.

Thanks; I'll tell him :)

It seems he has seen another server that does not comply with this.

JB


Re: [Dovecot] uid fetch/store always use the last uid when range is invalid

2010-03-11 Thread Timo Sirainen
On 11.3.2010, at 12.07, Jean-Baptiste Vignaud wrote:

>>> l uid store 100:* +flags (\Seen \Deleted)
>>> * 281 FETCH (UID 362 FLAGS (\Deleted \Seen))
>>> l OK Store completed.
>> 
>> and exactly as required by RFC 3501.
> 
> Thanks; I'll tell him :)
> 
> It seems he has seen another server that does not comply with this.

Yeah, Courier doesn't. Anyway if you're writing an IMAP client, you could 
instead do:

uid store 100:4294967295

that'll do what you want.
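The UID semantics discussed in this thread, as an added example that is not code from Dovecot or from any poster: a small Python resolver that applies the RFC 3501 sequence-set rules to a constructed mailbox whose highest UID is 362 (as in the session above), showing why `363:*` still selects UID 362 and why the `100:4294967295` form avoids that.

```python
"""Resolve an IMAP UID sequence-set against the UIDs assigned in a mailbox.

Added example; not code from Dovecot or from the thread.  It applies the
RFC 3501 rules the reply relies on: in a range, '*' stands for the largest
UID in use, "4:2" means the same as "2:4", and UIDs that do not exist are
ignored.  Together those rules make "363:*" select the last message even
when 363 is higher than any assigned UID, while an explicit upper bound of
4294967295 (the largest possible UID) selects nothing below the lower bound.
"""

MAX_UID = 2**32 - 1   # largest value an IMAP UID can take

# Constructed mailbox: highest assigned UID 362, as in the session quoted
# in the thread (UIDNEXT 363); the lower UIDs are made up for the example.
MAILBOX_UIDS = list(range(1, 60)) + [362]


def _seq_number(token, max_uid):
    """Parse one endpoint of a range: a non-zero decimal UID or '*'."""
    if token == "*":
        return max_uid
    if not token.isdigit() or int(token) == 0 or int(token) > MAX_UID:
        raise ValueError(f"invalid sequence number: {token!r}")
    return int(token)


def resolve_uid_set(sequence_set, mailbox_uids):
    """Return the sorted existing UIDs selected by an RFC 3501 sequence-set.

    An empty mailbox matches nothing.  Ranges are normalised so that the
    smaller endpoint comes first, which is exactly why "363:*" on a mailbox
    whose highest UID is 362 becomes 362:363 and still matches UID 362.
    """
    uids = sorted(set(mailbox_uids))
    if not uids:
        return []
    max_uid = uids[-1]
    selected = set()
    for part in sequence_set.split(","):
        lo_token, _, hi_token = part.partition(":")
        lo = _seq_number(lo_token, max_uid)
        hi = _seq_number(hi_token, max_uid) if hi_token else lo
        lo, hi = min(lo, hi), max(lo, hi)
        selected.update(u for u in uids if lo <= u <= hi)
    return sorted(selected)


def explicit_upper_range(first_uid):
    """Client-side workaround from the thread: bound the range by the largest
    possible UID instead of '*', so the range can never wrap below first_uid."""
    return f"{first_uid}:{MAX_UID}"


if __name__ == "__main__":
    for query in ("363:*", "100:*", explicit_upper_range(363), "1:3,*"):
        print(f"uid fetch {query:<16} -> {resolve_uid_set(query, MAILBOX_UIDS)}")
```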



[Dovecot] troubles with expire plugin

2010-03-11 Thread Denis Fateyev
Hello there,

Now I'm using the `expire` plugin and getting into trouble with a cronjob (from
user `exim`):
/usr/sbin/dovecot --exec-mail ext /usr/libexec/dovecot/expire-tool.sh

Fatal: setgid(12(mail)) failed with euid=93(exim), gid=93(exim),
egid=93(exim): Operation not permitted (This binary should probably be
called with process group set to 12(mail) instead of 93(exim))

The same error occurs when I run this command from `exim` user with sudo.


My dovecot v1.2.11 configuration:

dovecot.conf
-
...
socket listen {
  master {
    path = /var/run/dovecot/auth-master
    mode = 0660
    user = exim
    group = mail
  }
  client {
    path = /var/spool/exim/private-auth
    mode = 0660
    user = exim
    group = mail
  }
}
...

userdb-sql.conf

# exim uid: 93, mail gid: 12
user_query = SELECT CONCAT('/var/mail/', maildir) AS home, \
CONCAT('maildir:/var/mail/', maildir) AS mail, 93 AS uid, 12 AS gid, \
CONCAT('*:storage=', quota, 'B') AS quota_rule, \
'storage=90%% /usr/libexec/dovecot/quota_warning.sh 90' AS quota_warning \
FROM mailbox WHERE username = '%u' AND active = '1'

password_query = SELECT username AS user, password, \
CONCAT('/var/mail/', maildir) AS userdb_home, \
CONCAT('maildir:/var/mail/', maildir) AS userdb_mail, \
93 AS userdb_uid, 12 AS userdb_gid, \
CONCAT('*:storage=', quota, 'B') AS userdb_quota_rule, \
'storage=90%% /usr/libexec/dovecot/quota_warning.sh 90' AS
userdb_quota_warning \
FROM mailbox WHERE username = '%u' AND active = '1'

(Maybe some additional information is required?)

All is working fine with Dovecot except this issue with the `expire` plugin.
How do I avoid it?
As I see it, it works if I run this command as `root` instead of
`exim`, but I don't think it would be right to leave it in root's
crontab.

Thanks,

---
wbr, Denis.


[Dovecot] IMAP proxy configuration

2010-03-11 Thread Leonardo Rodrigues



I know Dovecot can act as an IMAP and POP3 proxy, but I'm having
a hard time configuring it. Actually I'm using a simple Dovecot
configuration with virtual users stored in MySQL. My dovecot-sql.conf is
pretty simple:




[r...@correio dovecot]# cat dovecot-sql.conf
driver = mysql
connect = host=localhost dbname=DATABASE user=USERNAME password=PASSWORD

default_pass_scheme = PLAIN

# Get the mailbox
user_query = select '/var/spool/mail/%u' as home, \
  'maildir:/var/spool/mail/%u' as mail, 8 as uid, 12 as gid, \
  concat('*:storage=', quota) as quota_rule, 'Trash:storage=100M' as \
  quota_rule2 from emails where endereco = '%u' and ativa = '1'


# Get the password
password_query = select endereco as user, password, '/var/spool/mail/%u' \
  as userdb_home, 'maildir:/var/spool/mail/%u' as userdb_mail, 8 as \
  userdb_uid, 12 as userdb_gid, concat('*:storage=', quota) as \
  userdb_quota_rule, 'Trash:storage=100M' as userdb_quota_rule2 from \
  emails where endereco = '%u' and ativa = '1'

[r...@correio dovecot]#


I've read several docs about configuring proxying on Dovecot, but all
of them talk about proxying specific users. I'm interested in
proxying some domains. I couldn't find a way to configure that, nor any
howto similar to that.


Could anyone point me to some documentation on configuring Dovecot as an
IMAP/POP3 proxy for a full domain and not specific users? Ideally I
would have a list of domains that should be proxied to somewhere else
and all the other domains would be treated locally.


Thanks.





--


Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

My SPAM trap, do NOT send email
gertru...@solutti.com.br
My SPAMTRAP, do not email it






Re: [Dovecot] IMAP proxy configuration

2010-03-11 Thread mail...@securitylabs.it

On 11/03/2010 13:27, Leonardo Rodrigues wrote:

[cut]


# Get the password
password_query = select endereco as user, password, 
'/var/spool/mail/%u' as userdb_home, 'maildir:/var/spool/mail/%u' as 
userdb_mail, 8 as userdb_uid, 12 as userdb_gid, concat('*:storage=', 
quota) as userdb_quota_rule, 'Trash:storage=100M' as 
userdb_quota_rule2 from emails where endereco = '%u' and ativa = '1'

[r...@correio dovecot]#


I've read several docs about configuring proxying on Dovecot, but all
of them talk about proxying specific users. I'm interested in
proxying some domains. I couldn't find a way to configure that, nor any
howto similar to that.


Could anyone point me to some documentation on configuring Dovecot as an
IMAP/POP3 proxy for a full domain and not specific users?



Just insert a column in the MySQL table with the host relative to the 
domain. This is my configuration on the proxy:



password_query = SELECT users.clear AS password, domains.host, \
  '%u*proxy' AS destuser, 'proxy' AS pass, 'Y' AS proxy FROM users,domains \
  WHERE users.username = '%u' AND users.enabled = '1' AND domains.domain = '%d'


In the table "domains" I have a column "domain" with the list of domains 
I want to proxy, and a column "host" with the IP of the pop/imap server.


Re: [Dovecot] Scalability plans: Abstract out filesystem and make it someone else's problem

2010-03-11 Thread Ed W

On 10/03/2010 21:19, Timo Sirainen wrote:

On 10.8.2009, at 20.01, Timo Sirainen wrote:

   

(3.5. Implement async I/O filesystem backend.)
 

You know what I found out today? Linux doesn't support async IO for regular 
buffered files. I had heard there were issues, but I thought it was mainly 
about some annoying APIs and such. Anyone know if some project has successfully 
figured out some usable way to do async disk IO? The possibilities seem to be:

a) Use Linux's native AIO, which requires direct-io for files. This *might* not 
be horribly bad for mail files. After all, same mail is rarely read multiple 
times. Except when parsing its headers first and then its body. Maybe the 
process could do some internal buffering?..

I guess no one ever tried my posix_fadvise() patch? The idea was that it would 
tell the kernel after closing a mail file that it's no longer needed in memory, 
so kernel could remove it from page cache. I never heard any positive or 
negative comments about how it affected performance.. 
http://dovecot.org/patches/1.1/fadvise.diff

b) Use threads, either via some library or implement yourself. Each thread of 
course uses some extra memory. Also enabling threads causes glibc to start 
using a thread-safe version of malloc() (I think?), which slows things down 
(unless that can be avoided, maybe by using clone() directly instead of 
pthreads?).

c) I read someone's idea about using posix_fadvise() and fincore() functions to somehow 
make it "kind of work, usually, maybe". I'm not sure if there's a practical way 
to make them work though. And of course I don't think fincore() has even been accepted by 
Linus yet.

   


Perhaps mail this question to the kernel list, stand back and watch it 
ignite?


Ed


Re: [Dovecot] IMAP proxy configuration

2010-03-11 Thread Leonardo Rodrigues

On 11/03/2010 09:53, mail...@securitylabs.it wrote:


Just insert a column in the MySQL table with the host relative to the 
domain. This is my configuration on the proxy:



password_query = SELECT users.clear AS password, domains.host, 
'%u*proxy' AS destuser, 'proxy' AS pass, 'Y' AS proxy FROM 
users,domains WHERE users.username = '%u' AND users.enabled = '1' AND 
domains.domain = '%d'


In the table "domains" I have a column "domain" with the list of 
domains I want to proxy, and a column "host" with the IP of the 
pop/imap server.




And for local domains I could return 127.0.0.1 as the host... is that 
what you're doing for local domains?



--


Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

My SPAM trap, do NOT send email
gertru...@solutti.com.br
My SPAMTRAP, do not email it






Re: [Dovecot] IMAP proxy configuration

2010-03-11 Thread mail...@securitylabs.it

On 11/03/2010 17:14, Leonardo Rodrigues wrote:

On 11/03/2010 09:53, mail...@securitylabs.it wrote:


Just insert a column in the MySQL table with the host relative to the 
domain. This is my configuration on the proxy:



password_query = SELECT users.clear AS password, domains.host, 
'%u*proxy' AS destuser, 'proxy' AS pass, 'Y' AS proxy FROM 
users,domains WHERE users.username = '%u' AND users.enabled = '1' AND 
domains.domain = '%d'


In the table "domains" I have a column "domain" with the list of 
domains I want to proxy, and a column "host" with the IP of the 
pop/imap server.




And for local domains I could return 127.0.0.1 as the host... is 
that what you're doing for local domains?



No, because I don't have local domains; I use the proxy on a public network to 
allow access to the real servers on the private LAN, but I think you 
have to use proxy_maybe and 127.0.0.1 for local domains:


http://wiki.dovecot.org/PasswordDatabase/ExtraFields/Proxy


Re: [Dovecot] IMAP proxy configuration

2010-03-11 Thread ben
No, because I don't have local domains; I use the proxy on a public network to allow 
access to the real servers on the private LAN, but I think you have to use 
proxy_maybe and 127.0.0.1 for local domains:


http://wiki.dovecot.org/PasswordDatabase/ExtraFields/Proxy


We use the external IP of the local host (or the second dovecot backend) 
because things aren't listening on that interface, FWIW.


[Dovecot] Sendmail / Dovecot Config

2010-03-11 Thread John Moorhouse
I'm trying to set up Dovecot on a Fedora box for about 5 users. I have a
RAID 5 array that is used for home folders etc. mounted on /home, and I've
created a directory /home/mail, which I have used a symlink to map
/var/mail to. I've created folders for each of the users with relevant
permissions and edited the Dovecot config with:

namespace private {
  separator = /
  prefix = "#dbox/"
  location = dbox:~/mail:INBOX=/var/mail/%u
  inbox = yes
  hidden = yes
  list = no   # for v1.1+
}
namespace private {
  separator = /
  prefix =
  location = dbox:/var/mail/%u/mail
}

I was hoping that this would create an inbox in the root of each user's
folder in the mail directory and a sub folder to hold any user-created
folders.

This all seems to work, as I can create folders, copy emails to them,
rearrange the folders etc. as I want via a mail client using IMAP on 143.

My only problem is that I have also configured sendmail as best as I know
to listen on port 25 as an SMTP client, but any emails sent to it to one of
the email addresses are saved by sendmail to /var/spool/mail/username and
not picked up by Dovecot.

Thanks

John


[Dovecot] sieve fileinto rule (pigeonhole)

2010-03-11 Thread Oliver Eales
Hello,

I discovered that when a sieve rule "fileinto drawer;" tries to deliver
a mail into a non-existent drawer, the drawer gets created.
This is neat, but is there also a way to automatically subscribe to the
created folder?

Regards,
Oliver Eales



Re: [Dovecot] Sendmail / Dovecot Config

2010-03-11 Thread Dennis Guhl
On Thu, Mar 11, 2010 at 04:40:27PM +, John Moorhouse wrote:

[..]

> My only problem is that I have also configured sendmail as best as I know
> to listen on port 25 as an SMTP client, but any emails sent to it to one of
> the email addresses are saved by sendmail to /var/spool/mail/username and
> not picked up by Dovecot.

You might want to tell sendmail how to deliver mail to Dovecot. For
example, this can be done with Dovecot's LDA:

http://wiki.dovecot.org/LDA
http://wiki.dovecot.org/LDA/Sendmail

Bye
Dennis


Re: [Dovecot] sieve fileinto rule (pigeonhole)

2010-03-11 Thread Stephan Bosch

Oliver Eales wrote:

Hello,

I discovered that when a sieve rule "fileinto drawer;" tries to deliver
a mail into a non-existent drawer, the drawer gets created.
This is neat, but is there also a way to automatically subscribe to the
created folder?


Yes, but not explicitly through some Sieve command. You must use the -s 
deliver parameter:


http://wiki.dovecot.org/LDA#Parameters

You can disable the implicit auto-creation with the -n parameter. You 
can then use Sieve's mailbox extension 
(http://ietfreport.isoc.org/idref/rfc5490/#page-2) to :create folders 
explicitly upon fileinto. However, -s is always necessary to subscribe 
to the newly created folder. Also note that IMAP clients will not 
instantly notice the newly created and subscribed folder, since IMAP has 
no (default) means for sending a notification of such an event.


Regards,

Stephan.



[Dovecot] Emails Disappearing -- Mystery

2010-03-11 Thread Mario Antonio
I got a case that I haven't been able to resolve. I hope somebody can 
give me some hints.


One of our users is reporting emails disappearing in front of his eyes 
(right... email filters at the client side).


Server does not have global sieve filter enabled (no file present), even 
though this configuration is present:

  sieve_global_path=/vmail/globalsieverc

User does not have any sieve scripts enabled at the server side.

Ok,

1)
The user shuts down his apple mail software, his Iphone, and the Web 
interface:


2010-03-11 15:52:57 IMAP(my_u...@mydomain.com): Info: Connection closed bytes=2188/6499
2010-03-11 15:52:57 IMAP(my_u...@mydomain.com): Info: Connection closed bytes=3887/7336
2010-03-11 15:52:57 IMAP(my_u...@mydomain.com): Info: Connection closed bytes=5873/68309
2010-03-11 15:52:57 IMAP(my_u...@mydomain.com): Info: Disconnected in IDLE bytes=4514/547136


2)
He generates the troublesome emails from a notification system in 
Craigslist.
We can see the email hitting the inbox (we also see in Postfix this 
email going to Dovecot):
2010-03-11 15:54:48 deliver(my_u...@mydomain.com): Info: from=nore...@craigslist.org : msgid=<20100311205447.0c0fe118...@web8p.int.craigslist.org> : saved mail to INBOX


3)
Email is deleted !!!
2010-03-11 15:54:49 IMAP(my_u...@mydomain.com): Info: delete: uid=10719, flags=(\Deleted \Recent $Junk), msgid=<20100311205447.0c0fe118...@web8p.int.craigslist.org>, from=craigslist.org , subject=POST/EDIT/DELETE : (accounting/financejobs) Test Post
2010-03-11 15:54:49 IMAP(my_u...@mydomain.com): Info: expunge: uid=10719, flags=(\Deleted \Recent $Junk), msgid=<20100311205447.0c0fe118...@web8p.int.craigslist.org>, from=craigslist.org , subject=POST/EDIT/DELETE : (accounting/finance jobs) Test Post , size=2776


Who is deleting this email ?
I can see the flag $Junk ... perhaps some filter somewhere is seeing 
that flag and proceeding to delete it.
If I understand sieve filters at the server side, they will act in the 
deliver process. So once the email is saved into INBOX,  sieve filters 
will not count. Am I right?


Any Hints?

# 1.2.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.26-2-686-bigmem i686 Debian 5.0.4 xfs


Regards,

Mario Antonio
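One way to work the question "who is deleting this email?" from mail_log output like the lines quoted above, as an added example that is not code from the thread or from Dovecot: it parses lines of the same shape (deliver ... saved mail to INBOX, then IMAP delete/expunge), matches them by msgid, and reports how many seconds after delivery the delete happened and which process prefix (IMAP(...) or deliver(...)) issued it. The log lines, addresses and message-ids in the block are constructed placeholders.

```python
"""Correlate Dovecot mail_log events: how soon after delivery was a message
deleted, and by which process?

Added example, not code from the thread.  Sieve runs inside the delivery
process, so a Sieve action shows up under the deliver(...) prefix, while a
delete logged under IMAP(...) came through an IMAP session (a client-side
rule, a webmail backend, a phone).  Sample lines below are constructed.
"""
import re
from datetime import datetime

# Constructed sample in the shape of the lines quoted in the post.
SAMPLE_LOG = """\
2010-03-11 15:54:48 deliver(user@example.test): Info: from=noreply@example.test : msgid=<msg-1@example.test> : saved mail to INBOX
2010-03-11 15:54:49 IMAP(user@example.test): Info: delete: uid=10719, flags=(\\Deleted \\Recent $Junk), msgid=<msg-1@example.test>, from=example.test , subject=Test Post
2010-03-11 15:54:49 IMAP(user@example.test): Info: expunge: uid=10719, flags=(\\Deleted \\Recent $Junk), msgid=<msg-1@example.test>, from=example.test , subject=Test Post , size=2776
2010-03-11 16:10:02 deliver(user@example.test): Info: from=someone@example.test : msgid=<msg-2@example.test> : saved mail to INBOX
2010-03-11 18:30:00 IMAP(user@example.test): Info: delete: uid=10720, flags=(\\Deleted \\Seen), msgid=<msg-2@example.test>, from=example.test , subject=Later
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"(?P<proc>\w+)\((?P<user>[^)]*)\): Info: (?P<rest>.*)$")
MSGID_RE = re.compile(r"msgid=(<[^>]*>)")
FLAGS_RE = re.compile(r"flags=\(([^)]*)\)")


def parse_events(text):
    """Yield (timestamp, process, user, event, msgid, flags) for the
    'saved mail to INBOX', 'delete:' and 'expunge:' lines; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        if rest.endswith("saved mail to INBOX"):
            event = "saved"
        elif rest.startswith(("delete:", "expunge:")):
            event = rest.split(":", 1)[0]
        else:
            continue
        mid = MSGID_RE.search(rest)
        fl = FLAGS_RE.search(rest)
        yield (datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
               m.group("proc"), m.group("user"), event,
               mid.group(1) if mid else None,
               tuple(fl.group(1).split()) if fl else ())


def quick_deletions(text, max_seconds=60):
    """Return one dict per message deleted within max_seconds of delivery:
    msgid, seconds between save and delete, deleting process, flags at delete."""
    saved = {}
    results = []
    for ts, proc, _user, event, msgid, flags in parse_events(text):
        if event == "saved" and msgid:
            saved[msgid] = ts
        elif event == "delete" and msgid in saved:
            delta = (ts - saved[msgid]).total_seconds()
            if delta <= max_seconds:
                results.append({"msgid": msgid, "seconds": delta,
                                "deleted_by": proc, "flags": flags})
    return results


if __name__ == "__main__":
    for r in quick_deletions(SAMPLE_LOG):
        print(f"{r['msgid']} deleted by {r['deleted_by']} "
              f"{r['seconds']:.0f}s after delivery, flags {r['flags']}")
```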


Re: [Dovecot] Scalability plans: Abstract out filesystem and make it someone else's problem

2010-03-11 Thread Sebastian Färber
> b) Use threads, either via some library or implement yourself. Each thread of 
> course uses some extra memory. Also enabling threads causes glibc to start 
> using a thread-safe version of malloc() (I think?), which slows things down 
> (unless that can be avoided, maybe by using clone() directly instead of 
> pthreads?).

Perhaps libeio (http://software.schmorp.de/pkg/libeio.html) is a good
starting point?
I don't have any experience with it but it's used by node.js
(http://nodejs.org/) for the async I/O stuff.

-Sebastian


[Dovecot] patch: allow proxy to lookup host by name

2010-03-11 Thread Martin F. Foster
This patch allows the Dovecot proxy processes to look up the destination 
host by name instead of IP address. Tested against 1.2.10, expected to 
work against 1.2.11.


The patch is pretty straightforward, it's making it work within the 
restrictions of the login process that's more interesting.


I have made some changes to the wiki (pending approval) to
- enhance the discussion of proxy with LDAP 
http://wiki.dovecot.org/PasswordDatabase/ExtraFields/Proxy
- discuss the implication of this patch w.r.t. the login_chroot 
configuration parameter: 
http://wiki.dovecot.org/PasswordDatabase/ExtraFields/Proxy/HostLookup


Feedback is appreciated, particularly from a security standpoint.

Cheers,

-Martin Foster
martin_fos...@netlog.net


dump of wiki info, for the lazy.  It will look better if viewed from the 
URL:

http://wiki.dovecot.org/PasswordDatabase/ExtraFields/Proxy/HostLookup


For all released versions of Dovecot, the "host" referred to in a
proxy or proxy_maybe lookup must be an IP address; see the main
PasswordDatabase/ExtraFields/Proxy page for more info.


A patch is available to enable lookups, but it has some important caveats 
due to the nature of the LoginProcess that the proxy function is a part 
of. This page exists to discuss these.



The Problem

Proxying is done from the dovecot login processes, both pop3-login & 
imap-login call code in src/login-common/login-proxy.c to handle the 
proxying to the given host.


If the host is not an IP address, name resolution must be done. Two 
options from dovecot's configuration:



1. Dovecot running with root

Dovecot is started as root and drops privileges later; this is the 
recommended way of running Dovecot. Set by the config option: 
login_chroot = yes.


In this mode, the login process is chrooted to login_dir, from which the 
proposed patch adds name resolution. Resolution is done via dovecot's 
net_gethostbyname() function - a wrapper for getaddrinfo/gethostbyname 
depending on compile-time platform support.


These functions need access to the name service switch configuration, 
then whatever dependencies are required to consult the host resolution 
databases stipulated.


So, if the /etc/nsswitch.conf hosts entry is:

hosts:  dns files

Then the system will need access to /etc/resolv.conf and the nss_dns 
libraries for "dns" lookup, and /etc/hosts for "files" lookup.


The exact files will vary by platform/operating system, but these all 
need to be available in the chroot for the lookup to succeed.


And, if dovecot.conf has:

login_chroot = yes
login_dir = /var/run/dovecot/login
login_user = dovecotuser

Then for the nsswitch.conf entry above, the following files need to be 
copied (not symbolically linked!) to the chroot. This example is for a 
64-bit RHEL5 system, with 64-bit dovecot daemon. Ownership of the new 
directories must be set to whatever the login_user is set to.


mkdir /var/run/dovecot/login/etc
mkdir /var/run/dovecot/login/lib64
cp /etc/nsswitch.conf /etc/resolv.conf /etc/hosts /var/run/dovecot/login/etc
cp /lib64/libnss_dns.so.2 /var/run/dovecot/login/lib64
chown -R dovecotuser:dovecotuser /var/run/dovecot/login/etc
chown -R dovecotuser:dovecotuser /var/run/dovecot/login/lib64

Remember that the ownership of the login_dir itself *must not* be 
changed. So:


# ls -ld /var/run/dovecot/login/
drwxr-x--- 4 root dovecotuser 4096 Mar 12 06:48 /var/run/dovecot/login/


Troubleshooting

If the lookup fails because of a perceived lookup-in-chroot issue, an 
error message of this form will be printed to the logs:


dovecot: pop3-login: proxy(t...@domain1.test): cannot resolve mailhost.domain1.test. If name resolution is working outside dovecot, it may be a chroot issue. See LoginProcess on wiki, and login_dir & login_chroot in config.

Clients will receive a much less descriptive, general error message, for 
example with POP3:


-ERR [IN-USE] Account is temporarily unavailable.

Things to check

  1. does name resolution work for normal users? the dovecot user?
  2. are all the files required by the Name Service Switch's
     configuration available? Use a process tracing tool such as strace
     or truss against the pop3-login or imap-login processes to check.
  3. are other security measures interfering? eg:
     1. SELinux (RedHat EL, CentOS, Oracle EL)
     2. AppArmor (SuSE, Ubuntu?)
     3. RBAC (Solaris, OpenSolaris)


Caveats

This procedure allows the chroot'ed login to do something, which forms a 
security risk if the libraries in the chroot are exploitable.


It will be up to the operator to ensure that the copy of the files in 
the chroot