Re: [Dovecot] v2.2.rc5 released
Oscar del Rio wrote:
> On 04/ 5/13 02:07 PM, Timo Sirainen wrote:
>> Please test before that. :)
>
> so far so good, on Solaris 11.1 :)

+FreeBSD 9-STABLE

Regards,
Michael
Re: [Dovecot] password encryption
On Fri, 2013-04-05 at 23:36 -0700, Jim Pazarena wrote:
> I have just come to the realization that password encryption using the
> crypt function in linux, ONLY USES THE FIRST 8 CHARS. I have written
> routines using crypt allowing 16+ chars, and find that anything past 8
> is ignored. Wow.

this was true in decades of old, but has not been the case for many, many, years - upgrade your system.
Re: [Dovecot] password encryption
On 4/5/2013 11:36 PM, Jim Pazarena wrote:
> I have just come to the realization that password encryption using the
> crypt function in linux, ONLY USES THE FIRST 8 CHARS. I have written
> routines using crypt allowing 16+ chars, and find that anything past 8
> is ignored. Wow.
>
> Is there a way around this that can be used in dovecot, as well as
> encryption routines for an email front end? (not system users).
> It's the integration with dovecot which is the most important.

Dovecot supports *many* password hashing algorithms. Switch to SHA512 if you want good security.

Generally the system figures out what hash a password is stored in, so you can mix and match. Set a default, and all new passwords, plus whenever a user changes their password, will generate a hash in the new format.

Dem
Re: [Dovecot] password encryption
On 4/5/2013 11:36 PM, Jim Pazarena wrote:
> I have just come to the realization that password encryption using the
> crypt function in linux, ONLY USES THE FIRST 8 CHARS. I have written
> routines using crypt allowing 16+ chars, and find that anything past 8
> is ignored. Wow.
>
> Is there a way around this that can be used in dovecot, as well as
> encryption routines for an email front end? (not system users).

Remember that most Linux distros offer a way to configure the default password salt/encryption scheme. Look in /etc/login.defs or equivalent on your distro. With any semi-recent glibc + contemporaneous toolchain, you'll see options like:

#
# Only works if compiled with ENCRYPTMETHOD_SELECT defined:
# If set to MD5 , MD5-based algorithm will be used for encrypting password
# If set to SHA256, SHA256-based algorithm will be used for encrypting password
# If set to SHA512, SHA512-based algorithm will be used for encrypting password
# If set to DES, DES-based algorithm will be used for encrypting password (default)
# Overrides the MD5_CRYPT_ENAB option
#
ENCRYPT_METHOD SHA512

#
# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
#
# Define the number of SHA rounds.
# With a lot of rounds, it is more difficult to brute forcing the password.
# But note also that it more CPU resources will be needed to authenticate
# users.
#
SHA_CRYPT_MIN_ROUNDS 40
SHA_CRYPT_MAX_ROUNDS 400

Tune the values on your system so the authentication delay isn't too bad.

I'm surprised your distro has defaulted to the ancient crypt(). Even slackware, not noted for being "bleeding edge", has defaulted to MD5 for a very very long time now.

Of course, if you've been running the same system or one where you migrated shadow files from old ones, you may still be using those ancient shadow password formats. (No system changes those in-place for you until you explicitly change the password with new login.defs defaults in effect.)

=R=
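The replies above make the practical point: old DES crypt hashes (8-character limit) survive in shadow files and Dovecot passwd-files until each password is changed. The following audit script is an added example, not code from the thread or from Dovecot; it classifies each stored hash by its modular-crypt prefix (or the 13-character traditional DES form) and flags the legacy schemes and low round counts. The sample lines are constructed, the hash bodies are placeholders, and the round-count threshold is this example's own policy.

```python
"""Audit the hash schemes in a shadow(5)-style or Dovecot passwd-file.

Added example: flags traditional DES crypt (hashes only the first 8
characters) and MD5-crypt, and SHA-crypt entries with fewer rounds
than the glibc default.
"""
import re
from collections import Counter

# Modular-crypt prefixes and the scheme each identifies.
CRYPT_PREFIXES = {
    "$1$": "md5-crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256-crypt",
    "$6$": "sha512-crypt",
    "$y$": "yescrypt",
}
# Traditional DES crypt: 2-char salt + 11 hash chars from the crypt alphabet.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# Optional explicit rounds parameter of SHA-crypt ($5$ / $6$).
ROUNDS_RE = re.compile(r"^\$[56]\$rounds=(\d+)\$")
SHA_CRYPT_DEFAULT_ROUNDS = 5000   # glibc default when rounds= is absent
MIN_ROUNDS = 5000                 # this example's policy, not a system default
WEAK_SCHEMES = {"des-crypt", "md5-crypt"}

# Constructed sample: shadow-style lines plus one Dovecot passwd-file line.
SAMPLE_SHADOW = """\
alice:$6$rounds=50000$c0nstructed$Q0b5ZFQTJBkDG7placeholderhashbody0123456789abcdef:15801:0:99999:7:::
bob:$1$c0nstr$placeholdermd5hashbody:15801:0:99999:7:::
carol:AbCdEfGhIjKlM:15801:0:99999:7:::
dave:!$6$c0nstructed$lockedaccountplaceholder:15801:0:99999:7:::
eve:{SHA512-CRYPT}$6$c0nstructed$dovecotpasswdfileplaceholder:1000:1000::/home/eve::
frank:$5$rounds=1000$c0nstructed$lowroundsplaceholder:15801:0:99999:7:::
"""


def classify(hash_field):
    """Return (scheme, rounds) for one hash field; rounds is None if not applicable."""
    h = hash_field
    # Dovecot passwd-file entries may carry a {SCHEME} prefix; strip it.
    if h.startswith("{") and "}" in h:
        h = h[h.index("}") + 1:]
    # Empty, '*' or '!'-prefixed fields are locked / not password-loginable.
    if h in ("", "*", "!!") or h.startswith("!"):
        return "locked", None
    for prefix, scheme in CRYPT_PREFIXES.items():
        if h.startswith(prefix):
            m = ROUNDS_RE.match(h)
            if m:
                return scheme, int(m.group(1))
            return scheme, (SHA_CRYPT_DEFAULT_ROUNDS if scheme.startswith("sha") else None)
    if DES_RE.match(h):
        return "des-crypt", None
    return "unknown", None


def audit(text):
    """Map user -> {'scheme', 'rounds', 'weak'} for every 'user:hash:...' line."""
    result = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, hash_field = line.split(":", 2)[:2]
        scheme, rounds = classify(hash_field)
        weak = scheme in WEAK_SCHEMES or (rounds is not None and rounds < MIN_ROUNDS)
        result[user] = {"scheme": scheme, "rounds": rounds, "weak": weak}
    return result


def scheme_counts(text):
    """Counter of schemes in use, for a quick migration overview."""
    return Counter(entry["scheme"] for entry in audit(text).values())


if __name__ == "__main__":
    for user, entry in audit(SAMPLE_SHADOW).items():
        flag = "WEAK" if entry["weak"] else "ok"
        print(f"{user:8s} {entry['scheme']:13s} rounds={entry['rounds']}  {flag}")
    print(dict(scheme_counts(SAMPLE_SHADOW)))
```

Run it against a copy of /etc/shadow (or a Dovecot passwd-file) to see which accounts still carry DES or MD5 hashes; those are the ones that only migrate when the user next changes their password.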
[Dovecot] script to detect dictionary attacks
Hi

has someone a script which can filter out dictionary attacks
from /var/log/maillog and notify about the source-IPs?

i know about fail2ban and so on, but i would like to have
a mail with the IP address for two reasons and avoid fail2ban
at all because it does not match in the way we maintain firewalls

* add the IP to a distributed "iptables-block.sh" and distribute
  it to any server with a comment and timestamp
* write an abuse-mail to the ISP
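A minimal form of the script asked for above, added here as an example (it is not code from the thread or from Dovecot): it parses Dovecot 2.x "auth failed" lines from a maillog, totals failed attempts and distinct usernames per remote IP, rolls the counts up per /24 so a whole subnet stands out, and renders a report that could be piped to mail. The log lines are constructed samples in the format Dovecot 2.x imap-login/pop3-login writes; the thresholds are assumptions to tune for your traffic.

```python
"""Summarise Dovecot login failures per source IP from a maillog.

Added example. Reads syslog lines, keeps only Dovecot auth-failure
records, and reports IPs that either hammer one account or walk through
many usernames (the dictionary-attack pattern).
"""
import ipaddress
import re
from collections import defaultdict

# Dovecot 2.x imap-login / pop3-login auth-failure line, e.g.
# "... dovecot: imap-login: Disconnected (auth failed, 3 attempts in 12 secs):
#  user=<admin>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS"
AUTH_FAIL_RE = re.compile(
    r"dovecot: (?P<svc>imap|pop3)-login: (?:Disconnected|Aborted login) "
    r"\(auth failed, (?P<n>\d+) attempts in \d+ secs\): "
    r"user=<(?P<user>[^>]*)>, method=[^,]+, rip=(?P<rip>[0-9A-Fa-f.:]+)"
)

# Constructed sample log (documentation IP ranges, invented users).
SAMPLE_LOG = """\
Apr  6 13:01:02 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts in 12 secs): user=<admin>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS
Apr  6 13:01:09 mail dovecot: imap-login: Disconnected (auth failed, 2 attempts in 7 secs): user=<info>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS
Apr  6 13:01:15 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<sales>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10
Apr  6 13:02:40 mail dovecot: imap-login: Login: user=<harald>, method=PLAIN, rip=198.51.100.20, lip=192.0.2.10, TLS
Apr  6 13:03:11 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<harald>, method=PLAIN, rip=198.51.100.20, lip=192.0.2.10, TLS
Apr  6 13:04:02 mail dovecot: imap-login: Disconnected (auth failed, 4 attempts in 20 secs): user=<test>, method=PLAIN, rip=203.0.113.77, lip=192.0.2.10, TLS
"""


def scan(lines):
    """Return {rip: {'attempts': int, 'users': set}} over the given log lines."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set()})
    for line in lines:
        m = AUTH_FAIL_RE.search(line)
        if not m:
            continue   # successful logins and unrelated lines are skipped
        entry = stats[m.group("rip")]
        entry["attempts"] += int(m.group("n"))
        entry["users"].add(m.group("user"))
    return dict(stats)


def per_subnet(stats, v4_prefix=24, v6_prefix=64):
    """Aggregate failed attempts per /24 (IPv4) or /64 (IPv6)."""
    nets = defaultdict(int)
    for rip, entry in stats.items():
        addr = ipaddress.ip_address(rip)
        prefix = v4_prefix if addr.version == 4 else v6_prefix
        net = ipaddress.ip_network(f"{rip}/{prefix}", strict=False)
        nets[str(net)] += entry["attempts"]
    return dict(nets)


def suspects(stats, min_attempts=5, min_users=3):
    """IPs worth a look: many failures, or many different usernames tried."""
    hits = [rip for rip, e in stats.items()
            if e["attempts"] >= min_attempts or len(e["users"]) >= min_users]
    return sorted(hits, key=lambda rip: -stats[rip]["attempts"])


def report(stats, nets, suspect_ips):
    """Plain-text summary suitable as the body of a notification mail."""
    out = []
    for rip in suspect_ips:
        e = stats[rip]
        users = ", ".join(sorted(e["users"]))
        out.append(f"{rip}: {e['attempts']} failed attempts, "
                   f"{len(e['users'])} distinct users ({users})")
    for net, n in sorted(nets.items(), key=lambda kv: -kv[1]):
        out.append(f"subnet {net}: {n} failed attempts")
    return "\n".join(out)


if __name__ == "__main__":
    st = scan(SAMPLE_LOG.splitlines())
    print(report(st, per_subnet(st), suspects(st)))
```

In use, feed it the last hour of /var/log/maillog from cron and pipe the report to mail only when suspects() is non-empty; the whois lookup and the decision to block or to write to the ISP stay manual, as the question asks.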
Re: [Dovecot] script to detect dictionary attacks
On 2013-04-06 13:18, Reindl Harald wrote:
> Hi

Hi!

> has someone a script which can filter out dictionary attacks
> from /var/log/maillog and notify about the source-IPs?
>
> i know about fail2ban and so on, but i would like to have
> a mail with the IP address for two reasons and avoid fail2ban
> at all because it does not match in the way we maintain firewalls
>
> * add the IP to a distributed "iptables-block.sh" and distribute
>   it to any server with a comment and timestamp
> * write an abuse-mail to the ISP
>

What about ...fail2ban? :)

You can define any script to run when fail2ban detects a bruteforce. You can pass  as parameter to the script. Fail2ban can also send email to proper abuse. Maybe I'm wrong, but reading what you wrote about your needs, it looks like fail2ban can do it.

Marcin
Re: [Dovecot] script to detect dictionary attacks
On 06.04.2013 13:18, Reindl Harald wrote:
> Hi
>
> has someone a script which can filter out dictionary attacks
> from /var/log/maillog and notify about the source-IPs?
>
> i know about fail2ban and so on, but i would like to have
> a mail with the IP address for two reasons and avoid fail2ban
> at all because it does not match in the way we maintain firewalls
>
> * add the IP to a distributed "iptables-block.sh" and distribute
>   it to any server with a comment and timestamp
> * write an abuse-mail to the ISP
>

Hi Harald,

not exactly, but i have written some blog to detect and alarm via xymon by brute force dovecot

http://sys4.de/de/blog/2013/01/29/howto-monitor-brute-force-attacks-on-dovecot/

as well i have some blog about using iptables out of rsyslog pipe recent to drop ips

http://sys4.de/de/blog/2012/12/28/botnets-mit-rsyslog-und-iptables-recent-modul-abwehren/

mix it up some kind in scripts and produce some mail to abuse mail account found by whois, to me alarming is enough, at my servers it looks like most alarms are coming from users with wrong login data etc, real brute force are rare

Best Regards

Robert Schetterer

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Joerg Heidrich
Re: [Dovecot] replicator/dsync over tcp
Timo Sirainen wrote:
> On 24.3.2013, at 23.07, Michael Grimm wrote:
>
>> First of all I did need to extend http://wiki2.dovecot.org/Replication to
>> get dsync over tcp running without ssl:
> ..
>> | dovecot: doveadm(test): Error: doveadm_password not set, can't
>> authenticate to remote server
>
> Updated http://master.wiki2.dovecot.org/Replication with it.

My point has been that I needed to add ...

| local 1.2.3.4 {
|   doveadm_password = secret
| }

... besides ...

| service doveadm {
|   inet_listener {
|     address = 1.2.3.4
|     port = 12345
|   }
| }

... which I cannot find at http://master.wiki2.dovecot.org/Replication if I am not mistaken.

>> 1. Question: may one include "secret" from a file?
>
> name = 

>> Now, I did try to add ssl by activating "ssl = yes" in 'service doveadm'
>> (see above) and adding ...
>>
>> | # used by replicator/dsync over tcp
>> | #
>> | ssl_client_ca_dir = //ssl/certs
>>
>> ... and ...
>>
>> | mail_replica = tcps:SERVER-A.TLD
>>
>> But, this didn't work (logfile at remote server):
>>
>> | dovecot: doveadm(test): Invalid certificate: self signed certificate:
>> /OU=dovecot server/CN=OTHER-NAME.TLD/emailAddress=postmas...@other-name.tld
>> | dovecot: doveadm(test): Error: SERVER-A.TLD: Received invalid SSL
>> certificate
>> | dovecot: doveadm(test): Error: sync: Disconnected from remote
>>
>> The OTHER-NAME.TLD is served by my additional settings used by my MUAs:
>>
>> | ssl_cert = /ssl/certs/OTHER-NAME.TLD.pem
>> | ssl_key = /ssl/private/OTHER-NAME.TLD.pem
>>
>> I did supply SERVER-A.TLD certs and private certificates at both servers as
>> well, but dovecot seems to use those of OTHER-NAME.TLD for replicator/dsync
>> instead :-(
>
> The SERVER-A.TLD needs to have a certificate that is signed by one of the CAs
> in ssl_client_ca_dir. ssl_cert/key settings are irrelevant here. You can't
> use a self-signed cert, unless you put it into the CA dir (I don't know how
> exactly that works).

I did get tcps running in the meantime following:

1. http://www.zytrax.com/tech/survival/ssl.html ("Method 3" plus "Multi-Server Certificates")
2. postfix' documentation at http://www.postfix.org/TLS_README.html#server_cert_key (here I had to reverse order, meaning CA first)
3. pointing ssl_cert, ssl_key to relevant files in //ssl/ca/certs and //ssl/ca/private, respectively
4. ssl_client_ca_dir = //ssl/ca/certs

Question: Why is it necessary to use ssl_cert/key settings from my CA although you state:

> ssl_cert/key settings are irrelevant here.

Besides dovecot is synchronising as expected, I do get a lot of logfile entries like ...

| dovecot: dsync-local(test): Warning: I/O leak: 0x10b8cf20 (line 341, fd 14)

... and in addition if "verbose_ssl = yes" is set:

| dsync-remote(test): Warning: SSL alert: where=0x4004, ret=256: warning close notify

Hmm, I do have to admit that I do not understand SSL/TLS/CA/...! Thus, I am uncertain whether to ignore those warnings or if my setup is broken in the first place?

All hints are highly appreciated,
Michael
Re: [Dovecot] script to detect dictionary attacks
Reindl Harald wrote on 2013-04-06 13:18:
> has someone a script which can filter out dictionary attacks
> from /var/log/maillog and notify about the source-IPs?

yes i have :)

pflogsumm

> i know about fail2ban and so on, but i would like to have
> a mail with the IP address for two reasons and avoid fail2ban
> at all because it does not match in the way we maintain firewalls

it's simple to make a filter that checks unknown user in postfix logs, it's even more simple if one makes syslog go to sql, then postfix can live block that ip that sends to unknown users

> * add the IP to a distributed "iptables-block.sh" and distribute
>   it to any server with a comment and timestamp
> * write an abuse-mail to the ISP

that would be cool, lol :)
Re: [Dovecot] script to detect dictionary attacks
On 06.04.2013 14:24, Benny Pedersen wrote:
> Reindl Harald wrote on 2013-04-06 13:18:
>
>> has someone a script which can filter out dictionary attacks
>> from /var/log/maillog and notify about the source-IPs?
>
> yes i have :)
>
> pflogsumm

has to do what with IMAP/POP3 Logins?

>> i know about fail2ban and so on, but i would like to have
>> a mail with the IP address for two reasons and avoid fail2ban
>> at all because it does not match in the way we maintain firewalls
>
> it's simple to make a filter that checks unknown user in postfix logs, it's
> even more simple if one makes syslog go to
> sql, then postfix can live block that ip that sends to unknown users

but nobody speaks about postfix

>> * add the IP to a distributed "iptables-block.sh" and distribute
>>   it to any server with a comment and timestamp
>> * write an abuse-mail to the ISP
>
> that would be cool, lol :)

what would be cool? what *lol*?

i speak about a simple way to get a notify of the brute-forcing IP
and the both are MANUAL tasks i do since virtually forever
Re: [Dovecot] script to detect dictionary attacks
Reindl Harald wrote on 2013-04-06 14:43:
> has to do what with IMAP/POP3 Logins?

patch / hack it to dovecot

> but nobody speaks about postfix

and nobody uses sql logs

> i speak about a simple way to get a notify of the brute-forcing IP
> and the both are MANUAL tasks i do since virtually forever

if it was simple, others have written it already

http://wiki.dovecot.org/HowTo/Fail2Ban

note that it works on dovecot 1.x as well, no need to upgrade :)
Re: [Dovecot] script to detect dictionary attacks
On 06.04.2013 14:52, Benny Pedersen wrote:
> Reindl Harald wrote on 2013-04-06 14:43:
>
>> has to do what with IMAP/POP3 Logins?
>
> patch / hack it to dovecot

f**k yourself

>> but nobody speaks about postfix
> and nobody uses sql logs

are you drunk or what has this to do with sql logs?
i am using both, so what
the question was an already present script instead of writing my own
so if you have nothing to say better shut up

>> i speak about a simple way to get a notify of the brute-forcing IP
>> and the both are MANUAL tasks i do since virtually forever
>
> if it was simple, others have written it already

and that was the question

> http://wiki.dovecot.org/HowTo/Fail2Ban

the question was a script to parse maillog and simply notify
and NOT fail2ban or whatever long-living process and NOT directly
touch iptables, iptables-config is distributed with an in-house
solution across the whole infrastructure

> note that it works on dovecot 1.x as well, no need to upgrade :)

keep your silly smilies for yourself

[root@mail:~]$ rpm -q dovecot
dovecot-2.1.16-4.fc17.20130405.rh.x86_64
Re: [Dovecot] script to detect dictionary attacks
>> http://wiki.dovecot.org/HowTo/Fail2Ban

not sure if relevant, apologize if not: fwiw, I think csf/lfd (that came on my server) does a similar job, detecting login failures and blocking offenders/suspects

v
Re: [Dovecot] Sync errors trying to sync old mbox inboxes to dovecot
On 2013-04-05 5:10 PM, Michael Smith wrote:
> We are currently running dovecot 2.2.rc3. I am trying to 'dsync mirror'
> old Qpopper/mbox inboxes to our new Dovecot/mdbox servers. For most of
> the several thousand accounts, it works without issue. But there are a
> handful of accounts that are generating the following errors.

First rule of thumb when running PRE-RELEASE software: If you run into a problem, and there are newer releases of the PRE-RELEASE software available (Timo just released rc5 yesterday), update before asking any questions.

--
Best regards,
Charles
Re: [Dovecot] script to detect dictionary attacks
Reindl Harald wrote on 2013-04-06 14:59:
> keep your silly smilies for yourself

haha

> [root@mail:~]$ rpm -q dovecot
> dovecot-2.1.16-4.fc17.20130405.rh.x86_64

you live in a precompiled problem

learn grep, cut, sort, and more
on how to use fail2ban
just ignore my help will not solve it for you
Re: [Dovecot] script to detect dictionary attacks
On 06.04.2013 16:04, Benny Pedersen wrote:
> Reindl Harald wrote on 2013-04-06 14:59:
>
>> keep your silly smilies for yourself
> haha

what haha? you are a young boy with no knowledge proven many times

>> [root@mail:~]$ rpm -q dovecot
>> dovecot-2.1.16-4.fc17.20130405.rh.x86_64
> you live in a precompiled problem

idiot guess what the "rh" in "20130405.rh" means

> learn grep, cut, sort, and more

boy i am a developer and use them all the day a lot

> on how to use fail2ban
> just ignore my help will not solve it for you

to help you would need to understand the question
what did you idiot not understand in the initial post that fail2ban
does not interest me because i do NOT want shorewall and whatever
piece of crap on the infrastructure?

gamin-python, python-inotify, shorewall, shorewall-core are not needed here PERIOD

[root@buildserver:~]$ LANG=C; yum install fail2ban
Loaded plugins: etckeeper, presto, protectbase, security
0 packages excluded due to repository protections
Resolving Dependencies
--> Running transaction check
---> Package fail2ban.noarch 0:0.8.8-2.fc17 will be installed
--> Processing Dependency: shorewall for package: fail2ban-0.8.8-2.fc17.noarch
--> Processing Dependency: python-inotify for package: fail2ban-0.8.8-2.fc17.noarch
--> Processing Dependency: gamin-python for package: fail2ban-0.8.8-2.fc17.noarch
--> Running transaction check
---> Package gamin-python.x86_64 0:0.1.10-12.fc17 will be installed
---> Package python-inotify.noarch 0:0.9.4-1.fc17 will be installed
---> Package shorewall.noarch 0:4.5.7.1-2.fc17 will be installed
--> Processing Dependency: shorewall-core = 4.5.7.1-2.fc17 for package: shorewall-4.5.7.1-2.fc17.noarch
--> Running transaction check
---> Package shorewall-core.noarch 0:4.5.7.1-2.fc17 will be installed
--> Finished Dependency Resolution
--> Finding unneeded leftover dependencies
[Dovecot] autocreate mailbox but no sub folders
Hello,

We have been using lda_mailbox_autocreate to avoid having to initialize empty mailboxes upon account creation. This does the job all right, except that dovecot-lda is also allowed to autocreate sub folders, which is a problem when using address extensions (adress+fol...@domain.tld). It's easy for a malicious user to flood a mailbox with tons of subfolders.

Is there a way to tell dovecot-lda it can only create the initial mailbox and maybe some special folders but nothing else?

Thanks,
Arnaud

--
Arnaud Abélard
jabber: arnaud.abel...@univ-nantes.fr / twitter: ArnY
System Administrator, DSI, Université de Nantes
Re: [Dovecot] repeating dsync - questions
Maybe take a look at "vmstat 2" and see if i/o is blocking a lot or you are hitting swap space? Someone else may be more informed about the inner workings of dsync and how it handles maildir as opposed to mbox.

Best of luck,
Ken

On 4/6/2013 1:09 AM, Bob Gustafson wrote:
> Something must be wrong with my setup. It took 14+ hours for the first
> dsync pass and it hasn't finished yet on the rerun to pick up the latest
> mail (around 12+ hours). I have about 9 GB of mail! The destination
> system is not fast, but..
>
> Maybe I will wait for the 2.2 release..
>
> Thanks for your response.
>
> Bob G
>
> On Fri, 2013-04-05 at 22:45 -0500, Ken A wrote:
>> It's about 300GB of mboxes (I don't know how many messages) and dsync
>> took about 3 hours from scratch in the destination. But, when I sync
>> more frequently, it's much quicker, and depends on the number of
>> changes. With no changes it runs in about 15 min.
>> Ken A.
>>
>>
>> On 4/5/2013 1:54 PM, Bob Gustafson wrote:
>>> I tried that a week or so ago, with a 'dsync -R backup', but got the
>>> funny named directories, so I read more and am trying the 'dsync
>>> mirror' which doesn't require the -R.
>>>
>>> How long does the sync step take for you? (Normalize to # of
>>> messages..)
>>>
>>> Bob G
>>>
>>> On Apr 5, 2013, at 13:48, Ken A wrote:
>>>> I've found that when going in one direction, using "backup -R" rather
>>>> than mirror, works better. I'm going from mbox to sdbox, but doing
>>>> roughly the same thing you are, rsync and then dsync.
>>>>
>>>> Ken A.
>>>>
>>>> On 4/5/2013 10:40 AM, Bob Gustafson wrote:
>>>>>
>>>>> I'm moving/converting email from one system to another
>>>>>
>>>>> The source system is: Dual core x86_64 6GB memory 180 GB raid1
>>>>> disks ext4 Fedora 9 Dovecot 1.0.15 Maildir format
>>>>>
>>>>> The destination system is: Dual core x86_64 2GB memory 1TB raid1
>>>>> disks ext4 Fedora 18 Dovecot 2.1.15 sdbox format
>>>>>
>>>>> I am moving mail in a series of steps:
>>>>>
>>>>> 0) cd ( to mail user home directory )
>>>>>    mkdir Maildir
>>>>>
>>>>> 1) # rsync mail from source system (hoho4) to current (hoho0)
>>>>>    time rsync -arv --times hoho4:/home/bobgus/Maildir/ /home/bobgus/Maildir/
>>>>>
>>>>> This step takes about 37 minutes the first time
>>>>>
>>>>> 2) # dsync mirror/convert to sdbox format on current system
>>>>>    time dsync mirror maildir:~/Maildir
>>>>>
>>>>> This step takes about 858 minutes (!!)
>>>>>
>>>>> Looking at -D messages indicates that dsync is deciding between
>>>>> duplicates much of the time.
>>>>>
>>>>> Looking at the results in a mail browser (Evolution), it seems
>>>>> fine, although the latest mails are not there.
>>>>>
>>>>> 3) # pick up more current mail - use same script as in 1)
>>>>>    time rsync -arv --times hoho4:/home/bobgus/Maildir/ /home/bobgus/Maildir/
>>>>>
>>>>> This step takes about 5 minutes although this varies depending on
>>>>> the amount of new mail.
>>>>>
>>>>> 4) # repeat the 2) dsync step
>>>>>    time dsync mirror maildir:~/Maildir
>>>>>
>>>>> This is where things look peculiar. When I look at the directory
>>>>> of sdbox/mailboxes, I see duplicated directories
>>>>>
>>>>> [bobgus@hoho0 sdbox]$ cd mailboxes
>>>>> [bobgus@hoho0 mailboxes]$ ls
>>>>> Apple Mail To Do
>>>>> Apple Mail To Do_2a47983780615e517960ba55d82c
>>>>> Deleted Messages
>>>>> Deleted Messages_2847983780615e517960ba55d82c
>>>>> Drafts
>>>>> Drafts_2447983780615e517960ba55d82c
>>>>> Important
>>>>> Important_2947983780615e517960ba55d82c
>>>>> INBOX
>>>>> INBOX_1547983780615e517960ba55d82c
>>>>> Sent
>>>>> Sent_2547983780615e517960ba55d82c
>>>>> Trash
>>>>> Trash_2747983780615e517960ba55d82c
>>>>>
>>>>> The 2nd dsync step has not completed yet. I'm wondering whether
>>>>> the extra directory will be magically moved into the older
>>>>> directory.
>>>>>
>>>>> (This is unlikely because the file names are duplicated in the
>>>>> new directory)
>>>>>
>>>>> ---
>>>>>
>>>>> Is this expected behavior? Are there command changes I can make
>>>>> to speed up the process? Eliminate the duplicate directories?
>>>>>
>>>>
>>>> --
>>>> Ken Anderson
>>>> Pacific Internet - http://www.pacific.net

--
Ken Anderson
Pacific Internet - http://www.pacific.net
Re: [Dovecot] repeating dsync - questions
I whacked Maildir and sdbox and started over.

Tweak of rsync script - removed trailing / on destination.

Did yum update, restart

Avoided running Firefox on that machine..

It is now running the 1st pass of dsync - estimated finish is about 4.3 hours on 14G of mails

vmstat 2 shows no swapping (now..)

Thanks for your suggestion.

Bob G

On Apr 6, 2013, at 10:19, Ken A wrote:
> Maybe take a look at "vmstat 2" and see if i/o is blocking a lot or you
> are hitting swap space? Someone else may be more informed about the
> inner workings of dsync and how it handles maildir as opposed to mbox.
> Best of luck,
> Ken
>
>
> On 4/6/2013 1:09 AM, Bob Gustafson wrote:
>> Something must be wrong with my setup. It took 14+ hours for the first
>> dsync pass and it hasn't finished yet on the rerun to pick up the latest
>> mail (around 12+ hours). I have about 9 GB of mail! The destination
>> system is not fast, but..
>>
>> Maybe I will wait for the 2.2 release..
>>
>> Thanks for your response.
>>
>> Bob G
>>
>> On Fri, 2013-04-05 at 22:45 -0500, Ken A wrote:
>>> It's about 300GB of mboxes (I don't know how many messages) and dsync
>>> took about 3 hours from scratch in the destination. But, when I sync
>>> more frequently, it's much quicker, and depends on the number of
>>> changes. With no changes it runs in about 15 min.
>>> Ken A.
>>>
>>>
>>> On 4/5/2013 1:54 PM, Bob Gustafson wrote:
>>>> I tried that a week or so ago, with a 'dsync -R backup', but got the
>>>> funny named directories, so I read more and am trying the 'dsync
>>>> mirror' which doesn't require the -R.
>>>>
>>>> How long does the sync step take for you? (Normalize to # of
>>>> messages..)
>>>>
>>>> Bob G
>>>>
>>>> On Apr 5, 2013, at 13:48, Ken A wrote:
>>>>> I've found that when going in one direction, using "backup -R"
>>>>> rather than mirror, works better. I'm going from mbox to sdbox, but
>>>>> doing roughly the same thing you are, rsync and then dsync.
>>>>>
>>>>> Ken A.
>>>>>
>>>>> On 4/5/2013 10:40 AM, Bob Gustafson wrote:
>>>>>>
>>>>>> I'm moving/converting email from one system to another
>>>>>>
>>>>>> The source system is: Dual core x86_64 6GB memory 180 GB raid1
>>>>>> disks ext4 Fedora 9 Dovecot 1.0.15 Maildir format
>>>>>>
>>>>>> The destination system is: Dual core x86_64 2GB memory 1TB raid1
>>>>>> disks ext4 Fedora 18 Dovecot 2.1.15 sdbox format
>>>>>>
>>>>>> I am moving mail in a series of steps:
>>>>>>
>>>>>> 0) cd ( to mail user home directory )
>>>>>>    mkdir Maildir
>>>>>>
>>>>>> 1) # rsync mail from source system (hoho4) to current (hoho0)
>>>>>>    time rsync -arv --times hoho4:/home/bobgus/Maildir/ /home/bobgus/Maildir/
>>>>>>
>>>>>> This step takes about 37 minutes the first time
>>>>>>
>>>>>> 2) # dsync mirror/convert to sdbox format on current system
>>>>>>    time dsync mirror maildir:~/Maildir
>>>>>>
>>>>>> This step takes about 858 minutes (!!)
>>>>>>
>>>>>> Looking at -D messages indicates that dsync is deciding between
>>>>>> duplicates much of the time.
>>>>>>
>>>>>> Looking at the results in a mail browser (Evolution), it seems
>>>>>> fine, although the latest mails are not there.
>>>>>>
>>>>>> 3) # pick up more current mail - use same script as in 1)
>>>>>>    time rsync -arv --times hoho4:/home/bobgus/Maildir/ /home/bobgus/Maildir/
>>>>>>
>>>>>> This step takes about 5 minutes although this varies depending on
>>>>>> the amount of new mail.
>>>>>>
>>>>>> 4) # repeat the 2) dsync step
>>>>>>    time dsync mirror maildir:~/Maildir
>>>>>>
>>>>>> This is where things look peculiar. When I look at the directory
>>>>>> of sdbox/mailboxes, I see duplicated directories
>>>>>>
>>>>>> [bobgus@hoho0 sdbox]$ cd mailboxes
>>>>>> [bobgus@hoho0 mailboxes]$ ls
>>>>>> Apple Mail To Do
>>>>>> Apple Mail To Do_2a47983780615e517960ba55d82c
>>>>>> Deleted Messages
>>>>>> Deleted Messages_2847983780615e517960ba55d82c
>>>>>> Drafts
>>>>>> Drafts_2447983780615e517960ba55d82c
>>>>>> Important
>>>>>> Important_2947983780615e517960ba55d82c
>>>>>> INBOX
>>>>>> INBOX_1547983780615e517960ba55d82c
>>>>>> Sent
>>>>>> Sent_2547983780615e517960ba55d82c
>>>>>> Trash
>>>>>> Trash_2747983780615e517960ba55d82c
>>>>>>
>>>>>> The 2nd dsync step has not completed yet. I'm wondering whether
>>>>>> the extra directory will be magically moved into the older
>>>>>> directory.
>>>>>>
>>>>>> (This is unlikely because the file names are duplicated in the
>>>>>> new directory)
>>>>>>
>>>>>> ---
>>>>>>
>>>>>> Is this expected behavior? Are there command changes I can make
>>>>>> to speed up the process? Eliminate the duplicate directories?
>>>>>>
>>>>>
>>>>> --
>>>>> Ken Anderson
>>>>> Pacific Internet - http://www.pacific.net
>
> --
> Ken Anderson
> Pacific Internet - http://www.pacific.net
[Dovecot] mdbox and folders containing both messages and sub-folders
I've got Dovecot 2.2r5 (Ubuntu package version 2:2.2.0~rc5-0~auto+1 from the "testing-auto/dovecot-2.2" repository on xi.rename-it.nl) running on a brand-new Ubuntu 12.04.2 server. I'm trying to configure Dovecot (using the "mdbox" mailbox format) to allow folders to contain both messages and sub-folders. However, it's not working consistently.

I need to have folders with both messages and sub-folders because I'm trying to migrate mail from an existing (but soon-to-be-retired) Cyrus server, and the existing body of mail has folders of this sort.

I'm currently using the following configuration line:

mail_location = mdbox:~/mdbox:DIRNAME=.indexes:INDEX=~/mdbox/indexes

and am using the Larch program to do an IMAP-to-IMAP copy of one of my family member's mail from the old Cyrus server to the new Dovecot server.

When I examine the "mailboxes" directory tree, I see some directories that (correctly) contain both the renamed ".indexes" directory and also directories for IMAP subfolders. However, the Larch output is showing many errors of the form "mailbox cannot contain messages", and some of the messages could not be migrated because of this problem.

Am I doing something wrong? Or is the "folders containing both messages and sub-folders" feature simply broken for the "mdbox" format -- meaning presumably that I'll be forced either to use the Maildir format, or else abandon Dovecot entirely and install Cyrus on my new mail server instead?

Rich Wales
ri...@richw.org
Re: [Dovecot] script to detect dictionary attacks
On Sat, 6 Apr 2013, Reindl Harald wrote:
> Hi
>
> has someone a script which can filter out dictionary attacks
> from /var/log/maillog and notify about the source-IPs?
>
> i know about fail2ban and so on, but i would like to have
> a mail with the IP address for two reasons and avoid fail2ban
> at all because it does not match in the way we maintain firewalls
>
> * add the IP to a distributed "iptables-block.sh" and distribute
>   it to any server with a comment and timestamp
> * write an abuse-mail to the ISP

Thinking tangentially to this proposal, are there blacklists (BLs) maintained regarding known IPs perpetrating attempts at pop/imap intrusions, much in the same way CBL does for spam, and OpenBL (http://www.openbl.org/lists.html) does for ssh (primarily)?

That way, you leave your iptables configuration status quo, and create a mechanism to use the resource (the BLs) to populate your /etc/hosts.deny file, using tcp_wrappers to prevent intrusion/brute force attacks on services that have open ports in the firewall.

Thanks,
Max Pyziur
p...@brama.com
[Dovecot] Released Pigeonhole v0.3.4 for Dovecot v2.1.16
Hello Dovecot users,

Much time passed since I last released a new Pigeonhole, so quite a few unreleased fixes were pending until now. Development of new features is shifted to the upcoming Pigeonhole v0.4 for Dovecot v2.2. I intend to release v0.4.0 shortly after Dovecot v2.2.0.

Changelog v0.3.4:

* Changed error handling to be less of a nuisance for administrators. Strictly user-caused errors are only reported in user log. Some errors are logged as info instead.
* Sieve: Changed behavior of redirect in case of a duplicate message delivery or a mail loop. If a duplicate is detected the implicit keep is canceled, as though the redirect was successful. This prevents getting local deliveries. The original SMTP recipient is used when it is available to augment the entry in the LDA duplicate database. This way, duplicates are only detected when (initially) addressed to the same recipient.
+ Sieve vnd.dovecot.duplicate extension: added new features to the duplicate test, making it possible to manually compose the key value for duplicate checking. This extension is in the process of being standardized: https://tools.ietf.org/html/draft-bosch-sieve-duplicate-01
+ Sieve date extension: generate warning when invalid date part is specified.
- Sieve editheader extension: fixed crash occurring when addheader :last was used.
- Sieve include extension: fixed missing error cleanup that caused a resource leak.
- Sieve vacation extension: fixed determination of From: address for when sieve_vacation_dont_check_recipient is active.
- Sieve tools: the -D option wasn't enabled and documented for all tools.
- Sieve dict script storage: fixed potential segfault occurring when dict initialization fails.
- ManageSieve: fixed bug in skipping of CRLF at end of AUTHENTICATE command.
- ManageSieve: fixed handling of unknown commands pre-login.
- Fixed compile on Mageia Linux.

The release is available as follows:

http://www.rename-it.nl/dovecot/2.1/dovecot-2.1-pigeonhole-0.3.4.tar.gz
http://www.rename-it.nl/dovecot/2.1/dovecot-2.1-pigeonhole-0.3.4.tar.gz.sig

Refer to http://pigeonhole.dovecot.org and the Dovecot v2.x wiki for more information.

Have fun testing this new release and don't hesitate to notify me when there are any problems.

Regards,

--
Stephan Bosch
step...@rename-it.nl
Re: [Dovecot] script to detect dictionary attacks
On 06.04.2013 22:55, Max Pyziur wrote:
> On Sat, 6 Apr 2013, Reindl Harald wrote:
>> has someone a script which can filter out dictionary attacks
>> from /var/log/maillog and notify about the source-IPs?
>>
>> i know about fail2ban and so on, but i would like to have
>> a mail with the IP address for two reasons and avoid fail2ban
>> at all because it does not match in the way we maintain firewalls
>>
>> * add the IP to a distributed "iptables-block.sh" and distribute
>>   it to any server with a comment and timestamp
>> * write an abuse-mail to the ISP
>
> Thinking tangentially to this proposal, are there blacklists (BLs) maintained
> regarding known IPs perpetrating attempts at pop/imap intrusions, much in the
> same way CBL does for spam, and OpenBL (http://www.openbl.org/lists.html)
> does for ssh (primarily)?
>
> That way, you leave your iptables configuration status quo, and create a
> mechanism to use the resource (the BLs) to populate your /etc/hosts.deny
> file, using tcp_wrappers to prevent intrusion/brute force attacks on
> services that have open ports in the firewall

i don't know but in fact i want not rely on automatisms and blacklists

sometimes i recognize a dictionary attack because "tail -f" on the
mailserver is running in background and after come back from a cigarette
break i look a minute in the output and if i see attacks i add the IP
after a whois to "iptables-block.sh"

so i do not want to rely on automagic and if some IP is added to
whatever blacklist hours or days later, i want simply a one-time mail
notify to look NOW in maillog and take action or ignore it depending
on the count and source

if it is some ISP from a country far away -> block it
if it is the fifth attempt from this ISP -> block the whole subnet
if it is a major ISP of the country i live in (Austria) -> only abuse mail to the ISP
Re: [Dovecot] script to detect dictionary attacks
On Sat, 6 Apr 2013, Reindl Harald wrote:
> On 06.04.2013 22:55, Max Pyziur wrote:
>> On Sat, 6 Apr 2013, Reindl Harald wrote:
>>> has someone a script which can filter out dictionary attacks
>>> from /var/log/maillog and notify about the source-IPs?
>>>
>>> i know about fail2ban and so on, but i would like to have
>>> a mail with the IP address for two reasons and avoid fail2ban
>>> at all because it does not match in the way we maintain firewalls
>>>
>>> * add the IP to a distributed "iptables-block.sh" and distribute
>>> it to any server with a comment and timestamp
>>> * write an abuse-mail to the ISP
>>
>> Thinking tangentially to this proposal, are there blacklists (BLs) maintained
>> regarding known IPs perpetrating attempts at pop/imap intrusions, much in the
>> same way CBL does for spam, and OpenBL (http://www.openbl.org/lists.html)
>> does for ssh (primarily)?
>>
>> That way, you leave your iptables configuration status quo, and create a
>> mechanism to use the resource (the BLs) to populate your /etc/hosts.deny
>> file, using tcp_wrappers to prevent intrusion/brute force attacks on
>> services that have open ports in the firewall
>
> i don't know, but in fact i do not want to rely on automatisms and blacklists

CBL is fairly reliable; you can screen it based on originating countries (I use ip2cc, available from perl-IP-Country-2.27-1.el6.noarch, to find the originating country for particular ips).

I'm tentatively using OpenBL to block dictionary attacks by way of ssh. By way of logwatch, I see enough dictionary attacks on dovecot; I take those ips and hope to use them soon to block dovecot attacks.

The problem is the "aging": there needs to be a mechanism that determines whether or not an ip continues to be a threat. The BLs are good for that - once an ip or, say, the first three octets, diminishes in frequency of attacks, then based on some threshold that you set, you can remove that ip (or set of ips) as a hostile threat to a particular service that you are running on your server/servers.

> sometimes i recognize a dictionary attack because "tail -f" on the mailserver
> is running in background, and after coming back from a cigarette break i look
> a minute at the output; if i see attacks i add the IP after a whois to
> "iptables-block.sh"
>
> so i do not want to rely on automagic, and if some IP is added to whatever
> blacklist hours or days later, i want simply a one-time mail notify to look
> NOW in maillog and take action or ignore it depending on the count and source
>
> if it is some ISP from a country far away -> block it
> if it is the fifth attempt from this ISP -> block the whole subnet
> if it is a major ISP of the country i live in (austria) -> only abuse mail to the ISP

I understand the logic; I set a low threshold to label something being a threat for anything originating in China; the threshold is higher for things closer to home, since most of the traffic to the one server I control is from there.

MP
p...@brama.com
Re: [Dovecot] script to detect dictionary attacks
On 4/6/2013 2:13 PM, Max Pyziur wrote:
> On Sat, 6 Apr 2013, Reindl Harald wrote:
>> if it is some ISP from a country far away -> block it
>> if it is the fifth attempt from this ISP -> block the whole subnet
>> if it is a major ISP of the country i live in (austria) -> only abuse mail to the ISP
>
> I understand the logic; I set a low threshold to label something being a
> threat for anything originating in China; the threshold is higher for
> things closer to home, since most of the traffic to the one server I
> control is from there.

The problem with a non-automated system, such as manually blocking China, is that it does not easily and quickly adapt. Both of the following I have experienced:

1) Excessive spam and hacking from China. I blocked China. Then I got a client that did business in China and had a branch office there. Suddenly I cannot block login attempts from China. And the users complain loudly about the excessive reject rate of legitimate emails from Chinese customers due to the spam filters. Also, legitimate users in China pick weak passwords which get hacked. Convincing the customer to improve passwords and security, and to use a VPN for Chinese users to access email so I can block China again, was unsuccessful.

While this is a bit beyond the scope of this list, the underlying problem is that in many far east countries, hacking is not illegal and thus there is no fear of getting caught, since there is no punishment. The real solution is to change those laws and have those countries enforce the laws. Good luck with that, however.

2) I tried compiling a list of IPs used for hacking. As a test, I manually put them into the firewall to see if that stops anything. Results were that a single IP will attempt to brute force several hundred passwords, but then I never hear from that IP again, so the firewall block was pointless. However, another, seemingly unrelated IP takes up the brute force attack.

Without an automated system, like fail2ban, I am just playing Whack-A-Mole and never actually manage to block any attempts. In a different scenario, I also see 1-2 attempts from each IP in a group of thousands of IPs. These IPs do have legitimate users within them, so I cannot block whole IP ranges. All these indicate that the brute force attacks are being implemented on zombie nets.

I do not see a perfect solution, or even a good one. A mediocre solution is a combination of fail2ban (which I have implemented) and enforcing strong passwords.

A feature that would be nice is if Dovecot could detect that X bad attempts for a given User ID happen in Y time, then that User ID is blocked (always gives back a bad authentication, even if the correct password is entered) for Z time. Also, Dovecot could slow down its reply, much like a tarpit. These would be configurable. For example, if 3 bad password attempts are received for u...@domain.com within 2 minutes, then the user is blocked for 10 minutes. That with strong passwords will make the system reasonably safe from zombie net attacks. Also, the tarpit feature would slow down the attacks and ease the bandwidth issue.

I am very willing to work with anyone on a solution that works better than these methods. As I see it, in order for a blacklist to work, it has to be large and distributed, like the spam blacklists are. Dovecot would need to report to the blacklist cloud any IPs that it detects are being used to launch attacks. This is a big undertaking.

Dem
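The X-failures-in-Y-seconds lockout with a tarpit that the post above proposes, written out as an added example (not Dovecot code and not from anyone on the thread). It is keyed by an arbitrary identity string, so the same structure serves the per-user lockout proposed here and the per-IP block list with the "aging" Max Pyziur asks for earlier in the thread: entries expire on their own once the failures or the lockout are older than the configured windows. The defaults (3 failures in 120 s lock for 600 s, tarpit growing 2 s per failure up to 30 s) follow the post's example; the names, the injectable clock and the scenario events are assumptions made for the example.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window failure counter with lockout and tarpit.

    For any identity (a user ID as proposed in the thread, or a source IP):
    `max_failures` failed logins within `window` seconds lock the identity
    for `lockout` seconds, during which even a correct password is refused.
    Every failure below the lockout threshold earns a growing tarpit delay
    that the caller should sleep before answering. Entries age out on their
    own: failures older than `window` and lockouts older than `lockout` are
    forgotten, which is the "aging" a block list needs.
    """

    def __init__(self, max_failures=3, window=120.0, lockout=600.0,
                 tarpit_step=2.0, tarpit_max=30.0, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.tarpit_step = tarpit_step
        self.tarpit_max = tarpit_max
        self.clock = clock                    # injectable for deterministic tests
        self._failures = defaultdict(deque)   # identity -> recent failure times
        self._locked_until = {}               # identity -> lockout expiry time

    def is_locked(self, ident):
        """True while a lockout is in force; expired lockouts are discarded."""
        now = self.clock()
        until = self._locked_until.get(ident)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[ident]
            self._failures.pop(ident, None)
            return False
        return True

    def _prune(self, ident, now):
        """Drop failures that fell out of the sliding window."""
        q = self._failures[ident]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def record(self, ident, password_ok):
        """Outcome of one login attempt: (allowed, tarpit_seconds).

        Call this after the real password check; `password_ok` is the result
        of that check and `allowed` is what the client should finally see.
        """
        now = self.clock()
        if self.is_locked(ident):
            return False, self.tarpit_max
        if password_ok:
            self._failures.pop(ident, None)
            return True, 0.0
        q = self._prune(ident, now)
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[ident] = now + self.lockout
            return False, self.tarpit_max
        return False, min(self.tarpit_step * len(q), self.tarpit_max)

    def locked_identities(self):
        """Identities currently locked, i.e. the live block list."""
        return sorted(i for i in list(self._locked_until) if self.is_locked(i))


def simulate(events, **kwargs):
    """Replay constructed (timestamp, identity, password_ok) events.

    Returns the (allowed, tarpit_seconds) decision for each event.
    """
    clock = [0.0]
    throttle = LoginThrottle(clock=lambda: clock[0], **kwargs)
    decisions = []
    for t, ident, ok in events:
        clock[0] = t
        decisions.append(throttle.record(ident, ok))
    return decisions


# Constructed scenario matching the thread's example: 3 bad passwords for
# one user within 2 minutes lock the account for 10 minutes.
SCENARIO = [
    (0.0,   "user@example.com", False),    # 1st failure -> tarpit 2 s
    (30.0,  "user@example.com", False),    # 2nd failure -> tarpit 4 s
    (60.0,  "user@example.com", False),    # 3rd failure -> locked until t=660
    (100.0, "user@example.com", True),     # correct password, still refused
    (700.0, "user@example.com", True),     # lockout aged out -> allowed
    (710.0, "other@example.com", False),   # identities are independent
]

if __name__ == "__main__":
    for event, decision in zip(SCENARIO, simulate(SCENARIO)):
        print(event, "->", decision)
```

Refusing a correct password during the lockout is what makes the window effective against a distributed guesser: the attacker cannot tell a locked account from a wrong guess, and a zombie that contributes one or two attempts per IP still counts against the user it targets.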
Re: [Dovecot] script to detect dictionary attacks
On 06.04.2013 23:48, Professa Dementia wrote:
> Both of the following I have experienced:
>
> 1) Excessive spam and hacking from China. I blocked China. Then I got a
> client that did business in China and had a branch office there. Suddenly
> I cannot block login attempts from China. And the users complain loudly
> about the excessive reject rate of legitimate emails from Chinese
> customers due to the spam filters.

again:

* i am on the dovecot list
* i speak about dictionary attacks on POP3/IMAP
* reject rate is not a topic here

well, even if i were speaking about the MTA it would not be a topic: the MTA is a commercial spam-appliance, and postfix is not directly the MX
Re: [Dovecot] script to detect dictionary attacks
Here is the simple script that I use to filter attacking sites. It should be easy to add your extra bits (email etc).

Cheers,
Stephen

#! /bin/sh
# Build one iptables DROP rule per source IP that hit sendmail's check_rcpt
# ruleset today, reset the firewall to its base rules and apply them.
# syslog pads the day of month with a space ("Apr  6"), so use %e, not %d.
d=`date +"%b %e"`
# mktemp instead of a predictable /tmp/fw$$ name, which can be pre-created
# by a local user and is then sourced by root below
fw=`mktemp /tmp/fw.XXXXXX` || exit 1
grep "$d" /var/log/mail/info.log | grep ruleset=check_rcp \
  | gawk '{split($0,q,/[\[\]]/); print "/sbin/iptables -A INPUT -s " q[4] "/32 -j DROP"}' \
  | sort -u > "$fw"
#reset iptable to base
/etc/rc.d/rc.fw > /dev/null 2>&1
#add new filter(s)
. "$fw"
rm -f "$fw"

--
=
Stephen Davies Consulting P/L          Phone: 08-8177 1595
Adelaide, South Australia.             Mobile: 040 304 0583
Records & Collections Management.
[Dovecot] The sieve_extprograms plugin included in main Pigeonhole 0.4 source tree
Hi,

I think the sieve_extprograms plugin is mature enough for an initial release, and that is why I've included it in the main Pigeonhole v0.4 source tree. It is still a plugin, but it is no longer provided as a separate package. This should make things easier. It will be released along with Pigeonhole v0.4.0.

Regards,

Stephan.