Re: Disabling passdb pam in local.conf
On 2016-06-21 at 13:51, Ralf Hildebrandt wrote:
> * Patrick Ben Koetter :
>> Greetings,
>>
>> I'm trying to create a configuration that leaves every config file deployed by an install process or package management software untouched. The goal is to put every configuration required into /etc/dovecot/local.conf.
>>
>> I've come quite far, but I fail to disable pam as passdb service in local.conf. What I get if I run doveconf -n is this section:
>>
>> passdb {
>>   driver = pam
>> }
>
> What is the actual problem? System accounts shouldn't be able to log in? System accounts shouldn't be valid mailboxes?

Use case: virtual accounts in "passdb { driver = passwd-file …"

The initial pam driver will make each logon have to wait for pam to time out first, which adds a considerable delay in the process.

-- peter
Re: Storage upgrade maildir suggestions?
On 21.06.16 at 16:09, Marcus Rueckert wrote:
> On 2016-06-21 07:17, Götz Reinicke - IT Koordinator wrote:
>> Hi,
>>
>> we start to run out of diskspace soon as our users start to keep mails
>> for longer time periods. That's fine, but space consuming.
>>
>> The maildirs are about 1 TB in total, and not long ago we enabled zlib
>> which is very nice.
>>
>> Now I have some thoughts about the next steps:
>>
>> a) Migrating the whole system to a new server with more storage?
>>
>> b) Install a virtual server for the mailsystem and an extra storage
>> system may be NFS?
>>
>> c) Stay with the current server and move all mails to a bigger NFS
>> storage.
>>
>> The last option c) would be the most easy one for me as I currently have
>> NFS space.
>>
>> Any thoughts? Hints regarding the NFS storage? Pros Cons?
>>
>> I have seen the dovecot wiki on NFS already and for now we will stay
>> with one single dovecot server.
>
> FC or iSCSI as storage.
>
> and always have a lvm layer between your HW and the FS. that way you
> can easily attach more disk to the stripe set and grow your storage that way.
>
> darix

Hi Darix,

thanks for that feedback. Currently we are moving away in a lot of areas from iSCSI as it is too much maintenance for us. But maybe we go with a small one for the mailsystem ...

Regards . Götz
Re: Storage upgrade maildir suggestions?
Hi Daniel,

thanks for your feedback. Adding more disks is adding a new shelf as all slots are in use and this is a sun/intel server with all slots already in use. Ceph is our goal for this year for some filestorages but for mail I'll need space now xD ...

O.K. I'll check some storage with a bigger disk; maybe some small "iscsi-box".

Regards . Götz

On 21.06.16 at 21:53, Daniel van Ham Colchete wrote:
> Gotz,
>
> at that level of usage I would just add more drives. Working with
> NFS/clustering is not worth it when you are at that level. In the following
> months I'll send an e-mail to the list here talking about how I'm using Ceph
> FS successfully with Dovecot, but it's a lot of trouble. At the 1TB/2TB/4TB
> level, just go out and buy a bigger disk.
>
> As a side note, with too many emails it is always a problem to have too many
> small files. I would recommend taking a look at mdbox.
>
> Best,
> Daniel Colchete
>
> On Tue, Jun 21, 2016 at 4:17 AM, Götz Reinicke - IT Koordinator <
> goetz.reini...@filmakademie.de> wrote:
>
>> Hi,
>>
>> we start to run out of diskspace soon as our users start to keep mails
>> for longer time periods. That's fine, but space consuming.
>>
>> The maildirs are about 1 TB in total, and not long ago we enabled zlib
>> which is very nice.
>>
>> Now I have some thoughts about the next steps:
>>
>> a) Migrating the whole system to a new server with more storage?
>>
>> b) Install a virtual server for the mailsystem and an extra storage
>> system may be NFS?
>>
>> c) Stay with the current server and move all mails to a bigger NFS storage.
>>
>> The last option c) would be the most easy one for me as I currently have
>> NFS space.
>>
>> Any thoughts? Hints regarding the NFS storage? Pros Cons?
>>
>> I have seen the dovecot wiki on NFS already and for now we will stay
>> with one single dovecot server.
>>
>>
>> Thanks and regards . Götz
post-login script and original remote ip in proxy mode
Hi,

I have a problem similar to this one:

"On Mon, 2013-05-27 at 23:40 +0300, Ibrahim Harrani wrote:
> Hi,
>
> I am running dovecot on 3 qmail-ldap server backend.
> dovecot configured to use auth_pop3 wrapper for authentication.
> Users logins to the qmail-ldap pop3&imap pools randomly. If a user is
> mailhost is not the connected server, dovecot proxies the connection to the
> user mailhost. In this case, I can not get the original client IP address
> via post-logins script on user host. I see only the first connected server
> IP as $IP environment.

Set login_trusted_networks setting pointing to the proxies' IPs/network and you'll get the original IP. Requires v2.1.2+ to work with pop3 proxying."

What can I do in case the dovecot proxy is installed on the same server? Setting login_trusted_networks causes an issue like:

dovecot: imap-login: proxy(xxx): Login failed to xxx:9993: [UNAVAILABLE] Account is temporarily unavailable.
dovecot: imap-login: Disconnected (internal failure, 1 successful auths)

on port 9993 works service dovecot imap
on port 8993 works service courier imap
proxy works on 993
Re: Disabling passdb pam in local.conf
On 2016-06-21 13:46, Ralf Hildebrandt wrote:
> * Edgar Pettijohn :
>> Only /etc/dovecot/local.conf should be changed.
>>
>> So you want the standard files to remain unchanged from default settings
>> and override them with your settings in local.conf?
>
> Exactly (he said that in his initial mail).

so we all need to do "dovecot -n >>/tmp/dovecot.conf" or go back to dovecot v1 ? :-)

i think local.conf is more an extender conf file for new things not in the current config, or more like non standard plugins not in dovecot sources

in gentoo i just keep editing the default files, and if it's changed AFTER install gentoo tells me that it's changed, and then shows a "diff old new" so i know my faults later

ps: is there a hope for the dovecot maillist not breaking dkim ?
Mailboxes on NFS or iSCSI
Hello,

we are running Dovecot (2.2.13-12~deb8u1) on Debian stable. Configured with Mailbox++, IMAP, POP3, LMTPD, Managesieved, ACL. Mailboxes are on local 1.2TB RAID, it's about 5310 accounts.

We are slowly getting out of space and we are considering moving Mailboxes onto a Netapp disk array with two independent network connections.

Are there some pitfalls? Not sure whether we should use NTP or iSCSI mounts (both open implementations are not so shiny).

Thanks for sharing any experiences.

Kind regards, Milo
Re: Mailboxes on NFS or iSCSI
I chose NFS for my env because I wanted multiple load balanced instances of dovecot to be able to access the mailbox files. If you use iSCSI, you will need to pin the user to the dovecot instance that has the LUN mounted. For me, scalability and single point of failure were lost or lessened when using iSCSI.

On Jun 22, 2016 10:41 AM, "Miloslav Hůla" wrote:
> Hello,
>
> we are running Dovecot (2.2.13-12~deb8u1) on Debian stable. Configured
> with Mailbox++, IMAP, POP3, LMTPD, Managesieved, ACL. Mailboxes are on
> local 1.2TB RAID, it's about 5310 accounts.
>
> We are slowly getting out of space and we are considering to move
> Mailboxes onto Netapp disk array with two independent network connections.
>
> Are there some pitfalls? Not sure we should use NTP or iSCSI mounts (both
> open implementations are not so shiny).
>
> Thanks for sharing any experiences.
>
> Kind regards, Milo
Re: Pluggable SNI?
> On 21 Jun 2016, at 5:04 PM, Timo Sirainen wrote:
>
> On 21 Jun 2016, at 22:58, Felipe Gasper wrote:
>>
>> Hello,
>>
>> How feasible would it be to have a “pluggable” Dovecot setup that would
>> permit arbitrary logic for fetching TLS/SNI certificates and key, rather
>> than having to hard-code each domain’s resources in a configuration file?
>>
>> A couple scenarios that I envision such a framework being able to
>> accommodate:
>>
>> 1) An internal TLS service that accepts queries via a UNIX socket by domain
>> name and returns certificate/key.
>>
>> 2) A directory where these resources are stored, indexed by domain name.
>
> Configuration settings are looked up from $base_dir/config socket. In theory
> you could replace this socket with your own proxy service, which forwards all
> requests to the real config process and changes the reply in whatever way you
> want. You should be able to change the default config socket with:
>
> service config {
>   unix_listener config {
>     path = config-old
>   }
> }

Interesting … thank you!

Does this just cache the config at start time, or will it query for each connection? I just tried swapping in my own dummy socket, and it didn’t seem to report anything interesting, which makes me suspect this is a start-time thing. I was hoping for something that could be updated in real-time … ?

Thank you!

-FG
newbie userdb lookup problem
I'm new to Dovecot and I'm having trouble getting basic, flat file userdb lookups to work. This must have been asked before, but if so, I can't find it.

I'm following the basic setup here: http://wiki2.dovecot.org/HowTo/SimpleVirtualInstall with a few minor differences. Output of doveconf -n is below, as well as relevant entries from postfix main.cf and master.cf.

When I send a message to a virtual user that will be handled by Dovecot, Postfix hands it off to Dovecot LDA. But I get the following error in the log:

Jun 22 20:53:33 x dovecot: lda: Error: userdb lookup: connect(/var/run/dovecot/auth-userdb) failed: Permission denied (euid=5000(vmail) egid=5000(vmail) missing +r perm: /var/run/dovecot/auth-userdb, dir owned by 0:0 mode=0755)

/var/run/dovecot/ is indeed owned by root:root with 0755 permissions.
The actual passwd file used for userdb/passdb is currently owned by root:vmail with 0640 permissions.

I read http://wiki2.dovecot.org/UserIds but I just don't understand the section on "Authentication process user". It's very vague. It doesn't explain which service is used for which circumstances or how to correlate the userdb/passdb file permissions with the service user/group settings for best security.

The http://wiki2.dovecot.org/HowTo/SimpleVirtualInstall link mentions nothing about having to modify the auth or auth-worker services. And the http://wiki2.dovecot.org/HowTo/VirtualUserFlatFilesPostfix page mentions a new "doveauth" user which isn't described elsewhere and sets service auth to user postfix and group postfix, something not mentioned anywhere else.

/etc/doveconf/10-master.conf says that the service auth socket is typically readable only by root. Uhm. OK. Well, my passwd file is owned by root. I don't know how that relates to the socket. So I don't understand the problem.

Bottom line, each information source seems to say something completely different. I can't correlate the information in the above sources into any actionable result.
Questions:

Basically, can someone please explain how the permissions for userdb and passdb lookup work (i.e. file permissions vs. service permissions)?

What's the best solution to solve the above permission problem in the most secure way? Adjust the config of service auth? If so, how and why? Or adjust my passwd file ownership? If so, how and why?

I'm really trying to understand the why, not just the what.

Thanks much.

Michael

Output of doveconf -n follows:

# 2.0.19: /etc/dovecot/dovecot.conf
# OS: Linux 3.13.0-86-generic i686 Ubuntu 12.04.5 LTS
auth_verbose = yes
disable_plaintext_auth = no
mail_gid = vmail
mail_location = maildir:~/Maildir
mail_uid = vmail
passdb {
  driver = pam
}
passdb {
  args = username_format=%n /var/vmail/auth.d/%d/passwd
  driver = passwd-file
}
pop3_uidl_format = %08Xv%08Xu
protocols = pop3
ssl = no
ssl_cert = 

http://wiki2.dovecot.org/LDA/Postfix
# Allows user+extens...@domain.com (recipient_delimiter = + in main.cf)
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/dovecot-lda -f ${sender} -d ${user}@${nexthop} -m ${extension}
Re: newbie userdb lookup problem
> On June 23, 2016 at 8:01 AM Michael Fox wrote:
>
> I'm new to Dovecot and I'm having trouble getting basic, flat file userdb
> lookups to work. This must have been asked before, but if so, I can't find
> it.
>
> I'm following the basic setup here:
> http://wiki2.dovecot.org/HowTo/SimpleVirtualInstall with a few minor
> differences. Output of doveconf -n is below, as well as relevant entries
> from postfix main.cf and master.cf.
>
> When I send a message to a virtual user that will be handled by Dovecot,
> Postfix hands it off to Dovecot LDA. But I get the following error in the
> log:
>
> Jun 22 20:53:33 x dovecot: lda: Error: userdb lookup:
> connect(/var/run/dovecot/auth-userdb) failed: Permission denied
> (euid=5000(vmail) egid=5000(vmail) missing +r perm:
> /var/run/dovecot/auth-userdb, dir owned by 0:0 mode=0755)
>
> /var/run/dovecot/ is indeed owned by root:root with 0755 permissions.
> The actual passwd file used for userdb/passdb is currently owned by
> root:vmail with 0640 permissions.

http://wiki.dovecot.org/LDA

Section virtual users, with lookup has the answer.

---
Aki Tuomi
RE: newbie userdb lookup problem
> http://wiki.dovecot.org/LDA
>
> Section virtual users, with lookup has the answer.

Thanks for the quick response Aki.

I presume you're referring to this:

service auth {
  unix_listener auth-userdb {
    mode = 0600
    user = vmail # User running dovecot-lda
    #group = vmail # Or alternatively mode 0660 + dovecot-lda user in this group
  }
}

So, given that, then I'm still not clear on the following:
1) User vmail is reading the userdb, not writing to the userdb. So why mode 0600?
2) What should the owner, group and mode/permissions of the actual userdb flat file be for best security?

Michael
Re: Mailboxes on NFS or iSCSI
Hi,

On 22.06.16 at 16:40, Miloslav Hůla wrote:
> Hello,
>
> we are running Dovecot (2.2.13-12~deb8u1) on Debian stable. Configured
> with Mailbox++, IMAP, POP3, LMTPD, Managesieved, ACL. Mailboxes are on
> local 1.2TB RAID, it's about 5310 accounts.
>
> We are slowly getting out of space and we are considering to move
> Mailboxes onto Netapp disk array with two independent network
> connections.
>
> Are there some pitfalls? Not sure we should use NTP or iSCSI mounts
> (both open implementations are not so shiny).
>
> Thanks for sharing any experiences.

have a look at my question and the answers from yesterday's posting "Storage upgrade maildir suggestions". Maybe they help you too.

Regards . Götz
RE: newbie userdb lookup problem
> On June 23, 2016 at 8:56 AM Michael Fox wrote:
>
>> http://wiki.dovecot.org/LDA
>>
>> Section virtual users, with lookup has the answer.
>
> Thanks for the quick response Aki.
>
> I presume you're referring to this:
>
> service auth {
>   unix_listener auth-userdb {
>     mode = 0600
>     user = vmail # User running dovecot-lda
>     #group = vmail # Or alternatively mode 0660 + dovecot-lda user in this
> group
>   }
> }
>
> So, given that, then I'm still not clear on the following:
> 1) User vmail is reading the userdb, not writing to the userdb. So why mode
> 0600?
> 2) What should the owner, group and mode/permissions of the actual userdb
> flat file be for best security?
>
> Michael

1) that is a socket, not a regular file. LDA speaks with the auth service.
2) as the auth *service* runs as root it prolly is best to use root:root 0400 for the actual file.

---
Aki Tuomi
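The exchange in this thread turns on who reads what: dovecot-lda, running as vmail, connects to the auth-userdb socket, while the auth service, running as root, reads the passwd-file. The script below is an added illustration of Michael's question and Aki's two answers; it is not code from the thread or from the Dovecot project. It spells out the discretionary access check that produces the "missing +r perm" text in the log and runs it over the ownership/mode combinations discussed above. The uid/gid 5000 for vmail comes from the log line; the default socket being root:root mode 0600 (the "readable only by root" remark) and the second group member uid 5001 are constructed assumptions.

```shell
#!/bin/sh
# Added example (not Dovecot's code): the discretionary access check behind
# the "missing +r perm" text in the log, written out so the permission
# combinations discussed in this thread can be compared side by side.
#
# can_access OCTAL_MODE OWNER_UID OWNER_GID EUID EGID r|w|x
# Prints "yes" if a process running as EUID:EGID gets that permission on an
# object (regular file, unix socket or directory) with the given mode/owner.
can_access() {
    mode=$(( 0$1 ))   # leading 0 forces octal, so "600" and "0600" both work
    owner_uid=$2 owner_gid=$3 euid=$4 egid=$5
    case $6 in
        r) want=4 ;;
        w) want=2 ;;
        x) want=1 ;;   # on a directory this is the search/traverse bit
        *) echo "usage: can_access MODE UID GID EUID EGID r|w|x" >&2; return 2 ;;
    esac
    # root bypasses the mode bits for reading and for directory search
    # (CAP_DAC_OVERRIDE / CAP_DAC_READ_SEARCH on Linux)
    if [ "$euid" -eq 0 ]; then
        echo yes; return 0
    fi
    # exactly one class is consulted: owner, else group, else other
    if [ "$euid" -eq "$owner_uid" ]; then
        shift_bits=6
    elif [ "$egid" -eq "$owner_gid" ]; then
        shift_bits=3
    else
        shift_bits=0
    fi
    if [ $(( ($mode >> $shift_bits) & $want )) -ne 0 ]; then
        echo yes
    else
        echo no
    fi
}

# Constructed scenario taken from the thread: dovecot-lda runs as vmail,
# uid 5000 / gid 5000 (the euid/egid printed in the log line).
VMAIL_UID=5000
VMAIL_GID=5000

# The socket's directory, root:root 0755 as the log reports: traversal is
# granted to "other", so the directory is not the problem.
can_access 0755 0 0 $VMAIL_UID $VMAIL_GID x           # yes

# Default auth-userdb socket, "readable only by root" (root:root 0600 is an
# assumption here): vmail is denied. This is the Permission denied in the log.
can_access 0600 0 0 $VMAIL_UID $VMAIL_GID r           # no

# Wiki fix, variant 1: user = vmail with mode = 0600. The owner class matches,
# and no other uid or gid gets anything, which is why 0600 is enough even
# though vmail never "writes" the userdb: the bits gate the socket connect.
can_access 0600 $VMAIL_UID 0 $VMAIL_UID $VMAIL_GID r  # yes
can_access 0600 $VMAIL_UID 0 5001 $VMAIL_GID r        # no

# Wiki fix, variant 2: group = vmail with mode = 0660. Any uid in group vmail
# (constructed uid 5001) can now connect as well; wider than variant 1.
can_access 0660 0 $VMAIL_GID 5001 $VMAIL_GID r        # yes

# The passwd-file is read by the auth service, which runs as root, so
# root:root 0400 as Aki suggests works for auth while vmail cannot read it.
can_access 0400 0 0 0 0 r                             # yes
can_access 0400 0 0 $VMAIL_UID $VMAIL_GID r           # no
```

Two things fall out of running it. The socket's mode does not describe what vmail does with the userdb; it only decides which uids may open the socket at all, so owner vmail with 0600 is the narrowest setting that lets dovecot-lda in. The passwd-file is a different object consulted by a different process, so tightening it from root:vmail 0640 to root:root 0400 costs nothing for lookups and removes the group's read access.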