hidden shared/public Trash and Junk folders

2017-09-14 Thread Rupert Gallagher 
We need ideas on how to do this reliably and efficiently for a specific client 
with unfaithful employees. --- We could do this using client-side configuration 
tied to windows GPO, but prefer a server-side solution.

Sent from ProtonMail Mobile

Re: [RFC master-2.2 0/1] Support OpenSSL 1.1 API for setting allowed TLS versions

2017-09-14 Thread Brad Smith 



On 9/13/2017 4:51 PM, Apollon Oikonomopoulos wrote:

Hi,

I came up with the following patch while trying to figure out a good solution
for the situation described in Debian bug #871987[1]. In short, OpenSSL in
Debian unstable has disabled TLSv1.0 and TLSv1.1 *by default*. That means that
unless an application requests otherwise, only TLSv1.2 is supported. In the
world of e-mail this is seemingly an issue, as there are still way too many old
clients out there supporting only TLSv1 or TLSv1.1.

Now, traditionally OpenSSL 0.9.8/1.0 used SSL_CTX_set_options() to allow
*disabling* specific protocols, without offering a way to enable previously
disabled protocols. OpenSSL 1.1 introduced a dedicated API[2] to set allowed
protocol versions, taking a linear version approach: the application may
request a minimum and a maximum allowed version (inclusive), allowing all
versions inbetween as well.

Dovecot's existing ssl_protocols option is probably not ideal to use with this
new "linear" model. Instead, I introduced two new options,
ssl_min_proto_version and ssl_max_proto_version, that map directly to OpenSSL
1.1 concepts.

I have tested the patch with both OpenSSL 1.0 and OpenSSL 1.1. With OpenSSL 1.1
it works as expected; with OpenSSL 1.0 it doesn't seem to break anything. Other
than that, this is a first version; I'm sure there are still things to improve,
so comments are welcome :)


Just FYI LibreSSL 2.6.0 and newer has picked up this API.

logins fail for virtual users (permission denied, we're not in group 5000)

2017-09-14 Thread Paul Schreiber 
I have:
- Ubuntu 17.04
- Dovecot 2.2.27 (c0f36b0)
- Postfix 3.1.4

- regular unix users with mail in /home/bob/Maildir
- virtual users with mail in /var/mail/vhosts/domain.com/bob/

The regular users can receive mail as expected.
When virtual users try to log in, it fails. The log shows an error like
this:

2017-09-14 22:44:55 auth: Error:
passwd-file(trav...@travler.net,54.210.254.169,):
stat(/var/mail/vhosts/travler.net/shadow) failed: Permission denied
(euid=114(dovecot) egid=121(dovecot) missing +x perm: /var/mail/vhosts,
we're not in group 5000(vmail), dir owned by 5000:5000 mode=0750)

A previous user had a similar problem in 2015:
https://dovecot.org/list/dovecot/2015-July/101469.html

He was advised to look at https://wiki2.dovecot.org/UserIds … without being
given more specific advice. I looked at the page. I tried adding mail_uid
and mail_gid. No luck.

In my case, I see:
# sudo -u dovecot groups
dovecot vmail

# sudo -u dovecot cat /var/mail/vhosts/travler.net/shadow


I have a vmail user:
# id vmail
uid=5000(vmail) gid=5000(vmail) groups=5000(vmail)

# ls -la /var/mail/vhosts
total 0
drwxr-s--- 1 vmail vmail 246 Jun 30 11:23 .
drwxrwsrwt 1 mail  mail   26 Dec  5  2016 ..
drwxr-s--- 1 vmail vmail  66 Sep 14 23:11 travler.net

# ls -l /var/mail/vhosts/travler.net/
total 8
-rwxr-s--- 1 vmail vmail 174 Dec  5  2016 passwd
-rwxr-s--- 1 vmail vmail 173 Dec  5  2016 shadow
drwxr-s--- 1 vmail vmail 450 Sep  9 13:16 travis.belmont
drwxr-s--- 1 vmail vmail 750 Sep 13 14:14 travler

I've set mail_gid and mail_uid
# doveconf  -n|grep id
mail_gid = 5000
mail_uid = 5000

Here's my full config:
# doveconf -n
# 2.2.27 (c0f36b0): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.16 (fed8554)
# OS: Linux 4.10.0-33-generic x86_64 Ubuntu 17.04 btrfs
log_path = /var/log/dovecot
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_gid = 5000
mail_location = maildir:/home/%u/Maildir
mail_privileged_group = mail
mail_uid = 5000
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
special_use = \Drafts
  }
  mailbox Junk {
special_use = \Junk
  }
  mailbox Sent {
special_use = \Sent
  }
  mailbox "Sent Messages" {
special_use = \Sent
  }
  mailbox Trash {
special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
passdb {
  args = username_format=%n /var/mail/vhosts/%d/shadow
  driver = passwd-file
}
plugin {
  sieve = file:~/sieve;active=~/.dovecot.sieve
}
protocols = " imap"
service auth {
  unix_listener /var/spool/postfix/private/auth {
mode = 0666
  }
}
service imap-login {
  inet_listener imap {
port = 0
  }
}
ssl_cert = [snip]
ssl_cipher_list = [snip]
ssl_dh_parameters_length = 2048
ssl_key =  # hidden, use -P to show it
ssl_protocols = !SSLv3 !SSLv2
userdb {
  driver = passwd
}
userdb {
  args = username_format=%n /var/mail/vhosts/%d/passwd
  driver = passwd-file
}


What do I need to set to get dovecot to run as vmail / fix this error?


Paul

Re: logins fail for virtual users (permission denied, we're not in group 5000)

2017-09-14 Thread Aki Tuomi 


On 15.09.2017 06:21, Paul Schreiber wrote:
> I have:
> - Ubuntu 17.04
> - Dovecot 2.2.27 (c0f36b0)
> - Postfix 3.1.4
>
> - regular unix users with mail in /home/bob/Maildir
> - virtual users with mail in /var/mail/vhosts/domain.com/bob/
>
> The regular users can receive mail as expected.
> When virtual users try to log in, it fails. The log shows an error like
> this:
>
> 2017-09-14 22:44:55 auth: Error:
> passwd-file(trav...@travler.net,54.210.254.169,):
> stat(/var/mail/vhosts/travler.net/shadow) failed: Permission denied
> (euid=114(dovecot) egid=121(dovecot) missing +x perm: /var/mail/vhosts,
> we're not in group 5000(vmail), dir owned by 5000:5000 mode=0750)
>

check

doveadm user trav...@travler.net

you might be specifying uid/gid in passwd virtual passwd file.

Aki