Re: openssl question
Ok, I understand the difference.

openssl s_client -starttls imap -connect mail.mydomain:143
openssl s_client -connect mail.mydomain:993

These commands run as expected. I know this forum isn't about Thunderbird but, when I set up the account in Thunderbird on port 993 with SSL, I see this line in dovecot.log:

TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

In our dovecot (2.0.9 on redhat) 10-ssl.conf file we have

ssl_cipher_list = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES:!SSLv3

settings. Are these settings correct for dovecot? If they are correct, can we say there is a problem with Thunderbird? :)

Thanks in advance

On Tue, Jan 9, 2018 at 3:59 AM, Joseph Tam wrote:
>> but I tried this command
>>
>> openssl s_client -connect mail.mydomain:pop3s -starttls imap
>>
>> it says CONNECTED and hangs. Is the second command correct?
>
> Uh, "pop3s" != "imap", and IMAP/STARTTLS is not the same as IMAP/SSL (or
> whatever the hell the terminology is nowadays).
>
> If you're testing IMAP, try one or the other or both depending
> on how many flavours of SSL you got going.
>
> openssl s_client -starttls imap -connect mail.mydomain:143
> openssl s_client -connect mail.mydomain:993
>
> Joseph Tam

-- 
Selçuk YAZAR
http://www.selcukyazar.blogspot.com
Re: Get parts from username variable
On 08.01.2018 03:16, Matt . wrote:
> Hi Guys,
>
> When I have a username like foo-bar-candy can I get/separate foo, bar
> and candy as single variables for my storagepath of the usermail ?
>
> Thanks,
>
> Matt

The new lua auth backend is probably easiest for this. Dovecot variable manipulation has no separator handling. Or alternatively some dict based script backend.

Aki
Re: zlib plugin producing errors on 2.3.0
On 06.01.2018 20:54, Timo Sirainen wrote:
> On 5 Jan 2018, at 18.33, Carsten Uppenbrink wrote:
>> On 24.12.2017 15:58, Adam Weinberger wrote:
>>> Hello,
>>> I use the zlib and imap_zlib plugins on FreeBSD. As of 2.3.0, my logs
>>> are producing these errors every so often, but AFAICT the messages
>>> themselves aren't getting corrupted.
>>>
>>> Panic: file ostream-zlib.c: line 36 (o_stream_zlib_close): assertion
>>> failed: (zstream->ostream.finished ||
>>> zstream->ostream.ostream.stream_errno != 0)
>>> Fatal: master: service(imap): child 80128 killed with signal 6 (core
>>> not dumped - set service imap { drop_priv_before_exec=yes })
>>> Panic: file ostream-zlib.c: line 36 (o_stream_zlib_close): assertion
>>> failed: (zstream->ostream.finished ||
>>> zstream->ostream.ostream.stream_errno != 0)
>>> Fatal: master: service(imap): child 80266 killed with signal 6 (core
>>> not dumped - set service imap { drop_priv_before_exec=yes })
>>>
>>> They always come in pairs like that. Following is my doveconf. Let
>>> me know what else I can provide here. Thanks!
>>
>> I had these errors in my logs, too.
>>
>> It happens only to users who are using K-9 Mail on Android. They all had a
>> setting enabled called "Use compression on network: Mobile, Wi-Fi, Other" in
>> "Incoming server settings". I didn't look at other imap clients, because
>> without this setting enabled the errors vanished.
>>
>> But it is likely that there are other imap clients who try to compress the
>> transfer.
>> No stored mails are corrupted, it is only the connection somehow.
>
> Oh, it's the imap_zlib plugin / IMAP COMPRESS extension that is crashing.
> Looks like it happens every time when a COMPRESS-enabled client disconnects, so
> it's probably not visible to clients.
>
> Can you try if this https://github.com/dovecot/core/commit/23da0fa1b30cc11bcc1d467674a0950c527e9ff1.patch fixes your issue?

Aki
Re: openssl question
> In our dovecot (2.0.9 on redhat) 10-ssl.conf file we have
>
> ssl_cipher_list =
> kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES:!SSLv3
>
> settings.
>
> Are these settings correct for dovecot? If they are correct, can we say there is
> a problem with Thunderbird? :)

I think you should fix your dovecot cipher list using the guidance from Mozilla's security team:

https://wiki.mozilla.org/Security/Server_Side_TLS

If your server is accessible from the web, you can run this test (it gives you very helpful advice for configuring your cipherlist):

https://www.htbridge.com/ssl

You can also test your setup with the script from this site (you will have to download some files but you can run it even if your server is not connected to the internet):

https://testssl.sh/

Ryan
Re: Get parts from username variable
On 7 Jan 2018, at 20.16, Matt . wrote:
>
> Hi Guys,
>
> When I have a username like foo-bar-candy can I get/separate foo, bar
> and candy as single variables for my storagepath of the usermail ?

If there aren't any @ characters, I think you can kludge this by converting '-' into '@':

auth_username_translation = -@

Then you can use %{username}, %{domain_first} and %{domain_last}
Re: zlib plugin producing errors on 2.3.0
On 09.01.2018 11:22, Aki Tuomi wrote:
> Can you try if this https://github.com/dovecot/core/commit/23da0fa1b30cc11bcc1d467674a0950c527e9ff1.patch fixes your issue?

The panics are gone, it seems this patch fixes the issue. I see in my logs normal login and connection closed messages.

I applied this patch to dovecot v2.3.0 and tested it with the Android K-9 Mail App. I used the option "Use compression on network", which seems to be a default for a new connection.

Carsten
Re: openssl question
> TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
>
> In our dovecot (2.0.9 on redhat) 10-ssl.conf file we have
>
> ssl_cipher_list = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES:!SSLv3

Offhand, I don't know of a fast way to match up client cipher specs and server cipher specs. The hard part is trying to figure out what the client is doing.

Maybe you can turn on dovecot "verbose_ssl = yes" and that will dump SSL diagnostics logs to point out where server/client cipher negotiations fail.

You can also try and run "openssl s_server -cipher 'kEECDH:+...'" on an alternate port/host, point your client at it, and let this utility dump out the SSL cipher negotiations.

Joseph Tam
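The "no shared cipher" error in this thread means the set of suites the client offered in its ClientHello and the set the server's ssl_cipher_list accepts have an empty intersection. One offline way to see that intersection, which none of the posts above provide, is to let the local OpenSSL expand both cipher-list strings and compare them. The script below is an added example, not code from the Dovecot list or project; it uses only Python's standard ssl module, takes the ssl_cipher_list quoted in the thread as the server side, and the client lists in it are constructed stand-ins (what Thunderbird actually offers is not on this page). It approximates rather than reproduces negotiation: the real outcome also depends on the protocol versions both sides allow, on the server certificate's key type (an RSA certificate cannot serve ECDHE-ECDSA suites), and on the server's own OpenSSL build, which may expand the same string differently from the local one.

```python
"""Offline "no shared cipher" diagnosis: expand two OpenSSL cipher-list
strings on the local OpenSSL and intersect them.

Added example, not from the Dovecot mailing-list thread.  Assumes only the
standard-library ssl module.  DOVECOT_SERVER_LIST is the ssl_cipher_list
quoted in the thread; the client lists in main() are constructed examples.
"""
import ssl

# Server list exactly as quoted in the thread (Dovecot 2.0.9, 10-ssl.conf).
DOVECOT_SERVER_LIST = (
    "kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:"
    "kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:"
    "!EXP:!SEED:!IDEA:!3DES:!SSLv3"
)


def expand_cipher_list(spec: str) -> list:
    """Suite names that `spec` selects on the local OpenSSL, in preference
    order.  Returns [] when nothing matches, which is exactly the state in
    which a server would reject every ClientHello.

    TLS 1.3 suites are configured separately by OpenSSL and are reported by
    get_ciphers() regardless of `spec`, so they are filtered out here; a
    cipher-list string like Dovecot's ssl_cipher_list governs only the
    TLS 1.2-and-older suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)  # OpenSSL skips unknown keywords silently,
    except ssl.SSLError:       # but raises when the resulting list is empty
        return []
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def shared_ciphers(server_spec: str, client_spec: str) -> list:
    """Suites both sides accept, in the server's preference order (the pool
    SSL_accept() chooses from).  Empty list == "no shared cipher"."""
    offered = set(expand_cipher_list(client_spec))
    return [name for name in expand_cipher_list(server_spec) if name in offered]


def diagnose(server_spec: str, client_spec: str) -> dict:
    """Break the comparison into the three sets an operator wants to read:
    what is shared, what only the server accepts, what only the client offers."""
    server = expand_cipher_list(server_spec)
    client = expand_cipher_list(client_spec)
    server_set, client_set = set(server), set(client)
    return {
        "shared": [n for n in server if n in client_set],
        "server_only": [n for n in server if n not in client_set],
        "client_only": [n for n in client if n not in server_set],
    }


if __name__ == "__main__":
    # Constructed client lists (not Thunderbird's real offer): one modern
    # client offering AEAD suites, one legacy client offering only SHA-1 CBC
    # suites, which the thread's "!SSLv3" exclusion strips on the server side.
    for label, client in [
        ("modern client", "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384"),
        ("legacy client", "ECDHE-RSA-AES128-SHA:AES128-SHA:AES256-SHA"),
    ]:
        report = diagnose(DOVECOT_SERVER_LIST, client)
        print(f"{label}: shared={report['shared'] or 'NONE (no shared cipher)'}")
        print(f"  client_only={report['client_only']}")
```

The local expansion is only a model of the server; when the answer matters, pair it with the thread's own advice and turn on verbose_ssl = yes on the Dovecot host, which logs what the real handshake did rather than what the local OpenSSL predicts.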
Make fails with 2.3.0 on Mac OS X 10.7.5
Compile is failing for me.

./configure --with-mysql --with-ssl=openssl:

...
checking for SSL_read in -lssl... yes
checking openssl/ssl.h usability... yes
checking openssl/ssl.h presence... yes
checking for openssl/ssl.h... yes
checking openssl/err.h usability... yes
checking openssl/err.h presence... yes
checking for openssl/err.h... yes
checking if OpenSSL version is 1.0.1 or newer... true
checking if OpenSSL version is 1.0.2 or better... true
checking whether SSL_clear_options exists... no
...

No problems. But then ‘make’ ends with:

dcrypt-openssl.c:117: error: field 'ctx' has incomplete type
dcrypt-openssl.c: In function 'dcrypt_openssl_ctx_hmac_destroy':
dcrypt-openssl.c:451: warning: implicit declaration of function 'HMAC_cleanup'
dcrypt-openssl.c: In function 'dcrypt_openssl_generate_ec_key':
dcrypt-openssl.c:555: error: dereferencing pointer to incomplete type
dcrypt-openssl.c:556: error: dereferencing pointer to incomplete type
dcrypt-openssl.c: In function 'dcrypt_openssl_ecdh_derive_secret_local':
dcrypt-openssl.c:588: error: dereferencing pointer to incomplete type
dcrypt-openssl.c: In function 'dcrypt_openssl_ecdh_derive_secret_peer':
dcrypt-openssl.c:668: error: dereferencing pointer to incomplete type
dcrypt-openssl.c:697: error: dereferencing pointer to incomplete type
dcrypt-openssl.c:698: error: dereferencing pointer to incomplete type
dcrypt-openssl.c: In function 'dcrypt_openssl_store_private_key_dovecot':
dcrypt-openssl.c:1461: error: dereferencing pointer to incomplete type
dcrypt-openssl.c:1482: error: dereferencing pointer to incomplete type
dcrypt-openssl.c:1489: error: dereferencing pointer to incomplete type
dcrypt-openssl.c: In function 'dcrypt_openssl_load_private_key':
dcrypt-openssl.c:1615: error: dereferencing pointer to incomplete type
dcrypt-openssl.c: In function 'dcrypt_openssl_store_public_key':
dcrypt-openssl.c:1765: error: dereferencing pointer to incomplete type
dcrypt-openssl.c: In function 'dcrypt_openssl_private_to_public_key':
dcrypt-openssl.c:1801: error: dereferencing pointer to incomplete type
dcrypt-openssl.c: In function 'dcrypt_openssl_name2oid':
dcrypt-openssl.c:2062: error: dereferencing pointer to incomplete type
dcrypt-openssl.c: In function 'dcrypt_openssl_public_key_id_old':
dcrypt-openssl.c:2112: error: dereferencing pointer to incomplete type
dcrypt-openssl.c: In function 'dcrypt_openssl_private_key_id_old':
dcrypt-openssl.c:2135: error: dereferencing pointer to incomplete type
dcrypt-openssl.c: In function 'dcrypt_openssl_public_key_id_evp':
dcrypt-openssl.c:2153: error: dereferencing pointer to incomplete type
make[3]: *** [libdcrypt_openssl_la-dcrypt-openssl.lo] Error 1
make[2]: *** [all-recursive] Error 1
make[1]: *** [all-recursive] Error 1
make: *** [all] Error 2

Any suggestions?

Thanks, James.