Re: Frequent Out of Memory for service(config)

2019-05-15 Thread Aki Tuomi via dovecot


On 13.5.2019 22.56, Root Kev via dovecot wrote:
> Hello Group,
>
> We have dovecot deployed as solely a Pop3 service that is used by our
> applications to pass mail from one application to another internally. 
> We have roughly 4 applications that connect to the Pop3 service every
> 2 seconds, to check for new messages and pop them for processing if
> they are present.  Depending on the site, we have between 1024-2048MB
> of memory set for default_vsz_limit.  In all systems we see the Out of
> memory alert several times a day. We previously did not see this at
> all when running on CentOS6, with less memory.
>
> We have tried increasing the memory to the vsz_limit up to 2gb without
> success. 
>
> We are running on CentOS 7 servers, running dovecot 2.3.6 (7eab80676)
> (from the dovecot repo).
>
> Can anyone advise any other settings that could be modified in order
> to correct these out of memory issues?
>
> # dovecot -n
> # 2.3.6 (7eab80676): /etc/dovecot/dovecot.conf
> # OS: Linux 3.10.0-957.5.1.el7.x86_64 x86_64 CentOS Linux release
> 7.6.1810 (Core) 
> # Hostname: ** #
> auth_cache_size = 10 M
> auth_verbose = yes
> default_vsz_limit = 1 G
> instance_name = Pop3 Mail Service
> listen = 10.*.*.* #
> log_path = /var/log/dovecot.log
> login_greeting = Pop3 Mail Service
> login_trusted_networks = 10.*.*.* 10.*.*.* 10.*.*.* 10.*.*.* 10.*.*.*
> #
> mail_location = maildir:~/Maildir
> namespace inbox {
>   inbox = yes
>   location =
>   mailbox Drafts {
>     special_use = \Drafts
>   }
>   mailbox Junk {
>     special_use = \Junk
>   }
>   mailbox Sent {
>     special_use = \Sent
>   }
>   mailbox "Sent Messages" {
>     special_use = \Sent
>   }
>   mailbox Trash {
>     special_use = \Trash
>   }
>   prefix =
> }
> passdb {
>   args = cache_key=#hidden_use-P_to_show#
>   driver = pam
> }
> protocols = pop3
> ssl_cert =  ssl_key = # hidden, use -P to show it
> userdb {
>   driver = passwd
> }
> verbose_ssl = yes
>
> May 10 06:44:05 config: Fatal: pool_system_malloc(8192): Out of memory
> May 10 06:44:05 config: Fatal: master: service(config): child 27887
> returned error 83 (Out of memory (service config { vsz_limit=1024 MB
> }, you may need to increase it) - set CORE_OUTOFMEM=1 environment to
> get core dump)

Can you try setting

import_environment = $import_environment CORE_OUTOFMEM=1

and see if it causes coredump?

Aki



Re: Anyone using object storage ceph?

2019-05-15 Thread Christian Balzer via dovecot


No, not for lack of interest though.

The former feels abandoned and has design issues IMHO.

The latter is a Dovecot Pro thing and when I talked with Timo 2(?) years ago
he felt that Ceph with S3 or Swift wasn't a good fit and we didn't really
want to go with Scality and simply can't do out of house/country stuff.

The thing I said back then and I still think is valid is that I feel
object storage with lots of small objects is going to require a fast and
studly storage system below and due to the nature of the beast still lose
against something like DRBD when it comes to both latency and overall
costs.

It also becomes more of a black box than maildir on a file system, but
that's another and lesser issue.

Christian

On Tue, 14 May 2019 14:58:10 +0200 Marc Roos via dovecot wrote:

> Just curious if there are already people actively using object storage?
> 
> https://github.com/ceph-dovecot/dovecot-ceph-plugin
> https://docplayer.net/docs-images/40/9935441/images/page_13.jpg
> 


-- 
Christian Balzer                Network/Systems Engineer
ch...@gol.com   Rakuten Communications


Re: LMTP and Sieve with

2019-05-15 Thread Paul Muster via dovecot

Hi,

A way forward could be like this:

1) Introduce a new config option 'detail_affix' with parameters 'prefix' 
and 'suffix', defaulting to 'suffix' making sure not to break existing 
setups using  respectively 
:user:detail format.
If 'detail_affix' is switched to 'prefix' the expected format of local 
parts turns into  respectively 
:detail:user.


2) Add documentation to the Wiki https://wiki2.dovecot.org/LMTP:

* detail_affix = suffix

3) Add description to the relevant default config files¹:

  # The separator that is expected between the :user and :detail
  # address parts introduced by the subaddress extension. This may
  # also be a sequence of characters (e.g. '--'). The current
  # implementation looks for the separator from the left of the
  # localpart and uses the first one encountered. The :user part is
  # left of the separator and the :detail part is right. This setting
  # is also used by Dovecot's LMTP service.
  #recipient_delimiter = +
+
+ # Define if :detail is a prefix or a suffix to the :user address part,
+ # e.g. left or right, when using subaddress extension.
+ # Defaults to 'suffix' making sure not to break existing setups using
+ #  format.
+ # Switch to 'prefix' if you use the  format
+ # described in RfC 5233.
+ #detail_affix = suffix

4) Changelog

   + now we _fully_ support IETF RfC 5233² (Sieve Subaddress Extension),
     see new config parameter 'detail_affix'.


What do you think?

Thanks & greetings,

Paul



¹ On my Debian this is
/etc/dovecot/conf.d/20-lmtp.conf
and
/etc/dovecot/conf.d/90-sieve.conf

² https://tools.ietf.org/html/rfc5233


Am 13.05.2019 um 21:48 schrieb Paul Muster via dovecot:

Hi there,

Dovecot's LMTP implementation and Pigeonhole Sieve already do support
the  format. RfC 5233, the Sieve subaddress
extension, also offers .

Could Dovecot's LMTP and Pigeonhole be extended to that effect?

Thanks & greetings,

Paul
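An added worked illustration (not Dovecot or Pigeonhole code) of the split the proposal describes: the first recipient_delimiter found from the left divides the local part, and detail_affix selects which side is :user. The function names, the empty-:user fallback and the prefix-mode handling of repeated delimiters are assumptions made here, not behaviour the proposal specifies.

```python
"""Illustration of the proposed ':user' / ':detail' split.

Semantics taken from the proposal: recipient_delimiter may be more than one
character, the first occurrence found scanning from the left is used, and
detail_affix decides which side of the delimiter is :user ('suffix', the
current user<delim>detail behaviour) or :detail ('prefix', the
detail<delim>user form from RFC 5233). Not Dovecot or Pigeonhole code; the
function and option names are assumptions made for this example.
"""

from typing import NamedTuple, Optional, Tuple


class Subaddress(NamedTuple):
    user: str              # the :user part, what the mailbox lookup keys on
    detail: Optional[str]  # the :detail part, or None if no delimiter found


def split_localpart(localpart: str,
                    recipient_delimiter: str = "+",
                    detail_affix: str = "suffix") -> Subaddress:
    """Split one local part according to recipient_delimiter and detail_affix."""
    if detail_affix not in ("prefix", "suffix"):
        raise ValueError("detail_affix must be 'prefix' or 'suffix'")
    if not recipient_delimiter:
        # No delimiter configured: the whole local part is the user.
        return Subaddress(localpart, None)

    # First occurrence from the left wins, as in the current implementation.
    idx = localpart.find(recipient_delimiter)
    if idx < 0:
        return Subaddress(localpart, None)

    left = localpart[:idx]
    right = localpart[idx + len(recipient_delimiter):]
    if detail_affix == "suffix":
        user, detail = left, right
    else:
        # Assumption: in prefix mode the text before the first delimiter is
        # :detail and everything after it is :user.
        user, detail = right, left

    # A delimiter at the edge of the local part (e.g. '+foo' in suffix mode)
    # would leave :user empty. Assumption for this example: treat that as
    # "no subaddress" so the address still resolves to a literal mailbox
    # lookup rather than to an empty user name.
    if user == "":
        return Subaddress(localpart, None)
    return Subaddress(user, detail)


def split_address(address: str,
                  recipient_delimiter: str = "+",
                  detail_affix: str = "suffix") -> Tuple[Subaddress, str]:
    """Split 'localpart@domain' into (Subaddress, domain).

    Only the last '@' separates the domain, so an odd local part containing
    '@' is not split in the wrong place. A bare local part yields domain ''.
    """
    local, at, domain = address.rpartition("@")
    if not at:
        local, domain = address, ""
    return split_localpart(local, recipient_delimiter, detail_affix), domain


if __name__ == "__main__":
    # Constructed sample recipients covering both affix modes, the default
    # '+' delimiter and a multi-character '--' delimiter.
    samples = [
        ("paul+lists@example.org", "+", "suffix"),
        ("lists+paul@example.org", "+", "prefix"),
        ("paul--lists--dovecot@example.org", "--", "suffix"),
        ("lists--paul@example.org", "--", "prefix"),
        ("paul@example.org", "+", "suffix"),
        ("+orphan@example.org", "+", "suffix"),
    ]
    for addr, delim, affix in samples:
        sub, domain = split_address(addr, delim, affix)
        print(f"{affix:6s} {delim!r:5} {addr:34s} -> "
              f"user={sub.user!r} detail={sub.detail!r} domain={domain!r}")
```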


Permissions fix

2019-05-15 Thread Lefteris Tsintjelis via dovecot

Is there a fast way for dovecot to set and/or fix its directory permissions?


Re: Permissions fix

2019-05-15 Thread Tanstaafl via dovecot
On Wed May 15 2019 12:58:39 GMT-0400 (Eastern Standard Time), Lefteris
Tsintjelis via dovecot  wrote:
> Is there a fast way for dovecot to set and/or fix its directory permissions?

I don't think so. I suggested dovecot implement something like postfix
does, but I believe the response was that there are too many variables
for there to be a reliable way for dovecot to do this automatically - at
least without a lot of work.


Dovecot not connecting to OpenLDAP

2019-05-15 Thread Elias Falconi via dovecot
Hi,

We recently shut down our old LDAP server and repointed our mail server
(dovecot + postfix) to our new LDAP server and ever since we've been unable
to fetch mail. Mail is getting delivered, but we just can't pop it. We're
using Ubuntu 16.04, btw.

We keep on getting the following error messages in /var/log/dovecote:

2019-05-15 16:27:43 auth: Error: LDAP /etc/dovecot/dovecot-ldap.conf.ext:
ldap_start_tls_s() failed: Can't contact LDAP server
2019-05-15 16:39:36 auth: Error: LDAP /etc/dovecot/dovecot-ldap.conf.ext:
ldap_start_tls_s() failed: Connect error
2019-05-15 16:39:43 auth: Error: LDAP /etc/dovecot/dovecot-ldap.conf.ext:
ldap_start_tls_s() failed: Local error

However, our server is finding our LDAP users and postfix doesn't seem to
have a problem, just Dovecot. Also, when we try to connect via Dovecot, we
get the following message:

-ERR [SYS/TEMP] Temporary authentication failure. [mail:2019-05-15 21:40:06]

Our /etc/dovecot/dovecot.conf contains the following:

## Dovecot configuration file

# If you're in a hurry, see http://wiki2.dovecot.org/QuickConfiguration

# "doveconf -n" command gives a clean output of the changed settings. Use it
# instead of copy&pasting files when posting to the Dovecot mailing list.

# '#' character and everything after it is treated as comments. Extra spaces
# and tabs are ignored. If you want to use either of these explicitly, put the
# value inside quotes, eg.: key = "# char and trailing whitespace  "

# Most (but not all) settings can be overridden by different protocols and/or
# source/destination IPs by placing the settings inside sections, for example:
# protocol imap { }, local 127.0.0.1 { }, remote 10.0.0.0/8 { }

# Default values are shown for each setting, it's not required to uncomment
# those. These are exceptions to this though: No sections (e.g. namespace {})
# or plugin settings are added by default, they're listed only as examples.
# Paths are also just examples with the real defaults being based on configure
# options. The paths listed here are for configure --prefix=/usr
# --sysconfdir=/etc --localstatedir=/var

# Enable installed protocols
!include_try /usr/share/dovecot/protocols.d/*.protocol

# A comma separated list of IPs or hosts where to listen in for connections.
# "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.
# If you want to specify non-default ports or anything more complex,
# edit conf.d/master.conf.
#listen = *, ::

# Base directory where to store runtime data.
#base_dir = /var/run/dovecot/

# Name of this instance. In multi-instance setup doveadm and other commands
# can use -i  to select which instance is used (an alternative
# to -c ). The instance name is also added to Dovecot processes
# in ps output.
#instance_name = dovecot

# Greeting message for clients.
#login_greeting = Dovecot ready.

# Space separated list of trusted network ranges. Connections from these
# IPs are allowed to override their IP addresses and ports (for logging and
# for authentication checks). disable_plaintext_auth is also ignored for
# these networks. Typically you'd specify your IMAP proxy servers here.
#login_trusted_networks =

# Space separated list of login access check sockets (e.g. tcpwrap)
#login_access_sockets =

# With proxy_maybe=yes if proxy destination matches any of these IPs, don't do
# proxying. This isn't necessary normally, but may be useful if the destination
# IP is e.g. a load balancer's IP.
#auth_proxy_self =

# Show more verbose process titles (in ps). Currently shows user name and
# IP address. Useful for seeing who are actually using the IMAP processes
# (eg. shared mailboxes or if same uid is used for multiple accounts).
#verbose_proctitle = no

# Should all processes be killed when Dovecot master process shuts down.
# Setting this to "no" means that Dovecot can be upgraded without
# forcing existing client connections to close (although that could also be
# a problem if the upgrade is e.g. because of a security fix).
#shutdown_clients = yes

# If non-zero, run mail commands via this many connections to doveadm server,
# instead of running them directly in the same process.
#doveadm_worker_count = 0
# UNIX socket or host:port used for connecting to doveadm server
#doveadm_socket_path = doveadm-server

# Space separated list of environment variables that are preserved on Dovecot
# startup and passed down to all of its child processes. You can also give
# key=value pairs to always set specific settings.
#import_environment = TZ

##
## Dictionary server settings
##

# Dictionary can be used to store key=value lists. This is used by several
# plugins. The dictionary can be accessed either directly or though a
# dictionary server. The following dict block maps dictionary names to URIs
# when the server is used. These can then be referenced using URIs in format
# "proxy::".

dict {
  #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
  #expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
  quota = lda

imap failing

2019-05-15 Thread @lbutlr via dovecot


mail kernel: pid 59433 (imap-login), uid 0: exited on signal 11 (core dumped)
master: Error: service(imap-login): command startup failed, throttling for 16 
secs
May 15 17:21:37 imap-login: Fatal: master: service(imap-login): child 92934 
killed with signal 11 (core dumped)

I also get a password error for a user unknown, but if I connect to the 
database with the credentials dovecot uses, I get a password.


MariaDB [postfix]> select password FROM mailbox where username
='sample@domain.munged';
+-----------------------+
| password              |
+-----------------------+
| {SHA256-CRYPT}$5$042. |
+-----------------------+

MariaDB [postfix]> select 89 as uid, 89 as gid, concat('/usr/local/virtual/',
maildir) as home FROM mailbox where username = 'sample@domain.munged';
+-----+-----+------------------------------------------+
| uid | gid | home                                     |
+-----+-----+------------------------------------------+
|  89 |  89 | /usr/local/virtual/sample@domain.munged/ |
+-----+-----+------------------------------------------+
1 row in set (0.00 sec)

I updated my system to openssl111 and rebuilt dovecot and postfix (and a 
hundred other packages). 

Mutual auth and MS Outlook

2019-05-15 Thread dovecot--- via dovecot
I am trying to get Dovecot IMAP and Outlook to talk to each other with SSL
and client certificates enabled. In Dovecot, I have the following options
enabled:

ssl_ca = ...
ssl_verify_client_cert = yes
auth_ssl_require_client_cert = yes
auth_ssl_username_from_cert = yes

when I try to connect with Outlook, I get:

May 12 08:07:50 mail dovecot: imap-login: Disconnected (client didn't send a
cert): user=<>, method=PLAIN, rip=192.168.1.245, lip=192.168.2.5, TLS:
Disconnected, session=

But when I use openssl directly with the same certificates it seems to pass
the certificate in just fine. Does anybody have any ideas?

Thanks in advance.



Re: imap failing

2019-05-15 Thread Cerebus the Aardvark via dovecot
I've rebuilt dovecot, but no change in behavior.

I also enabled debug, but nothing else is logged to /var/log/dovecot
as to why IMAP is crashing.

On Wed, May 15, 2019 at 5:46 PM @lbutlr via dovecot  wrote:
>
>
> mail kernel: pid 59433 (imap-login), uid 0: exited on signal 11 (core dumped)
> master: Error: service(imap-login): command startup failed, throttling for 16 
> secs
> May 15 17:21:37 imap-login: Fatal: master: service(imap-login): child 92934 
> killed with signal 11 (core dumped)
>
> I also get a password error for a user unknown, but if I connect to the 
> database with the credentials dovecot uses, I get a password.
>
>
> MariaDB [postfix]> select password FROM mailbox where username
> ='sample@domain.munged';
> +-----------------------+
> | password              |
> +-----------------------+
> | {SHA256-CRYPT}$5$042. |
> +-----------------------+
>
> MariaDB [postfix]> select 89 as uid, 89 as gid, concat('/usr/local/virtual/',
> maildir) as home FROM mailbox where username = 'sample@domain.munged';
> +-----+-----+------------------------------------------+
> | uid | gid | home                                     |
> +-----+-----+------------------------------------------+
> |  89 |  89 | /usr/local/virtual/sample@domain.munged/ |
> +-----+-----+------------------------------------------+
> 1 row in set (0.00 sec)
>
> I updated my system to openssl111 and rebuilt dovecot and postfix (and a
> hundred other packages).
> I've looked through the logs for other info, but I don't see anything. Trying
> to connect via openssl gives me:
>
> # openssl s_client -connect mail.covisp.net:993 -starttls imap
> CONNECTED(0003)
>


Setting up individual encrypted user keys using mail-crypt-plugin

2019-05-15 Thread emordin via dovecot
Hi,
I have set up a simple mail server using the ISPMail tutorial and I'm trying
to learn how to create email encryption at rest.

I'm having a tough time understanding how to set this up...

So say a user logs in through roundcube and they type in their password...so the
password authenticates to the mysql database which is storing their encrypted
private key?? And once they access that private key, how do they use that
private key to decrypt their mailbox?

I'm a super noob at this, and I may be off, but I don't know where to start
when it comes to setting this up... if I'm way off could you just recommend
some tutorials or other basics I should learn first before moving on to setting
this up?

Sent with [ProtonMail](https://protonmail.com) Secure Email.

Re: Password database - external verification questions

2019-05-15 Thread Richard Hector via dovecot
On 10/05/19 10:10 AM, Richard Hector via dovecot wrote:
> Hi all,
> 
> I'm currently using a PostgreSQL database for my user/password db,
> directly from dovecot. The trouble with that is that I'm stuck with
> whatever hash algorithms dovecot supports - which IIRC means (a subset
> of?) what libc has been compiled with, which can be a bit restrictive.
> 
> So I'd like to use an external tool, which would also let me integrate
> other applications (eg web apps).
> 
> PAM seems to be most suited to sharing accounts with the OS, which isn't
> what I want.
> 
> BSDAuth likewise, but I'm not using BSD.
> 
> CheckPassword looks like a somewhat convoluted protocol, but maybe the
> best bet?
> 
> IMAP - well, that's circular :-)
> 
> OAuth2 looks possible, but seems to be focused on http?
> 
> Any suggestions? And recommended implementations?
> 
> How hard is it to add extra methods?

No tips?

Are my requirements/preferences quite unusual?

Am I asking a silly question?

Am I misunderstanding/exaggerating the limitations of dovecot's/libc's
algorithms?

Thanks,
Richard


Re: Permissions fix

2019-05-15 Thread Lefteris Tsintjelis via dovecot

On 15/5/2019 21:19, Tanstaafl via dovecot wrote:
> On Wed May 15 2019 12:58:39 GMT-0400 (Eastern Standard Time), Lefteris
> Tsintjelis via dovecot  wrote:
> > Is there a fast way for dovecot to set and/or fix its directory permissions?
>
> I don't think so. I suggested dovecot implement something like postfix
> does, but I believe the response was that there are too many variables
> for there to be a reliable way for dovecot to do this automatically - at
> least without a lot of work.


And that is exactly the problem, too many things could go wrong also.


Re: imap failing

2019-05-15 Thread Cerebus the Aardvark via dovecot
I am now trying  portmaster -f dovecot-2.3.6 which is reinstalling 78
ports. 🤞🏼

On Wed, May 15, 2019 at 7:26 PM Cerebus the Aardvark  wrote:
>
> I've rebuilt dovecot, but no change in behavior.
>
> I also enabled debug, but nothing else is logged to /var/log/dovecot
> as to why IMAP is crashing.
>
> On Wed, May 15, 2019 at 5:46 PM @lbutlr via dovecot  
> wrote:
> >
> >
> > mail kernel: pid 59433 (imap-login), uid 0: exited on signal 11 (core 
> > dumped)
> > master: Error: service(imap-login): command startup failed, throttling for 
> > 16 secs
> > May 15 17:21:37 imap-login: Fatal: master: service(imap-login): child 92934 
> > killed with signal 11 (core dumped)
> >
> > I also get a password error for a user unknown, but if I connect to the 
> > database with the credentials dovecot uses, I get a password.
> >
> >
> > MariaDB [postfix]> select password FROM mailbox where username
> > ='sample@domain.munged';
> > +-----------------------+
> > | password              |
> > +-----------------------+
> > | {SHA256-CRYPT}$5$042. |
> > +-----------------------+
> >
> > MariaDB [postfix]> select 89 as uid, 89 as gid,
> > concat('/usr/local/virtual/', maildir) as home FROM mailbox where username
> > = 'sample@domain.munged';
> > +-----+-----+------------------------------------------+
> > | uid | gid | home                                     |
> > +-----+-----+------------------------------------------+
> > |  89 |  89 | /usr/local/virtual/sample@domain.munged/ |
> > +-----+-----+------------------------------------------+
> > 1 row in set (0.00 sec)
> >
> > I updated my system to openssl111 and rebuilt dovecot and postfix (and a
> > hundred other packages).
> >
> > I've looked through the logs for other info, but I don't see anything.
> > Trying to connect via openssl gives me:
> >
> > # openssl s_client -connect mail.covisp.net:993 -starttls imap
> > CONNECTED(0003)
> >


Re: imap failing

2019-05-15 Thread Aki Tuomi via dovecot


On 16.5.2019 2.46, @lbutlr via dovecot wrote:
> mail kernel: pid 59433 (imap-login), uid 0: exited on signal 11 (core dumped)
> master: Error: service(imap-login): command startup failed, throttling for 16 
> secs
> May 15 17:21:37 imap-login: Fatal: master: service(imap-login): child 92934 
> killed with signal 11 (core dumped)
>
> I also get a password error for a user unknown, but if I connect to the 
> database with the credentials dovecot uses, I get a password.
>
>
> MariaDB [postfix]> select password FROM mailbox where username
> ='sample@domain.munged';
> +-----------------------+
> | password              |
> +-----------------------+
> | {SHA256-CRYPT}$5$042. |
> +-----------------------+
>
> MariaDB [postfix]> select 89 as uid, 89 as gid, concat('/usr/local/virtual/',
> maildir) as home FROM mailbox where username = 'sample@domain.munged';
> +-----+-----+------------------------------------------+
> | uid | gid | home                                     |
> +-----+-----+------------------------------------------+
> |  89 |  89 | /usr/local/virtual/sample@domain.munged/ |
> +-----+-----+------------------------------------------+
> 1 row in set (0.00 sec)
>
> I updated my system to openssl111 and rebuilt dovecot and postfix (and a
> hundred other packages).
> I've looked through the logs for other info, but I don't see anything. Trying
> to connect via openssl gives me:
>
> # openssl s_client -connect mail.covisp.net:993 -starttls imap
> CONNECTED(0003)
>
Can you try to get the core dump file and run gdb bt full on it?

Aki



Re: Mutual auth and MS Outlook

2019-05-15 Thread Aki Tuomi via dovecot

On 16.5.2019 3.36, dovecot--- via dovecot wrote:
>
> I am trying to get Dovecot IMAP and Outlook to talk to each other with
> SSL and client certificates enabled. In Dovecot, I have the following
> options enabled:
>
> ssl_ca = ...
> ssl_verify_client_cert = yes
> auth_ssl_require_client_cert = yes
> auth_ssl_username_from_cert = yes
>
> when I try to connect with Outlook, I get:
>
> May 12 08:07:50 mail dovecot: imap-login: Disconnected (client didn't
> send a cert): user=<>, method=PLAIN, rip=192.168.1.245,
> lip=192.168.2.5, TLS: Disconnected, session=
>
> But when I use openssl directly with the same certificates it seems to
> pass the certificate in just fine. Does anybody have any ideas?
>
> Thanks in advance.
>
Maybe Outlook is misconfigured? Does it ask for a certificate when you
connect?

Aki



Re: Setting up individual encrypted user keys using mail-crypt-plugin

2019-05-15 Thread Aki Tuomi via dovecot

On 16.5.2019 4.32, emordin via dovecot wrote:
> Hi,
> I have set up a simple mail server using the ISPMail tutorial and
> I'm trying to learn how to create email encryption at rest.
>
> I'm having a tough time understanding how to set this up...
>
> So say a user logs in through roundcube and they type in their
> password...so the password authenticates to the mysql database which
> is storing their encrypted private key?? And once they access that
> private key, how do they use that private key to decrypt their mailbox?
>

You can export mail_crypt_global_private_key_password from userdb to
specify how to derive the password to decrypt the private key, or just
provide it there. The private key should be exported as the
mail_crypt_global_private_key variable in userdb, and the corresponding
public key as mail_crypt_global_public_key.


> I'm a super noob at this, and I may be off, but I don't know where to
> start when it comes to setting this up... if I'm way off could you
> just recommend some tutorials or other basics I should learn first
> before moving on to setting this up?
>
>
> Sent with ProtonMail Secure Email.
>

Aki


Re: imap failing

2019-05-15 Thread Cerebus the Aardvark via dovecot
No change. Still get

May 15 23:39:43 master: Error: service(imap-login): command startup
failed, throttling for 8 secs
May 15 23:39:43 imap-login: Fatal: master: service(imap-login): child
68411 killed with signal 11 (core dumped)

(with debug enabled)

postconf -n (though it hasn't changed since pre openssl111)
# 2.3.6 (7eab80676): /usr/local/etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.6 (92dc263a)
# OS: FreeBSD 11.2-RELEASE-p4 i386
# Hostname: mail.covisp.net
auth_debug = yes
auth_failure_delay = 5 secs
auth_mechanisms = PLAIN LOGIN
default_client_limit = 4096
default_process_limit = 1024
default_vsz_limit = 768 M
disable_plaintext_auth = no
first_valid_uid = 89
imap_id_log = *
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
log_path = /var/log/dovecot
login_log_format_elements = user=<%u> %r %m %c
mail_location = maildir:~/Maildir
mail_max_userip_connections = 90
mail_plugins = " lazy_expunge acl"
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric
relational regex imap4flags copy include variables body enotify
environment mailbox date ihave
namespace inbox {
  inbox = yes
  location =
  mailbox Archive {
    auto = subscribe
    special_use = \Archive
  }
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
  username_filter = !*@*
}
passdb {
  args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  imapsieve_mailbox1_before = file:/usr/lib/dovecot/sieve/report-spam.sieve
  imapsieve_mailbox1_causes = COPY
  imapsieve_mailbox1_name = Junk
  imapsieve_mailbox2_before = file:/usr/lib/dovecot/sieve/report-ham.sieve
  imapsieve_mailbox2_causes = COPY
  imapsieve_mailbox2_from = Junk
  imapsieve_mailbox2_name = *
  imapsieve_mailbox3_before = file:/usr/lib/dovecot/sieve/mark-read.sieve
  imapsieve_mailbox3_causes = COPY
  imapsieve_mailbox3_name = Archive
  quota_rule2 = .EXPUNGED:ignore
  sieve = file:~/.sieve;active=~/.active_sieve
  sieve_default = /usr/lib/dovecot/sieve/default.sieve
  sieve_default_name = spamassassin
  sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
  sieve_pipe_bin_dir = /usr/lib/dovecot/sieve
  sieve_plugins = sieve_imapsieve sieve_extprograms
}
protocols = imap pop3
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
  }
}
service imap-login {
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
service stats {
  unix_listener stats-reader {
    group = dovecot
    mode = 0666
    user =
  }
  unix_listener stats-writer {
    group = dovecot
    mode = 0666
    user =
  }
}
ssl_cert = 

Re: imap failing

2019-05-15 Thread Aki Tuomi via dovecot


On 16.5.2019 9.04, Cerebus the Aardvark via dovecot wrote:
> No change. Still get
>
> May 15 23:39:43 master: Error: service(imap-login): command startup
> failed, throttling for 8 secs
> May 15 23:39:43 imap-login: Fatal: master: service(imap-login): child
> 68411 killed with signal 11 (core dumped)
>
>

Can you try to get gdb bt full on that core file?

Aki



Re: Dovecot not connecting to OpenLDAP

2019-05-15 Thread Steffen Kaiser via dovecot


On Wed, 15 May 2019, Elias Falconi via dovecot wrote:


> 2019-05-15 16:27:43 auth: Error: LDAP /etc/dovecot/dovecot-ldap.conf.ext:
> ldap_start_tls_s() failed: Can't contact LDAP server
> 2019-05-15 16:39:36 auth: Error: LDAP /etc/dovecot/dovecot-ldap.conf.ext:
> ldap_start_tls_s() failed: Connect error
> 2019-05-15 16:39:43 auth: Error: LDAP /etc/dovecot/dovecot-ldap.conf.ext:
> ldap_start_tls_s() failed: Local error
>
> # Space separated list of LDAP hosts to use. host:port is allowed too.
> hosts = 139.147.9.135
>
> # Use TLS to connect to the LDAP server.
> tls = yes
> # TLS options, currently supported only with OpenLDAP:
> #tls_ca_cert_file =/etc/ssl/certs/ldap.crt
> tls_ca_cert_file =/etc/ssl/certs/ldap6_cacert.pem
>
> # is still used, only the password field is ignored in it. Before doing any
> # search, the binding is switched back to the default DN.
> auth_bind = yes
>
> # For example:
> #   auth_bind_userdn = cn=%u,ou=people,o=org
> #
> #auth_bind_userdn =



are you sure these settings fit each other?

a) IP address, but force tls with cert
-> is the IP address part of the alternate subjects of the cert?

you seem to use STARTTLS
https://docs.oracle.com/cd/E22289_01/html/821-1273/testing-ssl-starttls-and-sasl.html

b) once you've sorted TLS out looks like auth_bind conflicts with 
auth_bind_userdn



-- 
Steffen Kaiser



Re: Dovecot not connecting to OpenLDAP

2019-05-15 Thread Aki Tuomi via dovecot

On 16.5.2019 9.07, Steffen Kaiser via dovecot wrote:
> On Wed, 15 May 2019, Elias Falconi via dovecot wrote:
>
> > 2019-05-15 16:27:43 auth: Error: LDAP /etc/dovecot/dovecot-ldap.conf.ext:
> > ldap_start_tls_s() failed: Can't contact LDAP server
> > 2019-05-15 16:39:36 auth: Error: LDAP /etc/dovecot/dovecot-ldap.conf.ext:
> > ldap_start_tls_s() failed: Connect error
> > 2019-05-15 16:39:43 auth: Error: LDAP /etc/dovecot/dovecot-ldap.conf.ext:
> > ldap_start_tls_s() failed: Local error
>
> > # Space separated list of LDAP hosts to use. host:port is allowed too.
> > hosts = 139.147.9.135
>
> > # Use TLS to connect to the LDAP server.
> > tls = yes
> > # TLS options, currently supported only with OpenLDAP:
> > #tls_ca_cert_file =/etc/ssl/certs/ldap.crt
> > tls_ca_cert_file =/etc/ssl/certs/ldap6_cacert.pem
>
> > # is still used, only the password field is ignored in it. Before doing any
> > # search, the binding is switched back to the default DN.
> > auth_bind = yes
>
> > # For example:
> > #   auth_bind_userdn = cn=%u,ou=people,o=org
> > #
> > #auth_bind_userdn =
>
>
> are you sure these settings fit each other?
>
> a) IP address, but force tls with cert
> -> is the IP address part of the alternate subjects of the cert?
>
> you seem to use STARTTLS
> https://docs.oracle.com/cd/E22289_01/html/821-1273/testing-ssl-starttls-and-sasl.html
>
> b) once you've sorted TLS out looks like auth_bind conflicts with
> auth_bind_userdn
>
>
> -- Steffen Kaiser


Also, can you try if setting

blocking=yes

in LDAP configuration helps?


fwiw we have seen this with some customers too, but unfortunately it's an
OpenLDAP issue which we can't really do much about.


Aki







Re: Password database - external verification questions

2019-05-15 Thread Aki Tuomi via dovecot


On 16.5.2019 4.43, Richard Hector via dovecot wrote:
> On 10/05/19 10:10 AM, Richard Hector via dovecot wrote:
>> Hi all,
>>
>> I'm currently using a PostgreSQL database for my user/password db,
>> directly from dovecot. The trouble with that is that I'm stuck with
>> whatever hash algorithms dovecot supports - which IIRC means (a subset
>> of?) what libc has been compiled with, which can be a bit restrictive.

In 2.3 you can also choose BLF-CRYPT (bcrypt) and, if compiled with support
for it, ARGON2. So you are not limited to glibc only.

>> So I'd like to use an external tool, which would also let me integrate
>> other applications (eg web apps).
>>
>> PAM seems to be most suited to sharing accounts with the OS, which isn't
>> what I want.
>>
>> BSDAuth likewise, but I'm not using BSD.
>>
>> CheckPassword looks like a somewhat convoluted protocol, but maybe the
>> best bet?
>>
>> IMAP - well, that's circular :-)
>>
>> OAuth2 looks possible, but seems to be focused on http?
>>
>> Any suggestions? And recommended implementations?
>>
>> How hard is it to add extra methods?

LDAP is most often used by customers. oauth2 requires client-side
support too, although since 2.3.6 you can also use oauth2 with "password
grant". You can use LUA passdb if you really need something exotic,
although then you need to write your own.

Aki

> No tips?
>
> Are my requirements/preferences quite unusual?
>
> Am I asking a silly question?
>
> Am I misunderstanding/exaggerating the limitations of dovecot's/libc's
> algorithms?
>
> Thanks,
> Richard