Re: [SOLVED] LMTP Post login script for acl_groups

2019-09-03 Thread R.N.S. via dovecot
On 30.08.2019 at 08:10, Aki Tuomi via dovecot wrote:
> 
> 
> On 29.8.2019 12.30, R.N.S. via dovecot wrote:
>> 
>>> On 29.08.2019 at 11:23, Aki Tuomi via dovecot wrote:
>>> 
>>> 
>>> On 29.8.2019 12.18, R.N.S. via dovecot wrote:
> On 28.08.2019 at 20:02, Aki Tuomi via dovecot wrote:
> 
> 
>> On 28/08/2019 21:01 R.N.S. via dovecot  wrote:
>> 
>> 
>>> On 28.08.2019 at 19:46, Jakobus Schürz via dovecot wrote:
>>> 
>>> I think I had the same problem as you.
>>> 
>>> When Dovecot runs LMTP, no user is logged in, so there is no user from
>>> which you can get groups. So I think my solution is (not really sure
>>> if this is right, it's a long time ago that I played around with it) this
>>> transport in Exim for local delivery:
>>> 
>>> dovecot_delivery: 
>>> debug_print = "T: dovecot_delivery_pipe for $local_part@$domain
>>> translates to GET_LOCAL_MAIL"
>>> driver = pipe   
>>> command = /usr/lib/dovecot/deliver -d "GET_LOCAL_MAIL"
>>> message_prefix =
>>> message_suffix =
>>> delivery_date_add
>>> envelope_to_add 
>>> return_path_add 
>>> log_output
>>> user = MAILUSER
>>> group = MAILUSER
>>> 
>>> I have a really sophisticated setup with LDAP... so GET_LOCAL_MAIL and
>>> MAILUSER are macros which get the email address and the mail user for the
>>> receiving email address.
>>> 
>>> GET_LOCAL_MAIL could be $local_part@$domain
>>> MAILUSER is vmail in my setup, the user who owns all mailboxes
>>> 
>>> /usr/lib/dovecot/deliver is an alternative for the lmtp-delivery.
>> Unfortunately this way Postfix and Dovecot need to run on the same host.
>> 
>> I wonder if this is an LMTP or Sieve issue. Maybe something can be done 
>> in the Sieve configuration to solve this?
>> 
>> Is there nobody from @Dovecot who could give some feedback :-) please :-)
>> 
>> Thanks
>> 
>> Christian
> It could be possible to solve this with auth lua script that would allow 
> returning the acl groups as a string, instead of using post-login script.
 I finally got it working with Lua.
 
 Changes to the auth-ldap.conf.ext file:
 --
 userdb {
 driver = ldap
 args = /etc/dovecot/dovecot-ldap.conf.ext
 
 # Fetch acl_groups from LDAP with the Lua userdb script
 skip = never
 result_success = continue
 result_failure = return-fail
 
 # Default fields can be used to specify defaults that LDAP may override
 #default_fields = home=/home/virtual/%u
 }
 --
 
 I created this auth-lua.conf.ext:
 --
 # https://wiki.dovecot.org/AuthDatabase/Lua
 
 userdb {
  driver = lua
  args = file=/etc/dovecot/dovecot-auth-userdb.lua  blocking=yes
 }
 --
 
 I added it in 10-auth.conf after the LDAP auth include statement.
 
 The Lua script looks like this:
 --
 require('io')
 
 -- Usernames are interpolated into a shell command and an LDAP filter
 -- below, so only a conservative character set is accepted; anything
 -- else (quotes, parentheses, wildcards, spaces) is rejected up front.
 local function safe_user(user)
   return user ~= nil and user:match('^[%w@%.%-_+]+$') ~= nil
 end
 
 function auth_userdb_lookup(req)
   local bindpwfile = "/etc/dovecot/ldap-auth-userdb.secret"
   local base = "ou=people,ou=it,dc=roessner-net,dc=de"
   local binddn = "cn=dovecot," .. base
 
   if not safe_user(req.user) then
     return dovecot.auth.USERDB_RESULT_USER_UNKNOWN, "unsafe characters in username"
   end
 
   -- Fetch the rnsMSACLGroup values for the user and join them with commas.
   -- The backslash after "-b $base" keeps the whole pipeline on one shell line.
   local cmd = [=[
   /bin/sh -c "ldapsearch -LLL -ZZ -y $bindpwfile -xD $binddn -b $base \
   '(rnsMSDovecotUser=$user)' rnsMSACLGroup | \
   grep rnsMSACLGroup | \
   awk -vORS=, '{ print \$2 }' | \
   sed 's/,$/\n/'"
   ]=]
 
   -- Replace every $name placeholder in one pass from a lookup table
   cmd = cmd:gsub('$(%w+)', {
     bindpwfile = bindpwfile,
     binddn = binddn,
     base = base,
     user = req.user,
   })
 
   local handle = io.popen(cmd)
   local acl_groups = handle:read("*a")
   handle:close()
 
   -- Drop the trailing newline so it does not become part of the value
   acl_groups = acl_groups:gsub('%s+$', '')
 
   return dovecot.auth.USERDB_RESULT_OK, "acl_groups=" .. acl_groups
 end
 
 function script_init()
   return 0
 end
 
 function script_deinit()
 end
 
 -- vim: expandtab ts=2 sw=2
 --
 
 And this works for me :-)
 
 Many thanks
 
 Christian
>>> There really is no LDAP module for your LUA?
>> I was too early with success :-(
>> 
>> Even the doveadm acl debug command shows that I would have all rights, mails 
>> are inserted into the INBOX :-(
>> 
>> ...
>> doveadm(li...@srvint.net): Info: User li...@srvint.net has rights: lookup 
>> read write write-seen write-deleted insert post expunge
>> doveadm(li...@srvint.net): Info: Mailbox found from dovecot-acl-list
>> doveadm(li...@srvint.net): Info: Mailbox is in public namespace
>> doveadm(li...@srvint.net): Info: Mailbox Public/Mailinglisten/Dovecot is 
>> visible in LIST
>>

Global ACL in SQL or LDAP possible?

2019-09-03 Thread R.N.S. via dovecot
Hi,

Can global ACLs for public folders be stored in SQL or LDAP instead of a 
dovecot-acl file?

I could only find something for shared folders, but not for public folders?

Thanks in advance

Christian

Different passdb backends for different services

2019-09-03 Thread R.N.S. via dovecot
Hi,

as Dovecot supports submission, which is the sending direction, I am interested 
to know if I can configure a separate passdb backend just for submission.

I have LDAP attributes that distinguish sending from receiving permissions. It would 
be nice if I had a second passdb backend just for submission, which has an LDAP 
filter for locking this service.


Example for IMAP, POP3, Sieve:

(&(mail=%s)(mailAllowIncoming=TRUE))


Example for Submission:

(&(mail=%s)(mailAllowOutgoing=TRUE))


Use case is to lock compromised accounts that send spam. An operator can notify 
the account owner by placing a warning message into his/her mailbox.

Is this possible?

Thanks in advance

Christian


Re: CVE-2019-11500: Critical vulnerability in Dovecot and Pigeonhole

2019-09-03 Thread Christian Balzer via dovecot


Hello,

Debian Stretch impact free security upgrade.

This is for the default version/unit which has a Type=forking service, not
the backport and buster one which switched to simple and has dovecot running
in the foreground. 
However it should work just the same, obviously try this on a test machine.

Create /etc/systemd/system/dovecot.service.d/override.conf:
---
[Service]
ExecStart=
ExecStart=/bin/true
ExecStop=
ExecStop=/bin/true
KillMode=none
---

Make it active with:
systemctl daemon-reload


Do a "systemctl status dovecot.service" and note the PID, the 
"Main PID: pidnum (dovecot)" one from the status output.
A stop action will have systemd delete the pid file (why, oh why?) and
thus during the course of an upgrade we will have to re-establish it in
another session with:

echo pidnum >/var/run/dovecot/master.pid

I had to do this 3 times, every time there was a setting up or processing
triggers for dovecot-core. You can see it by things stalling out or
watching "systemctl status dovecot.service" which will have it "starting". 
Since no daemons actually get stopped or started this is harmless, as in
there won't be any impact to existing or new connections.

And after the upgrade is finished a:

systemctl status dovecot.service

should have the status back to active.


At this point any new IMAP sessions will be using the new code, but
imap-login will NOT. 
A "systemctl reload dovecot.service" will have the master spawn off new
daemons while NOT killing off the old ones, so existing proxy connections
won't be killed either.

Afterwards you will likely want to comment out the "Exec" lines and do
another "systemctl daemon-reload", to re-establish normal behavior.

The KillMode bit depends on whether you want the Dovecot option
"shutdown_clients = no" to work as expected. 
That is, on stretch backports dovecot or buster, with the default stretch
version a "systemctl restart" will still kill off existing IMAP sessions
for reasons that are currently beyond me.

On a stretch-backport install we get initially:
---
ps faxv|grep dove

 3342 ?Ss 0:00  078 18449  3164  0.0 /usr/sbin/dovecot -F
 3344 ?S  0:00  020 23471  3460  0.0  \_ dovecot/pop3-login
 3345 ?S  0:00  030 23469  3740  0.0  \_ dovecot/imap-login
 3346 ?S  0:00  016  9867  1096  0.0  \_ dovecot/anvil [17 
connections]
 3347 ?S  0:00  017  9998  2668  0.0  \_ dovecot/log
[etc] 
 3362 ?S  0:00  0   117 26438  4452  0.1  \_ dovecot/config
 3363 ?S  0:00  019 10120  2988  0.0  \_ dovecot/stats [19 
connections]
 3365 ?S  0:00  0   356 87703  8032  0.1  \_ dovecot/auth [0 
wait, 0 passdb, 0 userdb]
 3408 ?S  0:00  025  9866  1108  0.0  \_ 
dovecot/imap-hibernate [0 connections]
 4690 ?S  0:00  0   235 26372  5312  0.1  \_ dovecot/imap 
[t...@goltest.com 203.216.99.99 IDLE]
---

and after a restart as expected:
---
 3347 ?S  0:00  017  9998  2668  0.0 dovecot/log
 3363 ?S  0:00  019 10120  2988  0.0 dovecot/stats [1 
connections]
 4690 ?S  0:00  0   235 26372  5312  0.1  \_ dovecot/imap 
[t...@goltest.com 203.216.99.99 IDLE]
 4701 ?Ss 0:00  078 18449  3096  0.0 /usr/sbin/dovecot -F
 4704 ?S  0:00  020 23471  3460  0.0  \_ dovecot/pop3-login
 4705 ?S  0:00  030 23469  3468  0.0  \_ dovecot/imap-login
 4706 ?S  0:00  016  9867  1096  0.0  \_ dovecot/anvil [17 
connections]
 4707 ?S  0:00  017  9998  2424  0.0  \_ dovecot/log
[etc]
 4722 ?S  0:00  0   117 26306  4448  0.1  \_ dovecot/config
 4723 ?S  0:00  019  9996  2540  0.0  \_ dovecot/stats [17 
connections]
 4725 ?S  0:00  0   356 87703  8048  0.1  \_ dovecot/auth [0 
wait, 0 passdb, 0 userdb]
---

Regards,

Christian

On Sat, 31 Aug 2019 11:30:12 +0900 Christian Balzer via dovecot wrote:

> Daniel,
> 
> thanks so much for the detailed pointers.
> 
> So it turns out to be both the evil that is systemd and an overzealous
> upgrade script.
> 
> Apollon, should I raise a Debian bug for this?
> 
> As for reasons, how do 50k proxy session on the proxy servers and 25k imap
> processes on the mailbox servers sound?
> 
> Even on a server with just 6k users and 7k imap processes that causes a
> massive load spike and a far longer service interruption (about 50
> seconds) than I'm happy with.
> 
> Penultimately if people do set "shutdown_clients = no" they hopefully know
> what they are doing and do expect that to work.
> 
> Regards,
> 
> Christian
> 
> On Fri, 30 Aug 2019 17:44:23 +0200 Daniel Lange via dovecot wrote:
> 
> > On 30.08.19 at 17:38, Daniel Lange via dovecot wrote:  
> > > On 30.08.19 at 10:00, Christian Balzer via dovecot wrote:
> > >> When upgrading on Debian Stretch with the security fix packages all
> >
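
The one step in the procedure above that had to be repeated by hand is putting the master PID back into /var/run/dovecot/master.pid each time the package scripts removed it. The following Python script is an added example, not part of the original post and not Dovecot's or Debian's own tooling: it reads the "Main PID: nnn (dovecot)" line from `systemctl status dovecot.service`, checks that the process is still alive, and re-creates the pid file whenever it disappears, so it can be left running in a second session for the duration of the upgrade. The regular expression for the status line and the polling loop are my own assumptions; the pid-file path is the one from the post.

```python
import os
import re
import subprocess
import sys
import time

# Path used in the post above; on Debian /var/run is a symlink to /run.
MASTER_PIDFILE = "/var/run/dovecot/master.pid"

# Matches the "Main PID: 3342 (dovecot)" line of `systemctl status dovecot.service`
# (assumption: the line shape is the one the post quotes).
MAIN_PID_RE = re.compile(r"^\s*Main PID:\s*(\d+)\s*\(dovecot\)", re.MULTILINE)


def parse_main_pid(status_output):
    """Return the dovecot master PID from systemctl status text, or None when
    the unit reports no running dovecot main process."""
    match = MAIN_PID_RE.search(status_output)
    return int(match.group(1)) if match else None


def pid_is_alive(pid):
    """True if a process with this PID exists (signal 0 delivers nothing)."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists, but owned by another user
    return True


def ensure_pidfile(pid, path):
    """Re-create the master pid file if it is missing or holds another PID.
    Returns True when the file was (re)written, False when it already held
    the expected PID."""
    try:
        with open(path) as fh:
            if fh.read().strip() == str(pid):
                return False
    except FileNotFoundError:
        pass
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        fh.write("%d\n" % pid)
    os.replace(tmp, path)  # atomic rename: nobody ever reads a half-written file
    return True


def current_main_pid():
    """Ask systemd for the unit's main PID (needs the systemctl binary)."""
    out = subprocess.run(["systemctl", "status", "dovecot.service"],
                         capture_output=True, text=True).stdout
    return parse_main_pid(out)


def keep_pidfile(pid, path=MASTER_PIDFILE, interval=1.0, rounds=None):
    """Poll and restore the pid file until the master exits or `rounds`
    iterations have run (None = until interrupted). Returns how many times
    the file had to be restored."""
    restored = 0
    done = 0
    while pid_is_alive(pid) and (rounds is None or done < rounds):
        if ensure_pidfile(pid, path):
            restored += 1
        done += 1
        time.sleep(interval)
    return restored


if __name__ == "__main__":
    master = current_main_pid()
    if master is None:
        sys.exit("dovecot.service has no (dovecot) Main PID; is the override active?")
    print("watching master PID %d; run the package upgrade now" % master)
    try:
        print("pid file restored %d times" % keep_pidfile(master))
    except KeyboardInterrupt:
        pass
```

Run it as root in a second terminal before starting the upgrade and stop it with Ctrl-C once `systemctl status dovecot.service` is back to active; it only ever writes the PID systemd itself reported, and stops on its own if that process exits.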

Re: Different passdb backends for different services

2019-09-03 Thread Sami Ketola via dovecot



> On 3 Sep 2019, at 11.07, R.N.S. via dovecot  wrote:
> 
> Hi,
> 
> as Dovecot supports submission, which is the sending direction, I am 
> interested to know if I can configure a separate passdb backend just for 
> submission.
> 
> I have LDAP attributes that distinguish sending from receiving permissions. It would 
> be nice if I had a second passdb backend just for submission, which has an 
> LDAP filter for locking this service.
> 
> 
> Example for IMAP, POP3, Sieve:
> 
> (&(mail=%s)(mailAllowIncoming=TRUE))

protocol imap {
  passdb {
...
  }
}


> 
> 
> Example for Submission:
> 
> (&(mail=%s)(mailAllowOutgoing=TRUE))

protocol submission {
  passdb {
...
  }
}

etc.

Sami

Re: Segfault with error 4 in doveadm-server (fixed)

2019-09-03 Thread Holger Dehnhardt via dovecot
Using a recent version of dovecot (2.3.7.2) fixed this issue.

Thanks to all!

Holger

19 August 2019 16:12, "Holger Dehnhardt via dovecot" wrote:

> Wow, that's great! Why didn't I find it...
> Sorry and thanks!
> 
> Holger
> 
> 19 August 2019 16:08, "Alexander Dalloz via dovecot" wrote:
> 
>> On 2019-08-19 16:01, Holger Dehnhardt via dovecot wrote:
>> 
>>> Alexander and Aki,
>>> thanks for your quick answers.
>>> It might be best to compile a more recent version of Dovecot. For
>>> some reason it seems impossible to get a core dump and the error might
>>> be fixed in a recent version.
>>> Holger
>> 
>> https://repo.dovecot.org
>> 
>> Alexander


Re: Dovecot 2.3.7 - char "-" missing

2019-09-03 Thread Timo Sirainen via dovecot
On 30 Aug 2019, at 13.44, Domenico Pastore via dovecot wrote:
> 
> Hello,
> 
> I have updated Dovecot from version 2.2.15 to 2.3.7.2.
> I have a problem with my Java software because there is a different 
> response when opening a connection to doveadm.
> 
> I need to open a socket to doveadm to get the IMAP quota of a mailbox.
> 
> With version 2.2.15:
> # telnet 192.160.10.4 924
> Trying 192.160.10.4...
> Connected to 192.160.10.4.
> Escape character is '^]'.
> -
> 
> 
> With version 2.3.7.2:
> # telnet 192.160.10.3 924
> Trying 192.160.10.3...
> Connected to 192.160.10.3.
> Escape character is '^]'.
> 
> 
> The difference is the "-" character. Version 2.3.7 does not respond with the "-" 
> character after opening the connection.
> 
> Is it possible to add the character again with a parameter?
> 
> Why did doveadm's answer change?

It got changed as part of some other doveadm protocol changes. The change was 
somewhat accidental though and we didn't notice the difference. Anyway, 
practically this shouldn't have made any difference if the code was implemented 
as was described in https://wiki.dovecot.org/Design/DoveadmProtocol. It says that the client needs 
to send VERSION first, and as a reply it receives the "+" or "-" line. So it 
was more of a bug that previous Dovecot versions sent the +/- line too early. I 
added a note about this to the wiki page though.
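
To show why a client written to the wiki's description is unaffected by this change, here is a small Python client, added as an example; it is not part of Timo's reply and not Dovecot's own tooling. It sends the VERSION line first and then reads lines until it sees the "+" or "-" status line, so it works whether the server emits that line before the handshake (2.2.x) or after it (2.3.7). The exact VERSION line text and the stand-in servers used for the demo are my assumptions based on the wiki text; no real doveadm-server is needed to run it.

```python
import socket
import threading

# Handshake lines as described on the DoveadmProtocol wiki page (assumption:
# the client/server names and the 1.0 version numbers are taken from there).
CLIENT_VERSION_LINE = b"VERSION\tdoveadm-client\t1\t0\n"
SERVER_VERSION_LINE = b"VERSION\tdoveadm-server\t1\t0\n"


def doveadm_handshake(sock, timeout=5.0):
    """Send our VERSION line first, then read until the server's "+" or "-" line.

    Returns True if the server answered "+" (no authentication needed) and
    False if it answered "-" (the client must authenticate next). Any other
    line, e.g. the server's own VERSION line, is skipped; a "-" that a 2.2.x
    server sent before we spoke is simply already waiting in the buffer.
    """
    sock.settimeout(timeout)
    sock.sendall(CLIENT_VERSION_LINE)
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection during handshake")
        buf += chunk
        while b"\n" in buf:
            line, buf = buf.split(b"\n", 1)
            if line == b"+":
                return True
            if line == b"-":
                return False


def _fake_server(conn, eager, status):
    """Constructed stand-in for doveadm-server, not the real daemon.
    eager=True mimics 2.2.x (status line sent before the client speaks),
    eager=False mimics 2.3.7 (VERSION exchanged first, then the status line)."""
    try:
        if eager:
            conn.sendall(status + b"\n")
            conn.recv(4096)  # consume the client's VERSION line
        else:
            conn.recv(4096)  # wait for the client's VERSION line first
            conn.sendall(SERVER_VERSION_LINE + status + b"\n")
    finally:
        conn.close()


def handshake_against(eager, status=b"-"):
    """Run the client against a fake server over a socketpair; returns the
    client's view of the handshake (True for "+", False for "-")."""
    client_side, server_side = socket.socketpair()
    worker = threading.Thread(target=_fake_server, args=(server_side, eager, status))
    worker.start()
    try:
        return doveadm_handshake(client_side)
    finally:
        client_side.close()
        worker.join()


if __name__ == "__main__":
    for eager in (True, False):
        print("2.2-style" if eager else "2.3-style",
              "server -> authentication required:", not handshake_against(eager))
```

A client that instead waits for the "-" before sending anything deadlocks against 2.3.7, which is exactly the symptom reported in the thread; reading the status line only after sending VERSION is the order the wiki specifies.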

Dovecot and Apple's Mail.app not playing nicely?

2019-09-03 Thread Coy Hile via dovecot
Hi all,

Is there anything cute one has to take into account when using Dovecot with 
users of Apple’s Mail.app? 
Behavior I’m seeing is that if I delete or move messages via Webmail 
(Roundcube, Horde, or even ActiveSync
via Mail.app on my phone), they do get moved or deleted.  However, if I take 
the same actions in the desktop
mail client, when logging in to the Webmail (or phone) app, I see the messages 
still seeming to be in the Inbox.

Is this known behavior? A peculiarity in Apple Mail? 

--
Coy Hile
coy.h...@coyhile.com





Re: dsync and altpath on shared storage.

2019-09-03 Thread Peter Mogensen via dovecot



On 9/2/19 3:03 PM, Sami Ketola wrote:
>> On 2 Sep 2019, at 15.25, Peter Mogensen via dovecot  
>> wrote:
...
>> Is there any way for dsync to avoid moving gigabytes of data that could
>> just be "moved" by moving the mount?
> 
> 
> Not tested but you can probably do something like this in the target server:
> 
> doveadm backup -u victim -R ssh sudouser@old-server "sudo doveadm 
> dsync-server -o mail_location=sdbox:/location-to-your-sdbox/ -u victim"
> 
> just leave ALT storage path from the setting.


I'll have to test this... but my initial guess would be that doveadm
would then think the mails have disappeared. Would it then copy the index
metadata for those mails to the target host anyway?

/Peter


Re: Re: Quota count and clone questions

2019-09-03 Thread Bratislav ILIC via dovecot
Hi,

I presume you figured this out after all this time, but in any case.

Since quota_clone is not cumulative, it always inserts a new record with the actual 
quota, so to get correct results in postfixadmin one must:

 DROP TRIGGER mergequota2 ON quota2;

And to prevent ERROR:  duplicate key value violates unique constraint 
"quota2_pkey":

 CREATE FUNCTION public.clone_quota2() RETURNS trigger
     LANGUAGE plpgsql
     AS $$
 BEGIN
     UPDATE quota2 SET bytes = NEW.bytes,
                       messages = NEW.messages
     WHERE username = NEW.username;
     IF found THEN
         RETURN NULL;
     ELSE
         RETURN NEW;
     END IF;
 END;
 $$;

And then:

 CREATE TRIGGER clonequota2 BEFORE INSERT ON quota2 FOR EACH ROW EXECUTE 
 PROCEDURE public.clone_quota2();

And finally just put:
 quota_clone_dict = proxy::sqlquota
 
Hope this helps somebody trying to figure out this too.

> I figured out that I can't just drop maintaining quota2 if I want 
> postfixadmin to report the quota status.
> 
> I also figured out a way to run a test on my config guesses.  I will try 
> to fit it in today, or tomorrow.  But any advice on the questions below 
> is welcome!
> 
>> On 2/13/19 8:53 PM, Robert Moskowitz via dovecot wrote:
>> all this almost reads like I can drop maintaining the quota2 table?
>>
>> From https://wiki.dovecot.org/Quota/Count
>>
>> mailbox_list_index = yes
>> # Avoid spending excessive time waiting for the quota calculation to 
>> finish when
>> # mails' vsizes aren't already cached. If this many mails are opened, 
>> finish the
>> # quota calculation on background in indexer-worker process. Mail 
>> deliveries will
>> # be assumed to succeed, and explicit quota lookups will return 
>> internal error.
>> mail_vsize_bg_after_count = 100
>>
>> seems to belong in 10-mail.conf.  That is where those var are shown.
>>
>> But:
>>
>>
>> plugin {
>>   # 10MB quota limit
>>   quota = count:User quota
>>   quota_rule = *:storage=10M
>>
>>   # This is required - it uses "virtual sizes" rather than "physical 
>> sizes" for quota counting:
>>   quota_vsizes = yes
>> }
>>
>> I am having problems with.  Right now for quota I have:
>>
>> plugin {
>> quota = dict:user::proxy::sqlquota
>> trash = /etc/dovecot/dovecot-trash.conf.ext
>> }
>>
>> How do I reconcile these two?
>>
>> Then for clone:  https://wiki.dovecot.org/Plugins/QuotaClone
>>
>> how does:
>>
>> mail_plugins = $mail_plugins quota quota_clone
>> plugin {
>>   quota_clone_dict = redis:host=127.0.0.1:port=6379
>> }
>>
>> get replaced with something for mysql?
>>
>> dovecot-sql.conf.ext:
>>
>> driver = mysql
>> connect = host=/var/lib/mysql/mysql.sock dbname=postfix user=postfix 
>> password=$Postfix_Database_Password
>> default_pass_scheme = $cryptsha-CRYPT
>> # following should all be on one line.
>> password_query = SELECT username as user, password, 
>> concat('/home/vmail/', maildir) as userdb_home, 
>> concat('maildir:/home/vmail/', maildir) as userdb_mail, 101 as 
>> userdb_uid, 12 as userdb_gid FROM mailbox WHERE username = '%u' AND 
>> active = '1'
>> # following should all be on one line
>> user_query = SELECT concat('/home/vmail/', maildir) as home, 
>> concat('maildir:/home/vmail/', maildir) as mail, 101 AS uid, 12 AS 
>> gid, CONCAT('*:messages=3:bytes=', quota) as quota_rule FROM 
>> mailbox WHERE username = '%u' AND active = '1'
>>
>> and
>>
>> dovecot-dict-sql.conf.ext:
>>
>> connect = host=/var/lib/mysql/mysql.sock dbname=postfix user=postfix 
>> password=$Postfix_Database_Password
>> map {
>> pattern = priv/quota/storage
>> table = quota2
>> username_field = username
>> value_field = bytes
>> }
>> map {
>> pattern = priv/quota/messages
>> table = quota2
>> username_field = username
>> value_field = messages
>> }
>>
>>
>>
>> thanks
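
The trigger above turns quota_clone's unconditional INSERTs into an upsert on the quota2 primary key. As an added example (mine, not the poster's and not Dovecot's), here is the same logic ported to SQLite through Python's sqlite3 module so it can be run without a PostgreSQL server: a BEFORE INSERT trigger updates the existing row and then cancels the insert with RAISE(IGNORE), SQLite's counterpart of RETURN NULL in plpgsql. The table layout is a constructed stand-in for postfixadmin's quota2 with username as the primary key, and quota_clone itself is simulated by plain INSERT statements.

```python
import sqlite3

# Constructed stand-in for postfixadmin's quota2 table: one row per user,
# username being the primary key that produced the duplicate-key error.
SCHEMA = """
CREATE TABLE quota2 (
    username TEXT PRIMARY KEY,
    bytes    INTEGER NOT NULL DEFAULT 0,
    messages INTEGER NOT NULL DEFAULT 0
);
"""

# SQLite port of clone_quota2(): when a row for the user already exists,
# update it in place and abandon the INSERT. RAISE(IGNORE) plays the role of
# RETURN NULL; the UPDATE executed before it is kept, not rolled back.
TRIGGER = """
CREATE TRIGGER clonequota2 BEFORE INSERT ON quota2
FOR EACH ROW WHEN EXISTS (SELECT 1 FROM quota2 WHERE username = NEW.username)
BEGIN
    UPDATE quota2 SET bytes = NEW.bytes, messages = NEW.messages
     WHERE username = NEW.username;
    SELECT RAISE(IGNORE);
END;
"""


def open_quota_db(with_trigger=True):
    """In-memory database with the quota2 table, optionally with the trigger."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + (TRIGGER if with_trigger else ""))
    return conn


def quota_clone_write(conn, username, bytes_, messages):
    """What the quota_clone plugin does: a plain INSERT of the current
    absolute usage, never an UPDATE and never a delta. Returns True if the
    write went through and False if the primary key rejected it."""
    try:
        conn.execute(
            "INSERT INTO quota2 (username, bytes, messages) VALUES (?, ?, ?)",
            (username, bytes_, messages),
        )
        conn.commit()
        return True
    except sqlite3.IntegrityError:
        conn.rollback()
        return False


def quota_for(conn, username):
    """(bytes, messages) stored for the user, or None if there is no row."""
    return conn.execute(
        "SELECT bytes, messages FROM quota2 WHERE username = ?", (username,)
    ).fetchone()


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM quota2").fetchone()[0]


if __name__ == "__main__":
    db = open_quota_db()
    for usage in ((1000, 3), (2500, 7)):  # two successive quota_clone writes
        quota_clone_write(db, "bob@example.test", *usage)
    print(row_count(db), "row(s);", quota_for(db, "bob@example.test"))
```

With the trigger in place the second write for the same user updates the row instead of failing; opening the database with with_trigger=False reproduces the duplicate-key rejection from the post.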


Re: dsync and altpath on shared storage.

2019-09-03 Thread Sami Ketola via dovecot



> On 3 Sep 2019, at 15.34, Peter Mogensen via dovecot  
> wrote:
> 
> 
> 
> On 9/2/19 3:03 PM, Sami Ketola wrote:
>>> On 2 Sep 2019, at 15.25, Peter Mogensen via dovecot  
>>> wrote:
> ...
>>> Is there any way for dsync to avoid moving gigabytes of data that could
>>> just be "moved" by moving the mount?
>> 
>> 
>> Not tested but you can probably do something like this in the target server:
>> 
>> doveadm backup -u victim -R ssh sudouser@old-server "sudo doveadm 
>> dsync-server -o mail_location=sdbox:/location-to-your-sdbox/ -u victim"
>> 
>> just leave ALT storage path from the setting.
> 
> 
> I'll have to test this... but my initial guess would be that doveadm
> would then think the mails have disappeared. Would it then copy the index
> metadata for those mails to the target host anyway?


Hmm. That is true. It will probably not work after all then. 

Now I'm out of ideas how to do this efficiently.

Sami



Re: Dovecot and Apple's Mail.app not playing nicely?

2019-09-03 Thread Gerald Galster via dovecot
Hi Coy,

> Is there anything cute one has to take into account when using Dovecot with 
> users of Apple’s Mail.app? 
> Behavior I’m seeing is that if I delete or move messages via Webmail 
> (Roundcube, Horde, or even ActiveSync
> via Mail.app on my phone), they do get moved or deleted.  However, if I take 
> the same actions in the desktop
> mail client, when logging in to the Webmail (or phone) app, I see the 
> messages still seeming to be in the Inbox.
> 
> Is this known behavior? A peculiarity in Apple Mail? 

I don't see this behavior with Apple Mail 12.4 / MacOS 10.14.6 (using imap, as 
pop3 does not support folders).

You could configure mail_log_events and see what happens:

plugin {
  # Events to log. Also available: flag_change append
  mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
  # Available fields: uid, box, msgid, from, subject, size, vsize, flags
  # size and vsize are available only for expunge and copy events.
  mail_log_fields = uid box msgid size subject
}

When I move an email into another folder with Apple Mail it's moved on the 
server immediately.
Upon deletion it might get flagged as deleted and expunged later (probably a 
month after).
You can right click on the folder and choose "Erase Deleted Items" to remove 
them from the server,
or configure the time span in Mail's preferences.

Best regards
Gerald




Re: Dovecot and Apple's Mail.app not playing nicely?

2019-09-03 Thread Sami Ketola via dovecot



> On 3 Sep 2019, at 15.30, Coy Hile via dovecot  wrote:
> 
> Hi all,
> 
> Is there anything cute one has to take into account when using Dovecot with 
> users of Apple’s Mail.app? 
> Behavior I’m seeing is that if I delete or move messages via Webmail 
> (Roundcube, Horde, or even ActiveSync
> via Mail.app on my phone), they do get moved or deleted.  However, if I take 
> the same actions in the desktop
> mail client, when logging in to the Webmail (or phone) app, I see the 
> messages still seeming to be in the Inbox.
> 
> Is this known behavior? A peculiarity in Apple Mail? 

I am using Apple Mail.App on a MacBook, iPhone and iPad. And in fact quite many 
of us internally are doing the same
and I can't see that behaviour. Mail.App correctly obeys \Deleted flag and does 
not show the mails in folders.

Sami

Re: Dovecot and Apple's Mail.app not playing nicely?

2019-09-03 Thread Coy Hile via dovecot

On 2019-09-03 09:22, Sami Ketola via dovecot wrote:
> On 3 Sep 2019, at 15.30, Coy Hile via dovecot wrote:
>> 
>> Hi all,
>> 
>> Is there anything cute one has to take into account when using Dovecot 
>> with users of Apple’s Mail.app?
>> Behavior I’m seeing is that if I delete or move messages via Webmail 
>> (Roundcube, Horde, or even ActiveSync
>> via Mail.app on my phone), they do get moved or deleted.  However, if 
>> I take the same actions in the desktop
>> mail client, when logging in to the Webmail (or phone) app, I see the 
>> messages still seeming to be in the Inbox.
>> 
>> Is this known behavior? A peculiarity in Apple Mail?
> 
> I am using Apple Mail.App on a MacBook, iPhone and iPad. And in fact
> quite many of us internally are doing the same
> and I can't see that behaviour. Mail.App correctly obeys the \Deleted flag
> and does not show the mails in folders.
> 
> Sami


That's exactly the converse of what I'm seeing. Mail.app sets the 
\Deleted flag, or flags a message as Junk
and moves it to the Junk folder. But when I login via, say, Roundcube, 
it still shows in the inbox, though
greyed out with a little (/) icon (which I assume is the deleted flag.)  
If I move or delete the message via
the webmail client, it actually gets moved to Junk or Trash. (Or 
wherever I moved it.)


FWIW, I think this applies only to deleted messages (where Mail.app may 
just set a flag rather than actually moving
the messages to Trash) and to Mail.app's own Junk processing. (Things 
flagged as Spam and moved to Junk via Sieve do
end up in the Junk folder.)


--
Coy Hile
coy.h...@coyhile.com


Re: dsync and altpath on shared storage.

2019-09-03 Thread Peter Mogensen via dovecot



On 9/3/19 2:38 PM, Sami Ketola wrote:
> 
> 
>> On 3 Sep 2019, at 15.34, Peter Mogensen via dovecot  
>> wrote:
>>
>>
>>
>> On 9/2/19 3:03 PM, Sami Ketola wrote:
 On 2 Sep 2019, at 15.25, Peter Mogensen via dovecot  
 wrote:
>> ...
 Is there any way for dsync to avoid moving gigabytes of data that could
 just be "moved" by moving the mount?
>>>
>>>
>>> Not tested but you can probably do something like this in the target server:
>>>
>>> doveadm backup -u victim -R ssh sudouser@old-server "sudo doveadm 
>>> dsync-server -o mail_location=sdbox:/location-to-your-sdbox/ -u victim"
>>>
>>> just leave ALT storage path from the setting.
>>
>>
>> I'll have to test this... but my initial guess would be that doveadm
>> would then think the mails have disappeared. Would it then copy the index
>> metadata for those mails to the target host anyway?
> 
> 
> Hmm. That is true. It will probably not work after all then. 
> 
> Now I'm out of ideas how to do this efficiently.

I assume it won't even work to just premount the shared storage
read-only on the target side, so the mails are already there.
... since I suppose the receiving dsync reserves the right to re-pack
the m.* storage files?

/Peter



Re: Different passdb backends for different services

2019-09-03 Thread R.N.S. via dovecot



> On 03.09.2019 at 10:54, Sami Ketola via dovecot wrote:
> 
> 
> 
>> On 3 Sep 2019, at 11.07, R.N.S. via dovecot  wrote:
>> 
>> Hi,
>> 
>> as Dovecot supports submission, which is the sending direction, I am 
>> interested to know if I can configure a separate passdb backend just for 
>> submission.
>> 
>> I have LDAP attributes that distinguish sending from receiving permissions. It 
>> would be nice if I had a second passdb backend just for submission, which 
>> has an LDAP filter for locking this service.
>> 
>> 
>> Example for IMAP, POP3, Sieve:
>> 
>> (&(mail=%s)(mailAllowIncoming=TRUE))
> 
> protocol imap {
>  passdb {
>...
>  }
> }
> 
> 
>> 
>> 
>> Example for Submission:
>> 
>> (&(mail=%s)(mailAllowOutgoing=TRUE))
> 
> protocol submission {
>  passdb {
>...
>  }
> }

I tried this, but I have done something wrong probably.

I added this to 20-imap, 20-pop, 20-managesieve and 20-submission, always in the 
protocol sections. I also disabled the passdb section from the 
auth-ldap.conf.ext in 10-auth and kept the userdb part.

Sep  3 17:57:24 mx dovecot: imap-login: Error: auth-client: conn unix:login: 
Timeout waiting for handshake from auth server.
my pid=16106, input bytes=0
Sep  3 17:57:24 mx dovecot: imap-login: Error: auth-client: conn unix:login: 
Timeout waiting for handshake from auth server.
my pid=16107, input bytes=0

Can somebody tell me which "things" need the userdb and which the passdb 
sections?

I am a little bit confused. Or do I have to add the above lines and is some 
inheritance working here?

Thanks in advance

Christian



Re: Dovecot and Apple's Mail.app not playing nicely?

2019-09-03 Thread Gerald Galster via dovecot


>>> On 3 Sep 2019, at 15.30, Coy Hile via dovecot  wrote:
>>> Hi all,
>>> Is there anything cute one has to take into account when using Dovecot with 
>>> users of Apple’s Mail.app?
>>> Behavior I’m seeing is that if I delete or move messages via Webmail 
>>> (Roundcube, Horde, or even ActiveSync
>>> via Mail.app on my phone), they do get moved or deleted.  However, if I 
>>> take the same actions in the desktop
>>> mail client, when logging in to the Webmail (or phone) app, I see the 
>>> messages still seeming to be in the Inbox.
>>> Is this known behavior? A peculiarity in Apple Mail?
>> I am using Apple Mail.App on a MacBook, iPhone and iPad. And in fact
>> quite many of us internally are doing the same
>> and I can't see that behaviour. Mail.App correctly obeys \Deleted flag
>> and does not show the mails in folders.
>> Sami
> 
> That's exactly the converse of what I'm seeing. Mail.app sets the \Deleted 
> flag, or flags a message as Junk
> and moves it to the Junk folder. But when I login via, say, Roundcube, it 
> still shows in the inbox, though
> greyed out with a little (/) icon (which I assume is the deleted flag.)  If I 
> move or delete the message via
> the webmail client, it actually gets moved to Junk or Trash. (Or wherever I 
> moved it.)
> 
> FWIW, I think this applies only to deleted messages (where Mail.app may just 
> set a flag rather than actually moving
> the messages to Trash) and to Mail.app's own Junk processing. (Things flagged 
> as Spam and moved to Junk via Sieve do
> end up in the Junk folder.)

Apple Mail does not show messages anymore when the \Deleted flag is set. They 
are moved to trash only if a mailbox
for deleted messages is set in preferences. Usually they are removed (expunged) 
from the server a month later.
Roundcube on the other hand displays \Deleted messages greyed out 
(strikethrough in some versions) by default.

The ability to just mark messages as \Deleted is a nice feature. Imagine 
deleting 10 small status mails without
unnecessary I/O. It may stress your disks (local and server) when that many 
mails are moved around before being expunged.

Best regards
Gerald

Re: CVE-2019-11500: Critical vulnerability in Dovecot and Pigeonhole

2019-09-03 Thread KSB via dovecot

On 2019.08.28. 15:10, Aki Tuomi via dovecot wrote:
> 
> Steps to reproduce:
> 
> This bug is best observed using valgrind to see the out of bounds read
> with following snippet:
> 
> perl -e 'print "a id (\"foo\" \"".("x"x1021)."\\A\" \"bar\"
> \"\000".("x"x1020)."\\A\")\n"' | nc localhost 143
> 


Hi!
Before I had 2.2.25 and the returned result was:
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE 
IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.

a BAD Missing ')'

now I upgraded to 2.2.36.4 and the result is the same.

--
KSB


Pound on Dovecot with mailer.nim script

2019-09-03 Thread Bob Gustafson via dovecot
For testing mail programs (postfix and dovecot), it is reasonable to use 
a scripted client application on a separate machine.


Scripting started with unix shell scripts, but got a big boost with Sol 
Libes' tcl/expect.


From those early days, we now have 'puppet', 'chef', 'fabric', 
'ansible', ... to test and manage complex multi-machine systems.


A relatively new scripting entry is 'nimscript'. The underlying code is 
'nim' and nimscript shares the same syntax as nim. (Not necessary to 
learn a separate language such as ruby, python or tcl).


Nim and Nimscript have a number of explicit parallel operators in an 
asyncdispatch library. newAsyncSmtp and 'await' are some of the features 
used in this script. The script can be used as a library module for a 
custom application or it can be run as a standalone sample script. The 
phrase 'when isMainModule:' detects when it is run as a standalone.


Being based on Nim - means that it works on Windows-MacOS-Linux-(and 20+ 
other OS), so no portability problems. Nim is a compiled language with 
GC and is as fast as 'C'.


Take a look at 
https://christine.website/blog/how-send-email-nim-2019-08-28 for more 
information. And there is 'nim-lang.org' too.




Re: CVE-2019-11500: Critical vulnerability in Dovecot and Pigeonhole

2019-09-03 Thread KSB via dovecot

On 2019.09.03. 22:32, KSB via dovecot wrote:
> On 2019.08.28. 15:10, Aki Tuomi via dovecot wrote:
>> 
>> Steps to reproduce:
>> 
>> This bug is best observed using valgrind to see the out of bounds read
>> with following snippet:
>> 
>> perl -e 'print "a id (\"foo\" \"".("x"x1021)."\\A\" \"bar\"
>> \"\000".("x"x1020)."\\A\")\n"' | nc localhost 143
>> 
> 
> Hi!
> Before I had 2.2.25 and the returned result was:
> * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE 
> IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
> 
> a BAD Missing ')'
> 
> now I upgraded to 2.2.36.4 and the result is the same.
> 
> --
> KSB


Btw, got 1 time:
perl -e 'print "a id (\"foo\" \"".("x"x1021)."\\A\" \"bar\"
\"\000".("x"x1020)."\\A\")\n"' | nc localhost 143
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE 
IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.

a BAD Missing ')'
* BYE Input buffer full, aborting

with 2.2.36.4

--
KSB


plugin for IMAP protocol to modifie any email

2019-09-03 Thread Matthew Brown via dovecot
is there a plugin or any way I can modify any email content?

I would like to change body text, headers, attachments


Re: plugin for IMAP protocol to modifie any email

2019-09-03 Thread Benny Pedersen via dovecot

Matthew Brown via dovecot wrote on 2019-09-04 07:12:

> is there a plugin or any way I can modify any email content?

not appreciated to do

> I would like to change body text, headers, attachments

use roundcube

i already hate mailman breaking dkim

YMMV


Fwd: plugin for IMAP protocol to modify any email

2019-09-03 Thread Matthew Brown via dovecot
is there a plugin or any way I can modify any email content ?

I would like to change body text, headers, attachments

I know it is forbidden by protocol, but anyway ?


Mailcrypt plugin private password

2019-09-03 Thread Dustin Schoenwolf via dovecot
Hello there,

is there a way to make the mailcrypt plugin use the user's password or at least 
store it in a hashed value?

I'm using a passwd file for authentication.
I feel uncomfortable saving the private password in plaintext in that file.

Regards

Re: Different passdb backends for different services

2019-09-03 Thread Sami Ketola via dovecot


> On 3 Sep 2019, at 19.08, R.N.S. via dovecot  wrote:
> 
> I tried this, but I have done something wrong probably.
> 
> I added this to 20-imap 20-pop 20-managesieve and 20-submission. Always in 
> the protocol sections. I also disabled the passdb section from the 
> auth-ldap.conf.ext in 10-auth and left over the userdb part.
> 
> Sep  3 17:57:24 mx dovecot: imap-login: Error: auth-client: conn unix:login: 
> Timeout waiting for handshake from auth server.
> my pid=16106, input bytes=0
> Sep  3 17:57:24 mx dovecot: imap-login: Error: auth-client: conn unix:login: 
> Timeout waiting for handshake from auth server.
> my pid=16107, input bytes=0
> 
> Can somebody tell me which "things" need the userdb and which the passdb 
> sections?
> 
> I am a little bit confused. Or do I have to add the above lines and is some 
> inheritance working here?
> 
> Thanks in advance
> 
> Christian

I always use one flat dovecot.conf file. It is just so much simpler, and 
that way you can more easily ensure the loading order of all settings.

Maybe you should also gather all the settings you want to change into one config file 
and stop loading those in conf.d.

Also you can post your doveconf -n somewhere so that we can see what goes wrong.

Sami



Re: Mailcrypt plugin private password

2019-09-03 Thread Aki Tuomi via dovecot

On 4.9.2019 9.21, Dustin Schoenwolf via dovecot wrote:
> Hello there,
>
> is there a way to make the mailcrypt plugin use the user's password or
> at least store it in a hashed value?
>
> I'm using a passwd file for authentication.
>
> I feel uncomfortable saving the private password in plaintext in that
> file.
>
> Regards


You can try in passdb return

userdb_mail_crypt_private_password=%{pkcs5,salt=%u,format=base64:password}

Aki



Re: plugin for IMAP protocol to modify any email

2019-09-03 Thread Aki Tuomi via dovecot


On 4.9.2019 8.48, Benny Pedersen via dovecot wrote:
> Matthew Brown via dovecot skrev den 2019-09-04 07:12:
>> is there a plugin or any way I can modify any email content ?
>
> not appreciated to do
>
>> I would like to change body text, headers, attachments
>
> use roundcube
>
> i already hate mailman breaking dkim
>
> YMMV


You can use imap_sieve_refilter to perform Sieve actions to mails. Such
as piping them into a script that changes the mail contents.

Aki



Re: Mailcrypt plugin private password

2019-09-03 Thread info--- via dovecot
Do I have to replace the "password" part with the actual password or can I just 
copy it like that?

Will dovecot create the keypair automatically or do I have to use doveadm?


4. Sep. 2019, 08:33 von aki.tu...@open-xchange.com:

>
>
>
> On 4.9.2019 9.21, Dustin Schoenwolf via  dovecot wrote:
>
>> Hello there,
>>
>> is there a way to make the mailcrypt plugin use the user's password 
>> or at least store it in a hashed value?
>>
>> I'm using a passwd file for authentication.
>>
>> I feel uncomfortable saving the private password in plaintext in that 
>> file.
>>
>> Regards
>>
>
>
>
>
> You can try in passdb return 
>
>
> userdb_mail_crypt_private_password=%{pkcs5,salt=%u,format=base64:password}
>
>
> Aki
>
>



Re: Mailcrypt plugin private password

2019-09-03 Thread Aki Tuomi via dovecot
It should pick up the password used by the user, but there is a caveat here.
The keypair is created on first use, so the password will be
initialized to the empty string going through pkcs5. This is slightly inconvenient.

To avoid this, you should probably have

protocol imap {

    passdb {

        driver = static

        args = userdb_mail_crypt_private_password=%{pkcs5,salt=%u,format=base64:password}

    }

}

and initialize the keypair using doveadm and set the password to this
value there.


This requires some user management tooling though, so that the password is
changed with doveadm when the user changes their password.

Another alternative is to keep the private password in a database; you can
use the var expand encryption plugin to make sure it's decryptable with
the user's password. See
https://doc.dovecot.org/configuration_manual/config_file/config_variables/
for details.

Key management is pretty much the most difficult thing in mail crypt
plugin =)

Aki


On 4.9.2019 9.40, info--- via dovecot wrote:
> Do I have to replace the "password" part with the actual password or
> can I just copy it like that?
>
> Will dovecot create the keypair automatically or do I have to use doveadm?
>
>
> 4. Sep. 2019, 08:33 von aki.tu...@open-xchange.com:
>
>
> On 4.9.2019 9.21, Dustin Schoenwolf via dovecot wrote:
>> Hello there,
>>
>> is there a way to make the mailcrypt plugin use the user's
>> password or at least store it in a hashed value?
>>
>> I'm using a passwd file for authentication.
>>
>> I feel uncomfortable saving the private password in plaintext in
>> that file.
>>
>> Regards
>
>
> You can try in passdb return
>
> userdb_mail_crypt_private_password=%{pkcs5,salt=%u,format=base64:password}
>
> Aki
>
>
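As an added illustration of the passdb derivation discussed in this thread (not code from the thread or from Dovecot itself), the following computes the same kind of value outside Dovecot and shows why a keypair created on first use, or before a password change, no longer matches what passdb returns. The thread only gives salt=%u and format=base64; the digest (SHA-256) and the round count (2048) used here are assumptions.

```python
import base64
import hashlib

# Assumed parameters for Dovecot's %{pkcs5,...} expansion; the thread does not
# state them, only salt=%u and format=base64.
PKCS5_DIGEST = "sha256"
PKCS5_ROUNDS = 2048


def derive_private_password(username: str, password: str) -> str:
    """Stand-in for userdb_mail_crypt_private_password=
    %{pkcs5,salt=%u,format=base64:password}: PBKDF2 over the login
    password with the username as salt, base64-encoded."""
    raw = hashlib.pbkdf2_hmac(
        PKCS5_DIGEST, password.encode(), username.encode(), PKCS5_ROUNDS
    )
    return base64.b64encode(raw).decode()


def first_use_private_password(username: str) -> str:
    """The caveat from the thread: if the keypair is created on first use
    before passdb supplies the real password, the empty string goes
    through pkcs5 and the key is locked to this value instead."""
    return derive_private_password(username, "")


def keypair_password_matches(initialized_with: str, username: str,
                             login_password: str) -> bool:
    """True only when the value the keypair was initialized with equals what
    passdb derives for the current login password. A False result after a
    password change means the key password must be updated with doveadm."""
    return initialized_with == derive_private_password(username, login_password)


if __name__ == "__main__":
    # Constructed sample user, not from the thread.
    user, pw = "alice@example.test", "correct horse battery"
    good = derive_private_password(user, pw)
    print("passdb would return:", good)
    print("first-use (empty password) value matches:",
          keypair_password_matches(first_use_private_password(user), user, pw))
    print("after password change, old key password still matches:",
          keypair_password_matches(good, user, "new password"))
```

The two False results at the end are exactly the two situations in which the mailcrypt keypair has to be initialized or re-keyed with doveadm rather than relied on to pick up the passdb value.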