Re: [Dovecot] Question regarding Postfix and Dovecot
Replying back to the list.

On Thu, Mar 14, 2013 at 10:51 AM, mourik jan c heupink <heup...@merit.unu.edu> wrote:

> please reply to the list
>
> On 3/14/2013 11:38 AM, Daniel Reinhardt wrote:
>
>> Yes I have read everything on that, and yet postfix does not even see
>> the dovecot virtual transport.
>>
>> On Thu, Mar 14, 2013 at 10:37 AM, mourik jan c heupink
>> <heup...@merit.unu.edu> wrote:
>>
>>     Hi Daniel,
>>
>>     I'm new to dovecot myself, but did you read this:
>>
>>     http://wiki2.dovecot.org/LDA/Postfix
>>
>>     I'm guessing that perhaps you need to configure your virtual
>>     transport? So, in master.cf, include a line like:
>>
>>     dovecot unix - n n - - pipe
>>       flags=DRhu user=vmail:vmail
>>       argv=/usr/local/libexec/dovecot/dovecot-lda -f ${sender} -d ${recipient}
>>
>>     and configure virtual_transport = dovecot in main.cf
>>
>>     But again... I'm very new to all this myself, but perhaps it helps?
>>
>>     Regards,
>>     MJ
>>
>> --
>> Daniel Reinhardt
>> crypto...@cryptodan.net
>> http://www.cryptodan.net
>> 301-875-7018(c)
>> 410-455-0488(h)

--
Daniel Reinhardt
crypto...@cryptodan.net
http://www.cryptodan.net
301-875-7018(c)
410-455-0488(h)
Re: [Dovecot] Question regarding Postfix and Dovecot
I looked at my config in main.cf and I do not see it. Can you point it out?

On Thu, Mar 14, 2013 at 11:02 AM, mourik jan c heupink <heup...@merit.unu.edu> wrote:

> Looking at your config, I notice
> virtual_transport = virtual
>
> However according to http://wiki2.dovecot.org/LDA/Postfix :
>
> main.cf:
> dovecot_destination_recipient_limit = 1
> virtual_mailbox_domains = your.domain.here
> virtual_transport = dovecot
>
> master.cf:
> dovecot unix - n n - - pipe
>   flags=DRhu user=vmail:vmail argv=/usr/local/libexec/dovecot/dovecot-lda -f ${sender} -d ${recipient}
>
> But again, I'm new to all this. Here postfix/dovecot/virtual works fine,
> and all I did was follow the docs.
>
> On 3/14/2013 11:53 AM, Daniel Reinhardt wrote:
>
>> Replying back to the list.
>>
>> On Thu, Mar 14, 2013 at 10:51 AM, mourik jan c heupink
>> <heup...@merit.unu.edu> wrote:
>>
>>> please reply to the list
>>>
>>> On 3/14/2013 11:38 AM, Daniel Reinhardt wrote:
>>>
>>>> Yes I have read everything on that, and yet postfix does not even see
>>>> the dovecot virtual transport.
>>>>
>>>> On Thu, Mar 14, 2013 at 10:37 AM, mourik jan c heupink
>>>> <heup...@merit.unu.edu> wrote:
>>>>
>>>>     Hi Daniel,
>>>>
>>>>     I'm new to dovecot myself, but did you read this:
>>>>
>>>>     http://wiki2.dovecot.org/LDA/Postfix
>>>>
>>>>     I'm guessing that perhaps you need to configure your virtual
>>>>     transport? So, in master.cf, include a line like:
>>>>
>>>>     dovecot unix - n n - - pipe
>>>>       flags=DRhu user=vmail:vmail
>>>>       argv=/usr/local/libexec/dovecot/dovecot-lda -f ${sender} -d ${recipient}
>>>>
>>>>     and configure virtual_transport = dovecot in main.cf
>>>>
>>>>     But again... I'm very new to all this myself, but perhaps it helps?
>>>>
>>>>     Regards,
>>>>     MJ
>>>>
>>>> --
>>>> Daniel Reinhardt
>>>> crypto...@cryptodan.net
>>>> http://www.cryptodan.net
>>>> 301-875-7018(c)
>>>> 410-455-0488(h)

--
Daniel Reinhardt
crypto...@cryptodan.net
http://www.cryptodan.net
301-875-7018(c)
410-455-0488(h)
Re: [Dovecot] Question regarding Postfix and Dovecot
Thank you for pointing that out, so I went ahead and removed postfix, mysql, and dovecot in hopes to start fresh and follow the guide I used previously. Yet Postfix still isn't sending mail to the virtual mailbox setting defined in my dovecot config:

Here is the output of the postconf -n. I apologize for the postconf -d, as I was not aware of the difference.

Postconf -n

append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = amavis:[127.0.0.1]:10024
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
inet_interfaces = all
mailbox_size_limit = 0
maximal_backoff_time = 8000s
maximal_queue_lifetime = 7d
minimal_backoff_time = 1000s
mydestination = localhost, cryptodan.net, mail.cryptodan.net, mail.pandorah.net, pandorah.net, andromeda.milkyway
myhostname = andromeda.milkyway
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
mynetworks_style = host
myorigin = /etc/hostname
readme_directory = no
recipient_delimiter = +
smtp_helo_timeout = 60s
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org, reject_rbl_client blackholes.easynet.nl, reject_rbl_client dnsbl.njabl.org
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_hard_error_limit = 12
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_hostname, reject_invalid_hostname, permit
smtpd_recipient_limit = 16
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, check_policy_service inet:127.0.0.1:10023, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, warn_if_reject reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit
smtpd_soft_error_limit = 3
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 450
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf, mysql:/etc/postfix/mysql_virtual_alias_domainaliases_maps.cf
virtual_gid_maps = static:8
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf, mysql:/etc/postfix/mysql_virtual_mailbox_domainaliases_maps.cf
virtual_transport = dovecot
virtual_uid_maps = static:150

Here is the virtual_transport set in master.cf to dovecot:

dovecot unix -n n - - pipe flags=DRhu user=vmail:mail argv=/usr/lib/dovecot/dovecot-lda -d $(recipient)

Here is my dovecot -n output:

/root@andromeda:/etc/postfix# dovecot -n
# 2.0.19: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-38-generic-pae i686 Ubuntu 12.04.2 LTS ext4
disable_plaintext_auth = no
first_valid_uid = 150
last_valid_uid = 150
mail_gid = mail
mail_location = maildir:/var/vmail/%d/%n
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
protocols = imap pop3 sieve
service auth {
  unix_listener /var/spool/postfix/private/dovecot-auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  unix_listener auth-userdb {
    group = mail
    mode = 01224
    user = vmail
  }
}
ssl_cert = was automatically rejected:%n%r }

Thanks,
Daniel Reinhardt

On Thu, Mar 14, 2013 at 11:34 AM, Charles Marcus wrote:

> On 2013-03-14 7:11 AM, Daniel Reinhardt wrote:
>
>> I looked at my config in main.cf and I do not see it. Can you point it
>> out?
>
> First, virtual_transport = virtual is the default setting. Since you
> posted -d output, that is what was shown.
>
> With postfix (and I believe dovecot), the last config entry wins. So, if
> you have a certain setting specified twice in the config file, the last one
> (closest to the bottom) is the one that is used.
>
> Postconf -n output will show you whether or not you have changed it.
>
> If you are certain you have changed it, and postconf -n output doesn't
> show virtual_transp
Re: [Dovecot] Question regarding Postfix and Dovecot
Here are the non-verbose mode of the logs exhibiting the problem:

///

Mar 15 06:56:37 andromeda dovecot: lda(cryptodan): Fatal: setgid(8(mail) from mail_gid setting) failed with euid=1000(cryptodan), gid=1000(cryptodan), egid=1000(cryptodan): Operation not permitted (This binary should probably be called with process group set to 8(mail) instead of 1000(cryptodan))

Mar 15 06:56:38 andromeda dovecot: lda(cryptodan): Fatal: setgid(8(mail) from mail_gid setting) failed with euid=1000(cryptodan), gid=1000(cryptodan), egid=1000(cryptodan): Operation not permitted (This binary should probably be called with process group set to 8(mail) instead of 1000(cryptodan))

Mar 15 06:56:38 andromeda postfix/local[5433]: E6DD110007E: to=<crypto...@cryptodan.net>, relay=local, delay=0.11, delays=0.07/0/0/0.04, dsn=4.3.0, status=deferred (temporary failure)

Mar 15 06:56:38 andromeda dovecot: lda(cryptodan): Fatal: setgid(8(mail) from mail_gid setting) failed with euid=1000(cryptodan), gid=1000(cryptodan), egid=1000(cryptodan): Operation not permitted (This binary should probably be called with process group set to 8(mail) instead of 1000(cryptodan))

Mar 15 06:56:38 andromeda postfix/local[5439]: 20BB2100076: to=<crypto...@cryptodan.net>, relay=local, delay=879, delays=879/0.01/0/0.03, dsn=4.3.0, status=deferred (temporary failure)

Mar 15 06:59:56 andromeda postfix/anvil[5420]: statistics: max connection rate 1/60s for (smtp:209.85.212.41) at Mar 15 10:56:35

Mar 15 06:59:56 andromeda postfix/anvil[5420]: statistics: max connection count 1 for (smtp:209.85.212.41) at Mar 15 10:56:35

Mar 15 06:59:56 andromeda postfix/anvil[5420]: statistics: max cache size 1 at Mar 15 10:56:35

///

I did not remove anything, just separated the log entries to make them more readable.

dovecot unix -n n - - pipe flags=DRhu user=vmail:mail argv=/usr/lib/dovecot/dovecot-lda -d $(recipient)

On Fri, Mar 15, 2013 at 10:58 AM, Charles Marcus wrote:

> On 2013-03-14 6:41 PM, Daniel Reinhardt wrote:
>
>> Here is the output of the postconf -n. I apologize for the postconf -d, as
>> I was not aware of the difference.
>
> No problem... but you forgot the other most important thing...
>
> NON-VERBOSE postfix logs exhibiting the problem...
>
> --
>
> Best regards,
>
> Charles

--
Daniel Reinhardt
crypto...@cryptodan.net
http://www.cryptodan.net
301-875-7018(c)
410-455-0488(h)
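Added example (not part of the thread, and not Postfix or Dovecot code): a small Python check that reads `postconf -n` values and log lines like the ones posted above, and reports when a recipient was handled by the `local` delivery agent because its domain is listed in `mydestination` (the domains Postfix delivers through `local_transport`, whereas `virtual_transport` applies to `virtual_mailbox_domains`), and when dovecot-lda was started without the privileges it needs for `setgid`. The sample input is constructed from values quoted in this thread; the function names are hypothetical.

```python
import re

# Constructed sample input, abridged from the postconf -n output and the
# log lines quoted in this thread (the local part of the address is elided
# in the archive and is kept that way here).
POSTCONF_N = """\
mydestination = localhost, cryptodan.net, mail.cryptodan.net, mail.pandorah.net, pandorah.net, andromeda.milkyway
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_transport = dovecot
"""

LOG = """\
Mar 15 06:56:38 andromeda dovecot: lda(cryptodan): Fatal: setgid(8(mail) from mail_gid setting) failed with euid=1000(cryptodan), gid=1000(cryptodan), egid=1000(cryptodan): Operation not permitted
Mar 15 06:56:38 andromeda postfix/local[5433]: E6DD110007E: to=<crypto...@cryptodan.net>, relay=local, delay=0.11, delays=0.07/0/0/0.04, dsn=4.3.0, status=deferred (temporary failure)
"""

# A Postfix delivery record: which agent ran, for which recipient, via which relay.
DELIVERY_RE = re.compile(
    r"postfix/(?P<agent>[\w-]+)\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>,"
    r".*?relay=(?P<relay>[^,]+),.*?status=(?P<status>\w+)"
)

# The dovecot-lda fatal error: the gid it wanted and the ids it actually ran with.
LDA_FATAL_RE = re.compile(
    r"dovecot: lda\((?P<user>[^)]*)\): Fatal: setgid\((?P<want_gid>\d+)\([^)]*\)"
    r".*?euid=(?P<euid>\d+)\([^)]*\), gid=(?P<gid>\d+)"
)


def parse_postconf(text):
    """Parse 'name = value' lines as printed by postconf -n."""
    params = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def list_values(value):
    """Split a Postfix list value on commas and whitespace."""
    return [v for v in re.split(r"[,\s]+", value) if v]


def diagnose(postconf_text, log_text):
    """Return a sorted list of (finding, detail) tuples."""
    params = parse_postconf(postconf_text)
    local_domains = {d.lower() for d in list_values(params.get("mydestination", ""))}
    findings = set()
    for line in log_text.splitlines():
        d = DELIVERY_RE.search(line)
        if d:
            domain = d["rcpt"].rpartition("@")[2].strip().lower()
            # Delivered by local(8) and the domain is a mydestination domain:
            # this mail is in the local address class, not the virtual one.
            if d["agent"] == "local" and domain in local_domains:
                findings.add(("domain-in-mydestination", domain))
        f = LDA_FATAL_RE.search(line)
        # A non-root process whose gid differs from the wanted one cannot setgid to it.
        if f and f["euid"] != "0" and f["gid"] != f["want_gid"]:
            detail = f"euid={f['euid']} gid={f['gid']} wanted={f['want_gid']}"
            findings.add(("lda-cannot-setgid", detail))
    return sorted(findings)


if __name__ == "__main__":
    for finding, detail in diagnose(POSTCONF_N, LOG):
        print(f"{finding}: {detail}")
```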
Re: [Dovecot] Question regarding Postfix and Dovecot
I got the permission issues fixed, so now I am unable to retrieve email via imap or pop3 with either thunderbird, iphone, or webmail application.

Is there something I am not doing that is preventing this from working?

POP3 and IMAP logins work just fine.

On Fri, Mar 15, 2013 at 12:46 PM, Steffen Kaiser <skdove...@smail.inf.fh-brs.de> wrote:

> On Fri, 15 Mar 2013, Charles Marcus wrote:
>
>> On 2013-03-15 7:11 AM, Daniel Reinhardt wrote:
>>
>>> Here are the non-verbose mode of the logs exhibiting the problem:
>>>
>>> ///
>>> Mar 15 06:56:37 andromeda dovecot: lda(cryptodan): Fatal: setgid(8(mail)
>>> from mail_gid setting) failed with euid=1000(cryptodan),
>>> gid=1000(cryptodan), egid=1000(cryptodan): Operation not permitted (This
>>> binary should probably be called with process group set to 8(mail) instead
>>> of 1000(cryptodan))
>>
>> Ok, thanks - that should be enough for someone who knows more than me to
>> figure out what you have done wrong...
>
> Check out mail_access_groups setting or make LDA setuid.
>
> --
> Steffen Kaiser

--
Daniel Reinhardt
crypto...@cryptodan.net
http://www.cryptodan.net
301-875-7018(c)
410-455-0488(h)
Re: [Dovecot] Question regarding Postfix and Dovecot
I really find the lack of error logging, and the virtual lack of documentation for Dovecot very disturbing. I am so close to dropping this side project of being able to support multiple domains on a mail server.

It is in my utmost respectful opinion to have multiple files to edit just to get this working in basic mode. Why can't dovecot combine all configuration parameters into one config like that of postfix main.cf for server config, and the master.cf for sockets and listeners? If there are multiple files to be edited then the error logging should mention what file contains the log, and where so you can easily locate the issue.

I find this software to be very lackluster and very difficult to use. Dovecot has given me nothing but headache and grief, and as far as I am concerned not a finished product.

On Sun, Mar 17, 2013 at 12:29 AM, Noel Butler wrote:

> On Sat, 2013-03-16 at 15:33 +0100, mourik jan heupink wrote:
>
>> destination_recipient_limit
>
> Not sure what happened there but evolution did not like all the chars in
> your post when invoking reply... probably time to update this darn
> thing, its the last ubuntu POS that hasn't been updated to opensuse yet.
>
> " Ah interesting..! Is that perhaps why
> dovecot_destination_recipient_limit=1 was needed, here..? "
>
> No, it was to reduce the possibility of some other little quirks rearing
> their nasty heads IIRC.

--
Daniel Reinhardt
crypto...@cryptodan.net
http://www.cryptodan.net
301-875-7018(c)
410-455-0488(h)
Re: [Dovecot] Question regarding Postfix and Dovecot
Timo,

First thank you for taking the time to reply to this, but I tried using various LDA Command line suggestions from various places on the net, and Postfix is not even seeing that dovecot is listed in the master.cf file as a unix socket. I have tried using LMTP and again it is not seeing that postfix is configured to use dovecot-lmtp as a mail delivery agent for postfix.

The way postfix works with dovecot is via mail-stack-delivery and use of mailbox_command that is set up within main.cf. If I comment that out postfix sends to default mode which is Maildir in the users /home directory.

I have configured SQL Lookups successfully for authentication within postfix and dovecot, it's just the mail delivery agent that is not working. I even tried the sudo method, and that also failed.

Don't get me wrong Dovecot is a nice piece of software, but maybe getting rid of the multiple files could make things easier, and a couple of sample configs could then be included in the source.

And I am here trying to learn something new that I could put to use in a future job if I were ever told to setup an email server to replace an exchange system to handle multiple domains for various people.

So thanks for allowing me to learn another process of setting up a server with email.

Sincerely,
Daniel Reinhardt

On Sun, Mar 17, 2013 at 8:50 PM, Timo Sirainen wrote:

> On 17.3.2013, at 18.11, Daniel wrote:
>
>> First of all the wiki articles on dovecots site are poorly written
>> compared to apache and postfix.
>
> It's the best I can do myself. I have no idea how they could be improved
> in any major way. They say that the software developer himself is the worst
> possible person to write its documentation, because he can't understand
> what others find difficult..
>
>> That is what I mean by lack luster the error logging is lack luster as
>> it doesn't specify the file or the line error is on like many very well
>> supported applications like apache and postfix and that makes dovecot not
>> very user friendly.
>
> If there is a syntax error, Dovecot shows the file and line number. After
> that it should always mention the setting name that is causing trouble,
> which I'd think should be easy to grep from the configs.. I guess it could
> be useful to show the file+line for it, but that's quite a lot of code to
> add just to avoid a grep. It's also a bit tricky to do without wasting more
> memory (wasting memory in config / doveconf process is fine, but not
> elsewhere, and some settings won't get processed until later).
>
>> I owe no one an apology for stating my opinion and I have over 10 years
>> of using open source software and dovecot is the application that I have
>> used that given me such headache and grief to the point I have given up on
>> this learning experience.
>
> Quickly browsing through this thread, I guess this is the main problem? :
>
> Mar 15 06:56:37 andromeda dovecot: lda(cryptodan): Fatal: setgid(8(mail)
> from mail_gid setting) failed with euid=1000(cryptodan),
> gid=1000(cryptodan), egid=1000(cryptodan): Operation not permitted (This
> binary should probably be called with process group set to 8(mail) instead
> of 1000(cryptodan))
>
> Yes, this is something I've been annoyed at for a long time. But it's also
> not easy to make that error any better, except maybe by creating a wiki
> page explaining the whole thing and linking to it. (There are a ton of
> mails about this exact thing in Dovecot list archives.) There's also no
> setting that is specifically related to this (the problem is a mismatch
> between Dovecot/Postfix configuration). There is a super easy solution
> though: use LMTP instead of LDA, and there are no permission troubles.
> Maybe that's what the LDA wiki page should say.. Done:
> http://wiki2.dovecot.org/LDA

--
Daniel Reinhardt
crypto...@cryptodan.net
http://www.cryptodan.net
301-875-7018(c)
410-455-0488(h)
Re: [Dovecot] Disk Encryption
If you are concerned about data being left on a hard drive when it fails and you are returning it to vendor, then I would consider hard drive degaussers. They are effective, but are very costly.

On Wed, Mar 27, 2013 at 12:36 AM, Xin Li wrote:

> On 3/25/13 6:24 AM, Simon Brereton wrote:
>> On 25 March 2013 12:30, Robert Schetterer wrote:
>>> On 25.03.2013 11:03, Simon Brereton wrote:
>>>> Hi
>>>>
>>>> As I understand it email headers need to be unencrypted
>>>> (otherwise DKIM doesn't work). From the MUA to either Postfix,
>>>> or Dovecot the connection is (or can/should be) secured with
>>>> TLS/SSL.
>>>>
>>>> What I would like to know is if it is possible to encrypt the
>>>> mailstore? Postfix is using Dovecot for delivery so it's only
>>>> Dovecot that would need to encrypt/decrypt the mailstore.
>>>>
>>>> Is this possible? Is there a terrible reason to do it even if
>>>> it is possible?
>>>>
>>>> I realise that from MTA to MTA there's no guarantee of
>>>> encryption (and in fact it's very unlikely unless keys have
>>>> been exchanged), but my primary goal is supplement the physical
>>>> security of the mail store of mails we already have or have
>>>> sent.
>>>>
>>>> Mostly just idle curiosity as to what has been done, or what
>>>> could be done. What is worth doing is a separate thread
>>>> entirely.
>>>>
>>>> Thanks.
>>>>
>>>> Simon
>>>
>>> my meaning
>>>
>>> crypted mailstore makes sense in a mail archive, in Germany you
>>> have to have a mail archive for some kind of company emails all
>>> these solutions have some crypted mailstore, and some more
>>> features for data security, but that's a big theme, too big for
>>> here
>>>
>>> crypt storage isn't "the saveness" per default, someone hacking
>>> the system and get root may hack your crypt storage too etc, also
>>> too big theme for here
>>
>> Robert, indeed, this is sort of my point. If we encrypt laptop
>> harddrives to prevent unauthorised access, that doesn't prevent
>> the possibility of someone who already has admin access to the
>> device from decrypting/viewing/moving files. What it does do is
>> prevent unauthorised access to the data if there is no admin
>> access.
>>
>> Currently my mail store isn't encrypted and I would like to know if
>> it is possible to do that, and if so, maybe get some pointers.
>
> Let's say you operate a mail server which uses a RAID array (or ZFS
> pool) as backend storage and one day one disk goes bad and needs to
> be replaced. You don't want information being leaked from that bad disk
> when returning to vendor for replacement.
>
> There are a lot of solutions to this issue. One possible way is to
> use FreeBSD's full disk encryption, geli(4), to encrypt all hard
> drives and have the email server hold the key on its boot partition,
> but don't protect it with a password so that the mail server can boot
> without any human intervention.
>
> Encrypting individual user's mail store makes little sense as one can
> still get your decryption key if they got root privilege, usually by
> tracing the login process or just replace it with something that can
> do the login but also save login credentials. In short, if root has
> been compromised, it's game over already.
>
> Cheers,

--
Daniel Reinhardt
crypto...@cryptodan.net
http://www.cryptodan.net
301-875-7018(c)
410-455-0488(h)
Re: [Dovecot] Probs authenticating to Dovecot
What was the output of the telnet localhost 110?

Did it present any error messages?

On Tue, Apr 16, 2013 at 3:43 AM, Kris Magnusson wrote:

> Thanks much. I prefer Debian for server work anyway.
>
> Best, Kris
>
> On Apr 16, 2013, at 12:29 AM, Noel Butler wrote:
>
>> On Mon, 2013-04-15 at 23:38 -0700, Kris Magnusson wrote:
>>
>>> I will blow this VM away and start from scratch. Unless anyone has any
>>> concrete suggestions I can implement before then that I can use to salvage
>>> a day's worth of work.
>>
>> If it comes down to it, I just asked on IRC for you if anyone knows a
>> good howto for ubuntu, someone replied to look for the ISP setup guide
>> by Chris Haas, said it was for debian so should work.

--
Daniel Reinhardt
crypto...@cryptodan.net
http://www.cryptodan.net
301-875-7018(c)
410-455-0488(h)
Re: [Dovecot] Probs authenticating to Dovecot
It would appear that port 110 is not opened on your firewall, and is that IP address one that is assigned to your External WAN interface on your Comcast connection? The VM should have a Privately assigned IP address as given by the VM Software.

On Tue, Apr 16, 2013 at 4:12 AM, Kris Magnusson wrote:

> root@mail:/etc/dovecot# telnet mail 110
> Trying 50.196.172.zzz...
> telnet: Unable to connect to remote host: Connection timed out
>
> On Apr 16, 2013, at 1:10 AM, Daniel Reinhardt wrote:
>
>> What was the output of the telnet localhost 110?
>>
>> Did it present any error messages?
>>
>> On Tue, Apr 16, 2013 at 3:43 AM, Kris Magnusson wrote:
>>
>>> Thanks much. I prefer Debian for server work anyway.
>>>
>>> Best, Kris
>>>
>>> On Apr 16, 2013, at 12:29 AM, Noel Butler wrote:
>>>
>>>> On Mon, 2013-04-15 at 23:38 -0700, Kris Magnusson wrote:
>>>>
>>>>> I will blow this VM away and start from scratch. Unless anyone has any
>>>>> concrete suggestions I can implement before then that I can use to
>>>>> salvage a day's worth of work.
>>>>
>>>> If it comes down to it, I just asked on IRC for you if anyone knows a
>>>> good howto for ubuntu, someone replied to look for the ISP setup guide
>>>> by Chris Haas, said it was for debian so should work.
>>
>> --
>> Daniel Reinhardt
>> crypto...@cryptodan.net
>> http://www.cryptodan.net
>> 301-875-7018(c)
>> 410-455-0488(h)

--
Daniel Reinhardt
crypto...@cryptodan.net
http://www.cryptodan.net
301-875-7018(c)
410-455-0488(h)
Re: [Dovecot] Multiple Logins on same accounts from different stations, RE-POSTING
In all honesty with this setup, I would recommend that you setup a sales@domain alias account and put these 4 accounts within that alias. Each user would then get a single copy of the message, and would prevent accidental deletion by another user.

It is never wise to allow multiple people to login to one account from multiple locations. One user can move data to another folder and another user may not like that other persons method of organization.

On Fri, Apr 19, 2013 at 1:39 AM, HL wrote:

> On 18/04/2013 10:21 PM, Timo Sirainen wrote:
>
>> On 18.4.2013, at 20.08, HL wrote:
>>
>>> I've recently upgraded to 2.1.16 and found my self in deep
>>>
>>> There are 4 accounts in my setup that need to be accessed simultaneously
>>> by 5-6 PCs on a local lan.
>>>
>>> The thing is if a user A updates, deletes, flags mail messages in the
>>> imap folders the changes don't get propagated to the other
>>> mail clients.
>>>
>>> To state this clearly,
>>> PC (A) thunderbird has an account SALES, Maildir etc
>>> PC (B) thunderbird also has the SALES account.
>>>
>>> Changes from PC (A) and vice-versa like marks,deletes, or moves mails
>>> around will randomly get propagated to PC (B)
>>> Sometimes they do sometimes they don't.
>>> This never occured with previous version 1.2.xx
>>
>> Do you mean that the 4 people are using 1 shared account, or do you mean
>> 4 different user accounts are accessing a shared folder (via shared/public
>> namespace)?
>
> Yes 4 people are using all 4 shared accounts. ( No Shared or Public
> Namespaces for them )
> They all login from their client to these 4 accounts, with 4 distinct
> userNames and passwords.
> They prefer it this way.

--
Daniel Reinhardt
crypto...@cryptodan.net
http://www.cryptodan.net
301-875-7018(c)
410-455-0488(h)
Re: [Dovecot] pop3 and imap don't run
Or even a better command:

netstat | grep pop3
netstat | grep imap

Will tell you if the ports are in listening status.

On Thu, Jun 20, 2013 at 3:51 AM, Steffen Kaiser <skdove...@smail.inf.fh-brs.de> wrote:

> On Thu, 20 Jun 2013, Mohsen Pahlevanzadeh wrote:
>
>> I run dovecot and when i use
>> 'ps ax |egrep dovecot' command , i get the following result:
>
> what about ps ax|grep imap ?
>
> what about lsof -i :143 or netstat -an | grep 143 ?
>
> --
> Steffen Kaiser

--
Daniel Reinhardt
crypto...@cryptodan.net
http://www.cryptodan.net
301-875-7018(c)
410-455-0488(h)
Re: [Dovecot] Would attempting plaintext auth repeatably cause a DOS and server to crash?
I doubt that the 1161 log lines would cause the VM to crash. It would potentially cause the logging directory to fill up if you have a small /var partition where the logs are kept and at that point it could potentially freeze the VM, but not cause the host to crash. I think your issue revolves around the storms.

I also do not consider 1161 log lines a DoS. If it takes 1161 lines of failure entries to deny service to your server, then I would take a look at your setup.

On Fri, Jun 21, 2013 at 3:37 AM, Steffen Kaiser <skdove...@smail.inf.fh-brs.de> wrote:

> On Fri, 21 Jun 2013, Hugh Davenport wrote:
>
>> and a minute later the server lost contact to the world. When I checked a
>> bit later, the underlying host machine (dovecot runs on a VM (KVM)) had
>> been powered off.
>
> I cannot believe that a DoS of a guest VM causes the host machine to power
> off.
>
> --
> Steffen Kaiser

--
Daniel Reinhardt
crypto...@cryptodan.net
http://www.cryptodan.net
301-875-7018(c)
410-455-0488(h)
Re: [Dovecot] reload without shutting imap connections down
Hajo,

From the looks and sounds of things your Dovecot installation and configuration is crashing without creating a dump. What happens prior to the aforementioned log entries?

Thanks,
Dan

On Tue, Jul 16, 2013 at 11:44 AM, Hajo Locke wrote:

> Hello,
>
> we have some problems with users who report connection problems to dovecot
> sometimes. According to the logs there are dovecot reloads at this times.
> Seems that a reload also causes dovecot to shut all imap connections down:
>
> Jul 16 13:31:40 myhostname dovecot: master: Warning: SIGHUP received - reloading configuration
> Jul 16 13:31:40 myhostname dovecot: imap: Server shutting down. bytes=251/675
>
> I tried to reload by initscript or sending -HUP manually to pid, dovecot
> is shutting down imap connections and i think this is the reason for users
> to report this problems with some clients.
> This seems to be new with versions 2.x, i have some old 1.2.x dovecots
> running and can't find "Server shutting down" in their logs after reload.
>
> I have still potential to reduce reloads, but can't avoid them completely.
> Is there a workaround?
>
> Thanks,
> Hajo

--
Daniel Reinhardt
crypto...@cryptodan.net
http://www.cryptodan.net
301-875-7018(c)
410-455-0488(h)
Re: [Dovecot] SSL with startssl.com certificates
Are you getting asked to add an exception in the email application's certificate dialogue box?

This is an example with Thunderbird.

http://jwrr.com/content/Hostgator-Thunderbird-Email-Configuration/images/thunderbird-mail-account-add-security-exception.jpg

Dan

On Sat, Sep 14, 2013 at 7:21 PM, Dan Langille wrote:

> On Sep 13, 2013, at 9:55 PM, Noel Butler wrote:
>
> > On Fri, 2013-09-13 at 10:18 -0400, Dan Langille wrote:
> >
> >> Perhaps I am doing the chain incorrectly. I just tried again. The server is now set up with the following:
> >>
> >> I have three certs in this chain file:
> >>
> >> cat imaps.unixathome.org.pem sub.class1.server.ca.pem ca.pem > testing.chain.pem
> >>
> >> 1 - the certificate issued by startssl for my server
> >> 2 & 3 - the PEM files for StartSSL as found at http://www.startssl.com/certs/
> >
> > That is the correct chain method, and order
> >
> >> $ openssl s_client -connect imaps.unixathome.org:993 -quiet
> >> depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
> >> verify error:num=19:self signed certificate in certificate chain
> >
> > Never panic about the above, it is just indicating (rightly so) you have a local certificate (the first) in your chain.
> >
> >> ssl_cert =
> >> ssl_key =
> >
> > correct method, so long as the cert and key files are named correctly and in the right location.
> >
> >> ssl = required
> >
> > Bit dangerous... and may be the cause of your problems, change to :
> > ssl = yes
> >
> > We use startssl and have many android, blackberry, and iphone users (maybe even win phone Lusers too ;) who knows) amongst desktop/laptop types and never had any problems with them using startssl
>
> Hmmm, I tried ssl = yes. Mail.app still crashes when trying to connect.
>
> I also try the cert bundle mentioned by Johan.
>
> The server says:
>
> Sep 14 19:19:22 imaps dovecot: imap-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [173.49.195.214]
> Sep 14 19:19:22 imaps dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=173.49.195.214, lip=199.233.228.197, TLS handshaking: Disconnected, session=<8+862VzmPwCtMcPW>
>
> What is this… read client certificate? There is no client certification in this config.
>
> : doveconf -n
> # 2.2.5: /usr/local/etc/dovecot/dovecot.conf
> # OS: FreeBSD 9.1-RELEASE-p6 amd64
> auth_debug = yes
> auth_verbose = yes
> first_valid_gid = 1001
> first_valid_uid = 1001
> mail_debug = yes
> mail_location = maildir:~/Maildir
> mail_privileged_group = mail
> passdb {
>   args = scheme=BLF-CRYPT /var/db/dovecot.users
>   driver = passwd-file
> }
> protocols = imap
> service imap-login {
>   inet_listener imap {
>     port = 0
>   }
>   inet_listener imaps {
>     address = 199.233.228.197
>   }
> }
> ssl_cert =
> ssl_key =
> userdb {
>   args = /var/db/dovecot.users
>   driver = passwd-file
> }
> verbose_proctitle = yes
> verbose_ssl = yes
> protocol imap {
>   imap_client_workarounds = delay-newmail tb-extra-mailbox-sep
> }
>
> --
> Dan Langille - http://langille.org

--
Daniel Reinhardt
crypto...@cryptodan.net
http://www.cryptodan.net
301-875-7018(c)
410-455-0488(h)
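The `where=0x2002` mask and the state string in the server log lines quoted above can be decoded with the info-callback constants from OpenSSL's `<openssl/ssl.h>`. This is an added example, not part of any poster's message; the function names are hypothetical and the regular expression assumes the log layout quoted in the thread.

```python
import re

# Bit values of OpenSSL's info-callback "where" mask (<openssl/ssl.h>).
WHERE_BITS = [
    (0x0001, "SSL_CB_LOOP"),
    (0x0002, "SSL_CB_EXIT"),
    (0x0004, "SSL_CB_READ"),
    (0x0008, "SSL_CB_WRITE"),
    (0x0010, "SSL_CB_HANDSHAKE_START"),
    (0x0020, "SSL_CB_HANDSHAKE_DONE"),
    (0x1000, "SSL_ST_CONNECT"),  # local end acts as TLS client
    (0x2000, "SSL_ST_ACCEPT"),   # local end acts as TLS server
    (0x4000, "SSL_CB_ALERT"),
]
KNOWN = sum(bit for bit, _ in WHERE_BITS)

# Assumption: line layout as in the two log lines quoted in the thread.
SSL_FAILED = re.compile(
    r"imap-login: Warning: SSL failed: where=(?P<where>0x[0-9a-fA-F]+): "
    r"(?P<state>.+?) \[(?P<rip>[^\]]+)\]"
)

# The two server log lines from the message above, rejoined.
SAMPLE = [
    "Sep 14 19:19:22 imaps dovecot: imap-login: Warning: SSL failed: "
    "where=0x2002: SSLv3 read client certificate A [173.49.195.214]",
    "Sep 14 19:19:22 imaps dovecot: imap-login: Disconnected (no auth "
    "attempts in 0 secs): user=<>, rip=173.49.195.214, lip=199.233.228.197, "
    "TLS handshaking: Disconnected, session=<8+862VzmPwCtMcPW>",
]

def decode_where(where):
    """Name every known bit set in the mask; report leftover bits as hex."""
    names = [name for bit, name in WHERE_BITS if where & bit]
    if where & ~KNOWN:
        names.append(hex(where & ~KNOWN))
    return names

def parse_ssl_failures(lines):
    """Return one dict per 'SSL failed' line: peer, handshake state, flags."""
    failures = []
    for line in lines:
        m = SSL_FAILED.search(line)
        if m:
            failures.append({"rip": m["rip"], "state": m["state"],
                             "flags": decode_where(int(m["where"], 16))})
    return failures
```

`0x2002` decodes to `SSL_CB_EXIT` plus `SSL_ST_ACCEPT`: the server-side handshake call returned while the state machine was in the state named in the log. In OpenSSL releases of that era the server enters "read client certificate A" to read the client's next handshake flight whether or not a client certificate was requested.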
Re: [Dovecot] Dovecot MTA
Easy configuration of virtual users and a default location setup to handle virtual users.

On Fri, Nov 8, 2013 at 1:25 PM, Aleksey Tsvetkov wrote:

> Hi!
> It is possible to look towards Exim. To take as a basis ACL system.
>
> On Fri, 8 Nov 2013 14:07:12 +0100
> Timo Sirainen writes:
>
> > Hi all,
> >
> > I've never really wanted to create my own MTA, because I like Postfix quite a lot. And I always thought it would require a horribly lot of time to be able to create something that was anywhere even close to having Postfix's features. (I would shudder to even think about recreating Dovecot from scratch nowadays.) But slowly over time I've also been thinking of ways how things could be done a bit better, and I think I have enough ideas to start thinking about Dovecot MTA more seriously in a few more months (after my current busy schedule calms down a bit). And (unlike Dovecot!) I'm not planning on taking over the world with the MTA (or at least not very quickly), but it would definitely be useful for many installations I know of.
> >
> > My main design goals for the MTA are:
> >
> > * In normal load don't queue mails, just continue delivering the mail through different processes/services until it succeeds or fails, and only after that return ok/failure to the SMTP client. So there's no (forced) post-queue filtering, everything would normally happen pre-queue. This is required because in Germany (and EU in general?) you aren't allowed to just drop spams after SMTP server has responded OK to the client, even if you’re 100% sure it’s a spam. So this would also mean that the SMTP DATA replies will come more slowly, which means that the SMTP server must be able to handle a lot more concurrent SMTP connections, which means that in large installations the smtpd process must be able to asynchronously handle multiple SMTP client connections.
> >
> > * In some cases you can't really avoid placing mails into a queue. This could be because of temporary failures or maybe because of an abnormal load spike. A mail queue in local disk isn't very nice though, because if the local disk dies, the queued mails are lost. Dovecot MTA will allow the queue to be in object storage and it will also likely support replication (similar to current dsync replication). In both of these cases if a server dies, another server can quickly take over its queue and continue handling it.
> >
> > * Dovecot MTA is a new product, which means we can add some requirements to how it's being used, especially related to securely sending emails between servers. It could do a bunch of checks at startup and fail to even start if everything isn't correct. Here are some things I had in mind - not sure if all of these are good ideas or not:
> >
> > - Require DKIM configuration. All outgoing mails will be DKIM signed.
> > - Require the domain’s DNS to contain _submission._tcp SRV record (and actually might as well require _imap._tcp too)
> > - Require SSL certificates to be configured and always allow remote to use STARTTLS
> > - Require DANE TLSA record to exist and match the server's configured SSL cert
> > - Have very good (and strict?) DNSSEC support. If we know a remote server is supposed to have valid DNSSEC entries, but doesn't, fail to deliver mail entirely?
> > - Add a new DNS record that advertises this is a Dovecot MTA (or compatible). If such entry is found (especially when correctness is guaranteed by DNSSEC), the email sender can assume that certain features exist and work correctly. If they don't, it could indicate an attack and the mail sending should be retried later. This DNS record would of course be good to try to standardize.
> >
> > * Configuration: It would take years to implement all of the settings that Postfix has, but I think it's not going to be necessary. In fact I think the number of new settings to dovecot.conf that Dovecot MTA requires would be very minimal. Instead nearly all of the configuration could be done using Sieve scripts. We'd need to implement some new MTA-specific Sieve extensions and a few core features/configurations/databases that the scripts can use, but after that there wouldn't be really any limits to what could be done with them.
> >
> > * Try to implement as many existing interfaces as possible (e.g. Milter and various Postfix APIs like policy servers) so that it wouldn’t be necessary to reimplement all the tools and filters.
> >
> > So perhaps something like this could be done in time for Dovecot v2.4. Any thoughts/ideas/suggestions?
>
> --
> Best regards,
> Aleksey Tsvetkov
> System Administrator
> Company Grand Vision
> tel. +7(495)933-39-79, ext. 184

--
Daniel Reinhardt
crypto...@cryptodan.net
http://www.cryptodan.net
301-875-7018(c)
410-455-0488(h)