Accessing SSL parameters via dovecot variables

2023-07-21 Thread Graham Leggett via dovecot
Hi all,

Dovecot supports variables, which can be used in filters.

Does the SSL code expose variables linked to the client certificate?

The answer today appears to be no, and if that’s true I plan to patch it, but 
just need to confirm I am not missing something.

Regards,
Graham
—

___
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org


Dovecot pigeon/sieve and SELinux

2023-07-21 Thread Graham Leggett via dovecot
Hi all,

I am in the process of migrating a dovecot installation from RHEL8 to RHEL9, 
this time round I am trying to get everything to work in selinux enforcing mode.

First error I am stuck on is as follows:

Error: sieve: file storage: Failed to stat sieve storage path: 
stat(/var/lib/dovecot/sieve/vacation.sieve) failed: Permission denied 
(euid=377(vmail) egid=376(vmail) missing +x perm: /var/lib/dovecot, we're not 
in group 97(dovecot), dir owned by 97:97 mode=0750)

It appears that the vmail user cannot access /var/lib/dovecot, because under 
RHEL9 the permissions are hidden to the world.

[root@seawitch dovecot]# ls -al /var/lib/dovecot
total 12
drwxr-x---.  3 dovecot dovecot   36 Jul 21 17:51 .

Am I correct in interpreting the error message as meaning that 
/var/lib/dovecot/sieve is not a correct directory for global sieve scripts, and 
they need to go somewhere else?

If they do need to go somewhere else, in the world of enforcing selinux, where 
do they go?

While dovecot-selinux is documented, sieve is not mentioned:

https://linux.die.net/man/8/dovecot_selinux

So, let’s work around the above error by adding the vmail user to the dovecot 
group. Is this even a good idea?

/usr/sbin/usermod -a -G dovecot vmail

Now we hit the next error:

Error: sieve: file storage: Failed to stat sieve storage path: 
stat(/var/lib/dovecot/sieve/vacation.sieve) failed: Permission denied 
(euid=380(vmail) egid=378(vmail) missing +w perm: 
/var/lib/dovecot/sieve/vacation.sieve 
stat(/var/lib/dovecot/sieve/vacation.sieve) failed: Permission denied, dir 
owned by 0:0 mode=0755)

This error is weird. Dovecot is trying to open the original vacation.sieve 
source file for write - why?

We have pre-compiled all the global sieve scripts:

[root@marcopolo ~]# ls -al /var/lib/dovecot/sieve/
total 36
drwxr-xr-x. 5 root    root    4096 Jul 21 17:29 .
drwxr-x---. 3 dovecot dovecot   36 Jul 21 17:29 ..
-rwxr-xr-x. 1 root    root     284 Jul 21 08:47 junk.sieve
-rw-r--r--. 1 root    root     277 Jul 21 17:29 junk.svbin
-rwxr-xr-x. 1 root    root     316 Jul 21 08:47 report-ham.sieve
-rw-r--r--. 1 root    root     476 Jul 21 17:29 report-ham.svbin
-rwxr-xr-x. 1 root    root     201 Jul 21 08:47 report-spam.sieve
-rw-r--r--. 1 root    root     382 Jul 21 17:29 report-spam.svbin
drwxr-xr-x. 2 root    root       6 Jul 21 08:47 sieve-execute
drwxr-xr-x. 2 root    root       6 Jul 21 08:47 sieve-filter
drwxr-xr-x. 2 root    root       6 Jul 21 08:47 sieve-pipe
-rwxr-xr-x. 1 root    root     309 Jul 21 08:47 vacation.sieve
-rw-r--r--. 1 root    root     558 Jul 21 17:29 vacation.svbin

Is the error perhaps inaccurate, and it’s trying to open a temp file for write, 
failing (correctly, it has no business opening a temp file for write at this 
point), and then claiming the failure on the temp file is a failure on the 
source file?

So to sum up:

- In an SELinux world of Redhat, what directory do global sieve scripts go?
- What permissions and selinux context are required on the global sieve scripts 
directory?

Regards,
Graham
—



SASL External and LDAP - Login attempt with empty password

2023-07-25 Thread Graham Leggett via dovecot
Hi all,

I am trying to configure dovecot to accept SASL EXTERNAL authentication with a 
client certificate and no password.

I have tried the following configuration:

passdb {
  driver = ldap

  # Path for LDAP configuration file, see example-config/dovecot-ldap.conf.ext
  args = /etc/dovecot/dovecot-ldap-external.conf.ext

  mechanisms = external

  default_fields = noauthenticate=y
}

In the logs I see dovecot correctly negotiate SASL EXTERNAL, but eventually we 
reach this line and we fail:

https://github.com/dovecot/core/blob/34a18f5a79bf7eca58e55aff3e1fe69468292d0f/src/auth/passdb-ldap.c#L184

Which is in turn reached by following this code:

https://github.com/dovecot/core/blob/34a18f5a79bf7eca58e55aff3e1fe69468292d0f/src/auth/passdb-ldap.c#L275

In theory, if I understand this correctly, what is missing is a field to say 
“don’t try check any password”, which field is this supposed to be? 
“nopassword”? “noauthenticate”?

I am happy to patch this, but need some guidance as what the correct approach 
is.

Regards,
Graham
—



Filtering by SASL auth mechanism

2023-07-26 Thread Graham Leggett via dovecot
Hi all,

I want dovecot to behave differently depending on what SASL mechanism was used. 
Most specifically, if EXTERNAL, I want auth_ssl_username_from_cert to be yes, 
but no otherwise.

There is a filtering mechanism that supports protocol, remote, etc.

https://doc.dovecot.org/configuration_manual/config_file/

Would it make sense to add a SASL mechanism filter like this:

mechanism external {
  # …
}

Regards,
Graham
—



Re: Accessing SSL parameters via dovecot variables

2023-07-26 Thread Graham Leggett via dovecot
On 24 Jul 2023, at 17:04, Michael Peddemors  wrote:

> On 2023-07-21 06:42, Graham Leggett via dovecot wrote:
>> Hi all,
>> Dovecot supports variables, which can be used in filters.
>> Does the SSL code expose variables linked to the client certificate?
>> The answer today appears to be no, and if that’s true I plan to patch it, 
>> but just need to confirm I am not missing something.
> 
> A little more insight into what you are looking for might help.
> Dovecot does expose a method, we use it for our 'Fingerprinting' system..

We identify devices by the explicit certificate they present with, rather than 
the contents of the certificate they present with.

The following PR adds the ability to use the certificate itself as a username:

https://github.com/dovecot/core/pull/202

The format of the username is CertificateExactAssertion as defined in RFC4523 
appendix A.1.

This matches the SSL_CLIENT_CERT_RFC4523_CEA variable exposed by Apache httpd.

Regards,
Graham
—



Dovecot shared folders - examples of the "doveadm acl" command?

2023-07-30 Thread Graham Leggett via dovecot
Hi all,

The old wiki has been taken down, and all the links I can find through google 
are now broken.

Does anyone have a concrete example of “doveadm acl” to grant someone access to 
a shared folder?

Regards,
Graham
—



Re: Dovecot shared folders - examples of the "doveadm acl" command?

2023-08-05 Thread Graham Leggett via dovecot
On 30 Jul 2023, at 16:47, Benny Pedersen  wrote:

>> Does anyone have a concrete example of “doveadm acl” to grant someone
>> access to a shared folder?
> 
> https://doc.dovecot.org/search/?q=acl

Unfortunately the search query above doesn’t return any examples of the doveadm 
acl command.

For the record, you can do this:

doveadm acl add -u sha...@example.com INBOX user=j...@example.com create delete 
expunge insert lookup read write write-deleted write-seen
doveadm acl add -u sha...@example.com INBOX user=j...@example.com create delete 
expunge insert lookup read write write-deleted write-seen

Regards,
Graham
—



doveadm fts lookup: Is "search query" documented anywhere?

2023-08-05 Thread Graham Leggett via dovecot
Hi all,

According to the --help option for doveadm fts, there is a “lookup” option as 
follows:

[root@aurora ~]# doveadm fts --help
usage: doveadm [-Dv] [-f ] fts  []
  expand   [-u |-A] [-S ] 
  lookup   [-u |-A] [-S ] 
  optimize [-u |-A] [-S ] []
  rescan   [-u |-A] [-S ] []
  tokenize [-u |-A] [-S ] 

The option does not appear to be documented anywhere (eg 
https://doc.dovecot.org/3.0/man/doveadm-fts.1/), and “search query” doesn’t 
appear to be defined.

Guessing that it might be just plain text, I tried searching for a known word, 
but this failed as follows:

[root@aurora ~]# doveadm fts lookup -u t...@example.com sweet
Fatal: Unknown argument SWEET

Anyone know?

Regards,
Graham
—



Re: doveadm fts lookup: Is "search query" documented anywhere?

2023-08-07 Thread Graham Leggett via dovecot
On 05 Aug 2023, at 14:18, Aki Tuomi  wrote:

> Did you look at https://doc.dovecot.org/3.0/man/doveadm-search-query.7/ 
> 
I did not - the page https://doc.dovecot.org/3.0/man/doveadm-fts.1/ has no link 
to the above, and https://doc.dovecot.org/3.0/man/doveadm-search-query.7/ has 
no link back to https://doc.dovecot.org/3.0/man/doveadm-fts.1/, and so google 
doesn't link these pages.

Can you update the man pages to include the links in the “see also” section?

Regards,
Graham
—

