[Dovecot] LMTP Proxy fails when backend server connection refused

Version: 2.1.9

Connecting directly to the proxy server on the LMTP port, issue lhlo, mail from, rcpt to, data. After the . closing of data, it just hangs there. The logs on the proxy server show:

    Sep 27 19:55:12 proxy1 dovecot: lmtp(9398): Connect from 69.8.2.71
    Sep 27 19:55:24 proxy1 dovecot: lmtp(9398): Error: lmtp client: connect(lmtp, 7025) failed: Connection refused

    root 9398 1102 0 19:53 ? 00:00:00 dovecot/lmtp

The proxy server is hard coded (not director in this case). I purposefully shut it down to see how the system would handle failures. Unfortunately, it appears that the process just hangs there. For fun, I tried a separate protocol lmtp option in the config to try proxy_timeout. It made no difference. Missing some error handling?

    protocol lmtp {
      passdb {
        driver = static
        args = proxy=y host=%s nopassword=y proxy_timeout=120
      }
    }

Jack

Re: [Dovecot] LMTP Proxy fails when backend server connection refused

On 9/27/2012 3:30 PM, Jack Bates wrote:
> Version: 2.1.9
>
> Connecting directly to the proxy server on the LMTP port, issue lhlo, mail from, rcpt to, data. After the . closing of data, it just hangs there. The logs on the proxy server show:

Looking at dovecot's proxy code. Calls to connect_connect_ip do not return an error when the server isn't there. This may be expected, but it is what determines failure/OK in the LMTP code. The log entry is performed by lmtp_client_wait_connect callback.

In the standard client-common-auth.c code, the error returned for a failure is

1) syslog error is reported by proxy_wait_connect() callback
2) error to client is returned by an error in proxy_input()

In the lmtp code, we issue a "250 2.1.5 OK". Right after, the lmtp_client_wait_connect() callback is called and issues the connection refused error. However, we've already approved the rcpt.

I am not sure which method we really want in the lmtp proxy. Should it be failing at the initial rcpt command or after the data command. Currently, though I haven't checked yet, we don't appear to be detecting the input failure and handling the data command correctly since we've already allowed the rcpt to proceed without a backend proxy available.

Jack

Re: [Dovecot] LMTP Proxy fails when backend server connection refused

On 9/28/2012 11:37 AM, Jack Bates wrote:
> On 9/27/2012 3:30 PM, Jack Bates wrote:
>> Version: 2.1.9
>>
>> Connecting directly to the proxy server on the LMTP port, issue lhlo, mail from, rcpt to, data. After the . closing of data, it just hangs there. The logs on the proxy server show:
>
> I am not sure which method we really want in the lmtp proxy. Should it be failing at the initial rcpt command or after the data command. Currently, though I haven't checked yet, we don't appear to be detecting the input failure and handling the data command correctly since we've already allowed the rcpt to proceed without a backend proxy available.

Further testing shows that the connection fails are normally handled after the DATA block. It works perfectly if you only fail one recipient. If all recipients are failed, the code locks up instead of telling the client that they are all failed.

Now to find out where between lmtp_client_fail() and some other part of the code, we aren't treating it right. :(

Jack

Re: [Dovecot] LMTP Proxy fails when backend server connection refused

On 9/28/2012 12:44 PM, Jack Bates wrote:
> On 9/28/2012 11:37 AM, Jack Bates wrote:
>> On 9/27/2012 3:30 PM, Jack Bates wrote:
>>> Version: 2.1.9
>>>
>>> Connecting directly to the proxy server on the LMTP port, issue lhlo, mail from, rcpt to, data. After the . closing of data, it just hangs there. The logs on the proxy server show:
>
> Further testing shows that the connection fails are normally handled after the DATA block. It works perfectly if you only fail one recipient. If all recipients are failed, the code locks up instead of telling the client that they are all failed.
>
> Now to find out where between lmtp_client_fail() and some other part of the code, we aren't treating it right. :(

It appears that the callbacks for the proxy connections are handled in the ioloop stuff. If you have at least one valid proxy session open, then proxy_try_finish will get called and all the replies are sent. The problem appears to be if all backend proxy sessions are bad (ie single recipient, proxy server down), there is nothing for ioloop to callback to. proxy_try_finish will never get called, and we end up locking up at epoll_wait as there are no events for us to process.

Code needs to be written to handle the special case of us not having any proxy callbacks as they are all bad.

Jack

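The failure mode analysed in the message above, reduced to a small self-contained C model. This is an added example, not code from the original post or from Dovecot: every name in it (`session_completes`, `finish_after_send`, the `conn_state` values) is hypothetical, and only the control flow follows the description, where completion is checked from backend callbacks and so is never checked when no backend is alive.

```c
/* Added illustration, not Dovecot source: all names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_RCPT 8

enum conn_state { CONN_FAILED, CONN_CONNECTED, CONN_WAIT_REPLY, CONN_REPLIED };

struct proxy {
    enum conn_state conn[MAX_RCPT]; /* one backend connection per recipient */
    size_t count;
    size_t pending_events;  /* callbacks the event loop can still deliver */
    bool finished;          /* per-recipient replies were flushed to the client */
};

/* Constructed inputs: true means the backend accepted the connection. */
static const bool ONE_DOWN[] = { false };
static const bool MIXED[]    = { false, true };
static const bool ONE_UP[]   = { true };

/* Flush replies once no backend still owes one. A failed connection already
 * has its error reply queued, so it never blocks completion. */
static void proxy_try_finish(struct proxy *p)
{
    for (size_t i = 0; i < p->count; i++) {
        if (p->conn[i] == CONN_WAIT_REPLY)
            return;
    }
    p->finished = true;
}

/* Runs from the event loop when a backend answers the DATA payload. */
static void backend_reply_callback(struct proxy *p, size_t i)
{
    p->conn[i] = CONN_REPLIED;
    p->pending_events--;
    proxy_try_finish(p);
}

/* Client sent the final "." of DATA: forward the body to each live backend.
 * finish_after_send models calling the completion check once after the loop. */
static void proxy_start_data(struct proxy *p, bool finish_after_send)
{
    for (size_t i = 0; i < p->count; i++) {
        if (p->conn[i] != CONN_CONNECTED)
            continue;       /* refused: nothing sent, so no callback later */
        p->conn[i] = CONN_WAIT_REPLY;
        p->pending_events++;
    }
    if (finish_after_send)
        proxy_try_finish(p);
}

/* Returns true when the client receives its replies, false when the event
 * loop would block forever because nothing is left to wake it. */
bool session_completes(const bool *reachable, size_t n, bool finish_after_send)
{
    struct proxy p = { .count = n };

    if (n > MAX_RCPT)
        return false;
    for (size_t i = 0; i < n; i++)
        p.conn[i] = reachable[i] ? CONN_CONNECTED : CONN_FAILED;

    proxy_start_data(&p, finish_after_send);
    while (!p.finished) {
        if (p.pending_events == 0)
            return false;   /* models the wait with no events registered */
        for (size_t i = 0; i < n; i++) {
            if (p.conn[i] == CONN_WAIT_REPLY) {
                backend_reply_callback(&p, i);
                break;
            }
        }
    }
    return true;
}

int main(void)
{
    printf("1 rcpt, backend down, callbacks only: %s\n",
           session_completes(ONE_DOWN, 1, false) ? "replies sent" : "hang");
    printf("1 rcpt, backend down, check after send: %s\n",
           session_completes(ONE_DOWN, 1, true) ? "replies sent" : "hang");
    printf("2 rcpts, one backend down, callbacks only: %s\n",
           session_completes(MIXED, 2, false) ? "replies sent" : "hang");
    printf("1 rcpt, backend up, callbacks only: %s\n",
           session_completes(ONE_UP, 1, false) ? "replies sent" : "hang");
    return 0;
}
```
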
Re: [Dovecot] LMTP Proxy failure fix/hack

On 9/28/2012 3:12 PM, Jack Bates wrote:
> Code needs to be written to handle the special case of us not having any proxy callbacks as they are all bad.

Timo, please check and approve. This was diff'd on 2.1.10 on my test server (2.1.9 and 2.1.10 at least had this callback issue).

*** lmtp-proxy.c-orig 2012-09-28 20:17:36.138916678 + --- lmtp-proxy.c2012-09-28 20:18:12.241940780 + *** *** 300,303 --- 300,304 lmtp_client_send(conn->client, conn->data_input); lmtp_client_send_more(conn->client); } + lmtp_proxy_try_finish(proxy); }

ie, call lmtp_proxy_try_finish once. If all is bad, this will wrap us up. If we have valid proxies, it'll probably not finish and we'll return to waiting on callbacks. I'm not sure of any blocking restrictions. I just know it works.

    mail from:
    250 2.1.0 OK
    rcpt to:
    250 2.1.5 OK
    data
    354 OK
    test
    .
    451 4.4.0 Remote server not answering (connect)

    mail from:
    250 2.1.0 OK
    rcpt to:
    250 2.1.5 OK
    rcpt to:
    250 2.1.5 OK
    data
    354 OK
    test
    .
    451 4.4.0 Remote server not answering (connect)
    250 2.0.0 CYKfHcsHZlBcCAAALhEySA Saved

    mail from:
    250 2.1.0 OK
    rcpt to:
    250 2.1.5 OK
    data
    354 OK
    test
    .
    250 2.0.0 EYKfHcsHZlBcCAAALhEySA Saved

Jack

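Review bot: the added lmtp_proxy_try_finish(proxy) call after the send loop (the only + line of the hunk) is unconditional and carries no comment, so a later reader cannot tell that it exists for the case where every backend connection has already failed and no callback will fire. Please add a one-line comment saying so, and confirm that lmtp_proxy_try_finish() is safe to call at this point while other connections are still sending, since it now runs once per DATA even when live backends remain.
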
Re: [Dovecot] Log NAT IP address?

On 9/30/2012 8:02 AM, Charles Marcus wrote:
> Hi Timo/everyone,
>
> Currently we are logging the remote IP, but is there a way to show the IP address that the NAT connection is coming from? The reason I ask is, we are changing ISPs, and I would like to see in the logs when an external connection is coming from our OLD ISP connection, and when it is coming through our new one. We have a Watchguard firewall, and I have both External connections setup and working, and have just pointed our DNS records to the new public IP, and would like to be able to see which WAN connection/IP they are coming from.

You could bind 2 internal IP Addresses to the server and have each NAT translation go to a different internal IP.

Jack

Re: [Dovecot] Log NAT IP address?

On 10/1/2012 2:58 AM, David Ledger wrote:
> At 09:33 -0500 30/9/12, Jack Bates wrote:
>> On 9/30/2012 8:02 AM, Charles Marcus wrote:
>>> Hi Timo/everyone,
>>>
>>> Currently we are logging the remote IP, but is there a way to show the IP address that the NAT connection is coming from? The reason I ask is, we are changing ISPs, and I would like to see in the logs when an external connection is coming from our OLD ISP connection, and when it is coming through our new one. We have a Watchguard firewall, and I have both External connections setup and working, and have just pointed our DNS records to the new public IP, and would like to be able to see which WAN connection/IP they are coming from.
>>
>> You could bind 2 internal IP Addresses to the server and have each NAT translation go to a different internal IP.
>>
>> Jack
>
> From my remembrances of the packet layout there is nowhere in the packet for the pre-NAT address to live. The only place the mapping is stored is in the internal tables of the NAT router which has to know where to send the reply packets.
>
> David

    Public IP1 -> 192.168.0.33
    Public IP2 -> 192.168.0.34

Now we just track the internal address in our logs, since each public IP is mapped to a different internal IP.

Jack

Re: [Dovecot] Problem with process_limit

On 10/1/2012 4:15 AM, FABIO FERRARI wrote:
> Hello,
>
> I have a problem with the process_limit configuration. Occasionally, it happens that the dovecot.log shows this line:
>
>     master: Warning: service(imap): process_limit reached, client connections are being dropped
>
> So I checked the process number with the command:
>
>     ps auxwww | grep imap | grep -v login | wc -l
>
> and it shows 1024. Then, I edited the file /etc/dovecot/conf.d/10-master.conf and set the line
>
>     process_limit = 1500
>
> I checked if the dovecot had accepted the change with the command
>
>     doveconf -n | grep process_limit
>
> and it shows
>
>     process_limit = 1500
>
> But it is dropping the connections when they reach 1024 anyway, the configuration parameter is totally ignored. Can anyone help? Am I editing the right parameter?
>
> thanks in advance
> Fabio Ferrari
>
> P.S. The version of the dovecot is dovecot-2.0.1-1_118.el5 on Red Hat Enterprise Linux Server release 5.8 (Tikanga).

Don't forget to change the operating system limit as well. I added these lines to my /etc/sysconfig/dovecot on rhel6. I compiled dovecot myself, but I package similar to the system version.

    ulimit -n 4096
    ulimit -u 5120

This increases the filehandles allowed by dovecot to 4096 and increases the number of processes per user to 5120. This is a proxy server, so I needed to support much larger numbers than a silly 1024.

Jack

Re: [Dovecot] Logging IP address for failed login

On 10/1/2012 3:36 PM, Scott Neville wrote:
> In /var/log/maillog I get lines like this:
>
>     Oct 1 04:19:12 olive dovecot: auth: pam(marketing): unknown user
>     Oct 1 04:19:17 olive dovecot: auth: pam(marketing): unknown user

I'm guessing you are using a centos package. This may be package version specific. Here is RHEL6's dovecot 2.0.9 default except for setting auth_verbose = yes.

    Sep 28 21:12:10 compiler dovecot: auth: pam(test,::1): unknown user
    Sep 28 21:12:24 compiler dovecot: auth: pam(validuser,::1): pam_authenticate() failed: Authentication failure (password mismatch?)

2.1.9/2.1.10 which I packaged shows similar. Since I connected localhost, the IP is IPv6, of course.

Jack

Re: [Dovecot] BUG to compile dovecot 2.1.10 on Debian 4.0, using gcc 4.1.2

It looks like this might be a bug in glibc 2.3.3

http://sourceware.org/bugzilla/show_bug.cgi?id=1392

Jack

On 10/1/2012 2:20 PM, Fabio Depin wrote:
> Hello,
>
> Today I needed to compile dovecot 2.1.10 on Debian 4.0, using gcc 4.1.2. When running 'make' I get the following error:
>
> --
> db-checkpassword.c: In function 'sigchld_handler':
> db-checkpassword.c: 426: error: assignment of read-only member '__in'
> db-checkpassword.c: 429: error: assignment of read-only member '__in'
> db-checkpassword.c: 431: error: assignment of read-only member '__in'
> db-checkpassword.c: 432: error: assignment of read-only member '__in'
> make [3]: ** [db-checkpassword.o] Error 1
> make [3]: ** Waiting for other processes to finish.
> mv-f .deps / auth-worker-server.Tpo .deps / auth-worker-server.Po
> make [3]: Leaving directory `/ usr/src/dovecot/dovecot-2.1.7/src/auth '
> make [2]: ** [all-recursive] Error 1
> make [2]: Leaving directory `/ usr/src/dovecot/dovecot-2.1.7/src '
> make [1]: ** [all-recursive] Error 1
> make [1]: Leaving directory `/ usr/src/dovecot/dovecot-2.1.7 '
> make: ** [all] Error 2
> --
>
> To make it work I did the following:
>
> --
> 417a418 + Int stat = status-> status; 426c427 - If (WIFSIGNALED (status-> status)) { --- + If (WIFSIGNALED (stat)) { 429c430 - Dec2str (status-> pid), WTERMSIG (status-> status)); --- + Dec2str (status-> pid), WTERMSIG (stat)); 431.432 c432, 433 -} Else if (WIFEXITED (status-> status)) { - Request-> exit_status WEXITSTATUS = (status-> status); --- +} Else if (WIFEXITED (stat)) { + Request-> exit_status WEXITSTATUS = (stat);
> --
>
> With this change it worked perfectly both on Debian 4 with gcc 4.1.2 and on Debian 6 with gcc 4.4.5.
>
> I wonder whether the change I made may affect any function of dovecot, or whether it is correct.
>
> Thank you for your attention.
>
> Fabio Depin

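Review bot: the local introduced at 417a418 is named stat, which shadows the libc stat() function wherever <sys/stat.h> is in scope; a name such as wstatus avoids that and reads better next to WIFSIGNALED/WIFEXITED. As pasted, the diff is also not valid C (Int, If, Else, and WEXITSTATUS placed before the = on the last changed line), so please resend it as an unmodified attachment so it can be applied and checked against the four error lines at 426 to 432.
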
Re: [Dovecot] possible nfs issue

On 10/2/2012 4:39 PM, Cor Bosman wrote:
> Anyone else with NFS mailspools seeing this?
>
> Cor

I haven't seen them yet, however, to help troubleshoot, see this link and follow its links for more details on .nfs files

http://wordpress.org/support/topic/how-can-i-prevent-unwanted-nfs-files-from-being-created

Jack

Re: [Dovecot] LDA vs LMTP index files

On 10/3/2012 9:34 AM, l...@airstreamcomm.net wrote:
> In the docs it states that LDA "...takes mail from an MTA and delivers it to a user's mailbox, while keeping Dovecot index files up to date." I am wondering if LMTP also interacts with the Dovecot index files and keeps them up to date?

Brand new account created with LMTP. So I'd say yes.

    -rw---. 1 vmail vmail 16384 Oct 2 20:21 dovecot.index.cache
    -rw---. 1 vmail vmail 560 Oct 2 20:21 dovecot.index.log
    -rw---. 1 vmail vmail 152 Oct 2 20:21 dovecot-uidlist
    -rw---. 1 vmail vmail 8 Oct 2 18:58 dovecot-uidvalidity
    -r--r--r--. 1 vmail vmail 0 Oct 2 18:58 dovecot-uidvalidity.506b393c
    -rw---. 1 vmail vmail 28 Oct 2 20:21 maildirsize

Jack

Re: [Dovecot] LDA vs LMTP index files

On 10/3/2012 10:03 AM, Charles Marcus wrote:
> On 2012-10-03 10:34 AM, l...@airstreamcomm.net wrote:
>> In the docs it states that LDA "...takes mail from an MTA and delivers it to a user's mailbox, while keeping Dovecot index files up to date." I am wondering if LMTP also interacts with the Dovecot index files and keeps them up to date?
>
> Yes... although it doesn't seem to state that explicitly in the wiki...

http://wiki2.dovecot.org/LMTP

"The main difference is that the LDA is a short-running process, started as a binary from command line, while LMTP is a long-running process started by Dovecot's master process."

I think they are trying to reduce duplication of information.

Jack

[Dovecot] lmtp proxy logging

The logging on lmtp and lmtp proxy is pretty limited from what I can see. It seems to handle errors, Connect, Disconnect, and in the case of lmtp delivery, it logs where an email is saved to. The lmtp may be enough, "connect, saved user, saved user..., disconnect", but I was curious if it is worthwhile to add more info logging for the proxy, primarily which recipients are sent to which proxy.

I was thinking of local patching it, but I'll generate up something more inline with official code if it is desired. My thought is to show 1 entry for each recipient, and the destination server chosen. If I recall correctly, the proxy code doesn't actually listen in on the conversation, so logging results would probably complicate the code.

Jack

Re: [Dovecot] I need a quota expert

Looking at the wiki:

http://wiki2.dovecot.org/Quota/Dict

It appears that the conf files for dict are different than the sql files for auth. This is why you are getting error messages. The auth config needs the driver option, the dict config does not. Create a file specifically for dict and point to that. Use the above wiki's examples for format.

Jack

On 10/10/2012 9:29 AM, Tibby wrote:
> I'm having problems with dovecot quota configuration. If I Include the driver mysql in dovecot-sql.conf I'm getting this error:
>
>     dovecot: dict: Error in configuration file /etc/dovecot/dovecot-sql.conf line 1: Unknown setting: driver
>     dovecot: dict: Failed to initialize dictionary 'quotadict'
>
> If I Don't include it:
>
>     dovecot: auth(default): Fatal: sql: driver not set in configuration file /etc/dovecot/dovecot-sql.conf
>     dovecot: auth(default): Fatal: sql: driver not set in configuration file /etc/dovecot/dovecot-sql.conf
>
> Now What??? How Should I configure quota ? My SQL has a mail db with a user table. The table has email, password, quota_kb fields.
>
> my dovecot.conf:
>
>     protocols = imap imaps pop3 pop3s
>     log_timestamp = "%Y-%m-%d %H:%M:%S "
>     mail_location = maildir:/home/vmail/%d/%n/Maildir
>     disable_plaintext_auth = no
>     ssl_cert_file = /etc/ssl/certs/dovecot.pem
>     ssl_key_file = /etc/ssl/private/dovecot.pem
>     namespace private {
>       separator = .
>       prefix = INBOX.
>       inbox = yes
>     }
>     protocol imap {
>       mail_plugins = quota imap_quota
>     }
>     protocol lda {
>       log_path = /home/vmail/dovecot-deliver.log
>       auth_socket_path = /var/run/dovecot/auth-master
>       postmaster_address = postmas...@domain.tld
>       mail_plugins = sieve quota
>       global_script_path = /home/vmail/globalsieverc
>       mail_plugin_dir = /usr/lib/dovecot/modules/lda
>     }
>     protocol pop3 {
>       pop3_uidl_format = %08Xu%08Xv
>       mail_plugins = quota
>     }
>     dict {
>       quotadict = mysql:/etc/dovecot/dovecot-sql.conf
>     }
>     plugin {
>       quota = dict:user::proxy::quotadict
>       quota_rule = *:storage=10M:messages=1000
>     }
>     auth default {
>       user = root
>       passdb sql {
>         args = /etc/dovecot/dovecot-sql.conf
>       }
>       userdb sql {
>         args = /etc/dovecot/dovecot-sql.conf
>       }
>       socket listen {
>         master {
>           path = /var/run/dovecot/auth-master
>           mode = 0600
>           user = vmail
>         }
>         client {
>           path = /var/spool/postfix/private/auth
>           mode = 0660
>           user = postfix
>           group = postfix
>         }
>       }
>     }
>     mail_uid = 5000
>     mail_gid = 5000
>
> my dovecot-sql.conf:
>
>     driver = mysql
>     connect = host=127.0.0.1 dbname=mail user=** password=**
>     default_pass_scheme = CRYPT
>     password_query = SELECT email as user, password, concat('*:storage=', quota_kb) AS quota_rule FROM users WHERE email='%u';
>     user_query = SELECT CONCAT('/home/vmail/',CONCAT(SUBSTRING_INDEX(email,'@',-1),'/',SUBSTRING_INDEX(email,'@',1))) AS home, 5000 AS uid, 5000 AS gid, concat('*:storage=', quota_kb) AS quota_rule FROM users WHERE email='%u'
>     map {
>       pattern = priv/quota/storage
>       table = user
>       username_field = user
>       value_field = quota_kb
>     }
>
> SOMEBODY PLEASE HELP ME!!! :)

Re: [Dovecot] Dovecot does not disconnect at end of pop3 session

On 10/10/2012 9:40 AM, Robert JR wrote:
>     telnet mymail.com 110
>     user username
>     pass password
>     list
>     quit
>
> all commands work except the quit command, Dovecot hangs at this point !!! Why does Dovecot hang on receiving the Quit command !!! and does not disconnect !!

Please include your dovecot version. Also, does the list command end with a line that contains a period? You might want to include dovecot -n as well, which will show everyone what your mail storage type is and other relevant information.

Jack

Re: [Dovecot] Fwd: Re: Dovecot does not disconnect at end of pop3 session

On 10/10/2012 10:07 AM, Robert JR wrote:
> list command return msg number and size only.
>
> Thanks

Below is the proper format you should see. The line with a period at the end is required to show that the list command has completed. If you do not get that, then the server hasn't successfully completed the list command to accept new commands. Check your logs for any mention of the connection and errors that might have generated. If you are using NFS, there are several issues with locking that can be problematic.

If you are getting the '.' line, then try other commands besides quit. It is important to determine if the code is ignoring input or if it has a problem with the actual quit code.

Also, I notice you mentioned several hours. It would be useful to know if this occurs on startup or if it fails over time. It is also useful to know if it affects all accounts or just some of the active accounts. It is also useful to know if there are people currently logged in on those accounts when you perform your test.

    telnet localhost 110
    Trying ::1...
    Connected to localhost.
    Escape character is '^]'.
    +OK Dovecot ready.
    user
    +OK
    pass
    +OK Logged in.
    list
    +OK 3 messages:
    1 2821
    2 5907
    3 11171
    .
    quit
    +OK Logging out.
    Connection closed by foreign host.

Re: [Dovecot] Irrelevant information filling logs

On 10/10/2012 8:39 AM, 3.lis...@adminlinux.com.br wrote:
> Is there a way to send specific Dovecot errors on specific files or just discard them?

syslog/rsyslog filters are the best method, in my opinion. This would allow you to filter to another file or discard things you aren't interested in altogether.

I personally like quota messages in another logfile. Then I can tail the file with a script and issue changes so that the MTA servers reject emails to that user instead of trying to deliver, then periodically check quotas for users we currently block to determine when it is okay to accept emails again. It really lowers the bounces on the MTA servers.

Jack

Re: [Dovecot] iterate_query does not use userdb - mail_location not found

On 10/11/2012 8:19 AM, dove...@freakout.de wrote:
> sql.conf:
>
>     driver = mysql
>     connect = host=much dbname=toarx user=exim password=
>     default_pass_scheme = PLAIN
>     password_query = select user as username, password, userdb_home, userdb_mail, userdb_quota_rule from vusers where email = '%u'
>     user_query = select user as username, userdb_home, userdb_mail, userdb_quota_rule from vusers where email = '%u'
>     iterate_query = select email as user from vusers

Only prefetch in the password_query prefixes with userdb_. Some things such as doveadm commands and lmtp delivery don't use passdb but userdb directly. The user_query should not have the userdb_ prefix. Also, according to the wiki, iterate_query returns username, not user.

http://wiki2.dovecot.org/AuthDatabase/SQL

Jack

Re: [Dovecot] lmtp proxy logging

On 10/12/2012 2:40 AM, Timo Sirainen wrote:
>> would probably complicate the code.
>
> I don't think this would be difficult to implement. Probably just a few lines of code. Yeah, could be useful.

Commented logs below. I did 3 different types of connections. Let me know what you think. Because I'm logging the proxy host itself, it can be IP or name depending on the configuration. If you like it, want minor changes, additional logging, let me know and I'll adjust the code. As is, this is a one liner.

Jack

    Oct 12 19:03:45 compiler dovecot: lmtp(18568): Connect from ::1

Connection succeeds using static proxy to lmtp.example.com (default in this config).

    Oct 12 19:04:14 compiler dovecot: lmtp(18568): Reply from lmtp.example.com(test): 250 2.5.0 command succeeded

Connection succeeds but user invalid using director mapping

    Oct 12 19:04:14 compiler dovecot: lmtp(18568): Reply from 192.168.1.3(test2): 550 5.1.1 User doesn't exist: test2

Current error reporting

    Oct 12 19:04:14 compiler dovecot: lmtp(18568): Error: lmtp client: connect(192.168.1.4, 7025) failed: No route to host

Connection failed and what we returned to client

    Oct 12 19:04:14 compiler dovecot: lmtp(18568): Reply from 192.168.1.4(test42): 451 4.4.0 Remote server not answering (connect)
    Oct 12 19:04:16 compiler dovecot: lmtp(18568): Disconnect from ::1: Client quit (in reset)

Re: [Dovecot] lmtp proxy logging

On 10/15/2012 2:07 PM, Jack Bates wrote:
> On 10/12/2012 2:40 AM, Timo Sirainen wrote:
>>> would probably complicate the code.
>>
>> I don't think this would be difficult to implement. Probably just a few lines of code. Yeah, could be useful.

If there's no argument over the last email, confirm and check this patch. It's not the overall logging I would like, but the lmtp code isn't as mature as pop3/imap and the proxy is a quick and dirty on the lmtp code. Both need a good revamp, preferably with x-session support and perhaps logging rip/lip similar to how we do pop3/imap logins. I think we should also work on adjusting all logging for services using x-session to also log the proxy ip. rip,lip,pip. As I get time I'll look at it.

This patch is just to keep us from having no useful logging in lmtp proxy. Based on lmtp pid, one can at least follow the connect, the proxy replies, and the disconnect of a session.

--- dovecot-2.1.10/src/lmtp/lmtp-proxy.c2012-10-12 19:46:49.688952484 + +++ dovecot-2.1.10/src/lmtp/lmtp-proxy.c-new2012-10-12 19:48:51.751932325 + @@ -160,6 +160,8 @@ static bool lmtp_proxy_send_data_replies break; o_stream_send_str(proxy->client_output, t_strconcat(rcpt[i]->reply, "\r\n", NULL)); + i_info("proxy(%s): proxy host=%s: status=%s",rcpt[i]->address, + rcpt[i]->conn->set.host,rcpt[i]->reply); } o_stream_uncork(proxy->client_output); proxy->next_data_reply_idx = i;

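Review bot: the added i_info() call writes rcpt[i]->address and rcpt[i]->reply to the log verbatim; the address is supplied by the LMTP client and the reply by the backend, so both should be sanitized (control characters, length) before they are logged. The call also dereferences rcpt[i]->conn->set.host with no visible check that conn is set for every recipient reaching this loop, and the argument list is missing the spaces after its commas.
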
Re: [Dovecot] Problem with quota update in dovecot 1.2

On 10/16/2012 8:39 AM, tower wrote:
> Hi
>
> I have a problem with the quota2 table, working under postfixadmin. When I log in to the imap server with the thunderbird client everything works fine, quota is updated when I receive a message, but when I move a message to trash or any other folder the value of the messages field in table quota2 increases by 1 instead of decreasing or keeping the same value. Only if I close my imap client does the value go down by 2. I wish the quota2 table to be updated immediately after any operation on inbox. Is there any mistake in my configuration?
>
> Thanks for any advice.

Are you sure the client isn't just copying it to the other folder. When you exit, you may be expunging inbox (deleting the marked message) and emptying trash (deleting the copied message).

Jack

Re: [Dovecot] Problem with quota update in dovecot 1.2

On 10/16/2012 9:00 AM, tower wrote:
> Yes, now I see that the message is still in the folder from which I moved it. In thunderbird I do drag and drop (FYI). Is there any switch in the dovecot configuration which treats a message as deleted from the folder from which I move that message?

Not to my knowledge, but someone else may know more. I setup the Trash folder with a +100MB quota per the wiki so that it could handle deleting emails when quota was near full.

Jack

[Dovecot] real_rip variable addition for dovecot 2.1.10

Timo,

Please check the code. I didn't add it, but a real_lip might be useful for some people as well. Also, I notice that pop3-proxy is doing a different xsession than the imap proxy. Is there an xsession standard that is different between the two, or just an oversight in the code? Both send the remote address/port, but only imap proxy sends the local address/port.

This patch declares long variable %{real_rip} so that a backend server can declare a different login_log_format_elements

    login_log_format_elements = user=<%u> method=%m rip=%r lip=%l pip=%{real_rip} mpid=%e %c

This is primarily useful for backend servers to log both the rip, lip, and in case of xsession, the real rip. I haven't done extensive testing yet, but as long as nothing does anything weird elsewhere in the code, it should be good.

http://www.brightok.net/jbates/dovecot-2.1.10-real-ip.patch

    dovecot: pop3-login: Login: user=, method=PLAIN, rip=192.168.1.5, lip=::1, pip=::1, mpid=8665, secured

Jack Bates

Re: [Dovecot] real_rip variable addition for dovecot 2.1.10

Still have some problems with the patch. Will have to research it more. Worked fine on localhost, but isn't logging at all for foreign hosts in a production environment.

Jack

On 10/16/2012 3:43 PM, Jack Bates wrote:
> Timo,
>
> Please check the code. I didn't add it, but a real_lip might be useful for some people as well. Also, I notice that pop3-proxy is doing a different xsession than the imap proxy. Is there an xsession standard that is different between the two, or just an oversight in the code? Both send the remote address/port, but only imap proxy sends the local address/port.
>
> This patch declares long variable %{real_rip} so that a backend server can declare a different login_log_format_elements
>
>     login_log_format_elements = user=<%u> method=%m rip=%r lip=%l pip=%{real_rip} mpid=%e %c
>
> This is primarily useful for backend servers to log both the rip, lip, and in case of xsession, the real rip. I haven't done extensive testing yet, but as long as nothing does anything weird elsewhere in the code, it should be good.
>
> http://www.brightok.net/jbates/dovecot-2.1.10-real-ip.patch
>
>     dovecot: pop3-login: Login: user=, method=PLAIN, rip=192.168.1.5, lip=::1, pip=::1, mpid=8665, secured
>
> Jack Bates

Re: [Dovecot] real_rip variable addition for dovecot 2.1.10

Umm, yeah. Setting your rsyslog to pipe certain IP matches to another file really screws things up when you change the log to include that IP. Hours of work before I figured out that it was logging just fine but to another file. lol

Jack

On 10/16/2012 5:51 PM, Jack Bates wrote:
> Still have some problems with the patch. Will have to research it more. Worked fine on localhost, but isn't logging at all for foreign hosts in a production environment.
>
> Jack
>
> On 10/16/2012 3:43 PM, Jack Bates wrote:
>> Timo,
>>
>> Please check the code. I didn't add it, but a real_lip might be useful for some people as well. Also, I notice that pop3-proxy is doing a different xsession than the imap proxy. Is there an xsession standard that is different between the two, or just an oversight in the code? Both send the remote address/port, but only imap proxy sends the local address/port.
>>
>> This patch declares long variable %{real_rip} so that a backend server can declare a different login_log_format_elements
>>
>>     login_log_format_elements = user=<%u> method=%m rip=%r lip=%l pip=%{real_rip} mpid=%e %c
>>
>> This is primarily useful for backend servers to log both the rip, lip, and in case of xsession, the real rip. I haven't done extensive testing yet, but as long as nothing does anything weird elsewhere in the code, it should be good.
>>
>> http://www.brightok.net/jbates/dovecot-2.1.10-real-ip.patch
>>
>>     dovecot: pop3-login: Login: user=, method=PLAIN, rip=192.168.1.5, lip=::1, pip=::1, mpid=8665, secured
>>
>> Jack Bates

Re: [Dovecot] Difference between Indexing and Rescan in FTS

On 10/16/2012 6:14 PM, Fred Kilbourn wrote:
> I've had squat running on dovecot 2.0 and have been updating all users mailbox indexes nightly via cron with this command:
>
>     doveadm -v search -A text xyzzyx
>
> I've just updated to 2.1 and I'm migrating to lucene indexes, but reading the documentation I'm having a hard time understanding the semantic differences between indexing and rescanning. If I were to continue to run an all user all mailbox index every night, would that be appropriate? Would running this every night avoid the need to ever rescan?

2 sets of indexes.

    dovecot indexes
    FTS indexes

Performing the cron search will update the FTS indexes, although you should read up on 2.1's doveadm index command. The dovecot indexes should stay in sync. However, if they do lose track of the FTS indexes, you can do a rescan to sync them back up. Except for corruption or index changes made outside of dovecot, the two sets of indexes should stay in sync.

Jack

Re: [Dovecot] Per user quotas

On 10/16/2012 11:39 AM, David Travers wrote:
> Hi All,
>
> I keep going round in circles with this. I have quotas up and running but would like to add a couple of per user exceptions but can't figure out how to do it! I am using Open Xchange community edition on top of dovecot and that is showing the 200MB limit, if I change it in the dovecot.conf the change is reflected in open xchange, but can't figure out how to change for 1 user. I believe I need to add to a passwd file, but I have added to that and nothing has changed.

    user:{plain}pass:1000:1000::/home/user::userdb_mail=mbox:~/mail userdb_quota_rule=*:storage=100M
    user2:{plain}pass2:1001:1001::/home/user2::userdb_mail=maildir:~/Maildir userdb_quota_rule=*:storage=200M

Example given on http://wiki.dovecot.org/UserDatabase/ExtraFields

Note that the extra fields are prefixed with userdb_ when placed in a passwd file. Also, watch your quota_rule numbering. You have 2 rules with the same number (quota_rule2 for Trash and SPAM). In the passwd file, you are replacing the rule specified by number (no number technically being the first).

Jack

Re: [Dovecot] Dovecot failed logins delay all logins

On 10/17/2012 1:44 AM, Dominic Malolepszy wrote:
> I think I found a solution to this thanks to a post by Timo here: http://dovecot.org/list/dovecot/2011-December/062631.html
>
>     service anvil {
>       unix_listener anvil-auth-penalty {
>         mode = 0
>       }
>     }

You can also leave IP based penalties and set your other servers such as proxy and webmail as trusted.

Jack

Re: [Dovecot] dovecot died

Read the wiki that was linked. It could be anything from ntpd/OS/hardware bug. It isn't uncommon for there to be TSC timing issues as well. I have a cutting edge server that has a bug that breaks TSC and causes timing issues. Luckily, my OS is relatively good at not stepping backwards in time.

Jack

On 10/17/2012 1:26 AM, Hendrik wrote:
> Hi All
>
> I have been trying to get this website running for months now. I get these emails from cpanel and don't know how to fix it. If anyone can help me please contact me at pipe...@mweb.co.za.
>
> Kind regards
> Hendrik
>
> imap failed @ Fri Oct 12 05:51:18 2012. A restart was attempted automagically.
> Service Check Method: [check command]
> Number of Restart Attempts: 1
> Cmd Service Check Raw Output: dovecot is not running
> Startup Log: /etc/init.d/dovecot: line 15: 6043 Alarm clock /usr/sbin/dovecot > /dev/null 2>&1
> Syslog Messages:
imap-login: Login: user=<__cpanel__service__auth__imap__7zurxql5qf5whp4rupxen3viduh5kucjqtrzigs c75cnov...>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured Oct 12 04:16:09 scene dovecot: IMAP(__cpanel__service__auth__imap__7zurxql5qf5whp4rupxen3viduh5kucjqtrzigsc 75cnovslbll4702ue2veu2n3): Disconnected: Logged out bytes=11/318 Oct 12 04:21:10 scene dovecot: imap-login: Login: user=<__cpanel__service__auth__imap__cq4wbk6o7svgbljnmw1hx2iiaunvzp3w1cywwsf ou8d5ky...>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured Oct 12 04:21:11 scene dovecot: IMAP(__cpanel__service__auth__imap__cq4wbk6o7svgbljnmw1hx2iiaunvzp3w1cywwsfo u8d5kysrfeaqvlmjgx6afvnb): Disconnected: Logged out bytes=11/340 Oct 12 04:26:35 scene dovecot: imap-login: Login: user=<__cpanel__service__auth__imap__uhyykmmdnf31il4pn_kfci9y2gw2o9skyz7zuoe oga08za...>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured Oct 12 04:26:36 scene dovecot: IMAP(__cpanel__service__auth__imap__uhyykmmdnf31il4pn_kfci9y2gw2o9skyz7zuoeo ga08zaq_nh6yzqsmveqpvnxi): Disconnected: Logged out bytes=11/313 Oct 12 04:31:05 scene dovecot: imap-login: Login: user=<__cpanel__service__auth__imap__hka0onlsdbqugjyirdyygk_d9wtw_xtkl7jgaus tpvzl1q...>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured Oct 12 04:31:05 scene dovecot: IMAP(__cpanel__service__auth__imap__hka0onlsdbqugjyirdyygk_d9wtw_xtkl7jgaust pvzl1qjjei5uuoi1c4g8tpea): Disconnected: Logged out bytes=11/313 Oct 12 04:36:02 scene dovecot: imap-login: Login: user=<__cpanel__service__auth__imap__ouonjmdpliwgyj8ij6gucv6y7fxq6ojdk9hsxjj fzonng9...>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured Oct 12 04:36:03 scene dovecot: IMAP(__cpanel__service__auth__imap__ouonjmdpliwgyj8ij6gucv6y7fxq6ojdk9hsxjjf zonng9eqrsw5l5hg7xoejer2): Disconnected: Logged out bytes=11/340 Oct 12 04:41:03 scene dovecot: imap-login: Login: user=<__cpanel__service__auth__imap__wpwfzoyvnb2rsz2desu10swelok4cdwrqqw70gw eibvov1...>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured Oct 12 
04:41:04 scene dovecot: IMAP(__cpanel__service__auth__imap__wpwfzoyvnb2rsz2desu10swelok4cdwrqqw70gwe ibvov1_minfh7j4_4ejaz7v2): Disconnected: Logged out bytes=11/340 Oct 12 04:46:04 scene dovecot: imap-login: Login: user=<__cpanel__service__auth__imap__razxoe9ffiqhzj6rahuftwwqprhj2blovjvsbhd rhafjur...>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured Oct 12 04:46:05 scene dovecot: IMAP(__cpanel__service__auth__imap__razxoe9ffiqhzj6rahuftwwqprhj2blovjvsbhdr hafjureydiuxbtbk2jkpkvlo): Disconnected: Logged out bytes=11/340 Oct 12 04:51:06 scene dovecot: imap-login: Login: user=<__cpanel__service__auth__imap__as64dk7mx4gfxupigti8wwrbqpqhetm9zyhzlrq h1iztqo...>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured Oct 12 04:51:06 scene dovecot: IMAP(__cpanel__service__auth__imap__as64dk7mx4gfxupigti8wwrbqpqhetm9zyhzlrqh 1iztqosnzfwt28kkzv4riyd9): Disconnected: Logged out bytes=11/340 Oct 12 04:56:07 scene dovecot: imap-login: Login: user=<__cpane
Re: [Dovecot] Per user quotas
My recommendation is that you use Passwd-file instead of Passwd and specify /etc/passwd. I mention this, as Passwd can use NSS and may not give you the results you want. Passwd-file will guarantee you use the /etc/passwd file.

Also, I'm not as familiar with v1.x, but I know in v2.1.10, a userdb lookup doesn't use the userdb_ prefix. So you can try it with and without that prefix. userdb_ prefix on v2 is for cases where you do a prefetch on the passdb.

I hope this helps. I've been using Passwd-file only for proxy settings and ldap for my backends to handle quota.

Jack

On 10/17/2012 2:42 AM, David Travers wrote:

Hi Jake,

Yep, similar to what I had been trying, but it doesn't seem to be working. In my /etc/passwd file I had the line:-

dave:x:1000:1000:David Travers,,,:/home/dave:/bin/bash

I have changed it to show:-

dave:x:1000:1000:David Travers,,,:/home/dave:/bin/bash:userdb_quota_rule=*:storage=100M

Do I have to put the "userdb_mail=mbox:~/mail" in as well, as that is specified already in Dovecot? Is there anything I need to do once specifying this in the passwd file, as the quota limit is not being shown as changed in Open Xchange?

Also yes, I noticed the numbering and have corrected.

Thanks for your quick reply.

Dave

-Original Message-
From: dovecot-boun...@dovecot.org [mailto:dovecot-boun...@dovecot.org] On Behalf Of Jack Bates
Sent: 17 October 2012 04:02
To: dovecot@dovecot.org
Subject: Re: [Dovecot] Per user quotas

On 10/16/2012 11:39 AM, David Travers wrote:

Hi All, I keep going round in circles with this. I have quotas up and running but would like to add a couple of per user exceptions but can't figure out how to do it! I am using Open Xchange community edition on top of dovecot and that is showing the 200MB limit, if I change it in the dovecot.conf the change is reflected in open xchange, but can't figure out how to change for 1 user. I believe I need to add to a passwd file, but I have added to that and nothing has changed.

user:{plain}pass:1000:1000::/home/user::userdb_mail=mbox:~/mail userdb_quota_rule=*:storage=100M
user2:{plain}pass2:1001:1001::/home/user2::userdb_mail=maildir:~/Maildir userdb_quota_rule=*:storage=200M

Example given on http://wiki.dovecot.org/UserDatabase/ExtraFields

Note that the extra fields are prefixed with userdb_ when placed in a passwd file. Also, watch your quota_rule numbering. You have 2 rules with the same number (quota_rule2 for Trash and SPAM). In the passwd file, you are replacing the rule specified by number (no number technically being the first).

Jack
Re: [Dovecot] Dovecot: pipe() failed: Too many open files
I'm using RHEL6 instead of ubuntu, but check the startup scripts. In RHEL's case, the following file is sourced, so I updated it instead of the startup scripts.

cat /etc/sysconfig/dovecot
# Here you can specify your dovecot command line options.
#
#OPTIONS=""
ulimit -n 4096
ulimit -u 5120

In addition, I had to also up the max allowed processes in the dovecot config. 2.x and 1.x are different on this.

http://wiki1.dovecot.org/LoginProcess <-1.x method

Jack

On 10/17/2012 6:16 PM, Fasil wrote:

Thanks Frank. Followed the URL and could not find any luck. Is there a way to change the value of 'max open files' of dovecot? I have tried to set the value in /etc/default/dovecot by setting ulimit. But the value is not getting applied. Could anyone help in this regard?

Fasil.

On 08/16/2012 09:17 AM, Frank Bonnet wrote:

hello, here is some useful information: http://posidev.com/blog/2009/06/04/set-ulimit-parameters-on-ubuntu/

Sent from my iPhone.

On 16 August 2012 at 02:52, Fasil wrote:

Dear all, Thank you all for such a wonderful support. Hats off to all :) A few times I came across imap login issues where new users will not be allowed to login. /var/log/mail.err shows the error below

Aug 12 07:57:46 mail dovecot: dovecot: pipe() failed: Too many open files
Aug 12 07:57:46 mail dovecot: dovecot: Temporary failure in creating login processes, slowing down for now
Aug 12 07:58:46 mail dovecot: dovecot: pipe() failed: Too many open files
Aug 12 07:59:46 mail dovecot: dovecot: pipe() failed: Too many open files
Aug 12 08:00:46 mail dovecot: dovecot: pipe() failed: Too many open files

I have a dovecot (V 1.2.9) + postfix (V 2.7.0) setup on ubuntu 10.04

# ulimit -Hn
1024
# ulimit -Sn
1024
# cat /proc/sys/fs/file-max
1238548
# cat /proc/`pidof dovecot`/limits | grep 'Max open'
Max open files 1024 1024 files

Please advise how to get rid of this.

Fasil.
Re: [Dovecot] dovecot-core, dovecot-mysql for Debian squeeze
On 10/17/2012 6:47 PM, Ricardo wrote:

to install dovecot-core, dovecot-mysql, install it without problems is the version (2.1.7-2 ~ bpo60 +1) of both packages, now wanting to install dovecot-imapd dovecot-pop3d (version 1.2.15-7) breaks the dovecot-core, dovecot-mysql, apparently must be the same version all packages.

I think something is wrong with your debian setup. 1.2 is normal version. 2.1 is the backports version. You should be getting this:

Package: dovecot-imapd
Priority: optional
Section: mail
Installed-Size: 559
Maintainer: Dovecot Maintainers
Architecture: i386
Source: dovecot
Version: 1:2.1.7-2~bpo60+1
Provides: imap-server
Depends: dovecot-core (= 1:2.1.7-2~bpo60+1), libc6 (>= 2.4), ucf (>= 2.0020)

That's from the Packages list http://backports.debian.org/debian-backports/dists/squeeze-backports/main/binary-i386/

Jack
Re: [Dovecot] lmtp proxy logging
Timo,

How do you feel about parent pointers in child structures? I'm curious as the proxy structure is passed the input channel, but it doesn't know much else about the input client. Rather than pass additional information in the structure, I think it'd be better to just place a pointer back to the input client so we can access all its details.

I ask, as that might solve the problem of lack of information in logging from some of the various functions in the proxy code. I know I was limited in the quick patch I did below for my own use. I'm afraid to change it too much. You have already started xclient work in v2.2 which would necessitate a lot of changes to the lmtp/proxy code. I've actually debated backporting it to 2.1 for my own use. :)

Jack

On 10/15/2012 3:10 PM, Jack Bates wrote:
On 10/15/2012 2:07 PM, Jack Bates wrote:
On 10/12/2012 2:40 AM, Timo Sirainen wrote:

would probably complicate the code. I don't think this would be difficult to implement. Probably just a few lines of code. Yeah, could be useful.

If there's no argument over the last email, confirm and check this patch. It's not the overall logging I would like, but the lmtp code isn't as mature as pop3/imap and the proxy is a quick and dirty on the lmtp code. Both need a good revamp, preferably with x-session support and perhaps logging rip/lip similar to how we do pop3/imap logins. I think we should also work on adjusting all logging for services using x-session to also log the proxy ip. rip,lip,pip. As I get time I'll look at it.

This patch is just to keep us from having no useful logging in lmtp proxy. Based on lmtp pid, one can at least follow the connect, the proxy replies, and the disconnect of a session.

--- dovecot-2.1.10/src/lmtp/lmtp-proxy.c2012-10-12 19:46:49.688952484 + +++ dovecot-2.1.10/src/lmtp/lmtp-proxy.c-new2012-10-12 19:48:51.751932325 +
@@ -160,6 +160,8 @@ static bool lmtp_proxy_send_data_replies break; o_stream_send_str(proxy->client_output, t_strconcat(rcpt[i]->reply, "\r\n", NULL)); + i_info("proxy(%s): proxy host=%s: status=%s",rcpt[i]->address, + rcpt[i]->conn->set.host,rcpt[i]->reply); } o_stream_uncork(proxy->client_output); proxy->next_data_reply_idx = i;
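Review bot: the added i_info() call writes rcpt[i]->address and rcpt[i]->reply into the log as they are, and both strings originate on the other side of a network connection (the recipient given by the client and the reply line from the backend), so check that neither can carry control characters or line breaks at this point, or sanitize them before logging. Every reply is also logged at info level whether it is a success or a failure, which makes rejected or deferred deliveries hard to pick out; consider a different level or a separate field for non-2xx replies. The message still has no session or client identifier beyond the recipient, so correlating it with the connect and disconnect lines depends on the lmtp pid, as the description says. Style: "proxy(%s): proxy host=%s" repeats "proxy", and the argument list is missing spaces after the commas.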
Re: [Dovecot] Add S= to maildirfile
On 10/18/2012 11:22 AM, Robert Schetterer wrote:
On 18.10.2012 16:29, Alessio Cecchi wrote:

Hi, in some old Maildir/ I have files without the S= in the file name. Is it possible to add the size to the file name with some tools like doveadm? Are there other methods to update these files? Thanks

perhaps this helps for ideas http://wiki2.dovecot.org/HowTo/RefilterMail
perhaps you can use dsync also, but i am really not sure if this works http://wiki2.dovecot.org/Tools/Dsync
however it's easy to test

Dsync would be the best option, I believe. It should work moving from maildir to maildir, but if necessary, you could also convert it to another format and then put it back to maildir.

Jack
[Dovecot] BUG: mishandling of username if it's a keyword?
Dec 14 14:33:03 test2 dovecot: auth: Debug: auth client connected (pid=24143)
Dec 14 14:33:14 test2 dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=pop3#011secured#011session=D6dl6dDQdAAB#011lip=::1#011rip=::1#011lport=110#011rport=38004#011resp=
Dec 14 14:33:14 test2 dovecot: auth: Debug: static(home,::1,): lookup
Dec 14 14:33:14 test2 dovecot: auth: Debug: client passdb out: OK#0111#011user=home
Dec 14 14:33:14 test2 dovecot: auth: Debug: master in: REQUEST#0112033451009#01124143#0111#011243997dcca92c2dc1d1e401c78b4ea4f
Dec 14 14:33:14 test2 dovecot: auth: Debug: master userdb out: USER#0112033451009#011uid=503#011gid=503#011home=/nfs/maildir/vmail/home#011mail_location=maildir:~/Maildir
Dec 14 14:33:14 test2 dovecot: pop3-login: Login: user=, method=PLAIN, rip=::1, lip=::1, mpid=24145, secured, session=
Dec 14 14:33:14 test2 dovecot: pop3: Debug: Added userdb setting: mail_location=maildir:~/Maildir
Dec 14 14:33:14 test2 dovecot: pop3(uid=503): Error: user uid=503: Couldn't drop privileges: User is missing UID (see mail_uid setting)
Dec 14 14:33:14 test2 dovecot: pop3(uid=503): Error: Internal error occurred. Refer to server log for more information.

compared to:

Dec 14 14:37:25 test2 dovecot: pop3-login: Login: user=, method=PLAIN, rip=::1, lip=::1, mpid=24190, secured, session=<5Zdb+NDQdQAB>
Dec 14 14:37:25 test2 dovecot: pop3: Debug: Added userdb setting: mail_location=maildir:~/Maildir
Dec 14 14:37:25 test2 dovecot: pop3(home2): Debug: Effective uid=503, gid=503, home=/nfs/maildir/vmail/home2

userdb {
  args = uid=vmail gid=vmail home=/nfs/maildir/vmail/%u mail_location=maildir:~/Maildir
  driver = static
}

This was tested on a static passdb/userdb on a test server as well as production. version 2.1.10. When I have time, I'll dig into it myself after an upgrade to 2.1.12.

Jack
Re: [Dovecot] BUG: mishandling of username if it's a keyword?
Additional info by switching the home= and uid= settings in the config.

userdb {
  args = home=/nfs/maildir/vmail/%u uid=vmail gid=vmail mail_location=maildir:~/Maildir
  driver = static
}

We got the effective id, but then home was unset and the user became the home setting. lol

Dec 14 15:56:20 test2 dovecot: auth: Debug: master userdb out: USER#0112586836993#011home=/nfs/maildir/vmail/home#011uid=503#011gid=503#011mail_location=maildir:~/Maildir
Dec 14 15:56:20 test2 dovecot: pop3-login: Login: user=, method=PLAIN, rip=::1, lip=::1, mpid=24686, secured, session=
Dec 14 15:56:20 test2 dovecot: pop3: Debug: Added userdb setting: mail_location=maildir:~/Maildir
Dec 14 15:56:20 test2 dovecot: pop3(home=/nfs/maildir/vmail/home): Debug: Effective uid=503, gid=503, home=
Dec 14 15:56:20 test2 dovecot: pop3(home=/nfs/maildir/vmail/home): Debug: Namespace inbox: type=private, prefix=, sep=., inbox=yes, hidden=no, list=yes, subscriptions=yes location=maildir:~/Maildir
Dec 14 15:56:20 test2 dovecot: pop3(home=/nfs/maildir/vmail/home): Error: user home=/nfs/maildir/vmail/home: Initialization failed: Namespace '': Home directory not set for user. Can't expand ~/ for mail root dir in: ~/Maildir
Dec 14 15:56:20 test2 dovecot: pop3(home=/nfs/maildir/vmail/home): Error: Invalid user settings. Refer to server log for more information.

Jack
Re: [Dovecot] BUG: mishandling of username if it's a keyword?
Dec 14 14:33:14 test2 dovecot: auth: Debug: master userdb out: USER#0112033451009#011uid=503#011gid=503#011home=/nfs/maildir/vmail/home#011mail_location=maildir:~/Maildir
Dec 14 14:37:25 test2 dovecot: auth: Debug: master userdb out: USER#011477757441#011home2#011uid=503#011gid=503#011home=/nfs/maildir/vmail/home2#011mail_location=maildir:~/Maildir
Dec 14 15:44:23 test2 dovecot: auth: Debug: master userdb out: USER#0113466592257#011uid=503#011gid=503#011home=/nfs/maildir/vmail/home#011mail_location=maildir:~/Maildir

Looking at the proper home2 account, it appears that the username "home" is being left out. This is definitely an issue with auth userdb. This was on 2.1.12. I upgraded.

Jack

On 12/14/2012 10:00 AM, Jack Bates wrote:

Additional info by switching the home= and uid= settings in the config.

userdb {
  args = home=/nfs/maildir/vmail/%u uid=vmail gid=vmail mail_location=maildir:~/Maildir
  driver = static
}

We got the effective id, but then home was unset and the user became the home setting. lol
Re: [Dovecot] BUG: mishandling of username if it's a keyword?
It looks as if some things make extra passes. I'm still tracing it, but could we modify userdb_template_export to skip the user part? It's interesting as I noticed that user=%u in a static config still ends up having an issue, which implies it was processed twice (once to home, and again to mess up).

My problem is that I am moving an existing userbase and my user "home" isn't going to be happy to change. lol

I'll keep looking. I know it has to be treated carefully given that USER can be changed and it will affect all userdb types. Currently I'm testing with both ldap w/ prefetch and static userdb.

Jack

On 12/14/2012 12:29 PM, Timo Sirainen wrote:

Yes, it's a bug. Most importantly: I don't think this is a security hole, except maybe in some very specific installations. It only affects usernames that are the same as one of the "extra fields" in userdb. Such user needs to log in with a valid username and password before this happens.

What happens is that when userdb sets the extra field, it thinks it's replacing an existing field and removes the username. So the username gets replaced by the next field. This often does mean that the user can log in using a wrong username (e.g. user is "uid=1000"), but there's really no way to set that to any specific username. So users can't read each others' mails. But because the username is different from expected, it could cause some confusion.

I was also a bit worried that it still could allow users to create such accounts for some webmail providers, but pretty much all of them use user@domain style account names, and those aren't affected. So practically no possibility of this affecting anyone where admin doesn't explicitly create such account.

I'll get this fixed when I have a bit of time. The fix isn't as easy as I'd like and it affects a large part of the authentication..

On 14.12.2012, at 18.04, Jack Bates wrote:

Dec 14 14:33:14 test2 dovecot: auth: Debug: master userdb out: USER#0112033451009#011uid=503#011gid=503#011home=/nfs/maildir/vmail/home#011mail_location=maildir:~/Maildir
Dec 14 14:37:25 test2 dovecot: auth: Debug: master userdb out: USER#011477757441#011home2#011uid=503#011gid=503#011home=/nfs/maildir/vmail/home2#011mail_location=maildir:~/Maildir
Dec 14 15:44:23 test2 dovecot: auth: Debug: master userdb out: USER#0113466592257#011uid=503#011gid=503#011home=/nfs/maildir/vmail/home#011mail_location=maildir:~/Maildir

Looking at the proper home2 account, it appears that the username "home" is being left out. This is definitely an issue with auth userdb. This was on 2.1.12. I upgraded.

Jack

On 12/14/2012 10:00 AM, Jack Bates wrote:

Additional info by switching the home= and uid= settings in the config.

userdb {
  args = home=/nfs/maildir/vmail/%u uid=vmail gid=vmail mail_location=maildir:~/Maildir
  driver = static
}

We got the effective id, but then home was unset and the user became the home setting. lol
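A simplified model of the field replacement described in this thread, added here as an illustration; it is not Dovecot's source code. The struct, the function names and the `first` and `home_first` parameters are assumptions, and the uid, gid and home values are the ones shown in the logs above.

```c
#include <stdio.h>
#include <string.h>

#define MAX_FIELDS 8
#define FIELD_LEN  128

/* Simplified model (assumption, not Dovecot source) of a tab-separated
 * userdb reply: field 0 is the bare username, the rest are key=value. */
struct reply {
    char fields[MAX_FIELDS][FIELD_LEN];
    int count;
};

/* True if the field carries this key, as "key=value" or as a bare "key". */
static int field_has_key(const char *field, const char *key)
{
    size_t n = strlen(key);
    return strncmp(field, key, n) == 0 && (field[n] == '=' || field[n] == '\0');
}

/* Set key=value, replacing an earlier field with the same key.
 * first = 0 also searches the username slot (the behaviour in the logs);
 * first = 1 never treats the username as a replaceable field. */
static void reply_set(struct reply *r, int first, const char *key, const char *value)
{
    for (int i = first; i < r->count; i++) {
        if (!field_has_key(r->fields[i], key))
            continue;
        for (int j = i; j + 1 < r->count; j++)   /* drop field i */
            strcpy(r->fields[j], r->fields[j + 1]);
        r->count--;
        break;
    }
    if (r->count < MAX_FIELDS)
        snprintf(r->fields[r->count++], FIELD_LEN, "%s=%s", key, value);
}

/* Build the reply for `user` with the static userdb args from the thread
 * and return field 0, which the consumer reads as the username.
 * home_first selects the swapped argument order from the second message. */
static const char *effective_user(struct reply *r, const char *user, int first, int home_first)
{
    char home[64];
    snprintf(home, sizeof(home), "/nfs/maildir/vmail/%s", user);
    snprintf(r->fields[0], FIELD_LEN, "%s", user);
    r->count = 1;
    if (home_first)
        reply_set(r, first, "home", home);
    reply_set(r, first, "uid", "503");
    reply_set(r, first, "gid", "503");
    if (!home_first)
        reply_set(r, first, "home", home);
    reply_set(r, first, "mail_location", "maildir:~/Maildir");
    return r->fields[0];
}

int main(void)
{
    struct reply r;
    printf("search from 0, user home:  %s\n", effective_user(&r, "home", 0, 0));
    printf("search from 0, home first: %s\n", effective_user(&r, "home", 0, 1));
    printf("search from 0, user home2: %s\n", effective_user(&r, "home2", 0, 0));
    printf("search from 1, user home:  %s\n", effective_user(&r, "home", 1, 0));
    return 0;
}
```

With the search starting at slot 0 the model reproduces both log excerpts: the user becomes uid=503 in the first configuration and home=/nfs/maildir/vmail/home in the swapped one, while home2 is unaffected.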
Re: [Dovecot] Dovecot "sleep" for short snapshots
On 12/15/2012 1:52 AM, Peer Heinlein wrote:

Making consistent backups from Dovecot with mdbox requires a snapshotted filesystem with (at least) a short Downtime for Dovecot. I'd like to avoid killing several ten thousand IMAP-sessions for 60 seconds. Users don't like that... And the admin dislikes that too...

Are you sure it is necessary? I'm not very familiar with mdbox, but given the rundown on the wiki, it looks as though it should be very resilient to snapshots even mid-write. With fs-freeze and the nature of bulk writes, I suspect it should be fine. At worst, it might need to regain sanity off the backup indexes. Since file rewrites are done during the purge script, I'd definitely not do snapshots during the purge.

The last I checked, the fs-freeze api isn't complete. It would make more sense for dovecot to work with that structure once it is completed (allowing fs-freeze to inform dovecot that the fs will be freezing/unfreezing).

Jack