Re: Howto authenticate smartPhone via Active Directory
Hi, ldap_bind: Strong(er) authentication required (8) additional info: BindSimple: Transport encryption required. If you are using recent (4.7) samba, your problem could be that it requires ssl ldap by default, unless you configure ldap server require strong auth = no in smb.conf. MJ
send specific NDR message for users in certain OU
Hi, The question can perhaps be made more generic like this: Can dovecot generate a *specific* NDR (or an autoreply) for accounts that meet a specific criterium, such as: - user account was found under OU=to-delete,CN=company... contrary to the regular location CN=Users,CN=company... We would like to move to-be-deleted users to this container, before actually deleting them. That gives us an easy way to revert, if the deletion turns out to be erroneous. We could do that with via a sieve config for those accounts, but if dovecot could send a "delivery failure"-type specific for those accounts (with instructions who to contact to revert the situation) it would be very easy: only move the user to the specific OU, and have the system do the rest. Can this be done? (dovecot 2.1.17 on wheezy, yes we know we should upgrade, and we also will, but it runs rock solid...) MJ
Re: send specific NDR message for users in certain OU
Hi Tomas, Thanks for your reply. We are using postfix yes, thanks for the tip! MJ On 30-1-2018 14:27, Tomas Habarta wrote: That's something you probably want to do on the edge instead of message store, so a better place might be relocated_maps if you use Postfix. With that you can easily customize your ldap search base for accounts-to-be-deleted OU... T. On Mon, Jan 29, 2018 at 06:53:20PM +0100, lists wrote: Hi, The question can perhaps be made more generic like this: Can dovecot generate a *specific* NDR (or an autoreply) for accounts that meet a specific criterium, such as: - user account was found under OU=to-delete,CN=company... contrary to the regular location CN=Users,CN=company... We would like to move to-be-deleted users to this container, before actually deleting them. That gives us an easy way to revert, if the deletion turns out to be erroneous. We could do that with via a sieve config for those accounts, but if dovecot could send a "delivery failure"-type specific for those accounts (with instructions who to contact to revert the situation) it would be very easy: only move the user to the specific OU, and have the system do the rest. Can this be done? (dovecot 2.1.17 on wheezy, yes we know we should upgrade, and we also will, but it runs rock solid...) MJ
Re: I need some help with my Dovecot and Postfix configs - I'm unable to log in on my mail server
https://blog.andreev.it/?p=1975 I have set up postfix and dovecot on both centos and freebsd using this person's blog. While you are using Debian, you might find the test procedures in this blog useful. You can test the set up without using an email client. That is the testing gets around client configuration issues because no client is used in testing. This is a stick shift email installation. No fancy scripting. Every step is tested. You don't go to the next step until the one you are testing works. You can probably adapt this for Debian. Personally I would rather use centos for a server. It is drama free but never cutting edge. I like cutting edge on the desktop but not on the server. From: n...@bdevgw.de Sent: July 19, 2020 11:54 AM To: dovecot@dovecot.org Subject: Re: I need some help with my Dovecot and Postfix configs - I'm unable to log in on my mail server Autoconfiguration is fine, my problem is that once everything is (auto)configurated (correctly, checked this) that the server doesn't accept my login request. STARTTLS is correct, ports are correct etc. My mail is correct, my password is correct (tried with copy paste) and also with name as username and name@domain as well (name was also copy pasted). On 19/07/2020 12:43, Bernardo Reino wrote: On Sun, 19 Jul 2020, Nils wrote: This is what my server logs (mail.info, mail.warn) tell me: root@bgrsld-mail0:~# tail /var/log/mail.info Jul 17 18:22:08 bgrsld-mail0 postfix/submission/smtpd[8472]: improper command pipelining after EHLO from unknown[192.168.2.110]: QUIT\r\n Jul 17 18:22:08 bgrsld-mail0 postfix/submission/smtpd[8465]: disconnect from unknown[192.168.2.110] ehlo=1 quit=1 commands=2 [...] Thunderbird, for some reason, violates the SMTP standard when attempting autoconfiguration. It sends multiple commands ("pipelining") without postfix having announced that it's OK to do so.
You can either do the configuration manually (when Thunderbird fails, I think you can still go to "manual" or "advanced" or whatever button to continue with the configuration), or you could, at least temporarily, disable postscreen (which is the only complaining -- rightly -- about the improper pipelining), and then enable it again once you have configured your account. You can also read: https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration and set-up the necessary XML file at your server so that Thunderbird can pickup the settings automatically. I've done this for one server, but don't have the details anymore in my head. The link above should explain that all though. Good luck! Bernardo
Re: Feature request.
I have to say I'm totally baffled since I do nothing when LetsEncrypt renews the certificate. I know the cert has been updated because the mail clients asks me if I trust the certificate. If it makes a difference I use the bash LetsEncrypt not the Python code. Original Message From: r...@mrstuudio.ee Sent: October 9, 2020 1:55 AM To: dovecot@dovecot.org Subject: Re: Feature request. On 09/10/2020 11:50, Plutocrat wrote: > On 09/10/2020 4:16 pm, Rogier Wolff wrote: >> It turns out that dovecot had been running uninterrupted since august >> 13th, the certificate was renewed on september 7th and I suspect it >> expired on october 7th. > I guess you could do a few things yourself to make sure the cert is valid. > Thinking out loud: > > - Blunt instrument approach: Just restart/reload Dovecot once a week via a > cron job. Letsencrypt will renew certs with less than 15 days to go, so once > a week should catch it. If you're using Let's Encrypt, then at least the certbot client has renewal hooks that you can use to run dovecot reload etc. Good luck! Reio
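The failure mode discussed in this message (certificate renewed on disk while the running server keeps presenting the old one) can be detected by comparing fingerprints. This is an added example, not code from the thread or from Dovecot; the function names and the constructed sample certificates are assumptions, and the live fetch works for implicit-TLS ports such as 993, not STARTTLS.

```python
import base64
import hashlib
import re
import ssl
import sys

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def leaf_fingerprint(pem_text):
    """SHA-256 of the first certificate in a PEM text.

    A fullchain file holds leaf + intermediates; the leaf comes first,
    and the leaf is what the server presents to clients.
    """
    match = _PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate found")
    der = base64.b64decode("".join(match.group(1).split()))
    return hashlib.sha256(der).hexdigest()


def served_cert_is_stale(disk_pem, host, port=993,
                         fetch=ssl.get_server_certificate):
    """True when the running server presents a different leaf than the file.

    ssl.get_server_certificate does not validate the peer by default, so an
    already expired certificate is still retrieved and compared.
    `fetch` is injectable so the logic can be exercised offline.
    """
    served_pem = fetch((host, port))
    return leaf_fingerprint(served_pem) != leaf_fingerprint(disk_pem)


# Constructed sample data: arbitrary bytes wrapped as PEM, not real certificates.
OLD_LEAF = ssl.DER_cert_to_PEM_cert(b"constructed old leaf, still in memory")
NEW_LEAF = ssl.DER_cert_to_PEM_cert(b"constructed new leaf, renewed on disk")
ISSUER = ssl.DER_cert_to_PEM_cert(b"constructed intermediate")
FULLCHAIN_ON_DISK = NEW_LEAF + ISSUER

if __name__ == "__main__":
    # Usage: python3 check_cert.py /path/to/fullchain.pem mail.example.org
    path, host = sys.argv[1], sys.argv[2]
    with open(path, encoding="ascii") as handle:
        stale = served_cert_is_stale(handle.read(), host)
    print("stale: reload needed" if stale else "current")
    sys.exit(1 if stale else 0)
```

Run from cron or monitoring, a non-zero exit status signals that the renewal happened without the reload.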
Re: Feature request.
As it turns out my cert was renewed Oct 3. I usually don't reply to these "lists" from my phone since I risk the wrath of people who hate top posting. I usually reply from a Linux desktop, not the phone, where I can bottom post. All that said, my phone mail client asked me if I trusted the cert. It was the latest cert since it matches the date on my website. To be fair, I did a backup of the server on the 4th which involved a reboot, which would have loaded a new cert. But I can't possibly be that fortunate all the time. I need to look at that bash script that renews the cert. Maybe it forces a systemctl reload. I could never get that Python LetsEncrypt code to work on Centos. The LetsEncrypt forum suggested the bash script. https://github.com/acmesh-official/acme.sh From: r...@mrstuudio.ee Sent: October 9, 2020 2:57 AM To: dovecot@dovecot.org Subject: Re: Feature request. On 09/10/2020 12:52, lists wrote: I have to say I'm totally baffled since I do nothing when LetsEncrypt renews the certificate. I know the cert has been updated because the mail clients asks me if I trust the certificate. Curious. The mail clients really shouldn't ask anything when encountering a valid certificate. Are you sure the client isn't asking you to trust an expired certificate? Reio
Re: Looking for a guide to collect all e-mail from the ISP mail server
You need SPF and DKIM for your outgoing email to be accepted. My idea of a secure email server is to use submission port 587. Expose port 25 to the world and aggressively filter all remaining email ports with a firewall. And I mean aggressive. Geographically filter so only countries where your users reside can send and retrieve email. Block major hosting IP space. How many users will be on the system? If you can handle it, assign all the email passwords. This means you need to contact them out of band. I avoid cpanel or similar internet access to email settings. I use nothing but ssh to maintain my server. Original Message From: rdiezmail-2...@yahoo.de Sent: October 25, 2020 10:57 AM To: dovecot@dovecot.org Subject: Looking for a guide to collect all e-mail from the ISP mail server Hi all: I am evaluating mail server solutions for a small business. The trouble is, I am only a part-time admin and a newbie to mail servers. Most guides I have seen are rather unrealistic: they encourage you to expose your e-mail server to the Internet, and hope that you have the resources to keep it patched up. I would rather have an internal mail server that collects e-mails from a standard ISP mail server. It is like the old "POP3 Connector" that came with Microsoft Exchange. Sometimes, there is a mailbox per user on the ISP, and a corresponding one on the local server. Other times, there is a single "catch all" or "multidrop" mailbox on the ISP. Users can still access their internal mailboxes from outside through an OpenVPN connection. The goal is that only VPN, and perhaps SSH, are accessible from the outside. We do not need to arrange any special SMTP configuration with the ISP either. This kind of mail server setup is rather different to the standard configuration. You do not normally need your own antivirus and spam filter, and you do not need to configure SSL certificates, MX or SPF DNS records. Most ISP handle that correctly and economically.
Internal e-mail does not leave your LAN, and your internal SMTP server is just a relay for the external ISP SMTP server. Furthermore, most guides do not explain how to setup an autoresponder ("I am on holiday until xxx") so that users can enable theirs with the mouse. Editing configuration files over SSH is not really an option for normal users. This detail is important because it could be the only thing I need above standard e-mail. Further groupware features can be seen as nice but ultimately unnecessary luxury, and a basic shared calendar can be accomplished with a separate server like https://radicale.org/ and a calendar client like one built into Thunderbird. Hopefully, that is all I would need for a small business. Can anyone point me to the kind of guide I need? Failing that, I would need information or examples about using fetchmail, getmail or similar software with Dovecot. Good or bad experiences from you guys would also help. Each of those tools has a detailed man page, but there are many options and ways with different advantages and disadvantages. I would need a simpler guide to get started. I am aware that there are pre-packaged mail server solutions that would perhaps bring an easy-to-use autoresponder, but I haven't seen one yet that where you could tick a box like "this server is only internal and collects mail from the ISP server" during installation. Nor have I seen instructions about reconfiguring the mail server for my ISP mail scenario. I am prepared to learn more and write my own Perl scripts and/or installation guide, but it would be stupid to waste time if something easy already exists. After all, the setup I am describing (external ISP mail server + internal mail server) is not so weird. Thanks in advance, rdiez
Re: Looking for a guide to collect all e-mail from the ISP mail server
You look spammy if you don't have SPF or DKIM, and hopefully both. Your email will either be bounced or sent to a spam folder. You need a reverse pointer as well, but that shouldn't be an issue. The situation is actually worse than it sounds. ATT/SBC needs to whitelist you by IP if you are using a VPS. Spectrum/Charter just plain blocks many VPS with no recourse. Regarding geofencing, look back at my post. I leave port 25 open to the world. I can receive email from any country. Using submission port 587 means you can geofence from where your employee sends and receives email. It does not effect your customers since they use port 25. The reason I run my own email server is I got hacked when using a hosting service. The hacker used a vulnerability in RoundCube and could send email as me. My PayPal account password was then changed. The hacker was in Morocco. I'm sure Morocco is a fine country but I don't plan on visiting it and thus don't need to access my email from there. Note the hacker could have changed my email password too but didn't. To top it off, I don't even use RoundCube. Never use a browser for email. When I set up my own email / webserver I made it a point to not use any GUI control panel. If there is no hook to change a password from a control panel then it won't happen. You reduce the attack surface. All passwords are SHA512. You geofence all email ports except 25. I also have a VPS using openvpn but it is on a different IP. That is a tunnel out of it to use the internet. Now I think for what you want to do is to have openvpn show up as the local host. What you might want to do is join the postfix users group. I wouldn't bring up this kind of proxied email scheme you want to set up. Rather just ask if it is possible to set up postfix/dovecot so that the user who will always be on a VPN can send and receive email. That is I think it will boil down to permit local host and nothing else in certain places. There are guru status users there. 
One thing you will learn about email servers is there are many programs to chain together. However think of light bulbs in series. The more in the chain, the more likely it is to fail. I dropped SpamAssassin and amavisd due to poor reliability. That was when I used freeBSD. I now run centos but just don't bother with those extra programs. I use RBLs for spam blocking. I use my brain for antivirus. Antivirus isn't all that good anyway. The key with antivirus is at what point in time do they recognize the file is a virus. I send all my malware links to virus total.com and maybe two will recognize the link goes to malware. Original Message From: rdiezmail-2...@yahoo.de Sent: October 25, 2020 3:25 PM To: li...@lazygranch.com Cc: dovecot@dovecot.org Subject: Re: Looking for a guide to collect all e-mail from the ISP mail server > You need SPF and DKIM for your outgoing email to be accepted. > [...] I don't understand why that is the case (but keep in mind that I am a newbie). Is it not possible to set up some internal SMTP server that only relays the e-mails to the external ISP SMTP server? The internal SMTP server would then act like a normal user's Thunderbird. At first I thought that the internal SMTP server would need to know the password for each mailbox user. But then I asked, and the ISP SMTP server allegedly accepts any source e-mail address, as long as you are using one e-mail account that is valid in the domain. I wonder if that is standard practice. > My idea of a secure email server is to use submission port 587. > Expose port 25 to the world and aggressively filter all remaining > email ports with a firewall. And I mean aggressive. Geographically filter > so only countries where your users reside can send and retrieve email. > Block major hosting IP space. Geo blocking can be problematic. Depending on the small business, some customers and suppliers may sit in China or some other geographical area you would normally block.
I am too afraid, I would not expose any such port on the Internet. Who knows if the mail server stays months without an update. If I am to recommend or implement any such mail server solution to a small business, I would insist that the e-mail server is not exposed at all on the Internet. A web interface etc. is not a problem: I just connect with a VPN and bypass most external security issues. If you are the admin, you can also forward the web interface over an SSH connection. Best regards, rdiez
Re: SV: Looking for a guide to collect all e-mail from the ISP mail server
Good luck with all that coding. I have four years now of running my own email server. Zero hacks. I keep the attack surface to a minimum. Less is more. One thing you don't want to do is write your own code. This stuff is always way harder than you think. Worse yet you run alpha generation code because you are the only one using it. All software has bugs. What you need is a mass of users flogging the code and finding the bugs. Now if you do use a browser, you have to deal with leaks, bugs, possible process interaction if more than one tab is open, and possibly browser extensions hacks if extensions are used. Count me out. And did you miss the part where I was hacked via RoundCube? Original Message From: sebast...@sebbe.eu Sent: October 25, 2020 9:47 PM To: dovecot@dovecot.org Reply-to: dovecot@dovecot.org Subject: SV: Looking for a guide to collect all e-mail from the ISP mail server >>"Never use a browser for email." I don't agree. In fact, using a browser for email or atleast initial setup, is actually more secure. This because SMTP/IMAP clients normally don't support 2FA, so you would have to "hack" a solution to enable 2FA for email. This can be made in 2 ways: Either, you have a full fledged email setup. Whats important, is, to prevent auth-bypass holes, you remove the authentication in RoundCube or whatever webmail you use, and instead use a reverse-proxy or firewall authentication instead. Thus an unauthenticated user doesn't even touch RoundCube/webmail at all, but must authenticate at a prior stage. The second way, is to not have webmail at all, but instead have a authentication gateway in browser, where you must auth with 2FA and captcha. The only purpose of this gateway, is to authenticate users with 2FA before their IP is whitelisted. After this, you simply have a script, that upon valid login (with 2FA) in either webmail or auth gateway, you set the authorized IP of the user to this. 
Whats happen then, is that each account will have an authorized IP attached (you could limit it to the /24 to cater for mobile clients), and then login to that account, will only be accepted from that authorized IP. This then allows SMTP/IMAP usage from that IP. If you want to go even more secure, you could restrict the firewall to the list of all IPs that all users have dynamically, and then in the SMTP/IMAP server, lock down auth to the authorized IP of that particular user account only. Its very important, that upon authing with a incorrect IP, that the server responds in the same way as a invalid password was specified, in this way, if someone attempts to bruteforce the password, they will "miss" the correct password, if the server does not react differently to a correct password but invalid IP. Thus bots that bruteforce will not gain any success. All this can be combined with permanent whitelists and geoIP whitelists, to avoid users having to authenticate with 2FA for "trusted" locations. One example would be to have the local office as permanent whitelist, and also have it that any IP in the user's "home country" is permanently whitelisted for his account once the user authenticates with 2FA. Other IPs outside his home country, is then only whitelisted once, next 2FA login, the old whitelist is simply deleted.
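The per-account authorized-IP scheme quoted above depends on one property: a correct password from an unauthorized address must be indistinguishable, to the client, from a wrong password. The following is an added example, not code from the thread or from any mail server; the class, the reply strings and the /64 choice for IPv6 are assumptions, and all credentials and addresses are constructed.

```python
import hashlib
import hmac
import ipaddress
import os

FAIL_REPLY = "NO [AUTHENTICATIONFAILED] Authentication failed."
OK_REPLY = "OK Logged in."
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AccountStore:
    """Hypothetical in-memory store: password hash plus one authorized network."""

    def __init__(self):
        self._accounts = {}
        # Dummy record so that unknown users cost the same hashing work.
        self._dummy = {"salt": os.urandom(16), "hash": os.urandom(32), "net": None}

    def add(self, user, password):
        salt = os.urandom(16)
        self._accounts[user] = {
            "salt": salt, "hash": hash_password(password, salt), "net": None}

    def authorize_ip(self, user, client_ip):
        """Call only after a successful 2FA login; replaces the previous entry."""
        addr = ipaddress.ip_address(client_ip)
        prefix = 24 if addr.version == 4 else 64  # /64 for IPv6 is an assumption
        self._accounts[user]["net"] = ipaddress.ip_network(
            f"{addr}/{prefix}", strict=False)

    def login(self, user, password, client_ip):
        """Return (ok, reply_for_client, reason_for_server_log)."""
        record = self._accounts.get(user, self._dummy)
        # Evaluate every check; never return early on the first failure.
        pw_ok = hmac.compare_digest(
            hash_password(password, record["salt"]), record["hash"])
        net = record["net"]
        ip_ok = net is not None and ipaddress.ip_address(client_ip) in net
        known = record is not self._dummy
        if known and pw_ok and ip_ok:
            return True, OK_REPLY, "ok"
        if not known:
            reason = "unknown-user"
        elif not pw_ok:
            reason = "bad-password"
        else:
            # Worth alerting on: someone holds the right password.
            reason = "password-correct-ip-not-authorized"
        # The client sees one reply for every failure; only the log differs.
        return False, FAIL_REPLY, reason


def demo():
    store = AccountStore()
    store.add("alice", "correct horse")           # constructed credentials
    store.authorize_ip("alice", "203.0.113.57")   # after a 2FA login
    return [
        store.login("alice", "correct horse", "203.0.113.200"),  # same /24
        store.login("alice", "correct horse", "198.51.100.9"),   # wrong IP
        store.login("alice", "wrong", "203.0.113.57"),           # wrong password
        store.login("mallory", "x", "203.0.113.57"),             # unknown user
    ]
```

The server-side reason `password-correct-ip-not-authorized` is the one to alert on, since it means the password itself is known to someone outside the authorized network.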
Re: SV: Looking for a guide to collect all e-mail from the ISP mail server
I have no problems with Gmail from Digital Ocean. But I have both spf, DKIM, DMARC and a reverse pointer. You need to not look spammy. One advantage to using a VPS is your IP is unique. That is you don't share it with a spammer. Not so with hosted services. Original Message From: m.r...@f1-outsourcing.eu Sent: October 26, 2020 1:06 AM To: dovecot@dovecot.org; sebast...@sebbe.eu Subject: RE: SV: Looking for a guide to collect all e-mail from the ISP mail server > and also the problem is that gmail imposes heavy spam filters and "reputation blocks" > meaning smaller providers with low email volumes, are put in the spam folder, even if > they never send spam, just because their email volume is so low (ergo, they must > prove they don't spam before getting out of ispam folder) How do you know that?
Re: Looking for a guide to collect all e-mail from the ISP mail server
I have used this person's blog for a few operating systems. https://blog.andreev.it/?p=1975 Poke around for the correct OS. I only set up dovecot and postfix. Keep it simple. You then need opendkim. I think opendkim checks the incoming mail. There is another procedure to sign your mail. When you think it works, use https://dkimvalidator.com/ Also go to mxtools to verify you haven't created an open relay. Regarding LetsEncrypt, I use the bash script. https://github.com/acmesh-official/acme.sh This saves you Python headaches. Original Message From: michael.schumac...@pamas.de Sent: October 26, 2020 1:09 AM To: rdiezmail-2...@yahoo.de; p...@myzel.net Cc: dovecot@dovecot.org Subject: Re: Looking for a guide to collect all e-mail from the ISP mail server Hello R., Sunday, October 25, 2020, 11:12:48 PM, you wrote: RD> I was hoping that there would be a complete mail server setup RD> guide somewhere for this kind of setup. But I guess I'll have to piece all these RD> information snippets together. There are plenty of guides available. I don't know your mother tongue, but seeing your last name, I assume you may be speaking German. Take a look at these German language guides: https://www.it-management-kirchberger.at/manuals-tutorials/server-centos-7/postfix-mailserver-vimbadmin/postfix-amavisd-new-clamav-spamassassin.html https://www.dokuwiki.tachtler.net/doku.php https://dokuwiki.nausch.org/doku.php/centos:mail_c7:spam_6 I am sure others can provide other language guides as well. best regards --- Michael Schumacher
Re: SV: SV: Looking for a guide to collect all e-mail from the ISP mail server
Actually the reverse pointer doesn't have to match. In fact this is impossible if you are setting up virtual accounts on one server for different domains. You just need to have a reverse pointer. Most email servers look to seen if the reverse pointer has a "dyn" in it and blocks those. Original Message From: build+dove...@de-korte.org Sent: October 26, 2020 2:02 AM To: dovecot@dovecot.org Subject: Re: SV: SV: Looking for a guide to collect all e-mail from the ISP mail server Citeren Sebastian Nielsen : > Because when I email to friends that are using gmail, my mail ends up in > spam unless my friends put me in whitelist. Seems to vary however, and > seems to get better with time. In order to prevent ending up in spam in GMail, it is necessary to have working DKIM and/or SPF for your messages and forward- and reverse DNS records for your mailserver match.
Re: Looking for a guide to collect all e-mail from the ISP mail server
If you are using a "dot host" in your TLD you most certainly will be considered spam. Now I understand why you have Gmail problems. I have a number of TLDs I reject because they are known to be used by spammers. I never get listed as spam by Gmail. From: s...@ketola.io Sent: October 26, 2020 3:22 AM To: li...@lazygranch.com Cc: build+dove...@de-korte.org; dovecot@dovecot.org Subject: Re: Looking for a guide to collect all e-mail from the ISP mail server On 26. Oct 2020, at 11.36, lists <li...@lazygranch.com> wrote: Actually the reverse pointer doesn't have to match. In fact this is impossible if you are setting up virtual accounts on one server for different domains. You just need to have a reverse pointer. Most email servers look to see if the reverse pointer has a "dyn" in it and blocks those. Also your own email server is not behaving nicely: <li...@lazygranch.com>: host lazygranch.com[198.199.119.111] said: 500 5.7.1 <83-136-254-93.uk-lon1.upcloud.host[83.136.254.93]>: Client host rejected: eat a bag of dicks (in reply to RCPT TO command) and for that reason I have blacklisted you from any help requests. You may do the same whatever you are telling me to do. Sami
Re: SV: SV: Looking for a guide to collect all e-mail from the ISP mail server
As I previously stated the reverse pointer does not have to match your domain. Suppose you ran a hosting company called host.com. Suppose you had clients client1.com and client2.com. This requires virtual mailboxes. That is one domain, host.com provides email services for client1.com and client2.com. Most servers would just have a reverse pointer to host.com. Original Message From: m.r...@f1-outsourcing.eu Sent: October 26, 2020 7:04 AM To: build+dove...@de-korte.org; dovecot@dovecot.org Subject: RE: SV: SV: Looking for a guide to collect all e-mail from the ISP mail server > and forward- and reverse DNS records for your mailserver match. do even googles ips confirm to this standard?
Re: Looking for a guide to collect all e-mail from the ISP mail server
I assure you each IP address has only one reverse pointer at Digital Ocean. I know this because I set up the reverse pointer myself. Original Message From: m.r...@f1-outsourcing.eu Sent: October 26, 2020 4:41 AM To: li...@lazygranch.com; s...@ketola.io Cc: build+dove...@de-korte.org; dovecot@dovecot.org Subject: RE: Looking for a guide to collect all e-mail from the ISP mail server you should ask your ip provider to set a proper reverse lookup for you. If I would get a lot of spam from upcloud.host ips, I would also consider blocking upcloud.host reverse dns lookups. If it is your ip, it is an easy request to have it changed. -Original Message- From: Sami Ketola [mailto:s...@ketola.io] Sent: Monday, October 26, 2020 11:22 AM To: lists Cc: Arjen de Korte; Dovecot Mailing List Subject: Re: Looking for a guide to collect all e-mail from the ISP mail server On 26. Oct 2020, at 11.36, lists wrote: Actually the reverse pointer doesn't have to match. In fact this is impossible if you are setting up virtual accounts on one server for different domains. You just need to have a reverse pointer. Most email servers look to seen if the reverse pointer has a "dyn" in it and blocks those. Also your own email server is not behaving nicely: : host lazygranch.com[198.199.119.111] said: 500 5.7.1 <83-136-254-93.uk-lon1.upcloud.host[83.136.254.93]>: Client host rejected: eat a bag of dicks (in reply to RCPT TO command) and for that reason I have blacklisted you from any help requests. You may do the same whatever you are telling me to do. Sami
Re: Looking for a guide to collect all e-mail from the ISP mail server
Ditto this. I pay for a VPS because I don't want my home facing the internet. If the VPS gets hacked, that is as far as they get. You could do a mail server on a $5 Digital Ocean or Linode VPS if you don't run SpamAssassin. Rather than have your email server on a 10 year old laptop, you let someone else maintain the hardware. You can and should image your VPS or pay for imaging. I do both. My pipe to the outside world is around 800mbps. I couldn't do that at home. I don't have to worry about leaving a computer running while on vacation. Should the OP want to join the real world, here again is the guide I use. I like this person's approach because you can test each step. The maintenance is gui free. From start to finish figure on three hours. That includes setting up the VPS, spf, and DKIM. I strongly encourage Centos. I don't use it at home, but it is great for a server. It is a long term disty. I should point out for ease of maintenance, use packaged software. You don't want to be compiling code for updates. Stick with IPV4. I have used this person's blog for a few operating systems. https://blog.andreev.it/?p=1975 Poke around for the correct OS. I only set up dovecot and postfix. Keep it simple. You then need opendkim. I think opendkim checks the incoming mail. There is another procedure to sign your mail. When you think it works, use https://dkimvalidator.com/ Also go to mxtools to verify you haven't created an open relay. Regarding LetsEncrypt, I use the bash script. https://github.com/acmesh-official/acme.sh This saves you Python headaches. From: gr...@sloop.net Sent: October 26, 2020 6:01 PM To: dovecot@dovecot.org Reply-to: gr...@sloop.net; dovecot@dovecot.org Subject: Re: Looking for a guide to collect all e-mail from the ISP mail server The reason there's no pretty complete how-to is because what you're doing seems completely insane to the vast majority of people who'd look at your problem and select your way of approaching solving it.
Yeah, you can also host your own website off of a DSL line, using a rasp-pi connected via a ham data relay which is faxing pages back and forth over a couple of soup-cans and string - etc, etc, etc. While I get, at least in principle, why you want to do it your way - you've selected a particularly painful, and super time-expensive way, IMO. A VPS for like $10 a month would do everything you want to do. Run Ubuntu on it, and allow Ubuntu to do security updates and restarts and you'll almost certainly be fine. If you want, get a fully managed VPS for a little more, and they'll do all that for you. Or, one of a hundred other ways to accomplish handling mail - but you've picked one of the oddest, most difficult ways...and then "complain" that there's no examples. Yeah, 'cause no-one wants to do it your way because it's crazy. Sorry dude - I kinda get it, but no, I'd never pick your way of doing it, and I'm not surprised that there's almost no one who has cranked a complete example of it either. Not trying to make fun of you, but dang, the time wasted in this thread could probably have paid for 5 years of hosted mailcow. Cheers! Do have fun. -Greg >> 2. install and configure OfflineIMAP to synchronize the IMAP folders between your ISP IMAP server and your Dovecot server; see for example >> http://www.offlineimap.org/doc/quick_start.html RD> OfflineIMAP is not the way to go. Many ISPs have very low size RD> limits for the mailbox sizes. The one I am looking at right now does have this problem RD> (unless you pay extra). RD> From what I have gathered now, your hints about Postfix and RD> fetchmail are correct. The trouble is that those doc pages are not real-life, complete RD> examples with Dovecot of the two possible ways: 1) RD> multidrop/catch all, and 2) one mailbox per user. RD> Yes, I should be able to piece it all together. I will probably RD> try. I just find it surprising that there is no such a complete guide yet.
Because I RD> am sure that there are a few gotchas along the way. >> see >> https://blog.sys4.de/abholdienst-fur-mail-de.html RD> Yes, getmail is an alternative, and that looks like a good way RD> too. But it's the same problem: the article is not complete. It states "how you could RD> arrange it". It would be nice that you did not have to manually RD> write a getmail config file per user. And an example for multidrop is missing. There RD> is a note at the end that you should carefully plan the transport RD> ways, but I wouldn't know yet what to do in that respect. RD> It's just not a guide that I can follow from top to bottom to get RD> a first working mail server to play with. That makes it pretty hard for me at this RD> time. I will n
Re: SV: Looking for a guide to collect all e-mail from the ISP mail server
I would have to also hack the email client since I don't enter my 20 character high entropy password when I send or retrieve email. You really need an email standard to integrate TOTP. To be realistic, you need Gmail to use it. Whatever Gmail wants is essentially a defacto standard. I live in the real world, so whatever Google wants, I comply. Original Message From: jtam.h...@gmail.com Sent: October 27, 2020 3:57 PM To: dovecot@dovecot.org Subject: Re: SV: Looking for a guide to collect all e-mail from the ISP mail server On Tue, 27 Oct 2020, Sebastian Nielsen wrote: > Kind of stupid that there doesn't exist some common standard for 2FA that > works in email clients. You can bodge it for HOTP/TOTP hardware token generators. Dovecot allows custom plugins to check passwords. The plugin can take passwords of the form {password}+{2fa-token}, then split each part to check against authentication systems to check validity. Joseph Tam
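The {password}+{2fa-token} split suggested in the quoted message can be sketched as follows. This is an added example and not a Dovecot plugin or code from the thread: the function names, the six-digit token length, the drift window and the replay tracking are assumptions, and the password check is a constructed stand-in for whatever backend a real deployment uses.

```python
import hashlib
import hmac
import struct

STEP = 30      # seconds per TOTP time step (RFC 6238 default)
DIGITS = 6     # assumed token length


def hotp(secret, counter):
    """RFC 4226 HOTP value for one counter; TOTP uses counter = time // STEP."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def split_credential(combined):
    """Split 'password+token' on the LAST '+', so passwords may contain '+'."""
    password, sep, token = combined.rpartition("+")
    if not sep or len(token) != DIGITS:
        return None
    if not (token.isascii() and token.isdigit()):
        return None
    return password, token


def verify(combined, check_password, secret, now, last_step=-1, window=1):
    """Return (ok, last_accepted_step).

    Both factors are always evaluated. A token is accepted within +/- `window`
    time steps of `now`, and only for a step newer than `last_step`, so a
    captured password+token string cannot be replayed.
    """
    parts = split_credential(combined)
    if parts is None:
        return False, last_step
    password, token = parts
    pw_ok = bool(check_password(password))
    current = int(now) // STEP
    matched = None
    for step in range(max(0, current - window), current + window + 1):
        same = hmac.compare_digest(hotp(secret, step), token)
        if same and step > last_step:
            matched = step
    if pw_ok and matched is not None:
        return True, matched
    return False, last_step


# Constructed sample data: the RFC 6238 test secret and a made-up password.
RFC_SECRET = b"12345678901234567890"


def sample_check_password(password):
    # Stand-in for the real password backend (assumption).
    return hmac.compare_digest(password.encode(), b"pa+ss")
```

The caller has to persist the returned step per account; without that, the replay check has nothing to compare against.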
Re: SV: SV: Looking for a guide to collect all e-mail from the ISP mail server
And which email clients can do this? A de facto standard needs to be adopted. If I don't provide SPF or DKIM, I am likely to be deemed spammy, hence a de facto standard has been established. I don't see this with TOTP. I'm all for TOTP, but I'm not going to code my own.

Original Message
From: sebast...@sebbe.eu
Sent: October 27, 2020 5:56 PM
To: dovecot@dovecot.org
Reply-to: dovecot@dovecot.org
Subject: SV: SV: Looking for a guide to collect all e-mail from the ISP mail server

>>Whatever Gmail wants is essentially a de facto standard.

Gmail have solved it with an OAuth authorization scheme. Basically, first time setting up mail, you are asked to authenticate by 2FA in a webview, then a shared secret is established, that is used during SMTP and IMAP time. Both Hotmail and Gmail are using this hackish webview solution for Outlook integration (and integration in some other email clients). That's why Google and Microsoft have their own buttons inside Outlook and some other mail clients.
Re: Delivering locally through the Submission Server
It would be worth a $5 VPS investment to set up a proper email server with dovecot and postfix. Observe how they work together. Use maximum verbosity and read the logs. You can use one of those cheap TLDs nobody but the spammers use. They cost a dollar or so. Namecheap is peddling cyou. Original Message From: rdiezmail-2...@yahoo.de Sent: November 2, 2020 12:33 PM To: j...@voipsupport.it Cc: dovecot@dovecot.org Subject: Re: Delivering locally through the Submission Server > what should it do with the non local messages or local messages directly > at aliases? OK, so I gather that the Submission Server cannot do that (yet). My suggestion for a future version would then be: How about running dovecot-lda, if the user happens to be local, or a local alias? Or at least provide some sort of pattern matching: anything matching *@example.com , pass the message to dovecot-lda . It feels strange that a plug-in accessing the local user database for authentication purposes, and running on the same Dovecot server instance, needs to use an MTA to deliver a local message, it is like going out to come back in again. But I do not know much about mail servers yet. Have I missed some important concept here that makes this idea silly indeed? Regards, rdiez
Re: How do Cerbot files map to Dovecot?
https://github.com/acmesh-official/acme.sh I used the Neilpang bash script on Centos 7. No drama. It just works. The only thing is because it works so well I am pretty much useless to provide help with it because it has been so flawless. The only way I know it is running is I have to accept new certs on my mail clients. There is a mod to the script I added to restart dovecot to enable the new cert to be used. It may be stock now. Original Message From: m...@tdiehl.org Sent: November 12, 2020 12:28 PM To: raym...@forcewise.com Reply-to: m...@tdiehl.org Cc: dovecot@dovecot.org Subject: Re: How do Cerbot files map to Dovecot? On Thu, 12 Nov 2020, Raymond Herrera wrote: > I am postponing the Apache plugin issue (CentOS is not Certbot friendly) and For the record, certbot works just fine on CentOS. It just requires that you understand how things work. :-) The plugin which you seek is called python2-certbot-apache.noarch. You can see all of the available plugins on CentOS 7 by running the following: yum list \*certbot\* In addition there are MANY other packages available for generating LE certs. Most are not included in CentOS or EPEL. Some are easier to configure some not so much. It really depends on your requirements and skill level. > requesting a standalone, generic certificate. After the command "1: Spin up a > temporary webserver" I have the following 2 files in the folder > /etc/letsencrypt: > > -rw-r--r-- 1 root root 924 Nov 12 11:14 csr/_csr-certbot.pem > -rw--- 1 root root 1708 Nov 12 11:14 keys/_key-certbot.pem > > The "key" is probably a direct replacement for the file in the distribution. > What about the "csr" file? It seems to be a request, not the certificate > itself. You have something mis-configured or something is running on port 80 when Certbot is trying to install a tmp web server on port 80. What is mis-configured or what is running on port 80, I cannot tell with the information you have provided. 
I can tell you I have been running Certbot for the last 3 or 4 years without issue on various CentOS systems I maintain. In addition, I suspect this whole thread is off topic for the Dovecot list. If you want further help, I suggest asking on the CentOS list. Regards, -- Tom m...@tdiehl.org
Re: important message
I get about four of those a day. I was advised to learn how to use sieve. It is on my list. My goal is simply to dump any message with a Google form.

Original Message
From: jtam.h...@gmail.com
Sent: December 11, 2020 2:35 PM
To: dovecot@dovecot.org
Subject: Re: important message

On Thu, 10 Dec 2020, Aki Tuomi wrote:
> Hi everyone, sorry about this, this email was accidentally approved.
> We will be more careful next time.

If you're wondering what this is all about, I believe spammers have lately found a way to subvert a Google Forms feature and have been hammering it to piggyback spam:
https://security.stackexchange.com/questions/241263/how-is-it-possible-that-this-spam-mail-came-from-google-forms-without-revealing

Blocking mail from @trix.bounces.google.com will squelch them, but may also block legitimate response receipts.

Joseph Tam
Re: migration from 2.0.16
I have found opensuse to be very stable and the upgrades to be drama free IF (big if) you stick to the distribution repositories. For a server, sticking to the disty repos is very likely. It is desktop users (me) that load a lot of software from other repos that occasionally muck things up. I run centos 7 on my servers and opensuse on the desktop. They are very similar. I always have trouble when I have to use Debian, which these days is only on a R Pi. Opensuse can use three different package managers, one of which being yum. Original Message From: barb...@rfx.it Sent: December 17, 2020 6:57 AM To: dovecot@dovecot.org Subject: RE: migration from 2.0.16 On Thu, 17 Dec 2020, Marc Roos wrote: > I would not choose centos 8 it has EOL < than centos7. IBM is pulling > the plug on the centos distribution, and makes it more or less a beta > for the rhel. Thus centos7 and then you have a few years to decide what > to choose. Enough to go to full containerized eg. ;) We own the servers and use CT (LXC). The IBM move is clear, but going to C7 today seems to me not a good choice. It is in its descending stage and in a couple of years packages are going to became very outdated. If RH8 remain "open source" I suppose the community or some interested medium level company that use CentOS for their business can became a new CentOS and switch to a different named distro is supposed to be only a question of replace repositories. That seems to me a smoother path (IMHO). Debian 10 is EOL on 2022 Ubuntu LTS seems a solution, but I hadn't ever used it (I may be wrong, but in the past Canonical don't inspire me to much trust). Other options (not too "exotic")? > You do not need to rsync, dovecot can sync messages. I am just in the > process of migrating a server from a different network to a different > mailbox format. > > My approach was to create an 'archive' namespace on shared slower but > distributed storage so I do not have to move to much data. 
I am studying the situation, but there are many variables and the old age of the source server probably make it more complex. And I am not a dovecot expert ... Thanks, B.
Where is dovemon
Hello,

I found this link in the documentation:
https://doc.dovecot.org/configuration_manual/dovemon/

But where can I find the program "dovemon"? I searched all over without luck. In the source code, Google, nothing. It seems as only the web site would exist.

Can somebody help me please

Christian Rößner
--
Rößner-Network-Solutions
Certified ITSiBe / CISO
Karl-Bröger-Str. 10, 36304 Alsfeld
Fax: +49 6631 78823409, Mobile: +49 171 9905345
VAT ID no.: DE225643613, https://roessner.website
PGP fingerprint: 658D 1342 B762 F484 2DDF 1E88 38A5 4346 D727 94E5
Re: disable pop3 ports?
Don't enable the port in the firewall. Actually two ports (encrypted and not). 110 and 995. Original Message From: d...@newideatest.site Sent: May 4, 2021 1:20 AM To: m...@f1-outsourcing.eu; dovecot@dovecot.org Subject: Re: disable pop3 ports? Already did all of that. like I said, EVERY instance of pop3 in the entire config set is commented out. On 5/4/2021 1:12 AM, Marc wrote: > maybe remove pop3 from protocols, remove service pop3-login, service pop3? > >> I admit I don't quite understand dovecot's config yet, but this is >> driving me batty. I was looking at my server and noticed that dovecot >> was listening on the pop3 ports (110/TCP). Since I do not use pop3 at >> all, nor does anyone who has ever or ever will connect to the server, >> that seems like a needless waste. So I went through the config files and >> commented out every reference to pop3 in them. But when I restart >> dovecot, it STILL opens a listener on 110. How do I fix this? The ONLY >> external ports I want dovecot listening to are imap4 and imap4s. >> >> Thanks! >> -- Dan Egli From my Test Server
Re: disable pop3 ports?
I meant in the firewall itself. Usually when you set up a server none of the ports are open in the firewall. At some point you opened 110 and 995.

Original Message
From: d...@newideatest.site
Sent: May 4, 2021 2:41 AM
To: dovecot@dovecot.org; ml+dove...@valo.at
Subject: Re: disable pop3 ports?

On 5/4/2021 3:18 AM, Christian Kivalo wrote:
>
> On 2021-05-04 10:29, Dan Egli wrote:
>> For gentoo, there is only one package. And here's your output:
>>
>> # 2.3.13 (89f716dc2): /etc/dovecot/dovecot.conf
>> # Pigeonhole version 0.5.13 (cdd19fe3)
>> # OS: Linux 5.11.16-gentoo-x86_64 x86_64 Gentoo Base System release 2.7 xfs
>> # Hostname: jupiter.newideatest.site
>>
>> and yet if I do doveconf protocols:
>> # doveconf protocols
>> protocols = imap pop3 lmtp
>
> In dovecot.conf i have a line that enables the protocols.
>
> # Enable installed protocols
> !include_try /usr/share/dovecot/protocols.d/*.protocol
>
> This is on debian where every protocol is a separate package to install.
> This could also just be:
> protocols = imap lmtp pop3
>
> Remove pop3 from there and you should be good. You can even have the
> config in place.
>
> The other option to disable the pop3 listeners is to set the port = 0
>
> From 10-master.conf (when using split config files)
> service pop3-login {
>   inet_listener pop3 {
>     port = 0
>   }
>   inet_listener pop3s {
>     port = 0
>     ssl = yes
>   }
> }
>
> This disables pop3 listeners even when the pop3 protocol is enabled.
>

I would have thought that commenting them out would do that too. But I can uncomment them and add a port = 0, see if that helps.

-- Dan Egli From my Test Server
Re: disable pop3 ports? (success)
This has been a long thread. In summary, do this:

From 10-master.conf (when using split config files)

    service pop3-login {
      inet_listener pop3 {
        port = 0
      }
      inet_listener pop3s {
        port = 0
        ssl = yes
      }
    }

This disables pop3 listeners even when the pop3 protocol is enabled.

- Regarding protection from the local host, if they can get on your system then they will just attack imap. But I suppose this port=0 thing is still a good idea since it reduces the attack surface. I see no disadvantage.

Original Message
From: d...@newideatest.site
Sent: May 4, 2021 12:35 PM
To: dovecot@dovecot.org
Subject: Re: disable pop3 ports? (success)

Changing the ports to = 0 did the trick. Nothing is listening on or 995 now. Thanks for your help, all!

-- Dan Egli From my Test Server
Re: Sv: function for whitelisting IPs
I run a personal email server. I can't emphasize enough how geofencing has reduced the useless hacking on my email server. I only leave port 25 open to the world. I use port 587. I maintain a list of hosting companies that I block from using my web server since they are just going to scrape anyway. I also keep that IP space off of my email other than port 25.

Firewalls use memory but tend to be very light on the CPU other than when you first start up the firewall. I assume they take the deny list and create a table in RAM to efficiently block IPs. I have found that dynamic IP blocking programs such as sshguard or fail2ban are a CPU burden since that table needs to be refreshed as new IPs are added or removed so I have stopped using them. Not that the programs themselves are CPU intensive, but they cause the firewall to be CPU intensive. I am considering using sshguard again but with a very high threshold to add an IP to the deny list.

Regarding attempts to add 2FA by using RoundCube or similar web based email, I think those programs just increase the attack surface. When I used a hosting service I was hacked by an unpatched exploit in RoundCube.

Original Message
From: sebast...@sebbe.eu
Sent: July 15, 2021 3:55 AM
To: dovecot@dovecot.org
Reply-to: dovecot@dovecot.org
Subject: Sv: function for whitelisting IPs

Most such functions would need to be custom. You need to write a custom login script, which also accepts the user's IP as input to a function, which then checks if password is right. And then it returns that password is invalid if IP isn't approved. Then you just need to write some custom functions in roundcube or similar to have the webmail insert the IP into a database. Or just match it against a GeoIP database and save the latest country the webmail was logged in from, and then SMTP/IMAP is only approved for that country. That reduces the attack surface greatly.

-Original Message-
From: dovecot-boun...@dovecot.org On behalf of White, Daniel E. (GSFC-770.0)[NICS]
Sent: July 15, 2021 12:21
To: Dovecot Mailing List
Subject: function for whitelisting IPs

Sebastian, Do you have any examples of such a function and how/where it is used ?

-Original Message-
From: dovecot on behalf of Sebastian
Reply-To: Dovecot Mailing List
Date: Thursday, July 15, 2021 at 01:19
To: 'Mailing List'
Subject: [EXTERNAL] Sv: 2FA/MFA with IMAP & postfix/submission

Main problem is that not many clients do natively support multifactor. Some clients, do popup a login dialog if the server rejects the password as invalid, which can be used to create a "cheaty variant" of multifactor, but some clients just popup an error dialog and tell the user to just correct password in settings. Some clients even go as long as requiring the user to delete the account with wrong password and set up a new connection. So no, it cannot be relied upon.

I have a better idea: Have a function for whitelisting IPs, possible /24's or similar, where a login to roundcube or other webmail client (with 2FA) will add the IP onto a whitelist for that account. Or perhaps, just "set" the country of the account based on GeoIP. When an account tries to login via IMAP or SMTP, you just check if IP and/or GeoIP country is right, and reject the login as invalid if so not. The only thing a client needs to do to get his IMAP or SMTP client to work again if it stops working, is to login once via the web client.

-Original Message-
From: dovecot-boun...@dovecot.org On behalf of Alex
Sent: July 15, 2021 02:10
To: dovecot@dovecot.org
Subject: 2FA/MFA with IMAP & postfix/submission

Hi, I have a dovecot-2.3.13 system on fedora34 with a few hundred IMAP4 accounts, as well as postfix users using submission. Clients are using primarily Outlook on Windows and old squirrelmail. Are there multi-factor options available? If it is not available, do you have any recommendations on where I should look to do this? All of the links related to this topic appear to be very old, or limited to Linux PAM users.
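The function Sebastian outlines and Daniel asks about, as an added example that is not code from the thread, from Dovecot or from Roundcube: the webmail side records the client's /24 after a 2FA login, and the IMAP/SMTP password check consults that record and gives the same answer for a bad password and an unapproved address. `Allowlist`, `check_login`, the 30-day lifetime, the /64 choice for IPv6 and the sample account are assumptions.

```python
import hashlib
import hmac
import ipaddress
import time

# Hypothetical names throughout: Allowlist, check_login and USERS are
# illustrations, not Dovecot or Roundcube APIs.


def normalise(ip):
    """Parse an address; fold IPv4-mapped IPv6 (::ffff:a.b.c.d) to IPv4."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr


class Allowlist:
    """Per-account networks recorded after a 2FA-protected webmail login."""

    def __init__(self, ttl=30 * 24 * 3600):  # assumed 30-day lifetime
        self.ttl = ttl
        self._entries = {}  # user -> {network: expiry timestamp}

    def approve(self, user, ip, now=None):
        """Webmail side: remember the client's /24 (or /64 for IPv6)."""
        now = time.time() if now is None else now
        addr = normalise(ip)
        prefix = 24 if addr.version == 4 else 64
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        self._entries.setdefault(user, {})[net] = now + self.ttl
        return net

    def is_allowed(self, user, ip, now=None):
        """IMAP/SMTP side: is this client inside a still-valid network?"""
        now = time.time() if now is None else now
        try:
            addr = normalise(ip)
        except ValueError:
            return False  # unparsable address: fail closed
        nets = self._entries.get(user, {})
        for net in [n for n, expiry in nets.items() if expiry <= now]:
            del nets[net]  # purge expired approvals
        return any(net.version == addr.version and addr in net for net in nets)


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample account.
SALT = bytes(range(16))
USERS = {"alice": (SALT, hash_password("correct horse", SALT))}


def check_login(users, allowlist, user, password, ip, now=None):
    """True only if the password AND the source network are both acceptable.
    The caller reports every failure as 'invalid password', so a client
    cannot tell which of the two checks rejected it."""
    salt, stored = users.get(user, (b"\0" * 16, b"\0" * 32))
    pw_ok = hmac.compare_digest(hash_password(password, salt), stored)
    ip_ok = allowlist.is_allowed(user, ip, now)  # evaluated even if pw fails
    return pw_ok and ip_ok
```

The expiry makes a stale approval fall away on its own, so a user who stops logging in through the web client has to repeat the 2FA step rather than keeping a network open indefinitely.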
Re: Sv: Sv: function for whitelisting IPs
You can get away with a lot for a personal server that wouldn't be acceptable for a general purpose email server such as the need to move the fence. In my case, I don't allow anything on the email server to be altered with a browser interface. It is either ssh or nothing. Browsers get more complicated as time goes on and security is inversely related to complexity. I use MUAs for all my email. Less is more.

I totally get why 2FA is useful. But if you are practicing good security hygiene, the advantage is less than you think. All my passwords are 20 characters randomly generated and unique for everything, not just email. So there is no risk from password reuse. 2FA is really only useful if your personal devices have been breached and the plain text passwords are exposed. So to be totally effective the 2FA should come from a hardware device like a Yubikey or similar.

What I have done is to use the 2FA with financial institutions. So I block the hackers where it matters. I can't stop attempts at my accounts being spoofed, but I can stop the hackers where it matters. Use DKIM and hope those getting your email check it.

But if there was a friction free means of adding 2FA to email, I would do it. But it would have to be in the MUA and be supported by postfix and dovecot. The OTP code is done. I have played with FreeOTP and associated Linux program to recognize the token. (Name escapes me.) You just need everyone to agree on how to glue it all together.

Original Message
From: sebast...@sebbe.eu
Sent: July 15, 2021 11:26 AM
To: dovecot@dovecot.org
Reply-to: dovecot@dovecot.org
Subject: Sv: Sv: function for whitelisting IPs

Yeah the idea was to use roundcube or other web service to add kind of "auth service" or "unlock service" where you can auth with 2FA to move the geofence or permit additional IPs in geofence. For example, if you are travelling or otherwise need to enable your account for a "outsider IP". This could be a simple webpage asking for username and 2FA code, and all it does it adds the IP to auth list. But could be a full roundcube or other webmail solution too, to give more usefulness to the web login solution if you don't have a imap/smtp client for now.

I don't use 587 myself, but instead, I have set so auth is only permitted on port 25 for authorized IPs (auth_advertise_hosts in exim), thus the server will refuse to allow outsiders to authenticate. In combination with some other policies, my server is practically rock solid.

-Original Message-
From: dovecot-boun...@dovecot.org On behalf of lists
Sent: July 15, 2021 20:09
To: 'Mailing List'
Subject: Re: Sv: function for whitelisting IPs

I run a personal email server. I can't emphasize enough how geofencing has reduced the useless hacking on my email server. I only leave port 25 open to the world. I use port 587. I maintain a list of hosting companies that I block from using my web server since they are just going to scrape anyway. I also keep that IP space off of my email other than port 25.

Firewalls use memory but tend to be very light on the CPU other than when you first start up the firewall. I assume they take the deny list and create a table in RAM to efficiently block IPs. I have found that dynamic IP blocking programs such as sshguard or fail2ban are a CPU burden since that table needs to be refreshed as new IPs are added or removed so I have stopped using them. Not that the programs themselves are CPU intensive, but they cause the firewall to be CPU intensive. I am considering using sshguard again but with a very high threshold to add an IP to the deny list.

Regarding attempts to add 2FA by using RoundCube or similar web based email, I think those programs just increase the attack surface. When I used a hosting service I was hacked by an unpatched exploit in RoundCube.

Original Message
From: sebast...@sebbe.eu
Sent: July 15, 2021 3:55 AM
To: dovecot@dovecot.org
Reply-to: dovecot@dovecot.org
Subject: Sv: function for whitelisting IPs

Most such functions would need to be custom. You need to write a custom login script, which also accepts the user's IP as input to a function, which then checks if password is right. And then it returns that password is invalid if IP isn't approved. Then you just need to write some custom functions in roundcube or similar to have the webmail insert the IP into a database. Or just match it against a GeoIP database and save the latest country the webmail was logged in from, and then SMTP/IMAP is only approved for that country. That reduces the attack surface greatly.

-Original Message-
From: dovecot-boun...@dovecot.org On behalf of White, Daniel E. (GSFC-770.0)[NICS]
Sent: July 15, 2021 12:21
To: Dovecot Mailing List
Subject: function for whitelisting IPs

Sebastian, Do you have any examples of such a fu
Re: Dovecot v2.3.17 released
The unicode hack is in the comments. Google "Trojan Source". Having never dealt with Hebrew and Arabic, it was news to me there is a right to left feature in Unicode. TWIT Security Now (MP3): SN 843: Trojan Source - Chrome 0-days, Windows 11 confusion, VoIP DDos attacks, Dune https://pdst.fm/e/chtbl.com/track/E91833/cdn.twit.tv/audio/sn/sn0843/sn0843.mp3#t=4768 [01:19:28] Or look for the paper. Hopefully this isn't too off topic. Original Message From: rei...@bbmk.org Sent: November 4, 2021 2:16 AM To: dovecot@dovecot.org Reply-to: dovecot@dovecot.org Subject: Re: Dovecot v2.3.17 released On Thu, 4 Nov 2021, Rupert Gallagher wrote: > Please convert all source code to ASCII. If it fails to compile, then it may > have a trojan hiding in Unicode clothing. Did you check yourself? The only source code files which contain non-7-bit-ASCII characters are 1. src/lib-storage/list/mailbox-list-index-status.c * Opportunistic function to see ïf we can extract guid from mailbox path */ i.e. in a /* comment */, and it's 8-bit ASCII not even UTF-anything. 2. src/lib-mail/test-qp-encoder.c which defines binary data. I don't think any C compiler allows Unicode in the code itself (instructions, variables names, etc.) Cheers.
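The manual check described in this exchange can be scripted rather than done by converting files to ASCII. The following is an added example, not code from Dovecot or from either poster: it lists every non-ASCII sequence in a source text and separates the Unicode bidirectional control characters that the Trojan Source paper is about from ordinary accented letters and from stray 8-bit bytes. The function names, the verdict labels and the sample lines are constructed for illustration.

```python
import unicodedata

# Unicode bidirectional formatting characters: the embedding, override and
# isolate controls, plus the three directional marks.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE RLE PDF LRO RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI RLI FSI PDI
    "\u200e", "\u200f", "\u061c",                      # LRM RLM ALM
}


def scan_source(data):
    """Scan raw file bytes; return findings as (line, column, kind, detail)."""
    findings = []
    for lineno, raw in enumerate(data.split(b"\n"), start=1):
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            # Not UTF-8 at all, e.g. a Latin-1 byte in an old comment.
            for col, byte in enumerate(raw, start=1):
                if byte >= 0x80:
                    findings.append((lineno, col, "non-utf8", f"0x{byte:02x}"))
            continue
        for col, ch in enumerate(text, start=1):
            if ch in BIDI_CONTROLS:
                name = unicodedata.name(ch, f"U+{ord(ch):04X}")
                findings.append((lineno, col, "bidi-control", name))
            elif ord(ch) > 0x7F:
                name = unicodedata.name(ch, f"U+{ord(ch):04X}")
                findings.append((lineno, col, "non-ascii", name))
    return findings


def verdict(findings):
    """'fail' on any bidi control, 'review' on other non-ASCII, else 'ok'."""
    kinds = {kind for _, _, kind, _ in findings}
    if "bidi-control" in kinds:
        return "fail"
    return "review" if kinds else "ok"


# Constructed sample: line 2 carries a single Latin-1 byte inside a comment,
# line 4 carries a right-to-left override inside a comment.
SAMPLE = b"\n".join([
    b"static int counter = 0;",
    b"/* Opportunistic function to see \xeff we can extract guid */",
    b"int lookup(const char *path);",
    "/* note \u202e reversed text */".encode("utf-8"),
])

if __name__ == "__main__":
    for finding in scan_source(SAMPLE):
        print(*finding)
    print(verdict(scan_source(SAMPLE)))
```

Run over a source tree in CI, a "fail" verdict can block the commit while "review" only lists the lines a person should read.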
Re: Strategies for protecting IMAP (e.g. MFA)
It seems to me that Oauth weakens security. You allow some other system into your system. Are you running your own email server? I see you are using Gmail for the listserv.

If you run your own server there are other steps I would take first other than MFA, though MFA would be the best. Geofencing alone reduces the attack pathways. My server is set up so only 25 sees the entire internet. All other email ports are behind a geofence and a rather large blocking list I have built up over the years of VPS, hosting companies, etc. I'm using 587.

I see very little attempts to hack my email server. If I wanted to go the next level up I would use fail2ban. But that would be to cut down chatter in the log file. No bot or person is going to crack my password. It is high entropy. Server passwords are not in clear text.

From: montneyty...@gmail.com
Sent: November 13, 2021 1:16 PM
To: dovecot@dovecot.org
Subject: Strategies for protecting IMAP (e.g. MFA)

With the world of ransomware as it is today (aka attacks seem more vicious and commonplace), anything I expose to WAN must have additional protection. I've seen a few posts to this list on it. The only thing that helped was that Dovecot supports OAuth. Through OAuth I figure I could implement MFA. However, I'd have to host my own identity server. From there, Thunderbird supports OAuth so that should work.

Since this is getting increasingly complicated, I wanted to ask before going further. What do you all do? Any recommendations?
Re: Strategies for protecting IMAP (e.g. MFA)
The thing I don't like is most 2FA token generators. Ultimately you need to transfer the polynomial that generates the code. Most do that with a QR image. Well so much for security! Others have a one time emergency code. Of course we are talking evil maid attacks, which granted is an unacceptable term these days.

Now Yubikey at least has my attention. But people often leave the key plugged into their notebook. Very true with the Google equivalent which I have heard from Google employees. The keys themselves aren't exactly transferable, but when you have physical access then all bets are off. If someone fool actually paid me to be sysadmin, I would use a Yubikey.

Note Freeotp lets you input the code but also has the QR code fallback. The phone app however hasn't been updated in years. It does allow you to test out a TOTP scheme. It took me no time to write a script to accept the token on Linux. The tricky part if I recall correctly was setting up the script to accept the token that just expired. You would want to do that to minimize user friction.

Not to get too far off track but I don't allow any web control over my email server. There is no control panel to hack. I ssh into the server and that uses PKI. I do everything via CLI. If ssh is compromised then nothing else will be secure so email would be the last of my problems.

Companies such as Last pass (not an endorsement but an example) supposedly incorporate password generators. If you are going to allow users to set let alone change their own password, you might be able to write a script that generates the password.

If I were to go up to the next level of security I would use mail-crypt. It is just that I see so much chatter about getting it to work.

From: montneyty...@gmail.com
Sent: November 13, 2021 3:03 PM
To: dovecot@dovecot.org
Subject: Re: Strategies for protecting IMAP (e.g. MFA)

"Use strong (as in long and/or randomised and impossible to break using rainbow table attacks) password"

Again, since it's just me, this is do-able. But I'm looking for something practical as well.

I'm getting the feeling that people don't have an MFA implementation.

"if the users are sufficiently discipline"

As a Sysadmin, I can tell you they genuinely are not and they likely never will be.

Hope for the best, plan for the worst.

I also want to clarify that I'm not rejecting any of these suggestions, they're all good.

On Sat, Nov 13, 2021 at 4:42 PM Ralph Seichter wrote:

* Tyler Montney:
> Since this is getting increasingly complicated, I wanted to ask before
> going further. What do you all do? Any recommendations?

Use strong (as in long and/or randomised and impossible to break using rainbow table attacks) passwords which are used only once (!) and kept either in the user's brain or in an encrypted password store. Ensure that authentication data can only be transmitted over encrypted connections. These measures cover a lot of ground, if the users are sufficiently disciplined. Users are usually the weakest link.

-Ralph
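Two ideas from this archive fit in one checker: the {password}+{2fa-token} form Joseph Tam describes in the earlier 2FA thread, and the script mentioned above that also accepts the token that just expired. This is an added example, not the posters' script and not a Dovecot plugin; it assumes RFC 6238 TOTP with HMAC-SHA1, 30-second steps and 6 digits, and the account record, the function names and the use of the RFC 6238 test secret are constructed for illustration.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP value for one counter, as a zero-padded string."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_totp(secret, token, now=None, step=30, back_steps=1, digits=6):
    """Accept the current time step and `back_steps` earlier ones.
    back_steps=1 is the 'token that just expired' allowance."""
    if len(token) != digits or not (token.isascii() and token.isdigit()):
        return False
    now = time.time() if now is None else now
    current = int(now) // step
    ok = False
    for counter in range(max(0, current - back_steps), current + 1):
        # No early exit: every candidate is compared in constant time.
        ok |= hmac.compare_digest(hotp(secret, counter, digits), token)
    return ok


def split_credential(credential):
    """Split 'password+token' on the LAST '+', so the password itself may
    contain '+'. Returns (password, token) or None if there is no token."""
    password, sep, token = credential.rpartition("+")
    if not sep or not password:
        return None
    return password, token


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample account; the TOTP secret is the RFC 6238 test secret.
SALT = bytes(range(16))
ACCOUNT = {
    "salt": SALT,
    "pw_hash": hash_password("s3cret+pw", SALT),
    "totp_secret": b"12345678901234567890",
}


def check_login(credential, account, now=None):
    """Both factors must pass; both are always evaluated."""
    parts = split_credential(credential)
    if parts is None:
        return False
    password, token = parts
    pw_ok = hmac.compare_digest(
        hash_password(password, account["salt"]), account["pw_hash"])
    otp_ok = verify_totp(account["totp_secret"], token, now)
    return pw_ok and otp_ok
```

Because a mail client stores and resends the same string on every reconnect, a credential of this form stops validating once its token leaves the window, which is the client-side friction the threads keep running into.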
Re: Sv: Sv: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC
If this isn't too far off topic, is it useful to register with https://www.dnswl.org/?p=209

The only servers that reject my email do so because I use DigitalOcean. Spectrum for example. Oddly enough Linode which has a fair number of hackers doesn't get the same treatment.

The only odd TLDs that have become popular are "aero" and "info." I will probably add some on your list though lately all my spam comes is Google related. I met one person who used a "life" TLD. He was starting a consulting business for fire resistant home designs (hence life) and thought he would be clever with the TLD. I stopped a woman from using "design."

From: sebast...@sebbe.eu
Sent: February 12, 2022 5:25 AM
To: dovecot@dovecot.org
Subject: Sv: Sv: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC

Yep. It's a lot of TLDs that is banned at me, but I haven’t had any problems with .ru so .ru isn’t yet banned. Here is my TLD banlist:

    deny message = 5.7.1 Banned TLD where sending IP is not listed on DNSWL ( https://www.dnswl.org/selfservice/?action=""> )
         condition = ${if eq {$acl_m4}{dnswl_whitelisted}{no}{yes}}
         sender_domains = ^(?i).*\\.(accountant|accountants|asia|auto|berlin|bid|buzz|camera|car|cam|cars|christmas|click|club|college|computer|country|cricket|date|design|download|exposed|email|fail|faith|fit|fun|gdn|global|guru|help|host|jetzt|kim|icu|life|live|link|loan|london|media|men|mom|news|ninja|online|party|photography|pro|protection|pub|racing|realtor|reise|ren|rent|rest|review|rocks|science|security|shop|site|solutions|space|storage|store|stream|study|surf|tech|technology|theatre|today|top|trade|university|uno|us|viajes|vip|vividal|wang|webcam|website|win|work|works|world|xin|xyz|zip|xn--.*)\$

This crap that ICANN started with “custom” TLDs is of more harm than useful. So much spam TLDs in the registry.

From: dovecot-boun...@dovecot.org On behalf of justina colmena ~biz
Sent: February 12, 2022 14:06
To: dovecot@dovecot.org
Subject: Re: Sv: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC

The ".top" TLD is popular among Russian spammers, ".ru" is a little too obvious and honest for what it is, unless that's part of Biden's sanctions, the others you mention look like vice domains, but looking at GitHub:

* https://github.com/dovecot

There's an "Oy" which is a Finnish "osalliyhdistys" and a ".fi" -- I have not heard of recent hostility between Finland and Russia, notwithstanding the Ukraine situation. Your mail client is all configured in Swedish, but Sweden & Finland are not officially part of NATO, AFAIK, and Sweden has its own currency whereas Finland did give up the markka in exchange for the Euro some 20-odd years ago I don't recall.

On February 12, 2022 2:58:03 AM AKST, Sebastian Nielsen wrote:

That's a TLD ban. Meaning *.ru is banned. same applies for my domain for example, I ban *.xyz, *.date and a few others.

-Original Message-
From: dovecot-boun...@dovecot.org On behalf of Lev Serebryakov
Sent: February 12, 2022 12:08
To: dovecot@dovecot.org
Subject: Re: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC

On 11.02.2022 16:31, Marc wrote:

(sorry for posting to list this, but I don't have any ways to contact Marc off-list now)

Problem is, I need to unpack each of them to be sure, that these are false positives and I'm afraid, that it could lower reputation of my mail server IP address with major providers (like Google Mail).

How can you get a lower reputation? Afaik dmarc is just signing your outgoing messages.

Marc, my domain already has problems sending mail to you, for example:

: host spam1.roosit.eu[212.26.193.45] said: 553 5.3.0 550We have blocked this toplevel because of spam. Use another toplevel until the maintainer has resolved these issues (in reply to MAIL FROM command)

--
// Black Lion AKA Lev Serebryakov

-- Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: 2FA for Dovecot
I block all my email ports except 25 from countries where I am not going to be sending or receiving email. I also block many datacenters, but blocking Digital Ocean, Vultur and AWS will get you 90%of the way there. You will need to use 587, that is no auth on 25. Again no blocking on 25, just block the other email ports. I get maybe one attempt to log into my email account a week. Yeah not as good as 2FA but it isn't a research project either. Just a little firewall programming. I get the CIDRs from bgp.he.net. I am assuming this is a personal server. A bit extreme, but you could set up a VPN on a VPS and only allow that IP to send and receive email. Original Message From: li...@luigirosa.com Sent: January 7, 2020 12:29 AM To: dovecot@dovecot.org Subject: Re: 2FA for Dovecot Kees de Jong wrote on 06/01/2020 12:58: > My goal is to protect my mail account with 2FA, which isn't a crazy > idea in 2020. Therefore, I would like to know the possibilities of > configuring 2FA for Dovecot. Use an authentication backend that supports 2FA, such as oAuth: https://wiki.dovecot.org/PasswordDatabase/oauth2 -- Ciao, luigi / +--[Luigi Rosa]-- \
Re: Recommendations on intrusion prevention/detection?
My email server is set up for port 587. I block all email ports other than port 25 from countries that I will not be sending or receiving email. This is really only practical on a personal server. I also have a blocking file of data center IPs. Port 25 is still open to the world but that has to be the case. Firewalls are a bit ram intensive but not CPU intensive. I am not saying this is perfect. Rather I have reduced the number of jerks that can access my email. Prior to running my own email server, I used a hosted service. I got hacked from an exploit in roundcube from Morocco. I don't use webmail and while I'm sure Morocco is a fine country, I don't need email access from there. This is why I now run my own email. Original Message From: johan...@rohr.org Sent: April 22, 2020 5:30 AM To: dovecot@dovecot.org Subject: Recommendations on intrusion prevention/detection? Dear all, what are the key strategies for intrusion prevention and detection with dovecot, apart from installing fail2ban? It is a pity that the IMAP protocol does not support 2 factor authentication, which seems to stop 90% of intrusion attempts in their tracks. Without it, if someone has obtained your password and reads your mail without modifying it, you will hardly ever notice. Is there a reasonable way of detecting and preventing logins from unusual IP ranges? Or are there other strategies you would recommend? Cheers, Johannes
Re-to-archived-thread: Dict issue with PostgreSQL for last_login plugin (duplicate key)
Hi, I have tried to implement last_login with PostgreSQL and I found an old thread from June 2019. I have found a simple solution that I want to share with you: I followed the instructions on how to set up a last_login on the official documentation. Therefore I created a very simple table having userid and last_login fields. Added plugin and dict information. I received the duplicate key errors and I did this trick for now, which seems to solve this issue: CREATE OR REPLACE RULE insert_to_update AS ON INSERT TO users WHERE EXISTS (SELECT userid FROM users WHERE userid = NEW.userid) DO INSTEAD UPDATE users SET last_login = NEW.last_login WHERE userid = NEW.userid With this rule in place, INSERTs are changed to UPDATEs, if a userid entry already exists. No need to patch code. Feel free to comment :-) Christian Thread online: https://www.dovecot.org/list/dovecot/2019-May/115921.html -- Rößner-Network-Solutions Karl-Bröger-Str. 10, 36304 Alsfeld Fax: +49 6631 78823409, Mobil: +49 171 9905345 USt-IdNr.: DE225643613, https://roessner.website PGP fingerprint: 658D 1342 B762 F484 2DDF 1E88 38A5 4346 D727 94E5
Testing COI
Hi, I am playing around with the COI plugin and try to get things working. I followed the Dovecot docs and also got the source from Github (dovecot/coi). I have compiled and installed coi successfully. IMAP seems to be fine, but LMTP has some errors in the logs, so I removed imap_coi for the moment: Apr 23 17:05:16 mx dovecot: lmtp(10752): Fatal: Couldn't load required plugin /usr/lib64/dovecot/lib11_imap_coi_plugin.so: dlopen() failed: /usr/lib64/dovecot/lib11_imap_coi_plugin.so: undefined symbol: client_add_capability I am running Dovecot 2.3.10 and coi at the same version. Am I missing something here? Thanks in advance Christian -- Rößner-Network-Solutions Karl-Bröger-Str. 10, 36304 Alsfeld Fax: +49 6631 78823409, Mobil: +49 171 9905345 USt-IdNr.: DE225643613, https://roessner.website PGP fingerprint: 658D 1342 B762 F484 2DDF 1E88 38A5 4346 D727 94E5
Re: Testing COI
On 23.04.2020 at 17:15, Aki Tuomi wrote: > > >> On 23/04/2020 18:12 li...@mlserv.org wrote: >> >> >> Hi, >> >> I am playing around with the COI plugin and try to get things working. >> >> I followed the Dovecot docs and also got the source from Github >> (dovecot/coi). >> >> I have compiled and installed coi successfully. >> >> IMAP seems to be fine, but LMTP has some errors in the logs, so I removed >> imap_coi for the moment: >> >> Apr 23 17:05:16 mx dovecot: lmtp(10752): Fatal: Couldn't load required >> plugin /usr/lib64/dovecot/lib11_imap_coi_plugin.so: dlopen() failed: >> /usr/lib64/dovecot/lib11_imap_coi_plugin.so: undefined symbol: >> client_add_capability >> >> I am running Dovecot 2.3.10 and coi at the same version. >> >> Am I missing something here? >> >> Thanks in advance >> >> Christian >> -- >> Rößner-Network-Solutions >> Karl-Bröger-Str. 10, 36304 Alsfeld >> Fax: +49 6631 78823409, Mobil: +49 171 9905345 >> USt-IdNr.: DE225643613, https://roessner.website >> PGP fingerprint: 658D 1342 B762 F484 2DDF 1E88 38A5 4346 D727 94E5 > imap_coi_plugin can only be loaded for imap. > > > protocol imap { > mail_plugins = $mail_plugins imap_coi > } > > protocol lmtp { > mail_plugins = $mail_plugins lmtp_coi *plonk* Many thanks. That solved my problems Christian > } > --- > Aki Tuomi > -- Rößner-Network-Solutions Karl-Bröger-Str. 10, 36304 Alsfeld Fax: +49 6631 78823409, Mobil: +49 171 9905345 USt-IdNr.: DE225643613, https://roessner.website PGP fingerprint: 658D 1342 B762 F484 2DDF 1E88 38A5 4346 D727 94E5
Directory hashing
Hi, I struggle with directory hashing. I want something like this: /srv/mail/c/cf37a8dff5e360927ba10ab2 The final folder is simple, as it is: %{sha256;truncate=96:user} But how do I get a first level from sha256? Unfortunately, the truncate option aligns only full 8bit and does not divide into low and high nibbles. How can I express this for sha256? in MD5 this would be %1Mu Many thanks in advance Christian -- Rößner-Network-Solutions Karl-Bröger-Str. 10, 36304 Alsfeld Fax: +49 6631 78823409, Mobil: +49 171 9905345 USt-IdNr.: DE225643613, https://roessner.website PGP fingerprint: 658D 1342 B762 F484 2DDF 1E88 38A5 4346 D727 94E5
Re: Directory hashing
> On 11.05.2020 at 10:16, Aki Tuomi wrote: > > >> On 11/05/2020 11:10 Simone Lazzaris wrote: >> >> >> On Monday 11 May 2020 10:00:38 CEST, li...@mlserv.org wrote: >>> Hi, >>> >>> I struggle with directory hashing. I want something like this: >>> >>> /srv/mail/c/cf37a8dff5e360927ba10ab2 >>> >>> The final folder is simple, as it is: >>> >>> %{sha256;truncate=96:user} >>> >>> But how do I get a first level from sha256? Unfortunately, the truncate >>> option aligns only full 8bit and does not divide into low and high nibbles. >>> How can I express this for sha256? >>> >>> in MD5 this would be %1Mu >>> >>> Many thanks in advance >>> >>> Christian >> >> Maybe as a workaround you can create a directory named /srv/mail/c and make >> 16 >> symbolic links to it: /srv/mail/c0, /srv/mail/c1, /srv/mail/c2, up to /srv/ >> mail/cf. >> >> In that way you can use truncate=8. >> >> >> >> -- >> Simone Lazzaris >> QCom SpA > > Out of curiosity, but why do you use SHA256? You get probably no extra > benefit from it. I mean, you are free to do so, but ... why? The reason for me was that I could bash script a transition from username to directory: echo -n "username" | sha256sum | cut -c 1-24 That way I could convert all folders easily. I did not know how to do this with the M-versions. > > Anyways, it would work pretty much the same way, %1{sha256:..} and > %4{sha256:...}. Thanks. I will try that out. Christian > > Aki -- Rößner-Network-Solutions Karl-Bröger-Str. 10, 36304 Alsfeld Fax: +49 6631 78823409, Mobil: +49 171 9905345 USt-IdNr.: DE225643613, https://roessner.website PGP fingerprint: 658D 1342 B762 F484 2DDF 1E88 38A5 4346 D727 94E5
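The layout discussed in this thread, as an added example that is not part of the original messages: a Python equivalent of the `echo -n "username" | sha256sum | cut -c 1-24` pipeline that also builds a migration plan from flat per-user directories. The source root `/srv/mail-old`, the helper names and the sample user names are assumptions made for the illustration.

```python
import hashlib
from pathlib import PurePosixPath

MAIL_ROOT = PurePosixPath("/srv/mail")  # target root used in the thread
HEX_LEN = 24                            # 24 hex digits = 96 bits (truncate=96)


def hashed_dir(user, root=MAIL_ROOT, hex_len=HEX_LEN):
    """Same result as: echo -n "$user" | sha256sum | cut -c 1-24,
    placed below a first-level directory named after the first hex digit."""
    leaf = hashlib.sha256(user.encode("utf-8")).hexdigest()[:hex_len]
    return root / leaf[0] / leaf


def plan_migration(users, old_root=PurePosixPath("/srv/mail-old")):
    """Map each flat per-user directory to its hashed location.

    old_root is a hypothetical source path. Names that could escape it are
    rejected, repeated names are skipped, and two different users that end
    up on the same truncated hash abort the plan instead of sharing a
    mailbox directory.
    """
    plan, owner = [], {}
    for user in users:
        if not user or "/" in user or "\0" in user or user in (".", ".."):
            raise ValueError(f"unsafe user name: {user!r}")
        target = hashed_dir(user)
        previous = owner.setdefault(target, user)
        if previous != user:
            raise ValueError(f"{user!r} and {previous!r} collide on {target}")
        step = (old_root / user, target)
        if step not in plan:
            plan.append(step)
    return plan


def fanout(plan):
    """Count how many mailboxes land in each first-level directory."""
    counts = {}
    for _, target in plan:
        key = target.parent.name
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed user names. The hash covers the exact bytes, so the two
    # spellings of alice below get different directories: normalise names
    # the same way the mail server does before hashing them.
    sample = ["abc", "alice@example.org", "Alice@example.org", "abc"]
    steps = plan_migration(sample)
    for old, new in steps:
        print(f"mv {old} {new}")
    print(fanout(steps))
```
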
Re: fail2ban setup centos 7 not picking auth fail?
I use SSHGuard on well ssh (doh!), but supposedly you can use it for postfix and dovecot also. I can tell you it is well supported. I am on Centos 7 using firewalld. Original Message From: a...@ddns.com.au Sent: May 21, 2020 11:01 PM To: voy...@sbt.net.au Cc: dovecot@dovecot.org Subject: Re: fail2ban setup centos 7 not picking auth fail? On 22-05-2020 15:45, Voytek Eymont wrote: > On Fri, May 22, 2020 2:05 pm, Adi Pircalabu wrote: >> On 22-05-2020 10:38, Voytek Eymont wrote: > >> >> Hardly a Dovecot issue. Can you please post the output of this >> command? >> /usr/bin/fail2ban-regex /var/log/dovecot.log >> /etc/fail2ban/filter.d/dovecot.conf > > > Adi, > > thanks, what I get is: > [...] > > Results > === > > Failregex: 5149 total [...] > > Lines: 338975 lines, 0 ignored, 5149 matched, 333826 missed > [processed in 87.44 sec] Right, so it's not a regex problem then, you're getting some matches there, although you might want to revisit it if the result is not consistent with your own searches. It might be that Dovecot isn't logging to systemd's journal, or the regex doesn't match the journal entries. Try to comment out "journalmatch = _SYSTEMD_UNIT=dovecot.service" entry in your filter file, restart f2b and see if there's any change. P.S. Let's try and keep the replies to the list :) -- Adi Pircalabu
Re: fail2ban setup centos 7 not picking auth fail?
I leave well enough alone, but rev 2 got a new parser to allow more user control. The documentation may be old. However the dovecot trigger does look for auth failed. dovecot default imap-login: Aborted login (auth failed, 6 attempts): XYZ rip=6.6.6.0, lip=127.0.0.1 I run a personal email server and have the luxury of geographically limiting access to all mail ports other than 25. (I use 587). So I get few attempts at logins. Then again I can't access my email in 99% of the world in addition from hosting companies and cloud servers. Original Message From: je...@seibercom.net Sent: May 22, 2020 3:38 AM To: dovecot@dovecot.org Reply-to: dovecot@dovecot.org Subject: Re: fail2ban setup centos 7 not picking auth fail? On Thu, 21 May 2020 23:22:04 -0700, lists stated: >I use SSHGuard on well ssh (doh!), but supposedly you can use it for >postfix and dovecot also. I can tell you it is well supported. I am >on Centos 7 using firewalld. SSHGuard works fairly well with Postfix; however, it is virtually useless with Dovecot. It never picks up on "auth fail" and a few others. I have submitted documentation and requests to SSHGuard, but they have never acted upon them, other than to say that they will look into it. -- Jerry
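An added example, not from any of the posters: one way to do the detection asked about in the "intrusion prevention/detection" thread, using the "auth failed" login lines quoted in the message above. It totals failed attempts per remote IP and flags successful logins from outside the networks the owner expects. The network list, the threshold and the log lines are constructed for the illustration, and the line layout is an assumption modelled on the lines quoted on this page.

```python
import ipaddress
import re
from collections import Counter

# Assumption: networks the mailbox owner normally connects from
# (documentation address ranges, not real ones).
EXPECTED_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8::/32")]

RIP = r"\brip=(?P<rip>[0-9A-Fa-f:.]+)"
LOGIN_RE = re.compile(r"(?:imap|pop3)-login: Login: user=<(?P<user>[^>]*)>.*?" + RIP)
FAIL_RE = re.compile(
    r"(?:imap|pop3)-login: (?:Aborted login|Disconnected)[^(]*"
    r"\(auth failed, (?P<n>\d+) attempts[^)]*\):.*?" + RIP
)

# Constructed sample log, not taken from a real server.
SAMPLE_LOG = """\
May 22 03:09:58 mx dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.44, lip=192.0.2.10, TLS
May 22 03:10:01 mx dovecot: imap-login: Aborted login (auth failed, 6 attempts): user=<xyz>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
May 22 03:11:30 mx dovecot: pop3-login: Disconnected (auth failed, 2 attempts in 4 secs): user=<bob>, method=PLAIN, rip=198.51.100.9, lip=192.0.2.10
May 22 03:12:44 mx dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.23, lip=192.0.2.10, TLS
May 22 03:13:02 mx dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=198.51.100.9, lip=192.0.2.10
May 22 03:14:10 mx dovecot: pop3-login: Login: user=<bob>, method=PLAIN, rip=2001:db8::25, lip=2001:db8::1, TLS
May 22 03:14:11 mx dovecot: lmtp(10752): Info: constructed line that matches neither pattern
"""


def is_expected(rip):
    """True if rip parses as an IP address inside one of EXPECTED_NETS."""
    try:
        addr = ipaddress.ip_address(rip)
    except ValueError:
        return False  # unparsable address: treat as unexpected
    return any(addr.version == net.version and addr in net for net in EXPECTED_NETS)


def analyze(lines, fail_threshold=5):
    """Return unexpected successful logins and IPs with many failed attempts."""
    failures, unexpected = Counter(), []
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            failures[m["rip"]] += int(m["n"])
            continue
        m = LOGIN_RE.search(line)
        if m and not is_expected(m["rip"]):
            unexpected.append((m["user"], m["rip"]))
    noisy = {ip: n for ip, n in failures.items() if n >= fail_threshold}
    return {"unexpected_logins": unexpected, "brute_force": noisy}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG.splitlines())
    for user, rip in report["unexpected_logins"]:
        print(f"login for {user} from unexpected address {rip}")
    for rip, count in report["brute_force"].items():
        print(f"{count} failed attempts from {rip}")
```

A successful login from an unexpected range is the case the original question worried about, since a stolen password produces no failed attempts for fail2ban or SSHGuard to count.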
Re: SV: handling spam from gmail.
I get two or three of these a day. They are not from Gmail but have a "reply to" address that is a Gmail account. The messages come from an email account that passes SPF and DKIM. So the sender and reply domains differ, but that isn't unique. I have email that I need that arrives like that. I am on the Postfix list where this does belong, but I looked at the problem and decided it isn't worth fixing. I suppose I could whitelist the senders who have sender and reply to domain differences, but then I would have to deal with the people I bounce the first time because they aren't white listed. I suspect these spammers do have Gmail accounts but you can't report that address because technically no spam came from that account. You could report the sender account. However some days I get spam with the same reply to Gmail account but different sender account. Original Message From: m.r...@f1-outsourcing.eu Sent: June 11, 2020 1:26 AM To: dovecot@dovecot.org; sebast...@sebbe.eu Subject: RE: SV: handling spam from gmail. I know it is not dovecot who should fix this. But anyone using dovecot is using an MTA, and receiving spam ;) I know how to look at email headers. Spf and dkim is not solving anything here. -Original Message- From: Sebastian Nielsen [mailto:sebast...@sebbe.eu] Sent: Thursday 11 June 2020 10:23 To: Marc Roos; 'dovecot'; 'users' Subject: SV: handling spam from gmail. This is not a job for dovecot. You should look into whatever is your MTA (exim, postfix etc) and implement the solution there. But my initial suggestion is to check SPF and DKIM of the email. Because I know that gmail does terminate spammers quick, but if you don't validate SPF or DKIM, you might be a victim of spoofed Gmail email. Best regards, Sebastian Nielsen -Original Message- From: dovecot-boun...@dovecot.org On Behalf Of Marc Roos Sent: 11 June 2020 10:21 To: dovecot ; users Subject: handling spam from gmail. I am sick of this gmail spam.
Does anyone know a solution where I can do something like this:
1. received email from adcpni...@gmail.com
2. system recognizes this email address has been 'whitelisted', continue with 7.
3. system recognizes as this email never been seen before
4. auto reply with something like (maybe with a wait time of x hours): Your message did not receive the final recipient. You are sending from a known spam provider network that is why we blocked your message. Please confirm that:
   - you are not a spammer and
   - you have permission to use the mail address you send your message to
   - you and your provider agree to uphold GDPR legislation
   - you and your provider are liable for damages when breaching any of the above.
   Click link to confirm and you agree with the above https://www.domainwithoutletsencryptcertificate.com/asdfasdfadsfaf
5. sender clicks confirm url
6. email address is added to some white list.
7. email is delivered to recipient.
Re: Good email client to use with Dovecot?
FWIW, I use claws, which is about the only one not mentioned. I don't like Thunderbird. For one thing, it is in caretaker status. Mozilla believes Web based mail is the "future." I rather not run roundcube, given I got hacked via an unpatched roundcube back when I was using a hosting company. Webmail just increases your attack surface.
Re: Good email client to use with Dovecot?
Claws is an active project. I became roundcube free when I set up my own mail server. I simply use an email client rather than a browser. Browsers can leak. Comments about the retired TB: https://blog.mozilla.org/thunderbird/ Practically what this means is that in 2016, Thunderbird will finally be able to accept donations from users directed toward the update and maintenance of Thunderbird. In the long run, Thunderbird needs to rely on our users for support, and not expect to be subsidized by revenue from Firefox. We welcome this help from the Mozilla Foundation in moving toward our goal of developing independent sources of income for Thunderbird. In the technical part of that post, Mitchell reiterated that Mozilla needs to be laser-focused on Firefox, and that the burden this places on Thunderbird (as well as the burden that Thunderbird places on Firefox) is leading to unacceptable outcomes for both projects. The most immediate need is for the Thunderbird release infrastructure to be independent of that used by Firefox, and Mozilla has offered to help. In the long-term, there will be additional technical separation between Firefox and Thunderbird as a continuation of a process that has been ongoing for the last three years. -- Original Message From: Benny Pedersen Sent: Thursday, November 17, 2016 6:36 PM To: dovecot@dovecot.org Reply To: Dovecot Mailing List Subject: Re: Good email client to use with Dovecot? li...@lazygranch.com wrote on 2016-11-18 03:07: > FWIW, I use claws, which is about the only one not mentioned. lets see if dovecot will be webmail ng someday > I don't like Thunderbird. sadly > For one thing, it is in caretaker status. what ? > Mozilla believes Web based mail is the "future." do you have references for this somewhere ? 
> I rather not run > roundcube, given I got hacked via an unpatched roundcube unpatched is always good, problems come when non default and mostly custom plugins is not tested, keep plain roundcube should not be a problem more then a claws client that is not patched > back when I > was using a hosting company. nothing happened since then ? > Webmail just increases your attack > surface. so what is the solution ?, going offline ?
Re: Good email client to use with Dovecot?
So does mutt suck or not? Original Message From: Andreas Kalex Sent: Thursday, November 17, 2016 11:06 PM To: Dovecot Mailing List Subject: Re: Good email client to use with Dovecot? since years mutt, 'cause it really sucks. I tried TB or claws, evolution, opera but always returned to mutt. On 18 November 2016 06:31:43 CET, Steve Litt wrote: >On Thu, 17 Nov 2016 18:07:15 -0800 >li...@lazygranch.com wrote: > >> FWIW, I use claws, which is about the only one not mentioned. >> >> I don't like Thunderbird. For one thing, it is in caretaker status. >> Mozilla believes Web based mail is the "future." I rather not run >> roundcube, given I got hacked via an unpatched roundcube back when I >> was using a hosting company. Webmail just increases your attack >> surface. > >Thanks. > >My reason for exploring Alpine is I'm moving away from Claws, for >non-technical reasons I won't burden this list with. > >Thanks, > >SteveT > >Steve Litt >November 2016 featured book: Quit Joblessness: Start Your Own Business >http://www.troubleshooters.com/startbiz
Re: Good email client to use with Dovecot?
https://www.cvedetails.com/vulnerability-list/vendor_id-8905/Roundcube.html Original Message From: robert k Wild Sent: Thursday, November 17, 2016 11:22 PM To: li...@lazygranch.com Reply To: Dovecot Mailing List Cc: Andreas Kalex; dovecot@dovecot.org Subject: Re: Good email client to use with Dovecot? Look up "roundcube", really straight forward configuration, once installed type in the IP of your server publishing it on a web browser and it will walk you through configuring it On 18 Nov 2016 07:16, wrote: > So does mutt suck or not? > > Original Message > From: Andreas Kalex > Sent: Thursday, November 17, 2016 11:06 PM > To: Dovecot Mailing List > Subject: Re: Good email client to use with Dovecot? > > since years mutt, 'cause it really sucks. > I tried TB or claws, evolution, opera but always returned to mutt. > > > > On 18 November 2016 06:31:43 CET, Steve Litt < > sl...@troubleshooters.com> wrote: > >On Thu, 17 Nov 2016 18:07:15 -0800 > >li...@lazygranch.com wrote: > > > >> FWIW, I use claws, which is about the only one not mentioned. > >> > >> I don't like Thunderbird. For one thing, it is in caretaker status. > >> Mozilla believes Web based mail is the "future." I rather not run > >> roundcube, given I got hacked via an unpatched roundcube back when I > >> was using a hosting company. Webmail just increases your attack > >> surface. > > > >Thanks. > > > >My reason for exploring Alpine is I'm moving away from Claws, for > >non-technical reasons I won't burden this list with. > > > >Thanks, > > > >SteveT > > > >Steve Litt > >November 2016 featured book: Quit Joblessness: Start Your Own Business > >http://www.troubleshooters.com/startbiz >
Re: Good email client to use with Dovecot?
I like vi (really vim), but I'm OK with Claws. I do most of my email on a BlackBerry. (No, really.) Original Message From: Patrick Ben Koetter Sent: Friday, November 18, 2016 12:15 AM To: dovecot@dovecot.org Subject: Re: Good email client to use with Dovecot? * li...@lazygranch.com : > So does mutt suck or not? If you work with vi and like it, chances are you will also like mutt. Personally I *love* mutt! No extra fat. Always on the spot. It is "liberal in what it receives and conservative in how it sends". Since it is command line program, I can run it almost everywhere. It supports local mailboxes, SMTP, POP and IMAP as well as S/MIME and PGP. You can highly customize it, if you want to with rules per folder, per sender address etc. pp. Just like vi it takes a while until you have internalized the (invisible) interface. Once you've moved beyond that point you will experience an enormous boost in efficiency. If you want to, ping me offline and I will share my mutt config. That should make it easier to start using it. p@rick > Original Message > From: Andreas Kalex > Sent: Thursday, November 17, 2016 11:06 PM > To: Dovecot Mailing List > Subject: Re: Good email client to use with Dovecot? > > since years mutt, 'cause it really sucks. > I tried TB or claws, evolution, opera but always returned to mutt. > > > > On 18 November 2016 06:31:43 CET, Steve Litt wrote: > >On Thu, 17 Nov 2016 18:07:15 -0800 > >li...@lazygranch.com wrote: > > > >> FWIW, I use claws, which is about the only one not mentioned. > >> > >> I don't like Thunderbird. For one thing, it is in caretaker status. > >> Mozilla believes Web based mail is the "future." I rather not run > >> roundcube, given I got hacked via an unpatched roundcube back when I > >> was using a hosting company. Webmail just increases your attack > >> surface. > > > >Thanks. > > > >My reason for exploring Alpine is I'm moving away from Claws, for > >non-technical reasons I won't burden this list with. 
> > > >Thanks, > > > >SteveT > > > >Steve Litt > >November 2016 featured book: Quit Joblessness: Start Your Own Business > >http://www.troubleshooters.com/startbiz -- [*] sys4 AG https://sys4.de, +49 (89) 30 90 46 64 Schleißheimer Straße 26/MG,80333 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer Aufsichtsratsvorsitzender: Florian Kirstein
unexpected delivery location
Hi, We're running dovecot 2.2.13, virtual users, with postfix. We have an olddomain and a new domainname. To 'translate' *@olddomain into *@newdomain, I have configured: cat /etc/postfix/canonical @olddomain.com @newdomain.com While this seems to work, lately we have noticed that dovecot occasionally creates mailboxes for non-existent users, like: /var/vmail/...username /var/vmail/20username This only seems to be happening for mails sent to *olddomain* Looking at the source of these mails, they are indeed sent to 20usern...@olddomain.com and ...usern...@olddomain.com Mail headers sample: Delivered-To: 20usern...@newdomain.com Received: from server1.newdomain.com (server2.newdomain.com [x.y.z.q]) by server3.newdomain.com (Postfix) with ESMTPS id 067B4812CF29E for <20usern...@olddomain.com>; Thu, 13 Jul 2017 19:05:02 +0200 (CEST) Why doesn't the email address 20usern...@newdomain.com in the above generate an error, but instead is delivered to a newly created mailbox? My feeling is that something is wrong with the way I created the alias for olddomain -> newdomain with the canonical-file. Does that make sense? Our goal is to accept *@olddomain.com like it was sent to *@newdomain.com, including delivery failures for nonexistent mailboxes like 20username We configured postfix like: canonical_maps = hash:/etc/postfix/canonical virtual_alias_maps = ldap:/etc/postfix/ad-mailboxes.cf, ldap:/etc/postfix/ad-groups.cf virtual_uid_maps = static:5000 virtual_gid_maps = static:5000 virtual_transport = dovecot Verified that this config works for newdomain, using: root@mail:/etc/postfix# postmap -q al...@newdomain.com ldap:/etc/postfix/ad-mailboxes.cf use...@newdomain.com root@mail:/etc/postfix# postmap -q al...@olddomain.com ldap:/etc/postfix/ad-mailboxes.cf root@mail:/etc/postfix# olddomain gives no result. 
Then, from master.cf: dovecot unix - n n - - pipe flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/dovecot-lda -f ${sender} -a ${recipient} -d ${user}@${nexthop} Finally, the mail location as defined in dovecot: mail_location = maildir:/var/vmail/%Ln/Maildir:LAYOUT=fs:DIRNAME=mAildir So, can anyone explain why for mails to olddomain, dovecot creates new mailboxes, instead of simply generating an error?
Re: unexpected delivery location
Hi, Not sure what the lack of replies means... As postfix is also involved, should I better ask there? It seems a little bit in between postfix and dovecot... Just to clarify one thing I wrote: On 22-8-2017 16:23, lists wrote: We're running dovecot 2.2.13, virtual users, with postfix. We have an olddomain and a new domainname. To 'translate' *@olddomain into With "translate" I mean that olddomain should be treated as if it were newdomain. No translation, but more like an alias. MJ
Re: unexpected delivery location
For the archives: On 23-8-2017 21:56, Noel wrote: Perhaps you can adjust your query or your database to return the desired result. Otherwise, use your scripting skills to generate a file, then automate the procedure. I ended up creating a file /etc/postfix/olddomain with these contents: /^([^@]*)@olddomain.com/ $(1)@newdomain.com and reference that in main.cf like: virtual_alias_maps = regexp:/etc/postfix/olddomain That seems to do the job nicely: Emails for exist...@olddomain.com are delivered to exist...@newdomain.com, and mails sent to nonexist...@olddomain.com receive DSN Undelivered Mail Returned to Sender, with: (expanded from ): user unknown Perfect. :-)
Can't receive email
No problem sending email, but I can't receive email. Diagnostics follow: a login u...@domain.com password a OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SPECIAL-USE] Logged in b select inbox * FLAGS (\Answered \Flagged \Deleted \Seen \Draft) * OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] Flags permitted. * 9 EXISTS * 1 RECENT * OK [UNSEEN 9] First unseen. * OK [UIDVALIDITY 1439944213] UIDs valid * OK [UIDNEXT 10] Predicted next UID * OK [HIGHESTMODSEQ 2] Highest b OK [READ-WRITE] Select completed (0.017 secs). c list "" * * LIST (\HasNoChildren \Trash) "." Trash * LIST (\HasNoChildren) "." Queue * LIST (\HasNoChildren \Sent) "." Sent * LIST (\HasNoChildren \Drafts) "." Drafts * LIST (\HasNoChildren) "." INBOX c OK List completed (0.001 secs). d lsub "" * * LSUB (\Trash) "." Trash * LSUB () "." Queue * LSUB (\Sent) "." Sent * LSUB (\Drafts) "." Drafts d OK Lsub completed (0.003 secs). e logout * BYE Logging out e OK Logout completed. 
closed --- from dovecot.log Sep 19 23:35:13 imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [xxx.xxx.xxx.xxx] Sep 19 23:35:13 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [xxx.xxx.xxx.xxx] Sep 19 23:35:13 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [xxx.xxx.xxx.xxx] Sep 19 23:35:13 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth Sep 19 23:35:13 auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat Sep 19 23:35:13 auth: Debug: passwd-file /usr/local/etc/dovecot/users: Read 2 users in 0 secs Sep 19 23:35:13 auth: Debug: auth client connected (pid=1698) Sep 19 23:38:13 imap-login: Info: Disconnected: Inactivity (no auth attempts in 180 secs): user=<>, rip=xxx.xxx.xxx.xxx, lip=xxx.xxx.xxx.xxx, TLS handshaking, session= # dovecot -n # 2.2.18: /usr/local/etc/dovecot/dovecot.conf # Pigeonhole version 0.4.8 (0c4ae064f307+) # OS: FreeBSD 10.1-RELEASE-p19 amd64 auth_debug = yes auth_debug_passwords = yes auth_verbose = yes log_path = /var/log/dovecot.log mail_debug = yes mail_gid = 1003 mail_home = /var/mail/vhosts/%d/%n mail_location = maildir:~ mail_privileged_group = vpostfix mail_uid = 1003 managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate namespace inbox { inbox = yes location = mailbox Drafts { special_use = \Drafts } mailbox Junk { special_use = \Junk } mailbox Sent { special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Trash { special_use = \Trash } prefix = } passdb { args = scheme=CRYPT username_format=%u /usr/local/etc/dovecot/users driver = passwd-file } service auth { unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0666 user = postfix } unix_listener auth-userdb { 
group = postfix mode = 0600 user = postfix } } ssl_cert =
Re: Can't receive email
It now works. I have no idea why now and not yesterday. I had booted the server yesterday and that didn't fix it. Thanks for your help.
Re: dovecot wiki...
On 15-3-2016 14:05, Andrew McGlashan wrote: Hi, Just want to know if this is a problem at my end (in my browser), or if it is something else. When I copy text from the wiki, the page changes to an edit one; that is very, very annoying. How can I stop this if it is normal dovecot wiki behaviour and what do you think I might look at in my browser if it isn't? I'm never likely to want to edit the wiki any time soon. Strange. Tried firefox and chrome on windows, but I can select and copy. It's when I double-click that it changes to edit-mode. MJ
Re: Intermittent IMAP Login failures - about 25% fail
I'm not getting a hit on "Dovecot pwck". Can you elaborate. Original Message From: Mobile Phone Sent: Friday, April 8, 2016 3:20 AM To: Dovecot Mailing List Reply To: supp...@eceb.co.uk Subject: Re: Intermittent IMAP Login failures - about 25% fail SOLVED: Should anyone else run into this and debugging shows no issues, just random dovecot logins fails - there was a bad username stored. "pwck" showed it up. Only cost me 3 days On 7 April 2016 at 17:24, Timo Sirainen wrote: > On 07 Apr 2016, at 19:02, Mobile Phone wrote: > > > > pam(prtg.08dir,91.91.91.91): pam_authenticate() failed: Authentication > > failure (password mismatch?) (given password: > YesThisWasTheCorrectPassword) > .. > > Why it this bouncing 25% + of IMAP AUTH LOGINs? > > PAM said that login wasn't allowed. PAM can have all kinds of plugins that > can do all kinds of things. Maybe you have enabled some PAM plugin that > denies the user's access even if the password is correct. Unfortunately > there's no way to enable debugging for PAM. Try simplifying your PAM setup, > or if you can't figure out anything else switch to passdb shadow. > >
Re: controlling STARTTLS by IP address
Are you 100% sure your interpretation of the FCC rules is correct? Do you really want passwords going out over RF unencrypted? As far as I know, only ham bands are not allowed to use encryption. Even baby monitors these days are DECT. (Mind you, not good encryption.) Original Message From: Michael Fox Sent: Thursday, July 14, 2016 1:57 PM To: Dovecot Mailing List Subject: controlling STARTTLS by IP address On my POP3 server, I need to be able to control the use of STARTTLS by client IP address. Specifically: * Clients on certain internal subnets (e.g., 192.168.1.0/24) must not have the option to use TLS. If the client tries to use STARTTLS, the option should be rejected. This is to satisfy US FCC rules regarding the use of encryption over certain radio frequencies. * All other internal clients (e.g., 192.168.0.0/16, but not 192.168.1.0/24) should be able to use STARTTLS if they choose to. * All external clients (0.0.0.0/0) will be required to use TLS. Is there a way to control which clients are allowed to use STARTTLS according to the client's IP address? Thanks, Michael
Re: controlling STARTTLS by IP address
I'm not a FCC lawyer, just a ham. Seems to me all you could do is "sign" messages and not send them if the sign isn't correct. The package itself is in plain text. Anyway, I'll leave the thread but would like to hear about the final solution. Original Message From: Michael Fox Sent: Thursday, July 14, 2016 2:54 PM To: 'Dovecot Mailing List' Subject: RE: controlling STARTTLS by IP address > Are you 100% sure your interpretation of the FCC rules is correct? Yes > Do you really want passwords going out over RF unencrypted? No. I don't plan to use plaintext auth methods. > As far as I know, only ham bands are not allowed to use encryption. Even > baby monitors these days are DECT. (Mind you, not good encryption.) Correct. It is ham radio. Michael
[Dovecot] Switching Servers now can't retrieve mail
I have just switched my mail server. I have copied (I think) the config files from the old to new. Exim is working fine on the new machine as I can see email file showing up in /var/mail/lists/new . However, dovecot reports nothing when I check mail . I have turned on logging on both machines and I do not see anything that looks like an error. I have also looked to see if the dovecot.conf file is compatible between 1.0.14 and 1.1.2 and have found little. I am guessing this is a simple problem, can someone tell me what I have done wrong here. I have provided Working dovecot -n from both machines and the log output from a mail fetch. Thanks, working --- # 1.0.14: /etc/dovecot/dovecot.conf log_path: /var/log/dovecot.log protocols: pop3 pop3s imap imaps ssl_disable: yes disable_plaintext_auth: no version_ignore: yes login_dir: /var/run/dovecot/login login_executable(default): /usr/lib/dovecot/imap-login login_executable(imap): /usr/lib/dovecot/imap-login login_executable(pop3): /usr/lib/dovecot/pop3-login mail_location: maildir:/var/mail/%u mail_debug: yes mail_executable(default): /usr/lib/dovecot/imap mail_executable(imap): /usr/lib/dovecot/imap mail_executable(pop3): /usr/lib/dovecot/pop3 mail_plugin_dir(default): /usr/lib/dovecot/modules/imap mail_plugin_dir(imap): /usr/lib/dovecot/modules/imap mail_plugin_dir(pop3): /usr/lib/dovecot/modules/pop3 pop3_uidl_format(default): pop3_uidl_format(imap): pop3_uidl_format(pop3): %08Xu%08Xv namespace: type: private separator: / auth default: verbose: yes debug: yes passdb: driver: pam userdb: driver: passwd non Working Config # 1.1.2: /etc/dovecot/dovecot.conf log_path: /var/log/dovecot.log protocols: pop3 pop3s imap imaps disable_plaintext_auth: no login_dir: /var/run/dovecot/login login_executable(default): /usr/lib/dovecot/imap-login login_executable(imap): /usr/lib/dovecot/imap-login login_executable(pop3): /usr/lib/dovecot/pop3-login mail_location: maildir:/var/mail/%u:INDEX=/var/mail/%u mail_debug: yes 
mail_executable(default): /usr/lib/dovecot/imap mail_executable(imap): /usr/lib/dovecot/imap mail_executable(pop3): /usr/lib/dovecot/pop3 mail_plugin_dir(default): /usr/lib/dovecot/modules/imap mail_plugin_dir(imap): /usr/lib/dovecot/modules/imap mail_plugin_dir(pop3): /usr/lib/dovecot/modules/pop3 namespace: type: private separator: / list: yes subscriptions: yes auth default: verbose: yes debug: yes passdb: driver: pam userdb: driver: passwd Working Log -- dovecot: Oct 10 07:52:25 Info: auth(default): client in: AUTH 1 PLAIN service=POP3 lip=75.48.112.185rip=192.168.1.103 resp= dovecot: Oct 10 07:52:25 Info: auth(default): pam(lists,192.168.1.103): lookup service=dovecot dovecot: Oct 10 07:52:25 Info: auth(default): client out: OK1 user=lists dovecot: Oct 10 07:52:25 Info: auth(default): master in: REQUEST67 72801 dovecot: Oct 10 07:52:25 Info: auth(default): passwd(lists,192.168.1.103): lookup dovecot: Oct 10 07:52:25 Info: auth(default): master out: USER 67 lists system_user=lists uid=1012gid=1005home=/home/lists dovecot: Oct 10 07:52:25 Info: pop3-login: Login: user=, method=PLAIN, rip=192.168.1.103, lip=75.48.112.185 dovecot: Oct 10 07:52:25 Info: POP3(lists): Effective uid=1012, gid=1005 dovecot: Oct 10 07:52:25 Info: POP3(lists): maildir: data=/var/mail/lists dovecot: Oct 10 07:52:25 Info: POP3(lists): maildir: root=/var/mail/lists, index=/var/mail/lists, control=, inbox= dovecot: Oct 10 07:52:25 Info: POP3(lists): Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0 dovecot: Oct 10 07:52:26 Info: auth(default): new auth connection: pid=7304 Not Working Log -- dovecot: Oct 10 07:51:33 Info: auth(default): client in: AUTH 1 PLAIN service=pop3 lip=75.48.112.186rip=192.168.1.103 lport=110 rport=48667 resp= dovecot: Oct 10 07:51:33 Info: auth-worker(default): pam(lists,192.168.1.103): lookup service=dovecot dovecot: Oct 10 07:51:33 Info: auth-worker(default): pam(lists,192.168.1.103): #1/1 style=1 msg=Password: dovecot: Oct 10 07:51:33 Info: 
auth(default): client out: OK1 user=lists dovecot: Oct 10 07:51:33 Info: auth(default): master in: REQUEST2 24165 1 dovecot: Oct 10 07:51:33 Info: auth(default): passwd(lists,192.168.1.103): lookup dovecot: Oct 10 07:51:33 Info: auth(default): master out: USER 2 lists system_user=lists uid=1002gid=1002home=/home/lists dovecot: Oct 10 07:51:33 Info: POP3(lists): Effective uid=1002, gid=1002 dovecot: Oct 10 07:51:33 Info: POP3(lists): Namespace: type=private, prefix=, sep=/, inbox=no, hidden=no, list=yes, subscriptions=yes dovecot: Oct 10 07:51:33 Info: POP3(lists): maildir: data
Re: [Dovecot] Switching Servers now can't retrieve mail
Started with a new conf file and now it's working. I guess there is a configuration difference between 1.0.14 and 1.1.2 On Fri October 10 2008 08:01:34 [EMAIL PROTECTED] wrote: > > I have just switched my mail server. I have copied (I think) the config files > from the old to new. Exim is work fine on the new machine as I can see email > file showing up in /var/mail/lists/new . However, dovecot reports nothing > when I check mail . I am have turn on logging on both machines and I do not > see anything that looks like an error. I have also looked to see if the > dovecot.conf file is compatible between 1.0.14 and 1.1.2 and have found > little. > > I am guessing this is a simple problem, can someone tell me what I have done > wrong here. > > I have provided Working dovecot -n from both machines and the log output from > a mail fetch. > > Thanks, > > working > --- > # 1.0.14: /etc/dovecot/dovecot.conf > log_path: /var/log/dovecot.log > protocols: pop3 pop3s imap imaps > ssl_disable: yes > disable_plaintext_auth: no > version_ignore: yes > login_dir: /var/run/dovecot/login > login_executable(default): /usr/lib/dovecot/imap-login > login_executable(imap): /usr/lib/dovecot/imap-login > login_executable(pop3): /usr/lib/dovecot/pop3-login > mail_location: maildir:/var/mail/%u > mail_debug: yes > mail_executable(default): /usr/lib/dovecot/imap > mail_executable(imap): /usr/lib/dovecot/imap > mail_executable(pop3): /usr/lib/dovecot/pop3 > mail_plugin_dir(default): /usr/lib/dovecot/modules/imap > mail_plugin_dir(imap): /usr/lib/dovecot/modules/imap > mail_plugin_dir(pop3): /usr/lib/dovecot/modules/pop3 > pop3_uidl_format(default): > pop3_uidl_format(imap): > pop3_uidl_format(pop3): %08Xu%08Xv > namespace: > type: private > separator: / > auth default: > verbose: yes > debug: yes > passdb: > driver: pam > userdb: > driver: passwd > > non Working Config > # 1.1.2: /etc/dovecot/dovecot.conf > log_path: /var/log/dovecot.log > protocols: pop3 pop3s imap imaps > 
disable_plaintext_auth: no > login_dir: /var/run/dovecot/login > login_executable(default): /usr/lib/dovecot/imap-login > login_executable(imap): /usr/lib/dovecot/imap-login > login_executable(pop3): /usr/lib/dovecot/pop3-login > mail_location: maildir:/var/mail/%u:INDEX=/var/mail/%u > mail_debug: yes > mail_executable(default): /usr/lib/dovecot/imap > mail_executable(imap): /usr/lib/dovecot/imap > mail_executable(pop3): /usr/lib/dovecot/pop3 > mail_plugin_dir(default): /usr/lib/dovecot/modules/imap > mail_plugin_dir(imap): /usr/lib/dovecot/modules/imap > mail_plugin_dir(pop3): /usr/lib/dovecot/modules/pop3 > namespace: > type: private > separator: / > list: yes > subscriptions: yes > auth default: > verbose: yes > debug: yes > passdb: > driver: pam > userdb: > driver: passwd > > > Working Log ------ > dovecot: Oct 10 07:52:25 Info: auth(default): client in: AUTH 1 PLAIN > service=POP3 lip=75.48.112.185rip=192.168.1.103 > resp= > dovecot: Oct 10 07:52:25 Info: auth(default): pam(lists,192.168.1.103): > lookup service=dovecot > dovecot: Oct 10 07:52:25 Info: auth(default): client out: OK1 > user=lists > dovecot: Oct 10 07:52:25 Info: auth(default): master in: REQUEST67 > 72801 > dovecot: Oct 10 07:52:25 Info: auth(default): passwd(lists,192.168.1.103): > lookup > dovecot: Oct 10 07:52:25 Info: auth(default): master out: USER 67 lists > system_user=lists uid=1012 gid=1005home=/home/lists > dovecot: Oct 10 07:52:25 Info: pop3-login: Login: user=, method=PLAIN, > rip=192.168.1.103, lip=75.48.112.185 > dovecot: Oct 10 07:52:25 Info: POP3(lists): Effective uid=1012, gid=1005 > dovecot: Oct 10 07:52:25 Info: POP3(lists): maildir: data=/var/mail/lists > dovecot: Oct 10 07:52:25 Info: POP3(lists): maildir: root=/var/mail/lists, > index=/var/mail/lists, control=, inbox= > dovecot: Oct 10 07:52:25 Info: POP3(lists): Disconnected: Logged out top=0/0, > retr=0/0, del=0/0, size=0 > dovecot: Oct 10 07:52:26 Info: auth(default): new auth connection: pid=7304 > > > Not Working Log 
-- > dovecot: Oct 10 07:51:33 Info: auth(default): client in: AUTH 1 PLAIN > service=pop3 lip=75.48.112.186rip=192.168.1.103 lport=110 > rport=48667 resp= > dovecot: Oct 10 07:51:33 Info: auth-worker(default): > pam(lists,192.168.1.103): lookup service=dovecot > dovecot: Oct 10 07:
[Dovecot] 1.0.15 -> 2.x upgrade for mass hosting environment
Hi all, We're looking at upgrading our current mail platform from 1.0.15 to 2.x to take advantage of the new director functionality. Our main concern is the number of mailboxes involved (circa. 300K) and the rebuilding of the index files, especially as it seems that once you've upgraded, rolling back requires the deletion and recreation of all indices. Has anyone worked on an upgrade like this in the past? If so, do you have any war stories you can share either on or off list? Thanks in advance, Matt
Re: [Dovecot] 1.0.15 -> 2.x upgrade for mass hosting environment
Quoting Ed W :

> Hi, don't have an installation of anything approaching your size. However, I do regularly see folks missing out on the idea that it's reasonably straightforward to have both Dovecot (old) and Dovecot (new) versions running at the same time and migrate users over slowly rather than in a big bang?

Yeah, we're actually now thinking that we should create a new cluster running dovecot 2.0, mount the existing control/maildir files from the current shared storage and then regenerate the indices before going live - would that work here? I'm struggling to find anything in the docs that state the control files will be affected by the upgrade.

> Personally my own experience was that changing from v1 to v2 was a fairly unexciting upgrade (as the admin) other than the obvious (large) change in configuration required.

That's good to know... :)

> Oh, one feature of Dovecot 2 which isn't on by default, but I have found very interesting is the "COMPRESS" IMAP feature. You need to enable a few config changes, but after that many clients can talk over a gzip'd tunnel, which in my testing leads to a decent reduction in bandwidth. It's especially nice for mobile use (eg Profimail on Nokia S60)

sounds v. cool... :D

Thanks,

Matt
Re: [Dovecot] 1.0.15 -> 2.x upgrade for mass hosting environment
Quoting Timo Sirainen :

> On 1.3.2011, at 18.57, li...@truthisfreedom.org.uk wrote:
>
>> Yeah, we're actually now thinking that we should create a new cluster running dovecot 2.0, mount the existing control/maildir files from the current shared storage and then regenerate the indices before going live - would that work here? I'm struggling to find anything in the docs that state the control files will be affected by the upgrade.
>
> v2.0 will read v1.x indexes just fine, no need to do any regeneration. (But v2.0 indexes can be read only by v1.2.5+.)

OK, that's good to know. Just to confirm, dovecot 2.0 *does not* upgrade any files by default?

M.
[Dovecot] POP3 vs. IMAP Load/Memory usage in Dovecot 1.0.15
Hi all, We've just provisioned a new cluster of dovecot nodes running Centos and Dovecot 1.0.15 (we needed to match the original configuration, we're upgrading to 1.2 next week!). The nodes are currently equally allocated (50/50 split) to IMAP and POP3, with the intention to move them into a single cluster hosting both services in the next month. All the servers are of identical spec (24 cores, 24G RAM) and are configured to load the indices, control files and maildirs via NFS. We have noticed that the IMAP servers appear to be under much less load and utilising drastically less RAM than the POP3 servers and I'm wondering if there is a reason for this as we have seen some swapping onto disk yet we are only handling 500 concurrent POP3 connections to each server at any given time compared with over 600 IMAP connections. I'm wondering if we've missed a config flag somewhere or (better still!) this issue will go away when we upgrade to 1.2. If anyone can shed any light on this, that would be much appreciated. Thanks in advance, Matt
Re: [Dovecot] POP3 vs. IMAP Load/Memory usage in Dovecot 1.0.15
Quoting Stan Hoeppner :

> On 7/11/2011 1:24 AM, Matthew Macdonald-Wallace wrote:
>> On Fri, 2011-07-08 at 10:48 +0100, li...@truthisfreedom.org.uk wrote:
>>> We have noticed that the IMAP servers appear to be under much less load and utilising drastically less RAM than the POP3 servers and I'm wondering if there is a reason for this as we have seen some swapping onto disk yet we are only handling 500 concurrent POP3 connections to each server at any given time compared with over 600 IMAP connections.
>>
>> Am I to take it that this is expected behaviour? If anyone can shed more light on this I'd be very grateful.
>
> More specific information would be helpful. Load as shown through top doesn't really tell anything. Are you simply seeing memory pressure? Is all that RAM being used for block device cache or actually eaten by the pop servers?

Hi Stan,

Thanks for getting back to me.

The Load average comparisons are taken from Munin graphs and based upon the servers being in production for five days between Monday and Friday.

The vast majority of the RAM usage is cache, however there is still a discrepancy between the IMAP servers and the POP3 servers.

I guess all I'm really after knowing is if there is a reason why this is the case so I can put my mind (and those of my team!) at ease before we start making other changes to the infrastructure - the last thing I want to do is increase the load on these nodes and watch them die because they didn't have enough resources.

Kind regards,

Matt
Re: [Dovecot] POP3 vs. IMAP Load/Memory usage in Dovecot 1.0.15
Hi Stan, Quoting Stan Hoeppner : On 7/11/2011 4:28 AM, li...@truthisfreedom.org.uk wrote: Quoting Stan Hoeppner : This still doesn't provide us with the necessary information to give you an intelligent answer to your question. Sorry, I thought I'd given quite a large amount of detail so far. To answer the questions I believe were in your analogy: * All the servers are made by the same manufacturer (Dell) * They are all the same model (R410) * The have the same engine (24 cores, 24G RAM, SAS Drives) * The motorway is exactly the same for all servers (NFS to a NetApp 6080 and a RAMSAN) * The weather is almost exactly the same (Same Datacentre, different rooms/racks) * The Driver is exactly the same (Dovecot 1.0.15) The vast majority of the RAM usage is cache, however there is still a discrepancy between the IMAP servers and the POP3 servers. A discrepancy where? RAM usage by the pop and imap processes? Is there any reason why you didn't post the actual data? I thought I had explained this, but obviously not. The discrepancies lie in two areas: 1) Load Average 2) RAM Usage (particularly in regard to cache) In both cases, the value for each area is higher on the three nodes running POP3 than the nodes running IMAP. I guess all I'm really after knowing is if there is a reason why this is the case so I can put my mind (and those of my team!) at ease before we start making other changes to the infrastructure - the last thing I want to do is increase the load on these nodes and watch them die because they didn't have enough resources. You still have not demonstrated what resources, if any, these nodes are lacking. The only thing you have mentioned is memory consumption. All Unices today will dump cache pages if a process needs memory space and will instantly reallocate it. If the bulk of the RAM on these systems is consumed by disk cache, you don't have a problem. 
If the "load" you mentioned is caused by something other then memory usage, then can you please show detail of such? Could you at least provide a snapshot of top output from one pop and one imap machine? POP3: https://gist.github.com/1075816 IMAP: https://gist.github.com/1075821 Unfortunately I can't provide access to the Munin Graphs owing to company policies, however I'm happy to post the output of pretty much any command (except `rm -rf` ;) ) that you would like to see. I hope that's enough detail, if not please let me know. Thanks again, Matt
Re: [Dovecot] POP3 vs. IMAP Load/Memory usage in Dovecot 1.0.15
* All the servers are made by the same manufacturer (Dell) * They are all the same model (R410) * The have the same engine (24 cores, 24G RAM, SAS Drives) The R410 is a two socket Xeon box with max 2 x 6 core CPUs. The 24 CPUs you see is the result of HyperThreading being enabled. I'd disable HT if I were you, or those boxen mine. OK, I'll take a look at this, thanks. * The motorway is exactly the same for all servers (NFS to a NetApp 6080 and a RAMSAN) * The weather is almost exactly the same (Same Datacentre, different rooms/racks) * The Driver is exactly the same (Dovecot 1.0.15) What operating system? Linux or *BSD? If Linux, what kernel version? Given that you're running Dovecot 1.0.15 I'm guessing you're using CentOS or RHEL 5.x and thus have kernel 2.6.18-xxx. 2.6.18 is 5 years old now and not inappropriate for a modern 2 socket, 6 core HyperThreading box. You need a much newer kernel, preferably in the 2.6.3x series. 2.6.18 could be reporting incorrect load numbers on these machines. Linux, Centos 5.6 and (yup, you've guessed it...) 2.6.18 again, I'll take a look at this, thanks. 1) Load Average On Linux, load average strictly shows total system CPU usage in intervals, nothing else. Neither memory, disk, nor network or anything else affects load average. Thus, with a 12 core system, until you see a load average above 12 you have absolutely nothing to worry about. With HT enabled load averages pretty much go out the window as half the "CPUs" are merely glorified duplicate register file phantoms. Given that all mail apps are 100% IO bound, never CPU or memory bound, I'd guess you'll never see a load average over 4.00 on any of these machines with less than 1000 concurrent connections. This assuming you run a newer kernel and with HT disabled. In other words, no more than 4 cores worth of CPU time will ever be eaten by your workload. What number do your Munin graphs show for load average for each set of boxes? Do they even come close to 4? 
They're showing as between 20 and 24 for the POP3 servers and 1.4 for the IMAP servers. Also note that TCP stack processing on the pop nodes will be greater than that of the imap boxes, eating more CPU cycles. More data sent over the wire means more packets, more packets means more CPU time in both code/data processing and interrupts. If you're running iptables rules on each host that bumps up network processing cycles a bit more yet. OK, I'll take a look at that as well 2) RAM Usage (particularly in regard to cache) In both cases, the value for each area is higher on the three nodes running POP3 than the nodes running IMAP. Almost all the memory consumption on both systems is buffer cache. Thus you don't have a memory issue on either host. The kernel will free and immediately reassign pages from cache to application processes as needed. I don't see evidence of the pop machine using more memory, in fact the imap processes are using more. Both boxes are just under 24GB total usage and both using right at 20GB of cache. Looks like a default config Linux kernel based on the ultra aggressive caching and eating up nearly all memory. So a kernel update is more than sensible... It may have been. I'll know when you post your load numbers from those top secret graphs. ;) LOL, see above. Thanks again, Matt
Sieve coding question
Is there a more appropriate list on which to ask for assistance in coding Sieve rules, or may I ask here?
Re: encrypted storage on the fly using user's password without storing password on the server
Bump? Nobody using mail-crypt right now (with user keys encrypted by user's password to work transparently from, say, Thunderbird) who could share their config? On 12/02/2020 11:54 pm, Alex Knowles wrote: Hi all, I just joined the list. I've read through the mail-crypt plugin docs here https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/ I'm still unclear (I'm not an expert) about the following: Is it possible to obtain on-the-fly encrypted storage using the user's password without the password being stored on the server? Basically a zero-knowledge solution. Theoretically this should be possible as the user provides the password when storing or retrieving emails. The above plugin docs don't make it clear for me whether it is supported. Could a kind clarify? I'd also be very grateful for a working conf as an example. Best wishes and thanks in advance, Alex.
Re: encrypted storage on the fly using user's password without storing password on the server
Bumping one last time in hope for assistance. On 18-02-20 6:44pm, dovecot.li...@graphyc.io wrote: Bump? Nobody using mail-crypt right now (with user keys encrypted by user's password to work transparently from, say, Thunderbird) who could share their config? On 12/02/2020 11:54 pm, Alex Knowles wrote: Hi all, I just joined the list. I've read through the mail-crypt plugin docs here https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/ I'm still unclear (I'm not an expert) about the following: Is it possible to obtain on-the-fly encrypted storage using the user's password without the password being stored on the server? Basically a zero-knowledge solution. Theoretically this should be possible as the user provides the password when storing or retrieving emails. The above plugin docs don't make it clear for me whether it is supported. Could a kind clarify? I'd also be very grateful for a working conf as an example. Best wishes and thanks in advance, Alex.
Dict quota calculation errors "remote disconnected"/"broken pipe" on 2.22.
Keywords: dovecot, dict, quota, postgre sql, broken pipe, remote disconnected

Having Dovecot 2.2.22 (fe789d2) with Postgre SQL 9.5 (9.5.5-0ubuntu0.16.04) as the backend. I do not understand why quota service is not working, not seeing it as a configuration error at least. My quotas are DICT/SQL based.

OS: Ubuntu 16.0.4.1 32-bit (Linux XXX 4.4.0-59-generic #80-Ubuntu SMP Fri Jan 6 17:36:54 UTC 2017 i686 i686 i686 GNU/Linux)

dovecot --build-options:
Build options: ioloop=epoll notify=inotify ipv6 openssl io_block_size=8192
Mail storages: shared mdbox sdbox maildir mbox cydir imapc pop3c raw fail
SQL driver plugins: mysql postgresql sqlite
Passdb: checkpassword ldap pam passwd passwd-file shadow sql
Userdb: checkpassword ldap(plugin) nss passwd prefetch passwd-file sql

/etc/dovecot/conf.d/10-master.conf:
service quota-warning {
  executable = script /etc/dovecot/some-script.sh
  unix_listener quota-warning {
    user = Debian-exim
    mode = 0660
  }
}
service dict {
  unix_listener dict {
    mode = 0660
    user = Debian-exim
    group = Debian-exim
  }
}

/etc/dovecot/conf.d/90-quota.conf:
plugin {
  quota = dict:user_quota::proxy::sqlquota
  quota_rule2 = Trash:storage=+10%%
  quota_rule3 = Junk:storage=+10%%
  quota_grace = 10%%
  quota_warning = storage=100%% quota-exceeded 100 %u
  quota_warning2 = storage=95%% quota-warning 95 %u
  quota_warning3 = storage=90%% quota-warning 90 %u
  quota_warning4 = storage=75%% quota-warning 75 %u
}
dict {
  sqlquota = pgsql:/etc/dovecot/dovecot-dict-sql-user.conf
}

/etc/dovecot/dovecot-dict-sql-user.conf:
connect = host=A.B.C.D dbname=db user=DDD password=YYY
map {
  pattern = priv/quota/storage
  table = quota2
  username_field = username
  value_field = bytes
}
map {
  pattern = priv/quota/messages
  table = quota2
  username_field = username
  value_field = messages
}

I will not be able to provide full "doveconf -n" output unfortunately.

Logging ALL incoming DB queries:
...
2017-02-04 12:03:12 MST [29500-10] DDD@db LOG: statement: SELECT password FROM mailbox WHERE local_part = 'YYY' AND domain = 'XXX' AND active ='t' LIMIT 1;
2017-02-04 12:03:12 MST [29501-10] DDD@db LOG: statement: SELECT 111 AS uid, 222 AS gid, '/var/mail/AAA/' || 'BBB' || '/' || 'YYY' AS home, '*:bytes=' || mailbox.quota AS quota_rule FROM mailbox WHERE local_part = 'YYY' AND active ='t' LIMIT 1;

And seeing that BOTH dict statements are missing: SELECT and UPDATE.

dovecot-lda-erros.log:
Feb 04 14:23:33 lda(testuser@XXX): Error: read(/var/run/dovecot/dict) failed: Remote disconnected
Feb 04 14:23:33 lda(testuser@XXX): Error: Internal quota calculation error
Feb 04 14:23:33 lda(testuser@XXX): Error: Internal quota calculation error

dovecot.log:
Feb 04 13:57:06 imap(YYY@XXX): Error: write(/var/run/dovecot/dict) failed: Broken pipe
Feb 04 13:57:06 imap(YYY@XXX): Error: write(/var/run/dovecot/dict) failed: Broken pipe
...
Feb 04 13:57:07 imap(YYY@XXX): Error: write(/var/run/dovecot/dict) failed: Broken pipe
...
Feb 04 13:57:10 imap(YYY@XXX): Error: write(/var/run/dovecot/dict) failed: Broken pipe

I have tried stopping dovecot, removing /var/run/dovecot/dict manually and starting dovecot. This has not changed the behavior.

dovecot-debug.log:
Feb 04 13:18:12 lda(YYY@XXX): Error: read(/var/run/dovecot/dict) failed: Remote disconnected
Feb 04 13:18:12 lda(YYY@XXX): Error: dict quota: Quota update failed, it's now desynced
Feb 04 13:57:07 lda(testuser@XXX): Error: write(/var/run/dovecot/dict) failed: Broken pipe
Feb 04 13:57:07 lda(testuser@XXX): Error: Internal quota calculation error
Feb 04 13:57:07 lda(testuser@XXX): Error: Internal quota calculation error

Running 'user_query' manually on the server:
db=> SELECT 111 AS uid, 222 AS gid, '/var/mail/AAA/' || 'XXX' || '/' || 'testuser' AS home, '*:bytes=' || mailbox.quota AS quota_rule FROM mailbox WHERE local_part = 'testuser' AND active ='t' LIMIT 1;
 uid | gid |            home            |    quota_rule
-----+-----+----------------------------+------------------
 111 | 222 | /var/mail/AAA/BBB/testuser | *:bytes=10485760
(1 row)

The identity had been granted 'all' privilege for 'quota2' table:
db=> SELECT table_catalog, table_schema, table_name, privilege_type
db-> FROM information_schema.table_privileges
db-> WHERE grantee='DDD';
 table_catalog | table_schema | table_name | privilege_type
---------------+--------------+------------+----------------
 mail          | public       | quota2     | INSERT
 mail          | public       | quota2     | SELECT
 mail          | public       | quota2     | UPDATE
 mail          | public       |
Re: Dict quota calculation errors "remote disconnected"/"broken pipe" on 2.22.
On 2017-02-08 00:10, Steffen Kaiser wrote:

> On Sun, 5 Feb 2017, ygrishin-li...@mail2.ca wrote:
>
>> service dict {
>>   unix_listener dict {
>>     mode = 0660
>>     user = Debian-exim
>>     group = Debian-exim
>>   }
>> }
>>
>> dovecot-lda-erros.log:
>> Feb 04 14:23:33 lda(testuser@XXX): Error: read(/var/run/dovecot/dict) failed: Remote disconnected
>>
>> dovecot.log:
>> Feb 04 13:57:06 imap(YYY@XXX): Error: write(/var/run/dovecot/dict) failed: Broken pipe
>> ...
>>
>> dovecot-debug.log:
>> Feb 04 13:18:12 lda(YYY@XXX): Error: read(/var/run/dovecot/dict) failed: Remote disconnected
>> Feb 04 13:18:12 lda(YYY@XXX): Error: dict quota: Quota update failed, it's now desynced
>> Feb 04 13:57:07 lda(testuser@XXX): Error: write(/var/run/dovecot/dict) failed: Broken pipe
>
> Does a process listen on /var/run/dovecot/dict ?

It certainly does:

#lsof /var/run/dovecot/dict
COMMAND PID  USER FD  TYPE DEVICE     SIZE/OFF NODE  NAME
dovecot 1140 root 42u unix 0xc6fe2300 0t0      15861 /var/run/dovecot/dict type=STREAM

$ ls -l /var/run/dovecot/dict
srw-rw---- 1 Debian-exim Debian-exim 0 Feb 12 03:53 /var/run/dovecot/dict

> The socket is accessible by Debian-exim:Debian-exim only (0660). As what user and group does the LDA and imap service run as?

LDA works as dovecot:Debian-exim:

lda:
  driver = pipe
  ...
  group = Debian-exim
  ...

(without specifying the user explicitly).

Yuriy
Re: Dict quota calculation errors "remote disconnected"/"broken pipe" on 2.22.
Solved the problem, reporting back to the community.

/etc/dovecot/dovecot-dict-sql-user.conf had been lacking dovecot group permissions. It was 700/root:root.

However, why it wasn't reported by Dovecot explicitly in the log is the greatest mystery to me. Now, deleting dovecot and all its packages via 'apt' and installing afresh makes a "lacking permissions for the file" entry appear in the log.

I can confirm that Dict-quota works perfectly well with Dovecot 2.2.22.
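The root cause reported above (a dict SQL config at 700/root:root that surfaced only as "Remote disconnected" / "Broken pipe") can be checked for before the service starts. The following is an added example, not code from the thread or from Dovecot: it applies the POSIX owner/group/other rule to the file and also flags modes that would expose the database password it contains. The `dovecot` identity, the uid/gid numbers and the 640 root:dovecot target are assumptions for illustration.

```python
import os
import pwd
import stat
from collections import namedtuple

# A reader is a uid plus every gid the process holds.
Identity = namedtuple("Identity", "name uid gids")
# Stand-in for os.stat_result so the constructed cases need no real files.
FileMeta = namedtuple("FileMeta", "st_mode st_uid st_gid")


def system_identity(name):
    """Build an Identity for a real local account (for use on a live host)."""
    pw = pwd.getpwnam(name)
    return Identity(name, pw.pw_uid, frozenset(os.getgrouplist(name, pw.pw_gid)))


def permission_class(meta, ident):
    """POSIX selects exactly one class: owner first, then group, then other."""
    if ident.uid == meta.st_uid:
        return "owner"
    if meta.st_gid in ident.gids:
        return "group"
    return "other"


def can_read(meta, ident):
    if ident.uid == 0:  # root bypasses the mode bits
        return True
    bit = {"owner": stat.S_IRUSR, "group": stat.S_IRGRP, "other": stat.S_IROTH}
    return bool(meta.st_mode & bit[permission_class(meta, ident)])


def audit_secret_config(path, ident, meta=None):
    """Return (code, detail) findings for a config file holding a DB password."""
    if meta is None:
        meta = os.stat(path)
    mode = stat.S_IMODE(meta.st_mode)
    where = "%s (mode %04o, uid %d, gid %d)" % (path, mode, meta.st_uid, meta.st_gid)
    findings = []
    if not can_read(meta, ident):
        cls = permission_class(meta, ident)
        findings.append(("UNREADABLE",
                         "%s is checked as '%s' and has no read bit on %s"
                         % (ident.name, cls, where)))
    if mode & stat.S_IROTH:
        findings.append(("EXPOSED", "any local user can read the password in " + where))
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(("TAMPERABLE", "a non-owner can rewrite the connect string in " + where))
    return findings


# Constructed sample data: the numeric ids are illustrative, not from the thread.
PATH = "/etc/dovecot/dovecot-dict-sql-user.conf"
DOVECOT = Identity("dovecot", 120, frozenset({125}))
CASES = {
    "as reported (700 root:root)": FileMeta(0o100700, 0, 0),
    "assumed fix (640 root:dovecot)": FileMeta(0o100640, 0, 125),
    "over-correction (644 root:root)": FileMeta(0o100644, 0, 0),
    # Owner class wins even when the group bits would allow the read.
    "owner bits win (040 dovecot:dovecot)": FileMeta(0o100040, 120, 125),
}


def run_cases():
    """Map each constructed case to the list of finding codes it produces."""
    return {label: [code for code, _ in audit_secret_config(PATH, DOVECOT, meta)]
            for label, meta in CASES.items()}


if __name__ == "__main__":
    for label, meta in CASES.items():
        findings = audit_secret_config(PATH, DOVECOT, meta)
        print(label + ":", "OK" if not findings else "")
        for code, detail in findings:
            print("  [%s] %s" % (code, detail))
```

On a live host, `audit_secret_config(PATH, system_identity("dovecot"))` runs the same check against the real file and account.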
Dovecot 2.2.19 - Panic: file dict-sql.c: line 670 (sql_dict_iterate): assertion failed: ((ctx->flags & DICT_ITERATE_FLAG_ASYNC) != 0)
Hello everyone, For this installation I am using passdb against AD, userdb with MySQL and nfs storage but using simultaneously the vfile acl backend and the shared mailbox dictionary I get the following panic: Oct 19 12:34:51 server dovecot: imap-login: Login: user=, method=PLAIN, rip=10.112.99.52, lip=10.113.63.50, mpid=7538, session= Oct 19 12:34:51 server dovecot: dict(7540): Panic: file dict-sql.c: line 670 (sql_dict_iterate): assertion failed: ((ctx->flags & DICT_ITERATE_FLAG_ASYNC) != 0) Oct 19 12:34:51 server dovecot: dict(7540): Error: Raw backtrace: /usr/lib64/dovecot/libdovecot.so.0() [0x31826800ca] -> /usr/lib64/dovecot/libdovecot.so.0() [0x3182680136] -> /usr/lib64/dovecot/libdovecot.so.0() [0x31826299ea] -> dovecot-mailbox/dict() [0x406abc] -> dovecot-mailbox/dict() [0x4047aa] -> dovecot-mailbox/dict() [0x404f32] -> dovecot-mailbox/dict(dict_command_input+0xab) [0x4050bb] -> dovecot-mailbox/dict() [0x40425b] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_call_io+0x5b) [0x3182692deb] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_handler_run_internal+0xb7) [0x31826943c7] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_handler_run+0x25) [0x3182692e95] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_run+0x38) [0x3182693038] -> /usr/lib64/dovecot/libdovecot.so.0(master_service_run+0x13) [0x318262e953] -> dovecot-mailbox/dict(main+0x165) [0x405295] -> /lib64/libc.so.6(__libc_start_main+0xfd) [0x303be1ed5d] -> dovecot-mailbox/dict() [0x403da9] Oct 19 12:34:51 server dovecot: dict(7540): Fatal: master: service(dict): child 7540 killed with signal 6 (core dumps disabled) am I missing something obvious or this is a dovecot bug? 
# 2.2.19: /etc/dovecot/dovecot.conf # Pigeonhole version 0.4.9 (357ac0a0e68b+) # OS: Linux 2.6.32-573.1.1.el6.x86_64 x86_64 Red Hat Enterprise Linux Server release 6.7 (Santiago) auth_master_user_separator = * auth_username_format = %Ln dict { acl = mysql:/etc/dovecot/dovecot-dict-acl.conf.ext } disable_plaintext_auth = no instance_name = dovecot-mailbox lda_mailbox_autocreate = yes lda_mailbox_autosubscribe = yes listen = * lmtp_rcpt_check_quota = yes lmtp_save_to_detail_mailbox = yes mail_fsync = always mail_gid = vmail mail_nfs_index = yes mail_nfs_storage = yes mail_plugins = " mail_log notify acl mailbox_alias quota listescape" mail_uid = vmail managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex im ap4flags copy include variables body enotify environment mailbox date index ihave duplicate imapflags notify mbox_write_locks = fcntl mmap_disable = yes namespace { list = children location = maildir:%%h/Mail:INDEX=~/shared/%%u:INDEXPVT=~/shared-pvt/%%u prefix = shared/%%u/ separator = / subscriptions = no type = shared } namespace inbox { inbox = yes location = mailbox Drafts { special_use = \Drafts } mailbox Junk { special_use = \Junk } mailbox Sent { special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Trash { special_use = \Trash } mailbox sent_mail_folder { special_use = \Sent } mailbox trash_folder { special_use = \Trash } prefix = separator = / type = private } passdb { args = /etc/dovecot/dovecot-pass_db-ldap.conf.ext driver = ldap } plugin { acl = vfile acl_shared_dict = proxy::acl mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename flag_change append mail_log_fields = uid box msgid from subject size flags sieve = file:~/sieve;active=~/.dovecot.sieve sieve_extensions = +notify +imapflags sieve_max_actions = 32 sieve_max_redirects = 25 sieve_max_script_size = 1M sieve_quota_max_storage 
= 10M } protocols = imap pop3 lmtp sieve service auth { unix_listener auth-userdb { group = vmail } } service dict { unix_listener dict { group = dovecot mode = 0660 user = vmail } } service lmtp { inet_listener lmtp { port = 24 } } service managesieve-login { inet_listener sieve { port = 4190 } inet_listener sieve_deprecated { port = 2000 } service_count = 1 } service managesieve { process_limit = 1024 } ssl = no userdb { args = /etc/dovecot/dovecot-user_db-sql.conf.ext driver = sql } verbose_proctitle = yes protocol lmtp { mail_plugins = " mail_log notify acl mailbox_alias quota listescape sieve" } protocol lda { mail_plugins = " mail_log notify acl mailbox_alias quota listescape sieve" } protocol imap { mail_plugins = " mail_log notify acl mailbox_alias quota listescape imap_acl imap_quota" } protocol sieve { managesieve_implementation_string = Dovecot Pigeonhole managesieve_logout_format = bytes=%i/%o managesieve_max_compile_errors = 1 managesieve_max_line_length = 65536 } protocol pop3 { mail_plugins = " mail_log notify acl mailbox_alias quota listescape" }
Dovecot 2.2.19 - Panic: file dict-sql.c: line 670 (sql_dict_iterate): assertion failed: ((ctx->flags & DICT_ITERATE_FLAG_ASYNC) != 0)
Hello everyone, For this installation I am using passdb against AD, userdb with MySQL and nfs storage but using simultaneously the vfile acl backend and the shared mailbox dictionary I get the following panic: Oct 19 12:34:51 server dovecot: imap-login: Login: user=, method=PLAIN, rip=10.112.99.52, lip=10.113.63.50, mpid=7538, session= Oct 19 12:34:51 server dovecot: dict(7540): Panic: file dict-sql.c: line 670 (sql_dict_iterate): assertion failed: ((ctx->flags & DICT_ITERATE_FLAG_ASYNC) != 0) Oct 19 12:34:51 server dovecot: dict(7540): Error: Raw backtrace: /usr/lib64/dovecot/libdovecot.so.0() [0x31826800ca] -> /usr/lib64/dovecot/libdovecot.so.0() [0x3182680136] -> /usr/lib64/dovecot/libdovecot.so.0() [0x31826299ea] -> dovecot-mailbox/dict() [0x406abc] -> dovecot-mailbox/dict() [0x4047aa] -> dovecot-mailbox/dict() [0x404f32] -> dovecot-mailbox/dict(dict_command_input+0xab) [0x4050bb] -> dovecot-mailbox/dict() [0x40425b] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_call_io+0x5b) [0x3182692deb] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_handler_run_internal+0xb7) [0x31826943c7] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_handler_run+0x25) [0x3182692e95] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_run+0x38) [0x3182693038] -> /usr/lib64/dovecot/libdovecot.so.0(master_service_run+0x13) [0x318262e953] -> dovecot-mailbox/dict(main+0x165) [0x405295] -> /lib64/libc.so.6(__libc_start_main+0xfd) [0x303be1ed5d] -> dovecot-mailbox/dict() [0x403da9] Oct 19 12:34:51 server dovecot: dict(7540): Fatal: master: service(dict): child 7540 killed with signal 6 (core dumps disabled) to reproduce the panic I only have to delete the dovecot-acl-list file and access the mailbox. It looks like that this commit http://hg.dovecot.org/dovecot-2.2/rev/7ccff6d5dd1b is causing the panic. 
# 2.2.19: /etc/dovecot/dovecot.conf # Pigeonhole version 0.4.9 (357ac0a0e68b+) # OS: Linux 2.6.32-573.1.1.el6.x86_64 x86_64 Red Hat Enterprise Linux Server release 6.7 (Santiago) auth_master_user_separator = * auth_username_format = %Ln dict { acl = mysql:/etc/dovecot/dovecot-dict-acl.conf.ext } disable_plaintext_auth = no instance_name = dovecot-mailbox lda_mailbox_autocreate = yes lda_mailbox_autosubscribe = yes listen = * lmtp_rcpt_check_quota = yes lmtp_save_to_detail_mailbox = yes mail_fsync = always mail_gid = vmail mail_nfs_index = yes mail_nfs_storage = yes mail_plugins = " mail_log notify acl mailbox_alias quota listescape" mail_uid = vmail managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex im ap4flags copy include variables body enotify environment mailbox date index ihave duplicate imapflags notify mbox_write_locks = fcntl mmap_disable = yes namespace { list = children location = maildir:%%h/Mail:INDEX=~/shared/%%u:INDEXPVT=~/shared-pvt/%%u prefix = shared/%%u/ separator = / subscriptions = no type = shared } namespace inbox { inbox = yes location = mailbox Drafts { special_use = \Drafts } mailbox Junk { special_use = \Junk } mailbox Sent { special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Trash { special_use = \Trash } mailbox sent_mail_folder { special_use = \Sent } mailbox trash_folder { special_use = \Trash } prefix = separator = / type = private } passdb { args = /etc/dovecot/dovecot-pass_db-ldap.conf.ext driver = ldap } plugin { acl = vfile acl_shared_dict = proxy::acl mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename flag_change append mail_log_fields = uid box msgid from subject size flags sieve = file:~/sieve;active=~/.dovecot.sieve sieve_extensions = +notify +imapflags sieve_max_actions = 32 sieve_max_redirects = 25 sieve_max_script_size = 1M sieve_quota_max_storage 
= 10M } protocols = imap pop3 lmtp sieve service auth { unix_listener auth-userdb { group = vmail } } service dict { unix_listener dict { group = dovecot mode = 0660 user = vmail } } service lmtp { inet_listener lmtp { port = 24 } } service managesieve-login { inet_listener sieve { port = 4190 } inet_listener sieve_deprecated { port = 2000 } service_count = 1 } service managesieve { process_limit = 1024 } ssl = no userdb { args = /etc/dovecot/dovecot-user_db-sql.conf.ext driver = sql } verbose_proctitle = yes protocol lmtp { mail_plugins = " mail_log notify acl mailbox_alias quota listescape sieve" } protocol lda { mail_plugins = " mail_log notify acl mailbox_alias quota listescape sieve" } protocol imap { mail_plugins = " mail_log notify acl mailbox_alias quota listescape imap_acl imap_quota" } protocol sieve { managesieve_implementation_string = Dovecot Pigeonhole managesieve_logout_format = bytes=%i/%o managesieve_max_compile_errors = 1 managesieve_max_line_length = 65536 } protoco
Re: Dovecot 2.2.19 - Panic: file dict-sql.c: line 670 (sql_dict_iterate): assertion failed: ((ctx->flags & DICT_ITERATE_FLAG_ASYNC) != 0)
> On 20 Oct 2015, at 12:26, mailing lists wrote:
>
>> Oct 19 12:34:51 server dovecot: dict(7540): Panic: file dict-sql.c: line 670
>> (sql_dict_iterate): assertion failed: ((ctx->flags &
>> DICT_ITERATE_FLAG_ASYNC) != 0)
>
> http://hg.dovecot.org/dovecot-2.2/rev/467695fee373 probably fixes this?

yes, it does it!! thank you.
Alternate Storage and quota limits
Hi all, is there any way to exclude messages stored in alternate storage (*dbox mailbox format) from being included in the quota usage? I think this is not possible, but let me ask.
[Dovecot] Dovecot + LDAP login issues
Morning all,

I've managed to work myself into a corner and am hoping someone can help me out.

I have OpenLDAP and Dovecot installed based on the following documents:

https://help.ubuntu.com/community/DovecotLDAP
https://help.ubuntu.com/community/OpenLDAPServer

When Dovecot is set up to log in without using LDAP, connections work fine. However, as soon as I change the dovecot.conf to use ldap I get the following error when trying to log in:

error in syslog:
dovecot: auth(default): ldap(myuser,10.10.10.10): invalid credentials (given password: myuserpasswd)
dovecot: auth(default): client out: FAIL#0112#011user=myuser

I have checked via phpLDAPadmin that the password I am entering matches what is in the database, so from what I can see the issue lies in how Dovecot is passing the password to openLDAP, though I may be way off base here. No special characters in the passphrase other than spaces.

Would anyone be able to shed some light on this?

Server Setup and Dovecot Config

Ubuntu Server 11.04

# uname -a
Linux base 2.6.38-10-server #46-Ubuntu SMP Tue Jun 28 16:31:00 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux

# slapd -V
@(#) $OpenLDAP: slapd 2.4.23 (Apr 7 2011 18:00:55) $

# dovecot --version
1.2.15

# cat dovecot.conf
base_dir = /var/run/dovecot/
protocols = imaps imap
listen = *
disable_plaintext_auth = no
shutdown_clients = yes
log_timestamp = "%Y-%m-%d %H:%M:%S "
###ssl_disable = no
ssl_cert_file = /etc/ssl/private/mail_mydomain_com.crt
ssl_key_file = /etc/ssl/private/mail_mydomain_com.key
ssl_ca_file = /etc/ssl/private/comodo-bundle.crt
mail_location = maildir:/home/MAIL/%n
mail_privileged_group = mail
mail_debug = yes
protocol imap {
  ### login_greeting_capability = yes
  imap_client_workarounds = tb-extra-mailbox-sep
}
protocol lda {
  postmaster_address = postmas...@mydomain.com
  hostname = base
  auth_socket_path = /var/run/dovecot/auth-master
  mail_plugins = cmusieve
}
auth_verbose = no
auth_debug = yes
auth_debug_passwords = yes
auth default {
  mechanisms = plain
  passdb ldap {
    args = /etc/dovecot/dovecot-ldap.conf
  }
  # passdb passwd-file {
  #   args = /etc/dovecot/passwd
  # }
  userdb static {
    args = uid=vmail gid=vmail home=/home/MAIL/%n allow_all_users=yes
  }
  user = vmail
  socket listen {
    master {
      path = /var/run/dovecot/auth-master
      mode = 0600
      user = vmail # User running Dovecot LDA
      group = vmail # Or alternatively mode 0660 + LDA user in this group
    }
  }
}
dict {
}
plugin {

#cat dovecot-ldap.conf (with a number of commented out lines removed)
# Space separated list of LDAP hosts to use. host:port is allowed too.
hosts= localhost
# Distinguished Name - the username used to login to the LDAP server
dn= cn=admin,dc=mydomain
# Password for LDAP server
dnpass = alongpasswd
auth_bind = yes
auth_bind_userdn = uid=%u,ou=Users,dc=mydomain
# LDAP protocol version to use. Likely 2 or 3.
ldap_version = 3
# LDAP base. %variables can be used here.
base = ou=Users,dc=mydomain
# Dereference: never, searching, finding, always
deref = never
# Search scope: base, onelevel, subtree
scope = subtree
user_attrs = mail=uid
user_filter = (&(objectClass=posixAccount)(uid=%n))
# Password checking attributes:
pass_attrs = uid=user,userPassword=password ###,homeDirectory=userdb_home,uidNumber=userdb_uid,gidNumber=userdb_gid
# Filter for password lookups
pass_filter = (&(objectClass=posixAccount)(uid=%n))
# Default password scheme. "{scheme}" before password overrides this.
# List of supported schemes is in: http://wiki.dovecot.org/Authentication
default_pass_scheme = MD5
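How the two templates in the dovecot-ldap.conf above (auth_bind_userdn with %u, pass_filter with %n) expand for a given login, as an added example that is not part of the original post and is not Dovecot's own code. It assumes Dovecot's documented meaning of %u (full username), %n (part before @) and %d (domain), handles only those variables plus the L/U modifiers, and escapes values per RFC 4514 and RFC 4515; the function names and the sample logins are constructed.

```python
import re

# Variables handled here: %u, %n, %d, an optional L/U modifier, and %% for a literal percent.
VAR = re.compile(r"%(%|[LU]?[und])")

# Templates copied from the dovecot-ldap.conf in the post above.
BIND_DN = "uid=%u,ou=Users,dc=mydomain"
PASS_FILTER = "(&(objectClass=posixAccount)(uid=%n))"


def escape_dn_value(value):
    """Escape a string for use as an attribute value inside a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in '"+,;<>\\' or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value):
    """Escape a string for use as an assertion value in a search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def expand(template, login, escape):
    """Substitute the login into a template, escaping every substituted value."""
    user, _, domain = login.partition("@")
    values = {"u": login, "n": user, "d": domain}

    def substitute(match):
        token = match.group(1)
        if token == "%":
            return "%"
        value = values[token[-1]]
        if token[0] == "L":
            value = value.lower()
        elif token[0] == "U":
            value = value.upper()
        return escape(value)

    return VAR.sub(substitute, template)


def resolve(login):
    """Return the bind DN and the lookup filter that the two templates produce."""
    return {
        "bind_dn": expand(BIND_DN, login, escape_dn_value),
        "filter": expand(PASS_FILTER, login, escape_filter_value),
    }


if __name__ == "__main__":
    # Constructed logins: plain, with a domain, and with LDAP metacharacters.
    for login in ("myuser", "myuser@mydomain.com", "x,ou=Admins", "a)(uid=*"):
        result = resolve(login)
        print(login)
        print("  bind DN:", result["bind_dn"])
        print("  filter: ", result["filter"])
```

For a login that carries a domain, the %u template and the %n template resolve to different uid values, which is worth comparing against the DN stored in the directory.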
[Dovecot] Shared Mailboxes with VirtualUsers and mail_location retrieved from ldap
Hello, I spend a couple of days configurating a new installation of dovecot 2.0.14 with virtual accounts and NFS storage for maildir home/mail directories. At this point I need shared mailboxes but since user mail/home locations are ldap attributes, how is it supposed I must configure this for shared mailboxes? for the users' mail/home directories I set this line: user_attrs = mailbox=mail=maildir:/var/maildir/%$,homeFilter=home creating a namespace like the below one for shared mbx throw a lot of errors: namespace { type = shared separator = / prefix = shared/%%u/ subscriptions = no list = children #location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u location = mailbox=mail=maildir:/var/maildir/%$ } I would like to hear if anyone has this configuration running. Thank you. /--/ uris = ldap://ldap.example.com dn = cn=user,ou=People,dc=example,dc=com dnpass = secret sasl_bind = no tls = no auth_bind = yes ldap_version = 3 base = dc=example,dc=com deref = never scope = subtree user_attrs = mailbox=mail=maildir:/var/maildir/%$,homeFilter=home user_filter = (&(objectClass=CourierMailAccount)(uid=%u)) pass_filter = (&(objectClass=CourierMailAccount)(uid=%u)) # dovecot -n # 2.0.14: /etc/dovecot/dovecot.conf # OS: Linux 2.6.34.7-0.7-xen x86_64 openSUSE 11.3 (x86_64) auth_debug = yes auth_debug_passwords = yes auth_verbose = yes auth_verbose_passwords = plain base_dir = /var/run/dovecot/ disable_plaintext_auth = no mail_debug = yes mail_fsync = always mail_gid = 5000 mail_nfs_index = yes mail_nfs_storage = yes mail_plugins = acl mail_uid = 5000 managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date mmap_disable = yes namespace { list = children location = mailbox=mail=maildir:/var/maildir/%$ prefix = shared/%%u/ separator = / subscriptions = no type = shared } namespace { inbox 
= yes location = prefix = INBOX. separator = . } passdb { args = /etc/dovecot/dovecot-ldap.conf.ext driver = ldap } plugin { acl = vfile sieve = ~/.dovecot.sieve sieve_dir = ~/sieve } protocols = imap ssl = no userdb { args = /etc/dovecot/dovecot-ldap.conf.ext driver = ldap } verbose_proctitle = yes protocol imap { mail_max_userip_connections = 100 mail_plugins = acl imap_acl autocreate }
[Dovecot] is it necessary lmtp and director to avoid index corruption in mail delivery?
Hello all, If I have several postfix/dovecot-lda boxes with shared nfs storage, how director helps in this scenario? Is it necessary to use lmtp instead of dovecot-lda? With postfix/dovecot-lda boxes incoming mail happens at the smtp layer but director redirects are working in the lmtp/imap/pop3 layer.
Re: [Dovecot] Shared Mailboxes with VirtualUsers and mail_location retrieved from ldap
Hello, On 09/07/2011 07:22 PM, Timo Sirainen wrote: > On 6.9.2011, at 14.27, mailing lists wrote: >> At this point I need shared mailboxes but since user mail/home locations are >> ldap attributes, how is it supposed I must configure this for shared >> mailboxes? >> >> for the users' mail/home directories I set this line: >> >> user_attrs = mailbox=mail=maildir:/var/maildir/%$,homeFilter=home > > Are home dirs and mail dirs related in any way? The only way you can get it > working is by using home dirs, e.g.: > > user_attrs = mailbox=home=/var/maildir/%$ yes, my virtual users have separate directories for home and mail. Their locations are stored in ldap attributes (with random generated paths), so a flat scheme like /var/maildr/%%u isn't valid. for typical (virtual) users the location returned looks like: Sep 8 12:48:33 imap1 dovecot: auth: Debug: ldap(user012,::1): result: mailbox(mail=maildir:/var/maildir/%$)=vol06/1/15/user012 homeFilter(home)=/var/mailfilter/vol06/1/15/user012 ... Sep 8 12:54:50 imap1 dovecot: imap(user012): Debug: maildir++: root=/var/maildir/vol06/1/15/user012, index=, control=, inbox=/var/maildir/vol06/1/15/user012, alt= > Then in dovecot.conf: > > mail_location = maildir:~/ > >> namespace { >> type = shared >> separator = / >> prefix = shared/%%u/ >> subscriptions = no >> list = children > > location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u this is that I see in logs and not shared folders are seen by imap clients: Sep 8 12:57:11 imap1 dovecot: imap(user012): Debug: Namespace : type=shared, prefix=shared.%u., sep=., inbox=no, hidden=no, list=children, subscriptions=no location=maildir:%h/Maildir:INDEX=~/Maildir/shared/%u Sep 8 12:57:11 imap1 dovecot: imap(user012): Debug: shared: root=/var/run/dovecot/, index=, control=, inbox=, alt= Sep 8 12:57:11 imap1 dovecot: imap(user012): Debug: acl: initializing backend with data: vfile I fail to understand how %%u is retrieved from ldap... 
/--/ # dovecot -n # 2.0.14: /etc/dovecot/dovecot.conf # OS: Linux 2.6.34.7-0.7-xen x86_64 openSUSE 11.3 (x86_64) auth_debug = yes auth_debug_passwords = yes auth_verbose = yes auth_verbose_passwords = plain base_dir = /var/run/dovecot/ disable_plaintext_auth = no mail_debug = yes mail_fsync = always mail_gid = 5000 mail_location = maildir:~/ mail_nfs_index = yes mail_nfs_storage = yes mail_plugins = acl mail_uid = 5000 managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date mmap_disable = yes namespace { inbox = yes location = prefix = INBOX. separator = . } namespace { list = children location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u prefix = shared.%%u. separator = . subscriptions = no type = shared } passdb { args = /etc/dovecot/dovecot-ldap.conf.ext driver = ldap } plugin { acl = vfile acl_shared_dict = file:/var/maildir/shared-mailboxes sieve = ~/.dovecot.sieve sieve_dir = ~/sieve } protocols = imap ssl = no userdb { args = /etc/dovecot/dovecot-ldap.conf.ext driver = ldap } verbose_proctitle = yes protocol imap { mail_max_userip_connections = 100 mail_plugins = acl imap_acl autocreate }
Re: [Dovecot] is it necessary lmtp and director to avoid index corruption in mail delivery?
JF, thank you for the reply. I'm just curious how the big players fix this problem, which seems to impact systems with shared storage.

Have a nice day.

On 09/07/2011 12:59 PM, Jan-Frode Myklebust wrote:
> On Wed, Sep 07, 2011 at 11:26:28AM +0100, mailing lists wrote:
>> Hello all,
>> If I have several postfix/dovecot-lda boxes with shared nfs storage,
>> how director helps in this scenario?
>
> The director can help by directing each unique user to the same backend
> server for each delivery, which should give you better performance
> (indexes cached in memory on only one machine instead of on all,
> inotify will work for IMAP NOTIFY), and also avoid some apparent race
> conditions that have led to index corruption when several nodes are
> writing to the same mailbox at the same time.
>
>> is it necessary to use lmtp instead of dovecot-lda?
>
> Yes.
>
>
>> With postfix/dovecot-lda boxes incoming mail happens at the smtp layer
>> but director redirects are working in the lmtp/imap/pop3 layer.
>
> Right.
>
> With LMTP you can have dovecot listening on the network (port 24/tcp)
> for incoming mail. No need for postfix on the backend mailstorage
> servers.
>
> Our setups has been:
>
> Mailgw[1-14] ---smtp--> dovecot-server[1-5] (postfix + dovecot/lda)
>
> and used MX priorities to make all deliveries go to the same
> dovecot-server with the others as backup.
>
> $ dig mx deliver.example.com +short
> 10 dove2.example.com.
> 15 dove3.example.com.
> 20 dove4.example.com.
> 25 dove5.example.com.
> 5 dove1.example.com.
>
>
> Now I'm moving towards:
>
> Mailgw[1-14] ---lmtp--> dovecot-server[1-5] (dovecot/lmtp)
>
> but worry that the index corruption might hit me again.. Ideally
> I want:
>
> Mailgw[1-14] ---lmtp--> directors --lmtp--> dovecot-server[1-5]
> (dovecot/lmtp)
>
> but lmtp-proxying seems to have bugs (ref: my latest mails to this
> list).
>
>
> -jf
Re: [Dovecot] Shared Mailboxes with VirtualUsers and mail_location retrieved from ldap
On 09/08/2011 03:07 PM, Timo Sirainen wrote:
> On Thu, 2011-09-08 at 12:14 +0100, mailing lists wrote:
>
>> yes, my virtual users have separate directories for home and mail.
>> Their locations are stored in ldap attributes (with random generated
>> paths), so a flat scheme like /var/maildr/%%u isn't valid.
>
> Sorry, you're out of luck with that kind of a setup. Only the %%h can
> look up a home directory from LDAP. Maybe some day in future there will
> be other variables that can be looked up.

And how might I configure dovecot to use the mail directory as a subdirectory of the home directory?

This way all lookups for home (with %%h fetched from ldap) will return the correct location and mail will be in (i.e.) ~/mailSubDir

Is this configuration possible?
Re: [Dovecot] Shared Mailboxes with VirtualUsers and mail_location retrieved from ldap
(I'm sorry for breaking the thread with each mail) On 09/09/2011 10:04 AM, Jan-Frode Myklebust wrote: > On Fri, Sep 09, 2011 at 08:18:40AM +0100, mailing lists wrote: >> >> and how to I might configure dovecot to use the mail directory as a >> subdirectory of the home directory? >> >> this way all lookups for home (with %%h fetched from ldap) will return the >> correct locationand mail will be in (i.e.) ~/mailSubDir >> >> is this configuration possible? > > In the main dovecot.conf: > > mail_location = maildir:~/mailSubDir > > In the ldap-config: > > user_attrs = homeFilter=home and which is the value for the location directive in namespace declaration ?? namespace { list = children location = maildir:%%h/mailSubDir:INDEX=~/mailSubDIr/shared/%%u prefix = shared.%%u. separator = . subscriptions = no type = shared } with the above conf. no shared folders are seen by tests users and afaik %%h is retrieved from ldap. this is that I had done until now: # telnet localhost 143 Trying ::1... Connected to localhost. Escape character is '^]'. * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN] Dovecot ready. . login user001 secret . OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT CHILDREN NAME . create INBOX.docs-user001 . OK Create completed. . setacl INBOX.docs-user001 user002 lr . OK Setacl complete. . logout * BYE Logging out . OK Logout completed. Connection closed by foreign host. # telnet localhost 143 Trying ::1... Connected to localhost. Escape character is '^]'. * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN] Dovecot ready. . login user002 secret . OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT CHILDREN NAME . create INBOX.docs-user002 . OK Create completed. . setacl INBOX.docs-user002 user001 lr . 
OK Setacl complete. . logout * BYE Logging out . OK Logout completed. Connection closed by foreign host. # cat /var/maildir/shared-mailboxes shared/shared-boxes/user/user002/user001 1 shared/shared-boxes/user/user002/user002 1 shared/shared-boxes/user/user001/user001 1 shared/shared-boxes/user/user001/user002 1 # cat /var/maildir/vol04/4/46/user001/.docs-user001/dovecot-acl user=user002 lr # cat /var/maildir/vol05/4/40/user002/.docs-user002/dovecot-acl user=user001 lr # telnet localhost 143 Trying ::1... Connected to localhost. Escape character is '^]'. * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN] Dovecot ready. . login user001 secret . OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS ACL RIGHTS=texk] Logged in . namespace * NAMESPACE (("INBOX." ".")) (("shared." ".")) NIL . OK Namespace completed. . list "shared." "*" . OK List completed. 
/--/ # grep ^[^#] /etc/dovecot/dovecot-ldap.conf.ext uris = ldap://ldap.example.com dn = cn=testuser,dc=example,dc=com dnpass = secret sasl_bind = no tls = no auth_bind = yes ldap_version = 3 base = dc=example,dc=com deref = never scope = subtree user_attrs = mailbox=mail=maildir:/var/maildir/%$,homeFilter=home user_filter = (&(objectClass=CourierMailAccount)(uid=%u)) pass_filter = (&(objectClass=CourierMailAccount)(uid=%u)) # dovecot -n # 2.0.14: /etc/dovecot/dovecot.conf # OS: Linux 2.6.34.7-0.7-xen x86_64 openSUSE 11.3 (x86_64) auth_debug = yes auth_debug_passwords = yes auth_verbose = yes auth_verbose_passwords = plain base_dir = /var/run/dovecot/ disable_plaintext_auth = no mail_debug = yes mail_fsync = always mail_gid = 5000 mail_location = maildir:~/mailSubDir mail_nfs_index = yes mail_nfs_storage = yes mail_plugins = acl mail_uid = 5000 managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date mmap_disable = yes namespace { inbox = yes location = prefix = INBOX. separator = . } namespace { list = children location = maildir:%%h/mailSubDir:INDEX=~/mailSubDir/shared/%%u prefix = shared.%%u. separator = . subscriptions = no type = shared } passdb { args = /etc/dovecot/dovecot-ldap.conf.ext driver = ldap } plugin { acl = vfile acl_shared_dict = file:/var/maildir/shared-mailboxes sieve = ~/.dovecot.sieve sieve_dir = ~/sieve } protocols = imap lmtp service lmtp { inet_liste
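A cross-check of the two kinds of file listed in the message above, the acl_shared_dict file and the per-mailbox dovecot-acl files, as an added example that is not part of the original post and is not Dovecot's own code. It assumes dict keys of the form shared/shared-boxes/user/<to>/<from> with value 1 and ACL lines of the form `<identifier> <rights>`; the function names, the (owner, mailbox) keys and the entries marked constructed are hypothetical.

```python
# Single-letter rights used in dovecot-acl files.
RIGHT_NAMES = {
    "l": "lookup", "r": "read", "w": "write", "s": "write-seen",
    "t": "write-deleted", "i": "insert", "p": "post", "e": "expunge",
    "k": "create", "x": "delete", "a": "admin",
}
BROAD_IDS = {"anyone", "authenticated"}
DICT_PREFIX = ["shared", "shared-boxes", "user"]

# First four entries as shown by `cat /var/maildir/shared-mailboxes` in the post;
# the last entry is constructed to show a dict entry with no ACL behind it.
SHARED_DICT = """\
shared/shared-boxes/user/user002/user001 1
shared/shared-boxes/user/user002/user002 1
shared/shared-boxes/user/user001/user001 1
shared/shared-boxes/user/user001/user002 1
shared/shared-boxes/user/user003/user002 1
"""

# (owner, mailbox) -> contents of that mailbox's dovecot-acl file.
# The first two are from the post; the "archive" entry is constructed.
ACL_FILES = {
    ("user001", "docs-user001"): "user=user002 lr\n",
    ("user002", "docs-user002"): "user=user001 lr\n",
    ("user002", "archive"): "# constructed\nuser=user004 lrw\nanyone l\n",
}


def parse_shared_dict(text):
    """Return {(to_user, from_user)}; accepts key and value on one line or on two."""
    tokens = text.split()
    pairs = set()
    for key, value in zip(tokens[0::2], tokens[1::2]):
        parts = key.split("/")
        if len(parts) == 5 and parts[:3] == DICT_PREFIX and value == "1":
            pairs.add((parts[3], parts[4]))
    return pairs


def parse_acl(text):
    """Return [(identifier, [right names])] for the positive entries of one file."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        identifier, _, rights = line.partition(" ")
        if identifier.startswith("-"):
            continue  # negative entries remove rights, they grant nothing
        letters = rights.split(":")[0].strip()
        names = sorted(RIGHT_NAMES[c] for c in letters if c in RIGHT_NAMES)
        entries.append((identifier, names))
    return entries


def audit(dict_text, acl_files):
    """Compare what the dict advertises with what the ACL files actually grant."""
    listed = parse_shared_dict(dict_text)
    grants, broad, granted = [], [], set()
    for (owner, mailbox), text in sorted(acl_files.items()):
        for identifier, rights in parse_acl(text):
            if identifier in BROAD_IDS:
                broad.append((owner, mailbox, identifier, rights))
            elif identifier.startswith("user="):
                grantee = identifier[len("user="):]
                if grantee != owner:
                    grants.append((owner, mailbox, grantee, rights))
                    granted.add((grantee, owner))
    # Entries where <to> equals <from> appear in the post's listing; they are
    # reported on their own and left out of the comparison.
    cross = {pair for pair in listed if pair[0] != pair[1]}
    return {
        "grants": grants,
        "broad_grants": broad,
        "self_entries": sorted(listed - cross),
        "dict_without_acl": sorted(cross - granted),
        "acl_without_dict": sorted(granted - cross),
    }


if __name__ == "__main__":
    for name, rows in audit(SHARED_DICT, ACL_FILES).items():
        print(name)
        for row in rows:
            print("  ", row)
```

Each pair in `dict_without_acl` and `acl_without_dict` is (to_user, from_user), matching the order in the dict key.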
Re: [Dovecot] Shared Mailboxes with VirtualUsers and mail_location retrieved from ldap
and for the time that user001 execute the imap 'list' command, this is the log trace in dovecot: Sep 9 13:09:12 imap1 dovecot: imap(user001): Debug: Namespace : type=shared, prefix=shared.%u., sep=., inbox=no, hidden=no, list=children, subscriptions=no location=maildir:%h/mailSubDir:INDEX=~/mailSubDir/shared/%u Sep 9 13:09:12 imap1 dovecot: imap(user001): Debug: shared: root=/var/run/dovecot/, index=, control=, inbox=, alt= [...] Sep 9 13:10:44 imap1 dovecot: auth: Debug: master in: USER 1 user002 service=lib-storage Sep 9 13:10:44 imap1 dovecot: auth: Debug: ldap(user002): user search: base=dc=example,dc=com scope=subtree filter=(&(objectClass=CourierMailAccount)(uid=user002)) fields=mailbox,homeFilter Sep 9 13:10:44 imap1 dovecot: auth: Debug: ldap(user002): result: mailbox(mail=maildir:/var/maildir/%$)=vol05/4/40/user002 homeFilter(home)=/var/mailfilter/vol05/4/40/user002 Sep 9 13:10:44 imap1 dovecot: auth: Debug: master out: USER 1 user002 mail=maildir:/var/maildir/vol05/4/40/user002 home=/var/mailfilter/vol05/4/40/user002 Sep 9 13:10:44 imap1 dovecot: imap(user001): Debug: auth input: user002 mail=maildir:/var/maildir/vol05/4/40/user002 home=/var/mailfilter/vol05/4/40/user002 Sep 9 13:10:44 imap1 dovecot: imap(user001): Debug: maildir++: root=/var/mailfilter/vol05/4/40/user002/mailSubDir, index=/var/mailfilter/vol04/4/46/user001/mailSubDir/shared/user002, control=, inbox=/var/mailfilter/vol05/4/40/user002/mailSubDir, alt= Sep 9 13:10:44 imap1 dovecot: imap(user001): Debug: acl: initializing backend with data: vfile Sep 9 13:10:44 imap1 dovecot: imap(user001): Debug: acl: acl username = user001 Sep 9 13:10:44 imap1 dovecot: imap(user001): Debug: acl: owner = 0 Sep 9 13:10:44 imap1 dovecot: imap(user001): Debug: acl vfile: Global ACL directory: (none) Sep 9 13:10:44 imap1 dovecot: imap(user001): Debug: acl: Mailbox not in dovecot-acl-list: shared.user002.INBOX
[Dovecot] NO Unknown subscription namespace.
Hello,

What does this message mean? "NO Unknown subscription namespace."

The shared namespace is visible and I can fetch messages from it, but subscription fails with the above message.

(user002 is sharing the folder named docs-users002 with user user001)

# telnet localhost 143
Trying ::1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN] Dovecot ready.
. login user001 secret
. OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS ACL RIGHTS=texk] Logged in
. list "shared." "*"
* LIST (\Noselect \HasChildren) "." "shared.user002"
. OK List completed.
. list "shared.user002." "*"
* LIST (\HasNoChildren) "." "shared.user002.docs-user002"
. OK List completed.
. list "shared.user002.docs-user002." "*"
. OK List completed.
. select "shared.user002.docs-user002"
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft)] Flags permitted.
* 2 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 1315765265] UIDs valid
* OK [UIDNEXT 3] Predicted next UID
* OK [HIGHESTMODSEQ 3] Highest
. OK [READ-WRITE] Select completed.
. fetch 1 all
* 1 FETCH (FLAGS (\Seen) INTERNALDATE "24-Nov-2009 11:58:34 +0100" RFC822.SIZE 3734 ENVELOPE ("Tue, 24 Nov 2009 07:58:34 -0400 (AST)" "Thank you for registering for the Red Hat Virtual Experience" (("supp...@virtualevents365.com" NIL "support" "virtualevents365.com")) (("supp...@virtualevents365.com" NIL "support" "virtualevents365.com")) (("supp...@virtualevents365.com" NIL "support" "virtualevents365.com")) (("damocl...@hotmail.com" NIL "damocles-" "hotmail.com")) NIL NIL NIL "<6955854.2731259063914762.javamail.r...@app130.vs.int.cgsinc.ca>"))
. OK Fetch completed.
. subscribe "shared.user002.docs-user002"
. NO Unknown subscription namespace.
. logout
* BYE Logging out
. OK Logout completed.
Connection closed by foreign host.

//
namespace {
  inbox = yes
  location =
  prefix = INBOX.
  separator = .
  subscriptions = yes
}
namespace {
  list = yes
  location = maildir:/var/virtual-maildir/%%n
  prefix = shared.%%n.
  separator = .
  subscriptions = no
  type = shared
}
[Dovecot] director ignoring director_mail_servers for lmtp connections
Hello, Following Jan-Frode's advise I am trying this configuration: {postfix} ---lmtp---> {director} ---lmtp---> {dovecot} so I have two dovecot instances for director/proxy and lmtp delivery on ports 1024 and 24 respectively. whilst for imap connections I can specify a pool of imap backend servers via 'director_mail_servers' it seems is not possible with lmtp. Sep 12 17:14:13 imap1 dovecot: auth: Debug: master in: PASS 1 user...@example.com service=lmtp lip=::1 lport=1024 rip=::1 rpor5 Sep 12 17:14:13 imap1 dovecot: auth: Debug: static(user...@example.com,::1): lookup Sep 12 17:14:13 imap1 dovecot: auth: Debug: password(user...@eexample.com,::1): Credentials: Sep 12 17:14:13 imap1 dovecot: auth: Debug: master out: PASS 1 user=user...@example.com proxy port=24 Sep 12 17:14:13 imap1 dovecot: lmtp(25682): Debug: auth input: user=user...@example.com proxy port=24 Sep 12 17:14:13 imap1 dovecot: lmtp(25682): Error: proxy: host not given Sep 12 17:14:13 imap1 dovecot: lmtp(25682): Debug: Loading modules from directory: /usr/lib64/dovecot/modules Sep 12 17:14:13 imap1 dovecot: lmtp(25682): Debug: Module loaded: /usr/lib64/dovecot/modules/lib01_acl_plugin.so Sep 12 17:14:13 imap1 dovecot: auth: Debug: master in: USER 2 user...@example.com service=lmtp lip=::1 rip=::1 Sep 12 17:14:13 imap1 dovecot: auth: Debug: static(user...@example.com,::1): lookup Sep 12 17:14:13 imap1 dovecot: auth: Debug: password(user...@example.com,::1): Credentials: Sep 12 17:14:13 imap1 dovecot: auth: Debug: master out: USER 2 user...@example.com Sep 12 17:14:13 imap1 dovecot: lmtp(25682): Debug: auth input: user...@example.com Sep 12 17:14:43 imap1 dovecot: lmtp(25682): Disconnect from ::1: Client quit (in RCPT TO) how I can redirect incoming lmtp request to backend lmtp servers (and not just one)? what I'm missing here? 
/--/ # dovecot -c /etc/dovecot-director/dovecot.conf -n # 2.0.14: /etc/dovecot-director/dovecot.conf # OS: Linux 2.6.34.7-0.7-xen x86_64 openSUSE 11.3 (x86_64) auth_debug = yes auth_debug_passwords = yes auth_verbose = yes auth_verbose_passwords = plain base_dir = /var/run/dovecot-director/ director_mail_servers = 101.180.245.101 director_servers = 101.180.245.101 disable_plaintext_auth = no lmtp_proxy = yes mail_debug = yes mail_fsync = always mail_gid = 5000 mail_nfs_index = yes mail_nfs_storage = yes mail_plugins = acl mail_uid = 5000 managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date mmap_disable = yes passdb { args = proxy=y nopassword=y driver = static } plugin { acl = vfile sieve = ~/.dovecot.sieve sieve_dir = ~/sieve } protocols = imap lmtp service auth { unix_listener auth-userdb { group = vmail mode = 0666 user = vmail } } service director { fifo_listener login/proxy-notify { mode = 0666 } inet_listener { port = 9090 } unix_listener director-userdb { mode = 0666 } unix_listener login/director { mode = 0666 } } service imap-login { executable = imap-login director inet_listener imap { port = 10143 } } service lmtp { inet_listener lmtp { port = 1024 } } ssl = no verbose_proctitle = yes protocol lmtp { passdb { args = proxy=y nopassword=y port=24 driver = static } } protocol imap { mail_max_userip_connections = 100 }
Re: [Dovecot] director ignoring director_mail_servers for lmtp connections
On 09/13/2011 08:34 AM, Jan-Frode Myklebust wrote:
> On Mon, Sep 12, 2011 at 04:55:51PM +0100, mailing lists wrote:
>>
>> director_mail_servers = 101.180.245.101
>> director_servers = 101.180.245.101

It works with imap connections, so I assumed it also would do it for lmtp.

Sep 13 09:04:03 imap1 dovecot: imap-login: proxy(user001): started proxying to 10.180.245.101:143: user=, method=PLAIN, rip=::1, lip=::1, secured

> Is this a loop maybe? director_mail_servers should list all
> your backend dovecot servers, space separated. Here's mine:
>
> director_mail_servers = 192.168.42.7 192.168.42.8 192.168.42.9
> 192.168.42.10 192.168.42.11 192.168.42.28 192.168.42.29

Using only one director and backend would be fine for test purposes (as it was with imap, and no loops were formed).

What I don't understand is why director insists on providing a proxy host from passdb when all it needs to do is pick the ones in director_mail_servers ¿?

Sep 12 17:14:13 imap1 dovecot: lmtp(25682): Error: proxy: host not given

Please could you post your lmtp configuration??
Re: [Dovecot] director ignoring director_mail_servers for lmtp connections
Hello, it works!! I was missing this line "auth_socket_path = director-userdb"

Sep 13 10:26:12 imap1 dovecot: auth: Debug: master in: PASS 1 user...@example.com service=lmtp lip=100.180.245.101 lport=1024 8
Sep 13 10:26:12 imap1 dovecot: auth: Debug: static(user...@example.com,100.180.242.38): lookup
Sep 13 10:26:12 imap1 dovecot: auth: Debug: password(user...@example.com,100.180.242.38): Credentials:
Sep 13 10:26:12 imap1 dovecot: auth: Debug: master out: PASS 1 user=user...@example.com proxy port=24
Sep 13 10:26:12 imap1 dovecot: lmtp(29659): Debug: auth input: user=user...@example.com proxy port=24 host=100.180.245.101 proxy_refresh=450
Sep 13 10:26:12 imap1 dovecot: lmtp(29658): Debug: none: root=, index=, control=, inbox=, alt=
Sep 13 10:26:12 imap1 dovecot: lmtp(29658): Connect from 100.180.245.101

full config for the archives:

# dovecot -c /etc/dovecot-director/dovecot.conf -n
# 2.0.14: /etc/dovecot-director/dovecot.conf
# OS: Linux 2.6.34.7-0.7-xen x86_64 openSUSE 11.3 (x86_64)
auth_debug = yes
auth_debug_passwords = yes
auth_verbose = yes
auth_verbose_passwords = plain
base_dir = /var/run/dovecot-director/
director_mail_servers = 100.180.245.101
director_servers = 100.180.245.101
disable_plaintext_auth = no
lmtp_proxy = yes
mail_debug = yes
mail_fsync = always
mail_gid = 5000
mail_nfs_index = yes
mail_nfs_storage = yes
mail_plugins = acl
mail_uid = 5000
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy ine
mmap_disable = yes
passdb {
  args = proxy=y nopassword=y
  driver = static
}
plugin {
  acl = vfile
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
protocols = imap lmtp
service auth {
  unix_listener auth-userdb {
    group = vmail
    mode = 0666
    user = vmail
  }
}
service director {
  fifo_listener login/proxy-notify {
    mode = 0666
  }
  inet_listener {
    port = 9090
  }
  unix_listener director-userdb {
    mode = 0666
  }
  unix_listener login/director {
    mode = 0666
  }
}
service imap-login {
  executable = imap-login director
  inet_listener imap {
    port = 10143
  }
}
service lmtp {
  inet_listener lmtp {
    port = 1024
  }
}
ssl = no
verbose_proctitle = yes
protocol lmtp {
  auth_socket_path = director-userdb
  passdb {
    args = proxy=y nopassword=y port=24
    driver = static
  }
}
protocol imap {
  mail_max_userip_connections = 100
}
[Dovecot] Panic: file lmtp-proxy.c: line 370 (lmtp_proxy_output_timeout): assertion failed: (proxy->data_input->eof)
Hello all, today I got this crash from dovecot (2.0.14)

Sep 29 14:09:32 imap1 dovecot: lmtp(17693): Panic: file lmtp-proxy.c: line 370 (lmtp_proxy_output_timeout): assertion failed: (proxy->data_input->eof)
Sep 29 14:09:32 imap1 dovecot: lmtp(17693): Error: Raw backtrace: /usr/lib64/dovecot/libdovecot.so.0(+0x3f9aa) [0x7f18f10299aa] -> /usr/lib64/dovecot/libdovecot.so.0(+0x3f9f6) [0x7f18f10299f6] -> /usr/lib64/dovecot/libdovecot.so.0(i_fatal+0) [0x7f18f1003211] -> dovecot/lmtp(+0x7a4f) [0x7f18f1982a4f] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_handle_timeouts+0xcb) [0x7f18f103590b] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_handler_run+0x5b) [0x7f18f103680b] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_run+0x28) [0x7f18f1035768] -> /usr/lib64/dovecot/libdovecot.so.0(master_service_run+0x13) [0x7f18f1023423] -> dovecot/lmtp(main+0x183) [0x7f18f197fa93] -> /lib64/libc.so.6(__libc_start_main+0xfd) [0x7f18f0ca8b7d] -> dovecot/lmtp(+0x4819) [0x7f18f197f819]
Sep 29 14:09:32 imap1 dovecot: master: Error: service(lmtp): child 17693 killed with signal 6 (core dumps disabled)

/-/

# dovecot -n -c /etc/dovecot-director/dovecot.conf
# 2.0.14: /etc/dovecot-director/dovecot.conf
# OS: Linux 2.6.34.7-0.7-xen x86_64 openSUSE 11.3 (x86_64)
auth_debug = yes
auth_verbose = yes
base_dir = /var/run/dovecot-director/
director_mail_servers = 100.1.245.101 100.1.245.105
director_servers = 100.1.245.101:9091 100.1.245.105:9091 100.1.241.204:9091
disable_plaintext_auth = no
doveadm_proxy_port = 24245
lmtp_proxy = yes
mail_debug = yes
mail_fsync = always
mail_gid = 5000
mail_nfs_index = yes
mail_nfs_storage = yes
mail_plugins = acl
mail_uid = 5000
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date
mmap_disable = yes
passdb {
  args = proxy=y nopassword=y
  driver = static
}
plugin {
  acl = vfile
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
protocols = imap lmtp pop3
service auth {
  unix_listener auth-userdb {
    group = vmail
    mode = 0666
    user = vmail
  }
}
service director {
  fifo_listener login/proxy-notify {
    mode = 0666
  }
  inet_listener {
    port = 9091
  }
  unix_listener director-userdb {
    mode = 0666
  }
  unix_listener login/director {
    mode = 0666
  }
}
service doveadm {
  inet_listener {
    port = 24245
  }
}
service imap-login {
  executable = imap-login director
  inet_listener imap {
    port = 10143
  }
}
service lmtp {
  inet_listener lmtp {
    port = 1024
  }
}
service pop3-login {
  executable = pop3-login director
  inet_listener pop3 {
    port = 10110
  }
}
ssl = no
verbose_proctitle = yes
protocol lmtp {
  auth_socket_path = director-userdb
  passdb {
    args = proxy=y nopassword=y port=24
    driver = static
  }
}
protocol imap {
  mail_max_userip_connections = 100
}
local 100.1.245.101/28/28 {
  doveadm_password = secret
}
[Dovecot] doveadm(user001): Fatal: passdb lookup failed
Hello all, why can I run this command:

imap1:~ # doveadm user user001
userdb: user001
  mail : maildir:/var/maildir/vol04/4/46/user001
  home : /var/mailfilter/vol04/4/46/user001
  quota_rule: *:bytes=1

but not this one:

imap1:~ # doveadm quota get -u user001
doveadm(user001): Error: user user001: Auth PASS lookup failed
doveadm(user001): Fatal: passdb lookup failed

What am I missing?

/---/

imap1:/etc/dovecot # grep ^[^#] dovecot-ldap.conf.ext
uris = ldap://ldap.example.com
dn = cn=admin,dc=example,dc=com
dnpass = secret
sasl_bind = no
tls = no
auth_bind = yes
ldap_version = 3
base = dc=example,dc=com
deref = never
scope = subtree
user_attrs = mailbox=mail=maildir:/var/maildir/%$,homeFilter=home,mailQuota=quota_rule=*:bytes=%$
user_filter = (&(objectClass=CourierMailAccount)(uid=%n))
pass_attrs = uid=user,userPassword=password
pass_filter = (&(objectClass=CourierMailAccount)(uid=%n))
iterate_filter = (objectClass=CourierMailAccount)

imap1:/etc/dovecot # dovecot -n
# 2.0.14: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.34.7-0.7-xen x86_64 openSUSE 11.3 (x86_64)
auth_debug = yes
auth_verbose = yes
base_dir = /var/run/dovecot/
disable_plaintext_auth = no
doveadm_proxy_port = 24244
doveadm_socket_path = localhost:24244
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
mail_debug = yes
mail_fsync = always
mail_gid = 5000
mail_nfs_index = yes
mail_nfs_storage = yes
mail_plugins = acl quota notify
quota = maildir:User Quota
quota_exceeded_message = Quota exceded
quota_rule2 = Trash:storage=+50M
quota_warning = storage=95%% quota-warning 95 %u
quota_warning2 = storage=90%% quota-warning 90 %u
mail_uid = 5000
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date
mmap_disable = yes
namespace {
  inbox = yes
  list = yes
  location =
  prefix =
  separator = .
  subscriptions = yes
}
namespace {
  hidden = yes
  inbox = no
  list = no
  location =
  prefix = INBOX.
  separator = .
  subscriptions = no
}
namespace {
  list = children
  location = maildir:/var/virtual-maildir/%%n:INDEX=~/shared.%%n
  prefix = shared.%%n.
  separator = .
  subscriptions = no
  type = shared
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
plugin {
  acl = vfile
  acl_shared_dict = file:/var/maildir/shared-mailboxes
  mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename flag_change append
  mail_log_fields = uid box msgid from subject size vsize flags
  mail_plugins = " mail_log notify"
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
postmaster_address = nonrespo...@example.com
service auth {
  unix_listener auth-userdb {
    group = vmail
    mode = 0600
    user = vmail
  }
}
service dict {
  unix_listener dict {
    group = vmail
    mode = 0600
    user = vmail
  }
}
service doveadm {
  inet_listener {
    port = 24244
  }
}
service imap {
  process_limit = 1024
}
service lmtp {
  inet_listener lmtp {
    port = 24
  }
  unix_listener lmtp {
    group = vmail
    mode = 0666
    user = vmail
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 110
  }
}
service pop3 {
  process_limit = 1024
}
service quota-warning {
  executable = script /etc/dovecot/quota-warning.sh
  user = vmail
}
ssl = no
userdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
verbose_proctitle = yes
protocol lmtp {
  mail_plugins = acl quota notify sieve
}
protocol lda {
  mail_plugins = acl quota notify sieve
}
protocol imap {
  mail_max_userip_connections = 100
  mail_plugins = acl quota notify imap_acl autocreate imap_quota
}
protocol pop3 {
  pop3_uidl_format = %v-%u
}
local 100.1.245.101/28/28 {
  doveadm_password = secret
}
[Dovecot] Failing to share folders when listescape is enabled (2.0.14)
Hello, how can I share a folder with dots when the listescape plugin is enabled?

In this example user001 is sharing two folders named "docs-abc" and "docs-a.b.c" to user002. The first folder (without dots) is seen by user002 but the second is not found by dovecot because it searches for a system folder named ".docs-a.b.c" but the system folder is ".docs-a\2eb\2ec"

Nov 8 11:03:52 imap2 dovecot: imap(user002): Debug: acl vfile: file /var/virtual-maildir/user001/.docs-a.b.c/dovecot-acl not found

drwx-- 2 vmail vmail 4096 2011-11-08 10:54 cur
drwx-- 5 vmail vmail 4096 2011-11-08 10:57 .docs-a\2eb\2ec
drwx-- 5 vmail vmail 4096 2011-11-08 10:57 .docs-abc
-rw--- 1 vmail vmail 20 2011-11-08 10:57 dovecot-acl-list
-rw--- 1 vmail vmail 248 2011-11-08 10:55 dovecot.index.log
-rw--- 1 vmail vmail 96 2011-11-08 10:54 dovecot.mailbox.log
-rw--- 1 vmail vmail 51 2011-11-08 10:55 dovecot-uidlist
-rw--- 1 vmail vmail 8 2011-11-08 10:57 dovecot-uidvalidity
-r--r--r-- 1 vmail vmail 0 2011-11-08 10:54 dovecot-uidvalidity.4eb8fc5b
drwx-- 5 vmail vmail 4096 2011-11-08 10:57 .Drafts
-rw--- 1 vmail vmail 15 2011-11-08 10:54 maildirsize
drwx-- 2 vmail vmail 4096 2011-11-08 10:54 new
drwx-- 5 vmail vmail 4096 2011-11-08 10:54 .Sent
drwx-- 5 vmail vmail 4096 2011-11-08 10:54 .Spam
-rw--- 1 vmail vmail 23 2011-11-08 10:54 subscriptions
drwx-- 2 vmail vmail 4096 2011-11-08 10:54 tmp
drwx-- 5 vmail vmail 4096 2011-11-08 10:54 .Trash

# cat /var/virtual-maildir/user001/subscriptions
Trash
Sent
Drafts
Spam
docs-abc
docs-a\2eb\2ec

# telnet localhost 143
Trying ::1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN] Dovecot ready.
. login user001 X
. OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS QUOTA ACL RIGHTS=texk] Logged in
. create docs-abc
. OK Create completed.
. create docs-a.b.c
. OK Create completed.
. setacl docs-abc user002 lrsw
. OK Setacl complete.
. setacl docs-a.b.c user002 lrsw
. OK Setacl complete.
. subscribe docs-abc
. OK Subscribe completed.
. subscribe docs-a.b.c
. OK Subscribe completed.
. logout
* BYE Logging out
. OK Logout completed.
Connection closed by foreign host.

# telnet localhost 143
Trying ::1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN] Dovecot ready.
. login user002 XX
. OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS QUOTA ACL RIGHTS=texk] Logged in
. subscribe shared/user001/docs-abc
. OK Subscribe completed.
. subscribe shared/user001/docs-a.b.c
. NO Mailbox doesn't exist: shared/user001/docs-a.b.c
. logout
* BYE Logging out
. OK Logout completed.
Connection closed by foreign host.

/-/

# dovecot -n
# 2.0.14: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.34.7-0.7-xen x86_64 openSUSE 11.3 (x86_64)
auth_debug = yes
auth_verbose = yes
base_dir = /var/run/dovecot/
dict {
  expire = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
}
disable_plaintext_auth = no
doveadm_proxy_port = 24244
doveadm_socket_path = localhost:24244
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
mail_debug = yes
mail_fsync = always
mail_gid = 5000
mail_nfs_index = yes
mail_nfs_storage = yes
mail_plugins = acl quota notify expire listescape
mail_uid = 5000
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date
mmap_disable = yes
namespace {
  inbox = yes
  list = yes
  location =
  prefix =
  separator = /
  subscriptions = yes
  type = private
}
namespace {
  list = children
  location = maildir:/var/virtual-maildir/%%n:INDEX=~/shared.%%n
  prefix = shared/%%n/
  separator = /
  subscriptions = no
  type = shared
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
plugin {
  acl = vfile
  acl_shared_dict = file:/var/maildir/vol00/shared-mailboxes
  autocreate = Trash
  autocreate2 = Sent
  autocreate3 = Drafts
  autocreate4 = Spam
  autosubscribe = Trash
  autosubscribe2 = Sent
  autosubscribe3 = Drafts
  autosubscribe4 = Spam
  expire = Trash
  expire2 = Trash/*
  expire5 = Spam
  expire6 = Spam/*
  expire_dict = proxy::expire
  mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename flag_change append
  mail_log_fields = uid box ms
Re: [Dovecot] IPv6 & SSL
On 10/06/2012 12:02 PM, Patrick Westenberg wrote:
> Hi Luigi, with regard to SSL my configuration is much more simple and it works fine with IPv4 and IPv6. But you have of course to use a hostname matching the certificate's common name.

You could add additional hostnames in the certificate by specifying them in SubjectAltName. I use that so my certificate works with both the public FQDN going over the Internet as well as the internal hostname when using a VPN or on the local LAN.

Regards, Patrick
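The SubjectAltName approach from the message above, as an added example that is not part of the original post. It goes one step beyond the message: clients that follow RFC 6125 ignore the common name once a DNS SubjectAltName is present, so the public FQDN has to be listed there too. The hostnames and the three certificates are constructed, and the wildcard rule is a deliberately conservative assumption.

```python
# Added example (not from the thread): hostname matching as TLS clients do it.
# Certificates use the dict layout returned by ssl.SSLSocket.getpeercert().

def dns_sans(cert):
    """All dNSName entries of the SubjectAltName extension."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def common_names(cert):
    """All commonName values of the subject."""
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def _label_match(pattern, host):
    want = pattern.lower().rstrip(".").split(".")
    have = host.lower().rstrip(".").split(".")
    if len(want) != len(have):
        return False
    if want[0] == "*":
        # Assumption: a wildcard covers exactly one left-most label and is
        # only honoured when at least two further labels follow it.
        return len(want) > 2 and want[1:] == have[1:]
    return want == have


def hostname_matches(cert, host):
    """RFC 6125 order: DNS SANs first, common name only if there are none."""
    sans = dns_sans(cert)
    names = sans if sans else common_names(cert)
    return any(_label_match(name, host) for name in names)


def uncovered(cert, hosts):
    """Hostnames clients will use that this certificate does not cover."""
    return [h for h in hosts if not hostname_matches(cert, h)]


# Constructed names: one public FQDN, one internal LAN/VPN name.
HOSTS = ["mail.example.com", "imap1.lan.example"]
SUBJECT = ((("commonName", "mail.example.com"),),)

CN_ONLY = {"subject": SUBJECT}
SAN_INTERNAL_ONLY = {"subject": SUBJECT,
                     "subjectAltName": (("DNS", "imap1.lan.example"),)}
SAN_BOTH = {"subject": SUBJECT,
            "subjectAltName": (("DNS", "mail.example.com"),
                               ("DNS", "imap1.lan.example"))}

if __name__ == "__main__":
    for label, cert in [("CN only", CN_ONLY),
                        ("SAN, internal name only", SAN_INTERNAL_ONLY),
                        ("SAN, both names", SAN_BOTH)]:
        print(f"{label}: not covered -> {uncovered(cert, HOSTS)}")
```

The middle certificate is the case to watch for: adding only the internal name as a SubjectAltName makes the public name stop validating, even though it is still the common name.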
[Dovecot] doveadm fails with passdb authentication binds (dovecot 2.0.16)
Hello, I'm testing passdb auth binds with dovecot 2.0.16, but for some reason doveadm fails to work with the configuration shown below. The network trace shows the successful bind for the administrative user (uid=mailapp), but nothing for the mail user (uid=user001). What am I missing here?

# doveadm mailbox list -u user001
doveadm(user001): Error: user user001: Auth PASS lookup failed
doveadm(user001): Fatal: passdb lookup failed

10-auth.conf:
disable_plaintext_auth = no
auth_cache_size = 0
auth_cache_ttl = 0
auth_cache_negative_ttl = 0
auth_mechanisms = plain
!include auth-ldap.conf.ext

auth-ldap.conf.ext:
passdb {
  driver = ldap
  args = /etc/dovecot/passdb-dovecot-ldap.conf.ext
}
userdb {
  driver = ldap
  args = /etc/dovecot/userdb-dovecot-ldap.conf.ext
}

passdb-dovecot-ldap.conf.ext:
uris = ldap://ldap.example.com
dn = uid=mailapp,ou=People,dc=example,dc=com
dnpass = xx
sasl_bind = no
tls = no
auth_bind = yes
ldap_version = 3
base = dc=example,dc=com
deref = never
scope = subtree
pass_attrs = uid=user
pass_filter = (uid=%n)

userdb-dovecot-ldap.conf.ext:
uris = ldap://ldap.example.com
dn = uid=mailapp,ou=People,dc=example,dc=com
dnpass = xx
sasl_bind = no
tls = no
auth_bind = yes
ldap_version = 3
base = dc=example,dc=com
deref = never
scope = subtree
user_attrs = mailbox=mail=maildir:/var/maildir/%$,homeFilter=home,mailQuota=quota_rule=*:bytes=%$
user_filter = (&(objectClass=posixAccount)(uid=%n))
pass_attrs = uid=user,userPassword=password,\
  mailbox=userdb_mail=maildir:/var/maildir/%$,homeFilter=userdb_home,mailQuota=userdb_quota_rule=*:bytes=%$
pass_filter = (&(objectClass=posixAccount)(uid=%n))
iterate_attrs = uid=user
iterate_filter = (objectClass=posixMailAccount)
Re: [Dovecot] doveadm fails with passdb authentication binds (dovecot 2.0.16)
Hello,

>> # doveadm mailbox list -u user001
>> doveadm(user001): Error: user user001: Auth PASS lookup failed
>> doveadm(user001): Fatal: passdb lookup failed
> Are you running this on a Dovecot proxy? It looks like doveadm wants to do a
> passdb lookup to find out which server should handle this user. Passdb
> lookups don't work with LDAP binding. But if everything else works then I
> think you simply shouldn't have enabled doveadm proxying. So, set
> doveadm_proxy_port back to 0?

Thank you Timo, setting doveadm_proxy_port to 0 did the trick.
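A check for the combination behind "passdb lookup failed" in this thread and in the earlier "doveadm(user001): Fatal: passdb lookup failed" post, as an added example that is not from the list or from the Dovecot project. It encodes the explanation given in the reply above (doveadm proxying needs a passdb lookup, which does not work with LDAP authentication binds); the function names are hypothetical and the sample input is constructed from settings posted on this page.

```python
# Added example (not from the thread). Flags doveadm proxying enabled while a
# global LDAP passdb authenticates by binding (auth_bind = yes).

def parse_kv(text):
    """Parse 'key = value' lines as found in dovecot-ldap.conf.ext."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings


def parse_doveconf(text):
    """Return (top-level settings, global passdb blocks) from `dovecot -n` output."""
    top, passdbs, stack = {}, [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())
            if stack == ["passdb"]:
                passdbs.append({})
        elif line == "}":
            if stack:
                stack.pop()
        elif "=" in line:
            key, _, value = line.partition("=")
            if not stack:
                top[key.strip()] = value.strip()
            elif stack == ["passdb"]:
                passdbs[-1][key.strip()] = value.strip()
    return top, passdbs


def doveadm_lookup_problems(doveconf_text, ldap_files):
    """ldap_files maps each passdb 'args' path to the text of that file."""
    top, passdbs = parse_doveconf(doveconf_text)
    port = top.get("doveadm_proxy_port", "0")
    if port == "0":  # proxying off: the fix reported in the thread
        return []
    problems = []
    for db in passdbs:
        path = db.get("args", "")
        if db.get("driver") != "ldap" or path not in ldap_files:
            continue
        if parse_kv(ldap_files[path]).get("auth_bind", "no") == "yes":
            problems.append(f"doveadm_proxy_port={port} with auth_bind=yes in {path}")
    return problems


# Constructed sample, reduced from the settings posted in the thread.
SAMPLE_DOVECONF = """\
doveadm_proxy_port = 24244
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
"""
SAMPLE_LDAP = {"/etc/dovecot/dovecot-ldap.conf.ext":
               "auth_bind = yes\npass_filter = (uid=%n)\n"}

if __name__ == "__main__":
    for problem in doveadm_lookup_problems(SAMPLE_DOVECONF, SAMPLE_LDAP):
        print("WARNING:", problem)
```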
Re: [Dovecot] Understanding Sockets
On 12/22/2012 09:50 AM, Reindl Harald wrote:
> because they are too lazy to learn how to build packages for their distribution which is at least for redhat-based distribution trivial

Calling people lazy is a bit over the top now isn't it? The reason that organizations use Red Hat RHEL is, among other things, support. And Red Hat only supports what they ship. The ability to create an RPM of the latest version is not the issue. Losing support for that piece of software because you rolled your own is.

Regards, Patrick
Re: [Dovecot] sieve vacation error
Andre Rodier wrote:
> * If the sieve vacation script had to use a counter for limits per
> day, where is this counter supposed to be stored? I can't see any
> dovecot file. I have temporarily tried to use 0777 for
> home/sieve/maildir folders, but no file is created at all.

You don't have a file called .dovecot.lda-dupes there? And Sieve/Dovecot will produce an error file for sieve errors in the same directory where your dovecot.sieve file is located, I forgot the name of that file but it should be obvious.

(To me it sounds like you have a mail setup where the setup for email delivery causes vacation not to work properly, which has nothing to do with Dovecot or Sieve.)
Re: [Dovecot] Enabling security on POP3 and IMAP
Richard Hobbs wrote:
> I'm running Debian Lenny 5.0 btw - does anyone know if these keys were
> simply part of the dovecot package, or whether they have been generated
> during the installation process and are therefore unique?

In Debian Lenny (and Etch) those keys are generated during the installation of the dovecot-imapd and/or dovecot-pop3d packages. If you really want to re-do them, you can (re)move them, and then run apt-get install --reinstall dovecot-imapd dovecot-pop3d .
Re: [Dovecot] migrating from Courier
LuKreme wrote:
> 1) what do I need to do to convert or prepare the courier maildirs for
> dovecot?

See here: http://wiki.dovecot.org/Migration

> 2) is the current setup of virtual users reasonable for dovecot?
> 2.1) Is there a better option than postfixadmin?

I've been happily using Dovecot + Postfixadmin for years, and Postfixadmin is only getting better. But apparently the ISPwebAdmin is more flexible, http://workaround.org/ispmail/lenny/manage-email-accounts but I haven't really tried that one.

Regards, Adrian
Re: [Dovecot] Postfix issue but I want to fix it here...
On Mon, 30 Nov 2009 14:15:45 -0600 (CST) da...@davidwbrown.name wrote:

Hi,

>> Hello, Dovecot bunch and Timo. I am using Sylpheed as my
>> Dovecot/IMAP client. At home behind my LAN Sylpheed can send email
>> because the Postfix SMTPd views my LAN as a trusted network. No
>> such luck when I'm away from home.
--- cut ---
>> Error condition: Error occurred while sending the message: 554
>> 5.7.1 : Relay access denied

I suggest that you set up SASL with Dovecot for this, see here: http://wiki.dovecot.org/HowTo/PostfixAndDovecotSASL

Regards, Adrian
Re: [Dovecot] Spam filtering
Patrick Nagel wrote:
> You could go for bogofilter (purely Bayesian).
-- cut --
> The solution was inspired by a Gentoo Wiki article
> (http://www.gentoo-wiki.info/Bogofilter).

If it's not just for personal use, but on a mailserver with quite some users I'd like to happily recommend ASSP. http://assp.sf.net/

It's *not* easy to set up, but after you've gone through all the options and learned about it, it is indeed the most deadly spam killer around. It's very flexible, with a lot of options and active development. You can do regex filtering on subject, header, body, data etc. It has a nice web GUI, but you can put several things in different configuration files if you like.

One interesting option e.g. is to do delaying only for emails which have a certain "griplist" score. Another interesting option is the "Test mode", you can run it in front of e.g. postfix and just monitor it without doing any real filtering yet.