ation.
(Applicable only for alpine but show the interaction)
https://alpineapp.email/alpine/alpine-info/misc/AuthorizeAlpineGmail.html
Good luck.
Joseph Tam
___
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovec
DELETED BEFORE 5d
Joseph Tam
nd this by
seeding the cache by doing a doveadm search for that metadata
(date.received?).
Joseph Tam
n the IMAP server denies
then when they hit the max.
If Aki can't offer a solution, neither can I, but maybe you
can play around
with mail_max_userip_connections to stop them from swamping all your
connections.
You might have to resort to firewall or other general network control
From: Nils
> Still, there is no filter rule that would apply to that. Additionally, I
> only use "fileinto" actions in my filter rules.
No, I meant Thunderbird's rules and filters. If your mail reader
decides to not save the message,
IMAP and Sieve will neve
your sent
mail folder), you can look at other causes.
Joseph Tam
Postfix does a better job in this regard, so these issues may
not present themselves.
(I did a Postfix/opendkim milter on an Ubuntu system and it was much
less hassle.)
You should look at *lots* of DMARC RUA reports. People are doing crazy batsh*t
stuff with your mail domain.
Joseph Tam
meone gains control over your IMAP account, they can
create messages with a format totally different than what your mail server
can make.
Joseph Tam
ere: maybe artful remapping of namespaces?
https://doc.dovecot.org/configuration_manual/mail_location/#custom-namespace-location
Joseph Tam
"mail.domain.com" load balanced to
M1/M2, then both your Postfix servers need to use the same
certificate with "mail.domain.com" as a subject. Simple as that.
Joseph Tam
on
data and passes it to the persistent process via sockets? You'll
have to have some initial handshake protocol to establish session context,
but this seems the easiest way to accomplish what you want.
Joseph Tam
e appreciated.
This depends on how you set up your filesystem and authentication and your
security constraints. You'll have to be more specific on your setup.
Confining my reply to just SSL setup, you can obtain an SSL certificate
with multiple domains named listed, which makes multi-doma
dev/null |&
openssl x509 -noout -text | grep DNS:
DNS:sge.sgeinc.com, DNS:sgeinc.com, DNS:www.sgeinc.com
"mail.sgeinc.com" is not in your list of alternate names, hence your
mail clients
started rejecting the SSL certificate as invalid.
Joseph Tam
app tries the same stuff, but at least you can turn that
behaviour off and stop it from second guessing your settings.
Joseph Tam
gured
protocol pop3 {
...
pop3_reuse_xuidl = yes
}
Maybe that's of use to you?
Joseph Tam
On Thu, Jan 18, 2024 at 6:42 PM Joseph Tam wrote:
> If you dump the above values e.g.
>
> doveadm fetch -ftab -A 'mailbox date.received' mailbox Trash BEFORE 90d
Correction: if what I suspect is true, this won't show you anything as all
your messages will be yo
s before you ask
for it, then it gets instantiated the current timestamp when you do.
If you do a fetch
every day, you'll eventually reach 90d, and it will work forever more
(+/- 1 day).
Perhaps adding those fields into these settings is a more direct and
better solution:
https://do
6
> Address:1110 Nuuanu Ave
> City: Honolulu
> StateProv: HI
> PostalCode: 96817
> Country:US
Out of business virtual offices, naturally.
AIRLL also operating out of 195.96.137.0/24.
Joseph Tam
arvation
whose cause was not dovecot. I'm not sure what you hope to gain by saving
a few sockets that dovecot uses just to make headroom for a buggy script.
Joseph Tam
older than 60days? If the former, you can probably just delete the entire
INBOX folder or mailbox via filesystem commands as an alternative.
Joseph Tam
servation.
...
service_count
...
See note 3. above.
--------
Better?
Joseph Tam
0
> service_count = 100
This service limit might be your culprit.
I wrote about the strange interaction between service_count and
process_limit here:
https://www.mail-archive.com/dovecot%40dovecot.org/msg85850.html
This gotcha should really be documented.
Joseph Tam
you do..
That will disable STARTTLS though. Even though it's not plaintext,
maybe that is
a good thing as it avoids MITM banner stripping attacks.
Joseph Tam
the open
connections and do another round.
This may be interpreted as a BFD attack, and you'll lock out a legitimate user.
Joseph Tam
in: Disconnected: Inactivity (auth failed, 1
attempts in 180 secs): user= ...
I would modify /etc/fail2ban/filter.d/dovecot.conf to limit it to
0-99sec like so
failregex = ...( in \d{1,2} secs)...
Some BFD attempts will leak through but it avoids trigg
older than 30 days. I
> assume if I wait 30 days from now, it will start working?
Yup. If you run your script every day (and thus, run "doveadm fetch
... date.saved"
as well), that will make sure any new mail put into your Trash folder
will have date.saved
within 2
't previously set -- your run of same values
coincided when you ran "doveadm fetch".
My expunge script just uses date.received instead -- it seems to work.
Joseph Tam
's certificate authority store so that
your mail reader does not complain about an untrusted certificate.
Clear?
Joseph Tam
a 40s
gap in the session logs: it will tell you who was doing what when the pause
happened (e.g. during authentication? During LIST fetch? During message
fetch?)
For example, if dovecot was busy mulching through a large INBOX rebuilding
indices, I can see how it can chew up 40s under some circumstances.
Joseph Tam
ng out the correct data, then TB is somehow
misinterpreting it.
> on an uneducated guess, the mailbox is just 'too large' ?
> POP has difficulty handling so many files ?
Typically, if some resource limit is hit, one side or the other will
create a log or notification. Your INBOX is large, but not outrageous.
You can test it directly by creating smaller subsets of the INBOX messages
and see if the problem goes away.
Joseph Tam
dir/user
to obtain session transcripts of what server/client are doing.
I don't see any obvious errors from the logs that indicate any failure.
I do see the INBOX is rather large so maybe a timeout is involved.
Joseph Tam
s.
I lost the context of this thread, but if you're looking for mailutil
or the older pine
stuff, the project has forked into alpine and you can find the source tarball at
https://alpineapp.email/
Joseph Tam
es {0,1} so that
others don't blunder along the same path I did.
Joseph Tam
ny file descriptors are being held by the
config process, and
see the behaviour over time (e.g. monitor /proc/{pid}/fd/*); maybe
that will give you a clue
as to what the config process is doing.
Joseph Tam
> > doveadm -fjson mailbox status -u user unseen "*"
>
> Very nice Aki! I can pass that JSON to a Python program I make to parse
> JSON, and then just report the ones not having "unseen":"0" . Thank
Or use format "-ftab" and grep non-zero entries. Simpler than parsing JSON.
Joseph Tam
rs do not allow you to type the
mailbox name to delete.
I believe Thunderbird has some IMAP server setting that will give it a hint.
Joseph Tam
logs for this user
protocol imap {
...
rawlog_dir = /log/dir/%u
}
then
(Make sure this user has write permissions into this directory)
mkdir /log/dir/$user
After you're done, you can disable logging,
rm -rf /log/dir/$user
Joseph Tam
re how this is
typically handled -- maybe an outbound block rule is required to handle
this niche case to finally drive a stake through a BFD connection's
heart.
(more stuff:
https://unix.stackexchange.com/questions/646663/iptables-how-kill-established-connection-except-for-an-ip).
Joseph Tam
'll find many of
attacking IPs are represented on one of these lists.
2) Trigger immediate block against authentication attempts that
can not possibly be real (e.g. "mysql", "testuser", "nagios", etc.)
Joseph Tam
And are those quotes really there?
Joseph Tam
t with HTTP challenge and a stub web servers.
the original certificates were issued for domain: sample.com.
But this certs can be used for any.sample.com too?
For wildcarded certs (valid for *.sample.com), your only recourse is
use DNS challenges.
Joseph Tam
nge method
to support multiple hostnames on the same certificate.
Joseph Tam
can use Dovecot's
virtual mailbox feature to define a catch-all virtual mailbox to placate
these users which won't bring an imap process to its knees.
Joseph Tam
features to find what you're looking for.
Users of mine who previously used Gmail expect our mail system to behave
similarly, and I have to break them of their habit to packrat all their
mail into their INBOX.
Joseph Tam
to the same
pit I did.
References
[1] https://doc.dovecot.org/admin_manual/login_processes/
Joseph Tam
ock if you recognize it as a dictionary attack, but it may be too
late as your AD will see it by that point.
Joseph Tam
becomes a complex question how different
is different.
If you make some simplifying assumptions (e.g. exact same message body,
same header for From/Sending network or IP/time-range/Subject), you can
do a fairly good job.
Joseph Tam
he Apple mail client now has a similar control or
it's up to the user to figure it all out.
Joseph Tam
nyone come across this? Is this related to
https://doc.dovecot.org/configuration_manual/mail_location/mbox/mboxchildfolders/
?
Joseph Tam
utorials at various levels of
technical complexity, but the mathematics can get pretty hairy for both
key exchange methods.
Joseph Tam
n those FPs led to some useful discoveries that the client had a
malware they didn't know about.
http://www.blocklist.de/en/index.html also run a DBS RBL list and I've
had zero FPs after years of use. I think you can even get Fail2ban
report to your attackers to this site to add to the crowdsourcing.
Joseph Tam
On Wed, 5 Jan 2022, Ken Wright wrote:
Jan 5 22:09:30 grace dovecot: auth: Debug: client passdb out:
FAIL#0111#011user=m...@mydomain.com
Just a wild ass guess, but does your password backend expect "me", or
"m...@mydomain.com" (which is what it was given).
Joseph Tam
1.0)?
Those running Solr to implement Dovecot FTS should look at
https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228
Joseph Tam
S:www.deanhh.com, DNS:www.sizzelicks.com,
DNS:www.softlinksys.com
Is your Thunderbird set up to use one of the above server names, and not, for
example,
imap.aecperformance.com. The server name has to match one of the above.
Joseph Tam
rather than the whole MDBOX, the above is not applicable as any change to
a byte will affect all subsequent bytes.
I think MDBOX is a compromise in data granularity that tries to strike
a balance between various aspects of I/O performance.
Joseph Tam
well they catch IMAP hackers, but they list 95%+ of our
ssh brute forcing attacks.
Joseph Tam
be).
Ah, that is a different situation. It could happen if the same message
took different paths to your user e.g. via mailing list processor,
but that is less common and would probably break DKIM.
Joseph Tam
ssage-ids happen whenever
the sender names more than one local recipient during SMTP. It's a wholly
unreliable way to indicate spaminess. However, if a high proportion
of those recipients do not exist, ...
Joseph Tam
/var/run/lmtp')
If you don't need LMTP exposed to the internet (i.e. your front-end MTA
is on the same host as your LMTP), socket connection is probably simpler
and safer than TCP connections.
Joseph Tam
not much that can be without knowing your current settings.
Have you tried creating nested folder structure with your mail clients?
Joseph Tam
ingle account access.
Joseph Tam
is reporting in blocks, not K.
The man page for my OS's 'ls' states exactly that -- counts are in blocks.
Joseph Tam
hypothesis.
Apr 12 16:12:49 SERVERNAME dovecot: imap(ACCOUNTNAME): Logged out in=164 out=757
However, my hypothesis wouldn't produce this. This is an active
logout.
Joseph Tam
tell me "Duh, you can do
it with doveadm of course".
MIMEDefang may help.
Joseph Tam
2>&1
Maybe it's better to add another formatter to avoid tricky parsing
or shell hacks e.g.
# doveadm -f tab-nohdr ...
Joseph Tam
" done?
I'm not sure what you mean by "organizing": making users' mail more
consistent across different mail readers, despite their differences?
Most are taken care of by using IMAP, and there are special niche settings
for the mail reader features you're trying to address.
Joseph Tam
On Wed, 3 Mar 2021, Yassine Chaouche wrote:
On 3/2/21 at 9:02 PM, Matthias Kneer wrote:
# echo | openssl s_client -connect emu.sbt.net.au:110 2>/dev/null |
openssl x509 -noout
-enddate
I am intrigued about the function of echo in that command line ?
It's just a dummy input so that openssl
outlook-pop-leave-mail-on-server-for-days-not-deleting-mail.aspx
You may have to create a POP3 session log to diagnose what POP3 commands
your client is issuing.
Joseph Tam
On Fri, 15 Jan 2021, Ron Garret wrote:
Why not simply use the message-id?
Because not every email has one. RFC5322 doesn't require them.
Doesn't your MTA then insert one if it's missing?
Joseph Tam
hat needs to
have FD limits set larger than the sum of client_limits.
Joseph Tam
or limits, which is currently
set to match
default_client_limit = 1000
What should I set "ulimit -n" relative to client_limit? Or perhaps I've roofed
service imap-login {
process_limit = 2
...
}
and should adjust that?
Joseph Tam
MAP is the only authenticated service,
munge their password hash.
Joseph Tam
to reuse UIDLs. Maybe
pop3_reuse_xuidl = yes
Joseph Tam
ng
it to piggyback spam:
https://security.stackexchange.com/questions/241263/how-is-it-possible-that-this-spam-mail-came-from-google-forms-without-revealing
Blocking mail from @trix.bounces.google.com will squelch them, but
may also block legitimate response receipts.
Joseph Tam
L-and-TLS-Deployment-Best-Practices
- (client) enforce SSL connection (i.e. refuse plaintext
sessions).
Joseph Tam
f
the form {password}+{2fa-token}, then split each part to check against
authentication systems to check validity.
Joseph Tam
so a graph of user mailbox connections will
show sawtooth patterns.
Joseph Tam
time.
Joseph Tam
start rather
than a synchronous process, that will check certs and restart/reload once per
day/week/whatever. This is the method I use as my LE certificates are obtained
via DNS challenges on a different host.
Joseph Tam
tarted)
you can try debugging the interaction by using "openssl s_server" on
an alternate port with the same SSL parameters used by your dovecot.
It's not the full-fledged environment you're trying to test but may
expose the problem.
Joseph Tam
hich could really do your head in.
Joseph Tam
having to know all their passwords.
By making both master and passdb's the same, you allow anyone to access
anybody else's account e.g. "xyz" can access account for "abc" by using
their password with user "abc*xyz".
Joseph Tam
pass = yes
}
# Contains regular user credentials
passdb {
args = /etc/dovecot/passwd
driver = passwd-file
}
Joseph Tam
. |remail.sh), which accepts the message, then sends it to
your 20k+ recipients in small batches with small delays.
Joseph Tam
that ~user holds mailboxes,
you are telling Dovecot an untruth. It's better to tell Dovecot user
mailboxes (other than INBOX) don't exist, rather than to push all the
indices under the carpet.
Joseph Tam
ction: Tracking use of QUIT)
http://wiki.junkemailfilter.com/index.php/Spam_DNS_Lists
I issue post-DATA return codes, and I have yet, in decades of use, had
problems with legitimate senders.
Joseph Tam
. I have email that I need that
arrives like that.
This entire thread belongs on an anti-spam forum, but you might want to
check out
http://msbl.org/ebl.html
Joseph Tam
sure whether owner=rootZ:root, mode=555 will work, but those
permissions would be the safest.
Joseph Tam
; }
Also my backup scripts have locking procedures built-in so as to avoid race
conditions.
You might also want a trap handler that does a cleanup in case something
goes sideways in the middle of processing e.g.
trap rmTmpFiles 0
Joseph Tam
install: not using a package manager. (I've edited the doveconf
location, but you've outed me.) I was hoping to get "doveadm pw"
working on non-dovecot servers without having to provide seemingly
irrelevant dependencies, but it's probably more bother than it's worth.
Thanks, anyways.
Joseph Tam
password out of a client, despite what the server policy is, or even
whether the server is available.
Only allowing implicit SSL will guarantee insecurely configured clients
will fail (and maybe not even that if it autoconfigures), but it doesn't
prevent them from being exploited.
Joseph Tam
r/bin/doveconf) failed: No such file or
directory
Joseph Tam
ectory
Is there a way to circumvent the need for a configuration file?
Joseph Tam
ssl_forbid_decline" or "ssl_not_optional" might have been clearer.
Joseph Tam
they externalize the
patterns into runtime configuration like fail2ban does, rather than
baking them into executables.
Joseph Tam
On Fri, 8 May 2020, Joseph Tam wrote:
It depends on what you consider reasonable.
Whoops. Editing error. What I wanted to send.
On Fri, 8 May 2020, a...@globalchangemusic.org wrote:
So, generally speaking, you don't want to have inboxes that just sync all day
long, due to massive am
hive folder, but not good for regularly
accessed inboxes, etc.?
Joseph Tam
opies of attachments, then Dovecot's
*dbox support de-duping which would also help.
Joseph Tam
-alert-ssl3-read-bytessslv3-alert-bad-certificate-indicating-that-the-s
this error comes about when you specify the client must authenticate with
their own certificate. If your Dovecot setup is working with Evolution, have
you ported the client certificate to the Thunderbird setup?
Joseph Tam