Re: regarding ssl certificates

2019-03-15 Thread Michael A. Peters via dovecot
With PKIX validation the certificate should match the hostname. With SMTP, the hostname should match the reverse IP though often it does not. Using subdomains gives you flexibility. With DANE validation, it is DNSSEC that validates the fingerprint to the hostname so I do not believe there is

Re: offtopic: rant about thoughtless enabling DMARC checks

2019-02-10 Thread Michael A. Peters via dovecot
On 2/10/19 3:46 PM, Michael A. Peters via dovecot wrote: On 2/10/19 3:42 PM, Noel Butler via dovecot wrote: On 10/02/2019 12:49, Benny Pedersen via dovecot wrote: fixing mailman will be the fail, solve it by letting opendkim and opendmarc not reject detected maillist will be solution, A

Re: offtopic: rant about thoughtless enabling DMARC checks

2019-02-10 Thread Michael A. Peters via dovecot
On 2/10/19 3:42 PM, Noel Butler via dovecot wrote: On 10/02/2019 12:49, Benny Pedersen via dovecot wrote: fixing mailman will be the fail, solve it by letting opendkim and opendmarc not reject detected maillist will be solution, A general broad mailing list whitelist will be problematic, d

Re: offtopic: rant about thoughtless enabling DMARC checks [was: Re: Bounces?]

2019-02-09 Thread Michael A. Peters via dovecot
On 2/9/19 11:13 AM, Michael A. Peters via dovecot wrote: On 2/9/19 10:48 AM, Juri Haberland via dovecot wrote: *snip* Honestly I was sort of tempted to try and create my own DMARC validator (I was thinking one daemon that does both DKIM and DMARC - for postfix, Exim has DKIM native but I

Re: offtopic: rant about thoughtless enabling DMARC checks [was: Re: Bounces?]

2019-02-09 Thread Michael A. Peters via dovecot
On 2/9/19 10:48 AM, Juri Haberland via dovecot wrote: On 09/02/2019 10:44, Aki Tuomi via dovecot wrote: For some reason mailman failed to "munge from" for senders with dmarc policy ;( It's now configured to always munge to avoid this again. I'd say, let Mailman throw all people off the list t

Re: Changing the imaps port #

2019-01-22 Thread Michael A. Peters
error wasn't an SSL error, it just would act like it was not connecting. With CA signed certificates it did work on 993 and 465. On 1/22/19 1:25 AM, Michael A. Peters wrote: Comcast DNS servers enforce dnssec, AT&T does not (last I checked). If by chance your zone has DNSSEC enabled but

Re: Changing the imaps port #

2019-01-22 Thread Michael A. Peters
Comcast DNS servers enforce dnssec, AT&T does not (last I checked). If by chance your zone has DNSSEC enabled but mis-configured then it is possible the domain name you use for the dovecot server is not resolving because of a dnssec validation failure. I have never heard of comcast or any ISP

Re: ECDSA client question

2018-12-16 Thread Michael A. Peters
On 12/16/18 7:52 AM, Tributh via dovecot wrote: Am 16.12.18 um 12:13 schrieb Michael A. Peters: Hi, for those who have adopted ECDSA, are there still any commonly used IMAPS/POP3S clients that still can not handle ECDSA certificates? I know you can set up Dovecot for dual cert, I am just

ECDSA client question

2018-12-16 Thread Michael A. Peters
Hi, for those who have adopted ECDSA, are there still any commonly used IMAPS/POP3S clients that still can not handle ECDSA certificates? I know you can set up Dovecot for dual cert, I am just trying to determine if there still is a real world need to.

Re: Mailing list address harvested for spamming

2018-12-02 Thread Michael A. Peters
On 12/02/2018 08:42 AM, Hendrik Boom wrote: On Sun, Dec 02, 2018 at 04:22:52PM +0100, Ralph Seichter wrote: * Ruben Safir: On Sun, Dec 02, 2018 at 03:58:53AM +0100, Bernd Petrovitsch wrote: Let's hope that people who do not know how to use a tool - e.g. like a hammer - doesn't use that tool

Re: Mailing list address harvested for spamming

2018-12-01 Thread Michael A. Peters
On 12/01/2018 05:49 PM, Ralph Seichter wrote: * Michael A. Peters: Netiquette posts are just someone's opinion, and they often don't take into account the vastly different way different types of minds work. Mailing list netiquette has been around for decades, for good reasons. If

Re: Mailing list address harvested for spamming

2018-12-01 Thread Michael A. Peters
On 12/01/2018 05:00 PM, Hendrik Boom wrote: There's an extensive email etiquette post somewhere on the net explaining why setting 'reply-to' to the list is a bad idea. Reply-to is intended for the sender to explain that replies shouldn't be sent to the obvious sending address, but to another a

Re: Mailing list address harvested for spamming

2018-12-01 Thread Michael A. Peters
On 12/01/2018 04:22 PM, Noel Butler wrote: On 02/12/2018 10:16, Michael A. Peters wrote: On 12/01/2018 04:09 PM, Noel Butler wrote: Which is why it annoys me that some people on mailing lists feel the need to reply directly, rather than through mailing list. Sometimes it is the MUA that

Re: Mailing list address harvested for spamming

2018-12-01 Thread Michael A. Peters
On 12/01/2018 04:09 PM, Noel Butler wrote: Which is why it annoys me that some people on mailing lists feel the need to reply directly, rather than through mailing list. Sometimes it is the MUA that is poorly designed that causes this. Also, some lists set the "reply to" with the sender rat

Re: DMARC policies

2018-11-29 Thread Michael A. Peters
On 11/29/2018 11:13 PM, Aki Tuomi wrote: Hi! It seems we accidentally had a high amount of subscribers temporarily disabled due to DMARC on some sender's host. We have now taken actions to prevent this in the future and all temporarily disabled members have been restored. Aki I've seen th

Re: different TLS protocols on different ports

2018-11-14 Thread Michael A. Peters
On 11/14/2018 01:46 PM, Joseph Tam wrote: On Wed, 14 Nov 2018, Aki Tuomi wrote: I'm providing IMAP+Starttls on port 143 for users with legacy MUA.  So I've to enable TLS1.0 up to TLS1.3 For IMAPS / port 993 I like to enable TLS1.2 and TLS1.3 only. Is this possible with dovecot-2.2.36 / how to

Re: New install - getting error: "Failed to initialize SSL server context: Couldn't parse DH parameters"

2018-11-12 Thread Michael A. Peters
try openssl dhparam -out /usr/local/etc/dovecot/dh.pem 2048 On 11/12/2018 07:28 PM, James Brown wrote: I’m setting up Dovecot using Homebrew on a new server and am getting this when I try to login via IMAP: Nov 13 14:13:35 auth: Debug: auth client connected (pid=30719) Nov 13 14:13:35 imap-lo

Re: OCSP Stapling and Certificate Transparency

2018-10-31 Thread Michael A. Peters
On 05/01/2018 09:08 AM, Aki Tuomi wrote: On 01 May 2018 at 19:03 Felipe Gasper < fel...@felipegasper.com > wrote: Hi, For CAs that do not include a signed certificate timestamp in their newly-issued certificates, does Dovecot support either OCSP stapling or th

Re: OT: 'lost' emails

2018-07-20 Thread Michael A. Peters
On 07/20/2018 03:31 AM, Voytek wrote: I suspect this is mail client issue, but looking for any suggestions: user with Thunderbird says " I'm losing emails, mail is not in inbox, but, when I search, that email shows in search result, but, I can't open the email body" i don't fully understand what

Re: Bounced message after update

2018-02-08 Thread Michael A. Peters
okay weird - I read https://wiki2.dovecot.org/DomainLost I set auth_debug=yes to get a clearer indication if that was my problem. Tried again and it successfully went through. On 02/08/2018 05:46 PM, Michael A. Peters wrote: Hi - Updated from 2.2.27 to 2.3.0 server is webmail (roundcube

Bounced message after update

2018-02-08 Thread Michael A. Peters
Hi - Updated from 2.2.27 to 2.3.0 server is webmail (roundcube) Sending worked before after update. Now it receives, but trying to send - this is the bounce in the log Feb 9 01:37:45 {hostname} postfix/pipe[22891]: 931FD2577: to=<{user}@{hostname}.{tld}>, relay=dovecot, delay=0.01, delays=

Dovecot and /dev/rand

2018-02-05 Thread Michael A. Peters
There's a (2014 I think) patch in the dovecot rpm for the Red Hat / Fedora ecosystem that was last updated with 2.2.9 (patch last updated for that release). I want to know if the problem it solves still exists in the 2.3.x branch. The patch is called "dovecot-2.2.9-nodevrand.patch" and is attached. It alle

Re: Dovecot and Self-signed issue

2017-09-27 Thread Michael A. Peters
Just to confirm - building thunderbird 45.8.0 worked, it connects just fine. On 09/26/2017 01:46 AM, Michael A. Peters wrote: No, no certificate in thunderbird. Work fine when running CentOS 7.3, laptop that still runs 7.3 works fine. I'm going to attempt building the CentOS 7.3 thundi

Re: Dovecot and Self-signed issue

2017-09-26 Thread Michael A. Peters
nect your.server:993 and grep for "CertificateRequest". Do you have a certificate configured in your mailclient Thunderbird but not in Evolution? HTH Peter Am 2017-09-26 um 00:08 schrieb Michael A. Peters: Definitely client issue, connecting via evolution works just fine. So I su

Re: Dovecot and Self-signed issue

2017-09-25 Thread Michael A. Peters
problem. On 09/25/2017 01:49 PM, Michael A. Peters wrote: I'm not running any A/V software, and the same version of dovecot on servers with CA signed certs (komodo) - the client connects to them just fine. On 09/25/2017 01:40 PM, Tony wrote: It does look like a client issue. Do you also

Re: Dovecot and Self-signed issue

2017-09-25 Thread Michael A. Peters
that can sometimes interfere with mail sessions. See if you might be running into a similar situation: https://support.mozilla.org/en-US/questions/1066126 Cheers, -- TC On 9/25/17 1:27 PM, Michael A. Peters wrote: I use dovecot on several servers. One of them uses a self-signed cert, it's ju

Dovecot and Self-signed issue

2017-09-25 Thread Michael A. Peters
I use dovecot on several servers. One of them uses a self-signed cert, it's just me. It worked fine until yesterday when I upgraded my desktop (NOT the server) to CentOS 7.4 Now thunderbird complains when it starts up, and won't let me confirm the security exception. On the server the foll

Re: Problem with Let's Encrypt Certificate

2017-02-20 Thread Michael A. Peters
On 02/20/2017 01:32 AM, chaouche yacine wrote: What is the motivation behind using a new pair of keys and CSR ? Every now and then, a bug in the OpenSSL API is found that leaked the private key under certain conditions. By replacing the private key once a year with a new one, you are at lo

Re: Problem with Let's Encrypt Certificate

2017-02-19 Thread Michael A. Peters
On 02/19/2017 05:39 AM, KT Walrus wrote: That's one of the reasons I don't like Let's Encrypt, with one year certs it is easier to look at the certs and see what is going to expire in the coming month needing a new private key. I use dehydrated (with Cloudflare DNS challenges) and as far as I

Re: Problem with Let's Encrypt Certificate

2017-02-18 Thread Michael A. Peters
On 02/18/2017 10:24 PM, Robert L Mathews wrote: On 2/17/17 1:38 PM, chaouche yacine wrote: Seems wrong to me too, Robert. If you put your private key inside your certificate, won't it be sent to the client along with it ? No; any SSL software that uses the file will extract the parts it needs

Re: Dovecot and MariaDB/MySQL

2017-01-10 Thread Michael A. Peters
On 01/10/2017 11:50 PM, Aki Tuomi wrote: Hi! Try using doveadm pw -S SSHA256 for generating the password. The salt is included in the password hash. Aki Thank you! Found the doveadm-pw man page, think I'm good from here.

Dovecot and MariaDB/MySQL

2017-01-10 Thread Michael A. Peters
Howdy - For most of my dovecot servers, they are small and I just use unix accounts. However I am going to be running a new server for more general users, webmail (probably roundcube but I'm hacking roundcube quite a bit, enough that I'm calling it squarepeg instead so users familiar with rou

Re: v2.2.27 released --- libressl

2016-12-06 Thread Michael A. Peters
On 12/06/2016 11:35 AM, Ruga wrote: Results from the application of the following patch from Aki. perl -i -ple 's|^(\s*#include \s*)$|$1\n\t#if OPENSSL_VERSION_NUMBER == 0x2000L\n\t#define OPENSSL_VERSION_NUMBER 0x10001000L\n\t#endif|' configure.ac; I use a different method of patching

Re: Good email client to use with Dovecot?

2016-11-17 Thread Michael A. Peters
On 11/16/2016 11:48 PM, Steve Litt wrote: Hi all, When I use an email client, its purpose is as a window into my Dovecot IMAP, and as a mechanism to reply to and send emails. I don't do filtering or calendaring on my email client (filtering via procmail direct to Dovecot). What email clients ar

Re: dovecot pre-install issue

2016-11-16 Thread Michael A. Peters
On 11/16/2016 01:06 AM, soumi...@iitk.ac.in wrote: Hello all, I am going for a dovecot director based setup (2 director+ 2 imap), more imap servers will be added later depending on demand/load. Presently I have 12000+ dovecot users with Maildir quota varying from 1 GB to 20GB. (peak hour IOPS 5

Re: v2.2.26.0 released

2016-11-02 Thread Michael A. Peters
esn't have someone who can officially maintain LibreSSL support. On 11/02/2016 05:08 AM, Ruga wrote: libressl is a leaner and safer openssl Sent from ProtonMail Mobile On Wed, Nov 2, 2016 at 12:39 PM, Michael A. Peters <'mpet...@domblogger.net'> wrote: IMHO it would be acc

Re: v2.2.26.0 released

2016-11-02 Thread Michael A. Peters
IMHO it would be acceptable to have a LibreSSL patch that is maintained by the people who want it. It's free software, and that kind of is the point of Open Source. On 11/02/2016 04:36 AM, Michael A. Peters wrote: They have stated they are going to remain API compatible with 1.0.1h

Re: v2.2.26.0 released

2016-11-02 Thread Michael A. Peters
API. I would personally like to avoid more ifdef hell if possible... Aki On 02.11.2016 13:22, Michael A. Peters wrote: Standard way to fix it (on the LibreSSL page) is to check for LIBRESSL_VERSION_NUMBER - e.g. the patch attached which I think catches them all where needed. Note the word think

Re: v2.2.26.0 released

2016-11-02 Thread Michael A. Peters
Standard way to fix it (on the LibreSSL page) is to check for LIBRESSL_VERSION_NUMBER - e.g. the patch attached which I think catches them all where needed. Note the word think. It certainly appears to be working anyway with it. On 11/02/2016 04:07 AM, Aki Tuomi wrote: After doing some testin

Re: v2.2.26.0 released

2016-11-01 Thread Michael A. Peters
I can confirm that LibreSSL 2.4.3 works just fine for building 2.2.26.0 On 11/01/2016 09:25 PM, Reuben Farrelly wrote: I don't believe that is the case. I have 2.2.26.0 and -git building and running on multiple systems now (two of which are Gentoo boxes) with LibreSSL-2.5 - and these systems do

Re: v2.2.26 released

2016-10-27 Thread Michael A. Peters
On 10/27/2016 09:43 AM, Aki Tuomi wrote: *snip* Aki You are right, it was supposed to be there. Unfortunately it isn't. We'll see what can be done. Aki I maintain an RPM of the 2.2.x branch. Should I wait with pushing the update?

Re: v2.2.26 release candidate released

2016-10-21 Thread Michael A. Peters
On 10/21/2016 02:25 AM, Michael A. Peters wrote: On 10/19/2016 02:01 PM, Timo Sirainen wrote: http://dovecot.org/releases/2.2/rc/dovecot-2.2.26.rc1.tar.gz http://dovecot.org/releases/2.2/rc/dovecot-2.2.26.rc1.tar.gz.sig There are quite a lot of changes since v2.2.25. Please try out this RC so

Re: v2.2.26 release candidate released

2016-10-21 Thread Michael A. Peters
On 10/19/2016 02:01 PM, Timo Sirainen wrote: http://dovecot.org/releases/2.2/rc/dovecot-2.2.26.rc1.tar.gz http://dovecot.org/releases/2.2/rc/dovecot-2.2.26.rc1.tar.gz.sig There are quite a lot of changes since v2.2.25. Please try out this RC so we can get a good and stable v2.2.26 out. I am n

Re: Dovecot 2.2.25 fails on SSL

2016-09-05 Thread Michael A. Peters
On 09/02/2016 12:50 PM, Joseph Tam wrote: Aki Tuomi wrote: ldd /usr/local/Dovecot-2.2.25/lib/dovecot/libdcrypt_openssl.so linux-gate.so.1 => (0x00dca000) libcrypto.so.1.0.0 => not found ... Well, then it leaves only option of using /etc/ld.so.conf so basically add your libs

Re: Dovecot password policy

2016-08-05 Thread Michael A. Peters
On 08/05/2016 08:41 AM, Robert Blayzor wrote: Is there a way to configure Dovecot to perhaps filter/enforce which passwords are accepted before authenticating? Ie: Reject immediately (without a database lookup) if password is not X characters in length? Not sure what the benefit would b

Re: Dovecot 2.2.25 test failure

2016-08-04 Thread Michael A. Peters
On 08/04/2016 10:31 AM, aki.tu...@dovecot.fi wrote: On August 4, 2016 at 7:38 PM aki.tu...@dovecot.fi wrote: On August 4, 2016 at 4:53 PM "Michael A. Peters" wrote: On 08/04/2016 06:50 AM, aki.tu...@dovecot.fi wrote: On August 4, 2016 at 4:19 PM "Michael A. Peters"

Re: Dovecot 2.2.25 test failure

2016-08-04 Thread Michael A. Peters
On 08/04/2016 06:50 AM, aki.tu...@dovecot.fi wrote: On August 4, 2016 at 4:19 PM "Michael A. Peters" wrote: On 08/04/2016 06:13 AM, Aki Tuomi wrote: On 04.08.2016 16:11, Michael A. Peters wrote: Operating system - 64 bit CentOS 7 gcc-4.8.5-4.el7.x86_64 Building against Libr

Re: Dovecot 2.2.25 test failure

2016-08-04 Thread Michael A. Peters
On 08/04/2016 06:13 AM, Aki Tuomi wrote: On 04.08.2016 16:11, Michael A. Peters wrote: Operating system - 64 bit CentOS 7 gcc-4.8.5-4.el7.x86_64 Building against LibreSSL which has been fine for other releases, but it is a crypto test that fails. Tried with LibreSSL 2.4.2 and 2.3.6

Dovecot 2.2.25 test failure

2016-08-04 Thread Michael A. Peters
Operating system - 64 bit CentOS 7 gcc-4.8.5-4.el7.x86_64 Building against LibreSSL which has been fine for other releases, but it is a crypto test that fails. Tried with LibreSSL 2.4.2 and 2.3.6 - with both the build completes but fails the make check. Dovecot 2.2.24 passes make check on both