Hi,
Thank you both for the additional suggestions!
MJ
On 23-03-2022 at 12:29, Aki Tuomi wrote:
1. Try hashing possible password candidates and compare
2. Temporarily log everyone's passwords and then sanitize logs after you're
done.
No way to enable that option for a single user.
Thank you! I will follow your advice.
On 23-03-2022 at 11:11, Aki Tuomi wrote:
Well, is the sha1 value same every time? If it is, then they are trying same
password each time.
Aki
Yes, understood. :-)
The SHA1 changes, but each SHA1 is tried multiple times.
The question is: can we find out, just for this specific user, WHA
Hi,
We are logging failed authentication attempts, with the attempted
password as auth_verbose_passwords=sha1
The question: is it possible to configure auth_verbose_passwords=plain
for a specific user only? Turning it on globally would be too much
sensitive information for the purpose.
Rea
Hi Christian,
Thanks for replying!
It seems that your comments (or perhaps some of my recent config
tinkering) helped, because once I tried just now to make it go from 89%
to 91%, and I did receive the quota warning!
Thanks!
MJ
On 15-12-2021 at 15:23, Christian Mack wrote:
Hello
Just
rivate/auth {
mode = 0666
}
unix_listener auth-userdb {
group = vmail
mode = 0666
user = vmail
}
}
service imap-login {
process_limit = 500
process_min_avail = 2
}
service quota-warning {
executable = script /usr/local/bin/quota-warning.sh
unix_listener quota-warning {
mode = 0666
user = vmail
}
user = vmail
}
service stats {
unix_listener stats-reader {
group = vmail
mode = 0666
user = vmail
}
unix_listener stats-writer {
group = vmail
mode = 0666
user = vmail
}
}
shutdown_clients = no
ssl = required
ssl_cert =
Thanks very much for your help!
MJ
msgid=,
from=, subject=test
Dec 8 11:31:57 mail dovecot: lda(username)<14734>: sieve:
usern...@gmail.com | test | msgid=: stored
mail into mailbox 'INBOX'
Does "quota: quota_over_flag check: quota_over_script unset - skipping"
mean I forgot to set some specific flag in order to make our script run?
MJ
s for your suggestions!
MJ
But are permissions of stats-writer related to not sending out quota
notifications?
MJ
On 06-12-2021 at 12:10, mj wrote:
Hi,
We suddenly realised that our maildir quota warnings are no longer sent
out. We don't understand why not.
This is dovecot 2.3.4.1 on debian 10.11. We use a scri
vmail 0 Dec 6 11:34 stats-reader
srw-rw 1 vmail vmail 0 Dec 6 11:34 stats-writer
drwxr-x--- 2 rootnogroup 80 Dec 6 11:34 token-login
Can anyone help, and explain what is going on here?
Thank you very much in advance for a reply!
MJ
The doveconf -n output:
root@imap:/
Hi,
One of our users managed to rename her INBOX folder to ' ' (space)
This caused a new INBOX directory to be created, and all older emails to
become 'invisible' to her.
My question: Is there a (dovecot config) way to prevent this from
happening? We cannot imagine any scenario where we would l
Hi,
Nobody?
It happens so rarely, and the system appears to be running fine
otherwise, should I just ignore it?
Still makes me wonder why it would happen at all..?
MJ
On 10/22/20 12:53 PM, mj wrote:
Hi,
We are getting very occasional messages from dovecot:
net_connect_unix(/var/run
vecot/old-stats-user
srw-rw 1 vmail vmail 0 Oct 6 00:25 /var/run/dovecot/stats-reader
srw-rw 1 vmail vmail 0 Oct 6 00:25 /var/run/dovecot/stats-writer
We're not sure what makes the Permission denied error happen...
Anyone with an idea?
MJ
Thanks to all who participated in the interesting discussion.
It seems my initial thought might have been best after all, and
discontinuing port 143 might be the safest way to proceed.
Thanks again, valuable insights!
MJ
On 5/29/20 11:48 AM, Jean-Daniel wrote:
On 29 May 2020 at 11:17, Stuart
Hi Markus,
Thank you very much.
MJ
On 26/05/2020 10:25, Markus Winkler wrote:
Hi,
On 26.05.20 09:21, mj wrote:
One doubt I had: "disable_plaintext_auth = yes" sounds as if only the
authentication part is secured, and the rest is kept plain text,
whereas with 993/SSL, *everything
eas
with 993/SSL, *everything* would be encrypted?
Or am I missing something? (then perhaps someone can point it out?)
Thanks,
MJ
On 25/05/2020 20:52, Aki Tuomi wrote:
You could use
https://doc.dovecot.org/settings/core/#login-log-format-elements
to log this.
Yes! Perfect!
Thanks! :-)
Hi,
I am trying to find a nice way to identify dovecot clients that are
still configured to use port 143 to connect to our mailserver, from the
dovecot logs.
I would then ask them to move over to 993, and finally disable port 143
altogether.
When looking at the dovecot logs, it seems this is
the way, a rejection is "legally safe", while
your catch-all-and-let-messages-rot approach is not, in case you have
not considered that.
Of course, you can do as you please, but that does not change the facts
and mechanics involved.
Thank you for your feedback, we will take it into consideration.
MJ
sh for the time being, but
only during the transitional period. Afterwards we will put the nullmx
config in place.
Thanks again for all your thoughts: appreciated.
MJ
On 4/21/20 4:02 AM, LuKreme wrote:
On Apr 20, 2020, at 19:13, @lbutlr wrote:
The other thing you can do is NOMX the
step, in a couple of months
perhaps.
Hopefully someone has a suggestion for my sieve script.
Thanks again,
MJ
found in message headers
(recipient=, and no additional `:addresses'
are specified)
I have googled this, but adding :addresses in this case will not work,
as we are trying to answer (basically) emails sent to any email
addresses sent to that domain, and thus I cannot define specific :addresses
Can anyone suggest what to do here?
Thanks and stay healthy!
MJ
Hi,
No expert, but:
We always use the postmap utility to check that the right mailboxes are
actually found:
postmap -q t...@test.loc ldap:/etc/postfix/ldap-config.cf
And perhaps show us your postfix main.cf?
MJ
On 2/20/20 8:46 AM, phil wrote:
Hello you,
I try to build a mail server
//raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset";
# Firehol Level 1
"https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/stopforumspam_7d.ipset";
# Stopforumspam via Firehol
MJ
Hi,
What we do is: use https://github.com/trick77/ipset-blacklist to block
IPs (from various existing blacklists) at the iptables level using an ipset.
That way, the known bad IPs never even talk to dovecot, but are dropped
immediately. We have the feeling it helps a lot.
MJ
On 4/12/19 10
w-to-use-useraccountcontrol-to-manipulate-user-account-properties)
there are some many different userAccountControl to check, that it might
be smarter to only allow userAccountControl=512, or?
Any ideas on this..?
(or examples of how you do it?)
MJ
running it for years, with the same backend-components you
are using: postfix and dovecot. (and active directory)
MJ
Hi,
If you consider ceph as "the cloud", this could also apply:
https://github.com/ceph-dovecot/dovecot-ceph-plugin
MJ
Hi,
It sounds as if you want to be looking at sogo.nu:
https://sogo.nu/
It re-uses your imap/mail setup, and implements caldav/carddav, and also
ActiveSync to interact with the same contacts/calendars.
Take a look: It's modern and very well-maintained, plus light-weight.
MJ
On 06/30
my question, since we are (and were)
always using (samba) AD.
Everything connects to this same AD backend, including SOGo and imap.
MJ
developers attention on this. :-)
MJ
username*master/masterpassword, and get
rid of the 127.0.0.1 passwordless listener.
Right?
But SOGo doesn't do that. (afaik)
MJ
ig is required.
(https://sogo.nu/files/docs/v2/SOGoNativeOutlookConfigurationGuide.html)
Thanks,
MJ
ebug = yes
auth_debug_passwords = yes
auth_verbose = yes
It would be nice if the "Allowing any password" could be rephrased, or
taken out. It really had me scared for a while.
Thanks Aki,
MJ
is
'wrong'? Access was actually DENIED, even though it says "Allowing any
password" and even though one line later it says: "auth: Debug: auth
client connected (pid=6174)"?
This is all very misleading
MJ
: static(username,1.2.3.4,): Allowing any
password" 1.2.3.4 is NOT localhost...
(obviously 1.2.3.4 is not the *real* ip, but it's a *real* ip from the
internet, NOT localhost...
MJ
l/bin/quota-warning.sh
unix_listener quota-warning {
user = vmail
}
user = dovecot
}
shutdown_clients = no
ssl_ca =
MJ
Hi,
Not much time to reply now.
On 12/05/2017 05:21 AM, Mark Foley wrote:
mj - thanks! That the first useful example I've received from any forum/list.
I'm getting ready
to try my config (have to do so after hours), but I have some probably
simple-minded questions:
Well, that looks
hat's
what we do, anyway.
MJ
Name=%n)(!(userAccountControl=514)))
> dn = cn=search_dovecit,cn=users,dc=company,dc=com
> dnpass = top_secret
And not the 3268 port, but regular 389.
Hope that helps.
MJ
On 12/04/2017 01:38 AM, Mark Foley wrote:
Unfortunately, I tried for weeks to figure out passdb ldap without success. I
guess
hout
having to basically migrate all your mailboxes.
MJ
On 10/06/2017 04:08 AM, David.M.Clark wrote:
Hi All, please be kind, this is my first e-mail to the list :-)
I actively support CentOS based e-mail servers running Dovecot,
Sendmail, SpamAssassin and 3 x SOGo based setups.
Dovecot
Hi ceph-ers,
The email below was posted on the ceph mailinglist yesterday by Wido den
Hollander. I guess this could be interesting for user here as well.
MJ
Forwarded Message
Subject: [ceph-users] librmb: Mail storage on RADOS with Dovecot
Date: Thu, 21 Sep 2017 10:40:03
Hi,
Perhaps you need auth_bind = yes?
MJ
On 09/13/2017 01:34 PM, Garry Glendown wrote:
Hi,
I had to start using Dovecot on a machine as the new OS does not come
with Cyrus IMAP anymore. After multiple problems, I managed to get
everything working, including LDAP authentication against the
t reinvent the wheel.
Besides that: most places will have many of the requirements in place
already.
MJ
On 08/24/2017 07:38 AM, Rupert Gallagher wrote:
We tried installing Radicale months ago, and decided to postpone testing. Its
footprint exceeds 140MB, because of python. It require
config to make one domain an alias to
another domain would be very useful. :-)
MJ
e 500+ addresses in ldap, surely there must be some
'automated' way to 'transform' any incoming mail sent to
ran...@olddomain.com into ran...@newdomain.com?
(and then have it processed regularly, so that bounces still work for
non-existent addresses and such)
MJ
On 07/29/2017 07:44 PM, Doug Barton wrote:
On 07/25/2017 07:54 AM, mj wrote:
Since we implemented country blocking,
Please don't do that. Balkanizing the Internet doesn't really benefit
anyone, and makes innovation a lot more difficult.
Perhaps I need to be more specific
. It helps tremendously.
MJ
the VPN first.
This works for us.
Only one thing on my wishlist: application specific passwords. I would
very much appreciate a response on that thread... (posted yesterday
evening, with a pseudo-dovecot-config file...)
Hope the above helps you a bit, Olaf.
MJ
On 07/25/2017 04:37 PM, Olaf Hopp w
x27;s what you want.
Having read the wiki page on checkpassword, I am unsure how this would
work with an ldap backend.
Could you elaborate on that?
Best,
MJ
some pointers in that direction?
MJ
On 07/20/2017 06:50 PM, Kirill Miazine wrote:
I'm not familiar with samba AD and with its features and limitations.
For my simple system I'm using plain files for passdb and userdb (aka.
passwd-file). Application (or rather device) specific passwords
X=/var/vmail/%n/shared/%n,allow_nets=192.168.1.0/24
user_filter =
(&(objectclass=person)(sAMAccountName=%n)(!(userAccountControl=514)))
pass_filter =
(&(objectclass=person)(sAMAccountName=%n)(!(userAccountControl=514)))
iterate_attrs = sAMAccountName=user
iterate_filter = (objectClass=person)
MJ
instantly.
Works nicely. :-)
Now I want to implement application specific passwords, I will post
about that in a separate message. As you have been such a great help,
perhaps you can also help a little bit in that thread...?
Thanks again,
MJ
nly
works for non-ssl/non-tls connections.
Your iptables solution makes sure that they cannot authenticate *at all*,
while the above solution makes sure they can only authenticate *once*.
MJ
samba AD as an authentication backend.
MJ
other suggestions are very much appreciated, including
weakforced, however implementing that is a much larger project.
Next I have to find out how to feed my fail2ban logs back to
blocklist.de, to improve their mail.txt hit rate.
Thanks again for all kind assistance.
MJ
On 07/20/2017 11:16 A
Hi all,
If I may, one more question on this subject:
I would like to create a fail2ban filter, that scans for these lines:
Jul 20 11:10:09 auth: Info: ldap(user1,60.166.35.162,):
invalid credentials (given password: password)
Jul 20 11:10:19 auth: Info: ldap(user2,61.53.66.4,): invalid
crede
ists of ips, so if anyone has additional
lists to block?
MJ
On 07/19/2017 12:42 PM, Dave wrote:
On 19/07/2017 11:23, mj wrote:
Hi Robert,
On 07/18/2017 11:43 PM, Robert Schetterer wrote:
i guess not, but typical bots aren't using ssl, check it
however fail2ban sometimes is too slow
I
Hi Joseph,
On 07/18/2017 11:10 PM, Joseph Tam wrote:
However, it seems almost all IPs are different, and I don't think I can
keep the above settings permanently.
Why not? Limited by firewall rules overload? You could probably use
a persistent DB, can't you?
I meant: keep the "block after the
failed login attempt, and fail2ban will have blocked the ip by then.
MJ
Hi Robert,
On 07/18/2017 10:15 PM, mj wrote:
Robert, your iptables suggestions are _very_ interesting! However, will
they also work on imaps/993, because of the ssl?
I have adjusted and put into place your iptables suggestion like this:
iptables -I INPUT -p tcp --dport 143 -m string --algo
, and I don't think I can
keep the above settings permanently.
Robert, your iptables suggestions are _very_ interesting! However, will
they also work on imaps/993, because of the ssl?
Thanks for the quick replies!
MJ
On 07/18/2017 09:52 PM, Robert Schetterer wrote:
On 18.07.2017 at
can do about this??
Any advice you could give us would be very much appreciated.
MJ
into place :-)
Thanks for your assistance!
MJ
"
work?
Below are our configs. Any tips would be appreciated...!
MJ
root@dovetest:/etc/dovecot# doveconf -n
# 2.2.26.0 (23d1de6): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.16 (fed8554)
# OS: Linux 3.16.0-4-amd64 x86_64 Debian 8.7 xfs
auth_debug = yes
auth_debug_
ure.
Our config is against ldap (active directory) and generally works fine.
Can anyone here take a quick look, and tell me how to make
> doveadm user -u "*"
work?
Below are the required configs. Any tips would be appreciated...!
MJ
root@dovetest:/e
Yes:
I'm using the acme.sh client, and I can do:
> acme.sh --issue --standalone -d example.com --httpport 88
It does what you'd expect: it runs using a small webserver on port 88
I only just discovered that option myself :-)
MJ
On 03/03/2017 08:22 PM, David Mehler wrote:
Hello
Hi Sami,
It is difficult.
So it seems. :-)
Thanks for your suggestions.
Perhaps I just have to accept that what I would like is not possible.
Thanks again for all suggestions!
MJ
Hi Aki, list,
On 12/31/2016 11:50 AM, Aki Tuomi wrote:
or maybe you can try
local 0.0.0.0/0:144 {
passdb {
}
}
That makes dovecot complain:
"Auth settings not supported inside local/remote blocks: passdb"
MJ
ar to everybody :-)
(and thanks Aki Tuomi for your replies)
MJ
Hi,
Does the lack of replies mean that what I'm asking is not possible?
(or am I missing something SO obvious that nobody bothers to point it
out..?)
MJ
On 12/29/2016 09:23 PM, mj wrote:
Hi,
I would like to have two separate imap listeners, with different
authentication settings, bu
On 12/29/2016 09:23 PM, mj wrote:
Hi,
I would like to have two separate imap listeners, with different
authentication settings, but the mailstore and userbase etc will be
identical.
I know I can do this:
service imap-login {
inet_listener imap {
port = 143
}
inet_listener
stener
144 to only serve this saml authentication listener, and the regular 143
listener with driver = ldap.
Is that config possible?
Best regards,
MJ
On 12/03/2016 08:04 PM, Timo Sirainen wrote:
If SOGo used AUTHENTICATE PLAIN instead of LOGIN, it should work. The
SASL authentication buffer is larger (8 kB) than regular commands'
buffer (~1 kB).
Thanks Timo, that worked! :-)
MJ
: Info: Disconnected: Input buffer full (no
> auth attempts in 0 secs): user=<>, rip=x.y.z.32, lip=x.y.z.68,
> session=
and
BYE Input buffer full, aborting
So this doesn't work. :-(
The question: is there a way to make this work? (make the input buffer
larger, for example..?)
Or any other ideas to make this work?
Thanks in advance,
MJ
On 07/31/2016 07:04 PM, mj wrote:
What exactly is a "ce repository"?
Guessing now: Community Edition...
Such a repo would be very much welcomed by us! (currently running wheezy
with its original dovecot, 2.1.7)
MJ
Hi,
On 07/31/2016 04:36 PM, aki.tu...@dovecot.fi wrote:
We are discussing making ce repos at some point. This would probably help
some people.
Aki
We're following this thread with interest. What exactly is a "ce
repository"?
(google doesn't help)
MJ
s I add Kerberos into the mix, which is an
additional learning curve, and possibly not widely supported.
Open-Xchange appsuite might fit your needs.
Or you could take a look at SOGo: http://sogo.nu/
MJ
On 03/11/2016 03:30 PM, Gordon Grubert wrote:
Of course, such a WORKAROUND could be used and I'm sure that this
works. But Timo says, dovecot is using the LDAP API. The openldap
client can handle network timeouts. Therefore, dovecot has to be able
to use these timeouts, too, like described in l
Hi,
We're now running with ldap via haproxy, as was suggested in this thread
by Timo. So far, so good: it seems to work very well.
MJ
On 03/10/2016 04:15 PM, Gordon Grubert wrote:
Hi Timo,
On 01.03.2016 22:51, Timo Sirainen wrote:
On 29 Feb 2016, at 17:18, Gordon Grubert
wrote:
Hi
becomes 'stuck' (as in: returning no data
anymore, but not actually terminating the connection) a failover does
not happen.
(we have had the second scenario, with samba4 AD ldap)
MJ
On 03/01/2016 10:51 PM, Timo Sirainen wrote:
But now that I'm testing it, the timeout doe
... and I also don't seem to find paid
dovecot plans/subscriptions, licenses on the open-xchange site..? (they
mostly talk about an "OX App Suite")
I hope I'm missing something..?
MJ