From patrickdk at patrickdk.com Wed Jun 1 00:22:17 2016 
From: patrickdk at patrickdk.com (Patrick Domack)
Date: Tue, 31 May 2016 20:22:17 -0400
Subject: Ubuntu package - Was: Re: doveadm-server protocol change?
In-Reply-To: <20160531123241.GN4691@jumper.schlittermann.de>
References: <20160530151705.GF4691@jumper.schlittermann.de>
 <1264900304.1298.1464623395647@appsuite-dev.open-xchange.com>
 <20160530185450.GH4691@jumper.schlittermann.de>
 <304527445.583.1464634679358@appsuite-dev.open-xchange.com>
 <20160530191809.GI4691@jumper.schlittermann.de>
 <20160530192612.GJ4691@jumper.schlittermann.de>
 <1646393565.595.1464638790584@appsuite-dev.open-xchange.com>
 <574D4BF6.3060400@myzel.net>
 <20160531123241.GN4691@jumper.schlittermann.de>
Message-ID: <20160531202217.Horde.WyzOGSCNKMyja4CzN6Gs6gY@mail.patrickdk.com>

Those are my packages. I try to track each release, and bug fixed.
But since those are mine, I'm really concerned with stability as it
affects my environment. Mainly mdbox/maildir with gzip, at this present
time.

If someone lets me know of any issues, I will fix and adjust for it,
but I'm not doing full scale stability testing.

It's just the straight ubuntu package, with it swapped out for
2.2.24+fixes, and other adjustments as needed.

I do consider them stable enough for other people to use, but again,
you're at my mercy. (But these are what I use on my production systems so)

As far as the init scripts goes, it's the same as what the dovecot
packages as shipped by ubuntu for 16.04 does it. I have not looked into
it much myself yet, other than it functions. I only have one 16.04
dovecot system currently.

Quoting Heiko Schlittermann :

> Hi,
>
> Peter Chiochetti (Di 31 Mai 2016 10:31:50 CEST):
>> Not having installed any of the two, I can say, as a Ubuntu user:
>> In ppa "/etc/init.d/dovecot" is a symlink to "/lib/init/upstart-job"
>
> The 2.2.24 on 16.04 installs both
>
>     /etc/init.d/dovecot
>     /lib/systemd/system/dovecot.service
>
>> While xi packages places its own init script there.
>
> The xi packages I didn't check yet.
>
> Best regards from Dresden/Germany
> Greetings from Dresden
> Heiko Schlittermann
> --
> SCHLITTERMANN.de ---------------------------- internet & unix support -
> Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
> gnupg encrypted messages are welcome --------------- key ID: F69376CE -
> ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -

From tve at voneicken.com Wed Jun 1 01:39:25 2016
From: tve at voneicken.com (Thorsten von Eicken)
Date: Wed, 1 Jun 2016 01:39:25 +0000
Subject: forwarding emails using sieve
Message-ID: <01000155099d83c5-f8500cc9-97f1-424b-9ef7-8cd256070a0c-000000@email.amazonses.com>

I know this is a tad tangential to dovecot, but maybe someone has some
pointers for me. I'm trying to forward emails using the sieve filtering
and redirect doesn't do it because it doesn't wrap the message in a new
email, instead, it seems to just change the envelope From (and To).
This causes the outbound relay to reject the message for security/spam
reasons (forged From).

It looks like the dovecot sieve implementation doesn't let me change
the From header in the sieve script. Is there a way to accomplish what
I'm looking for?

Thanks!

From vijayaramanda at gmail.com Wed Jun 1 04:00:18 2016
From: vijayaramanda at gmail.com (Vijay Kumar)
Date: Wed, 1 Jun 2016 09:30:18 +0530
Subject: Not receiving mails
Message-ID:

Hi,

I have setup spam filter and opendkim key on our mail server with
Postfix, Dovecot and OpenDKIM server.

Following are few lines from dovecot.conf which were added to
dovecot.conf. After troubleshooting, we removed the following lines and
the login from webUI roundcube started working.

Can someone please explain the importance of following lines in
accordance with Opendkim? Should we disable plaintext authentication
for opendkim to work?

-----------------------------------------------------
disable_plaintext_auth = no
mail_privileged_group = mail
mail_location = mbox:~/mail:INBOX=/var/mail/%u
userdb {
  driver = passwd
}
passdb {
  args = %s
  driver = pam
}
protocol imap {
  mail_plugins = " autocreate"
}
plugin {
  autocreate = Trash
  autocreate2 = Sent
  autosubscribe = Trash
  autosubscribe2 = Sent
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
ssl=required
-----------------------------------------------------

Thanks,
Vijay

---
http://www.matchfinder.in

From skdovecot at smail.inf.fh-brs.de Wed Jun 1 07:33:11 2016
From: skdovecot at smail.inf.fh-brs.de (Steffen Kaiser)
Date: Wed, 1 Jun 2016 09:33:11 +0200 (CEST)
Subject: stat .../.dovecot.sieve/tmp failed: Not a directory
In-Reply-To: <574E16B8.5050604@sys4.de>
References: <574E16B8.5050604@sys4.de>
Message-ID:

On Wed, 1 Jun 2016, Robert Schetterer wrote:

> Hi, I have
>
> stat .../.dovecot.sieve/tmp failed: Not a directory
>
> using
>
> sieve = file:~/sieve;active=~/.dovecot.sieve
>
> dovecot_2.2.24-1-auto-38
>
> cause I can subscribe to dovecot sieve
>
> can't remember to see this in previous versions

you are sure that home dir != mail location, aren't you? :-)

--
Steffen Kaiser

From hs at schlittermann.de Wed Jun 1 08:45:37 2016
From: hs at schlittermann.de (Heiko Schlittermann)
Date: Wed, 1 Jun 2016 10:45:37 +0200
Subject: Ubuntu package - Was: Re: doveadm-server protocol change?
In-Reply-To: <20160531202217.Horde.WyzOGSCNKMyja4CzN6Gs6gY@mail.patrickdk.com>
References: <20160530151705.GF4691@jumper.schlittermann.de>
 <1264900304.1298.1464623395647@appsuite-dev.open-xchange.com>
 <20160530185450.GH4691@jumper.schlittermann.de>
 <304527445.583.1464634679358@appsuite-dev.open-xchange.com>
 <20160530191809.GI4691@jumper.schlittermann.de>
 <20160530192612.GJ4691@jumper.schlittermann.de>
 <1646393565.595.1464638790584@appsuite-dev.open-xchange.com>
 <574D4BF6.3060400@myzel.net>
 <20160531123241.GN4691@jumper.schlittermann.de>
 <20160531202217.Horde.WyzOGSCNKMyja4CzN6Gs6gY@mail.patrickdk.com>
Message-ID: <20160601084537.GO4691@jumper.schlittermann.de>

Hi Patrick,

Patrick Domack (Mi 01 Jun 2016 02:22:17 CEST):
> Those are my packages. I try to track each release, and bug fixed.
…
> I do consider them stable enough for other people to use, but again, you're at
> my mercy. (But these are what I use on my production systems so)

Thank you for your response, we're using your packages now in a
production ready environment. I'll contact you in case of any issues.

(The environment uses a directors/backends setup.)

Best regards from Dresden/Germany
Greetings from Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --------------- key ID: F69376CE -
! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -

From stephan at rename-it.nl Wed Jun 1 11:02:24 2016
From: stephan at rename-it.nl (Stephan Bosch)
Date: Wed, 1 Jun 2016 13:02:24 +0200
Subject: doveadm-server protocol change?
In-Reply-To: <1646393565.595.1464638790584@appsuite-dev.open-xchange.com>
References: <20160530151705.GF4691@jumper.schlittermann.de>
 <1264900304.1298.1464623395647@appsuite-dev.open-xchange.com>
 <20160530185450.GH4691@jumper.schlittermann.de>
 <304527445.583.1464634679358@appsuite-dev.open-xchange.com>
 <20160530191809.GI4691@jumper.schlittermann.de>
 <20160530192612.GJ4691@jumper.schlittermann.de>
 <1646393565.595.1464638790584@appsuite-dev.open-xchange.com>
Message-ID: <518eeef9-93cc-aa3e-8bcd-f899774244dc@rename-it.nl>

On 30-5-2016 at 22:06, aki.tuomi at dovecot.fi wrote:
>> On May 30, 2016 at 10:26 PM Heiko Schlittermann wrote:
>>
>>
>> Heiko Schlittermann (Mo 30 Mai 2016 21:18:09 CEST):
>>> Hi Aki,
>>>
>>> aki.tuomi at dovecot.fi (Mo 30 Mai 2016 20:57:58 CEST):
>>> …
>>>> You can get packages from http://xi.dovecot.fi/debian/, if it helps. The HTTP API should not suffer from the username problem.
>>> Thank you. I just used ppa:patrickdk/production, but probably will try
>>> the xi.dovecot.fi packages.
>> The question is, which of these locations is more trustworthy in the
>> sense of 'production ready'?
>>
>> --
>> Heiko
> I'd consider xi.dovecot.fi more reliable myself.

The wiki should be pretty clear about this. Using Xi packages for
production systems is a very bad idea, unless perhaps you carefully
review and test it on another system before every update. If the
developers commit a horrible bug to the repositories, you're likely
going to be one of the first to notice. Keep that in mind!

Regards,

Stephan.

From rs at sys4.de Wed Jun 1 11:12:34 2016
From: rs at sys4.de (Robert Schetterer)
Date: Wed, 01 Jun 2016 13:12:34 +0200
Subject: stat .../.dovecot.sieve/tmp failed: Not a directory
In-Reply-To:
References: <574E16B8.5050604@sys4.de>
Message-ID:

On 1 June 2016 09:33:11 CEST, Steffen Kaiser wrote:
>On Wed, 1 Jun 2016, Robert Schetterer wrote:
>
>> Hi, I have
>>
>> stat .../.dovecot.sieve/tmp failed: Not a directory
>>
>> using
>>
>> sieve = file:~/sieve;active=~/.dovecot.sieve
>>
>> dovecot_2.2.24-1-auto-38
>>
>> cause I can subscribe to dovecot sieve
>>
>> can't remember to see this in previous versions
>
>you are sure that home dir != mail location, aren't you? :-)
>
>--
>Steffen Kaiser

Stephan already posted a solution
found in archive

set Maildir_stat_dirs yes fixed it, but should be avoided if possible

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein

From wolfgang.baumgartner at hswt.de Wed Jun 1 12:41:48 2016
From: wolfgang.baumgartner at hswt.de (Wolfgang Baumgartner)
Date: Wed, 01 Jun 2016 14:41:48 +0200
Subject: Fatal Error with sdbox and attachment storage
Message-ID: <574ED80C.30208@hswt.de>

Hello,

we've shortly migrated to sdbox with attachment storage. Now there are
many errors like this:

May 30 14:11:17 rzw-x-mail2 dovecot: lmtp(21310, xxx.xxx at hswt.de): Panic: file fs-api.c: line 615 (fs_copy): assertion failed: (src->fs == dest->fs)
May 30 14:11:17 rzw-x-mail2 dovecot: lmtp(21310, xxx.xxx at hswt.de): Error: Raw backtrace: /usr/lib/dovecot/libdovecot.so.0(+0x6b6fe) [0x7fae10a6d6fe] -> /usr/lib/dovecot/libdovecot.so.0(+0x6b7ec) [0x7fae10a6d7ec] -> /usr/lib/dovecot/libdovecot.so.0(i_fatal+0) [0x7fae10a248fb] -> /usr/lib/dovecot/libdovecot.so.0(fs_copy+0x90) [0x7fae10a2e4a0] -> /usr/lib/dovecot/libdovecot-storage.so.0(sdbox_copy+0x4e0) [0x7fae10d20c10] -> /usr/lib/dovecot/modules/lib10_quota_plugin.so(+0xbaab) [0x7fae10037aab] -> /usr/lib/dovecot/libdovecot-storage.so.0(mailbox_copy+0x7d) [0x7fae10d5d01d] -> /usr/lib/dovecot/libdovecot-lda.so.0(mail_deliver_save+0x196) [0x7fae110049d6] -> /usr/lib/dovecot/libdovecot-lda.so.0(mail_deliver+0xf3) [0x7fae11004e13] -> dovecot/lmtp [DATA](+0x6171) [0x7fae11434171] -> /usr/lib/dovecot/libdovecot.so.0(io_loop_call_io+0x3f) [0x7fae10a7ed0f] -> /usr/lib/dovecot/libdovecot.so.0(io_loop_handler_run_internal+0xf9) [0x7fae10a7fd09] -> /usr/lib/dovecot/libdovecot.so.0(io_loop_handler_run+0x9) [0x7fae10a7ed79] -> /usr/lib/dovecot/libdovecot.so.0(io_loop_run+0x38) [0x7fae10a7edf8] -> /usr/lib/dovecot/libdovecot.so.0(master_service_run+0x13) [0x7fae10a29dc3] -> dovecot/lmtp [DATA](main+0x165) [0x7fae114329b5] -> /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5) [0x7fae10678b45] -> dovecot/lmtp [DATA](+0x4a95) [0x7fae11432a95]
May 30 14:11:17 rzw-x-mail2 dovecot: lmtp(21310, xxx.xxx at hswt.de): Fatal: master: service(lmtp): child 21310 killed with signal 6 (core dumps disabled)

What can we do now? Migrate back to Maildir?
Greetings Wolfgang Baumgartner System: Debian 8 with Dovecot 2.2.13 dovecot -n # 2.2.13: /etc/dovecot/dovecot.conf # OS: Linux 3.16.0-4-amd64 x86_64 Debian 8.4 auth_master_user_separator = * auth_mechanisms = plain login auth_verbose_passwords = yes disable_plaintext_auth = no mail_attachment_dir = /srv/archive/attachments mail_location = auto: mail_plugins = quota zlib acl managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave namespace { hidden = no list = children location = auto: prefix = shared.%%n. separator = . subscriptions = yes type = shared } namespace inbox { hidden = no inbox = yes list = yes location = mailbox Drafts { special_use = \Drafts } mailbox Junk { special_use = \Junk } mailbox Sent { special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Trash { special_use = \Trash } prefix = INBOX. separator = . 
subscriptions = yes type = private } passdb { args = /etc/dovecot/master-users driver = passwd-file master = yes pass = yes } passdb { args = /etc/dovecot/dovecot-ldap.conf.ext driver = ldap } plugin { acl = vfile acl_shared_dict = file:/var/lib/dovecot/db/shared-mailboxes quota = dict:User quota::file:%h/dovecot-quota quota_grace = 20M quota_rule = *:storage=400M quota_rule2 = INBOX.Archiv:ignore quota_rule3 = INBOX.Trash:storage=+20M quota_status_nouser = DUNNO quota_status_overquota = 552 5.2.2 Mailbox is full / Mailbox ist voll quota_status_success = DUNNO quota_warning = storage=95%% quota-warning 95 %u quota_warning2 = storage=80%% quota-warning 80 %u sieve = ~/.dovecot.sieve sieve_default_name = roundcube sieve_dir = ~/sieve sieve_max_redirects = 15 zlib_save = gz zlib_save_level = 6 } protocols = " imap lmtp sieve pop3" service auth { inet_listener saslauth_via_dovecot { address = 141.40.2.7 port = 12341 } unix_listener auth-userdb { group = vmail user = vmail } } service imap-login { process_min_avail = 4 service_count = 0 } service imap { process_limit = 8192 } service lmtp { inet_listener lmtp { address = 141.40.2.7 port = 24 } } service managesieve-login { inet_listener sieve { port = 4190 } inet_listener sieve_deprecated { port = 2000 } } service pop3-login { process_min_avail = 4 service_count = 0 } service quota-status { client_limit = 1 executable = quota-status -p postfix inet_listener { address = 141.40.2.7 port = 12340 } } service quota-warning { executable = script /usr/local/bin/quota-warning.sh unix_listener quota-warning { user = vmail } user = vmail } ssl_cert = From wolfgang.baumgartner at hswt.de Wed Jun 1 13:10:50 2016 
From: wolfgang.baumgartner at hswt.de (Wolfgang Baumgartner)
Date: Wed, 01 Jun 2016 15:10:50 +0200
Subject: Fatal Error with sdbox and attachment storage
In-Reply-To: <574ED80C.30208@hswt.de>
References: <574ED80C.30208@hswt.de>
Message-ID: <574EDEDA.9090404@hswt.de>

I now can reproduce the error with some Mails which are in deferred
queue of postfix because of this fatal error.

The error in postfix is "lost connection with mail.hswt.de[141.40.2.7]
while sending end of data -- message may be sent more than once"

The mails are mails from a listserver (sympa) with attachment. If I do
"postqueue -i ID" of this mail, two of the recipients are delivered,
then "fatal error", "postqueue -i ID" next two, then "fatal error" and
so on.

Greetings.
Wolfgang

> Hello,
>
> we've shortly migrated to sdbox with attachment storage. Now there are
> many errors like this:
>
> May 30 14:11:17 rzw-x-mail2 dovecot: lmtp(21310, xxx.xxx at hswt.de):
> Panic: file fs-api.c: line 615 (fs_copy): assertion
> failed: (src->fs == dest->fs)
> May 30 14:11:17 rzw-x-mail2 dovecot: lmtp(21310, xxx.xxx at hswt.de):
> Error: Raw backtrace: /usr/lib/dovecot/libdovecot.so.0(+0x6b6fe)
> [0x7fae10a6d6fe] -> /usr/lib/dovecot/libdovecot.so.0(+0x6b7ec)
> [0x7fae10a6d7ec] -> /usr/lib/dovecot/libdovecot.so.0(i_fatal+0)
> [0x7fae10a248fb] -> /usr/lib/dovecot/libdovecot.so.0(fs_copy+0x90)
> [0x7fae10a2e4a0] ->
> /usr/lib/dovecot/libdovecot-storage.so.0(sdbox_copy+0x4e0)
> [0x7fae10d20c10] ->
> /usr/lib/dovecot/modules/lib10_quota_plugin.so(+0xbaab)
> [0x7fae10037aab] ->
> /usr/lib/dovecot/libdovecot-storage.so.0(mailbox_copy+0x7d)
> [0x7fae10d5d01d] ->
> /usr/lib/dovecot/libdovecot-lda.so.0(mail_deliver_save+0x196)
> [0x7fae110049d6] ->
> /usr/lib/dovecot/libdovecot-lda.so.0(mail_deliver+0xf3)
> [0x7fae11004e13] -> dovecot/lmtp [DATA](+0x6171) [0x7fae11434171] ->
> /usr/lib/dovecot/libdovecot.so.0(io_loop_call_io+0x3f)
> [0x7fae10a7ed0f] ->
> /usr/lib/dovecot/libdovecot.so.0(io_loop_handler_run_internal+0xf9)
> [0x7fae10a7fd09] ->
> /usr/lib/dovecot/libdovecot.so.0(io_loop_handler_run+0x9)
> [0x7fae10a7ed79] -> /usr/lib/dovecot/libdovecot.so.0(io_loop_run+0x38)
> [0x7fae10a7edf8] ->
> /usr/lib/dovecot/libdovecot.so.0(master_service_run+0x13)
> [0x7fae10a29dc3] -> dovecot/lmtp [DATA](main+0x165) [0x7fae114329b5]
> -> /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5)
> [0x7fae10678b45] -> dovecot/lmtp [DATA](+0x4a95) [0x7fae11432a95]
> May 30 14:11:17 rzw-x-mail2 dovecot: lmtp(21310, xxx.xxx at hswt.de):
> Fatal: master: service(lmtp): child 21310 killed with signal 6 (core
> dumps disabled)
>
> What can we do now? Migrate back to Maildir?
>
> Greetings
> Wolfgang Baumgartner
>
>
>

--
--------------------------------------------------------------
Hochschule Weihenstephan-Triesdorf, Rechenzentrum
Dipl.-Ing. (FH) Wolfgang Baumgartner
Am Weihenstephaner Berg 4, 85350 Freising
Tel. 08161/71-5276 Fax: 08161/71-5116
E-Mail: wolfgang.baumgartner at hswt.de
--------------------------------------------------------------

From fabio at improve.inf.br Wed Jun 1 13:44:38 2016
From: fabio at improve.inf.br (Fabio S. Schmidt)
Date: Wed, 01 Jun 2016 13:44:38 +0000
Subject: Full subject on dovecot log
Message-ID:

Hi,

I've noticed that when a subject is very long Dovecot doesn't show its
full length on the logs. Is there any way to always register the full
subject on the log? (I'm using dovecot 2.2)

My best regards,
Fabio S. Schmidt

From alessio at skye.it Wed Jun 1 13:48:09 2016
From: alessio at skye.it (Alessio Cecchi) Date: Wed, 1 Jun 2016 15:48:09 +0200 Subject: Increased errors "Broken MIME parts" in log file Message-ID: <574EE799.2070806@skye.it> Hi, after the last upgrade to Dovecot 2.2.24.2 (d066a24) I see an increased number of errors "Broken MIME parts" for users in dovecot log file, here an example: Jun 01 15:25:29 Error: imap(alessio.cecchi at skye.it): Corrupted index cache file /home/domains/skye.it/alessio.cecchi/Maildir/dovecot.index.cache: Broken MIME parts for mail UID 34 in mailbox INBOX: Cached MIME parts don't match message during parsing: Cached header size mismatch (parts=410000005b070000000000007b07000000000000fc0a000000000000400b0000000000000300000048000000800700000000000060000000000000006400000000000000200000000000000021000000000000000100000040000000260800000000000027000000000000002900000000000000ea00000000000000f000000000000000440000005d090000000000001e000000000000002000000000000000b308000000000000e0080000000000002d00000001000000410000007b09000000000000b208000000000000de080000000000000000000000000000000000000000000000000000) Jun 01 15:25:29 Error: imap(alessio.cecchi at skye.it): Corrupted index cache file /home/domains/skye.it/alessio.cecchi/Maildir/dovecot.index.cache: Broken MIME parts for mail UID 35 in mailbox INBOX: Cached MIME parts don't match message during parsing: Cached header size mismatch (parts=410000005b070000000000007b07000000000000fd0a000000000000410b0000000000000300000048000000800700000000000060000000000000006400000000000000200000000000000021000000000000000100000040000000260800000000000027000000000000002900000000000000eb00000000000000f100000000000000440000005e090000000000001e000000000000002000000000000000b308000000000000e0080000000000002d00000001000000410000007c09000000000000b208000000000000de080000000000000000000000000000000000000000000000000000) Jun 01 15:25:29 Error: imap(alessio.cecchi at skye.it): unlink(/home/domains/skye.it/alessio.cecchi/Maildir/dovecot.index.cache) failed: No such file 
or directory (in mail-cache.c:28) Jun 01 15:25:29 Error: imap(alessio.cecchi at skye.it): Corrupted index cache file /home/domains/skye.it/alessio.cecchi/Maildir/dovecot.index.cache: Broken MIME parts for mail UID 49 in mailbox INBOX: Cached MIME parts don't match message during parsing: Cached header size mismatch (parts=) Jun 01 15:25:29 Error: imap(alessio.cecchi at skye.it): unlink(/home/domains/skye.it/alessio.cecchi/Maildir/dovecot.index.cache) failed: No such file or directory (in mail-cache.c:28) Jun 01 15:25:29 Error: imap(alessio.cecchi at skye.it): Corrupted index cache file /home/domains/skye.it/alessio.cecchi/Maildir/dovecot.index.cache: Broken MIME parts for mail UID 50 in mailbox INBOX: Cached MIME parts don't match message during parsing: Cached header size mismatch (parts=) Jun 01 15:25:29 Error: imap(alessio.cecchi at skye.it): unlink(/home/domains/skye.it/alessio.cecchi/Maildir/dovecot.index.cache) failed: No such file or directory (in mail-cache.c:28) Jun 01 15:25:29 Error: imap(alessio.cecchi at skye.it): Corrupted index cache file /home/domains/skye.it/alessio.cecchi/Maildir/dovecot.index.cache: Broken MIME parts for mail UID 54 in mailbox INBOX: Cached MIME parts don't match message during parsing: Cached header size mismatch (parts=) Jun 01 15:25:29 Error: imap(alessio.cecchi at skye.it): unlink(/home/domains/skye.it/alessio.cecchi/Maildir/dovecot.index.cache) failed: No such file or directory (in mail-cache.c:28) Jun 01 15:25:29 Error: imap(alessio.cecchi at skye.it): Corrupted index cache file /home/domains/skye.it/alessio.cecchi/Maildir/dovecot.index.cache: Broken MIME parts for mail UID 55 in mailbox INBOX: Cached MIME parts don't match message during parsing: Cached header size mismatch (parts=) I try to run: - doveadm index -u alessio.cecchi at skye.it INBOX - doveadm force-resync -u alessio.cecchi at skye.it INBOX - delete all dovecot.* files for user but the error reappears always (for the same UID) when I do "search" from webmail. 
All works fine for the users but I don't think is good to have these errors in log file. My configuration: # dovecot -n # 2.2.24.2 (d066a24): /etc/dovecot/dovecot.conf # Pigeonhole version 0.4.14 (5986a78) # OS: Linux 2.6.32-642.el6.x86_64 x86_64 CentOS release 6.8 (Final) auth_cache_negative_ttl = 2 mins auth_cache_size = 20 M auth_cache_ttl = 20 mins auth_master_user_separator = * auth_mechanisms = plain login auth_worker_max_count = 50 deliver_log_format = msgid=%m, from=%f, subject="%s": %$ dict { acl = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext expire = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext sqlquota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext } disable_plaintext_auth = no first_valid_gid = 89 first_valid_uid = 89 imap_client_workarounds = delay-newmail tb-extra-mailbox-sep tb-lsub-flags imap_idle_notify_interval = 29 mins imap_logout_format = in=%i out=%o session=<%{session}> imap_max_line_length = 2 M last_valid_gid = 89 last_valid_uid = 89 lda_mailbox_autocreate = yes lda_mailbox_autosubscribe = yes listen = 10.0.0.157 login_trusted_networks = 10.0.0.0/24 mail_fsync = always mail_location = maildir:~/Maildir mail_plugins = quota acl expire zlib maildir_very_dirty_syncs = yes managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext vnd.dovecot.duplicate mmap_disable = yes namespace { list = children location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u prefix = shared/%%n/ separator = / subscriptions = no type = shared } namespace inbox { inbox = yes location = mailbox Drafts { auto = subscribe special_use = \Drafts } mailbox Sent { auto = subscribe special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Spam { auto = subscribe special_use = \Junk } mailbox Trash { auto = subscribe 
special_use = \Trash } prefix = separator = / } passdb { args = username_format=%Ld /etc/dovecot/extra/alias-domains-denylogin.txt deny = yes driver = passwd-file } passdb { args = /etc/dovecot/dovecot-deny-sql.conf.ext deny = yes driver = sql } passdb { args = /etc/dovecot/extra/master-users driver = passwd-file master = yes pass = yes } passdb { args = /etc/dovecot/dovecot-sql.conf.ext driver = sql } plugin { acl = vfile acl_shared_dict = proxy::acl antispam_backend = mailtrain antispam_mail_notspam = --ham antispam_mail_sendmail = /usr/bin/sa-learn antispam_mail_spam = --spam antispam_spam = Spam antispam_trash = Trash expire = Trash expire2 = Spam expire_dict = proxy::expire fts = solr fts_solr = url=http://10.0.0.5:8983/solr/ quota = maildir:UserQuota quota2 = dict:Quota Usage::noenforcing:proxy::sqlquota quota_grace = 10M quota_rule2 = Trash:storage=+100M quota_warning = storage=95%% quota-warning 95 %u quota_warning2 = storage=80%% quota-warning 80 %u sieve = ~/.dovecot.sieve sieve_before = /etc/dovecot/sieve/before.sieve sieve_dir = ~/sieve sieve_extensions = +vnd.dovecot.duplicate -vacation zlib_save = gz zlib_save_level = 6 } pop3_client_workarounds = outlook-no-nuls oe-ns-eoh pop3_logout_format = top=%t/%p, retr=%r/%b, del=%d/%m, size=%s, bytes=%i/%o, session=<%{session}> protocols = imap pop3 sieve sendmail_path = /var/qmail/bin/sendmail service anvil { unix_listener anvil-auth-penalty { mode = 00 } } service auth { client_limit = 6524 unix_listener auth-userdb { group = vchkpw mode = 0660 user = vpopmail } } service dict { process_limit = 500 unix_listener dict { group = vchkpw mode = 0660 user = vpopmail } } service imap-login { process_min_avail = 4 service_count = 0 } service imap-postlogin { executable = script-login /etc/dovecot/scripts/imap-postlogin.sh unix_listener imap-postlogin { group = vchkpw mode = 0660 user = vpopmail } user = vpopmail } service imap { executable = imap imap-postlogin process_limit = 5000 vsz_limit = 384 M } service 
managesieve-login { inet_listener sieve { port = 4190 } } service pop3-login { process_min_avail = 4 service_count = 0 } service pop3-postlogin { executable = script-login /etc/dovecot/scripts/pop3-postlogin.sh unix_listener pop3-postlogin { group = vchkpw mode = 0660 user = vpopmail } user = vpopmail } service pop3 { executable = pop3 pop3-postlogin process_limit = 1024 } service quota-warning { executable = script /etc/dovecot/scripts/quota-warning.sh unix_listener quota-warning { user = vpopmail } user = vpopmail } service stats { fifo_listener stats-mail { group = vchkpw mode = 0660 user = vpopmail } } ssl = no ssl_protocols = !SSLv2 !SSLv3 submission_host = 127.0.0.1 userdb { driver = prefetch } userdb { args = /etc/dovecot/dovecot-sql.conf.ext driver = sql } verbose_proctitle = yes protocol lda { mail_fsync = optimized mail_location = maildir:~/Maildir:INDEX=MEMORY mail_plugins = quota acl expire zlib sieve } protocol imap { mail_max_userip_connections = 50 mail_plugins = quota acl expire zlib imap_quota imap_acl imap_zlib } protocol sieve { mail_max_userip_connections = 2 } protocol pop3 { mail_max_userip_connections = 15 } -- Alessio Cecchi Postmaster @ http://www.qboxmail.it https://www.linkedin.com/in/alessice From stephan at rename-it.nl Wed Jun 1 14:49:39 2016 
From: stephan at rename-it.nl (Stephan Bosch)
Date: Wed, 1 Jun 2016 16:49:39 +0200
Subject: sieve vacation script exclude based on sender email address
In-Reply-To: <20160531155031.49E415A1C81@sinclaire.sibble.net>
References: <20160531155031.49E415A1C81@sinclaire.sibble.net>
Message-ID: <9b3aa581-7865-96c6-792d-b987fb40cedb@rename-it.nl>

On 31-5-2016 at 17:50, Harondel J. Sibble wrote:
> I thought I'd asked this question a few years ago but can't seem to find any evidence of that so
> here goes.
>
> I've been looking at the sieve docs and recipes, done a lot of googling but no joy so far.
>
> Using standard vacation script and that works great, however I want to exclude certain sender
> email addresses from ever receiving a vacation autoresponse, how do I go about adding that to
> my existing vacation recipe.
>
> I suspect my search terminology is what is causing me not to find anything as I typically am using
> exclude and similar search terms.

Just use the envelope test:

https://tools.ietf.org/html/rfc5228#section-5.4

Regards,

Stephan.

From stephan at rename-it.nl Wed Jun 1 14:58:31 2016
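
The envelope test from the reply above, wrapped around a vacation action. This is an added example, not part of the original thread; the addresses, the domain and the reply text are constructed placeholders.

```sieve
require ["vacation", "envelope"];

# The envelope test compares against the SMTP MAIL FROM address. That is
# also the address a vacation reply is sent to, so the exclusion matches the
# real reply target. To match the From: header instead, use the core test
#   address :is "from" [...]
# which needs no extra "require".
if not anyof (
    # Exact sender addresses that must never receive an auto-reply
    # (constructed placeholders).
    envelope :is "from" ["billing@partner.example",
                         "noreply@shop.example"],
    # Every sender under one domain.
    envelope :domain :is "from" "lists.example.net",
    # Local parts commonly used by list software.
    envelope :localpart :matches "from" ["*-bounces", "*-request"]
) {
    vacation
        :days 7
        :subject "Out of office"
        :addresses ["me@example.org"]
        "I am away and will reply when I return.";
}

# Delivery itself is unchanged: excluded senders still land in the mailbox
# through the implicit keep, they just get no auto-reply.
```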
From: stephan at rename-it.nl (Stephan Bosch)
Date: Wed, 1 Jun 2016 16:58:31 +0200
Subject: forwarding emails using sieve
In-Reply-To: <01000155099d83c5-f8500cc9-97f1-424b-9ef7-8cd256070a0c-000000@email.amazonses.com>
References: <01000155099d83c5-f8500cc9-97f1-424b-9ef7-8cd256070a0c-000000@email.amazonses.com>
Message-ID:

On 1-6-2016 at 3:39, Thorsten von Eicken wrote:
> I know this is a tad tangential to dovecot, but maybe someone has some
> pointers for me. I'm trying to forward emails using the sieve
> filtering and redirect doesn't do it because it doesn't wrap the
> message in a new email, instead, it seems to just change the envelope
> From (and To). This causes the outbound relay to reject the message
> for security/spam reasons (forged From).

Forwarding like that is currently not possible with the Sieve language.
The "enclose" extension seems to come close, but it explicitly has no
effect on redirected messages, which I find rather strange.

> It looks like the dovecot sieve implementation doesn't let me change
> the From header in the sieve script. Is there a way to accomplish what
> I'm looking for?

Changing the "From" header field can be done using the "editheader"
extension (https://tools.ietf.org/html/rfc5293).

    require "editheader";

    deleteheader "From";
    addheader "From" "User ";

Note that this extension is not enabled by default and thus requires
explicit configuration.

Regards,

Stephan.

From rs at sys4.de Wed Jun 1 15:43:57 2016
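
A fuller version of the editheader approach from the reply above, keeping the original author recoverable after the From rewrite. This is an added example, not part of the original thread; it assumes Pigeonhole with editheader enabled through sieve_extensions, and every address and the X-Original-From header name are constructed placeholders.

```sieve
# Assumed Dovecot configuration (editheader is off by default):
#   plugin {
#     sieve_extensions = +editheader
#   }
require ["editheader", "variables"];

# Remember the original author before the header is rewritten.
set "orig_from" "";
if header :matches "From" "*" {
    set "orig_from" "${1}";
}

# Forward only when there is an author to preserve, and never re-forward a
# message that already carries the marker header (simple loop guard).
if allof (not exists "X-Original-From",
          not string :is "${orig_from}" "") {

    # Replace From with an address the outbound relay accepts for this
    # host, so the message is no longer treated as a forged sender.
    deleteheader "From";
    addheader "From" "Mail forwarder <forwarder@example.org>";

    # Keep the original author visible to the recipient.
    addheader "X-Original-From" "${orig_from}";

    # Make replies reach the original author unless the message already
    # names its own reply address.
    if not exists "Reply-To" {
        addheader "Reply-To" "${orig_from}";
    }

    # A DKIM signature from the original sender that covers From no longer
    # verifies after this rewrite; the relay should sign the forwarded
    # message with the forwarding domain's own key.
    redirect "user@destination.example";
}
```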
From: rs at sys4.de (Robert Schetterer) Date: Wed, 1 Jun 2016 17:43:57 +0200 Subject: forwarding emails using sieve In-Reply-To: References: <01000155099d83c5-f8500cc9-97f1-424b-9ef7-8cd256070a0c-000000@email.amazonses.com> Message-ID: <574F02BD.2030706@sys4.de> Am 01.06.2016 um 16:58 schrieb Stephan Bosch: > > > Op 1-6-2016 om 3:39 schreef Thorsten von Eicken: >> I know this is a tad tangential to dovecot, but maybe someone has some >> pointers for me. I'm trying to forward emails using the sieve >> filtering and redirect doesn't do it because it doesn't wrap the >> message in a new email, instead, it seems to just change the envelope >> From (and To). This causes the outbound relay to reject the message >> for security/spam reasons (forged From). > > Forwarding like that is currently not possible with the Sieve language. > The "enclose" extension seems to come close, but it explicitly has no > effect on redirected messages, which I find rather strange. > >> It looks like the dovecot sieve implementation doesn't let me change >> the From header in the sieve script. Is there a way to accomplish what >> I'm looking for? > > Changing the "From" header field can be done using the "editheader" > extension (https://tools.ietf.org/html/rfc5293). > > require "editheader"; > > deleteheader "From"; > addheader "From" "User "; > > Note that this extension is not enabled by default and thus requires > explicit configuration. > > Regards, > > Stephan. you may read this ( german ) https://sys4.de/de/blog/2016/01/24/e-mail-weiterleitungen-mit-dovecot-sieve-ohne-spf-dmarc-und-dkim-konflikte-2/ highly experimental ! 
remember Stephan's post before give it a try Best Regards MfG Robert Schetterer -- [*] sys4 AG http://sys4.de, +49 (89) 30 90 46 64 Schleißheimer Straße 26/MG, 80333 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer Aufsichtsratsvorsitzender: Florian Kirstein From tve at voneicken.com Wed Jun 1 16:37:49 2016 From: tve at voneicken.com (Thorsten von Eicken) Date: Wed, 1 Jun 2016 16:37:49 +0000 Subject: forwarding emails using sieve In-Reply-To: References: <01000155099d83c5-f8500cc9-97f1-424b-9ef7-8cd256070a0c-000000@email.amazonses.com> Message-ID: <010001550cd404c3-a2578879-9cff-41ec-bdf8-9369b1f878ff-000000@email.amazonses.com> On 6/1/2016 7:58 AM, Stephan Bosch wrote: > >> It looks like the dovecot sieve implementation doesn't let me change >> the From header in the sieve script. Is there a way to accomplish >> what I'm looking for? > > Changing the "From" header field can be done using the "editheader" > extension (https://tools.ietf.org/html/rfc5293). > > require "editheader"; > > deleteheader "From"; > addheader "From" "User "; > > Note that this extension is not enabled by default and thus requires > explicit configuration. That's what I was missing, thanks! Thorsten From kremels at kreme.com Wed Jun 1 19:58:54 2016 
From: kremels at kreme.com (@lbutlr) Date: Wed, 1 Jun 2016 13:58:54 -0600 Subject: Marking an entire mailbox read Message-ID: I have an archive mailbox that contains in excess of 100,000 mail messages (stored in maildir) that accidentally got marked as unread. It is too large for my mail client to select all the mail and mark it as read without throttling. Is there a simple way that I can use doveadm or something to simply mark every message in that maildir as read? Or do I just loop through every message and move it to +S? find ~/Maildir/.Archive/cur/* -type f -name ?1*:2? --exec mv {} {}S \; -- By the way, I think you might be the prettiest girl I've ever seen outside the pages of a really filthy magazine From wrosenauer at gmail.com Wed Jun 1 21:12:00 2016 From: wrosenauer at gmail.com (Wolfgang Rosenauer) Date: Wed, 1 Jun 2016 23:12:00 +0200 Subject: special-use for virtual folder Message-ID: Hi, I'm running two different Dovecot servers (actually more but those are pretty similar and same versions 2.2.24). Today I configured a virtual All folder on both: namespace { location = virtual:/etc/dovecot/virtual:INDEX=~/virtual prefix = virtual. separator = . } mailbox virtual.All { special_use = \All } On this system the special-use flag is not applied to the folder (checked via LIST "" "*"). On the other system: namespace { location = virtual:/etc/dovecot/virtual:INDEX=~/virtual prefix = virtual/ separator = / } mailbox virtual/All { special_use = \All } On the second system I can see * LIST (\HasNoChildren \All) "/" virtual/All Besides the separator I don't see a big difference between both configurations. Any idea? Thanks, Wolfgang From kremels at kreme.com Wed Jun 1 21:41:09 2016 
From: kremels at kreme.com (@lbutlr) Date: Wed, 1 Jun 2016 15:41:09 -0600 Subject: Marking an entire mailbox read In-Reply-To: References: Message-ID: <403F2FCD-C7E2-4CB5-A6B5-379AC2C751C6@kreme.com> On Jun 1, 2016, at 1:58 PM, @lbutlr wrote: > find ~/Maildir/.Archive/cur/* -type f -name ?1*:2? --exec mv {} {}S \; For the record, I did the following, which appears to have worked: find . -type f -name "1*2,*" -not -name "*2,S*" -exec mv {} {}S \; -- It wasn't that her [Susan's] parents didn't believe in such things. They didn't need to believe in them. They knew they existed. They just wished they didn't. From skdovecot at smail.inf.fh-brs.de Thu Jun 2 05:56:29 2016 
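An added example, not part of the original post: a POSIX shell version of the rename discussed in the message above. It merges the Maildir "S" (seen) flag into each filename in sorted position, leaves messages that already carry it alone, and moves messages still in new/ into cur/. The function names and the sample filenames in the comments are constructed for illustration.

```bash
#!/bin/sh
# Added example: mark every message in one Maildir folder as read.
# Maildir keeps flags in the filename after ":2," and expects them in
# ASCII order, so "S" is merged into the flag set rather than appended.

# seen_name FILENAME -> prints FILENAME with the S flag present.
#   "1464811134.M1P2.host:2,T"  becomes "1464811134.M1P2.host:2,ST"
#   "1464811134.M1P2.host"      becomes "1464811134.M1P2.host:2,S"
seen_name() {
    name=$1
    case $name in
        *:2,*)
            base=${name%:2,*}      # everything before the info section
            flags=${name##*:2,}    # flag letters only
            ;;
        *)
            # No info section yet, typical for files still in new/.
            base=$name
            flags=
            ;;
    esac
    case $flags in
        *S*) ;;                    # already marked as seen
        *)
            # Add S, then sort the letters one per line and rejoin them.
            flags=$(printf '%sS' "$flags" | fold -w1 | LC_ALL=C sort | tr -d '\n')
            ;;
    esac
    printf '%s:2,%s\n' "$base" "$flags"
}

# mark_seen FOLDER -> renames messages under FOLDER/new and FOLDER/cur,
# always into FOLDER/cur, and prints how many files were changed.
mark_seen() {
    dir=$1
    changed=0
    for path in "$dir"/new/* "$dir"/cur/*; do
        # An unmatched glob stays literal; skip it and anything not a file.
        if [ ! -f "$path" ]; then
            continue
        fi
        dest="$dir/cur/$(seen_name "${path##*/}")"
        if [ "$path" != "$dest" ]; then
            mv -- "$path" "$dest"
            changed=$((changed + 1))
        fi
    done
    printf '%s\n' "$changed"
}

# Usage (path is an assumption): mark_seen "$HOME/Maildir/.Archive"
```

The flag test looks only at the text after ":2,", so a Dovecot-style size field such as ",S=1234" earlier in the filename is not mistaken for the seen flag.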
From: skdovecot at smail.inf.fh-brs.de (Steffen Kaiser) Date: Thu, 2 Jun 2016 07:56:29 +0200 (CEST) Subject: stat .../.dovecot.sieve/tmp failed: Not a directory In-Reply-To: References: <574E16B8.5050604@sys4.de> Message-ID: On Wed, 1 Jun 2016, Robert Schetterer wrote: > On 1 June 2016 09:33:11 CEST, Steffen Kaiser wrote: >> On Wed, 1 Jun 2016, Robert Schetterer wrote: >> >>> Hi, i have >>> >>> stat .../.dovecot.sieve/tmp failed: Not a directory >>> >>> using >>> >>> sieve = file:~/sieve;active=~/.dovecot.sieve >>> >>> dovecot_2.2.24-1-auto-38 >>> >>> cause i can subscribe to dovecot sieve >>> >>> can't remember to see this in previous versions >> >> you are sure that home dir != mail location, aren't you? :-) > > Stephan already posted a solution found in archive set > Maildir_stat_dirs yes fixed it, but should be avoided if possible that's the workaround, if you have homedir == mail location, for the penalty of performance decrease -- Steffen Kaiser From wrosenauer at gmail.com Thu Jun 2 14:13:45 2016 
From: wrosenauer at gmail.com (Wolfgang Rosenauer) Date: Thu, 2 Jun 2016 16:13:45 +0200 Subject: special-use for virtual folder In-Reply-To: References: Message-ID: Hi, On Wed, Jun 1, 2016 at 11:12 PM, Wolfgang Rosenauer wrote: > Hi, > > I'm running two different Dovecot servers (actually more but those are > pretty similar and same versions 2.2.24). > > Today I configured a virtual All folder on both: > > namespace { > location = virtual:/etc/dovecot/virtual:INDEX=~/virtual > prefix = virtual. > separator = . > } > > mailbox virtual.All { > special_use = \All > } > > On this system the special-use flag is not applied to the folder (checked > via LIST "" "*"). > > with some help I was able to workaround this by just moving the mailbox declaration directly into the namespace section and leaving out the prefix. I still think this is some kind of bug that it works in one case but not the other but I can live with the current behaviour. Thanks Wolfgang From tanstaafl at libertytrek.org Thu Jun 2 14:35:33 2016 
From: tanstaafl at libertytrek.org (Tanstaafl) Date: Thu, 2 Jun 2016 10:35:33 -0400 Subject: Multiple recipient delimiter support? Message-ID: <896dfd15-f0dc-2380-708d-6eee0e4a1b21@libertytrek.org> Trying to find out if dovecot supports the use of multiple recipient delimiters, as postfix does, but can't find an answer... The wiki only mentions it in two meaningful places (that I can find)... With respect to postfix: /wiki.dovecot.org/LDA/Postfix The above seems to imply that for postfix/LDA all I need to do is define it in postfix (which supports multiple recipient delimiters). And with Pigeonhole/Sieve: wiki.dovecot.org/Pigeonhole/Sieve/Configuration It seems to be saying that I must also define the same recipient_delimiters in dovecot config if using LMTP, and also if I want to use sieve for filtering of mail. But, the example and text says nothing about the use of multiple delimiters... So, is this supported? If so, the wiki should be updated to reflect this... From rs at sys4.de Thu Jun 2 17:04:05 2016 
From: rs at sys4.de (Robert Schetterer) Date: Thu, 2 Jun 2016 19:04:05 +0200 Subject: stat .../.dovecot.sieve/tmp failed: Not a directory In-Reply-To: References: <574E16B8.5050604@sys4.de> Message-ID: <57506705.8090604@sys4.de> On 02.06.2016 at 07:56, Steffen Kaiser wrote: > On Wed, 1 Jun 2016, Robert Schetterer wrote: > >> On 1 June 2016 09:33:11 CEST, Steffen Kaiser wrote: >>> On Wed, 1 Jun 2016, Robert Schetterer wrote: >>> >>>> Hi, i have >>>> >>>> stat .../.dovecot.sieve/tmp failed: Not a directory >>>> >>>> using >>>> >>>> sieve = file:~/sieve;active=~/.dovecot.sieve >>>> >>>> dovecot_2.2.24-1-auto-38 >>>> >>>> cause i can subscribe to dovecot sieve >>>> >>>> can't remember to see this in previous versions >>> >>> you are sure that home dir != mail location, aren't you? :-) > >> Stephan already posted a solution found in archive set >> Maildir_stat_dirs yes fixed it, but should be avoided if possible > > that's the workaround, if you have homedir == mail location, for the > penalty of performance decrease for now i am happy with this, hopefully i remember when redesign the servers > > -- Steffen Kaiser Best Regards MfG Robert Schetterer -- [*] sys4 AG http://sys4.de, +49 (89) 30 90 46 64 Schleißheimer Straße 26/MG, 80333 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer Aufsichtsratsvorsitzender: Florian Kirstein From tanstaafl at libertytrek.org Thu Jun 2 19:50:57 2016 
From: tanstaafl at libertytrek.org (Tanstaafl) Date: Thu, 2 Jun 2016 15:50:57 -0400 Subject: Multiple recipient delimiter support? In-Reply-To: <896dfd15-f0dc-2380-708d-6eee0e4a1b21@libertytrek.org> References: <896dfd15-f0dc-2380-708d-6eee0e4a1b21@libertytrek.org> Message-ID: On 6/2/2016 10:35 AM, Tanstaafl wrote: > Trying to find out if dovecot supports the use of multiple recipient > delimiters, as postfix does, but can't find an answer... The reason this is important is simple. I've encountered a lot of sites that refuse to accept an email with the '+' character in it, but every one of them has accepted one with a '-' sign as the delimiter, so I use both. From kevin at my.walr.us Thu Jun 2 20:07:43 2016 From: kevin at my.walr.us (KT Walrus) Date: Thu, 2 Jun 2016 16:07:43 -0400 Subject: nginx proxy to dovecot servers Message-ID: <4CE2AF50-C230-4007-B542-19D906862278@my.walr.us> I'm trying to understand how the nginx mail proxy and dovecot work. As I understand it, nginx can listen on a IP:port for IMAP connections. NGINX then can invoke a PHP script to do authorization and backend server selection. Does NGINX then proxy to the backend dovecot IMAP server all subsequent IMAP commands that the user's mail client requests? Does the backend dovecot IMAP server do its own authentication with another MySQL password lookup? Or, since NGINX has done the authentication, the password_query lookup is skipped on the dovecot server? I assume the dovecot IMAP server still needs to do a MySQL user_query lookup (to find the location of the user's mailbox on the server), but I am wondering whether the password will be checked twice, once by NGINX and a second time by dovecot IMAP. Kevin From tss at iki.fi Thu Jun 2 21:58:36 2016 
From: tss at iki.fi (Timo Sirainen) Date: Fri, 3 Jun 2016 00:58:36 +0300 Subject: Increased errors "Broken MIME parts" in log file In-Reply-To: <574EE799.2070806@skye.it> References: <574EE799.2070806@skye.it> Message-ID: <406D3729-5078-4674-B8EC-8B5F5541C6D0@iki.fi> On 01 Jun 2016, at 16:48, Alessio Cecchi wrote: > > Hi, > > after the last upgrade to Dovecot 2.2.24.2 (d066a24) I see an increased number of errors "Broken MIME parts" for users in dovecot log file, here an example: > > Jun 01 15:25:29 Error: imap(alessio.cecchi at skye.it): Corrupted index cache file /home/domains/skye.it/alessio.cecchi/Maildir/dovecot.index.cache: Broken MIME parts for mail UID 34 in mailbox INBOX: Cached MIME parts don't match message during parsing: Cached header size mismatch (parts=410000005b070000000000007b07000000000000fc0a000000000000400b0000000000000300000048000000800700000000000060000000000000006400000000000000200000000000000021000000000000000100000040000000260800000000000027000000000000002900000000000000ea00000000000000f000000000000000440000005d090000000000001e000000000000002000000000000000b308000000000000e0080000000000002d00000001000000410000007b09000000000000b208000000000000de080000000000000000000000000000000000000000000000000000) .. > but the error reappears always (for the same UID) when I do "search" from webmail. All works fine for the users but I don't think is good to have these errors in log file. If it's reproducible for a specific email, can you send me the email? From kevin at my.walr.us Fri Jun 3 01:16:51 2016 
From: kevin at my.walr.us (KT Walrus) Date: Thu, 2 Jun 2016 21:16:51 -0400 Subject: Blowfish hashed passwords Message-ID: The PHP app I'm using on my website uses PHP to generate password hashes to be stored into the user database. These password hashes use Blowfish encryption ("$2y$"). In fact, since PHP 5.3.0, PHP contains its own implementation of the hash types it supports including: - CRYPT_STD_DES - CRYPT_EXT_DES - CRYPT_MD5 - CRYPT_BLOWFISH - CRYPT_SHA256 - CRYPT_SHA512 The C code for these hash types is in https://github.com/php/php-src/tree/master/ext/standard I'm working on adding Dovecot to my site, but Dovecot doesn't seem to support Blowfish password hashes (at least on Ubuntu 14.04). Would you consider adding built-in "fallback" support for Blowfish and SHA512 (which doesn't seem to be supported either on Ubuntu 14.04 last time I checked) to an upcoming Dovecot release? You could probably take the source code from the GitHub PHP repo to incorporate support for these hash types in Dovecot. That way, Dovecot could easily use the same hash types that PHP supports regardless of what hash types are installed in the OS running Dovecot. And, I wouldn't have to deal with a second set of hashes for Dovecot passdb for my existing user accounts. See PHP manual for crypt function: http://php.net/manual/en/function.crypt.php Kevin From 304706283 at qq.com Fri Jun 3 02:59:55 2016 From: 304706283 at qq.com (=?gb18030?B?vuS6xc/IyfqhoyB8?=) Date: Fri, 3 Jun 2016 10:59:55 +0800 Subject: dovecot-sieve help Message-ID: hi, I have a question hope to get everybody's help, thank you. I write the dovecot sieve rules, use notify:mailto. such as mailto:mymail at dovecot.org, this is ok.but i want to go to a url address,like this,mailto:"http://http://wiki.dovecot.org/".but i don't know how to do it.I hope you can help me.thanks. From craig at mypenguin.net.au Fri Jun 3 04:04:26 2016 
From: craig at mypenguin.net.au (craig) Date: Fri, 03 Jun 2016 14:04:26 +1000 Subject: Shared Mailbox? Message-ID: Hi, I've been doing a lot of reading on this topic, I'm just finding a lot of doco that's potentially out of date now? System: Red Hat Enterprise Linux Server release 7.2 (Maipo) dovecot-2.2.10-5.el7.x86_64 The need: 1. I'd like to create a mailbox called "accounts", email would simply get delivered to the account via "accounts at example.com" (Maildir format) 2. Share this mailbox so it appears in three other accounts as an extra folder called "accounts" 3. If a user reads an email in the "accounts" folder, I'd like the other users to know this. Clients: * Latest Thunderbird * Outlook 2013. Any advice welcome ;) Cheers, Craig From aki.tuomi at dovecot.fi Fri Jun 3 06:20:37 2016 
From: aki.tuomi at dovecot.fi (Aki Tuomi) Date: Fri, 3 Jun 2016 09:20:37 +0300 Subject: Bug with shared access to mailbox In-Reply-To: References: Message-ID: <575121B5.4000006@dovecot.fi> On 30.05.2016 16:41, van der Kamp, John wrote: > Hello, > > I'm testing dovecot with some setups, and one of them is with shared > mailboxes. The test I wrote will create and delete mail using multiple > connections to the same user and folder. Each connection makes a couple of > mails, remembers the uid from APPENDUID, and will delete those emails again. > At the end of the test I expect an empty folder. > > This is not what happens. At the end I still have several mails in the > folder. I lack insight in the dovecot source to tell exactly what's going > on. I've tested this with different setups: > 1) local system user, connecting over localhost -> bug is present > 2) local system user, connecting over internet -> bug is present, but is > harder to reproduce > 3) dovecot as proxy to another imap server -> bug is present > In step 3, you can even setup a dovecot to be a proxy to another dovecot > server. > > From logging in the other imap server I've seen that a client command to the > proxy like: > TAG UID STORE 1:3 +FLAGS (\Deleted) > TAG UID EXPUNGE 1:3 > will be sent to the other imap server in 3 steps, one for each message. When > running the test with multiple threads, that logging shows that some uids > are never sent to the other imap server, and some uids are sent over > different connections than they original were sent to. (Thread 1 deletes > 1:3, Thread 2 deletes 4:6, the proxy of Thread 1 might expunge messages from > Thread 2 and vice versa). > > Attached is a python script which tests the behavior. The script expects a > file named "testmail.eml" to upload to the imap server. I used an email > which was about 75 kB. > I tested using version: 2.2.22 (fe789d2). > Let me know if I can help in any other way too. > > John > Hi! 
We tested with 2.2.24, and were unable to reproduce the error. Can you try again with 2.2.24? Aki From skdovecot at smail.inf.fh-brs.de Fri Jun 3 06:49:15 2016 From: skdovecot at smail.inf.fh-brs.de (Steffen Kaiser) Date: Fri, 3 Jun 2016 08:49:15 +0200 (CEST) Subject: dovecot-sieve help In-Reply-To: References: Message-ID: On Fri, 3 Jun 2016, ?????????? | wrote: > I write the dovecot sieve rules, use notify:mailto. such as > mailto:mymail at dovecot.org, this is ok.but i want to go to a url > address,like this,mailto:"http://http://wiki.dovecot.org/".but i don't > know how to do it.I hope you can help me.thanks. Well, what mailto:"http://wiki.dovecot.org/" is to mean? see https://en.wikipedia.org/wiki/Mailto -- Steffen Kaiser From skdovecot at smail.inf.fh-brs.de Fri Jun 3 07:00:06 2016 
From: skdovecot at smail.inf.fh-brs.de (Steffen Kaiser) Date: Fri, 3 Jun 2016 09:00:06 +0200 (CEST) Subject: Shared Mailbox? In-Reply-To: References: Message-ID: On Fri, 3 Jun 2016, craig wrote: > The need: > 1. I'd like to create a mailbox called "accounts", email would simply get > delivered to the account via "accounts at example.com" (Maildir format) > 2. Share this mailbox so it appears in three other accounts as an extra > folder called "accounts" > 3. If a user reads an email in the "accounts" folder, I'd like the other > users to know this. a) symlink /mail/location/accounts/Maildir to /mail/location/user1/Maildir/.accounts that will map the INBOX only and works only if your filesystem level permissions allows the access. b) use ACLs and a shared namespace -- Steffen Kaiser From aki.tuomi at dovecot.fi Fri Jun 3 07:14:09 2016 
From: aki.tuomi at dovecot.fi (Aki Tuomi) Date: Fri, 3 Jun 2016 10:14:09 +0300 Subject: Blowfish hashed passwords In-Reply-To: References: Message-ID: <57512E41.5060506@dovecot.fi> On 03.06.2016 04:16, KT Walrus wrote: > The PHP app I'm using on my website uses PHP to generate password hashes to be stored into the user database. These password hashes use Blowfish encryption ("$2y$"). In fact, since PHP 5.3.0, PHP contains its own implementation of the hash types it supports including: > > - CRYPT_STD_DES > - CRYPT_EXT_DES > - CRYPT_MD5 > - CRYPT_BLOWFISH > - CRYPT_SHA256 > - CRYPT_SHA512 > > The C code for these hash types is in https://github.com/php/php-src/tree/master/ext/standard > > I'm working on adding Dovecot to my site, but Dovecot doesn't seem to support Blowfish password hashes (at least on Ubuntu 14.04). > > Would you consider adding built-in "fallback" support for Blowfish and SHA512 (which doesn't seem to be supported either on Ubuntu 14.04 last time I checked) to an upcoming Dovecot release? > > You could probably take the source code from the GitHub PHP repo to incorporate support for these hash types in Dovecot. That way, Dovecot could easily use the same hash types that PHP supports regardless of what hash types are installed in the OS running Dovecot. > > And, I wouldn't have to deal with a second set of hashes for Dovecot passdb for my existing user accounts. > > See PHP manual for crypt function: http://php.net/manual/en/function.crypt.php > > Kevin Hi! We support in latest 2.2 release MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5 PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA CRYPT SHA256-CRYPT SHA512-CRYPT There is also blowfish support as BLF-CRYPT, but that requires that your system supports it. CRYPT supports whatever your crypt() supports. Aki From jlambot at gmail.com Fri Jun 3 07:24:59 2016 
From: jlambot at gmail.com (Julien Lambot) Date: Fri, 3 Jun 2016 09:24:59 +0200 Subject: AD query timeout might be result size limit exceeded In-Reply-To: References: Message-ID: On Thu, May 19, 2016 at 4:27 PM, Julien Lambot wrote: > Hello list > > I've been struggling for a while trying to configure multiple domain ldap > authentication with full e-mail address authentication. Which in fact was > not the issue. > There were some discrepancies between the doc and our actual > configuration (see appendix A/ ) Seems that pass_filters and user_filters > don't need much special settings for our setup. > > Now it's working correctly at the sole exception that when an OU contains > "lots" of users (>200) i suspect that the ldapsearch query fails. We can > well authenticate when we have 50 users in an OU, but not when the number > raises (I don't have the exact number above which it locks). > After further investigations, seems the issue is caused by the presence of an "_" (underscore) in the OU name. Other OUs are not impacted. If anyone has a suggestion, that would be welcome. In fact, we cannot rename this OU without a wide impact on other configurations. Regards Julien > > Is there a parameter that we can set to increase the result size limit (as > i suspect this to be the cause of this possible bug)? > > If I query manually it's ok (ldapsearch) > if I use "doveadm auth user.name at domain.tld", it succeed also but I > wonder if it doesn't use the winbind authentication instead. 
> > > > Here is our ldap-auth configuration > > hosts = master.domain.local:389 > dn = DOMAIN\ro-user > dnpass = password > debug_level = 2 > auth_bind = yes > #auth_bind_userdn = > cn=%u,OU=_myou,OU=Utilisateurs,OU=ouname,DC=domain,DC=local (tried with and > without with no better results) > ldap_version = 3 > #deref = never > #base = OU=InfrastructureManagement,DC=domain,DC=local (works has a few > users) > base = OU=_myou,OU=Utilisateurs,OU=ouname,DC=domain,DC=local > scope = subtree > user_filter = (&(objectclass=person)(mail=%u)) > pass_filter = (&(objectclass=person)(mail=%u)) > > and some logs in appendix B/ > > > Thanks for any hints on this. > > Have a nice day > > From dovecot-e51 at deemzed.uk Fri Jun 3 08:26:59 2016 
From: dovecot-e51 at deemzed.uk (Dave) Date: Fri, 3 Jun 2016 09:26:59 +0100 Subject: Bug with shared access to mailbox In-Reply-To: <575121B5.4000006@dovecot.fi> References: <575121B5.4000006@dovecot.fi> Message-ID: <70ec3048-22b7-bc61-a152-4193d5dd1f7b@deemzed.uk> On 03/06/2016 07:20, Aki Tuomi wrote: > We tested with 2.2.24, and were unable to reproduce the error. Can you > try again with 2.2.24? Apologies for butting in, but I've been seeing exactly the same issue post upgrade to 2.2.24 (from 2.2.18): [2016-06-02T10:38:28+0100] imap(xxxxx): Error: Corrupted index cache file /mnt/index/8cc/95 2952/.INBOX/dovecot.index.cache: Broken MIME parts for mail UID 13758 in mailbox INBOX: Cached MIME parts don't match message during parsing: Cached header size mismatch (parts=41000000f7020000000000000a030000000000000508000 0000000003108000000000000030000004800000018030000000000005b000000000000005f00000000000000f100000000000000f500000 000000000040000004000000086040000000000002700000000000000290000000000000064010000000000006b010000000000004400000 033060000000000001e000000000000002000000000000000860400000000000097040000000000001100000001000000410000005106000 000000000850400000000000095040000000000000000000000000000000000000000000000000000) etc. At first I assumed it was better at picking up corrupted indexes and would reduce in severity over time. However, I've also seen that attempting to force-resync or remove and rebuild indexes doesn't help - it reoccurs on the same mailboxes. Unfortunately I'm unable to reveal mails from affected mailboxes, so I'm not sure how much help this is beyond a "me too". 
doveconf (dovecot behind directors) # doveconf -n # 2.2.24 (a82c823): /etc/dovecot/dovecot.conf # Pigeonhole version 0.4.14 (099a97c) # OS: Linux 2.6.32-573.26.1.el6.x86_64 x86_64 CentOS release 6.7 (Final) auth_anonymous_username = auth_failure_delay = 0 auth_master_user_separator = * auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_ auth_worker_max_count = 64 base_dir = /var/run/dovecot/ default_client_limit = 5120 default_process_limit = 128 default_vsz_limit = 64 M deliver_log_format = msgid=%m from=<%e> (%f) to=<%{to_envelope}>: %$ disable_plaintext_auth = no first_valid_gid = 2000 first_valid_uid = 2000 lda_mailbox_autocreate = yes lda_mailbox_autosubscribe = yes lda_original_recipient_header = X-Original-To listen = 192.168.0.214 lmtp_hdr_delivery_address = none lmtp_rcpt_check_quota = yes log_path = /var/log/dovecot/dovecot.log log_timestamp = "[%Y-%m-%dT%H:%M:%S%z] " login_greeting = Mail Server Ready login_log_format_elements = pid=%e user=<%u> ip=%r login_trusted_networks = 192.168.0.223 192.168.0.224 192.168.0.225 192.168.0.226 192.168.0.227 192.168.0.228 mail_access_groups = doveuser mail_fsync = always mail_home = /mnt/mail/%3Mu/%u mail_location = maildir:~:INDEX=/mnt/index/%3Mu/%i:CONTROL=/mnt/control/%3Mu/%u mail_plugins = " stats" mailbox_idle_check_interval = 2 mins mailbox_list_index = yes maildir_very_dirty_syncs = yes managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii -numeric relational regex imap4flags copy include variables body enotify mailbox date index ihave duplicate mime foreverypart extracttext mmap_disable = yes passdb { args = /etc/dovecot/passwd.master driver = passwd-file master = yes pass = yes result_failure = return-fail result_internalfail = return-fail } passdb { args = /etc/dovecot/sql.d/user.ext driver = sql } plugin { sieve = file:~/sieve;active=~/sieve/.active.sieve sieve_extensions = 
-environment sieve_max_actions = 32 sieve_max_redirects = 4 sieve_max_script_size = 1M sieve_quota_max_scripts = 16 sieve_quota_max_storage = 2M sieve_redirect_envelope_from = sender sieve_user_log = /dev/null stats_refresh = 30 secs stats_track_cmds = no } protocols = lmtp imap pop3 sieve recipient_delimiter = service auth-worker { user = $default_internal_user vsz_limit = 128 M } service auth { client_limit = 7664 vsz_limit = 128 M } service imap-login { inet_listener imap { port = 10143 } service_count = 0 } service imap { process_limit = 5120 process_min_avail = 24 vsz_limit = 512 M } service lmtp { executable = lmtp -L inet_listener lmtp { port = 10024 } process_limit = 128 process_min_avail = 12 vsz_limit = 512 M } service managesieve-login { inet_listener sieve { port = 14190 } service_count = 0 vsz_limit = 512 M } service managesieve { process_limit = 128 } service pop3-login { inet_listener pop3 { port = 10110 } service_count = 0 } service pop3 { process_limit = 2048 process_min_avail = 24 vsz_limit = 512 M } service stats { fifo_listener stats-mail { group = doveuser mode = 0660 } vsz_limit = 256 M } ssl = no stats_command_min_time = 0 stats_ip_min_time = 2 mins stats_memory_limit = 64 M stats_session_min_time = 2 mins stats_user_min_time = 2 mins userdb { args = /etc/dovecot/sql.d/user.ext driver = sql } verbose_proctitle = yes protocol lmtp { auth_username_chars = auth_username_format = %Ln log_path = /var/log/dovecot/lmtp.log mail_plugins = " stats sieve" } protocol imap { imap_client_workarounds = delay-newmail imap_id_log = name version os os-version imap_id_send = imap_idle_notify_interval = 10 mins imap_logout_format = bytes=%i/%o imap_max_line_length = 64 k mail_max_userip_connections = 16 mail_plugins = " stats imap_stats" } protocol sieve { mail_max_userip_connections = 16 managesieve_logout_format = bytes=%i/%o managesieve_max_compile_errors = 5 } protocol pop3 { mail_max_userip_connections = 16 pop3_client_workarounds = outlook-no-nuls 
oe-ns-eoh pop3_enable_last = no pop3_fast_size_lookups = no pop3_lock_session = yes pop3_logout_format = bytes=%i/%o, top=%t/%p, retr=%r/%b, del=%d/%m, size=%s pop3_no_flag_updates = no pop3_reuse_xuidl = no pop3_save_uidl = no pop3_uidl_format = %08Xv%08Xu } -- Dave From sami.ketola at dovecot.fi Fri Jun 3 08:27:55 2016 From: sami.ketola at dovecot.fi (Sami Ketola) Date: Fri, 3 Jun 2016 11:27:55 +0300 Subject: nginx proxy to dovecot servers In-Reply-To: <4CE2AF50-C230-4007-B542-19D906862278@my.walr.us> References: <4CE2AF50-C230-4007-B542-19D906862278@my.walr.us> Message-ID: <1887E016-019D-4C38-96CE-7CA0A516854F@dovecot.fi> > On 02 Jun 2016, at 23:07, KT Walrus wrote: > > I'm trying to understand how the nginx mail proxy and dovecot work. > > As I understand it, nginx can listen on a IP:port for IMAP connections. NGINX then can invoke a PHP script to do authorization and backend server selection. > > Does NGINX then proxy to the backend dovecot IMAP server all subsequent IMAP commands that the user's mail client requests? > > Does the backend dovecot IMAP server do its own authentication with another MySQL password lookup? Or, since NGINX has done the authentication, the password_query lookup is skipped on the dovecot server? I assume the dovecot IMAP server still needs to do a MySQL user_query lookup (to find the location of the user's mailbox on the server), but I am wondering whether the password will be checked twice, once by NGINX and a second time by dovecot IMAP. Hi, you can always skip password check on dovecot side with static passdb that accepts all passwords if you are absolutely sure that the session has been authenticated earlier. Also you could switch the session from using user password to using a master password at the proxy if NGINX supports this. btw, what is the reason for NGINX proxy anyway? Since dovecot proxy can do this for you too. Sami From amateo at um.es Fri Jun 3 09:38:17 2016 
From: amateo at um.es (Angel L. Mateo) Date: Fri, 3 Jun 2016 11:38:17 +0200 Subject: zlib corrupted data Message-ID: <57515009.30801@um.es> Hello, We are having performance problems with one of our users. We are having a server (2.1.16) for about 8000 users. This server is a vmware vm with 8 cores and 32GB of RAM. Normally, it is working fine, but when one of our users access his email, then the load increases a lot and this high load is maintained while the user is connected. Looking for problems with this user I have found that trying to move messages from one folder to another I have errors like: doveadm(mctm at um.es): Error: zlib.read(/mail/users/mailboxes/um.es/mc/mctm/mdbox/storage/m.1486): corrupted data at 30152376 doveadm(mctm at um.es): Error: zlib_istream.seek(/mail/users/mailboxes/um.es/mc/mctm/mdbox/storage/m.1486) failed: Invalid argument doveadm(mctm at um.es): Error: zlib.read(/mail/users/mailboxes/um.es/mc/mctm/mdbox/storage/m.1473): corrupted data at 7175520 doveadm(mctm at um.es): Error: zlib_istream.seek(/mail/users/mailboxes/um.es/mc/mctm/mdbox/storage/m.1473) failed: Invalid argument but a doveadm dump of these files shows no problem. Is there any way to debug this problem? How could I fix it? -- Angel L. Mateo Martínez Sección de Telemática Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA) http://www.um.es/atica Tfo: 868887590 Fax: 868888337 From kevin at my.walr.us Fri Jun 3 12:14:01 2016 
From: kevin at my.walr.us (KT Walrus)
Date: Fri, 3 Jun 2016 08:14:01 -0400
Subject: Blowfish hashed passwords
In-Reply-To:
References:
Message-ID:

(I subscribed to a daily digest for this list and can't figure out how to reply to a reply.)

Anyway, Aki Tuomi replied to my feature request saying:

> We support in latest 2.2 release
>
> MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN
> CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5
> PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA CRYPT SHA256-CRYPT
> SHA512-CRYPT
>
> There is also blowfish support as BLF-CRYPT, but that requires that your
> system supports it. CRYPT supports whatever your crypt() supports.
>

The reason I suggest building in fallback hash type support is that my install of Dovecot on Ubuntu 14.04 didn't support SHA512-CRYPT or BLF-CRYPT.

If Dovecot just included the PHP .c files to make sure it can process Blowfish/SHA512 password hashes on all installs, it would greatly simplify adding Dovecot as a service for my existing user accounts (without forcing them to give their password for the site so I can generate new hashes in a form that Dovecot supports). SHA256-CRYPT is probably my best option for password hashing since it supports ROUNDS to make hash generation slower. But, I would rather use BLF-CRYPT so I can re-use my existing hashes for my user accounts.

Kevin

From aki.tuomi at dovecot.fi Fri Jun 3 12:19:28 2016
From: aki.tuomi at dovecot.fi (Aki Tuomi)
Date: Fri, 3 Jun 2016 15:19:28 +0300
Subject: Blowfish hashed passwords
In-Reply-To:
References:
Message-ID: <575175D0.3060207@dovecot.fi>

On 03.06.2016 15:14, KT Walrus wrote:
> (I subscribed to a daily digest for this list and can't figure out how to reply to a reply.)
>
> Anyway, Aki Tuomi replied to my feature request saying:
>
>> We support in latest 2.2 release
>>
>> MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN
>> CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5
>> PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA CRYPT SHA256-CRYPT
>> SHA512-CRYPT
>>
>> There is also blowfish support as BLF-CRYPT, but that requires that your
>> system supports it. CRYPT supports whatever your crypt() supports.
>>
> The reason I suggest building in fallback hash type support is that my install of Dovecot on Ubuntu 14.04 didn't support SHA512-CRYPT or BLF-CRYPT.
>
> If Dovecot just included the PHP .c files to make sure it can process Blowfish/SHA512 password hashes on all installs, it would greatly simplify adding Dovecot as a service for my existing user accounts (without forcing them to give their password for the site so I can generate new hashes in a form that Dovecot supports). SHA256-CRYPT is probably my best option for password hashing since it supports ROUNDS to make hash generation slower. But, I would rather use BLF-CRYPT so I can re-use my existing hashes for my user accounts.
>
> Kevin

Unfortunately "just including" files from another project is not that straightforward. We can see if we could add BLF-CRYPT support to core even if system does not support it.

Aki

From kevin at my.walr.us Fri Jun 3 13:00:07 2016
From: kevin at my.walr.us (KT Walrus)
Date: Fri, 3 Jun 2016 09:00:07 -0400
Subject: nginx proxy to dovecot servers
In-Reply-To: <1887E016-019D-4C38-96CE-7CA0A516854F@dovecot.fi>
References: <4CE2AF50-C230-4007-B542-19D906862278@my.walr.us> <1887E016-019D-4C38-96CE-7CA0A516854F@dovecot.fi>
Message-ID:

> btw, what is the reason for NGINX proxy anyway? Since dovecot proxy can do this for you too.

I want to do authentication using the IP that the IMAP client used to connect to the IMAP server. That is, I have 50 IPs, one for each state my users live in, so the users can only connect to the IMAP server using the domain name where their account is hosted (e.g., va.example.com for accounts in Virginia or ca.example.com for accounts in California). I figured it was fairly simple to have NGINX listen on the different IPs for the different IMAP servers and do the authentication based on the server IP that was used by the IMAP client and then route the request to the proper Dovecot backend.

I actually plan on using HAProxy to listen on each of the IPs and then proxy to an NGINX mail proxy listening on different ports (one for each proxied IP). NGINX would then have mail server sections for each port that invokes a PHP script passing in the domain name associated with the port (e.g., va.example.com). The PHP script would then use this domain name along with the user/password supplied by the mail client to do the auth check and backend dovecot server selection.

The only problem I see with using HAProxy and NGINX mail proxy is I think I will lose the client IP so the Dovecot logs won't show this IP.

Can I use Dovecot Proxy to do the same thing? Will it use 50 threads to listen on the different IPs/ports or will it only have a small set of workers to do the proxying (like NGINX)? Basically, I couldn't figure out how to use Dovecot Proxy to do authentication based on the incoming IP/port or I would use it as the Dovecot Proxy will preserve the client IPs in the logs.
Even though I'm starting with 50 IPs for state-based mail servers without having to run 50 Dovecot servers, I will eventually have over 100 region-based IPs so I need the mail server to scale easily starting with only 1 or 2 backend mail servers and scaling gradually to many hundreds of servers.

Any thoughts on how to do this with Dovecot Proxy?

Kevin

> On Jun 3, 2016, at 4:27 AM, Sami Ketola wrote:
>
>>
>> On 02 Jun 2016, at 23:07, KT Walrus wrote:
>>
>> I'm trying to understand how the nginx mail proxy and dovecot work.
>>
>> As I understand it, nginx can listen on an IP:port for IMAP connections. NGINX then can invoke a PHP script to do authorization and backend server selection.
>>
>> Does NGINX then proxy to the backend dovecot IMAP server all subsequent IMAP commands that the user's mail client requests?
>>
>> Does the backend dovecot IMAP server do its own authentication with another MySQL password lookup? Or, since NGINX has done the authentication, the password_query lookup is skipped on the dovecot server? I assume the dovecot IMAP server still needs to do a MySQL user_query lookup (to find the location of the user's mailbox on the server), but I am wondering whether the password will be checked twice, once by NGINX and a second time by dovecot IMAP.
>
> Hi,
>
> you can always skip password check on dovecot side with static passdb that accepts all passwords if you are absolutely sure that the session has been authenticated earlier. Also you could switch the session from using user password to using a master password at the proxy if NGINX supports this.
>
> btw, what is the reason for NGINX proxy anyway? Since dovecot proxy can do this for you too.
>
> Sami

From aki.tuomi at dovecot.fi Fri Jun 3 13:14:00 2016
From: aki.tuomi at dovecot.fi (Aki Tuomi)
Date: Fri, 3 Jun 2016 16:14:00 +0300
Subject: nginx proxy to dovecot servers
In-Reply-To:
References: <4CE2AF50-C230-4007-B542-19D906862278@my.walr.us> <1887E016-019D-4C38-96CE-7CA0A516854F@dovecot.fi>
Message-ID: <57518298.4000102@dovecot.fi>

On 03.06.2016 16:00, KT Walrus wrote:
>> btw, what is the reason for NGINX proxy anyway? Since dovecot proxy can do this for you too.
> I want to do authentication using the IP that the IMAP client used to connect to the IMAP server. That is, I have 50 IPs, one for each state my users live in, so the users can only connect to the IMAP server using the domain name where their account is hosted (e.g., va.example.com for accounts in Virginia or ca.example.com for accounts in California). I figured it was fairly simple to have NGINX listen on the different IPs for the different IMAP servers and do the authentication based on the server IP that was used by the IMAP client and then route the request to the proper Dovecot backend.
>
> I actually plan on using HAProxy to listen on each of the IPs and then proxy to an NGINX mail proxy listening on different ports (one for each proxied IP). NGINX would then have mail server sections for each port that invokes a PHP script passing in the domain name associated with the port (e.g., va.example.com). The PHP script would then use this domain name along with the user/password supplied by the mail client to do the auth check and backend dovecot server selection.
>
> The only problem I see with using HAProxy and NGINX mail proxy is I think I will lose the client IP so the Dovecot logs won't show this IP.
>

Dovecot supports real IP forwarding with HAproxy.

http://wiki2.dovecot.org/HAProxy

Aki

From kevin at my.walr.us Fri Jun 3 13:29:10 2016
From: kevin at my.walr.us (KT Walrus)
Date: Fri, 3 Jun 2016 09:29:10 -0400
Subject: nginx proxy to dovecot servers
In-Reply-To: <57518298.4000102@dovecot.fi>
References: <4CE2AF50-C230-4007-B542-19D906862278@my.walr.us> <1887E016-019D-4C38-96CE-7CA0A516854F@dovecot.fi> <57518298.4000102@dovecot.fi>
Message-ID:

> Dovecot supports real IP forwarding with HAproxy.

Yes. I was aware of this, but that doesn't answer my question of how to configure a Dovecot proxy to listen on many IPs/ports and do authentication based on the incoming IP/port. If I could do this without having to run 50 Dovecot proxies (one for each incoming IP/port), I would probably use the HAProxy/Dovecot Proxy solution.

Or is Dovecot proxy light-weight enough to run a 100 instances or more on a single cloud VM (limited cores/memory) with an HAProxy front-end?

> On Jun 3, 2016, at 9:14 AM, Aki Tuomi wrote:
>
> On 03.06.2016 16:00, KT Walrus wrote:
>>> btw, what is the reason for NGINX proxy anyway? Since dovecot proxy can do this for you too.
>> I want to do authentication using the IP that the IMAP client used to connect to the IMAP server. That is, I have 50 IPs, one for each state my users live in, so the users can only connect to the IMAP server using the domain name where their account is hosted (e.g., va.example.com for accounts in Virginia or ca.example.com for accounts in California). I figured it was fairly simple to have NGINX listen on the different IPs for the different IMAP servers and do the authentication based on the server IP that was used by the IMAP client and then route the request to the proper Dovecot backend.
>>
>> I actually plan on using HAProxy to listen on each of the IPs and then proxy to an NGINX mail proxy listening on different ports (one for each proxied IP). NGINX would then have mail server sections for each port that invokes a PHP script passing in the domain name associated with the port (e.g., va.example.com).
>> The PHP script would then use this domain name along with the user/password supplied by the mail client to do the auth check and backend dovecot server selection.
>>
>> The only problem I see with using HAProxy and NGINX mail proxy is I think I will lose the client IP so the Dovecot logs won't show this IP.
>>
> Dovecot supports real IP forwarding with HAproxy.
>
> http://wiki2.dovecot.org/HAProxy
>
> Aki

From rick at havokmon.com Fri Jun 3 13:31:40 2016
From: rick at havokmon.com (Rick Romero)
Date: Fri, 03 Jun 2016 08:31:40 -0500
Subject: nginx proxy to dovecot servers
In-Reply-To:
References: <4CE2AF50-C230-4007-B542-19D906862278@my.walr.us> <1887E016-019D-4C38-96CE-7CA0A516854F@dovecot.fi> <57518298.4000102@dovecot.fi>
Message-ID: <20160603083140.Horde.OwtrALM6fsf_gn6Hs6RQRQ7@www.vfemail.net>

Quoting KT Walrus :

>> Dovecot supports real IP forwarding with HAproxy.
>
> Yes. I was aware of this, but that doesn't answer my question of how to
> configure a Dovecot proxy to listen on many IPs/ports and do
> authentication based on the incoming IP/port. If I could do this without
> having to run 50 Dovecot proxies (one for each incoming IP/port), I
> would probably use the HAProxy/Dovecot Proxy solution.
>
> ?

From rick at havokmon.com Fri Jun 3 13:33:35 2016
From: rick at havokmon.com (Rick Romero)
Date: Fri, 03 Jun 2016 08:33:35 -0500
Subject: nginx proxy to dovecot servers
In-Reply-To:
References: <4CE2AF50-C230-4007-B542-19D906862278@my.walr.us> <1887E016-019D-4C38-96CE-7CA0A516854F@dovecot.fi> <57518298.4000102@dovecot.fi>
Message-ID: <20160603083335.Horde.LFGlPOiEl4hhHvTZEEoHaw1@www.vfemail.net>

Quoting KT Walrus :

>> Dovecot supports real IP forwarding with HAproxy.
>
> Yes. I was aware of this, but that doesn't answer my question of how to
> configure a Dovecot proxy to listen on many IPs/ports and do
> authentication based on the incoming IP/port. If I could do this without
> having to run 50 Dovecot proxies (one for each incoming IP/port), I
> would probably use the HAProxy/Dovecot Proxy solution.

http://wiki.dovecot.org/Variables

%l is local IP, so if your backend auth system knows who is supposed to auth where, then I'd say one instance on all IPs, and use the variable in your auth query.

Rick

From mailinglist at darac.org.uk Fri Jun 3 14:05:09 2016
From: mailinglist at darac.org.uk (Darac Marjal)
Date: Fri, 3 Jun 2016 15:05:09 +0100
Subject: dovecot-sieve help
In-Reply-To:
References:
Message-ID: <20160603140509.GA19045@darac.org.uk>

On Fri, Jun 03, 2016 at 10:59:55AM +0800, ????? | wrote:
>hi,
> I have a question hope to get everybody's help, thank you.
>I write the dovecot sieve rules, use notify:mailto. such as mailto:mymail at dovecot.org, this is ok.but i want to go to a url address,like this,mailto:"http://http://wiki.dovecot.org/".but i don't know how to do it.I hope you can help me.thanks.

In this case, you're probably best off using the "pipe" extension[1], rather than "notify". Write a script that takes the email on STDIN and performs whatever necessary HTTP commands based on that (sending an email to a HTTP URL is too generic a process. Should it be POSTed to the address? Is there a form at the address which the mail should be posted to? Should certain fields be parsed out and a complex GET request be performed? etc. Only you know how that should work)

[1] http://master.wiki.dovecot.org/Pigeonhole/Sieve/Plugins/Extprograms

--
For more information, please reread.

From ricardomachini at gmail.com Fri Jun 3 20:23:36 2016
From: ricardomachini at gmail.com (Ricardo Machini Barbosa)
Date: Fri, 3 Jun 2016 17:23:36 -0300
Subject: Doveadm HTTP API - Disconnected for inactivity
Message-ID: <064801d1bdd5$d06cf3e0$7146dba0$@gmail.com>

Hello,

I am doing some calls using doveadm http API and I noticed that when some calls took more than 5 seconds the connection is closed; this generally happens with huge mailboxes.

Is there some kind of timeout that I have to set?

For example:

# curl call

time curl -v --user doveadm:senha -H "Content-Type: application/json" -d '[["purge",{"user":"email at dominio.com.br"},"c01"]]' http://192.168.0.1:8080/doveadm/v1
* About to connect() to 192.168.0.1 port 8080 (#0)
* Trying 192.168.0.1... connected
* Connected to host (192.168.0.1) port 8080 (#0)
* Server auth using Basic with user 'doveadm'
> POST /doveadm/v1 HTTP/1.1
> Authorization: Basic XXXXXX
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: 192.168.0.1:8080
> Accept: */*
> Content-Type: application/json
> Content-Length: 69
>
* Empty reply from server
* Connection #0 to host 192.168.0.1 left intact
curl: (52) Empty reply from server
* Closing connection #0

real 0m5.432s
user 0m0.003s
sys 0m0.002s

# server log

Jun 3 17:11:09 host dovecot: doveadm(192.168.0.2): Executing command 'purge' as 'email at dominio.com.br'
Jun 3 17:11:14 host dovecot: doveadm: http-server: conn 192.168.0.2:59617 [1]: Disconnected for inactivity

Regards,

Ricardo

From aki.tuomi at dovecot.fi Sat Jun 4 06:19:19 2016
From: aki.tuomi at dovecot.fi (Aki Tuomi)
Date: Sat, 4 Jun 2016 09:19:19 +0300
Subject: Doveadm HTTP API - Disconnected for inactivity
In-Reply-To: <064801d1bdd5$d06cf3e0$7146dba0$@gmail.com>
References: <064801d1bdd5$d06cf3e0$7146dba0$@gmail.com>
Message-ID: <575272E7.7090208@dovecot.fi>

On 03.06.2016 23:23, Ricardo Machini Barbosa wrote:
> Hello,
>
> I am doing some calls using doveadm http API and I noticed that when some
> calls took more than 5 seconds the connection is closed; this generally
> happens with huge mailboxes.
>
> Is there some kind of timeout that I have to set?
>
> For example:
>
> # curl call
>
> time curl -v --user doveadm:senha -H "Content-Type: application/json" -d
> '[["purge",{"user":"email at dominio.com.br"},"c01"]]'
> http://192.168.0.1:8080/doveadm/v1
>
> * About to connect() to 192.168.0.1 port 8080 (#0)
>
> * Trying 192.168.0.1... connected
>
> * Connected to host (192.168.0.1) port 8080 (#0)
>
> * Server auth using Basic with user 'doveadm'
>
>> POST /doveadm/v1 HTTP/1.1
>> Authorization: Basic XXXXXX
>> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7
> NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
>
>> Host: 192.168.0.1:8080
>> Accept: */*
>> Content-Type: application/json
>> Content-Length: 69
> * Empty reply from server
>
> * Connection #0 to host 192.168.0.1 left intact
>
> curl: (52) Empty reply from server
>
> * Closing connection #0
>
> real 0m5.432s
>
> user 0m0.003s
>
> sys 0m0.002s
>
> # server log
>
> Jun 3 17:11:09 host dovecot: doveadm(192.168.0.2): Executing command
> 'purge' as 'email at dominio.com.br'
>
> Jun 3 17:11:14 host dovecot: doveadm: http-server: conn 192.168.0.2:59617
> [1]: Disconnected for inactivity
>
> Regards,
>
> Ricardo

There is fixed timeout, I'll take a look next week.

Aki

From patrickdk at patrickdk.com Sat Jun 4 13:53:49 2016
From: patrickdk at patrickdk.com (Patrick Domack)
Date: Sat, 04 Jun 2016 09:53:49 -0400
Subject: Blowfish hashed passwords
In-Reply-To:
References:
Message-ID: <20160604095349.Horde.4rppLfL6kAJvnYoMmQgOzsP@mail.patrickdk.com>

Quoting KT Walrus :

> (I subscribed to a daily digest for this list and can't figure out
> how to reply to a reply.)
>
> Anyway, Aki Tuomi replied to my feature request saying:
>
>> We support in latest 2.2 release
>>
>> MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN
>> CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5
>> PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA CRYPT SHA256-CRYPT
>> SHA512-CRYPT
>>
>> There is also blowfish support as BLF-CRYPT, but that requires that your
>> system supports it. CRYPT supports whatever your crypt() supports.
>>
>
> The reason I suggest building in fallback hash type support is that
> my install of Dovecot on Ubuntu 14.04 didn't support SHA512-CRYPT or
> BLF-CRYPT.
>
> If Dovecot just included the PHP .c files to make sure it can
> process Blowfish/SHA512 password hashes on all installs, it would
> greatly simplify adding Dovecot as a service for my existing user
> accounts (without forcing them to give their password for the site
> so I can generate new hashes in a form that Dovecot supports).
> SHA256-CRYPT is probably my best option for password hashing since
> it supports ROUNDS to make hash generation slower. But, I would
> rather use BLF-CRYPT so I can re-use my existing hashes for my user
> accounts.

I would love to know why your ubuntu 14.04 system doesn't support sha512-crypt.

My dovecot installs have only ever used sha512-crypt since 2008. Been using ubuntu since 7.04 with sha512-crypt, and my current systems running 14.04 and 16.04 both use sha512-crypt.

The default password hash for system user accounts in ubuntu has been sha512-crypt for a very long time now.

From help at pdscc.com Sat Jun 4 17:10:50 2016
From: help at pdscc.com (Harondel J. Sibble)
Date: Sat, 04 Jun 2016 10:10:50 -0700
Subject: sieve vacation script exclude based on sender email address
In-Reply-To: <9b3aa581-7865-96c6-792d-b987fb40cedb@rename-it.nl>
References: <20160531155031.49E415A1C81@sinclaire.sibble.net>, <9b3aa581-7865-96c6-792d-b987fb40cedb@rename-it.nl>
Message-ID: <20160604171057.419415A1C81@sinclaire.sibble.net>

On 1 Jun 2016 at 16:49, Stephan Bosch wrote:

> > I've been looking at the sieve docs and recipes, done a lot of googling but
> > no joy so far.
> >
> > Using standard vacation script and that works great, however I want to
> > exclude certain sender email addresses from ever receiving a vacation
> > autoresponse, how do I go about adding that to my existing vacation recipe.
> >
> > I suspect my search terminology is what is causing me not to find anything
> > as I typically am using exclude and similar search terms.
>
> Just use the envelope test:
>
> https://tools.ietf.org/html/rfc5228#section-5.4
>
> Regards,
>
> Stephan.

Any recommendations for example usage, the RFC doesn't really tell me how to use it so that the vacation script will not reply if the header test turns out to be true. I just want the email to be delivered without an autoresponse at that point.

--
Harondel J. Sibble
Sibble Computer Consulting Ltd.
Creating Solutions for the small and medium business computer user.
harondel at pdscc.com (use pgp keyid 0x3CC3CFCE not 0x3AD5C11D)
http://www.pdscc.com
Blog: http://www.pdscc.com/blog
(604) 739-3709 (voice)

From kevin at my.walr.us Sat Jun 4 18:28:44 2016
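The envelope test that Stephan Bosch points to, written out as a complete vacation script. This is an added example, not part of the thread; the addresses, the domain and the reply text are constructed placeholders.

```sieve
require ["envelope", "vacation"];

# Senders that must never get an auto-reply (constructed sample values).
# "envelope" tests the SMTP MAIL FROM address rather than the From: header;
# use the "address" test instead to match on the header.
if not anyof (
    # exact addresses
    envelope :is "from" ["billing@example.com", "monitor@example.net"],
    # every sender at one domain
    envelope :domain :is "from" "lists.example.org",
    # wildcard on the local part, e.g. noreply-1234@example.com
    envelope :localpart :matches "from" "noreply-*"
) {
    vacation
        :days 7
        :subject "Out of office"
        "I am away and will reply when I am back.";
}

# Nothing above files or discards mail, so for excluded senders the implicit
# keep still delivers the message to INBOX; only the auto-reply is skipped.
# Rules placed after this block keep running for every sender.
```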
From: kevin at my.walr.us (KT Walrus)
Date: Sat, 4 Jun 2016 14:28:44 -0400
Subject: Scalability of Dovecot in the Cloud
Message-ID: <46EABE42-19FC-4907-A362-6D634A56D7D6@my.walr.us>

Does anyone have any idea of how many IMAP connections a single cloud VM (4 vCores at 2.4GHz, 30GB RAM, local SSD storage - non-RAID) can be expected to handle in production. The mailboxes are fairly small (average 5MB total - 50MB max, as I don't store attachments in Dovecot except those saved through IMAP in the Sent/Drafts folders) and each user will probably have an average of 2 devices that have the mail clients configured to access each mailbox.

Can such a server handle 100,000 mailboxes (200,000 devices/clients)? Or is it more like 10,000? Or, even smaller? I can scale the cloud VM up to 32 vCores and 240GB RAM (at 8 times the price) or split the mailboxes onto multiple VMs.

The VM will also be running LMTP and other Dovecot services (I don't plan on supporting POP3 at this time). The mailboxes will be sync'd to a backup VM running Dovecot for high availability so has some load from this background activity. LMTP will not be that high a load, I think, since most messages will be delivered by at night. But, clients will have IMAP connections 24/7.

Just trying to get an idea of the cost of running a potentially huge/growing mail service in the cloud? I'm going to have to support around a million mailboxes before the site will generate significant revenue to support operations.

Kevin

From yacinechaouche at yahoo.com Sat Jun 4 20:09:06 2016
From: yacinechaouche at yahoo.com (chaouche yacine)
Date: Sat, 4 Jun 2016 20:09:06 +0000 (UTC)
Subject: Shared Mailbox?
In-Reply-To:
References:
Message-ID: <1375211327.4916432.1465070946976.JavaMail.yahoo@mail.yahoo.com>

Hello Craig,

I did this some weeks ago and documented my attempt at https://ychaouche.informatick.net/dovecotsharefolders

I hope this helps.

Yassine.

________________________________
From: Steffen Kaiser
To: craig
Cc: dovecot at dovecot.org
Sent: Friday, June 3, 2016 8:00 AM
Subject: Re: Shared Mailbox?

On Fri, 3 Jun 2016, craig wrote:

> The need:
> 1. I'd like to create a mailbox called "accounts", email would simply get
> delivered to the account via "accounts at example.com" (Maildir format)
> 2. Share this mailbox so it appears in three other accounts as an extra
> folder called "accounts"
> 3. If a user reads an email in the "accounts" folder, I'd like the other
> users to know this.

a) symlink /mail/location/accounts/Maildir to /mail/location/user1/Maildir/.accounts

that will map the INBOX only and works only if your filesystem level permissions allows the access.

b) use ACLs and a shared namespace

--
Steffen Kaiser

From pali.rohar at gmail.com Sun Jun 5 13:48:13 2016
From: pali.rohar at gmail.com (=?UTF-8?q?Pali=20Roh=C3=A1r?=)
Date: Sun, 5 Jun 2016 15:48:13 +0200
Subject: [PATCH v2 0/7] Fixes for lib-mail message-address
Message-ID: <1465134500-17695-1-git-send-email-pali.rohar@gmail.com>

Hello,

I borrowed dovecot parser for email addresses and I'm using it in my new perl module Email::Address::XS for parsing & formatting list of email addresses. That perl module is available at github [1].

During implementation and testing I found bugs in dovecot code. So I'm sending my patches (together with tests) which I'm using in my perl module.

Lot of other (normal & corner) test cases are part of that perl module [2], so if you are interested feel free to reuse them. Because writing new test cases for dovecot is hard for me, I'm not going to do it. In perl for perl modules it is a lot of easier for me.

[1] - https://github.com/pali/Email-Address-XS
[2] - https://github.com/pali/Email-Address-XS/blob/master/t/Email-Address-XS.t

Changes since v1:
* Updated description with test example
* Rebased on top of master branch

Pali Rohár (7):
  lib-mail: message_address_write: Fix generating empty group list
  lib-mail: message_address_write: Fix generating group list with empty name
  lib-mail: parse_addr_spec: Like in rfc822_skip_comment() check if last_comment is not NULL
  lib-mail: parse_addr_spec: Email address without local-part is invalid
  lib-mail: parse_mailbox: Set display name instead mailbox when parsing failed
  lib-mail: message_address_write: Quote and escape strings if needed
  lib-mail: Update tests for message address

 src/lib-mail/message-address.c      | 99 +++++++++++++++++++++++++++++++----
 src/lib-mail/test-message-address.c | 11 +++-
 2 files changed, 98 insertions(+), 12 deletions(-)

--
1.7.9.5

From pali.rohar at gmail.com Sun Jun 5 13:48:15 2016
From: pali.rohar at gmail.com (=?UTF-8?q?Pali=20Roh=C3=A1r?=) Date: Sun, 5 Jun 2016 15:48:15 +0200 Subject: [PATCH v2 2/7] lib-mail: message_address_write: Fix generating group list with empty name In-Reply-To: <1465134500-17695-1-git-send-email-pali.rohar@gmail.com> References: <1465134500-17695-1-git-send-email-pali.rohar@gmail.com> Message-ID: <1465134500-17695-3-git-send-email-pali.rohar@gmail.com> Empty name for group list must be quoted. Test case: { { name = NULL, mailbox = "", domain = NULL }, { name = NULL, mailbox = NULL, domain = NULL } } converts to: "":; --- src/lib-mail/message-address.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/lib-mail/message-address.c b/src/lib-mail/message-address.c index efa91fd..9ce4a55 100644 --- a/src/lib-mail/message-address.c +++ b/src/lib-mail/message-address.c @@ -357,8 +357,12 @@ void message_address_write(string_t *str, const struct message_address *addr) if (!in_group) { /* beginning of group. mailbox is the group name, others are NULL. */ - if (addr->mailbox != NULL) + if (addr->mailbox != NULL && *addr->mailbox != '\0') { str_append(str, addr->mailbox); + } else { + /* empty group name needs to be quoted */ + str_append(str, "\"\""); + } str_append(str, ": "); first = TRUE; } else { -- 1.7.9.5 From pali.rohar at gmail.com Sun Jun 5 13:48:18 2016 
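Review bot: in [PATCH v2 2/7], the new else branch in message_address_write() is taken when addr->mailbox is NULL as well as when it is the empty string, so a group start with a NULL mailbox now writes "": where the old code wrote only the colon. The test case in the description covers only mailbox = ""; please add the NULL case to the test, or extend the comment to say that NULL is deliberately treated as an empty name. The non-empty branch still appends addr->mailbox verbatim, so a group name containing ':' or ',' is not protected by this hunk.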
From: pali.rohar at gmail.com (=?UTF-8?q?Pali=20Roh=C3=A1r?=) Date: Sun, 5 Jun 2016 15:48:18 +0200 Subject: [PATCH v2 5/7] lib-mail: parse_mailbox: Set display name instead mailbox when parsing failed In-Reply-To: <1465134500-17695-1-git-send-email-pali.rohar@gmail.com> References: <1465134500-17695-1-git-send-email-pali.rohar@gmail.com> Message-ID: <1465134500-17695-6-git-send-email-pali.rohar@gmail.com> It does not make sense to set mailbox without domain on incorrect input. Rather set display name which is more likely useable value. Test case: test is parsed as: { name = "test", mailbox = NULL, domain = NULL } --- src/lib-mail/message-address.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/lib-mail/message-address.c b/src/lib-mail/message-address.c index 93b7c83..54d4ee1 100644 --- a/src/lib-mail/message-address.c +++ b/src/lib-mail/message-address.c @@ -205,6 +205,10 @@ static int parse_mailbox(struct message_address_parser_context *ctx) /* nope, should be addr-spec */ ctx->parser.data = start; ret = parse_addr_spec(ctx); + if (ctx->addr.invalid_syntax && !ctx->addr.name && ctx->addr.mailbox && !ctx->addr.domain) { + ctx->addr.name = ctx->addr.mailbox; + ctx->addr.mailbox = NULL; + } } if (ret < 0) -- 1.7.9.5 From pali.rohar at gmail.com Sun Jun 5 13:48:17 2016 From: pali.rohar at gmail.com (=?UTF-8?q?Pali=20Roh=C3=A1r?=) Date: Sun, 5 Jun 2016 15:48:17 +0200 Subject: [PATCH v2 4/7] lib-mail: parse_addr_spec: Email address without local-part is invalid In-Reply-To: <1465134500-17695-1-git-send-email-pali.rohar@gmail.com> References: <1465134500-17695-1-git-send-email-pali.rohar@gmail.com> Message-ID: <1465134500-17695-5-git-send-email-pali.rohar@gmail.com> Add explicit invalid_syntax flag also when end of input occure because address is without domain invalid and in this case it was not correctly propagated. --- src/lib-mail/message-address.c | 4 ++++ 1 file changed, 4 insertions(+) 
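Review bot: in [PATCH v2 5/7], the condition added after parse_addr_spec() in parse_mailbox() tests pointers by truthiness (!ctx->addr.name && ctx->addr.mailbox && !ctx->addr.domain) on a single line well over 80 columns, while the other patches in this series compare explicitly against NULL (addr->mailbox != NULL, ctx->parser.last_comment != NULL). Suggest explicit == NULL and != NULL comparisons, wrapping the condition, and a one-line comment in the code saying why the unparsed text is moved into the name field, since the reason is given only in the commit message.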
diff --git a/src/lib-mail/message-address.c b/src/lib-mail/message-address.c index 4e86185..93b7c83 100644 --- a/src/lib-mail/message-address.c +++ b/src/lib-mail/message-address.c @@ -162,6 +162,10 @@ static int parse_addr_spec(struct message_address_parser_context *ctx) str_truncate(ctx->parser.last_comment, 0); ret = parse_local_part(ctx); + if (ret <= 0) { + /* end of input or parsing local-part failed */ + ctx->addr.invalid_syntax = TRUE; + } if (ret != 0 && *ctx->parser.data == '@') { ret2 = parse_domain(ctx); if (ret2 <= 0) -- 1.7.9.5 From pali.rohar at gmail.com Sun Jun 5 13:48:14 2016 From: pali.rohar at gmail.com (=?UTF-8?q?Pali=20Roh=C3=A1r?=) Date: Sun, 5 Jun 2016 15:48:14 +0200 Subject: [PATCH v2 1/7] lib-mail: message_address_write: Fix generating empty group list In-Reply-To: <1465134500-17695-1-git-send-email-pali.rohar@gmail.com> References: <1465134500-17695-1-git-send-email-pali.rohar@gmail.com> Message-ID: <1465134500-17695-2-git-send-email-pali.rohar@gmail.com> Empty group list ends with ": " not with ", ". Test case: { { name = NULL, mailbox = "group", domain = NULL }, { name = NULL, mailbox = NULL, domain = NULL } } converts to: group:; --- src/lib-mail/message-address.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/src/lib-mail/message-address.c b/src/lib-mail/message-address.c index 36cb483..efa91fd 100644 --- a/src/lib-mail/message-address.c +++ b/src/lib-mail/message-address.c @@ -340,6 +340,7 @@ message_address_parse(pool_t pool, const unsigned char *data, size_t size, void message_address_write(string_t *str, const struct message_address *addr) { + const char *tmp; bool first = TRUE, in_group = FALSE; /* a) mailbox at domain 
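Review bot: in [PATCH v2 4/7], the check added after parse_local_part() in parse_addr_spec() sets invalid_syntax for ret <= 0 and its comment names two causes (end of input, local-part failed), but the subject line speaks of a missing local-part and the description of a missing domain. Please state in the comment which return value corresponds to which case, and add a test case to the description as the other patches in the series do; as written it is not clear whether a valid local-part followed by end of input is meant to be flagged.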
@@ -365,7 +366,12 @@ void message_address_write(string_t *str, const struct message_address *addr) i_assert(addr->mailbox == NULL); /* cut out the ", " */ - str_truncate(str, str_len(str)-2); + tmp = str_c(str)+str_len(str)-2; + i_assert((tmp[0] == ',' || tmp[0] == ':') && tmp[1] == ' '); + if (tmp[0] == ',' && tmp[1] == ' ') + str_truncate(str, str_len(str)-2); + else if (tmp[0] == ':' && tmp[1] == ' ') + str_truncate(str, str_len(str)-1); str_append_c(str, ';'); } -- 1.7.9.5 From pali.rohar at gmail.com Sun Jun 5 13:48:16 2016 From: pali.rohar at gmail.com (=?UTF-8?q?Pali=20Roh=C3=A1r?=) Date: Sun, 5 Jun 2016 15:48:16 +0200 Subject: [PATCH v2 3/7] lib-mail: parse_addr_spec: Like in rfc822_skip_comment() check if last_comment is not NULL In-Reply-To: <1465134500-17695-1-git-send-email-pali.rohar@gmail.com> References: <1465134500-17695-1-git-send-email-pali.rohar@gmail.com> Message-ID: <1465134500-17695-4-git-send-email-pali.rohar@gmail.com> This will fix possible NULL pointer dereference when caller does not set last_comment. --- src/lib-mail/message-address.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/src/lib-mail/message-address.c b/src/lib-mail/message-address.c index 9ce4a55..4e86185 100644 --- a/src/lib-mail/message-address.c +++ b/src/lib-mail/message-address.c @@ -158,7 +158,8 @@ static int parse_addr_spec(struct message_address_parser_context *ctx) /* addr-spec = local-part "@" domain */ int ret, ret2; - str_truncate(ctx->parser.last_comment, 0); + if (ctx->parser.last_comment != NULL) + str_truncate(ctx->parser.last_comment, 0); ret = parse_local_part(ctx); if (ret != 0 && *ctx->parser.data == '@') { 
@@ -167,9 +168,11 @@ static int parse_addr_spec(struct message_address_parser_context *ctx) ret = ret2; } - if (str_len(ctx->parser.last_comment) > 0) { - ctx->addr.name = - p_strdup(ctx->pool, str_c(ctx->parser.last_comment)); + if (ctx->parser.last_comment != NULL) { + if (str_len(ctx->parser.last_comment) > 0) { + ctx->addr.name = + p_strdup(ctx->pool, str_c(ctx->parser.last_comment)); + } } return ret; } -- 1.7.9.5 From pali.rohar at gmail.com Sun Jun 5 13:48:19 2016 From: pali.rohar at gmail.com (=?UTF-8?q?Pali=20Roh=C3=A1r?=) Date: Sun, 5 Jun 2016 15:48:19 +0200 Subject: [PATCH v2 6/7] lib-mail: message_address_write: Quote and escape strings if needed In-Reply-To: <1465134500-17695-1-git-send-email-pali.rohar@gmail.com> References: <1465134500-17695-1-git-send-email-pali.rohar@gmail.com> Message-ID: <1465134500-17695-7-git-send-email-pali.rohar@gmail.com> ATEXT characters must be properly quoted when are in phrase. Test case: { name = "test\"test", mailbox = "user", domain = "host" } converts to: "test\"test" --- src/lib-mail/message-address.c | 66 +++++++++++++++++++++++++++++++++++++--- 1 file changed, 62 insertions(+), 4 deletions(-) diff --git a/src/lib-mail/message-address.c b/src/lib-mail/message-address.c index 54d4ee1..7d6356c 100644 --- a/src/lib-mail/message-address.c +++ b/src/lib-mail/message-address.c @@ -2,6 +2,7 @@ #include "lib.h" #include "str.h" +#include "strescape.h" #include "message-parser.h" #include "message-address.h" #include "rfc822-parser.h" 
@@ -32,6 +33,49 @@ static void add_address(struct message_address_parser_context *ctx) ctx->last_addr = addr; } +/* quote with "" and escape all '\', '"' and "'" characters if need */ +static void str_append_maybe_escape(string_t *dest, const char *cstr, bool escape_dot) +{ + const char *p; + + /* see if we need to quote it */ + for (p = cstr; *p != '\0'; p++) { + if (!IS_ATEXT(*p) && (escape_dot || *p != '.')) + break; + } + + if (*p == '\0') { + str_append_data(dest, cstr, (size_t) (p - cstr)); + return; + } + + /* see if we need to escape it */ + for (p = cstr; *p != '\0'; p++) { + if (IS_ESCAPED_CHAR(*p)) + break; + } + + if (*p == '\0') { + /* only quote */ + str_append_c(dest, '"'); + str_append_data(dest, cstr, (size_t) (p - cstr)); + str_append_c(dest, '"'); + return; + } + + /* quote and escape */ + str_append_c(dest, '"'); + str_append_data(dest, cstr, (size_t) (p - cstr)); + + for (; *p != '\0'; p++) { + if (IS_ESCAPED_CHAR(*p)) + str_append_c(dest, '\\'); + str_append_c(dest, *p); + } + + str_append_c(dest, '"'); +} + static int parse_local_part(struct message_address_parser_context *ctx) { int ret; @@ -369,7 +413,14 @@ void message_address_write(string_t *str, const struct message_address *addr) /* beginning of group. mailbox is the group name, others are NULL. */ if (addr->mailbox != NULL && *addr->mailbox != '\0') { - str_append(str, addr->mailbox); + /* check for MIME encoded-word */ + if (strstr(addr->mailbox, "=?")) + /* MIME encoded-word MUST NOT appear within a 'quoted-string' + so escaping and quoting of phrase is not possible, instead + use obsolete RFC822 phrase syntax which allow spaces */ + str_append(str, addr->mailbox); + else + str_append_maybe_escape(str, addr->mailbox, TRUE); } else { /* empty group name needs to be quoted */ str_append(str, "\"\""); 
@@ -396,7 +447,7 @@ void message_address_write(string_t *str, const struct message_address *addr) /* no name and no route. use only mailbox at domain */ i_assert(addr->mailbox != NULL); - str_append(str, addr->mailbox); + str_append_maybe_escape(str, addr->mailbox, FALSE); str_append_c(str, '@'); str_append(str, addr->domain); } else { @@ -404,7 +455,14 @@ void message_address_write(string_t *str, const struct message_address *addr) i_assert(addr->mailbox != NULL); if (addr->name != NULL) { - str_append(str, addr->name); + /* check for MIME encoded-word */ + if (strstr(addr->name, "=?")) + /* MIME encoded-word MUST NOT appear within a 'quoted-string' + so escaping and quoting of phrase is not possible, instead + use obsolete RFC822 phrase syntax which allow spaces */ + str_append(str, addr->name); + else + str_append_maybe_escape(str, addr->name, TRUE); str_append_c(str, ' '); } str_append_c(str, '<'); @@ -412,7 +470,7 @@ void message_address_write(string_t *str, const struct message_address *addr) str_append(str, addr->route); str_append_c(str, ':'); } - str_append(str, addr->mailbox); + str_append_maybe_escape(str, addr->mailbox, FALSE); str_append_c(str, '@'); str_append(str, addr->domain); str_append_c(str, '>'); -- 1.7.9.5 From pali.rohar at gmail.com Sun Jun 5 13:48:20 2016 From: pali.rohar at gmail.com (=?UTF-8?q?Pali=20Roh=C3=A1r?=) Date: Sun, 5 Jun 2016 15:48:20 +0200 Subject: [PATCH v2 7/7] lib-mail: Update tests for message address In-Reply-To: <1465134500-17695-1-git-send-email-pali.rohar@gmail.com> References: <1465134500-17695-1-git-send-email-pali.rohar@gmail.com> Message-ID: <1465134500-17695-8-git-send-email-pali.rohar@gmail.com> --- src/lib-mail/test-message-address.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/src/lib-mail/test-message-address.c b/src/lib-mail/test-message-address.c index 9bbf29e..bf85806 100644 --- a/src/lib-mail/test-message-address.c +++ b/src/lib-mail/test-message-address.c 
@@ -20,11 +20,13 @@ static void test_message_address(void) static const char *input[] = { "user at domain", NULL, "", "user at domain", - "foo bar ", NULL, - "\"foo bar\" ", "foo bar ", + "foo bar ", "\"foo bar\" ", + "\"foo bar\" ", NULL, + "\"foo: ;,\" ", NULL, "<@route:user at domain>", NULL, "<@route at route2:user at domain>", "<@route, at route2:user at domain>", "hello <@route , at route2:user at domain>", "hello <@route, at route2:user at domain>", + "hello", NULL, "user (hello)", NULL, "hello ", NULL, "@domain", NULL @@ -40,9 +42,11 @@ static void test_message_address(void) { NULL, NULL, NULL, "user", "domain", FALSE }, { NULL, "foo bar", NULL, "user", "domain", FALSE }, { NULL, "foo bar", NULL, "user", "domain", FALSE }, + { NULL, "foo: ;,", NULL, "user", "domain", FALSE }, { NULL, NULL, "@route", "user", "domain", FALSE }, { NULL, NULL, "@route, at route2", "user", "domain", FALSE }, { NULL, "hello", "@route, at route2", "user", "domain", FALSE }, + { NULL, "hello", NULL, "", "", TRUE }, { NULL, "hello", NULL, "user", "", TRUE }, { NULL, "hello", NULL, "user", "", TRUE }, { NULL, NULL, NULL, "", "domain", TRUE } @@ -104,10 +108,13 @@ static void test_message_address(void) str_append(group, "group:;"); addr = message_address_parse(pool_datastack_create(), str_data(group), str_len(group), UINT_MAX, FALSE); + str_truncate(str, 0); + message_address_write(str, addr); test_assert(addr != NULL && cmp_addr(addr, &group_prefix)); addr = addr->next; test_assert(addr != NULL && addr->next == NULL && cmp_addr(addr, &group_suffix)); + test_assert(strcmp(str_c(str), "group:;") == 0); test_end(); } -- 1.7.9.5 From sven_roellig at yahoo.de Sun Jun 5 14:48:12 2016 
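Review bot: [PATCH v2 1/7], second hunk of message_address_write(): `tmp = str_c(str)+str_len(str)-2` is computed and dereferenced before anything checks that str holds at least two bytes, so the new i_assert itself reads before the buffer if that invariant is ever broken. Put `i_assert(str_len(str) >= 2);` ahead of the pointer arithmetic. The `tmp[1] == ' '` tests in the if/else-if repeat what the assert has just established, and the `/* cut out the ", " */` comment no longer describes the ": " branch.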
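Review bot: [PATCH v2 6/7], str_append_maybe_escape(): with escape_dot FALSE the first loop accepts every '.', so a local part with a leading, trailing or doubled dot (".user", "a..b") is written unquoted although dot-atom does not allow it; track the previous character and fall through to quoting in those cases. An empty cstr also takes the early return and writes nothing, which the group-name caller guards against but the mailbox callers do not. The header comment says "'" is escaped, while the code defers to IS_ESCAPED_CHAR, which is not defined in this patch; make the comment match the macro.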
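Review bot: [PATCH v2 6/7], message_address_write() hunks at -369 and -404: `strstr(addr->name, "=?")` (and the same test on addr->mailbox for the group name) matches any phrase that merely contains "=?", not a well-formed encoded-word, and such a phrase is then appended raw, so specials like '"', ',' or '<' in it reach the header unquoted and can change how the address list parses. Check each word for the full `=?charset?encoding?text?=` shape and send everything else through str_append_maybe_escape(). The multi-line comment sitting between the if and its unbraced body would also read better with braces.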
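Review bot: [PATCH v2 7/7], test_message_address(): none of the inputs added in the first hunk puts a '"' or '\' inside a display name, so the quote-and-escape branch of str_append_maybe_escape() from patch 6/7 is never exercised, although that commit message names `test\"test` as its test case. Add that case, plus a name containing "=?" to pin down the encoded-word path. In the last hunk the write check covers only "group:;"; a group with members would also cover the ", " truncation branch from patch 1/7.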
From: sven_roellig at yahoo.de (Sven Roellig)
Date: Sun, 5 Jun 2016 14:48:12 +0000 (UTC)
Subject: Update Kills Dovecot
References: <1323371211.8355205.1465138092274.JavaMail.yahoo.ref@mail.yahoo.com>
Message-ID: <1323371211.8355205.1465138092274.JavaMail.yahoo@mail.yahoo.com>

Hi, I run Dovecot 2.3.0 Alpha.
The last two updates broke Dovecot. In the mail.war log I got the error, on every mail:

..........de)<3+RHF1k4VFfDOwAApDKQ5A>: Fatal: master: service(lmtp): child 15299 killed with signal 6 (core dumps disabled)
Jun 5 16:39:40 director dovecot: lmtp(roellig@*******.org)<1o6JAKw5VFcPPAAApDKQ5A>: Panic: file imem.c: line 60 (i_strconcat): assertion failed: (str1 != NULL)
....dovecot: lmtp(roellig@*******.org)<1o6JAKw5VFcPPAAApDKQ5A>: Error: Raw backtrace: /usr/lib/dovecot/libdovecot.so.0(+0x8cfbe) [0x7f62fe5defbe] -> /usr/lib/dovecot/libdovecot.so.0(+0x8d0ac) [0x7f62fe5df0ac] -> /usr/lib/dovecot/libdovecot.so.0(i_fatal+0) [0x7f62fe57dd1e] -> /usr/lib/dovecot/libdovecot.so.0(i_strconcat+0x146) [0x7f62fe5e6bb6] -> /usr/lib/dovecot/libdovecot-lda.so.0(duplicate_init+0x5d) [0x7f62feba1dfd] -> /usr/lib/dovecot/libdovecot-lda.so.0(mail_deliver+0x3c) [0x7f62feba47bc] -> dovecot/lmtp(+0x6ac8) [0x7f62fefd3ac8] -> dovecot/lmtp(+0x73cf) [0x7f62fefd43cf] -> /usr/lib/dovecot/libdovecot.so.0(io_loop_call_io+0x4c) [0x7f62fe5f2ffc] -> /usr/lib/dovecot/libdovecot.so.0(io_loop_handler_run_internal+0x101) [0x7f62fe5f4461] -> /usr/lib/dovecot/libdovecot.so.0(io_loop_handler_run+0x25) [0x7f62fe5f3085] -> /usr/lib/dovecot/libdovecot.so.0(io_loop_run+0x38) [0x7f62fe5f3228] -> /usr/lib/dovecot/libdovecot.so.0(master_service_run+0x13) [0x7f62fe584273] -> dovecot/lmtp(main+0x165) [0x7f62fefd21a5] -> /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5) [0x7f62fe1c8b45] -> dovecot/lmtp(+0x5293) [0x7f62fefd2293]

The errors are from the update to dovecot-lmtpd_2%3a2.3.0~alpha0-1~auto+67_amd64.deb on Debian 8.3. In the morning there came an update to Debian 8.4 and Dovecot dovecot-lmtpd_2%3a2.3.0~alpha0-1~auto+78_amd64.deb.
Can anyone help?
Sorry for my English.
Sven

From tanstaafl at libertytrek.org Sun Jun 5 20:28:43 2016
From: tanstaafl at libertytrek.org (Tanstaafl)
Date: Sun, 5 Jun 2016 16:28:43 -0400
Subject: Multiple recipient delimiter support?
In-Reply-To:
References: <896dfd15-f0dc-2380-708d-6eee0e4a1b21@libertytrek.org>
Message-ID: <78628c25-2355-62c9-61b2-3ac8ba897986@libertytrek.org>

On 6/2/2016 3:50 PM, Tanstaafl wrote:
> On 6/2/2016 10:35 AM, Tanstaafl wrote:
>> Trying to find out if dovecot supports the use of multiple recipient
>> delimiters, as postfix does, but can't find an answer...
>
> The reason this is important is simple. I've encountered a lot of sites
> that refuse to accept an email with the '+' character in it, but every
> one of them has accepted one with a '-' sign as the delimiter, so I use
> both.

I did find the prior questions asking the same thing, and that there was
a patch (one liner?) - but apparently it was never integrated?

Timo? Any chance of incorporating this?

Here's a link to the message with the patch:

https://www.mail-archive.com/dovecot at dovecot.org/msg65308.html

From kevin at my.walr.us Sun Jun 5 23:16:51 2016
From: kevin at my.walr.us (KT Walrus)
Date: Sun, 5 Jun 2016 19:16:51 -0400
Subject: Blowfish hashed passwords
In-Reply-To: <20160604095349.Horde.4rppLfL6kAJvnYoMmQgOzsP@mail.patrickdk.com>
References: <20160604095349.Horde.4rppLfL6kAJvnYoMmQgOzsP@mail.patrickdk.com>
Message-ID: <7737C5BC-C476-47CD-85EC-BF1F2D81615D@my.walr.us>

> I would love to know why your ubuntu 14.04 system doesn't support sha512-crypt.

I just tried SHA512-CRYPT and it is supported on Ubuntu 14.04. I think I was thinking about DBMail instead of Dovecot.

I could really use support for BLF-CRYPT since my current password hashes generated by PHP are using Blowfish encryption.

Maybe, Dovecot could just add support for BLF-CRYPT by using the open source implementation of Blowfish hashing found in https://github.com/php/php-src/tree/master/ext/standard . The implementation looks like a single function to generate the hash. I'm not much of a programmer, but it would seem to me that these .c/.h files could be added to Dovecot for doing BLF-CRYPT hashing.

This would mean all installations of Dovecot going forward would support BLF-CRYPT regardless of whether the crypt libraries have Blowfish built in.

Kevin

> On Jun 4, 2016, at 9:53 AM, Patrick Domack wrote:
>
>
> Quoting KT Walrus >:
>
>> (I subscribed to a daily digest for this list and can't figure out how to reply to a reply.)
>>
>> Anyway, Aki Tuomi replied to my feature request saying:
>>
>>> We support in latest 2.2 release
>>>
>>> MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN
>>> CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5
>>> PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA CRYPT SHA256-CRYPT
>>> SHA512-CRYPT
>>>
>>> There is also blowfish support as BLF-CRYPT, but that requires that your
>>> system supports it. CRYPT supports whatever your crypt() supports.
>>>
>>
>> The reason I suggest building in fallback hash type support is that my install of Dovecot on Ubuntu 14.04 didn't support SHA512-CRYPT or BLF-CRYPT.
>>
>> If Dovecot just included the PHP .c files to make sure it can process Blowfish/SHA512 password hashes on all installs, it would greatly simplify adding Dovecot as a service for my existing user accounts (without forcing them to give their password for the site so I can generate new hashes in a form that Dovecot supports). SHA256-CRYPT is probably my best option for password hashing since it supports ROUNDS to make hash generation slower. But, I would rather use BLF-CRYPT so I can re-use my existing hashes for my user accounts.
>
> I would love to know why your ubuntu 14.04 system doesn't support sha512-crypt.
>
> My dovecot installs have only ever used sha512-crypt since 2008. Been using ubuntu since 7.04 with sha512-crypt, and my current systems running 14.04 and 16.04 both use sha512-crypt.
>
> The default password hash for system user accounts in ubuntu has been sha512-crypt for a very long time now.

From edgar at pettijohn-web.com Sun Jun 5 23:43:04 2016
From: edgar at pettijohn-web.com (Edgar Pettijohn)
Date: Sun, 5 Jun 2016 18:43:04 -0500
Subject: Blowfish hashed passwords
In-Reply-To: <7737C5BC-C476-47CD-85EC-BF1F2D81615D@my.walr.us>
References: <20160604095349.Horde.4rppLfL6kAJvnYoMmQgOzsP@mail.patrickdk.com> <7737C5BC-C476-47CD-85EC-BF1F2D81615D@my.walr.us>
Message-ID: <8533AE74-CE21-41CE-80EC-806498E2FB77@pettijohn-web.com>

Sent from my iPhone

On Jun 5, 2016, at 6:16 PM, KT Walrus wrote:

>> I would love to know why your ubuntu 14.04 system doesn't support sha512-crypt.
>
> I just tried SHA512-CRYPT and it is supported on Ubuntu 14.04. I think I was thinking about DBMail instead of Dovecot.
>
> I could really use support for BLF-CRYPT since my current password hashes generated by PHP are using Blowfish encryption.
>
> Maybe, Dovecot could just add support for BLF-CRYPT by using the open source implementation of Blowfish hashing found in https://github.com/php/php-src/tree/master/ext/standard . The implementation looks like a single function to generate the hash. I'm not much of a programmer, but it would seem to me that these .c/.h files could be added to Dovecot for doing BLF-CRYPT hashing.
>
It already does. As previously stated.

> This would mean all installations of Dovecot going forward would support BLF-CRYPT regardless of whether the crypt libraries have Blowfish built in.
>
> Kevin
>
>> On Jun 4, 2016, at 9:53 AM, Patrick Domack wrote:
>>
>>
>> Quoting KT Walrus >:
>>
>>> (I subscribed to a daily digest for this list and can't figure out how to reply to a reply.)
>>>
>>> Anyway, Aki Tuomi replied to my feature request saying:
>>>
>>>> We support in latest 2.2 release
>>>>
>>>> MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN
>>>> CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5
>>>> PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA CRYPT SHA256-CRYPT
>>>> SHA512-CRYPT
>>>>
>>>> There is also blowfish support as BLF-CRYPT, but that requires that your
>>>> system supports it. CRYPT supports whatever your crypt() supports.
>>>
>>> The reason I suggest building in fallback hash type support is that my install of Dovecot on Ubuntu 14.04 didn't support SHA512-CRYPT or BLF-CRYPT.
>>>
>>> If Dovecot just included the PHP .c files to make sure it can process Blowfish/SHA512 password hashes on all installs, it would greatly simplify adding Dovecot as a service for my existing user accounts (without forcing them to give their password for the site so I can generate new hashes in a form that Dovecot supports). SHA256-CRYPT is probably my best option for password hashing since it supports ROUNDS to make hash generation slower. But, I would rather use BLF-CRYPT so I can re-use my existing hashes for my user accounts.
>>
>> I would love to know why your ubuntu 14.04 system doesn't support sha512-crypt.
>>
>> My dovecot installs have only ever used sha512-crypt since 2008. Been using ubuntu since 7.04 with sha512-crypt, and my current systems running 14.04 and 16.04 both use sha512-crypt.
>>
>> The default password hash for system user accounts in ubuntu has been sha512-crypt for a very long time now.

From kevin at my.walr.us Mon Jun 6 00:36:35 2016
From: kevin at my.walr.us (KT Walrus)
Date: Sun, 5 Jun 2016 20:36:35 -0400
Subject: Blowfish hashed passwords
In-Reply-To: <8533AE74-CE21-41CE-80EC-806498E2FB77@pettijohn-web.com>
References: <20160604095349.Horde.4rppLfL6kAJvnYoMmQgOzsP@mail.patrickdk.com> <7737C5BC-C476-47CD-85EC-BF1F2D81615D@my.walr.us> <8533AE74-CE21-41CE-80EC-806498E2FB77@pettijohn-web.com>
Message-ID: <37DB02C2-9B4F-46AD-ACC2-4E684B7E4940@my.walr.us>

>> Maybe, Dovecot could just add support for BLF-CRYPT by using the open source implementation of Blowfish hashing found in https://github.com/php/php-src/tree/master/ext/standard . The implementation looks like a single function to generate the hash. I'm not much of a programmer, but it would seem to me that these .c/.h files could be added to Dovecot for doing BLF-CRYPT hashing.
>>
> It already does. As previously stated.

It doesn't for me. I'm building Dovecot from source (v2.2.24) in a Docker container using Ubuntu 14.04.

Does BLF-CRYPT work for you?

Maybe I'm not building Dovecot correctly. I install libssl-dev and libmysqlclient-dev and do:

$ ./configure --prefix=/usr --sysconfdir=/etc --with-mysql
$ make
$ make install

Am I missing some library/switch to enable BLF-CRYPT?

I just did a quick Google search, and it appears that Ubuntu 14.04 doesn't have support for BLF-CRYPT according to this issue:

https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1349252

Actually, now that I've researched this a bit more, it was a mistake for my PHP app to make BLF-CRYPT password hashes since SHA512-CRYPT with a high number of rounds should be just as good. If Ubuntu 16.04 didn't add support for BLF-CRYPT, I guess I will have to implement a Checkpassword script for Dovecot that might generate SHA512-CRYPT replacement hashes after successfully checking against the BLF-CRYPT hashes. I'm no Dovecot expert, but I think I can have multiple passdbs so the first passdb mysql lookup will be set to fail if it finds a BLF-CRYPT hash so the Checkpassword script would only be run once per failed mysql lookup.

Hopefully, I just missed some ./configure switch to enable BLF-CRYPT and don't have to deal with converting BLF-CRYPT to SHA512-CRYPT just for Dovecot.

Kevin

> On Jun 5, 2016, at 7:43 PM, Edgar Pettijohn wrote:
>
>
>
> Sent from my iPhone
>
> On Jun 5, 2016, at 6:16 PM, KT Walrus wrote:
>
>>> I would love to know why your ubuntu 14.04 system doesn't support sha512-crypt.
>>
>> I just tried SHA512-CRYPT and it is supported on Ubuntu 14.04. I think I was thinking about DBMail instead of Dovecot.
>>
>> I could really use support for BLF-CRYPT since my current password hashes generated by PHP are using Blowfish encryption.
>>
>> Maybe, Dovecot could just add support for BLF-CRYPT by using the open source implementation of Blowfish hashing found in https://github.com/php/php-src/tree/master/ext/standard . The implementation looks like a single function to generate the hash. I'm not much of a programmer, but it would seem to me that these .c/.h files could be added to Dovecot for doing BLF-CRYPT hashing.
>>
> It already does. As previously stated.
>
>
>> This would mean all installations of Dovecot going forward would support BLF-CRYPT regardless of whether the crypt libraries have Blowfish built in.
>>
>> Kevin
>>
>>> On Jun 4, 2016, at 9:53 AM, Patrick Domack wrote:
>>>
>>>
>>> Quoting KT Walrus >:
>>>
>>>> (I subscribed to a daily digest for this list and can't figure out how to reply to a reply.)
>>>>
>>>> Anyway, Aki Tuomi replied to my feature request saying:
>>>>
>>>>> We support in latest 2.2 release
>>>>>
>>>>> MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN
>>>>> CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5
>>>>> PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA CRYPT SHA256-CRYPT
>>>>> SHA512-CRYPT
>>>>>
>>>>> There is also blowfish support as BLF-CRYPT, but that requires that your
>>>>> system supports it. CRYPT supports whatever your crypt() supports.
>>>>
>>>> The reason I suggest building in fallback hash type support is that my install of Dovecot on Ubuntu 14.04 didn't support SHA512-CRYPT or BLF-CRYPT.
>>>>
>>>> If Dovecot just included the PHP .c files to make sure it can process Blowfish/SHA512 password hashes on all installs, it would greatly simplify adding Dovecot as a service for my existing user accounts (without forcing them to give their password for the site so I can generate new hashes in a form that Dovecot supports). SHA256-CRYPT is probably my best option for password hashing since it supports ROUNDS to make hash generation slower. But, I would rather use BLF-CRYPT so I can re-use my existing hashes for my user accounts.
>>>
>>> I would love to know why your ubuntu 14.04 system doesn't support sha512-crypt.
>>>
>>> My dovecot installs have only ever used sha512-crypt since 2008. Been using ubuntu since 7.04 with sha512-crypt, and my current systems running 14.04 and 16.04 both use sha512-crypt.
>>>
>>> The default password hash for system user accounts in ubuntu has been sha512-crypt for a very long time now.

From edgar at pettijohn-web.com Mon Jun 6 00:54:11 2016
From: edgar at pettijohn-web.com (Edgar Pettijohn)
Date: Sun, 5 Jun 2016 19:54:11 -0500
Subject: Blowfish hashed passwords
In-Reply-To: <37DB02C2-9B4F-46AD-ACC2-4E684B7E4940@my.walr.us>
References: <20160604095349.Horde.4rppLfL6kAJvnYoMmQgOzsP@mail.patrickdk.com> <7737C5BC-C476-47CD-85EC-BF1F2D81615D@my.walr.us> <8533AE74-CE21-41CE-80EC-806498E2FB77@pettijohn-web.com> <37DB02C2-9B4F-46AD-ACC2-4E684B7E4940@my.walr.us>
Message-ID: <20160606005411.GA85734@thinkpad.my.domain>

On 16-06-05 20:36:35, KT Walrus wrote:
> >> Maybe, Dovecot could just add support for BLF-CRYPT by using the open source implementation of Blowfish hashing found in https://github.com/php/php-src/tree/master/ext/standard . The implementation looks like a single function to generate the hash. I'm not much of a programmer, but it would seem to me that these .c/.h files could be added to Dovecot for doing BLF-CRYPT hashing.
> >>
> > It already does. As previously stated.
>
> It doesn't for me. I'm building Dovecot from source (v2.2.24) in a Docker container using Ubuntu 14.04.
>
> Does BLF-CRYPT work for you?

Yes, but I don't use ubuntu.

>
> Maybe I'm not building Dovecot correctly. I install libssl-dev and libmysqlclient-dev and do:
>
> $ ./configure --prefix=/usr --sysconfdir=/etc --with-mysql
> $ make
> $ make install
>
> Am I missing some library/switch to enable BLF-CRYPT?

Does your libc support it?

$ man crypt || $ man bcrypt

>
> I just did a quick Google search, and it appears that Ubuntu 14.04 doesn't have support for BLF-CRYPT according to this issue:
>
> https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1349252
>
> Actually, now that I've researched this a bit more, it was a mistake for my PHP app to make BLF-CRYPT password hashes since SHA512-CRYPT with a high number of rounds should be just as good. If Ubuntu 16.04 didn't add support for BLF-CRYPT, I guess I will have to implement a Checkpassword script for Dovecot that might generate SHA512-CRYPT replacement hashes after successfully checking against the BLF-CRYPT hashes. I'm no Dovecot expert, but I think I can have multiple passdbs so the first passdb mysql lookup will be set to fail if it finds a BLF-CRYPT hash so the Checkpassword script would only be run once per failed mysql lookup.
>

Changing your php app will probably be the easiest solution.

> Hopefully, I just missed some ./configure switch to enable BLF-CRYPT and don't have to deal with converting BLF-CRYPT to SHA512-CRYPT just for Dovecot.
>
> Kevin
>
>
> > On Jun 5, 2016, at 7:43 PM, Edgar Pettijohn wrote:
> >
> >
> >
> > Sent from my iPhone
> >
> > On Jun 5, 2016, at 6:16 PM, KT Walrus wrote:
> >
> >>> I would love to know why your ubuntu 14.04 system doesn't support sha512-crypt.
> >>
> >> I just tried SHA512-CRYPT and it is supported on Ubuntu 14.04. I think I was thinking about DBMail instead of Dovecot.
> >>
> >> I could really use support for BLF-CRYPT since my current password hashes generated by PHP are using Blowfish encryption.
> >>
> >> Maybe, Dovecot could just add support for BLF-CRYPT by using the open source implementation of Blowfish hashing found in https://github.com/php/php-src/tree/master/ext/standard . The implementation looks like a single function to generate the hash. I'm not much of a programmer, but it would seem to me that these .c/.h files could be added to Dovecot for doing BLF-CRYPT hashing.
> >>
> > It already does. As previously stated.
> >
> >
> >> This would mean all installations of Dovecot going forward would support BLF-CRYPT regardless of whether the crypt libraries have Blowfish built in.
> >>
> >> Kevin
> >>
> >>> On Jun 4, 2016, at 9:53 AM, Patrick Domack wrote:
> >>>
> >>>
> >>> Quoting KT Walrus >:
> >>>
> >>>> (I subscribed to a daily digest for this list and can't figure out how to reply to a reply.)
> >>>>
> >>>> Anyway, Aki Tuomi replied to my feature request saying:
> >>>>
> >>>>> We support in latest 2.2 release
> >>>>>
> >>>>> MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN
> >>>>> CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5
> >>>>> PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA CRYPT SHA256-CRYPT
> >>>>> SHA512-CRYPT
> >>>>>
> >>>>> There is also blowfish support as BLF-CRYPT, but that requires that your
> >>>>> system supports it. CRYPT supports whatever your crypt() supports.
> >>>>
> >>>> The reason I suggest building in fallback hash type support is that my install of Dovecot on Ubuntu 14.04 didn't support SHA512-CRYPT or BLF-CRYPT.
> >>>>
> >>>> If Dovecot just included the PHP .c files to make sure it can process Blowfish/SHA512 password hashes on all installs, it would greatly simplify adding Dovecot as a service for my existing user accounts (without forcing them to give their password for the site so I can generate new hashes in a form that Dovecot supports). SHA256-CRYPT is probably my best option for password hashing since it supports ROUNDS to make hash generation slower. But, I would rather use BLF-CRYPT so I can re-use my existing hashes for my user accounts.
> >>>
> >>> I would love to know why your ubuntu 14.04 system doesn't support sha512-crypt.
> >>>
> >>> My dovecot installs have only ever used sha512-crypt since 2008. Been using ubuntu since 7.04 with sha512-crypt, and my current systems running 14.04 and 16.04 both use sha512-crypt.
> >>>
> >>> The default password hash for system user accounts in ubuntu has been sha512-crypt for a very long time now.

--
Edgar Pettijohn

From aki.tuomi at dovecot.fi Mon Jun 6 05:16:36 2016
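The question in the message above ("Does your libc support it?") can be answered by calling crypt() itself rather than reading the man page. The following is an added example, not code from any message in this thread or from Dovecot: it calls the system crypt() through ctypes with one constructed salt per scheme and reports which ones the libc really hashes. The salts, the test password and the function names are assumptions made for the illustration, and a POSIX system is assumed.

```python
"""Probe which password-hash methods the local crypt(3) really supports.

Added example. Salts and password are constructed test values, not
credentials. Assumes a POSIX system with crypt() in libcrypt or libc.
"""
import ctypes
import ctypes.util

# Dovecot scheme name -> crypt(3) setting (method prefix + constructed salt).
SETTINGS = {
    "MD5-CRYPT": "$1$saltsalt$",
    "SHA256-CRYPT": "$5$saltsalt$",
    "SHA512-CRYPT": "$6$saltsalt$",
    # PHP's password_hash() writes bcrypt hashes with the $2y$ prefix.
    "BLF-CRYPT": "$2y$05$CCCCCCCCCCCCCCCCCCCCC.",
}


def load_crypt():
    """Return the C crypt() function, or None when it cannot be located."""
    # Try libcrypt first, then the symbols already loaded in this process.
    for lib in (ctypes.util.find_library("crypt"), None):
        try:
            fn = ctypes.CDLL(lib).crypt
        except (OSError, AttributeError, TypeError):
            continue
        fn.restype = ctypes.c_char_p
        fn.argtypes = [ctypes.c_char_p, ctypes.c_char_p]
        return fn
    return None


def is_real_hash(out, setting):
    """Decide whether crypt() hashed with the method that was asked for.

    An unsupported method shows up as NULL (None here), as a failure token
    that starts with '*', or as output that lacks the requested '$id$'
    prefix. Only output that extends the setting counts as support.
    """
    if out is None:
        return False
    text = out.decode("ascii", "replace") if isinstance(out, bytes) else out
    if text.startswith("*"):
        return False
    prefix = setting[: setting.index("$", 1) + 1]  # '$2y$', '$6$', ...
    return text.startswith(prefix) and len(text) > len(setting)


def probe(crypt_fn=None, password=b"constructed-test-password"):
    """Return {scheme: bool} for every entry in SETTINGS."""
    if crypt_fn is None:
        crypt_fn = load_crypt()
    results = {}
    for scheme, setting in SETTINGS.items():
        if crypt_fn is None:
            results[scheme] = False
            continue
        out = crypt_fn(password, setting.encode("ascii"))
        results[scheme] = is_real_hash(out, setting)
    return results


if __name__ == "__main__":
    for scheme, ok in probe().items():
        state = "supported" if ok else "NOT supported"
        print(f"{scheme:13s} {state} by this system's crypt()")
```

Run it inside the same container image that Dovecot is built in, since that is the libc whose crypt() decides whether BLF-CRYPT verification works.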
From: aki.tuomi at dovecot.fi (Aki Tuomi)
Date: Mon, 6 Jun 2016 08:16:36 +0300
Subject: Update Kills Dovecot
In-Reply-To: <1323371211.8355205.1465138092274.JavaMail.yahoo@mail.yahoo.com>
References: <1323371211.8355205.1465138092274.JavaMail.yahoo.ref@mail.yahoo.com> <1323371211.8355205.1465138092274.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <57550734.4090406@dovecot.fi>

On 05.06.2016 17:48, Sven Roellig wrote:
> Hi,i run Dovecot 2.3.0 Alpha
> The last two Updates broken dovecot.in the mail.war log i became the error, on every mail,
> ..........de)<3+RHF1k4VFfDOwAApDKQ5A>: Fatal: master: service(lmtp): child 15299 killed with signal 6 (core dumps disabled)
> Jun 5 16:39:40 director dovecot: lmtp(roellig@*******.org)<1o6JAKw5VFcPPAAApDKQ5A>: Panic: file imem.c: line 60 (i_strconcat): assertion failed: (str1 != NULL)
> ....dovecot: lmtp(roellig@*******.org)<1o6JAKw5VFcPPAAApDKQ5A>: Error: Raw backtrace: /usr/lib/dovecot/libdovecot.so.0(+0x8cfbe) [0x7f62fe5defbe] -> /usr/lib/dovecot/libdovecot.so.0(+0x8d0ac) [0x7f62fe5df0ac] -> /usr/lib/dovecot/libdovecot.so.0(i_fatal+0) [0x7f62fe57dd1e] -> /usr/lib/dovecot/libdovecot.so.0(i_strconcat+0x146) [0x7f62fe5e6bb6] -> /usr/lib/dovecot/libdovecot-lda.so.0(duplicate_init+0x5d) [0x7f62feba1dfd] -> /usr/lib/dovecot/libdovecot-lda.so.0(mail_deliver+0x3c) [0x7f62feba47bc] -> dovecot/lmtp(+0x6ac8) [0x7f62fefd3ac8] -> dovecot/lmtp(+0x73cf) [0x7f62fefd43cf] -> /usr/lib/dovecot/libdovecot.so.0(io_loop_call_io+0x4c) [0x7f62fe5f2ffc] -> /usr/lib/dovecot/libdovecot.so.0(io_loop_handler_run_internal+0x101) [0x7f62fe5f4461] -> /usr/lib/dovecot/libdovecot.so.0(io_loop_handler_run+0x25) [0x7f62fe5f3085] -> /usr/lib/dovecot/libdovecot.so.0(io_loop_run+0x38) [0x7f62fe5f3228] -> /usr/lib/dovecot/libdovecot.so.0(master_service_run+0x13) [0x7f62fe584273] -> dovecot/lmtp(main+0x165) [0x7f62fefd21a5] -> /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5) [0x7f62fe1c8b45] -> dovecot/lmtp(+0x5293) [0x7f62fefd2293]
>
> the errors is from update to dovecot-lmtpd_2%3a2.3.0~alpha0-1~auto+67_amd64.deb on debian 8.3on the morning it came an update to debian 8.4 an dovecot dovecot-lmtpd_2%3a2.3.0~alpha0-1~auto+78_amd64.deb
> can anyone help
> Sorry for my english.
> Sven
>
>

Could you include doveconf -n and if possible gdb output with bt full? Would make it a lot easier to debug this.

Aki

From mail at tomsommer.dk Mon Jun 6 06:24:04 2016
From: mail at tomsommer.dk (Tom Sommer)
Date: Mon, 06 Jun 2016 08:24:04 +0200
Subject: Multiple recipient delimiter support?
In-Reply-To: <78628c25-2355-62c9-61b2-3ac8ba897986@libertytrek.org>
References: <896dfd15-f0dc-2380-708d-6eee0e4a1b21@libertytrek.org> <78628c25-2355-62c9-61b2-3ac8ba897986@libertytrek.org>
Message-ID:

On 2016-06-05 22:28, Tanstaafl wrote:
> On 6/2/2016 3:50 PM, Tanstaafl wrote:
>> On 6/2/2016 10:35 AM, Tanstaafl wrote:
>>> Trying to find out if dovecot supports the use of multiple recipient
>>> delimiters, as postfix does, but can't find an answer...
>>
>> The reason this is important is simple. I've encountered a lot of sites
>> that refuse to accept an email with the '+' character in it, but every
>> one of them has accepted one with a '-' sign as the delimiter, so I use
>> both.
>
> I did find the prior questions asking the same thing, and that there was
> a patch (one liner?) - but apparently it was never integrated?
>
> Timo? Any chance of incorporating this?
>
> Here's a link to the message with the patch:
>
> https://www.mail-archive.com/dovecot at dovecot.org/msg65308.html

https://github.com/dovecot/core/commit/972c9172e9e6a0fc6053efb3d2ee9d354b67727f

From kevin at my.walr.us Mon Jun 6 13:36:51 2016
From: kevin at my.walr.us (KT Walrus)
Date: Mon, 6 Jun 2016 09:36:51 -0400
Subject: Blowfish hashed passwords
In-Reply-To: <20160606005411.GA85734@thinkpad.my.domain>
References: <20160604095349.Horde.4rppLfL6kAJvnYoMmQgOzsP@mail.patrickdk.com> <7737C5BC-C476-47CD-85EC-BF1F2D81615D@my.walr.us> <8533AE74-CE21-41CE-80EC-806498E2FB77@pettijohn-web.com> <37DB02C2-9B4F-46AD-ACC2-4E684B7E4940@my.walr.us> <20160606005411.GA85734@thinkpad.my.domain>
Message-ID: <1392F740-943D-4CEE-A3CC-2D52F839065D@my.walr.us>

> Changing your php app will probably be the easiest solution.

Since I'm using Docker, the easiest solution for me is to find a linux distro that can run Dovecot well and supports BLF-CRYPT as well.

What Linux distros support BLF-CRYPT and are well tested and secure?

> On Jun 5, 2016, at 8:54 PM, Edgar Pettijohn wrote:
>
> On 16-06-05 20:36:35, KT Walrus wrote:
>>>> Maybe, Dovecot could just add support for BLF-CRYPT by using the open source implementation of Blowfish hashing found in https://github.com/php/php-src/tree/master/ext/standard . The implementation looks like a single function to generate the hash. I'm not much of a programmer, but it would seem to me that these .c/.h files could be added to Dovecot for doing BLF-CRYPT hashing.
>>>>
>>> It already does. As previously stated.
>>
>> It doesn't for me. I'm building Dovecot from source (v2.2.24) in a Docker container using Ubuntu 14.04.
>>
>> Does BLF-CRYPT work for you?
>
> Yes, but I don't use ubuntu.
>
>>
>> Maybe I'm not building Dovecot correctly. I install libssl-dev and libmysqlclient-dev and do:
>>
>> $ ./configure --prefix=/usr --sysconfdir=/etc --with-mysql
>> $ make
>> $ make install
>>
>> Am I missing some library/switch to enable BLF-CRYPT?
>
> Does your libc support it?
>
> $ man crypt || $ man bcrypt
>
>>
>> I just did a quick Google search, and it appears that Ubuntu 14.04 doesn't have support for BLF-CRYPT according to this issue:
>>
>> https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1349252
>
>>
>> Actually, now that I've researched this a bit more, it was a mistake for my PHP app to make BLF-CRYPT password hashes since SHA512-CRYPT with a high number of rounds should be just as good. If Ubuntu 16.04 didn't add support for BLF-CRYPT, I guess I will have to implement a Checkpassword script for Dovecot that might generate SHA512-CRYPT replacement hashes after successfully checking against the BLF-CRYPT hashes. I'm no Dovecot expert, but I think I can have multiple passdbs so the first passdb mysql lookup will be set to fail if it finds a BLF-CRYPT hash so the Checkpassword script would only be run once per failed mysql lookup.
>>
>
> Changing your php app will probably be the easiest solution.
>
>> Hopefully, I just missed some ./configure switch to enable BLF-CRYPT and don't have to deal with converting BLF-CRYPT to SHA512-CRYPT just for Dovecot.
>>
>> Kevin
>>
>>
>>> On Jun 5, 2016, at 7:43 PM, Edgar Pettijohn wrote:
>>>
>>> Sent from my iPhone
>>>
>>> On Jun 5, 2016, at 6:16 PM, KT Walrus wrote:
>>>
>>>>> I would love to know why your ubuntu 14.04 system doesn't support sha512-crypt.
>>>>
>>>> I just tried SHA512-CRYPT and it is supported on Ubuntu 14.04. I think I was thinking about DBMail instead of Dovecot.
>>>>
>>>> I could really use support for BLF-CRYPT since my current password hashes generated by PHP are using Blowfish encryption.
>>>>
>>>> Maybe, Dovecot could just add support for BLF-CRYPT by using the open source implementation of Blowfish hashing found in https://github.com/php/php-src/tree/master/ext/standard . The implementation looks like a single function to generate the hash. I'm not much of a programmer, but it would seem to me that these .c/.h files could be added to Dovecot for doing BLF-CRYPT hashing.
>>>>
>>> It already does. As previously stated.
>>>
>>>
>>>> This would mean all installations of Dovecot going forward would support BLF-CRYPT regardless of whether the crypt libraries have Blowfish built in.
>>>>
>>>> Kevin
>>>>
>>>>> On Jun 4, 2016, at 9:53 AM, Patrick Domack wrote:
>>>>>
>>>>>
>>>>> Quoting KT Walrus >:
>>>>>
>>>>>> (I subscribed to a daily digest for this list and can't figure out how to reply to a reply.)
>>>>>>
>>>>>> Anyway, Aki Tuomi replied to my feature request saying:
>>>>>>
>>>>>>> We support in latest 2.2 release
>>>>>>>
>>>>>>> MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN
>>>>>>> CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5
>>>>>>> PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA CRYPT SHA256-CRYPT
>>>>>>> SHA512-CRYPT
>>>>>>>
>>>>>>> There is also blowfish support as BLF-CRYPT, but that requires that your
>>>>>>> system supports it. CRYPT supports whatever your crypt() supports.
>>>>>>
>>>>>> The reason I suggest building in fallback hash type support is that my install of Dovecot on Ubuntu 14.04 didn't support SHA512-CRYPT or BLF-CRYPT.
>>>>>>
>>>>>> If Dovecot just included the PHP .c files to make sure it can process Blowfish/SHA512 password hashes on all installs, it would greatly simplify adding Dovecot as a service for my existing user accounts (without forcing them to give their password for the site so I can generate new hashes in a form that Dovecot supports). SHA256-CRYPT is probably my best option for password hashing since it supports ROUNDS to make hash generation slower. But, I would rather use BLF-CRYPT so I can re-use my existing hashes for my user accounts.
>>>>>
>>>>> I would love to know why your ubuntu 14.04 system doesn't support sha512-crypt.
>>>>>
>>>>> My dovecot installs have only ever used sha512-crypt since 2008. Been using ubuntu since 7.04 with sha512-crypt, and my current systems running 14.04 and 16.04 both use sha512-crypt.
>>>>>
>>>>> The default password hash for system user accounts in ubuntu has been sha512-crypt for a very long time now.
>
> --
> Edgar Pettijohn

From pch at myzel.net Mon Jun 6 23:17:43 2016
From: pch at myzel.net (Peter Chiochetti)
Date: Tue, 7 Jun 2016 01:17:43 +0200
Subject: Blowfish hashed passwords
In-Reply-To: <1392F740-943D-4CEE-A3CC-2D52F839065D@my.walr.us>
References: <20160604095349.Horde.4rppLfL6kAJvnYoMmQgOzsP@mail.patrickdk.com> <7737C5BC-C476-47CD-85EC-BF1F2D81615D@my.walr.us> <8533AE74-CE21-41CE-80EC-806498E2FB77@pettijohn-web.com> <37DB02C2-9B4F-46AD-ACC2-4E684B7E4940@my.walr.us> <20160606005411.GA85734@thinkpad.my.domain> <1392F740-943D-4CEE-A3CC-2D52F839065D@my.walr.us>
Message-ID: <57560497.6090409@myzel.net>

On 2016-06-06 at 15:36, KT Walrus wrote:
>
> Since I'm using Docker, the easiest solution for me is to find a linux distro that can run Dovecot well and supports BLF-CRYPT as well.
>
> What Linux distros support BLF-CRYPT and are well tested and secure?
>

As you are running Ubuntu 14.04 now - I suppose most all Linux distros are as well tested as this.

For both tested and secure, you may choose openbsd? Don't know if Docker does this though -- nevertheless, I guess docker probably rules out anything secure...

--
peter

From tss at iki.fi Tue Jun 7 00:07:29 2016
From: tss at iki.fi (Timo Sirainen)
Date: Tue, 7 Jun 2016 03:07:29 +0300
Subject: Update Kills Dovecot
In-Reply-To: <1323371211.8355205.1465138092274.JavaMail.yahoo@mail.yahoo.com>
References: <1323371211.8355205.1465138092274.JavaMail.yahoo.ref@mail.yahoo.com> <1323371211.8355205.1465138092274.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <2083466E-A07A-481A-8F0E-F175E4856336@iki.fi>

> On 05 Jun 2016, at 17:48, Sven Roellig wrote:
>
> Hi,i run Dovecot 2.3.0 Alpha
> The last two Updates broken dovecot.in the mail.war log i became the error, on every mail,
> ..........de)<3+RHF1k4VFfDOwAApDKQ5A>: Fatal: master: service(lmtp): child 15299 killed with signal 6 (core dumps disabled)
> Jun 5 16:39:40 director dovecot: lmtp(roellig@*******.org)<1o6JAKw5VFcPPAAApDKQ5A>: Panic: file imem.c: line 60 (i_strconcat): assertion failed: (str1 != NULL)
..
> (duplicate_init+0x5d)

Thanks, fixed: https://github.com/dovecot/core/commit/759871175771fb122620949190ee3b40cc955695

BTW. You should have a home directory set: http://wiki2.dovecot.org/VirtualUsers/Home

From edwinh at earthcaretech.com.au Tue Jun 7 00:22:06 2016
From: edwinh at earthcaretech.com.au (Edwin Humphries)
Date: Tue, 7 Jun 2016 10:22:06 +1000
Subject: Can't delete emails from or write replies to Inbox
Message-ID: <575613AE.2080905@earthcaretech.com.au>

Hi,

I'm running Dovecot and Thunderbird, with 2 separate accounts (business and personal). One operates fine, but the other one won't allow me to write replies to the Inbox (so that I can track current threads), and if I move emails to another folder, it copies them instead. New emails do appear in the Inbox.

I've checked the permissions on the two Inboxes, and they are the same (except for the owner name).

I've tried compacting the problem Inbox, but that hasn't changed things.

Edwin

From kevin at my.walr.us Tue Jun 7 01:03:03 2016
From: kevin at my.walr.us (KT Walrus)
Date: Mon, 6 Jun 2016 21:03:03 -0400
Subject: Blowfish hashed passwords
In-Reply-To: <57560497.6090409@myzel.net>
References: <20160604095349.Horde.4rppLfL6kAJvnYoMmQgOzsP@mail.patrickdk.com> <7737C5BC-C476-47CD-85EC-BF1F2D81615D@my.walr.us> <8533AE74-CE21-41CE-80EC-806498E2FB77@pettijohn-web.com> <37DB02C2-9B4F-46AD-ACC2-4E684B7E4940@my.walr.us> <20160606005411.GA85734@thinkpad.my.domain> <1392F740-943D-4CEE-A3CC-2D52F839065D@my.walr.us> <57560497.6090409@myzel.net>
Message-ID: <79054EB0-5F65-4CBB-A95C-4F2391C78467@my.walr.us>

I don't understand your reply. I am running Ubuntu 14.04 in Docker image now, but there is no support for BLF-CRYPT in 14.04.

As for openbsd, Docker images can be based on any Linux distro that is available in the Docker Hub. OpenBSD is not a Linux distro and I would have to run it inside a VM which isn't acceptable.

See https://hub.docker.com/explore/ for a list of Official Repos that are suitable to use as base images for building Dovecot such as ubuntu, debian, centos, alpine, oraclelinux, opensuse, etc.

I suspect that most glibc crypt() implementations don't support BLF-CRYPT and that is one reason that PHP includes fallback BLF-CRYPT function so PHP users can generate Blowfish password hashes without worrying whether PHP is running on Linux or not.

Kevin

> On Jun 6, 2016, at 7:17 PM, Peter Chiochetti wrote:
>
> On 2016-06-06 at 15:36, KT Walrus wrote:
>>
>> Since I'm using Docker, the easiest solution for me is to find a linux distro that can run Dovecot well and supports BLF-CRYPT as well.
>>
>> What Linux distros support BLF-CRYPT and are well tested and secure?
>>
>
> As you are running Ubuntu 14.04 now - I suppose most all Linux distros are as well tested as this.
>
> For both tested and secure, you may choose openbsd? Don't know if Docker does this though -- nevertheless, I guess docker probably rules out anything secure...
>
> --
> peter

From rrosenfeld at netcologne.de Tue Jun 7 08:20:51 2016
From: rrosenfeld at netcologne.de (Roland Rosenfeld)
Date: Tue, 7 Jun 2016 10:20:51 +0200
Subject: segfault in IMAP APPEND with compressed maildir
Message-ID: <20160607082051.GA18611@sys-241.netcologne.de>

Hi!

After upgrading from Debian wheezy with (self compiled) dovecot 2.2.15 to Debian jessie with (self compiled) 2.2.24, I observe the following segmentation fault in the logs:

Jun 7 09:23:09 imap dovecot: imap(user at example.com): Error: read() failed: read(size=8003) failed: Connection reset by peer (uid=0, box=trash)
Jun 7 09:23:09 imap dovecot: imap(user at example.com): Error: zlib.read(/srv/mailstore/user at example.com/mail/.trash/tmp/1465283884.M336492P22902.imap): unexpected EOF at 88001
Jun 7 09:23:09 imap dovecot: imap(user at example.com): Error: read(zlib(/srv/mailstore/user at example.com/mail/.trash/tmp/1465283884.M336492P22902.imap)) failed: read(/srv/mailstore/user at example.com/mail/.trash/tmp/1465283884.M336492P22902.imap) failed: zlib.read(/srv/mailstore/user at example.com/mail/.trash/tmp/1465283884.M336492P22902.imap): unexpected EOF at 88001 (uid=0, box=trash)
Jun 7 09:23:09 imap dovecot: imap(user at example.com): Fatal: master: service(imap): child 22902 killed with signal 11 (core dumped)

We also observed the same (rare) error in the past on the old system. But on the old system, there were only the first 3 lines without the segmentation fault, so we ignored the issue until now.

The problem always happens on IMAP folders where the client writes to, like "trash", "drafts", "sent" and the like.

I wasn't able to actively reproduce this issue, but can only observe in the logs that some customers run into this issue from time to time.

So all I have is a core dump with the following backtrace:

Core was generated by `dovecot/imap'.
Program terminated with signal SIGSEGV, Segmentation fault.
(gdb) bt full
#0 0x00007f57e276f29f in i_stream_default_get_size (stream=0x1fd2790, exact=, size_r=0x7ffed3839718) at istream.c:807
No locals.
#1 0x00007f57e17024e4 in zlib_mail_close (_mail=0x1fd4de0) at zlib-plugin.c:170
        mail = 0x1fd4de0
        zmail = 0x1fd5398
        zuser = 0x1fbd040
        cache = 0x1fbd050
        size = 33201320
#2 0x00007f57e2a2a8b9 in mailbox_save_cancel (_ctx=_ctx at entry=0x1fc4d48) at mail-storage.c:2117
        ctx = 0x1fd3dd0
        keywords = 0x0
        mail =
        __FUNCTION__ = "mailbox_save_cancel"
#3 0x000000000040c759 in cmd_append_finish (ctx=0x1fc4cf0) at cmd-append.c:149
        __FUNCTION__ = "cmd_append_finish"
#4 0x000000000040c835 in client_input_append (cmd=0x1fc4bc0) at cmd-append.c:89
        ctx =
        client = 0x1fc3fc0
        reason = 0x1f9e0b8 "Disconnected in APPEND (1 msgs, 306 secs, 188416/1122858 bytes)"
        finished =
        lit_offset =
        __FUNCTION__ = "client_input_append"
#5 0x00007f57e2778dcc in io_loop_call_io (io=0x1fc4ad0) at ioloop.c:564
        ioloop = 0x1fa6750
        t_id = 2
        __FUNCTION__ = "io_loop_call_io"
#6 0x00007f57e277a0f1 in io_loop_handler_run_internal (ioloop=ioloop at entry=0x1fa6750) at ioloop-epoll.c:220
        ctx = 0x1fa8260
        io =
        tv = {tv_sec = 1799, tv_usec = 997118}
        events_count =
        msecs =
        ret = 1
        i = 0
        j =
        call =
        __FUNCTION__ = "io_loop_handler_run_internal"
#7 0x00007f57e2778e55 in io_loop_handler_run (ioloop=ioloop at entry=0x1fa6750) at ioloop.c:612
No locals.
#8 0x00007f57e2778ff8 in io_loop_run (ioloop=0x1fa6750) at ioloop.c:588
        __FUNCTION__ = "io_loop_run"
#9 0x00007f57e2713713 in master_service_run (service=0x1fa65f0, callback=callback at entry=0x423a20 ) at master-service.c:640
No locals.
#10 0x000000000040c427 in main (argc=1, argv=0x1fa6390) at main.c:460
        set_roots = {0x42c480 , 0x635440 , 0x0}
        login_set = {auth_socket_path = 0x1f9e048 "ailed: Connection reset by peer", postlogin_socket_path = 0x0, postlogin_timeout_secs = 60,
          callback = 0x424170 , failure_callback = 0x423b30 , request_auth_token = 1}
        service_flags =
        storage_service_flags =
        username = 0x0
        auth_socket_path = 0x42d42e "auth-master"
        c =

This is on a server, which uses compressed maildir on a NFS storage.

Here's dovecot -n output:

# 2.2.24 (a82c823): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.14 (099a97c)
# OS: Linux 3.16.0-4-amd64 x86_64 Debian 8.4
auth_cache_negative_ttl = 5 mins
auth_cache_size = 100 M
auth_cache_ttl = 15 mins
auth_default_realm = example.com
auth_master_user_separator = *
auth_mechanisms = plain login
auth_verbose = yes
dict {
  acl = mysql:/etc/dovecot/dovecot-dict-sql.conf
}
disable_plaintext_auth = no
listen = *
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_fsync = always
mail_gid = 999
mail_location = maildir:~/mail
mail_plugins = acl quota zlib
mail_uid = 999
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapflags
mmap_disable = yes
namespace {
  list = children
  location = maildir:%%h/mail:INDEX=~/mail/shared/%%u
  prefix = shared/%%u/
  separator = /
  subscriptions = no
  type = shared
}
namespace inbox {
  inbox = yes
  location =
  prefix =
  separator = /
  type = private
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}
plugin {
  acl = vfile
  acl_shared_dict = proxy::acl
  quota = maildir
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/mail/sieve
  sieve_extensions = +imapflags
  zlib_save = gz
}
pop3_no_flag_updates = yes
pop3_uidl_format = %v.%u
protocols = imap pop3 sieve
service auth {
  unix_listener auth-master {
    group = vmail
    mode = 0600
    user = vmail
  }
}
service dict {
  unix_listener dict {
    group = vmail
    mode = 0600
    user = vmail
  }
}
service imap {
  process_limit = 4000
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
}
service managesieve {
  process_limit = 100
}
service pop3 {
  process_limit = 1000
}
shutdown_clients = no
ssl = no
syslog_facility = local2
userdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}
verbose_proctitle = yes
protocol imap {
  mail_max_userip_connections = 10
  mail_plugins = acl quota zlib imap_quota imap_acl
}
protocol pop3 {
  mail_plugins = acl quota zlib
}

I hope, that this is all required information to find and solve this issue.

Greetings
Roland

From aki.tuomi at dovecot.fi Tue Jun 7 08:52:34 2016
From: aki.tuomi at dovecot.fi (Aki Tuomi)
Date: Tue, 7 Jun 2016 11:52:34 +0300
Subject: segfault in IMAP APPEND with compressed maildir
In-Reply-To: <20160607082051.GA18611@sys-241.netcologne.de>
References: <20160607082051.GA18611@sys-241.netcologne.de>
Message-ID: <57568B52.3060203@dovecot.fi>

On 07.06.2016 11:20, Roland Rosenfeld wrote:
> Hi!
>
> After upgrading from Debian wheezy with (self compiled) dovecot 2.2.15
> to Debian jessie with (self compiled) 2.2.24, I observe the following
> segmentation fault in the logs:

Hi!

This would appear to be fixed in https://github.com/dovecot/core/commit/5df8396a7cbad0b38b83a86667fb3d4c223f6f7c

---
Aki Tuomi
Dovecot Oy

From aki.tuomi at dovecot.fi Tue Jun 7 08:54:07 2016
From: aki.tuomi at dovecot.fi (Aki Tuomi)
Date: Tue, 7 Jun 2016 11:54:07 +0300
Subject: segfault in IMAP APPEND with compressed maildir
In-Reply-To: <57568B52.3060203@dovecot.fi>
References: <20160607082051.GA18611@sys-241.netcologne.de> <57568B52.3060203@dovecot.fi>
Message-ID: <57568BAF.5020509@dovecot.fi>

On 07.06.2016 11:52, Aki Tuomi wrote:
>
> On 07.06.2016 11:20, Roland Rosenfeld wrote:
>> Hi!
>>
>> After upgrading from Debian wheezy with (self compiled) dovecot 2.2.15
>> to Debian jessie with (self compiled) 2.2.24, I observe the following
>> segmentation fault in the logs:
> Hi!
>
> This would appear to be fixed in
> https://github.com/dovecot/core/commit/5df8396a7cbad0b38b83a86667fb3d4c223f6f7c
>
> ---
> Aki Tuomi
> Dovecot Oy

Sorry I mean https://github.com/dovecot/core/commit/6bc001ee9dc03cb3107239861867cd674fd321d7

Aki

From yacinechaouche at yahoo.com Tue Jun 7 09:20:41 2016
From: yacinechaouche at yahoo.com (chaouche yacine)
Date: Tue, 7 Jun 2016 09:20:41 +0000 (UTC)
Subject: Can't delete emails from or write replies to Inbox
In-Reply-To: <575613AE.2080905@earthcaretech.com.au>
References: <575613AE.2080905@earthcaretech.com.au>
Message-ID: <1830788362.271646.1465291241451.JavaMail.yahoo@mail.yahoo.com>

How about some /var/log/dovecot.log lines ?

----- Original Message -----
From: Edwin Humphries
To: Dovecot Mailing List
Sent: Tuesday, June 7, 2016 1:22 AM
Subject: Can't delete emails from or write replies to Inbox

Hi,

I'm running Dovecot and Thunderbird, with 2 separate accounts (business and personal). One operates fine, but the other one won't allow me to write replies to the Inbox (so that I can track current threads), and if I move emails to another folder, it copies them instead. New emails do appear in the Inbox.

I've checked the permissions on the two Inboxes, and they are the same (except for the owner name).

I've tried compacting the problem Inbox, but that hasn't changed things.

Edwin

From zeeshan.muhammad at gmail.com Tue Jun 7 09:52:30 2016
From: zeeshan.muhammad at gmail.com (Zeeshan Muhammad) Date: Tue, 7 Jun 2016 10:52:30 +0100 Subject: Potential bug report: Cannot use ":args" option via Pigeonhole Sieve pipe plugin Message-ID: Hi all, Following the instructions noted at http://wiki2.dovecot.org/Pigeonhole/Sieve/Plugins/Pipe , I am trying to make use of the Pigeonhole sieve pipe plugin to execute an application with custom arguments via my test sieve script: require ["vnd.dovecot.pipe"]; if address :is "to" "test at example.com" { pipe :args [ "first-arg", "second-arg" ] "sieve-pipe-example"; } I am editing my test sieve script via Mozilla Thunderbird v45.1.1 using the Sieve email-client addon (v0.2.3h, see https://github.com/thsmi/sieve#releases and https://addons.mozilla.org/en-US/thunderbird/addon/sieve/ ) When I attempt to save the example sieve script above, I get the following error returned by ManageSieve via Mozilla Thunderbird's Sieve addon: "The script could not be saved: Sieve mail filter: line 3: error: unknown tagged argument ':args' for the pipe command (reported only once at first occurrence). Sieve mail filter: error: validation failed." I have setup sieve-pipe-example as follows in my 90-sieve.conf configuration: service sieve-pipe-script { executable = script /usr/bin/echo user = dovenull # socket name is program-name in Sieve unix_listener sieve-pipe-example { } } I cannot see where I am going wrong. I have combed through the specification at http://hg.rename-it.nl/dovecot-2.2-pigeonhole/raw-file/tip/doc/rfc/spec-bosch-sieve-extprograms.txt as well as the official Dovecot/Pigeonhole wiki-pages and cannot find a solution. If I omit the :args option (and the arguments array), the sieve script successfully gets accepted by ManageSieve. Am I encountering a potential bug or am I doing something silly in my test setup? 
# Dovecot version: v2.2.24
# Pigeonhole version: v0.4.14
# Operating system: CentOS Linux release 7.2.1511 (Core)
# CPU architecture: x86_64

# Dovecot -n output (I have filtered my IP addresses and mail server's FQDN):

# 2.2.24 (a82c823): /usr/local/etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.14 (099a97c)
# OS: Linux 3.10.0-327.18.2.el7.x86_64 x86_64 CentOS Linux release 7.2.1511 (Core)
auth_default_realm = example.com
base_dir = /var/run/dovecot/
default_login_user = vpopmail
first_valid_uid = 500
info_log_path = /dev/stderr
last_valid_uid = 500
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
log_path = /dev/stderr
mail_debug = yes
mail_location = maildir:~/Maildir
mail_max_userip_connections = 20
mail_plugins = " fts fts_lucene"
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext editheader vnd.dovecot.pipe
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = vpopmail
}
plugin {
  fts = lucene
  fts_autoindex = yes
  fts_lucene = whitespace_chars=@.
  sieve = file:~/sieve;active=~/.dovecot.sieve
  sieve_execute_socket_dir = sieve-execute
  sieve_extensions = +editheader +vnd.dovecot.pipe
  sieve_pipe_socket_dir = sieve-pipe
  sieve_plugins = sieve_extprograms
}
protocols = imap pop3 sieve
service auth {
  unix_listener auth-userdb {
    group = vchkpw
    mode = 0666
    user = vpopmail
  }
}
service imap-login {
  inet_listener imap {
    address = 127.0.0.1
    port = 143
    ssl = no
  }
  inet_listener imaps {
    address = 192.168.1.1
    port = 993
    ssl = yes
  }
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
}
service pop3-login {
  inet_listener pop3 {
    address = 127.0.0.1
    port = 110
    ssl = no
  }
  inet_listener pop3s {
    address = 192.168.1.1
    port = 995
    ssl = yes
  }
}
service sieve-pipe-script {
  executable = script /usr/bin/echo
  group = dovenull
  user = dovenull
}
ssl_cert =

References:
Message-ID:

It looks like pipe addon specification at http://hg.rename-it.nl/pigeonhole-0.2-sieve-pipe/raw-file/tip/doc/rfc/spec-bosch-sieve-pipe.txt notes ":args" usage is possible but the implementation source at https://github.com/dovecot/pigeonhole/blob/master/src/plugins/sieve-extprograms/cmd-pipe.c shows it was implemented as follows:

pipe "sieve-pipe-example" [ "first-arg", "second-arg" ];

My test sieve is now working, but I don't understand why I wasn't able to use ":args" format noted in the specification document.

On 7 June 2016 at 10:52, Zeeshan Muhammad wrote: > Hi all, > > Following the instructions noted at > http://wiki2.dovecot.org/Pigeonhole/Sieve/Plugins/Pipe , I am trying to > make use of the Pigeonhole sieve pipe plugin to execute an application with > custom arguments via my test sieve script: > > require ["vnd.dovecot.pipe"]; > if address :is "to" "test at example.com" { > pipe :args [ "first-arg", "second-arg" ] "sieve-pipe-example"; > } > > I am editing my test sieve script via Mozilla Thunderbird v45.1.1 using > the Sieve email-client addon (v0.2.3h, see > https://github.com/thsmi/sieve#releases and > https://addons.mozilla.org/en-US/thunderbird/addon/sieve/ ) > > When I attempt to save the example sieve script above, I get the following > error returned by ManageSieve via Mozilla Thunderbird's Sieve addon: > > "The script could not be saved: > Sieve mail filter: line 3: error: unknown tagged argument ':args' for the > pipe command (reported only once at first occurrence). > Sieve mail filter: error: validation failed." > > I have setup sieve-pipe-example as follows in my 90-sieve.conf > configuration: > > service sieve-pipe-script { > executable = script /usr/bin/echo > user = dovenull > > # socket name is program-name in Sieve > unix_listener sieve-pipe-example { > } > } > > I cannot see where I am going wrong. I have combed through the > specification at > http://hg.rename-it.nl/dovecot-2.2-pigeonhole/raw-file/tip/doc/rfc/spec-bosch-sieve-extprograms.txt > as well as the official Dovecot/Pigeonhole wiki-pages and cannot find a > solution. > > If I omit the :args option (and the arguments array), the sieve script > successfully gets accepted by ManageSieve. > > Am I encountering a potential bug or am I doing something silly in my test > setup? 
> > # Dovecot version: v2.2.24 > # Pigeonhole version: v0.4.14 > # Operating system: CentOS Linux release 7.2.1511 (Core) > # CPU architecture: x86_64 > > # Dovecot -n output (I have filtered my IP addresses and mail server's > FQDN): > > # 2.2.24 (a82c823): /usr/local/etc/dovecot/dovecot.conf > # Pigeonhole version 0.4.14 (099a97c) > # OS: Linux 3.10.0-327.18.2.el7.x86_64 x86_64 CentOS Linux release > 7.2.1511 (Core) > auth_default_realm = example.com > base_dir = /var/run/dovecot/ > default_login_user = vpopmail > first_valid_uid = 500 > info_log_path = /dev/stderr > last_valid_uid = 500 > lda_mailbox_autocreate = yes > lda_mailbox_autosubscribe = yes > log_path = /dev/stderr > mail_debug = yes > mail_location = maildir:~/Maildir > mail_max_userip_connections = 20 > mail_plugins = " fts fts_lucene" > managesieve_notify_capability = mailto > managesieve_sieve_capability = fileinto reject envelope encoded-character > vacation subaddress comparator-i;ascii-numeric relational regex imap4flags > copy include variables body enotify environment mailbox date index ihave > duplicate mime foreverypart extracttext editheader vnd.dovecot.pipe > namespace inbox { > inbox = yes > location = > mailbox Drafts { > special_use = \Drafts > } > mailbox Junk { > special_use = \Junk > } > mailbox Sent { > special_use = \Sent > } > mailbox "Sent Messages" { > special_use = \Sent > } > mailbox Trash { > special_use = \Trash > } > prefix = > } > passdb { > driver = vpopmail > } > plugin { > fts = lucene > fts_autoindex = yes > fts_lucene = whitespace_chars=@. 
> sieve = file:~/sieve;active=~/.dovecot.sieve > sieve_execute_socket_dir = sieve-execute > sieve_extensions = +editheader +vnd.dovecot.pipe > sieve_pipe_socket_dir = sieve-pipe > sieve_plugins = sieve_extprograms > } > protocols = imap pop3 sieve > service auth { > unix_listener auth-userdb { > group = vchkpw > mode = 0666 > user = vpopmail > } > } > service imap-login { > inet_listener imap { > address = 127.0.0.1 > port = 143 > ssl = no > } > inet_listener imaps { > address = 192.168.1.1 > port = 993 > ssl = yes > } > } > service managesieve-login { > inet_listener sieve { > port = 4190 > } > } > service pop3-login { > inet_listener pop3 { > address = 127.0.0.1 > port = 110 > ssl = no > } > inet_listener pop3s { > address = 192.168.1.1 > port = 995 > ssl = yes > } > } > service sieve-pipe-script { > executable = script /usr/bin/echo > group = dovenull > user = dovenull > } > ssl_cert = ssl_key = ssl_protocols = !SSLv2 !SSLv3 > userdb { > driver = vpopmail > } > verbose_proctitle = yes > protocol lda { > hostname = mail.example.com > info_log_path = /var/log/dovecot/dovecot-lda.log > log_path = /var/log/dovecot/dovecot-lda-errors.log > mail_plugins = " fts fts_lucene sieve" > postmaster_address = postmaster at example.com > } > protocol imap { > mail_plugins = " fts fts_lucene imap_zlib" > } > From rrosenfeld at netcologne.de Tue Jun 7 10:52:37 2016 
From: rrosenfeld at netcologne.de (Roland Rosenfeld)
Date: Tue, 7 Jun 2016 12:52:37 +0200
Subject: segfault in IMAP APPEND with compressed maildir
In-Reply-To: <57568BAF.5020509@dovecot.fi>
References: <20160607082051.GA18611@sys-241.netcologne.de> <57568B52.3060203@dovecot.fi> <57568BAF.5020509@dovecot.fi>
Message-ID: <20160607105237.GB18611@sys-241.netcologne.de>

Hi Aki!

On Tue, 07 Jun 2016, Aki Tuomi wrote:

> > This would appear to be fixed in
> > https://github.com/dovecot/core/commit/5df8396a7cbad0b38b83a86667fb3d4c223f6f7c
>
> Sorry I mean
> https://github.com/dovecot/core/commit/6bc001ee9dc03cb3107239861867cd674fd321d7

Many thanks for your quick response. I just applied the second patch and now we have to wait some days, to see whether the issue really disappeared.

I'll keep you informed...

Bye
Roland

--
Roland Rosenfeld - Team Lead Content Delivery - NED - Technology
NETCOLOGNE Gesellschaft für Telekommunikation mbH
Am Coloneum 9
50829 Köln
Tel.: +49 221 2222-373
Fax: +49 221 2222-7373
Managing Directors: Jost Hermanns, Mario Wilhelm
Chairman of the Supervisory Board: Dr. Andreas Cerbe
HRB 25580, AG Köln

From aki.tuomi at dovecot.fi Tue Jun 7 11:52:41 2016
From: aki.tuomi at dovecot.fi (Aki Tuomi) Date: Tue, 7 Jun 2016 14:52:41 +0300 Subject: fts lucene crashes in 2.2.24 In-Reply-To: References: Message-ID: <5756B589.4090602@dovecot.fi> On 29.05.2016 10:56, Wolfgang Rosenauer wrote: > Hi, > > I've just enabled FTS via Lucene on my Dovecot 2.2.24 installation but I > see the indexer crashing ?always?. > > This simple testcase with a very tiny testing mailbox exposes the issue > immediately: > > doveadm -v index -u anmesse INBOX > > Program received signal SIGSEGV, Segmentation fault. > rescan_clear_unseen_mailbox (rescan_ctx=rescan_ctx at entry=0x0, > vname=0x555555839820 "INBOX.Testfolder 2", hdr=hdr at entry=0x7fffffffdaf0) at > lucene-wrapper.cc:831 > 831 (enum mailbox_flags)0); > (gdb) bt full > #0 rescan_clear_unseen_mailbox (rescan_ctx=rescan_ctx at entry=0x0, > vname=0x555555839820 "INBOX.Testfolder 2", hdr=hdr at entry=0x7fffffffdaf0) at > lucene-wrapper.cc:831 > box = 0x7ffff76fd0ad > metadata = {guid = "\230\332\377\377\377\177\000\000\200?UUU\000", > virtual_size = 140737340823160, physical_size = 140737488345756, > first_save_date = 140737488345840, > cache_fields = 0x555500000000, > precache_fields = (MAIL_FETCH_SAVE_DATE | > MAIL_FETCH_PHYSICAL_SIZE | MAIL_FETCH_NUL_STATE | MAIL_FETCH_STREAM_BINARY > | MAIL_FETCH_IMAP_BODY | MAIL_FETCH_IMAP_BODYSTRUCTURE | > MAIL_FETCH_IMAP_ENVELOPE | MAIL_FETCH_FROM_ENVELOPE | MAIL_FETCH_REFCOUNT | > MAIL_FETCH_BODY_SNIPPET | unknown: 1409286144), backend_ns_prefix = 0x0, > backend_ns_type = (unknown: 4294957808)} > #1 0x00007ffff489aade in rescan_clear_unseen_mailboxes > (index=index at entry=0x555555822e20, > rescan_ctx=rescan_ctx at entry=0x0) at lucene-wrapper.cc:863 > iter = 0x55555588d530 > info = > vname = > hdr = {last_indexed_uid = 0, settings_checksum = 3784394109, unused > = 0} > ns = 0x55555580f6c0 > #2 0x00007ffff489b700 in lucene_settings_check (index=0x555555822e20) at > lucene-wrapper.cc:429 > set_checksum = > ret = > #3 lucene_index_build_init 
(index=0x555555822e20) at lucene-wrapper.cc:448 > lock_path = 0x5555557dd320 > "/srv/dovecot/anmesse/maildir/lucene-indexes/write.lock" > st = {st_dev = 93823560581121, st_ino = 0, st_nlink = > 140737344007992, st_mode = 4150696184, st_uid = 32767, st_gid = 5, __pad0 = > 0, st_rdev = 93824995156880, st_size = 93824995175648, > st_blksize = 140737351975397, st_blocks = 93824995096256, st_atim > = {tv_sec = 140737488346056, tv_nsec = 5}, st_mtim = {tv_sec = 5, tv_nsec = > 93824995156880}, st_ctim = { > tv_sec = 93824995175648, tv_nsec = 140737488346352}, > __glibc_reserved = {140737488346352, 93824995267672, 140737344364485}} > exists = > #4 0x00007ffff4899dbe in fts_backend_lucene_update_set_build_key > (_ctx=0x55555583a550, key=0x7fffffffdcf0) at fts-backend-lucene.c:366 > ctx = 0x55555583a550 > backend = 0x555555822ce0 > __FUNCTION__ = "fts_backend_lucene_update_set_build_key" > #5 0x00007ffff674c984 in fts_backend_update_set_build_key > (ctx=0x55555583a550, key=key at entry=0x7fffffffdcf0) at fts-api.c:175 > __FUNCTION__ = "fts_backend_update_set_build_key" > #6 0x00007ffff674dbb8 in fts_build_mail_header (block=0x7fffffffdcd0, > block=0x7fffffffdcd0, ctx=0x7fffffffdd20) at fts-build-mail.c:174 > hdr = > key = {uid = 96, type = FTS_BACKEND_BUILD_KEY_HDR, part = > 0x5555557dd2c0, hdr_name = 0x5555558396b0 "Return-Path", body_content_type > = 0x0, body_content_disposition = 0x0} > ret = > #7 fts_build_mail_real (mail=0x555555838190, update_ctx=0x55555583a550) at > fts-build-mail.c:548 > block = {part = 0x5555557dd2c0, hdr = 0x555555839458, data = > 0x55550000007c , > size = 0} > ret = > input = 0x555555838eb0 > raw_block = {part = 0x5555557dd2c0, hdr = 0x5555558395e0, data = > 0x0, size = 0} > skip_body = false > ctx = {mail = 0x555555838190, update_ctx = 0x55555583a550, > content_type = 0x0, content_disposition = 0x0, body_parser = 0x0, word_buf > = 0x0, pending_input = 0x0, cur_user_lang = 0x0} > prev_part = 0x5555557dd2c0 > parser = 0x555555839070 > decoder = 
0x555555839440 > parts = 0x31 > body_part = false > body_added = false > binary_body = > error = 0x60 > #8 fts_build_mail (update_ctx=0x55555583a550, mail=mail at entry=0x555555838190) > at fts-build-mail.c:594 > _data_stack_cur_id = 5 > #9 0x00007ffff675393e in fts_mail_index (_mail=0x555555838190) at > fts-storage.c:501 > ft = 0x5555558366a0 > flist = 0x55555581ea68 > #10 fts_mail_precache (_mail=0x555555838190) at fts-storage.c:520 > _data_stack_cur_id = 4 > mail = 0x555555838190 > fmail = > ft = > #11 0x00007ffff76987b9 in mail_precache (mail=0x555555838190) at mail.c:401 > _data_stack_cur_id = 3 > p = 0x555555838190 > #12 0x0000555555582fa7 in cmd_index_box_precache (box=0x55555582fd80) at > doveadm-mail-index.c:75 > ctx = 0x555555839be0 > metadata = {guid = '\000' , virtual_size = 0, > physical_size = 0, first_save_date = 0, cache_fields = 0x0, > precache_fields = (MAIL_FETCH_STREAM_HEADER | > MAIL_FETCH_STREAM_BODY | MAIL_FETCH_RECEIVED_DATE | MAIL_FETCH_SAVE_DATE | > MAIL_FETCH_PHYSICAL_SIZE | MAIL_FETCH_VIRTUAL_SIZE | > MAIL_FETCH_UIDL_BACKEND | MAIL_FETCH_GUID | MAIL_FETCH_POP3_ORDER), > backend_ns_prefix = 0x0, backend_ns_type = (unknown: 0)} > counter = 0 > max = 15 > status = {messages = 15, recent = 0, unseen = 0, uidvalidity = > 1048765368, uidnext = 151, first_unseen_seq = 0, first_recent_uid = 151, > last_cached_seq = 0, highest_modseq = 0, > highest_pvt_modseq = 0, keywords = 0x0, permanent_flags = 0, > permanent_keywords = 0, allow_new_keywords = 0, nonpermanent_modseqs = 0, > no_modseq_tracking = 0, have_guids = 1, > have_save_guids = 1, have_only_guid128 = 0} > mail = 0x555555838190 > ret = 0 > trans = 0x555555834310 > search_args = 0x0 > seq = > #13 cmd_index_box (info=, info=, > ctx=0x555555807410) at doveadm-mail-index.c:130 > box = 0x55555582fd80 > status = {messages = 130, recent = 0, unseen = 0, uidvalidity = 0, > uidnext = 1434552496, first_unseen_seq = 21845, first_recent_uid = > 4294958896, last_cached_seq = 32767, > highest_modseq = 
93824995069728, highest_pvt_modseq = > 93824995074385, keywords = 0x555555819868, permanent_flags = 4150947016, > permanent_keywords = 1, allow_new_keywords = 1, > nonpermanent_modseqs = 1, no_modseq_tracking = 1, have_guids = 1, > have_save_guids = 1, have_only_guid128 = 1} > ret = 0 > #14 cmd_index_run (_ctx=0x555555807410, user=0x5555558188b0) at > doveadm-mail-index.c:201 > _data_stack_cur_id = 2 > iter = 0x55555582b9f0 > info = > ret = 0 > user = 0x5555558188b0 > _ctx = 0x555555807410 > ctx = 0x555555807410 > i = > #15 0x000055555557dedf in doveadm_mail_next_user (ctx=ctx at entry=0x555555807410, > cctx=cctx at entry=0x7fffffffe2a0, error_r=error_r at entry=0x7fffffffe0b8) at > doveadm-mail.c:400 > input = {module = 0x0, service = 0x5555555b15a9 "doveadm", username > = 0x5555557da298 "anmesse", session_id = 0x0, session_id_prefix = 0x0, > local_ip = {family = 0, u = {ip6 = {__in6_u = { > ---Type to continue, or q to quit--- > __u6_addr8 = '\000' , __u6_addr16 = {0, > 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {0, 0, 0, 0}}}, ip4 = {s_addr = 0}}}, > remote_ip = {family = 0, u = {ip6 = { > __in6_u = {__u6_addr8 = '\000' , > __u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {0, 0, 0, 0}}}, ip4 = > {s_addr = 0}}}, local_port = 0, remote_port = 0, > userdb_fields = 0x0, flags_override_add = (unknown: 0), > flags_override_remove = (unknown: 0), no_userdb_lookup = 0, debug = 0} > error = 0x20 > ip = > ret = > __FUNCTION__ = "doveadm_mail_next_user" > #16 0x000055555557e843 in doveadm_mail_single_user > (ctx=ctx at entry=0x555555807410, > cctx=cctx at entry=0x7fffffffe2a0, error_r=error_r at entry=0x7fffffffe0b8) at > doveadm-mail.c:431 > __FUNCTION__ = "doveadm_mail_single_user" > #17 0x000055555557e8fd in doveadm_mail_cmd_exec (ctx=ctx at entry=0x555555807410, > cctx=cctx at entry=0x7fffffffe2a0, wildcard_user=wildcard_user at entry=0x0) at > doveadm-mail.c:589 > ret = > error = 0x7ffff7fe89e8 "" > #18 0x000055555557f6ef in doveadm_cmd_ver2_to_mail_cmd_wrapper > 
(cctx=0x7fffffffe2a0) at doveadm-mail.c:1030 > mctx = 0x555555807410 > wildcard_user = > username_args = {0x5555555b1479 "-u", 0x5555557da298 "anmesse", 0x0} > fieldstr = 0x7ffff73d7423 > "H\203\304\bH\211\330[]\303\017\037" > username_args_count = > i = > mail_cmd = {alloc = 0x555555582ad0 , name = > 0x5555555b3e7b "index", usage_args = 0x5555555b2ee8 "[-u |-A] [-S > ] [-q] [-n ] "} > #19 0x000055555558c93c in doveadm_cmd_run_ver2 (argc=4, > argv=0x5555557e13a0, cctx=cctx at entry=0x7fffffffe2a0) at doveadm-cmd.c:524 > param = > pargv = {arr = {buffer = 0x5555557d9a40, element_size = 104}, v = > 0x5555557d9a40, v_modifiable = 0x5555557d9a40} > opts = {arr = {buffer = , element_size = 32}, v = > , v_modifiable = } > pargc = 7 > c = -1 > li = 21845 > pool = 0x5555557d9778 > optbuf = 0x5555557d9790 > __FUNCTION__ = "doveadm_cmd_run_ver2" > #20 0x000055555558c9d7 in doveadm_cmd_try_run_ver2 (cmd_name= out>, argc=4, argv=0x5555557e13a0, cctx=0x7fffffffe2a0) at doveadm-cmd.c:447 > cmd = > #21 0x000055555556fb1f in main (argc=4, argv=0x5555557e13a0) at > doveadm.c:376 > cctx = {cmd = 0x5555557e8208, argc = 7, argv = 0x5555557d9a78, > username = 0x5555557da298 "anmesse", cli = true, local_ip = {family = 0, u > = {ip6 = {__in6_u = { > __u6_addr8 = '\000' , __u6_addr16 = {0, > 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {0, 0, 0, 0}}}, ip4 = {s_addr = 0}}}, > remote_ip = {family = 0, u = {ip6 = { > __in6_u = {__u6_addr8 = '\000' , > __u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {0, 0, 0, 0}}}, ip4 = > {s_addr = 0}}}, local_port = 0, remote_port = 0} > cmd_name = 0x5555557e13dc "index" > quick_init = false > c = > > > doveconf -n: > > # 2.2.24 (a82c823): /etc/dovecot/dovecot.conf > # Pigeonhole version 0.4.14 (099a97c) > # OS: Linux 4.1.21-14-default x86_64 openSUSE 42.1 (x86_64) > auth_mechanisms = plain login > imap_id_log = * > mail_gid = vmail > mail_home = /srv/dovecot/%u > mail_location = maildir:~/maildir > mail_plugins = acl fts fts_lucene virtual zlib quota > 
mail_uid = vmail > mailbox_list_index = yes > managesieve_notify_capability = mailto > managesieve_sieve_capability = fileinto reject envelope encoded-character > vacation subaddress comparator-i;ascii-numeric relational regex imap4flags > copy include variables body enotify environment > mailbox date index ihave duplicate mime foreverypart extracttext > namespace { > list = children > location = > maildir:/srv/dovecot/%%u/maildir:INDEX=~/maildir/shared/%%u:CONTROL=~/maildir/shared/%%u > prefix = shared.%%n. > separator = . > subscriptions = yes > type = shared > } > namespace inbox { > inbox = yes > location = > mailbox Drafts { > special_use = \Drafts > } > mailbox Entw?rfe { > special_use = \Drafts > } > mailbox "Gesendete Objekte" { > special_use = \Sent > } > mailbox Sent { > special_use = \Sent > } > mailbox "Sent Items" { > special_use = \Sent > } > mailbox Spam { > auto = create > special_use = \Junk > } > mailbox Trash { > auto = subscribe > special_use = \Trash > } > prefix = INBOX. > separator = . 
> type = private > } > passdb { > args = /etc/dovecot/dovecot-ldap.conf.ext > driver = ldap > } > plugin { > acl = vfile > acl_shared_dict = file:/srv/dovecot/shared-mailboxes.db > fts = lucene > fts_autoindex = yes > fts_lucene = whitespace_chars="@" > quota = dict:User quota::file:%h/dovecot-quota > quota_grace = 10%% > quota_rule = *:storage=100M > quota_rule2 = INBOX.Trash:storage=+10M > quota_status_nosuser = DUNNO > quota_status_overquota = 552 5.2.2 Mailbox is full / Mailbox ist voll > quota_status_success = DUNNO > sieve = file:~/sieve;active=~/.dovecot.sieve > zlib_save = gz > zlib_save_level = 6 > } > protocols = imap pop3 lmtp sieve > service auth { > unix_listener /var/spool/postfix/private/auth { > group = postfix > mode = 0660 > user = postfix > } > unix_listener auth-userdb { > mode = 0777 > } > } > service lmtp { > unix_listener /var/spool/postfix/private/dovecot-lmtp { > group = postfix > mode = 0660 > user = postfix > } > } > service managesieve-login { > inet_listener sieve { > port = 4190 > } > inet_listener sieve_deprecated { > port = 2000 > } > } > service quota-status { > client_limit = 1 > executable = quota-status -p postfix > inet_listener { > address = 127.0.0.1,::1 > port = 12340 > } > } > ssl_cert = < > ssl_dh_parameters_length = 2048 > ssl_key = < > ssl_options = no_compression > ssl_prefer_server_ciphers = yes > userdb { > driver = prefetch > } > userdb { > args = /etc/dovecot/dovecot-ldap.conf.ext > driver = ldap > } > userdb { > args = username_format=%n /etc/dovecot/shared-mailboxes > default_fields = uid=600 gid=600 home=/srv/dovecot/%n > driver = passwd-file > } > protocol lmtp { > mail_plugins = acl fts fts_lucene virtual zlib quota sieve > } > protocol imap { > mail_max_userip_connections = 30 > mail_plugins = acl fts fts_lucene virtual zlib quota imap_acl imap_zlib > imap_quota > namespace inbox { > location = > mailbox Spam { > autoexpunge = 90 days > } > mailbox Trash { > autoexpunge = 370 days > } > prefix = > } > } Thank 
you for your report, we are looking into it.

Aki

From wrosenauer at gmail.com Tue Jun 7 12:00:29 2016
From: wrosenauer at gmail.com (Wolfgang Rosenauer)
Date: Tue, 7 Jun 2016 14:00:29 +0200
Subject: fts lucene crashes in 2.2.24
In-Reply-To: <5756B589.4090602@dovecot.fi>
References: <5756B589.4090602@dovecot.fi>
Message-ID:

Thanks Aki,

if you need any more information please let me know.

> Thank you for your report, we are looking into it.
>
> Aki
>

From g.danti at assyoma.it Tue Jun 7 12:59:16 2016
From: g.danti at assyoma.it (Gionatan Danti)
Date: Tue, 7 Jun 2016 14:59:16 +0200
Subject: Questions about hardlinks, alternate storage and compression]
In-Reply-To:
References: <20151126141529.GO18514@frodo.gerdesas.com> <20151126150115.2F0BA23488@talvi.dovecot.org> <565C071F.1000302@assyoma.it>
Message-ID: <5756C524.20502@assyoma.it>

Hi list,
any news regarding hardlinks + sieve/pigeonhole setup?

Hardlinking seems a very important feature to me, and I would really like to get it working.

Thanks.

On 30/11/2015 14:23, Timo Sirainen wrote:
> On 30 Nov 2015, at 10:21, Gionatan Danti wrote:
>>
>> So, let me do a straight question: is someone using dovecot/LMTP with hardlinking? To me, this seems a _very_ important feature, and I wonder if I am doing something wrong or if the feature (hardlink+sieve) simply does not exist.
>
> Hardlink+Sieve has never worked. The fix is a bit complicated. Here's my TODO entry about it:
>
> - remove mail_deliver_session after all, do all the stuff transparently
>   by hooking into mailbox_copy().
> - use this hook also to do the mail deduplication: 1) sort all destination
>   users, 2) create mail_user only once for each user, 3) remember in
>   src_mail the previously copied mail, 4) use that for mailbox_copy()ing
>   to following recipients
> - make sure this removes duplicate dbox mails when sieve saves mail to
>   multiple mailboxes
>

--
Danti Gionatan
Technical Support
Assyoma S.r.l. - www.assyoma.it
email: g.danti at assyoma.it - info at assyoma.it
GPG public key ID: FF5F32A8

From tanstaafl at libertytrek.org Tue Jun 7 13:05:12 2016
From: tanstaafl at libertytrek.org (Tanstaafl)
Date: Tue, 7 Jun 2016 09:05:12 -0400
Subject: Multiple recipient delimiter support?
In-Reply-To:
References: <896dfd15-f0dc-2380-708d-6eee0e4a1b21@libertytrek.org> <78628c25-2355-62c9-61b2-3ac8ba897986@libertytrek.org>
Message-ID: <26581dfb-b1eb-bc35-5b21-51cae57a9dc2@libertytrek.org>

On 6/6/2016 2:24 AM, Tom Sommer wrote:
> https://github.com/dovecot/core/commit/972c9172e9e6a0fc6053efb3d2ee9d354b67727f

So, for non programmers, this is your way of saying yes, the patch was committed to core code?

Thanks

From kevin at my.walr.us Tue Jun 7 15:42:15 2016
From: kevin at my.walr.us (KT Walrus)
Date: Tue, 7 Jun 2016 11:42:15 -0400
Subject: userdb for imap proxy
Message-ID: <7C553D5F-B658-4999-B46B-E3C299F3264F@my.walr.us>

If I'm running only imap-login service in my dovecot imap proxy, do I need to configure userdb or only passdb?

From m3freak at thesandhufamily.ca Tue Jun 7 16:07:42 2016
From: m3freak at thesandhufamily.ca (Ranbir)
Date: Tue, 07 Jun 2016 12:07:42 -0400
Subject: Slow auth
Message-ID: <1465315662.18765.32.camel@thesandhufamily.ca>

Hi Everyone,

I'm running dovecot on a CentOS 7 box using PLAIN and GSSAPI auth. I need to use both because I have some clients that can't use GSSAPI.

I haven't been able to get the userdb working properly without a password file and a userdb file. For example, I have to set the home default and change the username_format.

I use FreeIPA and the dovecot server is joined properly to the realm. Authentication works (I don't have any passwords in the userdb file).

The problem is authentication is slow. When I use Roundcube, the login takes longer than it should. In fact, every operation (changing folders, opening an email, replying, etc.) is just slow. The web server where Roundcube is running is barely loaded, the dovecot server isn't loaded and the FreeIPA server is basically sitting idle.

When I watch /var/log/secure as I login to roundcube, I see this in the logs:

http://pastebin.ca/3620032

Why is pam_unix being hit and then pam_sss? I'm thinking the pam_unix failures are the reason why the auth is slow.

Here's the output from dovecot -n:

http://pastebin.ca/3620029

I'm sure I haven't configured something correctly, hence the performance problems.

Any help would be appreciated.

--
Ranbir

From edgar at pettijohn-web.com Tue Jun 7 16:45:45 2016
From: edgar at pettijohn-web.com (Edgar Pettijohn)
Date: Tue, 7 Jun 2016 11:45:45 -0500
Subject: Slow auth
In-Reply-To: <1465315662.18765.32.camel@thesandhufamily.ca>
References: <1465315662.18765.32.camel@thesandhufamily.ca>
Message-ID:

Sent from my iPhone

> On Jun 7, 2016, at 11:07 AM, Ranbir wrote:
>
> Hi Everyone,
>
> I'm running dovecot on a CentOS 7 box using PLAIN and GSSAPI auth. I
> need to use both because I have some clients that can't use GSSAPI.
>
> I haven't been able to get the userdb working properly without a
> password file and a userdb file. For example, I have to set the home
> default and change the username_format.
>
> I use FreeIPA and the dovecot server is joined properly to the realm.
> Authentication works (I don't have any passwords in the userdb file).
>
> The problem is authentication is slow. When I use Roundcube, the login
> takes longer than it should. In fact, every operation (changing
> folders, opening an email, replying, etc.) is just slow. The web server
> where Roundcube is running is barely loaded, the dovecot server isn't
> loaded and the FreeIPA server is basically sitting idle.
>
> When I watch /var/log/secure as I login to roundcube, I see this in the
> logs:
>
> http://pastebin.ca/3620032
>
> Why is pam_unix being hit and then pam_sss? I'm thinking the pam_unix
> failures are the reason why the auth is slow.
>

You have Pam as your passdb driver.

> Here's the output from dovecot -n:
>
> http://pastebin.ca/3620029
>
> I'm sure I haven't configured something correctly, hence the
> performance problems.
>
> Any help would be appreciated.
>
>
> --
> Ranbir

From m3freak at thesandhufamily.ca Tue Jun 7 18:06:29 2016
From: m3freak at thesandhufamily.ca (Ranbir)
Date: Tue, 07 Jun 2016 14:06:29 -0400
Subject: Slow auth
In-Reply-To:
References: <1465315662.18765.32.camel@thesandhufamily.ca>
Message-ID: <1465322789.18765.35.camel@thesandhufamily.ca>

On Tue, 2016-06-07 at 11:45 -0500, Edgar Pettijohn wrote:

> You have Pam as your passdb driver.

Yes, because I have to. How else would I get Dovecot to authenticate users against my FreeIPA server?

--
Ranbir

From aki.tuomi at dovecot.fi Tue Jun 7 18:16:31 2016
From: aki.tuomi at dovecot.fi (aki.tuomi at dovecot.fi)
Date: Tue, 7 Jun 2016 21:16:31 +0300 (EEST)
Subject: Slow auth
In-Reply-To: <1465322789.18765.35.camel@thesandhufamily.ca>
References: <1465315662.18765.32.camel@thesandhufamily.ca> <1465322789.18765.35.camel@thesandhufamily.ca>
Message-ID: <1883012201.4567.1465323394226@appsuite-dev.open-xchange.com>

> On June 7, 2016 at 9:06 PM Ranbir wrote:
>
>
> On Tue, 2016-06-07 at 11:45 -0500, Edgar Pettijohn wrote:
>
> > You have Pam as your passdb driver.
>
> Yes, because I have to. How else would I get Dovecot to authenticate
> users against my FreeIPA server?
>
>
> --
> Ranbir

LDAP does come into mind... IPA after all IS ldap based. It's what sssd uses as well.

---
Aki Tuomi

From laz at paravis.net Tue Jun 7 18:24:10 2016
From: laz at paravis.net (Laz C. Peterson)
Date: Tue, 7 Jun 2016 11:24:10 -0700
Subject: Slow auth
In-Reply-To: <1883012201.4567.1465323394226@appsuite-dev.open-xchange.com>
References: <1465315662.18765.32.camel@thesandhufamily.ca> <1465322789.18765.35.camel@thesandhufamily.ca> <1883012201.4567.1465323394226@appsuite-dev.open-xchange.com>
Message-ID: <7B324227-6827-4875-B160-DF4710C87AEC@paravis.net>

We had this issue as well - switch your primary authentication to LDAP and make sure it is attempting those auth sources first before any PAM sources.

You also don't need to have your Dovecot server joined to the domain by doing it this way, which is nice.

We were previously using PAM auth through Kerberos as a method of authenticating from our LDAP servers. I can't remember the reason why we decided to go with Dovecot->LDAP (no mediating auth service in between), but the performance was significantly faster.

Or, you can also try PAM using Kerberos, instead of Winbind (or whatever you are using with PAM). Just a thought.

~ Laz Peterson
Paravis, LLC

> On Jun 7, 2016, at 11:16 AM, aki.tuomi at dovecot.fi wrote:
>
>
>> On June 7, 2016 at 9:06 PM Ranbir wrote:
>>
>>
>> On Tue, 2016-06-07 at 11:45 -0500, Edgar Pettijohn wrote:
>>
>>> You have Pam as your passdb driver.
>>
>> Yes, because I have to. How else would I get Dovecot to authenticate
>> users against my FreeIPA server?
>>
>>
>> --
>> Ranbir
>
> LDAP does come into mind... IPA after all IS ldap based. It's what sssd uses as well.
>
> ---
> Aki Tuomi

From edgar at pettijohn-web.com Tue Jun 7 20:13:10 2016
From: edgar at pettijohn-web.com (Edgar Pettijohn)
Date: Tue, 7 Jun 2016 15:13:10 -0500
Subject: Slow auth
In-Reply-To: <1465322789.18765.35.camel@thesandhufamily.ca>
References: <1465315662.18765.32.camel@thesandhufamily.ca> <1465322789.18765.35.camel@thesandhufamily.ca>
Message-ID:

Sent from my iPhone

> On Jun 7, 2016, at 1:06 PM, Ranbir wrote:
>
>> On Tue, 2016-06-07 at 11:45 -0500, Edgar Pettijohn wrote:
>>
>> You have Pam as your passdb driver.
>
> Yes, because I have to. How else would I get Dovecot to authenticate
> users against my FreeIPA server?
>
>

Sorry. Thought you were asking why it was using Pam.

> --
> Ranbir

From m3freak at thesandhufamily.ca Tue Jun 7 20:43:09 2016
From: m3freak at thesandhufamily.ca (Ranbir)
Date: Tue, 07 Jun 2016 16:43:09 -0400
Subject: Slow auth [solved]
In-Reply-To: <7B324227-6827-4875-B160-DF4710C87AEC@paravis.net>
References: <1465315662.18765.32.camel@thesandhufamily.ca> <1465322789.18765.35.camel@thesandhufamily.ca> <1883012201.4567.1465323394226@appsuite-dev.open-xchange.com> <7B324227-6827-4875-B160-DF4710C87AEC@paravis.net>
Message-ID: <1465332189.18765.44.camel@thesandhufamily.ca>

On Tue, 2016-06-07 at 11:24 -0700, Laz C. Peterson wrote:

> Or, you can also try PAM using Kerberos, instead of Winbind (or
> whatever you are using with PAM). Just a thought.

So I did a tad bit more research because I didn't want to configure Dovecot to use LDAP. I wanted to use pam because the dovecot pam module would continue to be used. It's just easier that way!

Anyway, I noticed this option for the pam driver in passdb:

cache_key=

I ended up adding this to the "args" list:

cache_key=%u%n

I also set these:

auth_cache_size = 1024
auth_cache_ttl = 1 hour
auth_cache_negative_ttl = 0

Now Roundcube is flying again, just like it was before I made Dovecot use FreeIPA. The slow auth issue is gone.

Thanks for listening!

--
Ranbir

From tss at iki.fi Wed Jun 8 00:13:28 2016
From: tss at iki.fi (Timo Sirainen) Date: Wed, 8 Jun 2016 03:13:28 +0300 Subject: Questions about hardlinks, alternate storage and compression] In-Reply-To: <5756C524.20502@assyoma.it> References: <20151126141529.GO18514@frodo.gerdesas.com> <20151126150115.2F0BA23488@talvi.dovecot.org> <565C071F.1000302@assyoma.it> <5756C524.20502@assyoma.it> Message-ID: It's a rather difficult change and also pretty low priority right now. I'd be happy to explain the details to whoever wants to develop this, but I wouldn't be surprised if it was still unimplemented a few years from now. > On 07 Jun 2016, at 15:59, Gionatan Danti wrote: > > Hi list, > any news regarding hardlinks + sieve/pigeonhole setup? > > Hardlinking seems a very important feature to me, and I would really like to get it working. > > Thanks. > > On 30/11/2015 14:23, Timo Sirainen wrote: >> On 30 Nov 2015, at 10:21, Gionatan Danti wrote: >>> >>> So, let me do a straigth question: is someone using dovecot/LMTP with hardlinking? To me, this seems a _very_ important feature, and I wonder if I am doing something wrong or if the feature (hardlink+sieve) simply does not exists. >> >> Hardlink+Sieve has never worked. The fix is a bit complicated. Here's my TODO entry about it: >> >> - remove mail_deliver_session after all, do all the stuff transparently >> by hooking into mailbox_copy(). >> - use this hook also to do the mail deduplication: 1) sort all destination >> users, 2) create mail_user only once for each user, 3) remember in >> src_mail the previously copied mail, 4) use that for mailbox_copy()ing >> to following recipients >> - make sure this removes duplicate dbox mails when sieve saves mail to >> multiple mailboxes >> > > -- > Danti Gionatan > Supporto Tecnico > Assyoma S.r.l. - www.assyoma.it > email: g.danti at assyoma.it - info at assyoma.it > GPG public key ID: FF5F32A8 From g.danti at assyoma.it Wed Jun 8 04:51:02 2016 
From: g.danti at assyoma.it (Gionatan Danti) Date: Wed, 08 Jun 2016 06:51:02 +0200 Subject: Questions about hardlinks, alternate storage and compression] In-Reply-To: References: <20151126141529.GO18514@frodo.gerdesas.com> <20151126150115.2F0BA23488@talvi.dovecot.org> <565C071F.1000302@assyoma.it> <5756C524.20502@assyoma.it> Message-ID: <8ac8c1526850c19a268675afaba8e66a@assyoma.it> OK, I see. Let me attack the problem from another side: there is any method to use some sort of message filtering (not necessarily Sieve) without destroying hardlinking capability? Or are you all running dovecot without hardlinking? Thanks. Il 08-06-2016 02:13 Timo Sirainen ha scritto: > It's a rather difficult change and also pretty low priority right now. > I'd be happy to explain the details to whoever wants to develop this, > but I wouldn't be surprised if it was still unimplemented a few years > from now. > >> On 07 Jun 2016, at 15:59, Gionatan Danti wrote: >> >> Hi list, >> any news regarding hardlinks + sieve/pigeonhole setup? >> >> Hardlinking seems a very important feature to me, and I would really >> like to get it working. >> >> Thanks. >> >> On 30/11/2015 14:23, Timo Sirainen wrote: >>> On 30 Nov 2015, at 10:21, Gionatan Danti wrote: >>>> >>>> So, let me do a straigth question: is someone using dovecot/LMTP >>>> with hardlinking? To me, this seems a _very_ important feature, and >>>> I wonder if I am doing something wrong or if the feature >>>> (hardlink+sieve) simply does not exists. >>> >>> Hardlink+Sieve has never worked. The fix is a bit complicated. Here's >>> my TODO entry about it: >>> >>> - remove mail_deliver_session after all, do all the stuff >>> transparently >>> by hooking into mailbox_copy(). 
>>> - use this hook also to do the mail deduplication: 1) sort all >>> destination >>> users, 2) create mail_user only once for each user, 3) >>> remember in >>> src_mail the previously copied mail, 4) use that for >>> mailbox_copy()ing >>> to following recipients >>> - make sure this removes duplicate dbox mails when sieve saves >>> mail to >>> multiple mailboxes >>> >> >> -- >> Danti Gionatan >> Supporto Tecnico >> Assyoma S.r.l. - www.assyoma.it >> email: g.danti at assyoma.it - info at assyoma.it >> GPG public key ID: FF5F32A8 -- Danti Gionatan Supporto Tecnico Assyoma S.r.l. - www.assyoma.it email: g.danti at assyoma.it - info at assyoma.it GPG public key ID: FF5F32A8 From mail at marc-stuermer.de Wed Jun 8 06:21:44 2016 
From: mail at marc-stuermer.de (Marc Stürmer)
Date: Wed, 08 Jun 2016 08:21:44 +0200
Subject: Scalability of Dovecot in the Cloud
In-Reply-To: <46EABE42-19FC-4907-A362-6D634A56D7D6@my.walr.us>
Message-ID: <20160608082144.Horde.frrbhRbMuRw13lLHAH8G1Iw@webmail.no-carrier.info>

Quoting KT Walrus:

> Does anyone have any idea of how many IMAP connections a single
> cloud VM (4 vCores at 2.4GHz, 30GB RAM, local SSD storage -
> non-RAID) can be expected to handle in production. The mailboxes are
> fairly small (average 5MB total - 50MB max, as I don't store
> attachments in Dovecot except those saved through IMAP in the
> Sent/Drafts folders) and each user will probably have an average of
> 2 devices that have the mail clients configured to access each
> mailbox.
>
> Can such a server handle 100,000 mailboxes (200,000
> devices/clients)? Or is it more like 10,000? Or, even smaller?

The bottleneck of IMAP operations normally is the number of needed IOPS for accessing the mail storage, which depends on the mean number of concurrent users to be expected.

Can such a server handle this number of mailboxes? Most certainly yes.

The real question is: can such a server cope with the expected load of concurrent user sessions you are expecting?

From mkawada at redhat.com Wed Jun 8 06:37:39 2016
From: mkawada at redhat.com (mkawada at redhat.com)
Date: Wed, 8 Jun 2016 15:37:39 +0900
Subject: password expire warning for dovecot users in IMAP/POP login
Message-ID: <5757BD33.20408@redhat.com>

Dear list,

Is it possible to give a notification about password expire warning to users authenticated by OpenLDAP when the users login via dovecot using IMAP or POP? For example, when you ssh to a server and/or run ldapsearch, you can be warned with password expire warning like below:

# ssh testuser at localhost
testuser at localhost's password:
Your password will expire in 31 minute(s). <==
Last login: Wed Jun 8 12:22:08 2016 from localhost.localdomain

]$ ldapsearch -LLL -D uid=testuser,ou=People,dc=example,dc=com -w redhat "cn=testuser" -e ppolicy
ldap_bind: Success (0) (Password expires in 1808 seconds) <==
dn: uid=testuser,ou=People,dc=example,dc=com

Can the same be done for dovecot users authenticated by OpenLDAP in IMAP/POP?

Thanks,

--
Masaharu Kawada

From aki.tuomi at dovecot.fi Wed Jun 8 06:49:32 2016
From: aki.tuomi at dovecot.fi (Aki Tuomi) Date: Wed, 8 Jun 2016 09:49:32 +0300 Subject: password expire warning for dovecot users in IMAP/POP login In-Reply-To: <5757BD33.20408@redhat.com> References: <5757BD33.20408@redhat.com> Message-ID: <5757BFFC.5010304@dovecot.fi> On 08.06.2016 09:37, mkawada at redhat.com wrote: > Dear list, > > Is it possible to give a notification about password exprire warning > to users authenticated by OpenLDAP when the users login via dovecot > using IMAP or POP? For example, when you ssh to a server and/or run > ldapsearch, you can be warned with password expire warning like below: > > # ssh testuser at localhost > testuser at localhost's password: > Your password will expire in 31 minute(s). <== > Last login: Wed Jun 8 12:22:08 2016 from localhost.localdomain > > ]$ ldapsearch -LLL -D uid=testuser,ou=People,dc=example,dc=com -w > redhat "cn=testuser" -e ppolicy > ldap_bind: Success (0) (Password expires in 1808 seconds) <== > dn: uid=testuser,ou=People,dc=example,dc=com > > Does the same can be done for dovecot users authenticated by OpenLDAP > in IMAP/POP? > > > Thanks, > How would this warning get shown to people? Aki From rrosenfeld at netcologne.de Wed Jun 8 07:13:02 2016 
From: rrosenfeld at netcologne.de (Roland Rosenfeld) Date: Wed, 8 Jun 2016 09:13:02 +0200 Subject: segfault in IMAP APPEND with compressed maildir In-Reply-To: <57568BAF.5020509@dovecot.fi> References: <20160607082051.GA18611@sys-241.netcologne.de> <57568B52.3060203@dovecot.fi> <57568BAF.5020509@dovecot.fi> Message-ID: <20160608071302.GA30824@sys-241.netcologne.de> Hi Aki! On Tue, 07 Jun 2016, Aki Tuomi wrote: > >> After upgrading from Debian wheezy with (self compiled) dovecot 2.2.15 > >> to Debian jessie with (self compiled) 2.2.24, I observe the following > >> segmentation fault in the logs: > >> > >> Jun 7 09:23:09 imap dovecot: imap(user at example.com): Error: read() failed: read(size=8003) failed: Connection reset by peer (uid=0, box=trash) > >> Jun 7 09:23:09 imap dovecot: imap(user at example.com): Error: zlib.read(/srv/mailstore/user at example.com/mail/.trash/tmp/1465283884.M336492P22902.imap): unexpected EOF at 88001 > >> Jun 7 09:23:09 imap dovecot: imap(user at example.com): Error: read(zlib(/srv/mailstore/user at example.com/mail/.trash/tmp/1465283884.M336492P22902.imap)) failed: read(/srv/mailstore/user at example.com/mail/.trash/tmp/1465283884.M336492P22902.imap) failed: zlib.read(/srv/mailstore/user at example.com/mail/.trash/tmp/1465283884.M336492P22902.imap): unexpected EOF at 88001 (uid=0, box=trash) > >> Jun 7 09:23:09 imap dovecot: imap(user at example.com): Fatal: master: service(imap): child 22902 killed with signal 11 (core dumped) > >> > >> We also observed the same (rare) error in the past on the old system. > >> But on the old system, there were only the first 3 lines without the > >> segmentation fault, so we ignored the issue until now. > Sorry I mean > https://github.com/dovecot/core/commit/6bc001ee9dc03cb3107239861867cd674fd321d7 Many thanks! This really fixed the Segfault. After applying this patch on 2.2.24, the Segfault disappeared while the above Error messages stayed (as known from 2.2.15). 
Tschoeeee
Roland

From alessio at skye.it Wed Jun 8 07:49:49 2016
From: alessio at skye.it (Alessio Cecchi)
Date: Wed, 8 Jun 2016 09:49:49 +0200
Subject: userdb for imap proxy
In-Reply-To: <7C553D5F-B658-4999-B46B-E3C299F3264F@my.walr.us>
References: <7C553D5F-B658-4999-B46B-E3C299F3264F@my.walr.us>
Message-ID: <5757CE1D.5060705@skye.it>

On 07/06/2016 17:42, KT Walrus wrote:
> If I'm running only imap-login service in my dovecot imap proxy, do I need to configure userdb or only passdb?
>

In proxy and director configuration you can configure only the passdb lookup.

--
Alessio Cecchi
Postmaster @ http://www.qboxmail.it
https://www.linkedin.com/in/alessice

From mkawada at redhat.com Wed Jun 8 08:05:04 2016
From: mkawada at redhat.com (mkawada at redhat.com) Date: Wed, 8 Jun 2016 17:05:04 +0900 Subject: password expire warning for dovecot users in IMAP/POP login In-Reply-To: <5757BFFC.5010304@dovecot.fi> References: <5757BD33.20408@redhat.com> <5757BFFC.5010304@dovecot.fi> Message-ID: <5757D1B0.6030603@redhat.com> Aki-san, Thanks for your feedback. Whatever ways will do. For instance, in a thunderbird mail client, a pop-up message or notification email telling client that the password will be expired in XX days, something like this, would be nice. Thanks, Masaharu Kawada On 2016?06?08? 15:49, Aki Tuomi wrote: > > On 08.06.2016 09:37, mkawada at redhat.com wrote: >> Dear list, >> >> Is it possible to give a notification about password exprire warning >> to users authenticated by OpenLDAP when the users login via dovecot >> using IMAP or POP? For example, when you ssh to a server and/or run >> ldapsearch, you can be warned with password expire warning like below: >> >> # ssh testuser at localhost >> testuser at localhost's password: >> Your password will expire in 31 minute(s). <== >> Last login: Wed Jun 8 12:22:08 2016 from localhost.localdomain >> >> ]$ ldapsearch -LLL -D uid=testuser,ou=People,dc=example,dc=com -w >> redhat "cn=testuser" -e ppolicy >> ldap_bind: Success (0) (Password expires in 1808 seconds) <== >> dn: uid=testuser,ou=People,dc=example,dc=com >> >> Does the same can be done for dovecot users authenticated by OpenLDAP >> in IMAP/POP? >> >> >> Thanks, >> > How would this warning get shown to people? > > Aki -- Masaharu Kawada From dovecot at benjaminhubert.at Wed Jun 8 08:13:12 2016 
From: dovecot at benjaminhubert.at (Benjamin)
Date: Wed, 8 Jun 2016 10:13:12 +0200
Subject: postfix+dovecot and usernames different to e-mail addresses
Message-ID: <73c9ba32-6dcc-81db-6c88-3e26a78ffafd@benjaminhubert.at>

Hi,

I want to replace an old mailserver setup with postfix+dovecot. The problem I'm facing now is that the old system had usernames different to the e-mail address of the user. For example:

E-Mail-Address: foo at example.com
Username: foo-example.com

I configured postfix so that it passes mails to dovecot using the following command (master.cf):

dovecot unix - n n - - pipe
  flags=DRhu user=mail-data:mail-data argv=/usr/lib/dovecot/dovecot-lda -a $(recipient)

When dovecot now receives an e-mail from postfix it logs

dovecot: lda(mail-data): Error: User initialization failed: Namespace 'INBOX.': Home directory not set for user. Can't expand ~/ for mail root dir in: ~/Maildir
dovecot: lda: Fatal: Invalid user settings. Refer to server log for more information.

My dovecot-ldap configuration looks quite simple:

hosts = 192.168.0.1,192.168.0.2
dn = cn=mailadmin,dc=example,dc=com
dnpass = foo
auth_bind = yes
ldap_version = 3
base = ou=users,dc=example,dc=com
user_attrs = mailMessageStore=home
user_filter = (&(objectClass=qmailUser)(uid=%u))
pass_filter = (&(objectClass=qmailUser)(uid=%u))

I think dovecot does not know that the username is not the e-mail address, but how can I tell him?

Furthermore we have alternative addresses here, so for example there may be an e-mail address bar at example.com owned by foo-example.com who has foo at example.com as primary address.

Dovecot itself (IMAP) works fine, so here it can find the correct Maildir for the user. The difference is that I connect using the username instead of the e-mail address in this case.

# dovecot --version
2.2.22 (fe789d2)

# postconf -d | grep mail_version
mail_version = 3.1.0

# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04 LTS
Release: 16.04
Codename: xenial

Thanks for your help
Benjamin

From alec at alec.pl Wed Jun 8 08:27:55 2016
From: alec at alec.pl (A.L.E.C)
Date: Wed, 8 Jun 2016 10:27:55 +0200
Subject: password expire warning for dovecot users in IMAP/POP login
In-Reply-To: <5757D1B0.6030603@redhat.com>
References: <5757BD33.20408@redhat.com> <5757BFFC.5010304@dovecot.fi> <5757D1B0.6030603@redhat.com>
Message-ID: <5757D70B.7070405@alec.pl>

On 06/08/2016 10:05 AM, mkawada at redhat.com wrote:
> Whatever ways will do. For instance, in a thunderbird mail client, a
> pop-up message or notification email telling client that the password
> will be expired in XX days, something like this, would be nice.

IMAP has ALERT response which is supported by some clients. I think Thunderbird supports that. I don't think POP has such a feature, but I wouldn't care about POP.

--
Aleksander 'A.L.E.C' Machniak
Kolab Groupware Developer [http://kolab.org]
Roundcube Webmail Developer [http://roundcube.net]
---------------------------------------------------
PGP: 19359DC1 @@ GG: 2275252 @@ WWW: http://alec.pl

From mkawada at redhat.com Wed Jun 8 08:39:03 2016
From: mkawada at redhat.com (mkawada at redhat.com)
Date: Wed, 8 Jun 2016 17:39:03 +0900
Subject: password expire warning for dovecot users in IMAP/POP login
In-Reply-To: <5757D70B.7070405@alec.pl>
References: <5757BD33.20408@redhat.com> <5757BFFC.5010304@dovecot.fi> <5757D1B0.6030603@redhat.com> <5757D70B.7070405@alec.pl>
Message-ID: <5757D9A7.70004@redhat.com>

Alec-san,

Thanks for your comment. Please lemme make sure one more thing.

>IMAP has ALERT response which is supported by some clients.

To make it happen, no need to add any other configurations on LDAP end once password policy is correctly set?

Thanks,
Masaharu Kawada

On 2016-06-08 17:27, A.L.E.C wrote:
> On 06/08/2016 10:05 AM, mkawada at redhat.com wrote:
>> Whatever ways will do. For instance, in a thunderbird mail client, a
>> pop-up message or notification email telling client that the password
>> will be expired in XX days, something like this, would be nice.
> IMAP has ALERT response which is supported by some clients. I think
> Thunderbird supports that. I don't think POP has such a feature, but I
> wouldn't care about POP.
>

--
Masaharu Kawada

From alec at alec.pl Wed Jun 8 08:51:21 2016
From: alec at alec.pl (A.L.E.C)
Date: Wed, 8 Jun 2016 10:51:21 +0200
Subject: password expire warning for dovecot users in IMAP/POP login
In-Reply-To: <5757D9A7.70004@redhat.com>
References: <5757BD33.20408@redhat.com> <5757BFFC.5010304@dovecot.fi> <5757D1B0.6030603@redhat.com> <5757D70B.7070405@alec.pl> <5757D9A7.70004@redhat.com>
Message-ID: <5757DC89.7030900@alec.pl>

On 06/08/2016 10:39 AM, mkawada at redhat.com wrote:
> To make it happen, no need to add any other configurations on LDAP end
> once password policy is correctly set?

You've got me wrong. I just responded to Aki's question. ALERT feature could be used to send the message to the client, but there's no code to handle such LDAP password policies/notices yet.

--
Aleksander 'A.L.E.C' Machniak
Kolab Groupware Developer [http://kolab.org]
Roundcube Webmail Developer [http://roundcube.net]
---------------------------------------------------
PGP: 19359DC1 @@ GG: 2275252 @@ WWW: http://alec.pl

From mkawada at redhat.com Wed Jun 8 08:58:09 2016
From: mkawada at redhat.com (mkawada at redhat.com)
Date: Wed, 8 Jun 2016 17:58:09 +0900
Subject: password expire warning for dovecot users in IMAP/POP login
In-Reply-To: <5757DC89.7030900@alec.pl>
References: <5757BD33.20408@redhat.com> <5757BFFC.5010304@dovecot.fi> <5757D1B0.6030603@redhat.com> <5757D70B.7070405@alec.pl> <5757D9A7.70004@redhat.com> <5757DC89.7030900@alec.pl>
Message-ID: <5757DE21.10006@redhat.com>

Alec-san,

Excuse me for my misconception.

Anyway, appreciate your comment.

Thanks,
Masaharu Kawada

On 2016-06-08 17:51, A.L.E.C wrote:
> On 06/08/2016 10:39 AM, mkawada at redhat.com wrote:
>> To make it happen, no need to add any other configurations on LDAP end
>> once password policy is correctly set?
> You've got me wrong. I just responded to Aki's question. ALERT feature
> could be used to send the message to the client, but there's no code to
> handle such LDAP password policies/notices yet.
>

--
Masaharu Kawada
Technical Support Engineer
Red Hat K K
Ebisu Neonato 8F
1-18 Ebisu 4-chome, Shibuya-ku
Tokyo 150-0013, Japan
Direct: +81-3-5798-8347

From peter at ifm.liu.se Wed Jun 8 09:23:07 2016
From: peter at ifm.liu.se (Peter Eriksson)
Date: Wed, 8 Jun 2016 11:23:07 +0200
Subject: Dovecot 2.2.24 coredump client_check_command_hangs()
Message-ID:

I'm seeing core dumps from Dovecot's imap process (around 1/day currently) from client_check_command_hangs().

Dovecot 2.2.24
OS: Solaris 10
CPU: x86
Filesystem: Local ZFS

Most crashes are associated with one user (with 25GB of mail in his mailboxes) but some (two) are also associated with other user with "just" 10GB mail.

Please find enclosed various log files/traces. Let me know if there is something else I might be able to provide that might give more insight into this. The output is from one of the "25GB"-user crashes. He is able to access mail normally most of the time though so the client recovers and he hasn't reported this issue to us.

? [L?.U] SysAdmin KITVS-IFM & ITI-NET IT.LiU.SE +46-13-28 2786

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed... Name: cores.txt
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed... Name: dbx.txt
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed... Name: dovecot-n.txt
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed... Name: pstack.txt

From yacinechaouche at yahoo.com Wed Jun 8 09:32:37 2016
From: yacinechaouche at yahoo.com (chaouche yacine)
Date: Wed, 8 Jun 2016 09:32:37 +0000 (UTC)
Subject: Fw: Can't delete emails from or write replies to Inbox
In-Reply-To: <2048766222.338697.1465378300766.JavaMail.yahoo@mail.yahoo.com>
References: <575613AE.2080905@earthcaretech.com.au> <1830788362.271646.1465291241451.JavaMail.yahoo@mail.yahoo.com> <57579DD3.8000502@earthcaretech.com.au> <2048766222.338697.1465378300766.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <1589947027.366415.1465378357267.JavaMail.yahoo@mail.yahoo.com>

----- Forwarded Message -----
From: chaouche yacine To: Edwin Humphries Sent: Wednesday, June 8, 2016 10:31 AM Subject: Re: Can't delete emails from or write replies to Inbox We have made a copy of our mail server and we sometimes rsync files between the original server and the copy so that when we need to do maintenance work we unplug the production server and put the copy server in lieu. We later found out that rsync needs to be run with the --no-numeric-ids argument to keep owners and groups intact, otherwise you end up with weired owners and groups. Yassine. ________________________________ 
From: Edwin Humphries To: chaouche yacine Sent: Wednesday, June 8, 2016 5:23 AM Subject: Re: Can't delete emails from or write replies to Inbox Chaouche Duh! I reproduced the issue, then found the log file (mail.log, in my case) and found that that user wasn't in the mail group (which is itself a puzzle, because it used to be, but not sure I'm going to spend much time investigating why); added the user to the mail group, restarted dovecot, and hey presto, everything works. Regards, Edwin Humphries Mobile: 0419 233 051 EarthCare Technology (a division of Ironstone Technology Pty Ltd) 79 Barney St, Kiama, NSW, 2533 Web: http://www.earthcaretech.com.au -- This email is intended for the named addressee/s only and may contain confidential or privileged information. If you are not a named addressee please delete it and notify the sender. -- "Sometimes when I consider what tremendous consequences come from little things?I am tempted to think?there are no little things." Bruce Barton "The activist is not the man who says the river is dirty. The activist is the man who cleans up the river." Ross Perot "Our world has enough for each person's need, but not for his greed." Mahatma Gandhi "The best way to predict the future...is to create it." Source unknown "He who knows that enough is enough will always have enough." Lao Tzu "For man two wings are necessary. One wing is physical power and material civilisation; the other is spiritual power and divine civilisation. With one wing only, flight is impossible. Two wings are essential. Therefore, no matter how much material civilisation advances, it cannot attain to perfection except through the uplift of spiritual civilisation." 'Abdu'l-Baha, Promulgation of Universal Peace On 07/06/16 19:20, chaouche yacine wrote: How about some /var/log/dovecot.log lines ? ----- Original Message ----- 
From: Edwin Humphries To: Dovecot Mailing List Sent: Tuesday, June 7, 2016 1:22 AM Subject: Can't delete emails from or write replies to Inbox Hi, I'm running Dovecot and Thunderbird, with 2 separate accounts (business and personal). One operates fine, but the other one won't allow me to write replies to the Inbox (so that I can track current threads), and if I move emails to another folder, it copies them instead. New emails do appear in the Inbox. I've checked the permissions on the two Inboxes, and they are the same (except for the owner name). I've tried compacting the problem Inbox, but that hasn't changed things. Edwin From tom at talpey.com Wed Jun 8 13:10:25 2016 From: tom at talpey.com (Tom Talpey) Date: Wed, 8 Jun 2016 09:10:25 -0400 Subject: password expire warning for dovecot users in IMAP/POP login In-Reply-To: <5757DE21.10006@redhat.com> References: <5757BD33.20408@redhat.com> <5757BFFC.5010304@dovecot.fi> <5757D1B0.6030603@redhat.com> <5757D70B.7070405@alec.pl> <5757D9A7.70004@redhat.com> <5757DC89.7030900@alec.pl> <5757DE21.10006@redhat.com> Message-ID: <72f414c5-20b2-55fb-a1c2-28159559ba79@talpey.com> Kawada-san, have you seen this page? http://wiki2.dovecot.org/PostLoginScripting You will need to write some shell code to determine the expiration, but it has examples of similar actions, including sending an ALERT. On 6/8/2016 4:58 AM, mkawada at redhat.com wrote: > Alec-san, > > Eexcuse me for my misconception. > > Anyway, appreciate your comment. > > Thanks, > Masaharu Kawada > > > On 2016?06?08? 17:51, A.L.E.C wrote: >> On 06/08/2016 10:39 AM, mkawada at redhat.com wrote: >>> To make it happen, no need to add any other configurations on LDAP end >>> once possword policy is correctly set? >> You've got me wrong. I just responded to Aki's question. ALERT feature >> could be used to send the message to the client, but there's no code to >> handle such LDAP password policies/notices yet. >> > > From juan at inti.gob.ar Wed Jun 8 13:31:55 2016 
From: juan at inti.gob.ar (Juan Bernhard) Date: Wed, 8 Jun 2016 10:31:55 -0300 Subject: password expire warning for dovecot users in IMAP/POP login In-Reply-To: <5757BD33.20408@redhat.com> References: <5757BD33.20408@redhat.com> Message-ID: El 08/06/2016 a las 03:37 a.m., mkawada at redhat.com escribi?: > Dear list, > > Is it possible to give a notification about password exprire warning to > users authenticated by OpenLDAP when the users login via dovecot using > IMAP or POP? For example, when you ssh to a server and/or run > ldapsearch, you can be warned with password expire warning like below: > > # ssh testuser at localhost > testuser at localhost's password: > Your password will expire in 31 minute(s). <== > Last login: Wed Jun 8 12:22:08 2016 from localhost.localdomain > > ]$ ldapsearch -LLL -D uid=testuser,ou=People,dc=example,dc=com -w > redhat "cn=testuser" -e ppolicy > ldap_bind: Success (0) (Password expires in 1808 seconds) <== > dn: uid=testuser,ou=People,dc=example,dc=com > > Does the same can be done for dovecot users authenticated by OpenLDAP in > IMAP/POP? > > > Thanks, > I think the easiest solution it to send a mail to the user that the password will expire. A cron job and a shell script should do the work. I don't know any mechanism to send this kind of message via POP. Saludos, Juan. From michael.slusarz at dovecot.fi Wed Jun 8 14:26:28 2016 
From: michael.slusarz at dovecot.fi (Michael Slusarz) Date: Wed, 8 Jun 2016 08:26:28 -0600 (MDT) Subject: password expire warning for dovecot users in IMAP/POP login In-Reply-To: <5757DC89.7030900@alec.pl> References: <5757BD33.20408@redhat.com> <5757BFFC.5010304@dovecot.fi> <5757D1B0.6030603@redhat.com> <5757D70B.7070405@alec.pl> <5757D9A7.70004@redhat.com> <5757DC89.7030900@alec.pl> Message-ID: <2061228266.7608.1465395988842@appsuite-dev.open-xchange.com> The correct way to handle this IMAP-wise would be to return the EXPIRED response code (https://tools.ietf.org/html/rfc5530#section-3). But this requires client support to report to the end user. (And also requires that Dovecot would be able to determine from authentication source that the credentials are expired, as opposed to incorrect.) michael > On June 8, 2016 at 2:51 AM "A.L.E.C" wrote: > > On 06/08/2016 10:39 AM, mkawada at redhat.com wrote: > > > To make it happen, no need to add any other configurations on LDAP end > > once possword policy is correctly set? > > You've got me wrong. I just responded to Aki's question. ALERT feature > could be used to send the message to the client, but there's no code to > handle such LDAP password policies/notices yet. > > -- > Aleksander 'A.L.E.C' Machniak > Kolab Groupware Developer [http://kolab.org] > > Roundcube Webmail Developer [http://roundcube.net] > > --------------------------------------------------- > PGP: 19359DC1 @@ GG: 2275252 @@ WWW: http://alec.pl From kevin at my.walr.us Wed Jun 8 15:10:47 2016 
From: kevin at my.walr.us (KT Walrus)
Date: Wed, 8 Jun 2016 11:10:47 -0400
Subject: userdb for imap proxy
In-Reply-To: <5757CE1D.5060705@skye.it>
References: <7C553D5F-B658-4999-B46B-E3C299F3264F@my.walr.us> <5757CE1D.5060705@skye.it>
Message-ID:

> In proxy and director configuration you can configure only the passdb lookup.

Thanks. I got my installation working yesterday. I have proxies for LMTP and IMAP (no POP3) backed by a farm of Dovecot servers. The IMAP proxy listens on 70 different IPs/ports and does passdb lookups to authenticate the users based on the incoming IP/port. The passdb lookups select the particular backend server containing the user's mailbox.

SMTP (Postfix) does authentication through the IMAP proxy and mail delivery through the LMTP proxy. I haven't bothered to set up an SMTP proxy yet, since my SMTP server will only handle submission and not relay. Submitted messages are queued to a Redis queue for importation into a MySQL database where the messages are held giving the sender the ability to edit/delete their messages before midnight. Messages are sent out to the recipient mailboxes in the early morning through another internal SMTP server talking to the LMTP proxy. For my site, I only want to deliver new messages once a day (in the early morning) with the sender/mailbox admin having the opportunity to edit/delete the messages the day it is sent by the sender.

All appears to be working well, but I'm currently only doing SSL/TLS on the edge (in SMTP/IMAP) and haven't figured out how to do SSL from end to end. I'm not sure if end to end SSL is important for my site, but it seems to be a trend that should not be ignored.

Kevin

> On Jun 8, 2016, at 3:49 AM, Alessio Cecchi wrote:
>
>
>
> On 07/06/2016 17:42, KT Walrus wrote:
>> If I'm running only imap-login service in my dovecot imap proxy, do I need to configure userdb or only passdb?
>>
>
> In proxy and director configuration you can configure only the passdb lookup.
> -- > Alessio Cecchi > Postmaster @ http://www.qboxmail.it > https://www.linkedin.com/in/alessice From kevin at my.walr.us Wed Jun 8 15:26:21 2016 
From: kevin at my.walr.us (KT Walrus)
Date: Wed, 8 Jun 2016 11:26:21 -0400
Subject: password expire warning for dovecot users in IMAP/POP login
In-Reply-To:
References: <5757BD33.20408@redhat.com>
Message-ID:

> I think the easiest solution is to send a mail to the user that the password will expire. A cron job and a shell script should do the work.
> I don't know any mechanism to send this kind of message via POP.

I agree with you. Don't bother trying to alert the user when he logs in (where there is no universal client support for such alerts). But, simply send a notification message from a cron script to their mailbox (a couple days before expiration). You could mark the message as high priority/urgent just in case their client displays such messages more prominently than normal inbox new messages.

IMAP or POP login is usually done by the email client in the background and the user isn't necessarily even around to handle the alert. But, clients are used to alerting the user that they have new mail. So, simply sending a notification message, from a cron job, to their INBOX is definitely the way I would go.

Kevin

> On Jun 8, 2016, at 9:31 AM, Juan Bernhard wrote:
>
>
> On 08/06/2016 at 03:37 a.m., mkawada at redhat.com wrote:
>> Dear list,
>>
>> Is it possible to give a notification about password expire warning to
>> users authenticated by OpenLDAP when the users login via dovecot using
>> IMAP or POP? For example, when you ssh to a server and/or run
>> ldapsearch, you can be warned with password expire warning like below:
>>
>> # ssh testuser at localhost
>> testuser at localhost's password:
>> Your password will expire in 31 minute(s). <==
>> Last login: Wed Jun 8 12:22:08 2016 from localhost.localdomain
>>
>> ]$ ldapsearch -LLL -D uid=testuser,ou=People,dc=example,dc=com -w
>> redhat "cn=testuser" -e ppolicy
>> ldap_bind: Success (0) (Password expires in 1808 seconds) <==
>> dn: uid=testuser,ou=People,dc=example,dc=com
>>
>> Does the same can be done for dovecot users authenticated by OpenLDAP in
>> IMAP/POP?
>>
>>
>> Thanks,
>>
> I think the easiest solution is to send a mail to the user that the password will expire. A cron job and a shell script should do the work.
> I don't know any mechanism to send this kind of message via POP.
>
> Regards, Juan.

From kevin at my.walr.us Wed Jun 8 15:53:13 2016
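The expiry check that both suggestions in this thread depend on (a post-login script that sends an IMAP ALERT, or a cron job that mails the user), as an added example that is not code from any poster or from Dovecot. It assumes the OpenLDAP ppolicy attributes pwdChangedTime and pwdMaxAge have already been fetched, and that a post-login script's output reaches the client as the wiki page cited above describes; the function names are hypothetical and the sample values in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether a user is inside the
# password-expiry warning window, from two OpenLDAP ppolicy values:
#   pwdChangedTime  operational attribute on the user entry (GeneralizedTime)
#   pwdMaxAge       seconds, on the password policy entry (0 = never expires)
# Fetching them (for example with ldapsearch) is site-specific and left out.
# All function names are hypothetical.

# Print Unix epoch seconds for a UTC GeneralizedTime "YYYYMMDDHHMMSSZ".
# Integer arithmetic only (days-from-civil), so it does not need GNU date.
gtime_to_epoch() {
    case $1 in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]Z) ;;
        *) return 1 ;;   # anything but 14 digits + Z is rejected
    esac
    gt_y=$(printf '%s' "$1" | cut -c1-4)
    # Strip one leading zero so "08" is not parsed as an octal number.
    gt_m=$(printf '%s' "$1" | cut -c5-6);   gt_m=${gt_m#0}
    gt_d=$(printf '%s' "$1" | cut -c7-8);   gt_d=${gt_d#0}
    gt_H=$(printf '%s' "$1" | cut -c9-10);  gt_H=${gt_H#0}
    gt_M=$(printf '%s' "$1" | cut -c11-12); gt_M=${gt_M#0}
    gt_S=$(printf '%s' "$1" | cut -c13-14); gt_S=${gt_S#0}
    if [ "$gt_y" -lt 1970 ] || [ "$gt_m" -lt 1 ] || [ "$gt_m" -gt 12 ] ||
       [ "$gt_d" -lt 1 ] || [ "$gt_d" -gt 31 ]; then
        return 1
    fi
    # Count the year from 1 March so the leap day falls at the end.
    if [ "$gt_m" -le 2 ]; then gt_y=$((gt_y - 1)); fi
    gt_era=$((gt_y / 400))
    gt_yoe=$((gt_y - gt_era * 400))
    gt_mp=$(( (gt_m + 9) % 12 ))                     # March=0 ... February=11
    gt_doy=$(( (153 * gt_mp + 2) / 5 + gt_d - 1 ))
    gt_doe=$(( gt_yoe * 365 + gt_yoe / 4 - gt_yoe / 100 + gt_doy ))
    gt_days=$(( gt_era * 146097 + gt_doe - 719468 )) # days since 1970-01-01
    echo $(( gt_days * 86400 + gt_H * 3600 + gt_M * 60 + gt_S ))
}

# ppolicy_seconds_left PWD_CHANGED_TIME PWD_MAX_AGE NOW_EPOCH
# Prints seconds until expiry (negative once expired).
# Returns 1 when the password never expires or the timestamp is malformed.
ppolicy_seconds_left() {
    [ "$2" -gt 0 ] 2>/dev/null || return 1
    ps_changed=$(gtime_to_epoch "$1") || return 1
    echo $(( ps_changed + $2 - $3 ))
}

# expiry_alert PWD_CHANGED_TIME PWD_MAX_AGE NOW_EPOCH WARN_SECONDS
# Prints an untagged IMAP ALERT line (without CRLF) only inside the warning
# window; prints nothing otherwise, so callers can test for an empty result.
expiry_alert() {
    ea_left=$(ppolicy_seconds_left "$1" "$2" "$3") || return 0
    if [ "$ea_left" -gt 0 ] && [ "$ea_left" -le "$4" ]; then
        printf '* OK [ALERT] Your password expires in %d day(s).' \
            $(( (ea_left + 86399) / 86400 ))
    fi
}

# Post-login use (constructed values: changed 2016-06-01 12:00 UTC,
# 10-day maximum age, 7-day warning window):
#   msg=$(expiry_alert 20160601120000Z 864000 "$(date +%s)" 604800)
#   [ -n "$msg" ] && printf '%s\r\n' "$msg"
#   exec "$@"
# A cron job would call ppolicy_seconds_left per user and send a mail
# instead of printing the ALERT line.
```
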
From: kevin at my.walr.us (KT Walrus)
Date: Wed, 8 Jun 2016 11:53:13 -0400
Subject: Advice on once a day message delivery setup
Message-ID: <5BDA6A01-69DA-4D30-9E11-FABB0B7D3E05@my.walr.us>

I'm adding once a day mail delivery to my site. Messages are marked by the sender as "overnight" or "once a week" delivery.

The way I'm planning on implementing this is to queue messages until midnight in a MySQL database. Each mailbox will be kept in two Dovecot mailstores. The first mailstore will give the users IMAP access to their mailbox. A second mailstore will hold the next day's new messages. At midnight, a cron job runs to send messages in the MySQL database out to the second mailstore. Then, at 6am, a second cron job will run to sync the two mailstores using doveadm sync.

What I am expecting to happen is that during the day, notification messages (from the site) may be delivered to the first mailstore (the one providing IMAP access to the user) but no messages from other users sent during the day will come until after 6am the next day. Each time the user submits a new message, a notification message is sent back to the sender with a link for editing the queued message in the MySQL database and an indication of when it is scheduled for delivery.

I am kind of assuming that the morning sync process is fast enough so it can easily complete before noon (in 6 hours) even if I end up having lots of mailboxes on each fully loaded Dovecot server.

Is the doveadm sync process reliable and efficient enough for this type of "once a day" morning new message mail delivery? Or, should I just start delivering messages after midnight and not bother with the second mailstore and subsequent sync?

Just looking for any advice? I kind of like the idea of modeling my mail service after the US Post Office where the mailman delivers new mail once a day rather than like Twitter/Facebook where messages are posted in real time to encourage users to monitor their boxes throughout the day.

Kevin

From wrosenauer at gmail.com Wed Jun 8 20:45:02 2016
From: wrosenauer at gmail.com (Wolfgang Rosenauer)
Date: Wed, 8 Jun 2016 22:45:02 +0200
Subject: postfix+dovecot and usernames different to e-mail addresses
In-Reply-To: <73c9ba32-6dcc-81db-6c88-3e26a78ffafd@benjaminhubert.at>
References: <73c9ba32-6dcc-81db-6c88-3e26a78ffafd@benjaminhubert.at>
Message-ID:

On Wed, Jun 8, 2016 at 10:13 AM, Benjamin wrote:

>
> My dovecot-ldap configuration looks quite simple:
>
> hosts = 192.168.0.1,192.168.0.2
> dn = cn=mailadmin,dc=example,dc=com
> dnpass = foo
> auth_bind = yes
> ldap_version = 3
> base = ou=users,dc=example,dc=com
> user_attrs = mailMessageStore=home
> user_filter = (&(objectClass=qmailUser)(uid=%u))
> pass_filter = (&(objectClass=qmailUser)(uid=%u))
>
> I think dovecot does not know that the username is not the e-mail address,
> but how can I tell him?
>
> Furthermore we have alternative addresses here, so for example there may
> be an e-mail address bar at example.com owned by foo-example.com who has
> foo at example.com as primary address.
>

You need user_filter and pass_filter to recognize also the email addresses
IMHO.

Mine look like:
pass_filter = (&(objectClass=suseMailRecipient)(|(alias=%n)(uid=%n)))
user_filter = (&(objectClass=suseMailRecipient)(|(alias=%n)(uid=%n)))

You have to adapt to your own ldap attributes and use the correct variable
(%n) to match your usecase. My users can login (and receive mails) via all
of their aliases, primary address (part of the alias set) or their username.

HTH,
Wolfgang

From mkawada at redhat.com Thu Jun 9 00:15:32 2016
From: mkawada at redhat.com (mkawada at redhat.com)
Date: Thu, 9 Jun 2016 09:15:32 +0900
Subject: password expire warning for dovecot users in IMAP/POP login
In-Reply-To:
References: <5757BD33.20408@redhat.com>
Message-ID: <5758B524.8050105@redhat.com>

Hi list,

I very much appreciate you all who gave me a help on my question. Will check and try the stuff based on the given info from you guys.

Thanks a million!
Masaharu Kawada

On 2016-06-09 00:26, KT Walrus wrote:
>> I think the easiest solution is to send a mail to the user that the password will expire. A cron job and a shell script should do the work.
>> I don't know any mechanism to send this kind of message via POP.
> I agree with you. Don't bother trying to alert the user when he logs in (where there is no universal client support for such alerts). But, simply send a notification message from a cron script to their mailbox (a couple days before expiration). You could mark the message as high priority/urgent just in case their client displays such messages more prominently than normal inbox new messages. IMAP or POP login is usually done by the email client in the background and the user isn't necessarily even around to handle the alert. But, clients are used to alerting the user that they have new mail.
>
> So, simply sending a notification message, from a cron job, to their INBOX is definitely the way I would go.
>
> Kevin
>
>> On Jun 8, 2016, at 9:31 AM, Juan Bernhard wrote:
>>
>>
>> On 08/06/2016 at 03:37 a.m., mkawada at redhat.com wrote:
>>> Dear list,
>>>
>>> Is it possible to give a notification about password expire warning to
>>> users authenticated by OpenLDAP when the users login via dovecot using
>>> IMAP or POP? For example, when you ssh to a server and/or run
>>> ldapsearch, you can be warned with password expire warning like below:
>>>
>>> # ssh testuser at localhost
>>> testuser at localhost's password:
>>> Your password will expire in 31 minute(s).    <==
>>> Last login: Wed Jun 8 12:22:08 2016 from localhost.localdomain
>>>
>>> ]$ ldapsearch -LLL -D uid=testuser,ou=People,dc=example,dc=com -w
>>> redhat "cn=testuser" -e ppolicy
>>> ldap_bind: Success (0) (Password expires in 1808 seconds)    <==
>>> dn: uid=testuser,ou=People,dc=example,dc=com
>>>
>>> Can the same be done for dovecot users authenticated by OpenLDAP in
>>> IMAP/POP?
>>>
>>>
>>> Thanks,
>>>
>> I think the easiest solution is to send a mail to the user that the password will expire. A cron job and a shell script should do the work.
>> I don't know any mechanism to send this kind of message via POP.
>>
>> Regards, Juan.

--
Masaharu Kawada

From mail at marc-stuermer.de Thu Jun 9 05:36:37 2016
From: mail at marc-stuermer.de (Marc Stürmer)
Date: Thu, 09 Jun 2016 07:36:37 +0200
Subject: Advice on once a day message delivery setup
In-Reply-To: <5BDA6A01-69DA-4D30-9E11-FABB0B7D3E05@my.walr.us>
Message-ID: <20160609073637.Horde.-eXYx89fwFT6HmiGkvG9phZ@webmail.no-carrier.info>

Quoting KT Walrus :

> Just looking for any advice? I kind of like the idea of modeling my
> mail service after the US Post Office where the mailman delivers new
> mail once a day rather than like Twitter/Facebook where messages are
> posted in real time to encourage users to monitor their boxes
> throughout the day.

This is not going to work. People are used and do consider email delivery instantly to themselves, that's what they expect.

Breaking this thing will only give you a major disadvantage in your field of competition and some major headache, as well.

From matthias.lay at securepoint.de Thu Jun 9 12:48:56 2016
From: matthias.lay at securepoint.de (Matthias Lay)
Date: Thu, 9 Jun 2016 14:48:56 +0200
Subject: auth_bind with "()" in username not working
Message-ID: <20160609144856.20d7ee37@eugen.spdev.local>

Hi all,

I have an AD testsetup with auth_bind setting

auth_bind_userdn = "spdev\\%Ln"

I created a testuser "claasc (test)" which works fine in all ldapfilters but not for the auth_bind.
The log shows everything correct, just "invalid credentials":

mail.debug: Jun 9 14:12:31 dovecot: auth: Debug: auth client connected (pid=12202)
mail.debug: Jun 9 14:12:31 dovecot: auth: Debug: client in: AUTH 1 PLAIN service=imap secured session=T6knVtc0wQB/AAAB lip=127.0.0.1 rip=127.0.0.1 lport=143 rport=39873
mail.debug: Jun 9 14:12:31 dovecot: auth: Debug: client passdb out: CONT 1
mail.debug: Jun 9 14:12:31 dovecot: auth: Debug: client in: CONT
mail.debug: Jun 9 14:12:31 dovecot: auth: Debug: passwd-file(claasc (test),127.0.0.1,): cache miss
mail.debug: Jun 9 14:12:31 dovecot: auth: Debug: passwd-file(claasc (test),127.0.0.1,): lookup: user=claasc (test) file=/etc/dovecot/passwd.postmaster
mail.info: Jun 9 14:12:31 dovecot: auth: passwd-file(claasc (test),127.0.0.1,): unknown user (given password: HubertHans99)
mail.debug: Jun 9 14:12:31 dovecot: auth: Debug: ldap(claasc (test),127.0.0.1,): cache miss
mail.info: Jun 9 14:12:31 dovecot: auth: ldap(claasc (test),127.0.0.1,): invalid credentials
mail.debug: Jun 9 14:12:33 dovecot: auth: Debug: client passdb out: FAIL 1 user=claasc (test)
mail.info: Jun 9 14:12:33 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, session=

So I guess it's just a bind problem.

strace output from auth process of imap login:

write(26, "0-\2\1\4`(\2\1\3\4\25spdev\\claasc \\(test\\)\200\fHubertHans99", 47) = 47

The additional \\ in front of the brackets looks strange to me and might be the reason.

Tested version is 2.2.18.

Greetz Matze

From dovecot at benjaminhubert.at Thu Jun 9 14:03:38 2016
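Added example (not part of the original post and not Dovecot code): decoding the write() buffer from the strace line above as an LDAP simple-bind request shows the bind name exactly as the directory receives it, and where it differs from the account name. The buffer is the one from the post with the password bytes replaced by a same-length placeholder; EXPECTED_NAME and the helper names are assumptions made for this illustration.

```python
"""Decode the LDAP simple-bind request from the strace line to see the bind name as sent."""

# write() buffer from the post, in strace's C-style escaping; the 12 password
# bytes are replaced by a constructed placeholder of the same length.
STRACE_ARG = r"0-\2\1\4`(\2\1\3\4\25spdev\\claasc \\(test\\)\200\fXXXXXXXXXXXX"
# Name the administrator intends to bind as (domain\user, per the post's setup).
EXPECTED_NAME = "spdev\\claasc (test)"

_SIMPLE = {"n": 10, "t": 9, "r": 13, "f": 12, "v": 11, "\\": 92, '"': 34}


def unescape_strace(text):
    """Turn strace's escaped string (octal, \\xHH, \\n ...) back into raw bytes."""
    out, i = bytearray(), 0
    while i < len(text):
        if text[i] != "\\":
            out.append(ord(text[i]))
            i += 1
            continue
        if i + 1 >= len(text):
            raise ValueError("dangling backslash at end of string")
        nxt = text[i + 1]
        if nxt in _SIMPLE:
            out.append(_SIMPLE[nxt])
            i += 2
        elif nxt == "x":
            out.append(int(text[i + 2:i + 4], 16))
            i += 4
        elif nxt in "01234567":
            j = i + 1
            while j < min(i + 4, len(text)) and text[j] in "01234567":
                j += 1
            out.append(int(text[i + 1:j], 8))
            i = j
        else:
            raise ValueError("unknown escape at offset %d" % i)
    return bytes(out)


def read_tlv(buf, pos):
    """Read one BER tag-length-value; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def parse_simple_bind(buf):
    """Parse LDAPMessage { messageID, BindRequest { version, name, simple } }."""
    tag, msg, _ = read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, msg_id, pos = read_tlv(msg, 0)
    tag, bind, _ = read_tlv(msg, pos)
    if tag != 0x60:  # [APPLICATION 0] = BindRequest
        raise ValueError("not a BindRequest")
    _, version, pos = read_tlv(bind, 0)
    _, name, pos = read_tlv(bind, pos)
    tag, secret, _ = read_tlv(bind, pos)
    if tag != 0x80:  # [0] = simple (password) authentication
        raise ValueError("not a simple bind")
    return {
        "message_id": int.from_bytes(msg_id, "big"),
        "version": int.from_bytes(version, "big"),
        "name": name.decode("utf-8"),
        "password_len": len(secret),  # report the length only, never the secret
    }


def unexpected_escapes(sent, expected):
    """Return offsets in `sent` of backslashes that are absent from `expected`."""
    offsets, i, j = [], 0, 0
    while i < len(sent):
        if j < len(expected) and sent[i] == expected[j]:
            i, j = i + 1, j + 1
        elif sent[i] == "\\":
            offsets.append(i)
            i += 1
        else:
            raise ValueError("names differ by more than added backslashes")
    if j != len(expected):
        raise ValueError("sent name is shorter than the expected name")
    return offsets


def filter_escape(value):
    """RFC 4515 escaping, which belongs inside a search filter such as (uid=...)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def analyse(strace_arg, expected_name):
    """Decode the captured bind and list the backslashes the account name lacks."""
    bind = parse_simple_bind(unescape_strace(strace_arg))
    bind["extra_backslashes_at"] = unexpected_escapes(bind["name"], expected_name)
    return bind


if __name__ == "__main__":
    print(analyse(STRACE_ARG, EXPECTED_NAME))
    print(filter_escape("claasc (test)"))
```

The decoded name carries a backslash before each parenthesis, which is neither the plain account name nor the \28 and \29 form that RFC 4515 prescribes for filter values.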
From: dovecot at benjaminhubert.at (Benjamin)
Date: Thu, 9 Jun 2016 16:03:38 +0200
Subject: postfix+dovecot and usernames different to e-mail addresses
In-Reply-To:
References: <73c9ba32-6dcc-81db-6c88-3e26a78ffafd@benjaminhubert.at>
Message-ID:

Thank you for this hint, but no, that does not work.

Does Dovecot really use this user_filter when postfix passes mail using
the dovecot-lda command?

I now tried it with

user_filter = (&(objectClass=qmailUser)(|(uid=%u)(mail=%u)))

and when I search with this filter in LDAP directly (using the
recipients e-mail address as %u) it returns the wanted user.

I also ensured, postfix passes the e-mail address as argument by playing
around with master.cf, and it does. At the moment the dovecot line looks
as follows:

dovecot unix - n n - - pipe
  flags=DRhu user=mail-data:mail-data
  argv=/usr/lib/dovecot/dovecot-lda -a ${recipient}

Dovecot still tells me that it does not find the home directory for the
user.


Benjamin


On 06/08/2016 10:45 PM, Wolfgang Rosenauer wrote:
> On Wed, Jun 8, 2016 at 10:13 AM, Benjamin wrote:
>
>>
>> My dovecot-ldap configuration looks quite simple:
>>
>> hosts = 192.168.0.1,192.168.0.2
>> dn = cn=mailadmin,dc=example,dc=com
>> dnpass = foo
>> auth_bind = yes
>> ldap_version = 3
>> base = ou=users,dc=example,dc=com
>> user_attrs = mailMessageStore=home
>> user_filter = (&(objectClass=qmailUser)(uid=%u))
>> pass_filter = (&(objectClass=qmailUser)(uid=%u))
>>
>> I think dovecot does not know that the username is not the e-mail address,
>> but how can I tell him?
>>
>> Furthermore we have alternative addresses here, so for example there may
>> be an e-mail address bar at example.com owned by foo-example.com who has
>> foo at example.com as primary address.
>>
>
> You need user_filter and pass_filter to recognize also the email addresses
> IMHO.
>
> Mine look like:
> pass_filter = (&(objectClass=suseMailRecipient)(|(alias=%n)(uid=%n)))
> user_filter = (&(objectClass=suseMailRecipient)(|(alias=%n)(uid=%n)))
>
> You have to adapt to your own ldap attributes and use the correct variable
> (%n) to match your usecase. My users can login (and receive mails) via all
> of their aliases, primary address (part of the alias set) or their username.
>
> HTH,
> Wolfgang
>

From dovecot-e51 at deemzed.uk Thu Jun 9 14:06:22 2016
From: dovecot-e51 at deemzed.uk (Dave) Date: Thu, 9 Jun 2016 15:06:22 +0100 Subject: Increased errors "Broken MIME parts" in log file In-Reply-To: <406D3729-5078-4674-B8EC-8B5F5541C6D0@iki.fi> References: <574EE799.2070806@skye.it> <406D3729-5078-4674-B8EC-8B5F5541C6D0@iki.fi> Message-ID: On 02/06/2016 22:58, Timo Sirainen wrote: > On 01 Jun 2016, at 16:48, Alessio Cecchi wrote: >> >> Hi, >> >> after the last upgrade to Dovecot 2.2.24.2 (d066a24) I see an increased number of errors "Broken MIME parts" for users in dovecot log file, here an example: >> >> Jun 01 15:25:29 Error: imap(alessio.cecchi at skye.it): Corrupted index cache file /home/domains/skye.it/alessio.cecchi/Maildir/dovecot.index.cache: Broken MIME parts for mail UID 34 in mailbox INBOX: Cached MIME parts don't match message during parsing: Cached header size mismatch (parts=410000005b070000000000007b07000000000000fc0a000000000000400b0000000000000300000048000000800700000000000060000000000000006400000000000000200000000000000021000000000000000100000040000000260800000000000027000000000000002900000000000000ea00000000000000f000000000000000440000005d090000000000001e000000000000002000000000000000b308000000000000e0080000000000002d00000001000000410000007b09000000000000b208000000000000de080000000000000000000000000000000000000000000000000000) > .. > >> but the error reappears always (for the same UID) when I do "search" from webmail. All works fine for the users but I don't think is good to have these errors in log file. > > If it's reproducible for a specific email, can you send me the email? I'm replying to this again for a couple of reasons: 1. I've not heard any further discussion and I accidentally replied to the wrong thread initially (oops!) 2. It's actually looking to become a fairly serious issue (extra 100Mb/s of network traffic, extra 10K NFS ops/sec) I've been seeing the same problem after upgrading from 2.2.18 to 2.2.24 with identical config. 
Reads from mailboxes have doubled, which looks consistent with repeated index rebuilds. It's not got any better over time, so the indexes aren't managing to self-heal (over 1300 of these errors today so far, for example). [2016-06-09T09:50:30+0100] imap(xxxx): Error: Corrupted index cache file /mnt/index/c69/923413/.INBOX/dovecot.index.cache: Broken MIME parts for mail UID 74359 in mailbox INBOX: Cached MIME parts don't match message during parsing: Cached header size mismatch (parts=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) [2016-06-09T10:05:32+0100] imap(xxxx): Error: Corrupted index cache file /mnt/index/498/1603514/.INBOX/dovecot.index.cache: Broken MIME parts for mail UID 810 in mailbox INBOX: Cached MIME parts don't match message during parsing: Cached header size mismatch (parts=41000000dc02000000000000ef02000000000000e8060000000000001c070000000000000300000048000000fc020000000000005b000000000000005f0000000000000098000000000000009b0000000000000003000000400000001004000000000000270000000000000029000000000000000a0100000000000011010000000000004400000062050000000000001e00000000000000200000000000000020040000000000003a040000000000001a000000010000004100000080050000000000001f0400000000000038040000000000000000000000000000000000000000000000000000) Again, usual force-resync of the index or deletion and recreation don't help, the same indexes keep corrupting based on certain messages. Checking one of the triggering emails, maildir tags for size and virtual size are correct, contains a 6 part multipart/mixed with the first part being itself a 2 part multipart/alternative, both have different boundary ids (unfortunately I still cannot release the email itself, I'm hoping the error will trigger on some that I can release, none so far) -- Dave From dovecot at benjaminhubert.at Thu Jun 9 15:13:42 2016 
From: dovecot at benjaminhubert.at (Benjamin)
Date: Thu, 9 Jun 2016 17:13:42 +0200
Subject: postfix+dovecot and usernames different to e-mail addresses
In-Reply-To:
References: <73c9ba32-6dcc-81db-6c88-3e26a78ffafd@benjaminhubert.at>
Message-ID: <357b6838-815b-d21b-7797-3aff67ca5668@benjaminhubert.at>

Ok. The problem seems to be something different. I found out that even
if I pass the real username (foo-example.com) to dovecot-lda, dovecot
tells me

Error: User initialization failed: Namespace 'INBOX.': Home directory
not set for user. Can't expand ~/ for mail root dir in: ~/Maildir

Why does dovecot find the home when accessed via IMAP, but not when
accessed via dovecot-lda?


Benjamin


On 06/09/2016 04:03 PM, Benjamin wrote:
> Thank you for this hint, but no, that does not work.
>
> Does Dovecot really use this user_filter when postfix passes mail using
> the dovecot-lda command?
>
> I now tried it with
>
> user_filter = (&(objectClass=qmailUser)(|(uid=%u)(mail=%u)))
>
> and when I search with this filter in LDAP directly (using the
> recipients e-mail address as %u) it returns the wanted user.
>
> I also ensured, postfix passes the e-mail address as argument by playing
> around with master.cf, and it does. At the moment the dovecot line looks
> as follows:
>
> dovecot unix - n n - - pipe
>   flags=DRhu user=mail-data:mail-data
>   argv=/usr/lib/dovecot/dovecot-lda -a ${recipient}
>
> Dovecot still tells me that it does not find the home directory for the
> user.
>
>
> Benjamin
>
>
> On 06/08/2016 10:45 PM, Wolfgang Rosenauer wrote:
>> On Wed, Jun 8, 2016 at 10:13 AM, Benjamin
>> wrote:
>>
>>>
>>> My dovecot-ldap configuration looks quite simple:
>>>
>>> hosts = 192.168.0.1,192.168.0.2
>>> dn = cn=mailadmin,dc=example,dc=com
>>> dnpass = foo
>>> auth_bind = yes
>>> ldap_version = 3
>>> base = ou=users,dc=example,dc=com
>>> user_attrs = mailMessageStore=home
>>> user_filter = (&(objectClass=qmailUser)(uid=%u))
>>> pass_filter = (&(objectClass=qmailUser)(uid=%u))
>>>
>>> I think dovecot does not know that the username is not the e-mail
>>> address,
>>> but how can I tell him?
>>>
>>> Furthermore we have alternative addresses here, so for example there may
>>> be an e-mail address bar at example.com owned by foo-example.com who has
>>> foo at example.com as primary address.
>>>
>>
>> You need user_filter and pass_filter to recognize also the email
>> addresses
>> IMHO.
>>
>> Mine look like:
>> pass_filter = (&(objectClass=suseMailRecipient)(|(alias=%n)(uid=%n)))
>> user_filter = (&(objectClass=suseMailRecipient)(|(alias=%n)(uid=%n)))
>>
>> You have to adapt to your own ldap attributes and use the correct
>> variable
>> (%n) to match your usecase. My users can login (and receive mails) via
>> all
>> of their aliases, primary address (part of the alias set) or their
>> username.
>>
>> HTH,
>> Wolfgang
>>

From wrosenauer at gmail.com Thu Jun 9 16:26:23 2016
From: wrosenauer at gmail.com (Wolfgang Rosenauer)
Date: Thu, 9 Jun 2016 18:26:23 +0200
Subject: postfix+dovecot and usernames different to e-mail addresses
In-Reply-To: <357b6838-815b-d21b-7797-3aff67ca5668@benjaminhubert.at>
References: <73c9ba32-6dcc-81db-6c88-3e26a78ffafd@benjaminhubert.at> <357b6838-815b-d21b-7797-3aff67ca5668@benjaminhubert.at>
Message-ID:

Hi,


On Thu, Jun 9, 2016 at 5:13 PM, Benjamin wrote:

> Ok. The problem seems to be something different. I found out that even if
> I pass the real username (foo-example.com) to dovecot-lda, dovecot tells
> me
>
> Error: User initialization failed: Namespace 'INBOX.': Home directory
> not set for user. Can't expand ~/ for mail root dir in: ~/Maildir
>
> Why does dovecot find the home when accessed via IMAP, but not when
> accessed via dovecot-lda?
>
>
Actually, good question. I have to admit I only use LMTP and for that it
works for me.
I left out some more settings which might be important for you:
pass_attrs = uid=user
user_attrs =
uid=user,=uid=600,=gid=600,=home=/srv/dovecot/%n,suseImapQuota=quota_rule=*:storage=%{ldap:suseImapQuota}M

since obviously the search itself is not sufficient. You need to make sure that the right mailbox is addressed in the end via the uid=user
In your configuration you do not return a user at all so this can be a problem IMHO.

From jtam.home at gmail.com Thu Jun 9 18:44:28 2016
From: jtam.home at gmail.com (Joseph Tam)
Date: Thu, 9 Jun 2016 11:44:28 -0700 (PDT)
Subject: Advice on once a day message delivery setup
In-Reply-To:
References:
Message-ID:

KT Walrus writes:

> Just looking for any advice? I kind of like the idea of modeling my
> mail service after the US Post Office where the mailman delivers new
> mail once a day rather than like Twitter/Facebook where messages are
> posted in real time to encourage users to monitor their boxes
> throughout the day.

You've rediscovered digesting, which many mailing lists (including this one), will batch up messages and periodically send them as one large message (using MIME multipart or some other combination technique).

The only difference is that you're doing it at the receiving end. I wouldn't recommend it for all mail, but it could be useful to aggregate high-volume low-priority mail into manageable chunks.

There are many ways you could accomplish it, but the most straightforward way is to deliver new mail to a sideline mailbox, and have a cron script deliver them to the user's INBOX (possibly digesting them into one message).

Joseph Tam

From bind at enas.net Fri Jun 10 07:09:52 2016
From: bind at enas.net (Urban Loesch) Date: Fri, 10 Jun 2016 09:09:52 +0200 Subject: Increased errors "Broken MIME parts" in log file In-Reply-To: References: <574EE799.2070806@skye.it> <406D3729-5078-4674-B8EC-8B5F5541C6D0@iki.fi> Message-ID: <575A67C0.1040507@enas.net> Hi, same here on my installation. Version: Enterprise Edition: 2:2.2.24.1-2 Some logs: ... Jun 5 07:40:01 dovecot-server dovecot: imap(user at domain.com pid:27937 session:): Error: Corrupted index cache file /home/dovecotindex/domain.com/user/mailboxes/INBOX/dovecot.index.cache: Broken MIME parts for mail UID 11678 in mailbox INBOX: Cached MIME parts don't match message during parsing: Cached header size mismatch (parts=410000009f0d000000000000d90d000000000000d52f00000000000002310000000000000200000048000000e40d0000000000005c000000000000005e00000000000000000000000000000000000000000000000000000048000000580e0000000000005c000000000000005f00000000000000a52e000000000000c52f00000000000020010000) Jun 5 07:40:01 dovecot-server dovecot: imap(user at domain.com pid:27937 session:): Error: Corrupted index cache file /home/dovecotindex/domain.com/user/mailboxes/INBOX/dovecot.index.cache: Broken MIME parts for mail UID 11694 in mailbox INBOX: Cached MIME parts don't match message during parsing: Cached header size mismatch (parts=41000000bb0d000000000000f50d000000000000e4f2000000000000a9f80000000000000200000048000000000e0000000000005c000000000000005e00000000000000000000000000000000000000000000000000000048000000740e0000000000005c000000000000005f00000000000000b4f10000000000006cf7000000000000b8050000) Got also this errors: Jun 5 07:40:01 dovecot-server dovecot: imap(user at domain.com pid:27937 session:): Error: unlink(/home/dovecotindex/domain.com/user/mailboxes/INBOX/dovecot.index.cache) failed: No such file or directory (in mail-cache.c:28) Jun 5 07:40:01 dovecot-server dovecot: imap(user at domain.com pid:27937 session:): Error: Corrupted index cache file 
/home/dovecotindex/domain.com/user/mailboxes/INBOX/dovecot.index.cache: Broken MIME parts for mail UID 11742 in mailbox INBOX: Cached MIME parts don't match message during parsing: Cached header size mismatch (parts=) Jun 5 07:40:01 dovecot-server dovecot: imap(user at domain.com pid:27937 session:): Error: unlink(/home/dovecotindex/domain.com/user/mailboxes/INBOX/dovecot.index.cache) failed: No such file or directory (in mail-cache.c:28) Jun 5 07:40:01 dovecot-server dovecot: imap(user at domain.com pid:27937 session:): Error: Corrupted index cache file /home/dovecotindex/domain.com/user/mailboxes/INBOX/dovecot.index.cache: Broken MIME parts for mail UID 11752 in mailbox INBOX: Cached MIME parts don't match message during parsing: Cached header size mismatch (parts=) Jun 5 07:40:02 dovecot-server dovecot: imap(user at domain.com pid:27937 session:): Error: unlink(/home/dovecotindex/domain.com/user/mailboxes/INBOX/dovecot.index.cache) failed: No such file or directory (in mail-cache.c:28) ... 
Thanks Urban Am 09.06.2016 um 16:06 schrieb Dave: > On 02/06/2016 22:58, Timo Sirainen wrote: >> On 01 Jun 2016, at 16:48, Alessio Cecchi wrote: >>> >>> Hi, >>> >>> after the last upgrade to Dovecot 2.2.24.2 (d066a24) I see an increased number of errors "Broken MIME parts" for users in dovecot log file, here an >>> example: >>> >>> Jun 01 15:25:29 Error: imap(alessio.cecchi at skye.it): Corrupted index cache file /home/domains/skye.it/alessio.cecchi/Maildir/dovecot.index.cache: >>> Broken MIME parts for mail UID 34 in mailbox INBOX: Cached MIME parts don't match message during parsing: Cached header size mismatch >>> (parts=410000005b070000000000007b07000000000000fc0a000000000000400b0000000000000300000048000000800700000000000060000000000000006400000000000000200000000000000021000000000000000100000040000000260800000000000027000000000000002900000000000000ea00000000000000f000000000000000440000005d090000000000001e000000000000002000000000000000b308000000000000e0080000000000002d00000001000000410000007b09000000000000b208000000000000de080000000000000000000000000000000000000000000000000000) >>> >> .. >> >>> but the error reappears always (for the same UID) when I do "search" from webmail. All works fine for the users but I don't think is good to have >>> these errors in log file. >> >> If it's reproducible for a specific email, can you send me the email? > > I'm replying to this again for a couple of reasons: > > 1. I've not heard any further discussion and I accidentally replied to the wrong thread initially (oops!) > > 2. It's actually looking to become a fairly serious issue (extra 100Mb/s of network traffic, extra 10K NFS ops/sec) > > I've been seeing the same problem after upgrading from 2.2.18 to 2.2.24 with identical config. Reads from mailboxes have doubled, which looks > consistent with repeated index rebuilds. It's not got any better over time, so the indexes aren't managing to self-heal (over 1300 of these errors > today so far, for example). 
> > [2016-06-09T09:50:30+0100] imap(xxxx): Error: Corrupted index cache file /mnt/index/c69/923413/.INBOX/dovecot.index.cache: Broken MIME parts for mail > UID 74359 in mailbox INBOX: Cached MIME parts don't match message during parsing: Cached header size mismatch > (parts=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 0 000000000000000000000000000000000000000000) > > [2016-06-09T10:05:32+0100] imap(xxxx): Error: Corrupted index cache file /mnt/index/498/1603514/.INBOX/dovecot.index.cache: Broken MIME parts for mail > UID 810 in mailbox INBOX: Cached MIME parts don't match message during parsing: Cached header size mismatch > (parts=41000000dc02000000000000ef02000000000000e8060000000000001c070000000000000300000048000000fc020000000000005b000000000000005f0000000000000098000000000000009b0000000000000003000000400000001004000000000000270000000000000029000000000000000a0100000000000011010000000000004400000062050000000000001e00000000000000200000000000000020040000000000003a040000000000001a000000010000004100000080050000000000001f0400000000000038040000000000000000000000000000000000000000000000000000) > > > Again, usual force-resync of the index or deletion and recreation don't help, the same indexes keep corrupting based on certain messages. > > Checking one of the triggering emails, maildir tags for size and virtual size are correct, contains a 6 part multipart/mixed with the first part being > itself a 2 part multipart/alternative, both have different boundary ids (unfortunately I still cannot release the email itself, I'm hoping the error > will trigger on some that I can release, none so far) > From teemu.huovila at dovecot.fi Fri Jun 10 07:18:00 2016 
From: teemu.huovila at dovecot.fi (Teemu Huovila) Date: Fri, 10 Jun 2016 10:18:00 +0300 Subject: Increased errors "Broken MIME parts" in log file In-Reply-To: <575A67C0.1040507@enas.net> References: <574EE799.2070806@skye.it> <406D3729-5078-4674-B8EC-8B5F5541C6D0@iki.fi> <575A67C0.1040507@enas.net> Message-ID: <575A69A8.8060106@dovecot.fi> On 10.06.2016 10:09, Urban Loesch wrote: > Hi, > > same here on my installation. Version: Enterprise Edition: 2:2.2.24.1-2 Any chance to get some example input triggering this. Perhaps using one of the obfuscation scripts in http://dovecot.org/tools/ br, Teemu Huovila > > Some logs: > > ... > Jun 5 07:40:01 dovecot-server dovecot: imap(user at domain.com pid:27937 session:): Error: Corrupted index cache file /home/dovecotindex/domain.com/user/mailboxes/INBOX/dovecot.index.cache: Broken MIME parts for mail UID 11678 in mailbox INBOX: Cached MIME parts don't match message during parsing: Cached header size mismatch (parts=410000009f0d000000000000d90d000000000000d52f00000000000002310000000000000200000048000000e40d0000000000005c000000000000005e00000000000000000000000000000000000000000000000000000048000000580e0000000000005c000000000000005f00000000000000a52e000000000000c52f00000000000020010000) > Jun 5 07:40:01 dovecot-server dovecot: imap(user at domain.com pid:27937 session:): Error: Corrupted index cache file /home/dovecotindex/domain.com/user/mailboxes/INBOX/dovecot.index.cache: Broken MIME parts for mail UID 11694 in mailbox INBOX: Cached MIME parts don't match message during parsing: Cached header size mismatch (parts=41000000bb0d000000000000f50d000000000000e4f2000000000000a9f80000000000000200000048000000000e0000000000005c000000000000005e00000000000000000000000000000000000000000000000000000048000000740e0000000000005c000000000000005f00000000000000b4f10000000000006cf7000000000000b8050000) > > Got also this errors: > Jun 5 07:40:01 dovecot-server dovecot: imap(user at domain.com pid:27937 session:): Error: 
unlink(/home/dovecotindex/domain.com/user/mailboxes/INBOX/dovecot.index.cache) failed: No such file or directory (in mail-cache.c:28) > Jun 5 07:40:01 dovecot-server dovecot: imap(user at domain.com pid:27937 session:): Error: Corrupted index cache file /home/dovecotindex/domain.com/user/mailboxes/INBOX/dovecot.index.cache: Broken MIME parts for mail UID 11742 in mailbox INBOX: Cached MIME parts don't match message during parsing: Cached header size mismatch (parts=) > Jun 5 07:40:01 dovecot-server dovecot: imap(user at domain.com pid:27937 session:): Error: unlink(/home/dovecotindex/domain.com/user/mailboxes/INBOX/dovecot.index.cache) failed: No such file or directory (in mail-cache.c:28) > Jun 5 07:40:01 dovecot-server dovecot: imap(user at domain.com pid:27937 session:): Error: Corrupted index cache file /home/dovecotindex/domain.com/user/mailboxes/INBOX/dovecot.index.cache: Broken MIME parts for mail UID 11752 in mailbox INBOX: Cached MIME parts don't match message during parsing: Cached header size mismatch (parts=) > Jun 5 07:40:02 dovecot-server dovecot: imap(user at domain.com pid:27937 session:): Error: unlink(/home/dovecotindex/domain.com/user/mailboxes/INBOX/dovecot.index.cache) failed: No such file or directory (in mail-cache.c:28) > > ... 
> > Thanks > Urban > > > Am 09.06.2016 um 16:06 schrieb Dave: >> On 02/06/2016 22:58, Timo Sirainen wrote: >>> On 01 Jun 2016, at 16:48, Alessio Cecchi wrote: >>>> >>>> Hi, >>>> >>>> after the last upgrade to Dovecot 2.2.24.2 (d066a24) I see an increased number of errors "Broken MIME parts" for users in dovecot log file, here an >>>> example: >>>> >>>> Jun 01 15:25:29 Error: imap(alessio.cecchi at skye.it): Corrupted index cache file /home/domains/skye.it/alessio.cecchi/Maildir/dovecot.index.cache: >>>> Broken MIME parts for mail UID 34 in mailbox INBOX: Cached MIME parts don't match message during parsing: Cached header size mismatch >>>> (parts=410000005b070000000000007b07000000000000fc0a000000000000400b0000000000000300000048000000800700000000000060000000000000006400000000000000200000000000000021000000000000000100000040000000260800000000000027000000000000002900000000000000ea00000000000000f000000000000000440000005d090000000000001e000000000000002000000000000000b308000000000000e0080000000000002d00000001000000410000007b09000000000000b208000000000000de080000000000000000000000000000000000000000000000000000) >>>> >>> .. >>> >>>> but the error reappears always (for the same UID) when I do "search" from webmail. All works fine for the users but I don't think is good to have >>>> these errors in log file. >>> >>> If it's reproducible for a specific email, can you send me the email? >> >> I'm replying to this again for a couple of reasons: >> >> 1. I've not heard any further discussion and I accidentally replied to the wrong thread initially (oops!) >> >> 2. It's actually looking to become a fairly serious issue (extra 100Mb/s of network traffic, extra 10K NFS ops/sec) >> >> I've been seeing the same problem after upgrading from 2.2.18 to 2.2.24 with identical config. Reads from mailboxes have doubled, which looks >> consistent with repeated index rebuilds. 
It's not got any better over time, so the indexes aren't managing to self-heal (over 1300 of these errors >> today so far, for example). >> >> [2016-06-09T09:50:30+0100] imap(xxxx): Error: Corrupted index cache file /mnt/index/c69/923413/.INBOX/dovecot.index.cache: Broken MIME parts for mail >> UID 74359 in mailbox INBOX: Cached MIME parts don't match message during parsing: Cached header size mismatch >> (parts=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 0 > 00000000 > 0 > 000000000000000000000000000000000000000000) >> >> [2016-06-09T10:05:32+0100] imap(xxxx): Error: Corrupted index cache file /mnt/index/498/1603514/.INBOX/dovecot.index.cache: Broken MIME parts for mail >> UID 810 in mailbox INBOX: Cached MIME parts don't match message during parsing: Cached header size mismatch >> (parts=41000000dc02000000000000ef02000000000000e8060000000000001c070000000000000300000048000000fc020000000000005b000000000000005f0000000000000098000000000000009b0000000000000003000000400000001004000000000000270000000000000029000000000000000a0100000000000011010000000000004400000062050000000000001e00000000000000200000000000000020040000000000003a040000000000001a000000010000004100000080050000000000001f0400000000000038040000000000000000000000000000000000000000000000000000) >> >> >> Again, usual force-resync of the index or deletion and recreation don't help, the same indexes keep corrupting based on certain messages. >> >> Checking one of the triggering emails, maildir tags for size and virtual size are correct, contains a 6 part multipart/mixed with the first part being >> itself a 2 part multipart/alternative, both have different boundary ids (unfortunately I still cannot release the email itself, I'm hoping the error >> will trigger on some that I can release, none so far) >> From dovecot at benjaminhubert.at Fri Jun 10 09:56:05 2016 
From: dovecot at benjaminhubert.at (Benjamin) Date: Fri, 10 Jun 2016 11:56:05 +0200 Subject: postfix+dovecot and usernames different to e-mail addresses In-Reply-To: References: <73c9ba32-6dcc-81db-6c88-3e26a78ffafd@benjaminhubert.at> <357b6838-815b-d21b-7797-3aff67ca5668@benjaminhubert.at> Message-ID: <79b7fc7f-9ab6-bb09-905d-8dbb4ffa57a6@benjaminhubert.at> To me it seems that dovecot-lda is just ignoring all my LDAP configuration. I now added =mail=maildir:%{ldap:mailMessageStore}/Maildir to user_attrs, but dovecot still logs Home directory not set for user. Can't expand ~/ for mail root dir in: ~/Maildir Do I have to include the configuration somewhere else? It's only referenced in auth-ldap.conf.ext twice (passdb, userdb): root at mailtest:/etc/dovecot# grep ldap /etc/dovecot/conf.d/* conf.d/10-auth.conf:!include auth-ldap.conf.ext conf.d/auth-ldap.conf.ext: driver = ldap conf.d/auth-ldap.conf.ext: args = /etc/dovecot/dovecot-ldap.conf.ext conf.d/auth-ldap.conf.ext: driver = ldap conf.d/auth-ldap.conf.ext: args = /etc/dovecot/dovecot-ldap.conf.ext Benjamin On 06/09/2016 06:26 PM, Wolfgang Rosenauer wrote: > Hi, > > > On Thu, Jun 9, 2016 at 5:13 PM, Benjamin wrote: > >> Ok. The problem seems to be something different. I found out that even if >> I pass the real username (foo-example.com) to dovecot-lda, dovecot tells >> me >> >> Error: User initialization failed: Namespace 'INBOX.': Home directory >> not set for user. Can't expand ~/ for mail root dir in: ~/Maildir >> >> Why does dovecot find the home when accessed via IMAP, but not when >> accessed via dovecot-lda? >> >> > actually good question. I have to admit I only use LMTP and for that it > works for me. > I left out some more settings which might be important for you: > pass_attrs = uid=user > user_attrs = > uid=user,=uid=600,=gid=600,=home=/srv/dovecot/%n,suseImapQuota=quota_rule=*:storage=%{ldap:suseImapQuota}M > > since obviously the search itself it not sufficient. 
You need to make sure > that the right mailbox is addressed in the end via the uid=user > In your configuration you do not return a user at all so this can be a > problem IMHO. > From tss at iki.fi Sat Jun 11 18:29:31 2016 From: tss at iki.fi (Timo Sirainen) Date: Sat, 11 Jun 2016 21:29:31 +0300 Subject: Increased errors "Broken MIME parts" in log file In-Reply-To: <574EE799.2070806@skye.it> References: <574EE799.2070806@skye.it> Message-ID: On 01 Jun 2016, at 16:48, Alessio Cecchi wrote: > > Hi, > > after the last upgrade to Dovecot 2.2.24.2 (d066a24) I see an increased number of errors "Broken MIME parts" for users in dovecot log file, here an example: > > Jun 01 15:25:29 Error: imap(alessio.cecchi at skye.it): Corrupted index cache file /home/domains/skye.it/alessio.cecchi/Maildir/dovecot.index.cache: Broken MIME parts for mail UID 34 in mailbox INBOX: Cached MIME parts don't match message during parsing: Cached header size mismatch (parts=410000005b070000000000007b07000000000000fc0a000000000000400b0000000000000300000048000000800700000000000060000000000000006400000000000000200000000000000021000000000000000100000040000000260800000000000027000000000000002900000000000000ea00000000000000f000000000000000440000005d090000000000001e000000000000002000000000000000b308000000000000e0080000000000002d00000001000000410000007b09000000000000b208000000000000de080000000000000000000000000000000000000000000000000000) Should be fixed by https://github.com/dovecot/core/commit/1bc6f1c54b4d77830288b8cf19060bd8a6db7b27 From tss at iki.fi Sat Jun 11 18:31:04 2016 
From: tss at iki.fi (Timo Sirainen) Date: Sat, 11 Jun 2016 21:31:04 +0300 Subject: Increased errors "Broken MIME parts" in log file In-Reply-To: References: <574EE799.2070806@skye.it> Message-ID: <320B320C-A711-4787-8183-D4B42DC2EEBD@iki.fi> On 11 Jun 2016, at 21:29, Timo Sirainen wrote: > > On 01 Jun 2016, at 16:48, Alessio Cecchi wrote: >> >> Hi, >> >> after the last upgrade to Dovecot 2.2.24.2 (d066a24) I see an increased number of errors "Broken MIME parts" for users in dovecot log file, here an example: >> >> Jun 01 15:25:29 Error: imap(alessio.cecchi at skye.it): Corrupted index cache file /home/domains/skye.it/alessio.cecchi/Maildir/dovecot.index.cache: Broken MIME parts for mail UID 34 in mailbox INBOX: Cached MIME parts don't match message during parsing: Cached header size mismatch (parts=410000005b070000000000007b07000000000000fc0a000000000000400b0000000000000300000048000000800700000000000060000000000000006400000000000000200000000000000021000000000000000100000040000000260800000000000027000000000000002900000000000000ea00000000000000f000000000000000440000005d090000000000001e000000000000002000000000000000b308000000000000e0080000000000002d00000001000000410000007b09000000000000b208000000000000de080000000000000000000000000000000000000000000000000000) > > Should be fixed by https://github.com/dovecot/core/commit/1bc6f1c54b4d77830288b8cf19060bd8a6db7b27 Oh, also this is required for it: https://github.com/dovecot/core/commit/20faa69d801460e89aa0b1214f3db4b026999b1e From n0t3p4d.opensource at gmail.com Thu Jun 9 22:57:07 2016 
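Added example, not part of the thread and not Dovecot code: a decoder for the parts= value in the "Broken MIME parts" log lines quoted above, so the cached header and body sizes can be compared with the message on disk. The record layout (little-endian, 64-bit offsets, depth-first order) and the flag values are assumptions based on Dovecot's message-part serialization; the hex is the value from the Jun 01 log line, written one field per string.

```python
"""Decode the parts=<hex> value of a Dovecot "Broken MIME parts" log line."""
import struct

# Flag bits, assumed to match Dovecot's enum message_part_flags.
MULTIPART, MESSAGE_RFC822, TEXT, IS_MIME = 0x01, 0x04, 0x08, 0x40
FLAGS = {MULTIPART: "MULTIPART", MESSAGE_RFC822: "MESSAGE_RFC822",
         TEXT: "TEXT", IS_MIME: "IS_MIME"}
SIZE_FIELDS = ("header_physical_size", "header_virtual_size",
               "body_physical_size", "body_virtual_size")

# parts= value from the "Jun 01 15:25:29" log line (mail UID 34) in the thread.
CACHED_PARTS_HEX = (
    "41000000" "5b07000000000000" "7b07000000000000" "fc0a000000000000"
    "400b000000000000" "03000000"
    "48000000" "8007000000000000" "6000000000000000" "6400000000000000"
    "2000000000000000" "2100000000000000" "01000000"
    "40000000" "2608000000000000" "2700000000000000" "2900000000000000"
    "ea00000000000000" "f000000000000000"
    "44000000" "5d09000000000000" "1e00000000000000" "2000000000000000"
    "b308000000000000" "e008000000000000" "2d000000" "01000000"
    "41000000" "7b09000000000000" "b208000000000000" "de08000000000000"
    "0000000000000000" "0000000000000000" "00000000"
)


def flag_names(flags):
    """Names of the known flag bits set in flags."""
    return [name for bit, name in FLAGS.items() if flags & bit]


def decode_parts(blob):
    """Return one dict per MIME part, in the depth-first order of the blob."""
    parts = []
    pos = 0

    def take(fmt):
        nonlocal pos
        size = struct.calcsize(fmt)
        if pos + size > len(blob):
            raise ValueError("parts blob truncated at offset %d" % pos)
        (value,) = struct.unpack_from(fmt, blob, pos)
        pos += size
        return value

    def read_part(depth, is_root):
        part = {"depth": depth, "flags": take("<I")}
        # The root part starts at offset 0, so no position is stored for it.
        part["physical_pos"] = 0 if is_root else take("<Q")
        for field in SIZE_FIELDS:
            part[field] = take("<Q")
        if part["flags"] & (TEXT | MESSAGE_RFC822):
            part["body_lines"] = take("<I")
        children = 0
        if part["flags"] & (MULTIPART | MESSAGE_RFC822):
            children = take("<I")
        part["children"] = children
        parts.append(part)
        for _ in range(children):
            read_part(depth + 1, False)

    read_part(0, True)
    if pos != len(blob):
        raise ValueError("%d unexpected trailing bytes" % (len(blob) - pos))
    return parts


def format_tree(parts):
    """Render the decoded parts as an indented text tree."""
    lines = []
    for part in parts:
        lines.append("%s@%d hdr=%d body=%d children=%d %s" % (
            "  " * part["depth"], part["physical_pos"],
            part["header_physical_size"], part["body_physical_size"],
            part["children"], "|".join(flag_names(part["flags"]))))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_tree(decode_parts(bytes.fromhex(CACHED_PARTS_HEX))))
```

The header sizes printed here are what the cache recorded; the "Cached header size mismatch" error means the parser measured a different value for the same part when it re-read the message.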
From: n0t3p4d.opensource at gmail.com (N0T3P4D)
Date: Fri, 10 Jun 2016 00:57:07 +0200
Subject: sieve_extprograms: how to filter original message twice?
Message-ID:

Hi,

I use dovecot and sieve_extprograms to encrypt all incoming messages with the help of a Python script.
Now, I want to process the _original_ message a second time. However, as expected, the second filter is applied to the already filtered message.

For reference, here's a copy of the sieve script in question:

if address :matches "To" "X at Y.Z" {
    fileinto "INBOX";
    filter "gpgit.py" ["X at Y.Z", "--encrypt"];
    fileinto "encrypted";
    filter "gpgit.py" ["X at Y.Z", "--wrap"]; # Should be applied to the original message but uses the result of the first filter command
    fileinto "wrapped";
    stop;
}

Does anyone have an idea how to modify the script to get the intended result?

Please cc me, as I'm not subscribed.

Thanks for your help
Jeremias

From murray.t at dreamscapenetworks.com Fri Jun 10 00:21:03 2016
From: murray.t at dreamscapenetworks.com (Murray T. | Dreamscape) Date: Fri, 10 Jun 2016 00:21:03 +0000 Subject: Easily kick and flush dovecot cache for all dovecot mailboxes in a domain Message-ID: Hi, We are running a dovecot director cluster. We want to be able to easily kick all mailboxes in a domain off all backend mailstores. We also then want to flush the dovecot cache for all dovecot mailboxes in the domain. Is there a single command we can run on one of the front-end director mail proxies or backend mailstores that will do this instead of having to kick or flush each mailbox in a domain individually on each mailstore. Thanks Murray Trainer Regards, Murray T. Level 3 Project Manager P: +61 8 9422 0894 F: +61 8 9422 0801 www.DreamscapeNetworks.com From tss at iki.fi Sat Jun 11 22:37:58 2016 
From: tss at iki.fi (Timo Sirainen)
Date: Sun, 12 Jun 2016 01:37:58 +0300
Subject: Scalability of Dovecot in the Cloud
In-Reply-To: <46EABE42-19FC-4907-A362-6D634A56D7D6@my.walr.us>
References: <46EABE42-19FC-4907-A362-6D634A56D7D6@my.walr.us>
Message-ID: <7A46DEFD-7566-4FA4-8A6A-EA41EA8D19A5@iki.fi>

On 04 Jun 2016, at 21:28, KT Walrus wrote:
>
> Does anyone have any idea of how many IMAP connections a single cloud VM (4 vCores at 2.4GHz, 30GB RAM, local SSD storage - non-RAID) can be expected to handle in production. The mailboxes are fairly small (average 5MB total - 50MB max, as I don't store attachments in Dovecot except those saved through IMAP in the Sent/Drafts folders) and each user will probably have an average of 2 devices that have the mail clients configured to access each mailbox.
>
> Can such a server handle 100,000 mailboxes (200,000 devices/clients)? Or is it more like 10,000? Or, even smaller?
>
> I can scale the cloud VM up to 32 vCores and 240GB RAM (at 8 times the price) or split the mailboxes onto multiple VMs. The VM will also be running LMTP and other Dovecot services (I don't plan on supporting POP3 at this time). The mailboxes will be sync'd to a backup VM running Dovecot for high availability so has some load from this background activity. LMTP will not be that high a load, I think, since most messages will be delivered by at night. But, clients will have IMAP connections 24/7.
>
> Just trying to get an idea of the cost of running a potentially huge/growing mail service in the cloud? I'm going to have to support around a million mailboxes before the site will generate significant revenue to support operations.

Do you mean most of the IMAP clients will be IDLEing waiting for new mails, which mostly won't arrive until the next night? imap-hibernate feature will be very helpful there then.

Bottlenecks are commonly either the disk IO or the memory usage. With SSD you're probably less likely to run bottleneck in disk IO.
Memory usage mainly depends on the number of active (non-hibernated) concurrent connections and also the mailbox sizes of the users. I'd limit a single Dovecot VM to 64 GB of memory. Maybe more would work, but it might run into bottlenecks on the CPU usage side for services that are limited to a single process per instance. Replication with dsync is going to increase the load and I'm not sure how big of an issue that is. Anyway, if it's mostly IDLE connections, I'd expect 100k mailboxes/VM to be fine. Generally I'd expect about 10k active (non-hibernated) IMAP connections/VM for 32 GB of memory, but this depends a lot on the mailbox sizes. From kevin at my.walr.us Sat Jun 11 23:00:08 2016 
From: kevin at my.walr.us (KT Walrus) Date: Sat, 11 Jun 2016 19:00:08 -0400 Subject: Scalability of Dovecot in the Cloud In-Reply-To: <7A46DEFD-7566-4FA4-8A6A-EA41EA8D19A5@iki.fi> References: <46EABE42-19FC-4907-A362-6D634A56D7D6@my.walr.us> <7A46DEFD-7566-4FA4-8A6A-EA41EA8D19A5@iki.fi> Message-ID: <4E576C3E-B6F8-437C-9D3D-AE8352725CB9@my.walr.us> > Anyway, if it's mostly IDLE connections, I'd expect 100k mailboxes/VM to be fine. Generally I'd expect about 10k active (non-hibernated) IMAP connections/VM for 32 GB of memory, but this depends a lot on the mailbox sizes. That is great news. 100k mailboxes/VM is a great number. I do expect most IMAP clients will be IDLEing. Do almost all email clients in use today do the IDLE command? Do most email clients open many connections per mailbox? Perhaps IDLEing on multiple namespaces/folders per mailbox? Would this affect your 100k mailboxes/VM estimate? The cloud VM at 4 vCores, 30GB RAM, and local SSD storage is just $40/month (OVH Public Cloud). I had expected a cost of 10 cents per mailbox per month (with redundancies raising that cost to 25 cents per mailbox per month). But 100k mailboxes/VM would give me a total operating cost of less than 1 cent per month per mailbox, at scale. Maybe even 10 cents per year per mailbox for Public Cloud hosting fees? Does anyone on this list run a large number of mailboxes per server in production? What is the largest number of Dovecot mailboxes/client connections you supported on a single server before you had to upgrade to multiple Dovecot servers? Kevin > On Jun 11, 2016, at 6:37 PM, Timo Sirainen wrote: > > On 04 Jun 2016, at 21:28, KT Walrus > wrote: >> >> Does anyone have any idea of how many IMAP connections a single cloud VM (4 vCores at 2.4GHz, 30GB RAM, local SSD storage - non-RAID) can be expected to handle in production. 
The mailboxes are fairly small (average 5MB total - 50MB max, as I don't store attachments in Dovecot except those saved through IMAP in the Sent/Drafts folders) and each user will probably have an average of 2 devices that have the mail clients configured to access each mailbox.
>>
>> Can such a server handle 100,000 mailboxes (200,000 devices/clients)? Or is it more like 10,000? Or, even smaller?
>>
>> I can scale the cloud VM up to 32 vCores and 240GB RAM (at 8 times the price) or split the mailboxes onto multiple VMs. The VM will also be running LMTP and other Dovecot services (I don't plan on supporting POP3 at this time). The mailboxes will be sync'd to a backup VM running Dovecot for high availability so has some load from this background activity. LMTP will not be that high a load, I think, since most messages will be delivered by at night. But, clients will have IMAP connections 24/7.
>>
>> Just trying to get an idea of the cost of running a potentially huge/growing mail service in the cloud? I'm going to have to support around a million mailboxes before the site will generate significant revenue to support operations.
>
> Do you mean most of the IMAP clients will be IDLEing waiting for new mails, which mostly won't arrive until the next night? imap-hibernate feature will be very helpful there then.
>
> Bottlenecks are commonly either the disk IO or the memory usage. With SSD you're probably less likely to run bottleneck in disk IO. Memory usage mainly depends on the number of active (non-hibernated) concurrent connections and also the mailbox sizes of the users.
>
> I'd limit a single Dovecot VM to 64 GB of memory. Maybe more would work, but it might run into bottlenecks on the CPU usage side for services that are limited to a single process per instance.
>
> Replication with dsync is going to increase the load and I'm not sure how big of an issue that is.
>
> Anyway, if it's mostly IDLE connections, I'd expect 100k mailboxes/VM to be fine.
Generally I'd expect about 10k active (non-hibernated) IMAP connections/VM for 32 GB of memory, but this depends a lot on the mailbox sizes. From patrickdk at patrickdk.com Sun Jun 12 03:16:13 2016 
From: patrickdk at patrickdk.com (Patrick Domack) Date: Sat, 11 Jun 2016 23:16:13 -0400 Subject: Scalability of Dovecot in the Cloud In-Reply-To: <4E576C3E-B6F8-437C-9D3D-AE8352725CB9@my.walr.us> References: <46EABE42-19FC-4907-A362-6D634A56D7D6@my.walr.us> <7A46DEFD-7566-4FA4-8A6A-EA41EA8D19A5@iki.fi> <4E576C3E-B6F8-437C-9D3D-AE8352725CB9@my.walr.us> Message-ID: <20160611231613.Horde.dvBcrJyQSwogc8Mqbpsmc3w@mail.patrickdk.com> This will depend on many more things also. 4 vcores, of unspecified dedication to your vm is not a good thing. If you use something like gzip/bz2/lzma for compression of the emails, will highly affect your cpu usage. Searching and indexing will affect your cpu usage. Quoting KT Walrus : >> Anyway, if it's mostly IDLE connections, I'd expect 100k >> mailboxes/VM to be fine. Generally I'd expect about 10k active >> (non-hibernated) IMAP connections/VM for 32 GB of memory, but this >> depends a lot on the mailbox sizes. > > That is great news. 100k mailboxes/VM is a great number. I do expect > most IMAP clients will be IDLEing. Do almost all email clients in > use today do the IDLE command? Do most email clients open many > connections per mailbox? Perhaps IDLEing on multiple > namespaces/folders per mailbox? Would this affect your 100k > mailboxes/VM estimate? > > The cloud VM at 4 vCores, 30GB RAM, and local SSD storage is just > $40/month (OVH Public Cloud). I had expected a cost of 10 cents per > mailbox per month (with redundancies raising that cost to 25 cents > per mailbox per month). But 100k mailboxes/VM would give me a total > operating cost of less than 1 cent per month per mailbox, at scale. > Maybe even 10 cents per year per mailbox for Public Cloud hosting > fees? > > Does anyone on this list run a large number of mailboxes per server > in production? What is the largest number of Dovecot > mailboxes/client connections you supported on a single server before > you had to upgrade to multiple Dovecot servers? 
>
> Kevin
>
>> On Jun 11, 2016, at 6:37 PM, Timo Sirainen wrote:
>>
>> On 04 Jun 2016, at 21:28, KT Walrus > > wrote:
>>>
>>> Does anyone have any idea of how many IMAP connections a single
>>> cloud VM (4 vCores at 2.4GHz, 30GB RAM, local SSD storage -
>>> non-RAID) can be expected to handle in production. The mailboxes
>>> are fairly small (average 5MB total - 50MB max, as I don't store
>>> attachments in Dovecot except those saved through IMAP in the
>>> Sent/Drafts folders) and each user will probably have an average
>>> of 2 devices that have the mail clients configured to access each
>>> mailbox.
>>>
>>> Can such a server handle 100,000 mailboxes (200,000
>>> devices/clients)? Or is it more like 10,000? Or, even smaller?
>>>
>>> I can scale the cloud VM up to 32 vCores and 240GB RAM (at 8 times
>>> the price) or split the mailboxes onto multiple VMs. The VM will
>>> also be running LMTP and other Dovecot services (I don't plan on
>>> supporting POP3 at this time). The mailboxes will be sync'd to a
>>> backup VM running Dovecot for high availability so has some load
>>> from this background activity. LMTP will not be that high a load,
>>> I think, since most messages will be delivered by at night. But,
>>> clients will have IMAP connections 24/7.
>>>
>>> Just trying to get an idea of the cost of running a potentially
>>> huge/growing mail service in the cloud? I'm going to have to
>>> support around a million mailboxes before the site will generate
>>> significant revenue to support operations.
>>
>> Do you mean most of the IMAP clients will be IDLEing waiting for
>> new mails, which mostly won't arrive until the next night?
>> imap-hibernate feature will be very helpful there then.
>>
>> Bottlenecks are commonly either the disk IO or the memory usage.
>> With SSD you're probably less likely to run bottleneck in disk IO.
>> Memory usage mainly depends on the number of active
>> (non-hibernated) concurrent connections and also the mailbox sizes
>> of the users.
>> >> I'd limit a single Dovecot VM to 64 GB of memory. Maybe more would >> work, but it might run into bottlenecks on the CPU usage side for >> services that are limited to a single process per instance. >> >> Replication with dsync is going to increase the load and I'm not >> sure how big of an issue that is. >> >> Anyway, if it's mostly IDLE connections, I'd expect 100k >> mailboxes/VM to be fine. Generally I'd expect about 10k active >> (non-hibernated) IMAP connections/VM for 32 GB of memory, but this >> depends a lot on the mailbox sizes. From sven_roellig at yahoo.de Sun Jun 12 12:06:44 2016 
From: sven_roellig at yahoo.de (Sven Roellig) Date: Sun, 12 Jun 2016 12:06:44 +0000 (UTC) Subject: Unknow Imap Fatal Panic References: <246700430.2756961.1465733204884.JavaMail.yahoo.ref@mail.yahoo.com> Message-ID: <246700430.2756961.1465733204884.JavaMail.yahoo@mail.yahoo.com> Hello, when i sync an Mailbox from old Dovecot to the new Dovecot System the new dovecot Imap create an Fatal/Panic log. Error Log <5Je8ahM17oSwCVUI>: Fatal: master: service(imap): child 4670 killed with signal 6 (core dumps disabled) : Panic: file mail-index-transaction-update.c: line 803 (mail_index_ext_resize): assertion failed: (record_align != (uint16_t)-1) : Error: Raw backtrace: /usr/lib/dovecot/libdovecot.so.0(+0x8d04e) [0x7fb23526104e] -> /usr/lib/dovecot/libdovecot.so.0(+0x8d13c) [0x7fb23526113c] -> /usr/lib/dovecot/libdovecot.so.0(i_fatal+0) [0x7fb2351ffd1e] -> /usr/lib/dovecot/libdovecot-storage.so.0(mail_index_ext_resize+0x3d0) [0x7fb2355c1780] -> /usr/lib/dovecot/libdovecot-storage.so.0(mdbox_update_header+0x133) [0x7fb235545493] -> /usr/lib/dovecot/libdovecot-storage.so.0(+0x5d5bc) [0x7fb2355455bc] -> /usr/lib/dovecot/libdovecot-storage.so.0(mdbox_mailbox_create_indexes+0x10) [0x7fb235545710] -> /usr/lib/dovecot/libdovecot-storage.so.0(dbox_mailbox_create_indexes+0x93) [0x7fb235549f93] -> /usr/lib/dovecot/libdovecot-storage.so.0(+0x5d87a) [0x7fb23554587a] -> /usr/lib/dovecot/libdovecot-storage.so.0(+0xa06cc) [0x7fb2355886cc] -> /usr/lib/dovecot/libdovecot-storage.so.0(mailbox_get_metadata+0x63) [0x7fb23552d253] -> /usr/lib/dovecot/libdovecot-storage.so.0(mailbox_list_index_sync_name+0x2a7) [0x7fb2355892d7] -> /usr/lib/dovecot/libdovecot-storage.so.0(mailbox_list_index_sync+0x12c) [0x7fb2355899ec] -> /usr/lib/dovecot/libdovecot-storage.so.0(mailbox_list_index_refresh_force+0xc5) [0x7fb23558b095] -> /usr/lib/dovecot/libdovecot-storage.so.0(+0x9f571) [0x7fb235587571] -> /usr/lib/dovecot/libdovecot-storage.so.0(+0xa074f) [0x7fb23558874f] -> 
/usr/lib/dovecot/libdovecot-storage.so.0(mailbox_get_metadata+0x63) [0x7fb23552d253] -> /usr/lib/dovecot/libdovecot-storage.so.0(+0x3a43e) [0x7fb23552243e] -> /usr/lib/dovecot/libdovecot-storage.so.0(mail_user_autoexpunge+0x105) [0x7fb2355226b5] -> /usr/lib/dovecot/libdovecot-storage.so.0(mail_user_unref+0x88) [0x7fb235532838] -> dovecot/imap(+0x1b224) [0x7fb235c6a224] -> dovecot/imap(client_input+0xba) [0x7fb235c69d9a] -> /usr/lib/dovecot/libdovecot.so.0(io_loop_call_io+0x4c) [0x7fb23527508c] -> /usr/lib/dovecot/libdovecot.so.0(io_loop_handler_run_internal+0x101) [0x7fb2352764f1] -> /usr/lib/dovecot/libdovecot.so.0(io_loop_handler_run+0x25) [0x7fb235275115] -> /usr/lib/dovecot/libdovecot.so.0(io_loop_run+0x38) [0x7fb2352752b8] -> /usr/lib/dovecot/libdovecot.so.0(master_service_run+0x13) [0x7fb235206273] -> dovecot/imap(main+0x322) [0x7fb235c5cad2] dovecot -n # 2.3.0.alpha0 (90dd3c6) [XI:2:2.3.0~alpha0-1~auto+111]: /etc/dovecot/dovecot.conf # Pigeonhole version 0.5.0.alpha0 (67dfb5a) # OS: Linux 3.16.0-4-amd64 x86_64 Debian 8.5 ext4 auth_mechanisms = plain login auth_verbose_passwords = plain dict { expire = mysql:/etc/dovecot/dovecot-dict-expire.conf.ext } imap_hibernate_timeout = 10 secs lda_mailbox_autocreate = yes lda_mailbox_autosubscribe = yes login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c %k mail_gid = vmail mail_location = mdbox:/var/vmail/dovecot/mailboxes/%d/%n:INDEX=/var/vmail/dovecot/indexes/%d/%n:ALT=/var/vmail_altstorage/dovecot/mailboxes/%d/%n mail_plugins = quota zlib acl expire mail_uid = vmail namespace inbox { inbox = yes location = mailbox Archive { auto = no special_use = \Archive } mailbox Archives { auto = subscribe special_use = \Archive } mailbox Drafts { auto = subscribe special_use = \Drafts } mailbox Junk { auto = subscribe special_use = \Junk } mailbox Sent { auto = subscribe special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Spam { auto = subscribe } mailbox Trash { auto = subscribe 
autoexpunge = 10 days special_use = \Trash } mailbox name { special_use = \Drafts \Junk \Sent \Trash \Archive } prefix = } passdb { args = /etc/dovecot/dovecot-ldap.conf.ext driver = ldap } plugin { acl = vfile:/etc/dovecot/global-acls:cache_secs=300 acl_shared_dict = file:/var/vmail/dovecot/shared-mailboxes expire = Trash expire2 = Trash/* expire3 = Spam expire_cache = yes expire_dict = proxy::expire quota = dirsize:User quota quota_exceeded_message = Quota ?berschritten ..... quota_grace = 10%% quota_over_flag_value = TRUE quota_over_script = quota-warning mismatch %u quota_rule = Trash:storage=+500M quota_rule2 = Spam:storage=+500M quota_status_nouser = DUNNO quota_status_overquota = 552 5.2.2 Mailbox is over quota / Mailbox ist voll quota_status_success = DUNNO quota_warning = storage=95%% quota-warning 95 %u quota_warning2 = storage=80%% quota-warning 80 %u quota_warning3 = -storage=100%% quota-warning below %u sieve = /var/vmail/sieve/%d/%n/dovecot.sieve sieve_dir = /var/vmail/sieve/%d/%n/dovecot sieve_global_dir = /var/vmail/sieve/sieve sieve_global_path = /var/vmail/sieve/sieveglobalfilter.sieve zlib_save = lz4 zlib_save_level = 9 } protocols = " imap lmtp" service auth { unix_listener /var/spool/postfix/private/auth { group = mail mode = 0666 user = postfix } unix_listener auth-userdb { mode = 0660 } } service dict { unix_listener dict { mode = 0600 user = vmail } } service imap-hibernate { unix_listener imap-hibernate { group = vmail mode = 0600 user = vmail } } service imap-login { inet_listener imap { port = 143 } inet_listener imaps { port = 993 ssl = yes } } service lmtp { inet_listener lmtp { port = 2003 } unix_listener lmtp { mode = 0666 } } service pop3-login { inet_listener pop3 { port = 110 } inet_listener pop3s { port = 995 ssl = yes } } service quota-status { client_limit = 1 executable = quota-status -p postfix inet_listener { port = 10000 } } service quota-warning { executable = script /usr/local/bin/quota-warning.sh unix_listener 
quota-warning { group = users mode = 0666 user = vmail } user = root } ssl_cert =
References: <20160531155031.49E415A1C81@sinclaire.sibble.net> <9b3aa581-7865-96c6-792d-b987fb40cedb@rename-it.nl> <20160604171057.419415A1C81@sinclaire.sibble.net>
Message-ID:

On 4-6-2016 at 19:10, Harondel J. Sibble wrote:
> On 1 Jun 2016 at 16:49, Stephan Bosch wrote:
>
>>> I've been looking at the sieve docs and recipes, done a lot of googling but
>>> no joy so far.
>>>
>>> Using standard vacation script and that works great, however I want to
>>> exclude certain sender email addresses from ever receiving a vacation
>>> autoresponse, how do I go about adding that to my existing vacation recipe.
>>>
>>> I suspect my search terminology is what is causing me not to find anything
>>> as I typically am using exclude and similar search terms.
>> Just use the envelope test:
>>
>> https://tools.ietf.org/html/rfc5228#section-5.4
>>
>> Regards,
>>
>> Stephan.
> Any recommendations for example usage, the RFC doesn't really tell me how to use it so that the
> vacation script will not reply if the header test turns out to be true. I just want the email to be
> delivered without an autoresponse at that point.

require "envelope";
require "vacation";

if not envelope "from" "excluded at example.com" {
    vacation "I am away";
}

From stephan at rename-it.nl Mon Jun 13 16:45:25 2016
From: stephan at rename-it.nl (Stephan Bosch)
Date: Mon, 13 Jun 2016 18:45:25 +0200
Subject: Marking an entire mailbox read
In-Reply-To:
References:
Message-ID: <28abc23a-b90e-a44f-b695-f30c20a51c19@rename-it.nl>

On 1-6-2016 at 21:58, @lbutlr wrote:
> I have an archive mailbox that contains in excess of 100,000 mail messages (stored in maildir) that accidentally got marked as unread. It is too large for my mail client to select all the mail and mark it as read without throttling.
>
> Is there a simple way that I can use doveadm or something to simply mark every message in that maildir as read? Or do I just loop through every message and move it to +S?
>
> find ~/Maildir/.Archive/cur/* -type f -name "1*:2" -exec mv {} {}S \;

Probably something like this:

doveadm flags add -u bob '\Seen' mailbox dovecot

See `man doveadm flags` for more information.

Regards,

Stephan.

From stephan at rename-it.nl Mon Jun 13 16:54:12 2016
From: stephan at rename-it.nl (Stephan Bosch)
Date: Mon, 13 Jun 2016 18:54:12 +0200
Subject: Potential bug report: Cannot use ":args" option via Pigeonhole Sieve pipe plugin
In-Reply-To:
References:
Message-ID: <2b9bba9d-82b7-f8d4-6beb-7b8644669028@rename-it.nl>

On 7-6-2016 at 12:16, Zeeshan Muhammad wrote:
> It looks like pipe addon specification at
> http://hg.rename-it.nl/pigeonhole-0.2-sieve-pipe/raw-file/tip/doc/rfc/spec-bosch-sieve-pipe.txt
> notes ":args" usage is possible but the implementation source at
> https://github.com/dovecot/pigeonhole/blob/master/src/plugins/sieve-extprograms/cmd-pipe.c
> shows it was implemented as follows:
>
> pipe "sieve-pipe-example" [ "first-arg", "second-arg" ];
>
> My test sieve is now working, but I don't understand why I wasn't able to
> use ":args" format noted in the specification document.

The wiki page states that the old pipe plugin is superseded by the extprograms plugin. So, this is the correct specification:

https://github.com/dovecot/pigeonhole/blob/master/doc/rfc/spec-bosch-sieve-extprograms.txt#L233

Regards,

Stephan.

> On 7 June 2016 at 10:52, Zeeshan Muhammad
> wrote:
>
>> Hi all,
>>
>> Following the instructions noted at
>> http://wiki2.dovecot.org/Pigeonhole/Sieve/Plugins/Pipe , I am trying to
>> make use of the Pigeonhole sieve pipe plugin to execute an application with
>> custom arguments via my test sieve script:
>>
>> require ["vnd.dovecot.pipe"];
>> if address :is "to" "test at example.com" {
>>     pipe :args [ "first-arg", "second-arg" ] "sieve-pipe-example";
>> }
>>
>> I am editing my test sieve script via Mozilla Thunderbird v45.1.1 using
>> the Sieve email-client addon (v0.2.3h, see
>> https://github.com/thsmi/sieve#releases and
>> https://addons.mozilla.org/en-US/thunderbird/addon/sieve/ )
>>
>> When I attempt to save the example sieve script above, I get the following
>> error returned by ManageSieve via Mozilla Thunderbird's Sieve addon:
>>
>> "The script could not be saved:
>> Sieve mail filter: line 3: error: unknown tagged argument ':args' for the
>> pipe command (reported only once at first occurrence).
>> Sieve mail filter: error: validation failed."
>>
>> I have setup sieve-pipe-example as follows in my 90-sieve.conf
>> configuration:
>>
>> service sieve-pipe-script {
>>   executable = script /usr/bin/echo
>>   user = dovenull
>>
>>   # socket name is program-name in Sieve
>>   unix_listener sieve-pipe-example {
>>   }
>> }
>>
>> I cannot see where I am going wrong. I have combed through the
>> specification at
>> http://hg.rename-it.nl/dovecot-2.2-pigeonhole/raw-file/tip/doc/rfc/spec-bosch-sieve-extprograms.txt
>> as well as the official Dovecot/Pigeonhole wiki-pages and cannot find a
>> solution.
>>
>> If I omit the :args option (and the arguments array), the sieve script
>> successfully gets accepted by ManageSieve.
>>
>> Am I encountering a potential bug or am I doing something silly in my test
>> setup?
>> >> # Dovecot version: v2.2.24 >> # Pigeonhole version: v0.4.14 >> # Operating system: CentOS Linux release 7.2.1511 (Core) >> # CPU architecture: x86_64 >> >> # Dovecot -n output (I have filtered my IP addresses and mail server's >> FQDN): >> >> # 2.2.24 (a82c823): /usr/local/etc/dovecot/dovecot.conf >> # Pigeonhole version 0.4.14 (099a97c) >> # OS: Linux 3.10.0-327.18.2.el7.x86_64 x86_64 CentOS Linux release >> 7.2.1511 (Core) >> auth_default_realm = example.com >> base_dir = /var/run/dovecot/ >> default_login_user = vpopmail >> first_valid_uid = 500 >> info_log_path = /dev/stderr >> last_valid_uid = 500 >> lda_mailbox_autocreate = yes >> lda_mailbox_autosubscribe = yes >> log_path = /dev/stderr >> mail_debug = yes >> mail_location = maildir:~/Maildir >> mail_max_userip_connections = 20 >> mail_plugins = " fts fts_lucene" >> managesieve_notify_capability = mailto >> managesieve_sieve_capability = fileinto reject envelope encoded-character >> vacation subaddress comparator-i;ascii-numeric relational regex imap4flags >> copy include variables body enotify environment mailbox date index ihave >> duplicate mime foreverypart extracttext editheader vnd.dovecot.pipe >> namespace inbox { >> inbox = yes >> location = >> mailbox Drafts { >> special_use = \Drafts >> } >> mailbox Junk { >> special_use = \Junk >> } >> mailbox Sent { >> special_use = \Sent >> } >> mailbox "Sent Messages" { >> special_use = \Sent >> } >> mailbox Trash { >> special_use = \Trash >> } >> prefix = >> } >> passdb { >> driver = vpopmail >> } >> plugin { >> fts = lucene >> fts_autoindex = yes >> fts_lucene = whitespace_chars=@. 
>> sieve = file:~/sieve;active=~/.dovecot.sieve >> sieve_execute_socket_dir = sieve-execute >> sieve_extensions = +editheader +vnd.dovecot.pipe >> sieve_pipe_socket_dir = sieve-pipe >> sieve_plugins = sieve_extprograms >> } >> protocols = imap pop3 sieve >> service auth { >> unix_listener auth-userdb { >> group = vchkpw >> mode = 0666 >> user = vpopmail >> } >> } >> service imap-login { >> inet_listener imap { >> address = 127.0.0.1 >> port = 143 >> ssl = no >> } >> inet_listener imaps { >> address = 192.168.1.1 >> port = 993 >> ssl = yes >> } >> } >> service managesieve-login { >> inet_listener sieve { >> port = 4190 >> } >> } >> service pop3-login { >> inet_listener pop3 { >> address = 127.0.0.1 >> port = 110 >> ssl = no >> } >> inet_listener pop3s { >> address = 192.168.1.1 >> port = 995 >> ssl = yes >> } >> } >> service sieve-pipe-script { >> executable = script /usr/bin/echo >> group = dovenull >> user = dovenull >> } >> ssl_cert = > ssl_key = > ssl_protocols = !SSLv2 !SSLv3 >> userdb { >> driver = vpopmail >> } >> verbose_proctitle = yes >> protocol lda { >> hostname = mail.example.com >> info_log_path = /var/log/dovecot/dovecot-lda.log >> log_path = /var/log/dovecot/dovecot-lda-errors.log >> mail_plugins = " fts fts_lucene sieve" >> postmaster_address = postmaster at example.com >> } >> protocol imap { >> mail_plugins = " fts fts_lucene imap_zlib" >> } >> From stephan at rename-it.nl Mon Jun 13 17:09:03 2016 
From: stephan at rename-it.nl (Stephan Bosch)
Date: Mon, 13 Jun 2016 19:09:03 +0200
Subject: sieve_extprograms: how to filter original message twice?
In-Reply-To:
References:
Message-ID: <3317b0d0-86c6-5d96-ffe4-d6b11a223c68@rename-it.nl>

On 10-6-2016 at 0:57, N0T3P4D wrote:
> Hi,
>
> I use dovecot and sieve_extprograms to encrypt all incoming messages with the help of a Python script.
> Now, I want to process the _original_ message a second time. However, as expected, the second filter is applied to the already filtered message.
>
> For reference, here's a copy of the sieve script in question:
>
> if address :matches "To" "X at Y.Z" {
>     fileinto "INBOX";
>     filter "gpgit.py" ["X at Y.Z", "--encrypt"];
>     fileinto "encrypted";
>     filter "gpgit.py" ["X at Y.Z", "--wrap"]; # Should be applied to the original message but uses the result of the first filter command
>     fileinto "wrapped";
>     stop;
> }
>
> Does anyone have an idea how to modify the script to get the intended result?
>
> Please cc me, as I'm not subscribed.

The Sieve language currently has no means to manage several modified versions of a message in parallel; there is no means to revert back to an older version of a modified message.

So, unfortunately, I see no way to implement a Sieve script like this at this time :/.

The only (ugly) solution I see is to use a pipe program rather than a filter program. The pipe program will then fork and filter the e-mail twice and store it into the required folders using doveadm.

Regards,

Stephan.

From larryrtx at gmail.com Mon Jun 13 19:15:24 2016
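The pipe-program approach Stephan describes, sketched as an added example (not code from the thread or from the Dovecot project). It assumes the Sieve `pipe` action hands the message to the program on stdin, that `gpgit.py` reads stdin and writes the result to stdout, and that `doveadm save -u USER -m MAILBOX` stores a message read from stdin on the installed version; `VARIANTS`, `deliver` and the other names are hypothetical.

```python
#!/usr/bin/env python3
# Added example: filter the ORIGINAL message once per variant, then store each
# result. Commands and names are assumptions, see the lead-in.
import subprocess
import sys

USER = "X@Y.Z"  # placeholder recipient from the quoted Sieve script

# One entry per copy to store: (mailbox, filter argv or None for "unfiltered").
VARIANTS = [
    ("INBOX", None),
    ("encrypted", ["gpgit.py", USER, "--encrypt"]),
    ("wrapped", ["gpgit.py", USER, "--wrap"]),
]


def run_tool(argv, data, timeout=60):
    """Run argv (a list, never a shell string) with data on stdin; return stdout."""
    proc = subprocess.run(argv, input=data, stdout=subprocess.PIPE,
                          stderr=subprocess.PIPE, timeout=timeout)
    if proc.returncode != 0:
        detail = proc.stderr.decode(errors="replace").strip()
        raise RuntimeError("%s exited with %d: %s" % (argv[0], proc.returncode, detail))
    return proc.stdout


def build_copies(original, variants, run=run_tool):
    """Apply every filter to the same original bytes, never to a previous result."""
    copies = []
    for mailbox, filter_argv in variants:
        body = original if filter_argv is None else run(filter_argv, original)
        if not body:
            raise RuntimeError("filter for %r produced an empty message" % mailbox)
        copies.append((mailbox, body))
    return copies


def doveadm_store(mailbox, message):
    """Assumed storage step: doveadm reads the message to save from stdin."""
    run_tool(["doveadm", "save", "-u", USER, "-m", mailbox], message)


def deliver(original, variants=VARIANTS, store=doveadm_store, run=run_tool):
    """Filter first, store second: nothing is stored unless every filter succeeded."""
    copies = build_copies(original, variants, run)
    for mailbox, message in copies:
        store(mailbox, message)
    return [mailbox for mailbox, _ in copies]


if __name__ == "__main__":
    try:
        deliver(sys.stdin.buffer.read())
    except (RuntimeError, OSError, subprocess.TimeoutExpired) as exc:
        # A non-zero exit makes the failure visible to the caller.
        print("pipe program failed: %s" % exc, file=sys.stderr)
        sys.exit(1)
```

Storing through doveadm rather than through the delivery agent keeps the user's Sieve script from running again on the copies; the program still needs permission to write to that user's mailboxes.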
From: larryrtx at gmail.com (Larry Rosenman) Date: Mon, 13 Jun 2016 14:15:24 -0500 Subject: doveadm fts rescan doesn't seem(!) to find Message-ID: thebighonker.lerctr.org ~ $ doveadm fts rescan \#ARCHIVE doveadm(ler): Error: Namespace prefix not found: #ARCHIVE thebighonker.lerctr.org ~ $ doveadm fts rescan #ARCHIVE thebighonker.lerctr.org ~ $ doveadm fts rescan inbox doveadm(ler): Error: Namespace prefix not found: inbox thebighonker.lerctr.org ~ $ Doveconf -n attached. -- Larry Rosenman http://www.lerctr.org/~ler Phone: +1 214-642-9640 (c) E-Mail: larryrtx at gmail.com US Mail: 17716 Limpia Crk, Round Rock, TX 78664-7281 -------------- next part -------------- A non-text attachment was scrubbed... Name: dc.n Type: application/octet-stream Size: 4120 bytes Desc: not available URL: From larryrtx at gmail.com Mon Jun 13 19:33:36 2016 From: larryrtx at gmail.com (Larry Rosenman) Date: Mon, 13 Jun 2016 14:33:36 -0500 Subject: doveadm fts rescan doesn't seem(!) to find In-Reply-To: References: Message-ID: doveadm fts rescan \#ARCHIVE/ finds it. So, Never Mind. On Mon, Jun 13, 2016 at 2:15 PM, Larry Rosenman wrote: > thebighonker.lerctr.org ~ $ doveadm fts rescan \#ARCHIVE > doveadm(ler): Error: Namespace prefix not found: #ARCHIVE > thebighonker.lerctr.org ~ $ doveadm fts rescan #ARCHIVE > thebighonker.lerctr.org ~ $ doveadm fts rescan inbox > doveadm(ler): Error: Namespace prefix not found: inbox > thebighonker.lerctr.org ~ $ > > Doveconf -n attached. > > > > -- > Larry Rosenman http://www.lerctr.org/~ler > Phone: +1 214-642-9640 (c) E-Mail: larryrtx at gmail.com > US Mail: 17716 Limpia Crk, Round Rock, TX 78664-7281 > -- Larry Rosenman http://www.lerctr.org/~ler Phone: +1 214-642-9640 (c) E-Mail: larryrtx at gmail.com US Mail: 17716 Limpia Crk, Round Rock, TX 78664-7281 From hs at schlittermann.de Mon Jun 13 19:38:11 2016 
From: hs at schlittermann.de (Heiko Schlittermann)
Date: Mon, 13 Jun 2016 21:38:11 +0200
Subject: doveadm-server protocol change?
In-Reply-To: <518eeef9-93cc-aa3e-8bcd-f899774244dc@rename-it.nl>
References: <20160530151705.GF4691@jumper.schlittermann.de> <1264900304.1298.1464623395647@appsuite-dev.open-xchange.com> <20160530185450.GH4691@jumper.schlittermann.de> <304527445.583.1464634679358@appsuite-dev.open-xchange.com> <20160530191809.GI4691@jumper.schlittermann.de> <20160530192612.GJ4691@jumper.schlittermann.de> <1646393565.595.1464638790584@appsuite-dev.open-xchange.com> <518eeef9-93cc-aa3e-8bcd-f899774244dc@rename-it.nl>
Message-ID: <20160613193811.GF28267@jumper.schlittermann.de>

Hi Stephan,

Stephan Bosch (Wed 01 Jun 2016 13:02:24 CEST):
…

Thanks for the hint:

> The wiki should be pretty clear about this. Using Xi packages for production
> systems is a very bad idea, unless perhaps you carefully review and test it
> on another system before every update.

I'm using the ppa http://ppa.launchpad.net/patrickdk/production/ubuntu
and until now it works fine.

Best regards from Dresden/Germany
Many greetings from Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -

From nick.bright at valnet.net Mon Jun 13 23:55:36 2016
From: nick.bright at valnet.net (Nick Bright)
Date: Mon, 13 Jun 2016 18:55:36 -0500
Subject: Advice on once a day message delivery setup
In-Reply-To: <20160609073637.Horde.-eXYx89fwFT6HmiGkvG9phZ@webmail.no-carrier.info>
References: <20160609073637.Horde.-eXYx89fwFT6HmiGkvG9phZ@webmail.no-carrier.info>
Message-ID:

On 6/9/2016 12:36 AM, Marc Stürmer wrote:
> Quoting KT Walrus :
>
>> Just looking for any advice? I kind of like the idea of modeling my
>> mail service after the US Post Office where the mailman delivers new
>> mail once a day rather than like Twitter/Facebook where messages are
>> posted in real time to encourage users to monitor their boxes
>> throughout the day.
>
> This is not going to work. People are used and do consider email
> delivery instantly to themselves, that's what they expect.
>
> Breaking this thing will only give you a major disadvantage in your
> field of competition and some major headache, as well.

Several studies have indicated that this actually improves worker productivity and reduces stress; there could be very valid use cases (mostly in business) in which this may be desired.

http://www.fastcompany.com/3040361/work-smart/the-science-behind-why-constantly-checking-your-email-is-making-you-crazy
http://www.fastcompany.com/3030999/work-smart/what-i-learned-from-checking-email-only-twice-a-day
https://cogzest.com/2015/06/try-as-you-might-does-checking-email-less-frequently-reduce-stress/
http://www.forbes.com/sites/francesbooth/2015/01/23/stop-checking-email-so-often-and-reduce-your-stress/#1f90ad1f33f1

--
-----------------------------------------------
- Nick Bright -
- Vice President of Technology -
- Valnet -=- We Connect You -=- -
- Tel 888-332-1616 x 315 / Fax 620-331-0789 -
- Web http://www.valnet.net/ -
-----------------------------------------------
- Are your files safe? -
- Valnet Vault - Secure Cloud Backup -
- More information & 30 day free trial at -
- http://www.valnet.net/services/valnet-vault -
-----------------------------------------------

From listas.correo at yahoo.es Tue Jun 14 10:50:44 2016
From: listas.correo at yahoo.es (mailing lists)
Date: Tue, 14 Jun 2016 10:50:44 +0000 (UTC)
Subject: Alternate Storage and quota limits
References: <1271429235.4756644.1465901444981.JavaMail.yahoo.ref@mail.yahoo.com>
Message-ID: <1271429235.4756644.1465901444981.JavaMail.yahoo@mail.yahoo.com>

Hi all,

is there any way of excluding messages stored in alternate storage (*dbox mailbox format) from being included in the quota usage? I think this is not possible but let me ask.

From leon at f-m.fm Tue Jun 14 13:34:50 2016
From: leon at f-m.fm (Leon Kyneur)
Date: Tue, 14 Jun 2016 21:34:50 +0800
Subject: Double variable expansion / multiple password mechanisms
Message-ID: <576007FA.5060604@f-m.fm>

Hi,

Trying to solve the problem of supporting multiple auth mechanisms + proxy and really don't want to store user passwords in plain text and fine to do master user to backend.

I had the crazy thought I could do something like the following:

For each user Store supported password schemes as LDAP attributes:
userPasswordCRAM-MD5: {CRAM-MD5}xxx
userPasswordDIGEST-MD5: {DIGEST-MD5}xxxx
userPasswordSCRAM: {SCRAM-SHA-1}xxxx
userPasswordNTLM: {NTLM}xxxx

then:
=password=%{ldap:userPassword%m} <- Though this doesn't work.. just wondering if it could possibly work or if I should give up on this crazy idea :)

Thanks

Leon

From heiken at luis.uni-hannover.de Tue Jun 14 14:40:05 2016
From: heiken at luis.uni-hannover.de (Karsten Heiken)
Date: Tue, 14 Jun 2016 16:40:05 +0200
Subject: Double variable expansion / multiple password mechanisms
In-Reply-To: <576007FA.5060604@f-m.fm>
References: <576007FA.5060604@f-m.fm>
Message-ID:

Hi Leon,

> I had the crazy thought I could do something like the following:
>
> For each user Store supported password schemes as LDAP attributes:
> userPasswordCRAM-MD5: {CRAM-MD5}xxx
> userPasswordDIGEST-MD5: {DIGEST-MD5}xxxx
> userPasswordSCRAM: {SCRAM-SHA-1}xxxx
> userPasswordNTLM: {NTLM}xxxx

You should be able to add multiple userPassword attributes to your directory:

userPassword: {CRAM-MD5}xxx
userPassword: {DIGEST-MD5}xxxx
userPassword: {SCRAM-SHA-1}xxxx
userPassword: {NTLM}xxxx

Karsten

From rrosenfeld at netcologne.de Tue Jun 14 15:02:17 2016
From: rrosenfeld at netcologne.de (Roland Rosenfeld) Date: Tue, 14 Jun 2016 17:02:17 +0200 Subject: shutdown_clients has no effect on doveadm stop Message-ID: <20160614150217.GA18713@sys-241.netcologne.de> I try to restart dovecot 2.2.24 (for changing limits) without killing all IMAP and POP3 sessions. dovecot(1) tells me: When shutdown_clients is set to no, existing sessions will continue to use the old settings, after a dovecot reload. Also all sessions will keep alive after a dovecot stop. By default all active sessions will be shut down. According to my "dovecot -n" (see below), I have set "shutdown_clients=no", so "doveadm stop" should keep my open sessions. But if I try this out with a simple telnet to port 143 during "doveadm stop", I see the following: $ telnet imap 143 Connected to imap. Escape character is '^]'. * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready. a login user at example.com XXXXX a OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE QUOTA ACL RIGHTS=texk] Logged in * BYE Server shutting down. Connection closed by foreign host. The "BYE Server shutting down." happens exactly at the time, when I press return after "doveadm stop", "systemctl stop dovecot", or "systemctl restart dovecot" in the other shell. Only "systemctl reload dovecot" keeps the open sessions healthy. So it seems that either the man page is wrong, or shutdown_clients=no has no effect after dovecot stop... 
Greetings Roland dovecot -n # 2.2.24 (a82c823): /etc/dovecot/dovecot.conf # Pigeonhole version 0.4.14 (099a97c) # OS: Linux 3.16.0-4-amd64 x86_64 Debian 8.5 auth_cache_negative_ttl = 5 mins auth_cache_size = 100 M auth_cache_ttl = 15 mins auth_default_realm = netcologne.de auth_master_user_separator = * auth_mechanisms = plain login auth_verbose = yes dict { acl = mysql:/etc/dovecot/dovecot-dict-sql.conf } disable_plaintext_auth = no listen = * log_timestamp = "%Y-%m-%d %H:%M:%S " mail_fsync = always mail_gid = 999 mail_location = maildir:~/mail mail_plugins = acl quota zlib mail_uid = 999 managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapflags mmap_disable = yes namespace { list = children location = maildir:%%h/mail:INDEX=~/mail/shared/%%u prefix = shared/%%u/ separator = / subscriptions = no type = shared } namespace inbox { inbox = yes location = prefix = separator = / type = private } passdb { args = /etc/dovecot/passwd.master driver = passwd-file master = yes pass = yes } passdb { args = /etc/dovecot/dovecot-sql.conf driver = sql } plugin { acl = vfile acl_shared_dict = proxy::acl quota = maildir sieve = ~/.dovecot.sieve sieve_dir = ~/mail/sieve sieve_extensions = +imapflags zlib_save = gz } pop3_no_flag_updates = yes pop3_uidl_format = %v.%u protocols = imap pop3 sieve service auth { unix_listener auth-master { group = vmail mode = 0600 user = vmail } } service dict { unix_listener dict { group = vmail mode = 0600 user = vmail } } service imap { process_limit = 4000 } service managesieve-login { inet_listener sieve { port = 4190 } } service managesieve { process_limit = 100 } service pop3 { process_limit = 1000 } shutdown_clients = no ssl = no syslog_facility = local2 userdb { args = 
/etc/dovecot/dovecot-sql.conf driver = sql } verbose_proctitle = yes protocol imap { mail_max_userip_connections = 10 mail_plugins = acl quota zlib imap_quota imap_acl } protocol pop3 { mail_plugins = acl quota zlib } From leon at f-m.fm Tue Jun 14 15:04:51 2016 
From: leon at f-m.fm (Leon Kyneur)
Date: Tue, 14 Jun 2016 23:04:51 +0800
Subject: Double variable expansion / multiple password mechanisms
In-Reply-To:
References: <576007FA.5060604@f-m.fm>
Message-ID: <57601D13.4050304@f-m.fm>

Hi Karsten,

> You should be able to add multiple userPassword attributes to your directory:
>
> userPassword: {CRAM-MD5}xxx
> userPassword: {DIGEST-MD5}xxxx
> userPassword: {SCRAM-SHA-1}xxxx
> userPassword: {NTLM}xxxx
>
>
> Karsten

Did try this, didn't end well.

Jun 14 12:59:43 auth: Error: ldap(leonkyneur at itest.com,192.168.99.3,): Multiple password values not supported
Jun 14 12:59:43 auth: Panic: file passdb-ldap.c: line 99 (ldap_lookup_finish): assertion failed: (password == NULL || scheme != NULL)
Jun 14 12:59:43 auth: Error: Raw backtrace: /usr/lib64/dovecot/libdovecot.so.0(+0x8699e) [0x7f0233cd499e] -> /usr/lib64/dovecot/libdovecot.so.0(+0x86a7e) [0x7f0233cd4a7e] -> /usr/lib64/dovecot/libdovecot.so.0(i_fatal+0) [0x7f0233c78b3d] -> /usr/lib64/dovecot/auth/libauthdb_ldap.so(+0x720b) [0x7f022f4f020b] -> /usr/lib64/dovecot/auth/libauthdb_ldap.so(+0x5e2f) [0x7f022f4eee2f] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_call_io+0x4c) [0x7f0233ce821c] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_handler_run_internal+0xff) [0x7f0233ce967f] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_handler_run+0x25) [0x7f0233ce82a5] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_run+0x38) [0x7f0233ce8458] -> /usr/lib64/dovecot/libdovecot.so.0(master_service_run+0x13) [0x7f0233c7f013] -> dovecot/auth [0 wait, 1 passdb, 0 userdb](main+0x39c) [0x7f023418a46c] -> /lib64/libc.so.6(__libc_start_main+0xf5) [0x7f0233264b15] -> dovecot/auth [0 wait, 1 passdb, 0 userdb](+0xf661) [0x7f023418a661]
Jun 14 12:59:43 auth: Fatal: master: service(auth): child 48169 killed with signal 6 (core dumps disabled)
Jun 14 12:59:43 imap-login: Warning: Auth connection closed with 1 pending requests (max 0 secs, pid=48164, EOF)

From aki.tuomi at dovecot.fi Tue Jun 14 15:08:08 2016
From: aki.tuomi at dovecot.fi (aki.tuomi at dovecot.fi) Date: Tue, 14 Jun 2016 18:08:08 +0300 (EEST) Subject: shutdown_clients has no effect on doveadm stop In-Reply-To: <20160614150217.GA18713@sys-241.netcologne.de> References: <20160614150217.GA18713@sys-241.netcologne.de> Message-ID: <2103902071.371.1465916889972@appsuite-dev.open-xchange.com> > On June 14, 2016 at 6:02 PM Roland Rosenfeld wrote: > > > I try to restart dovecot 2.2.24 (for changing limits) without killing > all IMAP and POP3 sessions. > > dovecot(1) tells me: > When shutdown_clients is set to no, existing sessions will continue to > use the old settings, after a dovecot reload. Also all sessions will > keep alive after a dovecot stop. > By default all active sessions will be shut down. > > According to my "dovecot -n" (see below), I have set > "shutdown_clients=no", so "doveadm stop" should keep my open > sessions. > > But if I try this out with a simple telnet to port 143 during > "doveadm stop", I see the following: > > $ telnet imap 143 > Connected to imap. > Escape character is '^]'. > * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready. > a login user at example.com XXXXX > a OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE QUOTA ACL RIGHTS=texk] Logged in > * BYE Server shutting down. > Connection closed by foreign host. > > The "BYE Server shutting down." happens exactly at the time, when I > press return after "doveadm stop", "systemctl stop dovecot", or > "systemctl restart dovecot" in the other shell. Only > "systemctl reload dovecot" keeps the open sessions healthy. 
> > So it seems that either the man page is wrong, or shutdown_clients=no > has no effect after dovecot stop... > > Greetings > Roland > Are you using systemd by chance? --- Aki Tuomi From heiken at luis.uni-hannover.de Tue Jun 14 15:15:32 2016 From: heiken at luis.uni-hannover.de (Karsten Heiken) Date: Tue, 14 Jun 2016 17:15:32 +0200 Subject: Double variable expansion / multiple password mechanisms In-Reply-To: <57601D13.4050304@f-m.fm> References: <576007FA.5060604@f-m.fm> <57601D13.4050304@f-m.fm> Message-ID: <57601F94.5080805@luis.uni-hannover.de> Hi Leon, >> You should be able to add multiple userPassword attributes to your directory: >> >> userPassword: {CRAM-MD5}xxx >> userPassword: {DIGEST-MD5}xxxx >> userPassword: {SCRAM-SHA-1}xxxx >> userPassword: {NTLM}xxxx > > Did try this, didn't end end well. > > Jun 14 12:59:43 auth: Error: ldap(leonkyneur at itest.com,192.168.99.3,): Multiple password values not supported > [...] Huh. You're right, I'm sorry. A few days ago I tried just that - adding a second userPassword to my LDAP and got this result: > dovecot: auth: Warning: ldap(x,127.0.0.1,): Multiple values found for 'password', using value '{SSHA}yaddayadda' Turns out there is still only one password tried, not all of them - which was working as intended on this occasion. But have you tried to authenticate using auth_bind? Maybe that is possible with your LDAP setup. If you were using auth_bind = yes, then Dovecot shouldn't care about the passwords stored in LDAP. http://wiki2.dovecot.org/AuthDatabase/LDAP/AuthBinds This of course only works for passdb lookups. From leon at f-m.fm Tue Jun 14 15:26:09 2016 
From: leon at f-m.fm (Leon Kyneur) Date: Tue, 14 Jun 2016 23:26:09 +0800 Subject: Double variable expansion / multiple password mechanisms In-Reply-To: <57601F94.5080805@luis.uni-hannover.de> References: <576007FA.5060604@f-m.fm> <57601D13.4050304@f-m.fm> <57601F94.5080805@luis.uni-hannover.de> Message-ID: <57602211.5060109@f-m.fm> On 14/06/16 23:15, Karsten Heiken wrote: > Hi Leon, > >>> You should be able to add multiple userPassword attributes to your directory: >>> >>> userPassword: {CRAM-MD5}xxx >>> userPassword: {DIGEST-MD5}xxxx >>> userPassword: {SCRAM-SHA-1}xxxx >>> userPassword: {NTLM}xxxx >> Did try this, didn't end end well. >> >> Jun 14 12:59:43 auth: Error: ldap(leonkyneur at itest.com,192.168.99.3,): Multiple password values not supported >> [...] > Huh. You're right, I'm sorry. > > A few days ago I tried just that - adding a second userPassword to my LDAP and got this result: >> dovecot: auth: Warning: ldap(x,127.0.0.1,): Multiple values found for 'password', using value '{SSHA}yaddayadda' > Turns out there is still only one password tried, not all of them - which was working as intended on this occasion. > > But have you tried to authenticate using auth_bind? Maybe that is possible with your LDAP setup. > If you were using auth_bind = yes, then Dovecot shouldn't care about the passwords stored in LDAP. > > http://wiki2.dovecot.org/AuthDatabase/LDAP/AuthBinds > > This of course only works for passdb lookups. Auth bind wont work here as if they auth with encrypted password it can't bind to ldap with it. and get a lot of these: auth: Info: ldap(leonkyneur,192.168.99.3,<7Rr1lj41tJzLhgGR>): Requested DIGEST-MD5 scheme, but we have a NULL password From rrosenfeld at netcologne.de Tue Jun 14 15:31:29 2016 
From: rrosenfeld at netcologne.de (Roland Rosenfeld)
Date: Tue, 14 Jun 2016 17:31:29 +0200
Subject: shutdown_clients has no effect on doveadm stop
In-Reply-To: <2103902071.371.1465916889972@appsuite-dev.open-xchange.com>
References: <20160614150217.GA18713@sys-241.netcologne.de> <2103902071.371.1465916889972@appsuite-dev.open-xchange.com>
Message-ID: <20160614153129.GB18713@sys-241.netcologne.de>

Hi Aki!

On Tue, 14 Jun 2016, aki.tuomi at dovecot.fi wrote:

> Are you using systemd by chance?

Yes, with the default dovecot.service file provided with 2.2.24:

$ systemctl cat dovecot
# /lib/systemd/system/dovecot.service
# This file is part of Dovecot
#
# If you want to pass additionally command line options to the dovecot
# binary, create the file:
# `/etc/systemd/system/dovecot.service.d/service.conf'.
# In this file create a Service section and configure an Environment with
# the variable `OPTIONS'. For example:
#
# [Service]
# Environment='OPTIONS=-p'
#
# In the `Service' section you may also specify various other setting.
# If you have trouble with `Too many open files' you may set:
#LimitNOFILE=8192
#
# If you want to allow the Dovecot services to produce core dumps, use:
#LimitCORE=infinity

[Unit]
Description=Dovecot IMAP/POP3 email server
Documentation=man:dovecot(1)
Documentation=http://wiki2.dovecot.org/
After=local-fs.target network.target

[Service]
Type=forking
ExecStart=/opt/dovecot/sbin/dovecot
PIDFile=/var/run/dovecot/master.pid
ExecReload=/opt/dovecot/bin/doveadm reload
ExecStop=/opt/dovecot/bin/doveadm stop
PrivateTmp=true
NonBlocking=yes
# Enable this if your systemd is new enough to support it:
#ProtectSystem=full

[Install]
WantedBy=multi-user.target

# /etc/systemd/system/dovecot.service.d/override.conf
[Service]
LimitNOFILE=22000

Greetings
Roland

From listas.correo at yahoo.es Tue Jun 14 15:56:54 2016
From: listas.correo at yahoo.es (mailing lists)
Date: Tue, 14 Jun 2016 15:56:54 +0000 (UTC)
Subject: Alternate Storage and quota limits
References: <1013210938.5228612.1465919814216.JavaMail.yahoo.ref@mail.yahoo.com>
Message-ID: <1013210938.5228612.1465919814216.JavaMail.yahoo@mail.yahoo.com>

Hi all,

is there any way of excluding messages stored in alternate storage (*dbox mailbox format) from being included in the quota usage? I think this is not possible but let me ask.

From rrosenfeld at netcologne.de Tue Jun 14 16:20:23 2016
From: rrosenfeld at netcologne.de (Roland Rosenfeld)
Date: Tue, 14 Jun 2016 18:20:23 +0200
Subject: shutdown_clients has no effect on doveadm stop
In-Reply-To: <2103902071.371.1465916889972@appsuite-dev.open-xchange.com>
References: <20160614150217.GA18713@sys-241.netcologne.de> <2103902071.371.1465916889972@appsuite-dev.open-xchange.com>
Message-ID: <20160614162023.GC18713@sys-241.netcologne.de>

On Tue, 14 Jun 2016, aki.tuomi at dovecot.fi wrote:

> Are you using systemd by chance?

I did some more testing, stopped dovecot via systemd, started it manually via /opt/dovecot/sbin/dovecot, stopped it via "doveadm stop" and this time the IMAP connection stayed active.

So it seems to be systemd, which killed the IMAP connection :-(

After reading systemd.kill(5), it seems that

[Service]
KillMode=none

in /etc/systemd/system/dovecot.service.d/override.conf does what I expect. It only runs "doveadm stop" on "systemctl stop dovecot" and "systemctl restart dovecot", but doesn't terminate all processes from the dovecot control-group as the default does.

But I'm not sure, whether this implies new problems on shutting down the system, because the IMAP/POP3 connections aren't terminated on dovecot shutdown any more.

Greetings
Roland

From kremels at kreme.com Tue Jun 14 22:50:08 2016
From: kremels at kreme.com (@lbutlr)
Date: Tue, 14 Jun 2016 16:50:08 -0600
Subject: Mail dates
Message-ID: <6041A995-8E8F-4607-B0D0-2FFA0F3875A7@kreme.com>

Where exactly does dovecot get the date that it reports via IMAP?

I have a lot of messages that were restored from an archive and so all have the same date, despite being over the span over several years. I tried setting the timestamps of the files to the date in the Received header, but that didn't seem to make any difference to what my IMAP clients see.

Do I have to rename the files to the right epoch seconds in order for dovecot to show the right dates to the IMAP clients?

… It seems I've been here before, but I don't remember the solution …

--
'What is this thing, anyway?' said the Dean, inspecting the implement in his hands. 'It's called a shovel', said the Senior Wrangler. 'I've seen the gardeners use them. You stick the sharp end in the ground. Then it gets a bit technical.' --Reaper Man

From paul at enlund.co.uk Tue Jun 14 22:50:53 2016
From: paul at enlund.co.uk (Paul) Date: Tue, 14 Jun 2016 23:50:53 +0100 Subject: Upgrade to 2.2.9 breaks sasl auth Message-ID: Hi This is my 1st time here so please be gentle. I have encountered one problem since upgrading from 2.0.19 to 2.2.9 which has me beat. The system provides sasl auth services via inet to a postfix 2.11 system. Since the upgrade postfix complains of no sasl methods available. The same dovecot configuration is used on both versions. Now I get these results looking at the inet connection Version 2.0.19 root at larch:~# telnet 192.168.3.15 12345 Trying 192.168.3.15... Connected to 192.168.3.15. Escape character is '^]'. VERSION 1 1 MECH PLAIN plaintext MECH LOGIN plaintext MECH CRAM-MD5 dictionary active SPID 23223 CUID 1 COOKIE d0b71942d48585303f9ae4681baabf87 DONE Version 2.2.9 root at larch:~# telnet 192.168.3.112 12345 Trying 192.168.3.112... Connected to 192.168.3.112. Escape character is '^]'. VERSION 1 1 SPID 5300 Seems be something lacking in the response from 2.2.9 that fits the "no sasl methods" response from postfix I believe I should supply root at larchvm:/etc/dovecot-sasl# dovecot -n -c dovecot.conf # 2.2.9: dovecot.conf # OS: Linux 3.13.0-88-generic i686 Ubuntu 14.04.4 LTS auth_mechanisms = plain login cram-md5 auth_verbose_passwords = plain base_dir = /var/run/dovecot-sasl/ disable_plaintext_auth = no instance_name = sasl mail_chroot = /chroot/mail mail_location = maildir:~/Maildir mail_plugins = quota managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacati on subaddress comparator-i;ascii-numeric relational regex imap4flags copy includ e variables body enotify environment mailbox date ihave namespace { inbox = yes location = prefix = INBOX. 
type = private } passdb { args = /etc/dovecot-sasl/dovecot-sqlmd5.conf driver = sql } plugin { deleted_to_trash_folder = Trash quota = maildir:User quota quota:noenforcing quota_rule = Trash:ignore sieve = ~/.dovecot.sieve sieve_dir = ~/sieve } service auth { inet_listener auth-userdb { address = 192.168.3.112 port = 12345 ssl = yes } unix_listener /var/spool/postfix/private/auth { mode = 0666 } unix_listener auth-userdb { mode = 0600 } } service imap-login { inet_listener imap { address = 213.210.16.65 port = 143 } inet_listener imaps { address = 213.210.16.65 port = 993 ssl = yes } } service managesieve-login { inet_listener sieve { address = 213.210.16.65 port = 4190 } } ssl_cert = Dear All, Is it possible to make quota rules under $HOME/Maildir/* mailboxes with a specific command such as 'edquota' when the first email arrives at the $HOME/Maildir/{new,cur,tmp} of a user. In the below example, the is the one who gets an email for the first time. edquota -p ---man edquot--- -p, --prototype=protoname Duplicate the quotas of the prototypical user specified for each user specified. This is the normal mechanism used to initialize quotas for groups of users. --- To configure quotas in postfix/dovecot environment, it seems that you need to use dovecot-lda plugin, and then my exact question is as follows: Is it possible to automatically run any commands or scripts in order to set a quota rule to $HOME/Maildir/* mailboxes when users receive an email for the first time? I just found the post-login service allows you to execute scripts after authentication in the following URL, but I have not found the exact way to make it. http://www.dovecot.org/list/dovecot/2009-November/044279.html Any comments/suggestions would be greatly appreciated. -- Masaharu Kawada From aki.tuomi at dovecot.fi Wed Jun 15 08:04:53 2016 
From: aki.tuomi at dovecot.fi (aki.tuomi at dovecot.fi)
Date: Wed, 15 Jun 2016 11:04:53 +0300 (EEST)
Subject: Upgrade to 2.2.9 breaks sasl auth
In-Reply-To:
References:
Message-ID: <1631913834.427.1465977894443@appsuite-dev.open-xchange.com>

> On June 15, 2016 at 1:50 AM Paul wrote:
>
>
> Hi
> This is my 1st time here so please be gentle.
>
> I have encountered one problem since upgrading from 2.0.19 to 2.2.9
> which has me beat.
> The system provides sasl auth services via inet to a postfix 2.11 system.
> Since the upgrade postfix complains of no sasl methods available.
> The same dovecot configuration is used on both versions.
> Now I get these results looking at the inet connection
>
> Version 2.0.19
> root at larch:~# telnet 192.168.3.15 12345
> Trying 192.168.3.15...
> Connected to 192.168.3.15.
> Escape character is '^]'.
> VERSION 1 1
> MECH PLAIN plaintext
> MECH LOGIN plaintext
> MECH CRAM-MD5 dictionary active
> SPID 23223
> CUID 1
> COOKIE d0b71942d48585303f9ae4681baabf87
> DONE
>
> Version 2.2.9
> root at larch:~# telnet 192.168.3.112 12345
> Trying 192.168.3.112...
> Connected to 192.168.3.112.
> Escape character is '^]'.
> VERSION 1 1
> SPID 5300
>
> Seems be something lacking in the response from 2.2.9 that fits the "no
> sasl methods" response from postfix
>

have you checked doveadm log errors

---
Aki Tuomi

From yacinechaouche at yahoo.com Wed Jun 15 10:36:02 2016
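The two handshakes quoted in the message above can be compared mechanically. This is an added example, not code from the thread or from Dovecot: it parses an auth-listener greeting and reports what a SASL client such as Postfix would find missing. The function and class names are hypothetical, and the transcripts are re-typed from the quoted telnet sessions (the wire format separates fields with TABs, which the parser also accepts).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed from the two telnet sessions quoted in the thread.
HANDSHAKE_2_0_19 = """\
VERSION 1 1
MECH PLAIN plaintext
MECH LOGIN plaintext
MECH CRAM-MD5 dictionary active
SPID 23223
CUID 1
COOKIE d0b71942d48585303f9ae4681baabf87
DONE
"""
HANDSHAKE_2_2_9 = """\
VERSION 1 1
SPID 5300
"""


@dataclass
class Handshake:
    version: Optional[Tuple[int, int]] = None
    mechanisms: Dict[str, Set[str]] = field(default_factory=dict)  # name -> flags
    spid: Optional[str] = None
    cuid: Optional[str] = None
    cookie: Optional[str] = None
    done: bool = False


def parse_handshake(text: str) -> Handshake:
    """Parse the server greeting line by line; unknown lines are ignored."""
    hs = Handshake()
    for line in text.splitlines():
        fields = line.split()  # handles TAB-separated and pasted (space) forms
        if not fields:
            continue
        cmd, args = fields[0], fields[1:]
        if cmd == "VERSION" and len(args) >= 2 and all(a.isdigit() for a in args[:2]):
            hs.version = (int(args[0]), int(args[1]))
        elif cmd == "MECH" and args:
            hs.mechanisms[args[0].upper()] = set(args[1:])
        elif cmd == "SPID" and args:
            hs.spid = args[0]
        elif cmd == "CUID" and args:
            hs.cuid = args[0]
        elif cmd == "COOKIE" and args:
            hs.cookie = args[0]
        elif cmd == "DONE":
            hs.done = True
            break
    return hs


def problems(hs: Handshake, required=()) -> List[str]:
    """List what is missing from the greeting for a SASL client to use it."""
    out = []
    if hs.version is None:
        out.append("no VERSION line: not an auth handshake")
    if not hs.mechanisms:
        out.append("no MECH lines: the listener advertises no SASL mechanisms")
    else:
        missing = [m for m in required if m.upper() not in hs.mechanisms]
        if missing:
            out.append("required mechanisms not offered: " + ", ".join(missing))
    if hs.cuid is None or hs.cookie is None:
        out.append("no CUID/COOKIE: client connection parameters were not sent")
    if not hs.done:
        out.append("no DONE: the greeting did not complete")
    return out


def plaintext_mechanisms(hs: Handshake) -> List[str]:
    """Mechanisms flagged 'plaintext', which expose the password on an unencrypted link."""
    return sorted(name for name, flags in hs.mechanisms.items() if "plaintext" in flags)


if __name__ == "__main__":
    for label, text in (("2.0.19", HANDSHAKE_2_0_19), ("2.2.9", HANDSHAKE_2_2_9)):
        hs = parse_handshake(text)
        print(label, sorted(hs.mechanisms), problems(hs), plaintext_mechanisms(hs))
```

Run against the 2.2.9 greeting, the check reports the absent MECH, CUID/COOKIE and DONE lines, which matches the "no sasl methods" complaint; on the 2.0.19 greeting it also shows that PLAIN and LOGIN are offered on a TCP listener.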
From: yacinechaouche at yahoo.com (chaouche yacine)
Date: Wed, 15 Jun 2016 10:36:02 +0000 (UTC)
Subject: quota rules for mail users
In-Reply-To: <57609F4B.1090100@redhat.com>
References: <57609F4B.1090100@redhat.com>
Message-ID: <1153815724.3400203.1465986962360.JavaMail.yahoo@mail.yahoo.com>

I personally use courier's maildirmake, which is a real binary unlike dovecot's maildirmake which is a thin bash wrapper around the linux mkdir command. Courier's maildirmake on the other hand has this nice -q option that lets you specify a quota, at creation time or afterwards.

I'm using it in a script like this :

root at messagerie[CHROOT][10.10.10.20] ~/SCRIPTS/MAIL # cat setupquota.single

if [[ "$#" = 0 ]]
then
    echo "usage : $0 boite at domain.com [quota en megas]"
    exit 1
fi

quota=$((1024*1024*1024)) # 1 GB
inbox="${1%@*}"
maildir="/var/vmail/example.domain/$inbox"
backup="/var/vmail/backup.example.domain/$inbox"

if [[ "$#" = 2 ]]
then
    quota=$((1024*1024*$2))
fi

function set_quota {
    local quota="$1"
    local dst="$2"
    echo maildirmake.courier -q "$quota"S "$dst"
    maildirmake.courier -q "$quota"S "$dst"
    echo chown vmail:vmail -R "$dst"
    chown vmail:vmail -R "$dst"
}

set_quota "$quota" "$maildir"
quota=$(( 1024 * 1024 * 1024 * 5 )) # 5 GB
set_quota "$quota" "$backup"
echo "-------------------------------------------------------------------------"
root at messagerie[CHROOT][10.10.10.20] ~/SCRIPTS/MAIL #

And use it like this :

root at messagerie[CHROOT][10.10.10.19] ~/SCRIPTS/MAIL # ./setupquota.single h.messamri at example.domain 1024

From: "mkawada at redhat.com"
To: dovecot at dovecot.org
Sent: Wednesday, June 15, 2016 1:20 AM
Subject: quota rules for mail users

Dear All,

Is it possible to make quota rules under $HOME/Maildir/* mailboxes with a specific command such as 'edquota' when the first email arrives at the $HOME/Maildir/{new,cur,tmp} of a user. In the below example, the is the one who gets an email for the first time.

edquota -p

---man edquot---
-p, --prototype=protoname
Duplicate the quotas of the prototypical user specified for each user specified. This is the normal mechanism used to initialize quotas for groups of users.
---

To configure quotas in postfix/dovecot environment, it seems that you need to use dovecot-lda plugin, and then my exact question is as follows:

Is it possible to automatically run any commands or scripts in order to set a quota rule to $HOME/Maildir/* mailboxes when users receive an email for the first time? I just found the post-login service allows you to execute scripts after authentication in the following URL, but I have not found the exact way to make it.

http://www.dovecot.org/list/dovecot/2009-November/044279.html

Any comments/suggestions would be greatly appreciated.

--
Masaharu Kawada

From paul at enlund.co.uk Wed Jun 15 11:40:45 2016
From: paul at enlund.co.uk (Paul) Date: Wed, 15 Jun 2016 12:40:45 +0100 Subject: Upgrade to 2.2.9 breaks sasl auth In-Reply-To: <1631913834.427.1465977894443@appsuite-dev.open-xchange.com> References: <1631913834.427.1465977894443@appsuite-dev.open-xchange.com> Message-ID: <85d7e475-72b6-1794-ec7c-16fd791ec779@enlund.co.uk> Hi On 15/06/2016 09:04, aki.tuomi at dovecot.fi wrote: >> On June 15, 2016 at 1:50 AM Paul wrote: >> >> >> Hi >> This is my 1st time here so please be gentle. >> >> I have encountered one problem since upgrading from 2.0.19 to 2.2.9 >> which has me beat. >> The system provides sasl auth services via inet to a postfix 2.11 system. >> Since the upgrade postfix complains of no sasl methods available. >> The same dovecot configuration is used on both versions. >> Now I get these results looking at the inet connection >> >> Version 2.0.19 >> root at larch:~# telnet 192.168.3.15 12345 >> Trying 192.168.3.15... >> Connected to 192.168.3.15. >> Escape character is '^]'. >> VERSION 1 1 >> MECH PLAIN plaintext >> MECH LOGIN plaintext >> MECH CRAM-MD5 dictionary active >> SPID 23223 >> CUID 1 >> COOKIE d0b71942d48585303f9ae4681baabf87 >> DONE >> >> Version 2.2.9 >> root at larch:~# telnet 192.168.3.112 12345 >> Trying 192.168.3.112... >> Connected to 192.168.3.112. >> Escape character is '^]'. 
>> VERSION 1 1 >> SPID 5300 >> >> Seems be something lacking in the response from 2.2.9 that fits the "no >> sasl methods" response from postfix >> > have you checked > > doveadm log errors > > --- > Aki Tuomi > I had not so here they are root at larch:/var/log# doveadm log errors ( no output) root at larch:/var/log# doveadm -D log errors doveadm(root): Debug: Loading modules from directory: /usr/lib/dovecot/modules doveadm(root): Debug: Module loaded: /usr/lib/dovecot/modules/lib10_quota_plugin .so doveadm(root): Debug: Loading modules from directory: /usr/lib/dovecot/modules/d oveadm doveadm(root): Debug: Skipping module doveadm_acl_plugin, because dlopen() faile d: /usr/lib/dovecot/modules/doveadm/lib10_doveadm_acl_plugin.so: undefined symbo l: acl_user_module (this is usually intentional, so just ignore this message) doveadm(root): Debug: Skipping module doveadm_expire_plugin, because dlopen() fa iled: /usr/lib/dovecot/modules/doveadm/lib10_doveadm_expire_plugin.so: undefined symbol: expire_set_deinit (this is usually intentional, so just ignore this mes sage) doveadm(root): Debug: Module loaded: /usr/lib/dovecot/modules/doveadm/lib10_dove adm_quota_plugin.so doveadm(root): Debug: Module loaded: /usr/lib/dovecot/modules/doveadm/lib10_dove adm_sieve_plugin.so doveadm(root): Debug: Skipping module doveadm_fts_plugin, because dlopen() faile d: /usr/lib/dovecot/modules/doveadm/lib20_doveadm_fts_plugin.so: undefined symbo l: fts_backend_rescan (this is usually intentional, so just ignore this message) A note if I change postfix to use the unix socket defined in the same service auth section that the inet listener is defined in postfix sasl auth works fine. Stiil getting short response to telnet connection to sasl inet port compared to 2.0.19 response Paul From paul at enlund.co.uk Wed Jun 15 14:29:58 2016 
From: paul at enlund.co.uk (Paul) Date: Wed, 15 Jun 2016 15:29:58 +0100 Subject: Upgrade to 2.2.9 breaks sasl auth Resolved In-Reply-To: <1631913834.427.1465977894443@appsuite-dev.open-xchange.com> References: <1631913834.427.1465977894443@appsuite-dev.open-xchange.com> Message-ID: <0d19d1c0-c583-f16d-caa5-d19dab11ecf5@enlund.co.uk> Hi Sorted.... After reading changelog of latest sources and noting comments about corrected problems with inet_listener I made the following change which resolved the short response from the sasl inet socket as seen with telnet inet_listener auth-userdb { address = 192.168.3.112 port = 12345 ssl = yes } to inet_listener { address = 192.168.3.112 port = 12345 ssl = yes } or inet_listener auth-inet { address = 192.168.3.112 port = 12345 ssl = yes } seems auth-userdb as a name screws something. auth sasl over inet socket no working 100% ok Paul On 15/06/2016 09:04, aki.tuomi at dovecot.fi wrote: >> On June 15, 2016 at 1:50 AM Paul wrote: >> >> >> Hi >> This is my 1st time here so please be gentle. >> >> I have encountered one problem since upgrading from 2.0.19 to 2.2.9 >> which has me beat. >> The system provides sasl auth services via inet to a postfix 2.11 system. >> Since the upgrade postfix complains of no sasl methods available. >> The same dovecot configuration is used on both versions. >> Now I get these results looking at the inet connection >> >> Version 2.0.19 >> root at larch:~# telnet 192.168.3.15 12345 >> Trying 192.168.3.15... >> Connected to 192.168.3.15. >> Escape character is '^]'. >> VERSION 1 1 >> MECH PLAIN plaintext >> MECH LOGIN plaintext >> MECH CRAM-MD5 dictionary active >> SPID 23223 >> CUID 1 >> COOKIE d0b71942d48585303f9ae4681baabf87 >> DONE >> >> Version 2.2.9 >> root at larch:~# telnet 192.168.3.112 12345 >> Trying 192.168.3.112... >> Connected to 192.168.3.112. >> Escape character is '^]'. 
>> VERSION 1 1
>> SPID 5300
>>
>> Seems be something lacking in the response from 2.2.9 that fits the "no
>> sasl methods" response from postfix
>>
> have you checked
>
> doveadm log errors
>
> ---
> Aki Tuomi
>

From jcblanco at fi.upm.es Wed Jun 15 15:25:37 2016
From: jcblanco at fi.upm.es (Juan C. Blanco)
Date: Wed, 15 Jun 2016 17:25:37 +0200
Subject: Building Dovecot 2.2.24 GIT HEAD version
Message-ID: <072e01a2-29d6-d451-0c58-f3e11e696f63@fi.upm.es>

Hello,

I'm testing the last GIT (master-2.2) version of dovecot 2.2 but I'm not able to build new rpm packages with our SPEC file on Centos 5.11.

The problem seems to be with a new lib-dcrypt library, the file "src/lib-dcrypt/dcrypt-openssl.c" includes the file "openssl/ec.h" but the OpenSSL devel package included in Centos 5.11 is openssl-devel-0.9.8e-40.el5_11 that does not contain the "openssl/ec.h" file.

I don't know if the next dovecot 2.2 release (derived from 2.2.24 GIT) will not be compatible with Centos 5.11 or if it will be necessary to install some optional openssl packages.

Regards.

--
+-------------------------------------------------------------------+
| Juan C. Blanco                                                    |
|                                                                   |
|  Centro de Calculo                 |                              |
|  E.T.S. Ingenieros Informáticos    | E-mail: jcblanco at fi.upm.es |
|  Universidad Politécnica de Madrid |                              |
|  Campus de Montegancedo            |                              |
|  Boadilla del Monte                | Tel.: (+34) 91 336 7466      |
|  28660 MADRID (Spain)              | Fax : (+34) 91 336 6913      |
+-------------------------------------------------------------------+

From tanstaafl at libertytrek.org Wed Jun 15 15:44:07 2016
From: tanstaafl at libertytrek.org (Tanstaafl) Date: Wed, 15 Jun 2016 11:44:07 -0400 Subject: Mail dates In-Reply-To: <6041A995-8E8F-4607-B0D0-2FFA0F3875A7@kreme.com> References: <6041A995-8E8F-4607-B0D0-2FFA0F3875A7@kreme.com> Message-ID: On 6/14/2016 6:50 PM, @lbutlr wrote: > Where exactly does dovecot get the date that it reports via IMAP? This is a problem with how you restored the files. On a linux system, you should use something like rsync -a to preserve the original date/times... From n0t3p4d.opensource at gmail.com Wed Jun 15 16:12:52 2016 
From: n0t3p4d.opensource at gmail.com (N0T3P4D) Date: Wed, 15 Jun 2016 18:12:52 +0200 Subject: sieve_extprograms: how to filter original message twice? In-Reply-To: <3317b0d0-86c6-5d96-ffe4-d6b11a223c68@rename-it.nl> References: <3317b0d0-86c6-5d96-ffe4-d6b11a223c68@rename-it.nl> Message-ID: <5d5876d8-c8d2-e392-8572-9d3047366fe5@gmail.com> On 06/13/16 19:09, Stephan Bosch wrote: > > > Op 10-6-2016 om 0:57 schreef N0T3P4D: >> Hi, >> >> I use dovecot and sieve_extprograms to encrypt all incoming messages with the help of a Python script. >> Now, I want to process the _original_ message a second time. However, as expected, the second filter is applied to the already filtered message. >> >> For reference, here's a copy of the sieve script in question: >> >> if address :matches "To" "X at Y.Z" { >> fileinto "INBOX"; >> filter "gpgit.py" ["X at Y.Z", "--encrypt"]; >> fileinto "encrypted"; >> filter "gpgit.py" ["X at Y.Z", "--wrap"]; # Should be applied to the original message but uses the result of the first filter command >> fileinto "wrapped"; >> stop; >> } >> >> Does anyone have an idea how to modify the script to get the intended result? >> >> Please cc me, as I'm not subscribed. > > The Sieve language currently has no means to manage several modified versions of a message in parallel; there is no means to revert back to an older version of a modified message. > So, unfortunately, I see no way to implement a Sieve script like this at this time :/. > > The only (ugly) solution I see is to use a pipe program rather than a filter program. The pipe program will then fork and filter the e-mail twice and store it into the required > folders using doveadm. > > Regards, > > Stephan. Hi Stephan, thanks for the suggestion - I've implemented it and it seems to works as expected! As I couldn't find out how to store the message using doveadm, I use LMTP. If anyone is interested, see [1]. In contrast to other solutions such as [2], the message gets encrypted twice. 
Once in the usual way as in [2], which may break DKIM and possibly other things like signatures, but is compatible with normal mail clients such as K-9 Mail, which now supports PGP/MIME in the alpha version. The second time, the whole message is encrypted as-is (including headers and so on) and then stored in the body of the original message, replacing it. When fetching the message with getmail to my local dovecot inbox, the original message gets decrypted and restored, preserving the DKIM signature and so on (of course, you could also use sieve). This is especially useful if you use a plugin like DKIM verifier for Thunderbird [3] (thanks to Robert Schetterer for the hint in the sys4.de blog). Regards Jeremias [1] https://github.com/N0T3P4D/gpg-filter [2] https://perot.me/encrypt-specific-incoming-emails-using-dovecot-and-sieve [3] https://addons.mozilla.org/de/thunderbird/addon/dkim-verifier/ From kremels at kreme.com Wed Jun 15 16:30:37 2016 From: kremels at kreme.com (@lbutlr) Date: Wed, 15 Jun 2016 10:30:37 -0600 Subject: Mail dates In-Reply-To: References: <6041A995-8E8F-4607-B0D0-2FFA0F3875A7@kreme.com> Message-ID: <0A8A1BA9-2F29-4087-AAFC-5A39EC281C99@kreme.com> On Jun 15, 2016, at 9:44 AM, Tanstaafl wrote: > On 6/14/2016 6:50 PM, @lbutlr wrote: >> Where exactly does dovecot get the date that it reports via IMAP? > > This is a problem with how you restored the files. > > On a linux system, you should use something like rsync -a to preserve > the original date/times? The original emails were in box files, so that was not the issue. -- Worlds of belief, she [Susan] thought. Just like oysters. A little piece of shit gets in and then a pearl grows around it. --Hogfather From tanstaafl at libertytrek.org Wed Jun 15 16:46:07 2016 
From: tanstaafl at libertytrek.org (Tanstaafl)
Date: Wed, 15 Jun 2016 12:46:07 -0400
Subject: Mail dates
In-Reply-To: <0A8A1BA9-2F29-4087-AAFC-5A39EC281C99@kreme.com>
References: <6041A995-8E8F-4607-B0D0-2FFA0F3875A7@kreme.com> <0A8A1BA9-2F29-4087-AAFC-5A39EC281C99@kreme.com>
Message-ID:

On 6/15/2016 12:30 PM, @lbutlr wrote:
> On Jun 15, 2016, at 9:44 AM, Tanstaafl wrote:
>> On 6/14/2016 6:50 PM, @lbutlr wrote:
>>> Where exactly does dovecot get the date that it reports via IMAP?
>>
>> This is a problem with how you restored the files.
>>
>> On a linux system, you should use something like rsync -a to preserve
>> the original date/times...
> The original emails were in box files, so that was not the issue.

How were they restored?

From mail at aaron-mueller.de Mon Jun 13 06:38:14 2016
From: mail at aaron-mueller.de (Aaron Müller)
Date: Mon, 13 Jun 2016 08:38:14 +0200
Subject: Multiple ACTIVE Sieve scripts
Message-ID:

Hi!

Is there a reason the email filter sieve can only activate one single script?

> list
"mailinglists.sieve"
"spam.sieve" ACTIVE
> activate mailinglists.sieve
> list
"mailinglists.sieve" ACTIVE
"spam.sieve"
>

I can't see the logic here ... I am doing something wrong?
Aaron

From larryrtx at gmail.com Wed Jun 15 17:45:50 2016
From: larryrtx at gmail.com (Larry Rosenman)
Date: Wed, 15 Jun 2016 12:45:50 -0500
Subject: Multiple ACTIVE Sieve scripts
In-Reply-To:
References:
Message-ID:

I have a "master" script that includes all my other snippets. And each file can have MULTIPLE scripts. Let me know if you need more info.

Also, mail to you (Aaron) BOUNCES:

Delivery to the following recipient failed permanently:

mail at aaron-mueller.de

Technical details of permanent failure:
Google tried to deliver your message, but it was rejected by the server for the recipient domain aaron-mueller.de by mail.aaron-mueller.de. [37.120.190.162].

The error that the other server returned was:
554 5.7.1 : Relay access denied

On Wed, Jun 15, 2016 at 12:43 PM, Larry Rosenman wrote:
> I have a "master" script that includes all my other snippets. And
> each file can have MULTIPLE scripts. Let me know if you need more
> info.
>
>
> On 6/13/16, Aaron Müller wrote:
> > Hi!
> >
> > Is there a reason the email filter sieve can only activate one single
> > script?
> >
> >> list
> > "mailinglists.sieve"
> > "spam.sieve" ACTIVE
> >> activate mailinglists.sieve
> >> list
> > "mailinglists.sieve" ACTIVE
> > "spam.sieve"
> >>
> >
> > I can't see the logic here ... I am doing something wrong?
> > Aaron
> >
>
>
> --
> Larry Rosenman http://www.lerctr.org/~ler
> Phone: +1 214-642-9640 (c) E-Mail: larryrtx at gmail.com
> US Mail: 17716 Limpia Crk, Round Rock, TX 78664-7281
>

--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 (c) E-Mail: larryrtx at gmail.com
US Mail: 17716 Limpia Crk, Round Rock, TX 78664-7281

From pi at lab2000-linux.homepc.it Wed Jun 15 20:26:38 2016
From: pi at lab2000-linux.homepc.it (Maurizio Dall'Acqua) Date: Wed, 15 Jun 2016 22:26:38 +0200 Subject: tlsv1 alert unknown ca: SSL alert number 48 Message-ID: <20160615202638.GA28902@lab2000-linux.homepc.it> Hi, I have set up a mail server with postfix+dovecot 2.2.13 on my raspberry pi running Raspbian Jassie OS. Now I would like to add an on-line e-mail client like Squirrelmail or Roundcube. I was able to start up these two clients but when I try to login I get this error message in the dovecot log: tlsv1 alert unknown ca: SSL alert number 48 But I have inserted the self-signed certificate and key in /etc/dovecot/conf.d/10-master.conf Moreover, I can send and receive e-mails from/to my server, and I can login successfully to dovecot IMAP with Thunderbird. Can somebody give me a clue on how to solve this problem? Any help would me much appreciated. Regards, Maurizio From gedalya at gedalya.net Wed Jun 15 21:48:32 2016 
From: gedalya at gedalya.net (Gedalya) Date: Wed, 15 Jun 2016 17:48:32 -0400 Subject: tlsv1 alert unknown ca: SSL alert number 48 In-Reply-To: <20160615202638.GA28902@lab2000-linux.homepc.it> References: <20160615202638.GA28902@lab2000-linux.homepc.it> Message-ID: On 06/15/2016 04:26 PM, Maurizio Dall'Acqua wrote: > Hi, > > I have set up a mail server with postfix+dovecot 2.2.13 on my raspberry pi > running Raspbian Jassie OS. > > Now I would like to add an on-line e-mail client like Squirrelmail or > Roundcube. I was able to start up these two clients but when I try to login > I get this error message in the dovecot log: > > tlsv1 alert unknown ca: SSL alert number 48 > > But I have inserted the self-signed certificate and key in > /etc/dovecot/conf.d/10-master.conf > > Moreover, I can send and receive e-mails from/to my server, and I can login > successfully to dovecot IMAP with Thunderbird. > > Can somebody give me a clue on how to solve this problem? Any help would me much > appreciated. > > Regards, > Maurizio This could mean that the client has indicated it was unable to verify the server's certificate. With regards to Roundcube, see this in config/defaults.inc.php: //$config['imap_conn_options'] = array( // 'ssl' => array( // 'verify_peer' => true, // 'verify_depth' => 3, // 'cafile' => '/etc/openssl/certs/ca.crt', // ), // ); From mkawada at redhat.com Thu Jun 16 04:40:24 2016 
From: mkawada at redhat.com (mkawada at redhat.com) Date: Thu, 16 Jun 2016 13:40:24 +0900 Subject: quota rules for mail users In-Reply-To: <1153815724.3400203.1465986962360.JavaMail.yahoo@mail.yahoo.com> References: <57609F4B.1090100@redhat.com> <1153815724.3400203.1465986962360.JavaMail.yahoo@mail.yahoo.com> Message-ID: <57622DB8.7070201@redhat.com> Yachine-san, I very much appreciate you giving me the very useful information on my question. Masaharu Kawada On 2016?06?15? 19:36, chaouche yacine wrote: > I personnaly use courier's maildirmake, which is a real binary unlike dovecote's maildirmake which is a thin bash wrapper around the linux mkdir command. Courier's maildirmake on the other hand has this nice -q option that let you specify a quota, at creation time of afterwards. > > I'm using it in a script like this : > > root at messagerie[CHROOT][10.10.10.20] ~/SCRIPTS/MAIL # cat setupquota.single > > if [[ "$#" = 0 ]] > then > echo "usage : $0 boite at domain.com [quota en megas]" > exit 1 > fi > > quota=$((1024*1024*1024)) #1Go > inbox="${1%@*}" > maildir="/var/vmail/example.domain/$inbox" > backup="/var/vmail/backup.example.domain/$inbox" > > if [[ "$#" = 2 ]] > then > quota=$((1024*1024*$2)) > fi > > > > function set_quota { > local quota="$1" > local dst="$2" > echo maildirmake.courier -q "$quota"S "$dst" > maildirmake.courier -q "$quota"S "$dst" > echo chown vmail:vmail -R "$dst" > chown vmail:vmail -R "$dst" > } > > set_quota "$quota" "$maildir" > quota=$(( 1024 * 1024 * 1024 * 5 )) # 5Go > set_quota "$quota" "$backup" > echo "-------------------------------------------------------------------------" > root at messagerie[CHROOT][10.10.10.20] ~/SCRIPTS/MAIL # > > > And use it like this : > > root at messagerie[CHROOT][10.10.10.19] ~/SCRIPTS/MAIL # ./setupquota.single h.messamri at example.domain 1024 
> > > > > From: "mkawada at redhat.com" > To: dovecot at dovecot.org > Sent: Wednesday, June 15, 2016 1:20 AM > Subject: quota rules for mail users > > Dear All, > > Is it possible to make quota rules under $HOME/Maildir/* mailboxes with > a specific command such as 'edquota' when the first email arrives at the > $HOME/Maildir/{new,cur,tmp} of a user. In the below example, the > is the one who gets an email for the first time. > > &?"edquota -p > > ---man edquot--- > -p, --prototype=protoname > Duplicate the quotas of the prototypical user specified for each user > specified. This is the normal mechanism used to initialize quotas for > groups of users. > --- > > To configure quotas in postfix/dovecot environment, it seems that you > need to use dovecot-lda plugin, and then my exact question is as follows: > > Is it possible to automatically run any commands or scripts in order to > set a quota rule to $HOME/Maildir/* mailboxes when users receive an > email for the first time? I just found the post-login service allows you > to execute scripts after authentication in the following URL, but I have > not found the exact way to make it. > > http://www.dovecot.org/list/dovecot/2009-November/044279.html > > Any comments/suggestions would be greatly appreciated. > -- Masaharu Kawada From mkawada at redhat.com Thu Jun 16 07:01:10 2016 
From: mkawada at redhat.com (mkawada at redhat.com) Date: Thu, 16 Jun 2016 16:01:10 +0900 Subject: quota rules for mail users In-Reply-To: <57622DB8.7070201@redhat.com> References: <57609F4B.1090100@redhat.com> <1153815724.3400203.1465986962360.JavaMail.yahoo@mail.yahoo.com> <57622DB8.7070201@redhat.com> Message-ID: <57624EB6.5000601@redhat.com> Yacine-san, Oops, excuse me that I mistyped your name. Once again, thanks a million Yacine-san. Masaharu Kawada On 2016?06?16? 13:40, mkawada at redhat.com wrote: > Yachine-san, > > I very much appreciate you giving me the very useful information on my > question. > > Masaharu Kawada > > On 2016?06?15? 19:36, chaouche yacine wrote: >> I personnaly use courier's maildirmake, which is a real binary unlike >> dovecote's maildirmake which is a thin bash wrapper around the linux >> mkdir command. Courier's maildirmake on the other hand has this nice >> -q option that let you specify a quota, at creation time of afterwards. >> >> I'm using it in a script like this : >> >> root at messagerie[CHROOT][10.10.10.20] ~/SCRIPTS/MAIL # cat >> setupquota.single >> >> if [[ "$#" = 0 ]] >> then >> echo "usage : $0 boite at domain.com [quota en megas]" >> exit 1 >> fi >> >> quota=$((1024*1024*1024)) #1Go >> inbox="${1%@*}" >> maildir="/var/vmail/example.domain/$inbox" >> backup="/var/vmail/backup.example.domain/$inbox" >> >> if [[ "$#" = 2 ]] >> then >> quota=$((1024*1024*$2)) >> fi >> >> >> >> function set_quota { >> local quota="$1" >> local dst="$2" >> echo maildirmake.courier -q "$quota"S "$dst" >> maildirmake.courier -q "$quota"S "$dst" >> echo chown vmail:vmail -R "$dst" >> chown vmail:vmail -R "$dst" >> } >> >> set_quota "$quota" "$maildir" >> quota=$(( 1024 * 1024 * 1024 * 5 )) # 5Go >> set_quota "$quota" "$backup" >> echo >> "-------------------------------------------------------------------------" >> root at messagerie[CHROOT][10.10.10.20] ~/SCRIPTS/MAIL # >> >> >> And use it like this : >> >> root at 
messagerie[CHROOT][10.10.10.19] ~/SCRIPTS/MAIL # >> ./setupquota.single h.messamri at example.domain 1024 >> >> >> >> >> From: "mkawada at redhat.com" >> To: dovecot at dovecot.org >> Sent: Wednesday, June 15, 2016 1:20 AM >> Subject: quota rules for mail users >> Dear All, >> >> Is it possible to make quota rules under $HOME/Maildir/* mailboxes with >> a specific command such as 'edquota' when the first email arrives at the >> $HOME/Maildir/{new,cur,tmp} of a user. In the below example, the >> is the one who gets an email for the first time. >> >> &?"edquota -p >> >> ---man edquot--- >> -p, --prototype=protoname >> Duplicate the quotas of the prototypical user specified for each user >> specified. This is the normal mechanism used to initialize quotas for >> groups of users. >> --- >> >> To configure quotas in postfix/dovecot environment, it seems that you >> need to use dovecot-lda plugin, and then my exact question is as >> follows: >> >> Is it possible to automatically run any commands or scripts in order to >> set a quota rule to $HOME/Maildir/* mailboxes when users receive an >> email for the first time? I just found the post-login service allows you >> to execute scripts after authentication in the following URL, but I have >> not found the exact way to make it. >> >> http://www.dovecot.org/list/dovecot/2009-November/044279.html >> >> Any comments/suggestions would be greatly appreciated. >> > > -- Masaharu Kawada From dovecot-ml at makomi.de Thu Jun 16 07:41:00 2016 
From: dovecot-ml at makomi.de (M. Koehler)
Date: Thu, 16 Jun 2016 09:41:00 +0200
Subject: sieve-extprograms: How to hand over a variable or pipe a mail so a shell script?
In-Reply-To: <8646a2f3-bfec-5a9e-d48b-4f8a930d8b99@makomi.de>
References: <8646a2f3-bfec-5a9e-d48b-4f8a930d8b99@makomi.de>
Message-ID: <9227b40f-960d-10be-7860-953a0469b214@makomi.de>

Hi,

did nobody has any suggestions?! I'm still stucking :(.

Best regards,
Michael

> I'm just playing around with sieve-extprograms but it didn't works
> like I think. I want
>
> a. execute a shell script that get the subject as parameter
>
> my try:
>
> require ["fileinto","variables","envelope","vnd.dovecot.execute"];
> if header :contains "Subject" "123test"
> {
>     execute :input "${1}" "exec-test";
>     keep;
> }
>
> and
>
> require ["fileinto","variables","envelope","vnd.dovecot.execute"];
> if header :contains "Subject" "123test"
> {
>     execute "exec-test" "${1}";
>     keep;
> }
>
> The shell script will create a file with $1 as text. But I didn't get
> any output - the created file is empty
>
> b. later the complete mail should piped to the shell script
>
> require ["fileinto","variables","envelope","vnd.dovecot.execute"];
> if header :contains "Subject" "123test"
> {
>     execute :pipe "exec-test";
>     keep;
> }
>
> This should (as
> http://hg.rename-it.nl/dovecot-2.2-pigeonhole/raw-file/tip/doc/rfc/spec-bosch-sieve-extprograms.txt
> described) hand over the complete mail to the script But I don't know
> how I handle the complete mail with a shell script? I think the mail
> will not hand over as a parameter to the shell script, right? But how
> should I store the mail into a file or should I pipe it through a sed
> command line (and so one) into a shell script?

From pi at lab2000-linux.homepc.it Thu Jun 16 18:43:02 2016
From: pi at lab2000-linux.homepc.it (Maurizio Dall'Acqua) Date: Thu, 16 Jun 2016 20:43:02 +0200 Subject: tlsv1 alert unknown ca: SSL alert number 48 In-Reply-To: References: <20160615202638.GA28902@lab2000-linux.homepc.it> Message-ID: <20160616184302.GA31787@lab2000-linux.homepc.it> I think that you are right when you say that the problem may be the certificate recognition. As for Roundcube, I've inserted the uncommented php code that you provided in /usr/share/roundcube/main.inc.php.dist, which is the Raspbian file for /config/defaults.inc.php. Unfortunately Roundcube doesn't login and replies with the message "connection to storage server failed". And the log file of dovecot gives the reason: unknown certificate. In order to solve this problem do you think that I should look into the configuration file of Squirrelmail/Roundcube or in the config file of Dovecot? On Wed, Jun 15, 2016 at 05:48:32PM -0400, Gedalya wrote: > On 06/15/2016 04:26 PM, Maurizio Dall'Acqua wrote: > > Hi, > > > > I have set up a mail server with postfix+dovecot 2.2.13 on my raspberry pi > > running Raspbian Jassie OS. > > > > Now I would like to add an on-line e-mail client like Squirrelmail or > > Roundcube. I was able to start up these two clients but when I try to login > > I get this error message in the dovecot log: > > > > tlsv1 alert unknown ca: SSL alert number 48 > > > > But I have inserted the self-signed certificate and key in > > /etc/dovecot/conf.d/10-master.conf > > > > Moreover, I can send and receive e-mails from/to my server, and I can login > > successfully to dovecot IMAP with Thunderbird. > > > > Can somebody give me a clue on how to solve this problem? Any help would me much > > appreciated. > > > > Regards, > > Maurizio > > This could mean that the client has indicated it was unable to verify the server's certificate. 
> > With regards to Roundcube, see this in config/defaults.inc.php: > > //$config['imap_conn_options'] = array( > // 'ssl' => array( > // 'verify_peer' => true, > // 'verify_depth' => 3, > // 'cafile' => '/etc/openssl/certs/ca.crt', > // ), > // ); > > From dovecot-e51 at deemzed.uk Thu Jun 16 19:49:31 2016 From: dovecot-e51 at deemzed.uk (Dave) Date: Thu, 16 Jun 2016 20:49:31 +0100 Subject: Recipient delimiter and lmtp proxying Message-ID: Hi, I'm attempting to proxy lmtp using director to hash to the same backend as pop3/imap. My pop3/imap users are of the form: username and my lmtp users are of the form: Where domain is fairly redundant but does carry some useful information. Now, I can proxy lmtp using user=%{username} and destuser=%{orig_user}, and this all appears to work correctly. However, if I also try to pass a detail part through to the backend the lmtp users now take the form: I can still use user=%{username} with recipient_delimiter = +, and the detail is correctly stripped, hashing works as expected. However, I can no longer use destuser=%{orig_user} Because recipient_delimiter = +, destuser becomes: And the detail part never reaches the backend. There doesn't appear to be any variables suitable for the destuser expansion - %{auth_user} is unsupported (UNSUPPORTED_VARIABLE_auth_user) on override_fields and in the sql passdb driver. Is there any "correct" way to do this? I can think of a couple of approaches that may work, but both seem like hacks to me: 1. Unset recipient_delimiter and manually strip the detail from the username in the passdb lookup. 2. Give up on passing detail via the login and instead pass the detail via a message header to sieve. Any thoughts/suggestions? -- Dave From matthias at familie-sitte.org Thu Jun 16 19:55:57 2016 
From: matthias at familie-sitte.org (Dr. Matthias Sitte)
Date: Thu, 16 Jun 2016 21:55:57 +0200
Subject: tlsv1 alert unknown ca: SSL alert number 48
In-Reply-To: <20160616184302.GA31787@lab2000-linux.homepc.it>
References: <20160615202638.GA28902@lab2000-linux.homepc.it> <20160616184302.GA31787@lab2000-linux.homepc.it>
Message-ID: <2b4279174947db6a06fcfa93fef093d1@familie-sitte.org>

I recently came across the same problem after upgrading Debian. Under Wheezy Roundcube was working fine, but under Jessie I had to tweak it a bit.

The error you describe below is probably related to the fact that you "just uncommented" the values, telling Roundcube to use '/etc/openssl/certs/ca.crt' as CA file which, I guess, doesn't exist on your server.

Try the following settings instead:

$config['imap_conn_options'] = array(
    'ssl' => array(
        'verify_peer' => false,
        'verify_peer_name' => false,
    ),
);

If Roundcube refuses to send mail, then add the following settings, too:

$config['smtp_conn_options'] = array(
    'ssl' => array(
        'verify_peer' => false,
        'verify_peer_name' => false,
    ),
);

Cheers,
Matthias

On 2016-06-16 20:43, Maurizio Dall'Acqua wrote:
> I think that you are right when you say that the problem may be the
> certificate recognition.
>
> As for Roundcube, I've inserted the uncommented php code that you
> provided
> in /usr/share/roundcube/main.inc.php.dist, which is the Raspbian file
> for
> /config/defaults.inc.php. Unfortunately Roundcube doesn't login and
> replies
> with the message "connection to storage server failed". And the log
> file
> of dovecot gives the reason: unknown certificate.
>
> In order to solve this problem do you think that I should look into the
> configuration file of Squirrelmail/Roundcube or in the config file of
> Dovecot?
> > > On Wed, Jun 15, 2016 at 05:48:32PM -0400, Gedalya wrote: >> On 06/15/2016 04:26 PM, Maurizio Dall'Acqua wrote: >> > Hi, >> > >> > I have set up a mail server with postfix+dovecot 2.2.13 on my raspberry pi >> > running Raspbian Jassie OS. >> > >> > Now I would like to add an on-line e-mail client like Squirrelmail or >> > Roundcube. I was able to start up these two clients but when I try to login >> > I get this error message in the dovecot log: >> > >> > tlsv1 alert unknown ca: SSL alert number 48 >> > >> > But I have inserted the self-signed certificate and key in >> > /etc/dovecot/conf.d/10-master.conf >> > >> > Moreover, I can send and receive e-mails from/to my server, and I can login >> > successfully to dovecot IMAP with Thunderbird. >> > >> > Can somebody give me a clue on how to solve this problem? Any help would me much >> > appreciated. >> > >> > Regards, >> > Maurizio >> >> This could mean that the client has indicated it was unable to verify >> the server's certificate. >> >> With regards to Roundcube, see this in config/defaults.inc.php: >> >> //$config['imap_conn_options'] = array( >> // 'ssl' => array( >> // 'verify_peer' => true, >> // 'verify_depth' => 3, >> // 'cafile' => '/etc/openssl/certs/ca.crt', >> // ), >> // ); >> >> From matthias at familie-sitte.org Thu Jun 16 20:11:50 2016 
From: matthias at familie-sitte.org (Dr. Matthias Sitte) Date: Thu, 16 Jun 2016 22:11:50 +0200 Subject: tlsv1 alert unknown ca: SSL alert number 48 In-Reply-To: <20160616184302.GA31787@lab2000-linux.homepc.it> References: <20160615202638.GA28902@lab2000-linux.homepc.it> <20160616184302.GA31787@lab2000-linux.homepc.it> Message-ID: <2713694ee0bea32d868d98002bfd5290@familie-sitte.org> Check this one here: http://lists.roundcube.net/pipermail/users/2014-October/010742.html On 2016-06-16 20:43, Maurizio Dall'Acqua wrote: > I think that you are right when you say that the problem may be the > certificate recognition. > > As for Roundcube, I've inserted the uncommented php code that you > provided > in /usr/share/roundcube/main.inc.php.dist, which is the Raspbian file > for > /config/defaults.inc.php. Unfortunately Roundcube doesn't login and > replies > with the message "connection to storage server failed". And the log > file > of dovecot gives the reason: unknown certificate. > > In order to solve this problem do you think that I should look into the > configuration file of Squirrelmail/Roundcube or in the config file of > Dovecot? > > > On Wed, Jun 15, 2016 at 05:48:32PM -0400, Gedalya wrote: >> On 06/15/2016 04:26 PM, Maurizio Dall'Acqua wrote: >> > Hi, >> > >> > I have set up a mail server with postfix+dovecot 2.2.13 on my raspberry pi >> > running Raspbian Jassie OS. >> > >> > Now I would like to add an on-line e-mail client like Squirrelmail or >> > Roundcube. I was able to start up these two clients but when I try to login >> > I get this error message in the dovecot log: >> > >> > tlsv1 alert unknown ca: SSL alert number 48 >> > >> > But I have inserted the self-signed certificate and key in >> > /etc/dovecot/conf.d/10-master.conf >> > >> > Moreover, I can send and receive e-mails from/to my server, and I can login >> > successfully to dovecot IMAP with Thunderbird. >> > >> > Can somebody give me a clue on how to solve this problem? 
Any help would me much >> > appreciated. >> > >> > Regards, >> > Maurizio >> >> This could mean that the client has indicated it was unable to verify >> the server's certificate. >> >> With regards to Roundcube, see this in config/defaults.inc.php: >> >> //$config['imap_conn_options'] = array( >> // 'ssl' => array( >> // 'verify_peer' => true, >> // 'verify_depth' => 3, >> // 'cafile' => '/etc/openssl/certs/ca.crt', >> // ), >> // ); >> >> From stephan at rename-it.nl Thu Jun 16 21:46:35 2016 
From: stephan at rename-it.nl (Stephan Bosch) Date: Thu, 16 Jun 2016 23:46:35 +0200 Subject: sieve-extprogram: How to hand over a variable or pipe a mail so a shell script? In-Reply-To: <8646a2f3-bfec-5a9e-d48b-4f8a930d8b99@makomi.de> References: <8646a2f3-bfec-5a9e-d48b-4f8a930d8b99@makomi.de> Message-ID: <023dad30-4cb7-cc75-9ac0-1924b54ca8c4@rename-it.nl> On 5/19/2016 at 2:40 PM, M. Koehler wrote: > Hi, > > I'm just playing around with sieve-extprogram but it didn't works like > I think. I want > > a. execute a shell script that get the subject as parameter > > my try: > > require ["fileinto","variables","envelope","vnd.dovecot.execute"]; > if header :contains "Subject" "123test" > { > execute :input "${1}" "exec-test"; > keep; > } > > and > > require ["fileinto","variables","envelope","vnd.dovecot.execute"]; > if header :contains "Subject" "123test" > { > execute "exec-test" "${1}"; > keep; > } > > The shell script will create a file with $1 as text. But I didn't get > any output - the created file is empty What is ${1} supposed to contain? Only with the ":matches" and ":regex" match types those numeric variables are assigned. > b. later the complete mail should piped to the shell script > > require ["fileinto","variables","envelope","vnd.dovecot.execute"]; > if header :contains "Subject" "123test" > { > execute :pipe "exec-test"; > keep; > } > > This should (as > http://hg.rename-it.nl/dovecot-2.2-pigeonhole/raw-file/tip/doc/rfc/spec-bosch-sieve-extprograms.txt > described) hand over the complete mail to the script But I don't know > how I handle the complete mail with a shell script? I think the mail > will not hand over as a parameter to the shell script, right? But how > should I store the mail into a file or should I pipe it through a sed > command line (and so one) into a shell script? > > Hope someone could bring some lights into my darkness :) The mail is passed as the standard input of the script. 
Lots of online resources should tell you what that means. Regards, Stephan. From bc979 at lafn.org Fri Jun 17 05:53:26 2016 From: bc979 at lafn.org (Doug Hardie) Date: Thu, 16 Jun 2016 22:53:26 -0700 Subject: Mailbox location Message-ID: I am running a small server with a fixed number of users. Postfix is using dovecot lda so that I can run pigeonhole. I have setup a user file with the ids and passwords and everything authenticates properly. Postfix uses that also. However, mail is consistently delivered to user at domain. How do I tell it to deliver to just user? I have tried setting a variety of different things like: 10-mail.conf:mail_location = maildir:/var/mail/home_mail/%u userdb { driver = static args = uid=2222 gid=2222 home=/var/mail/home_mail/%u } and a few other things. None of them affected the mailbox location. Fortunately, this is a test system as I probably have mucked up the config files by now. ? Doug From matthias at familie-sitte.org Fri Jun 17 06:43:11 2016 
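For the sieve-extprogram reply further up (the message arrives on the program's standard input, any arguments arrive as positional parameters), a handler in the role of `exec-test` could look like the sketch below. It is an added example, not code from the thread; the spool directory, the file naming and the function names are assumptions, and the sample message is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): a handler in the role of "exec-test".
# Spool directory layout, file naming and function names are assumptions.

# sanitize_label TEXT -> TEXT reduced to [A-Za-z0-9._-], at most 64 characters.
# Header values are chosen by the sender, so they are filtered before they
# are written anywhere and are never used as a path or as part of a command.
sanitize_label() {
    printf '%s' "$1" | tr -c 'A-Za-z0-9._-' '_' | cut -c1-64
}

# store_mail SPOOL_DIR [SUBJECT]
# Reads the complete message from standard input, writes it to a freshly
# created file in SPOOL_DIR and prints that file's path.
store_mail() {
    sm_dir=$1
    sm_label=$(sanitize_label "${2:-nosubject}")
    # mktemp picks the name, so nothing taken from the mail ends up in a path.
    sm_file=$(mktemp "$sm_dir/mail.XXXXXX") || return 1
    cat > "$sm_file" || return 1
    # The filtered subject is kept beside the message, not used as its name.
    printf '%s\n' "$sm_label" > "$sm_file.subject"
    printf '%s\n' "$sm_file"
}

# Constructed demo: a Subject that carries shell syntax and a relative path.
demo() {
    dm_dir=$(mktemp -d) || return 1
    dm_subject='123test; rm -rf ../x'
    dm_file=$(printf 'Subject: %s\n\nbody\n' "$dm_subject" |
              store_mail "$dm_dir" "$dm_subject") || return 1
    cat "$dm_file.subject"
    rm -rf "$dm_dir"
}

# Installed as the real handler, the script would instead end with something
# like:  store_mail "$SPOOL_DIR" "$1"   (SPOOL_DIR is a hypothetical setting)
demo
```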
From: matthias at familie-sitte.org (Dr. Matthias Sitte) Date: Fri, 17 Jun 2016 08:43:11 +0200 Subject: tlsv1 alert unknown ca: SSL alert number 48 In-Reply-To: <20160616184302.GA31787@lab2000-linux.homepc.it> References: <20160615202638.GA28902@lab2000-linux.homepc.it> <20160616184302.GA31787@lab2000-linux.homepc.it> Message-ID: <6bfb3ebdbef97e2449727ee9e6e20d8c@familie-sitte.org> Solution: Set 'peer_name' in the SSL stream context to the FQDN of the server certificate(s): // IMAP socket context options // See http://php.net/manual/en/context.ssl.php $config['imap_conn_options'] = array( 'ssl' => array( 'peer_name' => '', 'verify_peer' => true, 'verify_depth' => 3, #'cafile' => '/dont/need/to/set/this/option', ), ); // SMTP socket context options // See http://php.net/manual/en/context.ssl.php $config['smtp_conn_options'] = array( 'ssl' => array( 'peer_name' => '', 'verify_peer' => true, 'verify_depth' => 3, #'cafile' => '/dont/need/to/set/this/option', ), ); Works for me. On 2016-06-16 20:43, Maurizio Dall'Acqua wrote: > I think that you are right when you say that the problem may be the > certificate recognition. > > As for Roundcube, I've inserted the uncommented php code that you > provided > in /usr/share/roundcube/main.inc.php.dist, which is the Raspbian file > for > /config/defaults.inc.php. Unfortunately Roundcube doesn't login and > replies > with the message "connection to storage server failed". And the log > file > of dovecot gives the reason: unknown certificate. > > In order to solve this problem do you think that I should look into the > configuration file of Squirrelmail/Roundcube or in the config file of > Dovecot? > > > On Wed, Jun 15, 2016 at 05:48:32PM -0400, Gedalya wrote: >> On 06/15/2016 04:26 PM, Maurizio Dall'Acqua wrote: >> > Hi, >> > >> > I have set up a mail server with postfix+dovecot 2.2.13 on my raspberry pi >> > running Raspbian Jassie OS. 
>> > >> > Now I would like to add an on-line e-mail client like Squirrelmail or >> > Roundcube. I was able to start up these two clients but when I try to login >> > I get this error message in the dovecot log: >> > >> > tlsv1 alert unknown ca: SSL alert number 48 >> > >> > But I have inserted the self-signed certificate and key in >> > /etc/dovecot/conf.d/10-master.conf >> > >> > Moreover, I can send and receive e-mails from/to my server, and I can login >> > successfully to dovecot IMAP with Thunderbird. >> > >> > Can somebody give me a clue on how to solve this problem? Any help would me much >> > appreciated. >> > >> > Regards, >> > Maurizio >> >> This could mean that the client has indicated it was unable to verify >> the server's certificate. >> >> With regards to Roundcube, see this in config/defaults.inc.php: >> >> //$config['imap_conn_options'] = array( >> // 'ssl' => array( >> // 'verify_peer' => true, >> // 'verify_depth' => 3, >> // 'cafile' => '/etc/openssl/certs/ca.crt', >> // ), >> // ); >> >> From bc979 at lafn.org Fri Jun 17 07:10:41 2016 
From: bc979 at lafn.org (Doug Hardie) Date: Fri, 17 Jun 2016 00:10:41 -0700 Subject: Mailbox location In-Reply-To: References: Message-ID: > On 16 June 2016, at 22:53, Doug Hardie wrote: > > I am running a small server with a fixed number of users. Postfix is using dovecot lda so that I can run pigeonhole. I have setup a user file with the ids and passwords and everything authenticates properly. Postfix uses that also. However, mail is consistently delivered to user at domain. How do I tell it to deliver to just user? I have tried setting a variety of different things like: > > 10-mail.conf:mail_location = maildir:/var/mail/home_mail/%u > > userdb { > driver = static > args = uid=2222 gid=2222 home=/var/mail/home_mail/%u > } > > and a few other things. None of them affected the mailbox location. Fortunately, this is a test system as I probably have mucked up the config files by now. > > ? Doug here is config: root at test:/usr/local/etc/dovecot/conf.d # doveconf -n # 2.2.22 (fe789d2): /usr/local/etc/dovecot/dovecot.conf # Pigeonhole version 0.4.13 (7b14904) # OS: FreeBSD 10.3-RELEASE amd64 ufs auth_debug = yes auth_debug_passwords = yes auth_mechanisms = plain login auth_verbose_passwords = yes base_dir = /var/run/home_mail/ first_valid_gid = 0 login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c %k session=<%{session}> port=%a mail_debug = yes mail_gid = 2222 mail_location = maildir:/var/mail/home_mail/%u mail_uid = 2222 managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext namespace inbox { inbox = yes location = mailbox Drafts { special_use = \Drafts } mailbox Junk { special_use = \Junk } mailbox Sent { special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Trash { special_use 
= \Trash } prefix = } passdb { args = scheme=CRYPT username_format=%u /usr/local/etc/dovecot/users driver = passwd-file } plugin { mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename mail_log_fields = uid box msgid size from } postmaster_address = doug at sermon-archive.info protocols = imap service auth { unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0660 user = postfix } unix_listener auth-userdb { group = vmail mode = 0666 user = vmail } } service imap-login { inet_listener imap { port = 143 } inet_listener imaps { port = 993 ssl = yes } } ssl_cert = References: Message-ID: <8629637ef619e417c02c12b9aba4e29b@otaking.se> Hi Doug, "home" from your userdb query will dictate where mail will be dropped. If you want to store in /var/mail/home_mail/, then use %n. You were almost there with /%d/%n in your current configuration, posted below, just remove the %d completely. http://wiki.dovecot.org/Variables The domain part is added by postfix. Postfix most often requires some kind of domain, and if not added will append one (unless you have an unorthodox configuration). It's not recommended to remove this feature from your postfix configuration. /Tobias On 2016-06-17 16:10, Doug Hardie wrote: >> On 16 June 2016, at 22:53, Doug Hardie wrote: >> >> I am running a small server with a fixed number of users. Postfix is >> using dovecot lda so that I can run pigeonhole. I have setup a user >> file with the ids and passwords and everything authenticates properly. >> Postfix uses that also. However, mail is consistently delivered to >> user at domain. How do I tell it to deliver to just user? I have tried >> setting a variety of different things like: >> >> 10-mail.conf:mail_location = maildir:/var/mail/home_mail/%u >> >> userdb { >> driver = static >> args = uid=2222 gid=2222 home=/var/mail/home_mail/%u >> } >> >> and a few other things. None of them affected the mailbox location. 
>> Fortunately, this is a test system as I probably have mucked up the >> config files by now. >> >> ? Doug > > here is config: > > root at test:/usr/local/etc/dovecot/conf.d # doveconf -n > # 2.2.22 (fe789d2): /usr/local/etc/dovecot/dovecot.conf > # Pigeonhole version 0.4.13 (7b14904) > # OS: FreeBSD 10.3-RELEASE amd64 ufs > auth_debug = yes > auth_debug_passwords = yes > auth_mechanisms = plain login > auth_verbose_passwords = yes > base_dir = /var/run/home_mail/ > first_valid_gid = 0 > login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e > %c %k session=<%{session}> port=%a > mail_debug = yes > mail_gid = 2222 > mail_location = maildir:/var/mail/home_mail/%u > mail_uid = 2222 > managesieve_notify_capability = mailto > managesieve_sieve_capability = fileinto reject envelope > encoded-character vacation subaddress comparator-i;ascii-numeric > relational regex imap4flags copy include variables body enotify > environment mailbox date index ihave duplicate mime foreverypart > extracttext > namespace inbox { > inbox = yes > location = > mailbox Drafts { > special_use = \Drafts > } > mailbox Junk { > special_use = \Junk > } > mailbox Sent { > special_use = \Sent > } > mailbox "Sent Messages" { > special_use = \Sent > } > mailbox Trash { > special_use = \Trash > } > prefix = > } > passdb { > args = scheme=CRYPT username_format=%u /usr/local/etc/dovecot/users > driver = passwd-file > } > plugin { > mail_log_events = delete undelete expunge copy mailbox_delete > mailbox_rename > mail_log_fields = uid box msgid size from > } > postmaster_address = doug at sermon-archive.info > protocols = imap > service auth { > unix_listener /var/spool/postfix/private/auth { > group = postfix > mode = 0660 > user = postfix > } > unix_listener auth-userdb { > group = vmail > mode = 0666 > user = vmail > } > } > service imap-login { > inet_listener imap { > port = 143 > } > inet_listener imaps { > port = 993 > ssl = yes > } > } > ssl_cert = ssl_key = syslog_facility = 
local0 > userdb { > args = home=/var/mail/home_mail/%d/%n allow_all_users=yes > driver = static > } > verbose_proctitle = yes > protocol imap { > mail_plugins = " mail_log notify" > } > protocol pop3 { > mail_plugins = " mail_log notify" > } > root at test:/usr/local/etc/dovecot/conf.d # > > > ? Doug From skdovecot at smail.inf.fh-brs.de Fri Jun 17 09:58:46 2016 From: skdovecot at smail.inf.fh-brs.de (Steffen Kaiser) Date: Fri, 17 Jun 2016 11:58:46 +0200 (CEST) Subject: Multiple ACTIVE Sieve scripts In-Reply-To: References: Message-ID: On Mon, 13 Jun 2016, Aaron M?ller wrote: >> list > "mailinglists.sieve" > "spam.sieve" ACTIVE >> activate mailinglists.sieve >> list > "mailinglists.sieve" ACTIVE > "spam.sieve" See RFC 5804 sec 1.4 -- Steffen Kaiser From skdovecot at smail.inf.fh-brs.de Fri Jun 17 10:21:04 2016 
From: skdovecot at smail.inf.fh-brs.de (Steffen Kaiser) Date: Fri, 17 Jun 2016 12:21:04 +0200 (CEST) Subject: Double variable expansion / multiple password mechanisms In-Reply-To: <576007FA.5060604@f-m.fm> References: <576007FA.5060604@f-m.fm> Message-ID: On Tue, 14 Jun 2016, Leon Kyneur wrote: > For each user Store supported password schemes as LDAP attributes: > userPasswordCRAM-MD5: {CRAM-MD5}xxx > userPasswordDIGEST-MD5: {DIGEST-MD5}xxxx > userPasswordSCRAM: {SCRAM-SHA-1}xxxx > userPasswordNTLM: {NTLM}xxxx > > then: > =password=%{ldap:userPassword%m} <- Though this doesn't work.. just wondering > if it could possibly work or if I should give up on this crazy idea :) did you've tried: userPassword%m=password but I assume that these scripts are pulled in before %m is known. You could try to add one *auth* entry per mechanism and per person: mechanism=CRAM-MD5,uid=user,... and user mechanism=%m in the filter -- Steffen Kaiser From dovecot-e51 at deemzed.uk Fri Jun 17 12:39:21 2016 
From: dovecot-e51 at deemzed.uk (Dave) Date: Fri, 17 Jun 2016 13:39:21 +0100 Subject: Recipient delimiter and lmtp proxying In-Reply-To: References: Message-ID: On 16/06/2016 20:49, Dave wrote: > > Hi, > > I'm attempting to proxy lmtp using director to hash to the same backend > as pop3/imap. My pop3/imap users are of the form: > > username > > and my lmtp users are of the form: > > > > Where domain is fairly redundant but does carry some useful information. > > Now, I can proxy lmtp using user=%{username} and > destuser=%{orig_user}, and this all appears to work correctly. > > However, if I also try to pass a detail part through to the backend the > lmtp users now take the form: > > > > I can still use user=%{username} > with recipient_delimiter = +, and the detail is correctly stripped, > hashing works as expected. > > However, I can no longer use destuser=%{orig_user} > > Because recipient_delimiter = +, destuser becomes: > > > > And the detail part never reaches the backend. > > There doesn't appear to be any variables suitable for the destuser > expansion - %{auth_user} is unsupported (UNSUPPORTED_VARIABLE_auth_user) > on override_fields and in the sql passdb driver. > > Is there any "correct" way to do this? I can think of a couple of > approaches that may work, but both seem like hacks to me: > > 1. Unset recipient_delimiter and manually strip the detail from the > username in the passdb lookup. What I will say is that LMTP proxying doesn't quite work in all cases: director: recipient_delimiter = protocol lmtp { auth_username_chars = ... passdb { driver = sql override_fields = proxy=y destuser=%{orig_user} ... } } ... driver = mysql password_query = SELECT username AS user, \ NULL AS password, \ 'y' AS nopassword \ FROM users WHERE username=SUBSTRING_INDEX('%u','+',1) ... 
This successfully accepts '' and passes through to the backend, but still experiences problems where the local part is quoted: <"user+Junk\ Email"@domain> will extract user in director, but passes through the unescaped: to the backend, which leads to a 501 5.5.4 Invalid parameter. %{login_user} gives a blank string, %{auth_user} is unsupported. I supposed that %{orig_user} was unaltered, but it appears to be interpreted by both unescaping quoted local parts and removing detail if recipient_delimiter is set. I'm not suggesting this behaviour is changed, obviously it makes sense. So I guess the question is is there any way to pass the original pure, unaltered login string through lmtp proxy to the backend, or for lmtp proxy to correctly use a quoted local part with escapes if the destuser contains non dot-atom characters, as per RFC? -- Dave From ddr2pw at yahoo.com Fri Jun 17 15:34:07 2016 
From: ddr2pw at yahoo.com (Marco Usai) Date: Fri, 17 Jun 2016 15:34:07 +0000 (UTC) Subject: Migrate email account from Dovecot to Dovecot servers References: <920371362.8451304.1466177647696.JavaMail.yahoo.ref@mail.yahoo.com> Message-ID: <920371362.8451304.1466177647696.JavaMail.yahoo@mail.yahoo.com> Hello, 1) I need to migrate some mbox imap email accounts from a shared webhosting provider to another one. 2) Both servers seem to use Dovecot, as a telnet command on port 143 shows an identical response: * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE NAMESPACE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready. 3) I don't know Dovecot version because I don't have access to "dovecot --version" command. 4) I can't use "doveadm-sync" because the command is not available on my shared hosting account. 5) I prefer to leave imapsync perl script as the last option because I want to preserve the UID. So, I need to know what migration procedure can be adopted: if I copy the /home/user/mail/ directory containing all email account from the source server to the destination server, can I expect to see all accounts working with all the emails transferred? Should I first create from cPanel all the email account with identical names and password on the destination server? Any suggestion will be much appreciated. Thanks in advance! From kremels at kreme.com Fri Jun 17 17:51:33 2016 
From: kremels at kreme.com (@lbutlr) Date: Fri, 17 Jun 2016 11:51:33 -0600 Subject: Mail dates In-Reply-To: References: <6041A995-8E8F-4607-B0D0-2FFA0F3875A7@kreme.com> <0A8A1BA9-2F29-4087-AAFC-5A39EC281C99@kreme.com> Message-ID: On Jun 15, 2016, at 10:46 AM, Tanstaafl wrote: > On 6/15/2016 12:30 PM, @lbutlr wrote: >> On Jun 15, 2016, at 9:44 AM, Tanstaafl wrote: >>> On 6/14/2016 6:50 PM, @lbutlr wrote: >>>> Where exactly does dovecot get the date that it reports via IMAP? >>> >>> This is a problem with how you restored the files. >>> >>> On a linux system, you should use something like rsync -a to preserve >>> the original date/times? > >> The original emails were in box files, so that was not the issue. > > How were they restored? The issue is that the files currently in the maildir have the correct time stamps, but Dovecot reports them to the IMAP clients as having a different time and date. -- Footnote: The calendar of the Theocracy of Muntab counts down, not up. No-one knows why, but it might not be a good idea to hang around and find out. From tanstaafl at libertytrek.org Fri Jun 17 17:57:45 2016 From: tanstaafl at libertytrek.org (Tanstaafl) Date: Fri, 17 Jun 2016 13:57:45 -0400 Subject: Mail dates In-Reply-To: References: <6041A995-8E8F-4607-B0D0-2FFA0F3875A7@kreme.com> <0A8A1BA9-2F29-4087-AAFC-5A39EC281C99@kreme.com> Message-ID: On 6/17/2016 1:51 PM, @lbutlr wrote: > On Jun 15, 2016, at 10:46 AM, Tanstaafl wrote: >> On 6/15/2016 12:30 PM, @lbutlr wrote: >>> The original emails were in box files, so that was not the issue. >> >> How were they restored? > The issue is that the files currently in the maildir have the correct > time stamps, but Dovecot reports them to the IMAP clients as having a > different time and date. That totally doesn't answer the question. Again - how were they restored? From tanstaafl at libertytrek.org Fri Jun 17 18:04:45 2016 
From: tanstaafl at libertytrek.org (Tanstaafl) Date: Fri, 17 Jun 2016 14:04:45 -0400 Subject: Mail dates In-Reply-To: References: <6041A995-8E8F-4607-B0D0-2FFA0F3875A7@kreme.com> <0A8A1BA9-2F29-4087-AAFC-5A39EC281C99@kreme.com> Message-ID: <099962bb-f5dc-88ff-25f4-64351dbaa754@libertytrek.org> On 6/17/2016 1:51 PM, @lbutlr wrote: > The issue is that the files currently in the maildir have the correct > time stamps, but Dovecot reports them to the IMAP clients as having a > different time and date. Maybe - or maybe not... Different clients perceive the dates differently... Here is a decent link to explaining this, as well as providing a tool that may help you fix the dates: http://imapsync.lamiral.info/FAQ.d/FAQ.Dates.txt From kevin at my.walr.us Fri Jun 17 19:14:07 2016 
From: kevin at my.walr.us (KT Walrus) Date: Fri, 17 Jun 2016 15:14:07 -0400 Subject: Advice needed: SMTP/LMTP or IMAP for internal message delivery Message-ID: <0C1E3A90-509D-4634-8F86-F9397954FB4A@my.walr.us> I've implemented "next day" delivery this week by taking messages submitted through Postfix, queuing the messages in a MySQL database, and sending them out for delivery through another Postfix instance/Dovecot LMTP proxy with final delivery using the destination mail servers LMTP service. Delivery is sent to a "next day" mail server which is sync'd to the recipient's mail server using "doveadm sync -A tcp:next-day-mail:12345" on each mail server in the early morning. This all appears to be working well. I do have a need to deliver these messages into specific mail folders in the recipient's mailbox and I was planning on using global Sieve scripts running on the "next day" mail server to place the messages in the proper folder (not all messages are delivered to the INBOX folder). I am using a PHP script to move the messages from Postfix to the MySQL database and then later sending them via SMTP to the internal Postfix instance for delivery to the "next day" mail server. I started investing how to code the Sieve scripts today and it occurred to me that I could greatly simplify message delivery by using IMAP to deliver the messages to the "next day" mail server. The PHP script would be able to deliver the exact message that should be stored to the proper folders setting the \Seen flags appropriately. My backend "next day" mail server already supports Master password login so I figure the PHP script should be able to login via IMAP to access the folders in the recipient mailboxes. Also, the PHP script could do other mailbox maintenance tasks when it connects to the user's mailbox such as purge folders by age, message count, etc. 
The PHP script could also retrieve info about the current state of the user's mailbox folders (like the date of the oldest unread message, how many messages have been read in the last week or so, etc) and store this data in the MySQL DB. I'm looking for any advice on whether to scrap the current plan of deploying internal Postfix SMTP/Dovecot LMTP proxy/Dovecot LMTP/Sieve script for "next day" mail delivery and just write PHP script to access Dovecot IMAP (direct to the "next day" mail server or to the user's mail server for "immediate" delivery). This would allow me to drop using Dovecot LMTP at all. Postfix SMTP would only be configured to invoke a PHP script to deliver messages to the database (which is already implemented). Postfix would still use Dovecot IMAP authentication, but only Dovecot IMAP service would need to be "highly available". Any opinions? Should I dump LMTP? Kevin From pi at lab2000-linux.homepc.it Fri Jun 17 20:14:04 2016 
From: pi at lab2000-linux.homepc.it (Maurizio Dall'Acqua) Date: Fri, 17 Jun 2016 22:14:04 +0200 Subject: tlsv1 alert unknown ca: SSL alert number 48 In-Reply-To: <6bfb3ebdbef97e2449727ee9e6e20d8c@familie-sitte.org> References: <20160615202638.GA28902@lab2000-linux.homepc.it> <20160616184302.GA31787@lab2000-linux.homepc.it> <6bfb3ebdbef97e2449727ee9e6e20d8c@familie-sitte.org> Message-ID: <20160617201404.GB31787@lab2000-linux.homepc.it> I have tried all the suggestions up till now but the error message is still there. I have tried this configuration for roundcube: $config['imap_conn_options'] = array( 'ssl' => array( 'peer_name' => '', 'verify_peer' => true, 'verify_depth' => 3, // 'cafile' => '/dont/need/to/set/this/option', ), ); and this one: $config['imap_conn_options'] = array( 'ssl' => array( 'verify_peer' => false, 'verify_peer_name' => false, ), ); and this one too: $config['imap_conn_options'] = array( 'ssl' => array( 'verify_peer' => true, 'verify_depth' => 3, 'cafile' => '/path/to/my/self/signed/certificate.pem', ), ); I'm at a loss :-( On Fri, Jun 17, 2016 at 08:43:11AM +0200, Dr. Matthias Sitte wrote: > Solution: Set 'peer_name' in the SSL stream context to the FQDN of the > server certificate(s): > > // IMAP socket context options > // See http://php.net/manual/en/context.ssl.php > $config['imap_conn_options'] = array( > 'ssl' => array( > 'peer_name' => '', > 'verify_peer' => true, > 'verify_depth' => 3, > #'cafile' => '/dont/need/to/set/this/option', > ), > ); > > // SMTP socket context options > // See http://php.net/manual/en/context.ssl.php > $config['smtp_conn_options'] = array( > 'ssl' => array( > 'peer_name' => '', > 'verify_peer' => true, > 'verify_depth' => 3, > #'cafile' => '/dont/need/to/set/this/option', > ), > ); > > Works for me. > > On 2016-06-16 20:43, Maurizio Dall'Acqua wrote: > >I think that you are right when you say that the problem may be the > >certificate recognition. 
> > > >As for Roundcube, I've inserted the uncommented php code that you provided > >in /usr/share/roundcube/main.inc.php.dist, which is the Raspbian file for > >/config/defaults.inc.php. Unfortunately Roundcube doesn't login and > >replies > > with the message "connection to storage server failed". And the log file > >of dovecot gives the reason: unknown certificate. > > > >In order to solve this problem do you think that I should look into the > >configuration file of Squirrelmail/Roundcube or in the config file of > >Dovecot? > > > > > >On Wed, Jun 15, 2016 at 05:48:32PM -0400, Gedalya wrote: > >>On 06/15/2016 04:26 PM, Maurizio Dall'Acqua wrote: > >>> Hi, > >>> > >>> I have set up a mail server with postfix+dovecot 2.2.13 on my raspberry pi > >>> running Raspbian Jassie OS. > >>> > >>> Now I would like to add an on-line e-mail client like Squirrelmail or > >>> Roundcube. I was able to start up these two clients but when I try to login > >>> I get this error message in the dovecot log: > >>> > >>> tlsv1 alert unknown ca: SSL alert number 48 > >>> > >>> But I have inserted the self-signed certificate and key in > >>> /etc/dovecot/conf.d/10-master.conf > >>> > >>> Moreover, I can send and receive e-mails from/to my server, and I can login > >>> successfully to dovecot IMAP with Thunderbird. > >>> > >>> Can somebody give me a clue on how to solve this problem? Any help would me much > >>> appreciated. > >>> > >>> Regards, > >>> Maurizio > >> > >>This could mean that the client has indicated it was unable to verify > >>the server's certificate. > >> > >>With regards to Roundcube, see this in config/defaults.inc.php: > >> > >>//$config['imap_conn_options'] = array( > >>// 'ssl' => array( > >>// 'verify_peer' => true, > >>// 'verify_depth' => 3, > >>// 'cafile' => '/etc/openssl/certs/ca.crt', > >>// ), > >>// ); > >> > >> From kevin at my.walr.us Fri Jun 17 20:18:28 2016 
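The option sets tried in the message above differ in two things: the trust anchor (`cafile`) and the name that is checked against the certificate (`peer_name`). The sketch below is an added example, not code from the thread; it reproduces those verification outcomes offline with the `openssl` command line against a throwaway self-signed certificate. The hostname `mail.example.test`, the file names and the function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread). The hostname, file names and function
# names are constructed; no real server or certificate is involved.

DEMO_HOST="mail.example.test"   # stands in for the FQDN in the server certificate

# Create a throwaway self-signed certificate for DEMO_HOST in directory $1.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$DEMO_HOST" \
        -addext "subjectAltName=DNS:$DEMO_HOST" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# verify_cert CERT CAFILE PEER_NAME -> prints "ok" or "fail"
#   CAFILE    empty: no extra trust anchor, only the system store is used
#   PEER_NAME empty: no name check
# This mirrors what a client does with verify_peer enabled.
verify_cert() {
    vc_cert=$1 vc_ca=$2 vc_peer=$3
    set -- verify
    if [ -n "$vc_ca" ]; then set -- "$@" -CAfile "$vc_ca"; fi
    if [ -n "$vc_peer" ]; then set -- "$@" -verify_hostname "$vc_peer"; fi
    # Match the "<file>: OK" line instead of trusting the exit status,
    # which older OpenSSL releases did not set reliably.
    if openssl "$@" "$vc_cert" 2>/dev/null | grep -q ': OK$'; then
        echo ok
    else
        echo fail
    fi
}

# Run the four cases and print one summary line.
run_demo() {
    rd_dir=$(mktemp -d) || return 1
    make_selfsigned "$rd_dir" || { rm -rf "$rd_dir"; return 1; }
    rd_cert="$rd_dir/cert.pem"
    # 1. No cafile: a self-signed certificate has no issuer in the system
    #    store. A client in this state aborts the handshake with the
    #    unknown_ca alert (number 48) that the server then logs.
    rd_none=$(verify_cert "$rd_cert" "" "")
    # 2. cafile set to the self-signed certificate itself: the chain verifies.
    rd_ca=$(verify_cert "$rd_cert" "$rd_cert" "")
    # 3. cafile plus the name that is in the certificate: still verifies.
    rd_name=$(verify_cert "$rd_cert" "$rd_cert" "$DEMO_HOST")
    # 4. cafile plus a different name (here: connecting as localhost):
    #    the chain is fine but the name check fails.
    rd_wrong=$(verify_cert "$rd_cert" "$rd_cert" "localhost")
    rm -rf "$rd_dir"
    echo "no-cafile=$rd_none cafile=$rd_ca cafile+peer_name=$rd_name cafile+wrong-name=$rd_wrong"
}

run_demo
```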
From: kevin at my.walr.us (KT Walrus) Date: Fri, 17 Jun 2016 16:18:28 -0400 Subject: archive all saved IMAP messages Message-ID: <493DBB3D-8100-4F56-A790-228B7BA25E0F@my.walr.us> I need to archive (i.e., send to another mail server) all messages saved on my mail servers. I've implemented for SMTP submission, but haven't figured out how to archive messages saved by IMAP (like to Drafts, Sent, etc.). How would I best implement this? Can I enable Sieve plugin for IMAP? Or, some other method? Like one way backup to archive server? I really only need to archive the messages sent/saved by a user and not the messages received from other users. Kevin From yacinechaouche at yahoo.com Sat Jun 18 00:01:53 2016 From: yacinechaouche at yahoo.com (chaouche yacine) Date: Sat, 18 Jun 2016 00:01:53 +0000 (UTC) Subject: archive all saved IMAP messages In-Reply-To: <493DBB3D-8100-4F56-A790-228B7BA25E0F@my.walr.us> References: <493DBB3D-8100-4F56-A790-228B7BA25E0F@my.walr.us> Message-ID: <1024768756.5234502.1466208113886.JavaMail.yahoo@mail.yahoo.com> I'm also interested in learning how to do this best. Last time I thought about it is if users have a different e-mail address on the archive server, you can setup a BCC map in postfix that matches the pair of emails (primary email - archive email), this will automatically send all sent messages in the inbox of the archived email account. In that archive server you can setup sieve rules to move the emails to the sent folder. But that's rather a complicated solution, besides it doesn't work draft folder. ________________________________ 
From: KT Walrus
To: Dovecot Mailing List
Sent: Friday, June 17, 2016 9:18 PM
Subject: archive all saved IMAP messages


I need to archive (i.e., send to another mail server) all messages saved on my mail servers. I've implemented for SMTP submission, but haven't figured out how to archive messages saved by IMAP (like to Drafts, Sent, etc.).

How would I best implement this? Can I enable Sieve plugin for IMAP? Or, some other method? Like one way backup to archive server?

I really only need to archive the messages sent/saved by a user and not the messages received from other users.

Kevin

From gedalya at gedalya.net Sat Jun 18 04:34:31 2016
From: gedalya at gedalya.net (Gedalya)
Date: Sat, 18 Jun 2016 00:34:31 -0400
Subject: tlsv1 alert unknown ca: SSL alert number 48
In-Reply-To: <20160617201404.GB31787@lab2000-linux.homepc.it>
References: <20160615202638.GA28902@lab2000-linux.homepc.it> <20160616184302.GA31787@lab2000-linux.homepc.it> <6bfb3ebdbef97e2449727ee9e6e20d8c@familie-sitte.org> <20160617201404.GB31787@lab2000-linux.homepc.it>
Message-ID:

What version of Roundcube are you using?

On 06/17/2016 04:14 PM, Maurizio Dall'Acqua wrote:
> I have tried all the suggestions up till now but the error message is still
> there.
>
> I have tried this configuration for roundcube:
>
> $config['imap_conn_options'] = array(
>   'ssl' => array(
>     'peer_name' => '',
>     'verify_peer' => true,
>     'verify_depth' => 3,
>     // 'cafile' => '/dont/need/to/set/this/option',
>   ),
> );
>
> and this one:
>
> $config['imap_conn_options'] = array(
>   'ssl' => array(
>     'verify_peer' => false,
>     'verify_peer_name' => false,
>   ),
> );
>
> and this one too:
>
> $config['imap_conn_options'] = array(
>   'ssl' => array(
>     'verify_peer' => true,
>     'verify_depth' => 3,
>     'cafile' => '/path/to/my/self/signed/certificate.pem',
>   ),
> );
>
> I'm at a loss :-(
>
>
>
>
>
> On Fri, Jun 17, 2016 at 08:43:11AM +0200, Dr. Matthias Sitte wrote:
>> Solution: Set 'peer_name' in the SSL stream context to the FQDN of the
>> server certificate(s):
>>
>> // IMAP socket context options
>> // See http://php.net/manual/en/context.ssl.php
>> $config['imap_conn_options'] = array(
>>   'ssl' => array(
>>     'peer_name' => '',
>>     'verify_peer' => true,
>>     'verify_depth' => 3,
>>     #'cafile' => '/dont/need/to/set/this/option',
>>   ),
>> );
>>
>> // SMTP socket context options
>> // See http://php.net/manual/en/context.ssl.php
>> $config['smtp_conn_options'] = array(
>>   'ssl' => array(
>>     'peer_name' => '',
>>     'verify_peer' => true,
>>     'verify_depth' => 3,
>>     #'cafile' => '/dont/need/to/set/this/option',
>>   ),
>> );
>>
>> Works for me.
>>
>> On 2016-06-16 20:43, Maurizio Dall'Acqua wrote:
>>> I think that you are right when you say that the problem may be the
>>> certificate recognition.
>>>
>>> As for Roundcube, I've inserted the uncommented php code that you provided
>>> in /usr/share/roundcube/main.inc.php.dist, which is the Raspbian file for
>>> /config/defaults.inc.php. Unfortunately Roundcube doesn't login and
>>> replies
>>> with the message "connection to storage server failed". And the log file
>>> of dovecot gives the reason: unknown certificate.
>>>
>>> In order to solve this problem do you think that I should look into the
>>> configuration file of Squirrelmail/Roundcube or in the config file of
>>> Dovecot?
>>>
>>>
>>> On Wed, Jun 15, 2016 at 05:48:32PM -0400, Gedalya wrote:
>>>> On 06/15/2016 04:26 PM, Maurizio Dall'Acqua wrote:
>>>>> Hi,
>>>>>
>>>>> I have set up a mail server with postfix+dovecot 2.2.13 on my raspberry pi
>>>>> running Raspbian Jessie OS.
>>>>>
>>>>> Now I would like to add an on-line e-mail client like Squirrelmail or
>>>>> Roundcube. I was able to start up these two clients but when I try to login
>>>>> I get this error message in the dovecot log:
>>>>>
>>>>> tlsv1 alert unknown ca: SSL alert number 48
>>>>>
>>>>> But I have inserted the self-signed certificate and key in
>>>>> /etc/dovecot/conf.d/10-master.conf
>>>>>
>>>>> Moreover, I can send and receive e-mails from/to my server, and I can login
>>>>> successfully to dovecot IMAP with Thunderbird.
>>>>>
>>>>> Can somebody give me a clue on how to solve this problem? Any help would be much
>>>>> appreciated.
>>>>>
>>>>> Regards,
>>>>> Maurizio
>>>> This could mean that the client has indicated it was unable to verify
>>>> the server's certificate.
>>>>
>>>> With regards to Roundcube, see this in config/defaults.inc.php:
>>>>
>>>> //$config['imap_conn_options'] = array(
>>>> //   'ssl' => array(
>>>> //     'verify_peer' => true,
>>>> //     'verify_depth' => 3,
>>>> //     'cafile' => '/etc/openssl/certs/ca.crt',
>>>> //   ),
>>>> // );
>>>>
>>>>

From kremels at kreme.com Sat Jun 18 06:13:18 2016
From: kremels at kreme.com (@lbutlr)
Date: Sat, 18 Jun 2016 00:13:18 -0600
Subject: Mail dates
In-Reply-To: <099962bb-f5dc-88ff-25f4-64351dbaa754@libertytrek.org>
References: <6041A995-8E8F-4607-B0D0-2FFA0F3875A7@kreme.com> <0A8A1BA9-2F29-4087-AAFC-5A39EC281C99@kreme.com> <099962bb-f5dc-88ff-25f4-64351dbaa754@libertytrek.org>
Message-ID:

On Jun 17, 2016, at 12:04 PM, Tanstaafl wrote:
> Different clients perceive the dates differently?

Yes, but I used several clients. I thought I said that.

> Here is a decent link to explaining this, as well as providing a tool
> that may help you fix the dates:
>
> http://imapsync.lamiral.info/FAQ.d/FAQ.Dates.txt

This looks very promising. Thanks.

--
"Eureka," he said. "Going to have a bath then?"

From pi at lab2000-linux.homepc.it Sat Jun 18 06:27:37 2016
From: pi at lab2000-linux.homepc.it (Maurizio Dall'Acqua)
Date: Sat, 18 Jun 2016 08:27:37 +0200
Subject: tlsv1 alert unknown ca: SSL alert number 48
Message-ID: <20160618062737.GC31787@lab2000-linux.homepc.it>

The version of Roundcube I am using is 0.9.5+dfsg1-4.1

From lists.zxinn at otaking.se Sat Jun 18 06:36:43 2016
From: lists.zxinn at otaking.se (Tobias)
Date: Sat, 18 Jun 2016 15:36:43 +0900
Subject: tlsv1 alert unknown ca: SSL alert number 48
In-Reply-To:
References: <20160615202638.GA28902@lab2000-linux.homepc.it> <20160616184302.GA31787@lab2000-linux.homepc.it> <6bfb3ebdbef97e2449727ee9e6e20d8c@familie-sitte.org> <20160617201404.GB31787@lab2000-linux.homepc.it>
Message-ID: <058ff7d9f9b9510a7ef006f83178706a@otaking.se>

What does openssl say when you connect to your dovecot server?

openssl s_client -starttls imap -connect :143

With my previous setup (Roundcube 1.1.3; PHP 5.6) I was successfully using only "verify_peer" and "verify_peer_name", both set to false, when connecting to a very old Courier-IMAP server using a self-signed certificate.

E.g.

$config['default_host'] = array(
  'tls://:143' => 'implicit STARTTLS',
  'ssl://:993' => 'explicit SSL',
);
$config['imap_conn_options'] = array(
  'ssl' => array(
    'verify_peer' => false,
    'verify_peer_name' => false,
  ),
);

/Tobias

On 2016-06-18 13:34, Gedalya wrote:
> What version of Roundcube are you using?
>
> On 06/17/2016 04:14 PM, Maurizio Dall'Acqua wrote:
>> I have tried all the suggestions up till now but the error message is
>> still
>> there.
>>
>> I have tried this configuration for roundcube:
>>
>> $config['imap_conn_options'] = array(
>>   'ssl' => array(
>>     'peer_name' => '',
>>     'verify_peer' => true,
>>     'verify_depth' => 3,
>>     // 'cafile' => '/dont/need/to/set/this/option',
>>   ),
>> );
>>
>> and this one:
>>
>> $config['imap_conn_options'] = array(
>>   'ssl' => array(
>>     'verify_peer' => false,
>>     'verify_peer_name' => false,
>>   ),
>> );
>>
>> and this one too:
>>
>> $config['imap_conn_options'] = array(
>>   'ssl' => array(
>>     'verify_peer' => true,
>>     'verify_depth' => 3,
>>     'cafile' => '/path/to/my/self/signed/certificate.pem',
>>   ),
>> );
>>
>> I'm at a loss :-(
>>
>>
>>
>>
>>
>> On Fri, Jun 17, 2016 at 08:43:11AM +0200, Dr.
Matthias Sitte wrote:
>>> Solution: Set 'peer_name' in the SSL stream context to the FQDN of
>>> the
>>> server certificate(s):
>>>
>>> // IMAP socket context options
>>> // See http://php.net/manual/en/context.ssl.php
>>> $config['imap_conn_options'] = array(
>>>   'ssl' => array(
>>>     'peer_name' => '',
>>>     'verify_peer' => true,
>>>     'verify_depth' => 3,
>>>     #'cafile' => '/dont/need/to/set/this/option',
>>>   ),
>>> );
>>>
>>> // SMTP socket context options
>>> // See http://php.net/manual/en/context.ssl.php
>>> $config['smtp_conn_options'] = array(
>>>   'ssl' => array(
>>>     'peer_name' => '',
>>>     'verify_peer' => true,
>>>     'verify_depth' => 3,
>>>     #'cafile' => '/dont/need/to/set/this/option',
>>>   ),
>>> );
>>>
>>> Works for me.
>>>
>>> On 2016-06-16 20:43, Maurizio Dall'Acqua wrote:
>>>> I think that you are right when you say that the problem may be the
>>>> certificate recognition.
>>>>
>>>> As for Roundcube, I've inserted the uncommented php code that you
>>>> provided
>>>> in /usr/share/roundcube/main.inc.php.dist, which is the Raspbian
>>>> file for
>>>> /config/defaults.inc.php. Unfortunately Roundcube doesn't login and
>>>> replies
>>>> with the message "connection to storage server failed". And the log
>>>> file
>>>> of dovecot gives the reason: unknown certificate.
>>>>
>>>> In order to solve this problem do you think that I should look into
>>>> the
>>>> configuration file of Squirrelmail/Roundcube or in the config file
>>>> of
>>>> Dovecot?
>>>>
>>>>
>>>> On Wed, Jun 15, 2016 at 05:48:32PM -0400, Gedalya wrote:
>>>>> On 06/15/2016 04:26 PM, Maurizio Dall'Acqua wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I have set up a mail server with postfix+dovecot 2.2.13 on my
>>>>>> raspberry pi
>>>>>> running Raspbian Jessie OS.
>>>>>>
>>>>>> Now I would like to add an on-line e-mail client like Squirrelmail
>>>>>> or
>>>>>> Roundcube.
I was able to start up these two clients but when I try
>>>>>> to login
>>>>>> I get this error message in the dovecot log:
>>>>>>
>>>>>> tlsv1 alert unknown ca: SSL alert number 48
>>>>>>
>>>>>> But I have inserted the self-signed certificate and key in
>>>>>> /etc/dovecot/conf.d/10-master.conf
>>>>>>
>>>>>> Moreover, I can send and receive e-mails from/to my server, and I
>>>>>> can login
>>>>>> successfully to dovecot IMAP with Thunderbird.
>>>>>>
>>>>>> Can somebody give me a clue on how to solve this problem? Any help
>>>>>> would be much
>>>>>> appreciated.
>>>>>>
>>>>>> Regards,
>>>>>> Maurizio
>>>>> This could mean that the client has indicated it was unable to
>>>>> verify
>>>>> the server's certificate.
>>>>>
>>>>> With regards to Roundcube, see this in config/defaults.inc.php:
>>>>>
>>>>> //$config['imap_conn_options'] = array(
>>>>> //   'ssl' => array(
>>>>> //     'verify_peer' => true,
>>>>> //     'verify_depth' => 3,
>>>>> //     'cafile' => '/etc/openssl/certs/ca.crt',
>>>>> //   ),
>>>>> // );
>>>>>
>>>>>

From matthias at familie-sitte.org Sat Jun 18 08:45:39 2016
From: matthias at familie-sitte.org (Dr. Matthias Sitte)
Date: Sat, 18 Jun 2016 10:45:39 +0200
Subject: tlsv1 alert unknown ca: SSL alert number 48
In-Reply-To: <20160617201404.GB31787@lab2000-linux.homepc.it>
References: <20160615202638.GA28902@lab2000-linux.homepc.it> <20160616184302.GA31787@lab2000-linux.homepc.it> <6bfb3ebdbef97e2449727ee9e6e20d8c@familie-sitte.org> <20160617201404.GB31787@lab2000-linux.homepc.it>
Message-ID:

OK, what if you try to set 'peer_name' to the FQDN in the self-signed cert AND 'cafile' to your CA file? What exactly do the debug logs for Roundcube, Dovecot say? openssl connect output would be helpful, too, as others pointed out as well.

On 2016-06-17 22:14, Maurizio Dall'Acqua wrote:
> I have tried all the suggestions up till now but the error message is
> still
> there.
>
> I have tried this configuration for roundcube:
>
> $config['imap_conn_options'] = array(
>   'ssl' => array(
>     'peer_name' => '',
>     'verify_peer' => true,
>     'verify_depth' => 3,
>     // 'cafile' => '/dont/need/to/set/this/option',
>   ),
> );
>
> and this one:
>
> $config['imap_conn_options'] = array(
>   'ssl' => array(
>     'verify_peer' => false,
>     'verify_peer_name' => false,
>   ),
> );
>
> and this one too:
>
> $config['imap_conn_options'] = array(
>   'ssl' => array(
>     'verify_peer' => true,
>     'verify_depth' => 3,
>     'cafile' => '/path/to/my/self/signed/certificate.pem',
>   ),
> );
>
> I'm at a loss :-(
>
>
>
>
>
> On Fri, Jun 17, 2016 at 08:43:11AM +0200, Dr.
Matthias Sitte wrote:
>> Solution: Set 'peer_name' in the SSL stream context to the FQDN of the
>> server certificate(s):
>>
>> // IMAP socket context options
>> // See http://php.net/manual/en/context.ssl.php
>> $config['imap_conn_options'] = array(
>>   'ssl' => array(
>>     'peer_name' => '',
>>     'verify_peer' => true,
>>     'verify_depth' => 3,
>>     #'cafile' => '/dont/need/to/set/this/option',
>>   ),
>> );
>>
>> // SMTP socket context options
>> // See http://php.net/manual/en/context.ssl.php
>> $config['smtp_conn_options'] = array(
>>   'ssl' => array(
>>     'peer_name' => '',
>>     'verify_peer' => true,
>>     'verify_depth' => 3,
>>     #'cafile' => '/dont/need/to/set/this/option',
>>   ),
>> );
>>
>> Works for me.
>>
>> On 2016-06-16 20:43, Maurizio Dall'Acqua wrote:
>> >I think that you are right when you say that the problem may be the
>> >certificate recognition.
>> >
>> >As for Roundcube, I've inserted the uncommented php code that you provided
>> >in /usr/share/roundcube/main.inc.php.dist, which is the Raspbian file for
>> >/config/defaults.inc.php. Unfortunately Roundcube doesn't login and
>> >replies
>> > with the message "connection to storage server failed". And the log file
>> >of dovecot gives the reason: unknown certificate.
>> >
>> >In order to solve this problem do you think that I should look into the
>> >configuration file of Squirrelmail/Roundcube or in the config file of
>> >Dovecot?
>> >
>> >
>> >On Wed, Jun 15, 2016 at 05:48:32PM -0400, Gedalya wrote:
>> >>On 06/15/2016 04:26 PM, Maurizio Dall'Acqua wrote:
>> >>> Hi,
>> >>>
>> >>> I have set up a mail server with postfix+dovecot 2.2.13 on my raspberry pi
>> >>> running Raspbian Jessie OS.
>> >>>
>> >>> Now I would like to add an on-line e-mail client like Squirrelmail or
>> >>> Roundcube.
I was able to start up these two clients but when I try to login
>> >>> I get this error message in the dovecot log:
>> >>>
>> >>> tlsv1 alert unknown ca: SSL alert number 48
>> >>>
>> >>> But I have inserted the self-signed certificate and key in
>> >>> /etc/dovecot/conf.d/10-master.conf
>> >>>
>> >>> Moreover, I can send and receive e-mails from/to my server, and I can login
>> >>> successfully to dovecot IMAP with Thunderbird.
>> >>>
>> >>> Can somebody give me a clue on how to solve this problem? Any help would be much
>> >>> appreciated.
>> >>>
>> >>> Regards,
>> >>> Maurizio
>> >>
>> >>This could mean that the client has indicated it was unable to verify
>> >>the server's certificate.
>> >>
>> >>With regards to Roundcube, see this in config/defaults.inc.php:
>> >>
>> >>//$config['imap_conn_options'] = array(
>> >>//   'ssl' => array(
>> >>//     'verify_peer' => true,
>> >>//     'verify_depth' => 3,
>> >>//     'cafile' => '/etc/openssl/certs/ca.crt',
>> >>//   ),
>> >>// );
>> >>
>> >>

From lists.zxinn at otaking.se Sat Jun 18 09:33:13 2016
From: lists.zxinn at otaking.se (Tobias)
Date: Sat, 18 Jun 2016 18:33:13 +0900
Subject: tlsv1 alert unknown ca: SSL alert number 48
In-Reply-To: <20160618062737.GC31787@lab2000-linux.homepc.it>
References: <20160618062737.GC31787@lab2000-linux.homepc.it>
Message-ID:

Well there's your problem. Upgrade Roundcube, or add the code to use imap_conn_options to your current version.

http://lists.roundcube.net/pipermail/svn/2014-September/012195.html
Add config option to specify IMAP connection socket parameters - imap_conn_options (#1489948)

On 2016-06-18 15:27, Maurizio Dall'Acqua wrote:
> The version of Roundcube I am using is 0.9.5+dfsg1-4.1

From gedalya at gedalya.net Sat Jun 18 10:37:33 2016
From: gedalya at gedalya.net (Gedalya)
Date: Sat, 18 Jun 2016 06:37:33 -0400
Subject: tlsv1 alert unknown ca: SSL alert number 48
In-Reply-To: <20160618062737.GC31787@lab2000-linux.homepc.it>
References: <20160618062737.GC31787@lab2000-linux.homepc.it>
Message-ID: <65b22f63-742e-ead3-139c-8cdb68f2d742@gedalya.net>

On 06/18/2016 02:27 AM, Maurizio Dall'Acqua wrote:
> The version of Roundcube I am using is 0.9.5+dfsg1-4.1

If you want to get a newer version using Debian packages, perhaps try to add the following line to /etc/apt/sources.list :

deb http://httpredir.debian.org/debian jessie-backports main

Then run:

apt-get --dry-run -tjessie-backports install roundcube

and take a close look at what's being pulled from where, make sure it all makes sense to you.

Then run it again, for real:

apt-get -tjessie-backports install roundcube

This should get you roundcube 1.1.5+dfsg.1-1~bpo8+1 from Debian's repository, while pulling necessary dependencies from your native raspbian.

From pi at lab2000-linux.homepc.it Sat Jun 18 12:01:30 2016
From: pi at lab2000-linux.homepc.it (Maurizio Dall'Acqua)
Date: Sat, 18 Jun 2016 14:01:30 +0200
Subject: tlsv1 alert unknown ca: SSL alert number 48
In-Reply-To: <65b22f63-742e-ead3-139c-8cdb68f2d742@gedalya.net>
References: <20160618062737.GC31787@lab2000-linux.homepc.it> <65b22f63-742e-ead3-139c-8cdb68f2d742@gedalya.net>
Message-ID: <20160618120130.GA27424@lab2000-linux.homepc.it>

I've tried to install the new version of Roundcube but I've got an error
message:


Unpacking roundcube (1.1.5+dfsg.1-1~bpo8+1) ...
Errors were encountered while processing:
 /var/cache/apt/archives/roundcube-core_1.1.5+dfsg.1-1~bpo8+1_all.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)

If anybody can give me instructions on how to correct this, perhaps I should
try to downgrade again?



On Sat, Jun 18, 2016 at 06:37:33AM -0400, Gedalya wrote:
> On 06/18/2016 02:27 AM, Maurizio Dall'Acqua wrote:
> > The version of Roundcube I am using is 0.9.5+dfsg1-4.1
>
> If you want to get a newer version using Debian packages, perhaps try to add the following line to /etc/apt/sources.list :
>
> deb http://httpredir.debian.org/debian jessie-backports main
>
> Then run:
>
> apt-get --dry-run -tjessie-backports install roundcube
>
> and take a close look at what's being pulled from where, make sure it all makes sense to you.
>
> Then run it again, for real:
>
> apt-get -tjessie-backports install roundcube
>
> This should get you roundcube 1.1.5+dfsg.1-1~bpo8+1 from Debian's repository, while pulling necessary dependencies from your native raspbian.

From gedalya at gedalya.net Sat Jun 18 14:27:50 2016
From: gedalya at gedalya.net (Gedalya)
Date: Sat, 18 Jun 2016 10:27:50 -0400
Subject: tlsv1 alert unknown ca: SSL alert number 48
In-Reply-To: <20160618120130.GA27424@lab2000-linux.homepc.it>
References: <20160618062737.GC31787@lab2000-linux.homepc.it> <65b22f63-742e-ead3-139c-8cdb68f2d742@gedalya.net> <20160618120130.GA27424@lab2000-linux.homepc.it>
Message-ID:

I didn't actually test this. There might be some incompatibility preventing this from installing properly on raspbian.
Was there nothing else printed out? Usually when you get such a line it is printed several lines below something else, where the actual problem occurred.
Anyway, this is getting way out of the scope of this mailing list. Frankly it isn't too difficult to just manually install roundcube directly from the sources on github, and that may be your best option right now.


On 06/18/2016 08:01 AM, Maurizio Dall'Acqua wrote:
> I've tried to install the new version of Roundcube but I've got an error
> message:
>
>
> Unpacking roundcube (1.1.5+dfsg.1-1~bpo8+1) ...
> Errors were encountered while processing:
> /var/cache/apt/archives/roundcube-core_1.1.5+dfsg.1-1~bpo8+1_all.deb
> E: Sub-process /usr/bin/dpkg returned an error code (1)
>
> If anybody can give me instructions on how to correct this, perhaps I should
> try to downgrade again?
>
>
>
> On Sat, Jun 18, 2016 at 06:37:33AM -0400, Gedalya wrote:
>> On 06/18/2016 02:27 AM, Maurizio Dall'Acqua wrote:
>>> The version of Roundcube I am using is 0.9.5+dfsg1-4.1
>> If you want to get a newer version using Debian packages, perhaps try to add the following line to /etc/apt/sources.list :
>>
>> deb http://httpredir.debian.org/debian jessie-backports main
>>
>> Then run:
>>
>> apt-get --dry-run -tjessie-backports install roundcube
>>
>> and take a close look at what's being pulled from where, make sure it all makes sense to you.
>>
>> Then run it again, for real:
>>
>> apt-get -tjessie-backports install roundcube
>>
>> This should get you roundcube 1.1.5+dfsg.1-1~bpo8+1 from Debian's repository, while pulling necessary dependencies from your native raspbian.

From kevin at my.walr.us Sat Jun 18 14:46:07 2016
From: kevin at my.walr.us (KT Walrus)
Date: Sat, 18 Jun 2016 10:46:07 -0400
Subject: archive all saved IMAP messages
In-Reply-To: <1024768756.5234502.1466208113886.JavaMail.yahoo@mail.yahoo.com>
References: <493DBB3D-8100-4F56-A790-228B7BA25E0F@my.walr.us> <1024768756.5234502.1466208113886.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <84AC9D49-D722-4DF0-A560-F16D6ABDEBED@my.walr.us>

> On Jun 17, 2016, at 8:01 PM, chaouche yacine wrote:
>
> I'm also interested in learning how to do this best. Last time I thought about it is if users have a different e-mail address on the archive server, you can setup a BCC map in postfix that matches the pair of emails (primary email - archive email), this will automatically send all sent messages in the inbox of the archived email account. In that archive server you can setup sieve rules to move the emails to the sent folder. But that's rather a complicated solution, besides it doesn't work for the draft folder.

Yes. I already have Postfix set up to send a copy of all incoming messages to an archival Dovecot mail server. This was rather easy to do since I have Postfix deliver all inbound messages to a shell script that queues the message in a Redis queue and then sends the message to the archive.

But, my issue is capturing all IMAP saved messages (via IMAP APPEND command). Is there any way to "hook" into the APPEND action to send a copy of the message to the archival Dovecot mail server? I'd really like to just post-process the APPENDED messages with a shell script that is similar to my Postfix shell script (that queues to Redis and sends to the archive).

How do I configure Dovecot IMAP for this use case?

Kevin

>
>
>
>
>
>
>
> ________________________________
> From: KT Walrus
> To: Dovecot Mailing List
> Sent: Friday, June 17, 2016 9:18 PM
> Subject: archive all saved IMAP messages
>
>
> I need to archive (i.e., send to another mail server) all messages saved on my mail servers. I've implemented for SMTP submission, but haven't figured out how to archive messages saved by IMAP (like to Drafts, Sent, etc.).
>
> How would I best implement this? Can I enable Sieve plugin for IMAP? Or, some other method? Like one way backup to archive server?
>
> I really only need to archive the messages sent/saved by a user and not the messages received from other users.
>
> Kevin

From kevin at my.walr.us Sat Jun 18 15:20:49 2016
From: kevin at my.walr.us (KT Walrus)
Date: Sat, 18 Jun 2016 11:20:49 -0400
Subject: archive all saved IMAP messages
In-Reply-To: <84AC9D49-D722-4DF0-A560-F16D6ABDEBED@my.walr.us>
References: <493DBB3D-8100-4F56-A790-228B7BA25E0F@my.walr.us> <1024768756.5234502.1466208113886.JavaMail.yahoo@mail.yahoo.com> <84AC9D49-D722-4DF0-A560-F16D6ABDEBED@my.walr.us>
Message-ID:

> How do I configure Dovecot IMAP for this use case?

I just thought of one possible way to do this:

1. Backup all mail servers every hour or so using "doveadm sync -1" to a mail server that uses Maildir (my source mail servers are using mdbox)
2. Run a script on the backup server that uses the "find" command to identify all new messages in the Maildir folders that have appeared since the last backup
3. Send these new messages to my archive server if the headers in the messages indicate that they were stored by the user directly and not "Received" from outside the mail server

This will pick up messages that have been saved by APPEND and not deleted before the backup command runs.

As I type this, maybe I should just do this hourly check on the source mail servers using the "doveadm search -A" command combined with the "doveadm fetch" command to extract the newly saved messages and check their headers to determine whether the message was saved by IMAP. Newly saved IMAP messages could then be sent to the archive mail server (or queued in Redis for further processing).

> On Jun 18, 2016, at 10:46 AM, KT Walrus wrote:
>
>
>> On Jun 17, 2016, at 8:01 PM, chaouche yacine wrote:
>>
>> I'm also interested in learning how to do this best. Last time I thought about it is if users have a different e-mail address on the archive server, you can setup a BCC map in postfix that matches the pair of emails (primary email - archive email), this will automatically send all sent messages in the inbox of the archived email account. In that archive server you can setup sieve rules to move the emails to the sent folder.
But that's rather a complicated solution, besides it doesn't work for the draft folder.
>
> Yes. I already have Postfix set up to send a copy of all incoming messages to an archival Dovecot mail server. This was rather easy to do since I have Postfix deliver all inbound messages to a shell script that queues the message in a Redis queue and then sends the message to the archive.
>
> But, my issue is capturing all IMAP saved messages (via IMAP APPEND command). Is there any way to "hook" into the APPEND action to send a copy of the message to the archival Dovecot mail server? I'd really like to just post-process the APPENDED messages with a shell script that is similar to my Postfix shell script (that queues to Redis and sends to the archive).
>
> How do I configure Dovecot IMAP for this use case?
>
> Kevin
>
>>
>>
>>
>>
>>
>>
>>
>> ________________________________
>> From: KT Walrus
>> To: Dovecot Mailing List
>> Sent: Friday, June 17, 2016 9:18 PM
>> Subject: archive all saved IMAP messages
>>
>>
>> I need to archive (i.e., send to another mail server) all messages saved on my mail servers. I've implemented for SMTP submission, but haven't figured out how to archive messages saved by IMAP (like to Drafts, Sent, etc.).
>>
>> How would I best implement this? Can I enable Sieve plugin for IMAP? Or, some other method? Like one way backup to archive server?
>>
>> I really only need to archive the messages sent/saved by a user and not the messages received from other users.
>>
>> Kevin
>

From corneliuscharlie1 at gmail.com Sat Jun 18 16:49:34 2016
From: corneliuscharlie1 at gmail.com (Cornelius Charlie)
Date: Sat, 18 Jun 2016 18:49:34 +0200
Subject: Custom storage backend
Message-ID:

Hello,

We use a storage backend that is using non-standard apis.

We would like to know if there is some way to write a storage backend as a plugin instead of hardcoding our changes directly into the dovecot source?

Thanks.

From kevin at my.walr.us Sat Jun 18 16:52:44 2016
From: kevin at my.walr.us (KT Walrus)
Date: Sat, 18 Jun 2016 12:52:44 -0400
Subject: archive all saved IMAP messages
In-Reply-To:
References: <493DBB3D-8100-4F56-A790-228B7BA25E0F@my.walr.us> <1024768756.5234502.1466208113886.JavaMail.yahoo@mail.yahoo.com> <84AC9D49-D722-4DF0-A560-F16D6ABDEBED@my.walr.us>
Message-ID:

One more question: Does "doveadm sync" replicate messages with refcount=0 at the time of sync'ing?

The reason I ask is that, in my case of sync'ing with a "next-day" mail server overnight, all messages that might have been saved by IMAP but deleted shortly thereafter, should still be in the user's mailbox with refcount=0. Correct?

If "doveadm sync" does replicate all messages, whether expunged or not to the "next-day" server, I can run "doveadm search -A" to find all messages saved by IMAP and archive them. This would not put any extra load on my mail servers and allow me to run this extra processing at night on a dedicated "next-day" mail server.

Kevin

> On Jun 18, 2016, at 11:20 AM, KT Walrus wrote:
>
>> How do I configure Dovecot IMAP for this use case?
>
> I just thought of one possible way to do this:
>
> 1. Backup all mail servers every hour or so using "doveadm sync -1" to a mail server that uses Maildir (my source mail servers are using mdbox)
> 2. Run a script on the backup server that uses the "find" command to identify all new messages in the Maildir folders that have appeared since the last backup
> 3. Send these new messages to my archive server if the headers in the messages indicate that they were stored by the user directly and not "Received" from outside the mail server
>
> This will pick up messages that have been saved by APPEND and not deleted before the backup command runs.
>
> As I type this, maybe I should just do this hourly check on the source mail servers using the "doveadm search -A" command combined with the "doveadm fetch"
command to extract the newly saved messages and check their headers to determine whether the message was saved by IMAP. Newly saved IMAP messages could then be sent to the archive mail server (or queued in Redis for further processing).
>
>> On Jun 18, 2016, at 10:46 AM, KT Walrus wrote:
>>
>>
>>> On Jun 17, 2016, at 8:01 PM, chaouche yacine wrote:
>>>
>>> I'm also interested in learning how to do this best. Last time I thought about it is if users have a different e-mail address on the archive server, you can setup a BCC map in postfix that matches the pair of emails (primary email - archive email), this will automatically send all sent messages in the inbox of the archived email account. In that archive server you can setup sieve rules to move the emails to the sent folder. But that's rather a complicated solution, besides it doesn't work for the draft folder.
>>
>> Yes. I already have Postfix set up to send a copy of all incoming messages to an archival Dovecot mail server. This was rather easy to do since I have Postfix deliver all inbound messages to a shell script that queues the message in a Redis queue and then sends the message to the archive.
>>
>> But, my issue is capturing all IMAP saved messages (via IMAP APPEND command). Is there any way to "hook" into the APPEND action to send a copy of the message to the archival Dovecot mail server? I'd really like to just post-process the APPENDED messages with a shell script that is similar to my Postfix shell script (that queues to Redis and sends to the archive).
>>
>> How do I configure Dovecot IMAP for this use case?
>>
>> Kevin
>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> ________________________________
>>> From: KT Walrus
>>> To: Dovecot Mailing List
>>> Sent: Friday, June 17, 2016 9:18 PM
>>> Subject: archive all saved IMAP messages
>>>
>>>
>>> I need to archive (i.e., send to another mail server) all messages saved on my mail servers. I've implemented for SMTP submission, but haven't figured out how to archive messages saved by IMAP (like to Drafts, Sent, etc.).
>>>
>>> How would I best implement this? Can I enable Sieve plugin for IMAP? Or, some other method? Like one way backup to archive server?
>>>
>>> I really only need to archive the messages sent/saved by a user and not the messages received from other users.
>>>
>>> Kevin
>>
>

From aki.tuomi at dovecot.fi Sat Jun 18 17:39:58 2016
From: aki.tuomi at dovecot.fi (aki.tuomi at dovecot.fi)
Date: Sat, 18 Jun 2016 20:39:58 +0300 (EEST)
Subject: Custom storage backend
In-Reply-To:
References:
Message-ID: <1449439626.147.1466271600808@appsuite-dev.open-xchange.com>

> On June 18, 2016 at 7:49 PM Cornelius Charlie wrote:
>
>
> Hello,
>
> We use a storage backend that is using non-standard apis.
>
> We would like to know if there is some way to write a storage backend as a
> plugin instead of hardcoding our changes directly into the dovecot source ?
>
> Thanks.

You want to look at lib-fs I guess and you can probably get somewhere by looking at existing plugins. Unfortunately this is not documented as well as it perhaps should be.

---
Aki Tuomi

From pi at lab2000-linux.homepc.it Sun Jun 19 09:42:44 2016
From: pi at lab2000-linux.homepc.it (Maurizio Dall'Acqua)
Date: Sun, 19 Jun 2016 11:42:44 +0200
Subject: tlsv1 alert unknown ca: SSL alert number 48
In-Reply-To:
References: <20160618062737.GC31787@lab2000-linux.homepc.it> <65b22f63-742e-ead3-139c-8cdb68f2d742@gedalya.net> <20160618120130.GA27424@lab2000-linux.homepc.it>
Message-ID: <20160619094244.GA12508@lab2000-linux.homepc.it>

I have found a solution!

I have tried to install the new version of Roundcube from github, but I have
had some problems with the configuration files. So I've switched back to
Squirrelmail.

I have set Squirrelmail to plain text login but I have tunneled the connection to stunnel4 by means of xinetd, so I can have a secure login connection. For some reason both Roundcube and Squirrelmail can't use the self-signed certificate I provided, but it is not a problem for stunnel4.

So, here we go,

Thanks to all those who have suggested a solution in the mail-list. ;-)

On Sat, Jun 18, 2016 at 10:27:50AM -0400, Gedalya wrote:
> I didn't actually test this. There might be some incompatibility preventing this from installing properly on raspbian.
> Was there nothing else printed out? Usually when you get such a line it is printed several lines below something else, where the actual problem occurred.
> Anyway, this is getting way out of the scope of this mailing list. Frankly it isn't too difficult to just manually install roundcube directly from the sources on github, and that may be your best option right now.
>
>
> On 06/18/2016 08:01 AM, Maurizio Dall'Acqua wrote:
> > I've tried to install the new version of Roundcube but I've got an error
> > message:
> >
> >
> > Unpacking roundcube (1.1.5+dfsg.1-1~bpo8+1) ...
> > Errors were encountered while processing:
> > /var/cache/apt/archives/roundcube-core_1.1.5+dfsg.1-1~bpo8+1_all.deb
> > E: Sub-process /usr/bin/dpkg returned an error code (1)
> >
> > If anybody can give me instructions on how to correct this, perhaps I should
> > try to downgrade again?
> > > > > > > > On Sat, Jun 18, 2016 at 06:37:33AM -0400, Gedalya wrote: > >> On 06/18/2016 02:27 AM, Maurizio Dall'Acqua wrote: > >>> The version of Roundcube I am using is 0.9.5+dfsg1-4.1 > >> If you want to get a newer version using Debian packages, perhaps try to add the following line to /etc/apt/sources.list : > >> > >> deb http://httpredir.debian.org/debian jessie-backports main > >> > >> Then run: > >> > >> apt-get --dry-run -tjessie-backports install roundcube > >> > >> and take a close look at what's being pulled from where, make sure it all makes sense to you. > >> > >> Then run it again, for real: > >> > >> apt-get -tjessie-backports install roundcube > >> > >> This should get you roundcube 1.1.5+dfsg.1-1~bpo8+1 from Debian's repository, while pulling necessary dependencies from your native raspbian. From lists.zxinn at otaking.se Sun Jun 19 14:44:29 2016 
From: lists.zxinn at otaking.se (Tobias)
Date: Sun, 19 Jun 2016 23:44:29 +0900
Subject: tlsv1 alert unknown ca: SSL alert number 48
In-Reply-To: <20160619094244.GA12508@lab2000-linux.homepc.it>
References: <20160618062737.GC31787@lab2000-linux.homepc.it> <65b22f63-742e-ead3-139c-8cdb68f2d742@gedalya.net> <20160618120130.GA27424@lab2000-linux.homepc.it> <20160619094244.GA12508@lab2000-linux.homepc.it>
Message-ID: <042b4b6845e9a967d93e7b1e01c500b9@otaking.se>

That's great! Yeah, stunnel is a very useful tool in this case. Also works
well for securing mail out via submission (port 587), when the webmail
client does not properly support STARTTLS, or the configurability of these
TLS parameters.

Squirrelmail does not currently support this, so you're better off also
using stunnel for outgoing mail, if it needs encryption for authentication
purposes. Not only are these certificate options not yet implemented
(neither for IMAP nor SMTP), but Squirrelmail also does not play nice with
Dovecot when using STARTTLS, and you also disallow any login attempts until
the connection is encrypted. Neither the stable 1.4.23 release, nor the
development track, 1.5.2, handle these parameters or scenarios yet.

I submitted bug reports for these issues, and hacked my own code to include
corrections for my own setup. A quick look at current SVN source for 1.5
track shows no improvement yet. (If I have time this summer I may clean up
my own modification and submit a patch.)

Here's a link to my cross-post to this very mail list, on April 3rd 2016.
https://www.mail-archive.com/dovecot at dovecot.org/msg65453.html

While I use stunnel for many things (perhaps too many), in this case I
wanted to use STARTTLS for no particular reason.

/Tobias

On 2016-06-19 18:42, Maurizio Dall'Acqua wrote:
> I have found a solution!
>
> I have tried to install the new version of Roundcube from github, but I have
> had some problems with the configuration files. So I've switched back to
> Squirrelmail.
>
> I have set Squirrelmail to plain text login but I have tunneled the
> connection to stunnel4 by means of xinetd, so I can have a secure login
> connection. For some reason both Roundcube and Squirrelmail can't use the
> self-signed certificate I provided, but it is not a problem for stunnel4.
>
> So, here we go,
>
> Thanks to all those who have suggested a solution in the mail-list.
>
> ;-)
>
> On Sat, Jun 18, 2016 at 10:27:50AM -0400, Gedalya wrote:
>> I didn't actually test this. There might be some incompatibility
>> preventing this from installing properly on raspbian.
>> Was there nothing else printed out? Usually when you get such a line
>> it is printed several lines below something else, where the actual
>> problem occurred.
>> Anyway, this is getting way out of the scope of this mailing list.
>> Frankly it isn't too difficult to just manually install roundcube
>> directly from the sources on github, and that may be your best option
>> right now.
>>
>>
>> On 06/18/2016 08:01 AM, Maurizio Dall'Acqua wrote:
>> > I've tried to install the new version of Roundcube but I've got an error
>> > message:
>> >
>> >
>> > Unpacking roundcube (1.1.5+dfsg.1-1~bpo8+1) ...
>> > Errors were encountered while processing:
>> > /var/cache/apt/archives/roundcube-core_1.1.5+dfsg.1-1~bpo8+1_all.deb
>> > E: Sub-process /usr/bin/dpkg returned an error code (1)
>> >
>> > If anybody can give me instructions on how to correct this, perhaps I should
>> > try to downgrade again?
>> >
>> >
>> >
>> > On Sat, Jun 18, 2016 at 06:37:33AM -0400, Gedalya wrote:
>> >> On 06/18/2016 02:27 AM, Maurizio Dall'Acqua wrote:
>> >>> The version of Roundcube I am using is 0.9.5+dfsg1-4.1
>> >> If you want to get a newer version using Debian packages, perhaps try to add the following line to /etc/apt/sources.list :
>> >>
>> >> deb http://httpredir.debian.org/debian jessie-backports main
>> >>
>> >> Then run:
>> >>
>> >> apt-get --dry-run -tjessie-backports install roundcube
>> >>
>> >> and take a close look at what's being pulled from where, make sure it all makes sense to you.
>> >>
>> >> Then run it again, for real:
>> >>
>> >> apt-get -tjessie-backports install roundcube
>> >>
>> >> This should get you roundcube 1.1.5+dfsg.1-1~bpo8+1 from Debian's repository, while pulling necessary dependencies from your native raspbian.

From ddr2pw at yahoo.com Sun Jun 19 20:47:27 2016
From: ddr2pw at yahoo.com (Marco Usai)
Date: Sun, 19 Jun 2016 20:47:27 +0000 (UTC)
Subject: Migrate Dovecot email archive
References: <1971464803.9861540.1466369247996.JavaMail.yahoo.ref@mail.yahoo.com>
Message-ID: <1971464803.9861540.1466369247996.JavaMail.yahoo@mail.yahoo.com>

Yesterday I've migrated Dovecot mail archive between two servers using the procedure below:

1) Create on the new server the same email accounts existing on the old server.
2) Transfer the "tarred" mail folder from the old to the new server.

For testing purposes, on Outlook 2007 I've deleted a .pst cache file, forcing the client to download all emails again.

The switch was absolutely transparent without any problem. All the emails were available and Outlook 2007 noticed no changes.

Can I consider this a correct procedure or should I use some tools like Dsync ?

From thomas.cameron at camerontech.com Mon Jun 20 02:15:21 2016
From: thomas.cameron at camerontech.com (Thomas Cameron)
Date: Sun, 19 Jun 2016 19:15:21 -0700
Subject: Fedora + Dovecot - only one client can connect per user?
Message-ID:

Howdy -

I am running dovecot-2.2.24-1.fc23.x86_64 on Fedora 23. It's up to date
as of last night.

When I log in from a desktop using Thunderbird on Linux, my Android
phone (Nexus 6P) stops receiving mail. It happens if I'm on my laptop or
my desktop.

My wife has the same problem using Thunderbird on Windows. If she leaves
the house and forgets to shut down her MUA, her phone can't retrieve
messages.

Is this expected behavior? Can I change it? I feel like it's pretty
common for folks to have multiple devices which access the same mail
account. Between phones, tablets, PCs, etc., this seems like a pretty
common scenario.

It's a pretty vanilla setup:

[root at wintermute ~]# dovecot -n
# 2.2.24 (a82c823): /etc/dovecot/dovecot.conf
# OS: Linux 4.4.4-301.fc23.x86_64 x86_64 Fedora release 23 (Twenty Three)
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
ssl = required
ssl_cert =

From bind at enas.net Mon Jun 20 06:44:36 2016
From: bind at enas.net (Urban Loesch)
Date: Mon, 20 Jun 2016 08:44:36 +0200
Subject: Increased errors "Broken MIME parts" in log file
In-Reply-To: <320B320C-A711-4787-8183-D4B42DC2EEBD@iki.fi>
References: <574EE799.2070806@skye.it> <320B320C-A711-4787-8183-D4B42DC2EEBD@iki.fi>
Message-ID: <576790D4.1000204@enas.net>

Hi,

On 11.06.2016 at 20:31, Timo Sirainen wrote:
> On 11 Jun 2016, at 21:29, Timo Sirainen wrote:
>>
>> On 01 Jun 2016, at 16:48, Alessio Cecchi wrote:
>>>
>>> Hi,
>>>
>>> after the last upgrade to Dovecot 2.2.24.2 (d066a24) I see an increased number of errors "Broken MIME parts" for users in dovecot log file, here an example:
>>>
>>> Jun 01 15:25:29 Error: imap(alessio.cecchi at skye.it): Corrupted index cache file /home/domains/skye.it/alessio.cecchi/Maildir/dovecot.index.cache: Broken MIME parts for mail UID 34 in mailbox INBOX: Cached MIME parts don't match message during parsing: Cached header size mismatch (parts=410000005b070000000000007b07000000000000fc0a000000000000400b0000000000000300000048000000800700000000000060000000000000006400000000000000200000000000000021000000000000000100000040000000260800000000000027000000000000002900000000000000ea00000000000000f000000000000000440000005d090000000000001e000000000000002000000000000000b308000000000000e0080000000000002d00000001000000410000007b09000000000000b208000000000000de080000000000000000000000000000000000000000000000000000)
>>
>> Should be fixed by https://github.com/dovecot/core/commit/1bc6f1c54b4d77830288b8cf19060bd8a6db7b27
>
> Oh, also this is required for it: https://github.com/dovecot/core/commit/20faa69d801460e89aa0b1214f3db4b026999b1e
>

I installed a new version three days ago. There are no more error entries like "Broken MIME parts" in the logs.

Many thanks for the fix
Urban

From skdovecot at smail.inf.fh-brs.de Mon Jun 20 07:13:55 2016
From: skdovecot at smail.inf.fh-brs.de (Steffen Kaiser)
Date: Mon, 20 Jun 2016 09:13:55 +0200 (CEST)
Subject: Migrate Dovecot email archive
In-Reply-To: <1971464803.9861540.1466369247996.JavaMail.yahoo@mail.yahoo.com>
References: <1971464803.9861540.1466369247996.JavaMail.yahoo.ref@mail.yahoo.com> <1971464803.9861540.1466369247996.JavaMail.yahoo@mail.yahoo.com>
Message-ID:

On Sun, 19 Jun 2016, Marco Usai wrote:

> Yesterday I've migrated Dovecot mail archive between two servers using the procedure below:
> 1) Create on the new server the same email accounts existing on the old server.
> 2) Transfer the "tarred" mail folder from the old to the new server.
> For testing purposes, on Outlook 2007 I've deleted a .pst cache file, forcing the client to download all emails again.
>
> The switch was absolutely transparent without any problem. All the emails were available and Outlook 2007 noticed no changes.
> Can I consider this a correct procedure or should I use some tools like Dsync ?

If you do not change the mail storage format (Maildir -> dbox, or
something like that), do not change 32bit -> 64bit, big / little endian
a.s.o.

and if you make sure the old mailbox is not accessed, while you copy the
data over,

it should work :-)

In fact, I use "rsync".

--
Steffen Kaiser

From dovecot-e51 at deemzed.uk Mon Jun 20 08:45:51 2016
From: dovecot-e51 at deemzed.uk (Dave)
Date: Mon, 20 Jun 2016 09:45:51 +0100
Subject: Increased errors "Broken MIME parts" in log file
In-Reply-To: <576790D4.1000204@enas.net>
References: <574EE799.2070806@skye.it> <320B320C-A711-4787-8183-D4B42DC2EEBD@iki.fi> <576790D4.1000204@enas.net>
Message-ID:

On 20/06/2016 07:44, Urban Loesch wrote:
> Hi,
>
> I installed a new version three days ago. There are no more error
> entries like "Broken MIME parts" in the logs.
>
> Many thanks for the fix
> Urban

Sorry I didn't report back also, but can confirm the patch also removed the errors here, too.

Thank you very much!

--
Dave

From alessio at skye.it Mon Jun 20 08:57:16 2016
From: alessio at skye.it (Alessio Cecchi)
Date: Mon, 20 Jun 2016 10:57:16 +0200
Subject: Increased errors "Broken MIME parts" in log file
In-Reply-To: <576790D4.1000204@enas.net>
References: <574EE799.2070806@skye.it> <320B320C-A711-4787-8183-D4B42DC2EEBD@iki.fi> <576790D4.1000204@enas.net>
Message-ID: <5767AFEC.8030807@skye.it>

On 20/06/2016 08:44, Urban Loesch wrote:
>>> Should be fixed by
>>> https://github.com/dovecot/core/commit/1bc6f1c54b4d77830288b8cf19060bd8a6db7b27
>>>
>>
>> Oh, also this is required for it:
>> https://github.com/dovecot/core/commit/20faa69d801460e89aa0b1214f3db4b026999b1e
>>
>>
>
> I installed a new version three days ago. There are no more error
> entries like "Broken MIME parts" in the logs.

Hi,

I've also upgraded dovecot:

# dovecot --version
2.2.24.3 (55cdc32)

but I saw the same error (only one):

Jun 19 09:36:54 pop02 dovecot: imap(pippo at pluto.com): Error: Corrupted index cache file /home/domains/pluto.com/pippo/Maildir/dovecot.index.cache: Broken MIME parts for mail UID 999 in mailbox INBOX: Cached MIME parts don't match message during parsing: Cached header size mismatch (parts=410000005f050000000000007805000000000000055d0000000000008f5d00000000000002000000410000009105000000000000640000000000000065000000000000001859000000000000905900000000000002000000480000002b060000000000004b000000000000004e00000000000000500000000000000050000000000000000000000048000000fd060000000000004a000000000000004d000000000000008d57000000000000fa570000000000006d00000040000000405f0000000000004d010000000000005301000000000000a101000000000000a601000000000000)
Jun 19 09:36:54 pop02 dovecot: imap(pippo at pluto.com): BUG: Unknown internal error in=4990 out=421981 session=

I will send this message to Timo or Teemu for further analysis.

--
Alessio Cecchi
Postmaster @ http://www.qboxmail.it
https://www.linkedin.com/in/alessice

From tanstaafl at libertytrek.org Mon Jun 20 12:22:44 2016
From: tanstaafl at libertytrek.org (Tanstaafl)
Date: Mon, 20 Jun 2016 08:22:44 -0400
Subject: Migrate Dovecot email archive
In-Reply-To:
References: <1971464803.9861540.1466369247996.JavaMail.yahoo.ref@mail.yahoo.com> <1971464803.9861540.1466369247996.JavaMail.yahoo@mail.yahoo.com>
Message-ID:

On 6/20/2016 3:13 AM, Steffen Kaiser wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Sun, 19 Jun 2016, Marco Usai wrote:
>
>> Yesterday I've migrated Dovecot mail archive between two servers using the procedure below:
>> 1) Create on the new server the same email accounts existing on the old server.
>> 2) Transfer the "tarred" mail folder from the old to the new server.
>> For testing purposes, on Outlook 2007 I've deleted a .pst cache file, forcing the client to download all emails again.
>>
>> The switch was absolutely transparent without any problem. All the emails were available and Outlook 2007 noticed no changes.
>> Can I consider this a correct procedure or should I use some tools like Dsync ?
> If you do not change the mail storage format (Maildir -> dbox, or
> something like that), do not change 32bit -> 64bit, big / little endian
> a.s.o.
>
> and if you make sure the old mailbox is not accessed, while you copy the
> data over,
>
> it should work :-)
>
> In fact, I use "rsync".

Imapsync is easier. Made migration from dovecot to Office 365, then back
to dovecot painless and easy, and can be done while both systems are live.

From ddr2pw at yahoo.com Mon Jun 20 14:13:37 2016
From: ddr2pw at yahoo.com (Marco Usai)
Date: Mon, 20 Jun 2016 14:13:37 +0000 (UTC)
Subject: Migrate Dovecot email archive
In-Reply-To:
References: <1971464803.9861540.1466369247996.JavaMail.yahoo.ref@mail.yahoo.com> <1971464803.9861540.1466369247996.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <1756572018.10641500.1466432017899.JavaMail.yahoo@mail.yahoo.com>

Yes, in fact it's working: after the copy I've switched mx record and server address on the email client so, the old mailbox is not used.

Mail storage format was the same on both servers (mbox).

I've preferred this approach than the use of Dsync or Imapsync tools.

On Monday 20 June 2016 9:14, Steffen Kaiser wrote:

On Sun, 19 Jun 2016, Marco Usai wrote:

> Yesterday I've migrated Dovecot mail archive between two servers using the procedure below:
> 1) Create on the new server the same email accounts existing on the old server.
> 2) Transfer the "tarred" mail folder from the old to the new server.
> For testing purposes, on Outlook 2007 I've deleted a .pst cache file, forcing the client to download all emails again.
>
> The switch was absolutely transparent without any problem. All the emails were available and Outlook 2007 noticed no changes.
> Can I consider this a correct procedure or should I use some tools like Dsync ?

If you do not change the mail storage format (Maildir -> dbox, or
something like that), do not change 32bit -> 64bit, big / little endian
a.s.o.

and if you make sure the old mailbox is not accessed, while you copy the
data over,

it should work :-)

In fact, I use "rsync".

--
Steffen Kaiser

From dovecot-e51 at deemzed.uk Mon Jun 20 18:37:38 2016
From: dovecot-e51 at deemzed.uk (Dave)
Date: Mon, 20 Jun 2016 19:37:38 +0100
Subject: Recipient delimiter and lmtp proxying
In-Reply-To:
References:
Message-ID:

On 17/06/2016 13:39, Dave wrote:
> On 16/06/2016 20:49, Dave wrote:
...
>   driver = sql
>   override_fields = proxy=y destuser=%{orig_user}
...
> <"user+Junk\ Email"@domain>
>
> will extract user in director, but passes through the unescaped:
>
>
>
> to the backend, which leads to a 501 5.5.4 Invalid parameter.

Just following up on my (one-man) thread, in case it is of future use to anyone:

Eventually, setting:

destuser="%{orig_username}"@%{orig_domain}

worked around the issue mentioned above, allowing both
recipient-delimiter'ed usernames and quoted local to be passed front to
back without issue.

--
Dave

From ad+lists at uni-x.org Mon Jun 20 19:00:34 2016
From: ad+lists at uni-x.org (Alexander Dalloz)
Date: Mon, 20 Jun 2016 21:00:34 +0200
Subject: Fedora + Dovecot - only one client can connect per user?
In-Reply-To:
References:
Message-ID: <13e86c6c-508e-e9a4-353c-eafe3388adae@uni-x.org>

On 20.06.2016 at 04:15, Thomas Cameron wrote:
> Howdy -

Hi Thomas,

> I am running dovecot-2.2.24-1.fc23.x86_64 on Fedora 23. It's up to date
> as of last night.
>
> When I log in from a desktop using Thunderbird on Linux, my Android
> phone (Nexus 6P) stops receiving mail. It happens if I'm on my laptop or
> my desktop.
>
> My wife has the same problem using Thunderbird on Windows. If she leaves
> the house and forgets to shut down her MUA, her phone can't retrieve
> messages.
>
> Is this expected behavior? Can I change it? I feel like it's pretty
> common for folks to have multiple devices which access the same mail
> account. Between phones, tablets, PCs, etc., this seems like a pretty
> common scenario.

no, that's not to be expected and should work pretty well.

> It's a pretty vanilla setup:
>
> [root at wintermute ~]# dovecot -n
> # 2.2.24 (a82c823): /etc/dovecot/dovecot.conf
> # OS: Linux 4.4.4-301.fc23.x86_64 x86_64 Fedora release 23 (Twenty Three)
> mbox_write_locks = fcntl
> namespace inbox {
>   inbox = yes
>   location =
>   mailbox Drafts {
>     special_use = \Drafts
>   }
>   mailbox Junk {
>     special_use = \Junk
>   }
>   mailbox Sent {
>     special_use = \Sent
>   }
>   mailbox "Sent Messages" {
>     special_use = \Sent
>   }
>   mailbox Trash {
>     special_use = \Trash
>   }
>   prefix =
> }
> passdb {
>   driver = pam
> }
> ssl = required
> ssl_cert =
> ssl_cipher_list = PROFILE=SYSTEM
> ssl_key =
> userdb {
>   driver = passwd
> }

# 2.2.24 (a82c823): /etc/dovecot/dovecot.conf
# OS: Linux 4.5.5-300.fc24.x86_64 x86_64 Fedora release 24 (Twenty Four)

Used an F24 test VM which came up with the same Fedora default dovecot
configuration. I am a bit surprised that yours provides access to mail
though it has no configuration where the mailbox is located on the drive:
"mail_location" is empty as well "location" in the inbox namespace.

What is being logged in /var/log/maillog when the access fails?

My test system did log

Jun 20 20:37:36 fedora24 dovecot: imap-login: Login: user=, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=13441, secured, session=<6G6V/7k1FNV/AAAB>
Jun 20 20:37:36 fedora24 dovecot: imap(dalloz): Error: User initialization failed: Namespace '': Mail storage autodetection failed with home=/home/dalloz
Jun 20 20:37:36 fedora24 dovecot: imap: Error: Invalid user settings. Refer to server log for more information.

Made it working by adding

mail_location = mbox:~/mail:INBOX=/var/mail/%u

to /etc/dovecot/conf.d/10-mail.conf. 2 parallel IMAP logins then were no
problem at all.

The default limit on your Fedora is

# doveconf | grep mail_max_userip_connections

> Thanks!
> Thomas

Kind regards

Alexander

From p at sys4.de Mon Jun 20 20:03:44 2016
From: p at sys4.de (Patrick Ben Koetter)
Date: Mon, 20 Jun 2016 22:03:44 +0200
Subject: Disabling passdb pam in local.conf
Message-ID: <20160620200344.GK31639@sys4.de>

Greetings,

I'm trying to create a configuration that leaves every config file deployed by
an install process or package management software untouched. The goal is to put
every configuration required into /etc/dovecot/local.conf.

I've come quite far, but I fail to disable pam as passdb service in
local.conf. What I get if I run doveconf -n is this section:

passdb {
  driver = pam
}

It is in there, because 10-auth.conf includes it:

!include auth-system.conf.ext

These actions are not an option at the moment:

- modify /etc/dovecot/conf.d/10-auth.conf and comment/remove the
  !include-statement
- create an /etc/dovecot/dovecot.conf which would contain all options required
  and would not include any other *.conf files

Reading http://wiki2.dovecot.org/ConfigFile I see ways to include external
files, but nothing to exclude a file in local.conf.

Knowing Timo I would expect there is a way to achieve what I want. I just
don't seem to find it.

What am I missing?

Regards,

p at rick

--
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
Registered office: München, Amtsgericht München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein

From edgar at pettijohn-web.com Mon Jun 20 21:17:23 2016
From: edgar at pettijohn-web.com (Edgar Pettijohn)
Date: Mon, 20 Jun 2016 16:17:23 -0500
Subject: Disabling passdb pam in local.conf
In-Reply-To: <20160620200344.GK31639@sys4.de>
References: <20160620200344.GK31639@sys4.de>
Message-ID: <92C84AE5-A69C-43D1-8D25-3DEE90C14E6E@pettijohn-web.com>

Sent from my iPhone

> On Jun 20, 2016, at 3:03 PM, Patrick Ben Koetter wrote:
>
> Greetings,
>
> I'm trying to create a configuration that leaves every config file deployed by
> an install process or package management software untouched. The goal is to put
> every configuration required into /etc/dovecot/local.conf.
>
> I've come quite far, but I fail to disable pam as passdb service in
> local.conf. What I get if I run doveconf -n is this section:
>
> passdb {
>   driver = pam
> }
>
> It is in there, because 10-auth.conf includes it:
>
> !include auth-system.conf.ext
>
>
> These actions are not an option at the moment:
>
> - modify /etc/dovecot/conf.d/10-auth.conf and comment/remove the
>   !include-statement
> - create an /etc/dovecot/dovecot.conf which would contain all options required
>   and would not include any other *.conf files
>
> Reading http://wiki2.dovecot.org/ConfigFile I see ways to include external
> files, but nothing to exclude a file in local.conf.
>
> Knowing Timo I would expect there is a way to achieve what I want. I just
> don't seem to find it.
>
> What am I missing?
>
> Regards,
>
> p at rick
>
> --
> [*] sys4 AG
>
> https://sys4.de, +49 (89) 30 90 46 64
> Schleißheimer Straße 26/MG,80333 München
> Registered office: München, Amtsgericht München: HRB 199263
> Executive board: Patrick Ben Koetter, Marc Schiffbauer
> Chairman of the supervisory board: Florian Kirstein
>

Is your goal to have "1" config file?

If so get your system working how you want it then:

doveconf -n > /etc/dovecot/config.test

Start dovecot with this file.

From p at sys4.de Mon Jun 20 21:28:20 2016
From: p at sys4.de (Patrick Ben Koetter)
Date: Mon, 20 Jun 2016 23:28:20 +0200
Subject: Disabling passdb pam in local.conf
In-Reply-To: <92C84AE5-A69C-43D1-8D25-3DEE90C14E6E@pettijohn-web.com>
References: <20160620200344.GK31639@sys4.de> <92C84AE5-A69C-43D1-8D25-3DEE90C14E6E@pettijohn-web.com>
Message-ID: <20160620212820.GS31639@sys4.de>

* Edgar Pettijohn :
> Is your goal to have "1" config file?

No, that would eliminate the ability to change distro settings via the regular
package management.

My goal is to add/remove what my service requires via the additional
local.conf.

p at rick

--
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
Registered office: München, Amtsgericht München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein

From edgar at pettijohn-web.com Mon Jun 20 22:36:21 2016
From: edgar at pettijohn-web.com (Edgar Pettijohn)
Date: Mon, 20 Jun 2016 17:36:21 -0500
Subject: Disabling passdb pam in local.conf
In-Reply-To: <20160620212820.GS31639@sys4.de>
References: <20160620200344.GK31639@sys4.de> <92C84AE5-A69C-43D1-8D25-3DEE90C14E6E@pettijohn-web.com> <20160620212820.GS31639@sys4.de>
Message-ID: <4D6E3647-C0D8-4886-A3E3-3C0CC42B3FDD@pettijohn-web.com>

What distro settings?

Sent from my iPhone

> On Jun 20, 2016, at 4:28 PM, Patrick Ben Koetter wrote:
>
> * Edgar Pettijohn :
>> Is your goal to have "1" config file?
>
> No, that would eliminate the ability to change distro settings via the regular
> package management.
>
> My goal is to add/remove what my service requires via the additional
> local.conf.
>
> p at rick
>
> --
> [*] sys4 AG
>
> https://sys4.de, +49 (89) 30 90 46 64
> Schleißheimer Straße 26/MG,80333 München
>
> Registered office: München, Amtsgericht München: HRB 199263
> Executive board: Patrick Ben Koetter, Marc Schiffbauer
> Chairman of the supervisory board: Florian Kirstein
>

From p at sys4.de Tue Jun 21 06:26:43 2016
From: p at sys4.de (Patrick Ben Koetter)
Date: Tue, 21 Jun 2016 08:26:43 +0200
Subject: Disabling passdb pam in local.conf
In-Reply-To: <4D6E3647-C0D8-4886-A3E3-3C0CC42B3FDD@pettijohn-web.com>
References: <20160620200344.GK31639@sys4.de> <92C84AE5-A69C-43D1-8D25-3DEE90C14E6E@pettijohn-web.com> <20160620212820.GS31639@sys4.de> <4D6E3647-C0D8-4886-A3E3-3C0CC42B3FDD@pettijohn-web.com>
Message-ID: <20160621062634.GB22505@sys4.de>

* Edgar Pettijohn :
> What distro settings?

These files should remain unchanged:

~$ tree /etc/dovecot/
/etc/dovecot/
├── conf.d
│   ├── 10-auth.conf
│   ├── 10-director.conf
│   ├── 10-logging.conf
│   ├── 10-mail.conf
│   ├── 10-master.conf
│   ├── 10-ssl.conf
│   ├── 10-tcpwrapper.conf
│   ├── 15-lda.conf
│   ├── 15-mailboxes.conf
│   ├── 20-imap.conf
│   ├── 90-acl.conf
│   ├── 90-plugin.conf
│   ├── 90-quota.conf
│   ├── auth-checkpassword.conf.ext
│   ├── auth-deny.conf.ext
│   ├── auth-master.conf.ext
│   ├── auth-passwdfile.conf.ext
│   ├── auth-sql.conf.ext
│   ├── auth-static.conf.ext
│   ├── auth-system.conf.ext
│   └── auth-vpopmail.conf.ext
├── dovecot.conf
├── dovecot-dict-sql.conf.ext
├── dovecot.pem
├── dovecot-sql.conf.ext
├── private
└── README

Only /etc/dovecot/local.conf should be changed.

p at rick

>
> Sent from my iPhone
>
> > On Jun 20, 2016, at 4:28 PM, Patrick Ben Koetter wrote:
> >
> > * Edgar Pettijohn :
> >> Is your goal to have "1" config file?
> >
> > No, that would eliminate the ability to change distro settings via the regular
> > package management.
> >
> > My goal is to add/remove what my service requires via the additional
> > local.conf.
> >
> > p at rick
> >
> > --
> > [*] sys4 AG
> >
> > https://sys4.de, +49 (89) 30 90 46 64
> > Schleißheimer Straße 26/MG,80333 München
> >
> > Registered office: München, Amtsgericht München: HRB 199263
> > Executive board: Patrick Ben Koetter, Marc Schiffbauer
> > Chairman of the supervisory board: Florian Kirstein
> >

--
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
Registered office: München, Amtsgericht München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein

From goetz.reinicke at filmakademie.de Tue Jun 21 07:17:06 2016
From: goetz.reinicke at filmakademie.de (Götz Reinicke - IT Koordinator)
Date: Tue, 21 Jun 2016 09:17:06 +0200
Subject: Storage upgrade maildir suggestions?
Message-ID: <9f19fb94-501e-e892-1a56-928273fe9e92@filmakademie.de>

Hi,

we start to run out of diskspace soon as our users start to keep mails
for longer time periods. That's fine, but space consuming.

The maildirs are about 1 TB in total, and not long ago we enabled zlib
which is very nice.

Now I have some thoughts about the next steps:

a) Migrating the whole system to a new server with more storage?

b) Install a virtual server for the mailsystem and an extra storage
system may be NFS?

c) Stay with the current server and move all mails to a bigger NFS storage.

The last option c) would be the most easy one for me as I currently have
NFS space.

Any thoughts? Hints regarding the NFS storage? Pros Cons?

I have seen the dovecot wiki on NFS already and for now we will stay
with one single dovecot server.

Thanks and regards . Götz

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5571 bytes
Desc: S/MIME Cryptographic Signature
URL:

From edgar at pettijohn-web.com Tue Jun 21 11:41:27 2016
From: edgar at pettijohn-web.com (Edgar Pettijohn)
Date: Tue, 21 Jun 2016 06:41:27 -0500
Subject: Disabling passdb pam in local.conf
In-Reply-To: <20160621062634.GB22505@sys4.de>
References: <20160620200344.GK31639@sys4.de> <92C84AE5-A69C-43D1-8D25-3DEE90C14E6E@pettijohn-web.com> <20160620212820.GS31639@sys4.de> <4D6E3647-C0D8-4886-A3E3-3C0CC42B3FDD@pettijohn-web.com> <20160621062634.GB22505@sys4.de>
Message-ID: <230EE63E-38A8-431B-8D56-32E348DD2741@pettijohn-web.com>

> On Jun 21, 2016, at 1:26 AM, Patrick Ben Koetter wrote:
>
> * Edgar Pettijohn :
>> What distro settings?
>
> These files should remain unchanged:
>
> ~$ tree /etc/dovecot/
> /etc/dovecot/
> ├── conf.d
> │   ├── 10-auth.conf
> │   ├── 10-director.conf
> │   ├── 10-logging.conf
> │   ├── 10-mail.conf
> │   ├── 10-master.conf
> │   ├── 10-ssl.conf
> │   ├── 10-tcpwrapper.conf
> │   ├── 15-lda.conf
> │   ├── 15-mailboxes.conf
> │   ├── 20-imap.conf
> │   ├── 90-acl.conf
> │   ├── 90-plugin.conf
> │   ├── 90-quota.conf
> │   ├── auth-checkpassword.conf.ext
> │   ├── auth-deny.conf.ext
> │   ├── auth-master.conf.ext
> │   ├── auth-passwdfile.conf.ext
> │   ├── auth-sql.conf.ext
> │   ├── auth-static.conf.ext
> │   ├── auth-system.conf.ext
> │   └── auth-vpopmail.conf.ext
> ├── dovecot.conf
> ├── dovecot-dict-sql.conf.ext
> ├── dovecot.pem
> ├── dovecot-sql.conf.ext
> ├── private
> └── README
>
> Only /etc/dovecot/local.conf should be changed.
>

So you want the standard files to remain unchanged from default settings and override them with your settings in local.conf?

> p at rick
>
>
>
>
>>
>> Sent from my iPhone
>>
>>> On Jun 20, 2016, at 4:28 PM, Patrick Ben Koetter wrote:
>>>
>>> * Edgar Pettijohn :
>>>> Is your goal to have "1" config file?
>>>
>>> No, that would eliminate the ability to change distro settings via the regular
>>> package management.
>>>
>>> My goal is to add/remove what my service requires via the additional
>>> local.conf.
>>>
>>> p at rick
>>>
>>> --
>>> [*] sys4 AG
>>>
>>> https://sys4.de, +49 (89) 30 90 46 64
>>> Schleißheimer Straße 26/MG,80333 München
>>>
>>> Registered office: München, Amtsgericht München: HRB 199263
>>> Executive board: Patrick Ben Koetter, Marc Schiffbauer
>>> Chairman of the supervisory board: Florian Kirstein
>
> --
> [*] sys4 AG
>
> https://sys4.de, +49 (89) 30 90 46 64
> Schleißheimer Straße 26/MG,80333 München
>
> Registered office: München, Amtsgericht München: HRB 199263
> Executive board: Patrick Ben Koetter, Marc Schiffbauer
> Chairman of the supervisory board: Florian Kirstein
>

From r at sys4.de Tue Jun 21 11:46:27 2016
From: r at sys4.de (Ralf Hildebrandt)
Date: Tue, 21 Jun 2016 13:46:27 +0200
Subject: Disabling passdb pam in local.conf
In-Reply-To: <230EE63E-38A8-431B-8D56-32E348DD2741@pettijohn-web.com>
References: <20160620200344.GK31639@sys4.de> <92C84AE5-A69C-43D1-8D25-3DEE90C14E6E@pettijohn-web.com> <20160620212820.GS31639@sys4.de> <4D6E3647-C0D8-4886-A3E3-3C0CC42B3FDD@pettijohn-web.com> <20160621062634.GB22505@sys4.de> <230EE63E-38A8-431B-8D56-32E348DD2741@pettijohn-web.com>
Message-ID: <20160621114627.GG16708@sys4.de>

* Edgar Pettijohn :

> > Only /etc/dovecot/local.conf should be changed.
> >
> So you want the standard files to remain unchanged from default settings and override them with your settings in local.conf?

Exactly (he said that in his initial mail).
--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, District Court München: HRB 199263
Executive Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the Supervisory Board: Florian Kirstein

From r at sys4.de Tue Jun 21 11:51:56 2016
From: r at sys4.de (Ralf Hildebrandt)
Date: Tue, 21 Jun 2016 13:51:56 +0200
Subject: Disabling passdb pam in local.conf
In-Reply-To: <20160620200344.GK31639@sys4.de>
References: <20160620200344.GK31639@sys4.de>
Message-ID: <20160621115156.GI16708@sys4.de>

* Patrick Ben Koetter :
> Greetings,
>
> I'm trying to create a configuration that leaves every config file deployed by
> an install process or package management software untouched. The goal is to put
> every configuration required into /etc/dovecot/local.conf.
>
> I've come quite far, but I fail to disable pam as passdb service in
> local.conf. What I get if I run doveconf -n is this section:
>
> passdb {
>   driver = pam
> }

It seems that there is no way of saying something like:

remove passdb

Adding new passdb entries is no problem, but removing existing ones is
hard.

What is the actual problem? System accounts shouldn't be able to
log-in? System accounts shouldn't be valid mailboxes?

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, District Court München: HRB 199263
Executive Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the Supervisory Board: Florian Kirstein

From edgar at pettijohn-web.com Tue Jun 21 12:20:49 2016
From: edgar at pettijohn-web.com (Edgar Pettijohn)
Date: Tue, 21 Jun 2016 07:20:49 -0500
Subject: Disabling passdb pam in local.conf
In-Reply-To: <20160621114627.GG16708@sys4.de>
References: <20160620200344.GK31639@sys4.de>
 <92C84AE5-A69C-43D1-8D25-3DEE90C14E6E@pettijohn-web.com>
 <20160620212820.GS31639@sys4.de>
 <4D6E3647-C0D8-4886-A3E3-3C0CC42B3FDD@pettijohn-web.com>
 <20160621062634.GB22505@sys4.de>
 <230EE63E-38A8-431B-8D56-32E348DD2741@pettijohn-web.com>
 <20160621114627.GG16708@sys4.de>
Message-ID:

Sent from my iPhone

> On Jun 21, 2016, at 6:46 AM, Ralf Hildebrandt wrote:
>
> * Edgar Pettijohn :
>
>>> Only /etc/dovecot/local.conf should be changed.
>> So you want the standard files to remain unchanged from default settings and override them with your settings in local.conf?
>
> Exactly (he said that in his initial mail).
>
Sorry for requesting verification.

However, to answer the question. I don't think it's possible.
There are a lot of neat config options, but I don't think the exact use case is possible. It may be easy to implement, I'm not familiar with dovecot's parse_config(). Maybe store the first occurrence of a setting, but replace it with the last encountered.

> --
> [*] sys4 AG
>
> http://sys4.de, +49 (89) 30 90 46 64
> Schleißheimer Straße 26/MG, 80333 München
>
> Registered office: München, District Court München: HRB 199263
> Executive Board: Patrick Ben Koetter, Marc Schiffbauer
> Chairman of the Supervisory Board: Florian Kirstein

From skdovecot at smail.inf.fh-brs.de Tue Jun 21 12:54:11 2016
From: skdovecot at smail.inf.fh-brs.de (Steffen Kaiser)
Date: Tue, 21 Jun 2016 14:54:11 +0200 (CEST)
Subject: Disabling passdb pam in local.conf
In-Reply-To: <20160621115156.GI16708@sys4.de>
References: <20160620200344.GK31639@sys4.de>
 <20160621115156.GI16708@sys4.de>
Message-ID:

On Tue, 21 Jun 2016, Ralf Hildebrandt wrote:

>> I'm trying to create a configuration that leaves every config file deployed by
>> an install process or package management software untouched. The goal is to put
>> every configuration required into /etc/dovecot/local.conf.
>>
>> I've come quite far, but I fail to disable pam as passdb service in
>> local.conf. What I get if I run doveconf -n is this section:
>>
>> passdb {
>>   driver = pam
>> }
>
> It seems that there is no way of saying something like:
>
> remove passdb
>
> Adding new passdb entries is no problem, but removing existing ones is
> hard.

I thought

passwd 1 {
  driver = none
}

would do the trick, but you get an error about that this passdb is
already defined.

passdb 0 {
passdb 2 {

is fine, because they do not already exist.
--
Steffen Kaiser

From edgar at pettijohn-web.com Mon Jun 20 21:46:01 2016
From: edgar at pettijohn-web.com (Edgar Pettijohn)
Date: Mon, 20 Jun 2016 16:46:01 -0500
Subject: Disabling passdb pam in local.conf
In-Reply-To: <20160620212820.GS31639@sys4.de>
References: <20160620200344.GK31639@sys4.de>
 <92C84AE5-A69C-43D1-8D25-3DEE90C14E6E@pettijohn-web.com>
 <20160620212820.GS31639@sys4.de>
Message-ID: <20160620214557.GA42175@thinkpad.my.domain>

On 16-06-20 23:28:20, Patrick Ben Koetter wrote:
> * Edgar Pettijohn :
> > Is your goal to have "1" config file?
>
> No, that would eliminate the ability to change distro settings via the regular
> package management.
>
> My goal is to add/remove what my service requires via the additional
> local.conf.
>
> p at rick
>
> --
> [*] sys4 AG
>
> https://sys4.de, +49 (89) 30 90 46 64
> Schleißheimer Straße 26/MG,80333 München
>
> Registered office: München, District Court München: HRB 199263
> Executive Board: Patrick Ben Koetter, Marc Schiffbauer
> Chairman of the Supervisory Board: Florian Kirstein
>

By distro settings do you mean that you want a config that can be easily changed going from say Debian to FreeBSD? What package management do you speak of?

--
Edgar Pettijohn

From edgar at pettijohn-web.com Mon Jun 20 21:47:34 2016
From: edgar at pettijohn-web.com (Edgar Pettijohn)
Date: Mon, 20 Jun 2016 16:47:34 -0500
Subject: Disabling passdb pam in local.conf
In-Reply-To: <20160620212820.GS31639@sys4.de>
References: <20160620200344.GK31639@sys4.de>
 <92C84AE5-A69C-43D1-8D25-3DEE90C14E6E@pettijohn-web.com>
 <20160620212820.GS31639@sys4.de>
Message-ID: <20160620214734.GA69217@thinkpad.my.domain>

On 16-06-20 23:28:20, Patrick Ben Koetter wrote:
> * Edgar Pettijohn :
> > Is your goal to have "1" config file?
>
> No, that would eliminate the ability to change distro settings via the regular
> package management.
>
> My goal is to add/remove what my service requires via the additional
> local.conf.
>
> p at rick
>
> --
> [*] sys4 AG
>
> https://sys4.de, +49 (89) 30 90 46 64
> Schleißheimer Straße 26/MG,80333 München
>
> Registered office: München, District Court München: HRB 199263
> Executive Board: Patrick Ben Koetter, Marc Schiffbauer
> Chairman of the Supervisory Board: Florian Kirstein
>

What package management do you speak of? I've installed dovecot on several distros and haven't had to use anything other than the typical dovecot config files.

--
Edgar Pettijohn

From edgar at pettijohn-web.com Mon Jun 20 21:57:30 2016
From: edgar at pettijohn-web.com (Edgar Pettijohn)
Date: Mon, 20 Jun 2016 16:57:30 -0500
Subject: Disabling passdb pam in local.conf
In-Reply-To: <20160620212820.GS31639@sys4.de>
References: <20160620200344.GK31639@sys4.de>
 <92C84AE5-A69C-43D1-8D25-3DEE90C14E6E@pettijohn-web.com>
 <20160620212820.GS31639@sys4.de>
Message-ID: <20160620215730.GA62107@thinkpad.my.domain>

On 16-06-20 23:28:20, Patrick Ben Koetter wrote:
> * Edgar Pettijohn :
> > Is your goal to have "1" config file?
>
> No, that would eliminate the ability to change distro settings via the regular
> package management.
>
> My goal is to add/remove what my service requires via the additional
> local.conf.
>
> p at rick
>
> --
> [*] sys4 AG
>
> https://sys4.de, +49 (89) 30 90 46 64
> Schleißheimer Straße 26/MG,80333 München
>
> Registered office: München, District Court München: HRB 199263
> Executive Board: Patrick Ben Koetter, Marc Schiffbauer
> Chairman of the Supervisory Board: Florian Kirstein
>

I'm not sure what you mean by "ability to change distro settings"

--
Edgar Pettijohn

From edgar at pettijohn-web.com Tue Jun 21 13:00:28 2016
From: edgar at pettijohn-web.com (Edgar Pettijohn)
Date: Tue, 21 Jun 2016 08:00:28 -0500
Subject: Disabling passdb pam in local.conf
In-Reply-To:
References: <20160620200344.GK31639@sys4.de>
 <92C84AE5-A69C-43D1-8D25-3DEE90C14E6E@pettijohn-web.com>
 <20160620212820.GS31639@sys4.de>
 <4D6E3647-C0D8-4886-A3E3-3C0CC42B3FDD@pettijohn-web.com>
 <20160621062634.GB22505@sys4.de>
 <230EE63E-38A8-431B-8D56-32E348DD2741@pettijohn-web.com>
 <20160621114627.GG16708@sys4.de>
Message-ID: <20160621130028.GA70399@thinkpad.my.domain>

On 16-06-21 07:20:49, Edgar Pettijohn wrote:
>
>
> Sent from my iPhone
>
> > On Jun 21, 2016, at 6:46 AM, Ralf Hildebrandt wrote:
> >
> > * Edgar Pettijohn :
> >
> >>> Only /etc/dovecot/local.conf should be changed.
> >> So you want the standard files to remain unchanged from default settings and override them with your settings in local.conf?
> >
> > Exactly (he said that in his initial mail).
> >
> Sorry for requesting verification.
>
> However, to answer the question. I don't think it's possible. There are a lot of neat config options, but I don't think the exact use case is possible. It may be easy to implement, I'm not familiar with dovecot's parse_config(). Maybe store the first occurrence of a setting, but replace it with the last encountered.
> >
> > --
> > [*] sys4 AG
> >
> > http://sys4.de, +49 (89) 30 90 46 64
> > Schleißheimer Straße 26/MG, 80333 München
> >
> > Registered office: München, District Court München: HRB 199263
> > Executive Board: Patrick Ben Koetter, Marc Schiffbauer
> > Chairman of the Supervisory Board: Florian Kirstein

Sorry didn't send to list.

--
Edgar Pettijohn

From daniel.colchete at gmail.com Tue Jun 21 19:53:02 2016
From: daniel.colchete at gmail.com (Daniel van Ham Colchete)
Date: Tue, 21 Jun 2016 16:53:02 -0300
Subject: Storage upgrade maildir suggestions?
In-Reply-To: <9f19fb94-501e-e892-1a56-928273fe9e92@filmakademie.de>
References: <9f19fb94-501e-e892-1a56-928273fe9e92@filmakademie.de>
Message-ID:

Gotz,

at that level of usage I would just add more drives. Working with NFS/clustering is not worth it when you are at that level. In the following months I'll send an e-mail to the list here talking about how I'm using Ceph FS successfully with Dovecot, but it's a lot of trouble. At the 1TB/2TB/4TB level, just go out and buy a bigger disk.

As a side note, with too many emails it is always a problem to have too many small files. I would recommend taking a look at mdbox.

Best,
Daniel Colchete

On Tue, Jun 21, 2016 at 4:17 AM, Götz Reinicke - IT Koordinator <
goetz.reinicke at filmakademie.de> wrote:

> Hi,
>
> we start to run out of diskspace soon as our users start to keep mails
> for longer time periods. That's fine, but space consuming.
>
> The maildirs are about 1 TB in total, and not long ago we enabled zlib
> which is very nice.
>
> Now I have some thoughts about the next steps:
>
> a) Migrating the whole system to a new server with more storage?
>
> b) Install a virtual server for the mailsystem and an extra storage
> system may be NFS?
>
> c) Stay with the current server and move all mails to a bigger NFS storage.
>
> The last option c) would be the most easy one for me as I currently have
> NFS space.
>
> Any thoughts? Hints regarding the NFS storage? Pros Cons?
>
> I have seen the dovecot wiki on NFS already and for now we will stay
> with one single dovecot server.
>
>
> Thanks and regards . Götz
>
>

From felipe at felipegasper.com Tue Jun 21 19:58:01 2016
From: felipe at felipegasper.com (Felipe Gasper)
Date: Tue, 21 Jun 2016 14:58:01 -0500
Subject: Pluggable SNI?
Message-ID: <898B1DA3-3C4B-4B02-8D37-8BBB8AEC8624@felipegasper.com>

Hello,

How feasible would it be to have a “pluggable” Dovecot setup that would permit arbitrary logic for fetching TLS/SNI certificates and key, rather than having to hard-code each domain’s resources in a configuration file?

A couple scenarios that I envision such a framework being able to accommodate:

1) An internal TLS service that accepts queries via a UNIX socket by domain name and returns certificate/key.

2) A directory where these resources are stored, indexed by domain name.

Thank you!

-FG

From darix at nordisch.org Tue Jun 21 14:09:43 2016
From: darix at nordisch.org (Marcus Rueckert)
Date: Tue, 21 Jun 2016 14:09:43 +0000
Subject: Storage upgrade maildir suggestions?
In-Reply-To: <9f19fb94-501e-e892-1a56-928273fe9e92@filmakademie.de>
References: <9f19fb94-501e-e892-1a56-928273fe9e92@filmakademie.de>
Message-ID: <8af80bc699e8d3470cb717ce56be0188@nordisch.org>

On 2016-06-21 07:17, Götz Reinicke - IT Koordinator wrote:
> Hi,
>
> we start to run out of diskspace soon as our users start to keep mails
> for longer time periods. That's fine, but space consuming.
>
> The maildirs are about 1 TB in total, and not long ago we enabled zlib
> which is very nice.
>
> Now I have some thoughts about the next steps:
>
> a) Migrating the whole system to a new server with more storage?
>
> b) Install a virtual server for the mailsystem and an extra storage
> system may be NFS?
>
> c) Stay with the current server and move all mails to a bigger NFS
> storage.
>
> The last option c) would be the most easy one for me as I currently
> have
> NFS space.
>
> Any thoughts? Hints regarding the NFS storage? Pros Cons?
>
> I have seen the dovecot wiki on NFS already and for now we will stay
> with one single dovecot server.

FC or iSCSI as storage.

and always have a lvm layer between your HW and the FS. that way you
can easily attach
more disk to the stripe set and grow your storage that way.

darix

--
openSUSE - SUSE Linux is my linux
openSUSE is good for you
www.opensuse.org

From tss at iki.fi Tue Jun 21 22:04:45 2016
From: tss at iki.fi (Timo Sirainen)
Date: Wed, 22 Jun 2016 01:04:45 +0300
Subject: Pluggable SNI?
In-Reply-To: <898B1DA3-3C4B-4B02-8D37-8BBB8AEC8624@felipegasper.com>
References: <898B1DA3-3C4B-4B02-8D37-8BBB8AEC8624@felipegasper.com>
Message-ID: <0C91EC1A-3A32-4BF9-9903-0FA45D960B50@iki.fi>

On 21 Jun 2016, at 22:58, Felipe Gasper wrote:
>
> Hello,
>
> How feasible would it be to have a “pluggable” Dovecot setup that would permit arbitrary logic for fetching TLS/SNI certificates and key, rather than having to hard-code each domain’s resources in a configuration file?
>
> A couple scenarios that I envision such a framework being able to accommodate:
>
> 1) An internal TLS service that accepts queries via a UNIX socket by domain name and returns certificate/key.
>
> 2) A directory where these resources are stored, indexed by domain name.

Configuration settings are looked up from $base_dir/config socket. In theory you could replace this socket with your own proxy service, which forwards all requests to the real config process and changes the reply in whatever way you want.
You should be able to change the default config socket with:

service config {
  unix_listener config {
    path = config-old
  }
}

From tss at iki.fi Tue Jun 21 22:20:42 2016
From: tss at iki.fi (Timo Sirainen)
Date: Wed, 22 Jun 2016 01:20:42 +0300
Subject: Dovecot 2.2.24 coredump client_check_command_hangs()
In-Reply-To:
References:
Message-ID: <0C231194-C6A2-487E-9998-D1151548ACC8@iki.fi>

On 08 Jun 2016, at 12:23, Peter Eriksson wrote:
>
> I’m seeing core dumps from Dovecot’s imap process (around 1/day currently) from client_check_command_hangs().
>
> Dovecot 2.2.24
> OS: Solaris 10
> CPU: x86
> Filesystem: Local ZFS
>
> Most crashes are associated with one user (with 25GB of mail in his mailboxes) but some (two) are also associated with other user with “just” 10GB mail.
>
> Please find enclosed various log files/traces. Let me know if there is something else I might be able to provide that might give more insight into this.

Could you also print in dbx:

print *client->command_queue
print *client->command_queue->next
print *client->command_queue->next->next
print *client->command_queue->next->next->next
..etc until it stops working

Looks like there is still some bug with command pipelining.

From tss at iki.fi Tue Jun 21 22:25:43 2016
From: tss at iki.fi (Timo Sirainen)
Date: Wed, 22 Jun 2016 01:25:43 +0300
Subject: fts lucene crashes in 2.2.24
In-Reply-To:
References:
Message-ID:

On 29 May 2016, at 10:56, Wolfgang Rosenauer wrote:
>
> Hi,
>
> I've just enabled FTS via Lucene on my Dovecot 2.2.24 installation but I
> see the indexer crashing “always”.
>
> This simple testcase with a very tiny testing mailbox exposes the issue
> immediately:
>
> doveadm -v index -u anmesse INBOX
>
> Program received signal SIGSEGV, Segmentation fault.
> rescan_clear_unseen_mailbox (rescan_ctx=rescan_ctx at entry=0x0,
> vname=0x555555839820 "INBOX.Testfolder 2", hdr=hdr at entry=0x7fffffffdaf0) at
> lucene-wrapper.cc:831

Should be fixed by https://github.com/dovecot/core/commit/0f801c1bd3d684c219d7f3b1e75f8b85f66f7951

From tss at iki.fi Tue Jun 21 23:23:39 2016
From: tss at iki.fi (Timo Sirainen)
Date: Wed, 22 Jun 2016 02:23:39 +0300
Subject: Bug with shared access to mailbox
In-Reply-To: <70ec3048-22b7-bc61-a152-4193d5dd1f7b@deemzed.uk>
References: <575121B5.4000006@dovecot.fi>
 <70ec3048-22b7-bc61-a152-4193d5dd1f7b@deemzed.uk>
Message-ID: <79C9F4D8-2551-4BCD-ABBA-0070E9651531@iki.fi>

On 03 Jun 2016, at 11:26, Dave wrote:
>
>> We tested with 2.2.24, and were unable to reproduce the error. Can you
>> try again with 2.2.24?
>
> Apologies for butting in, but I've been seeing exactly the same issue post upgrade to 2.2.24 (from 2.2.18):
>
> [2016-06-02T10:38:28+0100] imap(xxxxx): Error: Corrupted index cache file /mnt/index/8cc/95
> 2952/.INBOX/dovecot.index.cache: Broken MIME parts for mail UID 13758 in mailbox INBOX: Cached MIME parts don't
> match message during parsing: Cached header size mismatch (parts=41000000f7020000000000000a030000000000000508000

This bug should have been fixed by https://github.com/dovecot/core/commit/20faa69d801460e89aa0b1214f3db4b026999b1e + https://github.com/dovecot/core/commit/1bc6f1c54b4d77830288b8cf19060bd8a6db7b27

From tss at iki.fi Tue Jun 21 23:33:24 2016
From: tss at iki.fi (Timo Sirainen)
Date: Wed, 22 Jun 2016 02:33:24 +0300
Subject: autocreate: We need "auto=init"!
In-Reply-To: <5735ACA8.8080303@heinlein-support.de>
References: <5735ACA8.8080303@heinlein-support.de>
Message-ID: <7A247C7B-E170-4C6C-A748-77D45C45A453@iki.fi>

On 13 May 2016, at 13:30, Peer Heinlein wrote:
>
>
> There had been several discussions about the common problem, that
> there's need for an autocreate-function that creates mailboxes ONLY for
> new users that had never been logged in before.
>
> The reason: Existing users already HAVE "special folders" with localized
> names. Creating "standard names" at every login will produce confusion,
> because then they have multiple Sent-Folders and aren't able to
> delete them, because they'll always be recreated.
>
> I would love to have:
>
> 1) auto = init
> Create the folders ONLY if the whole Storage-Folder (e.g.: ~/Maildir or
> e.g. `/mdbox) is created (=creation of the INBOX itself). Don't create
> any folder if the main INBOX already exists. Since there has to be a
> hook to autocreate a non-existing INBOX it should be able to use this
> action to also create the folders with auto=init at the same time.

You should be able to implement this with http://wiki2.dovecot.org/Plugins/Welcome

From darix at nordisch.org Wed Jun 22 04:46:21 2016
From: darix at nordisch.org (Marcus Rueckert)
Date: Wed, 22 Jun 2016 06:46:21 +0200
Subject: Disabling passdb pam in local.conf
In-Reply-To: <20160620200344.GK31639@sys4.de>
References: <20160620200344.GK31639@sys4.de>
Message-ID: <20160622064621.381ada63@pixie.lan>

On Mon, 20 Jun 2016 22:03:44 +0200
Patrick Ben Koetter wrote:

> Greetings,
>
> I'm trying to create a configuration that leaves every config file
> deployed by an install process or package management software
> untouched. The goal is to put every configuration required
> into /etc/dovecot/local.conf.
>
> I've come quite far, but I fail to disable pam as passdb service in
> local.conf. What I get if I run doveconf -n is this section:
>
> passdb {
>   driver = pam
> }
>
> It is in there, because 10-auth.conf includes it:
>
> !include auth-system.conf.ext
>
>
> These actions are not an option at the moment:
>
> - modify /etc/dovecot/conf.d/10-auth.conf and comment/remove the
>   !include-statement
> - create an /etc/dovecot/dovecot.conf which would contain all options
>   required and would not include any other *.conf files
>
> Reading http://wiki2.dovecot.org/ConfigFile I see ways to include
> external files, but nothing to exclude a file in local.conf.
>
> Knowing Timo I would expect there is a way to achieve what I want. I
> just don't seem to find it.
>
> What am I missing?

That 10-auth.conf is actually meant to be edited. most distros should
have configuration file handling pretty much figured out by now. so
none of your changes to those files should get lost. also configuration
management comes to mind.

darix

--
openSUSE - SUSE Linux is my linux
openSUSE is good for you
www.opensuse.org

From p at sys4.de Wed Jun 22 06:09:46 2016
From: p at sys4.de (Patrick Ben Koetter)
Date: Wed, 22 Jun 2016 08:09:46 +0200
Subject: Disabling passdb pam in local.conf
In-Reply-To: <20160622064621.381ada63@pixie.lan>
References: <20160620200344.GK31639@sys4.de>
 <20160622064621.381ada63@pixie.lan>
Message-ID: <20160622060946.GB1552@sys4.de>

* Marcus Rueckert :
> > What am I missing?
>
> That 10-auth.conf is actually meant to be edited. most distros should
> have configuration file handling pretty much figured out by now. so
> none of your changes to those files should get lost. also configuration
> management comes to mind.

As I repeatedly said none of those actions are an option in this project.
I think we better stop this thread.

p at rick

--
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München

Registered office: München, District Court München: HRB 199263
Executive Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the Supervisory Board: Florian Kirstein

From p at sys4.de Wed Jun 22 06:48:05 2016
From: p at sys4.de (Patrick Ben Koetter)
Date: Wed, 22 Jun 2016 08:48:05 +0200
Subject: Disabling passdb pam in local.conf
In-Reply-To: <20160622060946.GB1552@sys4.de>
References: <20160620200344.GK31639@sys4.de>
 <20160622064621.381ada63@pixie.lan>
 <20160622060946.GB1552@sys4.de>
Message-ID: <20160622064804.GC4589@sys4.de>

* Patrick Ben Koetter :
> * Marcus Rueckert :
> > > What am I missing?
> >
> > That 10-auth.conf is actually meant to be edited. most distros should
> > have configuration file handling pretty much figured out by now. so
> > none of your changes to those files should get lost. also configuration
> > management comes to mind.
>
> As I repeatedly said none of those actions are an option in this project.
> I think we better stop this thread.

For the books: It can't be done at the moment. That would require the passdb
section to become a named section, e.g. like this:

passdb pam {
  driver = pam
}

Then one would be able to address this particular passdb namespace and do e.g.
something like this:

passdb pam {
  driver = pam
  enabled = no
}

p at rick

--
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München

Registered office: München, District Court München: HRB 199263
Executive Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the Supervisory Board: Florian Kirstein

From pch at myzel.net Wed Jun 22 08:02:09 2016
From: pch at myzel.net (Peter Chiochetti)
Date: Wed, 22 Jun 2016 10:02:09 +0200
Subject: Disabling passdb pam in local.conf
In-Reply-To: <20160621115156.GI16708@sys4.de>
References: <20160620200344.GK31639@sys4.de>
 <20160621115156.GI16708@sys4.de>
Message-ID: <576A4601.7030604@myzel.net>

On 2016-06-21 at 13:51, Ralf Hildebrandt wrote:
> * Patrick Ben Koetter :
>> Greetings,
>>
>> I'm trying to create a configuration that leaves every config file deployed by
>> an install process or package management software untouched. The goal is to put
>> every configuration required into /etc/dovecot/local.conf.
>>
>> I've come quite far, but I fail to disable pam as passdb service in
>> local.conf. What I get if I run doveconf -n is this section:
>>
>> passdb {
>>   driver = pam
>> }
>
>
> What is the actual problem? System accounts shouldn't be able to
> log-in? System accounts shouldn't be valid mailboxes?
>

Use case: virtual accounts in "passdb { driver = passwd-file …"

The initial pam driver will make each logon have to wait for pam to timeout first which adds a considerable delay in the process

--
peter

From goetz.reinicke at filmakademie.de Wed Jun 22 08:28:08 2016
From: goetz.reinicke at filmakademie.de (Götz Reinicke - IT Koordinator)
Date: Wed, 22 Jun 2016 10:28:08 +0200
Subject: Storage upgrade maildir suggestions?
In-Reply-To: <8af80bc699e8d3470cb717ce56be0188@nordisch.org>
References: <9f19fb94-501e-e892-1a56-928273fe9e92@filmakademie.de>
 <8af80bc699e8d3470cb717ce56be0188@nordisch.org>
Message-ID: <9348569b-c044-3bfb-3072-b57059190d96@filmakademie.de>

On 21.06.16 at 16:09, Marcus Rueckert wrote:
> On 2016-06-21 07:17, Götz Reinicke - IT Koordinator wrote:
>> Hi,
>>
>> we start to run out of diskspace soon as our users start to keep mails
>> for longer time periods. That's fine, but space consuming.
>>
>> The maildirs are about 1 TB in total, and not long ago we enabled zlib
>> which is very nice.
>>
>> Now I have some thoughts about the next steps:
>>
>> a) Migrating the whole system to a new server with more storage?
>>
>> b) Install a virtual server for the mailsystem and an extra storage
>> system may be NFS?
>>
>> c) Stay with the current server and move all mails to a bigger NFS
>> storage.
>>
>> The last option c) would be the most easy one for me as I currently have
>> NFS space.
>>
>> Any thoughts? Hints regarding the NFS storage? Pros Cons?
>>
>> I have seen the dovecot wiki on NFS already and for now we will stay
>> with one single dovecot server.
>
> FC or iSCSI as storage.
>
> and always have a lvm layer between your HW and the FS. that way you
> can easily attach
> more disk to the stripe set and grow your storage that way.
>
> darix
>

Hi Darix,

thanks for that feedback. Currently we are moving away in lot of areas from
iscsi as it is too much maintenance for us. But maybe we go with a small one
for the mailsystem ...

Regards . Götz

From goetz.reinicke at filmakademie.de Wed Jun 22 08:30:15 2016
From: goetz.reinicke at filmakademie.de (Götz Reinicke - IT Koordinator)
Date: Wed, 22 Jun 2016 10:30:15 +0200
Subject: Storage upgrade maildir suggestions?
In-Reply-To:
References: <9f19fb94-501e-e892-1a56-928273fe9e92@filmakademie.de>
Message-ID: <9a2be83c-7d90-4e9f-a8cf-49f8dcfc7e5d@filmakademie.de>

Hi Daniel,

thanks for your feedback. Adding more disks is adding a new shelf as all
slots are in use and this is a sun/intel server with all slots already in use.

Ceph is our goal for this year for some filestorages but for mail I'll need
space now xD ...

O.K. I'll check some storage with a bigger disk; maybe some small "iscsi-box".

Regards . Götz

On 21.06.16 at 21:53, Daniel van Ham Colchete wrote:
> Gotz,
>
> at that level of usage I would just add more drives. Working with
> NFS/clustering is not worth it when you are at that level. In the following
> months I'll send a e-mail to the list here talking about how I'm using Ceph
> FS successfully with Dovecot, but it's a lot of trouble. At the 1TB/2TB/4TB
> level, just go out and buy a bigger disk.
>
> As a side note, with too may emails it is always a problem to have too many
> small files.
> I would recommend taking a look at mdbox.
>
> Best,
> Daniel Colchete
>
> On Tue, Jun 21, 2016 at 4:17 AM, Götz Reinicke - IT Koordinator <
> goetz.reinicke at filmakademie.de> wrote:
>
>> Hi,
>>
>> we start to run out of diskspace soon as our users start to keep mails
>> for longer time periods. That's fine, but space consuming.
>>
>> The maildirs are about 1 TB in total, and not long ago we enabled zlib
>> which is very nice.
>>
>> Now I have some thoughts about the next steps:
>>
>> a) Migrating the whole system to a new server with more storage?
>>
>> b) Install a virtual server for the mailsystem and an extra storage
>> system may be NFS?
>>
>> c) Stay with the current server and move all mails to a bigger NFS storage.
>>
>> The last option c) would be the most easy one for me as I currently have
>> NFS space.
>>
>> Any thoughts? Hints regarding the NFS storage? Pros Cons?
>>
>> I have seen the dovecot wiki on NFS already and for now we will stay
>> with one single dovecot server.
>>
>>
>> Thanks and regards . Götz
>>
>>
>>
>>

From j.emerlik at gmail.com Wed Jun 22 10:51:35 2016
From: j.emerlik at gmail.com (j.emerlik)
Date: Wed, 22 Jun 2016 12:51:35 +0200
Subject: post-login script and original remote ip in proxy mode
Message-ID:

Hi,

i have similar problem like this:

"On Mon, 2013-05-27 at 23:40 +0300, Ibrahim Harrani wrote:
> Hi,
>
> I am running dovecot on 3 qmail-ldap server backend.
> dovecot configured to use auth_pop3 wrapper for authentication.
> Users logins to the qmail-ldap pop3&imap pools randomly. If a user is
> mailhost is not the connected server, dovecot proxies the connection to the
> user mailhost. In this case, I can not get the original client IP address
> via post-logins script on user host. I see only the first connected server
> IP as $IP environment.
Set login_trusted_networks setting pointing to the proxies' IPs/network
and you'll get the original IP. Requires v2.1.2+ to work with pop3
proxying."

What can I do in case if dovecot proxy is installed on a same server ?

Setting of login_trusted_networks causes issue like:

dovecot: imap-login: proxy(xxx): Login failed to xxx:9993: [UNAVAILABLE] Account is temporarily unavailable.
dovecot: imap-login: Disconnected (internal failure, 1 successful auths)

on port 9993 works service dovecot imap
on port 8993 works service courier imap
proxy works on 993

From me at junc.eu Wed Jun 22 13:45:31 2016
From: me at junc.eu (Benny Pedersen)
Date: Wed, 22 Jun 2016 15:45:31 +0200
Subject: Disabling passdb pam in local.conf
In-Reply-To: <20160621114627.GG16708@sys4.de>
References: <20160620200344.GK31639@sys4.de> <92C84AE5-A69C-43D1-8D25-3DEE90C14E6E@pettijohn-web.com> <20160620212820.GS31639@sys4.de> <4D6E3647-C0D8-4886-A3E3-3C0CC42B3FDD@pettijohn-web.com> <20160621062634.GB22505@sys4.de> <230EE63E-38A8-431B-8D56-32E348DD2741@pettijohn-web.com> <20160621114627.GG16708@sys4.de>
Message-ID: <148690843a44d7d5594d469c051c3fbe@junc.eu>

On 2016-06-21 13:46, Ralf Hildebrandt wrote:
> * Edgar Pettijohn :
>> > Only /etc/dovecot/local.conf should be changed.
>> >
>> So you want the standard files to remain unchanged from default
>> settings and override them with your settings in local.conf?
>
> Exactly (he said that in his initial mail).

so we all need to do "dovecot -n >>/tmp/dovecot.conf" or go back to
dovecot v1 ? :-)

i think local.conf is more an extender conf file for new things not in
current config, or more like non standard plugins not in dovecot sources

in gentoo i just keep edit default files, and if its changed AFTER install
gentoo tells me that its changed, and then show a "diff old new" so i know
my faults later

ps: is there a hope for dovecot maillist not break dkim ?
From miloslav.hula at gmail.com Wed Jun 22 14:40:56 2016
From: miloslav.hula at gmail.com (Miloslav Hůla)
Date: Wed, 22 Jun 2016 16:40:56 +0200
Subject: Mailboxes on NFS or iSCSI
Message-ID:

Hello,

we are running Dovecot (2.2.13-12~deb8u1) on Debian stable. Configured
with Mailbox++, IMAP, POP3, LMTPD, Managesieved, ACL. Mailboxes are on
local 1.2TB RAID, it's about 5310 accounts.

We are slowly getting out of space and we are considering to move
Mailboxes onto Netapp disk array with two independent network connections.

Are there some pitfalls? Not sure we should use NTP or iSCSI mounts (both
open implementations are not so shiny).

Thanks for sharing any experiences.

Kind regards, Milo

From bpk678 at gmail.com Wed Jun 22 17:18:55 2016
From: bpk678 at gmail.com (brendan kearney)
Date: Wed, 22 Jun 2016 13:18:55 -0400
Subject: Mailboxes on NFS or iSCSI
In-Reply-To:
References:
Message-ID:

I chose nfs for my env because I wanted multiple load balanced instances of
dovecot to be able to access the mailbox files. If you use iscsi, you will
need to pin the user to the dovecot instance that has the LUN mounted. For
me, scalability and single point of failure was lost or lessened when using
iscsi.

On Jun 22, 2016 10:41 AM, "Miloslav Hůla" wrote:
> Hello,
>
> we are running Dovecot (2.2.13-12~deb8u1) on Debian stable. Configured
> with Mailbox++, IMAP, POP3, LMTPD, Managesieved, ACL. Mailboxes are on
> local 1.2TB RAID, it's about 5310 accounts.
>
> We are slowly getting out of space and we are considering to move
> Mailboxes onto Netapp disk array with two independent network connections.
>
> Are there some pitfalls? Not sure we should use NTP or iSCSI mounts (both
> open implementations are not so shiny).
>
> Thanks for sharing any experiences.
>
> Kind regards, Milo
>

From felipe at felipegasper.com Wed Jun 22 21:02:57 2016
From: felipe at felipegasper.com (Felipe Gasper)
Date: Wed, 22 Jun 2016 16:02:57 -0500
Subject: Pluggable SNI?
In-Reply-To: <0C91EC1A-3A32-4BF9-9903-0FA45D960B50@iki.fi>
References: <898B1DA3-3C4B-4B02-8D37-8BBB8AEC8624@felipegasper.com> <0C91EC1A-3A32-4BF9-9903-0FA45D960B50@iki.fi>
Message-ID: <42B9C51B-0F44-46B8-BAAF-50EBB30BE067@felipegasper.com>

>
> On 21 Jun 2016, at 5:04 PM, Timo Sirainen wrote:
>
> On 21 Jun 2016, at 22:58, Felipe Gasper wrote:
>>
>> Hello,
>>
>> How feasible would it be to have a “pluggable” Dovecot setup that would permit arbitrary logic for fetching TLS/SNI certificates and key, rather than having to hard-code each domain’s resources in a configuration file?
>>
>> A couple scenarios that I envision such a framework being able to accommodate:
>>
>> 1) An internal TLS service that accepts queries via a UNIX socket by domain name and returns certificate/key.
>>
>> 2) A directory where these resources are stored, indexed by domain name.
>
> Configuration settings are looked up from $base_dir/config socket. In theory you could replace this socket with your own proxy service, which forwards all requests to the real config process and changes the reply in whatever way you want. You should be able to change the default config socket with:
>
> service config {
>   unix_listener config {
>     path = config-old
>   }
> }

Interesting - thank you!

Does this just cache the config at start time, or will it query for each
connection? I just tried swapping in my own dummy socket, and it didn’t seem
to report anything interesting, which makes me suspect this is a start-time
thing. I was hoping for something that could be updated in real-time ? ?

Thank you!

-FG

From news at mefox.org Thu Jun 23 05:01:32 2016
From: news at mefox.org (Michael Fox)
Date: Wed, 22 Jun 2016 22:01:32 -0700
Subject: newbie userdb lookup problem
Message-ID: <022801d1cd0c$4fc112d0$ef433870$@mefox.org>

I'm new to Dovecot and I'm having trouble getting basic, flat file userdb
lookups to work. This must have been asked before, but if so, I can't find it.

I'm following the basic setup here:
http://wiki2.dovecot.org/HowTo/SimpleVirtualInstall with a few minor
differences. Output of doveconf -n is below, as well as relevant entries
from postfix main.cf and master.cf.

When I send a message to a virtual user that will be handled by Dovecot,
Postfix hands it off to Dovecot LDA. But I get the following error in the
log:

Jun 22 20:53:33 xxxxx dovecot: lda: Error: userdb lookup: connect(/var/run/dovecot/auth-userdb) failed: Permission denied (euid=5000(vmail) egid=5000(vmail) missing +r perm: /var/run/dovecot/auth-userdb, dir owned by 0:0 mode=0755)

/var/run/dovecot/ is indeed owned by root:root with 0755 permissions.

The actual passwd file used for userdb/passdb is currently owned by
root:vmail with 0640 permissions.

I read http://wiki2.dovecot.org/UserIds but I just don't understand the
section on "Authentication process user". It's very vague. It doesn't
explain which service is used for which circumstances or how to correlate
the userdb/passdb file permissions with the service user/group settings for
best security.

The http://wiki2.dovecot.org/HowTo/SimpleVirtualInstall link mentions
nothing about having to modify the auth or auth-worker services.

And the http://wiki2.dovecot.org/HowTo/VirtualUserFlatFilesPostfix page
mentions a new "doveauth" user which isn't described elsewhere and sets
service auth to user postfix and group postfix, something not mentioned
anywhere else.

/etc/doveconf/10-master.conf says that the service auth socket is typically
readable only by root. Uhm. OK. Well, my passwd file is owned by root. I
don't know how that relates to the socket. So I don't understand the problem.

Bottom line, each information source seems to say something completely
different. I can't correlate the information in the above sources into any
actionable result.

Questions:

Basically, can someone please explain how the permissions for userdb and
passdb lookup work (i.e. file permissions vs. service permissions)?

What's the best solution to solve the above problem permission problem in
the most secure way? Adjust the config of service auth? If so, how and why?
Or adjust my passwd file ownership? If so, how and why?

I'm really trying to understand the why, not just the what.

Thanks much.

Michael

Output of doveconf -n follows:

# 2.0.19: /etc/dovecot/dovecot.conf
# OS: Linux 3.13.0-86-generic i686 Ubuntu 12.04.5 LTS
auth_verbose = yes
disable_plaintext_auth = no
mail_gid = vmail
mail_location = maildir:~/Maildir
mail_uid = vmail
passdb {
  driver = pam
}
passdb {
  args = username_format=%n /var/vmail/auth.d/%d/passwd
  driver = passwd-file
}
pop3_uidl_format = %08Xv%08Xu
protocols = pop3
ssl = no
ssl_cert =

References: <022801d1cd0c$4fc112d0$ef433870$@mefox.org>
Message-ID: <1549109748.8193.1466659161644@appsuite-dev.open-xchange.com>

> On June 23, 2016 at 8:01 AM Michael Fox wrote:
>
>
> I'm new to Dovecot and I'm having trouble getting basic, flat file userdb
> lookups to work. This must have been asked before, but if so, I can't find
> it.
>
>
>
> I'm following the basic setup here:
> http://wiki2.dovecot.org/HowTo/SimpleVirtualInstall with a few minor
> differences. Output of doveconf -n is below, as well as relevant entries
> from postfix main.cf and master.cf.
>
>
>
> When I send a message to a virtual user that will be handled by Dovecot,
> Postfix hands it off to Dovecot LDA. But I get the following error in the
> log:
>
>
>
> Jun 22 20:53:33 xxxxx dovecot: lda: Error: userdb lookup:
> connect(/var/run/dovecot/auth-userdb) failed: Permission denied
> (euid=5000(vmail) egid=5000(vmail) missing +r perm:
> /var/run/dovecot/auth-userdb, dir owned by 0:0 mode=0755)
>
>
>
> /var/run/dovecot/ is indeed owned by root:root with 0755 permissions.
>
> The actual passwd file used for userdb/passdb is currently owned by
> root:vmail with 0640 permissions.
>
>

http://wiki.dovecot.org/LDA

Section virtual users, with lookup has the answer.

---
Aki Tuomi

From news at mefox.org Thu Jun 23 05:56:55 2016
From: news at mefox.org (Michael Fox)
Date: Wed, 22 Jun 2016 22:56:55 -0700
Subject: newbie userdb lookup problem
In-Reply-To: <1549109748.8193.1466659161644@appsuite-dev.open-xchange.com>
References: <022801d1cd0c$4fc112d0$ef433870$@mefox.org> <1549109748.8193.1466659161644@appsuite-dev.open-xchange.com>
Message-ID: <025501d1cd14$0c82be30$25883a90$@mefox.org>

> http://wiki.dovecot.org/LDA
>
> Section virtual users, with lookup has the answer.

Thanks for the quick response Aki.

I presume you're referring to this:

service auth {
  unix_listener auth-userdb {
    mode = 0600
    user = vmail # User running dovecot-lda
    #group = vmail # Or alternatively mode 0660 + dovecot-lda user in this group
  }
}

So, given that, then I'm still not clear on the following:
1) User vmail is reading the userdb, not writing to the userdb. So why mode 0600?
2) What should the owner, group and mode/permissions of the actual userdb flat file be for best security?

Michael

From goetz.reinicke at filmakademie.de Thu Jun 23 06:05:07 2016
From: goetz.reinicke at filmakademie.de (Götz Reinicke - IT Koordinator)
Date: Thu, 23 Jun 2016 08:05:07 +0200
Subject: Mailboxes on NFS or iSCSI
In-Reply-To:
References:
Message-ID: <65191e0f-99ba-d2a2-6ba9-2e1854f059fa@filmakademie.de>

Hi,

On 22.06.16 at 16:40, Miloslav Hůla wrote:
> Hello,
>
> we are running Dovecot (2.2.13-12~deb8u1) on Debian stable. Configured
> with Mailbox++, IMAP, POP3, LMTPD, Managesieved, ACL. Mailboxes are on
> local 1.2TB RAID, it's about 5310 accounts.
>
> We are slowly getting out of space and we are considering to move
> Mailboxes onto Netapp disk array with two independent network
> connections.
>
> Are there some pitfalls? Not sure we should use NTP or iSCSI mounts
> (both open implementations are not so shiny).
>
> Thanks for sharing any experiences.

have a look at my question and the answers from the yesterday posting
"Storage upgrade maildir suggestions".
May be they help you too.

Regards . Götz

From aki.tuomi at dovecot.fi Thu Jun 23 06:39:33 2016
From: aki.tuomi at dovecot.fi (aki.tuomi at dovecot.fi)
Date: Thu, 23 Jun 2016 09:39:33 +0300 (EEST)
Subject: newbie userdb lookup problem
In-Reply-To: <025501d1cd14$0c82be30$25883a90$@mefox.org>
References: <022801d1cd0c$4fc112d0$ef433870$@mefox.org> <1549109748.8193.1466659161644@appsuite-dev.open-xchange.com> <025501d1cd14$0c82be30$25883a90$@mefox.org>
Message-ID: <1670730106.8461.1466663974228@appsuite-dev.open-xchange.com>

> On June 23, 2016 at 8:56 AM Michael Fox wrote:
>
>
> > http://wiki.dovecot.org/LDA
> >
> > Section virtual users, with lookup has the answer.
>
> Thanks for the quick response Aki.
>
> I presume you're referring to this:
>
> service auth {
>   unix_listener auth-userdb {
>     mode = 0600
>     user = vmail # User running dovecot-lda
>     #group = vmail # Or alternatively mode 0660 + dovecot-lda user in this group
>   }
> }
>
> So, given that, then I'm still not clear on the following:
> 1) User vmail is reading the userdb, not writing to the userdb. So why mode 0600?
> 2) What should the owner, group and mode/permissions of the actual userdb flat file be for best security?
>
> Michael

1) that is a socket, not regular file. LDA speaks with auth service.
2) as auth *service* runs as root it prolly is best to use root:root 0400 for the actual file.

---
Aki Tuomi

From wrosenauer at gmail.com Thu Jun 23 09:07:17 2016
From: wrosenauer at gmail.com (Wolfgang Rosenauer)
Date: Thu, 23 Jun 2016 11:07:17 +0200
Subject: fts lucene crashes in 2.2.24
In-Reply-To:
References:
Message-ID:

According to my logs it's indeed fixed:

ds9 dovecot: indexer-worker(christiane): Indexed 1 messages in INBOX

Thanks!

On Wed, Jun 22, 2016 at 12:25 AM, Timo Sirainen wrote:
> On 29 May 2016, at 10:56, Wolfgang Rosenauer wrote:
> >
> > Hi,
> >
> > I've just enabled FTS via Lucene on my Dovecot 2.2.24 installation but I
> > see the indexer crashing “always”.
> >
> > This simple testcase with a very tiny testing mailbox exposes the issue
> > immediately:
> >
> > doveadm -v index -u anmesse INBOX
> >
> > Program received signal SIGSEGV, Segmentation fault.
> > rescan_clear_unseen_mailbox (rescan_ctx=rescan_ctx at entry=0x0,
> > vname=0x555555839820 "INBOX.Testfolder 2", hdr=hdr at entry=0x7fffffffdaf0)
> at
> > lucene-wrapper.cc:831
>
> Should be fixed by
> https://github.com/dovecot/core/commit/0f801c1bd3d684c219d7f3b1e75f8b85f66f7951
>
>

From news at mefox.org Thu Jun 23 17:49:16 2016
From: news at mefox.org (Michael Fox)
Date: Thu, 23 Jun 2016 10:49:16 -0700
Subject: error using default_fields in passwd-file
Message-ID: <010a01d1cd77$9067d060$b1377120$@mefox.org>

I'm trying to put virtual user mail in: /var/vmail//

I tried setting the home field in the userdb to /var/vmail/%d/%n

But apparently variable expansion doesn't happen in the userdb because the
Dovecot LDA created the literal directory /var/vmail/%d/%n/Maildir

So then I tried to use default_fields as shown here:
http://wiki2.dovecot.org/AuthDatabase/PasswdFile

So my config is:

userdb {
  driver = passwd-file
  args = username_format=%n /etc/dovecot/auth.d/%d/passwd
  default_fields = home=/var/vmail/%d/%u
}

But when I reload doveadm I get:

doveconf: Fatal: Error in configuration file /etc/dovecot/local.conf line 87: Unknown setting: default_fields

I tried override_fields:

userdb {
  driver = passwd-file
  args = username_format=%n /etc/dovecot/auth.d/%d/passwd
  override_fields = home=/var/vmail/%d/%u
}

And I get the same type of error:

doveconf: Fatal: Error in configuration file /etc/dovecot/local.conf line 87: Unknown setting: override_fields

What gives?

Michael

From jeffgamsby at merlock.com Thu Jun 23 18:06:37 2016
From: jeffgamsby at merlock.com (Jeff Gamsby)
Date: Thu, 23 Jun 2016 11:06:37 -0700
Subject: fts_solr not working
Message-ID: <150f6983.AEQADtVCpeIAAAAAAAAAAAKUPdkAAAAAAAIAAAAAAAZosgBXbCU0@mailjet.com>

I am running ISPConfig 3 on Debian and have managed to install the
dovecot-solr and dovecot-fts plugins.

I have solr running under tomcat at http://localhost:8880 but the
indexing is not working.

I am using Dovecot 2.17

I do not understand namespaces and why fts_solr needs them, I just want
to index the entire users Maildir.

I am trying to index a users mailbox but am getting the following error:

(changed user name)
doveadm fts rescan -u user at user.com inbox
doveadm(user at user.com): Error: Namespace prefix not found: inbox

running that in debug mode gives:

doveadm(root): Debug: Loading modules from directory: /usr/lib/dovecot/modules
doveadm(root): Debug: Module loaded: /usr/lib/dovecot/modules/lib20_fts_plugin.so
doveadm(root): Debug: Module loaded: /usr/lib/dovecot/modules/lib21_fts_solr_plugin.so
doveadm(root): Debug: Loading modules from directory: /usr/lib/dovecot/modules/doveadm
doveadm(root): Debug: Skipping module doveadm_acl_plugin, because dlopen() failed: /usr/lib/dovecot/modules/doveadm/lib10_doveadm_acl_plugin.so: undefined symbol: acl_user_module (this is usually intentional, so just ignore this message)
doveadm(root): Debug: Skipping module doveadm_expire_plugin, because dlopen() failed: /usr/lib/dovecot/modules/doveadm/lib10_doveadm_expire_plugin.so: undefined symbol: expire_set_deinit (this is usually intentional, so just ignore this message)
doveadm(root): Debug: Skipping module doveadm_quota_plugin, because dlopen() failed: /usr/lib/dovecot/modules/doveadm/lib10_doveadm_quota_plugin.so: undefined symbol: quota_user_module (this is usually intentional, so just ignore this message)
doveadm(root): Debug: Skipping module doveadm_zlib_plugin, because dlopen() failed:
/usr/lib/dovecot/modules/doveadm/lib10_doveadm_zlib_plugin.so: undefined symbol: i_stream_create_deflate (this is usually intentional, so just ignore this message)
doveadm(root): Debug: Module loaded: /usr/lib/dovecot/modules/doveadm/lib20_doveadm_fts_plugin.so
doveadm(user at user.com): Debug: Added userdb setting: mail=maildir:/var/vmail/user.com/user/Maildir
doveadm(user at user.com): Debug: Added userdb setting: plugin/quota_rule=*:storage=0B
doveadm(user at user.com): Debug: Added userdb setting: plugin/sieve=/var/vmail/user.com/user/.sieve
doveadm(user at user.com): Debug: Effective uid=5000, gid=5000, home=/var/vmail/user.com/user
doveadm(user at user.com): Debug: Namespace inbox: type=private, prefix=, sep=, inbox=yes, hidden=no, list=yes, subscriptions=yes location=maildir:/var/vmail/user.com/user/Maildir
doveadm(user at user.com): Debug: maildir++: root=/var/vmail/user.com/user/Maildir, index=, control=, inbox=/var/vmail/user.com/user/Maildir, alt=
doveadm(user at user.com): Debug: fts: No fts setting - plugin disabled
doveadm(user at user.com): Error: Namespace prefix not found: inbox

in conf.d/10-mail.conf I have this namespace defined:

namespace inbox {
  # Namespace type: private, shared or public
  #type = private

  # Hierarchy separator to use. You should use the same separator for all
  # namespaces or some clients get confused. '/' is usually a good one.
  # The default however depends on the underlying mail storage format.
  #separator =

  # Prefix required to access this namespace. This needs to be different for
  # all namespaces. For example "Public/".
  #prefix =

  # Physical location of the mailbox. This is in same format as
  # mail_location, which is also the default for it.
  #location =

  # There can be only one INBOX, and this setting defines which namespace
  # has it.
  inbox = yes

  # If namespace is hidden, it's not advertised to clients via NAMESPACE
  # extension. You'll most likely also want to set list=no.
  # This is mostly
  # useful when converting from another server with different namespaces which
  # you want to deprecate but still keep working. For example you can create
  # hidden namespaces with prefixes "~/mail/", "~%u/mail/" and "mail/".
  #hidden = no
  protocol imap {
    plugin {
      fts = solr
      fts_solr = break-imap-search url=http://localhost:8880/solr/
    }
  }
  protocol pop3 {
    plugin {
      fts = solr
      fts_solr = break-imap-search url=http://localhost:8880/solr/
    }

  # Show the mailboxes under this namespace with LIST command. This makes the
  # namespace visible for clients that don't support NAMESPACE extension.
  # "children" value lists child mailboxes, but hides the namespace prefix.
  #list = yes

  # Namespace handles its own subscriptions. If set to "no", the parent
  # namespace handles them (empty prefix should always have this as "yes")
  #subscriptions = yes
}

I had to put this in dovecot.conf in order for the plugin to be enabled:

mail_plugins = fts fts_solr

solr is reachable at localhost:8880/solr and appears to be working.

Please help, any suggestions are welcome

Thanks

From aki.tuomi at dovecot.fi Thu Jun 23 18:24:55 2016
From: aki.tuomi at dovecot.fi (aki.tuomi at dovecot.fi)
Date: Thu, 23 Jun 2016 21:24:55 +0300 (EEST)
Subject: fts_solr not working
In-Reply-To: <150f6983.AEQADtVCpeIAAAAAAAAAAAKUPdkAAAAAAAIAAAAAAAZosgBXbCU0@mailjet.com>
References: <150f6983.AEQADtVCpeIAAAAAAAAAAAKUPdkAAAAAAAIAAAAAAAZosgBXbCU0@mailjet.com>
Message-ID: <1747793449.2992.1466706297365@appsuite-dev.open-xchange.com>

> On June 23, 2016 at 9:06 PM Jeff Gamsby wrote:
>
>
> I am running ISPConfig 3 on Debian and have managed to install the
> dovecot-solr and dovecot-fts plugins.
>
> I have solr running undet tomcat at http://localhost:8880 but the
> indexing is not working.
>
> I am using Dovecot 2.17
>
> I do not understand namespaces and why fts_solr needs them, I just want
> to index the entire users Maildir.
>
> I am trying to index a users mailbox but am getting the following error:
>
> (changed user name)
> doveadm fts rescan -u user at user.com inbox
> doveadm(user at user.com): Error: Namespace prefix not found: inbox
>
> running that in debig mode gives:
>
> doveadm(root): Debug: Loading modules from directory:
> /usr/lib/dovecot/modules
> doveadm(root): Debug: Module loaded:
> /usr/lib/dovecot/modules/lib20_fts_plugin.so
> doveadm(root): Debug: Module loaded:
> /usr/lib/dovecot/modules/lib21_fts_solr_plugin.so
> doveadm(root): Debug: Loading modules from directory:
> /usr/lib/dovecot/modules/doveadm
> doveadm(root): Debug: Skipping module doveadm_acl_plugin, because
> dlopen() failed:
> /usr/lib/dovecot/modules/doveadm/lib10_doveadm_acl_plugin.so: undefined
> symbol: acl_user_module (this is usually intentional, so just ignore
> this message)
> doveadm(root): Debug: Skipping module doveadm_expire_plugin, because
> dlopen() failed:
> /usr/lib/dovecot/modules/doveadm/lib10_doveadm_expire_plugin.so:
> undefined symbol: expire_set_deinit (this is usually intentional, so
> just ignore this message)
> doveadm(root): Debug: Skipping module doveadm_quota_plugin, because
> dlopen() failed:
> /usr/lib/dovecot/modules/doveadm/lib10_doveadm_quota_plugin.so:
> undefined symbol: quota_user_module (this is usually intentional, so
> just ignore this message)
> doveadm(root): Debug: Skipping module doveadm_zlib_plugin, because
> dlopen() failed:
> /usr/lib/dovecot/modules/doveadm/lib10_doveadm_zlib_plugin.so: undefined
> symbol: i_stream_create_deflate (this is usually intentional, so just
> ignore this message)
> doveadm(root): Debug: Module loaded:
> /usr/lib/dovecot/modules/doveadm/lib20_doveadm_fts_plugin.so
> doveadm(user at user.com): Debug: Added userdb setting:
> mail=maildir:/var/vmail/user.com/user/Maildir
> doveadm(user at user.com): Debug: Added userdb setting:
> plugin/quota_rule=*:storage=0B
> doveadm(user at user.com): Debug: Added userdb setting:
> plugin/sieve=/var/vmail/user.com/user/.sieve
> doveadm(user at user.com): Debug: Effective uid=5000, gid=5000,
> home=/var/vmail/user.com/user
> doveadm(user at user.com): Debug: Namespace inbox: type=private, prefix=,
> sep=, inbox=yes, hidden=no, list=yes, subscriptions=yes
> location=maildir:/var/vmail/user.com/user/Maildir
> doveadm(user at user.com): Debug: maildir++:
> root=/var/vmail/user.com/user/Maildir, index=, control=,
> inbox=/var/vmail/user.com/user/Maildir, alt=
> doveadm(user at user.com): Debug: fts: No fts setting - plugin disabled
> doveadm(user at user.com): Error: Namespace prefix not found: inbox
>
> in conf.d/10-mail.conf I have this namespace defined:
>
> namespace inbox {
> # Namespace type: private, shared or public
> #type = private
>
> # Hierarchy separator to use. You should use the same separator for
> all
> # namespaces or some clients get confused. '/' is usually a good one.
> # The default however depends on the underlying mail storage format.
> #separator =
>
> # Prefix required to access this namespace. This needs to be different
> for
> # all namespaces. For example "Public/".
> #prefix =
>
> # Physical location of the mailbox. This is in same format as
> # mail_location, which is also the default for it.
> #location =
>
> # There can be only one INBOX, and this setting defines which
> namespace
> # has it.
> inbox = yes
>
> # If namespace is hidden, it's not advertised to clients via NAMESPACE
> # extension. You'll most likely also want to set list=no. This is
> mostly
> # useful when converting from another server with different namespaces
> which
> # you want to deprecate but still keep working. For example you can
> create
> # hidden namespaces with prefixes "~/mail/", "~%u/mail/" and "mail/".
> #hidden = no
> protocol imap {
> plugin {
> fts = solr
> fts_solr = break-imap-search url=http://localhost:8880/solr/
> }
> }
> protocol pop3 {
> plugin {
> fts = solr
> fts_solr = break-imap-search url=http://localhost:8880/solr/
> }
>
> # Show the mailboxes under this namespace with LIST command. This
> makes the
> # namespace visible for clients that don't support NAMESPACE
> extension.
> # "children" value lists child mailboxes, but hides the namespace
> prefix.
> #list = yes
>
> # Namespace handles its own subscriptions. If set to "no", the parent
> # namespace handles them (empty prefix should always have this as
> "yes")
> #subscriptions = yes
> }
>
>
> I had to put this in dovecot.conf in order for the plugin to be enabled:
>
> mail_plugins = fts fts_solr
>
> solr is reachable at localhost:8880/solr and appears to be working.
>
> Please help, any suggestions are welcome
>
> Thanks

Can you please send doveconf -n?

---
Aki Tuomi

From reuben-dovecot at reub.net Thu Jun 23 22:51:33 2016
From: reuben-dovecot at reub.net (Reuben Farrelly)
Date: Fri, 24 Jun 2016 08:51:33 +1000
Subject: SSL Problem with -git master-2.2 tip (24 June 16)
Message-ID:

Current master-2.2 branch of Dovecot compiles for me on Gentoo x86_64 but
experiences symbol errors when starting up:

Jun 24 08:38:00 thunderstorm dovecot: lmtp(8180): Fatal: Couldn't load required plugin /usr/lib64/dovecot/libssl_iostream_openssl.so: dlopen() failed: /usr/lib64/dovecot/libssl_iostream_openssl.so: undefined symbol: SSL_COMP_free_compression_methods
Jun 24 08:38:00 thunderstorm dovecot: master: Error: service(lmtp): command startup failed, throttling for 16 secs

I suspect that this is because I have libressl installed on my systems
instead of OpenSSL.

A known commit point which does not work is:

f5e6b05684328b9800ccd973c73027300c832d65

However a few commits earlier this problem does not occur:

f292589f4b85e02d97d974dfe34324c6c0bb9d9f

Looks like commit bff052bd29dbf7175ee6cd14bd14bcea1900b869 :

"lib-dcrypt, lib-ssl-iostream: Share OpenSSL init/deinit code."

may have broken the tree for LibreSSL/non OpenSSL users.

Reuben

From news at mefox.org Fri Jun 24 01:10:22 2016
From: news at mefox.org (Michael Fox)
Date: Thu, 23 Jun 2016 18:10:22 -0700
Subject: FW: error using default_fields in passwd-file
Message-ID: <01b101d1cdb5$2f12c930$8d385b90$@mefox.org>

I didn't see a response. Sending again and adding doveconf -n output.

----

I'm trying to put virtual user mail in: /var/vmail//

I tried setting the home field in the userdb to /var/vmail/%d/%n

But apparently variable expansion doesn't happen in the userdb because the
Dovecot LDA created the literal directory /var/vmail/%d/%n/Maildir

So then I tried to use default_fields as shown here:
http://wiki2.dovecot.org/AuthDatabase/PasswdFile

So I tried:

userdb {
  driver = passwd-file
  args = username_format=%n /etc/dovecot/auth.d/%d/passwd
  default_fields = home=/var/vmail/%d/%n
}

But when I reload doveadm I get:

doveconf: Fatal: Error in configuration file /etc/dovecot/local.conf line 87: Unknown setting: default_fields

I tried override_fields:

userdb {
  driver = passwd-file
  args = username_format=%n /etc/dovecot/auth.d/%d/passwd
  override_fields = home=/var/vmail/%d/%n
}

And I get the same type of error:

doveconf: Fatal: Error in configuration file /etc/dovecot/local.conf line 87: Unknown setting: override_fields

What gives?
Michael doveconf -n: # 2.0.19: /etc/dovecot/dovecot.conf # OS: Linux 3.13.0-86-generic i686 Ubuntu 12.04.5 LTS auth_verbose = yes disable_plaintext_auth = no mail_gid = vmail mail_location = maildir:~/Maildir mail_uid = vmail passdb { driver = pam } passdb { args = /etc/dovecot/deny-users deny = yes driver = passwd-file } passdb { args = username_format=%n /etc/dovecot/auth.d/%d/passwd driver = passwd-file } pop3_uidl_format = %08Xv%08Xu protocols = pop3 service auth { unix_listener auth-userdb { mode = 0600 user = vmail } } ssl = no ssl_cert = References: <150f6983.AEQADtVCpeIAAAAAAAAAAAKUPdkAAAAAAAIAAAAAAAZosgBXbCU0@mailjet.com> Message-ID: <79F5FF17-4730-4BC6-991E-5B0A5A003658@iredmail.org> > On Jun 24, 2016, at 2:06 AM, Jeff Gamsby wrote: > > doveadm(user at user.com): Debug: fts: No fts setting - plugin disabled Isn't it very clear here? ---- Zhang Huangbin, founder of iRedMail project: http://www.iredmail.org/ Time zone: GMT+8 (China/Beijing). From zhb at iredmail.org Fri Jun 24 01:27:33 2016 From: zhb at iredmail.org (Zhang Huangbin) Date: Fri, 24 Jun 2016 09:27:33 +0800 Subject: fts_solr not working In-Reply-To: <150f6983.AEQADtVCpeIAAAAAAAAAAAKUPdkAAAAAAAIAAAAAAAZosgBXbCU0@mailjet.com> References: <150f6983.AEQADtVCpeIAAAAAAAAAAAKUPdkAAAAAAAIAAAAAAAZosgBXbCU0@mailjet.com> Message-ID: <8EFC708F-8AD9-40C0-8D9E-46066D397A34@iredmail.org> > On Jun 24, 2016, at 2:06 AM, Jeff Gamsby wrote: > > protocol imap { > plugin { > fts = solr > fts_solr = break-imap-search url=http://localhost:8880/solr/ > } > } > protocol pop3 { > plugin { > fts = solr > fts_solr = break-imap-search url=http://localhost:8880/solr/ > } Don't place `plugin {}` setting in other config block. It should be: protocol imap {...} protocol pop3 {...} plugin { ... } ---- Zhang Huangbin, founder of iRedMail project: http://www.iredmail.org/ Time zone: GMT+8 (China/Beijing). 
From reuben-dovecot at reub.net Fri Jun 24 03:18:13 2016 From: reuben-dovecot at reub.net (Reuben Farrelly) Date: Fri, 24 Jun 2016 13:18:13 +1000 Subject: Unread Mail flag being reset frequently with dovecot -git master-2.2 Message-ID: <3d43142a-edd6-8f94-f363-1602798dedfd@reub.net> Hi again, I'm experiencing problems with the Dovecot git master-2.2 branch, in which mails that have been previously read are randomly appearing as unread. This happens slowly and affects more and more emails the more changes that occur to a mailbox. I am using Maildir format and on Gentoo Linux x86_64 on local disks. Usually only a few at a time change their status - and it seems to be random which ones lose their read status. Typically though they are the most recent emails that have been delivered in the past few months (I haven't yet seen this occur with any really old emails). This problem is MUA independent, it can be observed with Thunderbird as well as Roundcube. If I go in and mark all mails as read then they will show as read for a short while until they too slowly start become 'unread' again. Currently I'm running git rev from https://github.com/dovecot/core/commits/master-2.2 : f292589f4b85e02d97d974dfe34324c6c0bb9d9f (I can't run anything newer due to an SSL symbol error which I reported earlier). This rev: b1254dfe442639236f881afae85e0739520ab409 Is known to be good, so the problem started happening somewhere between these two. (I know there are a lot of in-between revisions, but bisecting that could take days of time). Dovecot config is up at: http://www.reub.net/files/dovecot/thunderstorm-dovecot.conf Rawlog debug files are at http://www.reub.net/files/dovecot/rawlogs/ Hopefully someone else may have seen this happen before. Are there any other debugs I can gather which will help get to the bottom of this? 
Reuben From lists.zxinn at otaking.se Fri Jun 24 04:27:18 2016 From: lists.zxinn at otaking.se (Tobias) Date: Fri, 24 Jun 2016 13:27:18 +0900 Subject: Authentication Penalty with ID x-originating-ip, HAproxy Message-ID: The wiki states that anvil's authentication penalties are skipped when IP is in login_trusted_networks. http://wiki.dovecot.org/Authentication/Penalty Is there a way to enable the authentication penalties for specific advertised remote IPs, when the connecting IP is in "login_trusted_networks", and it advertises the originating remote IP via 'ID ("x-originating-ip", "")'? And with regards to HAproxy, is anvil's authentication penalties by default transparent with regards to the remote IP advertised in the proxy protocol header? /Tobias From lists.zxinn at otaking.se Fri Jun 24 08:11:11 2016 From: lists.zxinn at otaking.se (Tobias) Date: Fri, 24 Jun 2016 17:11:11 +0900 Subject: Authentication Penalty with ID x-originating-ip, HAproxy In-Reply-To: References: Message-ID: A quick test confirms that HAproxy header IP information does properly delay the authentication failures upon successive failed login attempts from the same IP. And furthermore if the webmail client is delayed on the IMAP level, this could potentially be exploited for DoS and as such may not be a good idea after all. Even with the auth_failure_delay=2 by default this is possible, but it's much easier to achieve the DoS if the pre-auth delay increases to 17 seconds (maximum delay I've observed). Is there any other brute force / DoS mitigation option for dovecot / webmail interaction, short of fail2ban type IP blocking in a firewall (which will not work on a machine several layers deep behind e.g. a proxy), that isn't exclusively relying on the webmail client for such mitigation? Can dovecot itself temp-ban remote IPs (as reported by HAproxy protocol, or IMAP ID x-originating-ip), perhaps with a notice to try again in X seconds, instead of delaying them? 
/Tobias On 2016-06-24 13:27, Tobias wrote: > The wiki states that anvil's authentication penalties are skipped when > IP is in login_trusted_networks. > http://wiki.dovecot.org/Authentication/Penalty > > Is there a way to enable the authentication penalties for specific > advertised remote IPs, when the connecting IP is in > "login_trusted_networks", and it advertises the originating remote IP > via 'ID ("x-originating-ip", "")'? > > And with regards to HAproxy, is anvil's authentication penalties by > default transparent with regards to the remote IP advertised in the > proxy protocol header? > > /Tobias From matthias.lay at securepoint.de Fri Jun 24 08:33:51 2016 From: matthias.lay at securepoint.de (Matthias Lay) Date: Fri, 24 Jun 2016 10:33:51 +0200 Subject: auth_bind with "()" in username not working In-Reply-To: <20160609144856.20d7ee37@eugen.spdev.local> References: <20160609144856.20d7ee37@eugen.spdev.local> Message-ID: <20160624103351.1a683b24@eugen.spdev.local> Hi again, did some more tseting on this. I think the problem is the ldap userlookup, where "("s are evil and have to be quoted, but these quotes should be removed for the bind request. I get my usernames from ldap with a filter like this user_filter = (sAMAccountName=%Ln) so I think in between this to steps is the problem. For testing I hard coded the username for auth_bind and compared strace output from the auth process auth_bind_userdn = "spdev\\claasc (test)" this works fine. strace output from imap login write(26, "0+\2\1\2`&\2\1\3\4\23spdev\\claasc (test)\200\fHubertHans99", 45) compared to auth_bind_userdn = "spdev\\%Ln" which gives write(26, "0-\2\1\2`(\2\1\3\4\25spdev\\claasc \\(test\\)\200\fHubertHans99", 47) and wrong credentials nobody else encountering similar problems? 
maybe the "()" are the only chars making problems at this point Greetz Matze From skdovecot at smail.inf.fh-brs.de Fri Jun 24 10:33:16 2016 From: skdovecot at smail.inf.fh-brs.de (Steffen Kaiser) Date: Fri, 24 Jun 2016 12:33:16 +0200 (CEST) Subject: exempt local auth-client UNIX socket from failed login penalty // add to login_trusted_networks ? Message-ID: Hi, I'm using Dovecot v2.2 with unix_listener auth-client { } to verify passwords for a different service. However, it looks like that auth_failure_delay effects all connects going through that socket. I mean: connect /var/run/dovecot2.2/auth-client attempt bad auth 2s penalty NO disconnect ==> Note, it's another connection almost immediately following each connect /var/run/dovecot2.2/auth-client attempt good auth 2s penalty OK disconnect Can I disable auth_failure_delay for local UNIX sockets? How do I add it to login_trusted_networks? -- Steffen Kaiser From news at mefox.org Fri Jun 24 16:20:08 2016 From: news at mefox.org (Michael Fox) Date: Fri, 24 Jun 2016 09:20:08 -0700 Subject: Postfix and Dovecot LDA vs. LMTP Message-ID: <010101d1ce34$46d88030$d4898090$@mefox.org> I'm new to Dovecot and will be using it with Postfix. I'm looking for recommendations regarding the use of Dovecot's LDA or LMTP for virtual mailbox delivery. Many of the simple examples on the wiki use LDA. So I've set that up initially. But apparently an advantage of LMTP is recipient verification. 
So, as I understand it, LMTP would let Postfix know whether or not the message was deliverable to a local virtual recipient without needing to have a separate virtual recipients map in Postfix. That sounds like a nice simplification. But I see in Ubuntu that the dovecot-lmtp package is not marked with the Canonical support icon, like the pop, imap, and other packages are. I don't have a contract with Canonical. But I'm wondering why they would not support the lmtp package when they do support most of the others. Is it possible that the dovecot LMTP package is not as stable or reliable? I'd appreciate comments from experienced users of postfix with dovecot. Are you using Dovecot LDA or LMTP and why? Thanks much, Michael From jan at kivitendo-premium.de Fri Jun 24 16:59:47 2016 From: jan at kivitendo-premium.de (=?iso-8859-1?Q?=22Jan_B=FCren=22?=) Date: Fri, 24 Jun 2016 18:59:47 +0200 Subject: Postfix and Dovecot LDA vs. LMTP In-Reply-To: <010101d1ce34$46d88030$d4898090$@mefox.org> References: <010101d1ce34$46d88030$d4898090$@mefox.org> Message-ID: Hi Michael, > I'd appreciate comments from experienced users of postfix with dovecot. > Are > you using Dovecot LDA or LMTP and why? I have LMTP with dovecot running on Ubuntu 14.04 and Ubuntu 16.04. LDA is the worser solution, this is best explained in chapter LTMP in Peers dovecot book, which is unluckily in german and more or less out of print. But you can easily grasp the configuration details and reverse engineer the technical german phrases ... > > > > Thanks much, > > Michael > > > > -- kivitendo mit Schnelleinstieg zu RB-Druckvorlagen im Linux-Magazin 07 DELUG-DVD Ausgabe Richardson & Büren GmbH Jan Büren Kölnstr. 311 53117 Bonn USt-IdNr. DE238288407 Telefon: 0228 92 98 2012 Durchwahl: 0228 92 97 8965 From aki.tuomi at dovecot.fi Fri Jun 24 17:03:14 2016 From: aki.tuomi at dovecot.fi (aki.tuomi at dovecot.fi) Date: Fri, 24 Jun 2016 20:03:14 +0300 (EEST) Subject: Postfix and Dovecot LDA vs. 
LMTP In-Reply-To: References: <010101d1ce34$46d88030$d4898090$@mefox.org> Message-ID: <1595924118.5196.1466787796583@appsuite-dev.open-xchange.com> The most crucial difference is that LDA is intended for delivering email to a *real* user. Aki > On June 24, 2016 at 7:59 PM Jan Büren wrote: > > > Hi Michael, > > > I'd appreciate comments from experienced users of postfix with dovecot. > > Are > > you using Dovecot LDA or LMTP and why? > I have LMTP with dovecot running on Ubuntu 14.04 and Ubuntu 16.04. > > LDA is the worser solution, this is best explained in chapter LTMP in > Peers dovecot book, which is unluckily in german and more or less out of > print. > > But you can easily grasp the configuration details and reverse engineer > the technical german phrases ... > > > > > > > > > > Thanks much, > > > > Michael > > > > > > > > > > > -- > kivitendo mit Schnelleinstieg zu RB-Druckvorlagen im Linux-Magazin 07 > DELUG-DVD Ausgabe > > Richardson & Büren GmbH > Jan Büren > Kölnstr. 311 > 53117 Bonn > > USt-IdNr. DE238288407 > Telefon: 0228 92 98 2012 > > > Durchwahl: 0228 92 97 8965 From jan at kivitendo-premium.de Fri Jun 24 17:04:54 2016 From: jan at kivitendo-premium.de (=?iso-8859-1?Q?=22Jan_B=FCren=22?=) Date: Fri, 24 Jun 2016 19:04:54 +0200 Subject: Postfix and Dovecot LDA vs. LMTP In-Reply-To: References: <010101d1ce34$46d88030$d4898090$@mefox.org> Message-ID: <840e8dd4188b42c87ff2c3723d4cd0fa.squirrel@weitan.org> Hi, > But you can easily grasp the configuration details and reverse engineer > the technical german phrases ... Ah well, the link: http://www.dovecot-buch.de/buch/vorwort-timo-sirainen/ > > >> >> >> >> Thanks much, >> >> Michael >> >> >> >> > > > -- > kivitendo mit Schnelleinstieg zu RB-Druckvorlagen im Linux-Magazin 07 > DELUG-DVD Ausgabe > > Richardson & Büren GmbH > Jan Büren > Kölnstr. 311 > 53117 Bonn > > USt-IdNr. 
DE238288407 > Telefon: 0228 92 98 2012 > > > Durchwahl: 0228 92 97 8965 > > -- kivitendo mit Schnelleinstieg zu RB-Druckvorlagen im Linux-Magazin 07 DELUG-DVD Ausgabe Richardson & Büren GmbH Jan Büren Kölnstr. 311 53117 Bonn USt-IdNr. DE238288407 Telefon: 0228 92 98 2012 Durchwahl: 0228 92 97 8965 From hughbragg at dodo.com.au Sat Jun 25 05:25:02 2016 From: hughbragg at dodo.com.au (Hugh Bragg) Date: Sat, 25 Jun 2016 15:25:02 +1000 Subject: mail-search backtrace In-Reply-To: <5740B443.9070205@dodo.com.au> References: <57094E96.7020501@dodo.com.au> <2D05C734-10E5-4F8E-B26C-39B981C18FBC@iki.fi> <5740B443.9070205@dodo.com.au> Message-ID: <576E15AE.5000302@dodo.com.au> On 22/05/16 05:17, Hugh Bragg wrote: > > > On 13/04/16 06:41, Timo Sirainen wrote: >> On 09 Apr 2016, at 21:48, Hugh Bragg wrote: >>> I'm repeatedly getting this error: >>> >>> Apr 07 04:37:27 imap(mymail at address): Panic: file mail-search.c: >>> line 84 (mail_search_arg_init): assertion failed: >>> (arg->initialized.keywords == NULL) >>> Apr 07 04:37:27 imap(mymail at address): Error: Raw backtrace: >>> /usr/lib64/dovecot/libdovecot.so.0(+0x827c2) [0x7fcb7f65e7c2] -> >>> /usr/lib64/dovecot/libdovecot.so.0(+0x828ad) [0x7fcb7f65e8ad] -> >>> /usr/lib64/dov >>> ecot/libdovecot.so.0(i_fatal+0) [0x7fcb7f605b01] -> >>> /usr/lib64/dovecot/libdovecot-storage.so.0(mail_search_arg_init+0x228) >>> [0x7fcb7f91a328] -> >>> /usr/lib64/dovecot/libdovecot-storage.so.0(index_search_result_updat >>> e_flags+0x100) [0x7fcb7f98e470] -> >>> /usr/lib64/dovecot/libdovecot-storage.so.0(index_sync_search_results_update+0x52) >>> [0x7fcb7f9983e2] -> >>> /usr/lib64/dovecot/libdovecot-storage.so.0(index_mailbox_sync_deinit+0x185 >>> ) [0x7fcb7f998bb5] -> >>> /usr/lib64/dovecot/libdovecot-storage.so.0(mailbox_sync_deinit+0x32) >>> [0x7fcb7f921222] -> >>> /usr/lib64/dovecot/lib20_virtual_plugin.so(virtual_storage_sync_init+0xab3) >>> [0x7fcb7e9f7313] -> /usr >> It's coming from virtual mailboxes. 
>> >>> namespace virtual { >>> location = virtual:/var/mail/vhosts/%d/%n/virtual >>> prefix = virtual. >>> separator = . >>> } >> What do your dovecot-virtual files contain? I guess opening one of >> those virtual mailboxes crashes always. Related to searching keywords. > It still happens once in a while. It just won't expunge old messages > from unseen. There is no other trace or log message. > I was hoping to isolate the cause, but all I could only say for sure > that it happens sometime after Dovecot first starts up and I have to > restart to fix it. > dovecot-virtual files look like this: > # cat virtual/all/dovecot-virtual > * > all > # cat virtual/Unseen/dovecot-virtual > virtual.all > inthread refs unseen > > > A fresh trace: > > May 21 00:28:08 imap(x at y): Panic: file mail-search.c: line 84 > (mail_search_arg_init): assertion failed: (arg->initialized.keywords > == NULL) > May 21 00:28:08 imap(x at y): Error: Raw backtrace: > /usr/lib64/dovecot/libdovecot.so.0(+0x85c62) [0x7f4fd8915c62] -> > /usr/lib64/dovecot/libdovecot.so.0(+0x85d4d) [0x7f4fd8915d4d] -> > /usr/lib64/dov > ecot/libdovecot.so.0(i_fatal+0) [0x7f4fd88ba5c1] -> > /usr/lib64/dovecot/libdovecot-storage.so.0(mail_search_arg_init+0x228) > [0x7f4fd8bd4b78] -> > /usr/lib64/dovecot/libdovecot-storage.so.0(index_search_result_updat > e_flags+0x100) [0x7f4fd8c49d00] -> > /usr/lib64/dovecot/libdovecot-storage.so.0(index_sync_search_results_update+0x52) > [0x7f4fd8c53ce2] -> > /usr/lib64/dovecot/libdovecot-storage.so.0(index_mailbox_sync_deinit+0x185 > ) [0x7f4fd8c544b5] -> > /usr/lib64/dovecot/libdovecot-storage.so.0(mailbox_sync_deinit+0x32) > [0x7f4fd8bdba82] -> > /usr/lib64/dovecot/lib20_virtual_plugin.so(virtual_storage_sync_init+0x538) > [0x7f4fd7caa428] -> /usr > /lib64/dovecot/libdovecot-storage.so.0(mailbox_sync_init+0x3b) > [0x7f4fd8bdb9fb] -> dovecot/imap(imap_sync_init+0x68) [0x56091d93b078] > -> dovecot/imap(+0x1210e) [0x56091d92710e] -> dovecot/imap(+0x1234d) > [0x56091 > d92734d] -> > 
/usr/lib64/dovecot/libdovecot.so.0(io_loop_handle_timeouts+0xea) > [0x7f4fd892984a] -> > /usr/lib64/dovecot/libdovecot.so.0(io_loop_handler_run_internal+0xbb) > [0x7f4fd892ae4b] -> /usr/lib64/dovecot/libdo > vecot.so.0(io_loop_handler_run+0x25) [0x7f4fd8929a75] -> > /usr/lib64/dovecot/libdovecot.so.0(io_loop_run+0x38) [0x7f4fd8929c18] > -> /usr/lib64/dovecot/libdovecot.so.0(master_service_run+0x13) > [0x7f4fd88c0123] -> d > ovecot/imap(main+0x328) [0x56091d922a98] -> > /lib64/libc.so.6(__libc_start_main+0xf0) [0x7f4fd84ef580] -> > dovecot/imap(_start+0x29) [0x56091d922c19] Still no clue on this even with debug set on. It's become so bad I need to restart it or new mail is no longer reported after a few days when the unseen has dozens of read mails. I've no idea why it would need the keyword when I haven't done a search but I suppose the virtual plugin works by using the mail-search. Still, this shouldn't cause an error even if it is null. I'm suppose it could be caused by the number of emails being so great. Perhaps something is corrupt but as given, my dovecot-virtual files are as recommended by the plugin doco and nothing else seems amiss. If there is a corrupt mail or something then I don't know how to trace it. Anything anyone? 
A fresh trace : Jun 25 15:10:30 imap(x at y.z): Panic: file mail-search.c: line 84 (mail_search_arg_init): assertion failed: (arg->initialized.keywords == NULL) Jun 25 15:10:30 imap(x at y.z): Error: Raw backtrace: /usr/lib64/dovecot/libdovecot.so.0(+0x87102) [0x7fcb73696102] -> /usr/lib64/dovecot/libdovecot.so.0(+0x871ed) [0x7fcb736961ed] -> /usr/lib64/dovecot/libdovecot.so.0(i_fatal+0) [0x7fcb736399e1] -> /usr/lib64/dovecot/libdovecot-storage.so.0(mail_search_arg_init+0x228) [0x7fcb73955cc8] -> /usr/lib64/dovecot/libdovecot-storage.so.0(index_search_result_update_flags+0x100) [0x7fcb739cb3f0] -> /usr/lib64/dovecot/libdovecot-storage.so.0(index_sync_search_results_update+0x52) [0x7fcb739d5392] -> /usr/lib64/dovecot/libdovecot-storage.so.0(index_mailbox_sync_deinit+0x185) [0x7fcb739d5b65] -> /usr/lib64/dovecot/libdovecot-storage.so.0(mailbox_sync_deinit+0x32) [0x7fcb7395cbd2] -> /usr/lib64/dovecot/lib20_virtual_plugin.so(virtual_storage_sync_init+0x538) [0x7fcb72e434f8] -> /usr/lib64/dovecot/libdovecot-storage.so.0(mailbox_sync_init+0x3b) [0x7fcb7395cb4b] -> dovecot/imap(imap_sync_init+0x68) [0x55cfd865d0f8] -> dovecot/imap(+0x1217e) [0x55cfd864917e] -> dovecot/imap(+0x123bd) [0x55cfd86493bd] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_handle_timeouts+0xea) [0x7fcb736a9dba] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_handler_run_internal+0xbb) [0x7fcb736ab3bb] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_handler_run+0x25) [0x7fcb736a9fe5] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_run+0x38) [0x7fcb736aa188] -> /usr/lib64/dovecot/libdovecot.so.0(master_service_run+0x13) [0x7fcb7363fea3] -> dovecot/imap(main+0x328) [0x55cfd8644b08] -> /lib64/libc.so.6(__libc_start_main+0xf0) [0x7fcb7326e580] -> dovecot/imap(_start+0x29) [0x55cfd8644c89] From news at mefox.org Sat Jun 25 16:39:06 2016 From: news at mefox.org (Michael Fox) Date: Sat, 25 Jun 2016 09:39:06 -0700 Subject: Postfix and Dovecot LDA vs. 
LMTP In-Reply-To: References: <010101d1ce34$46d88030$d4898090$@mefox.org> Message-ID: <00d901d1cf00$17c76c30$47564490$@mefox.org> Thanks Jan. I've been trying to obtain an English copy of the Dovecot book for months, prior to starting this project. So far, I just can't find a copy. It's too bad that the author/publisher won't do a second printing or, if they're not interested in making any more money, then release it to the public domain as a PDF. Very frustrating. Michael > -----Original Message----- > From: dovecot [mailto:dovecot-bounces at dovecot.org] On Behalf Of "Jan > Büren" > Sent: Friday, June 24, 2016 10:00 AM > To: dovecot at dovecot.org > Subject: Re: Postfix and Dovecot LDA vs. LMTP > > Hi Michael, > > > I'd appreciate comments from experienced users of postfix with dovecot. > > Are > > you using Dovecot LDA or LMTP and why? > I have LMTP with dovecot running on Ubuntu 14.04 and Ubuntu 16.04. > > LDA is the worser solution, this is best explained in chapter LTMP in > Peers dovecot book, which is unluckily in german and more or less out of > print. > > But you can easily grasp the configuration details and reverse engineer > the technical german phrases ... > > > > > > > > > > Thanks much, > > > > Michael > > > > > > > > > > > -- > kivitendo mit Schnelleinstieg zu RB-Druckvorlagen im Linux-Magazin 07 > DELUG-DVD Ausgabe > > Richardson & Büren GmbH > Jan Büren > Kölnstr. 311 > 53117 Bonn > > USt-IdNr. DE238288407 > Telefon: 0228 92 98 2012 > > > Durchwahl: 0228 92 97 8965 From news at mefox.org Sat Jun 25 16:39:06 2016 From: news at mefox.org (Michael Fox) Date: Sat, 25 Jun 2016 09:39:06 -0700 Subject: Postfix and Dovecot LDA vs. 
LMTP In-Reply-To: <1595924118.5196.1466787796583@appsuite-dev.open-xchange.com> References: <010101d1ce34$46d88030$d4898090$@mefox.org> <1595924118.5196.1466787796583@appsuite-dev.open-xchange.com> Message-ID: <00d801d1cf00$178b2680$46a17380$@mefox.org> > The most crucial difference is that LDA is intended for delivering email > to a *real* user. > > Aki Thanks Aki. Pardon my ignorance, but why does it matter? In other words, what is it that makes LDA better for a *real* user and LMTP better for a virtual user? Thanks, Michael From mfoley at ohprs.org Sat Jun 25 16:43:06 2016 From: mfoley at ohprs.org (Mark Foley) Date: Sat, 25 Jun 2016 12:43:06 -0400 Subject: Looking for NTLM config example In-Reply-To: <201604220607.u3M67ODM006995@mail.hprs.local> References: <201604220607.u3M67ODM006995@mail.hprs.local> Message-ID: <201606251643.u5PGh6ZI004436@mail.hprs.local> I've asked this several times over the past year with essentially zero responses. I'll keep it simple: Does NTLM authentication work in Dovecot? I'll post this one last time. If I still have no responses I'll have to conclude that no one has actually tried this authentication method and it therefore does not work. Thanks, --Mark -----Original Message----- From: Mark Foley Date: Fri, 22 Apr 2016 02:07:24 -0400 Organization: Ohio Highway Patrol Retirement System To: dovecot at dovecot.org Subject: Looking for NTLM config example > Now that I am running Thunderbird on Linux and away from Windows/Outlook, I'd like to take > another run at setting up NTLM authentication from Thunderbird to my Samba4 AC/DC. > > With the help of the samba maillist folks I was able to set up NTLM authentication for domain > user login. I should be able to do the same for email! > > But, I need help. I went to http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and got > lost immediately. Are "authenticaion submethods" synonymous with "password schemes"? 
The 7th > line down says, "NTLM password scheme is required for NTLM, NTLM2 and NTLMv2.", but in the > referenced link I found no reference to "NTLM password scheme". > > The links http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and > http://wiki2.dovecot.org/Authentication/PasswordSchemes, tell you what the 4 NTLM > authentication submethods are, tells you what password schemes are, tells you what the NTLM > client/server handshake is, but doesn't actually tell you how to configure dovecot config > files. I'm much more interested in the "how to" than in: "NTLMv2: server and client nonce, > MITM can't force downgrade" ... whatever that means. > > Anyway, probably it's my lack of understanding terminology. I don't even know what a "nonce" > is. But, I learn well from examples! Can somone please give me a sample 10-auth.conf for NTML > and any other supporting settings or configs I need? > > My current/working dovecot settings, which have been running perfectly for well over a year > now, are: > > $ dovecot -n > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf > # OS: Linux 3.10.17 x86_64 Slackware 14.1 > auth_debug_passwords = yes > auth_mechanisms = plain login > auth_verbose = yes > auth_verbose_passwords = plain > disable_plaintext_auth = no > info_log_path = /var/log/dovecot_info > mail_location = maildir:~/Maildir > passdb { > driver = shadow > } > protocols = imap > ssl_cert = ssl_key = userdb { > driver = passwd > } > verbose_ssl = yes > > > Here's what I've tried so far as 10-auth.conf: > > disable_plaintext_auth = no > auth_use_winbind = yes > info_log_path = /var/log/dovecot_info > auth_verbose = yes > auth_debug_passwords = yes > auth_verbose_passwords= plain > auth_winbind_helper_path = /usr/bin/ntlm_auth > > auth_mechanisms = ntlm plain login > > userdb { > driver = passwd > args = username_format=%n allow_all_users=yes > > } > > > Which gives me a dovecot -n of: > > $ dovecot -n > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf > # OS: Linux 3.10.17 
x86_64 Slackware 14.1 > auth_debug_passwords = yes > auth_mechanisms = ntlm plain login > auth_use_winbind = yes > auth_verbose = yes > auth_verbose_passwords = plain > disable_plaintext_auth = no > info_log_path = /var/log/dovecot_info > mail_location = maildir:~/Maildir > protocols = imap > ssl_cert = ssl_key = userdb { > args = username_format=%n allow_all_users=yes > driver = passwd > } > verbose_ssl = yes > > > I configured Thunderbird for NTLM authentication, then tried sending a message, I got the > following in /var/log/dovecot_info: > > Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges > Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges > Apr 22 01:37:57 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth > Apr 22 01:37:57 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, session= > > > On Thunderbird I got the error, "Sending of the message failed. The Outlgoing server (SMTP) > my.server.name does not support the selected authentication method. Please change the > 'Autnentication method' in 'Account Settings | Outgoing Server (SMTP)'." > > Clearly, something is configured wrong, but I've no clue what. > > Can I get some advice? 
> > THX --Mark From jan at kivitendo-premium.de Sat Jun 25 19:52:59 2016 From: jan at kivitendo-premium.de (=?iso-8859-1?Q?=22Jan_B=FCren=22?=) Date: Sat, 25 Jun 2016 21:52:59 +0200 Subject: Postfix and Dovecot LDA vs. 
LMTP In-Reply-To: <00d901d1cf00$17c76c30$47564490$@mefox.org> References: <010101d1ce34$46d88030$d4898090$@mefox.org> <00d901d1cf00$17c76c30$47564490$@mefox.org> Message-ID: <5f078837e4effb4ccd72f706884076af.squirrel@weitan.org> Hi Michael, we'll actually the author is reading this list as well. Maybe he can help out here (cc). As far as I know went the publisher bancrupt and that's why currently further prints and next books are delayed. @Peer: Anyway, is there a english copy? More or less I am refering to the chapter LMTP with dovecot and postfix. Hmm, just with the information in the dovecot wiki, there is at least the postfix part missing: http://wiki2.dovecot.org/HowTo/PostfixDovecotLMTP Best luck, > Thanks Jan. > > I've been trying to obtain an English copy of the Dovecot book for months, > prior to starting this project. So far, I just can't find a copy. It's > too > bad that the author/publisher won't do a second printing or, if they're > not > interested in making any more money, then release it to the public domain > as > a PDF. Very frustrating. > > Michael > > >> -----Original Message----- >> From: dovecot [mailto:dovecot-bounces at dovecot.org] On Behalf Of "Jan >> Büren" >> Sent: Friday, June 24, 2016 10:00 AM >> To: dovecot at dovecot.org >> Subject: Re: Postfix and Dovecot LDA vs. LMTP >> >> Hi Michael, >> >> > I'd appreciate comments from experienced users of postfix with >> dovecot. >> > Are >> > you using Dovecot LDA or LMTP and why? >> I have LMTP with dovecot running on Ubuntu 14.04 and Ubuntu 16.04. >> >> LDA is the worser solution, this is best explained in chapter LTMP in >> Peers dovecot book, which is unluckily in german and more or less out of >> print. >> >> But you can easily grasp the configuration details and reverse engineer >> the technical german phrases ... 
>> >> >> > >> > >> > >> > Thanks much, >> > >> > Michael >> > >> > >> > >> > >> >> >> -- >> kivitendo mit Schnelleinstieg zu RB-Druckvorlagen im Linux-Magazin 07 >> DELUG-DVD Ausgabe >> >> Richardson & B?ren GmbH >> Jan B?ren >> K?lnstr. 311 >> 53117 Bonn >> >> USt-IdNr. DE238288407 >> Telefon: 0228 92 98 2012 >> >> >> Durchwahl: 0228 92 97 8965 > > -- kivitendo mit Schnelleinstieg zu RB-Druckvorlagen im Linux-Magazin 07 DELUG-DVD Ausgabe Richardson & B?ren GmbH Jan B?ren Weiherstra?e 33a 53111 Bonn USt-IdNr. DE238288407 Telefon: 0228 92 98 2012 Durchwahl: 0228 92 97 8965 From news at mefox.org Sat Jun 25 21:56:37 2016 From: news at mefox.org (Michael Fox) Date: Sat, 25 Jun 2016 14:56:37 -0700 Subject: Postfix and Dovecot LDA vs. LMTP In-Reply-To: <5f078837e4effb4ccd72f706884076af.squirrel@weitan.org> References: <010101d1ce34$46d88030$d4898090$@mefox.org> <00d901d1cf00$17c76c30$47564490$@mefox.org> <5f078837e4effb4ccd72f706884076af.squirrel@weitan.org> Message-ID: <00e001d1cf2c$72cec840$586c58c0$@mefox.org> Thanks again Jan. I appear to have basic LMTP working now (messages are delivered to virtual mailboxes of valid recipients and non-existent recipients are rejected). Cool. Still lots more work to do. But I think I could really use the Dovecot book. I find the wiki to be lacking in explanation. So, too often I'm just copying without knowing the reason why or how some things fit together. Peer: Is there any way to get an English copy of your book? Michael > -----Original Message----- > From: dovecot [mailto:dovecot-bounces at dovecot.org] On Behalf Of "Jan > B?ren" > Sent: Saturday, June 25, 2016 12:53 PM > To: dovecot at dovecot.org > Cc: Peer Heinlein > Subject: RE: Postfix and Dovecot LDA vs. LMTP > > Hi Michael, > we?ll actually the author is reading this list as well. > Maybe he can help out here (cc). > As far as I know went the publisher bancrupt and that?s why currently > further prints and next books are delayed. 
> > @Peer: Anyway, is there a english copy? More or less I am refering to the > chapter LMTP with dovecot and postfix. > > Hmm, just with the information in the dovecot wiki, there is at least the > postfix part missing: > http://wiki2.dovecot.org/HowTo/PostfixDovecotLMTP > > Best luck, > > Thanks Jan. > > > > I've been trying to obtain an English copy of the Dovecot book for > months, > > prior to starting this project. So far, I just can't find a copy. It's > > too > > bad that the author/publisher won't do a second printing or, if they're > > not > > interested in making any more money, then release it to the public > domain > > as > > a PDF. Very frustrating. > > > > Michael > > > > > >> -----Original Message----- > >> From: dovecot [mailto:dovecot-bounces at dovecot.org] On Behalf Of "Jan > >> B?ren" > >> Sent: Friday, June 24, 2016 10:00 AM > >> To: dovecot at dovecot.org > >> Subject: Re: Postfix and Dovecot LDA vs. LMTP > >> > >> Hi Michael, > >> > >> > I'd appreciate comments from experienced users of postfix with > >> dovecot. > >> > Are > >> > you using Dovecot LDA or LMTP and why? > >> I have LMTP with dovecot running on Ubuntu 14.04 and Ubuntu 16.04. > >> > >> LDA is the worser solution, this is best explained in chapter LTMP in > >> Peers dovecot book, which is unluckily in german and more or less out > of > >> print. > >> > >> But you can easily grasp the configuration details and reverse engineer > >> the technical german phrases ... > >> > >> > >> > > >> > > >> > > >> > Thanks much, > >> > > >> > Michael > >> > > >> > > >> > > >> > > >> > >> > >> -- > >> kivitendo mit Schnelleinstieg zu RB-Druckvorlagen im Linux-Magazin 07 > >> DELUG-DVD Ausgabe > >> > >> Richardson & B?ren GmbH > >> Jan B?ren > >> K?lnstr. 311 > >> 53117 Bonn > >> > >> USt-IdNr. 
DE238288407 > >> Telefon: 0228 92 98 2012 > >> > >> > >> Durchwahl: 0228 92 97 8965 > > > > > > > -- > kivitendo mit Schnelleinstieg zu RB-Druckvorlagen im Linux-Magazin 07 > DELUG-DVD Ausgabe > > Richardson & B?ren GmbH > Jan B?ren > Weiherstra?e 33a > 53111 Bonn > > USt-IdNr. DE238288407 > Telefon: 0228 92 98 2012 > > Durchwahl: 0228 92 97 8965 From me at junc.eu Sat Jun 25 22:57:06 2016 From: me at junc.eu (Benny Pedersen) Date: Sun, 26 Jun 2016 00:57:06 +0200 Subject: Postfix and Dovecot LDA vs. LMTP In-Reply-To: <00e001d1cf2c$72cec840$586c58c0$@mefox.org> References: <010101d1ce34$46d88030$d4898090$@mefox.org> <00d901d1cf00$17c76c30$47564490$@mefox.org> <5f078837e4effb4ccd72f706884076af.squirrel@weitan.org> <00e001d1cf2c$72cec840$586c58c0$@mefox.org> Message-ID: On 2016-06-25 23:56, Michael Fox wrote: > Peer: Is there any way to get an English copy of your book? imho wiki is the way to go to be up2date with information, else it would make more sense to make more informative man pages in dovecot, that will never be outdated that sayed i am intrested in the book aswell From news at mefox.org Sat Jun 25 23:18:35 2016 From: news at mefox.org (Michael Fox) Date: Sat, 25 Jun 2016 16:18:35 -0700 Subject: Postfix and Dovecot LDA vs. LMTP In-Reply-To: References: <010101d1ce34$46d88030$d4898090$@mefox.org> <00d901d1cf00$17c76c30$47564490$@mefox.org> <5f078837e4effb4ccd72f706884076af.squirrel@weitan.org> <00e001d1cf2c$72cec840$586c58c0$@mefox.org> Message-ID: <010001d1cf37$e63578f0$b2a06ad0$@mefox.org> > imho wiki is the way to go to be up2date with information, else it would > make more sense to make more informative man pages in dovecot, that will > never be outdated I agree that the wiki is useful and important. It just doesn't have any depth regarding the "why" and "how" part of the equation. For example, WHY LMTP vs. LDA (just one example). There are many config snippets with a couple of lines of explanation and not much about how they fit into the big picture. 
And some config examples (like the default_fields and override_fields issue I reported earlier) simply don't work. In the Postfix world, there is an old Postfix book (older than Peer's book) which goes into a lot of the "why" and "how". It takes you through the whole process from nothing to a full-fledged server and really gives you the big picture. All of that is still valid today. Then the postfix website is the place to go for up-to-date description of each config option. Even there, the web pages contain much more descriptive information about each config option -- how it's used, when, why, side-effects, etc. If I knew what I was doing, I'd offer to help add to the wiki. But as a newbie, I don't even know what I don't know. ;-) So I'm hoping that Peer's book will provide that overall big-picture and that I can find an English copy somehow. Michael From noel.butler at ausics.net Sat Jun 25 23:51:06 2016 From: noel.butler at ausics.net (Noel Butler) Date: Sun, 26 Jun 2016 09:51:06 +1000 Subject: Postfix and Dovecot LDA vs. LMTP In-Reply-To: <00d801d1cf00$178b2680$46a17380$@mefox.org> References: <010101d1ce34$46d88030$d4898090$@mefox.org> <1595924118.5196.1466787796583@appsuite-dev.open-xchange.com> <00d801d1cf00$178b2680$46a17380$@mefox.org> Message-ID: On 26/06/2016 02:39, Michael Fox wrote: >> The most crucial difference is that LDA is intended for delivering >> email >> to a *real* user. >> >> Aki > > > Thanks Aki. > > Pardon my ignorance, but why does it matter? In other words, what is > it that makes LDA better for a *real* user and LMTP better for a > virtual user? > > Thanks, > Michael We've used LDA for virtual users for a very very long time, though we use multiple front ends, each with postfix/dovecot and mysql (replicated DB) they all talk to one big storage backend via NFS (as do the pop3/imap/webmails servers), we looked at lmtp once but saw no advantages given the setup. 
-- If you have the urge to reply to all rather than reply to list, you best first read http://members.ausics.net/qwerty/ From p.heinlein at heinlein-support.de Sun Jun 26 06:50:05 2016 From: p.heinlein at heinlein-support.de (Peer Heinlein) Date: Sun, 26 Jun 2016 08:50:05 +0200 Subject: Postfix and Dovecot LDA vs. LMTP In-Reply-To: <5f078837e4effb4ccd72f706884076af.squirrel@weitan.org> References: <010101d1ce34$46d88030$d4898090$@mefox.org> <00d901d1cf00$17c76c30$47564490$@mefox.org> <5f078837e4effb4ccd72f706884076af.squirrel@weitan.org> Message-ID: <576F7B1D.9080300@heinlein-support.de> Am 25.06.2016 um 21:52 schrieb "Jan B?ren": >> I've been trying to obtain an English copy of the Dovecot book for months, >> prior to starting this project. So far, I just can't find a copy. It's >> too >> bad that the author/publisher won't do a second printing or, if they're >> not >> interested in making any more money, then release it to the public domain The book company has to shut down their business last december. It took some time to get the copyrights back, to talk to some other book companies and to get everything ready. Actually we're one the way to get the book back into the shop into the next few weeks. Peer -- Heinlein Support GmbH Schwedter Str. 8/9b, 10119 Berlin http://www.heinlein-support.de Tel: 030 / 405051-42 Fax: 030 / 405051-19 Zwangsangaben lt. ?35a GmbHG: HRB 93818 B / Amtsgericht Berlin-Charlottenburg, Gesch?ftsf?hrer: Peer Heinlein -- Sitz: Berlin From phil at philfixit.info Sun Jun 26 07:22:34 2016 From: phil at philfixit.info (phil) Date: Sun, 26 Jun 2016 17:22:34 +1000 Subject: Postfix and Dovecot LDA vs. 
LMTP In-Reply-To: <576F7B1D.9080300@heinlein-support.de> References: <010101d1ce34$46d88030$d4898090$@mefox.org> <00d901d1cf00$17c76c30$47564490$@mefox.org> <5f078837e4effb4ccd72f706884076af.squirrel@weitan.org> <576F7B1D.9080300@heinlein-support.de> Message-ID: On 26/06/2016 4:50 PM, Peer Heinlein wrote: > Am 25.06.2016 um 21:52 schrieb "Jan B?ren": > > >>> I've been trying to obtain an English copy of the Dovecot book for months, >>> prior to starting this project. So far, I just can't find a copy. It's >>> too >>> bad that the author/publisher won't do a second printing or, if they're >>> not >>> interested in making any more money, then release it to the public domain > > The book company has to shut down their business last december. > > It took some time to get the copyrights back, to talk to some other book > companies and to get everything ready. Actually we're one the way to get > the book back into the shop into the next few weeks. > > Peer > > In English as well this time Peer? I will buy a copy if it is available in English . . . -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 884 bytes Desc: OpenPGP digital signature URL: From aki.tuomi at dovecot.fi Sun Jun 26 11:00:49 2016 From: aki.tuomi at dovecot.fi (aki.tuomi at dovecot.fi) Date: Sun, 26 Jun 2016 14:00:49 +0300 (EEST) Subject: Looking for NTLM config example In-Reply-To: <201606251643.u5PGh6ZI004436@mail.hprs.local> References: <201604220607.u3M67ODM006995@mail.hprs.local> <201606251643.u5PGh6ZI004436@mail.hprs.local> Message-ID: <10036776.5864.1466938851255@appsuite-dev.open-xchange.com> It should work. Although if you are using linux server you might want to use gssapi instead. > On June 25, 2016 at 7:43 PM Mark Foley wrote: > > > I've asked this several times over the past year with essentially zero responses. I'll keep it simple: > > Does NTLM authentication work in Dovecot? 
> > I'll post this one last time. If I still have no responses I'll have to conclude that no one > has actually tried this authentication method and it therefore does not work. > > Thanks, --Mark > > -----Original Message----- > From: Mark Foley > Date: Fri, 22 Apr 2016 02:07:24 -0400 > Organization: Ohio Highway Patrol Retirement System > To: dovecot at dovecot.org > Subject: Looking for NTLM config example > > > Now that I am running Thunderbird on Linux and away from Windows/Outlook, I'd like to take > > another run at setting up NTLM authentication from Thunderbird to my Samba4 AC/DC. > > > > With the help of the samba maillist folks I was able to set up NTLM authentication for domain > > user login. I should be able to do the same for email! > > > > But, I need help. I went to http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and got > > lost immediately. Are "authenticaion submethods" synonymous with "password schemes"? The 7th > > line down says, "NTLM password scheme is required for NTLM, NTLM2 and NTLMv2.", but in the > > referenced link I found no reference to "NTLM password scheme". > > > > The links http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and > > http://wiki2.dovecot.org/Authentication/PasswordSchemes, tell you what the 4 NTLM > > authentication submethods are, tells you what password schemes are, tells you what the NTLM > > client/server handshake is, but doesn't actually tell you how to configure dovecot config > > files. I'm much more interested in the "how to" than in: "NTLMv2: server and client nonce, > > MITM can't force downgrade" ... whatever that means. > > > > Anyway, probably it's my lack of understanding terminology. I don't even know what a "nonce" > > is. But, I learn well from examples! Can somone please give me a sample 10-auth.conf for NTML > > and any other supporting settings or configs I need? 
> > > > My current/working dovecot settings, which have been running perfectly for well over a year > > now, are: > > > > $ dovecot -n > > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf > > # OS: Linux 3.10.17 x86_64 Slackware 14.1 > > auth_debug_passwords = yes > > auth_mechanisms = plain login > > auth_verbose = yes > > auth_verbose_passwords = plain > > disable_plaintext_auth = no > > info_log_path = /var/log/dovecot_info > > mail_location = maildir:~/Maildir > > passdb { > > driver = shadow > > } > > protocols = imap > > ssl_cert = > ssl_key = > userdb { > > driver = passwd > > } > > verbose_ssl = yes > > > > > > Here's what I've tried so far as 10-auth.conf: > > > > disable_plaintext_auth = no > > auth_use_winbind = yes > > info_log_path = /var/log/dovecot_info > > auth_verbose = yes > > auth_debug_passwords = yes > > auth_verbose_passwords= plain > > auth_winbind_helper_path = /usr/bin/ntlm_auth > > > > auth_mechanisms = ntlm plain login > > > > userdb { > > driver = passwd > > args = username_format=%n allow_all_users=yes > > > > } > > > > > > Which gives me a dovecot -n of: > > > > $ dovecot -n > > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf > > # OS: Linux 3.10.17 x86_64 Slackware 14.1 > > auth_debug_passwords = yes > > auth_mechanisms = ntlm plain login > > auth_use_winbind = yes > > auth_verbose = yes > > auth_verbose_passwords = plain > > disable_plaintext_auth = no > > info_log_path = /var/log/dovecot_info > > mail_location = maildir:~/Maildir > > protocols = imap > > ssl_cert = > ssl_key = > userdb { > > args = username_format=%n allow_all_users=yes > > driver = passwd > > } > > verbose_ssl = yes > > > > > > I configured Thunderbird for NTLM authentication, then tried sending a message, I got the > > following in /var/log/dovecot_info: > > > > Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges > > Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and 
ECDHE key exchanges > > Apr 22 01:37:57 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth > > Apr 22 01:37:57 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, session= > > > > > > On Thunderbird I got the error, "Sending of the message failed. The Outlgoing server (SMTP) > > my.server.name does not support the selected authentication method. Please change the > > 'Autnentication method' in 'Account Settings | Outgoing Server (SMTP)'." > > > > Clearly, something is configured wrong, but I've no clue what. > > > > Can I get some advice? > > > > THX --Mark > From dovecot-bounces at dovecot.org Fri Apr 22 02:07:47 2016 > Return-Path: > X-Virus-Status: Clean > X-Virus-Scanned: clamav-milter 0.98.6 at mail > X-Spam-Checker-Version: SpamAssassin 3.3.2-_revision__1.19__ (2011-06-06) on > mail.hprs.local > X-Spam-Level: > X-Spam-Status: No, score=-106.0 required=3.0 tests=USER_IN_WHITELIST, > USER_IN_WHITELIST_TO autolearn=unavailable version=3.3.2-_revision__1.19__ > X-Original-To: dovecot at dovecot.org > Delivered-To: dovecot at dovecot.org > X-Virus-Status: Clean > X-Virus-Scanned: clamav-milter 0.98.6 at mail > From: Mark Foley > Date: Fri, 22 Apr 2016 02:07:24 -0400 > Organization: Ohio Highway Patrol Retirement System > To: dovecot at dovecot.org > Subject: Looking for NTLM config example > User-Agent: Heirloom mailx 12.5 7/5/10 > Content-Type: text/plain; charset=us-ascii > X-BeenThere: dovecot at dovecot.org > X-Mailman-Version: 2.1.17 > Precedence: list > List-Id: Dovecot Mailing List > List-Unsubscribe: , > > List-Archive: > List-Post: > List-Help: > List-Subscribe: , > > Errors-To: dovecot-bounces at dovecot.org > Sender: "dovecot" > X-Spam-Report: > * -100 USER_IN_WHITELIST From: address is in the user's white-list > * -6.0 USER_IN_WHITELIST_TO User is listed in 'whitelist_to' > Status: R > > Now that I am running Thunderbird on Linux and 
away from Windows/Outlook, I'd like to take > another run at setting up NTLM authentication from Thunderbird to my Samba4 AC/DC. > > With the help of the samba maillist folks I was able to set up NTLM authentication for domain > user login. I should be able to do the same for email! > > But, I need help. I went to http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and got > lost immediately. Are "authenticaion submethods" synonymous with "password schemes"? The 7th > line down says, "NTLM password scheme is required for NTLM, NTLM2 and NTLMv2.", but in the > referenced link I found no reference to "NTLM password scheme". > > The links http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and > http://wiki2.dovecot.org/Authentication/PasswordSchemes, tell you what the 4 NTLM > authentication submethods are, tells you what password schemes are, tells you what the NTLM > client/server handshake is, but doesn't actually tell you how to configure dovecot config > files. I'm much more interested in the "how to" than in: "NTLMv2: server and client nonce, > MITM can't force downgrade" ... whatever that means. > > Anyway, probably it's my lack of understanding terminology. I don't even know what a "nonce" > is. But, I learn well from examples! Can somone please give me a sample 10-auth.conf for NTML > and any other supporting settings or configs I need? 
> > My current/working dovecot settings, which have been running perfectly for well over a year > now, are: > > $ dovecot -n > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf > # OS: Linux 3.10.17 x86_64 Slackware 14.1 > auth_debug_passwords = yes > auth_mechanisms = plain login > auth_verbose = yes > auth_verbose_passwords = plain > disable_plaintext_auth = no > info_log_path = /var/log/dovecot_info > mail_location = maildir:~/Maildir > passdb { > driver = shadow > } > protocols = imap > ssl_cert = ssl_key = userdb { > driver = passwd > } > verbose_ssl = yes > > > Here's what I've tried so far as 10-auth.conf: > > disable_plaintext_auth = no > auth_use_winbind = yes > info_log_path = /var/log/dovecot_info > auth_verbose = yes > auth_debug_passwords = yes > auth_verbose_passwords= plain > auth_winbind_helper_path = /usr/bin/ntlm_auth > > auth_mechanisms = ntlm plain login > > userdb { > driver = passwd > args = username_format=%n allow_all_users=yes > > } > > > Which gives me a dovecot -n of: > > $ dovecot -n > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf > # OS: Linux 3.10.17 x86_64 Slackware 14.1 > auth_debug_passwords = yes > auth_mechanisms = ntlm plain login > auth_use_winbind = yes > auth_verbose = yes > auth_verbose_passwords = plain > disable_plaintext_auth = no > info_log_path = /var/log/dovecot_info > mail_location = maildir:~/Maildir > protocols = imap > ssl_cert = ssl_key = userdb { > args = username_format=%n allow_all_users=yes > driver = passwd > } > verbose_ssl = yes > > > I configured Thunderbird for NTLM authentication, then tried sending a message, I got the > following in /var/log/dovecot_info: > > Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges > Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges > Apr 22 01:37:57 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth > Apr 22 01:37:57 imap-login: Info: 
Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, session= > > > On Thunderbird I got the error, "Sending of the message failed. The Outlgoing server (SMTP) > my.server.name does not support the selected authentication method. Please change the > 'Autnentication method' in 'Account Settings | Outgoing Server (SMTP)'." > > Clearly, something is configured wrong, but I've no clue what. > > Can I get some advice? > > THX --Mark --- Aki Tuomi From aki.tuomi at dovecot.fi Sun Jun 26 12:08:03 2016 From: aki.tuomi at dovecot.fi (aki.tuomi at dovecot.fi) Date: Sun, 26 Jun 2016 15:08:03 +0300 (EEST) Subject: Looking for NTLM config example In-Reply-To: <201606251643.u5PGh6ZI004436@mail.hprs.local> References: <201604220607.u3M67ODM006995@mail.hprs.local> <201606251643.u5PGh6ZI004436@mail.hprs.local> Message-ID: <1091380044.5867.1466942884603@appsuite-dev.open-xchange.com> Also it seems we lack support for NTLMv2. If you want to use NTLM you need to permit use of NTLM(v1), which is usually not enabled by default. Aki > On June 25, 2016 at 7:43 PM Mark Foley wrote: > > > I've asked this several times over the past year with essentially zero responses. I'll keep it simple: > > Does NTLM authentication work in Dovecot? > > I'll post this one last time. If I still have no responses I'll have to conclude that no one > has actually tried this authentication method and it therefore does not work. > > Thanks, --Mark > > -----Original Message----- > From: Mark Foley > Date: Fri, 22 Apr 2016 02:07:24 -0400 > Organization: Ohio Highway Patrol Retirement System > To: dovecot at dovecot.org > Subject: Looking for NTLM config example > > > Now that I am running Thunderbird on Linux and away from Windows/Outlook, I'd like to take > > another run at setting up NTLM authentication from Thunderbird to my Samba4 AC/DC. 
> > > > With the help of the samba maillist folks I was able to set up NTLM authentication for domain > > user login. I should be able to do the same for email! > > > > But, I need help. I went to http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and got > > lost immediately. Are "authenticaion submethods" synonymous with "password schemes"? The 7th > > line down says, "NTLM password scheme is required for NTLM, NTLM2 and NTLMv2.", but in the > > referenced link I found no reference to "NTLM password scheme". > > > > The links http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and > > http://wiki2.dovecot.org/Authentication/PasswordSchemes, tell you what the 4 NTLM > > authentication submethods are, tells you what password schemes are, tells you what the NTLM > > client/server handshake is, but doesn't actually tell you how to configure dovecot config > > files. I'm much more interested in the "how to" than in: "NTLMv2: server and client nonce, > > MITM can't force downgrade" ... whatever that means. > > > > Anyway, probably it's my lack of understanding terminology. I don't even know what a "nonce" > > is. But, I learn well from examples! Can somone please give me a sample 10-auth.conf for NTML > > and any other supporting settings or configs I need? 
> > > > My current/working dovecot settings, which have been running perfectly for well over a year > > now, are: > > > > $ dovecot -n > > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf > > # OS: Linux 3.10.17 x86_64 Slackware 14.1 > > auth_debug_passwords = yes > > auth_mechanisms = plain login > > auth_verbose = yes > > auth_verbose_passwords = plain > > disable_plaintext_auth = no > > info_log_path = /var/log/dovecot_info > > mail_location = maildir:~/Maildir > > passdb { > > driver = shadow > > } > > protocols = imap > > ssl_cert = > ssl_key = > userdb { > > driver = passwd > > } > > verbose_ssl = yes > > > > > > Here's what I've tried so far as 10-auth.conf: > > > > disable_plaintext_auth = no > > auth_use_winbind = yes > > info_log_path = /var/log/dovecot_info > > auth_verbose = yes > > auth_debug_passwords = yes > > auth_verbose_passwords= plain > > auth_winbind_helper_path = /usr/bin/ntlm_auth > > > > auth_mechanisms = ntlm plain login > > > > userdb { > > driver = passwd > > args = username_format=%n allow_all_users=yes > > > > } > > > > > > Which gives me a dovecot -n of: > > > > $ dovecot -n > > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf > > # OS: Linux 3.10.17 x86_64 Slackware 14.1 > > auth_debug_passwords = yes > > auth_mechanisms = ntlm plain login > > auth_use_winbind = yes > > auth_verbose = yes > > auth_verbose_passwords = plain > > disable_plaintext_auth = no > > info_log_path = /var/log/dovecot_info > > mail_location = maildir:~/Maildir > > protocols = imap > > ssl_cert = > ssl_key = > userdb { > > args = username_format=%n allow_all_users=yes > > driver = passwd > > } > > verbose_ssl = yes > > > > > > I configured Thunderbird for NTLM authentication, then tried sending a message, I got the > > following in /var/log/dovecot_info: > > > > Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges > > Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and 
ECDHE key exchanges > > Apr 22 01:37:57 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth > > Apr 22 01:37:57 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, session= > > > > > > On Thunderbird I got the error, "Sending of the message failed. The Outlgoing server (SMTP) > > my.server.name does not support the selected authentication method. Please change the > > 'Autnentication method' in 'Account Settings | Outgoing Server (SMTP)'." > > > > Clearly, something is configured wrong, but I've no clue what. > > > > Can I get some advice? > > > > THX --Mark > From dovecot-bounces at dovecot.org Fri Apr 22 02:07:47 2016 > Return-Path: > X-Virus-Status: Clean > X-Virus-Scanned: clamav-milter 0.98.6 at mail > X-Spam-Checker-Version: SpamAssassin 3.3.2-_revision__1.19__ (2011-06-06) on > mail.hprs.local > X-Spam-Level: > X-Spam-Status: No, score=-106.0 required=3.0 tests=USER_IN_WHITELIST, > USER_IN_WHITELIST_TO autolearn=unavailable version=3.3.2-_revision__1.19__ > X-Original-To: dovecot at dovecot.org > Delivered-To: dovecot at dovecot.org > X-Virus-Status: Clean > X-Virus-Scanned: clamav-milter 0.98.6 at mail > From: Mark Foley > Date: Fri, 22 Apr 2016 02:07:24 -0400 > Organization: Ohio Highway Patrol Retirement System > To: dovecot at dovecot.org > Subject: Looking for NTLM config example > User-Agent: Heirloom mailx 12.5 7/5/10 > Content-Type: text/plain; charset=us-ascii > X-BeenThere: dovecot at dovecot.org > X-Mailman-Version: 2.1.17 > Precedence: list > List-Id: Dovecot Mailing List > List-Unsubscribe: , > > List-Archive: > List-Post: > List-Help: > List-Subscribe: , > > Errors-To: dovecot-bounces at dovecot.org > Sender: "dovecot" > X-Spam-Report: > * -100 USER_IN_WHITELIST From: address is in the user's white-list > * -6.0 USER_IN_WHITELIST_TO User is listed in 'whitelist_to' > Status: R > > Now that I am running Thunderbird on Linux and 
away from Windows/Outlook, I'd like to take > another run at setting up NTLM authentication from Thunderbird to my Samba4 AC/DC. > > With the help of the samba maillist folks I was able to set up NTLM authentication for domain > user login. I should be able to do the same for email! > > But, I need help. I went to http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and got > lost immediately. Are "authenticaion submethods" synonymous with "password schemes"? The 7th > line down says, "NTLM password scheme is required for NTLM, NTLM2 and NTLMv2.", but in the > referenced link I found no reference to "NTLM password scheme". > > The links http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and > http://wiki2.dovecot.org/Authentication/PasswordSchemes, tell you what the 4 NTLM > authentication submethods are, tells you what password schemes are, tells you what the NTLM > client/server handshake is, but doesn't actually tell you how to configure dovecot config > files. I'm much more interested in the "how to" than in: "NTLMv2: server and client nonce, > MITM can't force downgrade" ... whatever that means. > > Anyway, probably it's my lack of understanding terminology. I don't even know what a "nonce" > is. But, I learn well from examples! Can somone please give me a sample 10-auth.conf for NTML > and any other supporting settings or configs I need? 
>
> My current/working dovecot settings, which have been running perfectly for well over a year
> now, are:
>
> $ dovecot -n
> # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> # OS: Linux 3.10.17 x86_64 Slackware 14.1
> auth_debug_passwords = yes
> auth_mechanisms = plain login
> auth_verbose = yes
> auth_verbose_passwords = plain
> disable_plaintext_auth = no
> info_log_path = /var/log/dovecot_info
> mail_location = maildir:~/Maildir
> passdb {
>   driver = shadow
> }
> protocols = imap
> ssl_cert =
> ssl_key =
> userdb {
>   driver = passwd
> }
> verbose_ssl = yes
>
>
> Here's what I've tried so far as 10-auth.conf:
>
> disable_plaintext_auth = no
> auth_use_winbind = yes
> info_log_path = /var/log/dovecot_info
> auth_verbose = yes
> auth_debug_passwords = yes
> auth_verbose_passwords= plain
> auth_winbind_helper_path = /usr/bin/ntlm_auth
>
> auth_mechanisms = ntlm plain login
>
> userdb {
>   driver = passwd
>   args = username_format=%n allow_all_users=yes
>
> }
>
>
> Which gives me a dovecot -n of:
>
> $ dovecot -n
> # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> # OS: Linux 3.10.17 x86_64 Slackware 14.1
> auth_debug_passwords = yes
> auth_mechanisms = ntlm plain login
> auth_use_winbind = yes
> auth_verbose = yes
> auth_verbose_passwords = plain
> disable_plaintext_auth = no
> info_log_path = /var/log/dovecot_info
> mail_location = maildir:~/Maildir
> protocols = imap
> ssl_cert =
> ssl_key =
> userdb {
>   args = username_format=%n allow_all_users=yes
>   driver = passwd
> }
> verbose_ssl = yes
>
>
> I configured Thunderbird for NTLM authentication, then tried sending a message, I got the
> following in /var/log/dovecot_info:
>
> Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> Apr 22 01:37:57 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
> Apr 22 01:37:57 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, session=
>
>
> On Thunderbird I got the error, "Sending of the message failed. The Outgoing server (SMTP)
> my.server.name does not support the selected authentication method. Please change the
> 'Authentication method' in 'Account Settings | Outgoing Server (SMTP)'."
>
> Clearly, something is configured wrong, but I've no clue what.
>
> Can I get some advice?
>
> THX --Mark

---
Aki Tuomi

From edgar at pettijohn-web.com Sun Jun 26 14:42:07 2016
From: edgar at pettijohn-web.com (Edgar Pettijohn)
Date: Sun, 26 Jun 2016 09:42:07 -0500
Subject: Postfix and Dovecot LDA vs. LMTP
In-Reply-To:
References: <010101d1ce34$46d88030$d4898090$@mefox.org> <00d901d1cf00$17c76c30$47564490$@mefox.org> <5f078837e4effb4ccd72f706884076af.squirrel@weitan.org> <576F7B1D.9080300@heinlein-support.de>
Message-ID:

Sent from my iPhone

> On Jun 26, 2016, at 2:22 AM, phil wrote:
>
>
>> On 26/06/2016 4:50 PM, Peer Heinlein wrote:
>> On 25.06.2016 at 21:52, "Jan B?ren" wrote:
>>
>>
>>>> I've been trying to obtain an English copy of the Dovecot book for months,
>>>> prior to starting this project. So far, I just can't find a copy. It's
>>>> too
>>>> bad that the author/publisher won't do a second printing or, if they're
>>>> not
>>>> interested in making any more money, then release it to the public domain
>>
>> The book company had to shut down their business last December.
>>
>> It took some time to get the copyrights back, to talk to some other book
>> companies and to get everything ready. Actually we're on the way to get
>> the book back into the shop into the next few weeks.
>>
>> Peer
> In English as well this time Peer?
> I will buy a copy if it is available in English . . .
>
Me too.

From news at mefox.org Sun Jun 26 16:16:16 2016
From: news at mefox.org (Michael Fox)
Date: Sun, 26 Jun 2016 09:16:16 -0700
Subject: Postfix and Dovecot LDA vs. LMTP
In-Reply-To: <576F7B1D.9080300@heinlein-support.de>
References: <010101d1ce34$46d88030$d4898090$@mefox.org> <00d901d1cf00$17c76c30$47564490$@mefox.org> <5f078837e4effb4ccd72f706884076af.squirrel@weitan.org> <576F7B1D.9080300@heinlein-support.de>
Message-ID: <006101d1cfc6$11b16e10$35144a30$@mefox.org>

> Actually we're on the way to get
> the book back into the shop into the next few weeks.
>
> Peer

That's great news! English version please!

Michael

From jeffgamsby at merlock.com Sun Jun 26 18:56:15 2016
From: jeffgamsby at merlock.com (Jeff Gamsby)
Date: Sun, 26 Jun 2016 11:56:15 -0700
Subject: fts_solr not working
In-Reply-To: <1747793449.2992.1466706297365@appsuite-dev.open-xchange.com>
References: <150f6983.AEQADtVCpeIAAAAAAAAAAAKUPdkAAAAAAAIAAAAAAAZosgBXbCU0@mailjet.com> <1747793449.2992.1466706297365@appsuite-dev.open-xchange.com>
Message-ID: <39f44c88.AEEADyjI2VQAAAAAAAAAAAKUPdkAAAAAAAIAAAAAAAZosgBXcCVe@mailjet.com>

On 2016-06-23 11:24, aki.tuomi at dovecot.fi wrote:
>> On June 23, 2016 at 9:06 PM Jeff Gamsby
>> wrote:
>>
>>
>> I am running ISPConfig 3 on Debian and have managed to install the
>> dovecot-solr and dovecot-fts plugins.
>>
>> I have solr running under tomcat at http://localhost:8880 but the
>> indexing is not working.
>>
>> I am using Dovecot 2.17
>>
>> I do not understand namespaces and why fts_solr needs them, I just
>> want
>> to index the entire users Maildir.
>>
>> I am trying to index a users mailbox but am getting the following
>> error:
>>
>> (changed user name)
>> doveadm fts rescan -u user@user.com inbox
>> doveadm(user@user.com): Error: Namespace prefix not found: inbox
>>
>> running that in debug mode gives:
>>
>> doveadm(root): Debug: Loading modules from directory:
>> /usr/lib/dovecot/modules
>> doveadm(root): Debug: Module loaded:
>> /usr/lib/dovecot/modules/lib20_fts_plugin.so
>> doveadm(root): Debug: Module loaded:
>> /usr/lib/dovecot/modules/lib21_fts_solr_plugin.so
>> doveadm(root): Debug: Loading modules from directory:
>> /usr/lib/dovecot/modules/doveadm
>> doveadm(root): Debug: Skipping module doveadm_acl_plugin, because
>> dlopen() failed:
>> /usr/lib/dovecot/modules/doveadm/lib10_doveadm_acl_plugin.so:
>> undefined
>> symbol: acl_user_module (this is usually intentional, so just ignore
>> this message)
>> doveadm(root): Debug: Skipping module doveadm_expire_plugin, because
>> dlopen() failed:
>> /usr/lib/dovecot/modules/doveadm/lib10_doveadm_expire_plugin.so:
>> undefined symbol: expire_set_deinit (this is usually intentional, so
>> just ignore this message)
>> doveadm(root): Debug: Skipping module doveadm_quota_plugin, because
>> dlopen() failed:
>> /usr/lib/dovecot/modules/doveadm/lib10_doveadm_quota_plugin.so:
>> undefined symbol: quota_user_module (this is usually intentional, so
>> just ignore this message)
>> doveadm(root): Debug: Skipping module doveadm_zlib_plugin, because
>> dlopen() failed:
>> /usr/lib/dovecot/modules/doveadm/lib10_doveadm_zlib_plugin.so:
>> undefined
>> symbol: i_stream_create_deflate (this is usually intentional, so just
>> ignore this message)
>> doveadm(root): Debug: Module loaded:
>> /usr/lib/dovecot/modules/doveadm/lib20_doveadm_fts_plugin.so
>> doveadm(user@user.com): Debug: Added userdb setting:
>> mail=maildir:/var/vmail/user.com/user/Maildir
>> doveadm(user@user.com): Debug: Added userdb setting:
>> plugin/quota_rule=*:storage=0B
>> doveadm(user@user.com): Debug: Added userdb setting:
>> plugin/sieve=/var/vmail/user.com/user/.sieve
>> doveadm(user@user.com): Debug: Effective uid=5000, gid=5000,
>> home=/var/vmail/user.com/user
>> doveadm(user@user.com): Debug: Namespace inbox: type=private, prefix=,
>> sep=, inbox=yes, hidden=no, list=yes, subscriptions=yes
>> location=maildir:/var/vmail/user.com/user/Maildir
>> doveadm(user@user.com): Debug: maildir++:
>> root=/var/vmail/user.com/user/Maildir, index=, control=,
>> inbox=/var/vmail/user.com/user/Maildir, alt=
>> doveadm(user@user.com): Debug: fts: No fts setting - plugin disabled
>> doveadm(user@user.com): Error: Namespace prefix not found: inbox
>>
>> in conf.d/10-mail.conf I have this namespace defined:
>>
>> namespace inbox {
>> # Namespace type: private, shared or public
>> #type = private
>>
>> # Hierarchy separator to use. You should use the same separator for
>> all
>> # namespaces or some clients get confused. '/' is usually a good
>> one.
>> # The default however depends on the underlying mail storage
>> format.
>> #separator =
>>
>> # Prefix required to access this namespace. This needs to be
>> different
>> for
>> # all namespaces. For example "Public/".
>> #prefix =
>>
>> # Physical location of the mailbox. This is in same format as
>> # mail_location, which is also the default for it.
>> #location =
>>
>> # There can be only one INBOX, and this setting defines which
>> namespace
>> # has it.
>> inbox = yes
>>
>> # If namespace is hidden, it's not advertised to clients via
>> NAMESPACE
>> # extension. You'll most likely also want to set list=no. This is
>> mostly
>> # useful when converting from another server with different
>> namespaces
>> which
>> # you want to deprecate but still keep working. For example you can
>> create
>> # hidden namespaces with prefixes "~/mail/", "~%u/mail/" and
>> "mail/".
>> #hidden = no
>> protocol imap {
>> plugin {
>> fts = solr
>> fts_solr = break-imap-search url=http://localhost:8880/solr/
>> }
>> }
>> protocol pop3 {
>> plugin {
>> fts = solr
>> fts_solr = break-imap-search url=http://localhost:8880/solr/
>> }
>>
>> # Show the mailboxes under this namespace with LIST command. This
>> makes the
>> # namespace visible for clients that don't support NAMESPACE
>> extension.
>> # "children" value lists child mailboxes, but hides the namespace
>> prefix.
>> #list = yes
>>
>> # Namespace handles its own subscriptions. If set to "no", the
>> parent
>> # namespace handles them (empty prefix should always have this as
>> "yes")
>> #subscriptions = yes
>> }
>>
>>
>> I had to put this in dovecot.conf in order for the plugin to be
>> enabled:
>>
>> mail_plugins = fts fts_solr
>>
>> solr is reachable at localhost:8880/solr and appears to be working.
>>
>> Please help, any suggestions are welcome
>>
>> Thanks
>
> Can you please send doveconf -n?
> ---
> Aki Tuomi

I managed to get fts_solr working and now I can index mailboxes, but I
am getting a solr error and cannot use the indexes that were created

I get:

Error: fts_solr: Lookup failed: Internal Server Error

dovecot -n
# 2.2.13: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-4-amd64 x86_64 Debian 7.1
auth_mechanisms = plain login
default_vsz_limit = 2 G
disable_plaintext_auth = no
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
listen = *,[::]
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_plugins = fts fts_solr
mail_privileged_group = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace inbox {
  inbox = yes
  location =
  prefix =
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}
plugin {
  fts = solr
  fts_autoindex = yes
  fts_solr = break-imap-search url=http://localhost:8880/solr/
  quota = dict:user::file:/var/vmail/%d/%n/.quotausage
  sieve = ~/.dovecot.sieve
  sieve_after = /etc/sieve/after
  sieve_before = /etc/sieve/before
  sieve_default = /var/vmail/sieve/default.sieve
  sieve_dir = ~/sieve
}
protocols = imap pop3
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  unix_listener auth-master {
    group = vmail
    mode = 0660
    user = vmail
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0600
    user = vmail
  }
  user = root
}
service imap-login {
  client_limit = 1000
  process_limit = 500
}
service imap {
  vsz_limit = 2 G
}
ssl_cert =

Hi,

I'm doing a backup from a Cyrus to a Dovecot (2.2.24) instance.
On the dovecot side (localhost) I'm running

    doveadm \
        -o mail_plugins= \
        -o imapc_master_user=cyrus \
        -o imapc_password= \
        -o imapc_host= \
        \
        -o imapc_ssl_verify=no \
        -o imapc_ssl=imaps \
        -o imapc_port=993 \
        backup -f -u "heiko" -R imapc:

dsync(heiko): Warning: Deleting mailbox 'Trash': UID=18290 already exists locally for a different mail: highest than remote's UIDs (remote UIDNEXT=19588)

The destination (local system) does not change while running backup, the
remote system (cyrus) can't be stopped while running this backup.

Repeating the above command sometimes helps, sometimes not. Sometimes
the names of the mailboxes dsync deletes change?

Any idea how to stabilize it? I'm talking about cca 4500 mailboxes.

    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
--
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -

From mfoley at ohprs.org Mon Jun 27 04:31:14 2016
From: mfoley at ohprs.org (Mark Foley)
Date: Mon, 27 Jun 2016 00:31:14 -0400
Subject: Looking for GSSAPI config [was: Looking for NTLM config example]
In-Reply-To: <10036776.5864.1466938851255@appsuite-dev.open-xchange.com>
References: <201604220607.u3M67ODM006995@mail.hprs.local> <201606251643.u5PGh6ZI004436@mail.hprs.local> <10036776.5864.1466938851255@appsuite-dev.open-xchange.com>
Message-ID: <201606270431.u5R4VEfP004658@mail.hprs.local>

Thanks for the reply. When you say it [NTLM] "should" work, I understand you to be implying
you've not actually tried NTLM yourself, right? I've never gotten a response from someone
saying they have or are actually using it. Your subsequent messages about NTLM v[1|2] may be
the problem, but email clients I've tried (Outlook, Thunderbird) don't really give a choice.

That's OK, I'd be glad to try something different that would work!!! I am trying your advice
for gssapi. I've followed the instructions at
http://wiki2.dovecot.org/Authentication/Kerberos. In my 10-auth.conf I changed the
auth_mechanism line to:

auth_mechanisms = plain login gssapi

Which is only different from before with the addition of "gssapi". That's all I've done. I'm
using the same userdb as before which is /etc/passwd. My doveconf -n is:

----------SNIP------------
> doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain login gssapi
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert = , rip=192.168.0.99, lip=98.102.63.107, session=

So, any idea why this is not working? I'll say up-front that I do not have the auth_krb5_keytab
configured in 10-auth.conf. I could find no such file on the host running Dovecot. Is that file
needed? If so, I've got a message in to the Samba4 folks asking where it is located.

I'm also using Dovecot 2.2.15. Too old?

Do you think auth_krb5_keytab is my problem or something deeper?

THX --Mark

-----Original Message-----
> Date: Sun, 26 Jun 2016 14:00:49 +0300 (EEST)
> From: aki.tuomi at dovecot.fi
> To: dovecot at dovecot.org
> Subject: Re: Looking for NTLM config example
>
> It should work. Although if you are using linux server you might want to use gssapi instead.
>
> > On June 25, 2016 at 7:43 PM Mark Foley wrote:
> >
> >
> > I've asked this several times over the past year with essentially zero responses. I'll keep it simple:
> >
> > Does NTLM authentication work in Dovecot?
> >
> > I'll post this one last time. If I still have no responses I'll have to conclude that no one
> > has actually tried this authentication method and it therefore does not work.
> >
> > Thanks, --Mark
> >
> > -----Original Message-----
> > From: Mark Foley
> > Date: Fri, 22 Apr 2016 02:07:24 -0400
> > Organization: Ohio Highway Patrol Retirement System
> > To: dovecot at dovecot.org
> > Subject: Looking for NTLM config example
> >
> > > Now that I am running Thunderbird on Linux and away from Windows/Outlook, I'd like to take
> > > another run at setting up NTLM authentication from Thunderbird to my Samba4 AC/DC.
> > >
> > > With the help of the samba maillist folks I was able to set up NTLM authentication for domain
> > > user login. I should be able to do the same for email!
> > >
> > > But, I need help. I went to http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and got
> > > lost immediately. Are "authentication submethods" synonymous with "password schemes"? The 7th
> > > line down says, "NTLM password scheme is required for NTLM, NTLM2 and NTLMv2.", but in the
> > > referenced link I found no reference to "NTLM password scheme".
> > >
> > > The links http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and
> > > http://wiki2.dovecot.org/Authentication/PasswordSchemes, tell you what the 4 NTLM
> > > authentication submethods are, tells you what password schemes are, tells you what the NTLM
> > > client/server handshake is, but doesn't actually tell you how to configure dovecot config
> > > files. I'm much more interested in the "how to" than in: "NTLMv2: server and client nonce,
> > > MITM can't force downgrade" ... whatever that means.
> > >
> > > Anyway, probably it's my lack of understanding terminology. I don't even know what a "nonce"
> > > is. But, I learn well from examples! Can someone please give me a sample 10-auth.conf for NTLM
> > > and any other supporting settings or configs I need?
> > >
> > > My current/working dovecot settings, which have been running perfectly for well over a year
> > > now, are:
> > >
> > > $ dovecot -n
> > > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> > > # OS: Linux 3.10.17 x86_64 Slackware 14.1
> > > auth_debug_passwords = yes
> > > auth_mechanisms = plain login
> > > auth_verbose = yes
> > > auth_verbose_passwords = plain
> > > disable_plaintext_auth = no
> > > info_log_path = /var/log/dovecot_info
> > > mail_location = maildir:~/Maildir
> > > passdb {
> > >   driver = shadow
> > > }
> > > protocols = imap
> > > ssl_cert =
> > > ssl_key =
> > > userdb {
> > >   driver = passwd
> > > }
> > > verbose_ssl = yes
> > >
> > >
> > > Here's what I've tried so far as 10-auth.conf:
> > >
> > > disable_plaintext_auth = no
> > > auth_use_winbind = yes
> > > info_log_path = /var/log/dovecot_info
> > > auth_verbose = yes
> > > auth_debug_passwords = yes
> > > auth_verbose_passwords= plain
> > > auth_winbind_helper_path = /usr/bin/ntlm_auth
> > >
> > > auth_mechanisms = ntlm plain login
> > >
> > > userdb {
> > >   driver = passwd
> > >   args = username_format=%n allow_all_users=yes
> > >
> > > }
> > >
> > >
> > > Which gives me a dovecot -n of:
> > >
> > > $ dovecot -n
> > > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> > > # OS: Linux 3.10.17 x86_64 Slackware 14.1
> > > auth_debug_passwords = yes
> > > auth_mechanisms = ntlm plain login
> > > auth_use_winbind = yes
> > > auth_verbose = yes
> > > auth_verbose_passwords = plain
> > > disable_plaintext_auth = no
> > > info_log_path = /var/log/dovecot_info
> > > mail_location = maildir:~/Maildir
> > > protocols = imap
> > > ssl_cert =
> > > ssl_key =
> > > userdb {
> > >   args = username_format=%n allow_all_users=yes
> > >   driver = passwd
> > > }
> > > verbose_ssl = yes
> > >
> > >
> > > I configured Thunderbird for NTLM authentication, then tried sending a message, I got the
> > > following in /var/log/dovecot_info:
> > >
> > > Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> > > Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> > > Apr 22 01:37:57 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
> > > Apr 22 01:37:57 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, session=
> > >
> > >
> > > On Thunderbird I got the error, "Sending of the message failed. The Outgoing server (SMTP)
> > > my.server.name does not support the selected authentication method. Please change the
> > > 'Authentication method' in 'Account Settings | Outgoing Server (SMTP)'."
> > >
> > > Clearly, something is configured wrong, but I've no clue what.
> > >
> > > Can I get some advice?
> > >
> > > THX --Mark
>
> ---
> Aki Tuomi

From hs at schlittermann.de Mon Jun 27 05:28:59 2016
From: hs at schlittermann.de (Heiko Schlittermann)
Date: Mon, 27 Jun 2016 07:28:59 +0200
Subject: dsync unstable? (other strange detail)
Message-ID: <20160627052859.GQ7131@jumper.schlittermann.de>

Hi,

I'm trying to migrate from Cyrus (remote side) to Dovecot 2.2.24 (local).
On the local side the destinations folders, and indexes are empty.

The command I'm using is

    doveadm \
        -o mail_plugins= \
        -o imapc_master_user= \
        -o imapc_password= \
        -o imapc_host= \
        \
        -o imapc_ssl_verify=no \
        -o imapc_ssl=imaps \
        -o imapc_port=993 \
        backup -f -u "heiko" -R imapc: \
    || {
        rc=$?
        echo "EXIT: $rc" >&2
        exit $rc
    }

On successive runs of the above command I get:

dsync(heiko): Warning: Deleting mailbox 'Serververwaltung.Mailinglisten Anforderung': UID=16 GUID= is missing locally
EXIT: 75
dsync(heiko): Warning: Deleting mailbox 'Serververwaltung.Mailman': UID=2 GUID= is missing locally
EXIT: 75
dsync(heiko): Warning: Deleting mailbox 'Serververwaltung.Servermeldungen': UID=514 GUID= is missing locally
EXIT: 75
dsync(heiko): Warning: Deleting mailbox 'Serververwaltung.Servermeldungen.AIDE': UID=188292 GUID= is missing locally
EXIT: 75
dsync(heiko): Warning: Deleting mailbox 'Serververwaltung.Servermeldungen.AIDE.AIDE - 2012': UID=9343 GUID= is missing locally
EXIT: 75

Any idea where to look next? Is 'doveadm backup' the wrong tool for such
migration? (I'd say with about 2.2.9 I had similar problems, but at
least it didn't stop at every subfolder.)

    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
--
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -

From aki.tuomi at dovecot.fi Mon Jun 27 06:18:54 2016
From: aki.tuomi at dovecot.fi (Aki Tuomi)
Date: Mon, 27 Jun 2016 09:18:54 +0300
Subject: Looking for GSSAPI config [was: Looking for NTLM config example]
In-Reply-To: <201606270431.u5R4VEfP004658@mail.hprs.local>
References: <201604220607.u3M67ODM006995@mail.hprs.local> <201606251643.u5PGh6ZI004436@mail.hprs.local> <10036776.5864.1466938851255@appsuite-dev.open-xchange.com> <201606270431.u5R4VEfP004658@mail.hprs.local>
Message-ID: <5770C54E.50102@dovecot.fi>

On 27.06.2016 07:31, Mark Foley wrote:
> Thanks for the reply. When you say it [NTLM] "should" work, I understand you to be implying
> you've not actually tried NTLM yourself, right? I've never gotten a response from someone
> saying they have or are actually using it. Your subsequent messages about NTLM v[1|2] may be
> the problem, but email clients I've tried (Outlook, Thunderbird) don't really give a choice.
>
> That's OK, I'd be glad to try something different that would work!!! I am trying your advice
> for gssapi. I've followed the instructions at
> http://wiki2.dovecot.org/Authentication/Kerberos. In my 10-auth.conf I changed the
> auth_mechanism line to:
>
> auth_mechanisms = plain login gssapi
>
> Which is only different from before with the addition of "gssapi". That's all I've done. I'm
> using the same userdb as before which is /etc/passwd. My doveconf -n is:
>
> ----------SNIP------------
>> doveconf -n
> # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> # OS: Linux 3.10.17 x86_64 Slackware 14.1
> auth_debug_passwords = yes
> auth_mechanisms = plain login gssapi
> auth_verbose = yes
> auth_verbose_passwords = plain
> disable_plaintext_auth = no
> info_log_path = /var/log/dovecot_info
> mail_location = maildir:~/Maildir
> passdb {
>   driver = shadow
> }
> protocols = imap
> ssl_cert =
> ssl_key =
> userdb {
>   driver = passwd
> }
> verbose_ssl = yes
> ------------PINS-------------
>
> I attempted to connect from Thunderbird on Ubuntu 15.10 to Dovecot on a Slackware 14.1 AD/DC. I
> selected "Kerberos/GSSAPI" as the authentication method on Tbird. When trying the connection I
> got the following in my Dovecot log:
>
> Jun 27 00:04:54 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> Jun 27 00:04:54 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> Jun 27 00:04:54 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
> Jun 27 00:04:54 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
> Jun 27 00:04:54 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.168.0.99, lip=98.102.63.107, session=
>
> So, any idea why this is not working? I'll say up-front that I do not have the auth_krb5_keytab
> configured in 10-auth.conf. I could find no such file on the host running Dovecot. Is that file
> needed? If so, I've got a message in to the Samba4 folks asking where it is located.
>
> I'm also using Dovecot 2.2.15. Too old?
>
> Do you think auth_krb5_keytab is my problem or something deeper?
>
> THX --Mark
>

You need to set up a keytab. I'll assume you know nothing about kerberos, so
please if you already knew all this, sorry.

For kerberos to work PROPERLY you need to have

1. Functional AD or Kerberos environment
2. Time synced against your KDC (which is your Domain Controller on Windows)
3. /etc/krb5.conf configured
4. Both forward / reverse DNS names correct for clients and servers. Reverse
   is only mandatory for servers, but having them right will work wonders.
   Most kerberos problems are about DNS problems.
5. You need a keytab. This keytab needs to hold entries like
   IMAP/your.host.name@REALM and IMAP/$HOSTNAME@REALM. You can generate
   these on any Windows DC server (at least).

Only bullet 5. is about Dovecot really, but since this is usually rather
hard to gather information, I'll recap these things here:

2. Time sync

Install ntpd and configure it to use *your* *ad* *server*. (Not some
generic service).

3. /etc/krb5.conf

Here is a *SAMPLE* configuration:

[libdefaults]
        default_realm = YOUR.REALM
        dns_lookup_kdc = true
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
        fcc-mit-ticketflags = true

[realms]
        YOUR.REALM = {
                default_domain = your.domain.name
                auth_to_local_names = {
                        Administrator = root
                }
        }

[domain_realm]
        your.domain.name = YOUR.REALM
        # this is not a mistake
        .your.domain.name = YOUR.REALM

[login]
        krb4_convert = true
        krb4_get_tickets = false

Note that some windows environments require additional configuration to
get this working.

4. Forward/reverse DNS.

For your *server* this is *absolutely* a must. It has to match for your
clients and your server. So if your server name is mail.example.org, and
it has IP 10.0.2.3, then 10.0.2.3 MUST resolve to mail.example.org. It
will give you strange and convoluted errors otherwise.

5. Keytab

This is a bit tricky to generate, and there are various ways to do this.
You can install samba, join it to your domain and use the samba tools to
generate a keytab. It's not a bad idea, just remember to add the required
spn's (service principal names) to the machine account. setspn -q is
helpful here, also setspn command in general.

You can use either system keytab file (/etc/krb5.keytab), or you can put
the dovecot specific (mainly IMAP/something) into a dedicated keytab for
the service. Either way you need to tell dovecot about it with the
auth_krb5_keytab setting.

You should have at least the following entries in your keytab file. You
can see them with klist -k /path/to/keytab. The KVNO can be different.

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/mail.example.org@EXAMPLE.ORG
   3 host/mail.example.org@EXAMPLE.ORG
   3 host/mail.example.org@EXAMPLE.ORG
   3 host/mail.example.org@EXAMPLE.ORG
   3 host/mail.example.org@EXAMPLE.ORG
   3 IMAP/mail.example.org@EXAMPLE.ORG
   3 host/MAIL@EXAMPLE.ORG
   3 host/MAIL@EXAMPLE.ORG
   3 host/MAIL@EXAMPLE.ORG
   3 host/MAIL@EXAMPLE.ORG
   3 host/MAIL@EXAMPLE.ORG
   3 IMAP/MAIL@EXAMPLE.ORG
   3 MAIL$@EXAMPLE.ORG
   3 MAIL$@EXAMPLE.ORG
   3 MAIL$@EXAMPLE.ORG
   3 MAIL$@EXAMPLE.ORG
   3 MAIL$@EXAMPLE.ORG

This will at least get you somewhere. Kerberos is notoriously hard to
debug, but it usually is about

a) DNS
b) Keytab
c) Mismatch of some name somewhere
d) Encryption type support

Also, note that kerberos can only act as an AUTHENTICATION system. It
cannot act as a USER DATABASE. For that you need to configure LDAP or
something else. With Active Directory LDAP is probably a damn good idea.

If you want to try with something else first, which I recommend for the
server in any case, is to see if you can get sssd working with Kerberos
and LDAP. If you get that working, it's not very difficult anymore to get
Dovecot running with it.
---- Aki Tuomi Dovecot oy From aki.tuomi at dovecot.fi Mon Jun 27 06:32:11 2016 From: aki.tuomi at dovecot.fi (Aki Tuomi) Date: Mon, 27 Jun 2016 09:32:11 +0300 Subject: fts_solr not working In-Reply-To: <39f44c88.AEEADyjI2VQAAAAAAAAAAAKUPdkAAAAAAAIAAAAAAAZosgBXcCVe@mailjet.com> References: <150f6983.AEQADtVCpeIAAAAAAAAAAAKUPdkAAAAAAAIAAAAAAAZosgBXbCU0@mailjet.com> <1747793449.2992.1466706297365@appsuite-dev.open-xchange.com> <39f44c88.AEEADyjI2VQAAAAAAAAAAAKUPdkAAAAAAAIAAAAAAAZosgBXcCVe@mailjet.com> Message-ID: <5770C86B.4090205@dovecot.fi> On 26.06.2016 21:56, Jeff Gamsby wrote: > On 2016-06-23 11:24, aki.tuomi at dovecot.fi wrote: >>> On June 23, 2016 at 9:06 PM Jeff Gamsby wrote: >>> >>> >>> I am running ISPConfig 3 on Debian and have managed to install the >>> dovecot-solr and dovecot-fts plugins. >>> >>> I have solr running undet tomcat at http://localhost:8880 but the >>> indexing is not working. >>> >>> I am using Dovecot 2.17 >>> >>> I do not understand namespaces and why fts_solr needs them, I just want >>> to index the entire users Maildir. 
>>>
>>> I am trying to index a user's mailbox but am getting the following
>>> error:
>>>
>>> (changed user name)
>>> doveadm fts rescan -u user at user.com inbox
>>> doveadm(user at user.com): Error: Namespace prefix not found: inbox
>>>
>>> running that in debug mode gives:
>>>
>>> doveadm(root): Debug: Loading modules from directory: /usr/lib/dovecot/modules
>>> doveadm(root): Debug: Module loaded: /usr/lib/dovecot/modules/lib20_fts_plugin.so
>>> doveadm(root): Debug: Module loaded: /usr/lib/dovecot/modules/lib21_fts_solr_plugin.so
>>> doveadm(root): Debug: Loading modules from directory: /usr/lib/dovecot/modules/doveadm
>>> doveadm(root): Debug: Skipping module doveadm_acl_plugin, because dlopen() failed: /usr/lib/dovecot/modules/doveadm/lib10_doveadm_acl_plugin.so: undefined symbol: acl_user_module (this is usually intentional, so just ignore this message)
>>> doveadm(root): Debug: Skipping module doveadm_expire_plugin, because dlopen() failed: /usr/lib/dovecot/modules/doveadm/lib10_doveadm_expire_plugin.so: undefined symbol: expire_set_deinit (this is usually intentional, so just ignore this message)
>>> doveadm(root): Debug: Skipping module doveadm_quota_plugin, because dlopen() failed: /usr/lib/dovecot/modules/doveadm/lib10_doveadm_quota_plugin.so: undefined symbol: quota_user_module (this is usually intentional, so just ignore this message)
>>> doveadm(root): Debug: Skipping module doveadm_zlib_plugin, because dlopen() failed: /usr/lib/dovecot/modules/doveadm/lib10_doveadm_zlib_plugin.so: undefined symbol: i_stream_create_deflate (this is usually intentional, so just ignore this message)
>>> doveadm(root): Debug: Module loaded: /usr/lib/dovecot/modules/doveadm/lib20_doveadm_fts_plugin.so
>>> doveadm(user at user.com): Debug: Added userdb setting: mail=maildir:/var/vmail/user.com/user/Maildir
>>> doveadm(user at user.com): Debug: Added userdb setting: plugin/quota_rule=*:storage=0B
>>> doveadm(user at user.com): Debug: Added userdb setting: plugin/sieve=/var/vmail/user.com/user/.sieve
>>> doveadm(user at user.com): Debug: Effective uid=5000, gid=5000, home=/var/vmail/user.com/user
>>> doveadm(user at user.com): Debug: Namespace inbox: type=private, prefix=, sep=, inbox=yes, hidden=no, list=yes, subscriptions=yes location=maildir:/var/vmail/user.com/user/Maildir
>>> doveadm(user at user.com): Debug: maildir++: root=/var/vmail/user.com/user/Maildir, index=, control=, inbox=/var/vmail/user.com/user/Maildir, alt=
>>> doveadm(user at user.com): Debug: fts: No fts setting - plugin disabled
>>> doveadm(user at user.com): Error: Namespace prefix not found: inbox
>>>
>>> in conf.d/10-mail.conf I have this namespace defined:
>>>
>>> namespace inbox {
>>> # Namespace type: private, shared or public
>>> #type = private
>>>
>>> # Hierarchy separator to use. You should use the same separator for all
>>> # namespaces or some clients get confused. '/' is usually a good one.
>>> # The default however depends on the underlying mail storage format.
>>> #separator =
>>>
>>> # Prefix required to access this namespace. This needs to be different for
>>> # all namespaces. For example "Public/".
>>> #prefix =
>>>
>>> # Physical location of the mailbox. This is in same format as
>>> # mail_location, which is also the default for it.
>>> #location =
>>>
>>> # There can be only one INBOX, and this setting defines which namespace
>>> # has it.
>>> inbox = yes
>>>
>>> # If namespace is hidden, it's not advertised to clients via NAMESPACE
>>> # extension. You'll most likely also want to set list=no. This is mostly
>>> # useful when converting from another server with different namespaces which
>>> # you want to deprecate but still keep working. For example you can create
>>> # hidden namespaces with prefixes "~/mail/", "~%u/mail/" and "mail/".
>>> #hidden = no
>>> protocol imap {
>>> plugin {
>>> fts = solr
>>> fts_solr = break-imap-search url=http://localhost:8880/solr/
>>> }
>>> }
>>> protocol pop3 {
>>> plugin {
>>> fts = solr
>>> fts_solr = break-imap-search url=http://localhost:8880/solr/
>>> }
>>>
>>> # Show the mailboxes under this namespace with LIST command. This makes the
>>> # namespace visible for clients that don't support NAMESPACE extension.
>>> # "children" value lists child mailboxes, but hides the namespace prefix.
>>> #list = yes
>>>
>>> # Namespace handles its own subscriptions. If set to "no", the parent
>>> # namespace handles them (empty prefix should always have this as "yes")
>>> #subscriptions = yes
>>> }
>>>
>>>
>>> I had to put this in dovecot.conf in order for the plugin to be
>>> enabled:
>>>
>>> mail_plugins = fts fts_solr
>>>
>>> solr is reachable at localhost:8880/solr and appears to be working.
>>>
>>> Please help, any suggestions are welcome
>>>
>>> Thanks
>>
>> Can you please send doveconf -n?
>> ---
>> Aki Tuomi
>
>
> I managed to get fts_solr working and now I can index mailboxes, but I
> am getting a solr error and cannot use the indexes that were created
>
> I get:
>
> Error: fts_solr: Lookup failed: Internal Server Error
>

You have checked SOLR logs right? That error I think is coming from the solr server, not dovecot.

Aki From aki.tuomi at dovecot.fi Mon Jun 27 06:35:46 2016 From: aki.tuomi at dovecot.fi (Aki Tuomi) Date: Mon, 27 Jun 2016 09:35:46 +0300 Subject: mail-search backtrace In-Reply-To: <576E15AE.5000302@dodo.com.au> References: <57094E96.7020501@dodo.com.au> <2D05C734-10E5-4F8E-B26C-39B981C18FBC@iki.fi> <5740B443.9070205@dodo.com.au> <576E15AE.5000302@dodo.com.au> Message-ID: <5770C942.4010001@dovecot.fi> On 25.06.2016 08:25, Hugh Bragg wrote: > > On 22/05/16 05:17, Hugh Bragg wrote: >> >> >> On 13/04/16 06:41, Timo Sirainen wrote: >>> On 09 Apr 2016, at 21:48, Hugh Bragg wrote: >>>> I'm repeatedly getting this error: >>>> >>>> Apr 07 04:37:27 imap(mymail at address): Panic: file mail-search.c: >>>> line 84 (mail_search_arg_init): assertion failed: >>>> (arg->initialized.keywords == NULL) >>>> Apr 07 04:37:27 imap(mymail at address): Error: Raw backtrace: >>>> /usr/lib64/dovecot/libdovecot.so.0(+0x827c2) [0x7fcb7f65e7c2] -> >>>> /usr/lib64/dovecot/libdovecot.so.0(+0x828ad) [0x7fcb7f65e8ad] -> >>>> /usr/lib64/dov >>>> ecot/libdovecot.so.0(i_fatal+0) [0x7fcb7f605b01] -> >>>> /usr/lib64/dovecot/libdovecot-storage.so.0(mail_search_arg_init+0x228) >>>> [0x7fcb7f91a328] -> >>>> /usr/lib64/dovecot/libdovecot-storage.so.0(index_search_result_updat >>>> e_flags+0x100) [0x7fcb7f98e470] -> >>>> /usr/lib64/dovecot/libdovecot-storage.so.0(index_sync_search_results_update+0x52) >>>> [0x7fcb7f9983e2] -> >>>> /usr/lib64/dovecot/libdovecot-storage.so.0(index_mailbox_sync_deinit+0x185 >>>> ) [0x7fcb7f998bb5] -> >>>> /usr/lib64/dovecot/libdovecot-storage.so.0(mailbox_sync_deinit+0x32) [0x7fcb7f921222] >>>> -> >>>> /usr/lib64/dovecot/lib20_virtual_plugin.so(virtual_storage_sync_init+0xab3) >>>> [0x7fcb7e9f7313] -> /usr >>> It's coming from virtual mailboxes. >>> >>>> namespace virtual { >>>> location = virtual:/var/mail/vhosts/%d/%n/virtual >>>> prefix = virtual. >>>> separator = . >>>> } >>> What do your dovecot-virtual files contain? 
I guess opening one of >>> those virtual mailboxes crashes always. Related to searching keywords. >> It still happens once in a while. It just won't expunge old messages >> from unseen. There is no other trace or log message. >> I was hoping to isolate the cause, but all I could only say for sure >> that it happens sometime after Dovecot first starts up and I have to >> restart to fix it. >> dovecot-virtual files look like this: >> # cat virtual/all/dovecot-virtual >> * >> all >> # cat virtual/Unseen/dovecot-virtual >> virtual.all >> inthread refs unseen >> >> >> A fresh trace: >> >> May 21 00:28:08 imap(x at y): Panic: file mail-search.c: line 84 >> (mail_search_arg_init): assertion failed: (arg->initialized.keywords >> == NULL) >> May 21 00:28:08 imap(x at y): Error: Raw backtrace: >> /usr/lib64/dovecot/libdovecot.so.0(+0x85c62) [0x7f4fd8915c62] -> >> /usr/lib64/dovecot/libdovecot.so.0(+0x85d4d) [0x7f4fd8915d4d] -> >> /usr/lib64/dov >> ecot/libdovecot.so.0(i_fatal+0) [0x7f4fd88ba5c1] -> >> /usr/lib64/dovecot/libdovecot-storage.so.0(mail_search_arg_init+0x228) [0x7f4fd8bd4b78] >> -> /usr/lib64/dovecot/libdovecot-storage.so.0(index_search_result_updat >> e_flags+0x100) [0x7f4fd8c49d00] -> >> /usr/lib64/dovecot/libdovecot-storage.so.0(index_sync_search_results_update+0x52) >> [0x7f4fd8c53ce2] -> >> /usr/lib64/dovecot/libdovecot-storage.so.0(index_mailbox_sync_deinit+0x185 >> ) [0x7f4fd8c544b5] -> >> /usr/lib64/dovecot/libdovecot-storage.so.0(mailbox_sync_deinit+0x32) >> [0x7f4fd8bdba82] -> >> /usr/lib64/dovecot/lib20_virtual_plugin.so(virtual_storage_sync_init+0x538) >> [0x7f4fd7caa428] -> /usr >> /lib64/dovecot/libdovecot-storage.so.0(mailbox_sync_init+0x3b) >> [0x7f4fd8bdb9fb] -> dovecot/imap(imap_sync_init+0x68) >> [0x56091d93b078] -> dovecot/imap(+0x1210e) [0x56091d92710e] -> >> dovecot/imap(+0x1234d) [0x56091 >> d92734d] -> >> /usr/lib64/dovecot/libdovecot.so.0(io_loop_handle_timeouts+0xea) >> [0x7f4fd892984a] -> >> 
/usr/lib64/dovecot/libdovecot.so.0(io_loop_handler_run_internal+0xbb) >> [0x7f4fd892ae4b] -> /usr/lib64/dovecot/libdo >> vecot.so.0(io_loop_handler_run+0x25) [0x7f4fd8929a75] -> >> /usr/lib64/dovecot/libdovecot.so.0(io_loop_run+0x38) [0x7f4fd8929c18] >> -> /usr/lib64/dovecot/libdovecot.so.0(master_service_run+0x13) >> [0x7f4fd88c0123] -> d >> ovecot/imap(main+0x328) [0x56091d922a98] -> >> /lib64/libc.so.6(__libc_start_main+0xf0) [0x7f4fd84ef580] -> >> dovecot/imap(_start+0x29) [0x56091d922c19] > > Still no clue on this even with debug set on. It's become so bad I > need to restart it or new mail is no longer reported after a few days > when the unseen has dozens of read mails. > I've no idea why it would need the keyword when I haven't done a > search but I suppose the virtual plugin works by using the > mail-search. Still, this shouldn't cause an error even if it is null. > I'm suppose it could be caused by the number of emails being so great. > Perhaps something is corrupt but as given, my dovecot-virtual files > are as recommended by the plugin doco and nothing else seems amiss. If > there is a corrupt mail or something then I don't know how to trace it. > > Anything anyone? 
> > > A fresh trace : > Jun 25 15:10:30 imap(x at y.z): Panic: file mail-search.c: line 84 > (mail_search_arg_init): assertion failed: (arg->initialized.keywords > == NULL) > Jun 25 15:10:30 imap(x at y.z): Error: Raw backtrace: > /usr/lib64/dovecot/libdovecot.so.0(+0x87102) [0x7fcb73696102] -> > /usr/lib64/dovecot/libdovecot.so.0(+0x871ed) [0x7fcb736961ed] -> > /usr/lib64/dovecot/libdovecot.so.0(i_fatal+0) [0x7fcb736399e1] -> > /usr/lib64/dovecot/libdovecot-storage.so.0(mail_search_arg_init+0x228) > [0x7fcb73955cc8] -> > /usr/lib64/dovecot/libdovecot-storage.so.0(index_search_result_update_flags+0x100) > [0x7fcb739cb3f0] -> > /usr/lib64/dovecot/libdovecot-storage.so.0(index_sync_search_results_update+0x52) > [0x7fcb739d5392] -> > /usr/lib64/dovecot/libdovecot-storage.so.0(index_mailbox_sync_deinit+0x185) > [0x7fcb739d5b65] -> > /usr/lib64/dovecot/libdovecot-storage.so.0(mailbox_sync_deinit+0x32) > [0x7fcb7395cbd2] -> > /usr/lib64/dovecot/lib20_virtual_plugin.so(virtual_storage_sync_init+0x538) > [0x7fcb72e434f8] -> > /usr/lib64/dovecot/libdovecot-storage.so.0(mailbox_sync_init+0x3b) > [0x7fcb7395cb4b] -> dovecot/imap(imap_sync_init+0x68) [0x55cfd865d0f8] > -> dovecot/imap(+0x1217e) [0x55cfd864917e] -> dovecot/imap(+0x123bd) > [0x55cfd86493bd] -> > /usr/lib64/dovecot/libdovecot.so.0(io_loop_handle_timeouts+0xea) > [0x7fcb736a9dba] -> > /usr/lib64/dovecot/libdovecot.so.0(io_loop_handler_run_internal+0xbb) > [0x7fcb736ab3bb] -> > /usr/lib64/dovecot/libdovecot.so.0(io_loop_handler_run+0x25) > [0x7fcb736a9fe5] -> > /usr/lib64/dovecot/libdovecot.so.0(io_loop_run+0x38) [0x7fcb736aa188] > -> /usr/lib64/dovecot/libdovecot.so.0(master_service_run+0x13) > [0x7fcb7363fea3] -> dovecot/imap(main+0x328) [0x55cfd8644b08] -> > /lib64/libc.so.6(__libc_start_main+0xf0) [0x7fcb7326e580] -> > dovecot/imap(_start+0x29) [0x55cfd8644c89] Hi! Thank you for your report, we'll look into it. 
---
Aki Tuomi
Dovecot oy

From mfoley at ohprs.org Mon Jun 27 06:45:21 2016
From: mfoley at ohprs.org (Mark Foley)
Date: Mon, 27 Jun 2016 02:45:21 -0400
Subject: Looking for NTLM config example
In-Reply-To: <1091380044.5867.1466942884603@appsuite-dev.open-xchange.com>
References: <201604220607.u3M67ODM006995@mail.hprs.local> <201606251643.u5PGh6ZI004436@mail.hprs.local> <1091380044.5867.1466942884603@appsuite-dev.open-xchange.com>
Message-ID: <201606270645.u5R6jLqW023623@mail.hprs.local>

While continuing to test gssapi, I thought I'd check out your suggestion on NTLM v1. I did set Thunderbird to NTLM v1 and modified the Dovecot config:

auth_debug_passwords = yes
auth_mechanisms = plain login ntlm
auth_use_winbind = yes
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
protocols = imap
ssl_cert = , rip=192.168.0.54, lip=192.168.0.2, session=
Jun 27 02:34:58 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 8 secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, session=
Jun 27 02:34:58 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Jun 27 02:34:58 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges

This looks quite similar to the output I got with the gssapi test. It seems there is nothing I can do to get AD authentication working with Dovecot.

Do you (or anyone) have any ideas? What does "disconnected before auth was ready" mean?

Has anyone on Planet Earth actually used either NTLM or GSSAPI successfully with Dovecot? Please speak up! Let me know you exist!

--Mark

-----Original Message-----
> Date: Sun, 26 Jun 2016 15:08:03 +0300 (EEST)
> From: aki.tuomi at dovecot.fi
> To: dovecot at dovecot.org, Mark Foley
> Subject: Re: Looking for NTLM config example
>
> Also it seems we lack support for NTLMv2. If you want to use NTLM you need to permit use of NTLM(v1), which is usually not enabled by default.
>
> Aki
>
> > On June 25, 2016 at 7:43 PM Mark Foley wrote:
> >
> >
> > I've asked this several times over the past year with essentially zero responses. I'll keep it simple:
> >
> > Does NTLM authentication work in Dovecot?
> >
> > I'll post this one last time. If I still have no responses I'll have to conclude that no one
> > has actually tried this authentication method and it therefore does not work.
> >
> > Thanks, --Mark
> >
> > -----Original Message-----
> > From: Mark Foley
> > Date: Fri, 22 Apr 2016 02:07:24 -0400
> > Organization: Ohio Highway Patrol Retirement System
> > To: dovecot at dovecot.org
> > Subject: Looking for NTLM config example
> >
> > > Now that I am running Thunderbird on Linux and away from Windows/Outlook, I'd like to take
> > > another run at setting up NTLM authentication from Thunderbird to my Samba4 AC/DC.
> > >
> > > With the help of the samba maillist folks I was able to set up NTLM authentication for domain
> > > user login. I should be able to do the same for email!
> > >
> > > But, I need help. I went to http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and got
> > > lost immediately. Are "authentication submethods" synonymous with "password schemes"? The 7th
> > > line down says, "NTLM password scheme is required for NTLM, NTLM2 and NTLMv2.", but in the
> > > referenced link I found no reference to "NTLM password scheme".
> > >
> > > The links http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and
> > > http://wiki2.dovecot.org/Authentication/PasswordSchemes, tell you what the 4 NTLM
> > > authentication submethods are, tells you what password schemes are, tells you what the NTLM
> > > client/server handshake is, but doesn't actually tell you how to configure dovecot config
> > > files. I'm much more interested in the "how to" than in: "NTLMv2: server and client nonce,
> > > MITM can't force downgrade" ... whatever that means.
> > >
> > > Anyway, probably it's my lack of understanding terminology. I don't even know what a "nonce"
> > > is. But, I learn well from examples! Can someone please give me a sample 10-auth.conf for NTLM
> > > and any other supporting settings or configs I need?
> > >
> > > My current/working dovecot settings, which have been running perfectly for well over a year
> > > now, are:
> > >
> > > $ dovecot -n
> > > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> > > # OS: Linux 3.10.17 x86_64 Slackware 14.1
> > > auth_debug_passwords = yes
> > > auth_mechanisms = plain login
> > > auth_verbose = yes
> > > auth_verbose_passwords = plain
> > > disable_plaintext_auth = no
> > > info_log_path = /var/log/dovecot_info
> > > mail_location = maildir:~/Maildir
> > > passdb {
> > >   driver = shadow
> > > }
> > > protocols = imap
> > > ssl_cert =
> > > ssl_key =
> > > userdb {
> > >   driver = passwd
> > > }
> > > verbose_ssl = yes
> > >
> > >
> > > Here's what I've tried so far as 10-auth.conf:
> > >
> > > disable_plaintext_auth = no
> > > auth_use_winbind = yes
> > > info_log_path = /var/log/dovecot_info
> > > auth_verbose = yes
> > > auth_debug_passwords = yes
> > > auth_verbose_passwords= plain
> > > auth_winbind_helper_path = /usr/bin/ntlm_auth
> > >
> > > auth_mechanisms = ntlm plain login
> > >
> > > userdb {
> > >   driver = passwd
> > >   args = username_format=%n allow_all_users=yes
> > >
> > > }
> > >
> > >
> > > Which gives me a dovecot -n of:
> > >
> > > $ dovecot -n
> > > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> > > # OS: Linux 3.10.17 x86_64 Slackware 14.1
> > > auth_debug_passwords = yes
> > > auth_mechanisms = ntlm plain login
> > > auth_use_winbind = yes
> > > auth_verbose = yes
> > > auth_verbose_passwords = plain
> > > disable_plaintext_auth = no
> > > info_log_path = /var/log/dovecot_info
> > > mail_location = maildir:~/Maildir
> > > protocols = imap
> > > ssl_cert =
> > > ssl_key =
> > > userdb {
> > >   args = username_format=%n allow_all_users=yes
> > >   driver = passwd
> > > }
> > > verbose_ssl = yes
> > >
> > >
> > > I configured Thunderbird for NTLM authentication, then tried sending a message, I got the
> > > following in /var/log/dovecot_info:
> > >
> > > Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> > > Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> > > Apr 22 01:37:57 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
> > > Apr 22 01:37:57 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, session=
> > >
> > >
> > > On Thunderbird I got the error, "Sending of the message failed. The Outgoing server (SMTP)
> > > my.server.name does not support the selected authentication method. Please change the
> > > 'Authentication method' in 'Account Settings | Outgoing Server (SMTP)'."
> > >
> > > Clearly, something is configured wrong, but I've no clue what.
> > >
> > > Can I get some advice?
> > > > > > THX --Mark
> > --- > Aki Tuomi From mfoley at ohprs.org Mon Jun 27 06:58:26 2016 From: mfoley at ohprs.org (Mark Foley) Date: Mon, 27 Jun 2016 02:58:26 -0400 Subject: Looking for GSSAPI config [was: Looking for NTLM config example] In-Reply-To: <5770C54E.50102@dovecot.fi> References: <201604220607.u3M67ODM006995@mail.hprs.local> <201606251643.u5PGh6ZI004436@mail.hprs.local> <10036776.5864.1466938851255@appsuite-dev.open-xchange.com> <201606270431.u5R4VEfP004658@mail.hprs.local> <5770C54E.50102@dovecot.fi> Message-ID: <201606270658.u5R6wQ7a028643@mail.hprs.local> Aki, again, thanks A LOT for your reply. Concerning your checklist: > 1. Functional AD or Kerberos environment Check! > 2. Time synced against your KDC (which is your Domain Controller on Windows) Check! (needed for AD/DC anyway) > 3. /etc/krb5.conf configured NO > 4. Both forward / reverse DNS names correct for clients and servers. > Reverse is only mandatory for servers, but having them right will work > wonders. Most kerberos problems are about DNS problems. Check! > 5. You need a keytab. This keytab needs to hold entries like > IMAP/your.host.name at REALM and IMAP/$HOSTNAME at REALM. You can generate > these on any Windows DC server (at least). NO So, I'm apparently lacking in the kerberos stuff. Here's the problem -- Samba4 uses Heimdal Kerberos and when I provisioned my domain apparently none of these needed kerberos files were set up. I can, however, kerberos authenticate from domain workstations both WIN7 and Linux. I will (and have already) contacted the Samba list to see what needs to be done. I'll post back what I find. Maybe I can finally get to the bottom of this problem. Thanks again -- Mark -----Original Message---- > Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example] > To: dovecot at dovecot.org > From: Aki Tuomi > Organization: Dovecot Oy > Date: Mon, 27 Jun 2016 09:18:54 +0300 > > On 27.06.2016 07:31, Mark Foley wrote: > > Thanks for the reply.
When you say it [NTLM] "should" work, I understand you to be implying > > you've not actually tried NTLM yourself, right? I've never gotten a response from someone > > saying they have or are actually using it. Your subsequent messages about NTLM v[1|2] may be > > the problem, but email clients I've tried (Outlook, Thunderbird) don't really give a choice. > > > > That's OK, I'd be glad to try something different that would work!!! I am trying your advice > > for gssapi. I've followed the instructions at > > http://wiki2.dovecot.org/Authentication/Kerberos. In my 10-auth.conf I changed the > > auth_mechanism line to: > > > > auth_mechanisms = plain login gssapi > > > > Which is only different from before with the addition of "gssapi". That's all I've done. I'm > > using the same userdb as before which is /etc/passwd. My doveconf -n is: > > > > ----------SNIP------------ > >> doveconf -n > > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf > > # OS: Linux 3.10.17 x86_64 Slackware 14.1 > > auth_debug_passwords = yes > > auth_mechanisms = plain login gssapi > > auth_verbose = yes > > auth_verbose_passwords = plain > > disable_plaintext_auth = no > > info_log_path = /var/log/dovecot_info > > mail_location = maildir:~/Maildir > > passdb { > > driver = shadow > > } > > protocols = imap > > ssl_cert = > ssl_key = > userdb { > > driver = passwd > > } > > verbose_ssl = yes > > ------------PINS------------- > > > > I attempted to connect from Thunderbird on Ubuntu 15.10 to Dovecot on a Slackware 14.1 AD/DC. I > > selected "Kerberos/GSSAPI" as the authentication method on Tbird. 
When trying the connection I > > got the following in my Dovecot log: > > > > Jun 27 00:04:54 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges > > Jun 27 00:04:54 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges > > Jun 27 00:04:54 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth > > Jun 27 00:04:54 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth > > Jun 27 00:04:54 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.168.0.99, lip=98.102.63.107, session= > > > > So, any idea why this is not working? I'll say up-front that I do not have the auth_krb5_keytab > > configured in 10-auth.conf. I could find no such file on the host running Dovecot. Is that file > > needed? If so, I've got a message in to the Samba4 folks asking where it is located. > > > > I'm also using Dovecot 2.2.15. Too old? > > > > Do you think auth_krb5_keytab is my problem or something deeper? > > > > THX --Mark > > > > You need to set up keytab. I'll assume you know nothing about kerberos, > so please if you already knew all this, sorry. > > For kerberos to work PROPERLY you need to have > > 1. Functional AD or Kerberos environment > 2. Time synced against your KDC (which is your Domain Controller on Windows) > 3. /etc/krb5.conf configured > 4. Both forward / reverse DNS names correct for clients and servers. > Reverse is only mandatory for servers, but having them right will work > wonders. Most kerberos problems are about DNS problems. > 5. You need a keytab. This keytab needs to hold entries like > IMAP/your.host.name at REALM and IMAP/$HOSTNAME at REALM. You can generate > these on any Windows DC server (at least). > > Only bullet 5. is about Dovecot really, but since this is usually rather > hard to gather information, I'll recap these things here: > > 2. 
Time sync > > Install ntpd and configure it to use *your* *ad* *server*. (Not some > generic service). > > 3. /etc/krb5.conf > > Here is a *SAMPLE* configuration: > > [libdefaults] > default_realm = YOUR.REALM > dns_lookup_kdc = true > krb4_config = /etc/krb.conf > krb4_realms = /etc/krb.realms > kdc_timesync = 1 > ccache_type = 4 > forwardable = true > proxiable = true > fcc-mit-ticketflags = true > > [realms] > YOUR.REALM = { > default_domain = your.domain.name > auth_to_local_names = { > Administrator = root > } > } > [domain_realm] > your.domain.name = YOUR.REALM > # this is not a mistake > .your.domain.name = YOUR.REALM > [login] > krb4_convert = true > krb4_get_tickets = false > > Note that some windows environments require additional configuration to > get this working. > > 4. Forward/reverse DNS. > > For your *server* this is *absolutely* must. It has to match for your > clients and your server. So if your server name is mail.example.org, and > it has IP 10.0.2.3, then 10.0.2.3 MUST resolve to mail.example.org. It > will give you strange and convoluted errors otherwise. > > 5. Keytab > > This is bit tricky to generate, and there are various ways to do this. > You can install samba, join it to your domain and use the samba tools to > generate a keytab. It's not a bad idea, just remember to add the > required spn's (service principal names) to the machine account. setspn > -q is helpful here, also setspn command in general. > > You can use either system keytab file (/etc/krb5.keytab), or you can put > the dovecot specific (mainly IMAP/something) into dedicated keytab for > the service. Either way you need to tell dovecot about it with > auth_krb5_keytab setting. > > You should have at least following entries in your keytab file. You can > see them with klist -k /path/to/keytab. The KVNO can be different. 
>
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    3 host/mail.example.org@EXAMPLE.ORG
>    3 host/mail.example.org@EXAMPLE.ORG
>    3 host/mail.example.org@EXAMPLE.ORG
>    3 host/mail.example.org@EXAMPLE.ORG
>    3 host/mail.example.org@EXAMPLE.ORG
>    3 IMAP/mail.example.org@EXAMPLE.ORG
>    3 host/MAIL@EXAMPLE.ORG
>    3 host/MAIL@EXAMPLE.ORG
>    3 host/MAIL@EXAMPLE.ORG
>    3 host/MAIL@EXAMPLE.ORG
>    3 host/MAIL@EXAMPLE.ORG
>    3 IMAP/MAIL@EXAMPLE.ORG
>    3 MAIL$@EXAMPLE.ORG
>    3 MAIL$@EXAMPLE.ORG
>    3 MAIL$@EXAMPLE.ORG
>    3 MAIL$@EXAMPLE.ORG
>    3 MAIL$@EXAMPLE.ORG
>
> This will at least get you somewhere. Kerberos is notoriously hard to
> debug, but it usually is about
>
> a) DNS
> b) Keytab
> c) Mismatch of some name somewhere
> d) Encryption type support
>
> Also, note that kerberos can only act as AUTHENTICATION system. It
> cannot act as USER DATABASE. For that you need to configure LDAP or
> something else. With Active Directory LDAP is probably a damn good idea.
>
> If you want to try with something else first, which I recommend for the
> server in any case, is to see if you can get sssd working with Kerberos
> and LDAP. If you get that working, it's not very difficult anymore to
> get Dovecot running with it.
>
> ----
> Aki Tuomi
> Dovecot oy

From dovecot-ml at makomi.de Mon Jun 27 09:11:46 2016
From: dovecot-ml at makomi.de (M. Koehler)
Date: Mon, 27 Jun 2016 11:11:46 +0200
Subject: fts_solr crashs
Message-ID:

Hi,

I've set up in dovecot 2.2.24-1~auto+49 (from dovecot repo) fts_solr and fts_tika - jetti8 (from Debian Jessie) and latest tika-server running on a separate machine.
But if I want to rescan all messages for reindexing for instance all attachments with "doveadm -v index -u user at domain.tld INBOX" with 3137 mail in the INBOX it counts and then by 2900 mails the doveadm crashes with the following error message:

doveadm(user at domain.tld): Info: INBOX: Caching mails seq=1..3137
2900/3137doveadm(user at domain.tld): Error: fts_solr: Indexing failed: 500 Java heap space java.lang.OutOfMemoryError: Java heap space
doveadm(user at domain.tld): Panic: file http-client-request.c: line 769 (http_client_request_send_payload): assertion failed: (ret == 0)
doveadm(user at domain.tld): Error: Raw backtrace: /usr/lib/dovecot/libdovecot.so.0(+0x8dc1e) [0x7f269375ec1e] -> /usr/lib/dovecot/libdovecot.so.0(+0x8dc98) [0x7f269375ec98] -> /usr/lib/dovecot/libdovecot.so.0(i_fatal+0) [0x7f26936fd02e] -> /usr/lib/dovecot/libdovecot.so.0(http_client_request_send_payload+0xc8) [0x7f2693716b88] -> /usr/lib/dovecot/modules/lib21_fts_solr_plugin.so(solr_connection_post_more+0x49) [0x7f2691c538b9] -> /usr/lib/dovecot/modules/lib21_fts_solr_plugin.so(+0x361e) [0x7f2691c4f61e] -> /usr/lib/dovecot/modules/lib20_fts_plugin.so(+0x9a17) [0x7f2692ad5a17] -> /usr/lib/dovecot/modules/lib20_fts_plugin.so(+0x9e20) [0x7f2692ad5e20] -> /usr/lib/dovecot/modules/lib20_fts_plugin.so(fts_build_mail+0x999) [0x7f2692ad6809] -> /usr/lib/dovecot/modules/lib20_fts_plugin.so(+0x1056e) [0x7f2692adc56e] -> /usr/lib/dovecot/libdovecot-storage.so.0(mail_precache+0x29) [0x7f2693a1f7b9] -> doveadm(+0x2e947) [0x7f26943be947] -> doveadm(+0x28daf) [0x7f26943b8daf] -> doveadm(+0x2989d) [0x7f26943b989d] -> doveadm(doveadm_cmd_ver2_to_mail_cmd_wrapper+0x278) [0x7f26943ba788] -> doveadm(doveadm_cmd_run_ver2+0x560) [0x7f26943c8c70] -> doveadm(doveadm_cmd_try_run_ver2+0x37) [0x7f26943c8cc7] -> doveadm(main+0x1df) [0x7f26943aa33f] -> /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5) [0x7f2693347b45] -> doveadm(+0x1a716) [0x7f26943aa716]

I don't see any shortages on the separate solr
machine. What could I do? How do I get more details to locate the problem?!

Thanks a lot and regards,

Michael

From aki.tuomi at dovecot.fi Mon Jun 27 09:14:19 2016
From: aki.tuomi at dovecot.fi (Aki Tuomi)
Date: Mon, 27 Jun 2016 12:14:19 +0300
Subject: fts_solr crashs
In-Reply-To:
References:
Message-ID: <5770EE6B.7020304@dovecot.fi>

On 27.06.2016 12:11, M. Koehler wrote:
> Hi,
>
> I've set up in dovecot 2.2.24-1~auto+49 (from dovecot repo) fts_solr
> and fts_tika - jetti8 (from Debian Jessie) and latest tika-server
> running on a separate machine. But if I want to rescan all messages
> for reindexing for instance all attachments with "doveadm -v index -u
> user at domain.tld INBOX" with 3137 mail in the INBOX it counts and then
> by 2900 mails the doveadm crashes with the following error message:
>
> doveadm(user at domain.tld): Info: INBOX: Caching mails seq=1..3137
> 2900/3137doveadm(user at domain.tld): Error: fts_solr: Indexing failed:
> 500 Java heap space java.lang.OutOfMemoryError: Java heap space
> doveadm(user at domain.tld): Panic: file http-client-request.c: line 769
> (http_client_request_send_payload): assertion failed: (ret == 0)
> doveadm(user at domain.tld): Error: Raw backtrace:
> /usr/lib/dovecot/libdovecot.so.0(+0x8dc1e) [0x7f269375ec1e] ->
> /usr/lib/dovecot/libdovecot.so.0(+0x8dc98) [0x7f269375ec98] ->
> /usr/lib/dovecot/libdovecot.so.0(i_fatal+0) [0x7f26936fd02e] ->
> /usr/lib/dovecot/libdovecot.so.0(http_client_request_send_payload+0xc8) [0x7f2693716b88]
> ->
> /usr/lib/dovecot/modules/lib21_fts_solr_plugin.so(solr_connection_post_more+0x49)
> [0x7f2691c538b9] ->
> /usr/lib/dovecot/modules/lib21_fts_solr_plugin.so(+0x361e)
> [0x7f2691c4f61e] ->
> /usr/lib/dovecot/modules/lib20_fts_plugin.so(+0x9a17) [0x7f2692ad5a17]
> -> /usr/lib/dovecot/modules/lib20_fts_plugin.so(+0x9e20)
> [0x7f2692ad5e20] ->
> /usr/lib/dovecot/modules/lib20_fts_plugin.so(fts_build_mail+0x999)
> [0x7f2692ad6809] ->
> /usr/lib/dovecot/modules/lib20_fts_plugin.so(+0x1056e)
> [0x7f2692adc56e] ->
> /usr/lib/dovecot/libdovecot-storage.so.0(mail_precache+0x29)
> [0x7f2693a1f7b9] -> doveadm(+0x2e947) [0x7f26943be947] ->
> doveadm(+0x28daf) [0x7f26943b8daf] -> doveadm(+0x2989d)
> [0x7f26943b989d] ->
> doveadm(doveadm_cmd_ver2_to_mail_cmd_wrapper+0x278) [0x7f26943ba788]
> -> doveadm(doveadm_cmd_run_ver2+0x560) [0x7f26943c8c70] ->
> doveadm(doveadm_cmd_try_run_ver2+0x37) [0x7f26943c8cc7] ->
> doveadm(main+0x1df) [0x7f26943aa33f] ->
> /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5)
> [0x7f2693347b45] -> doveadm(+0x1a716) [0x7f26943aa716]
>
> I don't see any shortages on the separate solr machine. What could I
> do? How do I get more details to locate the problem?!
>
> Thanks a lot and regards,
>
> Michael

Well. Your server reports:

2900/3137doveadm(user at domain.tld): Error: fts_solr: Indexing failed: 500 Java heap space java.lang.OutOfMemoryError: Java heap space

So I guess this is your problem?

The dovecot crash is due to assertion failure, which happens because the request failed.

Aki

From dovecot-ml at makomi.de Mon Jun 27 10:38:01 2016
From: dovecot-ml at makomi.de (M. Koehler)
Date: Mon, 27 Jun 2016 12:38:01 +0200
Subject: fts_solr crashs
In-Reply-To: <5770EE6B.7020304@dovecot.fi>
References: <5770EE6B.7020304@dovecot.fi>
Message-ID:

Hi Aki,

On 27.06.2016 at 11:14, Aki Tuomi wrote:
> On 27.06.2016 12:11, M. Koehler wrote:
>> I've set up in dovecot 2.2.24-1~auto+49 (from dovecot repo) fts_solr
>> and fts_tika - jetti8 (from Debian Jessie) and latest tika-server
>> running on a separate machine.
>> But if I want to rescan all messages
>> for reindexing for instance all attachments with "doveadm -v index -u
>> user at domain.tld INBOX" with 3137 mail in the INBOX it counts and then
>> by 2900 mails the doveadm crashes with the following error message:
>>
>> doveadm(user at domain.tld): Info: INBOX: Caching mails seq=1..3137
>> 2900/3137doveadm(user at domain.tld): Error: fts_solr: Indexing failed:
>> 500 Java heap space java.lang.OutOfMemoryError: Java heap space
>> doveadm(user at domain.tld): Panic: file http-client-request.c: line 769
>> (http_client_request_send_payload): assertion failed: (ret == 0)
>> doveadm(user at domain.tld): Error: Raw backtrace:
>> /usr/lib/dovecot/libdovecot.so.0(+0x8dc1e) [0x7f269375ec1e] ->
>> /usr/lib/dovecot/libdovecot.so.0(+0x8dc98) [0x7f269375ec98] ->
>> /usr/lib/dovecot/libdovecot.so.0(i_fatal+0) [0x7f26936fd02e] ->
>> /usr/lib/dovecot/libdovecot.so.0(http_client_request_send_payload+0xc8) [0x7f2693716b88]
>> ->
>> /usr/lib/dovecot/modules/lib21_fts_solr_plugin.so(solr_connection_post_more+0x49)
>> [0x7f2691c538b9] ->
>> /usr/lib/dovecot/modules/lib21_fts_solr_plugin.so(+0x361e)
>> [0x7f2691c4f61e] ->
>> /usr/lib/dovecot/modules/lib20_fts_plugin.so(+0x9a17) [0x7f2692ad5a17]
>> -> /usr/lib/dovecot/modules/lib20_fts_plugin.so(+0x9e20)
>> [0x7f2692ad5e20] ->
>> /usr/lib/dovecot/modules/lib20_fts_plugin.so(fts_build_mail+0x999)
>> [0x7f2692ad6809] ->
>> /usr/lib/dovecot/modules/lib20_fts_plugin.so(+0x1056e)
>> [0x7f2692adc56e] ->
>> /usr/lib/dovecot/libdovecot-storage.so.0(mail_precache+0x29)
>> [0x7f2693a1f7b9] -> doveadm(+0x2e947) [0x7f26943be947] ->
>> doveadm(+0x28daf) [0x7f26943b8daf] -> doveadm(+0x2989d)
>> [0x7f26943b989d] ->
>> doveadm(doveadm_cmd_ver2_to_mail_cmd_wrapper+0x278) [0x7f26943ba788]
>> -> doveadm(doveadm_cmd_run_ver2+0x560) [0x7f26943c8c70] ->
>> doveadm(doveadm_cmd_try_run_ver2+0x37) [0x7f26943c8cc7] ->
>> doveadm(main+0x1df) [0x7f26943aa33f] ->
>> /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5)
>> [0x7f2693347b45] -> doveadm(+0x1a716) [0x7f26943aa716]
>>
>> I don't see any shortages on the separate solr machine. What could I
>> do? How do I get more details to locate the problem?!
> Well. Your server reports:
>
> 2900/3137doveadm(user at domain.tld): Error: fts_solr: Indexing failed: 500
> Java heap space java.lang.OutOfMemoryError: Java heap space
>
> So I guess this is your problem?
>
> The dovecot crash is due to assertion failure, which happens because the
> request failed.

Well, that's right - I've checked it with the solr server but I can't imagine what the problem is. I increase the java heap memory from 256MB to 2GB but it crashes already by 2900 messages. Will Dovecot forward message by message to solr server or "as a block"? And how could I find out which message maybe caused the problem? I've checked the INBOX and the biggest mail got 48MB as an attachment.

Best regards,

Michael

From miloslav.hula at gmail.com Mon Jun 27 12:12:12 2016
From: miloslav.hula at gmail.com (Miloslav Hůla)
Date: Mon, 27 Jun 2016 14:12:12 +0200
Subject: Mailboxes on NFS or iSCSI
In-Reply-To: <65191e0f-99ba-d2a2-6ba9-2e1854f059fa@filmakademie.de>
References: <65191e0f-99ba-d2a2-6ba9-2e1854f059fa@filmakademie.de>
Message-ID: <83a611f7-e65f-9bc5-6723-10466018f1d1@gmail.com>

Hi,

thank you both for hints. I'm still not sure what to choose, so I'll probably test it on some dev installation.

Kind regards, Milo

On 23.06.2016 at 8:05, Götz Reinicke - IT Koordinator wrote:
> Hi,
>
> On 22.06.16 at 16:40, Miloslav Hůla wrote:
>> Hello,
>>
>> we are running Dovecot (2.2.13-12~deb8u1) on Debian stable. Configured
>> with Mailbox++, IMAP, POP3, LMTPD, Managesieved, ACL. Mailboxes are on
>> local 1.2TB RAID, it's about 5310 accounts.
>>
>> We are slowly getting out of space and we are considering to move
>> Mailboxes onto Netapp disk array with two independent network
>> connections.
>>
>> Are there some pitfalls?
>> Not sure we should use NTP or iSCSI mounts
>> (both open implementations are not so shiny).
>>
>> Thanks for sharing any experiences.
>
> have a look at my question and the answers from the yesterday posting
> "Storage upgrade maildir suggestions". May be they help you too.
>
> Regards . Götz
>
>
>

From miloslav.hula at gmail.com Mon Jun 27 12:21:22 2016
From: miloslav.hula at gmail.com (Miloslav Hůla)
Date: Mon, 27 Jun 2016 14:21:22 +0200
Subject: Where Dovecot stores subscribtions for shared folder
Message-ID: <77df4ed7-8ef7-3d14-ccbf-589889e772ea@gmail.com>

Hi,

could please someone hint me, where Dovecot stores subscriptions for shared folder?

Our configuration:

namespace {
  disabled = no
  hidden = no
  ignore_on_failure = no
  inbox = no
  list = children
  location = maildir:/vmail/user/%%n/Maildir:INDEXPVT=/vmail/user/%n/Maildir/Shared/%%n
  prefix = user.%%n.
  separator = .
  subscriptions = yes
  type = shared
}

When I subscribe to 'user.test', I'll get ~Maildir/Shared/test/.INBOX/dovecot.index.pvt.log in it.

When I unsubscribe from 'user.test', file stays there and its hash is the same.

Kind regards, Milo

From apm at one.com Mon Jun 27 12:46:07 2016
From: apm at one.com (Peter Mogensen)
Date: Mon, 27 Jun 2016 14:46:07 +0200
Subject: Suggestion: Split login_trusted_networks
Message-ID: <5771200F.30102@one.com>

Hi,

For the upcoming 2.3 development, I'd like to re-suggest this:

It seems the use of login_trusted_networks is overloaded.

Example:
* It's used for indicating which hosts you trust to provide XCLIENT remote IP's. (like a proxy)
* It's used for indicating from which hosts you trust logins enough to disable auth penalty. (like in a webmail)

Often these two use cases have a different set of hosts. So you can't have one set of hosts which you trust for XCLIENT and another set of hosts you trust for not being the origin of brute force attacks.

/Peter

From zedd at list.ru Mon Jun 27 13:11:15 2016
From: zedd at list.ru (Николай Мананков)
Date: Mon, 27 Jun 2016 16:11:15 +0300
Subject: External mail attachments storage cleanup
Message-ID: <1467033075.442360294@f328.i.mail.ru>

Hi,

I have set up mdbox backend with saving mail attachments to external files option. Dovecot stores attachments to external files but never deletes them. Why?

From mhlavink at redhat.com Mon Jun 27 15:30:03 2016
From: mhlavink at redhat.com (Michal Hlavinka)
Date: Mon, 27 Jun 2016 17:30:03 +0200
Subject: doveadm purge -A includes users with gid outside of limits and then reports error
Message-ID: <21004e0d-3681-2573-056b-83b2aed16628@redhat.com>

Hi,

one of our users reported that when he runs "doveadm purge -A" it goes through users that don't have gid in the first_valid_gid-last_valid_gid range and it reports error.

For example:
doveadm(dovenull): Error: user dovenull: Mail access for users with GID 996 not permitted (see first_valid_gid in config file, gid from userdb lookup).
doveadm(dovenull): Error: User init failed

auth/userdb-passwd.c : passwd_iterate_want_pw(...) has checks for UID range, but does not have checks for GID range. Is there any reason for this? We've added those checks (see attached patch) and all seems fine.

Cheers,
Michal Hlavinka

-------------- next part --------------
A non-text attachment was scrubbed...
Name: dovecot-2.2.24-gidlimit.patch
Type: text/x-patch
Size: 1959 bytes
Desc: not available
URL:

From tom at talpey.com Mon Jun 27 17:00:15 2016
From: tom at talpey.com (Tom Talpey)
Date: Mon, 27 Jun 2016 13:00:15 -0400
Subject: Looking for NTLM config example
In-Reply-To: <201606270645.u5R6jLqW023623@mail.hprs.local>
References: <201604220607.u3M67ODM006995@mail.hprs.local> <201606251643.u5PGh6ZI004436@mail.hprs.local> <1091380044.5867.1466942884603@appsuite-dev.open-xchange.com> <201606270645.u5R6jLqW023623@mail.hprs.local>
Message-ID:

On 6/27/2016 2:45 AM, Mark Foley wrote:
> While continuing to test gssapi, I thought I check out your suggestion on NTLM v1. I did set
> Thunderbird to NTLM v1 ...

You are aware, I hope, that NTLM v1 is well over 20 years old and is trivially compromised today. Basically, it's about as secure as sending plaintext passwords. Since you're supporting SSL on your Dovecot server, why not require it, and not bother with NTLM auth?

From gregs at sloop.net Mon Jun 27 17:50:32 2016
From: gregs at sloop.net (Gregory Sloop)
Date: Mon, 27 Jun 2016 10:50:32 -0700
Subject: Looking for NTLM config example
In-Reply-To:
References: <201604220607.u3M67ODM006995@mail.hprs.local> <201606251643.u5PGh6ZI004436@mail.hprs.local> <1091380044.5867.1466942884603@appsuite-dev.open-xchange.com> <201606270645.u5R6jLqW023623@mail.hprs.local>
Message-ID: <1848652779.20160627105032@sloop.net>

TT> On 6/27/2016 2:45 AM, Mark Foley wrote:
>> While continuing to test gssapi, I thought I check out your suggestion on NTLM v1. I did set
>> Thunderbird to NTLM v1 ...

TT> You are aware, I hope, that NTLM v1 is well over 20 years old and
TT> is trivially compromised today. Basically, it's about as secure as
TT> sending plaintext passwords. Since you're supporting SSL on your
TT> Dovecot server, why not require it, and not bother with NTLM auth?

I can't speak for the OP, but I suspect he'd like to use a SSO for dovecot, utilizing the same credentials as is in their Samba AD infrastructure. [Thus, have Dovecot submit authentications for dovecot to the AD domain and get an ack/nak on success.]

So, he's not eager to use NTLMv1, but isn't getting much love in how to setup proxy auth against AD.

[I suspect asking on the Samba list isn't a bad idea, but I'm surprised he hasn't gotten some good pointers here. There really ought to be a FAQ or white-paper on it, and I'm dismayed there isn't.]

-Greg

From aki.tuomi at dovecot.fi Mon Jun 27 18:14:13 2016
From: aki.tuomi at dovecot.fi (aki.tuomi at dovecot.fi)
Date: Mon, 27 Jun 2016 21:14:13 +0300 (EEST)
Subject: Looking for NTLM config example
In-Reply-To: <1848652779.20160627105032@sloop.net>
References: <201604220607.u3M67ODM006995@mail.hprs.local> <201606251643.u5PGh6ZI004436@mail.hprs.local> <1091380044.5867.1466942884603@appsuite-dev.open-xchange.com> <201606270645.u5R6jLqW023623@mail.hprs.local> <1848652779.20160627105032@sloop.net>
Message-ID: <26306859.1428.1467051254812@appsuite-dev.open-xchange.com>

> On June 27, 2016 at 8:50 PM Gregory Sloop wrote:
>
>
>
>
> TT> On 6/27/2016 2:45 AM, Mark Foley wrote:
> >> While continuing to test gssapi, I thought I check out your suggestion on NTLM v1. I did set
> >> Thunderbird to NTLM v1 ...
>
> TT> You are aware, I hope, that NTLM v1 is well over 20 years old and
> TT> is trivially compromised today. Basically, it's about as secure as
> TT> sending plaintext passwords. Since you're supporting SSL on your
> TT> Dovecot server, why not require it, and not bother with NTLM auth?
>
> I can't speak for the OP, but I suspect he'd like to use a SSO for dovecot, utilizing the same credentials as is in their Samba AD infrastructure. [Thus, have Dovecot submit authentications for dovecot to the AD domain and get an ack/nak on success.]
> So, he's not eager to use NTLMv1, but isn't getting much love in how to setup proxy auth against AD. [I suspect asking on the Samba list isn't a bad idea, but I'm surprised he hasn't gotten some good pointers here. There really ought to be a FAQ or white-paper on it, and I'm dismayed there isn't.]
>
> -Greg

It's not very used feature as most with AD probably are using Exchange. I'll have a look at the NTLM authentication and see if we can improve its documentation.

---
Aki Tuomi
Dovecot oy

From j.jurkus at gcecad-service.nl Mon Jun 27 21:02:17 2016
From: j.jurkus at gcecad-service.nl (Jan Jurkus)
Date: Mon, 27 Jun 2016 23:02:17 +0200
Subject: Looking for GSSAPI config [was: Looking for NTLM config example]
In-Reply-To: <201606270658.u5R6wQ7a028643@mail.hprs.local>
References: <201604220607.u3M67ODM006995@mail.hprs.local> <201606251643.u5PGh6ZI004436@mail.hprs.local> <10036776.5864.1466938851255@appsuite-dev.open-xchange.com> <201606270431.u5R4VEfP004658@mail.hprs.local> <5770C54E.50102@dovecot.fi> <201606270658.u5R6wQ7a028643@mail.hprs.local>
Message-ID: <9F01C9BB699F2141BB3A9EB777BCC58B630EEA@win2003sbs-001.GCECAD-Service.local>

Hi,

On 27-06-2016 08:58, Mark Foley wrote:
> So, I'm apparently lacking in the kerberos stuff. Here's the problem -- Samba4 uses Heimdal
> Kerberos and when I provisioned my domain apparently none of these needed kerberos files were
> set up. I can, however, kerberos authenticate from domain workstations both WIN7 and Linux.

You don't need any Samba4 stuff, to get it working. Samba is great, but can be hard to get right. I tend to steer clear of Samba when I don't really need it.

My first experience was with an OTRS helpdesk install, and trying to get it to do SSO. I was helped a great deal by wireshark, and this website:
http://www.grolmsnet.de/kerbtut/
On a sidenote: mod_auth_kerb is rather ancient, in computer-terms. You'd be better off with mod_auth_gssapi. In the case of Dovecot we are not using Apache, of course.

With Dovecot I got the SSO working with Kerberos, and this part is working great. Other parts (shared mailboxes, that sort of stuff) aren't working for me yet. This is my own fault, not a dovecot one, haven't looked into it enough. Anyway, the SSO is working great.

One of the tricky bits is you need a kerberos keytab with two services.
I used ktutil:
# ktutil
ktutil: read_kt mail-imap.keytab
ktutil: read_kt mail-smtp.keytab
ktutil: write_kt mail.keytab
ktutil: quit

I'm using a windows 2003 r2 server as domain controller, to create a keytab file you need the windows 2003 support tools.

ktpass.exe -princ imap/mailserver.gcecad-service.nl@GCECAD-SERVICE.LOCAL -mapuser GCECAD-SERVICE\mail-imap -crypto RC4-HMAC-NT -pass koeltje234 -ptype KRB5_NT_PRINCIPAL -out mail-imap.keytab

ktpass.exe -princ smtp/mailserver.gcecad-service.nl@GCECAD-SERVICE.LOCAL -mapuser GCECAD-SERVICE\mail-smtp -crypto RC4-HMAC-NT -pass koeltje234 -ptype KRB5_NT_PRINCIPAL -out mail-smtp.keytab

Most instructions on the internet do not quite work out that well. RC4-HMAC-NT crypto is needed if you still have Windows XP machines. It should work with a newer crypto but have not tested that.
FYI: Kerberos service names (imap, smtp) are sometimes capitalised, mostly when using HTTP. Great, isn't it?

On the dovecot server I had to install a kerberos package:
# yum install krb5-workstation
(I am using CentOS7, but it should not be too hard to translate this to your own distro)

My kerberos configuration:
# vi /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = GCECAD-SERVICE.LOCAL
 default_keytab_file = /etc/krb5.keytab
 default_ccache_name = KEYRING:persistent:%{uid}
 allow_weak_crypto = true
 default_tkt_enctypes = arcfour-hmac-md5
 default_tgs_enctypes = arcfour-hmac-md5
 permitted_enctypes = arcfour-hmac-md5

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 24h
   renew_lifetime = 7d
   forwardable = true
   krb4_convert = false
 }

[realms]
 GCECAD-SERVICE.LOCAL = {
  kdc = this.is.the.dns.name.of.your.kdc
  admin_server = this.is.the.dns.name.of.your.kdc
 }

[domain_realm]
 .gcecad-service.local = GCECAD-SERVICE.LOCAL
 gcecad-service.local = GCECAD-SERVICE.LOCAL
 .gcecad-service.nl = GCECAD-SERVICE.LOCAL
 gcecad-service.nl = GCECAD-SERVICE.LOCAL

Dovecot config, the needed parts:
In /etc/dovecot/conf.d/10-auth.conf :
auth_krb5_keytab = /etc/dovecot/mail.keytab
auth_mechanisms = plain gssapi

In /etc/dovecot/conf.d/auth-system.conf.ext :
passdb {
  driver = pam
}
userdb {
  driver = static
  args = uid=2000 gid=2000 home=/var/vmail/%Ln allow_all_users=yes
}

In /etc/pam.d/dovecot :
#%PAM-1.0
auth sufficient pam_krb5.so no_user_check validate
account sufficient pam_permit.so

I'm not entirely happy with the static userdb, because of the limitations with kerberos/pam, but this can of course be changed rather easily. The hardest part is to get the SSO working.
One of the limitations is stated here:
http://wiki.dovecot.org/UserDatabase/Static

Postfix SMTP auth is using LMTP, reading from my notes.

I hope you can get a clearer picture with this rather long and chaotic reply.

--
Jan Jurkus | ICT Beheerder | GCE cad-service B.V.
Postbus 12, 3220 AA Hellevoetsluis
Daltonweg 9, 3225 LR Hellevoetsluis
tel: 0181-336955 | fax: 0181-311899
j.jurkus at gcecad-service.nl | www.gcecad-service.nl

From aki.tuomi at dovecot.fi Mon Jun 27 21:19:45 2016
From: aki.tuomi at dovecot.fi (aki.tuomi at dovecot.fi)
Date: Tue, 28 Jun 2016 00:19:45 +0300 (EEST)
Subject: Looking for GSSAPI config [was: Looking for NTLM config example]
In-Reply-To: <9F01C9BB699F2141BB3A9EB777BCC58B630EEA@win2003sbs-001.GCECAD-Service.local>
References: <201604220607.u3M67ODM006995@mail.hprs.local> <201606251643.u5PGh6ZI004436@mail.hprs.local> <10036776.5864.1466938851255@appsuite-dev.open-xchange.com> <201606270431.u5R4VEfP004658@mail.hprs.local> <5770C54E.50102@dovecot.fi> <201606270658.u5R6wQ7a028643@mail.hprs.local> <9F01C9BB699F2141BB3A9EB777BCC58B630EEA@win2003sbs-001.GCECAD-Service.local>
Message-ID: <343976970.2190.1467062386638@appsuite-dev.open-xchange.com>

> On June 28, 2016 at 12:02 AM Jan Jurkus wrote:
>
>
> Hi,
>
> I'm not entirely happy with the static userdb, because of the
> limitations with kerberos/pam, but this can of course be changed rather
> easily. The hardest part is to get the SSO working.
> One of the limitations is stated here:
> http://wiki.dovecot.org/UserDatabase/Static
>
> Postfix SMTP auth is using LMTP, reading from my notes.
>
> I hope you can get a clearer picture with this rather long and chaotic
> reply.
>

As mentioned before, you can use ldap as userdb instead of static userdb. Username matching in AD environment should be done against userPrincipalName attribute.

This should let you get rid of pam as well.

---
Aki Tuomi
Dovecot oy

> --
> Jan Jurkus | ICT Beheerder | GCE cad-service B.V.
> Postbus 12, 3220 AA Hellevoetsluis
> Daltonweg 9, 3225 LR Hellevoetsluis
> tel: 0181-336955 | fax: 0181-311899
> j.jurkus at gcecad-service.nl | www.gcecad-service.nl

From sca at andreasschulze.de Mon Jun 27 21:32:58 2016
From: sca at andreasschulze.de (A. Schulze)
Date: Mon, 27 Jun 2016 23:32:58 +0200
Subject: Where Dovecot stores subscribtions for shared folder
In-Reply-To: <77df4ed7-8ef7-3d14-ccbf-589889e772ea@gmail.com>
References: <77df4ed7-8ef7-3d14-ccbf-589889e772ea@gmail.com>
Message-ID: <2e4d6e13-9bc8-7870-864d-b754b82b0ca5@andreasschulze.de>

Hello,

my location:
location = maildir:%%h/Maildir:INDEX=~/.dovecot.shared/%%u/:INDEXPVT=~/.dovecot.shared/%%u/:CONTROL=~/.dovecot.shared/%%u/

On 27.06.2016 at 14:21, Miloslav Hůla wrote:
> could please someone hint me, where Dovecot stores subscriptions for shared folder?
>
> Our configuration:
>
> namespace {
>   disabled = no
>   hidden = no
>   ignore_on_failure = no
>   inbox = no
>   list = children
>   location = maildir:/vmail/user/%%n/Maildir:INDEXPVT=/vmail/user/%n/Maildir/Shared/%%n
>   prefix = user.%%n.
>   separator = .
>   subscriptions = yes
>   type = shared
> }
>
> When I subscribe to 'user.test', I'll get ~Maildir/Shared/test/.INBOX/dovecot.index.pvt.log in it.
>
> When I unsubscribe from 'user.test', file stays there and its hash is the same.
>
> Kind regards, Milo

From mfoley at ohprs.org Tue Jun 28 05:45:13 2016
From: mfoley at ohprs.org (Mark Foley)
Date: Tue, 28 Jun 2016 01:45:13 -0400
Subject: Looking for GSSAPI config [was: Looking for NTLM config example]
In-Reply-To: <9F01C9BB699F2141BB3A9EB777BCC58B630EEA@win2003sbs-001.GCECAD-Service.local>
References: <201604220607.u3M67ODM006995@mail.hprs.local> <201606251643.u5PGh6ZI004436@mail.hprs.local> <10036776.5864.1466938851255@appsuite-dev.open-xchange.com> <201606270431.u5R4VEfP004658@mail.hprs.local> <5770C54E.50102@dovecot.fi> <201606270658.u5R6wQ7a028643@mail.hprs.local> <9F01C9BB699F2141BB3A9EB777BCC58B630EEA@win2003sbs-001.GCECAD-Service.local>
Message-ID: <201606280545.u5S5jDkl014576@mail.hprs.local>

Jan, thanks for your helpful reply. You wrote:

> With Dovecot I got the SSO working with Kerberos, and this part is
> working great. Other parts (shared mailboxes, that sort of stuff) aren't
> working for me yet.
...

I'm the opposite. My mailbox setup has been working great for a year and a half, though I've not bothered with shared mailboxes yet.

I've attempted to follow your instructions, but still having problems. First, my errors:

Jun 28 01:04:49 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Jun 28 01:04:49 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Jun 28 01:04:49 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Jun 28 01:04:49 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Jun 28 01:04:49 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, session=

Now, your instructions:

> One of the tricky bits is you need a kerberos keytab with two services.
> I used ktutil:
> # ktutil
> ktutil: read_kt mail-imap.keytab
> ktutil: read_kt mail-smtp.keytab
> ktutil: write_kt mail.keytab
> ktutil: quit
>
> I'm using a windows 2003 r2 server as domain controller, to create a
> keytab file you need the windows 2003 support tools.
>
> ktpass.exe -princ imap/mailserver.gcecad-service.nl@GCECAD-SERVICE.LOCAL
> -mapuser GCECAD-SERVICE\mail-imap -crypto RC4-HMAC-NT -pass koeltje234
> -ptype KRB5_NT_PRINCIPAL -out mail-imap.keytab
>
> ktpass.exe -princ smtp/mailserver.gcecad-service.nl@GCECAD-SERVICE.LOCAL
> -mapuser GCECAD-SERVICE\mail-smtp -crypto RC4-HMAC-NT -pass koeltje234
> -ptype KRB5_NT_PRINCIPAL -out mail-smtp.keytab

I ran ktutil, but the commands "read_kt mail-imap.keytab" and "read_kt mail-smtp.keytab" returned:

No such file or directory while reading keytab "mail-imap.keytab"

Perhaps your subsequent ktpass commands are meant to create those. I do not have a ktpass command. I therefore do not have these files. I suppose that could be part of my problem. Can you share the actual contents of these files? I could create them by-hand. Does Dovecot and/or kerberos know where to look for these?

> On the dovecot server I had to install a kerberos package:

Likewise, I installed kerberos for slackware. It tested OK. I was able to do a kinit and klist per the instruction at
https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos

> My kerberos configuration:
> # vi /etc/krb5.conf
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log

I added the [logging] section. Of note, these log files do not exist after multiple attempts with my gssapi connection. Probably a bad sign.

> [libdefaults]
> dns_lookup_realm = false
> dns_lookup_kdc = false
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
> rdns = false
> default_realm = GCECAD-SERVICE.LOCAL
> default_keytab_file = /etc/krb5.keytab
> default_ccache_name = KEYRING:persistent:%{uid}
> allow_weak_crypto = true
> default_tkt_enctypes = arcfour-hmac-md5
> default_tgs_enctypes = arcfour-hmac-md5
> permitted_enctypes = arcfour-hmac-md5

I added all these as well, changing your GCECAD-SERVICE.LOCAL to my HPRS.LOCAL

> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
> krb4_convert = false
> }

I also added this [appdefaults] section.

>
> [realms]
> GCECAD-SERVICE.LOCAL = {
> kdc = this.is.the.dns.name.of.your.kdc
> admin_server = this.is.the.dns.name.of.your.kdc
> }

I tried with and without this section. Not sure what this.is.the.dns.name.of.your.kdc is supposed to be. I changed mine to the domain FQDN of the server:

[realms]
 HPRS.LOCAL = {
  kdc = mail.hprs.local
  admin_server = mail.hprs.local
 }

>
> [domain_realm]
> .gcecad-service.local = GCECAD-SERVICE.LOCAL
> gcecad-service.local = GCECAD-SERVICE.LOCAL
> .gcecad-service.nl = GCECAD-SERVICE.LOCAL
> gcecad-service.nl = GCECAD-SERVICE.LOCAL
>

I also tried with and without this section. Again, not sure what should go there. I tried:

[domain_realm]
 .hprs.local = HPRS.LOCAL
 hprs.local = HPRS.LOCAL
 .hprs.nl = HPRS.LOCAL
 hprs.nl = HPRS.LOCAL

I'm a bit skeptical on the above as .nl is your public top level domain. In fact, after adding these sections I got no error logged in dovecot_log, but did get a message pop up on Thunderbird saying, "Could not connect to mail server mark at ohprs.org; the connection was refused."

> Dovecot config, the needed parts:
> In /etc/dovecot/conf.d/10-auth.conf :
> auth_krb5_keytab = /etc/dovecot/mail.keytab
> auth_mechanisms = plain gssapi

I added those.
> In /etc/dovecot/conf.d/auth-system.conf.ext :
> passdb {
>     driver = pam
> }
> userdb {
>     driver = static
>     args = uid=2000 gid=2000 home=/var/vmail/%Ln allow_all_users=yes
> }

I used my same userdb and passdb settings (although I understand that passdb is not used by gssapi?)

passdb {
    driver = shadow
}
userdb {
    driver = passwd
}

> In /etc/pam.d/dovecot :
> #%PAM-1.0
> auth sufficient pam_krb5.so no_user_check validate
> account sufficient pam_permit.so

The /etc/pam.d directory did not exist so I created it and added the dovecot file as shown. The permissions are a+r.

So, no go so far, but I am encouraged that you have it working. Perhaps you can point out what I might be missing or have otherwise done wrong?

THX --Mark

From mfoley at ohprs.org Tue Jun 28 05:48:29 2016
From: mfoley at ohprs.org (Mark Foley)
Date: Tue, 28 Jun 2016 01:48:29 -0400
Subject: Looking for GSSAPI config [was: Looking for NTLM config example]
In-Reply-To: <343976970.2190.1467062386638@appsuite-dev.open-xchange.com>
References: <201604220607.u3M67ODM006995@mail.hprs.local> <201606251643.u5PGh6ZI004436@mail.hprs.local> <10036776.5864.1466938851255@appsuite-dev.open-xchange.com> <201606270431.u5R4VEfP004658@mail.hprs.local> <5770C54E.50102@dovecot.fi> <201606270658.u5R6wQ7a028643@mail.hprs.local> <9F01C9BB699F2141BB3A9EB777BCC58B630EEA@win2003sbs-001.GCECAD-Service.local> <343976970.2190.1467062386638@appsuite-dev.open-xchange.com>
Message-ID: <201606280548.u5S5mTia019466@mail.hprs.local>

aki.tuomi at dovecot.fi wrote:

> As mentioned before, you can use ldap as userdb instead of static userdb. Username matching in AD environment should be done against userPrincipalName attribute.

Do you see any problem with my continuing to use:

userdb {
    driver = passwd
}

... with gssapi?
(providing I get other configs correct)

--Mark

-----Original Message-----
> Date: Tue, 28 Jun 2016 00:19:45 +0300 (EEST)
> From: aki.tuomi at dovecot.fi
> To: dovecot at dovecot.org
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
>
> > On June 28, 2016 at 12:02 AM Jan Jurkus wrote:
> >
> >
> > Hi,
> >
> > I'm not entirely happy with the static userdb, because of the
> > limitations with kerberos/pam, but this can of course be changed rather
> > easily. The hardest part is to get the SSO working.
> > One of the limitations is stated here:
> > http://wiki.dovecot.org/UserDatabase/Static
> >
> > Postfix SMTP auth is using LMTP, reading from my notes.
> >
> > I hope you can get a clearer picture with this rather long and chaotic
> > reply.
> >
>
> As mentioned before, you can use ldap as userdb instead of static userdb. Username matching in AD environment should be done against userPrincipalName attribute.
>
> This should let you get rid of pam as well.
>
> ---
> Aki Tuomi
> Dovecot oy
>
> > --
> > Jan Jurkus | ICT Beheerder | GCE cad-service B.V.
> > Postbus 12, 3220 AA Hellevoetsluis
> > Daltonweg 9, 3225 LR Hellevoetsluis
> > tel: 0181-336955 | fax: 0181-311899
> > j.jurkus at gcecad-service.nl | www.gcecad-service.nl

From mfoley at ohprs.org Tue Jun 28 06:27:34 2016
From: mfoley at ohprs.org (Mark Foley)
Date: Tue, 28 Jun 2016 02:27:34 -0400
Subject: Looking for GSSAPI config [was: Looking for NTLM config example]
In-Reply-To: <5770C54E.50102@dovecot.fi>
References: <201604220607.u3M67ODM006995@mail.hprs.local> <201606251643.u5PGh6ZI004436@mail.hprs.local> <10036776.5864.1466938851255@appsuite-dev.open-xchange.com> <201606270431.u5R4VEfP004658@mail.hprs.local> <5770C54E.50102@dovecot.fi>
Message-ID: <201606280627.u5S6RY10022091@mail.hprs.local>

Aki,

To review your 5 points:

On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi wrote:

> 1. Functional AD or Kerberos environment
> 2. Time synced against your KDC (which is your Domain Controller on Windows)
> 3. /etc/krb5.conf configured
> 4. Both forward / reverse DNS names correct for clients and servers.
> Reverse is only mandatory for servers, but having them right will work
> wonders. Most kerberos problems are about DNS problems.
> 5. You need a keytab. This keytab needs to hold entries like
> IMAP/your.host.name at REALM and IMAP/$HOSTNAME at REALM. You can generate
> these on any Windows DC server (at least).

I believe I am good on 1,2 and 4. I downloaded and installed kerberos and tested it with kinit and klist according to the instructions at https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos

As to the keytab (#5) I did the following:

$ samba-tool domain exportkeytab /etc/krb5.keytab

which created the file. I made this owned and readable by group dovecot, per instructions at http://wiki2.dovecot.org/Authentication/Kerberos. Running `klist -k /etc/krb5.keytab` shows me configuration listing all the users and computers in the domain, mostly in triplicate. A partial list:

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  18 COMMON$@HPRS.LOCAL
  18 COMMON$@HPRS.LOCAL
  18 COMMON$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
   1 charmaine at HPRS.LOCAL
   1 charmaine at HPRS.LOCAL
   1 charmaine at HPRS.LOCAL

where COMMON and MAIL are hosts and charmaine is a user. I don't really understand the listing, but am assuming it is OK.

> setspn -q is helpful here, also setspn command in general.

I have no such command in my system. Is that a Windows thing?

As to the /etc/krb5.conf, the default one generated by samba is:

[libdefaults]
default_realm = HPRS.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true

I'd like to modify that to your suggestions, but I need more help.
You have (with my questions):

> Here is a *SAMPLE* configuration:
>
> [libdefaults]
> default_realm = YOUR.REALM
> dns_lookup_kdc = true
> krb4_config = /etc/krb.conf
> krb4_realms = /etc/krb.realms

Here, you have krb4_*. Do you mean that? My config file is krb5.conf. Should I rather have:

krb5_config = /etc/krb5.conf

Also, I have no /etc/krb*.realms file. Do I need this? If so, what should be in there?

> kdc_timesync = 1
> ccache_type = 4
> forwardable = true
> proxiable = true
> fcc-mit-ticketflags = true
>
> [realms]
> YOUR.REALM = {
>     default_domain = your.domain.name
>     auth_to_local_names = {
>         Administrator = root
>     }
> }

I suppose my "YOUR.REALM" is HPRS.LOCAL, right? Is my "your.domain.name" my FQDN for my AD server: mail.hprs.local, or is it just hprs.local? (or something else!)

> [domain_realm]
> your.domain.name = YOUR.REALM
> # this is not a mistake
> .your.domain.name = YOUR.REALM
> [login]
> krb4_convert = true
> krb4_get_tickets = false

Likewise here a question on the whole krb4 versus krb5 thing.

Your closing comment:

> Also, note that kerberos can only act as AUTHENTICATION system. It
> cannot act as USER DATABASE. For that you need to configure LDAP or
> something else. With Active Directory LDAP is probably a damn good idea.

I have the following doveconf -n:

# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_krb5_keytab = /etc/krb5.keytab
auth_mechanisms = plain login gssapi
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
    driver = shadow
}
protocols = imap
ssl_cert =

Hello,

We are using dovecot (2.2.10) and it's working great!

When I enable chrooting by appending /./ to the homedirs I'm getting errors like this:

mail1 dovecot[47074]: imap(user): Error: Temp file creation to /tmp/dovecot.imap.mail1.70079.
failed: No such file or directory

On the surface everything seems to be working fine and I have not been able to produce the error myself.

Any ideas?

Thanks in advance,
bvr.

From aki.tuomi at dovecot.fi Tue Jun 28 12:13:11 2016
From: aki.tuomi at dovecot.fi (Aki Tuomi)
Date: Tue, 28 Jun 2016 15:13:11 +0300
Subject: Looking for GSSAPI config [was: Looking for NTLM config example]
In-Reply-To: <201606280627.u5S6RY10022091@mail.hprs.local>
References: <201604220607.u3M67ODM006995@mail.hprs.local> <201606251643.u5PGh6ZI004436@mail.hprs.local> <10036776.5864.1466938851255@appsuite-dev.open-xchange.com> <201606270431.u5R4VEfP004658@mail.hprs.local> <5770C54E.50102@dovecot.fi> <201606280627.u5S6RY10022091@mail.hprs.local>
Message-ID: <577269D7.3040105@dovecot.fi>

On 28.06.2016 09:27, Mark Foley wrote:
> Aki,
>
> To review your 5 points:
>
> On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi wrote:
>
>> 1. Functional AD or Kerberos environment
>> 2. Time synced against your KDC (which is your Domain Controller on Windows)
>> 3. /etc/krb5.conf configured
>> 4. Both forward / reverse DNS names correct for clients and servers.
>> Reverse is only mandatory for servers, but having them right will work
>> wonders. Most kerberos problems are about DNS problems.
>> 5. You need a keytab. This keytab needs to hold entries like
>> IMAP/your.host.name at REALM and IMAP/$HOSTNAME at REALM. You can generate
>> these on any Windows DC server (at least).
> I believe I am good on 1,2 and 4. I downloaded and installed kerberos and tested it with kinit
> and klist according to the instructions at
> https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos
>
> As to the keytab (#5) I did the following:
>
> $ samba-tool domain exportkeytab /etc/krb5.keytab
>
> which created the file. I made this owned and readable by group dovecot, per instructions at
> http://wiki2.dovecot.org/Authentication/Kerberos.
> Running `klist -k /etc/krb5.keytab` shows me
> configuration listing all the users and computers in the domain, mostly in triplicate. A
> partial list:
>
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>   18 COMMON$@HPRS.LOCAL
>   18 COMMON$@HPRS.LOCAL
>   18 COMMON$@HPRS.LOCAL
>    1 MAIL$@HPRS.LOCAL
>    1 MAIL$@HPRS.LOCAL
>    1 MAIL$@HPRS.LOCAL
>    1 charmaine at HPRS.LOCAL
>    1 charmaine at HPRS.LOCAL
>    1 charmaine at HPRS.LOCAL
>
> where COMMON and MAIL are hosts and charmaine is a user. I don't really understand the listing,
> but am assuming it is OK.

Strange that you do not have any host/ entries. Maybe it works without.

>> setspn -q is helpful here, also setspn command in general.
> I have no such command in my system. Is that a Windows thing?
>

Yes, but you can do those kind of things in Samba too.

> As to the /etc/krb5.conf, the default one generated by samba is:
>
> [libdefaults]
> default_realm = HPRS.LOCAL
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> I'd like to modify that to your suggestions, but I need more help. You have (with my questions):
>
>> Here is a *SAMPLE* configuration:
>>
>> [libdefaults]
>> default_realm = YOUR.REALM
>> dns_lookup_kdc = true
>> krb4_config = /etc/krb.conf
>> krb4_realms = /etc/krb.realms
> Here, you have krb4_*. Do you mean that? My config file is krb5.conf. Should I rather have:

You can remove the krb4_ stuff

> krb5_config = /etc/krb5.conf
>
> Also, I have no /etc/krb*.realms file. Do I need this? If so, what should be in there?
You don't necessarily require that.

>> kdc_timesync = 1
>> ccache_type = 4
>> forwardable = true
>> proxiable = true
>> fcc-mit-ticketflags = true
>>
>> [realms]
>> YOUR.REALM = {
>>     default_domain = your.domain.name
>>     auth_to_local_names = {
>>         Administrator = root
>>     }
>> }
> I suppose my "YOUR.REALM" is HPRS.LOCAL, right?
> Is my "your.domain.name" my FQDN for my AD
> server: mail.hprs.local, or is it just hprs.local? (or something else!)

HPRS.LOCAL is your REALM, hprs.local is your domain name.
>
>> [domain_realm]
>> your.domain.name = YOUR.REALM
>> # this is not a mistake
>> .your.domain.name = YOUR.REALM
>> [login]
>> krb4_convert = true
>> krb4_get_tickets = false
> Likewise here a question on the whole krb4 versus krb5 thing.
>
> Your closing comment:
>
>> Also, note that kerberos can only act as AUTHENTICATION system. It
>> cannot act as USER DATABASE. For that you need to configure LDAP or
>> something else. With Active Directory LDAP is probably a damn good idea.
> I have the following doveconf -n:
>
> # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> # OS: Linux 3.10.17 x86_64 Slackware 14.1
> auth_debug_passwords = yes
> auth_krb5_keytab = /etc/krb5.keytab
> auth_mechanisms = plain login gssapi
> auth_verbose = yes
> auth_verbose_passwords = plain
> disable_plaintext_auth = no
> info_log_path = /var/log/dovecot_info
> mail_location = maildir:~/Maildir
> passdb {
>     driver = shadow
> }
> protocols = imap
> ssl_cert =
> ssl_key =
> userdb {
>     driver = passwd
> }
> verbose_ssl = yes
>
> I assume the passwd driver for the userdb is OK? Seems to me it should work with gssapi, but in
> any case I still have all but this test workstation NOT using gssapi, so I still need to
> accommodate them.
>
> Thanks, --Mark
passwd driver is fine, yes, if you ensure that users can be found.

Aki

From luca at lm-net.it Tue Jun 28 13:07:48 2016
From: luca at lm-net.it (Luca Lesinigo)
Date: Tue, 28 Jun 2016 15:07:48 +0200
Subject: FTS search used / useful on an IMAP proxy?
Message-ID: <640BD919-7C32-41F7-B241-659298813725@lm-net.it>

We are preparing an IMAP proxy based on dovecot-2.2.22, basic proxy functionality is already working and I'm trying to understand if having the FTS service configured on the dovecot *proxy* would be of any use.

I do suspect it would be useless, I guess dovecot in imap proxy mode just forwards any command to the backend and does not bother to do anything about it, but I'm failing to find a definitive answer in the documentation. If I am guessing correctly, an fts service would only be useful if configured and working on the actual backend.

Can anyone clarify my doubts?

thank you,
--
Luca Lesinigo

From mfoley at ohprs.org Tue Jun 28 14:17:39 2016
From: mfoley at ohprs.org (Mark Foley)
Date: Tue, 28 Jun 2016 10:17:39 -0400
Subject: Looking for GSSAPI config [was: Looking for NTLM config example]
Message-ID: <201606281417.u5SEHd2J003587@mail.hprs.local>

Aki - made your suggested changes, but no joy :(

My /etc/krb5.conf:

------SNIP--------
[libdefaults]
default_realm = HPRS.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true

[libdefaults]
default_realm = HPRS.LOCAL
dns_lookup_kdc = true
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
fcc-mit-ticketflags = true

[realms]
HPRS.LOCAL = {
    default_domain = hprs.local
    auth_to_local_names = {
        Administrator = root
    }
}

[domain_realm]
hprs.local = HPRS.LOCAL
# this is not a mistake
.hprs.local = HPRS.LOCAL
------PINS-----------

you wrote:
> You can remove the krb4_ stuff

I've removed krb4_ stuff from the [libdefaults] and eliminated the [login] section altogether.
Question on [realms]Administrator: should that really be root or should it be my AD Administrator?

my doveconf -n is exactly the same as posted below, but in particular:

auth_krb5_keytab = /etc/krb5.keytab
auth_mechanisms = plain login gssapi

When I reloaded dovecot no mail was delivered to anyone (even though everyone was still using plain/ssl, no one yet configured for gssapi).

In /var/log/maillog I got (repeatedly):

Jun 28 09:43:36 mail dovecot: imap-login: Warning: Auth process not responding, delayed sending initial response (greeting): user=<>, rip=192.168.0.54, lip=192.168.0.2, session=
Jun 28 09:43:37 mail dovecot: auth: Fatal: Unknown authentication mechanism 'gssapi'
Jun 28 09:43:37 mail dovecot: master: Error: service(auth): command startup failed, throttling for 60 secs
Jun 28 09:43:37 mail dovecot: imap-login: Warning: Auth process not responding, delayed sending initial response (greeting): user=<>, rip=166.170.27.161, lip=98.102.63.107, TLS, session=

This looks pretty bad right off. Why "Unknown authentication mechanism 'gssapi'"?

Do you have any idea from the configs I've posted? I'm rather depressed about this. I thought I'd finally be able to get AD authentication going for Dovecot. Not ready to give up though!

Suggestions?

THX -- Mark

-----original Message-----
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
> To: dovecot at dovecot.org
> From: Aki Tuomi
> Date: Tue, 28 Jun 2016 15:13:11 +0300
>
> On 28.06.2016 09:27, Mark Foley wrote:
> > Aki,
> >
> > To review your 5 points:
> >
> > On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi wrote:
> >
> >> 1. Functional AD or Kerberos environment
> >> 2. Time synced against your KDC (which is your Domain Controller on Windows)
> >> 3. /etc/krb5.conf configured
> >> 4. Both forward / reverse DNS names correct for clients and servers.
> >> Reverse is only mandatory for servers, but having them right will work
> >> wonders. Most kerberos problems are about DNS problems.
> >> 5. You need a keytab. This keytab needs to hold entries like
> >> IMAP/your.host.name at REALM and IMAP/$HOSTNAME at REALM. You can generate
> >> these on any Windows DC server (at least).
> > I believe I am good on 1,2 and 4.
> > I downloaded and installed kerberos and tested it with kinit
> > and klist according to the instructions at
> > https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos
> >
> > As to the keytab (#5) I did the following:
> >
> > $ samba-tool domain exportkeytab /etc/krb5.keytab
> >
> > which created the file. I made this owned and readable by group dovecot, per instructions at
> > http://wiki2.dovecot.org/Authentication/Kerberos. Running `klist -k /etc/krb5.keytab` shows me
> > configuration listing all the users and computers in the domain, mostly in triplicate. A
> > partial list:
> >
> > Keytab name: FILE:/etc/krb5.keytab
> > KVNO Principal
> > ---- --------------------------------------------------------------------------
> >   18 COMMON$@HPRS.LOCAL
> >   18 COMMON$@HPRS.LOCAL
> >   18 COMMON$@HPRS.LOCAL
> >    1 MAIL$@HPRS.LOCAL
> >    1 MAIL$@HPRS.LOCAL
> >    1 MAIL$@HPRS.LOCAL
> >    1 charmaine at HPRS.LOCAL
> >    1 charmaine at HPRS.LOCAL
> >    1 charmaine at HPRS.LOCAL
> >
> > where COMMON and MAIL are hosts and charmaine is a user. I don't really understand the listing,
> > but am assuming it is OK.
>
> Strange that you do not have any host/ entries. Maybe it works without.
>
> >> setspn -q is helpful here, also setspn command in general.
> > I have no such command in my system. Is that a Windows thing?
> >
>
> Yes, but you can do those kind of things in Samba too.
>
> > As to the /etc/krb5.conf, the default one generated by samba is:
> >
> > [libdefaults]
> > default_realm = HPRS.LOCAL
> > dns_lookup_realm = false
> > dns_lookup_kdc = true
> >
> > I'd like to modify that to your suggestions, but I need more help. You have (with my questions):
> >
> >> Here is a *SAMPLE* configuration:
> >>
> >> [libdefaults]
> >> default_realm = YOUR.REALM
> >> dns_lookup_kdc = true
> >> krb4_config = /etc/krb.conf
> >> krb4_realms = /etc/krb.realms
> > Here, you have krb4_*. Do you mean that? My config file is krb5.conf.
> > Should I rather have:
>
> You can remove the krb4_ stuff
>
> > krb5_config = /etc/krb5.conf
> >
> > Also, I have no /etc/krb*.realms file. Do I need this? If so, what should be in there?
> You don't necessarily require that.
>
> >> kdc_timesync = 1
> >> ccache_type = 4
> >> forwardable = true
> >> proxiable = true
> >> fcc-mit-ticketflags = true
> >>
> >> [realms]
> >> YOUR.REALM = {
> >>     default_domain = your.domain.name
> >>     auth_to_local_names = {
> >>         Administrator = root
> >>     }
> >> }
> > I suppose my "YOUR.REALM" is HPRS.LOCAL, right? Is my "your.domain.name" my FQDN for my AD
> > server: mail.hprs.local, or is it just hprs.local? (or something else!)
>
> HPRS.LOCAL is your REALM, hprs.local is your domain name.
> >
> >> [domain_realm]
> >> your.domain.name = YOUR.REALM
> >> # this is not a mistake
> >> .your.domain.name = YOUR.REALM
> >> [login]
> >> krb4_convert = true
> >> krb4_get_tickets = false
> > Likewise here a question on the whole krb4 versus krb5 thing.
> >
> > Your closing comment:
> >
> >> Also, note that kerberos can only act as AUTHENTICATION system. It
> >> cannot act as USER DATABASE. For that you need to configure LDAP or
> >> something else. With Active Directory LDAP is probably a damn good idea.
> > I have the following doveconf -n:
> >
> > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> > # OS: Linux 3.10.17 x86_64 Slackware 14.1
> > auth_debug_passwords = yes
> > auth_krb5_keytab = /etc/krb5.keytab
> > auth_mechanisms = plain login gssapi
> > auth_verbose = yes
> > auth_verbose_passwords = plain
> > disable_plaintext_auth = no
> > info_log_path = /var/log/dovecot_info
> > mail_location = maildir:~/Maildir
> > passdb {
> >     driver = shadow
> > }
> > protocols = imap
> > ssl_cert =
> > ssl_key =
> > userdb {
> >     driver = passwd
> > }
> > verbose_ssl = yes
> >
> > I assume the passwd driver for the userdb is OK?
> > Seems to me it should work with gssapi, but in
> > any case I still have all but this test workstation NOT using gssapi, so I still need to
> > accommodate them.
> >
> > Thanks, --Mark
> passwd driver is fine, yes, if you ensure that users can be found.
>
> Aki
>

From aki.tuomi at dovecot.fi Tue Jun 28 15:06:10 2016
From: aki.tuomi at dovecot.fi (aki.tuomi at dovecot.fi)
Date: Tue, 28 Jun 2016 18:06:10 +0300 (EEST)
Subject: Looking for GSSAPI config [was: Looking for NTLM config example]
In-Reply-To: <201606281417.u5SEHd2J003587@mail.hprs.local>
References: <201606281417.u5SEHd2J003587@mail.hprs.local>
Message-ID: <28360759.5872.1467126370957@appsuite-dev.open-xchange.com>

> On June 28, 2016 at 5:17 PM Mark Foley wrote:
>
>
> Aki - made your suggested changes, but no joy :(
>
> My /etc/krb5.conf:
>
> ------SNIP--------
> [libdefaults]
> default_realm = HPRS.LOCAL
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> [libdefaults]
> default_realm = HPRS.LOCAL
> dns_lookup_kdc = true
> kdc_timesync = 1
> ccache_type = 4
> forwardable = true
> proxiable = true
> fcc-mit-ticketflags = true
>
> [realms]
> HPRS.LOCAL = {
>     default_domain = hprs.local
>     auth_to_local_names = {
>         Administrator = root
>     }
> }
>
> [domain_realm]
> hprs.local = HPRS.LOCAL
> # this is not a mistake
> .hprs.local = HPRS.LOCAL
> ------PINS-----------
>
> you wrote:
> > You can remove the krb4_ stuff
>
> I've removed krb4_ stuff from the [libdefaults] and eliminated the [login] section altogether.
> Question on [realms]Administrator: should that really be root or should it be my AD Administrator?
>
> my doveconf -n is exactly the same as posted below, but in particular:
>
> auth_krb5_keytab = /etc/krb5.keytab
> auth_mechanisms = plain login gssapi
>
> When I reloaded dovecot no mail was delivered to anyone (even though everyone was still using
> plain/ssl, no one yet configured for gssapi).
>
> In /var/log/maillog I got (repeatedly):
>
> Jun 28 09:43:36 mail dovecot: imap-login: Warning: Auth process not responding, delayed sending initial response (greeting): user=<>, rip=192.168.0.54, lip=192.168.0.2, session=
> Jun 28 09:43:37 mail dovecot: auth: Fatal: Unknown authentication mechanism 'gssapi'
> Jun 28 09:43:37 mail dovecot: master: Error: service(auth): command startup failed, throttling for 60 secs
> Jun 28 09:43:37 mail dovecot: imap-login: Warning: Auth process not responding, delayed sending initial response (greeting): user=<>, rip=166.170.27.161, lip=98.102.63.107, TLS, session=
>
> This looks pretty bad right off. Why "Unknown authentication mechanism 'gssapi'"?
>
> Do you have any idea from the configs I've posted? I'm rather depressed about this. I thought I'd
> finally be able to get AD authentication going for Dovecot. Not ready to give up though!
>
> Suggestions?
>
> THX -- Mark
>
> -----original Message-----
> > Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
> > To: dovecot at dovecot.org
> > From: Aki Tuomi
> > Date: Tue, 28 Jun 2016 15:13:11 +0300
> >
> > On 28.06.2016 09:27, Mark Foley wrote:
> > > Aki,
> > >
> > > To review your 5 points:
> > >
> > > On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi wrote:
> > >
> > >> 1. Functional AD or Kerberos environment
> > >> 2. Time synced against your KDC (which is your Domain Controller on Windows)
> > >> 3. /etc/krb5.conf configured
> > >> 4. Both forward / reverse DNS names correct for clients and servers.
> > >> Reverse is only mandatory for servers, but having them right will work
> > >> wonders. Most kerberos problems are about DNS problems.
> > >> 5. You need a keytab. This keytab needs to hold entries like
> > >> IMAP/your.host.name at REALM and IMAP/$HOSTNAME at REALM. You can generate
> > >> these on any Windows DC server (at least).
> > > I believe I am good on 1,2 and 4.
> > > I downloaded and installed kerberos and tested it with kinit
> > > and klist according to the instructions at
> > > https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos
> > >
> > > As to the keytab (#5) I did the following:
> > >
> > > $ samba-tool domain exportkeytab /etc/krb5.keytab
> > >
> > > which created the file. I made this owned and readable by group dovecot, per instructions at
> > > http://wiki2.dovecot.org/Authentication/Kerberos. Running `klist -k /etc/krb5.keytab` shows me
> > > configuration listing all the users and computers in the domain, mostly in triplicate. A
> > > partial list:
> > >
> > > Keytab name: FILE:/etc/krb5.keytab
> > > KVNO Principal
> > > ---- --------------------------------------------------------------------------
> > >   18 COMMON$@HPRS.LOCAL
> > >   18 COMMON$@HPRS.LOCAL
> > >   18 COMMON$@HPRS.LOCAL
> > >    1 MAIL$@HPRS.LOCAL
> > >    1 MAIL$@HPRS.LOCAL
> > >    1 MAIL$@HPRS.LOCAL
> > >    1 charmaine at HPRS.LOCAL
> > >    1 charmaine at HPRS.LOCAL
> > >    1 charmaine at HPRS.LOCAL
> > >
> > > where COMMON and MAIL are hosts and charmaine is a user. I don't really understand the listing,
> > > but am assuming it is OK.
> >
> > Strange that you do not have any host/ entries. Maybe it works without.
> >
> > >> setspn -q is helpful here, also setspn command in general.
> > > I have no such command in my system. Is that a Windows thing?
> > >
> >
> > Yes, but you can do those kind of things in Samba too.
> >
> > > As to the /etc/krb5.conf, the default one generated by samba is:
> > >
> > > [libdefaults]
> > > default_realm = HPRS.LOCAL
> > > dns_lookup_realm = false
> > > dns_lookup_kdc = true
> > >
> > > I'd like to modify that to your suggestions, but I need more help.
> > > You have (with my questions):
> > >
> > >> Here is a *SAMPLE* configuration:
> > >>
> > >> [libdefaults]
> > >> default_realm = YOUR.REALM
> > >> dns_lookup_kdc = true
> > >> krb4_config = /etc/krb.conf
> > >> krb4_realms = /etc/krb.realms
> > > Here, you have krb4_*. Do you mean that? My config file is krb5.conf. Should I rather have:
> >
> > You can remove the krb4_ stuff
> >
> > > krb5_config = /etc/krb5.conf
> > >
> > > Also, I have no /etc/krb*.realms file. Do I need this? If so, what should be in there?
> > You don't necessarily require that.
> >
> > >> kdc_timesync = 1
> > >> ccache_type = 4
> > >> forwardable = true
> > >> proxiable = true
> > >> fcc-mit-ticketflags = true
> > >>
> > >> [realms]
> > >> YOUR.REALM = {
> > >>     default_domain = your.domain.name
> > >>     auth_to_local_names = {
> > >>         Administrator = root
> > >>     }
> > >> }
> > > I suppose my "YOUR.REALM" is HPRS.LOCAL, right? Is my "your.domain.name" my FQDN for my AD
> > > server: mail.hprs.local, or is it just hprs.local? (or something else!)
> >
> > HPRS.LOCAL is your REALM, hprs.local is your domain name.
> > >
> > >> [domain_realm]
> > >> your.domain.name = YOUR.REALM
> > >> # this is not a mistake
> > >> .your.domain.name = YOUR.REALM
> > >> [login]
> > >> krb4_convert = true
> > >> krb4_get_tickets = false
> > > Likewise here a question on the whole krb4 versus krb5 thing.
> > >
> > > Your closing comment:
> > >
> > >> Also, note that kerberos can only act as AUTHENTICATION system. It
> > >> cannot act as USER DATABASE. For that you need to configure LDAP or
> > >> something else. With Active Directory LDAP is probably a damn good idea.
> > > I have the following doveconf -n:
> > >
> > > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> > > # OS: Linux 3.10.17 x86_64 Slackware 14.1
> > > auth_debug_passwords = yes
> > > auth_krb5_keytab = /etc/krb5.keytab
> > > auth_mechanisms = plain login gssapi
> > > auth_verbose = yes
> > > auth_verbose_passwords = plain
> > > disable_plaintext_auth = no
> > > info_log_path = /var/log/dovecot_info
> > > mail_location = maildir:~/Maildir
> > > passdb {
> > >     driver = shadow
> > > }
> > > protocols = imap
> > > ssl_cert =
> > > ssl_key =
> > > userdb {
> > >     driver = passwd
> > > }
> > > verbose_ssl = yes
> > >
> > > I assume the passwd driver for the userdb is OK? Seems to me it should work with gssapi, but in
> > > any case I still have all but this test workstation NOT using gssapi, so I still need to
> > > accommodate them.
> > >
> > > Thanks, --Mark
> > passwd driver is fine, yes, if you ensure that users can be found.
> >
> > Aki
> >

Doh. Seems your dovecot isn't compiled with gssapi support? Can you compile it yourself?

I'll try to check status of NTLM this week.

Aki

From michael.slusarz at dovecot.fi Tue Jun 28 17:15:22 2016
From: michael.slusarz at dovecot.fi (Michael Slusarz)
Date: Tue, 28 Jun 2016 11:15:22 -0600 (MDT)
Subject: FTS search used / useful on an IMAP proxy?
In-Reply-To: <640BD919-7C32-41F7-B241-659298813725@lm-net.it>
References: <640BD919-7C32-41F7-B241-659298813725@lm-net.it>
Message-ID: <100720327.6102.1467134123338@appsuite-dev.open-xchange.com>

>
> On June 28, 2016 at 7:07 AM Luca Lesinigo wrote:
>
> We are preparing an IMAP proxy based on dovecot-2.2.22, basic proxy functionality is already working and I'm trying to understand if having the FTS service configured on the dovecot *proxy* would be of any use.
>
> I do suspect it would be useless, I guess dovecot in imap proxy mode just forwards any command to the backend and does not bother to do anything about it, but I'm failing to find a definitive answer in the documentation.
> If I am guessing correctly, an fts service would only be useful if configured and working on the actual backend.
>

FTS only makes sense on backend, where the search would be executed.

michael

From hughbragg at dodo.com.au Tue Jun 28 19:05:44 2016
From: hughbragg at dodo.com.au (Hugh Bragg)
Date: Wed, 29 Jun 2016 05:05:44 +1000
Subject: mail-search backtrace
In-Reply-To: <5770C942.4010001@dovecot.fi>
References: <57094E96.7020501@dodo.com.au> <2D05C734-10E5-4F8E-B26C-39B981C18FBC@iki.fi> <5740B443.9070205@dodo.com.au> <576E15AE.5000302@dodo.com.au> <5770C942.4010001@dovecot.fi>
Message-ID: <5772CA88.4000805@dodo.com.au>

On 27/06/16 16:35, Aki Tuomi wrote:
>
> On 25.06.2016 08:25, Hugh Bragg wrote:
>> On 22/05/16 05:17, Hugh Bragg wrote:
>>>
>>> On 13/04/16 06:41, Timo Sirainen wrote:
>>>> On 09 Apr 2016, at 21:48, Hugh Bragg wrote:
>>>>> I'm repeatedly getting this error:
>>>>>
>>>>> Apr 07 04:37:27 imap(mymail at address): Panic: file mail-search.c:
>>>>> line 84 (mail_search_arg_init): assertion failed:
>>>>> (arg->initialized.keywords == NULL)
>>>>> Apr 07 04:37:27 imap(mymail at address): Error: Raw backtrace:
>>>>> /usr/lib64/dovecot/libdovecot.so.0(+0x827c2) [0x7fcb7f65e7c2] ->
>>>>> /usr/lib64/dovecot/libdovecot.so.0(+0x828ad) [0x7fcb7f65e8ad] ->
>>>>> /usr/lib64/dov
>>>>> ecot/libdovecot.so.0(i_fatal+0) [0x7fcb7f605b01] ->
>>>>> /usr/lib64/dovecot/libdovecot-storage.so.0(mail_search_arg_init+0x228)
>>>>> [0x7fcb7f91a328] ->
>>>>> /usr/lib64/dovecot/libdovecot-storage.so.0(index_search_result_updat
>>>>> e_flags+0x100) [0x7fcb7f98e470] ->
>>>>> /usr/lib64/dovecot/libdovecot-storage.so.0(index_sync_search_results_update+0x52)
>>>>> [0x7fcb7f9983e2] ->
>>>>> /usr/lib64/dovecot/libdovecot-storage.so.0(index_mailbox_sync_deinit+0x185
>>>>> ) [0x7fcb7f998bb5] ->
>>>>> /usr/lib64/dovecot/libdovecot-storage.so.0(mailbox_sync_deinit+0x32) [0x7fcb7f921222]
>>>>> ->
>>>>> /usr/lib64/dovecot/lib20_virtual_plugin.so(virtual_storage_sync_init+0xab3)
>>>>> [0x7fcb7e9f7313]
>>>>> -> /usr
>>>> It's coming from virtual mailboxes.
>>>>
>>>>> namespace virtual {
>>>>>     location = virtual:/var/mail/vhosts/%d/%n/virtual
>>>>>     prefix = virtual.
>>>>>     separator = .
>>>>> }
>>>> What do your dovecot-virtual files contain? I guess opening one of
>>>> those virtual mailboxes crashes always. Related to searching keywords.
>>> It still happens once in a while. It just won't expunge old messages
>>> from unseen. There is no other trace or log message.
>>> I was hoping to isolate the cause, but all I could only say for sure
>>> that it happens sometime after Dovecot first starts up and I have to
>>> restart to fix it.
>>> dovecot-virtual files look like this:
>>> # cat virtual/all/dovecot-virtual
>>> *
>>> all
>>> # cat virtual/Unseen/dovecot-virtual
>>> virtual.all
>>> inthread refs unseen
>>>
>>>
>>> A fresh trace:
>>>
>>> May 21 00:28:08 imap(x at y): Panic: file mail-search.c: line 84
>>> (mail_search_arg_init): assertion failed: (arg->initialized.keywords
>>> == NULL)
>>> May 21 00:28:08 imap(x at y): Error: Raw backtrace:
>>> /usr/lib64/dovecot/libdovecot.so.0(+0x85c62) [0x7f4fd8915c62] ->
>>> /usr/lib64/dovecot/libdovecot.so.0(+0x85d4d) [0x7f4fd8915d4d] ->
>>> /usr/lib64/dov
>>> ecot/libdovecot.so.0(i_fatal+0) [0x7f4fd88ba5c1] ->
>>> /usr/lib64/dovecot/libdovecot-storage.so.0(mail_search_arg_init+0x228) [0x7f4fd8bd4b78]
>>> -> /usr/lib64/dovecot/libdovecot-storage.so.0(index_search_result_updat
>>> e_flags+0x100) [0x7f4fd8c49d00] ->
>>> /usr/lib64/dovecot/libdovecot-storage.so.0(index_sync_search_results_update+0x52)
>>> [0x7f4fd8c53ce2] ->
>>> /usr/lib64/dovecot/libdovecot-storage.so.0(index_mailbox_sync_deinit+0x185
>>> ) [0x7f4fd8c544b5] ->
>>> /usr/lib64/dovecot/libdovecot-storage.so.0(mailbox_sync_deinit+0x32)
>>> [0x7f4fd8bdba82] ->
>>> /usr/lib64/dovecot/lib20_virtual_plugin.so(virtual_storage_sync_init+0x538)
>>> [0x7f4fd7caa428] -> /usr
>>> /lib64/dovecot/libdovecot-storage.so.0(mailbox_sync_init+0x3b)
>>> [0x7f4fd8bdb9fb] ->
dovecot/imap(imap_sync_init+0x68) >>> [0x56091d93b078] -> dovecot/imap(+0x1210e) [0x56091d92710e] -> >>> dovecot/imap(+0x1234d) [0x56091 >>> d92734d] -> >>> /usr/lib64/dovecot/libdovecot.so.0(io_loop_handle_timeouts+0xea) >>> [0x7f4fd892984a] -> >>> /usr/lib64/dovecot/libdovecot.so.0(io_loop_handler_run_internal+0xbb) >>> [0x7f4fd892ae4b] -> /usr/lib64/dovecot/libdo >>> vecot.so.0(io_loop_handler_run+0x25) [0x7f4fd8929a75] -> >>> /usr/lib64/dovecot/libdovecot.so.0(io_loop_run+0x38) [0x7f4fd8929c18] >>> -> /usr/lib64/dovecot/libdovecot.so.0(master_service_run+0x13) >>> [0x7f4fd88c0123] -> d >>> ovecot/imap(main+0x328) [0x56091d922a98] -> >>> /lib64/libc.so.6(__libc_start_main+0xf0) [0x7f4fd84ef580] -> >>> dovecot/imap(_start+0x29) [0x56091d922c19] >> Still no clue on this even with debug set on. It's become so bad I >> need to restart it or new mail is no longer reported after a few days >> when the unseen has dozens of read mails. >> I've no idea why it would need the keyword when I haven't done a >> search but I suppose the virtual plugin works by using the >> mail-search. Still, this shouldn't cause an error even if it is null. >> I'm suppose it could be caused by the number of emails being so great. >> Perhaps something is corrupt but as given, my dovecot-virtual files >> are as recommended by the plugin doco and nothing else seems amiss. If >> there is a corrupt mail or something then I don't know how to trace it. >> >> Anything anyone? 
>> >> >> A fresh trace : >> Jun 25 15:10:30 imap(x at y.z): Panic: file mail-search.c: line 84 >> (mail_search_arg_init): assertion failed: (arg->initialized.keywords >> == NULL) >> Jun 25 15:10:30 imap(x at y.z): Error: Raw backtrace: >> /usr/lib64/dovecot/libdovecot.so.0(+0x87102) [0x7fcb73696102] -> >> /usr/lib64/dovecot/libdovecot.so.0(+0x871ed) [0x7fcb736961ed] -> >> /usr/lib64/dovecot/libdovecot.so.0(i_fatal+0) [0x7fcb736399e1] -> >> /usr/lib64/dovecot/libdovecot-storage.so.0(mail_search_arg_init+0x228) >> [0x7fcb73955cc8] -> >> /usr/lib64/dovecot/libdovecot-storage.so.0(index_search_result_update_flags+0x100) >> [0x7fcb739cb3f0] -> >> /usr/lib64/dovecot/libdovecot-storage.so.0(index_sync_search_results_update+0x52) >> [0x7fcb739d5392] -> >> /usr/lib64/dovecot/libdovecot-storage.so.0(index_mailbox_sync_deinit+0x185) >> [0x7fcb739d5b65] -> >> /usr/lib64/dovecot/libdovecot-storage.so.0(mailbox_sync_deinit+0x32) >> [0x7fcb7395cbd2] -> >> /usr/lib64/dovecot/lib20_virtual_plugin.so(virtual_storage_sync_init+0x538) >> [0x7fcb72e434f8] -> >> /usr/lib64/dovecot/libdovecot-storage.so.0(mailbox_sync_init+0x3b) >> [0x7fcb7395cb4b] -> dovecot/imap(imap_sync_init+0x68) [0x55cfd865d0f8] >> -> dovecot/imap(+0x1217e) [0x55cfd864917e] -> dovecot/imap(+0x123bd) >> [0x55cfd86493bd] -> >> /usr/lib64/dovecot/libdovecot.so.0(io_loop_handle_timeouts+0xea) >> [0x7fcb736a9dba] -> >> /usr/lib64/dovecot/libdovecot.so.0(io_loop_handler_run_internal+0xbb) >> [0x7fcb736ab3bb] -> >> /usr/lib64/dovecot/libdovecot.so.0(io_loop_handler_run+0x25) >> [0x7fcb736a9fe5] -> >> /usr/lib64/dovecot/libdovecot.so.0(io_loop_run+0x38) [0x7fcb736aa188] >> -> /usr/lib64/dovecot/libdovecot.so.0(master_service_run+0x13) >> [0x7fcb7363fea3] -> dovecot/imap(main+0x328) [0x55cfd8644b08] -> >> /lib64/libc.so.6(__libc_start_main+0xf0) [0x7fcb7326e580] -> >> dovecot/imap(_start+0x29) [0x55cfd8644c89] > Hi! > > Thank you for your report, we'll look into it. 
> > --- > Aki Tuomi > Dovecot oy Some hopefully useful further debugging logs: Jun 29 04:50:02 imap(username at nodo.com.au): Debug: Loading modules from directory: /usr/lib64/dovecot Jun 29 04:50:02 imap(username at nodo.com.au): Debug: Module loaded: /usr/lib64/dovecot/lib20_virtual_plugin.so Jun 29 04:50:02 imap(username at nodo.com.au): Debug: Effective uid=5000, gid=5000, home=/var/mail/vhosts/nodo.com.au/username Jun 29 04:50:02 imap(username at nodo.com.au): Debug: Namespace inbox: type=private, prefix=, sep=, inbox=yes, hidden=no, list=yes, subscriptions=yes location=maildir:~/mail Jun 29 04:50:02 imap(username at nodo.com.au): Debug: maildir++: root=/var/mail/vhosts/nodo.com.au/username/mail, index=, indexpvt=, control=, inbox=/var/mail/vhosts/nodo.com.au/username/mail, alt= Jun 29 04:50:02 imap(username at nodo.com.au): Debug: Namespace virtual: type=private, prefix=virtual., sep=., inbox=no, hidden=no, list=yes, subscriptions=yes location=virtual:/var/mail/vhosts/nodo.com.au/hughbra gg/virtual Jun 29 04:50:02 imap(username at nodo.com.au): Debug: fs: root=/var/mail/vhosts/nodo.com.au/username/virtual, index=, indexpvt=, control=, inbox=, alt= Jun 29 04:50:06 imap(username at nodo.com.au): Panic: file mail-search.c: line 84 (mail_search_arg_init): assertion failed: (arg->initialized.keywords == NULL) Jun 29 04:50:06 imap(username at nodo.com.au): Error: Raw backtrace: /usr/lib64/dovecot/libdovecot.so.0(+0x87102) [0x7f68355e1102] -> /usr/lib64/dovecot/libdovecot.so.0(+0x871ed) [0x7f68355e11ed] -> /usr/lib64/dov ecot/libdovecot.so.0(i_fatal+0) [0x7f68355849e1] -> /usr/lib64/dovecot/libdovecot-storage.so.0(mail_search_arg_init+0x228) [0x7f68358a0cc8] -> /usr/lib64/dovecot/libdovecot-storage.so.0(index_search_result_updat e_flags+0x100) [0x7f68359163f0] -> /usr/lib64/dovecot/libdovecot-storage.so.0(index_sync_search_results_update+0x52) [0x7f6835920392] -> /usr/lib64/dovecot/libdovecot-storage.so.0(index_mailbox_sync_deinit+0x185 ) [0x7f6835920b65] -> 
/usr/lib64/dovecot/libdovecot-storage.so.0(mailbox_sync_deinit+0x32) [0x7f68358a7bd2] -> /usr/lib64/dovecot/lib20_virtual_plugin.so(virtual_storage_sync_init+0x538) [0x7f6834d8e4f8] -> /usr /lib64/dovecot/libdovecot-storage.so.0(mailbox_sync_init+0x3b) [0x7f68358a7b4b] -> dovecot/imap(imap_sync_init+0x68) [0x55fa42fc70f8] -> dovecot/imap(+0x1217e) [0x55fa42fb317e] -> dovecot/imap(+0x123bd) [0x55fa4 2fb33bd] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_handle_timeouts+0xea) [0x7f68355f4dba] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_handler_run_internal+0xbb) [0x7f68355f63bb] -> /usr/lib64/dovecot/libdo vecot.so.0(io_loop_handler_run+0x25) [0x7f68355f4fe5] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_run+0x38) [0x7f68355f5188] -> /usr/lib64/dovecot/libdovecot.so.0(master_service_run+0x13) [0x7f683558aea3] -> dovecot/imap(main+0x328) [0x55fa42faeb08] -> /lib64/libc.so.6(__libc_start_main+0xf0) [0x7f68351b9580] -> dovecot/imap(_start+0x29) [0x55fa42faec89] Jun 29 04:50:07 imap(username at nodo.com.au): Fatal: master: service(imap): child 22020 killed with signal 6 (core dumped) From tss at iki.fi Tue Jun 28 21:17:02 2016 From: tss at iki.fi (Timo Sirainen) Date: Wed, 29 Jun 2016 00:17:02 +0300 Subject: chroot: Error: Temp file creation to /tmp In-Reply-To: <77650433-522c-800b-7fea-793e430ce507@somewhere.in.the-netherlands.eu> References: <77650433-522c-800b-7fea-793e430ce507@somewhere.in.the-netherlands.eu> Message-ID: On 28 Jun 2016, at 10:55, bvr wrote: > > > Hello, > > We are using dovecot (2.2.10) and it's working great! When I enable chrooting by appending /./ to the homedirs I'm getting errors like this: > > mail1 dovecot[47074]: imap(user): Error: Temp file creation to /tmp/dovecot.imap.mail1.70079. failed: No such file or directory > > On the surface everything seems to be working fine and I have not been able to produce the error myself. Sometimes Dovecot wants to create temporary files to avoid excessive memory usage. 
If it can't create the temp file it'll just keep the temporary data in memory. You can control the temporary file location with mail_temp_dir setting. But maybe the nicest solution would be to just create a tmp/ directory in everybody's home dir? I guess Dovecot could do this also automatically if it has permissions, but I'm not entirely sure if that's a good idea.

From tss at iki.fi Tue Jun 28 21:18:37 2016
From: tss at iki.fi (Timo Sirainen)
Date: Wed, 29 Jun 2016 00:18:37 +0300
Subject: External mail attachments storage cleanup
In-Reply-To: <1467033075.442360294@f328.i.mail.ru>
References: <1467033075.442360294@f328.i.mail.ru>
Message-ID: <62CD13D3-8AC6-4208-A732-B885B6BD58BC@iki.fi>

On 27 Jun 2016, at 16:11, ??????? ???????? wrote:
>
> Hi,
>
> I have set up mdbox backend with saving mail attachments to external files option. Dovecot stores attachments to external files but never deletes them.

You haven't run doveadm purge?

From tss at iki.fi Tue Jun 28 21:30:38 2016
From: tss at iki.fi (Timo Sirainen)
Date: Wed, 29 Jun 2016 00:30:38 +0300
Subject: dsync unstable? (other strange detail)
In-Reply-To: <20160627052859.GQ7131@jumper.schlittermann.de>
References: <20160627052859.GQ7131@jumper.schlittermann.de>
Message-ID: <947D9C4B-CC88-4763-8F74-0D13FA169B73@iki.fi>

On 27 Jun 2016, at 08:28, Heiko Schlittermann wrote:
>
> Hi,
>
> I'm trying to migrate from Cyrus (remote side) to Dovecot 2.2.24 (local).
> On the local side the destinations folders, and indexes are empty.
>
> The command I'm using is
>
> doveadm \
>   -o mail_plugins= \
>   -o imapc_master_user= \
>   -o imapc_password= \
>   -o imapc_host= \
>   \
>   -o imapc_ssl_verify=no \
>   -o imapc_ssl=imaps \
>   -o imapc_port=993 \
>   backup -f -u "heiko" -R imapc: \
>   || {
>   rc=$?
>   echo "EXIT: $rc" >&2
>   exit $rc
> }
>
> On successive runs of the above command I get:
>
> dsync(heiko): Warning: Deleting mailbox 'Serververwaltung.Mailinglisten Anforderung': UID=16 GUID= is missing locally

This means that on Dovecot side there are messages after UID=16, but either:
a) UID=16 was expunged from Dovecot side or
b) UID=16 suddenly appeared on Cyrus side even though it wasn't there earlier. This isn't allowed by IMAP standard.

Dovecot can't insert UIDs, so it'll delete the folder and re-sync everything on the next run.

> Any idea where to look next? Is 'doveadm backup' the wrong tool for such
> migration? (I'd say with about 2.2.9 I had similar problems, but at
> least it didn't stop at every subfolder.)

If you allow local access already that can do modification, use doveadm sync -1 after that.

From tss at iki.fi Tue Jun 28 21:32:19 2016
From: tss at iki.fi (Timo Sirainen)
Date: Wed, 29 Jun 2016 00:32:19 +0300
Subject: exempt local auth-client UNIX socket from failed login penalty // add to login_trusted_networks ?
In-Reply-To:
References:
Message-ID:

On 24 Jun 2016, at 13:33, Steffen Kaiser wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> I'm using Dovecot v2.2 with unix_listener auth-client {
> } to verify passwords for a different service. However, it looks like that auth_failure_delay affects all connects going through that socket.
>
> I mean:
>
> connect /var/run/dovecot2.2/auth-client
> attempt bad auth
> 2s penalty
> NO
> disconnect
> ==> Note, it's another connection almost immediately following each
> connect /var/run/dovecot2.2/auth-client
> attempt good auth
> 2s penalty
> OK
> disconnect
>
> Can I disable auth_failure_delay for local UNIX sockets?
> How do I add it to login_trusted_networks?

If you add no-penalty parameter to the AUTH command you avoid the penalty.
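
The no-penalty parameter from the reply above is a flag on the tab-separated AUTH request that an auth-client sends over the UNIX socket. The following is an added example, not code from the thread or from the Dovecot project; it assumes the v2.2 auth protocol framing (`VERSION 1 1` handshake, `resp=` as the last parameter), and all function names are hypothetical.

```python
"""Added example: a Dovecot auth-client AUTH request carrying no-penalty."""
import base64
import os
import socket

# Socket path as quoted in the thread; adjust to the local unix_listener.
AUTH_SOCKET = "/var/run/dovecot2.2/auth-client"


def plain_response(username, password, authzid=""):
    """Base64 SASL PLAIN initial response: authzid NUL authcid NUL password."""
    for field in (authzid, username, password):
        if "\0" in field:
            raise ValueError("NUL separates PLAIN fields and cannot appear inside one")
    raw = "\0".join((authzid, username, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def auth_request(req_id, username, password, service, no_penalty=False):
    """Build one AUTH line (no trailing newline) for the PLAIN mechanism."""
    # The protocol is TAB-delimited and line-based, so reject field breakers.
    if not service or any(c in service for c in "\t\r\n"):
        raise ValueError("service must be non-empty and free of TAB/CR/LF")
    fields = ["AUTH", str(int(req_id)), "PLAIN", "service=" + service]
    if no_penalty:
        fields.append("no-penalty")  # the parameter named in the reply above
    # Assumption: resp= must be the final parameter of the request.
    fields.append("resp=" + plain_response(username, password))
    return "\t".join(fields)


def parse_reply(line):
    """Split 'OK|FAIL|CONT <id> [params]' into (status, id, params)."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) < 2 or parts[0] not in ("OK", "FAIL", "CONT"):
        raise ValueError("unexpected auth reply: %r" % line)
    status, req_id = parts[0], int(parts[1])
    if status == "CONT":
        # CONT carries bare base64 data, not key=value parameters.
        return status, req_id, {"data": parts[2] if len(parts) > 2 else ""}
    params = {}
    for item in parts[2:]:
        key, _, value = item.partition("=")
        params[key] = value
    return status, req_id, params


def verify(username, password, service, no_penalty=True,
           path=AUTH_SOCKET, timeout=10.0):
    """Return True if the auth process answers OK for these credentials."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        sock.connect(path)
        stream = sock.makefile("rwb")
        hello = "VERSION\t1\t1\nCPID\t%d\n" % os.getpid()
        stream.write(hello.encode("ascii"))
        stream.flush()
        # The server lists its mechanisms and ends its greeting with DONE.
        for raw in stream:
            if raw.decode("utf-8", "replace").startswith("DONE"):
                break
        else:
            raise ConnectionError("auth socket closed before DONE")
        request = auth_request(1, username, password, service, no_penalty)
        stream.write((request + "\n").encode("ascii"))
        stream.flush()
        for raw in stream:
            line = raw.decode("utf-8", "replace")
            if line.split("\t", 1)[0] in ("OK", "FAIL", "CONT"):
                status, req_id, _params = parse_reply(line)
                if req_id == 1:
                    return status == "OK"
    return False
```

Any process that can connect to the socket can set this flag on its own requests, so the unix_listener's mode, user and group should admit only the service that needs it.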

From tss at iki.fi Tue Jun 28 21:45:04 2016
From: tss at iki.fi (Timo Sirainen)
Date: Wed, 29 Jun 2016 00:45:04 +0300
Subject: Disabling passdb pam in local.conf
In-Reply-To: <20160622064804.GC4589@sys4.de>
References: <20160620200344.GK31639@sys4.de> <20160622064621.381ada63@pixie.lan> <20160622060946.GB1552@sys4.de> <20160622064804.GC4589@sys4.de>
Message-ID:

On 22 Jun 2016, at 09:48, Patrick Ben Koetter wrote:
>
> * Patrick Ben Koetter:
>> * Marcus Rueckert:
>>>> What am I missing?
>>>
>>> That 10-auth.conf is actually meant to be edited. most distros should
>>> have configuration file handling pretty much figured out by now. so
>>> none of your changes to those files should get lost. also configuration
>>> management comes to mind.
>>
>> As I repeatedly said none of those actions are an option in this project.
>> I think we better stop this thread.
>
> For the books:
>
> It can't be done at the moment. That would require the passdb section to
> become a named section, e.g. like this:
>
> passdb pam {
>   driver = pam
> }
>
> Then one would be able to address this particular passdb namespace and do e.g.
> something like this:
>
> passdb pam {
>   driver = pam
>   enabled = no
> }

Hmm. If you want to just kludge it, I guess you could do a 00-auth.conf:

passdb {
  driver = whatever you want for your real passdb
  args = etc
  result_failure = return
  result_internalfail = return
}

So even though pam is still in the config, it's just never actually called.

From tss at iki.fi Tue Jun 28 21:49:56 2016
From: tss at iki.fi (Timo Sirainen)
Date: Wed, 29 Jun 2016 00:49:56 +0300
Subject: Suggestion: Split login_trusted_networks
In-Reply-To: <5771200F.30102@one.com>
References: <5771200F.30102@one.com>
Message-ID:

On 27 Jun 2016, at 15:46, Peter Mogensen wrote:
>
> Hi,
>
> For the upcoming 2.3 development, I'd like to re-suggest this:
>
> It seems the use of login_trusted_networks is overloaded.
>
> Example:
> * It's used for indicating which hosts you trust to provide XCLIENT remote IP's. (like a proxy)
> * It's used for indicating from which hosts you trust logins enough to disable auth penalty. (like in a webmail)
>
> Often these two use cases have a different set of hosts.
>
> So you can't have one set of hosts which you trust for XCLIENT and another set of hosts you trust for not being the origin of brute force attacks.

Hmm. I guess it's possible nowadays to remove that. The old behavior could still be configured by adding a passdb that enables nodelay=yes for the webmail's IP. For example:

passdb {
  driver = passwd-file
  args = username_format=%{lip} /etc/dovecot/passdb
}

127.0.0.1:::::::nodelay=yes

So I'm thinking v2.3 could no longer send the no-penalty parameter at all based on login_trusted_networks.

Also related: Dovecot's auth penalty support isn't especially good. There's now support for http://wiki2.dovecot.org/Authentication/Policy that can talk to https://github.com/PowerDNS/weakforced to provide much better possibilities for implementing auth penalty rules and especially cluster-wide.

From tss at iki.fi Tue Jun 28 21:52:51 2016
From: tss at iki.fi (Timo Sirainen)
Date: Wed, 29 Jun 2016 00:52:51 +0300
Subject: Suggestion: Split login_trusted_networks
In-Reply-To:
References: <5771200F.30102@one.com>
Message-ID: <9AB0E2A9-170E-4A90-80C8-A94EE6BC99FF@iki.fi>

> On 29 Jun 2016, at 00:49, Timo Sirainen wrote:
>
> On 27 Jun 2016, at 15:46, Peter Mogensen wrote:
>>
>> Hi,
>>
>> For the upcoming 2.3 development, I'd like to re-suggest this:
>>
>> It seems the use of login_trusted_networks is overloaded.
>>
>> Example:
>> * It's used for indicating which hosts you trust to provide XCLIENT remote IP's. (like a proxy)
>> * It's used for indicating from which hosts you trust logins enough to disable auth penalty. (like in a webmail)
>>
>> Often these two use cases have a different set of hosts.
>>
>> So you can't have one set of hosts which you trust for XCLIENT and another set of hosts you trust for not being the origin of brute force attacks.
>
> Hmm. I guess it's possible nowadays to remove that. The old behavior could still be configured by adding a passdb that enables nodelay=yes for the webmail's IP. For example:
>
> passdb {
>   driver = passwd-file
>   args = username_format=%{lip} /etc/dovecot/passdb

%{rip} I meant.

> }
>
> 127.0.0.1:::::::nodelay=yes

So this could be e.g. 192.168.10.123 or something.

>
> So I'm thinking v2.3 could no longer send the no-penalty parameter at all based on login_trusted_networks.
>
> Also related: Dovecot's auth penalty support isn't especially good. There's now support for http://wiki2.dovecot.org/Authentication/Policy that can talk to https://github.com/PowerDNS/weakforced to provide much better possibilities for implementing auth penalty rules and especially cluster-wide.

From hs at schlittermann.de Tue Jun 28 21:53:21 2016
From: hs at schlittermann.de (Heiko Schlittermann)
Date: Tue, 28 Jun 2016 23:53:21 +0200
Subject: dsync unstable? (other strange detail)
In-Reply-To: <947D9C4B-CC88-4763-8F74-0D13FA169B73@iki.fi>
References: <20160627052859.GQ7131@jumper.schlittermann.de> <947D9C4B-CC88-4763-8F74-0D13FA169B73@iki.fi>
Message-ID: <20160628215321.GA7131@jumper.schlittermann.de>

Hi,

Timo Sirainen (Di 28 Jun 2016 23:30:38 CEST):
> >
> > On successive runs of the above command I get:
> >
> > dsync(heiko): Warning: Deleting mailbox 'Serververwaltung.Mailinglisten Anforderung': UID=16 GUID= is missing locally
>
> This means that on Dovecot side there are messages after UID=16, but either:
> a) UID=16 was expunged from Dovecot side or

On the dovecot side nobody is accessing the mail system.

> b) UID=16 suddenly appeared on Cyrus side even though it wasn't there earlier. This isn't allowed by IMAP standard.

Hm, this seems to be a possible reason.
So, successive numbers?

It seems to happen mostly on huuge mailboxes.

--
Heiko

From p at sys4.de Tue Jun 28 21:54:30 2016
From: p at sys4.de (Patrick Ben Koetter)
Date: Tue, 28 Jun 2016 23:54:30 +0200
Subject: Disabling passdb pam in local.conf
In-Reply-To:
References: <20160620200344.GK31639@sys4.de> <20160622064621.381ada63@pixie.lan> <20160622060946.GB1552@sys4.de> <20160622064804.GC4589@sys4.de>
Message-ID: <20160628215430.GA30521@sys4.de>

* Timo Sirainen:
> Hmm. If you want to just kludge it, I guess you could do a 00-auth.conf:
>
> passdb {
>   driver = whatever you want for your real passdb
>   args = etc
>   result_failure = return
>   result_internalfail = return
> }
>
> So even though pam is still in the config, it's just never actually called.

I played with the idea to set result_failure and result_internalfail to pass it all through, too. But then things started to get nasty and I took the long road and began to edit more than local.conf.

But thanks for taking the time to review and rethink this.

p at rick

--
[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
Registered office: München, District Court München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein

From tss at iki.fi Tue Jun 28 22:00:11 2016
From: tss at iki.fi (Timo Sirainen)
Date: Wed, 29 Jun 2016 01:00:11 +0300
Subject: dsync unstable? (other strange detail)
In-Reply-To: <20160628215321.GA7131@jumper.schlittermann.de>
References: <20160627052859.GQ7131@jumper.schlittermann.de> <947D9C4B-CC88-4763-8F74-0D13FA169B73@iki.fi> <20160628215321.GA7131@jumper.schlittermann.de>
Message-ID:

On 29 Jun 2016, at 00:53, Heiko Schlittermann wrote:
>
> Hi,
> Timo Sirainen (Di 28 Jun 2016 23:30:38 CEST):
>>>
>>> On successive runs of the above command I get:
>>>
>>> dsync(heiko): Warning: Deleting mailbox 'Serververwaltung.Mailinglisten Anforderung': UID=16 GUID= is missing locally
>>
>> This means that on Dovecot side there are messages after UID=16, but either:
>> a) UID=16 was expunged from Dovecot side or
>
> On the dovecot side nobody is accessing the mail system.
>
>> b) UID=16 suddenly appeared on Cyrus side even though it wasn't there earlier. This isn't allowed by IMAP standard.
>
> Hm, this seems to be a possible reason.
> So, successive numbers?
>
> It seems to happen mostly on huuge mailboxes.

It's still strange if Cyrus is doing that. It's generally a pretty well behaving IMAP server. What version is it?

From tss at iki.fi Tue Jun 28 22:02:51 2016
From: tss at iki.fi (Timo Sirainen)
Date: Wed, 29 Jun 2016 01:02:51 +0300
Subject: FTS search used / useful on an IMAP proxy?
In-Reply-To: <640BD919-7C32-41F7-B241-659298813725@lm-net.it>
References: <640BD919-7C32-41F7-B241-659298813725@lm-net.it>
Message-ID: <43F59F87-29D0-46DE-869B-D856E103ADF4@iki.fi>

On 28 Jun 2016, at 16:07, Luca Lesinigo wrote:
>
> We are preparing an IMAP proxy based on dovecot-2.2.22, basic proxy functionality is already working and I'm trying to understand if having the FTS service configured on the dovecot *proxy* would be of any use.
>
> I do suspect it would be useless, I guess dovecot in imap proxy mode just forwards any command to the backend and does not bother to do anything about it, but I'm failing to find a definitive answer in the documentation. If I am guessing correctly, an fts service would only be useful if configured and working on the actual backend.
>
> Can anyone clarify my doubts?

If you want to use doveadm fts optimize/rescan commands via doveadm proxy, you need to load fts plugin on the proxy to get the commands. But otherwise there's no reason for it.

From hs at schlittermann.de Tue Jun 28 22:13:29 2016
From: hs at schlittermann.de (Heiko Schlittermann)
Date: Wed, 29 Jun 2016 00:13:29 +0200
Subject: dsync unstable? (other strange detail)
In-Reply-To:
References: <20160627052859.GQ7131@jumper.schlittermann.de> <947D9C4B-CC88-4763-8F74-0D13FA169B73@iki.fi> <20160628215321.GA7131@jumper.schlittermann.de>
Message-ID: <20160628221329.GB7131@jumper.schlittermann.de>

Timo Sirainen (Mi 29 Jun 2016 00:00:11 CEST):
…
> >> b) UID=16 suddenly appeared on Cyrus side even though it wasn't there earlier. This isn't allowed by IMAP standard.
> It's still strange if Cyrus is doing that. It's generally a pretty well behaving IMAP server. What version is it?

* OK srvlx Cyrus IMAP4 v2.2.12 server ready

Maybe, did you read my previous post with a similar subject? There I had
an empty local destination and some nasty effects too.

In case it helps:

mail_location = maildir:~:INBOX=/volumes/dovecot/inbox/%2.256Nn/%n:INDEX=/volumes/dovecot/cache/%2.256Nn/%n

which leads to

/volumes/dovecot/{cache,home,inbox}//

is used for the maildir storage. As I'm writing this, I'm not sure, if I
really purged the /var/vmail/cache/ hierarchy. But home/ and inbox/
were clean as a baby.

The storage is imported via NFS. But the other backends (we're using a
director/backend setup) are switched off, to really be sure that we don't have concurrent access.

--
Heiko

From tss at iki.fi Tue Jun 28 22:20:05 2016
From: tss at iki.fi (Timo Sirainen)
Date: Wed, 29 Jun 2016 01:20:05 +0300
Subject: dsync unstable? (other strange detail)
In-Reply-To: <20160628221329.GB7131@jumper.schlittermann.de>
References: <20160627052859.GQ7131@jumper.schlittermann.de> <947D9C4B-CC88-4763-8F74-0D13FA169B73@iki.fi> <20160628215321.GA7131@jumper.schlittermann.de> <20160628221329.GB7131@jumper.schlittermann.de>
Message-ID:

On 29 Jun 2016, at 01:13, Heiko Schlittermann wrote:
>
> Timo Sirainen (Mi 29 Jun 2016 00:00:11 CEST):
> …
>>>> b) UID=16 suddenly appeared on Cyrus side even though it wasn't there earlier. This isn't allowed by IMAP standard.
>> It's still strange if Cyrus is doing that. It's generally a pretty well behaving IMAP server. What version is it?
>
> * OK srvlx Cyrus IMAP4 v2.2.12 server ready
>
> Maybe, did you read my previous post with a similar subject? There I had
> an empty local destination and some nasty effects too.

There was another mail with "highest than remote's UIDs" error. Do you mean that one? I don't see others. That's also kind of strange. Dovecot had seen mails that suddenly no longer existed on Cyrus side. It's as if you're syncing to two different Cyrus servers that are somewhat out of sync themselves. Is that possible?

> In case it helps:
>
> mail_location = maildir:~:INBOX=/volumes/dovecot/inbox/%2.256Nn/%n:INDEX=/volumes/dovecot/cache/%2.256Nn/%n
>
> which leads to
>
> /volumes/dovecot/{cache,home,inbox}//
>
> is used for the maildir storage. As I'm writing this, I'm not sure, if I
> really purged the /var/vmail/cache/ hierarchy. But home/ and inbox/
> were clean as a baby.
>
> The storage is imported via NFS. But the other backends (we're using a
> director/backend setup) are switched off, to really be sure that we don't have concurrent access.

An out-of-date index with Maildir shouldn't really matter since it should get automatically updated.

From hs at schlittermann.de Tue Jun 28 22:41:45 2016
From: hs at schlittermann.de (Heiko Schlittermann)
Date: Wed, 29 Jun 2016 00:41:45 +0200
Subject: dsync unstable? (other strange detail)
In-Reply-To:
References: <20160627052859.GQ7131@jumper.schlittermann.de> <947D9C4B-CC88-4763-8F74-0D13FA169B73@iki.fi> <20160628215321.GA7131@jumper.schlittermann.de> <20160628221329.GB7131@jumper.schlittermann.de>
Message-ID: <20160628224145.GC7131@jumper.schlittermann.de>

Timo Sirainen (Mi 29 Jun 2016 00:20:05 CEST):
…
> > Maybe, did you read my previous post with a similar subject? There I had
> > an empty local destination and some nasty effects too.
>
> There was another mail with "highest than remote's UIDs" error. Do you mean that one? I don't see others. That's also kind of strange. Dovecot had seen mails that suddenly no longer existed on Cyrus side. It's as if you're syncing to two different Cyrus servers that are somewhat out of sync themselves. Is that possible?

Yes,

dsync(heiko): Warning: Deleting mailbox 'Trash': UID=18290 already exists locally for a different mail: highest than remote's UIDs (remote UIDNEXT=19588)

This happened during a sync to an empty local destination.

The source (cyrus) is an active/passive cluster, the IP I'm connecting to should be on the same machine for the time the synchronisation runs. But I'll check this.

Thank you for responding… It gives me the hope that it *should* work. (Meanwhile I'm writing 'yet-another-imap2imap' sync tool, but using dsync would be the better choice, definitely)

Best regards from Dresden/Germany
Many greetings from Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -

From mfoley at ohprs.org Wed Jun 29 02:04:42 2016
From: mfoley at ohprs.org (Mark Foley)
Date: Tue, 28 Jun 2016 22:04:42 -0400
Subject: Looking for GSSAPI config [was: Looking for NTLM config example]
In-Reply-To: <28360759.5872.1467126370957@appsuite-dev.open-xchange.com>
References: <201606281417.u5SEHd2J003587@mail.hprs.local> <28360759.5872.1467126370957@appsuite-dev.open-xchange.com>
Message-ID: <201606290204.u5T24gRt009386@mail.hprs.local>

Aki, you wrote:

> Doh. Seems your dovecot isn't compiled with gssapi support? Can you compile it yourself?
>
> I'll try to check status of NTLM this week.

I'm OK with continuing to try gssapi, esp. if NTLM is restricted to v1. I do have the Dovecot sources and will peruse the possible options after I send this.

I am on version 2.2.15 and I see that the current downloadable version is 2.2.24. Should I upgrade? Do you think that would help? (a perusal of the changes since 2.2.15 shows nothing obvious related to gssapi)

--Mark

-----Original Message-----
> Date: Tue, 28 Jun 2016 18:06:10 +0300 (EEST)
> From: aki.tuomi at dovecot.fi
> To: dovecot at dovecot.org
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
>
> > On June 28, 2016 at 5:17 PM Mark Foley wrote:
> >
> >
> > Aki - made your suggested changes, but no joy :(
> >
> > My /etc/krb5.conf:
> >
> > ------SNIP--------
> > [libdefaults]
> >   default_realm = HPRS.LOCAL
> >   dns_lookup_realm = false
> >   dns_lookup_kdc = true
> >
> > [libdefaults]
> >   default_realm = HPRS.LOCAL
> >   dns_lookup_kdc = true
> >   kdc_timesync = 1
> >   ccache_type = 4
> >   forwardable = true
> >   proxiable = true
> >   fcc-mit-ticketflags = true
> >
> > [realms]
> >   HPRS.LOCAL = {
> >     default_domain = hprs.local
> >     auth_to_local_names = {
> >       Administrator = root
> >     }
> >   }
> >
> > [domain_realm]
> >   hprs.local = HPRS.LOCAL
> >   # this is not a mistake
> >   .hprs.local = HPRS.LOCAL
> > ------PINS-----------
> >
> > you wrote:
> > > You can remove the krb4_ stuff
> >
> > I've removed krb4_ stuff from the [libdefaults] and eliminated the [login] section altogether.
> > Question on [realms]Administrator: should that really be root or should it be my AD Administrator?
> >
> > my doveconf -n is exactly the same as posted below, but in particular:
> >
> > auth_krb5_keytab = /etc/krb5.keytab
> > auth_mechanisms = plain login gssapi
> >
> > When I reloaded dovecot no mail was delivered to anyone (even though everyone was still using
> > plain/ssl, no one yet configured for gssapi).
> >
> > In /var/log/maillog I got (repeatedly):
> >
> > Jun 28 09:43:36 mail dovecot: imap-login: Warning: Auth process not responding, delayed sending initial response (greeting): user=<>, rip=192.168.0.54, lip=192.168.0.2, session=
> > Jun 28 09:43:37 mail dovecot: auth: Fatal: Unknown authentication mechanism 'gssapi'
> > Jun 28 09:43:37 mail dovecot: master: Error: service(auth): command startup failed, throttling for 60 secs
> > Jun 28 09:43:37 mail dovecot: imap-login: Warning: Auth process not responding, delayed sending initial response (greeting): user=<>, rip=166.170.27.161, lip=98.102.63.107, TLS, session=
> >
> > This looks pretty bad right off. Why "Unknown authentication mechanism 'gssapi'"?
> >
> > Do you have any idea from the configs I've posted? I'm rather depressed about this. I thought I'd
> > finally be able to get AD authentication going for Dovecot. Not ready to give up though!
> >
> > Suggestions?
> >
> > THX -- Mark
> >
> > -----original Message-----
> > > Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
> > > To: dovecot at dovecot.org
> > > From: Aki Tuomi
> > > Date: Tue, 28 Jun 2016 15:13:11 +0300
> > >
> > > On 28.06.2016 09:27, Mark Foley wrote:
> > > > Aki,
> > > >
> > > > To review your 5 points:
> > > >
> > > > On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi wrote:
> > > >
> > > >> 1. Functional AD or Kerberos environment
> > > >> 2. Time synced against your KDC (which is your Domain Controller on Windows)
> > > >> 3. /etc/krb5.conf configured
> > > >> 4. Both forward / reverse DNS names correct for clients and servers.
> > > >> Reverse is only mandatory for servers, but having them right will work
> > > >> wonders. Most kerberos problems are about DNS problems.
> > > >> 5. You need a keytab. This keytab needs to hold entries like
> > > >> IMAP/your.host.name at REALM and IMAP/$HOSTNAME at REALM. You can generate
> > > >> these on any Windows DC server (at least).
> > > > I believe I am good on 1,2 and 4. I downloaded and installed kerberos and tested it with kinit
> > > > and klist according to the instructions at
> > > > https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos
> > > >
> > > > As to the keytab (#5) I did the following:
> > > >
> > > > $ samba-tool domain exportkeytab /etc/krb5.keytab
> > > >
> > > > which created the file. I made this owned and readable by group dovecot, per instructions at
> > > > http://wiki2.dovecot.org/Authentication/Kerberos. Running `klist -k /etc/krb5.keytab` shows me
> > > > configuration listing all the users and computers in the domain, mostly in triplicate. A
> > > > partial list:
> > > >
> > > > Keytab name: FILE:/etc/krb5.keytab
> > > > KVNO Principal
> > > > ---- --------------------------------------------------------------------------
> > > >   18 COMMON$@HPRS.LOCAL
> > > >   18 COMMON$@HPRS.LOCAL
> > > >   18 COMMON$@HPRS.LOCAL
> > > >    1 MAIL$@HPRS.LOCAL
> > > >    1 MAIL$@HPRS.LOCAL
> > > >    1 MAIL$@HPRS.LOCAL
> > > >    1 charmaine at HPRS.LOCAL
> > > >    1 charmaine at HPRS.LOCAL
> > > >    1 charmaine at HPRS.LOCAL
> > > >
> > > > where COMMON and MAIL are hosts and charmaine is a user. I don't really understand the listing,
> > > > but am assuming it is OK.
> > >
> > > Strange that you do not have any host/ entries. Maybe it works without.
> > >
> > > >> setspn -q is helpful here, also setspn command in general.
> > > > I have no such command in my system. Is that a Windows thing?
> > > >
> > >
> > > Yes, but you can do those kind of things in Samba too.
> > >
> > > > As to the /etc/krb5.conf, the default one generated by samba is:
> > > >
> > > > [libdefaults]
> > > >   default_realm = HPRS.LOCAL
> > > >   dns_lookup_realm = false
> > > >   dns_lookup_kdc = true
> > > >
> > > > I'd like to modify that to your suggestions, but I need more help. You have (with my questions):
> > > >
> > > >> Here is a *SAMPLE* configuration:
> > > >>
> > > >> [libdefaults]
> > > >> default_realm = YOUR.REALM
> > > >> dns_lookup_kdc = true
> > > >> krb4_config = /etc/krb.conf
> > > >> krb4_realms = /etc/krb.realms
> > > > Here, you have krb4_*. Do you mean that? My config file is krb5.conf. Should I rather have:
> > >
> > > You can remove the krb4_ stuff
> > >
> > > > krb5_config = /etc/krb5.conf
> > > >
> > > > Also, I have no /etc/krb*.realms file. Do I need this? If so, what should be in there?
> > > You don't necessarily require that.
> > > > > > >> kdc_timesync = 1 > > > >> ccache_type = 4 > > > >> forwardable = true > > > >> proxiable = true > > > >> fcc-mit-ticketflags = true > > > >> > > > >> [realms] > > > >> YOUR.REALM = { > > > >> default_domain = your.domain.name > > > >> auth_to_local_names = { > > > >> Administrator = root > > > >> } > > > >> } > > > > I suppose my "YOUR.REALM" is HPRS.LOCAL, right? Is my "your.domain.name" my FQDN for my AD > > > > server: mail.hprs.local, or is it just hprs.local? (or something else!) > > > > > > HPRS.LOCAL is your REALM, hprs.local is your domain name. > > > > > > > >> [domain_realm] > > > >> your.domain.name = YOUR.REALM > > > >> # this is not a mistake > > > >> .your.domain.name = YOUR.REALM > > > >> [login] > > > >> krb4_convert = true > > > >> krb4_get_tickets = false > > > > Likewise here a question on the whole krb4 versus krb5 thing. > > > > > > > > Your closing comment: > > > > > > > >> Also, note that kerberos can only act as AUTHENTICATION system. It > > > >> cannot act as USER DATABASE. For that you need to configure LDAP or > > > >> something else. With Active Directory LDAP is probably a damn good idea. > > > > I have the following doveconf -n: > > > > > > > > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf > > > > # OS: Linux 3.10.17 x86_64 Slackware 14.1 > > > > auth_debug_passwords = yes > > > > auth_krb5_keytab = /etc/krb5.keytab > > > > auth_mechanisms = plain login gssapi > > > > auth_verbose = yes > > > > auth_verbose_passwords = plain > > > > disable_plaintext_auth = no > > > > info_log_path = /var/log/dovecot_info > > > > mail_location = maildir:~/Maildir > > > > passdb { > > > > driver = shadow > > > > } > > > > protocols = imap > > > > ssl_cert = > > > ssl_key = > > > userdb { > > > > driver = passwd > > > > } > > > > verbose_ssl = yes > > > > > > > > I assume the passwd driver for the userdb is OK? 
Seems to me it should work with gssapi, but in > > > > any case I still have all but this test workstation NOT using gssapi, so I still need to > > > > accomodate them. > > > > > > > > Thanks, --Mark > > > passwd driver is fine, yes, if you ensure that users can be found. > > > > > > Aki > > > > > Doh. Seems your dovecot isn't compiled with gssapi support? Can you compile it yourself? > > I'll try to check status of NTLM this week. > > Aki > From mfoley at ohprs.org Wed Jun 29 03:32:37 2016 
From: mfoley at ohprs.org (Mark Foley)
Date: Tue, 28 Jun 2016 23:32:37 -0400
Subject: Looking for GSSAPI config [was: Looking for NTLM config example]
In-Reply-To: <201606290204.u5T24gRt009386@mail.hprs.local>
References: <201606281417.u5SEHd2J003587@mail.hprs.local> <28360759.5872.1467126370957@appsuite-dev.open-xchange.com> <201606290204.u5T24gRt009386@mail.hprs.local>
Message-ID: <201606290332.u5T3Wb6l027033@mail.hprs.local>

Aki - partial success! I rebuilt my dovecot with ./config --with-gssapi, and restarted. Now I
don't get that "Unknown authentication mechanism 'gssapi'" message in maillog, and mail is
delivered successfully to the other domain users having PLAIN authentication. That's a big
step. In examining my original config.log output I apparently did not have --with-gssapi enabled.

HOWEVER - the Thunderbird client configured for 'Kerberos / GSSAPI' still cannot correctly
authenticate and retrieve mail. Here is the dovecot log for that host:

Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Jun 28 22:44:05 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Jun 28 22:44:05 auth: Debug: Read auth token secret from /usr/local/var/run/dovecot/auth-token-secret.dat
Jun 28 22:44:05 auth: Debug: auth client connected (pid=24076)
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read certificate verify A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read finished A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write session ticket A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write finished A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [192.168.0.58]
Jun 28 22:44:11 imap-login: Debug: SSL alert: close notify [192.168.0.58]
Jun 28 22:44:11 imap-login: Debug: SSL alert: close notify [192.168.0.58]
Jun 28 22:44:11 imap-login: Info: Disconnected (no auth attempts in 6 secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, TLS, session=

Does this tell you anything? `doveconf -n` and krb5.conf are configured as shown in previous
messages below.

Closer! --Mark

-----Original Message-----
From: Mark Foley
Date: Tue, 28 Jun 2016 22:04:42 -0400
To: dovecot at dovecot.org
Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]

Aki, you wrote:

> Doh. Seems your dovecot isn't compiled with gssapi support? Can you compile it yourself?
>
> I'll try to check status of NTLM this week.

I'm OK with continuing to try gssapi, esp. if NTLM is restricted to v1.

I do have the Dovecot sources and will peruse the possible options after I send this. I am on
version 2.2.15 and I see that the current downloadable version is 2.2.24. Should I upgrade? Do
you think that would help? (a perusal of the changes since 2.2.15 shows nothing obvious
related to gssapi)

--Mark

-----Original Message-----
> Date: Tue, 28 Jun 2016 18:06:10 +0300 (EEST)
> From: aki.tuomi at dovecot.fi
> To: dovecot at dovecot.org
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
>
> > On June 28, 2016 at 5:17 PM Mark Foley wrote:
> >
> >
> > Aki - made your suggested changes, but no joy :(
> >
> > My /etc/krb5.conf:
> >
> > ------SNIP--------
> > [libdefaults]
> > default_realm = HPRS.LOCAL
> > dns_lookup_realm = false
> > dns_lookup_kdc = true
> >
> > [libdefaults]
> > default_realm = HPRS.LOCAL
> > dns_lookup_kdc = true
> > kdc_timesync = 1
> > ccache_type = 4
> > forwardable = true
> > proxiable = true
> > fcc-mit-ticketflags = true
> >
> > [realms]
> > HPRS.LOCAL = {
> >     default_domain = hprs.local
> >     auth_to_local_names = {
> >         Administrator = root
> >     }
> > }
> >
> > [domain_realm]
> > hprs.local = HPRS.LOCAL
> > # this is not a mistake
> > .hprs.local = HPRS.LOCAL
> > ------PINS-----------
> >
> > you wrote:
> > > You can remove the krb4_ stuff
> >
> > I've removed krb4_ stuff from the [libdefaults] and eliminated the [login] section altogether.
> > Question on [realms]Administrator: should that really be root or should it be my AD Administrator?
> >
> > my doveconf -n is exactly the same as posted below, but in particular:
> >
> > auth_krb5_keytab = /etc/krb5.keytab
> > auth_mechanisms = plain login gssapi
> >
> > When I reloaded dovecot no mail was delivered to anyone (even though everyone was still using
> > plain/ssl, no one yet configured for gssapi).
> >
> > In /var/log/maillog I got (repeatedly):
> >
> > Jun 28 09:43:36 mail dovecot: imap-login: Warning: Auth process not responding, delayed sending initial response (greeting): user=<>, rip=192.168.0.54, lip=192.168.0.2, session=
> > Jun 28 09:43:37 mail dovecot: auth: Fatal: Unknown authentication mechanism 'gssapi'
> > Jun 28 09:43:37 mail dovecot: master: Error: service(auth): command startup failed, throttling for 60 secs
> > Jun 28 09:43:37 mail dovecot: imap-login: Warning: Auth process not responding, delayed sending initial response (greeting): user=<>, rip=166.170.27.161, lip=98.102.63.107, TLS, session=
> >
> > This looks pretty bad right off. Why "Unknown authentication mechanism 'gssapi'"?
> >
> > Do you have any idea from the configs I've posted? I'm rather depressed about this. I thought I'd
> > finally able to get AD authentication going for Dovecot. Not ready to give up though!
> >
> > Suggestions?
> >
> > THX -- Mark
>
> Doh. Seems your dovecot isn't compiled with gssapi support? Can you compile it yourself?
>
> I'll try to check status of NTLM this week.
>
> Aki
>
From edgar at pettijohn-web.com Wed Jun 29 03:52:25 2016
From: edgar at pettijohn-web.com (Edgar Pettijohn)
Date: Tue, 28 Jun 2016 22:52:25 -0500
Subject: Looking for GSSAPI config [was: Looking for NTLM config example]
In-Reply-To: <201606290332.u5T3Wb6l027033@mail.hprs.local>
References: <201606281417.u5SEHd2J003587@mail.hprs.local> <28360759.5872.1467126370957@appsuite-dev.open-xchange.com> <201606290204.u5T24gRt009386@mail.hprs.local> <201606290332.u5T3Wb6l027033@mail.hprs.local>
Message-ID:

> On Jun 28, 2016, at 10:32 PM, Mark Foley wrote:
>
> Aki - partial success! I rebuilt my dovecot with ./config --with-gssapi, and restarted. Now I
> don't get that "Unknown authentication mechanism 'gssapi'" message in maillog, and mail is
> delivered successfully to the other domain users having PLAIN authentication. That's a big
> step. In examining my original config.log output I apparently did not have --with-gssapi enabled.
>
> HOWEVER - the Thunderbird client configured for 'Kerberos / GSSAPI' still cannot correctly
> authenticate and retrieve mail. Here is the dovecot log for that host:
>

What does thunderbird tell you?

From skdovecot at smail.inf.fh-brs.de Wed Jun 29 06:19:32 2016
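Point 5 of the checklist quoted in the thread above (a keytab holding an IMAP/host entry) can be checked mechanically against `klist -k` output. This is an added example, not part of any message in the thread: it reports whether the service principal is present and lists every other principal whose key sits in the file. The host name `mail.hprs.local` comes from the thread; the two sample listings, the `/etc/dovecot/imap.keytab` path and the case-insensitive match on the service/host part are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the `klist -k` listing quoted in the thread.
THREAD_STYLE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  18 COMMON$@HPRS.LOCAL
  18 COMMON$@HPRS.LOCAL
  18 COMMON$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
   1 charmaine@HPRS.LOCAL
   1 charmaine@HPRS.LOCAL
   1 charmaine@HPRS.LOCAL
"""

# Constructed sample: a keytab that holds only the mail service entry,
# listed in `klist -ke` style (one line per key, enctype in parentheses).
DEDICATED = """\
Keytab name: FILE:/etc/dovecot/imap.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 imap/mail.hprs.local@HPRS.LOCAL (aes256-cts-hmac-sha1-96)
   2 imap/mail.hprs.local@HPRS.LOCAL (arcfour-hmac)
"""

# kvno, optional "-t" timestamp, principal, optional "-e" enctype
ENTRY = re.compile(
    r"^\s*(?P<kvno>\d+)\s+"
    r"(?:\d{2}/\d{2}/\d{2,4}\s+\d{2}:\d{2}:\d{2}\s+)?"
    r"(?P<principal>\S+@\S+)"
    r"(?:\s+\((?P<enctype>[^)]*)\))?\s*$"
)


def parse_klist(listing):
    """Return {principal: {"kvnos": set, "keys": int}} from `klist -k` text."""
    entries = defaultdict(lambda: {"kvnos": set(), "keys": 0})
    for line in listing.splitlines():
        match = ENTRY.match(line)
        if not match:
            continue  # header, ruler or blank line
        entry = entries[match.group("principal")]
        entry["kvnos"].add(int(match.group("kvno")))
        entry["keys"] += 1  # one line per stored key, normally one per enctype
    return dict(entries)


def classify(principal):
    """Rough principal type, judged by the part before the realm."""
    name = principal.rsplit("@", 1)[0]
    if "/" in name:
        return "service"
    if name.endswith("$"):
        return "machine account"
    return "user"


def audit_keytab(listing, service, host, realm):
    """Check for service/host@realm and list every other principal found."""
    wanted = f"{service}/{host}".lower()  # assumption: compare case-insensitively
    present, others = False, []
    for principal in sorted(parse_klist(listing)):
        name, _, principal_realm = principal.rpartition("@")
        if principal_realm == realm and name.lower() == wanted:
            present = True
        else:
            others.append((principal, classify(principal)))
    return {"service_principal_present": present, "other_principals": others}


if __name__ == "__main__":
    for label, text in (("thread-style", THREAD_STYLE), ("dedicated", DEDICATED)):
        print(label, audit_keytab(text, "imap", "mail.hprs.local", "HPRS.LOCAL"))
```

A keytab holds long-term keys, so a domain-wide export that is group-readable by the mail service exposes the key of every account listed in it; `samba-tool domain exportkeytab` accepts `--principal=` to export a single entry instead.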
From: skdovecot at smail.inf.fh-brs.de (Steffen Kaiser)
Date: Wed, 29 Jun 2016 08:19:32 +0200 (CEST)
Subject: [Solved] Re: exempt local auth-client UNIX socket from failed login penalty // add to login_trusted_networks ?
In-Reply-To:
References:
Message-ID:

On Wed, 29 Jun 2016, Timo Sirainen wrote:
> On 24 Jun 2016, at 13:33, Steffen Kaiser wrote:
>>
>> I'm using Dovecot v2.2 with unix_listener auth-client {
>> } to verify passwords for a different service. However, it looks like that auth_failure_delay affects all connects going through that socket.
>>
>> I mean:
>>
>> connect /var/run/dovecot2.2/auth-client
>> attempt bad auth
>> 2s penalty
>> NO
>> disconnect
>> ==> Note, it's another connection almost immediately following each
>> connect /var/run/dovecot2.2/auth-client
>> attempt good auth
>> 2s penalty
>> OK
>> disconnect
>>
>> Can I disable auth_failure_delay for local UNIX sockets?
>> How do I add it to login_trusted_networks?
>
> If you add no-penalty parameter to the AUTH command you avoid the penalty.

Oh, I missed the doc, when I grepped for "penalty" in the source tree. For the archive, it's documented in the wiki Design/AuthProtocol.

It seems to work like a charm. Thank you.

--
Steffen Kaiser
From bvr at dds.nl Wed Jun 29 08:07:46 2016
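The fix described in the message above, as an added example that is not part of the thread: a minimal client for the auth-client UNIX socket that sends `no-penalty` with its AUTH request. The TAB-separated line layout follows the wiki page Design/AuthProtocol named in the post as understood here and should be checked against it; the function names are hypothetical, and the socket path is the one from the post.

```python
import base64
import os
import socket

# Socket path taken from the post; adjust to your unix_listener auth-client.
AUTH_SOCKET = "/var/run/dovecot2.2/auth-client"


def build_auth_request(req_id, user, password, service, no_penalty=True):
    """Build one AUTH line for SASL PLAIN.

    Assumed layout (Design/AuthProtocol), TAB-separated:
    AUTH <id> <mechanism> service=<name> [parameters] resp=<base64>
    """
    if any(c in service for c in "\t\r\n"):
        raise ValueError("service name would break the TAB/LF framing")
    if "\0" in user or "\0" in password:
        raise ValueError("NUL would break SASL PLAIN framing")
    # SASL PLAIN initial response: authzid NUL authcid NUL password
    resp = base64.b64encode(f"\0{user}\0{password}".encode("utf-8")).decode("ascii")
    fields = ["AUTH", str(req_id), "PLAIN", f"service={service}"]
    if no_penalty:
        fields.append("no-penalty")  # the parameter named in the reply above
    fields.append(f"resp={resp}")    # kept last: nothing may follow resp=
    return "\t".join(fields) + "\n"


def parse_reply(line):
    """Split an OK / FAIL / CONT reply into (status, request id, params)."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) < 2 or parts[0] not in ("OK", "FAIL", "CONT"):
        raise ValueError(f"unexpected reply: {line!r}")
    status, req_id = parts[0], int(parts[1])
    if status == "CONT":
        return status, req_id, {"data": parts[2] if len(parts) > 2 else ""}
    params = {}
    for item in parts[2:]:
        key, _, value = item.partition("=")
        params[key] = value
    return status, req_id, params


def verify_password(sock, user, password, service, no_penalty=True):
    """Run the handshake and one AUTH request on a connected socket."""
    reader = sock.makefile("r", encoding="utf-8", newline="\n")
    sock.sendall(f"VERSION\t1\t1\nCPID\t{os.getpid()}\n".encode("ascii"))
    mechanisms = set()
    for line in reader:
        fields = line.rstrip("\n").split("\t")
        if fields[0] == "VERSION" and fields[1:2] != ["1"]:
            raise RuntimeError("unsupported auth protocol major version")
        if fields[0] == "MECH" and len(fields) > 1:
            mechanisms.add(fields[1])
        if fields[0] == "DONE":
            break
    else:
        raise ConnectionError("socket closed during handshake")
    if "PLAIN" not in mechanisms:
        raise RuntimeError("server does not offer PLAIN")
    request = build_auth_request(1, user, password, service, no_penalty)
    sock.sendall(request.encode("utf-8"))
    reply = reader.readline()
    if not reply:
        raise ConnectionError("socket closed before the auth reply")
    status, req_id, _params = parse_reply(reply)
    return status == "OK" and req_id == 1


def check_login(user, password, service):
    """Connect to the local auth-client socket and verify one password."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.settimeout(10)
        sock.connect(AUTH_SOCKET)
        return verify_password(sock, user, password, service)
```

Requests sent with `no-penalty` skip the delay discussed in the thread, so the service calling this socket has to throttle failed logins itself.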
From: bvr at dds.nl (bvr)
Date: Wed, 29 Jun 2016 10:07:46 +0200
Subject: chroot: Error: Temp file creation to /tmp
In-Reply-To:
References: <77650433-522c-800b-7fea-793e430ce507@somewhere.in.the-netherlands.eu>
Message-ID: <9e8922c3-d891-0d9a-48dc-64e894cc47ff@somewhere.in.the-netherlands.eu>

On 28-06-16 23:17, Timo Sirainen wrote:
> On 28 Jun 2016, at 10:55, bvr wrote:
>>
>>
>> Hello,
>>
>> We are using dovecot (2.2.10) and it's working great! When I enable chrooting by appending /./ to the homedirs I'm getting errors like this:
>>
>> mail1 dovecot[47074]: imap(user): Error: Temp file creation to /tmp/dovecot.imap.mail1.70079. failed: No such file or directory
>>
>> On the surface everything seems to be working fine and I have not been able to produce the error myself.
>
> Sometimes Dovecot wants to create temporary files to avoid excessive memory usage. If it can't create the temp file it'll just keep the temporary data in memory. You can control the temporary file location with mail_temp_dir setting. But maybe the nicest solution would be to just create tmp/ directory to everybody's home dir? I guess Dovecot could do this also automatically if it has permissions, but I'm not entirely sure if that's a good idea.
>

So you are saying it is expected behaviour for Dovecot to use mail_temp_dir within the mail_chroot? That makes sense but it surprises me there are so few results when I google the error message.

Since we are using Maildir I suppose I could simply use mail_temp_dir=/Maildir/tmp

Thanks,

bvr.
From bernhard.westenhoefer at particip.de Wed Jun 29 08:38:01 2016
From: bernhard.westenhoefer at particip.de (Bernhard Westenhöfer)
Date: Wed, 29 Jun 2016 10:38:01 +0200
Subject: doveadm import from backup of public namespace
Message-ID:

Hello,

we are creating backups of our public folders with following command:

/usr/bin/doveadm -o mail=mdbox:/home/vmail/public backup "mdbox:/var/local/backup/dovecot/public"

With doveadm we can search/extract mails like that:

doveadm -D -o plugin/acl="" -o mail=mdbox:/var/local/backup/dovecot/public search mailbox INBOX.projects.implementation.55-0004-000-IT.Server.Mailsystem.imap all
....
doveadm(bwe): Debug: Effective uid=0, gid=0, home=/root
doveadm(bwe): Debug: acl: No acl setting - ACLs are disabled
doveadm(bwe): Debug: Namespace inbox: type=private, prefix=INBOX., sep=., inbox=yes, hidden=no, list=yes, subscriptions=yes location=mdbox:/var/local/backup/dovecot/public
doveadm(bwe): Debug: fs: root=/var/local/backup/dovecot/public, index=, indexpvt=, control=, inbox=, alt=
doveadm(bwe): Debug: Namespace : type=public, prefix=Public., sep=., inbox=no, hidden=no, list=yes, subscriptions=yes location=mdbox:/home/vmail/public
doveadm(bwe): Debug: fs: root=/home/vmail/public, index=, indexpvt=, control=, inbox=, alt=
doveadm(bwe): Debug: Namespace : type=public, prefix=Archive., sep=., inbox=no, hidden=no, list=yes, subscriptions=yes location=mdbox:/home/vmail/archive
doveadm(bwe): Debug: fs: root=/home/vmail/archive, index=, indexpvt=, control=, inbox=, alt=
doveadm(bwe): Debug: Namespace : type=private, prefix=, sep=, inbox=no, hidden=yes, list=no, subscriptions=no location=fail::LAYOUT=none
doveadm(bwe): Debug: none: root=, index=, indexpvt=, control=, inbox=, alt=
12a155041b825d57c7150000d77ca1d0 2
12a155041b825d57c7150000d77ca1d0 3
12a155041b825d57c7150000d77ca1d0 4

When trying to import mails from those backups we can find no way to address the public folder to import from:

doveadm -D -o plugin/acl="" import -u bwe mdbox:/var/local/backup/dovecot/public restore Mailbox projects.implementation.55-0004-000-IT.Server.Mailsystem.imap all
doveadm -D -o plugin/acl="" import -u bwe mdbox:/var/local/backup/dovecot/public restore mailbox INBOX.projects.implementation.55-0004-000-IT.Server.Mailsystem.imap all
doveadm -D -o plugin/acl="" import -u bwe mdbox:/var/local/backup/dovecot/public restore mailbox Public.projects.implementation.55-0004-000-IT.Server.Mailsystem.imap all

nothing happens, we just get:

doveadm(bwe): Debug: Effective uid=0, gid=0, home=/root
doveadm(bwe): Debug: acl: No acl setting - ACLs are disabled
doveadm(bwe): Debug: fs: root=/var/local/backup/dovecot/public, index=, indexpvt=, control=, inbox=, alt=
doveadm(bwe): Debug: Added userdb setting: mail=mdbox:~/mdbox
doveadm(bwe): Debug: Added userdb setting: plugin/master_user=bwe
doveadm(bwe): Debug: Effective uid=2000, gid=2000, home=/home/vmail/bwe
doveadm(bwe): Debug: acl: No acl setting - ACLs are disabled
doveadm(bwe): Debug: Namespace inbox: type=private, prefix=INBOX., sep=., inbox=yes, hidden=no, list=yes, subscriptions=yes location=mdbox:~/mdbox
doveadm(bwe): Debug: fs: root=/home/vmail/bwe/mdbox, index=, indexpvt=, control=, inbox=, alt=
doveadm(bwe): Debug: Namespace : type=public, prefix=Public., sep=., inbox=no, hidden=no, list=yes, subscriptions=yes location=mdbox:/home/vmail/public
doveadm(bwe): Debug: fs: root=/home/vmail/public, index=, indexpvt=, control=, inbox=, alt=
doveadm(bwe): Debug: Namespace : type=public, prefix=Archive., sep=., inbox=no, hidden=no, list=yes, subscriptions=yes location=mdbox:/home/vmail/archive
doveadm(bwe): Debug: fs: root=/home/vmail/archive, index=, indexpvt=, control=, inbox=, alt=
doveadm(bwe): Debug: Namespace : type=private, prefix=, sep=, inbox=no, hidden=yes, list=no, subscriptions=no location=fail::LAYOUT=none
doveadm(bwe): Debug: none: root=, index=, indexpvt=, control=, inbox=, alt=

How can mails from those backups be restored or how do we have to address the mailbox in this case?

Bernhard From zedd at list.ru Wed Jun 29 10:06:45 2016 From: zedd at list.ru (=?UTF-8?B?0J3QuNC60L7Qu9Cw0Lkg0JzQsNC90LDQvdC60L7Qsg==?=) Date: Wed, 29 Jun 2016 13:06:45 +0300 Subject: =?UTF-8?B?RXh0ZXJuYWwgbWFpbCBhdHRhY2htZW50cyBzdG9yYWdlIGNsZWFudXA=?= In-Reply-To: <62CD13D3-8AC6-4208-A732-B885B6BD58BC@iki.fi> References: <1467033075.442360294@f328.i.mail.ru> <62CD13D3-8AC6-4208-A732-B885B6BD58BC@iki.fi> Message-ID: <1467194805.199187901@f292.i.mail.ru> Hi! Thanks it worked! But only when I have a specific user instead wldcard (i mean -u *@example.org). Now I think I need to write a script that searches for users in the domain , and starts each of them this command . And apparently it is necessary to add to the cron job.. From bpk678 at gmail.com Wed Jun 29 12:03:14 2016 
From: bpk678 at gmail.com (brendan kearney)
Date: Wed, 29 Jun 2016 08:03:14 -0400
Subject: Looking for GSSAPI config [was: Looking for NTLM config example]
In-Reply-To: <201606290332.u5T3Wb6l027033@mail.hprs.local>
References: <201606281417.u5SEHd2J003587@mail.hprs.local> <28360759.5872.1467126370957@appsuite-dev.open-xchange.com> <201606290204.u5T24gRt009386@mail.hprs.local> <201606290332.u5T3Wb6l027033@mail.hprs.local>
Message-ID:

The last log line shows "user=<>". This indicates no credentials were
presented. If the rip field matches the client ip you tested from, I would
bet the appropriate kerberos ticket (imap/host.domain.tld at REALM) was not
pulled for the authentication.
On Jun 28, 2016 11:33 PM, "Mark Foley" wrote:

> Aki - partial success! I rebuilt my dovecot with ./config --with-gssapi, and restarted. Now I
> don't get that "Unknown authentication mechanism 'gssapi'" message in maillog, and mail is
> delivered successfully to the other domain users having PLAIN authentication. That's a big
> step. In examining my original config.log output I apparently did not have --with-gssapi enabled.
>
> HOWEVER - the Thunderbird client configured for 'Kerberos / GSSAPI' still cannot correctly
> authenticate and retrieve mail. Here is the dovecot log for that host:
>
> Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> Jun 28 22:44:05 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
> Jun 28 22:44:05 auth: Debug: Read auth token secret from /usr/local/var/run/dovecot/auth-token-secret.dat
> Jun 28 22:44:05 auth: Debug: auth client connected (pid=24076)
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read certificate verify A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read finished A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write session ticket A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write finished A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [192.168.0.58]
> Jun 28 22:44:11 imap-login: Debug: SSL alert: close notify [192.168.0.58]
> Jun 28 22:44:11 imap-login: Debug: SSL alert: close notify [192.168.0.58]
> Jun 28 22:44:11 imap-login: Info: Disconnected (no auth attempts in 6 secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, TLS, session=
>
> Does this tell you anything? `doveconf -n` and krb5.conf are configured as shown in previous
> messages below.
>
> Closer! --Mark
>
> -----Original Message-----
> From: Mark Foley
> Date: Tue, 28 Jun 2016 22:04:42 -0400
> To: dovecot at dovecot.org
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
>
> Aki, you wrote:
>
> > Doh. Seems your dovecot isn't compiled with gssapi support? Can you compile it yourself?
> >
> > I'll try to check status of NTLM this week.
>
> I'm OK with continuing to try gssapi, esp. if NTLM is restricted to v1.
>
> I do have the Dovecot sources and will peruse the possible options after I send this. I am on
> version 2.2.15 and I see that the current downloadable version is 2.2.24. Should I upgrade? Do
> you think that would help? (a perusal of the changes since 2.2.15 shows nothing obvious
> related to gssapi)
>
> --Mark
>
> -----Original Message-----
> > Date: Tue, 28 Jun 2016 18:06:10 +0300 (EEST)
> > From: aki.tuomi at dovecot.fi
> > To: dovecot at dovecot.org
> > Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
> >
> > > On June 28, 2016 at 5:17 PM Mark Foley wrote:
> > >
> > >
> > > Aki - made your suggested changes, but no joy :(
> > >
> > > My /etc/krb5.conf:
> > >
> > > ------SNIP--------
> > > [libdefaults]
> > >     default_realm = HPRS.LOCAL
> > >     dns_lookup_realm = false
> > >     dns_lookup_kdc = true
> > >
> > > [libdefaults]
> > >     default_realm = HPRS.LOCAL
> > >     dns_lookup_kdc = true
> > >     kdc_timesync = 1
> > >     ccache_type = 4
> > >     forwardable = true
> > >     proxiable = true
> > >     fcc-mit-ticketflags = true
> > >
> > > [realms]
> > >     HPRS.LOCAL = {
> > >         default_domain = hprs.local
> > >         auth_to_local_names = {
> > >             Administrator = root
> > >         }
> > >     }
> > >
> > > [domain_realm]
> > >     hprs.local = HPRS.LOCAL
> > >     # this is not a mistake
> > >     .hprs.local = HPRS.LOCAL
> > > ------PINS-----------
> > >
> > > you wrote:
> > > > You can remove the krb4_ stuff
> > >
> > > I've removed krb4_ stuff from the [libdefaults] and eliminated the [login] section altogether.
> > > Question on [realms]Administrator: should that really be root or should it be my AD Administrator?
> > >
> > > my doveconf -n is exactly the same as posted below, but in particular:
> > >
> > > auth_krb5_keytab = /etc/krb5.keytab
> > > auth_mechanisms = plain login gssapi
> > >
> > > When I reloaded dovecot no mail was delivered to anyone (even though everyone was still using
> > > plain/ssl, no one yet configured for gssapi).
> > >
> > > In /var/log/maillog I got (repeatedly):
> > >
> > > Jun 28 09:43:36 mail dovecot: imap-login: Warning: Auth process not responding, delayed sending initial response (greeting): user=<>, rip=192.168.0.54, lip=192.168.0.2, session=
> > > Jun 28 09:43:37 mail dovecot: auth: Fatal: Unknown authentication mechanism 'gssapi'
> > > Jun 28 09:43:37 mail dovecot: master: Error: service(auth): command startup failed, throttling for 60 secs
> > > Jun 28 09:43:37 mail dovecot: imap-login: Warning: Auth process not responding, delayed sending initial response (greeting): user=<>, rip=166.170.27.161, lip=98.102.63.107, TLS, session=
> > >
> > > This looks pretty bad right off. Why "Unknown authentication mechanism 'gssapi'"?
> > >
> > > Do you have any idea from the configs I've posted? I'm rather depressed about this. I thought I'd
> > > finally be able to get AD authentication going for Dovecot. Not ready to give up though!
> > >
> > > Suggestions?
> > >
> > > THX -- Mark
> > >
> > > -----original Message-----
> > > > Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
> > > > To: dovecot at dovecot.org
> > > > From: Aki Tuomi
> > > > Date: Tue, 28 Jun 2016 15:13:11 +0300
> > > >
> > > > On 28.06.2016 09:27, Mark Foley wrote:
> > > > > Aki,
> > > > >
> > > > > To review your 5 points:
> > > > >
> > > > > On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi wrote:
> > > > >
> > > > >> 1. Functional AD or Kerberos environment
> > > > >> 2. Time synced against your KDC (which is your Domain Controller on Windows)
> > > > >> 3. /etc/krb5.conf configured
> > > > >> 4. Both forward / reverse DNS names correct for clients and servers.
> > > > >> Reverse is only mandatory for servers, but having them right will work
> > > > >> wonders. Most kerberos problems are about DNS problems.
> > > > >> 5. You need a keytab. This keytab needs to hold entries like
> > > > >> IMAP/your.host.name at REALM and IMAP/$HOSTNAME at REALM. You can generate
> > > > >> these on any Windows DC server (at least).
> > > > > I believe I am good on 1,2 and 4. I downloaded and installed kerberos and tested it with kinit
> > > > > and klist according to the instructions at
> > > > > https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos
> > > > >
> > > > > As to the keytab (#5) I did the following:
> > > > >
> > > > > $ samba-tool domain exportkeytab /etc/krb5.keytab
> > > > >
> > > > > which created the file. I made this owned and readable by group dovecot, per instructions at
> > > > > http://wiki2.dovecot.org/Authentication/Kerberos. Running `klist -k /etc/krb5.keytab` shows me
> > > > > configuration listing all the users and computers in the domain, mostly in triplicate. A
> > > > > partial list:
> > > > >
> > > > > Keytab name: FILE:/etc/krb5.keytab
> > > > > KVNO Principal
> > > > > ---- --------------------------------------------------------------------------
> > > > >   18 COMMON$@HPRS.LOCAL
> > > > >   18 COMMON$@HPRS.LOCAL
> > > > >   18 COMMON$@HPRS.LOCAL
> > > > >    1 MAIL$@HPRS.LOCAL
> > > > >    1 MAIL$@HPRS.LOCAL
> > > > >    1 MAIL$@HPRS.LOCAL
> > > > >    1 charmaine at HPRS.LOCAL
> > > > >    1 charmaine at HPRS.LOCAL
> > > > >    1 charmaine at HPRS.LOCAL
> > > > >
> > > > > where COMMON and MAIL are hosts and charmaine is a user. I don't really understand the listing,
> > > > > but am assuming it is OK.
> > > >
> > > > Strange that you do not have any host/ entries. Maybe it works without.
> > > >
> > > > >> setspn -q is helpful here, also setspn command in general.
> > > > > I have no such command in my system. Is that a Windows thing?
> > > > >
> > > >
> > > > Yes, but you can do those kind of things in Samba too.
> > > >
> > > > > As to the /etc/krb5.conf, the default one generated by samba is:
> > > > >
> > > > > [libdefaults]
> > > > >     default_realm = HPRS.LOCAL
> > > > >     dns_lookup_realm = false
> > > > >     dns_lookup_kdc = true
> > > > >
> > > > > I'd like to modify that to your suggestions, but I need more help. You have (with my questions):
> > > > >
> > > > >> Here is a *SAMPLE* configuration:
> > > > >>
> > > > >> [libdefaults]
> > > > >>     default_realm = YOUR.REALM
> > > > >>     dns_lookup_kdc = true
> > > > >>     krb4_config = /etc/krb.conf
> > > > >>     krb4_realms = /etc/krb.realms
> > > > > Here, you have krb4_*. Do you mean that? My config file is krb5.conf. Should I rather have:
> > > >
> > > > You can remove the krb4_ stuff
> > > >
> > > > > krb5_config = /etc/krb5.conf
> > > > >
> > > > > Also, I have no /etc/krb*.realms file. Do I need this? If so, what should be in there?
> > > > You don't necessarily require that.
> > > >
> > > > >>     kdc_timesync = 1
> > > > >>     ccache_type = 4
> > > > >>     forwardable = true
> > > > >>     proxiable = true
> > > > >>     fcc-mit-ticketflags = true
> > > > >>
> > > > >> [realms]
> > > > >>     YOUR.REALM = {
> > > > >>         default_domain = your.domain.name
> > > > >>         auth_to_local_names = {
> > > > >>             Administrator = root
> > > > >>         }
> > > > >>     }
> > > > > I suppose my "YOUR.REALM" is HPRS.LOCAL, right? Is my "your.domain.name" my FQDN for my AD
> > > > > server: mail.hprs.local, or is it just hprs.local? (or something else!)
> > > >
> > > > HPRS.LOCAL is your REALM, hprs.local is your domain name.
> > > > >
> > > > >> [domain_realm]
> > > > >>     your.domain.name = YOUR.REALM
> > > > >>     # this is not a mistake
> > > > >>     .your.domain.name = YOUR.REALM
> > > > >> [login]
> > > > >>     krb4_convert = true
> > > > >>     krb4_get_tickets = false
> > > > > Likewise here a question on the whole krb4 versus krb5 thing.
> > > > >
> > > > > Your closing comment:
> > > > >
> > > > >> Also, note that kerberos can only act as AUTHENTICATION system. It
> > > > >> cannot act as USER DATABASE. For that you need to configure LDAP or
> > > > >> something else. With Active Directory LDAP is probably a damn good idea.
> > > > > I have the following doveconf -n:
> > > > >
> > > > > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> > > > > # OS: Linux 3.10.17 x86_64 Slackware 14.1
> > > > > auth_debug_passwords = yes
> > > > > auth_krb5_keytab = /etc/krb5.keytab
> > > > > auth_mechanisms = plain login gssapi
> > > > > auth_verbose = yes
> > > > > auth_verbose_passwords = plain
> > > > > disable_plaintext_auth = no
> > > > > info_log_path = /var/log/dovecot_info
> > > > > mail_location = maildir:~/Maildir
> > > > > passdb {
> > > > >   driver = shadow
> > > > > }
> > > > > protocols = imap
> > > > > ssl_cert =
> > > > > ssl_key =
> > > > > userdb {
> > > > >   driver = passwd
> > > > > }
> > > > > verbose_ssl = yes
> > > > >
> > > > > I assume the passwd driver for the userdb is OK? Seems to me it should work with gssapi, but in
> > > > > any case I still have all but this test workstation NOT using gssapi, so I still need to
> > > > > accommodate them.
> > > > >
> > > > > Thanks, --Mark
> > > > passwd driver is fine, yes, if you ensure that users can be found.
> > > >
> > > > Aki
> > >
> > >
> > Doh. Seems your dovecot isn't compiled with gssapi support? Can you compile it yourself?
> >
> > I'll try to check status of NTLM this week.
> >
> > Aki
> >
>

From Christoph at plmail.de Wed Jun 29 13:40:18 2016
From: Christoph at plmail.de (Christoph Pleger)
Date: Wed, 29 Jun 2016 15:40:18 +0200
Subject: Error when searching in mailfolders
Message-ID: <007e5e520147e2c07707d10ce22a076c.squirrel@webmail.plmail.de>

Hello,

I just found that with my dovecot 2.2.21, when I use squirrelmail to search for something in my mailfolders, that fails with

ERROR: Connection dropped by IMAP server.
Query: SEARCH CHARSET ISO-8859-1 ALL FROM "someone"

That happens for searches in any folder, except from INBOX. When I search in all folders, only results from INBOX are found, then the error message is shown.

The log says:

imap: Error: terminate called after throwing an instance of 'CLuceneError'
imap(christoph): Fatal: master: service(imap): child 2834 killed with signal 6 (core dumps disabled)

What can I do about that?

Regards
Christoph

From mfoley at ohprs.org Wed Jun 29 15:32:23 2016
From: mfoley at ohprs.org (Mark Foley)
Date: Wed, 29 Jun 2016 11:32:23 -0400
Subject: Looking for GSSAPI config [was: Looking for NTLM config example]
In-Reply-To:
References: <201606281417.u5SEHd2J003587@mail.hprs.local> <28360759.5872.1467126370957@appsuite-dev.open-xchange.com> <201606290204.u5T24gRt009386@mail.hprs.local> <201606290332.u5T3Wb6l027033@mail.hprs.local>
Message-ID: <201606291532.u5TFWNLS031925@mail.hprs.local>

On Tue, 28 Jun 2016 22:52:25 -0500 Edgar Pettijohn wrote:

> What does thunderbird tell you?

Good question. I saw Tbird's message after sending my last email. When Tbird starts I get a message box in the lower right saying:

"The Kerberos/GSSAPI ticket was not accepted by the IMAP server mark at ohprs.org. Please check that you are logged in to the Kerberos/GSSAPI realm."

The interesting bit, to me, is that the IMAP server's hostname is not mark at ohprs.org. It should be mail.ohprs.org, or I would rather expect it to be mail.hprs.local using the actual local domain/realm name, not the public FQDN. I'm suspecting there is something wrong with the kerberos config.

To further confuse. There *is* a WIN7 workstation 'mark' in the domain, though not the workstation from which this testing is being done (this workstation is named 'common') and host 'mark' is not reachable as mark at ohprs.org. Furthermore, the Thunderbird account/user for this testing is also 'mark', not to be confused with the host 'mark' (though I think that's exactly what's being confused).

Where is this mark at ohprs.org coming from? The Thunderbird Account Name is mark at ohprs.org, which is this user's email address. Perhaps Thunderbird simply has a badly worded error message and didn't really mean "IMAP server mark at ohprs.org", or perhaps kerberos is not configured correctly.

My /etc/krb5.conf is shown below. Any ideas on what might be wrong?

> >>> [libdefaults]
> >>>     default_realm = HPRS.LOCAL
> >>>     dns_lookup_realm = false
> >>>     dns_lookup_kdc = true
> >>>
> >>> [libdefaults]
> >>>     default_realm = HPRS.LOCAL
> >>>     dns_lookup_kdc = true
> >>>     kdc_timesync = 1
> >>>     ccache_type = 4
> >>>     forwardable = true
> >>>     proxiable = true
> >>>     fcc-mit-ticketflags = true
> >>>
> >>> [realms]
> >>>     HPRS.LOCAL = {
> >>>         default_domain = hprs.local
> >>>         auth_to_local_names = {
> >>>             Administrator = root
> >>>         }
> >>>     }
> >>>
> >>> [domain_realm]
> >>>     hprs.local = HPRS.LOCAL
> >>>     # this is not a mistake
> >>>     .hprs.local = HPRS.LOCAL

Thanks, --Mark

-----Original Message-----
> From: Edgar Pettijohn
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
> Date: Tue, 28 Jun 2016 22:52:25 -0500
> To: Mark Foley
>
>
>
> > On Jun 28, 2016, at 10:32 PM, Mark Foley wrote:
> >
> > Aki - partial success! I rebuilt my dovecot with ./config --with-gssapi, and restarted. Now I
> > don't get that "Unknown authentication mechanism 'gssapi'" message in maillog, and mail is
> > delivered successfully to the other domain users having PLAIN authentication. That's a big
> > step. In examining my original config.log output I apparently did not have --with-gssapi enabled.
> >
> > HOWEVER - the Thunderbird client configured for 'Kerberos / GSSAPI' still cannot correctly
> > authenticate and retrieve mail. Here is the dovecot log for that host:
> >
> What does thunderbird tell you?
> >
> > Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> > Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> > Jun 28 22:44:05 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
> > Jun 28 22:44:05 auth: Debug: Read auth token secret from /usr/local/var/run/dovecot/auth-token-secret.dat
> > Jun 28 22:44:05 auth: Debug: auth client connected (pid=24076)
> > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [192.168.0.58]
> > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [192.168.0.58]
> > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [192.168.0.58]
> > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [192.168.0.58]
> > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A [192.168.0.58]
> > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [192.168.0.58]
> > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [192.168.0.58]
> > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [192.168.0.58]
> > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.0.58]
> > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.0.58]
> > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.0.58]
> > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [192.168.0.58]
> > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read certificate verify A [192.168.0.58]
> > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read finished A [192.168.0.58]
> > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write session ticket A [192.168.0.58]
> > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A [192.168.0.58]
> > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write finished A [192.168.0.58]
> > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.0.58]
> > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully [192.168.0.58]
> > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [192.168.0.58]
> > Jun 28 22:44:11 imap-login: Debug: SSL alert: close notify [192.168.0.58]
> > Jun 28 22:44:11 imap-login: Debug: SSL alert: close notify [192.168.0.58]
> > Jun 28 22:44:11 imap-login: Info: Disconnected (no auth attempts in 6 secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, TLS, session=
> >
> > Does this tell you anything? `doveconf -n` and krb5.conf are configured as shown in previous
> > messages below.
> >
> > Closer! --Mark
> >
> > -----Original Message-----
> > From: Mark Foley
> > Date: Tue, 28 Jun 2016 22:04:42 -0400
> > To: dovecot at dovecot.org
> > Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
> >
> > Aki, you wrote:
> >
> >> Doh. Seems your dovecot isn't compiled with gssapi support? Can you compile it yourself?
> >>
> >> I'll try to check status of NTLM this week.
> >
> > I'm OK with continuing to try gssapi, esp. if NTLM is restricted to v1.
> >
> > I do have the Dovecot sources and will peruse the possible options after I send this. I am on
> > version 2.2.15 and I see that the current downloadable version is 2.2.24. Should I upgrade? Do
> > you think that would help? (a perusal of the changes since 2.2.15 shows nothing obvious
> > related to gssapi)
> >
> > --Mark
> >
> > -----Original Message-----
> >> Date: Tue, 28 Jun 2016 18:06:10 +0300 (EEST)
> >> From: aki.tuomi at dovecot.fi
> >> To: dovecot at dovecot.org
> >> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
> >>
> >>> On June 28, 2016 at 5:17 PM Mark Foley wrote:
> >>>
> >>>
> >>> Aki - made your suggested changes, but no joy :(
> >>>
> >>> My /etc/krb5.conf:
> >>>
> >>> ------SNIP--------
> >>> [libdefaults]
> >>>     default_realm = HPRS.LOCAL
> >>>     dns_lookup_realm = false
> >>>     dns_lookup_kdc = true
> >>>
> >>> [libdefaults]
> >>>     default_realm = HPRS.LOCAL
> >>>     dns_lookup_kdc = true
> >>>     kdc_timesync = 1
> >>>     ccache_type = 4
> >>>     forwardable = true
> >>>     proxiable = true
> >>>     fcc-mit-ticketflags = true
> >>>
> >>> [realms]
> >>>     HPRS.LOCAL = {
> >>>         default_domain = hprs.local
> >>>         auth_to_local_names = {
> >>>             Administrator = root
> >>>         }
> >>>     }
> >>>
> >>> [domain_realm]
> >>>     hprs.local = HPRS.LOCAL
> >>>     # this is not a mistake
> >>>     .hprs.local = HPRS.LOCAL
> >>> ------PINS-----------
> >>>
> >>> you wrote:
> >>>> You can remove the krb4_ stuff
> >>>
> >>> I've removed krb4_ stuff from the [libdefaults] and eliminated the [login] section altogether.
> >>> Question on [realms]Administrator: should that really be root or should it be my AD Administrator?
> >>>
> >>> my doveconf -n is exactly the same as posted below, but in particular:
> >>>
> >>> auth_krb5_keytab = /etc/krb5.keytab
> >>> auth_mechanisms = plain login gssapi
> >>>
> >>> When I reloaded dovecot no mail was delivered to anyone (even though everyone was still using
> >>> plain/ssl, no one yet configured for gssapi).
> >>>
> >>> In /var/log/maillog I got (repeatedly):
> >>>
> >>> Jun 28 09:43:36 mail dovecot: imap-login: Warning: Auth process not responding, delayed sending initial response (greeting): user=<>, rip=192.168.0.54, lip=192.168.0.2, session=
> >>> Jun 28 09:43:37 mail dovecot: auth: Fatal: Unknown authentication mechanism 'gssapi'
> >>> Jun 28 09:43:37 mail dovecot: master: Error: service(auth): command startup failed, throttling for 60 secs
> >>> Jun 28 09:43:37 mail dovecot: imap-login: Warning: Auth process not responding, delayed sending initial response (greeting): user=<>, rip=166.170.27.161, lip=98.102.63.107, TLS, session=
> >>>
> >>> This looks pretty bad right off. Why "Unknown authentication mechanism 'gssapi'"?
> >>>
> >>> Do you have any idea from the configs I've posted? I'm rather depressed about this. I thought I'd
> >>> finally be able to get AD authentication going for Dovecot. Not ready to give up though!
> >>>
> >>> Suggestions?
> >>>
> >>> THX -- Mark
> >>>
> >>> -----original Message-----
> >>>> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
> >>>> To: dovecot at dovecot.org
> >>>> From: Aki Tuomi
> >>>> Date: Tue, 28 Jun 2016 15:13:11 +0300
> >>>>
> >>>>> On 28.06.2016 09:27, Mark Foley wrote:
> >>>>> Aki,
> >>>>>
> >>>>> To review your 5 points:
> >>>>>
> >>>>>> On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi wrote:
> >>>>>>
> >>>>>> 1. Functional AD or Kerberos environment
> >>>>>> 2. Time synced against your KDC (which is your Domain Controller on Windows)
> >>>>>> 3. /etc/krb5.conf configured
> >>>>>> 4. Both forward / reverse DNS names correct for clients and servers.
> >>>>>> Reverse is only mandatory for servers, but having them right will work
> >>>>>> wonders. Most kerberos problems are about DNS problems.
> >>>>>> 5. You need a keytab. This keytab needs to hold entries like
> >>>>>> IMAP/your.host.name at REALM and IMAP/$HOSTNAME at REALM. You can generate
> >>>>>> these on any Windows DC server (at least).
> >>>>> I believe I am good on 1,2 and 4. I downloaded and installed kerberos and tested it with kinit
> >>>>> and klist according to the instructions at
> >>>>> https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos
> >>>>>
> >>>>> As to the keytab (#5) I did the following:
> >>>>>
> >>>>> $ samba-tool domain exportkeytab /etc/krb5.keytab
> >>>>>
> >>>>> which created the file. I made this owned and readable by group dovecot, per instructions at
> >>>>> http://wiki2.dovecot.org/Authentication/Kerberos. Running `klist -k /etc/krb5.keytab` shows me
> >>>>> configuration listing all the users and computers in the domain, mostly in triplicate. A
> >>>>> partial list:
> >>>>>
> >>>>> Keytab name: FILE:/etc/krb5.keytab
> >>>>> KVNO Principal
> >>>>> ---- --------------------------------------------------------------------------
> >>>>>   18 COMMON$@HPRS.LOCAL
> >>>>>   18 COMMON$@HPRS.LOCAL
> >>>>>   18 COMMON$@HPRS.LOCAL
> >>>>>    1 MAIL$@HPRS.LOCAL
> >>>>>    1 MAIL$@HPRS.LOCAL
> >>>>>    1 MAIL$@HPRS.LOCAL
> >>>>>    1 charmaine at HPRS.LOCAL
> >>>>>    1 charmaine at HPRS.LOCAL
> >>>>>    1 charmaine at HPRS.LOCAL
> >>>>>
> >>>>> where COMMON and MAIL are hosts and charmaine is a user. I don't really understand the listing,
> >>>>> but am assuming it is OK.
> >>>>
> >>>> Strange that you do not have any host/ entries. Maybe it works without.
> >>>>
> >>>>>> setspn -q is helpful here, also setspn command in general.
> >>>>> I have no such command in my system. Is that a Windows thing?
> >>>>
> >>>> Yes, but you can do those kind of things in Samba too.
> >>>>
> >>>>> As to the /etc/krb5.conf, the default one generated by samba is:
> >>>>>
> >>>>> [libdefaults]
> >>>>>     default_realm = HPRS.LOCAL
> >>>>>     dns_lookup_realm = false
> >>>>>     dns_lookup_kdc = true
> >>>>>
> >>>>> I'd like to modify that to your suggestions, but I need more help. You have (with my questions):
> >>>>>
> >>>>>> Here is a *SAMPLE* configuration:
> >>>>>>
> >>>>>> [libdefaults]
> >>>>>>     default_realm = YOUR.REALM
> >>>>>>     dns_lookup_kdc = true
> >>>>>>     krb4_config = /etc/krb.conf
> >>>>>>     krb4_realms = /etc/krb.realms
> >>>>> Here, you have krb4_*. Do you mean that? My config file is krb5.conf. Should I rather have:
> >>>>
> >>>> You can remove the krb4_ stuff
> >>>>
> >>>>> krb5_config = /etc/krb5.conf
> >>>>>
> >>>>> Also, I have no /etc/krb*.realms file. Do I need this? If so, what should be in there?
> >>>> You don't necessarily require that.
> >>>>
> >>>>>>     kdc_timesync = 1
> >>>>>>     ccache_type = 4
> >>>>>>     forwardable = true
> >>>>>>     proxiable = true
> >>>>>>     fcc-mit-ticketflags = true
> >>>>>>
> >>>>>> [realms]
> >>>>>>     YOUR.REALM = {
> >>>>>>         default_domain = your.domain.name
> >>>>>>         auth_to_local_names = {
> >>>>>>             Administrator = root
> >>>>>>         }
> >>>>>>     }
> >>>>> I suppose my "YOUR.REALM" is HPRS.LOCAL, right? Is my "your.domain.name" my FQDN for my AD
> >>>>> server: mail.hprs.local, or is it just hprs.local? (or something else!)
> >>>>
> >>>> HPRS.LOCAL is your REALM, hprs.local is your domain name.
> >>>>>
> >>>>>> [domain_realm]
> >>>>>>     your.domain.name = YOUR.REALM
> >>>>>>     # this is not a mistake
> >>>>>>     .your.domain.name = YOUR.REALM
> >>>>>> [login]
> >>>>>>     krb4_convert = true
> >>>>>>     krb4_get_tickets = false
> >>>>> Likewise here a question on the whole krb4 versus krb5 thing.
> >>>>>
> >>>>> Your closing comment:
> >>>>>
> >>>>>> Also, note that kerberos can only act as AUTHENTICATION system. It
> >>>>>> cannot act as USER DATABASE. For that you need to configure LDAP or
> >>>>>> something else. With Active Directory LDAP is probably a damn good idea.
> >>>>> I have the following doveconf -n:
> >>>>>
> >>>>> # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> >>>>> # OS: Linux 3.10.17 x86_64 Slackware 14.1
> >>>>> auth_debug_passwords = yes
> >>>>> auth_krb5_keytab = /etc/krb5.keytab
> >>>>> auth_mechanisms = plain login gssapi
> >>>>> auth_verbose = yes
> >>>>> auth_verbose_passwords = plain
> >>>>> disable_plaintext_auth = no
> >>>>> info_log_path = /var/log/dovecot_info
> >>>>> mail_location = maildir:~/Maildir
> >>>>> passdb {
> >>>>>   driver = shadow
> >>>>> }
> >>>>> protocols = imap
> >>>>> ssl_cert =
> >>>>> ssl_key =
> >>>>> userdb {
> >>>>>   driver = passwd
> >>>>> }
> >>>>> verbose_ssl = yes
> >>>>>
> >>>>> I assume the passwd driver for the userdb is OK? Seems to me it should work with gssapi, but in
> >>>>> any case I still have all but this test workstation NOT using gssapi, so I still need to
> >>>>> accommodate them.
> >>>>>
> >>>>> Thanks, --Mark
> >>>> passwd driver is fine, yes, if you ensure that users can be found.
> >>>>
> >>>> Aki
> >>
> >> Doh. Seems your dovecot isn't compiled with gssapi support? Can you compile it yourself?
> >>
> >> I'll try to check status of NTLM this week.
> >>
> >> Aki
> >>
> >

From tss at iki.fi Wed Jun 29 15:40:09 2016
From: tss at iki.fi (Timo Sirainen)
Date: Wed, 29 Jun 2016 18:40:09 +0300
Subject: SSL Problem with -git master-2.2 tip (24 June 16)
In-Reply-To:
References:
Message-ID:

On 24 Jun 2016, at 01:51, Reuben Farrelly wrote:
>
> Current master-2.2 branch of Dovecot compiles for me on Gentoo x86_64 but experiences symbol errors when starting up:
>
> Jun 24 08:38:00 thunderstorm dovecot: lmtp(8180): Fatal: Couldn't load required plugin /usr/lib64/dovecot/libssl_iostream_openssl.so: dlopen() failed: /usr/lib64/dovecot/libssl_iostream_openssl.so: undefined symbol: SSL_COMP_free_compression_methods
> Jun 24 08:38:00 thunderstorm dovecot: master: Error: service(lmtp): command startup failed, throttling for 16 secs
>
> I suspect that this is because I have libressl installed on my systems instead of OpenSSL.

Fixed: https://github.com/dovecot/core/commit/be2be317de8059c135bea0ec698045f0f7475d6e

From mfoley at ohprs.org Wed Jun 29 15:40:35 2016
From: mfoley at ohprs.org (Mark Foley)
Date: Wed, 29 Jun 2016 11:40:35 -0400
Subject: Looking for GSSAPI config [was: Looking for NTLM config example]
In-Reply-To:
References: <201606281417.u5SEHd2J003587@mail.hprs.local> <28360759.5872.1467126370957@appsuite-dev.open-xchange.com> <201606290204.u5T24gRt009386@mail.hprs.local> <201606290332.u5T3Wb6l027033@mail.hprs.local>
Message-ID: <201606291540.u5TFeZcJ030860@mail.hprs.local>

Yes, I think that's exactly correct. I just made a similar reply to Edgar Pettijohn about that.
The Thunderbird message is:

"The Kerberos/GSSAPI ticket was not accepted by the IMAP server mark at ohprs.org. Please check
that you are logged in to the Kerberos/GSSAPI realm."

I made further comments in that message that I won't clutter the list by repeating here. Check
out that message and see what you think could be wrong.

Thanks for your help! I'm sure this is solvable!

--Mark

-----Original Message-----
> Date: Wed, 29 Jun 2016 08:03:14 -0400
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
> From: brendan kearney
> To: Mark Foley
> Cc: dovecot at dovecot.org
>
> The last log line shows "user=<>". This indicates no credentials were
> presented. If the rip field matches the client ip you tested from, I would
> bet the appropriate kerberos ticket (imap/host.domain.tld at REALM) was not
> pulled for the authentication.
> On Jun 28, 2016 11:33 PM, "Mark Foley" wrote:

[deleted]

From tss at iki.fi Wed Jun 29 15:41:09 2016
From: tss at iki.fi (Timo Sirainen)
Date: Wed, 29 Jun 2016 18:41:09 +0300
Subject: Unread Mail flag being reset frequently with dovecot -git master-2.2
In-Reply-To: <3d43142a-edd6-8f94-f363-1602798dedfd@reub.net>
References: <3d43142a-edd6-8f94-f363-1602798dedfd@reub.net>
Message-ID: <2A4D69F8-D9AB-4881-B8DB-14BD7252CB6E@iki.fi>

On 24 Jun 2016, at 06:18, Reuben Farrelly wrote:
>
> Hi again,
>
> I'm experiencing problems with the Dovecot git master-2.2 branch, in which mails that have been previously read are randomly appearing as unread. This happens slowly and affects more and more emails the more changes that occur to a mailbox.
>
> I am using Maildir format and on Gentoo Linux x86_64 on local disks.
>
> Usually only a few at a time change their status - and it seems to be random which ones lose their read status. Typically though they are the most recent emails that have been delivered in the past few months (I haven't yet seen this occur with any really old emails).

Most likely fixed by: https://github.com/dovecot/core/commit/0649b7a1656bd98d95cdf40a98d47cff9c8de9f8

From tss at iki.fi Wed Jun 29 15:42:55 2016
From: tss at iki.fi (Timo Sirainen)
Date: Wed, 29 Jun 2016 18:42:55 +0300
Subject: Error when searching in mailfolders
In-Reply-To: <007e5e520147e2c07707d10ce22a076c.squirrel@webmail.plmail.de>
References: <007e5e520147e2c07707d10ce22a076c.squirrel@webmail.plmail.de>
Message-ID: <4CB5BEB9-1A7D-4F47-BEDD-78751EFB78B2@iki.fi>

On 29 Jun 2016, at 16:40, Christoph Pleger wrote:
>
> Hello,
>
> I just found that with my dovecot 2.2.21, when I use squirrelmail to
> search for something in my mailfolders, that fails with
>
> ERROR: Connection dropped by IMAP server.
> Query: SEARCH CHARSET ISO-8859-1 ALL FROM "someone"
>
> That happens for searches in any folder, except from INBOX. When I search
> in all folders, only results from INBOX are found, then the error message
> is shown.
>
> The log says:
>
> imap: Error: terminate called after throwing an instance of 'CLuceneError'
>
> imap(christoph): Fatal: master: service(imap): child 2834 killed with
> signal 6 (core dumps disabled)
>
> What can I do about that?

Lucene library is throwing an error, which crashes Dovecot. Maybe Dovecot should catch the error, but it would still be broken. Try deleting the lucene indexes and rebuilding them?

From moiseev at mezonplus.ru Wed Jun 29 16:10:28 2016
From: moiseev at mezonplus.ru (Alexander Moisseev)
Date: Wed, 29 Jun 2016 19:10:28 +0300
Subject: External mail attachments storage cleanup
In-Reply-To: <1467194805.199187901@f292.i.mail.ru>
References: <1467033075.442360294@f328.i.mail.ru> <62CD13D3-8AC6-4208-A732-B885B6BD58BC@iki.fi> <1467194805.199187901@f292.i.mail.ru>
Message-ID: <5c5ad336-cd9e-0b14-aca0-ce5319c08776@mezonplus.ru>

On 29.06.2016 13:06, ??????? ???????? wrote:
> Hi!
>
> Thanks it worked! But only when I have a specific user instead of a wildcard (I mean -u *@example.org). Now I think I need to write a script that searches for users in the domain, and starts each of them this command. And apparently it is necessary to add to the cron job..
>

Hi,

The script:
doveadm-expunge - iterates over passwd-file databases, expunges messages in Junk and Trash folders and purges mailboxes for every user.
https://github.com/moisseev/doveadm-tools/blob/master/bin/doveadm-expunge

The crontab entry:
5 4 * * * /usr/local/bin/doveadm-expunge

From tss at iki.fi Wed Jun 29 16:15:01 2016
From: tss at iki.fi (Timo Sirainen)
Date: Wed, 29 Jun 2016 19:15:01 +0300
Subject: mail-search backtrace
In-Reply-To: <5740B443.9070205@dodo.com.au>
References: <57094E96.7020501@dodo.com.au> <2D05C734-10E5-4F8E-B26C-39B981C18FBC@iki.fi> <5740B443.9070205@dodo.com.au>
Message-ID: <651743D9-6236-4061-B1E8-F4FE5871881F@iki.fi>

On 21 May 2016, at 22:17, Hugh Bragg wrote:
>
> dovecot-virtual files look like this:
> # cat virtual/all/dovecot-virtual
> *
>   all
> # cat virtual/Unseen/dovecot-virtual
> virtual.all
>   inthread refs unseen
>
>
> A fresh trace:
>
> May 21 00:28:08 imap(x at y): Panic: file mail-search.c: line 84 (mail_search_arg_init): assertion failed: (arg->initialized.keywords == NULL)

I don't see how this would happen unless you had a "keyword something" after the INTHEAD. Anyway should be fixed by https://github.com/dovecot/core/commit/127b836fd82f421767da3bf843fca55f39f1b109

From tss at iki.fi Wed Jun 29 16:24:54 2016
From: tss at iki.fi (Timo Sirainen)
Date: Wed, 29 Jun 2016 19:24:54 +0300
Subject: [patch] Fix for returning NULL values in SQL dict lookups
In-Reply-To:
References:
Message-ID: <5FE3F589-DBB3-4686-BFCC-D6FCDE12B9B6@iki.fi>

On 11 May 2016, at 23:49, NederHost/Sebastiaan Hoogeveen wrote:
>
> Hi,
>
> I noticed a bug doing dict lookups on an SQLite database which had NULL values in its columns; a segmentation fault occurred, probably due to a null pointer dereference in str_tabescape. The problem is that sqlite3_column_text returns a null pointer for column values which are (SQL) NULL. It seems the other database drivers do something similar. The following patch makes the dict server check for null pointers and return a 'not found' reply in those cases (I changed the order around in the decision tree to avoid having to repeat return values):

Fixed a bit differently: https://github.com/dovecot/core/commit/923ed5836f90175e736846f02edfd9c2ee07dc6b

From edgar at pettijohn-web.com Wed Jun 29 16:43:12 2016
From: edgar at pettijohn-web.com (Edgar Pettijohn)
Date: Wed, 29 Jun 2016 11:43:12 -0500
Subject: Looking for GSSAPI config [was: Looking for NTLM config example]
In-Reply-To: <201606291532.u5TFWNLS031925@mail.hprs.local>
References: <201606281417.u5SEHd2J003587@mail.hprs.local> <28360759.5872.1467126370957@appsuite-dev.open-xchange.com> <201606290204.u5T24gRt009386@mail.hprs.local> <201606290332.u5T3Wb6l027033@mail.hprs.local> <201606291532.u5TFWNLS031925@mail.hprs.local>
Message-ID: <265424C7-6F95-493D-BAD8-CD0EC456DB5F@pettijohn-web.com>

> On Jun 29, 2016, at 10:32 AM, Mark Foley wrote:
>
>> On Tue, 28 Jun 2016 22:52:25 -0500 Edgar Pettijohn wrote:
>>
>> What does thunderbird tell you?
>
> Good question. I saw Tbird's message after sending my last email. When Tbird starts I get a
> message box in the lower right saying:
>
> "The Kerberos/GSSAPI ticket was not accepted by the IMAP server mark at ohprs.org. Please check
> that you are logged in to the Kerberos/GSSAPI realm."
>
> The interesting bit, to me, is that the IMAP server's hostname is not mark at ohprs.org. It should
> be mail.ohprs.org, or I would rather expect it to be mail.hprs.local using the actual local
> domain/realm name, not the public FQDN. I'm suspecting there is something wrong with the
> kerberos config.
>
> To further confuse. There *is* a WIN7 workstation 'mark' in the domain, though not the
> workstation from which this testing is being done (this workstation is named 'common') and host
> 'mark' is not reachable as mark at ohprs.org. Furthermore, the Thunderbird account/user for this
> testing is also 'mark', not to be confused with the host 'mark' (though I think that's exactly
> what's being confused).
>
> Where is this mark at ohprs.org coming from? The Thunderbird Account Name is mark at ohprs.org, which
> is this user's email address.
>
> Perhaps Thunderbird simply has a badly worded error message and didn't really mean "IMAP server
> mark at ohprs.org", or perhaps kerberos is not configured correctly. My /etc/krb5.conf is shown
> below. Any ideas on what might be wrong?

It's doubtful it's a thunderbird issue unless you've given it bad information. Unfortunately I don't use ldap or gssapi so I'm afraid I can't offer much help.

>
>>>>> [libdefaults]
>>>>> default_realm = HPRS.LOCAL
>>>>> dns_lookup_realm = false
>>>>> dns_lookup_kdc = true
>>>>>
>>>>> [libdefaults]
>>>>> default_realm = HPRS.LOCAL
>>>>> dns_lookup_kdc = true
>>>>> kdc_timesync = 1
>>>>> ccache_type = 4
>>>>> forwardable = true
>>>>> proxiable = true
>>>>> fcc-mit-ticketflags = true
>>>>>
>>>>> [realms]
>>>>> HPRS.LOCAL = {
>>>>>     default_domain = hprs.local
>>>>>     auth_to_local_names = {
>>>>>         Administrator = root
>>>>>     }
>>>>> }
>>>>>
>>>>> [domain_realm]
>>>>> hprs.local = HPRS.LOCAL
>>>>> # this is not a mistake
>>>>> .hprs.local = HPRS.LOCAL
>
> Thanks, --Mark
>
> -----Original Message-----
>> From: Edgar Pettijohn
>> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
>> Date: Tue, 28 Jun 2016 22:52:25 -0500
>> To: Mark Foley
>>
>>
>>
>>> On Jun 28, 2016, at 10:32 PM, Mark Foley wrote:
>>>
>>> Aki - partial success! I rebuilt my dovecot with ./config --with-gssapi, and restarted. Now I
>>> don't get that "Unknown authentication mechanism 'gssapi'" message in maillog, and mail is
>>> delivered successfully to the other domain users having PLAIN authentication. That's a big
>>> step. In examining my original config.log output I apparently did not have --with-gssapi enabled.
>>>
>>> HOWEVER - the Thunderbird client configured for 'Kerberos / GSSAPI' still cannot correctly
>>> authenticate and retrieve mail. Here is the dovecot log for that host:
>> What does thunderbird tell you?
>>
>>
>>> Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
>>> Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
>>> Jun 28 22:44:05 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
>>> Jun 28 22:44:05 auth: Debug: Read auth token secret from /usr/local/var/run/dovecot/auth-token-secret.dat
>>> Jun 28 22:44:05 auth: Debug: auth client connected (pid=24076)
>>> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [192.168.0.58]
>>> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [192.168.0.58]
>>> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [192.168.0.58]
>>> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [192.168.0.58]
>>> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A [192.168.0.58]
>>> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [192.168.0.58]
>>> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [192.168.0.58]
>>> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [192.168.0.58]
>>> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.0.58]
>>> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.0.58]
>>> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.0.58]
>>> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [192.168.0.58]
>>> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read certificate verify A [192.168.0.58]
>>> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read finished A [192.168.0.58]
>>> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write session ticket A [192.168.0.58]
>>> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A [192.168.0.58]
>>> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write finished A [192.168.0.58]
>>> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.0.58]
>>> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully [192.168.0.58]
>>> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [192.168.0.58]
>>> Jun 28 22:44:11 imap-login: Debug: SSL alert: close notify [192.168.0.58]
>>> Jun 28 22:44:11 imap-login: Debug: SSL alert: close notify [192.168.0.58]
>>> Jun 28 22:44:11 imap-login: Info: Disconnected (no auth attempts in 6 secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, TLS, session=
>>>
>>> Does this tell you anything? `doveconf -n` and krb5.conf are configured as shown in previous
>>> messages below.
>>>
>>> Closer! --Mark
>>>
>>> -----Original Message-----
>>> From: Mark Foley
>>> Date: Tue, 28 Jun 2016 22:04:42 -0400
>>> To: dovecot at dovecot.org
>>> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
>>>
>>> Aki, you wrote:
>>>
>>>> Doh. Seems your dovecot isn't compiled with gssapi support? Can you compile it yourself?
>>>>
>>>> I'll try to check status of NTLM this week.
>>>
>>> I'm OK with continuing to try gssapi, esp. if NTLM is restricted to v1.
>>>
>>> I do have the Dovecot sources and will peruse the possible options after I send this. I am on
>>> version 2.2.15 and I see that the current downloadable version is 2.2.24. Should I upgrade? Do
>>> you think that would help? (a perusal of the changes since 2.2.15 shows nothing obvious
>>> related to gssapi)
>>>
>>> --Mark
>>>
>>> -----Original Message-----
>>>> Date: Tue, 28 Jun 2016 18:06:10 +0300 (EEST)
>>>> From: aki.tuomi at dovecot.fi
>>>> To: dovecot at dovecot.org
>>>> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
>>>>
>>>>> On June 28, 2016 at 5:17 PM Mark Foley wrote:
>>>>>
>>>>>
>>>>> Aki - made your suggested changes, but no joy :(
>>>>>
>>>>> My /etc/krb5.conf:
>>>>>
>>>>> ------SNIP--------
>>>>> [libdefaults]
>>>>> default_realm = HPRS.LOCAL
>>>>> dns_lookup_realm = false
>>>>> dns_lookup_kdc = true
>>>>>
>>>>> [libdefaults]
>>>>> default_realm = HPRS.LOCAL
>>>>> dns_lookup_kdc = true
>>>>> kdc_timesync = 1
>>>>> ccache_type = 4
>>>>> forwardable = true
>>>>> proxiable = true
>>>>> fcc-mit-ticketflags = true
>>>>>
>>>>> [realms]
>>>>> HPRS.LOCAL = {
>>>>>     default_domain = hprs.local
>>>>>     auth_to_local_names = {
>>>>>         Administrator = root
>>>>>     }
>>>>> }
>>>>>
>>>>> [domain_realm]
>>>>> hprs.local = HPRS.LOCAL
>>>>> # this is not a mistake
>>>>> .hprs.local = HPRS.LOCAL
>>>>> ------PINS-----------
>>>>>
>>>>> you wrote:
>>>>>> You can remove the krb4_ stuff
>>>>>
>>>>> I've removed krb4_ stuff from the [libdefaults] and eliminated the [login] section altogether.
>>>>> Question on [realms]Administrator: should that really be root or should it be my AD Administrator?
>>>>>
>>>>> my doveconf -n is exactly the same as posted below, but in particular:
>>>>>
>>>>> auth_krb5_keytab = /etc/krb5.keytab
>>>>> auth_mechanisms = plain login gssapi
>>>>>
>>>>> When I reloaded dovecot no mail was delivered to anyone (even though everyone was still using
>>>>> plain/ssl, no one yet configured for gssapi).
>>>>>
>>>>> In /var/log/maillog I got (repeatedly):
>>>>>
>>>>> Jun 28 09:43:36 mail dovecot: imap-login: Warning: Auth process not responding, delayed sending initial response (greeting): user=<>, rip=192.168.0.54, lip=192.168.0.2, session=
>>>>> Jun 28 09:43:37 mail dovecot: auth: Fatal: Unknown authentication mechanism 'gssapi'
>>>>> Jun 28 09:43:37 mail dovecot: master: Error: service(auth): command startup failed, throttling for 60 secs
>>>>> Jun 28 09:43:37 mail dovecot: imap-login: Warning: Auth process not responding, delayed sending initial response (greeting): user=<>, rip=166.170.27.161, lip=98.102.63.107, TLS, session=
>>>>>
>>>>> This looks pretty bad right off. Why "Unknown authentication mechanism 'gssapi'"?
>>>>>
>>>>> Do you have any idea from the configs I've posted? I'm rather depressed about this. I thought I'd
>>>>> finally be able to get AD authentication going for Dovecot. Not ready to give up though!
>>>>>
>>>>> Suggestions?
>>>>>
>>>>> THX -- Mark
>>>>>
>>>>> -----original Message-----
>>>>>> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
>>>>>> To: dovecot at dovecot.org
>>>>>> From: Aki Tuomi
>>>>>> Date: Tue, 28 Jun 2016 15:13:11 +0300
>>>>>>
>>>>>>> On 28.06.2016 09:27, Mark Foley wrote:
>>>>>>> Aki,
>>>>>>>
>>>>>>> To review your 5 points:
>>>>>>>
>>>>>>>> On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi wrote:
>>>>>>>>
>>>>>>>> 1. Functional AD or Kerberos environment
>>>>>>>> 2. Time synced against your KDC (which is your Domain Controller on Windows)
>>>>>>>> 3. /etc/krb5.conf configured
>>>>>>>> 4. Both forward / reverse DNS names correct for clients and servers.
>>>>>>>> Reverse is only mandatory for servers, but having them right will work
>>>>>>>> wonders. Most kerberos problems are about DNS problems.
>>>>>>>> 5. You need a keytab. This keytab needs to hold entries like
>>>>>>>> IMAP/your.host.name at REALM and IMAP/$HOSTNAME at REALM. You can generate
>>>>>>>> these on any Windows DC server (at least).
>>>>>>> I believe I am good on 1,2 and 4. I downloaded and installed kerberos and tested it with kinit
>>>>>>> and klist according to the instructions at
>>>>>>> https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos
>>>>>>>
>>>>>>> As to the keytab (#5) I did the following:
>>>>>>>
>>>>>>> $ samba-tool domain exportkeytab /etc/krb5.keytab
>>>>>>>
>>>>>>> which created the file. I made this owned and readable by group dovecot, per instructions at
>>>>>>> http://wiki2.dovecot.org/Authentication/Kerberos. Running `klist -k /etc/krb5.keytab` shows me
>>>>>>> configuration listing all the users and computers in the domain, mostly in triplicate. A
>>>>>>> partial list:
>>>>>>>
>>>>>>> Keytab name: FILE:/etc/krb5.keytab
>>>>>>> KVNO Principal
>>>>>>> ---- --------------------------------------------------------------------------
>>>>>>>   18 COMMON$@HPRS.LOCAL
>>>>>>>   18 COMMON$@HPRS.LOCAL
>>>>>>>   18 COMMON$@HPRS.LOCAL
>>>>>>>    1 MAIL$@HPRS.LOCAL
>>>>>>>    1 MAIL$@HPRS.LOCAL
>>>>>>>    1 MAIL$@HPRS.LOCAL
>>>>>>>    1 charmaine at HPRS.LOCAL
>>>>>>>    1 charmaine at HPRS.LOCAL
>>>>>>>    1 charmaine at HPRS.LOCAL
>>>>>>>
>>>>>>> where COMMON and MAIL are hosts and charmaine is a user. I don't really understand the listing,
>>>>>>> but am assuming it is OK.
>>>>>>
>>>>>> Strange that you do not have any host/ entries. Maybe it works without.
>>>>>>
>>>>>>>> setspn -q is helpful here, also setspn command in general.
>>>>>>> I have no such command in my system. Is that a Windows thing?
>>>>>>
>>>>>> Yes, but you can do those kind of things in Samba too.
>>>>>>
>>>>>>> As to the /etc/krb5.conf, the default one generated by samba is:
>>>>>>>
>>>>>>> [libdefaults]
>>>>>>> default_realm = HPRS.LOCAL
>>>>>>> dns_lookup_realm = false
>>>>>>> dns_lookup_kdc = true
>>>>>>>
>>>>>>> I'd like to modify that to your suggestions, but I need more help. You have (with my questions):
>>>>>>>
>>>>>>>> Here is a *SAMPLE* configuration:
>>>>>>>>
>>>>>>>> [libdefaults]
>>>>>>>> default_realm = YOUR.REALM
>>>>>>>> dns_lookup_kdc = true
>>>>>>>> krb4_config = /etc/krb.conf
>>>>>>>> krb4_realms = /etc/krb.realms
>>>>>>> Here, you have krb4_*. Do you mean that? My config file is krb5.conf. Should I rather have:
>>>>>>
>>>>>> You can remove the krb4_ stuff
>>>>>>
>>>>>>> krb5_config = /etc/krb5.conf
>>>>>>>
>>>>>>> Also, I have no /etc/krb*.realms file. Do I need this? If so, what should be in there?
>>>>>> You don't necessarily require that.
>>>>>>
>>>>>>>> kdc_timesync = 1
>>>>>>>> ccache_type = 4
>>>>>>>> forwardable = true
>>>>>>>> proxiable = true
>>>>>>>> fcc-mit-ticketflags = true
>>>>>>>>
>>>>>>>> [realms]
>>>>>>>> YOUR.REALM = {
>>>>>>>>     default_domain = your.domain.name
>>>>>>>>     auth_to_local_names = {
>>>>>>>>         Administrator = root
>>>>>>>>     }
>>>>>>>> }
>>>>>>> I suppose my "YOUR.REALM" is HPRS.LOCAL, right? Is my "your.domain.name" my FQDN for my AD
>>>>>>> server: mail.hprs.local, or is it just hprs.local? (or something else!)
>>>>>>
>>>>>> HPRS.LOCAL is your REALM, hprs.local is your domain name.
>>>>>>>
>>>>>>>> [domain_realm]
>>>>>>>> your.domain.name = YOUR.REALM
>>>>>>>> # this is not a mistake
>>>>>>>> .your.domain.name = YOUR.REALM
>>>>>>>> [login]
>>>>>>>> krb4_convert = true
>>>>>>>> krb4_get_tickets = false
>>>>>>> Likewise here a question on the whole krb4 versus krb5 thing.
>>>>>>>
>>>>>>> Your closing comment:
>>>>>>>
>>>>>>>> Also, note that kerberos can only act as AUTHENTICATION system. It
>>>>>>>> cannot act as USER DATABASE. For that you need to configure LDAP or
>>>>>>>> something else. With Active Directory LDAP is probably a damn good idea.
>>>>>>> I have the following doveconf -n:
>>>>>>>
>>>>>>> # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
>>>>>>> # OS: Linux 3.10.17 x86_64 Slackware 14.1
>>>>>>> auth_debug_passwords = yes
>>>>>>> auth_krb5_keytab = /etc/krb5.keytab
>>>>>>> auth_mechanisms = plain login gssapi
>>>>>>> auth_verbose = yes
>>>>>>> auth_verbose_passwords = plain
>>>>>>> disable_plaintext_auth = no
>>>>>>> info_log_path = /var/log/dovecot_info
>>>>>>> mail_location = maildir:~/Maildir
>>>>>>> passdb {
>>>>>>>   driver = shadow
>>>>>>> }
>>>>>>> protocols = imap
>>>>>>> ssl_cert =
>>>>>>> ssl_key =
>>>>>>> userdb {
>>>>>>>   driver = passwd
>>>>>>> }
>>>>>>> verbose_ssl = yes
>>>>>>>
>>>>>>> I assume the passwd driver for the userdb is OK? Seems to me it should work with gssapi, but in
>>>>>>> any case I still have all but this test workstation NOT using gssapi, so I still need to
>>>>>>> accommodate them.
>>>>>>>
>>>>>>> Thanks, --Mark
>>>>>> passwd driver is fine, yes, if you ensure that users can be found.
>>>>>>
>>>>>> Aki
>>>>
>>>> Doh. Seems your dovecot isn't compiled with gssapi support? Can you compile it yourself?
>>>>
>>>> I'll try to check status of NTLM this week.
>>>>
>>>> Aki
>>
>>

From reuben-dovecot at reub.net Wed Jun 29 22:09:32 2016
From: reuben-dovecot at reub.net (Reuben Farrelly)
Date: Thu, 30 Jun 2016 08:09:32 +1000
Subject: SSL Problem with -git master-2.2 tip (24 June 16)
In-Reply-To:
References:
Message-ID: <21153cf4-130f-ff1b-aff7-4e55de47b2b7@reub.net>

On 30/06/2016 1:40 AM, Timo Sirainen wrote:
> On 24 Jun 2016, at 01:51, Reuben Farrelly wrote:
>> Current master-2.2 branch of Dovecot compiles for me on Gentoo x86_64 but experiences symbol errors when starting up:
>>
>> Jun 24 08:38:00 thunderstorm dovecot: lmtp(8180): Fatal: Couldn't load required plugin /usr/lib64/dovecot/libssl_iostream_openssl.so: dlopen() failed: /usr/lib64/dovecot/libssl_iostream_openssl.so: undefined symbol: SSL_COMP_free_compression_methods
>> Jun 24 08:38:00 thunderstorm dovecot: master: Error: service(lmtp): command startup failed, throttling for 16 secs
>>
>> I suspect that this is because I have libressl installed on my systems instead of OpenSSL.
> Fixed: https://github.com/dovecot/core/commit/be2be317de8059c135bea0ec698045f0f7475d6e

Thanks. Better but perhaps not quite right yet - I'm now seeing lots of these messages logged:

Jun 30 08:07:22 thunderstorm.reub.net dovecot: doveadm: Warning: CRYPTO_set_mem_functions() was called too late

Reuben

From tss at iki.fi Wed Jun 29 22:17:47 2016
From: tss at iki.fi (Timo Sirainen)
Date: Thu, 30 Jun 2016 01:17:47 +0300
Subject: SSL Problem with -git master-2.2 tip (24 June 16)
In-Reply-To: <21153cf4-130f-ff1b-aff7-4e55de47b2b7@reub.net>
References: <21153cf4-130f-ff1b-aff7-4e55de47b2b7@reub.net>
Message-ID:

On 30 Jun 2016, at 01:09, Reuben Farrelly wrote:
>
> On 30/06/2016 1:40 AM, Timo Sirainen wrote:
>
>> On 24 Jun 2016, at 01:51, Reuben Farrelly wrote:
>>> Current master-2.2 branch of Dovecot compiles for me on Gentoo x86_64 but experiences symbol errors when starting up:
>>>
>>> Jun 24 08:38:00 thunderstorm dovecot: lmtp(8180): Fatal: Couldn't load required plugin /usr/lib64/dovecot/libssl_iostream_openssl.so: dlopen() failed: /usr/lib64/dovecot/libssl_iostream_openssl.so: undefined symbol: SSL_COMP_free_compression_methods
>>> Jun 24 08:38:00 thunderstorm dovecot: master: Error: service(lmtp): command startup failed, throttling for 16 secs
>>>
>>> I suspect that this is because I have libressl installed on my systems instead of OpenSSL.
>> Fixed: https://github.com/dovecot/core/commit/be2be317de8059c135bea0ec698045f0f7475d6e
>
> Thanks. Better but perhaps not quite right yet - I'm now seeing lots of these messages logged:
>
> Jun 30 08:07:22 thunderstorm.reub.net dovecot: doveadm: Warning: CRYPTO_set_mem_functions() was called too late

Are you using Ubuntu 16.04? That and maybe some other latest OpenSSL versions are a bit broken. Anyway, disabled the warning for now: https://github.com/dovecot/core/commit/a0f2b68fe41b9565a42c4854c2450c0fd8b3a8d9

It doesn't matter much that the function fails.

From reuben-dovecot at reub.net Wed Jun 29 22:22:37 2016
From: reuben-dovecot at reub.net (Reuben Farrelly)
Date: Thu, 30 Jun 2016 08:22:37 +1000
Subject: SSL Problem with -git master-2.2 tip (24 June 16)
In-Reply-To:
References: <21153cf4-130f-ff1b-aff7-4e55de47b2b7@reub.net>
Message-ID:

On 30/06/2016 8:17 AM, Timo Sirainen wrote:
> On 30 Jun 2016, at 01:09, Reuben Farrelly wrote:
>> On 30/06/2016 1:40 AM, Timo Sirainen wrote:
>>
>>> On 24 Jun 2016, at 01:51, Reuben Farrelly wrote:
>>>> Current master-2.2 branch of Dovecot compiles for me on Gentoo x86_64 but experiences symbol errors when starting up:
>>>>
>>>> Jun 24 08:38:00 thunderstorm dovecot: lmtp(8180): Fatal: Couldn't load required plugin /usr/lib64/dovecot/libssl_iostream_openssl.so: dlopen() failed: /usr/lib64/dovecot/libssl_iostream_openssl.so: undefined symbol: SSL_COMP_free_compression_methods
>>>> Jun 24 08:38:00 thunderstorm dovecot: master: Error: service(lmtp): command startup failed, throttling for 16 secs
>>>>
>>>> I suspect that this is because I have libressl installed on my systems instead of OpenSSL.
>>> Fixed: https://github.com/dovecot/core/commit/be2be317de8059c135bea0ec698045f0f7475d6e
>> Thanks. Better but perhaps not quite right yet - I'm now seeing lots of these messages logged:
>>
>> Jun 30 08:07:22 thunderstorm.reub.net dovecot: doveadm: Warning: CRYPTO_set_mem_functions() was called too late
> Are you using Ubuntu 16.04? That and maybe some other latest OpenSSL versions are a bit broken. Anyway, disabled the warning for now: https://github.com/dovecot/core/commit/a0f2b68fe41b9565a42c4854c2450c0fd8b3a8d9
>
> It doesn't matter much that the function fails.

No. This was with Gentoo x86_64 with LibreSSL 2.4.1 (not OpenSSL). It appears to be a cosmetic problem though.

Compiling now - if it's still a problem I'll re-post (otherwise assume it's all OK).

Reuben

From tss at iki.fi Wed Jun 29 22:32:33 2016
From: tss at iki.fi (Timo Sirainen)
Date: Thu, 30 Jun 2016 01:32:33 +0300
Subject: SSL Problem with -git master-2.2 tip (24 June 16)
In-Reply-To:
References: <21153cf4-130f-ff1b-aff7-4e55de47b2b7@reub.net>
Message-ID: <8DE157E8-7603-496E-90A3-CEDEAD0C1B90@iki.fi>

On 30 Jun 2016, at 01:22, Reuben Farrelly wrote:
>
> On 30/06/2016 8:17 AM, Timo Sirainen wrote:
>
>> On 30 Jun 2016, at 01:09, Reuben Farrelly wrote:
>>> On 30/06/2016 1:40 AM, Timo Sirainen wrote:
>>>
>>>> On 24 Jun 2016, at 01:51, Reuben Farrelly wrote:
>>>>> Current master-2.2 branch of Dovecot compiles for me on Gentoo x86_64 but experiences symbol errors when starting up:
>>>>>
>>>>> Jun 24 08:38:00 thunderstorm dovecot: lmtp(8180): Fatal: Couldn't load required plugin /usr/lib64/dovecot/libssl_iostream_openssl.so: dlopen() failed: /usr/lib64/dovecot/libssl_iostream_openssl.so: undefined symbol: SSL_COMP_free_compression_methods
>>>>> Jun 24 08:38:00 thunderstorm dovecot: master: Error: service(lmtp): command startup failed, throttling for 16 secs
>>>>>
>>>>> I suspect that this is because I have libressl installed on my systems instead of OpenSSL.
>>>> Fixed: https://github.com/dovecot/core/commit/be2be317de8059c135bea0ec698045f0f7475d6e
>>> Thanks. Better but perhaps not quite right yet - I'm now seeing lots of these messages logged:
>>>
>>> Jun 30 08:07:22 thunderstorm.reub.net dovecot: doveadm: Warning: CRYPTO_set_mem_functions() was called too late
>> Are you using Ubuntu 16.04? That and maybe some other latest OpenSSL versions are a bit broken. Anyway, disabled the warning for now: https://github.com/dovecot/core/commit/a0f2b68fe41b9565a42c4854c2450c0fd8b3a8d9
>>
>> It doesn't matter much that the function fails.
>
> No. This was with Gentoo x86_64 with LibreSSL 2.4.1 (not OpenSSL). It appears to be a cosmetic problem though.
>
> Compiling now - if it's still a problem I'll re-post (otherwise assume it's all OK).

I guess LibreSSL should also fix it.
I reported it to Ubuntu: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1594748

There's an upstream bug about it: https://rt.openssl.org/Ticket/Display.html?id=4559

But for some reason it's now marked as "rejected"...

From aki.tuomi at dovecot.fi Thu Jun 30 06:58:14 2016
From: aki.tuomi at dovecot.fi (Aki Tuomi)
Date: Thu, 30 Jun 2016 09:58:14 +0300
Subject: Looking for GSSAPI config [was: Looking for NTLM config example]
In-Reply-To: <201606291540.u5TFeZcJ030860@mail.hprs.local>
References: <201606281417.u5SEHd2J003587@mail.hprs.local> <28360759.5872.1467126370957@appsuite-dev.open-xchange.com> <201606290204.u5T24gRt009386@mail.hprs.local> <201606290332.u5T3Wb6l027033@mail.hprs.local> <201606291540.u5TFeZcJ030860@mail.hprs.local>
Message-ID: <5774C306.2040005@dovecot.fi>

I think the problem still is that your keytab file has no entry

imap/hostname at DOMAIN and IMAP/hostname at DOMAIN

you also have no host/hostname at DOMAIN

Aki

On 29.06.2016 18:40, Mark Foley wrote:
> Yes, I think that's exactly correct. I just made a similar reply to Edgar Pettijohn about that.
> The Thunderbird message is:
>
> "The Kerberos/GSSAPI ticket was not accepted by the IMAP server mark at ohprs.org. Please check
> that you are logged in to the Kerberos/GSSAPI realm."
>
> I made further comments in that message that I won't clutter the list by repeating here. Check
> out that message and see what you think could be wrong.
>
> Thanks for your help! I'm sure this is solvable!
>
> --Mark
>
> -----Original Message-----
>> Date: Wed, 29 Jun 2016 08:03:14 -0400
>> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
>> From: brendan kearney >> To: Mark Foley >> Cc: dovecot at dovecot.org >> >> The last log line shows "user=<>". This indicates no credentials were >> presented. If the rip field matches the client ip you tested from, I would >> bet the appropriate kerberos ticket (imap/host.domain.tld at REALM) was not >> pulled for the authentication. >> On Jun 28, 2016 11:33 PM, "Mark Foley" wrote: > [deleted] From Christoph at plmail.de Thu Jun 30 07:38:52 2016 From: Christoph at plmail.de (Christoph Pleger) Date: Thu, 30 Jun 2016 09:38:52 +0200 Subject: Error when searching in mailfolders In-Reply-To: <4CB5BEB9-1A7D-4F47-BEDD-78751EFB78B2@iki.fi> References: <007e5e520147e2c07707d10ce22a076c.squirrel@webmail.plmail.de> <4CB5BEB9-1A7D-4F47-BEDD-78751EFB78B2@iki.fi> Message-ID: Hello, > On 29 Jun 2016, at 16:40, Christoph Pleger wrote: >> >> Hello, >> >> I just found that with my dovecot 2.2.21, when I use squirrelmail to >> search for something in my mailfolders, that fails with >> >> ERROR: Connection dropped by IMAP server. >> Query: SEARCH CHARSET ISO-8859-1 ALL FROM "someone" >> >> That happens for searches in any folder, except from INBOX. When I >> search >> in all folders, only results from INBOX are found, then the error >> message >> is shown. >> >> The log says: >> >> imap: Error: terminate called after throwing an instance of >> 'CLuceneError' >> >> imap(christoph): Fatal: master: service(imap): child 2834 killed with >> signal 6 (core dumps disabled) >> >> What can I do about that? > > Lucene library is throwing an error, which crashes Dovecot. Maybe Dovecot > should catch the error, but it would still be broken. Try deleting the > lucene indexes and rebuilding them? Deleting the indexes helped, but after they had been rebuilt, the error occurred again. Regards Christoph From aki.tuomi at dovecot.fi Thu Jun 30 08:43:20 2016 
From: aki.tuomi at dovecot.fi (Aki Tuomi) Date: Thu, 30 Jun 2016 11:43:20 +0300 Subject: Error when searching in mailfolders In-Reply-To: References: <007e5e520147e2c07707d10ce22a076c.squirrel@webmail.plmail.de> <4CB5BEB9-1A7D-4F47-BEDD-78751EFB78B2@iki.fi> Message-ID: <5774DBA8.2030105@dovecot.fi> On 30.06.2016 10:38, Christoph Pleger wrote: > Hello, > >> On 29 Jun 2016, at 16:40, Christoph Pleger wrote: >>> Hello, >>> >>> I just found that with my dovecot 2.2.21, when I use squirrelmail to >>> search for something in my mailfolders, that fails with >>> >>> ERROR: Connection dropped by IMAP server. >>> Query: SEARCH CHARSET ISO-8859-1 ALL FROM "someone" >>> >>> That happens for searches in any folder, except from INBOX. When I >>> search >>> in all folders, only results from INBOX are found, then the error >>> message >>> is shown. >>> >>> The log says: >>> >>> imap: Error: terminate called after throwing an instance of >>> 'CLuceneError' >>> >>> imap(christoph): Fatal: master: service(imap): child 2834 killed with >>> signal 6 (core dumps disabled) >>> >>> What can I do about that? >> Lucene library is throwing an error, which crashes Dovecot. Maybe Dovecot >> should catch the error, but it would still be broken. Try deleting the >> lucene indexes and rebuilding them? > Deleting the indexes helped, but after they had been rebuilt, the error > occurred again. > > Regards > Christoph Could you enable core dumps and run bt full in gdb? Aki From sylvain.allemand at math.u-bordeaux.fr Thu Jun 30 09:52:08 2016 
From: sylvain.allemand at math.u-bordeaux.fr (Sylvain Allemand)
Date: Thu, 30 Jun 2016 11:52:08 +0200
Subject: ltmp, quota and quota grace
Message-ID:

Hi,

i try to configure quota in dovecot.

1) I test quota with postfix and quota-status : quota is respected but quota grace is ignored...

2) i test quota with Dovecot LMTP : quota (and quota grace) are ignored

i can see in log file :

Jun 30 11:36:39 mail1 dovecot: lmtp(24424, sallemantest at test.fr): Debug: Quota root: name=User quota sallemantest at test.fr backend=count args=
Jun 30 11:36:39 mail1 dovecot: lmtp(24424, sallemantest at test.fr): Debug: Quota rule: root=User quota sallemantest at test.fr mailbox=* bytes=1073741824 messages=0
Jun 30 11:36:39 mail1 dovecot: lmtp(24424, sallemantest at test.fr): Debug: Quota rule: root=User quota sallemantest at test.fr mailbox=Trash bytes=+104857600 messages=0
Jun 30 11:36:39 mail1 dovecot: lmtp(24424, sallemantest at test.fr): Debug: Quota grace: root=User quota sallemantest at test.fr bytes=107374182 (10%)
Jun 30 11:36:39 mail1 dovecot: lmtp(sallemantest at test.fr): Debug: replication: Replication requested by 'transaction commit', priority=2
Jun 30 11:36:39 mail1 dovecot: lmtp(sallemantest at test.fr): /z7gBifodFdoXwAAs3/TQA: msgid=: saved mail to INBOX
Jun 30 11:36:39 mail1 dovecot: lmtp(24424): Disconnect from 127.0.0.1: Successful quit

my quota :

root at mail1:~# doveadm -v quota get -u sallemantest at test.fr
Quota name                          Type    Value Limit   %
User quota sallemantest at test.fr STORAGE    29    10 290
User quota sallemantest at test.fr MESSAGE    11     -   0

my config for lmtp and quota :

protocol lmtp {
  mail_plugins = " acl notify replication quota sieve"
  userdb {
    args = /etc/dovecot/dovecot-lmtp-ldap-userdb.conf.ext
    default_fields = uid=vmail gid=vmail
    driver = ldap
    name =
  }
}

plugin {
  quota = count:User quota %u
  quota_grace = 10%%
  quota_rule = *:storage=1G
  quota_rule2 = Trash:storage=+100M
  quota_vsizes = yes
}

root at mail1:/etc/dovecot# dovecot --version
2.2.24 (a82c823)

Help please !

Sylvain

ps : sorry for my poor english

From zedd at list.ru Thu Jun 30 10:22:23 2016
From: zedd at list.ru (=?UTF-8?B?0J3QuNC60L7Qu9Cw0Lkg0JzQsNC90LDQvdC60L7Qsg==?=)
Date: Thu, 30 Jun 2016 13:22:23 +0300
Subject: =?UTF-8?B?UmVbMl06IEV4dGVybmFsIG1haWwgYXR0YWNobWVudHMgc3RvcmFnZSBjbGVh?= =?UTF-8?B?bnVw?=
In-Reply-To: <5c5ad336-cd9e-0b14-aca0-ce5319c08776@mezonplus.ru>
References: <1467033075.442360294@f328.i.mail.ru> <1467194805.199187901@f292.i.mail.ru> <5c5ad336-cd9e-0b14-aca0-ce5319c08776@mezonplus.ru>
Message-ID: <1467282143.14788026@f216.i.mail.ru>

Thank you very much for your help!

My mail users are stored in the SQL base, therefore, using the fact that my dovecot mailbox folder names correspond to the names of mail users in the domain, I wrote a simple script and just threw it in a "/etc/cron.daily" folder.

-----screenshot begin-----

mail:/etc/cron.daily # cat ./dovepurge.sh
#!/bin/sh

cd /MailRoot/dovecot/domains

for i in *
 do
  cd $i
   for j in *; do dovecot purge -u $j@$i; done
  cd ..
done

-----screenshot end -----

It is strange that the daemon does not do this automatically, and even setting up autoexpunge option does not help. Also IMHO certainly evident mistake in the documentation about the wildcards processing by purge command..

From dovecot-e51 at deemzed.uk Thu Jun 30 10:45:51 2016
From: dovecot-e51 at deemzed.uk (Dave) Date: Thu, 30 Jun 2016 11:45:51 +0100 Subject: [patch] Support redis AUTH Message-ID: A very minor patch to support redis AUTH (for all that's worth) using an extra password= field. I'm not sure if this will be of any value to anyone here. We're testing it in development and "it works for us" but it's yet to be used in anger. Sorry if I'm going about this the wrong way, I tried emailing this directly but heard nothing back; so I'm reposting to the list as I'm honestly not sure what established protocol is regarding code contribution. -- Dave -------------- next part -------------- diff -aurN dovecot-2.2.24.orig/src/lib-dict/dict-redis.c dovecot-2.2.24/src/lib-dict/dict-redis.c --- dovecot-2.2.24.orig/src/lib-dict/dict-redis.c 2016-04-26 14:01:20.000000000 +0100 +++ dovecot-2.2.24/src/lib-dict/dict-redis.c 2016-06-22 17:18:45.082453708 +0100 @@ -13,6 +13,8 @@ #define DICT_USERNAME_SEPARATOR '/' enum redis_input_state { + /* expecting +OK reply for AUTH */ + REDIS_INPUT_STATE_AUTH, /* expecting +OK reply for SELECT */ REDIS_INPUT_STATE_SELECT, /* expecting $-1 / $ followed by GET reply */ @@ -45,7 +47,7 @@ struct redis_dict { struct dict dict; - char *username, *key_prefix, *expire_value; + char *username, *password, *key_prefix, *expire_value; unsigned int timeout_msecs, db_id; struct ioloop *ioloop, *prev_ioloop; @@ -219,6 +221,7 @@ switch (state) { case REDIS_INPUT_STATE_GET: i_unreached(); + case REDIS_INPUT_STATE_AUTH: case REDIS_INPUT_STATE_SELECT: case REDIS_INPUT_STATE_MULTI: case REDIS_INPUT_STATE_DISCARD: @@ -348,6 +351,7 @@ i_unreached(); dict->timeout_msecs = REDIS_DEFAULT_LOOKUP_TIMEOUT_MSECS; dict->key_prefix = i_strdup(""); + dict->password = i_strdup(""); args = t_strsplit(uri, ":"); for (; *args != NULL; args++) { 
@@ -390,6 +394,9 @@ "Invalid timeout_msecs: %s", *args+14); ret = -1; } + } else if (strncmp(*args, "password=", 9) == 0) { + i_free(dict->password); + dict->password = i_strdup(*args + 9); } else { *error_r = t_strdup_printf("Unknown parameter: %s", *args); @@ -397,6 +404,7 @@ } } if (ret < 0) { + i_free(dict->password); i_free(dict->key_prefix); i_free(dict); return -1; @@ -439,6 +447,7 @@ array_free(&dict->input_states); i_free(dict->expire_value); i_free(dict->key_prefix); + i_free(dict->password); i_free(dict->username); i_free(dict); @@ -470,6 +479,19 @@ return key; } +static void redis_dict_auth(struct redis_dict *dict) +{ + const char *cmd; + + if (*dict->password == '\0') + return; + + cmd = t_strdup_printf("*2\r\n$4\r\nAUTH\r\n$%d\r\n%s\r\n", + (int)strlen(dict->password), dict->password); + o_stream_nsend_str(dict->conn.conn.output, cmd); + redis_input_state_add(dict, REDIS_INPUT_STATE_AUTH); +} + static void redis_dict_select_db(struct redis_dict *dict) { const char *cmd, *db_str; @@ -515,6 +537,8 @@ if (!dict->connected) { /* wait for connection */ io_loop_run(dict->ioloop); + if (dict->connected) + redis_dict_auth(dict); } if (dict->connected) { @@ -586,6 +610,8 @@ } else if (!dict->connected) { /* wait for connection */ redis_wait(dict); + if (dict->connected) + redis_dict_auth(dict); } if (dict->connected) redis_dict_select_db(dict); From aki.tuomi at dovecot.fi Thu Jun 30 11:30:11 2016 
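Review bot: in the "password=" branch added to the parameter loop (hunk @@ -390,6 +394,9), the value ends at the next ":" because the URI has already been split with t_strsplit(uri, ":"), so a Redis password that contains a colon is cut short and its remainder is then rejected as "Unknown parameter". Either state in the dict-redis documentation that password= cannot contain ":" or define an escape for it; the new parameter also needs a documentation entry of its own, since the patch adds none.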
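Review bot: redis_dict_auth() queues AUTH and returns without waiting for the reply, and REDIS_INPUT_STATE_AUTH simply joins the SELECT/MULTI/DISCARD case group (hunk @@ -219,6 +221,7), so the visible lines do not show what a rejected password looks like to the caller. Please confirm that an error reply to AUTH is reported as an authentication failure rather than surfacing only as failures of the SELECT and lookup commands queued behind it in the two "wait for connection" branches, and that the logged error does not include dict->password.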
From: aki.tuomi at dovecot.fi (Aki Tuomi)
Date: Thu, 30 Jun 2016 14:30:11 +0300
Subject: [patch] Support redis AUTH
In-Reply-To:
References:
Message-ID: <577502C3.5080205@dovecot.fi>

On 30.06.2016 13:45, Dave wrote:
>
> A very minor patch to support redis AUTH (for all that's worth)
> using an extra password= field. I'm not sure if this will be of any
> value to anyone here. We're testing it in development and "it works
> for us" but it's yet to be used in anger.
>
> Sorry if I'm going about this the wrong way, I tried emailing this
> directly but heard nothing back; so I'm reposting to the list as I'm
> honestly not sure what established protocol is regarding code
> contribution.
>

Hi!

Your patch is under consideration. Thank you for your contribution.

---
Aki Tuomi
Dovecot oy

From zedd at list.ru Thu Jun 30 11:31:07 2016
From: zedd at list.ru (=?UTF-8?B?0J3QuNC60L7Qu9Cw0Lkg0JzQsNC90LDQvdC60L7Qsg==?=)
Date: Thu, 30 Jun 2016 14:31:07 +0300
Subject: =?UTF-8?B?UmVbMl06IEV4dGVybmFsIG1haWwgYXR0YWNobWVudHMgc3RvcmFnZSBjbGVh?= =?UTF-8?B?bnVw?=
In-Reply-To: <49dc7835-515f-43c6-f807-a8b0b45907fa@mezonplus.ru>
References: <1467033075.442360294@f328.i.mail.ru> <1467280262.62820908@f268.i.mail.ru> <49dc7835-515f-43c6-f807-a8b0b45907fa@mezonplus.ru>
Message-ID: <1467286267.841941945@f419.i.mail.ru>

Yes "dovecot purge" is certainly my mistake in the script but it really works completely analogous "doveadm purge" probably why I did not notice the difference before :) It looks like it just launches the doveadm in this case.

Adding slashes after asterisks unfortunately they also adds to the variable and the script gives an error like "doveadm(user/@example.org/): Error: User doesn't exist"

Thanks for the idea, I think it will be now more correctly :

===
#!/bin/sh

cd /backup/MailRoot/dovecot/domains || exit 1

for i in *
 do
  if [ -d $i ]; then
     cd $i
       for j in *
        do
           if [ -d $j ]; then
               dovecot purge -u $j@$i
           fi
        done
      cd ..
  fi
 done
===

>Thursday, 30 June 2016, 13:53 +03:00 from Alexander Moisseev :
>
>On 30.06.16 12:51, Николай Мананков wrote:
>> -----screenshot begin-----
>>
>> mail:/etc/cron.daily # cat ./dovepurge.sh
>> #!/bin/sh
>>
>> cd /MailRoot/dovecot/domains
>>
>> for i in *
>> do
>> cd $i
>> for j in *; do dovecot purge -u $j@$i; done
>> cd ..
>> done
>>
>> -----screenshot end -----
>>
>It might be worth to add slashes after asterisks to process only directories.
>Does "dovecot purge" actually work?
>
>-----screenshot begin-----
>
>#!/bin/sh
>
>cd /MailRoot/dovecot/domains || exit 1
>
>for i in */
>   do
>    cd $i
>     for j in */; do doveadm purge -u $j@$i; done
>    cd ..
>done
>
>-----screenshot end -----
>
>> It is strange that the daemon does not do this automatically, and even setting up autoexpunge option does not help. Also IMHO certainly evident mistake in the documentation about the wildcards processing by purge command..
>
>I don't know how the developers themselves use Dovecot, but it lacks some obvious features like automatic purge or SIS cleanup on mailbox deletion.
>

From zedd at list.ru Thu Jun 30 11:33:30 2016
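The purge loop discussed in the two messages above, as an added example that is not code from either poster: it walks ROOT/<domain>/<user>/ with a "*/" glob so only directories match, strips the trailing slash that caused the "doveadm(user/@example.org/)" error, quotes every expansion and avoids cd. The function name purge_all, the PURGE_CMD override and the one-directory-per-user layout are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread's posters): purge every mailbox found
# under ROOT/<domain>/<user>/ without cd, with quoting, and without the
# trailing slash that a "*/" glob leaves on each name.
# Assumption: directory names map 1:1 to user@domain, as the thread describes.
# PURGE_CMD is a hypothetical override (command plus options) for dry runs.
PURGE_CMD=${PURGE_CMD:-doveadm purge -u}

# purge_all ROOT
# Returns 0 when every purge succeeded, 1 when ROOT is missing or any failed.
purge_all() {
    root=$1
    rc=0
    if [ ! -d "$root" ]; then
        echo "purge_all: not a directory: $root" >&2
        return 1
    fi
    for dpath in "$root"/*/; do
        [ -d "$dpath" ] || continue      # an unmatched glob stays literal
        dpath=${dpath%/}                 # "example.org/" -> "example.org"
        if [ -L "$dpath" ]; then continue; fi
        domain=${dpath##*/}
        for upath in "$dpath"/*/; do
            [ -d "$upath" ] || continue
            upath=${upath%/}
            # Skip symlinked directories so an alias is not purged twice.
            if [ -L "$upath" ]; then continue; fi
            user=${upath##*/}
            case "$user@$domain" in
                *" "*|*@*@*)
                    echo "purge_all: skipping odd name: $user@$domain" >&2
                    continue ;;
            esac
            # Unquoted on purpose: PURGE_CMD holds a command and its options.
            $PURGE_CMD "$user@$domain" || {
                echo "purge_all: purge failed for $user@$domain" >&2
                rc=1
            }
        done
    done
    return "$rc"
}

# Run only when installed under the script name used in the thread.
case ${0##*/} in
    dovepurge.sh) purge_all "${1:-/MailRoot/dovecot/domains}" ;;
esac
```

Setting PURGE_CMD="echo doveadm purge -u" prints the commands instead of running them, which is a quick way to check the user list before the cron job goes live.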
From: zedd at list.ru (=?UTF-8?B?0J3QuNC60L7Qu9Cw0Lkg0JzQsNC90LDQvdC60L7Qsg==?=)
Date: Thu, 30 Jun 2016 14:33:30 +0300
Subject: =?UTF-8?B?UmVbMl06IEV4dGVybmFsIG1haWwgYXR0YWNobWVudHMgc3RvcmFnZSBjbGVh?= =?UTF-8?B?bnVw?=
In-Reply-To: <49dc7835-515f-43c6-f807-a8b0b45907fa@mezonplus.ru>
References: <1467033075.442360294@f328.i.mail.ru> <1467280262.62820908@f268.i.mail.ru> <49dc7835-515f-43c6-f807-a8b0b45907fa@mezonplus.ru>
Message-ID: <1467286410.419750559@f382.i.mail.ru>

Yes "dovecot purge" is certainly my mistake in the script but it really works completely analogous "doveadm purge" probably why I did not notice the difference before :) It looks like it just launches the doveadm in this case.

Adding slashes after asterisks unfortunately they also adds to the variable and the script gives an error like "doveadm(user/@example.org/): Error: User doesn't exist"

Thanks for the idea, I think it will be now more correctly :

===
#!/bin/sh

cd /backup/MailRoot/dovecot/domains || exit 1

for i in *
 do
  if [ -d $i ]; then
     cd $i
       for j in *
        do
           if [ -d $j ]; then
               dovecot purge -u $j@$i
           fi
        done
      cd ..
  fi
 done
===

>Thursday, 30 June 2016, 13:53 +03:00 from Alexander Moisseev :
>
>On 30.06.16 12:51, Николай Мананков wrote:
>> -----screenshot begin-----
>>
>> mail:/etc/cron.daily # cat ./dovepurge.sh
>> #!/bin/sh
>>
>> cd /MailRoot/dovecot/domains
>>
>> for i in *
>> do
>> cd $i
>> for j in *; do dovecot purge -u $j@$i; done
>> cd ..
>> done
>>
>> -----screenshot end -----
>>
>It might be worth to add slashes after asterisks to process only directories.
>Does "dovecot purge" actually work?
>
>-----screenshot begin-----
>
>#!/bin/sh
>
>cd /MailRoot/dovecot/domains || exit 1
>
>for i in */
>   do
>    cd $i
>     for j in */; do doveadm purge -u $j@$i; done
>    cd ..
>done
>
>-----screenshot end -----
>
>> It is strange that the daemon does not do this automatically, and even setting up autoexpunge option does not help. Also IMHO certainly evident mistake in the documentation about the wildcards processing by purge command..
>
>I don't know how the developers themselves use Dovecot, but it lacks some obvious features like automatic purge or SIS cleanup on mailbox deletion.
>

From mayuri.enggheads at gmail.com Thu Jun 30 11:41:49 2016
From: mayuri.enggheads at gmail.com (Mayuri AgarwAl)
Date: Thu, 30 Jun 2016 17:11:49 +0530
Subject: Remove my email id from mailing list
Message-ID:

Sent from my iPhone

From reuben-dovecot at reub.net Thu Jun 30 12:49:10 2016
From: reuben-dovecot at reub.net (Reuben Farrelly)
Date: Thu, 30 Jun 2016 22:49:10 +1000
Subject: Unread Mail flag being reset frequently with dovecot -git master-2.2
In-Reply-To: <2A4D69F8-D9AB-4881-B8DB-14BD7252CB6E@iki.fi>
References: <3d43142a-edd6-8f94-f363-1602798dedfd@reub.net> <2A4D69F8-D9AB-4881-B8DB-14BD7252CB6E@iki.fi>
Message-ID: <1471b6a7-169f-e47b-696d-d16a07136c61@reub.net>

On 30/06/2016 1:41 AM, Timo Sirainen wrote:
> On 24 Jun 2016, at 06:18, Reuben Farrelly wrote:
>> Hi again,
>>
>> I'm experiencing problems with the Dovecot git master-2.2 branch, in which mails that have been previously read are randomly appearing as unread. This happens slowly and affects more and more emails the more changes that occur to a mailbox.
>>
>> I am using Maildir format and on Gentoo Linux x86_64 on local disks.
>>
>> Usually only a few at a time change their status - and it seems to be random which ones lose their read status. Typically though they are the most recent emails that have been delivered in the past few months (I haven't yet seen this occur with any really old emails).
> Most likely fixed by: https://github.com/dovecot/core/commit/0649b7a1656bd98d95cdf40a98d47cff9c8de9f8

Indeed. After 12+ hours of use and replication everything looks to now be stable again in master-2.2. No outstanding issues and no problems seen.

Thanks!

Reuben

From tss at iki.fi Thu Jun 30 12:49:50 2016
From: tss at iki.fi (Timo Sirainen)
Date: Thu, 30 Jun 2016 15:49:50 +0300
Subject: v2.2.25 release candidate released
Message-ID: <579B0EF1-E355-447A-8214-9E885B1E4DF6@iki.fi>

http://dovecot.org/releases/2.2/rc/dovecot-2.2.25.rc1.tar.gz
http://dovecot.org/releases/2.2/rc/dovecot-2.2.25.rc1.tar.gz.sig

Quite a lot of changes. Please test out before the final v2.2.25 release, which I'm planning for tomorrow. Especially the new lib-dcrypt might have compiling problems with some OpenSSL versions.

	* lmtp: Start tracking lmtp_user_concurrency_limit and reject already
	  at RCPT TO stage. This avoids MTA unnecessarily completing DATA only
	  to get an error.
	* doveadm: Previously only mail settings were read from protocol
	  doveadm { .. } section. Now all settings are.

	+ quota: Added quota_over_flag_lazy_check setting. It avoids checking
	  quota_over_flag always at startup. Instead it's checked only when
	  quota is being read for some other purpose.
	+ auth: Added a new auth policy service:
	  http://wiki2.dovecot.org/Authentication/Policy
	+ auth: Added PBKDF2 password scheme
	+ auth: Added %{auth_user}, %{auth_username} and %{auth_domain}
	+ auth: Added ":remove" suffix to extra field names to remove them.
	+ auth: Added "delay_until=[+]" passdb
	  extra field. The auth will wait until and optionally some
	  randomness and then return success.
	+ dict proxy: Added idle_msecs= parameter. Support async operations.
	+ Performance improvements for handling large mailboxes.
	+ Added lib-dcrypt API for providing cryptographic functions.
	+ Added "doveadm mailbox update" command
	+ imap commands' output now includes timing spent on the "syncing"
	  stage if it's larger than 0.
	+ cassandra: Added metrics= to connect setting to output internal
	  statistics in JSON format every second to .
	+ doveadm mailbox delete: Added -e parameter to delete only empty
	  mailboxes. Added --unsafe option to quickly delete a mailbox,
	  bypassing lazy_expunge and quota plugins.
	+ doveadm user & auth cache flush are now available via doveadm-server.
	+ doveadm service stop will stop specified services while
	  leaving the rest of Dovecot running.
	+ quota optimization: Avoid reading mail sizes for backends which
	  don't need them (count, fs, dirsize)
	+ Added mailbox { autoexpunge_max_mails= } setting.
	+ Added welcome plugin: http://wiki2.dovecot.org/Plugins/Welcome
	+ fts: Added fts_autoindex_exclude setting.
	- v2.2.24's MIME parser was assert-crashing on mails having truncated
	  MIME headers.
	- auth: With multiple userdbs the final success/failure result wasn't
	  always correct. The last userdb's result was always used.
	- doveadm backup was sometimes deleting entire mailboxes unnecessarily.
	- doveadm: Command -parameters weren't being sent to doveadm-server.
	- If dovecot.index read failed e.g. because mmap() reached VSZ limit,
	  an empty index could have been opened instead, corrupting the
	  mailbox state.
	- imapc: Fixed EXPUNGE handling when imapc_features didn't have modseq.
	- lazy-expunge: Fixed a crash when copying failed. Various other fixes.
	- fts-lucene: Fixed crash on index rescan.
	- auth_stats=yes produced broken output
	- dict-ldap: Various fixes
	- dict-sql: NULL values crashed. Now they're treated as "not found".

From russell at stuart.id.au Thu Jun 30 11:24:23 2016
From: russell at stuart.id.au (Russell Stuart)
Date: Thu, 30 Jun 2016 21:24:23 +1000
Subject: filtering ssl_cert
Message-ID: <1467285863.4332.13.camel@stuart.id.au>

In dovecot 1 I was able to do something like this:

protocol imap {
  ssl_cert = cert-imap.pem
  ssl_key  = key-imap.pem
}
local ww.xx.yy.zz {
  protocol imap {
    ssl_cert = cert-imap-ww.xx.yy.zz.pem
    ssl_key  = key-imap-ww.xx.yy.zz.pem
  }
}

The intent is ww.xx.yy.zz is an externally routable IP address which has a Cert signed by a real CA, other addresses are internal which have a variety of domain names, signed by a self-signed cert.

That worked in dovecot 1, but in dovecot 2 I get the error: "Conflict in setting ssl_cert found from filter". Weirdly, this works in dovecot 2:

  local 0.0.0.0/0 {
    ssl_cert = cert-imap.pem
    ssl_key  = key-imap.pem
  }
  local ww.xx.yy.zz {
    ssl_cert = cert-imap-ww.xx.yy.zz.pem
    ssl_key  = key-imap-ww.xx.yy.zz.pem
  }

But this doesn't:

  local 0.0.0.0/0 {
    protocol imap {
      ssl_cert = cert-imap.pem
      ssl_key  = key-imap.pem
    }
  }
  local ww.xx.yy.zz {
    protocol imap {
      ssl_cert = cert-imap-ww.xx.yy.zz.pem
      ssl_key  = key-imap-ww.xx.yy.zz.pem
    }
  }

It smells like a bug. Anyway, does anybody know of a way to port my config to dovecot 2?

From Christoph at plmail.de Thu Jun 30 12:56:22 2016
From: Christoph at plmail.de (Christoph Pleger)
Date: Thu, 30 Jun 2016 14:56:22 +0200
Subject: Error when searching in mailfolders
Message-ID: <824c05dc4308c87ffd7cb9308a5e6324.squirrel@webmail.plmail.de>

Hello,

>>> Lucene library is throwing an error, which crashes Dovecot. Maybe Dovecot
>>> should catch the error, but it would still be broken. Try deleting the
lucene indexes and rebuilding them?
>> Deleting the indexes helped, but after they had been rebuilt, the error
occurred again.

> Could you enable core dumps and run bt full in gdb?

I attached the result.

Regards
  Christoph
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: gdb.txt
URL:

From tss at iki.fi Thu Jun 30 13:11:05 2016
From: tss at iki.fi (Timo Sirainen)
Date: Thu, 30 Jun 2016 16:11:05 +0300
Subject: Error when searching in mailfolders
In-Reply-To: <824c05dc4308c87ffd7cb9308a5e6324.squirrel@webmail.plmail.de>
References: <824c05dc4308c87ffd7cb9308a5e6324.squirrel@webmail.plmail.de>
Message-ID:

> On 30 Jun 2016, at 15:56, Christoph Pleger wrote:
>
> Hello,
>
>>>> Lucene library is throwing an error, which crashes Dovecot. Maybe Dovecot
>>>> should catch the error, but it would still be broken. Try deleting the
> lucene indexes and rebuilding them?
>>> Deleting the indexes helped, but after they had been rebuilt, the error
> occurred again.
>
>> Could you enable core dumps and run bt full in gdb?
>
> I attached the result.

It crashes in:

    _CLTHROWA(CL_ERR_IllegalArgument, "language not available for stemming\n"); //todo: richer error

So looks like you're trying to use an unknown language. If you have only a single language, don't enable textcat. Or if you do, I guess you need to disable some languages that Snowball doesn't like.

Yet another possibility could be to use Dovecot's new lib-fts, which can also be used with fts-lucene. It's still basically the same snowball+textcat though, but made to work better. But looks like it's not documented yet in wiki..

From tss at iki.fi Thu Jun 30 13:25:47 2016
From: tss at iki.fi (Timo Sirainen)
Date: Thu, 30 Jun 2016 16:25:47 +0300
Subject: v2.2.25 release candidate released
In-Reply-To: <579B0EF1-E355-447A-8214-9E885B1E4DF6@iki.fi>
References: <579B0EF1-E355-447A-8214-9E885B1E4DF6@iki.fi>
Message-ID: <4B544EF0-B1C9-4405-B7B2-C7F01A9620E0@iki.fi>

On 30 Jun 2016, at 15:49, Timo Sirainen wrote:
>
> http://dovecot.org/releases/2.2/rc/dovecot-2.2.25.rc1.tar.gz
> http://dovecot.org/releases/2.2/rc/dovecot-2.2.25.rc1.tar.gz.sig
>
> Quite a lot of changes. Please test out before the final v2.2.25 release, which I'm planning for tomorrow. Especially the new lib-dcrypt might have compiling problems with some OpenSSL versions.

Oh, forgot to include https://github.com/dovecot/core/commit/3c432ac593a4df5658eec0e88e03285a1345a75a in there. Just means that stopping Dovecot takes a few seconds longer than normally.

From sr42354 at gmail.com Thu Jun 30 13:41:50 2016
From: sr42354 at gmail.com (Sam)
Date: Thu, 30 Jun 2016 15:41:50 +0200
Subject: Dictionary quota with Flat file database
Message-ID: <2aae7ec7-a765-2603-1ed6-ec790aa8c422@gmail.com>

Hello,

I want specific quotas for certain users and I looking for doing that
with dictionary quota backend and Flat file.

Because I am using "active directory" with PAM for authenticate, I can't
get per-user quota limits with set/override them by returning
"quota_rule" extra field from userdb.

I started reading http://wiki1.dovecot.org/Quota/Dict, saw some good
stuff...

The problem is that I don't understand how to set the limit in the users
files.

If I open one created file I only see the current number of messages and
the actual size. Not the quota limits...

vi /home/vmail/john.doe/Maildir/dovecot-quota :
priv/quota/messages
13
priv/quota/storage
600201

Here is /etc/dovecot/conf.d/90-quota.conf file details :
plugin {
   # I think I have to set the default limits here
   quota_rule = *:storage=10G:messages=10000
}
...
plugin {
   quota = dict:user::file:%h/Maildir/dovecot-quota
   # same result with :
   # quota = dict:User::file:%h/Maildir/dovecot-quota
}

my server : CentOS Linux release 7.2.1511
dovecot : dovecot-2.2.10-5.el7.x86_64

Thanks for helping.
Sam

From lista at xdrv.co.uk Thu Jun 30 13:57:15 2016
From: lista at xdrv.co.uk (James)
Date: Thu, 30 Jun 2016 14:57:15 +0100
Subject: v2.2.25 release candidate released
In-Reply-To: <579B0EF1-E355-447A-8214-9E885B1E4DF6@iki.fi>
References: <579B0EF1-E355-447A-8214-9E885B1E4DF6@iki.fi>
Message-ID:

On 30/06/2016 13:49, Timo Sirainen wrote:
> http://dovecot.org/releases/2.2/rc/dovecot-2.2.25.rc1.tar.gz

Compiling on Solaris with studio compiler gives:

"dcrypt.c", line 139: void function cannot return value
cc: acomp failed for dcrypt.c

--- ../original/src/lib-dcrypt/dcrypt.c 2016-06-27 10:05:04.000000000 +0100 +++ src/lib-dcrypt/dcrypt.c 2016-06-30 14:12:29.466826659 +0100
@@ -136,7 +136,7 @@ void dcrypt_ctx_sym_set_padding(struct dcrypt_context_symmetric *ctx, bool padding) { - return dcrypt_vfs->ctx_sym_set_padding(ctx, padding); + dcrypt_vfs->ctx_sym_set_padding(ctx, padding); } bool dcrypt_ctx_hmac_create(const char *algorithm, struct dcrypt_context_hmac **ctx_r, const char **error_r) From aki.tuomi at dovecot.fi Thu Jun 30 14:13:30 2016 
From: aki.tuomi at dovecot.fi (aki.tuomi at dovecot.fi)
Date: Thu, 30 Jun 2016 17:13:30 +0300 (EEST)
Subject: Dictionary quota with Flat file database
In-Reply-To: <2aae7ec7-a765-2603-1ed6-ec790aa8c422@gmail.com>
References: <2aae7ec7-a765-2603-1ed6-ec790aa8c422@gmail.com>
Message-ID: <750244010.240.1467296011910@appsuite-dev.open-xchange.com>

> On June 30, 2016 at 4:41 PM Sam wrote:
>
>
> Hello,
>
> I want specific quotas for certain users and I looking for doing that
> with dictionary quota backend and Flat file.
>
> Because I am using "active directory" with PAM for authenticate, I can't
> get per-user quota limits with set/override them by returning
> "quota_rule" extra field from userdb.
>
> I started reading http://wiki1.dovecot.org/Quota/Dict, saw some good
> stuff...
>
> The problem is that I don't understand how to set the limit in the users
> files.
>
> If I open one created file I only see the current number of messages and
> the actual size. Not the quota limits...
>
> vi /home/vmail/john.doe/Maildir/dovecot-quota :
> priv/quota/messages
> 13
> priv/quota/storage
> 600201
>
> Here is /etc/dovecot/conf.d/90-quota.conf file details :
> plugin {
> # I think I have to set the default limits here
> quota_rule = *:storage=10G:messages=10000
> }
> ...
> plugin {
> quota = dict:user::file:%h/Maildir/dovecot-quota
> # same result with :
> # quota = dict:User::file:%h/Maildir/dovecot-quota
> }
>
> my server : CentOS Linux release 7.2.1511
> dovecot : dovecot-2.2.10-5.el7.x86_64
>
> Thanks for helping.
> Sam

Hi!

You can use passwd-file userdb for setting additional attributes.

Aki

From odhiambo at gmail.com Thu Jun 30 14:26:29 2016
From: odhiambo at gmail.com (Odhiambo Washington)
Date: Thu, 30 Jun 2016 17:26:29 +0300
Subject: v2.2.25 release candidate released
In-Reply-To: <579B0EF1-E355-447A-8214-9E885B1E4DF6@iki.fi>
References: <579B0EF1-E355-447A-8214-9E885B1E4DF6@iki.fi>
Message-ID:

FreeBSD 9.3-STABLE FreeBSD 9.3-STABLE amd64:

[wash at waridi ~/Tools/Dovecot/2.2/dovecot-2.2.25.rc1]$ make
make all-recursive
Making all in .
/bin/sh ./update-version.sh . .
Making all in src
Making all in lib-test
Making all in lib
make all-am
/bin/sh ../../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I../.. -std=gnu99 -g -O2 -Wall -W -Wmissing-prototypes -Wmissing-declarations -Wpointer-arith -Wchar-subscripts -Wformat=2 -Wbad-function-cast -fno-builtin-strftime -Wstrict-aliasing=2 -I/usr/local/include -MT guid.lo -MD -MP -MF .deps/guid.Tpo -c -o guid.lo guid.c
libtool: compile: gcc -DHAVE_CONFIG_H -I. -I../.. -std=gnu99 -g -O2 -Wall -W -Wmissing-prototypes -Wmissing-declarations -Wpointer-arith -Wchar-subscripts -Wformat=2 -Wbad-function-cast -fno-builtin-strftime -Wstrict-aliasing=2 -I/usr/local/include -MT guid.lo -MD -MP -MF .deps/guid.Tpo -c guid.c -fPIC -DPIC -o .libs/guid.o
In file included from guid.c:6:
sha1.h:80: error: static or type qualifiers in abstract declarator
*** [guid.lo] Error code 1

Stop in /usr/home/wash/Tools/Dovecot/2.2/dovecot-2.2.25.rc1/src/lib.
*** [all] Error code 1

Stop in /usr/home/wash/Tools/Dovecot/2.2/dovecot-2.2.25.rc1/src/lib.
*** [all-recursive] Error code 1

Stop in /usr/home/wash/Tools/Dovecot/2.2/dovecot-2.2.25.rc1/src.
*** [all-recursive] Error code 1

Stop in /usr/home/wash/Tools/Dovecot/2.2/dovecot-2.2.25.rc1.
*** [all] Error code 1

Stop in /usr/home/wash/Tools/Dovecot/2.2/dovecot-2.2.25.rc1.
[wash at waridi ~/Tools/Dovecot/2.2/dovecot-2.2.25.rc1]$

On 30 June 2016 at 15:49, Timo Sirainen wrote:

> http://dovecot.org/releases/2.2/rc/dovecot-2.2.25.rc1.tar.gz
> http://dovecot.org/releases/2.2/rc/dovecot-2.2.25.rc1.tar.gz.sig
>
> Quite a lot of changes. Please test out before the final v2.2.25 release,
> which I'm planning for tomorrow. Especially the new lib-dcrypt might have
> compiling problems with some OpenSSL versions.
>
>         * lmtp: Start tracking lmtp_user_concurrency_limit and reject
> already
>           at RCPT TO stage. This avoids MTA unnecessarily completing DATA
> only
>           to get an error.
>         * doveadm: Previously only mail settings were read from protocol
>           doveadm { .. } section. Now all settings are.
>
>         + quota: Added quota_over_flag_lazy_check setting. It avoids
> checking
>           quota_over_flag always at startup. Instead it's checked only when
>           quota is being read for some other purpose.
>         + auth: Added a new auth policy service:
>           http://wiki2.dovecot.org/Authentication/Policy
>         + auth: Added PBKDF2 password scheme
>         + auth: Added %{auth_user}, %{auth_username} and %{auth_domain}
>         + auth: Added ":remove" suffix to extra field names to remove them.
>         + auth: Added "delay_until=[+]" passdb
>           extra field. The auth will wait until and optionally
> some
>           randomness and then return success.
>         + dict proxy: Added idle_msecs= parameter. Support async
> operations.
>         + Performance improvements for handling large mailboxes.
>         + Added lib-dcrypt API for providing cryptographic functions.
>         + Added "doveadm mailbox update" command
>         + imap commands' output now includes timing spent on the "syncing"
>           stage if it's larger than 0.
>         + cassandra: Added metrics= to connect setting to output
> internal
>           statistics in JSON format every second to .
>         + doveadm mailbox delete: Added -e parameter to delete only empty
>           mailboxes. Added --unsafe option to quickly delete a mailbox,
>           bypassing lazy_expunge and quota plugins.
>         + doveadm user & auth cache flush are now available via
> doveadm-server.
>         + doveadm service stop will stop specified services
> while
>           leaving the rest of Dovecot running.
>         + quota optimization: Avoid reading mail sizes for backends which
>           don't need them (count, fs, dirsize)
>         + Added mailbox { autoexpunge_max_mails= } setting.
>         + Added welcome plugin: http://wiki2.dovecot.org/Plugins/Welcome
>         + fts: Added fts_autoindex_exclude setting.
>         - v2.2.24's MIME parser was assert-crashing on mails having
> truncated
>           MIME headers.
>         - auth: With multiple userdbs the final success/failure result
> wasn't
>           always correct. The last userdb's result was always used.
>         - doveadm backup was sometimes deleting entire mailboxes
> unnecessarily.
>         - doveadm: Command -parameters weren't being sent to
> doveadm-server.
>         - If dovecot.index read failed e.g. because mmap() reached VSZ
> limit,
>           an empty index could have been opened instead, corrupting the
>           mailbox state.
>         - imapc: Fixed EXPUNGE handling when imapc_features didn't have
> modseq.
>         - lazy-expunge: Fixed a crash when copying failed. Various other
> fixes.
>         - fts-lucene: Fixed crash on index rescan.
>         - auth_stats=yes produced broken output
>         - dict-ldap: Various fixes
>         - dict-sql: NULL values crashed. Now they're treated as "not
> found".
>

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."

From me at junc.eu Thu Jun 30 14:50:10 2016
From: me at junc.eu (Benny Pedersen)
Date: Thu, 30 Jun 2016 16:50:10 +0200
Subject: Remove my email id from mailing list
In-Reply-To:
References:
Message-ID: <32dcc0f494e9fa791bca343bd7d58ec0@junc.eu>

On 2016-06-30 13:41, Mayuri AgarwAl wrote:
> Sent from my iPhone

one day apple will add https://www.rfc-editor.org/info/rfc2919 into their ios devices, so users don't post help me get out of maillist that was equal hard to join :=)

to be polite i will post this link here as well

http://dovecot.org/mailinglists.html

From tss at iki.fi Thu Jun 30 15:18:01 2016
From: tss at iki.fi (Timo Sirainen)
Date: Thu, 30 Jun 2016 18:18:01 +0300
Subject: v2.2.25 release candidate released
In-Reply-To:
References: <579B0EF1-E355-447A-8214-9E885B1E4DF6@iki.fi>
Message-ID: <32BEE787-BB42-49F6-BA45-368EAA10803D@iki.fi>

On 30 Jun 2016, at 17:26, Odhiambo Washington wrote:
>
> FreeBSD 9.3-STABLE FreeBSD 9.3-STABLE amd64:
>
> sha1.h:80: error: static or type qualifiers in abstract declarator

What gcc version is this? It should have been valid C99 code, so I expected it to work without any special version checks..

From jcblanco at fi.upm.es Thu Jun 30 15:41:29 2016
From: jcblanco at fi.upm.es (Juan C. Blanco)
Date: Thu, 30 Jun 2016 17:41:29 +0200
Subject: v2.2.25 release candidate released
In-Reply-To: <32BEE787-BB42-49F6-BA45-368EAA10803D@iki.fi>
References: <579B0EF1-E355-447A-8214-9E885B1E4DF6@iki.fi> <32BEE787-BB42-49F6-BA45-368EAA10803D@iki.fi>
Message-ID:

On 30/06/2016 17:18, Timo Sirainen wrote:
> On 30 Jun 2016, at 17:26, Odhiambo Washington wrote:
>>
>> FreeBSD 9.3-STABLE FreeBSD 9.3-STABLE amd64:
>>
>> sha1.h:80: error: static or type qualifiers in abstract declarator
>
> What gcc version is this? It should have been valid C99 code, so I expected it to work without any special version checks..

Compiling in CentOS 5.11 with GCC 4.1.2 gives the same error, and a problem with missing openssl/ec.h with OpenSSL 0.9.8e also (I've posted a message about this issue)

--
+-------------------------------------------------------------------+
| Juan C. Blanco                                                    |
|                                                                   |
| Centro de Calculo                  |                              |
| E.T.S. Ingenieros Informáticos     | E-mail: jcblanco at fi.upm.es|
| Universidad Politécnica de Madrid  |                              |
| Campus de Montegancedo             |                              |
| Boadilla del Monte                 | Tel.: (+34) 91 336 7466      |
| 28660 MADRID (Spain)               | Fax : (+34) 91 336 6913      |
+-------------------------------------------------------------------+

From Christoph at plmail.de Thu Jun 30 16:21:19 2016
From: Christoph at plmail.de (Christoph Pleger)
Date: Thu, 30 Jun 2016 18:21:19 +0200
Subject: Error when searching in mailfolders
In-Reply-To:
References: <824c05dc4308c87ffd7cb9308a5e6324.squirrel@webmail.plmail.de>
Message-ID:

Hello,

>>> Could you enable core dumps and run bt full in gdb?
>>
>> I attached the result.
>
> It crashes in:
>
> _CLTHROWA(CL_ERR_IllegalArgument, "language not available for
> stemming\n"); //todo: richer error
>
> So looks like you're trying to use an unknown language. If you have only a
> single language, don't enable textcat. Or if you do, I guess you need to
> disable some languages that Snowball doesn't like.

I added option no_snowball in 90-plugin.conf, that helped.

Regards
Christoph

From marti1234 at gmail.com Thu Jun 30 20:20:08 2016
From: marti1234 at gmail.com (Marti Markov)
Date: Thu, 30 Jun 2016 21:20:08 +0100
Subject: Shared mailboxes not showing up in shared namespace
Message-ID: <2EDBDF5A-1F0D-4617-BF6F-6CE32E6BE969@gmail.com>

Hi,

I think I have configured everything correctly but for some reason I can't get a list of the shared mailboxes to show up.

When I run:

doveadm acl debug -u m.markov Shared/d.marteva/INBOX
doveadm(root): Debug: Skipping module doveadm_fts_plugin, because dlopen() failed: /usr/lib/dovecot/modules/doveadm/lib20_doveadm_fts_plugin.so: undefined symbol: fts_backend_rescan (this is usually intentional, so just ignore this message)
doveadm(m.markov): Debug: Added userdb setting: plugin/=yes
doveadm(m.markov): Debug: Effective uid=1000, gid=1000, home=/home/vmail/domain.com/m.markov
doveadm(m.markov): Debug: Namespace inbox: type=private, prefix=, sep=/, inbox=yes, hidden=no, list=yes, subscriptions=yes location=maildir:~/Maildir
doveadm(m.markov): Debug: maildir++: root=/home/vmail/domain.com/m.markov/Maildir, index=, indexpvt=, control=, inbox=/home/vmail/domain.com/m.markov/Maildir, alt=
doveadm(m.markov): Debug: acl: initializing backend with data: vfile
doveadm(m.markov): Debug: acl: acl username = m.markov at domain.com
doveadm(m.markov): Debug: acl: owner = 1
doveadm(m.markov): Debug: acl vfile: Global ACLs disabled [ Read 8 lines ]
doveadm(m.markov): Debug: Namespace : type=public, prefix=Public/, sep=/, inbox=no, hidden=no, list=yes, subscriptions=yes location=maildir:/home/vmail/Public:INDEXPVT=~/Maildir/Publics
doveadm(m.markov): Debug: maildir++: root=/home/vmail/Public, index=, indexpvt=/home/vmail/domain.com/m.markov/Maildir/Public, control=, inbox=, alt=ext ^T To Spell
doveadm(m.markov): Debug: acl: initializing backend with data: vfile
doveadm(m.markov): Debug: acl: acl username = m.markov at domain.com
doveadm(m.markov): Debug: acl: owner = 0
doveadm(m.markov): Debug: acl vfile: Global ACLs disabled
doveadm(m.markov): Debug: Namespace : type=shared, prefix=Shared/%u/, sep=/, inbox=no, hidden=no, list=yes, subscriptions=yes location=maildir:/home/vmail/domain.com/%u/Maildir:INDEXPVT=~/Maildir/shared/%u
doveadm(m.markov): Debug: shared: root=/var/run/dovecot, index=, indexpvt=, control=, inbox=, alt=
doveadm(m.markov): Debug: acl: initializing backend with data: vfile
doveadm(m.markov): Debug: acl: acl username = m.markov at domain.com
doveadm(m.markov): Debug: acl: owner = 0
doveadm(m.markov): Debug: acl vfile: Global ACLs disabled
doveadm(m.markov): Debug: maildir++: root=/home/vmail/domain.com/d.marteva/Maildir, index=, indexpvt=/home/vmail//d.marteva/Maildir/shared/d.marteva, control=, inbox=/home/vmail/domain.com/d.marteva/Maildir, alt=
doveadm(m.markov): Debug: acl: initializing backend with data: vfile
doveadm(m.markov): Debug: acl: acl username = d.marteva
doveadm(m.markov): Debug: acl: owner = 1
doveadm(m.markov): Debug: acl vfile: Global ACLs disabled
doveadm(m.markov): Debug: maildir++: root=/home/vmail/domain.com/d.marteva/Maildir, index=, indexpvt=/home/vmail/domain.com/m.markov/Maildir/shared/d.marteva, control=, inbox=/home/vmail/domain.com/d.marteva/Maildir, alt=
doveadm(m.markov): Debug: acl: initializing backend with data: vfile
doveadm(m.markov): Debug: acl: acl username = m.markov at domain.com
doveadm(m.markov): Debug: acl: owner = 0
doveadm(m.markov): Debug: acl vfile: Global ACLs disabled
doveadm(m.markov): Info: Mailbox 'INBOX' is in namespace 'Shared/d.marteva/'
doveadm(m.markov): Info: Mailbox path: /home/vmail/domain.com/d.marteva/Maildir
doveadm(m.markov): Info: Per-user private flags in mailbox: \Seen
doveadm(m.markov): Debug: acl vfile: reading file /home/vmail/domain.com/d.marteva/Maildir/dovecot-acl
doveadm(m.markov): Info: User m.markov at domain.com has rights: lookup read write create
doveadm(m.markov): Info: Mailbox found from dovecot-acl-list
doveadm(m.markov): Info: User d.marteva found from ACL shared dict
doveadm(m.markov): Info: Mailbox Shared/d.marteva/INBOX is visible in LIST

Here is how I have defined the namespace:

namespace {
  type = shared
  separator = /
  prefix = Shared/%%u/
  # a) Per-user seen flags. Maildir indexes are shared. (INDEXPVT requires v2.2+)
  location = maildir:/home/vmail/domain.com/%%u/Maildir:INDEXPVT=~/Maildir/shared/%%u
  # b) Per-user seen flags. Maildir indexes are not shared. If users have direct
  # filesystem level access to their mails, this is a safer option:
  #location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u:INDEXPVT=~/Maildir/shared/%%u
  subscriptions = yes
  # list = children
  list=yes
}

And here is the ACL config:

plugin {
  #acl = vfile:/etc/dovecot/global-acls:cache_secs=300
  acl = vfile
}

# To let users LIST mailboxes shared by other users, Dovecot needs a
# shared mailbox dictionary. For example:
plugin {
  #acl_shared_dict = file:/var/lib/dovecot/shared-mailboxes
  acl_shared_dict = file:/home/vmail/domain.com/shared-mailboxes2
  #acl_lookup_dict = file:/home/vmail/domain.com/shared-mailboxes
}

Any suggestions?

From news at mefox.org Thu Jun 30 20:59:17 2016
From: news at mefox.org (Michael Fox)
Date: Thu, 30 Jun 2016 13:59:17 -0700
Subject: quota-status service
Message-ID: <022201d1d312$44cd1ca0$ce6755e0$@mefox.org>

I'm trying to understand the quota-status service, but I can't find complete documentation.

The quota-status service is mentioned here: http://wiki.dovecot.org/Quota

And an example configuration is shown:

service quota-status {
    executable = quota-status -p postfix
    inet_listener {
        port = 12340
        # You can choose any port you want
    }
    client_limit = 1
}

But I can't find any information on quota-status. "man quota-status" returns nothing. I am unable to find a "quota-status" file on my machine.

Where is the executable located?
What does the "-p postfix" option do?
Are there any other command line options?

The above wiki page shows three quota_status_* options in use:

quota_status_success = DUNNO
quota_status_nouser = DUNNO
quota_status_overquota = "552 5.2.2 Mailbox is full"

Where are their meanings documented?
What are the allowed values?
Are there other quota_status_* options?

Thanks in advance.

Thanks,
Michael

From felipe at felipegasper.com Thu Jun 30 19:36:26 2016
From: felipe at felipegasper.com (Felipe Gasper)
Date: Thu, 30 Jun 2016 14:36:26 -0500
Subject: quota_full_tempfail
Message-ID: <4DFA9049-8581-4738-A485-44797EABBFA7@felipegasper.com>

Hi all,

What specifically does this flag do? Does it affect what happens:

--------------
- when the drive is full?
- when the system user's disk quota is full?
- when the mailbox's quota is full?
--------------

Also, does it work with both LDA and LMTP?

I don't see much on this option in the docs.

Thank you!

-Felipe Gasper
Houston, TX

From stephan at rename-it.nl Thu Jun 30 23:42:54 2016
From: stephan at rename-it.nl (Stephan Bosch)
Date: Fri, 1 Jul 2016 01:42:54 +0200
Subject: Released Pigeonhole v0.4.15.rc1 for Dovecot v2.2.25.rc1.
Message-ID: <4d9f5b0e-7dce-85f0-1dde-437b8c77896d@rename-it.nl>

Hello Dovecot users,

This upcoming release is all about bug fixes, of which only one is really important. It affects the new imapsieve plugin.

Changelog v0.4.15:

 - imapsieve plugin: For any mail transaction, the mailbox was opened a
   second time, even if no mailbox rule matched. This was unintentional,
   useless and caused problems when the imapsieve plugin was used with
   other plugins like acl.
 - extprograms plugin: Significantly improved error handling. No stream
   errors were logged.
 - Several small fixes based on static analysis.

The release is available as follows:

http://pigeonhole.dovecot.org/releases/2.2/rc/dovecot-2.2-pigeonhole-0.4.15.rc1.tar.gz
http://pigeonhole.dovecot.org/releases/2.2/rc/dovecot-2.2-pigeonhole-0.4.15.rc1.tar.gz.sig

Refer to http://pigeonhole.dovecot.org and the Dovecot v2.x wiki for more information. Have fun testing this release candidate and don't hesitate to notify me when there are any problems.

Regards,

--
Stephan Bosch
stephan at rename-it.nl
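
Added example, not part of any message in this archive and not Dovecot's code, relating to the quota-status configuration quoted in Michael Fox's message above: "quota-status -p postfix" speaks Postfix's SMTP access policy delegation protocol, and the quota_status_* values are the actions handed back to Postfix. The mock server, its mailbox table and all helper names are constructed for illustration; that the decision is made from the recipient and size attributes is an assumption of this sketch.

```python
import socket
import threading

# quota_status_* values from the wiki example quoted in the message.
QUOTA_STATUS = {"success": "DUNNO", "nouser": "DUNNO",
                "overquota": "552 5.2.2 Mailbox is full"}

def build_request(recipient, size):
    """Policy request: name=value lines, terminated by an empty line."""
    attrs = {"request": "smtpd_access_policy", "protocol_state": "RCPT",
             "recipient": recipient, "size": str(size)}
    for key, value in attrs.items():
        # A line break inside a value would smuggle extra attributes in.
        if "\n" in value or "\r" in value:
            raise ValueError("line break in attribute %r" % key)
    return "".join("%s=%s\n" % kv for kv in attrs.items()).encode() + b"\n"

def parse_request(data):
    lines = data.decode().split("\n\n", 1)[0].splitlines()
    return dict(line.split("=", 1) for line in lines if "=" in line)

def parse_response(data):
    """Return the action from an 'action=...' reply."""
    for line in data.decode().splitlines():
        if line.startswith("action="):
            return line[len("action="):]
    raise ValueError("no action= line in policy reply")

def mock_quota_status(conn, mailboxes):
    """Constructed stand-in for the service; mailboxes maps user -> free bytes."""
    req = parse_request(conn.recv(4096))
    free = mailboxes.get(req.get("recipient"))
    if free is None:
        key = "nouser"
    elif int(req.get("size", "0")) > free:
        key = "overquota"
    else:
        key = "success"
    conn.sendall(("action=%s\n\n" % QUOTA_STATUS[key]).encode())
    conn.close()

def ask(recipient, size, mailboxes):
    """Run one request/reply exchange over a local socket pair."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=mock_quota_status, args=(server, mailboxes))
    worker.start()
    client.sendall(build_request(recipient, size))
    reply = client.recv(4096)
    worker.join()
    client.close()
    return parse_response(reply)
```

DUNNO tells Postfix that this check has no opinion, so later restrictions still apply; with quota_status_nouser = DUNNO an unknown recipient is neither accepted nor rejected by this service, which leaves recipient validation to the rest of the Postfix configuration.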