March 2017 - dovecot - dovecot.org

doveadm proxy password
by Angel L. Mateo 20 Mar '17

20 Mar '17

Hi, I'm configuring a proxy host to connect to backend servers. As proxy is done based on an LDAP attribute of the user, I'm not using director. In the proxy server I have configured: doveadm_port = 24245 doveadm_password = secret And in the backend: service doveadm { inet_listener { port = 24245 } } local <mynetwork> { doveadm_password = secret } But when I run a doveadm command in the proxy I get: amateo_adm@musio10:/etc/dovecot/conf.d$ sudo doveadm quota get -u amateo(a)um.es doveadm(amateo(a)um.es): Error: doveadm authentication failed () doveadm(amateo(a)um.es): Error: myotis50.um.es:24245: Command quota get failed for amateo(a)um.es: EOF Quota name Type Value Limit % And in the backed I get: Mar 20 15:52:01 myotis50 dovecot: doveadm: Error: doveadm client authenticated with wrong password I have checked with tcpdump and in the command is sending the base64 encoding of "doveadmsecret" Any help? -- Angel L. Mateo Martínez Sección de Telemática Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA) http://www.um.es/atica Tfo: 868889150 Fax: 868888337

1 0

Re: Dovecot 2.2.27 proxy - enforcing per client IP connection limits
by Joseph Tam 20 Mar '17

20 Mar '17

Adi Pircalabu writes: > For us it is, we're periodically getting hammered by iOS devices that > try to open 300+ simultaneous IMAP connections for a single user from > the same IP, while the average hovers usually below 50 for the busier > mailboxes with many folders. Oh yeah, I've seen this. I think this happens when someone does a global pattern search, which causes the client to launch IMAP SEARCH commands on each and every mailbox. I've wondered whether installing Solr would alleviate this: it wouldn't directly address the connection limit problem, but perhaps it can return results fast enough to keep the concurrent connections count down. Can anyone with Solr installed confirm/refute this: does installing Solr keep iOS clients from roofing the connection count? Joseph Tam <jtam.home(a)gmail.com>

2 1

Mail restore and single storage attachement
by Jean-Luc Oms 20 Mar '17

20 Mar '17

Bonjour, I'm finishing the upgrade of an old installation of Dovecot/postfix mail system for my lab. In the configuration i plan ( dovecot 2.2.27 ), i choose to use: - mdbox format - single storage for attachements - 2 zfs file systems, one for mdboxes, the other for attachments The last tests before production concern my hability to restore a lost mail (or mailbox) ... (lot of changes when you are used to mbox format). 1) I uses doveadm import to restore part of mail from one of the zfs snapshot with a cde like: doveadm -Dv import -U bof2 -s -u bof2 mdbox:/mailpool/lirmm/.zfs/snapshot/zfs-auto-snap_frequent-2017-03-15-1645/vmail/bof2/mdbox Recup-AAAA mailbox AAAA I get this error: doveadm(bof2): Error: open() failed with file /mailpool/lirmm/.zfs/snapshot/zfs-auto-snap_frequent-2017-03-15-1645/vmail/bof2/mdbox/mailboxes/AAAA/dbox-Mails/dovecot.index.log: Read-only file system Thats right, my snapshot is ro, but why the import has to write to the source ? I'm missing something ? 2) I don't find any way to specify a source for attachements with the import command, then I first restore all the atachements from one snapshot, then make import, then purge. Is there a way to use a source for attachement file tree, or a command to find the mssing files for the import command ? Thanks -- __________________________________________ Jean-Luc Oms STI-RéseauX - LIRMM - CNRS/UM2 161 rue Ada - BAT 4 - CC 477 34095 Montpellier cedex 5 Tel +33 4 67 41 85 93 Urg +33 6 32 01 04 17 __________________________________________

1 1

Deploying Diffie-Hellman for TLS
by Jerry 20 Mar '17

20 Mar '17

I have been reading up on TLS and Dovecot and came across this URL: https://www.weakdh.org/sysadmin.html which recommended these settings for Dovecot. I would like to know if they are correct? Some much documentation on the web is pure garbage. Dovecot These changes should be made in /etc/dovecot.conf Cipher Suites ssl_cipher_list=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA ssl_prefer_server_ciphers = yes (Dovecot 2.2.6 or greater) DH parameters #regenerates every week ssl_dh_parameters_length = 2048 Contrary to what the site recommends, I would have thought that changes should be made in the "10-ssl.conf" file. I am running "Dovecot 2.2.28" on a FreeBSD-11 machine with OpenSSL 1.0.2k, if that makes any difference. Thanks -- Jerry

2 1

Server migration
by Gandalf Corvotempesta 20 Mar '17

20 Mar '17

Hi to all. It's time to migrate an old server to a newer platform Some questions: 1) what happens by changing the pop3/IMAP server on the client? Is the client (Outlook, Thunderbird,...) smart enough to not download every message again? I'm asking this because the easier way to migrate would be move all mailboxes to the new server and then change the hostname on the client 2) what if I add a dovecot proxy on the new server, proxing back all requests to the older one, if the mailbox is still not migrated? Would the whole pop3/IMAP transaction happen through the proxy or there is something an http redirect (or anything similiar to the SIP protocol) ? 3) I think the response to this is no: is dovecot able to log the hostname used for the connection? I have multiple domains pointing to the same IP. Something like the Host header in Http.

2 1

[Bug] Mailbox aliases still broken
by azurit＠pobox.sk 20 Mar '17

20 Mar '17

Hi, about an year ago i was reporting a bug in mailbox aliases, which remains unfixed and unasnwered (probably totally ignored, don't understand why). I thought it was because the bug is old and already fixed but yesterday i upgraded to Dovecot 2.2.24 and problem persists. Here is the original report, everything, except the Dovecot version, is still correct: http://dovecot.org/list/dovecot/2015-June/101176.html Will this be fixed? Thanks for info. azur

4 7

dovecot problem with ssl
by Nilton Jose Rizzo 19 Mar '17

19 Mar '17

Hi all, I already searched for this error on google and nothing I never install dovecot, this is a first time. This error, I know, is too newbie and stupid, but I checked more than twice. root@server:/usr/local/etc/dovecot # sievec /home3/virtual/default.sieve doveconf: Fatal: Error in configuration file /usr/local/etc/dovecot/conf.d/10-ssl.conf line 7: Unknown setting: ssl root@server:/usr/local/etc/dovecot # I'm running a FreeBSD 12-current and compile all from ports (mysql, dovecot2, portfix3.1, and all needs ports, but this error don't leave. I'm fowling this tutorial to install all, but when I'll run a sievec this stop with this error. I'm not new in FreeBSD, I'm have good experience in FreeBSD. --- /************************************************* **Nilton José Rizzo UFRRJ **http://www.rizzo.eng.br http://www.ufrrj.br **http://lattes.cnpq.br/0079460703536198 **************************************************/

4 11

replication issues between to nodes
by Remko Lodder 18 Mar '17

18 Mar '17

Hi, Some time ago I posted the below but never got a reponse that I could work with. So i am retrying now in the hope that there might be a better idea/suggestion on how to approach this. Situation; I have two nodes, which should replicate to eachother. My main machine receives most mail and the other one receives mostly system messages and should get replicated. (This used to be delivered on both machines, but given the issues below I had to make sure that the customer email at least arrives on machine A, as detailed below). When a mail arrives on main machine (A) everything is fine and things are synchronised asap. Customers can see the email directly via webmail/imap. When a mail arrives on the secondary machine (B) the replication is not issued until machine A starts a sync session. Customers do not see the email on machine A via webmail/imap. When a mail arrives on A, the synchronisation occurs, and all messages on B, not yet on A, are synchronised as well. Customers can now see the email on machine A as well via webmail/imap. Sadly this can mean that emails that became visible are hours late (read: were delivered hours before, but not visible for the customer). Both machines are configured through puppet, only individual settings like IP addresses and certificates are different because well, they have to. I included the difference below, and both ‘doveconf -n’s. If someone has a suggestion on seeing why machine B is not issueing (or does not seem to issue) replication, let me know. I verified that I can connect to the remote machines via IPv4 and IPv6 (for doveadm / replication purposes). Difference between configurations; --- tmp1.txt 2017-03-18 15:18:41.000000000 +0100 +++ tmp2.txt 2017-03-18 15:18:56.000000000 +0100 @@ -55,7 +55,7 @@ imapsieve_mailbox2_name = * mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename mail_log_fields = uid box msgid size - mail_replica = tcps:mail.jr-hosting.nl:12346 + mail_replica = tcps:mail2.jr-hosting.nl:12346 sieve = ~/.dovecot.sieve sieve_dir = ~/sieve sieve_execute_bin_dir = /usr/local/lib/dovecot/sieve @@ -105,7 +105,7 @@ } service lmtp { inet_listener lmtp { - address = XXX/X 127.0.0.1 ::1 + address = YYYY/Y 127.0.0.1 ::1 port = 24 } unix_listener /var/spool/postfix/private/dovecot-lmtp { @@ -123,8 +123,8 @@ mode = 0666 } } -ssl_ca = </usr/local/etc/letsencrypt/live/mail2.jr-hosting.nl/fullchain.pem -ssl_cert = </usr/local/etc/letsencrypt/live/mail2.jr-hosting.nl/cert.pem +ssl_ca = </usr/local/etc/letsencrypt/live/mail.jr-hosting.nl/fullchain.pem +ssl_cert = </usr/local/etc/letsencrypt/live/mail.jr-hosting.nl/cert.pem ssl_client_ca_file = /usr/local/certificates/letsencrypt-ca.pem ssl_key = # hidden, use -P to show it ssl_protocols = !SSLv2 !SSLv3 Machine A (the best working machine) # 2.2.28 (bed8434): /usr/local/etc/dovecot/dovecot.conf # Pigeonhole version 0.4.17 (e179378) # OS: FreeBSD 11.0-RELEASE-p8 amd64 auth_mechanisms = plain login disable_plaintext_auth = no doveadm_password = # hidden, use -P to show it haproxy_trusted_networks = XXXX/X lda_mailbox_autocreate = yes lda_mailbox_autosubscribe = yes lmtp_save_to_detail_mailbox = yes mail_debug = yes mail_fsync = always mail_location = mdbox:~/mdbox mail_plugins = " quota notify replication" managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapsieve namespace { inbox = yes location = mailbox Drafts { auto = subscribe special_use = \Drafts } mailbox Junk { special_use = \Junk } mailbox Sent { auto = subscribe special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Spam { auto = subscribe special_use = \Junk } mailbox Trash { auto = subscribe special_use = \Trash } prefix = separator = . } passdb { driver = pam } plugin { imapsieve_mailbox1_before = file:/usr/local/lib/dovecot/sieve/report-spam.sieve imapsieve_mailbox1_causes = COPY imapsieve_mailbox1_name = Spam imapsieve_mailbox2_before = file:/usr/local/lib/dovecot/sieve/report-ham.sieve imapsieve_mailbox2_causes = COPY imapsieve_mailbox2_from = Spam imapsieve_mailbox2_name = * mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename mail_log_fields = uid box msgid size mail_replica = tcps:mail2.jr-hosting.nl:12346 sieve = ~/.dovecot.sieve sieve_dir = ~/sieve sieve_execute_bin_dir = /usr/local/lib/dovecot/sieve sieve_global_dir = /usr/local/etc/dovecot/sieve/global/ sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.execute sieve_global_path = /usr/local/etc/dovecot/sieve/default.sieve sieve_pipe_bin_dir = /usr/local/lib/dovecot/sieve sieve_plugins = sieve_imapsieve sieve_extprograms } postmaster_address = postmaster(a)jr-hosting.nl protocols = imap pop3 lmtp sieve replication_dsync_parameters = -d -N -l 60 -U replication_max_conns = 100 service aggregator { fifo_listener replication-notify-fifo { mode = 0666 } unix_listener replication-notify { mode = 0666 } } service auth { unix_listener /var/spool/postfix/private/auth { mode = 0666 } } service doveadm { inet_listener { port = 12346 ssl = yes } } service imap-login { inet_listener imap_haproxy { haproxy = yes port = 10143 } inet_listener imaps_haproxy { haproxy = yes port = 10144 ssl = yes } service_count = 1 } service imap { process_limit = 1024 } service lmtp { inet_listener lmtp { address = XXXX/X 127.0.0.1 ::1 port = 24 } unix_listener /var/spool/postfix/private/dovecot-lmtp { group = postfix mode = 0600 user = postfix } } service pop3 { process_limit = 1024 } service replicator { process_min_avail = 1 unix_listener replicator-doveadm { mode = 0666 } } ssl_ca = </usr/local/etc/letsencrypt/live/mail.jr-hosting.nl/fullchain.pem ssl_cert = </usr/local/etc/letsencrypt/live/mail.jr-hosting.nl/cert.pem ssl_client_ca_file = /usr/local/certificates/letsencrypt-ca.pem ssl_key = # hidden, use -P to show it ssl_protocols = !SSLv2 !SSLv3 userdb { driver = passwd } verbose_proctitle = yes protocol lmtp { auth_username_format = %n mail_plugins = quota sieve postmaster_address = postmaster(a)jr-hosting.nl } protocol lda { mail_plugins = " quota notify replication sieve" } protocol imap { mail_max_userip_connections = 50 mail_plugins = " quota notify replication imap_quota imap_sieve” } Machine B: # 2.2.28 (bed8434): /usr/local/etc/dovecot/dovecot.conf # Pigeonhole version 0.4.17 (e179378) # OS: FreeBSD 11.0-RELEASE-p8 amd64 auth_mechanisms = plain login disable_plaintext_auth = no doveadm_password = # hidden, use -P to show it haproxy_trusted_networks = XXX/X lda_mailbox_autocreate = yes lda_mailbox_autosubscribe = yes lmtp_save_to_detail_mailbox = yes mail_debug = yes mail_fsync = always mail_location = mdbox:~/mdbox mail_plugins = " quota notify replication" managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapsieve namespace { inbox = yes location = mailbox Drafts { auto = subscribe special_use = \Drafts } mailbox Junk { special_use = \Junk } mailbox Sent { auto = subscribe special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Spam { auto = subscribe special_use = \Junk } mailbox Trash { auto = subscribe special_use = \Trash } prefix = separator = . } passdb { driver = pam } plugin { imapsieve_mailbox1_before = file:/usr/local/lib/dovecot/sieve/report-spam.sieve imapsieve_mailbox1_causes = COPY imapsieve_mailbox1_name = Spam imapsieve_mailbox2_before = file:/usr/local/lib/dovecot/sieve/report-ham.sieve imapsieve_mailbox2_causes = COPY imapsieve_mailbox2_from = Spam imapsieve_mailbox2_name = * mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename mail_log_fields = uid box msgid size mail_replica = tcps:mail.jr-hosting.nl:12346 sieve = ~/.dovecot.sieve sieve_dir = ~/sieve sieve_execute_bin_dir = /usr/local/lib/dovecot/sieve sieve_global_dir = /usr/local/etc/dovecot/sieve/global/ sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.execute sieve_global_path = /usr/local/etc/dovecot/sieve/default.sieve sieve_pipe_bin_dir = /usr/local/lib/dovecot/sieve sieve_plugins = sieve_imapsieve sieve_extprograms } postmaster_address = postmaster(a)jr-hosting.nl protocols = imap pop3 lmtp sieve replication_dsync_parameters = -d -N -l 60 -U replication_max_conns = 100 service aggregator { fifo_listener replication-notify-fifo { mode = 0666 } unix_listener replication-notify { mode = 0666 } } service auth { unix_listener /var/spool/postfix/private/auth { mode = 0666 } } service doveadm { inet_listener { port = 12346 ssl = yes } } service imap-login { inet_listener imap_haproxy { haproxy = yes port = 10143 } inet_listener imaps_haproxy { haproxy = yes port = 10144 ssl = yes } service_count = 1 } service imap { process_limit = 1024 } service lmtp { inet_listener lmtp { address = XXXX/X 127.0.0.1 ::1 port = 24 } unix_listener /var/spool/postfix/private/dovecot-lmtp { group = postfix mode = 0600 user = postfix } } service pop3 { process_limit = 1024 } service replicator { process_min_avail = 1 unix_listener replicator-doveadm { mode = 0666 } } ssl_ca = </usr/local/etc/letsencrypt/live/mail2.jr-hosting.nl/fullchain.pem ssl_cert = </usr/local/etc/letsencrypt/live/mail2.jr-hosting.nl/cert.pem ssl_client_ca_file = /usr/local/certificates/letsencrypt-ca.pem ssl_key = # hidden, use -P to show it ssl_protocols = !SSLv2 !SSLv3 userdb { driver = passwd } verbose_proctitle = yes protocol lmtp { auth_username_format = %n mail_plugins = quota sieve postmaster_address = postmaster(a)jr-hosting.nl } protocol lda { mail_plugins = " quota notify replication sieve" } protocol imap { mail_max_userip_connections = 50 mail_plugins = " quota notify replication imap_quota imap_sieve” }

1 0

sievec
by Robert Moskowitz 17 Mar '17

17 Mar '17

I am building a new mailserver on Centos7. My sieve is created with: mkdir /home/sieve cat <<EOF>/home/sieve/globalfilter.sieve || exit 1 require "fileinto"; if exists "X-Spam-Flag" { if header :contains "X-Spam-Flag" "NO" { } else { fileinto "Spam"; stop; } } if header :contains "subject" ["***SPAM***"] { fileinto "Spam"; stop; } EOF chown -R vmail:mail /home/sieve But in 90-sieve.conf there is the comment: # A path to a global sieve script file, which gets executed ONLY # if user's private Sieve script doesn't exist. Be sure to # pre-compile this script manually using the sievec command line # tool. #sieve_global_path = /var/lib/dovecot/sieve/default.sieve Do I run sievec on this script? And I found the following comment on a blog, about 3 years old: 2: Having a user-defined sieve script will cancel out the global script for redirecting spam. In the dovecot.conf, get rid of the sieve_global_path and sieve_global_dir, and instead use: sieve_before = /path/to/global.sieve -- what this will do is make sure that the global script runs before any user scripts, which allows the spam redirecting to actually work. What is current situation on this? thank you

4 8

Do I need to configure director?
by Angel L. Mateo 17 Mar '17

17 Mar '17

Hi, I'm configuring a farm of dovecot proxies redirecting users to backend servers. The decision of which backend server is used for a user is based in its ldap account information. In my previous configuration I was using an inherited director configuration in these proxy servers, but now I was wondering that because the decision is made according to user information, I don't need to run director. Do it? Is there any advantage of running director in this scenario? -- Angel L. Mateo Martínez Sección de Telemática Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA) http://www.um.es/atica Tfo: 868889150 Fax: 868888337

2 2