March 2017 - dovecot - dovecot.org

Re: Dovecot 2.2.27 proxy - enforcing per client IP connection limits
by Joseph Tam 21 Mar '17

21 Mar '17

Sami Ketola writes: >> Can anyone with Solr installed confirm/refute this: does installing >> Solr keep iOS clients from roofing the connection count? > > I doubt it, but since IMAP SEARCH goes all the way down to the backends > mail_max_userip_connections can be used to limit the number of > connections. Understood -- that's the current situation I'm in now. Our iOS users would launch a search resulting in a connection burst, hit the connection cap, log out all IMAP sessions out, then start the cycle again. This sometimes lasts for 10's of minutes. I'm not sure what the users sees. Sample logs entries: Mar 19 01:21:30 server dovecot: imap-login: Login: user=<user> ... [... 14 similar logins removed ...] Mar 19 01:21:41 server dovecot: imap-login: Login: user=<user> ... Mar 19 01:21:42 server dovecot: imap-login: Maximum number of connections from user+IP exceeded (mail_max_userip_connections=16) : user=<user> ... Mar 19 01:21:42 server dovecot: imap(user): Logged out in=425 out=1107 [... 14 similar logouts removed ...] Mar 19 01:21:42 server dovecot: imap(user): Logged out in=382 out=1107 Mar 19 01:21:42 server dovecot: imap-login: Login: user=<user> ... Mar 19 01:21:42 server dovecot: imap-login: Login: user=<user> ... Mar 19 01:21:43 server dovecot: imap-login: Login: user=<user> ... Mar 19 01:21:44 server dovecot: imap-login: Login: user=<user> ... Mar 19 01:21:44 server dovecot: imap(user): Logged out in=442 out=1173 Mar 19 01:21:44 server dovecot: imap(user): Logged out in=442 out=1155 Mar 19 01:21:44 server dovecot: imap(user): Logged out in=442 out=1166 Mar 19 01:21:44 server dovecot: imap(user): Logged out in=442 out=1174 Mar 19 01:21:44 server dovecot: imap-login: Login: user=<user> ... Mar 19 01:21:47 server dovecot: imap-login: Login: user=<user> ... Mar 19 01:21:47 server dovecot: imap-login: Login: user=<user> ... Mar 19 01:21:48 server dovecot: imap-login: Login: user=<user> ... Mar 19 01:21:48 server dovecot: imap-login: Login: user=<user> ... Mar 19 01:21:49 server dovecot: imap-login: Login: user=<user> ... { ... and on and on for the next 10 minutes ... } However, there is a pause between each login that might be long enough to squeeze the search results in if given quickly enough. From the I/O stats, most of these searches have empty results. It probably won't prevent the connection cap problem, but it might minimize the length and severity of these connection storms. Of course, the real fix is for iOS mail-app developers to stop assuming the IMAP server is owned exclusively by the user by configuring some reasonable connection throttles. Joseph Tam <jtam.home(a)gmail.com>

2 1

Dovecot can't connect to openldap over starttls
by info＠gwarband.de 20 Mar '17

20 Mar '17

Hello guys, actually I'm trying to configure dovecot to access openldap for passwordcheck. My openldap is only allow access over "secure ldap". The dovecot can communicate with the openldap server but there is maybe a failure in the sslhandshake. Additional information you can find in the logs or in the dump below. Also I have my ldap config from dovecot in the links below. I have already created an bug reporting in the system of openldap but the answer was to get support from her. All datalinks: https://gwarband.de/openldap/dovecot.log https://gwarband.de/openldap/dovecot-ldap.conf https://gwarband.de/openldap/openldap.log https://gwarband.de/openldap/trace.dump The bugreportinglink from openldap: http://www.openldap.org/its/index.cgi/Incoming?id=8615 I hope you can help me. Regards. Tobias Warband

2 10

Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
by Ralf Hildebrandt 20 Mar '17

20 Mar '17

Hi! I upgraded the 2.2 packages today (from 2:2.2.28-1~auto+5 to 2:2.2.28-1~auto+8) I now I'm getting an error: Mar 20 13:25:58 mproxy dovecot: auth: Error: imapc(email.charite.de:993): Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings) I checked, and alas, I had ssl_client_ca_dir = ssl_client_ca_file = So I set: ssl_client_ca_file = </etc/ssl/certs/ca-certificates.crt But I'm still getting the error above. I addition, dovecot is crashing with SIGSEGV: Mar 20 13:28:23 mproxy dovecot: auth: Error: imapc(email.charite.de:993): Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings) Mar 20 13:28:23 mproxy dovecot: auth: Error: imapc(email.charite.de:993): No SSL context Mar 20 13:28:23 mproxy dovecot: auth: Error: imap(la***sch,87.77.180.61): Disconnected from server Mar 20 13:28:23 mproxy postfix/submission/smtpd[32682]: warning: zb43d.pia.fu-berlin.de[87.77.180.61]: SASL PLAIN authentication failed: Connection lost to authentication server Mar 20 13:28:23 mproxy dovecot: auth: Fatal: master: service(auth): child 32685 killed with signal 11 (core dumped) -- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netzwerk Charité - Universitätsmedizin Berlin Campus Benjamin Franklin Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebrandt(a)charite.de | http://www.charite.de

2 5

doveadm proxy password
by Angel L. Mateo 20 Mar '17

20 Mar '17

Hi, I'm configuring a proxy host to connect to backend servers. As proxy is done based on an LDAP attribute of the user, I'm not using director. In the proxy server I have configured: doveadm_port = 24245 doveadm_password = secret And in the backend: service doveadm { inet_listener { port = 24245 } } local <mynetwork> { doveadm_password = secret } But when I run a doveadm command in the proxy I get: amateo_adm@musio10:/etc/dovecot/conf.d$ sudo doveadm quota get -u amateo(a)um.es doveadm(amateo(a)um.es): Error: doveadm authentication failed () doveadm(amateo(a)um.es): Error: myotis50.um.es:24245: Command quota get failed for amateo(a)um.es: EOF Quota name Type Value Limit % And in the backed I get: Mar 20 15:52:01 myotis50 dovecot: doveadm: Error: doveadm client authenticated with wrong password I have checked with tcpdump and in the command is sending the base64 encoding of "doveadmsecret" Any help? -- Angel L. Mateo Martínez Sección de Telemática Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA) http://www.um.es/atica Tfo: 868889150 Fax: 868888337

1 0

Re: Dovecot 2.2.27 proxy - enforcing per client IP connection limits
by Joseph Tam 20 Mar '17

20 Mar '17

Adi Pircalabu writes: > For us it is, we're periodically getting hammered by iOS devices that > try to open 300+ simultaneous IMAP connections for a single user from > the same IP, while the average hovers usually below 50 for the busier > mailboxes with many folders. Oh yeah, I've seen this. I think this happens when someone does a global pattern search, which causes the client to launch IMAP SEARCH commands on each and every mailbox. I've wondered whether installing Solr would alleviate this: it wouldn't directly address the connection limit problem, but perhaps it can return results fast enough to keep the concurrent connections count down. Can anyone with Solr installed confirm/refute this: does installing Solr keep iOS clients from roofing the connection count? Joseph Tam <jtam.home(a)gmail.com>

2 1

Mail restore and single storage attachement
by Jean-Luc Oms 20 Mar '17

20 Mar '17

Bonjour, I'm finishing the upgrade of an old installation of Dovecot/postfix mail system for my lab. In the configuration i plan ( dovecot 2.2.27 ), i choose to use: - mdbox format - single storage for attachements - 2 zfs file systems, one for mdboxes, the other for attachments The last tests before production concern my hability to restore a lost mail (or mailbox) ... (lot of changes when you are used to mbox format). 1) I uses doveadm import to restore part of mail from one of the zfs snapshot with a cde like: doveadm -Dv import -U bof2 -s -u bof2 mdbox:/mailpool/lirmm/.zfs/snapshot/zfs-auto-snap_frequent-2017-03-15-1645/vmail/bof2/mdbox Recup-AAAA mailbox AAAA I get this error: doveadm(bof2): Error: open() failed with file /mailpool/lirmm/.zfs/snapshot/zfs-auto-snap_frequent-2017-03-15-1645/vmail/bof2/mdbox/mailboxes/AAAA/dbox-Mails/dovecot.index.log: Read-only file system Thats right, my snapshot is ro, but why the import has to write to the source ? I'm missing something ? 2) I don't find any way to specify a source for attachements with the import command, then I first restore all the atachements from one snapshot, then make import, then purge. Is there a way to use a source for attachement file tree, or a command to find the mssing files for the import command ? Thanks -- __________________________________________ Jean-Luc Oms STI-RéseauX - LIRMM - CNRS/UM2 161 rue Ada - BAT 4 - CC 477 34095 Montpellier cedex 5 Tel +33 4 67 41 85 93 Urg +33 6 32 01 04 17 __________________________________________

1 1

Deploying Diffie-Hellman for TLS
by Jerry 20 Mar '17

20 Mar '17

I have been reading up on TLS and Dovecot and came across this URL: https://www.weakdh.org/sysadmin.html which recommended these settings for Dovecot. I would like to know if they are correct? Some much documentation on the web is pure garbage. Dovecot These changes should be made in /etc/dovecot.conf Cipher Suites ssl_cipher_list=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA ssl_prefer_server_ciphers = yes (Dovecot 2.2.6 or greater) DH parameters #regenerates every week ssl_dh_parameters_length = 2048 Contrary to what the site recommends, I would have thought that changes should be made in the "10-ssl.conf" file. I am running "Dovecot 2.2.28" on a FreeBSD-11 machine with OpenSSL 1.0.2k, if that makes any difference. Thanks -- Jerry

2 1

Server migration
by Gandalf Corvotempesta 20 Mar '17

20 Mar '17

Hi to all. It's time to migrate an old server to a newer platform Some questions: 1) what happens by changing the pop3/IMAP server on the client? Is the client (Outlook, Thunderbird,...) smart enough to not download every message again? I'm asking this because the easier way to migrate would be move all mailboxes to the new server and then change the hostname on the client 2) what if I add a dovecot proxy on the new server, proxing back all requests to the older one, if the mailbox is still not migrated? Would the whole pop3/IMAP transaction happen through the proxy or there is something an http redirect (or anything similiar to the SIP protocol) ? 3) I think the response to this is no: is dovecot able to log the hostname used for the connection? I have multiple domains pointing to the same IP. Something like the Host header in Http.

2 1

[Bug] Mailbox aliases still broken
by azurit＠pobox.sk 20 Mar '17

20 Mar '17

Hi, about an year ago i was reporting a bug in mailbox aliases, which remains unfixed and unasnwered (probably totally ignored, don't understand why). I thought it was because the bug is old and already fixed but yesterday i upgraded to Dovecot 2.2.24 and problem persists. Here is the original report, everything, except the Dovecot version, is still correct: http://dovecot.org/list/dovecot/2015-June/101176.html Will this be fixed? Thanks for info. azur

4 7

dovecot problem with ssl
by Nilton Jose Rizzo 19 Mar '17

19 Mar '17

Hi all, I already searched for this error on google and nothing I never install dovecot, this is a first time. This error, I know, is too newbie and stupid, but I checked more than twice. root@server:/usr/local/etc/dovecot # sievec /home3/virtual/default.sieve doveconf: Fatal: Error in configuration file /usr/local/etc/dovecot/conf.d/10-ssl.conf line 7: Unknown setting: ssl root@server:/usr/local/etc/dovecot # I'm running a FreeBSD 12-current and compile all from ports (mysql, dovecot2, portfix3.1, and all needs ports, but this error don't leave. I'm fowling this tutorial to install all, but when I'll run a sievec this stop with this error. I'm not new in FreeBSD, I'm have good experience in FreeBSD. --- /************************************************* **Nilton José Rizzo UFRRJ **http://www.rizzo.eng.br http://www.ufrrj.br **http://lattes.cnpq.br/0079460703536198 **************************************************/

4 11