April 2019 - dovecot - dovecot.org

Dovecot release v2.3.6
by Aki Tuomi 30 Apr '19

30 Apr '19

Hi! We are pleased to release Dovecot v2.3.6. Tarball is available at https://dovecot.org/releases/2.3/dovecot-2.3.6.tar.gz https://dovecot.org/releases/2.3/dovecot-2.3.6.tar.gz.sig Binary packages are available at https://repo.dovecot.org/ Changes ------- * CVE-2019-11494: Submission-login crashed with signal 11 due to null pointer access when authentication was aborted by disconnecting. * CVE-2019-11499: Submission-login crashed when authentication was started over TLS secured channel and invalid authentication message was sent. * auth: Support password grant with passdb oauth2. + Use system default CAs for outbound TLS connections. + Simplify array handling with new helper macros. + fts_solr: Enable configuring batch_size and soft_commit features. - lmtp/submission: Fixed various bugs in XCLIENT handling, including a hang when XCLIENT commands were sent infinitely to the remote server. - lmtp/submission: Forwarded multi-line replies were erroneously sent as two replies to the client. - lib-smtp: client: Message was not guaranteed to contain CRLF consistently when CHUNKING was used. - fts_solr: Plugin was no longer compatible with Solr 7. - Make it possible to disable certificate checking without setting ssl_client_ca_* settings. - pop3c: SSL support was broken. - mysql: Closing connection twice lead to crash on some systems. - auth: Multiple oauth2 passdbs crashed auth process on deinit. - HTTP client connection errors infrequently triggered a segmentation fault when the connection was idle and not used for a particular client instance. --- Aki Tuomi Open-Xchange oy

4 6

Pigeonhole release 0.5.6
by Aki Tuomi 30 Apr '19

30 Apr '19

Hi! We are pleased to release Pigeonhole 0.5.6 for Dovecot 2.3.6. Tarball https://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-0.5.6.ta… https://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-0.5.6.ta… Binary packages can be found from https://repo.dovecot.org/ Changes + sieve: Redirect loop prevention is sometimes ineffective. Improve existing loop detection by also recognizing the X-Sieve-Redirected-From header in incoming messages and dropping redirect actions when it points to the sending account. This header is already added by the redirect action, so this improvement only adds an additional use of this header. - sieve: Prevent execution of implicit keep upon temporary failure occurring at runtime. --- Aki Tuomi Open-Xchange oy

1 0

CVE-2019-11499: Submission-login crashes when authentication is started over TLS secured channel and invalid authentication message is sent
by Aki Tuomi 30 Apr '19

30 Apr '19

Open-Xchange Security Advisory 2019-04-30 Product: Dovecot Vendor: OX Software GmbH Internal reference: DOV-3223 (Bug ID) Vulnerability type: CWE-617 Vulnerable version: 2.3.0 - 2.3.5.2 Vulnerable component: submission-login Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 2.3.6 Vendor notification: 2019-03-11 Solution date: 2019-04-23 Public disclosure: 2019-04-30 CVE reference: CVE-2019-11499 CVSS: 7.5 (CVSS3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) Vulnerability Details: Submission-login crashes when authentication is started over TLS secured channel and invalid authentication message is sent. This can lead to denial-of-service attack by persistent attacker(s). Workaround: Authentication crash can be avoided if authentication is done without TLS. Solution: Operators should upgrade to a fixed version.

1 0

CVE-2019-11494: Submission-login crashes with signal 11 due to null pointer access when authentication is aborted by disconnecting.
by Aki Tuomi 30 Apr '19

30 Apr '19

Open-Xchange Security Advisory 2019-04-30 Product: Dovecot Vendor: OX Software GmbH Internal reference: DOV-3212 (Bug ID) Vulnerability type: CWE-476 Vulnerable version: 2.3.0 - 2.3.5.2 Vulnerable component: submission-login Report confidence: Confirmed Researcher credits: Marcelo Coelho Solution status: Fixed by Vendor Fixed version: 2.3.6 Vendor notificatio: 2019-03-11 Solution date: 2019-04-23 Public disclosure: 2019-04-30 CVE reference: CVE-2019-11494 CVSS: 7.5 (CVSS3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) Vulnerability Details: Submission-login crashes with signal 11 due to null pointer access when authentication is aborted by disconnecting. This can lead to denial-of-service attack by persistent attacker(s). Workaround: There is no available workaround for this issue. Solution: Operators should upgrade to a fixed version.

1 0

Re: Sis to deduplicate attachments does not work?
by Daniel Miller 29 Apr '19

29 Apr '19

On April 23, 2019 10:54:38 PM luckydog xf <luckydogxf(a)gmail.com> wrote: > Is it worthwile to use dbox? seeing from > http://www.linuxmail.info/mbox-maildir-mail-storage-formats/ it may cause > file lock and easy to corrupt. As with everything - it depends. You're asking me so these are *my* opinions - and I do not claim to be anything more than a hobbyist/tinkerer when the comes to this. mbox has potential use for long term read-only archives - I see no reason to use it for live mailboxes. maildir is undoubtedly the least susceptible to corruption. It's also the slowest format for reading. How slow is "slow" depends on your hardware - it may be imperceptible with enough RAM and SSD's - or it may result in user complaints with large mailboxes. dbox is Dovecot's preferred format. I know Timo has put a lot of effort into it. sdbox is similar to maildir in that each mail is a separate file. mdbox significantly reduces the number of files which can make file-based backups faster. Both dbox formats are dependent on their index files. If you've got good hardware, including a proper UPS, I'd recommend dbox (my server is presently using sdbox). With large mailboxes and file-based backups you'll benefit from mdbox. When reliability is the #1 concern above anything else - use maildir. Depending on your use SIS can have significant impact on storage requirements - but storage these days is relatively cheap. I haven't seen much feedback from users actively using SIS - I'd love to hear from high traffic sites with SIS experience to know if the corruption issues have been resolved. In my case there was at least a 30% reduction in space but I had too many errors - admittedly it's been a couple years since I last tried it. -- Daniel

3 3

Using lmtp to authenticate email users
by Patrick Mahan 29 Apr '19

29 Apr '19

FreeBSD 11.2 Postfix 3.3.2 Dovecot 2.3.4 I am trying to use dovecot lmtp with postfix to verify authentication of incoming email and to avoid being a spam relay (an issue I was having using sendmail as my MTA). I am getting the following log message in /var/log/maillog: Mar 30 20:31:38 ns postfix/smtpd[40373]: NOQUEUE: reject: RCPT from mail-eopbgr750091.outbound.protection.outlook.com[40.107.75.91]: 450 4.1.1 < mahan(a)mahan.org>: Recipient address rejected: unverified address: host ns.mahan.org[private/dovecot-lmtp] said: 550 5.1.1 <mahan(a)mahan.org> User doesn't exist: mahan(a)mahan.org (in reply to RCPT TO command); from=< pmahan(a)silver-peak.com> to=<mahan(a)mahan.org> proto=ESMTP helo=< NAM02-BL2-obe.outbound.protection.outlook.com> 'mahan' does exist on ns.mahan.org. So I am confused to why lmtp is failing to find this username. Thanks, Patrick

4 5

used Lazyexpunge
by lty 28 Apr '19

28 Apr '19

I used Lazyexpunge. I tried to create .DELETED without any hints and see that the creation was successful. I want to prevent users from creating .DELETED, what should I do? My settings > plugin { > lazy_expunge = .DELETED/ > } > # > > namespace { > prefix = .DELETED/ > hidden = yes > list = no > separator = / > location = maildir:/var/vmail/backup/expunged/%d/%n > }

2 1

Auto rebuilding of Solr indexes on settings change?
by Peter Mogensen 25 Apr '19

25 Apr '19

Hi, Looking at the source, it doesn't seem like fts-solr checks for settings changes using fts_index_have_compatible_settings() like fts-lucene does. Is there any special reason for why fts-solr shouldn't also rebuild indexes if settings has changed? /Peter

2 1

msg header has bad magic value
by 김태용 25 Apr '19

25 Apr '19

There was an error saving the message. 'Error: Corrupted dbox file /storage/m.1 (around offset = 21589): msg header has bad magic value' Why do I get an error? How can I fix it?

1 0

haproxy + submission services -> postfix failure
by Chris Thomas 24 Apr '19

24 Apr '19

Hi, I have a nginx server which is using the proxy protocol to forward tcp connections to dovecot. Dovecot is configured to be a submission service for email to be sent. Then postfix should send the email itself which is also using the ha proxy protocol. There are a few moving parts in this problem so I'm not sure where the problem is. But I want to ask if somebody can validate my dovecot configuration somehow so I can start to tick off some things from the list. Sending email fails, seems to get to postfix, then die Receiving emails succeeds and I don't have any problem to pick them up. I've figured out some stuff, like lmtp shouldn't use haproxy when talking between postfix -> dovecot for receiving emails. If I enable the protocol on lmtp, I can't receive any emails at all. In order to get postfix to accept emails, I enabled haproxy protocol and enabled postscreen and then postfix could access the source ip and stop my server from being an open relay. I've got tls certificates installed on dovecot and postfix, all created by letsencrypt and I don't appear to have any problems with them. I will try to give as much information about the config as I can, I'm not sure what other parts are good to have, but let me know if you are missing something or want to check a value. >> 10-master.conf: service submission-login { inet_listener submission { port = 587 haproxy = yes } } service lmtp { inet_listener lmtp { port = 24 haproxy = no } } >> 20-submission.conf submission_relay_host = postfix.mail-server submission_relay_port = 25 submission_relay_ssl = starttls submission_relay_ssl_verify = yes Then because it might help to give the other side of the connection configuration for postfix, here is the relevant information: >> master.cf: smtp inet n - - - 1 postscreen smtpd pass - - - - - smtpd >> main.cf postscreen_upstream_proxy_protocol = haproxy postscreen_upstream_proxy_timeout = 10s That's it. I don't know what other information could be useful. There are some logs, they are like this (I've got logging turned on for pretty much every option I have: Dovecot logs: Apr 19 17:54:47 submission(__EMAIL__)<497><KUGA0OWG8XlfW/Q8>: Debug: Added userdb setting: plugin/quota_rule=*:bytes=0 Apr 19 17:54:47 submission(__EMAIL__)<497><KUGA0OWG8XlfW/Q8>: Debug: Effective uid=8, gid=8, home=/mail/__DOMAIN_COM__/__USER__ Apr 19 17:54:47 submission(__EMAIL__)<497><KUGA0OWG8XlfW/Q8>: Debug: Namespace inbox: type=private, prefix=, sep=, inbox=yes, hidden=no, list=yes, subscriptions=yes location=maildir:/mail/__DOMAIN_COM__/__USER__ Apr 19 17:54:47 submission(__EMAIL__)<497><KUGA0OWG8XlfW/Q8>: Debug: maildir++: root=/mail/__DOMAIN_COM__/__USER__, index=, indexpvt=, control=, inbox=/mail/__DOMAIN_COM__/__USER__, alt= Apr 19 17:54:47 submission(__EMAIL__)<497><KUGA0OWG8XlfW/Q8>: Debug: smtp-server: conn __IP_ADDR_1__:31217 [0]: Connection created Apr 19 17:54:47 submission(__EMAIL__)<497><KUGA0OWG8XlfW/Q8>: Debug: smtp-client: conn postfix.mail-server:25 [0]: Connection created Apr 19 17:54:47 submission(__EMAIL__)<497><KUGA0OWG8XlfW/Q8>: Debug: smtp-client: conn postfix.mail-server:25 [0]: Looking up IP address Apr 19 17:54:47 submission(__EMAIL__)<497><KUGA0OWG8XlfW/Q8>: Debug: smtp-client: conn postfix.mail-server:25 [0]: DNS lookup successful; got 1 IPs Apr 19 17:54:47 submission(__EMAIL__)<497><KUGA0OWG8XlfW/Q8>: Debug: smtp-client: conn postfix.mail-server:25 [0]: Connecting to 10.104.211.161:25 Apr 19 17:54:47 submission(__EMAIL__)<497><KUGA0OWG8XlfW/Q8>: Debug: smtp-client: conn postfix.mail-server:25 [0]: Connected Apr 19 17:54:57 submission(__EMAIL__)<497><KUGA0OWG8XlfW/Q8>: Debug: smtp-client: conn postfix.mail-server:25 [0]: Received greeting from server: 421 4.3.2 No system resources Apr 19 17:54:57 submission(__EMAIL__)<497><KUGA0OWG8XlfW/Q8>: Debug: smtp-client: conn postfix.mail-server:25 [0]: Connection failed: 421 4.3.2 No system resources Apr 19 17:54:57 submission(__EMAIL__)<497><KUGA0OWG8XlfW/Q8>: Error: Failed to establish relay connection: 421 4.3.2 No system resources Apr 19 17:54:57 submission(__EMAIL__)<497><KUGA0OWG8XlfW/Q8>: Debug: smtp-client: conn postfix.mail-server:25 [0]: Disconnected Apr 19 17:54:57 submission(__EMAIL__)<497><KUGA0OWG8XlfW/Q8>: Info: Disconnect from __IP_ADDR_1__: Failed to establish relay connection in=0 out=22 (state=GREETING) Apr 19 17:54:57 submission(__EMAIL__)<497><KUGA0OWG8XlfW/Q8>: Debug: smtp-server: conn __IP_ADDR_1__:31217 [0]: Disconnected: Failed to establish relay connection Postfix Logs: postfix/postscreen[525]: warning: haproxy read: time limit exceeded If anybody could help out, I'd be grateful because I just can't see what the problem is. Chris

2 1