April 2019 - dovecot - dovecot.org

Feature request: exclude IP/network in allow_nets extra field
by Zhang Huangbin 01 May '19

01 May '19

Dear all, We use `allow_nets`[1] to restrict login clients, it works fine. Recently we need to allow some users to login from everywhere except some IP/networks, how can we accomplish this with "allow_nets"? Tried allow_nets="!a.b.c.d", but Dovecot reports error "allow_nets: Invalid network '!a.b.c.d'". Can we have this feature? i guess it should be done in function "auth_request_validate_networks"[2] in file src/auth/auth-request.c. [1] allow_nets: https://wiki.dovecot.org/PasswordDatabase/ExtraFields/AllowNets [2] https://github.com/dovecot/core/blob/fbc3ccc4a9a02b82073585a33254eacedc6a99…

6 11

Dovecot release v2.3.6
by Aki Tuomi 30 Apr '19

30 Apr '19

Hi! We are pleased to release Dovecot v2.3.6. Tarball is available at https://dovecot.org/releases/2.3/dovecot-2.3.6.tar.gz https://dovecot.org/releases/2.3/dovecot-2.3.6.tar.gz.sig Binary packages are available at https://repo.dovecot.org/ Changes ------- * CVE-2019-11494: Submission-login crashed with signal 11 due to null pointer access when authentication was aborted by disconnecting. * CVE-2019-11499: Submission-login crashed when authentication was started over TLS secured channel and invalid authentication message was sent. * auth: Support password grant with passdb oauth2. + Use system default CAs for outbound TLS connections. + Simplify array handling with new helper macros. + fts_solr: Enable configuring batch_size and soft_commit features. - lmtp/submission: Fixed various bugs in XCLIENT handling, including a hang when XCLIENT commands were sent infinitely to the remote server. - lmtp/submission: Forwarded multi-line replies were erroneously sent as two replies to the client. - lib-smtp: client: Message was not guaranteed to contain CRLF consistently when CHUNKING was used. - fts_solr: Plugin was no longer compatible with Solr 7. - Make it possible to disable certificate checking without setting ssl_client_ca_* settings. - pop3c: SSL support was broken. - mysql: Closing connection twice lead to crash on some systems. - auth: Multiple oauth2 passdbs crashed auth process on deinit. - HTTP client connection errors infrequently triggered a segmentation fault when the connection was idle and not used for a particular client instance. --- Aki Tuomi Open-Xchange oy

4 6

Pigeonhole release 0.5.6
by Aki Tuomi 30 Apr '19

30 Apr '19

Hi! We are pleased to release Pigeonhole 0.5.6 for Dovecot 2.3.6. Tarball https://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-0.5.6.ta… https://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-0.5.6.ta… Binary packages can be found from https://repo.dovecot.org/ Changes + sieve: Redirect loop prevention is sometimes ineffective. Improve existing loop detection by also recognizing the X-Sieve-Redirected-From header in incoming messages and dropping redirect actions when it points to the sending account. This header is already added by the redirect action, so this improvement only adds an additional use of this header. - sieve: Prevent execution of implicit keep upon temporary failure occurring at runtime. --- Aki Tuomi Open-Xchange oy

1 0

CVE-2019-11499: Submission-login crashes when authentication is started over TLS secured channel and invalid authentication message is sent
by Aki Tuomi 30 Apr '19

30 Apr '19

Open-Xchange Security Advisory 2019-04-30 Product: Dovecot Vendor: OX Software GmbH Internal reference: DOV-3223 (Bug ID) Vulnerability type: CWE-617 Vulnerable version: 2.3.0 - 2.3.5.2 Vulnerable component: submission-login Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 2.3.6 Vendor notification: 2019-03-11 Solution date: 2019-04-23 Public disclosure: 2019-04-30 CVE reference: CVE-2019-11499 CVSS: 7.5 (CVSS3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) Vulnerability Details: Submission-login crashes when authentication is started over TLS secured channel and invalid authentication message is sent. This can lead to denial-of-service attack by persistent attacker(s). Workaround: Authentication crash can be avoided if authentication is done without TLS. Solution: Operators should upgrade to a fixed version.

1 0

CVE-2019-11494: Submission-login crashes with signal 11 due to null pointer access when authentication is aborted by disconnecting.
by Aki Tuomi 30 Apr '19

30 Apr '19

Open-Xchange Security Advisory 2019-04-30 Product: Dovecot Vendor: OX Software GmbH Internal reference: DOV-3212 (Bug ID) Vulnerability type: CWE-476 Vulnerable version: 2.3.0 - 2.3.5.2 Vulnerable component: submission-login Report confidence: Confirmed Researcher credits: Marcelo Coelho Solution status: Fixed by Vendor Fixed version: 2.3.6 Vendor notificatio: 2019-03-11 Solution date: 2019-04-23 Public disclosure: 2019-04-30 CVE reference: CVE-2019-11494 CVSS: 7.5 (CVSS3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) Vulnerability Details: Submission-login crashes with signal 11 due to null pointer access when authentication is aborted by disconnecting. This can lead to denial-of-service attack by persistent attacker(s). Workaround: There is no available workaround for this issue. Solution: Operators should upgrade to a fixed version.

1 0

Re: Sis to deduplicate attachments does not work?
by Daniel Miller 28 Apr '19

28 Apr '19

On April 23, 2019 10:54:38 PM luckydog xf <luckydogxf(a)gmail.com> wrote: > Is it worthwile to use dbox? seeing from > http://www.linuxmail.info/mbox-maildir-mail-storage-formats/ it may cause > file lock and easy to corrupt. As with everything - it depends. You're asking me so these are *my* opinions - and I do not claim to be anything more than a hobbyist/tinkerer when the comes to this. mbox has potential use for long term read-only archives - I see no reason to use it for live mailboxes. maildir is undoubtedly the least susceptible to corruption. It's also the slowest format for reading. How slow is "slow" depends on your hardware - it may be imperceptible with enough RAM and SSD's - or it may result in user complaints with large mailboxes. dbox is Dovecot's preferred format. I know Timo has put a lot of effort into it. sdbox is similar to maildir in that each mail is a separate file. mdbox significantly reduces the number of files which can make file-based backups faster. Both dbox formats are dependent on their index files. If you've got good hardware, including a proper UPS, I'd recommend dbox (my server is presently using sdbox). With large mailboxes and file-based backups you'll benefit from mdbox. When reliability is the #1 concern above anything else - use maildir. Depending on your use SIS can have significant impact on storage requirements - but storage these days is relatively cheap. I haven't seen much feedback from users actively using SIS - I'd love to hear from high traffic sites with SIS experience to know if the corruption issues have been resolved. In my case there was at least a 30% reduction in space but I had too many errors - admittedly it's been a couple years since I last tried it. -- Daniel

3 3

Using lmtp to authenticate email users
by Patrick Mahan 28 Apr '19

28 Apr '19

FreeBSD 11.2 Postfix 3.3.2 Dovecot 2.3.4 I am trying to use dovecot lmtp with postfix to verify authentication of incoming email and to avoid being a spam relay (an issue I was having using sendmail as my MTA). I am getting the following log message in /var/log/maillog: Mar 30 20:31:38 ns postfix/smtpd[40373]: NOQUEUE: reject: RCPT from mail-eopbgr750091.outbound.protection.outlook.com[40.107.75.91]: 450 4.1.1 < mahan(a)mahan.org>: Recipient address rejected: unverified address: host ns.mahan.org[private/dovecot-lmtp] said: 550 5.1.1 <mahan(a)mahan.org> User doesn't exist: mahan(a)mahan.org (in reply to RCPT TO command); from=< pmahan(a)silver-peak.com> to=<mahan(a)mahan.org> proto=ESMTP helo=< NAM02-BL2-obe.outbound.protection.outlook.com> 'mahan' does exist on ns.mahan.org. So I am confused to why lmtp is failing to find this username. Thanks, Patrick

4 5

used Lazyexpunge
by lty 28 Apr '19

28 Apr '19

I used Lazyexpunge. I tried to create .DELETED without any hints and see that the creation was successful. I want to prevent users from creating .DELETED, what should I do? My settings > plugin { > lazy_expunge = .DELETED/ > } > # > > namespace { > prefix = .DELETED/ > hidden = yes > list = no > separator = / > location = maildir:/var/vmail/backup/expunged/%d/%n > }

2 1

Auto rebuilding of Solr indexes on settings change?
by Peter Mogensen 25 Apr '19

25 Apr '19

Hi, Looking at the source, it doesn't seem like fts-solr checks for settings changes using fts_index_have_compatible_settings() like fts-lucene does. Is there any special reason for why fts-solr shouldn't also rebuild indexes if settings has changed? /Peter

2 1

msg header has bad magic value
by 김태용 24 Apr '19

24 Apr '19

There was an error saving the message. 'Error: Corrupted dbox file /storage/m.1 (around offset = 21589): msg header has bad magic value' Why do I get an error? How can I fix it?

1 0