September 2019 - dovecot

Mailcrypt plugin private password
by info＠unkn0wn3d.com 04 Sep '19

04 Sep '19

Hello there, is there a way to make the mailcrypt plugin use the user's password or at least store it in a hashed value? I'm using a passwd file for authentication. I feel uncomfortable saving the private password in plaintext in that file. Regards

2 5

plugin for IMAP protocol to modifie any email
by Matthew Brown 04 Sep '19

04 Sep '19

is there a plugin or anyway I can modifie any email content ? I would like to change body text, headers, attachments

3 3

CVE-2019-11500: Critical vulnerability in Dovecot and Pigeonhole
by Aki Tuomi 04 Sep '19

04 Sep '19

Dear subscribers, we have been made aware of critical vulnerability in Dovecot and Pigeonhole. --- Open-Xchange Security Advisory 2019-08-14 Product: Dovecot Vendor: OX Software GmbH Internal reference: DOV-3278 Vulnerability type: Improper input validation (CWE-20) Vulnerable version: All versions prior to 2.3.7.2 and 2.2.36.4 Vulnerable component: IMAP and ManageSieve protocol parsers (before and after login) Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 2.3.7.2, 2.2.36.4 Researcher credits: Nick Roessler and Rafi Rubin, University of Pennsylvania Vendor notification: 2019-04-13 Solution date: 2019-06-05 Public disclosure: 2019-08-28 CVE reference: CVE-2019-11500 CVSS: 8.1 (CVSS3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) Vulnerability Details: IMAP and ManageSieve protocol parsers do not properly handle NUL byte when scanning data in quoted strings, leading to out of bounds heap memory writes. Risk: This vulnerability allows for out-of-bounds writes to objects stored on the heap up to 8096 bytes in pre-login phase, and 65536 bytes post-login phase, allowing sufficiently skilled attacker to perform complicated attacks that can lead to leaking private information or remote code execution. Abuse of this bug is very difficult to observe, as it does not necessarily cause a crash. Attempts to abuse this bug are not directly evident from logs. Steps to reproduce: This bug is best observed using valgrind to see the out of bounds read with following snippet: perl -e 'print "a id (\"foo\" \"".("x"x1021)."\\A\" \"bar\" \"\000".("x"x1020)."\\A\")\n"' | nc localhost 143 Solution: Operators should update to the latest Patch Release. There is no workaround for the issue. --- Aki Tuomi Open-Xchange oy

8 14

Dovecot and Apple's Mail.app not playing nicely?
by Coy Hile 03 Sep '19

03 Sep '19

Hi all, Is there anything cute one has to take into account when using Dovecot with users of Apple’s Mail.app? Behavior I’m seeing is that if I delete or move messages via Webmail (Roundcube, Horde, or even ActiveSync via Mail.app on my phone), they do get moved or deleted. However, if I take the same actions in the desktop mail client, when logging in to the Webmail (or phone) app, I see the messages still seeming to be in the Inbox. Is this known behavior? A peculiarity in Apple Mail? -- Coy Hile coy.hile(a)coyhile.com

4 5

Re: Re: Quota count and clone questions
by Bratislav ILIC 03 Sep '19

03 Sep '19

Hi, I presume you figured this out after all this time, but in any case. Since quota_clone is not cumulative, it always inserts new record with actual quota, to be able to get correct results in postfixadmin one must: DROP TRIGGER mergequota2 ON quota2; And to prevent ERROR: duplicate key value violates unique constraint "quota2_pkey": CREATE FUNCTION public.clone_quota2() RETURNS trigger LANGUAGE plpgsql AS $$ BEGIN UPDATE quota2 SET bytes = NEW.bytes, messages = NEW.messages WHERE username = NEW.username; IF found THEN RETURN NULL; ELSE RETURN NEW; END IF; END; $$; And then: CREATE TRIGGER clonequota2 BEFORE INSERT ON quota2 FOR EACH ROW EXECUTE PROCEDURE public.clone_quota2() ; And finally just put: quota_clone_dict = proxy::sqlquota Hope this helps somebody trying to figure out this too. > I figured out that I can't just drop maintaining quota2 if I want > postfixadmin to report the quota status. > > I also figured out a way to run a test on my config guesses. I will try > to fit it in today, or tomorrow. But any advise to the questions below > are welcomed! > >>On 2/13/19 8:53 PM, Robert Moskowitz via dovecot wrote: >> all this almost reads like I can drop maintaining the quota2 table? >> >> From https://wiki.dovecot.org/Quota/Count >> >> mailbox_list_index = yes >> # Avoid spending excessive time waiting for the quota calculation to >> finish when >> # mails' vsizes aren't already cached. If this many mails are opened, >> finish the >> # quota calculation on background in indexer-worker process. Mail >> deliveries will >> # be assumed to succeed, and explicit quota lookups will return >> internal error. >> mail_vsize_bg_after_count = 100 >> >> seems to belong in 10-mail.conf. That is where those var are shown. >> >> But: >> >> >> plugin { >> # 10MB quota limit >> quota = count:User quota >> quota_rule = *:storage=10M >> >> # This is required - it uses "virtual sizes" rather than "physical >> sizes" for quota counting: >> quota_vsizes = yes >> } >> >> I am having problems with. Right now for quota I have: >> >> plugin { >> quota = dict:user::proxy::sqlquota >> trash = /etc/dovecot/dovecot-trash.conf.ext >> } >> >> How do I reconcile these two? >> >> Then for clone: https://wiki.dovecot.org/Plugins/QuotaClone >> >> how does: >> >> mail_plugins = $mail_plugins quota quota_clone >> plugin { >> quota_clone_dict = redis:host=127.0.0.1:port=6379 >> } >> >> get replaced with something for mysql? >> >> dovecot-sql.conf.ext: >> >> driver = mysql >> connect = host=/var/lib/mysql/mysql.sock dbname=postfix user=postfix >> password=$Postfix_Database_Password >> default_pass_scheme = $cryptsha-CRYPT >> # following should all be on one line. >> password_query = SELECT username as user, password, >> concat('/home/vmail/', maildir) as userdb_home, >> concat('maildir:/home/vmail/', maildir) as userdb_mail, 101 as >> userdb_uid, 12 as userdb_gid FROM mailbox WHERE username = '%u' AND >> active = '1' >> # following should all be on one line >> user_query = SELECT concat('/home/vmail/', maildir) as home, >> concat('maildir:/home/vmail/', maildir) as mail, 101 AS uid, 12 AS >> gid, CONCAT('*:messages=30000:bytes=', quota) as quota_rule FROM >> mailbox WHERE username = '%u' AND active = '1' >> >> and >> >> dovecot-dict-sql.conf.ext: >> >> connect = host=/var/lib/mysql/mysql.sock dbname=postfix user=postfix >> password=$Postfix_Database_Password >> map { >> pattern = priv/quota/storage >> table = quota2 >> username_field = username >> value_field = bytes >> } >> map { >> pattern = priv/quota/messages >> table = quota2 >> username_field = username >> value_field = messages >> } >> >> >> >> thanks

1 0

Dovecot 2.3.7 - char "-" missing
by Domenico Pastore 03 Sep '19

03 Sep '19

Hello, i have update dovecot from version 2.2.15 to 2.3.7.2. I have a problem with mine java software because there is a different response when open connection to doveadm. I need open socket to doveadm for get imap quota of a mailbox. With version 2.2.15: # telnet 192.160.10.4 924 Trying 192.160.10.4... Connected to 192.160.10.4. Escape character is '^]'. - With version 2.3.7.2: # telnet 192.160.10.3 924 Trying 192.160.10.3... Connected to 192.160.10.3. Escape character is '^]'. The difference is "-" character. The version 2.3.7 not respond with "-" character after opening the connection. Is it possible to add the character again with a parameter? Why did doveadm's answer change? Br Domenico

3 2

Segfault with error 4 in doveadm-server
by holger＠dehnhardt.org 03 Sep '19

03 Sep '19

I set up dovecot on two servers with replication enabled. The replication is over a vpn connection. I get massive segfaults from doveadm-server every few minutes. dmesg: doveadm-server[30030]: segfault at 0 ip 0000557fa16d2e62 sp 00007ffdcaafec50 error 4 in doveadm-server[557fa16a3000+41000] [486397.225636] Code: 40 03 4c 8d 3c c3 48 8d 44 24 18 48 89 44 24 08 0f 1f 84 00 00 00 00 00 49 8b bc 24 60 01 00 00 e8 e3 2a 00 00 48 89 44 24 18 <48> 8b 13 48 8d 35 c4 8d 00 00 48 89 c7 e8 2c 2b 00 00 31 c0 c6 45 mail.err dovecot: doveadm: Fatal: master: service(doveadm): child 29507 killed with signal 11 (core dumps disabled) I am absolutely unaware of how I can come to the cause of this error. Can anyone give me a hint? ----------------------------- Configuration: # 2.2.13: /etc/dovecot/dovecot.conf # OS: Linux 5.1.14-xen x86_64 Debian 8.11 auth_debug = yes disable_plaintext_auth = no doveadm_password = xxxx doveadm_port = 4711 listen = * mail_access_groups = vmail mail_gid = vmail mail_home = /var/vmail/%d/%n mail_location = maildir:~/mail mail_plugins = " notify replication" mail_uid = vmail managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave namespace inbox { inbox = yes location = mailbox Drafts { auto = subscribe special_use = \Drafts } mailbox Junk { auto = subscribe special_use = \Junk } mailbox Sent { special_use = \Sent } mailbox Trash { auto = subscribe special_use = \Trash } prefix = } passdb { args = /etc/dovecot/dovecot-ldap.conf.ext driver = ldap } plugin { mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename mail_log_fields = uid box msgid size mail_replica = tcp:backup-vpn.local:12345 sieve = ~/.dovecot.sieve sieve_after = ~/sieve/after sieve_before = ~/sieve/before sieve_default = /var/vmail/%d/default.sieve sieve_dir = ~/sieve } protocols = " imap sieve pop3" service aggregator { fifo_listener replication-notify-fifo { mode = 0666 user = vmail } unix_listener replication-notify { mode = 0666 user = vmail } } service auth { unix_listener auth-client { group = vmail mode = 0660 user = vmail } unix_listener auth-userdb { mode = 0666 user = vmail } } service config { unix_listener config { user = vmail } } service doveadm { client_limit = 1 idle_kill = 0 inet_listener { address = master-vpn.local port = 12345 } process_limit = 0 process_min_avail = 0 user = vmail } service replicator { client_limit = 0 drop_priv_before_exec = no idle_kill = 4294967295 secs process_limit = 1 process_min_avail = 0 service_count = 0 unix_listener replicator-doveadm { group = vmail mode = 0666 user = dovecot } vsz_limit = 8 G } ssl_cert = </etc/ssl/certs/xxx.cert ssl_key = </etc/ssl/private/xxx.key userdb { args = /etc/dovecot/dovecot-ldap.conf.ext driver = ldap } protocol sieve { managesieve_implementation_string = Dovecot Pigeonhole managesieve_max_line_length = 65536 } protocol lda { mail_plugins = " notify replication acl sieve" } protocol imap { mail_plugins = " notify replication acl" }

3 6

LMTP Post login script for acl_groups
by lists＠mlserv.org 03 Sep '19

03 Sep '19

Hi, I use a post login script for imap, to fetch acl groups from LDAP. Because Dovecot can only deal with a single value, which must be a comma seperated list of groups, I decided to use a post login script do deal with multi values in LDAP: This looks like this in LDAP: rnsMSACLGroup: admin rnsMSACLGroup: automx rnsMSACLGroup: amavis rnsMSACLGroup: postfix rnsMSACLGroup: dovecot rnsMSACLGroup: rspamd rnsMSACLGroup: powerdns rnsMSACLGroup: sogo rnsMSACLGroup: zabbix rnsMSACLGroup: dane-users rnsMSACLGroup: gentoo rnsMSACLGroup: openbsd My post login script looks like this: --------------------------------------------------------- #!/bin/sh BINDDN='cn=dovecot-postlogin,ou=people,ou=it,dc=roessner-net,dc=de' BINDPWFILE='/etc/dovecot/ldap-postlogin.secret' BASE='ou=people,ou=it,dc=roessner-net,dc=de' LDAPSEARCH="/usr/bin/ldapsearch" AWK="/usr/bin/awk" test -x ${LDAPSEARCH} || exec "$@" test -x ${AWK} || exec "$@" ACL_GROUPS=$( ${LDAPSEARCH} -LLL -ZZ -y ${BINDPWFILE} -xD ${BINDDN} -b ${BASE} "(rnsMSDovecotUser=${USER})" rnsMSACLGroup | \ grep rnsMSACLGroup | \ ${AWK} -vORS=, '{ print $2 }' | \ sed 's/,$/\n/' ) export ACL_GROUPS export USERDB_KEYS="${USERDB_KEYS} acl_groups" exec "$@" --------------------------------------------------------- This script is included in imap-postlogin executables and works for logged in users. But it does not work for LMTP. LMTP itself seems not to have any permissions to access the folders associated with these groups. I thought, I simply could add the imap-postlogin block to lmtp-postlogin and that would work, but it doesn't. So here is the question: What am I missing in Dovecot that LMTP can also have ACL_GROUPS like the imap service? Here is my config (non-defaults): --------------------------------------------------------- doveconf -n # 2.3.7.1 (0152c8b10): /etc/dovecot/dovecot.conf # Pigeonhole version 0.5.7.1 (db5c74be) # OS: Linux 4.19.44-gentoo x86_64 Gentoo Base System release 2.6 # Hostname: mx.roessner-net.de auth_cache_size = 64 M auth_master_user_separator = * auth_mechanisms = plain login auth_ssl_username_from_cert = yes auth_verbose = yes default_client_limit = 5000 default_process_limit = 500 default_vsz_limit = 512 M disable_plaintext_auth = no hostname = mail.roessner-net.de imap_client_workarounds = tb-extra-mailbox-sep tb-lsub-flags imap_max_line_length = 4 M lda_mailbox_autocreate = yes lda_mailbox_autosubscribe = yes lmtp_rcpt_check_quota = yes login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c %k mail_access_groups = vmail mail_attachment_dir = /var/mail/virtual/copymail/attachments mail_gid = vmail mail_location = sdbox:~/sdbox mail_max_keyword_length = 4096 mail_plugins = quota acl fts fts_lucene zlib mail_log notify mail_privileged_group = mail mail_save_crlf = yes mail_uid = vmail managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext vacation-seconds imapsieve vnd.dovecot.imapsieve mdbox_preallocate_space = yes mdbox_rotate_size = 128 M namespace { list = children location = sdbox:%%h/sdbox prefix = Shared/%%u/ separator = / subscriptions = no type = shared } namespace { hidden = no list = children location = maildir:/var/mail/virtual/public:INDEXPVT=~/Maildir/public prefix = Public/ separator = / subscriptions = no type = public } namespace inbox { inbox = yes location = mailbox Archive { auto = subscribe special_use = \Archive } mailbox "Deleted Messages" { special_use = \Trash } mailbox Drafts { auto = subscribe special_use = \Drafts } mailbox Junk-E-Mail { special_use = \Junk } mailbox Junk { auto = subscribe special_use = \Junk } mailbox Sent { auto = subscribe special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Trash { auto = subscribe special_use = \Trash } prefix = separator = / type = private } passdb { args = /etc/dovecot/master-users driver = passwd-file master = yes pass = yes } passdb { args = /etc/dovecot/dovecot-ldap.conf.ext driver = ldap } plugin { acl = vfile:/etc/dovecot/dovecot-acl:cache_secs=300 acl_shared_dict = file:/var/mail/virtual/shared-mailboxes.db fts = lucene fts_autoindex = yes fts_lucene = whitespace_chars=@. imapsieve_mailbox1_before = file:/etc/dovecot/sieve/rspamd.d/report-spam.sieve imapsieve_mailbox1_causes = COPY FLAG imapsieve_mailbox1_name = Junk imapsieve_mailbox2_before = file:/etc/dovecot/sieve/rspamd.d/report-ham.sieve imapsieve_mailbox2_causes = COPY imapsieve_mailbox2_from = Junk imapsieve_mailbox2_name = * mail_log_events = delete undelete expunge copy save mailbox_create mailbox_delete mailbox_rename mail_log_fields = box msgid quota = count:User quota quota_grace = 10%% quota_rule = *:storage=300M:messages=20000 quota_rule2 = Trash:storage=+500M quota_rule3 = Sent:storage=+2G quota_rule4 = Archive:storage=+2G quota_status_nouser = DUNNO quota_status_overquota = 552 5.2.2 Mailbox is full quota_status_success = DUNNO quota_vsizes = yes quota_warning = storage=95%% quota-warning 95 %u quota_warning2 = storage=80%% quota-warning 80 %u quota_warning3 = -storage=100%% quota-warning below %u sieve = file:~/sieve;active=~/.dovecot.sieve sieve_after = /etc/dovecot/sieve/after sieve_before = /etc/dovecot/sieve/before sieve_extensions = +vacation-seconds sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.execute +vnd.dovecot.debug sieve_pipe_bin_dir = /usr/bin sieve_plugins = sieve_imapsieve sieve_extprograms sieve_vacation_default_period = 10d sieve_vacation_max_period = 30d sieve_vacation_min_period = 1h zlib_save = gz zlib_save_level = 6 } protocols = imap pop3 lmtp submission sieve service auth-worker { extra_groups = ssl-cert unix_listener auth-worker { mode = 0600 user = vmail } user = vmail } service auth { extra_groups = ssl-cert unix_listener /var/spool/postfix-submission/private/auth { group = postfix mode = 0666 user = postfix } unix_listener auth-userdb { mode = 0600 user = vmail } user = vmail } service config { unix_listener config { mode = 0600 user = vmail } } service dict { unix_listener dict { mode = 0600 user = vmail } } service imap-login { inet_listener imap { address = 127.0.0.1 134.255.226.248 ::1 2a05:bec0:28:1:134:255:226:248 } inet_listener imaps { port = 0 } } service imap-postlogin { executable = script-login /usr/local/bin/dovecot-masteruser.sh /usr/local/bin/dovecot-lastlogin.sh /usr/local/bin/dovecot-aclgroups.sh user = vmail } service imap { executable = imap imap-postlogin } service lmtp-postlogin { executable = script-login /usr/local/bin/dovecot-aclgroups.sh user = vmail } service lmtp { executable = lmtp lmtp-postlogin inet_listener lmtp { address = 127.0.0.1 port = 24 } unix_listener /var/spool/postfix/private/lmtp-dovecot { group = postfix mode = 0660 user = postfix } } service managesieve-login { inet_listener sieve { address = 127.0.0.1 134.255.226.248 ::1 2a05:bec0:28:1:134:255:226:248 } } service pop3-login { inet_listener pop3 { address = 127.0.0.1 134.255.226.248 ::1 2a05:bec0:28:1:134:255:226:248 } inet_listener pop3s { port = 0 } } service quota-status { client_limit = 1 executable = quota-status -p postfix inet_listener { address = 127.0.0.1 port = 12340 } } service quota-warning { executable = script /usr/local/bin/quota-warning.sh extra_groups = mail unix_listener quota-warning { group = vmail mode = 0600 user = vmail } user = vmail } ssl_cert = </etc/ssl/mail.roessner-net.de/cert/fullchain.pem ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH ssl_client_cert = </etc/ssl/mail.roessner-net.de/cert/fullchain.pem ssl_client_key = # hidden, use -P to show it ssl_dh = # hidden, use -P to show it ssl_key = # hidden, use -P to show it ssl_min_protocol = TLSv1.2 ssl_prefer_server_ciphers = yes submission_client_workarounds = whitespace-before-path submission_relay_host = mail.roessner-net.de submission_relay_port = 5870 submission_relay_ssl = starttls submission_relay_trusted = yes userdb { args = /etc/dovecot/dovecot-ldap-userdb.conf.ext driver = ldap } verbose_proctitle = yes protocol lmtp { mail_plugins = quota acl fts fts_lucene zlib mail_log notify sieve } protocol lda { mail_plugins = quota acl fts fts_lucene zlib mail_log notify sieve } protocol imap { mail_max_userip_connections = 50 mail_plugins = quota acl fts fts_lucene zlib mail_log notify imap_quota imap_acl imap_zlib imap_sieve } protocol submission { login_greeting = ESMTP } --------------------------------------------------------- Thanks for any help in advance Christian

3 15

dovecot 2.2 repo
by Bas van Rooijen 02 Sep '19

02 Sep '19

Hi, >From the v2.2.36.4 announcement message: "Binary packages are available at https://repo.dovecot.org/" My question is, where exactly? There's an instruction at repo.dovecot.org that tells you to replace 'ce-latest-2.3' with 'ce-<version>' but the given url doesn't even contain 'ce-latest-2.3' and http://repo.dovecot.org/ce-2.2.36 returns a 404. Thanks in advance! bvr.

4 3

Experimental docker images
by aki.tuomi＠dovecot.fi 02 Sep '19

02 Sep '19

Hi, you can now find experimental Docker images for dovecot CE releases (starting from 2.3.7.2) from https://hub.docker.com/r/dovecot/dovecot You can find instructions and more details on the repository page. ---- Aki

1 0