July 2020 - dovecot - dovecot.org

Dovecot - Xoauth2 - keycloak
by la.jolie＠paquerette 09 Jul '20

09 Jul '20

Hello, Still trying to make roundcube / Dovecot works with Keycloak. Dovecot can't seem to validate the access_token that Roundcube gave. ----- Jul 08 20:48:05 auth: Debug: http-client[1]: request [Req1: GET https://my.keycloak.host/auth/realms/test_saml/protocol/openid-connect/toke…] Sent header Jul 08 20:48:05 auth: Debug: http-client[1]: peer 11.22.33.44:443: No more requests to service for this peer (1 connections exist, 0 pending) Jul 08 20:48:05 auth: Debug: http-client[1]: conn 11.22.33.44:443 [0]: Got 404 response for request [Req1: GET https://my.keycloak.host/auth/realms/test_saml/protocol/openid-connect/toke…] (took 11 ms + 19 ms in queue) Jul 08 20:48:05 auth: Debug: oauth2(my.mail@whatever,::1,<Z2mDOfSpJJ8AAAAAAAAAAAAAAAAAAAAB>): oauth2: callback(0, Invalid token) ---- The access_token used by Dovecot is the right one. Dovecot also has the right login (my.mail@whatever) The Nginx and Keycloak logs show this: ---- - - [08/Jul/2020:23:25:18 +0200] "POST /auth/realms/test_saml/protocol/openid-connect/token HTTP/1.1" 200 3171 "-" "Guzzle/5.3.1 curl/7.64.0 PHP/7.3.14-1~deb10u1" - - [08/Jul/2020:23:42:05 +0200] "GET /auth/realms/test_saml/protocol/openid-connect/tokeneyJhbGciOiJFUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJEZzR2aWtndzN2MWVpQVgxMU10YkFIaXRaUnM2R2RlVzN3b3hGTTBpd1NnIn0.eyJleHAiOjE1OTQyNDE0NjUsImlhdCI6MTU5NDI0MTI4NSwiYXV0aF90aW1lIjoxNTk0MjM0ODI3LCJqdGkiOiI0NjRlZjc5NS0yZDYzLTQzYjktYjU4My1iYTY2MmFkMWRhYzUiLCJpc3MiOiJodHRwczovL3Nzby5udWJvLmNvb3AvYXV0aC9yZWFsbXMvdGVzdF9zYW1sIiwiYXVkIjoiYWNjb3VudCIsInN1YiI6IjhlZWNiODVjLTZlMDYtNGZhNC1iYTAwLTdlMGRlM2MyMWYxNCIsInR5cCI6IkJlYXJlciIsImF6cCI6InJvdW5kY3ViZSIsInNlc3Npb25fc3RhdGUiOiJmOTYyNWM3OS02OTM5LTRkZjEtOGM2Yi1hYWM5Y2EzYWJkY2YiLCJhY3IiOiIwIiwiYWxsb3dlZC1vcmlnaW5zIjpbImh0dHA6Ly9yYy5udWJvLmRvbWFpbmVwdWJsaWMubmV0Il0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgbWljcm9wcm9maWxlLWp3dCBwcm9maWxlIGVtYWlsIG9mZmxpbmVfYWNjZXNzIiwidWlkIjoicXVlbmVubmkiLCJ1cG4iOiJxdWVuZW5uaSIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwibmFtZSI6Iktlbm55IExvdXZlYXV4IExvdXZlYXV4IiwiZ3JvdXBzIjpbIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iXSwicHJlZmVycmVkX3VzZXJuYW1lIjoicXVlbmVubmkiLCJnaXZlbl9uYW1lIjoiS2VubnkgTG91dmVhdXgiLCJmYW1pbHlfbmFtZSI6IkxvdXZlYXV4IiwiZW1haWwiOiJrZW5ueUBudWJvLnNpdGUifQ.TsUBiZ5nSTuA9ojr6bao5NQUHeNRmcYQZsC95rrhYca9FsFG4xG8mT53X9eOSNEqzRMJiPHaDuAh-3Bq8Rjdlg HTTP/1.1" 404 1465 "-" "dovecot-oauth2-passdb/2.3.4.1" DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-2) RESTEASY002315: PathInfo: /realms/test_saml/protocol/openid-connect/tokeneyJhbGciOiJFUzI1N iIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJEZzR2aWtndzN2MWVpQVgxMU10YkFIaXRaUnM2R2RlVzN3b3hGTTBpd1NnIn0.eyJleHAiOjE1OTQyNDQ3MDQsImlhdCI6MTU5NDI0NDUyNCwiYXV0aF90aW1lIjoxNTk0MjQ0MzQ3LCJqdGk iOiIyYTg3MjQ3NS0zMGMxLTRmMDctODg5Ny04YmQ4OTJjMGI1MjEiLCJpc3MiOiJodHRwczovL3Nzby5udWJvLmNvb3AvYXV0aC9yZWFsbXMvdGVzdF9zYW1sIiwiYXVkIjoiYWNjb3VudCIsInN1YiI6IjhlZWNiODVjLTZlMDYtNGZhN C1iYTAwLTdlMGRlM2MyMWYxNCIsInR5cCI6IkJlYXJlciIsImF6cCI6InJvdW5kY3ViZSIsInNlc3Npb25fc3RhdGUiOiJmMjY0OTQyMy0xNmZkLTQzMTgtYTVkYy04NWJhNmU3YTQ4MWYiLCJhY3IiOiIwIiwiYWxsb3dlZC1vcmlnaW5 zIjpbImh0dHA6Ly9yYy5udWJvLmRvbWFpbmVwdWJsaWMubmV0Il0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6e yJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgbWljcm9wcm9maWxlLWp3dCBwcm9maWxlIGVtYWlsIG9mZmxpbmVfYWNjZXNzIiwidWl kIjoicXVlbmVubmkiLCJ1cG4iOiJxdWVuZW5uaSIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwibmFtZSI6Iktlbm55IExvdXZlYXV4IExvdXZlYXV4IiwiZ3JvdXBzIjpbIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iX SwicHJlZmVycmVkX3VzZXJuYW1lIjoicXVlbmVubmkiLCJnaXZlbl9uYW1lIjoiS2VubnkgTG91dmVhdXgiLCJmYW1pbHlfbmFtZSI6IkxvdXZlYXV4IiwiZW1haWwiOiJrZW5ueUBudWJvLnNpdGUifQ.TsUBiZ5nSTuA9ojr6bao5NQUHe NRmcYQZsC95rrhYca9FsFG4xG8mT53X9eOSNEqzRMJiPHaDuAh-3Bq8Rjdlg --- Dovecot does a GET request where the access_token is directly attached to the 'tokeninfo_url' option. Is that the correct/normal way? Shouldn't it be a POST with data passed as params? Or is it Keycloak that should accept that request? Thanks Kenny

2 1

Re: Urgent Help required
by Kishore Potnuru 08 Jul '20

08 Jul '20

Hi, Our organisation has dependencies. There is a separate team/department who creates the servers for us. When they build a new RHEL system, the system will come up with various in-house softwares/tools. Those tools are not compatible as of now with RHEL8. So, our organisation is going with redhat 7.7 only as of today which is supported for all in-house tools also. This is my current situation: 1) I have 2 test servers which are loaded with the following configuration. ============= [root@devap01 ~]# cat /etc/redhat-* Red Hat Enterprise Linux Server release 6.10 (Santiago) [root@devap01 ~]# dovecot --version 2.0.9 [root@devap01 ~]# postconf | grep mail_version mail_version = 2.6.6 =============== So, I would like to install the max possible dovecot version on the above servers for the testing purpose. I would like to implement the HA/Resilience with those 2 servers. I have shared storage and individual storage in this environment. But I am seeing some issues with both of them ( I explained details in my first email thread). please see if you can help. 2) If it is successful, I will get two RHEL 7.7 servers to implement the same in LIVE environment for HA/Resilience. First I am going with compatibility issues to resolve in my environment. Once that is resolved, I will go with HA/Resilience implementation. Please let me know if you need any more details. Thanks & Regards, Kishore Potnuru On Wed, Jul 8, 2020 at 8:57 PM Marc Roos <M.Roos(a)f1-outsourcing.eu> wrote: > > > >>> with broken or vulnerable software is there really a benefit? > >> > >> LTS distributions back port necessary patches > > >Then the OP should be able to update to a dovecot that doesn't have the > issue, right? > > I have no idea what his issue is, and why he is stuck even in specific > releases. I have been running dovecot on el6 and el7 for years and years > without issues. > > > > > > > >

2 1

RE: Urgent Help required
by Marc Roos 08 Jul '20

08 Jul '20

>>The other side of the question is, Why is the software always so "vulnerable" and "broken" in the first >>place as to be unsuitable for Long Term Support? >> >>If the software code worked when it was released some number of years ago, then why doesn't it still work >>the same way today as it it did when it was released? Whenever I hear people complain about computers and/or software. I always suggest them to use something like the abacus of 2000 bc. You should be glad for what they do for you ;) And since humans operate them, you will find annoyances as with doctors amputating the wrong limb.

1 0

Re: Urgent Help required
by Kishore Potnuru 08 Jul '20

08 Jul '20

Thank you for your reply. 1. Am i able to upgrade directly from 2.0 to 2.3? or I should go periodically from 2.0 to 2.1, then 2.1 to 2.2, then 2.2 to 2.3....? 2. could you please suggest me steps to pick the correct package to upgrade in the above version (2.1, 2.2, 2.3)? 3. which location i need to download the packages? 4. I am using redhat servers. Am i able to directly download and upgrade the software from my redhat linux server? please advise step-by-step instructions for this? Thanks, Kishore Potnuru On Wed, Jul 8, 2020 at 11:00 AM Apostolis Hardalias <a.hardalias(a)skroutz.gr> wrote: > > On 7/8/20 12:53 PM, Kishore Potnuru wrote: > > Hi All, > > > > I request your help on this. > > > > I have 2 dovecot test servers (IMAP protocol) installed with the > > following configuration. > > ============= > > [root@devap01 ~]# cat /etc/redhat-* > > Red Hat Enterprise Linux Server release 6.10 (Santiago) > > > > [root@devap01 ~]# dovecot --version > > 2.0.9 > > > > [root@devap01 ~]# postconf | grep mail_version > > mail_version = 2.6.6 > > =============== > > > > I have another server also "devap02" with the same configuration. > > > > Couple of points/questions/queries here. > > > > 1. I know these servers are having old dovecot versions. I would like > > to upgrade to the latest versions. Could you please suggest the steps > > for upgrading to the latest version in redhat (step by step details > > are helpful please) . If I upgrade to the latest version, will there > > be any impact on the existing configuration/setup? > > Check the documents posted here: > > https://doc.dovecot.org/installation_guide/upgrading/from-2.0-to-2.1/ > > https://doc.dovecot.org/installation_guide/upgrading/from-2.1-to-2.2/ > > https://doc.dovecot.org/installation_guide/upgrading/from-2.2-to-2.3/ > > Depending on your setup, you may also need to check for changes to > additional software (e.g. amavis) > > > > > 2. Now I have added these 2 servers behind the Load Balancer. Enabled > > 110/143 ports on the Load Balancer FQDN (test.pop3.testing.com > > <http://test.pop3.testing.com>) and opened the firewall ports. Here I > > configured IMAP settings from microsoft outlook to see the emails. I > > gave the Incoming Mail Server & Outgoing mail server as > > "test.pop3.testing.com <http://test.pop3.testing.com>". It is > > configured without errors in Outlook. But I see these 2 types issues > > (shared storage & individual storage) > > > > a) individual separate storage - When I send 10 emails to LB FQDN > > (test.pop3.testing.com <http://test.pop3.testing.com>), the emails are > > going to 2 backend servers. But when i see the emails from Outlook > > inbox, it shows 5 emails from one server for some time. After sometime > > it shows other 5 emails in the inbox. But, I am not able to see all 10 > > emails at same time in my inbox. Please suggest how to fix this issue? > > In this scenario, I have separate individual storage in both the servers. > > I'm not sure if you've set it up already because it's unclear from the > configuration you posted but, you may wanna have a look at: > https://wiki.dovecot.org/Replication > > I suggest using replication after you've upgraded since earlier versions > of dovecot had a few issues. > > > > b) common shared storage - I have tried a different scenario also. > > I also have one common NFS storage. So, I have configured that storage > > in both the servers. So when I sent 10 emails, I see all the 10 emails > > from both the servers as it is common shared storage. But, I am not > > getting those 10 emails delivered into my Outlook. I have made all the > > configuration correctly. Please suggest what is the mistake here. > > > > Dovecot.conf > > ========================================================= > > > > [root@devap01 ~]# cat /etc/dovecot/dovecot.conf > > disable_plaintext_auth = no > > > > listen = * > > log_path = /var/log/dovecot.log > > mail_location = maildir:/r3/mail/virtual/%d/%n/Maildir/ > > passdb { > > args = /etc/dovecot/passwd > > driver = passwd-file > > } > > pop3_uidl_format = %g > > protocols = imap pop3 > > ssl = yes > > ssl_cert = </etc/pki/dovecot/certs/dovecot.pem > > ssl_key = </etc/pki/dovecot/private/dovecot.pem > > > > userdb { > > args = uid=vmail gid=vmail home=/r3/mail/virtual/%d/%n > > driver = static > > } > > mail_debug = no > > verbose_ssl = no > > ========================================================= > > > > Please help me here. > > > > Thanks, > > Kishore Potnuru >

1 1

Dovecot Maildirs multi language
by Luca Müller 07 Jul '20

07 Jul '20

Hello, I'm hosting a few customers on a dovecot Server. Most users speak german and have german as their main language. I configured the IMAP Foldernames in a Dovecot configuration file like this: ##### root@srv04:~# cat /etc/dovecot/conf.d/105-mailboxes.conf imap_capability = +XLIST namespace inbox { inbox = yes location = separator = / mailbox "Entwürfe" { auto = subscribe special_use = \Drafts auto=subscribe } mailbox Junk-E-Mail { special_use = \Junk auto=subscribe } mailbox "Gelöschte Elemente" { special_use = \Trash auto=subscribe } mailbox "Gesendete Elemente" { special_use = \Sent auto=subscribe } mailbox Archive { special_use = \Archive auto=subscribe } } ##### Dovecot Version: 2.3.10 (0da0eff44) ##### Is it possible to change this configuration for specific users or to provide multi language support somehow? Thanks in advance. Best regards, Luca

4 4

dovecot oauth
by la.jolie＠paquerette 06 Jul '20

06 Jul '20

Hello, I'm trying to configure roundcube / dovecot to work with keycloak. I activated xoauth2 oauthbearer in dovecot. But a problem occurs when dovecot tries to contact the keycloak server (logs are below). My problem looks like this one: https://dovecot.org/pipermail/dovecot/2019-December/117768.html The response to this problem was about a bug in oauth driver (https://dovecot.org/pipermail/dovecot/2019-December/117787.html) Mizuki was using Dovecot v2.2.36 (1f10bfa63) I have Dovecot Dovecot v2.3.4.1 (f79e8e7e4) I'm wondering if this bug is still present in my version or if I have another problem. Both my servers (dovecot and keycloak) are using let's encrypt certificates. I tried to configure Keycloak with nginx proxy and without it (access via port 8443) (in case the problem came from the ssl config on the keycloak server), but still the same error. If the bug is fixed, then could someone tell me what do I have to put in the option tls_ca_cert_file? I tried with /etc/letsencrypt/live/my.host/chain.pem and also certs I got from let's encrypt website (https://letsencrypt.org/certificates/ / tried ISRG Root X1 (self-signed) & Let’s Encrypt Authority X3 (IdenTrust cross-signed) & Let’s Encrypt Authority X3 (Signed by ISRG Root X1)) But I always have the same error. Thanks, Kenny My configs: - I'm on a Debian Buster with Dovecot / postfix / roundcube - dovecot -n : --- # 2.3.4.1 (f79e8e7e4): /etc/dovecot/dovecot.conf # Pigeonhole version 0.5.4 () # OS: Linux 4.19.0-5-cloud-amd64 x86_64 Debian 10.4 auth_debug = yes auth_mechanisms = xoauth2 oauthbearer login auth_verbose = yes debug_log_path = /var/log/dovecot-debug.log first_valid_gid = 10000 first_valid_uid = 10000 info_log_path = /var/log/dovecot.log last_valid_gid = 20000 last_valid_uid = 20000 lda_mailbox_autocreate = yes log_path = /var/log/dovecot.log mail_debug = yes mail_gid = mail mail_location = maildir:~/Maildir mail_privileged_group = mail namespace inbox { inbox = yes location = mailbox Drafts { special_use = \Drafts } mailbox Junk { special_use = \Junk } mailbox Sent { special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Trash { special_use = \Trash } prefix = } passdb { args = /etc/dovecot/dovecot-ldap.conf.ext driver = ldap } passdb { args = /etc/dovecot/dovecot-oauth2.conf.ext driver = oauth2 mechanisms = xoauth2 oauthbearer } plugin { sieve = file:~/sieve;active=~/.dovecot.sieve } protocols = " imap" service auth { unix_listener /var/spool/postfix/private/auth { mode = 0600 user = postfix } unix_listener auth-master { mode = 0600 user = mail } unix_listener auth-userdb { mode = 0600 user = mail } } service stats { unix_listener stats-reader { mode = 0600 user = mail } unix_listener stats-writer { mode = 0600 user = mail } } ssl_cert = </etc/letsencrypt/live/my.host/fullchain.pem ssl_client_ca_dir = /etc/ssl/certs ssl_dh = # hidden, use -P to show it ssl_key = # hidden, use -P to show it ssl_prefer_server_ciphers = yes ssl_require_crl = no userdb { args = /etc/dovecot/dovecot-ldap.conf.ext driver = ldap } userdb { args = gid=mail home=/var/mail/%u driver = static } verbose_ssl = yes protocol lda { info_log_path = /var/log/dovecot-deliver.log log_path = /var/log/dovecot-deliver-errors.log } ------ - dovecot-oauth2.conf.ext ----- tokeninfo_url = https://my.keycloak.host/auth/realms/test_saml/protocol/openid-connect/token introspection_mode = post introspection_url = https://my.keycloak.host/auth/realms/test_saml/protocol/openid-connect/toke… username_attribute = email tls_ca_cert_file = /etc/letsencrypt/live/my.host/chain.pem #tls_ca_cert_file = /etc/ssl/certs/letsencrypt.pem #active_attribute = enableMail #active_value = TRUE debug = yes rawlog_dir = /tmp/oauth2 ----- * Logs: ------- Jul 04 17:00:12 auth: Debug: oauth2(my.mail@whatever,::1,<fG8uk6CpBJ0AAAAAAAAAAAAAAAAAAAAB>): oauth2: Making token validation lookup to https://my.keycloak.host/auth/realms/test_saml/protocol/openid-connect/token Jul 04 17:00:12 auth: Debug: http-client: host my.keycloak.host: Host created Jul 04 17:00:12 auth: Debug: http-client: host my.keycloak.host: Host session created Jul 04 17:00:12 auth: Debug: http-client: host my.keycloak.host: IPs have expired; need to refresh DNS lookup Jul 04 17:00:12 auth: Debug: http-client: host my.keycloak.host: Performing asynchronous DNS lookup Jul 04 17:00:12 auth: Debug: http-client[1]: request [Req1: GET https://my.keycloak.host/auth/realms/test_saml/protocol/openid-connect/toke…... (long token)]: Submitted (requests left=1) Jul 04 17:00:12 auth: Debug: http-client: host my.keycloak.host: DNS lookup successful; got 1 IPs Jul 04 17:00:12 auth: Debug: http-client: peer 151.62.56.14 (shared): Peer created Jul 04 17:00:12 auth: Debug: http-client: peer 151.62.56.14: Peer pool created Jul 04 17:00:12 auth: Debug: http-client[1]: peer 151.62.56.14: Peer created Jul 04 17:00:12 auth: Debug: http-client[1]: queue https://my.keycloak.host: Setting up connection to 151.62.56.14 (SSL=my.keycloak.host) (1 requests pending) Jul 04 17:00:12 auth: Debug: http-client[1]: peer 151.62.56.14: Linked queue https://my.keycloak.host (1 queues linked) Jul 04 17:00:12 auth: Debug: http-client[1]: queue https://my.keycloak.host: Started new connection to 151.62.56.14 (SSL=my.keycloak.host) Jul 04 17:00:12 auth: Debug: http-client[1]: peer 151.62.56.14: Creating 1 new connections to handle requests (already 0 usable, connecting to 0, closing 0) Jul 04 17:00:12 auth: Debug: http-client[1]: peer 151.62.56.14: Making new connection 1 of 1 (0 connections exist, 0 pending) Jul 04 17:00:12 auth: Debug: http-client[1]: conn 151.62.56.14 [0]: (151.62.56.14): Connecting Jul 04 17:00:12 auth: Debug: http-client[1]: conn 151.62.56.14 [0]: (151.62.56.14): Waiting for connect (fd=22) to finish for max 0 msecs Jul 04 17:00:12 auth: Debug: http-client[1]: conn 151.62.56.14 [0]: HTTPS connection created (1 parallel connections exist) Jul 04 17:00:12 auth: Debug: http-client[1]: conn 151.62.56.14 [0]: (151.62.56.14): Client connected (fd=22) Jul 04 17:00:12 auth: Debug: http-client[1]: conn 151.62.56.14 [0]: Connected Jul 04 17:00:12 auth: Debug: http-client[1]: conn 151.62.56.14 [0]: Starting SSL handshake Jul 04 17:00:12 auth: Debug: my.keycloak.host: SSL: where=0x10, ret=1: before SSL initialization Jul 04 17:00:12 auth: Debug: my.keycloak.host: SSL: where=0x1001, ret=1: before SSL initialization Jul 04 17:00:12 auth: Debug: my.keycloak.host: SSL: where=0x1001, ret=1: SSLv3/TLS write client hello Jul 04 17:00:12 auth: Debug: my.keycloak.host: SSL: where=0x1002, ret=-1: SSLv3/TLS write client hello Jul 04 17:00:12 auth: Debug: my.keycloak.host: SSL: where=0x1002, ret=-1: SSLv3/TLS write client hello Jul 04 17:00:12 auth: Debug: my.keycloak.host: SSL: where=0x1001, ret=1: SSLv3/TLS write client hello Jul 04 17:00:12 auth: Debug: my.keycloak.host: SSL: where=0x1001, ret=1: SSLv3/TLS read server hello Jul 04 17:00:12 auth: Debug: my.keycloak.host: SSL error: Received invalid SSL certificate: unable to get issuer certificate: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 Jul 04 17:00:12 auth: Debug: my.keycloak.host: SSL: where=0x1001, ret=1: SSLv3/TLS read server certificate Jul 04 17:00:12 auth: Debug: my.keycloak.host: SSL: where=0x1001, ret=1: SSLv3/TLS read server key exchange Jul 04 17:00:12 auth: Debug: my.keycloak.host: SSL: where=0x1001, ret=1: SSLv3/TLS read server done Jul 04 17:00:12 auth: Debug: my.keycloak.host: SSL: where=0x1001, ret=1: SSLv3/TLS write client key exchange Jul 04 17:00:12 auth: Debug: my.keycloak.host: SSL: where=0x1001, ret=1: SSLv3/TLS write change cipher spec Jul 04 17:00:12 auth: Debug: my.keycloak.host: SSL: where=0x1001, ret=1: SSLv3/TLS write finished Jul 04 17:00:12 auth: Debug: my.keycloak.host: SSL: where=0x1002, ret=-1: SSLv3/TLS write finished Jul 04 17:00:12 auth: Debug: my.keycloak.host: SSL: where=0x1002, ret=-1: SSLv3/TLS write finished ==> dovecot.log <== Jul 04 17:00:12 auth: Info: Received invalid SSL certificate: unable to get issuer certificate: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 ==> dovecot-debug.log <== Jul 04 17:00:12 auth: Debug: my.keycloak.host: SSL: where=0x1002, ret=-1: SSLv3/TLS write finished Jul 04 17:00:12 auth: Debug: my.keycloak.host: SSL: where=0x1001, ret=1: SSLv3/TLS write finished Jul 04 17:00:12 auth: Debug: my.keycloak.host: SSL: where=0x1001, ret=1: SSLv3/TLS read change cipher spec Jul 04 17:00:12 auth: Debug: my.keycloak.host: SSL: where=0x1001, ret=1: SSLv3/TLS read finished Jul 04 17:00:12 auth: Debug: my.keycloak.host: SSL: where=0x20, ret=1: SSL negotiation finished successfully Jul 04 17:00:12 auth: Debug: my.keycloak.host: SSL: where=0x1002, ret=1: SSL negotiation finished successfully Jul 04 17:00:12 auth: Debug: my.keycloak.host: SSL error: Received invalid SSL certificate: unable to get issuer certificate: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 Jul 04 17:00:12 auth: Debug: http-client[1]: peer 151.62.56.14: Connection failed (1 connections exist, 0 pending) Jul 04 17:00:12 auth: Debug: http-client: peer 151.62.56.14: Failed to make connection (1 connections exist, 0 pending) Jul 04 17:00:12 auth: Debug: http-client[1]: peer 151.62.56.14: Failed to establish any connection within our peer pool: SSL handshaking with 151.62.56.14 failed: read(SSL 151.62.56.14) failed: Received invalid SSL certificate: unable to get issuer certificate: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 (1 connections exist, 0 pending) Jul 04 17:00:12 auth: Debug: http-client[1]: queue https://my.keycloak.host: Failed to set up connection to 151.62.56.14 (SSL=my.keycloak.host): SSL handshaking with 151.62.56.14 failed: read(SSL 151.62.56.14) failed: Received invalid SSL certificate: unable to get issuer certificate: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 (1 peers pending, 1 requests pending) Jul 04 17:00:12 auth: Debug: http-client[1]: queue https://my.keycloak.host: Failed to set up any connection; failing all queued requests Jul 04 17:00:12 auth: Debug: http-client[1]: peer 151.62.56.14: Unlinked queue https://my.keycloak.host (0 queues linked) Jul 04 17:00:12 auth: Debug: http-client[1]: request [Req1: GET https://my.keycloak.host/auth/realms/test_saml/protocol/openid-connect/toke…... (long token)]: Error: 9003 SSL handshaking with 151.62.56.14 failed: read(SSL 151.62.56.14) failed: Received invalid SSL certificate: unable to get issuer certificate: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 Jul 04 17:00:12 auth: Debug: http-client[1]: queue https://my.keycloak.host: Dropping request [Req1: GET https://my.keycloak.host/auth/realms/test_saml/protocol/openid-connect/toke…... (long token)] Jul 04 17:00:12 auth: Debug: oauth2(my.mail@whatever,::1,<fG8uk6CpBJ0AAAAAAAAAAAAAAAAAAAAB>): oauth2: callback(-1, SSL handshaking with 151.62.56.14 failed: read(SSL 151.62.56.14) failed: Received invalid SSL certificate: unable to get issuer certificate: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3) ==> dovecot.log <== Jul 04 17:00:12 auth: Error: oauth2(my.mail@whatever,::1,<fG8uk6CpBJ0AAAAAAAAAAAAAAAAAAAAB>): oauth2 failed: SSL handshaking with 151.62.56.14 failed: read(SSL 151.62.56.14) failed: Received invalid SSL certificate: unable to get issuer certificate: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 ==> dovecot-debug.log <== Jul 04 17:00:12 auth: Debug: http-client[1]: request [Req1: GET https://my.keycloak.host/auth/realms/test_saml/protocol/openid-connect/toke…... (long token)]: Destroy (requests left=1) Jul 04 17:00:12 auth: Debug: http-client[1]: request [Req1: GET https://my.keycloak.host/auth/realms/test_saml/protocol/openid-connect/toke…... (long token)]: Free (requests left=0) Jul 04 17:00:12 auth: Debug: http-client[1]: conn 151.62.56.14 [0]: SSL handshaking with 151.62.56.14 failed: read(SSL 151.62.56.14) failed: Received invalid SSL certificate: unable to get issuer certificate: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 Jul 04 17:00:12 auth: Debug: http-client[1]: conn 151.62.56.14 [0]: Connection close Jul 04 17:00:12 auth: Debug: http-client[1]: conn 151.62.56.14 [0]: Connection disconnect Jul 04 17:00:12 auth: Debug: http-client[1]: conn 151.62.56.14 [0]: (151.62.56.14): Disconnected: Connection closed: Received invalid SSL certificate: unable to get issuer certificate: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 (fd=22) Jul 04 17:00:12 auth: Debug: my.keycloak.host: SSL error: Received invalid SSL certificate: unable to get issuer certificate: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 Jul 04 17:00:12 auth: Debug: http-client[1]: conn 151.62.56.14 [0]: Detached peer Jul 04 17:00:12 auth: Debug: http-client[1]: conn 151.62.56.14 [0]: Connection destroy -------

2 4

export of information about mail into csv
by Marcel Blenkers 05 Jul '20

05 Jul '20

3 3

Quota: How/where to set/change
by Frank Elsner 03 Jul '20

03 Jul '20

Hi experts. in the output of imapsync I found: Host2: found quota, presented in raw IMAP Sending: 7 GETQUOTAROOT INBOX Sent 22 bytes Read: * QUOTAROOT INBOX "User quota" * QUOTA "User quota" (STORAGE 420325 1953125) 7 OK Getquotaroot completed (0.001 + 0.000 secs). Host2: Quota current storage is 430412800 bytes. Limit is 2000000000 bytes. So 21.52 % full Host2 is under my control and running dovecot-2.3.10.1. I need to increase the quota above 2 GB but don't know where it comes from and therefor don't know what to do. This is the doveconf -a: | # 2.3.10.1 (a3d0e1171): /usr/local/dovecot/etc/dovecot/dovecot.conf | # OS: Linux 5.7.6-201.fc32.x86_64 x86_64 Fedora release 32 (Thirty Two) ext3 | # Hostname: christo.fritz.box | # NOTE: Send doveconf -n output instead when asking for help. | auth_anonymous_username = anonymous | auth_cache_negative_ttl = 1 hours | auth_cache_size = 0 | auth_cache_ttl = 1 hours | auth_cache_verify_password_with_worker = no | auth_debug = no | auth_debug_passwords = no | auth_default_realm = | auth_failure_delay = 2 secs | auth_gssapi_hostname = | auth_krb5_keytab = | auth_master_user_separator = | auth_mechanisms = plain login | auth_policy_check_after_auth = yes | auth_policy_check_before_auth = yes | auth_policy_hash_mech = sha256 | auth_policy_hash_nonce = | auth_policy_hash_truncate = 12 | auth_policy_log_only = no | auth_policy_reject_on_fail = no | auth_policy_report_after_auth = yes | auth_policy_request_attributes = login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s | auth_policy_server_api_header = | auth_policy_server_timeout_msecs = 2000 | auth_policy_server_url = | auth_proxy_self = | auth_realms = | auth_socket_path = auth-userdb | auth_ssl_require_client_cert = no | auth_ssl_username_from_cert = no | auth_stats = no | auth_use_winbind = no | auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@ | auth_username_format = %Lu | auth_username_translation = | auth_verbose = no | auth_verbose_passwords = no | auth_winbind_helper_path = /usr/bin/ntlm_auth | auth_worker_max_count = 30 | base_dir = /var/run/dovecot | config_cache_size = 1 M | debug_log_path = | default_client_limit = 1024 | default_idle_kill = 1 mins | default_internal_group = dovecot | default_internal_user = dovecot | default_login_user = dovenull | default_process_limit = 256 | default_vsz_limit = 512 M | deliver_log_format = msgid=%m: %$ | dict_db_config = | director_flush_socket = | director_mail_servers = | director_max_parallel_kicks = 100 | director_max_parallel_moves = 100 | director_output_buffer_size = 10 M | director_ping_idle_timeout = 30 secs | director_ping_max_timeout = 1 mins | director_servers = | director_user_expire = 15 mins | director_user_kick_delay = 2 secs | director_username_hash = %Lu | disable_plaintext_auth = yes | dotlock_use_excl = yes | doveadm_allowed_commands = | doveadm_api_key = | doveadm_http_rawlog_dir = | doveadm_password = | doveadm_port = 0 | doveadm_socket_path = doveadm-server | doveadm_ssl = no | doveadm_username = doveadm | doveadm_worker_count = 0 | dsync_alt_char = _ | dsync_commit_msgs_interval = 100 | dsync_features = | dsync_hashed_headers = Date Message-ID | dsync_remote_cmd = ssh -l%{login} %{host} doveadm dsync-server -u%u -U | first_valid_gid = 1 | first_valid_uid = 200 | haproxy_timeout = 3 secs | haproxy_trusted_networks = | hostname = | imap_capability = | imap_client_workarounds = | imap_fetch_failure = disconnect-immediately | imap_hibernate_timeout = 0 | imap_id_log = | imap_id_retain = no | imap_id_send = name * | imap_idle_notify_interval = 2 mins | imap_literal_minus = no | imap_logout_format = in=%i out=%o deleted=%{deleted} expunged=%{expunged} trashed=%{trashed} hdr_count=%{fetch_hdr_count} hdr_bytes=%{fetch_hdr_bytes} body_count=%{fetch_body_count} body_bytes=%{fetch_body_bytes} | imap_max_line_length = 64 k | imap_metadata = no | imap_urlauth_host = | imap_urlauth_logout_format = in=%i out=%o | imap_urlauth_port = 143 | imapc_cmd_timeout = 5 mins | imapc_connection_retry_count = 1 | imapc_connection_retry_interval = 1 secs | imapc_features = | imapc_host = | imapc_list_prefix = | imapc_master_user = | imapc_max_idle_time = 29 mins | imapc_max_line_length = 0 | imapc_password = | imapc_port = 143 | imapc_rawlog_dir = | imapc_sasl_mechanisms = | imapc_ssl = no | imapc_ssl_verify = yes | imapc_user = | import_environment = TZ CORE_OUTOFMEM CORE_ERROR | info_log_path = | instance_name = dovecot | last_valid_gid = 0 | last_valid_uid = 65534 | lda_mailbox_autocreate = no | lda_mailbox_autosubscribe = no | lda_original_recipient_header = | libexec_dir = /usr/local/dovecot/libexec/dovecot | listen = * | lmtp_add_received_header = yes | lmtp_client_workarounds = | lmtp_hdr_delivery_address = final | lmtp_proxy = no | lmtp_proxy_rawlog_dir = | lmtp_rawlog_dir = | lmtp_rcpt_check_quota = no | lmtp_save_to_detail_mailbox = yes | lmtp_user_concurrency_limit = 0 | lock_method = fcntl | log_core_filter = | log_debug = | log_path = syslog | log_timestamp = "%b %d %H:%M:%S " | login_access_sockets = | login_greeting = m28a.ddns.net - IMAPs Service (dovecot) ready. | login_log_format = %$: %s | login_log_format_elements = %u %r %c | login_plugin_dir = /usr/local/dovecot/lib/dovecot/login | login_plugins = | login_proxy_max_disconnect_delay = 0 | login_proxy_notify_path = proxy-notify | login_source_ips = | login_trusted_networks = | mail_access_groups = | mail_always_cache_fields = | mail_attachment_detection_options = | mail_attachment_dir = | mail_attachment_fs = sis posix | mail_attachment_hash = %{sha1} | mail_attachment_min_size = 128 k | mail_attribute_dict = | mail_cache_compress_continued_percentage = 200 | mail_cache_compress_delete_percentage = 20 | mail_cache_compress_header_continue_count = 4 | mail_cache_compress_min_size = 32 k | mail_cache_fields = flags | mail_cache_min_mail_count = 0 | mail_cache_record_max_size = 64 k | mail_cache_unaccessed_field_drop = 30 days | mail_chroot = | mail_debug = no | mail_fsync = optimized | mail_full_filesystem_access = no | mail_gid = | mail_home = | mail_index_log2_max_age = 2 days | mail_index_log_rotate_max_size = 1 M | mail_index_log_rotate_min_age = 5 mins | mail_index_log_rotate_min_size = 32 k | mail_index_rewrite_max_log_bytes = 128 k | mail_index_rewrite_min_log_bytes = 8 k | mail_location = maildir:/var/spool/mail/%u:LAYOUT=fs | mail_log_prefix = "%Us(%u,%r): " | mail_max_keyword_length = 50 | mail_max_lock_timeout = 0 | mail_max_userip_connections = 10 | mail_never_cache_fields = imap.envelope | mail_nfs_index = no | mail_nfs_storage = no | mail_plugin_dir = /usr/dovecot/lib/dovecot/ | mail_plugins = notify quota fts fts_squat acl | mail_prefetch_count = 0 | mail_privileged_group = | mail_save_crlf = no | mail_server_admin = | mail_server_comment = | mail_shared_explicit_inbox = no | mail_sort_max_read_count = 0 | mail_temp_dir = /tmp | mail_temp_scan_interval = 1 weeks | mail_uid = | mail_vsize_bg_after_count = 0 | mailbox_idle_check_interval = 30 secs | mailbox_list_index = yes | mailbox_list_index_include_inbox = no | mailbox_list_index_very_dirty_syncs = no | maildir_broken_filename_sizes = no | maildir_copy_with_hardlinks = yes | maildir_empty_new = no | maildir_stat_dirs = no | maildir_very_dirty_syncs = no | master_user_separator = | mbox_dirty_syncs = yes | mbox_dotlock_change_timeout = 2 mins | mbox_lazy_writes = yes | mbox_lock_timeout = 5 mins | mbox_md5 = apop3d | mbox_min_index_size = 0 | mbox_read_locks = fcntl | mbox_very_dirty_syncs = no | mbox_write_locks = dotlock fcntl | mdbox_preallocate_space = no | mdbox_rotate_interval = 0 | mdbox_rotate_size = 10 M | mmap_disable = no | namespace inbox { | disabled = no | hidden = no | ignore_on_failure = no | inbox = yes | list = yes | location = | mailbox Drafts { | auto = no | autoexpunge = 0 | autoexpunge_max_mails = 0 | comment = | driver = | special_use = \Drafts | } | mailbox Gesendet { | auto = no | autoexpunge = 0 | autoexpunge_max_mails = 0 | comment = | driver = | special_use = \Sent | } | mailbox SPAM { | auto = no | autoexpunge = 0 | autoexpunge_max_mails = 0 | comment = | driver = | special_use = \Junk | } | mailbox Sent { | auto = no | autoexpunge = 0 | autoexpunge_max_mails = 0 | comment = | driver = | special_use = \Sent | } | mailbox Trash { | auto = no | autoexpunge = 0 | autoexpunge_max_mails = 0 | comment = | driver = | special_use = \Trash | } | order = 0 | prefix = | separator = | subscriptions = yes | type = private | } | old_stats_carbon_interval = 30 secs | old_stats_carbon_name = | old_stats_carbon_server = | old_stats_command_min_time = 1 mins | old_stats_domain_min_time = 12 hours | old_stats_ip_min_time = 12 hours | old_stats_memory_limit = 16 M | old_stats_session_min_time = 15 mins | old_stats_user_min_time = 1 hours | passdb { | args = dovecot | auth_verbose = default | default_fields = | deny = no | driver = pam | master = no | mechanisms = | name = | override_fields = | pass = no | result_failure = continue | result_internalfail = continue | result_success = return-ok | skip = never | username_filter = | } | plugin { | fts = squat | fts_squat = partial=4 full=10 | mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename flag_change append | mail_log_fields = uid box from subject msgid size flags | mail_log_group_events = yes | quota = maildir:User quota | quota_rule = ?:storage=5G | quota_rule2 = Trash:storage=+100M | } | pop3_client_workarounds = | pop3_delete_type = default | pop3_deleted_flag = | pop3_enable_last = no | pop3_fast_size_lookups = no | pop3_lock_session = no | pop3_logout_format = top=%t/%p, retr=%r/%b, del=%d/%m, size=%s | pop3_no_flag_updates = no | pop3_reuse_xuidl = no | pop3_save_uidl = no | pop3_uidl_duplicates = allow | pop3_uidl_format = %08Xu%08Xv | pop3c_features = | pop3c_host = | pop3c_master_user = | pop3c_password = | pop3c_port = 110 | pop3c_quick_received_date = no | pop3c_rawlog_dir = | pop3c_ssl = no | pop3c_ssl_verify = yes | pop3c_user = %u | postmaster_address = mailonator(a)mailbox.org | protocols = imap | quota_full_tempfail = no | rawlog_dir = | recipient_delimiter = + | rejection_reason = Your message to <%t> was automatically rejected:%n%r | rejection_subject = Rejected: %s | replication_dsync_parameters = -d -N -l 30 -U | replication_full_sync_interval = 1 days | replication_max_conns = 10 | replicator_host = replicator | replicator_port = 0 | sendmail_path = /usr/sbin/sendmail | service aggregator { | chroot = . | client_limit = 0 | drop_priv_before_exec = no | executable = aggregator | extra_groups = | fifo_listener replication-notify-fifo { | group = | mode = 0600 | user = | } | group = | idle_kill = 0 | privileged_group = | process_limit = 0 | process_min_avail = 0 | protocol = | service_count = 0 | type = | unix_listener replication-notify { | group = | mode = 0600 | user = | } | user = $default_internal_user | vsz_limit = 18446744073709551615 B | } | service anvil { | chroot = empty | client_limit = 1024 | drop_priv_before_exec = no | executable = anvil | extra_groups = | group = | idle_kill = 4294967295 secs | privileged_group = | process_limit = 1 | process_min_avail = 1 | protocol = | service_count = 0 | type = anvil | unix_listener anvil-auth-penalty { | group = | mode = 0600 | user = | } | unix_listener anvil { | group = | mode = 0600 | user = | } | user = $default_internal_user | vsz_limit = 18446744073709551615 B | } | service auth-worker { | chroot = | client_limit = 1 | drop_priv_before_exec = no | executable = auth -w | extra_groups = | group = | idle_kill = 0 | privileged_group = | process_limit = 0 | process_min_avail = 0 | protocol = | service_count = 1 | type = | unix_listener auth-worker { | group = | mode = 0600 | user = $default_internal_user | } | user = | vsz_limit = 18446744073709551615 B | } | service auth { | chroot = | client_limit = 0 | drop_priv_before_exec = no | executable = auth | extra_groups = | group = | idle_kill = 0 | privileged_group = | process_limit = 1 | process_min_avail = 0 | protocol = | service_count = 0 | type = | unix_listener auth-client { | group = exim | mode = 0660 | user = exim | } | unix_listener auth-login { | group = | mode = 0600 | user = $default_internal_user | } | unix_listener auth-master { | group = | mode = 0600 | user = | } | unix_listener auth-userdb { | group = | mode = 0666 | user = $default_internal_user | } | unix_listener login/login { | group = | mode = 0666 | user = | } | unix_listener token-login/tokenlogin { | group = | mode = 0666 | user = | } | user = $default_internal_user | vsz_limit = 18446744073709551615 B | } | service config { | chroot = | client_limit = 0 | drop_priv_before_exec = no | executable = config | extra_groups = | group = | idle_kill = 4294967295 secs | privileged_group = | process_limit = 0 | process_min_avail = 0 | protocol = | service_count = 0 | type = config | unix_listener config { | group = | mode = 0600 | user = | } | user = | vsz_limit = 18446744073709551615 B | } | service dict-async { | chroot = | client_limit = 0 | drop_priv_before_exec = no | executable = dict | extra_groups = | group = | idle_kill = 0 | privileged_group = | process_limit = 0 | process_min_avail = 0 | protocol = | service_count = 0 | type = | unix_listener dict-async { | group = $default_internal_group | mode = 0660 | user = | } | user = $default_internal_user | vsz_limit = 18446744073709551615 B | } | service dict { | chroot = | client_limit = 1 | drop_priv_before_exec = no | executable = dict | extra_groups = | group = | idle_kill = 0 | privileged_group = | process_limit = 0 | process_min_avail = 0 | protocol = | service_count = 0 | type = | unix_listener dict { | group = $default_internal_group | mode = 0660 | user = | } | user = $default_internal_user | vsz_limit = 18446744073709551615 B | } | service director { | chroot = . | client_limit = 0 | drop_priv_before_exec = no | executable = director | extra_groups = | fifo_listener login/proxy-notify { | group = | mode = 00 | user = | } | group = | idle_kill = 4294967295 secs | privileged_group = | process_limit = 1 | process_min_avail = 0 | protocol = | service_count = 0 | type = | unix_listener director-admin { | group = | mode = 0600 | user = | } | unix_listener login/director { | group = | mode = 00 | user = | } | user = $default_internal_user | vsz_limit = 18446744073709551615 B | } | service dns_client { | chroot = | client_limit = 1 | drop_priv_before_exec = no | executable = dns-client | extra_groups = | group = | idle_kill = 0 | privileged_group = | process_limit = 0 | process_min_avail = 0 | protocol = | service_count = 0 | type = | unix_listener dns-client { | group = | mode = 0666 | user = | } | unix_listener login/dns-client { | group = | mode = 0666 | user = | } | user = $default_internal_user | vsz_limit = 18446744073709551615 B | } | service doveadm { | chroot = | client_limit = 1 | drop_priv_before_exec = no | executable = doveadm-server | extra_groups = $default_internal_group | group = | idle_kill = 0 | privileged_group = | process_limit = 0 | process_min_avail = 0 | protocol = | service_count = 1 | type = | unix_listener doveadm-server { | group = | mode = 0600 | user = | } | user = | vsz_limit = 18446744073709551615 B | } | service health-check { | chroot = | client_limit = 1 | drop_priv_before_exec = yes | executable = script -p health-check.sh | extra_groups = | group = | idle_kill = 0 | privileged_group = | process_limit = 0 | process_min_avail = 0 | protocol = | service_count = 0 | type = | user = $default_internal_user | vsz_limit = 18446744073709551615 B | } | service imap-hibernate { | chroot = | client_limit = 0 | drop_priv_before_exec = no | executable = imap-hibernate | extra_groups = | group = | idle_kill = 0 | privileged_group = | process_limit = 0 | process_min_avail = 0 | protocol = imap | service_count = 0 | type = | unix_listener imap-hibernate { | group = $default_internal_group | mode = 0660 | user = | } | user = $default_internal_user | vsz_limit = 18446744073709551615 B | } | service imap-login { | chroot = login | client_limit = 0 | drop_priv_before_exec = no | executable = imap-login | extra_groups = | group = | idle_kill = 0 | inet_listener imap { | address = | haproxy = no | port = 143 | reuse_port = no | ssl = no | } | inet_listener imaps { | address = | haproxy = no | port = 993 | reuse_port = no | ssl = yes | } | privileged_group = | process_limit = 512 | process_min_avail = 3 | protocol = imap | service_count = 1 | type = login | user = $default_login_user | vsz_limit = 18446744073709551615 B | } | service imap-postlogin { | chroot = | client_limit = 0 | drop_priv_before_exec = no | executable = script-login /usr/local/sbin/dovecot-imap-post-login | extra_groups = | group = | idle_kill = 0 | privileged_group = | process_limit = 0 | process_min_avail = 0 | protocol = | service_count = 0 | type = | user = | vsz_limit = 18446744073709551615 B | } | service imap-urlauth-login { | chroot = token-login | client_limit = 0 | drop_priv_before_exec = no | executable = imap-urlauth-login | extra_groups = | group = | idle_kill = 0 | privileged_group = | process_limit = 0 | process_min_avail = 0 | protocol = imap | service_count = 1 | type = login | unix_listener imap-urlauth { | group = | mode = 0666 | user = | } | user = $default_login_user | vsz_limit = 18446744073709551615 B | } | service imap-urlauth-worker { | chroot = | client_limit = 1 | drop_priv_before_exec = no | executable = imap-urlauth-worker | extra_groups = $default_internal_group | group = | idle_kill = 0 | privileged_group = | process_limit = 1024 | process_min_avail = 0 | protocol = imap | service_count = 1 | type = | unix_listener imap-urlauth-worker { | group = | mode = 0600 | user = $default_internal_user | } | user = | vsz_limit = 18446744073709551615 B | } | service imap-urlauth { | chroot = | client_limit = 1 | drop_priv_before_exec = no | executable = imap-urlauth | extra_groups = | group = | idle_kill = 0 | privileged_group = | process_limit = 1024 | process_min_avail = 0 | protocol = imap | service_count = 1 | type = | unix_listener token-login/imap-urlauth { | group = | mode = 0666 | user = | } | user = $default_internal_user | vsz_limit = 18446744073709551615 B | } | service imap { | chroot = | client_limit = 1 | drop_priv_before_exec = no | executable = imap | extra_groups = $default_internal_group | group = | idle_kill = 0 | privileged_group = | process_limit = 128 | process_min_avail = 0 | protocol = imap | service_count = 1 | type = | unix_listener imap-master { | group = | mode = 0600 | user = | } | unix_listener login/imap { | group = | mode = 0666 | user = | } | user = | vsz_limit = 18446744073709551615 B | } | service indexer-worker { | chroot = | client_limit = 1 | drop_priv_before_exec = no | executable = indexer-worker | extra_groups = $default_internal_group | group = | idle_kill = 0 | privileged_group = | process_limit = 10 | process_min_avail = 0 | protocol = | service_count = 0 | type = | unix_listener indexer-worker { | group = | mode = 0600 | user = $default_internal_user | } | user = | vsz_limit = 18446744073709551615 B | } | service indexer { | chroot = | client_limit = 0 | drop_priv_before_exec = no | executable = indexer | extra_groups = | group = | idle_kill = 0 | privileged_group = | process_limit = 1 | process_min_avail = 0 | protocol = | service_count = 0 | type = | unix_listener indexer { | group = | mode = 0666 | user = | } | user = $default_internal_user | vsz_limit = 18446744073709551615 B | } | service ipc { | chroot = empty | client_limit = 0 | drop_priv_before_exec = no | executable = ipc | extra_groups = | group = | idle_kill = 0 | privileged_group = | process_limit = 1 | process_min_avail = 0 | protocol = | service_count = 0 | type = | unix_listener ipc { | group = | mode = 0600 | user = $default_internal_user | } | unix_listener login/ipc-proxy { | group = | mode = 0600 | user = $default_login_user | } | user = $default_internal_user | vsz_limit = 18446744073709551615 B | } | service lmtp { | chroot = | client_limit = 1 | drop_priv_before_exec = no | executable = lmtp | extra_groups = $default_internal_group | group = | idle_kill = 0 | privileged_group = | process_limit = 0 | process_min_avail = 0 | protocol = lmtp | service_count = 0 | type = | unix_listener lmtp { | group = | mode = 0666 | user = | } | user = | vsz_limit = 18446744073709551615 B | } | service log { | chroot = | client_limit = 0 | drop_priv_before_exec = no | executable = log | extra_groups = | group = | idle_kill = 4294967295 secs | privileged_group = | process_limit = 1 | process_min_avail = 0 | protocol = | service_count = 0 | type = log | unix_listener log-errors { | group = | mode = 0600 | user = | } | user = | vsz_limit = 18446744073709551615 B | } | service old-stats { | chroot = empty | client_limit = 0 | drop_priv_before_exec = no | executable = old-stats | extra_groups = | fifo_listener old-stats-mail { | group = | mode = 0600 | user = | } | fifo_listener old-stats-user { | group = | mode = 0600 | user = | } | group = | idle_kill = 4294967295 secs | privileged_group = | process_limit = 1 | process_min_avail = 0 | protocol = | service_count = 0 | type = | unix_listener old-stats { | group = | mode = 0600 | user = | } | user = $default_internal_user | vsz_limit = 18446744073709551615 B | } | service pop3-login { | chroot = login | client_limit = 0 | drop_priv_before_exec = no | executable = pop3-login | extra_groups = | group = | idle_kill = 0 | inet_listener pop3 { | address = | haproxy = no | port = 110 | reuse_port = no | ssl = no | } | inet_listener pop3s { | address = | haproxy = no | port = 995 | reuse_port = no | ssl = yes | } | privileged_group = | process_limit = 0 | process_min_avail = 0 | protocol = pop3 | service_count = 1 | type = login | user = $default_login_user | vsz_limit = 18446744073709551615 B | } | service pop3 { | chroot = | client_limit = 1 | drop_priv_before_exec = no | executable = pop3 | extra_groups = $default_internal_group | group = | idle_kill = 0 | privileged_group = | process_limit = 128 | process_min_avail = 0 | protocol = pop3 | service_count = 1 | type = | unix_listener login/pop3 { | group = | mode = 0666 | user = | } | user = | vsz_limit = 18446744073709551615 B | } | service replicator { | chroot = | client_limit = 0 | drop_priv_before_exec = no | executable = replicator | extra_groups = | group = | idle_kill = 4294967295 secs | privileged_group = | process_limit = 1 | process_min_avail = 0 | protocol = | service_count = 0 | type = | unix_listener replicator-doveadm { | group = | mode = 00 | user = $default_internal_user | } | unix_listener replicator { | group = | mode = 0600 | user = $default_internal_user | } | user = | vsz_limit = 18446744073709551615 B | } | service stats { | chroot = | client_limit = 0 | drop_priv_before_exec = no | executable = stats | extra_groups = | group = | idle_kill = 4294967295 secs | privileged_group = | process_limit = 1 | process_min_avail = 0 | protocol = | service_count = 0 | type = | unix_listener stats-reader { | group = | mode = 0600 | user = | } | unix_listener stats-writer { | group = $default_internal_group | mode = 0660 | user = | } | user = $default_internal_user | vsz_limit = 18446744073709551615 B | } | service submission-login { | chroot = login | client_limit = 0 | drop_priv_before_exec = no | executable = submission-login | extra_groups = | group = | idle_kill = 0 | inet_listener submission { | address = | haproxy = no | port = 587 | reuse_port = no | ssl = no | } | privileged_group = | process_limit = 0 | process_min_avail = 0 | protocol = submission | service_count = 1 | type = login | user = $default_login_user | vsz_limit = 18446744073709551615 B | } | service submission { | chroot = | client_limit = 1 | drop_priv_before_exec = no | executable = submission | extra_groups = $default_internal_group | group = | idle_kill = 0 | privileged_group = | process_limit = 1024 | process_min_avail = 0 | protocol = submission | service_count = 1 | type = | unix_listener login/submission { | group = | mode = 0666 | user = | } | user = | vsz_limit = 18446744073709551615 B | } | shutdown_clients = yes | ssl = yes | ssl_alt_cert = | ssl_alt_key = | ssl_ca = | ssl_cert = </usr/local/etc/Certs/m28a.crt | ssl_cert_username_field = commonName | ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH | ssl_client_ca_dir = | ssl_client_ca_file = | ssl_client_cert = | ssl_client_key = | ssl_client_require_valid_cert = yes | ssl_crypto_device = | ssl_curve_list = | ssl_dh = # hidden, use -P to show it | ssl_key = # hidden, use -P to show it | ssl_key_password = | ssl_min_protocol = TLSv1 | ssl_options = | ssl_prefer_server_ciphers = no | ssl_require_crl = yes | ssl_verify_client_cert = no | state_dir = /var/lib/dovecot | stats_writer_socket_path = stats-writer | submission_client_workarounds = | submission_host = | submission_logout_format = in=%i out=%o | submission_max_mail_size = 0 | submission_max_recipients = 0 | submission_relay_command_timeout = 5 mins | submission_relay_connect_timeout = 30 secs | submission_relay_host = | submission_relay_master_user = | submission_relay_max_idle_time = 29 mins | submission_relay_password = | submission_relay_port = 25 | submission_relay_rawlog_dir = | submission_relay_ssl = no | submission_relay_ssl_verify = yes | submission_relay_trusted = no | submission_relay_user = | submission_ssl = no | submission_timeout = 30 secs | syslog_facility = mail | userdb { | args = | auth_verbose = default | default_fields = | driver = passwd | name = | override_fields = | result_failure = continue | result_internalfail = continue | result_success = return-ok | skip = never | } | valid_chroot_dirs = | verbose_proctitle = yes | verbose_ssl = no | version_ignore = no | protocol lmtp { | mail_plugins = notify quota fts fts_squat acl | } | protocol lda { | mail_plugins = notify quota fts fts_squat acl | } | protocol imap { | imap_client_workarounds = delay-newmail tb-extra-mailbox-sep tb-lsub-flags | imap_id_log = * | imap_logout_format = [%i/%o] | mail_max_userip_connections = 0 | mail_plugins = notify quota fts fts_squat acl quota imap_quota listescape fts fts_squat | } The config may be sub-optimal. Please concentrate on my quota problem. Stay healthy, Frank Elsner

1 0

Mail replication fails between v2.2.27 and v2.3.4.1
by Apostolis Hardalias 03 Jul '20

03 Jul '20

Hello, I have two installations of dovecot configured to replicate mailboxes between them. recently, i upgraded the operating system on one of them (mx2.example.com) and now i'm running one installation on version 2.2.27 (debian stretch) and another on version 2.3.4.1 (mx1.example.com debian buster). My setup includes 3 shared namespaces that point to the mailboxes of 3 accounts. these accounts are setup to use maildir format. After upgrading one of the hosts, i started having issues with failed replications on those mailboxes. I tried running the replication manually and repeatedly by issuing the following on mx1.example.com: doveadv -d sync -u exception_bucket(a)example.com -d -l 30 -n -u and the logs on mx2.example.com included the following lines consistently: Jul 02 14:21:58 dsync-server(exception_bucket(a)example.com): Debug: brain S: Change during sync: Mailbox GUID 2d32711ddfd27250390e0000a712b6e3 was lost Jul 02 14:21:58 dsync-server(exception_bucket(a)example.com): Debug: brain S: We don't have mailbox 2d32711ddfd27250390e0000a712b6e3 I double checked for the existance of the mailbox with that guid (that guid points to the inbox) and the mailbox existed on both servers but, the contents of the mailbox on the two servers where different (missing e-mails on both servers). I attempted running a force-resync command as follows but with no luck. doveadm -d force-resync -u exception_bucket(a)example.com inbox but the issue persisted. admittedly, i didn't run the command on both servers because i read it doesn't replicate after figuring a workaround. The next thing i tried was attempting replication without the -n flag, given that you mention that there are some issues replicating shared namespaces. That didn't fix the replication status either. After looking around, i came onto the solution on this thread: https://dovecot.org/pipermail/dovecot/2017-october/109620.html which proposed setting mailbox_list_index = no. This was the default setting on version 2.2.27, so i changed that setting on mx2.example.com which was running version 2.3.4.1. This allowed the replication to work but i don't think it is a setting i want in my configuration. Is there something i can do to re-enable dovecot to check index files instead of mailboxes? Could that be an issue when replicating between those two different versions? I'm attaching the configuration files for both the mailservers, a separate configuration file is included since mail_replica settings are set from there, and a link to the compressed log file i pulled during the operation. https://filebin.net/d9yygnq8jg74unwb/replication_debug.log.bz2?t=vv2o81ka Thank you in advance, Apostolis Hardalias

1 0

local stanza only generated for IPv6
by Jeremy Ardley 02 Jul '20

02 Jul '20

I have a mail server with multiple IP addresses and associated DNS names In the dovecot configuration I have a listen directive: listen = mail.example.com.com,mail.otherexample.com,localhost Multiple local stanzas are of the form: local mail.example.com { protocol imap { ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem ssl_key = </etc/letsencrypt/live/mail.example.com/privkey.pem service imaps_login { inet_listener imaps { address=mail.example.com } inet_listener imap { address=mail.example.com } } } } mail.example.com has IPv4 and IPv6 addresses in DNS When I run doveconf -n the local configuration is only generated for the IPv6 address. I can test the operation on IPv6 using openSSL and see different server certificates on different IP addresses as expected. How do I force local generation for both IPv4 and IPv6 ?

3 4