February 2024 - dovecot

Re: Auth USER lookup failed
by Michael Slusarz 08 Feb '24

08 Feb '24

> On 02/05/2024 10:17 PM MST thecoudge(a)gmail.com wrote: > > I have dovecot working with PAM and Samba DC authentication for IMAP. However when I'm attempting to pass emails from postfix via LMTP > I don't actually need to authenticate LMTP I'm happy to check for valid users upstream. > > I'm getting the error: > Feb 06 15:11:39 Debian-server postfix/local[178200]: ADF0E78713C: passing <dom.username(a)Debian-server.sr.local> to transport=lmtp > Feb 06 15:11:39 Debian-server dovecot[178075]: auth: Error: static(dom.username): passdb doesn't support lookups, can't verify user's existence > Feb 06 15:11:39 Debian-server dovecot[178075]: lmtp(dom.username(a)Debian-server.sr.local)<178233><GJ/9Nou/wWU5uAIAiShiCA:T2>: Error: auth-master: userdb lookup(dom.username(a)Debian-server.sr.local): Auth USER lookup failed You need to define a userdb to return user information. Since LMTP doesn't require auth, it can't use the passdb so that's what the error message is saying. michael

3 2

Permission problem when using sieve script
by tacodewolff＠gmail.com 07 Feb '24

07 Feb '24

Hi, I've been banging my head on this problem for a while now and need some help on this issue. I've set up Dovecot with Sieve scripts, which use bash scripts to either learn ham or learn spam. This is sent to the Rspamd controller (using a Unix socket at /var/run/rspamd/rspamd-controller.sock). The socket has permissions 660 and is owned by _rspamd:_rspamd. It's directory and parent directory have 755. The sieve script looks like: exec /usr/bin/rspamc -h /var/run/rspamd/rspamd-controller.sock -P 'password' learn_ham I've added the dovecot user to the _rspamd group, but I consistently get "Permission denied" when marking emails as ham/spam. Only when I make the socket permission 666 it works correctly. Also when the permission is 660 but ownership is _rspamd:dovecot it works as well. I don't want the former as anyone could connect, and the latter can't be set automatically in Rspamd. I'm pulling my hairs out. I've tried to figure out the user and group that dovecot uses to run the sieve script (creatively by 'exit'ing the bash script with the uid or gid as error code), and they are both 97 (i.e. dovecot uid and gid). I've tried personally logging in as dovecot using 'sudo -u dovecot bash' and then using 'socat' to connect to the socket. This works fine. But through the dovecot sieve script for some reason it's not working. I've tried disabling SELinux and fapolicyd, but no luck. Is Dovecot using some restricted permissions when running sieve scripts? # dovecot --version 2.3.16 (7e2e900c1a) Thank you, Taco

1 1

Auth USER lookup failed
by thecoudge＠gmail.com 06 Feb '24

06 Feb '24

I have dovecot working with PAM and Samba DC authentication for IMAP. However when I'm attempting to pass emails from postfix via LMTP I don't actually need to authenticate LMTP I'm happy to check for valid users upstream. I'm getting the error: Feb 06 15:11:39 Debian-server postfix/local[178200]: ADF0E78713C: passing <dom.username(a)Debian-server.sr.local> to transport=lmtp Feb 06 15:11:39 Debian-server dovecot[178075]: auth: Error: static(dom.username): passdb doesn't support lookups, can't verify user's existence Feb 06 15:11:39 Debian-server dovecot[178075]: lmtp(dom.username(a)Debian-server.sr.local)<178233><GJ/9Nou/wWU5uAIAiShiCA:T2>: Error: auth-master: userdb lookup(dom.username(a)Debian-server.sr.local): Auth USER lookup failed Feb 06 15:11:39 Debian-server dovecot[178075]: lmtp(178233): Error: lmtp-server: conn unix:pid=178201,uid=111 [4]: rcpt dom.username(a)Debian-server.sr.local: Failed to lookup user dom.usernamey(a)Debian-server.sr.local: Internal error occurred. Refer to server log for more information. Doveconf -n: auth_username_format = %Ln disable_plaintext_auth = no mail_gid = vmail mail_location = maildir:/var/mail/virtual/%d/%n mail_privileged_group = mail mail_uid = vmail namespace inbox { inbox = yes location = mailbox Drafts { special_use = \Drafts } mailbox Junk { special_use = \Junk } mailbox Sent { special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Trash { special_use = \Trash } prefix = } passdb { args = mail driver = pam } plugin { sieve = file:~/sieve;active=~/.dovecot.sieve } protocols = " imap lmtp lmtp" service auth { unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0666 user = postfix } } service lmtp { unix_listener /var/spool/postfix/private/dovecot-lmtp { group = postfix mode = 0600 user = postfix } } ssl_cert = </etc/dovecot/private/dovecot.pem ssl_client_ca_dir = /etc/ssl/certs ssl_dh = # hidden, use -P to show it ssl_key = # hidden, use -P to show it protocol lmtp { passdb { args = allow_all_users=yes driver = pam name = } }

2 1

possible wrong sql syntax ?
by Maurizio Caloro 06 Feb '24

06 Feb '24

hi i dont know exactly what succeeded but me alias don't run any more :-/ i know i used to be able to send mail via aliases from mae to markus(a)domain.com The names have of course been changed, simply for reasons of data protection. frendly asking i need little help, i think i have syntax mistake on mysql syntax call please why auth-worker don't find the alias mae, and send back "unknown user" ? emails send to markus(a)domain.com and also other mail adresses will run without problems. only the function alias no longer wants to. Feb 05 Time Dovecot/lmtp(279699): Info: Connect from local Feb 05 Time Dovecot/auth-worker(279700): Info: conn unix:auth-worker (pid=279685,uid=113): auth-worker<5>: sql(mae(a)domain.com): unknown user Feb 05 Time Dovecot/lmtp(279699): Info: Disconnect from local: Client has quit the connection (state=READY) dovecot.conf [snip] passdb { args = /etc/dovecot/dovecot-sql.conf driver = sql } userdb { args = /etc/dovecot/dovecot-sql.conf driver = sql } cat auth-sql.conf.ext [snip] passdb { driver = mysql args = /etc/dovecot/dovecot-sql.conf } userdb { driver = mysql args = /etc/dovecot/dovecot-sql.conf } # cat dovecot-sql.conf driver = mysql connect = host=localhost dbname=mailserver user=username password= default_pass_scheme = CRYPT user_query = SELECT '/srv/vmail/%d/%n' AS home, '10000' AS uid, '10000' AS gid, CONCAT('*:storage=', (quota*1024)) as quota_rule FROM mailbox WHERE username='%u' AND active = 1 password_query = SELECT username AS user, password, '/srv/vmail/%d/%n' AS userdb_home, '10000' AS userdb_uid, '10000' AS userdb_gid, CONCAT('maildir:storage=', (quota*1024)) as userdb_quota FROM mailbox WHERE username='%u' AND active = 1 yes this exist as mailbox # dovecot user markus(a)domain.com field value uid 10000 gid 10000 home /srv/vmail/domain.com/markus mail maildir:~/Maildir quota_rule *:storage=0 yes the mae are only a alias, so i think this are right!? # dovecot user mae(a)domain.com userdb lookup: user mae(a)domain.com doesn't exist field value MariaDB [mailserver]> SELECT * FROM mailbox; +------------------ +----------+--------+---------------------+------------+------------+---------+ | username | password | name | maildir | local_part | domain | active | +-------------------+----------+--------+---------------------+------------+------------+---------+ | markus(a)domain.com | ******** | markus | domain.com/markus/ | Markus M | domain.com | 1 | MariaDB [mailserver]> SELECT * FROM alias; +-----------------+--------------------+------------+--------+ | address | goto | domain | active | +-----------------+---------------------------------+--------+ | mae(a)domain.com | markus(a)domain.com | domain.com | 1 | +-----------------+---------------------------------+--------+ 34 rows in set (0.001 sec) dovecot --version 2.3.13 (89f716dc2) postconf mail_version 3.5.23 mysql Ver 15.1 Distrib 10.5.21-MariaDB debian 11 bullseye

1 0

Sieve question: Rewriting from using variables (ccsend issues)
by Ian Evans 06 Feb '24

06 Feb '24

As a journalist, I deal with a lot of PR companies that use constant contact. For years, I've built up a nice sieve filter that sports these people into my PR folder. I guess to help with dkim/SPF issues, Constant Contact has started rewriting the from header to the sender's address rewritten to end with a ccsend domain. The sender's actual email address is now in the reply-to header. This has resulted in all my PR emails ending up in the main inbox. Rather than rewrite hundreds of rules, I asked (foolishly?) ChatGPT if there was a way to check for ccsend in the from and then use the reply-to as the from. This is what it came up with and this would be the first rule in the sieve file: #Many PR companies use ccsend for lists. Check if headers contain "ccsend" and #then use reply-to for rules if allof (header :contains "from" "ccsend") { # Set "Reply-To" as "From" address set "from" "${reply-to}"; } Before I put this into production, will this work? Do the rest of the rules go inside the last curly bracket or after it? Thanks for any advice. As a journalist, I deal with a lot of PR companies that use constant contact. For years, I've built up a nice sieve filter that sports these people into my PR folder. I guess to help with dkim/SPF issues, Constant Contact has started rewriting the from header to the sender's address rewritten to end with a ccsend domain. The sender's actual email address is now in the reply-to header. This has resulted in all my PR emails ending up in the main inbox. Rather than rewrite hundreds of rules, I asked (foolishly?) ChatGPT if there was a way to check for ccsend in the from and then use the reply-to as the from. This is what it came up with and this would be the first rule in the sieve file: #Many PR companies use ccsend for lists. Check if headers contain "ccsend" and #then use reply-to for rules if allof (header :contains "from" "ccsend") { # Set "Reply-To" as "From" address set "from" "${reply-to}"; } Before I put this into production, will this work? Do the rest of the rules go inside the last curly bracket or after it? Thanks for any advice.

1 0

submission_add_received_header option?
by Ellie McNeill 05 Feb '24

05 Feb '24

Hi, I've recently upgraded my mail server from Debian 11 to Debian 12. It now runs dovecot 2.3.19.1 (verified with dovecot --version). According to the "Dovecot Core Settings" page, a new setting 'submission_add_received_header' was added in dovecot 2.3.19 to give admins the option of hiding the IP of the sending client when using dovecot's submissiond: https://doc.dovecot.org/3.0/settings/core/ However, when I place this option in my config, dovecot refuses to start and says that the option is not recognised: doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/20-submission.conf line 92: Unknown setting: submission_add_received_header Can anyone help me with this? Ellie

5 5

Recommended changes for delivery from Exim
by jgh＠exim.org 05 Feb '24

05 Feb '24

Hi, Security changes to Exim have invalidated certain suggested configurations in the Dovecot wiki. As I do not have a Dovecot installation to test, I am not going to write any updates there. It would be good if someone would test these suggestions and then make updates as needed. 1) The use of $local_part and $domain in commands run by the "pipe" transport will be disallowed in the upcoming Exim release. These are currently noted as optional, with the "-m" flag to dovecot-lda. They should be replaced with validated (untainted) versions, commonly $local_part_data and $domain_data, developed via one of the several de-taint methods documented for Exim. The same applies to $original_local_part and $original_domain. 2) The use of $sender_address will likewise be disallowed. This and the "-f" flag can be dropped from the dovecot-lda command line, and the specification of a null "message_prefix" option removed. The defaults for a pipe transport will then prefix the message with a suitable Mbox "From " header line, which dovecot-lda is documented to extract the sender from. Both of these suggestions are back-compatible to the current 4.95 release of Exim, and will be required with the 4.96 release. -- Cheers, Jeremy Refs: - https://wiki.dovecot.org/LDA/Exim - https://doc.dovecot.org/configuration_manual/protocols/lda/

3 3

Problem with share mailbox
by Frédéric FONDRIEST 05 Feb '24

05 Feb '24

Hi all, we get some problems with sharing mailbox between users. when we share something the dovecot-acl file is updated, but the shared-mailboxes.db file is not created nor updated. Even if we create the file and set permission to 777... strangely the debug log gives : 2024-02-05 09:29:04 imap(xxxxxx)<13741><SA8qQZ4QBIsKDMcL>: Debug: dict(file): dict created (uri=file:/tmp/shared-mailboxes.db, base_dir=/var/run/dovecot) 2024-02-05 09:29:04 imap(xxxxxx)<13741><SA8qQZ4QBIsKDMcL>: Debug: open(/proc/self/io) failed: Permission denied we don't understand why we get this kind of message. we search on this mailing list without any clean explaination. we expect a bug somewhere.. any ideas ? system is : debian 12 dovecot 2.3.19.1 (9b53102964) # 2.3.19.1 (9b53102964): /etc/dovecot/dovecot.conf # Pigeonhole version 0.5.19 (4eae2f79) # OS: Linux 6.1.0-17-amd64 x86_64 Debian 12.4 auth_master_user_separator = * auth_mechanisms = plain login auth_username_format = %n base_dir = /var/run/dovecot log_path = /var/log/dovecot.log log_timestamp = "%Y-%m-%d %H:%M:%S " mail_debug = yes mail_gid = 5000 mail_home = /home/vmail/%u mail_location = /home/vmail/%u/Maildir mail_plugins = acl mail_log acl mail_log mail_privileged_group = mail mail_uid = 5000 namespace { inbox = yes location = mailbox Drafts { special_use = \Drafts } mailbox Junk { special_use = \Junk } mailbox Sent { special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Trash { special_use = \Trash } prefix = separator = / type = private } namespace { list = children location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u:INDEXPVT=~/Maildir/shared/%%u prefix = shared/%%u/ separator = / subscriptions = no type = shared } passdb { args = /etc/dovecot/master-users driver = passwd-file master = yes } passdb { args = /etc/dovecot/dovecot-ldap-passdb.conf driver = ldap name = ldap } plugin { acl = vfile acl_shared_dict = file:/tmp/shared-mailboxes.db acl_user = %u master_user = %u } protocols = imap lmtp service auth { unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0660 user = postfix } } service lmtp { inet_listener lmtp { address = * port = 24 } user = vmail } ssl_cert = </etc/ssl/mail.crt ssl_key = # hidden, use -P to show it userdb { args = /etc/dovecot/dovecot-ldap-userdb.conf driver = ldap name = ldap } protocol imap { imap_client_workarounds = delay-newmail imap_max_line_length = 64 k mail_max_userip_connections = 20 mail_plugins = acl imap_acl } protocol lda { info_log_path = log_path = mail_plugins = mail_log postmaster_address = postmaster@xxx quota_full_tempfail = yes syslog_facility = mail } protocol lmtp { info_log_path = log_path = mail_plugins = mail_log postmaster_address = postmaster@xxx quota_full_tempfail = yes } Hi all, we get some problems with sharing mailbox between users. when we share something the dovecot-acl file is updated, but the shared- mailboxes.db file is not created nor updated. Even if we create the file and set permission to 777... strangely the debug log gives : 2024-02-05 09:29:04 imap(xxxxxx)<13741><SA8qQZ4QBIsKDMcL>: Debug: dict(file): dict created (uri=file:/tmp/shared-mailboxes.db, base_dir=/var/run/dovecot) 2024-02-05 09:29:04 imap(xxxxxx)<13741><SA8qQZ4QBIsKDMcL>: Debug: open(/proc/ self/io) failed: Permission denied we don't understand why we get this kind of message. we search on this mailing list without any clean explaination. we expect a bug somewhere.. any ideas ? system is : debian 12 dovecot 2.3.19.1 (9b53102964) # 2.3.19.1 (9b53102964): /etc/dovecot/dovecot.conf # Pigeonhole version 0.5.19 (4eae2f79) # OS: Linux 6.1.0-17-amd64 x86_64 Debian 12.4 auth_master_user_separator = * auth_mechanisms = plain login auth_username_format = %n base_dir = /var/run/dovecot log_path = /var/log/dovecot.log log_timestamp = "%Y-%m-%d %H:%M:%S " mail_debug = yes mail_gid = 5000 mail_home = /home/vmail/%u mail_location = /home/vmail/%u/Maildir mail_plugins = acl mail_log acl mail_log mail_privileged_group = mail mail_uid = 5000 namespace { inbox = yes location = mailbox Drafts { special_use = \Drafts } mailbox Junk { special_use = \Junk } mailbox Sent { special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Trash { special_use = \Trash } prefix = separator = / type = private } namespace { list = children location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u:INDEXPVT=~/Maildir/ shared/%%u prefix = shared/%%u/ separator = / subscriptions = no type = shared } passdb { args = /etc/dovecot/master-users driver = passwd-file master = yes } passdb { args = /etc/dovecot/dovecot-ldap-passdb.conf driver = ldap name = ldap } plugin { acl = vfile acl_shared_dict = file:/tmp/shared-mailboxes.db acl_user = %u master_user = %u } protocols = imap lmtp service auth { unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0660 user = postfix } } service lmtp { inet_listener lmtp { address = * port = 24 } user = vmail } ssl_cert = </etc/ssl/mail.crt ssl_key = # hidden, use -P to show it userdb { args = /etc/dovecot/dovecot-ldap-userdb.conf driver = ldap name = ldap } protocol imap { imap_client_workarounds = delay-newmail imap_max_line_length = 64 k mail_max_userip_connections = 20 mail_plugins = acl imap_acl } protocol lda { info_log_path = log_path = mail_plugins = mail_log postmaster_address = postmaster@xxx quota_full_tempfail = yes syslog_facility = mail } protocol lmtp { info_log_path = log_path = mail_plugins = mail_log postmaster_address = postmaster@xxx quota_full_tempfail = yes }

4 7

Splitting up packages
by Larry Rosenman 01 Feb '24

01 Feb '24

I'm the maintainer of the dovecot and pigeonhole ports on FreeBSD and am looking to make separate installable packages like the project does for Linux. Can you help me know what needs to go where and what options (if any) change the base? Thanks for any help here. -- Larry Rosenman http://www.lerctr.org/~ler Phone: +1 214-642-9640 (c) E-Mail: larryrtx(a)gmail.com US Mail: 5708 Sabbia Dr, Round Rock, TX 78665-2106 I'm the maintainer of the dovecot and pigeonhole ports on FreeBSD and am looking to make separate installable packages like the project does for Linux. Can you help me know what needs to go where and what options (if any) change the base? Thanks for any help here. -- Larry Rosenman http://www.lerctr.org/~ler Phone: +1 214-642-9640 (c) E-Mail: larryrtx(a)gmail.com US Mail: 5708 Sabbia Dr, Round Rock, TX 78665-2106

3 2

We couldn't drop root group privileges
by forumforeign 01 Feb '24

01 Feb '24

Hello. I have - dovecot 2.3.21 (also tried 2.3.5) - postfix 3.8.5 (also tried 3.8.4) It's a new setup where I use postfix + dovecot-delivery for delivery to local mailbox. At logs I have an error and mail deffers in queue: dovecot: [ID 702911 mail.crit] lda(poli(a)domain.com)<7808>: Fatal: We couldn't drop root group privileges (wanted=6(mail), gid=0(root), egid=0(root)) Postfix and dovecot start from root UID, but user dovecot/postfix has corresponding groups to run as specific group: root@solaris:# id -a dovecot uid=110(dovecot) gid=110(dovecot) groups=110(dovecot),6(mail) root@solaris:# id -a postfix uid=26(postfix) gid=26(postfix) groups=26(postfix),6(mail) root@solaris:# id -a root uid=0(root) gid=0(root) groups=0(root),1(other),2(bin),3(sys),4(adm),6(mail),7(tty),8(lp),12(daemon) Also, when I run a dtrace (a system call trace mechanism) I see, that dovecot-lda runs as group "mail" (gid=6), so, there isn't any problem, but dovecot thinks another: UID GID PID PPID ARGS 0 26 7719 7638 pipe -n dovecot -t unix flags=DRhu user=nobody:mail argv=/usr/libexec/dovecot/d 60001 6 7720 7718 /usr/libexec/dovecot/dovecot-lda -f mega(a)domain.com -d poli(a)domain.com 60001 6 7720 7718 /usr/bin/amd64/doveconf -f service=lda -c /etc/dovecot/dovecot.conf -m lda -e / 60001 6 7720 7718 /usr/libexec/dovecot/dovecot-lda -f mega(a)domain.com -d poli(a)domain.com What exactly dovecot wants and how to solve this error? Here is part of "dovecot -n" output which is corresponding to user/group/lda: # 2.3.5.1 (7ec6d0ade): /etc/dovecot/dovecot.conf # Pigeonhole version 0.5.6 (92dc263a) # OS: SunOS 5.11 i86pc # Hostname: solaris auth_debug = yes auth_mechanisms = plain login auth_verbose = yes default_process_limit = 99 disable_plaintext_auth = no first_valid_gid = 6 first_valid_uid = 60001 last_valid_gid = 6 last_valid_uid = 60001 mail_access_groups = mail mail_debug = yes mail_gid = 6 mail_location = /var/mail/vmail/%u@%d mail_max_userip_connections = 99 mail_privileged_group = mail mail_uid = 60001 maildir_very_dirty_syncs = yes ... service auth { unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0666 user = postfix } } ... protocol lda { mail_plugins = " sieve" postmaster_address = postmaster } PS. Also, I have aother box with very old setup (dovecot 2.2.27) and it works with the same configuration without any errors. I thought that this is OS specific problem and tried on the same version OS run a dovecot 2.3.21, but still had an errors.

1 1