July 2024 - dovecot - dovecot.org

One-way synchronization with doveadm/TCP
by Дилян Палаузов 04 Jul '24

04 Jul '24

Hello, the replication procedure described at https://doc.dovecot.org/configuration_manual/replication/ suggests to open a server port 12345 on two systems, and then point each system to the other one. This creates bi-directional synchronization. I want to synchronize only from server A to server B, but not in the opposite direction. Is it sufficient on server A to set service doveadm { inet_listener { port = 12345 } } doveadm_password = secret and server B to set doveadm_port = 12345 doveadm_password = secret ? In other words, when a doveadm client (system B) connects to a server (system A) for replication purposes, does it only read data? Or does it instruct the server also to delete data? To start the replication I had to executed «doveadm replicator replicate '*'». Is in necessary to run this periodically? Thanks for your answer, Дилян

2 1

login_access_sockets
by John Fawcett 03 Jul '24

03 Jul '24

Hi I've used Dovecot for a long time but I never stop learning about the depth of features I've never used.... I just discovered the login_access_sockets setting when reading this page: https://doc.dovecot.org/admin_manual/login_processes/ The compilation using --with-libwrap configure setting was not immediate, since on Fedora which I am using there is no tcp_wrappers-devel package so tcpd.h wasn't installed in /usr/include and the library name libwrap.so that was expected by Dovecot needed a symlink to the library installed by tcp_wrappers package. So differently to what I previously understood, Dovecot does have a way of controlling access at connect time via tcp_wrappers hosts.allow and hosts.deny files. But now I also realize that this discovery will be short lived, since I understand this is going away in 3.0 and also 2.4 though I can't find a page on that: https://doc.dovecotpro.com/3.0/installation/upgrading/2.3.x-3.x.html I can understand the logic about slimming down the code to leave out less used features, but this part of the code looks well written and hasn't required much maintenance over the years. I know there's zero chance of reversing the removal of login_access_sockets, but I just wondered whether there could be the chance to introduce a LUA hook at connect time rather than waiting for authentication to be done. Also I have no idea what the overhead of LUA script is, does it spawn additional processes per connection? Thanks John

1 0

IMAP login-logout cycle performance with performance mode seems slow/limited and cause cannot be found
by m＠maltris.org 03 Jul '24

03 Jul '24

Hello, I am running a test setup in a docker stack with Dovecot (2.3.21). Basically as a test to see whats possible. The whole thing works okay, but I noticed that with imaptest (latest version) somewhere between 230 and 270 requests per second on a login+logout cycle it cannot go further. However, this is a 384G memory, 48 core, dual-cpu setup that is pretty much idling (utilization somewhere around 6-12%). The ssds are not loaded at all. The memory usage is low. For testing purpose I set nopassword=y and allowed all logins, the users just require a small mysql db lookup which is done once before the cache is filled. If I copy that exact same stack to my local machine, I yield around 450 cycles per second. And the only difference I somehow see is that my local machine has a faster cpu-memory connection and only one cpu with less cores. Is it possible memory speed is a limiting factor because of the cpu-memory-mapping on the server and the slower memory? What performance should I expect? Asking because I am planning to run a stateless client at a later point and the limited login-performance really seems to make that difficult at scale. doveconf -n: # 2.3.21 (47349e2482): /etc/dovecot/dovecot.conf # Pigeonhole version 0.5.21 (f6cd4b8e) # OS: Linux 6.8.0-36-generic x86_64 Debian 11.7 ext4 # Hostname: 4e83f0e9d630 auth_cache_negative_ttl = 0 auth_cache_size = 50 M auth_cache_ttl = 5 hours auth_cache_verify_password_with_worker = yes auth_debug = yes auth_debug_passwords = yes auth_failure_delay = 0 auth_mechanisms = plain login auth_verbose = yes auth_verbose_passwords = yes auth_worker_max_count = 500 default_vsz_limit = 2 G disable_plaintext_auth = no doveadm_api_key = # hidden, use -P to show it doveadm_password = # hidden, use -P to show it doveadm_port = 2425 log_debug = event=* log_path = /var/log/dovecot-debug.log login_trusted_networks = 10.0.0.0/8 127.0.0.0/8 mail_debug = yes mail_fsync = never mail_gid = 1000 mail_location = maildir:/data/vmail/%d/%1n/%n mail_uid = 1000 managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext namespace inbox { inbox = yes location = mailbox Drafts { special_use = \Drafts } mailbox Junk { special_use = \Junk } mailbox Sent { special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Trash { special_use = \Trash } prefix = } passdb { args = nopassword=y driver = static } protocols = " imap lmtp sieve pop3 submission" service anvil { chroot = empty client_limit = 75100 idle_kill = 4294967295 secs process_limit = 1 unix_listener anvil-auth-penalty { mode = 00 } } service auth-worker { client_limit = 1 process_limit = 6000 user = $default_internal_user } service auth { client_limit = 91000 } service doveadm { inet_listener { port = 2425 } inet_listener http { port = 8080 } } service imap-login { process_limit = 15000 process_min_avail = 48 service_count = 0 vsz_limit = 2 G } service imap { client_limit = 1 process_limit = 15000 } userdb { args = /etc/dovecot/dovecot-sql.conf.ext driver = sql } protocol doveadm { passdb { args = /etc/dovecot/dovecot-sql.conf.ext driver = sql name = override_fields = port=2425 ssl=no starttls=no } } protocol imap { mail_max_userip_connections = 250 } Best regards

2 5

AW: AW: AW: IMAPSieve plugin will not run rspamd script
by postfix_dovecot＠gmx.de 02 Jul '24

02 Jul '24

Hi John, the prefix is just a sign of my desperation - I tried all sorts of variations yesterday and now forgot to undo it. There’s a very detailed tutorial available (German language) with Debian 10. Just the sieve scripts are little different. I spend the time to raise a Debian 10 with this tutorial – and with exact the same result as with my up to date configuration. So it would be interesting for me to know if there is anyone here who has managed to get this to work on Debian? Jens Von: John Fawcett <john(a)voipsupport.it> Gesendet: Montag, 1. Juli 2024 18:26 An: postfix_dovecot(a)gmx.de Betreff: Re: AW: AW: IMAPSieve plugin will not run rspamd script On 01/07/2024 18:08, postfix_dovecot(a)gmx.de <mailto:postfix_dovecot@gmx.de> wrote: Hi John, is there any other log than system? Jens Hi Jens I meant the same type of logging you already posted (i.e. as below) for exactly the same test case, but where the rules use the mailbox name that includes the prefix you set for the namespace (i.e.INBOX/Spam). There is probably a good reason why you have configured a prefix for your namespace, but my suspicion is that the example imapsieve config you copied assumes no prefix set (it was not part of the example so we cannot see it). I personally tried the settings from the example and they work fine and I have no prefix. I also did the opposite test and I get the behaviour you reported when I have prefix set. In order to solve it (without changing the prefix) I had to state the full mailbox name including the prefix in the imapsieve rules. In that case it worked. What I'd like to check in your logging is if there is a clue why it didn't work for you when yu used INBOX/Spam in the rules. John imap(mail(a)test.example <mailto:mail@test.example> )<1797><a/FKmgIcqKvAqB4a>: Debug: Module loaded: /usr/lib/dovecot/modules/lib95_imap_sieve_plugin.so imap(mail(a)test.example <mailto:mail@test.example> )<1797><a/FKmgIcqKvAqB4a>: Debug: imapsieve: mailbox INBOX/Spam: APPEND event imap(mail(a)test.example <mailto:mail@test.example> )<1797><a/FKmgIcqKvAqB4a>: Debug: sieve: Pigeonhole version 0.5.19 (4eae2f79) initializing imap(mail(a)test.example <mailto:mail@test.example> )<1797><a/FKmgIcqKvAqB4a>: Debug: sieve: include: sieve_global is not set; it is currently not possible to include `:global' scripts. imap(mail(a)test.example <mailto:mail@test.example> )<1797><a/FKmgIcqKvAqB4a>: Debug: sieve: Sieve imapsieve plugin for Pigeonhole version 0.5.19 (4eae2f79) loaded imap(mail(a)test.example <mailto:mail@test.example> )<1797><a/FKmgIcqKvAqB4a>: Debug: sieve: Sieve Extprograms plugin for Pigeonhole version 0.5.19 (4eae2f79) loaded imap(mail(a)test.example <mailto:mail@test.example> )<1797><a/FKmgIcqKvAqB4a>: Debug: imapsieve: Static mailbox rule [1]: mailbox=`Spam' from=`*' causes=(COPY APPEND) => before=`file:/usr/lib/dovecot/sieve/report-spam.sieve' after=(none) imap(mail(a)test.example <mailto:mail@test.example> )<1797><a/FKmgIcqKvAqB4a>: Debug: imapsieve: Static mailbox rule [2]: mailbox=`*' from=`Spam' causes=(COPY APPEND) => before=`file:/usr/lib/dovecot/sieve/report-ham.sieve' after=(none) imap(mail(a)test.example <mailto:mail@test.example> )<1795><iC6JmQIcnqvAqB4a>: Debug: imapsieve: mailbox INBOX: FLAG event (changed flags: \Deleted) imap(mail(a)test.example <mailto:mail@test.example> )<1795><iC6JmQIcnqvAqB4a>: Debug: sieve: Pigeonhole version 0.5.19 (4eae2f79) initializing imap(mail(a)test.example <mailto:mail@test.example> )<1795><iC6JmQIcnqvAqB4a>: Debug: sieve: include: sieve_global is not set; it is currently not possible to include `:global' scripts. imap(mail(a)test.example <mailto:mail@test.example> )<1795><iC6JmQIcnqvAqB4a>: Debug: sieve: Sieve imapsieve plugin for Pigeonhole version 0.5.19 (4eae2f79) loaded imap(mail(a)test.example <mailto:mail@test.example> )<1795><iC6JmQIcnqvAqB4a>: Debug: sieve: Sieve Extprograms plugin for Pigeonhole version 0.5.19 (4eae2f79) loaded imap(mail(a)test.example <mailto:mail@test.example> )<1795><iC6JmQIcnqvAqB4a>: Debug: imapsieve: Static mailbox rule [1]: mailbox=`Spam' from=`*' causes=(COPY APPEND) => before=`file:/usr/lib/dovecot/sieve/report-spam.sieve' after=(none) imap(mail(a)test.example <mailto:mail@test.example> )<1795><iC6JmQIcnqvAqB4a>: Debug: imapsieve: Static mailbox rule [2]: mailbox=`*' from=`Spam' causes=(COPY APPEND) => before=`file:/usr/lib/dovecot/sieve/report-ham.sieve' after=(none) imap(mail(a)test.example <mailto:mail@test.example> )<1795><iC6JmQIcnqvAqB4a>: Debug: imapsieve: mailbox INBOX: FLAG event (changed flags: \Seen)

2 10

IMAPSieve plugin will not run rspamd script
by postfix_dovecot＠gmx.de 02 Jul '24

02 Jul '24

Host: VMware Workstation 14.1.8 OS: Debian 12 (Bookworm) Dovecot: 2.3.19.1 Postfix: 3.7.10 Mailclient: Outlook 2016 Hello, I am currently working on a new mail server to replace my Debian 10 mail server. For preparation, I use VMware Workstation to learn and test the installation steps. When I'm eventually done, I'll rebuild my root server from scratch. This time, my problem is getting the IMAPSieve plugin working to trigger rspamd if mail gets moved to the junk folder. Sieve runs well – if rspam recognizes a spam mail, it will be transferred to the junk folder. For me it looks like the IMAPSieve plugin recognizes the move but will not running the script behind. I can see some actions in the log but nothing happens on the rspamd side where the log is also open to view. Moving a mail with Outlook produces the following log entry: imap(mail(a)test.example)<1797><a/FKmgIcqKvAqB4a>: Debug: Module loaded: /usr/lib/dovecot/modules/lib95_imap_sieve_plugin.so imap(mail(a)test.example)<1797><a/FKmgIcqKvAqB4a>: Debug: imapsieve: mailbox INBOX/Spam: APPEND event imap(mail(a)test.example)<1797><a/FKmgIcqKvAqB4a>: Debug: sieve: Pigeonhole version 0.5.19 (4eae2f79) initializing imap(mail(a)test.example)<1797><a/FKmgIcqKvAqB4a>: Debug: sieve: include: sieve_global is not set; it is currently not possible to include `:global' scripts. imap(mail(a)test.example)<1797><a/FKmgIcqKvAqB4a>: Debug: sieve: Sieve imapsieve plugin for Pigeonhole version 0.5.19 (4eae2f79) loaded imap(mail(a)test.example)<1797><a/FKmgIcqKvAqB4a>: Debug: sieve: Sieve Extprograms plugin for Pigeonhole version 0.5.19 (4eae2f79) loaded imap(mail(a)test.example)<1797><a/FKmgIcqKvAqB4a>: Debug: imapsieve: Static mailbox rule [1]: mailbox=`Spam' from=`*' causes=(COPY APPEND) => before=`file:/usr/lib/dovecot/sieve/report-spam.sieve' after=(none) imap(mail(a)test.example)<1797><a/FKmgIcqKvAqB4a>: Debug: imapsieve: Static mailbox rule [2]: mailbox=`*' from=`Spam' causes=(COPY APPEND) => before=`file:/usr/lib/dovecot/sieve/report-ham.sieve' after=(none) imap(mail(a)test.example)<1795><iC6JmQIcnqvAqB4a>: Debug: imapsieve: mailbox INBOX: FLAG event (changed flags: \Deleted) imap(mail(a)test.example)<1795><iC6JmQIcnqvAqB4a>: Debug: sieve: Pigeonhole version 0.5.19 (4eae2f79) initializing imap(mail(a)test.example)<1795><iC6JmQIcnqvAqB4a>: Debug: sieve: include: sieve_global is not set; it is currently not possible to include `:global' scripts. imap(mail(a)test.example)<1795><iC6JmQIcnqvAqB4a>: Debug: sieve: Sieve imapsieve plugin for Pigeonhole version 0.5.19 (4eae2f79) loaded imap(mail(a)test.example)<1795><iC6JmQIcnqvAqB4a>: Debug: sieve: Sieve Extprograms plugin for Pigeonhole version 0.5.19 (4eae2f79) loaded imap(mail(a)test.example)<1795><iC6JmQIcnqvAqB4a>: Debug: imapsieve: Static mailbox rule [1]: mailbox=`Spam' from=`*' causes=(COPY APPEND) => before=`file:/usr/lib/dovecot/sieve/report-spam.sieve' after=(none) imap(mail(a)test.example)<1795><iC6JmQIcnqvAqB4a>: Debug: imapsieve: Static mailbox rule [2]: mailbox=`*' from=`Spam' causes=(COPY APPEND) => before=`file:/usr/lib/dovecot/sieve/report-ham.sieve' after=(none) imap(mail(a)test.example)<1795><iC6JmQIcnqvAqB4a>: Debug: imapsieve: mailbox INBOX: FLAG event (changed flags: \Seen) My /etc/dovecot/local.conf looks like this: ## dovecot.conf # Mailuser im Log mit Namen darstellen verbose_proctitle = yes protocols = imap lmtp sieve ## 10-auth.conf # Disable LOGIN command and all other plaintext authentications unless # SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP # matches the local IP (ie. you're connecting from the same computer), the # connection is considered secure and plaintext authentication is allowed. # See also ssl=required setting. disable_plaintext_auth = yes # Space separated list of wanted authentication mechanisms: # plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp # gss-spnego # NOTE: See also disable_plaintext_auth setting. auth_mechanisms = plain login # Username formatting before it's looked up from databases. You can use # the standard variables here, eg. %Lu would lowercase the username, %n would # drop away the domain if it was given, or "%n-AT-%d" would change the '@' into # "-AT-". This translation is done after auth_username_translation changes. auth_username_format = %Lu ## ## Password and user databases ## # # Password database is used to verify user's password (and nothing more). # You can have multiple passdbs and userdbs. This is useful if you want to # allow both system users (/etc/passwd) and virtual users to login without # duplicating the system users into virtual database. # # <doc/wiki/PasswordDatabase.txt> # # User database specifies where mails are located and what user/group IDs # own them. For single-UID configuration use "static" userdb. # # <doc/wiki/UserDatabase.txt> #!include conf.d/auth-deny.conf.ext #!include conf.d/auth-master.conf.ext #!include conf.d/auth-system.conf.ext #!include conf.d/auth-sql.conf.ext #!include conf.d/auth-ldap.conf.ext !include conf.d/auth-passwdfile.conf.ext #!include conf.d/auth-checkpassword.conf.ext #!include conf.d/auth-static.conf.ext ## 10-director.conf ## 10-logging.conf # Loglevel festelegen auth_verbose = no auth_debug = no mail_debug = yes ## 10-mail.conf # Format der Mailbox ändern mail_location = maildir:~/Maildir namespace inbox { # Namespace type: private, shared or public type = private # Hierarchy separator to use. You should use the same separator for all # namespaces or some clients get confused. '/' is usually a good one. # The default however depends on the underlying mail storage format. separator = / # Prefix required to access this namespace. This needs to be different for # all namespaces. For example "Public/". prefix = INBOX/ # Physical location of the mailbox. This is in same format as # mail_location, which is also the default for it. location = # There can be only one INBOX, and this setting defines which namespace # has it. inbox = yes # If namespace is hidden, it's not advertised to clients via NAMESPACE # extension. You'll most likely also want to set list=no. This is mostly # useful when converting from another server with different namespaces which # you want to deprecate but still keep working. For example you can create # hidden namespaces with prefixes "~/mail/", "~%u/mail/" and "mail/". hidden = no # If namespace namespace/location fails to load, by default the entire # session will fail to start. If this is set, this namespace will be ignored # instead. ignore_on_failure = no # Show the mailboxes under this namespace with LIST command. This makes the # namespace visible for clients that don't support NAMESPACE extension. # "children" value lists child mailboxes, but hides the namespace prefix. list = yes # Namespace handles its own subscriptions. If set to "no", the parent # namespace handles them (empty prefix should always have this as "yes") subscriptions = yes # See 15-mailboxes.conf for definitions of special mailboxes. } ## 10-master.conf service lmtp { inet_listener lmtp { address = 127.0.0.1 ::1 port = 24 } } service auth { # auth_socket_path points to this userdb socket by default. It's typically # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have # full permissions to this socket are able to get a list of all usernames and # get the results of everyone's userdb lookups. # # The default 0666 mode allows anyone to connect to the socket, but the # userdb lookups will succeed only if the userdb returns an "uid" field that # matches the caller process's UID. Also if caller's uid or gid matches the # socket's uid or gid the lookup succeeds. Anything else causes a failure. # # To give the caller full permissions to lookup all users, set the mode to # something else than 0666 and Dovecot lets the kernel enforce the # permissions (e.g. 0777 allows everyone full permissions). unix_listener auth-userdb { #mode = 0666 #user = #group = } # Postfix smtp-auth unix_listener /var/spool/postfix/private/auth { mode = 0666 } # Auth process is run as this user. #user = $default_internal_user } ## 10-ssl.conf ## 10-tcpwrapper.conf ## 15-lda.conf ## 15-mailboxes.conf namespace inbox { inbox = yes mailbox Spam { auto = subscribe special_use = \Junk } mailbox Trash { auto = subscribe special_use = \Trash } mailbox Drafts { auto = subscribe special_use = \Drafts } mailbox Sent { auto = subscribe special_use = \Sent } } ## 20-imap.conf protocol imap { # Space separated list of plugins to load (default is global mail_plugins). mail_plugins = $mail_plugins imap_sieve } ## 20-lmtp.conf protocol lmtp { # Space separated list of plugins to load (default is global mail_plugins). mail_plugins = $mail_plugins sieve } ## 20-managesieve.conf ## 90-acl.conf ## 90-plugin.conf ## 90-quota.conf ## 90-sieve.conf plugin { sieve_before = /etc/dovecot/conf.d/custom-sieve/global_before.sieve sieve_after = /etc/dovecot/conf.d/custom-sieve/global_after.sieve sieve_plugins = sieve_imapsieve sieve_extprograms # From elsewhere to Spam folder imapsieve_mailbox1_name = Spam imapsieve_mailbox1_causes = COPY APPEND imapsieve_mailbox1_before = file:/usr/lib/dovecot/sieve/report-spam.sieve # From Spam folder to elsewhere imapsieve_mailbox2_name = * imapsieve_mailbox2_from = Spam imapsieve_mailbox2_causes = COPY APPEND imapsieve_mailbox2_before = file:/usr/lib/dovecot/sieve/report-ham.sieve sieve_pipe_bin_dir = /usr/lib/dovecot/sieve sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment } ## 90-sieve-extprograms.conf root@ServerIV-home:~# ^C root@ServerIV-home:~# cat /etc/dovecot/local.conf ## dovecot.conf # Mailuser im Log mit Namen darstellen verbose_proctitle = yes protocols = imap lmtp sieve ## 10-auth.conf # Disable LOGIN command and all other plaintext authentications unless # SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP # matches the local IP (ie. you're connecting from the same computer), the # connection is considered secure and plaintext authentication is allowed. # See also ssl=required setting. disable_plaintext_auth = yes # Space separated list of wanted authentication mechanisms: # plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp # gss-spnego # NOTE: See also disable_plaintext_auth setting. auth_mechanisms = plain login # Username formatting before it's looked up from databases. You can use # the standard variables here, eg. %Lu would lowercase the username, %n would # drop away the domain if it was given, or "%n-AT-%d" would change the '@' into # "-AT-". This translation is done after auth_username_translation changes. auth_username_format = %Lu ## ## Password and user databases ## # # Password database is used to verify user's password (and nothing more). # You can have multiple passdbs and userdbs. This is useful if you want to # allow both system users (/etc/passwd) and virtual users to login without # duplicating the system users into virtual database. # # <doc/wiki/PasswordDatabase.txt> # # User database specifies where mails are located and what user/group IDs # own them. For single-UID configuration use "static" userdb. # # <doc/wiki/UserDatabase.txt> #!include conf.d/auth-deny.conf.ext #!include conf.d/auth-master.conf.ext #!include conf.d/auth-system.conf.ext #!include conf.d/auth-sql.conf.ext #!include conf.d/auth-ldap.conf.ext !include conf.d/auth-passwdfile.conf.ext #!include conf.d/auth-checkpassword.conf.ext #!include conf.d/auth-static.conf.ext ## 10-director.conf ## 10-logging.conf # Loglevel festelegen auth_verbose = no auth_debug = no mail_debug = yes ## 10-mail.conf # Format der Mailbox ändern mail_location = maildir:~/Maildir namespace inbox { # Namespace type: private, shared or public type = private # Hierarchy separator to use. You should use the same separator for all # namespaces or some clients get confused. '/' is usually a good one. # The default however depends on the underlying mail storage format. separator = / # Prefix required to access this namespace. This needs to be different for # all namespaces. For example "Public/". prefix = INBOX/ # Physical location of the mailbox. This is in same format as # mail_location, which is also the default for it. location = # There can be only one INBOX, and this setting defines which namespace # has it. inbox = yes # If namespace is hidden, it's not advertised to clients via NAMESPACE # extension. You'll most likely also want to set list=no. This is mostly # useful when converting from another server with different namespaces which # you want to deprecate but still keep working. For example you can create # hidden namespaces with prefixes "~/mail/", "~%u/mail/" and "mail/". hidden = no # If namespace namespace/location fails to load, by default the entire # session will fail to start. If this is set, this namespace will be ignored # instead. ignore_on_failure = no # Show the mailboxes under this namespace with LIST command. This makes the # namespace visible for clients that don't support NAMESPACE extension. # "children" value lists child mailboxes, but hides the namespace prefix. list = yes # Namespace handles its own subscriptions. If set to "no", the parent # namespace handles them (empty prefix should always have this as "yes") subscriptions = yes # See 15-mailboxes.conf for definitions of special mailboxes. } ## 10-master.conf service lmtp { inet_listener lmtp { address = 127.0.0.1 ::1 port = 24 } } service auth { # auth_socket_path points to this userdb socket by default. It's typically # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have # full permissions to this socket are able to get a list of all usernames and # get the results of everyone's userdb lookups. # # The default 0666 mode allows anyone to connect to the socket, but the # userdb lookups will succeed only if the userdb returns an "uid" field that # matches the caller process's UID. Also if caller's uid or gid matches the # socket's uid or gid the lookup succeeds. Anything else causes a failure. # # To give the caller full permissions to lookup all users, set the mode to # something else than 0666 and Dovecot lets the kernel enforce the # permissions (e.g. 0777 allows everyone full permissions). unix_listener auth-userdb { #mode = 0666 #user = #group = } # Postfix smtp-auth unix_listener /var/spool/postfix/private/auth { mode = 0666 } # Auth process is run as this user. #user = $default_internal_user } ## 10-ssl.conf ## 10-tcpwrapper.conf ## 15-lda.conf ## 15-mailboxes.conf namespace inbox { inbox = yes mailbox Spam { auto = subscribe special_use = \Junk } mailbox Trash { auto = subscribe special_use = \Trash } mailbox Drafts { auto = subscribe special_use = \Drafts } mailbox Sent { auto = subscribe special_use = \Sent } } ## 20-imap.conf protocol imap { # Space separated list of plugins to load (default is global mail_plugins). mail_plugins = $mail_plugins imap_sieve } ## 20-lmtp.conf protocol lmtp { # Space separated list of plugins to load (default is global mail_plugins). mail_plugins = $mail_plugins sieve } ## 20-managesieve.conf ## 90-acl.conf ## 90-plugin.conf ## 90-quota.conf ## 90-sieve.conf plugin { sieve_before = /etc/dovecot/conf.d/custom-sieve/global_before.sieve sieve_after = /etc/dovecot/conf.d/custom-sieve/global_after.sieve sieve_plugins = sieve_imapsieve sieve_extprograms # From elsewhere to Spam folder imapsieve_mailbox1_name = Spam imapsieve_mailbox1_causes = COPY APPEND imapsieve_mailbox1_before = file:/usr/lib/dovecot/sieve/report-spam.sieve # From Spam folder to elsewhere imapsieve_mailbox2_name = * imapsieve_mailbox2_from = Spam imapsieve_mailbox2_causes = COPY APPEND imapsieve_mailbox2_before = file:/usr/lib/dovecot/sieve/report-ham.sieve sieve_pipe_bin_dir = /usr/lib/dovecot/sieve sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment } ## 90-sieve-extprograms.conf root@ServerIV-home:~# cat /etc/dovecot/local.conf ## dovecot.conf # Mailuser im Log mit Namen darstellen verbose_proctitle = yes protocols = imap lmtp sieve ## 10-auth.conf # Disable LOGIN command and all other plaintext authentications unless # SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP # matches the local IP (ie. you're connecting from the same computer), the # connection is considered secure and plaintext authentication is allowed. # See also ssl=required setting. disable_plaintext_auth = yes # Space separated list of wanted authentication mechanisms: # plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp # gss-spnego # NOTE: See also disable_plaintext_auth setting. auth_mechanisms = plain login # Username formatting before it's looked up from databases. You can use # the standard variables here, eg. %Lu would lowercase the username, %n would # drop away the domain if it was given, or "%n-AT-%d" would change the '@' into # "-AT-". This translation is done after auth_username_translation changes. auth_username_format = %Lu ## ## Password and user databases ## # # Password database is used to verify user's password (and nothing more). # You can have multiple passdbs and userdbs. This is useful if you want to # allow both system users (/etc/passwd) and virtual users to login without # duplicating the system users into virtual database. # # <doc/wiki/PasswordDatabase.txt> # # User database specifies where mails are located and what user/group IDs # own them. For single-UID configuration use "static" userdb. # # <doc/wiki/UserDatabase.txt> #!include conf.d/auth-deny.conf.ext #!include conf.d/auth-master.conf.ext #!include conf.d/auth-system.conf.ext #!include conf.d/auth-sql.conf.ext #!include conf.d/auth-ldap.conf.ext !include conf.d/auth-passwdfile.conf.ext #!include conf.d/auth-checkpassword.conf.ext #!include conf.d/auth-static.conf.ext ## 10-director.conf ## 10-logging.conf # Loglevel festelegen auth_verbose = no auth_debug = no mail_debug = yes ## 10-mail.conf # Format der Mailbox ändern mail_location = maildir:~/Maildir namespace inbox { # Namespace type: private, shared or public type = private # Hierarchy separator to use. You should use the same separator for all # namespaces or some clients get confused. '/' is usually a good one. # The default however depends on the underlying mail storage format. separator = / # Prefix required to access this namespace. This needs to be different for # all namespaces. For example "Public/". prefix = INBOX/ # Physical location of the mailbox. This is in same format as # mail_location, which is also the default for it. location = # There can be only one INBOX, and this setting defines which namespace # has it. inbox = yes # If namespace is hidden, it's not advertised to clients via NAMESPACE # extension. You'll most likely also want to set list=no. This is mostly # useful when converting from another server with different namespaces which # you want to deprecate but still keep working. For example you can create # hidden namespaces with prefixes "~/mail/", "~%u/mail/" and "mail/". hidden = no # If namespace namespace/location fails to load, by default the entire # session will fail to start. If this is set, this namespace will be ignored # instead. ignore_on_failure = no # Show the mailboxes under this namespace with LIST command. This makes the # namespace visible for clients that don't support NAMESPACE extension. # "children" value lists child mailboxes, but hides the namespace prefix. list = yes # Namespace handles its own subscriptions. If set to "no", the parent # namespace handles them (empty prefix should always have this as "yes") subscriptions = yes # See 15-mailboxes.conf for definitions of special mailboxes. } ## 10-master.conf service lmtp { inet_listener lmtp { address = 127.0.0.1 ::1 port = 24 } } service auth { # auth_socket_path points to this userdb socket by default. It's typically # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have # full permissions to this socket are able to get a list of all usernames and # get the results of everyone's userdb lookups. # # The default 0666 mode allows anyone to connect to the socket, but the # userdb lookups will succeed only if the userdb returns an "uid" field that # matches the caller process's UID. Also if caller's uid or gid matches the # socket's uid or gid the lookup succeeds. Anything else causes a failure. # # To give the caller full permissions to lookup all users, set the mode to # something else than 0666 and Dovecot lets the kernel enforce the # permissions (e.g. 0777 allows everyone full permissions). unix_listener auth-userdb { #mode = 0666 #user = #group = } # Postfix smtp-auth unix_listener /var/spool/postfix/private/auth { mode = 0666 } # Auth process is run as this user. #user = $default_internal_user } ## 10-ssl.conf ## 10-tcpwrapper.conf ## 15-lda.conf ## 15-mailboxes.conf namespace inbox { inbox = yes mailbox Spam { auto = subscribe special_use = \Junk } mailbox Trash { auto = subscribe special_use = \Trash } mailbox Drafts { auto = subscribe special_use = \Drafts } mailbox Sent { auto = subscribe special_use = \Sent } } ## 20-imap.conf protocol imap { # Space separated list of plugins to load (default is global mail_plugins). mail_plugins = $mail_plugins imap_sieve } ## 20-lmtp.conf protocol lmtp { # Space separated list of plugins to load (default is global mail_plugins). mail_plugins = $mail_plugins sieve } ## 20-managesieve.conf ## 90-acl.conf ## 90-plugin.conf ## 90-quota.conf ## 90-sieve.conf plugin { sieve_before = /etc/dovecot/conf.d/custom-sieve/global_before.sieve sieve_after = /etc/dovecot/conf.d/custom-sieve/global_after.sieve sieve_plugins = sieve_imapsieve sieve_extprograms # From elsewhere to Spam folder imapsieve_mailbox1_name = Spam imapsieve_mailbox1_causes = COPY APPEND imapsieve_mailbox1_before = file:/usr/lib/dovecot/sieve/report-spam.sieve # From Spam folder to elsewhere imapsieve_mailbox2_name = * imapsieve_mailbox2_from = Spam imapsieve_mailbox2_causes = COPY APPEND imapsieve_mailbox2_before = file:/usr/lib/dovecot/sieve/report-ham.sieve sieve_pipe_bin_dir = /usr/lib/dovecot/sieve sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment } ## 90-sieve-extprograms.conf Meanwhile I tried a lot of several guides in the internet – nothing of them worked for me – what’s hard to understand because it’s a fresh and simple installation I did. Any help is very appreciated! Thanks Jens

4 6

Oauth2 introspection mode bug(?)
by Scott Q. 01 Jul '24

01 Jul '24

Here goes another oauth2 question, hoping it won't be ignored like all the others. I want to use get/auth on tokeninfo_url but post on introspection_url but dovecot doesn't let me. It doesn't add the auth header on tokeninfo_url whenever introspection_mode == post so, if introspection_mode = post, then dovecot no longer sends auth header to tokeninfo_url . Is this by design, is it a bug ? as can be seen in src/lib-oauth2/oauth2-request.c if (add_auth_bearer && http_client_request_get_origin_url(req->req)->user == NULL && set->introspection_mode == INTROSPECTION_MODE_GET_AUTH) { http_client_request_add_header(req->req, "Authorization", t_strdup_printf("Bearer %s", input->token)); }

2 6

Sieve Symlink Error
by Benjamin Rose 01 Jul '24

01 Jul '24

Hello, I'm in the process of moving our mail server from RHEL 6 to RHEL 9. We will be moving to: # dovecot --version 2.3.16 (7e2e900c1a) My issue is that sieve does not appear to work on the new setup, where it does work on the old one. I made a simple filter rule: # cat /u/mail0test/.sieve/ingo.sieve # Sieve Filter # Generated by Ingo (http://www.horde.org/apps/ingo/) (06/28/2024, 11:14:52 PM) require "fileinto"; # Test if header :comparator "i;ascii-casemap" :contains "Subject" "filtertest" { fileinto "Fun"; stop; } Upon sending an email to this test account, the following appears in /var/log/maillog: Jun 29 23:19:56 mail5 dovecot[3066980]: lda(mail0test)<3066980><FA8fFtzOgGZkzC4AuM9lWg>: Warning: sieve: file storage: Active sieve script symlink /u/mail0test/.dovecot.sieve is broken: Invalid/unknown path to storage (points to /u/mail0test/.sieve). Jun 29 23:19:56 mail5 dovecot[2987026]: doveadm(mail0test)<3066983><KFf4FtzOgGZnzC4AuM9lWg>: Warning: sieve: file storage: Active sieve script symlink /u/mail0test/.dovecot.sieve is broken: Invalid/unknown path to storage (points to /u/mail0test/.sieve). Jun 29 23:19:56 mail5 dovecot[2987026]: doveadm(mail0test)<3067016><VdsdK9zOgGaIzC4AuM9lWg>: Warning: sieve: file storage: Active sieve script symlink /u/mail0test/.dovecot.sieve is broken: Invalid/unknown path to storage (points to /u/mail0test/.sieve). Yet: # ll /u/mail0test/.dovecot.sieve lrwxrwxrwx. 1 mail0test sysguest 17 Jun 28 23:26 /u/mail0test/.dovecot.sieve -> .sieve/ingo.sieve # file /u/mail0test/.sieve/ingo.sieve /u/mail0test/.sieve/ingo.sieve: ASCII text That is the filter file I've pasted above. I've set the following directives in /etc/dovecot/conf.d/90-sieve.conf via puppet: augeas { "dovecot_sieve_settings": context => "/files/etc/dovecot/conf.d/90-sieve.conf", changes => [ "set plugin/sieve_dir ~/.sieve", "set plugin/sieve_user_log ~/.sieve/log" ], require => Package["dovecot"], notify => Service["dovecot"]; } The full configuration dump is attached. /u in our environment is the path for user homedirs, which is an NFS mount to a NetApp. The OS is Springdale Linux 9.2, a clone of RedHat from before the IBM license change. It will soon be RHEL 9.4 as we have obtained a license, but for all intents and purposes, Springdale 9.2 and RHEL 9.2 should be considered bug-for-bug compatible. The arch is x86_64 with both machines mail5 and mail6 (replicated) having Intel(R) Xeon(R) Gold 6244 CPU @ 3.60GHz and 768gb of memory. I have the same issue with SELinux in both enforcing and permissive modes, so this is not a permissions error due to SELinux. Am I doing something wrong, or is this a bug? I've seen that there have been some previous issues similar to this that ended up being bugs in pigeonhole, so here I am. Thanks, Ben

2 3

Glean all from addresses from a users mailbox?
by Austin Witmer 01 Jul '24

01 Jul '24

Hello all! Is there a quick and easy way to search through an entire mailbox for a user on my dovecot server and glean all the “from” email addresses? This user would like a record of all the email addresses who have contacted him. Thanks in advance for your ideas. Austin Witmer

3 2