If you have time, please test
http://dovecot.org/nightly/dovecot-latest.tar.gz
If nothing big comes up, I'll release it as 1.0beta1 tomorrow evening.
On Sun, 2006-01-15 at 21:54 +0200, Timo Sirainen wrote:
> If you have time, please test
> http://dovecot.org/nightly/dovecot-latest.tar.gz
> If nothing big comes up, I'll release it as 1.0beta1 tomorrow evening.
Note that there's one big change here: DH parameters are now set for SSL to get forward secrecy, and Dovecot doesn't really start until it sees them for the first time. The first generation may take minutes, or even longer if you have an old computer.
After the first time, by default they're regenerated once a week, but in background where it shouldn't affect running.
If this becomes a real problem, I suppose I could include pregenerated DH parameters that are used until the generation completes for the first time..
On Sun, 2006-01-15 at 23:03 +0200, Timo Sirainen wrote:
> On Sun, 2006-01-15 at 21:54 +0200, Timo Sirainen wrote:
>> If you have time, please test
Rebuilt this a couple of times already since there were problems with the login process finding the ssl-parameters file. It should finally work properly now. :)
Timo Sirainen wrote:
> On Sun, 2006-01-15 at 23:03 +0200, Timo Sirainen wrote:
>> On Sun, 2006-01-15 at 21:54 +0200, Timo Sirainen wrote:
>>> If you have time, please test
> Rebuilt this a couple of times already since there were problems with the login process finding the ssl-parameters file. It should finally work properly now. :)
It took a good ten minutes to generate the ssl-parameters.dat file on Solaris on a Sun Ultra 5 (probably counts as a slow machine!), during which logins were hanging.
I'd vote for starting with some pregenerated ones, generating them when Dovecot starts (rather than at the first SSL login), or somehow making it clear that the generation is still going on. I was about to email you to say it wasn't working; trussing the login process seemed to suggest it was looping :-
open64("ssl-parameters.dat", O_RDONLY)           Err#2 ENOENT
alarm(0)                                         = 0
sigaction(SIGALRM, 0xFFBEF770, 0xFFBEF820)       = 0
sigprocmask(SIG_BLOCK, 0xFFBEF810, 0xFFBEF800)   = 0
alarm(1)                                         = 0
    Received signal #14, SIGALRM, in sigsuspend() [caught]
sigsuspend(0xFFBEF7F0)                           Err#4 EINTR
setcontext(0xFFBEF4D8)
alarm(0)                                         = 0
sigprocmask(SIG_UNBLOCK, 0xFFBEF810, 0x00000000) = 0
sigaction(SIGALRM, 0xFFBEF770, 0x00000000)       = 0
open64("ssl-parameters.dat", O_RDONLY)           Err#2 ENOENT
alarm(0)                                         = 0
Best Wishes, Chris
P.S. I had to comment out my ssl_parameters_file option in dovecot.conf due to the latest change but dovecot-example.conf still has it in.
P.P.S. Thanks for the LIST fixes. Looks good now (and my yuckiest patch is gone!).
--
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin, c.d.wakelin@reading.ac.uk
IT Services Centre, The University of Reading, Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 2AF, UK                Fax: +44 (0)118 975 3094
Chris Wakelin wrote:
> It took a good ten minutes to generate the ssl-parameters.dat file on Solaris on a Sun Ultra 5 (probably counts as a slow machine!), during which logins were hanging.
It was much quicker on the real mail server (Sun V480 with quad processors).
> I'd vote for starting with some pregenerated ones, generating them when Dovecot starts (rather than at the first SSL login), or somehow making it clear that the generation is still going on. I was about to email you to say it wasn't working; trussing the login process seemed to suggest it was looping :-
Ah, sorry, it *is* generated by the master process and the login process was looping waiting for it. Maybe the master process shouldn't detach from the console until it's done or something?
Best Wishes, Chris
On 16/01/2006 12:01 p.m., Chris Wakelin wrote:
> Timo Sirainen wrote:
>> On Sun, 2006-01-15 at 23:03 +0200, Timo Sirainen wrote:
>>> On Sun, 2006-01-15 at 21:54 +0200, Timo Sirainen wrote:
>>>> If you have time, please test
>> Rebuilt this a couple of times already since there were problems with the login process finding the ssl-parameters file. It should finally work properly now. :)
> It took a good ten minutes to generate the ssl-parameters.dat file on Solaris on a Sun Ultra 5 (probably counts as a slow machine!), during which logins were hanging.
> I'd vote for starting with some pregenerated ones, generating them when Dovecot starts (rather than at the first SSL login), or somehow making it clear that the generation is still going on. I was about to email you to say it wasn't working; trussing the login process seemed to suggest it was looping :-
I had the same problem; there have been some commits to CVS earlier, after the nightly release, which seem to fix it.
You may want to give the next nightly a go or pull from CVS and see if that helps (it probably will).
reuben
Timo Sirainen wrote:
> Note that there's one big change here: DH parameters are now set for SSL to get forward secrecy, and Dovecot doesn't really start until it sees them for the first time. The first generation may take minutes, or even longer if you have an old computer.
Oh. And I thought ssl was broken when I tested the latest cvs yesterday. The new message "... may take a while" is better. A "finished" message would also be nice.
> If this becomes a real problem, I suppose I could include pregenerated DH parameters that are used until the generation completes for the first time..
I don't really know what this file is good for. Btw, it is created world readable, I hope that is by intention.
If a pregenerated file is not a security issue, it would be good to install it, I think. Otherwise it would be better to include such a parameter file, but not install it by default, so people can decide by themselves and nobody gets surprised (and the security people will also be happy).
On Mon, Jan 16, 2006 at 10:10:09AM +0100, Jakob Hirsch wrote:
> Timo Sirainen wrote:
>> If this becomes a real problem, I suppose I could include pregenerated DH parameters that are used until the generation completes for the first time..
> ...
> If a pregenerated file is not a security issue, it would be good to install it, I think. Otherwise it would be better to include such a parameter file, but not install it by default, so people can decide by themselves and nobody gets surprised (and the security people will also be happy).
I think the best way (the usual way?) is to generate the files through the install script. That way you get unique files and you don't get surprised by the length of the task. Generalize to default self-signed certificates, etc.
--On Monday, January 16, 2006 11:30 AM +0100 Lorens dovecot.fdop@tagged.lorens.org wrote:
> I think the best way (the usual way?) is to generate the files through the install script. That way you get unique files and you don't get surprised by the length of the task. Generalize to default self-signed certificates, etc.
You can copy what Apache does. At least on Fedora, the RPM creates self-signed certs upon installation.
On Sun, 15.01.2006 at 21.54 +0200, Timo Sirainen wrote:
> If you have time, please test
> http://dovecot.org/nightly/dovecot-latest.tar.gz
> If nothing big comes up, I'll release it as 1.0beta1 tomorrow evening.
Works great here :) Except one little bug, but I guess that's not "big". When using userdb prefetch with ldap, user_global_uid and user_global_gid aren't used, so users without uid and gid can't log on. A little frustrating.
And do you think you'll have time to fix filesystem quota before 1.0 final is released?
Best regards, Stian
Timo Sirainen wrote:
> If you have time, please test
> http://dovecot.org/nightly/dovecot-latest.tar.gz
> If nothing big comes up, I'll release it as 1.0beta1 tomorrow evening.
I have a problem with building the RPM. I use the attached spec file. The problem building dovecot with this spec file started with alpha-5; previous versions were built O.K. Now at the install stage this spec installs all core files perfectly, and on entering the quota plugin it tries to install files not into the virtual installation root, but directly into /usr/lib or /usr/lib64. If I erase quota from the plugins makefile, the same occurs with the next plugin. These are the lines from the error log:
test -z "/home/seriv/tmp/dovecot-buildroot/usr/lib/dovecot" || mkdir -p -- "/home/seriv/tmp/dovecot-buildroot/usr/lib/dovecot"
 /bin/sh ../../libtool --mode=install /bin/install -p 'rawlog' '/home/seriv/tmp/dovecot-buildroot/usr/lib/dovecot/rawlog'
/bin/install -p rawlog /home/seriv/tmp/dovecot-buildroot/usr/lib/dovecot/rawlog
 /bin/sh ../../libtool --mode=install /bin/install -p 'gdbhelper' '/home/seriv/tmp/dovecot-buildroot/usr/lib/dovecot/gdbhelper'
/bin/install -p gdbhelper /home/seriv/tmp/dovecot-buildroot/usr/lib/dovecot/gdbhelper
test -z "/home/seriv/tmp/dovecot-buildroot/usr/sbin" || mkdir -p -- "/home/seriv/tmp/dovecot-buildroot/usr/sbin"
 /bin/sh ../../libtool --mode=install /bin/install -p 'dovecotpw' '/home/seriv/tmp/dovecot-buildroot/usr/sbin/dovecotpw'
/bin/install -p dovecotpw /home/seriv/tmp/dovecot-buildroot/usr/sbin/dovecotpw
make[3]: Nothing to be done for `install-data-am'.
make[3]: Leaving directory `/home/seriv/RPM/BUILD/dovecot-1.0.alpha5/src/util'
make[2]: Leaving directory `/home/seriv/RPM/BUILD/dovecot-1.0.alpha5/src/util'
Making install in plugins
make[2]: Entering directory `/home/seriv/RPM/BUILD/dovecot-1.0.alpha5/src/plugins'
Making install in quota
make[3]: Entering directory `/home/seriv/RPM/BUILD/dovecot-1.0.alpha5/src/plugins/quota'
make[4]: Entering directory `/home/seriv/RPM/BUILD/dovecot-1.0.alpha5/src/plugins/quota'
mkdir -p -- /usr/lib64/dovecot/imap /usr/lib64/dovecot/lda
mkdir: cannot create directory `/usr/lib64/dovecot': Permission denied
mkdir: cannot create directory `/usr/lib64/dovecot': Permission denied
make[4]: *** [install-exec-local] Error 1
make[4]: Leaving directory `/home/seriv/RPM/BUILD/dovecot-1.0.alpha5/src/plugins/quota'
make[3]: *** [install-am] Error 2
make[3]: Leaving directory `/home/seriv/RPM/BUILD/dovecot-1.0.alpha5/src/plugins/quota'
make[2]: *** [install-recursive] Error 1
make[2]: Leaving directory `/home/seriv/RPM/BUILD/dovecot-1.0.alpha5/src/plugins'
make[1]: *** [install-recursive] Error 1
make[1]: Leaving directory `/home/seriv/RPM/BUILD/dovecot-1.0.alpha5/src'
make: *** [install-recursive] Error 1
make: Leaving directory `/home/seriv/RPM/BUILD/dovecot-1.0.alpha5'
error: Bad exit status from /home/seriv/tmp/rpm-tmp.38278 (%install)
--
WBR, Sergey Ivanov
%define _ssldir %(openssl-config --openssldir)

Name: dovecot
Version: 1.0
Release: alt0.cvs20060115

Summary: Dovecot secure IMAP/POP3 server
License: GPL
Group: System/Servers
Url: http://%name.org/

Packager: Sergey Ivanov <seriv@altlinux.ru>

PreReq: shadow-utils, service, openssl >= 0.9.6g-alt2

###########################################
# Relations with other POP3/IMAP server pkgs (like courier-imap)
# Provide the abstract service names (which are virtual pkg names),
# specify their origin (our pkg name as the epoch + version-release):
Provides: IMAPD = %name:%version-%release
Provides: POP3D = %name:%version-%release
# End of the statements to describe relations with other POP3/IMAP server pkgs
########################################

Source0: %name-20060115.tar.gz
Source1: %name.init
Source2: %name.pam

# ALT patches
Patch0: %name-1.0-alpha4-alt-mkcert.patch
Patch1: %name-1.0-alpha5-alt-conf.patch

# Upstream patches
# Unapplied
Patch5: auth-lmpass.patch

BuildPreReq: automake_1.9
# Automatically added by buildreq on Sun Aug 21 2005
BuildRequires: gcc-c++ libldap-devel libpam-devel libpq4-devel libsasl2-devel libssl-devel libstdc++-devel openssl pkgconfig postgresql-devel

%description
Dovecot is an IMAP/POP3 server for Linux/UNIX-like systems, written with
security primarily in mind. Although it's written in C, it uses several
coding techniques to avoid most of the common pitfalls.

Dovecot can work with standard mbox and maildir formats and it's fully
compatible with UW-IMAP and Courier IMAP servers as well as mail clients
accessing the mailboxes directly.

%prep
%setup -q -n %name-1.0.alpha5
%patch0 -p1
%patch1 -p1
#%patch5 -p1

%build
%set_automake_version 1.9
export CPPFLAGS="`pkg-config --cflags-only-I openssl`"
export LDFLAGS="`pkg-config --libs-only-L openssl`"
aclocal
%__automake
%__autoconf
%configure \
	--localstatedir=%_var \
	--without-vpopmail \
	--with-ldap \
	--with-pgsql \
	--with-cyrus-sasl2 \
	--with-rawlog \
	--with-storages='maildir,mbox' \
	--with-ssl=openssl --with-ssldir=%_ssldir
%make_build

%install
# NOTE: %makeinstall only overrides prefix/libdir-style variables and sets no
# DESTDIR. The plugins' install-exec-local target (see the log above) uses a
# module directory fixed at configure time, so it escapes %buildroot and
# writes to /usr/lib64 directly; 'make install DESTDIR=%buildroot' keeps it
# inside the build root.
%makeinstall

## Cleanup
# We will make our own %%doc set
%__rm -rf %buildroot%_docdir/%name

## Install
%__mkdir_p -m 0755 %buildroot%_sysconfdir/pam.d
%__mkdir_p -m 0755 %buildroot%_initdir
%__mkdir_p -m 0755 %buildroot%_sysconfdir/%name
%__mkdir_p -m 0755 %buildroot%_datadir/%name
%__mkdir_p -m 0755 %buildroot%_ssldir/{certs,private}

# Base directory
%__mkdir_p -m 0700 %buildroot%_var/run/%name
# Chroot for imap-login
%__mkdir_p -m 0750 %buildroot%_var/run/%name/login
# Init script
%__install -m 0755 %SOURCE1 %buildroot%_initdir/%name
# PAM config
%__install -m 0600 %SOURCE2 %buildroot%_sysconfdir/pam.d/%name
# Default config
%__mv -f %buildroot%_sysconfdir/%name{-example,}.conf
# OpenSSL stuff
# Need more working on it.
%__mv doc/dovecot-openssl.cnf %buildroot%_sysconfdir/%name
%__install -m 0755 doc/mkcert.sh %buildroot%_datadir/%name/mkcert
# Ghosts. How to include it in package and remove on
# package remove without checking of size mismatch?
touch %buildroot%_ssldir/certs/%name.pem
touch %buildroot%_ssldir/private/%name.pem
touch %buildroot%_var/run/%name/ssl-parameters.dat
# Done

%pre
%_sbindir/groupadd -r -f %name 2>/dev/null ||:
%_sbindir/useradd -r -n -g %name -d %_var/run/%name \
	-s /dev/null -c 'Dovecot secure IMAP server' %name 2>/dev/null ||:

%post
# adjust config for generating SSL certs
#HOSTNAME=`hostname -f`
# %__subst "s|^CN=.*$|CN=$HOSTNAME|g;s|^emailAddress=.*$|emailAddress=root@$HOSTNAME|g" %_sysconfdir/%name/.cnf
# generate SSL certs
# if [ ! -f %buildroot%_ssldir/certs/imapd.pem ]; then
#   echo -n "Generating SSL cert for imapd-ssl: "
#   cmd="%_datadir/%name/mk"$i"cert"
#   $cmd >/dev/null 2>&1
#   echo "%buildroot%_ssldir/certs/imapd.pem - done."
# fi
echo "Generating SSL cert for imapd-ssl"
%_datadir/%name/mkcert
%post_service %name

%preun
%preun_service %name

#%postun
#if id %name >/dev/null 2>&1; then
#	userdel %name
#fi
#if sg %name -c true >/dev/null 2>&1; then
#	groupdel nntpcache
#fi

%files
%config(noreplace) %_sysconfdir/%name.conf
%config(noreplace) %_sysconfdir/pam.d/%name
%config(noreplace) %_initdir/%name
%dir %attr(0700,root,root) %_var/run/%name
%dir %attr(0750,root,%name) %_var/run/%name/login
%_libexecdir/%name
%_sysconfdir/%name
%_datadir/%name
%_sbindir/*
%attr(0600,root,root) %ghost %config(missingok,noreplace) %verify(not md5 size mtime) %_var/run/%name/ssl-parameters.dat
%attr(0600,root,root) %ghost %config(missingok,noreplace) %verify(not md5 size mtime) %_ssldir/certs/%name.pem
%attr(0600,root,root) %ghost %config(missingok,noreplace) %verify(not md5 size mtime) %_ssldir/private/%name.pem
%doc doc/*.txt INSTALL AUTHORS doc/USE-WIKI-INSTEAD ChangeLog
%doc COPYING* TODO README NEWS doc/*.conf

%changelog
* Sun Dec 04 2005 Sergey Ivanov <seriv@altlinux.ru> 1.0-alt0.cvs20051204
- 1.0-alpha4 of nightly cvs builds at 12/04/2005

* Mon Nov 21 2005 Sergey Ivanov <seriv@altlinux.ru> 0.99.14-alt5
- Fix postgresql-devel dependency, removed version number binding;
  fix %_libexecdir - %_libdir confusion; fix documentation installation.

* Tue Oct 11 2005 Sergey Ivanov <seriv@altlinux.ru> 0.99.14-alt4
- removed undefined macro from commented-out text; removed conflicting
  relation to other POP3/IMAP servers

* Fri Aug 05 2005 Sergey Ivanov <seriv@altlinux.ru> 0.99.14-alt3
- Fix #7479

* Sun May 22 2005 Sergey Ivanov <seriv@altlinux.ru> 0.99.14-alt2
- Buildreq fix: removed version binding for libpq-devel

* Fri Feb 18 2005 Sergey Ivanov <seriv@altlinux.ru> 0.99.14-alt1
- Message address fields are now parsed differently, fixing some issues
  with spaces. Affects only clients which use FETCH ENVELOPE command.
- Message MIME parser was somewhat broken with missing MIME boundaries
- mbox: Don't allow X-UID headers in mails to override the UIDs we would
  otherwise set. Too large values can break some clients and cause other
  trouble.
- passwd-file userdb wasn't working
- PAM crashed with 64bit systems
- non-SSL inetd startup wasn't working
- If UID FETCH notices and skips an expunged message, don't return a NO
  reply. It's not needed and only makes clients give error messages.

* Thu Jan 06 2005 Sergey Ivanov <seriv@altlinux.ru> 0.99.13-alt1
- Update to new version. From its changelog:
- GNUTLS support hasn't been working for a while, so it's not even tried
  to be used anymore unless explicitly wanted.
- Added CRAM-MD5 authentication mechanism. Patch by Joshua Goodall
- Added SMD5 and LDAP-MD5 password schemes and changed MD5 scheme to use
  LDAP-MD5 if the password isn't in MD5crypt format. Patch by Joshua Goodall
- Workaround for some POP3 client bugs: if message doesn't contain the
  "end of headers" empty line, add it automatically.
- vpopmail supports now all password schemes, most importantly MD5crypt
  works now without support from libc's crypt()
- SQL and LDAP authentication was broken
- SEARCH UNKEYWORD wasn't working

* Sun Dec 05 2004 Sergey Ivanov <seriv@altlinux.ru> 0.99.12-alt1
- Updated to new version. From changelog of 0.99.12:
- Fix memory leaks in LDAP, MySQL and PGSQL userdb/passdb
- Fix hanging when parsing mails that have over 4096 bytes in one line
  (SMTP servers normally don't allow over 1000 bytes so it shouldn't be
  much of a problem)
- FETCH BODYSTRUCTURE sometimes gave a wrong reply (eg. with
  FETCH (BODYSTRUCTURE RFC822.SIZE) if it wasn't cached)
- Never return more than one INBOX in LIST even if there are such files.
  They don't work anyway and it just confuses clients.
- mbox: Don't allow creating INBOX directory by creating/renaming
  mailboxes under it. They just wouldn't work.
- POP3: Don't return PLAIN in SASL list. We don't support initial SASL
  responses, so it only breaks with most clients that try to use it.
- IMAP and POP3 login processes may have sent each line in two IP
  packets, one with the data and another with CR+LF. Some clients didn't
  work because of this.

* Thu Sep 23 2004 Sergey Ivanov <seriv@altlinux.ru> 0.99.11-alt1
- Updated to 0.99.11

* Mon Aug 02 2004 Sergey Ivanov <seriv@altlinux.ru> 0.99.10.9-alt1
- Update to 0.99.10.9

* Fri Jul 30 2004 Sergey Ivanov <seriv@altlinux.ru> 0.99.10.8-alt1
- Updated to 0.99.10.8

* Sat Jan 10 2004 Anton V. Denisov <avd@altlinux.org> 0.99.10.4-alt1.1
- Explicitly use automake-1.4 for build and run %%__automake before
  %%configure (hope this fix build with new autotools and GCC).

* Mon Dec 15 2003 Anton V. Denisov <avd@altlinux.org> 0.99.10.4-alt1
- Updated to 0.99.10.4 (bugfix release).

* Tue Dec 09 2003 Anton V. Denisov <avd@altlinux.org> 0.99.10.2-alt1
- Initial release for ALT Linux Sisyphus.

* Mon Dec 08 2003 Anton V. Denisov <avd@altlinux.org> 0.99.10.2-alt0.2
- Built with pop3 daemon and enable it in config.
- Add into %%summary and %%description info about POP3 protocol.
- Minor improvements in %%files section.
- PreReq tuned.

* Tue Nov 11 2003 Anton V. Denisov <avd@altlinux.org> 0.99.10.2-alt0.1
- Updated to 0.99.10.2 (bugfix release).
- Removed auth-no-homedir.patch (no longer need).
- Updated our patches for new version.
- Add Packager tag.
- added %postun for user removal and commented it out.
- TODO is still todo.

* Mon Nov 10 2003 Anton V. Denisov <avd@altlinux.org> 0.99.10-alt0.1
- New version 0.99.10.
- Applied upstream bugfix patch.
- Added alt-conf-paths.patch
- Updated alt-mkcert.patch
- Updated %%description.
- Updated buildrequires.
- PAM config renamed: imap->%name
- SSL/TLS certs renamed.
- Additional flags for %%configure.
- Temporary build with --without-pop3d (should we?)
- Use default config instead of our.
- Mark %_initdir/%name as %%config(noreplace) (should we?).
- Init script updated.
- Corrected permissions for %_var/run/%name and %_var/run/%name/login.
- Other minor updates in spec file.
- TODO:
  - build and split modules (like postfix2 package).
  - other.

* Sun Nov 09 2003 Anton V. Denisov <avd@altlinux.org> 0.99.4-alt0.2
- Initial build for ALT Linux.
- Spec file cleaned up and improved (courier-imap.spec as example).
- Automatically added BuildRequires.
- %%configure with additional keys.
- PAM configs added.
- Create user for imap-login process.
- added sample default config
- SSL/TLS certs generation during package install (need more working)
- TODO:
  - check FHS and ALT policy compliance
  - with/without logic of build (do we need shadow-auth support?)

* Sun Dec 1 2002 Seth Vidal <skvidal@phy.duke.edu>
- 0.99.4 and fix startup so it starts imap-master not vsftpd :)

* Tue Nov 26 2002 Seth Vidal <skvidal@phy.duke.edu>
- first build
Participants (8): Chris Wakelin, Jakob Hirsch, Kenneth Porter, Lorens, Reuben Farrelly, Sergey Ivanov, Stian Jordet, Timo Sirainen