http://dovecot.org/releases/2.0/dovecot-2.0.13.tar.gz
http://dovecot.org/releases/2.0/dovecot-2.0.13.tar.gz.sig
I've almost managed to read my email backlog, but there are still some unanswered mails. Feel free to resend if you think I should have answered some of your mails.
The most important changes since v2.0.12:
+ Added "doveadm index" command to add unindexed messages into
index/cache. If full text search is enabled, it also adds unindexed
messages to the fts database.
+ added "doveadm director dump" command.
+ pop3: Added support for showing messages in "POP3 order", which can
be different from IMAP message order. This can be useful for
migrations from other servers. Implemented it for Maildir as 'O'
field in dovecot-uidlist.
- doveconf: Fixed a wrong "subsection has ssl=yes" warning.
- mdbox purge: Fixed wrong warning about corrupted extrefs.
- sdbox: INBOX GUID changed when INBOX was autocreated, leading to
trouble with dsync.
- script-login binary wasn't actually dropping privileges to the
user/group/chroot specified by its service settings.
- Fixed potential crashes and other problems when parsing header names
that contained NUL characters.
On Wed, 11 May 2011 18:52:21 +0300 Timo Sirainen wrote:
[ ... ]
- script-login binary wasn't actually dropping privileges to the user/group/chroot specified by its service settings.
This version gives problems with my post-login script to track last usage, which works perfectly with 2.0.12.
Error messages:
May 11 20:38:53 seymour dovecot: master: Dovecot v2.0.13 starting up (core dumps disabled)
May 11 20:39:01 seymour dovecot: imap-login: Login: frank, 192.168.28.53, TLS
May 11 20:39:01 seymour dovecot: imap-postlogin: Error: script-login: Error: user frank: Error reading configuration: net_connect_unix(/var/run/dovecot/config) failed: Permission denied
May 11 20:39:01 seymour dovecot: imap-postlogin: Error: script-login: Fatal: Internal error occurred. Refer to server log for more information.
May 11 20:39:01 seymour dovecot: log: Error: service(imap-postlogin): child 8651 returned error 89 (Fatal failure)
May 11 20:39:01 seymour dovecot: imap(frank): Post-login script denied access to user frank

# 2.0.12: /usr/local/dovecot/etc/dovecot/dovecot.conf
# OS: Linux 2.6.35.13-91.fc14.i686.PAE i686 Fedora release 14 (Laughlin) ext3
disable_plaintext_auth = no
first_valid_uid = 200
last_valid_uid = 65534
listen = *
login_greeting = c64.shuttle.de - IMAPs Service ready.
login_log_format_elements = %u %r %c
mail_location = maildir:/var/spool/mail/%u:INDEX=MEMORY
mail_log_prefix = "%Us(%u,%r): "
mail_plugins = " notify quota"
passdb {
  args = dovecot
  driver = pam
}
plugin {
  mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename flag_change append
  mail_log_fields = uid box from subject msgid size flags
  mail_log_group_events = yes
  quota = maildir:User quota
  quota_rule = *:storage=2G
  quota_rule2 = Trash:storage=+100M
}
protocols = imap
service auth {
  unix_listener auth-client {
    group = exim
    mode = 0660
    user = exim
  }
}
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
  process_min_avail = 3
}
service imap-postlogin {
  executable = script-login /usr/dovecot/bin/imap-post-login
  user = dovecot
}
service imap {
  executable = imap imap-postlogin
}
ssl_cert =
Procedure "/usr/dovecot/bin/imap-post-login" simply writes a datestamp to a file with owner "frank".
Any pointer to solution welcome.
--Frank Elsner
On 11.5.2011, at 22.03, Frank Elsner wrote:
This version gives problems with my post-login script to track last usage, which works perfectly with 2.0.12.
That would be because of this change:
- script-login binary wasn't actually dropping privileges to the
user/group/chroot specified by its service settings.
May 11 20:39:01 seymour dovecot: imap-postlogin: Error: script-login: Error: user frank: Error reading configuration: net_connect_unix(/var/run/dovecot/config) failed: Permission denied
Hmm. I suppose it drops the privileges a bit too early now.. Well, you can switch back to v2.0.12 behavior by removing the user=dovecot:
service imap-postlogin {
  user = dovecot
I'll fix it properly for v2.0.14 then. Another alternative would be to change config socket's permissions to allow dovecot user to read/write it.
On Wed, 11 May 2011 22:17:28 +0300 Timo Sirainen wrote:
On 11.5.2011, at 22.03, Frank Elsner wrote:
This version gives problems with my post-login script to track last usage, which works perfectly with 2.0.12.
That would be because of this change:
- script-login binary wasn't actually dropping privileges to the user/group/chroot specified by its service settings.
May 11 20:39:01 seymour dovecot: imap-postlogin: Error: script-login: Error: user frank: Error reading configuration: net_connect_unix(/var/run/dovecot/config) failed: Permission denied
Hmm. I suppose it drops the privileges a bit too early now.. Well, you can switch back to v2.0.12 behavior by removing the user=dovecot:
service imap-postlogin {
  user = dovecot
Thanks, works.
I'll fix it properly for v2.0.14 then. Another alternative would be to change config socket's permissions to allow dovecot user to read/write it.
How to do that?
PS: I'd like to have the lastlogin file to be owned by user dovecot. Currently it is owned by the user.
--Frank Elsner
On 11.5.2011, at 22.34, Frank Elsner wrote:
I'll fix it properly for v2.0.14 then. Another alternative would be to change config socket's permissions to allow dovecot user to read/write it.
How to do that?
For example:
service config {
  unix_listener config {
    group = dovecot
    mode = 0660
  }
}
(or just user=dovecot)
PS: I'd like to have the lastlogin file to be owned by user dovecot. Currently it is owned by the user.
Not root?..
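Added example (not part of the original thread and not Dovecot code): a Python sketch of the POSIX permission check behind the net_connect_unix(...) "Permission denied" error above, showing which accounts can reach the config socket before and after the two listener changes suggested in this message. The numeric uids/gids and the root-owned, mode 0600 starting state are constructed assumptions.

```python
import os
import stat
from collections import namedtuple

# Constructed ids for illustration; real values come from /etc/passwd and /etc/group.
ROOT, DOVECOT_UID, DOVECOT_GID, FRANK_UID, FRANK_GID = 0, 97, 97, 1000, 1000

SockPerm = namedtuple("SockPerm", "mode uid gid")  # the os.stat() fields that matter


def can_connect(sock, uid, gids):
    """Return True if a process with this uid and group set may connect().

    On Linux, connecting to a pathname Unix socket needs write permission on
    the socket inode. Only one permission class applies: owner, else group,
    else other. Search permission on the parent directories is not modelled.
    """
    if uid == ROOT:
        return True
    if uid == sock.uid:
        return bool(sock.mode & stat.S_IWUSR)
    if sock.gid in gids:
        return bool(sock.mode & stat.S_IWGRP)
    return bool(sock.mode & stat.S_IWOTH)


def stat_listener(path):
    """Read the same three fields from a real listener; reject non-sockets."""
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError(f"{path} is not a Unix socket")
    return SockPerm(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)


def report(sock):
    """Who can reach the socket: the service user, and an ordinary mail user."""
    return {
        "dovecot": can_connect(sock, DOVECOT_UID, {DOVECOT_GID}),
        "frank": can_connect(sock, FRANK_UID, {FRANK_GID}),
    }


# Assumed starting state: config socket owned by root, mode 0600.
BEFORE = SockPerm(0o600, ROOT, ROOT)
# After "group = dovecot" and "mode = 0660" on the unix_listener.
AFTER_GROUP = SockPerm(0o660, ROOT, DOVECOT_GID)
# After the "(or just user=dovecot)" variant, mode left at 0600.
AFTER_USER = SockPerm(0o600, DOVECOT_UID, ROOT)

if __name__ == "__main__":
    for name, sock in [("before", BEFORE), ("group", AFTER_GROUP), ("user", AFTER_USER)]:
        print(name, oct(sock.mode), report(sock))
```

Both variants open the socket to the dovecot account only; an ordinary mail user such as frank stays locked out, which a world-writable mode would not preserve.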
On Wed, 11 May 2011 22:37:22 +0300 Timo Sirainen wrote:
On 11.5.2011, at 22.34, Frank Elsner wrote:
I'll fix it properly for v2.0.14 then. Another alternative would be to change config socket's permissions to allow dovecot user to read/write it.
How to do that?
For example:
service config {
  unix_listener config {
    group = dovecot
    mode = 0660
  }
}
(or just user=dovecot)
PS: I'd like to have the lastlogin file to be owned by user dovecot. Currently it is owned by the user.
Not root?..
No.
-rw------- 1 frank elsner 31 May 11 20:54 lastlogin
--Frank Elsner
Compiling dovecot-2.0.13 on OS X emits these warnings: user-directory.c: In function user_directory_add: user-directory.c:79: warning: comparison between signed and unsigned user-directory.c:84: warning: comparison between signed and unsigned Casting the left hand sides of the comparisons to time_t, as you do in other places, silences them: --- a/src/director/user-directory.c 2011-05-11 09:35:21.000000000 -0500 +++ b/src/director/user-directory.c 2011-05-11 16:55:45.000000000 -0500 @@ -76,12 +76,12 @@ user->host->user_count++; user->timestamp = timestamp; - if (dir->tail == NULL || dir->tail->timestamp <= timestamp) + if (dir->tail == NULL || (time_t) dir->tail->timestamp <= timestamp) DLLIST2_APPEND(&dir->head, &dir->tail, user); else { /* need to insert to correct position */ for (pos = dir->tail; pos != NULL; pos = pos->prev) { - if (pos->timestamp <= timestamp) + if ((time_t) pos->timestamp <= timestamp) break; } if (pos == NULL)
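Review bot: In both changed comparisons the cast is applied to the stored value (dir->tail->timestamp and pos->timestamp), which the warning implies is unsigned, so on a build where time_t is a signed 32-bit type a stored value above 0x7fffffff becomes negative after the cast and the <= ordering test gives the wrong answer. The cast silences the warning but leaves the sorted insert relying on the field never reaching that range. Consider declaring the timestamp field as time_t rather than casting at each use (its declaration is not shown in this hunk), or add a comment next to the casts stating the assumed range.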
On Wed, 2011-05-11 at 17:01 -0500, Mike Abbott wrote:
Compiling dovecot-2.0.13 on OS X emits these warnings:
user-directory.c: In function user_directory_add:
user-directory.c:79: warning: comparison between signed and unsigned
user-directory.c:84: warning: comparison between signed and unsigned
On all 32 bit systems I guess.
Casting the left hand sides of the comparisons to time_t, as you do in other places, silences them:
Yeah.. Hmm. I wonder if there's a reason I didn't make the timestamp just be time_t. Oh well, we still have 30 years or so to fix it. :) Applied your patch: http://hg.dovecot.org/dovecot-2.0/rev/d9d5759196ee
rsync not active? or now protected to mirrors?
Dovecot-news mailing list Dovecot-news@dovecot.org http://dovecot.org/cgi-bin/mailman/listinfo/dovecot-news
Specifics of what you're talking about?
(Yeah, I may have screwed up something, but currently I'm a bit too busy/lazy to find out what.)
On 13.5.2011, at 2.39, Noel Butler wrote:
rsync not active? or now protected to mirrors?
On Fri, 2011-05-13 at 02:43 +0200, Timo Sirainen wrote:
Specifics of what you're talking about?
(Yeah, I may have screwed up something, but currently I'm a bit too busy/lazy to find out what.)
not to worry then, chmod -x /etc/cron.rsyncs.bi-daily/dovecot.pl has fixed it here
On 13.5.2011, at 2.39, Noel Butler wrote:
rsync not active? or now protected to mirrors?
On Wed, May 11, 2011 at 06:52:21PM +0300, Timo Sirainen wrote:
- Fixed potential crashes and other problems when parsing header names that contained NUL characters.
Should this get a CVE identifier? I can request it.
Best regards, Henri Salo
On Wed, May 11, 2011 at 06:52:21PM +0300, Timo Sirainen wrote:
- Fixed potential crashes and other problems when parsing header names that contained NUL characters.
Header NUL problem got assigned CVE-2011-1929.
Best regards, Henri Salo
participants (5)
- Frank Elsner
- Henri Salo
- Mike Abbott
- Noel Butler
- Timo Sirainen