[Dovecot] ACL and SSL
Finally got Dovecot to work on ports 100 and 143.
I would like to
a) Learn about ACL esp. on port 110 as there are still yodellaks that try to break in on port 110.
b) Set up separate SSL certs for imaps and pop3s.
-- For effective Internet Etiquette and communications read http://catb.org/jargon/html/T/top-post.html, http://idallen.com/topposting.html & http://www.caliburn.nl/topposting.html
-- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
At 5PM -0700 on 17/11/12 you (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem) wrote:
Finally got Dovecot to work on ports 100 and 143.
Port 100 is unassigned. Are you using it for POP3?
I would like to
a) Learn about ACL esp. on port 110 as there are still yodellaks that try to break in on port 110.
If Dovecot is not listening on port 110 there is nothing it can do about people trying to connect to that port. Perhaps you want to simply block it in your firewall?
b) Set up separate SSL certs for imaps and pop3s.
See the section called 'Different certificates per IP and protocol' in http://wiki2.dovecot.org/SSL/DovecotConfiguration.
Ben
Am 18.11.2012 01:23, schrieb Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem:
) Learn about ACL esp. on port 110 as there are still yodellaks that try to break in on port 110.
what acl would you like to set over pop3?
usually acl at dovecot means folder permissions in imap
if you mean what to do against brute force
use i.e fail2ban
http://wiki2.dovecot.org/HowTo/Fail2Ban
Best Regards MfG Robert Schetterer
-- [*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64 Franziskanerstraße 15, 81669 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer Aufsichtsratsvorsitzender: Joerg Heidrich
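Robert's pointer to fail2ban is the usual answer to repeated login attempts on POP3/IMAP. As an added example (not code from the thread, from fail2ban, or from the Dovecot wiki), the following Python script reproduces the decision that fail2ban's `maxretry` and `findtime` jail options express: it parses Dovecot 2.x `pop3-login`/`imap-login` "auth failed" lines, counts failures per remote address in a sliding time window, and reports the sources that would be banned. The log lines in `SAMPLE_LOG` are constructed (documentation-range addresses, invented users), and `parse_auth_failures` and `offenders` are this example's own names.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the Dovecot 2.x *-login log format (documentation-range
# addresses, invented users); not taken from the thread.
SAMPLE_LOG = """\
Nov 19 09:20:01 doctor dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS
Nov 19 09:20:04 doctor dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<test>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS
Nov 19 09:20:09 doctor dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 3 secs): user=<root>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS
Nov 19 09:20:15 doctor dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<alice>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS
Nov 19 09:21:23 doctor dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS
Nov 19 09:30:00 doctor dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS
"""

# Only failed logins count; successful "Login:" lines never match this pattern.
AUTH_FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ dovecot: (?P<svc>pop3|imap)-login: "
    r"(?:Disconnected|Aborted login) \(auth failed, (?P<n>\d+) attempts in \d+ secs\): "
    r"user=<(?P<user>[^>]*)>, method=\S+, rip=(?P<rip>[0-9A-Fa-f.:]+)"
)


def parse_auth_failures(log_text):
    """Return (timestamp, rip, service, user, attempts) for each failed-login line."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_FAILED.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog lines carry no year
            events.append((ts, m["rip"], m["svc"], m["user"], int(m["n"])))
    return events


def offenders(events, maxretry=3, findtime=timedelta(minutes=10)):
    """Sliding-window count per source address, the same rule fail2ban's
    maxretry/findtime options express: ban once `maxretry` failures fall
    within `findtime`. Returns {rip: time the threshold was crossed}."""
    attempts = defaultdict(list)
    for ts, rip, _svc, _user, n in sorted(events):
        attempts[rip].extend([ts] * n)  # one log line may stand for several retries
    banned = {}
    for rip, times in attempts.items():
        window = deque()
        for ts in times:
            window.append(ts)
            while ts - window[0] > findtime:
                window.popleft()  # drop failures older than findtime
            if len(window) >= maxretry:
                banned[rip] = ts
                break
    return banned


if __name__ == "__main__":
    for rip, when in offenders(parse_auth_failures(SAMPLE_LOG)).items():
        print(f"{rip}: ban at {when:%b %d %H:%M:%S}")
```

With the defaults, 198.51.100.7 crosses the threshold on its third failure at 09:20:09, while 203.0.113.5 (two failures nearly ten minutes apart, with a successful login in between) does not; lowering `maxretry` to 2 bans both, which is the tuning trade-off a real jail has to make between catching slow guessing and locking out users who mistype a password.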
On Sat, Nov 17, 2012 at 05:23:43PM -0700, Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem wrote:
Finally got Dovecot to work on ports 100 and 143.
I would like to
a) Learn about ACL esp. on port 110 as there are still yodellaks that try to break in on port 110.
b) Set up separate SSL certs for imaps and pop3s.
Found this one out easily, however new issue:
Nov 19 09:21:23 doctor dovecot: pop3-login: Login: user=<MOEuser>, method=PLAIN, rip=208.118.93.81, lip=local mail server, TLS
Nov 19 09:21:23 doctor dovecot: POP3(MOEuser):Debug: Effective uid=2618, gid=2991, home=/usr/home/MOEuser
Nov 19 09:21:23 doctor dovecot: POP3(MOEuser):Debug: fs: root=/usr/home/MOEuser/mail, index=, control=, inbox=/var/mail/MOEuser, alt=
Nov 19 09:21:23 doctor dovecot: POP3(MOEuser):Debug: Namespace : /usr/home/MOEuser/mail doesn't exist yet, using default permissions
Nov 19 09:21:23 doctor dovecot: POP3(MOEuser):Debug: Namespace : Using permissions from /usr/home/MOEuser/mail: mode=0700 gid=-1
Nov 19 09:21:23 doctor dovecot: POP3(MOEuser):Error: user MOEuser: Initialization failed: Initializing mail storage from mail_location setting failed: mkdir(/usr/home/MOEuser/mail) failed: Permission denied (euid=2618(MOEuser) egid=2991(sc) missing +w perm: /usr/home/MOEuser, dir owned by 0:2991 mode=0755)
Nov 19 09:21:23 doctor dovecot: POP3(MOEuser):Error: Invalid user settings. Refer to server log for more information.
Nov 19 09:21:27 doctor dovecot: pop3-login: Login: user=<MOEuser>, method=PLAIN, rip=208.118.93.81, lip=local mail server, TLS
Nov 19 09:21:27 doctor dovecot: POP3(MOEuser):Debug: Effective uid=2618, gid=2991, home=/usr/home/MOEuser
Nov 19 09:21:27 doctor dovecot: POP3(MOEuser):Debug: fs: root=/usr/home/MOEuser/mail, index=, control=, inbox=/var/mail/MOEuser, alt=
Nov 19 09:21:27 doctor dovecot: POP3(MOEuser):Debug: Namespace : /usr/home/MOEuser/mail doesn't exist yet, using default permissions
Nov 19 09:21:27 doctor dovecot: POP3(MOEuser):Debug: Namespace : Using permissions from /usr/home/MOEuser/mail: mode=0700 gid=-1
Nov 19 09:21:27 doctor dovecot: POP3(MOEuser):Error: user MOEuser: Initialization failed: Initializing mail storage from mail_location setting failed: mkdir(/usr/home/MOEuser/mail) failed: Permission denied (euid=2618(MOEuser) egid=2991(sc) missing +w perm: /usr/home/MOEuser, dir owned by 0:2991 mode=0755)
Nov 19 09:21:27 doctor dovecot: POP3(MOEuser):Error: Invalid user settings. Refer to server log for more information.
Nov 19 09:21:35 doctor dovecot: imap-login: Login: user=<MOEuser>, method=PLAIN, rip=208.118.93.81, lip=local mail server
Nov 19 09:21:35 doctor dovecot: IMAP(MOEuser):Debug: Effective uid=2618, gid=2991, home=/usr/home/MOEuser
Nov 19 09:21:35 doctor dovecot: IMAP(MOEuser):Debug: fs: root=/usr/home/MOEuser/mail, index=, control=, inbox=/var/mail/MOEuser, alt=
Nov 19 09:21:35 doctor dovecot: IMAP(MOEuser):Debug: Namespace : /usr/home/MOEuser/mail doesn't exist yet, using default permissions
Nov 19 09:21:35 doctor dovecot: IMAP(MOEuser):Debug: Namespace : Using permissions from /usr/home/MOEuser/mail: mode=0700 gid=-1
Nov 19 09:21:35 doctor dovecot: IMAP(MOEuser):Error: user MOEuser: Initialization failed: Initializing mail storage from mail_location setting failed: mkdir(/usr/home/MOEuser/mail) failed: Permission denied (euid=2618(MOEuser) egid=2991(sc) missing +w perm: /usr/home/MOEuser, dir owned by 0:2991 mode=0755)
Nov 19 09:21:35 doctor dovecot: IMAP(MOEuser):Error: Invalid user settings. Refer to server log for more information.
Nov 19 09:21:48 doctor dovecot: imap-login: Login: user=<MOEuser>, method=PLAIN, rip=208.118.93.81, lip=local mail server
Nov 19 09:21:48 doctor dovecot: IMAP(MOEuser):Debug: Effective uid=2618, gid=2991, home=/usr/home/MOEuser
Nov 19 09:21:48 doctor dovecot: IMAP(MOEuser):Debug: fs: root=/usr/home/MOEuser/mail, index=, control=, inbox=/var/mail/MOEuser, alt=
Nov 19 09:21:48 doctor dovecot: IMAP(MOEuser):Debug: Namespace : /usr/home/MOEuser/mail doesn't exist yet, using default permissions
Nov 19 09:21:48 doctor dovecot: IMAP(MOEuser):Debug: Namespace : Using permissions from /usr/home/MOEuser/mail: mode=0700 gid=-1
Nov 19 09:21:48 doctor dovecot: IMAP(MOEuser):Error: user MOEuser: Initialization failed: Initializing mail storage from mail_location setting failed: mkdir(/usr/home/MOEuser/mail) failed: Permission denied (euid=2618(MOEuser) egid=2991(sc) missing +w perm: /usr/home/MOEuser, dir owned by 0:2991 mode=0755)
Nov 19 09:21:48 doctor dovecot: IMAP(MOEuser):Error: Invalid user settings. Refer to server log for more information.
The MOEuser stands for Microsoft Outlook Express user.
The credentials were correct, i.e. user/pw, but Dovecot kept rejecting the user.
I heard similar complaints from M$ Mail, OE, and Outlook users.
doveconf -n
# 2.1.10: /usr/dovecot2/etc/dovecot/dovecot.conf
# OS: BSD/OS 4.3 i386
base_dir = /var/run/dovecot/
disable_plaintext_auth = no
first_valid_uid = 100
listen = [::]
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l %c
mail_debug = yes
mail_location = mbox:~/mail:INBOX=/var/mail/%u
mail_log_prefix = %Us(%u):
mdbox_rotate_size = 2 k
passdb {
  args = /etc/master.passwd
  driver = passwd-file
}
plugin {
  home = /usr/dovecot2
}
protocols = imap pop3
service auth {
  executable = /usr/dovecot2/libexec/dovecot/auth
  user = root
}
service imap-login {
  chroot = login
  client_limit = 256
  executable = /usr/dovecot2/libexec/dovecot/imap-login
  inet_listener imap {
    address = local mail server
    port = 143
  }
  inet_listener imaps {
    address = local mail server
    port = 993
    ssl = yes
  }
  process_limit = 128
  process_min_avail = 3
  service_count = 1
  user = dovecot
}
service imap {
  executable = /usr/dovecot2/libexec/dovecot/imap
  process_limit = 512
}
service pop3-login {
  chroot = login
  client_limit = 256
  executable = /usr/dovecot2/libexec/dovecot/pop3-login
  inet_listener pop3s {
    address = local mail server
    port = 995
    ssl = yes
  }
  process_limit = 128
  process_min_avail = 3
  service_count = 1
  user = dovecot
}
service pop3 {
  executable = /usr/dovecot2/libexec/dovecot/pop3
  process_limit = 512
}
ssl_cert = </usr/dovecot2/etc/dovecot/ssl/pop3.nk.ca.crt
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:aNULL
ssl_key = </usr/dovecot2/etc/dovecot/ssl/pop3.nk.ca.key
userdb {
  driver = passwd
}
userdb {
  args = /etc/passwd
  driver = passwd-file
}
verbose_ssl = yes
local local mail server {
  protocol imap {
    imap_client_workarounds = delay-newmail tb-extra-mailbox-sep
    imap_idle_notify_interval = 2 mins
    imap_logout_format = bytes=%i/%o
    imap_max_line_length = 64 k
    mail_max_userip_connections = 10
    mail_plugin_dir = /usr/dovecot2/lib/dovecot/imap
    ssl_cert = </usr/dovecot2/etc/dovecot/ssl/pop3.nk.ca.crt
    ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:aNULL
    ssl_key = </usr/dovecot2/etc/dovecot/ssl/pop3.nk.ca.key
    verbose_ssl = yes
  }
}
local local mail server {
  protocol pop3 {
    mail_max_userip_connections = 3
    mail_plugins =
    pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
    pop3_enable_last = yes
    pop3_lock_session = yes
    pop3_logout_format = top=%t/%p, retr=%r/%b, del=%d/%m, size=%s
    pop3_no_flag_updates = yes
    pop3_reuse_xuidl = yes
    pop3_save_uidl = no
    pop3_uidl_format = %08Xu%08Xv
    ssl_cert = </usr/dovecot2/etc/dovecot/ssl/pop3.nk.ca.crt
    ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:aNULL
    ssl_key = </usr/dovecot2/etc/dovecot/ssl/pop3.nk.ca.key
    verbose_ssl = yes
  }
}
Thunderbird works.
Why are M$ mail clients messing up?
-- Member - Liberal International This is doctor@nl2k.ab.ca Ici doctor@nl2k.ab.ca God,Queen and country!Never Satan President Republic!Beware AntiChrist rising! http://www.fullyfollow.me/rootnl2k Merry Christmas 2012 and Happy New Year 2013
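The Error lines in the log above already contain everything needed to explain the failure: which call failed, the effective uid/gid of the mail process, and the owner, group and mode of the directory it was denied on. As an added example (not code from the thread or from Dovecot), this Python script parses that "Permission denied (euid=... missing +w perm: ...)" message and replays the classic Unix mode-bit check, reporting which permission class (owner, group, other) the process was evaluated as and whether that class holds the needed bit. The sample input is the first Error line from the log above; `parse_perm_denied` and `diagnose` are this example's own names, and the fix commands it suggests are generic suggestions, not what the poster ran.

```python
import re

# The first Error line from the log above, used verbatim as the sample input.
SAMPLE_ERROR = (
    "Nov 19 09:21:23 doctor dovecot: POP3(MOEuser):Error: user MOEuser: "
    "Initialization failed: Initializing mail storage from mail_location setting "
    "failed: mkdir(/usr/home/MOEuser/mail) failed: Permission denied "
    "(euid=2618(MOEuser) egid=2991(sc) missing +w perm: /usr/home/MOEuser, "
    "dir owned by 0:2991 mode=0755)"
)

# Matches Dovecot's EPERM diagnostic: which call failed, on what, as which
# identity, and what the parent directory's ownership and mode were.
PERM_DENIED = re.compile(
    r"(?P<op>\w+)\((?P<target>[^)]+)\) failed: Permission denied "
    r"\(euid=(?P<euid>\d+)\((?P<euser>[^)]*)\) egid=(?P<egid>\d+)\((?P<egroup>[^)]*)\) "
    r"missing \+(?P<need>[rwx]) perm: (?P<path>[^,]+), "
    r"dir owned by (?P<uid>\d+):(?P<gid>\d+) mode=(?P<mode>[0-7]+)\)"
)

BITS = {"r": 4, "w": 2, "x": 1}


def parse_perm_denied(line):
    """Return the fields of a Dovecot 'Permission denied (...)' error, or None."""
    m = PERM_DENIED.search(line)
    if not m:
        return None
    err = m.groupdict()
    for key in ("euid", "egid", "uid", "gid"):
        err[key] = int(err[key])
    err["mode"] = int(err["mode"], 8)
    return err


def diagnose(err):
    """Replay the classic mode-bit check the kernel applied to the parent directory.

    Dovecot runs the mail process as the user (euid/egid), so that identity is
    matched against the directory's owner, then its group, then 'other'.
    """
    if err["euid"] == 0:
        cls, shift = "root (DAC override)", None
    elif err["euid"] == err["uid"]:
        cls, shift = "owner", 6
    elif err["egid"] == err["gid"]:
        cls, shift = "group", 3
    else:
        cls, shift = "other", 0
    bit_set = shift is None or bool((err["mode"] >> shift) & BITS[err["need"]])

    if bit_set:
        fixes = [
            "mode bits already allow this; look for POSIX ACLs, a read-only mount, "
            "immutable/append-only flags, or a chroot that hides the real path",
        ]
    else:
        user, group = err["euser"], err["egroup"]
        fixes = [
            # Least-privilege fix: create only the subdirectory Dovecot wanted, owned by the user.
            f"install -d -m 0700 -o {user} -g {group} {err['target']}",
            # If the parent really is the user's home, it should belong to the user anyway.
            f"chown {user} {err['path']}   # only if {err['path']} is {user}'s own home directory",
            # Deliberately absent: chmod o+w / 0777 on a home directory lets every local account write there.
        ]
    return {"class": cls, "bit_set": bit_set, "fixes": fixes}


if __name__ == "__main__":
    err = parse_perm_denied(SAMPLE_ERROR)
    print(f"{err['op']}({err['target']}) as uid {err['euid']} gid {err['egid']}; "
          f"parent {err['path']} is {err['uid']}:{err['gid']} mode {err['mode']:04o}")
    result = diagnose(err)
    print(f"checked as '{result['class']}', +{err['need']} bit set: {result['bit_set']}")
    for fix in result["fixes"]:
        print("  ", fix)
```

For the thread's line the process (uid 2618, gid 2991) is not the owner (uid 0) but is in the directory's group (gid 2991), so it is evaluated as "group", and 0755 gives the group r-x with no w: the home directory is root-owned and the user cannot create `mail` inside it. Creating that one directory owned by the user is the narrowest fix, which matches what the poster later found (the account was missing its mail directory); the script also recognises the opposite case, where the mode bits would have allowed the operation and something other than classic permissions must be denying it.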
Am 19.11.2012 18:55, schrieb The Doctor:
/mail) failed: Permission denied (euid=2618(MOEuser) egid=2991(sc) missing +w perm: /usr/home/MOEuser, dir owned by 0:2991 mode=0755
seems you got a permission problem
Best Regards MfG Robert Schetterer
On Mon, Nov 19, 2012 at 07:13:21PM +0100, Robert Schetterer wrote:
Am 19.11.2012 18:55, schrieb The Doctor:
/mail) failed: Permission denied (euid=2618(MOEuser) egid=2991(sc) missing +w perm: /usr/home/MOEuser, dir owned by 0:2991 mode=0755
seems you got a permission problem
Found it !
Looks like the user account was missing the mail directory.
fail2ban will implement.
Now Outlook 2010 reporting repeated mail. Is this a similar issue with OL2003?
Am 20.11.2012 03:27, schrieb The Doctor:
Now Outlook 2010 reporting repeated mail. Is this a similar issue with OL2003?
it doesn't look like a general client issue at all, check your logs for more warnings and errors, outlook(s) may not be the best clients, but they aren't guilty for all
Best Regards MfG Robert Schetterer