Hello list,
I'm trying to get pidgeonhole/managesieve running, and I'm stuck connecting clients to the server (Dovecot 2.2.33.2-1ubuntu4.1 on an Ubnutu 18.04 machine). So far, my config looks like this:
protocols = imap lmtp sieve
disable_plaintext_auth = yes
auth_mechanisms = plain login scram-sha-1
service managesieve-login {
inet_listener sieve {
port = 4190
ssl = yes
}
service_count = 1
}
service managesieve {
process_limit = 256
}
protocol sieve {
managesieve_max_line_length = 65536
}(please let me know if you need more details).
When I connect via
openssl s_client -connect $myserver:4190I get the following prompt (after the usual certificate prompt):
"IMPLEMENTATION" "Dovecot (Ubuntu) Pigeonhole"
"SIEVE" "fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext vacation-seconds imapsieve vnd.dovecot.imapsieve" "NOTIFY" "mailto" "SASL" "PLAIN LOGIN SCRAM-SHA-1" "VERSION" "1.0" OK "Dovecot (Ubuntu) ready."
and I can login successfully:
AUTHENTICATE "PLAIN" "base64(0x00 $user 0x00 $password)"
OK "Logged In."Note how this is different from the troubleshooting guide 1, which suggests gnutls-bin and waiting for the STARTTLS capability before hitting Ctrl-D. This is what I get with gnutls-bin:
$ gnutls-cli --starttls --insecure -p 4190 $myserver
Processed 0 CA certificate(s).
Resolving '$myserver:4190'...
Connecting to '$myserverip:4190'...
- Simple Client Mode:
_where "_" denotes the waiting prompt. When I hit Ctrl-D here, I get an output similar that of s_client.
Now, my problem are the clients: neither Thunderbird's sieve extenstion 2, nor the Ruby ManageSieve class 3, nor Roundcube's managesieve plugin 4 (via Net_Sieve module 5) are able to communicate with my server. They all wait for a "STARTTLS" line, before they attempt to perform a TLS handshake.
This leads me to my question: How do I force Dovecot to print at least a STARTTLS line after a client connects to port 4190? Looking
Kind regards, Dominik
I've missed a part at the end:
This leads me to my question: How do I force Dovecot to print at least a STARTTLS line after a client connects to port 4190? Looking
... at the default configuration files in /etc/dovecot/conf.d/ I don't see an obvious difference.
--Dominik
On 10.1.2019 18.28, Dominik Menke wrote:
I've missed a part at the end:
This leads me to my question: How do I force Dovecot to print at least a STARTTLS line after a client connects to port 4190? Looking
... at the default configuration files in /etc/dovecot/conf.d/ I don't see an obvious difference.
--Dominik
Can you provide output of doveconf -n
Aki
Sure, here you go (I've masked a few unimportant fields, though):
# 2.2.33.2 (d6601f4ec): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.21 (92477967)
# OS: Linux 4.15.0-42-generic x86_64 Ubuntu 18.04.1 LTS
auth_default_realm = masked
auth_master_user_separator = *
auth_mechanisms = plain login scram-sha-1
default_vsz_limit = 4 G
doveadm_worker_count = 8
log_path = /dev/stderr
mail_attachment_dir = /var/mail/sis
mail_attachment_hash = %{sha256}
mail_location = mdbox:~/mdbox
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext vacation-seconds imapsieve vnd.dovecot.imapsieve mdbox_rotate_size = 128 M namespace inbox { inbox = yes location = mailbox Drafts { auto = subscribe special_use = \Drafts } mailbox Junk { auto = subscribe special_use = \Junk } mailbox Sent { auto = subscribe special_use = \Sent } mailbox Trash { auto = subscribe special_use = \Trash } prefix = } passdb { args = username_format=%n /etc/dovecot/passwd.masterusers driver = passwd-file master = yes pass = yes } passdb { args = username_format=%n /etc/dovecot/passwd driver = passwd-file } plugin { imapsieve_mailbox1_before = file:/etc/dovecot/sieve/learn-spam.sieve imapsieve_mailbox1_cause = COPY FLAG imapsieve_mailbox1_name = Junk imapsieve_mailbox2_before = file:/etc/dovecot/sieve/learn-ham.sieve imapsieve_mailbox2_causes = COPY imapsieve_mailbox2_from = Junk imapsieve_mailbox2_name = * sieve = ~/dovecot.sieve sieve_after = /etc/dovecot/sieve/after sieve_dir = ~/sieve sieve_extensions = +vacation-seconds sieve_global_extensions = +vnd.dovecot.pipe sieve_pipe_bin_dir = /etc/dovecot/sieve sieve_plugins = sieve_imapsieve sieve_extprograms sieve_vacation_default_period = 1d sieve_vacation_max_period = 30d sieve_vacation_min_period = 1d } protocols = imap lmtp sieve service auth { unix_listener /var/spool/postfix/private/dovecot-auth { group = postfix mode = 0600 user = postfix } } service imap-login { inet_listener imap { port = 143 } inet_listener imaps { port = 993 ssl = yes } process_limit = 128 } service lmtp { unix_listener /var/spool/postfix/private/dovecot-lmtp { group = postfix mode = 0600 user = postfix } } service managesieve-login { inet_listener sieve { port = 4190 ssl = yes } service_count = 1 } service managesieve { process_limit = 256 } ssl_cert =
--Dominik
On 1/11/19 9:44 AM, Aki Tuomi wrote:
On 10.1.2019 18.28, Dominik Menke wrote:
I've missed a part at the end:
This leads me to my question: How do I force Dovecot to print at least a STARTTLS line after a client connects to port 4190? Looking
... at the default configuration files in /etc/dovecot/conf.d/ I don't see an obvious difference.
--Dominik
Can you provide output of
doveconf -nAki
-- Digineo GmbH Fahrenheitstraße 15 28359 Bremen
Telefon: +49 421 167 66 090 Telefax: +49 421 167 66 099
E-Mail: dom@digineo.de Internet: www.digineo.de
Geschäftsführer: Dipl.-Inf. Julian Kornberger Amtsgericht Bremen HRB 25061 USt-ID: DE 815023724
Hi Dominik,
I have set ssl = required in 10-ssl.conf globally but no ssl here:
service managesieve-login {
inet_listener sieve {
port = 4190
}
...
}
Nevertheless, STARTTLS is offered
"IMPLEMENTATION" "Dovecot Pigeonhole" "SIEVE" "fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext" "NOTIFY" "mailto" "SASL" "" "STARTTLS" "VERSION" "1.0" OK "service active"
and the connection will be encrypted (tested with roudcube webmail)
STARTTLS < OK "Begin TLS negotiation now."
...
You can check if it works with tcpdump:
tcpdump -nn -l -A -i eth0 port 4190
Best regards Gerald
Am 11.01.2019 um 09:59 schrieb Dominik Menke dom@digineo.de:
Sure, here you go (I've masked a few unimportant fields, though):
# 2.2.33.2 (d6601f4ec): /etc/dovecot/dovecot.conf # Pigeonhole version 0.4.21 (92477967) # OS: Linux 4.15.0-42-generic x86_64 Ubuntu 18.04.1 LTS auth_default_realm = masked auth_master_user_separator = * auth_mechanisms = plain login scram-sha-1 default_vsz_limit = 4 G doveadm_worker_count = 8 log_path = /dev/stderr mail_attachment_dir = /var/mail/sis mail_attachment_hash = %{sha256} mail_location = mdbox:~/mdbox managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext vacation-seconds imapsieve vnd.dovecot.imapsieve mdbox_rotate_size = 128 M namespace inbox { inbox = yes location = mailbox Drafts { auto = subscribe special_use = \Drafts } mailbox Junk { auto = subscribe special_use = \Junk } mailbox Sent { auto = subscribe special_use = \Sent } mailbox Trash { auto = subscribe special_use = \Trash } prefix = } passdb { args = username_format=%n /etc/dovecot/passwd.masterusers driver = passwd-file master = yes pass = yes } passdb { args = username_format=%n /etc/dovecot/passwd driver = passwd-file } plugin { imapsieve_mailbox1_before = file:/etc/dovecot/sieve/learn-spam.sieve imapsieve_mailbox1_cause = COPY FLAG imapsieve_mailbox1_name = Junk imapsieve_mailbox2_before = file:/etc/dovecot/sieve/learn-ham.sieve imapsieve_mailbox2_causes = COPY imapsieve_mailbox2_from = Junk imapsieve_mailbox2_name = * sieve = ~/dovecot.sieve sieve_after = /etc/dovecot/sieve/after sieve_dir = ~/sieve sieve_extensions = +vacation-seconds sieve_global_extensions = +vnd.dovecot.pipe sieve_pipe_bin_dir = /etc/dovecot/sieve sieve_plugins = sieve_imapsieve sieve_extprograms sieve_vacation_default_period = 1d sieve_vacation_max_period = 30d sieve_vacation_min_period = 1d } protocols = imap lmtp sieve service auth { unix_listener /var/spool/postfix/private/dovecot-auth { group = postfix mode = 0600 user = postfix } } service imap-login { inet_listener imap { port = 143 } inet_listener imaps { port = 993 ssl = yes } process_limit = 128 } service lmtp { unix_listener /var/spool/postfix/private/dovecot-lmtp { group = postfix mode = 0600 user = postfix } } service managesieve-login { inet_listener sieve { port = 4190 ssl = yes } service_count = 1 } service managesieve { process_limit = 256 } ssl_cert =
--Dominik
On 1/11/19 9:44 AM, Aki Tuomi wrote:
On 10.1.2019 18.28, Dominik Menke wrote:
I've missed a part at the end:
This leads me to my question: How do I force Dovecot to print at least a STARTTLS line after a client connects to port 4190? Looking
... at the default configuration files in /etc/dovecot/conf.d/ I don't see an obvious difference.
--Dominik Can you provide output of
doveconf -nAki-- Digineo GmbH Fahrenheitstraße 15 28359 Bremen
Telefon: +49 421 167 66 090 Telefax: +49 421 167 66 099
E-Mail: dom@digineo.de Internet: www.digineo.de
Geschäftsführer: Dipl.-Inf. Julian Kornberger Amtsgericht Bremen HRB 25061 USt-ID: DE 815023724
Hello Gerald,
that did the trick, thank you very much!
--Dominik
On 1/11/19 10:54 AM, Gerald Galster wrote:
Hi Dominik,
I have set ssl = required in 10-ssl.conf globally but no ssl here:
service managesieve-login { inet_listener sieve { port = 4190 } ... }
Nevertheless, STARTTLS is offered
"IMPLEMENTATION" "Dovecot Pigeonhole" "SIEVE" "fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext" "NOTIFY" "mailto" "SASL" "" "STARTTLS" "VERSION" "1.0" OK "service active"
and the connection will be encrypted (tested with roudcube webmail)
STARTTLS < OK "Begin TLS negotiation now."
...
You can check if it works with tcpdump:
tcpdump -nn -l -A -i eth0 port 4190
Best regards Gerald
Am 11.01.2019 um 09:59 schrieb Dominik Menke dom@digineo.de:
Sure, here you go (I've masked a few unimportant fields, though):
# 2.2.33.2 (d6601f4ec): /etc/dovecot/dovecot.conf # Pigeonhole version 0.4.21 (92477967) # OS: Linux 4.15.0-42-generic x86_64 Ubuntu 18.04.1 LTS auth_default_realm = masked auth_master_user_separator = * auth_mechanisms = plain login scram-sha-1 default_vsz_limit = 4 G doveadm_worker_count = 8 log_path = /dev/stderr mail_attachment_dir = /var/mail/sis mail_attachment_hash = %{sha256} mail_location = mdbox:~/mdbox managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext vacation-seconds imapsieve vnd.dovecot.imapsieve mdbox_rotate_size = 128 M namespace inbox { inbox = yes location = mailbox Drafts { auto = subscribe special_use = \Drafts } mailbox Junk { auto = subscribe special_use = \Junk } mailbox Sent { auto = subscribe special_use = \Sent } mailbox Trash { auto = subscribe special_use = \Trash } prefix = } passdb { args = username_format=%n /etc/dovecot/passwd.masterusers driver = passwd-file master = yes pass = yes } passdb { args = username_format=%n /etc/dovecot/passwd driver = passwd-file } plugin { imapsieve_mailbox1_before = file:/etc/dovecot/sieve/learn-spam.sieve imapsieve_mailbox1_cause = COPY FLAG imapsieve_mailbox1_name = Junk imapsieve_mailbox2_before = file:/etc/dovecot/sieve/learn-ham.sieve imapsieve_mailbox2_causes = COPY imapsieve_mailbox2_from = Junk imapsieve_mailbox2_name = * sieve = ~/dovecot.sieve sieve_after = /etc/dovecot/sieve/after sieve_dir = ~/sieve sieve_extensions = +vacation-seconds sieve_global_extensions = +vnd.dovecot.pipe sieve_pipe_bin_dir = /etc/dovecot/sieve sieve_plugins = sieve_imapsieve sieve_extprograms sieve_vacation_default_period = 1d sieve_vacation_max_period = 30d sieve_vacation_min_period = 1d } protocols = imap lmtp sieve service auth { unix_listener /var/spool/postfix/private/dovecot-auth { group = postfix mode = 0600 user = postfix } } service imap-login { inet_listener imap { port = 143 } inet_listener imaps { port = 993 ssl = yes } process_limit = 128 } service lmtp { unix_listener /var/spool/postfix/private/dovecot-lmtp { group = postfix mode = 0600 user = postfix } } service managesieve-login { inet_listener sieve { port = 4190 ssl = yes } service_count = 1 } service managesieve { process_limit = 256 } ssl_cert = </masked/path/to/server.crt ssl_key = # hidden, use -P to show it userdb { args = uid=vmail gid=vmail home=/var/mail/users/%n driver = static } verbose_proctitle = yes protocol lmtp { mail_plugins = " sieve notify push_notification" ssl = no } protocol imap { mail_plugins = " imap_sieve" } protocol sieve { mail_debug = yes managesieve_max_line_length = 65536 }--Dominik
On 1/11/19 9:44 AM, Aki Tuomi wrote:
On 10.1.2019 18.28, Dominik Menke wrote:
I've missed a part at the end:
This leads me to my question: How do I force Dovecot to print at least a STARTTLS line after a client connects to port 4190? Looking
... at the default configuration files in /etc/dovecot/conf.d/ I don't see an obvious difference.
--Dominik Can you provide output of
doveconf -nAki
Hello Gerald,
that did the trick, thank you very much!
--Dominik
On 1/11/19 10:54 AM, Gerald Galster wrote:
Hi Dominik,
I have set ssl = required in 10-ssl.conf globally but no ssl here:
service managesieve-login { inet_listener sieve { port = 4190 } ... }
For reference: if you put ssl=yes there, the TLS layer is established immediately. However, the standard ManageSieve protocol does not support
Op 11/01/2019 om 16:05 schreef Dominik Menke: that (not currently anyway): only the establishment of the TLS layer using the STARTTLS command is part of the standard. That is why your clients fail to connect: they're speaking plaintext while the server is speaking TLS. Still, Dovecot supports configuring it that way, which is what you did.
Regards,
Stephan.
Nevertheless, STARTTLS is offered
"IMPLEMENTATION" "Dovecot Pigeonhole" "SIEVE" "fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext" "NOTIFY" "mailto" "SASL" "" "STARTTLS" "VERSION" "1.0" OK "service active"
and the connection will be encrypted (tested with roudcube webmail)
STARTTLS < OK "Begin TLS negotiation now."
...
You can check if it works with tcpdump:
tcpdump -nn -l -A -i eth0 port 4190
Best regards Gerald
Am 11.01.2019 um 09:59 schrieb Dominik Menke dom@digineo.de:
Sure, here you go (I've masked a few unimportant fields, though):
# 2.2.33.2 (d6601f4ec): /etc/dovecot/dovecot.conf # Pigeonhole version 0.4.21 (92477967) # OS: Linux 4.15.0-42-generic x86_64 Ubuntu 18.04.1 LTS auth_default_realm = masked auth_master_user_separator = * auth_mechanisms = plain login scram-sha-1 default_vsz_limit = 4 G doveadm_worker_count = 8 log_path = /dev/stderr mail_attachment_dir = /var/mail/sis mail_attachment_hash = %{sha256} mail_location = mdbox:~/mdbox managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext vacation-seconds imapsieve vnd.dovecot.imapsieve mdbox_rotate_size = 128 M namespace inbox { inbox = yes location = mailbox Drafts { auto = subscribe special_use = \Drafts } mailbox Junk { auto = subscribe special_use = \Junk } mailbox Sent { auto = subscribe special_use = \Sent } mailbox Trash { auto = subscribe special_use = \Trash } prefix = } passdb { args = username_format=%n /etc/dovecot/passwd.masterusers driver = passwd-file master = yes pass = yes } passdb { args = username_format=%n /etc/dovecot/passwd driver = passwd-file } plugin { imapsieve_mailbox1_before = file:/etc/dovecot/sieve/learn-spam.sieve imapsieve_mailbox1_cause = COPY FLAG imapsieve_mailbox1_name = Junk imapsieve_mailbox2_before = file:/etc/dovecot/sieve/learn-ham.sieve imapsieve_mailbox2_causes = COPY imapsieve_mailbox2_from = Junk imapsieve_mailbox2_name = * sieve = ~/dovecot.sieve sieve_after = /etc/dovecot/sieve/after sieve_dir = ~/sieve sieve_extensions = +vacation-seconds sieve_global_extensions = +vnd.dovecot.pipe sieve_pipe_bin_dir = /etc/dovecot/sieve sieve_plugins = sieve_imapsieve sieve_extprograms sieve_vacation_default_period = 1d sieve_vacation_max_period = 30d sieve_vacation_min_period = 1d } protocols = imap lmtp sieve service auth { unix_listener /var/spool/postfix/private/dovecot-auth { group = postfix mode = 0600 user = postfix } } service imap-login { inet_listener imap { port = 143 } inet_listener imaps { port = 993 ssl = yes } process_limit = 128 } service lmtp { unix_listener /var/spool/postfix/private/dovecot-lmtp { group = postfix mode = 0600 user = postfix } } service managesieve-login { inet_listener sieve { port = 4190 ssl = yes } service_count = 1 } service managesieve { process_limit = 256 } ssl_cert =
--Dominik
On 1/11/19 9:44 AM, Aki Tuomi wrote:
On 10.1.2019 18.28, Dominik Menke wrote:
I've missed a part at the end:
This leads me to my question: How do I force Dovecot to print at least a STARTTLS line after a client connects to port 4190? Looking
... at the default configuration files in /etc/dovecot/conf.d/ I don't see an obvious difference.
--Dominik Can you provide output of
doveconf -nAki
For reference: if you put ssl=yes there, the TLS layer is established immediately. However, the standard ManageSieve protocol does not support that (not currently anyway): only the establishment of the TLS layer using the STARTTLS command is part of the standard. That is why your clients fail to connect: they're speaking plaintext while the server is speaking TLS. Still, Dovecot supports configuring it that way, which is what you did.
Regards,
Stephan.
I'm just surprised that ssl=yes leads to STARTTLS being disabled, as per the wiki 1:
ssl=yes and disable_plaintext_auth=no: SSL/TLS is offered to the client, but the client isn't required to use it. [...]
ssl=yes and disable_plaintext_auth=yes: SSL/TLS is offered to the client, but the client isn't required to use it. [...]
ssl=required: SSL/TLS is always required [...]. Any attempt to authenticate before SSL/TLS is enabled will cause an authentication failure.
Maybe this bit needs to be clarified a bit? I think I've read that page a few times and it still didn't occur to me that this could be a problem.
Best regards, --Dominik
Op 13/01/2019 om 00:22 schreef Dominik Menke:
For reference: if you put ssl=yes there, the TLS layer is established immediately. However, the standard ManageSieve protocol does not support that (not currently anyway): only the establishment of the TLS layer using the STARTTLS command is part of the standard. That is why your clients fail to connect: they're speaking plaintext while the server is speaking TLS. Still, Dovecot supports configuring it that way, which is what you did.
Regards,
Stephan.
I'm just surprised that ssl=yes leads to STARTTLS being disabled, as per the wiki 1:
With ssl=yes, the TLS layer is enabled immediately on the connection. So, there is no need to perform STARTTLS. But worse, a client that doesn't work this way will try to send "STARTTLS" in plaintext to a service talking TLS already. This will obviously not work.
Regards,
Stephan.
ssl=yes and disable_plaintext_auth=no: SSL/TLS is offered to the client, but the client isn't required to use it. [...]
ssl=yes and disable_plaintext_auth=yes: SSL/TLS is offered to the client, but the client isn't required to use it. [...]
ssl=required: SSL/TLS is always required [...]. Any attempt to authenticate before SSL/TLS is enabled will cause an authentication failure.
Maybe this bit needs to be clarified a bit? I think I've read that page a few times and it still didn't occur to me that this could be a problem.
Best regards, --Dominik
On 1/13/19 12:23 PM, Stephan Bosch wrote:
With ssl=yes, the TLS layer is enabled immediately on the connection.
Again, that's not what the documentation says:
ssl=yes [...]: SSL/TLS is offered to the client, but the client
isn't required to use it.If the client is not _required_ to use it, it _may_ chose plaintext transport, no?
(I'm not here to argue, I'm just pointing out an issue with the wiki).
--Dominik
Op 14-1-2019 om 9:58 schreef Dominik Menke:
On 1/13/19 12:23 PM, Stephan Bosch wrote:
With ssl=yes, the TLS layer is enabled immediately on the connection.
Again, that's not what the documentation says:
ssl=yes [...]: SSL/TLS is offered to the client, but the client isn't required to use it.
If the client is not _required_ to use it, it _may_ chose plaintext transport, no?
(I'm not here to argue, I'm just pointing out an issue with the wiki).
Oh, I think we are talking about different things here. You're talking about the global ssl= setting. I am talking about the ssl = yes inside the service listener configuration (https://wiki.dovecot.org/Services#inet_listeners). The former specifies whether SSL is available/required for user connections in general, whereas the latter specifies whether the service activates the TLS layer immediately for that particular listener. The latter is also where you made the configuration mistake.
Regards,
Stephan
On 1/14/19 11:02 AM, Stephan Bosch wrote:
Op 14-1-2019 om 9:58 schreef Dominik Menke:
On 1/13/19 12:23 PM, Stephan Bosch wrote:
With ssl=yes, the TLS layer is enabled immediately on the connection.
Again, that's not what the documentation says:
ssl=yes [...]: SSL/TLS is offered to the client, but the client isn't required to use it.
If the client is not _required_ to use it, it _may_ chose plaintext transport, no?
(I'm not here to argue, I'm just pointing out an issue with the wiki).
Oh, I think we are talking about different things here. You're talking about the global ssl= setting. I am talking about the ssl = yes inside the service listener configuration (https://wiki.dovecot.org/Services#inet_listeners). The former specifies whether SSL is available/required for user connections in general, whereas the latter specifies whether the service activates the TLS layer immediately for that particular listener. The latter is also where you made the configuration mistake.
Oh, I see! Thanks for the clarification :-) --Dominik
participants (4)
-
Aki Tuomi
-
Dominik Menke
-
Gerald Galster
-
Stephan Bosch