[Dovecot] v2.0.beta1 released
http://dovecot.org/releases/2.0/beta/dovecot-2.0.beta1.tar.gz http://dovecot.org/releases/2.0/beta/dovecot-2.0.beta1.tar.gz.sig
Now that v2.0 is in beta stage I don't expect anything big to change anymore. The configuration and the APIs shouldn't change in non-backwards compatible ways. There are still bugs left to be fixed and some small features to be implemented, but I'd like to have people start testing it more.
The biggest unimplemented "feature" is how to convert v1.x configuration easily/automatically to v2.0. Either the old config file should be translated to new one, or Dovecot should be able to read the old config file as-is. I think I like the translation better, so that people won't still be using v1.x configuration when v2.1 arrives and drops v1.x support.
Largest changes since alpha3:
- if some IP address is failing authentications, all auth attempts from the IP are delayed increasingly. a successful auth drops the delay. max delay is 15 seconds. this is enforced by auth process, so it works across different connections/processes/protocols.
- lib-storage plugin API changed. processes handling multiple users now support different plugins for different users.
- expire plugin's settings work a bit differently now: http://hg.dovecot.org/dovecot-2.0/rev/46691becc45e
- post-login scripting works again, see http://dovecot.org/list/dovecot/2009-December/045139.html
- Tons of fixes
On Mon, Dec 14, 2009 at 6:12 AM, Timo Sirainen tss@iki.fi wrote:
http://dovecot.org/releases/2.0/beta/dovecot-2.0.beta1.tar.gz http://dovecot.org/releases/2.0/beta/dovecot-2.0.beta1.tar.gz.sig
FreeBSD 6.4 (yes, it is old but I have been running the latest alpha on it):
/usr/local/bin/bash ../../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I../.. -std=gnu99 -g -O2 -Wall -W -Wmissing-prototypes -Wmissing-declarations -Wpointer-arith -Wchar-subscripts -Wformat=2 -Wbad-function-cast -I/usr/local/include -MT env-util.lo -MD -MP -MF .deps/env-util.Tpo -c -o env-util.lo env-util.c libtool: compile: gcc -DHAVE_CONFIG_H -I. -I../.. -std=gnu99 -g -O2 -Wall -W -Wmissing-prototypes -Wmissing-declarations -Wpointer-arith -Wchar-subscripts -Wformat=2 -Wbad-function-cast -I/usr/local/include -MT env-util.lo -MD -MP -MF .deps/env-util.Tpo -c env-util.c -fPIC -DPIC -o .libs/env-util.o env-util.c: In function `env_remove': env-util.c:28: error: void value not ignored as it ought to be *** Error code 1
Stop in /usr/home/wash/Tools/Dovecot/dovecot-2.0/dovecot-2.0.beta1/src/lib. *** Error code 1
Stop in /usr/home/wash/Tools/Dovecot/dovecot-2.0/dovecot-2.0.beta1/src/lib. *** Error code 1
Stop in /usr/home/wash/Tools/Dovecot/dovecot-2.0/dovecot-2.0.beta1/src. *** Error code 1
Stop in /usr/home/wash/Tools/Dovecot/dovecot-2.0/dovecot-2.0.beta1. *** Error code 1
Stop in /usr/home/wash/Tools/Dovecot/dovecot-2.0/dovecot-2.0.beta1.
-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254733744121/+254722743223
"If you have nothing good to say about someone, just shut up!." -- Lucky Dube
On Tue, 2009-12-15 at 11:39 +0300, Odhiambo Washington wrote:
env-util.c: In function `env_remove': env-util.c:28: error: void value not ignored as it ought to be
On Sun, 2009-12-13 at 22:12 -0500, Timo Sirainen wrote:
http://dovecot.org/releases/2.0/beta/dovecot-2.0.beta1.tar.gz http://dovecot.org/releases/2.0/beta/dovecot-2.0.beta1.tar.gz.sig
Testing this in low volume very simple setup and seems to work fine after a day. Configuration is just plain pam/passwd, Maildirs and postfix using dovecot-lda and sasl auth.
On an unrelated note: I also felt brave and installed dovecot-2.0-sieve from pigeonhole mercurial repository. It works fine.
dovecot-2.0-managesieve does not even build though. I know this is not for you Timo, but here is the debug output anyway if anyone cares.
ciao
Luca
Making all in managesieve
make[3]: Entering directory
/usr/local/src/dovecot/dovecot-2.0-managesieve/src/managesieve' /bin/sh ../../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I../.. -I/usr/local/src/dovecot/dovecot-2.0.beta1 -I/usr/local/src/dovecot/dovecot-2.0.beta1/src/lib -I/usr/local/src/dovecot/dovecot-2.0.beta1/src/lib-settings -I/usr/local/src/dovecot/dovecot-2.0.beta1/src/lib-dict -I/usr/local/src/dovecot/dovecot-2.0.beta1/src/lib-master -I/usr/local/src/dovecot/dovecot-2.0.beta1/src/lib-mail -I/usr/local/src/dovecot/dovecot-2.0.beta1/src/lib-index -I/usr/local/src/dovecot/dovecot-2.0.beta1/src/lib-storage -DMODULEDIR= \""/usr/local/lib/dovecot"\" -I../../src/lib-managesieve -I../../src/lib-sievestorage -I/usr/local/src/dovecot/dovecot-2.0-sieve -I/usr/local/src/dovecot/dovecot-2.0-sieve/src/lib-sieve -std=gnu99 -g -O2 -Wall -W -Wmissing-prototypes -Wmissing-declarations -Wpointer-arith -Wchar-subscripts -Wformat=2 -Wbad-function-cast -Wstrict-aliasing=2 -MT managesieve-settings.lo -MD -MP -MF .deps/managesieve-settings.Tpo -c -o managesieve-settings.lo managesieve-settings.c gcc -DHAVE_CONFIG_H -I. -I../.. -I/usr/local/src/dovecot/dovecot-2.0.beta1 -I/usr/local/src/dovecot/dovecot-2.0.beta1/src/lib -I/usr/local/src/dovecot/dovecot-2.0.beta1/src/lib-settings -I/usr/local/src/dovecot/dovecot-2.0.beta1/src/lib-dict -I/usr/local/src/dovecot/dovecot-2.0.beta1/src/lib-master -I/usr/local/src/dovecot/dovecot-2.0.beta1/src/lib-mail -I/usr/local/src/dovecot/dovecot-2.0.beta1/src/lib-index -I/usr/local/src/dovecot/dovecot-2.0.beta1/src/lib-storage -DMODULEDIR= \"/usr/local/lib/dovecot\" -I../../src/lib-managesieve -I../../src/lib-sievestorage -I/usr/local/src/dovecot/dovecot-2.0-sieve -I/usr/local/src/dovecot/dovecot-2.0-sieve/src/lib-sieve -std=gnu99 -g -O2 -Wall -W -Wmissing-prototypes -Wmissing-declarations -Wpointer-arith -Wchar-subscripts -Wformat=2 -Wbad-function-cast -Wstrict-aliasing=2 -MT managesieve-settings.lo -MD -MP -MF .deps/managesieve-settings.Tpo -c managesieve-settings.c -fPIC -DPIC -o .libs/managesieve-settings.o managesieve-settings.c:30: warning: implicit declaration of function 'MEMBER' managesieve-settings.c:30: error: 'name' undeclared here (not in a function) managesieve-settings.c:30: error: initializer element is not constant managesieve-settings.c:30: error: (near initialization for 'managesieve_settings_service_settings.name') managesieve-settings.c:30: error: expected '}' before string constant managesieve-settings.c:76: error: 'mail_debug' undeclared here (not in a function) managesieve-settings.c:76: error: called object 'MEMBER((struct setting_define *)&<erroneous-expression>)' is not a function managesieve-settings.c:76: error: initializer element is not constant managesieve-settings.c:76: error: (near initialization for 'managesieve_default_settings.mail_debug') managesieve-settings.c:77: error: 'verbose_proctitle' undeclared here (not in a function) managesieve-settings.c:77: error: called object 'MEMBER((struct setting_define *)&<erroneous-expression>)' is not a function managesieve-settings.c:77: error: initializer element is not constant managesieve-settings.c:77: error: (near initialization for 'managesieve_default_settings.verbose_proctitle') managesieve-settings.c:82: error: 'managesieve_max_line_length' undeclared here (not in a function) managesieve-settings.c:82: error: initializer element is not constant managesieve-settings.c:82: error: (near initialization for 'managesieve_default_settings.managesieve_max_line_length') managesieve-settings.c:82: error: expected '}' before numeric constant managesieve-settings.c:95: error: 'module_name' undeclared here (not in a function) managesieve-settings.c:95: error: initializer element is not constant managesieve-settings.c:95: error: (near initialization for 'managesieve_setting_parser_info.module_name') managesieve-settings.c:95: error: expected '}' before string constant make[3]: *** [managesieve-settings.lo] Error 1 make[3]: Leaving directory /usr/local/src/dovecot/dovecot-2.0-managesieve/src/managesieve'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory
/usr/local/src/dovecot/dovecot-2.0-managesieve/src' make[1]: *** [all-recursive] Error 1 make[1]: Leaving directory /usr/local/src/dovecot/dovecot-2.0-managesieve'
make: *** [all] Error 2
On 12/15/2009 10:31 PM Luca Corti wrote:
… dovecot-2.0-managesieve does not even build though. I know this is not for you Timo, but here is the debug output anyway if anyone cares. … Making all in managesieve … managesieve-settings.c:30: warning: implicit declaration of function 'MEMBER' managesieve-settings.c:30: error: 'name' undeclared here (not in a function)
There were a few API changes in the past. My ManageSieve installation is working so far. The necessary modifications are attached as patch. (But remember: There is no guarantee …)
Regards, Pascal
The trapper recommends today: deadbeef.0934922@localdomain.org
On 12/15/2009 10:48 PM, Pascal Volk wrote:
There were a few API changes in the past. My ManageSieve installation is working so far. The necessary modifications are attached as patch. (But remember: There is no guarantee …)
Thanks a lot Pascal for sharing the patch. I don't expect guarantees.
I patched and compiled fine, then added
protocols = ... managesieve
and
service managesieve { inet_listener { port = 2000 } }
service managesieve{ }
to dovecot.conf and master.conf respectively.
Seems to work, but complains after login about not finding the active script.
dovecot: managesieve(someuser): sieve-storage: Active sieve script symlink /home/someuser/.dovecot.sieve is broken: invalid/unknown path to storage (points to /somepath/user/sieve/.dovecot.sieve.sieve).
But the script seems to be there as expected. Have you encountered anything ilike this in your setup?
thanks again
Luca
On 12/16/2009 04:15 AM Luca Corti wrote:
… I patched and compiled fine, then added
protocols = ... managesieve
and
service managesieve { inet_listener { port = 2000 } }
Are you sure? Or was it: 'service managesieve-login {…}'? BTW: Use port 4190 http://www.iana.org/assignments/port-numbers: (last updated 2009-12-15) … sieve 4190/tcp ManageSieve Protocol
service managesieve{ }
This is optional.
Seems to work, but complains after login about not finding the active script.
dovecot: managesieve(someuser): sieve-storage: Active sieve script symlink /home/someuser/.dovecot.sieve is broken: invalid/unknown path to storage (points to /somepath/user/sieve/.dovecot.sieve.sieve).
But the script seems to be there as expected. Have you encountered anything ilike this in your setup?
No, I've seen nothing like that. Additional to your above mentioned settings I've got this settings:
# plugin.conf plugin { sieve = ~/.dovecot.sieve sieve_dir = ~/sieve # some none sieve related settings }
Your userdb returns a home value? I'm asking because one time /home/someuser and the other one /somepath/user.
Regards, Pascal
The trapper recommends today: cafebabe.0935004@localdomain.org
On Wed, 2009-12-16 at 05:01 +0100, Pascal Volk wrote:
service managesieve { inet_listener { port = 2000 } }
Are you sure? Or was it: 'service managesieve-login {…}'?
Right, stupid typo, in the config is obviously correct.
BTW: Use port 4190 http://www.iana.org/assignments/port-numbers: (last updated 2009-12-15) … sieve 4190/tcp ManageSieve Protocol
Oh, great. Changed.
service managesieve{ }
This is optional.
Thanks, I've moved it out.
No, I've seen nothing like that. Additional to your above mentioned settings I've got this settings:
# plugin.conf plugin { sieve = ~/.dovecot.sieve sieve_dir = ~/sieve # some none sieve related settings }
Yes, me too:
plugin { sieve = ~/.dovecot.sieve sieve_dir = ~/sieve sieve_extensions = +notify +imapflags }
Your userdb returns a home value? I'm asking because one time /home/someuser and the other one /somepath/user.
mail_location = maildir:/somepath/%u
...
userdb { args = blocking=yes driver = passwd }
I added blocking right now because I just realized users are in LDAP.
/home/someuser/.dovecot.sieve is a symlink to /somepath/user/.dovecot.sieve.sieve
By the way, I just reloaded dovecot with the few changes highligthed in this mail and it does not give the error I described...
I could also alter my filters from Horde Ingo, but strangely enough it won't display the currently active script and managesieve does not log anything anymore about the sieve script not being there.
I tried adding a new sieve fileinto rule, which works. Sent a test mail which would match the filter and dovecot also logged this
Dec 17 20:45:35 someserver dovecot: lda(someuser): rename(/somepath/someuser/dovecot-uidvalidity, /somepath/someuser/luca/dovecot-uidvalidity) failed: No such file or directory
But now both sieve and managesieve seem to work.
thanks for your time
Luca
On Thu, 2009-12-17 at 20:56 +0100, Luca Corti wrote:
I could also alter my filters from Horde Ingo, but strangely enough it won't display the currently active script and managesieve does not log anything anymore about the sieve script not being there.
Ignore this one, it's an issue with Ingo apparently. Still wondering what fixed the symlink error though.
thanks
Luca
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 17-12-2009 21:21, Luca Corti wrote:
On Thu, 2009-12-17 at 20:56 +0100, Luca Corti wrote:
I could also alter my filters from Horde Ingo, but strangely enough it won't display the currently active script and managesieve does not log anything anymore about the sieve script not being there.
Ignore this one, it's an issue with Ingo apparently. Still wondering what fixed the symlink error though.
thanks
Luca
Off-topic: could you tell me how you configured Ingo to work with ManageSieve? I tried following the guide on the Horde website, but it doesn't work for me. I defined the Dovecot backend, but I don't get how I go from there. Here is the relevant part:
$backends['dovecot'] = array( 'driver' => 'timsieved', 'preferred' => 'localhost', 'hordeauth' => true, 'params' => array( // Hostname of the timsieved server 'hostspec' => 'localhost', // Login type of the server 'logintype' => 'PLAIN', // Enable/disable TLS encryption 'usetls' => true, // Port number of the timsieved server 'port' => 2000, // Name of the sieve script 'scriptname' => 'ingo', // The following settings can be used to specify an administration // user to update all users' scripts. If you want to use an admin // user, you also need to disable 'hordeauth' above. You have to use // an admin user if you want to use shared rules. // 'username' => 'cyrus', // 'password' => '*****', ), 'script' => 'sieve', 'scriptparams' => array(), 'shares' => false );
-----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.12 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAksqmrgACgkQkPq5zKsAFijYLwCfbWlYo6atN4Xa2cZdtRiAwU6b hiYAnjZZALPlzZWOfbZqgvs5eyGg/qYd =JuTV -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 17-12-2009 22:02, Luca Corti wrote:
On Thu, 2009-12-17 at 21:55 +0100, Nick Douma wrote:
// Name of the sieve script 'scriptname' => 'ingo','scriptname' => '.dovecot.sieve',
Everything else seems good to me.
ciao
Luca
Ok, but how do I tell ingo to use this backend? I can't find a config entry of something in the Horde Administration panels that seem to control this. Also, when I click filters, I don't see my already present Sieve filters. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.12 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAksqn1AACgkQkPq5zKsAFijgxwCfQI/FkKpqa/H8PztAxiJ+oAaK R+MAn2oyQHHi1y3EjGrVIVLfp2rS9kEC =qkvj -----END PGP SIGNATURE-----
On Thu, 2009-12-17 at 22:14 +0100, Nick Douma wrote:
Ok, but how do I tell ingo to use this backend? I can't find a config entry of something in the Horde Administration panels that seem to control this. Also, when I click filters, I don't see my already present Sieve filters.
Just leave only that backend uncommented in backends.php
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 17-12-2009 23:06, Luca Corti wrote:
On Thu, 2009-12-17 at 22:14 +0100, Nick Douma wrote:
Ok, but how do I tell ingo to use this backend? I can't find a config entry of something in the Horde Administration panels that seem to control this. Also, when I click filters, I don't see my already present Sieve filters.
Just leave only that backend uncommented in backends.php
Actually, I figured it out. I needed to set the 'preferred' setting to the right hostname. In my case it was the web address of the server that Horde runs on (mail.domain.tld) instead of localhost or just domain.tld. Now it works like a charm. Thanks for the help. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.12 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAksqrC0ACgkQkPq5zKsAFijLOgCggJpuFl8Qs1pzFHUyB3i8Iehj N1wAoI03a5qteghwcvtWkzrjT8VBiw4h =xlUn -----END PGP SIGNATURE-----
We are using the quota plugin and storing people's usage in the (mysql) db.
We have some users that have some mail, but are not really receiving new mail, nor are they logging in to check mail, so they don't yet have a row in the quota table.
Is there a way to cause dovecot to just generate that quota usage?
Ben
On Tue, 2009-12-15 at 14:01 -0800, ben@electricembers.net wrote:
We are using the quota plugin and storing people's usage in the (mysql) db.
We have some users that have some mail, but are not really receiving new mail, nor are they logging in to check mail, so they don't yet have a row in the quota table.
Is there a way to cause dovecot to just generate that quota usage?
Not currently. But you could log in as the users and issue GETQUOTAROOT INBOX command. (If you don't know their passwords, you could enable master user logins.)
On 14/12/2009 03:12, Timo Sirainen wrote:
Largest changes since alpha3:
- if some IP address is failing authentications, all auth attempts from the IP are delayed increasingly. a successful auth drops the delay. max delay is 15 seconds. this is enforced by auth process, so it works across different connections/processes/protocols.
I have a bunch of users behind several NATs (wifi hotspots, dialup gateways) and it would seem that if some muppet innocently sets up the wrong username/password then all the other users get significantly penalised? (I have even seen cases people have a go at configuring Outlook, it doesn't work and they just leave it misconfigured and sending incorrect passwords forever afterwards...)
(This actually caught me out recently when a fairly large group of users got dropped due to pretty much just this type of rule implemented via an overeager Fail2ban rule... One user just kept trying to use the wrong password (innocently) and locked out the whole group of users behind the nat... Durr, quick fix of the whitelisted IPs, but we don't always spot the smaller gateways)
Should it not only delay *incorrect* logins? ie each time you get it wrong then you get a penalty (which increases). Getting it right would login instantly and slightly decrease the "got it wrong" penalty (or perhaps it just time ages)?
Seems that this is a good compromise and doesn't penalise good users, whilst only very slightly assisting attackers? (If they hacked a login then delaying them a few seconds from using it isn't all the helpful anyway...)
My 2p.. Although possibly I misunderstood the changelog...?
Ed W
On Wed, 2009-12-16 at 00:03 +0000, Ed W wrote:
On 14/12/2009 03:12, Timo Sirainen wrote:
Largest changes since alpha3:
- if some IP address is failing authentications, all auth attempts from the IP are delayed increasingly. a successful auth drops the delay. max delay is 15 seconds. this is enforced by auth process, so it works across different connections/processes/protocols.
I have a bunch of users behind several NATs (wifi hotspots, dialup gateways) and it would seem that if some muppet innocently sets up the wrong username/password then all the other users get significantly penalised? (I have even seen cases people have a go at configuring Outlook, it doesn't work and they just leave it misconfigured and sending incorrect passwords forever afterwards...)
This could be a problem, yes.. I probably have to make this configurable in some way. Or perhaps I could add some more code so that if only the same user+password combination (or a few of them) are the problem, it doesn't penalize. This feels familiar, I think I almost started coding that before. Or it's as if I already did, but I don't see the code..
When that's done, once in a while when an invalid user+pass combo happens it delays the next user's login for a couple of seconds, but then it would get cached for some time so if it tries again there would be no delays.
Also in any case, even if I don't change it from how it works now, the penalty goes away immediately after first successful login. So pretty much the worst that can happen is that innocent users have to wait for 15 seconds before they can log in.
Should it not only delay *incorrect* logins? ie each time you get it wrong then you get a penalty (which increases). Getting it right would login instantly and slightly decrease the "got it wrong" penalty (or perhaps it just time ages)?
That would also make the penalty pretty pointless. Attackers would just login, wait for half a second, assume it was a failed login, disconnect and connect again.
Hmm, you raise some good points...
This could be a problem, yes.. I probably have to make this configurable in some way. Or perhaps I could add some more code so that if only the same user+password combination (or a few of them) are the problem, it doesn't penalize. This feels familiar, I think I almost started coding that before. Or it's as if I already did, but I don't see the code..
Yeah, interesting idea to ignore a "stuck" login - this would help a lot
There are probably related ideas to look at number of incorrect usernames from a given IP as well as number of wrong passwords, but things get complicated fast. Also I think the trend is going to quickly shift to distributed bruteforcing - I have already seen this a little bit where you hardly see any one IP address login, but the log files as a whole are seeing a lot of breakin attempts
Should it not only delay *incorrect* logins? ie each time you get it
wrong then you get a penalty (which increases). Getting it right would login instantly and slightly decrease the "got it wrong" penalty (or perhaps it just time ages)?
That would also make the penalty pretty pointless. Attackers would just login, wait for half a second, assume it was a failed login, disconnect and connect again.
Good point...
I guess you could mark IPs which disconnect before receiving a "password incorrect" message as being especially naughty? In fact this is probably an excellent thing to log so that those with fail2ban kind of things could trigger something if they see it? It would seem to be a high probability sign of someone bruteforcing?
Perhaps this itself is enough to justify an option to allow valid logins from an IP to proceed immediately? It doesn't help with a distributed bruteforce, but really those are so slow (per IP) that it really makes no odds if you tarpit them or not... Is this a reasonable compromise? (allow correct logins immediately, optionally unless we see really naughty behaviour of not waiting for the "incorrect" response from that IP on failed logins?)
Nice new feature anyway! Cheers
Ed W
Just in case someone thought about testing beta1 on a live system, here's a small update about some of the bad bugs found (and fixed in hg) so far:
- LMTP server drops first 128k from mails with >128k mails
- some plugins crash / don't work correctly
I'll probably make a beta2 release on Sunday.
On Thu, Dec 17, 2009 at 12:02 AM, Timo Sirainen tss@iki.fi wrote:
Just in case someone thought about testing beta1 on a live system, here's a small update about some of the bad bugs found (and fixed in hg) so far:
- LMTP server drops first 128k from mails with >128k mails
- some plugins crash / don't work correctly
I'll probably make a beta2 release on Sunday.
I am testing on a live system with a few hundred users, but I am lucky I don't use LMTP anyway.
-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254733744121/+254722743223
"If you have nothing good to say about someone, just shut up!." -- Lucky Dube
participants (7)
-
ben@electricembers.net
-
Ed W
-
Luca Corti
-
Nick Douma
-
Odhiambo Washington
-
Pascal Volk
-
Timo Sirainen