several misc questions, public folders and sharing, quota, ssl
Hello,
I'm running dovecot 2.29 on a freebsd 10.3 system. I'm wanting to optimize how the system is running and have a few misc questions.
First, ssl: is my cipher list good? I'm trying for pfs and wanting to ensure this cipher list is appropriate:
ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
Next, a new feature that I'm trying for is virtual folders that store All messages. My understanding of this is that it stores a version of every received message in one place? I've got the virtual plugin loaded and have:
mailbox virtual/All {
  comment = All my messages
  special_use = \All
}
I've got a directory /home/vmail/example.com/username/virtual under which is an ALL folder; both directories are accessible to the vmail user, yet there are no contents in this folder and it's showing up nowhere.
Next, quota warnings are not being sent at all. I set up a testuser with a quota of 2 MB, then sent a message to that user getting the box to 95% full, and no message. Took the user over quota with the next message, still nothing, and a third message did trigger my custom quota exceeded message and the message was bounced.
I'm wanting to implement public folders. My mailboxes are all virtual, and they are stored under /home/vmail/example.com/username and /home/vmail/example.org/username in the maildir format. I've got one user, uid and gid 999, named vmail, who owns all the mailboxes. I've separated out public folders, storing them under /home/vmail/public. I've created one mailbox called TestFolder and new, cur, and tmp directories under it. This is what it looks like:
ls -la /home/vmail/public
total 24
drwx------  4 vmail  vmail  512 Apr 13 18:23 ./
drwx------  8 vmail  vmail  512 Mar 15 10:34 ../
drwxr-xr-x  5 vmail  vmail  512 Apr 13 18:16 TestFolder/
drwxr-xr-x  5 vmail  vmail  512 Apr 13 18:25 TestFolder1/
-rw-------  1 vmail  vmail    8 Apr 13 18:15 dovecot-uidvalidity
-r--r--r--  1 vmail  vmail    0 Apr 13 18:15 dovecot-uidvalidity.58eff89a
-rw-------  1 vmail  vmail  688 Apr 13 18:24 dovecot.list.index.log

ls -la /home/vmail/public/TestFolder
total 28
drwxr-xr-x  5 vmail  vmail  512 Apr 13 18:16 ./
drwx------  4 vmail  vmail  512 Apr 13 18:23 ../
drwxr-xr-x  2 vmail  vmail  512 Apr 13 18:13 cur/
-rw-r--r--  1 vmail  vmail   51 Apr 13 18:16 dovecot-uidlist
-rw-r--r--  1 vmail  vmail  304 Apr 13 18:16 dovecot.index.log
drwxr-xr-x  2 vmail  vmail  512 Apr 13 18:13 new/
drwxr-xr-x  2 vmail  vmail  512 Apr 13 18:13 tmp/

ls -la /home/vmail/public/TestFolder1
total 20
drwxr-xr-x  5 vmail  vmail  512 Apr 13 18:25 ./
drwx------  4 vmail  vmail  512 Apr 13 18:23 ../
drwxr-xr-x  2 vmail  vmail  512 Apr 13 18:25 cur/
drwxr-xr-x  2 vmail  vmail  512 Apr 13 18:25 new/
drwxr-xr-x  2 vmail  vmail  512 Apr 13 18:25 tmp/
The public/TestFolder is showing up fine and I can switch to it. The public/TestFolder1 is not showing up at all so I'm not seeing it and can't switch to it. Any ideas?
My second question involves public folders and domain sharing. Are public folders accessible to all users and all domains? I've got two domains, example.com and example.org. I'd like to create a folder that some users in example.com can share with some users in example.org; not necessarily all users in those domains should be able to see the folders.
Ideas welcome.
Thanks. Dave.
doveconf -n
# 2.2.29 (13ebc01): /usr/local/etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.18 (29cc74d)
# OS: FreeBSD 10.3-RELEASE-p11 amd64 ufs
auth_cache_size = 8 k
auth_default_realm = example.com
auth_mechanisms = plain login cram-md5
auth_realms = example.com example.org
auth_socket_path = /var/run/dovecot/auth-userdb
dict {
  sqlquota = mysql:/usr/local/etc/dovecot/dovecot-dict-sql.conf.ext
}
disable_plaintext_auth = no
first_valid_gid = 999
first_valid_uid = 999
hostname = mail.example.com
imap_client_workarounds = delay-newmail tb-extra-mailbox-sep tb-lsub-flags
last_valid_gid = 999
last_valid_uid = 999
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
listen = 127.0.0.1 xxx.xxx.xxx.xxx
mail_fsync = never
mail_gid = vmail
mail_home = /home/vmail/%d/%n/home
mail_location = maildir:/home/vmail/%d/%n:LAYOUT=fs
mail_plugins = acl mail_log notify quota trash virtual welcome zlib
mail_server_admin = mailto:postmaster@example.com
mail_uid = vmail
mailbox_list_index = yes
maildir_broken_filename_sizes = yes
maildir_empty_new = yes
maildir_very_dirty_syncs = yes
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapflags notify imapsieve vnd.dovecot.imapsieve
namespace {
  hidden = no
  list = yes
  location = maildir:/home/vmail/public/:LAYOUT=fs:CONTROL=/home/vmail/public/:INDEX=/home/vmail/public/
  prefix = public/
  separator = /
  subscriptions = yes
  type = public
}
namespace inbox {
  hidden = no
  inbox = yes
  list = yes
  location =
  mailbox "Deleted Messages" {
    auto = no
    autoexpunge = 30 days
    special_use = \Trash
  }
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Junk {
    auto = subscribe
    autoexpunge = 30 days
    special_use = \Junk
  }
  mailbox "Junk E-mail" {
    auto = no
    autoexpunge = 30 days
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox "Sent Items" {
    auto = no
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    auto = no
    special_use = \Sent
  }
  mailbox Spam {
    auto = no
    autoexpunge = 30 days
    special_use = \Junk
  }
  mailbox Trash {
    auto = subscribe
    autoexpunge = 30 days
    special_use = \Trash
  }
  mailbox virtual/All {
    comment = All my messages
    special_use = \All
  }
  prefix =
  separator = /
  subscriptions = yes
  type = private
}
passdb {
  args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  imapsieve_mailbox1_before = file:/usr/local/lib/dovecot/sieve/report-spam.sieve
  imapsieve_mailbox1_causes = COPY
  imapsieve_mailbox1_name = Spam
  imapsieve_mailbox2_before = file:/usr/local/lib/dovecot/sieve/report-ham.sieve
  imapsieve_mailbox2_causes = COPY
  imapsieve_mailbox2_from = Spam
  imapsieve_mailbox2_name = *
  last_login_dict = redis:host=127.0.0.1:port=6379
  last_login_key = last-login/%u
  mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
  mail_log_fields = uid box msgid size
  quota = dict:User quota::proxy::sqlquota
  quota2 = maildir:Shared quota:ns=public/
  quota_exceeded_message = Storage quota for this account has been exceeded, please try again later.
  quota_grace = 10%%
  quota_status_nouser = DUNNO
  quota_status_overquota = 552 5.2.2 Mailbox is full
  quota_status_success = DUNNO
  quota_warning = storage=100%% quota-warning 100 %u
  quota_warning2 = storage=95%% quota-warning 95 %u
  quota_warning3 = storage=90%% quota-warning 90 %u
  quota_warning4 = storage=85%% quota-warning 85 %u
  quota_warning5 = storage=75%% quota-warning 75 %u
  sieve = /home/vmail/%d/%n/sieve/scripts;active=/home/vmail/%d/%n/sieve/.dovecot.sieve
  sieve_before = /usr/local/etc/dovecot/sieve/dovecot.sieve
  sieve_default = /usr/local/etc/dovecot/sieve/dovecot.sieve
  sieve_dir = /usr/local/etc/dovecot/sieve
  sieve_extensions = +notify +imapflags
  sieve_global_dir = /usr/local/etc/dovecot/sieve/
  sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.execute
  sieve_max_redirects = 30
  sieve_max_script_size = 1M
  sieve_pipe_bin_dir = /usr/local/lib/dovecot/sieve
  sieve_plugins = sieve_imapsieve sieve_extprograms
  sieve_user_log = /home/vmail/%d/%n/sieve/sieve_error.log
  trash = /usr/local/etc/dovecot/dovecot-trash.conf.ext
  welcome_script = welcome %u
  welcome_wait = yes
}
postmaster_address = postmaster@example.com
protocols = imap sieve
sendmail_path = /usr/local/sbin/sendmail
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0660
    user = vmail
  }
}
service dict {
  unix_listener dict {
    group = vmail
    mode = 0660
    user = vmail
  }
}
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
  service_count = 1
}
service imap {
  client_limit = 1
}
service lmtp {
  unix_listener dovecot-lmtp {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service managesieve-login {
  inet_listener sieve {
    address = 127.0.0.1
    port = 4190
  }
  process_min_avail = 0
  service_count = 1
  vsz_limit = 64 M
}
service quota-status {
  client_limit = 1
  executable = quota-status -p postfix
  inet_listener {
    address = 127.0.0.1
    port = 12345
  }
}
service quota-warning {
  executable = script /usr/local/bin/quota-warning.sh
  unix_listener quota-warning {
    group = vmail
    mode = 0666
    user = vmail
  }
  user = vmail
}
service welcome {
  executable = script /usr/local/bin/welcome.sh
  unix_listener welcome {
    user = vmail
  }
  user = vmail
}
ssl_cert = </usr/local/etc/letsencrypt/live/mail.example.com/fullchain.pem
ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
ssl_dh_parameters_length = 2048
ssl_key =  # hidden, use -P to show it
ssl_options = no_compression
ssl_prefer_server_ciphers = yes
ssl_protocols = !SSLv2 !SSLv3
userdb {
  driver = prefetch
}
userdb {
  args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
userdb {
  args = uid=vmail gid=vmail home=/home/vmail/%d/%n
  driver = static
}
protocol lmtp {
  mail_plugins = acl mail_log notify quota trash virtual welcome zlib sieve
}
protocol lda {
  mail_fsync = optimized
  mail_plugins = acl mail_log notify quota trash virtual welcome zlib quota sieve
}
protocol imap {
  mail_max_userip_connections = 30
  mail_plugins = acl mail_log notify quota trash virtual welcome zlib imap_acl imap_quota imap_sieve imap_zlib last_login
}
protocol sieve {
  managesieve_implementation_string = Dovecot Pigeonhole
  managesieve_max_compile_errors = 5
  managesieve_max_line_length = 65536
}
/usr/local/etc/dovecot/dovecot-dict-sql.conf.ext
connect = host=/tmp/mysql.sock dbname=dbname user=user password=password

# CREATE TABLE quota (
#   username varchar(100) not null,
#   bytes bigint not null default 0,
#   messages integer not null default 0,
#   primary key (username)
# );

map {
  pattern = priv/quota/storage
  table = quota
  username_field = username
  value_field = bytes
}
map {
  pattern = priv/quota/messages
  table = quota
  username_field = username
  value_field = messages
}

# CREATE TABLE expires (
#   username varchar(100) not null,
#   mailbox varchar(255) not null,
#   expire_stamp integer not null,
#   primary key (username, mailbox)
# );

#map {
#  pattern = shared/expire/$user/$mailbox
#  table = expires
#  value_field = expire_stamp
#  fields {
#    username = $user
#    mailbox = $mailbox
#  }
#}
On April 14, 2017 at 3:04 AM David Mehler <dave.mehler@gmail.com> wrote:
> Hello,
> I'm running dovecot 2.29 on a freebsd 10.3 system. I'm wanting to optimize how the system is running and have a few misc questions.
> First, ssl: is my cipher list good? I'm trying for pfs and wanting to ensure this cipher list is appropriate:
> ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
I would add @STRENGTH to the end, so it'll get sorted by strength.
> Next, a new feature that I'm trying for is virtual folders that store All messages. My understanding of this is that it stores a version of every received message in one place? I've got the virtual plugin loaded and have:
> mailbox virtual/All {
>   comment = All my messages
>   special_use = \All
> }
> I've got a directory /home/vmail/example.com/username/virtual under which is an ALL folder; both directories are accessible to the vmail user, yet there are no contents in this folder and it's showing up nowhere.
Configuring virtual all folder:
namespace {
  prefix = virtual/
  separator = /
  location = virtual:/etc/dovecot/virtual:INDEX=%h/virtual
  mailbox All {
    auto = subscribe
    comment = All my messages
    special_use = \All
  }
}

==== /etc/dovecot/virtual/All/dovecot-virtual ====
*
  all
==== EOF ===
> Next, quota warnings are not being sent at all. I set up a testuser with a quota of 2 MB, then sent a message to that user getting the box to 95% full, and no message. Took the user over quota with the next message, still nothing, and a third message did trigger my custom quota exceeded message and the message was bounced.
I would recommend using
mail_plugins = $mail_plugins quota quota_clone
plugin {
  quota = count:User quota
  quota_clone_dict = proxy::sqlquota
  quota_vsizes = true
}
Also,
"Note that the warning is ONLY executed at the exact time when the limit is being crossed, so when you're testing it you have to do it by crossing the limit by saving a new mail. If something else besides Dovecot updates quota so that the limit is crossed, the warning is never executed."
> I'm wanting to implement public folders. My mailboxes are all virtual, and they are stored under /home/vmail/example.com/username and /home/vmail/example.org/username in the maildir format. I've got one user, uid and gid 999, named vmail, who owns all the mailboxes. I've separated out public folders, storing them under /home/vmail/public. I've created one mailbox called TestFolder and new, cur, and tmp directories under it. This is what it looks like:
<snip />
> The public/TestFolder is showing up fine and I can switch to it. The public/TestFolder1 is not showing up at all so I'm not seeing it and can't switch to it. Any ideas?
Not sure why it's not showing up, *but*, you could add :INDEXPVT=%h/public to the folder, to keep per-user indexes separate.
> My second question involves public folders and domain sharing. Are public folders accessible to all users and all domains? I've got two domains, example.com and example.org. I'd like to create a folder that some users in example.com can share with some users in example.org; not necessarily all users in those domains should be able to see the folders.
Dovecot does not, as such, care about your domains. It cares about user names. If you want to do this kind of thing, please consult the ACL plugin: https://wiki2.dovecot.org/ACL
> Ideas welcome.
> Thanks. Dave.
Some other comments: if you are using SSL, you can drop cram-md5 as an auth mech; it's not storage-safe.
You should use

mail_location = maildir:~/maildir:LAYOUT=fs

to avoid other things in the user's home being interpreted as mail directories.
Why are you setting these?

maildir_broken_filename_sizes = yes
maildir_empty_new = yes
maildir_very_dirty_syncs = yes
And in general I see lots of overconfiguring; Dovecot defaults are usually right, and setting various things just for the fun of it can cause problems.
Aki
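The quota_warning behaviour quoted above (a warning fires only when a save crosses the limit, and only the first matching rule in config order runs) is easy to misjudge when testing by hand. The following is an added example, not code from the thread or from Dovecot: it parses the quota_warning lines from the doveconf -n output in the original post and replays a sequence of deliveries against a 2 MB quota, including an out-of-band update of the quota table that pushes the user over the limit without any warning ever running. The message sizes and the "external update" event are constructed for illustration.

```python
"""Replay Dovecot's quota_warning crossing rule against the thresholds in the thread."""
import re

# Constructed copy of the quota_warning lines from the plugin {} block in the thread.
QUOTA_WARNING_LINES = """\
quota_warning = storage=100%% quota-warning 100 %u
quota_warning2 = storage=95%% quota-warning 95 %u
quota_warning3 = storage=90%% quota-warning 90 %u
quota_warning4 = storage=85%% quota-warning 85 %u
quota_warning5 = storage=75%% quota-warning 75 %u
"""

# quota_warningN = storage=<pct>%% <service> <args...>  (%% is a literal % in dovecot.conf)
WARNING_RE = re.compile(r"^quota_warning\d*\s*=\s*storage=(\d+)%%\s+(\S+)(?:\s+(.*))?$")


def parse_warnings(text):
    """Return [(percent, service, args)] in config order; Dovecot checks them in that order."""
    rules = []
    for line in text.splitlines():
        m = WARNING_RE.match(line.strip())
        if m:
            rules.append((int(m.group(1)), m.group(2), m.group(3) or ""))
    return rules


def crossed_warning(rules, limit_bytes, before, after):
    """A storage warning fires only when one save moves usage from below the rule's
    byte limit to at or above it, and only the first rule (in config order) that
    matches is executed, which is why the highest percentage must be listed first."""
    for pct, service, args in rules:
        threshold = limit_bytes * pct // 100
        if before < threshold <= after:
            return pct, service, args
    return None


def replay(rules, limit_bytes, events):
    """events: ("deliver", size_bytes) for a Dovecot save, or ("external", total_bytes)
    when something other than Dovecot rewrites the quota dict. Returns the fired rules."""
    usage = 0
    fired = []
    for kind, value in events:
        if kind == "deliver":
            hit = crossed_warning(rules, limit_bytes, usage, usage + value)
            if hit is not None:
                fired.append(hit)
            usage += value
        elif kind == "external":
            usage = value  # no save happened, so no warning can fire for this change
        else:
            raise ValueError(f"unknown event kind: {kind}")
    return fired


def scenario_from_thread():
    """2 MB quota like the test user in the thread. Two deliveries cross 85% and 95%,
    then a hand edit of the quota table pushes usage past 100%, so the 100% warning
    never runs and a later small delivery cannot cross anything either."""
    rules = parse_warnings(QUOTA_WARNING_LINES)
    limit = 2 * 1024 * 1024
    events = [
        ("deliver", 1_800_000),   # ~86%: crosses 75% and 85%; only the 85% rule fires
        ("deliver", 200_000),     # ~95.4%: crosses 95%
        ("external", 2_200_000),  # constructed out-of-band update: over limit, nothing fires
        ("deliver", 100),         # already above 100%, no crossing, nothing fires
    ]
    return [pct for pct, _service, _args in replay(rules, limit, events)]


if __name__ == "__main__":
    print(scenario_from_thread())  # [85, 95]
```

The replay is a model of the documented crossing rule, not of the dict backend itself; a real quota-warning service is also only reached if the quota root whose usage changed is the one the rules are attached to, which is a separate thing to verify in the logs.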
On 04/14/2017 02:04 AM, David Mehler wrote:
> First, ssl: is my cipher list good? I'm trying for pfs and wanting to ensure this cipher list is appropriate:
> ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
You can check the quality of your SSL/TLS setup via https://www.htbridge.com/ssl/
Regards, Olaf
--
Karlsruher Institut für Technologie (KIT)
ATIS - Dept. of Technical Infrastructure, Faculty of Computer Science
Dipl.-Geophys. Olaf Hopp
- Head of IT Services -
Am Fasanengarten 5, Building 50.34, Room 009
76131 Karlsruhe
Phone: +49 721 608-43973
Fax: +49 721 608-46699
E-mail: Olaf.Hopp@kit.edu
www.atis.informatik.kit.edu
www.kit.edu
KIT - The Research University in the Helmholtz Association
KIT has been certified as a family-friendly university since 2010.
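Besides an online scanner, the cipher string from the original question (and Aki's @STRENGTH suggestion) can be checked offline, because Dovecot hands ssl_cipher_list straight to OpenSSL. The following is an added example, not code from the thread or from Dovecot: it expands a cipher string with the local OpenSSL through Python's ssl module, lists any suite that does not use an ephemeral (EC)DH key exchange (so no forward secrecy), and checks whether the offer order is sorted by strength. The second, deliberately weaker list is constructed for contrast; TLS 1.3 suites are excluded because they are governed by separate settings and not by this string.

```python
"""Expand an OpenSSL cipher string the way ssl_cipher_list is and check it for PFS and ordering."""
import ssl

# The list from the thread; Dovecot passes this string straight to OpenSSL.
CIPHER_LIST = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
# Constructed weaker list for comparison: the first suite uses plain RSA key exchange.
WEAK_LIST = "AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"


def expand(cipher_list):
    """Return the TLS 1.2-and-below suites OpenSSL would offer, in offer order.
    TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) are configured separately and skipped."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_list)  # raises ssl.SSLError if nothing matches the string
    return [c for c in ctx.get_ciphers() if not c["name"].startswith("TLS_")]


def non_pfs(cipher_list):
    """Suites whose key exchange is not ephemeral (EC)DH, i.e. without forward secrecy.
    OpenSSL names ephemeral-key-exchange suites with an ECDHE- or DHE- prefix."""
    return [c["name"] for c in expand(cipher_list)
            if not c["name"].startswith(("ECDHE-", "DHE-"))]


def is_strength_sorted(cipher_list):
    """True if the offer order never goes from a weaker to a stronger suite,
    which is what appending @STRENGTH to the string guarantees."""
    bits = [c["strength_bits"] for c in expand(cipher_list)]
    return all(a >= b for a, b in zip(bits, bits[1:]))


def report(cipher_list):
    """Summary a reviewer would want: offered suites, non-PFS suites, and sort check."""
    return {
        "offered": [c["name"] for c in expand(cipher_list)],
        "non_pfs": non_pfs(cipher_list),
        "strength_sorted": is_strength_sorted(cipher_list),
    }


if __name__ == "__main__":
    for cl in (CIPHER_LIST, CIPHER_LIST + ":@STRENGTH", WEAK_LIST):
        r = report(cl)
        print(cl)
        print("  offered:", ", ".join(r["offered"]))
        print("  non-PFS:", r["non_pfs"] or "none")
        print("  sorted by strength:", r["strength_sorted"])
```

Run it on the mail server itself, since the expansion depends on the OpenSSL build Dovecot links against; the thread's list yields no non-PFS suite, while without @STRENGTH the 128-bit ECDHE GCM suites are offered ahead of the 256-bit DHE ones, which is what Aki's suggestion fixes.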
participants (3): Aki Tuomi, David Mehler, Olaf Hopp