Headsup on feature removal
Hi!
Dovecot is now a nearly 20 year old product, and during that time it has accumulated many different features and plugins in its core repository.
We are starting to gradually remove some of these parts, which are unused, untested or deprecated. We will provide advance notification before removing anything.
To start, the following features are likely to be removed in the next few releases of Dovecot.
- Authentication drivers: vpopmail, checkpassword, bsdauth, shadow, sia
- Password schemes: HMAC-MD5, RPA, SKEY, PLAIN-MD4, LANMAN, NTLM, SMD5
- Authentication mechanisms: ntlm, rpa, skey
- Dict drivers: memcached, memcached-ascii (use redis instead)
- postfix postmap support
- autocreate & autosubscribe plugins (use built-in auto=create/subscribe setting instead)
- expire plugin (use built-in autoexpunge setting)
- fts-squat plugin
- mailbox alias plugin
- mail-filter plugin
- snarf plugin
- xz compression algorithm
For the authentication drivers that are being removed, we suggest using Lua as a replacement. See https://doc.dovecot.org/configuration_manual/authentication/lua_based_authen...
For information about converting between password schemes, see https://wiki2.dovecot.org/HowTo/ConvertPasswordSchemes
If you are using any of these features, please start preparing for their removal in the near future. Features will begin to be dropped as of v2.3.11.
Additionally, the mbox format will no longer receive new development. It will still be maintained, however its use beyond migrations and other limited use cases will be discouraged.
Please contact us via the mailing list if you have any questions.
Regards, Dovecot Team
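Added example, not part of the original announcement and not Dovecot's own code: a Python script that scans `doveconf -n` style output for the features on the removal list above, so affected settings can be found before an upgrade. The setting names it matches, the underscore spellings of the plugin names and the sample configuration are assumptions of this example; postfix postmap use is not detected.

```python
import re

# Names taken from the removal list in the announcement above.
REMOVED_AUTH_DRIVERS = {"vpopmail", "checkpassword", "bsdauth", "shadow", "sia"}
REMOVED_SCHEMES = {"HMAC-MD5", "RPA", "SKEY", "PLAIN-MD4", "LANMAN", "NTLM", "SMD5"}
REMOVED_MECHANISMS = {"ntlm", "rpa", "skey"}
# Assumption: configuration files spell these plugins with underscores.
REMOVED_PLUGINS = {"autocreate", "autosubscribe", "expire", "fts_squat",
                   "mailbox_alias", "mail_filter", "snarf"}

SCHEME_ARG = re.compile(r"\bscheme=([A-Za-z0-9-]+)")
MEMCACHED_URI = re.compile(r"^(memcached(?:[-_]ascii)?):")
HASH_PREFIX = re.compile(r"^\{([A-Za-z0-9-]+)(?:\.[A-Za-z0-9]+)?\}")


def audit_config(text):
    """Return (line_number, kind, name) tuples for removed features in use."""
    findings = []
    sections = []  # stack of enclosing block names, e.g. ["passdb"]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            words = line[:-1].split()
            sections.append(words[0] if words else "")
            continue
        if line == "}":
            if sections:
                sections.pop()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        inner = sections[-1] if sections else ""

        if key == "driver" and inner in ("passdb", "userdb"):
            if value in REMOVED_AUTH_DRIVERS:
                findings.append((lineno, "auth driver", value))
        elif key == "auth_mechanisms":
            for mech in value.lower().split():
                if mech in REMOVED_MECHANISMS:
                    findings.append((lineno, "auth mechanism", mech))
        elif key == "mail_plugins":
            for plugin in value.split():
                if plugin in REMOVED_PLUGINS:
                    findings.append((lineno, "plugin", plugin))
        elif key == "default_pass_scheme":
            if value.upper() in REMOVED_SCHEMES:
                findings.append((lineno, "password scheme", value.upper()))
        elif key == "zlib_save" and value == "xz":
            findings.append((lineno, "compression", "xz"))

        # Checks that apply to the value of any setting.
        for match in SCHEME_ARG.finditer(value):
            if match.group(1).upper() in REMOVED_SCHEMES:
                findings.append((lineno, "password scheme", match.group(1).upper()))
        uri = MEMCACHED_URI.match(value)
        if uri:
            findings.append((lineno, "dict driver", uri.group(1)))
    return findings


def removed_scheme_of(stored_password):
    """Return the removed scheme named in a {SCHEME} hash prefix, else None."""
    match = HASH_PREFIX.match(stored_password)
    if match and match.group(1).upper() in REMOVED_SCHEMES:
        return match.group(1).upper()
    return None


# Constructed sample in the style of `doveconf -n` output.
SAMPLE_DOVECONF = """\
# constructed sample, not a real server's configuration
auth_mechanisms = plain login ntlm
mail_plugins = quota autocreate fts fts_squat
passdb {
  args = scheme=HMAC-MD5 /etc/dovecot/users
  driver = passwd-file
}
passdb {
  driver = vpopmail
}
userdb {
  driver = vpopmail
}
dict {
  quota = memcached:host=127.0.0.1
}
plugin {
  zlib_save = xz
}
"""

if __name__ == "__main__":
    for lineno, kind, name in audit_config(SAMPLE_DOVECONF):
        print(f"line {lineno}: {kind} '{name}' is on the removal list")
```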
With these planned changes, you mention they will be removed from 'core', so is the intention to allow more of these legacy plugins to move to their own repos for those that might still want to use them?
E.g., more in the path of plug-in architecture? Just curious for clarity.
Oh, and have to add.. still waiting on the variable capability patch, to allow plugins to modify advertised capabilities. (#pull request 86)
This will allow us to provide our Dovecot plugins more widely to the community.
-- "Catch the Magic of Linux..."
Michael Peddemors, President/CEO LinuxMagic Inc. Visit us at http://www.linuxmagic.com @linuxmagic A Wizard IT Company - For More Info http://www.wizard.ca "LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
604-682-0300 Beautiful British Columbia, Canada
This email and any electronic data contained are confidential and intended solely for the use of the individual or entity to which they are addressed. Please note that any views or opinions presented in this email are solely those of the author and are not intended to represent those of the company.
Amongst other plug-ins, yes..
On 2020-03-17 10:15 p.m., Aki Tuomi wrote:
Those plugins can be resurrected with simple git revert. Are you planning on open sourcing your client id authentication plugin?
Aki
On 18/03/2020 01:44 Michael Peddemors <michael@linuxmagic.com> wrote:
With these planned changes, you mention they will be removed from 'core', so is the intention to allow more of these legacy plugins to move to their own repos for those that might still want to use them?
E.g., more in the path of plug-in architecture? Just curious for clarity.
Oh, and have to add.. still waiting on the variable capability patch, to allow plugins to modify advertised capabilities. (#pull request 86)
This will allow us to provide our Dovecot plugins more widely to the community.
So I am one of the many users with qmail, and using vpopmail auth, I guess chatting with some other guys in the other mailing list we will convert to mysql driver but this is a lot of work for many people.
I do understand dropping things out but a valid solution needs to be proposed.
Remo
On Mar 18, 2020, at 06:49, Michael Peddemors <michael@linuxmagic.com> wrote:
Amongst other plug-ins, yes..
Hi!
I understand that it is not trivial to move away from vpopmail and does require changing a working system. But then again, one should be able to configure MySQL passdb/userdb with vpopmail schema.
I am not familiar with vpopmail but if someone comes with instructions we can polish them a bit (if necessary) and publish them as howto on doc.dovecot.org.
Aki
On 18/03/2020 17:52 Remo Mattei <remo@rm.ht> wrote:
So I am one of the many users with qmail, and using vpopmail auth, I guess chatting with some other guys in the other mailing list we will convert to mysql driver but this is a lot of work for many people.
I do understand dropping things out but a valid solution needs to be proposed.
Remo
One way it can be done as well, using the 'vchkpw' part of vpopmail, which is 'checkpassword' compliant, however if that goes away ;)
On 2020-03-18 10:26 a.m., Aki Tuomi wrote:
Hi!
I understand that it is not trivial to move away from vpopmail and does require changing a working system. But then again, one should be able to configure MySQL passdb/userdb with vpopmail schema.
I am not familiar with vpopmail but if someone comes with instructions we can polish them a bit (if necessary) and publish them as howto on doc.dovecot.org.
Aki
Hi Aki and Remo,
switch from vpopmail driver to SQL driver (if you are using vpopmail with mysql as backend) is very simple.
First you need to set up the right query for the vpopmail database:
# cat /etc/dovecot/dovecot-sql.conf.ext
### Vpopmail
driver = mysql
connect = host=192.168.1.2 dbname=vpopmail user=vpopmail password=Vp0pM4iL
default_pass_scheme = MD5-CRYPT

### Query to get a list of all usernames.
iterate_query = SELECT CONCAT(pw_name, '@', pw_domain) AS user FROM vpopmail

### user_query for vpopmail
user_query = SELECT pw_dir AS home, 89 AS uid, 89 AS gid, concat('*:backend=', pw_shell) AS quota_rule FROM vpopmail WHERE pw_name = '%n' AND pw_domain = '%d'

### password_query for vpopmail (not used)
#password_query = SELECT CONCAT(pw_name, '@', pw_domain) AS user, pw_passwd AS password FROM vpopmail WHERE pw_name = '%n' AND pw_domain = '%d'

### password_query for vpopmail with prefetch
password_query = SELECT CONCAT(pw_name, '@', pw_domain) AS user, pw_passwd AS password, concat('*:backend=', pw_shell) as userdb_quota_rule, 89 AS userdb_uid, 89 AS userdb_gid, pw_dir AS userdb_home FROM vpopmail WHERE pw_name = '%n' AND pw_domain = '%d'

After that, set up auth-sql like this:
# cat /etc/dovecot/conf.d/auth-sql.conf.ext
passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}
userdb {
  driver = prefetch
}
userdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}
and after that switch from auth-vpopmail to auth-sql in /etc/dovecot/conf.d/10-auth.conf
You can also setup Dovecot in order to apply vpopmail POP/IMAP/SMTP/Webmail gids/domains limits for example with a password query more complicated like this:
password_query = SELECT CONCAT(pw_name, '@', pw_domain) AS user, pw_passwd AS password, concat('*:backend=', pw_shell) as userdb_quota_rule, 89 AS userdb_uid, 89 AS userdb_gid, pw_dir AS userdb_home FROM vpopmail LEFT JOIN limits ON vpopmail.pw_domain = limits.domain WHERE pw_name = '%n' AND pw_domain='%d' AND (( '%s' = 'smtp' AND (pw_gid & 2048)<>2048 AND COALESCE(disable_smtp,0)!=1) OR ('%s' = 'pop3' AND (pw_gid & 2)<>2 AND COALESCE(disable_pop,0) != 1 ) OR ('%s' = 'imap' AND ('%r'='192.168.100.1' OR '%r'='192.168.100.2') AND (pw_gid & 4)<>4 AND COALESCE(disable_webmail,0)!=1) OR ('%s' = 'imap' AND ('%r'!='192.168.100.1' AND '%r'!='192.168.100.2') AND (pw_gid & 8)<>8 AND COALESCE(disable_imap,0)!=1));
where 192.168.100.1 and 192.168.100.2 are the IPs of your webmail servers.
For a more beautiful setup and to show in dovecot logs "user disabled" instead of "password error" you can put this password_query under the dovecot auth-deny.conf.ext configurations.
If you need more help or info I can help you.
Ciao
-- Alessio Cecchi Postmaster @ http://www.qboxmail.it https://www.linkedin.com/in/alessice
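Added example, not part of the original post: a Python mirror of the WHERE clause of the longer password_query in the message above, useful for checking which logins that query admits before it is deployed. The bit values, limits columns and webmail addresses come from the query; the constant names, function names, the outside address 203.0.113.7 and the extra service name "sieve" are assumptions of this example.

```python
# Webmail server addresses used in the password_query above.
WEBMAIL_IPS = frozenset({"192.168.100.1", "192.168.100.2"})

# Bit values are the ones the query tests in pw_gid; the names are this example's.
DENY_POP3 = 2
DENY_WEBMAIL = 4
DENY_IMAP = 8
DENY_SMTP = 2048


def login_allowed(service, remote_ip, pw_gid, limits=None, webmail_ips=WEBMAIL_IPS):
    """Return True when the query's WHERE clause would return a row.

    `limits` is the joined row of the limits table as a dict, or None when the
    LEFT JOIN finds no row for the domain (every column is then NULL).
    """
    limits = limits or {}

    def domain_disabled(column):
        # COALESCE(column, 0) != 1 in the query: NULL counts as "not disabled".
        return (limits.get(column) or 0) == 1

    def user_denied(bit):
        return (pw_gid & bit) == bit

    if service == "smtp":
        return not user_denied(DENY_SMTP) and not domain_disabled("disable_smtp")
    if service == "pop3":
        return not user_denied(DENY_POP3) and not domain_disabled("disable_pop")
    if service == "imap":
        if remote_ip in webmail_ips:
            # IMAP from the webmail hosts is governed by the webmail flags.
            return (not user_denied(DENY_WEBMAIL)
                    and not domain_disabled("disable_webmail"))
        return not user_denied(DENY_IMAP) and not domain_disabled("disable_imap")
    # A service the query does not name matches no branch: no row, no login.
    return False


def access_matrix(pw_gid, limits=None, outside_ip="203.0.113.7"):
    """Evaluate every branch of the query for one account."""
    webmail_ip = sorted(WEBMAIL_IPS)[0]
    return {
        "smtp": login_allowed("smtp", outside_ip, pw_gid, limits),
        "pop3": login_allowed("pop3", outside_ip, pw_gid, limits),
        "imap-webmail": login_allowed("imap", webmail_ip, pw_gid, limits),
        "imap-direct": login_allowed("imap", outside_ip, pw_gid, limits),
        # Hypothetical extra service name, to show the fall-through case.
        "sieve": login_allowed("sieve", outside_ip, pw_gid, limits),
    }


if __name__ == "__main__":
    # Constructed account: SMTP and POP3 denied by the per-user flags.
    for name, allowed in access_matrix(DENY_SMTP | DENY_POP3).items():
        print(f"{name:13s} {'allow' if allowed else 'deny'}")
```

The last branch is the case to watch when adapting the query: any service name that none of the OR terms mentions gets no row at all, so it fails authentication even for accounts with no restrictions.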
"Alessio" == Alessio Cecchi <alessio@skye.it> writes:
Alessio> Hi Aki and Remo,
Alessio> switch from vpopmail driver to SQL driver (if you are using vpopmail with mysql as backend) is
Alessio> very simple.
Alessio> First you need to setup the right query for vpopmail database:
Alessio> # cat /etc/dovecot/dovecot-sql.conf.ext
Alessio> ### Vpopmail
Alessio> driver = mysql
Alessio> connect = host=192.168.1.2 dbname=vpopmail user=vpopmail password=Vp0pM4iL
Alessio> default_pass_scheme = MD5-CRYPT
Alessio> ### Query to get a list of all usernames.
Alessio> iterate_query = SELECT CONCAT(pw_name, '@', pw_domain) AS user FROM vpopmail
Alessio> ### user_query for vpopmail
Alessio> user_query = SELECT pw_dir AS home, 89 AS uid, 89 AS gid,
Alessio> concat('*:backend=', pw_shell) AS quota_rule FROM vpopmail
Alessio> WHERE pw_name = '%n' AND pw_domain = '%d'
Careful! You need to explain that 89 is the UID and GID of the vpopmail user account? Or some other account? I don't use either of these auth methods, but this just struck me as a little magical.
On 19/03/20 02:01, John Stoffel wrote:
Alessio> ### user_query for vpopmail
Alessio> user_query = SELECT pw_dir AS home, 89 AS uid, 89 AS gid,
Alessio> concat('*:backend=', pw_shell) AS quota_rule FROM vpopmail
Alessio> WHERE pw_name = '%n' AND pw_domain = '%d'
Careful! You need to explain that 89 is the UID and GID of the vpopmail user account? Or some other account? I don't use either of these auth methods, but this just struck me as a little magical.
Hi John,
what you said is true but historically in vpopmail environments uid and gid are usually hardcoded at 89
Anyone can check their uid and gid with "id vpopmail" command from shell and update as necessary.
-- Alessio Cecchi Postmaster @ http://www.qboxmail.it https://www.linkedin.com/in/alessice
On 19/03/2020 13:24 Alessio Cecchi <alessio@skye.it> wrote:
Hi John,
what you said is true but historically in vpopmail environments uid and gid are usually hardcoded at 89
Anyone can check their uid and gid with "id vpopmail" command from shell and update as necessary.
-- Alessio Cecchi
You can also replace 89 with 'vpopmail' and let dovecot resolve the number.
Aki
Thanks for the clarification, hopefully this helps other people having to move.
John
On 17/03/20 7:50 pm, Aki Tuomi wrote:
Dovecot is now a nearly 20 year old product, and during that time it has accumulated many different features and plugins in its core repository.
We are starting to gradually remove some of these parts, which are unused, untested or deprecated. We will provide advance notification before removing anything.
To start, the following features are likely to be removed in the next few releases of Dovecot.
<snip laundry list of features to be removed over several point releases>
If you are using any of these features, please start preparing for their removal in the near future. Features will begin to be dropped as of v2.3.11.
Allow me to formally express my objections here. You provide repositories that automatically upgrade dovecot through point releases on various different package management systems, so here's what is going to happen:
Anyone that uses features you remove in 2.3.11 will have dovecot break on them simply by running "yum update" (or equivalent) at that time. This could be production systems that have been running for years on platforms such as CentOS 7.
Then things will break again in 2.3.12 (assuming you remove features then), and in 2.3.13, etc.
So you want to have a product that has a reputation for purposefully breaking installations just for running security updates?
Please consider holding off on removing features for the next major release, 2.4.0 instead. It makes sense to retain, in as much as is possible, feature backwards compatibility across a major release.
Peter
18.03.20, 04:32 CET, Peter:
Please consider holding off on removing features for the next major release, 2.4.0 instead. It makes sense to retain, in as much as is possible, feature backwards compatibility across a major release.
Seconded! That you are going to drop features from the code base that are old and rarely used is understandable. Doing so in a minor release is not.
-- Regards mks
On 19/03/2020 03:56, JAVIER MIGUEL RODRIGUEZ wrote:
I fully agree with this:
Please consider holding off on removing features for the next major release, 2.4.0 instead. It makes sense to retain, in as much as is possible, feature backwards compatibility across a major release.
I'm astonished that features are being removed in a dot release as well, no other major project does this, hell, most don't like adding new features in dot releases let alone stripping them out.
None of the listed changes affect me that I can see, but I've been around a long time and I'm flabbergasted that someone actually approved this on dot release.
Now although there is no real need for them to further upgrade to ensure business continuity, if a serious exploit is released in the wild they highly likely will get bitten. Stripping everything else at once in a new major is perfectly acceptable, and, is the norm.
-- Kind Regards,
Noel Butler
This Email, including attachments, may contain legally privileged information, therefore remains confidential and subject to copyright protected under international law. You may not disseminate any part of this message without the author's express written authority to do so. If you are not the intended recipient, please notify the sender then delete all copies of this message including attachments immediately. Confidentiality, copyright, and legal privilege are not waived or lost by reason of the mistaken delivery of this message.
On 18-03-2020 22:55, Noel Butler wrote:
I'm astonished that features are being removed in a dot release as well, no other major project does this, hell, most don't like adding new features in dot releases let alone stripping them out.
None of the listed changes affect me that I can see, but I've been around a long time and I'm flabbergasted that someone actually approved this on dot release.
Now although there is no real need for them to further upgrade to ensure business continuity, if a serious exploit is released in the wild they highly likely will get bitten. Stripping everything else at once in a new major is perfectly acceptable, and, is the norm.
I have to say that I also cannot understand why you're going to remove features from a dot release. You can give the heads-up here, but it is not common practice and will very likely break a lot of setups.
It's understandable that you want to remove features that are hardly used or maintained, but not in a dot release.
Please reconsider this removal, and remove those features as of the next major release.
-- Kind regards, Rob
Hi!
We appreciate the feedback we have received from everyone, and we have discussed it internally.
The features we are removing are deprecated and should not have been used anymore. They all have alternatives that work equally well if not better.
For the authentication drivers, you can use passwd, pam and Lua as replacements for most of them. Lua in particular allows good integration with just about any external system. VPopmail can be replaced with SQL authentication.
For password schemes, we have a guide: https://wiki2.dovecot.org/HowTo/ConvertPasswordSchemes
Memcached should be replaced with redis.
The expire, autocreate and autosubscribe plugins can be replaced with namespace settings:
namespace {
  mailbox Name {
    auto = create or subscribe
    autoexpunge = value
  }
}
See the mailbox configuration documentation at https://doc.dovecot.org/configuration_manual/namespace/#mailbox-settings.
fts-squat can be replaced with Solr. squat has been considered obsolete (and that has been also indicated in documentation) since at least 2014.
After discussing it internally, we decided to postpone the xz removal for the time being. We understand the complexity of migrating away from it, so we want to give more time to do that. However beware that there are memory management issues in liblzma and we consider it unsafe to use. Feel free to use any of the other supported compression algorithms instead. (We are also adding zstandard support in 2.3.11.)
You can switch your repository configuration to not use the ce-2.3-latest symlink, but rather to use a specific version (e.g., ce-2.3.10) giving you the control about when the system upgrades to a new version without missing out on CVE fixes in updated packages.
Finally, I want to point out that we will be happy if someone wants to start maintaining a feature we are planning to remove.
Aki
For the record, the SQL method will not always work in every environment, and might entail a lot more overhead in some environments than the simpler 'checkpassword' methods.
Q. How many people use the checkpassword method still on this list?
Might recommend that be left in longer, however wave a hand if you need someone to take over support on that end..
-- "Catch the Magic of Linux..."
Michael Peddemors, President/CEO LinuxMagic Inc. Visit us at http://www.linuxmagic.com @linuxmagic A Wizard IT Company - For More Info http://www.wizard.ca "LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
604-682-0300 Beautiful British Columbia, Canada
Hello Aki
Can you elaborate about memory management issues in liblzma & dovecot?
Regards
On 19/03/2020 at 20:07, Aki Tuomi wrote:
After discussing it internally, we decided to postpone the xz removal for the time being. We understand the complexity of migrating away from it, so we want to give more time to do that. However, beware that there are memory management issues in liblzma and we consider it unsafe to use. Feel free to use any of the other supported compression algorithms instead. (We are also adding zstandard support in 2.3.11.)
Additionally, the mbox format will no longer receive new development. It will still be maintained, however its use beyond migrations and other limited use cases will be discouraged.
As someone who digs into instructions to find just the bits and pieces needed to get things going, is there any guidance on how to configure dovecot to use something other than mbox? At the moment, we have postfix delivering mail as normal and then dovecot providing the IMAP layer on top of that mbox file.
Thank you.
Philip
xz compression support for mdbox is used extensively here. Why are you planning to remove it?
Thank-you for the heads-up notification. It is very helpful for planning. Unfortunately we do not allow any languages to be installed on production systems (per the security people).
As we do use autocreate/subscribe plugins, could you please direct us to any workaround for our current use of
plugin {
  autocreate = Sent
  autocreate2 = Drafts
  autocreate3 = SPAM
  autocreate4 = Junk E-mail
  autosubscribe = Sent
  autosubscribe2 = Drafts
  autosubscribe3 = SPAM
  autosubscribe4 = Junk E-mail
  quota = maildir:User quota
  ...
I'm sure that many would appreciate any pointers or advice to any other plugin replacement methods or is the user-base expected to learn lua?
We have used dovecot and greatly appreciate the work that the dovecot team have provided for us. Kind regards, Dewayne.
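Added example (not part of any message in this thread, and not Dovecot project code): a small converter that turns autocreate/autosubscribe plugin settings like those quoted in the message above into the namespace mailbox settings described earlier in the thread. The sample input is constructed from the values in that message, the function names are hypothetical, and the namespace name "inbox" is an assumption; it relies on auto = subscribe also creating the mailbox.

```python
import re

# Constructed sample: the plugin settings quoted in the thread, one per line.
SAMPLE_PLUGIN_CONF = """\
plugin {
  autocreate = Sent
  autocreate2 = Drafts
  autocreate3 = SPAM
  autocreate4 = Junk E-mail
  autosubscribe = Sent
  autosubscribe2 = Drafts
  autosubscribe3 = SPAM
  autosubscribe4 = Junk E-mail
}
"""

# Matches autocreate, autocreate2, ..., autosubscribe, autosubscribe2, ...
SETTING = re.compile(r"^\s*(autocreate|autosubscribe)\d*\s*=\s*(.+?)\s*$")


def collect_mailboxes(plugin_conf):
    """Map mailbox name -> 'create' or 'subscribe', in first-seen order."""
    modes = {}
    for line in plugin_conf.splitlines():
        m = SETTING.match(line)
        if not m:
            continue  # braces, comments and unrelated settings such as quota
        kind, name = m.groups()
        if kind == "autosubscribe":
            modes[name] = "subscribe"  # auto = subscribe also creates
        else:
            modes.setdefault(name, "create")
    return modes


def to_namespace_block(plugin_conf, namespace="inbox"):
    """Render the equivalent namespace { mailbox ... } settings as text."""
    out = ["namespace %s {" % namespace]  # namespace name is an assumption
    for name, mode in collect_mailboxes(plugin_conf).items():
        # Mailbox names containing whitespace must be quoted.
        quoted = '"%s"' % name if re.search(r"\s", name) else name
        out += ["  mailbox %s {" % quoted, "    auto = %s" % mode, "  }"]
    out.append("}")
    return "\n".join(out)


if __name__ == "__main__":
    print(to_namespace_block(SAMPLE_PLUGIN_CONF))
```

The script only needs to run once on an administrator workstation; the generated namespace block is plain Dovecot configuration and requires no interpreter on the mail server.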
------ Original Message ------
[...] To start, the following features are likely to be removed in next few releases of Dovecot. [...]
- mailbox alias plugin
Like autocreate, autosubscribe, and expire - Is there a built-in feature that makes this plugin obsolete?
Daniel
participants (15)
- Aki Tuomi
- Aki Tuomi
- Alessio Cecchi
- Daniel Miller
- Dewayne Geraghty
- JAVIER MIGUEL RODRIGUEZ
- Javier Miguel Rodríguez
- John Stoffel
- Markus Schönhaber
- Michael Peddemors
- Noel Butler
- Peter
- Philip Colmer
- Remo Mattei
- Rob Sterenborg (Lists)