v2.2.20 release candidate released
http://dovecot.org/releases/2.2/rc/dovecot-2.2.20.rc1.tar.gz
http://dovecot.org/releases/2.2/rc/dovecot-2.2.20.rc1.tar.gz.sig
v2.2.20 probably will be released tomorrow or maybe during the weekend.
- Added mailbox { autoexpunge=<time> } setting. See http://wiki2.dovecot.org/MailboxSettings for details.
- ssl_options: Added support for no_ticket
- imap/pop3/managesieve-login: Added postlogin_socket=path passdb extra field. This allows replacing the default service imap/pop3/managesieve {} settings for specific users (e.g. running their imap process via valgrind or strace).
- doveadm fetch: Added date.sent/received/saved.unixtime
- fs-posix: Added mode=auto parameter to set the created files' and directories' mode based on the parent dir if it has setgid-bit.
- director: Support backends having hostnames, which makes it possible to verify their SSL certificates.
- director: Directors' state became desynchronized if doveadm director commands were used to modify the same backend in multiple directors at the same time with conflicting changes. This fix includes some extra checks, which make sure that if such a conflict still happens it's automatically fixed. In some situations such an automatic fix may now be unnecessarily triggered and an error logged.
- director: Backend tags weren't working correctly.
- ldap: tls_* settings weren't used for ldaps URIs.
- ldap, mysql: Fixed setting connect timeout.
- auth: userdb lookups via auth-worker couldn't change username
- dsync: Fixed handling deleted directories. Make sure we don't go into an infinite mailbox renaming loop.
- imap: Fixed crash in NOTIFY when there were watched namespaces that didn't support NOTIFY.
- imap: After SETMETADATA was used, various commands (especially FETCH) could have started hanging when their output was large.
- stats: Idle sessions weren't refreshed often enough, causing stats process to forget them and log errors about unknown sessions when they were updated later.
- stats: Fixed "Duplicate session ID" errors when LMTP delivered to multiple recipients and fts_autoindex=yes.
- zlib plugin: Fixed copying causing cache corruption when zlib_save wasn't set, but the source message was compressed.
- fts-solr: Fixed escaping Solr query parameters.
- Timo Sirainen tss@iki.fi 2015.12.03 14:51:
- Added mailbox { autoexpunge=<time> } setting. See http://wiki2.dovecot.org/MailboxSettings for details.
namespace inbox {
  mailbox Trash {
    autoexpunge = 5 days
    special_use = \Trash
  }
}
I'm using autoexpunge on the Trash mailbox. Looking at the wiki text I'm unclear on how to limit it to a specific service:
So it may be better to explicitly enable this only inside protocol imap, pop3 and maybe lmtp.
Regards,
Thomas
On 03 Dec 2015, at 16:09, Thomas Leuxner tlx@leuxner.net wrote:
- Timo Sirainen tss@iki.fi 2015.12.03 14:51:
- Added mailbox { autoexpunge=<time> } setting. See http://wiki2.dovecot.org/MailboxSettings for details.
namespace inbox {
  mailbox Trash {
    autoexpunge = 5 days
    special_use = \Trash
  }
}
I'm using autoexpunge on the Trash mailbox. Looking at the wiki text I'm unclear on how to limit it to a specific service:
So it may be better to explicitly enable this only inside protocol imap, pop3 and maybe lmtp.
namespace inbox {
  mailbox Trash {
    special_use = \Trash
  }
}
protocol imap {
  namespace inbox {
    mailbox Trash {
      autoexpunge = 5 days
    }
  }
}
If you want it for other protocols, you'll unfortunately have to just copy&paste the entire block.
- Timo Sirainen tss@iki.fi 2015.12.03 15:27:
protocol imap {
  namespace inbox {
    mailbox Trash {
      autoexpunge = 5 days
    }
  }
}
Thanks.
On 03/12/2015 13:51, Timo Sirainen wrote:
http://dovecot.org/releases/2.2/rc/dovecot-2.2.20.rc1.tar.gz
I see a clash with the pigeonhole 0.4.9 preventing compilation of pigeonhole.
"sieve-settings.c", line 14: identifier redeclared: t_str_trim
    current : static function(pointer to const char) returning pointer to const char
    previous: function(pointer to const char, pointer to const char) returning pointer to const char : "/.../dovecot/strfuncs.h", line 60
pigeonhole src/lib-sieve/sieve-settings.c line 13 says: // FIXME: add to dovecot
Looks like it's added to dovecot but not removed from pigeonhole.
Otherwise it is working for me, I am using 2.2.20.rc1 on a lightly loaded Solaris 10 system.
On 04 Dec 2015, at 11:41, James lista@xdrv.co.uk wrote:
pigeonhole src/lib-sieve/sieve-settings.c line 13 says: // FIXME: add to dovecot
Looks like it's added to dovecot but not removed from pigeonhole.
Stephan will soon release pigeonhole 0.4.10rc for dovecot 2.2.20 that will fix this issue.
Sami
On 03.12.2015 14:51, Timo Sirainen wrote:
http://dovecot.org/releases/2.2/rc/dovecot-2.2.20.rc1.tar.gz http://dovecot.org/releases/2.2/rc/dovecot-2.2.20.rc1.tar.gz.sig
v2.2.20 probably will be released tomorrow or maybe during the weekend.
- ssl_options: Added support for no_ticket
Hello Timo,
great to see that insecure session tickets (violating PFS) can be disabled.
Is it possible to configure the secure session caching mechanism? e.g. like in nginx: https://bjornjohansen.no/optimizing-https-nginx
Thnx.
Ciao, Gerhard
On 05 Dec 2015, at 11:32, Gerhard Wiesinger lists@wiesinger.com wrote:
Is it possible to configure the secure session caching mechanism? e.g. like in nginx: https://bjornjohansen.no/optimizing-https-nginx
I remember hearing about various security vulnerabilities in that earlier. I guess they're fixed now then, unless people find more ways to exploit it. Anyway I'm not sure how useful it would actually even be for most IMAP/POP3 servers, because most clients don't connect all that often. Or I guess it might help some clients that create multiple connections immediately.
Then again, we are planning on adding some HTTP(S)-based services to Dovecot and there it would likely be more useful. So I guess it gets implemented at some point.
On 06.12.2015 13:10, Timo Sirainen wrote:
On 05 Dec 2015, at 11:32, Gerhard Wiesinger lists@wiesinger.com wrote:
Is it possible to configure the secure session caching mechanism? e.g. like in nginx: https://bjornjohansen.no/optimizing-https-nginx
I remember hearing about various security vulnerabilities in that earlier. I guess they're fixed now then, unless people find more ways to exploit it. Anyway I'm not sure how useful it would actually even be for most IMAP/POP3 servers, because most clients don't connect all that often. Or I guess it might help some clients that create multiple connections immediately.
Then again, we are planning on adding some HTTP(S)-based services to Dovecot and there it would likely be more useful. So I guess it gets implemented at some point.
Session tickets are broken by DESIGN as they violate PFS (Perfect Forward Secrecy). If you can steal one AES key (all session tickets are encrypted for server lifetime with only one key) you can decrypt ALL sessions ever made with session tickets for the future. This violates PFS (Perfect Forward Secrecy) as only server side "parameters" are relevant from now on.
Yes, session caching should reduce server load on multiple connections.
See e.g. https://community.qualys.com/thread/15768
Therefore it would be great if you could implement the secure session caching mechanism.
As Gedalya mentioned OCSP would be great, too.
Ciao, Gerhard
On 12/06/2015 07:19 AM, Gerhard Wiesinger wrote:
Session tickets are broken by DESIGN as they violate PFS (Perfect Forward Secrecy). If you can steal one AES key (all session tickets are encrypted for server lifetime with only one key) you can decrypt ALL sessions ever made with session tickets for the future.
I'm in no way an expert or an authority, but it is my understanding that there being only one key for the server's lifetime is not exactly by design, rather (sloppy) implementation. See [0] as an example of at least a discussion on key rotation or even smooth rollover. Perhaps in a perfect world, those who don't find a session cache suitable could instead use a better implementation of session tickets. Until of course someone takes security shaming to the next level and declares session tickets unconditionally evil. Notably, Qualys isn't doing that yet. Even Google is currently otherwise engaged. Superficially speaking, both approaches sound like a matter of securing server memory space and rotating things out frequently.
[0] http://mailman.nginx.org/pipermail/nginx-devel/2013-October/004373.html
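Checking that the no_ticket option discussed above has actually taken effect on a Dovecot IMAPS listener, as an added Python example (not code from the thread or the Dovecot project): it parses the SSL-Session summary that openssl s_client prints and also reports whether the negotiated cipher uses an ephemeral key exchange. The host passed to probe() is a placeholder, and the two transcripts are constructed.

```python
import re
import subprocess

# Added example (not from the thread or Dovecot): parse the "SSL-Session:"
# summary openssl s_client prints, to confirm that ssl_options = no_ticket is
# in effect and that the cipher uses an ephemeral key exchange (forward secrecy).

def parse_s_client(output):
    """Return ticket and cipher facts from an openssl s_client transcript."""
    cipher, lifetime_hint, ticket_issued = None, None, False
    for line in output.splitlines():
        line = line.strip()
        m = re.match(r"Cipher\s*:\s*(\S+)", line)
        if m:
            cipher = m.group(1)
        m = re.match(r"TLS session ticket lifetime hint:\s*(\d+)", line)
        if m:
            lifetime_hint = int(m.group(1))
        # This header (followed by a hex dump) is printed only when the
        # server actually returned a NewSessionTicket message.
        if line.startswith("TLS session ticket:"):
            ticket_issued = True
    # ECDHE-/DHE- suites and every TLS 1.3 suite (TLS_*) use ephemeral keys;
    # plain RSA key exchange (e.g. AES256-SHA) does not.
    forward_secret = bool(cipher) and cipher.startswith(("ECDHE-", "DHE-", "TLS_"))
    return {"cipher": cipher, "forward_secret": forward_secret,
            "ticket_issued": ticket_issued, "lifetime_hint": lifetime_hint}

def probe(host, port=993):
    """Handshake with a live IMAPS listener (host is a placeholder; needs network)."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
        input=b"", capture_output=True, timeout=30)
    return parse_s_client(proc.stdout.decode(errors="replace"))

# Constructed transcript excerpts for offline use; real output is longer.
WITH_TICKET = """SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 6e 8f 2a 11 00 3c 9d e2-7b 44 (constructed)
"""
NO_TICKET = """SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-SHA
    Session-ID: 1F2E3D4C5B6A79880011223344556677
"""
```

With the option in place, `probe("imap.example.com")` should report `ticket_issued` False; a True `forward_secret` is what the PFS argument above requires independently of tickets.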