- dovecot - dovecot.org

[Dovecot] SSL certs per listen IP
by Ian P. Christian 21 Dec '08

21 Dec '08

I'd like to host multiple domains though a central dovecot proxy - however, I need to present different certs to different hostnames (which are on different IPs). I can't see a way to this in the documentation, is it possible? thanks, Ian

4 8

[Dovecot] Move mail in Maildir without IMAP
by RW 21 Dec '08

21 Dec '08

I set-up some spam/ham learning folders where a crontab entry learns the mail and them moves it do a different Maildir folder. Unfortunately, since it has a different dovecot-keywords file, any imap flags get changed to unknown-0, unknown-1 etc. I tried the following, but it didn't work mv "${src_ham}"/cur/* "$dest_ham"/new/ cp "${src_ham}"/dovecot-keywords "${dest_ham}" Is there a simple way to do this correctly without going through IMAP? And are there any more serious consequences of moving mail like this, with dovecot imap running on top.

2 3

[Dovecot] Dovecot with LDAP on multiple domains ?
by Guillaume Hilt 20 Dec '08

20 Dec '08

Hello, I intend to set up a mail server for a few domains with Dovecot/Postfix/MySQL/DSPAM and antispam plugin. The better solution to manage users would be to set up a ldap server. So, do anyone have ever set up this kind of server with dovecot ? Any advice that would help me ? Thanks, -- Guillaume Hilt

1 0

[Dovecot] Heartbeat OCF ressource agent
by Mathieu Kretchner 19 Dec '08

19 Dec '08

Hello, I've tried to write an OCF ressource agent in order to manage by the heartbeat way a dovecot server. It seems to work fine. This kind of script could be found in the directory on a CentOS release 5.2 : /usr/lib/ocf/resource.d/ If the attachement isn't working, I've cut and paste the script here : http://www-sop.inria.fr/members/Mathieu.Kretchner/dotclear/index.php/2008/1… #!/bin/bash -p # # $Id: ha-dovecot,v 1.2 2008/12/19 09:32:27 mkretchn Exp $ #---+ Notes ## Cf: http://linux-ha.org/OCFResourceAgent ## http://www.opencf.org/cgi-bin/viewcvs.cgi/specs/ra/resource-agent-api.txt?r… ## /usr/share/heartbeat/crm.dtd #---+ Contexte OCF # Pour execution (status monitor) hors controle de heartbeat if [ -z "$OCF_ROOT" ]; then OCF_ROOT=/usr/lib/ocf fi source ${OCF_ROOT}/resource.d/heartbeat/.ocf-shellfuncs #---+ Actions usage () { echo "Usage: $0 {start|stop|monitor|meta-data|validate-all}" } meta_data () { local rev="$Revision: 1.2 $" rev=${rev#* }; rev=${rev% *} cat <<EOF <?xml version="1.0"?> <!DOCTYPE resource-agent SYSTEM "ra-api-1.dtd"> <resource-agent name="ha-dovecot"> <version>$rev</version> <longdesc lang="en"> dovecot </longdesc> <shortdesc lang="en">dovecot RA</shortdesc> <actions> <action name="start" timeout="1m"/> <action name="stop" timeout="1m"/> <action name="monitor" interval="30s" timeout="20s" start-delay="1m" /> <action name="validate-all" timeout="5s" /> <action name="meta-data" timeout="5s" /> </actions> </resource-agent> EOF } exec="/usr/sbin/dovecot" bin=$(basename $exec) config="/etc/dovecot.conf" start () { [ -x $exec ] || { echo >&2 "** $exec not executable" return $OCF_ERR_GENERIC } [ -f $config ] || { echo >&2 "** $config doesn't exist" return $OCF_ERR_GENERIC } local pid=$(dovecot_pid) if [ "$pid" ]; then echo >&2 "dovecot already running" return $OCF_SUCCESS elif $exec; then local pid=$(dovecot_pid) if [ "$pid" ]; then return $OCF_SUCCESS else echo >&2 "** no dovecot pid" return $OCF_ERR_GENERIC fi else echo >&2 "** $bin fails to start" return $OCF_ERR_GENERIC fi } stop () { local pid=$(dovecot_pid) echo $pid if [ "$pid" ]; then if killpid $pid; then return $OCF_SUCCESS else echo >&2 "** killpid $pid: fails" return $OCF_ERR_GENERIC fi else return $OCF_SUCCESS fi } status () { # Seems to not be used by heartbeat return } monitor () { local pid=$(dovecot_pid) if [ "$pid" ]; then MYSTATUS=`echo ". logout" | nc localhost 143 | grep "ready" | wc -l` if [ "$MYSTATUS" -eq "1" ]; then return $OCF_SUCCESS else return $OCF_ERR_GENERIC fi else return $OCF_NOT_RUNNING fi } validate_all () { return } #---+ Utilitaires dovecot_pid () { pidof $bin } # Check if $pid (could be plural) are running checkpid() { local i for i in $* ; do [ -d "/proc/$i" ] && return 0 done return 1 } killpid () { # Repris depuis /etc/init.d/functions:killproc # killpid <pid> [<delai en secondes>] # FIXME: faire faire ca par lps -k ou autre option? local pid=$1 local delay=${2:-3} # Succes si pas de process checkpid $pid || return 0 # TERM first, then KILL if not dead kill -TERM $pid usleep 100000 if checkpid $pid && sleep 1 && checkpid $pid && sleep $delay && checkpid $pid ; then kill -KILL $pid usleep 100000 fi if checkpid $pid; then return 1 else return 0 fi } #---+ Debug [[ $0 == *bash ]] && return #---+ Main if [ $# -eq 0 ] then usage exit $OCF_ERR_ARGS fi # PATH source /usr/local/bashutil/autoload_lib autoload_lib /usr/local/bashutil/lib/batch case $1 in start) start ;; stop) stop ;; status) status ;; monitor) monitor ;; meta-data) meta_data;; validate-all ) validate_all;; *) usage exit $OCF_ERR_UNIMPLEMENTED ;; esac

1 0

[Dovecot] More info from mail_log plugin
by Bardur Haskor 19 Dec '08

19 Dec '08

HiWe need to track exactly when our users read messages. Unfortunately, I haven't been able to figure out how we can achieve this with Dovecot. Then I saw the mail_log plugin.Is it possible to extend the plugin to also log system flag changes? This would be great, because then we could see in the log files when the Seen flag has been set. Changes in user defined flags would also be interesting to track.I know this would create a lot of log entries, but for us this wouldn't be a problem. Maybe the plugin would default to not tracking flag changes, but could be configured to do so.RegardsBardur Ha Skor _________________________________________________________________ Connect to the next generation of MSN Messenger http://imagine-msn.com/messenger/launch80/default.aspx?locale=en-us&source=…

2 3

[Dovecot] "nopassword" extra field useless with LDAP passdb
by Zohan 19 Dec '08

19 Dec '08

Hi, We are trying to implement a highly secure mail server with user authentication restricted to SSL certificates only (not using passwords at all). Still, user information is stored in a LDAP directory. In this configuration LDAP is used to check whether the user is registered (and probably supply quota and other info), and actual authentication is done by SSL layer. According to wiki, a "nopassword" extra field should be supplied, together with empty password. But there is no way to return an empty password from LDAP, as LDAP simply does not allow "empty attributes"; if an attribute is present, it is not empty. Supplying empty password as a static field (like this: pass_attrs = uid=user,=password=,nopassword) works an odd way, allowing empty password only, not "any password", and most MUAs (including our target Thunderbird) do not allow empty passwords. Log excerpt follows ("1" was entered as a password during POP3 session; static empty password was configured as above): ==================== Dec 9 02:11:15 localhost dovecot: auth(default): ldap(user1,127.0.0.1): pass search: base=ou=People,dc=example,dc=com scope=subtree filter=(&(objectClass=inetOrgPerson)(uid=user1)) fields=uid,nopassword Dec 9 02:11:15 localhost dovecot: auth(default): ldap(user1,127.0.0.1): result: uid(user)=user1 Dec 9 02:11:15 localhost dovecot: auth(default): ldap(user1,127.0.0.1): Password mismatch Dec 9 02:11:15 localhost dovecot: auth(default): ldap(user1,127.0.0.1): PLAIN(1) != '' Dec 9 02:11:17 localhost dovecot: auth(default): client out: FAIL 1 user=user1 Dec 9 02:11:19 localhost dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<user1>, method=PLAIN, rip=127 .0.0.1, lip=127.0.0.1, secured ==================== That's why we now have to maintain a separate passwd-like file with the following contents: user1:::::::nopassword user2:::::::nopassword ... and so on (updating it each time manually as users are added/removed), and use it as passdb. Only this allows true "any password" policy. In fact, the problem seems to be a little bit deeper. In our setup user/password challenge is not needed at all. This is exactly what RFC 4959, "IMAP Extension for Simple Authentication and Security Layer (SASL) Initial Client Response", is about (http://tools.ietf.org/html/rfc4959 , see SASL EXTERNAL example). Are there any plans to implement SASL EXTERNAL mechanism in Dovecot? Thank you! Zohan

3 5

[Dovecot] OT: Looking for a robust IMAP client
by Stewart Dean 19 Dec '08

19 Dec '08

This weekend we had a runaway email endless loop. When it was killed after 18 hours, my inbox had 135,000 messages in it...there were two messages that were being endlessly sent and bounced and I'm on the postmaster alias. Thunderbird was able to do a mass select of one of the two messages, and deleted 65,000, but after that it locked up. I ended up firing up Pine to do the final 65,000...whereas TBird had had mulitple imap sessions (and failed), Pine only had one and did the job. And even after I had done the mass delete of the other 65,000 and the inbox was down to 2000 messages, TBird was still hiding under the covers and telling me there were still 135,000 messages. In the end, I had to kill the TBird profile for that account and recreate it. Is there a simple robust IMAP client to replace Pine (which I *think* is no longer supported)? GUI or TTY session? I'm wondering if there is something we can tell users to use when Things Are Dire. GUI would be better since it removes one of the few remaining reasons for a logon server -- ==== Once upon a time, the Internet was a friendly, neighbors-helping-neighbors small town, and no one locked their doors. Now it's like an apartment in Bed-Stuy: you need three heavy duty pick-proof locks, one of those braces that goes from the lock to the floor, and bars on the windows.... ==== Stewart Dean, Unix System Admin, Bard College, New York 12504 sdean(a)bard.edu voice: 845-758-7475, fax: 845-758-7035

14 19

[Dovecot] [PATCH] drop root privileges on solaris, request for testing
by Andrey Panin 18 Dec '08

18 Dec '08

Hello all, this patch allows master process to drop more root priveleges under Solaris. My limited testing shows that code works, but I'm not sure that defined privilege set is permissive enough for dovecot. Unfortunately I have no root access to our Solaris servers to really test it. So if someone is ready to test this patch please do it :) Best regards.

3 6

[Dovecot] Dovecot imap processes pinning CPU
by David Rosenstrauch 18 Dec '08

18 Dec '08

In recent days, dovecot's "imap" processes keep getting stuck. Each time I check my server (running dovecot 1.1.7) there's a bunch of "imap" processes (sometimes 2 of them, sometimes 4, sometimes 6) that are using all of the box's CPU. And worse, there's no way to kill the processes either (neither kill -15 or kill -9 works), which means that I wind up having to reboot the box every time this happens. REALLY irritating. I don't normally even *see* the imap processes in htop, as I think they're pretty short lived. And I'm not sure what they're looping trying to do. My debugging skills on Linux are a bit weak, and so I don't know how to look at the process and see what it's doing. Also, not sure what's changed on my system to cause this, as this is definitely a recent problem. Maybe the upgrade to Thunderbird 2.0.0.18 (since I usually use T'Bird to access my email). I don't seem to run into this problem when I use Squirrelmail. Anyone have any idea what the problem might be? Or, if not, then suggestions on how I might be able to debug the situation myself? TIA, DR

6 10

[Dovecot] SSL Certificate Authentication
by Anthony Davies 18 Dec '08

18 Dec '08

Hi Guys, I am using the SSL Client Certificate authentication method for my Dovecot instance, however rather then just requiring the client certificate it also prompts me for my user password. My certificate was securely generated on a smart card and is passphrase protected so I would like to stop having to enter my certificate passphrase and my user password to collect my mail. Where abouts in the config file can I resolve this issue? Cheers, Tony Davies

4 5