[courier-users] Fwd: Re: Looking for new Debian maintainers for courier-mta packages

2017-03-28 Thread Mark Constable
Hi Markus, I hope you don't mind me forwarding your email to the courier-users
mailing-list. There are some users there that would be very interested in
up-to-date packages for stretch that would hopefully also filter down to the
ubuntu repos.

 Forwarded Message 
Subject: Re: Looking for new Debian maintainers for courier-mta packages
Date: Tue, 28 Mar 2017 18:56:58 +0200
From: Markus Wanner <mar...@bluegap.ch>
To: Ondřej Surý <ond...@sury.org>, debian-de...@lists.debian.org, Willi Mann 
<wi...@debian.org>, courier-i...@lists.sourceforge.net
CC: Mark Constable <ma...@renta.net>

Hi,

it's certainly a bit late, but I'd like to adopt the courier mta
packages, as stated in the wnpp bugs. (Stumbled over this old mail only
today.)

On 12/06/2016 03:04 PM, Ondřej Surý wrote:
> I have filed RFH (Request for Help) bug on courier package, but nobody
> responded so far. Today I have changed that to RFA (Request for
> Adoption) and I intend to properly orphan the packages before stretch
> release and remove them from next Debian stable release. Well, unless
> somebody comes up and makes a hard promise to take care of all Courier
> MTA till Debian stretch (next stable) end-of-life and becomes
> maintainers.

Well, that's hard to promise, but I'll try to get courier ready for
stretch, in the first place. If that effort isn't successful, it should
better be dropped from stretch.

> Please note that the bug list on src:courier is rather long:
> https://bugs.debian.org/cgi-bin/pkgreport.cgi?repeatmerged=no=courier
> (143 filed bugs) and it will need some time to comb through the list,
> close the non-issues, fix the Debian related bugs and forward the
> appropriate bugs to upstream. I would suggest it might be better this
> would be a team effort.

While I'm a long-time courier user and DD, I clearly don't qualify as a
team. I'd certainly appreciate help and would instantly hand over
maintenance to one.

Kind Regards

Markus Wanner




--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users


Re: [courier-users] Future of Courier MTA

2017-02-18 Thread Mark Constable
On 19/02/17 10:14, Gordon Messmer wrote:
>> Is anyone willing to cooperate with me on fixing Debian-related
>> errors? https://github.com/szepeviktor/courier
>
> Well, I just sent some more patches to the FreeBSD maintainer to
> bring the package up to date. I think I can put in some effort to
> help maintain Courier for Debian. Is Ondřej still the package
> maintainer?

Not really, this explains Ondřej's position...

https://sourceforge.net/p/courier/mailman/message/35535235/




Re: [courier-users] Best practize for $USER -> EMail

2017-01-20 Thread Mark Constable
On 20/01/17 22:22, Michelle Konzack wrote:
> All the users were created on  as "normal" UNIX users
> and their login name is also their email address. So, now you can
> imagine, that this gives problems if  is responsible for
> different  domains, where maybe two users have the same names...

You could go completely virtual and store j...@domain1.tld and
j...@domain2.tld usernames in PG, MySQL or SQLite, along with
different home/maildir paths, quotas and uid/gids.

> Question: Is there a limitation in the number of files or symlinks
> in the /etc/courier/aliases/ directory? I think also on using my
> PostgreSQL for all these aliases and generate only one file
> automated which then run "makealiases" Any suggestions?

System aliases are certainly efficient but if you would consider
running maildrop as the delivery agent then you could "naturally"
split up all user aliasing to each user's home dir dictated by the
above SQL query (not the /etc/passwd homedir, but could be the same.)

maildrop also provides per-user mailfilters which allows for per-user
vacation scripts along with a wide range of flexibility to do just
about anything.



Re: [courier-users] rspamd for courier-mta

2017-01-16 Thread Mark Constable
On 17/01/17 06:59, Ben Kennedy wrote:
>> Has anyone tried this with courier-mta?
>
> I have nothing to contribute except to add my interest to this as
> well. I've been running SpamAssassin for years, but with poorer and
> poorer results, and have been keen to find an alternative.

FWIW atm I only use spamprobe via maildrop using 2 IMAP retraining
folders (super simple setup, no ram hogging daemons) and out of ~30
spams per day I get about 2 or 3 spams per week that get through to
my Inbox. But it's taken a year of training to get to this point.

> I'd not heard of rspamd; looks like it could be the thing.

It's a monster unto itself and the only way I've got it to work is
by installing mailcow-dockerized which I'm trying to "flatten" out
so it doesn't require docker containers. It's not as light as I
hoped it might be but it should be fast being written in C by a
Russian (shades of nginx.) This is its startup state and it will
spawn many more processes under load but it's still only half as
much as spamassassin would use...

ps -eo rss:10,vsz:10,cmd --sort=rss | grep rspamd

   4580 327444 rspamd: hs_helper process
   5648 327436 rspamd: main process
  59664 402564 rspamd: controller process
  60300 478416 rspamd: normal process

In the postfix world it's called via rmilter (which also uses
redis for caching so that is another ram sinkhole)...

main.cf:smtpd_milters = unix:/var/run/rmilter/rmilter.sock

which has this rspamd config option in /etc/rmilter.conf...

spamd {
   extended_spam_headers = yes
   servers = r:localhost:11333;
   reject_message = "Spam message rejected; If this is not spam contact abuse";
   whitelist = 127.0.0.1/32, 192.168.0.0/16, [::1]/128;
   [...]
};

so rspamd is expected on localhost:11333 and runs quite a range
of tests including a Bayesian filter and also uses LUA to provide
a huge level of configurability...

classifier "bayes" {
   tokenizer {
      name = "osb";
   }
   cache {
      path = "${DBDIR}/learn_cache.sqlite";
   }
   statfile {
      symbol = "BAYES_HAM";
      path = "${DBDIR}/bayes.ham.sqlite";
      spam = false;
   }
   statfile {
      symbol = "BAYES_SPAM";
      path = "${DBDIR}/bayes.spam.sqlite";
      spam = true;
   }
   learn_condition =

[courier-users] rspamd for courier-mta

2017-01-13 Thread Mark Constable
I've been looking for a lightweight faster amavisd/spamassassin
replacement for years and generally rely on just SpamProbe so
this is very interesting. Has anyone tried this with courier-mta?

https://rspamd.com/doc/integration.html



Re: [courier-users] Fwd: Looking for new Debian maintainers for courier-mta packages

2016-12-11 Thread Mark Constable
On 11/12/16 23:02, Alessandro Vesely wrote:
> I'm not clear whether Ondřej's changes break compatibility with the
> current package. If aiming at an incompatible repackaging, dropping
> the existing packages and creating new ones can be easier. Call it
> /renaming/ if you like.

They are a significant departure from the original 0.68.2-1ubuntu7
packages in xenial:universe/mail. Not only are Ondřej's packages using
almost current source (0.76.2-1+deb.sury.org~xenial+1) but they have
changed the default user ID from "daemon" to "courier" which essentially
means that a simple upgrade is not really possible.

I spent a lot of time testing Ondřej's packages as he built them and I
could never do a simple upgrade. I always had to completely uninstall
the old packages and start a fresh courier install.

He also amalgamated a few packages so that these ones became redundant...

courier-imap-ssl - Courier mail server - IMAP over SSL [transitional]
courier-maildrop - Courier mail server - mail delivery agent [transitional package]
courier-pop-ssl - Courier mail server - POP3 over SSL [transitional]
courier-ssl - Courier mail server - SSL/TLS Support [transitional]

and their functionality incorporated into the "parent" packages. One
fairly significant change is that the maildrop package binary works a
little differently from the "old" courier-maildrop binary, ie; in
/etc/courier/courierd if one wanted global maildrop delivery then
this workaround was needed...

#DEFAULTDELIVERY="|/usr/bin/maildrop -w 90 -V 1"
DEFAULTDELIVERY='|/usr/bin/maildrop -w 90 -d "${RECIPIENT}"'

Other than clearing out all remnants of the old "daemon" owned files
and directories so the newer "courier" owned components would not be
compromised it all seems to work. Ondřej did an amazing job...

deb http://ppa.launchpad.net/ondrej/courier/ubuntu xenial main

FWIW this is a fairly good history of what Ondřej did to the packages...

https://github.com/oerdnj/deb.sury.org/issues?utf8=%E2%9C%93=is%3Aissue%20is%3Aclosed%20courier

> I propose interested Ubuntu users subscribe here. I reckon
> subscribers of this list, even if not interested in Debian packaging,
> are more likely to occasionally lend some interest on the subject
> than subscribers of Ubuntu- or Debian- devel who are not interested
> in Courier or mail. Am I wrong?

The original packages list...

Maintainer: Ubuntu Developers 
Original-Maintainer: Stefan Hornburg (Racke) 

... so I presume ubuntu-devel-disc...@lists.ubuntu.com has some bearing
on whether the newer packages could ever replace the old ones, which
could only ever formally happen in post-xenial releases.

On 12/12/16 01:03, Sam Varshavchik wrote:
> Although Github's bug tracker is enabled, I don't link to it directly
> from www.courier-mta.org/links.html, only to the mailing lists.
> Courier is stable, and requires very little maintenance. Github's bug
> tracker is there, for anyone that wants to use it.

Well there we go. Maybe it is possible to ask Sam to include the /debian
directories from Ondřej's PPA packages into his Github and personal git
repos so the issue of the canonical (not Canonical) upstream source is
no longer ambiguous?

That should satisfy the Debian/Ubuntu upstream requirements so whoever
was the formal package maintainer would only have to build and submit
the packages direct from Github and a "bunch of us deb using guys" only
have to focus on the QA of that /debian directory which we could mainly
coordinate via the Github issue tracker, and of course this list.




Re: [courier-users] Fwd: Looking for new Debian maintainers for courier-mta packages

2016-12-10 Thread Mark Constable
On 11/12/16 03:09, SZÉPE Viktor wrote:
> On 07/12/16 00:04, Ondřej Surý wrote:
>> I have filed RFH (Request for Help) bug on courier package, but
>> nobody responded so far. Today I have changed that to RFA (Request
>> for Adoption) and I intend to properly orphan the packages before
>> stretch release and remove them from next Debian stable release.
>> Well, unless somebody comes up and makes a hard promise to take
>> care of all Courier MTA till Debian stretch (next stable)
>> end-of-life and becomes maintainers.

This was one of the saddest emails I have ever received.

If my servers ran Archlinux I'd have no problem building from source,
and even maintaining a source package in AUR, but even though I am a
staunch ubuntu-server user I really don't like debs (or rpm) packaging.

I have little choice left but to start testing postfix/dovecot :-(

And so far I really despise what I see after becoming so comfortable
with courier. No SNI (SSL on a single IP) for a start and goodness
knows what else will be awkward to impossible to achieve compared to
the relative ease and unified sanity of the courier suite.

And not least of all the superb effort put in by Sam, and others, on
this list to provide a level of consistent free support rarely seen
elsewhere (in my experience.)

> I could lend a hand to the maintainer for couple of hours/month. I
> am Courier user and I am able to put together simple, lintian-free
> packages
>
> https://github.com/szepeviktor/debian-server-tools/tree/master/security/myattackers-ipsets/ipset-persistent/debian
>
> Though I've never used Debian's source/build infrastructure.

That's very encouraging. I am less experienced with Debian packaging than
you so I'm not sure I can do much to help. It looks like ra...@linuxia.de
has retired from the original Debian packages and Ondřej put in an amazing
effort to re-package the latest source to run under the "courier" user
instead of the previous "daemon" user (more in line with original source).

Some discussion on ubuntu-devel-disc...@lists.ubuntu.com might dig up some
more support and help determine if Ondřej's packages could replace the
current way-too-old barely-on-life-support package set.

> Two things:
> The package has no git source https://packages.qa.debian.org/c/courier.html
> Courier upstream has no bug-tracking system.
>
> I would choose GitHub as a place to store /debian and to communicate
> with upstream.

Unfortunately Sam doesn't seem interested in moving his whole development
system over to Github.



[courier-users] Fwd: Looking for new Debian maintainers for courier-mta packages

2016-12-09 Thread Mark Constable
Apologies if this is a repost but I couldn't find it in the courier-users@ archives.


 Forwarded Message 
Subject: Looking for new Debian maintainers for courier-mta packages
Date: Tue, 06 Dec 2016 15:04:59 +0100
From: Ondřej Surý <ond...@sury.org>
To: debian-de...@lists.debian.org, Willi Mann <wi...@debian.org>, 
courier-i...@lists.sourceforge.net
CC: Mark Constable <ma...@renta.net>

Hi,

TL;DR I am looking for prospective courier-mta maintainers for Courier
MTA packages.

a little history - Mark Constable asked me a while ago if I could
prepare updated Courier MTA packages for Ubuntu PPA. As a part of that I
whipped the courier-authlib, courier-unicode and courier packages up to
modern Debian packages standard and did some more improvements to the
packaging (as privilege separation on separate 'courier' user). I also
merged non-TLS and TLS versions and did some more changes (most of it
could be found in debian/changelog and/or in git log).

I did my best to break as little things as possible, but the changes to
the packages were massive. There's one problem though - I am not active
Courier MTA user, so I can do my best from Debian point of view, but I
am unable to do any extensive testing.

Therefore I am looking for active Courier MTA users that happen to be
either Debian Developers, Debian Maintainers, or just people that would
be happy to learn the Debian Packaging - I would be more than happy to
provide guidance in such case.

I have filed RFH (Request for Help) bug on courier package, but nobody
responded so far. Today I have changed that to RFA (Request for
Adoption) and I intend to properly orphan the packages before stretch
release and remove them from next Debian stable release. Well, unless
somebody comes up and makes a hard promise to take care of all Courier
MTA till Debian stretch (next stable) end-of-life and becomes
maintainers.

Please note that the bug list on src:courier is rather long:
https://bugs.debian.org/cgi-bin/pkgreport.cgi?repeatmerged=no=courier
(143 filed bugs) and it will need some time to comb through the list,
close the non-issues, fix the Debian related bugs and forward the
appropriate bugs to upstream. I would suggest it might be better this
would be a team effort.

Cheers,
-- 
Ondřej Surý <ond...@sury.org>




[courier-users] Alternate and extra IMAP folders

2016-11-16 Thread Mark Constable
I always set up a "standard" set of extra IMAP folders like Sent,
Junk and Trash (plus Drafts, Templates and Archives for Thunderbird
users) but some of our Outlook and Apple Mail user programs are
creating, for instance, "Sent Items", "Junk E-mail" and "Deleted
Items" folders.

Some of these users are not capable of changing anything on their
end other than read and delete messages. Some of them can't even
tell us what program they are using let alone what version!

This is a case in point this morning, this Outlook user can only
see the "Sent Items" folder on her end but when she uses Roundcube
it puts outgoing messages in the Sent folder so both it and "Sent
Items" had messages in them.

~ cat courierimapsubscribed
INBOX.Deleted Items
INBOX.Drafts
INBOX.Junk
INBOX.Junk E-mail
INBOX.Sent
INBOX.Sent Items
INBOX.Trash

Can anyone suggest a sane method to normalize this situation so
there is only a single set of IMAP folders that will work for all
or most client mail programs?

Ie; would it be possible to symlink "Sent Items" to "Sent" so the
user's Outlook/Mail program is happy, Roundcube is happy, and that
courier-imap is happy dealing with one set of "real" folders?

Is it possible to tell courier-imap PER CLIENT which folders to use?

How do you guys deal with this situation?



[courier-users] Ports 465 vs 587

2016-08-14 Thread Mark Constable
Because of arguments like this, and that I do not even want to offer
non-SSL options, I routinely disable ports 143 and 587 and only use
ports 993 and 465 for authenticated user mail...

https://www.agwa.name/blog/post/starttls_considered_harmful

However just now I notice this comment and am now concerned that ie;
port 465 might be deprecated and dropped by future Roundcube updates...

https://github.com/roundcube/roundcubemail/blob/ee895a2c96a33b854c62a5835a7a1fcd24c02b39/config/defaults.inc.php#L251

I guess my question is; how safe is it to continue to rely on NOT
using ports 143/587?



[courier-users] Vhost certificates

2016-07-08 Thread Mark Constable
FWIW I finally got around to testing 0.76.1 with a virtual vhost SSL
(letsencrypt) certificate and it worked!

All I did was create symlinks from /etc/courier/{esmtpd,imapd}.pem.DOMAIN
to the right combined privkey.pem + fullchain.pem for the particular
vhost and Thunderbird worked perfectly.

Brilliant! Thank you Sam :-)

Just checked, Outlook for Android did not work. Anyone know of an Android
mail app that might work with IMAP/ESMTP SNI?




[courier-users] OpenSSL v1.1.0

2016-06-27 Thread Mark Constable
Hi Sam, FWIW Debian "stretch" is currently rebuilding all SSL related
packages based on OpenSSL v1.1.0 which will also flow through to Ubuntu
packages pretty soon. Perhaps you could provide a tweak to help ondrej
build new deb packages, and no doubt this will affect rpm packages too.

> From: Kurt Roeckx 
> To: sub...@bugs.debian.org 
> Subject: courier: FTBFS with openssl 1.1.0
> Date: Sun, 26 Jun 2016 12:21:22 +0200
> 
> Source: courier Version: 0.76.1-3 Severity: important Control: block
> 827061 by -1
> 
> Hi,
> 
> OpenSSL 1.1.0 is about to be released. During a rebuild of all packages
> using OpenSSL this package failed to build. A log of that build can be
> found at:
>
> https://breakpoint.cc/openssl-1.1-rebuild-2016-05-29/Attempted/courier_0.76.1-3_amd64-20160529-1412
>
> On https://wiki.openssl.org/index.php/1.1_API_Changes you can see
> various of the reasons why it might fail. There are also updated man
> pages at https://www.openssl.org/docs/manmaster/ that should contain
> useful information.
> 
> There is a libssl-dev package available in experimental that contains
> a recent snapshot, I suggest you try building against that to see if
> everything works.
> 
> If you have problems making things work, feel free to contact us.
> 
> Kurt

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=828272




Re: [courier-users] Courier is malware

2016-06-02 Thread Mark Constable
On 03/06/16 11:44, Sam Varshavchik wrote:
> If Sourceforge doesn't resolve it tomorrow, or I get an unhelpful
> response, they won't follow-up until Monday; and I'll just replace
> all the links with the direct download links, bypassing Sourceforge's
> banner ads, for now.

FWIW how about replacing SF altogether with...

https://help.github.com/articles/creating-releases/

scriptable API for above...

https://developer.github.com/v3/repos/releases/#create-a-release

and this could also be useful...

https://help.github.com/articles/versioning-large-files/




Re: [courier-users] Disable SSL for esmtpd on port 25

2016-05-29 Thread Mark Constable
On 28/05/16 23:23, Sam Varshavchik wrote:
>> We only use authenticated relaying via 465/SSL and 587/TLS so none
>> of our clients use port 25 for auth/relay. The problem is our client
>> recipient has to contact our support which then asks them for a copy
>> of the error, then I get it, then I have to squirrel around in the
>> mail logs to determine IP/hosts and hope a dig mx finds the right
>> mailserver etc then whitelists that server/mx and cross my fingers
>> I got all that right and our client can continue on their merry way.
> 
> Do you know for sure that the sender bounces the mail if it can't
> negotiate SSL; that the sender does not fallback to unencrypted?

Our recipient client gets a bounce from our server when they try to
send to, for instance, @dss.gov.au so I presume these servers are not
falling back to an unencrypted connection. This is a recent example
of our client trying to send to x...@dss.gov.au...

May 24 12:12:26 s1 courierd: newmsg,id=xxx, auth=xxx: dns; [xxx] ([:::xxx])
May 24 12:12:26 s1 courierd: started,id=xxx,from=,module=esmtp,host=dss.gov.au,addr=
May 24 12:12:27 s1 courieresmtp: id=xxx,from=,addr=: 500 couriertls: connect: error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error
May 24 12:12:27 s1 courieresmtp: id=xxx,from=,addr=,status: failure
May 24 12:12:27 s1 courierd: completed,id=xxx
May 24 12:12:27 s1 courierd: started,id=xxx,from=<>,module=dsn,host=,addr=
May 24 12:12:27 s1 courierd: completed,id=xxx

No real hint of an unencrypted connection in any of the examples I checked.

Other failed domains are...

orica.com
network.pmc.gov.au
bg-group.com
jc.com.au
ecanyons.com




signature.asc
Description: OpenPGP digital signature
--
What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
patterns at an interface-level. Reveals which users, apps, and protocols are 
consuming the most bandwidth. Provides multi-vendor support for NetFlow, 
J-Flow, sFlow and other flows. Make informed decisions using capacity 
planning reports. https://ad.doubleclick.net/ddm/clk/305295220;132659582;e___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
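Added example, not part of the original post and not Courier's own code: the manual step described above (digging through the mail log to find which remote hosts fail the outbound TLS handshake) done as a small Python log summary. The sample lines are constructed in the courierd/courieresmtp layout quoted in the message, with placeholder message ids and reserved .example domains; the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample (not from the thread): same layout as the quoted excerpt.
SAMPLE_LOG = """\
May 24 12:12:26 s1 courierd: started,id=MSG0001,from=<alice@client.example>,module=esmtp,host=legacy-mx.example,addr=<bob@legacy-mx.example>
May 24 12:12:27 s1 courieresmtp: id=MSG0001,from=<alice@client.example>,addr=<bob@legacy-mx.example>: 500 couriertls: connect: error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error
May 24 12:12:27 s1 courieresmtp: id=MSG0001,from=<alice@client.example>,addr=<bob@legacy-mx.example>,status: failure
May 24 12:12:27 s1 courierd: completed,id=MSG0001
May 24 12:20:01 s1 courierd: started,id=MSG0002,from=<alice@client.example>,module=esmtp,host=good-mx.example,addr=<carol@good-mx.example>
May 24 12:20:01 s1 courierd: started,id=MSG0002,from=<alice@client.example>,module=esmtp,host=legacy-mx.example,addr=<dave@legacy-mx.example>
May 24 12:20:02 s1 courieresmtp: id=MSG0002,from=<alice@client.example>,addr=<dave@legacy-mx.example>: 500 couriertls: connect: error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error
May 24 12:20:02 s1 courieresmtp: id=MSG0002,from=<alice@client.example>,addr=<dave@legacy-mx.example>,status: failure
May 24 12:20:03 s1 courierd: completed,id=MSG0002
May 24 12:20:03 s1 courierd: started,id=MSG0003,from=<>,module=dsn,host=,addr=<alice@client.example>
"""

# Outbound delivery attempt: tells us which remote host a message id/recipient maps to.
STARTED = re.compile(
    r"courierd: started,id=(?P<id>[^,]+),from=[^,]*,module=esmtp,"
    r"host=(?P<host>[^,]*),addr=<?(?P<addr>[^>\s]*)>?")
# couriertls handshake failure reported by the outbound ESMTP client.
TLS_ERR = re.compile(
    r"courieresmtp: id=(?P<id>[^,]+),from=[^,]*,addr=<?(?P<addr>[^>:\s]*)>?:"
    r"\s*\d{3} couriertls: connect: (?P<err>.+)$")


def _entry(stats, host):
    return stats.setdefault(host, {"attempts": 0, "tls_failures": 0, "reasons": Counter()})


def summarize(lines):
    """Per remote host: outbound attempts, TLS handshake failures and their reasons."""
    host_of = {}   # (message id, recipient) -> host; one message can fan out to several hosts
    stats = {}
    for line in lines:
        m = STARTED.search(line)
        if m and m["host"]:
            host = m["host"].lower()
            host_of[(m["id"], m["addr"])] = host
            _entry(stats, host)["attempts"] += 1
            continue
        m = TLS_ERR.search(line)
        if m:
            host = host_of.get((m["id"], m["addr"]), "(unknown)")
            # OpenSSL error strings look like error:<code>:<library>:<function>:<reason>
            parts = m["err"].split(":", 4)
            reason = f"{parts[3]}: {parts[4]}" if len(parts) == 5 else m["err"]
            entry = _entry(stats, host)
            entry["tls_failures"] += 1
            entry["reasons"][reason] += 1
    return stats


def failing_hosts(stats):
    """Hosts with at least one TLS failure, worst first: (host, failures, attempts)."""
    rows = [(h, s["tls_failures"], s["attempts"]) for h, s in stats.items() if s["tls_failures"]]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for host, failed, attempts in failing_hosts(summarize(SAMPLE_LOG.splitlines())):
        print(f"{host}: {failed}/{attempts} outbound attempts failed the TLS handshake")
```

Keying on the message id together with the recipient keeps a multi-recipient message from blaming the wrong host for a failure.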


Re: [courier-users] Disable SSL for esmtpd on port 25

2016-05-26 Thread Mark Constable
On 27/05/16 02:20, Matus UHLAR - fantomas wrote:
>> Some lame govt mailservers are still using SSL23...
>> "SSL23_GET_SERVER_HELLO:tlsv1 alert decode error"
>> and rather than whitelist them I'm sure I used to just disable SSL
>> via /etc/courier/esmtpd altogether (currently using v0.68.2)...
>
> why not whitelisting? Why to avoid security just because some can't
> cope with it?

We only use authenticated relaying via 465/SSL and 587/TLS so none
of our clients use port 25 for auth/relay. The problem is our client
recipient has to contact our support which then asks them for a copy
of the error, then I get it, then I have to squirrel around in the
mail logs to determine IP/hosts and hope a dig mx finds the right
mailserver etc then whitelists that server/mx and cross my fingers
I got all that right and our client can continue on their merry way.

I don't know how to check what percentage of port 25 mailserver to
mailserver connections may be SSL encrypted to justify leaving SSL
on port 25 for server to server connections. Would you (or anyone)
have any idea how many mailservers are successfully connecting to
each other via SSL these days?



[courier-users] Disable SSL for esmtpd on port 25

2016-05-26 Thread Mark Constable
I just set up a new server and I can't for the life of me remember,
or find, how to disable SSL on port 25 for general incoming mail?

Some lame govt mailservers are still using SSL23...

SSL23_GET_SERVER_HELLO:tlsv1 alert decode error

and rather than whitelist them I'm sure I used to just disable SSL
via /etc/courier/esmtpd altogether (currently using v0.68.2)...

~ egrep -v "^(#|$)" /etc/courier/esmtpd
PATH=/usr/bin:/bin:/usr/bin:/usr/local/bin
SHELL=/bin/bash
ULIMIT=32768
BOFHCHECKDNS=1
BOFHNOEXPN=1
BOFHNOVRFY=1
TARPIT=1
NOADDMSGID=1
NOADDDATE=1
ESMTP_LOG_DIALOG=0
AUTH_REQUIRED=0
COURIERTLS=/usr/bin/couriertls
TLS_KX_LIST=ALL
TLS_COMPRESSION=ALL
TLS_CERTS=X509
TLS_CERTFILE=/etc/courier/esmtpd.pem
TLS_TRUSTCERTS=/etc/ssl/certs
TLS_VERIFYPEER=NONE
MAILUSER=daemon
MAILGROUP=daemon
BLACKLISTS="-block=zen.spamhaus.org,BLOCK -block=cbl.abuseat.org,BLOCK"
DROP="-drop"
ACCESSFILE=${sysconfdir}/smtpaccess
MAXDAEMONS=40
MAXPERC=5
MAXPERIP=5
PIDFILE=/var/run/courier/esmtpd.pid
TCPDOPTS="-stderrlogger=/usr/sbin/courierlogger -nodnslookup -noidentlookup"
ESMTPAUTH="LOGIN PLAIN CRAM-MD5 CRAM-SHA1 CRAM-SHA256"
ESMTPAUTH_WEBADMIN="LOGIN CRAM-MD5 CRAM-SHA1 CRAM-SHA256"
ESMTPAUTH_TLS=""
ESMTPAUTH_TLS_WEBADMIN="PLAIN LOGIN CRAM-MD5 CRAM-SHA1 CRAM-SHA256"
ESMTPDSTART=YES



Re: [courier-users] How to force quota recalculation ?

2016-05-25 Thread Mark Constable
On 25/05/16 19:00, chaouche yacine wrote:
> I've moved maildirsize to maildirsize- but quota is still shown as
> 209715200 (instead of 64764) even after an authentication lookup
> [...]
>  Authenticated: i.aitah...@domain.tld  (uid 5000, gid 5000)
> Home Directory: /var/vmail
>Maildir: domain.tld/i.aitahmed
>  Quota: 209715200
> Encrypted Password: $1$j5tuqwxC$rsLuOD5v8DDBydp.kBEPf0
> Cleartext Password: (none)
>Options: disableimap=n,disablepop3=n

You are seeing the default quota setting, not the dynamic value
determined by courier as to how full the mailbox currently is.

If anyone is using Thunderbird then RMB on the Inbox and go to
Properties -> Quota and that will give you a real time estimate
AFTER removing the maildirsize file and restarting TB to enforce
a fresh login and scan of the IMAP/POP folders.




Re: [courier-users] How to force quota recalculation ?

2016-05-25 Thread Mark Constable
On 25/05/16 16:38, Matus UHLAR - fantomas wrote:
> so this depends on authdaemon providing that information, e.g. this
> won't work with standard user accounts other than removing quota at
> all...

You're right, not with authpam (and maybe authpipe / authcustom
depending what's returned), but I think all the others have a quota
field...

authmodulelistorig="authuserdb authpam authpgsql authldap authmysql authsqlite authcustom authpipe"




Re: [courier-users] How to force quota recalculation ?

2016-05-25 Thread Mark Constable
On 25/05/16 16:10, Matus UHLAR - fantomas wrote:
> On 25.05.16 12:41, Mark Constable wrote:
>> There may be more elegant solutions but I just simply delete that
>> file and quotawarn. The maildirsize file will be rebuilt soon
>> enough.
>
> isn't quota lost when you lose maildirsize?
> I thought the first line sets the quota...

The quota comes from an authdaemon lookup...

May 25 16:16:01 s2 authdaemond[23816]:
Authenticated: sysusername=, sysuserid=, sysgroupid=,
homedir=/xxx/xxx/markc, address=ma...@renta.net, fullname=,
maildir=, quota=2097152000S, options=

so when there is no maildirsize it gets rebuilt. The proof is that
when maildirmake first creates a user's maildir area there is no
maildirsize file and everything works fine, it simply gets created
if it doesn't exist.




Re: [courier-users] How to force quota recalculation ?

2016-05-24 Thread Mark Constable
On 25/05/16 01:48, chaouche yacine wrote:
> maildirsize shows 200Mb+ of disk usage while du shows only 64Mb. How
> can I ask courier to recalculate the quota and allow this poor user
> to receive mail again ?

There may be more elegant solutions but I just simply delete that file
and quotawarn. The maildirsize file will be rebuilt soon enough.




Re: [courier-users] Let's encrypt

2016-05-13 Thread Mark Constable
On 14/05/16 06:30, SZÉPE Viktor wrote:
> Let's Encrypt also provides you 3 certs: intermediate, public and
> private. Just install them (symlink them) as any other certificate.
> The order is:
>
> # cat "$PRIV" "$PUB" "$INT" > "$COURIER_COMBINED"

FWIW I find that only privkey.pem and fullchain.pem are necessary.

I also use a simple shell wrapper around this to manage my LE certs...

https://github.com/lukas2511/letsencrypt.sh.git

as it has no dependencies on perl or python.



[courier-users] Manipulating outgoing messages

2016-05-04 Thread Mark Constable
We often have a problem with Thunderbird hanging when trying to send
a copy of an outgoing email to the Sent folder. Using RMB -> Properties
-> Repair Folder and Compact seems to generally fix it for a few months.

However it occurred to me that if the original sent message could be
squirreled away to the Sent folder on the server then it would both
solve the hanging problem and save a second round trip to the server
when saving a copy to the Sent folder.

We can do almost anything with incoming mail using maildrop but is
there anything we can do to manipulate outgoing mail, per user?



Re: [courier-users] courier-mta.org website down?

2016-05-03 Thread Mark Constable
On 05/04/16 14:18, Harry Duncan wrote:
> The usual site is missing and I get a cpanel message?

Yikes. I'm not even getting that. Whois and dig/ping work okay
but nothing on port 80 comes up for me.



Re: [courier-users] TLS SNI when Courier is built with OpenSSL

2016-05-03 Thread Mark Constable
Mini followup on success with using 0.76.0.20160430 SNI SSL. I'm
happy to report that Windows10 Outlook works with SNI as does the
Android Outlook client. The Android K9 mail app does not.



Re: [courier-users] I need working nginx configuration for webadmin

2016-05-02 Thread Mark Constable
On 05/02/16 20:14, Matus UHLAR - fantomas wrote:
> and I mean, apache process loads all modules at startup time, which
> means that mod-php is loaded only at the start or reconfigure time,
> and all child processes are created by forking only when servers are
> spawned at:
> - startup
> - increasing number of server processes
> - restarting after MaxRequestsPerChild or MaxConnectionsPerChild hit.

And my point is that every apache process includes the full mod-php
interpreter regardless of whether that process is about to handle a
PHP script or a static file. It's not the startup time that is the
issue (for me) but that a PHP interpreter is included within each
process even if it is not going to be used to interpret a PHP script
(in the case of delivering a non-php static resource).




Re: [courier-users] I need working nginx configuration for webadmin

2016-05-02 Thread Mark Constable
On 05/02/16 19:19, Matus UHLAR - fantomas wrote:
>> A couple of more points, apache with libapache2-mod-php requires
>> the slower pre-forking version of apache and because that module is
>> always loaded for every access
>
> is it? iiuc it's only loaded on apache reload... (unless you tune
> MaxRequestsPerChild/2.2 or MaxConnectionsPerChild/2.4)

I meant the entire libapache2-mod-php module is loaded into ram for
every access to every file no matter if it's a non-php static file
or a php file. Each apache process (+ mod-php) is from 20Mb to 100Mb
regardless of whether it's about to parse a PHP script or not. A nginx
instance is about ~9Mb and delivers a static file up to twice as fast
as apache with mod-php (according to ab testing I did 1/2 dozen years
ago).

I find php-fpm usually runs at 3Mb to 30Mb but sometimes up to 100Mb
for Wordpress with massively complex themes and plugins. So nginx +
php-fpm generally uses less ram than apache + mod-php for PHP scripts
but up to 10 times less ram for static files (css, js, images) and
static files (until cached) far outnumber PHP script access.




Re: [courier-users] TLS SNI when Courier is built with OpenSSL

2016-05-01 Thread Mark Constable
On 04/30/16 11:59, Sam Varshavchik wrote:
>> - courier, courier-imap: add support for TLS SNI when Courier is
>> built with OpenSSL.

I'm happy to report that the 0.76.0.20160430 devel version does indeed
support TLS SNI with OpenSSL.

http://downloads.sourceforge.net/project/courier/courier-devel/20160430/courier-0.76.0.20160430.tar.bz2

~ netstat -tanup | grep couriertcpd
tcp6 0 0 :::993 :::* LISTEN  13053/couriertcpd <-- 13053 for imapd-ssl
tcp6 0 0 :::465 :::* LISTEN  13033/couriertcpd
tcp6 0 0 :::25  :::* LISTEN  13014/couriertcpd

~ strace -s 256 -f -p 13053 2>&1 | grep imapd.pem

Then in another shell use something like this (ubuntu) with your own
domain, OR use a regular mail client (Thunderbird 45.0 definitely works)...

~ TLS_TRUSTCERTS=/etc/ssl/certs TLS_VERIFYPEER=none couriertls \
   -host=mrsam.goldcoast.org -port=993 -verify=mrsam.goldcoast.org

and the result should be similar to this...

13250 access("/etc/courier/imapd.pem.192.168.0.2", R_OK) = -1 ENOENT (No such file or directory)
13250 open("/etc/courier/imapd.pem", O_RDONLY) = 5
13250 open("/etc/courier/imapd.pem", O_RDONLY) = 5
13250 access("/etc/courier/imapd.pem.mrsam.goldcoast.org", R_OK) = 0
13250 access("/etc/courier/imapd.pem.192.168.0.2", R_OK) = -1 ENOENT (No such file or directory)
13250 open("/etc/courier/imapd.pem", O_RDONLY) = 5
13250 open("/etc/courier/imapd.pem", O_RDONLY) = 5
13250 open("/etc/courier/imapd.pem.mrsam.goldcoast.org", O_RDONLY) = 5
13250 open("/etc/courier/imapd.pem.mrsam.goldcoast.org", O_RDONLY) = 5
13250 open("/etc/courier/imapd.pem.mrsam.goldcoast.org", O_RDONLY) = 5

And as a bonus, the above imapd.pem.mrsam.goldcoast.org is symlinked to
a LetsEncrypt certificate that includes a SAN of www.mrsam.goldcoast.org.

Subject: CN=mrsam.goldcoast.org
X509v3 Subject Alternative Name:
   DNS:mrsam.goldcoast.org, DNS:www.mrsam.goldcoast.org

Excellent work Sam and many many thanks.


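Added example (not part of the original post, and not Courier project code): the strace check described above, turned into a filter that reads a capture on stdin and says whether the host-named certificate file was actually opened. The function name, the verdict words and the sample traces (host name, address, pids) are constructed for illustration.

```shell
#!/bin/sh
# Classify a couriertcpd strace capture read from stdin.
# usage: sni_cert_verdict <TLS_CERTFILE base path> <SNI host name> < trace
# Prints one verdict word:
#   sni-cert-served        the host-named file was opened successfully
#   fallback-missing-file  the server probed for it but never opened it
#   fallback-no-sni-probe  the server never looked for a host-named file
sni_cert_verdict() {
    want="$1.$2"          # base path + "." + host name, as in the traces above
    awk -v want="$want" '
        # Match access("..."), open("...") and the openat(AT_FDCWD, "...")
        # form that newer C libraries emit instead of open().
        match($0, /(access|open|openat)\((AT_FDCWD, )?"[^"]+"/) {
            call = substr($0, RSTART, RLENGTH)
            path = call
            sub(/^[^"]*"/, "", path)     # drop everything up to the opening quote
            sub(/"$/, "", path)          # drop the closing quote
            if (path != want) next       # string compare, so dots stay literal
            probed = 1
            failed = ($0 ~ /\) = -1 /)
            if (call ~ /^open/ && !failed) opened = 1
        }
        END {
            if (opened)      print "sni-cert-served"
            else if (probed) print "fallback-missing-file"
            else             print "fallback-no-sni-probe"
        }'
}

# Constructed sample traces, modelled on the strace output quoted in this
# thread (long lines joined, host name and address replaced).
trace_sni_ok() {
cat <<'EOF'
13250 access("/etc/courier/imapd.pem.192.0.2.10", R_OK) = -1 ENOENT (No such file or directory)
13250 open("/etc/courier/imapd.pem", O_RDONLY) = 5
13250 access("/etc/courier/imapd.pem.mail.example.org", R_OK) = 0
13250 open("/etc/courier/imapd.pem.mail.example.org", O_RDONLY) = 5
EOF
}

trace_no_probe() {
cat <<'EOF'
21989 access("/etc/courier/imapd.pem.192.0.2.10", R_OK) = -1 ENOENT (No such file or directory)
21989 open("/etc/courier/imapd.pem", O_RDONLY) = 5
EOF
}

trace_missing_file() {
cat <<'EOF'
30001 access("/etc/courier/imapd.pem.mail.example.org", R_OK) = -1 ENOENT (No such file or directory)
30001 openat(AT_FDCWD, "/etc/courier/imapd.pem", O_RDONLY) = 5
EOF
}

for t in trace_sni_ok trace_no_probe trace_missing_file; do
    printf '%-20s %s\n' "$t" \
        "$($t | sni_cert_verdict /etc/courier/imapd.pem mail.example.org)"
done
```

On a live system the input would be the file written by `strace -s 256 -f -o z -p <pid>`; a `fallback-no-sni-probe` verdict corresponds to the 2016-04-29 trace on this page, where only the IP-suffixed name was tried.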


Re: [courier-users] I need working nginx configuration for webadmin

2016-05-01 Thread Mark Constable
On 05/02/16 03:16, Matus UHLAR - fantomas wrote:
>> Perl kludge suggested on nginx site for running CGI scripts as
>> FastCGI much worse than time-honoured apache.
>
> but what's the point of proxying it from apache? Apache can run cgi
> (and fastcgi, even php as module, not as fastcgi, so php should be
> even faster under apache) too, you don't need nginx.  
>
> if you want nginx, what's the point of apache proxying?

A couple of more points, apache with libapache2-mod-php requires the
slower pre-forking version of apache and because that module is always
loaded for every access it makes sense to use the much faster and
lighter nginx frontend to deliver static files and then proxy to apache
just for php. Also, a lot of web apps expect, or are easier, to use a
.htaccess file which nginx does not handle.

As for running webadmin, and perhaps sqwebmail, the simplest solution
is to use a dedicated instance of lighttpd on another port (assuming
nginx is already in use on 80/443).



Re: [courier-users] TLS SNI when Courier is built with OpenSSL

2016-04-29 Thread Mark Constable
On 29/04/16 22:36, Sam Varshavchik wrote:
>>> I finally have a 0.76.0 ubuntu install to test and trying to get this to
>>> work...
>>>
>>> > - courier, courier-imap: add support for TLS SNI when Courier is built 
>>> > with OpenSSL.
>>>
>>> I've added these vhost settings but no sign the LetsEncrypt certificate is
>>> being delivered to Thunderbird.
>>>
>>> ~ ls -1 /etc/courier/*renta.net
>>> defaultdomain.ded1649.renta.net
>>> dsnfrom.ded1649.renta.net
>>> esmtpd.pem.ded1649.renta.net -> ../ssl/ded1649.renta.net/mailserver.pem
>>> imapd.pem.ded1649.renta.net -> ../ssl/ded1649.renta.net/mailserver.pem
>>> vhost.ded1649.renta.net
>
> Find the pid that's listening on localhost, then run strace on it. In my case 
> it's pid 15018.
>
> # strace -s 256 -f -o z -p 15018
>
> Then, use couriertls like this:
>
> TLS_TRUSTCERTS=/etc/pki/tls/cert.pem TLS_VERIFYPEER=none couriertls \
> -host=localhost -port=143 -protocol=imap -verify=localhost
>
> Fedora installs all trusted certs in /etc/pki/tls/cert.pem; use the 
> equivalent for Debian, Ubuntu, etc…
>
> The connection attempt will fail to verify the "localhost" certificate, of 
> course. That's fine. Then:
>
> # grep imapd.pem z
> 2734  access("/usr/lib/courier-imap/share/imapd.pem.localhost", R_OK) = -1 ENOENT (No such file or directory)
> 2734  access("/usr/lib/courier-imap/share/imapd.pem", R_OK) = 0
> 2734  open("/usr/lib/courier-imap/share/imapd.pem", O_RDONLY) = 10
>
> That shows that the server process tried to open imapd.pem.localhost, first.

Excellent, thank you Sam! Every variation I tried results in...

21989 access("/etc/courier/imapd.pem.xxx.xxx.104.254", R_OK) = -1 ENOENT (No such file or directory)
21989 open("/etc/courier/imapd.pem", O_RDONLY) = 5
21989 open("/etc/courier/imapd.pem", O_RDONLY) = 5

I don't seem to be able to use the -host=localhost parameter to couriertls.

My "netstat -tanup" gives me...

tcp6   0  0 :::465               :::*                  LISTEN      21926/couriertcpd
tcp6   0  0 :::25                :::*                  LISTEN      21895/couriertcpd
tcp6   0  0 :::993               :::*                  LISTEN      21947/couriertcpd
tcp6   0  1 xxx.xxx.104.254:993  xxx.xxx.99.177:54272  FIN_WAIT1   -

Which is odd but the last field does indeed show an ip4 connection.

I used the below as I don't enable STARTTLS on 143 and -host=localhost
results in an almost empty strace dump file (like it's not even hitting
localhost at all)...

~ strace -s 256 -f -o z -p 21947
~ TLS_TRUSTCERTS=/etc/ssl/certs TLS_VERIFYPEER=none couriertls \
   -host=xxx.xxx.104.254 -port=993 -protocol=imap -verify=localhost

And no matter if I use any combination of localhost, ded1649.renta.net or the
IP for -host or -verify I always get the "imapd.pem.xxx.xxx.104.254" result above.

- is a PTR record required for ded1649.renta.net?

- is it possible the 0.76.0 package I am using is missing a build flag?

- anything other than vhost.ded1649.renta.net and imapd.pem.ded1649.renta.net needed?




Re: [courier-users] New courier and courier-imap release

2016-04-29 Thread Mark Constable
I finally have a 0.76.0 ubuntu install to test and trying to get this to
work...

> - courier, courier-imap: add support for TLS SNI when Courier is built with 
> OpenSSL.

I've added these vhost settings but no sign the LetsEncrypt certificate is
being delivered to Thunderbird.

~ ls -1 /etc/courier/*renta.net
defaultdomain.ded1649.renta.net
dsnfrom.ded1649.renta.net
esmtpd.pem.ded1649.renta.net -> ../ssl/ded1649.renta.net/mailserver.pem
imapd.pem.ded1649.renta.net -> ../ssl/ded1649.renta.net/mailserver.pem
vhost.ded1649.renta.net

../ssl/ded1649.renta.net/mailserver.pem does exist and the default one
for the canonical host does work okay.

Are there some other settings I am missing?




Re: [courier-users] esmtproutes (SOLVED)

2016-03-29 Thread Mark Constable
On 30/03/16 13:04, Sam Varshavchik wrote:
>> Anyway, it almost worked... except that I am using LetsEncrypt certificates
>> where I have multiple subdomains of renta.net AND www.renta.net on the
>> destination server and the source server said...
>> 400 couriertls: Mismatched SSL certificate: CN=www.renta.net (expected renta.net)
>
> You need to either build Courier, on both servers, with GnuTLS, or
> use the development builds I currently have up, that add the
> necessary support when Courier is built with OpenSSL.

Yes, I am waiting and hoping Ondřej Surý will build the latest release
as a set of courier dev packages so I can start testing/using this
virtual SSL feature.

> You could also simply specify the smarthost, in both esmtproutes and
> esmtpauthclient, as www.renta.net; this would be the path of least
> resistance.

Sam, you are a genius... so simple... thank you :)

Mar 30 14:23:10 motd courieresmtp[10387]: id=blah,
from=,addr=,size=746,status: success

Now that I can see something working I can tease it into a more sane
state and look into getting a separate renta.net-only certificate.




Re: [courier-users] esmtproutes (was How to disable ipv6)

2016-03-29 Thread Mark Constable
On 30/03/16 01:13, Mark Constable wrote:
> So it seems that maybe courier-mta is trying to use ipv6 and seeing that
> I'm not sure how to set up ipv6 I would like to completely disable
> courier-mta (and imap for that matter) using ipv6 and default to ipv4.

So it seems that, because outgoing ipv4 port 25 is now blocked by the
hosting company, courier-mta managed to at least squeak through an ipv6
connection to the other end that happens to accept ipv6. Cool, but I have
no idea how, or time, to set up ipv6 and most destinations won't accept
ipv6 anyway.

I have to set up a smarthost route to either one of my other courier based
mailservers or mailgun/sendgrid but I've never had to stoop so low before.

I have used ssmtp on a few really small VPSs and I guess that is an option
for me in this case but I am unsure how to integrate incoming port 25
using esmtpd with outgoing via ssmtp.

In looking at esmtproutes I can't see how I can authenticate to port 587/TLS
or 465/SSL on the other end so how do I use esmtproutes...

domain:relay[,port][/SECURITY=STARTTLS][/SECURITY=REQUIRED][/SECURITY=SMTPS]

to emulate something like this setting for ssmtp?

mailhub=smtp.sendgrid.net:587
AuthUser=sendgridusername
AuthPass=sendgridpassword
UseSTARTTLS=YES




[courier-users] How to disable ipv6

2016-03-29 Thread Mark Constable
I have a weird new install where mail comes in okay but trying to send out
just hangs with no real feedback as to why but just now an attempt to send
to Gmail gave me a hint...

"Our system has detected that this message does not meet IPv6 sending
guidelines regarding PTR records and authentication. Please review
https://support.google.com/mail/?p=ipv6_authentication_error for more
information."

So it seems that maybe courier-mta is trying to use ipv6 and seeing that
I'm not sure how to set up ipv6 I would like to completely disable
courier-mta (and imap for that matter) using ipv6 and default to ipv4.

I've set courierd:ESMTP_PREFER_IPV6_MX=0 but what other settings might
influence using ipv6 over ipv4?

Ubuntu xenial (16.04) using courier-mta 0.75.0-17+deb.sury.org~xenial+1



[courier-users] maildrop vs courier-maildrop deb packages

2016-03-19 Thread Mark Constable
I know this is about deb packaging details but someone here might know
the answer to this question. The very latest ubuntu devel packages are
dropping courier-maildrop in favour of just using the maildrop package
and aside from the default /etc/courier/maildroprc moving to
/etc/maildroprc I've noticed another slight difference...

courier-maildrop package, where HOME is from the mysql homedir field...

Mar 17 05:12:19 gc3 authdaemond[7616]:
Authenticated: sysusername=, sysuserid=1001, sysgroupid=1001,
homedir=/home/u/goldcoast.org/home/admin,
address=ad...@goldcoast.org, fullname=, maildir=,
quota=524288000S, options=

Mar 17 05:12:19 gc3 courierlocal[7751]:id=blah,
from=,addr=:
maildrop: Changing to /home/u/goldcoast.org/home/admin

maildrop package, where HOME now seems to be from getent passwd...

Mar 17 06:11:29 gc3 courierlocal[7751]:id=blah,
from=,addr=:
maildrop: Changing to /home/u/goldcoast.org

I have uncommented this in /etc/maildroprc but the above getent HOME
field remains the same...

DEFAULT="$HOME/Maildir"

How can I get back the previous maildrop behaviour where it treats HOME
as from the virtual homedir field rather than the home field in /etc/passwd?



Re: [courier-users] maildrop vs courier-maildrop deb packages

2016-03-19 Thread Mark Constable
On 17/03/16 21:00, Sam Varshavchik wrote:
>> How can I get back the previous maildrop behaviour where it treats
>> HOME as from the virtual homedir field rather than the home field
>> in /etc/passwd?
>
> Most likely by explicitly invoking maildrop with the -d option.

I've read through most of this twice today...

http://www.courier-mta.org/maildrop/maildropfilter.html

but I can't seem to translate that info into how to "explicitly invoke"
the -d option in this particular use case...

./courierd:DEFAULTDELIVERY="|/usr/bin/maildrop -w 90"

Is something like this possible?

DEFAULTDELIVERY="|/usr/bin/maildrop -w 90 -d ${RECIPIENT}"




Re: [courier-users] maildrop vs courier-maildrop deb packages

2016-03-19 Thread Mark Constable
On 18/03/16 12:20, Sam Varshavchik wrote:
> Pedantically, it should be
>
> DEFAULTDELIVERY='|/usr/bin/maildrop -w 90 -V 9 -d "${RECIPIENT}"'
>
> to guard against a wildcard virtual domain alias allowing some clown
> to use an address with shell special characters.

Right, I tried that but when I did not get any debug output to tell me
what "maildrop: Changing to /home/etc" was I assumed that it was not
quite the right incarnation so I kept trying other combinations. Then
I reread your maildrop page again and sure enough...

-V is ignored when maildrop runs in delivery mode.

http://www.courier-mta.org/maildrop/maildrop.html

These 2 paragraphs seem to be the most relevant but at no point is it
obvious WHICH $HOME var is going to be used (getent or virtual) but if
I reread the 2nd paragraph a few more times then it could be obvious
that it was referring to the virtual $HOME (the one I want).

> If a filename is not specified on the command line, or if the -d
> option is used, maildrop will run in delivery mode. In delivery mode,
> maildrop changes to the home directory of the user specified by the
> -d option (or the user who is running maildrop if the -d option was
> not given) and reads $HOME/.mailfilter for filtering instructions.
> $HOME/.mailfilter must be owned by the user, and have no group or
> global permissions (maildrop terminates if it does).

> The -d option can also specify a name of a virtual account or
> mailbox. See the makeuserdb(1) manual page in the Courier
> Authentication library's documentation for more information.

Anyway, it seems to be working. I can set the getent $HOME to be root
owned (so that I can use SFTP/SSH chroots) and still have mail delivered
inside that area to the virtual $HOME as was possible with the
courier-maildrop deb package.

Sam, thank you once again... especially for your pedantic help :-)


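Added example (not from the original posts or from Courier itself): a small shell model of the DEFAULTDELIVERY quoting discussed in this thread, assuming the config line is read by a shell and the stored command is later run by a shell with RECIPIENT set, as Sam describes. `maildrop_stub`, `deliver` and the `cfg_*` helpers are hypothetical names, and the recipient value is constructed.

```shell
#!/bin/sh
# Stand-in for /usr/bin/maildrop (hypothetical): reports what arrived after
# the -d option as "<count>:[arg]:[arg]...".
maildrop_stub() {
    while [ $# -gt 0 ] && [ "$1" != "-d" ]; do shift; done
    if [ $# -gt 0 ]; then shift; fi
    printf '%s' "$#"
    for a in "$@"; do printf ':[%s]' "$a"; done
    printf '\n'
}

# Four spellings of the right-hand side of DEFAULTDELIVERY=, with
# maildrop_stub in place of /usr/bin/maildrop.

# Double quotes outside, bare variable (first attempt in the thread).
cfg_double_bare() { cat <<'EOF'
"|maildrop_stub -w 90 -d ${RECIPIENT}"
EOF
}

# Double quotes outside, single quotes around the variable (second attempt).
cfg_double_inner_single() { cat <<'EOF'
"|maildrop_stub -w 90 -V 9 -d '${RECIPIENT}'"
EOF
}

# Apostrophes outside, bare variable.
cfg_single_bare() { cat <<'EOF'
'|maildrop_stub -w 90 -V 9 -d ${RECIPIENT}'
EOF
}

# Apostrophes outside, double quotes around the variable (the pedantic form).
cfg_single_inner_double() { cat <<'EOF'
'|maildrop_stub -w 90 -V 9 -d "${RECIPIENT}"'
EOF
}

# deliver <config right-hand side> <recipient>
# Stage 1 evaluates the assignment while RECIPIENT is still unset (config
# read time); stage 2 runs the stored command with RECIPIENT set (delivery).
deliver() {
    (
        unset RECIPIENT
        eval "DEFAULTDELIVERY=$1"
        RECIPIENT=$2
        eval "${DEFAULTDELIVERY#?}"      # drop the leading | and run the rest
    )
}

rcpt='odd user@example.org'              # constructed address containing a space
for c in cfg_double_bare cfg_double_inner_single cfg_single_bare cfg_single_inner_double; do
    printf '%-26s %s\n' "$c" "$(deliver "$($c)" "$rcpt")"
done
```

Only the last spelling hands the stub exactly one argument equal to the recipient: the two double-quoted forms lose the value when the line is read, and the bare single-quoted form lets the space split it in two.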


Re: [courier-users] maildrop vs courier-maildrop deb packages

2016-03-19 Thread Mark Constable
On 17/03/16 22:27, Sam Varshavchik wrote:
>> >> How can I get back the previous maildrop behaviour where it treats
>> >> HOME as from the virtual homedir field rather than the home field
>> >> in /etc/passwd?
>> >
>> > Most likely by explicitly invoking maildrop with the -d option.
>>
>> I've read through most of this twice today...
>>
>> http://www.courier-mta.org/maildrop/maildropfilter.html
>>
>> but I can't seem to translate that info into how to "explicitly invoke"
>> the -d option in this particular use case...
>>
>> ./courierd:DEFAULTDELIVERY="|/usr/bin/maildrop -w 90"
>>
>> Is something like this possible?
>>
>> DEFAULTDELIVERY="|/usr/bin/maildrop -w 90 -d ${RECIPIENT}"
>
> Make them apostrophes. You don't want variable expansion at the time
> this setting is read, but rather when this is executed at delivery
> time.

I guess you meant something like this?

DEFAULTDELIVERY="|/usr/bin/maildrop -w 90 -V 9 -d '${RECIPIENT}'"

No difference with every permutation of the above I could think of.

***

To demonstrate the problem in case anyone else knows how to tweak the
regular maildrop deb package to behave like the courier-maildrop package...

courier-maildrop package

Mar 17 05:12:19 gc3 authdaemond[7616]:
Authenticated: sysusername=, sysuserid=1001, sysgroupid=1001,
homedir=/home/u/goldcoast.org/home/admin,
address=ad...@goldcoast.org, fullname=, maildir=,
quota=524288000S, options=

Mar 17 05:12:19 gc3 courierlocal[7751]:id=blah,
from=,addr=:
maildrop: Changing to /home/u/goldcoast.org/home/admin

maildrop package

Mar 17 06:11:29 gc3 courierlocal[7751]:id=blah,
from=,addr=:
maildrop: Changing to /home/u/goldcoast.org




Re: [courier-users] SNI for SSL negotiations

2016-03-02 Thread Mark Constable
>> Would mail clients like Thunderbird need to understand SNI as well
>> or would it be up to only the server daemon to present the right
>> certificate?
>
> Both. SNI is a protocol extension. Both the client and the server
> have to be explicitly coded to support it.

Thanks for the confirmation. According to this posting in 2011 the
author noted that Thunderbird does initiate the SSL handshake with
the hostname in plain text so it probably does do SNI. Promising.

http://forums.mozillazine.org/viewtopic.php?f=39=2316281

I also found this reference so I'll give it a try, even though the
custom Debian packages I use most likely do not use GnuTLS.

***

SNI

If the IMAP server is supposed to work for different domain names,
the TLS extension SNI comes into play. The way how Courier implements
this is:

Set TLS_CERTFILE to a base path, e.g.

TLS_CERTFILE=/etc/ssl/private/imap.pem

The concrete certificates must then be stored in files that are formed
by appending the domain name to the base path, e.g.

/etc/ssl/private/imap.pem.example.com

Courier will look up the correct certificate based on the host name
advertised during the TLS/SNI exchange




Re: [courier-users] SNI for SSL negotiations

2016-03-02 Thread Mark Constable
On 03/03/16 12:37, Sam Varshavchik wrote:
>> Is there any possibility that SNI negotiation can take place when
>> doing SSL handshakes with courier's daemons so that multiple SSL
>> certificates can be used on the same IP?
>
> I haven't yet found the time to investigate what needs to be done
>to support SNI with OpenSSL. OpenSSL's documentation was always
> difficult to decipher overall, good examples are hard to come by.

Okay, close with GnuTLS but not OpenSSL so not completely out of the
question, perhaps. It's just that now LetsEncrypt is becoming popular
it will be super easy to add real certificates to any and all vhosts
on a single server with a single IP.

Would mail clients like Thunderbird need to understand SNI as well
or would it be up to only the server daemon to present the right
certificate?

Might be a vaguely related example here...

https://github.com/nginx/nginx/blob/master/src/http/ngx_http_request.c#L822



[courier-users] SNI for SSL negotiations

2016-03-02 Thread Mark Constable
I think I may have asked this question many years ago but just in
case things have changed. Is there any possibility that some of SNI
negotiation can take place when doing SSL handshakes with courier's
daemons so that multiple SSL certificates can be used on the same IP?



[courier-users] SPF failing again

2016-01-27 Thread Mark Constable
I have another SPF fail and this time it could be courier-mta at fault
because if I check with...

http://mxtoolbox.com/SuperTool.aspx?action=spf%3abounce.s7.exacttarget.com%3a136.147.176.7

it indicates this one should work, but...

Jan 21 15:49:18 s1 courieresmtpd: error,
relay=:::136.147.176.7,
from=:
517 SPF fail 
bounce-4814_html-122269605-10348-7213380-5...@bounce.s7.exacttarget.com:
Address does not pass the Sender Policy Fr...

~ dig txt bounce.s7.exacttarget.com
bounce.s7.exacttarget.com. 14399 IN TXT "spf2.0/pra 
include:cust-senderid.exacttarget.com -all"
bounce.s7.exacttarget.com. 14399 IN TXT "v=spf1 
include:cust-spf.exacttarget.com -all"

~ dig txt cust-senderid.exacttarget.com
cust-spf.exacttarget.com. 190 IN TXT "v=spf1 ip4:64.132.92.0/24 
ip4:64.132.88.0/23 ip4:66.231.80.0/20 ip4:68.232.192.0/20 ip4:199.122.120.0/21 
ip4:207.67.38.0/24 " "ip4:207.67.98.192/27 ip4:207.250.68.0/24 
ip4:209.43.22.0/28 ip4:198.245.80.0/20 ip4:136.147.128.0/20 
ip4:136.147.176.0/20 ip4:13.111.0.0/20 -all"

And sure enough we have an ip4:136.147.176.0/20 range which includes
136.147.176.7, so going by this I would have expected even the bounce above
to pass SPF. It's what caused the bounce I am really trying to track down but
this error is the only thing I have to go on so far.

Is that 'ip4:207.67.38.0/24 " "ip4:207.67.98.192/27' part allowed in an SPF
record?

Or anything obvious I might have missed?

***

Hmm, this is a bit odd...

~ dig bounce.s7.exacttarget.com
bounce.s7.exacttarget.com. 4753 IN A 66.231.91.54

~ dig -x 66.231.91.54
54.91.231.66.in-addr.arpa. 8133 IN PTR mx-in-2.exacttarget.com.

So is it possible courier is rejecting the mismatched forward and reverse
records for the originating domain (but that would be nothing to do with SPF)?



[courier-users] Failing SPF from spf.protection.outlook.com

2016-01-26 Thread Mark Constable
I can't quite work out why this particular example is failing an SPF check.

Jan 27 10:49:46 s1 courieresmtpd: error,
relay=:::104.47.126.51,
from=:
517 SPF fail recept...@.com.au: Address does not pass the Sender Policy 
Framework

The IP is owned by M$ and it returns an outlook.com PTR...

~ dig +short -x 104.47.126.51
mail-pu1apc01on0051.outbound.protection.outlook.com.

Is it at all possible the google-site-verification TXT RR is confusing the
issue?

~ dig +short txt .com.au
"v=spf1 includes:spf.protection.outlook.com -all"
"google-site-verification=IlCUVOxK5F8zXd5ATS9ffkVvBDS1ZkQJT-XXX"

Is it possible that 104.47.126.51 is not part of
includes:spf.protection.outlook.com ?

Or is there something obvious I might be missing?



Re: [courier-users] Failing SPF from spf.protection.outlook.com

2016-01-26 Thread Mark Constable
On 27/01/16 12:20, Sam Varshavchik wrote:
> Use the full dig command. Is this two separate TXT records, or one
> single TXT record with two strings. If google-site-verification is a
> separate TXT record, it will definitely be ignored.

Sorry, yes, it was 2 distinct TXT records...

.com.au. 300 IN TXT "v=spf1 includes:spf.protection.outlook.com -all"
.com.au. 300 IN TXT "google-site-verification=IlCUVOx... etc"

> There are a bunch of nested includes here. Maybe one of them resulted
> in a stalled DNS lookup, and this is configured to be treated as a
> hard failure. The IP address looks fine to me.

I think I see the problem, includes != include...

v=spf1 includes:spf.protection.outlook.com -all

should be...

v=spf1 include:spf.protection.outlook.com -all

The domain admin at .com.au has made a mistake setting up the TXT record.

I hope you don't mind but while I am here would you/anyone mind giving me
a reminder how to "whitelist" the above until they fix the TXT record?


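The two SPF threads above come down to how a v=spf1 record is tokenised: an unknown mechanism name such as "includes" is a syntax error, and a TXT record split into several quoted strings is joined with no separator before parsing. The following is an added example, not code from the posts or from Courier; it follows RFC 7208, evaluates only ip4/ip6/all locally (no DNS lookups), and the function names and the placeholder verification value are assumptions made for illustration.

```python
import ipaddress
import re

MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MODIFIER = re.compile(r"^[A-Za-z][A-Za-z0-9._-]*=")

# TXT data as quoted in the threads (verification value replaced by a placeholder).
OUTLOOK_TXT = [
    '"v=spf1 includes:spf.protection.outlook.com -all"',
    '"google-site-verification=PLACEHOLDER"',
]
EXACTTARGET_TXT = (
    '"v=spf1 ip4:64.132.92.0/24 ip4:64.132.88.0/23 ip4:66.231.80.0/20 '
    'ip4:68.232.192.0/20 ip4:199.122.120.0/21 ip4:207.67.38.0/24 " '
    '"ip4:207.67.98.192/27 ip4:207.250.68.0/24 ip4:209.43.22.0/28 '
    'ip4:198.245.80.0/20 ip4:136.147.128.0/20 ip4:136.147.176.0/20 '
    'ip4:13.111.0.0/20 -all"'
)


def join_txt_strings(rdata):
    """Join the quoted strings of one TXT record with no separator (RFC 7208, 3.3)."""
    parts = re.findall(r'"([^"]*)"', rdata)
    return "".join(parts) if parts else rdata.strip()


def select_spf(txt_rdatas):
    """Keep only v=spf1 records; other TXT records at the same name are ignored."""
    joined = [join_txt_strings(r) for r in txt_rdatas]
    return [t for t in joined if t.lower().split(" ", 1)[0] == "v=spf1"]


def parse_terms(record):
    """Return (qualifier, name, argument) for every mechanism in the record."""
    terms = []
    for term in record.split()[1:]:
        if MODIFIER.match(term):
            continue  # redirect=, exp= and unknown modifiers are not mechanisms
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, arg = re.match(r"([^:/]*)[:/]?(.*)", term).groups()
        terms.append((qualifier, name.lower(), arg))
    return terms


def lint_spf(record):
    """Return the mechanism names that RFC 7208 does not define."""
    return [name for _, name, _ in parse_terms(record) if name not in MECHANISMS]


def evaluate_local(record, client_ip):
    """Evaluate without DNS: pass/fail/softfail/neutral, permerror, or unresolved."""
    ip = ipaddress.ip_address(client_ip)
    if lint_spf(record):
        return "permerror"  # a syntax error anywhere invalidates the whole record
    for qualifier, name, arg in parse_terms(record):
        if name == "all":
            return QUALIFIERS[qualifier]
        if name not in ("ip4", "ip6"):
            return "unresolved"  # include/a/mx/ptr/exists need DNS lookups
        try:
            net = ipaddress.ip_network(arg, strict=False)
        except ValueError:
            return "permerror"
        if net.version == ip.version and ip in net:
            return QUALIFIERS[qualifier]
    return "unresolved" if "redirect=" in record.lower() else "neutral"


if __name__ == "__main__":
    broken = select_spf(OUTLOOK_TXT)[0]
    print(lint_spf(broken), evaluate_local(broken, "104.47.126.51"))
    joined = select_spf([EXACTTARGET_TXT])[0]
    print(evaluate_local(joined, "136.147.176.7"))
```

A result of "unresolved" means the record is syntactically valid but the verdict depends on DNS lookups this sketch does not perform.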


[courier-users] setgid(1) and setuid(1)

2016-01-02 Thread Mark Constable
I know this is not strictly a courier code issue but I'm trying to track
down a permissions issue and from this strace I am getting...

setgid(1)   = 0
getuid()= 0
setgroups(1, [1])   = 0
setuid(1)   = 0
chdir("/usr")   = 0
chdir("/var/lib/courier/tmp")   = 0
[... ending with ...]
sendto(3, "<19>Jan  2 19:05:47 submit: Permission denied", 45, MSG_NOSIGNAL, 
NULL, 0) = 45
unlink("145172/1451725547.16796.goldcoast.org") = -1 EACCES (Permission denied)

but there is nothing in /var/lib/courier/tmp.

My question; does that setgid(1) and setuid(1) mean to change to the
uid:gid of 1:1?

That is daemon:daemon on Debian systems whereas it should be 114:117
on my system for the "courier" user. If so then it would explain why
/var/lib/courier/tmp owned by courier:courier can't be written to by
a program changing to daemon:daemon.

Which probably means the packages I am testing are built with some kind
of internal daemon:daemon permissions whereas all external files are
given courier:courier, ie;...

./esmtpd:MAILGROUP=courier
./esmtpd:MAILUSER=courier



Re: [courier-users] What config option controls -access=

2016-01-01 Thread Mark Constable
On 01/01/16 23:39, Sam Varshavchik wrote:
>> /usr/lib/courier/sbin/imapd references $IMAPACCESSFILE
>
> Right. Looks like a packaging bug. The imapd configuration file
>  should be setting IMAPACCESSFILE.

Thanks Sam and Gordon, I'm actually helping the guy putting some 0.75
*buntu packages together, up from 0.73, and I could not find any
reference to what the -access= arg should be for IMAP. It's only when
I did a "which makeimapaccess" after Gordon's message that the penny
dropped. No doubt it works the same as smtpaccess. Could be handy.

These new 0.75 deb packages for "wily" (15.10) are proving ornery
because the packager has changed uid:gid from the previous "daemon"
user that Debian has used for a decade to the more common "courier"
user (in line with Archlinux and maybe RH/Centos). IMAP is working
okay but I'm seeing strange behavior with esmtpd.

I'll announce the packages here when they pass muster.



[courier-users] What config option controls -access=

2015-12-31 Thread Mark Constable
courier-mta 0.75.0-2+deb.sury.org~wily+2

My /etc/courier/imapd file has ACCESSFILE=/etc/courier/smtpaccess and yet
these 2 daemon instances below show -access=.dat.

Where do I set whatever affects the -access argument?

root 19325  0.0  0.0   4368  1268 ?S14:05   0:00 
/usr/sbin/courierlogger -pid=/var/run/courier/imapd.pid -start -name=imapd 
/usr/sbin/couriertcpd -address=0.0.0.0 -maxprocs=400 -maxperip=200 -access=.dat 
-nodnslookup -noidentlookup 143 /usr/lib/courier/courier/imaplogin 
/usr/bin/imapd Maildir

root 19326  0.0  0.0   6692   788 ?S14:05   0:00 
/usr/sbin/couriertcpd -address=0.0.0.0 -maxprocs=400 -maxperip=200 -access=.dat 
-nodnslookup -noidentlookup 143 /usr/lib/courier/courier/imaplogin 
/usr/bin/imapd Maildir



[courier-users] More recent debian/buntu packages anywhere?

2015-11-18 Thread Mark Constable
I've been using somewhat more recent packages available from here...

deb http://ppa.launchpad.net/ondrej/courier/ubuntu vivid main

but...

courier-mta 0.73.1-1.3+deb.sury.org~vivid+2
courier-imap 4.15-1.3+deb.sury.org~vivid+2
courier-authlib 0.66.3-1+deb.sury.org~wily+2

are still a good deal behind the latest upstream source from Sam and it
seems my plea to update them is not being looked into...

https://github.com/oerdnj/deb.sury.org/issues/136

so is anyone aware of any (PPA of) up-to-date pre-built debs?

I'd normally build from source but the reason I stick to Courier is
because I can whittle it down to run on really small VPS/containers which
are way too small to do a compile.



Re: [courier-users] Unexpected SSL connection shutdown

2015-07-31 Thread Mark Constable
On Fri, 31 Jul 2015 01:07:38 PM Bowie Bailey wrote:
> Apparently, Outlook doesn't like something about my SSL setup. These
> errors and the bounceback errors I have been provided by the sender
> don't give any clues to the actual problem.
>
> I have the protocol set to SSL23, which should allow everything
> according to the comments in the file.  Any suggestions?

There was a patch update to W8-ish a few months ago that disabled
support for SSL3 and we found we had to remove SSL3 altogether to
overcome that problem. I think Sam has dropped SSL3 by default in
the later releases. This is from 0.73.1...

courierd : TLS_CIPHER_LIST=TLSv1:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH
esmtpd : TLS_CIPHER_LIST=TLSv1:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH




[courier-users] PHP Control Panel

2015-07-31 Thread Mark Constable
I've just spent a few days reviewing web control panels again and as
anyone knows who has looked there is nothing that supports courier-mta
out of the box, some support courier-imap (Froxlor, ISPConfig). I have
some code I've written myself but it's such a huge job to write a web
CP from scratch and I've been kicking my code along for 5 or 6 years
now and it's still not to the point where I could use it.

I'm at the point where I really can no longer justify not having either
a free or pay-for (cPanel/WHMCS) web panel system and still remain in
business much longer. The number of clients asking where is the cpanel
is becoming a very real issue but to adopt any of the current crop of
panels means giving up on courier-mta which I have resisted for over a
decade now.

If there is anyone out there that needs/wants a PHP control panel that
includes support for courier-mta then please respond to this thread.



Re: [courier-users] [SOLVED] Recent Windows 8.1 update problem

2015-05-22 Thread Mark Constable
On Fri, 22 May 2015 07:07:13 AM Sam Varshavchik wrote:
>> openssl dhparam -out /etc/ssl/dhparam.pem 2048
>
> mkdhparams already defaults to 2048 bit DH keys.

FWIW, maybe I have an old one but unless I do this I still get a
768bit DH param file...

~ rm /etc/courier/dhparams.pem
~ export DH_BITS=2048; mkdhparams
512 semi-random bytes loaded
Generating DH parameters, 2048 bit long safe prime, generator 2

vs

~ rm /etc/courier/dhparams.pem
~ mkdhparams
512 semi-random bytes loaded
Generating DH parameters, 768 bit long safe prime, generator 2

courier-ssl 0.73.1-1.3+deb.sury.org~utopic+2




Re: [courier-users] [SOLVED] Recent Windows 8.1 update problem

2015-05-22 Thread Mark Constable
On Fri, 22 May 2015 07:07:13 AM Sam Varshavchik wrote:
>> openssl dhparam -out /etc/ssl/dhparam.pem 2048
>
> mkdhparams already defaults to 2048 bit DH keys.

Right, good to know I can install courier first and just use its
dhparam.pem for nginx too.

>> TLS_DHPARAMS=/etc/ssl/dhparam.pem
>> TLS_CIPHER_LIST=TLSv1:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH
>
> It's surprising that having SSLv3 in there makes MS-Windows client
> refuse to connect to the server.

I haven't found any definitive info from them stating they have
dropped support for SSL3 and it only applies to a recently updated
Windows 8.1 machine (to mitigate the POODLE attack I guess.)

All I know is I found an old 768 bit dhparam.pem in use (could have
been 3 or 4 years old) so some combination of 2048 bit certificate,
2048 bit DH key and removal of SSL3 started working for upgraded 8.1
clients.

> But, if MS-Windows is going to force everyone to finally drop SSL3,
> that's fine. I'll drop it from the default configuration too.

FWIW when I use ssllabs.com to test the same certificate via nginx it
lists emulated OS/browsers that rely on SSL3...

Android 2.3.7
IE 6 / XP
IE 8 / XP
Java 6/7/8

No great loss as everything else seems to work with TLS 1.0 or TLS 1.2.

A possible solution for ancient XP users is to insist they use Thunderbird.




Re: [courier-users] [SOLVED] Recent Windows 8.1 update problem

2015-05-22 Thread Mark Constable
A related followup. This looks like the actual MS patch that caused
my particular problem with Outlook users not being able to connect
via SSL after a recent MS update. For some reason I had an old 768
bit dhparams.pem file and this link clearly states that MS will now
only accept a minimum of 1024 bit DH keys...

https://technet.microsoft.com/library/security/MS15-055

So *maybe* it's nothing to do with SSL3 but I'm not game enough to
put SSL3 back on a busy server just to test this out.




[courier-users] [SOLVED] Recent Windows 8.1 update problem

2015-05-21 Thread Mark Constable
On Tue, 19 May 2015 10:07:32 AM Alessandro Vesely wrote:
>> No, but admittedly just a cheap chained certificate...
>
> What's the key length?  This article seems to imply it must be
> = 2048:
> https://www.sophos.com/en-us/support/knowledgebase/122327.aspx

Thanks for this (and Sam's) hint about an older certificate being
at fault. It wasn't the first thing that occurred to me because the
cert had been working up until the W8.1 upgrade and still worked
for all other clients.

However, just installing a new 2048 bit certificate didn't fix
our problem, it also required a 2048 bit DH key exchange and
disabling SSL3 as well...

openssl dhparam -out /etc/ssl/dhparam.pem 2048

and I modified these 2 settings in esmtpd and imapd...

TLS_DHPARAMS=/etc/ssl/dhparam.pem
TLS_CIPHER_LIST=TLSv1:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH

Getting the chained certificates in the right order for nginx
and courier is yet another battle but that depends on the
particular cert in use.




Re: [courier-users] Recent Windows 8.1 update problem

2015-05-18 Thread Mark Constable
On Mon, 18 May 2015 07:03:21 AM Sam Varshavchik wrote:
>> ie; IMAP port 143/none and SMTP port 587/none works for those Windows
>> 8.1 users who have had updates since the 12th May 2015.
>
> Are you using self-signed certificates for IMAP and SMTP?

No, but admittedly just a cheap chained certificate...

openssl s_client -CApath /etc/ssl/certs -connect 202.6.248.6:465
openssl s_client -CApath /etc/ssl/certs -connect 202.6.248.6:993
openssl s_client -CApath /etc/ssl/certs -connect 202.6.248.6:143 -starttls imap
openssl s_client -CApath /etc/ssl/certs -connect 202.6.248.6:587 -starttls smtp

> The IMAP logs you sent show nothing interesting except the Outlook is
> still not handling IMAP namespaces correctly,

Duh.

> and getting some errors, but it does not appear to stop it, it continues
> on its merry way.

Thanks for looking. I suspect the problem is before this at the authdaemon
stage. I guess trying to strace authdaemon might help but getting W8.1 and
Outlook and a similar not-so-busy test server set up is not going to be easy. 



Re: [courier-users] Recent Windows 8.1 update problem

2015-05-18 Thread Mark Constable
On Mon, 18 May 2015 11:35:07 AM Matus UHLAR - fantomas wrote:
>> FWIW we found a workaround for now and that is to disable tls/ssl.
>
> I believe you understand that this is very bad workaround

The only alternative was to ask users to downgrade and disable OS upgrades.

One user had 2Gb of upgrades they were in the process of uninstalling
when we finally got hold of a new laptop and could try various combinations
until, as a last resort, we tried 143/none and 587/none and it worked!

>> ie; IMAP port 143/none and SMTP port 587/none works for those Windows
>> 8.1 users who have had updates since the 12th May 2015.
>
> does the problem apply when trying imap/143/starttls and imaps/993,
> smtp/587/starttls and smtp/465/ssl ?

Yes, anything to do with encryption just stopped working immediately
after these users accepted the W8.1 upgrade.



Re: [courier-users] Recent Windows 8.1 update problem

2015-05-17 Thread Mark Constable
On Sun, 17 May 2015 09:41:47 PM Sam Varshavchik wrote:
>> May 18 10:37:12 s1 courieresmtpd:
>>  error,relay=:::xx.xx.xx.xx,msg=502 ESMTP command error,cmd: DATA
>
> The SMTP error message would not have anything to do with the client's
> failure to talk IMAP. That's a dead end. Unless, for some reason, the client
> makes an smtp connection, for some reason.

As far as I can tell it's happening for SMTP and IMAP but not for POP.

Unfortunately I don't have W8.1 let alone Outlook myself.

And to reiterate, it only started happening after the most recent updates
last week... I guess one of M$s regular patch tuesday updates.

> It's true that there's not a lot to go by. In fact, without the actual error
> being shown – the actual error message, instead of meaningless dribble like
> error 0x800CCC0E – the only party here who could possibly know the answer
> is Microsoft.

Looks like a generic error message...

It is very common to receive the error message 0x800CCC0E when configuring an 
email account in Outlook and trying to send an e-mail, the reason why you get 
the error is because Outlook is not authenticating your account on the server 
while sending it, so the outgoing mail server rejects the message.

The advice is to set up My server requires authentification but all our
users already have this set up. 

> The only way this can be investigated further, is have a controlled
> environment with IMAPDEBUGFILE turned on, to capture what the client is
> sending, and what the response is.

Okay. I am waiting for the next client to call support with this problem
so I can touch imaplog.dat and capture some IMAP transaction details.




[courier-users] Recent Windows 8.1 update problem

2015-05-17 Thread Mark Constable
Hi we are seeing everyone that updated their Windows 8.1 systems last
week no longer be able to authenticate with courier, and it only seems
to be courier at fault which may explain why we have not been able to
google for any solutions other than to advise clients to undo last
week's updates.

I've got a screenshot of the error so I'll manually type it in here...

Task 'Syncronizing subscribed folders for user@domain' reported error
(0x800CCC0E): 'Outlook cannot synchronize subscribed folders for
user@domain. Error: Cannot connect to the server. If you continue
to receive this message, contact your server administrator or ISP.

I think I am seeing way too many of these but it's hard to nail down
which user belongs to which IP when a lot of them are dynamic...

May 18 10:37:12 s1 courieresmtpd:
 error,relay=:::xx.xx.xx.xx,msg=502 ESMTP command error,cmd: DATA

There is not a lot in the logs to go by. courier-mta 0.73, imap 4.15

Is anyone else aware of this problem and or have any info, or better
yet, some kind of workaround/solution?



Re: [courier-users] Recent Windows 8.1 update problem

2015-05-17 Thread Mark Constable
FWIW we found a workaround for now and that is to disable tls/ssl.

ie; IMAP port 143/none and SMTP port 587/none works for those Windows
8.1 users who have had updates since the 12th May 2015.



[courier-users] invalid UIDNEXT value

2015-04-01 Thread Mark Constable
I have no idea if this is a real bug or not but there seems to be a lot of
these in my local desktop logfile output from Kmail which uses the so called
akonadi backend to fetch IMAP messages. This is a FWIW.

akonadi_imap_resource_0(2620) RetrieveItemsTask::onFinalSelectDone: Server bug: 
Your IMAP Server delivered an invalid UIDNEXT value. This is a known problem 
with Courier IMAP.



Re: [courier-users] invalid UIDNEXT value

2015-04-01 Thread Mark Constable
On 02/04/15 09:52, Sam Varshavchik wrote:
> Next, someone pointed out the fact that the client should not assume that
> the client will get a UIDNEXT. This was explicitly documented: If this is
> missing, the client can not make any assumptions about the next unique
> identifier value. So clients should be prepared to deal, gracefully, with
> the absence of the additional messages.
>
> After this was pointed out there were two basic options: 1) Deal with it, 2)
> Reach out and inquire about the possibility of implementing the additional
> messages. The option chosen was a variation of doing #1, and then throwing
> a temper tantrum.

No doubt a lack of IMAP expertise on their end and that the Kolab folks
(where there is some expertise) seem to depend on cyrus, and most other
people seem to use the postfix/dovecot combination.

So are you saying if they tried 2) above that you may have been responsive
with either workaround suggestions (for them) or even some future potential
courier-imap modifications?

If so then may I point to this thread in a KDE bugreport?

I completely missed this because I have been using Thunderbird for a few
years explicitly because their akonadi IMAP backend has been unusable. I
only noticed a day or so ago on a fresh Kubuntu 15.04 install when I tried
kmail/akonadi for a test to see if things have improved (as I have done 2
or 3 times a year for the last 3 or 4 years.) It has improved slightly but
akonadi downloads all headers every time I change folders so it's still
unusable. Kmail used to be a truly excellent client before they introduced
this separate akonadi backend system.




Re: [courier-users] Aliasing

2015-02-28 Thread Mark Constable
On 27/02/15 02:51, Alessandro Vesely wrote:
>> https://github.com/r-a-y/bp-reply-by-email
>
> The 'tag' element of the settings can be changed without forking.

Alessandro, you were dead right. When I went back into the BP Reply By Email
dashboard I noticed an Address Tag Separator setting and when I obviously
changed that from a + to a - it started working with my courier-mta
installation, with a .courier-default in the target users home directory.

So I'm pleased to report that Wordpress + BuddyPress + the Reply-By-Email
plugin does indeed work with courier simply by flipping that Tag setting.



Re: [courier-users] Aliasing

2015-02-26 Thread Mark Constable
On 26/02/15 11:40, Sam Varshavchik wrote:
> But the best course of action is to wrap that third party app,
> somehow, and change the return address to use dashes instead of
> pluses. That would make things much easier.

Thanks, I can see that this is going to be the cleanest approach and
have forked this repo for further investigation...

https://github.com/r-a-y/bp-reply-by-email

It's part of a BuddyPress plugin for Wordpress that extends the bbPress
forum plugin component to allow posting back into a forum via email.

I've just rediscovered Wordpress and am going to look into using it,
or rather its admin interface, to eventually manage anything to do with
Courier. This reply-by-email functionality and this particular plugin
seems like a good place to start.

On 26/02/15 19:44, Matus UHLAR - fantomas wrote:
>> ciab+605e46207a16cd9170493949c2684fb1-...@renta.net
>
> what do you mean like that? Does the string after + change?

Yes. It's a key so the reply from the user can be matched with what's
on the originating server. A bit like a one-time-password (OTP) I guess.

> That means that the app is compatible with sendmail and postfix that
> both use + sign to separate username from additional information.

I suspected as much.

> courier uses - as the separator, so if you could force the application
> to use - instead of +, you could use .courier-default in the ciab's
> home directory.

I'm still unsure how to handle the variable key part...

ciab-#key#-new

> Otherwise, maybe you could switch the application

Yep, as noted above I will try this.

> or try switching to sendmail/postfix.

That is not an option :-)

On 26/02/15 23:26, Alessandro Vesely wrote:
> It is also possible to use an alternative localmailfilter program.
> Using one similar to the one published at http://www.tana.it/sw/rcptfilter/

Interesting code. It seems like a bit of a sledgehammer to solve this
problem but it may come down to it so thanks for the link.





Re: [courier-users] Development

2015-02-15 Thread Mark Constable
On 15/02/15 23:59, Sam Varshavchik wrote:
> Try adding line-height: 1.5 to the CSS for the navigation line, so when it
> wraps on a mobile screen there will be extra spacing between the multiple
> lines.

Bingo! It took a line-height of 1.7 on the whole body to work but now it's
100/100 and no need for any inline-block buttons.

> but, after all, the web site isn't really targeted at mobile devices in
> the first place.

Sure, but it could be. The point of chasing PageSpeed results is that it
ensures the page will load as fast as possible over a 3G network and if it
scores well there then it'll be blisteringly fast via nginx on a non-3G
network... and that is indeed a reasonable goal to chase (page load speed).
 
> The javascript drop-down provides links for navigating between major
> website sub-sections. I'd like to preserve some way of doing that.

See my latest suggestion...

. the h1 logo becomes the Home link
. Intro appended to the home index page
. Install could be appended to the Download page
. Links, Wiki and FAQ links could be added to the Docs page

Compare. One of them does not require pinching and zooming...

https://developers.google.com/speed/pagespeed/insights/?url=courier-mta.org

https://developers.google.com/speed/pagespeed/insights/?url=renta.net/courier

No initial Courier javascript link means that JS can go (better SEF/SEO) and
the CSS is a fairly remarkable 9 lines. Small enough to paste into each page
which avoids the above the fold issue (browser waiting for CSS to load
before being able to render the first visible part of the page).

--
body { font-family: sans-serif; line-height: 1.7; margin: 0 auto; width: 60em; }
h1, h2, h3 { line-height: 1; }
a { text-decoration: none; }
a:hover { text-decoration: underline;}
footer, .gplus { text-align: center; }
.advert { clear: both; }
.copyright { color: #7F7F7F; font-size: 75%; font-style: italic; }
.flag { float: right; margin-left: 0.5em; }
@media only screen and (max-width: 60em) { body { width: 92%; }}
--

Strictly speaking, the a, a:hover, .advert and .copyright could go too,
they're mostly just my personal preferences.

If this is in any way close to being acceptable then it's just the head
header and footer tags that need to go into the other pages and I
certainly don't mind doing that for the static pages.




Re: [courier-users] Development

2015-02-14 Thread Mark Constable
On 15/02/15 01:46, Sam Varshavchik wrote:
> All of this is fixable with trivial CSS tweaking. [...]
> Right. The layout is simple enough so that a complete reengineering
> is overkill.

Totally agree. It's not often I get a chance to work with static pages
and page loading speed trumps glitz in this case. To me the main
problem is what to do with the navigation at the top. If you check
Google PageSpeed results you will see their only complaint (with CSS
and JS inline) is that the buttons are too close together for a touch
device, otherwise it would score 100 on my courier main page suggestion.
I've tried making my buttons even bigger but PageSpeed still won't gimme
100. See size tap targets (passes everything else)...

https://developers.google.com/speed/pagespeed/insights/?url=https://renta.net/courier

I think it comes down to 2 issues, what style for the top nav and then
that probably demands some rearrangement of those links. The first
javascript courier dropdown should go (not bookmarkable or SEF) and
those links get moved... somewhere else. Ie; the top nav links could
be as simple as...

 Home | Download | Documentation (or just Docs)

where Intro and Install get moved as links to the Download page and
FAQ, Wiki (the github one), Links and current dropdown links all get
moved to Documentation.

> For now, I pushed both git repos to github. We'll see what happens
> in the future.

Woohoo, thank you, from me at least :-)

> There are still some Sourceforge services that github can't really
> replace, though. Initially when I looked at it, a while ago, they
> really didn't offer any means of downloading packaged tarballs, only
> tagging commits as releases. Looks like they might have something now.
>
> Github also doesn't have mailing lists.

But not really needed because this current list works and I don't think
there is any reason you can't keep using the SF download service.

One tentative suggestion is to set up a cheap VPS that specializes in
running the latest release of courier and then run these mailing lists
from that instance of courier. It kind of seems appropriate to me to
manage these courier lists using courier-mlm on top of courier-mta :)



Re: [courier-users] Development

2015-02-13 Thread Mark Constable
On 14/02/15 12:19, Sam Varshavchik wrote:
> Sure, and I already link to a Japanese language site that someone maintains.

Okay, cool.

> But out of curiosity – what exactly is the problem with viewing
> www.courier-mta.org from a mobile phone. I just tried it with Firefox
> mobile, and everything looks perfect.

I had only been looking at it by making my FF browser window narrower.

I didn't realize you had an adsense ad up the top!

The top links are a problem and you've gone and added some funky javascript
for a dropdown menu which I never noticed before :)

. would you consider changing the doctype to HTML5?

. would you be averse to adding some CSS3 media queries?

Here's one HTML5 and CSS3 validated attempt of just the front page...

https://renta.net/courier/

My Nexus 5 approves and even Pagespeed is reasonable...

https://developers.google.com/speed/pagespeed/insights/?url=https://renta.net/courier


Re: [courier-users] Development

2015-02-13 Thread Mark Constable
On 12/02/15 23:42, Sam Varshavchik wrote:
>> Would anyone entertain the possibility of updating the web site with a
>> new design?
>
> That anyone would be me. In general, I'm happy to look at proposals for
> tweaks to the web site's appearance. However, two things need to be kept in
> mind:
>
> 1) I'm naturally resistant to radical, inside-out rewrites. I'll be more
> receptive to many, smaller changes, in steps.

Except in the case where a mobile friendly site is required as that would
involve serious re-engineering. I know you would argue it's not required
but a good deal of the rest of us would suggest it is and/or will be in
the coming years.

How would you feel if a few of us took the docfiles and see if we can
come up with a (most likely Bootstrap based) modern website?

What I mean is if we could come up with some system that was mobile
friendly and stay in sync with the canonical site that you could provide
an official link to it from your site?


Re: [courier-users] Courier IMAP connectivity issues with iOS devices

2015-02-13 Thread Mark Constable
On 14/02/15 15:09, Abel Jeffcoat wrote:
> I was wondering if anyone has seen the issue when iOS devices
> cannot connect to the IMAP server? I’m running a Plesk v12
> server with Courier IMAP.

So many different versions etc. One thing we've been caught out with
is that an incorrect profile can get stuck so try asking the client
to completely remove whatever profile it is and set it up from scratch.




Re: [courier-users] Development

2015-02-13 Thread Mark Constable
On 14/02/15 12:47, Zachary Grafton wrote:
> On my mobile at least, with Chrome, the menu is extremely tiny and
> practically impossible to use without zooming in about 15 times.

Yep, that was my main problem too. And slightly annoying was the lack
of a bit of padding down the sides of the body text.

> The nice thing about Bootstrap is that everything is much more
> consistent, especially with fonts and the menu is much easier to use.

I love Bootstrap but the downside is loading time bloat. A CDN can help
but it doesn't avoid having to pull in ~200k inc jQuery at some point.

In the case of Sam's site there are no forms and that is one of the main
benefits of using BS3. A few 100 bytes extra of CSS can provide simple
buttons and a single media query to toggle the body width.

> I was hoping when I asked my initial question that courier was on
> github and I just couldn't find it.

There is actually a courier-contrib repo on Github. I have asked in the
past if Sam would move from Sourceforge to Github but he seems to prefer
the Sourceforge arrangement. It's easier for him to produce the tarballs.

I think it would be practical to ask Sam to at least move the SF wiki
to the courier-contrib project at Github. That might get some more
contributions to much needed how-to documentation (beyond the excellent
but terse reference docs Sam already provides.)




Re: [courier-users] Ports, SSL and STARTTLS for ESMTP

2015-02-07 Thread Mark Constable
On 08/02/15 01:29, Hanno Böck wrote:
> But not sure this is the right place to discuss it, hope we
> don't annoy others with offtopic discussions.

I'm sure there are quite a few of us interested in current best
practices. It's certainly a surprise to me that the old school
SSL port 465 is now basically un-deprecated and has a serious
advantage of avoiding the STRIPSSL attack. I'm now considering
avoiding STARTSSL as a default setup and, if this proves to be
the right strategy, then I thank this thread for the heads up.



Re: [courier-users] autoreply script

2015-02-02 Thread Mark Constable
On 03/02/15 07:34, Bowie Bailey wrote:
> I do something similar with my email when I go on vacation.  In
> addition, I wrap it with a test that looks for spam, list mail, and bulk
> mail headers and does not respond to those.
>
> If you are interested, it looks like this:
>
> if (! (/^X-Spam-Flag: YES/ || /^List-id:/ || /^Precedence: bulk/ || /^Precedence: junk/) )
> {
>     #send autoreply#
> }

Great, excellent addition, thank you Bowie!

https://github.com/svarshavchik/courier-contrib/pull/4
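
An added example, not part of the original thread or of the courier-contrib script: the header test quoted above written as a stand-alone shell function that can sit in front of any autoresponder. It goes slightly beyond the quoted test by also honouring Auto-Submitted (RFC 3834) and Precedence: list; the function name should_autoreply and the sample messages are constructed for illustration.

```shell
#!/bin/sh
# should_autoreply: read one mail message on stdin.
# Exit status 0 = safe to send an automatic reply, 1 = suppress it.
should_autoreply() {
  awk '
    function check(h,    l) {
      l = tolower(h)                       # header names are case-insensitive
      if (l ~ /^x-spam-flag:[ \t]*yes/)             suppress = 1
      if (l ~ /^list-id:/)                          suppress = 1
      if (l ~ /^precedence:[ \t]*(bulk|junk|list)/) suppress = 1
      # RFC 3834: any value other than "no" marks an automatic message.
      if (l ~ /^auto-submitted:/ && l !~ /^auto-submitted:[ \t]*no([ \t;]|$)/)
        suppress = 1
    }
    BEGIN    { suppress = 0 }
             { sub(/\r$/, "") }            # tolerate CRLF line endings
    /^$/     { exit }                      # end of headers: never scan the body
    /^[ \t]/ { hdr = hdr " " $0; next }    # unfold a continuation line
             { check(hdr); hdr = $0 }      # new header starts; test the last one
    END      { check(hdr); exit suppress }
  '
}

# Constructed sample messages (not taken from the thread).
msg_personal() { printf '%s\n' 'From: alice@example.org' 'Subject: lunch?' '' \
  'Precedence: bulk  <- body text, must be ignored'; }
msg_list()     { printf '%s\n' 'From: list@example.org' \
  'List-Id: <users.example.org>' '' 'hello'; }
msg_folded()   { printf '%s\n' 'From: news@example.org' 'Precedence:' \
  '  bulk' '' 'hello'; }
msg_auto()     { printf '%s\n' 'From: bot@example.org' \
  'Auto-Submitted: auto-replied' '' 'I am away'; }

for m in msg_personal msg_list msg_folded msg_auto; do
  if $m | should_autoreply; then echo "$m: reply"; else echo "$m: suppress"; fi
done
```

Matching only inside the header block matters: a body that merely mentions "Precedence: bulk" must not silence a legitimate reply, and a folded header must not slip past the test.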




Re: [courier-users] autoreply script

2015-01-31 Thread Mark Constable
On 31/01/15 18:52, Jan Ingvoldstad wrote:
> Imagine being a recipient of this, and trying to make the flood stop.

Do you know how the courier mailbot program works?

> And imagine forgetting the last lines of the message!

The original message is attached to the autoresponse.

> Unix systems usually come with, or at least have a package for, a program
> for autoresponses.

And how is that meant to work with virtual users?

> This program is called vacation, and it does it just right. It's been
> around since the mid eighties.

If it was suitable I would have been using it for the last 10 years.

The script emulates what I have been doing manually ever since we stopped
using sqwebmail which allowed clients to set up their own auto-responses.

Now this script allows other staff members to setup, edit, enable and
disable auto-responses without requiring me in the loop.



[courier-users] autoreply script

2015-01-30 Thread Mark Constable
I've been meaning to do this for the past decade...

#!/bin/bash
# autoreply 20150130 (C) Mark Constable ma...@renta.net (AGPL-3.0)
#
# A simple vacation autoreply script for courier-mta based mailservers.
#
# Depends on these conditions:
#
# - courier-imap/mta with courier-authdaemon and maildrop is installed
# - nano is installed (and stat, part of the coreutils package)
# - the MAILDIRS variable below is set to the root of your maildir folders
# - the user's .mailfilter is not used for anything else
#
# Usage:
#
# autoreply                   - show simple usage text and exit
# autoreply fi                - find all occurrences of autoreply.txt, and status
# autoreply sh email@address  - show the current autoreply.txt
# autoreply ed email@address  - edit/create an autoreply for email@address
# autoreply en email@address  - enable autoreply for user
# autoreply di email@address  - disable autoreply for user
# autoreply rm email@address  - completely remove users autoreply
#
#set -x

MAILDIRS=/home/u

test -z "$1" && echo "Usage: autoreply sh(ow)|ed(it)|en(able)|di(sable)|rm(remove)|fi(indall) email@address" && exit 1

if [ "$1" = "fi" -a -z "$2" ]; then
  echo "Please be patient while all users are checked..."
  echo
  # .mailfilter = active, mailfilter (no dot) = parked/disabled
  while read -r AUTOREPLY
  do
    HDIR=$(dirname "$AUTOREPLY")
    if [ -f "$HDIR/.mailfilter" ]; then
      ACTIVE="enabled"
    elif [ -f "$HDIR/mailfilter" ]; then
      ACTIVE="disabled"
    else
      ACTIVE="ERROR: mailfilter does not exist"
    fi
    echo "$HDIR $ACTIVE"
  done < <(find "$MAILDIRS" -type f -name autoreply.txt)
  exit 2
elif [ "$1" != "fi" -a -z "$2" ]; then
  echo "Please provide an email address"
  exit 2
fi

# Ask authdaemon where the (virtual) user's home directory is
HOMEDIR=$(authtest "$2" 2>/dev/null | awk '/Home Directory:/ {print $3}')

if [ -z "$HOMEDIR" ]; then
  echo "ERROR: No homedir for $2"
  exit 2
fi

EMAIL=$2

show()
{
  if [ -f "$HOMEDIR/autoreply.txt" ]; then
    if [ -f "$HOMEDIR/.mailfilter" ]; then
      echo "Autoreply currently: Enabled"
      echo
      grep ^SUBJECT "$HOMEDIR/.mailfilter"
    elif [ -f "$HOMEDIR/mailfilter" ]; then
      echo "Autoreply currently: Disabled"
      echo
      grep ^SUBJECT "$HOMEDIR/mailfilter"
    else
      echo "Error: missing mailfilter, remove and re-setup"
    fi
    echo
    cat "$HOMEDIR/autoreply.txt"
  else
    echo "There is no autoreply for $EMAIL"
  fi
}

edit()
{
  if [ ! -f "$HOMEDIR/autoreply.txt" ]; then
    # Write the maildrop filter; \$ and \` are left for maildrop to expand
    cat << EOS > "$HOMEDIR/mailfilter"
MAILTO=escape(\$RECIPIENT)
MAILFROM=escape(\$SENDER)
SUBJECT="Auto responder for $EMAIL"
\`mailbot -t ./autoreply.txt -d ./autoreply -A "To: \$MAILFROM" -A "From: \$MAILTO" -s "\$SUBJECT" -T forwardatt \$SENDMAIL -f \$MAILTO\`
EOS
    echo "Type or paste the vacation autoreply text, ctrl-x to save and quit, and then ENABLE the autoreply when ready"
    echo
    sleep 2
  fi
  nano -t -x -c "$HOMEDIR/autoreply.txt"
  # Hand both files to the owner of the home directory, readable by them only
  MUID=$(stat -c %u "$HOMEDIR")
  MGID=$(stat -c %g "$HOMEDIR")
  chown "$MUID:$MGID" "$HOMEDIR"/{autoreply.txt,mailfilter}
  chmod 600 "$HOMEDIR"/{autoreply.txt,mailfilter}
}

enable()
{
  if [ -f "$HOMEDIR/.mailfilter" ]; then
    echo "Autoreply already enabled"
  elif [ -f "$HOMEDIR/mailfilter" ]; then
    mv "$HOMEDIR/mailfilter" "$HOMEDIR/.mailfilter"
    echo "Autoreply now enabled"
  else
    echo "ERROR: mailfilter to activate autoreply does not exist, use EDIT to create one"
  fi
}

disable()
{
  if [ -f "$HOMEDIR/.mailfilter" ]; then
    mv "$HOMEDIR/.mailfilter" "$HOMEDIR/mailfilter"
    echo "Autoreply now disabled"
  elif [ -f "$HOMEDIR/mailfilter" ]; then
    echo "Autoreply already disabled"
  else
    echo "ERROR: mailfilter to activate autoreply does not exist, use EDIT to create one"
  fi
}

remove()
{
  if [ -f "$HOMEDIR/.mailfilter" ]; then
    echo "Autoreply enabled, please disable first"
  else
    if [ -f "$HOMEDIR/mailfilter" ]; then
      rm "$HOMEDIR/mailfilter"
      echo "Removed $HOMEDIR/mailfilter (autoreply activation script)"
    else
      echo "Problem: no $HOMEDIR/mailfilter"
    fi
    if [ -f "$HOMEDIR/autoreply.txt" ]; then
      rm "$HOMEDIR"/autoreply.*
      echo "Removed $HOMEDIR/autoreply.txt (autoreply autoreply content)"
    else
      echo "Problem: no $HOMEDIR/autoreply.txt"
    fi
  fi
}

case "$1" in
  sh) show ;;
  ed) edit ;;
  en) enable ;;
  di) disable ;;
  rm) remove ;;
  *) echo "Please provide one of sh, ed, en, di, rm, fi" ;;
esac

# Append an audit line: when, who, and which action was run
echo "$(date +'%Y-%m-%d %X') $(whoami) $(basename "$0") $*" >> /var/log/history.log



[courier-users] Kolab?

2015-01-26 Thread Mark Constable
Has anyone managed to get a recent installation of Kolab working with
courier-imap instead of the default cyrus?



[courier-users] Read only mailbox (no deliveries)

2015-01-19 Thread Mark Constable
It's so hot here I can't think. If I wanted to have a read-only
backup mailbox that was populated from an active mailbox by
automatically moving messages older than 30 days from the active
mailbox to the backup mailbox then what would be the easiest
and simplest way to deny incoming deliveries to this alternate
backup mailbox?



[courier-users] Slow sending out port 587

2014-12-15 Thread Mark Constable
Thunderbird often hangs when picking up IMAP (starttls) and I've tried
all manner of tweaks but it still persists BUT now for the past week
trying to send email via port 587 is also taking up to 1 and 2 minutes
before the message actually gets accepted and sent from TB.

I've also been getting a huge amount of these, like 30,000 yesterday,
which I presume are hitting port 25 so I am not sure why these would
affect port 587.

Dec 16 17:01:45 s2 courieresmtpd: dropped blocked connection from :::96.45.25.223

I haven't touched the esmtpd MAXDAEMONS but increased esmtpd-msa 10 fold.

esmtpd MAXDAEMONS=40
esmtpd MAXPERC=5
esmtpd MAXPERIP=5
esmtpd-msa MAXDAEMONS=400
esmtpd-msa MAXPERC=200
esmtpd-msa MAXPERIP=200
esmtpd-ssl MAXDAEMONS=40
esmtpd-ssl MAXPERC=5
esmtpd-ssl MAXPERIP=5
imapd MAXDAEMONS=400
imapd MAXPERC=200
imapd MAXPERIP=200

I guess my question is if port 25 is getting hammered will that also
delay port 587's ability to handle incoming auth'd requests?

Bonus question, aside from fail2ban, has anyone got any rules for iptables
to block/drop on an OS level any courier-related authdaemon logins and
these port 25 access attempts?

courier-base 0.73.1-1.3+deb.sury.org~utopic+1 amd64
courier-imap 4.15-1.3+deb.sury.org~utopic+1 amd64
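
An added example, not part of the original post: tallying the "dropped blocked connection" lines quoted above per source address shows whether the port 25 load comes from a few hosts or from many. The log lines are constructed, using documentation addresses in the ::ffff: IPv4-mapped form, and count_dropped is a hypothetical helper name.

```shell
#!/bin/sh
# count_dropped MIN: read syslog lines on stdin and print "COUNT ADDRESS" for
# every source that courieresmtpd dropped at least MIN times, busiest first.
count_dropped() {
  min=${1:-1}
  awk -v min="$min" '
    / courieresmtpd: dropped blocked connection from / {
      addr = $NF                    # the source address is the last field
      sub(/^::ffff:/, "", addr)     # show IPv4-mapped addresses as plain IPv4
      seen[addr]++
    }
    END {
      for (a in seen)
        if (seen[a] >= min) print seen[a], a
    }
  ' | sort -k1,1nr -k2,2
}

# Constructed sample lines (documentation addresses, not from the post).
sample_log() {
  cat <<'EOF'
Dec 16 17:01:45 s2 courieresmtpd: dropped blocked connection from ::ffff:192.0.2.10
Dec 16 17:01:46 s2 courieresmtpd: dropped blocked connection from ::ffff:198.51.100.7
Dec 16 17:01:46 s2 courieresmtpd: dropped blocked connection from ::ffff:192.0.2.10
Dec 16 17:01:47 s2 cron[812]: unrelated line, must be ignored
Dec 16 17:01:48 s2 courieresmtpd: dropped blocked connection from ::ffff:203.0.113.5
Dec 16 17:01:49 s2 courieresmtpd: dropped blocked connection from ::ffff:198.51.100.7
Dec 16 17:01:50 s2 courieresmtpd: dropped blocked connection from 2001:db8::1
Dec 16 17:01:51 s2 courieresmtpd: dropped blocked connection from ::ffff:192.0.2.10
EOF
}

# Sources seen at least twice in the sample.
sample_log | count_dropped 2
```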



[courier-users] alias user in virtual tables

2014-12-14 Thread Mark Constable
Just a real low priority suggestion that may not be possible but having
to have an extra alias@domain user entry in a virtual password table
has always annoyed me when using the same table with other services.

ATM I am seeing 2 SQL lookups, one to check user id/password and another
one to see if there is an alias@domain whereas the initial lookup could
include one extra field to check for the alias option. Save a SQL query
and also get rid of a lot of otherwise redundant alias database entries.

Surely it would be possible to have the authdaemon check the same users
entry and if there is a boolean yes/no alias column entry in a single
lookup?



Re: [courier-users] smtpaccess and 517 rejects woes

2014-11-28 Thread Mark Constable
On 28/11/14 22:34, Marcin 'Rambo' Roguski wrote:
> Nov 28 12:31:04 goldsmith courieresmtpd: error,relay=:::178.63.50.70,from=-[edited]-@platon.com.pl: 517 HELO mx1.evo.pl does not match :::178.63.50.70

The domain you want to whitelist is platon.com.pl so try...

platon.com.pl allow,RELAYCLIENT,BOFHCHECKDNS=0,BOFHCHECKHELO=0,BOFHNOVRFY=1




Re: [courier-users] Turning accounts into honeypots

2014-11-07 Thread Mark Constable
On 07/11/14 21:52, Sam Varshavchik wrote:
>> Is it possible to add authmysql twice (and have them behave differently)?
>
> Nope. You could list authmysql twice, but each instance uses the same config
> file.

Maybe falling over to different auth backends might work but, Sam, it would
be really neat to somehow have sane multiple auth options. For instance I
would love to have separate imap/pop and smtp auth passwords so if a user's
incoming mail password is compromised the virus/bot still can't send out
using the same account (assuming the user takes advantage of multi passwords).





Re: [courier-users] MYSQL_MAILDIR_FIELD missing

2014-10-03 Thread Mark Constable
On 03/10/14 17:12, Matus UHLAR - fantomas wrote:
> for debian/ubuntu the config dir is /etc/courier/ for all courier packages
> except maildrop... (there's no reason to use /usr/local when the package
> is installed within the OS distribution)

Yes, it's a standard debian layout with packages from ...

https://launchpad.net/~ondrej/+archive/ubuntu/courier

which uses the same debian/rules as the standard older packages except for
a few tweaks for the unicode package and adding SQLite for courier-authlib.

Even though the mysql lookup seems to work (syslog and mysql's general log
both show an otherwise successful sql read) an authtest does fail with the
below so it seems (maybe) just after the db lookup that whatever is next
in the authdaemon pipeline fails...

[pid  9252] socket(PF_LOCAL, SOCK_STREAM, 0) = 6
[pid  9252] fcntl(6, F_SETFL, O_RDONLY|O_NONBLOCK) = 0
[pid  9252] connect(6, {sa_family=AF_LOCAL, sun_path=/var/run/courier/authdaemon/socket}, 110) = 0
[pid  9252] fcntl(6, F_SETFL, O_RDONLY) = 0
[pid  9252] select(7, NULL, [6], NULL, {10, 0}) = 1 (out [6], left {9, 98})
[pid  9252] write(6, PRE . courier ma...@netserva.gol..., 43) = 43
[pid  9252] select(7, [6], NULL, NULL, {30, 0}) = 1 (in [6], left {29, 997494})
[pid  9252] read(6, 0x7fff55064f60, 8191) = -1 EACCES (Permission denied)
[pid  9252] close(6)= 0
[pid  9252] write(1, 450 Service temporarily unavaila..., 37) = 37


It may be an issue with the unprivileged LXC container I am testing and
if that is the case then whatever is the solution or workaround needs to
be sorted out. I will test with a privileged container and a remote VPS
with the same utopic distro and sury packages.




[courier-users] MYSQL_MAILDIR_FIELD missing

2014-10-02 Thread Mark Constable
courier-imap 4.15-1 and courier-authdaemon 0.66.1 on Ubuntu 14.10

I can't for the life of me figure out why MYSQL_MAILDIR_FIELD / maildir
is not returning a value?

Oct  3 11:59:41 netserva authdaemond: SQL query: SELECT username, , password, uid, gid, homedir, , quota, ,  FROM mail_users WHERE username = 'ma...@netserva.goldcoast.org'
Oct  3 11:59:41 netserva authdaemond: Authenticated: sysusername=null, sysuserid=1, sysgroupid=1, homedir=/var/customers/mail/, address=ma...@netserva.goldcoast.org, fullname=null, maildir=null, quota=1S, options=null
Oct  3 11:59:41 netserva authdaemond: Authenticated: clearpasswd=, passwd=null

~ cat /etc/courier/authmysqlrc
MYSQL_CLEAR_PWFIELD     password
MYSQL_DATABASE          netserva
MYSQL_GID_FIELD         gid
MYSQL_HOME_FIELD        homedir
MYSQL_LOGIN_FIELD       username
MYSQL_MAILDIR_FIELD     maildir
MYSQL_PASSWORD
MYSQL_PORT              3306
MYSQL_QUOTA_FIELD       quota
MYSQL_SERVER            127.0.0.1
MYSQL_UID_FIELD         uid
MYSQL_USERNAME          netserva
MYSQL_USER_TABLE        mail_users

~ mysql -BNe "explain mail_users" netserva
id            int(11)        NO   PRI  NULL  auto_increment
email         varchar(255)   NO   UNI
username      varchar(255)   NO
password      varchar(128)   NO
password_enc  varchar(128)   NO
uid           int(11)        NO        0
gid           int(11)        NO        0
homedir       varchar(255)   NO
maildir       varchar(255)   NO
postfix       enum('Y','N')  NO        Y
domainid      int(11)        NO        0
customerid    int(11)        NO        0
quota         varchar(15)    NO        0
pop3          tinyint(1)     NO        1
imap          tinyint(1)     NO        1
mboxsize      bigint(30)     NO        0

~ mysql -BNe "select homedir,maildir from mail_users" netserva
/var/customers/mail/    markc/netserva.goldcoast.org/markc/Maildir

~ ll /var/customers/mail/markc/netserva.goldcoast.org/markc/Maildir
total 0
drwx------ 1 daemon daemon 0 Oct  3 11:28 cur/
drwx------ 1 daemon daemon 0 Oct  3 11:28 new/
drwx------ 1 daemon daemon 0 Oct  3 11:28 tmp/

~ grep DEFAULT /etc/courier/courierd (truncated)
courierd:DEFAULTDELIVERY=| /usr/bin/maildrop
courierd:MAILDROPDEFAULT=./Maildir



Re: [courier-users] MYSQL_MAILDIR_FIELD missing

2014-10-02 Thread Mark Constable
On 03/10/14 12:30, Sam Varshavchik wrote:
>> ~ grep DEFAULT /etc/courier/courierd (truncated)
>> courierd:DEFAULTDELIVERY=| /usr/bin/maildrop
>> courierd:MAILDROPDEFAULT=./Maildir

> What's courierd doing here? You said that you are running the courier-imap
> package, at the beginning.

Well ubuntu's idea of a split courier-imap package that gets installed
along side of courier-mta et al.

> This is probably a packaging issue with different/duplicated packages, using
> different configuration directories.
> ...
> You need to double-check where the Ubuntu package puts things.

All is where Ubuntu/Debian has always put things running as uid:gid 1:1.

Sam, everything is almost working because it would not get this far...

>> Oct  3 11:59:41 netserva authdaemond: Authenticated: sysusername=null,
>> sysuserid=1, sysgroupid=1, homedir=/var/customers/mail/,
>> address=ma...@netserva.goldcoast.org, fullname=null, maildir=null,
>> quota=1S, options=null

I have never used the MYSQL_MAILDIR_FIELD before and as you can see above
the returned maildir=null field is empty. Everything looks right to me
except for the maildir=null part which is preventing (I guess) mail being
added to and fetched from the right user's maildir.

I am using custom built packages from a Ubuntu PPA and testing this in a
lxc container but I am also running exactly the same packages and distro
on my own public server where it's working okay, but on that server I do
not use MYSQL_MAILDIR_FIELD.

I'll try and duplicate the exact same working settings on my public server.



[courier-users] Ubuntu/Debian package dependencies

2014-09-12 Thread Mark Constable
Would anyone happen to know which dependencies of the Ubuntu/Debian
courier packages would force such crazy desktop related junk?

https://github.com/oerdnj/deb.sury.org/issues/18

If anyone on this list would like to cooperate with a lite debian
package then please contact me off-list.



Re: [courier-users] Ubuntu/Debian package dependencies

2014-09-12 Thread Mark Constable
On 12/09/14 16:46, Aidas Kasparas wrote:
>> If anyone on this list would like to cooperate with a lite debian
>> package then please contact me off-list.

> The lite package is not necessary. Problem lies in default
> configuration of apt system -- by default it installs all Recommended
> packages. I always switch that settings off as one of the first tasks
> during install.

Thank you Aidas. I have progressed using your suggestion...

apt-get install --no-install-recommends courier-authdaemon \
  courier-authlib courier-authlib-mysql courier-authlib-sqlite \
  courier-base courier-imap courier-imap-ssl courier-maildrop \
  courier-mta courier-mta-ssl courier-ssl

However the above courier-authlib still depends on expect which brings
in libtcl8.6 and tcl-expect, which I have no intention of using. From...

http://www.courier-mta.org/authlib/README_authlib.html

SqWebMail uses an expect script - as mentioned in the introduction - to
answer interactive prompts from passwd. The expect script expects to get
a plain, garden-variety, passwd command, which acts something like this:
[... example removed ...]
Systems that use a passwd command with very different prompts may find
that the default expect script will fail. In which case it will be
necessary to tweak the expect script to match the prompts from the
system's passwd command.

I would have thought a) expect would be a depends of SqWebMail and not
courier-authlib and b) I would also have used chpasswd from a script
as it's been available in the standard linux passwd package for as long
as I can remember. I have never used expect so maybe there are cases
where it is necessary.

Sam, is there any way that chpasswd could substitute for expect+tcl?

And if not, is it safe to assume that expect should only be a depends
for SqWebMail and not authlib (ie; when sqwebmail is not installed)?



Re: [courier-users] Couriertls SSL Error : no start line

2014-09-04 Thread Mark Constable
On 04/09/14 13:14, [Kreiz IT]Cédric GROSS wrote:
> I just upgraded courier-imap from version 4.12 to 4.15 and now I see in my
> log :

> imapd-ssl: couriertls: /usr/local/etc/courier-imap/ssl/imapds.pem:
> error:0906D06C:PEM routines:PEM_read_bio:no start line

Just a wild guess but do you have symlinks pointing to that pem file
or changed the setting in the imapd-ssl file... maybe permissions.

My ubuntu/debian servers default to...

./imapd-ssl:TLS_CERTFILE=/etc/courier/imapd.pem  (not imapds.pem)





Re: [courier-users] Couriertls SSL Error : no start line

2014-09-04 Thread Mark Constable
On 04/09/14 19:26, [Kreiz IT]Cédric GROSS wrote:
> No symlink. Permission wasn't changed.

> Same config file. Upgrade process changed it but I put back my previous
> config file. I checked diff between config files and only the comments
> differ. So should be ok.

I can't really help other than to suggest moving your current pem files
somewhere safe and create a set of self-signed certs and confirm that
they do work, or not. If they work as expected then it narrows it down
to your copied pem files (pull them into an editor and make sure there
are no spaces or control chars). If there are still some errors with the
self signed certs then it's something to do with courier or SSL/TLS libs.





[courier-users] authdaemond password debugging

2014-09-01 Thread Mark Constable
a) server running Debian 6 w/ courier-authdaemon 0.63.0-3
b) server running Ubuntu 14.04 w/ courier-authdaemon 0.63.0-6ubuntu1

b) server provides the below when a password fails...

Sep  2 11:35:45 s2 authdaemond:
  supplied password 'user_pw' does not match passwd 'db_pw'

a) does not provide the above line even though both have almost exactly
the same settings.

Why is a) not providing the 'does not match' line for failed passwords?


a) egrep -v "^(#|$)" authdaemonrc | sort
authdaemonvar=/var/run/courier/authdaemon
authmodulelist=authmysql
authmodulelistorig="authuserdb authpam authpgsql authldap authmysql authcustom authpipe"
daemons=20
DEBUG_LOGIN=2
DEFAULTOPTIONS=
LOGGEROPTS=

b) egrep -v "^(#|$)" authdaemonrc | sort
authdaemonvar=/var/run/courier/authdaemon
authmodulelist=authmysql
authmodulelistorig="authuserdb authpam authpgsql authldap authmysql authcustom authpipe"
daemons=5
DEBUG_LOGIN=2
DEFAULTOPTIONS=
LOGGEROPTS=





Re: [courier-users] authdaemond password debugging

2014-09-01 Thread Mark Constable
On 02/09/14 12:49, Sam Varshavchik wrote:
>> Sep  2 11:35:45 s2 authdaemond:
>>   supplied password 'user_pw' does not match passwd 'db_pw'

>> a) does not provide the above line even though both have almost exactly
>> the same settings.

>> Why is a) not providing the 'does not match' line for failed passwords?

> account found, password doesn't match, versus account not found.

Sam, thanks for the quick reply but it's a tad too cryptic :-)

In both cases the user exists if that's what you mean.

All I did on both servers, to test, was to change a current user's pw
to something incorrect. Both provided a LOGIN FAILED but a) seemed to
be missing all the extra lines that reveal exactly what the incorrect
passwd is (which is what I am after).



[courier-users] Latest Courier Ubuntu PPA Available

2014-08-29 Thread Mark Constable
Thanks to Ondřej Surý, Ubuntu 12.04, 14.04 and 14.10 users can
now install the latest courier packages directly from a PPA.

https://launchpad.net/~ondrej/+archive/ubuntu/courier

courier-authlib 0.66.1
courier-mta 0.73.1
courier-imap 4.15-1

But no courier-authlib-sqlite package so I'll CC Ondřej.

Issues can be filed here so if anyone has a patch to also create
a courier-authlib-sqlite debian package then please post it to...

https://github.com/oerdnj/deb.sury.org/issues



[courier-users] Separate service passwords

2014-08-15 Thread Mark Constable
Most of our brute force password attacks are against our pop service
and some of our breaches are where gullible clients respond to various
claims about "give us your details or you will lose your account",
of which some recent spams were even branded with our domain name so
they would always look convincing to 1% or 2% of our clients.

Once the user's pop/imap details are uncovered then they are used to
access the smtp ports to send out authenticated mail. Now we notice
there is a recent tendency to send out very slowly from a large range
of IPs (a botnet, particularly from South America) so the obvious
pump and dump of yesteryear is not detected and can go on for weeks
until we manually notice suspicious behaviour in the mail logs. The
only good thing about this recent trend, to stealthily send out spam
at roughly the frequency of a human, is that it does not land us on a
blacklist.

Anyway, one thing that would help mitigate this is to have separate
passwords for pop, imap and smtp servers and maybe even different ones
for each port in use.

Just to be able to have two passwords, one for incoming mail and
a different one for outgoing mail, could make a difference so any
suggestions how to allow our clients to use different passwords for
the different courier-authdaemon family of services?

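Added example (not part of the post above): one way to surface the slow,
many-source sending pattern described there is to count distinct client
networks per authenticated account over a long window instead of counting
messages. The (time, account, client IP) tuples are assumed to have been
extracted from the mail logs already; the thresholds, account names and
addresses are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress


def network_of(ip, prefix=24):
    """Collapse an IPv4 address to its enclosing network (a /24 by default)."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def find_distributed_senders(events, window=timedelta(days=7), max_networks=5):
    """events: (datetime, account, client_ip) tuples sorted by time.

    Returns {account: peak} for every account whose authenticated sends came
    from more than max_networks distinct networks inside any one window.
    Message volume is deliberately ignored: the pattern is low and slow.
    """
    recent = defaultdict(deque)   # account -> (time, network) still in window
    peak = defaultdict(int)       # account -> most networks seen in a window
    for when, account, ip in events:
        seen = recent[account]
        seen.append((when, network_of(ip)))
        while when - seen[0][0] > window:
            seen.popleft()
        peak[account] = max(peak[account], len({net for _, net in seen}))
    return {acct: n for acct, n in peak.items() if n > max_networks}


def sample_events():
    """Constructed data: one compromised account, one ordinary account."""
    start = datetime(2014, 8, 1, 8, 0)
    events = []
    # Compromised: one message every 6 hours, each from a different /24.
    for i in range(20):
        events.append((start + timedelta(hours=6 * i),
                       "victim@example.com", f"198.18.{i}.25"))
    # Ordinary: twice the volume, but only ever from two networks.
    for i in range(40):
        ip = "192.0.2.10" if i % 2 else "203.0.113.7"
        events.append((start + timedelta(hours=3 * i),
                       "staff@example.com", ip))
    return sorted(events)


if __name__ == "__main__":
    for account, nets in find_distributed_senders(sample_events()).items():
        print(f"{account}: {nets} distinct /24 networks within 7 days")
```

With a one-day window the same data stays under the threshold, which is why
the window has to be long for this pattern.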


Re: [courier-users] Separate service passwords

2014-08-15 Thread Mark Constable
On 16/08/14 09:31, Sam Varshavchik wrote:
> Using mysql or postgres, you can use a custom query, and use
> the $(service) variable.

Thank you Sam, Bernd and Lisa. I was completely unaware of this
variable so no doubt I will have some fun trying it out on some
larger installs with mysql (hopefully it applies to sqlite too).


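Added example (not part of the thread, and not Courier's own code): a small
model of what a custom query keyed on $(service) gives you, using an
in-memory SQLite table with one password per mailbox and service. The table
layout, the service names pop3/imap/esmtp and all function names are
assumptions for illustration.

```python
import hashlib
import hmac
import os
import sqlite3

# Hypothetical table: one credential row per (mailbox, service).
SCHEMA = """
CREATE TABLE service_passwords (
    username TEXT NOT NULL,
    service  TEXT NOT NULL,   -- the value the $(service) variable would carry
    salt     BLOB NOT NULL,
    pwhash   BLOB NOT NULL,
    PRIMARY KEY (username, service)
)
"""

# Shape of the custom query: the service is part of the lookup key, so a
# password stored for one service is never even fetched for another.
LOOKUP = ("SELECT salt, pwhash FROM service_passwords "
          "WHERE username = ? AND service = ?")

ITERATIONS = 100_000


def derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def open_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db


def set_password(db, username, service, password):
    salt = os.urandom(16)
    db.execute("INSERT OR REPLACE INTO service_passwords VALUES (?, ?, ?, ?)",
               (username, service, salt, derive(password, salt)))


def authenticate(db, username, service, password):
    """Stand-in for the comparison the auth daemon would perform."""
    row = db.execute(LOOKUP, (username, service)).fetchone()
    if row is None:
        derive(password, b"\0" * 16)   # keep timing similar for unknown rows
        return False
    salt, pwhash = row
    return hmac.compare_digest(derive(password, salt), pwhash)


def demo():
    db = open_db()
    user = "user@example.com"          # constructed account
    set_password(db, user, "pop3", "incoming-secret")
    set_password(db, user, "esmtp", "outgoing-secret")
    return {
        "pop3 password on pop3": authenticate(db, user, "pop3", "incoming-secret"),
        "pop3 password on esmtp": authenticate(db, user, "esmtp", "incoming-secret"),
        "esmtp password on esmtp": authenticate(db, user, "esmtp", "outgoing-secret"),
        "pop3 password on imap": authenticate(db, user, "imap", "incoming-secret"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```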


Re: [courier-users] Auto-Re: IMAP/SSL and ESMTP/SSL

2014-08-09 Thread Mark Constable
On 10/08/14 12:21, Charles Parkinson wrote:
> Ok, so that makes sense except for the fact that a CSR sent...

Perhaps an example will help. I concatenate PEM variations (which my
cert authority provides) of the key, the crt and the chained CA file to
/etc/ssl/server.pem then symlink the /etc/courier/{esmtpd,imapd,pop3d}.pem
required files to the single one in /etc/ssl, which looks like...

-----BEGIN PRIVATE KEY-----
[... private key...]
-----END PRIVATE KEY-----

-----BEGIN CERTIFICATE-----
[... cert from CA ...]
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
[... chained CA ...]
-----END CERTIFICATE-----




Re: [courier-users] Offline maildir reader

2014-08-08 Thread Mark Constable
On 08/08/14 20:32, Lisa Muir wrote:
>> Well if you batch rename the individual messages in Maildir/cur/*
>> to something ending with *.eml then if they could download the
>> Maildir folders then they can just click on them and they will open
>> up in whatever is their default desktop mail program.

> This is probably the most sensible approach as it allows the files to be
> indexed and searched using suitable infrastructure that will also serve
> their existing files repository.

Just to be clear the "then they can just click on them" part refers to
the individual maildir messages renamed to something.eml, not the actual
folder containing them.

FWIW if there was a Maildir in the current directory then something like
this would copy and rename them...

mkdir EmlMsgs
# glob instead of parsing ls output; quote names so odd characters survive
for f in Maildir/cur/*; do cp "$f" "EmlMsgs/$(basename "$f").eml"; done

But Thunderbird, and probably other mail programs, would only allow
viewing them one at a time using this simplistic method.



Re: [courier-users] Offline maildir reader

2014-08-08 Thread Mark Constable
On 08/08/14 21:06, Lisa Muir wrote:
> 14 year old email, there must come a time where it goes into archives
> somewhere and I don't think a MUA is the appropriate place for that,
> but some searchable repository is.

I will be facing this same kind of issue. mhonarc is available as an
ubuntu package and this does work with a browser either locally or
online via a webserver, but it's not exactly searchable...

mkdir mailarchive
find Maildir \
    -type d \
    -regex ".*\(new\|cur\)" \
    -exec mhonarc -mhpattern '^[^\.]' \
        -add {} -outdir mailarchive \;

***

This is the only PHP something I could find, there is a mention of it
wrapping mhonarc to import into SQLite so that would then be searchable
but I'm not sure if it also provides the interface to SQLite...

https://github.com/wittiws/phonarc




Re: [courier-users] imapd seems to stall sometimes

2014-05-25 Thread Mark Constable
On 25/05/14 11:04, Sam Varshavchik wrote:
> Leaving off MAXPERC should not be a factor. It defaults, internally,
> to MAXDAEMONS – effectively a no-op.

Right, thanks.

> I presume that you've eliminated the low hanging fruit of actually reaching
> the maximum number of connections.

Yes, barely a dozen imapds running on the server with a MAXDAEMONS of 400 and
I'd blame Thunderbird too but it wasn't happening 24 hours ago with Dovecot.

An lsof of the gamin/gam_server daemon looks okay. A previous time I experienced
something like this I had to change back to fam and remove gamin... years ago.

Woops, yes, this is using Ubuntu 14.04 x64 (both ends)...

courier-mta            0.68.2-1ubuntu3
courier-imap           4.10.0-20120615-1ubuntu3
courier-authlib-mysql  0.63.0-6ubuntu1

> Once MAXDAEMONS is reached, though, couriertcpd stops accepting connections
> altogether... Those are the kinds of things to look at, here.

That is not the case in this situation. Here's an IMAP log dump from Thunderbird
in case something is obvious... at the point below I clicked on my Junk folder...

1759508352[7fa967a50370]: proposed url = INBOX.Junk folder for connection INBOX 
has To Wait = FALSE can run = FALSE
895477504[7fa938decd00]: 35ffa800:renta.net:S-INBOX:SendData: DONE

[.. then TB hangs here for more than a minute ...]

895477504[7fa938decd00]: ReadNextLine [stream=37b40c10 nb=0 needmore=1]
895477504[7fa938decd00]: 35ffa800:renta.net:S-INBOX:CreateNewLineFromSocket: 
clearing IMAP_CONNECTION_IS_OPEN - rv = 804b000e
895477504[7fa938decd00]: 35ffa800:renta.net:S-INBOX:TellThreadToDie: close 
socket connection
895477504[7fa938decd00]: 35ffa800:renta.net:S-INBOX:CreateNewLineFromSocket: 
(null)
1759508352[7fa967a50370]: creating protocol instance to retry queued 
url:imap://ma...@renta.net@renta.net:143/select.Junk
1759508352[7fa967a50370]: retrying  
url:imap://ma...@renta.net@renta.net:143/select.Junk
1759508352[7fa967a50370]: 3303c800:renta.net:NA:SetupWithUrl: clearing 
IMAP_CONNECTION_IS_OPEN
895477504[7fa938decd00]: ImapThreadMainLoop leaving [this=35ffa800]
963634944[7fa9337ae450]: ImapThreadMainLoop entering [this=3303c800]
963634944[7fa9337ae450]: 3303c800:renta.net:NA:ProcessCurrentURL: entering
963634944[7fa9337ae450]: 
3303c800:renta.net:NA:ProcessCurrentURL:imap://markc%40renta%2e...@renta.net:143/select%3E.Junk:
  = currentUrl
963634944[7fa9337ae450]: ReadNextLine [stream=37da8510 nb=256 needmore=0]
963634944[7fa9337ae450]: 3303c800:renta.net:NA:CreateNewLineFromSocket: * OK 
[CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT 
THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS LOGINDISABLED] 
Courier-IMAP ready. Copyright 1998-2011 Double Precision, Inc.  See COPYING for 
distribution information.
963634944[7fa9337ae450]: 3303c800:renta.net:NA:SendData: 1 STARTTLS
963634944[7fa9337ae450]: ReadNextLine [stream=37da8510 nb=37 needmore=0]
963634944[7fa9337ae450]: 3303c800:renta.net:NA:CreateNewLineFromSocket: 1 OK 
Begin SSL/TLS negotiation now.
963634944[7fa9337ae450]: 3303c800:renta.net:NA:SendData: 2 capability
963634944[7fa9337ae450]: ReadNextLine [stream=37da8510 nb=133 needmore=0]
963634944[7fa9337ae450]: 3303c800:renta.net:NA:CreateNewLineFromSocket: * 
CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT 
THREAD=REFERENCES SORT QUOTA IDLE AUTH=PLAIN ACL ACL2=UNION
963634944[7fa9337ae450]: ReadNextLine [stream=37da8510 nb=27 needmore=0]
963634944[7fa9337ae450]: 3303c800:renta.net:NA:CreateNewLineFromSocket: 2 OK 
CAPABILITY completed
963634944[7fa9337ae450]: try to log in
963634944[7fa9337ae450]: IMAP auth: server caps 0x4C3325, pref 0x1006, failed 
0x0, avail caps 0x1004
963634944[7fa9337ae450]: (GSSAPI = 0x100, CRAM = 0x2, NTLM = 0x10, 
MSN =  0x20, PLAIN = 0x1000, LOGIN = 0x2, old-style IMAP login = 0x4)auth 
external IMAP login = 0x2000
963634944[7fa9337ae450]: trying auth method 0x1000
963634944[7fa9337ae450]: got new password
963634944[7fa9337ae450]: IMAP: trying auth method 0x1000
963634944[7fa9337ae450]: PLAIN auth
963634944[7fa9337ae450]: 3303c800:renta.net:NA:SendData: 3 authenticate plain
963634944[7fa9337ae450]: ReadNextLine [stream=37da8510 nb=4 needmore=0]
963634944[7fa9337ae450]: 3303c800:renta.net:NA:CreateNewLineFromSocket: +
963634944[7fa9337ae450]: 3303c800:renta.net:NA:SendData: Logging suppressed for 
this command (it probably contained authentication information)
963634944[7fa9337ae450]: ReadNextLine [stream=37da8510 nb=16 needmore=0]
963634944[7fa9337ae450]: 3303c800:renta.net:NA:CreateNewLineFromSocket: 3 OK 
LOGIN Ok.
963634944[7fa9337ae450]: login succeeded
963634944[7fa9337ae450]: 3303c800:renta.net:A:SendData: 4 select INBOX.Junk



Re: [courier-users] imapd seems to stall sometimes

2014-05-25 Thread Mark Constable
On 26/05/14 00:00, Sam Varshavchik wrote:
> Need to set IMAPDEBUGFILE on the server side, and collect the actual
> IMAP traffic.

Got it, thanks, doing that now.

> Even better yet would be to find the server process, and strace it.

It'll be tricky to find the right imapd process to attach to but I will
try that after watching the imaplog.dat until I get a clue what to look
for and/or pick up on where it, or TB, hangs.

> Or, turn off IMAPENHANCEDIDLE, to see if that makes a difference.

No sign of that option on this server with courier-imap 4.10.0. Is that
perhaps an option with a more recent version?




Re: [courier-users] imapd seems to stall sometimes

2014-05-25 Thread Mark Constable
On 26/05/14 00:00, Sam Varshavchik wrote:
> Or, turn off IMAPENHANCEDIDLE, to see if that makes a difference.

Ah right, I see, it's IMAP_ENHANCEDIDLE. It was 0 so I just flipped it to 1
with IMAP_USELOCKS=1 and see what happens. Then I'll set them both to 0 as
I rarely if ever use shared folders... and I don't think any clients even
know of the possibility of using shared folders.

Just now when clicking on a Junk folder, imaplog.dat showed...

[...]
11 OK FETCH completed.
WRITE: * BYE Disconnected for inactivity.
WRITE: * BYE Disconnected for inactivity.

[... long wait ...]

WRITE: * BYE Disconnected for inactivity.

[... shorter wait ...]

WRITE: 3 OK LOGIN Ok.
[...]

etc, then the folder view in TB was suddenly refreshed on a new login. So
something about being disconnected for inactivity then taking so long
for a new login. I thought if I used IDLE then my connection would persist
and re-logins, or at least not so many, would be the order of the day.

I'm using 143/TLS with a real certificate.




[courier-users] imapd seems to stall sometimes

2014-05-24 Thread Mark Constable
I was using ISPConfig3 + postfix for the past year and finally got
around to unhitching myself from ISPConfig3 so I could run courier
again on this particular server. However since the changeover I've
noticed that Thunderbird seems to just hang and wait every half
a dozen'th time when I go to check my mail. I don't recall this
happening with Dovecot.

Is it possible there is a MAXPERC setting missing like in esmtpd?

Or anything obvious to someone else (locks?) why imapd might hang
every now and then?

~ egrep -v "^(#|$)" /etc/courier/imapd
ADDRESS=0
PORT=143
MAXDAEMONS=400
MAXPERIP=200
PIDFILE=/var/run/courier/imapd.pid
TCPDOPTS="-nodnslookup -noidentlookup"
LOGGEROPTS=-name=imapd
IMAP_CAPABILITY="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE"
IMAP_KEYWORDS=1
IMAP_ACL=1
IMAP_CAPABILITY_ORIG="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA AUTH=CRAM-MD5 AUTH=CRAM-SHA1 AUTH=CRAM-SHA256 IDLE"
IMAP_PROXY=0
IMAP_PROXY_FOREIGN=0
IMAP_IDLE_TIMEOUT=60
IMAP_MAILBOX_SANITY_CHECK=1
IMAP_CAPABILITY_TLS="$IMAP_CAPABILITY AUTH=PLAIN"
IMAP_CAPABILITY_TLS_ORIG="$IMAP_CAPABILITY_ORIG AUTH=PLAIN"
IMAP_DISABLETHREADSORT=0
IMAP_CHECK_ALL_FOLDERS=0
IMAP_OBSOLETE_CLIENT=0
IMAP_UMASK=022
IMAP_ULIMITD=131072
IMAP_USELOCKS=1
IMAP_SHAREDINDEXFILE=/etc/courier/shared/index
IMAP_ENHANCEDIDLE=0
IMAP_TRASHFOLDERNAME=Trash
IMAP_EMPTYTRASH=Trash:7
IMAP_MOVE_EXPUNGE_TO_TRASH=0
SENDMAIL=/usr/sbin/sendmail
HEADERFROM=X-IMAP-Sender
IMAPDSTART=YES
MAILDIRPATH=Maildir

~ egrep -v "^(#|$)" /etc/courier/imapd-ssl
SSLPORT=993
SSLADDRESS=0
SSLPIDFILE=/var/run/courier/imapd-ssl.pid
SSLLOGGEROPTS=-name=imapd-ssl
IMAPDSSLSTART=YES
IMAPDSTARTTLS=YES
IMAP_TLS_REQUIRED=0
COURIERTLS=/usr/bin/couriertls
TLS_KX_LIST=ALL
TLS_COMPRESSION=ALL
TLS_CERTS=X509
TLS_CERTFILE=/etc/courier/imapd.pem
TLS_TRUSTCERTS=/etc/ssl/certs
TLS_VERIFYPEER=NONE
TLS_CACHEFILE=/var/lib/courier/couriersslcache
TLS_CACHESIZE=524288
MAILDIRPATH=Maildir



Re: [courier-users] Problem after upgrade

2014-04-14 Thread Mark Constable
On 04/14/14 21:23, Vytautas Kasparavičius wrote:
> I'm getting following errors
> Apr 14 14:13:20 mail imapd-ssl: couriertls:
> /etc/pki/tls/certs/gdcertpack.pem: error:0D0680A8:asn1 encoding
> routines:ASN1_CHECK_TLEN:wrong tag
> Apr 14 14:13:27 mail esmtpd-ssl: couriertls:
> /etc/pki/tls/certs/gdcertpack.pem: error:0D0680A8:asn1 encoding
> routines:ASN1_CHECK_TLEN:wrong tag

It depends which part is being delimited...

cat server.key server.crt server.ca > /etc/courier/esmtpd.pem

~ cat /etc/courier/esmtpd.pem
-----BEGIN PRIVATE KEY-----
[ original private key ]
-----END PRIVATE KEY-----

-----BEGIN CERTIFICATE-----
[ cert returned from authority, or self signed ]
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
[ intermediate cert if chained (ie; cheap RapidSSL) ]
-----END CERTIFICATE-----


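Added example (not from any of the posts, and not Courier's own code): a
Python check for the combined key + certificate + chain file described in
this reply and in the "IMAP/SSL and ESMTP/SSL" and "Couriertls SSL Error :
no start line" replies further up. It looks for the faults those threads
mention (damaged BEGIN/END markers, stray spaces or control characters, data
that does not decode to an ASN.1 structure); the function names and the
sample bundle are constructed for illustration.

```python
import base64
import binascii
import re

MARKER = re.compile(r"^-----(BEGIN|END) ([A-Z0-9 ]+)-----$")
LOOKS_LIKE_MARKER = re.compile(r"-+\s*(BEGIN|END)\b")
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "ENCRYPTED PRIVATE KEY"}


def check_body(num, label, body, has_headers):
    """Check that one block's payload is base64 and starts like DER."""
    try:
        der = base64.b64decode("".join(body), validate=True)
    except (binascii.Error, ValueError):
        return [f"line {num}: {label} body is not valid base64"]
    if not der:
        return [f"line {num}: {label} body is empty"]
    # Encrypted legacy keys carry "Proc-Type:" headers and are not plain DER.
    if not has_headers and der[0] != 0x30:
        return [f"line {num}: {label} does not start with an "
                "ASN.1 SEQUENCE tag (0x30)"]
    return []


def check_pem_bundle(data):
    """Return a list of problems found in a PEM bundle; empty means clean."""
    problems = []
    if data.startswith(b"\xef\xbb\xbf"):
        problems.append("line 1: UTF-8 byte order mark before first marker")
        data = data[3:]
    text = data.decode("latin-1")    # never fails; odd bytes reported below
    labels, begins = [], 0           # completed block labels, BEGIN count
    current, body, has_headers = None, [], False
    for num, raw in enumerate(text.split("\n"), 1):
        line = raw[:-1] if raw.endswith("\r") else raw     # tolerate CRLF
        if any(ord(c) < 32 or ord(c) > 126 for c in line):
            problems.append(f"line {num}: control or non-ASCII character")
        if line != line.strip():
            problems.append(f"line {num}: leading or trailing whitespace")
        stripped = line.strip()
        m = MARKER.match(stripped)
        if m is None:
            if LOOKS_LIKE_MARKER.search(stripped):
                problems.append(f"line {num}: malformed marker {stripped!r} "
                                "(needs five dashes on each side)")
            elif current is not None and stripped:
                if ":" in stripped:
                    has_headers = True
                else:
                    body.append(stripped)
            continue
        kind, label = m.groups()
        if kind == "BEGIN":
            begins += 1
            if current is not None:
                problems.append(f"line {num}: BEGIN {label} inside "
                                f"unterminated {current}")
            current, body, has_headers = label, [], False
            continue
        if current != label:
            problems.append(f"line {num}: END {label} does not close "
                            f"BEGIN {current}")
        else:
            problems.extend(check_body(num, label, body, has_headers))
            labels.append(label)
        current = None
    if current is not None:
        problems.append(f"BEGIN {current} is never closed")
    if begins == 0:
        problems.append("no valid -----BEGIN line "
                        "(what OpenSSL reports as 'no start line')")
    else:
        if not any(lbl in KEY_LABELS for lbl in labels):
            problems.append("no private key block")
        if "CERTIFICATE" not in labels:
            problems.append("no certificate block")
    return problems


def pem_block(label, der):
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"


# Constructed stand-ins: tiny DER SEQUENCEs, not real keys or certificates.
FAKE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x00])
GOOD = "\n".join([pem_block("PRIVATE KEY", FAKE_DER),
                  pem_block("CERTIFICATE", FAKE_DER),
                  pem_block("CERTIFICATE", FAKE_DER)]).encode()

if __name__ == "__main__":
    for name, sample in [("good", GOOD), ("leading space", b" " + GOOD),
                         ("collapsed dashes", GOOD.replace(b"-----", b"-"))]:
        print(name, "->", check_pem_bundle(sample) or "clean")
```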


Re: [courier-users] courier imap troubles

2014-03-09 Thread Mark Constable
On 03/10/14 06:07, Sam Varshavchik wrote:
> Courier-IMAP never has any trouble creating any mailboxes, for the simple
> reason that Courier-IMAP never creates any mailboxes.

Strictly speaking that is true but the OP may want to know that maildrop can
create a user's mailbox if it doesn't already exist if it's set up to do so.




Re: [courier-users] authdaemond: segfault at 0 ip... error 4 in libc-2.18.so

2014-03-04 Thread Mark Constable
On 03/05/14 15:31, Anders Le Chevalier wrote:
> Mar  5 06:08:05 e350 authdaemond: zero rows returned
> Mar  5 06:08:05 e350 authdaemond: no password available to compare
> Mar  5 06:08:05 e350 authdaemond: authmysql: REJECT - try next module
> Mar  5 06:08:05 e350 authdaemond: FAIL, all modules rejected

That's normal if the SQL command failed for some other reason.

What I do in a situation like this is temporarily turn on MySQL general logging,
tail that logfile while logging it, copy the exact SQL statement used, then
start mysql at the CLI and manually paste in the SQL statement (some single and
double quoting may need to be altered) and see if there is an error.

