[Dovecot] Corrupted transaction log file / record size too small

2008-09-30 Thread Steven Winikoff

I recently upgraded dovecot on one of our servers from version 1.0.10
to version 1.1.3.  Ever since, we've been seeing occasional errors
similar to this sequence (with the username and IP addresses elided):

   Sep 30 00:09:56 alcor dovecot: pop3-login: Login: [4954], , NNN.NNN.NN.NNN
   Sep 30 00:09:56 alcor dovecot: wrapper[5006]: pop3, , NNN.NNN.NN.NNN
   Sep 30 00:09:56 alcor dovecot: pop3[5006] , NNN.NNN.NN.NNN: Corrupted transaction log file /home//.imap/INBOX/dovecot.index.log: record size too small (type=0x40, offset=12224, size=0)
   Sep 30 00:09:56 alcor dovecot: pop3[5006] , NNN.NNN.NN.NNN: Couldn't init INBOX: Internal error occurred. Refer to server log for more information. [2008-09-30 00:09:56]
   Sep 30 00:09:56 alcor dovecot: pop3[5006] , NNN.NNN.NN.NNN: Mailbox init failed top=0/0, retr=0/0, del=0/0, size=0, xfer=0/95

System and dovecot configuration details are appended.

I saw an archived mailing list message from January 2007 which may be
relevant (www.mailinglistarchive.com/dovecot@dovecot.org/msg07908.html),
in which the original poster's symptoms disappeared when he recompiled
dovecot with gcc-3.4.0 instead of using gcc-3.1.  In my case I used
gcc-4.1.2, so I don't know if that's still relevant (and if so, what
other version to use instead).

In the output of `dovecot -n` which follows,
/local/pkg/dovecot/localmods/wrapper.imap is a locally written program
which registers the user's IMAP or POP connection in the lastlog file
and also ensures that the user's shell is considered valid.  I'd be
surprised if this is relevant, but I've appended the source code in
case it may be (and/or in case anyone else may find it useful!).

I've been working around the problem by deleting the contents of
~user/.imap for affected users, but I'd really prefer to fix it
properly. :-)  Any suggestions would be gratefully received.

  Thanks,

 - Steven


# server type = SunFire X4100 (two dual-core Opteron CPUs)
# OS = Linux (Slamd64 12.0)
# file system type = XFS

# uname -a
Linux alcor 2.6.25.2 #1 SMP Fri May 16 07:06:34 EDT 2008 x86_64 x86_64 x86_64 GNU/Linux

# dovecot --version
1.1.3

# (limit descriptors 4096; dovecot -n)
# 1.1.3: /local/pkg/dovecot/root-dovecot-1.1.3/etc/dovecot.conf
base_dir: /local/pkg/dovecot/data/var/run/dovecot
syslog_facility: local0
protocols: imap imaps pop3 pop3s
listen(default): *:143
listen(imap): *:143
listen(pop3): *:110
ssl_listen(default): *:993
ssl_listen(imap): *:993
ssl_listen(pop3): *:995
ssl_cert_file: /public/apache/ssl/combined.cert
ssl_key_file: /public/apache/ssl/key.pem
disable_plaintext_auth: no
login_dir: /local/pkg/dovecot/data/var/run
login_executable(default): /local/pkg/dovecot/root-dovecot-1.1.3/libexec/dovecot/imap-login
login_executable(imap): /local/pkg/dovecot/root-dovecot-1.1.3/libexec/dovecot/imap-login
login_executable(pop3): /local/pkg/dovecot/root-dovecot-1.1.3/libexec/dovecot/pop3-login
login_user: nul-mail
login_log_format_elements: [%p] %u %r %c
login_greeting_capability(default): yes
login_greeting_capability(imap): yes
login_greeting_capability(pop3): no
login_processes_count: 6
login_max_processes_count: 512
max_mail_processes: 1024
verbose_proctitle: yes
first_valid_uid: 111
mail_location: mbox:~/:INBOX=/var/spool/mail/%u
mail_full_filesystem_access: yes
mail_executable(default): /local/pkg/dovecot/localmods/wrapper.imap
mail_executable(imap): /local/pkg/dovecot/localmods/wrapper.imap
mail_executable(pop3): /local/pkg/dovecot/localmods/wrapper.pop3
mail_plugin_dir(default): /local/pkg/dovecot/root-dovecot-1.1.3/lib/dovecot/imap
mail_plugin_dir(imap): /local/pkg/dovecot/root-dovecot-1.1.3/lib/dovecot/imap
mail_plugin_dir(pop3): /local/pkg/dovecot/root-dovecot-1.1.3/lib/dovecot/pop3
mail_log_prefix: %Ls[%p] %u, %r: 
imap_capability(default): IMAP4rev1 QUOTA SASL-IR SORT THREAD=REFERENCES MULTIAPPEND UNSELECT LITERAL+ IDLE CHILDREN NAMESPACE LOGIN-REFERRALS
imap_capability(imap): IMAP4rev1 QUOTA SASL-IR SORT THREAD=REFERENCES MULTIAPPEND UNSELECT LITERAL+ IDLE CHILDREN NAMESPACE LOGIN-REFERRALS
imap_capability(pop3): 
imap_client_workarounds(default): delay-newmail tb-extra-mailbox-sep
imap_client_workarounds(imap): delay-newmail tb-extra-mailbox-sep
imap_client_workarounds(pop3): 
pop3_client_workarounds(default): 
pop3_client_workarounds(imap): 
pop3_client_workarounds(pop3): outlook-no-nuls oe-ns-eoh
pop3_logout_format(default): top=%t/%p, retr=%r/%b, del=%d/%m, size=%s
pop3_logout_format(imap): top=%t/%p, retr=%r/%b, del=%d/%m, size=%s
pop3_logout_format(pop3): top=%t/%p, retr=%r/%b, del=%d/%m, size=%s, xfer=%i/%o
auth default:
  cache_negative_ttl: 0
  passdb:
    driver: shadow
  userdb:
    driver: passwd


# source code for /local/pkg/dovecot/localmods/wrapper.imap
# and /local/pkg/dovecot/localmods/wrapper.pop3
# follows:

8<----- cut here ----->8
/*
 *  wrapper.c -- login wrapper program for dovecot
 *
 *  Steven Winikoff
 *  

Re: [Dovecot] Initial support for shared mailboxes

2008-09-30 Thread Sascha Wilde
Timo Sirainen [EMAIL PROTECTED] writes:
 Well, I actually started it today since it's needed for replication:
 http://hg.dovecot.org/dovecot-1.2/rev/6dd0c6755afe

 Mailboxes can't be listed yet (and I'm not planning on implementing that
 anytime soon), but if you add the wanted mailboxes to subscriptions they
 should be usable by clients. Configuration goes like:

 namespace shared {
   separator = /
   # %%u gets expanded to the remote user. Instead of %%u you can
   # also use %%n and %%d.
   prefix = shared/%%u/
   location = Maildir:/home/%%u/Maildir:INDEX=~/Maildir/shared/%%u
 }

Sounds great, and it's an essential feature we need to make Dovecot work
with Kolab Server.

Is there a %%h, too?  So that, if we have 

  mail_location = maildir:~

we can say:

  namespace shared {
separator = /
prefix = users/%%u/
location = Maildir:%%h:INDEX=~/Maildir/shared/%%u
  }

To make user mailboxes accessible for other users?
If not, how hard would it be to implement?

Another (more specific) problem in this context: Is it possible to
determine a user's home by calling an external program like checkpassword?
This would be needed in a setup where the user's $HOME is set by a
checkpassword program to a computed value, to access another user's
mailbox.

cheers
sascha
-- 
Sascha Wilde  OpenPGP key: 4BB86568
Intevation GmbH, Osnabrück http://www.intevation.de/~wilde/
Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner




[Dovecot] dovecot quota messages problem

2008-09-30 Thread costexx

Hi.
I have a question about quota messages (dovecot 1.1.3).
I'm trying to use quota messages for moving messages in a new folder when
they reach a certain number (1).
I made the script which is called when quota_warning condition is met.
Then I made a rule to exclude that folder from quota,
quota_rule3:folder:ignore
The problem is that this folder is still counted in quota.
I don't know if this is a bug or this is how ignore is supposed to work (maybe
ignore works only for storage).



[Dovecot] dovecot quota messages

2008-09-30 Thread Cosmin Natea
Hi.
I have a question about quota messages (dovecot 1.1.3).
I'm trying to use quota messages for moving messages in a new folder when
they reach a certain number(1).
I made the script which is called when quota_warning condition is met.
Then I made a rule to exclude that folder from quota,
quota_rule3:folder:ignore
The problem is that this folder is still counted in quota.
I don't know if this is a bug or this is how ignore is supposed to work (maybe
ignore works only for storage).


Re: [Dovecot] Initial support for shared mailboxes

2008-09-30 Thread Timo Sirainen
On Tue, 2008-09-30 at 10:46 +0200, Sascha Wilde wrote:
  namespace shared {
separator = /
# %%u gets expanded to the remote user. Instead of %%u you can
# also use %%n and %%d.
prefix = shared/%%u/
location = Maildir:/home/%%u/Maildir:INDEX=~/Maildir/shared/%%u
  }
 
 Sounds great, and it's an essential feature we need to make Dovecot work
 with Kolab Server.
 
 Is there a %%h, too?  So that, if we have 
 
   mail_location = maildir:~
..
 Another (more specific) problem in this context: Is it possible to
 determine a user's home by calling an external program like checkpassword?
 This would be needed in a setup where the user's $HOME is set by a
 checkpassword program to a computed value, to access another user's
 mailbox.

This would require doing a userdb lookup from dovecot-auth the same way
as deliver or expire-tool does it. So sure it'd be possible, but I'm not
really interested in implementing it yet. I think expire-tool is
currently using copypasted code from deliver, those could be merged
into some library function and then the namespace code could easily use
the same function.





[Dovecot] PKI Compliance Dovecot Server

2008-09-30 Thread Amit Thakkar
Hello,

I work for an organization that uses a Secure Dovecot server for messaging, and 
recently we've had to undergo some security screenings for PKI compliance 
(credit card industry standards).  However, the screening returned to us a 
failure due to the following reason (attributed to our Dovecot server, which 
runs on port 993 and is the only open port on our firewall):

Synopsis : The remote service encrypts traffic using a protocol with known
weaknesses.
Description : The remote service accepts connections encrypted using SSL 2.0,
which reportedly suffers from several cryptographic flaws and has been
deprecated for several years.  An attacker may be able to exploit these
issues to conduct man-in-the-middle attacks or decrypt communications
between the affected service and clients.
See also : http://www.schneier.com/paper-ssl.pdf
Solution : Consult the application's documentation to disable SSL 2.0 and use
SSL 3.0 or TLS 1.0 instead.  See http://support.microsoft.com/kb/216482 for
instructions on IIS.  See http://httpd.apache.org/docs/2.0/mod/mod_ssl.html
for Apache.
Risk Factor : Medium / CVSS Base Score : 2 (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)

Is there a way that we can disable SSL 2.0 in Dovecot, or force it to use only 
TLS 1.0 ?

Thank You


  

Re: [Dovecot] PKI Compliance Dovecot Server

2008-09-30 Thread John Gray
I *think* you can fix this in your config.

ssl_cipher_list = ALL:!ADH:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM

Consider yourself lucky you're not using UW.  I believe you need to
recompile it.

Nessus thinks I'm good with the setting above.

John

Amit Thakkar wrote:
 Hello,
 
 I work for an organization that uses a Secure Dovecot server for messaging, 
 and recently we've had to undergo some security screenings for PKI compliance 
 (credit card industry standards).  However, the screening returned to us a 
 failure due to the following reason (attributed to our Dovecot server, which 
 runs on port 993 and is the only open port on our firewall):
 
 Synopsis : The remote service encrypts traffic using a protocol with known
 weaknesses.
 Description : The remote service accepts connections encrypted using SSL 2.0,
 which reportedly suffers from several cryptographic flaws and has been
 deprecated for several years.  An attacker may be able to exploit these
 issues to conduct man-in-the-middle attacks or decrypt communications
 between the affected service and clients.
 See also : http://www.schneier.com/paper-ssl.pdf
 Solution : Consult the application's documentation to disable SSL 2.0 and use
 SSL 3.0 or TLS 1.0 instead.  See http://support.microsoft.com/kb/216482 for
 instructions on IIS.  See http://httpd.apache.org/docs/2.0/mod/mod_ssl.html
 for Apache.
 Risk Factor : Medium / CVSS Base Score : 2 (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)
 
 Is there a way that we can disable SSL 2.0 in Dovecot, or force it to use 
 only TLS 1.0 ?
 
 Thank You
 
 
   


-- 
John Gray   [EMAIL PROTECTED]
AgoraNet, Inc.  (302) 224-2475
314 E. Main Street, Suite 1 (302) 224-2552 (fax)
Newark, De 19711http://www.agora-net.com


Re: [Dovecot] PKI Compliance Dovecot Server

2008-09-30 Thread Timo Sirainen
BTW. Dovecot v1.1 has by default:

ssl_cipher_list = ALL:!LOW:!SSLv2

I'd think that's enough to fix this too.

On Tue, 2008-09-30 at 10:23 -0400, John Gray wrote:
 I *think* you can fix this in your config.
 
 ssl_cipher_list = ALL:!ADH:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM
 
 Consider yourself lucky you're not using UW.  I believe you need to
 recompile it.
 
 Nessus thinks I'm good with the setting above.
 
 John
 
 Amit Thakkar wrote:
  Hello,
  
  I work for an organization that uses a Secure Dovecot server for messaging, 
  and recently we've had to undergo some security screenings for PKI 
  compliance (credit card industry standards).  However, the screening 
  returned to us a failure due to the following reason (attributed to our 
  Dovecot server, which runs on port 993 and is the only open port on our 
  firewall):
  
  Synopsis : The remote service encrypts traffic using a protocol with known
  weaknesses.
  Description : The remote service accepts connections encrypted using SSL 2.0,
  which reportedly suffers from several cryptographic flaws and has been
  deprecated for several years.  An attacker may be able to exploit these
  issues to conduct man-in-the-middle attacks or decrypt communications
  between the affected service and clients.
  See also : http://www.schneier.com/paper-ssl.pdf
  Solution : Consult the application's documentation to disable SSL 2.0 and use
  SSL 3.0 or TLS 1.0 instead.  See http://support.microsoft.com/kb/216482 for
  instructions on IIS.  See http://httpd.apache.org/docs/2.0/mod/mod_ssl.html
  for Apache.
  Risk Factor : Medium / CVSS Base Score : 2 (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)
  
  Is there a way that we can disable SSL 2.0 in Dovecot, or force it to use 
  only TLS 1.0 ?
  
  Thank You
  
  

 
 



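As an added illustration of what the ssl_cipher_list strings in this thread actually select (this is not Dovecot's or OpenSSL's code), the following Python simulates OpenSSL's cipher-list evaluation rules (`!` removes a suite permanently, `-` removes it but lets a later keyword re-add it, `+` moves matching suites to the end, a bare keyword appends) over a small constructed cipher table. The table and the keyword groups are simplified and made up for the example; they are not the real OpenSSL cipher list.

```python
"""Simulate OpenSSL-style cipher-list evaluation (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cipher:
    name: str
    strength: str   # "HIGH", "MEDIUM", "LOW", "EXPORT" or "NULL"
    version: str    # "SSLv2" or "SSLv3" (SSLv3 also covers the TLSv1 suites)
    kx: str         # key exchange: "RSA" or "ADH" (anonymous Diffie-Hellman)


# Constructed subset of suites, NOT the real OpenSSL table; order matters
# because a bare keyword appends suites in table order.
CIPHERS = [
    Cipher("NULL-SHA",       "NULL",   "SSLv3", "RSA"),
    Cipher("AES256-SHA",     "HIGH",   "SSLv3", "RSA"),
    Cipher("RC4-SHA",        "MEDIUM", "SSLv3", "RSA"),
    Cipher("DES-CBC-SHA",    "LOW",    "SSLv3", "RSA"),
    Cipher("EXP-RC4-MD5",    "EXPORT", "SSLv3", "RSA"),
    Cipher("ADH-AES256-SHA", "HIGH",   "SSLv3", "ADH"),
    Cipher("DES-CBC3-MD5",   "HIGH",   "SSLv2", "RSA"),
    Cipher("RC4-MD5",        "MEDIUM", "SSLv2", "RSA"),
]


def _matches(cipher, word):
    """Does one keyword (or literal suite name) select this cipher?"""
    if word == "ALL":                       # everything except eNULL
        return cipher.strength != "NULL"
    if word in ("HIGH", "MEDIUM", "LOW"):
        return cipher.strength == word
    if word in ("EXP", "EXPORT"):
        return cipher.strength == "EXPORT"
    if word == "eNULL":
        return cipher.strength == "NULL"
    if word in ("SSLv2", "SSLv3"):
        return cipher.version == word
    if word == "ADH":
        return cipher.kx == "ADH"
    return cipher.name == word


def apply_cipher_list(spec, table=CIPHERS):
    """Return the ordered suite names a cipher string enables."""
    enabled = []       # current ordered list
    killed = set()     # suites removed with "!" can never come back
    for token in spec.split(":"):
        if not token:
            continue
        op = token[0] if token[0] in "!-+" else ""
        # "A+B" (a joining plus, not the prefix) means suites in both groups
        words = token[len(op):].split("+")
        names = [c.name for c in table if all(_matches(c, w) for w in words)]
        if op == "!":
            killed.update(names)
            enabled = [n for n in enabled if n not in names]
        elif op == "-":
            enabled = [n for n in enabled if n not in names]
        elif op == "+":
            moved = [n for n in enabled if n in names]
            enabled = [n for n in enabled if n not in names] + moved
        else:
            for n in names:
                if n not in enabled and n not in killed:
                    enabled.append(n)
    return enabled


def sslv2_suites_left(spec, table=CIPHERS):
    """SSLv2 suites still enabled by spec; empty means the scanner's
    SSL 2.0 finding no longer applies to the simulated table."""
    names = set(apply_cipher_list(spec, table))
    return [c.name for c in table if c.version == "SSLv2" and c.name in names]


if __name__ == "__main__":
    for s in ("ALL:!LOW:!SSLv2", "ALL:!ADH:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM"):
        print(s, "->", apply_cipher_list(s), "SSLv2 left:", sslv2_suites_left(s))
```

Running both strings from the thread shows that the v1.1 default drops the SSLv2 suites the scanner flagged but keeps anonymous-DH and export suites, while John's longer string also removes those and leaves HIGH ordered before MEDIUM.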

Re: [Dovecot] Initial support for shared mailboxes

2008-09-30 Thread Sascha Wilde
Timo Sirainen [EMAIL PROTECTED] writes:

 On Tue, 2008-09-30 at 10:46 +0200, Sascha Wilde wrote:
  namespace shared {
separator = /
# %%u gets expanded to the remote user. Instead of %%u you can
# also use %%n and %%d.
prefix = shared/%%u/
location = Maildir:/home/%%u/Maildir:INDEX=~/Maildir/shared/%%u
  }
 
 Sounds great, and it's an essential feature we need to make Dovecot work
 with Kolab Server.
 
 Is there a %%h, too?  So that, if we have 
 
   mail_location = maildir:~
 ..
 Another (more specific) problem in this context: Is it possible to
 determine a user's home by calling an external program like checkpassword?
 This would be needed in a setup where the user's $HOME is set by a
 checkpassword program to a computed value, to access another user's
 mailbox.

 This would require doing a userdb lookup from dovecot-auth the same way
 as deliver or expire-tool does it.

I'm not quite sure what you mean by this here, are you referring to
the proposed `%%h' variable, too or only to my more specific problem
with computed HOME paths?

 So sure it'd be possible, but I'm not
 really interested in implementing it yet. I think expire-tool is
 currently using copypasted code from deliver, those could be merged
 into some library function and then the namespace code could easily use
 the same function.

But is deliver currently able to utilize an external program to
get user data?

From reading the docs I got the impression that userdb only allows using
data supplied by an arbitrary program via the Prefetch backend in
combination with a checkpassword passdb, and that deliver can't use
this mechanism as the user doesn't log in when deliver is run.

So I guess what is needed is a new userdb backend which explicitly
runs an arbitrary external program to get the user data (instead of
caching the passdb results).

What do you think?

cheers
sascha
-- 
Sascha Wilde  OpenPGP key: 4BB86568
Intevation GmbH, Osnabrück http://www.intevation.de/~wilde/
Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner




[Dovecot] create folder automatically

2008-09-30 Thread Nicolas Letellier
Hello.

I install a sieve rule automatically when a mailbox is created, like:
if exists "X-Spam-Flag" {
    fileinto "Junk";
    stop;
}

However, sometimes, this folder does not exist. How create it automatically?

Thanks!

Regards,

-- 
 -Nicolas.


Re: [Dovecot] Initial support for shared mailboxes

2008-09-30 Thread Timo Sirainen

On Sep 30, 2008, at 6:08 PM, Sascha Wilde wrote:

>>> Is there a %%h, too?  So that, if we have
>>>
>>>  mail_location = maildir:~
>>> ..
>>> Another (more specific) problem in this context: Is it possible to
>>> determine a user's home by calling an external program like checkpassword?
>>> This would be needed in a setup where the user's $HOME is set by a
>>> checkpassword program to a computed value, to access another user's
>>> mailbox.
>>
>> This would require doing a userdb lookup from dovecot-auth the same way
>> as deliver or expire-tool does it.
>
> I'm not quite sure what you mean by this here, are you referring to
> the proposed `%%h' variable, too or only to my more specific problem
> with computed HOME paths?

I think it's the same thing.

>> So sure it'd be possible, but I'm not
>> really interested in implementing it yet. I think expire-tool is
>> currently using copypasted code from deliver, those could be merged
>> into some library function and then the namespace code could easily use
>> the same function.
>
> But is deliver currently able to utilize an external program to
> get user data?

deliver will do the userdb lookup from dovecot-auth, which in turn can
use the external program.

> So I guess what is needed is a new userdb backend which explicitly
> runs an arbitrary external program to get the user data (instead of
> caching the passdb results).

Right. Perhaps the passdb checkpassword code could be used as userdb
too, just with an added extra variable specifying if it's a passdb or
a userdb lookup. Or maybe instead of sending user \0 pass \0 it'd
just send user. I'm not really sure. In any case I think the reply
should be handled somewhat differently so that the checkpassword can't
accidentally think it's doing a userdb lookup while it's really doing
a passdb lookup and return success.




Re: [Dovecot] disbale to responded to an unrequested SSL Certificate

2008-09-30 Thread Andre Hübner

Hi List,



Hi dovecot-list,

just an easy question today ;)

Customer did a PCI test on the server to test security to fit worldpay
requirements.

They found a critical risk at pop3s. (and some other things)

This is the text message:

Family: Remote Shell Access   Critical   993/tcp   11875
Description:
The remote host responded to an unrequested SSL Certificate. The remote
SSL server should have sent back an Error message. This may indicate that
the server is vulnerable to a remote flaw in the way that it handles
unrequested certificates. You should manually inspect the SSL Server's
configuration.

Background is that we use a wildcard cert which is installed on every
machine and fits the servername. So you have to use the accredited
Hostname/Servername to make a clean ssl connection pop3s/imaps without
warnings etc.
Problem should be that the server sends no error when requested with another
hostname. This is the significant part from dovecot.conf

protocols = imap imaps pop3 pop3s
ssl_disable = no
ssl_cert_file = /path/to/*.myhost.com.crt
ssl_key_file = /path/to/*.myhost.com.key
ssl_ca_file = /path/to/*.myhost.com.bundle.crt

Is there a config option to send an error when the ssl connection is not
established to the Hostname/Servername accredited in the cert? Did not find
something like this or did not really understand the function of the options.

I do not know the background to this issue. Can't decide if it would be a
security risk or disproportionate wishes of security experts but I want to
satisfy this customer.

How to handle this?

Thank you
Andre



Could the solution be to set ssl_listen to the hostname where dovecot is
running? Pretty easy... O.o

My tests were successful but I would like to obtain other opinions..

Thanks
Andre




Re: [Dovecot] Initial support for shared mailboxes

2008-09-30 Thread Sascha Wilde
Timo Sirainen [EMAIL PROTECTED] writes:

 On Sep 30, 2008, at 6:08 PM, Sascha Wilde wrote:

 Is there a %%h, too?  So that, if we have

  mail_location = maildir:~
 ..
 Another (more specific) problem in this context: Is it possible to
 determine a user's home by calling an external program like checkpassword?
 This would be needed in a setup where the user's $HOME is set by a
 checkpassword program to a computed value, to access another user's
 mailbox.

 This would require doing a userdb lookup from dovecot-auth the same way
 as deliver or expire-tool does it.

 I'm not quite sure what you mean by this here, are you referring to
 the proposed `%%h' variable, too or only to my more specific problem
 with computed HOME paths?

 I think it's the same thing.

Is it?  I might be wrong, but I thought for configurations where userdb
doesn't depend on the passdb implementing %%h as the home directory of
user %%u should be straightforward.  Or am I missing something?

[...]
 So I guess what is needed is a new userdb backend which is explicitly
 runs an arbitrary external program to get the user data (instead of
 caching the passdb results).

 Right. Perhaps the passdb checkpassword code could be used as userdb
 too,

Good, so we will try to go this way.

 just with an added extra variable specifying if it's a passdb or
 a userdb lookup. Or maybe instead of sending user \0 pass \0 it'd
 just send user. I'm not really sure. In any case I think the reply
 should be handled somewhat differently so that the checkpassword can't
 accidentally think it's doing a userdb lookup while it's really doing
 a passdb lookup and return success.

Ack.  I or someone else from the Kolab/Dovecot team will write a short
proposal on the list as soon as we have one... ;-)

cheers
sascha
-- 
Sascha Wilde  OpenPGP key: 4BB86568
Intevation GmbH, Osnabrück http://www.intevation.de/~wilde/
Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner




Re: [Dovecot] Initial support for shared mailboxes

2008-09-30 Thread Timo Sirainen

On Sep 30, 2008, at 6:48 PM, Sascha Wilde wrote:

>> On Sep 30, 2008, at 6:08 PM, Sascha Wilde wrote:
>>
>>> Is there a %%h, too?  So that, if we have
>>>
>>> mail_location = maildir:~
>>> ..
>>> Another (more specific) problem in this context: Is it possible to
>>> determine a user's home by calling an external program like checkpassword?
>>> This would be needed in a setup where the user's $HOME is set by a
>>> checkpassword program to a computed value, to access another user's
>>> mailbox.
>>
>> This would require doing a userdb lookup from dovecot-auth the same way
>> as deliver or expire-tool does it.
>
>>> I'm not quite sure what you mean by this here, are you referring to
>>> the proposed `%%h' variable, too or only to my more specific problem
>>> with computed HOME paths?
>>
>> I think it's the same thing.
>
> Is it?  I might be wrong, but I thought for configurations where userdb
> doesn't depend on the passdb implementing %%h as the home directory of
> user %%u should be straightforward.  Or am I missing something?

I guess I just misunderstood what you meant. All I meant was that %%h
expansion would always have to be done using a userdb lookup.




Re: [Dovecot] create folder automatically

2008-09-30 Thread Seth Mattinen
Nicolas Letellier wrote:
 Hello.
 
 I install a sieve rule automatically when a mailbox is created, like:
 if exists "X-Spam-Flag" {
     fileinto "Junk";
     stop;
 }
 
 However, sometimes, this folder does not exist. How create it automatically?
 


It is created automatically (at least on mine it does).

~Seth


Re: [Dovecot] create folder automatically

2008-09-30 Thread Eduardo M KALINOWSKI
Seth Mattinen escreveu:
 Nicolas Letellier wrote:
   
 Hello.

 I install a sieve rule automatically when a mailbox is created, like:
 if exists "X-Spam-Flag" {
     fileinto "Junk";
     stop;
 }

 However, sometimes, this folder does not exist. How create it automatically?

 
 It is created automatically (at least on mine it does).
   

Indeed, the only way for deliver _not_ to create a folder that does not
exist is by giving the -n command line option, as stated in
http://wiki.dovecot.org/LDA .

-- 
Eduardo M Kalinowski
[EMAIL PROTECTED]



Re: [Dovecot] PKI Compliance Dovecot Server

2008-09-30 Thread Rick Romero


FYI, Nessus scans are used for PCI Compliance.  So if you've got all the 
plugins, you're good to go for vulnerability checks.  
IIRC, !SSLv2 was my solution when the SSL thing came up last year for 
PCI Compliance (previous job).


Rick

Timo Sirainen wrote:

> BTW. Dovecot v1.1 has by default:
>
> ssl_cipher_list = ALL:!LOW:!SSLv2
>
> I'd think that's enough to fix this too.
>
> On Tue, 2008-09-30 at 10:23 -0400, John Gray wrote:
>> I *think* you can fix this in your config.
>>
>> ssl_cipher_list = ALL:!ADH:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM
>>
>> Consider yourself lucky you're not using UW.  I believe you need to
>> recompile it.
>>
>> Nessus thinks I'm good with the setting above.
>>
>> John
>>
>> Amit Thakkar wrote:
>>> Hello,
>>>
>>> I work for an organization that uses a Secure Dovecot server for messaging, and recently
>>> we've had to undergo some security screenings for PKI compliance (credit card industry
>>> standards).  However, the screening returned to us a failure due to the following reason
>>> (attributed to our Dovecot server, which runs on port 993 and is the only
>>> open port on our firewall):
>>>
>>> Synopsis : The remote service encrypts traffic using a protocol with known
>>> weaknesses.
>>> Description : The remote service accepts connections encrypted using SSL 2.0,
>>> which reportedly suffers from several cryptographic flaws and has been
>>> deprecated for several years.  An attacker may be able to exploit these
>>> issues to conduct man-in-the-middle attacks or decrypt communications
>>> between the affected service and clients.
>>> See also : http://www.schneier.com/paper-ssl.pdf
>>> Solution : Consult the application's documentation to disable SSL 2.0 and use
>>> SSL 3.0 or TLS 1.0 instead.  See http://support.microsoft.com/kb/216482 for
>>> instructions on IIS.  See http://httpd.apache.org/docs/2.0/mod/mod_ssl.html
>>> for Apache.
>>> Risk Factor : Medium / CVSS Base Score : 2 (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)
>>>
>>> Is there a way that we can disable SSL 2.0 in Dovecot, or force it to use only
>>> TLS 1.0 ?
>>>
>>> Thank You


Re: [Dovecot] Managesieve Quota

2008-09-30 Thread Timo Sirainen
On Mon, 2008-09-29 at 10:01 -0700, Seth Mattinen wrote:
 Timo Sirainen wrote:
  On Thu, 2008-09-25 at 09:40 -0700, Seth Mattinen wrote:
  Has anyone (is anyone) working on adding quota support to dovecot's
  managesieve server? I was thinking about giving it a shot myself and I'd
  hate to duplicate work. It would be something very basic like a max
  bytes setting and the total sieve storage per user isn't allowed to
  exceed it.
  
  I think it would be nice to be able to use the standard quota plugin
  with managesieve so that all the same backends and configuration could
  be used. The main problem I see is:
  
  Does anyone want (or need) to have the mail and sieve quota shared,
  instead of specifying separate limits for them?
  
  With shared quota the code will probably have to have some kind of sieve
  hardcoding or write some kind of state files so it knows where to look
  when recalculating quota. So preferably no-one needs this. :)
  
  So without shared quota they could be configured as sievestorage and
  sievefiles which would also be visible using IMAP quota commands.
  Configuration could go like:
  
  quota = dict:::proxy::quota
  quota_rule = *:storage=100M:sievestorage=1M:sievefiles=10
 
 
 No need for sharing from me. (In fact, I don't use mail quotas at all.)
 My only goal is to have some kind of sieve quota to prevent someone from
 filling the filesystem with garbage either intentionally or through a
 badly written client.

Maybe I'm overthinking the problem. There probably won't be more than a
few scripts. It's probably simplest if the quota is always just
recalculated by lstat()ing the files.




Re: [Dovecot] Managesieve Quota

2008-09-30 Thread Seth Mattinen
Timo Sirainen wrote:
 Maybe I'm overthinking the problem. There probably won't be more than a
 few scripts. It's probably simplest if the quota is always just
 recalculated by lstat()ing the files.


Pretty much what I was thinking about doing. Calculate total size of the
sieve scripts and compare it to a config setting. In watching my
customers use Sieve, there is never more than a few scripts since Sieve
only lets you have one script active at a time anyway. If they create
more than one it's so they can test changes.

~Seth


Re: [Dovecot] Managesieve Quota

2008-09-30 Thread Timo Sirainen
On Tue, 2008-09-30 at 10:47 -0700, Seth Mattinen wrote:
 Timo Sirainen wrote:
  Maybe I'm overthinking the problem. There probably won't be more than a
  few scripts. It's probably simplest if the quota is always just
  recalculated by lstat()ing the files.
 
 
 Pretty much what I was thinking about doing. Calculate total size of the
 sieve scripts and compare it to a config setting. In watching my
 customers use Sieve, there is never more than a few scripts since Sieve
 only lets you have one script active at a time anyway. If they create
 more than one it's so they can test changes.

I haven't looked at managesieve code, but it would also be nice if it
wasn't possible to send it gigabytes of data and cause it to save it to
disk and only after then check the quota. :)




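As an added example (not Dovecot or ManageSieve code) of the approach sketched in this thread: sieve storage usage is recomputed by lstat()ing the script files, and the limit is checked before and during the upload rather than after the data is already on disk. The byte and file limits, the directory layout and the sample script are constructed for the demo.

```python
"""Sieve-script storage quota: recomputed with lstat(), enforced up front."""
import os
import stat
import tempfile


class QuotaExceeded(Exception):
    """Raised when storing a script would exceed the configured limits."""


def sieve_usage(script_dir):
    """Return (bytes, files) used by regular files in script_dir.

    lstat() is used so symlinks are not followed: only real script files are
    counted, and a dangling link cannot make the check fail."""
    total_bytes, total_files = 0, 0
    for name in os.listdir(script_dir):
        st = os.lstat(os.path.join(script_dir, name))
        if stat.S_ISREG(st.st_mode):
            total_bytes += st.st_size
            total_files += 1
    return total_bytes, total_files


def store_script(script_dir, name, chunks, max_bytes, max_files,
                 declared_size=None):
    """Store a script delivered as an iterable of byte chunks.

    The quota is checked against the declared size before anything is
    written, and again on every chunk, so a client that announces a small
    script and then streams far more is cut off at the limit and the partial
    file is removed. Returns the number of bytes stored."""
    used_bytes, used_files = sieve_usage(script_dir)
    path = os.path.join(script_dir, name)
    if os.path.isfile(path):
        used_bytes -= os.lstat(path).st_size   # replacing an existing script
    else:
        used_files += 1
    if used_files > max_files:
        raise QuotaExceeded("too many scripts (limit %d)" % max_files)
    budget = max_bytes - used_bytes
    if declared_size is not None and declared_size > budget:
        raise QuotaExceeded("declared size %d exceeds remaining %d bytes"
                            % (declared_size, budget))
    tmp = path + ".tmp"
    written = 0
    try:
        with open(tmp, "wb") as f:
            for chunk in chunks:
                written += len(chunk)
                if written > budget:
                    raise QuotaExceeded("upload exceeds remaining %d bytes" % budget)
                if declared_size is not None and written > declared_size:
                    raise QuotaExceeded("client sent more than it declared")
                f.write(chunk)
    except QuotaExceeded:
        os.unlink(tmp)          # never leave the over-quota partial file behind
        raise
    os.replace(tmp, path)       # atomic swap: readers never see a half-written script
    return written


# Constructed sample script (the rule from the "create folder" thread).
SAMPLE_SCRIPT = b'if exists "X-Spam-Flag" { fileinto "Junk"; stop; }\r\n'


def demo(max_bytes=1024, max_files=3):
    """Run the cases that matter, in a fresh temporary script directory."""
    d = tempfile.mkdtemp()
    out = {}
    out["stored"] = store_script(d, "spam.sieve", [SAMPLE_SCRIPT], max_bytes, max_files)
    out["usage"] = sieve_usage(d)
    # 1. Declared size too large: rejected before a single byte is written.
    try:
        store_script(d, "big.sieve", [b"x" * 2048], max_bytes, max_files,
                     declared_size=2048)
        out["declared_rejected"] = False
    except QuotaExceeded:
        out["declared_rejected"] = True
    # 2. No declared size and the stream overruns the budget: cut off mid-upload.
    try:
        store_script(d, "lie.sieve", (b"y" * 100 for _ in range(20)),
                     max_bytes, max_files)
        out["stream_rejected"] = False
    except QuotaExceeded:
        out["stream_rejected"] = True
    # 3. Only the accepted script remains; no temp file survives either case.
    out["files_left"] = sorted(os.listdir(d))
    return out


if __name__ == "__main__":
    print(demo())
```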

Re: [Dovecot] Test environment question

2008-09-30 Thread Stewart Dean

Timo Sirainen wrote:
> On Mon, 2008-09-22 at 13:04 -0400, Stewart Dean wrote:
>> Sep 22 11:54:13 egg mail:err|error dovecot: IMAP(sdean): posix_fallocate() failed: Protocol not available
>
> See if this helps: http://hg.dovecot.org/dovecot-1.1/rev/ad13463328aa

My apologies for not getting back to you...I was sick and out last week
and am not exactly shining brightly this week :)


I rebuilt with the patch you specified.  I made sure that my imap 
session from my TBird client to my production (DC V1.0.15) server was 
shut down, that it was reconfigured NOT to periodically look for mail, 
and I have rechecked since then to make sure that there are no session 
in the PS table for it.  When I started up on my DC V1.1.3 test server, 
I got the following messages:

Sep 30 13:24:13 egg mail:info dovecot: Dovecot v1.1.3 starting up
Sep 30 13:24:26 egg mail:info dovecot: imap-login: Login: user=sdean, method=PLAIN, rip=10.20.10.169, lip=192.246.229.31
Sep 30 13:24:28 egg mail:info dovecot: imap-login: Login: user=sdean, method=PLAIN, rip=10.20.10.169, lip=192.246.229.31
Sep 30 13:24:30 egg mail:err|error dovecot: IMAP(sdean): mbox sync: UID inserted in the middle of mailbox /var/spool/mail/sdean (646581  646564, seq=1125, idx_msgs=1126)
Sep 30 13:24:31 egg mail:err|error dovecot: IMAP(sdean): mbox sync: UID inserted in the middle of mailbox /var/spool/mail/sdean (646581  646564, seq=1125, idx_msgs=1126)
Sep 30 13:24:33 egg mail:err|error dovecot: IMAP(sdean): posix_fallocate() failed: File exists
Sep 30 13:24:33 egg mail:err|error dovecot: IMAP(sdean): file_set_size() failed with mbox file /var/spool/mail/sdean: File exists

Sep 30 13:24:35 egg mail:err|error dovecot: IMAP(sdean): posix_fallocate() failed: File exists
Sep 30 13:24:35 egg mail:err|error dovecot: IMAP(sdean): file_set_size() failed with mbox file /var/spool/mail/sdean: File exists

Sep 30 13:25:37 egg mail:info dovecot: ssl-build-param: SSL parameters regeneration completed
Sep 30 13:27:42 egg mail:info dovecot: imap-login: Login: user=sdean, method=PLAIN, rip=10.20.10.169, lip=192.246.229.31
Sep 30 13:30:28 egg mail:info dovecot: imap-login: Login: user=sdean, method=PLAIN, rip=10.20.10.169, lip=192.246.229.31

I would assume that, when the test server started up, the index and such
stuff it had from the last time it was run was grossly out of synch and
that this is therefore just DC on the test server setting things right.


Since then, as I wrote a message, DC on the test machine coughed out an 
errmsg relating to the Drafts folder, which again makes sense as it is also 
likely out of sync:

Sep 30 13:49:25 egg mail:info dovecot: imap-login: Login: user=sdean, method=PLAIN, rip=10.20.10.169, lip=192.246.229.31
Sep 30 13:51:03 egg mail:err|error dovecot: IMAP(sdean): mbox sync: UID inserted in the middle of mailbox /home/hcrc/sdean/mail/Drafts (9422 > 9403, seq=607, idx_msgs=651)
Sep 30 13:51:04 egg mail:err|error dovecot: IMAP(sdean): mbox sync: UID inserted in the middle of mailbox /home/hcrc/sdean/mail/Drafts (9422 > 9403, seq=607, idx_msgs=651)
Sep 30 13:53:45 egg mail:info dovecot: IMAP(sdean): Disconnected: Logged out bytes=73/3631

So there are two possibilities:
1) That this just happens once (for any given folder), as long as the 
test DC server is the only one to ride herd on the folders

and/or
2) even so, these messages shouldn't happen and something is wrong.

I will watch it carefully for a day and see if I can confirm that #1 is 
true.




I have attached my original note with its copies of the dovecot -n 
output for both machines
---BeginMessage---
My production DC machine owns the mail filesystems and is running DC 
V1.0.15 and mbox folder format.
I am looking to test V1.1.3 on another machine, which NFS mounts the 
mail filesystems, but has its own local index FS.


I have made this test environment my default connection in TBird, and it 
seems to work just fine.  Also, I have made sure that my TBird client 
isn't connecting to the production server (it has multiple accounts but 
I have turned off the check for mail when starting and check for new 
mail every N minutes functions, and then check the ps table to make sure 
there are no imap connections)

However, I'm seeing two errmsgs in the maillog on the test machine:

Sep 22 11:54:13 egg mail:err|error dovecot: IMAP(sdean): posix_fallocate() failed: Protocol not available
Sep 22 11:54:13 egg mail:err|error dovecot: IMAP(sdean): file_set_size() failed with mbox file /var/spool/mail/sdean: Protocol not available

which appear to happen AFTER mail arrives at the production server. It 
seems to happen on my test server the next time my client goes to access 
mail AFTER mail has arrived at the production server.  Subsequent client 
requests of the test server execute without error until AFTER the next 
time mail arrives and my inbox is updated with it.


Again, if I hadn't looked at the logs, I wouldn't know there was a 
problem...I can see 

Re: [Dovecot] Managesieve Quota

2008-09-30 Thread Stephan Bosch
Timo Sirainen wrote:
 On Tue, 2008-09-30 at 10:47 -0700, Seth Mattinen wrote:

  Timo Sirainen wrote:

   Maybe I'm overthinking the problem. There probably won't be more than a
   few scripts. It's probably simplest if the quota is always just
   recalculated by lstat()ing the files.

  Pretty much what I was thinking about doing. Calculate total size of the
  sieve scripts and compare it to a config setting. In watching my
  customers use Sieve, there is never more than a few scripts since Sieve
  only lets you have one script active at a time anyway. If they create
  more than one it's so they can test changes.

 I haven't looked at managesieve code, but it would also be nice if it
 wasn't possible to send it gigabytes of data and cause it to save it to
 disk and only after then check the quota. :)

I have ;) That is currently possible as warned in the README and it
definitely needs to be fixed.

Regards,

Stephan.
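The point Timo raises (here and in the same remark quoted at the top of this section) is that the quota has to be enforced on the size the client declares, before the body is read or written, not after it has landed on disk. What follows is an added example, not code from Dovecot or the managesieve plugin: a minimal PUTSCRIPT handler in Python that recalculates usage by lstat()ing the stored scripts, as Timo suggests, and refuses an upload from the literal's declared octet count before a single body byte is consumed. The command shape follows ManageSieve's `PUTSCRIPT "name" {N+}` literal syntax; the script directory, the 150-octet quota and the script contents in `demo()` are constructed for the example, and the script-name check and atomic temp-file write are the author's additions, not something the thread describes.

```python
import io
import os
import re
import stat
import tempfile

# PUTSCRIPT "name" {N+}: the client declares N octets before sending the body,
# so N can be checked against the quota before anything is read or stored.
PUTSCRIPT_RE = re.compile(r'^PUTSCRIPT\s+"([^"\\\x00-\x1f]+)"\s+\{(\d+)\+?\}\s*$')


class QuotaExceeded(Exception):
    """Raised before any byte of the script body has been consumed."""


def sieve_usage(script_dir):
    """Current usage, recalculated by lstat()ing every stored script.
    Only regular files count; symlinks and stray directories are ignored."""
    total = 0
    for name in os.listdir(script_dir):
        st = os.lstat(os.path.join(script_dir, name))
        if stat.S_ISREG(st.st_mode):
            total += st.st_size
    return total


def check_putscript(command_line, script_dir, max_bytes):
    """Decide from the declared size alone whether the upload may proceed.
    Returns (name, declared_size); raises ValueError on a malformed command or
    unsafe name, QuotaExceeded if usage would pass max_bytes.  Reads nothing."""
    m = PUTSCRIPT_RE.match(command_line)
    if not m:
        raise ValueError("malformed PUTSCRIPT")
    name, size = m.group(1), int(m.group(2))
    if "/" in name or name in (".", ".."):      # client-controlled: keep it inside script_dir
        raise ValueError("unsafe script name")
    path = os.path.join(script_dir, name)
    try:                                         # replacing a script frees its old size
        st = os.lstat(path)
        existing = st.st_size if stat.S_ISREG(st.st_mode) else 0
    except FileNotFoundError:
        existing = 0
    if sieve_usage(script_dir) - existing + size > max_bytes:
        raise QuotaExceeded("%s: %d octets would exceed %d" % (name, size, max_bytes))
    return name, size


def putscript(command_line, body, script_dir, max_bytes):
    """Check first, then read exactly the promised octets and store them
    atomically (temp file + rename).  Returns the stored path."""
    name, size = check_putscript(command_line, script_dir, max_bytes)
    data = body.read(size)                       # bounded read, never more than declared
    if len(data) != size:
        raise ValueError("short literal")
    fd, tmp = tempfile.mkstemp(dir=script_dir, prefix=".tmp-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        path = os.path.join(script_dir, name)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return path


def demo():
    """Constructed scenario: one 100-octet script already stored, 150-octet quota."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "old.sieve"), "wb") as f:
        f.write(b"x" * 100)
    out = {"usage_before": sieve_usage(d)}
    out["fits"] = check_putscript('PUTSCRIPT "new.sieve" {40+}', d, 150)
    try:
        check_putscript('PUTSCRIPT "new.sieve" {60+}', d, 150)
        out["over"] = "accepted"
    except QuotaExceeded:
        out["over"] = "refused"
    out["files_after_refusal"] = sorted(os.listdir(d))   # nothing was written
    out["replace"] = check_putscript('PUTSCRIPT "old.sieve" {140+}', d, 150)
    try:
        check_putscript('PUTSCRIPT "../evil" {1+}', d, 150)
        out["traversal"] = "accepted"
    except ValueError:
        out["traversal"] = "refused"
    # the body carries more than the declared 40 octets; only 40 are read
    putscript('PUTSCRIPT "new.sieve" {40+}', io.BytesIO(b"y" * 40 + b"EXTRA"), d, 150)
    out["usage_after"] = sieve_usage(d)
    return out


if __name__ == "__main__":
    print(demo())
```

The store-then-check ordering the thread warns about would be the same code with `check_putscript()` moved after the write: the client would then decide how much the server buffers and writes before the quota is consulted. The bounded `body.read(size)` matters for the same reason, since a client that sends more than it declared must not be able to grow the stored file past the accepted size.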




Re: [Dovecot] quota warnings clarification

2008-09-30 Thread Ian B

 Well... the main use for Quotas is for rejecting NEW messages at
 delivery time - not for controlling a static set of mailboxes.

 Are you saying you didn't even test by sending yourself a test message?


The way I was testing was by setting the quota warning threshold low like 
1%,2%,3% then sending myself test messages to try and generate a warning 
message. I would open my inbox in Thunderbird and see the quota level reach 
1%,2% etc but no warning message. It was only when I actually deleted a message 
from my inbox (move to trash) that a warning was generated.





Re: [Dovecot] disbale to responded to an unrequested SSL Certificate

2008-09-30 Thread Christopher J. Buckley

Andre Hübner wrote:

Hi dovecot-list,

just an easy question today ;)

Customer ran a PCI test on the server to check its security against Worldpay's requirements.


NB: PCI is not to fit Worldpay's requirements, but rather those of the 
PCI-DSS body (Visa & Mastercard).


1. What was the scanning tool? Qualys?
2. What level of severity was this flagged as?  From when I've done PCI 
audits, anything > 2 needed addressing, anything <= 2 was able to pass.
It may be the case your customer has nothing to worry about with regards 
to this specific warning...


Cheers,

--
Kind Regards,   ::   http://www.cjbuckley.net/
Chris Buckley   ::   http://photos.cjbuckley.net/