Re: [Dovecot] dovecot stats

[Robert Schetterer]

Am 08.05.2013 11:25, schrieb Jan-Frode Myklebust:
 Thanks, nice graphs. I've attached a graph over LMTP delays per minute as
 seen from the postfix side on one of our servers. This includes delays
 caused by both delivery to dovecot LMTP, and also LMTP communication
 internally on the mailservers between postfix and amavis. Unfortunately it
 says nothing about the delivery time to each individual dovecot backend,
 since these are hiding behind dovecot director, and therefor we have no way
 of knowing which of our backends are slow (if any).
 
 
 
   -jf
 
 
 

 

i am not sure, i ll have to read more doku
perhaps it makes sense to use delay stuff in log for analyse i.e
after all i am not using directors, i have real loadbalancers

private/dovecot-lmtp], delay=1.4, delays=1.2/0/0/0.17, dsn=2.0.0,
status=sent

Best Regards
MfG Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein

[Dovecot] SSL problems on dovecot 2.1.7

[Steinar Bang]

When I upgraded my debian-based imap server from squeeze to wheezy
yesterday, SSL stopped working.

I am using a http://cacert.org signed server sertificate, and I am
reusing the certificates that were used on the 1.x dovecot of debian
squeeze.

My three MUAs that worked against the previous 1.x dovecot with the same
certificate, now fails in various ways.

Any hints and guesses as to how to debug this further will be highly
appreciated.  Even more appreciated will be a pin point of the issue. :-)

Here are the error messages from the MUAs:
 - Opera 12.15 on Windows 7 just reports:
   The connection with the IMAP server was unexpectedly interrupted.
 - Emacs24(w/linked-in gnutls)/Ma Gnus 0.8 (Gnus git HEAD) on Windows 7 says
   imap.mydomain.com certificate could not be verified.
 - Emacs23/Ma Gnus 0.8 (also Gnus git HEAD) on debian testing (with
   Emacs23 gnutls-cli is run in a subprocess), says:
   Opening connection to imap.mydomain.com via tls...
Opening TLS connection to `imap.mydomain.com'...
Opening TLS connection with `gnutls-cli --insecure -p 993 
imap.mydomain.com'...done
   Opening TLS connection to `imap.mydomain.com'...done
   Unable to open server nnimap+privat due to: Process *nnimap* not running

When I try running gnutls-cli from the command line of the debian
testing machine (the same gnutls-cli that is used by the emacs23/gnus
combo), it seems to connect ok (the transcript of that session is
below).

The config for the SSL, from /etc/dovecot/conf.d/10-ssl.conf, is:

# SSL/TLS support: yes, no, required. doc/wiki/SSL.txt
ssl = yes

# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert = /etc/ssl/certs/imap_mydomain_com.pem
ssl_key = /etc/ssl/private/imap_mydomain_com.key


The access privileges of the files, are:
-rw-r--r-- 1 root root 2077 Mar 27 12:45 /etc/ssl/certs/imap_mydomain_com.pem
-rw--- 1 root root 3243 Jul 12  2011 /etc/ssl/private/imap_mydomain_com.key


What follows, is the transcript from the gnutls-cli session from a
debian testing machine to the server (which seems to be working as far
as I can tell...):

sb@edwards:~$ gnutls-cli -p 993 rainey.mydomain.com
WARNING: gnome-keyring:: couldn't connect to: 
/home/sb/.cache/keyring-yeEdM3/pkcs11: No such file or directory
Resolving 'rainey.mydomain.com'...
Connecting to '212.110.185.190:993'...
- Ephemeral Diffie-Hellman parameters
 - Using prime: 1024 bits
 - Secret key: 1023 bits
 - Peer's public key: 1023 bits
- Certificate type: X.509
 - Got a certificate list of 1 certificates.
 - Certificate[0] info:
  - subject `CN=imap.mydomain.com', issuer `O=Root 
CA,OU=http://www.cacert.org,CN=CA Cert Signing 
Authority,EMAIL=supp...@cacert.org', RSA key 4096 bits, signed using RSA-SHA1, 
activated `2013-03-27 12:43:30 UTC', expires `2013-09-23 12:43:30 UTC', SHA-1 
fingerprint `86f8a501bca1e2b0eadc677bf05b103d298ce247'
- The hostname in the certificate does NOT match 'rainey.mydomain.com'
sb@edwards:~$ gnutls-cli -p 993 imap.mydomain.com
WARNING: gnome-keyring:: couldn't connect to: 
/home/sb/.cache/keyring-yeEdM3/pkcs11: No such file or directory
Resolving 'imap.mydomain.com'...
Connecting to '212.110.185.190:993'...
- Ephemeral Diffie-Hellman parameters
 - Using prime: 1024 bits
 - Secret key: 1022 bits
 - Peer's public key: 1021 bits
- Certificate type: X.509
 - Got a certificate list of 1 certificates.
 - Certificate[0] info:
  - subject `CN=imap.mydomain.com', issuer `O=Root 
CA,OU=http://www.cacert.org,CN=CA Cert Signing 
Authority,EMAIL=supp...@cacert.org', RSA key 4096 bits, signed using RSA-SHA1, 
activated `2013-03-27 12:43:30 UTC', expires `2013-09-23 12:43:30 UTC', SHA-1 
fingerprint `86f8a501bca1e2b0eadc677bf05b103d298ce247'
- The hostname in the certificate matches 'imap.mydomain.com'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.2
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed

- Simple Client Mode:

* OK Waiting for authentication process to respond..
- Peer has closed the GnuTLS connection

Re: [Dovecot] Permission problem with LDA and dovecot 2.2.1

[Tobi]

Am 09.05.2013 02:30, schrieb Ben Morrow:

At  9PM +0200 on  8/05/13 you (Tobi) wrote:

Am 08.05.2013 19:21, schrieb Ben Morrow:

At  6PM +0200 on  7/05/13 you (Tobi) wrote:

I tried with removing the base_dir definition from my config, restartet
dovecot and checked with the commands you provided below:

root@nordkap:~# doveconf -d base_dir
base_dir = /usr/local/var/run/dovecot
root@nordkap:~# doveconf base_dir
base_dir = /usr/local/var/run/dovecot
root@nordkap:~# su vmail -s /bin/sh -c doveconf base_dir
base_dir = /usr/local/var/run/dovecot
   
for me it seems that all is build with /usr/local

OK, that's odd. I was wondering if you had some permission problem which
was stopping the lda from reading the config file, but apparently not.

Sorry my subject is a bit misleading ;-)

I wasn't confused by the subject: IIRC if LDA can't read a config file,
it will simply ignore it (on the grounds that it is often running as an
ordinary user and so might not be supposed to), meaning that if the
permissions on the config file were too restrictive the LDA running as
vmail might not have seen the base_dir setting. Apparently that's not
the case...


As I updated today to wheezy anyway I built dovecot again with the
following options:

./configure --prefix=/usr/local --localstatedir=/usr/local/var
--with-mysql --with-sql
make  make install
  
but as well with those after starting dovecot and postfix the errors of
the lda looking in /var/run occured again.

OK... interesting choice, now you understand why /usr/local/var is not
usually used, but anyway...

this localstatedir option was just a test to see if lda looks in the 
localstatedir specified with configure. At least in my case it is not. 
After that test I built again with localstatedir=/var (as suggested by 
Christian) and like that it works fine without the symlink

But after removing the symlink and restarting dovecot I get the errors again

May  7 17:47:57 nordkap dovecot: lda: Error: userdb lookup:
connect(/var/run/dovecot/auth-userdb) failed: No such file or directory
May  7 17:47:57 nordkap dovecot: lda: Fatal: Internal error occurred.
Refer to server log for more information.
   

Are you sure you're running the right copy of dovecot-lda? I think you
mentioned xthread that you have a Debian-provided version installed as
well?

Yes I had the version from apt as well, but removed it today after
upgrading to wheezy. The lda is called from postfix by these lines in
master.cf

dovecot unix-   n   n   -   -   pipe
   flags=DRhu user=vmail:vmail argv=/usr/local/libexec/dovecot/deliver -f
${sender} -d ${user}@${nexthop}
  
so according to the path prefix it should be the correct copy of
deliver. Is there a switch to get the version from deliver? I tried the
usual -v and --version but no success. But even without the version I'm
99.99873% sure that the correct binary is used :-)

OK. So the next step is to try running deliver by hand, as vmail,
feeding it a mail from stdin, to see if that fails the same way. If it
does then I would next run it under strace, to see exactly what it's
trying to do and what files it's looking at.

You could also run ldd on deliver, just to make sure it's picking up the
right versions of the dovecot libraries. The hardcoded base_dir path
appears to be baked into libdovecot.so.0, so if you run

 strings /path/to/libdovecot.so.0 | grep /var

As I actually built with localstatedir=/var all the paths are correct

ldd /usr/local/libexec/dovecot/deliver
...
libdovecot.so.0 = /usr/local/lib/dovecot/libdovecot.so.0 
(0x7fc41bcd9000)

...

and

root@nordkap:~# strings /usr/local/lib/dovecot/libdovecot.so.0 | grep /var
/var/lib/dovecot/instances
/var/run/dovecot/config
/var/run/dovecot
/var/lib/dovecot
/var/run
/var/tmp

I will built dovecot again with localstatedir=/usr/local/var and 
re-check the paths with the commands above.


Thanks for all the help here, really a great list

tobi

[Dovecot] dovecot not logging after upgrade to 2.1.7 on debian

[Steinar Bang]

After upgrading my IMAP server to the new debian stable, and upgrading
dovecot from 1.x to 2.1.7 in the process, dovecot no longer logs
anything to /var/log/mail.*.  The last entries there are from before the
upgrade, and no starts or error messages or failed login attempts, since
then, have been logged.

Does anyone know what might cause this?

doveconf -n doesn't mention any of the log settings.  Maybe the log
settings aren't picked up?  What could be done to make sure they are
picked up?

Here's the content of the /etc/dovecot/conf.d/10-logging.conf file:

##
## Log destination.
##

# Log file to use for error messages. syslog logs to syslog,
# /dev/stderr logs to stderr.
log_path = syslog

# Log file to use for informational messages. Defaults to log_path.
#info_log_path = 
# Log file to use for debug messages. Defaults to info_log_path.
#debug_log_path = 

# Syslog facility to use if you're logging to syslog. Usually if you don't
# want to use mail, you'll use local0..local7. Also other standard
# facilities are supported.
syslog_facility = mail

##
## Logging verbosity and debugging.
##

# Log unsuccessful authentication attempts and the reasons why they failed.
#auth_verbose = no

# In case of password mismatches, log the attempted password. Valid values are
# no, plain and sha1. sha1 can be useful for detecting brute force password
# attempts vs. user simply trying the same password over and over again.
#auth_verbose_passwords = no

# Even more verbose logging for debugging purposes. Shows for example SQL
# queries.
#auth_debug = no

# In case of password mismatches, log the passwords and used scheme so the
# problem can be debugged. Enabling this also enables auth_debug.
#auth_debug_passwords = no

# Enable mail process debugging. This can help you figure out why Dovecot
# isn't finding your mails.
#mail_debug = no

# Show protocol level SSL errors.
#verbose_ssl = no

# mail_log plugin provides more event logging for mail processes.
plugin {
  # Events to log. Also available: flag_change append
  #mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
  # Available fields: uid, box, msgid, from, subject, size, vsize, flags
  # size and vsize are available only for expunge and copy events.
  #mail_log_fields = uid box msgid size
}

##
## Log formatting.
##

# Prefix for each line written to log file. % codes are in strftime(3)
# format.
#log_timestamp = %b %d %H:%M:%S 

# Space-separated list of elements we want to log. The elements which have
# a non-empty variable value are joined together to form a comma-separated
# string.
#login_log_format_elements = user=%u method=%m rip=%r lip=%l mpid=%e %c

# Login log format. %$ contains login_log_format_elements string, %s contains
# the data we want to log.
#login_log_format = %$: %s
 
# Log prefix for mail processes. See doc/wiki/Variables.txt for list of
# possible variables you can use.
#mail_log_prefix = %s(%u): 

# Format to use for logging mail deliveries. You can use variables:
#  %$ - Delivery status message (e.g. saved to INBOX)
#  %m - Message-ID
#  %s - Subject
#  %f - From address
#  %p - Physical size
#  %w - Virtual size
#deliver_log_format = msgid=%m: %$

Re: [Dovecot] IMAP SSL proxy (questions)

[Trever L. Adams]

On 05/08/2013 01:57 PM, Ben Morrow wrote:
 At 10AM -0600 on  8/05/13 you (Trever L. Adams) wrote:
 Hello everyone,

 I have seen: http://wiki.dovecot.org/HowTo/ImapProxy. It doesn't seem to
 fit what I need.
 That page is for Dovecot 1.x, which is obsolete. You should be reading
 http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/Proxy .

 Unfortunately, I cannot use TLS. I have to use SSL. Also, I would rather
 not duplicate the certificates for the IMAP servers. Hence nginx doesn't
 seem to be a good choice either.

 I am hoping that since SSL has Client Hello which specifies the site
 requested the the following could be done:

 Client -  Proxy [SYN]
 Proxy - Client [SYN, ACK]
 Client - Proxy [ACK]
 Client - Proxy [SSL With Client Hello, having server_name in
 Extension: server_name and sub-fields]
 Do you have any evidence that common IMAP clients support sending SNI?
 I've just checked, and mutt (for example) appears not to.

   Proxy sees intended host
   Proxy - Intended Server [SYN/SYN+ACK/ACK sequence]
   Proxy - Intended Server [Replay SSL/Client Hello]
 Client - Proxy - Intended Server (Proxy is non decrypting
 Man-in-the-Middle, just acting as a pseudo-invisible relay)

 I know that something somewhat like this works because this is how
 Apache can do virtual hosts with SSL. Of course, it acts as the end
 point intended server, not a proxy. I believe it is also somewhat how
 Squid does SSL proxying, although I could be entirely wrong.
 More importantly, it only works with clients (browsers) which are new
 enough to send SNI. If you use, for instance, any version of IE on
 Windows XP, it will not work.

 Is this possible? Can this be implemented in dovecot?
 I don't believe so. 

 If not, does anyone know of such a project. Proxy needs to not have
 any exploitable holes and really only needs to understand enough SSL
 to get the server_name, pass through the connection, replaying Client
 Hello, and then knowing when to shut the connection.

 Just as a breif example, the use I have for this now is that I have
 several imap servers which all have IPv6 addresses, but have to share an
 IPv4 address. for SMTP side of things, this works well for all incoming
 email. (As an aside, does anyone know of a similar setup for SSL traffic
 on port 465 SSL for SMTP?)
 Similarly, I doubt this is possible for SMTP either, since the clients
 probably won't send SNI.

 Ben


Thank you Ben and Noel for your responses! I know Thunderbird on Linux
sends it. Right now my targets would be Thunderbird, K9 Mail and Android
Mail on Android, and Apple Mail and whatever the equivalent is on iOS. I
will investigate K9 and Android later (as I have access to those). I do
not have access to the Apple ones at the moment.

K-9 on my Droid X2 does not support SNI.

Trever

Re: [Dovecot] dovecot not logging after upgrade to 2.1.7 on debian

[Pascal Volk]

On 05/09/2013 02:02 PM Steinar Bang wrote:
 After upgrading my IMAP server to the new debian stable, and upgrading
 dovecot from 1.x to 2.1.7 in the process, dovecot no longer logs
 anything to /var/log/mail.*.  The last entries there are from before the
 upgrade, and no starts or error messages or failed login attempts, since
 then, have been logged.

Did you read /usr/share/doc/dovecot-core/{NEWS,README}.Debian.gz?

 Does anyone know what might cause this?
 
 doveconf -n doesn't mention any of the log settings.  Maybe the log
 settings aren't picked up?  What could be done to make sure they are
 picked up?

,--[ doveconf(1) ]--
| OPTIONS
| -n Show only settings with non-default values.
`--

 Here's the content of the /etc/dovecot/conf.d/10-logging.conf file:
 …

Please don't copy and paste stuff from files in Dovecot's configuration
directory. Always provide the output generated by `doveconf -n`.

,--[ doveadm-log(1) ]--
| COMMANDS
|log find
|doveadm log find [directory]
| 
|The  log  find command is used to show the location of the log files, 
to which dovecot(1) sends its log messages.  If dovecot(1) logs its messages 
through syslogd(8) and doveadm(1) could not find any
|log files, you can specify the directory where your syslogd writes its 
log files.
`--

Regards,
Pascal
-- 
The trapper recommends today: c01dcofe.1312...@localdomain.org

Re: [Dovecot] dovecot not logging after upgrade to 2.1.7 on debian

[Steinar Bang]

 Steinar Bang s...@dod.no:

 Could the culprit be the syslogd?  Could the syslogd have gone AWOL
 during the debian upgrade?  That's a point of investigation, at least...

Indeed...
 rainey:~# dpkg -S /etc/syslog.conf 
 sysklogd: /etc/syslog.conf
 rainey:~# dpkg -l sysklogd
 Desired=Unknown/Install/Remove/Purge/Hold
 | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
 |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
 ||/ NameVersionArchitecture   
Description
 
+++-===-==-==-
 rc  sysklogd1.5-6  i386   System 
Logging Daemon

http://packages.debian.org/squeeze/sysklogd

Exists for squeeze and sid, but not for wheezy.

The preferred syslogd for debian is now rsyslog:
 http://wiki.debian.org/Rsyslog

apt-get install rsyslog pulled the new syslogd in, and now doveadm
log find reports meaningful values:

rainey:~# doveadm log find
Looking for log files from /var/log
Debug: /var/log/mail.log
Debug: /var/log/syslog
Info: /var/log/mail.log
Info: /var/log/syslog
Info: /var/log/mail.info
Warning: /var/log/mail.log
Warning: /var/log/mail.warn
Warning: /var/log/syslog
Warning: /var/log/mail.info
Error: /var/log/mail.log
Error: /var/log/mail.warn
Error: /var/log/mail.err
Error: /var/log/syslog
Error: /var/log/mail.info
Fatal: /var/log/mail.log
Fatal: /var/log/mail.warn
Fatal: /var/log/mail.err
Fatal: /var/log/syslog
Fatal: /var/log/mail.info

[Dovecot] Released Pigeonhole v0.3.5 for Dovecot v2.1.16

[Stephan Bosch]

Hello Dovecot users,

Before I release the first version of Pigeonhole v0.4, I quickly release 
a few small but important fixes for Pigeonhole v0.3.


Changelog v0.3.5:

- Sieve editheader extension: fixed interaction with the Sieve body
  extension. If used together, the deleteheader action could fail after
  a body test was performed.
- Test suite: fixed a time zone dependency in the Sieve date extension
  tests.

The release is available as follows:

http://www.rename-it.nl/dovecot/2.1/dovecot-2.1-pigeonhole-0.3.5.tar.gz
http://www.rename-it.nl/dovecot/2.1/dovecot-2.1-pigeonhole-0.3.5.tar.gz.sig

Refer to http://pigeonhole.dovecot.org and the Dovecot v2.x wiki for 
more information. Have fun testing this new release and don't hesitate 
to notify me when there are any problems.


Regards,

--
Stephan Bosch
step...@rename-it.nl

Re: [Dovecot] change inbox dotlock name

[Chris Saldanha]

Axel Luttgens axelluttg...@swing.be wrote:
 But I fear I don't understand your problem description.
 Could you elaborate?

Hi Axel,

The issue is that the procmail port on FreeBSD doesn't acquire a dotlock 
when it's the default lock file (/var/mail/username.lock).  It prints 
that it's bypassing the dotlock and just does a lockf() lock after.  
Looking in the code for procmail, it seems that it's being too clever 
with a bunch of checks and so it doesn't try to get the lock -- it's 
decided it doesn't want to before doing it.


The permissions and runtime environment permit the lock, and the same 
lock is acquired correctly by dovecot when writing to the inbox.  I'm 
doing dotlock and then lockf() locking in all the mail software.


procmail's checks only seem to apply to the default lock file for the 
inbox.  If I specify an alternate name in the .procmailrc for the 
$ORGMAIL delivery of the message, then it will acquire any other lock I 
ask, including an alternate name in the /var/mail directory.


I'll dig into the procmail sources as needed to resolve it, but I had 
hoped that I could get dovecot to lock with a different filename, 
because that would resolve the issue with minimal hackery...


Cheers,
Chris

--
Chris Saldanha
Parliant Corporation

Re: [Dovecot] dovecot not logging after upgrade to 2.1.7 on debian

[Reindl Harald]

Am 09.05.2013 16:11, schrieb Steinar Bang:
 Could the culprit be the syslogd?  Could the syslogd have gone AWOL
 during the debian upgrade?  That's a point of investigation, at least...
 
 Indeed...

 http://packages.debian.org/squeeze/sysklogd
 Exists for squeeze and sid, but not for wheezy.
 
 The preferred syslogd for debian is now rsyslog:
  http://wiki.debian.org/Rsyslog
 
 apt-get install rsyslog pulled the new syslogd in, and now doveadm
 log find reports meaningful values

and deb-packages does not support Obsoletes/Provides like RPM
or only the packager too stupid not break upgrades?




signature.asc
Description: OpenPGP digital signature

[Dovecot] Released Pigeonhole v0.4.0 for Dovecot v2.2.1.

[Stephan Bosch]

Hello Dovecot users,

I finally release the first version of Pigeonhole v0.4 for Dovecot v2.2. 
The main reason for the delay was that some unexpected (design) problems 
occurred with the new doveadm-sieve plugin, which allows synchronizing 
sieve scripts using doveadm sync.


One important change is that I incorporated the extprograms plugin into 
the main Pigeonhole release. With this plugin it is possible to execute 
administrator-controlled external programs (shell scripts) from the 
Sieve interpreter, e.g. for special message delivery, filtering and 
string manipulation.


The list of new features is not that impressive. I've been working on 
IMAP URLAUTH, IMAP CATENATE and HTTP support for Dovecot. Currently, I'm 
building an SMTP submission proxy server. After all that I plan to spend 
more time on Sieve development. One of the most important issues on my 
list is implementing support for using alternative types of storage 
(e.g. a database) for Sieve scripts, rather than only a filesystem 
directory as it is now.


Changelog v0.4.0:

+ Added doveadm-sieve plugin that provides the possibility to sync
  Sieve scripts using doveadm sync along with the user's mailboxes.
+ Added the Sieve extprograms plugin to the main Pigeonhole package. It
  is still a plugin, but it is now included so that a separate compile
  is no longer necessary and distributors are likely to include it. The
  extprograms plugin provides Sieve language extensions that allows
  executing (administrator-controlled) external programs for message
  delivery, message filtering and string manipulation. Refer to
  doc/plugins/sieve_extprograms.txt for more information.
+ Added debug message showing Pigeonhole version at initialization.
  Makes it very clear that the plugin is properly loaded.
+ Finished implementation of the Sieve include extension. It should now
  fully conform to RFC 6609. The main addition is the new :optional tag
  which  makes the include command ignore missing included scripts
  without an error.
+ Finished implementation of the Sieve environment extension as much as
  possible. Environment items location, phase and domain now also
  return a usable value.

The release is available as follows:

http://www.rename-it.nl/dovecot/2.2/dovecot-2.2-pigeonhole-0.4.0.tar.gz
http://www.rename-it.nl/dovecot/2.2/dovecot-2.2-pigeonhole-0.4.0.tar.gz.sig

Refer to http://pigeonhole.dovecot.org and the Dovecot v2.x wiki for 
more information. Have fun testing this new release and don't hesitate 
to notify me when there are any problems.


Regards,

--
Stephan Bosch
step...@rename-it.nl

Re: [Dovecot] dovecot not logging after upgrade to 2.1.7 on debian

[Steinar Bang]

 Reindl Harald h.rei...@thelounge.net:

 and deb-packages does not support Obsoletes/Provides like RPM or only
 the packager too stupid not break upgrades?

There isn't an obsolete-concept, AFAIK.  But there is a way to handle
upgrades that switch implementations, through a mechanism called virtual
packages.

Why that wasn't done here, I don't know.  Perhaps it was overlooked.

Re: [Dovecot] dovecot not logging after upgrade to 2.1.7 on debian

[Stan Hoeppner]

On 5/9/2013 9:11 AM, Steinar Bang wrote:

 The preferred syslogd for debian is now rsyslog:
  http://wiki.debian.org/Rsyslog

Did you happen to notice that rsyslog became the default syslog daemon
with the release of Lenny?  That was Feb 14, 2009, over 4 years ago.
Your system went through 3 distribution upgrades before you noticed.

There was no syslog virtual or metapackage.  The Lenny upgrade release
notes had instructions for manually replacing syslogd with rsyslog.  It
could not be done automatically.  I guess you missed this with Lenny,
and Debian assumed everyone did it, omitting this from subsequent
release notes.

-- 
Stan

Re: [Dovecot] Released Pigeonhole v0.4.0 for Dovecot v2.2.1.

[Charles Marcus]

On 2013-05-09 10:35 AM, Stephan Bosch step...@rename-it.nl wrote:

Hello Dovecot users,

I finally release the first version of Pigeonhole v0.4 for Dovecot v2.2.


Yay! Thanks so much Stephan.

One question though...


Currently, I'm building an SMTP submission proxy server.


Can you elaborate on this? Does this mean for example, that we could use 
dovecot as our submission server and auto-save-to-sent, avoiding the 
overhead of the 'Copy to Sent' behavior we are currently forced to use 
where a message is first uploaded when it is sent, then again when it is 
saved to the sent folder?


This would be awesome, as we deal with a lot of large attachments, and 
when people are working from home, it can take many many seconds (even a 
minute or so for very large attachments depending on their internet 
connection speed) to send, and then it has to do it all over again to 
save to sent.


Thanks again!

--

Best regards,

Charles

[Dovecot] Crossrealm Kerberos problems

[Jonathan Hanks]

I am running dovecot 2.1.7 on Debian Squeeze 64 bit, config information
at the end of the email.

I am working on a Kerberos/GSSAPI based setup that requires cross-realm
authentication.  I have regular GSSAPI working, I can log in using
pam_krb5 with password based logins or with the GSSAPI support when
using a kerberos ticket in the default realm.

However when I attempt to authenticate using cross realm authentication
the login fails (logs below).

After perusing the source code I beleive that the problem is as such:

All taking place in mech-gssapi.c

1. mech_gssapi_userok(...) calls mech_gssapi_krb5_userok
2. mech_gssapi_krb5_userok(...) calls krb5_kuserok(...) to verify that
the given Kerberos prinicpal can log in as the requested user.
3. The authentication process is running as the Dovecot user so:
  3a. krb5_kuserok(...) looks for ~dovecot/.k5login to authorize cross
realm logins
  3b. There is no ~dovecot/.k5login, thus no cross realm access is allowed
  3c. It should be looking at the users .k5login ~poptest/.k5login
  3d. This never happens and the login attempt fails


I have the server set up to use system users specifically so that I can
do cross-realm authentication.

Do I have some basic configuration error?  How do I change the
authentication process to run as the user requesting to login?  Should
that be allowed?

Another thought is to backport some of the patches proposed for 2.2 that
remove krb5_kuserok from the loop.

Thank you for any insight.  This server is not in production use so I
can experiment.


May  9 10:54:49 lakeview.ligo-wa.caltech.edu dovecot: auth: Debug:
gssapi(jonathan.hanks@SOME.REALM,198.129.xxx.xxx,qYAkv0zc9wDGgdAT):
Negotiated security layer
May  9 10:54:49 lakeview.ligo-wa.caltech.edu dovecot: auth: Debug:
gssapi(jonathan.hanks@SOME.REALM,198.129.xxx.xxx,qYAkv0zc9wDGgdAT):
Negotiated security layer
May  9 10:54:49 lakeview.ligo-wa.caltech.edu dovecot: auth: Debug:
client out: CONT#0111#011BQQF/wAMCpxNKQH///+YdY3lGMDBq6TWTfc=
May  9 10:54:49 lakeview.ligo-wa.caltech.edu dovecot: auth: Debug:
client out: CONT#0111#011BQQF/wAMCpxNKQH///+YdY3lGMDBq6TWTfc=
May  9 10:54:49 lakeview.ligo-wa.caltech.edu dovecot: auth: Debug:
client in: CONThidden
May  9 10:54:49 lakeview.ligo-wa.caltech.edu dovecot: auth: Debug:
client in: CONThidden
May  9 10:54:49 lakeview.ligo-wa.caltech.edu dovecot: auth:
gssapi(jonathan.hanks@SOME.REALM,198.129.xxx.xxx,qYAkv0zc9wDGgdAT):
User not authorized to log in as poptest
May  9 10:54:49 lakeview.ligo-wa.caltech.edu dovecot: auth:
gssapi(jonathan.hanks@SOME.REALM,198.129.xxx.xxx,qYAkv0zc9wDGgdAT):
User not authorized to log in as poptest


My config is as follows:

# 2.1.7: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-5-amd64 x86_64 Debian 6.0.7
auth_debug = yes
auth_gssapi_hostname = $ALL
auth_krb5_keytab = /etc/mail.keytab
auth_mechanisms = plain login gssapi
auth_username_format = %u
auth_verbose = yes
listen = *
mail_location = mbox:~/mail:INBOX=/var/spool/mail/inbox/%u
mail_privileged_group = mail
passdb {
  args = dovecot
  driver = pam
}
protocols = imap pop3
service auth {
  unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0666
user = postfix
  }
  unix_listener auth-userdb {
mode = 0666
  }
}
service imap-login {
  inet_listener imap {
port = 0
  }
  inet_listener imaps {
port = 993
ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
port = 0
  }
  inet_listener pop3s {
port = 995
ssl = yes
  }
}
ssl_cert = /etc/ssl/certs/mail-server.pem
ssl_cipher_list = !aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5:ALL
ssl_key = /etc/ssl/private/mail-server.pem
userdb {
  driver = passwd
}
protocol imap {
  imap_client_workarounds = tb-extra-mailbox-sep tb-lsub-flags
}
protocol pop3 {
  pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
  pop3_uidl_format = %08Xu%08Xv
}

-- 
Jonathan Hanks
General Computing Sys Admin
LIGO Hanford Observatory

Re: [Dovecot] Released Pigeonhole v0.4.0 for Dovecot v2.2.1.

[Stephan Bosch]

On 5/9/2013 6:05 PM, Charles Marcus wrote:

On 2013-05-09 10:35 AM, Stephan Bosch step...@rename-it.nl wrote:


Currently, I'm building an SMTP submission proxy server.


Can you elaborate on this?


It basically acts as a front-end to your normal MTA. First of all, it 
provides a convenient way to add SMTP AUTH support to any MTA. But the 
main goal for this project is to implement an SMTP submission server 
with full support for the LEMONADE profile 
(https://tools.ietf.org/html/rfc4550). It acts as a proxy server, so it 
doesn't queue anything; once the client sees a success reply for the 
message submission, it is already accepted in the actual MTA queue.


For authentication it uses the normal Dovecot login strategy. This means 
that after authentication, it can run with the user's privileges and 
access the user's mail storage directly. However, I also plan to provide 
support for running it as a completely unprivileged service.


Does this mean for example, that we could use dovecot as our 
submission server ...


Yes.

... and auto-save-to-sent, avoiding the overhead of the 'Copy to Sent' 
behavior we are currently forced to use where a message is first 
uploaded when it is sent, then again when it is saved to the sent folder?


Depends a bit on what you have in mind. The LEMONADE profile has a 
forward-without-download scheme for this, using the SMTP BURL extension 
(https://tools.ietf.org/html/rfc4468) and IMAP CATENATE 
(https://tools.ietf.org/html/rfc4469) and URLAUTH 
(https://tools.ietf.org/html/rfc4467). Using CATENATE, the client can 
combine existing message parts with new text to compose a new message. 
Using SMTP BURL and IMAP URLAUTH, the SMTP server can access that 
message directly from the IMAP server without the need for the client to 
download it first.


Some more direct approach is also possible, e.g. let the submission 
server store the message in the Sent folder implicitly (as Google 
apparently does). This has a few problems though, mainly that the mail 
client will have to be configured correctly not to store an additional 
copy of its own. Unfortunately, there is no standardized method of 
signalling this from server to client. Google probably filters out the 
duplicates, we don't really know. Also, which folder does the user use 
as Sent folder? We could use the IMAP SPECIAL-USE 
(https://www.ietf.org/rfc/rfc6154.txt) extension to find out. Anyway, 
adding support for implicitly storing sent messages in the \Sent folder 
should be easy enough, but it is not a fool-proof solution. Timo was 
discussing this a while back on the SMTP mailinglist, but people there 
weren't too enthusiastic about standardizing a feature like this so far.


This would be awesome, as we deal with a lot of large attachments, and 
when people are working from home, it can take many many seconds (even 
a minute or so for very large attachments depending on their internet 
connection speed) to send, and then it has to do it all over again to 
save to sent.


The LEMONADE profile is rather elaborate and not many clients or servers 
support it yet. I'm hoping that by providing a chicken, more eggs will 
follow soon.


To provide some sort of solution for the short term, I guess I'll just 
add an optional auto-save-to-sent feature. When the submission service 
has direct access to the user's mail storage, that is trivial to 
implement. However, if the submission service is unprivileged, that will 
be a little more difficult. Probably, in that case I'll make it use a 
special support service to perform the actual delivery to the sent 
folder. Any suggestions are welcome.


Regards,

Stephan.

Re: [Dovecot] Released Pigeonhole v0.4.0 for Dovecot v2.2.1.

[Timo Sirainen]

On 10.5.2013, at 0.23, Stephan Bosch step...@rename-it.nl wrote:

 Anyway, adding support for implicitly storing sent messages in the \Sent 
 folder should be easy enough, but it is not a fool-proof solution. Timo was 
 discussing this a while back on the SMTP mailinglist, but people there 
 weren't too enthusiastic about standardizing a feature like this so far.

I was thinking about continuing that after we have implemented something. It 
seems that the best idea really was the one I had in the beginning and Alexey 
also suggested:

250 2.0.0 [localcopy] Message accepted

Very IMAP-like instead of SMTP-like, but .. well, it's a very IMAP-specific 
feature in any case (until IMAP replacement protocol comes some day).

Re: [Dovecot] Released Pigeonhole v0.4.0 for Dovecot v2.2.1.

[Stephan Bosch]

On 5/9/2013 11:35 PM, Timo Sirainen wrote:

On 10.5.2013, at 0.23, Stephan Bosch step...@rename-it.nl wrote:


Anyway, adding support for implicitly storing sent messages in the \Sent folder 
should be easy enough, but it is not a fool-proof solution. Timo was discussing 
this a while back on the SMTP mailinglist, but people there weren't too 
enthusiastic about standardizing a feature like this so far.

I was thinking about continuing that after we have implemented something.


Yeah, good idea.

My patch queue (hg mq) is here:

http://hg.rename-it.nl/dovecot-2.2-patches/

The toplevel submission.patch also updates the Dovecot TODO file, so you 
can look there for what remains to be done. The auto-save-to-sent 
feature is not mentioned there  yet.



It seems that the best idea really was the one I had in the beginning and 
Alexey also suggested:

250 2.0.0 [localcopy] Message accepted

Very IMAP-like instead of SMTP-like, but .. well, it's a very IMAP-specific 
feature in any case (until IMAP replacement protocol comes some day).


ManageSieve uses this textual response-code style as well. :)

Some SMTP replies already have a somewhat structured text part, e.g. a 
domain name as the first word, or an optional mailbox specification 
enclosed in '' and ''. So, I don't think it would be completely 
strange to put it there.


Regards,

Stephan.