Re: Unable to get quotas working

2024-06-01 Thread Noel Butler via dovecot

On 01/06/2024 20:23, Adam Miller via dovecot wrote:


Thank you!

At the time, I was trying to get the most basic of quotas working which 
I have now successfully accomplished! I am happy to report that I also 
have the warning emails working.


Excellent.

Is it possible that instead of a bash script for the warning emails to 
use a Python script instead?


Never been a fan of python, too much of a resource hog, even compared to 
perl, but as long as the variables are interpreted correctly, yes it 
should work.


I also must investigate load balancing or at the very least, 
determining the best approach to scalability and high availability.


We've used NFS for years without problems, never used dovecot's director 
service either, however we use hardware load balancers, done right, this 
is simplest and most robust method, add/delete/down-for-update front end 
servers at your will without affecting anything, as for backend, don't 
use junk, I've found EMC storage gear very reliable, but know that 
NetApp is too.


Over the years I've read about and witnessed many businesses with 
multi-day outages using clustered file systems that take out everything 
when they have a hissy fit, so I avoid them at all cost. NFS might be 
simplicity, but that means far fewer things to go wrong, and why some 
very large well known mail providers use it too.


--
Regards,
Noel Butler
___
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org
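
For the Python question in the message above, a sketch of a quota warning handler, added here as an example and not taken from the thread or from Dovecot itself. It assumes the script is started by a `service quota-warning` section with the percentage and the username as its two arguments; the dovecot-lda path, the sender address and the maildir quota backend are assumptions to adjust locally.

```python
#!/usr/bin/env python3
"""Quota warning handler for a Dovecot "service quota-warning" script.

Assumed invocation, from a rule such as
    quota_warning = storage=95%% quota-warning 95 %u
is:  quota-warning.py <percent> <user>
"""
import re
import subprocess
import sys
from email.message import EmailMessage

# Assumptions: adjust both for the local install.
DOVECOT_LDA = "/usr/libexec/dovecot/dovecot-lda"
SENDER = "postmaster@example.com"
# Lets the warning be delivered to a mailbox that is already full. The quota
# root string must match the local quota backend (maildir is assumed here).
QUOTA_OVERRIDE = "plugin/quota=maildir:User quota:noenforcing"

PERCENT_RE = re.compile(r"[0-9]{1,3}")
# Conservative username pattern: cannot start with "-" (so it can never be
# read as an option) and contains no whitespace or shell metacharacters.
USER_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._+-]*(@[A-Za-z0-9][A-Za-z0-9.-]*)?")


def parse_args(argv):
    """Validate the two arguments and return (percent, user)."""
    if len(argv) != 2:
        raise ValueError("usage: quota-warning.py <percent> <user>")
    percent, user = argv
    if not PERCENT_RE.fullmatch(percent) or not 1 <= int(percent) <= 100:
        raise ValueError(f"bad percentage: {percent!r}")
    if not USER_RE.fullmatch(user):
        raise ValueError(f"bad username: {user!r}")
    return int(percent), user


def build_warning(percent, user):
    """Build the warning message that is handed to dovecot-lda."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = user
    msg["Subject"] = f"Mailbox quota warning: {percent}% full"
    msg.set_content(
        f"Your mailbox is now {percent}% full.\n"
        "Please delete old messages or ask for a larger quota.\n"
    )
    return msg


def lda_command(user):
    """Argument list for dovecot-lda; built without any shell involved."""
    return [DOVECOT_LDA, "-d", user, "-o", QUOTA_OVERRIDE]


def deliver(percent, user):
    """Pipe the warning into dovecot-lda for local delivery."""
    msg = build_warning(percent, user)
    subprocess.run(lda_command(user), input=msg.as_bytes(),
                   check=True, timeout=30)


if __name__ == "__main__":
    try:
        deliver(*parse_args(sys.argv[1:]))
    except (ValueError, subprocess.SubprocessError, OSError) as exc:
        print(f"quota-warning: {exc}", file=sys.stderr)
        sys.exit(1)
```
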


Re: Unable to get quotas working

2024-06-01 Thread Noel Butler via dovecot

On 30/05/2024 20:06, Adam Miller via dovecot wrote:

however now I am having an issue trying to get the quota warning emails 
to work.


Your original post did not show a "service quota-warning" section where 
you tell dovecot what to run, I suggest you fully read everything to do 
with quota on the wiki (the relevant wiki files are also included in 
source packages)


--
Regards,
Noel Butler


Re: master-users problem

2023-12-22 Thread Noel Butler via dovecot
Hi Barbara,
On 14/12/2023 00:08, Barbara M. wrote:

 passdb {
   args = /etc/dovecot/master-users
   driver = passwd-file
   master = yes
   result_success = continue
 }
 
try replacing result_success with  
pass = yes
 
 
--
Regards,
Noel Butler



Re: possible doveadm expunge bug

2023-09-23 Thread Noel Butler via dovecot

On 18/09/2023 16:17, Aki Tuomi via dovecot wrote:


Aki, any ideas? Or have I hit a ridiculously low 1000D hard coded
limit?

...and I know some troll will comment, so let me say yes I know I can
and will likely have to use nix's "find" to actually cull them, but if
doveadm has an  expunge option, it should do what it is asked of it :)

# doveconf -a
# 2.3.20 (80a5ac675d): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.20 (149edcf2)
# OS: Linux 5.15.117 x86_64 Slackware 15.0 ext4

- Yes I know 2.3.21 was released 2 days ago, but I'm not seeing anything
in changelog/NEWS that's related

--
Regards,
Noel Butler

Hi!

Can you try using strace for the doveadm command to see what it's up to?


Aki


Aki,

Did you see anything out of the usual in the trace I sent you?

Just asking since I've manually cleaned up most folders, but left one 
in case you'd like me to try something, so no urgency :)


--
Regards,
Noel Butler

This Email, including attachments, may contain legally privileged 
information, therefore at all times remains confidential and subject to 
copyright protected under international law. You may not disseminate 
this message without the authors express written authority to do so.   
If you are not the intended recipient, please notify the sender then 
delete all copies of this message including attachments immediately. 
Confidentiality, copyright, and legal privilege are not waived or lost 
by reason of the mistaken delivery of this message.



possible doveadm expunge bug

2023-09-17 Thread Noel Butler via dovecot
In my boredom, I was cleaning up my own public mailbox, do I really need 
lists/newsletters/forums posts from the 90's .. I think not, but let's 
still keep 5 years and expunge the rest... or try to... but expunge 
doesn't want to...


This error or lack of action, occurs on any mailbox, as an example

doveadm expunge -u my@email mailbox Lists.FreeRadius SAVEDBEFORE $

now for $, pick your value  5 y/Y for years doesn't appear to exist, so 
converting it into 30 odd weeks, 30w or 30W did nothing, but rough 
convert it down to days 1800D appears to do something - showing a delay 
before returning to command line, but in reality it does nothing, 1800, 
1500, 1200, nothing, only when I drop it to 1000D does it actually work, 
which is not suitable, since I'd like to keep 5 years worth.


Running doveadm -Dv  exp...  shows no errors just usual debug output 
about the base modules, quota stuff, and opening mailbox message 
followed then by user session closed, nothing at all anywhere that 
points to an error for executing this task, I did deliberately break it 
by altering the mailbox name to test and it rightfully did report the 
error the mailbox doesn't exist.


I thought it might be size related, freeradius one of the smaller lists 
having about 150k to nanog the biggest with over 400k message, but I 
have others, like monthly newsletters with over 20yrs worth, but only 
250 to 300 messages in their mailboxes that also fail, so it can't be 
barfing out at the size.


Aki, any ideas? Or have I hit a ridiculously low 1000D hard coded 
limit?


...and I know some troll will comment, so let me say yes I know I can 
and will likely have to use nix's "find" to actually cull them, but if 
doveadm has an  expunge option, it should do what it is asked of it :)


# doveconf -a
# 2.3.20 (80a5ac675d): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.20 (149edcf2)
# OS: Linux 5.15.117 x86_64 Slackware 15.0 ext4

- Yes I know 2.3.21 was released 2 days ago, but I'm not seeing anything 
in changelog/NEWS that's related


--
Regards,
Noel Butler



Re: Replication going away?

2023-07-27 Thread Noel Butler via dovecot

On 26/07/2023 22:43, Marc wrote:


A dns query for imap.web.de address records (IN A) returns two ip
addresses.

And I'm betting each IP is a hardware load balancer with crap load of
servers behind each :)


I am converting a bit to containers and there are so many applications 
that are not able to properly resolve and handle errors. Once they have 
an ip they stop doing anything. That it is nicely setup on the server 
side means nothing. If you do this for outgoing email, lots of email 
clients fail switching to the 2nd ip.


Interesting, if server end is using L4 DSR they shouldn't tell the 
difference, but I can't comment on containers or VM's, as we do not play 
in the virtual world, these things need as much raw power as possible.


--
Regards,
Noel Butler



Re: Replication going away?

2023-07-26 Thread Noel Butler via dovecot

On 20/07/2023 05:55, Gerald Galster wrote:

A dns query for imap.web.de address records (IN A) returns two ip 
addresses.


And I'm betting each IP is a hardware load balancer with crap load of 
servers behind each :)


--
Regards,
Noel Butler



Re: Replication going away?

2023-07-26 Thread Noel Butler via dovecot
(I'm very late to this party so my comments may have been said at some 
point)


On 20/07/2023 03:53, Michael Peddemors wrote:

Real world is a bit different.. DNS Caching.. While DNS Round Robin is 
good enough to distribute loads, it isn't a very good method for 
failover, even with a very short TTL.  Many home


No, history showed DNS round robin proved abysmal, it led to real load 
balancing hardware and software being born.


These changes don't affect us, we've never used director, hardware load 
balancers FTW, and no replicator, nightly snapshots and multiple levels 
of raid on a NAS backend, but I do see smaller installs where it may be 
preferable to buying a $200k NAS :)


However, for those with shoe string budgets, for load balancing, this 
can be overcome by a software version, there are some for no cost if you 
have a spare machine, you might even pick up a real cheap old hardware 
balancer on likes of ebay.


but it more of a last line failover, and during the time it takes for 
DNS to retry, and find another active node, an AWFUL lot of disgruntled 
customers will be calling ;)


Ahhh reminds me on the very early 90's :)

--
Regards,
Noel Butler



Re: Multiple backends with NFSv4.1 (supports file locking): should work without Director, right?

2023-06-05 Thread Noel Butler via dovecot

On 05/06/2023 20:52, Eirik Rye wrote:


On 05/06/2023 11:14, Noel Butler via dovecot wrote:


[...]


Both of you should grow up and keep this argument outside the mailing 
list.


yes mum


Re: Multiple backends with NFSv4.1 (supports file locking): should work without Director, right?

2023-06-05 Thread Noel Butler via dovecot

On 23/05/2023 17:23, Marc wrote:


there is a reason these things cost more than you'll earn in a year.

second post in a row showing your lack of knowledge in actual networks,
before you make an even bigger ass out of yourself, how about getting
some experience in the real world or spending some time researching from
actual information - not blogs

Since when has there ever been a relationship between money and
being good, money and intelligence etc. 2nd I have a hard time


welcome to reality, time for you to jump back in your short narrow 
minded bubble if that's your beliefs.


believing that are still companies out there that hardwire millions of 
logic circuits to create a load balancer that meets current day 
standards without the use of any software, and the


perhaps open your dark curtains some day, but since when do companies 
have to explain shit to a troll like you explaining why they do things 
the way they do.


Noel the only dumb ass here seems to be you. You are certainly not a 
good advocate for the EMC product compared to institutions like NASA 
and CERN that have >4000 drives in ceph solutions.


oh I hope you're happy, I'm gonna lose a lot of sleep over that piss poor 
pathetic attempt to disparage me .  n o t ... better people have tried 
and failed over the past 30 years.


final words, I don't care how nasa cern or whoever run their network, 
christ, I'm not even in the same country as them so why would I care, 
and the fact they have a name that most, but not all, would recognise, 
means nothing, Microsoft is a big name too, as is google, bigger and 
more known, and they have made some monumental fuck ups. I get it you're a 
fangirl, and you can never reason with people like you.


the end.


Re: Multiple backends with NFSv4.1 (supports file locking): should work without Director, right?

2023-05-22 Thread Noel Butler

On 22/05/2023 22:36, Marc wrote:


On EMC Unity there is a NAS server parameter that can be changed to


Maybe a bit too much off topic, but why EMC and not something like ceph? 
You rarely see any interesting comparisons on line (except of course 
the stupid ones listing features)


there is a reason these things cost more than you'll earn in a year.

second post in a row showing your lack of knowledge in actual networks,  
before you make an even bigger ass out of yourself, how about getting 
some experience in the real world or spending some time researching from 
actual information - not blogs


--
Regards,
Noel Butler



Re: Multiple backends with NFSv4.1 (supports file locking): should work without Director, right?

2023-05-22 Thread Noel Butler

On 22/05/2023 22:33, Marc wrote:


used director. real (hardware) load balancers are actually smart and
exponentially more reliable and robust than server based :)

because there runs no software on it, right 


this statement here, shows what a clueless newbie you are

--
Regards,
Noel Butler



Re: Multiple backends with NFSv4.1 (supports file locking): should work without Director, right?

2023-05-22 Thread Noel Butler

Nice to know, similar option doesn't exist on VNX's though

On 22/05/2023 17:30, Adrian M wrote:

On EMC Unity there is a NAS server parameter that can be changed to 
disable NFSv4 delegations  using the following command,
svc_nas  -param -facility nfsv4 -modify 
delegationsEnabled -value 0


On Sun, May 21, 2023 at 7:34 AM Noel Butler  
wrote:


NFSv4, a dozen front ends to an EMC backend, with v4 we added "noac 
lookupcache=none" in very early days - not sure if they are still 
needed.


otherwise just like when using NFSv3, no problems, and never used 
director. real (hardware) load balancers are actually smart and 
exponentially more reliable and robust than server based :)


--
Regards,
Noel Butler



Re: Multiple backends with NFSv4.1 (supports file locking): should work without Director, right?

2023-05-20 Thread Noel Butler

On 20/05/2023 01:23, Adrian Minta wrote:


Hi Pierre,

when we tested NFSv4 a couple of years ago, we found out that NFSv4 has 
a caching feature which delegates file caching to a specific client. 
This was a problem with the same share mounted on multiple servers. The 
contention will explode the load on the clients due to I/O waits and in 
some cases crash the dovecot servers.


We didn't use dovecot director at that time since NFSv3 was behaving 
more nicely and just worked on our tests.


It seems that some NFSv4 flags exist and could mitigate this behaviour 
making it resemble NFSv3 but we didn't test them.


NFSv4, a dozen front ends to an EMC backend, with v4 we added "noac 
lookupcache=none" in very early days - not sure if they are still 
needed.


otherwise just like when using NFSv3, no problems, and never used 
director. real (hardware) load balancers are actually smart and 
exponentially more reliable and robust than server based :)


--
Regards,
Noel Butler



Re: [Dovecot-news] CVE-2022-30550: Privilege escalation possible in dovecot when similar master and non-master passdbs are used

2022-07-07 Thread Noel Butler

On 07/07/2022 07:24, Aki Tuomi wrote:

On 06/07/2022 16:54 EEST Aki Tuomi via Dovecot-news 
 wrote:


Affected product: Dovecot IMAP Server
Internal reference: DOV-5320
Vulnerability type: Improper Access Control (CWE-284)
Vulnerable version: 2.2
Vulnerable component: submission
Report confidence: Confirmed
Solution status: Fixed in main
Researcher credits: Julian Brook (julezman)
Vendor notification: 2022-05-06
CVE reference: CVE-2022-30550
CVSS: 6.8 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N)

Vulnerability Details:
When two passdb configuration entries exist in Dovecot configuration, 
which have the same driver and args settings, the incorrect 
username_filter and mechanism settings can be applied to passdb 
definitions. These incorrectly applied settings can lead to an 
unintended security configuration and can permit privilege escalation 
with certain configurations involving master user authentication.


Dovecot documentation does not advise against the use of passdb 
definitions which have the same driver and args settings. One such 
configuration would be where an administrator wishes to use the same 
pam configuration or passwd file for both normal and master users but 
use the username_filter setting to restrict which of the users is able 
to be a master user.


Risk:
If same passwd file or PAM is used for both normal and master users, 
it is possible for attacker to become master user.


Workaround:
Always authenticate master users from different source than regular 
users, e.g. using a separate passwd file. Alternatively, you can use 
global ACLs to ensure that only legitimate master users have privileged 
access.


Fix:
This has been fixed in main branch. See 
https://github.com/dovecot/core/compare/7bad6a24%5E..a1022072.patch


Two small corrections to this CVE notice... The service impacted is of 
course 'auth' not 'submission', and the version impacted is from 2.2 to 
2.3.19.1.


Aki


I wouldn't exactly call them  " small " corrections

it's like saying the left window on your 2020 car can be pushed down 
easily to saying  oh wait it's every window and you don't need a key to 
start the engine and btw it's all cars from 2010 to 2022


And if it's that serious where is the release, that's how dealing with 
CVE's works Aki, not a CVE statement saying go to github.


That said, I'd assume everyone uses a separate db for support teams 
anyway, or I'd hope so.


--
Regards,
Noel Butler
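
A configuration check for the condition the quoted advisory describes, added here as an example and not part of the thread or of Dovecot: it reads `doveconf -n` style text and reports passdb blocks that share the same driver and args. Both sample configurations are constructed, and /etc/dovecot/users is a hypothetical path.

```python
"""Flag passdb blocks that share driver and args (CVE-2022-30550 precondition)."""
import sys
from collections import defaultdict

# Constructed sample: master and normal users read from the same passwd file,
# separated only by username_filter (the setup the advisory warns about).
SAMPLE_SHARED = """\
passdb {
  driver = passwd-file
  args = /etc/dovecot/users
  master = yes
  username_filter = admin*
}
passdb {
  driver = passwd-file
  args = /etc/dovecot/users
}
"""

# Constructed sample: the advisory's workaround, a separate master source.
SAMPLE_SEPARATE = """\
passdb {
  driver = passwd-file
  args = /etc/dovecot/master-users
  master = yes
}
passdb {
  driver = passwd-file
  args = /etc/dovecot/users
}
"""


def parse_passdbs(conf_text):
    """Return one dict per top-level passdb block, with its starting line."""
    passdbs, current, depth = [], None, 0
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            # Only top-level "passdb {" sections matter; other sections
            # (service, namespace, ...) are skipped but still tracked.
            if depth == 0 and line[:-1].strip() == "passdb":
                current = {"line": lineno}
            depth += 1
        elif line == "}":
            depth -= 1
            if depth == 0 and current is not None:
                passdbs.append(current)
                current = None
        elif current is not None and depth == 1 and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return passdbs


def find_shared_sources(passdbs):
    """Group passdbs by (driver, args); report every group with 2+ members."""
    groups = defaultdict(list)
    for entry in passdbs:
        args = " ".join(entry.get("args", "").split())  # normalise spacing
        groups[(entry.get("driver", ""), args)].append(entry)
    findings = []
    for (driver, args), members in groups.items():
        if len(members) < 2:
            continue
        findings.append({
            "driver": driver,
            "args": args,
            "lines": [m["line"] for m in members],
            # A master passdb in the group is the escalation case.
            "master_involved": any(m.get("master") == "yes" for m in members),
            # Settings the advisory says can be applied to the wrong passdb.
            "restrictions": sorted({k for m in members
                                    for k in ("username_filter", "mechanisms")
                                    if k in m}),
        })
    return findings


if __name__ == "__main__":
    # Usage: doveconf -n | python3 this_script.py  (falls back to the sample)
    text = SAMPLE_SHARED if sys.stdin.isatty() else sys.stdin.read()
    for f in find_shared_sources(parse_passdbs(text)):
        level = "HIGH" if f["master_involved"] else "review"
        print(f"[{level}] passdb blocks at lines {f['lines']} share "
              f"driver={f['driver']} args={f['args']} "
              f"restrictions={f['restrictions']}")
```

A finding with `master_involved` set on a version in the range given in the thread (2.2 to 2.3.19.1) is the case for the advisory's workaround: move master users to their own source.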


pop3-login logging double Disconnected

2022-01-25 Thread Noel Butler

Hi all,

Wondering if anyone else is seeing this double Disconnected in the logs 
with current stable version, it only happens for pop3-login, and only 
with Too many commands...  other pop3-login logging with Disconnected 
like Connection closed (no auth attempts... etc   are fine


Example of anomaly -

pop3-login: Info: Disconnected: Disconnected: Too many bad commands (no 
auth attempts in ...


If anyone running 2.3.17.1 sees this or does not see it on Too many 
bad... or at all, kindly mind letting me know, not sure if something has 
gone haywire here or it's a bug that needs reporting since logs indicate 
this only occurred after updating to the point 1 release.


--
Regards,
Noel Butler


Re: lda to lmtp

2021-06-13 Thread Noel Butler
BS. it was a simple question did she need to run this option or not, 
posting her config is immaterial and a waste of bandwidth and everyone's 
time.


I don't do drugs, but dealing with you I think it's becoming a requirement 
so I'll settle for jack daniels black label instead


On 12/06/2021 23:02, Benny Pedersen wrote:


On 2021-06-12 13:42, Noel Butler wrote:


off your drugs again benny?
WTF should she provide all the config outputs, when she asked a simple
question about one option, and WTF clamav came from is beyond me


this is very important AFTER i replied to help, not BEFORE,

keep your own drugs problems


--
Regards,
Noel Butler


Re: lda to lmtp

2021-06-12 Thread Noel Butler

On 11/06/2021 22:14, Benny Pedersen wrote:


On 2021-06-11 12:42, Laura Steynes wrote:


so nobody


i am nobody then :)

it would be nice to see postconf -n, and doveconf -n

without this info its hard to help

but remember lda, lmtp is both single recipient

where come clamav into the mix ?


off your drugs again benny?
WTF should she provide all the config outputs, when she asked a simple 
question about one option, and WTF clamav came from is beyond me



i dont know much, but its important to provide info to get help

On Sun, Jun 6, 2021 at 12:03 PM Laura Steynes
 wrote:

Hi,
Although dovecot-lda serves us fine, we only average 8k messages an
hour, peaking at 11k, over 4 machines (mostly for redundancy, we've
run this fine on just  1 machine, but sometimes clamav makes things
get upset, so we added some more especially since we are growing
rapidly, we decided to see if lmtp would be of benefit, so far, we
cant tell any difference, I guess it is only 120-130 messages a
minute, maybe if we were doing 200 a minute we might see gain?

The question is with lda we used postfix settings
destination_recipient_limit=1, we have not added this with lmtp,is
this needed?


This is probably more a question for postfix users list, might explain 
why no one here answered you, but no it's not needed with lmtp, and 2 msgs 
a second, you won't see any benefit over lda unless you're running on a 386 
:)


--
Regards,
Noel Butler


Re: [Dovecot-news] Headsup on feature removal

2020-03-18 Thread Noel Butler
On 19/03/2020 03:56, JAVIER MIGUEL RODRIGUEZ wrote:

> I fully agree with this:
> 
>> Please consider holding off on removing features for the next major 
>> release, 2.4.0 instead.  It makes sense to retain, in as much as is 
>> possible, feature backwards compatibility across a major release.

I'm astonished that features are being removed in a dot release as well,
no other major project does this, hell, most don't like adding new
features in dot releases let alone stripping them out. 

None of the listed changes affect me that I can see, but I've been
around a long time and I'm flabbergasted that someone actually approved
this on dot release. 

Now although there is no real need for them to further upgrade to ensure
business continuity, if a serious exploit is released in the wild they
highly likely will get bitten. Stripping everything else at once in a
new major is perfectly acceptable, and, is the norm. 

-- 
Kind Regards, 

Noel Butler 


Re: offtopic: rant about thoughtless enabling DMARC checks

2019-02-10 Thread Noel Butler via dovecot
On 11/02/2019 09:48, Michael A. Peters via dovecot wrote:

> On 2/10/19 3:46 PM, Michael A. Peters via dovecot wrote: On 2/10/19 3:42 PM, 
> Noel Butler via dovecot wrote: On 10/02/2019 12:49, Benny Pedersen via 
> dovecot wrote:
> 
> fixing mailman will be the fail, solve it by letting opendkim and opendmarc 
> not reject detected maillist will be solution, 
> 
> A general broad mailing list whitelist will be problematic, to work it needs 
> to look for specific list type hidden headers,  spammers and nasties will 
> incorporate those headers into their trash that impersonates mailing lists 
> and voila, they pass.

However the majority of spammers do not spam with a properly configured
Reverse DNS - so detect the list header and skip DMARC if list headers
are present AND Reverse DNS matched the HELO/EHLO

Also, DMARC isn't really anti-spam technology, it's anti-spoof
technology.

Rather than fake mail list headers, spammers will just use domains w/o a
DMARC policy. Much easier. 

I know you're just nit picking but what the hell, I've got a few minutes
before my meeting 

anti spoofing is also anti spam, most legit emailers don't spoof, bad
guys love to, so anything that reduces noise in email can be considered
"anti spam" 

postfix acl's dnsbl's milters, antivirus, spamassassin, spf, dkim,
whatever ... they all work to reduce noise and that's all the end users
care about. 

-- 
Kind Regards, 

Noel Butler 


Re: offtopic: rant about thoughtless enabling DMARC checks

2019-02-10 Thread Noel Butler via dovecot

On 11/02/2019 09:46, Michael A. Peters via dovecot wrote:





However the majority of spammers do not spam with a properly configured 
Reverse DNS - so detect the list header and skip DMARC if list headers 
are present AND Reverse DNS matched the HELO/EHLO

A hell of a lot do, though (this is pretty average percentages here)

Accepted                         70.07%
Rejected                         29.93%
---------------------------------------
Total                           100.00%
=======================================

5xx Reject relay denied           4.27%
5xx Reject unknown user           7.93%
5xx Reject sender address         7.32%
5xx Reject unknown client host   52.44%
5xx Reject RBL                    3.66%
5xx Reject milter                24.39%
=======================================
Total 5xx Rejects               100.00%

unknown client host was high as 95% up till about 10 years ago, so they 
are slowly learning.





--
Kind Regards,

Noel Butler



Re: offtopic: rant about thoughtless enabling DMARC checks

2019-02-10 Thread Noel Butler via dovecot
On 10/02/2019 12:49, Benny Pedersen via dovecot wrote:

> fixing mailman will be the fail, solve it by letting opendkim and opendmarc 
> not reject detected maillist will be solution,

A general broad mailing list whitelist will be problematic, to work it
needs to look for specific list type hidden headers, spammers and
nasties will incorporate those headers into their trash that
impersonates mailing lists and voila, they pass. There is no quick and
easy fix to the dmarc mess other than p=none aspf=s (DKIM is another one
that gets narky at lists, and despite all the spf haters dreams, I've
never had a problem with spf and lists, and we were an early beta
adopter of spf) 

-- 
Kind Regards, 

Noel Butler 

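The DMARC tags named in the message above (p=none, aspf=s), as an added example that is not part of the original thread: a small Python evaluator showing why a list-relayed message fails identifier alignment and what each policy then asks the receiver to do. The domains, the sample SPF/DKIM results and the two-label organizational-domain shortcut are assumptions made for the illustration.

```python
"""Added example: DMARC tag parsing and identifier alignment for list mail."""


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict, applying alignment defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags["p"] = tags.get("p", "").lower()
    if tags["p"] not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= tag")
    # aspf/adkim default to relaxed ("r") when the record does not set them.
    tags["aspf"] = tags.get("aspf", "r").lower()
    tags["adkim"] = tags.get("adkim", "r").lower()
    return tags


def org_domain(domain):
    # Assumption for this example: the organizational domain is the last two
    # labels. Real validators consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict mode needs an exact match; relaxed compares organizational domains."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)


def evaluate(record, from_domain, spf, dkim):
    """Return (dmarc_result, policy_to_apply).

    spf and dkim are (passed, domain) tuples: the SPF verdict with the
    envelope-sender domain, and the DKIM verdict with the signature's d= domain.
    """
    tags = parse_dmarc(record)
    spf_ok = spf[0] and aligned(spf[1], from_domain, tags["aspf"])
    dkim_ok = dkim[0] and aligned(dkim[1], from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", "none")
    return ("fail", tags["p"])


# Constructed sample: a post relayed by a mailing list. The list sends with its
# own bounce address, so SPF passes for the list's domain rather than the
# author's, and the author's DKIM signature no longer verifies because the list
# modified the message (assumed here).
LIST_POST = {
    "from_domain": "example.org",
    "spf": (True, "lists.example.net"),
    "dkim": (False, "example.org"),
}

# Constructed sample: the same author mailing directly, with a bounce address
# on a subdomain and no usable DKIM signature.
DIRECT = {
    "from_domain": "example.org",
    "spf": (True, "bounce.example.org"),
    "dkim": (False, "example.org"),
}


def demo():
    """Evaluate both samples under the policies discussed in the thread."""
    return {
        "list, p=reject": evaluate("v=DMARC1; p=reject", **LIST_POST),
        "list, p=none aspf=s": evaluate("v=DMARC1; p=none; aspf=s", **LIST_POST),
        "direct, p=reject": evaluate("v=DMARC1; p=reject", **DIRECT),
        "direct, p=reject aspf=s": evaluate("v=DMARC1; p=reject; aspf=s", **DIRECT),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:26} -> {result}")
```

The list post fails DMARC under either record; only the published policy decides whether the receiver is asked to reject it, and strict SPF alignment also fails direct mail whose envelope sender sits on a subdomain.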

Re: offtopic: rant about thoughtless enabling DMARC checks

2019-02-09 Thread Noel Butler via dovecot
On 10/02/2019 07:38, Ralph Seichter via dovecot wrote:

> * Juri Haberland via dovecot:
> 
>> Blindly enabling DMARC checks without thinking about the consequences
>> for themselves should not be the problem of other well behaving
>> participants.
> 
> Can you judge if DMARC is enabled "blindly"? No, I thought not. Also,
> the issue was not on the receiving end, but the reject policy for the
> originating domain.
> 
> Personally, I choose to treat "reject" as if it was "quarantine",
> i.e. affected mail is rerouted to a specific folder.
> 
>> And Aki, please go back to "munge only if needed" - munging all
>> messages leads to a really bad "user experience".
> 
> Only speak for yourself please.
> 
> -Ralph

+1 (for entire post) 

... and surely he does not expect those with a million plus users to sit
here and whitelist the million plus mailing lists that exist around the
world, heh, like that's going to happen :) 

-- 
Kind Regards, 

Noel Butler 


Re: BUG: sieve does not set seen-Flag

2018-12-07 Thread Noel Butler
On 07/12/2018 17:55, Jakobus Schürz wrote:

> Am 07.12.18 um 08:10 schrieb Noel Butler: 
> 
> On 07/12/2018 16:44, Aki Tuomi wrote: 
> 
> On 6.12.2018 6.54, Noel Butler wrote: 
> 
> On 06/12/2018 07:29, Jakobus Schürz wrote: 
> 
> that all and every Flag is set, except \Seen... I tried to figure out, whats 
> happening here... 
> 
> Paste what your sieve file contains now (no, I'm not going back over this 
> thread - its becoming as long as war and peace, and you may have changed it 
> since then) 
> 
> Please understand me right... It is nice for you, if dovecot does, what you 
> expect... It is nice. But here it does not work correctly. dovecot makes a 
> big mistake. And i try to give as much information, as i'm possible to 
> give... 
> 
> I doubt its dovecot, since no one else has reported this problem that I can 
> see - without going back to find the start of the thread. 
> 
> my dovecot does not copy the Seen-flag. It ignores it. But WHY. Fucking 
> WHY??? 
> 
> Mind your tongue if you want help here, despite frustrations (man I must be 
> getting old and mellowing), no one here has to do shit for you, the fact it 
> works for everyone else, indicates there is a problem with your configuration 
> and yours alone - somewhere, and because you're the only one experiencing 
> this, it may be harder to trace the origin of. 
> 
> -- 
> Kind Regards, 
> 
> Noel Butler 
> 

> I finally had some time to try this out, and wasn't able to reproduce
> the problem with 2.3.4 and 0.5.4.
>
> I tried both Sieve and IMAPSieve, but I wonder if this is something
> particular in your environment or settings, so I have to ask you to post
> your `doveconf -n` once more.
>
> Aki
>
> Did he ever tell us what this is on, I saw stretch somewhere in thread
> so I gather it's debian, but is it on real hardware, or rpi, has he tried
> using the source, who knows what happens when distros butcher things up
> into 70 different sub packages :)
>
> Hi. sorry for my anger a few days ago...
> And Aki... i reviewed the thread... you never asked me before for dovecot
> -n. It is the first time.
> I also wrote, that i use the packages from the dovecot-repo for debian.
> So i was thinking, it is clear, which version i use. It's not
> debian-repo, it is dovecot-repo, which i got from the
> dovecot-release-notes.
>
> My anger was, i wrote details, logmessages, behaviour... again and
> again... and i got the every similar message "for me it works"... and "i
> dont want to read the whole thread"... so i was angry, how often again i
> should post the same again...
> Great sorry for my tongue. My hardware is a rented virtual server from a
> cloudprovider in germany, where i have full permissions on it. The
> filesystem is ext4.
> I attached my dovecot -n
>
> The mails all are stored in maildir in /var/mail.
> There is an extra dir /var/lib/dovecot/db... where index and control are
> in separate directories.
> The owner and group from all of these directories are all vmail:vmail
> The permissions are 0700 (only vmail is allowed to read/write/execute in
> these directories)
>
> And again... it's independent from MUA: When i move a message to another
> folder, the message in the new folder is shown as recent and unseen. I
> posted - i think - 3 times the logs from the copy/expunge-task, where
> the "flags()" is empty on copy, but expunge from the original folder
> shows the correct flags. If you want... i can do it a 4th time ;-)
>
> I also asked for a possibility (which i do not know) to turn up the
> debug-level more than i have now, to see, what happens, that i can post
> it. maybe it is a permission-problem. I don't know.
> Maybe there is a sieve-script working, which i don't know, which sets a
> message to unseen and recent, if it arrives to a folder (i deactivated
> all the sieve-scripts, but the behaviour was the same wrong).
> There are two scripts for rspamd and spamassassin, which learn spam or
> ham, depending a message is moved to or from Junk. I also commented the
> lines out in the sievescript... no change. Every message which is new in
> a Folder is set to recent and unseen.
>
> Best regards
>
> Jakob

and your current .dovecot.sieve file is?

-- 
Kind Regards, 

Noel Butler 


Re: BUG: sieve does not set seen-Flag

2018-12-06 Thread Noel Butler
On 07/12/2018 16:44, Aki Tuomi wrote:

> On 6.12.2018 6.54, Noel Butler wrote: 
> 
> On 06/12/2018 07:29, Jakobus Schürz wrote: 
> 
> that all and every Flag is set, except \Seen... I tried to figure out, whats 
> happening here... 
> 
> Paste what your sieve file contains now (no, I'm not going back over this 
> thread - its becoming as long as war and peace, and you may have changed it 
> since then) 
> 
> Please understand me right... It is nice for you, if dovecot does, what you 
> expect... It is nice. But here it does not work correctly. dovecot makes a 
> big mistake. And i try to give as much information, as i'm possible to 
> give... 
> 
> I doubt its dovecot, since no one else has reported this problem that I can 
> see - without going back to find the start of the thread. 
> 
> my dovecot does not copy the Seen-flag. It ignores it. But WHY. Fucking 
> WHY??? 
> 
> Mind your tongue if you want help here, despite frustrations (man I must be 
> getting old and mellowing), no one here has to do shit for you, the fact it 
> works for everyone else, indicates there is a problem with your configuration 
> and yours alone - somewhere, and because you're the only one experiencing 
> this, it may be harder to trace the origin of. 
> 
> -- 
> Kind Regards, 
> 
> Noel Butler 
> 

> I finally had some time to try this out, and wasn't able to reproduce
> the problem with 2.3.4 and 0.5.4.
>
> I tried both Sieve and IMAPSieve, but I wonder if this is something
> particular in your environment or settings, so I have to ask you to post
> your `doveconf -n` once more.
>
> Aki

Did he ever tell us what this is on, I saw stretch somewhere in thread
so I gather it's debian, but is it on real hardware, or rpi, has he tried
using the source, who knows what happens when distros butcher things up
into 70 different sub packages :) 

-- 
Kind Regards, 

Noel Butler 


Re: BUG: sieve does not set seen-Flag

2018-12-05 Thread Noel Butler
On 06/12/2018 07:29, Jakobus Schürz wrote:

> that all and every Flag is set, except \Seen... I tried to figure out, whats 
> happening here...

Paste what your sieve file contains now (no, I'm not going back over
this thread - its becoming as long as war and peace, and you may have
changed it since then)

> Please understand me right... It is nice for you, if dovecot does, what you 
> expect... It is nice. But here it does not work correctly. dovecot makes a 
> big mistake. And i try to give as much information, as i'm possible to give...

I doubt its dovecot, since no one else has reported this problem that I
can see - without going back to find the start of the thread.

> my dovecot does not copy the Seen-flag. It ignores it. But WHY. Fucking WHY???

Mind your tongue if you want help here, despite frustrations (man I must
be getting old and mellowing), no one here has to do shit for you, the
fact it works for everyone else, indicates there is a problem with your
configuration and yours alone - somewhere, and because you're the only
one experiencing this, it may be harder to trace the origin of. 

-- 
Kind Regards, 

Noel Butler 


Re: Sieve broken after upgrade

2018-12-02 Thread Noel Butler
On 03/12/2018 09:28, Stephan Bosch wrote:

> Hi,
> 
> First of all, what are you using to send this e-mail? I am receiving this as 
> an attachment. (Anyone else seeing this? More mails from different senders 
> seem to be affected.)

Yep, those purporting to come from dovecot, as in  username via dovecot.


I think Aki's playing with settings that are not quite right yet :) 

-- 
Kind Regards, 

Noel Butler 


Re: Mailing list address harvested for spamming

2018-12-01 Thread Noel Butler
On 02/12/2018 10:16, Michael A. Peters wrote:

> On 12/01/2018 04:09 PM, Noel Butler wrote:
> 
>> Which is why it annoys me that some people on mailing lists feel the need to 
>> reply directly, rather than through mailing list.
> 
> Sometimes it is the MUA that is poorly designed that causes this.

I could have sworn I said that, oh yes, I see I did 

> Also, some lists set the "reply to" with the sender rather than the list.

Also covered (poorly configured) 

> Further, some user agents have a separate "reply" for replying to list 
> instead of original sender but human error results in wrong being clicked. 
> That's happened to me - causing me to accidentally reply to wrong address.

-- 
Kind Regards, 

Noel Butler 


Re: Mailing list address harvested for spamming

2018-12-01 Thread Noel Butler
On 02/12/2018 05:31, M. Balridge wrote:

> Quoting dovecot-...@deemzed.uk:
> 
>> Not to stir the pot, but I notice my email address has recently been
>> harvested from this list for spamming purposes. This email address is
>> unique and not used for anything else.
>> 
>> I'd distinguish this from spam sent to the mailing list itself, which is
>> obviously different.
>> 
>> Is there anything further that could be done to prevent this?
> 
> It's practically impossible to "police" all of those who sign up for a mailing
> list that they do so for honest or constructive intentions. In addition,
> copies of this mailing list are archived by various online search engines and
> indexors, from content maintained or published by the list operators.
> 
> You're already using unique mail addresses, which is a sensible strategy, and
> one I use myself. In fact, I use a scheme whereby I don't need to change or
> update any back-end settings to deal with a multitude of unique and ad-hoc
> specified addresses for every vendor/supplier and interaction point I deal 
> with.
> 
> In short, if you use a public mailing list, expect that the address you use
> for it will be discovered and abused by the nefarious marketeers of the High
> Bit Seas.
> 
> Cordially,
> =Malcky=

Since he uses a unique address, it is trivial to write a rule to ensure
msgs come from dovecot.org and discard everything else, I do that on
LKML, works a treat. This address alone is a mailing list only address,
direct messages go to junk folder, which I visually scan occasionally,
and if I don't within 7 days, tuff, they're deleted automatically. 

Which is why it annoys me that some people on mailing lists feel the
need to reply directly, rather than through mailing list. 

(Yeah I know it's also shortcomings of certain mailers and mailing
services (has gmail even fixed that yet) where hitting reply or reply
all should go to list.  It's also dumb when list admins don't set reply-to
list, the entire point of replying to a list, is, well, to the list) 

-- 
Kind Regards, 

Noel Butler 


Re: maildirlock time unit?

2018-10-15 Thread Noel Butler
Why is there even a lock on 'maildir' at all... 

unless this is not specific to maildir as specd in mail_location, I
might be missing something though, I'm only just now having my first
coffee of the day 

(we haven't migrated to 2.3 yet, since 2.2 is very stable) 

On 15/10/2018 23:46, Kris von Mach wrote:

> What is the time unit maildirlock will accept?
> 
> I've tried 20s, 20 sec, 20 secs, 20 seconds, all results in:
> Fatal: Invalid timeout value: 20s
> 
> And if you don't specify time unit you just get:
> Panic: BUG: No IOs or timeouts set. Not waiting for infinity.
> 
> This is on 2.3.3. 2.2 worked fine without needing time unit specified.

-- 
Kind Regards, 

Noel Butler 


Re: DMARC mailing list rejections

2018-01-16 Thread Noel Butler
On 16/01/2018 15:23, Daniel Miller wrote:

> I get about a half dozen rejection messages from various servers when I post 
> to this list. Is there something I need to configure differently in my DMARC 
> record to be better compliant?
> 
> Daniel

DMARC is as evil as systemd - don't use either and all your pain will go
away

-- 
Kind Regards, 

Noel Butler 


Re: Adding Sieve to Roundcube

2017-12-29 Thread Noel Butler
On 30/12/2017 00:46, @lbutlr wrote:

> Yes, but I have to install sieve and select a plugin for Roundcube and then 
> write some user docs on how to make filters and such.

As per my previous, enable managesieve plugin which comes by default
with RC. 

This is a shitty howto thing I did 10 years ago, since I only ever
tolerated ubuntu for about 5 or 6 months I think it was about 2007ish
(must re-do it one day, since in 2017 we have much better tools for this
on linux LOL), but it's still applicable and what I still use on my
private server for me/family/friends/friends_families/etc, but it shows
it takes very little work to "document" it, you're stressing for no
reason. 

https://mail.ausics.net/help/add_filter0.gif 

-- 
Kind Regards, 

Noel Butler 



Re: Adding Sieve to Roundcube

2017-12-29 Thread Noel Butler
On 30/12/2017 00:26, Aki Tuomi wrote:

>> On December 29, 2017 at 4:21 PM "@lbutlr" <krem...@kreme.com> wrote:
>> 
>> I'm planning on adding support for sieve to Roundcube here in the near 
>> future and am looking for any recommendations on read-mes on how to do this.
>> 
>> I am planning on waiting until 2.3.0 hits Freebsd Ports
>> 
>> -- 
>> No Sigs. Blame Apple.
> 
> managesieve is your best bet. Reading this 
> https://tools.ietf.org/html/rfc5804 should help.
> 
> Aki

Yes, which comes with RC and works fine 

OP, copy /plugins/managesieve/config.inc.php.dist to config.inc.php,
and enable the plugin in /config/config.inc.php in $config[plugins]
array just like every other plugin. 

done... 

--

Kind Regards, 

Noel Butler 



Re: Ubuntu Auth Issues with new repository code..

2017-12-27 Thread Noel Butler
On 28/12/2017 07:38, Howard Leadmon wrote:

> Saw the new repository notification, and figured what the heck I would try 
> letting it upgrade me from the current v2.2.22 release that apparently is in 
> the Ubuntu 16.04 packages, to the new repository release of v2.3.0.
> 
> I followed the info on repo.dovecot.org, and first it started bitching about 
> lmtp (dovecot: master: Fatal: service(lmtp) access(/usr/lib/dovecot/lmtp) 
> failed: No such file or directory), so I went back and installed the 
> dovecot-lmtpd package and that seemed to fix that issue.  Just FYI, I had 
> dovecot-core, dovecot-imapd, and dovecot-pop3d installed on the system.
> 
> OK, so now it started up, said it was 2.3.0 and I thought all was good, but 
> now all authentication is failing.  I turned on some of the logging 
> debugging, and am seeing the below:
> 
> dovecot: auth-worker(19578): Debug: pam(toss1,127.0.0.1,): 
> lookup service=dovecot
> dovecot: auth-worker(19578): Debug: pam(toss1,127.0.0.1,): 
> #1/1 style=1 msg=Password:
> dovecot: auth-worker(19578): pam(toss1,127.0.0.1,): 
> pam_authenticate() failed: System error
> dovecot: auth: Debug: client passdb out: FAIL#0111#011user=toss1
> dovecot: imap-login: Aborted login (auth failed, 1 attempts in 3 secs): 
> user=, method=PLAIN, rip=127.0.0.1, lip=127.0.1.1, 
> session=
> 
> I took and compared my auth files like 10-auth.conf, and 
> auth-system.conf.ext, and they are identical between the two versions, even 
> though they were overwritten as part of the upgrade.
> 
> If I just uninstall the 2.3.0 release, and install 2.2.22 back on the server, 
> it all just starts working again. So for now I am back on 2.2, but was 
> willing to give 2.3 a run if I can get it going.   Any ideas as to what to 
> look at to get this working, would be great.   As stated above, this is 
> Ubuntu Server 16.04.03, and I am also running Postfix and amavis-new, but 
> don't think they should really impact me using dovecot for email over POP3 or 
> IMAP..
> 
> ---
> Howard Leadmon
> PBW Communications, LLC
> http://www.pbwcomm.com

Why on earth you think you could upgrade versions by using two unrelated
and different repo's is beyond me. 

This has always been a problem, even back in the 90's with the RPMs, RH
v say for example Fresh, because package maintainers will package
differently. 

It's like trying to stick a cisco 1800 image on an ASR9K and expecting it
to work perfectly. 

Though we don't use deb or rpm based systems and haven't for about 15
years, if I was to, I think I'd be using the creators version, and not a
distro's version.

-- 
Kind Regards, 

Noel Butler 



Re: dovecot-lda without starting dovecot?

2017-11-06 Thread Noel Butler
On 07/11/2017 09:18, Stephan von Krawczynski wrote:

> On Mon, 6 Nov 2017 09:50:16 -0500
> Tanstaafl <tansta...@libertytrek.org> wrote:
> 
> On 11/6/2017, 4:01:19 AM, Stephan von Krawczynski <skraw...@ithnet.com>
> wrote: Still we are not content with it touching/locking dovecot.index.log. If
> someone pointed at one location in the code where this could be disabled we
> would implement a new param for switching that off.   
> ?
> 
> Dovecot's indexing is one of its main features, and WHY it is so much
> faster than others.
> 
> And you want to just turn it off? Good luck...

> It seems you have not understood what I am talking about. Our pre-dovecot lda
> did not touch the index either. And it did not harm the imap/pop procedure in
> any way. So we know there is no need to fiddle with the index in the process
> of delivery into the maildirs to keep our performance as it was before.

mail_location   Optionally disable indexes using   :INDEX=MEMORY  

don't use this on IMAP boxes, but is safe to use on SMTP and POP3's
boxes though 

eg: 

mail_location = maildir:/var/vmail/%Ld/%1Ln/%1.1Ln/%2.1Ln/%Ln/Maildir:INDEX=MEMORY

-- 
Kind Regards, 

Noel Butler 



Re: moving from mysql to pgsql

2017-10-04 Thread Noel Butler
On 05/10/2017 02:06, Magnus wrote:

> Hello,
> 
> I hope that this mailing list is "alive", since I am looking for a solution 
> for my problem for a long time.
> 
> I would like to migrate my existing dovecot installation from mysql to pgsql. 
> But I have problems with the passwords when using pgsql.
> 
> The existing and working mysql-based installation looks like this:
> 
> dovecot-sql.conf.ext:
> 
> driver = mysql
> default_pass_scheme = SHA512-CRYPT
> 
> Users are created like this:
> 
> INSERT INTO mls_user (idx,domain,password,email)
> VALUES (1,99,ENCRYPT('Test'),'m...@alpenjodel.de');
> 
> This setup is working, which I can verify like this:
> 
> $ telnet localhost 143
> * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID
> ENABLE IDLE AUTH=PLAIN AUTH=LOGIN AUTH=DIGEST-MD5
> AUTH=CRAM-MD5] Dovecot ready.
> 
> a login m...@alpenjodel.de Test
> OK
> 
> Now let's take a look at the pgsql version of the setup:
> 
> dovecot-sql.conf.ext:
> 
> driver = pgsql
> default_pass_scheme = SHA512-CRYPT
> 
> Users are created like this:
> 
> INSERT INTO mls_user (idx,domain,password,email)
> VALUES (1,99,crypt('Test',gen_salt('des')),'m...@alpenjodel.de');
> 
> This setup is not working:
> 
> $ telnet localhost 143
> * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID
> ENABLE IDLE AUTH=PLAIN AUTH=LOGIN AUTH=DIGEST-MD5
> AUTH=CRAM-MD5] Dovecot ready.
> 
> a login m...@alpenjodel.de Test
> a NO [AUTHENTICATIONFAILED] Authentication failed.
> 
> Assumptions:
> 
> - I believe that the mysql encrypt function uses the crypt system call,
> which in turn uses the DES algorithm with a random salt.
> 
> - I believe that the same is done with the pgsql function call
> crypt('Test',gen_salt('des')).
> 
> But obviously some of these assumptions must be wrong.
> 
> Besides that, the variable "default_pass_scheme" is set to "SHA512-CRYPT" in 
> both cases. But obviously, not SHA but DES is used by the working mysql-based 
> setup. I don't understand that. Could someone please explain the relationship 
> between the default_pass_scheme variable and the encryption/hashing algorithm 
> used to store the user passwords?
> 
> And finally: What can I do to migrate to pgsql?
> 
> Thank you
> Magnus

Migrate? If the passwords are truly as designed already, it shouldn't
matter, it should read them, be it for mail, ftp, or httpd, they all
read the same thing mysql, or anything that reads sha512. 

What are you using to insert users, php? perl? What does the database
entry look like? 

We use a perl backend to add members and hosts, in mysql my password
field is populated as crypt($password, '$6$' . $salt) 

I can't help you if it's php, I'll leave that for someone who knows php
and my php guru is off sick this week with the flu 

But does your database password field entry start with $6$ ? 
Perhaps your mysql isn't using what you think? 

As a test, this is testing123 in sha512 

$6$Z6I5oyWUed.tmNUs$0ScF2w3ejPWFAX/3F6DgMyWpbXLq0DD6blL8rwBpSHGWaZ9RiXlpo5PPZFoJPZWIuQMETELsXG2YtbsAc8K3q/


copy and paste that into a test users mysql password field directly, and
your pgsql directly and see if it works. 

incidentally, we use

default_pass_scheme = CRYPT 

Which handles all the subsystems crypt options including sha's -
providing your system is half modern, if it's ten years old don't use
that, it'll be likely using the old 8 char limited crypt :)   (and don't
laugh, the number of antique debian and RH boxes I've come across is
scary) 

anyway, so even as a fallback for testing you could insert even an md5
hash into a password field and it will work as well, I won't tell you not
to do this in production because of course you know better ;)

-- 
Kind Regards, 

Noel Butler 



Re: Dovecot mail_location for fedora

2017-08-18 Thread Noel Butler
On 19/08/2017 07:17, Joseph Tam wrote:

> mail_location=~/.mail:INBOX=/var/spool/mail/%Ln 
> He should be good now, no idea why a fedora install wouldn't have that

Unless I missed something in a previous post, "~/.mail" is not typical
for personal mail folder, but "~/mail" is.

Joseph Tam <jtam.h...@gmail.com> 

I thought that (from earlier example), but not having used mbox in 10
years, couldn't remember, I couldn't example mine because that would
throw OP completely 

(mail_location =
maildir:/var/vmail/%Ld/%1Ln/%1.1Ln/%2.1Ln/%Ln/Maildir:INDEX=MEMORY)

Since he's not replied, I dare say Aki's post helped him sort it out. 

-- 
Kind Regards, 

Noel Butler 



Re: Dovecot mail_location for fedora

2017-08-18 Thread Noel Butler
Ahh that's it :) 

He should be good now, no idea why a fedora install wouldn't have that 

On 18/08/2017 19:43, Aki Tuomi wrote:

> mail_location=~/.mail:INBOX=/var/spool/mail/%Ln
> 
> Aki

-- 
Kind Regards, 

Noel Butler 



Re: Dovecot mail_location for fedora

2017-08-18 Thread Noel Butler
On 18/08/2017 06:15, Randy Gordey wrote:

> What is the syntax for dovecot mail_location when postfix delivers mail to
> /var/spool/mail/?
> 
> These are the old unix style mbox, one file per user.
> 
> Not setting mail_location in 10-mail.conf results in Auto not finding it.
> 
> mbox: /var/spool/mail/%u said mbox root directory can't be a file.

It's been over 10 years since I've run mbox, but I'm sure your format is
wrong, you're also not supposed to use spaces either, in fact I think
it's telling you what's wrong, from memory, it's mbox:~/mail: 
but I can't recall what other stuff is, I know the path is in it but it
needs something before it, I just can't recall what, see the wiki, I'd be
highly surprised if it did not explain it. 

> mbox: /var/spool/mail/ tries to make Sent and Deleted Folders, etc.
> 
> maildir: /var/spool/mail/ closes the connection.

That's not how maildir works, you need to add the Maildir directory to it,
ie  maildir:/var/spool/mail/%n/Maildir 

but DO NOT USE THAT directory!  And it's more than dovecot you need to
change if you're going to use maildir, so just fix up your mbox
settings. 

-- 
Kind Regards, 

Noel Butler 



Re: is a self signed certificate always invalid the first time?

2017-08-18 Thread Noel Butler
On 18/08/2017 17:12, voy...@sbt.net.au wrote:

> BUT, for a public web server where https is becoming mandatory, I'd still
> need a certificate from a recognized publisher, to avoid users geting
> 'warnings', is that so ?
> 
> (I'm currently using self issued for both mail and web)
> 
> thanks,
> 
> V

It depends on what your uses are, self signed certs are OK for
smtp/pop3/imap, since most people are just concerned with "encryption"
in that case, but a different story if it's web content, in particular,
shopping carts and the like. If you have clients' content, definitely use
a real cert, maybe in 10 years letsencrypt might make the grade, but
until every bit of software and OS supports it and they offer insurance
levels like the big boys do, you might as well be using a self signed
cert, comodo are pretty cheap with basic insurance level on even the
most basic of their offerings. Do your research, though, if using a paid
service, since some others are soon to be un-trusted. 

-- 
Kind Regards, 

Noel Butler 



Re: namespace configuration error

2017-08-15 Thread Noel Butler
On 16/08/2017 04:31, Jeff Ross wrote:

> namespace Snarf {
> hidden = yes
> list = no
> location = mbox:/home/%u/mbox:INBOX=/var/spool/mail/%u:INDEX=MEMORY
> prefix = ~~Snarfbox/

Are there supposed to be two tildes here? (maybe perfectly valid, I
haven't looked into it) 

> separator = /
> }
> namespace default {
> inbox = yes
> location =
> prefix =
> separator = /
> }
> namespace inbox {
> location =

I'd add in separator under location, then get rid of the namespace
default block above it 

(Just comment it out, don't delete anything - till you get it sorted) 

> mailbox Drafts {
> special_use = \Drafts
> }
> mailbox Junk {
> special_use = \Junk
> }
> mailbox Sent {
> special_use = \Sent
> }
> mailbox "Sent Messages" {
> special_use = \Sent
> }
> mailbox Trash {
> special_use = \Trash
> }
> prefix =

comment this out too 

> }

-- 
Kind Regards, 

Noel Butler 



Re: migrating 2.1 to 3.x, sql pass scheme, pass value?

2017-08-15 Thread Noel Butler
On 15/08/2017 22:58, voy...@sbt.net.au wrote:

> On Tue, August 15, 2017 10:27 pm, Noel Butler wrote:
> 
>> HUH?
>> Are you trying to login to mysql using the hash itself?
> 
> Noel, thanks!!
> 
> oops, misunderstood instruction...
> 
> this is better:
> 
> USER voy...@x.tld
> +OK
> PASS **
> +OK Logged in.
> LIST
> +OK 0 messages:
> 
>> That won't work, and it's not what you are supposed to be doing as evident
>> by fact you can login using plain password, you're looking in the wrong
>> area, since the database stores passwords hashed, you enter it in, in
>> plain text, the database then does its magic to convert what you entered
>> in, into a hash and does the matching in its own backend, so to speak.
> 
> what value should I have in /etc/dovecot/dovecot-mysql.conf
> in
> default_pass_scheme = ???
> 
> V

Use:   CRYPT 

This allows you to use whatever your system supports in your database
password fields, with modern OSes that's anything from md5 (shudder the
thought) to salted sha512 and probably more these days depending on what
other goodies your distro adds, dovecot will send it to the underlying
OS crypt function that does all the hard work. 

-- 
Kind Regards, 

Noel Butler 
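
The prefix check asked for in these threads (does the stored value start with `$6$`?) and the `default_pass_scheme` advice above, written out as an added example that is not part of the original posts: it classifies a password-field value by its crypt(3) shape and lists rows that do not match the scheme you expect. The function names, the `weak` flag and the sample rows are constructed for illustration; the `$6$` value and the `PASSWORD('test1234')` output are the ones quoted on this page.

```python
import re
from typing import NamedTuple, Optional

B64 = r"[./0-9A-Za-z]"  # alphabet crypt(3) uses for salts and digests


class HashFormat(NamedTuple):
    label: str                     # what the stored value looks like
    dovecot_scheme: Optional[str]  # Dovecot scheme name for that format
    weak: bool                     # True if the value should be re-hashed


# Checked in order; the first matching pattern wins.
PATTERNS = [
    (HashFormat("sha512-crypt", "SHA512-CRYPT", False),
     re.compile(rf"^\$6\$(rounds=\d+\$)?{B64}{{0,16}}\${B64}{{86}}$")),
    (HashFormat("sha256-crypt", "SHA256-CRYPT", False),
     re.compile(rf"^\$5\$(rounds=\d+\$)?{B64}{{0,16}}\${B64}{{43}}$")),
    (HashFormat("bcrypt", "BLF-CRYPT", False),
     re.compile(rf"^\$2[abxy]?\$\d\d\${B64}{{53}}$")),
    (HashFormat("md5-crypt", "MD5-CRYPT", True),
     re.compile(rf"^\$1\${B64}{{0,8}}\${B64}{{22}}$")),
    # Traditional DES crypt: 2 salt characters + 11 digest characters,
    # the "old 8 char limited crypt" mentioned in the pgsql thread.
    (HashFormat("des-crypt", "DES-CRYPT", True),
     re.compile(rf"^{B64}{{13}}$")),
    # MySQL/MariaDB PASSWORD(): a database-account hash, not a crypt(3) string.
    (HashFormat("mysql-password", None, True),
     re.compile(r"^\*[0-9A-F]{40}$")),
]


def classify(stored: str) -> HashFormat:
    """Identify the format of one password-field value."""
    value = stored.strip()
    for fmt, pattern in PATTERNS:
        if pattern.match(value):
            return fmt
    return HashFormat("unknown", None, True)


def audit(rows, expected_scheme="SHA512-CRYPT"):
    """Return (user, label) for each row whose hash is not expected_scheme."""
    findings = []
    for user, stored in rows:
        fmt = classify(stored)
        if fmt.dovecot_scheme != expected_scheme:
            findings.append((user, fmt.label))
    return findings


# Values quoted on this page.
PAGE_SHA512 = ("$6$Z6I5oyWUed.tmNUs$0ScF2w3ejPWFAX/3F6DgMyWpbXLq0DD6blL8rwBpSHGW"
               "aZ9RiXlpo5PPZFoJPZWIuQMETELsXG2YtbsAc8K3q/")
PAGE_MYSQL = "*3D3B92F242033365AE5BC6A8E6FC3E1679F4140A"

# Constructed rows: user names are placeholders, and the DES- and MD5-shaped
# strings are format samples only, not hashes of any real password.
ROWS = [
    ("alice@example.test", PAGE_SHA512),
    ("bob@example.test", "ab" + "x" * 11),
    ("carol@example.test", "$1$abcdefgh$" + "y" * 22),
    ("dave@example.test", PAGE_MYSQL),
]

if __name__ == "__main__":
    for user, label in audit(ROWS):
        print(f"{user}: stored value is {label}, not SHA512-CRYPT")
```

A value produced with `gen_salt('des')`, as in the pgsql INSERT quoted in the other thread, has the 13-character DES shape and is reported by `audit`.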



Re: migrating 2.1 to 3.x, sql pass scheme, pass value?

2017-08-15 Thread Noel Butler
On 15/08/2017 22:23, Noel Butler wrote:

> On 15/08/2017 21:25, voy...@sbt.net.au wrote:
> 
>> On Tue, August 15, 2017 8:03 pm, Sami Ketola wrote:
>> On 15 Aug 2017, at 2.50, voy...@sbt.net.au wrote:
>> 
>> how do I generate hashed string from my password ? 
>> use this sql command:
>> 
>> GRANT SELECT ON vmail TO 'vmail'@'127.0.0.1' IDENTIFIED BY
>> PASSWORD('yourpassword');
>> 
>> or if you just want to see the hash:
>> 
>> SELECT PASSWORD('yourpassword');
> 
> Sami, thanks
> 
> I'm running in circles here.. I thought it worked once, but, couldn't
> repeat it after
> 
> OK, I've made user 'test' with pw 'test1234'
> 
> using keyboard to enter test1234 I get:
> 
> # mysql  -u test -p
> Enter password:
> Welcome to the MariaDB monitor.  Commands end with ; or \g.
> Your MariaDB connection id is 1377
> Server version: 10.1.19-MariaDB MariaDB Server
> 
> Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.
> 
> Type 'help;' or '\h' for help. Type '\c' to clear the current input
> statement.
> 
> MariaDB [(none)]> show databases;
> +--------------------+
> | Database           |
> +--------------------+
> | information_schema |
> | test               |
> +--------------------+
> 2 rows in set (0.00 sec)
> 
> MariaDB [(none)]>
> 
> NOW:
> 
> MariaDB [(none)]> SELECT PASSWORD('test1234');
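> +-------------------------------------------+
> | PASSWORD('test1234')                      |
> +-------------------------------------------+
> | *3D3B92F242033365AE5BC6A8E6FC3E1679F4140A |
> +-------------------------------------------+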
> 1 row in set (0.00 sec)
> 
> MariaDB [(none)]> quit
> 
> copied '*3D3B92F242033365AE5BC6A8E6FC3E1679F4140A' to buffer
> 
> paste from buffer below, fail
> 
> # mysql  -u test -p
> Enter password:
> ERROR 1045 (28000): Access denied for user 'test'@'localhost' (using
> password: YES)
> 
> HUH? 
> 
> Are you trying to login to mysql using the hash itself? 
> 
> That won't work, and it's not what you are supposed to be doing as evident
> by fact you can login using plain password, you're looking in the wrong
> area, since the database stores passwords hashed, you enter it in, in
> plain text, the database then does its magic to convert what you entered
> in, into a hash and does the matching in its own backend, so to speak. 
> 
> if you put in your dovecot sql file, the vmail password in plain text
> and not hashed output, it should work, you have to make sure the sql
> file is chmod 600 so any normal users with access can't read the file(s).
> 
> -- 
> Kind Regards, 
> 
> Noel Butler 
> 

OK dunno what happened with format but to simplify it: 

HUH? 

Are you trying to login to mysql using the hash itself? 

That won't work, and it's not what you are supposed to be doing as evident
by fact you can login using plain password, you're looking in the wrong
area, since the database stores passwords hashed, you enter it in, in
plain text, the database then does its magic to convert what you entered
in, into a hash and does the matching in its own backend, so to speak. 

if you put in your dovecot sql file, the vmail password in plain text
and not hashed output, it should work, you have to make sure the sql
file is chmod 600 so any normal users with access can't read the file(s).


-- 
Kind Regards, 

Noel Butler 



Re: migrating 2.1 to 3.x, sql pass scheme, pass value?

2017-08-15 Thread Noel Butler
On 15/08/2017 21:25, voy...@sbt.net.au wrote:

> On Tue, August 15, 2017 8:03 pm, Sami Ketola wrote:
> On 15 Aug 2017, at 2.50, voy...@sbt.net.au wrote:
> 
> how do I generate hashed string from my password ? 
> use this sql command:
> 
> GRANT SELECT ON vmail TO 'vmail'@'127.0.0.1' IDENTIFIED BY
> PASSWORD('yourpassword');
> 
> or if you just want to see the hash:
> 
> SELECT PASSWORD('yourpassword');

Sami, thanks

I'm running in circles here.. I thought it worked once, but, couldn't
repeat it after

OK, I've made user 'test' with pw 'test1234'

using keyboard to enter test1234 I get:

# mysql  -u test -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 1377
Server version: 10.1.19-MariaDB MariaDB Server

Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input
statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| test               |
+--------------------+
2 rows in set (0.00 sec)

MariaDB [(none)]>

NOW:

MariaDB [(none)]> SELECT PASSWORD('test1234');
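+-------------------------------------------+
| PASSWORD('test1234')                      |
+-------------------------------------------+
| *3D3B92F242033365AE5BC6A8E6FC3E1679F4140A |
+-------------------------------------------+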
1 row in set (0.00 sec)

MariaDB [(none)]> quit

copied '*3D3B92F242033365AE5BC6A8E6FC3E1679F4140A' to buffer

paste from buffer below, fail

# mysql  -u test -p
Enter password:
ERROR 1045 (28000): Access denied for user 'test'@'localhost' (using
password: YES)

HUH? 

Are you trying to login to mysql using the hash itself? 

That won't work, and it's not what you are supposed to be doing as evident
by fact you can login using plain password, you're looking in the wrong
area, since the database stores passwords hashed, you enter it in, in
plain text, the database then does its magic to convert what you entered
in, into a hash and does the matching in its own backend, so to speak. 

if you put in your dovecot sql file, the vmail password in plain text
and not hashed output, it should work, you have to make sure the sql
file is chmod 600 so any normal users with access can't read the file(s).


-- 
Kind Regards, 

Noel Butler 



Re: migrating 2.1 to 3.x, sql pass scheme, pass value?

2017-08-14 Thread Noel Butler
hit enter too quickly (I've had one coffee all morning hehe) 

On 15/08/2017 08:54, Noel Butler wrote:

> Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others. 
> 
> Type 'help;' or '\h' for help. Type '\c' to clear the current input
> statement. 
> 
> MariaDB [(none)]>

At this point issue >show databases;

the output should include vmail 

-- 
Kind Regards, 

Noel Butler 



Re: migrating 2.1 to 3.x, sql pass scheme, pass value?

2017-08-14 Thread Noel Butler
On 15/08/2017 08:18, voy...@sbt.net.au wrote:

> I've also dumped MySQL 'vmail' and imported database, created user vmail,
> vmailadmin
> 
> Aug 15 08:05:31 auth-worker(9763): Error: mysql(127.0.0.1): Connect failed
> to database (vmail): Access denied for user 'vmail'@'localhost' (using
> password: YES) - waiting for 1 seconds before retry

Forget looking at dovecot at the moment, your problem may be mysql (I'd
hope you meant mariadb but either way...) 

use command line mysql as vmail user from your dovecot machine to test
password further BEFORE tinkering with dovecot. 

~$ mysql -p -v vmail 

enter password  

If it's all good you'll see : 

Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 20970
Server version: 5.5.57-MariaDB Source distribution 

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others. 

Type 'help;' or '\h' for help. Type '\c' to clear the current input
statement. 

MariaDB [(none)]> 

  

If not, look into mysql db and verify vmail user and perms (especially
for localhost), ensure you have reloaded privs as well. 

Set mysql debugging on if need be. 

-- 
Kind Regards, 

Noel Butler 



Re: dovecot 2.2.31: linking error

2017-07-01 Thread Noel Butler
On 02/07/2017 03:33, Aki Tuomi wrote:

> On July 1, 2017 at 7:23 PM Rupert Gallagher <r...@protonmail.com> wrote:
> 
> I would rather choose what to install.
> Sent from ProtonMail Mobile
> 
> On Sat, Jul 1, 2017 at 1:02 PM, Sami Ketola <sami.ket...@dovecot.fi> wrote:
> 
> On 1 Jul 2017, at 13.08, Rupert Gallagher wrote:
> > I tried compiling without "--with-storage=maildir" and it terminated
> > without error. I need to enforce maildir, however.
> You can enforce maildir in configuration.
> Sami

Unfortunately it's no longer possible with core storage drivers.

Just like passwd backends which we used to be able to select, now, sadly
dovecot is bloatware 

I can compile an entire freaking kernel 35% faster than dovecot :) 

-- 
Kind Regards, 

Noel Butler 



Re: CVE-2016-8652 in dovecot

2016-12-02 Thread Noel Butler
On 03/12/2016 12:08, Jeremiah C. Foster wrote:

> On Fri, 2016-12-02 at 10:48 +0200, Aki Tuomi wrote:
> On 02.12.2016 10:45, Jonas Wielicki wrote:
> On Friday, 2 December 2016 09:00:58 CET Aki Tuomi wrote:
> We are sorry to report that we have a bug in dovecot, which merits a
> CVE. See details below. If you haven't configured any auth_policy_*
> settings you are ok. This is fixed with
> https://git.dovecot.net/dovecot/core/commit/c3d3faa4f72a676e183f34be960cff13a5a725ae
> and
> https://git.dovecot.net/dovecot/core/commit/99abb1302ae693ccdfe0d57351fd42c67a8612fc
> 
> Important vulnerability in Dovecot (CVE-2016-8562)
> Are you sure about the CVE number? According to Debian [1] and
> mitre [2], it's for SIEMENS something, not Dovecot.
> 
> best regards,
> Jonas Wielicki
> 
> [1]: https://security-tracker.debian.org/tracker/CVE-2016-8562
> [2]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8562
> 
> Ups, sent wrong number, correct is CVE-2016-8652.
> That is the same number, no?

No, read it again. The wrong and pasted copy are 8 5 62, his revised is
8 6 52 

-- 
Kind Regards, 

Noel Butler 



Re: NFSv4 and Maildir

2016-09-30 Thread Noel Butler

On 01/10/2016 08:27, Joseph Tam wrote:

we have a setup with (CentOS 6) Director+Dovecot, Maildir as storage on
NetApp NFS v3. Every time I try to switch to NFS v4 I found issue with
lock (and others). So for me NFSv4 with Maildir is "unstable" or need a
fine tuning that I don't know.


I found the same thing, and turning off write delegation seemed
to have solved the problem.  I still don't know why, though.

Joseph Tam 


write delegation is disabled by default on NetApp with v4, or have they 
changed this now?



Re: Deletion of mail from Junk mailbox

2016-07-02 Thread Noel Butler

On 02/07/2016 19:16, Doug Hardie wrote:

I have a pigeon sieve running which directs some of my received mail to
the Junk folder.  That works just fine.  However, a couple minutes
later, it is moved to Deleted mailbox and deleted from Junk.  At first
I thought my client was doing that so I shut down the client and it
still happens.  Here are the log entries:

Jul  2 00:36:31 mail dovecot: imap(doug): copy from INBOX: box=Junk,
uid=10842, msgid=, size=3340,
from="jnilj" 
Jul  2 00:36:31 mail dovecot: imap(doug): delete: box=INBOX,
uid=55719, msgid=, size=3340,
from="jnilj" 
Jul  2 00:39:33 mail dovecot: imap(doug): copy from Junk: box=Deleted
Messages, uid=31049, msgid=,
size=3340, from="jnilj" 
Jul  2 00:39:33 mail dovecot: imap(doug): delete: box=Junk, uid=10842,
msgid=, size=3340, from="jnilj"

Jul  2 00:50:29 mail dovecot: imap(doug): expunge: box=Junk,
uid=10842, msgid=, size=3340,
from="jnilj" 
Jul  2 00:50:29 mail dovecot: imap(doug): expunge: box=INBOX,
uid=55719, msgid=, size=3340,
from="jnilj" 

Is this the intended way the Junk mailbox is supposed to work?  I
couldn't find any settings that appear to control (or affect) this
behavior.

— Doug


and your dovecot version is?

I suggest you'll also need to show doveconf -n and example of sieve 
rules, because it doesn't seem right, certainly does not do that here.



--
If you have the urge to reply to all rather than reply to list, you best
first read  http://members.ausics.net/qwerty/


RE: Postfix and Dovecot LDA vs. LMTP

2016-06-25 Thread Noel Butler

On 26/06/2016 02:39, Michael Fox wrote:
The most crucial difference is that LDA is intended for delivering email
to a *real* user.

Aki



Thanks Aki.

Pardon my ignorance, but why does it matter?  In other words, what is
it that makes LDA better for a *real* user and LMTP better for a
virtual user?

Thanks,
Michael


We've used LDA for virtual users for a very very long time, though we 
use multiple front ends, each with postfix/dovecot and mysql (replicated 
DB) they all talk to one big storage backend via NFS (as do the 
pop3/imap/webmails servers), we looked at lmtp once but saw no 
advantages given the setup.





Re: Pigeonhole 0.4.13 does not compile against dovecot 2.2.23

2016-03-31 Thread Noel Butler

On 31/03/2016 11:09, Stephan Bosch wrote:



Pigeonhole needs to be recompiled.

Regards,

Stephan.


hrmm it was, but process was ampersands so maybe something prior failed 
and it did not complete make install, it's late so I'll look at it again 
tomorrow.




--
If you have the urge to reply to all rather than reply to list, you best
first read  http://members.ausics.net/qwerty/


Re: Pigeonhole 0.4.13 does not compile against dovecot 2.2.23

2016-03-30 Thread Noel Butler

On 31/03/2016 02:06, Stephan Bosch wrote:

Hi,

Op 3/30/2016 om 5:34 PM schreef Juan C. Blanco:

Hello, I suppose that a new version of pigeonhole is on the way because
version 0.4.13 does not compile against dovecot 2.2.23

This is the error that I get

 gcc -DHAVE_CONFIG_H -I. -I. -I../../.. -I../../..
-I../../../src/lib-sieve -I../../../src/lib-sieve/util
-I../../../src/lib-sieve/plugins/environment
-I/home/jc/rpmbuild/BUILD/dovecot-2.2.23/src/imap
-I/home/jc/rpmbuild/BUILD/dovecot-2.2.23/src/lib-lda
-I/home/jc/rpmbuild/BUILD/dovecot-2.2.23/src/lda
-I/home/jc/rpmbuild/BUILD/dovecot-2.2.23
-I/home/jc/rpmbuild/BUILD/dovecot-2.2.23/src/lib
-I/home/jc/rpmbuild/BUILD/dovecot-2.2.23/src/lib-dict
-I/home/jc/rpmbuild/BUILD/dovecot-2.2.23/src/lib-dns
-I/home/jc/rpmbuild/BUILD/dovecot-2.2.23/src/lib-http
-I/home/jc/rpmbuild/BUILD/dovecot-2.2.23/src/lib-mail
-I/home/jc/rpmbuild/BUILD/dovecot-2.2.23/src/lib-imap
-I/home/jc/rpmbuild/BUILD/dovecot-2.2.23/src/lib-fs
-I/home/jc/rpmbuild/BUILD/dovecot-2.2.23/src/lib-charset
-I/home/jc/rpmbuild/BUILD/dovecot-2.2.23/src/lib-auth
-I/home/jc/rpmbuild/BUILD/dovecot-2.2.23/src/lib-master
-I/home/jc/rpmbuild/BUILD/dovecot-2.2.23/src/lib-ssl-iostream
-I/home/jc/rpmbuild/BUILD/dovecot-2.2.23/src/lib-compression
-I/home/jc/rpmbuild/BUILD/dovecot-2.2.23/src/lib-settings
-I/home/jc/rpmbuild/BUILD/dovecot-2.2.23/src/lib-test
-I/home/jc/rpmbuild/BUILD/dovecot-2.2.23/src/lib-sasl
-I/home/jc/rpmbuild/BUILD/dovecot-2.2.23/src/lib-stats
-I/home/jc/rpmbuild/BUILD/dovecot-2.2.23/src/lib-index
-I/home/jc/rpmbuild/BUILD/dovecot-2.2.23/src/lib-storage
-I/home/jc/rpmbuild/BUILD/dovecot-2.2.23/src/lib-storage/list
-I/home/jc/rpmbuild/BUILD/dovecot-2.2.23/src/lib-storage/index
-I/home/jc/rpmbuild/BUILD/dovecot-2.2.23/src/lib-storage/index/raw
-I/home/jc/rpmbuild/BUILD/dovecot-2.2.23/src/lib-imap-storage
-I/home/jc/rpmbuild/BUILD/dovecot-2.2.23/src/plugins/quota
-DPKG_RUNDIR=\"\" -std=gnu99 -O2 -g -pipe -Wall
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
--param=ssp-buffer-size=4 -m64 -mtune=generic -Wall -W
-Wmissing-prototypes -Wmissing-declarations -Wpointer-arith
-Wchar-subscripts -Wformat=2 -Wbad-function-cast -fno-builtin-strftime
-Wstrict-aliasing=2 -I/usr/kerberos/include -I../../.. -MT
imap-sieve-storage.lo -MD -MP -MF .deps/imap-sieve-storage.Tpo -c
imap-sieve-storage.c  -fPIC -DPIC -o .libs/imap-sieve-storage.o
imap-sieve-storage.c: In function 'imap_sieve_mailbox_transaction_run':
imap-sieve-storage.c:595: error: 'struct client' has no member named 'lda_set'
make[4]: *** [imap-sieve-storage.lo] Error 1


I don't know what that is, but it is definitely not Pigeonhole 0.4.13.
The code it is failing on is a recently added feature
(https://tools.ietf.org/html/rfc6785) that currently only lives in git
master.

Regards,

Stephan.




Regards.
Juan C. Blanco



http://dovecot.org/releases/2.2/dovecot-2.2.23.tar.gz
http://dovecot.org/releases/2.2/dovecot-2.2.23.tar.gz.sig

This is a bugfix-only release with various important fixes on top of
v2.2.22.

 - Various fixes to doveadm. Especially running commands via
   doveadm-server was broken.
 - director: Fixed user weakness getting stuck in some situations
 - director: Fixed a situation where directors keep re-sending
   different states to each others and never becoming synced.
 - director: Fixed assert-crash related to a slow "user killed" reply
 - Fixed assert-crash related to istream-concat, which could have
   been triggered at least by a Sieve script.





Starting dovecot POP3/IMAP daemon... doveconf: Error: Couldn't load 
plugin /usr/lib/dovecot/settings/libmanagesieve_login_settings.so: 
Module is for different ABI version 2.2.ABIv22(2.2.22) (we have 
2.2.ABIv23(2.2.23))
doveconf: Error: Couldn't load plugin 
/usr/lib/dovecot/settings/libmanagesieve_settings.so: Module is for 
different ABI version 2.2.ABIv22(2.2.22) (we have 2.2.ABIv23(2.2.23))
doveconf: Error: Couldn't load plugin 
/usr/lib/dovecot/settings/libpigeonhole_settings.so: Module is for 
different ABI version 2.2.ABIv22(2.2.22) (we have 2.2.ABIv23(2.2.23))
doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf 
line 232: Unknown setting: managesieve_logout_format

 Failed.



--
If you have the urge to reply to all rather than reply to list, you best
first read  http://members.ausics.net/qwerty/
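
A pre-restart check for the failure pasted in the message above, as an added example that is not part of the original message or of Dovecot: it re-joins the wrapped doveconf output, lists the modules built against an older ABI, and separates "Unknown setting" errors that are only a side effect of those unloaded modules from genuine configuration mistakes. The function names are hypothetical, and matching a setting to a module by name prefix is an assumption of this sketch.

```python
import os
import re

# The doveconf errors from the message above, still wrapped as the mail client left them.
SAMPLE = """\
Starting dovecot POP3/IMAP daemon... doveconf: Error: Couldn't load
plugin /usr/lib/dovecot/settings/libmanagesieve_login_settings.so:
Module is for different ABI version 2.2.ABIv22(2.2.22) (we have
2.2.ABIv23(2.2.23))
doveconf: Error: Couldn't load plugin
/usr/lib/dovecot/settings/libmanagesieve_settings.so: Module is for
different ABI version 2.2.ABIv22(2.2.22) (we have 2.2.ABIv23(2.2.23))
doveconf: Error: Couldn't load plugin
/usr/lib/dovecot/settings/libpigeonhole_settings.so: Module is for
different ABI version 2.2.ABIv22(2.2.22) (we have 2.2.ABIv23(2.2.23))
doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf
line 232: Unknown setting: managesieve_logout_format

 Failed.
"""

ABI_RE = re.compile(
    r"Couldn't load plugin (\S+): Module is for different ABI version "
    r"(\S+) \(we have (\S+)\)"
)
UNKNOWN_RE = re.compile(
    r"Error in configuration file (\S+) line (\d+): Unknown setting: (\S+)"
)


def parse_doveconf_errors(text):
    """Extract stale modules and unknown settings from (possibly wrapped) output."""
    flat = " ".join(text.split())  # undo line wrapping before matching
    stale = [m.groups() for m in ABI_RE.finditer(flat)]
    unknown = [(conf, int(line), name) for conf, line, name in UNKNOWN_RE.findall(flat)]
    return {"stale": stale, "unknown": unknown}


def module_stem(path):
    """libmanagesieve_settings.so -> managesieve (naming assumption of this sketch)."""
    name = os.path.basename(path)
    if name.startswith("lib"):
        name = name[3:]
    for suffix in ("_settings.so", ".so"):
        if name.endswith(suffix):
            return name[: -len(suffix)]
    return name


def triage(report):
    """Split unknown settings into those explained by an unloaded module and the rest."""
    stems = sorted({module_stem(p) for p, _, _ in report["stale"]}, key=len, reverse=True)
    explained, genuine = [], []
    for conf, line, setting in report["unknown"]:
        owner = next((s for s in stems if setting.startswith(s + "_")), None)
        target = explained if owner else genuine
        target.append((setting, conf, line, owner))
    return {
        "rebuild": sorted(os.path.basename(p) for p, _, _ in report["stale"]),
        "explained": explained,
        "genuine": genuine,
    }


if __name__ == "__main__":
    result = triage(parse_doveconf_errors(SAMPLE))
    print("rebuild against the running Dovecot:", ", ".join(result["rebuild"]))
    for setting, conf, line, owner in result["explained"]:
        print(f"{conf}:{line}: {setting} is unknown only because '{owner}' did not load")
    for setting, conf, line, _ in result["genuine"]:
        print(f"{conf}:{line}: {setting} is not a known setting, check the configuration")
```

An "explained" setting should stay in the configuration; it becomes valid again once the plugin is rebuilt and installed against the running Dovecot version.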


Re: Email hosting provider

2016-03-27 Thread Noel Butler

On 28/03/2016 01:09, Andrew McGlashan wrote:

I love this on your about page:

On 27/03/2016 3:14 PM, Noel Butler wrote:

I don't need to understand German law, that's what my Frankfurt lawyers
do, I'd trust our data privacy far more in our Frankfurt site, than I
would ever trust US or UK, or AU.



"Ausics.* services are purely free and non commercial offerings, run 
and funded by Brisbanite Noel Butler as a hobbyist service, it remains
separate from any commercial services, hosting or otherwise, and is
maintained by only a small group of people who may or may not have a
life, so just in case, please be patient if you need to contact us. "

 .. but "All key services are in-house in Brisbane  "

I was wondering about your preference for German servers / services. ?




No problems, my reference to Frankfurt storage refers to a "commercial
operation" certainly not the hobby one :)



Cheers
A.


--
If you have the urge to reply to all rather than reply to list, you best
first read  http://members.ausics.net/qwerty/


Re: Email hosting provider

2016-03-26 Thread Noel Butler

On 26/03/2016 17:04, Stephan von Krawczynski wrote:

On Sat, 26 Mar 2016 13:34:34 +1000
Noel Butler <noel.but...@ausics.net> wrote:


On 21/03/2016 17:06, Andre Rodier wrote:
> Hello,
>
> Sorry if I am off topic a little.
>
> I am looking for an email host provider that supports dovecot, sieve
> and manage sieve. Ideally with the roundcube webmail and managesieve
> plugin
>
> Better if it is in Europe or switzerland. I don't mind paying a little.
>
> Thanks,
> André.

Hi Andre,

see www.webhostingtalk.com

There are a number of reliable and reasonable priced hosts in Germany
(best place if you value your privacy) and Netherlands.


You mean "best place if you have no idea of the German laws and what's
really going on" ...



I don't need to understand German law, that's what my Frankfurt lawyers
do, I'd trust our data privacy far more in our Frankfurt site, than I
would ever trust US or UK, or AU.


--
If you have the urge to reply to all rather than reply to list, you best
first read  http://members.ausics.net/qwerty/


Re: Email hosting provider

2016-03-25 Thread Noel Butler

On 21/03/2016 17:06, Andre Rodier wrote:

Hello,

Sorry if I am off topic a little.

I am looking for an email host provider that supports dovecot, sieve
and manage sieve. Ideally with the roundcube webmail and managesieve
plugin

Better if it is in Europe or switzerland. I don't mind paying a little.

Thanks,
André.


Hi Andre,

see www.webhostingtalk.com

There are a number of reliable and reasonable priced hosts in Germany 
(best place if you value your privacy) and Netherlands.



--
If you have the urge to reply to all rather than reply to list, you best
first read  http://members.ausics.net/qwerty/


Re: NetApp NFS vs. ZFS and NFS for Maildir

2016-03-25 Thread Noel Butler
It seems it's troll time again on this list, ohh maybe it's Harry in
disguise... So I will play along, for today anyway :)



On 19/03/2016 18:11, Stephan von Krawczynski wrote:

On Sat, 19 Mar 2016 17:37:04 +1000
Noel Butler <noel.but...@ausics.net> wrote:


On 14/03/2016 18:49, Stephan von Krawczynski wrote:
>
>>
>> and you've never seen these cause problems with FS?  then you must be
>> a
>> newbie, in over 25 years I've seen it happen several times - yes even
>> after an apparent controlled shutdown.
>
> Maybe you're doing something wrong then. because in my last 21 years
> working
> exactly in this business I've not seen a single deadly fs-crash because
> of a
> power-outage. Not one. And we had of course several, all backed by UPS.

Consider yourself lucky, Most network admins who've been around large
busy ISP DC's have seen this in their lifetime, to not have seen one is
rare, go buy yourself a lotto ticket :)

>
> If your servers get drowned with water during a fire your fs is
> probably the
> least of your worries. You don't really plan to re-enable servers with
> water- or fire-damage, do you? That's probably why there shouldn't be a
> fireman pouring water in the first place.

This shows you don't understand structural engineering, the fire does not
have to be on your floor, it can be far away as two or so levels above,
with the high pressure water used - equating to a shitload of water,
there are ducts, shafts, other risers and so on that with a shit-ton of
water can easily penetrate fireblocks of floors below - don't take my
word,  go ask a fireman, or maybe watch the nightly news sometime
(building fire - many levels water affected blah blah blah)... so
keeping those boxes on via UPS's is asking for lots of charcoaled boards
and fried drives. IOW, total stupidity.

Should those machines be depowered as required by our building codes,
well, might take a few days of drying out but at least they will power
back up without error - yes, done it in risk assessments.




Obviously you must work for people that have not the slightest idea about
using hardware in a correct way and don't know when the time has come to throw
it away. Man, there is no way to let a drowned box survive. It is not back to


Wow, how long did you allege to have been in network/sys admin?  20
years? Really? I think you made a typo and it should have read 20
minutes, ya know I have refrained from posting on here for a long time
(apart from fact I rarely read the list), and I was not going to feed
the trolls, but sometimes the smart mouthed know nothing, need to bitch
slap upside the head so that's why I am devoting about 60 seconds to you.


Of course there is, networks don't throw away many hundreds of servers
valued $7K to $10K, nor $100K+ storage systems, or $40K routers, LB's or
switches, just because they got drenched - with power isolated.




normal when it is dry. If you don't get that I am pretty happy to be no
customer. This can only be an idea born in the sick mind of a controller who


You will never be a customer _or_employee_ of mine, trust me on that one!


didn't want to pay insurance in the first place. We are talking about serious


Got nothing to do with insurance, it might take 2 days to dry out and get
back up and running, it will take an awful lot longer to get offsite
backups and restore every last one of them.


I hope your employer reads this list, because he/she should be seeing 
alarm bells from your comments.


corrosion effects here let alone that you have a hard time even knowing when


yep, you sure did fail basic engineering

your boxes are really dry. Your fireman on the other hand seem to be stuck in
the 80s. Today there are solar panels almost everywhere _which you cannot
turn off_.


Wow, you really are clutching the fantasy straws aren't you, perhaps your
country lacks modernisation, I can go to the side of my house and
isolate the panels with a flick of a switch, strangely enough and I
guess in your eyes horrifyingly called "solar isolator" that stops the
panels providing power to my electrical circuits, yes, there might be
power from panels to it, but that's not going to affect my power circuits
or equipment.




--
If you have the urge to reply to all rather than reply to list, you best
first read  http://members.ausics.net/qwerty/


Re: NetApp NFS vs. ZFS and NFS for Maildir

2016-03-19 Thread Noel Butler

On 14/03/2016 18:49, Stephan von Krawczynski wrote:




and you've never seen these cause problems with FS?  then you must be a
newbie, in over 25 years I've seen it happen several times - yes even
after an apparent controlled shutdown.


Maybe you're doing something wrong then. because in my last 21 years working
exactly in this business I've not seen a single deadly fs-crash because of a
power-outage. Not one. And we had of course several, all backed by UPS.


Consider yourself lucky, Most network admins who've been around large
busy ISP DC's have seen this in their lifetime, to not have seen one is
rare, go buy yourself a lotto ticket :)




If your servers get drowned with water during a fire your fs is probably the
least of your worries. You don't really plan to re-enable servers with
water- or fire-damage, do you? That's probably why there shouldn't be a
fireman pouring water in the first place.


This shows you don't understand structural engineering, the fire does not
have to be on your floor, it can be far away as two or so levels above,
with the high pressure water used - equating to a shitload of water,
there are ducts, shafts, other risers and so on that with a shit-ton of
water can easily penetrate fireblocks of floors below - don't take my
word,  go ask a fireman, or maybe watch the nightly news sometime
(building fire - many levels water affected blah blah blah)... so
keeping those boxes on via UPS's is asking for lots of charcoaled boards
and fried drives. IOW, total stupidity.


Should those machines be depowered as required by our building codes, 
well, might take a few days of drying out but at least they will power 
back up without error - yes, done it in risk assessments.




--
If you have the urge to reply to all rather than reply to list, you best
first read  http://members.ausics.net/qwerty/


Re: NetApp NFS vs. ZFS and NFS for Maildir

2016-03-14 Thread Noel Butler

On 14/03/2016 09:59, Stephan von Krawczynski wrote:

On Mon, 14 Mar 2016 09:32:42 +1000
Noel Butler <noel.but...@ausics.net> wrote:


On 13/03/2016 20:47, Stephan von Krawczynski wrote:
> On Sun, 13 Mar 2016 09:45:06 +
> James <li...@xdrv.co.uk> wrote:
>
>> On 11/03/2016 15:17, Stephan von Krawczynski wrote:
>>
>>  > zfs set sync=disabled ?
>>
>> Only if you are happy to lose data on power failure.
>
> I don't know the actual setup, but if you have no UPC you shouldn't
> host email
> services anyway.

I'm guessing you meant UPS, anyway, a UPS won't protect you from human
error.

Also, most buildings, at least in this country, have a fire emergency
shutoff requirement, meaning mains is isolated from the building, and
the back up gennies are also forbidden to be engaged - UPS's don't last
forever.


Guys, please don't argue on kindergarten level. The UPS is for backing a
sudden death, but not for running five days. Of course you can do a controlled
shutdown if battery level falls below a trigger value. And this is about all
you need: control. There is no fs error as long as you perform a regular


and you've never seen these cause problems with FS?  then you must be a 
newbie, in over 25 years I've seen it happen several times - yes even 
after an apparent controlled shutdown.


shutdown. If UPS-backup is forbidden in your country then I suggest moving to
civilized regions of the planet ;-)


Now who's on kindergarten level, do you really want fireman pouring water
on fire on a level of a building that's powered up because some lamer has
a generator running? really? I'm sure those firemen would gladly hand
YOU the hose, the best UPS systems runtime we've seen under average load
for a large ISP data centre is 21 mins, usually ample time to allow the
generators to start up, come to full power, and switch in taking over
the load, but that's not going to help during a building fire, once they're
depleted, they're depleted.


--
If you have the urge to reply to all rather than reply to list, you best
first read  http://members.ausics.net/qwerty/


Re: NetApp NFS vs. ZFS and NFS for Maildir

2016-03-13 Thread Noel Butler

On 13/03/2016 20:47, Stephan von Krawczynski wrote:

On Sun, 13 Mar 2016 09:45:06 +
James  wrote:


On 11/03/2016 15:17, Stephan von Krawczynski wrote:

 > zfs set sync=disabled ?

Only if you are happy to lose data on power failure.


I don't know the actual setup, but if you have no UPC you shouldn't host email
services anyway.


I'm guessing you meant UPS, anyway, a UPS won't protect you from human
error.


Also, most buildings, at least in this country, have a fire emergency
shutoff requirement, meaning mains is isolated from the building, and
the back up gennies are also forbidden to be engaged - UPS's don't last
forever.


--
If you have the urge to reply to all rather than reply to list, you best
first read  http://members.ausics.net/qwerty/


Re: Ubuntu packages

2016-03-05 Thread Noel Butler

On 06/03/2016 04:18, Robert Schetterer wrote:


for paranoid people, create your own repo
and for info dovecot had nice compiled from scratch to me in the past too



The only way to use dovecot IMHO is by source, you build in what you
want and omit the junk (that some repo packagers want to include -
because they need cater for many scenarios) that you have no need for,
sadly though, dovecot has lapsed a bit in security in this respect since
we used to be able to disable all non-wanted password types, but now we
have many of them non configurable and get them built in whether we like
it or not, it's one of two gripes I've had with dovecot 2.x, otherwise,
reasonably happy with it nowadays.



--
If you have the urge to reply to all rather than reply to list, you best
first read  http://members.ausics.net/qwerty/


Re: severe fork() problems with new dovecot server

2016-03-01 Thread Noel Butler

On 02/03/2016 05:11, J. Niklas wrote:

On 01.03.2016 18:21, Dolf Schimmel wrote:

Recently I played around a little with cgroups where you can limit the 
max number of processes per cgroup.

Could it be that, perhaps, you've stumbled upon such a limit?
Systemd does contain all services by default in their own cgroup afaik,
so it could be that you're using it unknowingly.


Yes, yes, \o/ ;-)

#> systemctl status dovecot.service
* dovecot.service - Dovecot IMAP/POP3 email server
   Loaded: loaded (/lib/systemd/system/dovecot.service; enabled; vendor
preset: enabled)
  Drop-In: /etc/systemd/system/dovecot.service.d
   `-ulimits.conf
   Active: active (running) since Tue 2016-03-01 15:28:29; 4h 24min ago
 Main PID: 10098 (dovecot)
Tasks: 204 (limit: 512)
   CGroup: /system.slice/dovecot.service

There is my "512". The way of systemd, ignoring all the config stuff
that has been there for decades while imposing its own, complex and very
sparsely documented ruleset on top is beginning to seriously annoy me.
At least I would have expected some sort of syslog message.

Just for the records, this can be changed by adding e.g.
TasksMax=4096
to the /etc/systemd/system/dovecot.service.d/ulimits.conf I cited
in my OP.

Now I'll have to wait and see how things will evolve tomorrow.
Thank you so much for the great hint!



even more proof that systemd is evil

--
If you have the urge to reply to all rather than reply to list, you best
first read  http://members.ausics.net/qwerty/


Re: To what extent does/will Dovecot depend on systemd? was systemd changes...

2016-02-22 Thread Noel Butler

On 22/02/2016 17:14, Aki Tuomi wrote:

On 21.02.2016 19:10, Steve Litt wrote:

On Sun, 21 Feb 2016 10:03:15 +0100
Thomas Leuxner  wrote:

[snip]


https://github.com/dovecot/core/commit/53cc71cae88ee81fd7eae47aed743496f8c884a2

[snip]


The PID-File seems to be expected under yet another sub-dir
of /var/run/dovecot.

I wasn't aware that any Dovecot functionalities have become dependent
on systemd. Is this discussion simply about the unit file and PID file
location for Dovecot under systemd's process manager, or is Dovecot
starting to acquire systemd dependencies that will make it difficult to
run without systemd in the future?

Thanks,

SteveT

Steve Litt
February 2016 featured book: The Key to Everyday Excellence
http://www.troubleshooters.com/key

We do not depend on systemd, but unit files are provided and
automatically installed if enabled.

Aki


That's excellent news, because hell will freeze over before systemd is
introduced to official Slackware releases.


--
If you have the urge to reply to all rather than reply to list, you best
first read  http://members.ausics.net/qwerty/


Re: Enterprise Repository Access?

2016-01-09 Thread Noel Butler

On 09/01/2016 22:06, mj wrote:



Compiling our own dovecot for production use sounds less appealing,



What's so un-appealing about building from source? It's then perfectly 
matched to your system.


Admittedly I can build kernels faster than latest dovecot's, but that's 
just the "make time"


./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var 
--with-mysql --without-pam --without-shadow --without-bsdauth   is 
done in seconds...


Nothing at all hard about that.


--
If you have the urge to reply to all rather than reply to list, you best
first read  http://members.ausics.net/qwerty/


Re: [Dovecot] 2.2.9

2013-11-22 Thread Noel Butler
On Sat, 2013-11-23 at 02:29 +0100, Benny Pedersen wrote:

 Nick Edwards skrev den 2013-11-22 17:17:
 
  I need a drink
 
 if you can find some to drink with, all problems with dovecot will 
 comeback tomorrow :=)
 
 i just made another sieve rule now
 
 


What has this to do with dovecot? Take your trolling off list please.

I'm starting to regret defending you against Harald, perhaps it's YOU who
should be booted and not him
Nick's right about one thing though, you seem to have not taken your
medicated lately Benny.

(although you don't blindly go around abusing people on every list, and
in CC's and private, so we won't blacklist you :) )





Re: [Dovecot] 2.2.9

2013-11-22 Thread Noel Butler
On Fri, 2013-11-22 at 10:14 +0100, Ralf Hildebrandt wrote:

 * Thomas Leuxner t...@leuxner.net:
  * Ralf Hildebrandt ralf.hildebra...@charite.de 2013.11.22 09:44:
  
   Which patch?
  
  http://www.dovecot.org/list/dovecot/2013-November/093654.html
  
  Pigeonhole related patches.
 
 Damn. Those are biting me as well :/
 


These would be found if Timo reverted back to issuing RC's before any
official release, to iron out the niggly off-putting bugs, like most
software does, or gets his devs and a community of official testers each
with wildly different configurations and set ups, ASF have an excellent
model that could be followed, bunch of devs and testers who each report
on different distros and configs, why? because no single dev can imagine
and test every  possible configuration. it might just save dovecot's
good name, I recall a lot of damage was done to that in the circles I'm
in when 2.0 was released with patches nearly every few days and weeks, I
know a few ISP's and businesses that went back to courier or  Wu's
because major bugs were getting in often, though it has been a lot
better since 2.1 series, until this release that is :)





Re: [Dovecot] 2.2.9

2013-11-22 Thread Noel Butler
On Sat, 2013-11-23 at 04:06 +0200, Timo Sirainen wrote:

 but there are about 3 of you who nowadays constantly seem to be wasting my 
 time on thinking about it.
 

no doubt, despite my one single post to them in long time, but being
informed that my name has been dragged into their shit fight a few
times, you of course include me in this gang of 3, frankly, I've had a
gutful of your lengthy vendetta, it is after all why I rarely waste my
time here and those I've helped have mostly been via private anyway,
now,  my time for lists is being more rare these days, I have far more
important activities to worry about in life, so it is with much pleasure
I inform you that you will need to find some other poor sucker to blame
for the trolls and idiots, I am removing myself from the dovecot
community forthwith, well, in 3 minutes, enough time for this message
to make it through mailman before I confirm unsub :)



oh before I go, ya know, if you reined in the regular offenders like
other lists, nobody else would have needed to.






Re: [Dovecot] Dovecot 2.0.9 Quota Limit issues

2013-11-13 Thread Noel Butler
On Tue, 2013-11-12 at 10:00 -0800, David Johnson wrote:

 Hello,
 
 I've tried searching for information regarding this problem but haven't 
 found anything.
 
 Currently I have a Dovecot 2.0.9 with virtual users from a SQL table.  
 Right now I'm only using global quota limits.  Here is my quota setup:
 


2.0.9 is ancient and unsupported, but if it ain't broke, who cares,
so


 plugin {
quota = maildir:User quota
quota_rule = *:storage=3G
quota_rule2 = Trash:storage=+100M
quota_rule3 = Archive:storage=+1G
quota_rule4 = Archive/2013:storage=+1G
quota_rule5 = Junk:ignore


Have you tried commenting out the Archive/2013 rule?  This might be the
conflict,  it's like saying  OS / = 1G but  /home can have 3, kind of
doesn't work :)
the rest looks ok to me




 According to the documentation this should allow the Archive folder to 
 have an additional 1G in it that is not counted toward the global 3G.  
 However I have users who have 2G in the Archive folder, and about 1G 
 elsewhere.  At this point they stop receiving emails due to quota exceeded.
 
 doveadm quota get -u user
 displays this:
 Quota name  Type  Value   Limit  %
 User quota  STORAGE 3150312 3145728 100
 User quota  MESSAGE8271   -  0
 
 If I change Archive:storage=+1G to Archive:ignore then they can receive 
 emails again.
 After the change doveadm quota get -u displays this:
 
 Quota name  Type  Value   Limit  %
 User quota  STORAGE 1266885 3145728 40
 User quota  MESSAGE8271   -  0
 
 Is there something I'm missing as to why this setup isn't working?
 
 Thanks!
 
 --
 David J.




Re: [Dovecot] blames for using maillists ?

2013-11-11 Thread Noel Butler

On 12/11/2013 05:59, Benny Pedersen wrote:

why do you not simply shut up?

# sieve rule
require ["imap4flags"];
# rule:[reindl]
if allof (header :contains "From" "h.rei...@thelounge.net")
{
    setflag ["\\Seen", "\\Flagged"];
    stop;
}



haha is this jackass still polluting the list?


Better still to forward to his upstream provider

if allof (header :contains From thelounge.net, header :contains 
From rhsoft.net)

{
redirect ab...@inode.at;
}




Re: [Dovecot] Dovecot MTA

2013-11-11 Thread Noel Butler

On 12/11/2013 04:28, Benny Pedersen wrote:

Edwardo Garcia skrev den 2013-11-11 11:58:
But is dovecot job to authenticate,  mysql replicate fine, it is dovecot
that is not fine by  ignoring desire effect by only talk localhost and not
any other unless localhost auth not respond.


so move to postgresql/mysql backend and change from dovecot to dbmail ?

why blame dovecot for using fs mail store ?

is your problem unstable nfs ?

give up and get google app mx :)



WTF drugs are you on? Or maybe it's more to the point of what medication
you're not taking.


Briefly reading, he's talking about the same problem I and a few others
have brought up in the past (I gave up on it since Timo made it very
clear he has no interest at all and Edward is really wasting his time)
*dovecot authentication for users* unless I missed something, possible,
so much noise on this list I rarely bother to read it anymore, and this
morning's reading reaffirms why I don't





Re: [Dovecot] Problem with master user

2013-11-08 Thread Noel Butler

doveconf -n output is ordinarily required

however, at a guess, you have not defined auth_master_user_separator

On 08/11/2013 20:05, Jakub Krzyżewski wrote:

Hello.

I have problem as below:

Nov  8 10:41:52 store1 dovecot: auth: Debug:
auth(mas...@example.com,::1,master,/qEuMafqyAAB):
Master user lookup for login: jkr...@example.com
Nov  8 10:41:52 store1 dovecot: auth: Debug:
passwd-file(mas...@example.com,::1,master,/qEuMafqyAAB):
lookup: user=mas...@example.com file=/etc/dovecot/master-users
Nov  8 10:41:52 store1 dovecot: auth: Debug:
password(mas...@example.com,::1,master,/qEuMafqyAAB):
Generating DIGEST-MD5 from user 'master', password 'test'
Nov  8 10:41:52 store1 dovecot: auth:
passdb(mas...@example.com,::1,master,/qEuMafqyAAB):
Master user logging in as jkr...@example.com
Nov  8 10:41:52 store1 dovecot: auth: Debug:
ldap(jkr...@example.com,::1,/qEuMafqyAAB): pass
search: base=dc=example,dc=com scope=subtree
filter=((locMailActive=TRUE)(|
(uid=jkr...@example.com)(uid=jkrzyz)(mailRoutingAddress=jkr...@example.com)))
fields=mailRoutingAddress,userPassword
Nov  8 10:41:52 store1 dovecot: auth: Debug:
ldap(jkr...@example.com,::1,/qEuMafqyAAB):
result: mailRoutingAddress=jkr...@example.com userPassword=test2
Nov  8 10:41:52 store1 dovecot: auth: Debug:
password(jkr...@example.com,::1,/qEuMafqyAAB):
Generating DIGEST-MD5 from user 'master', password 'test2'
Nov  8 10:41:52 store1 dovecot: auth: Debug:
password(jkr...@example.com,::1,/qEuMafqyAAB):
Credentials: d64221d543d7c9a809c7d6e424d87be8
Nov  8 10:41:52 store1 dovecot: auth:
digest-md5(jkr...@example.com,::1,/qEuMafqyAAB):
password mismatch

As you can see, password is checked against user passdb and not
passwd-file, where master's password is stored.
Test is password of master user, test2 is password of jkrzyz
Setting pass=yes or no makes no difference.
What is wrong with my config?

dovecot --version
2.1.7

dovecot.conf snippet:

passdb {
  args = scheme=PLAIN /etc/dovecot/master-users
  driver = passwd-file
  master = yes
  pass = yes
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
userdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}

/etc/dovecot/master-users:

master:{PLAIN}test
mas...@example.com:{PLAIN}test


Re: [Dovecot] Best way from Mbox to Maildir using 2.17?

2013-11-05 Thread Noel Butler

On 05/11/2013 17:30, SATOH Fumiyasu wrote:

At Tue, 5 Nov 2013 08:10:46 +0100 (CET),
Steffen Kaiser wrote:

 http://batleth.sapienti-sat.org/projects/mb2md/

 The program has at least 2 bugs in it:

 . If the body has paragraph break (i.e., '\n') followed by the RFC822
   keyword 'From', the original message will loose the last half of
   the message and a phantom message will be created.

   Change from my notes:

 #   if ( /^From /
 # -to-
 #   if ( /^From .*? \d\d:\d\d:\d\d \d\d\d\d/

 . I never could figure out where the second bug was. This one created
   some messages with blank subject lines.

You have a badly formatted mbox file, if there is such distinction
necessary:


No. There are some variants of mbox format.
See https://en.wikipedia.org/wiki/Mbox#Family



RFC 4155

o Each message in the mbox database MUST be immediately preceded
by a single separator line, which MUST conform to the following
syntax:

   The exact character sequence of From;

   a single Space character (0x20);

   the email address of the message sender (as obtained from the
   message envelope or other authoritative source), conformant
   with the addr-spec syntax from RFC 2822;








http://manpages.ubuntu.com/manpages/precise/man5/mbox.5.html

  In order to avoid misinterpretation of lines in message bodies which
  begin with the four characters "From", followed by a space character,
  the mail delivery agent must quote any occurrence of "From " at the
  start of a body line.
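
The separator-line ambiguity discussed in this message, as an added example that is not part of the original posts or of mb2md: a bare `^From ` test splits a message at any unquoted body line, the stricter pattern from the notes quoted above (requiring `hh:mm:ss yyyy`) still splits at a body line that imitates a full separator, and only `>From ` quoting at delivery time removes the ambiguity. Function names and the sample mailbox are constructed for illustration, and the quoting shown is the reversible mboxrd style.

```python
import re

# Naive separator test: any line starting with "From " begins a new message.
NAIVE_SEP = re.compile(r"^From ")
# Stricter test from the notes quoted in the thread: also require "hh:mm:ss yyyy".
STRICT_SEP = re.compile(r"^From .*? \d\d:\d\d:\d\d \d\d\d\d")
# mboxrd-style quoting: a body line matching ">*From " gets one more ">".
NEEDS_QUOTE = re.compile(r"^>*From ")
IS_QUOTED = re.compile(r"^>+From ")

# Constructed sample: (envelope sender, date, header lines, body lines).
MESSAGES = [
    ("alice@example.org", "Tue Nov  5 08:10:46 2013",
     ["From: alice@example.org", "Subject: delivery change"],
     ["Hi,",
      "",
      "From now on, delivery is handled by the LDA.",
      "From mallory@example.org Tue Nov  5 08:10:46 2013",
      "Subject: phantom",
      "",
      "This text is still part of Alice's message."]),
    ("bob@example.org", "Tue Nov  5 09:00:00 2013",
     ["From: bob@example.org", "Subject: re: delivery change"],
     [">From the earlier reply, already quoted once.", "Thanks."]),
]


def write_mbox(messages, quote=True):
    """Serialise messages; with quote=False it behaves like a non-quoting MDA."""
    out = []
    for sender, date, headers, body in messages:
        out.append(f"From {sender} {date}")
        out.extend(headers)
        out.append("")
        for line in body:
            out.append(">" + line if quote and NEEDS_QUOTE.match(line) else line)
        out.append("")  # blank line that ends each message
    return "\n".join(out) + "\n"


def split_mbox(text, sep):
    """Split mbox text into lists of lines, one list per detected message."""
    messages, current = [], None
    for line in text.splitlines():
        if sep.match(line):
            if current is not None:
                messages.append(current)
            current = [line]
        elif current is not None:
            current.append(line)
    if current is not None:
        messages.append(current)
    return messages


def read_bodies(text, sep):
    """Return the unquoted body lines of every message found with `sep`."""
    bodies = []
    for msg in split_mbox(text, sep):
        blank = msg.index("") if "" in msg else len(msg)  # end of headers
        body = msg[blank + 1:]
        if body and body[-1] == "":
            body = body[:-1]  # drop the blank line written after the message
        bodies.append([l[1:] if IS_QUOTED.match(l) else l for l in body])
    return bodies


if __name__ == "__main__":
    for label, text in (("unquoted", write_mbox(MESSAGES, quote=False)),
                        ("quoted", write_mbox(MESSAGES, quote=True))):
        print(label,
              "naive:", len(split_mbox(text, NAIVE_SEP)),
              "strict:", len(split_mbox(text, STRICT_SEP)),
              "(2 messages were written)")
```

When converting an existing mbox to Maildir, comparing the message count before and after conversion is a cheap way to catch phantom messages produced by unquoted body lines.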



Re: [Dovecot] Best way from Mbox to Maildir using 2.17?

2013-11-05 Thread Noel Butler

On 05/11/2013 19:44, Bernd Petrovitsch wrote:

On Mon, 2013-11-04 at 19:29 +1000, Noel Butler wrote:
[...]
think in postfix   home_mailbox = Maildir/ will do it, with sendmail it's
much more tricky and you're best sticking with mbox, if exim, NFI - don't


Or - strategically - you use dovecot's LDA which should know where to
throw the mails in.



but using system users, you wouldnt use dovecot's LDA :)




Re: [Dovecot] Best way from Mbox to Maildir using 2.17?

2013-11-05 Thread Noel Butler

On 05/11/2013 20:11, Daniele Nicolodi wrote:

On 05/11/2013 11:04, Noel Butler wrote:




but using system users, you wouldnt use dovecot's LDA :)


Why not?




pure overkill, your MTA already knows where it goes, it doesn't need to 
do any special lookups, would you use postfix virtual, to deliver local 
user? no, of course you wouldn't :)




Re: [Dovecot] Best way from Mbox to Maildir using 2.17?

2013-11-05 Thread Noel Butler

On 05/11/2013 22:04, Daniele Nicolodi wrote:

On 05/11/2013 12:24, Noel Butler wrote:

On 05/11/2013 20:11, Daniele Nicolodi wrote:

On 05/11/2013 11:04, Noel Butler wrote:




but using system users, you wouldnt use dovecot's LDA :)


Why not?



pure overkill, your MTA already knows where it goes, it doesn't need to
do any special lookups, would you use postfix virtual, to deliver local
user? no, of course you wouldn't :)


Using dovecot-lda has nothing to do with postfix virtual users, it is
the only way I know to use sieve filtering and have messages indexed at
delivery.

Cheers,
Daniele


again, overkill, system users means users have full access to system 
account and can write procmail rules, if you don't allow that access, 
then you don't trust them, so you should be using virtual users.




Re: [Dovecot] Best way from Mbox to Maildir using 2.17?

2013-11-05 Thread Noel Butler

On 06/11/2013 05:08, Benny Pedersen wrote:

Noel Butler skrev den 2013-11-05 12:24:

On 05/11/2013 20:11, Daniele Nicolodi wrote:

On 05/11/2013 11:04, Noel Butler wrote:



pure overkill, your MTA already knows where it goes, it doesnt need to
do any special lookups, would you use postfix virtual, to deliver
local user? no, of course you wouldnt :)


one day postfix will as exim support sieve, just wait :)


why would I wait, we use postfix and only in virtual users, very zippy, 
very resource nice, makes us very happy, but maybe you were meaning 
something else, as I've just woken up so off to have some coffee, it 
might click later on :)




Re: [Dovecot] Best way from Mbox to Maildir using 2.17?

2013-11-04 Thread Noel Butler

On 04/11/2013 14:33, Regan Yelcich wrote:

On 2/11/2013, at 11:40 pm, Noel Butler noel.but...@ausics.net wrote:


On 02/11/2013 20:25, Regan Yelcich wrote:

Can someone advise the best way to convert mailboxes from Mbox to
Maildir for Dovecot 2.17 on Ubuntu? Thanks.



mb2md.pl

http://batleth.sapienti-sat.org/projects/mb2md/



I don't need to do anything specific for Dovecot? It'll see the new
Maildir account and automatically create the indexes etc?


IIRC it shows you how to use it, you need to indicate where the new 
maildir is, if you have only a few, do them all manually, if you have 
many, write a quick bash or perl script to do them, and dovecot will 
create the indexes when they log in.


You will need to tell dovecot to look for the new location though, if 
you're using system users as I suspect you are, then maildir:~/Maildir 
should do it *but* don't forget to make sure your MTA knows to use 
maildir as well, I've not worked with system users for a decade, but I 
think in postfix   home_mailbox = Maildir/ will do it, with sendmail it's 
much more tricky and you're best sticking with mbox, if exim, NFI - don't 
use it :)




Re: [Dovecot] Best way from Mbox to Maildir using 2.17?

2013-11-04 Thread Noel Butler

On 05/11/2013 01:16, Mark Moore wrote:


mb2md.pl

http://batleth.sapienti-sat.org/projects/mb2md/



The program has at least 2 bugs in it:

. If the body has paragraph break (i.e., '\n') followed by the RFC822
  keyword 'From', the original message will lose the last half of
  the message and a phantom message will be created.

  Change from my notes:

#   if ( /^From /
# -to-
#   if ( /^From .*? \d\d:\d\d:\d\d \d\d\d\d/

. I never could figure out where the second bug was. This one created
  some messages with blank subject lines.



Never noticed this, but, it was a very very long time ago I last used 
it, and since most users over here have always been pop3, probably never 
had many to convert in the first place when I did use it, so risk was so 
low. I think it was around the time we merged, and had to combine 
sendmail/dovecot and qmail/vpopmail/dovecot systems into just a 
postfix/dovecot solution, either we fluked it, or any affecteds didn't 
bother to report it.



Another annoyance was prefixing the newly created mail folders with a '.'




As Charles has already mentioned, that's how Maildir works
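
The false "From " split reported for mb2md in this thread, the stricter separator pattern from the poster's notes, and the mbox(5) quoting rule quoted in the other reply, put side by side as an added Python example (it is not mb2md's code and not from any poster). The sample mailbox, the function names, the blank-line check and the one-level ">From " unquoting are assumptions made for the illustration.

```python
import re

# Constructed sample mailbox: two real messages. The first body contains an
# unquoted line starting with "From " right after a blank line, plus one line
# that the delivery agent quoted correctly as ">From ".
SAMPLE_MBOX = (
    "From alice@example.org Tue Nov  5 08:10:46 2013\n"
    "Subject: status\n"
    "\n"
    "Report attached.\n"
    "\n"
    "From what I can tell the job finished.\n"
    ">From here on it is quoted correctly.\n"
    "\n"
    "From bob@example.org Tue Nov  5 09:30:00 2013\n"
    "Subject: re: status\n"
    "\n"
    "Thanks.\n"
)

# Separator test as reported for the converter: any line starting "From ".
NAIVE = re.compile(r"^From ")
# Stricter test from the notes in the thread: the line must also carry an
# asctime-style "HH:MM:SS YYYY" timestamp.
STRICT = re.compile(r"^From .*? \d\d:\d\d:\d\d \d\d\d\d")
# A quoted body line; stripping one '>' restores the original text
# (assumption: the writer quoted by prepending a single '>').
QUOTED_FROM = re.compile(r"^>(>*From )")


def split_mbox(text, separator, require_blank_before=False):
    """Split mbox text into messages (lists of lines, separator line dropped)."""
    messages = []
    current = None
    prev_blank = True  # the start of the file counts as a blank line
    for line in text.splitlines():
        is_sep = separator.match(line) and (prev_blank or not require_blank_before)
        if is_sep:
            if current is not None:
                messages.append(current)
            current = []
        elif current is not None:
            current.append(line)
        prev_blank = (line == "")
    if current is not None:
        messages.append(current)
    return messages


def subject_of(message):
    """Return the Subject header value, or None if the header block has none."""
    for line in message:
        if line == "":
            break  # end of headers
        if line.lower().startswith("subject:"):
            return line.split(":", 1)[1].strip()
    return None


def body_of(message):
    """Return the body lines with trailing blanks dropped and '>From ' unquoted."""
    try:
        start = message.index("") + 1
    except ValueError:
        return []
    body = message[start:]
    while body and body[-1] == "":
        body.pop()
    return [QUOTED_FROM.sub(r"\1", line) for line in body]


def subjects(messages):
    return [subject_of(m) for m in messages]


if __name__ == "__main__":
    naive = split_mbox(SAMPLE_MBOX, NAIVE)
    strict = split_mbox(SAMPLE_MBOX, STRICT, require_blank_before=True)
    print("naive :", len(naive), "messages, subjects", subjects(naive))
    print("strict:", len(strict), "messages, subjects", subjects(strict))
    print("first body (strict):", body_of(strict[0]))
```

With the naive pattern the first message is cut at the unquoted body line and a header-less extra message appears; with the stricter pattern and the blank-line check the mailbox splits into its two real messages.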




Re: [Dovecot] Best way from Mbox to Maildir using 2.17?

2013-11-02 Thread Noel Butler

On 02/11/2013 20:25, Regan Yelcich wrote:

Can someone advise the best way to convert mailboxes from Mbox to
Maildir for Dovecot 2.17 on Ubuntu? Thanks.




mb2md.pl

http://batleth.sapienti-sat.org/projects/mb2md/


Re: [Dovecot] OT: PHP session data storage

2013-10-28 Thread Noel Butler

On 29/10/2013 10:10, Michael Orlitzky wrote:


On 10/28/2013 04:10 PM, Reindl Harald wrote:


php_admin_value open_basedir /var/www/$domain/$host/
php_admin_value upload_tmp_dir /var/www/$domain/$host/tmp
php_admin_value session.save_path /var/www/$domain/$host/tmp
php_admin_value sys_temp_dir /var/www/$domain/$host/tmp


oh no - do *not* place the sessiondata anywhere inside open_basedir
this is one of the worst things you can do because any otherwise
harmless script bypassed whatever security restriction will be able
to read *any* session data



You have a point, but I wouldn't go as far as to say it's one of the
worst things you can do. If a vulnerable PHP script allows an attacker
to (at least try to) read arbitrary files, then it's possible to read
session data that lies within open_basedir. Note that they can already
 read your database credentials out of config.php at that point.

But, if you put the session data under open_basedir, then it's easy to
restrict access to the entire /var/www/example.com hierarchy to the
one user that needs it: www.example.com. In the scenario I described,
I'm able to tell our customers that their websites are physically
separated from our other customers.

If there's a vulnerability in someone else's site, the kernel (via
filesystem ACLs) will prevent it from affecting yours. The web user
for example.NET truly cannot even traverse /var/www/example.COM, where
everything important to you is stored. This is robust against Apache,
Ruby, Python, etc. vulnerabilities as well -- not just PHP.

I already mentioned that I don't trust PHP. Our sites would be just as
secure if open_basedir stopped working tomorrow, since the filesystem
ACLs are what we trust to work. So, we trade the potential to read
sessions for that peace of mind. Not trying to downplay your
complaint, just pointing out another POV.


Some time ago, we too, evaluated the pros and cons given our design, and 
we too, decided on the lesser evil and keep it under open_basedir, have 
done for many many years without problem, of course I'm not so naive to 
think it may never one day be a problem for a single host, when running 
shared hosting there are always risks, in everything.




Re: [Dovecot] Encryption solution for messages at rest

2013-10-28 Thread Noel Butler

On 29/10/2013 03:19, Robert Schetterer wrote:




https://perot.me/encrypt-specific-incoming-emails-using-dovecot-and-sieve




I got worried, laughed, and stopped reading at:

not only do you not have to edit any Postfix configuration (which by 
itself is an exercise in patience),



As you know, postfix can be done in your sleep, if he thinks he needs 
patience to do postfix, I should introduce him to sendmail configuration 
(which I also think is easy - but having used it for 15 years before 
moving to postfix, I guess it would want to be easy LOL) :)




Re: [Dovecot] pigeonhole sources no more available

2013-10-28 Thread Noel Butler
u someone doesnt use DNSSEC... its been hijacked me thinks

http://www. medicalbits.  nl/    really?  :)


On Tue, 2013-10-29 at 14:05 +1100, m...@electronico.nc wrote:

 Hi all,
 Please excuse me for this message but I can't find the pigeonhole 
 sources available anymore.
 This page : http://pigeonhole.dovecot.org/download.html
 Points to (for latest sources) : 
 http://www.rename-it.nl/dovecot/2.2/dovecot-2.2-pigeonhole-0.4.2.tar.gz
 And it seems that : www.rename-it.nl
 is now : http://www.medicalbits.nl
 So we get 404 error ...
 Could someone point us the to right URL and, maybe, update 
 pigeonhole.dovecot.org ?
 Thanks in advance for your time.
 Nicolas




Re: [Dovecot] Strange output from LIST command

2013-10-25 Thread Noel Butler

On 25/10/2013 17:20, azurIt wrote:

From: Noel Butler noel.but...@ausics.net
To: dovecot@dovecot.org
Date: 25.10.2013 00:42
Subject: Re: [Dovecot] Strange output from LIST command

On 24/10/2013 23:48, azurIt wrote:



How am I supposed to know that my report was even noticed by any
developer?

azur


http://dictionary.reference.com/browse/patience




This is NOT about patience.

azur


of course it is, you report an alleged bug, now you wait until developer 
notes, and attempts to reproduce it, and if he can, commits a fix, else 
he will tell you he can not reproduce it.



I do see your point about needing confirmation the report was made, it's 
why we use bugzilla, it would be beneficial if Timo did as well, but he 
chooses not to, he did give a reason for this, but it was many many 
years ago when he had more free time, now his time is scarce, one day he 
may reconsider it, so in meantime you need to wait it out, hence, 
patience. Dovecot does have a commercial side as Steffen alluded to, so 
if your bug is debilitating your business, you could always engage the 
commercial side of Dovecot, the fix which obviously is not affecting the 
masses, would likely gain priority.








Re: [Dovecot] Strange output from LIST command

2013-10-24 Thread Noel Butler

On 24/10/2013 23:48, azurIt wrote:



How am I supposed to know that my report was even noticed by any 
developer?


azur


http://dictionary.reference.com/browse/patience


Re: [Dovecot] fstat() errors on /srv/mail/username/dovecot.index.log

2013-10-22 Thread Noel Butler

Zach,

Thanks for following up with the list, though I don't and won't touch 
anything debian/insert-variant-distro-here, there are plenty here who 
do, and may in time appreciate your feedback if they strike same.



On 23/10/2013 00:14, Zach La Celle wrote:

On 10/17/2013 09:23 AM, Zach La Celle wrote:

On 10/17/2013 05:25 AM, Noel Butler wrote:

On 17/10/2013 00:08, Zach La Celle wrote:

Dovecot version 2.1.7
Ubuntu 12.04.3 LTS
Kernel 3.2.0-35-generic x86_64

I'm not sure exactly when this started occurring, but sporadically users
report issues receiving email, having email saved to Sent, etc.
Looking in dovecot.log, I see the following errors:

2013-10-16 09:53:20 imap-login: Info: Login: user=user1, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=27434, secured, session=PnoiBtzoBgB/AAAB
2013-10-16 09:53:20 imap(user1): Info: Disconnected: Logged out in=93 out=846
2013-10-16 09:53:21 imap(user2): Info: Disconnected: Logged out in=3616 out=495
2013-10-16 09:53:24 imap-login: Info: Login: user=user3, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=27436, secured, session=jE5kBtzoBwB/AAAB
2013-10-16 09:53:24 imap(user3): Info: Disconnected: Logged out in=93 out=819
2013-10-16 09:53:33 imap(user4): Error: fstat() failed with file /srv/mail/user4/dovecot.index.log: No such file or directory
2013-10-16 09:53:33 imap(user4): Error: fstat() failed with file /srv/mail/user4/dovecot.index.log: No such file or directory
2013-10-16 09:53:33 imap(user4): Error: fstat() failed with file /srv/mail/user4/dovecot.index.log: No such file or directory
2013-10-16 09:53:33 imap(user4): Error: fstat() failed with file /srv/mail/user4/dovecot.index.log: No such file or directory
2013-10-16 09:53:33 imap(user4): Error: fstat() failed with file /srv/mail/user4/dovecot.index.log: No such file or directory
2013-10-16 09:53:33 imap(user4): Error: fstat() failed with file /srv/mail/user4/dovecot.index.log: No such file or directory
2013-10-16 09:53:41 imap-login: Info: Login: user=user3, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=27438, secured, session=UDJlB9zoCAB/AAAB
2013-10-16 09:53:41 imap(user3): Info: Disconnected: Logged out in=93 out=819
2013-10-16 09:54:12 imap-login: Info: Login: user=user1, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=27440, secured, session=6bI5CdzoCQB/AAAB
2013-10-16 09:54:12 imap(user1): Info: Disconnected: Logged out in=93 out=846
2013-10-16 09:54:12 imap(user5): Info: Disconnected: Logged out in=736 out=7064
2013-10-16 09:54:15 imap-login: Info: Login: user=user6, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=27442, secured, session=t+FnCdzoCgB/AAAB
2013-10-16 09:54:15 imap(user6): Info: Disconnected: Logged out in=95 out=902
2013-10-16 09:54:20 imap-login: Info: Login: user=user1, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=27444, secured, session=c/q1CdzoCwB/AAAB
2013-10-16 09:54:20 imap(user1): Info: Disconnected: Logged out in=93 out=846
2013-10-16 09:54:24 imap-login: Info: Login: user=user3, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=27446, secured, session=nOb3CdzoDAB/AAAB
2013-10-16 09:54:24 imap(user3): Info: Disconnected: Logged out in=93 out=819

These errors are not confined to a single user, and do not occur with
the same frequency.



This isnt per chance on a NAS/SAN/DAS is it?


No, it is not on a SAN.  I saw that thread a while back, but this
doesn't seem to be related.

I originally was running the Dovecot shipped with the default Ubuntu
repositories (don't remember which version, but it was 1.*) and used a
backport to upgrade to 2.1.7 to see if that fixed it.  It did not.

Any ideas why this is happening?

gawd knows what debian (that's all ubuntu is, same package maintainers
99% of time) do to things, wouldn't be the first time they put out a
package that was kaput from get go, so doveconf -n  output will likely
be required


I can provide dovecot -n output if this doesn't answer the question,
but it might be an apparmor issue.  We recently enabled apparmor
protection, and it seems that it generated an ungodly amount of profiles
in complain mode.  So many, that it was causing issues with usage of the
openssl library.

Putting it in to enforce mode seems like it might fix the problem.  I'll
post more information once this is confirmed or denied.

I'm replying to this post for completeness.  This was definitely a
problem with AppArmor in complain mode breaking IMAP.  It was generating
an incredible amount of logging information, and ended up blocking
access to the OpenSSL .so files every once in a while.

Putting AppArmor into enforce mode (after checking all of the rules and
verifying functionality) worked.  No more fstat() errors.


Re: [Dovecot] Odd Feature Request - RBL blacklist lookup to prevent authentication

2013-10-22 Thread Noel Butler

On 23/10/2013 05:45, Rick Romero wrote:




IMHO, the problem with all out blocks on auth is the same as doing an all
out block based on SPF - so many IPs are shared you can easily get false
positives.



Blocks using SPF will not be FP's, they will be by your internal 
decision, so will be a genuine block 'hit', even if you don't keep your 
RR current, that's the admins fault, not the users, or blockers.



But I agree with you on the rest, since of those 500K IP's Marc claims 
to have I'd bet that 99% are hijacked innocent pc's/servers, and of 
them, 75% would likely be a one time usage.





Re: [Dovecot] fstat() errors on /srv/mail/username/dovecot.index.log

2013-10-17 Thread Noel Butler

On 17/10/2013 00:08, Zach La Celle wrote:

Dovecot version 2.1.7
Ubuntu 12.04.3 LTS
Kernel 3.2.0-35-generic x86_64

I'm not sure exactly when this started occurring, but sporadically users
report issues receiving email, having email saved to Sent, etc.
Looking in dovecot.log, I see the following errors:

2013-10-16 09:53:20 imap-login: Info: Login: user=user1, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=27434, secured, session=PnoiBtzoBgB/AAAB
2013-10-16 09:53:20 imap(user1): Info: Disconnected: Logged out in=93 out=846
2013-10-16 09:53:21 imap(user2): Info: Disconnected: Logged out in=3616 out=495
2013-10-16 09:53:24 imap-login: Info: Login: user=user3, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=27436, secured, session=jE5kBtzoBwB/AAAB
2013-10-16 09:53:24 imap(user3): Info: Disconnected: Logged out in=93 out=819
2013-10-16 09:53:33 imap(user4): Error: fstat() failed with file /srv/mail/user4/dovecot.index.log: No such file or directory
2013-10-16 09:53:33 imap(user4): Error: fstat() failed with file /srv/mail/user4/dovecot.index.log: No such file or directory
2013-10-16 09:53:33 imap(user4): Error: fstat() failed with file /srv/mail/user4/dovecot.index.log: No such file or directory
2013-10-16 09:53:33 imap(user4): Error: fstat() failed with file /srv/mail/user4/dovecot.index.log: No such file or directory
2013-10-16 09:53:33 imap(user4): Error: fstat() failed with file /srv/mail/user4/dovecot.index.log: No such file or directory
2013-10-16 09:53:33 imap(user4): Error: fstat() failed with file /srv/mail/user4/dovecot.index.log: No such file or directory
2013-10-16 09:53:41 imap-login: Info: Login: user=user3, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=27438, secured, session=UDJlB9zoCAB/AAAB
2013-10-16 09:53:41 imap(user3): Info: Disconnected: Logged out in=93 out=819
2013-10-16 09:54:12 imap-login: Info: Login: user=user1, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=27440, secured, session=6bI5CdzoCQB/AAAB
2013-10-16 09:54:12 imap(user1): Info: Disconnected: Logged out in=93 out=846
2013-10-16 09:54:12 imap(user5): Info: Disconnected: Logged out in=736 out=7064
2013-10-16 09:54:15 imap-login: Info: Login: user=user6, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=27442, secured, session=t+FnCdzoCgB/AAAB
2013-10-16 09:54:15 imap(user6): Info: Disconnected: Logged out in=95 out=902
2013-10-16 09:54:20 imap-login: Info: Login: user=user1, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=27444, secured, session=c/q1CdzoCwB/AAAB
2013-10-16 09:54:20 imap(user1): Info: Disconnected: Logged out in=93 out=846
2013-10-16 09:54:24 imap-login: Info: Login: user=user3, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=27446, secured, session=nOb3CdzoDAB/AAAB
2013-10-16 09:54:24 imap(user3): Info: Disconnected: Logged out in=93 out=819

These errors are not confined to a single user, and do not occur with
the same frequency.




This isnt per chance on a NAS/SAN/DAS is it?


I originally was running the Dovecot shipped with the default Ubuntu
repositories (don't remember which version, but it was 1.*) and used a
backport to upgrade to 2.1.7 to see if that fixed it.  It did not.

Any ideas why this is happening?


gawd knows what debian (that's all ubuntu is, same package maintainers 
99% of time) do to things, wouldn't be the first time they put out a 
package that was kaput from get go, so doveconf -n  output will likely 
be required




Re: [Dovecot] POP3 Setup help - more info

2013-10-14 Thread Noel Butler

On 15/10/2013 02:58, /dev/rob0 wrote:


In addition to the ignored replies in the other thread, I'll ask
this: why do you want to use POP3? IMAP can do everything POP3 can
do, and it's superior in many ways. POP3 should have died out a
decade ago.


Not sure what country he's in, but I'll comment on that comment :)
Some countries, disks are not cheap, for instance in Australia, disks 
and most hardware is on average over 200% more expensive, than the U.S., 
I've been given some pricing that makes it 350% dearer.


Most ISPs here, even the largest ones, only offer pop3 - imap is 
reserved for those very few using webmail.


Of the very few that do offer imap, the take up rate over the years is 
negligible, such that it is not worth the effort, likely due to privacy 
which most aussies take seriously.


Although we are not as bad as the US with its publicised broad over 
reaching FISA warrants, it is still all too easy for law enforcement 
here to get warrants to secretly access your mail if on ISP servers, but 
bloody hard to do so if you use pop3 and have already d/l it to whatever 
device/client you choose to use.


Then there's the other law, yes, those obnoxious jackass interfering 
govt #$E# with nothing else to do but regulate everything but thin air 
(give em time they'll do that too), IOW, imap, providing a service where 
every single email is stored on servers, you are accountable for, and 
must be recovered, even if idiot1234 deletes a message by mistake and 
when you say, no, you deleted it tough luck, you can be sued for their 
loss of data.


With pop3 that onus and risk is removed.



Re: [Dovecot] Transparent Migration from cyrus to dovecot

2013-10-12 Thread Noel Butler

On 12/10/2013 19:22, Daniel Parthey wrote:


No mail will be lost, since it should remain in the remote MTA's mail
queue for a while in order to be retried and delivered later.



No guarantee there, some services are broken and do not retry, hotmail 
used to, and I've heard in some cases, still does, do this, some 
marketing systems (ok, so that's no loss) do this - their reasoning is 
because of such high outbound queues, it would only delay first runs and 
upset their clients, again, no loss to me, but one person's spam can be 
another's ham.


It is after all why we have secondary MX's, on network, and if need be, 
off network.





Re: [Dovecot] SSL with startssl.com certificates

2013-10-09 Thread Noel Butler

On 10/10/2013 06:09, Eliezer Croitoru wrote:


I would imagine that 4k bits certificate handshake and validation can
take more than 1 sec..
Am I right about it?



hardly

and the size is not his problem.

he was given a test account on my network when I last saw this thread 
(few weeks back?), that uses startssl, and 4096 certs, his mail.app 
connected fine.





Re: [Dovecot] SSL with startssl.com certificates

2013-10-09 Thread Noel Butler
I can't recall if we previously discussed it, but, why the fascination 
with imaps, why not use TLS on 143, or won't that connect either? tried 
pop3 TLS ? pop3s?


and when you test, use -CAfile /path/to/(startssl's)CA.pem

I see no auth mech statement, so using the default is limited, IIRC, 
login is re



auth_mechanisms = plain login



On 10/10/2013 10:51, Dan Langille wrote:

On Oct 9, 2013, at 6:33 PM, Noel Butler wrote:


On 10/10/2013 06:09, Eliezer Croitoru wrote:


I would imagine that 4k bits certificate handshake and validation can
take more than 1 sec..
Am I right about it?


hardly

and the size is not his problem.

he was given a test account on my network when I last saw this thread 
(few weeks back?), that uses startssl, and 4096 certs, his mail.app 
connected fine.


I would like to investigate that more if you like.  Others have
experienced problems connecting to my test server.  I can't believe I've
created a non-functional Dovecot configuration.

One avenue I will pursue: if I swap from 4096 to 2048, why does it work?

Here is a connection with a 4096 cert:

$ openssl s_client -connect imaps.unixathome.org:993
CONNECTED(0003)
depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/description=VwhdJi0sLHP3BDtQ/C=US/ST=Pennsylvania/L=Media/O=Daniel Langille/CN=imaps.unixathome.org/emailAddress=postmas...@unixathome.org
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
 2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---


Here is it with a 2048 cert:

$ openssl s_client -connect imaps.unixathome.org:993
CONNECTED(0003)
depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/description=3Hs89se3p9RsmJBG/C=US/ST=Pennsylvania/L=Media/O=Daniel Langille/CN=test1.langille.org/emailAddress=postmas...@langille.org
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
 2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority

The only thing I change in the configuration is:

# MY KEYS
#ssl_cert = /usr/local/etc/ssl/dovecot.pem
#ssl_key  = /usr/local/etc/ssl/imaps.unixathome.org.nopassword.key

# My 2048 key
ssl_cert = /usr/local/etc/ssl/2048/test1.langille.org.BUNDLE.cert
ssl_key  = /usr/local/etc/ssl/2048/test1.langille.org.nopassword.key

Current configuration is:

# doveconf -n
# 2.2.6: /usr/local/etc/dovecot/dovecot.conf
# OS: FreeBSD 9.1-RELEASE-p6 amd64
auth_debug = yes
auth_verbose = yes
first_valid_gid = 1001
first_valid_uid = 1001
mail_debug = yes
mail_location = maildir:~/Maildir
mail_privileged_group = mail
passdb {
  args = scheme=SHA512-CRYPT /var/db/dovecot.users
  driver = passwd-file
}
protocols = imap
service imap-login {
  inet_listener imap {
    address = 199.233.228.197
  }
  inet_listener imaps {
    address = 199.233.228.197
  }
}
ssl_ca = /usr/local/etc/ssl/sub.class2.server.ca.pem
ssl_cert = /usr/local/etc/ssl/2048/test1.langille.org.BUNDLE.cert
ssl_key = /usr/local/etc/ssl/2048/test1.langille.org.nopassword.key
userdb {
  args = /var/db/dovecot.users
  driver = passwd-file
}
verbose_proctitle = yes




Re: [Dovecot] SSL with startssl.com certificates

2013-10-09 Thread Noel Butler

On 10/10/2013 13:36, Noel Butler wrote:

I can't recall if we previously discussed it, but, why the fascination
with imaps, why not use TLS on 143, or wont that connect either? tried
pop3 TLS ? pop3s?

and when you test, use -CAfile /path/to/(startssl's)CA.pem

I see no auth mech statement, so using the default is limited, IIRC, 
login is re



auth_mechanisms = plain login





bugger..  stupid webmail... as I was trying to say, IIRC type login 
is required for ssl, at least with winblows clients, try adding the 
above and see what goes.
plain is preferred, but that's because TLS is preferred.

use the  local - int- ca   cert.pem
and remove the ssl_ca option



Re: [Dovecot] POP3 Setup help

2013-10-08 Thread Noel Butler

On 09/10/2013 03:40, Thomas I Higgins wrote:
I am lost as to what I am missing.  I am setting up dovecot 2.0.9 on a RHEL
6.4 machine as provided by my provider.  I have IMAP up and running, and I
have POP3 up and running.  Testing confirms this.  Also, if it makes a
difference, I enabled dovecot as my LDA.  Sendmail was set up as well due to
our 1.x version using it and I thought I had to.  Anyway, everything is
working perfectly with the services, except the mail is sending to the
wrong location for POP.  I am trying to use Maildir for both services, but
it keeps delivering the POP3 mail to /var/spool/mail/u% instead of to
Maildir as specified in the configuration files.  I have rechecked every
setting at least twice and still can't see what I am doing wrong.  I
suppose I can use mbox and redirect after making the appropriate namespace
changes, but that has its own potential drawbacks and seems more like a
kludge than the correct way around this (unless I misunderstand how it
should work).  Can anyone point me in the right direction on how to fix
this?

Thanks in advance,

Thomas Higgins


it's a lovely day here, but you must be far away and bad weather in 
between us, as my ESP doesn't seem to get through, so we'll have to 
revert to the old manual hard labour way by you executing doveconf -n , 
copy and pasting that output into a list reply.




Re: [Dovecot] Yet another going from 1.2 to 2.X question: authentication

2013-10-07 Thread Noel Butler

On 07/10/2013 14:17, Mauricio Tavares wrote:


  Makes sense, so I shall set them up as

/etc/dovecot/conf.d/10-master.conf
# http://wiki2.dovecot.org/HowTo/PostfixAndDovecotSASL

service auth {
  unix_listener auth-userdb {
    mode = 0600
    user = virtual # User running Dovecot LDA's deliver
  }

  # Dovecot as SASL Auth
  unix_listener /var/spool/postfix/private/dovecot-auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}



Looks good to me


Thanks for the help (and sorry for the late reply)! Now as soon as the
namespaces make sense to me and I figure out how to get sieve properly
configured I can do the upgrade.


hehe, no problems, I wont comment on namespaces since I don't use 
anything special in that regards, but sieve is easy to configure


service managesieve-login {
  service_count = 1
  process_min_avail = 0
  vsz_limit = 64M
  inet_listener sieve {
    port = 4190
  }
}

service managesieve {
  process_limit = 1024
}

protocol sieve {
  managesieve_max_line_length = 65536
  managesieve_logout_format = bytes=%i/%o
  managesieve_implementation_string = Dovecot Pigeonhole
  managesieve_max_compile_errors = 5
  mail_max_userip_connections = 10
}


set...
in global:
protocols = pop3 imap sieve (assuming you use both pop3 and imap)


protocol lda:
 mail_plugins = $mail_plugins sieve


and in the plugin section, something like
sieve = ~/.dovecot.sieve
sieve_dir = ~/sieve
sieve_vacation_min_period = 1d
sieve_vacation_default_period = 7d

...and you're all set



Re: [Dovecot] couple of errors on new setup

2013-10-06 Thread Noel Butler

On 06/10/2013 03:16, Dean Guenther wrote:




mail_location = mbox:~/mail:INBOX=/var/spool/mail/%u
mail_privileged_group = mail
mbox_write_locks = fcntl



mbox over NFS has *never* been recommended, it is unsafe - for any 
pop/imap type server, not just dovecot. If it's not too late, and since 
you are testing a new server it can't be, change to Maildir, it was 
designed specifically for this very reason.



also should use:

mail_fsync = yes
mail_nfs_index = yes
mail_nfs_storage = yes
mmap_disable = yes








Re: [Dovecot] couple of errors on new setup

2013-10-06 Thread Noel Butler

On 07/10/2013 04:58, Timo Sirainen wrote:

On 6.10.2013, at 4.04, Noel Butler noel.but...@ausics.net wrote:


mail_nfs_index = yes
mail_nfs_storage = yes


These are never recommended. They may be a kludgy workaround to avoid
worst problems, but they will never work 100% In the recommended
configurations (one Dovecot server or director cluster) you won't need
them.


Ahh OK, thanks, our configs have been carried over since early days when 
this was recommended, certainly never seen any errors with them on our 
cluster (and we don't use director).




Re: [Dovecot] retr errors

2013-10-06 Thread Noel Butler

On 07/10/2013 11:19, Bill Morgan wrote:

On 10/6/2013 5:58 PM, Daniel Parthey wrote:

Hi Bill,

any intercepting virus scanner or personal firewall software between 
your mail client and the dovecot server?


Regards
Daniel

McAfee



As I'm sure Daniel was implying, did you also test without these?
Also, do they provide webmail? Next time you get a stuck message, log in 
to webmail and see if it's OK there, try using only webmail for a week or 
two, if you have this trouble every day, you'll soon reproduce it, or 
rule out the ISP end.



and the ISP wasn't interested in the wireshark traces.


Bearing in mind that ISP tech support is exactly that, ISP Tech 
Support, not Microsoft support, or Apple support or whatever, the ISP 
can only support its services, not your local client software, if they 
can prove, and your ISP should have by process of elimination, for 
instance, webmail, you have no trouble, then they have ruled out an ISP 
related cause, and they are well within their rights to say not our 
problem.


Also remember, engineers tend to act/get-involved when complaints are 
en masse, it's to their advantage to look at it then, IOW, the care factor 
will increase with multiple people exhibiting the same problem over a 
short or same period of time.




I know, I should change the ISP and see if the problem goes away. :-)



Sounds like a fair idea to me if you rule out everything on your end and 
can prove beyond doubt it is the ISP, else you'll just be moving the 
problem sideways, not up towards resolution.





Re: [Dovecot] fail2ban

2013-10-04 Thread Noel Butler
On Fri, 2013-10-04 at 15:47 +1000, Nick Edwards wrote:
 For dovecot 2.1
 
 as per wiki2,  is this still valid?  noticed a problem before and saw
 it does seem to be triggering, I use:
 

looks outdated

 filter.d/dovecot.conf

That'll never work, you need to change

 [Definition]
 failregex = (?: pop3-login|imap-login): (?:Authentication
to

failregex = (?: pop3-login|imap-login): .*(?:Authentication
^^

BUT, then, with the rest of your regex, it will only partly match
because it's looking for something like ,TLS at the end, which
won't appear on failed imap/pop3 logins that don't use TLS, etc, so any
failed attempts using TLS will be found, if they are not using it, they
will be missed (most miscreants likely won't be using it anyway)

I am NO python expert,  in fact, I know less than less about python, so
you'll best need to wait for someone who knows the answer, or ask on
fail2ban list, on how you can change that to match both, by changing
the last bit to
\(auth failed).*rip=(?P<host>\S*) some variable here to match
on ,TLS or nothing at all

in meantime, you could repeat your failregex, like

failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|
Aborted login \(auth failed|Aborted login \(tried to use disabled|
Disconnected \(auth failed).*rip=(?P<host>\S*),.*
(?: pop3-login|imap-login): .*(?:Authentication failure|Aborted
login \(auth failed|Aborted login \(tried to use disabled|Disconnected
\(auth failed).*rip=(?P<host>\S*)


I think that's horrible, messy, yukky, but it likely might work :)  at
least until you find a better answer, there are some fail2ban fanbois on
this list, but as it's the weekend, you may need to be patient.



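The single-expression form the message above asks for, as an added example that is not part of the original post or the Dovecot wiki. The optional trailing group, the `[^\s,]+` host class and the sample log lines are assumptions constructed here to cover the two cases the message describes (fields after rip=, and rip= as the last field).

```python
import re

# Prefix and failure alternatives exactly as they appear in the message above.
PREFIX = (r"(?: pop3-login|imap-login): .*(?:Authentication failure|"
          r"Aborted login \(auth failed|Aborted login \(tried to use disabled|"
          r"Disconnected \(auth failed).*rip=")

# Form from the message: a comma and more text must follow the address.
REQUIRES_TRAILER = re.compile(PREFIX + r"(?P<host>\S*),.*")

# Assumption (not from the thread): make the trailer optional and stop the
# host group at whitespace or a comma, so one expression covers both cases.
OPTIONAL_TRAILER = re.compile(PREFIX + r"(?P<host>[^\s,]+)(?:,.*)?$")

# Constructed sample lines using documentation addresses, not real logs.
SAMPLE_LINES = [
    # failed login, fields (including TLS) after rip=
    "dovecot: imap-login: Disconnected (auth failed, 2 attempts): "
    "user=<bob>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, TLS",
    # failed login, rip= is the last field on the line
    "dovecot: pop3-login: Aborted login (auth failed, 1 attempts): "
    "user=<amy>, method=PLAIN, rip=203.0.113.7",
    # successful login, must never be reported as a failure
    "dovecot: imap-login: Login: user=<bob>, method=PLAIN, "
    "rip=192.0.2.10, lip=198.51.100.5, TLS",
]


def hosts(pattern, lines):
    """Return the captured host per line, or None where the line does not match."""
    found = []
    for line in lines:
        match = pattern.search(line)
        found.append(match.group("host") if match else None)
    return found


if __name__ == "__main__":
    for name, pattern in (("requires trailer", REQUIRES_TRAILER),
                          ("optional trailer", OPTIONAL_TRAILER)):
        print(name, hosts(pattern, SAMPLE_LINES))
```

Before deploying a changed filter, run it over a copy of the real log with fail2ban-regex, as suggested in the follow-up reply.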


Re: [Dovecot] fail2ban

2013-10-04 Thread Noel Butler
On Fri, 2013-10-04 at 21:55 +0200, Gordon Grubert wrote:


  
 
 this is no problem of dovecot. Nevertheless, for analysis, you can use
 fail2ban-regex when applying your filter to your logfile.
 


Kind of right, but the dovecot wiki apparently contains wrong
information, so I think it's fair enough it be brought up on this list
as per my previous, when someone comes up with simpler working example
than what I suggested, Timo can fix it





Re: [Dovecot] recipient_delimiter

2013-09-26 Thread Noel Butler
On Fri, 2013-09-27 at 07:29 +1000, voy...@sbt.net.au wrote:


 
 I have working dovecot 2.1.1 with postfix, only have virtual domains, all
 users in mysql;
 
 '+' delimiter is enabled in postfix, and, works OK
 
 postfix]# grep _delimiter main.cf
 # The recipient_delimiter parameter specifies the separator between
 
 recipient_delimiter = +
 
 BUT, I seem to have nothing in dovecot.conf:
 
 postfix]# cd /etc/dovecot
 dovecot]# grep delimiter *
 
 dovecot]# cd conf.d
 conf.d]# grep delimiter *
 15-lda.conf:#recipient_delimiter = +
 20-lmtp.conf:# the mail to the detail mailbox. See also
 recipient_delimiter and
 20-lmtp.c_org:# the mail to the detail mailbox. See also
 recipient_delimiter and
 
 should I also enter $recipient_delimiter = ‘+’  in my
 /etc/dovecot/dovecot.conf ?
 
 what will it add to this working setup, what am I missing?
 
 thanks for all pointers
 


Not needed, dovecot defaults to that setting, adding it in postfix is
all that's required to work





