Re: Unable to get quotas working
On 01/06/2024 20:23, Adam Miller via dovecot wrote:

> Thank you! At the time, I was trying to get the most basic of quotas working which I have now successfully accomplished! I am happy to report that I also have the warning emails working.

Excellent.

> Is it possible that instead of a bash script for the warning emails to use a Python script instead?

Never been a fan of python, too much of a resource hog, even compared to perl, but as long as the variables are interpreted correctly, yes it should work.

> I also must investigate load balancing or at the very least, determining the best approach to scalability and high availability.

We've used NFS for years without problems, never used dovecot's director service either, however we use hardware load balancers, done right, this is simplest and most robust method, add/delete/down-for-update front end servers at your will without affecting anything, as for backend, don't use junk, I've found EMC storage gear very reliable, but know that NetApp is too. Over the years I've read about and witnessed many businesses with multi-day outages using clustered file systems that take out everything when they have a hissy fit, so I avoid them at all cost. NFS might be simplicity, but that means far fewer things to go wrong, and why some very large well known mail providers use it too.

--
Regards,
Noel Butler

___
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org
Re: Unable to get quotas working
On 30/05/2024 20:06, Adam Miller via dovecot wrote:

> however now I am having an issue trying to get the quota warning emails to work.

Your original post did not show a "service quota-warning" section where you tell dovecot what to run, I suggest you fully read everything to do with quota on the wiki (the relevant wiki files are also included in source packages)

--
Regards,
Noel Butler
Re: master-users problem
Hi Barbara,

On 14/12/2023 00:08, Barbara M. wrote:

> passdb {
>   args = /etc/dovecot/master-users
>   driver = passwd-file
>   master = yes
>   result_success = continue
> }

try replacing result_success with pass = yes

--
Regards,
Noel Butler
Re: possible doveadm expunge bug
On 18/09/2023 16:17, Aki Tuomi via dovecot wrote:

>> Aki, any ideas? Or have I hit a ridiculously low 1000D hard coded limit?
>>
>> ...and I know some troll will comment, so let me say yes I know I can and will likely have to use nix's "find" to actually cull them, but if doveadm has an expunge option, it should do what it is asked of it :)
>>
>> # doveconf -a
>> # 2.3.20 (80a5ac675d): /etc/dovecot/dovecot.conf
>> # Pigeonhole version 0.5.20 (149edcf2)
>> # OS: Linux 5.15.117 x86_64 Slackware 15.0 ext4
>>
>> - Yes I know 2.3.21 was released 2 days ago, but I'm not seeing anything in changelog/NEWS that's related
>>
>> --
>> Regards,
>> Noel Butler
>
> Hi!
>
> Can you try using strace for the doveadm command to see what it's up to?
>
> Aki

Aki,

Did you see anything out of the usual in the trace I sent you? Just asking since I've manually cleaned up most folders, but left one in case you'd like me to try something, so no urgency :)

--
Regards,
Noel Butler

This Email, including attachments, may contain legally privileged information, therefore at all times remains confidential and subject to copyright protected under international law. You may not disseminate this message without the authors express written authority to do so. If you are not the intended recipient, please notify the sender then delete all copies of this message including attachments immediately. Confidentiality, copyright, and legal privilege are not waived or lost by reason of the mistaken delivery of this message.
possible doveadm expunge bug
In my boredom, I was cleaning up my own public mailbox, do I really need lists/newsletters/forums posts from the 90's .. I think not, but let's still keep 5 years and expunge the rest... or try to... but expunge doesn't want to...

This error or lack of action, occurs on any mailbox, as an example

    doveadm expunge -u my@email mailbox Lists.FreeRadius SAVEDBEFORE $

now for $, pick your value

5 y/Y for years doesn't appear to exist, so converting it into 30 odd weeks, 30w or 30W did nothing, but rough convert it down to days 1800D appears to do something - showing a delay before returning to command line, but in reality it does nothing, 1800, 1500, 1200, nothing, only when I drop it to 1000D does it actually work, which is not suitable, since I'd like to keep 5 years worth.

Running doveadm -Dv exp... shows no errors just usual debug output about the base modules, quota stuff, and opening mailbox message followed then by user session closed, nothing at all anywhere that points to an error for executing this task, I did deliberately break it by altering the mailbox name to test and it rightfully did report the error the mailbox doesn't exist.

I thought it might be size related, freeradius one of the smaller lists having about 150k to nanog the biggest with over 400k messages, but I have others, like monthly newsletters with over 20yrs worth, but only 250 to 300 messages in their mailboxes that also fail, so it can't be barfing out at the size.

Aki, any ideas? Or have I hit a ridiculously low 1000D hard coded limit?

...and I know some troll will comment, so let me say yes I know I can and will likely have to use nix's "find" to actually cull them, but if doveadm has an expunge option, it should do what it is asked of it :)

# doveconf -a
# 2.3.20 (80a5ac675d): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.20 (149edcf2)
# OS: Linux 5.15.117 x86_64 Slackware 15.0 ext4

- Yes I know 2.3.21 was released 2 days ago, but I'm not seeing anything in changelog/NEWS that's related

--
Regards,
Noel Butler
Re: Replication going away?
On 26/07/2023 22:43, Marc wrote:

>>> A dns query for imap.web.de address records (IN A) returns two ip addresses.
>>
>> And I'm betting each IP is a hardware load balancer with crap load of servers behind each :)
>
> I am converting a bit to containers and there are so many applications that are not able to properly resolve and handle errors. Once they have an ip they stop doing anything. That it is nicely setup on the server side means nothing. If you do this for outgoing email, lots of email clients fail switching to the 2nd ip.

Interesting, if server end is using L4 DSR they shouldn't tell the difference, but I can't comment on containers or VM's, as we do not play in the virtual world, these things need as much raw power as possible.

--
Regards,
Noel Butler
Re: Replication going away?
On 20/07/2023 05:55, Gerald Galster wrote:

> A dns query for imap.web.de address records (IN A) returns two ip addresses.

And I'm betting each IP is a hardware load balancer with crap load of servers behind each :)

--
Regards,
Noel Butler
Re: Replication going away?
(I'm very late to this party so my comments may have been said at some point)

On 20/07/2023 03:53, Michael Peddemors wrote:

> Real world is a bit different.. DNS Caching.. While DNS Round Robin is good enough to distribute loads, it isn't a very good method for failover, even with a very short TTL. Many home

No, history showed DNS round robin proved abysmal, it led to real load balancing hardware and software being born.

These changes don't affect us, we've never used director, hardware load balancers FTW, and no replicator, nightly snapshots and multiple levels of raid on a NAS backend, but I do see smaller installs where it may be preferable to buying a $200k NAS :)

However, for those with shoe string budgets, for load balancing, this can be overcome by a software version, there are some for no cost if you have a spare machine, you might even pick up a real cheap old hardware balancer on likes of ebay.

> but it more of a last line failover, and during the time it takes for DNS to retry, and find another active node, an AWFUL lot of disgruntled customers will be calling ;)

Ahhh reminds me on the very early 90's :)

--
Regards,
Noel Butler
Re: Multiple backends with NFSv4.1 (supports file locking): should work without Director, right?
On 05/06/2023 20:52, Eirik Rye wrote:

> On 05/06/2023 11:14, Noel Butler via dovecot wrote:
>> [...]
>
> Both of you should grow up and keep this argument outside the mailing list.

yes mum
Re: Multiple backends with NFSv4.1 (supports file locking): should work without Director, right?
On 23/05/2023 17:23, Marc wrote:

there is a reason these things cost more than you'll earn in a year. second post in a row showing your lack of knowledge in actual networks, before you make an even bigger ass out of yourself, how about getting some experience in the real world or spending some time researching from actual information - not blogs Since when has there ever been a relationship between money and being good, money and intelligence etc. 2nd I have a hard time welcome to reality, time for you to jump back in your short narrow minded bubble if that's your beliefs. believing that are still companies out there that hardwire millions of logic circuits to create a load balancer that meets current day standards without the use of any software, and the perhaps open your dark curtains some day, but since when do companies have to explain shit to a troll like you explaining why they do things the way they do. Noel the only dumb ass here seems to be you. You are certainly not a good advocate for the EMC product compared to institutions like NASA and CERN that have >4000 drives in ceph solutions. oh I hope you're happy, I'm gonna lose a lot of sleep over that piss poor pathetic attempt to disparage me . n o t ... better people have tried and failed over the past 30 years. final words, I don't care how nasa cern or whoever run their network, christ, i'm not even in the same country as them so why would I care, and the fact they have a name that most, but not all, would recognise, means nothing, Microsoft is a big name too, as is google, bigger and more known, and they have made some monumental fuck ups. I get it you're a fangirl, and you can never reason with people like you. the end.
Re: Multiple backends with NFSv4.1 (supports file locking): should work without Director, right?
On 22/05/2023 22:36, Marc wrote:

>> On EMC Unity there is a NAS server parameter that can be changed to
>
> Maybe a bit too much off topic, but why EMC and not something like ceph? You rarely see any interesting comparisons on line (except of course the stupid ones listing features)

there is a reason these things cost more than you'll earn in a year.

second post in a row showing your lack of knowledge in actual networks, before you make an even bigger ass out of yourself, how about getting some experience in the real world or spending some time researching from actual information - not blogs

--
Regards,
Noel Butler
Re: Multiple backends with NFSv4.1 (supports file locking): should work without Director, right?
On 22/05/2023 22:33, Marc wrote:

>> used director. real (hardware) load balancers are actually smart and exponentially more reliable and robust than server based :)
>
> because there runs no software on it, right

this statement here, shows what a clueless newbie you are

--
Regards,
Noel Butler
Re: Multiple backends with NFSv4.1 (supports file locking): should work without Director, right?
Nice to know, similar option doesn't exist on VNX's though

On 22/05/2023 17:30, Adrian M wrote:

> On EMC Unity there is a NAS server parameter that can be changed to disable NFSv4 delegations using the following command,
>
>     svc_nas -param -facility nfsv4 -modify delegationsEnabled -value 0
>
> On Sun, May 21, 2023 at 7:34 AM Noel Butler wrote:
>
>> NFSv4, a dozen front ends to an EMC backend, with v4 we added "noac lookupcache=none" in very early days - not sure if they are still needed. otherwise just like when using NFSv3, no problems, and never used director. real (hardware) load balancers are actually smart and exponentially more reliable and robust than server based :)

--
Regards,
Noel Butler
Re: Multiple backends with NFSv4.1 (supports file locking): should work without Director, right?
On 20/05/2023 01:23, Adrian Minta wrote:

> Hi Pierre,
>
> when we tested NFSv4 couple of years ago, we found out that NFSv4 has a caching feature which delegate file caching to a specific client. This was a problem with same share mounted on multiple servers. The contention will explode the load on the clients due to I/O waits and in some cases crash the dovecot servers. We didn't use dovecot director at that time since NFSv3 was behaving more nicely and just worked on our tests. It seems that some NFSv4 flags exists and could mitigate this behaviour making it resemble NFSv3 but we didn't test them.

NFSv4, a dozen front ends to an EMC backend, with v4 we added "noac lookupcache=none" in very early days - not sure if they are still needed. otherwise just like when using NFSv3, no problems, and never used director. real (hardware) load balancers are actually smart and exponentially more reliable and robust than server based :)

--
Regards,
Noel Butler
Re: [Dovecot-news] CVE-2022-30550: Privilege escalation possible in dovecot when similar master and non-master passdbs are used
On 07/07/2022 07:24, Aki Tuomi wrote:

> On 06/07/2022 16:54 EEST Aki Tuomi via Dovecot-news wrote:
>
>> Affected product: Dovecot IMAP Server
>> Internal reference: DOV-5320
>> Vulnerability type: Improper Access Control (CWE-284)
>> Vulnerable version: 2.2
>> Vulnerable component: submission
>> Report confidence: Confirmed
>> Solution status: Fixed in main
>> Researcher credits: Julian Brook (julezman)
>> Vendor notification: 2022-05-06
>> CVE reference: CVE-2022-30550
>> CVSS: 6.8 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N)
>>
>> Vulnerability Details:
>> When two passdb configuration entries exist in Dovecot configuration, which have the same driver and args settings, the incorrect username_filter and mechanism settings can be applied to passdb definitions. These incorrectly applied settings can lead to an unintended security configuration and can permit privilege escalation with certain configurations involving master user authentication.
>>
>> Dovecot documentation does not advise against the use of passdb definitions which have the same driver and args settings. One such configuration would be where an administrator wishes to use the same pam configuration or passwd file for both normal and master users but use the username_filter setting to restrict which of the users is able to be a master user.
>>
>> Risk:
>> If same passwd file or PAM is used for both normal and master users, it is possible for attacker to become master user.
>>
>> Workaround:
>> Always authenticate master users from different source than regular users, e.g. using a separate passwd file. Alternatively, you can use global ACLs to ensure that only legitimate master users have privileged access.
>>
>> Fix:
>> This has been fixed in main branch. See https://github.com/dovecot/core/compare/7bad6a24%5E..a1022072.patch
>
> Two small corrections to this CVE notice...
>
> The service impacted is of course 'auth' not 'submission', and the version impacted is from 2.2 to 2.3.19.1.

Aki I wouldn't exactly call them " small " corrections

it's like saying the left window on your 2020 car can be pushed down easily to saying oh wait it's every window and you don't need a key to start the engine and btw it's all cars from 2010 to 2022

And if it's that serious where is the release, that's how dealing with CVE's works Aki, not a CVE statement saying go to github.

That said, I'd assume everyone uses a separate db for support teams anyway, or I'd hope so.

--
Regards,
Noel Butler
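Added example, not part of the original thread and not Dovecot project code: a small Python check for the configuration pattern the advisory above describes, two passdb entries with the same driver and args where master and regular users share the source. The sample configs, file paths and the function names parse_passdbs and find_shared_sources are constructed for illustration.

```python
"""Find passdb entries that share driver and args (CVE-2022-30550 pattern)."""
import re
from collections import defaultdict

# Constructed sample: master and regular users read from the same passwd
# file, separated only by username_filter (the setup the advisory warns about).
SHARED_SOURCE_CONF = """
passdb {
  args = /etc/dovecot/users
  driver = passwd-file
  master = yes
  username_filter = admin*
}
passdb {
  args = /etc/dovecot/users
  driver = passwd-file
}
"""

# Constructed sample: the advisory's workaround, a separate master passwd file.
SEPARATE_SOURCE_CONF = """
passdb {
  args = /etc/dovecot/master-users
  driver = passwd-file
  master = yes
}
passdb {
  args = /etc/dovecot/users
  driver = passwd-file
}
"""


def parse_passdbs(conf_text):
    """Return one settings dict per passdb block, in file order."""
    blocks, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if current is None:
            # Only passdb sections matter here; other sections are skipped.
            if re.fullmatch(r"passdb\s*\{", line):
                current = {}
            continue
        if line == "}":
            blocks.append(current)
            current = None
        elif "=" in line:
            key, value = line.split("=", 1)
            # Collapse whitespace so spacing differences do not hide a match.
            current[key.strip()] = " ".join(value.split())
    return blocks


def is_master(block):
    """A passdb is a master passdb only when it sets master = yes."""
    return block.get("master", "no").lower() == "yes"


def find_shared_sources(conf_text):
    """Report every (driver, args) pair used by more than one passdb.

    Exact matching mirrors the advisory's wording ("same driver and args");
    two different args strings that resolve to the same file are not caught.
    """
    groups = defaultdict(list)
    for index, block in enumerate(parse_passdbs(conf_text)):
        groups[(block.get("driver", ""), block.get("args", ""))].append(
            (index, block)
        )

    findings = []
    for (driver, args), members in groups.items():
        if len(members) < 2:
            continue
        has_master = any(is_master(b) for _, b in members)
        has_regular = any(not is_master(b) for _, b in members)
        findings.append({
            "driver": driver,
            "args": args,
            "blocks": [i for i, _ in members],
            # True when master and regular users authenticate from one source.
            "master_and_regular": has_master and has_regular,
        })
    return findings


if __name__ == "__main__":
    for name, conf in (("shared", SHARED_SOURCE_CONF),
                       ("separate", SEPARATE_SOURCE_CONF)):
        print(name, find_shared_sources(conf))
```

To check a live server, feed the function the text of `doveconf -n` instead of the constructed samples.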
pop3-login logging double Disconnected
Hi all,

Wondering if anyone else is seeing this double Disconnected in the logs with current stable version, it only happens for pop3-login, and only with Too many commands... other pop3-login logging with Disconnected like Connection closed (no auth attempts... etc are fine

Example of anomaly -

    pop3-login: Info: Disconnected: Disconnected: Too many bad commands (no auth attempts in ...

If anyone running 2.3.17.1 sees this or does not see it on Too many bad... or at all, kindly mind letting me know, not sure if something has gone haywire here or it's a bug that needs reporting since logs indicate this only occurred after updating to the point 1 release.

--
Regards,
Noel Butler
Re: lda to lmtp
BS. it was a simple question did she need to run this option or not, posting her config is immaterial and a waste of bandwidth and everyone's time.

I don't do drugs, but dealing with you I think it's becoming a requirement so i'll settle for jack daniels black label instead

On 12/06/2021 23:02, Benny Pedersen wrote:

> On 2021-06-12 13:42, Noel Butler wrote:
>
>> off your drugs again benny? WTF should she provide all the config outputs, when she asked a simple question about one option, and WTF clamav came from is beyond me
>
> this is very important AFTER i replied to help, not BEFORE, keep your own drugs problems

--
Regards,
Noel Butler
Re: lda to lmtp
On 11/06/2021 22:14, Benny Pedersen wrote:

> On 2021-06-11 12:42, Laura Steynes wrote:
>
>> so nobody
>
> i am nobody then :)
>
> it would be nice to see postconf -n, and doveconf -n
>
> without this info it's hard to help
>
> but remember lda, lmtp is both single recipient
>
> where come clamav into the mix ?

off your drugs again benny? WTF should she provide all the config outputs, when she asked a simple question about one option, and WTF clamav came from is beyond me

> i don't know much, but it's important to provide info to get help
>
>>> On Sun, Jun 6, 2021 at 12:03 PM Laura Steynes wrote:
>>>
>>> Hi,
>>>
>>> Although dovecot-lda serves us fine, we only average 8k messages an hour, peaking at 11k, over 4 machines (mostly for redundancy, we've run this fine on just 1 machine, but sometimes clamav makes things get upset, so we added some more especially since we are growing rapidly, we decided to see if lmtp would be of benefit, so far, we can't tell any difference, I guess it is only 120-130 messages a minute, maybe if we were doing 200 a minute we might see gain?
>>>
>>> The question is with lda we used postfix settings destination_recipient_limit=1, we have not added this with lmtp, is this needed?

This is probably more a question for postfix users list, might explain why no one here answered you, but no it's not needed with lmtp, and 2 msgs a second, you won't see any benefit over lda unless you're running on a 386 :)

--
Regards,
Noel Butler
Re: [Dovecot-news] Headsup on feature removal
On 19/03/2020 03:56, JAVIER MIGUEL RODRIGUEZ wrote:

> I fully agree with this:
>
>> Please consider holding off on removing features for the next major
>> release, 2.4.0 instead. It makes sense to retain, in as much as is
>> possible, feature backwards compatibility across a major release.

I'm astonished that features are being removed in a dot release as well, no other major project does this, hell, most don't like adding new features in dot releases let alone stripping them out.

None of the listed changes affect me that I can see, but I've been around a long time and I'm flabbergasted that someone actually approved this on dot release.

Now although there is no real need for them to further upgrade to ensure business continuity, if a serious exploit is released in the wild they highly likely will get bitten.

Stripping everything else at once in a new major is perfectly acceptable, and, is the norm.

--
Kind Regards,
Noel Butler
Re: offtopic: rant about thoughtless enabling DMARC checks
On 11/02/2019 09:48, Michael A. Peters via dovecot wrote:

> On 2/10/19 3:46 PM, Michael A. Peters via dovecot wrote:
>> On 2/10/19 3:42 PM, Noel Butler via dovecot wrote:
>>> On 10/02/2019 12:49, Benny Pedersen via dovecot wrote:
>>>
>>>> fixing mailman will be the fail, solve it by letting opendkim and opendmarc not reject detected maillist will be solution,
>>>
>>> A general broad mailing list whitelist will be problematic, to work it needs to look for specific list type hidden headers, spammers and nasties will incorporate those headers into their trash that impersonates mailing lists and voila, they pass.
>>
>> However the majority of spammers do not spam with a properly configured Reverse DNS - so detect the list header and skip DMARC if list headers are present AND Reverse DNS matched the HELO/EHLO
>
> Also, DMARC isn't really anti-spam technology, it's anti-spoof technology.
>
> Rather than fake mail list headers, spammers will just use domains w/o a DMARC policy. Much easier.

I know you're just nit picking but what the hell, I've got a few minutes before my meeting

anti spoofing is also anti spam, most legit emailers don't spoof, bad guys love to, so anything that reduces noise in email can be considered "anti spam"

postfix acl's dnsbl's milters, antivirus, spamassassin, spf, dkim, whatever ... they all work to reduce noise and that's all the end users care about.

--
Kind Regards,
Noel Butler
Only PDF [1] and ODF [2] documents accepted, please do not send proprietary formatted documents Links: -- [1] http://www.adobe.com/ [2] http://en.wikipedia.org/wiki/OpenDocument
Re: offtopic: rant about thoughtless enabling DMARC checks
On 11/02/2019 09:46, Michael A. Peters via dovecot wrote:

> However the majority of spammers do not spam with a properly configured Reverse DNS - so detect the list header
> and skip DMARC if list headers are present AND Reverse DNS matched the HELO/EHLO

A hell of a lot do, though (this is pretty average percentages here)

Accepted                         70.07%
Rejected                         29.93%
---------------------------------------
Total                           100.00%
=======================================
5xx Reject relay denied           4.27%
5xx Reject unknown user           7.93%
5xx Reject sender address         7.32%
5xx Reject unknown client host   52.44%
5xx Reject RBL                    3.66%
5xx Reject milter                24.39%
=======================================
Total 5xx Rejects               100.00%

unknown client host was high as 95% up till about 10 years ago, so they are slowly learning.

--
Kind Regards,
Noel Butler
Re: offtopic: rant about thoughtless enabling DMARC checks
On 10/02/2019 12:49, Benny Pedersen via dovecot wrote:

> fixing mailman will be the fail, solve it by letting opendkim and opendmarc
> not reject detected maillist will be solution,

A general broad mailing list whitelist will be problematic, to work it needs to look for specific list type hidden headers, spammers and nasties will incorporate those headers into their trash that impersonates mailing lists and voila, they pass.

there is no quick and easy fix to the dmarc mess other than p=none aspf=s (DKIM is another one that gets narky at lists, and despite all the spf haters dreams, I've never had a problem with spf and lists, and we were an early beta adopter of spf)

--
Kind Regards,
Noel Butler
Re: offtopic: rant about thoughtless enabling DMARC checks
On 10/02/2019 07:38, Ralph Seichter via dovecot wrote:

> * Juri Haberland via dovecot:
>
>> Blindly enabling DMARC checks without thinking about the consequences
>> for themselves should not be the problem of other well behaving
>> participants.
>
> Can you judge if DMARC is enabled "blindly"? No, I thought not. Also,
> the issue was not on the receiving end, but the reject policy for the
> originating domain.
>
> Personally, I choose to treat "reject" as if it was "quarantine",
> i.e. affected mail is rerouted to a specific folder.
>
>> And Aki, please go back to "munge only if needed" - munging all
>> messages leads to a really bad "user experience".
>
> Only speak for yourself please.
>
> -Ralph

+1 (for entire post)

... and surely he does not expect those with a million plus users sit here and whitelist the million plus mailing lists that exist around the world, heh, like thats going to happen :)

--
Kind Regards,
Noel Butler
Re: BUG: sieve does not set seen-Flag
On 07/12/2018 17:55, Jakobus Schürz wrote:

> On 07.12.18 at 08:10, Noel Butler wrote:
>
> On 07/12/2018 16:44, Aki Tuomi wrote:
>
> On 6.12.2018 6.54, Noel Butler wrote:
>
> On 06/12/2018 07:29, Jakobus Schürz wrote:
>
> that all and every Flag is set, except \Seen... I tried to figure out, whats
> happening here...
>
> Paste what your sieve file contains now (no, I'm not going back over this
> thread - its becoming as long as war and peace, and you may have changed it
> since then)
>
> Please understand me right... It is nice for you, if dovecot does, what you
> expect... It is nice. But here it does not work correctly. dovecot makes a
> big mistake. And i try to give as much information, as i'm possible to
> give...
>
> I doubt its dovecot, since no one else has reported this problem that I can
> see - without going back to find the start of the thread.
>
> my dovecot does not copy the Seen-flag. It ignores it. But WHY. Fucking
> WHY???
>
> Mind your tongue if you want help here, despite frustrations (man I must be
> getting old and mellowing), no one here has to do shit for you, the fact it
> works for everyone else, indicates there is a problem with your configuration
> and yours alone - somewhere, and because you're the only one experiencing
> this, it may be harder to trace the origin of.
>
> --
> Kind Regards,
>
> Noel Butler

I finally had some time to try this out, and wasn't able to reproduce the problem with 2.3.4 and 0.5.4. I tried both Sieve and IMAPSieve, but I wonder if this is something particular in your environment or settings, so I have to ask you to post your `doveconf -n` once more.

Aki

Did he ever tell us what this is on, I saw stretch somewhere in thread so I gather its debian, but is it on real hardware, or rpi, has he tried using the source, who knows what happens when distros butcher things up into 70 different sub packages :)

Hi.

sorry for my anger a few days ago...

And Aki... i reviewed the thread... you never asked me before for dovecot -n. It is the first time. I also wrote, that i use the packages from the dovecot-repo for debian. So i was thinking, it is clear, which version i use. It's not debian-repo, it is dovecot-repo, which i got from the dovecot-release-notes.

My anger was, i wrote details, logmessages, behaviour... again and again... and i got the every similar message "for me it works"... and "i dont want to read the whole thread"... so i was angry, how often again i should post the same again... Great sorry for my tongue.

My hardware is a rented virtual server from a cloudprovider in germany, where i have full permissions on it. The filesystem is ext4.

I attached my dovecot -n

The mails all are stored in maildir in /var/mail. There is an extra dir /var/lib/dovecot/db... where index and control are in separate directories. The owner and group from all of this directories are all vmail:vmail The permissions are 0700 (only vmail is allowed to read/write/execute in this directories)

And again... it's independent from MUA: When i move a message to another folder, the message in the new folder is shown as recent and unseen. I posted - i think - 3 times the logs from the copy/expunge-task, where the "flags()" is empty on copy, but expunge from the original folder shows the correct flags. If you want... i can do it a 4th time ;-)

I also asked for a possibility (which i do not know) to turn up the debug-level more than i have now, to see, what happens, that i can post it.

maybe it is a permission-problem. I don't know. Maybe there is a sieve-script working, which i don't know, which sets a message to unseen and recent, if it arrives to a folder (i deactivated all the sieve-scripts, but the behaviour was the same wrong). There are two scripts for rspamd and spamassassin, which learn spam or ham, depending a message is moved to or from Junk. I also commented the lines out in the sievescript... no change. Every message which is new in a Folder is set to recent and unseen.

Best regards
Jakob

and your current .dovecot.sieve file is?

--
Kind Regards,
Noel Butler
Re: BUG: sieve does not set seen-Flag
On 07/12/2018 16:44, Aki Tuomi wrote:

> On 6.12.2018 6.54, Noel Butler wrote:
>
> On 06/12/2018 07:29, Jakobus Schürz wrote:
>
> that all and every Flag is set, except \Seen... I tried to figure out, whats
> happening here...
>
> Paste what your sieve file contains now (no, I'm not going back over this
> thread - its becoming as long as war and peace, and you may have changed it
> since then)
>
> Please understand me right... It is nice for you, if dovecot does, what you
> expect... It is nice. But here it does not work correctly. dovecot makes a
> big mistake. And i try to give as much information, as i'm possible to
> give...
>
> I doubt its dovecot, since no one else has reported this problem that I can
> see - without going back to find the start of the thread.
>
> my dovecot does not copy the Seen-flag. It ignores it. But WHY. Fucking
> WHY???
>
> Mind your tongue if you want help here, despite frustrations (man I must be
> getting old and mellowing), no one here has to do shit for you, the fact it
> works for everyone else, indicates there is a problem with your configuration
> and yours alone - somewhere, and because you're the only one experiencing
> this, it may be harder to trace the origin of.
>
> --
> Kind Regards,
>
> Noel Butler

I finally had some time to try this out, and wasn't able to reproduce the problem with 2.3.4 and 0.5.4. I tried both Sieve and IMAPSieve, but I wonder if this is something particular in your environment or settings, so I have to ask you to post your `doveconf -n` once more.

Aki

Did he ever tell us what this is on, I saw stretch somewhere in thread so I gather its debian, but is it on real hardware, or rpi, has he tried using the source, who knows what happens when distros butcher things up into 70 different sub packages :)

--
Kind Regards,
Noel Butler
Re: BUG: sieve does not set seen-Flag
On 06/12/2018 07:29, Jakobus Schürz wrote:

> that all and every Flag is set, except \Seen... I tried to figure out, whats
> happening here...

Paste what your sieve file contains now (no, I'm not going back over this thread - its becoming as long as war and peace, and you may have changed it since then)

> Please understand me right... It is nice for you, if dovecot does, what you
> expect... It is nice. But here it does not work correctly. dovecot makes a
> big mistake. And i try to give as much information, as i'm possible to give...

I doubt its dovecot, since no one else has reported this problem that I can see - without going back to find the start of the thread.

> my dovecot does not copy the Seen-flag. It ignores it. But WHY. Fucking WHY???

Mind your tongue if you want help here, despite frustrations (man I must be getting old and mellowing), no one here has to do shit for you, the fact it works for everyone else, indicates there is a problem with your configuration and yours alone - somewhere, and because you're the only one experiencing this, it may be harder to trace the origin of.

--
Kind Regards,
Noel Butler
Re: Sieve broken after upgrade
On 03/12/2018 09:28, Stephan Bosch wrote:

> Hi,
>
> First of all, what are you using to send this e-mail? I am receiving this as
> an attachment. (Anyone else seeing this? More mails from different senders
> seem to be affected.)

Yep, those purporting to come from dovecot, as in username via dovecot. I think Aki's playing with settings that are not quite right yet :)

--
Kind Regards,
Noel Butler
Re: Mailing list address harvested for spamming
On 02/12/2018 10:16, Michael A. Peters wrote:

> On 12/01/2018 04:09 PM, Noel Butler wrote:
>
>> Which is why it annoys me that some people on mailing lists feel the need to
>> reply directly, rather than through mailing list.
>
> Sometimes it is the MUA that is poorly designed that causes this.

I could have sworn I said that, oh yes, I see I did

> Also, some lists set the "reply to" with the sender rather than the list.

Also covered (poorly configured)

> Further, some user agents have a separate "reply" for replying to list
> instead of original sender but human error results in wrong being clicked.
> That's happened to me - causing me to accidentally reply to wrong address.

--
Kind Regards,
Noel Butler
Re: Mailing list address harvested for spamming
On 02/12/2018 05:31, M. Balridge wrote:

> Quoting dovecot-...@deemzed.uk:
>
>> Not to stir the pot, but I notice my email address has recently been
>> harvested from this list for spamming purposes. This email address is
>> unique and not used for anything else.
>>
>> I'd distinguish this from spam sent to the mailing list itself, which is
>> obviously different.
>>
>> Is there anything further that could be done to prevent this?
>
> It's practically impossible to "police" all of those who sign up for a mailing
> list that they do so for honest or constructive intentions. In addition,
> copies of this mailing list are archived by various online search engines and
> indexors, from content maintained or published by the list operators.
>
> You're already using unique mail addresses, which is a sensible strategy, and
> one I use myself. In fact, I use a scheme whereby I don't need to change or
> update any back-end settings to deal with a multitude of unique and ad-hoc
> specified addresses for every vendor/supplier and interaction point I deal
> with.
>
> In short, if you use a public mailing list, expect that the address you use
> for it will be discovered and abused by the nefarious marketeers of the High
> Bit Seas.
>
> Cordially,
> =Malcky=

Since he uses a unique address, it is trivial to write a rule to ensure msgs come from dovecot.org and discard everything else, I do that on LKML, works a treat. This address alone is a mailing list only address, direct messages go to junk folder, which I visually scan occasionally, and if I dont within 7 days, tuff, they're deleted automatically.

Which is why it annoys me that some people on mailing lists feel the need to reply directly, rather than through mailing list.

(Yeah I know its also shortcomings of certain mailers and mailing services (has gmail even fixed that yet) where hitting reply or reply all should go to list. Its also dumb when list admins dont set reply-to list, the entire point of replying to a list, is, well, to the list)

--
Kind Regards,
Noel Butler
Re: maildirlock time unit?
Why is there even a lock on 'maildir' at all... unless this is not specific to maildir as specd in mail_location, I might be missing something though, I'm only just now having my first coffee of the day (we haven't migrated to 2.3 yet, since 2.2 is very stable)

On 15/10/2018 23:46, Kris von Mach wrote:

> What is the time unit maildirlock will accept?
>
> I've tried 20s, 20 sec, 20 secs, 20 seconds, all results in:
> Fatal: Invalid timeout value: 20s
>
> And if you don't specify time unit you just get:
> Panic: BUG: No IOs or timeouts set. Not waiting for infinity.
>
> This is on 2.3.3. 2.2 worked fine without needing time unit specified.

--
Kind Regards,
Noel Butler
Re: DMARC mailing list rejections
On 16/01/2018 15:23, Daniel Miller wrote:

> I get about a half dozen rejection messages from various servers when I post
> to this list. Is there something I need to configure differently in my DMARC
> record to be better compliant?
>
> Daniel

DMARC is as evil as systemd - dont use either and all your pain will go away

--
Kind Regards,
Noel Butler
Re: Adding Sieve to Roundcube
On 30/12/2017 00:46, @lbutlr wrote:

> Yes, but I have to install sieve and select a plugin for Roundcube and then
> write some user docs on how to make filters and such.

As per my previous, enable managesieve plugin which comes by default with RC.

This is a shitty howto thing I did 10 years ago, since I only ever tolerated ubuntu for about 5 or 6 months I think it was about 2007ish (must re-do it one day, since in 2017 we have much better tools for this on linux LOL), but its still applicable and what I still use on my private server for me/family/friends/friends_familes/etc, but it shows it takes very little work to "document" it, you're stressing for no reason.

https://mail.ausics.net/help/add_filter0.gif

--
Kind Regards,
Noel Butler
Re: Adding Sieve to Roundcube
On 30/12/2017 00:26, Aki Tuomi wrote:

>> On December 29, 2017 at 4:21 PM "@lbutlr" <krem...@kreme.com> wrote:
>>
>> I'm planning on adding support for sieve to Roundcube here in the near
>> future and am looking for any recommendations on read-mes on how to do this.
>>
>> I am planning on waiting until 2.3.0 hits Freebsd Ports
>>
>> --
>> No Sigs. Blame Apple.
>
> managesieve is your best bet. Reading this
> https://tools.ietf.org/html/rfc5804 should help.
>
> Aki

Yes, which comes with RC and works fine.

OP, copy /plugins/managesieve/config.inc.php.dist to config.inc.php, and enable the plugin in /config/config.inc.php in $config[plugins] array just like every other plugin. done...

--
Kind Regards,
Noel Butler
Re: Ubuntu Auth Issues with new repository code..
On 28/12/2017 07:38, Howard Leadmon wrote:

> Saw the new repository notification, and figured what the heck I would try
> letting it upgrade me from the current v2.2.22 release that apparently is in
> the Ubuntu 16.04 packages, to the new repository release of v2.3.0.
>
> I followed the info on repo.dovecot.org, and first it started bitching about
> lmtp (dovecot: master: Fatal: service(lmtp) access(/usr/lib/dovecot/lmtp)
> failed: No such file or directory), so I went back and installed the
> dovecot-lmtpd package and that seemed to fix that issue. Just FYI, I had
> dovecot-core, dovecot-imapd, and dovecot-pop3d installed on the system.
>
> OK, so now it started up, said it was 2.3.0 and I thought all was good, but
> now all authentication is failing. I turned on some of the logging
> debugging, and am seeing the below:
>
> dovecot: auth-worker(19578): Debug: pam(toss1,127.0.0.1,): lookup service=dovecot
> dovecot: auth-worker(19578): Debug: pam(toss1,127.0.0.1,): #1/1 style=1 msg=Password:
> dovecot: auth-worker(19578): pam(toss1,127.0.0.1,): pam_authenticate() failed: System error
> dovecot: auth: Debug: client passdb out: FAIL#0111#011user=toss1
> dovecot: imap-login: Aborted login (auth failed, 1 attempts in 3 secs): user=, method=PLAIN, rip=127.0.0.1, lip=127.0.1.1, session=
>
> I took and compared my auth files like 10-auth.conf, and
> auth-system.conf.ext, and they are identical between the two versions, even
> though they were overwritten as part of the upgrade.
>
> If I just uninstall the 2.3.0 release, and install 2.2.22 back on the server,
> it all just starts working again. So for now I am back on 2.2, but was
> willing to give 2.3 a run if I can get it going. Any ideas as to what to
> look at to get this working, would be great. As stated above, this is
> Ubuntu Server 16.04.03, and I am also running Postfix and amavis-new, but
> don't think they should really impact me using dovecot for email over POP3 or
> IMAP..
>
> ---
> Howard Leadmon
> PBW Communications, LLC
> http://www.pbwcomm.com

Why on earth you think you could upgrade versions by using two unrelated and different repo's is beyond me.

This has always been a problem, even back in the 90's with the RPMs, RH v say for example Fresh, because package maintainers will package differently. Its like trying to stick a cisco 1800 image on an ASR9K and expecting it to work perfectly.

Though we don't use deb or rpm based systems and haven't for about 15 years, if I was to, I think I'd be using the creators version, and not a distro's version.

--
Kind Regards,
Noel Butler
Re: dovecot-lda without starting dovecot?
On 07/11/2017 09:18, Stephan von Krawczynski wrote:

> On Mon, 6 Nov 2017 09:50:16 -0500
> Tanstaafl <tansta...@libertytrek.org> wrote:
>
> On 11/6/2017, 4:01:19 AM, Stephan von Krawczynski <skraw...@ithnet.com> wrote:
> Still we are not content with it touching/locking dovecot.index.log. If
> someone pointed at one location in the code where this could be disabled we
> would implement a new param for switching that off.
> ?
>
> Dovecot's indexing is one of its main features, and WHY it is so much
> faster than others.
>
> And you want to just turn it off? Good luck...

It seems you have not understood what I am talking about. Our pre-dovecot lda did not touch the index either. And it did not harm the imap/pop procedure in any way. So we know there is no need to fiddle with the index in the process of delivery into the maildirs to keep our performance as it was before.

mail_location

Optionally disable indexes using :INDEX=MEMORY

don't use this on IMAP boxes, but is safe to use on SMTP and POP3's boxes though

eg:

mail_location = maildir:/var/vmail/%Ld/%1Ln/%1.1Ln/%2.1Ln/%Ln/Maildir:INDEX=MEMORY

--
Kind Regards,
Noel Butler
Re: moving from mysql to pgsql
On 05/10/2017 02:06, Magnus wrote:

> Hello,
>
> I hope that this mailing list is "alive", since I am looking for a solution
> for my problem for a long time.
>
> I would like to migrate my existing dovecot installation from mysql to pgsql.
> But I have problems with the passwords when using pgsql.
>
> The existing and working mysql-based installation looks like this:
>
> dovecot-sql.conf.ext:
>
> driver = mysql
> default_pass_scheme = SHA512-CRYPT
>
> Users are created like this:
>
> INSERT INTO mls_user (idx,domain,password,email)
> VALUES (1,99,ENCRYPT('Test'),'m...@alpenjodel.de');
>
> This setup is working, which I can verify like this:
>
> $ telnet localhost 143
> * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID
> ENABLE IDLE AUTH=PLAIN AUTH=LOGIN AUTH=DIGEST-MD5
> AUTH=CRAM-MD5] Dovecot ready.
>
> a login m...@alpenjodel.de Test
> OK
>
> Now let's take a look at the pgsql version of the setup:
>
> dovecot-sql.conf.ext:
>
> driver = pgsql
> default_pass_scheme = SHA512-CRYPT
>
> Users are created like this:
>
> INSERT INTO mls_user (idx,domain,password,email)
> VALUES (1,99,crypt('Test',gen_salt('des')),'m...@alpenjodel.de');
>
> This setup is not working:
>
> $ telnet localhost 143
> * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID
> ENABLE IDLE AUTH=PLAIN AUTH=LOGIN AUTH=DIGEST-MD5
> AUTH=CRAM-MD5] Dovecot ready.
>
> a login m...@alpenjodel.de Test
> a NO [AUTHENTICATIONFAILED] Authentication failed.
>
> Assumptions:
>
> - I believe that the mysql encrypt function uses the crypt system call,
> which in turn uses the DES algorithm with a random salt.
>
> - I believe that the same is done with the pgsql function call
> crypt('Test',gen_salt('des')).
>
> But obviously some of these assumptions must be wrong.
>
> Besides that, the variable "default_pass_scheme" is set to "SHA512-CRYPT" in
> both cases. But obviously, not SHA but DES is used by the working mysql-based
> setup. I don't understand that. Could someone please explain the relationship
> between the default_pass_scheme variable and the encryption/hashing algorithm
> used to store the user passwords?
>
> And finally: What can I do to migrate to pgsql?
>
> Thank you
> Magnus

Migrate? if the passwords are truly as designed already, it shouldn't matter, it should read them, be it for mail, ftp, or httpd, they all read the same thing mysql, or anything that reads sha512.

What are you using to insert users, php? perl?, what does the database entry look like?

We use a perl backend to add members and hosts, in mysql mypassword field is populated as crypt($password, '$6$' . $salt)

I can't help you if it's php, I'll leave that for someone who knows php and my php guru is off sick this week with the flu

But does your database password field entry start with $6$ ? perhaps your mysql isn't using what you think?

As a test, this is testing123 in sha512

$6$Z6I5oyWUed.tmNUs$0ScF2w3ejPWFAX/3F6DgMyWpbXLq0DD6blL8rwBpSHGWaZ9RiXlpo5PPZFoJPZWIuQMETELsXG2YtbsAc8K3q/

copy and paste that into a test users mysql password field directly, and your pgsql directly and see if it works.

incidentally, we use default_pass_scheme = CRYPT

Which handles all the subsystems crypt options including sha's - providing your system is half modern, if it's ten years old don't use that, it'll be likely using the old 8 char limited crypt :) (and don't laugh the number of antique debian and RH boxes I've come across is scary)

anyway, so even as a fallback for testing you could insert even an md5 hash into a password field and it will work as well, I won't tell you not to do this in production because of course you know better ;)

--
Kind Regards,
Noel Butler

This Email, including any attachments, may contain legally privileged information, therefore remains confidential and subject to copyright protected under international law. You may not disseminate, discuss, or reveal, any part, to anyone, without the authors express written authority to do so. If you are not the intended recipient, please notify the sender then delete all copies of this message including attachments, immediately. Confidentiality, copyright, and legal privilege are not waived or lost by reason of the mistaken delivery of this message. Only PDF [1] and ODF [2] documents accepted, please do not send proprietary formatted documents

Links:
--
[1] http://www.adobe.com/
[2] http://en.wikipedia.org/wiki/OpenDocument
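The check suggested in the reply above (does the stored value start with $6$?) can be run over every row of the user table. The script below is an added example, not code from the thread: it goes further than the reply by recognising the other common crypt(3) prefixes and Dovecot's optional {SCHEME} label, and every name, address and row in it is constructed, except the $6$ hash, which is the one quoted in the reply.

```python
"""Classify password-field values by crypt(3) format (added example)."""
import re

# The SHA-512 crypt hash of "testing123" quoted in the reply above.
PAGE_HASH = ("$6$Z6I5oyWUed.tmNUs$0ScF2w3ejPWFAX/3F6DgMyWpbXLq0DD6blL8rwBpSHGW"
             "aZ9RiXlpo5PPZFoJPZWIuQMETELsXG2YtbsAc8K3q/")

# crypt(3) "$id$" prefix -> (Dovecot scheme name, considered weak?)
MODULAR = {
    "1": ("MD5-CRYPT", True),
    "2a": ("BLF-CRYPT", False),
    "2b": ("BLF-CRYPT", False),
    "2y": ("BLF-CRYPT", False),
    "5": ("SHA256-CRYPT", False),
    "6": ("SHA512-CRYPT", False),
}

B64 = "[./0-9A-Za-z]"                            # crypt(3) salt/hash alphabet
DES_RE = re.compile("^" + B64 + "{13}$")         # traditional DES: 13 chars, no "$"
MODULAR_RE = re.compile(r"^\$([0-9a-z]+)\$.+")   # $id$salt$hash
LABEL_RE = re.compile(r"^\{([A-Za-z0-9.-]+)\}(.*)$")  # Dovecot {SCHEME} prefix


def classify(stored):
    """Return (label, detected, weak) for one password-field value.

    label    -- scheme named in a leading {SCHEME} prefix, or None
    detected -- scheme implied by the hash format, or "UNKNOWN"
    weak     -- True for DES crypt (8-character limit) and MD5 crypt
    """
    value = stored.rstrip()          # a padded CHAR(n) column adds blanks
    label = None
    m = LABEL_RE.match(value)
    if m:
        label = m.group(1).split(".")[0].upper()   # drop ".HEX"/".B64" suffix
        value = m.group(2)
    m = MODULAR_RE.match(value)
    if m and m.group(1) in MODULAR:
        detected, weak = MODULAR[m.group(1)]
    elif DES_RE.match(value):
        detected, weak = "DES-CRYPT", True
    else:
        detected, weak = "UNKNOWN", False
    return label, detected, weak


def audit(rows, default_pass_scheme):
    """Return [(email, detected, notes)] for rows that need attention."""
    findings = []
    for email, stored in rows:
        label, detected, weak = classify(stored)
        notes = []
        if stored != stored.rstrip():
            notes.append("trailing whitespace in field")
        if detected == "UNKNOWN":
            notes.append("not a recognised crypt(3) hash")
        # The generic CRYPT scheme passes any format to the system crypt(),
        # as the reply describes, so only a specific scheme name is compared.
        declared = label or default_pass_scheme.upper()
        if detected != "UNKNOWN" and declared not in ("CRYPT", detected):
            notes.append("declared %s but format is %s" % (declared, detected))
        if weak:
            notes.append("%s is a weak hash" % detected)
        if notes:
            findings.append((email, detected, notes))
    return findings


# Constructed rows: only PAGE_HASH comes from the thread; the DES- and
# MD5-shaped values are format samples, not hashes of any real password.
SAMPLE_ROWS = [
    ("a@example.org", PAGE_HASH),
    ("b@example.org", "abJnggxhB/yWI"),
    ("c@example.org", "{CRYPT}$1$abcdefgh$0123456789abcdefghijkl"),
    ("d@example.org", PAGE_HASH + "   "),
]

if __name__ == "__main__":
    for email, detected, notes in audit(SAMPLE_ROWS, "SHA512-CRYPT"):
        print("%-15s %-13s %s" % (email, detected, "; ".join(notes)))
```

Feeding it the rows of a real password column shows at a glance which accounts still carry DES or MD5 hashes and which values do not match the scheme named in default_pass_scheme.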
Re: Dovecot mail_location for fedora
On 19/08/2017 07:17, Joseph Tam wrote:

> mail_location=~/.mail:INBOX=/var/spool/mail/%Ln
> He should be good now, no idea why a fedora install wouldn't have that

Unless I missed something in a previous post, "~/.mail" is not typical for personal mail folder, but "~/mail" is.

Joseph Tam <jtam.h...@gmail.com>

I thought that (from earlier example), but not having used mbox in 10 years, couldn't remember, I couldn't example mine because that would throw OP completely (mail_location = maildir:/var/vmail/%Ld/%1Ln/%1.1Ln/%2.1Ln/%Ln/Maildir:INDEX=MEMORY)

Since he's not replied, I dare say Aki's post helped him sort it out.

--
Kind Regards,
Noel Butler
Re: Dovecot mail_location for fedora
Ahh that's it :)

He should be good now, no idea why a fedora install wouldn't have that

On 18/08/2017 19:43, Aki Tuomi wrote:

> mail_location=~/.mail:INBOX=/var/spool/mail/%Ln
>
> Aki

--
Kind Regards,
Noel Butler
Re: Dovecot mail_location for fedora
On 18/08/2017 06:15, Randy Gordey wrote:

> What is the syntax for dovecot mail_location when postfix delivers mail to
> /var/spool/mail/?
>
> These are the old unix style mbox, one file per user.
>
> Not setting mail_location in 10-mail.conf results in Auto not finding it.
>
> mbox: /var/spool/mail/%u said mbox root directory can't be a file.

It's been over 10 years since I've run mbox, but I'm sure your format is wrong, you're also not supposed to use spaces either, in fact I think it's telling you what's wrong, from memory, it's mbox:~/mail: but I can't recall what otherstuff is I know the path is in it but it needs something before it, I just can't recall what, see the wiki, I'd be highly surprised if it did not explain it.

> mbox: /var/spool/mail/ tries to make Sent and Deleted Folders, etc.
>
> maildir: /var/spool/mail/ closes the connection.

That's not how maildir works you need to add the Maildir directory to it, ie maildir:/var/spool/mail/%n/Maildir but DO NOT USE THAT directory!

And it's more than dovecot you need to change if you're going to use maildir, so just fix up your mbox settings.

--
Kind Regards,
Noel Butler
Re: is a self signed certificate always invalid the first time?
On 18/08/2017 17:12, voy...@sbt.net.au wrote:

> BUT, for a public web server where https is becoming mandatory, I'd still
> need a certificate from a recognized publisher, to avoid users getting
> 'warnings', is that so ?
>
> (I'm currently using self issued for both mail and web)
>
> thanks,
>
> V

It depends on what your uses are, self signed certs are OK for smtp/pop3/imap, since most people are just concerned with "encryption" in that case, but a different story if it's web content, in particular, shopping carts and the like, If you have clients content, definitely use a real cert, maybe in 10 years letsencrypt might make the grade, but until every bit of software and OS supports it and they offer insurance levels like the big boys do, you might as well be using a self signed cert, comodo are pretty cheap with basic insurance level on even the most basic of their offerings.

Do your research, though if using a paid service, since some others are soon to be un-trusted.

--
Kind Regards,
Noel Butler
Re: namespace configuration error
On 16/08/2017 04:31, Jeff Ross wrote:

> namespace Snarf {
>   hidden = yes
>   list = no
>   location = mbox:/home/%u/mbox:INBOX=/var/spool/mail/%u:INDEX=MEMORY
>   prefix = ~~Snarfbox/

Is there supposed to be two tildes here? (maybe perfectly valid, I haven't looked into it)

>   separator = /
> }
> namespace default {
>   inbox = yes
>   location =
>   prefix =
>   separator = /
> }
> namespace inbox {
>   location =

I'd add in separator under location, then get rid of the namespace default block above it (Just comment it out, don't delete anything - til you get it sorted)

>   mailbox Drafts {
>     special_use = \Drafts
>   }
>   mailbox Junk {
>     special_use = \Junk
>   }
>   mailbox Sent {
>     special_use = \Sent
>   }
>   mailbox "Sent Messages" {
>     special_use = \Sent
>   }
>   mailbox Trash {
>     special_use = \Trash
>   }
>   prefix =

comment this out too

> }

--
Kind Regards,
Noel Butler
Re: migrating 2.1 to 3.x, sql pass scheme, pass value?
On 15/08/2017 22:58, voy...@sbt.net.au wrote:

> On Tue, August 15, 2017 10:27 pm, Noel Butler wrote:
>
>> HUH?
>> Are you trying to login to mysql using the hash itself?
>
> Noel, thanks!!
>
> oops, misunderstood instruction...
>
> this is better:
>
> USER voy...@x.tld
> +OK
> PASS **
> +OK Logged in.
> LIST
> +OK 0 messages:
>
>> That won't work, and it's not what you are supposed to be doing as evident
>> by fact you can login using plain password, you're looking in the wrong
>> area, since the database stores passwords hashed, you enter it in, in
>> plain text, the database then does its magic to convert what you entered
>> in, into a hash and does the matching in its own backend, so to speak.
>
> what value should I have in /etc/dovecot/dovecot-mysql.conf
> in
> default_pass_scheme = ???
>
> V

Use: CRYPT

This allows you to use whatever your system supports in your database password fields, with modern OS's that's anything from md5 (shudder the thought) to salted sha512 and probably more these days depending on what other goodies your distro adds, dovecot will send it to the underlying OS crypt function that does all the hard work.

--
Kind Regards,
Noel Butler
Re: migrating 2.1 to 3.x, sql pass scheme, pass value?
On 15/08/2017 22:23, Noel Butler wrote: > On 15/08/2017 21:25, voy...@sbt.net.au wrote: > >> On Tue, August 15, 2017 8:03 pm, Sami Ketola wrote: >> On 15 Aug 2017, at 2.50, voy...@sbt.net.au wrote: >> >> how do I generate hashed string from my password ? >> use this sql command: >> >> GRANT SELECT ON vmail TO 'vmail'@'127.0.0.1' IDENTIFIED BY >> PASSWORD('yourpassword'); >> >> or if you just want to see the hash: >> >> SELECT PASSWORD('yourpassword'); > > Sami, thanks > > I'm running in circles here.. I thought it worked once, but, couldn't > repeat it after > > OK, I've made user 'test' with pw 'test1234' > > using keyborad to enter test1234 I get: > > # mysql -u test -p > Enter password: > Welcome to the MariaDB monitor. Commands end with ; or \g. > Your MariaDB connection id is 1377 > Server version: 10.1.19-MariaDB MariaDB Server > > Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others. > > Type 'help;' or '\h' for help. Type '\c' to clear the current input > statement. > > MariaDB [(none)]> show databases; > ++ > | Database | > ++ > | information_schema | > | test | > ++ > 2 rows in set (0.00 sec) > > MariaDB [(none)]> > > NOW: > > MariaDB [(none)]> SELECT PASSWORD('test1234'); > +---+ > | PASSWORD('test1234') | > +---+ > | *3D3B92F242033365AE5BC6A8E6FC3E1679F4140A | > +---+ > 1 row in set (0.00 sec) > > MariaDB [(none)]> quit > > copied '*3D3B92F242033365AE5BC6A8E6FC3E1679F4140A' to buffer > > paste from buffer below, fail > > # mysql -u test -p > Enter password: > ERROR 1045 (28000): Access denied for user 'test'@'localhost' (using > password: YES) > > HUH? > > Are you trying to login to mysql using the hash itself? 
> > That won't work, and it's not what you are supposed to be doing as evident > by fact you can login using plain password, you're looking in the wrong > area, since the database stores passwords hashed, you enter it in, in > plain text, the database then does its magic to convert what you entered > in, into a hash and does the matching in its own backend, so to speak. > > if you put in your dovecot sql file, the vmail password in plain text > and not hashed output, it should work, you have to make sure the sql > file is chmod 600 so any normal users with access can't read the file(s). > > -- > Kind Regards, > > Noel Butler

OK dunno what happened with format but to simplify it:

HUH?

Are you trying to login to mysql using the hash itself?

That won't work, and it's not what you are supposed to be doing as evident by fact you can login using plain password, you're looking in the wrong area, since the database stores passwords hashed, you enter it in, in plain text, the database then does its magic to convert what you entered in, into a hash and does the matching in its own backend, so to speak.

if you put in your dovecot sql file, the vmail password in plain text and not hashed output, it should work, you have to make sure the sql file is chmod 600 so any normal users with access can't read the file(s).

--
Kind Regards,
Noel Butler
Re: migrating 2.1 to 3.x, sql pass scheme, pass value?
On 15/08/2017 21:25, voy...@sbt.net.au wrote:

> On Tue, August 15, 2017 8:03 pm, Sami Ketola wrote:
> On 15 Aug 2017, at 2.50, voy...@sbt.net.au wrote:
>
> how do I generate hashed string from my password ?
> use this sql command:
>
> GRANT SELECT ON vmail TO 'vmail'@'127.0.0.1' IDENTIFIED BY
> PASSWORD('yourpassword');
>
> or if you just want to see the hash:
>
> SELECT PASSWORD('yourpassword');

Sami, thanks

I'm running in circles here.. I thought it worked once, but, couldn't repeat it after

OK, I've made user 'test' with pw 'test1234'

using keyboard to enter test1234 I get:

# mysql -u test -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 1377
Server version: 10.1.19-MariaDB MariaDB Server

Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| test               |
+--------------------+
2 rows in set (0.00 sec)

MariaDB [(none)]>

NOW:

MariaDB [(none)]> SELECT PASSWORD('test1234');
+-------------------------------------------+
| PASSWORD('test1234')                      |
+-------------------------------------------+
| *3D3B92F242033365AE5BC6A8E6FC3E1679F4140A |
+-------------------------------------------+
1 row in set (0.00 sec)

MariaDB [(none)]> quit

copied '*3D3B92F242033365AE5BC6A8E6FC3E1679F4140A' to buffer

paste from buffer below, fail

# mysql -u test -p
Enter password:
ERROR 1045 (28000): Access denied for user 'test'@'localhost' (using password: YES)

HUH?

Are you trying to login to mysql using the hash itself?

That won't work, and it's not what you are supposed to be doing as evident by fact you can login using plain password, you're looking in the wrong area, since the database stores passwords hashed, you enter it in, in plain text, the database then does its magic to convert what you entered in, into a hash and does the matching in its own backend, so to speak.

if you put in your dovecot sql file, the vmail password in plain text and not hashed output, it should work, you have to make sure the sql file is chmod 600 so any normal users with access can't read the file(s).

--
Kind Regards,
Noel Butler
Re: migrating 2.1 to 3.x, sql pass scheme, pass value?
hit enter too quickly (I've had one coffee all morning hehe)

On 15/08/2017 08:54, Noel Butler wrote:

> Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.
>
> Type 'help;' or '\h' for help. Type '\c' to clear the current input
> statement.
>
> MariaDB [(none)]>

At this point issue >show databases; the output should include vmail

--
Kind Regards,
Noel Butler
Re: migrating 2.1 to 3.x, sql pass scheme, pass value?
On 15/08/2017 08:18, voy...@sbt.net.au wrote:

> I've also dumped MySQL 'vmail' and imported database, created user vmail,
> vmailadmin
>
> Aug 15 08:05:31 auth-worker(9763): Error: mysql(127.0.0.1): Connect failed
> to database (vmail): Access denied for user 'vmail'@'localhost' (using
> password: YES) - waiting for 1 seconds before retry

Forget looking at dovecot at the moment, your problem maybe mysql (I'd hope you meant mariadb but either way...) use command line mysql as vmail user from your dovecot machine to test password further BEFORE tinkering with dovecot.

~$ mysql -p -v vmail
enter password

If it's all good you'll see :

Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 20970
Server version: 5.5.57-MariaDB Source distribution

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>

If not, look into mysql db and verify vmail user and perms (especially for localhost), ensure you have reloaded privs as well. Set mysql debugging on if need be.

--
Kind Regards,
Noel Butler
Re: dovecot 2.2.31: linking error
On 02/07/2017 03:33, Aki Tuomi wrote: > On July 1, 2017 at 7:23 PM Rupert Gallagher <r...@protonmail.com> wrote: > > I would rather choose what to install. > Sent from ProtonMail Mobile > > On Sat, Jul 1, 2017 at 1:02 PM, Sami Ketola <sami.ket...@dovecot.fi> wrote: > > On 1 Jul 2017, at 13.08, Rupert Gallagher wrote: > > I tried compiling > without "--with-storage=maildir" and it terminated without error. I need to > enforce maildir, however. You can enforce maildir in configuration. Sami > @protonmail.com> Unfortunately it's no longer possible with core storage drivers. Just like passwd backends which we used to be able to select, now, sadly dovecot is bloatware I can compile an entire freaking kernel 35% faster than dovecot :)

--
Kind Regards,
Noel Butler
Re: CVE-2016-8652 in dovecot
On 03/12/2016 12:08, Jeremiah C. Foster wrote: > On Fri, 2016-12-02 at 10:48 +0200, Aki Tuomi wrote: > On 02.12.2016 10:45, Jonas Wielicki wrote: On Friday, 2 December 2016 > 09:00:58 CET Aki Tuomi wrote: We are sorry to report that we have a bug in > dovecot, which > merits a > CVE. See details below. If you haven't configured any > auth_policy_* > settings you are ok. This is fixed with > https://git.dovecot.net/dovecot/core/commit/c3d3faa4f72a676e183f3 > 4be960cff13 > a5a725ae and > https://git.dovecot.net/dovecot/core/commit/99abb1302ae693ccdfe0d > 57351fd42c6 > 7a8612fc > > Important vulnerability in Dovecot (CVE-2016-8562) > Are you sure about the CVE number? According to Debian [1 [1]] and > mitre [2 [2]], it's > for SIEMENS something, not Dovecot. > > best regards, > Jonas Wielicki > > [1]: https://security-tracker.debian.org/tracker/CVE-2016-8562 > [2]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-856 > 2 Ups, sent wrong number, correct is CVE-2016-8652. That is the same number, no?

No, read it again. the wrong and pasted copies are 8 5 62, his revised is 8 6 52

--
Kind Regard,
Noel Butler

Links:
--
[1] https://security-tracker.debian.org/tracker/CVE-2016-8562
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-856
Re: NFSv4 and Maildir
On 01/10/2016 08:27, Joseph Tam wrote:

we have a setup with (CentOS 6) Director+Dovecot, Maildir as storage on NetApp NFS v3. Every time I try to switch to NFS v4 I found issue with lock (and others). So for me NFSv4 with Maildir is "unstable" or need a fine tuning that I don't know.

I found the same thing, and turning off write delegation seemed to have solved the problem. I still don't know why, though.

Joseph Tam

write delegation is disabled by default on NetApp with v4, or have they changed this now?
Re: Deletion of mail from Junk mailbox
On 02/07/2016 19:16, Doug Hardie wrote:

I have a pigeon sieve running which directs some of my received mail to the Junk folder. That works just fine. However, a couple minutes later, it is moved to Deleted mailbox and deleted from Junk. At first I thought my client was doing that so I shut down the client and it still happens. Here are the log entries:

Jul 2 00:36:31 mail dovecot: imap(doug): copy from INBOX: box=Junk, uid=10842, msgid=, size=3340, from="jnilj"
Jul 2 00:36:31 mail dovecot: imap(doug): delete: box=INBOX, uid=55719, msgid= , size=3340, from="jnilj"
Jul 2 00:39:33 mail dovecot: imap(doug): copy from Junk: box=Deleted Messages, uid=31049, msgid= , size=3340, from="jnilj"
Jul 2 00:39:33 mail dovecot: imap(doug): delete: box=Junk, uid=10842, msgid= , size=3340, from="jnilj"
Jul 2 00:50:29 mail dovecot: imap(doug): expunge: box=Junk, uid=10842, msgid= , size=3340, from="jnilj"
Jul 2 00:50:29 mail dovecot: imap(doug): expunge: box=INBOX, uid=55719, msgid= , size=3340, from="jnilj"

Is this the intended way the Junk mailbox is supposed to work? I couldn't find any settings that appear to control (or affect) this behavior.

— Doug

and your dovecot version is?

I suggest you'll also need to show doveconf -n and example of sieve rules, because it doesn't seem right, certainly does not do that here.

--
If you have the urge to reply to all rather than reply to list, you best first read http://members.ausics.net/qwerty/
RE: Postfix and Dovecot LDA vs. LMTP
On 26/06/2016 02:39, Michael Fox wrote:

The most crucial difference is that LDA is intended for delivering email to a *real* user. Aki

Thanks Aki. Pardon my ignorance, but why does it matter? In other words, what is it that makes LDA better for a *real* user and LMTP better for a virtual user?

Thanks, Michael

We've used LDA for virtual users for a very very long time, though we use multiple front ends, each with postfix/dovecot and mysql (replicated DB) they all talk to one big storage backend via NFS (as do the pop3/imap/webmails servers), we looked at lmtp once but saw no advantages given the setup.
Re: Pigeonhole 0.4.13 does not compile against dovecot 2.2.23
On 31/03/2016 11:09, Stephan Bosch wrote:

Pigeonhole needs to be recompiled. Regards, Stephan.

hrmm it was, but process was ampersands so maybe something prior failed and it did not complete make install, it's late so I'll look at it again tomorrow.
Re: Pigeonhole 0.4.13 does not compile against dovecot 2.2.23
On 31/03/2016 02:06, Stephan Bosch wrote: Hi, Op 3/30/2016 om 5:34 PM schreef Juan C. Blanco: Hello, I supose that a new version of pigeonhole is on the way because version 0.4.13 does not compile against dovecot 2.2.23 This is the error that I get gcc -DHAVE_CONFIG_H -I. -I. -I../../.. -I../../.. -I../../../src/lib-sieve -I../../../src/lib-sieve/util -I../../../src/lib-sieve/plugins/environment -I/home/jc/rpmbuild/BUILD/dovecot-2.2.23/src/imap -I/home/jc/rpmbuild/BUILD/dovecot-2.2.23/src/lib-lda -I/home/jc/rpmbuild/BUILD/dovecot-2.2.23/src/lda -I/home/jc/rpmbuild/BUILD/dovecot-2.2.23 -I/home/jc/rpmbuild/BUILD/dovecot-2.2.23/src/lib -I/home/jc/rpmbuild/BUILD/dovecot-2.2.23/src/lib-dict -I/home/jc/rpmbuild/BUILD/dovecot-2.2.23/src/lib-dns -I/home/jc/rpmbuild/BUILD/dovecot-2.2.23/src/lib-http -I/home/jc/rpmbuild/BUILD/dovecot-2.2.23/src/lib-mail -I/home/jc/rpmbuild/BUILD/dovecot-2.2.23/src/lib-imap -I/home/jc/rpmbuild/BUILD/dovecot-2.2.23/src/lib-fs -I/home/jc/rpmbuild/BUILD/dovecot-2.2.23/src/lib-charset -I/home/jc/rpmbuild/BUILD/dovecot-2.2.23/src/lib-auth -I/home/jc/rpmbuild/BUILD/dovecot-2.2.23/src/lib-master -I/home/jc/rpmbuild/BUILD/dovecot-2.2.23/src/lib-ssl-iostream -I/home/jc/rpmbuild/BUILD/dovecot-2.2.23/src/lib-compression -I/home/jc/rpmbuild/BUILD/dovecot-2.2.23/src/lib-settings -I/home/jc/rpmbuild/BUILD/dovecot-2.2.23/src/lib-test -I/home/jc/rpmbuild/BUILD/dovecot-2.2.23/src/lib-sasl -I/home/jc/rpmbuild/BUILD/dovecot-2.2.23/src/lib-stats -I/home/jc/rpmbuild/BUILD/dovecot-2.2.23/src/lib-index -I/home/jc/rpmbuild/BUILD/dovecot-2.2.23/src/lib-storage -I/home/jc/rpmbuild/BUILD/dovecot-2.2.23/src/lib-storage/list -I/home/jc/rpmbuild/BUILD/dovecot-2.2.23/src/lib-storage/index -I/home/jc/rpmbuild/BUILD/dovecot-2.2.23/src/lib-storage/index/raw -I/home/jc/rpmbuild/BUILD/dovecot-2.2.23/src/lib-imap-storage -I/home/jc/rpmbuild/BUILD/dovecot-2.2.23/src/plugins/quota -DPKG_RUNDIR=\"\" -std=gnu99 -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions 
-fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wall -W -Wmissing-prototypes -Wmissing-declarations -Wpointer-arith -Wchar-subscripts -Wformat=2 -Wbad-function-cast -fno-builtin-strftime -Wstrict-aliasing=2 -I/usr/kerberos/include -I../../.. -MT imap-sieve-storage.lo -MD -MP -MF .deps/imap-sieve-storage.Tpo -c imap-sieve-storage.c -fPIC -DPIC -o .libs/imap-sieve-storage.o imap-sieve-storage.c: In function 'imap_sieve_mailbox_transaction_run': imap-sieve-storage.c:595: error: 'struct client' has no member named 'lda_set' make[4]: *** [imap-sieve-storage.lo] Error 1 I don't know what that is, but it is definitely not Pigeonhole 0.4.13. The code it is failing on is a recently added feature (https://tools.ietf.org/html/rfc6785) that currently only lives in git master. Regards, Stephan. Regards. Juan C. Blanco http://dovecot.org/releases/2.2/dovecot-2.2.23.tar.gz http://dovecot.org/releases/2.2/dovecot-2.2.23.tar.gz.sig This is a bugfix-only release with various important fixes on top of v2.2.22. - Various fixes to doveadm. Especially running commands via doveadm-server was broken. - director: Fixed user weakness getting stuck in some situations - director: Fixed a situation where directors keep re-sending different states to each others and never becoming synced. - director: Fixed assert-crash related to a slow "user killed" reply - Fixed assert-crash related to istream-concat, which could have been triggered at least by a Sieve script. Starting dovecot POP3/IMAP daemon... 
doveconf: Error: Couldn't load plugin /usr/lib/dovecot/settings/libmanagesieve_login_settings.so: Module is for different ABI version 2.2.ABIv22(2.2.22) (we have 2.2.ABIv23(2.2.23))
doveconf: Error: Couldn't load plugin /usr/lib/dovecot/settings/libmanagesieve_settings.so: Module is for different ABI version 2.2.ABIv22(2.2.22) (we have 2.2.ABIv23(2.2.23))
doveconf: Error: Couldn't load plugin /usr/lib/dovecot/settings/libpigeonhole_settings.so: Module is for different ABI version 2.2.ABIv22(2.2.22) (we have 2.2.ABIv23(2.2.23))
doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf line 232: Unknown setting: managesieve_logout_format
Failed.
Re: Email hosting provider
On 28/03/2016 01:09, Andrew McGlashan wrote: I love this on your about page: On 27/03/2016 3:14 PM, Noel Butler wrote: I don't need to understand German law, thats what my Frankfurt lawyers do, I'd trust our data privacy far more in our Frankfurt site, then I would ever trust US or UK, or AU. "Ausics.* services are purely free and non commercial offerings, run and funded by Brisbanite Noel Butler as a hobbyist service, it remains separate from any commercial services, hosting or otherwise, and is maintained by only a small group of people who may or may not have a life, so just in case, please be patient if you need to contact us. " .. but "All key services are in-house in Brisbane " I was wondering about your preference for German servers / services. ? No problems, my reference to Frankfurt storage refers to a "commercial operation" certainly not the hobby one :) Cheers A. -- If you have the urge to reply to all rather than reply to list, you best first read http://members.ausics.net/qwerty/
Re: Email hosting provider
On 26/03/2016 17:04, Stephan von Krawczynski wrote: On Sat, 26 Mar 2016 13:34:34 +1000 Noel Butler <noel.but...@ausics.net> wrote: On 21/03/2016 17:06, Andre Rodier wrote: > Hello, > > Sorry if I am off topic a little. > > I am looking for an email host provider that supports dovecot, sieve > and manage sieve. Ideally with the roundcube webmail and managesieve > plugin > > Better if it is in Europe or switzerland. I don't mind paying a little. > > Thanks, > André. Hi Andre, see www.webhostingtalk.com There are a number of reliable and reasonable priced hosts in Germany (best place if you value your privacy) and Netherlands. You mean "best place if you have no idea of the german laws and whats really going on" ... I don't need to understand German law, thats what my Frankfurt lawyers do, I'd trust our data privacy far more in our Frankfurt site, then I would ever trust US or UK, or AU. -- If you have the urge to reply to all rather than reply to list, you best first read http://members.ausics.net/qwerty/
Re: Email hosting provider
On 21/03/2016 17:06, Andre Rodier wrote: Hello, Sorry if I am off topic a little. I am looking for an email host provider that supports dovecot, sieve and manage sieve. Ideally with the roundcube webmail and managesieve plugin Better if it is in Europe or switzerland. I don't mind paying a little. Thanks, André. Hi Andre, see www.webhostingtalk.com There are a number of reliable and reasonable priced hosts in Germany (best place if you value your privacy) and Netherlands. -- If you have the urge to reply to all rather than reply to list, you best first read http://members.ausics.net/qwerty/
Re: NetApp NFS vs. ZFS and NFS for Maildir
It seems its troll time again on this list, ohh maybe its Harry in disguise... So I will play along, for today anyway :) On 19/03/2016 18:11, Stephan von Krawczynski wrote: On Sat, 19 Mar 2016 17:37:04 +1000 Noel Butler <noel.but...@ausics.net> wrote: On 14/03/2016 18:49, Stephan von Krawczynski wrote: > >> >> and you've never seen these cause problems with FS? then you must be >> a >> newbie, in over 25 years I've seen it happen several times - yes even >> after an apparent controlled shutdown. > > Maybe you're doing something wrong then. because in my last 21 years > working > exactly in this business I've not seen a single deadly fs-crash because > of a > power-outage. Not one. And we had of course several, all backed by UPS. Consider yourself lucky, Most network admins whove been around large busy ISP DC's have seen this in their lifetime, to not have seen one is rare, go buy yourself a lotto ticket :) > > If your servers get drowned with water during a fire your fs is > probably the > least of your worries. You don't really plan to re-enable servers with > water- or fire-damage, do you? That's probably why there shouldn't be a > fireman pouring water in the first place. This shows you dont understand structural engineering, the fire does not have to be on your floor, it can be far away as two or so levels above, with the high pressure water used - equating to a shitload of water, there are ducts, shafts, other risers and so on that with a shit-tone of water can easily penetrate fireblocks of floors below - dont take my work, go ask a fireman, or maybe watch the nightly news sometime (building fire - many levels water affected blah blah blah)... so keeping those boxes on via UPS's is asking for lots of charcoaled boards and fried drives. IOW, total stupidity. Should those machines be depowered as required by our building codes, well, might take a few days of drying out but at least they will power back up without error - yes, done it in risk assessments. 
Obviously you must work for people that have not the slightest idea about using hardware in a correct way and don't know when the time has come to throw it away. Man, there is no way to let a drowned box survive. It is not back to Wow, how long did you allege to have been in network/sys admin? 20 years? Really? I think you made a typo and and it should have read 20 minutes, ya know I have refrained from posting no here for a long time (apart from fact I rarely read the list), and I was not going to feed the trolls, but sometimes the smart mouthed know nothing, need to bitch slap upside the head so thats why I am devoting about 60 seconds to you. Of course there is, networks dont throw away many hundreds of servers valued $7K to $10K, nor $100K+ storage systems, or $40K routers, LB's or switches, just because they got drenched - with power isolated. normal when it is dry. If you don't get that I am pretty happy to be no customer. This can only be an idea born in the sick mind of a controller who You will never be a customer _or_employee_ of mine, trust me on that one! didn't want to pay insurance in the first place. We are talking about serious Got nothing to with insurance, it might take 2 days to dry out and get back up and running, it will take an awful lot longer to get offsite backups and restore every last one of them. I hope your employer reads this list, because he/she should be seeing alarm bells from your comments. corrosion effects here let alone that you have a hard time even knowning when yep, you sure did fail basic engineering your boxes are really dry. Your fireman on the other hand seem to be stuck in the 80ths. Today there are solar panels almost everywhere _which you cannot turn off_. 
Wow, you really are clutching the fantasy straws arnt you, perhaps your country lacks modernisation, I can go to the side of my house and isolate the panels with a flick of a switch, strangely enough and I guess in your eyes horrifyingly called "solar isolator" that stops the panels providing power to my electrical circuits, yes, there might be power from panels to it, but thats not going to affect my power circuits or equipment -- If you have the urge to reply to all rather than reply to list, you best first read http://members.ausics.net/qwerty/
Re: NetApp NFS vs. ZFS and NFS for Maildir
On 14/03/2016 18:49, Stephan von Krawczynski wrote: and you've never seen these cause problems with FS? then you must be a newbie, in over 25 years I've seen it happen several times - yes even after an apparent controlled shutdown. Maybe you're doing something wrong then. because in my last 21 years working exactly in this business I've not seen a single deadly fs-crash because of a power-outage. Not one. And we had of course several, all backed by UPS. Consider yourself lucky, Most network admins whove been around large busy ISP DC's have seen this in their lifetime, to not have seen one is rare, go buy yourself a lotto ticket :) If your servers get drowned with water during a fire your fs is probably the least of your worries. You don't really plan to re-enable servers with water- or fire-damage, do you? That's probably why there shouldn't be a fireman pouring water in the first place. This shows you dont understand structural engineering, the fire does not have to be on your floor, it can be far away as two or so levels above, with the high pressure water used - equating to a shitload of water, there are ducts, shafts, other risers and so on that with a shit-tone of water can easily penetrate fireblocks of floors below - dont take my work, go ask a fireman, or maybe watch the nightly news sometime (building fire - many levels water affected blah blah blah)... so keeping those boxes on via UPS's is asking for lots of charcoaled boards and fried drives. IOW, total stupidity. Should those machines be depowered as required by our building codes, well, might take a few days of drying out but at least they will power back up without error - yes, done it in risk assessments. -- If you have the urge to reply to all rather than reply to list, you best first read http://members.ausics.net/qwerty/
Re: NetApp NFS vs. ZFS and NFS for Maildir
On 14/03/2016 09:59, Stephan von Krawczynski wrote: On Mon, 14 Mar 2016 09:32:42 +1000 Noel Butler <noel.but...@ausics.net> wrote: On 13/03/2016 20:47, Stephan von Krawczynski wrote: > On Sun, 13 Mar 2016 09:45:06 + > James <li...@xdrv.co.uk> wrote: > >> On 11/03/2016 15:17, Stephan von Krawczynski wrote: >> >> > zfs set sync=disabled ? >> >> Only if you are happy to loose data on power failure. > > I don't know the actual setup, but if you have no UPC you shouldn't > host email > services anyway. I'm guessing you meant UPS, anyway, a UPS wont protect you from human error. Also, most buildings, at least in this country, have a fire emergency shutoff requirement, meaning mains is isolated from the building, and the back up gennies are also forbidden to be engaged - UPS's dont last forever. Guys, please don't argue on kindergarten level. The UPS is for backing a sudden death, but not for running five days. Of course you can do a controlled shutdown if battery level falls below a trigger value. And this is about all you need: control. There is no fs error as long as you perform a regular and you've never seen these cause problems with FS? then you must be a newbie, in over 25 years I've seen it happen several times - yes even after an apparent controlled shutdown. shutdown. If UPS-backup is forbidden in your country then I suggest moving to civilized regions of the planet ;-) Now whos on kindergarten level, do you really want fireman pouring water on fire on a level of a building thats powered up because some lamer has a generator running? really? I'm sure those firemen would gladly hand YOU the hose, the best UPS systems runtime we've seen under average load for a large ISP data centre is 21 mins, usually ample time to allow the generators to start up, come to full power, and switch in taking over the load, but thats not going to help during a building fire, once their depleted, their depleted. 
-- If you have the urge to reply to all rather than reply to list, you best first read http://members.ausics.net/qwerty/
Re: NetApp NFS vs. ZFS and NFS for Maildir
On 13/03/2016 20:47, Stephan von Krawczynski wrote:

On Sun, 13 Mar 2016 09:45:06 + James wrote:

On 11/03/2016 15:17, Stephan von Krawczynski wrote:

> zfs set sync=disabled ?

Only if you are happy to lose data on power failure.

I don't know the actual setup, but if you have no UPC you shouldn't host email services anyway.

I'm guessing you meant UPS, anyway, a UPS won't protect you from human error. Also, most buildings, at least in this country, have a fire emergency shutoff requirement, meaning mains is isolated from the building, and the back up gennies are also forbidden to be engaged - UPS's don't last forever.

--
If you have the urge to reply to all rather than reply to list, you best first read http://members.ausics.net/qwerty/
Re: Ubuntu packages
On 06/03/2016 04:18, Robert Schetterer wrote: for paranoid people, create you own repo and for info dovecot had nice compiled from scratch to me in the past too The only way to use dovecot IMHO is by source, you build in what you want and omit the junk (that some repo packagers want to include - because they need cater for many scenarios) that you have no need for, sadly though, dovecot has lapsed a bit in security in this respect since we used to be able to disable all non-wanted password types, but now we have many of them non configurable and get them built in whether we like it or not, its one of two gripes I've had with dovecot 2.x, otherwise, reasonable happy with it now days. -- If you have the urge to reply to all rather than reply to list, you best first read http://members.ausics.net/qwerty/
Re: severe fork() problems with new dovecot server
On 02/03/2016 05:11, J. Niklas wrote:

On 01.03.2016 18:21, Dolf Schimmel wrote:

Recently I played around a little with cgroups where you can limit the max number of processes per cgroup. Could it be that, perhaps, you've stumbled upon such a limit? Systemd does contain all services by default in their own cgroup afaik, so it could be that you're using it unknowingly.

Yes, yes, \o/ ;-)

#> systemctl status dovecot.service
* dovecot.service - Dovecot IMAP/POP3 email server
   Loaded: loaded (/lib/systemd/system/dovecot.service; enabled; vendor preset: enabled)
  Drop-In: /etc/systemd/system/dovecot.service.d
           `-ulimits.conf
   Active: active (running) since Tue 2016-03-01 15:28:29; 4h 24min ago
 Main PID: 10098 (dovecot)
    Tasks: 204 (limit: 512)
   CGroup: /system.slice/dovecot.service

There is my "512". The way of systemd, ignoring all the config stuff that has been there for decades while imposing its own, complex and very sparsely documented ruleset on top is beginning to seriously annoy me. At least I would have expected some sort of syslog message.

Just for the records, this can be changed by adding e.g.

TasksMax=4096

to the /etc/systemd/system/dovecot.service.d/ulimits.conf I cited in my OP. Now I'll have to wait and see how things will evolve tomorrow.

Thank you so much for the great hint!

even more proof that systemd is evil

--
If you have the urge to reply to all rather than reply to list, you best first read http://members.ausics.net/qwerty/
Re: To what extent does/will Dovecot depend on systemd? was systemd changes...
On 22/02/2016 17:14, Aki Tuomi wrote: On 21.02.2016 19:10, Steve Litt wrote: On Sun, 21 Feb 2016 10:03:15 +0100 Thomas Leuxnerwrote: [snip] https://github.com/dovecot/core/commit/53cc71cae88ee81fd7eae47aed743496f8c884a2 [snip] The PID-File seems to be expected under yet another sub-dir of /var/run/dovecot. I wasn't aware that any Dovecot functionalities have become dependent on systemd. Is this discussion simply about the unit file and PID file location for Dovecot under systemd's process manager, or is Dovecot starting to acquire systemd dependencies that will make it difficult to run without systemd in the future? Thanks, SteveT Steve Litt February 2016 featured book: The Key to Everyday Excellence http://www.troubleshooters.com/key We do not depend on systemd, but unit files are provided and automatically installed if enabled. Aki That's excellent news, because hell will freeze over before systemd is introduced to official slackware releases -- If you have the urge to reply to all rather than reply to list, you best first read http://members.ausics.net/qwerty/
Re: Enterprise Repository Access?
On 09/01/2016 22:06, mj wrote:

Compiling our own dovecot for production use sounds less appealing,

What's so un-appealing about building from source? It's then perfectly matched to your system. Admittedly I can build kernels faster than latest dovecot's, but that's just the "make time"

./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --with-mysql --without-pam --without-shadow --without-bsdauth

is done in seconds... Nothing at all hard about that.

--
If you have the urge to reply to all rather than reply to list, you best first read http://members.ausics.net/qwerty/
Re: [Dovecot] 2.2.9
On Sat, 2013-11-23 at 02:29 +0100, Benny Pedersen wrote:

Nick Edwards wrote on 2013-11-22 17:17:

I need a drink

if you can find some to drink with, all problems with dovecot will come back tomorrow :=) i just made another sieve rule now

What has this to do with dovecot? Take your trolling off list please. I'm starting to regret defending you against Harald, perhaps it's YOU who should be booted and not him

Nick's right about one thing though, you seem to have not taken your medicated lately Benny. (although you don't blindly go around abusing people on every list, and in CC's and private, so we won't blacklist you :) )
Re: [Dovecot] 2.2.9
On Fri, 2013-11-22 at 10:14 +0100, Ralf Hildebrandt wrote:

* Thomas Leuxner t...@leuxner.net:

* Ralf Hildebrandt ralf.hildebra...@charite.de 2013.11.22 09:44:

Which patch?

http://www.dovecot.org/list/dovecot/2013-November/093654.html Pigeonhole related patches.

Damn. Those are biting me as well :/

These would be found if Timo reverted back to issuing RC's before any official release, to iron out the niggly off-putting bugs, like most software does, or gets his devs and a community of official testers each with wildly different configurations and set ups, ASF have an excellent model that could be followed, bunch of devs and testers who each report on different distros and configs, why? because no single dev can imagine and test every possible configuration.

it might just save dovecot's good name, I recall a lot of damage was done to that in the circles I'm in when 2.0 was released with patches nearly every few days and weeks, I know a few ISP's and businesses that went back to courier or Wu's because major bugs were getting in often, though it has been a lot better since 2.1 series, until this release that is :)
Re: [Dovecot] 2.2.9
On Sat, 2013-11-23 at 04:06 +0200, Timo Sirainen wrote:

but there are about 3 of you who nowadays constantly seem to be wasting my time on thinking about it.

no doubt, despite my one single post to them in long time, but being informed that my name has been dragged into their shit fight a few times, you of course include me in this gang of 3, frankly, I've had a gutful of your lengthy vendetta, it is after all why I rarely waste my time here and those I've helped have mostly been via private anyway, now, my time for lists is being more rare these days, I have far more important activities to worry about in life, so it is with much pleasure I inform you that you will need to find some other poor sucker to blame for the trolls and idiots, I am removing myself from the dovecot community forthwith, well, in 3 minutes, enough time for this message to make it through mailman before I confirm unsub :)

oh before I go, ya know, if you reigned in the regular offenders like other lists, nobody else would have needed to.
Re: [Dovecot] Dovecot 2.0.9 Quota Limit issues
On Tue, 2013-11-12 at 10:00 -0800, David Johnson wrote:

Hello, I've tried searching for information regarding this problem but haven't found anything. Currently I have a Dovecot 2.0.9 with virtual users from a SQL table. Right now I'm only using global quota limits. Here is my quota setup:

2.0.9 is ancient and unsupported, but if it ain't broke, who cares, so

plugin {
  quota = maildir:User quota
  quota_rule = *:storage=3G
  quota_rule2 = Trash:storage=+100M
  quota_rule3 = Archive:storage=+1G
  quota_rule4 = Archive/2013:storage=+1G
  quota_rule5 = Junk:ignore

Have you tried commenting out the Archive/2013 rule? This might be the conflict, it's like saying OS / = 1G but /home can have 3, kind of doesn't work :) the rest looks ok to me

According to the documentation this should allow the Archive folder to have an additional 1G in it that is not counted toward the global 3G. However I have users who have 2G in the Archive folder, and about 1G elsewhere. At this point they stop receiving emails due to quota exceeded. doveadm quota get -u user displays this:

Quota name  Type     Value    Limit    %
User quota  STORAGE  3150312  3145728  100
User quota  MESSAGE  8271     -        0

If I change Archive:storage=+1G to Archive:ignore then they can receive emails again. After the change doveadm quota get -u displays this:

Quota name  Type     Value    Limit    %
User quota  STORAGE  1266885  3145728  40
User quota  MESSAGE  8271     -        0

Is there something I'm missing as to why this setup isn't working? Thanks!

--
David J.
Re: [Dovecot] blames for using maillists ?
On 12/11/2013 05:59, Benny Pedersen wrote:

why do you not simply shut up?

# sieve rule
require ["imap4flags"];
# rule:[reindl]
if allof (header :contains "From" "h.rei...@thelounge.net") {
    setflag ["\\Seen","\\Flagged"];
    stop;
}

haha is this jackass still polluting the list? Better still to forward to his upstream provider

if allof (header :contains "From" "thelounge.net", header :contains "From" "rhsoft.net") {
    redirect "ab...@inode.at";
}
Re: [Dovecot] Dovecot MTA
On 12/11/2013 04:28, Benny Pedersen wrote:

Edwardo Garcia wrote on 2013-11-11 11:58:

But is dovecot job to authenticate, mysql replicate fine, it is dovecot that is not fine by ignoring desire effect by only talk localhost and not any other unless localhost auth not respond.

so move to postgresql/mysql backend and change from dovecot to dbmail ? why blame dovecot for using fs mail store ? is your problem unstable nfs ? give up and get google app mx :)

WTF drugs are you on? Or maybe it's more to the point of what medication you're not taking.

Briefly reading, he's talking about the same problem I and a few others have brought up in the past (I gave up on it since Timo made it very clear he has no interest at all and Edward is really wasting his time) *dovecot authentication for users* unless I missed something, possible, so much noise on this list I rarely bother to read it anymore, and this morning's reading reaffirms why I don't
Re: [Dovecot] Problem with master user
doveconf -n output is ordinarily required however, at a guess, you have not defined auth_master_user_separator

On 08/11/2013 20:05, Jakub Krzyżewski wrote:

Hello. I have problem as below:

Nov 8 10:41:52 store1 dovecot: auth: Debug: auth(mas...@example.com,::1,master,/qEuMafqyAAB): Master user lookup for login: jkr...@example.com
Nov 8 10:41:52 store1 dovecot: auth: Debug: passwd-file(mas...@example.com,::1,master,/qEuMafqyAAB): lookup: user=mas...@example.com file=/etc/dovecot/master-users
Nov 8 10:41:52 store1 dovecot: auth: Debug: password(mas...@example.com,::1,master,/qEuMafqyAAB): Generating DIGEST-MD5 from user 'master', password 'test'
Nov 8 10:41:52 store1 dovecot: auth: passdb(mas...@example.com,::1,master,/qEuMafqyAAB): Master user logging in as jkr...@example.com
Nov 8 10:41:52 store1 dovecot: auth: Debug: ldap(jkr...@example.com,::1,/qEuMafqyAAB): pass search: base=dc=example,dc=com scope=subtree filter=((locMailActive=TRUE)(| (uid=jkr...@example.com)(uid=jkrzyz)(mailRoutingAddress=jkr...@example.com))) fields=mailRoutingAddress,userPassword
Nov 8 10:41:52 store1 dovecot: auth: Debug: ldap(jkr...@example.com,::1,/qEuMafqyAAB): result: mailRoutingAddress=jkr...@example.com userPassword=test2
Nov 8 10:41:52 store1 dovecot: auth: Debug: password(jkr...@example.com,::1,/qEuMafqyAAB): Generating DIGEST-MD5 from user 'master', password 'test2'
Nov 8 10:41:52 store1 dovecot: auth: Debug: password(jkr...@example.com,::1,/qEuMafqyAAB): Credentials: d64221d543d7c9a809c7d6e424d87be8
Nov 8 10:41:52 store1 dovecot: auth: digest-md5(jkr...@example.com,::1,/qEuMafqyAAB): password mismatch

As you can see, password is checked against user passdb and not passwd-file, where master's password is stored. Test is password of master user, test2 is password of jkrzyz. Setting pass=yes or no makes no difference. What is wrong with my config?

dovecot --version
2.1.7

dovecot.conf snippet:

passdb {
  args = scheme=PLAIN /etc/dovecot/master-users
  driver = passwd-file
  master = yes
  pass = yes
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
userdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}

/etc/dovecot/master-users:

master:{PLAIN}test
mas...@example.com:{PLAIN}test
Re: [Dovecot] Best way from Mbox to Maildir using 2.17?
On 05/11/2013 17:30, SATOH Fumiyasu wrote:

At Tue, 5 Nov 2013 08:10:46 +0100 (CET), Steffen Kaiser wrote:

http://batleth.sapienti-sat.org/projects/mb2md/

The program has at least 2 bugs in it:

. If the body has paragraph break (i.e., '\n') followed by the RFC822 keyword 'From', the original message will lose the last half of the message and a phantom message will be created. Change from my notes:

# if ( /^From /
# -to-
# if ( /^From .*? \d\d:\d\d:\d\d \d\d\d\d/

. I never could figure out where the second bug was. This one created some messages with blank subject lines.

You have a badly formatted mbox file, if there is such distinction necessary:

No. There are some variants of mbox format. See https://en.wikipedia.org/wiki/Mbox#Family

RFC 4155

o Each message in the mbox database MUST be immediately preceded by a single separator line, which MUST conform to the following syntax: The exact character sequence of From; a single Space character (0x20); the email address of the message sender (as obtained from the message envelope or other authoritative source), conformant with the addr-spec syntax from RFC 2822;

http://manpages.ubuntu.com/manpages/precise/man5/mbox.5.html

In order to avoid misinterpretation of lines in message bodies which begin with the four characters From, followed by a space character, the mail delivery agent must quote any occurrence of From at the start of a body line.
Re: [Dovecot] Best way from Mbox to Maildir using 2.17?
On 05/11/2013 19:44, Bernd Petrovitsch wrote: On Mon, 2013-11-04 at 19:29 +1000, Noel Butler wrote: [...] think in postfix home_mailbox = Maildir/ will do it, with sendmail its much more tricky and your best sticking with mbox, if exim, NFI - dont Or - strategically - you use dovecot's LDA which should know where to throw the mails in. but using system users, you wouldnt use dovecot's LDA :)
Re: [Dovecot] Best way from Mbox to Maildir using 2.17?
On 05/11/2013 20:11, Daniele Nicolodi wrote: On 05/11/2013 11:04, Noel Butler wrote: but using system users, you wouldnt use dovecot's LDA :) Why not? pure overkill, your MTA already knows where it goes, it doesnt need to do any special lookups, would you use postfix virtual, to deliver local user? no, of course you wouldnt :)
Re: [Dovecot] Best way from Mbox to Maildir using 2.17?
On 05/11/2013 22:04, Daniele Nicolodi wrote: On 05/11/2013 12:24, Noel Butler wrote: On 05/11/2013 20:11, Daniele Nicolodi wrote: On 05/11/2013 11:04, Noel Butler wrote: but using system users, you wouldnt use dovecot's LDA :) Why not? pure overkill, your MTA already knows where it goes, it doesnt need to do any special lookups, would you use postfix virtual, to deliver local user? no, of course you wouldnt :) Using dovecot-lda has nothing to do with postfix virtual users, it is the only way I know to use sieve filtering and have messages indexed at delivery. Cheers, Daniele again, overkill, system users means users have full access to system account and can write procmail rules, if you dont allow that access, then you dont trust them, so you should be using virtual users.
Re: [Dovecot] Best way from Mbox to Maildir using 2.17?
On 06/11/2013 05:08, Benny Pedersen wrote:

Noel Butler wrote on 2013-11-05 12:24:

On 05/11/2013 20:11, Daniele Nicolodi wrote:

On 05/11/2013 11:04, Noel Butler wrote:

pure overkill, your MTA already knows where it goes, it doesnt need to do any special lookups, would you use postfix virtual, to deliver local user? no, of course you wouldnt :)

one day postfix will as exim support sieve, just wait :)

why would I wait, we use postfix and only in virtual users, very zippy, very resource nice, makes us very happy, but maybe you were meaning something else, as I've just woken up so off to have some coffee, It might click later on :)
Re: [Dovecot] Best way from Mbox to Maildir using 2.17?
On 04/11/2013 14:33, Regan Yelcich wrote:

On 2/11/2013, at 11:40 pm, Noel Butler noel.but...@ausics.net wrote:

On 02/11/2013 20:25, Regan Yelcich wrote:

Can someone advise the best way to convert mailboxes from Mbox to Maildir for Dovecot 2.17 on Ubuntu? Thanks.

mb2md.pl http://batleth.sapienti-sat.org/projects/mb2md/

I don't need to do anything specific for Dovecot? It'll see the new Maildir account and automatically create the indexes etc?

IIRC it shows you how to use it, you need to indicate where the new maildir is, if you have only a few, do them all manually, if you have many, write a quick bash or perl script to do them, and dovecot will create the indexes when they login.

You will need to tell dovecot to look for the new location though, if you're using system users as I suspect you are, then maildir:~/Maildir should do it *but* don't forget to make sure your MTA knows to use maildir as well, I've not worked with system users for a decade, but I think in postfix home_mailbox = Maildir/ will do it, with sendmail it's much more tricky and you're best sticking with mbox, if exim, NFI - don't use it :)
Re: [Dovecot] Best way from Mbox to Maildir using 2.17?
On 05/11/2013 01:16, Mark Moore wrote:

mb2md.pl http://batleth.sapienti-sat.org/projects/mb2md/

The program has at least 2 bugs in it:

. If the body has paragraph break (i.e., '\n') followed by the RFC822 keyword 'From', the original message will lose the last half of the message and a phantom message will be created. Change from my notes:

# if ( /^From /
# -to-
# if ( /^From .*? \d\d:\d\d:\d\d \d\d\d\d/

. I never could figure out where the second bug was. This one created some messages with blank subject lines.

Never noticed this, but, it was a very very long time ago I last used it, and since most users over here have always been pop3, probably never had many to convert in the first place when I did use it, so risk was so low. I think it was around the time we merged, and had to combine sendmail/dovecot and qmail/vpopmail/dovecot systems into just a postfix/dovecot solution, either we fluked it, or any affecteds didn't bother to report it.

Another annoyance was prefixing the newly created mail folders with a '.'

As Charles has already mentioned, that's how Maildir works
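The separator problem discussed in the two messages above (a body line starting with "From " being taken for a new message), shown as an added example that is not code from mb2md or from anyone in the thread. The two patterns are the ones quoted from Mark Moore's notes; the sample mailbox is constructed, and the unquoting step assumes the mbox was written with the ">From " quoting that the cited mbox(5) text describes.

```python
import re

# The two separator tests from the notes quoted in the thread.
NAIVE_FROM = re.compile(r"^From ")
STRICT_FROM = re.compile(r"^From .*? \d\d:\d\d:\d\d \d\d\d\d")

# Constructed sample: message 1 has an unquoted body line starting with
# "From ", message 2 has a body line the delivery agent quoted as ">From ".
SAMPLE_MBOX = """\
From alice@example.com Tue Nov  5 08:10:46 2013
From: alice@example.com
Subject: report

Numbers attached.

From what I can tell the totals are right.
Regards, Alice

From bob@example.com Tue Nov  5 09:00:00 2013
From: bob@example.com
Subject: quoting

>From here on the MDA quoted the line.
"""


def split_mbox(text, separator):
    """Split mbox text into messages at every line the separator matches."""
    messages, current = [], None
    for line in text.splitlines():
        if separator.match(line):
            if current is not None:
                messages.append(current)
            current = {"from_line": line, "lines": []}
        elif current is not None:
            current["lines"].append(line)
    if current is not None:
        messages.append(current)
    return messages


def parse_message(msg):
    """Return headers (lower-cased names) and the body with From-quoting undone."""
    headers, body_start = {}, len(msg["lines"])
    for i, line in enumerate(msg["lines"]):
        if line == "":
            body_start = i + 1
            break
        name, sep, value = line.partition(":")
        if sep and name and " " not in name:
            headers[name.lower()] = value.strip()
    # Strip one ">" from ">From " / ">>From " lines (assumed quoting scheme).
    body = [re.sub(r"^>(>*From )", r"\1", l) for l in msg["lines"][body_start:]]
    return {"headers": headers, "body": body}


def find_phantoms(messages):
    """Separator lines of fragments that carry no header block at all."""
    return [m["from_line"] for m in messages if not parse_message(m)["headers"]]


if __name__ == "__main__":
    for label, pattern in (("naive", NAIVE_FROM), ("strict", STRICT_FROM)):
        msgs = split_mbox(SAMPLE_MBOX, pattern)
        print(label, len(msgs), "messages, phantoms:", find_phantoms(msgs))
```

Running a phantom check like this over a converted mailbox before deleting the original mbox shows whether any message was cut in two.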
Re: [Dovecot] Best way from Mbox to Maildir using 2.17?
On 02/11/2013 20:25, Regan Yelcich wrote: Can someone advise the best way to convert mailboxes from Mbox to Maildir for Dovecot 2.17 on Ubuntu? Thanks. mb2md.pl http://batleth.sapienti-sat.org/projects/mb2md/
Re: [Dovecot] OT: PHP session data storage
On 29/10/2013 10:10, Michael Orlitzky wrote:

On 10/28/2013 04:10 PM, Reindl Harald wrote:

php_admin_value open_basedir /var/www/$domain/$host/
php_admin_value upload_tmp_dir /var/www/$domain/$host/tmp
php_admin_value session.save_path /var/www/$domain/$host/tmp
php_admin_value sys_temp_dir /var/www/$domain/$host/tmp

oh no - do *not* place the session data anywhere inside open_basedir this is one of the worst things you can do because any otherwise harmless script bypassed whatever security restriction will be able to read *any* session data

You have a point, but I wouldn't go as far as to say it's one of the worst things you can do. If a vulnerable PHP script allows an attacker to (at least try to) read arbitrary files, then it's possible to read session data that lies within open_basedir. Note that they can already read your database credentials out of config.php at that point.

But, if you put the session data under open_basedir, then it's easy to restrict access to the entire /var/www/example.com hierarchy to the one user that needs it: www.example.com. In the scenario I described, I'm able to tell our customers that their websites are physically separated from our other customers. If there's a vulnerability in someone else's site, the kernel (via filesystem ACLs) will prevent it from affecting yours. The web user for example.NET truly cannot even traverse /var/www/example.COM, where everything important to you is stored.

This is robust against Apache, Ruby, Python, etc. vulnerabilities as well -- not just PHP. I already mentioned that I don't trust PHP. Our sites would be just as secure if open_basedir stopped working tomorrow, since the filesystem ACLs are what we trust to work. So, we trade the potential to read sessions for that peace of mind. Not trying to downplay your complaint, just pointing out another POV.

Some time ago, we too, evaluated the pros and cons given our design, and we too, decided on the lesser evil and keep it under open_basedir, have done for many many years without problem, of course I'm not so naive to think it may never one day be a problem for a single host, when running shared hosting there are always risks, in everything.
Re: [Dovecot] Encryption solution for messages at rest
On 29/10/2013 03:19, Robert Schetterer wrote:

https://perot.me/encrypt-specific-incoming-emails-using-dovecot-and-sieve

I got worried, laughed, and stopped reading at: not only do you not have to edit any Postfix configuration (which by itself is an exercise in patience),

As you know, postfix can be done in your sleep, if he thinks he needs patience to do postfix, I should introduce him to sendmail configuration (which I also think is easy - but having used it for 15 years before moving to postfix, I guess it would want to be easy LOL) :)
Re: [Dovecot] pigeonhole sources no more available
u someone doesn't use DNSSEC... it's been hijacked me thinks http://www. medicalbits. nl/ really? :)

On Tue, 2013-10-29 at 14:05 +1100, m...@electronico.nc wrote:

Hi all, Please excuse me for this message but I can't find the pigeonhole sources available anymore.

This page : http://pigeonhole.dovecot.org/download.html
Points to (for latest sources) : http://www.rename-it.nl/dovecot/2.2/dovecot-2.2-pigeonhole-0.4.2.tar.gz
And it seems that : www.rename-it.nl is now : http://www.medicalbits.nl

So we get 404 error ... Could someone point us to the right URL and, maybe, update pigeonhole.dovecot.org ? Thanks in advance for your time. Nicolas
Re: [Dovecot] Strange output from LIST command
On 25/10/2013 17:20, azurIt wrote:

From: Noel Butler noel.but...@ausics.net
To: dovecot@dovecot.org
Date: 25.10.2013 00:42
Subject: Re: [Dovecot] Strange output from LIST command

On 24/10/2013 23:48, azurIt wrote:

How am I supposed to know that my report was even noticed by any developer? azur

http://dictionary.reference.com/browse/patience

This is NOT about patience. azur

of course it is, you report an alleged bug, now you wait until developer notes, and attempts to reproduce it, and if he can commits a fix, else he will tell you he can not reproduce it. I do see your point about needing confirmation the report was made, it's why we use bugzilla, it would be beneficial if Timo did as well, but he chooses not to, he did give a reason for this, but it was many many years ago when he had more free time, now his time is scarce, one day he may reconsider it, so in meantime you need to wait it out, hence, patience.

Dovecot does have a commercial side as Steffen alluded to, so if your bug is debilitating your business, you could always engage the commercial side of Dovecot, the fix which obviously is not affecting the masses, would likely gain priority.
Re: [Dovecot] Strange output from LIST command
On 24/10/2013 23:48, azurIt wrote: How am i suppose to know that my report was even noticed by any developer? azur http://dictionary.reference.com/browse/patience
Re: [Dovecot] fstat() errors on /srv/mail/username/dovecot.index.log
Zach, Thanks for following up with the list, though I dont and wont touch anything debian/insert-variant-distro-here, there are plenty here who do, and may in time appreciate your feedback if they strike same. On 23/10/2013 00:14, Zach La Celle wrote: On 10/17/2013 09:23 AM, Zach La Celle wrote: On 10/17/2013 05:25 AM, Noel Butler wrote: On 17/10/2013 00:08, Zach La Celle wrote: Dovecot version 2.1.7 Ubuntu 12.04.3 LTS Kernel 3.2.0-35-generic x86_64 I'm not sure exactly when this started occurring, but sporatically users report issues receiving email, having email saved to Sent, etc. Looking in dovecot.log, I see the following errors: 2013-10-16 09:53:20 imap-login: Info: Login: user=user1, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=27434, secured, session=PnoiBtzoBgB/AAAB 2013-10-16 09:53:20 imap(user1): Info: Disconnected: Logged out in=93 out=846 2013-10-16 09:53:21 imap(user2): Info: Disconnected: Logged out in=3616 out=495 2013-10-16 09:53:24 imap-login: Info: Login: user=user3, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=27436, secured, session=jE5kBtzoBwB/AAAB 2013-10-16 09:53:24 imap(user3): Info: Disconnected: Logged out in=93 out=819 2013-10-16 09:53:33 imap(user4): Error: fstat() failed with file /srv/mail/user4/dovecot.index.log: No such file or directory 2013-10-16 09:53:33 imap(user4): Error: fstat() failed with file /srv/mail/user4/dovecot.index.log: No such file or directory 2013-10-16 09:53:33 imap(user4): Error: fstat() failed with file /srv/mail/user4/dovecot.index.log: No such file or directory 2013-10-16 09:53:33 imap(user4): Error: fstat() failed with file /srv/mail/user4/dovecot.index.log: No such file or directory 2013-10-16 09:53:33 imap(user4): Error: fstat() failed with file /srv/mail/user4/dovecot.index.log: No such file or directory 2013-10-16 09:53:33 imap(user4): Error: fstat() failed with file /srv/mail/user4/dovecot.index.log: No such file or directory 2013-10-16 09:53:41 imap-login: Info: Login: user=user3, method=PLAIN, 
rip=127.0.0.1, lip=127.0.0.1, mpid=27438, secured, session=UDJlB9zoCAB/AAAB 2013-10-16 09:53:41 imap(user3): Info: Disconnected: Logged out in=93 out=819 2013-10-16 09:54:12 imap-login: Info: Login: user=user1, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=27440, secured, session=6bI5CdzoCQB/AAAB 2013-10-16 09:54:12 imap(user1): Info: Disconnected: Logged out in=93 out=846 2013-10-16 09:54:12 imap(user5): Info: Disconnected: Logged out in=736 out=7064 2013-10-16 09:54:15 imap-login: Info: Login: user=user6, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=27442, secured, session=t+FnCdzoCgB/AAAB 2013-10-16 09:54:15 imap(user6): Info: Disconnected: Logged out in=95 out=902 2013-10-16 09:54:20 imap-login: Info: Login: user=user1, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=27444, secured, session=c/q1CdzoCwB/AAAB 2013-10-16 09:54:20 imap(user1): Info: Disconnected: Logged out in=93 out=846 2013-10-16 09:54:24 imap-login: Info: Login: user=user3, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=27446, secured, session=nOb3CdzoDAB/AAAB 2013-10-16 09:54:24 imap(user3): Info: Disconnected: Logged out in=93 out=819 These errors are not confined to a single user, and do not occur with the same frequency. This isnt per chance on a NAS/SAN/DAS is it? No, it is not on a SAN. I saw that thread a while back, but this doesn't seem to be related. I originally was running the Dovecot shipped with the default Ubuntu repositories (don't remember which version, but it was 1.*) and used a backport to upgrade to 2.1.7 to see if that fixed it. It did not. Any ideas why this is happening? gawd knows what debian (thats all ubuntu is, same package maintainers 99% of time) do to things, wouldnt be the first time they put out a package that was kaput from get go, so doveconf -n output will likely be required I can provide dovecot -n output if this doesn't answer the question, but it might be an apparmor issue. 
We recently enabled apparmor protection, and it seems that it generated an ungodly amount of profiles in complain mode. So many, that it was causing issues with usage of the openssl library. Putting it in to enforce mode seems like it might fix the problem. I'll post more information once this is confirmed or denied. I'm replying to this post for completeness. This was definitely a problem with AppArmor in complain mode breaking IMAP. It was generating an incredible amount of logging information, and ended up blocking access to the OpenSSL .so files every once in a while. Putting AppArmor into enforce mode (after checking all of the rules and verifying functionality) worked. No more fstat() errors.
Re: [Dovecot] Odd Feature Request - RBL blacklist lookup to prevent authentication
On 23/10/2013 05:45, Rick Romero wrote: IMHO, the problem with all out blocks on auth is the same as doing an all out block based on SPF - so many IPs are shared you can easily get false positives. Blocks using SPF will not be FP's, they will be by your internal decision, so will be a genuine block 'hit', even if you don't keep your RR current, that's the admins fault, not the users, or blockers. But I agree with you on the rest, since of those 500K IP's Marc claims to have I'd bet that 99% are hijacked innocent pc's/servers, and of them, 75% would likely be a one time usage.
Re: [Dovecot] fstat() errors on /srv/mail/username/dovecot.index.log
On 17/10/2013 00:08, Zach La Celle wrote: Dovecot version 2.1.7 Ubuntu 12.04.3 LTS Kernel 3.2.0-35-generic x86_64 I'm not sure exactly when this started occurring, but sporatically users report issues receiving email, having email saved to Sent, etc. Looking in dovecot.log, I see the following errors: 2013-10-16 09:53:20 imap-login: Info: Login: user=user1, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=27434, secured, session=PnoiBtzoBgB/AAAB 2013-10-16 09:53:20 imap(user1): Info: Disconnected: Logged out in=93 out=846 2013-10-16 09:53:21 imap(user2): Info: Disconnected: Logged out in=3616 out=495 2013-10-16 09:53:24 imap-login: Info: Login: user=user3, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=27436, secured, session=jE5kBtzoBwB/AAAB 2013-10-16 09:53:24 imap(user3): Info: Disconnected: Logged out in=93 out=819 2013-10-16 09:53:33 imap(user4): Error: fstat() failed with file /srv/mail/user4/dovecot.index.log: No such file or directory 2013-10-16 09:53:33 imap(user4): Error: fstat() failed with file /srv/mail/user4/dovecot.index.log: No such file or directory 2013-10-16 09:53:33 imap(user4): Error: fstat() failed with file /srv/mail/user4/dovecot.index.log: No such file or directory 2013-10-16 09:53:33 imap(user4): Error: fstat() failed with file /srv/mail/user4/dovecot.index.log: No such file or directory 2013-10-16 09:53:33 imap(user4): Error: fstat() failed with file /srv/mail/user4/dovecot.index.log: No such file or directory 2013-10-16 09:53:33 imap(user4): Error: fstat() failed with file /srv/mail/user4/dovecot.index.log: No such file or directory 2013-10-16 09:53:41 imap-login: Info: Login: user=user3, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=27438, secured, session=UDJlB9zoCAB/AAAB 2013-10-16 09:53:41 imap(user3): Info: Disconnected: Logged out in=93 out=819 2013-10-16 09:54:12 imap-login: Info: Login: user=user1, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=27440, secured, session=6bI5CdzoCQB/AAAB 2013-10-16 09:54:12 imap(user1): Info: 
Disconnected: Logged out in=93 out=846 2013-10-16 09:54:12 imap(user5): Info: Disconnected: Logged out in=736 out=7064 2013-10-16 09:54:15 imap-login: Info: Login: user=user6, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=27442, secured, session=t+FnCdzoCgB/AAAB 2013-10-16 09:54:15 imap(user6): Info: Disconnected: Logged out in=95 out=902 2013-10-16 09:54:20 imap-login: Info: Login: user=user1, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=27444, secured, session=c/q1CdzoCwB/AAAB 2013-10-16 09:54:20 imap(user1): Info: Disconnected: Logged out in=93 out=846 2013-10-16 09:54:24 imap-login: Info: Login: user=user3, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=27446, secured, session=nOb3CdzoDAB/AAAB 2013-10-16 09:54:24 imap(user3): Info: Disconnected: Logged out in=93 out=819 These errors are not confined to a single user, and do not occur with the same frequency. This isnt per chance on a NAS/SAN/DAS is it? I originally was running the Dovecot shipped with the default Ubuntu repositories (don't remember which version, but it was 1.*) and used a backport to upgrade to 2.1.7 to see if that fixed it. It did not. Any ideas why this is happening? gawd knows what debian (thats all ubuntu is, same package maintainers 99% of time) do to things, wouldnt be the first time they put out a package that was kaput from get go, so doveconf -n output will likely be required
Re: [Dovecot] POP3 Setup help - more info
On 15/10/2013 02:58, /dev/rob0 wrote: In addition to the ignored replies in the other thread, I'll ask this: why do you want to use POP3? IMAP can do everything POP3 can do, and it's superior in many ways. POP3 should have died out a decade ago. Not sure what country he's in, but I'll comment on that comment :) Some countries, disks are not cheap, for instance in Australia, disks and most hardware is on average over 200% more expensive, than the U.S., I've been given some pricing that makes it 350% dearer. Most ISP's here, even the most largest ones, only offer pop3 - imap is reserved for those very few using webmail. Of the very few that do offer imap, the take up rate over the years is negligible, such that it is not worth the effort, likely due to privacy which most aussies take seriously. Although we are not as bad as the US with its publicised broad over reaching FISA warrants, it is still all too easy for law enforcement here to get warrants to secretly access your mail if on ISP servers, but bloody hard to do so if you use pop3 and have already d/l it to whatever device/client you choose to use. Then there's the other law, yes, those obnoxious jackass interfering govt #$E# with nothing else to do but regulate everything but thin air (give em time they'll do that too), IOW, imap, providing a service where every single email is stored on servers, you are accountable for, and must be recovered, even if idiot1234 deletes a message by mistake and when you say, no, you deleted it tuff luck, you can be sued for their loss of data. With pop3 that onus and risk is removed.
Re: [Dovecot] Transparent Migration from cyrus to dovecot
On 12/10/2013 19:22, Daniel Parthey wrote:

No mail will be lost, since it should remain in the remote MTA's mail queue for a while in order to be retried and delivered later.

No guarantee there, some services are broken and do not retry, hotmail used to, and I've heard in some cases, still does, do this, some marketing system (ok, so that's no loss) do this - their reasoning is because of such high outbound queues, it would only delay first runs and upset their clients, again, no loss to me, but one person's spam can be another's ham. It is after all why we have secondary MX's, on network, and if need be, off network.
Re: [Dovecot] SSL with startssl.com certificates
On 10/10/2013 06:09, Eliezer Croitoru wrote: I would imaging that 4k bits certificate handshake and validation can take more then 1 sec.. Am I right about it? hardly and the size is not his problem. he was given a test account on my network when I last saw this thread (few weeks back?), that uses startssl, and 4096 certs, his mail.app connected fine.
Re: [Dovecot] SSL with startssl.com certificates
I can't recall if we previously discussed it, but, why the fascination with imaps, why not use TLS on 143, or won't that connect either? tried pop3 TLS ? pop3s? and when you test, use -CAfile /path/to/(startssl's)CA.pem

I see no auth mech statement, so using the default is limited, IIRC, login is re

auth_mechanisms = plain login

On 10/10/2013 10:51, Dan Langille wrote:

On Oct 9, 2013, at 6:33 PM, Noel Butler wrote:

On 10/10/2013 06:09, Eliezer Croitoru wrote:

I would imagine that 4k bits certificate handshake and validation can take more than 1 sec.. Am I right about it?

hardly and the size is not his problem. he was given a test account on my network when I last saw this thread (few weeks back?), that uses startssl, and 4096 certs, his mail.app connected fine.

I would like to investigate that more if you like. Others have experienced problem connected to my test server. I can't believe I've created a non-functional Dovecot configuration. One avenue I will pursue: if I swap from 4096 to 2048, why does it work?
Here is a connection with a 4096 cert: $ openssl s_ s_client -connect imaps.unixathome.org:993 CONNECTED(0003) depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority verify error:num=19:self signed certificate in certificate chain verify return:0 --- Certificate chain 0 s:/description=VwhdJi0sLHP3BDtQ/C=US/ST=Pennsylvania/L=Media/O=Daniel Langille/CN=imaps.unixathome.org/emailAddress=postmas...@unixathome.org i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority 2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority --- Here is it with a 2048 cert: $ openssl s_client -connect imaps.unixathome.org:993 CONNECTED(0003) depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority verify error:num=19:self signed certificate in certificate chain verify return:0 --- Certificate chain 0 s:/description=3Hs89se3p9RsmJBG/C=US/ST=Pennsylvania/L=Media/O=Daniel Langille/CN=test1.langille.org/emailAddress=postmas...@langille.org i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority 2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority The only thing I change in the 
configuration is:

# MY KEYS
#ssl_cert = /usr/local/etc/ssl/dovecot.pem
#ssl_key = /usr/local/etc/ssl/imaps.unixathome.org.nopassword.key
# My 2048 key
ssl_cert = /usr/local/etc/ssl/2048/test1.langille.org.BUNDLE.cert
ssl_key = /usr/local/etc/ssl/2048/test1.langille.org.nopassword.key

Current configuration is:

# doveconf -n
# 2.2.6: /usr/local/etc/dovecot/dovecot.conf
# OS: FreeBSD 9.1-RELEASE-p6 amd64
auth_debug = yes
auth_verbose = yes
first_valid_gid = 1001
first_valid_uid = 1001
mail_debug = yes
mail_location = maildir:~/Maildir
mail_privileged_group = mail
passdb {
  args = scheme=SHA512-CRYPT /var/db/dovecot.users
  driver = passwd-file
}
protocols = imap
service imap-login {
  inet_listener imap {
    address = 199.233.228.197
  }
  inet_listener imaps {
    address = 199.233.228.197
  }
}
ssl_ca = /usr/local/etc/ssl/sub.class2.server.ca.pem
ssl_cert = /usr/local/etc/ssl/2048/test1.langille.org.BUNDLE.cert
ssl_key = /usr/local/etc/ssl/2048/test1.langille.org.nopassword.key
userdb {
  args = /var/db/dovecot.users
  driver = passwd-file
}
verbose_proctitle = yes
Re: [Dovecot] SSL with startssl.com certificates
On 10/10/2013 13:36, Noel Butler wrote:

I can't recall if we previously discussed it, but, why the fascination with imaps, why not use TLS on 143, or won't that connect either? tried pop3 TLS ? pop3s? and when you test, use -CAfile /path/to/(startssl's)CA.pem

I see no auth mech statement, so using the default is limited, IIRC, login is re

auth_mechanisms = plain login

bugger.. stupid webmail... as I was trying to say, IIRC type login is required for ssl, at least with winblows clients, try adding the above and see what goes. plain is preferred, but that's because TLS is preferred.

use the local - int- ca cert.pem and remove the ssl_ca option
Re: [Dovecot] POP3 Setup help
On 09/10/2013 03:40, Thomas I Higgins wrote: I am lost as to what I am missing. I am setting up dovecot 2.0.9 on a RHEL 6.4 machine as provided by my provider. I have IMAP up and running, and I have POP3 up and running. Testing confirms this. Also, if it makes a difference, I enabled dovecot as my LDA. Sendmail was setup as well due to our 1.x version using it and I though I had to. Anyway, everything is working perfectly with the services, except the mail is sending to the wrong location for POP. I am trying to use Maildir for both services, but it keeps delivering the POP3 mail to /var/spool/mail/u% instead of to Maildir as specified in the configuration files. I have rechecked every setting at least twice and still can't see what I am doing wrong. I suppose I can use mbox and redirect after making the appropriate namespace changes, but that has it's own potential drawbacks and seems more like a kludge than the correct way around this (unless I misunderstand how it should work). Can anyone point me in the right direction on how to fix this? Thanks in advance, Thomas Higgins it's a lovely day here, but you must be far away and bad weather in between us, as my ESP doesnt seem to get through, so we'll have to revert to the old manual hard labour way by you executing doveconf -n , copy and pasting that output into a list reply.
Re: [Dovecot] Yet another going from 1.2 to 2.X question: authentication
On 07/10/2013 14:17, Mauricio Tavares wrote:

Makes sense, so I shall set them up as

/etc/dovecot/conf.d/10-master.conf

# http://wiki2.dovecot.org/HowTo/PostfixAndDovecotSASL
service auth {
  unix_listener auth-userdb {
    mode = 0600
    user = virtual # User running Dovecot LDA's deliver
  }
  # Dovecot as SASL Auth
  unix_listener /var/spool/postfix/private/dovecot-auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}

Looks good to me

Thanks for the help (and sorry for the late reply)! Now as soon as the namespaces make sense to me and I figure out how to get sieve properly configured I can do the upgrade.

hehe, no problems, I wont comment on namespaces since I don't use anything special in that regards, but sieve is easy to configure

service managesieve-login {
  service_count = 1
  process_min_avail = 0
  vsz_limit = 64M
  inet_listener sieve {
    port = 4190
  }
}
service managesieve {
  process_limit = 1024
}
protocol sieve {
  managesieve_max_line_length = 65536
  managesieve_logout_format = bytes=%i/%o
  managesieve_implementation_string = Dovecot Pigeonhole
  managesieve_max_compile_errors = 5
  mail_max_userip_connections = 10
}

set... in global:

protocols = pop3 imap sieve

(assuming you use both pop3 and imap)

protocol lda:

mail_plugins = $mail_plugins sieve

and in the plugin section, something like

sieve = ~/.dovecot.sieve
sieve_dir = ~/sieve
sieve_vacation_min_period = 1d
sieve_vacation_default_period = 7d

...and you're all set
Re: [Dovecot] couple of errors on new setup
On 06/10/2013 03:16, Dean Guenther wrote:

mail_location = mbox:~/mail:INBOX=/var/spool/mail/%u
mail_privileged_group = mail
mbox_write_locks = fcntl

mbox over NFS has *never* been recommended, it is unsafe - for any pop/imap type server, not just dovecot. If it's not too late, and since you are testing a new server it can't be, change to Maildir, it was designed specifically for this very reason. also should use:

mail_fsync = yes
mail_nfs_index = yes
mail_nfs_storage = yes
mmap_disable = yes
Re: [Dovecot] couple of errors on new setup
On 07/10/2013 04:58, Timo Sirainen wrote: On 6.10.2013, at 4.04, Noel Butler noel.but...@ausics.net wrote: mail_nfs_index = yes mail_nfs_storage = yes These are never recommended. They may be a kludgy workaround to avoid worst problems, but they will never work 100% In the recommended configurations (one Dovecot server or director cluster) you won't need them. Ahh OK, thanks, our configs have been carried over since early days when this recommended, certainly never seen any errors with them on our cluster (and we don't use director).
Re: [Dovecot] retr errors
On 07/10/2013 11:19, Bill Morgan wrote: On 10/6/2013 5:58 PM, Daniel Parthey wrote: Hi Bill, any intercepting virus scanner or personal firewall software between your mail client and the dovecot server? Regards Daniel McAfee As I'm sure Daniel was implying, did you also test without these? Also, do they provide webmail? next time you get a stuck message, login to webmail and see if its OK there, try using only webmail for a week or two, if you have this trouble every day, you'll soon reproduce it, or rule out the ISP end. and the ISP wasn't interested in the wireshark traces. Baring in mind, that ISP tech support, is exactly that, ISP, Tech Support not Microsoft support, or apple support or whatever, the ISP can only support its services, not your local client software, if they can prove, and your ISP should have by process of elimination, for instance, webmail, you have no trouble, then they have ruled out an ISP related cause, and they are very within their rights to say not our problem. Also remember, engineers tend to act/get-involved when complaints are en-mass, its to their advantage to look at it then, IOW, the care factor will increase with multiple people exhibiting the same problem over a short or same period of time. I know, I should change the ISP and see if the problem goes away. :-) Sounds like a fair idea to me if you rule out everything on your end and can prove beyond doubt it is the ISP, else you'll just be moving the problem sideways, not up towards resolution.
Re: [Dovecot] fail2ban
On Fri, 2013-10-04 at 15:47 +1000, Nick Edwards wrote:

For dovecot 2.1 as per wiki2, is this still valid? noticed a problem before and saw it does seem to be triggering, I use:

looks outdated

filter.d/dovecot.conf

That'll never work, you need to change

[Definition]
failregex = (?: pop3-login|imap-login): (?:Authentication

to

failregex = (?: pop3-login|imap-login): .*(?:Authentication
                                        ^^

BUT, then, with the rest of your regex, it will only partly match because it's looking for , something like ,TLS at the end which won't appear on failed imap/pop3 logins that don't use TLS, etc, so any failed attempts using TLS, will be found, if they are not using it, they will be missed (most miscreants likely won't be using it anyway)

I am NO python expert, in fact, I know less than less about python, so you'll best need to wait for someone who knows the answer, or ask on fail2ban list, on how you can change that to match both, by changing the last bit to

\(auth failed).*rip=(?P<host>\S*) some variable here to match on ,TLS or nothing at all

in meantime, you could repeat your failregex, like

failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
            (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*)

I think that's horrible, messy, yukky, but it likely might work :) at least until you find a better answer, there are some fail2ban fanbois on this list, but as it's the weekend, you may need to be patient.
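An added example, not part of the original message or of fail2ban's shipped filters: the failregex from the message above run through Python's `re` module (the engine fail2ban uses), with the named group written as `(?P<host>...)`, against constructed log lines in both syslog style and Dovecot's own log-file style with its `Info:` prefix. The `TOLERANT` pattern, the `hosts` and `over_threshold` helpers and every log line are assumptions made for illustration.

```python
import re
from collections import Counter

# Building blocks copied from the failregex quoted in the message above.
SERVICE = r"(?: pop3-login|imap-login): "
ALTS = (r"(?:Authentication failure|Aborted login \(auth failed|"
        r"Aborted login \(tried to use disabled|Disconnected \(auth failed)")

# Pattern before the suggested change: nothing allowed between the service
# name and the failure text.
BEFORE = re.compile(SERVICE + ALTS + r".*rip=(?P<host>\S*),.*")
# Amended pattern from the message: ".*" inserted after the service name.
AMENDED = re.compile(SERVICE + r".*" + ALTS + r".*rip=(?P<host>\S*),.*")
# Assumption (not from the thread): one pattern that does not require any
# text after the rip= value, instead of repeating the failregex twice.
TOLERANT = re.compile(SERVICE + r".*" + ALTS + r".*rip=(?P<host>[^\s,]+)")

# Constructed sample lines (documentation-range addresses, made-up users).
SAMPLE_LOG = [
    # syslog style, failed login over TLS
    "Oct  4 15:40:01 mail dovecot: imap-login: Disconnected (auth failed, "
    "3 attempts): user=<alice>, method=PLAIN, rip=203.0.113.7, "
    "lip=192.0.2.10, TLS",
    # syslog style, failed login without TLS
    "Oct  4 15:40:09 mail dovecot: pop3-login: Aborted login (auth failed, "
    "1 attempts): user=<bob>, method=PLAIN, rip=198.51.100.23, lip=192.0.2.10",
    # Dovecot log-file style: "Info: " sits between service and message
    "2013-10-04 15:41:12 imap-login: Info: Disconnected (auth failed, "
    "2 attempts): user=<alice>, method=PLAIN, rip=203.0.113.7, "
    "lip=192.0.2.10, TLS",
    # hypothetical line in which rip= is the last field (nothing follows it)
    "2013-10-04 15:41:30 pop3-login: Info: Aborted login (auth failed, "
    "1 attempts): user=<bob>, method=PLAIN, rip=198.51.100.23",
    # successful login: must never be counted as a failure
    "2013-10-04 15:42:00 imap-login: Info: Login: user=<erin>, method=PLAIN, "
    "rip=192.0.2.55, lip=192.0.2.10, mpid=27434, secured",
]


def hosts(pattern, lines):
    """Return the captured host for each line, or None where nothing matched."""
    found = []
    for line in lines:
        match = pattern.search(line)
        found.append(match.group("host") if match else None)
    return found


def over_threshold(pattern, lines, maxretry):
    """Hosts with at least maxretry matched failures (what would get banned)."""
    counts = Counter(h for h in hosts(pattern, lines) if h)
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for name, pat in (("before", BEFORE), ("amended", AMENDED),
                      ("tolerant", TOLERANT)):
        print(name, hosts(pat, SAMPLE_LOG), over_threshold(pat, SAMPLE_LOG, 2))
```

Running a candidate filter over a saved log this way, or with the fail2ban-regex tool mentioned in the follow-up, shows which failed logins a pattern silently misses before it is deployed.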
Re: [Dovecot] fail2ban
On Fri, 2013-10-04 at 21:55 +0200, Gordon Grubert wrote:

this is no problem of dovecot. Nevertheless, for analysis, you can use fail2ban-regex when applying your filter to your logfile.

Kind of right, but the dovecot wiki apparently contains wrong information, so I think it's fair enough it be brought up on this list as per my previous, when someone comes up with simpler working example than what I suggested, Timo can fix it
Re: [Dovecot] recipient_delimiter
On Fri, 2013-09-27 at 07:29 +1000, voy...@sbt.net.au wrote:

I have working dovecot 2.1.1 with postfix, only have virtual domains, all users in mysql; '+' delimiter is enabled in postfix, and, works OK

postfix]# grep _delimiter main.cf
# The recipient_delimiter parameter specifies the separator between
recipient_delimiter = +

BUT, I seem to have nothing in dovecot.conf:

postfix]# cd /etc/dovecot
dovecot]# grep delimiter *
dovecot]# cd conf.d
conf.d]# grep delimiter *
15-lda.conf:#recipient_delimiter = +
20-lmtp.conf:# the mail to the detail mailbox. See also recipient_delimiter and
20-lmtp.c_org:# the mail to the detail mailbox. See also recipient_delimiter and

should I also enter $recipient_delimiter = ‘+’ in my /etc/dovecot/dovecot.conf ? what will it add to this working setup, what am I missing? thanks for all pointers

Not needed, dovecot defaults to that setting, adding it in postfix is all that's required to work