Re: [Dovecot] thunderbird not connecting
- Original Message -
From: cc young bangkokm...@gmail.com
To: dovecot@dovecot.org
Cc:
Sent: Tuesday, 4 September 2012, 7:21
Subject: [Dovecot] thunderbird not connecting

cannot get TB to recognize either pop3/s or imap/s server

can connect just fine with:

    openssl s_client -connect ms1.myserver.net:993
    . login ...

but trying with TB /var/log/mail.log gets:

    dovecot: pop3-login: Aborted login (no auth attempts): rip=223.205.150.234, lip=xxx.xx.xx.xx
    dovecot: imap-login: Aborted login (no auth attempts): rip=223.205.150.234, lip=xxx.xx.xx.xx

--
View this message in context: http://dovecot.2317879.n4.nabble.com/thunderbird-not-connecting-tp37389.html
Sent from the Dovecot mailing list archive at Nabble.com.

Thunderbird is not the best of clients out there. It's ok but not the best. I am using TB on my sites and found out that it has many issues.

Can you be a bit more specific? Are you trying to connect to Secure IMAP (993) on dovecot?

In that case, as far as I remember you have to fool Thunderbird during the mail account set up process. It's a bit crazy, I know, but it's true. I have documented everything. Let me know where the hiccup is and I'll try to get the docs and let you know how to work around this.

HTH,
s.

I merely function as a channel that filters music through the chaos of noise - Vangelis
Re: [Dovecot] thunderbird not connecting
From: cc maco young bangkokm...@gmail.com
To: Spyros Tsiolis sts...@yahoo.co.uk
Sent: Tuesday, 4 September 2012, 9:42
Subject: Re: [Dovecot] thunderbird not connecting

On Tue, Sep 4, 2012 at 12:59 PM, Spyros Tsiolis sts...@yahoo.co.uk wrote:

- Original Message -
From: cc young bangkokm...@gmail.com
To: dovecot@dovecot.org
Cc:
Sent: Tuesday, 4 September 2012, 7:21
Subject: [Dovecot] thunderbird not connecting

cannot get TB to recognize either pop3/s or imap/s server

can connect just fine with:

    openssl s_client -connect ms1.myserver.net:993
    . login ...

but trying with TB /var/log/mail.log gets:

    dovecot: pop3-login: Aborted login (no auth attempts): rip=223.205.150.234, lip=xxx.xx.xx.xx
    dovecot: imap-login: Aborted login (no auth attempts): rip=223.205.150.234, lip=xxx.xx.xx.xx

--
View this message in context: http://dovecot.2317879.n4.nabble.com/thunderbird-not-connecting-tp37389.html
Sent from the Dovecot mailing list archive at Nabble.com.

Thunderbird is not the best of clients out there. It's ok but not the best. I am using TB on my sites and found out that it has many issues.

Can you be a bit more specific? Are you trying to connect to Secure IMAP (993) on dovecot?

In that case, as far as I remember you have to fool Thunderbird during the mail account set up process. It's a bit crazy, I know, but it's true. I have documented everything. Let me know where the hiccup is and I'll try to get the docs and let you know how to work around this.

HTH,

right - trying to connect to Secure IMAP ? (993) on dovecot

not in love with thunderbird, but need to access via linux and ms

any help / insight would be wonderful

Hi again,

Taken from my docs. This is the first part for Mozilla Thunderbird setup. I've seen this work both on Win32 systems and linux systems (mainly Linux Mint). There's a part on pop3/smtp.
I am sure you can skip that and do your own magic for those two protocols:

Pre-Installation, Wizard Configuration
--

- During initial Thunderbird startup, the admin is greeted by a welcome window named “Mail Account Setup”
- Click on Cancel Installation
- Click on “Edit” - “Account Settings”
- New window pops up
- Click on “Add”
- New window pops up
- Fill in “Description” (e.g. “Name Surname mailbox”)
- On “Server Name” enter the IP address (e.g. 192.168.3.5)
- On “Port” enter the SMTP port (e.g. 25)
- On “Security and Authentication” → “Connection Security” enter none
- On “Authentication Method” choose Password transmitted insecurely
- On “Username” enter the users' username including the FQDN (e.g. n...@domain.gr)
- Click on OK
- From “Edit”, click on “Account Settings”
- From “Account Actions” click on “Add Mail Account”
- New window pops up
- Enter in the same name for “Your name”
- Enter in the same e-mail address for “Email address”
- On “Password” enter in users' password
- Click on “Continue” then without waiting click on “Manual Config”
- Once “Manual Config” is clicked, thunderbird will allow the admin to perform additional configuration tasks
- For “Incoming” the admin will choose “IMAP”, Server Hostname will be set to the servers' IP address (again, 192.168.3.5)
- From “Port” choose “993”
- From “SSL” choose “SSL/TLS”
- From “Authentication” choose “Autodetect”
- For “Outgoing” the admin will let the “SMTP” option
- For “Server Hostname”, choose the same IP address (e.g. 192.168.3.5)
- For “Port” choose “25”
- For “SSL” choose “None”
- For “Authentication” choose “Normal Password”
- On the Username field, enter the full user name, e.g. “u...@domain.gr”
- Click on “Re-test”
- Click on “Create Account”
- Check on the “I understand the Risks” checkbox
- Click on “Create Account”
- Click on “Confirm Security Exception”
- Click on “OK”

Hope this helps and best regards,
Spyros

I merely function as a channel that filters music through the chaos of noise - Vangelis
[Dovecot] problems with ssl cert
in conf.d/10-ssl.conf:

    ssl = yes
    ssl_cert = /etc/ssl/certs/ms1xxx.net.crt
    ssl_key = /etc/ssl/private/ms1.xxx.net.key

when try to set up an account in thunderbird, get /var/log/mail.log:

    imap-login: Disconnected (no auth attempts): rip=223.205.150.234, lip=xx.xx.xx.xx, TLS: SSL_read() failed: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown: SSL alert number

openssl s_client -connect mail.myserver.com:993 - successful

using the same cert in gning / chrome is successful, so think the cert is ok
[Dovecot] problem about pop3 using dovecot
I upgraded dovecot from 1.1 to 2.1.8. pop3/imap works but I have a problem. I use the pop3 protocol on Outlook 2010 for my account, and I set it to keep my mails on the server for 5 days or until I delete them. These settings were working with the old dovecot 1.1. But since I upgraded to 2.1.8, even if I delete a mail from Outlook the server doesn't delete it, and old mails are not deleted. What can be the problem?

thanks

--
View this message in context: http://dovecot.2317879.n4.nabble.com/problem-about-pop3-using-dovecot-tp37394.html
Sent from the Dovecot mailing list archive at Nabble.com.
[Dovecot] Outlook 2013 imap specialuse RFC6154 XLIST
Hi, perhaps somebody wants to this --snip Microsoft® Outlook® 2013 Preview Outlook 2013 Preview implements the IMAP LIST extension specified in [RFC6154] as the XLIST command. ---snip taken out of [MS-STANOIMAP].pdf which zip you may download here http://msdn.microsoft.com/en-us/library/ee157124%28v=exchg.80%29 -- Best Regards MfG Robert Schetterer
Re: [Dovecot] problems with ssl cert
- Original Message -
From: cc maco young bangkokm...@gmail.com
To: dovecot@dovecot.org
Cc:
Sent: Tuesday, 4 September 2012, 10:50
Subject: [Dovecot] problems with ssl cert

in conf.d/10-ssl.conf:

    ssl = yes
    ssl_cert = /etc/ssl/certs/ms1xxx.net.crt
    ssl_key = /etc/ssl/private/ms1.xxx.net.key

when try to set up an account in thunderbird, get /var/log/mail.log:

    imap-login: Disconnected (no auth attempts): rip=223.205.150.234, lip=xx.xx.xx.xx, TLS: SSL_read() failed: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown: SSL alert number

openssl s_client -connect mail.myserver.com:993 - successful

using the same cert in gning / chrome is successful, so think the cert is ok

Hi again,

Do a fresh Thunderbird installation and get rid of any folders related to thunderbird on either OS you have installed it on.

s.

I merely function as a channel that filters music through the chaos of noise - Vangelis
Re: [Dovecot] Outlook 2013 imap specialuse RFC6154 XLIST
On 04.09.2012 10:30, Robert Schetterer wrote:

Hi, perhaps somebody wants to this

--snip
Microsoft® Outlook® 2013 Preview
Outlook 2013 Preview implements the IMAP LIST extension specified in [RFC6154] as the XLIST command.
---snip

taken out of [MS-STANOIMAP].pdf which zip you may download here
http://msdn.microsoft.com/en-us/library/ee157124%28v=exchg.80%29

just for info, by small testing Outlook 2013 preview imap specialuse is working with dovecot, at minimum for Trash and Sent

i have set this

    mailbox Sent {
      special_use = \Sent
      auto = subscribe
    }
    mailbox "Sent Messages" {
      special_use = \Sent
    }
    mailbox Trash {
      special_use = \Trash
      auto = subscribe
    }

examples are in /etc/dovecot/conf.d/15-mailboxes.conf

couldn't test Archive/Drafts/Junk but they look working

i had my problems with some new gui functions *g

the preview is only in English or Spanish, so don't know if it will work with other languages than English, let's hope so

feel free to test yourself

--
Best Regards
MfG Robert Schetterer
Re: [Dovecot] thunderbird not connecting
From: cc maco young bangkokm...@gmail.com
To: Spyros Tsiolis sts...@yahoo.co.uk
Sent: Tuesday, 4 September 2012, 16:00
Subject: Re: [Dovecot] thunderbird not connecting

On Tue, Sep 4, 2012 at 2:31 PM, Spyros Tsiolis sts...@yahoo.co.uk wrote:

. . . . % . . . . . % . . . . . . . .

what you showed is what I remember when I was last hacking in TB. now all options are gone. screenshot attached

think I know problem. got tired of TB - no options, no feedback. ok if everything works; otherwise sucks.

went to claws. they have actual messages, actual logs. had similar problem, but claws easily allowed me to override. see this:
http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2199

know my cert chain ok because http://www.sslshopper.com/ssl-checker.html checks chain ok

anyway, thanks for your help, and goodbye thunderbird

I remember being stuck on this. I know what you are saying. Give it another go. Tinker with it. You'll get there. If you're fed up with TB, that's another thing. However, you _can_ get round this. I know I did.

Just my 2c,

Regards,
spyros

I merely function as a channel that filters music through the chaos of noise - Vangelis
Re: [Dovecot] finding messages deleted before timespec
On Mon, Sep 03, 2012 at 01:31:18PM +0200, Sven Hartge wrote: Hi! [..] I want to use this to expunge all DELETED messages which have been in that state for 24h or longer. http://wiki2.dovecot.org/Tools/Doveadm/Expunge HTH Dennis [..]
Re: [Dovecot] doveadm command to block a user?
On 03/09/2012 10:41, Angel L. Mateo wrote:

Hello, Is there any command to be able to lock imap access to a specific user? With doveadm kick I could close his connections, but I want to avoid future ones too and just for imap. Any way to do it?

I can do it by disabling a specific user at backend level; for example vpopmail can do it, but it can also be simple with SQL. With a specific query you can disable only IMAP, only POP and so on.

In the password query you can insert something like this:

    WHERE username = '%u' AND active = '1' AND (
        (IF(%a = 110, pop, 0)) = 1
     OR (IF(%a = 25, smtp, 0)) = 1
     OR (IF((%a = 143) AND '%l' = '127.0.0.1', webmail, 0) = 1)
     OR (IF((%a = 143) AND '%l' != '127.0.0.1', imap, 0) = 1)
    )

Ciao

--
Alessio Cecchi is:
@ ILS - http://www.linux.it/~alessice/
on LinkedIn - http://www.linkedin.com/in/alessice
GNU/Linux Systems Support - http://www.cecchi.biz/
@ PLUG - former President, now senator for life, http://www.prato.linux.it
Re: [Dovecot] finding messages deleted before timespec
Dennis Guhl d...@dguhl.org wrote:

On Mon, Sep 03, 2012 at 01:31:18PM +0200, Sven Hartge wrote:

Hi! I want to use this to expunge all DELETED messages which have been in that state for 24h or longer.

http://wiki2.dovecot.org/Tools/Doveadm/Expunge

Yes, I know about doveadm expunge. I am searching for a search_query which only matches messages with the flag \Deleted whose flag has been set 24h or longer ago.

Doing something like

    doveadm expunge -A mailbox \* DELETED

is not the solution, since it will expunge all deleted mails without looking at the time when they have been deleted.

Using savedbefore does not work either, since a message may have been saved 2 years ago but only recently deleted.

Regards,
Sven.

--
Sigmentation fault. Core dumped.
Re: [Dovecot] finding messages deleted before timespec
On 3.9.2012, at 14.31, Sven Hartge wrote: I want to use this to expunge all DELETED messages which have been in that state for 24h or longer. Dovecot doesn't keep track of that information, so you can't.
Re: [Dovecot] finding messages deleted before timespec
Timo Sirainen t...@iki.fi wrote:

On 3.9.2012, at 14.31, Sven Hartge wrote:

I want to use this to expunge all DELETED messages which have been in that state for 24h or longer.

Dovecot doesn't keep track of that information, so you can't.

I suspected this. Would be nice though.

Regards,
Sven.

--
Sigmentation fault. Core dumped.
[Dovecot] Anyone else seeing lots of random duplicate messages???
Almost every message I'm getting through this list is duplicated, down to the same exact message-ID... Anyone else seeing this? Charles
Re: [Dovecot] Anyone else seeing lots of random duplicate messages???
On 2012-09-04 12:37 PM, Charles Marcus cmar...@media-brokers.com wrote: Almost every message I'm getting through this list is duplicated, down to the same exact message-ID... Anyone else seeing this? Even this one was duplicated...
Re: [Dovecot] Anyone else seeing lots of random duplicate messages???
On 09/04/2012 12:40 PM, Charles Marcus wrote: On 2012-09-04 12:37 PM, Charles Marcus cmar...@media-brokers.com wrote: Almost every message I'm getting through this list is duplicated, down to the same exact message-ID... Anyone else seeing this? Even this one was duplicated... Not here :-) Phil
Re: [Dovecot] thunderbird not connecting
On 9/3/2012 11:21 PM, cc young wrote: cannot get TB to recognize either pop3/s or imap/s server can connect just fine with: openssl s_client -connect ms1.myserver.net:993 . login ... but trying with TB /var/log/mail.log gets: dovecot: pop3-login: Aborted login (no auth attempts): rip=223.205.150.234, lip=xxx.xx.xx.xx dovecot: imap-login: Aborted login (no auth attempts): rip=223.205.150.234, lip=xxx.xx.xx.xx What does TB activity manager say? -- Stan
Re: [Dovecot] Anyone else seeing lots of random duplicate messages???
On 9/4/2012 11:37 AM, Charles Marcus wrote: Almost every message I'm getting through this list is duplicated, down to the same exact message-ID... Anyone else seeing this? Nope. Make any changes to Postfix or your script recently? -- Stan
[Dovecot] [PATCH] Generalize HMAC implementation
Hello everyone and Timo in particular, about a year ago I implemented a SHA-1 variant of the HMAC(-MD5) present in Dovecot. I had always disliked this a bit, because it replicates a lot of code. This patch generalizes the HMAC function to take a hash_method struct as parameter, and changes existing code which uses the old HMAC function to use this new one. I'm not really sure this is actually a good idea, but I still felt I should provide the code in case you would want to merge it upstream. Attached is the patch as a hg export based on the revision of dovecot-2.2 current at the time of writing. Regards, Florian Zeitz # HG changeset patch # User Florian Zeitz flo...@babelmonkeys.de # Date 1346280236 -7200 # Node ID e2f682fab829c2ef23a050f884191f57e2fb5d60 # Parent 9bc2e718392ceaa327f14b50163232b629cd54d1 lib: Generalize hmac to be hash independent diff --git a/src/auth/mech-cram-md5.c b/src/auth/mech-cram-md5.c --- a/src/auth/mech-cram-md5.c +++ b/src/auth/mech-cram-md5.c @@ -7,7 +7,9 @@ #include ioloop.h #include buffer.h #include hex-binary.h -#include hmac-md5.h +#include hmac-cram-md5.h +#include hmac.h +#include md5.h #include randgen.h #include mech.h #include passdb.h @@ -50,7 +52,7 @@ { unsigned char digest[MD5_RESULTLEN]; -struct hmac_md5_context ctx; +struct hmac_context ctx; const char *response_hex; if (size != CRAM_MD5_CONTEXTLEN) { @@ -59,9 +61,10 @@ return FALSE; } + hmac_init(ctx, NULL, 0, hash_method_md5); hmac_md5_set_cram_context(ctx, credentials); - hmac_md5_update(ctx, request-challenge, strlen(request-challenge)); - hmac_md5_final(ctx, digest); + hmac_update(ctx, request-challenge, strlen(request-challenge)); + hmac_final(ctx, digest); response_hex = binary_to_hex(digest, sizeof(digest)); diff --git a/src/auth/mech-scram-sha1.c b/src/auth/mech-scram-sha1.c --- a/src/auth/mech-scram-sha1.c +++ b/src/auth/mech-scram-sha1.c 
@@ -9,7 +9,8 @@ #include auth-common.h #include base64.h #include buffer.h -#include hmac-sha1.h +#include hmac.h +#include sha1.h #include randgen.h #include safe-memset.h #include str.h @@ -44,23 +45,23 @@ const unsigned char *salt, size_t salt_size, unsigned int i, unsigned char result[SHA1_RESULTLEN]) { - struct hmac_sha1_context ctx; + struct hmac_context ctx; unsigned char U[SHA1_RESULTLEN]; unsigned int j, k; /* Calculate U1 */ - hmac_sha1_init(ctx, str, str_size); - hmac_sha1_update(ctx, salt, salt_size); - hmac_sha1_update(ctx, \0\0\0\1, 4); - hmac_sha1_final(ctx, U); + hmac_init(ctx, str, str_size, hash_method_sha1); + hmac_update(ctx, salt, salt_size); + hmac_update(ctx, \0\0\0\1, 4); + hmac_final(ctx, U); memcpy(result, U, SHA1_RESULTLEN); /* Calculate U2 to Ui and Hi */ for (j = 2; j = i; j++) { - hmac_sha1_init(ctx, str, str_size); - hmac_sha1_update(ctx, U, sizeof(U)); - hmac_sha1_final(ctx, U); + hmac_init(ctx, str, str_size, hash_method_sha1); + hmac_update(ctx, U, sizeof(U)); + hmac_final(ctx, U); for (k = 0; k SHA1_RESULTLEN; k++) result[k] ^= U[k]; } @@ -94,7 +95,7 @@ static const char *get_scram_server_final(struct scram_auth_request *request) { - struct hmac_sha1_context ctx; + struct hmac_context ctx; const char *auth_message; unsigned char server_key[SHA1_RESULTLEN]; unsigned char server_signature[SHA1_RESULTLEN]; 
@@ -104,17 +105,17 @@ request-server_first_message, ,, request-client_final_message_without_proof, NULL); - hmac_sha1_init(ctx, request-salted_password, - sizeof(request-salted_password)); - hmac_sha1_update(ctx, Server Key, 10); - hmac_sha1_final(ctx, server_key); + hmac_init(ctx, request-salted_password, + sizeof(request-salted_password), hash_method_sha1); + hmac_update(ctx, Server Key, 10); + hmac_final(ctx, server_key); safe_memset(request-salted_password, 0, sizeof(request-salted_password)); - hmac_sha1_init(ctx, server_key, sizeof(server_key)); - hmac_sha1_update(ctx, auth_message, strlen(auth_message)); - hmac_sha1_final(ctx, server_signature); + hmac_init(ctx, server_key, sizeof(server_key), hash_method_sha1); + hmac_update(ctx, auth_message, strlen(auth_message)); + hmac_final(ctx, server_signature); str = t_str_new(MAX_BASE64_ENCODED_SIZE(sizeof(server_signature))); str_append(str, v=); @@ -213,7 +214,7 @@ static bool verify_credentials(struct scram_auth_request *request, const unsigned char *credentials, size_t size) { -
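Review bot: In the verify hunk of src/auth/mech-cram-md5.c, hmac_init(ctx, NULL, 0, hash_method_md5) is called with a NULL key only so that hmac_md5_set_cram_context() can then overwrite the state, which makes the key-less call part of the generic API's contract. Nothing in the visible lines says hmac_init accepts a NULL key with length 0, so either state that in the comment on hmac_init or move the initialisation into the CRAM helper so callers never pass NULL. The helper also keeps its hmac_md5_ prefix while now taking the generic context; a name that matches the new hmac-cram-md5.h header would be clearer.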
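Review bot: In the Hi() hunk of src/auth/mech-scram-sha1.c the output buffer is still declared as unsigned char U[SHA1_RESULTLEN], while the number of bytes hmac_final(ctx, U) writes is now decided by the hash_method argument given to hmac_init, so the buffer size and the digest size are no longer tied together by the function name. Add a check that links the two, for example an assertion in the caller that the chosen method's digest size equals SHA1_RESULTLEN, or give hmac_final a buffer-size parameter. The same applies to server_key and server_signature in the get_scram_server_final hunk.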
Re: [Dovecot] Anyone else seeing lots of random duplicate messages???
On Tue, Sep 04, 2012 at 12:40:48PM -0400, Charles Marcus wrote:

On 2012-09-04 12:37 PM, Charles Marcus cmar...@media-brokers.com wrote:

Almost every message I'm getting through this list is duplicated, down to the same exact message-ID... Anyone else seeing this?

Even this one was duplicated...

I think you're seeing double. Check to see if someone spiked your coffee. :)

--
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if /dev/rob0 is in the Subject:
[Dovecot] Custom auth process in dovecot 2
Hi,

I'm trying to upgrade from dovecot-1.1.x to 2.1.7. We have our own custom auth server process (because we want to do our own password validation and for other reasons) that listens on a UNIX domain socket and speaks the dovecot auth protocol.

In dovecot 1.1 we could configure this with

    auth external {
      socket connect {
        master {
          path = /var/run/dovecot/auth.sock
        }
      }
    }

as per http://wiki.dovecot.org/MainConfig

I haven't been able to figure out how to do this in 2.1.7, is it possible?
Re: [Dovecot] Custom auth process in dovecot 2
On 4.9.2012, at 23.01, Richard Platel wrote:

I'm trying to upgrade from dovecot-1.1.x to 2.1.7. We have our own custom auth server process (because we want to do our own password validation and for other reasons) that listens on a UNIX domain socket and speaks the dovecot auth protocol.

In dovecot 1.1 we could configure this with

    auth external {
      socket connect {
        master {
          path = /var/run/dovecot/auth.sock
        }
      }
    }

as per http://wiki.dovecot.org/MainConfig

I haven't been able to figure out how to do this in 2.1.7, is it possible?

Possibility a) Disable the regular service auth, something like:

    service auth {
      unix_listener login/login {
        mode = 0
      }
    }

and then just create the /var/run/dovecot/login/login socket yourself. You may need/want to do this for other auth-related sockets too.

Possibility b) Tell login processes to connect to your socket instead:

    service imap-login {
      executable = imap-login newlogin
    }
Re: [Dovecot] Anyone else seeing lots of random duplicate messages???
On 9/4/2012 1:07 PM, Stan Hoeppner s...@hardwarefreak.com wrote: On 9/4/2012 11:37 AM, Charles Marcus wrote: Almost every message I'm getting through this list is duplicated, down to the same exact message-ID... Anyone else seeing this? Nope. Make any changes to Postfix or your script recently? Nope... but, your reply made me actually take a closer look... It is only happening for emails that are filtered to folders (like my lists)... And now I realize it must be because I've been keeping Thunderbird open at two separate locations (we just opened another office about 5 minutes away, and I have an office/computer at both), and each has filtering enabled... I'll disable filtering on one, and see if that solves the problem (I expect it will)... Sorry for the noise... -- Best regards, Charles
Re: [Dovecot] Anyone else seeing lots of random duplicate messages???
On 04.09.2012 23:02, Charles Marcus wrote:

On 9/4/2012 1:07 PM, Stan Hoeppner s...@hardwarefreak.com wrote:

On 9/4/2012 11:37 AM, Charles Marcus wrote:

Almost every message I'm getting through this list is duplicated, down to the same exact message-ID... Anyone else seeing this?

Nope. Make any changes to Postfix or your script recently?

Nope... but, your reply made me actually take a closer look... It is only happening for emails that are filtered to folders (like my lists)... And now I realize it must be because I've been keeping Thunderbird open at two separate locations (we just opened another office about 5 minutes away, and I have an office/computer at both), and each has filtering enabled... I'll disable filtering on one, and see if that solves the problem (I expect it will)...

better use SIEVE filters on the server for moving list-messages to folders instead of the overhead of TB, which is in fact copy (download/upload) followed by delete, so you have no problems with concurrent clients including mobile devices
Re: [Dovecot] finding messages deleted before timespec
On Tue, 4 Sep 2012, Sven Hartge wrote:

I am searching for a search_query which only matches messages with the flag \Deleted whose flag has been set 24h or longer ago. Doing something like

    doveadm expunge -A mailbox \* DELETED

is not the solution, since it will expunge all deleted mails without looking at the time when they have been deleted. Using savedbefore does not work either, since a message may have been saved 2 years ago but only recently deleted.

You could work out a cron job that does a doveadm search ..., then diff it with one generated 24 hours ago, extract the common GID/UUIDs, then do a second pass to delete them. Not elegant, but it would probably work.

(I just read the man page, and there doesn't seem to be an option to pipe the search like

    doveadm search ... | doveadm expunge

You'll have to expunge one message at a time. Ugh.)

Or maybe the advice "don't worry, be happy" applies here. I find that too many mistake mitigation features are counterproductive, as users habitually rely on them rather than being careful. Extending your grace period to a week will lessen the probability of this race condition.

Joseph Tam jtam.h...@gmail.com
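
The two-snapshot cron approach described in the message above, as an added example that is not part of the original post or of Dovecot. The function names, the snapshot directory and the "user mailbox-guid uid" line format are assumptions, as is the use of the `mailbox-guid` and `uid` search keys to address a single message; the default is a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example: grace period for \Deleted mail built from two search snapshots.
# Assumed snapshot line format (one message per line): "<user> <mailbox-guid> <uid>".

# take_snapshot FILE: record every message currently flagged \Deleted.
take_snapshot() {
    doveadm search -A mailbox '*' DELETED | LC_ALL=C sort -u > "$1"
}

# stale_deleted OLD NEW: print the lines present in both snapshots, i.e.
# messages that were already \Deleted when OLD was taken and still are in NEW.
# Limitation: a message undeleted and deleted again in between looks the same.
stale_deleted() {
    sd_old=$(mktemp) && sd_new=$(mktemp) || return 1
    LC_ALL=C sort -u "$1" > "$sd_old"
    LC_ALL=C sort -u "$2" > "$sd_new"
    LC_ALL=C comm -12 "$sd_old" "$sd_new"
    rm -f "$sd_old" "$sd_new"
}

# expunge_stale OLD NEW: one expunge per stale message. Prints the commands
# unless DRY_RUN=0 is set in the environment.
expunge_stale() {
    stale_deleted "$1" "$2" | while read -r es_user es_guid es_uid; do
        # Skip malformed lines: the GUID must be hex only, the UID digits only.
        case $es_guid in ''|*[!0-9a-f]*) continue ;; esac
        case $es_uid in ''|*[!0-9]*) continue ;; esac
        # DELETED is repeated in the query so that a message undeleted after
        # the NEW snapshot was taken is left alone.
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo doveadm expunge -u "$es_user" \
                mailbox-guid "$es_guid" uid "$es_uid" DELETED
        else
            doveadm expunge -u "$es_user" \
                mailbox-guid "$es_guid" uid "$es_uid" DELETED < /dev/null
        fi
    done
}

# Daily cron body, executed only when the script is called with "run".
# /var/lib/deleted-snapshots is a hypothetical directory.
if [ "${1:-}" = run ]; then
    snapdir=/var/lib/deleted-snapshots
    take_snapshot "$snapdir/today"
    if [ -f "$snapdir/yesterday" ]; then
        DRY_RUN=0 expunge_stale "$snapdir/yesterday" "$snapdir/today"
    fi
    mv "$snapdir/today" "$snapdir/yesterday"
fi
```

Run from cron once a day, this gives each message between 24 and 48 hours in the \Deleted state before it is expunged, because a message has to appear in two consecutive snapshots.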
Re: [Dovecot] TIMO HELP! director ring wont stay connected
On 09/03/12 12:06, Timo Sirainen wrote: On 3.9.2012, at 21.26, Kelsey Cummings wrote: I've had 2x director ring up and running with production load on 2.1.8 with around 10,000 active connections for two weeks and everything has been working great - until this morning. There isn't anything obvious in the logs beyond the fact that the director connections started bouncing. It was not resolved by reloads or restarts or an upgrade to 2.1.9 (only the directors.) Did you try stopping both and then starting them again? That clears up all the state they have. I stopped both directors last night and they were able to stay in sync after they were restarted. Could corruption of the in memory state lead to the connections being dropped? If this happens again I'll try to get a tcpdump and an strace so the bug can get squashed. -K
Re: [Dovecot] TIMO HELP! director ring wont stay connected
On 3.9.2012, at 21.26, Kelsey Cummings wrote: passdb { args = proxy=y nopassword=y driver = static } I wonder if someone was doing a ton of logins for different usernames? This kind of setup where director doesn't verify the username can be attacked that way.
Re: [Dovecot] TIMO HELP! director ring wont stay connected
On 5.9.2012, at 3.58, Timo Sirainen wrote:

On 3.9.2012, at 21.26, Kelsey Cummings wrote:

    passdb {
      args = proxy=y nopassword=y
      driver = static
    }

I wonder if someone was doing a ton of logins for different usernames? This kind of setup where director doesn't verify the username can be attacked that way.

Although the extra users should be freed from the memory after 15 minutes. Hmm.

Once Dovecot supports moving existing connections from one backend server to another without the client noticing anything, the director could be simplified by using consistent hashing and when the number of backends changes, the director could start moving connections to their proper backends. During this move new connections would be handled by 1) if old backend = new backend just forward the connection there or 2) if they're different, request immediate move for that user's existing connections and wait for it to be finished before letting new connections finish. Or alternatively if the user isn't just being moved at that time, forward the connection to the old server and let it be part of the later move.

The main difference here is that directors wouldn't need to keep any track of user -> backend associations. The moving period could still be a bit tricky to handle well, especially since the situation can change again while a previous move is still going on.
Re: [Dovecot] TIMO HELP! director ring wont stay connected
On 9/4/2012 5:58 PM, Timo Sirainen wrote: On 3.9.2012, at 21.26, Kelsey Cummings wrote: passdb { args = proxy=y nopassword=y driver = static } I wonder if someone was doing a ton of logins for different usernames? This kind of setup where director doesn't verify the username can be attacked that way. It doesn't look like there was a higher than normal number of failed logins leading up to the connection issues. I'm going to write some more stats collection tools to track state on the directors and see what comes of it. Can the director proxy validate the username via a unix pw lookup but not check the password? -- Kelsey Cummings - k...@corp.sonic.net sonic.net, inc. System Architect 2260 Apollo Way 707.522.1000 Santa Rosa, CA 95407