Re: [Dovecot] Released Sieve v0.1.11 and ManageSieve v0.11.8 for Dovecot v1.2.3
Hello Dovecot users, Hi, Apart from unfinished development of the date extension, this is a set of bug-fix releases. A few portability issues were found, a few stupidities were fixed and the ManageSieve proxy now also works with TLS. Most notably, the include extension had an issue regarding the expansion of $HOME in the personal include path. I've built a project site at: http://pigeonhole.dovecot.org Changelog Sieve v0.1.11: + Built skeleton implementation for the date extension (RFC5260). It compiles, but it does not do anything useful yet. Therefore, it is not part of the default compilation. - Fixed ARM portability issues caused by char type not being signed on that platform. Reading optional operands from a binary would fail for action side effects. Also, an accidental mixup of an int return type with bool caused the interpreter to continue on ARM even though an error occured. - Removed direct stdint.h includes to prevent portability issues. - Fixed segfault bug in the handling of script open failures. - Include: improved user error messages and system log messages. - Fixed copy-paste mixup between sieve_after and sieve_before settings in the LDA Sieve plugin. If only a sieve_after script was active, nothing would have been executed. Patch by Mike Abbott. - Include: fixed a bug in HOME substitution in the sieve_dir path. Surfaced in ManageSieve. ... Have fun testing the new releases and don't hesitate to notify me when there are problems. build process for Sieve fails when --with-unfinished-features option is set: ... make[2]: Entering directory `/home/mihl/myroot/job/cvsf/dovecot/devel/dovecot-1.2.3/dovecot-1.2- sieve-0.1.11' make[2]: *** No rule to make target `doc/man/sieve-filter.1', needed by `all- am'. Stop. without this it works. Regards, Michal Hlavinka
[Dovecot] how secure is Dovecot when exposed to the Internet?
$ dovecot -n # 1.1.11: /etc/dovecot/dovecot.conf # OS: Linux 2.6.28-11-server x86_64 Ubuntu 9.04 protocols: imap imaps managesieve I need to make an IMAP (actually imaps) server available over the Internet. Unfortunately, VPN is not available (not all clients support VPN), so I will have to expose the imaps port to the Internet. My question is: how reliable is Dovecot in such a setup? I am not talking about encryption (protecting the traffic between server and client). I am talking about having the daemon exposed to anything coming in from the Internet, buffer overflows and stuff like that. What's the security history of this software in situations like this? -- Florin Andrei http://florin.myip.org/
Re: [Dovecot] how secure is Dovecot when exposed to the Internet?
On Aug 10, 2009, at 2:55 AM, Florin Andrei wrote: My question is: how reliable is Dovecot in such a setup? I am not talking about encryption (protecting the traffic between server and client). I am talking about having the daemon exposed to anything coming in from the Internet, buffer overflows and stuff like that. What's the security history of this software in situations like this? http://dovecot.org/security.html
Re: [Dovecot] how secure is Dovecot when exposed to the Internet?
Timo Sirainen wrote: http://dovecot.org/security.html OK, that's pretty convincing. Thanks. -- Florin Andrei http://florin.myip.org/
Re: [Dovecot] Released Sieve v0.1.11 and ManageSieve v0.11.8 for Dovecot v1.2.3
On Mon, 10 Aug 2009, Michal Hlavinka wrote:
build process for Sieve fails when --with-unfinished-features option is set:
...
make[2]: Entering directory
`/home/mihl/myroot/job/cvsf/dovecot/devel/dovecot-1.2.3/dovecot-1.2-
sieve-0.1.11'
make[2]: *** No rule to make target `doc/man/sieve-filter.1', needed by `all-
am'. Stop.
I have added a dummy sieve-filter.1 file to get it going. See the
attachment.
--
Wolfgang Friebel Deutsches Elektronen-Synchrotron DESY
Phone/Fax: +49 33762 77372/216Platanenallee 6
Mail: Wolfgang.Friebel AT desy.de D-15738 Zeuthen Germany.TH SIEVE-FILTER 1 8 August 2009
.SH NAME
sieve-filter \- Sieve filter for the Dovecot secure IMAP server
.SH SYNOPSIS
sieve-filter
[\fB-c\fR]
[\fB-m\fR \fIdefault-mailbox\fR]
[\fB-s\fR \fIscript-file\fR]
[\fB-x\fR \fIextension extension ...\fR]
\fIscript-file\fR \fImail-store\fR \fI[dest-mail-store]\fR
.SH DESCRIPTION
.PP
The \fBsieve-filter\fP command is part of the Sieve implementation for the
Dovecot secure
IMAP server. Sieve (RFC 5228) is a simple and highly extensible language for
filtering
e-mail messages. It can be implemented for any type of mail access protocol,
mail
architecture and operating system. The language cannot execute external
programs and in
its basic form it does not provide the means to cause infinite loops, making it
suitable
for running securely on mail servers where mail users have no permission run
arbitrary programs.
.PP
Using the \fBsieve-filter\fP command,
bla bla (to be done)
.SH OPTIONS
.TP
\fB-c\fP
Force compilation. By default, the compiled binary is stored on disk. When this
binary is found
during the next execution of \fBsieve-filter\fP and its modification time is
more recent than the
script file, it is used and the script is not compiled again. This option
forces the script to be
compiled, thus ignoring any present binary. Refer to \fBsievec\fP(1) for more
information about
Sieve compilation.
.TP
\fB-m\fP \fIdefault-mailbox\fP
The mailbox where the keep action stores the message. This is INBOX by
default.
\fB-s\fP \fIscript-file\fP
Specify additional scripts to be executed before the main script. Multiple
\fB-s\fP arguments are
allowed and the specified scripts are executed sequentially in the order
specified at the command
line.
.TP
\fB-x\fP \fIextension extension ...\fP
Set the available extensions. The parameter is a space-separated list of the
active extensions. By
prepending the extension identifiers with \fB+\fP or \fB-\fP, extensions can be
included or excluded
relative to the default set of extensions. If no extensions have a \fB+\fP or
\fB-\fP prefix, only
those extensions that are explicitly listed will be enabled. Unknown extensions
are ignored and a
warning is produced. By default, all supported extensions are available, except
for deprecated extensions
or those that are still under development.
For example \fB-x\fP +imapflags -enotify will enable the deprecated imapflags
extension along with all
extensions that are available by default, except for the enotify extension.
.SH DEBUG SUPPORT
.PP
To improve script debugging, the Sieve command line tools such as
\fBsieve-filter\fP support a custom
Sieve language extension called 'vnd.dovecot.debug'. It adds the
\fBdebug_print\fP command that allows
printing debug messages to \fBstdout\fP.
.PP
Example:
.PP
require vnd.dovecot.debug;
.PP
if header :contains subject hello {
.PP
debug_print Subject header contains hello!;
.PP
}
.PP
Other tools like \fBsievec\fP and \fBsieved\fP also recognize the
vnd.dovecot.debug extension. In contrast,
the actual Sieve plugin for the Dovecot LDA does not allow the use of the debug
extension. So, keep in mind that
scripts and compiled binaries that refer to de debug extension will fail to be
run by the Sieve plugin itself.
.PP
Note that it is not necessary to enable nor possible to disable the
availability of the debug extension with
the \fB-x\fP option.
.SH AUTHOR
.PP
The Sieve implementation for Dovecot was written by Stephan Bosch
step...@rename-it.nl.
.PP
Dovecot was written by Timo Sirainen t...@iki.fi.
.SH SEE ALSO
.BR sievec (1),
.BR sieved (1)
Re: [Dovecot] More effective mailbox fetching over high RTT link
Timo Sirainen t...@iki.fi wrote: On Sun, 2009-08-09 at 22:20 +0200, Andrzej Adam Filip wrote: Could you offer some suggestion how to fetch mailbox content over high RTT link (with negligible packet loss)? Currently I use IMAP+IDLE *but* it fails to use full available bandwidth due to high RTT and send command wait for response nature of POP3 and IMAP4 protocols. I'm not entirely sure what you want. Download all new messages automatically whenever they show up? It is maximum version of what I would like to get. ( maximum: IMAP+IDLE equivalent, acceptable: faster POP3) And by mailbox do you mean user or folder? So would you want to download all new mails in all folders? One folder is acceptable. All folders would be nice. And is it ok to create your own software to do the downloading? I was thinking about creating perl script for the task. If all of them were yes, the best you could right now would be to set up a virtual all mailbox containing all mailboxes. Then in IDLE you'd see whenever new messages pop up and then issue FETCH n:* BODY.PEEK[] or whatever. There's also IMAP NOTIFY extension that would allow your client to ask server to immediately send the message body instead of the client having to ask for it. But Dovecot doesn't currently support that. Or if you just always wanted to download all mails, again a virtual mailbox and FETCH 1:* BODY.PEEK[] gives you all mails. -- [plen: Andrew] Andrzej Adam Filip : a...@onet.eu Men never make passes at girls wearing glasses. -- Dorothy Parker
Re: [Dovecot] virtual plugin and ACL
On Fri, 07 Aug 2009 15:23:32 -0400 Timo Sirainen t...@iki.fi wrote: That's because in private namespaces user owns the mails, and authenticated doesn't reduce the user's privileges. You could use owner instead. Also I don't think you should use ACLs at all here. It's easier and more secure to just make /var/mail/virtual non-writable to imap process. For example change file/dir owners to root and make them world-readable. Thank you, Timo. Both variants are working fine for me.
[Dovecot] inconsistency with expire-tool and expire dict
Hi!
Here is the problem:
passdb:
daniell:*::user=daniell2
userdb:
daniell2::uid:gid:gecos:home::
dovecot.conf:
plugin {
expire = SA.* 1
# (There are SA.HAM and SA.SPAM directories)
}
When copying a message to eg. the SA.HAM directory, then dovecot inserts this
into my expires table:
dovecot=# select * from expires ;
username | mailbox | expire_stamp
-+-+--
daniell | SA.HAM | 1249976454
^^^ wrong username
This causes an error when running expire-tool (after changing expire_stamp):
# /usr/local/sbin/dovecot --exec-mail ext /usr/local/libexec/dovecot/expire-
tool --test
Info: User lookup failed: daniell
Info: daniell/SA.HAM: no messages left
If I change the username field in the expires table... :
# UPDATE expires SET username = 'daniell2';
UPDATE 1
... expire-tool is fine:
# /usr/local/sbin/dovecot --exec-mail ext /usr/local/libexec/dovecot/expire-
tool --test
Info: daniell2/SA.HAM: timestamp 1249880093 (Mon Aug 10 06:54:53 2009) -
1249976454 (Tue Aug 11 09:40:54 2009)
Daniel
--
LÉVAI Dániel
PGP key ID = 0x4AC0A4B1
Key fingerprint = D037 03B9 C12D D338 4412 2D83 1373 917A 4AC0 A4B1
Re: [Dovecot] Released Sieve v0.1.11 and ManageSieve v0.11.8 for Dovecot v1.2.3
Michal Hlavinka wrote: Hello Dovecot users, Hi, Have fun testing the new releases and don't hesitate to notify me when there are problems. build process for Sieve fails when --with-unfinished-features option is set: ... make[2]: Entering directory `/home/mihl/myroot/job/cvsf/dovecot/devel/dovecot-1.2.3/dovecot-1.2- sieve-0.1.11' make[2]: *** No rule to make target `doc/man/sieve-filter.1', needed by `all- am'. Stop. Fixed: http://hg.rename-it.nl/dovecot-1.2-sieve/rev/03cb0e6d4a35 Regards, Stephan
Re: [Dovecot] Listing shared mailboxes with a domainpart
Hy!
Am Freitag, den 07.08.2009, 14:13 -0400 schrieb Timo Sirainen:
On Fri, 2009-08-07 at 13:29 +0200, Mathias Tausig wrote:
I am currently configuring a new mailserver using postfix and dovecot
1.2.1. The filesystem strucutre in my spool directory is
user1/
user2/
domain/info/
domain/office/
I configured a shared namespace:
namespace shared {
separator = /
prefix = shared/%%d/%%n/
location = maildir:/var/spool/vmaildir/%%d/%%n/
I don't think you should use a shared namespace for this. You just want
everything in domain/ to be shared to users in that domain?
Not neccesarily everything. I want to be able to share i...@domain to
user1 and off...@domain to user2.
Do you have multiple domains?
Yes.
Do user1 and user2 contain @domain?
No. They can receive mails under various domains which are aggregated
into one domainless account.
[...]
If that doesn't do what you want, explain more clearly what you need.
I hope I was able to clarify my (desired) setup now.
Thanks for trying to help me.
cheers
Mathias
Re: [Dovecot] Mail not begin processed
Thank you for the response
postconf -n:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
inet_interfaces = all
local_recipient_maps = $alias_maps $virtual_mailbox_maps unix:passwd.byname
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/local/man
mydestination = localhost
mydomain = paranoidandroid.co.za
myhostname = mail.paranoidandroid.co.za
mynetworks_style = host
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = no
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_recipient_limit = 500
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
unknown_local_recipient_reject_code = 550
virtual_alias_maps =
proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf
virtual_mailbox_base = /
virtual_mailbox_domains =
proxy:mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf
virtual_mailbox_maps =
proxy:mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf
virtual_transport = dovecot
master.cf:
--
pickupfifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - n 300 1 oqmgr
tlsmgrunix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounceunix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verifyunix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
-o smtp_fallback_relay=
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scacheunix - - n - 1 scache
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -d
${recipient}
Many thanx
Timo Sirainen wrote:
On Sat, 2009-08-08 at 14:57 +0200, André Labuschagné wrote:
Aug 8 14:55:02 li73-31 postfix/qmgr[20163]: warning: connect to
transport private/dovecot: Connection refused
What does master.cf contain? Or postconf -n? This is anyway Postfix
configuration problem, nothing really to do with Dovecot (your transport
name just happens to be dovecot).
Re: [Dovecot] GSSAPI Authentication in v1.2.1
Phillip Macey wrote: In the release notes for v1.2.2, Timo said: Found and fixes several v1.2-specific bugs. Hopefully it's now stable for most people's usage. * GSSAPI: More changes to authentication. Hopefully good now. What were the GSSAPI changes? I am having problems with _some_ of my users using GSSAPI auth. I am using version 1.2.1. The client (thunderbird) reports that the server does not support 'secure authentication'. When I switch on auth_debug in dovecot, I see errors such as these in the logs: Aug 3 16:45:57 fury dovecot: auth(default): client in: AUTH1 GSSAPI service=imaplip=10.1.0.20 rip=10.8.5.72 lport=143 rport=4027 Aug 3 16:45:57 fury dovecot: auth(default): gssapi(?,10.8.5.72): Using all keytab entries Aug 3 16:45:57 fury dovecot: auth(default): client out: CONT 1 Aug 3 16:45:57 fury dovecot: imap-login: Disconnected: Input buffer full (auth failed, 1 attempts): method=GSSAPI, rip=10.8.5.72, lip=10.1.0.20 Other users work perfectly (eg. all of the user accounts I tested against). Would this have been a bug that was fixed in 1.2.2 or is it something else? If it is most likely something else, I will post `dovecot -n`. Same here (1.2.3), it's been working fine adding all possible principals to the keytab and setting: auth_gssapi_hostname = $ALL There are all sorts of resolvers out there that seem to mess with principal name selection on the clients all the time. Weird thing is this particular one didn't happen with 1.1.x -- Angel Marin http://anmar.eu.org/
Re: [Dovecot] sieve vacation response
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Fri, 7 Aug 2009, Timo Sirainen wrote: On Fri, 2009-08-07 at 20:26 +0200, Jure Pečar wrote: On Fri, 07 Aug 2009 13:57:57 -0400 Timo Sirainen t...@iki.fi wrote: Currently, you need to add all allowed aliases to the :addresses argument of the vacation command. My TODO list contains a new feature that lets you extract additional valid aliases directly from a dictionary (e.g. an SQL database). It is not at the top of my TODO list yet, but since you are not the only one needing this, I'll give it some more priority. I don't think the above really needs a dict? Rather maybe there's a way to have the script check the original unexpanded address. Is it stored in some specific header, or how would Dovecot/Sieve know about it? I agree - for example, we have X-Original-To. I'll suggest our team to match against that header. What about Delivered-To? Not all MTAs add this header, e.g. stock sendmail. In case of a stock sendmail installation there is _no_ evidence of the RCPT TOs at all, if there is not exactly one recipient. I would re-raise my suggestion to have: localPart -or- localp...@* matches any domain or - if I just read it, I prefer this - an admin-defined list of domains. This would at least won't require a dict and will fail, if one hosts at least two distinct domains and a mail is sent to localp...@example.com explicitly, but localp...@example.net implicitly (same local part, domain clash). Moreover, locally I have users, who do selectivly pick particular (recipient) domains, which to respond to, whereas others want that it just works. To trigger to fetch aliases from the dict should be controllable by each user, e.g. an empty :addresses list or a * in the list pulls the default from there or something like that. Regards, - -- Steffen Kaiser -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.6 (GNU/Linux) iQEVAwUBSn/f0nWSIuGy1ktrAQJYxwf/eMrxbmKcxbAUphVjzMh7Nit6GuTEi2+W 3zdX3cOIxl8IZrSZWD+cxlS27AYrbwKBy2g5nL6v6fuwO+a24mfmgYbzzsPJxpvl zexldhqiEzlqtikuEUcMv0FBMqI9DJIIWTueENsN9PH0/GtfVk0gY0erbi2MW7I7 mwD9xbMvN2wnkG4Fe2bBcLBaneP0E2QJBZ3sniDfAIkrjdjrnmJbkWLRIOX3zleV WuXd343vmQ8JRYPriSpLqdBhmBCLJA/lyMGLJI3VrzFDxR/pGhCROoaRNydxEzmH p+tLTdiDHuFc3bmqI/iedTOicSUjM+PuHxIXMI8RhgDaioGaEKapiw== =8Ftl -END PGP SIGNATURE-
[Dovecot] getmail and Dovecot LDA deliver
Hello, my first post in this list. Hope it's the right place.:-) I'm having a problem running getmail together with Dovecot LDA for virtual users. To achive this I let getmail run under the user that owns the virtual email accounts-root. The problem is that getmail is running under the user vmail and therefore the emails received will be put into vmail's mailbox. But the emails getmail collected are actually for a virtual Dovecot user which has its maildir in a subdirectory of vmails home. The settings for the virtual users seem to be okay: I can login on Dovecot with virtual user account and I can send emails to Postfix for the virtual user. Postfix correctly uses devlier with the name of the virtual user and so the emails are going to the correct directory. For me it seems that getmail always uses the username under which getmail is currently running. As this must be a local user, getmails always announces this local user to deliver and deliver therefore puts the emails into the wrong account. My question is: How do I let deliver know that it should use a virtual user? I tried with the -d agrument in my getmail rc File, but deliver never accepts the parameter -d (always says unknown parameter -d). I tried as well to let getmail or deliver to be run as root, but then the emails will be delivered to roots home, which is not the goal too... Does anyone know a way how I can set getmail to handle emails for a virtual account properly? Any hint is appreciated as it already costed me hours of try-and-error Regards tobi -- View this message in context: http://www.nabble.com/getmail-and-Dovecot-LDA-deliver-tp24896318p24896318.html Sent from the Dovecot mailing list archive at Nabble.com.
Re: [Dovecot] getmail and Dovecot LDA deliver
On Aug 10, 2009, at 4:50 AM, spacejam wrote: My question is: How do I let deliver know that it should use a virtual user? I tried with the -d agrument in my getmail rc File, but deliver never accepts the parameter -d (always says unknown parameter -d). Either you're using some really ancient deliver version or the error message comes from getmail or something else besides deliver. So, what Dovecot version do you use? And also copypaste the exact error message (and maybe other messages too) that you get. And the getmailrc could help too.
Re: [Dovecot] getmail and Dovecot LDA deliver
Timo Sirainen wrote: On Aug 10, 2009, at 4:50 AM, spacejam wrote: My question is: How do I let deliver know that it should use a virtual user? I tried with the -d agrument in my getmail rc File, but deliver never accepts the parameter -d (always says unknown parameter -d). Either you're using some really ancient deliver version or the error message comes from getmail or something else besides deliver. So, what Dovecot version do you use? And also copypaste the exact error message (and maybe other messages too) that you get. And the getmailrc could help too. I compiled deliver from Dovecot-1.0.15 The -d parameter is accepted by deliver if Postfix invokes the mailbox_command to deliver emails to virtual accounts. The error message from deliver is something like deliver unknown argument -d username (I will check the exact message this evening after work). As well I will post the content of the destination section from my rc file which tries so invoke deliver for mail delivery to virtual account. I'm pretty sure that the error message comes from deliver as the program name (deliver) is mentioned in the logfiles with the error message -- View this message in context: http://www.nabble.com/getmail-and-Dovecot-LDA-deliver-tp24896318p24896701.html Sent from the Dovecot mailing list archive at Nabble.com.
Re: [Dovecot] Mail archive
ferna...@dfcom.com.br schrieb: Hi, I´m using dovecot at our storages, accounts is distributed among many storages (not entire domain), all of them with compression (when message 30Kb), nightly crontab script. Even though compression and many storages, we always have problems with disk space and need to migrate accounts. Have you ever implemented any archive solution working with dovecot ? Regards, Fernando you might give more info what kind of archive you exactly mean meanwhile study http://wiki.dovecot.org/HowTo/ReadOnlyArchive http://wiki.dovecot.org/Plugins/Zlib http://wiki.dovecot.org/Plugins/Expire Alternative dbox directory expiration -- Best Regards MfG Robert Schetterer Germany/Munich/Bavaria
Re: [Dovecot] Mail archive
I would like 'some process' to store old mails at a cheap storage. I know how to do it with symlinks, but I don´t know if it is the best option. So, I´m asking if dovecot improves it somehow. Fernando fernando at dfcom.com.br schrieb: Hi, I´m using dovecot at our storages, accounts is distributed among many storages (not entire domain), all of them with compression (when message 30Kb), nightly crontab script. Even though compression and many storages, we always have problems with disk space and need to migrate accounts. Have you ever implemented any archive solution working with dovecot ? Regards, Fernando you might give more info what kind of archive you exactly mean meanwhile study http://wiki.dovecot.org/HowTo/ReadOnlyArchive http://wiki.dovecot.org/Plugins/Zlib http://wiki.dovecot.org/Plugins/Expire Alternative dbox directory expiration -- Best Regards MfG Robert Schetterer Germany/Munich/Bavaria
Re: [Dovecot] Mail archive
ferna...@dfcom.com.br schrieb: I would like 'some process' to store old mails at a cheap storage. I know how to do it with symlinks, but I don´t know if it is the best option. So, I´m asking if dovecot improves it somehow. have you read ? http://wiki.dovecot.org/Plugins/Expire Alternative dbox directory expiration Fernando fernando at dfcom.com.br schrieb: Hi, I´m using dovecot at our storages, accounts is distributed among many storages (not entire domain), all of them with compression (when message 30Kb), nightly crontab script. Even though compression and many storages, we always have problems with disk space and need to migrate accounts. Have you ever implemented any archive solution working with dovecot ? Regards, Fernando you might give more info what kind of archive you exactly mean meanwhile study http://wiki.dovecot.org/HowTo/ReadOnlyArchive http://wiki.dovecot.org/Plugins/Zlib http://wiki.dovecot.org/Plugins/Expire Alternative dbox directory expiration -- Best Regards MfG Robert Schetterer Germany/Munich/Bavaria
Re: [Dovecot] expire plugin no delete 1.2.1 / 1.2.2 / 1.2.3
Robert Schetterer schrieb: Timo Sirainen schrieb: On Tue, 2009-08-04 at 10:22 +0200, Robert Schetterer wrote: Info: maildir: data=/usr/local/virtual//root/:CONTROL=/usr/local/virtual//root/:INDEX=/usr/local/virtual//root/:INBOX=/usr/local/virtual//root/ Oh, right, this is the problem. You can't use %variables in mail_location setting. They get expanded too early. Since you're returning home anyway, use: mail_location = maildir:~/ HI Timo, ok i try this and report Hi, Timo sorry to say setting mail_location = maildir:~/ does not change anything mail is still not deleted, latest test were with 1.2.3 -- Best Regards MfG Robert Schetterer Germany/Munich/Bavaria
Re: [Dovecot] expire plugin no delete 1.2.1 / 1.2.2 / 1.2.3
On Aug 10, 2009, at 11:17 AM, Robert Schetterer wrote: Info: maildir: data=/usr/local/virtual//root/:CONTROL=/usr/local/virtual// root/:INDEX=/usr/local/virtual//root/:INBOX=/usr/local/virtual// root/ .. setting mail_location = maildir:~/ does not change anything mail is still not deleted, latest test were with 1.2.3 What does it log now?
Re: [Dovecot] rename() non-atomic on HFS? (was: Dovecot-1.1.15 panics)
On Aug 10, 2009, at 8:59 AM, Edgar Fuß wrote: [...] mv foo.tmp foo [...] [...] So, apparently HFS+'s rename() isn't really atomic after all.. Are you sure OS X's mv(1) simply calls rename(2)? Maybe some magic in mv(1) for ._xxx resource forks or directory hardlinks? I also wrote a C program that used rename() to verify it. Anyway, I heard it was also verified by Apple's HFS+ people.
Re: [Dovecot] getmail and Dovecot LDA deliver
Robert Schetterer wrote: just as an idea it may work using postfix sendmail [destination] type = MDA_external path = /path/to/sendmail ( parameters ) That was the idea. First I tried to use getmail_fetch which allows to specify a virtual username on the command line. It received the emails and put them into the virtual users Maildir. But with getmail_fetch I could not see to integrate the email received into Spamassassins scannig process. So the idea with sendmail was just the one which works as wished. So my rc File (dest part) looks like that [destination] type = MDA_external path = /usr/syno/mailstation/sbin/sendmail arguments = (vu...@virtual-domain.tld,) I know that I should update the dovecot as well but my system is a NAS system. And as I use this system for my email accounts I don't want to risk to update the dovecot. But next week I will receive a second NAS server which I will use for backups. But before I will try to install an up-to-date Dovecot-Version and see if everything works fine with the firmware from the manufactor. Best regards tobi -- View this message in context: http://www.nabble.com/getmail-and-Dovecot-LDA-deliver-tp24896318p24903371.html Sent from the Dovecot mailing list archive at Nabble.com.
[Dovecot] v2.0 configuration parsing
I'm trying to figure out how exactly v2.0 should be parsing
configuration files. The most annoying part is if it should always just
use whatever comes first in config or try some kind of a use most
specific rule. The most specific kind of makes more sense initially,
but then you start wondering how to handle e.g.:
1) User logs in to imap from 192.168.0.1. What is foo's value?
protocol imap {
remote_ip 192.168.0.0/16 {
foo = foo
}
}
remote_ip 192.168.0.0/24 {
foo = bar
}
2) User logs in from 192.168.0.1 to 10.1.2.3. What is foo's value?
local_ip 192.168.0.1 {
remote_ip 10.1.2.0/24 {
foo = foo
}
}
remote_ip 10.1.2.3 {
local_ip 192.168.0.0/24 {
foo = bar
}
}
Any thoughts?
signature.asc
Description: This is a digitally signed message part
Re: [Dovecot] v2.0 configuration parsing
Timo Sirainen wrote:
I'm trying to figure out how exactly v2.0 should be parsing
configuration files. The most annoying part is if it should always just
use whatever comes first in config or try some kind of a use most
specific rule. The most specific kind of makes more sense initially,
but then you start wondering how to handle e.g.:
1) User logs in to imap from 192.168.0.1. What is foo's value?
protocol imap {
remote_ip 192.168.0.0/16 {
foo = foo
}
}
remote_ip 192.168.0.0/24 {
foo = bar
}
2) User logs in from 192.168.0.1 to 10.1.2.3. What is foo's value?
local_ip 192.168.0.1 {
remote_ip 10.1.2.0/24 {
foo = foo
}
}
remote_ip 10.1.2.3 {
local_ip 192.168.0.0/24 {
foo = bar
}
}
Any thoughts?
I think the easiest scheme to keep in my brain would be to evaluate the
blocks, in order, as if they were branches in code. Fooling around with
an arbitrary order of evaluation/specificity would be a recipe for
disaster (see, for example, any CSS engine).
So, something like,
protocol imap {
remote_ip 192.168.0.0/16 {
foo = foo
}
}
would translate to,
if (protocol == imap) {
if (remote_ip matches 192.168.0.0/16) {
foo = foo
}
}
and then later,
remote_ip 192.168.0.0/24 {
foo = bar
}
would set the value of 'foo' to 'bar', since it would evaluate in a
similar fashion, and comes later in the config file.
It's easy to explain, easy to implement, and easy to debug. Ultimately,
the users are going to have to understand how it works in order to
configure Dovecot properly. Put the most general rules first, and then
override them is a practice with which most of us are already familiar.
Re: [Dovecot] v2.0 configuration parsing
Hi Timo,
What's your thought on the 'precedence order' (hope it make sense),
on protocol, remote_ip, local_ip?
From your sample 1, it would read equals (to most technical people) to
protocol imap
{
remote_ip 192.168.0.0/16
{
foo = foo
}
}
protocol ALL
{
remote_ip 192.168.0.0/24
{
foo = bar
}
}
If follow this syntax, sample 1's answer would be foo = foo, assuming
specific rules overwrite general rules, and assuming protocol is the
first order.
Sample 2 is tough, that's why I asked what's your thought on
precedence order. Restricting syntax to only remote before local (or
vice versa) should resolve it.
Joseph
On 10-Aug-09, at 1:57 PM, Timo Sirainen wrote:
I'm trying to figure out how exactly v2.0 should be parsing
configuration files. The most annoying part is if it should always
just
use whatever comes first in config or try some kind of a use most
specific rule. The most specific kind of makes more sense
initially,
but then you start wondering how to handle e.g.:
1) User logs in to imap from 192.168.0.1. What is foo's value?
protocol imap {
remote_ip 192.168.0.0/16 {
foo = foo
}
}
remote_ip 192.168.0.0/24 {
foo = bar
}
2) User logs in from 192.168.0.1 to 10.1.2.3. What is foo's value?
local_ip 192.168.0.1 {
remote_ip 10.1.2.0/24 {
foo = foo
}
}
remote_ip 10.1.2.3 {
local_ip 192.168.0.0/24 {
foo = bar
}
}
Any thoughts?
Re: [Dovecot] v2.0 configuration parsing
On Aug 10, 2009, at 11:57 AM, Timo Sirainen wrote:
I'm trying to figure out how exactly v2.0 should be parsing
configuration files. The most annoying part is if it should always
just
use whatever comes first in config or try some kind of a use most
specific rule. The most specific kind of makes more sense
initially,
but then you start wondering how to handle e.g.:
1) User logs in to imap from 192.168.0.1. What is foo's value?
protocol imap {
remote_ip 192.168.0.0/16 {
foo = foo
}
}
remote_ip 192.168.0.0/24 {
foo = bar
}
2) User logs in from 192.168.0.1 to 10.1.2.3. What is foo's value?
local_ip 192.168.0.1 {
remote_ip 10.1.2.0/24 {
foo = foo
}
}
remote_ip 10.1.2.3 {
local_ip 192.168.0.0/24 {
foo = bar
}
}
Any thoughts?
Figure out that they intersect and return an error!
Aria Stewart
aredri...@nbtsc.org
Re: [Dovecot] More effective mailbox fetching over high RTT link
On Sun, 09 Aug 2009 22:20:41 +0200 Andrzej Adam Filip andrzej.fi...@gmail.com wrote: Could you offer some suggestion how to fetch mailbox content over high RTT link (with negligible packet loss)? Currently I use IMAP+IDLE *but* it fails to use full available bandwidth due to high RTT and send command wait for response nature of POP3 and IMAP4 protocols. The entire purpose of the command tag in IMAP is to facilitate batching or concurrent commands. See RFC3501 section 5.5. It shouldn't be too difficult to batch requests for new messages, or even select all the new messages in one request for a single folder. -- Ben Winslow r...@bluecherry.net
Re: [Dovecot] v2.0 configuration parsing
Timo Sirainen wrote:
I'm trying to figure out how exactly v2.0 should be parsing
configuration files. The most annoying part is if it should always just
use whatever comes first in config or try some kind of a use most
specific rule. The most specific kind of makes more sense initially,
but then you start wondering how to handle e.g.:
1) User logs in to imap from 192.168.0.1. What is foo's value?
protocol imap {
remote_ip 192.168.0.0/16 {
foo = foo
}
}
remote_ip 192.168.0.0/24 {
foo = bar
}
make it
protocols {
imap {
remote_ip x/16 {
foo = foo
}
}
all {
remote_ip x/24 {
foo = bar
}
}
}
2) User logs in from 192.168.0.1 to 10.1.2.3. What is foo's value?
local_ip 192.168.0.1 {
remote_ip 10.1.2.0/24 {
foo = foo
}
}
remote_ip 10.1.2.3 {
local_ip 192.168.0.0/24 {
foo = bar
}
}
I'd strongly suggest to use the same approach as firewalls (or exim):
first match wins. I love exim because I can configure it much like my
firewalls routers, and the fall through until something matches
syntax that most firewalls/ACLs use is well-understood flexible.
Kind regards,
Felix
--
Felix Schüren
Head of Network
---
Host Europe GmbH - http://www.hosteurope.de
Welserstraße 14 - 51149 Köln - Germany
Telefon: 0800 467 8387 - Fax: +49 180 5 66 3233 (*)
HRB 28495 Amtsgericht Köln - USt-IdNr.: DE187370678
Geschäftsführer:
Uwe Braun - Alex Collins - Mark Joseph - Patrick Pulvermüller
(*) 0,14 EUR/Min. aus dem dt. Festnetz, Mobilfunkpreise ggf. abweichend
Re: [Dovecot] v2.0 configuration parsing
On Mon, 2009-08-10 at 14:33 -0400, Joseph Yee wrote:
Hi Timo,
What's your thought on the 'precedence order' (hope it make sense),
on protocol, remote_ip, local_ip?
I'm not sure if there is one.
Sample 2 is tough, that's why I asked what's your thought on
precedence order. Restricting syntax to only remote before local (or
vice versa) should resolve it.
Actually I don't think it would really solve much either.
local_ip 192.168.0.1 {
remote_ip 10.1.2.0/24 {
foo = foo
}
}
remote_ip 10.1.2.3 {
local_ip 192.168.0.0/24 {
foo = bar
}
}
You could write this as:
local_ip 192.168.0.1 {
remote_ip 10.1.2.0/24 {
foo = foo
}
}
local_ip 192.168.0.0/24 {
remote_ip 10.1.2.3 {
foo = bar
}
}
You'd still have to decide if local_ip is more important than remote_ip,
or if it should just be done in order and it should always use either
first or last.
signature.asc
Description: This is a digitally signed message part
Re: [Dovecot] v2.0 configuration parsing
On Mon, 2009-08-10 at 20:47 +0200, Felix Schueren wrote:
make it
protocols {
imap {
remote_ip x/16 {
foo = foo
}
}
all {
remote_ip x/24 {
foo = bar
}
}
}
That's just a syntax change. The question is still about if it should
match the first one or the most specific one.
I'd strongly suggest to use the same approach as firewalls (or exim):
first match wins. I love exim because I can configure it much like my
firewalls routers, and the fall through until something matches
syntax that most firewalls/ACLs use is well-understood flexible.
Yeah, I'm beginning to think something like this would be good, with
perhaps some restrictions in how the configuration blocks could be used.
But is it better to use the first or the last match?..
signature.asc
Description: This is a digitally signed message part
Re: [Dovecot] v2.0 configuration parsing
Timo Sirainen wrote:
On Mon, 2009-08-10 at 20:47 +0200, Felix Schueren wrote:
make it
protocols {
imap {
remote_ip x/16 {
foo = foo
}
}
all {
remote_ip x/24 {
foo = bar
}
}
}
That's just a syntax change. The question is still about if it should
match the first one or the most specific one.
I'd strongly suggest to use the same approach as firewalls (or exim):
first match wins. I love exim because I can configure it much like my
firewalls routers, and the fall through until something matches
syntax that most firewalls/ACLs use is well-understood flexible.
Yeah, I'm beginning to think something like this would be good, with
perhaps some restrictions in how the configuration blocks could be used.
But is it better to use the first or the last match?..
If at all possible, I would much rather see an error thrown than
choosing which one to accept. To me, having Dovecot tolerate broken
configurations is less desirable than giving clear feedback for the user
to fix it. Anything from:
foo is defined more than once
overlapping ip declarations
remote_ip declaration in protocol imap conflicts with remote_ip
declaration in protocol all
I suppose if you really want to tolerate the brokenness - at least
include the error as a logged warning.
--
Daniel
Re: [Dovecot] v2.0 configuration parsing
On Mon, 2009-08-10 at 12:09 -0700, Daniel L. Miller wrote:
If at all possible, I would much rather see an error thrown than
choosing which one to accept. To me, having Dovecot tolerate broken
configurations is less desirable than giving clear feedback for the user
to fix it. Anything from:
foo is defined more than once
overlapping ip declarations
remote_ip declaration in protocol imap conflicts with remote_ip
declaration in protocol all
It's not necessarily a broken configuration. For example you could have:
disable_plaintext_auth = yes # default also
remote_ip 192.168.0.0/16 {
# allow plaintext auth from intranet
disable_plaintext_auth = no
}
That's an ok configuration, right? But then again, maybe one of those
IPs is a proxy to outside world and you don't want plaintext auth from
there:
remote_ip 192.168.123.44 {
disable_plaintext_auth = yes
}
But I guess if there truly are some conflicts it could warn about
them .. although that might be more work than it's worth. :)
signature.asc
Description: This is a digitally signed message part
Re: [Dovecot] v2.0 configuration parsing
Timo Sirainen wrote:
On Mon, 2009-08-10 at 12:09 -0700, Daniel L. Miller wrote:
If at all possible, I would much rather see an error thrown than
choosing which one to accept. To me, having Dovecot tolerate broken
configurations is less desirable than giving clear feedback for the user
to fix it. Anything from:
foo is defined more than once
overlapping ip declarations
remote_ip declaration in protocol imap conflicts with remote_ip
declaration in protocol all
It's not necessarily a broken configuration. For example you could have:
disable_plaintext_auth = yes # default also
remote_ip 192.168.0.0/16 {
# allow plaintext auth from intranet
disable_plaintext_auth = no
}
That's an ok configuration, right? But then again, maybe one of those
IPs is a proxy to outside world and you don't want plaintext auth from
there:
remote_ip 192.168.123.44 {
disable_plaintext_auth = yes
}
But I guess if there truly are some conflicts it could warn about
them .. although that might be more work than it's worth. :)
Well - if those are not broken configs, then I guess I misunderstood the
question. I would expect the most restrictive test to govern, so:
remote_ip 192.168.0.0/16 {
# allow plaintext auth from intranet
disable_plaintext_auth = no
}
remote_ip 192.168.10.0/8 {
# allow plaintext auth from intranet
disable_plaintext_auth = yes
}
remote_ip 192.168.0.1 {
# allow plaintext auth from intranet
disable_plaintext_auth = no
}
connecting from 192.168.0.1 should result in disable_plaintext_auth = no.
--
Daniel-5276
Re: [Dovecot] More effective mailbox fetching over high RTT link
Ben Winslow r...@bluecherry.net wrote: On Sun, 09 Aug 2009 22:20:41 +0200 Andrzej Adam Filip andrzej.fi...@gmail.com wrote: Could you offer some suggestion how to fetch mailbox content over high RTT link (with negligible packet loss)? Currently I use IMAP+IDLE *but* it fails to use full available bandwidth due to high RTT and send command wait for response nature of POP3 and IMAP4 protocols. The entire purpose of the command tag in IMAP is to facilitate batching or concurrent commands. See RFC3501 section 5.5. It shouldn't be too difficult to batch requests for new messages, or even select all the new messages in one request for a single folder. Could you recommend tool/client program capable to use IMAP pipelining? -- [plen: Andrew] Andrzej Adam Filip : a...@onet.eu Virtue does not always demand a heavy sacrifice -- only the willingness to make it when necessary. -- Frederick Dunn
Re: [Dovecot] v2.0 configuration parsing
On 8/10/2009, Timo Sirainen (t...@iki.fi) wrote: Yeah, I'm beginning to think something like this would be good, with perhaps some restrictions in how the configuration blocks could be used. But is it better to use the first or the last match? For a filter (like a firewall), it makes sense to have the first match win. For config stuff, I think the LAST should win... at least, thats how postfix works... Or maybe even better, if you have the same setting defined twice, you could also detect this and issue a warning, like you do now for fd's set too low... -- Best regards, Charles
Re: [Dovecot] v2.0 configuration parsing
On 8/10/2009, Michael Orlitzky (mich...@orlitzky.com) wrote: It's easy to explain, easy to implement, and easy to debug. Ultimately, the users are going to have to understand how it works in order to configure Dovecot properly. Put the most general rules first, and then override them is a practice with which most of us are already familiar. One thing I'd like is to sort the simple one line foo = bar settings first (before the blocks) - in alphabetcial order. If it makes more sense to keep the blocks in a specific order, thats fine, otherwise you could alphabetize them too. Right now, if you have a lot of settings, finding any particular setting (ie, when troubleshooting) is much more difficult than it should be, especially for someone new to dovecot. -- Best regards, Charles
Re: [Dovecot] expire plugin no delete 1.2.1 / 1.2.2 / 1.2.3
Timo Sirainen schrieb:
On Mon, 2009-08-10 at 20:04 +0200, Robert Schetterer wrote:
as far i remember there was root ..
yes of course i am having
variables in namespaces i think i need them for my setup
expire-tool is currently incompatible with variables anywhere. v2.0
fixes this, but with v1.x you can't use them.
namespace private {
separator = /
prefix =
location =
maildir:/usr/local/virtual/%d/%u/:CONTROL=/usr/local/virtual/%d/%u/:INDEX=/usr/local/virtual/%d/%u/:INBOX=/usr/local/virtual/$
location = maildir:~/
should work here just fine. All of your directories point to the same
one, so there's no need to specify them separately.
list = yes
hidden = no
subscriptions = yes
}
namespace private {
prefix = virtual/
separator = /
location = virtual:/etc/dovecot/virtual:LAYOUT=maildir++
This is ok as it is.
hidden = yes
list = no
subscriptions= no
}
namespace private {
prefix = RealMails/
separator = /
list = no
hidden = yes
location =
maildir:/usr/local/virtual/%d/%u/:CONTROL=/usr/local/virtual/%d/%u/:INDEX=/usr/local/virtual/%d/%u/:INBOX=/usr/local/virtual/$
}
Here again it's the same. Actually you should just remove the location
setting from both RealMails/ and namespaces, so it'll just default to
mail_location setting.
only in the first default namespace, changing others may crash with
pop3 downloading special imap folders
As long as home points to the right directory there shouldn't be any
problems.
ok i ll try, and report
--
Best Regards
MfG Robert Schetterer
Germany/Munich/Bavaria
Re: [Dovecot] v2.0 configuration parsing
On 8/10/2009, Charles Marcus (cmar...@media-brokers.com) wrote: One thing I'd like is to sort the simple one line foo = bar settings first (before the blocks) - in alphabetcial order. Of course, I meant with respect to doveconf -n output... or did you decide yet on the new command(s)? -- Best regards, Charles
Re: [Dovecot] v2.0 configuration parsing
Daniel L. Miller wrote:
Timo Sirainen wrote:
On Mon, 2009-08-10 at 12:09 -0700, Daniel L. Miller wrote:
If at all possible, I would much rather see an error thrown than
choosing which one to accept. To me, having Dovecot tolerate broken
configurations is less desirable than giving clear feedback for the
user to fix it. Anything from:
foo is defined more than once
overlapping ip declarations
remote_ip declaration in protocol imap conflicts with remote_ip
declaration in protocol all
It's not necessarily a broken configuration. For example you could have:
disable_plaintext_auth = yes # default also
remote_ip 192.168.0.0/16 {
# allow plaintext auth from intranet
disable_plaintext_auth = no
}
That's an ok configuration, right? But then again, maybe one of those
IPs is a proxy to outside world and you don't want plaintext auth from
there:
remote_ip 192.168.123.44 {
disable_plaintext_auth = yes
}
But I guess if there truly are some conflicts it could warn about
them .. although that might be more work than it's worth. :)
Well - if those are not broken configs, then I guess I misunderstood the
question. I would expect the most restrictive test to govern, so:
remote_ip 192.168.0.0/16 {
# allow plaintext auth from intranet
disable_plaintext_auth = no
}
remote_ip 192.168.10.0/8 {
# allow plaintext auth from intranet
disable_plaintext_auth = yes
}
remote_ip 192.168.0.1 {
# allow plaintext auth from intranet
disable_plaintext_auth = no
}
connecting from 192.168.0.1 should result in disable_plaintext_auth = no.
I agree - however, it makes the config harder to read, and you pretty
much need something like dovecotctl -acl -dump or an equivalent to
netstat -r or iptables -L to display them in the correct order if the
ruleset becomes complex. By using a first-match wins syntax, you make
the actual config file much simpler to read, as it maps to the running
process.
kind regards,
Felix
--
Felix Schüren
Head of Network
---
Host Europe GmbH - http://www.hosteurope.de
Welserstraße 14 - 51149 Köln - Germany
Telefon: 0800 467 8387 - Fax: +49 180 5 66 3233 (*)
HRB 28495 Amtsgericht Köln - USt-IdNr.: DE187370678
Geschäftsführer:
Uwe Braun - Alex Collins - Mark Joseph - Patrick Pulvermüller
(*) 0,14 EUR/Min. aus dem dt. Festnetz, Mobilfunkpreise ggf. abweichend
Re: [Dovecot] Scalability plans: Abstract out filesystem and make it someone else's problem
Timo Sirainen wrote: This is something I figured out a few months ago, mainly because this one guy at work (hi, Stu) kept telling me my multi-master replication plan sucked and we should use some existing scalable database. (I guess it didn't go exactly like that, but that's the result anyway.) Ick, some people (myself included) hate the idea of storing mail in a database versus simple and almost impossible to screw up plain text files of maildir. Cyrus already does the whole mail-in-database thing. ~Seth
Re: [Dovecot] Scalability plans: Abstract out filesystem and make it someone else's problem
On Mon, 2009-08-10 at 14:33 -0700, Seth Mattinen wrote: Timo Sirainen wrote: This is something I figured out a few months ago, mainly because this one guy at work (hi, Stu) kept telling me my multi-master replication plan sucked and we should use some existing scalable database. (I guess it didn't go exactly like that, but that's the result anyway.) Ick, some people (myself included) hate the idea of storing mail in a database versus simple and almost impossible to screw up plain text files of maildir. Nothing forces you to switch from maildir, if you're happy with it :) But if you want to support millions of users, it's simpler to distribute the storage and disk I/O evenly across hundreds of servers using a database that was designed for it. And by databases I mean here some of those key/value-like databases, not SQL. (What's a good collective name for those dbs anyway? BASE and NoSQL are a couple names I've seen.) Cyrus already does the whole mail-in-database thing. No, Cyrus's mail database is very similar to how Dovecot works. Both have somewhat similar index files, both store one mail/file (with dbox/maildir). But Cyrus then also has some additional databases that screw up things.. signature.asc Description: This is a digitally signed message part
Re: [Dovecot] v2.0 configuration parsing
On Mon, 2009-08-10 at 13:57 -0400, Timo Sirainen wrote:
I'm trying to figure out how exactly v2.0 should be parsing
configuration files. The most annoying part is if it should always just
use whatever comes first in config or try some kind of a use most
specific rule.
I think it's possible to do both:
Use the most specific rule, but if it's also not the first rule, it's a
broken configuration and it'll fail. If there are ambiguity in
specificity, it's also an error.
(I'm also wondering about if it should be the first rule. Somehow to me
it comes more naturally that last settings always override previous
settings. If we really want to make first settings come first, then the
default settings must be at the bottom of dovecot.conf, or they'd need
some exception.)
Require the nesting to be in order:
local_ip {
remote_ip {
protocol {}
}
}
Any of the levels could be dropped out, but the ordering couldn't be
switched. Then we'll basically require that more specific blocks need to
be before less specific blocks, or the configuration reading will fail.
(Or vice versa? It somehow seems more natural to me..) The block
specificity is determined by the nesting order.
1) Simple example:
# allow plaintext auth from intranet, except from .123.1
remote_ip 192.168.123.1 {
disable_plaintext_auth = yes
}
remote_ip 192.168.0.0/16 {
disable_plaintext_auth = no
}
disable_plaintext_auth = yes
If the remote_ip blocks were switched, it would give an error.
2) More complex example:
Client connecting 192.168.0.1 - 10.1.2.3.
# this first match is used
local_ip 192.168.0.1/31 {
remote_ip 10.1.2.0/24 {
foo = foo
}
}
# ok, exact match (handle the same as duplicate settings in root,
# maybe optionally give a warning about them)
local_ip 192.168.0.1/31 {
remote_ip 10.1.2.0/24 {
foo = foo2
}
}
# error, local_ip more specific
local_ip 192.168.0.1 {
foo = xx
}
# ok, local_ip less specific, remote_ip less specific
local_ip 192.168.0.0/16 {
remote_ip 10.1.2.0/23 {
foo = bar
}
}
# error, remote_ip more or equal specific
local_ip 192.168.0.0/16 {
remote_ip 10.1.2.3 {
foo = baz1
}
remote_ip 10.1.2.0/24 {
foo = baz2
}
}
# error, protocol more specific
local_ip 192.168.0.0/16 {
protocol imap {
foo = x
}
}
signature.asc
Description: This is a digitally signed message part
Re: [Dovecot] v2.0 configuration parsing
On Mon, 2009-08-10 at 17:59 -0400, Timo Sirainen wrote: (I'm also wondering about if it should be the first rule. Somehow to me I think first rule match is best approach, as someone else pointed out, its how many things that most people here would work with daily work, be it a server daemon configuration, iptables, or Cisco routers. The only exceptions that I can think of immediately is Apache, ircu, and DNews where last (entered in order) matching rule wins. Noel
Re: [Dovecot] v2.0 configuration parsing
On Tue, 2009-08-11 at 09:20 +1000, Noel Butler wrote: On Mon, 2009-08-10 at 17:59 -0400, Timo Sirainen wrote: (I'm also wondering about if it should be the first rule. Somehow to me I think first rule match is best approach, as someone else pointed out, its how many things that most people here would work with daily work, be it a server daemon configuration, iptables, or Cisco routers. Can you give me some other examples than firewalls or routing? signature.asc Description: This is a digitally signed message part
Re: [Dovecot] v2.0 configuration parsing
On Mon, 2009-08-10 at 19:28 -0400, Timo Sirainen wrote: On Tue, 2009-08-11 at 09:20 +1000, Noel Butler wrote: On Mon, 2009-08-10 at 17:59 -0400, Timo Sirainen wrote: (I'm also wondering about if it should be the first rule. Somehow to me I think first rule match is best approach, as someone else pointed out, its how many things that most people here would work with daily work, be it a server daemon configuration, iptables, or Cisco routers. Can you give me some other examples than firewalls or routing? Postfix, (and as mentioned by another poster Exim never used it myself tho), and I think Sendmail as well, MailScanner, and I was wrong about Apache, first vhost matches (I just threw an alias into a 3 vhosts and it went to the first matching vhost) Noel
[Dovecot] QUOTA not appearing in CAPA
Hi,
ok, I've compiled it a few times, and made sure all of my settings are
correct, but the QUOTA is not appearing in the opening CAPA that comes
with the greeting.
I have it configured in the dovecot.conf like so:
protocol imap {
mail_plugins = quota imap_quota
}
and I can see when turning debugging on that the following is spit out
when starting :
Starting DovecotILoading modules from directory: /usr/local/lib/dovecot/imap
IModule loaded: /usr/local/lib/dovecot/imap/lib10_quota_plugin.so
IModule loaded: /usr/local/lib/dovecot/imap/lib11_imap_quota_plugin.so
IEffective uid=65534, gid=65534, home=/tmp
IQuota root: name= backend=maildir args=
IEffective uid=65534, gid=65534, home=/tmp
and then I see the following in the dovecot logs :
Aug 10 17:35:10 IMAP(xx...@simplenet.com): Info: Module loaded:
/usr/local/lib/dovecot/imap/lib10_quota_plugin.so
Aug 10 17:35:10 IMAP(xx...@simplenet.com): Info: Module loaded:
/usr/local/lib/dovecot/imap/lib11_imap_quota_plugin.so
when I log into the IMAP port, I get the following greeting :
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
So it seems there is no QUOTA support for the IMAP server to query for
the quota file...
can someone help me as to a direction to go here??? The reason I need it
is because I believe the web client relies on the QUOTA being in the
CAPA in order to show it...
Thanks,
Tim.
Re: [Dovecot] QUOTA not appearing in CAPA
On Mon, 2009-08-10 at 17:43 -0700, Tim Traver wrote: when I log into the IMAP port, I get the following greeting : * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready. So it seems there is no QUOTA support for the IMAP server to query for the quota file... The greeting capability lists only capabilities relevant to pre-login session. You'll get the full list with either CAPABILITY command or automatically after logging in. signature.asc Description: This is a digitally signed message part
Re: [Dovecot] QUOTA not appearing in CAPA
Timo, ok, upon further examination, I found that a later CAPABILITY command did indeed return QUOTA in its line... But I also looked in the code to find out what happens when a command is sent to get the quota like this : QUOT1 GETQUOTAROOT INBOX and I get the following back : * QUOTAROOT INBOX QUOT1 OK Getquotaroot completed. But I don't see a quota value in there anywhere. The maildirquota file is in place in the maildir, and has all of the correct permissions, unless you restrict it to have particular permissions before you read it... Thanks, Tim. Timo Sirainen wrote: On Mon, 2009-08-10 at 17:43 -0700, Tim Traver wrote: when I log into the IMAP port, I get the following greeting : * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready. So it seems there is no QUOTA support for the IMAP server to query for the quota file... The greeting capability lists only capabilities relevant to pre-login session. You'll get the full list with either CAPABILITY command or automatically after logging in.
Re: [Dovecot] QUOTA not appearing in CAPA
On Mon, 2009-08-10 at 18:01 -0700, Tim Traver wrote: and I get the following back : * QUOTAROOT INBOX QUOT1 OK Getquotaroot completed. But I don't see a quota value in there anywhere. That means you either have unlimited quota or you don't have quota configured at all. Have you set up quota and quota_rule settings? http://wiki.dovecot.org/Quota/1.1 should explain them, if it doesn't help show your dovecot -n output. signature.asc Description: This is a digitally signed message part
[Dovecot] sieve/managesieve and spam filtering
Hello all, I've got a test environment setup in preparation for a move from qmail/vpopmail/courier to postfix/padmin/dovecot. I have a number of questions that seem to span multiple pieces of software, and this is one of them... Our policy with spam filtering is that a user should be able to turn it off (ie: not put tagged spam into a spam folder, but deliver to their inbox) if they want to. Currently qmailadmin and a custom squirrelmail plugin give people the option to do this by dumping a .qmail file in their directory that calls a common maildrop script that will deliver spam to the spam folder. It looks like I can emulate this with sieve and something that can speak to Dovecot's managesieve server. Where I'm stuck is that if I want users to be able to do other custom filtering using sieve, how do I go about making sure that my common spam delivery rule does not get clobbered? This really has me a bit stumped. I see there's a global sieverc that can be included, but I need something along the lines of a per-user include that brings in the spam filtering rule that will stick until the user explicitly deletes it. Any ideas? Thanks, Charles ___ Charles Sprickman NetEng/SysAdmin Bway.net - New York's Best Internet - www.bway.net sp...@bway.net - 212.655.9344
Re: [Dovecot] v2.0 configuration parsing
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
I completely agree with Michael's opinion.
Patrick.
On 2009-08-11 02:22, Michael Orlitzky wrote:
Timo Sirainen wrote:
I'm trying to figure out how exactly v2.0 should be parsing
configuration files. The most annoying part is if it should always just
use whatever comes first in config or try some kind of a use most
specific rule. The most specific kind of makes more sense initially,
but then you start wondering how to handle e.g.:
[...]
I think the easiest scheme to keep in my brain would be to evaluate the
blocks, in order, as if they were branches in code. Fooling around with
an arbitrary order of evaluation/specificity would be a recipe for
disaster (see, for example, any CSS engine).
So, something like,
protocol imap {
remote_ip 192.168.0.0/16 {
foo = foo
}
}
would translate to,
if (protocol == imap) {
if (remote_ip matches 192.168.0.0/16) {
foo = foo
}
}
and then later,
remote_ip 192.168.0.0/24 {
foo = bar
}
would set the value of 'foo' to 'bar', since it would evaluate in a
similar fashion, and comes later in the config file.
It's easy to explain, easy to implement, and easy to debug. Ultimately,
the users are going to have to understand how it works in order to
configure Dovecot properly. Put the most general rules first, and then
override them is a practice with which most of us are already familiar.
- --
STAR Software (Shanghai) Co., Ltd. http://www.star-group.net/
Phone:+86 (21) 3462 7688 x 826 Fax: +86 (21) 3462 7779
PGP key: E883A005 https://stshacom1.star-china.net/keys/patrick_nagel.asc
Fingerprint: E09A D65E 855F B334 E5C3 5386 EF23 20FC E883 A005
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAkqA5IEACgkQ7yMg/OiDoAWaiQCgk1S6lu6JQTcg5VXzwzJxrjCG
AXcAoLD2xvbfFoMUrSW+3JrC+PA7c8Fz
=jChR
-END PGP SIGNATURE-
Re: [Dovecot] Scalability plans: Abstract out filesystem and make it someone else's problem
Timo Sirainen wrote: On Mon, 2009-08-10 at 14:33 -0700, Seth Mattinen wrote: Timo Sirainen wrote: This is something I figured out a few months ago, mainly because this one guy at work (hi, Stu) kept telling me my multi-master replication plan sucked and we should use some existing scalable database. (I guess it didn't go exactly like that, but that's the result anyway.) Ick, some people (myself included) hate the idea of storing mail in a database versus simple and almost impossible to screw up plain text files of maildir. Nothing forces you to switch from maildir, if you're happy with it :) But if you want to support millions of users, it's simpler to distribute the storage and disk I/O evenly across hundreds of servers using a database that was designed for it. And by databases I mean here some of those key/value-like databases, not SQL. (What's a good collective name for those dbs anyway? BASE and NoSQL are a couple names I've seen.) Why is a database a better choice than a clustered filesystem? It seems that you're adding a huge layer of complexity (a database) for something that's already solved (clusters). Queue directories and clusters don't mix well, but a read-heavy maildir/dbox environment shouldn't suffer the same problem. ~Seth
Re: [Dovecot] Scalability plans: Abstract out filesystem and make it someone else's problem
Seth Mattinen wrote: Ick, some people (myself included) hate the idea of storing mail in a database versus simple and almost impossible to screw up plain text files of maildir. Cyrus already does the whole mail-in-database thing. Why do you think 'maildir' isn't a database? Or to you does 'database' only mean SQL database? A database is a collection of information that is organized so that it can easily be accessed, managed, and updated. -- Curtis Maloney
Re: [Dovecot] Scalability plans: Abstract out filesystem and make it someone else's problem
Curtis Maloney wrote: Seth Mattinen wrote: Ick, some people (myself included) hate the idea of storing mail in a database versus simple and almost impossible to screw up plain text files of maildir. Cyrus already does the whole mail-in-database thing. Why do you think 'maildir' isn't a database? Or to you does 'database' only mean SQL database? Please, don't put words in my mouth. I'm not stupid. ~Seth
Re: [Dovecot] Scalability plans: Abstract out filesystem and make it someone else's problem
On Aug 11, 2009, at 12:41 AM, Seth Mattinen wrote: Nothing forces you to switch from maildir, if you're happy with it :) But if you want to support millions of users, it's simpler to distribute the storage and disk I/O evenly across hundreds of servers using a database that was designed for it. And by databases I mean here some of those key/value-like databases, not SQL. (What's a good collective name for those dbs anyway? BASE and NoSQL are a couple names I've seen.) Why is a database a better choice than a clustered filesystem? Show me a clustered filesystem that can guarantee that each file is stored in at least 3 different data centers and can scale linearly by simply adding more servers (let's say at least up to thousands). Clustered filesystems are also complex. They're much more complex than what Dovecot really requires.
Re: [Dovecot] QUOTA not appearing in CAPA
Timo Sirainen wrote: On Mon, 2009-08-10 at 18:01 -0700, Tim Traver wrote: and I get the following back : * QUOTAROOT INBOX QUOT1 OK Getquotaroot completed. But I don't see a quota value in there anywhere. That means you either have unlimited quota or you don't have quota configured at all. Have you set up quota and quota_rule settings? http://wiki.dovecot.org/Quota/1.1 should explain them, if it doesn't help show your dovecot -n output. Timo, I figured out something...The issue appeared to have been that no maildirsize file existed. Once I put the maildirsize file in there, then it sent back the quota parameters. But, isn't it supposed to create that file if it does not exist??? Or at least on delivery isn't it supposed to get created??? (I have quota plugin enabled in the lda as well) Thanks, Tim.
Re: [Dovecot] QUOTA not appearing in CAPA
On Aug 11, 2009, at 1:35 AM, Tim Traver wrote: I figured out something...The issue appeared to have been that no maildirsize file existed. Once I put the maildirsize file in there, then it sent back the quota parameters. But, isn't it supposed to create that file if it does not exist??? Or at least on delivery isn't it supposed to get created??? (I have quota plugin enabled in the lda as well) It sounds like you didn't set quota_rule.
Re: [Dovecot] QUOTA not appearing in CAPA
Timo Sirainen wrote:
On Aug 11, 2009, at 1:35 AM, Tim Traver wrote:
I figured out something...The issue appeared to have been that no
maildirsize file existed. Once I put the maildirsize file in there, then
it sent back the quota parameters.
But, isn't it supposed to create that file if it does not exist???
Or at least on delivery isn't it supposed to get created??? (I have
quota plugin enabled in the lda as well)
It sounds like you didn't set quota_rule.
Ok, that's a point of confusion then...
I send back the accounts quota value from my custom checkpasswd routine,
and want to us maildir quotas only.
So what would my quota_rule look like?
I have the following for the checkpasswd
passdb checkpassword {
# Path for checkpassword binary
args = /bin/checkpassword_dovecot_auth
}
quota = maildir
would it look like this :
quota_rule = maildir:
?
Thanks,
Tim.
