Re: [Dovecot] Quick and dirty server optimized for IMAP upload speed?
On 8/30/2009 11:34 PM, Adam McDougall wrote:
>>> The two biggest real bottlenecks:
>>> - Thunderbird is just slow at uploading to IMAP. With a bunch of small msgs it only does a few per second and you can tell the server is waiting for something to do.
>> Did you try TBird 3.0b3? It has many, many IMAP improvements...
> Wow it sure is faster at uploading, thanks for mentioning it!

Any chance you can follow up with some comparisons, even if they are rough guesstimates on your part?

Some of the other fixes include not downloading attachments every time you click on a message, allowing you to store messages offline 'on demand' (as you click on them), as opposed to forcing you to download an entire folder, controls for people with limited bandwidth and/or storage, etc...

There are some things I really don't like about the UI, and none of the extensions I need work, so I don't use it yet for anything other than occasional testing, but I'm really looking forward to the release and some maturity... It combined with dovecot will provide a really most excellent imap experience. :)

-- 
Best regards,
Charles
Re: [Dovecot] expire plugin: columns not uniq
On Mon, 24 Aug 2009 13:33:15 -0400 Timo Sirainen <t...@iki.fi> wrote:
> On Mon, 2009-08-24 at 13:27 -0400, Timo Sirainen wrote:
>>> CREATE TRIGGER mergeexpire BEFORE INSERT ON expires
>>> FOR EACH ROW BEGIN
>>>   UPDATE expires SET expire_stamp=NEW.expire_stamp
>>>     WHERE username = NEW.username AND mailbox = NEW.mailbox;
>>>   SELECT raise(ignore) WHERE (SELECT 1 FROM expires
>>>     WHERE username = NEW.username AND mailbox = NEW.mailbox) IS NOT NULL;
>>> END;
>>>
>>> This seems somewhat crude to me, but it's working.
>>
>> That looks correct to me.

Sorry for such a late response, I have just returned from vacation.

> Oh, except there's a small race condition if the first row is being added at the same time by two processes. That's why the PostgreSQL trigger is so much more complex. But it should be somewhat rare I guess.. Unless SQLite has some locks that prevent that?
>
> Anyway I was thinking that two processes run the UPDATE part of the trigger and then both try to INSERT. One of them succeeds and the other one fails. But the row gets added anyway and the timestamp is the same anyway, so it probably doesn't matter all that much, just logs an error.

As far as I know, SQLite permits only one process at a time to write database changes (INSERT, UPDATE or DELETE), and while a process is updating data the SQLite table is locked. This might be OS queue processing, because SQLite has no master process for handling such races. In my understanding, if two identical INSERTs are passed to the database (and the record already exists), the trigger's UPDATE will be run twice, but consistently. My assumptions may be faulty and SQLite experts should shed some light on this situation.

The above trigger has been working for about a week in my setup - I have checked the error log for this period - there is nothing related to database issues.
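As an added example (not code from the thread or from Dovecot), the posted trigger loaded into SQLite through Python's sqlite3 module, showing the duplicate-INSERT merge and the single-writer lock the reply describes. The `expires` table schema is an assumption, since the thread does not quote it.

```python
"""Exercise the SQLite expire-table merge trigger posted in the thread.

Added example, not code from the thread or from Dovecot.  The table schema is
an assumption (the plugin's own schema is not quoted); the trigger is the one
posted, with RAISE(IGNORE) keeping the UPDATE but abandoning the INSERT.
"""
import os
import sqlite3
import tempfile

# Assumed schema: one row per (username, mailbox).
SCHEMA = """
CREATE TABLE expires (
    username     VARCHAR(100) NOT NULL,
    mailbox      VARCHAR(255) NOT NULL,
    expire_stamp INTEGER      NOT NULL,
    PRIMARY KEY (username, mailbox)
);
"""

# The trigger from the thread: refresh the stamp of an existing row, then
# skip the INSERT when such a row exists.
TRIGGER = """
CREATE TRIGGER mergeexpire BEFORE INSERT ON expires
FOR EACH ROW BEGIN
  UPDATE expires SET expire_stamp = NEW.expire_stamp
    WHERE username = NEW.username AND mailbox = NEW.mailbox;
  SELECT RAISE(IGNORE) WHERE (SELECT 1 FROM expires
    WHERE username = NEW.username AND mailbox = NEW.mailbox) IS NOT NULL;
END;
"""


def connect(path):
    # timeout=0: fail at once with "database is locked" instead of waiting.
    # isolation_level=None: no implicit BEGIN, so the explicit lock below is
    # what decides who may write.
    return sqlite3.connect(path, timeout=0, isolation_level=None)


def create_db(path):
    conn = connect(path)
    conn.executescript(SCHEMA + TRIGGER)
    return conn


def record_expire(conn, username, mailbox, stamp):
    """What the plugin does on each mailbox change: a plain INSERT."""
    conn.execute(
        "INSERT INTO expires (username, mailbox, expire_stamp) VALUES (?, ?, ?)",
        (username, mailbox, stamp),
    )


def rows(conn):
    return conn.execute(
        "SELECT username, mailbox, expire_stamp FROM expires ORDER BY 1, 2"
    ).fetchall()


def demo_merge():
    """Repeated INSERTs for one mailbox collapse into one row, newest stamp wins."""
    with tempfile.TemporaryDirectory() as tmp:
        conn = create_db(os.path.join(tmp, "expires.sqlite"))
        record_expire(conn, "alice", "INBOX", 100)
        record_expire(conn, "alice", "INBOX", 200)   # merged, not duplicated
        record_expire(conn, "alice", "Trash", 300)
        result = rows(conn)
        conn.close()
        return result


def demo_writer_lock():
    """Two writers at once: SQLite serialises them with its writer lock, so
    the second INSERT (and the trigger's UPDATE inside it) fails immediately
    instead of racing; retried after the first commits, it merges."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "expires.sqlite")
        a = create_db(path)
        b = connect(path)
        a.execute("BEGIN IMMEDIATE")             # take the RESERVED (writer) lock
        record_expire(a, "bob", "INBOX", 1)
        try:
            record_expire(b, "bob", "INBOX", 2)  # concurrent second writer
            second_writer = "succeeded"
        except sqlite3.OperationalError as exc:
            second_writer = str(exc)             # "database is locked"
        a.execute("COMMIT")
        record_expire(b, "bob", "INBOX", 2)      # retry after commit: merged
        result = rows(b)
        a.close()
        b.close()
        return second_writer, result


if __name__ == "__main__":
    print(demo_merge())
    print(demo_writer_lock())
```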
[Dovecot] Dovecot Errors in Logs
Different Error today:

Aug 31 08:01:05 IMAP(user-folder): Panic: pool_data_stack_realloc(): stack frame changed
Aug 31 08:01:05 IMAP(user-folder): Error: Raw backtrace: imap [0x49d0c8] -> imap [0x49db63] -> imap [0x49d386] -> imap [0x4a79bb] -> imap [0x49b3f5] -> imap(buffer_write+0x72) [0x49b732] -> imap(buffer_append_c+0x18) [0x49b848] -> imap(mail_namespace_get_vname+0x4b) [0x46374b] -> imap(mailbox_list_subscriptions_fill+0xf9) [0x42d559] -> imap(maildir_list_iter_init+0x592) [0x42d202] -> imap [0x41c953] -> imap(cmd_list_full+0x261) [0x41cd01] -> imap(cmd_lsub+0xe) [0x41d27e] -> imap [0x4203f3] -> imap [0x4203b8] -> imap(client_handle_input+0x161) [0x420681] -> imap(client_input+0x5f) [0x420f2f] -> imap(io_loop_handler_run+0x109) [0x4a5949] -> imap(io_loop_run+0x28) [0x4a4c98] -> imap(main+0x712) [0x428b32] -> /lib64/tls/libc.so.6(__libc_start_main+0xdb) [0x3170c1c40b] -> imap [0x41940a]

It seems to only happen to this one user. I cannot see anything odd about this user's folder.

Dave
Re: [Dovecot] Quotas ignored on INBOX only
I think this is a bug in the 1.1.11 version bundled with ubuntu 9.0.4. I have switched back to an older version and quotas are now working fine.

Thanks.
[Dovecot] v2.0 configuration paths
In Dovecot v2.0 I'm splitting dovecot-example.conf to multiple files. It's probably annoying to have tons of dovecot-*-example.conf files, so what do you think about:

1. Change default sysconfdir from $prefix/etc to $prefix/etc/dovecot (that's what most distros do anyway)

2. Install *.conf files to $sysconfdir/example/ without the -example part in any of the config files. So new installations would then start with mv example/* .
Re: [Dovecot] v2.0 configuration paths
On 31/08/09 12:03, Timo Sirainen wrote:
> In Dovecot v2.0 I'm splitting dovecot-example.conf to multiple files. It's probably annoying to have tons of dovecot-*-example.conf files, so what do you think about:
>
> 1. Change default sysconfdir from $prefix/etc to $prefix/etc/dovecot (that's what most distros do anyway)
>
> 2. Install *.conf files to $sysconfdir/example/ without the -example part in any of the config files. So new installations would then start with mv example/* .

Greetings

* I would like to see a config dir like /etc/dovecot.d, and, inside it something like:

network.example
namespaces.example
logging.example
protocols.example
security.example
plugins.example

But if I got to choose only from the two that you listed, I'll go for option 2.

Kind Regards.

-- 
Julio C. Ortega
Infrastructure Team
ONUVA | Systems Integration
Re: [Dovecot] v2.0 configuration paths
Julio C. Ortega said the following on 31/08/09 19:01:
> But if I got to choose only from the two that you listed, I'll go for option 2.

IMHO the best solution is the Apache way: you can have either a monolithic httpd.conf file, or you can #include a single file, or you can #include a wildcard such as myconf/*.conf

Ciao,
luigi

-- 
/ +--[Luigi Rosa]-- \ Go directly to jail. Do not pass Go, do not collect $200.
[Dovecot] dovecot-auth segfault with vpopmail 5.5.0 on amd64
Seeing dovecot-auth segfault on amd64, dovecot is 1.2.4, pertinent details below:

ldd /usr/local/libexec/dovecot/dovecot-auth
        linux-vdso.so.1 =>  (0x7fffef1fe000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x7fe8e6bae000)
        libvpopmail.so => /usr/lib/libvpopmail.so (0x7fe8e6986000)
        libdl.so.2 => /lib/libdl.so.2 (0x7fe8e6782000)
        librt.so.1 => /lib/librt.so.1 (0x7fe8e657a000)
        libc.so.6 => /lib/libc.so.6 (0x7fe8e6229000)
        /lib64/ld-linux-x86-64.so.2 (0x7fe8e6de6000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x7fe8e600e000)

dovecot -n
# 1.2.4: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.26-1-amd64 x86_64 Debian squeeze/sid
base_dir: /var/run/dovecot
log_path: /var/log/dovecot.log
listen: 127.0.0.1:143
ssl_listen: *:993
ssl_cert_file: /var/qmail/control/servercert.pem
ssl_key_file: /var/qmail/control/clientcert.pem
disable_plaintext_auth: no
login_dir: /var/run/dovecot/login
login_executable: /usr/local/libexec/dovecot/imap-login
login_greeting: Computer Solutions IMAP Server
login_max_connections: 4096
mail_max_userip_connections: 50
first_valid_uid: 89
first_valid_gid: 89
mail_debug: yes
mail_drop_priv_before_exec: yes
mail_plugins: quota imap_quota
imap_client_workarounds: outlook-idle
namespace:
  type: private
  prefix: INBOX.
  inbox: yes
  list: yes
  subscriptions: yes
auth default:
  user: vpopmail
  passdb:
    driver: vpopmail
  userdb:
    driver: vpopmail
plugin:
  quota: maildir

this is the strace

16:59:30.529067 epoll_wait(7, {}, 7, 1788) = 0
16:59:32.317110 epoll_wait(7, {{EPOLLIN, {u32=17196288, u64=17196288}}}, 7, 5000) = 1
16:59:34.777612 read(8, "AUTH\t1\tPLAIN\tservice=imap\tsecured"..., 4074) = 134
16:59:34.50 --- SIGSEGV (Segmentation fault) @ 0 (0) ---

and from a core dump

gdb /usr/local/libexec/dovecot/dovecot-auth ./core
GNU gdb (GDB) 6.8.50.20090628-cvs-debian
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
warning: Can't read pathname for load map: Input/output error.
Reading symbols from /lib/libcrypt.so.1...done.
Loaded symbols for /lib/libcrypt.so.1
Reading symbols from /usr/lib/libvpopmail.so...done.
Loaded symbols for /usr/lib/libvpopmail.so
Reading symbols from /lib/libdl.so.2...done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /lib/librt.so.1...done.
Loaded symbols for /lib/librt.so.1
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib64/ld-linux-x86-64.so.2...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
Reading symbols from /lib/libpthread.so.0...done.
Loaded symbols for /lib/libpthread.so.0
Reading symbols from /lib/libnss_compat.so.2...done.
Loaded symbols for /lib/libnss_compat.so.2
Reading symbols from /lib/libnsl.so.1...done.
Loaded symbols for /lib/libnsl.so.1
Reading symbols from /lib/libnss_nis.so.2...done.
Loaded symbols for /lib/libnss_nis.so.2
Reading symbols from /lib/libnss_files.so.2...done.
Loaded symbols for /lib/libnss_files.so.2
Core was generated by `dovecot-auth'.
Program terminated with signal 11, Segmentation fault.
#0  0x in ?? ()
(gdb) bt full
#0  0x in ?? ()
No symbol table info available.
#1  0x0041eb2d in vpopmail_lookup_vqp (request=0x1ae6548, vpop_user=0x7fff7a044830 "lawrence", vpop_domain=0x7fff7a0447d0 "shanghaiguide.com") at userdb-vpopmail.c:43
        vpw = <value optimized out>
#2  0x0041c9c6 in vpopmail_password_lookup (auth_request=0x7fff7a044830, cleartext=false, result_r=0x7fff7a0448d4) at passdb-vpopmail.c:65
        vpop_user = "lawrence", '\0' <repeats 72 times>
        vpop_domain = "shanghaiguide.com", '\0' <repeats 63 times>
        vpw = <value optimized out>
        password = <value optimized out>
#3  0x0041cc0d in vpopmail_verify_plain (request=0x7fff7a044830, password=0x1ad1278 "123", callback=0x412390 <auth_request_verify_plain_callback>) at passdb-vpopmail.c:119
        result = <value optimized out>
        scheme = <value optimized out>
        tmp_pass = <value optimized out>
        crypted_pass = <value optimized out>
        ret = <value optimized out>
#4  0x0041221d in auth_request_verify_plain (request=0x1ae6548, password=0x1ad1278 "123", callback=0x41ab00 <plain_verify_callback>) at auth-request.c:507
        passdb = 0x1ad9a10
        result = <value optimized out>
        cache_key = <value optimized out>
        __PRETTY_FUNCTION__ = "auth_request_verify_plain"
#5  0x0041726e in mech_plain_auth_continue (request=0x1ae6548, data=0x1ad1250 "", data_size=<value optimized out>) at mech-plain.c:58
        authid = 0x1ad1250
Re: [Dovecot] v2.0 configuration paths
On Mon, Aug 31, 2009 at 01:28:50PM -0400, Timo Sirainen wrote:
> # main config, basically says !include conf.d/*.conf
> /etc/dovecot/dovecot.conf
>
> # the actual configs
> /etc/dovecot/conf.d/*.conf

Why in another subdir? Why not everything in /etc/dovecot?

Also, conf.d sounds so Linuxy. :-)

Geert

-- 
Geert Hendrickx -=- g...@telenet.be -=- PGP: 0xC4BB9E9F
This e-mail was composed using 100% recycled spam messages!
Re: [Dovecot] v2.0 configuration paths
On Mon, 2009-08-31 at 19:51 +0200, Geert Hendrickx wrote:
> On Mon, Aug 31, 2009 at 01:28:50PM -0400, Timo Sirainen wrote:
>> # main config, basically says !include conf.d/*.conf
>> /etc/dovecot/dovecot.conf
>>
>> # the actual configs
>> /etc/dovecot/conf.d/*.conf
>
> Why in another subdir? Why not everything in /etc/dovecot?

Because of the part you dropped out of your quote. :) Some of the .conf files can't be included. For example there's:

auth default {
  ..
  passdb sql {
    args = dovecot-sql.conf
  }
}

Perhaps some day that could become:

auth default {
  ..
  passdb sql {
    !include dovecot-sql.conf
  }
}

In either case, if dovecot-sql.conf gets !included in the root level it'll generate errors about unknown settings.
Re: [Dovecot] v2.0 configuration paths
On Mon, 2009-08-31 at 14:17 -0300, Eduardo M KALINOWSKI wrote:
>> 2. Install *.conf files to $sysconfdir/example/ without the -example part in any of the config files. So new installations would then start with mv example/* .
>
> However, I don't think anywhere under /etc is the best place for example configuration files. I think they belong rather under /usr/share, though is no big deal if they are elsewhere.

Yeah, maybe that's better. $datarootdir/dovecot/example-config/ and if dovecot.conf isn't found when starting up mention the path to the example dir.
Re: [Dovecot] Outlook 2007 w/SPA, Active Directory (was NTLM failures with an interesting twist)
On Sun, 2009-08-30 at 14:29 -0600, Jason Gunthorpe wrote:
> The kerberos setup is pretty easy.. 'net ads join' your server, go into the adsi editor and provide a imap and smtp SPN for the host, use 'net ads keytab' to put the imap and smtp SPNs in the system keytab, and then you are good to go. I test it with mutt first as the error messages are somewhat better.

Ouch, can you go a little more slowly, please? I think I've joined the domain OK:

ccimap:~# net ads testjoin
Join is OK
ccimap:~# net ads info
LDAP server: 10.6.1.245
LDAP server name: orwell.ad.laterooms.com
[...]

But I have no idea how / where you add a service principal with ADSIEdit - can you point me in the right direction? Kerberos is still mainly a mystery to me (and I'm sure many others!)

gdh
[Dovecot] Active IMAP sessions per server?
Hi,

I'm curious about some of the larger dovecot installs out there and what your current active user load looks like per server. Realistically, how many active IMAP sessions are some of you maintaining? At what point did you find the load became unmanageable? I know there's a lot of different factors involved in this, but I'm just looking to get a rough idea of what I can expect to be able to handle with dovecot.

Any help is appreciated.

Regards,
Brent
Re: [Dovecot] v2.0 configuration paths
On Mon, 2009-08-31 at 12:31 -0430, Julio C. Ortega wrote:
> I would like to see a config dir like /etc/dovecot.d, and, inside it something like:
>
> network.example
> namespaces.example
> logging.example
> protocols.example
> security.example
> plugins.example

Hmm. I kind of like it, except several config files are context-specific and can't be included with simple !include *.conf. Hmm. They're probably going to be confusing in any case.. Maybe something like:

# main config, basically says !include conf.d/*.conf
/etc/dovecot/dovecot.conf

# the actual configs
/etc/dovecot/conf.d/*.conf

# context-specific configs that get referenced in the .conf files
/etc/dovecot/dovecot-sql.conf
/etc/dovecot/dovecot-ldap.conf
/etc/dovecot/dovecot-db.conf
/etc/dovecot/dovecot-dict-sql.conf

> But if I got to choose only from the two that you listed, I'll go for option 2.

Actually they weren't options. Just two steps. :)
Re: [Dovecot] v2.0 configuration paths
On Mon, 31 Aug 2009, Timo Sirainen wrote:
> In Dovecot v2.0 I'm splitting dovecot-example.conf to multiple files. It's probably annoying to have tons of dovecot-*-example.conf files, so what do you think about:
>
> 1. Change default sysconfdir from $prefix/etc to $prefix/etc/dovecot (that's what most distros do anyway)

That's a good change.

> 2. Install *.conf files to $sysconfdir/example/ without the -example part in any of the config files. So new installations would then start with mv example/* .

However, I don't think anywhere under /etc is the best place for example configuration files. I think they belong rather under /usr/share, though it is no big deal if they are elsewhere.

-- 
Eduardo M KALINOWSKI
edua...@kalinowski.com.br
Re: [Dovecot] v2.0 configuration paths
On Mon, 2009-08-31 at 13:31 -0400, Timo Sirainen wrote:
> Yeah, maybe that's better. $datarootdir/dovecot/example-config/

No, $docdir/example-config/ of course, e.g. /usr/share/doc/dovecot/example-config/
[Dovecot] Smartsieve patch on Dovecot wiki?
Re: [Dovecot] v2.0 configuration paths
Hello, Dovecot.

You wrote on 31 August 2009, 20:33:57:
> 1. Change default sysconfdir from $prefix/etc to $prefix/etc/dovecot (that's what most distros do anyway)
Yes!
> 2. Install *.conf files to $sysconfdir/example/ without the -example part in any of the config files.
And yes!

-- 
// Black Lion AKA Lev Serebryakov <l...@serebryakov.spb.ru>
Re: [Dovecot] Outlook 2007 w/SPA, Active Directory (was NTLM failures with an interesting twist)
On Mon, Aug 31, 2009 at 07:23:22PM +0100, Gavin Hamill wrote:
> On Sun, 2009-08-30 at 14:29 -0600, Jason Gunthorpe wrote:
>> The kerberos setup is pretty easy.. 'net ads join' your server, go into the adsi editor and provide a imap and smtp SPN for the host, use 'net ads keytab' to put the imap and smtp SPNs in the system keytab, and then you are good to go. I test it with mutt first as the error messages are somewhat better.
>
> Ouch, can you go a little more slowly, please? I think I've joined the domain OK:

Sure..

> ccimap:~# net ads testjoin
> Join is OK
> ccimap:~# net ads info
> LDAP server: 10.6.1.245
> LDAP server name: orwell.ad.laterooms.com
> [...]

Yah, that's good. You also want kerberos and LDAP to work easily on your server machine:

# kinit 'your AD user'
# klist
# ldapsearch uid='your AD user'
SASL/GSSAPI authentication started
[..]

For ldap stick the information from 'net ads info' in /etc/ldap/ldap.conf:

URI ldap://orwell.ad.laterooms.com
BASE dc=

kinit should work if you got this far with samba, but if you have troubles ensure that /etc/krb5.conf has at least:

[libdefaults]
        default_realm = AD.LATEROOMS.COM   # guessing
        dns_lookup_realm = true
        dns_lookup_kdc = true

Once the above two are working your basic stuff is OK. (You can skip the ldap, but I find it is helpful)

Also verify that 'hostname -f' returns what you want. Very important.

> But I have no idea how / where you add a service principal with ADSIEdit - can you point me in the right direction? Kerberos is still mainly a mystery to me (and I'm sure many others!)

Hmm. So upon reviewing this, it seems samba has changed, in some ways it is better, others worse.. Hmm. (I'm using 3.3.2)

Just do this:

ccimap:~# net ads keytab add imap

Then:

ccimap:~# klist -k

And verify you have imap/ entries

Then verify kerberos is working with:

ccimap:~# kvno imap/ccimap.ad.laterooms.com
imap/ccimap.ad.laterooms@ad.laterooms.com: kvno = 2
ccimap:~# ldapsearch CN=ccimap servicePrincipalName
SASL/GSSAPI authentication started
[..]
servicePrincipalName: imap/ccimap.ad.laterooms.com

Unfortunately 'net ads keytab add' can only add SPNs without a hostname qualifier, so you cannot add another alias. This is bad if you have multiple names for your host. I can't think of an easy way to make that work with the new samba behavior. I'd probably patch samba to fix that..

Since samba now does the adsiedit part on its own you probably don't need to worry about it, but here is a posting explaining it:

http://www.adopenstatic.com/cs/blogs/ken/archive/2006/11/19/606.aspx

Please note that Windows and Linux use different methods to resolve the SPN. If your reverse IP and SSL hostname are different you'll need extra help to make this work, as samba cannot do it by itself!! Easiest plan is to Not Do That.

That should do the trick for both native GSSAPI and for winbind GSSAPI. The key part is that the kvno works.

Make sure dovecot is set up with the:

auth_gssapi_hostname = $ALL

option, and turn on the 'gssapi' mechanism.

Those steps should give you working kerberos and gssapi in dovecot. I like to start simple and test with mutt. 'kinit' a ticket for that user, set up mutt, and then give it a try. Then try thunderbird on linux then thunderbird on windows.

The .muttrc config is simple:

set spoolfile=imap://u...@ccimap.ad.laterooms.com/INBOX
set folder=imap://u...@ccimap.ad.laterooms.com/

And 'kinit user' beforehand.

Use winbind to process ntlm messages. Set up winbind in smb.conf and test the authentication function:

wbinfo -D AD.LATEROOMS.COM
wbinfo -K user%pass
wbinfo -a user%pass

Then turn it on in dovecot

I run plain password authentication for dovecot through pam. Right now I use pam_krb5.so, but pam_winbind.so is a better choice with a modern samba.

exim piggybacks off dovecot-auth:

dovecot_ntlm:
  driver = dovecot
  public_name = NTLM
  server_socket = /var/run/dovecot/auth-client
  server_set_id = NTLM-${quote:$auth1}

dovecot_gssapi:
  driver = dovecot
  public_name = GSSAPI
  server_socket = /var/run/dovecot/auth-client
  server_set_id = GSSAPI-${quote:$auth1}

dovecot_gssapi_spnego:
  driver = dovecot
  public_name = GSS-SPNEGO
  server_socket = /var/run/dovecot/auth-client
  server_set_id = GSS-SPNEGO-${quote:$auth1}

I also drive all the Linux directory services through winbind and the rfc2307 LDAP scheme AD supports, so all my Linux users get kerberos tickets on logon, and SSO for everything. Windows is the same.

Jason
Re: [Dovecot] v2.0 configuration paths
How about this:

http://dovecot.org/tmp/example-config/

or the same in:

http://dovecot.org/tmp/example-config.tar.gz

- master.conf needs more comments
- mail.conf is kind of bloated, wonder if I could do something about it
Re: [Dovecot] Active IMAP sessions per server?
On Mon, Aug 31, 2009 at 11:29 AM, Brent Bloxam <bre...@beanfield.com> wrote:
> Hi,
>
> I'm curious about some of the larger dovecot installs out there and what your current active user load looks like per server. Realistically, how many active IMAP sessions are some of you maintaining? At what point did you find the load became unmanageable? I know there's a lot of different factors involved in this, but I'm just looking to get a rough idea of what I can expect to be able to handle with dovecot.
>
> Any help is appreciated
>
> Regards,
> Brent

We see anywhere from 70-200 active IMAP sessions open at any given time it would seem. That's for a server with roughly 5000 mailboxes. All in all, they use little to no system resources because most of them are simply sitting there idle. Although, most customers use POP3 not IMAP because it's most mail clients' default option. It's the POP3/leave messages on server people that seem to cause us problems.

- N
Re: [Dovecot] v2.0 configuration paths
On Mon, 2009-08-31 at 12:33 -0400, Timo Sirainen wrote:
> In Dovecot v2.0 I'm splitting dovecot-example.conf to multiple files. It's probably annoying to have tons of dovecot-*-example.conf files, so what do you think about:
>
> 1. Change default sysconfdir from $prefix/etc to $prefix/etc/dovecot (that's what most distros do anyway)

Good idea.

> 2. Install *.conf files to $sysconfdir/example/ without the -example part in any of the config files.

Not so sure about that one, well yes into example/, but I'd still keep the word example in the filename, because no matter how well warned, there will always be those who blindly cp blah.conf ../ destroying any pre-existing files

Cheers
[Dovecot] Dovecot POP question
Quick question,

Have dovecot 1.1.16. Does Dovecot's POP handle sub folders?

-- 
C. J. Keist                     Email: cj.ke...@colostate.edu
UNIX/Network Manager            Phone: 970-491-0630
Engineering Network Services    Fax:   970-491-5569
College of Engineering, CSU
Ft. Collins, CO 80523-1301

All I want is a chance to prove 'Money can't buy happiness'
Re: [Dovecot] Dovecot POP question
On Mon, 2009-08-31 at 15:00 -0600, CJ Keist wrote:
> Quick question,
>
> Have dovecot 1.1.16. Does Dovecot's POP handle sub folders?

No, but for v1.2 see http://wiki.dovecot.org/Plugins/Virtual#Virtual_POP3_INBOX
Re: [Dovecot] Outlook 2007 w/SPA, Active Directory (was NTLM failures with an interesting twist)
On Mon, 2009-08-31 at 13:24 -0600, Jason Gunthorpe wrote:
>> Ouch, can you go a little more slowly, please? I think I've joined the domain OK:
>
> Sure..

Many thanks for taking the time on this - it is appreciated.

> Also verify that 'hostname -f' returns what you want. Very important.

Yep, 'ccimap.ad.laterooms.com' - forward + reverse DNS are correct in AD

> Just do this:
>
> ccimap:~# net ads keytab add imap
>
> Then:
>
> ccimap:~# klist -k
>
> And verify you have imap/ entries
>
> Then verify kerberos is working with:
>
> ccimap:~# kvno imap/ccimap.ad.laterooms.com
> imap/ccimap.ad.laterooms@ad.laterooms.com: kvno = 2

I get

ccimap:/etc# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   7 imap/ccimap.ad.laterooms@ad.laterooms.com
   7 imap/ccimap.ad.laterooms@ad.laterooms.com
   7 imap/ccimap.ad.laterooms@ad.laterooms.com
   7 imap/cci...@ad.laterooms.com
   7 imap/cci...@ad.laterooms.com
   7 imap/cci...@ad.laterooms.com
ccimap:/etc# kvno imap/ccimap.ad.laterooms.com
kvno: Server not found in Kerberos database while getting credentials for imap/ccimap.ad.laterooms@ad.laterooms.com

However, before I received your message I had been following the 'old-school' ktpass.exe method and I think I have poisoned the 'imap' name as a result:

http://nfsworld.blogspot.com/2005/06/using-active-directory-as-your-kdc-for.html

Is 'imap' a magic hardcoded name that Thunderbird will use? If so, should creating 'pop3' using 'net ads keytab add' also do the business? I'd rather try that and get a basic working auth than try to unpick my AD problems just yet.

I ask because if I do a random name 'net ads keytab add purmle' and then 'kvno purmle/ccimap.ad.laterooms.com' then I get sensible output:

purmle/ccimap.ad.laterooms@ad.laterooms.com: kvno = 7

I just don't want to type anything else in case I poison 'pop3' too :)

Cheers,
Gavin
Re: [Dovecot] Outlook 2007 w/SPA, Active Directory (was NTLM failures with an interesting twist)
On Mon, Aug 31, 2009 at 10:21:47PM +0100, Gavin Hamill wrote:
> On Mon, 2009-08-31 at 13:24 -0600, Jason Gunthorpe wrote:
>>> Ouch, can you go a little more slowly, please? I think I've joined the domain OK:
>>
>> Sure..
>
> Many thanks for taking the time on this - it is appreciated.

NP, if you have success consider making a HOWTO for the dovcot wikki :)

>> Also verify that 'hostname -f' returns what you want. Very important.
>
> Yep, 'ccimap.ad.laterooms.com' - forward + reverse DNS are correct in AD

Good

>> ccimap:~# net ads keytab add imap
>>
>> Then:
>>
>> ccimap:~# klist -k
>>
>> And verify you have imap/ entries
>>
>> Then verify kerberos is working with:
>>
>> ccimap:~# kvno imap/ccimap.ad.laterooms.com
>> imap/ccimap.ad.laterooms@ad.laterooms.com: kvno = 2
>
> I get
>
> ccimap:/etc# klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
>    7 imap/ccimap.ad.laterooms@ad.laterooms.com
>    7 imap/ccimap.ad.laterooms@ad.laterooms.com
>    7 imap/ccimap.ad.laterooms@ad.laterooms.com
>    7 imap/cci...@ad.laterooms.com
>    7 imap/cci...@ad.laterooms.com
>    7 imap/cci...@ad.laterooms.com

Ok.. this is not too good, you should have many other entries too, several starting with host/ and CCIMAP$. What version of samba is this? Does 'net ads keytab create' fix it up?

Check that you have

use kerberos keytab = true

In smb.conf

> ccimap:/etc# kvno imap/ccimap.ad.laterooms.com
> kvno: Server not found in Kerberos database while getting credentials for imap/ccimap.ad.laterooms@ad.laterooms.com

This is fatal. If ldapsearch indicates that SPN exists then you are probably right that something has become damaged in AD. Otherwise you are just having wacky samba problems.

> However, before I received your message I had been following the 'old-school' ktpass.exe method and I think I have poisoned the 'imap' name as a result:

Possibly, it would be good to start again. Go into AD, and delete the ccimap computer account, then re-do 'net ads join'. That should clean everything out. The ktpass.exe method has so many problems, don't use it. Samba can generate all the keys directly itself now, there is no need for ktpass.

> Is 'imap' a magic hardcoded name that Thunderbird will use? If so, should creating 'pop3' using 'net ads keytab add' also do the business? I'd rather try that and get a basic working auth than try to unpick my AD problems just yet.

The SPN service name is hardwired based on the protocol, imap, smtp and something for pop. I'm not sure what. :)

> I ask because if I do a random name 'net ads keytab add purmle' and then 'kvno purmle/ccimap.ad.laterooms.com' then I get sensible output:
>
> purmle/ccimap.ad.laterooms@ad.laterooms.com: kvno = 7

Hmm. You do need the '-U Administrator' or similarly privileged account for the keytab add. Otherwise I noticed that samba silently fails to update LDAP when it gets permission denied from ADS. The true test that it worked is the ldapsearch command I gave, or adsi edit.

Jason
Re: [Dovecot] v2.0 configuration paths
Hi Timo,

> http://dovecot.org/tmp/example-config/
> [..]
> - master.conf needs more comments
> - mail.conf is kind of bloated, wonder if I could do something about it

Great. It's really nice like that.

You might use numbers as prefixes if you want to keep a kind of priority, for dovecot or, more usually, for the user, to give him a sense of what's important and what's less important (high number). It's the Debian Amavis way.

conf.d/
  10-mail.conf
  20-auth.conf
  31-pop3.conf
  32-imap.conf
  50-master.conf
  60-ssl.conf
  85-plugins.conf
  99-user-params.conf

Anyway, what you have done is perfect. That's a big step for clarity. mail.conf is not bloated, comments are needed so ...

Cheers,
Thomas.
Re: [Dovecot] Outlook 2007 w/SPA, Active Directory (was NTLM failures with an interesting twist)
On Mon, 2009-08-31 at 15:35 -0600, Jason Gunthorpe wrote:
> NP, if you have success consider making a HOWTO for the dovcot wikki :)

For sure.

> Ok.. this is not too good, you should have many other entries too, several starting with host/ and CCIMAP$.

The suggestion to remove the computer object (and the 'imapCcimap' user I bound the SPN to using ktpass) and 'net ads join' worked like a charm - I have lots more output in 'net ads keytab list' and kvno imap/ccimap.ad.laterooms.com works now.

> Check that you have
>
> use kerberos keytab = true

Yep, it's there.

> Possibly, it would be good to start again. Go into AD, and delete the ccimap computer account, then re-do 'net ads join'. That should clean everything out.

Bingo :) Freakin' awesome.. the damn thing actually works!

Aug 31 23:13:02 ccimap dovecot: auth(default): client in: AUTH#0111#011GSSAPI#011service=imap#011lip=10.6.1.82#011rip=10.6.1.81#011lport=143#011rport=2807
Aug 31 23:13:02 ccimap dovecot: auth(default): gssapi(?,10.6.1.81): Obtaining credentials for i...@ccimap.ad.laterooms.com
Aug 31 23:13:02 ccimap dovecot: auth(default): client out: CONT#0111#011
Aug 31 23:13:02 ccimap dovecot: auth(default): client in: CONT#0111#011YIIExAYJKoZIhv (tons of stuff..)
Aug 31 23:13:02 ccimap dovecot: auth(default): gssapi(?,10.6.1.81): security context state completed.
Aug 31 23:13:02 ccimap dovecot: auth(default): client out: CONT#0111#011YIGCBgkqhkiG9xIBAgICAG9zMHGgAwIBBaEDAgEPomUwY6ADAgEXolwEWhtquLoCp5Nm03quJPTFS+yuNrBo3PWH+dP4RZPcsYxMDJHklCAQ84LGmQWUftFgKiryc9ZK0mZI07tNVyE4Oath4fCg2dxu+RPZvpbqIr7BIteHeg2MGPeHMg==
Aug 31 23:13:02 ccimap dovecot: auth(default): client in: CONT#0111#011
Aug 31 23:13:02 ccimap dovecot: auth(default): gssapi(?,10.6.1.81): Negotiated security layer
Aug 31 23:13:02 ccimap dovecot: auth(default): client out: CONT#0111#011YDAGCSqGSIb3EgECAgIBEQD/nXVwtOl9PTyrmeUqTZZLq61UowgQVqMIAf///wE=
Aug 31 23:13:02 ccimap dovecot: auth(default): client in: CONT#0111#011YDYGCSqGSIb3EgECAgIBEQD/4AbCCa3SFaSVtGEbd6teOPapNaUhDQFFAQAAAG1qaWdncwE=
Aug 31 23:13:02 ccimap dovecot: auth(default): client out: OK#0111#011user=mjiggs
Aug 31 23:13:02 ccimap dovecot: auth(default): master in: REQUEST#0111#0115968#0111
Aug 31 23:13:02 ccimap dovecot: auth(default): passwd(mjiggs,10.6.1.81): lookup
Aug 31 23:13:02 ccimap dovecot: auth(default): master out: USER#0111#011mjiggs#011system_user=mjiggs#011uid=10416#011gid=1#011home=/home/AD/mjiggs
Aug 31 23:13:02 ccimap dovecot: imap-login: Login: user=mjiggs, method=GSSAPI, rip=10.6.1.81, lip=10.6.1.82

The 'auth_gssapi_hostname = $ALL' was confusing so I commented that out and let it do a gethostname() instead - now it works :)

Thank you! :D

Cheers
Gavin.
Re: [Dovecot] Outlook 2007 w/SPA, Active Directory (was NTLM failures with an interesting twist)
On Mon, Aug 31, 2009 at 11:20:18PM +0100, Gavin Hamill wrote:
>> Ok.. this is not too good, you should have many other entries too, several starting with host/ and CCIMAP$.
>
> The suggestion to remove the computer object (and the 'imapCcimap' user I bound the SPN to using ktpass) and 'net ads join' worked like a charm - I have lots more output in 'net ads keytab list' and kvno imap/ccimap.ad.laterooms.com works now.

Snazzy

> Aug 31 23:13:02 ccimap dovecot: imap-login: Login: user=mjiggs, method=GSSAPI, rip=10.6.1.81, lip=10.6.1.82

Yap, that is it

> The 'auth_gssapi_hostname = $ALL' was confusing so I commented that out and let it do a gethostname() instead - now it works :)

I thought Timo included this patch?? You need the $ALL for various cases, including, I think, exim.. All it says is match any entry in the keytab, not just imap/gethostbyname()@REALM.

If you have AD and Linux servers it is worth kerberizing everything (ssh, logins, imap, pop, smtp, apache, etc); the method you just used is basically how to do it for anything. Ie you can now turn on ssh kerberos via its config file, and with kerberized putty on windows you get SSO ssh logins, etc.

Jason