Re: [Dovecot] dovecot imap permission denied
Thanks a lot Timo,

Creating directories for new users is not an issue. It's the permission that gives me a headache. I tried the following:

sudo chmod o-r /home/$USER
sudo chmod g+rw /home/$USER

It did not work until I did chmod 777 /home. Is it safe to make the home directory with permission 777?

Thanks

From: Timo Sirainen t...@iki.fi
To: Daminto Lie dli...@yahoo.com.au
Cc: dovecot@dovecot.org
Sent: Wednesday, 31 August 2011 3:02 PM
Subject: Re: [Dovecot] dovecot imap permission denied

On Tue, 2011-08-30 at 21:09 -0700, Daminto Lie wrote:
> Aug 31 13:50:57 server1 dovecot: IMAP(mike_lee): mkdir(/home/mike_lee/Maildir/.INBOX.Sent/cur) failed: Permission denied (euid=1004 egid=1003(companyusergroup) missing +w perm: /home)
>
> What I have tried to do is changing the permission for /home by typing sudo chmod 755 /home and this does not work. What does it mean by missing +w perm: /home? And how do I get around it?

It means that Dovecot tries to deliver mails to mike_lee's Maildir, but the /home/mike_lee/ directory itself doesn't exist, so Dovecot tries to create it, but it fails because the process doesn't have write permissions to /home. The best way to fix this would be to simply create the user home dirs with proper permissions before Dovecot ever tries to deliver mails to the user.
Re: [Dovecot] dovecot imap permission denied
On 31.8.2011, at 9.47, Daminto Lie wrote:
> Thanks a lot Timo,
>
> Creating directories for new users is not an issue. It's the permission that gives me a headache.

The error message you showed said that the user's home directory didn't exist, and the permission problem came only because it didn't exist and Dovecot tried to create it.

> I tried the following:
>
> sudo chmod o-r /home/$USER
> sudo chmod g+rw /home/$USER
>
> It did not work until I did chmod 777 /home.

Right, because only then did it have enough permissions to create the home dir.

> Is it safe to make the home directory with permission 777?

No.
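An added illustration of the two fixes discussed in this thread (this is example code, not from the list or from Dovecot): an audit that reports a missing home directory and a world-writable parent such as the chmod 777 /home workaround, and the pre-creation of the home and Maildir skeleton with 0700 that Timo recommends instead. The paths, uid and gid in the demo are constructed in a temporary directory.

```python
import os
import stat
import tempfile


def audit_home_dir(home: str, uid: int, gid: int) -> list:
    """Return a list of findings (empty when the layout is sound) for one user's home.

    The checks mirror the failure in the thread: the delivery process runs with
    the user's euid/egid and needs the home to exist and be writable by that
    user; making the parent world-writable only papers over a missing home.
    """
    findings = []
    parent = os.path.dirname(home.rstrip("/"))
    try:
        pst = os.stat(parent)
    except FileNotFoundError:
        return [f"parent {parent} does not exist"]
    if pst.st_mode & stat.S_IWOTH and not pst.st_mode & stat.S_ISVTX:
        findings.append(f"parent {parent} is world-writable without the sticky bit (chmod 777?)")
    try:
        hst = os.stat(home)
    except FileNotFoundError:
        findings.append(f"home {home} is missing: create it before delivery instead of loosening {parent}")
        return findings
    if not stat.S_ISDIR(hst.st_mode):
        findings.append(f"home {home} is not a directory")
        return findings
    if hst.st_uid != uid:
        findings.append(f"home {home} is owned by uid {hst.st_uid}, delivery runs as euid {uid}")
    if hst.st_mode & stat.S_IWOTH:
        findings.append(f"home {home} is world-writable")
    # The user needs +w on the home to create Maildir/ and its subfolders.
    owner_can_write = hst.st_uid == uid and hst.st_mode & stat.S_IWUSR
    group_can_write = hst.st_gid == gid and hst.st_mode & stat.S_IWGRP
    if not (owner_can_write or group_can_write):
        findings.append(f"home {home} is not writable by uid {uid}/gid {gid} (missing +w perm)")
    return findings


def create_home_dir(home: str, uid: int, gid: int) -> None:
    """Create the home and Maildir skeleton with mode 0700 and hand it to the user.

    os.chown needs root when uid/gid differ from the caller; in the constructed
    demo below they are the caller's own ids, so this runs unprivileged.
    """
    for sub in ("", "Maildir", "Maildir/cur", "Maildir/new", "Maildir/tmp"):
        path = os.path.join(home, sub)
        os.makedirs(path, mode=0o700, exist_ok=True)
        os.chmod(path, 0o700)  # makedirs applies the umask; force 0700 explicitly
        os.chown(path, uid, gid)


def demo() -> dict:
    """Constructed scenario: a 777 parent with a missing home, then the proper fix."""
    uid, gid = os.getuid(), os.getgid()
    with tempfile.TemporaryDirectory() as root:
        parent = os.path.join(root, "home")
        os.mkdir(parent)
        os.chmod(parent, 0o777)            # the chmod 777 /home workaround from the thread
        home = os.path.join(parent, "mike_lee")
        before = audit_home_dir(home, uid, gid)
        os.chmod(parent, 0o755)            # restore a sane parent
        create_home_dir(home, uid, gid)    # pre-create the home before any delivery
        after = audit_home_dir(home, uid, gid)
        return {"before": before, "after": after}


if __name__ == "__main__":
    for phase, findings in demo().items():
        print(phase, findings or ["ok"])
```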
Re: [Dovecot] auth: Error: LDAP: Connection lost to LDAP server, reconnecting
On 30/08/11 11:41, Timo Sirainen wrote:
> Yeah, that happens if the disconnection is noticed at the time when user is trying to authenticate. But if the disconnection is noticed immediately when there are no user requests, there is also no message logged about it.

So, there must be some problem, because when my load balancer expires the connection it closes the tcp connection (it sends a FIN packet). I guess that slapd does too. But I'll check this...

-- 
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 868887590
Fax: 86337
Re: [Dovecot] : error while loading shared libraries: libdovecot.so.0 (arm cross compile)
Hi.

Sorry! I was thinking of Postfix (and Exim). That was my mistake, sorry again. Sadly Exim isn't available on my target platform.

Thanks.

-- 
Stephen Feyrer.

On Wed, 31 Aug 2011 02:28:00 +0100, Timo Sirainen t...@iki.fi wrote:
> On 31.8.2011, at 3.00, Stephen Feyrer wrote:
>
> So it's still not working? I guess the libdovecot.so.0 simply isn't in library paths. Typically giving linker -rpath parameter pointing to libdovecot.so.0 makes this problem invisible, but I guess in your system it doesn't do this.
>
>> I am planning to use Dovecot SASL with Sendmail as well, will this lack of shared libraries cause a problem? Really I should have thought of this before.
>
> I don't think Sendmail supports Dovecot SASL? If it does, it talks to Dovecot via UNIX socket and doesn't require any Dovecot libraries.
Re: [Dovecot] auth: Error: LDAP: Connection lost to LDAP server, reconnecting
On 31/08/11 08:54, Angel L. Mateo wrote:
> On 30/08/11 11:41, Timo Sirainen wrote:
>> Yeah, that happens if the disconnection is noticed at the time when user is trying to authenticate. But if the disconnection is noticed immediately when there are no user requests, there is also no message logged about it.
>
> So, there must be some problem, because when my load balancer expires the connection it closes the tcp connection (it sends a FIN packet). I guess that slapd does too. But I'll check this...

OK. You were right:

* When openldap closes the connection because of the idle timeout, it sends a FIN packet. When dovecot needs the connection, it simply opens a new connection (without any log message).
* When my load balancer closes the connection, it doesn't send anything, so dovecot thinks the connection is active. So, when auth needs it, it tries to send the search, then the load balancer sends a RST packet, so dovecot logs the message and opens a new connection.

So the solution is to configure the openldap idletimeout parameter, dovecot auth_cache_ttl and the load balancer timeout so that this last timeout is never reached.
Re: [Dovecot] auth: Error: LDAP: Connection lost to LDAP server, reconnecting
On 31/08/11 12:31, Angel L. Mateo wrote:
> * When openldap closes the connection because of the idle timeout, it sends a FIN packet. When dovecot needs the connection, it simply opens a new connection (without any log message).
> * When my load balancer closes the connection, it doesn't send anything, so dovecot thinks the connection is active. So, when auth needs it, it tries to send the search, then the load balancer sends a RST packet, so dovecot logs the message and opens a new connection.
>
> So the solution is to configure the openldap idletimeout parameter, dovecot auth_cache_ttl and the load balancer timeout so that this last timeout is never reached.

In fact, you could configure dovecot auth_cache_ttl bigger than the other; it doesn't apply. You need to configure it only if you don't want the connection to be really closed. If you just want to not log any message, configuring the slapd timeout less than the load balancer timeout is enough.
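The two idle-connection fates described above, reproduced on loopback as an added example (not code from the list or from Dovecot): a peer that closes the idle connection leaves a FIN that a client can see before it sends anything, while a connection that is simply held (or silently dropped by a middlebox) looks alive until the next write meets an RST. The server threads and the timeout check are constructed for the demonstration.

```python
import select
import socket
import threading


def serve_once(listener: socket.socket, close_immediately: bool, release: threading.Event) -> None:
    """Accept one client. Either close it at once (slapd idletimeout: a FIN goes
    out) or hold it open until released (a peer that never says goodbye)."""
    conn, _ = listener.accept()
    if close_immediately:
        conn.close()
        return
    release.wait()
    conn.close()


def peer_closed(sock: socket.socket) -> bool:
    """True when the idle connection has already received the peer's FIN.

    A zero-timeout select reports the socket readable; recv(MSG_PEEK) then
    returns b'' for an orderly close. Checking this before reusing a pooled
    LDAP connection lets a client reconnect quietly (the first bullet above).
    A connection the load balancer dropped silently is NOT readable, so this
    check cannot see it; the RST only arrives once the search is sent, which
    is why that case gets logged.
    """
    readable, _, _ = select.select([sock], [], [], 0)
    if not readable:
        return False
    try:
        return sock.recv(1, socket.MSG_PEEK) == b""
    except ConnectionResetError:
        return True


def _connect(close_immediately: bool) -> tuple:
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    release = threading.Event()
    worker = threading.Thread(target=serve_once, args=(listener, close_immediately, release))
    worker.start()
    client = socket.create_connection(listener.getsockname())
    return client, listener, release, worker


def demo() -> dict:
    """Compare both cases on loopback (constructed, runs offline)."""
    # Case 1: the server closes the idle connection; wait up to 2s for the FIN to land.
    client, listener, release, worker = _connect(close_immediately=True)
    worker.join()
    select.select([client], [], [], 2.0)
    fin_seen = peer_closed(client)
    client.close()
    listener.close()
    # Case 2: the server holds the connection open; nothing arrives, so it looks alive.
    client, listener, release, worker = _connect(close_immediately=False)
    looks_alive = not peer_closed(client)
    release.set()
    worker.join()
    client.close()
    listener.close()
    return {"fin_detected_before_send": fin_seen, "held_connection_looks_alive": looks_alive}


def timeouts_avoid_rst(slapd_idletimeout: int, lb_idle_timeout: int) -> bool:
    """The thread's fix: slapd must close the idle connection (FIN) before the
    load balancer silently forgets it, so the client never runs into an RST."""
    return 0 < slapd_idletimeout < lb_idle_timeout


if __name__ == "__main__":
    print(demo())
    print("slapd 300s / lb 600s ok:", timeouts_avoid_rst(300, 600))
```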
[Dovecot] lmtp bouncing -- Invalid parameters (in reply to MAIL FROM command)
I just configured postfix' virtual_transport to point at my dovecot director, but am seeing occasional problems like this:

Aug 31 11:50:06 smtpgw postfix/lmtp[5339]: 69E2F5410D: to=em...@example.net, relay=loadbalancers.example.net[192.168.42.17]:24, delay=0.15, delays=0.14/0.01/0/0, dsn=5.5.4, status=bounced (host loadbalancers.example.net[192.168.42.17] said: 501 5.5.4 Invalid parameters (in reply to MAIL FROM command))

but can't find anything interesting in the dovecot logs.. Anybody have ideas for how to make postfix play nice with dovecot's lmtp ?

smtpgws% rpm -q postfix
postfix-2.3.3-2.1.el5_2
loadbalancers% rpm -q dovecot
dovecot-2.0.13-2
backendmailstorers% rpm -q dovecot
dovecot-2.0.13-2

-jf
Re: [Dovecot] lmtp bouncing -- Invalid parameters (in reply to MAIL FROM command)
On Wed, Aug 31, 2011 at 01:03:07PM +0200, Jan-Frode Myklebust wrote:
> I just configured postfix' virtual_transport to point at my dovecot director, but am seeing occasional problems like this:
>
> Aug 31 11:50:06 smtpgw postfix/lmtp[5339]: 69E2F5410D: to=em...@example.net, relay=loadbalancers.example.net[192.168.42.17]:24, delay=0.15, delays=0.14/0.01/0/0, dsn=5.5.4, status=bounced (host loadbalancers.example.net[192.168.42.17] said: 501 5.5.4 Invalid parameters (in reply to MAIL FROM command))

Further digging shows that these messages are from an address containing quotes and spaces:

mail from:"a b"@no.no
501 5.5.4 Invalid parameters

Testing with postfix + dovecot lda (v1.2.16) the messages get through just fine. Is this auth_username_chars kicking in, or some other check of valid characters in lmtp from ?

-jf
Re: [Dovecot] lmtp bouncing -- Invalid parameters (in reply to MAIL FROM command)
On Wed, 2011-08-31 at 13:21 +0200, Jan-Frode Myklebust wrote:
> mail from:"a b"@no.no
> 501 5.5.4 Invalid parameters

This is fixed in v2.0.14.
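As an added example (not code from the list or from Dovecot's LMTP server), a reverse-path parser that accepts the quoted local part from the bounced command above while still rejecting an unquoted space or an unbalanced quote with the same 501 5.5.4 reply. The grammar follows RFC 5321 (dot-string or quoted-string local part; domain literals are left out), and the sample commands are constructed.

```python
import re

# RFC 5321 mailbox grammar, reduced to what matters here: a local part is either
# a dot-string of atext or a quoted-string, which is the only way a space can
# legally appear (the "a b"@no.no address from the thread).
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
DOT_STRING = rf"{ATEXT}+(?:\.{ATEXT}+)*"
# qtextSMTP: printable ASCII except '"' and '\'; quoted-pairSMTP: backslash + printable ASCII
QUOTED_STRING = r'"(?:[\x20-\x21\x23-\x5b\x5d-\x7e]|\\[\x20-\x7e])*"'
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
DOMAIN = rf"{LABEL}(?:\.{LABEL})*"
MAILBOX_RE = re.compile(rf"^(?P<local>{DOT_STRING}|{QUOTED_STRING})@(?P<domain>{DOMAIN})$")
MAIL_FROM_RE = re.compile(r"^MAIL FROM:\s*<(?P<path>.*)>(?P<params>(?:\s+\S+)*)\s*$", re.IGNORECASE)


def parse_mail_from(line: str) -> tuple:
    """Parse one MAIL FROM command into (local_part, domain).

    The null sender <> yields ("", ""). A syntactically bad reverse-path raises
    ValueError, which an LMTP server would answer with 501 5.5.4.
    """
    m = MAIL_FROM_RE.match(line)
    if not m:
        raise ValueError("501 5.5.4 Invalid parameters: malformed MAIL FROM")
    path = m.group("path")
    if path == "":
        return ("", "")
    mb = MAILBOX_RE.match(path)
    if not mb:
        raise ValueError(f"501 5.5.4 Invalid parameters: bad reverse-path {path!r}")
    return (mb.group("local"), mb.group("domain"))


def unquote_local_part(local: str) -> str:
    """Turn a quoted-string local part into its literal value ('"a b"' -> 'a b')."""
    if len(local) >= 2 and local[0] == '"' and local[-1] == '"':
        return re.sub(r"\\(.)", r"\1", local[1:-1])
    return local


def reply_for(line: str) -> str:
    """Reply code a server following this grammar would send for the command."""
    try:
        parse_mail_from(line)
        return "250 2.1.0 OK"
    except ValueError as exc:
        return str(exc).split(":")[0]


# Constructed sample session lines; only the quoted-space address comes from the thread.
SAMPLE_COMMANDS = [
    'MAIL FROM:<"a b"@no.no>',
    'MAIL FROM:<user@example.net>',
    'MAIL FROM:<>',
    'MAIL FROM:<a b@no.no>',            # unquoted space: not a valid local part
    'MAIL FROM:<"unterminated@no.no>',  # unbalanced quote
    'MAIL FROM:<user@example.net> SIZE=1024',
]

if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print(f"{cmd:45} -> {reply_for(cmd)}")
```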
Re: [Dovecot] Kerberos GSSAPI - proper item name in keytab
> Why such hostility?

I beg your pardon, sir. Nothing personal, but to a question like "My car does not move" you provide the answer "Try to wipe the screen and kick the wheels". How do you think: if one digs into source code, has he not attempted simpler ways first? Yes, I have read the manuals and wikis before posting here. And I know what wireshark is and how to use it. And I did answer your second question about how the principal should look. The matter of my question was how the string in the form service@host agrees with keytab entries in the form service/host@REALM. Now I do know the answer. It is controlled by the argument GSS_C_NT_HOSTBASED_SERVICE of the function gss_import_name.

> Maybe I'm wrong, not running 2.0 yet.

You are wrong. There were some minor changes. See here, for example: http://www.dovecot.org/list/dovecot-cvs/2010-June/017143.html

> Make sure your client is requesting the correct principal in the first place.

Yes, I am sure. I examined the logs of my Mozilla Thunderbird client. They look like this:

*** Thunderbird logs ***
3712[5a9e240]: nsAuthSSPI::Init
3712[5a9e240]: InitSSPI
3712[5a9e240]: Using SPN of [imap/efim.test.local]
3712[5a9e240]: AcquireCredentialsHandle() succeeded.
3712[5a9e240]: entering nsAuthSSPI::GetNextToken()
3712[5a9e240]: InitializeSecurityContext: continue.
***

> Wrong principal in request. Usually means the principal in the system keytab for your system doesn't agree with the hostname or DNS name of the system.

It does agree. My host is named efim.test.local. Here are the contents of my krb5.keytab:

*** krb5.keytab ***
slot KVNO Principal
---- ---- ---------
   1    4 imap/efim.test.lo...@romashka.lan
   2    5 pop/efim.test.lo...@romashka.lan
   3    6 smtp/efim.test.lo...@romashka.lan
***

I have already found out that the denial is generated somewhere inside the krb5 libraries, not in Dovecot's modules. But I see no way to trace or debug kerberos calls. The source code of the kerberos libs is too complex for me to analyze.

If you are interested, you may join the parallel discussion of the topic on the iXBT forum here: http://forum.ixbt.com/topic.cgi?id=76:10089

With best regards,
Stanislav Klinkov.
Re: [Dovecot] Kerberos GSSAPI - proper item name in keytab
On Aug 31, 2011, at 8:27 AM, Stanislav Klinkov wrote:
>> Why such hostility?
>
> I beg your pardon, sir. Nothing personal, but to a question like "My car does not move" you provide the answer "Try to wipe the screen and kick the wheels". How do you think: if one digs into source code, has he not attempted simpler ways first? Yes, I have read the manuals and wikis before posting here. And I know what wireshark is and how to use it. And I did answer your second question about how the principal should look. The matter of my question was how the string in the form service@host agrees with keytab entries in the form service/host@REALM. Now I do know the answer. It is controlled by the argument GSS_C_NT_HOSTBASED_SERVICE of the function gss_import_name.
>
>> Maybe I'm wrong, not running 2.0 yet.
>
> You are wrong. There were some minor changes. See here, for example: http://www.dovecot.org/list/dovecot-cvs/2010-June/017143.html
>
>> Make sure your client is requesting the correct principal in the first place.
>
> Yes, I am sure. I examined the logs of my Mozilla Thunderbird client. They look like this:
>
> *** Thunderbird logs ***
> 3712[5a9e240]: nsAuthSSPI::Init
> 3712[5a9e240]: InitSSPI
> 3712[5a9e240]: Using SPN of [imap/efim.test.local]
> 3712[5a9e240]: AcquireCredentialsHandle() succeeded.
> 3712[5a9e240]: entering nsAuthSSPI::GetNextToken()
> 3712[5a9e240]: InitializeSecurityContext: continue.
> ***

I take these Thunderbird log entries to mean your workstation was able to get a kerberos ticket for imap/efim.test.local

>> Wrong principal in request. Usually means the principal in the system keytab for your system doesn't agree with the hostname or DNS name of the system.
>
> It does agree. My host is named efim.test.local. Here are the contents of my krb5.keytab:
>
> *** krb5.keytab ***
> slot KVNO Principal
> ---- ---- ---------
>    1    4 imap/efim.test.lo...@romashka.lan
>    2    5 pop/efim.test.lo...@romashka.lan
>    3    6 smtp/efim.test.lo...@romashka.lan
> ***

The fact that you have different KVNOs for multiple services on the same host seems curious. How did you generate those keys and put them into krb5.keytab? Are you using Active Directory for Kerberos?

If I ran ktpass multiple times to generate a new key for imap and then smtp, I would get the wrong principal in request error. When I ran ktpass once for IMAP and added the SPN for smtp using LDAP/setspn and used ktutil on the dovecot host to add an entry to my keytab with the same key and kvno as ktpass generated the first time, then dovecot and smtp started working. I suppose that's weaker for security but chances are your mail SPNs (imap/pop/smtp) are tied to a single user or machine account anyway...

> I have already found out that the denial is generated somewhere inside the krb5 libraries, not in Dovecot's modules. But I see no way to trace or debug kerberos calls. The source code of the kerberos libs is too complex for me to analyze.
>
> If you are interested, you may join the parallel discussion of the topic on the iXBT forum here: http://forum.ixbt.com/topic.cgi?id=76:10089
>
> With best regards,
> Stanislav Klinkov.
Re: [Dovecot] [PATCH] Indexing mail attachments with Dovecot + Solr
On Mon, 2011-05-23 at 13:11 +0200, Antonio Perez-Aranda wrote:
> Indexing mail attachments with Dovecot + Solr.

I've been looking at this and wondering about a few things:

The example solrconfig.xml contains:

<requestHandler name="/update/extract" class="org.apache.solr.handler.extraction.ExtractingRequestHandler" startup="lazy">
..
    <!-- capture link hrefs but ignore div attributes -->
    <str name="captureAttr">true</str>
    <str name="fmap.a">links</str>
    <str name="fmap.div">ignored_</str>
  </lst>

To me it looks like this requires that there exists a "links" field that is used for.. I guess content between <a>..</a> tags? Or also for the href URLs? In any case there's no "links" field in the schema.xml so I don't think this works? Similarly it looks like stuff between <div>..</div> is ignored here, which doesn't seem like a good idea.

> There is a new property for the section plugin to filter the mimetypes that you want to index.
>
> * fts_solr_mimetype files with this mimetype will be sent to solr.

In v2.1 I've added a generic fts decoder script that can handle attachment decoding. The script contains stuff like:

formats='application/pdf pdf
application/x-pdf pdf
application/msword doc
..

So there already exists a place which can list supported MIME types and also what filename extensions they have, so if there's application/octet-stream with filename=foo.pdf, Dovecot's fts code can change the MIME type to application/pdf. This sounds like it could be useful for the Solr attachments too.

Maybe instead of fts_solr_mimetype setting the script could be modified a bit so that it would even allow mixed Solr/script attachment extraction. For example:

formats='+application/pdf pdf
+application/x-pdf pdf
application/msword doc'

The + prefix could tell that the FTS backend (Solr) handles the MIME type instead of the script. So with above config Solr would decode .pdfs, but the script would decode .docs.

I was also thinking that the attachment documents could contain some description fields as well, which could be useful if you're searching the Solr index directly instead of via Dovecot. Maybe fields like attachment_filename (parsed from Content-Disposition: header) and attachment_description (parsed from Content-Description: header). They could of course be empty if those fields don't exist (and probably should be optional anyway). Also there should be attachment_part field that would contain the IMAP MIME part number of the attachment (e.g. 2.1.3), so it would be easy to find and fetch the attachment. This could also be used as part of the ID string instead of the attachment_count.
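An added illustration of how the proposed formats list could be interpreted (example code written for this page, not part of Dovecot's decoder script): it parses the "<mime-type> <extension>" pairs, treats a leading + as "the FTS backend handles it", and remaps application/octet-stream from the attachment filename as the message suggests for filename=foo.pdf. The grammar assumed here is only what the message shows.

```python
# Timo's proposed formats syntax from the message above. Grammar assumed:
# whitespace-separated "<mime-type> <extension>" pairs; a leading '+' on the
# MIME type means the FTS backend (Solr) extracts that type, otherwise the
# decoder script does.
FORMATS = """
+application/pdf pdf
+application/x-pdf pdf
application/msword doc
"""


def parse_formats(formats: str) -> dict:
    """Map lowercase MIME type -> {"ext": ..., "handler": "solr" | "script"}."""
    tokens = formats.split()
    if len(tokens) % 2:
        raise ValueError("formats must be <mime-type> <extension> pairs")
    table = {}
    for mime, ext in zip(tokens[::2], tokens[1::2]):
        handler = "solr" if mime.startswith("+") else "script"
        table[mime.lstrip("+").lower()] = {"ext": ext.lower(), "handler": handler}
    return table


def mime_from_filename(table: dict, filename: str):
    """First listed MIME type whose extension matches the attachment filename."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    for mime, info in table.items():
        if info["ext"] == ext:
            return mime
    return None


def resolve(table: dict, content_type: str, filename: str = None):
    """Decide which component decodes an attachment.

    Returns (effective_mime, handler) or None when nothing handles it.
    Parameters after ';' are dropped, the type is case-folded, and
    application/octet-stream is remapped from the filename extension.
    """
    mime = content_type.split(";", 1)[0].strip().lower()
    if mime == "application/octet-stream" and filename:
        mime = mime_from_filename(table, filename) or mime
    info = table.get(mime)
    return None if info is None else (mime, info["handler"])


if __name__ == "__main__":
    table = parse_formats(FORMATS)
    samples = [("application/pdf", "report.pdf"), ("application/octet-stream", "memo.doc"),
               ("application/octet-stream", "photo.jpg"), ("text/html; charset=utf-8", None)]
    for ct, fn in samples:
        print(ct, fn, "->", resolve(table, ct, fn))
```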
Re: [Dovecot] Kerberos GSSAPI - proper item name in keytab
> How did you generate those keys and put them into krb5.keytab?

I logged onto my domain controller via RDP and issued the following commands:

*** keytabs generation ***
ktpass -princ imap/efim.test.lo...@romashka.lan -mapuser dovecot -pass megasuperpassword -ptype KRB5_NT_SRV_HST -out imap.keytab
ktpass -princ pop/efim.test.lo...@romashka.lan -mapuser dovecot -pass megasuperpassword -ptype KRB5_NT_SRV_HST -out pop.keytab
ktpass -princ smtp/efim.test.lo...@romashka.lan -mapuser dovecot -pass megasuperpassword -ptype KRB5_NT_SRV_HST -out smtp.keytab
***

Then I moved imap.keytab, pop.keytab and smtp.keytab onto my dovecot server machine and merged them into a single file with ktutil:

*** ktutil commands ***
rkt imap.keytab
rkt pop.keytab
rkt smtp.keytab
wkt krb5.keytab
quit
***

> Are you using Active Directory for Kerberos?

Yes, I am.

> and added the SPN for smtp using LDAP/setspn and used ktutil on the dovecot host to add an entry to my keytab with the same key and kvno

Sorry, I'm not sure I understand what you mean. What is LDAP/setspn?
Re: [Dovecot] Kerberos GSSAPI - proper item name in keytab
On Aug 31, 2011, at 9:35 AM, Stanislav Klinkov wrote:
>> How did you generate those keys and put them into krb5.keytab?
>
> I logged onto my domain controller via RDP and issued the following commands:
>
> *** keytabs generation ***
> ktpass -princ imap/efim.test.lo...@romashka.lan -mapuser dovecot -pass megasuperpassword -ptype KRB5_NT_SRV_HST -out imap.keytab
> ktpass -princ pop/efim.test.lo...@romashka.lan -mapuser dovecot -pass megasuperpassword -ptype KRB5_NT_SRV_HST -out pop.keytab
> ktpass -princ smtp/efim.test.lo...@romashka.lan -mapuser dovecot -pass megasuperpassword -ptype KRB5_NT_SRV_HST -out smtp.keytab
> ***
>
> Then I moved imap.keytab, pop.keytab and smtp.keytab onto my dovecot server machine and merged them into a single file with ktutil:
>
> *** ktutil commands ***
> rkt imap.keytab
> rkt pop.keytab
> rkt smtp.keytab
> wkt krb5.keytab
> quit
> ***

I did exactly what you did when I was trying to get IMAP and SMTP Kerberized with AD (although I used KRB5_NT_PRINCIPAL in ktpass) and got the same error you were getting. It seemed like running ktpass multiple times invalidated the previous keytabs.

What I did to fix it was run ktpass once for imap/fqdn@REALM and copy the hex key, kvno and encryption type to a text file somewhere. (You could also get these from klist -Kek <imap keytab>.) Then I used ktutil to rkt the imap keytab and did addent -key -p smtp/<fqdn>@<REALM> -k <kvno> -e <enc type>, probably arcfour-hmac, and then paste the hex key I got from ktpass. Since you're not using +rndPass in ktpass, you may be able to use -password instead of -key in the addent command in ktutil, but I haven't used that method before. Then wkt the ticket somewhere and klist -Kek <keytab> and make sure that all entries have the same KVNO, hex key, and enc type but different principals.

Then use your preferred method (setspn.exe or some graphical interface to AD's LDAP) to add entries to your dovecot user's servicePrincipalName attribute for each new principal you added to your keytab. The first ktpass should've put something there for you, just follow that example.

To make sure everything should work, hop on a box where you have a valid user Kerberos ticket and do kvno imap/efim.test.local and kvno smtp/efim.test.local. That should try to get tickets for each of those services. If that doesn't work, then something is probably wrong with the servicePrincipalName attribute.

One thing I should mention: servicePrincipalNames must be unique in AD, but I don't believe there are any controls to prevent you from making duplicates since it's just an LDAP attribute. The effect of this (as you can probably guess) is that IMAP, POP and SMTP effectively end up as aliases to the dovecot user in AD, using a single key.

>> Are you using Active Directory for Kerberos?
>
> Yes, I am.
>
>> and added the SPN for smtp using LDAP/setspn and used ktutil on the dovecot host to add an entry to my keytab with the same key and kvno
>
> Sorry, I'm not sure I understand what you mean. What is LDAP/setspn?

I should've been more clear about LDAP/setspn. You can use the setspn.exe command on one of your AD controllers, or the Active Directory Users & Computers or AD GP MMC interfaces (depending on if you have Win Server 2k3 or 2k8) to edit the servicePrincipalName attribute for your dovecot user in AD's LDAP store.
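An added consistency check for the keytab and SPN situation discussed in this thread (example code, not part of Dovecot or MIT Kerberos): it maps a GSS_C_NT_HOSTBASED_SERVICE name such as imap@efim.test.local to the service/host@REALM keytab entry, compares keytab principals with the account's registered servicePrincipalNames, and flags keytab entries for one host that carry different KVNOs. The listings are constructed samples whose shapes follow klist -Kek and setspn -L; only the lowercasing of the host is modelled for the GSS name import, not DNS canonicalisation.

```python
import re
from collections import defaultdict

# Constructed sample listings. The shapes follow MIT `klist -Kek` and Windows
# `setspn -L`; the KVNOs 4/5/6 mirror the keytab shown in the thread, the key
# bytes and timestamps are made up.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   4 08/31/11 10:00:00 imap/efim.test.local@ROMASHKA.LAN (arcfour-hmac)  (0x11111111111111111111111111111111)
   5 08/31/11 10:01:00 pop/efim.test.local@ROMASHKA.LAN (arcfour-hmac)  (0x22222222222222222222222222222222)
   6 08/31/11 10:02:00 smtp/efim.test.local@ROMASHKA.LAN (arcfour-hmac)  (0x33333333333333333333333333333333)
"""

SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=dovecot,OU=Agents,DC=romashka,DC=lan:
        imap/efim.test.local
        smtp/efim.test.local
        pop/efim.test.local
"""

ENTRY_RE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+\S+\s+\S+\s+(?P<princ>\S+)@(?P<realm>\S+)"
    r"\s+\((?P<etype>[^)]+)\)\s+\((?P<key>0x[0-9a-fA-F]+)\)\s*$"
)


def parse_klist(text: str) -> list:
    """One dict per keytab entry line; header and separator lines are skipped."""
    return [m.groupdict() for m in (ENTRY_RE.match(line) for line in text.splitlines()) if m]


def parse_setspn(text: str) -> set:
    """SPNs are the indented lines under the 'Registered ServicePrincipalNames' header."""
    return {line.strip() for line in text.splitlines() if line.startswith((" ", "\t")) and line.strip()}


def hostbased_to_principal(name: str, realm: str) -> str:
    """GSS_C_NT_HOSTBASED_SERVICE 'service@host' -> Kerberos 'service/host@REALM'.

    Only the lowercasing of the host is modelled here; the krb5 library may
    additionally canonicalise the host through DNS, which this does not do.
    """
    service, _, host = name.partition("@")
    return f"{service}/{host.lower()}@{realm}"


def find_keytab_entry(entries: list, hostbased_name: str, realm: str):
    """The keytab entry the server would need for the client's requested SPN, or None."""
    wanted = hostbased_to_principal(hostbased_name, realm)
    return next((e for e in entries if f"{e['princ']}@{e['realm']}" == wanted), None)


def audit(entries: list, spns: set) -> list:
    """Findings for a keytab/SPN mismatch; an empty list means consistent."""
    findings = []
    keytab_spns = {e["princ"] for e in entries}
    for spn in sorted(keytab_spns - spns):
        findings.append(f"{spn}: in keytab but not registered as an SPN")
    for spn in sorted(spns - keytab_spns):
        findings.append(f"{spn}: registered SPN without a keytab entry")
    # The SPNs above hang off one AD account, which has a single key and KVNO;
    # each ktpass run replaced that key, so entries with different KVNOs cannot
    # all still match the KDC.
    by_host = defaultdict(list)
    for e in entries:
        by_host[e["princ"].split("/", 1)[-1]].append(e)
    for host, host_entries in by_host.items():
        kvnos = sorted({int(e["kvno"]) for e in host_entries})
        if len(kvnos) > 1:
            findings.append(f"{host}: keytab entries carry different KVNOs {kvnos}; older entries are stale")
    return findings


if __name__ == "__main__":
    entries = parse_klist(KLIST_OUTPUT)
    print(find_keytab_entry(entries, "imap@efim.test.local", "ROMASHKA.LAN"))
    for finding in audit(entries, parse_setspn(SETSPN_OUTPUT)) or ["consistent"]:
        print(finding)
```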
[Dovecot] Proprietary mail storage.
I have a large existing read-only collection of mails packaged in individual zip files as rfc822 file + some additional info.

Is it possible (and how difficult) to create a proprietary plugin (like gzip) which will open a zip file, extract mail and pass it back to Dovecot? Where do I start? If plugin is not the right approach, what is?

Another question is how will this affect Dovecot performance and how to avoid any significant degradation.

Any help is appreciated. Thanks.
Re: [Dovecot] Proprietary mail storage.
On 31.08.2011 16:24, Alex Cherniak wrote:
> I have a large existing read-only collection of mails packaged in individual zip files as rfc822 file + some additional info.
>
> Is it possible (and how difficult) to create a proprietary plugin (like gzip) which will open a zip file, extract mail and pass it back to Dovecot? Where do I start? If plugin is not the right approach, what is?
>
> Another question is how will this affect Dovecot performance and how to avoid any significant degradation.
>
> Any help is appreciated. Thanks.

did you look at http://wiki2.dovecot.org/Plugins/Zlib ?

-- 
Best Regards

MfG Robert Schetterer
Germany/Munich/Bavaria
Re: [Dovecot] Proprietary mail storage.
On 31.8.2011, at 17.24, Alex Cherniak wrote:
> I have a large existing read-only collection of mails packaged in individual zip files as rfc822 file + some additional info.
>
> Is it possible (and how difficult) to create a proprietary plugin (like gzip) which will open a zip file, extract mail and pass it back to Dovecot? Where do I start? If plugin is not the right approach, what is?

Is it otherwise a Maildir? If yes, you could base your code on the zlib plugin, or perhaps more easily you could use the mail-filter plugin: http://dovecot.org/patches/2.0/mail-filter.tar.gz

With mail-filter you can basically just put the messages through whatever program/script you want which gets the mail as input and outputs the wanted message body. I think the v2.0 mail-filter had some (potential?) bug, v2.1 mail-filter is anyway redesigned and should work perfectly.

> Another question is how will this affect Dovecot performance and how to avoid any significant degradation.

I doubt it's going to be a problem.
Re: [Dovecot] Kerberos GSSAPI - proper item name in keytab
Thank you for sharing a very interesting experience, David.

> It seemed like running ktpass multiple times invalidated the previous keytabs.

OK. Let us assume so. But then how can you explain the fact that the setting auth_gssapi_hostname = $ALL in the dovecot config solves all mentioned troubles at once?

As well, I have just run the following experiment. I re-generated one more keytab for service imap/test.efim.local only. So, it became the last-generated key. Then I copied it onto my dovecot server as the only krb.keytab file, and nothing changed.

Also, I issued the following command on my AD domain controller:

C:\Windows\system32>setspn -L dovecot

And the result was:

***
Registered ServicePrincipalNames for CN=dovecot,OU=Agents,DC=romashka,DC=lan:
imap/efim.test.local
smtp/efim.test.local
pop/efim.test.local
***

Please note that I have not applied any magic to the servicePrincipalName of AD user dovecot by setspn or other AD snap-ins.

> To make sure everything should work, hop on a box where you have a valid user Kerberos ticket and do kvno imap/efim.test.local and kvno smtp/efim.test.local.

Sorry, I might not have mentioned it above. I run Mozilla Thunderbird on my Windows XP workstation.
Re: [Dovecot] Proprietary mail storage.
On 31.08.2011 16:52, Timo Sirainen wrote:
> On 31.8.2011, at 17.24, Alex Cherniak wrote:
>> I have a large existing read-only collection of mails packaged in individual zip files as rfc822 file + some additional info.
>>
>> Is it possible (and how difficult) to create a proprietary plugin (like gzip) which will open a zip file, extract mail and pass it back to Dovecot? Where do I start? If plugin is not the right approach, what is?
>
> Is it otherwise a Maildir? If yes, you could base your code on the zlib plugin, or perhaps more easily you could use the mail-filter plugin: http://dovecot.org/patches/2.0/mail-filter.tar.gz

are there any examples or how-tos online for mail-filter ?

> With mail-filter you can basically just put the messages through whatever program/script you want which gets the mail as input and outputs the wanted message body. I think the v2.0 mail-filter had some (potential?) bug, v2.1 mail-filter is anyway redesigned and should work perfectly.
>
>> Another question is how will this affect Dovecot performance and how to avoid any significant degradation.
>
> I doubt it's going to be a problem.
Re: [Dovecot] Proprietary mail storage.
On 31.8.2011, at 18.04, Robert Schetterer wrote:
>> Is it otherwise a Maildir? If yes, you could base your code on the zlib plugin, or perhaps more easily you could use the mail-filter plugin: http://dovecot.org/patches/2.0/mail-filter.tar.gz
>
> are there any examples or how-tos online for mail-filter ?

For compiling look at the beginning of mail-filter-plugin.c

For using add it to mail_plugins and:

plugin {
  mail_filter_executable = /path/to/your/script.sh
}

A script could be for example (totally insecure and broken):

#!/bin/sh
sed s/Hello/Hi/ > /tmp/foo
cat /tmp/foo
rm /tmp/foo

Unfortunately you can't both read stdin and write to stdout at the same time because of some internal Dovecot problems with it. So you'll have to write it to a temp file and then output that after the entire input is read.
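An added example of a mail_filter_executable for the zip-per-message archive asked about in this thread (example code, not from the list or from the mail-filter plugin): it spools all of stdin to a private, unlinked temp file before writing anything, as the message above requires, then extracts the single RFC 822 member and writes it to stdout. It assumes each message file handed to the filter is one zip archive containing one member named *.eml or *.rfc822 plus the extra info files; the sample archive is constructed in the block.

```python
import io
import shutil
import sys
import tempfile
import zipfile

MAX_MESSAGE_BYTES = 64 * 1024 * 1024    # refuse absurd uncompressed sizes (zip bombs)
MESSAGE_SUFFIXES = (".eml", ".rfc822")  # assumed naming of the message member


def extract_message(zip_bytes: bytes) -> bytes:
    """Return the RFC 822 message stored inside one archive.

    Exactly one member with a message suffix is expected; anything else
    (several candidates, none, a corrupt archive, an oversized member) raises
    ValueError so the filter fails closed rather than emitting garbage.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            members = [i for i in zf.infolist() if i.filename.lower().endswith(MESSAGE_SUFFIXES)]
            if len(members) != 1:
                raise ValueError(f"expected one message member, found {len(members)}")
            info = members[0]
            if info.file_size > MAX_MESSAGE_BYTES:
                raise ValueError(f"{info.filename}: {info.file_size} bytes exceeds limit")
            return zf.read(info)
    except zipfile.BadZipFile as exc:
        raise ValueError(f"not a zip archive: {exc}") from exc


def run_filter(stdin, stdout) -> int:
    """Spool all of stdin to a private temp file, then write the result to stdout.

    tempfile.TemporaryFile gives an unlinked, mode-0600 file, so there is no
    fixed /tmp path shared between concurrent deliveries. Nothing reaches
    stdout until stdin is exhausted, matching the constraint described above.
    """
    with tempfile.TemporaryFile() as spool:
        shutil.copyfileobj(stdin, spool)
        spool.seek(0)
        data = spool.read()
    try:
        message = extract_message(data)
    except ValueError as exc:
        sys.stderr.write(f"mail-filter: {exc}\n")
        return 1
    stdout.write(message)
    stdout.flush()
    return 0


def filter_bytes(data: bytes) -> tuple:
    """Convenience wrapper for testing: (exit status, bytes written to stdout)."""
    out = io.BytesIO()
    status = run_filter(io.BytesIO(data), out)
    return status, out.getvalue()


def build_sample_archive(message: bytes = b"From: a@example.net\r\nSubject: hi\r\n\r\nHello\r\n") -> bytes:
    """Constructed input: one message plus the 'additional info' the poster mentions."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("message.eml", message)
        zf.writestr("meta.txt", "archived: 2011-08-31\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Invoked by Dovecot as mail_filter_executable: archive on stdin, message on stdout.
    sys.exit(run_filter(sys.stdin.buffer, sys.stdout.buffer))
```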
Re: [Dovecot] Proprietary mail storage.
On 31.08.2011 17:14, Timo Sirainen wrote:
> On 31.8.2011, at 18.04, Robert Schetterer wrote:
>>> Is it otherwise a Maildir? If yes, you could base your code on the zlib plugin, or perhaps more easily you could use the mail-filter plugin: http://dovecot.org/patches/2.0/mail-filter.tar.gz
>>
>> are there any examples or how-tos online for mail-filter ?
>
> For compiling look at the beginning of mail-filter-plugin.c
>
> For using add it to mail_plugins and:
>
> plugin {
>   mail_filter_executable = /path/to/your/script.sh
> }
>
> A script could be for example (totally insecure and broken):
>
> #!/bin/sh
> sed s/Hello/Hi/ > /tmp/foo
> cat /tmp/foo
> rm /tmp/foo
>
> Unfortunately you can't both read stdin and write to stdout at the same time because of some internal Dovecot problems with it. So you'll have to write it to a temp file and then output that after the entire input is read.

sorry for silly question, is there any known typical usage for that, or was this on the wishlist to solve some stuff ?
Re: [Dovecot] Proprietary mail storage.
On 31.8.2011, at 18.17, Robert Schetterer wrote:
>>> Is it otherwise a Maildir? If yes, you could base your code on the zlib plugin, or perhaps more easily you could use the mail-filter plugin: http://dovecot.org/patches/2.0/mail-filter.tar.gz
>>
>> are there any examples or how-tos online for mail-filter ?
..
> sorry for silly question, is there any known typical usage for that, or was this on the wishlist to solve some stuff ?

It was originally written to be used with imapc (imap proxy) backend. You could use it for stuff like decode encrypted PGP mails or scan for viruses and drop them if found.
Re: [Dovecot] Password query returned multiple matches
On 31.8.2011, at 18.19, Simon Brereton wrote:
> Aug 30 22:41:45 mail dovecot: auth-worker(default): sql(sbrere...@domain.co.uk,64.88.168.84): Password query returned multiple matches
..
> password_query = SELECT EmailAdd AS user, Password AS password, concat('/var/spool/mail/virtual/',MailDirLoc) as userdb_home, 999 as userdb_uid, 115 as userdb_gid FROM MailAccounts WHERE Username='%u' AND active = '1';
>
> Since the EmailAdd is unique I don't see how it can return multiple matches.

You're querying with Username, not with EmailAdd, and apparently there are multiple rows where Username='sbrere...@domain.co.uk'.
Re: [Dovecot] Proprietary mail storage.
On 31.08.2011 17:21, Timo Sirainen wrote:
> On 31.8.2011, at 18.17, Robert Schetterer wrote:
>>>> Is it otherwise a Maildir? If yes, you could base your code on the zlib plugin, or perhaps more easily you could use the mail-filter plugin: http://dovecot.org/patches/2.0/mail-filter.tar.gz
>>>
>>> are there any examples or how-tos online for mail-filter ?
> ..
>> sorry for silly question, is there any known typical usage for that, or was this on the wishlist to solve some stuff ?
>
> It was originally written to be used with imapc (imap proxy) backend. You could use it for stuff like decode encrypted PGP mails

that sounds like a very good idea

> or scan for viruses and drop them if found.

ok, that's solved in another way at my setup, but nice to have, great idea anyway, thx for coding
Re: [Dovecot] Kerberos GSSAPI - proper item name in keytab
On 08/31/2011 07:35 AM, Stanislav Klinkov wrote:
>> and added the SPN for smtp using LDAP/setspn and used ktutil on the dovecot host to add an entry to my keytab with the same key and kvno
>
> Sorry, I'm not sure I understand what you mean. What is LDAP/setspn?

I have only followed part of this. If the original poster's problem is that the LDAP database cannot be accessed with an SPN ticket, this is because SPNs are not allowed to log in in AD. You need to use a user account (including MACHINE$ accounts). It took me forever to figure this out.

To use this, you need a cron job that creates/renews tickets from time to time for the user/machine account. Then you use Dovecot's environment setup configuration to set the KRB5_CC (or whatever it is called, my head is elsewhere) env variable to that Kerberos ticket cache that was created in the cronjob. This cache needs to be readable by dovecot and should be owned by its user.

Trever

-- 
First Law of System Requirements:
Anything is possible if you don't know what you're talking about...
-- Unknown
Re: [Dovecot] Password query returned multiple matches
-----Original Message-----
From: Timo Sirainen [mailto:t...@iki.fi]

> On 31.8.2011, at 18.19, Simon Brereton wrote:
>> Aug 30 22:41:45 mail dovecot: auth-worker(default): sql(sbrere...@domain.co.uk,64.88.168.84): Password query returned multiple matches
> ..
>> password_query = SELECT EmailAdd AS user, Password AS password, concat('/var/spool/mail/virtual/',MailDirLoc) as userdb_home, 999 as userdb_uid, 115 as userdb_gid FROM MailAccounts WHERE Username='%u' AND active = '1';
>>
>> Since the EmailAdd is unique I don't see how it can return multiple matches.
>
> You're querying with Username, not with EmailAdd, and apparently there are multiple rows where Username='sbrere...@domain.co.uk'.

Well, what do you know - there are two Usernames that are the same! I have no idea how that happened.

Simon
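An added reproduction of the ambiguity Timo points out (example code, not from the list or from Dovecot): the password_query quoted above, run with SQLite against a constructed MailAccounts table where two active rows share a Username, returns two rows; a GROUP BY query lists every such duplicate, and a unique index on Username refuses to build until the duplicate is cleaned up and then rejects any new one. The addresses and table layout are constructed placeholders, and MySQL's concat() is written as SQLite's || operator.

```python
import sqlite3

# Constructed MailAccounts rows (placeholder addresses, not the poster's) that
# reproduce the thread: two active rows share one Username although their
# EmailAdd values differ, so uniqueness of EmailAdd does not help the query.
ROWS = [
    # Username, EmailAdd, Password, MailDirLoc, active
    ("simon@example.net", "simon@example.net", "hash1", "example.net/simon", "1"),
    ("simon@example.net", "simon.b@example.net", "hash2", "example.net/simon.b", "1"),
    ("alice@example.net", "alice@example.net", "hash3", "example.net/alice", "1"),
]

# The password_query quoted above, with MySQL's concat() written as SQLite's ||
# and the %u placeholder replaced by a bound parameter.
PASSWORD_QUERY = """
SELECT EmailAdd AS user, Password AS password,
       '/var/spool/mail/virtual/' || MailDirLoc AS userdb_home,
       999 AS userdb_uid, 115 AS userdb_gid
FROM MailAccounts
WHERE Username = ? AND active = '1'
"""


def build_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE MailAccounts (Username TEXT, EmailAdd TEXT, Password TEXT, MailDirLoc TEXT, active TEXT)")
    db.executemany("INSERT INTO MailAccounts VALUES (?, ?, ?, ?, ?)", ROWS)
    return db


def password_rows(db, username: str) -> list:
    """Rows the auth-worker gets back; more than one is the logged error."""
    return db.execute(PASSWORD_QUERY, (username,)).fetchall()


def duplicate_usernames(db) -> list:
    """Every active Username that makes the lookup ambiguous, with its row count."""
    return db.execute(
        "SELECT Username, COUNT(*) FROM MailAccounts WHERE active = '1' "
        "GROUP BY Username HAVING COUNT(*) > 1 ORDER BY Username"
    ).fetchall()


def enforce_unique_username(db) -> bool:
    """Add the constraint that stops duplicates from coming back.

    Returns False while duplicates exist (SQLite refuses to build the index)
    and True once it is in place.
    """
    try:
        db.execute("CREATE UNIQUE INDEX IF NOT EXISTS ux_mailaccounts_username ON MailAccounts (Username)")
        return True
    except sqlite3.IntegrityError:
        return False


def demo() -> dict:
    db = build_db()
    result = {
        "rows_before": len(password_rows(db, "simon@example.net")),
        "duplicates": duplicate_usernames(db),
        "index_with_duplicates": enforce_unique_username(db),
    }
    # The operator removes the stray row; only then can the constraint be created.
    db.execute("DELETE FROM MailAccounts WHERE Username = ? AND EmailAdd = ?",
               ("simon@example.net", "simon.b@example.net"))
    result["index_after_cleanup"] = enforce_unique_username(db)
    result["rows_after"] = len(password_rows(db, "simon@example.net"))
    try:
        db.execute("INSERT INTO MailAccounts VALUES (?, ?, ?, ?, ?)",
                   ("simon@example.net", "again@example.net", "hash4", "example.net/again", "1"))
        result["duplicate_insert_rejected"] = False
    except sqlite3.IntegrityError:
        result["duplicate_insert_rejected"] = True
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```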
Re: [Dovecot] Kerberos GSSAPI - proper item name in keytab
On Aug 31, 2011, at 10:55 AM, Stanislav Klinkov wrote:
> Thank you for sharing a very interesting experience, David.
>
>> It seemed like running ktpass multiple times invalidated the previous keytabs.
>
> OK. Let us assume so. But then how can you explain the fact that the setting auth_gssapi_hostname = $ALL in the dovecot config solves all mentioned troubles at once?

That is a very good question that I sadly don't have the answer to and I fear I misunderstood the initial problem. It's my understanding that auth_gssapi_hostname controls which entries in the keytab file dovecot will allow itself to use. If you enable debug auth logging in dovecot, do you see anything about which entry in your keytab file it's attempting to use? Also, do you see anything in your AD logs when you get the invalid principal error from the IP of your dovecot host?

> As well, I have just run the following experiment. I re-generated one more keytab for service imap/test.efim.local only. So, it became the last-generated key. Then I copied it onto my dovecot server as the only krb.keytab file, and nothing changed.
>
> Also, I issued the following command on my AD domain controller:
>
> C:\Windows\system32>setspn -L dovecot
>
> And the result was:
>
> ***
> Registered ServicePrincipalNames for CN=dovecot,OU=Agents,DC=romashka,DC=lan:
> imap/efim.test.local
> smtp/efim.test.local
> pop/efim.test.local
> ***
>
> Please note that I have not applied any magic to the servicePrincipalName of AD user dovecot by setspn or other AD snap-ins.
>
>> To make sure everything should work, hop on a box where you have a valid user Kerberos ticket and do kvno imap/efim.test.local and kvno smtp/efim.test.local.
>
> Sorry, I might not have mentioned it above. I run Mozilla Thunderbird on my Windows XP workstation.
[Dovecot] Multiple domains to one inbox and temporary redirects...
Hi Can anyone point me to a howto to arrange for multiple domains to deliver to one inbox with Dovecot? For example, us...@example.com and us...@example.net should both be delivered to /var/spool/mail/virtual/example.net/user1 Currently, I have the dovecot LDA set as: dovecot unix - n n - - pipe flags=DRhu user=mailsystem argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${nexthop} and in dovecot.conf: mail_location: maildir:/var/spool/mail/virtual/%d/%n For some domains only, I need to override that mail_location. Related to that, when user1 leaves and user2 would like to receive user1's email, how can I get it so that email to us...@example.com is delivered to us...@example.com? Previously when I was using Postfix to deliver the mails, I could change the maildirloc in the DB - but I'm not sure how to accomplish this with dovecot LDA. Again, any pointers would be welcome. Thanks. Simon
Re: [Dovecot] Kerberos GSSAPI - proper item name in keytab
On 31.08.2011 18:55, Stanislav Klinkov wrote: Thank you for sharing a very interesting experience, David. It seemed like running ktpass multiple times invalidated the previous keytabs. OK. Let us assume. But then how can you explain the fact that the setting auth_gssapi_hostname = $ALL in dovecot config solves all mentioned troubles at once? As well I just have run the following experiment. I re-generated one more keytab for service imap/test.efim.local only. So, it became the last-generated key. Then I copied it onto my dovecot server as the only krb.keytab file, and nothing changed. Also, I issued the following command on my AD domain controller:
C:\Windows\system32> setspn -L dovecot
And the result was:
Registered ServicePrincipalNames for CN=dovecot,OU=Agents,DC=romashka,DC=lan:
    imap/efim.test.local
    smtp/efim.test.local
    pop/efim.test.local
Please note, that I have not applied any magic to servicePrincipalName of AD user dovecot by setspn or other AD snap-ins. Early versions of ktpass only allowed 1 servicePrincipalName, thus every time you generated a new one it overwrote the old one. ktpass from win2008 seems to fix this. To make sure everything should work, hop on a box where you have a valid user Kerberos ticket and do kvno imap/efim.test.local and kvno smtp/efim.test.local. Sorry, I might have not mentioned above. I run Mozilla Thunderbird on my Windows XP workstation. Can you do kinit -k imap/imap/efim.test.lo...@romashka.lan and then klist, does it work for you? I do recommend tcpdump of the kerberos traffic between your client and server; this usually helps me much better than any logging, and the flow is easy to read in wireshark.
Re: [Dovecot] Multiple domains to one inbox and temporary redirects...
Simon Brereton wrote: Hi Can anyone point me to a howto to arrange for multiple domains to deliver to one inbox with Dovecot? For example, us...@example.com and us...@example.net should both be delivered to /var/spool/mail/virtual/example.net/user1 Currently, I have the dovecot LDA set as: dovecot unix - n n - - pipe flags=DRhu user=mailsystem argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${nexthop} and in dovecot.conf: mail_location: maildir:/var/spool/mail/virtual/%d/%n For some domains only, I need to override that mail_location. Related to that, when user1 leaves and user2 would like to receive user1's email, how can I get it so that email to us...@example.com is delivered to us...@example.com? Previously when I was using Postfix to deliver the mails, I could change the maildirloc in the DB - but I'm not sure how to accomplish this with dovecot LDA. I'm using Postfixadmin to manage users and have server alias-domains. All mail sent to an alias-domain is delivered to the other domain. Quite easy if you've got postfixadmin already setup. Otherwise I think you could configure virtual_alias_maps in postfix to something like hash:virtual_domains virtual_domains: @example.net @example.com N.
Re: [Dovecot] Multiple domains to one inbox and temporary redirects...
I'm using Sendmail, sample config below: On 8/31/2011 12:41 PM, Nick Rosier wrote: Simon Brereton wrote: Hi Can anyone point me to a howto to arrange for multiple domains to deliver to one inbox with Dovecot? For example, us...@example.com and us...@example.net should both be delivered to /var/spool/mail/virtual/example.net/user1 Currently, I have the dovecot LDA set as: dovecot unix - n n - - pipe flags=DRhu user=mailsystem argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${nexthop} and in dovecot.conf: mail_location: maildir:/var/spool/mail/virtual/%d/%n For some domains only, I need to override that mail_location. Related to that, when user1 leaves and user2 would like to receive user1's email, how can I get it so that email to us...@example.com is delivered to us...@example.com? Previously when I was using Postfix to deliver the mails, I could change the maildirloc in the DB - but I'm not sure how to accomplish this with dovecot LDA. I'm using Postfixadmin to manage users and have server alias-domains. All mail sent to an alias-domain is delivered to the other domain. Quite easy if you've got postfixadmin already setup. Otherwise I think you could configure virtual_alias_maps in postfix to something like hash:virtual_domains virtual_domains: @example.net @example.com N. We deliver multiple domains to the single user name of the domain:
ad...@nojunk-mail.com admin
ad...@emailsecurity.us admin
ad...@spam-zapper.com admin
ad...@abs-comptech.com admin
ad...@remote-pc-doc.com admin
We use our Server Administrator tool to manage the mailboxes. Begin shameless plug: (Server Administrator - http://www.abs-comptech.com/serveradministrator.htm) end shameless plug -- Albert E. Whale, CHS CISA CISSP Senior Technology Security Director *ABS Computer Technology, Inc. * 412-635-7488 ext 100 aewh...@abs-comptech.com mailto:aewh...@abs-comptech.com www.ABS-CompTech.com http://www.ABS-CompTech.com
Re: [Dovecot] Multiple domains to one inbox and temporary redirects...
-Original Message- From: Nick Rosier [mailto:nick+dove...@bunbun.be] Simon Brereton wrote: Hi Can anyone point me to a howto to arrange for multiple domains to deliver to one inbox with Dovecot? For example, us...@example.com and us...@example.net should both be delivered to /var/spool/mail/virtual/example.net/user1 Currently, I have the dovecot LDA set as: dovecot unix - n n - - pipe flags=DRhu user=mailsystem argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${nexthop} and in dovecot.conf: mail_location: maildir:/var/spool/mail/virtual/%d/%n For some domains only, I need to override that mail_location. Related to that, when user1 leaves and user2 would like to receive user1's email, how can I get it so that email to us...@example.com is delivered to us...@example.com? Previously when I was using Postfix to deliver the mails, I could change the maildirloc in the DB - but I'm not sure how to accomplish this with dovecot LDA. I'm using Postfixadmin to manage users and have server alias-domains. All mail sent to an alias-domain is delivered to the other domain. Quite easy if you've got postfixadmin already setup. Otherwise I think you could configure virtual_alias_maps in postfix to something like hash:virtual_domains virtual_domains: @example.net @example.com Cheers Nick Of course that will do it. Thanks. Simon
Re: [Dovecot] Kerberos GSSAPI - proper item name in keytab
On 08/31/2011 10:30 AM, Nikolay Shopik wrote: Can you do kinit -k imap/imap/efim.test.lo...@romashka.lan and then klist, does it work for you? I do recommend tcpdump of the kerberos traffic between your client and server; this usually helps me much better than any logging, and the flow is easy to read in wireshark. Under active directory, you cannot kinit as an SPN, only UPN (including MACHINE$ accounts). At least this is my experience. Trever -- Selfishness is really self-destruction in slow motion. -- Elder Neal A. Maxwell - Ensign, May 1999, 23
[Dovecot] Thunderbird caching problem
Using a fairly simple dovecot config (which obviously needs some max limit tweaking) we have problems with IMAP synchronization between thunderbird clients. Two TB clients in the same IMAP mailbox will, from time to time, show different views of the same INBOX folders, when TB caching is enabled. The only fix is to right-click on the folder, go to Properties and use the Repair Folder option which repairs the local TB .msf cache file. Is there any server-side fix/workaround that would keep TB from regularly going out-of-sync? This happens with TB3 and newer versions, in concert with either dovecot 1 or 2. The obvious fix is to disable TB local caching, which unfortunately also disables certain search features and can be a pain for large mailboxes.

# dovecot -n
# 2.0.13: /etc/dovecot/dovecot.conf
doveconf: Warning: service auth { client_limit=4096 } is lower than required under max. load (7168)
doveconf: Warning: service anvil { client_limit=2048 } is lower than required under max. load (3075)
# OS: OpenBSD 5.0 amd64 ffs
auth_default_realm = dovecot.org
auth_mechanisms = plain digest-md5 cram-md5 apop
auth_username_translation = :@
default_client_limit = 2048
default_internal_user = _dovecot
default_login_user = _dovenull
default_process_limit = 1024
disable_plaintext_auth = no
first_valid_gid = 125
first_valid_uid = 125
mail_location = maildir:/mail/%d/%n/
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date
mbox_write_locks = fcntl
mmap_disable = yes
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
  sieve_global_path = /etc/dovecot/default.sieve
}
protocols = imap pop3 lmtp sieve
service auth {
  unix_listener auth-userdb {
    user = mail
  }
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
  inet_listener sieve_deprecated {
    port = 2000
  }
}
ssl_cert = </etc/balls/balls-cert.pem
ssl_key = </etc/balls/balls-key.pem
userdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
protocol lda {
  mail_plugins = sieve
}
protocol imap {
  imap_client_workarounds = delay-newmail tb-extra-mailbox-sep tb-lsub-flags
  mail_max_userip_connections = 50
}
protocol pop3 {
  mail_max_userip_connections = 50
  pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
  pop3_save_uidl = yes
  pop3_uidl_format = %v-%u
}
Re: [Dovecot] Proprietary mail storage.
Thanks, Timo. Technically, it's not a Maildir, but my plan is to re-create one with folders containing hard or symbolic links pointing to the real storage. Is it going to be a problem? On Wed, Aug 31, 2011 at 10:52 AM, Timo Sirainen t...@iki.fi wrote: On 31.8.2011, at 17.24, Alex Cherniak wrote: I have a large existing read-only collection of mails packaged in individual zip files as rfc822 file+some additional info. Is it possible (and how difficult) to create a proprietary plugin (like gzip) which will open a zip file, extract mail and pass it back to Dovecot? Where do I start? If plugin is not the right approach, what is? Is it otherwise a Maildir? If yes, you could base your code on the zlib plugin, or perhaps more easily you could use mail-filter plugin: http://dovecot.org/patches/2.0/mail-filter.tar.gz With mail-filter you can basically just put the messages through whatever program/script you want which gets the mail as input and outputs the wanted message body. I think the v2.0 mail-filter had some (potential?) bug, v2.1 mail-filter is anyway redesigned and should work perfectly. Another question is how will this affect Dovecot performance and how to avoid any significant degradation. I doubt it's going to be a problem.
Re: [Dovecot] OT - small hd recommendation
On 8/30/2011 5:43 PM, Daniel L. Miller wrote: A little OT - but I've seen a few opinions voiced here by various admins and I'd like to benefit. RAID-10 is fine (note that the default mdadm RAID10 isn't actually RAID10, but it works well enough). RAID-6 won't be faster (and will probably be worse) although RAID-6 does do a bit better in a double-drive failure over RAID-10. The only way to get more performance out of (4) drives is to switch to 10k or 15k SAS (or SSDs). For more information - see the Linux RAID mailing list: http://vger.kernel.org/majordomo-info.html One problematic issue with consumer-grade SATA drives (which may or may not bite you) is that they will not time out on errors fast enough to keep mdadm happy. The enterprise grade drives are better about this (such as the ES.2 series), but for smaller arrays (6 drives or less) it's not as big of a deal. For bigger arrays, it's a definite issue, especially if you try and do RAID-6 over 8+ drives. If you're getting SMART errors, then it's time to swap the drives out. If mdadm is reporting sync errors or dropping drives from the array, then get your backups squared away ASAP before fiddling. My knee-jerk reaction when I hear 4-drive RAID-10 is that it has no hot-spare. Which means that as soon as 1 drive fails you're in dangerous territory (make sure it pages you automatically) since the array can't automatically repair. Make sure you can properly identify the drive that fails (via the serial numbers) and don't try a hot-swap. (Take a look at /dev/disk/by-id, /dev/disk/by-uuid, etc. Export a copy of that information on a daily/weekly basis off of the machine. In a software RAID environment, it gives you better information about which drive serial # failed rather than relying on lights.) Our mail server is 3-way RAID1 (triple mirror) for the OS and mail queue with a 5-disk RAID-10 (4+spare) for mail storage.
Re: [Dovecot] Thunderbird caching problem
On 08/31/2011 02:59 PM, Chris Cappuccio wrote: Using a fairly simple dovecot config (which obviously needs some max limit tweaking) we have problems with IMAP synchronization between thunderbird clients. Two TB clients in the same IMAP mailbox will, from time to time, show different views of the same INBOX folders, when TB caching is enabled. The only fix is to right-click on the folder, go to Properties and use the Repair Folder option which repairs the local TB .msf cache file. Is there any server-side fix/workaround that would keep TB from regularly going out-of-sync? This happens with TB3 and newer versions, in concert with either dovecot 1 or 2. I ran into exactly this problem as well, it is infuriating. A workaround was discussed here awhile back. Sticking this in the protocol imap block of dovecot.conf solved the problem completely:
imap_capability = IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS
That should all be one line; watch for wrappage. -Dave -- Dave McGuire Port Charlotte, FL
Re: [Dovecot] Thunderbird caching problem
Dave McGuire [mcgu...@neurotica.com] wrote: On 08/31/2011 02:59 PM, Chris Cappuccio wrote: Using a fairly simple dovecot config (which obviously needs some max limit tweaking) we have problems with IMAP synchronization between thunderbird clients. Two TB clients in the same IMAP mailbox will, from time to time, show different views of the same INBOX folders, when TB caching is enabled. The only fix is to right-click on the folder, go to Properties and use the Repair Folder option which repairs the local TB .msf cache file. Is there any server-side fix/workaround that would keep TB from regularly going out-of-sync? This happens with TB3 and newer versions, in concert with either dovecot 1 or 2. I ran into exactly this problem as well, it is infuriating. A workaround was discussed here awhile back. Sticking this in the protocol imap block of dovecot.conf solved the problem completely:
imap_capability = IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS
Interesting. How do I know that I really should be announcing all of these capabilities given my current dovecot version and config? With the config I posted, here's what I send out now:
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5] Blahfart
Re: [Dovecot] Thunderbird caching problem
Chris Cappuccio wrote: Dave McGuire [mcgu...@neurotica.com] wrote: On 08/31/2011 02:59 PM, Chris Cappuccio wrote: Using a fairly simple dovecot config (which obviously needs some max limit tweaking) we have problems with IMAP synchronization between thunderbird clients. Two TB clients in the same IMAP mailbox will, from time to time, show different views of the same INBOX folders, when TB caching is enabled. The only fix is to right-click on the folder, go to Properties and use the Repair Folder option which repairs the local TB .msf cache file. Is there any server-side fix/workaround that would keep TB from regularly going out-of-sync? This happens with TB3 and newer versions, in concert with either dovecot 1 or 2. I ran into exactly this problem as well, it is infuriating. A workaround was discussed here awhile back. Sticking this in the protocol imap block of dovecot.conf solved the problem completely:
imap_capability = IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS
Interesting. How do I know that I really should be announcing all of these capabilities given my current dovecot version and config? With the config I posted, here's what I send out now:
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5] Blahfart
This is before login, you need to verify after login. Dovecot changes the capabilities it advertises after login. Remove CONDSTORE and QRESYNC; the CONDSTORE is the one messing it up for you. QRESYNC also implies CONDSTORE so you need to disable this one as well. N.
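The check Nick describes (compare the pre-login greeting with the capability list the server sends after login, then drop CONDSTORE and QRESYNC) as an added example that is not code from this thread. The sample strings are constructed: the greeting is the one Chris posted, the post-login list is assumed to look like Dave's with CONDSTORE and QRESYNC present; the live mode takes host, user and password as command-line arguments, an interface assumed here.

```python
"""Compare the IMAP capabilities Dovecot advertises before and after login."""
import imaplib
import re
import sys

# Extensions the thread identifies as the cause of Thunderbird's cache confusion.
SYNC_EXTENSIONS = ("CONDSTORE", "QRESYNC")
# Tokens negotiated by the login process itself; they do not belong in
# a post-login imap_capability value.
LOGIN_PHASE_TOKENS = ("STARTTLS", "LOGINDISABLED")

_RESP_CODE_RE = re.compile(r"\[CAPABILITY ([^\]]*)\]", re.IGNORECASE)
_UNTAGGED_PREFIX = "* CAPABILITY "

# Constructed sample input (pre-login greeting as posted; post-login list assumed).
SAMPLE_PRE_LOGIN = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE "
                    "IDLE STARTTLS AUTH=PLAIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5] Blahfart")
SAMPLE_POST_LOGIN = ("* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE "
                     "SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT "
                     "CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC "
                     "ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS")


def parse_capabilities(line):
    """Return capability tokens, in order and case preserved, from either the
    greeting form '* OK [CAPABILITY ...] text' or the untagged '* CAPABILITY ...'
    reply; anything else raises ValueError."""
    m = _RESP_CODE_RE.search(line)
    if m:
        body = m.group(1)
    elif line.upper().startswith(_UNTAGGED_PREFIX):
        body = line[len(_UNTAGGED_PREFIX):]
    else:
        raise ValueError("no CAPABILITY data in %r" % line)
    tokens, seen = [], set()
    for tok in body.split():
        if tok.upper() not in seen:      # capability names are case-insensitive
            seen.add(tok.upper())
            tokens.append(tok)
    return tokens


def _names(tokens):
    return {t.upper() for t in tokens}


def capability_report(pre_login, post_login):
    """Describe what changed at login and flag the cache-related extensions."""
    pre, post = parse_capabilities(pre_login), parse_capabilities(post_login)
    pre_names, post_names = _names(pre), _names(post)
    return {
        "added_at_login": [c for c in post if c.upper() not in pre_names],
        "removed_at_login": [c for c in pre if c.upper() not in post_names],
        "sync_extensions_advertised": [c for c in post if c.upper() in SYNC_EXTENSIONS],
    }


def imap_capability_setting(post_login, drop=SYNC_EXTENSIONS):
    """Build a dovecot.conf imap_capability line from the post-login list with
    the extensions in `drop` removed; AUTH= and login-phase tokens are left out."""
    keep = [c for c in parse_capabilities(post_login)
            if c.upper() not in drop and c.upper() not in LOGIN_PHASE_TOKENS
            and not c.upper().startswith("AUTH=")]
    return "imap_capability = " + " ".join(keep)


def live_capabilities(host, user, password, port=993):
    """Fetch greeting and post-login CAPABILITY over IMAPS (network; not used by the test)."""
    conn = imaplib.IMAP4_SSL(host, port)
    pre = conn.welcome.decode("ascii", "replace")
    conn.login(user, password)
    typ, data = conn.capability()   # ask again: the list changes after login
    if typ != "OK":
        raise RuntimeError("CAPABILITY failed: %s" % typ)
    post = _UNTAGGED_PREFIX + data[0].decode("ascii", "replace")
    conn.logout()
    return pre, post


if __name__ == "__main__":
    if len(sys.argv) == 4:
        pre, post = live_capabilities(sys.argv[1], sys.argv[2], sys.argv[3])
    else:
        pre, post = SAMPLE_PRE_LOGIN, SAMPLE_POST_LOGIN
    report = capability_report(pre, post)
    for key, value in report.items():
        print("%-28s %s" % (key + ":", " ".join(value) or "-"))
    if report["sync_extensions_advertised"]:
        print("suggested:", imap_capability_setting(post))
```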
Re: [Dovecot] mail spool filesystem
On Fri, Aug 19, 2011 at 03:48:00AM -0500, Stan Hoeppner wrote: On 8/17/2011 9:42 AM, Adrian Ulrich wrote: I read that XFS is a good choice, but is not too reliable... Are you using Maildir or MBOX? In any case: XFS would be my last choice: XFS is nice if you are working with large files (> 2GB), but for E-Mail i'd stick with ext3 (or maybe even reiser3) as it works very well with small files. XFS was designed for parallelism, whether with large files or small, ... Anyone been using ZFS on FreeBSD for mail spool storage? -- Kelsey Cummings - k...@corp.sonic.net sonic.net, inc. System Architect 2260 Apollo Way 707.522.1000 Santa Rosa, CA 95407
Re: [Dovecot] mail spool filesystem
Kelsey Cummings wrote: On Fri, Aug 19, 2011 at 03:48:00AM -0500, Stan Hoeppner wrote: On 8/17/2011 9:42 AM, Adrian Ulrich wrote: I read that XFS is a good choice, but is not too reliable... Are you using Maildir or MBOX? In any case: XFS would be my last choice: XFS is nice if you are working with large files (> 2GB), but for E-Mail i'd stick with ext3 (or maybe even reiser3) as it works very well with small files. XFS was designed for parallelism, whether with large files or small, ... Anyone been using ZFS on FreeBSD for mail spool storage? I'm using ZFS on FreeBSD 8.2. But to be honest, this is a personal/private mail-system with limited mailboxes. I really like the snapshots in ZFS. Every night I make a snapshot which I send to another server for backup. Every hour I make a new snapshot from which I send the incremental to the backup-server. That way if the worst happens I will only lose 1 hour of mail. ZFS was built for data integrity, not speed so if it's speed you are looking for this might not be the fastest but maybe fast enough. N.
Re: [Dovecot] Kerberos GSSAPI - proper item name in keytab
On Wed, Aug 31, 2011 at 09:28:50AM -0600, Trever L. Adams wrote: I have only followed part of this. If the original poster's problem is that the LDAP database is not being able to be accessed with an SPN ticket, this is because SPNs are not allowed to log in in AD. You need to use a user account (including MACHINE$ accounts). It took me forever to figure this out. To use this, you need a cron job that creates/renews tickets from time to time for the user/machine account. Then you use Dovecot's environment setup configuration to set the KRB5_CC (or whatever it is called, my head is elsewhere) env variable to that Kerberos ticket cache that was created in the cronjob. This cache needs to be readable by dovecot and should be owned by its user. This all works a 1000% better if you use Samba to join the domain and create your keytab with the right SPNs. See my prior posts to this list for a formula. Using the MS kerberos compatibility tools is painful, complicated and tends to make a mess. Samba will create a machine UPN and populate the system keytab appropriately. From a cron job you can use 'kinit -k' to maintain an active ticket for the machine UPN which dovecot can use for LDAP operations. Jason
Re: [Dovecot] mail spool filesystem
Quoting Nick Rosier nick+dove...@bunbun.be: Kelsey Cummings wrote: On Fri, Aug 19, 2011 at 03:48:00AM -0500, Stan Hoeppner wrote: On 8/17/2011 9:42 AM, Adrian Ulrich wrote: I read that XFS is a good choice, but is not too reliable... Are you using Maildir or MBOX? In any case: XFS would be my last choice: XFS is nice if you are working with large files (> 2GB), but for E-Mail i'd stick with ext3 (or maybe even reiser3) as it works very well with small files. XFS was designed for parallelism, whether with large files or small, ... Anyone been using ZFS on FreeBSD for mail spool storage? I'm using ZFS on FreeBSD 8.2. But to be honest, this is a personal/private mail-system with limited mailboxes. I really like the snapshots in ZFS. Every night I make a snapshot which I send to another server for backup. Every hour I make a new snapshot from which I send the incremental to the backup-server. That way if the worst happens I will only lose 1 hour of mail. ZFS was built for data integrity, not speed so if it's speed you are looking for this might not be the fastest but maybe fast enough. I just migrated to FreeBSD 8.2 ZFS (6 drive u320 raidz + 16GB mirrored SSD ZIL) from OpenSolaris ZFS (10 drive sata raidz10). About 4k daily users. The new setup feels a little faster than the old, but honestly the old ran just fine under normal load. One of the things that pushed the migration was really more CPU for Thunderbird clients using compression, which caused a noticeable delay. Ditto on the snapshots. Rick
[Dovecot] thunderbird and subscriptions with sieve
Hi All, I'm a newbie trying to move mail out of my ISP onto a ubuntu (lucid) dovecot 1.2.9 server. Is there any way to automatically add folders created by sieve (GNU Mailutils 2.1) to the subscriptions file for a user? I'm currently testing spam, and if sieve created the folder with the first message, the thunderbird user does not see the new folder. Even more interesting, if the user then tries to create the Spam directory in thunderbird it seems to quietly ignore the request and the user still cannot see the folder, but I digress... I can manually subscribe with thunderbird, but this won't scale for more complex sieve later by making the user responsible for finding everything. I can turn off subscription view in advanced settings on thunderbird, but we are trying to wean ourselves off of individual mail clients and I don't want to have to test this everywhere. Many thanks in advance! Kris -- Mr. Kristen J. Webb Teradactyl LLC. PHONE: 1-505-242-1091 EMAIL: kw...@teradactyl.com VISIT: http://www.teradactyl.com Home of the True incremental Backup System
Re: [Dovecot] Kerberos GSSAPI - proper item name in keytab
On Wed, 31 Aug 2011 14:39:56 -0600 Jason Gunthorpe articulated: On Wed, Aug 31, 2011 at 09:28:50AM -0600, Trever L. Adams wrote: I have only followed part of this. If the original poster's problem is that the LDAP database is not being able to be accessed with an SPN ticket, this is because SPNs are not allowed to log in in AD. You need to use a user account (including MACHINE$ accounts). It took me forever to figure this out. To use this, you need a cron job that creates/renews tickets from time to time for the user/machine account. Then you use Dovecot's environment setup configuration to set the KRB5_CC (or whatever it is called, my head is elsewhere) env variable to that Kerberos ticket cache that was created in the cronjob. This cache needs to be readable by dovecot and should be owned by its user. This all works a 1000% better if you use Samba to join the domain and create your keytab with the right SPNs. See my prior posts to this list for a formula. Using the MS kerberos compatibility tools is painful, complicated and tends to make a mess. Samba will create a machine UPN and populate the system keytab appropriately. From a cron job you can use 'kinit -k' to maintain an active ticket for the machine UPN which dovecot can use for LDAP operations. I just got this link from a friend who uses Kerberos on several systems. http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=8350 I have no idea if it will work or help you or not. -- Jerry ✌ dovecot.u...@seibercom.net Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header. __ Everlasting peace will come to the world when the last man has slain the last but one. Adolf Hitler
[Dovecot] [PATCH] Allow verification of user's hash in doveadm-pw
Hi, It may be useful for testing purposes to know if a generated password hash corresponds to a given clear password. This can be useful to check if a hash generated by another program can be verified by Dovecot without any errors. This patch adds the ability to verify a password hash using `doveadm pw` via the `-V` option.
$ doveadm pw -s SSHA.hex
Enter new password:
Retype new password:
{SSHA.HEX}58b910d947c60b35be3e12b0d9897c1f87dfa450e6d5a75c
$ doveadm pw -s SSHA.hex -V{SSHA.HEX}58b910d947c60b35be3e12b0d9897c1f87dfa450e6d5a75c
Enter new password:
Retype new password:
{SSHA.HEX}4fdf801f57870fb624bee60895c2308187837dfb3987ca06 (verified)
When the user specifies a hash, it is checked in place of the usual verification process. This works with all schemes. Just be sure to escape special characters or use simple quotes.
$ doveadm pw -s MD5-CRYPT -V'{MD5-CRYPT}$1$R7thDyN.$E0G0czPE/h4S0Hn/b5oVW1'
Enter new password:
Retype new password:
{MD5-CRYPT}$1$rp8nVSqq$gDAPM5iqv1yhBoDZIWsQ4/ (verified)
Let's print a failed check:
doveadm pw -s CRYPT -V{CRYPT}/uuE/
Enter new password:
Retype new password:
reverse password verification check failed
FYI the word used for those test cases was password. Regards, ___ Jimmy Thrasibule spack.wo...@gmail.com
# HG changeset patch # Parent 60f3d0b8900d667a8f8c360d3f1e5e9b4eeeb07a Allow user hash verification in doveadm-pw diff -r 60f3d0b8900d -r 2a28902f1975 src/doveadm/doveadm-pw.c --- a/src/doveadm/doveadm-pw.c Tue Aug 30 09:57:08 2011 +0300 +++ b/src/doveadm/doveadm-pw.c Wed Aug 31 23:36:33 2011 +0200 @@ -19,6 +19,7 @@ { const char *hash = NULL; const char *user = NULL; + const char *Vhash = NULL; const char *scheme = NULL; const char *plaintext = NULL; int ch, lflag = 0, Vflag = 0; @@ -27,7 +28,7 @@ random_init(); password_schemes_init(); - while ((ch = getopt(argc, argv, lp:r:s:u:V)) != -1) { + while ((ch = getopt(argc, argv, lp:r:s:u:V::)) != -1) { switch (ch) { case 'l': lflag = 1; 
@@ -47,6 +48,7 @@ break; case 'V': Vflag = 1; + Vhash = optarg; break; case '?': default: @@ -95,9 +97,20 @@ size_t size; const char *error; - if (password_decode(hash, scheme, raw_password, size) = 0) { - fprintf(stderr, reverse decode check failed\n); - exit(2); + if (Vhash != NULL) { + const char *Vscheme; + + if (Vscheme = password_get_scheme(Vhash)) { +if (password_decode(Vhash, Vscheme, raw_password, size) = 0) { + fprintf(stderr, reverse decode check failed\n); + exit(2); +} + } + } else { + if (password_decode(hash, scheme, raw_password, size) = 0) { +fprintf(stderr, reverse decode check failed\n); +exit(2); + } } if (password_verify(plaintext, user, scheme, @@ -117,5 +130,5 @@ struct doveadm_cmd doveadm_cmd_pw = { cmd_pw, pw, - [-l] [-p plaintext] [-r rounds] [-s scheme] [-u user] [-V] + [-l] [-p plaintext] [-r rounds] [-s scheme] [-u user] [-V[hash]] };
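Review bot: the `V::` added to the getopt string in the `while ((ch = getopt(argc, argv, lp:r:s:u:V::))` hunk depends on the GNU extension for optional option arguments; POSIX getopt() has no `::`, so on a non-glibc libc the hash is not consumed as the -V argument and `Vhash = optarg` in the later hunk is never set. Even with GNU getopt the hash only counts if it is attached to -V without a space (as the examples in the message do it), otherwise optarg is NULL and the hash is left in argv as a stray positional argument. Suggest either a separate option that takes a required argument, or reading the hash from the remaining argv after getopt, and a comment at the getopt call documenting which form is expected.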
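Review bot: inside the new `if (Vhash != NULL)` block the `if (Vscheme = password_get_scheme(Vhash))` test has no else branch, so a -V value with no `{SCHEME}` prefix skips password_decode() entirely and control falls through to the unchanged `password_verify(plaintext, user, scheme,` call with raw_password and size never assigned. In addition, the decode uses Vscheme from the prefix while password_verify() still gets `scheme` from -s, so a hash whose prefix differs from -s is decoded under one scheme and checked under another. Suggest assigning Vscheme in its own statement before the condition (the assignment-in-if also reads as a typo for `==`), defaulting it to `scheme` when no prefix is present, and either passing Vscheme to password_verify() or failing with a clear message when the two schemes disagree; a -V specific error text instead of the reused "reverse decode check failed" would also help users tell the two paths apart.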
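Review bot: the usage string update to `[-V[hash]]` in the `struct doveadm_cmd doveadm_cmd_pw` hunk is the only documentation of the new behaviour; the doveadm-pw man page and the option description should say that the hash is given attached to -V (no space), that it may carry a `{SCHEME}` prefix, and that the entered plaintext is then checked against that hash instead of the freshly generated one, with the exit status used for a failed check.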
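The check the message describes for the SSHA.HEX case, written out in Python as an added example (not the patch's code and not Dovecot's): split the `{SCHEME}` prefix, decode the hex payload into SHA1 digest plus salt, recompute and compare in constant time. It assumes Dovecot's SSHA layout of sha1(password || salt) followed by the salt (the 48-hex-character hashes in the message fit a 20-byte digest plus a 4-byte salt); all function names are this example's own.

```python
"""Verify a Dovecot-style {SSHA.HEX} password hash against a plaintext."""
import hashlib
import hmac
import os
import re

_PREFIX_RE = re.compile(r"^\{([A-Za-z0-9.\-]+)\}(.*)$", re.DOTALL)
SHA1_LEN = hashlib.sha1().digest_size     # 20 bytes
DEFAULT_SALT_LEN = 4                       # assumption: matches the 24-byte hashes above


def split_scheme(encoded):
    """Return (SCHEME, payload) from '{SCHEME}payload'; the scheme is upper-cased."""
    m = _PREFIX_RE.match(encoded)
    if not m:
        raise ValueError("hash has no {SCHEME} prefix")
    return m.group(1).upper(), m.group(2)


def decode_ssha_hex(payload):
    """Split a hex SSHA payload into (digest, salt); the salt must be non-empty."""
    try:
        raw = bytes.fromhex(payload)
    except ValueError:
        raise ValueError("SSHA.HEX payload is not valid hex")
    if len(raw) <= SHA1_LEN:
        raise ValueError("payload too short for a SHA1 digest plus salt")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def generate_ssha_hex(plaintext, salt=None):
    """Produce '{SSHA.HEX}' + hex(sha1(plaintext || salt) || salt)."""
    if salt is None:
        salt = os.urandom(DEFAULT_SALT_LEN)
    digest = hashlib.sha1(plaintext.encode("utf-8") + salt).digest()
    return "{SSHA.HEX}" + (digest + salt).hex()


def verify(plaintext, encoded):
    """True if plaintext matches the {SSHA.HEX} hash; ValueError on malformed input
    or an unsupported scheme (this example implements SSHA.HEX only)."""
    scheme, payload = split_scheme(encoded)
    if scheme != "SSHA.HEX":
        raise ValueError("unsupported scheme %s" % scheme)
    digest, salt = decode_ssha_hex(payload)
    expected = hashlib.sha1(plaintext.encode("utf-8") + salt).digest()
    # Constant-time comparison so a mismatch does not leak position information.
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    # The two hashes quoted in the message; the message states the plaintext was "password".
    for h in ("{SSHA.HEX}58b910d947c60b35be3e12b0d9897c1f87dfa450e6d5a75c",
              "{SSHA.HEX}4fdf801f57870fb624bee60895c2308187837dfb3987ca06"):
        print(h, "(verified)" if verify("password", h) else "reverse password verification check failed")
    print(generate_ssha_hex("password"))   # a fresh hash with a random salt
```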
Re: [Dovecot] thunderbird and subscriptions with sieve
On 8/31/2011 10:48 PM, Kristen J. Webb wrote: Hi All, I'm a newbie trying to move mail out of my ISP onto a ubuntu (lucid) dovecot 1.2.9 server. Is there any way to automatically add folders created by sieve (GNU Mailutils 2.1) to the subscriptions file for a user? I'm currently testing spam, and if sieve created the folder with the first message, the thunderbird user does not see the new folder. Even more interesting, if the user then tries to create the Spam directory it thunderbird seems to quietly ignore the request and the user still cannot see the folder, but I digress... I can manually subscribe with thunderbird, but this won't scale for more complex sieve later by making the user responsible for finding everything. I can turn off subscription view in advanced settings on thunderbird, but we are trying to wean ourselves of of individual mail clients and I don't want to have to test this everywhere. Many thanks in advance! If you set lda_mailbox_autosubscribe to yes, it will subscribe folders created by Sieve automatically. However, afaik Thunderbird will not notice the subscription at first. You need to reconnect for that to be noticed. Regards, Stephan.
Re: [Dovecot] thunderbird and subscriptions with sieve
On 8/31/2011 7:15 PM, Stephan Bosch wrote: If you set lda_mailbox_autosubscribe to yes, it will subscribe folders created by Sieve automatically. However, afaik Thunderbird will not notice the subscription at first. You need to reconnect for that to be noticed. That's been my experience. Sometimes a refresh will pick it up, but Thunderbird tends to be very slow about picking up new folders until you restart Thunderbird. Note that in Dovecot v1, there's a flag that you set on the dovecot LDA to enable this behavior (lda_mailbox_autosubscribe was added in Dovecot v2): http://wiki.dovecot.org/LDA Note the -n and -s parameters. (Which get configured in master.cf if you're using Postfix. Not sure how that gets configured on other MTAs.)
Re: [Dovecot] Multiple domains to one inbox and temporary redirects...
On 8/31/2011 12:41 PM, Nick Rosier wrote: I'm using Postfixadmin to manage users and have server alias-domains. All mail sent to an alias-domain is delivered to the other domain. Quite easy if you've got postfixadmin already setup. Otherwise I think you could configure virtual_alias_maps in postfix to something like hash:virtual_domains virtual_domains: @example.net @example.com It's been a while since I played with virtual_alias_maps, but does that allow Postfix to say that account doesn't exist during the initial SMTP transaction? We try to reject as much as possible during the SMTP session to avoid any later bounces. I remember that one of the ways of doing it was bad as Postfix would accept, then a later step (maybe the LDA) would say whoops! can't deliver this. So we do it one by one by creating a virtual mailbox under the primary domain (us...@example.com) and then doing a virtual alias under the secondary domain (us...@example.net - us...@example.com).
[Dovecot] sorting order changed during migration from courier
Hello, I've been working to migrate to dovecot (debian stable: 1:1.2.15-7) from courier (debian old-stable: 4.4.0-2). I've setup everything and migrated a test user over to the new system, and ran the courier-dovecot-migrate.pl script. The user is using alpine (the free version of pine) and their sort order changed on move to dovecot. Originally it was the default in alpine, which is to sort based on arrival. If he changes the sort order in alpine to sort based on date, then things are back to how he expects it. I noticed that there are no known issues with pine (http://wiki.dovecot.org/Clients#Pine). Ideally, I would prefer if all the users who are migrated aren't presented with a different sort order than they were used to, as the support burden will be quite high. What is it about this migration that could have caused that, and more importantly, how can I fix it? I moved the mail from the original system to this system via rsync -a. The old system was an i686 machine and ext3, this new one is amd64 and ext4. thanks for any ideas! micah

# dovecot -n
# 1.2.15: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-5-amd64 x86_64 Debian 6.0.2
protocols: imap imaps pop3 pop3s
disable_plaintext_auth: no
verbose_ssl: yes
login_dir: /var/run/dovecot/login
login_executable(default): /usr/lib/dovecot/imap-login
login_executable(imap): /usr/lib/dovecot/imap-login
login_executable(pop3): /usr/lib/dovecot/pop3-login
login_greeting: howdy, ready.
login_processes_count: 10
login_max_processes_count: 256
first_valid_uid: 8
last_valid_uid: 8
first_valid_gid: 8
last_valid_gid: 8
mail_uid: 8
mail_gid: 8
mail_location: maildir:~/
maildir_copy_preserve_filename: yes
maildir_very_dirty_syncs: yes
mbox_write_locks: fcntl dotlock
mail_executable(default): /maildir/postlogin_imap
mail_executable(imap): /maildir/postlogin_imap
mail_executable(pop3): /maildir/postlogin_pop
mail_process_size: 512
mail_plugins(default): expire quota imap_quota
mail_plugins(imap): expire quota imap_quota
mail_plugins(pop3): expire quota
mail_plugin_dir(default): /usr/lib/dovecot/modules/imap
mail_plugin_dir(imap): /usr/lib/dovecot/modules/imap
mail_plugin_dir(pop3): /usr/lib/dovecot/modules/pop3
imap_client_workarounds(default): tb-extra-mailbox-sep delay-newmail
imap_client_workarounds(imap): tb-extra-mailbox-sep delay-newmail
imap_client_workarounds(pop3):
pop3_client_workarounds(default):
pop3_client_workarounds(imap):
pop3_client_workarounds(pop3): outlook-no-nuls oe-ns-eoh
namespace:
  type: private
  separator: .
  prefix: INBOX.
  inbox: yes
  list: yes
  subscriptions: yes
lda:
  postmaster_address: postmas...@riseup.net
auth default:
  default_realm: riseup.net
  verbose: yes
  passdb:
    driver: sql
    args: /etc/dovecot/dovecot-sql.conf
  userdb:
    driver: prefetch
dict:
  expire: mysql:/etc/dovecot/dovecot-dict-expire.conf
Re: [Dovecot] thunderbird and subscriptions with sieve
On 31.8.2011, at 23.48, Kristen J. Webb wrote:
Is there any way to automatically add folders created by sieve (GNU Mailutils 2.1) to the subscriptions file for a user?

You mean you're using Mailutils Sieve, not Dovecot Sieve? The only reasonable solution I can think of is: Mailutils Sieve would have to subscribe to newly created folders itself, maybe by patching it or if it supports running some script then doing it that way. With Dovecot v2.0 it could run doveadm mailbox subscribe $folder, but with v1.2 you'd have to write your own script. Any other solution would basically require always subscribing to all folders, which kind of defeats their whole purpose.
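A script of the kind Timo describes, added here as an example and not taken from the thread or from Dovecot itself: it lists the Maildir++ folders that are on disk but not in the user's subscriptions file, and subscribes them with doveadm on Dovecot v2.0. It assumes the Maildir++ layout ($MAILDIR/.Folder with cur/new/tmp), the namespace prefix INBOX. with separator "." shown in this thread's configs, and a subscriptions file holding one folder name per line without the INBOX. prefix; check those against your own setup before using it.

```shell
#!/bin/sh
# Added example, not Dovecot's own code. Assumptions: Maildir++ layout,
# namespace prefix "INBOX." with separator ".", and a subscriptions file
# with one folder name per line, without the INBOX. prefix.

# Print folder names that exist under the Maildir but are not listed in
# $1/subscriptions. Only directory names are read, never message contents.
unsubscribed_folders() {
    maildir=$1
    subs=$maildir/subscriptions
    [ -f "$subs" ] || subs=/dev/null          # no file yet: everything is new
    for dir in "$maildir"/.*/; do
        name=${dir%/}; name=${name##*/}; name=${name#.}
        case "$name" in ''|.) continue ;; esac  # skip . and ..
        [ -d "$dir/cur" ] || continue           # real Maildir++ folders have cur/
        grep -Fxq -- "$name" "$subs" || printf '%s\n' "$name"
    done
}

# Subscribe every missing folder for one user (Dovecot v2.0+ only; v1.2 has
# no doveadm, so there the subscriptions file itself would have to be updated).
subscribe_missing() {
    user=$1; maildir=$2
    unsubscribed_folders "$maildir" | while IFS= read -r name; do
        doveadm mailbox subscribe -u "$user" "INBOX.$name"
    done
}
```

Run it after Mailutils Sieve has filed mail, e.g. `subscribe_missing kristen /home/kristen/Maildir`; doveadm then subscribes INBOX.Foo for each folder .Foo that was not yet listed.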
Re: [Dovecot] Proprietary mail storage.
Should work fine.

On 31.8.2011, at 22.19, Alex Cherniak wrote:
Thanks, Timo. Technically, it's not a Maildir, but my plan is to re-create one with folders containing hard or symbolic links pointing to the real storage. Is it going to be a problem?

On Wed, Aug 31, 2011 at 10:52 AM, Timo Sirainen t...@iki.fi wrote:
On 31.8.2011, at 17.24, Alex Cherniak wrote:
I have a large existing read-only collection of mails packaged in individual zip files as rfc822 file+some additional info. Is it possible (and how difficult) to create a proprietary plugin (like gzip) which will open a zip file, extract mail and pass it back to Dovecot? Where do I start? If plugin is not the right approach, what is?

Is it otherwise a Maildir? If yes, you could base your code on the zlib plugin, or perhaps more easily you could use mail-filter plugin: http://dovecot.org/patches/2.0/mail-filter.tar.gz With mail-filter you can basically just put the messages through whatever program/script you want which gets the mail as input and outputs the wanted message body. I think the v2.0 mail-filter had some (potential?) bug, v2.1 mail-filter is anyway redesigned and should work perfectly.

Another question is how will this affect Dovecot performance and how to avoid any significant degradation.

I doubt it's going to be a problem.