Re: [Dovecot] How to achieve proper privilege separation?
Unfortunately I can see that in my case /usr/libexec/dovecot/imap accesses both the inbox and the mail directories of the user as root. Moreover, it creates the lock file as root. I can see no process running as the user. How could I teach dovecot to start the imap process as the user? What configuration options should I blame? Thx: Dw.

dovecot -n
# 2.0.17 (684381041dc4+): /etc/dovecot/dovecot.conf
# OS: Linux 3.2.6-hardened i686 Gentoo Base System release 2.0.3
auth_socket_path = /var/run/dovecot/auth-userdb
auth_verbose = yes
auth_worker_max_count = 16
base_dir = /var/run/dovecot/
disable_plaintext_auth = no
first_valid_gid = 99
first_valid_uid = 1000
hostname =
last_valid_gid = 65533
last_valid_uid = 1003
listen = *
mail_access_groups = mail
mail_full_filesystem_access = yes
mail_gid = mail
mail_location = mbox:~/mail/:INBOX=/var/spool/mail/%u
mail_max_keyword_length = 150
mail_privileged_group = mail
mail_uid = mail
passdb {
  args = *
  driver = pam
}
plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
postmaster_address = postmaster@
protocols = imap
service auth-worker {
  user = root
}
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
  service_count = 1
  vsz_limit = 16 M
}
service imap {
  process_limit = 4
  vsz_limit = 64 M
}
ssl_cert = </etc/apache2/ssl/cert.pem
ssl_key = </etc/apache2/ssl/key.pem
userdb {
  driver = passwd
}
verbose_proctitle = yes
protocol lda {
  mail_plugins = sieve
}
protocol imap {
  imap_client_workarounds = delay-newmail tb-extra-mailbox-sep tb-lsub-flags
  imap_max_line_length = 64 k
}

-- 
dr Tóth Attila, Radiologist, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

On 23 February 2012 (Thu) 06:29, Timo Sirainen wrote:
On 23.2.2012, at 7.20, Tóth Attila wrote:
I'm using a simple mbox config with regular Unix users and pam authentication. I'm also using grsecurity. That's why I see what dovecot does in which user's name.
As time goes by and new versions are coming, I can frustratedly see that more and more tasks are performed as root. Why?
Fewer tasks should be running as root now. The master process code is a lot smaller.
When I used the 1.x series of Dovecot, the imap process started in the name of the user whose mbox was accessed. Now I can see that nearly every task is performed by root. Why? It even tampers with the mail directories of each user as root instead of as the user, as was usual long before.
The imap process starts as root, does a userdb lookup and then drops privileges to that user. It worked this way before too, only the userdb lookup code was done by the master process.
Re: [Dovecot] How to achieve proper privilege separation?
On Thu, 2012-02-23 at 09:03 +0100, Tóth Attila wrote:
Unfortunately I can see that in my case /usr/libexec/dovecot/imap accesses both the inbox and the mail directories of the user as root. Moreover, it creates the lock file as root. I can see no process running as the user. How could I teach dovecot to start the imap process as the user? What configuration options should I blame?

Well, that's strange. There shouldn't be any way for you to make imap access mails as root, even if you wanted to do that. If you log in as root, it'll fail with:

Error: user root: Invalid settings in userdb: userdb returned 0 as uid
Fatal: Invalid user settings. Refer to server log for more information.

If there's a bug and it just somehow manages to get through that check, it fails with:

Fatal: We couldn't drop root privileges

So... I'm not really sure what could be wrong. It makes me think maybe Gentoo's hardening features somehow mess this up, but I can't really think of how that could either. Set auth_debug=yes and mail_debug=yes. What does it log when logging in?
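The two error messages Timo quotes correspond to two separate checks: refusing a userdb answer of uid 0 before any privilege change, and verifying after setuid() that root really is gone. The following is an added example in C, not Dovecot's own code, showing that check order for a service that starts as root and must end up running as the looked-up user; the uid/gid ranges are taken from the poster's dovecot -n above (first_valid_uid = 1000, last_valid_uid = 1003, first_valid_gid = 99, last_valid_gid = 65533), while the status codes and function names are my own.

```c
/* Added example (not Dovecot code): privilege-drop sequence for a service
 * that starts as root, looks the user up, and must then run as that user.
 * The userdb answer is validated before any setuid(), and the drop is
 * verified afterwards, mirroring the two failure messages in the reply. */
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

enum priv_status {
    PRIV_OK = 0,
    PRIV_ROOT_UID,     /* "userdb returned 0 as uid" */
    PRIV_ROOT_GID,     /* gid 0 is refused the same way */
    PRIV_UID_RANGE,    /* outside first_valid_uid..last_valid_uid */
    PRIV_GID_RANGE,    /* outside first_valid_gid..last_valid_gid */
    PRIV_SYSCALL,      /* setgroups/setgid/setuid failed */
    PRIV_STILL_ROOT    /* "We couldn't drop root privileges" */
};

struct valid_ids {
    uid_t first_uid, last_uid;
    gid_t first_gid, last_gid;
};

/* Ranges copied from the poster's dovecot -n output (demo values). */
static const struct valid_ids demo_limits = { 1000, 1003, 99, 65533 };

/* Step 1: reject what the userdb returned before touching any privilege. */
enum priv_status userdb_check(uid_t uid, gid_t gid, const struct valid_ids *v)
{
    if (uid == 0)
        return PRIV_ROOT_UID;
    if (gid == 0)
        return PRIV_ROOT_GID;
    if (uid < v->first_uid || uid > v->last_uid)
        return PRIV_UID_RANGE;
    if (gid < v->first_gid || gid > v->last_gid)
        return PRIV_GID_RANGE;
    return PRIV_OK;
}

/* Step 2: drop irreversibly. Order matters: supplementary groups first,
 * then gid, then uid, because once the uid is no longer 0 the process can
 * no longer change its group list. Step 3: prove the drop really happened. */
enum priv_status drop_privileges(uid_t uid, gid_t gid, const struct valid_ids *v)
{
    enum priv_status st = userdb_check(uid, gid, v);
    if (st != PRIV_OK)
        return st;

    if (geteuid() == 0 && setgroups(0, NULL) < 0)   /* root-only call */
        return PRIV_SYSCALL;
    if (setgid(gid) < 0 || setuid(uid) < 0)         /* real+effective+saved */
        return PRIV_SYSCALL;

    /* Every id must now belong to the target user ... */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return PRIV_STILL_ROOT;
    /* ... and regaining root must fail (a leftover saved uid 0 would allow it). */
    if (setuid(0) == 0 || setgid(0) == 0)
        return PRIV_STILL_ROOT;
    return PRIV_OK;
}

/* Convenience wrapper: "drop" to the ids the process already has. As an
 * ordinary user this exercises the whole path and returns PRIV_OK; as root
 * it is refused with PRIV_ROOT_UID, exactly like a userdb answer of uid 0. */
enum priv_status drop_to_self(void)
{
    struct valid_ids self = { getuid(), getuid(), getgid(), getgid() };
    return drop_privileges(getuid(), getgid(), &self);
}

int main(void)
{
    /* Constructed userdb answers: the poster's account, and a root answer. */
    printf("uid 1000/gid 100: %d (expect %d)\n",
           userdb_check(1000, 100, &demo_limits), PRIV_OK);
    printf("uid 0: %d (expect %d)\n",
           userdb_check(0, 100, &demo_limits), PRIV_ROOT_UID);
    printf("drop_to_self: %d\n", drop_to_self());
    return 0;
}
```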
[Dovecot] v2.1.1 released
http://dovecot.org/releases/2.1/dovecot-2.1.1.tar.gz
http://dovecot.org/releases/2.1/dovecot-2.1.1.tar.gz.sig

v2.1.0 had a couple of bugs, but overall people have been pretty quiet about it. I'm hoping v2.1.2 won't need to be released for many more weeks. :) BTW. v2.2 branch has also been opened in hg. Not much stuff in there yet though.

+ dsync: If message with same GUID is saved multiple times in session, copy it instead of re-saving.
- acl plugin + autocreated mailboxes crashed when listing mailboxes
- doveadm force-resync: Don't skip autocreated mailboxes (especially INBOX).
- If process runs out of fds, stop listening for new connections only temporarily, not permanently (avoids hangs with process_limit=1 services)
- auth: passdb imap crashed for non-login authentication (e.g. smtp).
[Dovecot] Why is dovecot involved in my smtp process
I've been trying to get smtp auth set up for days. All my sendmail and sasl2 stuff seems to be proper, but the user can't use the system on port 587, which is where I require authorization. Now I see messages in my maillog of the type:

auth: pam_unix(dovecot:auth) : authentication failure

Why is dovecot involved in my smtp processes and how do I fix this? I've got some very mad users. The 10-auth.conf file is pretty much stock except for allowing plain text logins. steve campbell
Re: [Dovecot] Why is dovecot involved in my smtp process
On 23.02.2012 16:16, Steve Campbell wrote:
I've been trying to get smtp auth set up for days. All my sendmail and sasl2 stuff seems to be proper, but the user can't use the system on port 587, which is where I require authorization. Now I see messages in my maillog of the type: auth: pam_unix(dovecot:auth) : authentication failure Why is dovecot involved in my smtp processes and how do I fix this? I've got some very mad users. The 10-auth.conf file is pretty much stock except for allowing plain text logins.

Dovecot can be used as an authentication source. It has its own implementation of the SASL library which can be used instead of the Cyrus SASL implementation. In Dovecot2 the config for auth is in 10-master.conf, service auth. Please see:
for dovecot 1.x: http://wiki.dovecot.org/Sasl
for dovecot 2.x: http://wiki2.dovecot.org/Sasl
on the postfix side: http://www.postfix.org/SASL_README.html#server_dovecot
-- Adam Szpakowski
Re: [Dovecot] duplicates with multiple To/CC and sieve redirect copy
On 23.02.2012 02:15, Stephan Bosch wrote:
On 2/22/2012 12:15 AM, Adam Szpakowski wrote:
Maybe there is a way to use procmail with something like this:

:0 Wh: msgid.lock
| formail -D 8192 .msgid.cache

But is there a safe way to use it together with sieve? Using the Pigeonhole Sieve Pipe Plugin?

There are a few options:
* You can use Procmail as primary delivery agent and invoke dovecot-lda/sieve from within Procmail once Procmail has determined that it is not a duplicate.

This is a great option but, if I understand correctly, not when Postfix is using LMTP to talk to Dovecot. In this client of mine, the Postfix (MDA) and Dovecot (MAA) are in different physical locations and LMTP is tunnelled via SSH.

* I've just created an alternative that implements something similar to the Procmail code you posted above, but from within Sieve itself. [cut]

Great extension. I'll try and use it on one of the servers as soon as possible. Thanks for the work. BTW... There is another solution to my problem, which ended up being implemented in this case. I'm using Postfix to BCC all mails on the domain level to the archive account. In this account I've set up all the logic which ends by calling redirect :copy. This solution eliminates copies from multiple To/CC.
-- Adam Szpakowski
Re: [Dovecot] Why is dovecot involved in my smtp process
On 2/23/2012 10:30 AM, Adam Szpakowski wrote: On 23.02.2012 16:16, Steve Campbell wrote: I've been trying to get smtp auth set up for days. All my sendmail and sasl2 stuff seems to be proper, but the user can't use the system on port 587, which is where I require authorization. Now I see messages in my maillog of the type: auth: pam_unix(dovecot:auth) : authentication failure Why is dovecot involved in my smtp processes and how do I fix this? I've got some very mad users. The 10-auth.conf file is pretty much stock except for allowing plain text logins. Dovecot can be used as an authentication source. It has its own implementation of the SASL library which can be used instead of the Cyrus SASL implementation. In Dovecot2 the config for auth is in 10-master.conf, service auth. Please see: for dovecot 1.x: http://wiki.dovecot.org/Sasl for dovecot 2.x: http://wiki2.dovecot.org/Sasl on the postfix side: http://www.postfix.org/SASL_README.html#server_dovecot
That's all great, but what about sendmail? What should my pam.d/dovecot file look like, what should my dovecot.conf file look like? All this just runs me around in circles. Thanks for the pointers, but I've been over that a million times and nothing seems to work. steve
Re: [Dovecot] Why is dovecot involved in my smtp process
On 2012-02-23 10:16 AM, Steve Campbell campb...@cnpapers.com wrote: Why is dovecot involved in my smtp processes Because you told it to? and how do I fix this. Depends on what your intent is - what MTA you use - how it is configured - etc... I've got some very mad users. Don't make changes to an existing and/or go live with a new system without properly testing? The 10-auth.conf file is pretty much stock except for allowing plain text logins. This file is irrelevant unless you have your MTA configured to use dovecot-sasl... dovecot only *assists* an MTA in authenticating, it isn't an MTA. -- Best regards, Charles
Re: [Dovecot] duplicates with multiple To/CC and sieve redirect copy
On 2/23/2012 4:37 PM, Adam Szpakowski wrote: On 23.02.2012 02:15, Stephan Bosch wrote: * I've just created an alternative that implements something similar to the Procmail code you posted above, but from within Sieve itself. [cut] Great extension. I'll try and use it on one of the servers as soon as possible. Thanks for the work. BTW... There is another solution to my problem, which ended up being implemented in this case. I'm using Postfix to BCC all mails on the domain level to the archive account. In this account I've set up all the logic which ends by calling redirect :copy. This solution eliminates copies from multiple To/CC.
Ok, please keep me apprised. Once it is tested a bit more I'll add it to the main Pigeonhole package. This plugin does not add any dependencies, so this is no problem whatsoever. Regards, Stephan.
Re: [Dovecot] Why is dovecot involved in my smtp process
On 2/23/2012 10:47 AM, Charles Marcus wrote:
On 2012-02-23 10:16 AM, Steve Campbell campb...@cnpapers.com wrote:
Why is dovecot involved in my smtp processes
Because you told it to?
Where did I tell it to do this?
and how do I fix this.
Depends on what your intent is - what MTA you use - how it is configured - etc...
Sendmail - pretty much default except I'm trying to use port submission (587).
I've got some very mad users.
Don't make changes to an existing and/or go live with a new system without properly testing?
Unfortunately, switching over to a new server didn't show me most of the problems until after it had run a while. Dovecot is probably a great application, but the wiki sucks when you run sendmail; the help files are a little vague and run me around in circles. I postponed (actually moved the server back to the old server) for a week to fix the problems I ran into upon first putting it into service. After fixing those, it was only later that the last batch of problems showed up. You're right that I should have tested more, but that's not what I need to be hearing right now. Most of my conversions go without problems and I've been doing this for quite a few years (decades).
The 10-auth.conf file is pretty much stock except for allowing plain text logins.
This file is irrelevant unless you have your MTA configured to use dovecot-sasl... dovecot only *assists* an MTA in authenticating, it isn't an MTA.
My sendmail configs don't even list dovecot. steve
Re: [Dovecot] Why is dovecot involved in my smtp process
I've been trying to get smtp auth set up for days. All my sendmail and sasl2 stuff seems to be proper, but the user can't use the system on port 587, which is where I require authorization. My guess is that your sasl2 configuration is configured to use your imap server to authenticate users. Check your sasl2 software's documentation.
[Dovecot] Can't connect to my mail server (postfix + dovecot, IMAP) with Thunderbird
Hi, I've a problem with Dovecot and Thunderbird. Actually I'm trying to set up a virtual host mail server with postfix + dovecot (2.0.9) on CentOS 6.2. This is my dovecot -n: http://pastebin.com/wZWAE5Cj (I guess the errors are not important, that's just saying there are some obsolete values; I will fix that later, as long as it's not inconvenient for setting up dovecot correctly). I've a file to store passwords (/etc/dovecot/passwd) and when I'm trying to connect with telnet to my host on port 143 it works; after that I can log myself in with the command «a login u...@domain.tld passwd» and it works. This is the entire output of the telnet connection: http://pastebin.com/h10cQVqf but actually when I'm trying to connect with Thunderbird I've an error about the password and the login, this is a screenshot: http://images.koshie.fr/TB_problem.png and to finish, there is nothing in the log... The password and the user are correct! Of course, dovecot and postfix are started, this is the netstat -a | grep dovecot: http://pastebin.com/bwfsS4Tf If you need more information tell me. PS: Excuse me for my bad English, also I'm new with dovecot. Cordially, GASPARD Kévin
Re: [Dovecot] Why is dovecot involved in my smtp process
On Thu, Feb 23, 2012 at 10:16:34AM -0500, Steve Campbell wrote: I've been trying to get smtp auth set up for days. All my sendmail and sasl2 stuff seems to be proper, but the user can't use the system on port 587, which is where I require authorization. Now I see where messages are in my maillog of the type: auth: pam_unix(dovecot:auth) : authentication failure Why is dovecot involved in my smtp processes and how do I fix this. I would question that these failures are in fact related to what Sendmail is doing. Does Sendmail even support Dovecot SASL? AFAIK it does not, therefore there is no way that Dovecot could possibly interfere with SMTP AUTH in Sendmail. I've got some very mad users. And you are jumping to conclusions. I suggest that you take this matter to a Sendmail forum. When you do, provide all relevant configuration as well as complete logging to show the problem. No useful help is possible with what you posted here. The 10-auth.conf file is pretty much stock except for allowing plain text logins. -- http://rob0.nodns4.us/ -- system administration and consulting Offlist GMX mail is seen only if /dev/rob0 is in the Subject:
Re: [Dovecot] Why is dovecot involved in my smtp process
On 2/23/2012 11:23 AM, Peter A. Giessel wrote: I've been trying to get smtp auth set up for days. All my sendmail and sasl2 stuff seems to be proper, but the user can't use the system on port 587, which is where I require authorization. My guess is that your sasl2 configuration is configured to use your imap server to authenticate users. Check your sasl2 software's documentation.
You're correct. This server is our smtp, imap, and pop server. All authentication is done there, supposedly through PAM, but dovecot seems to interfere with sendmail's smtp auth processes and overrides what typically was done in a non-interfered way with sasl.
[Dovecot] Can't connect to my mail server (postfix + dovecot, IMAP) with Thunderbird
I'm sorry, someone told me (on IRC) that my netstat is useless. Also my pastes will be destroyed in something like one day, that's stupid (they are originally for IRC), so this is the output of my:
dovecot -n : http://pastebin.com/Tewcb7bm
telnet : http://pastebin.com/6gY2puxF
netstat -Nnap | grep dovecot : http://pastebin.com/yx2wxfWf
Sorry for the error.
Re: [Dovecot] Why is dovecot involved in my smtp process
Hi Steve, At 07:16 23-02-2012, Steve Campbell wrote: I've been trying to get smtp auth set up for days. All my sendmail and sasl2 stuff seems to be proper, but the user can't use the system on port 587, which is where I require authorization. Now I see where messages are in my maillog of the type: auth: pam_unix(dovecot:auth) : authentication failure Why is dovecot involved in my smtp processes and how do I fix this. I've got some very If you are using sendmail as the MTA, Dovecot is not involved for authentication on mail submission. The maillog line you provided does not contain enough information to tell what triggered the error. Regards, -sm
Re: [Dovecot] Why is dovecot involved in my smtp process
On 2/23/2012 11:33 AM, /dev/rob0 wrote:
On Thu, Feb 23, 2012 at 10:16:34AM -0500, Steve Campbell wrote:
I've been trying to get smtp auth set up for days. All my sendmail and sasl2 stuff seems to be proper, but the user can't use the system on port 587, which is where I require authorization. Now I see messages in my maillog of the type: auth: pam_unix(dovecot:auth) : authentication failure Why is dovecot involved in my smtp processes and how do I fix this?
I would question that these failures are in fact related to what Sendmail is doing. Does Sendmail even support Dovecot SASL? AFAIK it does not, therefore there is no way that Dovecot could possibly interfere with SMTP AUTH in Sendmail.
Why is sendmail using Dovecot sasl when I have the regular sasl set up? If I turn off dovecot, telnet to 587, I get no failures in my logs. If I turn on dovecot and do the same, I get auth failures in my secure file.
I've got some very mad users.
And you are jumping to conclusions. I suggest that you take this matter to a Sendmail forum. When you do, provide all relevant configuration as well as complete logging to show the problem. No useful help is possible with what you posted here.
In other words, don't use sendmail if I use dovecot?
The 10-auth.conf file is pretty much stock except for allowing plain text logins.
I'm really having problems following the logic here. It seems that postfix and dovecot are the only way to go if I use alternate ports with smtp auth. Is that what everyone is implying? I'll try to see what the sendmail guys are saying, but I don't think they'll provide much as long as it involves dovecot. Thanks for the help steve
Re: [Dovecot] Why is dovecot involved in my smtp process
If you are using sendmail as the MTA, Dovecot is not involved for authentication on mail submission. The maillog line you provided does not contain enough information to tell what triggered the error.
Not totally true. A typical cyrus sasl2 implementation used with sendmail uses an imap server for smtp authentication. I recall having to tweak the sasl2 configuration on my own sendmail server to talk correctly with dovecot. I don't recall the exact tweaks. I suggest reviewing the sasl2 implementation's documentation (the OP has not to my knowledge stated which sasl implementation he is using). It sounds like a sasl2 problem, not necessarily a dovecot problem.
[Dovecot] Settings for authentication without an extra password file
Hello, I'm new to dovecot, and, due to having an older version of an OS installed on a test server, I'll be using an older version of dovecot (dovecot-1.0-1.2) to provide IMAP services. On this wiki page (http://wiki.dovecot.org/BasicConfiguration?highlight=%28passwd.dovecot%29) there are instructions for creating a separate dovecot password file:

echo $USER:{PLAIN}password > passwd.dovecot
sudo mv passwd.dovecot /etc

So, it appears that two password files will be needed, one for dovecot and one for regular system logins. Is the statement above correct, or am I misreading something? Is there a setting in dovecot.conf which will authenticate IMAP using /etc/passwd and /etc/shadow, without a separate dovecot password file? Keith
Re: [Dovecot] Why is dovecot involved in my smtp process
On Thu, Feb 23, 2012 at 12:10:20PM -0500, Steve Campbell wrote: On 2/23/2012 11:33 AM, /dev/rob0 wrote: On Thu, Feb 23, 2012 at 10:16:34AM -0500, Steve Campbell wrote: Why is dovecot involved in my smtp processes and how do I fix this. I would question that these failures are in fact related to what Sendmail is doing. Does Sendmail even support Dovecot SASL? AFAIK it does not, therefore there is no way that Dovecot could possibly interfere with SMTP AUTH in Sendmail. Why is sendmail using Dovecot sasl when I have the regular sasl set up. Fortunately it seems that Peter has identified the issue: Cyrus SASL being configured to use IMAP for authentication. snip In other words, don't use sendmail if I use dovecot? I didn't say that at all, and did not mean to imply it. I'm really having problems following the logic here. Seems that postfix and dovecot are the only way to go if I use alternate ports with smtp auth. Is that what everyone is implying? One thing I *did* say is that what you posted was inadequate to be able to provide real help. And it seems that your issue is only tangentially related to Dovecot. I'll try to see what sendmail guys are saying, but I don't think they'll provide much as long as it involves dovecot. As Peter said, consult the Cyrus SASL documentation. If your SASL will be using IMAP for authentication, you need to ensure that it does so correctly for your Dovecot IMAP. As an alternative, change how Cyrus SASL is configured. The usual suggestion for Sendmail users is to use the same data backend for Cyrus SASL and Dovecot. -- http://rob0.nodns4.us/ -- system administration and consulting Offlist GMX mail is seen only if /dev/rob0 is in the Subject:
Re: [Dovecot] Can't connect to my mail server (postfix + dovecot, IMAP) with Thunderbird
On 2012-02-23 11:36 AM, GASPARD Kévin kevingasp...@lavabit.com wrote: Also my pastes will be destroyed in something like one day, that's stupid (that's originally for IRC), so this is the output of my : dovecot -n : http://pastebin.com/Tewcb7bm telnet : http://pastebin.com/6gY2puxF netstat -Nnap | grep dovecot : http://pastebin.com/yx2wxfWf Sorry for the error. Please don't do that... just post the output in the body of the email. For one it complicates things (people reading email from terminals will not be able to help you), and as well many people simply will not click URL shortened links like those in an email. There is no reason to not simply paste the contents into the email body. -- Best regards, Charles
Re: [Dovecot] Why is dovecot involved in my smtp process
http://dovecot.org/list/dovecot/2009-March/038435.html
-- 
dr Tóth Attila, Radiologist, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

On 23 February 2012 (Thu) 18:10, Steve Campbell wrote:
On 2/23/2012 11:33 AM, /dev/rob0 wrote:
On Thu, Feb 23, 2012 at 10:16:34AM -0500, Steve Campbell wrote:
I've been trying to get smtp auth set up for days. All my sendmail and sasl2 stuff seems to be proper, but the user can't use the system on port 587, which is where I require authorization. Now I see messages in my maillog of the type: auth: pam_unix(dovecot:auth) : authentication failure Why is dovecot involved in my smtp processes and how do I fix this?
I would question that these failures are in fact related to what Sendmail is doing. Does Sendmail even support Dovecot SASL? AFAIK it does not, therefore there is no way that Dovecot could possibly interfere with SMTP AUTH in Sendmail.
Why is sendmail using Dovecot sasl when I have the regular sasl set up? If I turn off dovecot, telnet to 587, I get no failures in my logs. If I turn on dovecot and do the same, I get auth failures in my secure file.
I've got some very mad users.
And you are jumping to conclusions. I suggest that you take this matter to a Sendmail forum. When you do, provide all relevant configuration as well as complete logging to show the problem. No useful help is possible with what you posted here.
In other words, don't use sendmail if I use dovecot?
The 10-auth.conf file is pretty much stock except for allowing plain text logins.
I'm really having problems following the logic here. It seems that postfix and dovecot are the only way to go if I use alternate ports with smtp auth. Is that what everyone is implying? I'll try to see what the sendmail guys are saying, but I don't think they'll provide much as long as it involves dovecot. Thanks for the help steve
Re: [Dovecot] Failing: doveadm sync --remote host-- dsync mirror
Hi --

On 21.02.2012, at 23:03, Michael Grimm wrote:
On 21.02.2012, at 22:57, Timo Sirainen wrote:
Probably intentional. Even if it didn't give that error message, it would fail because v2.0 and v2.1 use a slightly different protocol (I thought about making it backwards compatible, but that seemed like too much work and too much ugliness to code).
Ok. Then I will try both servers upgraded to 2.1 within the next days.

JFTR: It took me some time to find a working syntax ;-)

My working 2.0.18 syntax threw the following error:

vmail dsync -v -f -u test ssh vm...@remote-host.tld dsync -v -f -u test
doveadm(vmail): Fatal: Unknown print formatter: -u
dsync-local(test): Error: read() from worker server failed: EOF

Omitting '-f' or '-v -f' results in:

vmail dsync -v -u test ssh vm...@remote-host.tld dsync -v -u test
dsync: illegal option -- u
dsync-local(test): Error: read() from worker server failed: EOF

Now I switched to the recommended new syntax as stated in http://wiki2.dovecot.org/Upgrading/2.1:

vmail doveadm sync -v -f -u test ssh vm...@remote-host.tld doveadm sync -v -f -u test
doveadm: illegal option -- v
doveadm sync [-u user|-A] [-S socket_path] [-fR] [-m mailbox] dest

ok, following those hints:

vmail doveadm sync -u test -f ssh vm...@remote-host.tld doveadm sync -u test
ssh: Could not resolve hostname dsync-server: hostname nor servname provided, or not known
dsync-local(test): Error: read() from worker server failed: EOF
dsync-local(test): Error: read() from worker server failed: EOF

Hmm, 'man doveadm' doesn't show 'sync', and 'man sync' shows the old syntax. Luckily, I remembered finding a mail of yours in http://www.dovecot.org/list/dovecot/2012-January/062933.html :

| dsync mirror -> doveadm mirror
| dsync backup -> doveadm backup
| dsync server -> doveadm dsync-server (could be hidden from the doveadm commands list)
| I did this now, with mirror -> sync.

After some trial and error I finally found a working syntax:

vmail doveadm sync -u test -f ssh vm...@remote-host.tld doveadm dsync-server -u test

but as long as I didn't get your http://wiki2.dovecot.org/Upgrading/2.1 wrong, it *should* work that way. Added it there. Therefore you might add a warning about the different syntax as well?

Please, don't get me wrong, I'm not complaining. This mail is JFTR, only. And, this mail might help others to save some time after an upgrade to 2.1 and those who mirror mailboxes sitting at different servers.

Thanks and regards,
Michael
Re: [Dovecot] How to achieve proper privilege separation?
In the meantime I've upgraded to 2.1. I've enabled debug logging and logged in. I suspect that hardening features can be blamed for my problem. After booting a previous kernel the behavior was reverted. Here is what I got. As far as I can make it out, it uses the proper user for the imap process according to the logs. Thx: Dw.

Feb 23 20:49:39 atoth dovecot: master: Dovecot v2.1.0 starting up (core dumps disabled)
Feb 23 20:50:12 atoth dovecot: auth: Debug: Loading modules from directory: /usr/lib/dovecot/auth
Feb 23 20:50:12 atoth dovecot: auth: Debug: auth client connected (pid=16584)
Feb 23 20:50:12 atoth dovecot: auth: Debug: client in: AUTH 1 PLAIN service=imap secured lip=127.0.0.1 rip=127.0.0.1 lport=143 rport=50264 resp=<hidden>
Feb 23 20:50:12 atoth dovecot: auth-worker(16586): Debug: Loading modules from directory: /usr/lib/dovecot/auth
Feb 23 20:50:12 atoth dovecot: auth-worker(16586): Debug: pam(atoth,127.0.0.1): lookup service=imap
Feb 23 20:50:12 atoth dovecot: auth-worker(16586): Debug: pam(atoth,127.0.0.1): #1/1 style=1 msg=Password:
Feb 23 20:50:12 atoth dovecot: auth: Debug: client out: OK 1 user=atoth
Feb 23 20:50:12 atoth dovecot: auth: Debug: master in: REQUEST 3337879553 16584 1 0a36f4227122eb3d59466523e937b25b
Feb 23 20:50:12 atoth dovecot: auth: Debug: passwd(atoth,127.0.0.1): lookup
Feb 23 20:50:12 atoth dovecot: auth: Debug: master out: USER 3337879553 atoth system_groups_user=atoth uid=1000 gid=100 home=/home/atoth
Feb 23 20:50:12 atoth dovecot: imap-login: Login: user=<atoth>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=16587, secured
Feb 23 20:50:12 atoth dovecot: imap(atoth): Debug: Effective uid=1000, gid=100, home=/home/atoth
Feb 23 20:50:12 atoth dovecot: imap(atoth): Debug: Namespace inbox: type=private, prefix=, sep=, inbox=yes, hidden=no, list=yes, subscriptions=yes location=mbox:~/mail/:INBOX=/var/spool/mail/atoth
Feb 23 20:50:12 atoth dovecot: imap(atoth): Debug: fs: root=/home/atoth/mail, index=, control=, inbox=/var/spool/mail/atoth, alt=
Feb 23 20:50:12 atoth dovecot: imap(atoth): Disconnected: Logged out in=44 out=747
Feb 23 20:50:12 atoth dovecot: auth: Debug: auth client connected (pid=16588)
Feb 23 20:50:12 atoth dovecot: auth: Debug: client in: AUTH 1 PLAIN service=imap secured lip=127.0.0.1 rip=127.0.0.1 lport=143 rport=50265 resp=<hidden>
Feb 23 20:50:12 atoth dovecot: auth-worker(16586): Debug: pam(atoth,127.0.0.1): lookup service=imap
Feb 23 20:50:12 atoth dovecot: auth-worker(16586): Debug: pam(atoth,127.0.0.1): #1/1 style=1 msg=Password:
Feb 23 20:50:12 atoth dovecot: auth: Debug: client out: OK 1 user=atoth
Feb 23 20:50:12 atoth dovecot: auth: Debug: master in: REQUEST 401211393 16588 1 59b6d569049f955f31991ac3cfb1f54c
Feb 23 20:50:12 atoth dovecot: auth: Debug: passwd(atoth,127.0.0.1): lookup
Feb 23 20:50:12 atoth dovecot: auth: Debug: master out: USER 401211393 atoth system_groups_user=atoth uid=1000 gid=100 home=/home/atoth
Feb 23 20:50:12 atoth dovecot: imap-login: Login: user=<atoth>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=16589, secured
Feb 23 20:50:12 atoth dovecot: imap(atoth): Debug: Effective uid=1000, gid=100, home=/home/atoth
Feb 23 20:50:12 atoth dovecot: imap(atoth): Debug: Namespace inbox: type=private, prefix=, sep=, inbox=yes, hidden=no, list=yes, subscriptions=yes location=mbox:~/mail/:INBOX=/var/spool/mail/atoth
Feb 23 20:50:12 atoth dovecot: imap(atoth): Debug: fs: root=/home/atoth/mail, index=, control=, inbox=/var/spool/mail/atoth, alt=
Feb 23 20:50:14 atoth dovecot: imap(atoth): Disconnected: Logged out in=42671 out=174898
Feb 23 20:50:14 atoth dovecot: auth: Debug: auth client connected (pid=16600)
Feb 23 20:50:14 atoth dovecot: auth: Debug: client in: AUTH 1 PLAIN service=imap secured lip=127.0.0.1 rip=127.0.0.1 lport=143 rport=50276 resp=<hidden>
Feb 23 20:50:14 atoth dovecot: auth-worker(16586): Debug: pam(atoth,127.0.0.1): lookup service=imap
Feb 23 20:50:14 atoth dovecot: auth-worker(16586): Debug: pam(atoth,127.0.0.1): #1/1 style=1 msg=Password:
Feb 23 20:50:14 atoth dovecot: auth: Debug: client out: OK 1 user=atoth
Feb 23 20:50:14 atoth dovecot: auth: Debug: master in: REQUEST 3933732865 16600 1 8382f23ff412178311e55bf74162e4cd
Feb 23 20:50:14 atoth dovecot: auth: Debug: passwd(atoth,127.0.0.1): lookup
Feb 23 20:50:14 atoth dovecot: auth: Debug: master out: USER 3933732865 atoth system_groups_user=atoth uid=1000 gid=100 home=/home/atoth
Feb 23 20:50:14 atoth dovecot: imap-login: Login: user=<atoth>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=16601, secured
Feb 23 20:50:14 atoth dovecot: imap(atoth): Debug: Effective uid=1000, gid=100, home=/home/atoth
Feb 23 20:50:14 atoth dovecot: imap(atoth): Debug: Namespace inbox: type=private, prefix=, sep=, inbox=yes, hidden=no, list=yes,
[Dovecot] From Maildir back to smtp
Not sure how this can be done. Right now I'm running a free backup MX record service. People point their high MX records to my servers and if they go down we store the email. When they come back up it's delivered. What I want to do is have a premium service that would allow them to view through IMAP the stored email. In order to do that I would have to deliver the email locally to a dovecot server - to a single account perhaps - and they can view/forward/delete etc. But - when their server comes back online I'd like to gather up all the delivered email stored in Maildir format and run it back into smtp for delivery. Has anyone even done something like this? Or is there an easier way that I'm missing? Thanks in advance
Re: [Dovecot] From Maildir back to smtp
On 23/02/2012 21:41, Marc Perkel wrote: Not sure how this can be done. Right now I'm running a free backup MX record service. People point their high MX records to my servers and if they go down we store the email. When they come back up it's delivered. Hi, store how? In a queue with an smtp server? What I want to do is have a premium service that would allow them to view through IMAP the stored email. In order to do that I would have to deliver the email locally to a dovecot server - to a single account perhaps - and they can view/forward/delete etc. But - when their server comes back online I'd like to gather up all the delivered email stored in Maildir format and run it back into smtp for delivery. If you store the messages in a queue you can configure your smtp (your MX) server to also send a copy of all messages it receives to another mailbox, see always_bcc in postfix.
[Dovecot] How to limit max number of connections for ip address
Hi List: Does anyone know if it is possible to configure dovecot to limit the max number of connections per IP address? I would like to prevent future fork-bombing attacks against the pop3 and imap login processes in my email server. Our dovecot version is: 1.2.10 Thanks, Wilberth. smime.p7s Description: S/MIME cryptographic signature
Re: [Dovecot] From Maildir back to smtp
On Thursday 23 February 2012 22:12:14 mail...@securitylabs.it wrote: On 23/02/2012 21:41, Marc Perkel wrote: Not sure how this can be done. Right now I'm running a free backup MX record service. People point their high MX records to my servers and if they go down we store the email. When they come back up it's delivered. Hi, store how? In a queue with an smtp server? What I want to do is have a premium service that would allow them to view through IMAP the stored email. In order to do that I would have to deliver the email locally to a dovecot server - to a single account perhaps - and they can view/forward/delete etc. But - when their server comes back online I'd like to gather up all the delivered email stored in Maildir format and run it back into smtp for delivery. Sounds like a job for serialmail, a sister package to qmail: Use serialmail to forward mail from a mailbox (in Maildir format, which you have) to the primary MX when it's back up. I've provided a mailbox/forwarding secondary MX service for several clients using this method (esp. the 'maildirsmtp' program from serialmail with cron). More info/help on the qmail or serialmail mailing lists; the URL for serialmail is http://cr.yp.to/serialmail.html (it includes man pages within the package). A couple of particular advantages of having secondary MX email in a mailbox as you suggest for forwarding: - Unlike mail in a queue, the messages don't expire, so if the primary MX takes forever to come back up that's fine (except for your disk storage) - Since the mail is in a mailbox you can access this with IMAP or POP3 as you suggest [until it's emptied when the primary MX returns] I've not considered running serialmail in a non-qmail environment, but it would probably still work for the purpose you have in mind if you're using a different MTA. If you store the messages in a queue you can configure your smtp (your MX) server to also send a copy of all messages it receives to another mailbox, see always_bcc in postfix.
cheers, Andrew.
Re: [Dovecot] How to limit max number of connections for ip address
On 24.2.2012, at 0.33, Wilberth Perez wrote: Does anyone know if it is possible to configure dovecot to limit the max number of connections per IP address? I would like to prevent future fork-bombing attacks against the pop3 and imap login processes in my email server. Our dovecot version is: 1.2.10 There is the mail_max_userip_connections setting, which limits the IP+username combination. Typically that should be enough to prevent fork bombing, because users normally don't have more than one account. Or do you mean when some IP keeps connecting even without actually logging in? http://wiki.dovecot.org/LoginProcess has some settings related to this, which should normally be quite helpful if the limits are right.
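A per-username limit such as mail_max_userip_connections only takes effect once a login has reached a username; the fork-bombing case Wilberth describes is an address that keeps opening login processes and never authenticates. The program below is an added example (it is not Dovecot code, and the log lines are constructed in the imap-login/pop3-login line format, not real traffic): it tallies login-process lines per remote IP (rip=) and flags addresses that exceed a connection threshold without a single successful login, which is the evidence you need before tightening the login process limits or adding a firewall rule for that address.

```c
#include <stdio.h>
#include <string.h>

#define MAX_IPS 16
#define IP_LEN  46          /* room for an IPv6 literal */

struct ip_stat {
    char ip[IP_LEN];
    unsigned total;         /* login-process lines from this rip */
    unsigned logged_in;     /* of those, successful "Login:" lines */
};

/* Constructed sample in Dovecot's imap-login/pop3-login line format;
 * not real traffic. 203.0.113.7 keeps spawning login processes and
 * never authenticates, 198.51.100.4 is a normal client. */
static const char *const sample_log[] = {
    "Feb 24 00:33:01 mx dovecot: imap-login: Disconnected (no auth attempts): rip=203.0.113.7, lip=192.0.2.1",
    "Feb 24 00:33:01 mx dovecot: imap-login: Disconnected (no auth attempts): rip=203.0.113.7, lip=192.0.2.1",
    "Feb 24 00:33:02 mx dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.4, lip=192.0.2.1, TLS",
    "Feb 24 00:33:02 mx dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.1",
    "Feb 24 00:33:03 mx dovecot: imap(alice): Disconnected: Logged out",
    "Feb 24 00:33:03 mx dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<carol>, method=PLAIN, rip=192.0.2.50, lip=192.0.2.1",
    "Feb 24 00:33:04 mx dovecot: imap-login: Disconnected (no auth attempts): rip=203.0.113.7, lip=192.0.2.1",
    "Feb 24 00:33:05 mx dovecot: imap-login: Disconnected (no auth attempts): rip=198.51.100.4, lip=192.0.2.1",
};
#define SAMPLE_LINES (sizeof(sample_log) / sizeof(sample_log[0]))

/* Copy the value of "rip=" into buf; returns 0 if the line has none. */
static int parse_rip(const char *line, char *buf, size_t buflen)
{
    const char *p = strstr(line, "rip=");
    if (p == NULL)
        return 0;
    p += 4;
    size_t n = strcspn(p, ", ");        /* value ends at comma or space */
    if (n == 0 || n >= buflen)
        return 0;
    memcpy(buf, p, n);
    buf[n] = '\0';
    return 1;
}

/* Tally one login-process line into the table. Lines from other
 * processes (imap, pop3, auth) are ignored. Returns -1 if the table is
 * full, otherwise 0. */
static int tally(struct ip_stat *tab, size_t *count, const char *line)
{
    char ip[IP_LEN];
    if (strstr(line, "-login: ") == NULL || !parse_rip(line, ip, sizeof ip))
        return 0;
    int success = strstr(line, "-login: Login: ") != NULL;
    for (size_t i = 0; i < *count; i++) {
        if (strcmp(tab[i].ip, ip) == 0) {
            tab[i].total++;
            tab[i].logged_in += success;
            return 0;
        }
    }
    if (*count >= MAX_IPS)
        return -1;
    strcpy(tab[*count].ip, ip);         /* parse_rip bounded the length */
    tab[*count].total = 1;
    tab[*count].logged_in = success;
    (*count)++;
    return 0;
}

/* Number of addresses with more than `threshold` login-process
 * connections and not one successful login among them. */
size_t count_abusive_ips(const char *const *lines, size_t nlines, unsigned threshold)
{
    struct ip_stat tab[MAX_IPS];
    size_t count = 0, abusive = 0;
    for (size_t i = 0; i < nlines; i++)
        if (tally(tab, &count, lines[i]) != 0)
            break;                      /* table full: report what we have */
    for (size_t i = 0; i < count; i++)
        if (tab[i].logged_in == 0 && tab[i].total > threshold)
            abusive++;
    return abusive;
}

size_t demo_abusive(unsigned threshold)
{
    return count_abusive_ips(sample_log, SAMPLE_LINES, threshold);
}

int main(void)
{
    printf("addresses over 3 connections with no login: %zu\n", demo_abusive(3));
    return 0;
}
```

The threshold is deliberately a parameter: with the sample, 3 flags only 203.0.113.7, while 0 also flags 192.0.2.50, whose single failed attempt is normal noise.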
Re: [Dovecot] How to achieve proper privilege separation?
On 23.2.2012, at 21.56, Tóth Attila wrote: In the mean time I've upgraded to 2.1. I've enabled debug logging and logged in. I suspect that hardening features can be blamed for my problem. After booting a previous kernel the behavior was reverted. OK. Feb 23 20:50:12 atoth dovecot: imap(atoth): Debug: Effective uid=1000, gid=100, home=/home/atoth This says that the IMAP is running as UID 1000. The code that produces this is: i_debug("Effective uid=%s, gid=%s, home=%s", dec2str(geteuid()), dec2str(getegid()), home); So if the process is still creating files as root, the kernel is lying..
Re: [Dovecot] How to achieve proper privilege separation?
On 24.2.2012, at 1.26, Timo Sirainen wrote: On 23.2.2012, at 21.56, Tóth Attila wrote: In the mean time I've upgraded to 2.1. I've enabled debug logging and logged in. I suspect that hardening features can be blamed for my problem. After booting a previous kernel the behavior was reverted. OK. BTW. It would be interesting to know if the attached patch causes it to fail with the hardening patches. euid.diff Description: Binary data
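Timo's description above (imap starts as root, does the userdb lookup, then drops to the user) is the sequence worth verifying on a hardened kernel. The program below is an added example, not Dovecot's code: a privilege drop that checks more than geteuid(), because the debug line quoted in the thread prints only the effective ids, and a process whose saved uid is still 0 creates files as the effective user yet can setuid(0) its way back. The target uid 65534 in demo_drop() is an assumption made only so the program runs both as root and as an ordinary user.

```c
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Prove that a privilege drop is complete and irreversible. Reading the
 * effective ids is not enough: a process whose real or saved uid is
 * still 0 can switch back with setuid(0). So we check every id we can
 * see and then actually try to regain root, which must fail. */
static int verify_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid)
        return -1;
    if (getgid() != gid || getegid() != gid)
        return -1;
    if (setuid(0) == 0)          /* regained root: the drop was not permanent */
        return -1;
    return 0;
}

/* Drop from root to the uid/gid a userdb lookup returned.
 * Order matters: supplementary groups first (requires root), then the
 * gid, then the uid. Once setuid() succeeds nothing else can be fixed,
 * so anything left until afterwards would silently stay privileged.
 * Returns 0 on success, -1 on failure with errno set. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0) {              /* "dropping" to root is not a drop */
        errno = EINVAL;
        return -1;
    }
    if (geteuid() == 0) {
        /* Only root may call setgroups(); replace the inherited list
         * with just the target primary group. */
        if (setgroups(1, &gid) != 0)
            return -1;
    }
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)        /* from root this sets real, effective and saved */
        return -1;
    if (verify_dropped(uid, gid) != 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Pick a target the caller is allowed to drop to: an unprivileged
 * process can only "drop" to itself; root drops to 65534, which is
 * 'nobody' on many Linux systems (an assumption for this demo). */
int demo_drop(void)
{
    uid_t uid = getuid() == 0 ? (uid_t)65534 : getuid();
    gid_t gid = getgid() == 0 ? (gid_t)65534 : getgid();
    return drop_privileges(uid, gid);
}

int main(void)
{
    if (demo_drop() != 0) {
        fprintf(stderr, "privilege drop failed: %s\n", strerror(errno));
        return 1;
    }
    printf("Effective uid=%u, gid=%u, regaining root refused\n",
           (unsigned)geteuid(), (unsigned)getegid());
    return 0;
}
```

Run it as root on the kernel that misbehaves: if the setuid(0) probe succeeds after the drop, files really will be created as root no matter what the debug line says about the effective uid.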
Re: [Dovecot] Settings for authentication without an extra password file
On 23.2.2012, at 19.31, Keith Christian wrote: Hello, I'm new to dovecot, and, due to having an older version of an OS installed on a test server, I'll be using an older version of dovecot (dovecot-1.0-1.2) to provide IMAP services. I think Dovecot v2.x works mostly on the same OSes as v1.x. On this wiki page (http://wiki.dovecot.org/BasicConfiguration?highlight=%28passwd.dovecot%29) there are instructions for creating a separate dovecot password file: echo "$USER:{PLAIN}password" > passwd.dovecot sudo mv passwd.dovecot /etc So, it appears that two password files will be needed, one for dovecot and one for regular system logins. Only if you want to. Is there a setting in dovecot.conf which will authenticate IMAP using /etc/passwd and /etc/shadow, without a separate dovecot password file? Use passdb pam + userdb passwd (not passwd-file). See password + user databases under http://wiki.dovecot.org/Authentication
Re: [Dovecot] Why is dovecot involved in my smtp process
From: Peter A. Giessel pgies...@mac.com: Not totally true. Typical cyrus sasl2 implementation used with sendmail uses an imap server for smtp authentication. I recall having to tweak the sasl2 configuration on my own sendmail server to talk correctly with dovecot. I don't recall the exact tweaks. Just to make it clear to the OP, I have Dovecot/Sendmail/SASL working just fine (which is independent of dovecot). I suspect Peter hit the nail on the head here. Look at the contents of $SASL_INSTALL/lib/Sendmail.conf Mine is (only) pwcheck_method:saslauthd which I think looks up my name service backend via the login and plain plugins. I'm a little hazy on how this was set up, but if you are able to successfully login without dovecot, then it appears you have some sort of authentication stack that will try IMAP first, then fall back to the other method. Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] Creating and interacting with array inside plugin
On 23.2.2012, at 18.19, Alex Baule wrote: ok, inside my expunged rewrite function i create the array like quota does, and append it to my array. struct emexis_ids_x_uis append_uis; append_uis.ids = _mail->uid; append_uis.uis_file = bodyFile; .. But when i do a foreach in this Array, my ids is OK, but my uis_file has the same value every time (the value is the last value inserted). I guess the memory isn't permanently allocated for it, so you need to do: append_uis.uis_file = i_strdup(bodyFile); Note that you'll also need to later i_free() it to avoid leaking memory.
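The aliasing Timo describes, as an added C example that is neither the poster's plugin nor Dovecot code (the struct and field names are borrowed from the post; Dovecot's i_strdup()/i_free() are stood in for by a malloc-based copy and free(), and the body file names are constructed): the buggy loop stores the address of a buffer that is reused on every iteration, so every element reads back the last value written, while the fixed loop copies each string and frees the copies afterwards.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same shape as the poster's struct: a mail UID paired with the name of
 * the file its body was written to. uis_file is a pointer, not a copy. */
struct emexis_ids_x_uis {
    unsigned int ids;
    char *uis_file;
};

#define MAX_ENTRIES 8

/* Constructed input: three expunged mails whose body file names are
 * formatted into one buffer that the loop reuses each iteration. */
static const unsigned int sample_uids[] = { 101, 102, 103 };
#define SAMPLE_COUNT (sizeof(sample_uids) / sizeof(sample_uids[0]))

static void body_file_name(char *buf, size_t len, unsigned int uid)
{
    snprintf(buf, len, "body-%u.eml", uid);
}

/* What i_strdup() does: a heap copy the caller owns and must free. */
static char *copy_string(const char *s)
{
    size_t len = strlen(s) + 1;
    char *p = malloc(len);
    if (p != NULL)
        memcpy(p, s, len);
    return p;
}

/* BUGGY: stores the address of the scratch buffer. Every element then
 * points at the same bytes, which hold whatever was formatted last.
 * (The buffer is static here so the outcome is well defined; had it
 * been a stack local that went out of scope, reading it would be
 * undefined behaviour rather than merely wrong.) */
size_t fill_buggy(struct emexis_ids_x_uis *out, size_t max)
{
    static char bodyFile[64];
    size_t n = 0;
    for (size_t i = 0; i < SAMPLE_COUNT && n < max; i++, n++) {
        body_file_name(bodyFile, sizeof bodyFile, sample_uids[i]);
        out[n].ids = sample_uids[i];
        out[n].uis_file = bodyFile;          /* aliases the reused buffer */
    }
    return n;
}

/* FIXED: copy the string so each element owns its own bytes. The copies
 * must be released with free_entries() (Dovecot: i_free()) or they leak. */
size_t fill_fixed(struct emexis_ids_x_uis *out, size_t max)
{
    char bodyFile[64];
    size_t n = 0;
    for (size_t i = 0; i < SAMPLE_COUNT && n < max; i++, n++) {
        body_file_name(bodyFile, sizeof bodyFile, sample_uids[i]);
        out[n].ids = sample_uids[i];
        out[n].uis_file = copy_string(bodyFile);
        if (out[n].uis_file == NULL)
            break;                           /* n not incremented: entry is not stored */
    }
    return n;
}

/* How many entries still name the file that belongs to their own UID. */
size_t count_consistent(const struct emexis_ids_x_uis *arr, size_t n)
{
    char expected[64];
    size_t ok = 0;
    for (size_t i = 0; i < n; i++) {
        body_file_name(expected, sizeof expected, arr[i].ids);
        if (strcmp(arr[i].uis_file, expected) == 0)
            ok++;
    }
    return ok;
}

void free_entries(struct emexis_ids_x_uis *arr, size_t n)
{
    for (size_t i = 0; i < n; i++)
        free(arr[i].uis_file);
}

size_t buggy_consistent(void)
{
    struct emexis_ids_x_uis arr[MAX_ENTRIES];
    return count_consistent(arr, fill_buggy(arr, MAX_ENTRIES));
}

size_t fixed_consistent(void)
{
    struct emexis_ids_x_uis arr[MAX_ENTRIES];
    size_t n = fill_fixed(arr, MAX_ENTRIES);
    size_t ok = count_consistent(arr, n);
    free_entries(arr, n);
    return ok;
}

int main(void)
{
    printf("buggy: %zu of %zu entries intact\n", buggy_consistent(), SAMPLE_COUNT);
    printf("fixed: %zu of %zu entries intact\n", fixed_consistent(), SAMPLE_COUNT);
    return 0;
}
```

Only the last entry survives the buggy version, exactly the symptom in the post; in the fixed version all three do, and free_entries() is what keeps the fix from turning into the leak Timo warns about.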
Re: [Dovecot] IMAP-proxy or not with sogo webmail and dovecot backend
On 22/02/2012 23:56, Ed W wrote: I think it has potential though. I think a lot of the current plugins on the website could easily be rewritten, likely without performance concerns, using a scripting based plugin system. I could see that some other big picture pieces could potentially benefit also One interesting test case for such a scripting hooks solution might be login restrictions. There seem to be regular requests for the ability to setup arbitrarily complicated restrictions on users per IP, attempts per second, etc (and my logging interest is kind of related also). Not trying to bump the item up any todo lists, just trying to chuck in some concrete ideas for actually testing a specific implementation... I guess a substantially more performance orientated area that seems to get some interest would be various spam, expunge, delete ideas and the hooks needed for those. These seem much more tricky to implement a scripting hook and still stay performant. Again just ideas for real things people might want to do? Cheers Ed W
[Dovecot] Dovecot 2.1 with custom OpenSSL fails to build
Hello Dovecot users! There seems to be a new dependency in some modules (e.g., lib-storage, libdovecot-lda, libdovecot-ssl) on OpenSSL. In Dovecot 2.0, those modules didn't require OpenSSL, but 2.1 does. For the linking process the path to the OpenSSL library isn't specified properly (SSL_LIBS). Dovecot fails to build if OpenSSL is in a non-standard path. (Haven't checked if SSL_CFLAGS isn't properly used as well.) Example for lib-storage:

env SSL_CFLAGS=-I/usr/local/ssl/include SSL_LIBS="-L/usr/local/ssl/lib -Wl,-R/usr/local/ssl/lib -lcrypto -lssl" ./configure --prefix=/usr/local/${DOVECOTVER} --with-ssl=openssl --with-ssldir=/usr/local/${DOVECOTVER}/etc/dovecot/certs
make
gcc -DHAVE_CONFIG_H -I. -I../.. -I../../src/lib -I../../src/lib-master -I../../src/lib-settings -I../../src/lib-mail -I../../src/lib-storage -DPKG_RUNDIR=\"/usr/local/Dovecot-2.1.1/var/run/dovecot\" -std=gnu99 -g -O2 -Wall -W -Wmissing-prototypes -Wmissing-declarations -Wpointer-arith -Wchar-subscripts -Wformat=2 -Wbad-function-cast -fno-builtin-strftime -Wstrict-aliasing=2 -I/usr/local/ssl/include -MT master-connection.o -MD -MP -MF .deps/master-connection.Tpo -c -o master-connection.o master-connection.c
mv -f .deps/master-connection.Tpo .deps/master-connection.Po
/bin/sh ../../libtool --tag=CC --mode=link gcc -std=gnu99 -g -O2 -Wall -W -Wmissing-prototypes -Wmissing-declarations -Wpointer-arith -Wchar-subscripts -Wformat=2 -Wbad-function-cast -fno-builtin-strftime -Wstrict-aliasing=2 -I/usr/local/ssl/include -no-undefined -Wl,--as-needed -o indexer-worker indexer-worker.o indexer-worker-settings.o master-connection.o ../../src/lib-storage/libdovecot-storage.la ../../src/lib-dovecot/libdovecot.la -export-dynamic -ldl -lrt
libtool: link: gcc -std=gnu99 -g -O2 -Wall -W -Wmissing-prototypes -Wmissing-declarations -Wpointer-arith -Wchar-subscripts -Wformat=2 -Wbad-function-cast -fno-builtin-strftime -Wstrict-aliasing=2 -I/usr/local/ssl/include -Wl,--as-needed -o .libs/indexer-worker indexer-worker.o indexer-worker-settings.o master-connection.o -Wl,--export-dynamic ../../src/lib-storage/.libs/libdovecot-storage.so ../../src/lib-dovecot/.libs/libdovecot.so -ldl -lrt -Wl,-rpath -Wl,/usr/local/Dovecot-2.1.1/lib/dovecot
/usr/bin/ld: warning: libcrypto.so.1.0.0, needed by ../../src/lib-storage/.libs/libdovecot-storage.so, not found (try using -rpath or -rpath-link)
/usr/bin/ld: warning: libssl.so.1.0.0, needed by ../../src/lib-storage/.libs/libdovecot-storage.so, not found (try using -rpath or -rpath-link)
../../src/lib-storage/.libs/libdovecot-storage.so: undefined reference to `OBJ_txt2nid'
../../src/lib-storage/.libs/libdovecot-storage.so: undefined reference to `SSL_set_ex_data'
[...]

# ldd src/lib*/.libs/*.so
src/lib-dovecot/.libs/libdovecot.so:
        linux-gate.so.1 => (0x00979000)
        libdl.so.2 => /lib/libdl.so.2 (0x00c31000)
        librt.so.1 => /lib/librt.so.1 (0x009ed000)
        libc.so.6 => /lib/libc.so.6 (0x0054d000)
        /lib/ld-linux.so.2 (0x00c12000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x008f4000)
src/lib-lda/.libs/libdovecot-lda.so:
        linux-gate.so.1 => (0x0096d000)
        libdovecot-storage.so.0 => /usr/local/src/dovecot-2.1.1/src/lib-storage/.libs/libdovecot-storage.so.0 (0x00ae4000)
        libdovecot.so.0 => /usr/local/src/dovecot-2.1.1/src/lib-dovecot/.libs/libdovecot.so.0 (0x0011)
        librt.so.1 => /lib/librt.so.1 (0x00189000)
        libc.so.6 => /lib/libc.so.6 (0x00192000)
        libcrypto.so.1.0.0 => not found
        libssl.so.1.0.0 => not found
        libdl.so.2 => /lib/libdl.so.2 (0x0031c000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x00ebc000)
        /lib/ld-linux.so.2 (0x003f8000)
src/lib-sql/.libs/libdovecot-sql.so:
        linux-gate.so.1 => (0x00a95000)
        libdovecot.so.0 => /usr/local/src/dovecot-2.1.1/src/lib-dovecot/.libs/libdovecot.so.0 (0x002b6000)
        libdl.so.2 => /lib/libdl.so.2 (0x00ab8000)
        librt.so.1 => /lib/librt.so.1 (0x0072a000)
        libc.so.6 => /lib/libc.so.6 (0x008f7000)
        /lib/ld-linux.so.2 (0x00ebd000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x00619000)
src/lib-ssl-iostream/.libs/libdovecot-ssl.so:
        linux-gate.so.1 => (0x00da6000)
        libcrypto.so.1.0.0 => not found
        libssl.so.1.0.0 => not found
        libdl.so.2 => /lib/libdl.so.2 (0x00df)
        librt.so.1 => /lib/librt.so.1 (0x00112000)
        libc.so.6 => /lib/libc.so.6 (0x00b5e000)
        /lib/ld-linux.so.2 (0x00e76000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x005a6000)
src/lib-storage/.libs/libdovecot-storage.so:
        linux-gate.so.1 => (0x006ed000)
        libcrypto.so.1.0.0 => not found
        libssl.so.1.0.0 => not found
        libdovecot.so.0 => /usr/local/src/dovecot-2.1.1/src/lib-dovecot/.libs/libdovecot.so.0 (0x00c66000)
        libdl.so.2 => /lib/libdl.so.2 (0x00491000)
        librt.so.1 => /lib/librt.so.1 (0x00be2000)
        libc.so.6 => /lib/libc.so.6 (0x0011)
Re: [Dovecot] Creating and interacting with array inside plugin
Thanks Timo... On 23 February 2012 21:34, Timo Sirainen t...@iki.fi wrote: On 23.2.2012, at 18.19, Alex Baule wrote: ok, inside my expunged rewrite function i create the array like quota does, and append it to my array. struct emexis_ids_x_uis append_uis; append_uis.ids = _mail->uid; append_uis.uis_file = bodyFile; .. But when i do a foreach in this Array, my ids is OK, but my uis_file has the same value every time (the value is the last value inserted). I guess the memory isn't permanently allocated for it, so you need to do: append_uis.uis_file = i_strdup(bodyFile); Note that you'll also need to later i_free() it to avoid leaking memory.