[Dovecot] password schemes in dovecot

2013-01-27 Thread Public
Hey there,

I'm using the latest dovecot 2.1.13

In the wiki http://wiki2.dovecot.org/Authentication/PasswordSchemes BLF-CRYPT 
is listed, but i can't use it. doveadm pw -l doesn't show it. And i'm unsure 
about how I am supposed to use the different SHA schemes, since they always 
output different hashes for the same password. MD5 is working fine, but I'd 
rather not use it. 
Is the wiki outdated or how do i get BLF-CRYPT working?

thanks,
simon


Re: [Dovecot] password schemes in dovecot

2013-01-27 Thread Pascal Volk
On 01/26/2013 01:04 AM Public wrote:
> Hey there,
> 
> I'm using the latest dovecot 2.1.13
> 
> In the wiki http://wiki2.dovecot.org/Authentication/PasswordSchemes BLF-CRYPT 
> is listed, but i can't use it. doveadm pw -l doesn't show it. And i'm 
> unsure about how I am supposed to use the different SHA schemes, since they 
> always output different hashes for the same password. MD5 is working fine, 
> but I'd rather not use it. 
> Is the wiki outdated or how do i get BLF-CRYPT working?

Your system's libc doesn't support Blowfish crypt, as mentioned in
doveadm-pw(1) http://wiki2.dovecot.org/Tools/Doveadm/Pw#section_options.

The crypt-hashes are salted hashes. `doveadm pw` generates a random
salt, each time it is invoked. Therefore you will see different hashes,
even when you enter the same password multiple times.


Regards,
Pascal
-- 
The trapper recommends today: defaced.1302...@localdomain.org


[Dovecot] doveadm user error messages

2013-01-27 Thread Thomas Leuxner
I use 'doveadm user' in some scripts and the exit codes are fine for my 
purposes. During tests it transpired that Dovecot 2.1 would give an error 
message when querying for non-existent users. Dovecot 2.2 just exits without a 
word. Not sure this is intended behaviour:

$ doveadm user foo
$ echo $?
67

$ id foo
id: foo: No such user

Regards
Thomas




Re: [Dovecot] Trouble with expire plugin

2013-01-27 Thread Gedalya

On 01/09/2013 08:37 AM, Gedalya wrote:

On 01/09/2013 02:32 AM, Robert Schetterer wrote:

my daily cron job says:

#!/bin/sh
doveadm expunge -A mailbox Junk savedbefore 14d
doveadm expunge -A mailbox Trash savedbefore 30d
doveadm expunge -A mailbox Trash.* savedbefore 30d

do verbose logging during cron


Best Regards
MfG Robert Schetterer
No need, I have indeed already gone beyond the "but I made a cron job, 
why isn't it working" point.


mysql> select * from expires;
.
.
.
7 rows in set (0.00 sec)

Complete doveadm output with domain masked:

# doveadm -D search -A mailbox Trash savedbefore 14d
doveadm(root): Debug: Loading modules from directory: 
/usr/lib/dovecot/modules
doveadm(root): Debug: Module loaded: 
/usr/lib/dovecot/modules/lib10_quota_plugin.so
doveadm(root): Debug: Module loaded: 
/usr/lib/dovecot/modules/lib20_expire_plugin.so
doveadm(root): Debug: Module loaded: 
/usr/lib/dovecot/modules/lib20_listescape_plugin.so
doveadm(root): Debug: Loading modules from directory: 
/usr/lib/dovecot/modules/doveadm
doveadm(root): Debug: Skipping module doveadm_acl_plugin, because 
dlopen() failed: 
/usr/lib/dovecot/modules/doveadm/lib10_doveadm_acl_plugin.so: 
undefined symbol: acl_user_module (this is usually intentional, so 
just ignore this message)
doveadm(root): Debug: Module loaded: 
/usr/lib/dovecot/modules/doveadm/lib10_doveadm_expire_plugin.so
doveadm(root): Debug: Module loaded: 
/usr/lib/dovecot/modules/doveadm/lib10_doveadm_quota_plugin.so
doveadm(root): Debug: Skipping module doveadm_zlib_plugin, because 
dlopen() failed: 
/usr/lib/dovecot/modules/doveadm/lib10_doveadm_zlib_plugin.so: 
undefined symbol: i_stream_create_deflate (this is usually 
intentional, so just ignore this message)
doveadm(root): Debug: Skipping module doveadm_fts_plugin, because 
dlopen() failed: 
/usr/lib/dovecot/modules/doveadm/lib20_doveadm_fts_plugin.so: 
undefined symbol: fts_list_backend (this is usually intentional, so 
just ignore this message)
doveadm(root): Debug: expire: Searching only users listed in expire 
database
doveadm(root): Debug: expire: Stopping iteration on key 
shared/expire/je...@xx.com/Trash (1357165578  1356528524)



mysql> select * from expires;
.
.
.
6 rows in set (0.00 sec)

The row being deleted: l...@xxx.com, Junk, 1350397036 (Tue Oct 16 
10:17:16 EDT 2012), all others at this point in time are younger than 
14 days.
So far it has seemed to me that running any search or expunge has the 
sole effect of deleting rows matching the savedbefore criteria, 
regardless of the mailbox criteria.


working with doveadm -omail_plugins=. leaving out expire seems 
to work fine.




I got it working. I know this worked before, I can't specify when it 
stopped working, but here is the story.


I have:
auth_default_realm = domain.com

in dovecot-sql.conf.ext I had:
iterate_query = SELECT userid as user, domain FROM email where deleted=0

Now it's working when I changed it to:
iterate_query = SELECT concat(userid, '@', domain) as username FROM email where deleted=0


I noticed this when running doveadm expunge (without expire plugin) and 
saw lines like the following:

doveadm(jeremy): Info: User no longer exists, skipping

This user exists, but on another domain, not the default one.

Users under the default domain come up as normal:
doveadm(hr): Debug: Added userdb setting: 
mail=maildir:/stor/mail/domains/domain.com/hr/hr/Maildir


After changing iterate query all users come up as fully qualified, like
doveadm(jer...@otherdomain.com): Debug: Added userdb setting: 
mail=maildir:/stor/mail/domains/otherdomain.com/je/jeremy/Maildir


So, with regards to the expires issue, I guess the reason why the 
expires table wasn't working is because it contains the full email 
address in the username field and doveadm here was working with the 
userid alone.


Is this a bug? The wiki clearly says that iterate_query can take the 
domain in a separate field, yet dovecot seems to ignore the domain field 
and use auth_default_realm.


Thanks,

Gedalya



Re: [Dovecot] password schemes in dovecot

2013-01-27 Thread Daniel Parthey
Pascal Volk wrote:
> On 01/26/2013 01:04 AM Public wrote:
>> In the wiki http://wiki2.dovecot.org/Authentication/PasswordSchemes
>> BLF-CRYPT is listed, but i can't use it. doveadm pw -l doesn't show it.
>> And i'm unsure about how I am supposed to use the different SHA schemes,
>> since they always output different hashes for the same password. MD5 is
>> working fine, but I'd rather not use it. 
>> Is the wiki outdated or how do i get BLF-CRYPT working?
> 
> Your system's libc doesn't support Blowfish crypt, as mentioned in
> doveadm-pw(1) http://wiki2.dovecot.org/Tools/Doveadm/Pw#section_options.
> 
> The crypt-hashes are salted hashes. `doveadm pw` generates a random
> salt, each time it is invoked. Therefore you will see different hashes,
> even when you enter the same password multiple times.

Does the doveadm pw tool provide a way to check a plaintext password
against a user's hash from the passdb? This would be useful to do some
security checks without actually logging the users in which would update
their lastlogin timestamp.

Regards
Daniel
-- 
https://plus.google.com/103021802792276734820


Re: [Dovecot] password schemes in dovecot

2013-01-27 Thread Pascal Volk
On 01/27/2013 11:21 PM Daniel Parthey wrote:
> Does the doveadm pw tool provide a way to check a plaintext password
> against a user's hash from the passdb? …

Check `doveadm pw -h` output. If it prints [-t hash], you can do
something like:

doveadm pw -t '{SHA256-CRYPT}$5$rounds=1000$0123456789abcdef$K/DksR0DT01hGc8g/kt9McEgrbFMKi9qrb1jehe7hn4'
Enter password to verify: 08/15!test~4711

{SHA256-CRYPT}$5$rounds=1000$0123456789abcdef$K/DksR0DT01hGc8g/kt9McEgrbFMKi9qrb1jehe7hn4 (verified)


Regards,
Pascal
-- 
The trapper recommends today: f007ba11.1302...@localdomain.org
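
Added example (not part of the thread and not Dovecot's code): a Python sketch of why a salted scheme prints a different string on every run yet still verifies offline, the kind of check `doveadm pw -t` does above. It uses the SSHA256 layout (base64 of the SHA-256 digest followed by the salt) instead of SHA256-CRYPT to stay short; the function names and the 4-byte salt length are assumptions.

```python
import base64
import hashlib
import hmac
import os

SCHEME = "{SSHA256}"
DIGEST_LEN = hashlib.sha256().digest_size  # 32 bytes
SALT_LEN = 4  # assumed salt length for this sketch


def generate(password, salt=None):
    """Return '{SSHA256}' + base64(sha256(password + salt) + salt)."""
    if salt is None:
        # A fresh random salt per call is why repeated runs differ.
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def verify(password, stored):
    """Re-hash the candidate with the salt recovered from the stored value."""
    if not stored.startswith(SCHEME):
        return False  # other schemes are out of scope for this sketch
    try:
        raw = base64.b64decode(stored[len(SCHEME):], validate=True)
    except ValueError:
        return False  # not valid base64
    if len(raw) <= DIGEST_LEN:
        return False  # no salt appended, so not a salted hash
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha256(password.encode("utf-8") + salt).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    pw = "constructed-sample-password"  # constructed input, not a real credential
    first, second = generate(pw), generate(pw)
    print(first)
    print(second)
    print(verify(pw, first), verify(pw, second), verify("wrong", first))
```

The verifier never needs the original salt as a separate input: it is carried inside the stored string, just as the salt sits between the `$` separators of the crypt-style hash in the message above.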


Re: [Dovecot] Duplicate supression mechanism

2013-01-27 Thread Daniel Parthey
Timo Sirainen wrote:
> On 18.1.2013, at 17.36, 3.lis...@adminlinux.com.br lis...@adminlinux.com.br 
> wrote:
> 
>> In a Dovecot 2.0.6 server I have an account x@domain and an alias
>> y@domain - x@domain.
>> 
>> When I send an email to x@domain with carbon copy to y@domain, X
>> receives two messages on mailbox. Dovecot2 has any feature of duplicate
>> suppression ?
> 
> With v2.1 + Pigeonhole 0.3.1+ you can use vnd.dovecot.duplicate extension.
> 
> http://www.ietf.org/id/draft-bosch-sieve-duplicate-00.txt

Dovecot 2.1.10 and Pigeonhole 0.3.3 with the following SIEVE rules

require ["duplicate", "fileinto", "mailbox", "regex", "vacation", "variables"];

if duplicate {
  fileinto :create "Trash/Duplicate";
}

results in .dovecot.sieve.log Error:

sieve: info: started log at Jan 28 04:44:17.
main script: line 3: error: require command: unknown Sieve capability 
`duplicate'.
main script: line 5: error: unknown test 'duplicate' (only reported once at 
first occurence).
main script: error: validation failed.

What is wrong?

Regards
Daniel
-- 
https://plus.google.com/103021802792276734820


Re: [Dovecot] Duplicate supression mechanism

2013-01-27 Thread Stephan Bosch

On 1/22/2013 1:04 PM, Timo Sirainen wrote:

> On 18.1.2013, at 17.36, 3.lis...@adminlinux.com.br lis...@adminlinux.com.br 
> wrote:
> 
>> In a Dovecot 2.0.6 server I have an account x@domain and an alias
>> y@domain - x@domain.
>> 
>> When I send an email to x@domain with carbon copy to y@domain, X
>> receives two messages on mailbox. Dovecot2 has any feature of duplicate
>> suppression ?
> 
> With v2.1 + Pigeonhole 0.3.1+ you can use vnd.dovecot.duplicate extension.
> 
> http://www.ietf.org/id/draft-bosch-sieve-duplicate-00.txt


Ehmm, not that one. That is the official submission and that is not what 
Dovecot currently implements. You should use this as a reference for now:


http://hg.rename-it.nl/dovecot-2.1-pigeonhole/raw-file/tip/doc/rfc/spec-bosch-sieve-duplicate.txt

Don't forget to add vnd.dovecot.duplicate to sieve_extensions.

Regards,

Stephan.