Re: [Dovecot] IMAPS: Disable SSL connection without client certificate
Please do not top-post in an inline thread...

On 2013-06-29 2:38 AM, Ireneusz Szcześniak irek.szczesn...@gmail.com wrote:
> On 28.06.2013 23:34, Reindl Harald wrote:
>> On 28.06.2013 23:31, Ireneusz Szcześniak wrote:
>>> I've been using Dovecot 2.1.8 on OpenBSD 5.2 i386 for about a month. It works great. Dovecot serves IMAPS only, and I'm using Thunderbird to access my mail.
>>>
>>> I configured Dovecot to allow clients that present a valid certificate when establishing SSL connection. I configure my Thunderbird for SSL/TLS connection with normal password. It works fine.
>>>
>>> However, with my config anybody can connect to my server without presenting a certificate
>>
>> google dovecot ssl client certificate
>> leads to http://wiki.dovecot.org/SSL/DovecotConfiguration
>>
>> well, this is for dovecot 1.x, but have you tried it?
>>
>> Client certificate verification/authentication
>> If you want to require clients to present a valid SSL certificate, you'll need these settings:
>>
>> ssl_ca_file = /etc/ssl/ca.pem
>> ssl_verify_client_cert = yes
>> auth default {
>>   ssl_require_client_cert = yes
>>   ..
>> }
>
> Thanks for your email. Yes, I looked before at that website before. I'm using these options with Dovecot 2.1.8, among others:
>
> auth_ssl_require_client_cert = yes
> ssl_verify_client_cert = yes
> ssl_ca = /etc/ssl/certs/cacertcrl.pem

I'm not sure why Reindl pointed you to the 1.x docs when you are using 2.x...

The setting has apparently changed in 2.x (note the addition of 'auth_' to the 'require' setting):

From the wiki2 page:

Client certificate verification/authentication
If you want to require clients to present a valid SSL certificate, you'll need these settings:

ssl_ca = /etc/ssl/ca.pem
ssl_verify_client_cert = yes
auth_ssl_require_client_cert = yes
#ssl_username_from_cert = yes

Linked: http://wiki2.dovecot.org/SSL/DovecotConfiguration

--
Best regards,
Charles
Re: [Dovecot] IMAPS: Disable SSL connection without client certificate
On 29.06.2013 15:54, Charles Marcus wrote:
>>> well, this is for dovecot 1.x, but have you tried it?
>>>
>>> Client certificate verification/authentication
>>> If you want to require clients to present a valid SSL certificate, you'll need these settings:
>>>
>>> ssl_ca_file = /etc/ssl/ca.pem
>>> ssl_verify_client_cert = yes
>>> auth default {
>>>   ssl_require_client_cert = yes
>>>   ..
>>> }
>>
>> Thanks for your email. Yes, I looked before at that website before. I'm using these options with Dovecot 2.1.8, among others:
>>
>> auth_ssl_require_client_cert = yes
>> ssl_verify_client_cert = yes
>> ssl_ca = /etc/ssl/certs/cacertcrl.pem
>
> I'm not sure why Reindl pointed you to the 1.x docs when you are using 2.x...

because it is a good start-point and i do not need the feature and in this case it should be enough that i start to google for others at all

however, if you would have followed this thread you would have realized that the OP demanded technically impossible things like uhm openssl should reject the connection without cert before running any dovecot code
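The 1.x and 2.x setting names contrasted in this thread, turned into a check over `doveconf -n` style text. This is an added example, not part of any message above and not Dovecot's own code; the function names and both sample configurations are constructed here from the settings quoted in the thread.

```python
# Added example: audit `doveconf -n` style text for the Dovecot 2.x
# client-certificate settings quoted in this thread. Function names and the
# sample configurations are constructed for illustration.

# 1.x setting name -> 2.x replacement, as contrasted in the thread.
LEGACY_1X = {
    "ssl_ca_file": "ssl_ca",
    "ssl_require_client_cert": "auth_ssl_require_client_cert",
}
# Both must be "yes"; an absent setting is treated as "no".
REQUIRED_YES = ("ssl_verify_client_cert", "auth_ssl_require_client_cert")


def parse_doveconf(text):
    """Flatten 'key = value' lines into {path: value}; block names joined by '/'."""
    settings, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        # Only whole-line comments are skipped, so a value such as
        # 'recipient_delimiter = #' is kept.
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}":
            if stack:
                stack.pop()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings["/".join(stack + [key])] = value
    return settings


def audit_client_cert(text):
    """Return a list of findings; an empty list means all three settings are in place."""
    settings = parse_doveconf(text)
    top = {k: v for k, v in settings.items() if "/" not in k}
    findings = []
    if not top.get("ssl_ca"):
        findings.append("ssl_ca is not set: no CA to verify client certificates against")
    for key in REQUIRED_YES:
        if top.get(key, "no") != "yes":
            findings.append(f"{key} is not 'yes'")
    for path in settings:
        leaf = path.rsplit("/", 1)[-1]
        if leaf in LEGACY_1X:
            findings.append(f"{path} is a 1.x name; 2.x uses {LEGACY_1X[leaf]}")
    return findings


# Constructed sample: the three 2.x settings the original poster lists.
CONFIG_2X = """
auth_ssl_require_client_cert = yes
ssl_verify_client_cert = yes
ssl_ca = /etc/ssl/certs/cacertcrl.pem
"""

# Constructed sample: the 1.x wiki snippet pasted into a 2.x configuration.
CONFIG_1X_STYLE = """
ssl_ca_file = /etc/ssl/ca.pem
ssl_verify_client_cert = yes
auth default {
  ssl_require_client_cert = yes
}
"""

if __name__ == "__main__":
    for name, cfg in (("2.x names", CONFIG_2X), ("1.x names", CONFIG_1X_STYLE)):
        print(name, audit_client_cert(cfg) or "ok")
```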
[Dovecot] Dovecot METADATA plugin configuration
Debian Wheezy
dovecot 2.2.4 (deb http://xi.rename-it.nl/debian/ stable-auto/dovecot-2.2.patched main)
dovecot-metadata-plugin v14

/var/lib/dovecot 777 dovecot:dovecot
/var/lib/dovecot/shared-metadata 700 dovecot:dovecot
/var/run/dovecot 777 dovecot:dovecot
/var/run/divecot/dict666 mail:dovecot

Test1 - create calendar UTF7 mailbox (no errors in dovecot-error.log):

[02-Jul-2013 15:47:51 +0400]: [4419] S: * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Welcome to TU FKP IMAP server.
[02-Jul-2013 15:47:51 +0400]: [4419] C: A0001 ID (name Roundcube version 1.0-git php 5.4.4-14+deb7u2 os Linux command /?_task=calendar_action=calendar)
[02-Jul-2013 15:47:51 +0400]: [4419] S: * ID (name Dovecot)
[02-Jul-2013 15:47:51 +0400]: [4419] S: A0001 OK ID completed.
[02-Jul-2013 15:47:51 +0400]: [4419] C: A0002 AUTHENTICATE PLAIN
[02-Jul-2013 15:47:51 +0400]: [4419] S: A0002 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS SPECIAL-USE BINARY MOVE METADATA ANNOTATEMORE] Logged in
[02-Jul-2013 15:47:51 +0400]: [4419] C: A0003 CREATE BCAEMAQxBD4ERwQ4BDk-
[02-Jul-2013 15:47:51 +0400]: [4419] S: A0003 OK Create completed.
[02-Jul-2013 15:47:51 +0400]: [4419] C: A0004 SUBSCRIBE BCAEMAQxBD4ERwQ4BDk-
[02-Jul-2013 15:47:51 +0400]: [4419] S: A0004 OK Subscribe completed.
[02-Jul-2013 15:47:51 +0400]: [4419] C: A0005 SETMETADATA BCAEMAQxBD4ERwQ4BDk- (/shared/vendor/kolab/folder-type event /private/vendor/kolab/folder-type NIL)
[02-Jul-2013 15:47:51 +0400]: [4419] S: A0005 NO Mailbox does not exist.
[02-Jul-2013 15:47:51 +0400]: [4419] C: A0006 SETMETADATA BCAEMAQxBD4ERwQ4BDk- (/private/vendor/kolab/folder-type event)
[02-Jul-2013 15:47:51 +0400]: [4419] S: A0006 NO Mailbox does not exist.
[02-Jul-2013 15:47:51 +0400]: [4419] C: A0007 LIST BCAEMAQxBD4ERwQ4BDk-/*
[02-Jul-2013 15:47:51 +0400]: [4419] S: A0007 OK List completed.
[02-Jul-2013 15:47:51 +0400]: [4419] C: A0008 DELETE BCAEMAQxBD4ERwQ4BDk-
[02-Jul-2013 15:47:51 +0400]: [4419] S: A0008 OK Delete completed.
[02-Jul-2013 15:47:51 +0400]: [4419] C: A0009 UNSUBSCRIBE BCAEMAQxBD4ERwQ4BDk-
[02-Jul-2013 15:47:51 +0400]: [4419] S: A0009 OK Unsubscribe completed.
[02-Jul-2013 15:47:51 +0400]: [4419] C: A0010 LOGOUT
[02-Jul-2013 15:47:51 +0400]: [4419] S: * BYE Logging out
[02-Jul-2013 15:47:51 +0400]: [4419] S: A0010 OK Logout completed.

Test2 - create calendar ASCII mailbox:

[02-Jul-2013 15:51:20 +0400]: [2611] S: * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Welcome to TU FKP IMAP server.
[02-Jul-2013 15:51:20 +0400]: [2611] C: A0001 ID (name Roundcube version 1.0-git php 5.4.4-14+deb7u2 os Linux command /?_task=calendar_action=calendar)
[02-Jul-2013 15:51:20 +0400]: [2611] S: * ID (name Dovecot)
[02-Jul-2013 15:51:20 +0400]: [2611] S: A0001 OK ID completed.
[02-Jul-2013 15:51:20 +0400]: [2611] C: A0002 AUTHENTICATE PLAIN
[02-Jul-2013 15:51:20 +0400]: [2611] S: A0002 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS SPECIAL-USE BINARY MOVE METADATA ANNOTATEMORE] Logged in
[02-Jul-2013 15:51:20 +0400]: [2611] C: A0003 CREATE Work
[02-Jul-2013 15:51:20 +0400]: [2611] S: A0003 OK Create completed.
[02-Jul-2013 15:51:20 +0400]: [2611] C: A0004 SUBSCRIBE Work
[02-Jul-2013 15:51:20 +0400]: [2611] S: A0004 OK Subscribe completed.
[02-Jul-2013 15:51:20 +0400]: [2611] C: A0005 SETMETADATA Work (/shared/vendor/kolab/folder-type event /private/vendor/kolab/folder-type NIL)
[02-Jul-2013 15:51:50 +0400]: [2611] S: A0005 NO Setting entry failed.
[02-Jul-2013 15:51:50 +0400]: [2611] C: A0006 SETMETADATA Work (/private/vendor/kolab/folder-type event)
[02-Jul-2013 15:52:20 +0400]: [2611] S: A0006 NO Setting entry failed.
[02-Jul-2013 15:52:20 +0400]: [2611] C: A0007 LIST Work/*
[02-Jul-2013 15:52:20 +0400]: [2611] S: A0007 OK List completed.
[02-Jul-2013 15:52:20 +0400]: [2611] C: A0008 DELETE Work
[02-Jul-2013 15:52:20 +0400]: [2611] S: A0008 OK Delete completed.
[02-Jul-2013 15:52:20 +0400]: [2611] C: A0009 UNSUBSCRIBE Work
[02-Jul-2013 15:52:20 +0400]: [2611] S: A0009 OK Unsubscribe completed.
[02-Jul-2013 15:52:20 +0400]: [2611] C: A0010 LOGOUT
[02-Jul-2013 15:52:20 +0400]: [2611] S: * BYE Logging out
[02-Jul-2013 15:52:20 +0400]: [2611] S: A0010 OK Logout completed.

root@mail:/var/log/dovecot# cat dovecot-errors.log
2013-07-02 15:51:50 imap(ad...@tufkp.ru):
Re: [Dovecot] namespace delivery question
On Thu, 27 Jun 2013, Laszlo Kiraly wrote:
> i...@domain.com - public, readable by user2
> us...@domain.com - private
> us...@domain.com - private
>
> The mailboxes are virtual, authentication through pam (kerberos). The public mailbox doesn't have valid kerberos account. I couldn't find solution in the documentation, how can I manage the email delivery to the public namespace?
>
> There is a -m option in the lda delivery where you can give namespace prefix. Maybe it's good for this, but I couldn't find any information how can I do this with lmtp?

If you set:

lmtp_save_to_detail_mailbox = yes
recipient_delimiter = #

you could alias i...@domain.com to user#public.mailbox.fol...@domain.com .

1st option tells LMTP to use the detail (subaddress) as default mailbox, which is essentially the same as the -m option of the LDA. 2nd option sets the delimiter of user and detail.

user must have write permission to the folder.

Regards,

--
Steffen Kaiser
Re: [Dovecot] namespace delivery question
>> There is a -m option in the lda delivery where you can give namespace prefix. Maybe it's good for this, but I couldn't find any information how can I do this with lmtp?
>
> If you set:
>
> lmtp_save_to_detail_mailbox = yes
> recipient_delimiter = #
>
> you could alias i...@domain.com to

What kind of alias do you think? At smtp time, like in the /etc/aliases? Eventually, i can configure exim to accept the # and / chars in the email address.

> user#public.mailbox.fol...@domain.com .
>
> 1st option tells LMTP to use the detail (subaddress) as default mailbox, which is essentially the same as the -m option of the LDA. 2nd option sets the delimiter of user and detail.
>
> user must have write permission to the folder.
>
> Regards,
>
> --
> Steffen Kaiser

Best regards:
Király László
Re: [Dovecot] namespace delivery question
On Tue, 2 Jul 2013, Laszlo Kiraly wrote:
>>> There is a -m option in the lda delivery where you can give namespace prefix. Maybe it's good for this, but I couldn't find any information how can I do this with lmtp?
>>
>> If you set:
>>
>> lmtp_save_to_detail_mailbox = yes
>> recipient_delimiter = #
>>
>> you could alias i...@domain.com to
>
> What kind of alias do you think? At smtp time, like in the /etc/aliases? Eventually, i can configure exim to accept the # and / chars in the email address.

Yes, SMTP time aliases - exim aliases for a local address. I do this often. Actually, exim might use '+' or '-' as delimiter already, I'm not sure. No need to use # exactly.

>> user#public.mailbox.fol...@domain.com .
>>
>> 1st option tells LMTP to use the detail (subaddress) as default mailbox, which is essentially the same as the -m option of the LDA. 2nd option sets the delimiter of user and detail.
>>
>> user must have write permission to the folder.

--
Steffen Kaiser
Re: [Dovecot] flat file in tmpfs for dict quota
On Thu, 27 Jun 2013, Ken A wrote:
> I'm using dict quota like so:
>
> quota = dict:User quota::file:/[path]/quotas/%u
>
> [path]/quotas/ is a tmpfs. The idea is to do less work on disk. Other than forcing dovecot to rebuild quotas on a reboot, are there any downsides?

I would say no, but to recalc the quota file might be more difficult than you think, make sure no logins or deliveries or automatic scripts change the content of the mail storage.

Regards,

--
Steffen Kaiser
[Dovecot] lmtp: Disable Delivered-To header
Hi,

using LMTP, is it possible to disable the addition of the Delivered-To header to messages?

Micha Krause
Re: [Dovecot] lmtp: Disable Delivered-To header
On 07/02/2013 04:14 PM Micha Krause wrote:
> Hi,
>
> using LMTP, is it possible to disable the addition of the Delivered-To header to messages?

Maybe by reverting parts of this changeset: http://hg.dovecot.org/dovecot-2.2/rev/61c3124bba93
There is no configuration setting to accomplish that.

Regards,
Pascal
--
The trapper recommends today: c01dcofe.1318...@localdomain.org
[Dovecot] LMTP Proxy
Trying to figure out Proxying with LMTP to a few back end storage servers for quota checking before accepting email delivery on the front end nodes. If I connect to the back end server directly via telnet, everything works great. If I use a front-end server to proxy to the back end server, I don't get the same result. Running 2.2.4 on both front and back end servers.

Any help would be appreciated.

-- backend dovecot.log:

dovecot: lmtp(72274): Error: userdb lookup(user@host*masteruser): Disconnected unexpectedly
dovecot: auth: Fatal: master: service(auth): child 72272 killed with signal 11 (core not dumped)

-- front end dovecot.log:

dovecot: lmtp(7495): Debug: auth input: user=user@host.comnopassword=hidden host=backend_server_ip destuser= u...@host.com*masteruser nologin=Y nodelay=Y proxy=Y pass=hidden port=2525

-- front end dovecot.conf:

lmtp_proxy = yes
protocols = lmtp
protocol lmtp {
  postmaster_address = postmas...@mydomain.com
  mail_plugins = quota
  passdb {
    args = /usr/local/etc/dovecot/dovecot-sql.conf
    driver = sql
  }
}
service lmtp {
  client_limit = 5
  executable = lmtp
  idle_kill = 0
  process_limit = 0
  process_min_avail = 0
  protocol = lmtp
  service_count = 0
  inet_listener lmtp {
    address = frontend_server_ip
    port = 2525
  }
}

-- backend dovecot.conf:

auth_master_user_separator = *
lmtp_rcpt_check_quota = yes
passdb {
  args = /usr/local/etc/dovecot/dovecot-sql.conf
  driver = sql
  master = yes
}
userdb {
  args = /usr/local/etc/dovecot/dovecot-sql.conf
  driver = sql
}
service lmtp {
  client_limit = 5
  executable = lmtp -L
  idle_kill = 0
  process_limit = 0
  process_min_avail = 0
  protocol = lmtp
  service_count = 0
  inet_listener lmtp {
    address = backend_server_ip
    port = 2525
  }
}
protocol lmtp {
  info_log_path = /var/log/dovecot-lmtp.log
  postmaster_address = postmas...@infowest.com
  mail_plugins = quota
}
Re: [Dovecot] LMTP Proxy
On 03.07.2013 02:20, Cassidy Larson wrote:
> Trying to figure out Proxying with LMTP to a few back end storage servers for quota checking before accepting email delivery on the front end nodes

how does LMTP proxy help here?

you need a policyd at the MTA which rejects the message directly from the client by knowing about quota of the target because after the MTA has accepted it *always* results in a bounce and incoming mailflow is hardly via LMTP

google: dovecot quota policyd postfix
http://www.dovecot.org/list/dovecot/2009-June/040400.html
Re: [Dovecot] dovecot corrupted transaction log
On 13/06/13 08:50, John Fawcett wrote:
> On 13/06/13 04:31, Timo Sirainen wrote:
>> On Tue, 2013-06-11 at 00:34 +0200, John Fawcett wrote:
>>> Hi
>>> I came across this error which happened immediately after a mail delivery to the inbox. Should I look for the problem externally to dovecot (ie. file system, operating system) or within dovecot? I never saw this error before installing 2.2.1, with 2.2.2 I seemed to get even more of them so currently back on 2.2.1
>>>
>>> Jun 11 00:00:05 rosalia dovecot: imap(myemail@mydomain): Error: Corrupted transaction log file /var/vmail/mydomain/myemail@mydomain/dovecot.index.log seq 311: file size shrank (1184 1304) (sync_offset=1304)
>>
>> Are you using NFS or some other cluster filesystem with multiple servers? If yes, see http://wiki2.dovecot.org/NFS. If not, show doveconf -n and describe the setup more.
>
> Timo
> thanks for your response. There is no NFS involved. The file system seems to be reiserfs (as reported by df -T) though I wonder why fsck reports it would use fsck.ext2 (which I did not run).
>
> It is a single server vpn container hosting a few sites and low volume mail service. The operating system is centos 6.4
>
> The setup is with postfix, amavisd and dovecot using sieve. Dovecot and sieve are built from source
>
> Clients are roundcube and usual mail clients mainly thunderbird.
>
> I cannot link the errors to anything specific, except that they started happening 5 minutes after upgrade to 2.2.1 from 2.1.5. The error happens on multiple mailboxes. I never saw the error prior to that, looking at logs back to version 2.1.7.
>
> Below is the dovecot -n output
>
> Thanks
> John
>
> dovecot -n
> # 2.2.1: /etc/dovecot/dovecot.conf
> # OS: Linux 2.6.18-028stab092.1 x86_64 CentOS release 6.4 (Final)
> auth_mechanisms = plain login
> dict {
>   expire = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
>   quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
> }
> first_valid_uid = 200
> listen = 80.237.194.64
> mail_plugins = quota expire
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
> passdb {
>   args = /etc/dovecot/dovecot-sql.conf.ext
>   driver = sql
> }
> plugin {
>   expire = Trash
>   expire2 = Trash/*
>   expire3 = Spam
>   expire4 = Postmaster
>   expire_dict = proxy::expire
>   fts = squat
>   fts_squat = partial=4 full=10
>   quota = dict:User quota::proxy::quota
>   quota_rule = *:storage=1G
>   quota_rule2 = Trash:storage=+100M
>   sieve = ~/sieve/.dovecot.sieve
>   sieve_dir = ~/sieve
> }
> protocols = imap pop3 lmtp sieve
> service auth-worker {
>   user = $default_internal_user
> }
> service auth {
>   unix_listener auth-userdb {
>     group = mail
>     mode = 0660
>   }
> }
> service dict {
>   unix_listener dict {
>     group = mail
>     mode = 0660
>   }
> }
> service lmtp {
>   unix_listener /var/spool/postfix/private/dovecot-lmtp {
>     group = postfix
>     mode = 0660
>     user = postfix
>   }
> }
> ssl_cert = /etc/ssl/extcerts/mail.erba.tv.dovecot-bundle.crt
> ssl_key = /etc/ssl/extcerts/mail.erba.tv.dovecot.nopass.key
> userdb {
>   args = /etc/dovecot/dovecot-sql.conf.ext
>   driver = sql
> }
> protocol lmtp {
>   mail_plugins = quota expire sieve
> }
> protocol lda {
>   mail_plugins = quota expire sieve
> }
> protocol imap {
>   mail_plugins = quota expire imap_quota fts fts_squat
> }

The log corruptions are continuing, I now have 2.2.4 installed. They always seem to happen in proximity to a mail delivery.

Is there anything that anyone can suggest for how to get a step closer to diagnosing the cause? Is there some debugging I can put on that would be useful?

Thanks
John
Re: [Dovecot] dovecot corrupted transaction log
On 3.7.2013, at 4.10, John Fawcett john...@erba.tv wrote:
>>> Jun 11 00:00:05 rosalia dovecot: imap(myemail@mydomain): Error: Corrupted transaction log file /var/vmail/mydomain/myemail@mydomain/dovecot.index.log seq 311: file size shrank (1184 1304) (sync_offset=1304)
>>
>> Are you using NFS or some other cluster filesystem with multiple servers? If yes, see http://wiki2.dovecot.org/NFS. If not, show doveconf -n and describe the setup more.
>
> thanks for your response. There is no NFS involved. The file system seems to be reiserfs (as reported by df -T) though I wonder why fsck reports it would use fsck.ext2 (which I did not run).
>
> The log corruptions are continuing, I now have 2.2.4 installed. They always seem to happen in proximity to a mail delivery.
>
> Is there anything that anyone can suggest for how to get a step closer to diagnosing the cause? Is there some debugging I can put on that would be useful?

If this problem is happening only because of reiserfs (and it kind of seems that way), I don't think there's anything that can be done except to move away from it. It's been a long time since I've heard of any problems related to Dovecot's handling of index files that didn't involve some non-POSIX filesystem, so I'm kind of thinking the problem has more to do with reiserfs than Dovecot.

You could of course keep the maildirs in reiserfs and just move Dovecot's index files to tmpfs. That would work well as long as you didn't have to reboot (after reboot your performance would be more or less bad for a while).
Re: [Dovecot] lmtp: Disable Delivered-To header
On 2.7.2013, at 17.14, Micha Krause mi...@krausam.de wrote:
> using LMTP, is it possible to disable the addition of the Delivered-To header to messages?

No. But why?
[Dovecot] dnsbl feature for dovecot
dnsbl's are a popular method to prevent listed ips from making connections to mta software. cf. postscreen_dnsbl_sites in postfix

Would it be possible to introduce such a feature in dovecot, so that connections can be denied based on a dnsbl lookup (where the precise dnsbls used are configurable)?

John
Re: [Dovecot] LMTP Proxy
On 3.7.2013, at 3.20, Cassidy Larson alanda...@gmail.com wrote:
> dovecot: auth: Fatal: master: service(auth): child 72272 killed with signal 11 (core not dumped)

A crash is always a bug. It would be nice to be able to fix it. A gdb backtrace would be the easiest way to fix it. One possibility would be to get a core dump, which could be kind of annoyingly difficult since it didn't already happen. One hopefully easier way would be to:

1. telnet localhost 143

2. In another terminal run:

ps aux | grep dovecot/auth
gdb -p <pid of that auth process>
cont
<do whatever to get the process to crash>
bt full
Re: [Dovecot] dnsbl feature for dovecot
On 3.7.2013, at 4.21, John Fawcett john...@erba.tv wrote:
> dnsbl's are a popular method to prevent listed ips from making connections to mta software. cf. postscreen_dnsbl_sites in postfix
>
> Would it be possible to introduce such a feature in dovecot, so that connections can be denied based on a dnsbl lookup (where the precise dnsbls used are configurable)?

You're talking about IMAP/POP3 connections? Possible, yeah .. possibly even without code changes by using tcpwrappers.
Re: [Dovecot] dnsbl feature for dovecot
On 7/2/2013 6:21 PM, John Fawcett wrote:
> dnsbl's are a popular method to prevent listed ips from making connections to mta software. cf. postscreen_dnsbl_sites in postfix
>
> Would it be possible to introduce such a feature in dovecot, so that connections can be denied based on a dnsbl lookup (where the precise dnsbls used are configurable)?
>
> John

Let's back up a bit. This does not seem like a feature that Dovecot needs. Rather, what problem are you trying to solve? Maybe there is an existing or better way to accomplish it.

Dem
Re: [Dovecot] LMTP Proxy
Timo,

Does this give you what you need?

#0 0x131bbdd4 in strcmp () from /lib/libc.so.7
No symbol table info available.
#1 0x0040d0af in auth_find_service ()
No symbol table info available.
#2 0x00413b38 in auth_request_set_login_username ()
No symbol table info available.
#3 0x00413c72 in auth_request_set_username ()
No symbol table info available.
#4 0x0040eedf in ?? ()
No symbol table info available.
#5 0x0040f855 in ?? ()
No symbol table info available.
#6 0x108c7a16 in io_loop_call_io () from /usr/local/lib/dovecot/libdovecot.so.0
No symbol table info available.
#7 0x108c89d6 in io_loop_handler_run () from /usr/local/lib/dovecot/libdovecot.so.0
No symbol table info available.
#8 0x108c79bd in io_loop_run () from /usr/local/lib/dovecot/libdovecot.so.0
No symbol table info available.
#9 0x1087e443 in master_service_run () from /usr/local/lib/dovecot/libdovecot.so.0
No symbol table info available.
#10 0x0041bb90 in main ()
No symbol table info available.

On Tue, Jul 2, 2013 at 7:25 PM, Timo Sirainen t...@iki.fi wrote:
> On 3.7.2013, at 3.20, Cassidy Larson alanda...@gmail.com wrote:
>> dovecot: auth: Fatal: master: service(auth): child 72272 killed with signal 11 (core not dumped)
>
> A crash is always a bug. It would be nice to be able to fix it. A gdb backtrace would be the easiest way to fix it. One possibility would be to get a core dump, which could be kind of annoyingly difficult since it didn't already happen. One hopefully easier way would be to:
>
> 1. telnet localhost 143
>
> 2. In another terminal run:
>
> ps aux | grep dovecot/auth
> gdb -p <pid of that auth process>
> cont
> <do whatever to get the process to crash>
> bt full
Re: [Dovecot] dnsbl feature for dovecot
On 7/2/2013 8:32 PM, Professa Dementia wrote:
> On 7/2/2013 6:21 PM, John Fawcett wrote:
>> dnsbl's are a popular method to prevent listed ips from making connections to mta software. cf. postscreen_dnsbl_sites in postfix
>>
>> Would it be possible to introduce such a feature in dovecot, so that connections can be denied based on a dnsbl lookup (where the precise dnsbls used are configurable)?
>>
>> John
>
> Let's back up a bit. This does not seem like a feature that Dovecot needs. Rather, what problem are you trying to solve? Maybe there is an existing or better way to accomplish it.

Based on John's recent thread on postfix-users on the same general subject, I'd guess he's trying to stop rogue/malicious connections.

--
Stan
Re: [Dovecot] dnsbl feature for dovecot
On 7/2/2013 7:11 PM, Stan Hoeppner wrote:
> On 7/2/2013 8:32 PM, Professa Dementia wrote:
>> On 7/2/2013 6:21 PM, John Fawcett wrote:
>>> dnsbl's are a popular method to prevent listed ips from making connections to mta software. cf. postscreen_dnsbl_sites in postfix
>>>
>>> Would it be possible to introduce such a feature in dovecot, so that connections can be denied based on a dnsbl lookup (where the precise dnsbls used are configurable)?
>>>
>>> John
>>
>> Let's back up a bit. This does not seem like a feature that Dovecot needs. Rather, what problem are you trying to solve? Maybe there is an existing or better way to accomplish it.
>
> Based on John's recent thread on postfix-users on the same general subject, I'd guess he's trying to stop rogue/malicious connections.

That's my point. A self run IP blackhole list is almost useless. Distributed RBLs are much more effective. However, existing ones are based on spam sources, not malicious connections to POP or IMAP servers.

Knowing the problem would be beneficial in determining a good solution. For certain types of connection abuse, Fail2Ban works remarkably well. But, without knowing his exact problem, it may not be the correct solution.

Dem
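The lookup that the feature requested in this thread would perform against a configurable list of DNSBL zones, as an added example that is not part of any message above and is not Dovecot or Postfix code. The zone name, the addresses and the stand-in resolver are constructed; the function names are hypothetical.

```python
# Added example: the DNSBL check discussed in this thread, with the zone
# list configurable. Zone names and addresses below are constructed
# (documentation ranges), and the resolver can be swapped for offline use.
import ipaddress
import socket


def dnsbl_query_name(ip, zone):
    """Build the name to look up: reversed address labels followed by the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))             # octets, reversed
    else:
        labels = reversed(addr.exploded.replace(":", ""))   # 32 nibbles, reversed
    return ".".join(labels) + "." + zone.strip(".")


def system_resolver(name):
    """Return the A records for name, or [] when it does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:  # covers socket.gaierror and socket.herror
        return []


def check_dnsbl(ip, zones, resolve=system_resolver):
    """Return {zone: [return codes]} for every zone that lists ip.

    A listing is signalled by an A record in 127.0.0.0/8; anything else
    (no answer, or an answer outside that range) is treated as not listed.
    """
    hits = {}
    for zone in zones:
        answers = resolve(dnsbl_query_name(ip, zone))
        codes = [a for a in answers if a.startswith("127.")]
        if codes:
            hits[zone] = codes
    return hits


# Constructed zone data standing in for DNS, so the example runs offline.
FAKE_ZONE = {
    "10.2.0.192.dnsbl.example.org": ["127.0.0.2"],
    "11.2.0.192.dnsbl.example.org": ["203.0.113.1"],  # not a listing code
}


def fake_resolver(name):
    return FAKE_ZONE.get(name, [])


if __name__ == "__main__":
    zones = ["dnsbl.example.org", "other.example.net"]
    for client in ("192.0.2.10", "192.0.2.11", "2001:db8::1"):
        verdict = check_dnsbl(client, zones, resolve=fake_resolver)
        print(client, "listed in" if verdict else "not listed", verdict or "")
```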