Re: [Dovecot] Dovecot LMTP does not pass envelope recipient +detail to sieve

2014-01-14 Thread Steffen Kaiser

On Sun, 12 Jan 2014, Greg Rivers wrote:


On Sat, 11 Jan 2014, Steffen wrote:


I have:
... deliverable: mailer local, user uid+detail
instead of deliverable: mailer local, host detail, user gcr

Hmm, see 
http://etutorials.org/Server+Administration/Sendmail/Part+I+Build+and+Install/Chapter+4.+Configure+sendmail.cf+with+m4/FEATUREpreserve_local_plus_detail/


My mc-file has this setting commented out (prefixed by dnl). Ah, I see
where the processing differs. I had added this:

SLocal_localaddr
R $*  $1  Remove  from address
R$+ + $*$: $1   Remove detail from address
R$+ $: $(localuser $1 $: TEMPFAIL $) $1   Query socket
map server, if that's a local user
ROK $*$# ok   yes, this preserves detail
RREJECT $*$# error $@ 5.7.1 $: 550 User unknown
RTEMPFAIL $*  $# error $@ TEMPFAIL $: $1 try again later  Does
it work

See the ROK line. The map is to verify if the user is local or not.
In my system sendmail cannot do so on its own. Maybe the FEATURE above
works for the standard config.



FEATURE(`preserve_local_plus_detail') is actually one of the first things I 
tried when I started working on this problem, but it doesn't quite work with 
the standard configuration:


$ sendmail -bv -d21.12 gcr+xy...@badger.tharned.org
-rule matches: $@ $1
rewritten as: gcr + xyzzy
rewrite: ruleset localaddr returns: gcr + xyzzy
gcr+xy...@badger.tharned.org... User unknown


OK, that rings a bell:
the problem is the w flag. It checks that a valid system user exists.

If you remove the w flag, you lose the system user validity check and 
the .forward feature.


You have four ways, IMHO:

a) switch to LDA

b) add Local_localaddr to validate the user yourself and accept that the 
.forward feature is not working


c) I've patched sendmail's mailbox database code with a Dovecot stub that 
queries the UserDB socket for the validity of the users.
If you use system users, you could probably just patch libsm/mbdb.c: 
mbdb_pw_lookup(name, user) to cut the +detail, something like:


#include <pwd.h>
#include <string.h>

struct passwd *pw;
char *detailp;

/* temporarily cut the +detail so the lookup only sees the base user name */
if ((detailp = strchr(name, '+')) != NULL)
	*detailp = '\0';
pw = getpwnam(name);
if (detailp != NULL)
	*detailp = '+';	/* put the original string back */

This code is untested and I don't know if mbdb_pw_lookup() could get 
passed a pointer to a constant, which would throw a SEGV or SIGBUS or 
whatever signal and dump core.


d) try a PAM module in pam.d/sendmail that strips the +detail before 
processing the request


e) try to file a bug with sendmail.

-- 
Steffen Kaiser

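As an added illustration (not code from the thread, from sendmail or from Dovecot), this Python model mirrors what the Local_localaddr ruleset above and the proposed mbdb_pw_lookup() patch both do: look up only the base user, keep the +detail for delivery, and map the lookup outcome to the ruleset's OK / REJECT / TEMPFAIL. The function and result names are assumptions; the lookup is injectable so a socket map or getpwnam() can be plugged in.

```python
import pwd
from typing import Callable, NamedTuple, Optional


class RecipientDecision(NamedTuple):
    status: str            # "ok", "reject" or "tempfail", like the ruleset's OK/REJECT/TEMPFAIL
    user: Optional[str]    # base user that was looked up, +detail removed
    detail: Optional[str]  # the +detail, preserved for delivery (sieve, .forward, ...)


def system_user_exists(name: str) -> bool:
    """Validity check against the system password database (what the w flag
    does before local delivery), run on a name that no longer carries +detail."""
    try:
        pwd.getpwnam(name)
        return True
    except KeyError:
        return False


def resolve_local_recipient(local_part: str,
                            user_exists: Callable[[str], bool]) -> RecipientDecision:
    """Model of the Local_localaddr ruleset from the thread: drop a surrounding
    <>, cut the +detail, query the lookup with the base name only.
    A lookup *failure* (socket map down, NSS error) becomes tempfail rather
    than a hard 550, so the MTA retries instead of bouncing the message."""
    name = local_part.strip()
    if name.startswith("<") and name.endswith(">"):
        name = name[1:-1]
    # Same split as the "R$+ + $*  $: $1" rule: everything after the first '+' is detail.
    base, sep, detail = name.partition("+")
    kept_detail = detail if sep else None
    if not base:
        # nothing left to look up ("+xyzzy"): treat as an unknown user
        return RecipientDecision("reject", None, kept_detail)
    try:
        exists = user_exists(base)
    except Exception:
        return RecipientDecision("tempfail", base, kept_detail)
    return RecipientDecision("ok" if exists else "reject", base, kept_detail)
```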


Re: [Dovecot] Dovecot LMTP does not pass envelope recipient +detail to sieve

2014-01-14 Thread Greg Rivers

On Tue, 14 Jan 2014, Steffen Kaiser wrote:

FEATURE(`preserve_local_plus_detail') is actually one of the first things 
I tried when I started working on this problem, but it doesn't quite work 
with the standard configuration:


$ sendmail -bv -d21.12 gcr+xy...@badger.tharned.org
-rule matches: $@ $1
rewritten as: gcr + xyzzy
rewrite: ruleset localaddr returns: gcr + xyzzy
gcr+xy...@badger.tharned.org... User unknown


OK, that rings a bell:
the problem is the w flag. It checks that a valid system user exists.

If you remove the w flag, you lose the system user validity check and 
the .forward feature.




Yes, I had considered that.


You have four ways, IMHO:

a) switch to LDA



That's what I plan to do in the interim.

b) add Local_localaddr to validate the user yourself and accept that the 
.forward feature is not working




I can't do without .forward.

c) I've patched sendmail's mailbox database code with a Dovecot stub, 
that queries the UserDB socket for validity of the users. If you use 
system users, you could probably just patch libsm/mbdb.c: 
mbdb_pw_lookup(name, user) to cut the +detail, something like:


[snip]

d) try a PAM module in pam.d/sendmail, that strips the +detail before 
processing the request




These would be a last resort.


e) try to file a bug with sendmail.



Actually I did that yesterday.  Claus Assmann is looking at it with me, so 
I'm sure to get more good advice.


Thanks for looking at it and for your really useful suggestions.
(BTW, options a through e is five ways, not four. :-)

I'll keep this thread updated with my findings.

--
Greg


[Dovecot] SSL/TLS handshake stays forever without timeout

2014-01-14 Thread morrison
Hi,

I am a system admin and I am evaluating using dovecot as our email server. In 
my test, I found that if I telnetted to port 993 and did not do anything, or I 
telnetted to port 143, sent the starttls command and then did not do anything, the 
connection stayed open forever without a timeout. This will make our mail server 
vulnerable to a DoS attack. I dug into the dovecot wiki and did not find any 
solution. It seems to me that dovecot does not handle the SSL/TLS handshake 
timeout. I am wondering if this is a known issue and will be fixed in the near 
future.

Thanks,


[Dovecot] Fatal: master: service(lmtp): child n killed with signal 11 (core dumped) - in mail_cache_header_fields_read

2014-01-14 Thread Maciej Uhlig
This is a log from dovecot 2.1.17 (I had to downgrade from 2.2.10 because of a lot of 
problems) on CentOS 6.5:

2014-01-14T18:36:03+01:00 server/a.b.c.d dovecot: lmtp(5927): Fatal: master: 
service(lmtp): child 5927 killed with signal 11 (core dumped)

# uname -a
Linux server 2.6.32-431.1.2.0.1.el6.x86_64 #1 SMP Fri Dec 13 13:06:13 UTC 2013 
x86_64 x86_64 x86_64 GNU/Linux

(gdb) bt full
#0  0x7fb14b9b3bb5 in mail_cache_header_fields_read ()
   from /usr/local/dovecot-2.1.17/lib/dovecot/libdovecot-storage.so.0
No symbol table info available.
#1  0x7fb14b9b19aa in mail_cache_open_and_verify ()
   from /usr/local/dovecot-2.1.17/lib/dovecot/libdovecot-storage.so.0
No symbol table info available.
#2  0x7fb14b9b35bd in mail_cache_register_get_list ()
   from /usr/local/dovecot-2.1.17/lib/dovecot/libdovecot-storage.so.0
No symbol table info available.
#3  0x7fb14b9a11a7 in index_mail_parse_header_init ()
   from /usr/local/dovecot-2.1.17/lib/dovecot/libdovecot-storage.so.0
No symbol table info available.
#4  0x7fb14b9a1ff8 in index_mail_cache_parse_init ()
   from /usr/local/dovecot-2.1.17/lib/dovecot/libdovecot-storage.so.0
No symbol table info available.
#5  0x7fb14b94c982 in maildir_save_add ()
   from /usr/local/dovecot-2.1.17/lib/dovecot/libdovecot-storage.so.0
No symbol table info available.
#6  0x7fb14b94ccd8 in maildir_save_begin ()
   from /usr/local/dovecot-2.1.17/lib/dovecot/libdovecot-storage.so.0
No symbol table info available.
#7  0x7fb14b031b23 in quota_save_begin ()
   from /usr/local/dovecot/lib/dovecot/lib10_quota_plugin.so
No symbol table info available.
#8  0x7fb14b982552 in mailbox_save_begin ()
   from /usr/local/dovecot-2.1.17/lib/dovecot/libdovecot-storage.so.0
No symbol table info available.
#9  0x7fb14b97ae8f in mail_storage_copy ()
   from /usr/local/dovecot-2.1.17/lib/dovecot/libdovecot-storage.so.0
No symbol table info available.
#10 0x7fb14b948ef6 in maildir_copy ()
   from /usr/local/dovecot-2.1.17/lib/dovecot/libdovecot-storage.so.0
No symbol table info available.
#11 0x7fb14ae25551 in notify_copy ()
   from /usr/local/dovecot/lib/dovecot/lib15_notify_plugin.so
No symbol table info available.
#12 0x7fb14b031907 in quota_copy ()
   from /usr/local/dovecot/lib/dovecot/lib10_quota_plugin.so
No symbol table info available.
#13 0x7fb14b9824aa in mailbox_copy ()
   from /usr/local/dovecot-2.1.17/lib/dovecot/libdovecot-storage.so.0
No symbol table info available.
#14 0x7fb14a9d7dc6 in act_store_execute ()
   from /usr/local/dovecot-2.1.17/lib/dovecot/libdovecot-sieve.so.0
No symbol table info available.
#15 0x7fb14a9ce0f4 in _sieve_result_implicit_keep ()
   from /usr/local/dovecot-2.1.17/lib/dovecot/libdovecot-sieve.so.0
No symbol table info available.
#16 0x7fb14a9cfe27 in sieve_result_execute ()
   from /usr/local/dovecot-2.1.17/lib/dovecot/libdovecot-sieve.so.0
No symbol table info available.
#17 0x7fb14a9df918 in sieve_multiscript_run ()
   from /usr/local/dovecot-2.1.17/lib/dovecot/libdovecot-sieve.so.0
No symbol table info available.
#18 0x7fb14ac2189e in lda_sieve_deliver_mail ()
   from /usr/local/dovecot/lib/dovecot/lib90_sieve_plugin.so
No symbol table info available.
#19 0x7fb14bc1d305 in mail_deliver ()
   from /usr/local/dovecot-2.1.17/lib/dovecot/libdovecot-lda.so.0
No symbol table info available.
#20 0x004054c3 in client_input_data_handle ()
No symbol table info available.
#21 0x7fb14b6ba146 in io_loop_call_io ()
   from /usr/local/dovecot-2.1.17/lib/dovecot/libdovecot.so.0
No symbol table info available.
#22 0x7fb14b6bb46d in io_loop_handler_run ()
   from /usr/local/dovecot-2.1.17/lib/dovecot/libdovecot.so.0
No symbol table info available.
#23 0x7fb14b6ba0e8 in io_loop_run ()
   from /usr/local/dovecot-2.1.17/lib/dovecot/libdovecot.so.0
No symbol table info available.
#24 0x7fb14b6a4043 in master_service_run ()
   from /usr/local/dovecot-2.1.17/lib/dovecot/libdovecot.so.0
No symbol table info available.
#25 0x00404096 in main ()
No symbol table info available.
(gdb)

MU






[Dovecot] restored mails

2014-01-14 Thread Wojciech Giel

Hello,
I am running dovecot 2.1 on debian wheezy. We are using maildir 
format. One of our users deleted the content of his INBOX folder during Xmas. 
He wants these messages back.
I had these mails on tape. I have restored them to his inbox/cur 
directory but dovecot is not indexing them. The email client shows an empty 
inbox as well.

I tried to run manually:

doveadm index -u john -q INBOX
No change.
Deleting the indexes didn't help.

How do I restore these emails?
thanks
Woj

my config:
# 2.1.7: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-4-amd64 x86_64 Debian 7.3
auth_debug = yes
auth_mechanisms = plain login cram-md5
auth_verbose = yes
listen = *
log_path = /var/log/dovecot.log
log_timestamp = %Y-%m-%d %H:%M:%S 
login_greeting = IMAP Server is ready.
mail_debug = yes
mail_location = maildir:~/Maildir:INDEX=~/dovecot-control/indexes:CONTROL=~/dovecot-control:LAYOUT=fs
mail_plugins =  quota trash
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope 
encoded-character vacation subaddress comparator-i;ascii-numeric 
relational regex imap4flags copy include variables body enotify 
environment mailbox date ihave

passdb {
  driver = pam
}
passdb {
  args = scheme=cram-md5 /etc/dovecot/passwd
  driver = passwd-file
}
plugin {
  antispam_backend = pipe
  antispam_debug_target = syslog
  antispam_mail_sendmail = /usr/bin/sa-learn-pipe.sh
  antispam_pipe_program_notspam_arg = --ham
  antispam_pipe_program_spam_arg = --spam
  antispam_pipe_tmpdir = /tmp
  antispam_spam = Junk;Spam
  antispam_trash_pattern = Trash;Deleted *
  antispam_verbose_debug = 0
  autocreate = INBOX
  autocreate2 = Sent
  autocreate3 = Trash
  autocreate4 = Drafts
  autocreate5 = Junk
  autosubscribe = INBOX
  autosubscribe2 = Sent
  autosubscribe3 = Trash
  autosubscribe4 = Drafts
  autosubscribe5 = Junk
  quota = maildir:User quota
  quota_warning = storage=95%% quota-warning 95 %u
  quota_warning2 = storage=80%% quota-warning 80 %u
  quota_warning3 = -storage=100%% quota-warning below %u
  sieve = ~/.dovecot.sieve
  sieve_default = /var/spool/dovecot/default.sieve
  sieve_dir = ~/sieve
  sieve_global_dir = /var/spool/dovecot/
  trash = /etc/dovecot/dovecot-trash.conf.ext
}
protocols = imap sieve
service auth {
  unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0666
user = postfix
  }
  unix_listener auth-master {
mode = 0666
  }
}
service managesieve-login {
  inet_listener sieve {
port = 2000
  }
}
service quota-warning {
  executable = script /usr/bin/dovecot-quota-warning.sh
  user = postfix
}
ssl_ca = /etc/postfix/ssl/cacert.pem
ssl_cert = /etc/postfix/ssl/servercrt.pem
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP-ADH-DES-CBC-SHA:!EXP-EDH-RSA-DES-CBC-SHA:!EXP-DES-CBC-SHA:!EXP-RC2-CBC-MD5:!EXP-RC4-MD5:!EXP-ADH-RC4-MD5:!ADH-DES-CBC3-SHA:!ADH-RC4-MD5:!ADH-DES-CBC3-SHA:!ADH-AES128-SHA:!ADH-AES256-SHA:!ADH-RC4-MD5:!RC4
ssl_key = /etc/postfix/ssl/serverkey.pem
userdb {
  args = /etc/dovecot/passwd
  driver = passwd-file
}
userdb {
  driver = passwd
}
protocol lda {
  deliver_log_format = msgid=%m: %$
  info_log_path = /var/log/dovecot-deliver.log
  log_path = /var/log/dovecot-deliver.log
  mail_plugins =  quota trash autocreate sieve
  postmaster_address = postmaster
  quota_full_tempfail = yes
  rejection_reason = Your message to %t was automatically rejected:%n%r
}
protocol imap {
  imap_client_workarounds = tb-extra-mailbox-sep delay-newmail tb-lsub-flags
  mail_max_userip_connections = 10
  mail_plugins =  quota trash imap_quota autocreate antispam
}

1379333576.M520387P21423.pine,S=5016,W=5183:2,S 
1389710739.M139355P6177.pine,S=38933,W=39648:2,Sd
1379340386.M670300P24951.pine,S=2282,W=2328:2,S 
1389710937.M15977P6316.pine,S=20426,W=20831:2,Sd
1379342173.M207466P25909.pine,S=2649,W=2700:2,S 
1389715067.M350398P8795.pine,S=18288,W=18549:2,Sd
1379343332.M808399P26628.pine,S=3862,W=3952:2,S 
1389715305.M250290P8929.pine,S=4264,W=4346:2,Sd
1379343742.M248785P27359.pine,S=4772,W=4891:2,RS 
1389723554.M26883P13831.pine,S=47655,W=47979:2,d

1379343783.M47728P27388.pine,S=22571,W=23053:2,S
root@pine:/home/john/Maildir/INBOX/cur#




Re: [Dovecot] panic!

2014-01-14 Thread LuKreme
In our previous episode (Monday, 13-Jan-2014), LuKreme said:
 Jan 13 19:09:07 mail dovecot: lda(j...@example.com): Panic: file 
 mail-transaction-log-file.c: line 1148 
 (mail_transaction_log_file_get_highest_modseq_at): assertion failed: (offset 
 <= file->sync_offset)
 Jan 13 19:09:08 mail kernel: pid 8435 (dovecot-lda), uid 89: exited on signal 
 6 (core dumped)
 Jan 13 19:14:16 mail dovecot: lda(j...@example.com): Panic: file 
 mail-transaction-log-file.c: line 1148 
 (mail_transaction_log_file_get_highest_modseq_at): assertion failed: (offset 
 <= file->sync_offset)
 Jan 13 19:14:16 mail kernel: pid 9648 (dovecot-lda), uid 89: exited on signal 
 6 (core dumped)

No one?

-- 
I mistook thee for thy better Hamlet Act III scene 4



Re: [Dovecot] SSL/TLS handshake stays forever without timeout

2014-01-14 Thread Pascal Volk
On 01/14/2014 04:42 PM morrison wrote:
 Hi,
 
 I am a system admin and I am evaluating using dovecot as our email server. In 
 my test, I found that if I telnetted to port 993 and did not do anything, or I 
 telnetted to port 143, sent the starttls command and then did not do anything, the 
 connection stayed open forever without a timeout. This will make our mail server 
 vulnerable to a DoS attack. I dug into the dovecot wiki and did not find any 
 solution. It seems to me that dovecot does not handle the SSL/TLS handshake 
 timeout. I am wondering if this is a known issue and will be fixed in the near 
 future.
 
 Thanks,
 

Please define 'forever'

I just did `time openssl s_client -connect mail.example.com:143
-starttls imap` (and nothing else):

CONNECTED(0003)
depth=0 CN = mail.…
…
. OK Pre-login capabilities listed, post-login capabilities have more.
* BYE Disconnected for inactivity.
closed

real    3m0.377s
user    0m0.016s
sys     0m0.000s


As you can see, Dovecot closed the connection after three minutes.


Regards,
Pascal
-- 
The trapper recommends today: fabaceae.1401...@localdomain.org


Re: [Dovecot] SSL/TLS handshake stays forever without timeout

2014-01-14 Thread Reindl Harald


Am 14.01.2014 20:26, schrieb Pascal Volk:
 Please define 'forever'
 
 I just did `time openssl s_client -connect mail.example.com:143
 -starttls imap` (and nothing else):
 
 CONNECTED(0003)
 depth=0 CN = mail.…
 …
 . OK Pre-login capabilities listed, post-login capabilities have more.
 * BYE Disconnected for inactivity.
 closed
 
 real    3m0.377s
 user    0m0.016s
 sys     0m0.000s
 
 As you can see, Dovecot closed the connection after three minutes

did you read the "This will make our mail server vulnerable to DOS attack"?
3 minutes is *way too long* in case of a DOS attack

if not a single byte of data is received there is no reason not to close
the connection after 30 seconds at the latest





Re: [Dovecot] SSL/TLS handshake stays forever without timeout

2014-01-14 Thread Adrian Zaugg
Hi Pascal

Am 14.01.14 20:26 schrieb Pascal Volk:
 On 01/14/2014 04:42 PM morrison wrote:
 Please define 'forever'
 
 I just did `time openssl s_client -connect mail.example.com:143
 -starttls imap` (and nothing else):

This is not the test morrison suggested. Doing his test with telnet,
and thus not completing the SSL handshake, the connection stays open much
longer than 3 minutes. I closed the connection manually now, after a
little more than 2 hours. This is on Dovecot 2.1.7.

Regards, Adrian.


Re: [Dovecot] SSL/TLS handshake stays forever without timeout

2014-01-14 Thread Andreas Schulze
Am 14.01.2014 20:38 schrieb Adrian Zaugg:
 This is not the test morrison suggested. Doing his test with telnet,
 and thus not completing the SSL handshake, the connection stays open much
 longer than 3 minutes. I closed the connection manually now, after a
 little more than 2 hours. This is on Dovecot 2.1.7.
same here with dovecot-2.2.10

$ date; telnet imaphost 143
Di 14. Jan 21:57:59 CET 2014
IMAP dialog
. starttls
. OK Begin TLS negotiation now.

...
now it's 23:53 and the tcp connection is still established.

in contrast: postfix-2.11
$ date; telnet mx 25; date
Di 14. Jan 23:42:45 CET 2014
SMTP dialog
...
starttls
220 2.0.0 Ready to start TLS
Connection closed by foreign host.
Di 14. Jan 23:48:10 CET 2014

looks like postfix handles the timeout smarter.

Andreas
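To put numbers on what this thread measures by hand (telnet, STARTTLS, then silence), here is an added Python check that is not from the thread or from Dovecot: it connects, optionally sends STARTTLS, then sends nothing and reports how long the server keeps the silent connection open. The stub server is a constructed stand-in so the check runs offline; the function names are assumptions, and seconds_until_server_closes() can be pointed at a real host and port to measure a live server's idle limit.

```python
import socket
import threading
import time


class IdleCloseImapStub:
    """Constructed stand-in for an IMAP server: greets, answers STARTTLS, and
    closes a client that stays silent for idle_close_s seconds. It never speaks
    TLS; it only exists so the timing check below can run offline."""

    def __init__(self, idle_close_s: float):
        self.idle_close_s = idle_close_s
        self._listener = socket.socket()
        self._listener.bind(("127.0.0.1", 0))
        self._listener.listen(1)
        self.port = self._listener.getsockname()[1]
        threading.Thread(target=self._serve_one, daemon=True).start()

    def _serve_one(self):
        conn, _ = self._listener.accept()
        with conn:
            conn.sendall(b"* OK IMAP4rev1 ready\r\n")
            conn.settimeout(self.idle_close_s)  # the idle limit under test
            try:
                while True:
                    data = conn.recv(1024)
                    if not data:
                        return  # client hung up first
                    if data.strip().lower().endswith(b"starttls"):
                        conn.sendall(b". OK Begin TLS negotiation now.\r\n")
                        # a real server would now wait for ClientHello bytes
            except socket.timeout:
                pass  # idle limit reached: leaving the block closes the socket


def seconds_until_server_closes(host: str, port: int, max_wait_s: float,
                                send_starttls: bool = True):
    """Connect, optionally send STARTTLS, then stay silent and measure how long
    the server keeps the connection open. Returns the seconds until the server
    closed it, or None if it was still open after max_wait_s."""
    with socket.create_connection((host, port), timeout=max_wait_s) as s:
        s.recv(1024)  # greeting
        if send_starttls:
            s.sendall(b". starttls\r\n")
            s.recv(1024)  # ". OK Begin TLS negotiation now."
        start = time.monotonic()
        deadline = start + max_wait_s
        while True:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                return None
            s.settimeout(remaining)
            try:
                chunk = s.recv(1024)
            except socket.timeout:
                return None
            if chunk == b"":  # EOF: the server closed the connection
                return time.monotonic() - start
            # anything else (e.g. "* BYE Disconnected for inactivity.") is the
            # server's farewell; keep reading until the actual close
```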


[Dovecot] dsync mbox to maildir migration does not delete, deleted e-mails

2014-01-14 Thread A M
Hello,

I am planning to migrate all users from mbox to maildir.

I am trying to do it with minimum downtime. (~100GB data)

All users are currently using POP3.

Dovecot version is 2.2.10 (latest).
Command used is:
dsync -u username mirror maildir:~/Maildir


Process I plan is: (omitting steps related to sendmail / procmail)


1) keep dovecot running (with mail_location as mbox)
2) dsync for all users (this may take 3-4 hours or more)

3) (downtime starts) stop dovecot and sendmail (to stop new e-mails)

4) block pop3, imap ports on firewall (so users can not connect)
5) start dovecot (still with mbox)

6) dsync again to sync e-mails arrived between step 2 and 3

7) dsync again (just to make sure!)
8) (downtime ends) restart dovecot (with mail_location as maildir)


Now, here is my problem.

Let's say there is a user joe, who has 50 NEW e-mails in mbox (INBOX).


Step 2 perfectly syncs his 50 e-mails to 'new' folder of maildir.


Now in the meantime, before step 3, he connected via POP3 and
downloaded and deleted the 50 e-mails.

Now when we reach step 6 (re-sync), what I expected was dsync will
detect that 50 e-mails are deleted and it will delete 50 e-mails from
'new' directory of maildir.


But that is not happening. 50 e-mails are still there.

I fear that these e-mails will be re-downloaded on his Outlook once
I switch dovecot to maildir.

This will happen for each and every user, which will cause a huge mess.


So how do I tell dsync to delete the e-mails which are no longer
there in mbox (INBOX)?

Thanks in advance,

Regards,

A M