authenticate plain, and virtual users
I'm running dovecot 2.2.14 on Archlinux. I've been using it with the isync syncing utility for quite some time with no problems, using the LOGIN authentication mechanism. Recently isync was updated to support PLAIN, and I'm having trouble moving to that. The authenticate string that isync is sending is not the one that dovecot is expecting.

I suspect this is because of how I have virtual users set up on my machine. This is a personal laptop, no other users, and so I didn't want to go through the rigmarole of creating more system users just for mail accounts. I also wanted everything stored under my home directory. So my dovecot config looks like this:

# 2.2.14: /etc/dovecot/dovecot.conf
# OS: Linux 3.16.4-1-ARCH i686
auth_verbose = yes
disable_plaintext_auth = no
info_log_path = /var/log/dovecot-info.log
log_path = /var/log/dovecot.log
mail_plugins = " fts fts_lucene"
passdb {
  args = username_format=%u /etc/dovecot/passwd
  driver = passwd-file
}
plugin {
  fts = lucene
  fts_autoindex = yes
  fts_lucene = whitespace_chars=@.
}
protocols = imap
ssl = no
userdb {
  args = uid=eric gid=users home=/home/eric/.mail/%d/%n username_format=%u
  default_fields = mail=maildir:/home/eric/.mail/%d/%n/mail
  driver = static
}

My /etc/dovecot/passwd looks like this:

e...@ericabrahamsen.net:{PLAIN}password1
e...@paper-republic.org:{PLAIN}password2

When isync tries to log into the local dovecot using PLAIN, it sends the base64-encoded version of this string:

e...@paper-republic.org\0eric\0password2

With my current dovecot config, telnet experimentation shows that dovecot will accept either of these two:

\0e...@paper-republic.org\0password2
e...@paper-republic.org\0e...@paper-republic.org\0password2

I.e., either with or without the authorization ID, just like it says at http://wiki2.dovecot.org/Debugging/Authentication

Given that I'm unlikely to be able to change how isync sends the string (and that it's really doing the right thing), are there alterations I can make to my dovecot config to get it to accept the authenticate string that isync is sending? Ideally, can I do that without having to set up system users? I've already tried using the other fields in the passwd file, putting "eric" and "e...@paper-republic.org" into the UID fields, just in case. No dice.

Thanks in advance for any advice!

Eric
Re: dictionary attack defense
a) I read about auth_failure_delay even before I posted my question and I could not figure out the one-line explanation in the dovecot wiki: "Number of seconds to delay before replying to failed authentications." It's delaying a reply. Does that mean the hacker can keep asking as fast as he wants? Is it per user or per IP?

b) I'm familiar with mail_max_userip_connections = x, but I'm not familiar with the time limit you mention.

On 10/21/2014 5:02 PM, Reindl Harald wrote:
> On 21.10.2014 at 23:28 Cliff Hayes wrote:
>> Does dovecot have any dictionary attack defenses yet? In the past I have had to implement defense from outside dovecot, but since dovecot is at the front lines and therefore is the first to know I'm hoping by now there is something we can set. For example, a limit on access failures per minute/hour/day or some such. If not why not?
>
> no - but you can set "auth_failure_delay = 5" and limit new connections per IP to something around 40 per 5 minutes and 100 per 30 minutes which stops many of them or at least limits the amount of tries dramatically
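One way to see what a per-IP limit over a time window looks like in practice, as an added example that is not part of this thread or of Dovecot: a Python counter that applies the figures quoted above (40 per 5 minutes, 100 per 30 minutes) to failed logins in constructed imap-login log lines and reports which remote IPs exceed them. Applying the figures to failures rather than to new connections, and the exact log line layout, are assumptions of the example.

```python
"""Sliding-window counter for failed Dovecot logins per remote IP.

Added example, not from the mailing-list thread: it applies the figures
quoted in the thread (40 per 5 minutes, 100 per 30 minutes) to failed
authentications in imap-login/pop3-login log lines instead of to new
connections, and reports which IPs exceed them. The log lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_YEAR = 2014  # syslog timestamps carry no year; assumed for the sample

# (window length in seconds, failures tolerated inside one window)
THRESHOLDS = [(300, 40), (1800, 100)]

# "Disconnected (auth failed ...)" line written by imap-login / pop3-login
AUTH_FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ dovecot: "
    r"(?:imap|pop3)-login: Disconnected \(auth failed[^)]*\): "
    r"user=<(?P<user>[^>]*)>.*?\brip=(?P<rip>[0-9a-fA-F.:]+)"
)


def parse_failures(lines, year=LOG_YEAR):
    """Return {remote_ip: [timestamp, ...]} for every failed login."""
    failures = defaultdict(list)
    for line in lines:
        m = AUTH_FAIL_RE.match(line)
        if not m:
            continue  # successful logins, other services, unrelated noise
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        failures[m.group("rip")].append(ts.replace(year=year))
    return failures


def exceeded_windows(timestamps):
    """Return the (window, limit) pairs for which some window of that length
    over the timestamps holds more than `limit` failures."""
    hits = []
    stamps = sorted(timestamps)
    for window, limit in THRESHOLDS:
        recent = deque()
        span = timedelta(seconds=window)
        for ts in stamps:
            recent.append(ts)
            while ts - recent[0] > span:  # evict failures older than the window
                recent.popleft()
            if len(recent) > limit:
                hits.append((window, limit))
                break
    return hits


def offending_ips(lines, year=LOG_YEAR):
    """Map each remote IP that crossed a threshold to the thresholds it crossed."""
    result = {}
    for rip, stamps in parse_failures(lines, year).items():
        hits = exceeded_windows(stamps)
        if hits:
            result[rip] = hits
    return result


def _fail_line(ts, user, rip):
    """One constructed failed-login line in Dovecot's imap-login format."""
    return (f"{ts:%b %d %H:%M:%S} mx dovecot: imap-login: Disconnected "
            f"(auth failed, 1 attempts in 2 secs): user=<{user}>, method=PLAIN, "
            f"rip={rip}, lip=10.0.0.1, TLS")


def sample_log():
    """Constructed sample: a user mistyping three times, a fast guesser caught
    by the 5-minute window, a slow guesser only the 30-minute window catches,
    and an IP that stays just under both limits."""
    t0 = datetime(LOG_YEAR, 10, 21, 20, 15, 0)
    lines = [_fail_line(t0 + timedelta(minutes=k), "alice", "203.0.113.5")
             for k in range(3)]
    lines += [_fail_line(t0 + timedelta(seconds=5 * k), f"u{k}", "198.51.100.7")
              for k in range(45)]
    lines += [_fail_line(t0 + timedelta(seconds=12 * k), f"u{k}", "198.51.100.8")
              for k in range(120)]
    lines += [_fail_line(t0 + timedelta(seconds=10 * k), "bob", "192.0.2.9")
              for k in range(60)]
    # a successful login never counts, whatever the client IP
    lines.append(f"{t0:%b %d %H:%M:%S} mx dovecot: imap-login: Login: user=<alice>, "
                 "method=PLAIN, rip=198.51.100.7, lip=10.0.0.1, TLS")
    return lines


if __name__ == "__main__":
    for rip, hits in offending_ips(sample_log()).items():
        print(rip, "exceeded", ", ".join(f"{n}/{w}s" for w, n in hits))
```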
Re: dictionary attack defense
On 22.10.2014 at 01:12 Benny Pedersen wrote:
> On October 22, 2014 12:57:34 AM Anders Wegge Keller wrote:
>> On Tue, 21 Oct 2014 16:28:46 -0500 Cliff Hayes wrote:
>>> Does dovecot have any dictionary attack defenses yet?
>>
>> In my opinion, fail2ban is the right strategy to deal with a dictionary attack.
>
> Focus should just be reversed to allow ip ranges not deny ip ranges

*loool*
Re: dictionary attack defense
On Wed, 22 Oct 2014 01:12:02 +0200 Benny Pedersen wrote:
> On October 22, 2014 12:57:34 AM Anders Wegge Keller wrote:
>> On Tue, 21 Oct 2014 16:28:46 -0500 Cliff Hayes wrote:
>>> Does dovecot have any dictionary attack defenses yet?
>>
>> In my opinion, fail2ban is the right strategy to deal with a dictionary attack.
>
> Focus should just be reversed to allow ip ranges not deny ip ranges

Even if you have the luxury of not having users accessing their mail from all over the world, you still need to defend against a breach of safety on a legitimate user's machine. Even in a strongly restricted corporate environment.

-- 
//Wegge
Re: dictionary attack defense
On October 22, 2014 12:57:34 AM Anders Wegge Keller wrote:
> On Tue, 21 Oct 2014 16:28:46 -0500 Cliff Hayes wrote:
>> Does dovecot have any dictionary attack defenses yet?
>
> In my opinion, fail2ban is the right strategy to deal with a dictionary attack.

Focus should just be reversed to allow ip ranges not deny ip ranges
Re: dictionary attack defense
On Tue, 21 Oct 2014 16:28:46 -0500 Cliff Hayes wrote:
> Does dovecot have any dictionary attack defenses yet?
> In the past I have had to implement defense from outside dovecot, but
> since dovecot is at the front lines and therefore is the first to know
> I'm hoping by now there is something we can set. For example, a limit
> on access failures per minute/hour/day or some such. If not why not?

In my opinion, fail2ban is the right strategy to deal with a dictionary attack. Instead of adding a layer of attack detection and handling onto every outward facing service running on your server, you can centralize the detection and blocking at one place.

-- 
//Wegge
Re: dictionary attack defense
On 21.10.2014 at 23:28 Cliff Hayes wrote:
> Does dovecot have any dictionary attack defenses yet? In the past I have had to implement defense from outside dovecot, but since dovecot is at the front lines and therefore is the first to know I'm hoping by now there is something we can set. For example, a limit on access failures per minute/hour/day or some such. If not why not?

no - but you can set "auth_failure_delay = 5" and limit new connections per IP to something around 40 per 5 minutes and 100 per 30 minutes which stops many of them or at least limits the amount of tries dramatically
dictionary attack defense
Does dovecot have any dictionary attack defenses yet? In the past I have had to implement defense from outside dovecot, but since dovecot is at the front lines and therefore is the first to know I'm hoping by now there is something we can set. For example, a limit on access failures per minute/hour/day or some such. If not why not?
Re: Properly "locking" a useraccount (on a proxy)
> for the "locked" user. But I'm lazy and would prefer a single place / a single query to lock the account

Set up postfix to check that the recipient account is active, then set a temporary new password while moving mail to the new server; when it's done, change the password back for the user, and set up postfix to know it's active again.
Re: What is the correct way to configure the mail_location option for Maildir format?
On October 21, 2014 7:04:38 PM deoren wrote:
> On 10/21/2014 11:44 AM, Benny Pedersen wrote:
>> On October 21, 2014 6:18:07 PM deoren wrote:
>>> mail_location = maildir:/var/vmail/%d/%n/Maildir
>>> sieve_dir = /var/vmail/sieve/%d/%n/sieve_dir
>>
>> mail_location = maildir:/var/vmail/%d/%n/.maildir
>> sieve_dir = /var/vmail/%d/%n/.sieve
>>
>> More simple, and more easy to tarball backup
>
> Thank you for the advice. Can you comment re these two approaches for configuring the 'mail_location' option? I assume the first is simply wrong?
>
> mail_location = maildir:/var/vmail/%d/%n
> mail_location = maildir:/var/vmail/%d/%n/.maildir
>
> Also, why do you use the '.maildir' folder name instead of 'Maildir'? Is that so it doesn't appear in the ls output by default? Some other reason perhaps?
>
> I agree that having the sieve scripts in a different location than the mail content is less than ideal. When the sieve scripts were originally stored in the /var/vmail/%d/%n directory they showed up within Thunderbird as folders, so to get things working again quickly I made sure to move the sieve scripts completely outside of where the mail content was stored. The cause was likely the 'mail_location' option being misconfigured (assuming that it really is, I'm still trying to nail that down), so once that is resolved I'm planning on moving them back.
>
> Thanks for the reply. I'm hoping rearranging the mail content will be just as easy to do.

I just remember to use $HOME or ~ fetched here from mysql or static args, thus all non-existing temp dirs will not be a problem, and it fits with maildrop and procmail, still running dovecot 1.2.17 with gentoo

So

$HOME/.maildir
$HOME/.sieve

Yes it will hide dirs in ls, but you can list hidden dirs with an option
Re: Permissions for shared mail don't work
On Sun, Oct 19, 2014 at 10:52:59AM +0200, Steffen wrote:
>>> how do you deliver new messages to spam's INBOX?
>>
>> By sending an e-mail to spam.whate...@desfontain.es ?
>>
>> (I'm not sure I understand the question?)
>
> How does your MTA deliver the messages to the INBOX, do you use
> Dovecot LDA, LMTP or the MTA?

The MTA itself delivers it, I think. Here are my config files:

- http://paste.fulltxt.net/xx31R (/etc/postfix/main.cf)
- and http://paste.fulltxt.net/t9iXRBIH (/etc/postfix/master.cf)

Best,
Damien
Re: Properly "locking" a useraccount (on a proxy)
On 21.10.2014 at 20:37 Ralf Hildebrandt wrote:
> * Ralf Hildebrandt :
>
>> 2) defer LMTP delivery somehow (Postfix is talking to dovecot's LMTP server)
>
> I could of course put a mysql: query into postfix which would return
>
> user@domain retry:
>
> for the "locked" user. But I'm lazy and would prefer a single place /
> a single query to lock the account
>

in the sql postfixadmin schema there is an "active" flag 0 vs 1 per user

smtpd_recipient_restrictions =
  reject_unknown_recipient_domain,
  reject_non_fqdn_recipient,
  permit_mynetworks,
  check_recipient_access mysql:/etc/postfix/mysql_virtual_inactive_mailaddress.cf

I configured it as

query = SELECT CONCAT('REJECT mailaddress %s is set in inactive mode') address FROM mailbox WHERE username='%s' AND active = '0'

you may use not REJECT but

http://www.postfix.org/access.5.html
421 text (Postfix 2.3 and later)

which is a tmp error

the dovecot side may look like this

/etc/dovecot/dovecot-sql.conf.ext

password_query = SELECT username as user, password, \
  1001 as userdb_uid, \
  1001 as userdb_gid, \
  "/usr/local/virtual/%d/%u/" AS userdb_home, \
  "maildir:/usr/local/virtual/%d/%u/" AS userdb_mail \
  FROM mailbox WHERE username = '%u' AND active = '1'

but to be honest, it's a long time ago I tested this feature, and in the real world nobody seems to use "active" settings; however perhaps you can adapt this idea to fit in your setup somehow

Best Regards
Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
Multiple user attributes in LDAP userdb query strings
Hello list,

I have an issue with dovecot and LDAP... Any help will be appreciated...

I have my virtual users stored in an Active Directory database. I am using 2 attributes in AD to locate the user account: mail (their primary email address) and proxyAddresses (a multivalue attribute containing their mail aliases). I also control the mount point in which the mail is located with another attribute in AD, in this case I used "pager".

I have dovecot 1.2.15 and there are no immediate plans to upgrade it. I configured Dovecot's deliver process in order to integrate sieve capability. I have configured userdb ldap and passdb ldap in Dovecot and have set up master and client sockets. I am using maildir format for directory layout.

The problem is to set the variables home and mail that will define the mail location. The format must be like this:

home: /Mailboxes///
mail: /Mailboxes///Maildir

So, for a particular user (Login: user1, smtp: us...@domain1.com, alias smtp: user1_al...@domain1.com) the variables will be:

home: /Mailboxes/AdmUsers/user1/
mail: /Mailboxes/AdmUsers/user1/Maildir

Active Directory has the values in: mail (us...@domain1.com), proxyAddresses (user1_al...@domain1.com), sAMAccountName (user1).

I have defined home and mail in dovecot-ldap.conf.

# User attributes are given in LDAP-name=dovecot-internal-name list. The
# internal names are:
#   uid - System UID
#   gid - System GID
#   home - Home directory
#   mail - Mail location
#
# There are also other special fields which can be returned, see
# http://wiki.dovecot.org/UserDatabase/ExtraFields
user_attrs = pager=home=/mailboxes/%$/%u,mobile=quota_rule=*:storage=%$M

If the mail is sent to the principal SMTP address (us...@domain1.com), in which the user part (%u) is the same as sAMAccountName, it works. The variable home is set correctly (home: /Mailboxes/AdmUsers/user1/). The problem is when the mail is sent to the smtp alias, in which case the variable home is set incorrectly (home: /Mailboxes/AdmUsers/user1_alias/).

Is there a way to set two values in user_attrs? In this case I would need to set pager and sAMAccountName (instead of %u) in it.

Thanking you in anticipation...

Attached is the output of dovecot -n

# 1.2.15: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-5-686 i686 Debian 6.0.7
log_path: /var/log/dovecot.log
protocols: imap imaps pop3 pop3s
disable_plaintext_auth: no
login_dir: /var/run/dovecot/login
login_executable(default): /usr/lib/dovecot/imap-login
login_executable(imap): /usr/lib/dovecot/imap-login
login_executable(pop3): /usr/lib/dovecot/pop3-login
mail_uid: 16343
mail_gid: 16343
mail_location: maildir:~/Maildir
mail_debug: yes
mbox_write_locks: fcntl dotlock
mail_executable(default): /usr/lib/dovecot/imap
mail_executable(imap): /usr/lib/dovecot/imap
mail_executable(pop3): /usr/lib/dovecot/pop3
mail_plugins(default): autocreate deleted_to_trash quota imap_quota expire
mail_plugins(imap): autocreate deleted_to_trash quota imap_quota expire
mail_plugins(pop3): quota expire
mail_plugin_dir(default): /usr/lib/dovecot/modules/imap
mail_plugin_dir(imap): /usr/lib/dovecot/modules/imap
mail_plugin_dir(pop3): /usr/lib/dovecot/modules/pop3
imap_client_workarounds(default): delay-newmail outlook-idle netscape-eoh
imap_client_workarounds(imap): delay-newmail outlook-idle netscape-eoh
imap_client_workarounds(pop3):
pop3_client_workarounds(default):
pop3_client_workarounds(imap):
pop3_client_workarounds(pop3): outlook-no-nuls oe-ns-eoh
lda:
  postmaster_address: postmas...@domain1.com
  mail_plugins: quota expire
  log_path: /var/log/dovecot.log
auth default:
  mechanisms: gssapi gss-spnego login ntlm plain
  username_format: %Ln
  use_winbind: yes
  passdb:
    driver: pam
  userdb:
    driver: ldap
    args: /etc/dovecot/dovecot-ldap.conf
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 432
      user: postfix
      group: postfix
    master:
      path: /var/run/dovecot/auth-master
      mode: 384
      user: vmail
plugin:
  autocreate: Deleted Items
  autocreate: Sent Items
  autosubscribe: Deleted Items
  autosubscribe: Sent Items
  deleted_to_trash_folder: Sent Items
  quota: maildir:User quota
  quota_rule: *:storage=100M
  quota_rule2: Deleted Items:ignore
  quota_warning: storage=80%% /etc/dovecot/scripts/quota-warning.sh 80
  quota_warning2: storage=90%% /etc/dovecot/scripts/quota-warning.sh 90
  quota_warning3: storage=99%% /etc/dovecot/scripts/quota-exceeded.sh 100
  expire: "Deleted Items" 1 "Deleted Items/*" 1
  expire_dict: proxy::expire
dict:
  expire: pgsql:/etc/dovecot/dovecot-dict-expire.conf
2.2.14 and "Panic: file virtual-sync.c"
Hi,

after upgrading to 2.2.14 (debian wheezy with apt source from rename-it.nl) I've got from time to time a panic in the virtual plugin. Here is an excerpt from the log file:

--
Oct 21 20:44:15 mailserver dovecot: imap(michael@DOMAIN): flag_change: box=Virtual.Ungelesen, uid=1, msgid=<54466f71.3050...@makomi.de>, size=1661, flags=(\Seen \Draft \Recent)
Oct 21 20:44:15 mailserver dovecot: imap(michael@DOMAIN): Panic: file virtual-sync.c: line 1115 (virtual_sync_backend_box): assertion failed: (array_count(&bbox->sync_pending_removes) == 0)
Oct 21 20:44:15 mailserver dovecot: imap(michael@DOMAIN): Error: Raw backtrace: /usr/lib/dovecot/libdovecot.so.0(+0x752af) [0x7f5f2630e2af] -> /usr/lib/dovecot/libdovecot.so.0(+0x7530e) [0x7f5f2630e30e] -> /usr/lib/dovecot/libdovecot.so.0(i_fatal+0) [0x7f5f262c05de] -> /usr/lib/dovecot/modules/lib20_virtual_plugin.so(virtual_storage_sync_init+0x266c) [0x7f5f24abb9cc] -> /usr/lib/dovecot/libdovecot-storage.so.0(mailbox_sync_init+0x35) [0x7f5f26601195] -> dovecot/imap(imap_sync_init+0x7a) [0x41faaa] -> dovecot/imap(cmd_sync_delayed+0x190) [0x420710] -> dovecot/imap(client_handle_input+0x1d5) [0x417a35] -> dovecot/imap(client_input+0x72) [0x417d22] -> /usr/lib/dovecot/libdovecot.so.0(io_loop_call_io+0x5b) [0x7f5f263200fb] -> /usr/lib/dovecot/libdovecot.so.0(io_loop_handler_run_internal+0xbb) [0x7f5f2632117b] -> /usr/lib/dovecot/libdovecot.so.0(io_loop_handler_run+0x9) [0x7f5f26320189] -> /usr/lib/dovecot/libdovecot.so.0(io_loop_run+0x38) [0x7f5f26320208] -> /usr/lib/dovecot/libdovecot.so.0(master_service_run+0x13) [0x7f5f262c5ab3] -> dovecot/imap(main+0x2a1) [0x40c311] -> /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xfd) [0x7f5f25f2bead] -> dovecot/imap() [0x40c475]
Oct 21 20:44:15 mailserver dovecot: imap(michael@DOMAIN): Fatal: master: service(imap): child 31075 killed with signal 6 (core dumps disabled)
--

Is the problem well-known? And what could I do?

Thanks,
Michael
Re: Properly "locking" a useraccount (on a proxy)
Hi,

On 21.10.2014 20:37, Ralf Hildebrandt wrote:
> * Ralf Hildebrandt :
>> 2) defer LMTP delivery somehow (Postfix is talking to dovecot's LMTP server)
>
> I could of course put a mysql: query into postfix which would return
>
> user@domain retry:
>
> for the "locked" user. But I'm lazy and would prefer a single place / a single query to lock the account

Why do you not put the mails on hold in some frontend postfix queue (I think you have one) with a check_recipient_access table? We did that during our last migration from an old CGP system. Ok, it's not the elegant way but for us it worked.
Re: Properly "locking" a useraccount (on a proxy)
* Ralf Hildebrandt :
> 2) defer LMTP delivery somehow (Postfix is talking to dovecot's LMTP server)

I could of course put a mysql: query into postfix which would return

user@domain retry:

for the "locked" user. But I'm lazy and would prefer a single place / a single query to lock the account
Properly "locking" a useraccount (on a proxy)
I'm preparing a migration of several mailboxes to another machine. The different user accounts are distributed to different backend machines by means of a dovecot LMTP/IMAP/POP proxy. Proxying is working really well (now that the kernel does as it should).

But how can I "lock" a user during migration? The plan is:

* lock the user
* kick the user (doveadm kick)
* migrate mailbox (some rsync magic)
* unlock the user again

But how would I lock the user? What locking needs to achieve:

1) Disallow IMAP/POP login (that's easy!)
2) defer LMTP delivery somehow (Postfix is talking to dovecot's LMTP server)

Because currently, we're seeing dovecot trying local delivery on the proxy machine once an account is locked (probably because LMTP proxying uses passdb lookups, and since that one is failing it's using the userdb lookup?):

Oct 21 20:15:27 lmtp(87892): Error: user sys4@test.invalid: Initialization failed: Namespace '': mkdir(/var/mail/test.invalid/sys4/mdbox/mailboxes) failed: Permission denied (euid=1(vmail) egid=1(vmail) missing +w perm: /var/mail, we're not in group 8(mail), dir owned by 0:8 mode=0775)

Admittedly, this is somehow working. But it's not very elegant to use a side-effect. Is there a reserved userdb/passwd return value which will let dovecot "tempfail" in an elegant fashion?
Re: What is the correct way to configure the mail_location option for Maildir format?
On 10/21/2014 11:44 AM, Benny Pedersen wrote:
> On October 21, 2014 6:18:07 PM deoren wrote:
>> mail_location = maildir:/var/vmail/%d/%n/Maildir
>> sieve_dir = /var/vmail/sieve/%d/%n/sieve_dir
>
> mail_location = maildir:/var/vmail/%d/%n/.maildir
> sieve_dir = /var/vmail/%d/%n/.sieve
>
> More simple, and more easy to tarball backup

Thank you for the advice. Can you comment re these two approaches for configuring the 'mail_location' option? I assume the first is simply wrong?

mail_location = maildir:/var/vmail/%d/%n
mail_location = maildir:/var/vmail/%d/%n/.maildir

Also, why do you use the '.maildir' folder name instead of 'Maildir'? Is that so it doesn't appear in the ls output by default? Some other reason perhaps?

I agree that having the sieve scripts in a different location than the mail content is less than ideal. When the sieve scripts were originally stored in the /var/vmail/%d/%n directory they showed up within Thunderbird as folders, so to get things working again quickly I made sure to move the sieve scripts completely outside of where the mail content was stored. The cause was likely the 'mail_location' option being misconfigured (assuming that it really is, I'm still trying to nail that down), so once that is resolved I'm planning on moving them back.

Thanks for the reply. I'm hoping rearranging the mail content will be just as easy to do.
Re: Proxy problem: "imap-login: Error: proxy(USERNAME): connect(10.x.x.178, 993) failed: Cannot assign requested address (after 0 secs, local=10.x.x.104)"
* brd :
> Ralf Hildebrandt wrote:
> [...]
>> We already optimized:
>> snip
>> net.ipv4.tcp_fin_timeout=5
>> # down from 30s
>> net.ipv4.tcp_tw_reuse=1
>> net.ipv4.tcp_tw_recycle=1
>> # http://redis4you.com/articles.php?id=012&name=Redis+high+traffic+connection+issue
>
> just a note on enabling tcp_tw_recycle, it is known to have side-effects
> and issues when you have lots of connections from the same source IP, such
> as many clients behind same NAT IP or a reverse proxy
>
> see http://vincent.bernat.im/en/blog/2014-tcp-time-wait-state-linux.html

Yes, we might want to disable that again.
Re: What is the correct way to configure the mail_location option for Maildir format?
On October 21, 2014 6:18:07 PM deoren wrote:
> mail_location = maildir:/var/vmail/%d/%n/Maildir
> sieve_dir = /var/vmail/sieve/%d/%n/sieve_dir

mail_location = maildir:/var/vmail/%d/%n/.maildir
sieve_dir = /var/vmail/%d/%n/.sieve

More simple, and more easy to tarball backup
only inbox folder after courier-imap migration
Hello,

after courier-dovecot-migrate.pl, the only folder that appears in the webmail menu is "Inbox". The others are still in Maildir ("Maildir/.myfolder") and contain their "dovecot-uidlist" and "dovecot-keywords" files. Do I need to edit some file?

-- 
Regards!!
Luciano Andino
GNU/Linux user #185103
Santa Fe - Argentina
What is the correct way to configure the mail_location option for Maildir format?
Short version:

What is the correct way to configure the mail_location option for Maildir format? I've long had it set up this way:

mail_location = maildir:/var/vmail/%d/%n

based on this guide:

https://www.linode.com/docs/email/postfix/email-with-postfix-dovecot-and-mysql

Is that correct?

Longer version:

After upgrading from Dovecot v2.0.x to v2.2.x yesterday I'm coming to the conclusion that I've got it configured wrong. This is probably compounded by my bright idea of explicitly setting the path separator prior to the upgrade like so:

separator = .

Because we're using Maildir I thought it would be useful to explicitly set the separator value to what the default is for Maildir. I figured this would be a good way to remind myself what the separator is by default. I also figured while I was merging the conf changes between v2.0 and v2.2 I could roll that additional change in also. Looks like that was a bad idea to include unnecessary changes until things had stabilized. I should know better; I was too optimistic for my own good.

Here is an example error message I ran into:

stat(/var/vmail/example.com/username/.dovecot.lda-dupes/tmp) failed: Not a directory

which is nearly identical (other than the leading path) to what is shown here:

http://www.dovecot.org/list/dovecot/2010-April/048227.html

Steffen Kaiser responded with, "You should not (must not) have home == maildir root."

That is when I double-checked the guide that I mentioned above and found that I had followed their directions exactly for that conf setting. Looking at some other guides/tutorials shows something more like:

mail_location = maildir:/var/vmail/%d/%n/Maildir

I assume the latter is how it's supposed to be done? If so, that would explain the problems I've had with Sieve scripts in the past until I explicitly set 'sieve_dir' like so:

sieve_dir = /var/vmail/sieve/%d/%n/sieve_dir

I did review the official docs here: http://wiki2.dovecot.org/MailLocation/Maildir but I didn't find where it explicitly warns against setting home == maildir root. It should probably be apparent, but it wasn't to me when I first configured that setting.

Thanks in advance for your help. If it turns out that the linode.com guide is wrong I'll create a Pull request to have that guide updated.
Re: Proxy problem: "imap-login: Error: proxy(USERNAME): connect(10.x.x.178, 993) failed: Cannot assign requested address (after 0 secs, local=10.x.x.104)"
Ralf Hildebrandt wrote:
[...]
> We already optimized:
> snip
> net.ipv4.tcp_fin_timeout=5
> # down from 30s
> net.ipv4.tcp_tw_reuse=1
> net.ipv4.tcp_tw_recycle=1
> # http://redis4you.com/articles.php?id=012&name=Redis+high+traffic+connection+issue

just a note on enabling tcp_tw_recycle, it is known to have side-effects and issues when you have lots of connections from the same source IP, such as many clients behind same NAT IP or a reverse proxy

see http://vincent.bernat.im/en/blog/2014-tcp-time-wait-state-linux.html

-brd
Dovecot Auth Issue
Dear All

I have been able to set up postfix and dovecot. Through the command line, I can send mail out. Now I have installed roundcube on the mail server side, and I am able to access it like https://mydomain/webmail.com

Login was failing. Then I debugged and modified settings in dovecot and am using PAM for authentication. Now I am trying to log in to the email server. I am not sure if authentication by dovecot and pam is successful. I enabled logging for dovecot. The below logs I get when a user "try" logs in.

Oct 21 07:44:55 auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
Oct 21 07:44:55 auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libdriver_mysql.so
Oct 21 07:44:55 auth: Debug: auth client connected (pid=15357)
Oct 21 07:44:55 auth: Debug: client in: AUTH 1 PLAIN service=imap secured lip=128.199.214.27 rip=128.199.214.27 lport=993 rport=43323 resp=AHRyeUBsb2FkbXVsdGlwbGllci5jb20AdHJ5MTIz
Oct 21 07:44:55 auth-worker: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
Oct 21 07:44:55 auth-worker: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libdriver_mysql.so
Oct 21 07:44:55 auth-worker: Debug: pam(try,128.199.214.27): lookup service=dovecot
Oct 21 07:44:55 auth-worker: Debug: pam(try,128.199.214.27): #1/1 style=1 msg=Password:
Oct 21 07:44:55 auth: Debug: client out: OK 1 user=try
Oct 21 07:44:55 auth: Debug: master in: REQUEST 1571291137 15357 1 b3cc155dfd3bb2fd576bfeeceaf1ce3d
Oct 21 07:44:55 auth: Debug: passwd(try,128.199.214.27): lookup
*Oct 21 07:44:55 auth: Debug: master out: USER 1571291137 try home=/var/mail/ mail=maildir:/var/mail/try system_groups_user=try uid=5001 gid=5001*
*Oct 21 07:44:55 imap-login: Info: Login: user=, method=PLAIN, rip=128.199.214.27, lip=128.199.214.27, mpid=15361, TLS*
*Oct 21 07:44:55 imap(try): Info: Disconnected: Logged out bytes=29/399*

From the logs above (in bold), I hope auth is successful, then in the last line why is it logging out? I am confused, not sure if auth is completely successful or not.

Kindly experts please help.

Best Regards,
Austin
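Both the isync PLAIN question earlier on this page and the resp= value in the auth debug log above come down to the layout of a SASL PLAIN message. As an added example, not code from either thread or from Dovecot: a Python decoder for the base64 form, the accept-or-reject rule the first thread observed (authorization ID empty or equal to the authentication ID), and a helper that masks the resp= field before a debug log is pasted anywhere, since that field decodes to the plaintext password. Identities and passwords in the block are constructed placeholders.

```python
"""Decode and check SASL PLAIN responses as seen in Dovecot auth debugging.

Added example, not from either thread: it splits the base64 value that Dovecot
logs after "resp=" into the three NUL-separated fields of RFC 4616
(authorization identity, authentication identity, password), applies the
acceptance rule observed in the first thread (authzid empty or identical to
authcid), and masks the resp= field before a log line is shared. Identities
and passwords below are constructed placeholders.
"""
import base64
import re
from typing import NamedTuple


class PlainMessage(NamedTuple):
    authzid: str   # identity the client wants to act as; "" means "same as authcid"
    authcid: str   # identity whose password is being presented
    password: str


def decode_plain(resp_b64: str) -> PlainMessage:
    """Split a base64 SASL PLAIN message into its three fields.

    RFC 4616 mandates exactly two NUL separators and non-empty authcid and
    password; anything else is rejected rather than guessed at.
    """
    raw = base64.b64decode(resp_b64, validate=True)
    parts = raw.split(b"\0")
    if len(parts) != 3:
        raise ValueError(f"expected 3 NUL-separated fields, got {len(parts)}")
    authzid, authcid, password = (p.decode("utf-8") for p in parts)
    if not authcid or not password:
        raise ValueError("authcid and password must both be non-empty")
    return PlainMessage(authzid, authcid, password)


def encode_plain(authcid: str, password: str, authzid: str = "") -> str:
    """Build the base64 form a client sends; authzid is optional."""
    raw = b"\0".join(s.encode("utf-8") for s in (authzid, authcid, password))
    return base64.b64encode(raw).decode("ascii")


def accepted_by_plain_passdb(msg: PlainMessage) -> bool:
    """Rule seen in the thread for a passdb with no master-user setup: the
    authorization identity must be absent or equal to the authentication
    identity. The isync form (authzid = address, authcid = system user) fails
    this check, which is the mismatch the first thread describes."""
    return msg.authzid in ("", msg.authcid)


RESP_RE = re.compile(r"resp=\S+")


def redact_resp(log_line: str) -> str:
    """Mask the resp= field: its base64 decodes to the plaintext password, so a
    pasted auth debug log otherwise discloses the credential."""
    return RESP_RE.sub("resp=<redacted>", log_line)


if __name__ == "__main__":
    for label, msg in (
        ("no authzid", encode_plain("user@example.org", "secret2")),
        ("authzid == authcid", encode_plain("user@example.org", "secret2",
                                            authzid="user@example.org")),
        ("isync form", encode_plain("eric", "secret2", authzid="user@example.org")),
    ):
        decoded = decode_plain(msg)
        print(f"{label:20} authzid={decoded.authzid!r:20} authcid={decoded.authcid!r:20} "
              f"accepted={accepted_by_plain_passdb(decoded)}")
    print(redact_resp("auth: Debug: client in: AUTH 1 PLAIN service=imap "
                      "rip=192.0.2.1 resp=AGEAYg== extra"))
```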
Re: SMTP authentication setup
On 2014-10-21 07:40, Brian wrote:
> At my company we've had a longstanding problem of not being able to send email from devices outside of our internal network and any specific IP address that we open the relay to. As it turns out, SASL has never been set up. I need to set up SASL ASAP but none of the guides I've found seem to work.

I recommend reading over these guides and doing outside research to fill in any blanks:

* https://www.linode.com/docs/email/postfix/email-with-postfix-dovecot-and-mysql
* https://workaround.org/ispmail
* http://wiki2.dovecot.org/Authentication/PasswordSchemes

They walk you through setting up SASL for Postfix which uses Dovecot for auth. Dovecot in turn uses a MySQL database that you put together, but Dovecot supports many other auth sources such as LDAP that might be more relevant to your setup.

It's worth mentioning (although you probably already know this) to double-check any recommendations you find in guides against official docs when it comes to security practices. For example, one guide recommends using the MD5 hashing algorithm (without a salt) to store passwords. I'm (very) far from being a security expert, but I recommend you research an alternative hashing scheme if you're setting up an auth source from scratch.
Re: 90-sieve.conf syntax - moving from v2.0.x to v2.2.x
On 2014-10-20 11:59, deoren wrote:
> Hi,
>
> I'm currently running version v2.0.x in production (using Maildir storage) and it's been working well. I'm interested in moving to version 2.2.x and am preparing a test server to do so.
>
> As I have been merging the conf file changes between the two versions I noticed syntax changes for the 90-sieve.conf file. There are now 'locations' and presumably to keep referring to local content I'll need to use the 'file:' location type.
>
> On my production box (v2.0.x) I have 90-sieve.conf configured like so:
>
> sieve = /var/vmail/sieve/%d/%n/.dovecot.sieve
> sieve_default = /var/vmail/sieve/global.sieve
> sieve_dir = /var/vmail/sieve/%d/%n/sieve_dir
>
> Inside of the /var/vmail/sieve/%d/%n/ directory (i.e., /var/vmail/sieve/example.com/testuser/) I find:
>
> drwxr-xr-x 3 vmail vmail   64 Oct 19 12:07 .
> drwxr-xr-x 9 vmail vmail  101 Jun 21 10:47 ..
> lrwxrwxrwx 1 vmail vmail   25 Jun 21 11:10 .dovecot.sieve -> sieve_dir/roundcube.sieve
> -rw------- 1 vmail vmail 3694 Oct 19 12:07 .dovecot.svbin
> drwx------ 3 vmail vmail   38 Oct 19 11:58 sieve_dir
>
> and that works well.

I never did work out the new syntax, so I kept the older and so far it is working fine with v2.2.13.

I did have to remove the old compiled versions of the Sieve scripts to get things working. I had at least one case (one specific account) where the script was recompiled automatically, but for the other accounts I did have to nuke the *.svbin file to force a recompilation of the Sieve scripts. Only in one case was a message logged (with debug mode enabled) re a version mismatch and the script recompiled automatically.

It may not be the best way to do it, but this is what I did (the search path goes before the -type test, otherwise find refuses the expression):

rm -i $(find /var/vmail/sieve/example.com/ -type f | grep svbin)

After that the scripts began working as expected (using the older syntax which I mentioned in the last email).

If anyone has any suggestions for updating the syntax for those configuration options I'd appreciate it. I couldn't make heads or tails of it. Everything I thought should work didn't.
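As an added example (not part of the thread, and not something the poster tested), the three settings quoted above written in the 2.2.x / Pigeonhole 0.4 location syntax while keeping the same on-disk layout: the old sieve_dir becomes a file: location, the old sieve path becomes its ;active= parameter, and sieve_default takes a file: location too. The paths are the ones from the message; only the syntax is new.

```conf
# Added example, not from the thread: 90-sieve.conf for 2.2.x, same layout
# as the 2.0.x settings above (/var/vmail/sieve/%d/%n/...).
plugin {
  # file: location of the per-user script storage directory (old sieve_dir);
  # ;active= names the symlink that points at the active script (old sieve).
  sieve = file:/var/vmail/sieve/%d/%n/sieve_dir;active=/var/vmail/sieve/%d/%n/.dovecot.sieve

  # Script run for users that have no active script (old sieve_default),
  # now also given as a file: location.
  sieve_default = file:/var/vmail/sieve/global.sieve
}
```

The compiled .svbin files are still written next to the scripts, so a stale binary from the old version has to be removed or recompiled just as described above.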
Re: SMTP authentication setup
On 10/21/2014 8:49 AM, Reindl Harald wrote:
> On 21.10.2014 at 14:45, Charles Marcus wrote:
>> On 10/21/2014 8:40 AM, Brian wrote:
>>> Also, instead of
>>> submission inet n - - - - smtpd
>>> I did:
>>> 127.0.0.1:1025 inet n - - - - smtpd
>>>
>>> After all is done, however, I'm unable to send any mail.
>> No surprise there.
>>
>> You *must* use the submission port if you want it to work.
>> Not sure why you thought otherwise.
> no, you can use any port you want if you configure the client on the
> same one - but it must not only listen on 127.0.0.1

That was obviously my point.
Re: SMTP authentication setup
On 21.10.2014 at 14:45, Charles Marcus wrote:
> On 10/21/2014 8:40 AM, Brian wrote:
>> Also, instead of
>> submission inet n - - - - smtpd
>> I did:
>> 127.0.0.1:1025 inet n - - - - smtpd
>>
>> After all is done, however, I'm unable to send any mail.
>
> No surprise there.
>
> You *must* use the submission port if you want it to work.
> Not sure why you thought otherwise.

No, you can use any port you want if you configure the client on the same one - but it must not only listen on 127.0.0.1.

Neither postfix nor the client is interested in a specific port; that's why we have 587 *and* 588, with 588 only opened for specific client IPs with other rate-limits.
Re: SMTP authentication setup
On 21.10.2014 at 14:40, Brian wrote:
> At my company we've had a longstanding problem of not being able to send email from devices outside of our internal network and any specific IP address that we open the relay to. As it turns out, SASL has never been set up. I need to set up SASL ASAP but none of the guides I've found seem to work.
>
> This is the latest guide I tried: http://wiki2.dovecot.org/HowTo/PostfixAndDovecotSASL
>
> I did everything on here minus the last part because it's on the same server.

Don't pretend - show "postconf -n" and "dovecot -n".

> # dovecot
> service auth {
>   unix_listener /var/spool/postfix/private/auth {
>     mode = 0660
>     user = postfix
>     group = postfix
>   }
> }
>
> # postfix
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_type = dovecot
> smtpd_sasl_path = private/auth
>
> Also, instead of
> submission inet n - - - - smtpd
> I did:
> 127.0.0.1:1025 inet n - - - - smtpd

That is complete nonsense:

* 1025 is not a standard port
* the port only listens on localhost
* no way to connect from outside

> After all is done, however, I'm unable to send any mail. Thunderbird just says sending message but doesn't send and I don't even get an error. I end up having to disable SASL again before I can send mail.

Because most likely 1025 is not opened in the firewall, and even if it was, since you misconfigured the server it could not connect.

> Dovecot version 2.0.9
> Postfix version 2.6.6
> CentOS 6
> I have Postfix, Dovecot, and ASSP on the same server
Re: SMTP authentication setup
On 10/21/2014 8:40 AM, Brian wrote:
> Also, instead of
> submission inet n - - - - smtpd
> I did:
> 127.0.0.1:1025 inet n - - - - smtpd
>
> After all is done, however, I'm unable to send any mail.

No surprise there.

You *must* use the submission port if you want it to work. Not sure why you thought otherwise.
SMTP authentication setup
At my company we've had a longstanding problem of not being able to send email from devices outside of our internal network and any specific IP address that we open the relay to. As it turns out, SASL has never been set up. I need to set up SASL ASAP but none of the guides I've found seem to work.

This is the latest guide I tried: http://wiki2.dovecot.org/HowTo/PostfixAndDovecotSASL

I did everything on here minus the last part because it's on the same server.

Also, instead of
submission inet n - - - - smtpd
I did:
127.0.0.1:1025 inet n - - - - smtpd

After all is done, however, I'm unable to send any mail. Thunderbird just says sending message but doesn't send and I don't even get an error. I end up having to disable SASL again before I can send mail.

Dovecot version 2.0.9
Postfix version 2.6.6
CentOS 6

I have Postfix, Dovecot, and ASSP on the same server.

Thanks everyone.
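An added example, not from the thread: a master.cf submission entry that listens on the standard port on all interfaces (the point made in the replies) and uses the Dovecot "private/auth" socket from the wiki howto, with TLS required before AUTH is offered and relaying restricted to authenticated clients. The -o overrides are standard Postfix parameters available in 2.6; the chroot column ("n") and the restriction list are my choices, not the poster's.

```conf
# Added example, not from the thread: /etc/postfix/master.cf entry for
# port 587. "submission" (service name for 587) with no address prefix
# binds all interfaces, unlike "127.0.0.1:1025", which only localhost
# can reach.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  # refuse AUTH on a cleartext session: STARTTLS first
  -o smtpd_tls_security_level=encrypt
  # hand SASL to the Dovecot auth socket (/var/spool/postfix/private/auth)
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  # only authenticated clients may use this port at all
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

Whatever port is chosen, the firewall has to let it through and the client has to be pointed at the same port, as the replies note.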
Re: Proxy problem: "imap-login: Error: proxy(USERNAME): connect(10.x.x.178, 993) failed: Cannot assign requested address (after 0 secs, local=10.x.x.104)"
>> FYI: It was a kernel bug.
>
> Do you mind sharing the actual technical background. Which kernel
> was affected and how?

We didn't track it down to a specific bug, but we finally decided that our setup using multiple IPs for source and destination was OK and should work as intended - but it didn't. So we switched from Debian's 3.2 kernel to a 3.14 from backports and - surprise - it worked as designed.

Something in the 3.2 kernel limited the number of established connections to the frame given by the local port range, even incoming ones. I still don't know what, but I am quite sure it's not a new feature in 3.14 which makes our setup work, as it should be possible to have many connects from different source IPs on basically every Linux kernel. There are other limits (such as some TCP hashtable sizes) which can be tuned, but that was not the limit we were hitting...

Old (not working):
linux-image-3.2.0-4-amd64 3.2.63-2

New (working OK):
linux-image-3.14-0.bpo.2-rt-amd64 3.14.15-2~bpo70+1

--
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
Re: Proxy problem: "imap-login: Error: proxy(USERNAME): connect(10.x.x.178, 993) failed: Cannot assign requested address (after 0 secs, local=10.x.x.104)"
Quoting Ralf Hildebrandt:
> * Ralf Hildebrandt :
>> I'd guess you're running out of TCP ports.
>
> I think so too, but it's somewhat unlikely! We're using 10 outbound IP
> addresses! In a random fashion (and I'm seeing this on the backend
> server!)
>
> FYI: It was a kernel bug.

Do you mind sharing the actual technical background? Which kernel was affected and how?

Thanks
Andreas
Re: Proxy problem: "imap-login: Error: proxy(USERNAME): connect(10.x.x.178, 993) failed: Cannot assign requested address (after 0 secs, local=10.x.x.104)"
* Ralf Hildebrandt :
>> I'd guess you're running out of TCP ports.
>
> I think so too, but it's somewhat unlikely! We're using 10 outbound IP
> addresses! In a random fashion (and I'm seeing this on the backend
> server!)

FYI: It was a kernel bug.