Re: [Dovecot] Patch: 2.0 support for URLAUTH, BURL, CATENATE
On 18-4-2016 at 18:02, Charles Marcus wrote:
> Greetings Mike and Timo,
>
> A question about BURL support in Thunderbird came up, and while there is an open bug, it apparently is still not implemented.
>
> I'd love to see this get done, so I've been checking on the status of this in both postfix and dovecot...
>
> Can someone comment on whether or not this was ever fully/properly implemented?

Status:

URLAUTH - Fully implemented.
CATENATE - Fully implemented.
BURL - Not really a Dovecot concern, but we've created a Dovecot-based SMTP submission proxy that adds BURL and other advanced functionality to any SMTP backend. This feature is currently a set of patches that is scheduled to be merged for Dovecot v2.3. The Dovecot v2.3 branch was started just a few days ago.

Regards,

Stephan.

> Charles
>
> On 1/14/2011 12:35 PM, Mike Abbott wrote:
>> On Dec 5, 2010, at 11:17 PM, Timo Sirainen wrote:
>>
>>> I don't think there's any need to send "anonymous_username" to imap process? It just seems to want to know if the current user is anonymous or not. That same thing has been in my TODO list for a while already because ManageSieve could use that information too. So committed now: http://hg.dovecot.org/dovecot-2.0/rev/c41ba33b8e16
>> I just tried out this change and it does not replace the need for the anonymous_username field. I only now fully understand the comment:
>>     /* this is an anonymous login, either via ANONYMOUS
>>        SASL mechanism or simply logging in as the anonymous
>>        user via another mechanism */
>> Since the change does not distinguish between those two cases it breaks the "authuser" access identifier for the anonymous user when he is logged in non-anonymously. I would not really care about this edge case except that the contributed implementation requires that the username in the IMAP URL matches the authenticated user's username even for the "anonymous" and "authuser" access identifiers, in violation of RFC 4467 section 4. (The implementation requires a match because Dovecot does not (can not) reach into another user's mail storage.) This means that the "anonymous" and "authuser" access identifiers only work for the anonymous user in the implementation; your change makes the "authuser" access identifier always fail for the anonymous user. The anonymous_username field in the original contributed patch does distinguish between SASL ANONYMOUS and logging in as the anonymous user via another mechanism, so the "anonymous" and "authuser" access identifiers work properly for the anonymous user (but not for any other user).
>>
>> If you can teach me how to make urlfetch_url() access any user's mail storage from an IMAP process logged in as a different user (subject to OS uid/gid permission constraints), I can make "anonymous" and "authuser" work for all users and use your change instead of the "anonymous_username" field.
>>
>> Alternatively, you could edit your change to add the "anonymous" indication to the auth reply only for SASL ANONYMOUS authentications rather than for all anonymous-user authentications, unless that would cause trouble for ManageSieve.
Re: [Dovecot] Patch: 2.0 support for URLAUTH, BURL, CATENATE
Greetings Mike and Timo,

A question about BURL support in Thunderbird came up, and while there is an open bug, it apparently is still not implemented.

I'd love to see this get done, so I've been checking on the status of this in both postfix and dovecot...

Can someone comment on whether or not this was ever fully/properly implemented?

Charles

On 1/14/2011 12:35 PM, Mike Abbott wrote:
> On Dec 5, 2010, at 11:17 PM, Timo Sirainen wrote:
>
>> I don't think there's any need to send "anonymous_username" to imap
>> process? It just seems to want to know if the current user is anonymous
>> or not. That same thing has been in my TODO list for a while already
>> because ManageSieve could use that information too. So committed now:
>> http://hg.dovecot.org/dovecot-2.0/rev/c41ba33b8e16
> I just tried out this change and it does not replace the need for the
> anonymous_username field. I only now fully understand the comment:
>     /* this is an anonymous login, either via ANONYMOUS
>        SASL mechanism or simply logging in as the anonymous
>        user via another mechanism */
> Since the change does not distinguish between those two cases it breaks the
> "authuser" access identifier for the anonymous user when he is logged in
> non-anonymously. I would not really care about this edge case except that
> the contributed implementation requires that the username in the IMAP URL
> matches the authenticated user's username even for the "anonymous" and
> "authuser" access identifiers, in violation of RFC 4467 section 4. (The
> implementation requires a match because Dovecot does not (can not) reach into
> another user's mail storage.) This means that the "anonymous" and "authuser"
> access identifiers only work for the anonymous user in the implementation;
> your change makes the "authuser" access identifier always fail for the
> anonymous user. The anonymous_username field in the original contributed
> patch does distinguish between SASL ANONYMOUS and logging in as the anonymous
> user via another mechanism, so the "anonymous" and "authuser" access
> identifiers work properly for the anonymous user (but not for any other user).
>
> If you can teach me how to make urlfetch_url() access any user's mail storage
> from an IMAP process logged in as a different user (subject to OS uid/gid
> permission constraints), I can make "anonymous" and "authuser" work for all
> users and use your change instead of the "anonymous_username" field.
>
> Alternatively, you could edit your change to add the "anonymous" indication
> to the auth reply only for SASL ANONYMOUS authentications rather than for all
> anonymous-user authentications, unless that would cause trouble for
> ManageSieve.
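
The access-identifier issue described in the quoted message above, as an added example that is not part of the thread and is not Dovecot code: an RFC 4467 access check evaluated with a coarse anonymous flag (any login as the anonymous user) and with a fine one (SASL ANONYMOUS only). The `session` struct, the function names and the treatment of `submit+` are assumptions made for this sketch.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical session model for illustration; not Dovecot's structures. */
struct session {
    const char *username;  /* authenticated user name */
    bool sasl_anonymous;   /* login used the SASL ANONYMOUS mechanism */
    bool submit_entity;    /* session belongs to a message submission server */
};

/* Coarse flag: any login as the anonymous user counts as anonymous. */
bool anon_coarse(const struct session *s, const char *anon_user)
{
    return s->sasl_anonymous || strcmp(s->username, anon_user) == 0;
}

/* Fine flag: only SASL ANONYMOUS counts as an anonymous login. */
bool anon_fine(const struct session *s)
{
    return s->sasl_anonymous;
}

/* RFC 4467 access identifier check; is_anon comes from one of the flags above. */
bool urlauth_access_ok(const char *access, const struct session *s, bool is_anon)
{
    if (strcmp(access, "anonymous") == 0)
        return true;                       /* no restriction at all */
    if (strcmp(access, "authuser") == 0)
        return !is_anon;                   /* any non-anonymous login */
    if (strncmp(access, "user+", 5) == 0)  /* only the named user */
        return !is_anon && strcmp(access + 5, s->username) == 0;
    if (strncmp(access, "submit+", 7) == 0)
        return s->submit_entity && access[7] != '\0';
    return false;                          /* unknown identifiers are rejected */
}

int main(void)
{
    /* Constructed case: the anonymous user logged in with a password (e.g. PLAIN). */
    struct session plain = { "anonymous", false, false };
    printf("authuser, coarse flag: %d\n",
           urlauth_access_ok("authuser", &plain, anon_coarse(&plain, "anonymous")));
    printf("authuser, fine flag:   %d\n",
           urlauth_access_ok("authuser", &plain, anon_fine(&plain)));
    return 0;
}
```

With the coarse flag the password-authenticated anonymous user is refused "authuser" URLs; with the fine flag only a SASL ANONYMOUS session is refused.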
Re: antispam plugin pipe backend error when moving multiple emails
Hello,

I'm bumping this because it still occurs with dovecot 2.2.22.

my dovecot-antispam plugin configuration :

  antispam_allow_append_to_spam = no
  antispam_backend = pipe
  antispam_pipe_program = /usr/bin/rspamc
  antispam_pipe_program_args = -h;127.0.0.1:11334;-P;
  antispam_pipe_program_notspam_arg = learn_ham
  antispam_pipe_program_spam_arg = learn_spam
  antispam_pipe_tmpdir = /var/tmp
  antispam_spam = Junk
  antispam_trash = trash;Trash;Deleted Items;Deleted Messages

zlib enabled:

  zlib_save = gz
  zlib_save_level = 9

When moving 2 or more messages from inbox to the Junk folder:

"J47 NO [CANNOT] Failed to copy to temporary file (0.000 + 0.000 secs).". Command attempted: "J47 UID MOVE 106318:106319 Junk"

or sometimes

"J123 NO [CANNOT] Failed to read mail beginning (0.000 + 0.000 secs).". Command attempted: "J123 UID MOVE 170789:170790 Junk"

and still have the "Cached message size smaller..." in dovecot logs.

It occurs at least when header lines of an email contains Non-ASCII Text (rfc1342). Batches of full ascii emails are not affected.

I can easily reproduce this from/to the Junk folder, but had unconfirmed reports of similar errors when batch moving mails across regular folders.

Stéphane

On 8 Nov 2015, at 11:50, Stéphane Cottin wrote:
> Hi,
>
> I've got some trouble with the dovecot antispam plugin and the pipe backend.
> I'm using dovecot 2.2.18 with maildirs and zlib compression enabled.
>
> When moving 2 or more emails at once from the Junk folder to another one, I always have the following error :
> "Failed to copy to temporary file"
>
> In the server logs :
> imap(v...@vvv.vvv): Error: read(zlib(/data/Maildir/.test/tmp/1446974366.M123890P936.vvv)) failed: Cached message size smaller than expected (13553 < 13562, box=test, UID=0)
>
> The same operation with one email at a time, on the same emails, works as expected.
>
> Stéphane
Re: GSSAPI authentication setup
On 18.04.2016 14:22, Braden McDaniel wrote:
> On Mon, 2016-04-18 at 08:59 +0300, aki.tu...@dovecot.fi wrote:
>>> On April 18, 2016 at 8:13 AM Braden McDaniel wrote:
>>>
>>>
>>> On Sun, 2016-04-17 at 21:49 +0300, aki.tu...@dovecot.fi wrote:
>>>>
>>>> Did you check your setup against http://wiki2.dovecot.org/Authentication/Kerberos
>>> I did. Of course, it's possible I've still managed to overlook
>>> something.
>>>
>>>> Also can you provide klist -k on server?
>>> I assume you mean the kerberos server:
>>>
>>> [root@knock ~]#
>> Apologies, I meant your IMAP server.
> [root@hinge ~]# klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
>
> --
>    3 host/hinge.endoframe@endoframe.net
>    3 host/hinge.endoframe@endoframe.net
>    4 host/hinge.endoframe@endoframe.net
>    2 imap/hinge.endoframe@endoframe.net
>
>

There was a previous case where gssapi did not work with Thunderbird. It apparently has some problems with GSSAPI usage. Also, did you ensure that your client has all the requisite principals? Can you try turning on auth_verbose=yes?

Remember that kerberos is very DNS oriented, so missing/incorrect reverse records can also cause failures.

Aki
Re: GSSAPI authentication setup
On Mon, 2016-04-18 at 08:59 +0300, aki.tu...@dovecot.fi wrote:
> > On April 18, 2016 at 8:13 AM Braden McDaniel wrote:
> >
> >
> > On Sun, 2016-04-17 at 21:49 +0300, aki.tu...@dovecot.fi wrote:
> > >
> > > Did you check your setup against
> > > http://wiki2.dovecot.org/Authentication/Kerberos
> > I did. Of course, it's possible I've still managed to overlook
> > something.
> >
> > > Also can you provide klist -k on server?
> > I assume you mean the kerberos server:
> >
> > [root@knock ~]#
>
> Apologies, I meant your IMAP server.

[root@hinge ~]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
--
   3 host/hinge.endoframe@endoframe.net
   3 host/hinge.endoframe@endoframe.net
   3 host/hinge.endoframe@endoframe.net
   3 host/hinge.endoframe@endoframe.net
   3 host/hinge.endoframe@endoframe.net
   3 host/hinge.endoframe@endoframe.net
   3 host/hinge.endoframe@endoframe.net
   3 host/hinge.endoframe@endoframe.net
   3 host/hinge.endoframe@endoframe.net
   3 host/hinge.endoframe@endoframe.net
   3 host/hinge.endoframe@endoframe.net
   3 host/hinge.endoframe@endoframe.net
   3 host/hinge.endoframe@endoframe.net
   3 host/hinge.endoframe@endoframe.net
   3 host/hinge.endoframe@endoframe.net
   3 host/hinge.endoframe@endoframe.net
   4 host/hinge.endoframe@endoframe.net
   4 host/hinge.endoframe@endoframe.net
   4 host/hinge.endoframe@endoframe.net
   4 host/hinge.endoframe@endoframe.net
   4 host/hinge.endoframe@endoframe.net
   4 host/hinge.endoframe@endoframe.net
   4 host/hinge.endoframe@endoframe.net
   4 host/hinge.endoframe@endoframe.net
   2 imap/hinge.endoframe@endoframe.net
   2 imap/hinge.endoframe@endoframe.net
   2 imap/hinge.endoframe@endoframe.net
   2 imap/hinge.endoframe@endoframe.net
   2 imap/hinge.endoframe@endoframe.net
   2 imap/hinge.endoframe@endoframe.net
   2 imap/hinge.endoframe@endoframe.net
   2 imap/hinge.endoframe@endoframe.net

--
Braden McDaniel
Re: stats: Error: FIFO input error: CONNECT: Duplicate session ID
On 18.04.2016 10:12, Urban Loesch wrote:
> Hi,
>
> yesterday I updated to Dovecot EE version 2:2.2.23.1-1.
> Now sometimes I see these errors in my logs:
>
> ...
> Apr 18 09:02:19 dovecot1 dovecot: stats: Error: FIFO input error: CONNECT: Duplicate session ID NjcCDoSAFFd/KQAAFMUCeg for user u...@domain1.com service lmtp
> Apr 18 09:04:05 dovecot1 dovecot: stats: Error: FIFO input error: CONNECT: Duplicate session ID rjV1HtCGFFcoogAAFMUCeg for user u...@domain2.com service lmtp
> Apr 18 09:04:30 dovecot1 dovecot: stats: Error: FIFO input error: CONNECT: Duplicate session ID Sqi0IMWAFFeRNQAAFMUCeg for user u...@domain3.com service lmtp
> ...
>
> The error only appears when a mail is sent to 2 or more recipients concurrently.
> It's not critical for me, all mails are getting delivered correctly.

This is fixed in commit https://github.com/dovecot/core/commit/aeea3dbd1f4031634f7b318614adf51dcfc79f42

br,
Teemu Huovila

>
> Thanks and regards
> Urban Loesch
stats: Error: FIFO input error: CONNECT: Duplicate session ID
Hi,

yesterday I updated to Dovecot EE version 2:2.2.23.1-1.
Now sometimes I see these errors in my logs:

...
Apr 18 09:02:19 dovecot1 dovecot: stats: Error: FIFO input error: CONNECT: Duplicate session ID NjcCDoSAFFd/KQAAFMUCeg for user u...@domain1.com service lmtp
Apr 18 09:04:05 dovecot1 dovecot: stats: Error: FIFO input error: CONNECT: Duplicate session ID rjV1HtCGFFcoogAAFMUCeg for user u...@domain2.com service lmtp
Apr 18 09:04:30 dovecot1 dovecot: stats: Error: FIFO input error: CONNECT: Duplicate session ID Sqi0IMWAFFeRNQAAFMUCeg for user u...@domain3.com service lmtp
...

The error only appears when a mail is sent to 2 or more recipients concurrently.
It's not critical for me, all mails are getting delivered correctly.

Thanks and regards
Urban Loesch
Re: GSSAPI authentication setup
> On April 18, 2016 at 8:13 AM Braden McDaniel wrote:
>
>
> On Sun, 2016-04-17 at 21:49 +0300, aki.tu...@dovecot.fi wrote:
> >
> > Did you check your setup against
> > http://wiki2.dovecot.org/Authentication/Kerberos
>
> I did. Of course, it's possible I've still managed to overlook
> something.
>
> > Also can you provide klist -k on server?
>
> I assume you mean the kerberos server:
>
> [root@knock ~]#
> --
> Braden McDaniel

Apologies, I meant your IMAP server.

---
Aki Tuomi