Re: [Dovecot] Patch: 2.0 support for URLAUTH, BURL, CATENATE

2016-04-18 Thread Stephan Bosch



On 18-4-2016 at 18:02, Charles Marcus wrote:

> Greetings Mike and Timo,
>
> A question about BURL support in Thunderbird came up, and while there is
> an open bug, it apparently is still not implemented.
>
> I'd love to see this get done, so I've been checking on the status of
> this in both postfix and dovecot...
>
> Can someone comment on whether or not this was ever fully/properly
> implemented?


Status:

URLAUTH - Fully implemented.
CATENATE - Fully implemented.
BURL - Not really a Dovecot concern, but we've created a Dovecot-based 
SMTP submission proxy that adds BURL and other advanced functionality to 
any SMTP backend. This feature is currently a set of patches that is 
scheduled to be merged for Dovecot v2.3. The Dovecot v2.3 branch was 
started just a few days ago.


Regards,

Stephan.




> Charles
>
> On 1/14/2011 12:35 PM, Mike Abbott wrote:
>> On Dec 5, 2010, at 11:17 PM, Timo Sirainen wrote:
>>
>>> I don't think there's any need to send "anonymous_username" to imap
>>> process? It just seems to want to know if the current user is anonymous
>>> or not. That same thing has been in my TODO list for a while already
>>> because ManageSieve could use that information too. So committed now:
>>> http://hg.dovecot.org/dovecot-2.0/rev/c41ba33b8e16
>> I just tried out this change and it does not replace the need for the
>> anonymous_username field.  I only now fully understand the comment:
>> 	/* this is an anonymous login, either via ANONYMOUS
>> 	   SASL mechanism or simply logging in as the anonymous
>> 	   user via another mechanism */
>> Since the change does not distinguish between those two cases it breaks the
>> "authuser" access identifier for the anonymous user when he is logged in
>> non-anonymously.  I would not really care about this edge case except that
>> the contributed implementation requires that the username in the IMAP URL
>> matches the authenticated user's username even for the "anonymous" and
>> "authuser" access identifiers, in violation of RFC 4467 section 4.  (The
>> implementation requires a match because Dovecot does not (can not) reach into
>> another user's mail storage.)  This means that the "anonymous" and "authuser"
>> access identifiers only work for the anonymous user in the implementation;
>> your change makes the "authuser" access identifier always fail for the
>> anonymous user.  The anonymous_username field in the original contributed
>> patch does distinguish between SASL ANONYMOUS and logging in as the anonymous
>> user via another mechanism, so the "anonymous" and "authuser" access
>> identifiers work properly for the anonymous user (but not for any other user).
>>
>> If you can teach me how to make urlfetch_url() access any user's mail storage
>> from an IMAP process logged in as a different user (subject to OS uid/gid
>> permission constraints), I can make "anonymous" and "authuser" work for all
>> users and use your change instead of the "anonymous_username" field.
>>
>> Alternatively, you could edit your change to add the "anonymous" indication
>> to the auth reply only for SASL ANONYMOUS authentications rather than for all
>> anonymous-user authentications, unless that would cause trouble for
>> ManageSieve.


Re: [Dovecot] Patch: 2.0 support for URLAUTH, BURL, CATENATE

2016-04-18 Thread Charles Marcus
Greetings Mike and Timo,

A question about BURL support in Thunderbird came up, and while there is
an open bug, it apparently is still not implemented.

I'd love to see this get done, so I've been checking on the status of
this in both postfix and dovecot...

Can someone comment on whether or not this was ever fully/properly
implemented?


Charles

On 1/14/2011 12:35 PM, Mike Abbott wrote:
> On Dec 5, 2010, at 11:17 PM, Timo Sirainen wrote:
>
>> I don't think there's any need to send "anonymous_username" to imap
>> process? It just seems to want to know if the current user is anonymous
>> or not. That same thing has been in my TODO list for a while already
>> because ManageSieve could use that information too. So committed now:
>> http://hg.dovecot.org/dovecot-2.0/rev/c41ba33b8e16
> I just tried out this change and it does not replace the need for the 
> anonymous_username field.  I only now fully understand the comment:
> 	/* this is an anonymous login, either via ANONYMOUS
> 	   SASL mechanism or simply logging in as the anonymous
> 	   user via another mechanism */
> Since the change does not distinguish between those two cases it breaks the 
> "authuser" access identifier for the anonymous user when he is logged in 
> non-anonymously.  I would not really care about this edge case except that 
> the contributed implementation requires that the username in the IMAP URL 
> matches the authenticated user's username even for the "anonymous" and 
> "authuser" access identifiers, in violation of RFC 4467 section 4.  (The 
> implementation requires a match because Dovecot does not (can not) reach into 
> another user's mail storage.)  This means that the "anonymous" and "authuser" 
> access identifiers only work for the anonymous user in the implementation; 
> your change makes the "authuser" access identifier always fail for the 
> anonymous user.  The anonymous_username field in the original contributed 
> patch does distinguish between SASL ANONYMOUS and logging in as the anonymous 
> user via another mechanism, so the "anonymous" and "authuser" access 
> identifiers work properly for the anonymous user (but not for any other user).
>
> If you can teach me how to make urlfetch_url() access any user's mail storage 
> from an IMAP process logged in as a different user (subject to OS uid/gid 
> permission constraints), I can make "anonymous" and "authuser" work for all 
> users and use your change instead of the "anonymous_username" field.
>
> Alternatively, you could edit your change to add the "anonymous" indication 
> to the auth reply only for SASL ANONYMOUS authentications rather than for all 
> anonymous-user authentications, unless that would cause trouble for 
> ManageSieve.
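
The access-identifier problem discussed in the quoted message above, modelled as an added example (not code from the contributed patch or from Dovecot). The identifier semantics follow RFC 4467; the struct, its fields and the function names are hypothetical, and the storage-ownership match the thread mentions is not modelled.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical session record; field names are illustrative, not Dovecot's. */
struct session {
    const char *username;  /* login name of the IMAP session */
    bool sasl_anonymous;   /* authenticated with the SASL ANONYMOUS mechanism */
    bool anonymous_user;   /* logged in as the configured anonymous user */
    bool submit_entity;    /* session belongs to a message submission entity */
};

/* One flag for both cases, as the thread describes the committed change. */
bool anon_coarse(const struct session *s)
{
    return s->sasl_anonymous || s->anonymous_user;
}

/* Only SASL ANONYMOUS counts: the distinction anonymous_username preserved. */
bool anon_precise(const struct session *s)
{
    return s->sasl_anonymous;
}

/* Does the URLAUTH access identifier admit this session? Fails closed. */
bool urlauth_access_ok(const char *access, const struct session *s, bool anon)
{
    if (strcmp(access, "anonymous") == 0)
        return true;                       /* any session, anonymous included */
    if (strcmp(access, "authuser") == 0)
        return !anon;                      /* any non-anonymous session */
    if (strncmp(access, "user+", 5) == 0)  /* only the named user */
        return !anon && strcmp(access + 5, s->username) == 0;
    if (strncmp(access, "submit+", 7) == 0)
        return s->submit_entity && access[7] != '\0';
    return false;                          /* unknown identifier */
}

int main(void)
{
    /* Constructed case: the anonymous user logged in with a non-ANONYMOUS mechanism. */
    struct session s = { "anonymous", false, true, false };
    printf("coarse flag:  authuser %s\n",
           urlauth_access_ok("authuser", &s, anon_coarse(&s)) ? "allowed" : "denied");
    printf("precise flag: authuser %s\n",
           urlauth_access_ok("authuser", &s, anon_precise(&s)) ? "allowed" : "denied");
    return 0;
}
```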


Re: antispam plugin pipe backend error when moving multiple emails

2016-04-18 Thread Stéphane Cottin

Hello,

I'm bumping this because it still occurs with dovecot 2.2.22.

My dovecot-antispam plugin configuration:

  antispam_allow_append_to_spam = no
  antispam_backend = pipe
  antispam_pipe_program = /usr/bin/rspamc
  antispam_pipe_program_args = -h;127.0.0.1:11334;-P;
  antispam_pipe_program_notspam_arg = learn_ham
  antispam_pipe_program_spam_arg = learn_spam
  antispam_pipe_tmpdir = /var/tmp
  antispam_spam = Junk
  antispam_trash = trash;Trash;Deleted Items;Deleted Messages

zlib enabled:
  zlib_save = gz
  zlib_save_level = 9


When moving 2 or more messages from inbox to the Junk folder:

"J47 NO [CANNOT] Failed to copy to temporary file (0.000 + 0.000 
secs).”. Command attempted: “J47 UID MOVE 106318:106319 Junk"


or sometimes

"J123 NO [CANNOT] Failed to read mail beginning (0.000 + 0.000 
secs).”. Command attempted: “J123 UID MOVE 170789:170790 Junk"


and I still have the "Cached message size smaller..." in the dovecot logs.

It occurs at least when header lines of an email contain non-ASCII text
(RFC 1342).

Batches of fully ASCII emails are not affected.

I can easily reproduce this from/to the Junk folder, but have had unconfirmed
reports of similar errors when batch moving mails across regular
folders.


Stéphane


On 8 Nov 2015, at 11:50, Stéphane Cottin wrote:


Hi,

I've got some trouble with the dovecot antispam plugin and the pipe 
backend.


I'm using dovecot 2.2.18 with maildirs and zlib compression enabled.

When moving 2 or more emails at once from the Junk folder to another
one, I always have the following error: "Failed to copy to temporary
file"


In the server logs:

imap(v...@vvv.vvv): Error: 
read(zlib(/data/Maildir/.test/tmp/1446974366.M123890P936.vvv)) failed: 
Cached message size smaller than expected (13553 < 13562, box=test, 
UID=0)


The same operation with one email at a time, on the same emails, works 
as expected.


Stéphane


Re: GSSAPI authentication setup

2016-04-18 Thread Aki Tuomi


On 18.04.2016 14:22, Braden McDaniel wrote:
> On Mon, 2016-04-18 at 08:59 +0300, aki.tu...@dovecot.fi wrote:
>>> On April 18, 2016 at 8:13 AM Braden McDaniel 
>>> wrote:
>>>
>>>
>>> On Sun, 2016-04-17 at 21:49 +0300, aki.tu...@dovecot.fi wrote:
>>>>
>>>> Did you check your setup against
>>>> http://wiki2.dovecot.org/Authentication/Kerberos
>>> I did.  Of course, it's possible I've still managed to overlook
>>> something. 
>>>
>>>> Also can you provide klist -k on server?
>>> I assume you mean the kerberos server:
>>>
>>> [root@knock ~]# 
>> Apologies, I meant your IMAP server.
> [root@hinge ~]# klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> --
>    3 host/hinge.endoframe@endoframe.net
>    3 host/hinge.endoframe@endoframe.net
>    4 host/hinge.endoframe@endoframe.net
>    2 imap/hinge.endoframe@endoframe.net
>
>
There was a previous case where GSSAPI did not work with Thunderbird. It
apparently has some problems with GSSAPI usage. Also, did you ensure
that your client has all the requisite principals?

Can you try turning on auth_verbose=yes?

Remember that Kerberos is very DNS oriented, so missing/incorrect
reverse records can also cause failures.

Aki


Re: GSSAPI authentication setup

2016-04-18 Thread Braden McDaniel
On Mon, 2016-04-18 at 08:59 +0300, aki.tu...@dovecot.fi wrote:
> > 
> > On April 18, 2016 at 8:13 AM Braden McDaniel 
> > wrote:
> > 
> > 
> > On Sun, 2016-04-17 at 21:49 +0300, aki.tu...@dovecot.fi wrote:
> > > 
> > > > 
> > > > 
> > > > Did you check your setup against
> > > http://wiki2.dovecot.org/Authentication/Kerberos
> > I did.  Of course, it's possible I've still managed to overlook
> > something. 
> > 
> > > 
> > > Also can you provide klist -k on server?
> > I assume you mean the kerberos server:
> > 
> > [root@knock ~]# 
> 
> Apologies, I meant your IMAP server.

[root@hinge ~]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
 
--
   3 host/hinge.endoframe@endoframe.net
   3 host/hinge.endoframe@endoframe.net
   3 host/hinge.endoframe@endoframe.net
   3 host/hinge.endoframe@endoframe.net
   3 host/hinge.endoframe@endoframe.net
   3 host/hinge.endoframe@endoframe.net
   3 host/hinge.endoframe@endoframe.net
   3 host/hinge.endoframe@endoframe.net
   3 host/hinge.endoframe@endoframe.net
   3 host/hinge.endoframe@endoframe.net
   3 host/hinge.endoframe@endoframe.net
   3 host/hinge.endoframe@endoframe.net
   3 host/hinge.endoframe@endoframe.net
   3 host/hinge.endoframe@endoframe.net
   3 host/hinge.endoframe@endoframe.net
   3 host/hinge.endoframe@endoframe.net
   4 host/hinge.endoframe@endoframe.net
   4 host/hinge.endoframe@endoframe.net
   4 host/hinge.endoframe@endoframe.net
   4 host/hinge.endoframe@endoframe.net
   4 host/hinge.endoframe@endoframe.net
   4 host/hinge.endoframe@endoframe.net
   4 host/hinge.endoframe@endoframe.net
   4 host/hinge.endoframe@endoframe.net
   2 imap/hinge.endoframe@endoframe.net
   2 imap/hinge.endoframe@endoframe.net
   2 imap/hinge.endoframe@endoframe.net
   2 imap/hinge.endoframe@endoframe.net
   2 imap/hinge.endoframe@endoframe.net
   2 imap/hinge.endoframe@endoframe.net
   2 imap/hinge.endoframe@endoframe.net
   2 imap/hinge.endoframe@endoframe.net


-- 
Braden McDaniel 


Re: stats: Error: FIFO input error: CONNECT: Duplicate session ID

2016-04-18 Thread Teemu Huovila


On 18.04.2016 10:12, Urban Loesch wrote:
> Hi,
> 
> Yesterday I updated to Dovecot EE version 2:2.2.23.1-1.
> Now sometimes I see these errors in my logs:
> 
> ...
> Apr 18 09:02:19 dovecot1 dovecot: stats: Error: FIFO input error: CONNECT: 
> Duplicate session ID NjcCDoSAFFd/KQAAFMUCeg for user u...@domain1.com service 
> lmtp
> Apr 18 09:04:05 dovecot1 dovecot: stats: Error: FIFO input error: CONNECT: 
> Duplicate session ID rjV1HtCGFFcoogAAFMUCeg for user u...@domain2.com service 
> lmtp
> Apr 18 09:04:30 dovecot1 dovecot: stats: Error: FIFO input error: CONNECT: 
> Duplicate session ID Sqi0IMWAFFeRNQAAFMUCeg for user u...@domain3.com service 
> lmtp
> ...
> 
> The error only appears when a mail is sent to 2 or more recipients 
> concurrently.
> It's not critical for me, all mails are getting delivered correctly.
This is fixed in commit 
https://github.com/dovecot/core/commit/aeea3dbd1f4031634f7b318614adf51dcfc79f42

br,
Teemu Huovila
> 
> Thanks and regards
> Urban Loesch


stats: Error: FIFO input error: CONNECT: Duplicate session ID

2016-04-18 Thread Urban Loesch

Hi,

Yesterday I updated to Dovecot EE version 2:2.2.23.1-1.
Now sometimes I see these errors in my logs:

...
Apr 18 09:02:19 dovecot1 dovecot: stats: Error: FIFO input error: CONNECT: Duplicate session ID NjcCDoSAFFd/KQAAFMUCeg for user u...@domain1.com service lmtp
Apr 18 09:04:05 dovecot1 dovecot: stats: Error: FIFO input error: CONNECT: Duplicate session ID rjV1HtCGFFcoogAAFMUCeg for user u...@domain2.com service lmtp
Apr 18 09:04:30 dovecot1 dovecot: stats: Error: FIFO input error: CONNECT: Duplicate session ID Sqi0IMWAFFeRNQAAFMUCeg for user u...@domain3.com service lmtp

...

The error only appears when a mail is sent to 2 or more recipients 
concurrently.
It's not critical for me, all mails are getting delivered correctly.

Thanks and regards
Urban Loesch


Re: GSSAPI authentication setup

2016-04-18 Thread aki . tuomi

> On April 18, 2016 at 8:13 AM Braden McDaniel wrote:
> 
> 
> On Sun, 2016-04-17 at 21:49 +0300, aki.tu...@dovecot.fi wrote:
> > > 
> > > Did you check your setup against
> > http://wiki2.dovecot.org/Authentication/Kerberos
> 
> I did.  Of course, it's possible I've still managed to overlook
> something. 
> 
> > Also can you provide klist -k on server?
> 
> I assume you mean the kerberos server:
> 
> [root@knock ~]# 
> -- 
> Braden McDaniel 

Apologies, I meant your IMAP server.
---
Aki Tuomi