Re: Dovecot 2.2.25 fails on SSL

2016-09-02 Thread Joseph Tam

Aki Tuomi wrote:

>> ldd /usr/local/Dovecot-2.2.25/lib/dovecot/libdcrypt_openssl.so
>> linux-gate.so.1 =>  (0x00dca000)
>> libcrypto.so.1.0.0 => not found
>> ...
>
> Well, then it leaves only option of using /etc/ld.so.conf
> so basically add your libssl location there.


You can also affect where shared libraries are loaded using the
LD_LIBRARY_PATH environment variable.  Try adding

LD_LIBRARY_PATH=/location/of/libdir; export LD_LIBRARY_PATH

to your service boot scripts.

Joseph Tam 


Alternate mail store of a few users disappeared unexpectedly

2016-09-02 Thread Prakash Autade
Hello,

We are using dovecot with mdbox and ALT store on S3 (Simple Storage System).
We export the
mail_location=mdbox://mdbox:ALT=/altmailstore//mdbox
of the user in extra parameters.
Today, the alternate mail store of a few users disappeared unexpectedly, which
resulted in mail loss.
We are unable to trace why and when the alternate store disappeared.
Our hypothesis is that the folder is removed during doveadm altmove.
We want to prevent this in future.
It will be great if someone helps to identify the root cause.


Dovecot version: 2.2.19

# dovecot -n
# 2.2.19: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-573.el6.x86_64 x86_64 CentOS Linux release 6.0 (Final)
auth_mechanisms = plain login
auth_verbose_passwords = plain
disable_plaintext_auth = no
mail_fsync = always
mail_gid = 65111
mail_location = maildir:~/Maildir
mail_nfs_index = yes
mail_nfs_storage = yes
mail_plugins = " quota"
mail_uid = 65111
mdbox_rotate_interval = 1 days
mdbox_rotate_size = 20 M
mmap_disable = yes
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
auto = create
special_use = \Drafts
  }
  mailbox Junk {
special_use = \Junk
  }
  mailbox Sent {
special_use = \Sent
  }
  mailbox "Sent Items" {
auto = create
  }
  mailbox "Sent Messages" {
special_use = \Sent
  }
  mailbox Trash {
auto = create
special_use = \Trash
  }
  mailbox chat {
auto = create
  }
  prefix = INBOX.
  separator = .
  type = private
}
plugin {
  mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
  mail_log_fields = uid box msgid size
}
ssl_cert = 

Re: Dovecot 2.2.25 fails on SSL

2016-09-02 Thread Andreas M. Kirchwitz
Aki Tuomi  wrote:

> Well, then it leaves only option of using /etc/ld.so.conf
> so basically add your libssl location there.

That's not a working solution and not the purpose of /etc/ld.so.conf.

Currently, this is a real-life security issue in Dovecot 2.2.25,
because it compiles fine but then - to the user - silently fails
to use SSL. The user who doesn't know better reconfigures his
client and all security is gone. :-(

Custom SSL worked fine in Dovecot 2.2.24, so obviously it can be
made to work. The question is just where to add the proper options,
or maybe "configure" is broken in some way.

I'm happy to try out more patches until the proper solution is
found. I've already tried adding SSL libs in various locations
during the build process but it has always the same result
that it never gets past "configure".

Greetings, Andreas


Re: Dovecot 2.2.25 fails on SSL

2016-09-02 Thread Aki Tuomi

> On September 2, 2016 at 5:35 PM "Andreas M. Kirchwitz"  
> wrote:
> 
> 
> Aki Tuomi  wrote:
> 
> > Well, then it leaves only option of using /etc/ld.so.conf
> > so basically add your libssl location there.
> 
> That's not a working solution and not the purpose of /etc/ld.so.conf.
> 
> Currently, this is a real-life security issue in Dovecot 2.2.25,
> because it compiles fine but then - to the user - silently fails
> to use SSL. The user who doesn't know better reconfigures his
> client and all security is gone. :-(
> 
> Custom SSL worked fine in Dovecot 2.2.24, so obviously it can be
> made to work. The question is just where to add the proper options,
> or maybe "configure" is broken in some way.
> 
> I'm happy to try out more patches until the proper solution is
> found. I've already tried adding SSL libs in various locations
> during the build process but it has always the same result
> that it never gets past "configure".
> 
>   Greetings, Andreas

I tried various ways but wasn't able to get it to work. I can see if it can be 
fixed but it can take a while.

Aki


Re: index: namespace not selectable, and no info. :(

2016-09-02 Thread Larry Rosenman
anyone?

On Tue, Aug 30, 2016 at 1:45 PM, Larry Rosenman  wrote:

>
> thebighonker.lerctr.org ~ $ doveadm -D -v index \#ARCHIVE/2012/02/INBOX
> Debug: Loading modules from directory: /usr/local/lib/dovecot
> Debug: Module loaded: /usr/local/lib/dovecot/lib15_notify_plugin.so
> Debug: Module loaded: /usr/local/lib/dovecot/lib20_fts_plugin.so
> Debug: Module loaded: /usr/local/lib/dovecot/lib21_fts_lucene_plugin.so
> Debug: Module loaded: /usr/local/lib/dovecot/lib90_stats_plugin.so
> Debug: Loading modules from directory: /usr/local/lib/dovecot/doveadm
> Debug: Skipping module doveadm_acl_plugin, because dlopen() failed:
> /usr/local/lib/dovecot/doveadm/lib10_doveadm_acl_plugin.so: Undefined
> symbol "acl_user_module" (this is usually intentional, so just ignore this
> message)
> Debug: Skipping module doveadm_expire_plugin, because dlopen() failed:
> /usr/local/lib/dovecot/doveadm/lib10_doveadm_expire_plugin.so: Undefined
> symbol "expire_set_lookup" (this is usually intentional, so just ignore
> this message)
> Debug: Skipping module doveadm_quota_plugin, because dlopen() failed:
> /usr/local/lib/dovecot/doveadm/lib10_doveadm_quota_plugin.so: Undefined
> symbol "quota_user_module" (this is usually intentional, so just ignore
> this message)
> Debug: Module loaded: /usr/local/lib/dovecot/doveadm/lib10_doveadm_sieve_plugin.so
> Debug: Module loaded: /usr/local/lib/dovecot/doveadm/lib20_doveadm_fts_lucene_plugin.so
> Debug: Module loaded: /usr/local/lib/dovecot/doveadm/lib20_doveadm_fts_plugin.so
> doveadm(ler): Debug: Effective uid=1001, gid=1001, home=/home/ler
> doveadm(ler): Debug: Namespace inbox: type=private, prefix=, sep=,
> inbox=yes, hidden=no, list=yes, subscriptions=yes
> location=mbox:~/mail:INBOX=~/mail/INBOX
> doveadm(ler): Debug: fs: root=/home/ler/mail, index=, indexpvt=, control=,
> inbox=/home/ler/mail/INBOX, alt=
> doveadm(ler): Debug: Namespace archive: type=private, prefix=#ARCHIVE/,
> sep=/, inbox=no, hidden=no, list=no, subscriptions=yes
> location=mbox:~/MAILARCHIVE
> doveadm(ler): Debug: mbox: INBOX defaulted to /home/ler/MAILARCHIVE/inbox
> doveadm(ler): Debug: fs: root=/home/ler/MAILARCHIVE, index=, indexpvt=,
> control=, inbox=/home/ler/MAILARCHIVE/inbox, alt=
> doveadm(ler): Error: lucene: Failed to sync mailbox INBOX: Mailbox isn't
> selectable
> doveadm(ler): Error: Mailbox #ARCHIVE/2012/02/INBOX: Status lookup failed:
> Internal error occurred. Refer to server log for more information.
> [2016-08-30 13:41:57]
>
> NOTHING additional is logged in syslog.
>
> doveconf -n attached.
>
> I **CAN** select the mailbox in mutt using #ARCHIVE/2012/02/INBOX
>



-- 
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 (c) E-Mail: larry...@gmail.com
US Mail: 17716 Limpia Crk, Round Rock, TX 78664-7281


Cannot subscribe to Public mailbox

2016-09-02 Thread MI
I'm trying to set up a Public mailbox, but when I try to subscribe to it in 
Thunderbird, nothing happens: it doesn't appear as a folder, and when I go back to 
the Subscribe window, it is unchecked again.


I use postfix local delivery, which created a Maildir when a mail arrived for this 
mailbox: /home/others/sharedmail/Maildir/{cur,new,tmp}


(sharedmail is a system user so that Postfix can deliver the mail; it doesn't have a 
login shell or a password)


To make sure it is not a simple filesystem permissions problem, I did "chmod -R a+rwX 
Maildir/"


This is my current config (I tried to keep it short by leaving only what might be 
relevant):


   # dovecot -n
   # 2.1.7: /etc/dovecot/dovecot.conf
   # OS: Linux 3.2.0-4-amd64 x86_64 Debian 7.9
   ...
   mail_location = maildir:~/Maildir
   namespace {
  list = yes
  location = maildir:/home/others/sharedmail/Maildir
  prefix = Public.
  separator = .
  subscriptions = no
  type = public
   }
   namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
special_use = \Drafts
  }
  mailbox ...
...
  }
  prefix =
  separator = .
   }
   passdb {
  driver = pam
   }
   plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
   }
   protocols = " imap"
   service auth {
  unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
  }
   }
   userdb {
  driver = passwd
   }


Also, I'm not sure about the difference between type=public and type=shared. But 
anyway, I tried both with the same result.


Force SSL/TLS and client certificate checking only for connections from Internet

2016-09-02 Thread Konstantin Khomoutov
(Please CC me if possible.)

I have Dovecot 2.2.13 (shipped with Debian 8 "Jessie") serving IMAP for
a small organization.  It's connected both to the Internet and to that
organization's LAN.

I'd like Dovecot to have rather tight security requirements for
connections made from the Internet and reasonably lax requirements
for the LAN clients.

Because Dovecot authenticates users against an LDAP database which is
also used for logging into the users' machines, we have to use
somewhat weak passwords (randomly generated but short) for most users.

Because of this I want to:
* Mandate the usage of TLS for the connections made from Internet;
* Require the clients to present their SSL certificates, and
* Verify the validity of these certificates.

The certificates are issued by our own CA, so it's not a problem to
verify them.

The first iteration was to set

  ssl = required

and

  disable_plaintext_auth = yes

which I then overrode with a "remote" section for LAN connections:

  remote 192.168.0.0/16 {
disable_plaintext_auth = no
ssl = yes
  }

The next iteration was to actually enable verification of the client
certificates.

I have set the "ssl_ca" variable appropriately, then

  ssl_require_crl = yes
  ssl_verify_client_cert = yes

and

  auth_ssl_require_client_cert = yes

Then I went on and attempted to override the latter two settings
for the LAN clients by appending them to my special "remote" section
so it read:

  remote 192.168.0.0/16 {
disable_plaintext_auth = no
ssl = yes
ssl_verify_client_cert = no
auth_ssl_require_client_cert = no
  }

But after restart Dovecot complained that I cannot use the
"auth_ssl_require_client_cert" setting in a "remote" section.

I have removed it in the hope that still having

  ssl_verify_client_cert = no

there would inhibit SSL certificate checks for the LAN clients
but apparently it did not.

So, to recap:

* I need to have tight TLS settings for the clients connecting
  from the Internet:
  - TLS is required;
  - The client must present a valid certificate (issued by a CA
we control).

* LAN clients should use relaxed security settings: TLS is okay
  but that's all.

How do I go about setting this?

(On a side note, I can supposedly get away with installing stunnel and
making it proxy IMAP and IMAPS connections to Dovecot -- at least from
the documentation, it appears stunnel supports IMAP+STARTTLS -- but
I would rather have all this handled solely by Dovecot.)
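An offline check that goes with the required-TLS setup described above and with the "silently fails to use SSL" case from the 2.2.25 thread: this is an added example, not code from the list or from the Dovecot project. The function names (parse_capabilities, assess_pre_tls, probe) are hypothetical and the greeting strings in the comments are constructed; only probe() touches the network.

```python
import re
import socket
import ssl

def parse_capabilities(response):
    """Upper-cased tokens from '* OK [CAPABILITY ...]' and '* CAPABILITY ...'."""
    caps = set()
    for m in re.finditer(r'CAPABILITY ([^\]\r\n]*)', response, re.IGNORECASE):
        caps.update(tok.upper() for tok in m.group(1).split())
    return caps

def assess_pre_tls(caps):
    """With 'ssl = required' and 'disable_plaintext_auth = yes' the plaintext
    socket should offer STARTTLS and LOGINDISABLED and no AUTH= mechanism."""
    findings = []
    if 'STARTTLS' not in caps:
        findings.append('STARTTLS not offered')
    if 'LOGINDISABLED' not in caps:
        findings.append('LOGIN accepted before TLS')
    auth = sorted(c for c in caps if c.startswith('AUTH='))
    if auth:
        findings.append('plaintext auth mechanisms offered: ' + ' '.join(auth))
    return findings

def _read_until(sock, prefix):
    """Read until a line starting with `prefix` (e.g. b'a1 ') has arrived."""
    buf = b''
    while not any(line.startswith(prefix) for line in buf.split(b'\r\n')):
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf.decode('utf-8', 'replace')

def probe(host, port=143, cafile=None, certfile=None, keyfile=None):
    """Network-only: assess pre-TLS capabilities, then STARTTLS.  A refused
    STARTTLS is what a build whose SSL library did not load looks like; a
    handshake that fails only when no client cert is given points at
    ssl_verify_client_cert = yes (the constructed greeting below is typical)."""
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(b'a1 CAPABILITY\r\n')   # greeting arrives first anyway
        caps = parse_capabilities(_read_until(sock, b'a1 '))
        findings = assess_pre_tls(caps)
        if 'STARTTLS' in caps:
            sock.sendall(b'a2 STARTTLS\r\n')
            reply = _read_until(sock, b'a2 ')
            if 'a2 OK' not in reply:
                return findings + ['STARTTLS refused: ' + reply.strip()]
            ctx = ssl.create_default_context(cafile=cafile)
            if certfile:
                ctx.load_cert_chain(certfile, keyfile)
            try:
                tls = ctx.wrap_socket(sock, server_hostname=host)
                findings.append('TLS established: %s' % tls.version())
            except ssl.SSLError as err:
                findings.append('TLS handshake failed: %s' % err)
        return findings
```

Run probe() once with and once without certfile from each network: an empty findings list on the plaintext socket plus a handshake that only succeeds with the certificate is the Internet-side target; a handshake that succeeds without one is the LAN-side target.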


Re: initd script does not stop/restart all dovecot processes

2016-09-02 Thread Christian Kivalo



On 2016-09-02 12:15, Florent B wrote:

> On 09/02/2016 11:57 AM, Aki Tuomi wrote:
>> On September 2, 2016 at 12:16 PM Florent B  wrote:
>>
>> Hi
>>
>> You could look under /lib/systemd/system or similar. The .in file from
>> repo gets a sed treatment during make install.
>>
>> Aki Tuomi
>
> Ok, but I use 2.2.24, and when I did "make install" from source, it did
> not install any Dovecot service. Was it introduced in 2.2.25 ? "make
> install" output does not show anything with "dovecot.service.in"...

I use ./configure with --with-systemdsystemunitdir=/etc/systemd/system/
and that installs the systemd.service and socket

> That's why I need to copy initd script by myself, and did the same with
> systemd unit file when you suggested me to try it.


--
 Christian Kivalo


Re: initd script does not stop/restart all dovecot processes

2016-09-02 Thread Aki Tuomi

> On September 2, 2016 at 12:16 PM Florent B  wrote:
> 
>

Hi 

You could look under /lib/systemd/system or similar. The .in file from repo 
gets a sed treatment during make install.

Aki Tuomi


Re: initd script does not stop/restart all dovecot processes

2016-09-02 Thread Steffen Kaiser

On Fri, 2 Sep 2016, Sami Ketola wrote:

>> On 01 Sep 2016, at 17:25, Florent B  wrote:
>>
>> Hi everyone,
>>
>> On Debian Jessie servers, I use initd script provided by Dovecot 2.2 (in
>> doc/dovecot-initd.sh) and when I stop or restart dovecot service, it
>> still remains some process :
>>
>> ps aux | grep dove
>> dovecot   1798  0.0  0.1   9408  2116 ?S16:15   0:00
>> dovecot/anvil [1 connections]
>> root  1799  0.0  0.1   9544  2288 ?S16:15   0:00 dovecot/log
>> dovecot   1812  0.0  0.2  39144  5720 ?S16:15   0:00
>> dovecot/auth [0 wait, 0 passdb, 0 userdb]
>> root  1844  0.0  0.1  12728  2076 pts/0S+   16:16   0:00 grep dove
>>
>> Is it expected ? "restart" does not work of course, and "start" after
>> "stop" too.
>>
>> How can I fix this ?
>
> Debian Jessie comes with systemd so you really should not use initscript
> anymore but switch to systemd for starting dovecot. There is systemd
> service description file available for you in case your vendor does not
> provide it in the package:
>
> https://github.com/dovecot/core/blob/master/dovecot.service.in


I have the same experience, that Dovecot keeps running for a while. An 
immediate stop & start always fails. IMHO, that behaviour started with the 
introduction of anvil.


If the ps command lists all processes, that is what I see on Jessie and 
Squeeze as well.


@Florent: Please check if the Dovecot processes die after some timeout. 
I have patched the scripts to wait 5s then send an extra HUP and after 5s 
INT.


-- 
Steffen Kaiser



Re: initd script does not stop/restart all dovecot processes

2016-09-02 Thread Sami Ketola

> On 01 Sep 2016, at 17:25, Florent B  wrote:
> 
> Hi everyone,
> 
> On Debian Jessie servers, I use initd script provided by Dovecot 2.2 (in
> doc/dovecot-initd.sh) and when I stop or restart dovecot service, it
> still remains some process :
> 
> ps aux | grep dove
> dovecot   1798  0.0  0.1   9408  2116 ?S16:15   0:00
> dovecot/anvil [1 connections]
> root  1799  0.0  0.1   9544  2288 ?S16:15   0:00 dovecot/log
> dovecot   1812  0.0  0.2  39144  5720 ?S16:15   0:00
> dovecot/auth [0 wait, 0 passdb, 0 userdb]
> root  1844  0.0  0.1  12728  2076 pts/0S+   16:16   0:00 grep dove
> 
> 
> Is it expected ? "restart" does not work of course, and "start" after
> "stop" too.
> 
> How can I fix this ?

Debian Jessie comes with systemd so you really should not use initscript 
anymore but switch to systemd for starting dovecot. There is systemd 
service description file available for you in case your vendor does not 
provide it in the package:

https://github.com/dovecot/core/blob/master/dovecot.service.in

Sami

Re: Dovecot 2.2.25 fails on SSL

2016-09-02 Thread Aki Tuomi

> On September 2, 2016 at 4:56 AM "Andreas M. Kirchwitz"  
> wrote:
> 
> 
> Aki Tuomi  wrote:
> 
> >> ldd /usr/local/Dovecot-2.2.25/lib/dovecot/libssl_iostream_openssl.so
> >> linux-gate.so.1 =>  (0x00e8c000)
> >> libcrypto.so.1.0.0 => not found
> >> libssl.so.1.0.0 => not found
> >> librt.so.1 => /lib/librt.so.1 (0x00be4000)
> >> libc.so.6 => /lib/libc.so.6 (0x001a6000)
> >> libpthread.so.0 => /lib/libpthread.so.0 (0x003e4000)
> >> /lib/ld-linux.so.2 (0x007e7000)
> >>
> >> ldd /usr/local/Dovecot-2.2.25/lib/dovecot/libdcrypt_openssl.so
> >> linux-gate.so.1 =>  (0x00dca000)
> >> libcrypto.so.1.0.0 => not found
> >> libssl.so.1.0.0 => not found
> >> librt.so.1 => /lib/librt.so.1 (0x00a7a000)
> >> libc.so.6 => /lib/libc.so.6 (0x0016)
> >> libpthread.so.0 => /lib/libpthread.so.0 (0x0072f000)
> >> /lib/ld-linux.so.2 (0x0056)
> >>
> >> There's no libdcrypt_openssl.so in Dovecot 2.2.24, so I guess
> >> with the newly introduced dcrypt stuff something with SSL went wrong.
> >>
> >> Would be great if that could be fixed so that SSL works again.
> >
> > Can you try the attached patch out?
> 
> Sorry for the late answer. (Away from computers. :-)
> 
> Tried the attached patch, applies fine, compiles fine,
> but the ssl/crypto libraries are still not found.
> 
> The additional "$(SSL_LIBS)" in both "Makefile.am" files
> doesn't properly make it into the resulting "Makefile" files.
> After "configure" is done, the resulting "Makefile" files are
> exactly the same in the original 2.2.25 version and patched
> 2.2.25 version (I guess they *should* contain the additional
> SSL libraries somewhere).
> 
> Just let me know if there's more I can try (no longer away
> from computers, so response time is faster :-)
> 
>   Sorry for the bad news ... Andreas

Well, then it leaves only option of using /etc/ld.so.conf

so basically add your libssl location there.

Aki