Re: Dovecot 2.2.25 fails on SSL
Aki Tuomi wrote:

>> ldd /usr/local/Dovecot-2.2.25/lib/dovecot/libdcrypt_openssl.so
>>   linux-gate.so.1 => (0x00dca000)
>>   libcrypto.so.1.0.0 => not found
>>   ...
>
> Well, then it leaves only option of using /etc/ld.so.conf
> so basically add your libssl location there.

You can also affect where shared libraries are loaded using the LD_LIBRARY_PATH environment variable. Try adding

  LD_LIBRARY_PATH=/location/of/libdir; export LD_LIBRARY_PATH

to your service boot scripts.

Joseph Tam
Alternate mail store of few users is disparaged unexpectedly
Hello,

We are using dovecot with mdbox and ALT store on S3 (Simple Storage System). We export the mail_location=mdbox://mdbox:ALT=/altmailstore//mdbox of user in extra parameters.

Today, alternate mail store of few users is disparaged unexpectedly which resulted in mail loss. We are unable to trace out why and when the alternate store is disparaged. Our hypothesis is, the folder is removed during doveadm altmove.

We want to prevent this in future. It will be great if someone helps to identify the root cause.

Dovecot version: 2.2.19

# dovecot -n
# 2.2.19: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-573.el6.x86_64 x86_64 CentOS Linux release 6.0 (Final)
auth_mechanisms = plain login
auth_verbose_passwords = plain
disable_plaintext_auth = no
mail_fsync = always
mail_gid = 65111
mail_location = maildir:~/Maildir
mail_nfs_index = yes
mail_nfs_storage = yes
mail_plugins = " quota"
mail_uid = 65111
mdbox_rotate_interval = 1 days
mdbox_rotate_size = 20 M
mmap_disable = yes
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    auto = create
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Items" {
    auto = create
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    auto = create
    special_use = \Trash
  }
  mailbox chat {
    auto = create
  }
  prefix = INBOX.
  separator = .
  type = private
}
plugin {
  mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
  mail_log_fields = uid box msgid size
}
ssl_cert =
Re: Dovecot 2.2.25 fails on SSL
Aki Tuomi wrote:

> Well, then it leaves only option of using /etc/ld.so.conf
> so basically add your libssl location there.

That's not a working solution and not the purpose of /etc/ld.so.conf.

Currently, this is a real-life security issue in Dovecot 2.2.25, because it compiles fine but then - to the user - silently fails to use SSL. The user who doesn't know better reconfigures his client and all security is gone. :-(

Custom SSL worked fine in Dovecot 2.2.24, so obviously it can be made to work. The question is just where to add the proper options, or maybe "configure" is broken in some way.

I'm happy to try out more patches until the proper solution is found. I've already tried adding SSL libs in various locations during the build process but it has always the same result that it never gets past "configure".

Greetings, Andreas
Re: Dovecot 2.2.25 fails on SSL
> On September 2, 2016 at 5:35 PM "Andreas M. Kirchwitz" wrote:
>
>
> Aki Tuomi wrote:
>
> > Well, then it leaves only option of using /etc/ld.so.conf
> > so basically add your libssl location there.
>
> That's not a working solution and not the purpose of /etc/ld.so.conf.
>
> Currently, this is a real-life security issue in Dovecot 2.2.25,
> because it compiles fine but then - to the user - silently fails
> to use SSL. The user who doesn't know better reconfigures his
> client and all security is gone. :-(
>
> Custom SSL worked fine in Dovecot 2.2.24, so obviously it can be
> made to work. The question is just where to add the proper options,
> or maybe "configure" is broken in some way.
>
> I'm happy to try out more patches until the proper solution is
> found. I've already tried adding SSL libs in various locations
> during the build process but it has always the same result
> that it never gets past "configure".
>
> Greetings, Andreas

I tried various ways but wasn't able to get it to work. I can see if it can be fixed but it can take a while.

Aki
Re: index: namespace not selectable, and no info. :(
anyone?

On Tue, Aug 30, 2016 at 1:45 PM, Larry Rosenman wrote:

>
> thebighonker.lerctr.org ~ $ doveadm -D -v index \#ARCHIVE/2012/02/INBOX
> Debug: Loading modules from directory: /usr/local/lib/dovecot
> Debug: Module loaded: /usr/local/lib/dovecot/lib15_notify_plugin.so
> Debug: Module loaded: /usr/local/lib/dovecot/lib20_fts_plugin.so
> Debug: Module loaded: /usr/local/lib/dovecot/lib21_fts_lucene_plugin.so
> Debug: Module loaded: /usr/local/lib/dovecot/lib90_stats_plugin.so
> Debug: Loading modules from directory: /usr/local/lib/dovecot/doveadm
> Debug: Skipping module doveadm_acl_plugin, because dlopen() failed: /usr/local/lib/dovecot/doveadm/lib10_doveadm_acl_plugin.so: Undefined symbol "acl_user_module" (this is usually intentional, so just ignore this message)
> Debug: Skipping module doveadm_expire_plugin, because dlopen() failed: /usr/local/lib/dovecot/doveadm/lib10_doveadm_expire_plugin.so: Undefined symbol "expire_set_lookup" (this is usually intentional, so just ignore this message)
> Debug: Skipping module doveadm_quota_plugin, because dlopen() failed: /usr/local/lib/dovecot/doveadm/lib10_doveadm_quota_plugin.so: Undefined symbol "quota_user_module" (this is usually intentional, so just ignore this message)
> Debug: Module loaded: /usr/local/lib/dovecot/doveadm/lib10_doveadm_sieve_plugin.so
> Debug: Module loaded: /usr/local/lib/dovecot/doveadm/lib20_doveadm_fts_lucene_plugin.so
> Debug: Module loaded: /usr/local/lib/dovecot/doveadm/lib20_doveadm_fts_plugin.so
> doveadm(ler): Debug: Effective uid=1001, gid=1001, home=/home/ler
> doveadm(ler): Debug: Namespace inbox: type=private, prefix=, sep=, inbox=yes, hidden=no, list=yes, subscriptions=yes location=mbox:~/mail:INBOX=~/mail/INBOX
> doveadm(ler): Debug: fs: root=/home/ler/mail, index=, indexpvt=, control=, inbox=/home/ler/mail/INBOX, alt=
> doveadm(ler): Debug: Namespace archive: type=private, prefix=#ARCHIVE/, sep=/, inbox=no, hidden=no, list=no, subscriptions=yes location=mbox:~/MAILARCHIVE
> doveadm(ler): Debug: mbox: INBOX defaulted to /home/ler/MAILARCHIVE/inbox
> doveadm(ler): Debug: fs: root=/home/ler/MAILARCHIVE, index=, indexpvt=, control=, inbox=/home/ler/MAILARCHIVE/inbox, alt=
> doveadm(ler): Error: lucene: Failed to sync mailbox INBOX: Mailbox isn't selectable
> doveadm(ler): Error: Mailbox #ARCHIVE/2012/02/INBOX: Status lookup failed: Internal error occurred. Refer to server log for more information. [2016-08-30 13:41:57]
>
> NOTHING additional is logged in syslog.
>
> doveconf -n attached.
>
> I **CAN** select the mailbox in mutt using #ARCHIVE/2012/02/INBOX
>
>
> --
> Larry Rosenman http://www.lerctr.org/~ler
> Phone: +1 214-642-9640 (c) E-Mail: larry...@gmail.com
> US Mail: 17716 Limpia Crk, Round Rock, TX 78664-7281
>

--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 (c) E-Mail: larry...@gmail.com
US Mail: 17716 Limpia Crk, Round Rock, TX 78664-7281
Cannot subscribe to Public mailbox
I'm trying to set up a Public mailbox, but when I try to subscribe to it in Thunderbird, nothing happens: it doesn't appear as a folder, and when I go back to the Subscribe window, it is unchecked again.

I use postfix local delivery, which created a Maildir when a mail arrived for this mailbox:

  /home/others/sharedmail/Maildir/{cur,new,tmp}

(sharedmail is a system user so that Postfix can deliver the mail; it doesn't have a login shell or a password)

To make sure it is not a simple filesystem permissions problem, I did "chmod -R a+rwX Maildir/"

This is my current config (I tried to keep it short by leaving only what might be relevant):

# dovecot -n
# 2.1.7: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-4-amd64 x86_64 Debian 7.9
...
mail_location = maildir:~/Maildir
namespace {
  list = yes
  location = maildir:/home/others/sharedmail/Maildir
  prefix = Public.
  separator = .
  subscriptions = no
  type = public
}
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox ...
  ...
  }
  prefix =
  separator = .
}
passdb {
  driver = pam
}
plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
protocols = " imap"
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
userdb {
  driver = passwd
}

Also, I'm not sure about the difference between type=public and type=shared. But anyway, I tried both with the same result.
Force SSL/TLS and client certificate checking only for connections from Internet
(Please CC me if possible.)

I have Dovecot 2.2.13 (shipped with Debian 8 "Jessie") serving IMAP for a small organization. It's connected both to the Internet and to that organization's LAN.

I'd like Dovecot to have rather tight security requirements for connections made from the Internet and reasonably lax requirements for the LAN clients.

Due to Dovecot authenticating users against an LDAP database which is also used for logging into the users' machines, we have to use somewhat weak passwords (randomly generated but short) for most users.

Because of this I want to:

* Mandate the usage of TLS for the connections made from Internet;
* Require the clients to present their SSL certificates, and
* Verify the validity of these certificates.

The certificates are issued by our own CA, so it's not a problem to verify them.

The first iteration was to set

  ssl = required

and

  disable_plaintext_auth = yes

which I then overrode with a "remote" section for LAN connections:

  remote 192.168.0.0/16 {
    disable_plaintext_auth = no
    ssl = yes
  }

The next iteration was to actually enable verification of the client certificates. I have set the "ssl_ca" variable appropriately, then

  ssl_require_crl = yes
  ssl_verify_client_cert = yes

and

  auth_ssl_require_client_cert = yes

Then I went on and attempted to override the latter two settings for the LAN clients by appending them to my special "remote" section so that it read:

  remote 192.168.0.0/16 {
    disable_plaintext_auth = no
    ssl = yes
    ssl_verify_client_cert = no
    auth_ssl_require_client_cert = no
  }

But after restart Dovecot complained that I cannot use the "auth_ssl_require_client_cert" setting in a "remote" section. I have removed it in the hope that still having

  ssl_verify_client_cert = no

there would inhibit SSL certificate checks for the LAN clients but apparently it did not.

So, to recap:

* I need to have tight TLS settings for the clients connecting from the Internet:
  - TLS is required;
  - The client must present a valid certificate (issued by a CA we control).
* LAN clients should use relaxed security settings: TLS is okay but that's all.

How do I go about setting this?

(On a side note, I can supposedly get away installing stunnel and making it proxy IMAP and IMAPS connections to Dovecot -- at least from the documentation, it appears stunnel supports IMAP+STARTTLS, -- but I would rather have all this handled solely by Dovecot.)
Re: initd script does not stop/restart all dovecot processes
On 2016-09-02 12:15, Florent B wrote:
> On 09/02/2016 11:57 AM, Aki Tuomi wrote:
>>> On September 2, 2016 at 12:16 PM Florent B wrote:
>>>
>>> Hi
>>
>> You could look under /lib/systemd/system or similar. The .in file from
>> repo gets a sed treatment during make install.
>>
>> Aki Tuomi
>
> Ok, but I use 2.2.24, and when I did "make install" from source, it did
> not install any Dovecot service. Was it introduced in 2.2.25 ? "make
> install" output does not show anything with "dovecot.service.in"...

I use ./configure with --with-systemdsystemunitdir=/etc/systemd/system/ and that installs the systemd.service and socket

> That's why I need to copy initd script by myself, and did the same with
> systemd unit file when you suggested me to try it.

--
Christian Kivalo
Re: initd script does not stop/restart all dovecot processes
> On September 2, 2016 at 12:16 PM Florent B wrote:
>
> Hi

You could look under /lib/systemd/system or similar. The .in file from repo gets a sed treatment during make install.

Aki Tuomi
Re: initd script does not stop/restart all dovecot processes
On Fri, 2 Sep 2016, Sami Ketola wrote:
> On 01 Sep 2016, at 17:25, Florent B wrote:
>>
>> Hi everyone,
>>
>> On Debian Jessie servers, I use initd script provided by Dovecot 2.2 (in
>> doc/dovecot-initd.sh) and when I stop or restart dovecot service, it
>> still remains some process :
>>
>> ps aux | grep dove
>> dovecot 1798 0.0 0.1 9408 2116 ? S 16:15 0:00 dovecot/anvil [1 connections]
>> root 1799 0.0 0.1 9544 2288 ? S 16:15 0:00 dovecot/log
>> dovecot 1812 0.0 0.2 39144 5720 ? S 16:15 0:00 dovecot/auth [0 wait, 0 passdb, 0 userdb]
>> root 1844 0.0 0.1 12728 2076 pts/0 S+ 16:16 0:00 grep dove
>>
>> Is it expected ? "restart" does not work of course, and "start" after
>> "stop" too.
>>
>> How can I fix this ?
>
> Debian Jessie comes with systemd so you really should not use initscript
> anymore but switch to systemd for starting dovecot.
>
> There is systemd service description file available for you in case your
> vendor does not provide it in the package:
>
> https://github.com/dovecot/core/blob/master/dovecot.service.in

I have the same experience, that Dovecot keeps running for a while. An immediate stop & start always fails. IMHO, that behaviour started with the introduction of anvil.

If the ps command lists all processes, that is what I see on Jessie and Squeeze as well.

@Florent: Please check if the Dovecot processes die after some timeout. I have patched the scripts to wait 5s then send an extra HUP and after 5s INT.

--
Steffen Kaiser
Re: initd script does not stop/restart all dovecot processes
> On 01 Sep 2016, at 17:25, Florent B wrote:
>
> Hi everyone,
>
> On Debian Jessie servers, I use initd script provided by Dovecot 2.2 (in
> doc/dovecot-initd.sh) and when I stop or restart dovecot service, it
> still remains some process :
>
> ps aux | grep dove
> dovecot 1798 0.0 0.1 9408 2116 ? S 16:15 0:00 dovecot/anvil [1 connections]
> root 1799 0.0 0.1 9544 2288 ? S 16:15 0:00 dovecot/log
> dovecot 1812 0.0 0.2 39144 5720 ? S 16:15 0:00 dovecot/auth [0 wait, 0 passdb, 0 userdb]
> root 1844 0.0 0.1 12728 2076 pts/0 S+ 16:16 0:00 grep dove
>
>
> Is it expected ? "restart" does not work of course, and "start" after
> "stop" too.
>
> How can I fix this ?

Debian Jessie comes with systemd so you really should not use initscript anymore but switch to systemd for starting dovecot.

There is systemd service description file available for you in case your vendor does not provide it in the package:

https://github.com/dovecot/core/blob/master/dovecot.service.in

Sami
Re: Dovecot 2.2.25 fails on SSL
> On September 2, 2016 at 4:56 AM "Andreas M. Kirchwitz" wrote:
>
>
> Aki Tuomi wrote:
>
> >> ldd /usr/local/Dovecot-2.2.25/lib/dovecot/libssl_iostream_openssl.so
> >> linux-gate.so.1 => (0x00e8c000)
> >> libcrypto.so.1.0.0 => not found
> >> libssl.so.1.0.0 => not found
> >> librt.so.1 => /lib/librt.so.1 (0x00be4000)
> >> libc.so.6 => /lib/libc.so.6 (0x001a6000)
> >> libpthread.so.0 => /lib/libpthread.so.0 (0x003e4000)
> >> /lib/ld-linux.so.2 (0x007e7000)
> >>
> >> ldd /usr/local/Dovecot-2.2.25/lib/dovecot/libdcrypt_openssl.so
> >> linux-gate.so.1 => (0x00dca000)
> >> libcrypto.so.1.0.0 => not found
> >> libssl.so.1.0.0 => not found
> >> librt.so.1 => /lib/librt.so.1 (0x00a7a000)
> >> libc.so.6 => /lib/libc.so.6 (0x0016)
> >> libpthread.so.0 => /lib/libpthread.so.0 (0x0072f000)
> >> /lib/ld-linux.so.2 (0x0056)
> >>
> >> There's no libdcrypt_openssl.so in Dovecot 2.2.24, so I guess
> >> with the newly introduced dcrypt stuff something with SSL went wrong.
> >>
> >> Would be great if that could be fixed so that SSL works again.
> >
> > Can you try the attached patch out?
>
> Sorry for the late answer. (Away from computers. :-)
>
> Tried the attached patch, applies fine, compiles fine,
> but the ssl/crypto libraries are still not found.
>
> The additional "$(SSL_LIBS)" in both "Makefile.am" files
> doesn't properly make it into the resulting "Makefile" files.
> After "configure" is done, the resulting "Makefile" files are
> exactly the same in the original 2.2.25 version and patched
> 2.2.25 version (I guess they *should* contain the additional
> SSL libraries somewhere).
>
> Just let me know if there's more I can try (no longer away
> from computers, so response time is faster :-)
>
> Sorry for the bad news ... Andreas

Well, then it leaves only option of using /etc/ld.so.conf so basically add your libssl location there.

Aki
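
Added example (not part of the thread and not Dovecot's own code): a post-install check for the failure discussed above, where the build succeeds but the SSL modules have unresolved libssl/libcrypto dependencies at run time. The function names and the embedded sample are constructed for illustration; the library directory is whatever the caller passes in.

```shell
#!/bin/sh
# Fail a build/deploy step when any installed module has a dependency
# that the dynamic loader cannot resolve ("=> not found" in ldd output).
# Intended for shared objects from your own build tree.

# Read ldd output on stdin and print each unresolved library name once.
unresolved_libs() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }' | sort -u
}

# Check every *.so directly under a directory.
# Returns 0 when all dependencies resolve, 1 otherwise.
check_libdir() {
    dir=$1
    status=0
    for so in "$dir"/*.so; do
        [ -e "$so" ] || continue          # glob matched nothing
        missing=$(ldd "$so" 2>/dev/null | unresolved_libs | tr '\n' ' ')
        if [ -n "$missing" ]; then
            echo "UNRESOLVED $so: $missing" >&2
            status=1
        fi
    done
    return $status
}

# Constructed sample, modelled on the ldd output quoted in the thread,
# so the parser can be exercised without a Dovecot installation.
sample_ldd_output() {
cat <<'EOF'
    linux-gate.so.1 =>  (0x00dca000)
    libcrypto.so.1.0.0 => not found
    libssl.so.1.0.0 => not found
    librt.so.1 => /lib/librt.so.1 (0x00a7a000)
    libc.so.6 => /lib/libc.so.6 (0x0016)
EOF
}

# When run with a directory argument, check that directory.
if [ "$#" -gt 0 ]; then
    check_libdir "$1"
fi
```

Run with the module directory as its argument after "make install"; a non-zero exit status means at least one module would fail to load, which is the condition to catch before clients see SSL unavailable.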