Re: Self-Signed Certificate issue
Try this: Create a directory and do the following in that directory.

Create the file openssl.cnf with the following information:

    [ req ]
    default_md = sha2
    distinguished_name = req_distinguished_name

    [ req_distinguished_name ]
    countryName = US
    localityName = Boulder
    organizationName = Your organization's name here
    organizationalUnitName = IT Department
    emailAddress = some email address at your company
    commonName = "Just a simple statement about the company"

    [ certauth ]
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always,issuer:always
    basicConstraints = CA:true

    [ client ]
    basicConstraints = critical,CA:FALSE
    keyUsage = digitalSignature, keyEncipherment, dataEncipherment
    extendedKeyUsage = clientAuth

Just change the things you need to for you. Then issue the following command:

    openssl req -config ./openssl.cnf -newkey rsa:2048 -nodes -keyform PEM -keyout dovecot.key -x509 -days 365 -extensions certauth -outform PEM -out dovecot.pem -subj "/C=US/postalCode=0/ST=state/L=city/streetAddress=some street/O=company name/OU=IT Department/CN=dovecot cert/emailAddress=em...@yourcompany.com"

Just change the C, O, OU, etc. for your needs. Then verify the contents via:

    openssl x509 -noout -in dovecot.pem -subject
    openssl x509 -noout -in dovecot.pem -issuer
    openssl x509 -noout -in dovecot.pem -enddate
    openssl x509 -noout -in dovecot.pem -text

This will show what is in the certificate. Now copy the pem & key files to where you want them. Restart dovecot. You may have to change the configuration to use the names just created.

Dave Ryan

On 09/23/16 11:07, Darryl Baker wrote:
> My apologies if this is a repeat but my search of the archive did not turn
> it up in the recent past. If this has been covered just point me at the
> previous thread, please.
>
> I am running a small email site which I am moving from uw-imapd and Solaris
> to Ubuntu and Dovecot imaps and pop3s. I am trying to use a self-signed
> certificate for this site. I am using Thunderbird as the test client. I've
> tried both the pre-built snakeoil certificate and building a special one
> for dovecot. In /var/log/mail.err I keep getting what I am interpreting as
> a missing CA cert. The message is:
>
> dovecot: imap-login: Error: SSL: Stacked error: error:14094418:SSL
> routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48
>
> The certificate was created by:
>
> openssl req -new -x509 -days 365 -nodes -out /etc/ssl/certs/dovecot.pem
> -keyout /etc/ssl/private/dovecot.pem
>
> The Dovecot version is 2.2.22 (fe789d2) The Ubuntu version is 16.04 LTS
> current patches.
>
> *Darryl Baker*
Proxy IMAP/POP
Hello,

I'm trying to configure dovecot to proxy imap and pop but I can't. My configuration follows:

dovecot version = 2.2.10

My configuration: dovecot -n

    # 2.2.10: /etc/dovecot/dovecot.conf
    # OS: Linux 3.18.35 x86_64 CentOS Linux release 7.2.1511 (Core)
    auth_mechanisms = plain login
    auth_username_format = %n
    disable_plaintext_auth = no
    mail_location = maildir:~/Maildir
    mbox_write_locks = fcntl
    namespace inbox {
      inbox = yes
      location =
      mailbox Drafts {
        special_use = \Drafts
      }
      mailbox Junk {
        special_use = \Junk
      }
      mailbox Sent {
        special_use = \Sent
      }
      mailbox "Sent Messages" {
        special_use = \Sent
      }
      mailbox Trash {
        special_use = \Trash
      }
      prefix =
    }
    passdb {
      driver = pam
    }
    passdb {
      args = /etc/dovecot/dovecot-sql.conf.ext
      driver = sql
    }
    ssl = no
    ssl_cert =

http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/Proxy and installed dovecot-mysql.x86_64. My server is a CentOS Linux release 7.2.1511 (Core).

Can anyone help me?

Thanks.

Kind regards,
Luis Miguel
Self-Signed Certificate issue
My apologies if this is a repeat but my search of the archive did not turn it up in the recent past. If this has been covered just point me at the previous thread, please.

I am running a small email site which I am moving from uw-imapd and Solaris to Ubuntu and Dovecot imaps and pop3s. I am trying to use a self-signed certificate for this site. I am using Thunderbird as the test client. I've tried both the pre-built snakeoil certificate and building a special one for dovecot. In /var/log/mail.err I keep getting what I am interpreting as a missing CA cert. The message is:

    dovecot: imap-login: Error: SSL: Stacked error: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48

The certificate was created by:

    openssl req -new -x509 -days 365 -nodes -out /etc/ssl/certs/dovecot.pem -keyout /etc/ssl/private/dovecot.pem

The Dovecot version is 2.2.22 (fe789d2). The Ubuntu version is 16.04 LTS, current patches.

*Darryl Baker*
Re: Director keeping IMAP connections alive
Such connections do not exist on the front-end that connects to director hosts, so it's something between director and dovecot only.

On Wed, Sep 21, 2016 at 1:16 PM, Webert de Souza Lima wrote:
> Hello,
>
> I have a 2 director - 2 dovecot set up in a cluster.
>
> From time to time I notice high usage of RAM by dovecot process, and
> analyzing with doveadm who, I see many users with dozens, even hundreds of PIDs.
>
> Inspecting those PIDs I see each one of them is an IMAP connection, coming
> from either director process, and ESTABLISHED.
>
> A deeper analysis shows me that there are lots of connections from the same
> users to BOTH dovecot instances, but as I am using director, this shouldn't
> happen, right? Ok. The thing is, one of the dovecot instances has only old
> connections (like 3 days old) and the other dovecot has some old and some
> newer connections.
>
> So, director is redirecting recent connections to the right dovecot, as
> expected, but it is keeping many old and unused connections open,
> consuming resources.
>
> output of doveconf -n from dovecot:
> http://pastebin.com/trMEjeAs
>
> output of doveconf -n from director:
> http://pastebin.com/EUpHYMKY
>
> Thanks.
Re: Broken auth-* sockets.
On 2016-09-23 01:47, Aki Tuomi wrote:
> On September 23, 2016 at 3:16 AM ygris...@pyramidheadgroup.ca wrote:
>> Hello. I am migrating my servers to Ubuntu and have been having an issue
>> with the Dovecot authenticator service. Exim is set up to use dovecot-auth.
>> Anticipating the question whether the exim binary was compiled with support
>> for the Dovecot authenticator, it was:
>>
>> ---
>
> I thought that dovecot sockets are under /var/run/dovecot, not /var/dovecot,
> by default on Ubuntu 16.04. Anyways, to make sure dovecot actually is
> configured to listen on those sockets, you could stop dovecot, rm the socket
> files, and start dovecot to see if those sockets get created.
>
> Aki

Ah, that's precisely right! Leftover sockets from previous configuration. Thank you very much, glad I asked.
NFSv4 and Maildir
Recently moving to newer storage platforms for mailbox storage, so looking at moving mounts from NFSv3, with lots of issues with locking and caching, to NFSv4. There seem to be a lot of benefits to v4 along with some other new features, namely “delegation”. So the question boils down to: to delegate or not delegate on Maildir storage. There may be many reasons based on actual platform why to do (or not to do) this, but I want to get the general opinion from others that may have more experience with this.

Our setup is several FreeBSD 10.x clients running Dovecot/Exim, NetApp NFS mail storage (probably moving to TrueNAS) and using F5 load balancers for client side connections/SSL offload.

From what I’ve found (and what I’ve read in the RFC), delegation seems to work best when there is NOT a lot of file contention from clients accessing the same files. I realize that in some situations many people are using director to try and keep users on the same client; in our case we’re doing it with F5 iRules. The F5 iRules work great for POP3 and IMAP session persistence, but unfortunately that doesn’t work for SMTP and Dovecot LDA, so we still have possible race conditions from the MTAs delivering into “INBOX” (mostly dovecot indexes updating at the same time).

So the big question is, who is using Dovecot with maildirs on NFSv4 mounts? What has your experience been? Are you using delegation? By choice, and why did you come to that decision?

I’m drawing the conclusion that if you can *mostly* control client access to specific files (ie: directing access to a mailbox to come from one client), then delegation might be ok. However, if you’re not using director and have several NFS mail clients racing to access mailboxes, then delegation might turn into chaos.

Your comments welcome and appreciated.

--
Robert
inoc.net!rblayzor
XMPP: rblayzor.AT.inoc.net
PGP Key: 78BEDCE1 @ pgp.mit.edu
Re: Dict protocol changes string
On 29.07.2016 15:35, Nagy, Attila wrote:
> Hi,
>
> I use pass and userdb with dict protocol in a similar way:
>
> key passdb {
>   key = passdb^MAuth-User: %u^MAuth-Pass: %w^MAuth-Protocol: %s^MClient-IP: %r
>   format = json
> }
>
> (^M is an \r character, inserted with vi CTRL-v + enter)
>
> Until 2.2.24 this has worked, but 2.2.25 seems to convert that ASCII
> 13 into an ASCII 1 and an "r".
>
> Python printout from what I get with 2.2.25:
>
> 'Lshared/passdb\x01rAuth-User: user\x01rAuth-Pass: pass\x01rAuth-Protocol: pop3\x01rClient-IP: 1.2.3.4'
>
> Is this change intentional? Why?

Hi!

Dict protocol escapes your newlines. You are expected to de-escape them yourself. The following escapes are done; you can de-escape them with your client.

    \x00 => \x10
    \x01 => \x11
    \t => \x1t
    \r => \x1r
    \n => \x1n

The change has been made to avoid breakage if newlines or NULLs are injected into the data.

Aki
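A client-side de-escaper for the scheme Aki lists, as an added example that is not part of the thread or of Dovecot's own code. It assumes the table means an \x01 prefix byte followed by one tag character (so "\x1r" is \x01 then 'r', which is what Attila's printout shows), and the sample lookup line is constructed from that printout.

```python
from typing import Dict, Tuple
# Dict protocol escaping as described in the thread: an \x01 prefix byte
# followed by one tag character. This tag -> byte table is my reading of
# Aki's list ("\x1r" meaning \x01 then 'r'); it matches the printout above.
ESCAPE_PREFIX = "\x01"
UNESCAPE_MAP = {"0": "\x00", "1": "\x01", "t": "\t", "r": "\r", "n": "\n"}
ESCAPE_MAP = {raw: tag for tag, raw in UNESCAPE_MAP.items()}
SAMPLE_LOOKUP = (  # constructed from the printout, trailing newline removed
    "Lshared/passdb\x01rAuth-User: user\x01rAuth-Pass: pass"
    "\x01rAuth-Protocol: pop3\x01rClient-IP: 1.2.3.4")

def dict_unescape(data: str) -> str:
    """Reverse the escaping. Unknown or dangling escapes raise instead of being
    dropped, so a corrupted line cannot silently turn into a different key."""
    out = []
    i = 0
    while i < len(data):
        ch = data[i]
        if ch != ESCAPE_PREFIX:
            out.append(ch)
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("dangling escape prefix at end of data")
        tag = data[i + 1]
        if tag not in UNESCAPE_MAP:
            raise ValueError("unknown dict escape tag %r" % tag)
        out.append(UNESCAPE_MAP[tag])
        i += 2
    return "".join(out)

def dict_escape(data: str) -> str:
    """Forward direction, for a client that sends keys or values to the server."""
    return "".join(ESCAPE_PREFIX + ESCAPE_MAP[c] if c in ESCAPE_MAP else c
                   for c in data)

def parse_lookup(line: str) -> Tuple[str, Dict[str, str]]:
    """Split an 'L<key>' lookup line into the key and the CR-separated
    'Name: value' fields that the passdb key above packs into it."""
    if not line.startswith("L"):
        raise ValueError("not a dict lookup line")
    key, *fields = dict_unescape(line[1:]).split("\r")
    parsed = {}
    for field in fields:
        name, sep, value = field.partition(": ")
        if not sep:
            raise ValueError("malformed field %r" % field)
        parsed[name] = value
    return key, parsed
```

Running `parse_lookup(SAMPLE_LOOKUP)` yields the key "shared/passdb" and the four Auth-*/Client-IP fields, which is the point of the escaping: the \r bytes inside the key travel as \x01r so they cannot be mistaken for protocol line endings.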