Re: Postfix and Dovecot SASL: log NTLM username

2017-05-22 Thread Aki Tuomi
The problem is that the SASL message contains NTLM(v2) message, so it
would need to be decoded. We can see if there is something we can do
about this. At the moment it's not possible to log this.

Aki


On 23.05.2017 03:23, Bradley Giesbrecht wrote:
> dovecot 2.2.22
> postfix 3.1.1
>
> I’m seeing "SASL NTLM authentication failed: {long_hash}" in mail.log.
>
> Is there a way to log the SASL username?
>
> I think postfix is logging what Dovecot SASL is returning so I hope I am 
> asking on the right list.
>
>
> Regards,
> Bradley Giesbrecht (pixilla)
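
What "decoded" involves in the reply above, as an added example that is not code from this thread or from Dovecot: a parser for a base64 NTLMSSP blob that reports the message type and, for a Type 3 (AUTHENTICATE) message, the user, domain and workstation fields. It assumes the logged or captured value is a base64 NTLMSSP message; all function names and the sample message are constructed for illustration, and a Type 2 challenge contains no user name at all.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001           # NegotiateFlags bit: strings are UTF-16LE
TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
# Offsets of the (len, maxlen, offset) descriptors in a Type 3 message.
TYPE3_FIELDS = {"domain": 28, "user": 36, "workstation": 44}
TYPE3_FLAGS_OFFSET = 60


class NTLMDecodeError(ValueError):
    """Raised when the blob is not a well-formed NTLMSSP message."""


def _field(msg, descriptor_offset):
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, descriptor_offset)
    if offset + length > len(msg):       # never trust client-supplied offsets
        raise NTLMDecodeError("field points outside the message")
    return msg[offset:offset + length]


def decode_ntlm_blob(b64_blob):
    """Return message type plus user/domain/workstation (None unless Type 3)."""
    try:
        msg = base64.b64decode(b64_blob, validate=True)
    except ValueError as exc:            # binascii.Error is a ValueError
        raise NTLMDecodeError("not valid base64") from exc
    if len(msg) < 12 or not msg.startswith(SIGNATURE):
        raise NTLMDecodeError("missing NTLMSSP signature")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    info = {"type": TYPES.get(msg_type, "UNKNOWN"),
            "user": None, "domain": None, "workstation": None}
    if msg_type != 3:
        return info                      # Type 1/2 carry no user name
    if len(msg) < TYPE3_FLAGS_OFFSET + 4:
        raise NTLMDecodeError("truncated AUTHENTICATE message")
    (flags,) = struct.unpack_from("<I", msg, TYPE3_FLAGS_OFFSET)
    # latin-1 stands in for the unknown OEM code page (assumption).
    codec = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"
    for name, offset in TYPE3_FIELDS.items():
        info[name] = _field(msg, offset).decode(codec, errors="replace")
    return info


def safe_for_log(value):
    """Escape non-printable characters so a hostile name cannot forge log lines."""
    return "".join(c if c.isprintable() else "\\u%04x" % ord(c) for c in value)


def build_sample_authenticate(user, domain, workstation):
    """Constructed test input: Type 3 message with empty LM/NT responses."""
    values = [b"", b"", domain.encode("utf-16-le"), user.encode("utf-16-le"),
              workstation.encode("utf-16-le"), b""]
    descriptors, payload = b"", b""
    for value in values:
        descriptors += struct.pack("<HHI", len(value), len(value), 64 + len(payload))
        payload += value
    header = SIGNATURE + struct.pack("<I", 3) + descriptors
    return base64.b64encode(header + struct.pack("<I", NEGOTIATE_UNICODE)
                            + payload).decode("ascii")


if __name__ == "__main__":
    blob = build_sample_authenticate("pixilla-test", "EXAMPLE", "WS01")
    info = decode_ntlm_blob(blob)
    print("type=%s user=%s domain=%s" % (
        info["type"], safe_for_log(info["user"]), safe_for_log(info["domain"])))
```

The user name is client-supplied and unauthenticated at this point, so it is escaped with `safe_for_log` before being written anywhere.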


Postfix and Dovecot SASL: log NTLM username

2017-05-22 Thread Bradley Giesbrecht
dovecot 2.2.22
postfix 3.1.1

I’m seeing "SASL NTLM authentication failed: {long_hash}" in mail.log.

Is there a way to log the SASL username?

I think postfix is logging what Dovecot SASL is returning so I hope I am asking 
on the right list.


Regards,
Bradley Giesbrecht (pixilla)


Re: Dovecot pop3 feature

2017-05-22 Thread A. Schulze


On 22.05.2017 at 14:07, Markus Eckerl wrote:
> Is it possible to send a pop3 "LOGIN-DELAY" if the customers last login is 
> only a few seconds away? 

you may try postlogin script voodoo:
https://wiki.dovecot.org/PostLoginScripting#Last-login_tracking
https://wiki.dovecot.org/PostLoginScripting#Denying_connection_from_some_IP.2FUser

Andreas


Re: Configuration is not working with Thunderbird

2017-05-22 Thread Quark
I did all this & it still gives the same error.  I have connected with 
my android phone with no security with my current setup, however I still 
get the same error message from Dovecot.


May 22 08:54:30 ** dovecot: imap-login: Aborted login (no auth 
attempts in 0 secs): user=<>, rip=***, lip=***, 
session=<***>


I've tried to do all sorts of changes in the way that I attempt to login 
via Thunderbird & it gives me the same error.


Any suggestion on how to get Thunderbird to login?

On 05/22/2017 09:26 AM, Aki Tuomi wrote:
> > On May 22, 2017 at 4:03 PM Quark  wrote:
> >
> > So, I have this error now:
> >
> > May 22 08:54:30 ** dovecot: imap-login: Aborted login (no auth
> > attempts in 0 secs): user=<>, rip=***, lip=***,
> > session=<***>
> >
> > I found this:  https://wiki2.dovecot.org/WhyDoesItNotWork
> >
> > I have this set in my dovecot.conf: disable_plaintext_auth=yes
>
> Do you have auth_mechanisms set? That seems to indicate that the client wasn't 
> happy about the provided authentication options, or you forgot to use STARTTLS 
> with port 143.
>
> Try setting auth_mechanisms = plain login and see if it helps.
>
> Aki
>
> > Same error, even when I try to connect port 143 instead of ssl (993).
> > Any suggestions on what I can do now?
> >
> > On 05/22/2017 02:00 AM, Aki Tuomi wrote:
> > >
> > > On 21.05.2017 20:48, Quark wrote:
> > >> Hi, I'm new to the list (and postfix / dovecot), so if I mistakenly
> > >> omit something, then please forgive me.
> > >>
> > >> I cannot log into Thunderbird via IMAP with my configuration. However,
> > >> I can check the mail of each user by logging into their user account &
> > >> then using the "mail" command.  Is there something that is wrong with
> > >> my config to not allow me to log into Thunderbird (Version 52.1.1)?
> > >> I'm using Postfix 3.1.0 if that helps.  Any help would be greatly
> > >> appreciated.  Thanks!
> > >>
> > > Please turn on
> > >
> > > auth_debug=yes
> > >
> > > and inspect your logs, such as /var/log/syslog or similar, and see what
> > > you can find or alternatively post them to list (not the whole log file,
> > > mind).
> > >
> > > Aki


Re: Backing up and restoring maildir folders

2017-05-22 Thread Leonardo Rodrigues


Backing up maildir is easy, just backup (and restore) the whole 
thing and, usually, that's as simple as that.


However, for saving some backup space if that's a matter, i would 
exclude only the 'dovecot.index.cache*' files, as these can be rebuilt 
(some performance hit after the restore, of course) but, in some 
servers, that makes almost a 10% difference to me.


Besides the cache files, you really should backup everything inside 
the maildir folders.



On 22/05/17 13:40, Timothy D Legg wrote:

Hello,

I am migrating to a different distribution of  Linux that involves
changing to an earlier version of dovecot (2.2.22 to 2.2.13).  As part of
this process, I will be copying several maildirs to the new machine.  One
of these has a number of files and directories that resemble this one
example:



--


Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

My SPAMTRAP, do not email it
gertru...@solutti.com.br


Backing up and restoring maildir folders

2017-05-22 Thread Timothy D Legg
Hello,

I am migrating to a different distribution of  Linux that involves
changing to an earlier version of dovecot (2.2.22 to 2.2.13).  As part of
this process, I will be copying several maildirs to the new machine.  One
of these has a number of files and directories that resemble this one
example:

cur/
dovecot.index
dovecot.index.cache
dovecot.index.log
dovecot.mailbox.log
dovecot-uidlist
dovecot-uidvalidity
dovecot-uidvalidity.59206030
.Drafts/
new/
.Sent/
subscriptions
tmp/
.Trash/

Is it good enough to simply stop dovecot and tar this folder, and others
like it, and copy them back to a similar location on the new installation?
 I haven't yet seen anything that resembles an official or standardized
backup/recovery method for dovecot.

With thanks and appreciation,

Tim Legg


core from 2.2.29.1

2017-05-22 Thread Luciano Mannucci
I've got this in my logfile, should I worry?

May 19 14:45:04 imap(liscia_mcs): Panic: file mail-index-transaction-update.c: 
line 19 (mail_index_transaction_lookup): assertion failed: (seq >= 
t->first_new_seq && seq <= t->last_new_seq)
May 19 14:45:04 imap(liscia_mcs): Error: Raw backtrace: 
/usr/lib/dovecot/libdovecot.so.0(+0x9cd16) [0xb7568d16] -> 
/usr/lib/dovecot/libdovecot.so.0(+0x9cd9f) [0xb7568d9f] -> 
/usr/lib/dovecot/libdovecot.so.0(i_fatal+0) [0xb74f204e] -> 
/usr/lib/dovecot/libdovecot-storage.so.0(+0xe3ebf) [0xb76b7ebf] -> 
/usr/lib/dovecot/libdovecot-storage.so.0(+0xe730c) [0xb76bb30c] -> 
/usr/lib/dovecot/libdovecot-storage.so.0(mail_index_lookup_uid+0x1d) 
[0xb76bf47d] -> 
/usr/lib/dovecot/libdovecot-storage.so.0(mail_cache_decision_state_update+0xac) 
[0xb769ff8c] -> 
/usr/lib/dovecot/libdovecot-storage.so.0(mail_cache_lookup_headers+0x7f) 
[0xb76a23bf] -> /usr/lib/dovecot/libdovecot-storage.so.0(+0xb2898) [0xb7686898] 
-> /usr/lib/dovecot/libdovecot-storage.so.0(index_mail_get_first_header+0xbf) 
[0xb768723f] -> 
/usr/lib/dovecot/libdovecot-storage.so.0(mail_get_first_header+0x45) 
[0xb7601e95] -> /usr/lib/dovecot/libdovecot-storage.so.0(+0xb4fc1) [0xb7688fc1] 
-> /usr/lib/dovecot/libdovecot-storage.so.0(+0xb518f) [0xb768918f] -> 
/usr/lib/dovecot/libdovecot-storage.so.0(index_mail_close+0x136) [0xb76896e6] 
-> /usr/lib/dovecot/libdovecot-storage.so.0(mailbox_save_cancel+0x6c) 
[0xb761085c] -> dovecot/imap() [0x8052e1d] -> dovecot/imap() [0x805303c] -> 
/usr/lib/dovecot/libdovecot.so.0(io_loop_call_io+0x67) [0xb7580997] -> 
/usr/lib/dovecot/libdovecot.so.0(io_loop_handler_run_internal+0xeb) 
[0xb75823ab] -> /usr/lib/dovecot/libdovecot.so.0(io_loop_handler_run+0x45) 
[0xb7580a55] -> /usr/lib/dovecot/libdovecot.so.0(io_loop_run+0x48) [0xb7580c18] 
-> /usr/lib/dovecot/libdovecot.so.0(master_service_run+0x2d) [0xb74fd1ad] -> 
dovecot/imap(main+0x344) [0x806dbc4] -> /lib/libc.so.6(__libc_start_main+0xfe) 
[0xb7357c2e]
May 19 14:45:04 imap(liscia_mcs): Fatal: master: service(imap): child 24082 
killed with signal 6 (core dumped)

Here is my doveconf -n:

# 2.2.29.1 (e0b76e3): /usr/local/etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.17 (e179378)
# OS: Linux 3.0.101-105-pae i686 openSUSE 11.4 (i586) ext3
auth_cache_size = 3 k
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_verbose = yes
default_client_limit = 1249
default_vsz_limit = 712 M
disable_plaintext_auth = no
first_valid_gid = 0
first_valid_uid = 100
info_log_path = /var/log/dovecot/logfile.info
listen = *
log_path = /var/log/dovecot/logfile
login_greeting = Dovecot at Baobab ready.
login_trusted_networks = 127.0.0.0/8 212.45.144.0/24 192.168.134.0/24
mail_location = 
mbox:/var/spool/mailboxes/%u:INBOX=/var/spool/mail/%u:DIRNAME=mbox:INDEX=/var/dovecot_indexes/%u
maildir_copy_with_hardlinks = no
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character 
vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy 
include variables body enotify environment mailbox date index ihave duplicate 
mime foreverypart extracttext
mbox_lock_timeout = 443 secs
namespace {
  inbox = yes
  location = 
  prefix = 
  separator = .
  type = private
}
passdb {
  driver = pam
}
plugin {
  mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
  mail_log_fields = uid box msgid size
}
protocols = pop3 imap
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  user = root
}
service imap-login {
  inet_listener imaps {
    address = *
  }
  process_limit = 512
}
service pop3-login {
  chroot = 
  executable = pop3-login -D
  inet_listener pop3s {
    address = *
  }
  process_limit = 512
}
ssl_ca = http://www.lesassaie.IT/


Re: Configuration is not working with Thunderbird

2017-05-22 Thread Aki Tuomi

> On May 22, 2017 at 4:03 PM Quark  wrote:
> 
> 
> So, I have this error now:
> 
> May 22 08:54:30 ** dovecot: imap-login: Aborted login (no auth 
> attempts in 0 secs): user=<>, rip=***, lip=***, 
> session=<***>
> 
> I found this:  https://wiki2.dovecot.org/WhyDoesItNotWork
> 
> I have this set in my dovecot.conf: disable_plaintext_auth=yes
> 

Do you have auth_mechanisms set? That seems to indicate that the client wasn't 
happy about the provided authentication options, or you forgot to use STARTTLS 
with port 143.

Try setting auth_mechanisms = plain login and see if it helps.

Aki

> Same error, even when I try to connect port 143 instead of ssl (993).  
> Any suggestions on what I can do now?
> 
> On 05/22/2017 02:00 AM, Aki Tuomi wrote:
> >
> > On 21.05.2017 20:48, Quark wrote:
> >> Hi, I'm new to the list (and postfix / dovecot), so if I mistakenly
> >> omit something, then please forgive me.
> >>
> >> I cannot log into Thunderbird via IMAP with my configuration. However,
> >> I can check the mail of each user by logging into their user account &
> >> then using the "mail" command.  Is there something that is wrong with
> >> my config to not allow me to log into Thunderbird (Version 52.1.1)?
> >> I'm using Postfix 3.1.0 if that helps.  Any help would be greatly
> >> appreciated.  Thanks!
> >>
> > Please turn on
> >
> > auth_debug=yes
> >
> > and inspect your logs, such as /var/log/syslog or similar, and see what
> > you can find or alternatively post them to list (not the whole log file,
> > mind).
> >
> > Aki


Re: Configuration is not working with Thunderbird

2017-05-22 Thread Quark

So, I have this error now:

May 22 08:54:30 ** dovecot: imap-login: Aborted login (no auth 
attempts in 0 secs): user=<>, rip=***, lip=***, 
session=<***>


I found this:  https://wiki2.dovecot.org/WhyDoesItNotWork

I have this set in my dovecot.conf: disable_plaintext_auth=yes

Same error, even when I try to connect port 143 instead of ssl (993).  
Any suggestions on what I can do now?


On 05/22/2017 02:00 AM, Aki Tuomi wrote:
>
> On 21.05.2017 20:48, Quark wrote:
>> Hi, I'm new to the list (and postfix / dovecot), so if I mistakenly
>> omit something, then please forgive me.
>>
>> I cannot log into Thunderbird via IMAP with my configuration. However,
>> I can check the mail of each user by logging into their user account &
>> then using the "mail" command.  Is there something that is wrong with
>> my config to not allow me to log into Thunderbird (Version 52.1.1)?
>> I'm using Postfix 3.1.0 if that helps.  Any help would be greatly
>> appreciated.  Thanks!
>>
> Please turn on
>
> auth_debug=yes
>
> and inspect your logs, such as /var/log/syslog or similar, and see what
> you can find or alternatively post them to list (not the whole log file,
> mind).
>
> Aki


Dovecot pop3 feature

2017-05-22 Thread Markus Eckerl

Hi all,

We have been using dovecot for several years without any problems or trouble.

Now we are having trouble with a few of our customers - they are trying 
to fetch their emails every few seconds (3-5!). These customers are 
using Microsoft Exchange Server and also all of these customers are 
cared for by the same IT Professional...


Is it possible to send a pop3 "LOGIN-DELAY" if the customers last login 
is only a few seconds away? A simple firewall rule for rate limiting is 
not possible because most of them are business customers and they are 
connected using NAT.


In RFC2449 I read that the pop3 capability "LOGIN-DELAY" exists. But it seems that 
dovecot does not offer this? Why?


Kind regards

Markus


Using Dovecot for a Geo-replicated World-wide Email Service

2017-05-22 Thread Lennart Oldenburg
Hello everyone,

my colleagues and I from Technische Universität Berlin are currently
looking into the best way to setup a Dovecot-powered email service that
is simultaneously accessible world-wide and still provides short
response times by redirecting users to the geographically-closest
cluster. We imagine the setup to make use of multiple data center
regions in public clouds around the world, e.g. in Amazon Web Services
(AWS) or Google Compute Platform (GCP). At the same time, state is
considered to be shared, i.e. changes made on file system in any local
cluster will have to be synchronized with all other clusters around the
globe (mailbox replication) and mailboxes might be manipulated from any
data center in the world, potentially at the same time. Naturally,
problems arise. We have multiple questions and would be very interested
in the best way to approach them based on your experiences and
recommendations:

1) Which path should we take replication-wise? Please keep in mind that
we are targeting replication between more than 2 clusters.
Traditionally, in a rather small local setup with mostly reliable
network, a distributed file system such as NFS or GlusterFS might be the
best option. Unfortunately, though, when scaling to more than 2 data
centers geographically-distributed around the globe, latency becomes
severe and distributed file systems might not be the way to go anymore.
What is your recommendation for replicating state?

2) We are mostly interested in providing short response times to client
requests while maintaining global state consistency (that is, avoiding
conflicts in state and not losing any user data). What are your
recommendations in that direction? Any particular performance
optimizations we could apply to Dovecot?

3) Is there a recommended way to measure and monitor Dovecot's service
quality? For example, is there a way to export "live" metrics of a
running Dovecot deployment to something such as Prometheus
(https://prometheus.io)?

4) Maildir as the way to represent mailboxes and deliver emails on file
system is kind of a given. I wonder, though, how well is dbox
replicatable? What happens when dbox files are synchronized (e.g. via
dsync) and a conflict arises? Does dbox offer a performance improvement
over Maildir?

5) We perceive Dovecot to come with many optimizations to speed up
"read" IMAP commands, i.e. non-state-changing ones. Is this perception
correct? Or is Dovecot able to use its various index and log files for
fast "write" IMAP commands (e.g. CREATE, DELETE, RENAME, APPEND, STORE,
...) as well?

6) Would DovecotPRO by Dovecot Oy offer any advantage to state
replication? For example, could the Object Storage Plugin be used to
replicate mailboxes through some object store service offered world-wide?

7) Is the setup we have in mind based on Dovecot a feasible solution for
world-wide email comparable to services like Gmail? If not, what would
you change or not do at all?

Please excuse if some questions might be of rather basic nature, we are
not at all Dovecot experts. I tried to gather as much information on
that topic as possible from the wiki and sources found online but I
might have missed an important page. In that case, please point me
towards existing resources on the questions raised above.


Thanks in advance and kind regards,
Lennart Oldenburg



Re: Sender address when notifying original recipient

2017-05-22 Thread Stephan Bosch



On 22-5-2017 at 9:07, Christoph Pleger wrote:

Hello,

I am using sieve with notification of the original recipient in the case
that an email has been identified to contain a virus. After upgrading
dovecot from 2.2.21 to 2.2.29.1, I now detected that in these
notifications, their sender address is now , instead of
, like it was before.

Is it possible to revert to the old format?


No idea so far? Though I forgot to write that I also updated
pigeonhole, the change in the format of the sender address must be
caused by the updates, for I changed nothing else on my server.


That looks like a bug of some sort. What is your configuration (output
from `dovecot -n`)? What exact Sieve script demonstrates this behavior?


The output of 'dovecot -n' is attached.

The sieve script is:

if header :is "X-Virus-Status" "Yes"
{
discard;
notify :method "mailto" :options "christ...@plmail.de" :high :message 
"Hallo,


$env-from$ hat Ihnen eine Nachricht von $from$ mit dem Betreff 
$subject$ gesendet, die vom Virenscanner als infiziert erkannt und 
daher gelöscht wurde.


Mit freundlichen Grüßen
  postmas...@plmail.de";

stop;
}


This looks like a bug to me. For now, you can circumvent this by 
specifying the postmaster_address setting explicitly.


Regards,

Stephan.


Re: Sender address when notifying original recipient

2017-05-22 Thread Christoph Pleger

Hello,

I am using sieve with notification of the original recipient in the case
that an email has been identified to contain a virus. After upgrading
dovecot from 2.2.21 to 2.2.29.1, I now detected that in these
notifications, their sender address is now , instead of
, like it was before.

Is it possible to revert to the old format?


No idea so far? Though I forgot to write that I also updated
pigeonhole, the change in the format of the sender address must be
caused by the updates, for I changed nothing else on my server.


That looks like a bug of some sort. What is your configuration (output
from `dovecot -n`)? What exact Sieve script demonstrates this behavior?


The output of 'dovecot -n' is attached.

The sieve script is:

if header :is "X-Virus-Status" "Yes"
{
discard;
notify :method "mailto" :options "christ...@plmail.de" :high :message 
"Hallo,


$env-from$ hat Ihnen eine Nachricht von $from$ mit dem Betreff $subject$ 
gesendet, die vom Virenscanner als infiziert erkannt und daher gelöscht 
wurde.


Mit freundlichen Grüßen
  postmas...@plmail.de";

stop;
}

Regards
  Christoph
# 2.2.29.1 (e0b76e3): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.devel (403042e)
# OS: Linux 3.16.0-4-armmp armv7l Debian 8.7 
auth_mechanisms = plain login
auth_username_format = %Ln
dict {
  expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
}
disable_plaintext_auth = no
first_valid_uid = 200
last_valid_uid = 200
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c %k
mail_gid = vmail
mail_location = mdbox:~/mdbox
mail_plugins = " expire fts fts_lucene"
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character 
vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy 
include variables body enotify environment mailbox date index ihave duplicate 
mime foreverypart extracttext notify
namespace {
  inbox = yes
  location = 
  mailbox {
special_use = \Drafts
name = Drafts
  }
  mailbox {
special_use = \Junk
name = Junk
  }
  mailbox {
special_use = \Sent
name = Sent
  }
  mailbox {
special_use = \Sent
name = Sent Messages
  }
  mailbox {
special_use = \Trash
name = Trash
  }
  prefix = 
  name = inbox
}
passdb {
  args = scheme=SHA512-CRYPT username_format=%u /etc/dovecot/databases/users
  driver = passwd-file
}
plugin {
  antispam_backend = SPOOL2DIR
  antispam_spam = Spam
  antispam_spool2dir_notspam = %h/ham/%%020lu-%%05lu
  antispam_spool2dir_spam = %h/spam/%%020lu-%%05lu
  antispam_trash = Trash
  deleted_to_trash_folder = Trash
  expire = Spam
  expire2 = Trash
  expire_dict = proxy::expire
  fts = lucene
  fts_lucene = whitespace_chars=@. no_snowball
  sieve = file:~/sieve;active=~/.dovecot.sieve
  sieve_extensions = +notify
}
protocols = " imap lmtp sieve"
service replication-notify-fifo {
  name = aggregator
}
service anvil-auth-penalty {
  name = anvil
}
service auth-worker {
  name = auth-worker
}
service {
  unix_listener {
group = postfix
mode = 0660
user = postfix
path = /var/spool/postfix/private/auth
  }
  name = auth
}
service config {
  name = config
}
service dict-async {
  name = dict-async
}
service {
  unix_listener {
group = vmail
mode = 0660
user = vmail
path = dict
  }
  name = dict
}
service login/proxy-notify {
  name = director
}
service dns-client {
  name = dns_client
}
service doveadm-server {
  name = doveadm
}
service imap-hibernate {
  name = imap-hibernate
}
service {
  inet_listener {
address = 127.0.0.1
port = 143
name = imap
  }
  inet_listener {
port = 993
ssl = yes
name = imaps
  }
  vsz_limit = 128 M
  name = imap-login
}
service imap-urlauth {
  name = imap-urlauth-login
}
service imap-urlauth-worker {
  name = imap-urlauth-worker
}
service token-login/imap-urlauth {
  name = imap-urlauth
}
service {
  process_limit = 256
  vsz_limit = 256 M
  name = imap
}
service indexer-worker {
  name = indexer-worker
}
service indexer {
  name = indexer
}
service ipc {
  name = ipc
}
service {
  inet_listener {
address = 127.0.0.1
port = 10026
name = lmtp
  }
  unix_listener {
group = dspam
mode = 0660
user = root
path = lmtp
  }
  name = lmtp
}
service log-errors {
  name = log
}
service {
  inet_listener {
address = 127.0.0.1
port = 4190
name = sieve
  }
  vsz_limit = 64 M
  name = managesieve-login
}
service {
  process_limit = 128
  name = managesieve
}
service {
  inet_listener {
port = 0
name = pop3
  }
  inet_listener {
port = 0
ssl = yes
name = pop3s
  }
  name = pop3-login
}
service login/pop3 {
  name = pop3
}
service replicator-doveadm {
  name = replicator
}
service login/ssl-params {
  name = ssl-params
}
service stats-mail {
  name = stats
}
ssl_cert = 

Re: Configuration is not working with Thunderbird

2017-05-22 Thread Aki Tuomi


On 21.05.2017 20:48, Quark wrote:
> Hi, I'm new to the list (and postfix / dovecot), so if I mistakenly
> omit something, then please forgive me.
>
> I cannot log into Thunderbird via IMAP with my configuration. However,
> I can check the mail of each user by logging into their user account &
> then using the "mail" command.  Is there something that is wrong with
> my config to not allow me to log into Thunderbird (Version 52.1.1)? 
> I'm using Postfix 3.1.0 if that helps.  Any help would be greatly
> appreciated.  Thanks!
>

Please turn on

auth_debug=yes

and inspect your logs, such as /var/log/syslog or similar, and see what
you can find or alternatively post them to list (not the whole log file,
mind).

Aki