Re: Can Dovecot replace fetchmail?

2017-07-13 Thread Andrzej A. Filip
Peter Chiochetti  wrote:
> Am 2017-07-13 um 09:34 schrieb Kenneth Porter:
>> I'm using fetchmail to grab mail for multiple accounts from an
>> external IMAP server and drop it into local mailboxes via SMTP. It
>> polls the remote server every two minutes. Can Dovecot replace this
>> functionality more elegantly, using IDLE to avoid the polling
>> necessary with fetchmail? I'd like to designate that mail for
>> specific accounts on the external server be moved to specific local
>> mailboxes.
>
> Just in case: fetchmail can /idle/ on an IMAP server as well, though
> with multiple accounts that needs some tuning, see
> eg. https://bugs.launchpad.net/bugs/1021699 or
> http://fnxweb.com/blog/2012/07/14/using-multiple-fetchmail-instances-for-instant-gratification/

fetchmail 6.3.4 supports an option for the pid-file location.
It simplifies the configuration.

-- 
A. Filip


passwd-file, getting invalid uid 0

2017-07-13 Thread Larry Rosenman
Per my earlier post about system and virtual users, I have everything working,
but I'm seeing the following message, and wondering:
1) does it matter?
2) is there a way to suppress it?

I have an Exim /etc/aliases entry that sends root to me.

Jul 13 14:38:47 thebighonker dovecot: auth-worker(13055): Error: passwd-file /etc/passwd: User root has invalid UID '0'

doveconf -n:

# 2.2.31 (65cde28): /usr/local/etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.19 (e5c7051)
# OS: FreeBSD 11.1-PRERELEASE amd64  
auth_mechanisms = plain login
auth_realms = lerctr.org thebighonker.lerctr.org tbh.lerctr.org 
thejonesonair.com thejonesonair.net
default_vsz_limit = 1 G
deliver_log_format = msgid=%m: %$ (subject=%s from=%f size=%w)
doveadm_password =  # hidden, use -P to show it
lda_mailbox_autocreate = yes
listen = 192.147.25.65, ::
lmtp_save_to_detail_mailbox = yes
login_access_sockets = tcpwrap
mail_attribute_dict = file:%h/mail/.imap/dovecot-mail-attributes
mail_location = mbox:~/mail:INBOX=~/mail/INBOX
mail_log_prefix = "%s(%u/%p): "
mail_plugins = " fts fts_solr notify stats virtual"
mail_privileged_group = mail
mail_server_admin = mailto:l...@lerctr.org
mail_server_comment = LERCTR Mail Server
mailbox_list_index = yes
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character 
vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy 
include variables body enotify environment mailbox date index ihave duplicate 
mime foreverypart extracttext vacation-seconds editheader mboxmetadata 
servermetadata imapsieve vnd.dovecot.imapsieve
namespace archive {
  hidden = no
  list = no
  location = mbox:~/MAIL-ARCHIVE
  prefix = ARCHIVE/
  separator = /
}
namespace inbox {
  inbox = yes
  location = 
  mailbox Drafts {
special_use = \Drafts
  }
  mailbox INBOX {
auto = create
  }
  mailbox SENT {
special_use = \Sent
  }
  mailbox SPAM {
special_use = \Junk
  }
  mailbox "Sent Messages" {
special_use = \Sent
  }
  mailbox Trash {
special_use = \Trash
  }
  mailbox virtual/Flagged {
special_use = \Flagged
  }
  mailbox virtual/all {
special_use = \All
  }
  prefix = 
}
namespace virtual {
  hidden = no
  list = yes
  location = virtual:~/MAIL-VIRTUAL:INDEX=MEMORY
  prefix = Virtual/
  separator = /
}
passdb {
  args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
passdb {
  args = user=%Ln noauthenticate
  driver = static
  skip = authenticated
}
passdb {
  args = failure_show_msg=yes session=yes max_requests=20
  driver = pam
  skip = authenticated
}
plugin {
  fts = solr
  fts_autoindex = yes
  fts_solr = url=http://thebighonker.lerctr.org:8983/solr/dovecot/
  fts_tika = http://localhost:9998/tika/
  imapsieve_mailbox1_before = 
file:/usr/local/share/dovecot-pigeonhole/sieve/report-spam.sieve
  imapsieve_mailbox1_causes = COPY
  imapsieve_mailbox1_name = SPAM
  imapsieve_mailbox2_before = 
file:/usr/local/share/dovecot-pigeonhole/sieve/report-ham.sieve
  imapsieve_mailbox2_causes = COPY
  imapsieve_mailbox2_from = SPAM
  imapsieve_mailbox2_name = *
  imapsieve_url = sieve://thebighonker.lerctr.org
  mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename 
flag_change append
  mail_log_fields = uid box msgid size from subject vsize flags
  recipient_delimiter = +
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
  sieve_execute_bin_dir = /usr/local/share/dovecot-pigeonhole/sieve
  sieve_extensions = +editheader +vacation-seconds +mboxmetadata +servermetadata
  sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.execute
  sieve_pipe_bin_dir = /usr/local/share/dovecot-pigeonhole/sieve
  sieve_plugins = sieve_imapsieve sieve_extprograms
  stats_command_min_time = 1 mins
  stats_domain_min_time = 12 hours
  stats_ip_min_time = 12 hours
  stats_memory_limit = 16 M
  stats_refresh = 5s
  stats_session_min_time = 15 mins
  stats_track_cmds = yes
  stats_user_min_time = 1 hours
}
protocols = imap pop3 lmtp sieve
service auth {
  unix_listener auth-client {
mode = 0666
  }
  unix_listener auth-master {
mode = 0666
  }
}
service doveadm {
  inet_listener http {
port = 8080
ssl = yes
  }
}
service indexer-worker {
  drop_priv_before_exec = yes
}
service lmtp {
  inet_listener lmtp {
address = 127.0.0.1
port = 24
  }
}
service managesieve-login {
  inet_listener sieve {
port = 4190
  }
  inet_listener sieve_deprecated {
port = 2000
  }
}
service stats {
  chroot = empty
  client_limit = 0
  drop_priv_before_exec = no
  executable = stats
  extra_groups = 
  fifo_listener stats-mail {
group = 
mode = 0666
user = 
  }
  fifo_listener stats-user {
group = 
mode = 0666
user = 
  }
  group = 
  idle_kill = 4294967295 secs
  privileged_group = 
  process_limit = 1
  process_min_avail = 0
  protocol = 
  service_count = 0
  type = 
  unix_listener stats {
group = 
mode = 0666
user = 
  }
  user = $default_internal_user
  

Re: System users lookup via PAM: strip the domain name?

2017-07-13 Thread Larry Rosenman
Bingo, that works well.

Might it be useful to document this on the Wiki?

(some of the constructs used aren't real clear there).

-- 

Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: larry...@gmail.com
US Mail: 17716 Limpia Crk, Round Rock, TX 78664-7281

From: Larry Rosenman 
Date: Thursday, July 13, 2017 at 6:36 AM
To: Aki Tuomi , Dovecot List 
Subject: Re: System users lookup via PAM: strip the domain name?


Ok, I was half awake when I typed that

Sent from my Sprint Samsung Galaxy S8+.

-------- Original message --------
From: Aki Tuomi
Date: 7/13/17 6:19 AM (GMT-06:00)
To: Dovecot List , Larry Rosenman
Subject: Re: System users lookup via PAM: strip the domain name?


No it's intentionally %Ln to convert user1@domain into user1 for PAM.

Aki

> On July 13, 2017 at 2:03 PM Larry Rosenman  wrote:
> 
> 
> Is the %Ln on the 2nd passdb supposed to be a %Lu?
> 
> 
> Sent from my Sprint Samsung Galaxy S8+.
> -------- Original message --------
> From: Aki Tuomi
> Date: 7/13/17 4:43 AM (GMT-06:00)
> To: Dovecot List , Larry Rosenman
> Subject: Re: System users lookup via PAM: strip the domain name?
> No.
> 
> It's just a placeholder, like %u or %d.
> 
> Aki
> 
> > On July 13, 2017 at 10:57 AM Larry Rosenman  wrote:
> > 
> > 
> > Will %{original_username} set %d as well?
> > 
> > 
> > Sent from my Sprint Samsung Galaxy S8+.
> > -------- Original message --------
> > From: Aki Tuomi
> > Date: 7/13/17 12:34 AM (GMT-06:00)
> > To: Dovecot List , Larry Rosenman
> > Subject: Re: System users lookup via PAM: strip the domain name?
> > 
> > > On July 13, 2017 at 4:27 AM Larry Rosenman  wrote:
> > > 
> > > 
> > > I have a need for the following:
> > > 
> > > Real system users in /etc/{passwd,shadow} (actually PAM on FreeBSD)
> > > withOUT @domain in /etc/passwd
> > > 
> > > Virtual Users in SQL (with full user@domain in the DB)
> > > 
> > >  
> > > 
> > > When I have auth_username_format = %Ln I can’t auth the Virtual Users, 
> > > and if I have auth_username_format = %Lu I can’t auth System users. 
> > > 
> > >  
> > > 
> > > Is there a compromise somewhere?
> > > 
> > >
> > 
> > You could try using %{original_username} in SQL.
> > 
> > Or you can try removing the auth_username_format and instead
> > 
> > passdb {
> >   driver = sql
> >   args = ...
> > }
> > passdb {
> >   driver = static
> >   args = user=%Ln noauthenticate
> > # you can remove next line if you want to always normalize your usernames
> >   skip = authenticated
> > }
> > passdb {
> >   driver = pam
> >   args = ...
> >   skip = authenticated
> > }
> > 
> > Aki


passwd-file unknown user even if known

2017-07-13 Thread Ricardo Branco

I am seeing lots of passwd-file unknown user messages even when they are known
and they can log in.
I have several passwd files that are looked up with a deny file first. Could the
first check on the deny.%Ls file be generating this message, and then, when it
checks the next passdb driver, the user is found?

If so, is there a way to suppress the error message until all drivers have been
checked?


Re: System users lookup via PAM: strip the domain name?

2017-07-13 Thread Larry Rosenman
Ok, I was half awake when I typed that


Sent from my Sprint Samsung Galaxy S8+.
-------- Original message --------
From: Aki Tuomi
Date: 7/13/17 6:19 AM (GMT-06:00)
To: Dovecot List , Larry Rosenman
Subject: Re: System users lookup via PAM: strip the domain name?
No it's intentionally %Ln to convert user1@domain into user1 for PAM.

Aki

> On July 13, 2017 at 2:03 PM Larry Rosenman  wrote:
> 
> 
> Is the %Ln on the 2nd passdb supposed to be a %Lu?
> 
> 
> Sent from my Sprint Samsung Galaxy S8+.
> -------- Original message --------
> From: Aki Tuomi
> Date: 7/13/17 4:43 AM (GMT-06:00)
> To: Dovecot List , Larry Rosenman
> Subject: Re: System users lookup via PAM: strip the domain name?
> No.
> 
> It's just a placeholder, like %u or %d.
> 
> Aki
> 
> > On July 13, 2017 at 10:57 AM Larry Rosenman  wrote:
> > 
> > 
> > Will %{original_username} set %d as well?
> > 
> > 
> > Sent from my Sprint Samsung Galaxy S8+.
> > -------- Original message --------
> > From: Aki Tuomi
> > Date: 7/13/17 12:34 AM (GMT-06:00)
> > To: Dovecot List , Larry Rosenman
> > Subject: Re: System users lookup via PAM: strip the domain name?
> > 
> > > On July 13, 2017 at 4:27 AM Larry Rosenman  wrote:
> > > 
> > > 
> > > I have a need for the following:
> > > 
> > > Real system users in /etc/{passwd,shadow} (actually PAM on FreeBSD)
> > > withOUT @domain in /etc/passwd
> > > 
> > > Virtual Users in SQL (with full user@domain in the DB)
> > > 
> > >  
> > > 
> > > When I have auth_username_format = %Ln I can’t auth the Virtual Users, 
> > > and if I have auth_username_format = %Lu I can’t auth System users. 
> > > 
> > >  
> > > 
> > > Is there a compromise somewhere?
> > > 
> > >
> > 
> > You could try using %{original_username} in SQL.
> > 
> > Or you can try removing the auth_username_format and instead
> > 
> > passdb {
> >   driver = sql
> >   args = ...
> > }
> > passdb {
> >   driver = static
> >   args = user=%Ln noauthenticate
> > # you can remove next line if you want to always normalize your usernames
> >   skip = authenticated
> > }
> > passdb {
> >   driver = pam
> >   args = ...
> >   skip = authenticated
> > }
> > 
> > Aki


Re: System users lookup via PAM: strip the domain name?

2017-07-13 Thread Aki Tuomi
No it's intentionally %Ln to convert user1@domain into user1 for PAM.

Aki

> On July 13, 2017 at 2:03 PM Larry Rosenman  wrote:
> 
> 
> Is the %Ln on the 2nd passdb supposed to be a %Lu?
> 
> 
> Sent from my Sprint Samsung Galaxy S8+.
> -------- Original message --------
> From: Aki Tuomi
> Date: 7/13/17 4:43 AM (GMT-06:00)
> To: Dovecot List , Larry Rosenman
> Subject: Re: System users lookup via PAM: strip the domain name?
> No.
> 
> It's just a placeholder, like %u or %d.
> 
> Aki
> 
> > On July 13, 2017 at 10:57 AM Larry Rosenman  wrote:
> > 
> > 
> > Will %{original_username} set %d as well?
> > 
> > 
> > Sent from my Sprint Samsung Galaxy S8+.
> > -------- Original message --------
> > From: Aki Tuomi
> > Date: 7/13/17 12:34 AM (GMT-06:00)
> > To: Dovecot List , Larry Rosenman
> > Subject: Re: System users lookup via PAM: strip the domain name?
> > 
> > > On July 13, 2017 at 4:27 AM Larry Rosenman  wrote:
> > > 
> > > 
> > > I have a need for the following:
> > > 
> > > Real system users in /etc/{passwd,shadow} (actually PAM on FreeBSD)
> > > withOUT @domain in /etc/passwd
> > > 
> > > Virtual Users in SQL (with full user@domain in the DB)
> > > 
> > >  
> > > 
> > > When I have auth_username_format = %Ln I can’t auth the Virtual Users, 
> > > and if I have auth_username_format = %Lu I can’t auth System users. 
> > > 
> > >  
> > > 
> > > Is there a compromise somewhere?
> > > 
> > >
> > 
> > You could try using %{original_username} in SQL.
> > 
> > Or you can try removing the auth_username_format and instead
> > 
> > passdb {
> >   driver = sql
> >   args = ...
> > }
> > passdb {
> >   driver = static
> >   args = user=%Ln noauthenticate
> > # you can remove next line if you want to always normalize your usernames
> >   skip = authenticated
> > }
> > passdb {
> >   driver = pam
> >   args = ...
> >   skip = authenticated
> > }
> > 
> > Aki


Re: System users lookup via PAM: strip the domain name?

2017-07-13 Thread Larry Rosenman
Is the %Ln on the 2nd passdb supposed to be a %Lu?


Sent from my Sprint Samsung Galaxy S8+.
-------- Original message --------
From: Aki Tuomi
Date: 7/13/17 4:43 AM (GMT-06:00)
To: Dovecot List , Larry Rosenman
Subject: Re: System users lookup via PAM: strip the domain name?
No.

It's just a placeholder, like %u or %d.

Aki

> On July 13, 2017 at 10:57 AM Larry Rosenman  wrote:
> 
> 
> Will %{original_username} set %d as well?
> 
> 
> Sent from my Sprint Samsung Galaxy S8+.
> -------- Original message --------
> From: Aki Tuomi
> Date: 7/13/17 12:34 AM (GMT-06:00)
> To: Dovecot List , Larry Rosenman
> Subject: Re: System users lookup via PAM: strip the domain name?
> 
> > On July 13, 2017 at 4:27 AM Larry Rosenman  wrote:
> > 
> > 
> > I have a need for the following:
> > 
> > Real system users in /etc/{passwd,shadow} (actually PAM on FreeBSD) withOUT
> > @domain in /etc/passwd
> > 
> > Virtual Users in SQL (with full user@domain in the DB)
> > 
> >  
> > 
> > When I have auth_username_format = %Ln I can’t auth the Virtual Users, and 
> > if I have auth_username_format = %Lu I can’t auth System users. 
> > 
> >  
> > 
> > Is there a compromise somewhere?
> > 
> >
> 
> You could try using %{original_username} in SQL.
> 
> Or you can try removing the auth_username_format and instead
> 
> passdb {
>   driver = sql
>   args = ...
> }
> passdb {
>   driver = static
>   args = user=%Ln noauthenticate
> # you can remove next line if you want to always normalize your usernames
>   skip = authenticated
> }
> passdb {
>   driver = pam
>   args = ...
>   skip = authenticated
> }
> 
> Aki


Re: System users lookup via PAM: strip the domain name?

2017-07-13 Thread Aki Tuomi
No.

It's just a placeholder, like %u or %d.

Aki

> On July 13, 2017 at 10:57 AM Larry Rosenman  wrote:
> 
> 
> Will %{original_username} set %d as well?
> 
> 
> Sent from my Sprint Samsung Galaxy S8+.
> -------- Original message --------
> From: Aki Tuomi
> Date: 7/13/17 12:34 AM (GMT-06:00)
> To: Dovecot List , Larry Rosenman
> Subject: Re: System users lookup via PAM: strip the domain name?
> 
> > On July 13, 2017 at 4:27 AM Larry Rosenman  wrote:
> > 
> > 
> > I have a need for the following:
> > 
> > Real system users in /etc/{passwd,shadow} (actually PAM on FreeBSD) withOUT
> > @domain in /etc/passwd
> > 
> > Virtual Users in SQL (with full user@domain in the DB)
> > 
> >  
> > 
> > When I have auth_username_format = %Ln I can’t auth the Virtual Users, and 
> > if I have auth_username_format = %Lu I can’t auth System users. 
> > 
> >  
> > 
> > Is there a compromise somewhere?
> > 
> >
> 
> You could try using %{original_username} in SQL.
> 
> Or you can try removing the auth_username_format and instead
> 
> passdb {
>   driver = sql
>   args = ...
> }
> passdb {
>   driver = static
>   args = user=%Ln noauthenticate
> # you can remove next line if you want to always normalize your usernames
>   skip = authenticated
> }
> passdb {
>   driver = pam
>   args = ...
>   skip = authenticated
> }
> 
> Aki


Re: System users lookup via PAM: strip the domain name?

2017-07-13 Thread Larry Rosenman
Will %{original_username} set %d as well?


Sent from my Sprint Samsung Galaxy S8+.
-------- Original message --------
From: Aki Tuomi
Date: 7/13/17 12:34 AM (GMT-06:00)
To: Dovecot List , Larry Rosenman
Subject: Re: System users lookup via PAM: strip the domain name?

> On July 13, 2017 at 4:27 AM Larry Rosenman  wrote:
> 
> 
> I have a need for the following:
> 
> Real system users in /etc/{passwd,shadow} (actually PAM on FreeBSD) withOUT
> @domain in /etc/passwd
> 
> Virtual Users in SQL (with full user@domain in the DB)
> 
>  
> 
> When I have auth_username_format = %Ln I can’t auth the Virtual Users, and if 
> I have auth_username_format = %Lu I can’t auth System users. 
> 
>  
> 
> Is there a compromise somewhere?
> 
>

You could try using %{original_username} in SQL.

Or you can try removing the auth_username_format and instead

passdb {
  driver = sql
  args = ...
}
passdb {
  driver = static
  args = user=%Ln noauthenticate
# you can remove next line if you want to always normalize your usernames
  skip = authenticated
}
passdb {
  driver = pam
  args = ...
  skip = authenticated
}

Aki


Re: Can Dovecot replace fetchmail?

2017-07-13 Thread Peter Chiochetti

Am 2017-07-13 um 09:34 schrieb Kenneth Porter:
I'm using fetchmail to grab mail for multiple accounts from an external 
IMAP server and drop it into local mailboxes via SMTP. It polls the 
remote server every two minutes. Can Dovecot replace this functionality 
more elegantly, using IDLE to avoid the polling necessary with 
fetchmail? I'd like to designate that mail for specific accounts on the 
external server be moved to specific local mailboxes.


Just in case: fetchmail can /idle/ on an IMAP server as well, though 
with multiple accounts that needs some tuning, see eg. 
https://bugs.launchpad.net/bugs/1021699 or 
http://fnxweb.com/blog/2012/07/14/using-multiple-fetchmail-instances-for-instant-gratification/



--
peter


Can Dovecot replace fetchmail?

2017-07-13 Thread Kenneth Porter
I'm using fetchmail to grab mail for multiple accounts from an external 
IMAP server and drop it into local mailboxes via SMTP. It polls the remote 
server every two minutes. Can Dovecot replace this functionality more 
elegantly, using IDLE to avoid the polling necessary with fetchmail? I'd 
like to designate that mail for specific accounts on the external server be 
moved to specific local mailboxes.




Re: Master auth only

2017-07-13 Thread azurit


Quoting Sami Ketola:

> > On 12 Jul 2017, at 15.46, Rick Romero  wrote:
> > This is awesome, as I was just contemplating how to maintain
> > persistence with 2FA.
> > Is it possible to use a passdb based on remote ip?  There's a
> > username_filter, but I want to use a master password for webmail
> > (which will use 2FA via Radius), and those IPs are known and
> > non-routable.
>
> passdb {
>   driver = static
>   args = password=masterpassword allow_nets=192.168.0.0/24
> }
>
> or can even use single ip like allow_nets=192.168.1.234
>
> Sami

Thanks guys, I reworked it like this (I already allowed only the proxy IP
on the firewall but thanks for the suggestion, I also added allow_nets, just
to be sure) and everything is working fine.

azur


Re: Master auth only

2017-07-13 Thread Sami Ketola

> On 12 Jul 2017, at 15.46, Rick Romero  wrote:
> This is awesome, as I was just contemplating how to maintain persistence with 
> 2FA. 
> Is it possible to use a passdb based on remote ip?  There's a 
> username_filter, but I want to use a master password for webmail (which will 
> use 2FA via Radius), and those IPs are known and non-routable.


passdb {
  driver = static
  args = password=masterpassword allow_nets=192.168.0.0/24
}

or can even use single ip like allow_nets=192.168.1.234

Sami
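
As an added example that belongs to none of the messages above and is not Dovecot's code, the following Python toy model walks a passdb chain the way the two threads describe it: Aki's sql / static(`user=%Ln noauthenticate`) / pam construct with `skip = authenticated`, and Sami's static master-password passdb gated by `allow_nets`. The SQL and PAM backends, the user names, passwords and addresses are constructed; treating an `allow_nets` mismatch as an outright refusal is an assumption about Dovecot's behaviour, not something the thread states.

```python
import ipaddress

# Constructed stand-ins for the real backends: virtual users live in SQL keyed
# by the full user@domain, system users in PAM keyed by the bare local name.
SQL_USERS = {"alice@example.com": "alice-pw"}
PAM_USERS = {"bob": "bob-pw"}

def expand(var, user, original):
    """Expand the username variables the thread discusses (%u %n %d %Lu %Ln)."""
    name, _, domain = user.partition("@")
    return {"%u": user, "%n": name, "%d": domain, "%Lu": user.lower(),
            "%Ln": name.lower(), "%{original_username}": original}[var]

def in_allow_nets(allow_nets, remote_ip):
    """allow_nets is a comma-separated list; a bare address means one host."""
    ip = ipaddress.ip_address(remote_ip)
    return any(ip in ipaddress.ip_network(n.strip(), strict=False)
               for n in allow_nets.split(","))

def parse_args(args):
    """'key=value flag' -> dict; a bare flag such as noauthenticate becomes True."""
    return dict(a.split("=", 1) if "=" in a else (a, True) for a in args.split())

def authenticate(passdbs, login_user, password, remote_ip="127.0.0.1",
                 auth_username_format=None):
    """Walk the passdb list in order. Returns (ok, username passed on to userdb)."""
    original, user = login_user, login_user
    if auth_username_format:  # applied to the login name before any passdb runs
        user = expand(auth_username_format, user, original)
    authenticated = False
    for db in passdbs:
        if db.get("skip") == "authenticated" and authenticated:
            continue
        args = parse_args(db.get("args", ""))
        if db["driver"] == "static":
            if "allow_nets" in args and not in_allow_nets(args["allow_nets"], remote_ip):
                return False, user  # assumed: a mismatch refuses the login outright
            if "user" in args:  # rewrites the name every later passdb (and userdb) sees
                user = expand(args["user"], user, original)
            if args.get("noauthenticate") is True:
                continue  # sets fields only, never verifies the password
            authenticated = password == args.get("password")
        elif db["driver"] == "sql":
            authenticated = SQL_USERS.get(user) == password
        elif db["driver"] == "pam":
            authenticated = PAM_USERS.get(user) == password
        if authenticated:
            break  # default result_success = return-ok
    return authenticated, user

# A plain sql + pam chain (Larry's auth_username_format dilemma), then Aki's chain.
PLAIN_CHAIN = [{"driver": "sql", "args": "/usr/local/etc/dovecot/dovecot-sql.conf.ext"},
               {"driver": "pam", "args": "session=yes"}]
AKI_CHAIN = [PLAIN_CHAIN[0],
             {"driver": "static", "args": "user=%Ln noauthenticate", "skip": "authenticated"},
             dict(PLAIN_CHAIN[1], skip="authenticated")]
# Sami's master-password passdb, usable only from the webmail network.
MASTER_ONLY = [{"driver": "static",
                "args": "password=masterpassword allow_nets=192.168.0.0/24"}]
```

With `PLAIN_CHAIN`, `%Ln` locks out the virtual user and `%Lu` locks out the system user; `AKI_CHAIN` accepts both because the static passdb only strips the domain once the SQL lookup has already failed.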