Re: Dovecot and Letsencrypt certs

2017-09-09 Thread Bill Shirley

Oh, also I removed the '2>1> /dev/null' from the acme.sh crontab entry so that
it will always send an email; and entered this in sieve:

# --- let's encrypt ---
# (the script's require line must list "body", "regex", "imap4flags" and
#  "fileinto", plus "copy" once the redirect lines are enabled)
if header :contains "subject" "acme.sh" {
  if body :regex "Error[[:space:]]+renew" {
#    redirect :copy "b...@example.com";
    addflag "$label1";    # Thunderbird red
    stop;
  }
  if body :regex "-BEGIN CERTIFICATE-" {
#    redirect :copy "b...@example.com";
    addflag "$label4";    # Thunderbird blue
    stop;
  }
  fileinto "AASystemAdministration.Cron.certificate";
  stop;
}

The redirect :copy I enable for my other servers to forward a copy
to me.

HTH,
Bill


On 9/9/2017 3:16 PM, Bill Shirley wrote:

If you're using acme.sh:
acme.sh --installcert -d imap.example.com \
  --keypath /etc/pki/dovecot/private/imap.example.com.pem \
  --certpath /etc/pki/dovecot/certs/imap.example.com.crt \
  --fullchainpath /etc/pki/dovecot/certs/imap.example.com.full.chain.crt \
  --reloadcmd    "systemctl reload dovecot.service"

HTH,
Bill

On 9/8/2017 9:56 AM, Darac Marjal wrote:

On Fri, Sep 08, 2017 at 06:47:25AM -0600, @lbutlr wrote:

So this morning at 4am I was awoken to my mail clients getting certificate 
errors for an expired certificate.

I hopped on to the server and checked and… no, the LE certs renewed last month 
and are valid until November.

After some moments of confusion I noticed that dovecot had been running since before the renewal, so I did a quick service 
dovecot restart which fixed everything.


Should dovecot check for certs being refreshed? Or is this an artifact of my using symbolic links everywhere to point to the 
newest LE certs (which are themselves links the dehydrate script creates to point to the newest cert-1502534746.csr etc files)?


As you're using dehydrated, I can share what I do. My hook script basically calls "run-parts /etc/dehydrated/hooks.d/" so I 
can just drop hook scripts into that directory. Then in the hooks.d directory, I have the following:


#!/bin/bash

set -e
set -u
set -o pipefail

if [[ ${1} == "deploy_cert" && ${2} == "mail.darac.org.uk" ]]; then
    echo " + Hook: Restarting Dovecot..."
    /usr/sbin/service dovecot restart
fi

That means that dovecot will be restarted only if the certificate for the mail server is being deployed. If dehydrated runs, 
but fails to renew the certificate, then dovecot won't be restarted. Similarly, if it renews a different certificate, dovecot 
won't be restarted.


Hope that helps.




Should I just create a monthly cron to restart dovecot or is there something 
else?

--
Apple broke AppleScripting signatures in Mail.app, so no random signatures.




Re: Dovecot and Letsencrypt certs

2017-09-09 Thread Bill Shirley

If you're using acme.sh:
acme.sh --installcert -d imap.example.com \
  --keypath /etc/pki/dovecot/private/imap.example.com.pem \
  --certpath /etc/pki/dovecot/certs/imap.example.com.crt \
  --fullchainpath /etc/pki/dovecot/certs/imap.example.com.full.chain.crt \
  --reloadcmd    "systemctl reload dovecot.service"

HTH,
Bill

On 9/8/2017 9:56 AM, Darac Marjal wrote:

On Fri, Sep 08, 2017 at 06:47:25AM -0600, @lbutlr wrote:

So this morning at 4am I was awoken to my mail clients getting certificate 
errors for an expired certificate.

I hopped on to the server and checked and… no, the LE certs renewed last month 
and are valid until November.

After some moments of confusion I noticed that dovecot had been running since before the renewal, so I did a quick service 
dovecot restart which fixed everything.


Should dovecot check for certs being refreshed? Or is this an artifact of my using symbolic links everywhere to point to the 
newest LE certs (which are themselves links the dehydrate script creates to point to the newest cert-1502534746.csr etc files)?


As you're using dehydrated, I can share what I do. My hook script basically calls "run-parts /etc/dehydrated/hooks.d/" so I 
can just drop hook scripts into that directory. Then in the hooks.d directory, I have the following:


#!/bin/bash

set -e
set -u
set -o pipefail

if [[ ${1} == "deploy_cert" && ${2} == "mail.darac.org.uk" ]]; then
    echo " + Hook: Restarting Dovecot..."
    /usr/sbin/service dovecot restart
fi

That means that dovecot will be restarted only if the certificate for the mail server is being deployed. If dehydrated runs, 
but fails to renew the certificate, then dovecot won't be restarted. Similarly, if it renews a different certificate, dovecot 
won't be restarted.


Hope that helps.




Should I just create a monthly cron to restart dovecot or is there something 
else?

--
Apple broke AppleScripting signatures in Mail.app, so no random signatures.




Re: offtopic: Solr compatible IMAP client

2017-09-09 Thread Peter Chiochetti

On 2017-09-08 at 12:47, Andy Smith wrote:


I've had a look at Thunderbird and you can use IMAP search, but you have
to manually select it from an advanced search dialogue and it seems you
cannot make this the default behaviour.

Hello Andy, it is not that difficult to get a button in Thunderbird that 
does the lifting:


- install add-on "Custom Buttons"
- make a new button, code see attachment

"Search on Server" seems to be remembered by the dialogue itself…

--
peter

var selektor = "Inhalt"; // Localized name in search drop-down
// Open the search dialog for the currently displayed folder
openDialog(
  "chrome://messenger/content/SearchDialog.xul",
  "_blank",
  "chrome,resizable,status,centerscreen,dialog=no",
  { folder: gFolderDisplay.displayedFolder }
).addEventListener(
  "pageshow",
  function tempFunction(event) {
    // Run once, when the dialog is first shown
    this.removeEventListener(event.type, tempFunction, false);
    // Preselect the search attribute whose label matches selektor
    var searchAttr0 = this.document.getElementById("searchAttr0");
    searchAttr0.value =
      searchAttr0.valueIds[searchAttr0.valueStrings.indexOf(selektor)];
    // Put the cursor in the search text box
    this.document.getAnonymousElementByAttribute(
      this.document.getElementById("searchVal0"),
      "class",
      "search-value-textbox"
    ).focus();
  },
  false
);


Re: offtopic: Solr compatible IMAP client

2017-09-09 Thread Greg Rivers
On Saturday, September 09, 2017 10:01:03 Larry Rosenman wrote:
> Neomutt.
> https://www.neomutt.org/
> 
Also alpine.
https://www.washington.edu/alpine/

-- 
Greg Rivers


Re: offtopic: Solr compatible IMAP client

2017-09-09 Thread Larry Rosenman
Neomutt.
https://www.neomutt.org/


-- 
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: larry...@gmail.com
US Mail: 5708 Sabbia Drive, Round Rock, TX 78665-2106
 

On 9/9/17, 9:58 AM, "dovecot on behalf of Andy Smith" wrote:

Hi, 

  not sure if I'm allowed to go this off topic on here, sorry if not!
I've just installed Solr FTS for Dovecot and it's great, as is Dovecot!
;) It works perfectly for fast searches using Roundcube, but can anyone
suggest any Windows and/or Linux mail clients that work well with IMAP
searches rather than doing their own searches on local copies of mails?
I've had a look at Thunderbird and you can use IMAP search, but you have
to manually select it from an advanced search dialogue and it seems you
cannot make this the default behaviour. I also tried OperaMail but it
doesn't appear to work at all (only header is searchable without
downloading local copies). I'm pretty sure Outlook will only use its own
search engine on its local copy of data. 

thanks a lot, Andy. 

PS this guide was really helpful for setting up Solr FTS with a recent
release of Solr (I'm using 6.5), might be worth including a link
somewhere on the Dovecot wiki?: 

http://mor-pah.net/2016/08/15/dovecot-2-2-with-solr-6-or-5



offtopic: Solr compatible IMAP client

2017-09-09 Thread Andy Smith
Hi, 

  not sure if I'm allowed to go this off topic on here, sorry if not!
I've just installed Solr FTS for Dovecot and it's great, as is Dovecot!
;) It works perfectly for fast searches using Roundcube, but can anyone
suggest any Windows and/or Linux mail clients that work well with IMAP
searches rather than doing their own searches on local copies of mails?
I've had a look at Thunderbird and you can use IMAP search, but you have
to manually select it from an advanced search dialogue and it seems you
cannot make this the default behaviour. I also tried OperaMail but it
doesn't appear to work at all (only header is searchable without
downloading local copies). I'm pretty sure Outlook will only use its own
search engine on its local copy of data. 

thanks a lot, Andy. 

PS this guide was really helpful for setting up Solr FTS with a recent
release of Solr (I'm using 6.5), might be worth including a link
somewhere on the Dovecot wiki?: 

http://mor-pah.net/2016/08/15/dovecot-2-2-with-solr-6-or-5


Share Website certificate with SSL/STL Dovecot IMAP and Postifix SMTP

2017-09-09 Thread Marco Marco
Hi guys,


I've bought a certificate from the authority for my website to use to access in 
https mode.

Is it possible to share the same pairs to authenticate the emails sent by 
postfix and Dovecot in order to avoid that client as Hotmail.it or Gmail 
intercept these as Spam?


Thank you


Re: disable imap for ldap user

2017-09-09 Thread Markus Rosjat

no this is not the intended behaviour for this attribute.

In general every user can use pop3 but only a few can use imap so what I 
want is:


 - permit pop3 by default
 - check if the attribute is 0 or 1
 - depending on the result a user can login with imap protocol

regards

Markus

On 08.09.2017 at 17:59, Ralph Seichter wrote:

On 08.09.2017 17:11, Markus Rosjat wrote:


I have a LDAP dir with an attribute set to 0 or 1 and in my old setup
(a courier server) I used this attribute to map it to an authoption
called disableimap. This prevents users from accessing the mailbox with imap
protocol.

So the question is what should I set in dovecot to get the same
behaviour?


You can configure 'pass_filter' to discount entries with your disable-
flag. Affected users won't be able to authenticate with Dovecot, which
I assume is what you are trying to achieve.

-Ralph



--
Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220   fax: +49 351 8107227

Please check whether this mail really needs to be printed! Before 
you print it, think about your responsibility and commitment to the 
ENVIRONMENT


What INTERNALDATE does dovecot with mbox storage set on a COPY'd message?

2017-09-09 Thread Steinar Bang
When a message is copied to a folder on dovecot with mbox storage, is
the mtime of the saved mbox file set to the time of the save?  

Or is the mtime set to the Date: field of the source message that is
saved?

If there is a difference in the behaviour, does someone know the dovecot
version number where the change happened?

The reason I'm asking is a problem reported on the Gnus imap client in
August 2016, where messages moved by Gnus showed up with the wrong order
and/or wrong date in other imap clients.

(The reason for the different message ordering was that the other clients
use the INTERNALDATE and that was changed to the time of message move
when Gnus was used. Gnus uses the Date of the source message)

Thanks!


- Steinar (Gnus user)


Re: Dovecot and Letsencrypt certs

2017-09-09 Thread Вадим Бажов
"writing a script to check the certs" - there is no need to write any
scripts. As one mentioned, it's done by a hook to certbot. Please read
the manuals for LE or certbot. The issue you have is quite common and
of course certbot is designed to do it for you.
The manual: https://certbot.eff.org/docs/using.html#renewing-certificates.
That's it. Problem solved.

2017-09-09 0:18 GMT+05:00 @lbutlr :
> On 08 Sep 2017, at 12:21, Ralph Seichter  wrote:
>> On 08.09.2017 19:51, @lbutlr wrote:
>>> How I would do it is IF the certificate is expired, the dovecot should
>>> check if there is a new cert and if so, load it.
>
>> New cert as in file modification date or checksum changed?
>
> Either one, but checksum is going to be more reliable.
>
>> Might work. Still, from what I seem to remember, Dovecot loads certificate 
>> data before dropping privileges, which is why reloading the data might be 
>> problematic without some changes.
>
> Can't dovecot reload itself? That could be a problem if not.
>
>> Not worth spending development effort on, IMO, given that Dovecot can easily 
>> be restarted by the external processes that update the cert (like Certbot 
>> hook, Ansible, etc.).
>
> All I'm saying is that it's a failure event that doesn't need to occur.
>
> --
> Apple broke AppleScripting signatures in Mail.app, so no random signatures.
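
The failure this thread describes (Dovecot keeps serving the certificate it loaded at startup after the file on disk has been renewed) can be caught from cron by comparing fingerprints. The script below is an added example, not code from any poster or from Dovecot, acme.sh, dehydrated or certbot; the function names are made up for illustration, and it assumes GNU coreutils, the openssl CLI and an implicit-TLS port such as 993.

```sh
#!/bin/sh
# Added example (not from the thread): detect a server that still serves
# an old certificate after the file on disk was renewed.
# Function names are illustrative; assumes GNU coreutils and openssl.

# SHA-256 of the first certificate in the PEM text on stdin. The base64
# body is the DER encoding, so this equals the certificate's SHA-256
# fingerprint (lowercase hex, no colons). Returns 1 if no cert is found.
pem_fingerprint() {
    body=$(sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
        | sed '/-----END CERTIFICATE-----/q' | grep -v -- '-----' || true)
    [ -n "$body" ] || return 1
    printf '%s\n' "$body" | base64 -d | sha256sum | cut -d' ' -f1
}

# 0 = both files start with the same certificate, 1 = they differ,
# 2 = one of them contains no certificate at all.
same_cert() {
    a=$(pem_fingerprint < "$1") || return 2
    b=$(pem_fingerprint < "$2") || return 2
    [ "$a" = "$b" ]
}

# usage: check_dovecot_cert HOST PORT CERTFILE
# CERTFILE may be a full chain; only its first (leaf) certificate is used.
check_dovecot_cert() {
    tmp=$(mktemp) || return 2
    # s_client prints the leaf certificate the server presents as PEM.
    openssl s_client -connect "$1:$2" -servername "$1" \
        </dev/null >"$tmp" 2>/dev/null || true
    rc=0
    same_cert "$tmp" "$3" || rc=$?
    rm -f "$tmp"
    case $rc in
        1) echo "STALE: $1:$2 is not serving $3; reload dovecot" >&2 ;;
        2) echo "ERROR: no certificate from $1:$2 or in $3" >&2 ;;
    esac
    return "$rc"
}

# Run the check only when called with HOST PORT CERTFILE.
if [ "$#" -eq 3 ]; then
    check_dovecot_cert "$@"
fi
```

Run from cron with the host, port and certificate file the server is configured with; exit status 1 means the running process has not picked up the renewed file.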