Re: TLS problem after upgrading from v2.2 to v2.3

2018-01-06 Thread Jan Vejvalka 

Hi Goetz,

  thanks, I tried your list - and I quickly ran back, as I noticed
that this time I disconnected a user who is much less cooperative :-)

Jan


On 06.01.2018 20:47, Goetz Schultz wrote:

Hi Jan,

fair enough. You may want to try mine to see if it works - if yes,
it might be worthwhile digging deeper. Tbh I had not default settings
on for a long time.


Thanks and regards

Goetz R. Schultz

On 06/01/18 18:30, Jan Vejvalka wrote:

Thanks for your reply; I used the defaults, both before and after
the upgrade, cf. https://wiki2.dovecot.org/Upgrading/2.3 -> Setting
default changes. The new defaults broke the connection.

Jan




what are your settings?

Mine are below and they work just fine:

ssl_cipher_list = 
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!SSLv2:!SSLv3

Re: TLS problem after upgrading from v2.2 to v2.3

2018-01-06 Thread Goetz Schultz 
Hi Jan,

fair enough. You may want to try mine to see if it works - if yes, it
might be worthwhile digging deeper. Tbh I had not default settings on
for a long time.


Thanks and regards

  Goetz R. Schultz

On 06/01/18 18:30, Jan Vejvalka wrote:
> Thanks for your reply; I used the defaults, both before and after the
> upgrade, cf. https://wiki2.dovecot.org/Upgrading/2.3 -> Setting default
> changes. The new defaults broke the connection.
> 
> Jan
> 
> 
> 
>> what are your settings?
>>
>> Mine are below and they work just fine:
>>
>> ssl_cipher_list =
>> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!SSLv2:!SSLv3
>>
> 



signature.asc
Description: OpenPGP digital signature

Re: zlib plugin producing errors on 2.3.0

2018-01-06 Thread Timo Sirainen 
On 5 Jan 2018, at 18.33, Carsten Uppenbrink  wrote:
> 
> On 24.12.2017 15:58, Adam Weinberger wrote:
>> Hello,
>> I use the zlib and imap_zlib plugins on FreeBSD. As of 2.3.0, my logs
>> are producing these errors every so often, but AFAICT the messages
>> themselves aren't getting corrupted.
>> Panic: file ostream-zlib.c: line 36 (o_stream_zlib_close): assertion
>> failed: (zstream->ostream.finished ||
>> zstream->ostream.ostream.stream_errno != 0)
>> Fatal: master: service(imap): child 80128 killed with signal 6 (core
>> not dumped - set service imap { drop_priv_before_exec=yes })
>> Panic: file ostream-zlib.c: line 36 (o_stream_zlib_close): assertion
>> failed: (zstream->ostream.finished ||
>> zstream->ostream.ostream.stream_errno != 0)
>> Fatal: master: service(imap): child 80266 killed with signal 6 (core
>> not dumped - set service imap { drop_priv_before_exec=yes })
>> They always come in pairs like that. Following is my doveconf. Let
>> me know what else I can provide here. Thanks!
> 
> I had this errors in my logs, too.
> 
> It happens only to users who using K-9 Mail on Android. They all had a 
> setting enabled called "Use compression on network: Mobile, Wi-Fi, Other" in 
> "Incoming server settings". I didn't looked for other imap clients, because 
> without this setting enabled the errors vanished.
> 
> But it is likely that there are other imap clients who try to compress the 
> transfer.
> No stored mails are corrupted, it is only the connection somehow.

Oh, it's the imap_zlib plugin / IMAP COMPRESS extension that is crashing. Looks 
like it happens every time when COMPRESS-enabled client disconnects, so it's 
probably not visible to clients.

Removing IMAP ID command

2018-01-06 Thread Alex Hautequest 
Hello all. Happy 2018!

 

How can I disable the dovecot IMAP ID command, or hide the product name, so

one does not eyeball what server software I am running (which happens to be

v2.2.33.2)? Please see below for an example:

 

* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE

AUTH=PLAIN AUTH=LOGIN] Ready.

* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE

AUTH=PLAIN AUTH=LOGIN

A001 OK Pre-login capabilities listed, post-login capabilities have more.

* ID ("name" "Dovecot")

A002 OK ID completed.

A003 BAD Error in IMAP command received by server.

* BYE Logging out

A004 OK Logout completed.

 

It does not seems POP3 advertises itself:

 

+OK Ready.

+OK

CAPA

TOP

UIDL

RESP-CODES

PIPELINING

AUTH-RESP-CODE

STLS

SASL

.

 

Thanks and regards,

 

Alex.

Re: Updated Dovecot 2.3.0 now getting 2 strange log errors

2018-01-06 Thread Florian Pritz 
On 03.01.2018 18:14, Tony wrote:
> I downgraded dovecot to 2.2.33.2 and pigeonhole 0.4.21 and can confirm 
> the reported problem does not exist with "permission denied" and 
> sendmail getting hung up/timing out.

The issue is that sendmail/maildrop/postdrop uses setgid to change to
the maildrop group (`stat $(which postdrop)`) and the
NoNewPrivileges=true setting in the service file explicitly disables
this (look in man systemd.exec). This settings appears to be new in 2.3[1].

What is somewhat infuriating is that this behaviour change is not
mentioned in the release notes/upgrade notes and the commit that
introduces the change changes multiple things and it doesn't explain why
things are changed. I'm happy to see service files that try to improve
security in an upstream repository though.

Does pigeonhole have any options to configure how mail is send when
using "redirect :copy" (possibly more commands, this is just what
triggered it here)? If not, support for injecting mail back via smtp
would be lovely. I'd like to reenable NoNewPrivileges at some point.

[1]
https://github.com/dovecot/core/commit/563c1e3b45bbb69bc67b75ff7a899699bea18e88#diff-5bbec0a0006d92d441b5c8fa72690f95

Florian



signature.asc
Description: OpenPGP digital signature

TLS problem after upgrading from v2.2 to v2.3

2018-01-06 Thread Jan Vejvalka 

Thanks for your reply; I used the defaults, both before and after the
upgrade, cf. https://wiki2.dovecot.org/Upgrading/2.3 -> Setting default
changes. The new defaults broke the connection.

Jan




what are your settings?

Mine are below and they work just fine:

ssl_cipher_list = 
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!SSLv2:!SSLv3

quota issue - fs backend troubles with mount

2018-01-06 Thread Arturo Bianchi 

Hi,
with the last update to version 2.2.33.2 I had problems with quota 
management; the plugin no longer reads the configuration correctly or 
something undocumented has changed!


Until the version 2.2.30.2 the mount parameter work well, now no longer; 
so with...


plugin {
  quota  = fs:HOME:mount=/home
  quota2 = fs:INBOX:mount=/var/spool
}

...the server no longer works and I read this in the log:

Debug: Module loaded: /usr/lib64/dovecot/lib10_quota_plugin.so
Debug: Quota root: name=HOME=fs args=mount=/home
Debug: Quota grace: root=HOME bytes=0 (10%)
Debug: Quota root: name=INBOX backend=fs args=mount=/var/spool
Debug: Quota grace: root=INBOX bytes=0 (10%)
Error: User initialization failed: Failed to initialize quota: Quota root HOME: 
fs quota init failed: Unknown parameter for backend fs: =/home


I saw that the method for acquiring the parameters was revised in the 
src/plugins/quota/quota-fs.c but I still could not understand why it 
fails!


Some advice?

Do I have a formatting problem or am I missing some news about it?


Thanks,
Arturo.

--
73s