Re: TLS problem after upgrading from v2.2 to v2.3
Hi Goetz, thanks, I tried your list - and I quickly ran back, as I noticed that this time I disconnected a user who is much less cooperative :-) Jan On 06.01.2018 20:47, Goetz Schultz wrote: Hi Jan, fair enough. You may want to try mine to see if it works - if yes, it might be worthwhile digging deeper. Tbh I had not default settings on for a long time. Thanks and regards Goetz R. Schultz On 06/01/18 18:30, Jan Vejvalka wrote: Thanks for your reply; I used the defaults, both before and after the upgrade, cf. https://wiki2.dovecot.org/Upgrading/2.3 -> Setting default changes. The new defaults broke the connection. Jan what are your settings? Mine are below and they work just fine: ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!SSLv2:!SSLv3
Re: TLS problem after upgrading from v2.2 to v2.3
Hi Jan, fair enough. You may want to try mine to see if it works - if yes, it might be worthwhile digging deeper. Tbh I had not default settings on for a long time. Thanks and regards Goetz R. Schultz On 06/01/18 18:30, Jan Vejvalka wrote: > Thanks for your reply; I used the defaults, both before and after the > upgrade, cf. https://wiki2.dovecot.org/Upgrading/2.3 -> Setting default > changes. The new defaults broke the connection. > > Jan > > > >> what are your settings? >> >> Mine are below and they work just fine: >> >> ssl_cipher_list = >> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!SSLv2:!SSLv3 >> > signature.asc Description: OpenPGP digital signature
Re: zlib plugin producing errors on 2.3.0
On 5 Jan 2018, at 18.33, Carsten Uppenbrinkwrote: > > On 24.12.2017 15:58, Adam Weinberger wrote: >> Hello, >> I use the zlib and imap_zlib plugins on FreeBSD. As of 2.3.0, my logs >> are producing these errors every so often, but AFAICT the messages >> themselves aren't getting corrupted. >> Panic: file ostream-zlib.c: line 36 (o_stream_zlib_close): assertion >> failed: (zstream->ostream.finished || >> zstream->ostream.ostream.stream_errno != 0) >> Fatal: master: service(imap): child 80128 killed with signal 6 (core >> not dumped - set service imap { drop_priv_before_exec=yes }) >> Panic: file ostream-zlib.c: line 36 (o_stream_zlib_close): assertion >> failed: (zstream->ostream.finished || >> zstream->ostream.ostream.stream_errno != 0) >> Fatal: master: service(imap): child 80266 killed with signal 6 (core >> not dumped - set service imap { drop_priv_before_exec=yes }) >> They always come in pairs like that. Following is my doveconf. Let >> me know what else I can provide here. Thanks! > > I had this errors in my logs, too. > > It happens only to users who using K-9 Mail on Android. They all had a > setting enabled called "Use compression on network: Mobile, Wi-Fi, Other" in > "Incoming server settings". I didn't looked for other imap clients, because > without this setting enabled the errors vanished. > > But it is likely that there are other imap clients who try to compress the > transfer. > No stored mails are corrupted, it is only the connection somehow. Oh, it's the imap_zlib plugin / IMAP COMPRESS extension that is crashing. Looks like it happens every time when COMPRESS-enabled client disconnects, so it's probably not visible to clients.
Removing IMAP ID command
Hello all. Happy 2018! How can I disable the dovecot IMAP ID command, or hide the product name, so one does not eyeball what server software I am running (which happens to be v2.2.33.2)? Please see below for an example: * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Ready. * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN A001 OK Pre-login capabilities listed, post-login capabilities have more. * ID ("name" "Dovecot") A002 OK ID completed. A003 BAD Error in IMAP command received by server. * BYE Logging out A004 OK Logout completed. It does not seems POP3 advertises itself: +OK Ready. +OK CAPA TOP UIDL RESP-CODES PIPELINING AUTH-RESP-CODE STLS SASL . Thanks and regards, Alex.
Re: Updated Dovecot 2.3.0 now getting 2 strange log errors
On 03.01.2018 18:14, Tony wrote: > I downgraded dovecot to 2.2.33.2 and pigeonhole 0.4.21 and can confirm > the reported problem does not exist with "permission denied" and > sendmail getting hung up/timing out. The issue is that sendmail/maildrop/postdrop uses setgid to change to the maildrop group (`stat $(which postdrop)`) and the NoNewPrivileges=true setting in the service file explicitly disables this (look in man systemd.exec). This settings appears to be new in 2.3[1]. What is somewhat infuriating is that this behaviour change is not mentioned in the release notes/upgrade notes and the commit that introduces the change changes multiple things and it doesn't explain why things are changed. I'm happy to see service files that try to improve security in an upstream repository though. Does pigeonhole have any options to configure how mail is send when using "redirect :copy" (possibly more commands, this is just what triggered it here)? If not, support for injecting mail back via smtp would be lovely. I'd like to reenable NoNewPrivileges at some point. [1] https://github.com/dovecot/core/commit/563c1e3b45bbb69bc67b75ff7a899699bea18e88#diff-5bbec0a0006d92d441b5c8fa72690f95 Florian signature.asc Description: OpenPGP digital signature
TLS problem after upgrading from v2.2 to v2.3
Thanks for your reply; I used the defaults, both before and after the upgrade, cf. https://wiki2.dovecot.org/Upgrading/2.3 -> Setting default changes. The new defaults broke the connection. Jan what are your settings? Mine are below and they work just fine: ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!SSLv2:!SSLv3
quota issue - fs backend troubles with mount
Hi, with the last update to version 2.2.33.2 I had problems with quota management; the plugin no longer reads the configuration correctly or something undocumented has changed! Until the version 2.2.30.2 the mount parameter work well, now no longer; so with... plugin { quota = fs:HOME:mount=/home quota2 = fs:INBOX:mount=/var/spool } ...the server no longer works and I read this in the log: Debug: Module loaded: /usr/lib64/dovecot/lib10_quota_plugin.so Debug: Quota root: name=HOME=fs args=mount=/home Debug: Quota grace: root=HOME bytes=0 (10%) Debug: Quota root: name=INBOX backend=fs args=mount=/var/spool Debug: Quota grace: root=INBOX bytes=0 (10%) Error: User initialization failed: Failed to initialize quota: Quota root HOME: fs quota init failed: Unknown parameter for backend fs: =/home I saw that the method for acquiring the parameters was revised in the src/plugins/quota/quota-fs.c but I still could not understand why it fails! Some advice? Do I have a formatting problem or am I missing some news about it? Thanks, Arturo. -- 73s