Re: VarExpandCrypt plugin usecase
> On February 9, 2018 at 3:40 AM ta...@vfemail.net wrote:
>
> Hai,
>
> I found VarExpandCrypt plugin but not sure the usecase? Somewhere is
> more documentation for it?
>
> https://wiki2.dovecot.org/Plugins/VarExpandCrypt

Hi!

var_expand_crypt plugin can be used for decrypting/encrypting variables. Its most common use case would be to decrypt user credentials encrypted using reversible encryption (a.k.a. obfuscation). It can be used for other purposes too, like transmitting information from proxy to backend encrypted without using SSL.

Aki
Re: Best mail encryption solution for per-user
> On February 9, 2018 at 8:31 AM Aki Tuomi wrote:
>
> > On February 9, 2018 at 3:20 AM ta...@vfemail.net wrote:
> >
> > Hai,
> >
> > Do you have advice about Dovecot plugins for mail encryption:
> >
> > https://wiki2.dovecot.org/Plugins/MailCrypt
> >
> > https://0xacab.org/riseuplabs/trees
> >
> > I like NaCL based encryption but the MailCrypt plugin is better
> > because it's maintained by Dovecot developers (is this correct?)
> >
> > Hard to understand MailCrypt docs so may I ask, may I provide per user
> > encryption? I don't like global because I want every user to have
> > different encryption based on their password. But I don't see the
> > usefulness of per-folder encryption. Docs for TREES are easier to
> > understand; it will work on a per-user encryption using the user
> > password to decrypt the needed keys.
> >
> > How about indexing? Must native fast Dovecot indexing be turned
> > off for one of these or both? Is this a big performance hit? And how
> > to turn off indexing on a per-user basis?
> >
> > Thank you so very much
>
> Hi!
>
> Mail crypt plugin in dovecot core is indeed developed and maintained by us.
> Turning on encryption is simple, but you'll have to consider key management
> closely.
>
> The simple instructions are
>
> mail_plugins = $mail_plugins mail_crypt
> mail_attribute_dict = file:%h/Maildir/dovecot-attributes
>
> plugin {
>   mail_crypt_curve =
>   mail_crypt_save_version = 2
> }
>
> This will turn on automatic key creation for folders and users.
>
> NOTE that the keys won't be encrypted in this scenario.
>
> To encrypt keys you have a few choices. You can use a static password, static
> ECC key, per-user password, per-user ECC key, per-user password protected ECC
> key.
>
> With the per-user model, the easiest, if you don't let users change password,
> could be adding into userdb or passdb, mail_crypt_private_password =
> %{sha512:password}
>
> If you want users to be able to change passwords, you either need to manage
> the encryption passwords in user database, or call doveadm mailbox cryptokey
> password during password change.
>
> Also we do not currently support DR keys, so if the per-user key is lost, you
> will not be able to recover the mails.

Forgot to add that currently it's not possible to encrypt indexes due to how lib-index is designed.

Aki
Re: Best mail encryption solution for per-user
> On February 9, 2018 at 3:20 AM ta...@vfemail.net wrote:
>
> Hai,
>
> Do you have advice about Dovecot plugins for mail encryption:
>
> https://wiki2.dovecot.org/Plugins/MailCrypt
>
> https://0xacab.org/riseuplabs/trees
>
> I like NaCL based encryption but the MailCrypt plugin is better
> because it's maintained by Dovecot developers (is this correct?)
>
> Hard to understand MailCrypt docs so may I ask, may I provide per user
> encryption? I don't like global because I want every user to have
> different encryption based on their password. But I don't see the
> usefulness of per-folder encryption. Docs for TREES are easier to
> understand; it will work on a per-user encryption using the user
> password to decrypt the needed keys.
>
> How about indexing? Must native fast Dovecot indexing be turned
> off for one of these or both? Is this a big performance hit? And how
> to turn off indexing on a per-user basis?
>
> Thank you so very much

Hi!

Mail crypt plugin in dovecot core is indeed developed and maintained by us. Turning on encryption is simple, but you'll have to consider key management closely.

The simple instructions are

mail_plugins = $mail_plugins mail_crypt
mail_attribute_dict = file:%h/Maildir/dovecot-attributes

plugin {
  mail_crypt_curve =
  mail_crypt_save_version = 2
}

This will turn on automatic key creation for folders and users.

NOTE that the keys won't be encrypted in this scenario.

To encrypt keys you have a few choices. You can use a static password, static ECC key, per-user password, per-user ECC key, per-user password protected ECC key.

With the per-user model, the easiest, if you don't let users change password, could be adding into userdb or passdb, mail_crypt_private_password = %{sha512:password}

If you want users to be able to change passwords, you either need to manage the encryption passwords in user database, or call doveadm mailbox cryptokey password during password change.

Also we do not currently support DR keys, so if the per-user key is lost, you will not be able to recover the mails.

Aki
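The per-user password model that Aki describes, written out as a complete configuration. This is an added example, not Aki's configuration and not text from the Dovecot documentation. Everything beyond the settings quoted in the reply is an assumption: the curve name secp521r1, the passwd-file driver and its path, and passing the field from passdb to userdb with the userdb_ prefix.

```conf
# Added example; not Aki's configuration and not Dovecot's own documentation.
# Per-user password model on top of the minimal setup from the reply.
# Assumptions, not from the thread: the curve name secp521r1, the passwd-file
# driver and its path, and handing the field from passdb to userdb with the
# userdb_ prefix. Dovecot only treats '#' at the start of a line as a comment.

mail_plugins = $mail_plugins mail_crypt
mail_attribute_dict = file:%h/Maildir/dovecot-attributes

plugin {
  # assumption: any EC curve name that OpenSSL accepts works here
  mail_crypt_curve = secp521r1
  mail_crypt_save_version = 2

  # Without the setting below and without the passdb field further down this
  # is the minimal setup from the reply: keys are generated on first use and
  # stored unencrypted in the attribute dict above.

  # Fail loudly if a user key would be stored without a password, so a
  # userdb lookup that does not return mail_crypt_private_password cannot
  # silently leave a private key in the clear.
  mail_crypt_require_encrypted_user_key = yes
}

# Per-user password model: the key password is derived from the login
# password at authentication time. Only workable if users cannot change
# their password, or if the password change also runs
# "doveadm mailbox cryptokey password" to re-encrypt the key.
passdb {
  driver = passwd-file
  # assumption: illustrative path
  args = /etc/dovecot/users
  # the userdb_ prefix passes the field on to userdb, where the plugin
  # picks it up for this login
  override_fields = userdb_mail_crypt_private_password=%{sha512:password}
}

userdb {
  driver = passwd-file
  args = /etc/dovecot/users
}
```

Deriving the key password from the login password ties key secrecy to that password: anyone holding it (or a passdb or proxy that logs plaintext passwords) can unlock the mailbox key, and since there is no DR key, a forgotten password means the mail is gone, as the reply says. Non-plaintext authentication mechanisms never hand Dovecot the password, so this model only works with PLAIN/LOGIN over TLS.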
Re: Bounced message after update
okay weird - I read https://wiki2.dovecot.org/DomainLost

I set auth_debug=yes to get a clearer indication if that was my problem. Tried again and it successfully went through.

On 02/08/2018 05:46 PM, Michael A. Peters wrote:
> Hi - Updated from 2.2.27 to 2.3.0
>
> server is webmail (roundcube)
>
> Sending worked before the update. Now it receives, but trying to send - this is the bounce in the log
>
> Feb 9 01:37:45 {hostname} postfix/pipe[22891]: 931FD2577: to=<{user}@{hostname}.{tld}>, relay=dovecot, delay=0.01, delays=0/0/0/0, dsn=5.3.0, status=bounced (command line usage error. Command output: lda: Fatal: Invalid -f parameter: Missing domain )
> Feb 9 01:37:45 deviant postfix/qmgr[16492]: 931FD2577: removed
>
> {hostname}, {user}, {tld} are substitutions.
>
> Here's my lda config:
>
> protocol lda {
>   log_path = /home/{hostname}/dovecot-deliver.log
>   auth_socket_path = /var/run/dovecot/auth-master
>   postmaster_address = postmaster@{hostname}.{tld}
> }
>
> Any suggestions (other than reverting)? This worked just before the update.
>
> If it matters, Roundcube 1.3.4
Bounced message after update
Hi - Updated from 2.2.27 to 2.3.0

server is webmail (roundcube)

Sending worked before the update. Now it receives, but trying to send - this is the bounce in the log

Feb 9 01:37:45 {hostname} postfix/pipe[22891]: 931FD2577: to=<{user}@{hostname}.{tld}>, relay=dovecot, delay=0.01, delays=0/0/0/0, dsn=5.3.0, status=bounced (command line usage error. Command output: lda: Fatal: Invalid -f parameter: Missing domain )
Feb 9 01:37:45 deviant postfix/qmgr[16492]: 931FD2577: removed

{hostname}, {user}, {tld} are substitutions.

Here's my lda config:

protocol lda {
  log_path = /home/{hostname}/dovecot-deliver.log
  auth_socket_path = /var/run/dovecot/auth-master
  postmaster_address = postmaster@{hostname}.{tld}
}

Any suggestions (other than reverting)? This worked just before the update.

If it matters, Roundcube 1.3.4
VarExpandCrypt plugin usecase
Hai,

I found VarExpandCrypt plugin but not sure the usecase? Somewhere is more documentation for it?

https://wiki2.dovecot.org/Plugins/VarExpandCrypt

- ONLY AT VFEmail! - Use our Metadata Mitigator to keep your email out of the NSA's hands! $24.95 ONETIME Lifetime accounts with Privacy Features! 15GB disk! No bandwidth quotas! Commercial and Bulk Mail Options!
Best mail encryption solution for per-user
Hai,

Do you have advice about Dovecot plugins for mail encryption:

https://wiki2.dovecot.org/Plugins/MailCrypt

https://0xacab.org/riseuplabs/trees

I like NaCL based encryption but the MailCrypt plugin is better because it's maintained by Dovecot developers (is this correct?)

Hard to understand MailCrypt docs so may I ask, may I provide per user encryption? I don't like global because I want every user to have different encryption based on their password. But I don't see the usefulness of per-folder encryption. Docs for TREES are easier to understand; it will work on a per-user encryption using the user password to decrypt the needed keys.

How about indexing? Must native fast Dovecot indexing be turned off for one of these or both? Is this a big performance hit? And how to turn off indexing on a per-user basis?

Thank you so very much
Re: How to grant user access to his .dovecot.sieve.log?
No, it won't work. "sieve_after" requires the user script to explicitly "keep" the message. If the script fails, the default action stores the message into INBOX, thus finishing execution of sieve scripts. So, in the most wanted case, the "sieve_after" which is supposed to notify the user about problems with his script will not be called.

These logs contain messages about syntax errors which depend on the exact environment (say, the list of enabled Sieve extensions). Also they have reports about runtime problems like an absent folder referenced in the script. It is a bad situation if the user can not read these logs.

I see a couple of workarounds.

First: a separate FilterSet which the user can activate to get .dovecot.sieve.log when he wants. It can be something like

===
$ cat /srv/dovecot/seriv/.dovecot.sieve
require ["vnd.dovecot.execute"];
# rule:[dovecot.sieve.log]
if header :contains "subject" "dovecot.sieve.log"
{
    execute "log_content.sh";
}
===

with

===
$ cat /usr/lib64/dovecot/sieve-extprograms/log_content.sh
#!/bin/bash
# Mail the user's own sieve log to the delivery recipient, then empty it.
# The sieve extprograms "execute" action exports RECIPIENT (along with
# SENDER, USER and HOME) to the program's environment.
if test -s "$HOME/.dovecot.sieve.log"; then
    /usr/bin/mailx -s "sieve.log" "$RECIPIENT" < "$HOME/.dovecot.sieve.log"
    /usr/bin/echo -n '' > "$HOME/.dovecot.sieve.log"
fi
===

Second: a separate user, say "givemel...@imap.example.org" on my IMAP server. When the user sends a request to this address, it replies with the content of the user's .dovecot.sieve.log, emptying it afterwards. It should have access to the "SENDER" external variable. If needed there should be 2 step authentication against a forged "SENDER", sending a cryptographically strong token and asking the user to reply with the same token to authorize the request and empty the log. But isn't it too much complexity for such a thing as looking at the log?

Even another way, with the proposed httpd access, can be set up to work with apache of version 2.4.8+, using "LocationMatch" and an environment variable set to the matched regex in the "Require User" statement, like:

===
$ cat /etc/httpd/conf.d/userdir.conf
UserDir /srv/dovecot
LogLevel debug
# The named group WHICHUSER is exposed as the MATCH_WHICHUSER environment
# variable (Apache 2.4.8+); the section matches the /~user/ path UserDir
# serves. AllowOverride is only valid inside <Directory>, so it is not
# set here.
<LocationMatch "^/~(?<WHICHUSER>[^/]+)">
    AuthType Basic
    AuthName 'private logs'
    AuthBasicProvider file
    AuthUserFile /etc/httpd/users
    Require user %{env:MATCH_WHICHUSER}
    SSLRequireSSL
    DirectoryIndex .dovecot.sieve.log
</LocationMatch>
===

Sure, for this to work in production I will put "AuthBasicProvider ldap" and authenticate against the same LDAP server as dovecot uses. And I think I should place these sieve files into a directory separate from mail, like '/srv/sieve/', so that apache won't get access to mail.

--
Regards,
Sergey

On Thu, Feb 8, 2018 at 3:43 AM, LuKreme wrote:
> On Feb 6, 2018, at 19:53, Sergey Ivanov wrote:
>
> > Answering myself (not yet implemented, but I hope it will work):
> >
> > Using sieve extprograms extension and global "after" script, I can read
> > .dovecot.sieve.log into a sieve variable 'log_content' if this log is not
> > empty. I hope this log will be written before "after" script is called, but
> > will check if it is true.
> >
> > Then using sieve "notify" action with mailto:${user_mailaddress}?
> > body=${log_content}"
>
> Did that work?
>
> --
> This is my signature. There are many like it, but this one is mine.
Re: Dovecot 2.3.0 assertion failure on LMTP delivery
Hi All,

I have a similar issue with Dovecot 2.3.0 on CentOS 6. Is it possible to fix it now? Or do we have to wait for 2.3.1?

Thanks,
Darek

On 2018-01-29 05:48, J. Nick Koston wrote:
> Hi Aki,
>
> Please see below:
>
> Thank you
> -Nick
>
> # gdb /usr/libexec/dovecot/lmtp ./3445
> Using host libthread_db library "/lib64/libthread_db.so.1".
> Core was generated by `dovecot/lmtp'.
> Program terminated with signal 6, Aborted.
> #0 0x7f297814d1f7 in raise () from /lib64/libc.so.6
> Missing separate debuginfos, use: debuginfo-install dovecot-2.3.0-8.cp1162.x86_64
> (gdb) back
> #0 0x7f297814d1f7 in raise () from /lib64/libc.so.6
> #1 0x7f297814e8e8 in abort () from /lib64/libc.so.6
> #2 0x7f29785a3eab in default_fatal_finish (type=, status=status@entry=0) at failures.c:228
> #3 0x7f29785a3f9e in i_internal_fatal_handler (ctx=0x7ffe12c97a00, format=, args=) at failures.c:718
> #4 0x7f2978517190 in i_panic (format=format@entry=0x7f29785df6a8 "file %s: line %d (%s): assertion failed: (%s)") at failures.c:306
> #5 0x7f29785bf6bb in event_unref (_event=_event@entry=0x55ac2dab3ea8) at lib-event.c:148
> #6 0x7f29788a1b64 in mail_storage_service_user_unref (_user=_user@entry=0x55ac2dab35a8) at mail-storage-service.c:1649
> #7 0x55ac2cbd03fa in lmtp_local_rcpt_deinit (rcpt=0x55ac2dab3570) at lmtp-local.c:125
> #8 0x55ac2cbd08dc in lmtp_local_deinit (_local=_local@entry=0x55ac2daa00f0) at lmtp-local.c:83
> #9 0x55ac2cbcfa5a in client_state_reset (client=0x55ac2daa0028) at client.c:177
> #10 0x7f297852e96c in smtp_server_connection_reset_state (conn=0x55ac2daaee40) at smtp-server-connection.c:1249
> #11 0x7f297852c31d in smtp_server_command_completed (cmd=0x55ac2dab3998) at smtp-server-command.c:380
> #12 0x7f297852f848 in smtp_server_connection_next_reply (conn=0x55ac2daaee40) at smtp-server-connection.c:623
> #13 smtp_server_connection_send_replies (conn=0x55ac2daaee40) at smtp-server-connection.c:682
> #14 smtp_server_connection_output (conn=0x55ac2daaee40) at smtp-server-connection.c:728
> #15 0x7f29785cb990 in stream_send_io (fstream=0x55ac2da75dd0) at ostream-file.c:475
> #16 0x7f29785bb4d5 in io_loop_call_io (io=0x55ac2dab75b0) at ioloop.c:614
> #17 0x7f29785bcdaf in io_loop_handler_run_internal (ioloop=ioloop@entry=0x55ac2da6ac50) at ioloop-epoll.c:222
> #18 0x7f29785bb5d2 in io_loop_handler_run (ioloop=ioloop@entry=0x55ac2da6ac50) at ioloop.c:666
> #19 0x7f29785bb7f8 in io_loop_run (ioloop=0x55ac2da6ac50) at ioloop.c:639
> #20 0x7f2978539bb3 in master_service_run (service=0x55ac2da6aae0, callback=callback@entry=0x55ac2cbcf3d0 ) at master-service.c:767
> #21 0x55ac2cbcf1a6 in main (argc=1, argv=0x55ac2da6a8a0) at main.c:159
> (gdb) bt full
> #0 0x7f297814d1f7 in raise () from /lib64/libc.so.6
> No symbol table info available.
> #1 0x7f297814e8e8 in abort () from /lib64/libc.so.6
> No symbol table info available.
> #2 0x7f29785a3eab in default_fatal_finish (type=, status=status@entry=0) at failures.c:228
>         backtrace = 0x55ac2da62088 "/usr/lib64/dovecot/libdovecot.so.0(+0xc8ee4) [0x7f29785a3ee4] -> /usr/lib64/dovecot/libdovecot.so.0(+0xc8f9e) [0x7f29785a3f9e] -> /usr/lib64/dovecot/libdovecot.so.0(i_fatal+0) [0x7f2978517190] -> /usr"...
>         recursed = 0
> #3 0x7f29785a3f9e in i_internal_fatal_handler (ctx=0x7ffe12c97a00, format=, args=) at failures.c:718
>         status = 0
> #4 0x7f2978517190 in i_panic (format=format@entry=0x7f29785df6a8 "file %s: line %d (%s): assertion failed: (%s)") at failures.c:306
>         ctx = {type = LOG_TYPE_PANIC, exit_status = 0, timestamp = 0x0, timestamp_usecs = 0, log_prefix = 0x0}
>         args = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7ffe12c97af0, reg_save_area = 0x7ffe12c97a30}}
> #5 0x7f29785bf6bb in event_unref (_event=_event@entry=0x55ac2dab3ea8) at lib-event.c:148
>         event = 0x55ac2dab8180
>         __func__ = "event_unref"
> #6 0x7f29788a1b64 in mail_storage_service_user_unref (_user=_user@entry=0x55ac2dab35a8) at mail-storage-service.c:1649
>         user = 0x55ac2dab3e08
>         __func__ = "mail_storage_service_user_unref"
> #7 0x55ac2cbd03fa in lmtp_local_rcpt_deinit (rcpt=0x55ac2dab3570) at lmtp-local.c:125
> No locals.
> #8 0x55ac2cbd08dc in lmtp_local_deinit (_local=_local@entry=0x55ac2daa00f0) at lmtp-local.c:83
>         rcptp_end = 0x55ac2da9fbb8
>         local = 0x55ac2dab8000
>         rcptp = 0x55ac2da9fbb0
> #9 0x55ac2cbcfa5a in client_state_reset (client=0x55ac2daa0028) at client.c:177
> No locals.
> #10 0x7f297852e96c in smtp_server_connection_reset_state (conn=0x55ac2daaee40) at smtp-server-connection.c:1249
> No locals.
> #11 0x7f297852c31d in smtp_server_command_completed (cmd=0x55ac2dab3998) at smtp-server-command.c:380
>         hook_completed =
> #12 0x7f297852f848 in smtp_server_connection_next_reply (conn=0x55ac2daaee40) at smtp-server-connection.c:623
>         cmd = 0x55ac2dab3998
>         error = 0x0
>         i =
> #13 smtp_server_connection_send_replies
Re: How to grant user access to his .dovecot.sieve.log?
On Feb 6, 2018, at 19:53, Sergey Ivanov wrote:
> Answering myself (not yet implemented, but I hope it will work):
>
> Using sieve extprograms extension and global "after" script, I can read
> .dovecot.sieve.log into a sieve variable 'log_content' if this log is not
> empty. I hope this log will be written before "after" script is called, but
> will check if it is true.
>
> Then using sieve "notify" action with
> mailto:${user_mailaddress}?body=${log_content};

Did that work?

--
This is my signature. There are many like it, but this one is mine.
Re: stats-writer failed: Permission denied
On Wed, 7 Feb 2018, Jakobus Schürz wrote:

> Since i compile my own dovecot (not using dovecot from debian), i get this error on each startup of dovecot with systemd
>
> Feb 07 11:16:35 aldebaran dovecot[7455]: imap: Error: net_connect_unix(/usr/local/var/run/dovecot/stats-writer) failed: Permission denied
> Feb 07 11:16:35 aldebaran dovecot[7455]: imap: Error: net_connect_unix(/usr/local/var/run/dovecot/stats-writer) failed: Permission denied
>
> I can change the owner and/or permissions of the file, then it works till the next reboot.
>
> How can i set this correctly in my configs?

check out something like:

service stats {
  fifo_listener stats-mail {
    user = vmail
    mode = 0600
  }
}

https://wiki2.dovecot.org/Services#unix_listeners_and_fifo_listeners

--
Steffen Kaiser
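The socket named in the error, stats-writer, is a unix_listener of the 2.3 stats service; fifo_listener stats-mail is the listener the 2.2 stats service had, so setting it does not touch the 2.3 socket's permissions. The following is an added example, not from the reply or the wiki page it links, of setting the permissions on the listener the mail processes actually connect to. Assumptions: the mail processes run as the "vmail" user from the reply, and "dovecot" is the service's default owner; adjust both to your own setup.

```conf
# Added example; not from the reply or the Dovecot wiki.
# Dovecot 2.3: imap, lmtp and other mail processes, running as the mail
# user, connect to stats-writer, so that socket must be reachable by them.
# Assumption: mail processes run as user/group "vmail" (from the reply).
# The path comes from the base_dir, /usr/local/var/run/dovecot here, which
# is why this belongs in the config rather than a one-off chmod that is
# lost when the socket is recreated at the next start.
service stats {
  unix_listener stats-writer {
    # owner stays the service default; group access is what the mail
    # processes need, and 0660 keeps other local users off the socket
    group = vmail
    mode = 0660
  }
}

# For comparison, the 2.2 form from the reply. Harmless on 2.3 but it
# creates no stats-writer socket and does not fix the error above:
#service stats {
#  fifo_listener stats-mail {
#    user = vmail
#    mode = 0600
#  }
#}
```

If some services run under a different account than the mail user (for example the default "dovecot" user for internal processes), that account also needs group access to the socket; widening the mode to 0666 is the blunt alternative and lets any local user inject statistics, so prefer group membership.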