Re: Make fails with 2.3.0.1 & 2.2.34 on Mac OS X 10.7.5

2018-02-28 Thread Aki Tuomi


On 01.03.2018 07:34, James Brown wrote:
> On 1 Mar 2018, at 4:09 pm, Aki Tuomi wrote:
>>
>>
>>> On 01 March 2018 at 06:21 James Brown <jlbr...@bordo.com.au> wrote:
>>>
>>>
>>> Have tried 2.3.0, 2.3.0.1 & 2.2.34.
>>>
>>> Compile is failing for me.
>>>
>>> ./configure --with-mysql --with-ssl=openssl:
>>>
>>> ...
>>> checking for SSL_read in -lssl... yes
>>> checking openssl/ssl.h usability... yes
>>> checking openssl/ssl.h presence... yes
>>> checking for openssl/ssl.h... yes
>>> checking openssl/err.h usability... yes
>>> checking openssl/err.h presence... yes
>>> checking for openssl/err.h... yes
>>> checking if OpenSSL version is 1.0.1 or newer... true
>>> checking if OpenSSL version is 1.0.2 or better... true
>>> checking whether SSL_clear_options exists... no
>>> ...
>>> Any suggestions?
>>>
>>> Thanks,
>>>
>>> James.
>>>
>>
>> What SSL library and version?
>> --- 
>> Aki Tuomi
>
> OpenSSL
>
> $ openssl version
> OpenSSL 1.0.2g  1 Mar 2016
>
> But I also have:
>
> $ /usr/local/bin/openssl version
> OpenSSL 1.1.0g  2 Nov 2017
>
> James.

Can you provide the cc call as well from make?

Aki


question about quota setting with postfix and dovecot

2018-02-28 Thread Masaharu Kawada
Dear dovecot-list,

I have questions regarding setting up quota with postfix (Maildir format) +
dovecot. The main point of my question is to know how the user password is
used in quota in this case. Please see the configuration info below; my
questions are at the bottom.

Here are what have been done:



/etc/postfix/main.cf:

-
myhostname = mail.example.com
mydomain = example.com
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
home_mailbox = Maildir/

mailbox_command = /usr/libexec/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT" -d "$USER"   <--Add
-


1.
/etc/dovecot/conf.d/10-auth.conf:

#!include auth-system.conf.ext
#!include auth-sql.conf.ext
#!include auth-ldap.conf.ext
!include auth-passwdfile.conf.ext   <---Only enabled
#!include auth-checkpassword.conf.ext
#!include auth-vpopmail.conf.ext
#!include auth-static.conf.ext

2.
/etc/dovecot/conf.d/10-master.conf

service auth {
snip/
unix_listener auth-userdb {
mode = 0666  <---The permission for userdb 666
#user =
#group =
snip/

3.
/etc/dovecot/conf.d/10-mail.conf:

mail_location = maildir:~/Maildir
snip/
mail_plugins = $mail_plugins quota  <---set the plugin
snip/

4.
/etc/dovecot/conf.d/15-lda.conf:

snip/
postmaster_address = r...@example.com   <---Add postmaster
snip/
protocol lda {
mail_plugins = $mail_plugins   <--set the plugin
}

5.
/etc/dovecot/conf.d/20-imap.conf:

protocol imap {
mail_plugins = $mail_plugins imap_quota   <--set the plugin
snip/

6.
/etc/dovecot/conf.d/20-pop3.conf:

snip/
protocol pop3 {
mail_plugins = $mail_plugins quota   <--set the plugin
snip/

7.
/etc/dovecot/conf.d/90-quota.conf:

plugin {   <--set global quota
quota = maildir:
quota_rule = *:storage=100M
quota_rule2 = Trash:storage=+100M
}

8.
/etc/dovecot/conf.d/auth-passwdfile.conf.ext:

snip/
passdb {
driver = passwd-file
args = scheme=CRYPT username_format=%u /etc/dovecot/users   <--Path for passwdfile
}

userdb {
driver = passwd-file
args = username_format=%u /etc/dovecot/users
}
snip/

9.
/etc/dovecot/users:

test004:{SSHA256}hFxB8tbyZrCCcwZKDaQEiUfojbRovOq8ECU0syPHQTCY0233:18222:18222::/home/test004::userdb_quota_rule=*:storage=1M
test005:{SSHA256}hFxB8tbyZrCCcwZKDaQEiUfojbRovOq8ECU0syPHQTCY0233:18223:18223::/home/test005::userdb_quota_rule=*:storage=1M
test006:{SSHA256}hFxB8tbyZrCCcwZKDaQEiUfojbRovOq8ECU0syPHQTCY0233:18224:18224::/home/test006::userdb_quota_rule=*:storage=1M

Note: The hashed password is created by running the below command:

# doveadm pw -s ssha256

10.
/etc/dovecot/dovecot.conf:

snip/
protocols = imap pop3 <--Available protocols
snip/

11.
# service postfix restart
# service dovecot restart


Question:
1. /etc/dovecot/users is supposed to be seen instead of /etc/passwd for
authentication of imap and pops in receiving emails, isn't it?
2. If the answer for above question 1 is 'YES', then doesn't it require to
get all passwords in /etc/passwd hashed for each user and place all of them
into /etc/dovecot/users?
3. If the answer for above question 1 is 'NO', then what is the hashed password
in /etc/dovecot/users such as {SSHA256}hFX... used for?

Excuse me if those are silly questions, but I am not a dovecot person and
would very much appreciate it if anyone would kindly give me a hand on this.

Regards,
Masaharu Kawada
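
With the passwd-file passdb and userdb configured in the post above, each line of /etc/dovecot/users carries both the login hash and per-user extra fields such as userdb_quota_rule. The following is an added example (not part of the original post and not Dovecot code) that parses entries in that layout, checks a password against an {SSHA256} value, and reports accounts that share one hash string, as the three test users in the post do. The user names, passwords and salts are constructed for the illustration.

```python
import base64
import hashlib
import hmac
from collections import defaultdict

SCHEME = "{SSHA256}"


def make_ssha256(password: str, salt: bytes) -> str:
    """Encode as base64(SHA256(password || salt) || salt) with the scheme prefix."""
    digest = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha256(stored: str, candidate: str) -> bool:
    """Recompute the digest using the salt stored after the 32-byte hash."""
    if not stored.startswith(SCHEME):
        raise ValueError("entry does not use the SSHA256 scheme")
    raw = base64.b64decode(stored[len(SCHEME):], validate=True)
    if len(raw) <= 32:
        raise ValueError("SSHA256 value carries no salt")
    digest, salt = raw[:32], raw[32:]
    expected = hashlib.sha256(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)  # constant-time comparison


def parse_entry(line: str) -> dict:
    """Split user:password:uid:gid:gecos:home:shell:extra_fields."""
    parts = line.rstrip("\n").split(":", 7)  # extra fields may contain ':'
    parts += [""] * (8 - len(parts))
    user, password, uid, gid, _gecos, home, _shell, extra = parts
    # Extra fields are space-separated key=value pairs, e.g. userdb_quota_rule.
    extra_fields = dict(item.split("=", 1) for item in extra.split() if "=" in item)
    return {"user": user, "password": password, "uid": uid, "gid": gid,
            "home": home, "extra": extra_fields}


def shared_hashes(entries: list) -> dict:
    """Map each hash string used by more than one account to those accounts."""
    by_hash = defaultdict(list)
    for entry in entries:
        by_hash[entry["password"]].append(entry["user"])
    return {h: users for h, users in by_hash.items() if len(users) > 1}


# Constructed sample in the same layout as the post's /etc/dovecot/users.
# alice and bob were given one copied hash string; carol has her own salt.
COPIED = make_ssha256("constructed-pass-1", bytes.fromhex("01020304"))
UNIQUE = make_ssha256("constructed-pass-2", bytes.fromhex("0a0b0c0d"))
SAMPLE_USERS = "\n".join([
    f"alice:{COPIED}:18222:18222::/home/alice::userdb_quota_rule=*:storage=1M",
    f"bob:{COPIED}:18223:18223::/home/bob::userdb_quota_rule=*:storage=1M",
    f"carol:{UNIQUE}:18224:18224::/home/carol::userdb_quota_rule=*:storage=5M",
])


def audit(text: str) -> dict:
    """Parse every line and return the parsed entries plus any shared hashes."""
    entries = [parse_entry(line) for line in text.splitlines() if line.strip()]
    return {"entries": entries, "shared": shared_hashes(entries)}


if __name__ == "__main__":
    report = audit(SAMPLE_USERS)
    for entry in report["entries"]:
        print(entry["user"], entry["home"], entry["extra"])
    for users in report["shared"].values():
        print("same hash and salt on:", ", ".join(users))
```

An identical hash string on several accounts means the same password and the same salt, so one recovered password unlocks every account listed.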


Re: v2.2.34 released

2018-02-28 Thread A.L.E.C
On 02/28/2018 10:20 PM, Timo Sirainen wrote:
>  + mail_attachment_detection_options setting controls when
>$HasAttachment and $HasNoAttachment keywords are set for mails.

Is this a new feature? I can't find any documentation about these keywords and 
configuration.

-- 
Aleksander 'A.L.E.C' Machniak
Kolab Groupware Developer [http://kolab.org]
Roundcube Webmail Developer   [http://roundcube.net]

PGP: 19359DC1 # Blog: https://kolabian.wordpress.com


Re: Make fails with 2.3.0.1 & 2.2.34 on Mac OS X 10.7.5

2018-02-28 Thread James Brown
On 1 Mar 2018, at 4:09 pm, Aki Tuomi wrote:
> 
> 
>> On 01 March 2018 at 06:21 James Brown <jlbr...@bordo.com.au> wrote:
>> 
>> 
>> Have tried 2.3.0, 2.3.0.1 & 2.2.34.
>> 
>> Compile is failing for me.
>> 
>> ./configure --with-mysql --with-ssl=openssl:
>> 
>> ...
>> checking for SSL_read in -lssl... yes
>> checking openssl/ssl.h usability... yes
>> checking openssl/ssl.h presence... yes
>> checking for openssl/ssl.h... yes
>> checking openssl/err.h usability... yes
>> checking openssl/err.h presence... yes
>> checking for openssl/err.h... yes
>> checking if OpenSSL version is 1.0.1 or newer... true
>> checking if OpenSSL version is 1.0.2 or better... true
>> checking whether SSL_clear_options exists... no
>> ...
>> Any suggestions?
>> 
>> Thanks,
>> 
>> James.
>> 
> 
> What SSL library and version?
> --- 
> Aki Tuomi

OpenSSL

$ openssl version
OpenSSL 1.0.2g  1 Mar 2016

But I also have:

$ /usr/local/bin/openssl version
OpenSSL 1.1.0g  2 Nov 2017

James.



Re: Make fails with 2.3.0.1 & 2.2.34 on Mac OS X 10.7.5

2018-02-28 Thread Aki Tuomi


 
 
  
   
  
  
   
> On 01 March 2018 at 06:21 James Brown <jlbr...@bordo.com.au> wrote:
>
>
> Have tried 2.3.0, 2.3.0.1 & 2.2.34.
>
> Compile is failing for me.
>
> ./configure --with-mysql --with-ssl=openssl:
>
> ...
> checking for SSL_read in -lssl... yes
> checking openssl/ssl.h usability... yes
> checking openssl/ssl.h presence... yes
> checking for openssl/ssl.h... yes
> checking openssl/err.h usability... yes
> checking openssl/err.h presence... yes
> checking for openssl/err.h... yes
> checking if OpenSSL version is 1.0.1 or newer... true
> checking if OpenSSL version is 1.0.2 or better... true
> checking whether SSL_clear_options exists... no
> ...
>
> No problems. But then ‘make’ ends with:
>
> dcrypt-openssl.c:117: error: field 'ctx' has incomplete type
> dcrypt-openssl.c: In function 'dcrypt_openssl_ctx_hmac_destroy':
> dcrypt-openssl.c:451: warning: implicit declaration of function 'HMAC_cleanup'
> dcrypt-openssl.c: In function 'dcrypt_openssl_generate_ec_key':
> dcrypt-openssl.c:555: error: dereferencing pointer to incomplete type
> dcrypt-openssl.c:556: error: dereferencing pointer to incomplete type
> dcrypt-openssl.c: In function 'dcrypt_openssl_ecdh_derive_secret_local':
> dcrypt-openssl.c:588: error: dereferencing pointer to incomplete type
> dcrypt-openssl.c: In function 'dcrypt_openssl_ecdh_derive_secret_peer':
> dcrypt-openssl.c:668: error: dereferencing pointer to incomplete type
> dcrypt-openssl.c:697: error: dereferencing pointer to incomplete type
> dcrypt-openssl.c:698: error: dereferencing pointer to incomplete type
> dcrypt-openssl.c: In function 'dcrypt_openssl_store_private_key_dovecot':
> dcrypt-openssl.c:1461: error: dereferencing pointer to incomplete type
> dcrypt-openssl.c:1482: error: dereferencing pointer to incomplete type
> dcrypt-openssl.c:1489: error: dereferencing pointer to incomplete type
> dcrypt-openssl.c: In function 'dcrypt_openssl_load_private_key':
> dcrypt-openssl.c:1615: error: dereferencing pointer to incomplete type
> dcrypt-openssl.c: In function 'dcrypt_openssl_store_public_key':
> dcrypt-openssl.c:1765: error: dereferencing pointer to incomplete type
> dcrypt-openssl.c: In function 'dcrypt_openssl_private_to_public_key':
> dcrypt-openssl.c:1801: error: dereferencing pointer to incomplete type
> dcrypt-openssl.c: In function 'dcrypt_openssl_name2oid':
> dcrypt-openssl.c:2062: error: dereferencing pointer to incomplete type
> dcrypt-openssl.c: In function 'dcrypt_openssl_public_key_id_old':
> dcrypt-openssl.c:2112: error: dereferencing pointer to incomplete type
> dcrypt-openssl.c: In function 'dcrypt_openssl_private_key_id_old':
> dcrypt-openssl.c:2135: error: dereferencing pointer to incomplete type
> dcrypt-openssl.c: In function 'dcrypt_openssl_public_key_id_evp':
> dcrypt-openssl.c:2153: error: dereferencing pointer to incomplete type
> make[3]: *** [libdcrypt_openssl_la-dcrypt-openssl.lo] Error 1
> make[2]: *** [all-recursive] Error 1
> make[1]: *** [all-recursive] Error 1
> make: *** [all] Error 2
>
> Any suggestions?
>
> Thanks,
>
> James.

What SSL library and version?

---
Aki Tuomi
   
 



Make fails with 2.3.0.1 & 2.2.34 on Mac OS X 10.7.5

2018-02-28 Thread James Brown
Have tried 2.3.0, 2.3.0.1 & 2.2.34.

Compile is failing for me.

./configure --with-mysql --with-ssl=openssl:

...
checking for SSL_read in -lssl... yes
checking openssl/ssl.h usability... yes
checking openssl/ssl.h presence... yes
checking for openssl/ssl.h... yes
checking openssl/err.h usability... yes
checking openssl/err.h presence... yes
checking for openssl/err.h... yes
checking if OpenSSL version is 1.0.1 or newer... true
checking if OpenSSL version is 1.0.2 or better... true
checking whether SSL_clear_options exists... no
...

No problems. But then ‘make’ ends with:

dcrypt-openssl.c:117: error: field 'ctx' has incomplete type
dcrypt-openssl.c: In function 'dcrypt_openssl_ctx_hmac_destroy':
dcrypt-openssl.c:451: warning: implicit declaration of function 'HMAC_cleanup'
dcrypt-openssl.c: In function 'dcrypt_openssl_generate_ec_key':
dcrypt-openssl.c:555: error: dereferencing pointer to incomplete type
dcrypt-openssl.c:556: error: dereferencing pointer to incomplete type
dcrypt-openssl.c: In function 'dcrypt_openssl_ecdh_derive_secret_local':
dcrypt-openssl.c:588: error: dereferencing pointer to incomplete type
dcrypt-openssl.c: In function 'dcrypt_openssl_ecdh_derive_secret_peer':
dcrypt-openssl.c:668: error: dereferencing pointer to incomplete type
dcrypt-openssl.c:697: error: dereferencing pointer to incomplete type
dcrypt-openssl.c:698: error: dereferencing pointer to incomplete type
dcrypt-openssl.c: In function 'dcrypt_openssl_store_private_key_dovecot':
dcrypt-openssl.c:1461: error: dereferencing pointer to incomplete type
dcrypt-openssl.c:1482: error: dereferencing pointer to incomplete type
dcrypt-openssl.c:1489: error: dereferencing pointer to incomplete type
dcrypt-openssl.c: In function 'dcrypt_openssl_load_private_key':
dcrypt-openssl.c:1615: error: dereferencing pointer to incomplete type
dcrypt-openssl.c: In function 'dcrypt_openssl_store_public_key':
dcrypt-openssl.c:1765: error: dereferencing pointer to incomplete type
dcrypt-openssl.c: In function 'dcrypt_openssl_private_to_public_key':
dcrypt-openssl.c:1801: error: dereferencing pointer to incomplete type
dcrypt-openssl.c: In function 'dcrypt_openssl_name2oid':
dcrypt-openssl.c:2062: error: dereferencing pointer to incomplete type
dcrypt-openssl.c: In function 'dcrypt_openssl_public_key_id_old':
dcrypt-openssl.c:2112: error: dereferencing pointer to incomplete type
dcrypt-openssl.c: In function 'dcrypt_openssl_private_key_id_old':
dcrypt-openssl.c:2135: error: dereferencing pointer to incomplete type
dcrypt-openssl.c: In function 'dcrypt_openssl_public_key_id_evp':
dcrypt-openssl.c:2153: error: dereferencing pointer to incomplete type
make[3]: *** [libdcrypt_openssl_la-dcrypt-openssl.lo] Error 1
make[2]: *** [all-recursive] Error 1
make[1]: *** [all-recursive] Error 1
make: *** [all] Error 2

Any suggestions?

Thanks,

James.






Re: Using virtual folders with younger and index files

2018-02-28 Thread Rob Hoelz
Hi David,

Sorry, I do not - I just have two virtual folders that hold the last two weeks 
of mail, plus one that
holds flagged mails.

-Rob

On Tue, 27 Feb 2018 23:50:11 -0500
David Mehler  wrote:

> Hello Rob,
> 
> Do you by chance have a virtual/All folder which holds all your
> messages? If so, could I see that configuration?
> 
> Thanks.
> Dave.
> 
> 
> On 2/27/18, Rob Hoelz  wrote:
> > Hi list,
> >
> > I just encountered a problem while using dovecot's Virtual plugin
> > with 2.3.0.  I managed to solve the issue,
> > but I wanted to bring it to the attention of others on the list to
> > see if there exists a better solution, if
> > I found a bug, or if it's just a matter of updating documentation.
> >
> > I have a virtual folder to get the most recent two weeks of mails;
> > it looks something like this:
> >  
> >> INBOX
> >>   all younger 1209600  
> >
> > I made this folder back in October.  Lately, I started to notice
> > that the virtual folder had a surprising amount
> > of mail in it - I don't get 1,000 e-mails per week!  After some
> > doveadm commands, I realized that e-mails from
> > October were still present in my virtual folder!  Updating the
> > dovecot-virtual would clear away e-mails older than
> > two weeks (I needed to actually introduce a change, even if it was
> > just whitespace - just touching the file didn't
> > update things), and removing the dovecot index file also cleared
> > things away.  In the end, I ended up just telling
> > dovecot to disable on-disk indexes for that folder.
> >
> > I created this folder based on the examples on
> > https://wiki.dovecot.org/Plugins/Virtual - I'm wondering if I found
> > a bug or if that page should be changed to recommend disabling
> > on-disk indexes when using certain search query filters such as
> > "younger".  If the latter, I can always make the change - just let
> > me know!
> >
> > -Rob
> >  



[Dovecot-news] v2.2.34 released

2018-02-28 Thread Timo Sirainen
https://dovecot.org/releases/2.2/dovecot-2.2.34.tar.gz
https://dovecot.org/releases/2.2/dovecot-2.2.34.tar.gz.sig 

 * CVE-2017-15130: TLS SNI config lookups may lead to excessive
   memory usage, causing imap-login/pop3-login VSZ limit to be reached
   and the process restarted. This happens only if Dovecot config has
   local_name { } or local { } configuration blocks and attacker uses
   randomly generated SNI servernames.
 * CVE-2017-14461: Parsing invalid email addresses may cause a crash or
   leak memory contents to attacker. For example, these memory contents
   might contain parts of an email from another user if the same imap
   process is reused for multiple users. First discovered by Aleksandar
   Nikolic of Cisco Talos. Independently also discovered by "flxflndy"
   via HackerOne.
 * CVE-2017-15132: Aborted SASL authentication leaks memory in login
   process.
 * Linux: Core dumping is no longer enabled by default via
   PR_SET_DUMPABLE, because this may allow attackers to bypass
   chroot/group restrictions. Found by cPanel Security Team. Nowadays
   core dumps can be safely enabled by using "sysctl -w
   fs.suid_dumpable=2". If the old behaviour is wanted, it can still be
   enabled by setting:
   import_environment=$import_environment PR_SET_DUMPABLE=1
 * doveconf output now includes the hostname.

 + mail_attachment_detection_options setting controls when
   $HasAttachment and $HasNoAttachment keywords are set for mails.
 + imap: Support fetching body snippets using FETCH (SNIPPET) or
   (SNIPPET (LAZY=FUZZY))
 + fs-compress: Automatically detect whether input is compressed or not.
   Prefix the compression algorithm with "maybe-" to enable the
   detection, for example: "compress:maybe-gz:6:..."
 + Added settings to change dovecot.index* files' optimization behavior.
   See https://wiki2.dovecot.org/IndexFiles#Settings
 + Auth cache can now utilize auth workers to do password hash
   verification by setting auth_cache_verify_password_with_worker=yes.
 + Added charset_alias plugin. See
   https://wiki2.dovecot.org/Plugins/CharsetAlias
 + imap_logout_format and pop3_logout_format settings now support all of
   the generic variables (e.g. %{rip}, %{session}, etc.)
 + Added auth_policy_check_before_auth, auth_policy_check_after_auth
   and auth_policy_report_after_auth settings.
 - v2.2.33: doveadm-server: Various fixes related to log handling.
 - v2.2.33: doveadm failed when trying to access UNIX socket that didn't
   require authentication.
 - v2.2.33: doveadm log reopen stopped working
 - v2.2.30+: IMAP stopped advertising SPECIAL-USE capability
 - v2.2.30+: IMAP stopped sending untagged OK/NO storage notifications
 - replication: dsync sends unnecessary replication notification for
   changes it does internally. NOTE: Folder creates, renames, deletes
   and subscribes still trigger unnecessary replication notifications,
   but these should be rather rare.
 - mail_always/never_cache_fields setting changes weren't applied for
   existing dovecot.index.cache files.
 - Fix compiling and other problems with OpenSSL v1.1
 - auth policy: With master user logins, lookup using login username.
 - FTS reindexed all mails unnecessarily after loss of
   dovecot.index.cache file
 - mdbox rebuild repeatedly fails with "missing map extension"
 - SSL connections may have been hanging with imapc or doveadm client.
 - cassandra: Using protocol v3 (Cassandra v2.1) caused memory leaks and
   also timestamps weren't set to queries.
 - fs-crypt silently ignored public/private keys specified in
   configuration (mail_crypt_global_public/private_key) and just
   emitted plaintext output.
 - lock_method=dotlock caused crashes
 - imapc: Reconnection may cause crashes and other errors

___
Dovecot-news mailing list
Dovecot-news@dovecot.org
https://dovecot.org/mailman/listinfo/dovecot-news


[Dovecot-news] v2.3.0.1 released

2018-02-28 Thread Timo Sirainen
https://dovecot.org/releases/2.3/dovecot-2.3.0.1.tar.gz
https://dovecot.org/releases/2.3/dovecot-2.3.0.1.tar.gz.sig 

Small patch release to fix the worst bugs in v2.3.0. v2.3.1 is coming in about 
a month with a lot more changes.

 * CVE-2017-15130: TLS SNI config lookups may lead to excessive
   memory usage, causing imap-login/pop3-login VSZ limit to be reached
   and the process restarted. This happens only if Dovecot config has
   local_name { } or local { } configuration blocks and attacker uses
   randomly generated SNI servernames.
 * CVE-2017-14461: Parsing invalid email addresses may cause a crash or
   leak memory contents to attacker. For example, these memory contents
   might contain parts of an email from another user if the same imap
   process is reused for multiple users. First discovered by Aleksandar
   Nikolic of Cisco Talos. Independently also discovered by "flxflndy"
   via HackerOne.
 * CVE-2017-15132: Aborted SASL authentication leaks memory in login
   process.
 * Linux: Core dumping is no longer enabled by default via
   PR_SET_DUMPABLE, because this may allow attackers to bypass
   chroot/group restrictions. Found by cPanel Security Team. Nowadays
   core dumps can be safely enabled by using "sysctl -w
   fs.suid_dumpable=2". If the old behaviour is wanted, it can still be
   enabled by setting:
   import_environment=$import_environment PR_SET_DUMPABLE=1
 - imap-login with SSL/TLS connections may end up in infinite loop




Re: compile-error on pigeonhole

2018-02-28 Thread Stephan Bosch
On 2/28/2018 at 2:41 PM, Jakobus Schürz wrote:
> Hi!
>
> I try to compile pigeonhole from git-sources and get this error:
>
>
> libtool: link: gcc -std=gnu99 -g -O2 -fstack-protector-strong
> -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -Wall -W -Wmissing-prototypes
> -Wmissing-declarations -Wpointer-arith -Wchar-subscripts -Wformat=2
> -Wbad-function-cast -fno-builtin-strftime
> -Wstrict-aliasing=2 -I../.. -pie -Wl,-z -Wl,relro -Wl,-z -Wl,now -o
> .libs/sievec sievec-sievec.o -Wl,--export-dynamic
> ../../src/lib-sieve/.libs/libdovecot-sieve.so
> ../../src/lib-sieve-tool/.libs/libsieve-tool.a
> /usr/local/lib/dovecot/libdovecot-storage.so /usr/local/lib/dovecot/libdovecot-lda.so
> -L/usr/local/lib/dovecot /usr/local/lib/dovecot/libdovecot.so
> -Wl,-rpath -Wl,/usr/local/lib/dovecot
> ../../src/lib-sieve/.libs/libdovecot-sieve.so: undefined reference to
> `array_idx_get_space'
> collect2: error: ld returned 1 exit status
>
> I'm not able to compile pigeonhole.

What versions of Dovecot and Pigeonhole are you trying to compile?

Regards,

Stephan.


compile-error on pigeonhole

2018-02-28 Thread Jakobus Schürz

Hi!

I try to compile pigeonhole from git-sources and get this error:


libtool: link: gcc -std=gnu99 -g -O2 -fstack-protector-strong 
-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -Wall -W -Wmissing-prototypes 
-Wmissing-declarations -Wpointer-arith -Wchar-subscripts -Wformat=2 
-Wbad-function-cast -fno-builtin-strftime
-Wstrict-aliasing=2 -I../.. -pie -Wl,-z -Wl,relro -Wl,-z -Wl,now -o
.libs/sievec sievec-sievec.o -Wl,--export-dynamic 
../../src/lib-sieve/.libs/libdovecot-sieve.so 
../../src/lib-sieve-tool/.libs/libsieve-tool.a
/usr/local/lib/dovecot/libdovecot-storage.so /usr/local/lib/dovecot/libdovecot-lda.so
-L/usr/local/lib/dovecot /usr/local/lib/dovecot/libdovecot.so -Wl,-rpath 
-Wl,/usr/local/lib/dovecot
../../src/lib-sieve/.libs/libdovecot-sieve.so: undefined reference to 
`array_idx_get_space'

collect2: error: ld returned 1 exit status

I'm not able to compile pigeonhole.


Jakob



Re: dovecot.index.pvt reset, view is now inconsistent

2018-02-28 Thread Marco Giunta
Fun, I didn't read your message yesterday, but today I sent an email
like yours!!!


Cheers,
  Marco

On 2018-02-27 19:02, Rupert Gallagher wrote:
> Problem solved by going in manually. The log message appears for empty
> "public" folders. Say, you have a folder X with subfolder Y, where X
> does not contain any e-mail. The log message disappears if you drop an
> email into X, then remove it. Puf, gone! So, there seems to be a baby
> bug in how dovecot manages the index in this case.






--
Marco Giunta - ITCS SysAdmin
Via Bonomea, 265
34136 - Trieste, Italy
Tel: +39-040-3787-503
Fax: +39-040-3787-244


BUG: Error: dovecot.index.pvt reset, view is now inconsistent when shared folder is new and empty

2018-02-28 Thread Marco Giunta

Hi,
I'm using Dovecot 2.2.33.2 on RHEL 7, a new installation. My log is full
of:


Error: INDEX_FOLDER/dovecot.index.pvt reset, view is now inconsistent

or

Error: INDEX_FOLDER/dovecot.index.pvt view is inconsistent


when the shared folder has never been touched and is empty.

UserA shares folder X with UserB; if folder X is new (never
touched) and empty, every time UserB looks in that folder an error
appears in the log file. If UserA copies a mail into folder X, no more
errors. If UserA (or UserB) deletes all mails in folder X (the folder
is empty again), no more errors.


So the errors appear when UserB accesses a new (never touched) empty
shared folder; if the folder is empty but not new (e.g. UserA has
already copied and deleted mails in that folder), the error is logged only once.


Attached my configuration.

Thanks,
   Marco


--
Marco Giunta - ITCS SysAdmin
Via Bonomea, 265
34136 - Trieste, Italy
Tel: +39-040-3787-503
Fax: +39-040-3787-244

# 2.2.33.2 (d6601f4ec): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.21 (92477967)
# OS: Linux 3.10.0-693.17.1.el7.x86_64 x86_64 CentOS Linux release 7.4.1708 (Core)
auth_debug = yes
auth_master_user_separator = *
auth_mechanisms = plain login
auth_username_format = %Ln
auth_verbose = yes
auth_verbose_passwords = sha1:6
doveadm_password =  # hidden, use -P to show it
doveadm_port = 26001
first_valid_uid = 200
hostname = hostname.example.com
imap_client_workarounds = delay-newmail
imapc_features = rfc822.size fetch-headers
imapc_host = hostname.example.com
imapc_master_user = dovesuper
imapc_password =  # hidden, use -P to show it
imapc_user = %u
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
lda_original_recipient_header = Delivered-To
listen = *
lmtp_hdr_delivery_address = original
lmtp_rcpt_check_quota = yes
login_trusted_networks = 10.0.0.0/30 10.0.0.0/30 10.0.0.0/23
mail_fsync = always
mail_gid = vmail
mail_home = /srv/mail/%1n/%n
mail_location = mdbox:~/dbox:ALT=/srv/archives/%1n/%n/dbox:INDEX=/srv/indexes/%1n/%n:VOLATILEDIR=/var/tmp/dovecot-volatile/%1n/%n
mail_plugins = acl mailbox_alias quota fts fts_solr
mail_prefetch_count = 20
mail_server_admin = mailto:postmas...@example.com
mail_shared_explicit_inbox = yes
mail_uid = vmail
mailbox_list_index = yes
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext vacation-seconds spamtest spamtestplus editheader imapflags notify
mbox_write_locks = fcntl
mdbox_rotate_interval = 1 days
mdbox_rotate_size = 64 M
mmap_disable = yes
namespace inbox {
  inbox = yes
  location = 
  mailbox Archives {
    auto = subscribe
    special_use = \Archive
  }
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Junk {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix = 
  separator = /
}
namespace others {
  list = children
  location = mdbox:%%h/dbox:ALT=/srv/archives/%%1n/%%n/dbox:INDEX=/srv/indexes/%%1n/%%n:INDEXPVT=/srv/indexes/%1n/%n/shared/%%n:VOLATILEDIR=/var/tmp/dovecot-volatile/%1n/%n/shared/%%n
  prefix = Other Users/%%n/
  separator = /
  subscriptions = no
  type = shared
}
passdb {
  args = /etc/dovecot/passwd.masterusers
  default_fields = userdb_master_user=%{login_user}
  driver = passwd-file
  master = yes
  pass = yes
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.masterusers.acl
  default_fields = userdb_acl_defaults_from_inbox=yes userdb_mail=mdbox:/srv/mail/%1{login_user}/%{login_user}/dbox:ALT=/srv/archives/%1{login_user}/%{login_user}/dbox:INDEX=/srv/indexes/%1{login_user}/%{login_user}:INDEXPVT=/srv/indexes/%1n/%n/master/%{login_user}:VOLATILEDIR=/var/tmp/dovecot-volatile/%1n/%n/master/%{login_user}
  driver = ldap
  master = yes
  pass = yes
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.masterusers.noacl
  default_fields = userdb_master_user=%{login_user} userdb_mail=mdbox:/srv/mail/%1{login_user}/%{login_user}/dbox:ALT=/srv/archives/%1{login_user}/%{login_user}/dbox:INDEX=/srv/indexes/%1{login_user}/%{login_user}:INDEXPVT=/srv/indexes/%1n/%n/master/%{login_user}:VOLATILEDIR=/var/tmp/dovecot-volatile/%1n/%n/master/%{login_user}
  driver = ldap
  master = yes
  pass = yes
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
plugin {
  acl = vfile:/srv/shared/dovecot/global-acls:cache_secs=300
  acl_shared_dict = fs:posix:prefix=/srv/shared/dovecot/shared-acls/
  fts = solr
  fts_autoindex = yes
  fts_autoindex_max_recent_msgs = 20
  fts_index_timeout = 60
  fts_solr = url=http://localhost:8983/solr/dovecot/
  last_login_dict = fs:posix:prefix=~/
  last_login_key = lastlogin
  mail_log_events = delete undelete expunge copy mailbox_delete