Re: maildirlock fails

2019-04-11 Thread Aki Tuomi via dovecot


On 12.4.2019 1.08, Martynas Bendorius via dovecot wrote:
> Hello,
>
> Maildirlock seems to panic on locking:
> [root@centos7 home]# /usr/libexec/dovecot/maildirlock 
> "/home/user/imap/domain.com/email/Maildir" 10
> Panic: BUG: No IOs or timeouts set. Not waiting for infinity.
> Error: Raw backtrace: /usr/lib/dovecot/libdovecot.so.0(+0xd90ee) 
> [0x7f5bf02f10ee] -> /usr/lib/dovecot/libdovecot.so.0(+0xd9131) 
> [0x7f5bf02f1131] -> /usr/lib/dovecot/libdovecot.so.0(i_fatal+0) 
> [0x7f5bf0256efd] -> /usr/lib/dovecot/libdovecot.so.0(+0xf078c) 
> [0x7f5bf030878c] -> 
> /usr/lib/dovecot/libdovecot.so.0(io_loop_handler_run_internal+0x36) 
> [0x7f5bf030b1f6] -> 
> /usr/lib/dovecot/libdovecot.so.0(io_loop_handler_run+0x56) [0x7f5bf03099c6] 
> -> /usr/lib/dovecot/libdovecot.so.0(io_loop_run+0x38) [0x7f5bf0309be8] -> 
> /usr/libexec/dovecot/maildirlock(main+0x24a) [0x558ae0e032ca] -> 
> /lib64/libc.so.6(__libc_start_main+0xf5) [0x7f5befe6d3d5] -> 
> /usr/libexec/dovecot/maildirlock(+0x13a2) [0x558ae0e033a2]
>
> Is this a known issue?
>
> Thank you!
>
> --
> Best regards,
> Martynas Bendorius
>
>

What version is this?

Aki



Emails redownloading

2019-04-11 Thread azurit--- via dovecot

Hi,

Recently, we had a problem on one of our mail servers and, after a
reboot, the HDD with the emails wasn't mounted in the system. Until we fixed
it, LOTS of users logged in (Dovecot allowed the login and recreated the
directory structure of the mailboxes) and saw empty mailboxes. Now they are
redownloading all their email, which isn't fun, as it's about 2 TB of data.


Anyway, is there a way to prevent this in the future? Can I set
Dovecot to disallow logins in such situations? Thanks.


azur




Re: High availability of Dovecot

2019-04-11 Thread luckydog xf via dovecot
It seems that we've got 2 solutions.

1. use DNS MX record and dsync plugin of dovecot. No shared storage.
2. use VIP and shared storage.

I'll try both of them, thank you guys.

On Thu, Apr 11, 2019 at 8:45 PM Gerald Galster via dovecot <
dovecot@dovecot.org> wrote:

>
>
> > Am 11.04.2019 um 13:45 schrieb Patrick Westenberg via dovecot <
> dovecot@dovecot.org>:
> >
> > Gerald Galster via dovecot schrieb:
> >
> >> mail1.yourdomain.com  IN A 192.168.10.1
> >> mail2.yourdomain.com  IN A 192.168.20.1
> >>
> >> mail.yourdomain.com   IN A 192.168.10.1
> >> mail.yourdomain.com   IN A 192.168.20.1
> >>
> >>
> >> mail1/mail2 is for direct connection (MTAs)
> >>
> >> Your users (outlook, thunderbird, ...) connect to mail.yourdomain.com
> >>  which returns the two ip addresses.
> >>
> >> In this scenario MUA just connects to mail.yourdomain.com
> >>  and randomly uses one of the two ips. You
> >> can't control which one, but this gives you active/active loadbalancing.
> >> In case one server is down the MUA just uses the other ip.
> >
> > Are you sure that this is working?
>
>
> yes, I'm running a two node dsync cluster in production for a few years
> without issues. The system was even working during a whole datacenter
> outage because the nodes reside in different, distant locations. I
> wouldn't use a filesystem like ceph with distant locations due to latency
> issues. dsync replication is asynchronous, so there is no problem.
>
> Most cluster systems that use drbd, ceph, keepalived, pacemaker, whatever
> are operated within a single datacenter or datacenter park. If the
> datacenter goes down, your cluster is not reachable anymore. This is a
> rare event but within 10-15 years it happens to a lot of datacenters.
>
> Best regards
> Gerald
>
>
>


Re: failed: read(/var/run/dovecot/dns-client)

2019-04-11 Thread John Fawcett via dovecot
On 11/04/2019 22:09, Laura Smith via dovecot wrote:
> ‐‐‐ Original Message ‐‐‐
> On Thursday, April 11, 2019 9:01 PM, John Fawcett via dovecot 
>  wrote:
>
>> On 11/04/2019 10:02, Laura Smith via dovecot wrote:
>>
>>> ‐‐‐ Original Message ‐‐‐
>>> On Thursday, April 11, 2019 12:55 AM, John Fawcett via dovecot 
>>> dovecot@dovecot.org wrote:
>>>
 On 11/04/2019 00:51, Laura Smith via dovecot wrote:

> ‐‐‐ Original Message ‐‐‐
> On Wednesday, April 10, 2019 11:48 PM, John Fawcett via dovecot 
> dovecot@dovecot.org wrote:
>
>> On 11/04/2019 00:18, Laura Smith via dovecot wrote:
>>
>>> ‐‐‐ Original Message ‐‐‐
>>> On Wednesday, April 10, 2019 10:24 PM, Aki Tuomi 
>>> aki.tu...@open-xchange.com wrote:
>>>
> On 10 April 2019 23:56 Laura Smith via dovecot < dovecot@dovecot.org> 
> wrote:
> ‐‐‐ Original Message ‐‐‐
> On Wednesday, April 10, 2019 9:14 PM, Aki Tuomi < 
> aki.tu...@open-xchange.com> wrote:
>
>>> On 10 April 2019 23:13 Laura Smith via dovecot dovecot@dovecot.org 
>>> wrote:
>>> Sent with ProtonMail Secure Email.
>>> ‐‐‐ Original Message ‐‐‐
>>> On Wednesday, April 10, 2019 8:20 PM, Aki Tuomi 
>>> aki.tu...@open-xchange.com wrote:
>>>
> On 10 April 2019 22:13 Laura Smith via dovecot 
> dovecot@dovecot.org wrote:
> On Wednesday, April 10, 2019 7:57 PM, Aki Tuomi 
> aki.tu...@open-xchange.com wrote:
>
>>> On 10 April 2019 21:26 Laura Smith via dovecot 
>>> dovecot@dovecot.org wrote:
>>>
>>> ==
>>>
>>> dsync( foo...@example.com): Error: 
>>> imapc(foobar.example.com:993): dns_lookup(foobar.example.com) 
>>> failed: read(/var/run/dovecot/dns-client) failed: 
>>> read(size=512) failed: Connection reset by peer
>>> This is dovecot's internal dns-client, and something goes wrong 
>>> when talking to the service.
>>> dsync( foo...@example.com): Error: Failed to initialize user: 
>>> imapc: Login to foobar.example.com failed: Disconnected from 
>>> server
>>> This is btw dsync service, not imap service.
>>>
>>> ===
>>>
>>> Initially I thought "oh no, not another AppArmor block".
>>> But then surely the second message would not appear if the DNS 
>>> lookup was not successful ?
>>> Also "dig foobar.example.com" works fine.
>>> How should I be troubleshooting this ? And if it is still 
>>> likely to be AppArmor, what is calling it ? "doveadm" itself or 
>>> something else ? What does "/var/run/dovecot/dns-client" do and 
>>> why doesn't dovecot use standard OS calls like everyone else ?
>>> Because the "standard OS call" is blocking and we would prefer 
>>> it to not block everything else.
>>> So many questions !
>>> Aki
>>> Thanks for your reply, but both those messages are generated 
>>> from a simple :
>>> doveadm -v -o mail_fsync=never backup -R -u foo...@example.com 
>>> imapc:
>>> So I don't know what you mean about dsync service failing ? 
>>> Surely the DNS lookup succeeded if the 'dsync service' failed 
>>> due to remote disconnect ?
>>> I'm still none the wiser as to where to start looking for 
>>> troubleshooting ?
>>> Did you check dovecot logs? Maybe there is something useful?
>>> Aki
>>> Only the same old cryptic message about dns-client ?
>>> master: Fatal: execv(/usr/lib/dovecot/dns-client) failed: 
>>> Permission denied
>>> Something prevents executing the dns-client binary.
>>> master: Error: service(dns_client): command startup failed, 
>>> throttling for 16 secs
>>> dns_client: Fatal: master: service(dns_client): child 14293 
>>> returned error 84 (exec() failed)
>>> Aki
>>> Yes but is it being called by doveadm directly or by some other 
>>> dovecot program ? If I'm going to have to go down the AppArmor 

Re: pigeonhole tests crashing in deleteheader.svtest

2019-04-11 Thread Stephan Bosch via dovecot




On 29/03/2019 10:23, Michal Hlavinka via dovecot wrote:
> On 3/28/19 6:41 PM, Aki Tuomi via dovecot wrote:
>> On 28 March 2019 19:40 Michal Hlavinka via dovecot wrote:
>>>
>>> Hi,
>>>
>>> when trying to build dovecot 2.3.5.1 pigeonhole testsuite crashes in
>>
>> Which version of pigeonhole are you using?
>
> latest available - 0.5.5



Hmm, what platform are you compiling this on and what compiler are you 
using?


Regards,

Stephan.


Re: Mail account brute force / harassment

2019-04-11 Thread Joseph Tam via dovecot

On Thu, 11 Apr 2019, Marc Roos wrote:


> Say for instance you have someone trying to constantly access an
> account
>
> Has any of you made something creative like this:
>
> * configure that account to allow to login with any password
> * link that account to something like /dev/zero that generates infinite
> amount of messages
>  (maybe send an archive of viruses?)
> * transferring TBs of data to this harassing client.
>
> I think it would be interesting to be able to do such a thing.


As would finding the person responsible and outing them in public --
both are fantasies that do not scale to practice.

It's a costly countermeasure, and do you really want to engage in
an internet fistfight where your opponent has anonymity, access to
compromised servers or a botnet, and no scruples against launching DDoS
attacks against you?

Block them and move on.

Joseph Tam 
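
Joseph Tam's advice above is to block the source and move on; as an added example (not from the thread), here is the detection half of that in Python: it scans Dovecot login-failure lines (constructed samples, in the format imap-login and pop3-login log them) for per-IP bursts and for accounts probed from many sources. Feeding the result to a firewall or fail2ban is left out.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the format Dovecot's imap-login/pop3-login
# services log failed logins. Hosts, users and addresses are made up.
SAMPLE_LOG = """\
Apr 11 09:00:01 mx1 dovecot: imap-login: Disconnected (auth failed, 3 attempts in 4 secs): user=<alice>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS, session=<s1>
Apr 11 09:00:07 mx1 dovecot: imap-login: Disconnected (auth failed, 3 attempts in 3 secs): user=<alice>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS, session=<s2>
Apr 11 09:00:15 mx1 dovecot: imap-login: Disconnected (auth failed, 3 attempts in 5 secs): user=<alice>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS, session=<s3>
Apr 11 09:00:20 mx1 dovecot: imap-login: Disconnected (auth failed, 2 attempts in 2 secs): user=<alice>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS, session=<s4>
Apr 11 09:01:02 mx1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=198.51.100.9, lip=192.0.2.10, TLS, session=<s5>
Apr 11 09:01:30 mx1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=192.0.2.77, lip=192.0.2.10, TLS, session=<s6>
Apr 11 09:30:00 mx1 dovecot: imap-login: Disconnected (auth failed, 3 attempts in 4 secs): user=<alice>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS, session=<s7>
Apr 11 09:31:00 mx1 dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.77, lip=192.0.2.10, mpid=1234, TLS, session=<s8>
"""

FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot: (?:imap|pop3)-login: "
    r"Disconnected \(auth failed, (?P<attempts>\d+) attempts in \d+ secs\): "
    r"user=<(?P<user>[^>]*)>.*?\brip=(?P<rip>[0-9A-Fa-f.:]+)"
)


def parse_failures(log_text, year=2019):
    """Return [(timestamp, user, rip, attempts)] for each failed-login line.
    Syslog timestamps carry no year, so the caller supplies it."""
    failures = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are skipped
        stamp = " ".join(m["ts"].split())  # collapse the "Apr  9" padding
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        failures.append((ts, m["user"], m["rip"], int(m["attempts"])))
    return failures


def find_offenders(failures, threshold=10, window_seconds=600):
    """Sum failed attempts per source IP over a sliding window and return
    {rip: peak_attempts} for every IP whose peak reaches the threshold."""
    window = timedelta(seconds=window_seconds)
    by_rip = defaultdict(list)
    for ts, _user, rip, attempts in failures:
        by_rip[rip].append((ts, attempts))
    offenders = {}
    for rip, events in by_rip.items():
        events.sort()
        recent, total, peak = deque(), 0, 0
        for ts, attempts in events:
            recent.append((ts, attempts))
            total += attempts
            while ts - recent[0][0] > window:  # expire events outside the window
                total -= recent.popleft()[1]
            peak = max(peak, total)
        if peak >= threshold:
            offenders[rip] = peak
    return offenders


def find_targeted_accounts(failures, min_sources=3):
    """Accounts failing from many distinct IPs: the slow, distributed pattern
    that a per-IP threshold alone never trips. Returns {user: source_count}."""
    sources = defaultdict(set)
    for _ts, user, rip, _attempts in failures:
        sources[user].add(rip)
    return {u: len(ips) for u, ips in sources.items() if len(ips) >= min_sources}


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG)
    print("per-IP bursts:", find_offenders(fails, threshold=8))
    print("accounts probed from many sources:", find_targeted_accounts(fails))
```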


Secure Client-Initiated Renegotiation

2019-04-11 Thread sergio via dovecot

Hello.

I've just tested my system that runs dovecot 2.3.4.1 on debian buster 
with testssl.sh (https://testssl.sh/) and it says:


Secure Renegotiation (CVE-2009-3555)not vulnerable (OK)
Secure Client-Initiated Renegotiation   VULNERABLE (NOT ok), potential 
DoS threat


Is this a configuration or a compilation issue, and how do I solve it?

--
sergio.


maildirlock fails

2019-04-11 Thread Martynas Bendorius via dovecot
Hello,

Maildirlock seems to panic on locking:
[root@centos7 home]# /usr/libexec/dovecot/maildirlock 
"/home/user/imap/domain.com/email/Maildir" 10
Panic: BUG: No IOs or timeouts set. Not waiting for infinity.
Error: Raw backtrace: /usr/lib/dovecot/libdovecot.so.0(+0xd90ee) 
[0x7f5bf02f10ee] -> /usr/lib/dovecot/libdovecot.so.0(+0xd9131) [0x7f5bf02f1131] 
-> /usr/lib/dovecot/libdovecot.so.0(i_fatal+0) [0x7f5bf0256efd] -> 
/usr/lib/dovecot/libdovecot.so.0(+0xf078c) [0x7f5bf030878c] -> 
/usr/lib/dovecot/libdovecot.so.0(io_loop_handler_run_internal+0x36) 
[0x7f5bf030b1f6] -> /usr/lib/dovecot/libdovecot.so.0(io_loop_handler_run+0x56) 
[0x7f5bf03099c6] -> /usr/lib/dovecot/libdovecot.so.0(io_loop_run+0x38) 
[0x7f5bf0309be8] -> /usr/libexec/dovecot/maildirlock(main+0x24a) 
[0x558ae0e032ca] -> /lib64/libc.so.6(__libc_start_main+0xf5) [0x7f5befe6d3d5] 
-> /usr/libexec/dovecot/maildirlock(+0x13a2) [0x558ae0e033a2]

Is this a known issue?

Thank you!

--
Best regards,
Martynas Bendorius




Re: decrypt.rb

2019-04-11 Thread Dave via dovecot




Aki, I just used the "EC key" instructions from the Dovecot MailCrypt wiki:
https://wiki.dovecot.org/Plugins/MailCrypt

"
In order to generate an EC key, you must first choose a curve from the
output of this command:
  > openssl ecparam -list_curves

If you choose the curve prime256v1, generate an EC key with the command:
  > openssl ecparam -name prime256v1 -genkey | openssl pkey -out ecprivkey.pem

Then generate a public key out of your private EC key
  > openssl pkey -in ecprivkey.pem -pubout -out ecpubkey.pem
"

-Dave

I'm going on a limb and guess that there is something strange happening with 
ruby and openssl versions here.

The main point of the script is to show how the data can be decrypted, and can 
be used for small-scale data recovery as well.

Aki

Copy that.  I would agree that it seems to be something weird between 
OpenSSL and Ruby in this case.  Since I'm able to get it to work in my 
specific instance, and since it doesn't seem systemic outside of my 
situation, I'd say -- specific problem solved! :) Thanks for your help.

-Dave



Re: failed: read(/var/run/dovecot/dns-client)

2019-04-11 Thread Laura Smith via dovecot


‐‐‐ Original Message ‐‐‐
On Thursday, April 11, 2019 9:01 PM, John Fawcett via dovecot 
 wrote:

> On 11/04/2019 10:02, Laura Smith via dovecot wrote:
>
> > ‐‐‐ Original Message ‐‐‐
> > On Thursday, April 11, 2019 12:55 AM, John Fawcett via dovecot 
> > dovecot@dovecot.org wrote:
> >
> > > On 11/04/2019 00:51, Laura Smith via dovecot wrote:
> > >
> > > > ‐‐‐ Original Message ‐‐‐
> > > > On Wednesday, April 10, 2019 11:48 PM, John Fawcett via dovecot 
> > > > dovecot@dovecot.org wrote:
> > > >
> > > > > On 11/04/2019 00:18, Laura Smith via dovecot wrote:
> > > > >
> > > > > > ‐‐‐ Original Message ‐‐‐
> > > > > > On Wednesday, April 10, 2019 10:24 PM, Aki Tuomi 
> > > > > > aki.tu...@open-xchange.com wrote:
> > > > > >
> > > > > > > > On 10 April 2019 23:56 Laura Smith via dovecot < 
> > > > > > > > dovecot@dovecot.org> wrote:
> > > > > > > > ‐‐‐ Original Message ‐‐‐
> > > > > > > > On Wednesday, April 10, 2019 9:14 PM, Aki Tuomi < 
> > > > > > > > aki.tu...@open-xchange.com> wrote:
> > > > > > > >
> > > > > > > > > > On 10 April 2019 23:13 Laura Smith via dovecot 
> > > > > > > > > > dovecot@dovecot.org wrote:
> > > > > > > > > > Sent with ProtonMail Secure Email.
> > > > > > > > > > ‐‐‐ Original Message ‐‐‐
> > > > > > > > > > On Wednesday, April 10, 2019 8:20 PM, Aki Tuomi 
> > > > > > > > > > aki.tu...@open-xchange.com wrote:
> > > > > > > > > >
> > > > > > > > > > > > On 10 April 2019 22:13 Laura Smith via dovecot 
> > > > > > > > > > > > dovecot@dovecot.org wrote:
> > > > > > > > > > > > On Wednesday, April 10, 2019 7:57 PM, Aki Tuomi 
> > > > > > > > > > > > aki.tu...@open-xchange.com wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > > > On 10 April 2019 21:26 Laura Smith via dovecot 
> > > > > > > > > > > > > > dovecot@dovecot.org wrote:
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > ==
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > dsync( foo...@example.com): Error: 
> > > > > > > > > > > > > > imapc(foobar.example.com:993): 
> > > > > > > > > > > > > > dns_lookup(foobar.example.com) failed: 
> > > > > > > > > > > > > > read(/var/run/dovecot/dns-client) failed: 
> > > > > > > > > > > > > > read(size=512) failed: Connection reset by peer
> > > > > > > > > > > > > > This is dovecot's internal dns-client, and 
> > > > > > > > > > > > > > something goes wrong when talking to the service.
> > > > > > > > > > > > > > dsync( foo...@example.com): Error: Failed to 
> > > > > > > > > > > > > > initialize user: imapc: Login to foobar.example.com 
> > > > > > > > > > > > > > failed: Disconnected from server
> > > > > > > > > > > > > > This is btw dsync service, not imap service.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > ===
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Initially I thought "oh no, not another AppArmor 
> > > > > > > > > > > > > > block".
> > > > > > > > > > > > > > But then surely the second message would not appear 
> > > > > > > > > > > > > > if the DNS lookup was not successful ?
> > > > > > > > > > > > > > Also "dig foobar.example.com" works fine.
> > > > > > > > > > > > > > How should I be troubleshooting this ? And if it is 
> > > > > > > > > > > > > > still likely to be AppArmor, what is calling it ? 
> > > > > > > > > > > > > > "doveadm" itself or something else ? What does 
> > > > > > > > > > > > > > "/var/run/dovecot/dns-client" do and why doesn't 
> > > > > > > > > > > > > > dovecot use standard OS calls like everyone else ?
> > > > > > > > > > > > > > Because the "standard OS call" is blocking and we 
> > > > > > > > > > > > > > would prefer it to not block everything else.
> > > > > > > > > > > > > > So many questions !
> > > > > > > > > > > > > > Aki
> > > > > > > > > > > > > > Thanks for your reply, but both those messages are 
> > > > > > > > > > > > > > generated from a simple :
> > > > > > > > > > > > > > doveadm -v -o mail_fsync=never backup -R -u 
> > > > > > > > > > > > > > foo...@example.com imapc:
> > > > > > > > > > > > > > So I don't know what you mean about dsync service 
> > > > > > > > > > > > > > failing ? Surely the DNS lookup succeeded if the 
> > > > > > > > > > > > > > 'dsync service' failed due to remote disconnect ?
> > > > > > > > > > > > > > I'm still none the wiser as to where to start 
> > > > > > > > > > > > > > looking for troubleshooting ?
> > > > > > > > > > > > > > Did you check dovecot logs? Maybe there is 
> > > > > > > > > > > > > > 

Re: failed: read(/var/run/dovecot/dns-client)

2019-04-11 Thread John Fawcett via dovecot
On 11/04/2019 10:02, Laura Smith via dovecot wrote:
> ‐‐‐ Original Message ‐‐‐
> On Thursday, April 11, 2019 12:55 AM, John Fawcett via dovecot 
>  wrote:
>
>> On 11/04/2019 00:51, Laura Smith via dovecot wrote:
>>
>>> ‐‐‐ Original Message ‐‐‐
>>> On Wednesday, April 10, 2019 11:48 PM, John Fawcett via dovecot 
>>> dovecot@dovecot.org wrote:
>>>
 On 11/04/2019 00:18, Laura Smith via dovecot wrote:

> ‐‐‐ Original Message ‐‐‐
> On Wednesday, April 10, 2019 10:24 PM, Aki Tuomi 
> aki.tu...@open-xchange.com wrote:
>
>>> On 10 April 2019 23:56 Laura Smith via dovecot < dovecot@dovecot.org> 
>>> wrote:
>>> ‐‐‐ Original Message ‐‐‐
>>> On Wednesday, April 10, 2019 9:14 PM, Aki Tuomi < 
>>> aki.tu...@open-xchange.com> wrote:
>>>
> On 10 April 2019 23:13 Laura Smith via dovecot dovecot@dovecot.org 
> wrote:
> Sent with ProtonMail Secure Email.
> ‐‐‐ Original Message ‐‐‐
> On Wednesday, April 10, 2019 8:20 PM, Aki Tuomi 
> aki.tu...@open-xchange.com wrote:
>
>>> On 10 April 2019 22:13 Laura Smith via dovecot dovecot@dovecot.org 
>>> wrote:
>>> On Wednesday, April 10, 2019 7:57 PM, Aki Tuomi 
>>> aki.tu...@open-xchange.com wrote:
>>>
> On 10 April 2019 21:26 Laura Smith via dovecot 
> dovecot@dovecot.org wrote:
> ==
> dsync( foo...@example.com): Error: imapc(foobar.example.com:993): 
> dns_lookup(foobar.example.com) failed: 
> read(/var/run/dovecot/dns-client) failed: read(size=512) failed: 
> Connection reset by peer
> This is dovecot's internal dns-client, and something goes wrong 
> when talking to the service.
> dsync( foo...@example.com): Error: Failed to initialize user: 
> imapc: Login to foobar.example.com failed: Disconnected from 
> server
> This is btw dsync service, not imap service.
> ===
> Initially I thought "oh no, not another AppArmor block".
> But then surely the second message would not appear if the DNS 
> lookup was not successful ?
> Also "dig foobar.example.com" works fine.
> How should I be troubleshooting this ? And if it is still likely 
> to be AppArmor, what is calling it ? "doveadm" itself or 
> something else ? What does "/var/run/dovecot/dns-client" do and 
> why doesn't dovecot use standard OS calls like everyone else ?
> Because the "standard OS call" is blocking and we would prefer it 
> to not block everything else.
> So many questions !
> Aki
> Thanks for your reply, but both those messages are generated from 
> a simple :
> doveadm -v -o mail_fsync=never backup -R -u foo...@example.com 
> imapc:
> So I don't know what you mean about dsync service failing ? 
> Surely the DNS lookup succeeded if the 'dsync service' failed due 
> to remote disconnect ?
> I'm still none the wiser as to where to start looking for 
> troubleshooting ?
> Did you check dovecot logs? Maybe there is something useful?
> Aki
> Only the same old cryptic message about dns-client ?
> master: Fatal: execv(/usr/lib/dovecot/dns-client) failed: 
> Permission denied
> Something prevents executing the dns-client binary.
> master: Error: service(dns_client): command startup failed, 
> throttling for 16 secs
> dns_client: Fatal: master: service(dns_client): child 14293 
> returned error 84 (exec() failed)
> Aki
> Yes but is it being called by doveadm directly or by some other 
> dovecot program ? If I'm going to have to go down the AppArmor 
> route, then I would prefer if you told me what was calling it 
> instead of me having to unnecessarily spend time doing straces !
> Also, should I be able to call dns-client directly myself ? (or 
> is there a way to do so to enable testing ?
> It is started by dovecot's master process when you connect to 
> dns-client unix socket. You can 

Re: auth-worker unknown user

2019-04-11 Thread Laura Smith via dovecot


On Thursday, April 11, 2019 5:49 PM, Aki Tuomi  
wrote:

> > On 11 April 2019 17:56 Laura Smith via dovecot dovecot@dovecot.org wrote:
> > On Thursday, April 11, 2019 3:07 PM, Aki Tuomi aki.tu...@open-xchange.com 
> > wrote:
> >
> > > > On 11 April 2019 16:45 Laura Smith via dovecot < dovecot@dovecot.org> 
> > > > wrote:
> > > > On Thursday, April 11, 2019 2:02 PM, Aki Tuomi < 
> > > > aki.tu...@open-xchange.com> wrote:
> > > >
> > > > > PAM is trying to lookup user@domain while you probably only have 
> > > > > user. PAM driver does not yet support username_format.
> > > >
> > > > > Aki
> > > >
> > > > But /etc/dovecot/users file isn't pam ?   I don't need pam if I'm 
> > > > using /etc/dovecot/users ?  Or am I understanding you wrong?
> > >
> > > you have passdb block using pam. it is involved in the lookup process.
> > >
> > > Aki Tuomi
> >
> > > doveconf -n passdb userdb
> > > passdb {
> > >   args = scheme=ARGON2ID username_format=%u /etc/dovecot/users
> > >   auth_verbose = yes
> > >   driver = passwd-file
> > > }
> > > userdb {
> > >   args = scheme=ARGON2ID username_format=%u /etc/dovecot/users
> > >   auth_verbose = yes
> > >   driver = passwd-file
> > > }
>
> Looks OK now. PAM is quite often the culprit as it's part of the default 
> shipped config and can be often missed when setting things up.
>
> Aki


I guess for the future it might be nice to have an option in the params to 
enable overrides for shipped configs (e.g. something similar to '!important' in 
CSS land).

It would be nice to be able to make local.conf the source of truth instead of 
having to say 97.5% local.conf and then these few hacks of shipped configs 
(which may or may not get overwritten by package updates from the distros).




RE: Mail account brute force / harassment

2019-04-11 Thread Marc Roos via dovecot
 


>> B. With 500GB dump
>> - the owner of the attacking server (probably hacked) will notice it
>> will be forced to take action.
>
> Unlikely. What is very likely is that your ISP shuts you down for
> network abuse.

If you do not block the request but allow it, and redirect it to a /dev/zero 
device that generates 500GB of messages, how can I ever be accused of 
network abuse?

Since your logic is not correct on this, how can I assume anything you 
write is correct?


>> If abuse clouds are smart (most are) they would notice that attacking
>> my servers will result in the loss of abuse nodes, hence they will
>> not bother me anymore.
>
> Not at all the case.
>
>> If everyone would apply strategy B, the abuse problem would get less.
>
> No. The abuse problem would be far worse.



-Original Message-
From: @lbutlr via dovecot [mailto:dovecot@dovecot.org] 
Sent: donderdag 11 april 2019 19:11
To: Peter via dovecot
Subject: Re: Mail account brute force / harassment

On 11 Apr 2019, at 04:43, Marc Roos via dovecot  
wrote:
> B. With 500GB dump
> - the owner of the attacking server (probably hacked) will notice it 
> will be forced to take action.

Unlikely. What is very likely is that your ISP shuts you down for network 
abuse.

> If abuse clouds are smart (most are) they would notice that attacking 
> my servers, will result in the loss of abuse nodes, hence they will 
> not bother me anymore.

Not at all the case.

> If every one would apply strategy B, the abuse problem would get less. 


No. The abuse problem would be far worse.


--
I thank my lucky stars I'm not superstitious.







Re: Mail account brute force / harassment

2019-04-11 Thread @lbutlr via dovecot
On 11 Apr 2019, at 04:43, Marc Roos via dovecot  wrote:
> B. With 500GB dump
> - the owner of the attacking server (probably hacked) will notice it 
> will be forced to take action.

Unlikely. What is very likely is that your ISP shuts you down for network abuse.

> If abuse clouds are smart (most are) they would notice that attacking my 
> servers, will result in the loss of abuse nodes, hence they will not 
> bother me anymore. 

Not at all the case.

> If every one would apply strategy B, the abuse problem would get less. 

No. The abuse problem would be far worse.


-- 
I thank my lucky stars I'm not superstitious.





Re: decrypt.rb

2019-04-11 Thread Aki Tuomi via dovecot


> On 11 April 2019 17:44 David Salisbury via dovecot  
> wrote:
> 
>  
> On 4/11/2019 1:50 AM, Aki Tuomi wrote:
> >
> >> ...
> >> So, not being an expert at encryption, what are the ramifications of
> >> those digests being read as different values in the two different
> >> places??   I do notice that the get_pubid_priv() function is internal to
> >> the decrypt.rb script and calls several OpenSSL functions.
> >>
> >> -Dave
> > Hmm... can you show me how you made the keypair for encryption? Maybe there 
> > is some difference?
> >
> > Aki
> >
> 
> Aki, I just used the "EC key" instructions from the Dovecot MailCrypt wiki:
> https://wiki.dovecot.org/Plugins/MailCrypt
> 
> "
> In order to generate an EC key, you must first choose a curve from the 
> output of this command:
>  > openssl ecparam -list_curves
> 
> If you choose the curve prime256v1, generate an EC key with the command:
>  > openssl ecparam -name prime256v1 -genkey | openssl pkey -out ecprivkey.pem
> 
> Then generate a public key out of your private EC key
>  > openssl pkey -in ecprivkey.pem -pubout -out ecpubkey.pem
> "
> 
> -Dave

I'm going on a limb and guess that there is something strange happening with 
ruby and openssl versions here.

The main point of the script is to show how the data can be decrypted, and can 
be used for small-scale data recovery as well.

Aki


Re: auth-worker unknown user

2019-04-11 Thread Aki Tuomi via dovecot


> On 11 April 2019 17:56 Laura Smith via dovecot  wrote:
> 
>  
> On Thursday, April 11, 2019 3:07 PM, Aki Tuomi  
> wrote:
> 
> > > On 11 April 2019 16:45 Laura Smith via dovecot < dovecot@dovecot.org> 
> > > wrote:
> > >
> > > On Thursday, April 11, 2019 2:02 PM, Aki Tuomi < 
> > > aki.tu...@open-xchange.com> wrote:
> > >
> > > > PAM is trying to lookup user@domain while you probably only have user. 
> > > > PAM driver does not yet support username_format. 
> > >
> > > > Aki
> > >
> > > But /etc/dovecot/users file isn't pam ?   I don't need pam if I'm 
> > > using /etc/dovecot/users ?  Or am I understanding you wrong?
> >
> > you have passdb block using pam. it is involved in the lookup process. 
> >
> > ---
> > Aki Tuomi
> 
> > doveconf -n passdb userdb
> passdb {
>   args = scheme=ARGON2ID username_format=%u /etc/dovecot/users
>   auth_verbose = yes
>   driver = passwd-file
> }
> userdb {
>   args = scheme=ARGON2ID username_format=%u /etc/dovecot/users
>   auth_verbose = yes
>   driver = passwd-file
> }

Looks OK now. PAM is quite often the culprit as it's part of the default 
shipped config and can be often missed when setting things up.

Aki


Re: auth-worker unknown user

2019-04-11 Thread Laura Smith via dovecot
On Thursday, April 11, 2019 3:07 PM, Aki Tuomi  
wrote:

> > On 11 April 2019 16:45 Laura Smith via dovecot < dovecot@dovecot.org> wrote:
> >
> > On Thursday, April 11, 2019 2:02 PM, Aki Tuomi < 
> > aki.tu...@open-xchange.com> wrote:
> >
> > > PAM is trying to lookup user@domain while you probably only have user. 
> > > PAM driver does not yet support username_format. 
> >
> > > Aki
> >
> > But /etc/dovecot/users file isn't pam ?   I don't need pam if I'm using 
> > /etc/dovecot/users ?  Or am I understanding you wrong?
>
> you have passdb block using pam. it is involved in the lookup process. 
>
> ---
> Aki Tuomi

> doveconf -n passdb userdb
passdb {
  args = scheme=ARGON2ID username_format=%u /etc/dovecot/users
  auth_verbose = yes
  driver = passwd-file
}
userdb {
  args = scheme=ARGON2ID username_format=%u /etc/dovecot/users
  auth_verbose = yes
  driver = passwd-file
}


Re: decrypt.rb

2019-04-11 Thread David Salisbury via dovecot



On 4/11/2019 1:50 AM, Aki Tuomi wrote:



...
So, not being an expert at encryption, what are the ramifications of
those digests being read as different values in the two different
places??   I do notice that the get_pubid_priv() function is internal to
the decrypt.rb script and calls several OpenSSL functions.

-Dave

Hmm... can you show me how you made the keypair for encryption? Maybe there is 
some difference?

Aki



Aki, I just used the "EC key" instructions from the Dovecot MailCrypt wiki:
https://wiki.dovecot.org/Plugins/MailCrypt

"
In order to generate an EC key, you must first choose a curve from the 
output of this command:

> openssl ecparam -list_curves

If you choose the curve prime256v1, generate an EC key with the command:
> openssl ecparam -name prime256v1 -genkey | openssl pkey -out ecprivkey.pem


Then generate a public key out of your private EC key
> openssl pkey -in ecprivkey.pem -pubout -out ecpubkey.pem
"

-Dave



LMTP, PAM session and home directory autocreation

2019-04-11 Thread Ivars Strazdins via dovecot
Hi,
Mail is delivered locally by Dovecot's LMTP and I need the user's home directory 
to be created if it doesn't exist yet.
There is a setting in Dovecot's configuration, "session=yes", in 
/etc/Dovecot/conf.d/auth-system.conf.ext, which should do that.

passdb {
 driver = pam
 args = session=yes dovecot
}

But I think it does not work in my setup because I do not see any PAM log entry 
for Dovecot in system log when this error happens:

Apr  9 13:01:55 mailhost dovecot: lmtp(2935): Connect from local
Apr  9 13:01:55 mailhost dovecot: lmtp(2935, testuser): Error: User initialization failed: Namespace '': mkdir(/home/testuser/Maildir) failed: Permission denied (euid=174000327(testuser) egid=174000327(testuser) missing +w perm: /home, dir owned by 0:0 mode=0755)
Apr  9 13:01:55 mailhost dovecot: lmtp(2935): Disconnect from local: Successful quit

The error above seems expected, because it is not the LMTP agent's job to create 
the user's home directory; the pam_oddjob_mkhomedir.so module should do that.
Right?

And there are common PAM log entries for every user session:

Apr  9 13:24:42 mailhost auth: pam_sss(dovecot:auth): authentication success; 
logname= uid=0 euid=0 tty=dovecot ruser=validuser rhost=::1 user= validuser
Apr  9 13:24:42 mailhost auth: pam_unix(dovecot:session): session opened for 
user validuser by (uid=0)
Apr  9 13:24:42 mailhost auth: pam_unix(dovecot:session): session closed for 
user validuser

How can I debug this problem and find out why Dovecot does not open a PAM session, 
or, if I am wrong and it does, what else is going wrong?
Home directory autocreation is configured with command "authconfig 
--enablemkhomedir --update" and it works if user logs into system via shell or 
webmail.

I tried to enable "mail_debug" in Dovecot's settings, but it did not give me 
any more information on PAM session.

Running on Centos 7.6, with Dovecot 2.2.36.

It looks like a common mistake or issue, because I am not alone: 
http://tinyurl.com/y6kjhsnw
Thank you very much in advance for your time.
Ivars


/etc/pam.d/dovecot
#%PAM-1.0
auth       required     pam_nologin.so
auth       include      password-auth
account    include      password-auth
session    include      password-auth




/etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        [default=1 success=ok] pam_localuser.so
auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so




doveconf -n
# 2.2.36 (1f10bfa63): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.24 (124e06aa)
# OS: Linux 3.10.0-957.10.1.el7.x86_64 x86_64 CentOS Linux release 7.6.1810 (Core)
# Hostname: mailhost.example.com
auth_mechanisms = plain login
auth_socket_path = /var/run/dovecot/auth-master
auth_username_format = %Ln
auth_verbose = yes
default_client_limit = 3500
default_process_limit = 500
disable_plaintext_auth = no
first_valid_uid = 203
imap_client_workarounds = tb-lsub-flags tb-extra-mailbox-sep
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
lmtp_save_to_detail_mailbox = yes
mail_location = maildir:~/Maildir:INBOX=~/Maildir:LAYOUT=fs
mail_plugins = " fts fts_lucene"
mail_privileged_group = mail
maildir_very_dirty_syncs = yes
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapsieve vnd.dovecot.imapsieve
mbox_write_locks = fcntl
namespace inbox {
 inbox = yes
 list = yes
 location = 
 mailbox Drafts {
   auto = subscribe
   special_use = \Drafts
 }
 mailbox Junk {
   auto = subscribe
   special_use = \Junk
 }
 mailbox Sent {
   auto = subscribe
   special_use = \Sent
 }
 mailbox "Sent Messages" {
   auto = subscribe
   

Re: auth-worker unknown user

2019-04-11 Thread Laura Smith via dovecot
‐‐‐ Original Message ‐‐‐
On Thursday, April 11, 2019 3:07 PM, Aki Tuomi  
wrote:

> > On 11 April 2019 16:45 Laura Smith via dovecot < dovecot@dovecot.org> wrote:
> >
> > On Thursday, April 11, 2019 2:02 PM, Aki Tuomi < 
> > aki.tu...@open-xchange.com> wrote:
> >
> > > PAM is trying to lookup user@domain while you probably only have user. 
> > > PAM driver does not yet support username_format. 
> >
> > > Aki
> >
> > But /etc/dovecot/users file isn't pam ?   I don't need pam if I'm using 
> > /etc/dovecot/users ?  Or am I understanding you wrong?
>
> you have passdb block using pam. it is involved in the lookup process. 

Well, I didn't, but it seems to be the default example config (i.e. it's in 
auth-system.conf.ext, not my local.cf).

I commented it out, but now I get
"auth: Fatal: No passdbs specified in configuration file. LOGIN mechanism needs 
one"

What am I missing to make it look in /etc/dovecot/users ?  My local.cf came 
from a known-good server so I don't understand why it hasn't implemented the 
changes that need to be done on this new one ?   What parameters am I missing ? 
  I'm lost and exhausted by struggling with dovecot these last few days.


Re: auth-worker unknown user

2019-04-11 Thread Aki Tuomi via dovecot


 
 
  
   
  
  
   
> On 11 April 2019 16:45 Laura Smith via dovecot <dovecot@dovecot.org> wrote:
>
>> On Thursday, April 11, 2019 2:02 PM, Aki Tuomi <aki.tu...@open-xchange.com> wrote:
>>
>>> PAM is trying to lookup user@domain while you probably only have user. PAM driver does not yet support username_format.
>>>
>>> Aki
>>
>> But /etc/dovecot/users file isn't pam ?   I don't need pam if I'm using /etc/dovecot/users ?  Or am I understanding you wrong?

you have passdb block using pam. it is involved in the lookup process.

---
Aki Tuomi



Re: auth-worker unknown user

2019-04-11 Thread Laura Smith via dovecot
On Thursday, April 11, 2019 2:02 PM, Aki Tuomi  
wrote:

> PAM is trying to lookup user@domain while you probably only have user. PAM 
> driver does not yet support username_format. 
>
> Aki

But /etc/dovecot/users file isn't pam ?   I don't need pam if I'm using 
/etc/dovecot/users ?  Or am I understanding you wrong?


Re: Mail account brute force / harassment

2019-04-11 Thread Anton Dollmaier via dovecot

On 11.04.2019 13:25, James via dovecot wrote:
> On 11/04/2019 11:43, Marc Roos via dovecot wrote:
>
>> A. With the fail2ban solution
>>    - you 'solve' that the current ip is not able to access you
>
> It is only a solution if there are subsequent attempts from the same 
> address.  I currently have several thousand addresses blocked due to 
> dovecot login failures.  My firewall is set to log these so I can see 
> that few repeat, those that do repeat have intervals of >1 week. 
> Blocking these has minimal effect (other than to clog fail2ban and the 
> firewall).
>
>>    - it will continue bothering other servers and admins
>
> Which is why a dnsbl for dovecot is a good idea.  I do not believe the 
> agents behind these login attempts are only targeting me, hence the 
> addresses should be shared via a dnsbl.

Probably there's an existing solution for both problems (subsequent 
attempts and dnsbl):

https://github.com/PowerDNS/weakforced

It was also discussed recently on this list:

https://www.dovecot.org/list/dovecot/2019-March/114921.html

Has already been on my personal todo list for some time, so I have no 
experience how (good) it actually works.

Best,
Anton


Re: Mail account brute force / harassment

2019-04-11 Thread James via dovecot

On 11/04/2019 12:49, Marc Roos via dovecot wrote:
> Yes indeed, we have already own dnsbl's for smtp and ssh/ftp access. How
> do you have one setup for dovecot connections?

Two answers:

1. I wrote my own very simple implementation but it does not share other 
people's data.  Sharing is the key to viability so it is/was a pointless 
exercise.  Without sharing a hacker gets at least one free shot per 
server per address.  With sharing it is closer to one per address and 
less with honeypots.

2. I said "dnsbl for dovecot is a good idea", an idea.  When this was 
raised previously we were told it was not needed and it can all be done 
with tcp wrappers, fail2ban and allow_nets.

https://dovecot.org/list/dovecot/2013-July/091236.html
https://dovecot.org/list/dovecot/2014-June/096662.html
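James's two points above (a ban only helps if the source comes back inside the ban window, and a shared list refuses a source before it gets its first free attempt on a new server) can be made concrete with a small simulation. This is an added example, not code from the thread or from Dovecot; the imap-login log lines, the list zone `dnsbl.example` and the dictionary standing in for a DNS resolver are all constructed.

```python
import ipaddress
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Constructed sample lines in the format imap-login uses for failed logins
# (syslog timestamp, then "Disconnected (auth failed, N attempts in M secs)").
SAMPLE_LOG = """\
Apr  1 02:11:08 mx dovecot: imap-login: Disconnected (auth failed, 3 attempts in 10 secs): user=<alice>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1, TLS, session=<s1>
Apr  3 14:52:40 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=203.0.113.99, lip=192.0.2.1, TLS, session=<s2>
Apr  9 09:00:01 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1, TLS, session=<s3>
Apr 11 13:25:00 mx dovecot: imap-login: Disconnected (auth failed, 2 attempts in 5 secs): user=<carol>, method=PLAIN, rip=203.0.113.99, lip=192.0.2.1, TLS, session=<s4>
Apr 11 13:25:30 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<postmaster>, method=PLAIN, rip=192.0.2.200, lip=192.0.2.1, TLS, session=<s5>
"""

AUTH_FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) .*imap-login: Disconnected "
    r"\(auth failed, (?P<attempts>\d+) attempts? in \d+ secs\): "
    r"user=<(?P<user>[^>]*)>.*\brip=(?P<rip>[0-9a-fA-F.:]+)"
)

Failure = namedtuple("Failure", "when ip user attempts")


def parse_failures(text, year):
    """Extract (timestamp, source IP, user, attempt count) from auth-failure
    lines. Syslog timestamps carry no year, so the caller supplies it."""
    out = []
    for line in text.splitlines():
        m = AUTH_FAILED.search(line)
        if not m:
            continue
        ts = " ".join(m.group("ts").split())          # collapse "Apr  1" padding
        when = datetime.strptime(ts, "%b %d %H:%M:%S").replace(year=year)
        out.append(Failure(when, m.group("rip"), m.group("user"), int(m.group("attempts"))))
    return out


def ban_effectiveness(failures, bantime_seconds):
    """Simulate a fail2ban-style ban of `bantime_seconds` starting at each IP's
    first failure and count the later connections that ban would have stopped.
    Sources that return only after weeks (the pattern James describes) score
    zero blocked connections unless the ban is at least that long."""
    bantime = timedelta(seconds=bantime_seconds)
    by_ip = defaultdict(list)
    for f in failures:
        by_ip[f.ip].append(f.when)
    report = {}
    for ip, times in by_ip.items():
        times.sort()
        ban_until, blocked = None, 0
        for t in times:
            if ban_until is not None and t < ban_until:
                blocked += 1                          # connection hits an active ban
            else:
                ban_until = t + bantime               # (re)start the ban at this failure
        report[ip] = {"connections": len(times), "blocked": blocked}
    return report


def dnsbl_query_name(ip, zone):
    """Build the DNSBL query name: reversed address labels under the list zone,
    e.g. 198.51.100.7 -> 7.100.51.198.<zone> (IPv6 uses the nibble form)."""
    rev = ipaddress.ip_address(ip).reverse_pointer   # ...in-addr.arpa / ...ip6.arpa
    return rev.rsplit(".", 2)[0] + "." + zone.rstrip(".")


def listed_in_dnsbl(ip, zone, resolve):
    """True when the shared list answers for this IP. `resolve` maps a query name
    to an A record string or None; it is injected so the example runs offline."""
    answer = resolve(dnsbl_query_name(ip, zone))
    return answer is not None and answer.startswith("127.0.0.")


def refused_up_front(failures, zone, resolve):
    """Count the failed connections a shared list would have refused before the
    first password was tried: without sharing every server grants each source
    at least one free attempt."""
    return sum(1 for f in failures if listed_in_dnsbl(f.ip, zone, resolve))


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG, 2019)
    for secs in (600, 14 * 86400):                    # 10-minute vs two-week ban
        print(secs, ban_effectiveness(fails, secs))
    # Constructed stand-in for the shared list: two sources are already known.
    shared = {dnsbl_query_name(ip, "dnsbl.example"): "127.0.0.2"
              for ip in ("198.51.100.7", "203.0.113.99")}
    print("refused up front:", refused_up_front(fails, "dnsbl.example", shared.get))
```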



Re: auth-worker unknown user

2019-04-11 Thread Aki Tuomi via dovecot


 
 
  
PAM is trying to lookup user@domain while you probably only have user. PAM driver does not yet support username_format.

Aki

> On 11 April 2019 15:36 Laura Smith via dovecot <dovecot@dovecot.org> wrote:
>
> pam(foo...@example.com,192.0.1.1,<9zMTUUCGNfHZzMpL>): unknown user (SHA1 of given password: ff75068c2f4d700a49dae204d56477a5ffa5d23d)
>
> The password is correct, i.e. 'echo -n 'passed' | openssl dgst -sha1' matches.
>
> The user is setup correctly in /etc/dovecot/users (the /etc/dovecot/users was copied from another known-good server, so the syntax is correct and appropriate adjustments have been made for chmod and directory).
>
> doveconf -N follows:
>
> # 2.3.3 (dcead646b): /etc/dovecot/dovecot.conf
> # Pigeonhole version 0.5.3 (f018bbab)
> # OS: Linux 4.12.14-lp150.12.48-default x86_64
> # Hostname: foobar
> auth_mechanisms = plain login
> auth_verbose = yes
> auth_verbose_passwords = sha1
> doveadm_password = # hidden, use -P to show it
> first_valid_uid = 471
> imapc_features = rfc822.size fetch-headers
> imapc_host = foobar.example.com
> imapc_password = # hidden, use -P to show it
> imapc_port = 993
> imapc_ssl = imaps
> imapc_user = %u
> mail_location = maildir:~/Maildir
> mail_plugin_dir = /usr/lib64/dovecot/modules
> mail_prefetch_count = 20
> mailbox_list_index = yes
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body environment mailbox date ihave enotify
> namespace inbox {
>   inbox = yes
>   location =
>   mailbox Drafts {
>     special_use = \Drafts
>   }
>   mailbox Junk {
>     special_use = \Junk
>   }
>   mailbox Sent {
>     special_use = \Sent
>   }
>   mailbox "Sent Messages" {
>     special_use = \Sent
>   }
>   mailbox Trash {
>     special_use = \Trash
>   }
>   prefix =
> }
> passdb {
>   driver = pam
>   name =
> }
> plugin {
>   sieve = file:~/.dovecot.sieve
> }
> protocols = imap lmtp
> service auth {
>   unix_listener /var/spool/postfix/private/dovecot-auth {
>     group = postfix
>     mode = 0660
>     user = postfix
>   }
> }
> service imap-login {
>   process_min_avail = 3
> }
> service lmtp {
>   process_min_avail = 5
>   unix_listener /var/spool/postfix/private/dovecot-lmtp {
>     group = postfix
>     mode = 0660
>     user = postfix
>   }
>   user = my_virtmailuser
> }
> service managesieve-login {
>   inet_listener sieve {
>     port = 4190
>   }
>   inet_listener sieves {
>     address =
>     port = 5190
>     ssl = yes
>   }
> }
> ssl = required
> ssl_ca =
> ssl_cert =
> ssl_cipher_list = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
> ssl_client_ca_dir = /etc/ssl/certs
> ssl_dh = # hidden, use -P to show it
> ssl_key = # hidden, use -P to show it
> ssl_min_protocol = TLSv1.2
> ssl_options = no_compression
> ssl_prefer_server_ciphers = yes
> userdb {
>   driver = passwd
>   name =
> }
> userdb {
>   args = scheme=ARGON2ID username_format=%u /etc/dovecot/users
>   auth_verbose = yes
>   driver = passwd-file
>   name =
> }
> protocol lmtp {
>   mail_plugins = sieve
>   postmaster_address = foo...@example.com
> }
> protocol lda {
>   deliver_log_format = msgid=%m: %$
>   mail_plugins = sieve


Re: High availability of Dovecot

2019-04-11 Thread Gerald Galster via dovecot



> On 11.04.2019 at 13:45, Patrick Westenberg via dovecot wrote:
> 
> Gerald Galster via dovecot wrote:
> 
>> mail1.yourdomain.com  IN A 192.168.10.1
>> mail2.yourdomain.com  IN A 192.168.20.1
>> 
>> mail.yourdomain.com   IN A 192.168.10.1
>> mail.yourdomain.com   IN A 192.168.20.1
>> 
>> 
>> mail1/mail2 is for direct connection (MTAs)
>> 
>> Your users (outlook, thunderbird, ...) connect to mail.yourdomain.com
>>  which returns the two ip addresses.
>> 
>> In this scenario MUA just connects to mail.yourdomain.com
>>  and randomly uses one of the two ips. You
>> can't control which one, but this gives you active/active loadbalancing.
>> In case one server is down the MUA just uses the other ip.
> 
> Are you sure that this is working?


yes, I'm running a two node dsync cluster in production for a few years without
issues. The system was even working during a whole datacenter outage because the
nodes reside in different, distant locations. I wouldn't use a filesystem like
ceph with distant locations due to latency issues. dsync replication is
asynchronous, so there is no problem.

Most cluster systems that use drbd, ceph, keepalived, pacemaker, whatever are
operated within a single datacenter or datacenter park. If the datacenter goes
down, your cluster is not reachable anymore. This is a rare event but within
10-15 years it happens to a lot of datacenters.

Best regards
Gerald
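The two-A-record scheme quoted above only gives failover when the mail client walks every address the lookup returns, and a dead server still costs that client one failed connect before it moves on. This added example (not from the thread; the zone contents are copied from the quoted records, and an offline stand-in replaces the real socket connect) models that client behaviour with one server down.

```python
import random

# Constructed zone standing in for the records in the quoted reply:
# mail.yourdomain.com carries both server addresses, mail1/mail2 one each
# for direct (MTA) connections.
ZONE = {
    "mail1.yourdomain.com": ["192.168.10.1"],
    "mail2.yourdomain.com": ["192.168.20.1"],
    "mail.yourdomain.com": ["192.168.10.1", "192.168.20.1"],
}


def resolve(name, zone=ZONE, rng=random):
    """A records for `name` in resolver order. Shuffling models the round-robin
    rotation that spreads clients over both servers (active/active)."""
    addrs = list(zone[name])
    rng.shuffle(addrs)
    return addrs


def connect_with_failover(name, connector, port=993, zone=ZONE, rng=random):
    """Walk every address returned for `name`, as a client that iterates the
    whole getaddrinfo() result does. Returns (address, attempts_used) or raises
    ConnectionError when no address accepts the connection. A dead server costs
    one failed attempt (a connect timeout in practice) before the next is tried."""
    errors = []
    for attempts, addr in enumerate(resolve(name, zone, rng), start=1):
        try:
            connector(addr, port)
            return addr, attempts
        except OSError as exc:
            errors.append(f"{addr}: {exc}")
    raise ConnectionError("no reachable address: " + "; ".join(errors))


def make_connector(down):
    """Offline replacement for socket.create_connection: addresses in `down`
    refuse the connection, everything else 'connects'."""
    def connector(addr, port):
        if addr in down:
            raise ConnectionRefusedError(f"{addr}:{port} refused")
        return f"{addr}:{port}"
    return connector


def failover_trial(down, trials=200, seed=1):
    """Run many client connections with the hosts in `down` failed and return
    how often each surviving address ended up serving the client."""
    rng = random.Random(seed)
    served = {}
    for _ in range(trials):
        addr, _ = connect_with_failover("mail.yourdomain.com",
                                        make_connector(down), rng=rng)
        served[addr] = served.get(addr, 0) + 1
    return served


if __name__ == "__main__":
    print("both up:      ", failover_trial(set()))
    print("mail1 down:   ", failover_trial({"192.168.10.1"}))
```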




auth-worker unknown user

2019-04-11 Thread Laura Smith via dovecot
pam(foo...@example.com,192.0.1.1,<9zMTUUCGNfHZzMpL>): unknown user (SHA1 of given password: ff75068c2f4d700a49dae204d56477a5ffa5d23d)


The password is correct, i.e. 'echo -n 'passed' | openssl dgst -sha1' matches.

The user is setup correctly in /etc/dovecot/users (the /etc/dovecot/users was 
copied from another known-good server, so the syntax is correct and appropriate 
adjustments have been made for chmod and directory).

doveconf -N follows:

# 2.3.3 (dcead646b): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.3 (f018bbab)
# OS: Linux 4.12.14-lp150.12.48-default x86_64
# Hostname: foobar
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = sha1
doveadm_password = # hidden, use -P to show it
first_valid_uid = 471
imapc_features = rfc822.size fetch-headers
imapc_host = foobar.example.com
imapc_password = # hidden, use -P to show it
imapc_port = 993
imapc_ssl = imaps
imapc_user = %u
mail_location = maildir:~/Maildir
mail_plugin_dir = /usr/lib64/dovecot/modules
mail_prefetch_count = 20
mailbox_list_index = yes
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body environment mailbox date ihave enotify
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
special_use = \Drafts
  }
  mailbox Junk {
special_use = \Junk
  }
  mailbox Sent {
special_use = \Sent
  }
  mailbox "Sent Messages" {
special_use = \Sent
  }
  mailbox Trash {
special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
  name =
}
plugin {
  sieve = file:~/.dovecot.sieve
}
protocols = imap lmtp
service auth {
  unix_listener /var/spool/postfix/private/dovecot-auth {
group = postfix
mode = 0660
user = postfix
  }
}
service imap-login {
  process_min_avail = 3
}
service lmtp {
  process_min_avail = 5
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
group = postfix
mode = 0660
user = postfix
  }
  user = my_virtmailuser
}
service managesieve-login {
  inet_listener sieve {
port = 4190
  }
  inet_listener sieves {
address =
port = 5190
ssl = yes
  }
}
ssl = required
ssl_ca =  was automatically rejected:%n%r
}
protocol imap {
  mail_max_userip_connections = 20
}



Re: High availability of Dovecot

2019-04-11 Thread Stephan von Krawczynski via dovecot
On Thu, 11 Apr 2019 16:44:40 +0800
luckydog xf via dovecot  wrote:

> Hi, list,
> [...]
>Thanks for any suggestions and ideas.
> 

Hm, it seems most of the people answering have no real experience in
production with such setups.
Basically do this:
- setup keepalived as a cluster director on both boxes for two VIP IPs where
one is master for each and backup for the other.
- configure keepalived to load-balance both servers on the services you want
(e.g. SMTP, POP3, IMAP, POP3S, IMAPS, ...)
- use a high persistence timeout so that the same client ends up mostly on the
same service/box
- you need several subnets to do this, so that your loadbalancing takes place
on another subnet (not the external VIPs)
- If either of the boxes fails, the other will take over the VIP and continue
to serve the configured mail services, load-balancing will leave out the dead
box
This _will_ work in production, I promise, but you should be experienced with
keepalived, arp, networking to do this setup.

-- 
Regards,
Stephan



Re: High availability of Dovecot

2019-04-11 Thread Stephan von Krawczynski via dovecot
On Thu, 11 Apr 2019 16:44:40 +0800
luckydog xf via dovecot  wrote:

> Hi, list,
> [...]
>Thanks for any suggestions and ideas.
> 

Hm, it seems most of the people answering have no real experience in
production with such setups.
Basically do this:
- setup keepalived as a cluster director on both boxes for two VIPs where
one is master for each and backup for the other.
- configure keepalived to load-balance both servers on the services you want
(e.g. SMTP, POP3, IMAP, POP3S, IMAPS, ...)
- use a high persistence timeout so that the same client ends up mostly on the
same service/box
- you need several subnets to do this, so that your loadbalancing takes place
on another subnet (not the external VIPs, neither the same subnet)
- If either of the boxes fails, the other will take over the VIP and continue
to serve the configured mail services, load-balancing will leave out the dead
box
This _will_ work in production, I promise, but you should be experienced with
keepalived, arp, networking to do this setup.

-- 
Regards,
Stephan


Re: Mail account brute force / harassment

2019-04-11 Thread Odhiambo Washington via dovecot
All your approaches are not well thought out.
The best solutions are always the simplest ones.
KISS principle dictates so.

On Thu, 11 Apr 2019 at 15:01, Marc Roos  wrote:

>
> How long have we been using the current strategy? Do we have less or
> more abuse clouds operating?
>
> "Let the others bother with their own problems." is a bit narrow minded
> view. If every one on this mailing list would have this attitude, there
> would be no single answer to your question.
>
>
> -Original Message-
> From: Odhiambo Washington [mailto:odhia...@gmail.com]
> Sent: donderdag 11 april 2019 12:54
> To: Marc Roos
> Cc: dovecot
> Subject: Re: Mail account brute force / harassment
>
> Marc,
>
> There is a strategy loosely referred to as "choose your battles well"
> :-)
> If you can, hack the server and dump the 500GB - you'll be using
> resources transferring the 500GB as the other server receives it. Two
> servers wasting resources because you think you are punishing an
> offender!
>
>
> On Thu, 11 Apr 2019 at 13:43,  wrote:
>
>
> Please do not assume anything other than what is written, it is a
> hypothetical situation
>
>
> A. With the fail2ban solution
>- you 'solve' that the current ip is not able to access you
>- it will continue bothering other servers and admins
>- you get the next abuse host to give a try.
>
> B. With 500GB dump
>  - the owner of the attacking server (probably hacked) will notice
> it
> will be forced to take action.
>
>
> If abuse clouds are smart (most are) they would notice that
> attacking my
> servers, will result in the loss of abuse nodes, hence they will
> not
> bother me anymore.
>
> If every one would apply strategy B, the abuse problem would get
> less.
> Don't you agree??
>
>
>
>
>
>
> -Original Message-
> From: Odhiambo Washington
> Sent: donderdag 11 april 2019 12:28
> To: Marc Roos
> Cc: dovecot
> Subject: Re: Mail account brute force / harassment
>
>
>
> On Thu, 11 Apr 2019 at 13:24, Marc Roos via dovecot
>  wrote:
>
>
>
>
> Say for instance you have some one trying to constantly
> access an
> account
>
>
> Has any of you made something creative like this:
>
> * configure that account to allow to login with any
> password
> * link that account to something like /dev/zero that
> generates
> infinite
> amount of messages
>   (maybe send an archive of virusses?)
> * transferring TB's of data to this harassing client.
>
> I think it would be interesting to be able to do such a
> thing.
>
>
>
>
> Instead of being evil, just use fail2ban to address this problem
> :-)
>
> --
>
> Best regards,
> Odhiambo WASHINGTON,
> Nairobi,KE
> +254 7 3200 0004/+254 7 2274 3223
> "Oh, the cruft.", grep ^[^#] :-)
>
>
>
>
>
>
> --
>
> Best regards,
> Odhiambo WASHINGTON,
> Nairobi,KE
> +254 7 3200 0004/+254 7 2274 3223
> "Oh, the cruft.", grep ^[^#] :-)
>
>
>

-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)


RE: Mail account brute force / harassment

2019-04-11 Thread Marc Roos via dovecot
 
How long have we been using the current strategy? Do we have less or 
more abuse clouds operating? 

"Let the others bother with their own problems." is a bit narrow minded 
view. If every one on this mailing list would have this attitude, there 
would be no single answer to your question.


-Original Message-
From: Odhiambo Washington [mailto:odhia...@gmail.com] 
Sent: donderdag 11 april 2019 12:54
To: Marc Roos
Cc: dovecot
Subject: Re: Mail account brute force / harassment

Marc,

There is a strategy loosely referred to as "choose your battles well" 
:-) 
If you can, hack the server and dump the 500GB - you'll be using 
resources transferring the 500GB as the other server receives it. Two 
servers wasting resources because you think you are punishing an 
offender!


On Thu, 11 Apr 2019 at 13:43,  wrote:


Please do not assume anything other than what is written, it is a 
hypothetical situation


A. With the fail2ban solution
   - you 'solve' that the current ip is not able to access you
   - it will continue bothering other servers and admins
   - you get the next abuse host to give a try.

B. With 500GB dump
 - the owner of the attacking server (probably hacked) will notice 
it 
will be forced to take action.


If abuse clouds are smart (most are) they would notice that 
attacking my 
servers, will result in the loss of abuse nodes, hence they will 
not 
bother me anymore. 

If every one would apply strategy B, the abuse problem would get 
less. 
Don't you agree??






-Original Message-
From: Odhiambo Washington  
Sent: donderdag 11 april 2019 12:28
To: Marc Roos
Cc: dovecot
Subject: Re: Mail account brute force / harassment



On Thu, 11 Apr 2019 at 13:24, Marc Roos via dovecot 
 wrote:




Say for instance you have some one trying to constantly 
access an 
account


Has any of you made something creative like this:

* configure that account to allow to login with any 
password
* link that account to something like /dev/zero that 
generates 
infinite 
amount of messages
  (maybe send an archive of virusses?)
* transferring TB's of data to this harassing client.

I think it would be interesting to be able to do such a 
thing.




Instead of being evil, just use fail2ban to address this problem 
:-)  

-- 

Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)






-- 

Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)




Re: failed: read(/var/run/dovecot/dns-client)

2019-04-11 Thread Aki Tuomi via dovecot


On 11.4.2019 11.11, Laura Smith via dovecot wrote:
> ‐‐‐ Original Message ‐‐‐
> On Thursday, April 11, 2019 9:05 AM, Aki Tuomi  
> wrote:
>
>>> On 11 April 2019 11:02 Laura Smith via dovecot dovecot@dovecot.org wrote:
>>> ‐‐‐ Original Message ‐‐‐
>>> On Thursday, April 11, 2019 12:55 AM, John Fawcett via dovecot 
>>> dovecot@dovecot.org wrote:
>>>
 On 11/04/2019 00:51, Laura Smith via dovecot wrote:

> ‐‐‐ Original Message ‐‐‐
> On Wednesday, April 10, 2019 11:48 PM, John Fawcett via dovecot 
> dovecot@dovecot.org wrote:
>
>> On 11/04/2019 00:18, Laura Smith via dovecot wrote:
>>
>>> ‐‐‐ Original Message ‐‐‐
>>> On Wednesday, April 10, 2019 10:24 PM, Aki Tuomi 
>>> aki.tu...@open-xchange.com wrote:
>>>
> On 10 April 2019 23:56 Laura Smith via dovecot < dovecot@dovecot.org> 
> wrote:
> ‐‐‐ Original Message ‐‐‐
> On Wednesday, April 10, 2019 9:14 PM, Aki Tuomi < 
> aki.tu...@open-xchange.com> wrote:
>
>>> On 10 April 2019 23:13 Laura Smith via dovecot dovecot@dovecot.org 
>>> wrote:
>>> Sent with ProtonMail Secure Email.
>>> ‐‐‐ Original Message ‐‐‐
>>> On Wednesday, April 10, 2019 8:20 PM, Aki Tuomi 
>>> aki.tu...@open-xchange.com wrote:
>>>
> On 10 April 2019 22:13 Laura Smith via dovecot 
> dovecot@dovecot.org wrote:
> On Wednesday, April 10, 2019 7:57 PM, Aki Tuomi 
> aki.tu...@open-xchange.com wrote:
>
>>> On 10 April 2019 21:26 Laura Smith via dovecot 
>>> dovecot@dovecot.org wrote:
>>>
>>> ==
>>>
>>> dsync( foo...@example.com): Error: 
>>> imapc(foobar.example.com:993): dns_lookup(foobar.example.com) 
>>> failed: read(/var/run/dovecot/dns-client) failed: 
>>> read(size=512) failed: Connection reset by peer
>>> This is dovecot's internal dns-client, and something goes wrong 
>>> when talking to the service.
>>> dsync( foo...@example.com): Error: Failed to initialize user: 
>>> imapc: Login to foobar.example.com failed: Disconnected from 
>>> server
>>> This is btw dsync service, not imap service.
>>>
>>> ===
>>>
>>> Initially I thought "oh no, not another AppArmor block".
>>> But then surely the second message would not appear if the DNS 
>>> lookup was not successful ?
>>> Also "dig foobar.example.com" works fine.
>>> How should I be troubleshooting this ? And if it is still 
>>> likely to be AppArmor, what is calling it ? "doveadm" itself or 
>>> something else ? What does "/var/run/dovecot/dns-client" do and 
>>> why doesn't dovecot use standard OS calls like everyone else ?
>>> Because the "standard OS call" is blocking and we would prefer 
>>> it to not block everything else.
>>> So many questions !
>>> Aki
>>> Thanks for your reply, but both those message are generated 
>>> from a simple :
>>> doveadm -v -o mail_fsync=never backup -R -u foo...@example.com 
>>> imapc:
>>> So I don't know what you mean about dsync service failing ? 
>>> Surely the DNS lookup succeeded if the 'dsync service' failed 
>>> due to remote disconnect ?
>>> I'm still none the wiser as to where to start looking for 
>>> troubleshoting ?
>>> Did you check dovecot logs? Maybe there is something useful?
>>> Aki
>>> Only the same old cryptic message about dns-client ?
>>> master: Fatal: execv(/usr/lib/dovecot/dns-client) failed: 
>>> Permission denied
>>> Something prevents executing the dns-client binary.
>>> master: Error: service(dns_client): command startup failed, 
>>> throttling for 16 secs
>>> dns_client: Fatal: master: service(dns_client): child 14293 
>>> returned error 84 (exec() failed)
>>> Aki
>>> Yes but is it being called by doveadm directly or by some other 
>>> dovecot program ? If I'm going to have to go down the 

RE: Mail account brute force / harassment

2019-04-11 Thread Marc Roos via dovecot
Yes indeed, we have already own dnsbl's for smtp and ssh/ftp access. How 
do you have one setup for dovecot connections?


-Original Message-
From: James via dovecot [mailto:dovecot@dovecot.org] 
Sent: donderdag 11 april 2019 13:25
To: dovecot@dovecot.org
Subject: Re: Mail account brute force / harassment

On 11/04/2019 11:43, Marc Roos via dovecot wrote:

> A. With the fail2ban solution
>- you 'solve' that the current ip is not able to access you

It is only a solution if there are subsequent attempts from the same 
address.  I currently have several thousand addresses blocked due to 
dovecot login failures.  My firewall is set to log these so I can see 
that few repeat, those that do repeat have intervals of >1 week. 
Blocking these has minimal effect (other than to clog fail2ban and the 
firewall).

>- it will continue bothering other servers and admins

Which is why a dnsbl for dovecot is a good idea.  I do not believe the 
agents behind these login attempts are only targeting me, hence the 
addresses should be shared via a dnsbl.






Re: High availability of Dovecot

2019-04-11 Thread Patrick Westenberg via dovecot
Gerald Galster via dovecot wrote:

> mail1.yourdomain.com  IN A 192.168.10.1
> mail2.yourdomain.com  IN A 192.168.20.1
> 
> mail.yourdomain.com   IN A 192.168.10.1
> mail.yourdomain.com   IN A 192.168.20.1
> 
> 
> mail1/mail2 is for direct connection (MTAs)
> 
> Your users (outlook, thunderbird, ...) connect to mail.yourdomain.com
>  which returns the two ip addresses.
> 
> In this scenario MUA just connects to mail.yourdomain.com
>  and randomly uses one of the two ips. You
> can't control which one, but this gives you active/active loadbalancing.
> In case one server is down the MUA just uses the other ip.

Are you sure that this is working?

Regards
Patrick

-- 
Westenberg + Kueppers GbR  Spanische Schanzen 37
 Buero Koeln   47495 Rheinberg
pwestenb...@wk-serv.de Tel.: +49 (0)2843 90369-06
http://www.wk-serv.de  Fax : +49 (0)2843 90369-07
Gesellschafter: Sebastian Kueppers & Patrick Westenberg


Re: Mail account brute force / harassment

2019-04-11 Thread James via dovecot

On 11/04/2019 11:43, Marc Roos via dovecot wrote:

> A. With the fail2ban solution
>    - you 'solve' that the current ip is not able to access you

It is only a solution if there are subsequent attempts from the same 
address.  I currently have several thousand addresses blocked due to 
dovecot login failures.  My firewall is set to log these so I can see 
that few repeat, those that do repeat have intervals of >1 week. 
Blocking these has minimal effect (other than to clog fail2ban and the 
firewall).

>    - it will continue bothering other servers and admins

Which is why a dnsbl for dovecot is a good idea.  I do not believe the 
agents behind these login attempts are only targeting me, hence the 
addresses should be shared via a dnsbl.





RE: Mail account brute force / harassment

2019-04-11 Thread Marc Roos via dovecot
 
If I am not mistaken dovecot has already limited concurrent 
accounts/ips. Furthermore I thought it would be obvious of course to 
utilize for this only unused resources and don't jeopardize a production 
environment. 

Furthermore it is logical to assume that one abuse host is not dedicated 
to me. So it probably has 50? other connections for every one of mine. 
So if it would be common practice to dump abuse to /dev/zero, the abuse 
host would be the first to 'die'. 


-Original Message-
From: Gerald Galster via dovecot [mailto:dovecot@dovecot.org] 
Sent: donderdag 11 april 2019 12:57
To: dovecot@dovecot.org
Subject: Re: Mail account brute force / harassment



On 11.04.2019 at 12:43, Marc Roos via dovecot wrote:

Please do not assume anything other than what is written, it is a 
hypothetical situation


A. With the fail2ban solution
  - you 'solve' that the current ip is not able to access you
  - it will continue bothering other servers and admins
  - you get the next abuse host to give a try.

B. With 500GB dump
- the owner of the attacking server (probably hacked) will notice 
it 
will be forced to take action.


If abuse clouds are smart (most are) they would notice that 
attacking my 
servers, will result in the loss of abuse nodes, hence they will 
not 
bother me anymore. 

If every one would apply strategy B, the abuse problem would get 
less. 
Don't you agree??



I disagree. If 100 servers "hack" your imap account and fetch 500GB then 
most likely your server is unreachable. If this is done over many 
servers then your rack switches become the bottleneck and uninvolved 
servers are affected too.

Your solution may work if traffic is expensive and limited but we're 
heading in the other direction: you can rent a server for 50 bucks with 
1gbit bandwidth and unmetered traffic e.g. at hetzner.de

Maybe you want to look into a solution like weakforced:

https://github.com/PowerDNS/weakforced
Wforce is a project by Dovecot, PowerDNS and Open-Xchange

Best regards
Gerald










-Original Message-
From: Odhiambo Washington  
Sent: donderdag 11 april 2019 12:28
To: Marc Roos
Cc: dovecot
Subject: Re: Mail account brute force / harassment



On Thu, 11 Apr 2019 at 13:24, Marc Roos via dovecot 
 wrote:




Say for instance you have some one trying to constantly access an 
account


Has any of you made something creative like this:

* configure that account to allow to login with any password
* link that account to something like /dev/zero that generates 
infinite 
amount of messages
 (maybe send an archive of virusses?)
* transferring TB's of data to this harassing client.

I think it would be interesting to be able to do such a thing.




Instead of being evil, just use fail2ban to address this problem 
:-)  

-- 

Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)








Re: Mail account brute force / harassment

2019-04-11 Thread Gerald Galster via dovecot


> On 11.04.2019 at 12:43, Marc Roos via dovecot wrote:
> 
> Please do not assume anything other than what is written, it is a 
> hypothetical situation
> 
> 
> A. With the fail2ban solution
>   - you 'solve' that the current ip is not able to access you
>   - it will continue bothering other servers and admins
>   - you get the next abuse host to give a try.
> 
> B. With 500GB dump
> - the owner of the attacking server (probably hacked) will notice it and 
> will be forced to take action.
> 
> 
> If abuse clouds are smart (most are) they would notice that attacking my 
> servers, will result in the loss of abuse nodes, hence they will not 
> bother me anymore. 
> 
> If everyone would apply strategy B, the abuse problem would get less. 
> Don't you agree??

I disagree. If 100 servers "hack" your imap account and fetch 500GB then
most likely your server is unreachable. If this is done over many servers
then your rack switches become the bottleneck and uninvolved servers are
affected too.

Your solution may work if traffic is expensive and limited but we're heading
in the other direction: you can rent a server for 50 bucks with 1gbit bandwidth
and unmetered traffic e.g. at hetzner.de 

Maybe you want to look into a solution like weakforced:

https://github.com/PowerDNS/weakforced 
Wforce is a project by Dovecot, PowerDNS and Open-Xchange

Best regards
Gerald



> 
> 
> 
> 
> 
> 
> -Original Message-
> From: Odhiambo Washington  
> Sent: donderdag 11 april 2019 12:28
> To: Marc Roos
> Cc: dovecot
> Subject: Re: Mail account brute force / harassment
> 
> 
> 
> On Thu, 11 Apr 2019 at 13:24, Marc Roos via dovecot 
>  wrote:
> 
> 
> 
> 
>   Say for instance you have some one trying to constantly access an 
>   account
>   
>   
>   Has any of you made something creative like this:
>   
>   * configure that account to allow to login with any password
>   * link that account to something like /dev/zero that generates 
> infinite 
>   amount of messages
> (maybe send an archive of viruses?)
>   * transferring TB's of data to this harassing client.
>   
>   I think it would be interesting to be able to do such a thing.
>   
>   
> 
> 
> Instead of being evil, just use fail2ban to address this problem :-)  
> 
> -- 
> 
> Best regards,
> Odhiambo WASHINGTON,
> Nairobi,KE
> +254 7 3200 0004/+254 7 2274 3223
> "Oh, the cruft.", grep ^[^#] :-)
> 
> 



Re: Mail account brute force / harassment

2019-04-11 Thread Odhiambo Washington via dovecot
Marc,

There is a strategy loosely referred to as "choose your battles well" :-)
Let the others bother with their own problems.
If you can, hack the server and dump the 500GB - you'll be using resources
transferring the 500GB as the
other server receives it. Two servers wasting resources because you think
you are punishing an offender!


On Thu, 11 Apr 2019 at 13:43, Marc Roos  wrote:

> Please do not assume anything other than what is written, it is a
> hypothetical situation
>
>
> A. With the fail2ban solution
>- you 'solve' that the current ip is not able to access you
>- it will continue bothering other servers and admins
>- you get the next abuse host to give a try.
>
> B. With 500GB dump
>  - the owner of the attacking server (probably hacked) will notice it and
> will be forced to take action.
>
>
> If abuse clouds are smart (most are) they would notice that attacking my
> servers, will result in the loss of abuse nodes, hence they will not
> bother me anymore.
>
> If everyone would apply strategy B, the abuse problem would get less.
> Don't you agree??
>
>
>
>
>
>
> -Original Message-
> From: Odhiambo Washington
> Sent: donderdag 11 april 2019 12:28
> To: Marc Roos
> Cc: dovecot
> Subject: Re: Mail account brute force / harassment
>
>
>
> On Thu, 11 Apr 2019 at 13:24, Marc Roos via dovecot
>  wrote:
>
>
>
>
> Say for instance you have some one trying to constantly access an
> account
>
>
> Has any of you made something creative like this:
>
> * configure that account to allow to login with any password
> * link that account to something like /dev/zero that generates
> infinite
> amount of messages
>   (maybe send an archive of viruses?)
> * transferring TB's of data to this harassing client.
>
> I think it would be interesting to be able to do such a thing.
>
>
>
>
> Instead of being evil, just use fail2ban to address this problem :-)
>
> --
>
> Best regards,
> Odhiambo WASHINGTON,
> Nairobi,KE
> +254 7 3200 0004/+254 7 2274 3223
> "Oh, the cruft.", grep ^[^#] :-)
>
>
>

-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)


Re: Lua Push Notification Plugin

2019-04-11 Thread Sami Ketola via dovecot

Hi,

doveadm mailbox metadata get -u victim INBOX 
/private/vendor/vendor.dovecot/pvt/server/vendor/vendor.dovecot/http-notify

or doveadm mailbox metadata set

if you are not using appsuite as your mail frontend then you need to set the 
metadata manually or make sure that your mail frontend does set it.

Sami

> On 11 Apr 2019, at 11.50, Pabsky  wrote:
> 
> Sami,
> 
> the package 'appsuite' is not mentioned in the documentation, also I already 
> enabled imap metadata. 
> 
> What do you mean by 'It's not supposed to be a file. It's supposed to be a 
> attribute on the users INBOX'?
> 
> I'm attaching my dovecot configuration file for you to examine. Thanks Sami!
> 
> On 11/04/2019 4:37 PM, Sami Ketola wrote:
>> 
>> 
>>> On 11 Apr 2019, at 11.00, Pabsky via dovecot >> > wrote:
>>> 
>>> Thanks AKI! I'm a step closer to achieving my goals. 
>>> 
>>> However, I'm getting a new error as indicated from below:
>>> 
>>> Apr 11 01:45:34 lmtp(u...@mydomain.com 
>>> )<20801>: Debug: 
>>> push-notification-ox: Skipped because not active 
>>> (/private/vendor/vendor.dovecot/pvt/server/vendor/vendor.dovecot/http-notify
>>>  METADATA not set)
>>> Apr 11 01:45:34 lmtp(u...@mydomain.com 
>>> )<20801>: Debug: 
>>> push-notification: Push notification transaction completed
>>> 
>>> By the way, the file 
>>> /private/vendor/vendor.dovecot/pvt/server/vendor/vendor.dovecot/http-notify 
>>> does not exist on my server.
>> 
>> It's not supposed to be a file. It's supposed to be an attribute on the user's 
>> INBOX. Also you need to enable imap metadata or appsuite can't set the 
>> attribute.
>> 
>> Sami
>> 
>> 
> 



Password change problem. (INTERNAL)

2019-04-11 Thread Arvid via dovecot
Hi,

We have a strange problem with login after password change.
We need to kill the auth_worker processes to activate the new password.
It doesn't work with SIGHUP on the pid, and it doesn't help to run "doveadm auth cache 
flush".
It runs flush xx but the new password still doesn't work.
Are there any suggestions for how this can be resolved?

Our release is 2.3.5.

Arvid





RE: Mail account brute force / harassment

2019-04-11 Thread Marc Roos via dovecot
Please do not assume anything other than what is written, it is a 
hypothetical situation

 
A. With the fail2ban solution
   - you 'solve' that the current ip is not able to access you
   - it will continue bothering other servers and admins
   - you get the next abuse host to give a try.

B. With 500GB dump
 - the owner of the attacking server (probably hacked) will notice it and 
will be forced to take action.


If abuse clouds are smart (most are) they would notice that attacking my 
servers, will result in the loss of abuse nodes, hence they will not 
bother me anymore. 

If everyone would apply strategy B, the abuse problem would get less. 
Don't you agree??






-Original Message-
From: Odhiambo Washington  
Sent: donderdag 11 april 2019 12:28
To: Marc Roos
Cc: dovecot
Subject: Re: Mail account brute force / harassment



On Thu, 11 Apr 2019 at 13:24, Marc Roos via dovecot 
 wrote:




Say for instance you have some one trying to constantly access an 
account


Has any of you made something creative like this:

* configure that account to allow to login with any password
* link that account to something like /dev/zero that generates 
infinite 
amount of messages
  (maybe send an archive of viruses?)
* transferring TB's of data to this harassing client.

I think it would be interesting to be able to do such a thing.




Instead of being evil, just use fail2ban to address this problem :-)  

-- 

Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)




Re: Mail account brute force / harassment

2019-04-11 Thread Gerald Galster via dovecot


> Am 11.04.2019 um 12:28 schrieb Odhiambo Washington via dovecot 
> :
> 
> 
> 
> On Thu, 11 Apr 2019 at 13:24, Marc Roos via dovecot  > wrote:
> 
> 
> Say for instance you have some one trying to constantly access an 
> account
> 
> 
> Has any of you made something creative like this:
> 
> * configure that account to allow to login with any password
> * link that account to something like /dev/zero that generates infinite 
> amount of messages
>   (maybe send an archive of viruses?)
> * transferring TB's of data to this harassing client.
> 
> I think it would be interesting to be able to do such a thing.
> 
> 
> Instead of being evil, just use fail2ban to address this problem :-)  


fail2ban is a good solution. I don't see any benefits in granting access to 
pop/imap as well.
On the other hand, if you do this with smtp, your service is probably abused for 
sending spam, 
which you could use to train your spam filters :-)

Best regards
Gerald



Re: High availability of Dovecot

2019-04-11 Thread Gerald Galster via dovecot


> Am 11.04.2019 um 11:48 schrieb luckydog xf :
> 
> As your statement, nothing speical is needed to do except setting up DNS MX 
> records, right?

MX records are for incoming MAIL:

yourdomain.com  IN MX 100 mail1.yourdomain.com 

yourdomain.com  IN MX 100 mail2.yourdomain.com 


-> both priority 100 = 50/50 load balancing (globally, not when checked on a 
single resolver!)

Then you need A Records ( for ipv6)

mail1.yourdomain.com IN A 192.168.10.1
mail2.yourdomain.com  IN A 192.168.20.1

mail.yourdomain.com  IN A 192.168.10.1
mail.yourdomain.com  IN A 192.168.20.1


mail1/mail2 is for direct connection (MTAs)

Your users (outlook, thunderbird, ...) connect to mail.yourdomain.com 
 which returns the two ip addresses.

In this scenario MUA just connects to mail.yourdomain.com 
 and randomly uses one of the two ips. You can't 
control which one, but this gives you active/active loadbalancing.
In case one server is down the MUA just uses the other ip. dsync replicates 
bi-directionally so that both servers are up-to-date.

You don't need shared storage, every server is a copy of the other. If you want 
to use shared storage, then dsync is not for you because there is nothing to 
sync at that stage.

I would use shared storage only if you need to have more than two servers. The 
above setup has no locking problems and is performant due to local filesystems.
It depends on how many users you have and how much storage you need. You could 
buy two 2HE servers with 24 2.5" disks each (up to 96 with 4 HE), which may be 
sufficient for your needs.

> User's mail store is running on shared storage, basically user's MUA connects 
> to primary MX , the backup one is used once Primary is down.

If you're not using Maildir beware of locking issues with concurrent access. It 
could crash indices.

> It's a native HA of email system? I'll test those solution out.

Yes, it works well with small setups. For big setups you'd typically use 
dovecot director, shared storage, object storage ... but you need more servers 
and it is way more complex and expensive.

Best regards
Gerald

Re: Mail account brute force / harassment

2019-04-11 Thread Odhiambo Washington via dovecot
On Thu, 11 Apr 2019 at 13:24, Marc Roos via dovecot 
wrote:

>
>
> Say for instance you have some one trying to constantly access an
> account
>
>
> Has any of you made something creative like this:
>
> * configure that account to allow to login with any password
> * link that account to something like /dev/zero that generates infinite
> amount of messages
>   (maybe send an archive of viruses?)
> * transferring TB's of data to this harassing client.
>
> I think it would be interesting to be able to do such a thing.
>
>
Instead of being evil, just use fail2ban to address this problem :-)

-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)

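An added example, not part of the thread above: the threshold logic that fail2ban's dovecot jail applies before it bans a source, written out in Python so it can be run against log lines. The log lines below are constructed to look like the "auth failed" disconnect messages Dovecot's imap-login/pop3-login processes write; the maxretry and findtime parameters mirror the fail2ban jail options of the same name, and the hostname, users and addresses are made up.

```python
"""Sliding-window brute-force detection over Dovecot login log lines.

Added example for the fail2ban discussion; the sample log is constructed,
not taken from a real server.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the disconnect lines imap-login/pop3-login write after failed
# authentication, e.g. "Disconnected (auth failed, 3 attempts in 8 secs)".
AUTH_FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot: "
    r"(?:imap|pop3)-login: (?:Disconnected|Aborted login) \(auth failed, "
    r"(?P<attempts>\d+) attempts? in \d+ secs\): user=<(?P<user>[^>]*)>, "
    r".*?rip=(?P<rip>[0-9a-fA-F.:]+)"
)

# Constructed sample: 203.0.113.5 hammers several accounts, 198.51.100.7
# is a legitimate user who mistyped a password twice, twenty minutes apart.
SAMPLE_LOG = """\
Apr 11 12:00:01 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1, TLS, session=<a1>
Apr 11 12:00:09 mx dovecot: imap-login: Disconnected (auth failed, 3 attempts in 8 secs): user=<alice>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1, TLS, session=<a2>
Apr 11 12:00:10 mx dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1, TLS, session=<b1>
Apr 11 12:00:31 mx dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 1 secs): user=<bob>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1, session=<b2>
Apr 11 12:01:15 mx dovecot: imap-login: Disconnected (auth failed, 2 attempts in 5 secs): user=<carol>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1, TLS, session=<a3>
Apr 11 12:20:00 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<dave>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1, TLS, session=<b3>
"""


def parse_failures(log_text, year=2019):
    """Yield (timestamp, rip, user, attempts) for every auth-failure line.

    Syslog timestamps carry no year, so one is supplied by the caller.
    Successful logins and unrelated lines are skipped.
    """
    for line in log_text.splitlines():
        m = AUTH_FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["rip"], m["user"], int(m["attempts"])


def find_offenders(log_text, maxretry=5, findtime=600):
    """Return {rip: timestamp} for sources that reach maxretry failed
    attempts within any findtime-second window (fail2ban semantics).

    Dovecot's own "N attempts" counter is honoured, so a single disconnect
    line can account for several attempts; the value is the time at which
    the threshold was first crossed, i.e. when a ban would have started.
    """
    windows = defaultdict(deque)   # rip -> timestamps of recent attempts
    banned = {}
    for ts, rip, _user, attempts in parse_failures(log_text):
        if rip in banned:
            continue               # already banned, later lines are moot
        q = windows[rip]
        q.extend([ts] * attempts)
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()            # drop attempts outside the window
        if len(q) >= maxretry:
            banned[rip] = ts
    return banned


if __name__ == "__main__":
    for rip, when in find_offenders(SAMPLE_LOG).items():
        print(f"ban {rip} at {when:%H:%M:%S}")
```

With the defaults, 203.0.113.5 crosses the threshold at 12:01:15 (1 + 3 + 2 attempts within the window) while 198.51.100.7 never does, because its two failures fall outside one 600-second window. In production the same decision is taken by fail2ban's shipped dovecot filter and enforced with a firewall action; note that this per-source counting is exactly what a distributed attacker avoids by spreading attempts over many addresses, which is the case weakforced is designed to handle by counting per login name as well.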

Mail account brute force / harassment

2019-04-11 Thread Marc Roos via dovecot



Say for instance you have some one trying to constantly access an 
account


Has any of you made something creative like this:

* configure that account to allow to login with any password
* link that account to something like /dev/zero that generates infinite 
amount of messages
  (maybe send an archive of viruses?)
* transferring TB's of data to this harassing client.

I think it would be interesting to be able to do such a thing.







Re: High availability of Dovecot

2019-04-11 Thread Jan Bramkamp via dovecot
While possible, it is probably overkill. A simple failover proxy is enough
unless he requires an active-active setup.

On 11.04.19 11:54, Aki Tuomi via dovecot wrote:
> 
> On 11.4.2019 11.44, luckydog xf via dovecot wrote:
>> Hi, list,
>>
>>      I'm going to deploy postfix + dovecot + CephFS( as Mail Storage).
>> Basically I want to use two servers for them, which  is kind of HA.
>>  
>>     My idea is that using keepalived or Pacemaker to host a VIP, which
>> could fail over the other server once one is down. And I'll use
>> Haproxy or Nginx to schedule connections to one of those server based
>> on source IP( Session stickiness),  I'll use VIP as DNS record.etc, is
>> my plan doable?
>>
>>    I know MX could be server ones with different priority. But I think
>> it brings along shortage that DNS couldn't know Email server is up or
>> down, it just returns results to MUA, right?
>>
>>    Thanks for any suggestions and ideas. 
>>
>>     -
> 
> You could use dovecot configured as director in the front, it would
> assign users to backends and maintain that to avoid accessing same users
> on two backends.
> 
> Aki
> 


Re: High availability of Dovecot

2019-04-11 Thread Aki Tuomi via dovecot


On 11.4.2019 11.44, luckydog xf via dovecot wrote:
> Hi, list,
>
>      I'm going to deploy postfix + dovecot + CephFS( as Mail Storage).
> Basically I want to use two servers for them, which  is kind of HA.
>  
>     My idea is that using keepalived or Pacemaker to host a VIP, which
> could fail over the other server once one is down. And I'll use
> Haproxy or Nginx to schedule connections to one of those server based
> on source IP( Session stickiness),  I'll use VIP as DNS record.etc, is
> my plan doable?
>
>    I know MX could be server ones with different priority. But I think
> it brings along shortage that DNS couldn't know Email server is up or
> down, it just returns results to MUA, right?
>
>    Thanks for any suggestions and ideas. 
>
>     -

You could use dovecot configured as director in the front, it would
assign users to backends and maintain that to avoid accessing same users
on two backends.

Aki



Re: High availability of Dovecot

2019-04-11 Thread Gerald Galster via dovecot


>  I'm going to deploy postfix + dovecot + CephFS( as Mail Storage). 
> Basically I want to use two servers for them, which  is kind of HA.

you may consider dovecot's builtin dsync replication which works great with two 
servers (while there still is one little bug that may duplicate mails upon 
deletion with pop3 only under specific conditions)

> My idea is that using keepalived or Pacemaker to host a VIP, which could 
> fail over the other server once one is down. And I'll use Haproxy or Nginx to 
> schedule connections to one of those server based on source IP( Session 
> stickiness),  I'll use VIP as DNS record.etc, is my plan doable?
>I know MX could be server ones with different priority. But I think it 
> brings along shortage that DNS couldn't know Email server is up or down, it 
> just returns results to MUA, right?


DNS just returns your servers' ip addresses/mx records and does not know if 
they are up or down. You could combine that with an external monitoring system 
that modifies your dns entries but this is overkill (keep ttl in mind).
DNS resolvers return records in a round robin fashion so that you get 50/50 
active/active loadbalancing. SMTP does cope with delivery errors very well 
(e.g. greylisting is a temporary delivery error).
MTAs just connect to the second MX and try to deliver the mail. Even MUAs like 
Outlook, Apple Mail or Thunderbird are capable of using more than one ip: if the 
connection fails they connect to the second ip returned via DNS, without any 
user interaction.

Best regards
Gerald

Re: High availability of Dovecot

2019-04-11 Thread Jean-Daniel Dupas via dovecot



> Le 11 avr. 2019 à 10:44, luckydog xf via dovecot  a 
> écrit :
> 
> Hi, list,
> 
>  I'm going to deploy postfix + dovecot + CephFS( as Mail Storage). 
> Basically I want to use two servers for them, which  is kind of HA.
>  
> My idea is that using keepalived or Pacemaker to host a VIP, which could 
> fail over the other server once one is down. And I'll use Haproxy or Nginx to 
> schedule connections to one of those server based on source IP( Session 
> stickiness),  I'll use VIP as DNS record.etc, is my plan doable?
> 
>I know MX could be server ones with different priority. But I think it 
> brings along shortage that DNS couldn't know Email server is up or down, it 
> just returns results to MUA, right?
> 
>Thanks for any suggestions and ideas. 
> 
> -


If you just want HA and don't have a scalability issue, the simplest solution is 
probably to deploy your mail stack on 2 servers, and use pacemaker to make sure 
it runs only on one at a time (with a VIP managed by pacemaker too).

For the storage, if you have a SAN, go with it, else you may use local DRBD 
partition with replication on the standby server.



High availability of Dovecot

2019-04-11 Thread luckydog xf via dovecot
Hi, list,

 I'm going to deploy postfix + dovecot + CephFS( as Mail Storage).
Basically I want to use two servers for them, which  is kind of HA.

My idea is that using keepalived or Pacemaker to host a VIP, which
could fail over the other server once one is down. And I'll use Haproxy or
Nginx to schedule connections to one of those server based on source IP(
Session stickiness),  I'll use VIP as DNS record.etc, is my plan doable?

   I know MX could be server ones with different priority. But I think it
brings along shortage that DNS couldn't know Email server is up or down, it
just returns results to MUA, right?

   Thanks for any suggestions and ideas.

-


Re: Lua Push Notification Plugin

2019-04-11 Thread Sami Ketola via dovecot


> On 11 Apr 2019, at 11.00, Pabsky via dovecot  wrote:
> 
> Thanks AKI! I'm a step closer to achieving my goals. 
> 
> However, I'm getting a new error as indicated from below:
> 
> Apr 11 01:45:34 lmtp(u...@mydomain.com 
> )<20801>: Debug: 
> push-notification-ox: Skipped because not active 
> (/private/vendor/vendor.dovecot/pvt/server/vendor/vendor.dovecot/http-notify 
> METADATA not set)
> Apr 11 01:45:34 lmtp(u...@mydomain.com 
> )<20801>: Debug: 
> push-notification: Push notification transaction completed
> 
> By the way, the file 
> /private/vendor/vendor.dovecot/pvt/server/vendor/vendor.dovecot/http-notify 
> does not exist on my server.

It's not supposed to be a file. It's supposed to be an attribute on the user's 
INBOX. Also you need to enable imap metadata or appsuite can't set the 
attribute.

Sami




Re: failed: read(/var/run/dovecot/dns-client)

2019-04-11 Thread Laura Smith via dovecot


‐‐‐ Original Message ‐‐‐
On Thursday, April 11, 2019 9:05 AM, Aki Tuomi  
wrote:

> > On 11 April 2019 11:02 Laura Smith via dovecot dovecot@dovecot.org wrote:
> > ‐‐‐ Original Message ‐‐‐
> > On Thursday, April 11, 2019 12:55 AM, John Fawcett via dovecot 
> > dovecot@dovecot.org wrote:
> >
> > > On 11/04/2019 00:51, Laura Smith via dovecot wrote:
> > >
> > > > ‐‐‐ Original Message ‐‐‐
> > > > On Wednesday, April 10, 2019 11:48 PM, John Fawcett via dovecot 
> > > > dovecot@dovecot.org wrote:
> > > >
> > > > > On 11/04/2019 00:18, Laura Smith via dovecot wrote:
> > > > >
> > > > > > ‐‐‐ Original Message ‐‐‐
> > > > > > On Wednesday, April 10, 2019 10:24 PM, Aki Tuomi 
> > > > > > aki.tu...@open-xchange.com wrote:
> > > > > >
> > > > > > > > On 10 April 2019 23:56 Laura Smith via dovecot < 
> > > > > > > > dovecot@dovecot.org> wrote:
> > > > > > > > ‐‐‐ Original Message ‐‐‐
> > > > > > > > On Wednesday, April 10, 2019 9:14 PM, Aki Tuomi < 
> > > > > > > > aki.tu...@open-xchange.com> wrote:
> > > > > > > >
> > > > > > > > > > On 10 April 2019 23:13 Laura Smith via dovecot 
> > > > > > > > > > dovecot@dovecot.org wrote:
> > > > > > > > > > Sent with ProtonMail Secure Email.
> > > > > > > > > > ‐‐‐ Original Message ‐‐‐
> > > > > > > > > > On Wednesday, April 10, 2019 8:20 PM, Aki Tuomi 
> > > > > > > > > > aki.tu...@open-xchange.com wrote:
> > > > > > > > > >
> > > > > > > > > > > > On 10 April 2019 22:13 Laura Smith via dovecot 
> > > > > > > > > > > > dovecot@dovecot.org wrote:
> > > > > > > > > > > > On Wednesday, April 10, 2019 7:57 PM, Aki Tuomi 
> > > > > > > > > > > > aki.tu...@open-xchange.com wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > > > On 10 April 2019 21:26 Laura Smith via dovecot 
> > > > > > > > > > > > > > dovecot@dovecot.org wrote:
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > ==
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > dsync( foo...@example.com): Error: 
> > > > > > > > > > > > > > imapc(foobar.example.com:993): 
> > > > > > > > > > > > > > dns_lookup(foobar.example.com) failed: 
> > > > > > > > > > > > > > read(/var/run/dovecot/dns-client) failed: 
> > > > > > > > > > > > > > read(size=512) failed: Connection reset by peer
> > > > > > > > > > > > > > This is dovecot's internal dns-client, and 
> > > > > > > > > > > > > > something goes wrong when talking to the service.
> > > > > > > > > > > > > > dsync( foo...@example.com): Error: Failed to 
> > > > > > > > > > > > > > initialize user: imapc: Login to foobar.example.com 
> > > > > > > > > > > > > > failed: Disconnected from server
> > > > > > > > > > > > > > This is btw dsync service, not imap service.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > ===
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Initially I thought "oh no, not another AppArmor 
> > > > > > > > > > > > > > block".
> > > > > > > > > > > > > > But then surely the second message would not appear 
> > > > > > > > > > > > > > if the DNS lookup was not successful ?
> > > > > > > > > > > > > > Also "dig foobar.example.com" works fine.
> > > > > > > > > > > > > > How should I be troubleshooting this ? And if it is 
> > > > > > > > > > > > > > still likely to be AppArmor, what is calling it ? 
> > > > > > > > > > > > > > "doveadm" itself or something else ? What does 
> > > > > > > > > > > > > > "/var/run/dovecot/dns-client" do and why doesn't 
> > > > > > > > > > > > > > dovecot use standard OS calls like everyone else ?
> > > > > > > > > > > > > > Because the "standard OS call" is blocking and we 
> > > > > > > > > > > > > > would prefer it to not block everything else.
> > > > > > > > > > > > > > So many questions !
> > > > > > > > > > > > > > Aki
> > > > > > > > > > > > > > Thanks for your reply, but both those message are 
> > > > > > > > > > > > > > generated from a simple :
> > > > > > > > > > > > > > doveadm -v -o mail_fsync=never backup -R -u 
> > > > > > > > > > > > > > foo...@example.com imapc:
> > > > > > > > > > > > > > So I don't know what you mean about dsync service 
> > > > > > > > > > > > > > failing ? Surely the DNS lookup succeeded if the 
> > > > > > > > > > > > > > 'dsync service' failed due to remote disconnect ?
> > > > > > > > > > > > > > I'm still none the wiser as to where to start 
> > > > > > > > > > > > > > looking for troubleshoting ?
> > > > > > > > > > > > > > Did you check dovecot logs? Maybe there is 
> > > > > > > > > > 

Re: Lua Push Notification Plugin

2019-04-11 Thread Aki Tuomi via dovecot
It is supposed to be set by OX AppSuite when user logs in. That's why the IMAP 
METADATA extension needs to be enabled. 

Aki

> On 11 April 2019 11:00 Pabsky via dovecot  wrote:
> 
> 
> Thanks AKI! I'm a step closer to achieving my goals. 
> 
> However, I'm getting a new error as indicated from below:
> 
> Apr 11 01:45:34 lmtp(u...@mydomain.com)<20801>: 
> Debug: push-notification-ox: Skipped because not active 
> (/private/vendor/vendor.dovecot/pvt/server/vendor/vendor.dovecot/http-notify 
> METADATA not set)
> Apr 11 01:45:34 lmtp(u...@mydomain.com)<20801>: 
> Debug: push-notification: Push notification transaction completed
> 
> By the way, the file 
> /private/vendor/vendor.dovecot/pvt/server/vendor/vendor.dovecot/http-notify 
> does not exist on my server. 
> 
> Again, I appreciate the help :)
>  
> > On 11 April 2019 07:57 Robust Coding via dovecot  
> > wrote:
> > 
> > 
> > Hi Admin,
> > 
> > I hope you consider reading and addressing my concern promptly.
> > 
> > For the past few days I've been setting up a VPS with cPanel and WHM 
> > pre-installed on Bluehost. I want to enable push notification plugin in 
> > Dovecot 2.3.5. I tried OX and Lua plugins and got errors.
> > 
> > For using OX plugin:
> > push_notification_driver = 
> > ox:url=http://staging.mydomain.com/mail-notify/v1 
> > user_from_metadata
> > And got this error on runtime:
> > Error: push-notification-ox: Skipped because unable to get attribute: 
> > Mailbox 
> > attributes not enabled
> > 
>  
> mail_attribute_dict = file:%h/Maildir/dovecot-attributes
> 
> > When using Lua:
> > mail_plugins = $mail_plugins mail_lua notify push_notification 
> > push_notification_lua
> > 
> > plugin {
> >push_notification_driver = lua:file=/path/to/lua/push.lua
> > }
> > And got this error:
> > Plugin 'push_notification_lua' not found from directory /usr/lib64/dovecot
> > 
> 
> You do not have push_notification_lua installed.
> 
> > I think I'm missing something here but I can't figure it out. Please HELP!
> > 
> > Sincerely,
> > John Lopena
> > 
> > -- 
> > 
> > "Become a programmer - Lose your brain's virginity"
> 
> Aki


Re: failed: read(/var/run/dovecot/dns-client)

2019-04-11 Thread Aki Tuomi via dovecot


> On 11 April 2019 11:02 Laura Smith via dovecot  wrote:
> 
>  
> ‐‐‐ Original Message ‐‐‐
> On Thursday, April 11, 2019 12:55 AM, John Fawcett via dovecot 
>  wrote:
> 
> > On 11/04/2019 00:51, Laura Smith via dovecot wrote:
> >
> > > ‐‐‐ Original Message ‐‐‐
> > > On Wednesday, April 10, 2019 11:48 PM, John Fawcett via dovecot 
> > > dovecot@dovecot.org wrote:
> > >
> > > > On 11/04/2019 00:18, Laura Smith via dovecot wrote:
> > > >
> > > > > ‐‐‐ Original Message ‐‐‐
> > > > > On Wednesday, April 10, 2019 10:24 PM, Aki Tuomi 
> > > > > aki.tu...@open-xchange.com wrote:
> > > > >
> > > > > > > On 10 April 2019 23:56 Laura Smith via dovecot < 
> > > > > > > dovecot@dovecot.org> wrote:
> > > > > > > ‐‐‐ Original Message ‐‐‐
> > > > > > > On Wednesday, April 10, 2019 9:14 PM, Aki Tuomi < 
> > > > > > > aki.tu...@open-xchange.com> wrote:
> > > > > > >
> > > > > > > > > On 10 April 2019 23:13 Laura Smith via dovecot 
> > > > > > > > > dovecot@dovecot.org wrote:
> > > > > > > > > Sent with ProtonMail Secure Email.
> > > > > > > > > ‐‐‐ Original Message ‐‐‐
> > > > > > > > > On Wednesday, April 10, 2019 8:20 PM, Aki Tuomi 
> > > > > > > > > aki.tu...@open-xchange.com wrote:
> > > > > > > > >
> > > > > > > > > > > On 10 April 2019 22:13 Laura Smith via dovecot 
> > > > > > > > > > > dovecot@dovecot.org wrote:
> > > > > > > > > > > On Wednesday, April 10, 2019 7:57 PM, Aki Tuomi 
> > > > > > > > > > > aki.tu...@open-xchange.com wrote:
> > > > > > > > > > >
> > > > > > > > > > > > > On 10 April 2019 21:26 Laura Smith via dovecot 
> > > > > > > > > > > > > dovecot@dovecot.org wrote:
> > > > > > > > > > > > > ==
> > > > > > > > > > > > > dsync( foo...@example.com): Error: 
> > > > > > > > > > > > > imapc(foobar.example.com:993): 
> > > > > > > > > > > > > dns_lookup(foobar.example.com) failed: 
> > > > > > > > > > > > > read(/var/run/dovecot/dns-client) failed: 
> > > > > > > > > > > > > read(size=512) failed: Connection reset by peer
> > > > > > > > > > > > > This is dovecot's internal dns-client, and something 
> > > > > > > > > > > > > goes wrong when talking to the service.
> > > > > > > > > > > > > dsync( foo...@example.com): Error: Failed to 
> > > > > > > > > > > > > initialize user: imapc: Login to foobar.example.com 
> > > > > > > > > > > > > failed: Disconnected from server
> > > > > > > > > > > > > This is btw dsync service, not imap service.
> > > > > > > > > > > > > ===
> > > > > > > > > > > > > Initially I thought "oh no, not another AppArmor 
> > > > > > > > > > > > > block".
> > > > > > > > > > > > > But then surely the second message would not appear 
> > > > > > > > > > > > > if the DNS lookup was not successful ?
> > > > > > > > > > > > > Also "dig foobar.example.com" works fine.
> > > > > > > > > > > > > How should I be troubleshooting this ? And if it is 
> > > > > > > > > > > > > still likely to be AppArmor, what is calling it ? 
> > > > > > > > > > > > > "doveadm" itself or something else ? What does 
> > > > > > > > > > > > > "/var/run/dovecot/dns-client" do and why doesn't 
> > > > > > > > > > > > > dovecot use standard OS calls like everyone else ?
> > > > > > > > > > > > > Because the "standard OS call" is blocking and we 
> > > > > > > > > > > > > would prefer it to not block everything else.
> > > > > > > > > > > > > So many questions !
> > > > > > > > > > > > > Aki
> > > > > > > > > > > > > Thanks for your reply, but both those message are 
> > > > > > > > > > > > > generated from a simple :
> > > > > > > > > > > > > doveadm -v -o mail_fsync=never backup -R -u 
> > > > > > > > > > > > > foo...@example.com imapc:
> > > > > > > > > > > > > So I don't know what you mean about dsync service 
> > > > > > > > > > > > > failing ? Surely the DNS lookup succeeded if the 
> > > > > > > > > > > > > 'dsync service' failed due to remote disconnect ?
> > > > > > > > > > > > > I'm still none the wiser as to where to start looking 
> > > > > > > > > > > > > for troubleshoting ?
> > > > > > > > > > > > > Did you check dovecot logs? Maybe there is something 
> > > > > > > > > > > > > useful?
> > > > > > > > > > > > > Aki
> > > > > > > > > > > > > Only the same old cryptic message about dns-client ?
> > > > > > > > > > > > > master: Fatal: execv(/usr/lib/dovecot/dns-client) 
> > > > > > > > > > > > > failed: Permission denied
> > > > > > > > > > > > > Something prevents executing the dns-client binary.
> > > > > > > > > > > > > master: Error: 

Re: Lua Push Notification Plugin

2019-04-11 Thread Pabsky via dovecot

Thanks AKI! I'm a step closer to achieving my goals.

However, I'm getting a new error as indicated from below:

Apr 11 01:45:34 lmtp(u...@mydomain.com)<20801>: Debug: push-notification-ox: Skipped because not active 
(/private/vendor/vendor.dovecot/pvt/server/vendor/vendor.dovecot/http-notify 
METADATA not set)
Apr 11 01:45:34 lmtp(u...@mydomain.com)<20801>: Debug: push-notification: Push notification transaction completed

By the way, the file 
/private/vendor/vendor.dovecot/pvt/server/vendor/vendor.dovecot/http-notify 
does not exist on my server.

Again, I appreciate the help :)

On 11 April 2019 07:57 Robust Coding via dovecot  wrote:


Hi Admin,

I hope you consider reading and addressing my concern promptly.

For the past few days I've been setting up a VPS with cPanel and WHM 
pre-installed on Bluehost. I want to enable push notification plugin in 
Dovecot 2.3.5. I tried OX and Lua plugins and got errors.


For using OX plugin:
push_notification_driver = ox:url=http://staging.mydomain.com/mail-notify/v1  
user_from_metadata

And got this error on runtime:
Error: push-notification-ox: Skipped because unable to get attribute: Mailbox 
attributes not enabled




mail_attribute_dict = file:%h/Maildir/dovecot-attributes


When using Lua:
mail_plugins = $mail_plugins mail_lua notify push_notification push_notification_lua


plugin {
   push_notification_driver = lua:file=/path/to/lua/push.lua
}
And got this error:
Plugin 'push_notification_lua' not found from directory /usr/lib64/dovecot



You do not have push_notification_lua installed.


I think I'm missing something here but I can't figure it out. Please HELP!

Sincerely,
John Lopena

--

"Become a programmer - Lose your brain's virginity"


Aki



Re: failed: read(/var/run/dovecot/dns-client)

2019-04-11 Thread Laura Smith via dovecot


‐‐‐ Original Message ‐‐‐
On Thursday, April 11, 2019 12:55 AM, John Fawcett via dovecot 
 wrote:

> On 11/04/2019 00:51, Laura Smith via dovecot wrote:
>
> > ‐‐‐ Original Message ‐‐‐
> > On Wednesday, April 10, 2019 11:48 PM, John Fawcett via dovecot 
> > dovecot@dovecot.org wrote:
> >
> > > On 11/04/2019 00:18, Laura Smith via dovecot wrote:
> > >
> > > > ‐‐‐ Original Message ‐‐‐
> > > > On Wednesday, April 10, 2019 10:24 PM, Aki Tuomi 
> > > > aki.tu...@open-xchange.com wrote:
> > > >
> > > > > > On 10 April 2019 23:56 Laura Smith via dovecot < 
> > > > > > dovecot@dovecot.org> wrote:
> > > > > > ‐‐‐ Original Message ‐‐‐
> > > > > > On Wednesday, April 10, 2019 9:14 PM, Aki Tuomi < 
> > > > > > aki.tu...@open-xchange.com> wrote:
> > > > > >
> > > > > > > > On 10 April 2019 23:13 Laura Smith via dovecot 
> > > > > > > > dovecot@dovecot.org wrote:
> > > > > > > > Sent with ProtonMail Secure Email.
> > > > > > > > ‐‐‐ Original Message ‐‐‐
> > > > > > > > On Wednesday, April 10, 2019 8:20 PM, Aki Tuomi 
> > > > > > > > aki.tu...@open-xchange.com wrote:
> > > > > > > >
> > > > > > > > > > On 10 April 2019 22:13 Laura Smith via dovecot 
> > > > > > > > > > dovecot@dovecot.org wrote:
> > > > > > > > > > On Wednesday, April 10, 2019 7:57 PM, Aki Tuomi 
> > > > > > > > > > aki.tu...@open-xchange.com wrote:
> > > > > > > > > >
> > > > > > > > > > > > On 10 April 2019 21:26 Laura Smith via dovecot 
> > > > > > > > > > > > dovecot@dovecot.org wrote:
> > > > > > > > > > > > ==
> > > > > > > > > > > > dsync( foo...@example.com): Error: 
> > > > > > > > > > > > imapc(foobar.example.com:993): 
> > > > > > > > > > > > dns_lookup(foobar.example.com) failed: 
> > > > > > > > > > > > read(/var/run/dovecot/dns-client) failed: 
> > > > > > > > > > > > read(size=512) failed: Connection reset by peer
> > > > > > > > > > > > This is dovecot's internal dns-client, and something 
> > > > > > > > > > > > goes wrong when talking to the service.
> > > > > > > > > > > > dsync( foo...@example.com): Error: Failed to initialize 
> > > > > > > > > > > > user: imapc: Login to foobar.example.com failed: 
> > > > > > > > > > > > Disconnected from server
> > > > > > > > > > > > This is btw dsync service, not imap service.
> > > > > > > > > > > > ===
> > > > > > > > > > > > Initially I thought "oh no, not another AppArmor block".
> > > > > > > > > > > > But then surely the second message would not appear if 
> > > > > > > > > > > > the DNS lookup was not successful ?
> > > > > > > > > > > > Also "dig foobar.example.com" works fine.
> > > > > > > > > > > > How should I be troubleshooting this ? And if it is 
> > > > > > > > > > > > still likely to be AppArmor, what is calling it ? 
> > > > > > > > > > > > "doveadm" itself or something else ? What does 
> > > > > > > > > > > > "/var/run/dovecot/dns-client" do and why doesn't 
> > > > > > > > > > > > dovecot use standard OS calls like everyone else ?
> > > > > > > > > > > > Because the "standard OS call" is blocking and we would 
> > > > > > > > > > > > prefer it to not block everything else.
> > > > > > > > > > > > So many questions !
> > > > > > > > > > > > Aki
> > > > > > > > > > > > Thanks for your reply, but both those messages are 
> > > > > > > > > > > > generated from a simple :
> > > > > > > > > > > > doveadm -v -o mail_fsync=never backup -R -u 
> > > > > > > > > > > > foo...@example.com imapc:
> > > > > > > > > > > > So I don't know what you mean about dsync service 
> > > > > > > > > > > > failing ? Surely the DNS lookup succeeded if the 'dsync 
> > > > > > > > > > > > service' failed due to remote disconnect ?
> > > > > > > > > > > > I'm still none the wiser as to where to start looking 
> > > > > > > > > > > > for troubleshooting ?
> > > > > > > > > > > > Did you check dovecot logs? Maybe there is something 
> > > > > > > > > > > > useful?
> > > > > > > > > > > > Aki
> > > > > > > > > > > > Only the same old cryptic message about dns-client ?
> > > > > > > > > > > > master: Fatal: execv(/usr/lib/dovecot/dns-client) 
> > > > > > > > > > > > failed: Permission denied
> > > > > > > > > > > > Something prevents executing the dns-client binary.
> > > > > > > > > > > > master: Error: service(dns_client): command startup 
> > > > > > > > > > > > failed, throttling for 16 secs
> > > > > > > > > > > > dns_client: Fatal: master: service(dns_client): child 
> > > > > > > > > > > > 14293 returned error 84 (exec() failed)
> > > > > > 

Re: decrypt.rb

2019-04-11 Thread Aki Tuomi via dovecot


> On 11 April 2019 00:49 David Salisbury via dovecot  
> wrote:
> 
>  
> >> Yes. I gave it a try here, and it seems to work. Does it give any extra
> >> information if you include -i flag?
> >>
> >> Aki
> >>
> >
> > Yes, I had tried that, and it doesn't give much extra information, at 
> > least to my eye, that seems to help my issue.  Above the previous 
> > output it outputs the Version, Flags, Header length, Cipher algo, and 
> > Digest algo, and then the Key derivation Rounds. Then it does the 
> > previous output and exits as before.
> >
> > I tried using pry to debug through the script a little, and strace as 
> > well, but have not found anything pointing me in the direction of a 
> > solution or what may be causing it not to work for me yet. Will keep 
> > looking.
> >
> > Out of curiosity, what version of ruby were you using to run the 
> > script?  My ruby version is 2.5.1p57.
> >
> > -Dave
> 
> So, I found that in decrypt.rb there is a point where this section is 
> reached:
> 
> [code]
> unless our_key == nil
>     # decrypt data!
> [/code]
> 
> While testing I discovered that, for me, our_key was apparently equal to 
> nil because the code was never even making it into that block.  There 
> was a block right above that that was setting our_key to nil if a 
> certain condition happened, but I could tell that condition wasn't 
> happening as the accompanying error message wasn't printing.  Looking 
> farther up, I found:
> 
> [code]
> our_key = key if key[:digest] == options[:key_digest]
> [/code]
> 
> I printed the values of key[:digest] and options[:key_digest], and they 
> are in fact different.  Since our_key is nil by default, our_key was 
> just remaining nil, hence no decryption for me.
> 
> The key[:digest] variable is filled a little above that part of the code:
> 
> [code]
> (key[:type],key[:digest]) = options[:input].read(33).unpack('Ca*')
> [/code]
> 
> and options[:key_digest] is filled as the private key option is passed in:
> 
> [code]
> opts.on("-k","--key KEY", "Private key to decrypt file") do |k|
>    options[:key] = OpenSSL::PKey.read(File.open(k))
>    options[:key_digest] = get_pubid_priv(options[:key])
> end
> [/code]
> 
> It's apparently using the key from the command line to get the key 
> digest with the get_pubid_priv() function, and for some reason that 
> value is coming back as different than the key digest that is 
> ascertained by the "options[:input].read" line.
> 
> Out of curiosity, and since I know I'm using the correct key, I 
> commented out the if statement in the our_key line so as not to make the 
> comparison between the digests:
> 
> [code]
> our_key = key #if key[:digest] == options[:key_digest]
> [/code]
> 
>  and then it worked!  The script successfully decrypted the message!
> 
> So, not being an expert at encryption, what are the ramifications of 
> those digests being read as different values in the two different 
> places??   I do notice that the get_pubid_priv() function is internal to 
> the decrypt.rb script and calls several OpenSSL functions.
> 
> -Dave

Hmm... can you show me how you made the keypair for encryption? Maybe there is 
some difference?

Aki
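The key-selection logic Dave traced through above (a 1-byte type plus a 32-byte digest read with `unpack('Ca*')`, then compared against the digest of the supplied private key) can be reproduced in a small Ruby program; this is an added example, not code from Dovecot's decrypt.rb. The digest derivation (SHA-256 over the uncompressed public point), the key type value and the helper names are assumptions made for the example, so the real get_pubid_priv() may serialise the key differently, which is exactly the mismatch the thread is chasing; the point of the example is that a mismatch should be reported with both digests rather than leaving our_key silently nil.

```ruby
require 'openssl'
require 'stringio'

# Header layout used by the decrypt.rb snippet quoted in the thread:
# 1 byte key type, then a 32-byte digest identifying the public key.
KEY_TYPE_EC = 1 # constructed value for this example, not Dovecot's real type code

# ASSUMPTION for this example: digest = SHA-256 over the public point in
# uncompressed form. Dovecot's get_pubid_priv() may use another serialisation.
def key_digest(ec_key)
  OpenSSL::Digest::SHA256.digest(ec_key.public_key.to_bn.to_s(2))
end

# Build the 33-byte header the way an encrypting side would write it.
def build_key_header(ec_key)
  [KEY_TYPE_EC, key_digest(ec_key)].pack('Ca*')
end

# Mirror of "(key[:type],key[:digest]) = options[:input].read(33).unpack('Ca*')",
# but refusing a short read instead of carrying a truncated digest onward.
def parse_key_header(io)
  raw = io.read(33)
  raise 'truncated key header' unless raw && raw.bytesize == 33
  type, digest = raw.unpack('Ca*')
  { type: type, digest: digest }
end

# Pick the private key whose digest matches the header. Where the script
# leaves our_key nil on a mismatch, this returns an explicit diagnostic
# carrying both digests (hex) so the cause is visible without extra prints.
def select_key(header, candidates)
  match = candidates.find { |k| key_digest(k) == header[:digest] }
  return [:ok, match] if match
  [:mismatch, { header: header[:digest].unpack1('H*'),
                candidates: candidates.map { |k| key_digest(k).unpack1('H*') } }]
end

if __FILE__ == $0
  # Constructed keys: one that the header was built from, one that was not.
  right = OpenSSL::PKey::EC.generate('prime256v1')
  wrong = OpenSSL::PKey::EC.generate('prime256v1')
  hdr = parse_key_header(StringIO.new(build_key_header(right)))
  p select_key(hdr, [wrong])           # => [:mismatch, {...both digests...}]
  p select_key(hdr, [wrong, right])[0] # => :ok
end
```

Dropping the comparison, as in the `our_key = key #if ...` change, means decrypting with whatever key was supplied even when the file's header names a different key; the diagnostic form above keeps the check but shows which digest the script computed versus which one the file carries.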