Re: MailCrypt plugin questions

2019-05-23 Thread MRob via dovecot




1. If I want per-user encryption am I correct I should configure
global keys with all related settings override in the userdb lookup?

2. If I do not want to encrypt some user accounts, is it enough to
omit the mail_crypt_global_private_key from the userdb lookup? In
other words, mail_plugins still active with mail_crypt, will that cause
user account to be encrypted unexpectedly if no private key is given?


I found answer to this question, set mail_crypt_save_version=0 in userdb


3. Example command to create EC key does not ask for password, openssl
ecparam command does not seem to have password arg. If I want
password-protection should I use RSA key which the doc tell to be
discouraged?


Re: Catch all for dovecot authentication?

2019-05-23 Thread Joseph Tam via dovecot




as stated by Aki

> passdb {
>  driver = static
>  args = nopassword
> }

works fine and does what I want: accept any SMTP AUTH :-)


(Brings back memories of good fun I had with patched Qpopper snare
feeding custom messages to the hacker.)

Another alternative is to use the checkpassword hook that will accept
any username/password.  The advantage is you can do post-analysis of
credentials as the script has access to them.

Joseph Tam 
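
An added illustration of the checkpassword alternative described above (not code from the thread or from Dovecot): an accept-all script that reads the credentials from fd 3, writes one JSON line per attempt for later analysis, and then executes the reply binary passed as its first argument. The log path, the fixed `spamtrap` user and the `TCPREMOTEIP` environment variable are assumptions of this example.

```python
#!/usr/bin/env python3
# Added example: accept-all checkpassword script for a spamtrap passdb.
import json
import os
import sys
import time

LOG_PATH = "/var/log/spamtrap-auth.jsonl"  # assumed location, not from the thread


def parse_checkpassword(blob: bytes):
    """Parse the fd 3 input: username NUL password NUL [more NUL ...]."""
    fields = blob.split(b"\0")
    if len(fields) < 3:  # fewer than two NUL terminators: input was cut short
        raise ValueError("truncated checkpassword input")
    user, password = (f.decode("utf-8", "replace") for f in fields[:2])
    return user, password


def log_record(user, password, env, now=None):
    """Build one JSON log line; json.dumps escapes CR/LF and other control
    characters, so a crafted username cannot forge extra log entries."""
    return json.dumps({
        "ts": int(time.time() if now is None else now),
        "rip": env.get("TCPREMOTEIP", ""),  # assumed to be exported by Dovecot
        "user": user[:256],                 # cap attacker-controlled lengths
        "password": password[:256],
    })


def main(argv):
    if len(argv) < 2:          # argv[1] must be the checkpassword-reply binary
        return 111             # 111 = temporary failure
    try:
        with os.fdopen(3, "rb") as fd3:
            user, password = parse_checkpassword(fd3.read(1024))
    except (OSError, ValueError):
        return 111
    with open(LOG_PATH, "a", encoding="utf-8") as log:
        log.write(log_record(user, password, os.environ) + "\n")
    os.environ["USER"] = "spamtrap"   # assumed fixed account for every login
    os.environ["HOME"] = "/dev/null"
    os.execv(argv[1], argv[1:])       # success: hand over to the reply binary


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The resulting log holds submitted passwords in clear text, so it belongs in a file readable only by the analysis account.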


MailCrypt plugin questions

2019-05-23 Thread MRob via dovecot
I read the mailcrypt plugin document on the wiki and had couple 
questions.


1. If I want per-user encryption am I correct I should configure global 
keys with all related settings override in the userdb lookup?


2. If I do not want to encrypt some user accounts, is it enough to omit 
the mail_crypt_global_private_key from the userdb lookup? In other words, 
mail_plugins still active with mail_crypt, will that cause user account 
to be encrypted unexpectedly if no private key is given?


3. Example command to create EC key does not ask for password, openssl 
ecparam command does not seem to have password arg. If I want 
password-protection should I use RSA key which the doc tell to be 
discouraged?




RE: Catch all for dovecot authentication?

2019-05-23 Thread Marc Roos via dovecot
 
No, And you incorrectly assume, that I am not taking such things into 
account. 

But I can excuse this type of reply, due to the mere fact that IT is 
saturated with "dumb fucks" (like to quote Zuckerberg). Don't the 
Americans have a nice saying for this "Assumption is the mother of all 
fuckups". 
If I am writing I want to send a user 5GB, I want to send a user 5GB. 



-----Original Message-----
From: @lbutlr via dovecot [mailto:dovecot@dovecot.org] 
Sent: Thursday 23 May 2019 10:06
To: @lbutlr via dovecot
Subject: Re: Catch all for dovecot authentication?

On 23 May 2019, at 01:44, Marc Roos via dovecot wrote:
> I would like to redirect sometimes a user to a 5GB garbage messages mailbox.

So you want to setup a service where random spammer/hacker can trivially 
DDOS your system?

How many simultaneous 5GB streams can you handle? How much will your 
bandwidth bill be if you send 5GB a million times in a month?

--
Over 3,500 gay marriages and, what, no hellfire? I was promised hellfire.
And riots. What gives? -- Mark Morford






Re: Catch all for dovecot authentication?

2019-05-23 Thread Tobi via dovecot
Marc,

as stated by Aki

> passdb {
>  driver = static
>  args = nopassword
> }


works fine and does what I want: accept any SMTP AUTH :-)
In my setup postfix has a catch-all anyway, so I can return
home=/dev/null in userdb

Saw the first tries on my server already. Just took 5min after enabling
SMTP AUTH :-)

@Aki: thanks a lot



Have a good one

--

tobi

On 23.05.19 at 09:44, Marc Roos wrote:
>  
> I have the same, create your own dns blacklist. And have fail2ban add 
> entries to it. The only problem I have on CentOS6 is that you need to 
> combine log files for this, but it should be do-able.
> 
> But I am also for this option, maybe it can be done via this userdb, 
> specify an account where auth is not necessary. I would like to redirect 
> sometimes a user to a 5GB garbage messages mailbox. Or if someone has 
> collection of emails with viruses, available to download?
> 
> 
> 
> -----Original Message-----
> From: Tobi via dovecot [mailto:dovecot@dovecot.org] 
> Sent: Thursday 23 May 2019 9:12
> To: dovecot@dovecot.org
> Subject: Catch all for dovecot authentication?
> 
> Hi
> 
> I'm aware that there are several good reasons not to do what I want, but 
> in my use-case it would be an interesting feature. So please no 
> discussions about the reasonableness
> 
> I have some spamtrap SMTP servers (postfix). Currently SMTP AUTH is 
> disabled. But as I daily have thousands of AUTH tries I thought it would 
> be nice to be able to accept any AUTH request from postfix in dovecot.
> 
> Is something like this possible with dovecot? If so any good description 
> available on how to achieve?
> 
> Thanks
> 
> --
> 
> tobi
> 
> 
> 


Re: Catch all for dovecot authentication?

2019-05-23 Thread @lbutlr via dovecot
On 23 May 2019, at 01:44, Marc Roos via dovecot  wrote:
> I would like to redirect sometimes a user to a 5GB garbage messages mailbox.

So you want to setup a service where random spammer/hacker can trivially DDOS 
your system?

How many simultaneous 5GB streams can you handle? How much will your bandwidth 
bill be if you send 5GB a million times in a month?

-- 
Over 3,500 gay marriages and, what, no hellfire? I was promised hellfire.
And riots. What gives? -- Mark Morford




RE: Catch all for dovecot authentication?

2019-05-23 Thread Marc Roos via dovecot
 
I have the same, create your own dns blacklist. And have fail2ban add 
entries to it. The only problem I have on CentOS6 is that you need to 
combine log files for this, but it should be do-able.

But I am also for this option, maybe it can be done via this userdb, 
specify an account where auth is not necessary. I would like to redirect 
sometimes a user to a 5GB garbage messages mailbox. Or if someone has 
collection of emails with viruses, available to download?



-----Original Message-----
From: Tobi via dovecot [mailto:dovecot@dovecot.org] 
Sent: Thursday 23 May 2019 9:12
To: dovecot@dovecot.org
Subject: Catch all for dovecot authentication?

Hi

I'm aware that there are several good reasons not to do what I want, but 
in my use-case it would be an interesting feature. So please no 
discussions about the reasonableness

I have some spamtrap SMTP servers (postfix). Currently SMTP AUTH is 
disabled. But as I daily have thousands of AUTH tries I thought it would 
be nice to be able to accept any AUTH request from postfix in dovecot.

Is something like this possible with dovecot? If so any good description 
available on how to achieve?

Thanks

--

tobi




Re: more generic approach as for userdb? (was: Dict issue with PostgreSQL for last_login plugin (duplicate key))

2019-05-23 Thread John Fawcett via dovecot
On 23/05/2019 07:49, Steffen Kaiser via dovecot wrote:
> On Wed, 22 May 2019, John Fawcett via dovecot wrote:
>
> > an update when insert fails seems to be a MySQL specific extension to
> > standard Sql. So I think that it's clear that support for PostgreSql and
> > Sqlite needs to be implemented. The same issue likely exists in other
> > plugins too, for example expire.
>
> > My doubts are around the right solution to adopt. Initially I thought
> > that there was a PostgreSql syntax similar to MySQL which could be
> > easily added to the code, but closer inspection shows that the
> > PostgreSql syntax requires specification of either a constraint name or
> > the index column(s) for the primary/unique keys.
>
> You mean the "target" in ON CONFLICT target action, right?
> http://www.postgresqltutorial.com/postgresql-upsert/
>
Yes, whereas MySQL uses a generic syntax not requiring specific info, as
far as I am aware PostgreSql requires the target. I tried without and
got an error.

> > Constraint names are nowhere specified in the dictionary map syntax and
> > it's not possible either to identify with 100% certainty the primary key
> > column(s).
>
> One could dive into Postgres-specifics to get it, but there are other
> SQLs, too; the quota plugin advertises to use TRIGGERs to turn an
> INSERT into an UPDATE silently, which is no general approach either.
> https://wiki2.dovecot.org/Quota/Dict
>
> > 1) logic which always tries to update and falls back to insert if the
> > update fails (or vice versa) for all sql dictionaries.
>
> > 2) updates to the map syntax so that either the constraint name or
> > primary key columns can be specified.
>
> > Ideas are welcome.
>
> Maybe, one should drop the automatic at all and let the user specify
> the commands manually like with the userdb/passwd. Hence, the generic
> SQL preparation code is already present. There could/should/would be
> documented lots of "best practice" settings for various backends.
>
> In fact, this approach would better fit into the open and more
> "general" base idea Dovecot uses in other places, IMHO.
>
thanks for that suggestion, it would mean moving away from a syntax
where other dictionary types use a map statement and sql wouldn't.
> Kind regards,
>
> -- Steffen Kaiser
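
The two approaches weighed in this message, as an added example that is not code from the thread or from Dovecot: a bare INSERT hitting the duplicate key, the ON CONFLICT form that has to name its target, and option 1 (UPDATE first, INSERT as fallback). It runs against an in-memory SQLite database (3.24 or later, which accepts the same ON CONFLICT syntax as PostgreSQL); the table and column names are hypothetical.

```python
import sqlite3

# Hypothetical table for this example; not the plugin's actual schema.
SCHEMA = """CREATE TABLE last_login (
    userid TEXT PRIMARY KEY,
    last_login INTEGER NOT NULL)"""
INSERT = "INSERT INTO last_login (userid, last_login) VALUES (?, ?)"
UPDATE = "UPDATE last_login SET last_login = ? WHERE userid = ?"


def open_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db


def plain_insert(db, userid, ts):
    """Return False when the bare INSERT hits the duplicate-key error."""
    try:
        db.execute(INSERT, (userid, ts))
        return True
    except sqlite3.IntegrityError:
        return False


def upsert_with_target(db, userid, ts):
    """ON CONFLICT form: the unique column(s), the 'target', must be named."""
    db.execute(INSERT + " ON CONFLICT (userid) DO UPDATE"
               " SET last_login = excluded.last_login", (userid, ts))


def update_then_insert(db, userid, ts):
    """Option 1: UPDATE first; INSERT only when no row matched."""
    if db.execute(UPDATE, (ts, userid)).rowcount == 0:
        try:
            db.execute(INSERT, (userid, ts))
        except sqlite3.IntegrityError:
            # Another session inserted the row in between: update it instead.
            db.execute(UPDATE, (ts, userid))


def last_login(db, userid):
    row = db.execute("SELECT last_login FROM last_login WHERE userid = ?",
                     (userid,)).fetchone()
    return row[0] if row else None
```

On PostgreSQL a failed INSERT aborts the enclosing transaction, so the fallback branch in `update_then_insert` would need a savepoint there.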



Re: Catch all for dovecot authentication?

2019-05-23 Thread Aki Tuomi via dovecot


On 23.5.2019 10.12, Tobi via dovecot wrote:
> Hi
>
> I'm aware that there are several good reasons not to do what I want, but
> in my use-case it would be an interesting feature. So please no
> discussions about the reasonableness
>
> I have some spamtrap SMTP servers (postfix). Currently SMTP AUTH is
> disabled. But as I daily have thousands of AUTH tries I thought it would
> be nice to be able to accept any AUTH request from postfix in dovecot.
>
> Is something like this possible with dovecot? If so any good description
> available on how to achieve?
>
> Thanks
>
> --
>
> tobi

You could try this in dovecot.

passdb {
  driver = static
  args = nopassword
}

Aki



Catch all for dovecot authentication?

2019-05-23 Thread Tobi via dovecot
Hi

I'm aware that there are several good reasons not to do what I want, but
in my use-case it would be an interesting feature. So please no
discussions about the reasonableness

I have some spamtrap SMTP servers (postfix). Currently SMTP AUTH is
disabled. But as I daily have thousands of AUTH tries I thought it would
be nice to be able to accept any AUTH request from postfix in dovecot.

Is something like this possible with dovecot? If so any good description
available on how to achieve?

Thanks

--

tobi


Re: more generic approach as for userdb? (was: Dict issue with PostgreSQL for last_login plugin (duplicate key))

2019-05-23 Thread Aki Tuomi via dovecot

> Maybe, one should drop the automatic at all and let the user specify
> the commands manually like with the userdb/passwd. Hence, the generic
> SQL preparation code is already present. There could/should/would be
> documented lots of "best practice" settings for various backends.
>
> In fact, this approach would better fit into the open and more
> "general" base idea Dovecot uses in other places, IMHO.
>
> Kind regards,
>
> -- Steffen Kaiser


Hi!

You can write completely custom last_login plugin by using mail-lua
plugin, by having functions

mail_user_created(user)

and

mail_user_deinit(user)

in your Lua script.

This of course requires v2.3.4 or later.

Aki



