Re: Permission denied UNIX perms appear ok (ACL/MAC wrong?))

2022-08-30 Thread Aki Tuomi
If you are running gocryptfs with Dovecot, you need to ensure that Dovecot has 
access to the files even when you are not logged in. Perhaps gocryptfs is 
blocking access to processes not originating from your session?

Aki

> On 31/08/2022 07:14 EEST Austin Witmer  wrote:
> 
>  
> No, I am manually mounting it when I start my server. I then start dovecot.
> 
> Austin Witmer
> 
> > On Aug 30, 2022, at 9:40 PM, pe...@chubb.wattle.id.au wrote:
> > 
> > 
> >> 
> >> "Austin" == Austin Witmer  writes:
> > 
> > 
> > Austin> So, the location of my mail storage
> > Austin> (/mnt/volume1/mailserver/plain/maildir/%d/%n/) is a filesystem
> > Austin> mounted by gocryptfs. Do you think gocryptfs could be at fault
> > Austin> here?
> > 
> > Is it automounted?  I've seen issues where dovecot tries to access a
> > file before the mount has finished, giving a permissions denied error.
> > 
> > Peter C
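One concrete way to test the hypothesis Aki raises above: the FUSE kernel module admits only the uid that mounted a filesystem (recorded as the user_id= mount option) unless the mount was made with allow_other, and root is not exempt from that check. The script below is an added diagnostic, not code from this thread, from gocryptfs or from Dovecot. It reads the mount's options from /proc/mounts and compares them with the uid Dovecot touches the maildir as. The /proc/mounts lines embedded in it are constructed; the mountpoint /mnt/volume1/mailserver/plain and uid 1000 for austin are assumptions taken from the stat output later in the thread.

```shell
#!/bin/sh
# fuse_mount_check.sh -- added diagnostic, not part of the thread, gocryptfs or Dovecot.
# The FUSE kernel module admits only the uid that mounted a filesystem (the user_id=
# mount option) unless the mount carries allow_other; root gets the same refusal.

# Constructed /proc/mounts lines for a gocryptfs mount made by uid 1000 (assumed to
# be "austin"), first without and then with allow_other, plus a non-FUSE mount.
SAMPLE_PRIVATE='/mnt/volume1/mailserver/cipher /mnt/volume1/mailserver/plain fuse.gocryptfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000,default_permissions 0 0'
SAMPLE_SHARED='/mnt/volume1/mailserver/cipher /mnt/volume1/mailserver/plain fuse.gocryptfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000,default_permissions,allow_other 0 0'
SAMPLE_EXT4='/dev/sdb1 /mnt/volume1 ext4 rw,relatime 0 0'

# fuse_verdict MOUNTLINE UID -> prints one of: allowed, denied, not-fuse
fuse_verdict() {
    fstype=$(printf '%s\n' "$1" | awk '{ print $3 }')
    opts=$(printf '%s\n' "$1" | awk '{ print $4 }')
    uid=$2
    case "$fstype" in
        fuse|fuse.*) ;;
        *) echo not-fuse; return 0 ;;
    esac
    case ",$opts," in
        *,allow_other,*) echo allowed; return 0 ;;   # every uid, root included
    esac
    # No allow_other: only the mounting uid (user_id=) gets through.
    owner=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^user_id=//p')
    if [ "$owner" = "$uid" ]; then
        echo allowed
    else
        echo denied
    fi
}

# check_mountpoint MOUNTPOINT UID -> verdict for a live mount, or not-mounted
check_mountpoint() {
    line=$(awk -v mp="$1" '$2 == mp { print; exit }' /proc/mounts 2>/dev/null)
    if [ -z "$line" ]; then
        echo not-mounted
    else
        fuse_verdict "$line" "$2"
    fi
}

# Usage on the server:  sh fuse_mount_check.sh /mnt/volume1/mailserver/plain 1000
# The uid is the one Dovecot accesses the maildir with (1000 assumed from the stat
# output later in the thread); try 0 as well, because a delivery process that is
# still running as root is refused like any other foreign uid.
if [ $# -eq 2 ]; then
    echo "$1 for uid $2: $(check_mountpoint "$1" "$2")"
fi
```

If the verdict is denied for the uid that performs the delivery, remounting with gocryptfs -allow_other (passed through to FUSE) removes that particular block. Two caveats: a not-mounted verdict at Dovecot start-up would point at Peter's ordering explanation instead, and the FUSE owner check fails with EACCES ("Permission denied"), which matches the subject line but not by itself an "Operation not permitted" (EPERM) error.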


Re: Permission denied UNIX perms appear ok (ACL/MAC wrong?))

2022-08-30 Thread Austin Witmer
No, I am manually mounting it when I start my server. I then start dovecot.

Austin Witmer

> On Aug 30, 2022, at 9:40 PM, pe...@chubb.wattle.id.au wrote:
> 
> 
>> 
>> "Austin" == Austin Witmer  writes:
> 
> 
> Austin> So, the location of my mail storage
> Austin> (/mnt/volume1/mailserver/plain/maildir/%d/%n/) is a filesystem
> Austin> mounted by gocryptfs. Do you think gocryptfs could be at fault
> Austin> here?
> 
> Is it automounted?  I've seen issues where dovecot tries to access a
> file before the mount has finished, giving a permissions denied error.
> 
> Peter C



Re: Permission denied UNIX perms appear ok (ACL/MAC wrong?))

2022-08-30 Thread peter
> "Austin" == Austin Witmer  writes:


Austin> So, the location of my mail storage
Austin> (/mnt/volume1/mailserver/plain/maildir/%d/%n/) is a filesystem
Austin> mounted by gocryptfs. Do you think gocryptfs could be at fault
Austin> here?

Is it automounted?  I've seen issues where dovecot tries to access a
file before the mount has finished, giving a permissions denied error.

Peter C


Re: multiple / backup sql servers for sql server access

2022-08-30 Thread Jack Snodgrass


I prefer to use a 2 db approach where I specify 2 different Database 
servers as opposed to HAproxy.



I see on: https://doc.dovecot.org/configuration_manual/authentication/sql where it 
says:


*You can add multiple host parameters to the SQL connect string. Dovecot 
will do round robin load balancing between them. If one of them goes 
down, the others will handle the traffic.*


it would be really nice if that was expanded upon in the docs. I am 
not sure WHO to ask to have that clarified.


I currently have:

connect = "host= dbname= user= password="

... would I use:

connect = "host= dbname= user= 
password= host= dbname= user= 
password="


and the system would just see host/host, dbname/dbname user/user 
password/password and automatically map the correct dbname/user/password 
to the correct host or it is assumed that the 2nd host is the only thing 
that changes and the dbname/user/password are the same? or do I use:


connect = "host= dbname= user= 
password= host2= dbname2= user2= 
password2="


to specify the host and host2 info?


"You can add multiple host parameters to the SQL connect string." is a 
bit lacking in info when you think about the possibility of having a 
different user/pass or dbname for the 2nd host instance.


I am going to play around with this on my production box... but having a 
bit more info in the docs would be preferred.



- jack



On 8/30/22 07:57 AM, Brendan Kearney wrote:


per https://doc.dovecot.org/configuration_manual/authentication/sql/, 
you can add more than one "host=" parameter in the "connect" 
directive, and leave dovecot to do round-robin load balancing. there 
will probably be a delay in processing while a failed database 
connection attempt times out.


or you can use a load balanced database footprint, using something 
like haproxy.  it's not as simple as putting multiple databases behind 
haproxy and calling it done.  i use mariadb, which via galera, can do 
multi-primary HA, where all 3 primary instances can take write or read 
events.  you need to configure each mariadb instance with galera 
replication and then setup haproxy to properly attach to the databases 
and perform a service check.


postgresql or other databases may require different mechanisms to 
achieve fault tolerant HA.


On 8/30/22 4:18 AM, Sami Ketola wrote:




On 30. Aug 2022, at 5.13, Jack Snodgrass  wrote:


I am using this file:

dovecot-sql.conf.ext

and in there  I have a

connect = "host= dbname= user= 
password="



My  was down and I lost mail access for a few days before 
I realized that there was an issue.  How can I specify a backup 
server so that if my primary sql server goes down, a backup sql 
server will be queried?




Use haproxy.

Sami



--
jack - Southlake Texas - mylinuxguy.net 


Re: where to setup virtual_mailbox_maps

2022-08-30 Thread dovecot

On 08-30-2022 9:36 pm, frakass wrote:
I have a domain in virtual_mailbox_domains:
aaa.com

I have also the virtual_alias_domains which include:
bbb.com

I know how to forward x...@bbb.com to y...@aaa.com by setting up the file
"virtual_alias_maps":
x...@bbb.com y...@aaa.com

But, how can I setup virtual_mailbox_maps (if I name this correctly)? for
example, 1...@aaa.com forwards to 2...@aaa.com.



These are postfix questions posted to a dovecot mailing list.

virtual_mailbox_domains = Where you list domains that postfix is final 
destination for.
virtual_mailbox_maps = Is where you list virtual addresses and the mbox/maildir 
path for the virtual delivery agent.
virtual_alias_maps = Is where you list aliases such as x...@bbb.com -> 
y...@aaa.com and 1...@aaa.com -> 2...@aaa.com

An alias is an alias regardless of whether it's to a local or remote address.
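The three maps side by side, as an added example that is not part of the question or the reply above and not Postfix project configuration. The domains aaa.com and bbb.com come from the question; the local parts alice, bob and carol, the map file locations and the hash: map type are assumptions.

```conf
# /etc/postfix/main.cf (excerpt)
virtual_mailbox_domains = aaa.com
virtual_alias_domains   = bbb.com
virtual_mailbox_maps    = hash:/etc/postfix/vmailbox
virtual_alias_maps      = hash:/etc/postfix/virtual

# /etc/postfix/vmailbox -- the real mailboxes Postfix accepts mail for.
# Every address on the left must belong to a virtual_mailbox_domains domain.
# The right-hand side is the mailbox path used by Postfix's own virtual(8)
# delivery agent; when virtual_transport hands delivery to Dovecot LMTP the
# path is ignored, but the entry is still what makes the address a valid
# recipient (unlisted recipients in a virtual mailbox domain are rejected).
bob@aaa.com     aaa.com/bob/

# /etc/postfix/virtual -- address rewrites. Same map whether the alias
# crosses domains or stays inside one; the alias itself needs no vmailbox entry.
alice@bbb.com   bob@aaa.com
carol@aaa.com   bob@aaa.com

# After editing either map:
#   postmap /etc/postfix/vmailbox /etc/postfix/virtual
#   postfix reload
```

One check worth running after a change: postmap -q carol@aaa.com hash:/etc/postfix/virtual should print bob@aaa.com, and postmap -q bob@aaa.com hash:/etc/postfix/vmailbox should print the mailbox path; a recipient that resolves through neither map is rejected at SMTP time.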


where to setup virtual_mailbox_maps

2022-08-30 Thread frakass
Hello,

I have a domain in virtual_mailbox_domains:

aaa.com

I have also the virtual_alias_domains which include:

bbb.com

I know how to forward x...@bbb.com to y...@aaa.com by setting up the file
"virtual_alias_maps":

x...@bbb.com y...@aaa.com

(and run postmap after the changes.)

But, how can I setup virtual_mailbox_maps (if I name this correctly)? for
example, 1...@aaa.com forwards to 2...@aaa.com.

Thank you.



Re: Permission denied UNIX perms appear ok (ACL/MAC wrong?))

2022-08-30 Thread Austin Witmer
See below . . .

> On Aug 30, 2022, at 1:41 PM, spi  wrote:
> 
> 
> 
> Am 30.08.22 um 20:43 schrieb Austin Witmer:
> >> I am still getting the errors I mentioned previously. Maybe half a dozen 
>> of them per day . . .
>> 
>> So, the location of my mail storage 
>> (/mnt/volume1/mailserver/plain/maildir/%d/%n/) is a filesystem mounted by 
>> gocryptfs. Do you think gocryptfs could be at fault here?
>> 
>> Austin Witmer
>> 
> 
> Before and after mounting: What are the mount folder's user/group 
> permissions? Who owns the mount folder (user/group)?
> 
> 

The owner is austin and group is austin before and after mounting the folder. I 
would need to verify that the owner is still the same before the folder is 
mounted sometime while my server is offline.
> If you do a "stat 
> /mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log 
> " as the user dovecot is running as 
> (from your mail I see austin owns that file - is dovecot run as user austin?) 
> - do you also get an error?
> 
I would think that dovecot is running as user austin, but I’m not sure how to 
verify that?
> If you do get an error - could you create a small encrypted fs and mount it 
> to another folder, create a file there and check again for "stat file"? Play 
> with the permissions and user/group assignments. Still getting an error?
> 
> --
> Cheers
> spi

So here is one of the last log lines from my mail.err file.

Aug 30 23:09:11 mail dovecot: 
lmtp(u...@domain.com)<179137>: Error: 
open(/mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot-uidlist.lock)
 failed: Operation not permitted
Aug 30 23:09:11 mail dovecot: 
lmtp(u...@domain.com)<179137>: Error: lmtp-server: conn 
unix:pid=179136,uid=112 [1]: rcpt u...@domain.com: Mailbox INBOX: 
file_dotlock_create(/mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot-uidlist)
 failed: Operation not permitted
Aug 30 23:09:11 mail dovecot: 
lmtp(u...@domain.com)<179137>: Error: sieve: 
msgid=: failed to store 
into mailbox 'INBOX': Mailbox INBOX: 
file_dotlock_create(/mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot-uidlist)
 failed: Operation not permitted
Aug 30 23:09:11 mail dovecot: 
lmtp(u...@domain.com)<179137>: Error: sieve: Execution 
of script /var/lib/dovecot/sieve/default.sieve was aborted due to temporary 
failure


Here is the stat command one of the files that dovecot seem to not be able to 
access.

austin@mail:/mnt/volume1/mailserver$ stat 
/mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot-uidlist
  File: /mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot-uidlist
  Size: 60565      Blocks: 120        IO Block: 4096   regular file
Device: 2bh/43d Inode: 146325  Links: 1
Access: (0660/-rw-rw----)  Uid: ( 1000/  austin)   Gid: ( 1000/  austin)
Access: 2022-08-30 23:19:24.701469295 +
Modify: 2022-08-30 23:16:34.155318207 +
Change: 2022-08-30 23:16:34.163318308 +
 Birth: -

Is the problem that the x perm is missing from both the user and group for this 
file? I have tried different times to recursively apply wrx permissions to all 
the folders and files but it seems like dovecot must create files that it later 
cannot access. Or maybe I am not understanding this correctly?

Why am I getting these errors only about 1% of the time and the rest of the 
time it works fine? This seems to be randomly happening to various users on my 
server.

Thanks again to all of you for your help!

Austin Witmer

Re: multiple / backup sql servers for sql server access

2022-08-30 Thread Brendan Kearney
presumably, you would have the same database parameters on different 
hosts, so only adding an additional "host=" parameter should suffice.  i 
would only add the additional parameters that are unique or different, 
and that should work.


connect = "host= host= dbname= 
user= password="


sorry to hear you're going to test this in Prod. :(

On 8/30/22 6:10 PM, Jack Snodgrass wrote:



I prefer to use a 2 db approach where I specify 2 different Database 
servers as opposed to HAproxy.



I see on: 
https://doc.dovecot.org/configuration_manual/authentication/sql where 
it says:


*You can add multiple host parameters to the SQL connect string. 
Dovecot will do round robin load balancing between them. If one of 
them goes down, the others will handle the traffic.*


it would be really nice if that was expanded upon in the docs. I am 
not sure WHO to ask to have that clarified.


I currently have:

connect = "host= dbname= user= 
password="


... would I use:

connect = "host= dbname= user= 
password= host= dbname= user= 
password="


and the system would just see host/host, dbname/dbname user/user 
password/password and automatically map the correct 
dbname/user/password to the correct host or it is assumed that the 2nd 
host is the only thing that changes and the dbname/user/password are 
the same? or do I use:


connect = "host= dbname= user= 
password= host2= dbname2= user2= 
password2="


to specify the host and host2 info?


"You can add multiple host parameters to the SQL connect string." is a 
bit lacking in info when you think about the possibility of having a 
different user/pass or dbname for the 2nd host instance.


I am going to play around with this on my production box... but having 
a bit more info in the docs would be preferred.



- jack



On 8/30/22 07:57 AM, Brendan Kearney wrote:


per https://doc.dovecot.org/configuration_manual/authentication/sql/, 
you can add more than one "host=" parameter in the "connect" 
directive, and leave dovecot to do round-robin load balancing.  there 
will probably be a delay in processing while a failed database 
connection attempt times out.


or you can use a load balanced database footprint, using something 
like haproxy.  it's not as simple as putting multiple databases behind 
haproxy and calling it done.  i use mariadb, which via galera, can do 
multi-primary HA, where all 3 primary instances can take write or 
read events.  you need to configure each mariadb instance with galera 
replication and then setup haproxy to properly attach to the 
databases and perform a service check.


postgresql or other databases may require different mechanisms to 
achieve fault tolerant HA.


On 8/30/22 4:18 AM, Sami Ketola wrote:




On 30. Aug 2022, at 5.13, Jack Snodgrass  wrote:


I am using this file:

dovecot-sql.conf.ext

and in there  I have a

connect = "host= dbname= user= 
password="



My  was down and I lost mail access for a few days before 
I realized that there was an issue.  How can I specify a backup 
server so that if my primary sql server goes down, a backup sql 
server will be queried?




Use haproxy.

Sami



--
jack - Southlake Texas - mylinuxguy.net 
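The form Brendan suggests, written out as an added example (not configuration from the thread or from the Dovecot project). The hostnames db1.example.com and db2.example.com, the database name, the credentials and the users table are assumptions; the original posts have those values stripped.

```conf
# /etc/dovecot/dovecot-sql.conf.ext (excerpt) -- keep this file root-owned and
# mode 0600: it carries the database password in clear text.
driver = mysql

# Single host: every passdb/userdb lookup fails for as long as db1 is down,
# which is the outage described at the start of the thread.
#connect = "host=db1.example.com dbname=mail user=dovecot password=secret"

# Two hosts: "host=" is simply repeated. dbname, user and password are given
# once and apply to every host; there is no host2=/user2= form. Dovecot's
# MySQL driver keeps the list, round-robins connections over it and, when one
# host stops answering, carries on with the others after the failed
# connection attempt times out.
connect = "host=db1.example.com host=db2.example.com dbname=mail user=dovecot password=secret"

password_query = SELECT password FROM users WHERE userid = '%u'
user_query = SELECT home, uid, gid FROM users WHERE userid = '%u'
```

Two things to keep in mind. The passdb and userdb queries are plain SELECTs, so the second host can be a read-only replica, but it must hold the same rows: a replica that has fallen behind, or that was restored from an older dump, silently changes who can log in the moment failover happens. And the repeated host= syntax is parsed by Dovecot's MySQL driver; with driver = pgsql the connect string is handed to libpq, which has its own comma-separated multi-host syntax.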


Re: Permission denied UNIX perms appear ok (ACL/MAC wrong?))

2022-08-30 Thread spi


Am 30.08.22 um 20:43 schrieb Austin Witmer:

I am still getting the errors I mentioned previously. Maybe half a
dozen of them per day . . .

So, the location of my mail storage
(/mnt/volume1/mailserver/plain/maildir/%d/%n/) is a filesystem mounted
by gocryptfs. Do you think gocryptfs could be at fault here?

Austin Witmer



Before and after mounting: What are the mount folder's user/group
permissions? Who owns the mount folder (user/group)?

If you do a "stat
/mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log
" as the user dovecot is
running as (from your mail I see austin owns that file - is dovecot run
as user austin?) - do you also get an error?

If you do get an error - could you create a small encrypted fs and mount
it to another folder, create a file there and check again for "stat
file"? Play with the permissions and user/group assignments. Still
getting an error?

--
Cheers
spi


Re: Permission denied UNIX perms appear ok (ACL/MAC wrong?))

2022-08-30 Thread Austin Witmer
I am still getting the errors I mentioned previously. Maybe half a dozen of 
them per day . . .

So, the location of my mail storage 
(/mnt/volume1/mailserver/plain/maildir/%d/%n/) is a filesystem mounted by 
gocryptfs. Do you think gocryptfs could be at fault here?

Austin Witmer

> On Aug 24, 2022, at 12:10 PM, lorek  wrote:
> 
> There are a number of issues that can appear to be ACL issues when in fact 
> its something else.
> 
> As others have mentioned, AppArmor profiles and SELinux contexts can be 
> checked and are the most common. There are ACL permissions as well if you 
> enabled ACL (they are not enabled by default on Ubuntu server). 
> I've occasionally (rarely) seen some weird interactions with sockets between 
> MDA and MTA if the permissions on the directory were not set correctly.
> 
> Additionally, if a mount permission mask is being used, that can occasionally 
> cause similar issues as well, as is often the case with using an NTFS backing 
> filesystem for maildir that's been mounted with unix perms.
> There can also be some edge-cases with permissions in Ubuntu's flavored snap 
> containers as well as docker containers and custom sieves.
> 
> It's difficult to say with any accuracy what is causing your issue with the 
> information provided.
> 
> Have you increased the verbosity of the logging?
> 
> If all of the normal culprits do not stand out, maybe some others will have 
> an idea. 
> 
> As a final fallback you can always set a breakpoint and use a reverse 
> debugger. It's not going to be performant but it will at least narrow down 
> where the issue is coming from, and what the intermediate states were that 
> led to the error so you can save/replicate them moving forward for 
> resolution. Non-determinism can creep into code in a lot of different ways.
> 
> Best Regards,
> N
> 
> 
> On Tue, Aug 23, 2022 at 4:53 AM Austin Witmer wrote:
> Here is the output of dovecot -n
> 
> austin@mail:~$ doveconf -n
> # 2.3.16 (7e2e900c1a): /etc/dovecot/dovecot.conf
> # Pigeonhole version 0.5.16 (09c29328)
> # OS: Linux 5.15.0-46-generic x86_64 Ubuntu 22.04.1 LTS 
> # Hostname: mail
> auth_mechanisms = plain login
> listen = *
> mail_location = mbox:~/mail:INBOX=/var/mail/%u
> mail_privileged_group = mail
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope encoded-character 
> vacation subaddress comparator-i;ascii-numeric relational regex imap4flags 
> copy include variables body enotify environment mailbox date index ihave 
> duplicate mime foreverypart extracttext
> namespace inbox {
>   inbox = yes
>   location = 
>   mailbox Drafts {
> special_use = \Drafts
>   }
>   mailbox Junk {
> special_use = \Junk
>   }
>   mailbox Sent {
> auto = subscribe
> special_use = \Sent
>   }
>   mailbox "Sent Messages" {
> special_use = \Sent
>   }
>   mailbox Spam {
> auto = subscribe
>   }
>   mailbox Trash {
> auto = subscribe
> special_use = \Trash
>   }
>   prefix = 
> }
> passdb {
>   driver = pam
> }
> passdb {
>   args = /etc/dovecot/dovecot-sql.conf
>   driver = sql
> }
> passdb {
>   args = /etc/dovecot/dovecot-sql.conf
>   driver = sql
> }
> plugin {
>   sieve = 
> file:/mnt/volume1/mailserver/plain/sieve/%d/%n/scripts;active=/mnt/volume1/mailserver/plain/sieve/%d/%n/%n.sieve
>   sieve_before = /var/lib/dovecot/sieve/
>   sieve_global_dir = /var/lib/dovecot/sieve/
>   sieve_global_path = /var/lib/dovecot/sieve/default.sieve
>   sieve_user_log = 
> file:/mnt/volume1/mailserver/plain/sieve/%d/%n/sieve_error.log
> }
> protocols = imap lmtp pop3 imap lmtp sieve pop3
> service auth {
>   unix_listener /var/spool/postfix/private/auth {
> group = postfix
> mode = 0660
> user = postfix
>   }
> }
> service imap-login {
>   inet_listener imap {
> port = 0
>   }
>   inet_listener imaps {
> port = 993
>   }
> }
> service lmtp {
>   unix_listener /var/spool/postfix/private/dovecot-lmtp {
> group = postfix
> mode = 0600
> user = postfix
>   }
> }
> service managesieve-login {
>   inet_listener sieve {
> port = 4190
>   }
>   service_count = 1
> }
> ssl = required
> ssl_cert =  
> ssl_dh = # hidden, use -P to show it
> ssl_key = # hidden, use -P to show it
> ssl_prefer_server_ciphers = yes
> userdb {
>   driver = passwd
> }
> userdb {
>   driver = prefetch
> }
> userdb {
>   args = /etc/dovecot/dovecot-sql.conf
>   driver = sql
> }
> userdb {
>   driver = prefetch
> }
> userdb {
>   args = /etc/dovecot/dovecot-sql.conf
>   driver = sql
> }
> protocol lmtp {
>   hostname = mail.mydomain.com 
>   mail_plugins = " sieve"
>   postmaster_address = postmas...@mydomain.com 
> 
> }
> protocol lda {
>   mail_plugins = " sieve"
> }
> 
> 
> Austin Witmer
> 
> 
>> On Aug 20, 2022, at 12:09 PM, Austin Witmer wrote:
>> 
>> And no, I don’t think I 

Re: Dovecot mail-crypt webmail can't read encrypted messages

2022-08-30 Thread Serveria Support
That's exactly what I'm trying to do. Both userdb and passdb are 
referring to dovecot-mysql.conf:


userdb {
args = /etc/dovecot/dovecot-mysql.conf
driver = sql
}
passdb {
args = /etc/dovecot/dovecot-mysql.conf
driver = sql
}

dovecot-mysql.conf contains the following query only:

password_query = SELECT \
  username as "user", password, \
  '%w' AS userdb_mail_crypt_private_password \
  FROM mailbox WHERE username="%u";

It was taken from your tutorial (I was following this tutorial closely): 
https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/


So what am I doing wrong? :)

On 2022-08-30 16:13, Aki Tuomi wrote:

You need to return the private password in your passdb query, like

SELECT  '%w' AS userdb_mail_crypt_private_password ...

not in your userdb query, as %w will not be available there.

Aki

On 30/08/2022 15:33 EEST Serveria Support  
wrote:



Update: I managed to remove the master user query so users are not
getting marked as master_user on login. However, that doesn't seem to
affect anything. I'm still unable to read encoded emails in webmail. No
new errors are showing up in the log. I have even created a brand new
user and all new keys via doveadm but still no go. Any suggestions?

On 2022-08-29 16:30, Serveria Support wrote:
> Upon closer review, it seems you're probably right: both users are in
> fact marked master_user. How is that possible? I haven't marked new
> user as a master_user. Are users marked master_user by default? What's
> even more interesting, /etc/dovecot/dovecot-master-users doesn't
> contain this user's data. Is it possible to unset this master_user
> flag somehow? I browsed through the db in mySQL but wasn't able to
> locate any master_users as well. Sorry for being such a noob... :)
>
> On 2022-08-29 11:33, Aki Tuomi wrote:
>> Hard to say.
>>
>> If you are logging in as master_user, there will be a different password
>> than the normal user. Usually. With your setup, you can only access user's
>> mail if you are using the exact same password that the user was using.
>>
>> Your logs seem to indicate that you are logging in as master_user, so you
>> are probably unable to access mails.
>>
>> Aki
>>
>>
>>> On 29/08/2022 10:51 EEST Serveria Support 
>>> wrote:
>>>
>>>
>>> Emm, sorry for the confusion, there are two users authenticating -
>>> master user "postmaster" and the second user called "test". I have
>>> just
>>> obfuscated users by replacing usernames with myuser. So no, this
>>> shouldn't be the issue.
>>>
>>> Any other suggestions?
>>>
>>> On 2022-08-29 10:30, Aki Tuomi wrote:
>>> >> On 29/08/2022 09:26 EEST Serveria Support 
>>> >> wrote:
>>> >>
>>> >>
>>> >> It's a testing install my main goal is to make it work. I will play
>>> >> around with password encryption before going live.
>>> >>
> >>> >> I have enabled all possible debugging yet I can't see the value you
>>> >> mentioned in the log file. Could you please point me?
>>> >>
>>> >> Aug 29 01:46:30 mx dovecot: auth-worker(648543): Debug: conn
>>> >> unix:auth-worker (pid=648542,uid=110): auth-worker<1>:
>>> >> sql(myu...@mydomain.xyz,xx.xx.xx.xx,): query: SELECT
>>> >> mailbox.password, mailbox.allow_nets FROM mailbox,domain WHERE
>>> >> mailbox.username='myu...@mydomain.xyz' AND mailbox.`enableimaptls`=1
>>> >> AND
>>> >> mailbox.active=1 AND mailbox.domain=domain.domain AND
>>> >> domain.backupmx=0
>>> >> AND domain.active=1
>>> >
>>> > it's not set here.
>>> >
>>> >
>>> >> Aug 29 01:46:30 mx dovecot: auth-worker(648543): Debug: conn
>>> >> unix:auth-worker (pid=648542,uid=110): auth-worker<2>:
>>> >> sql(myu...@mydomain.xyz,xx.xx.xx.xx,): SELECT
>>> >> LOWER('myu...@mydomain.xyz') AS master_user,
>>> >> LOWER(CONCAT(mailbox.storagebasedirectory, '/', mailbox.storagenode,
>>> >> '/', mailbox.maildir)) AS home, CONCAT(mailbox.mailboxformat, ':~/',
>>> >> mailbox.mailboxfolder) AS mail, CONCAT('*:bytes=',
>>> >> mailbox.quota*1048576) AS quota_rule FROM mailbox,domain WHERE
>>> >> mailbox.username='myu...@mydomain.xyz' AND mailbox.`enableimaptls`=1
>>> >> AND
>>> >> mailbox.active=1 AND mailbox.domain=domain.domain AND
>>> >> domain.backupmx=0
>>> >> AND domain.active=1
>>> >
>>> > it's not set here either.
>>> >
>>> > So. You are doing master user login, and are wondering why user's
>>> > password is not available?
>>> >
>>> > Master user logins are not really compatible with using user's
>>> > password as encryption key.
>>> >
>>> > Aki
>>> >
>>> >>
>>> >> On 2022-08-29 07:56, Aki Tuomi wrote:
>>> >> >> On 28/08/2022 09:20 EEST Serveria Support 
>>> >> >> wrote:
>>> >> >>
>>> >> >>
>>> >> >> I'm trying to setup Dovecot with mail-crypt plugin with per-user
>>> >> >> encryption.
>>> >> >>
>>> >> >> I have configured mail-crypt plugin as per official guide here:
>>> >> >> https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/
>>> >> >>
>>> >> >> After that I created a user and an encrypted key by running this
>>> >> >> command: doveadm -o 

Re: Dovecot mail-crypt webmail can't read encrypted messages

2022-08-30 Thread Aki Tuomi
You need to return the private password in your passdb query, like

SELECT  '%w' AS userdb_mail_crypt_private_password ... 

not in your userdb query, as %w will not be available there.

Aki

> On 30/08/2022 15:33 EEST Serveria Support  wrote:
> 
>  
> Update: I managed to remove the master user query so users are not 
> getting marked as master_user on login. However, that doesn't seem to 
> affect anything. I'm still unable to read encoded emails in webmail. No 
> new errors are showing up in the log. I have even created a brand new 
> user and all new keys via doveadm but still no go. Any suggestions?
> 
> On 2022-08-29 16:30, Serveria Support wrote:
> > Upon closer review, it seems you're probably right: both users are in
> > fact marked master_user. How is that possible? I haven't marked new
> > user as a master_user. Are users marked master_user by default? What's
> > even more interesting, /etc/dovecot/dovecot-master-users doesn't
> > contain this user's data. Is it possible to unset this master_user
> > flag somehow? I browsed through the db in mySQL but wasn't able to
> > locate any master_users as well. Sorry for being such a noob... :)
> > 
> > On 2022-08-29 11:33, Aki Tuomi wrote:
> >> Hard to say.
> >> 
> >> If you are logging in as master_user, there will be a different password
> >> than the normal user. Usually. With your setup, you can only access user's
> >> mail if you are using the exact same password that the user was using.
> >> 
> >> Your logs seem to indicate that you are logging in as master_user, so you
> >> are probably unable to access mails.
> >> 
> >> Aki
> >> 
> >> 
> >>> On 29/08/2022 10:51 EEST Serveria Support  
> >>> wrote:
> >>> 
> >>> 
> >>> Emm, sorry for the confusion, there are two users authenticating -
> >>> master user "postmaster" and the second user called "test". I have 
> >>> just
> >>> obfuscated users by replacing usernames with myuser. So no, this
> >>> shouldn't be the issue.
> >>> 
> >>> Any other suggestions?
> >>> 
> >>> On 2022-08-29 10:30, Aki Tuomi wrote:
> >>> >> On 29/08/2022 09:26 EEST Serveria Support 
> >>> >> wrote:
> >>> >>
> >>> >>
> >>> >> It's a testing install my main goal is to make it work. I will play
> >>> >> around with password encryption before going live.
> >>> >>
> >>> >> I have enabled all possible debugging yet I can't see the value you
> >>> >> mentioned in the log file. Could you please point me?
> >>> >>
> >>> >> Aug 29 01:46:30 mx dovecot: auth-worker(648543): Debug: conn
> >>> >> unix:auth-worker (pid=648542,uid=110): auth-worker<1>:
> >>> >> sql(myu...@mydomain.xyz,xx.xx.xx.xx,): query: SELECT
> >>> >> mailbox.password, mailbox.allow_nets FROM mailbox,domain WHERE
> >>> >> mailbox.username='myu...@mydomain.xyz' AND mailbox.`enableimaptls`=1
> >>> >> AND
> >>> >> mailbox.active=1 AND mailbox.domain=domain.domain AND
> >>> >> domain.backupmx=0
> >>> >> AND domain.active=1
> >>> >
> >>> > it's not set here.
> >>> >
> >>> >
> >>> >> Aug 29 01:46:30 mx dovecot: auth-worker(648543): Debug: conn
> >>> >> unix:auth-worker (pid=648542,uid=110): auth-worker<2>:
> >>> >> sql(myu...@mydomain.xyz,xx.xx.xx.xx,): SELECT
> >>> >> LOWER('myu...@mydomain.xyz') AS master_user,
> >>> >> LOWER(CONCAT(mailbox.storagebasedirectory, '/', mailbox.storagenode,
> >>> >> '/', mailbox.maildir)) AS home, CONCAT(mailbox.mailboxformat, ':~/',
> >>> >> mailbox.mailboxfolder) AS mail, CONCAT('*:bytes=',
> >>> >> mailbox.quota*1048576) AS quota_rule FROM mailbox,domain WHERE
> >>> >> mailbox.username='myu...@mydomain.xyz' AND mailbox.`enableimaptls`=1
> >>> >> AND
> >>> >> mailbox.active=1 AND mailbox.domain=domain.domain AND
> >>> >> domain.backupmx=0
> >>> >> AND domain.active=1
> >>> >
> >>> > it's not set here either.
> >>> >
> >>> > So. You are doing master user login, and are wondering why user's
> >>> > password is not available?
> >>> >
> >>> > Master user logins are not really compatible with using user's
> >>> > password as encryption key.
> >>> >
> >>> > Aki
> >>> >
> >>> >>
> >>> >> On 2022-08-29 07:56, Aki Tuomi wrote:
> >>> >> >> On 28/08/2022 09:20 EEST Serveria Support 
> >>> >> >> wrote:
> >>> >> >>
> >>> >> >>
> >>> >> >> I'm trying to setup Dovecot with mail-crypt plugin with per-user
> >>> >> >> encryption.
> >>> >> >>
> >>> >> >> I have configured mail-crypt plugin as per official guide here:
> >>> >> >> https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/
> >>> >> >>
> >>> >> >> After that I created a user and an encrypted key by running this
> >>> >> >> command: doveadm -o \plugin/mail_crypt_private_password=12345 
> >>> >> >> mailbox
> >>> >> >> cryptokey generate -u m...@example.org -URf (replacing dummy data 
> >>> >> >> ofc)
> >>> >> >>
> >>> >> >> I can log in to webmail (and Dovecot) just fine, emails are getting
> >>> >> >> sent
> >>> >> >> and delivered. I have also checked the storage and the messages seem
> >>> >> >> to
> >>> >> >> be stored encrypted.
> >>> >> >>
> >>> >> >> However, I can't read the emails in webmail 
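Aki's point above in one working configuration, as an added example that is not part of the thread and not the Dovecot project's own files. The mailbox table with its username and password columns comes from the posts; the maildir column, uid/gid 5000, the BLF-CRYPT scheme, the connection details and the file names are assumptions.

```conf
# /etc/dovecot/dovecot-mysql.conf (excerpt)
driver = mysql
connect = "host=localhost dbname=vmail user=vmail password=secret"
default_pass_scheme = BLF-CRYPT

# passdb query. %w (the password the client just presented) exists only in
# passdb lookups. The userdb_ prefix turns the column into a userdb extra
# field, so the mail process receives mail_crypt_private_password for this
# login and the mail_crypt plugin can unlock the user's private key with it.
password_query = SELECT username AS "user", password, \
  '%w' AS userdb_mail_crypt_private_password \
  FROM mailbox WHERE username = '%u'

# userdb query. %w is empty in a userdb lookup, so returning
# mail_crypt_private_password from here yields an empty password.
user_query = SELECT maildir AS home, 5000 AS uid, 5000 AS gid \
  FROM mailbox WHERE username = '%u'

# /etc/dovecot/conf.d/90-mail-crypt.conf
mail_plugins = $mail_plugins mail_crypt
plugin {
  mail_crypt_save_version = 2
  mail_crypt_curve = secp521r1
  # Refuse a user private key that is not itself encrypted with the
  # per-user password; a clear-text key would make the password irrelevant.
  mail_crypt_require_encrypted_user_key = yes
}
```

Two consequences follow from %w being the key-unlocking secret. First, the password given to doveadm -o plugin/mail_crypt_private_password=... mailbox cryptokey generate must be the exact password the user later logs in with; any later password change has to be paired with a cryptokey password change, or the key becomes unreadable. Second, a master-user login presents the master password in %w, so the user's key cannot be unlocked that way, which is why Aki says the two features do not combine.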

Re: Dovecot mail-crypt webmail can't read encrypted messages

2022-08-30 Thread Serveria Support
Update: I managed to remove the master user query so users are not 
getting marked as master_user on login. However, that doesn't seem to 
affect anything. I'm still unable to read encoded emails in webmail. No 
new errors are showing up in the log. I have even created a brand new 
user and all new keys via doveadm but still no go. Any suggestions?


On 2022-08-29 16:30, Serveria Support wrote:

Upon closer review, it seems you're probably right: both users are in
fact marked master_user. How is that possible? I haven't marked new
user as a master_user. Are users marked master_user by default? What's
even more interesting, /etc/dovecot/dovecot-master-users doesn't
contain this user's data. Is it possible to unset this master_user
flag somehow? I browsed through the db in mySQL but wasn't able to
locate any master_users as well. Sorry for being such a noob... :)

On 2022-08-29 11:33, Aki Tuomi wrote:

Hard to say.

If you are logging in as master_user, there will be a different password
than the normal user. Usually. With your setup, you can only access user's
mail if you are using the exact same password that the user was using.

Your logs seem to indicate that you are logging in as master_user, so you
are probably unable to access mails.

Aki


On 29/08/2022 10:51 EEST Serveria Support  
wrote:



Emm, sorry for the confusion, there are two users authenticating -
master user "postmaster" and the second user called "test". I have just
obfuscated users by replacing usernames with myuser. So no, this
shouldn't be the issue.

Any other suggestions?

On 2022-08-29 10:30, Aki Tuomi wrote:
>> On 29/08/2022 09:26 EEST Serveria Support 
>> wrote:
>>
>>
>> It's a testing install my main goal is to make it work. I will play
>> around with password encryption before going live.
>>
>> I have enabled all possible debugging yet I can't see the value you
>> mentioned in the log file. Could you please point me?
>>
>> Aug 29 01:46:30 mx dovecot: auth-worker(648543): Debug: conn
>> unix:auth-worker (pid=648542,uid=110): auth-worker<1>:
>> sql(myu...@mydomain.xyz,xx.xx.xx.xx,): query: SELECT
>> mailbox.password, mailbox.allow_nets FROM mailbox,domain WHERE
>> mailbox.username='myu...@mydomain.xyz' AND mailbox.`enableimaptls`=1
>> AND
>> mailbox.active=1 AND mailbox.domain=domain.domain AND
>> domain.backupmx=0
>> AND domain.active=1
>
> it's not set here.
>
>
>> Aug 29 01:46:30 mx dovecot: auth-worker(648543): Debug: conn
>> unix:auth-worker (pid=648542,uid=110): auth-worker<2>:
>> sql(myu...@mydomain.xyz,xx.xx.xx.xx,): SELECT
>> LOWER('myu...@mydomain.xyz') AS master_user,
>> LOWER(CONCAT(mailbox.storagebasedirectory, '/', mailbox.storagenode,
>> '/', mailbox.maildir)) AS home, CONCAT(mailbox.mailboxformat, ':~/',
>> mailbox.mailboxfolder) AS mail, CONCAT('*:bytes=',
>> mailbox.quota*1048576) AS quota_rule FROM mailbox,domain WHERE
>> mailbox.username='myu...@mydomain.xyz' AND mailbox.`enableimaptls`=1
>> AND
>> mailbox.active=1 AND mailbox.domain=domain.domain AND
>> domain.backupmx=0
>> AND domain.active=1
>
> it's not set here either.
>
> So. You are doing master user login, and are wondering why user's
> password is not available?
>
> Master user logins are not really compatible with using user's
> password as encryption key.
>
> Aki
>
>>
>> On 2022-08-29 07:56, Aki Tuomi wrote:
>> >> On 28/08/2022 09:20 EEST Serveria Support 
>> >> wrote:
>> >>
>> >>
>> >> I'm trying to set up Dovecot with mail-crypt plugin with per-user
>> >> encryption.
>> >>
>> >> I have configured mail-crypt plugin as per official guide here:
>> >> https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/
>> >>
>> >> After that I created a user and an encrypted key by running this
>> >> command: doveadm -o plugin/mail_crypt_private_password=12345 mailbox
>> >> cryptokey generate -u m...@example.org -URf (replacing dummy data ofc)
>> >>
>> >> I can log in to webmail (and Dovecot) just fine, emails are getting
>> >> sent
>> >> and delivered. I have also checked the storage and the messages seem
>> >> to
>> >> be stored encrypted.
>> >>
>> >> However, I can't read the emails in webmail (just headers can be seen)
>> >> and in Dovecot logs I can see the following error:
>> >>
>> >> failed: Private key not available: Cannot decrypt key ### Cannot
>> >> decrypt
>> >> key ### <8632: Password not available (FETCH RFC822.HEADER)
>> >>
>> >> There seems to be an issue with mySQL query. The query I'm using
>> >> (Select
>> >> username as "user", password,"%w" as
>> >> userdb_mail_crypt_private_password
>> >> from mailbox;) seems to work just fine, when run from mysql prompt it
>> >> outputs the usernames and passwords, but the error is still there
>> >> (Cannot decrypt key ### Password not available).
>> >>
>> >> Any ideas? What am I missing
>> >
>> > Hi!
>> >
>> > First of all, it's super-unsafe to use user's password like that as
>> > private password, at least run it through SHA256. This prevents
>> > dovecot from doing expansions on it by accident.
>> >
>> > 
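As an added configuration example (not from this thread and not Dovecot's own documentation), here is the password_query from the thread with the raw "%w" beside a version that hashes it with MySQL's SHA2(), which is the "run it through SHA256" step Aki recommends. The file path, driver, host, database name and the extra columns are assumptions; the mailbox table and its username/password columns follow the queries quoted above.

```conf
# /etc/dovecot/dovecot-sql.conf.ext   (added example; names and paths assumed)
driver = mysql
connect = host=db1.example.com dbname=vmail user=vmail password=REPLACE_ME

# Weak: the login password is handed to the plugin verbatim. Dovecot
# expands %-variables in plugin settings, so a password containing '%'
# can be altered on the way, and the plaintext travels in the userdb
# reply.
#password_query = SELECT username AS user, password, \
#  '%w' AS userdb_mail_crypt_private_password \
#  FROM mailbox WHERE username = '%u' AND active = 1

# Better: derive the private-key password from SHA-256 of the login
# password. MySQL's SHA2(..., 256) returns a 64-character lowercase hex
# string, which contains nothing Dovecot will expand.
password_query = SELECT username AS user, password, \
  SHA2('%w', 256) AS userdb_mail_crypt_private_password \
  FROM mailbox WHERE username = '%u' AND active = 1

# The key must be generated with the same derived value, otherwise the
# plugin cannot decrypt it at login. Same digest, computed in the shell:
#   doveadm -o plugin/mail_crypt_private_password=$(printf '%s' 'secret' | sha256sum | cut -d' ' -f1) \
#     mailbox cryptokey generate -u user@example.org -URf
```

The caveat Aki raises still applies: on a master-user login "%w" is the master user's password, so the derived value will not decrypt the user's key.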

Re: multiple / backup sql servers for sql server access

2022-08-30 Thread Brendan Kearney
Per https://doc.dovecot.org/configuration_manual/authentication/sql/, 
you can add more than one "host=" parameter in the "connect" directive, 
and leave dovecot to do round-robin load balancing. There will probably 
be a delay in processing while a failed database connection attempt 
times out.


Or you can use a load balanced database footprint, using something like 
haproxy.  It's not as simple as putting multiple databases behind haproxy 
and calling it done.  I use mariadb, which via galera, can do 
multi-primary HA, where all 3 primary instances can take write or read 
events.  You need to configure each mariadb instance with galera 
replication and then set up haproxy to properly attach to the databases 
and perform a service check.


postgresql or other databases may require different mechanisms to 
achieve fault tolerant HA.


On 8/30/22 4:18 AM, Sami Ketola wrote:
> 
>> On 30. Aug 2022, at 5.13, Jack Snodgrass  wrote:
>> 
>> I am using this file:
>> 
>> dovecot-sql.conf.ext
>> 
>> and in there  I have a
>> 
>> connect = "host= dbname= user= 
>> password="
>> 
>> My  was down and I lost mail access for a few days before I 
>> realized that there was an issue.  How can I specify a backup server 
>> so that if my primary sql server goes down, a backup sql server will 
>> be queried?
> 
> Use haproxy.
> 
> Sami
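An added configuration example (not from this thread, Dovecot or HAProxy's own documentation) showing the two options Brendan describes: a Dovecot "connect" line with two "host=" entries, and a minimal HAProxy front end for a three-node Galera cluster that routes only to synced nodes. Hostnames, ports, the database name and the clustercheck responder on port 9200 are assumptions.

```conf
# dovecot-sql.conf.ext (added example; names assumed)
driver = mysql
# Option A: Dovecot round-robins between the hosts and skips one whose
# connection attempt fails, after the connect timeout has expired.
connect = host=db1.example.com host=db2.example.com dbname=vmail user=vmail password=REPLACE_ME
# Option B: point Dovecot at the local HAProxy endpoint defined below.
#connect = host=127.0.0.1 dbname=vmail user=vmail password=REPLACE_ME

# haproxy.cfg (added example; names and ports assumed)
listen mysql-galera
    bind 127.0.0.1:3306
    mode tcp
    option tcplog
    # A plain TCP check would accept a Galera node that is up but not
    # synced. Check the clustercheck HTTP responder (assumed to run on
    # each node on port 9200) instead; it returns 200 only for synced
    # nodes.
    option httpchk GET /
    http-check expect status 200
    # One primary for writes, the others as backups, so Dovecot's
    # connections are not spread across nodes that may conflict.
    server db1 db1.example.com:3306 check port 9200 inter 2s fall 3 rise 2
    server db2 db2.example.com:3306 check port 9200 inter 2s fall 3 rise 2 backup
    server db3 db3.example.com:3306 check port 9200 inter 2s fall 3 rise 2 backup
```

The service check is the part Brendan warns about: without it HAProxy only knows whether port 3306 answers, not whether the node is a usable cluster member.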



Re: multiple / backup sql servers for sql server access

2022-08-30 Thread Sami Ketola


> On 30. Aug 2022, at 5.13, Jack Snodgrass  wrote:
> 
> 
> 
> I am using this file: 
> 
> dovecot-sql.conf.ext
> 
> and in there  I have a 
> 
> connect = "host= dbname= user= password="
> 
> 
> 
> My  was down and I lost mail access for a few days before I 
> realized that there was an issue.  How can I specify a backup server so that 
> if my primary sql server goes down, a backup sql server will be queried?

Use haproxy.

Sami