dovecot lmtp and smtputf8

2023-10-23 Thread Kamil Jońca


Does dovecot handle smtputf8?
Last articles regarding this are several years old.
Anything changed?
KJ
___
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org


dovecot 2.0 supports EC private key?

2023-10-23 Thread Marc


Does dovecot 2.0 support EC private keys?


Re: The future of SIS

2023-10-23 Thread Aki Tuomi via dovecot


> On 17/10/2023 03:26 EEST Jan Bramkamp wrote:
> 
>  
> On 16.10.23 13:17, Pedro Ribeiro via dovecot wrote:
> > Hello to everyone!
> > Ooops, we are using SIS, guess the solution for a similar optimization will
> > be a native deduplicated filesystem.
> 
> A block level de-duplicating filesystem can only deduplicate data that 
> is aligned to block boundaries. E-mail attachments tend to move around 
> into a different alignment in each copy stored into a different 
> mailbox. Unless the storage format is designed to split off the 
> attachments into files there is not much to be gained by block level 
> dedup. So for the foreseeable future I'll have to stay off Dovecot 3.x 
> or add four to five times more storage to both my IMAP servers since my 
> users love to send big documents to multiple recipients.
> 
> Is this an attempt to figure out the pain tolerance of existing users 
> before they fork the project or pay up the Danegeld?
> 

SIS won't be available even if you paid up the Danegeld. You can use 
mail_attachment_fs with posix driver.

Aki


Re: OAUTH2 tokeninfo is doing a GET instead of a POST request

2023-10-23 Thread Aki Tuomi via dovecot
Don't set tokeninfo url if you require POST query. It's not mandatory to set 
all endpoints.

Also if you are using jwt, you can also opt to do local validation instead.

Aki

> On 17/10/2023 16:03 EEST Alexander Leidinger via dovecot wrote:
> 
>  
> Hi,
> 
> I try to set up oauth2 authentication with dovecot 2.3.21.
> 
> The debug log of dovecot shows that it tries to do a HTTP GET request to 
> the tokeninfo url with the token appended to the end of the URL. This 
> gives a 404 error. The openidconnect server I use (keycloak) tells that 
> this API endpoint conforms to 
> https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint 
> which specifies that the request has to be a HTTP POST request.
> 
> So dovecot is trying to do something (GET request) which the OIDC 
> specification does not agree with (shall be POST request).
> 
> Here is the dovecot debug log of it:
> ---snip---
> Oct 17 12:11:19 imap dovecot[81589]: auth: Debug: http-client[1]: request [Req1: GET https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/tokeneyJhbGci...: Submitted (requests left=1)
> [...]
> Oct 17 12:11:19 imap dovecot[81589]: auth: Debug: oauth2.domain.tld: SSL: where=0x1001, ret=1: SSLv3/TLS read server session ticket
> Oct 17 12:11:19 imap dovecot[81589]: auth: Debug: oauth2.domain.tld: where=0x1002, ret=1: SSL negotiation finished successfully
> Oct 17 12:11:19 imap dovecot[81589]: auth: Debug: oauth2.domain.tld: SSL: where=0x1001, ret=1: SSL negotiation finished successfully
> Oct 17 12:11:19 imap syslogd: last message repeated 1 times
> Oct 17 12:11:19 imap dovecot[81589]: auth: Debug: oauth2.domain.tld: SSL: where=0x1001, ret=1: SSLv3/TLS read server session ticket
> Oct 17 12:11:19 imap dovecot[81589]: auth: Debug: oauth2.domain.tld: SSL: where=0x1002, ret=1: SSL negotiation finished successfully
> Oct 17 12:11:19 imap dovecot[81589]: auth: Debug: http-client: conn :443 [1]: Got 404 response for request [Req1: GET https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/tokeneyJhbGci
> ---snip---
> 
> My passdb config (only showing the oauth part):
> ---snip---
> passdb {
>   driver = oauth2
>   mechanisms = oauthbearer xoauth2
>   args = /usr/local/etc/dovecot/auth-oauth2.token.conf.ext
> }
> 
> passdb {
>   driver = oauth2
>   mechanisms = plain
>   args = /usr/local/etc/dovecot/auth-oauth2.plain.conf.ext
> }
> ---snip---
> 
> auth-oauth2.token.conf.ext:
> ---snip---
> openid_configuration_url = https://oauth2.domain.tld/realms/MyRealm/.well-known/openid-configuration
> tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token
> introspection_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token/introspect
> introspection_mode = post
> active_attribute = active
> active_value = true
> client_id = myid
> client_secret = mysecret
> use_grant_password = no
> debug = yes
> username_attribute = email
> pass_attrs = pass=%{oauth2:access_token}
> ---snip---
> 
> auth-oauth2.plain.conf.ext:
> ---snip---
> openid_configuration_url = https://oauth2.domain.tld/realms/MyRealm/.well-known/openid-configuration
> #tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token
> introspection_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token/introspect
> introspection_mode = post
> active_attribute = active
> active_value = true
> client_id = myid
> client_secret = mysecret
> use_grant_password = yes
> debug = yes
> username_attribute = email
> pass_attrs = host= proxy=y proxy_mech=xoauth2 pass=%{oauth2:access_token}
> ---snip---
> 
> On https://doc.dovecot.org/configuration_manual/authentication/oauth2/ I 
> can not find any way to tell that the tokeninfo url shall do a POST 
> request instead of a GET request.
> 
> I found something on reddit how to make it work with keycloak, but this 
> seems to be a workaround, and not a proper fix...
> The first comment at
> https://www.reddit.com/r/selfhosted/comments/omwb2j/any_one_get_dovecot_keycloak_working_for_with/
> makes this work for me.
> 
> The working but not really up to the OIDC spec dovecot config is:
> 
> auth-oauth2.token.conf.ext:
> ---snip---
> openid_configuration_url = https://oauth2.domain.tld/realms/MyRealm/.well-known/openid-configuration
> #tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/Leidinger/protocol/openid-connect/token
> tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/userinfo?trash=
> introspection_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token/introspect
> introspection_mode = auth
> #active_attribute = active
> #active_value = true
> client_id = myid
> client_secret = mysecret
> use_grant_password = no
> #debug = yes
> username_attribute = email
> pass_attrs = pass=%{oauth2:access_token}
> ---snip---
> 
> auth-oauth2.plain.conf.ext:
> ---snip---
> 
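Added example (not part of the original thread and not Dovecot's code): it builds, without sending, the GET request shape visible in the debug log above, the same shape with the `userinfo?trash=` workaround URL, and an RFC 7662 style POST introspection request, to show where the access token travels in each. The dummy token, the function names and the use of HTTP Basic for client authentication are assumptions.

```python
import base64
from urllib.parse import urlencode, urlsplit
from urllib.request import Request

# Constructed values: host and realm mirror the post's placeholders,
# the token is a dummy string, not a real credential.
BASE = "https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect"
TOKEN = "eyJhbGciOiJub25lIn0.e30."


def tokeninfo_get(tokeninfo_url, token):
    """GET lookup as in the debug log: token concatenated onto the URL."""
    return Request(tokeninfo_url + token, method="GET")


def introspection_post(url, token, client_id, client_secret):
    """RFC 7662 style introspection: token in a form-encoded POST body.
    HTTP Basic client authentication is an assumption of this sketch."""
    body = urlencode({"token": token}).encode("ascii")
    cred = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return Request(url, data=body, method="POST", headers={
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": "Basic " + cred,
    })


def describe(req, token):
    """Report the method, target and where the token travels."""
    parts = urlsplit(req.full_url)
    return {
        "method": req.get_method(),
        "path": parts.path,
        "query": parts.query,
        "token_in_url": token in req.full_url,
        "token_in_body": req.data is not None and token.encode() in req.data,
    }


def cases():
    """Requests are only built here, never sent."""
    return {
        "tokeninfo": describe(tokeninfo_get(BASE + "/token", TOKEN), TOKEN),
        "workaround": describe(tokeninfo_get(BASE + "/userinfo?trash=", TOKEN), TOKEN),
        "introspect": describe(
            introspection_post(BASE + "/token/introspect", TOKEN, "myid", "mysecret"), TOKEN),
    }


if __name__ == "__main__":
    for name, info in cases().items():
        print(name, info)
```

In the two GET cases the token is part of the URL, so it shows up wherever that URL is logged, as it does in the quoted debug log; in the POST case it stays in the request body.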

Re: Question: ETA OpenSSL 3.0 Support

2023-10-23 Thread Aki Tuomi via dovecot
I can't give a definitive ETA for 2.4 release, but it's not very far anymore.

Aki

> On 20/10/2023 11:25 EEST Niklas Meyer wrote:
> 
>  
> Hi Aki,
> 
> Yeah, I already thought that. But an ETA is not set yet, I presume, from 
> this message?
> 
> Thanks for your reply!
> 
> Kind regards
> 
> Niklas aka. DerLinkman
> 
> mailcow: dockerized Developer
> 
> On 19.10.2023 at 20:51, Aki Tuomi wrote:
> >> On 17/10/2023 11:23 EEST Niklas Meyer wrote:
> >>
> >>   
> >> Hello everyone,
> >>
> >> I stumbled across some serious problems with decrypting of e-mails if
> >> you use a Dovecot installation with OpenSSL 3.X so I started digging.
> >>
> >> It turns out that Dovecot is not OpenSSL 3.X ready yet, at least if you
> >> compile it yourself.
> >>
> >> The Debian Project adapted an OpenSSL 3.X patch to their repo version of
> >> Dovecot to make it run with Debian 12.
> >>
> >> Alpine Linux has not added a Workaround Patch for Dovecot yet.
> >>
> >> This is actually really bad if you want to Upgrade your Dovecot Server
> >> to a Distro which has OpenSSL 3.X as the new standard and you are not
> >> using their patched Repo Versions but instead compiling dovecot by
> >> yourself or install it from your package repos (which are not Debian 12
> >> compatible also, which is probably because of OpenSSL 3.X I presume?)
> >>
> >> However though I think that this compatibility should be added soon as
> >> more and more Distros are using OpenSSL 3.X.
> >>
> >> So: Is there an approx. ETA when the OpenSSL Compatibility the devs
> >> worked/are working on is coming?
> >>
> >> Thank you for your answers.
> >>
> >> Kind regards from Germany
> >>
> >> Niklas Meyer aka. DerLinkman
> >>
> > Hi!
> >
> > OpenSSL 3.0 support is already in main branch and will be in 2.4 release.
> >
> > Aki