Re: Which DKIM application for postfix 3.9.0

2024-04-24 Thread Jean-Daniel Dupas via dovecot
Talking about completeness, you can also use rspamd (https://www.rspamd.com).
While it is designed to do more than DKIM, it can be used for it.

I have an internal mailer relay based on postfix and rspamd that works great.


> On 24 Apr 2024, at 09:40, infoomatic via dovecot wrote:
> 
> Just for completeness sake I will throw some in:
> 
> *) https://launchpad.net/dkimpy-milter
> *) https://lib.rs/crates/dkim-milter
> *) https://github.com/fastmail/authentication_milter
> 
> I have not yet had time to look at them, so no comment on their usability.
> 
> regards,
> Robert
> 
> 
> On 24.04.24 00:06, Joseph Tam via dovecot wrote:
>> On Tue, Apr 23, 2024 at 7:33 AM  wrote:
>> 
>>> I am upgrading to postfix 3.9.0. I have not used DKIM in previous postfix
>>> installs, but I would like to start now with the new google rules. I have
>>> done some research and opendkim is the most recommended, however, other
>>> research states the opendkim has been abandoned by its maintainers. So I am
>>> looking for a good alternative dkim software that will work with postfix
>>> that I can compile myself. I do not run on any linux version, so therefore
>>> I can not just apt-get a new dkim application. I run Solaris and therefore
>>> need to compile my applications, postfix and dkim.
>>> Any good suggestions will be appreciated.
>> 
>> I just rolled out a locally compiled opendkim on my mail server. It works,
>> but there are a few gotchas.
>> 
>> Although it seems like a moribund project, there is a late beta version that
>> includes some important patches, most notably the "Header:\n LongHeaderValue"
>> bug that needs fixing.  You can look at
>> 
>> https://sourceforge.net/p/opendkim/patches/
>> 
>> to find that patch, as well as others you deem important.  As DKIM standards
>> are not going to change soon, having end-of-line software is not as bad as it
>> seems unless you need particular enhancements to make it work better in your
>> circumstances. Once you get your setup dialed, you can probably set it and
>> forget it.
>> 
>> Most of the headaches have actually been internal: local mail injection via
>> sendmail would skip miltering, From header canonicalization by the MTA would
>> not be seen by the opendkim milter thereby creating messages with missing or
>> invalid signatures, and mailing list/auto reply/forwarder software mangling
>> messages.
>> 
>> I think Postfix does a better job in this regard, so these issues may not
>> present themselves. (I did a Postfix/opendkim milter on an Ubuntu system and
>> it was much less hassle.)
>> 
>> You should look at *lots* of DMARC RUA reports.  People are doing crazy
>> batsh*t stuff with your mail domain.
>> 
>> Joseph Tam 
>> ___
>> dovecot mailing list -- dovecot@dovecot.org
>> To unsubscribe send an email to dovecot-le...@dovecot.org


Re: panics

2024-03-27 Thread Daniel Lange

On 27.03.24 at 18:49, Michael Grant via dovecot wrote:

> I could really use some help debugging issue.


Timo gave some debugging tips in a similar case cf.
https://dovecot.org/pipermail/dovecot/2023-March/126229.html

In case you know how to use gdb, that should work and might get a 
reproducer so this error can be mended for everybody.




Re: Disable sieve redirect filters?

2024-03-21 Thread Daniel Lange

On 21.03.24 at 17:06, jarl...@mxroute.com wrote:
> So my long winded question is, how can I disable redirect filters? I 
> don't want users to be able to create them. But I want them to have 
> access to the rest of the functions of the sieve filtering. Is this 
> possible, or would this need to be an entirely new function contributed 
> to the project's code?


Set sieve_max_redirects to 0 (zero)
cf. https://doc.dovecot.org/settings/pigeonhole/#sieve-max-redirects

Kind regards,
Daniel



Re: The future of SIS

2023-10-18 Thread Jean-Daniel Dupas


> On 18 Oct 2023, at 09:35, Marc wrote:
> 
>>  Dovecot has this option to store attachments separately not? So I am
>> not sure this is then still a problem.
>> 
>> 
>> 
>> Interesting. How do you tell dovecot to do that ?
>> 
> 
> I thought I read about something like this,
> 
> mail_location =  ATTACHMENTS=/attachment
> 
> but now you have made me read the docs[1] I can't really find it.
> 
> @Aki maybe if this SIS is phased out, it is good to offer a solution that 
> stores the attachments separately? I think that would allow current SIS users 
> to implement something alternative.
> 

Thanks for the pointer.
Thanks to it, I found it in the documentation. It was supposed to be defined 
like this in v2.0.0, but it is now a core setting (and is only available for 
sd/mdbox storage):

mail_attachment_dir
• Default: 
• Values: String
The directory in which to store mail attachments.

With sdbox and mdbox, mail attachments can be saved to external files, which 
also allows single-instance storage of them.

If no value is specified, attachment saving to external files is disabled.




Re: The future of SIS

2023-10-17 Thread Jean-Daniel Dupas


 On 17 Oct 2023, at 16:34, Marc wrote:




 The problem is a bit what everyone understands as s3. I associate this indeed
 also with an http endpoint on object storage. But the ceph plugin skips this
 http and talks directly to object store. I don't think you would like to
 operate on this http level. If I look at this page of ceph[1], it also looks
 like you do not want to get yourself involved in deduplication.

 [1] https://docs.ceph.com/en/reef/dev/deduplication/




 Moreover, following Filip remark about block deduplication, having any kind
 of deduplication that is not optimized for the email case (where attachments
 are always embedded in slightly different documents) would make it
 ineffective.

Dovecot has this option to store attachments separately not? So I am not sure
this is then still a problem. 

Interesting. How do you tell dovecot to do that ? 


 Is it really worth bothering deploying a whole Ceph cluster for that ?


 No you should not get ceph just for this. But ceph brings you nice
 redundancy, distributed storage. I am totally fan of it.

Me too. I’m using it extensively to store multi terabytes of data, but it may
be overkill if you don’t need all of this.




Re: The future of SIS

2023-10-17 Thread Jean-Daniel Dupas


 On 17 Oct 2023, at 13:12, Marc wrote:


 Is s3 not too slow for this?

I think the clue is in the name "s3-compatible".

Clearly calling out to "real" (AWS) S3 would be a non-starter.

But a local installation of something like CEPH, MinIO or whatever on the
same LAN ? I'd think that should be workable, no ?

 Do you know of anything that does this reliably?

 I tested a few years ago with ceph[1] but at that point there was some
 issues where it had a 2x write amplification (on top of the 3x) if I
 remember correctly.

 All of this is if not dead end will be a lots of complexity and
 inefficiency and a lot of waste of money. Only the application know how to
 things efficiently and with consistency.

 S3-compatible storage is very good for multi-server installations where you
 need redundancy, availability. S3 is basically HTTP server so you can code
 your own logic on stored emails, balancers, caches, deduplication,
 compression, encryption it doesn't need to be off-the-shelf storage.

The problem is a bit what everyone understands as s3. I associate this indeed
also with an http endpoint on object storage. But the ceph plugin skips this
http and talks directly to object store. I don't think you would like to
operate on this http level. If I look at this page of ceph[1], it also looks
like you do not want to get yourself involved in deduplication.

[1]
https://docs.ceph.com/en/reef/dev/deduplication/


Moreover, following Filip remark about block deduplication, having any kind of
deduplication that is not optimized for the email case (where attachments are
always embedded in slightly different documents) would make it ineffective.
Is it really worth bothering deploying a whole Ceph cluster for that ? 




Re: The future of SIS

2023-10-16 Thread Jean-Daniel Dupas


> On 16 Oct 2023, at 15:51, Marc wrote:
> 
>>> Hello to everyone!
>>> Ooops, we are using SIS, guess the solution for a similar optimization
>> will be
>>> a native deduplicated filesystem.
>> 
>> did you really mean deduplicated or distributed?
>> 
> 
> I think this deduplicating. Storage systems are offering such solutions. I 
> think ceph has something like this, although I am not sure for rbd disk 
> images. I think it makes more sense to have something like this done by a fs 
> or storage solution.

If you are using Ubuntu, OpenZFS is readily available, and supports 
deduplication natively.
Else it is also available on other platforms, but may require more setup.




user lookup fails username is SHA256 @domain

2023-07-16 Thread Daniel Botting

Hi all,

I'm currently building a replacement personal mailserver on Debian 11 
(hopefully upgrade it to 12 and it will continue to work).


My existing personal mailserver is serving a handful of mailboxes for 
three domains, virtual users, on an older version of Debian.


When I attempt to deliver mail to the server (using swaks) it is 
accepted by Exim and passed to lda, as per the logs below the lda is 
somehow seeing the CRYPT entry as if it was the local part?


Output from syslog:

Jul 16 09:50:02 imap2 dovecot: lda({SHA256-CRYPT}generated-sha@example.domain)<700316><>: Debug: auth-master: userdb lookup({SHA256-CRYPT}generated-sha@example.domain): Started userdb lookup
Jul 16 09:50:02 imap2 dovecot: lda({SHA256-CRYPT}generated-sha@example.domain)<700316><>: Debug: auth-master: conn unix:/run/dovecot/auth-userdb: Connecting
Jul 16 09:50:02 imap2 dovecot: lda({SHA256-CRYPT}generated-sha@example.domain)<700316><>: Debug: auth-master: conn unix:/run/dovecot/auth-userdb (pid=700293,uid=0): Client connected (fd=9)

Jul 16 09:50:02 imap2 dovecot: auth: Debug: master in: USER#0111#011{SHA256-CRYPT}generated-sha@example.domain#011service=lda
Jul 16 09:50:02 imap2 dovecot: auth: Username character disallowed by auth_username_chars: 0x7b (username: {SHA256-CRYPT}generated-sha@example.domain)

Jul 16 09:50:02 imap2 dovecot: auth: Debug: userdb out: NOTFOUND#0111
Jul 16 09:50:02 imap2 dovecot: lda({SHA256-CRYPT}generated-sha@example.domain)<700316><>: Debug: auth-master: userdb lookup({SHA256-CRYPT}generated-sha@example.domain): auth USER input:
Jul 16 09:50:02 imap2 dovecot: lda({SHA256-CRYPT}generated-sha@example.domain)<700316><>: Debug: auth-master: userdb lookup({SHA256-CRYPT}generated-sha@example.domain): Userdb lookup failed
Jul 16 09:50:02 imap2 dovecot: lda(700316): Debug: auth-master: conn unix:/run/dovecot/auth-userdb (pid=700293,uid=0): Disconnected: Connection closed (fd=9)


From what I've read 0x7b is hex for { so disallowed by 
auth_username_chars line is because of this problem.


Doveconf -n output:

# 2.3.20 (80a5ac675d): /etc/dovecot/dovecot.conf
# OS: Linux 5.10.0-21-amd64 x86_64 Debian 11.6
# Hostname: mailserver.fqdn
auth_debug = yes
auth_debug_passwords = yes
auth_verbose = yes
mail_debug = yes
mail_location = maildir:~/Maildir
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /etc/vmail/%d/passwd
  driver = passwd-file
}
protocols = " imap"
service auth {
  unix_listener auth-client {
    group = Debian-exim
    mode = 0660
  }
}
service stats {
  unix_listener stats-reader {
    group = vmail
    mode = 0660
    user = vmail
  }
  unix_listener stats-writer {
    group = vmail
    mode = 0660
    user = vmail
  }
}
ssl = required
ssl_cert =

I followed 
https://doc.dovecot.org/configuration_manual/howto/simple_virtual_install/ 
before posting to ensure I hadn't missed something obvious.


Any thoughts on this would be appreciated.

Thanks

Daniel



Re[2]: Possible hack via doveadm

2023-05-14 Thread Daniel L. Miller via dovecot

Thank you Jeremy and Bernardo.

Adding cert verification is something I'll have to delve into. Also 
possibly pushing the replication through the VPN.


It's been a while since I last setup my replication pair - everything's 
been working smoothly so I've forgotten some of the key items. 
Particularly the need to open an explicit port for the doveadm 
connection - which of course I do have on a non-standard port and up 
till now it hasn't been an issue. I was fighting multiple config issues 
at the time - including network setup - so I left the communication 
purely through the external IP's instead of being VPN dependent. I may 
change that.


Fail2ban and other guards have blocked most port scanning and other junk 
- this was the first time I saw such log lines in my mail log and it 
scared me. Now I know what to look for and what it means. Thanks again.


--
Daniel


-- Original Message --

From "jeremy ardley via dovecot" 

To dovecot@dovecot.org
Date 5/14/2023 4:03:28 PM
Subject Re: Possible hack via doveadm




On 14/5/23 23:29, Daniel Miller via dovecot wrote:
I only allow explicit service traffic through. IMAPS, SMTPS, etc. If 
doveadm is communicating via the IMAP(S) ports then all I can do via 
firewall is block countries. Which of course I can but I'm asking 
about any additional hardening for Dovecot itself.




You can set up a doveadm service that requires client certificates

service doveadm {
  inet_listener {
    port = 12345
  }
  ssl = yes
  ssl_cert =


Re: Possible hack via doveadm

2023-05-14 Thread Daniel Miller via dovecot
I only allow explicit service traffic through. IMAPS, SMTPS, etc. If 
doveadm is communicating via the IMAP(S) ports then all I can do via 
firewall is block countries. Which of course I can but I'm asking about any 
additional hardening for Dovecot itself.


--
Daniel
On May 13, 2023 6:25:06 PM jeremy ardley via dovecot wrote:



On 14/5/23 09:14, Daniel L. Miller via dovecot wrote:


May 12 15:45:58 cloud1 dovecot: doveadm(194.165.16.78): Error: doveadm
client not compatible with this server (mixed old and new binaries?)
May 13 03:44:31 cloud1 dovecot: doveadm(45.227.254.48): Error: doveadm
client not compatible with this server (mixed old and new binaries?)

Since I don't recognize those IPs, the first is out of Panama and the
other is Belize, I assume these are hostile attackers trying to
exploit something. How can I defend against this?


Set up a firewall rule that only allows access from an IP range you
control. For any other source, simply drop the connection.

You can get really fancy and use port forwarding using ssh to connect
from remote but appear as localhost to the server. This access can be
configured in dovecot as well as firewall


Jeremy
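
Added example, not part of the thread: a log triage script for the situation discussed above, counting sources that reached the doveadm listener and are not replication peers. The networks in ALLOWED_PEERS and the sample lines marked as constructed are assumptions; the first two sample lines are the ones quoted in the thread.

```python
import ipaddress
import re
from collections import Counter

# Assumption: networks of the legitimate replication peer(s). These are
# documentation ranges (RFC 5737), not addresses from the thread.
ALLOWED_PEERS = [
    ipaddress.ip_network("192.0.2.10/32"),
    ipaddress.ip_network("198.51.100.0/28"),
]

# Syslog format of the errors quoted in the thread:
#   "May 12 15:45:58 cloud1 dovecot: doveadm(194.165.16.78): Error: ..."
DOVEADM_ERROR = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\sdovecot:\s"
    r"doveadm\((?P<src>[^)]+)\):\sError:\s(?P<msg>.*)$"
)

# First two lines: from the thread (re-joined). All other lines: constructed.
SAMPLE_LOG = """\
May 12 15:45:58 cloud1 dovecot: doveadm(194.165.16.78): Error: doveadm client not compatible with this server (mixed old and new binaries?)
May 13 03:44:31 cloud1 dovecot: doveadm(45.227.254.48): Error: doveadm client not compatible with this server (mixed old and new binaries?)
May 13 04:00:01 cloud1 dovecot: doveadm(192.0.2.10): Error: doveadm client not compatible with this server (mixed old and new binaries?)
May 13 04:10:12 cloud1 dovecot: doveadm(203.0.113.77): Error: doveadm client not compatible with this server (mixed old and new binaries?)
May 13 04:10:15 cloud1 dovecot: doveadm(203.0.113.77): Error: doveadm client not compatible with this server (mixed old and new binaries?)
May 13 04:11:00 cloud1 dovecot: doveadm(alice@example.org): Error: constructed line tagged with a user name
May 13 04:12:00 cloud1 dovecot: imap-login: constructed line from another service
"""


def parse_doveadm_errors(lines):
    """Yield (timestamp, source tag, message) for each doveadm error line."""
    for line in lines:
        match = DOVEADM_ERROR.match(line.strip())
        if match:
            yield match.group("ts"), match.group("src"), match.group("msg")


def unexpected_sources(lines, allowed=ALLOWED_PEERS):
    """Count doveadm errors per source IP that is outside the allowed peers."""
    hits = Counter()
    for _ts, src, _msg in parse_doveadm_errors(lines):
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            continue  # the tag is a user name, not a remote address
        if not any(addr in net for net in allowed):
            hits[str(addr)] += 1
    return hits


def report(lines):
    """Return 'ip count' rows, most active unexpected source first."""
    return [f"{ip} {count}" for ip, count in unexpected_sources(lines).most_common()]


if __name__ == "__main__":
    for row in report(SAMPLE_LOG.splitlines()):
        print(row)
```

Any address this reports is one the firewall rule suggested in the thread would have dropped before it reached Dovecot.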


Possible hack via doveadm

2023-05-13 Thread Daniel L. Miller via dovecot
I currently have two servers running with synchronization that I've been 
very happy with.  However, I'm seeing the following in my logs recently:


May 12 15:45:58 cloud1 dovecot: doveadm(194.165.16.78): Error: doveadm 
client not compatible with this server (mixed old and new binaries?)
May 13 03:44:31 cloud1 dovecot: doveadm(45.227.254.48): Error: doveadm 
client not compatible with this server (mixed old and new binaries?)


Since I don't recognize those IPs, the first is out of Panama and the 
other is Belize, I assume these are hostile attackers trying to exploit 
something. How can I defend against this?


--
Daniel


Re: Mailing list is being Spam Filtered by O-365

2023-04-20 Thread White, Daniel E. (GSFC-770.0)[AEGIS] via dovecot
From headers:

Received: from BL0GCC02FT014.eop-gcc02.prod.protection.outlook.com
(2a01:111:f400:7d05::209) by CYXPR09CA0010.outlook.office365.com
(2603:10b6:930:d4::15) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6319.25 via Frontend
Transport; Thu, 20 Apr 2023 11:49:06 +
Authentication-Results: spf=softfail (sender IP is 63.88.93.251)
smtp.mailfrom=open-xchange.com; dkim=fail (signature did not verify)
header.d=open-xchange.com;dmarc=fail action=oreject
header.from=open-xchange.com;compauth=none reason=452
Received-SPF: SoftFail (protection.outlook.com: domain of transitioning
open-xchange.com discourages use of 63.88.93.251 as permitted sender)

From: Aki Tuomi 
Date: Thursday, April 20, 2023 at 07:49
Subject: [EXTERNAL] Re: Mailing list is being Spam Filtered by O-365

On 20/04/2023 14:18 EEST White, Daniel E. (GSFC-770.0)[AEGIS] via dovecot <dovecot@dovecot.org> wrote:


Is there any chance that SPF and DKIM records could be added to appear in the 
headers ?

The gubba-mint folks are getting extremely medieval about email security.


Um? Those already are added? Or what do you mean?

Aki

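
Added example, not part of the thread: a small parser for the Authentication-Results header quoted in the message above, showing which checks failed and against which domain. The second header and all function names are constructed for illustration, and the parser assumes no ';' inside comments or quoted strings.

```python
import re

# Header as quoted in the thread, re-folded with leading whitespace on the
# continuation lines (the archive dropped that indentation).
THREAD_HEADER = (
    "Authentication-Results: spf=softfail (sender IP is 63.88.93.251)\n"
    " smtp.mailfrom=open-xchange.com; dkim=fail (signature did not verify)\n"
    " header.d=open-xchange.com;dmarc=fail action=oreject\n"
    " header.from=open-xchange.com;compauth=none reason=452"
)

# Constructed RFC 8601 style header that starts with an authserv-id.
CONSTRUCTED_HEADER = (
    "Authentication-Results: mx.example.net;\n"
    " dkim=pass header.d=example.org; spf=pass smtp.mailfrom=example.org"
)

COMMENT = re.compile(r"\(([^()]*)\)")
FAILING = {"fail", "softfail", "temperror", "permerror"}


def parse_authentication_results(raw):
    """Return (authserv_id, [result dicts]) for one Authentication-Results header."""
    name, _, value = raw.partition(":")
    if name.strip().lower() != "authentication-results":
        raise ValueError("not an Authentication-Results header")
    value = re.sub(r"\r?\n[ \t]+", " ", value)  # unfold continuation lines
    authserv_id, results = None, []
    for index, clause in enumerate(value.split(";")):
        comments = COMMENT.findall(clause)
        tokens = COMMENT.sub(" ", clause).split()
        if index == 0 and tokens and "=" not in tokens[0]:
            authserv_id = tokens[0]  # absent in the header from the thread
            tokens = []
        if not tokens:
            continue
        method, sep, result = tokens[0].partition("=")
        if not sep:
            continue
        props = dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)
        results.append({
            "method": method.lower(),
            "result": result.lower(),
            "comment": comments[0] if comments else None,
            "props": props,
        })
    return authserv_id, results


def failed_checks(results):
    """Map each failing method to the identifier it was evaluated against."""
    failed = {}
    for entry in results:
        if entry["result"] in FAILING:
            ident = next(
                (value for key, value in entry["props"].items()
                 if key.startswith(("smtp.", "header."))),
                None,
            )
            failed[entry["method"]] = ident
    return failed


if __name__ == "__main__":
    _, parsed = parse_authentication_results(THREAD_HEADER)
    for method, ident in failed_checks(parsed).items():
        print(f"{method}: failed for {ident}")
```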


Mailing list is being Spam Filtered by O-365

2023-04-20 Thread White, Daniel E. (GSFC-770.0)[AEGIS] via dovecot
Is there any chance that SPF and DKIM records could be added to appear in the 
headers ?

The gubba-mint folks are getting extremely medieval about email security.



LDAP scheme for Dovecot

2023-01-24 Thread Daniel Betschart
I use an LDAP server for user administration, the users can manage
themselves with the LDAP Account Manager (LAM). I would like to give
the possibility to be able to define the quota per user.

LAM provides support for certain schemes, but the qmail scheme is
missing in the free variant. So I used the Courier scheme. Now, while
LAM correctly stores the value in bytes, it appends the letter S.
Unfortunately, the mail server Dovecot cannot do anything with this
letter S.

Is there a better scheme for Dovecot? I haven't found any until now. Or
can I remove the letter S at the end in the Dovecot configuration file
via regex?



Re: The end of Dovecot Director?

2022-11-02 Thread Jean-Daniel

If the community has enough resources to fork the whole project, it would 
probably be far more efficient and easier to just fork the Director component.

I’m not familiar enough with dovecot sources to tell if this is possible, but 
if the community really wants to keep Director alive, maybe it should start 
investigating if building it as an out of tree component is possible ?


> On 2 Nov 2022, at 17:46, Jan Hugo Prins wrote:
> 
> I think the only thing they will gain is a community that is angry and will 
> in the end leave the product / fork the complete product.
> 
> Jan Hugo
> 
> On November 2, 2022 5:39:53 PM GMT+01:00, Brad Schuetz  wrote:
> On 11/2/22 03:54, Aki Tuomi wrote:
> On 02/11/2022 11:55 EET Frank Wall  wrote:
> 
>   On 2022-11-02 09:11, Aki Tuomi wrote:
> You can also see the email sent by others which shows how you can do
> this without replication, using proxy and passdb to direct users to
> right backend. Which is basically what director does.
> It's not the same thing.
> 
> It is not critical functionality. You can feasibly run a two-node
> dovecot system on NFS without having director.
> It seems to be critical enough to offer a replacement for paying
> customers, while at the same time leaving the community edition
> with no valid replacement.
> 
> 
> Ciao
> - Frank
> Can you tell me what kind of functionality you are unable to achieve with the 
> passdb solution?
> 
> Aki
> 
> Can you tell us what you are gaining (other than monetarily) by removing a 
> completely functionally working feature that numerous people are using?
> 
> Adding new paid features is one thing (i.e. nginx), taking away a feature to 
> replace it with a paid feature is something completely different.
> 
> -- 
> Brad
> 
> 
> -- 
> Sent from my Android device with K-9 Mail. Please excuse my brevity.



Re: adding caldav/carddav next to dovecot

2022-10-16 Thread Jean-Daniel


> Begin forwarded message:
> 
> From: Tanstaafl 
> Subject: Re: adding caldav/carddav next to dovecot
> Date: 15 October 2022 at 16:11:43 UTC+2
> To: infoomatic , dovecot@dovecot.org
> 
> A HUGE second for SOGo
> 
> We used it for many years in a Gentoo/Dovecot/Postfix environment.
> 
> It was super fast/snappy, and extremely reliable, and works perfectly with 
> both Thunderbird AND Outlook (this was a huge plus for some of our users who 
> ridiculously preferred Outlook)...
> 
> they also offer implementation and ongoing support services at very 
> reasonable rates, but if you prefer to do everything yourself, the 
> documentation is perfectly adequate, and their email support list should 
> address any potential issues you might have.
> 
> SOGo rocks…

Out of curiosity, how many users do you have on SOGo ?

One big drawback I had when experimenting with it, is that its single threaded 
worker model scales poorly compared to a server designed to support many 
thousands connections by worker.






Re: [EXTERNAL] Re: Client for a Windows User ?

2022-09-13 Thread White, Daniel E. (GSFC-770.0)[AEGIS]
Not helpful.
Which ones, if any, behave with Dovecot ?
I notice that Thunderbird is not listed.

From: dovecot  on behalf of Narcis Garcia 

Date: Tuesday, September 13, 2022 at 12:07
To: Dovecot SPM 
Subject: [EXTERNAL] Re: Client for a Windows User ?

https://en.wikipedia.org/wiki/Category:Windows_email_clients


Narcis Garcia

__
I'm using this dedicated address because personal addresses aren't 
masked enough at this mail public archive. Public archive administrator 
should fix this against automated addresses collectors.
On 13/9/22 at 18:01, White, Daniel E. (GSFC-770.0)[AEGIS] wrote:
Specifically, Windows 2016 server

I suggested Thunderbird.
Is there anything else ?

Is this current ?
https://wiki.dovecot.org/Clients





Client for a Windows User ?

2022-09-13 Thread White, Daniel E. (GSFC-770.0)[AEGIS]
Specifically, Windows 2016 server

I suggested Thunderbird.
Is there anything else ?

Is this current ?
https://wiki.dovecot.org/Clients



Re: Openmetrics label truncation

2022-06-03 Thread Daniel Sabotta

Hi Aki thanks for your reply,

I am using some dovecots behind a dovecot smtp proxy. Now I want to use OpenMetrics (with Prometheus) to get metrics on 
which destination hosts the mails are delivered to. And my hostnames are longer than 32 characters.


I hope that explains my use case enough.


On 03.06.22 10:16 Aki Tuomi wrote:

On 03/06/2022 11:13 Daniel Sabotta  wrote:

  
Hello,


I'm using dovecot 2.3.18 and want to collect metrics with prometheus via 
openmetrics.

I need to label the metrics with the destination host name.
The configuration works fine, but the label value is truncated after 32 chars 
(and a '...' is added).

My config:

service stats {
  inet_listener http {
    port = 9323
  }
}

metric my_metric {
  filter = event=smtp_client_transaction_finished
  group_by = dest_host status_code
}

I wrote a simple patch, that fixes that for me:

diff --git a/src/stats/stats-metrics.c b/src/stats/stats-metrics.c
index 877c142546..30126563ff 100644
--- a/src/stats/stats-metrics.c
+++ b/src/stats/stats-metrics.c
@@ -357,7 +357,7 @@ stats_metric_sub_metric_alloc(struct metric *metric, const 
char *name, pool_t po
array_append_zero();
sub_metric = stats_metric_alloc(pool, metric->name, metric->set,
array_idx(, 0));
-   sub_metric->sub_name = p_strdup(pool, str_sanitize_utf8(name, 32));
+   sub_metric->sub_name = p_strdup(pool, str_sanitize_utf8(name, 63));
array_append(>sub_metrics, _metric, 1);
return sub_metric;
   }
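
Review bot: Raising the cap to 63 in the `str_sanitize_utf8(name, 63)` call only moves the cut-off, it does not remove it. 63 is the maximum length of a single DNS label, but a full host name can be up to 253 characters, so a `dest_host` value longer than 63 would still be shortened. If a limit has to stay, pick one that covers full host names or make it a setting, and say in the patch description why a cap is needed at all.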


Why are labels truncated after 32?
Is there a reason I do not see?
I found no reasons in the openmetrics specification [1].


Thanks in advance

Daniel


Can you explain us the usecase where you need such long labels?

Aki Tuomi


Openmetrics label truncation

2022-06-03 Thread Daniel Sabotta

Hello,

I'm using dovecot 2.3.18 and want to collect metrics with prometheus via 
openmetrics.

I need to label the metrics with the destination host name.
The configuration works fine, but the label value is truncated after 32 chars 
(and a '...' is added).

My config:

service stats {
  inet_listener http {
    port = 9323
  }
}

metric my_metric {
  filter = event=smtp_client_transaction_finished
  group_by = dest_host status_code
}

I wrote a simple patch, that fixes that for me:

diff --git a/src/stats/stats-metrics.c b/src/stats/stats-metrics.c
index 877c142546..30126563ff 100644
--- a/src/stats/stats-metrics.c
+++ b/src/stats/stats-metrics.c
@@ -357,7 +357,7 @@ stats_metric_sub_metric_alloc(struct metric *metric, const 
char *name, pool_t po
array_append_zero();
sub_metric = stats_metric_alloc(pool, metric->name, metric->set,
array_idx(, 0));
-   sub_metric->sub_name = p_strdup(pool, str_sanitize_utf8(name, 32));
+   sub_metric->sub_name = p_strdup(pool, str_sanitize_utf8(name, 63));
array_append(>sub_metrics, _metric, 1);
return sub_metric;
 }
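
Review bot: The new limit in `p_strdup(pool, str_sanitize_utf8(name, 63))` is a bare literal, just like the 32 it replaces, and nothing in the hunk says why either value was chosen. Suggest a named constant (a hypothetical `STATS_SUB_METRIC_MAX_NAME_LEN`, say) defined next to `stats_metric_sub_metric_alloc()`, with a comment giving the reason for the cap, so the next reader does not have to ask the question this message asks.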


Why are labels truncated after 32?
Is there a reason I do not see?
I found no reasons in the openmetrics specification [1].


Thanks in advance

Daniel


Re: Fix lmtp_save_to_detail_mailbox to be case insensitive?

2022-05-22 Thread Daniel Lange

On 22.05.22 at 11:33, Lucas Rolff wrote:

> Wouldn’t it be ideal to link to a LMTP documentation page that describes how to 
> do the same thing under LMTP, and not link to LDA?


No, because that's not (easily) possible as others have pointed out 
already. FTR: It is possible but on the postfix side of things with 
multiple options. 
https://groups.google.com/g/mailing.postfix.users/c/1p0ubY726N8/m/D3s9V5PXHcIJ 
for the oldest solution I could find.


There is no need to use LMTP if people want to use +extension addressing 
in their small setups.


Re: Fix lmtp_save_to_detail_mailbox to be case insensitive?

2022-05-21 Thread Daniel Lange

On 21.05.22 at 23:30, dove...@ptld.com wrote:

> Dovecot accepts the mail from postfix via LMTP. Dovecot already found the valid 
> recipient and accepted the email.


You need to make postfix pass the extension as lowercase to Dovecot.

See https://wiki.dovecot.org/LDA/Postfix :

An example using address extensions (ie user+extens...@domain.com (don't 
forget to define the proper recipient_delimiter in Postfix's main.cf)) 
to deliver to the folder 'extension' in your maildir (If you wish to 
preserve the case of ${extension}, remove the 'hu' flags, ...


dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/local/libexec/dovecot/dovecot-lda -f ${sender} -d ${user}@${nexthop} -m ${extension}


Re: [Rocky Linux 8.6] expire plugin file disappeared

2022-05-17 Thread Daniel Lange

On 18.05.22 at 02:06, Masakazu Hirose wrote:

I use Rocky Linux packages. Rocky or Redhat may fail to package.
"/usr/lib64/dovecot/lib20_expire_plugin.so" seems to have disappeared
in the new package.

[..]

May 18 08:21:22 xxx dovecot[3508407]: imap(yyy): Error: Plugin
'expire' not found from directory /usr/lib64/dovecot

# cat /etc/redhat-release
Rocky Linux release 8.6 (Green Obsidian)

# rpm -qa | grep dovecot
dovecot-2.3.16-2.el8.x86_64
dovecot-mysql-2.3.16-2.el8.x86_64


From https://dovecot.org/doc/NEWS

V2.3.14 2021-03-04  Aki Tuomi 
[..]
* Remove autocreate, expire, snarf and mail-filter plugins.

The plugin is gone since v2.3.14.


Re: [Dovecot-news] Dovecot v2.3.19 released

2022-05-12 Thread Daniel J. Luke
On May 10, 2022, at 2:33 AM, Aki Tuomi via Dovecot-news 
 wrote:
> We are pleased to release v2.3.19 of Dovecot.

As per usual now, you need this (small) patch to build on macOS (if there's 
some better way to submit this so it eventually makes it into a release, please 
redirect me):

--- src/lib/ioloop-notify-kqueue.c.orig 2021-06-14 07:56:46.0 -0400
+++ src/lib/ioloop-notify-kqueue.c  2021-06-21 12:10:16.0 -0400
@@ -11,6 +11,7 @@
 
 #include "ioloop-private.h"
 #include "llist.h"
+#include "time-util.h"
 #include 
 #include 
 #include 
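
Review bot: The added `#include "time-util.h"` after `llist.h` comes with no statement of which declaration `ioloop-notify-kqueue.c` needs from it. Please name the symbol and the macOS compiler error in the patch description, so a maintainer can check whether the include belongs in this file or in `ioloop-private.h`, which the file already pulls in.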

-- 
Daniel J. Luke



Better not post your email password on a public mailing list, was: Re: no full syncs after upgrading to dovecot 2.3.18

2022-04-27 Thread Daniel Lange

On 26.04.22 at 11:36, Paul Kudla (SCOM.CA Internet Services Inc.) wrote:

#imapc_host = mail.scom.ca
#imapc_password = Pk554669
#imapc_user = p...@scom.ca


I suggest to change that password immediately.

$ openssl s_client -crlf -connect mail.scom.ca:993
CONNECTED(0003)
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ 
AUTH=PLAIN AUTH=LOGIN] SCOM.CA Internet Services Inc. - Dovecot ready
A login p...@scom.ca Pk554669
A OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT 
SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND 
URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED 
I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH 
LIST-STATUS BINARY MOVE SNIPPET=FUZZY PREVIEW=FUZZY PREVIEW STATUS=SIZE 
SAVEDATE LITERAL+ NOTIFY SPECIAL-USE] Logged in
A status INBOX (messages)
* STATUS INBOX (MESSAGES 344)
A OK Status completed (0.002 + 0.000 + 0.001 secs).
^C

Kind regards,
Daniel


Re: how to setup IMAPs with letsencrypt

2022-04-22 Thread Jean-Daniel Dupas


> On 22 Apr 2022, at 01:50, Jeremy Ardley wrote:
> 
> 
> 
> On 22/4/22 7:44 am, al...@coakmail.com  wrote:
>>> On 22/4/22 7:25 am, al...@coakmail.com  wrote:
>>> 
>> Thanks. I will give a try.
>> after enabling SSL, can I disable port 143 entirely?
>> 
> Probably a bad idea. Many clients use STARTTLS on port 143 rather than TLS 
> on port 993
> 

While it's true for SMTP, my experience is that IMAP clients prefer imaps in 
993 instead of STARTTLS. 

I have a server with only port 993 opened, and almost never had any issue with 
client configuration.



What is the current state of High Availability Dovecot ?

2022-04-07 Thread White, Daniel E. (GSFC-770.0)[NICS]
… without going to too much fuss ?

Searching the Internet produces a lot of old results and many overly 
complicated results.

My only complication is that I am using PostfixAdmin for mailbox management, 
and all the mailboxes are virtual.

Thanks.



Dovecot High Availability ?

2022-03-11 Thread White, Daniel E. (GSFC-770.0)[NICS]
Are there any current, free high availability strategies for Dovecot ?



Re: [Dovecot-news] Dovecot v2.3.18 released

2022-02-03 Thread Daniel J. Luke
On Feb 3, 2022, at 5:21 AM, Aki Tuomi via Dovecot-news 
 wrote:
> We are pleased to release v2.3.18 of Dovecot.

As with all recent releases, this needs the following patch to build on MacOS:

--- src/lib/ioloop-notify-kqueue.c.orig 2021-06-14 07:56:46.0 -0400
+++ src/lib/ioloop-notify-kqueue.c  2021-06-21 12:10:16.0 -0400
@@ -11,6 +11,7 @@
 
 #include "ioloop-private.h"
 #include "llist.h"
+#include "time-util.h"
 #include 
 #include 
 #include 
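Review bot: the added `#include "time-util.h"` after `llist.h` comes with no statement of which declaration the kqueue notifier is missing. Quote the compiler error and name the symbol in the patch description, so the include can be judged on its merits and merged rather than carried as a local patch for each release.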

-- 
Daniel J. Luke



Non-unique Message ID in mail messages

2022-01-27 Thread Daniel Ryšlink



Hello!

I apologize for bringing up a perhaps trivial/well-known matter, but I am 
interested in your opinion.


RFC 5322 clearly states that mail messages SHOULD contain a Message ID 
identifier, but if they do contain it, it MUST be globally unique.


Despite this requirement, I have encountered senders (namely Spamcop) 
that send obviously different (albeit related) messages called "Alert" 
and "Summary" (they are always related to the same incident and have the 
same Message ID). This creates all sorts of problems when processing 
these mails, namely with users that have local forwards from one domain 
to another (our mailserver hosts multiple domains), because for example 
Dovecot refuses to forward the second message, flagging it as a duplicate.


My question to you is - did you also encounter a similar incorrect 
(according to RFC standards) problem, and if so, is there a way to 
persuade dovecot to perhaps determine the uniqueness of a message by 
other means than just checking the message ID (i.e. look at other 
identifiers, Subject, perhaps)? Because according to the log records, 
Spamcop does not seem to be the only offender.


Thanks in advance for any reactions, and if I did something wrong by 
writing this message, I apologize again in advance.


If required, I can provide samples of the Spamcop messages.

--

  --===--
--== Best Regards! ==--
  --===--

Daniel Ryšlink
Sysadmin @ Quantcom.cz
Czech Republic



Re[9]: Replicator bug report

2021-12-11 Thread Daniel Miller
It appears when I set vsz_limit=0 it works without crashing. So the 
problem appears when setting an explicit maximum.


--
Daniel

On 12/7/2021 9:57:29 PM, "Aki Tuomi"  wrote:




On 7 December 2021 23.10.50 UTC, Daniel Miller  wrote:

On 12/7/2021 12:29:49 PM, "Daniel Miller"  wrote:


service replicator {
vsz_limit = 2G
}

Aki


Tried that - got another one.



I just tried setting
service replicator {
   vcsz_limit = 5G
}
and I still get:
Dec  7 15:08:25 bubba dovecot: replicator: Panic: data stack: Out of
memory when allocating 4294967336 bytes
--
Daniel




This looks like a bug. We'll take a look.

Aki






Re: [Dovecot-news] Dovecot v2.3.17.1 Released

2021-12-08 Thread Daniel J. Luke
This release still needs the following patch to build on (newer) macOS:

--- src/lib/ioloop-notify-kqueue.c.orig 2021-06-14 07:56:46.0 -0400
+++ src/lib/ioloop-notify-kqueue.c  2021-06-21 12:10:16.0 -0400
@@ -11,6 +11,7 @@
 
 #include "ioloop-private.h"
 #include "llist.h"
+#include "time-util.h"
 #include 
 #include 
 #include 
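Review bot: the file header timestamps are from June 2021 and the message says only "(newer) macOS", so nothing here identifies which macOS or toolchain versions fail without `time-util.h`. State the affected versions, and confirm the unconditional include is harmless on the other kqueue platforms this file is built for.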

> On Dec 7, 2021, at 5:44 AM, Aki Tuomi  wrote:
> We are happy to announce 2.3.17.1 patch release of Dovecot. This contains 
> some fixes for issues found after 2.3.17 release.

-- 
Daniel J. Luke



Re[7]: Replicator bug report

2021-12-07 Thread Daniel Miller

On 12/7/2021 12:29:49 PM, "Daniel Miller"  wrote:


service replicator {
   vsz_limit = 2G
}

Aki


Tried that - got another one.



I just tried setting
service replicator {
  vcsz_limit = 5G
}
and I still get:
Dec  7 15:08:25 bubba dovecot: replicator: Panic: data stack: Out of 
memory when allocating 4294967336 bytes

--
Daniel




vsz_limit

2021-12-07 Thread Daniel Miller
I just noticed, that when checking "doveconf -a" - all vsz_limit 
settings that are not explicitly given have a value of:

 18446744073709551615 B

I have this on two servers, one with an implicit default_vsz_limit=256M, 
the other with an explicit default_vsz_limit=2G.


Is this correct?
--
Daniel

Re[6]: Replicator bug report

2021-12-07 Thread Daniel Miller
comment = All my flagged messages
special_use = \Flagged
  }
  prefix = INBOX/virtual/
  separator = /
  subscriptions = no
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  acl = vfile
  acl_shared_dict = file:/var/mail/%d/shared-mailboxes
  fts = solr
  fts_autoindex = yes
  fts_autoindex_exclude = \Trash
  fts_autoindex_exclude2 = \Junk
  fts_autoindex_exclude3 = \Spam
  fts_enforced = no
  fts_index_timeout = 20s
  fts_solr = url=http://127.0.0.1:8983/solr/dovecot/ batch_size=2000
  mail_replica = tcp:10.23.1.10
  mailbox_alias_new3 = Deleted Messages
  mailbox_alias_old3 = Trash
  replication_sync_timeout = 2
  sieve = file:~/sieve;active=~/.dovecot.sieve
}
protocols = imap lmtp sieve
replication_dsync_parameters = -d -l 30 -U -n INBOX -n INBOX/Archives -n 
INBOX/Lists -x INBOX/virtual -x INBOX/shared

replication_max_conns = 5
service aggregator {
  fifo_listener replication-notify-fifo {
mode = 0600
user = vmail
  }
  unix_listener replication-notify {
mode = 0600
user = vmail
  }
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
  }
  unix_listener auth-userdb {
group = mail
mode = 0600
user = vmail
  }
}
service doveadm {
  inet_listener {
port = 10993
  }
  user = vmail
}
service imap-login {
  process_min_avail = 4
}
service imap-postlogin {
  executable = script-login /etc/dovecot/post-login.sh
  user = $default_internal_user
}
service imap {
  executable = imap imap-postlogin
  vsz_limit = 4 G
}
service indexer-worker {
  user = vmail
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
group = mail
mode = 0666
user = vmail
  }
}
service replicator {
  process_min_avail = 1
  unix_listener replicator-doveadm {
mode = 0600
user = vmail
  }
  vsz_limit = 2 G
}
ssl_cert =   mail_plugins = fts fts_solr acl zlib virtual notify replication 
mailbox_alias sieve

  postmaster_address = postmas...@amfes.com
}
protocol imap {
  mail_plugins = fts fts_solr acl zlib virtual notify replication 
mailbox_alias imap_acl

}

--
Daniel




Re[4]: Replicator bug report

2021-12-07 Thread Daniel Miller - CLOUD

Use

gdb /path/to/replicator /path/to/core
bt full

Aki

root@bubba:/var/core# gdb /usr/lib/dovecot/replicator 
/var/core/11199.replicator

GNU gdb (Ubuntu 8.1.1-0ubuntu1) 8.1.1
Reading symbols from /usr/lib/dovecot/replicator...Reading symbols from 
/usr/lib/debug/.build-id/63/bc9a0e025f7ecba8e4906abc177b978bf6c2ad.debug...done.

done.
[New LWP 11199]
Core was generated by `dovecot/replicator'.
Program terminated with signal SIGABRT, Aborted.
#0  __GI_raise (sig=sig@entry=6) at 
../sysdeps/unix/sysv/linux/raise.c:51

51  ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt full
#0  __GI_raise (sig=sig@entry=6) at 
../sysdeps/unix/sysv/linux/raise.c:51
set = {__val = {0, 1459, 1460, 94875967713912, 8, 
140599001568843, 153, 140599001377356, 140727459487856, 120, 
206158430224,
140727459488192, 140727459487984, 126291299233366272, 
94875967713888, 140599001144598}}

pid = 
tid = 
ret = 
#1  0x7fdfc13a58b1 in __GI_abort () at abort.c:79
save_stage = 1
act = {__sigaction_handler = {sa_handler = 0x0, sa_sigaction = 
0x0}, sa_mask = {__val = {94875967711840, 18446744073709551615,
  1073741824, 94875967583248, 140599001120139, 
140599004035360, 140599001098972, 140599004035360, 126291299233366272,
  140599004035336, 140599001376562, 140727459488192, 
140599004035360, 140727459488192, 140599001376953, 140599004035360}},

  sa_flags = -1048313238, sa_restorer = 0x5}
sigs = {__val = {32, 0 }}
__cnt = 
__set = 
__cnt = 
__set = 
#2  0x7fdfc184e9d1 in default_fatal_finish (status=0, 
type=LOG_TYPE_PANIC) at failures.c:459
backtrace = 0x564a085a6a38 
"/usr/lib/dovecot/libdovecot.so.0(backtrace_append+0x42) 
[0x7fdfc1840142] -> /usr/lib/dovecot/libdovecot.so.0(backtrace_get+0x1e) 
[0x7fdfc184025e] -> /usr/lib/dovecot/libdovecot.so.0(+0xf8a1e) 
[0x7fdfc"...

backtrace = 
recursed = 0
#3  fatal_handler_real (ctx=, format=, 
args=) at failures.c:471

status = 0
#4  0x7fdfc184eac1 in i_internal_fatal_handler (ctx=, 
format=, args=) at failures.c:872

No locals.
#5  0x7fdfc179b4a7 in i_panic (format=format@entry=0x7fdfc18b42d0 
"data stack: Out of memory when allocating %zu bytes")

at failures.c:524
ctx = {type = LOG_TYPE_PANIC, exit_status = 0, timestamp = 0x0, 
timestamp_usecs = 0, log_prefix = 0x0, log_prefix_type_pos = 0}

args = {{gp_offset = 16, fp_offset = 48, overflow_arg_area = 
0x7ffdaa3ba310, reg_save_area = 0x7ffdaa3ba250}}
#6  0x7fdfc18474e8 in mem_block_alloc 
(min_size=min_size@entry=2147483648) at data-stack.c:386

block = 
prev_size = 
alloc_size = 4294967296
#7  0x7fdfc1847ae3 in t_malloc_real (size=size@entry=2147483648, 
permanent=permanent@entry=true) at data-stack.c:492

block = 
ret = 
alloc_size = 2147483648
warn = false
#8  0x7fdfc1847d6a in t_malloc_no0 (size=size@entry=2147483648) at 
data-stack.c:543

No locals.
#9  0x7fdfc1871f28 in pool_data_stack_realloc (pool=, 
mem=0x7fdf6bd5c038, old_size=1073741824, new_size=2147483648)

at mempool-datastack.c:173
dpool = 
new_mem = 
pool = 
new_size = 2147483648
mem = 0x7fdf6bd5c038
old_size = 1073741824
dpool = 
new_mem = 
dpool = 
new_mem = 
#10 0x7fdfc1842aa3 in p_realloc (new_size=2147483648, 
old_size=, mem=, pool=)

at mempool.h:120
No locals.
#11 buffer_alloc (buf=buf@entry=0x564a08567838, size=2147483648) at 
buffer.c:40

__func__ = "buffer_alloc"
#12 0x7fdfc1842fb4 in buffer_check_limits (data_size=32, 
pos=1073741792, buf=0x564a08567838) at buffer.c:85

new_alloc_size = 
new_size = 1073741824
new_size = 
max = 
new_alloc_size = 
#13 buffer_check_append_limits (data_size=32, buf=0x564a08567838) at 
buffer.c:117

No locals.
#14 buffer_append (_buf=0x564a08567838, data=0x564a08587410, 
data_size=32) at buffer.c:235

pos = 1073741792
buf = 0x564a08567838
#15 0x564a07e5a846 in array_append_i (count=1, data=0x564a08587410, 
array=) at 

Re[2]: Replicator bug report

2021-12-07 Thread Daniel Miller

-- Original Message --


Hi!

Can you instead submit gdb bt full output and doveconf -n?

Aki



Certainly - but I need to know how. The problem is during TCP 
replication.


Here is dovecot -n:

# 2.3.17.1 (476cd46418): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.17.1 (a1a0b892)
# OS: Linux 5.4.0-91-generic x86_64 Ubuntu 18.04.6 LTS xfs
# Hostname: bubba.amfes.lan
auth_cache_size = 4 k
auth_master_user_separator = *
auth_mechanisms = plain login
auth_policy_hash_nonce = # hidden, use -P to show it
auth_policy_hash_truncate = 8
auth_policy_server_api_header = Authorization: Basic 
d2ZvcmNlOnVsdHJhLXNlY3JldC1zZWN1cmUtc2FmZQ

auth_verbose = yes
default_login_user = nobody
default_vsz_limit = 2 G
disable_plaintext_auth = no
doveadm_password = # hidden, use -P to show it
doveadm_port = 10993
imap_capability = +SPECIAL-USE
listen = *
login_trusted_networks = 192.168.0.0/24
mail_attachment_detection_options = add-flags
mail_attachment_hash = %{sha512}
mail_attribute_dict = file:/var/mail/attributes
mail_gid = mail
mail_location = sdbox:/var/mail/%d/%n/sdbox
mail_plugins = fts fts_solr acl zlib virtual notify replication 
mailbox_alias

mail_prefetch_count = 10
mail_shared_explicit_inbox = yes
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope 
encoded-character vacation subaddress comparator-i;ascii-numeric 
relational regex imap4flags copy include variables body enotify 
environment mailbox date index ihave duplicate mime foreverypart 
extracttext

mdbox_rotate_size = 20 M
namespace archives {
  list = children
  location = mdbox:/var/mail/%d/%n/Archives/mdbox
  mailbox Unsorted {
auto = no
special_use = \Archive
  }
  prefix = INBOX/Archives/
  separator = /
  subscriptions = no
  type = private
}
namespace inbox {
  alias_for =
  hidden = no
  inbox = yes
  list = yes
  location =
  mailbox "Deleted Messages" {
auto = no
autoexpunge = 30 days
special_use = \Trash
  }
  mailbox Drafts {
auto = subscribe
special_use = \Drafts
  }
  mailbox Sent {
auto = subscribe
special_use = \Sent
  }
  mailbox Trash {
auto = subscribe
autoexpunge = 30 days
special_use = \Trash
  }
  prefix = INBOX/
  separator = /
  subscriptions = no
  type = private
}
namespace lists {
  list = children
  location = mdbox:/var/mail/%d/%n/Lists/mdbox
  prefix = INBOX/Lists/
  separator = /
  subscriptions = no
  type = private
}
namespace subscriptions {
  hidden = yes
  list = no
  location =
  prefix =
  separator = /
  subscriptions = yes
  type = private
}
namespace usershares {
  list = yes
  location = sdbox:/var/mail/%%d/%%n/sdbox:NO-NOSELECT
  prefix = INBOX/shared/%%d/%%n/
  separator = /
  subscriptions = no
  type = shared
}
namespace virtual {
  list = children
  location = virtual:/var/mail/%d/%n/virtual
  mailbox Flagged {
comment = All my flagged messages
special_use = \Flagged
  }
  prefix = INBOX/virtual/
  separator = /
  subscriptions = no
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  acl = vfile
  acl_shared_dict = file:/var/mail/%d/shared-mailboxes
  fts = solr
  fts_autoindex = yes
  fts_autoindex_exclude = \Trash
  fts_autoindex_exclude2 = \Junk
  fts_autoindex_exclude3 = \Spam
  fts_enforced = no
  fts_index_timeout = 20s
  fts_solr = url=http://127.0.0.1:8983/solr/dovecot/ batch_size=2000
  mail_replica = tcp:10.23.1.10
  mailbox_alias_new3 = Deleted Messages
  mailbox_alias_old3 = Trash
  replication_sync_timeout = 2
  sieve = file:~/sieve;active=~/.dovecot.sieve
}
protocols = imap lmtp sieve
replication_dsync_parameters = -d -l 30 -U -n INBOX -n INBOX/Archives -n 
INBOX/Lists -x INBOX/virtual -x INBOX/shared

replication_max_conns = 5
service aggregator {
  fifo_listener replication-notify-fifo {
mode = 0600
user = vmail
  }
  unix_listener replication-notify {
mode = 0600
user = vmail
  }
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
  }
  unix_listener auth-userdb {
group = mail
mode = 0600
user = vmail
  }
}
service doveadm {
  inet_listener {
port = 10993
  }
  user = vmail
}
service imap-login {
  process_min_avail = 4
}
service imap-postlogin {
  executable = script-login /etc/dovecot/post-login.sh
  user = $default_internal_user
}
service imap {
  executable = imap imap-postlogin
  vsz_limit = 4 G
}
service indexer-worker {
  user = vmail
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
group = mail
mode = 0666
user = vmail
  }
}
service replicator {
  process_min_avail = 1
  unix_listener replicator-doveadm {
mode = 0600
user = vmail
  }
}
ssl_cert =   mail_plugins = fts fts_solr acl zlib virtual notify replication 
mailbox_alias sieve

  postmaster_address = 
}
protocol imap {
  mail_plugins = fts fts_solr acl zlib virtual notify replication 
mailbox_alias imap_acl

}


--
Daniel




Replicator bug report

2021-12-07 Thread Daniel Miller
I've run dovecot-sysreport -o  and generated a file - but it's a 
few gigs in size. Am I generating the core dump incorrectly? Should I do 
something different?


--
Daniel

Re[5]: Replication weirdness

2021-12-04 Thread Daniel Miller - CLOUD

Another update.

I dug deeper into the mailboxes - and found the "subscriptions" and 
actual mailboxes weren't correct in all cases. I guess when I shifted to 
the explicit INBOX/ namespace not all the existing boxes migrated 
correctly. So...after manually correcting all the "subscription" files, 
and manually moving the duplicated "Archives" folders to the correct 
locations nearly all the errors have gone.


I wish I'd gotten more informative error messages, and processes 
certainly shouldn't have crashed, but since I obviously created the 
problem due to manually poking things and improper configuration I guess 
I can't complain too much.


I still have problems using the "-N" flag for syncing - but things seem 
to be working with the multiple explicit "-n" namespaces. I do still 
have the locking error appearing during long-running syncs - I don't see 
why Dovecot doesn't know that it's already syncing a given user before 
trying to start a second process. Probably something else I set up wrong 
but I don't know what.


--
Daniel

Re[4]: Replication weirdness

2021-12-03 Thread Daniel Miller

And some more messages...

Dec  3 15:10:58 bubba dovecot: 
doveadm(obfuscated)<1901>: Error: Mailbox Sent 
sync: mailbox_rename failed: Can't rename mailbox while it has aliases
Dec  3 15:10:58 bubba dovecot: 
doveadm(obfuscated)<1900>: Error: Duplicate 
mailbox GUID f4338038839caa613a1a0500b88bfabe for mailboxes INBOX/Sent 
Messages and INBOX/Sent - giving a new GUID 
bcf4f82702a4aa616c079db5accb to INBOX/Sent


--
Daniel

-- Original Message --
From: "Daniel Miller" 
To: "Daniel Miller" ; dovecot@dovecot.org
Sent: 12/3/2021 3:13:55 PM
Subject: Re[3]: Replication weirdness


And...

The user who has both a "Sent" and a "Sent Messages" now has:

drwx--  3 vmail mail  24 Dec  3 09:56 Sent
lrwxrwxrwx  1 vmail mail   4 Nov 30 17:51 'Sent Messages' -> Sent
drwx--  3 vmail mail  24 Dec  3 15:10 'Sent Messages-temp-1'
drwx--  3 vmail mail  24 Dec  3 15:10 'Sent 
Messages-temp-fc30bd0a3a9aaa61c1180500b88bfabe'


and I got the following errors:

Dec  3 15:10:46 cloud1 dovecot: 
doveadm(obfuscated)<336247>: Error: Duplicate 
mailbox GUID 6aae8c39f3a3aa615a079db5accb for mailboxes Sent and 
Sent Messages-temp-1 - giving a new GUID 
63481f29f6a3aa6177210500b88bfabe to Sent
Dec  3 15:10:50 cloud1 dovecot: 
doveadm(obfuscated)<336245>: Panic: file 
dsync-brain-mailbox.c: line 851 (dsync_brain_slave_recv_mailbox): 
assertion failed: (memcmp(dsync_box->mailbox_guid, 
local_dsync_box.mailbox_guid, sizeof(dsync_box->mailbox_guid)) == 0)
Dec  3 15:10:50 cloud1 dovecot: 
doveadm(obfuscated)<336245>: Error: Raw 
backtrace: #0 fatal_handler_real[0x7fde7fd20060] -> #1 
i_internal_fatal_handler[0x7fde7fd20190] -> #2 i_panic[0x7fde7fc731ff] 
-> #3 dsync_brain_slave_recv_mailbox[0x55dde7b22900] -> #4 
dsync_brain_run[0x55dde7b20380] -> #5 
dsync_brain_run_io[0x55dde7b20b50] -> #6 
dsync_ibc_stream_input[0x55dde7b329c0] -> #7 
io_loop_call_io[0x7fde7fd36500] -> #8 
io_loop_handler_run_internal[0x7fde7fd37ac0] -> #9 
io_loop_handler_run[0x7fde7fd365c0] -> #10 io_loop_run[0x7fde7fd36740] 
-> #11 cmd_dsync_server_run[0x55dde7b04f60] -> #12 
doveadm_mail_next_user[0x55dde7b06850] -> #13 
doveadm_cmd_ver2_to_mail_cmd_wrapper[0x55dde7b077e0] -> #14 
doveadm_cmd_run_ver2[0x55dde7b17f00] -> #15 
client_connection_tcp_input[0x55dde7b1c6b0] -> #16 
io_loop_call_io[0x7fde7fd36500] -> #17 
io_loop_handler_run_internal[0x7fde7fd37ac0] -> #18 
io_loop_handler_run[0x7fde7fd365c0] -> #19 io_loop_run[0x7fde7fd36740] 
-> #20 master_service_run[0x7fde7fca87d0] -> #21 main[0x55dde7af7770] 
-> #22 __libc_start_main[0x7fde7f8f9fc0] -> #23 _start[0x55dde7af78d0]
Dec  3 15:10:50 cloud1 dovecot: 
doveadm(obfuscated)<336245>: Fatal: master: 
service(doveadm): child 336245 killed with signal 6 (core dumped)
Dec  3 15:10:52 cloud1 dovecot: 
doveadm(obfuscated)<336253><2VTpM/ujqmF9IQUAuIv6vg>: Error: Duplicate 
mailbox GUID 63481f29f6a3aa6177210500b88bfabe for mailboxes INBOX/Sent 
and INBOX/Sent Messages-temp-1 - giving a new GUID 
cba35507fca3aa617d210500b88bfabe to INBOX/Sent
Dec  3 15:10:58 cloud1 dovecot: 
doveadm(obfuscated)<336258>: Error: Duplicate 
mailbox GUID dc3b4434fba3aa6166079db5accb for mailboxes Sent and 
Sent Messages-temp-1 - giving a new GUID 
60ad190102a4aa6182210500b88bfabe to Sent


--
Daniel

-- Original Message --
From: "Daniel Miller" 
To: "Daniel Miller" ; dovecot@dovecot.org
Sent: 12/3/2021 2:42:12 PM
Subject: Re[2]: Replication weirdness


And...one more.

I'm now seeing (again) messages like:

Dec  3 14:29:14 cloud1 dovecot: 
doveadm(obfuscated)<334017>: Error: Duplicate 
mailbox GUID bcb9ca36ae36aa617f0a9db5accb for mailboxes INBOX/Sent 
Messages and INBOX/Sent - giving a new GUID 
fc30bd0a3a9aaa61c1180500b88bfabe to INBOX/Sent
Dec  3 14:38:59 cloud1 dovecot: 
doveadm(obfuscated)<334394>: Error: Duplicate 
mailbox GUID fc30bd0a3a9aaa61c1180500b88bfabe for mailboxes INBOX/Sent 
Messages and INBOX/Sent - giving a new GUID 
f4338038839caa613a1a0500b88bfabe to INBOX/Sent


Having one message for the initial sync I suppose is reasonable. A 
second...maybe? But I'm getting nervous I'm about to start seeing the 
endless temp folders again.

--
Daniel

-- Original Message --
From: "Daniel Miller" 
To: "Daniel Miller" ; dovecot@dovecot.org
Sent: 12/3/2021 2:39:25 PM
Subject: Re: Replication weirdness


Another item.

Again, it may be a 2.3.13 issue and I'm now on 2.3.17. But...I had a 
problem when using the "-N" parameter for dsync. So - I just have 
(had):


replication_dsync_parameters = -d -l 30 -U -x INBOX/virtual -x 
INBOX/shared


Now that things are working - I wanted to have my other namespaces 
sync as well. So I went to:


replication_dsync_parameters = -d -l 30 -U -n INBOX -n INBOX/Archives 
-n INBOX/Lists -x INBOX/virtual -x INBOX/shared

Re[3]: Replication weirdness

2021-12-03 Thread Daniel Miller

And...

The user who has both a "Sent" and a "Sent Messages" now has:

drwx--  3 vmail mail  24 Dec  3 09:56 Sent
lrwxrwxrwx  1 vmail mail   4 Nov 30 17:51 'Sent Messages' -> Sent
drwx--  3 vmail mail  24 Dec  3 15:10 'Sent Messages-temp-1'
drwx--  3 vmail mail  24 Dec  3 15:10 'Sent 
Messages-temp-fc30bd0a3a9aaa61c1180500b88bfabe'


and I got the following errors:

Dec  3 15:10:46 cloud1 dovecot: 
doveadm(obfuscated)<336247>: Error: Duplicate 
mailbox GUID 6aae8c39f3a3aa615a079db5accb for mailboxes Sent and 
Sent Messages-temp-1 - giving a new GUID 
63481f29f6a3aa6177210500b88bfabe to Sent
Dec  3 15:10:50 cloud1 dovecot: 
doveadm(obfuscated)<336245>: Panic: file 
dsync-brain-mailbox.c: line 851 (dsync_brain_slave_recv_mailbox): 
assertion failed: (memcmp(dsync_box->mailbox_guid, 
local_dsync_box.mailbox_guid, sizeof(dsync_box->mailbox_guid)) == 0)
Dec  3 15:10:50 cloud1 dovecot: 
doveadm(obfuscated)<336245>: Error: Raw 
backtrace: #0 fatal_handler_real[0x7fde7fd20060] -> #1 
i_internal_fatal_handler[0x7fde7fd20190] -> #2 i_panic[0x7fde7fc731ff] 
-> #3 dsync_brain_slave_recv_mailbox[0x55dde7b22900] -> #4 
dsync_brain_run[0x55dde7b20380] -> #5 dsync_brain_run_io[0x55dde7b20b50] 
-> #6 dsync_ibc_stream_input[0x55dde7b329c0] -> #7 
io_loop_call_io[0x7fde7fd36500] -> #8 
io_loop_handler_run_internal[0x7fde7fd37ac0] -> #9 
io_loop_handler_run[0x7fde7fd365c0] -> #10 io_loop_run[0x7fde7fd36740] 
-> #11 cmd_dsync_server_run[0x55dde7b04f60] -> #12 
doveadm_mail_next_user[0x55dde7b06850] -> #13 
doveadm_cmd_ver2_to_mail_cmd_wrapper[0x55dde7b077e0] -> #14 
doveadm_cmd_run_ver2[0x55dde7b17f00] -> #15 
client_connection_tcp_input[0x55dde7b1c6b0] -> #16 
io_loop_call_io[0x7fde7fd36500] -> #17 
io_loop_handler_run_internal[0x7fde7fd37ac0] -> #18 
io_loop_handler_run[0x7fde7fd365c0] -> #19 io_loop_run[0x7fde7fd36740] 
-> #20 master_service_run[0x7fde7fca87d0] -> #21 main[0x55dde7af7770] -> 
#22 __libc_start_main[0x7fde7f8f9fc0] -> #23 _start[0x55dde7af78d0]
Dec  3 15:10:50 cloud1 dovecot: 
doveadm(obfuscated)<336245>: Fatal: master: 
service(doveadm): child 336245 killed with signal 6 (core dumped)
Dec  3 15:10:52 cloud1 dovecot: 
doveadm(obfuscated)<336253><2VTpM/ujqmF9IQUAuIv6vg>: Error: Duplicate 
mailbox GUID 63481f29f6a3aa6177210500b88bfabe for mailboxes INBOX/Sent 
and INBOX/Sent Messages-temp-1 - giving a new GUID 
cba35507fca3aa617d210500b88bfabe to INBOX/Sent
Dec  3 15:10:58 cloud1 dovecot: 
doveadm(obfuscated)<336258>: Error: Duplicate 
mailbox GUID dc3b4434fba3aa6166079db5accb for mailboxes Sent and 
Sent Messages-temp-1 - giving a new GUID 
60ad190102a4aa6182210500b88bfabe to Sent


--
Daniel

-- Original Message --
From: "Daniel Miller" 
To: "Daniel Miller" ; dovecot@dovecot.org
Sent: 12/3/2021 2:42:12 PM
Subject: Re[2]: Replication weirdness


And...one more.

I'm now seeing (again) messages like:

Dec  3 14:29:14 cloud1 dovecot: 
doveadm(obfuscated)<334017>: Error: Duplicate 
mailbox GUID bcb9ca36ae36aa617f0a9db5accb for mailboxes INBOX/Sent 
Messages and INBOX/Sent - giving a new GUID 
fc30bd0a3a9aaa61c1180500b88bfabe to INBOX/Sent
Dec  3 14:38:59 cloud1 dovecot: 
doveadm(obfuscated)<334394>: Error: Duplicate 
mailbox GUID fc30bd0a3a9aaa61c1180500b88bfabe for mailboxes INBOX/Sent 
Messages and INBOX/Sent - giving a new GUID 
f4338038839caa613a1a0500b88bfabe to INBOX/Sent


Having one message for the initial sync I suppose is reasonable. A 
second...maybe? But I'm getting nervous I'm about to start seeing the 
endless temp folders again.

--
Daniel

-- Original Message --
From: "Daniel Miller" 
To: "Daniel Miller" ; dovecot@dovecot.org
Sent: 12/3/2021 2:39:25 PM
Subject: Re: Replication weirdness


Another item.

Again, it may be a 2.3.13 issue and I'm now on 2.3.17. But...I had a 
problem when using the "-N" parameter for dsync. So - I just have 
(had):


replication_dsync_parameters = -d -l 30 -U -x INBOX/virtual -x 
INBOX/shared


Now that things are working - I wanted to have my other namespaces 
sync as well. So I went to:


replication_dsync_parameters = -d -l 30 -U -n INBOX -n INBOX/Archives 
-n INBOX/Lists -x INBOX/virtual -x INBOX/shared


This appears to be working (the sync is just starting)...but I'm 
seeing lock errors in the logs such as:
Dec  3 14:34:24 bubba dovecot: 
doveadm(dmil...@amfes.com)<31785>: Error: 
Couldn't lock /var/mail/amfes.com/dmiller/.dovecot-sync.lock: 
fcntl(/var/mail/amfes.com/dmiller/.dovecot-sync.lock, write-lock, 
F_SETLKW) locking failed: Timed out after 30 seconds (WRITE lock held 
by pid 31373)


Checking the pid in question I see it's actively syncing a folder in 
my mailbox. So I'm guessing, purely guessing, that by having multiple 
namespaces explicitly directed to sync Dovecot is trying to start a 
sync process for

Re[2]: Replication weirdness

2021-12-03 Thread Daniel Miller

And...one more.

I'm now seeing (again) messages like:

Dec  3 14:29:14 cloud1 dovecot: 
doveadm(obfuscated)<334017>: Error: Duplicate 
mailbox GUID bcb9ca36ae36aa617f0a9db5accb for mailboxes INBOX/Sent 
Messages and INBOX/Sent - giving a new GUID 
fc30bd0a3a9aaa61c1180500b88bfabe to INBOX/Sent
Dec  3 14:38:59 cloud1 dovecot: 
doveadm(obfuscated)<334394>: Error: Duplicate 
mailbox GUID fc30bd0a3a9aaa61c1180500b88bfabe for mailboxes INBOX/Sent 
Messages and INBOX/Sent - giving a new GUID 
f4338038839caa613a1a0500b88bfabe to INBOX/Sent


Having one message for the initial sync I suppose is reasonable. A 
second...maybe? But I'm getting nervous I'm about to start seeing the 
endless temp folders again.

--
Daniel

-- Original Message --
From: "Daniel Miller" 
To: "Daniel Miller" ; dovecot@dovecot.org
Sent: 12/3/2021 2:39:25 PM
Subject: Re: Replication weirdness


Another item.

Again, it may be a 2.3.13 issue and I'm now on 2.3.17. But...I had a 
problem when using the "-N" parameter for dsync. So - I just have 
(had):


replication_dsync_parameters = -d -l 30 -U -x INBOX/virtual -x 
INBOX/shared


Now that things are working - I wanted to have my other namespaces sync 
as well. So I went to:


replication_dsync_parameters = -d -l 30 -U -n INBOX -n INBOX/Archives 
-n INBOX/Lists -x INBOX/virtual -x INBOX/shared


This appears to be working (the sync is just starting)...but I'm seeing 
lock errors in the logs such as:
Dec  3 14:34:24 bubba dovecot: 
doveadm(dmil...@amfes.com)<31785>: Error: 
Couldn't lock /var/mail/amfes.com/dmiller/.dovecot-sync.lock: 
fcntl(/var/mail/amfes.com/dmiller/.dovecot-sync.lock, write-lock, 
F_SETLKW) locking failed: Timed out after 30 seconds (WRITE lock held 
by pid 31373)


Checking the pid in question I see it's actively syncing a folder in my 
mailbox. So I'm guessing, purely guessing, that by having multiple 
namespaces explicitly directed to sync Dovecot is trying to start a 
sync process for each of those namespaces - but all of them share a 
common lock and therefore only one operation is allowed at a time.


Am I correct, and whether or not I am - how can I correct these errors? 
Do I dare try going back to just "-N"?


--
Daniel

-- Original Message --
From: "Daniel Miller" 
To: dovecot@dovecot.org
Sent: 12/3/2021 2:16:28 PM
Subject: Replication weirdness

First, I have to say this. After configuring everything correctly - 
and that means *everything* correctly - Dovecot replication Just 
Works. I'm not sure how (yes I do - Timo & Co. Magic) - but it does. 
Real-time new sync is near instantaneous.


Now the problem. Or the background for the problem. My primary server 
uses sdbox for primary storage, mdbox for archival storage, and 
fts-solr. I spun up a second server, using sdbox, mdbox, and 
fts-flatcurve. My namespaces are as defined below. As best I can tell 
(based on diff comparing two 'doveconf -n' outputs) my namespaces are 
the same on both servers.


namespace archives {
  list = children
  location = mdbox:/var/mail/%d/%n/Archives/mdbox
  mailbox Unsorted {
auto = no
special_use = \Archive
  }
  prefix = INBOX/Archives/
  separator = /
  subscriptions = no
  type = private
}
namespace inbox {
  alias_for =
  hidden = no
  inbox = yes
  list = yes
  location =
  mailbox "Deleted Messages" {
auto = no
autoexpunge = 30 days
special_use = \Trash
  }
  mailbox Drafts {
auto = subscribe
special_use = \Drafts
 }
  mailbox Sent {
auto = subscribe
special_use = \Sent
  }
  mailbox Trash {
auto = subscribe
autoexpunge = 30 days
special_use = \Trash
  }
  prefix = INBOX/
  separator = /
  subscriptions = no
  type = private
}
namespace lists {
  list = children
  location = mdbox:/var/mail/%d/%n/Lists/mdbox
  prefix = INBOX/Lists/
  separator = /
  subscriptions = no
  type = private
}
namespace subscriptions {
  hidden = yes
  list = no
  location =
  prefix =
  separator = /
  subscriptions = yes
  type = private
}
namespace usershares {
  list = yes
  location = sdbox:/var/mail/%%d/%%n/sdbox:NO-NOSELECT
  prefix = INBOX/shared/%%d/%%n/
  separator = /
  subscriptions = no
  type = shared
}
namespace virtual {
  list = children
  location = virtual:/var/mail/%d/%n/virtual
  mailbox Flagged {
comment = All my flagged messages
special_use = \Flagged
  }
  prefix = INBOX/virtual/
  separator = /
  subscriptions = no
}

I also have:
plugin {
  mailbox_alias_new = Sent Messages
  mailbox_alias_new2 = Sent Items
  mailbox_alias_new3 = Deleted Messages
  mailbox_alias_old = Sent
  mailbox_alias_old2 = Sent
  mailbox_alias_old3 = Trash
}

This setup worked fine with my single server. Then I enabled 
replication - just on the primary. Dsync went to work (it seemed to 
take forever for the initial sync but that's what happens with large 
mailboxes and slow internet connections).


The problem came up with certain subfolde

Re: Replication weirdness

2021-12-03 Thread Daniel Miller

Another item.

Again, it may be a 2.3.13 issue and I'm now on 2.3.17. But...I had a 
problem when using the "-N" parameter for dsync. So - I just have (had):


replication_dsync_parameters = -d -l 30 -U -x INBOX/virtual -x 
INBOX/shared


Now that things are working - I wanted to have my other namespaces sync 
as well. So I went to:


replication_dsync_parameters = -d -l 30 -U -n INBOX -n INBOX/Archives -n 
INBOX/Lists -x INBOX/virtual -x INBOX/shared


This appears to be working (the sync is just starting)...but I'm seeing 
lock errors in the logs such as:
Dec  3 14:34:24 bubba dovecot: 
doveadm(dmil...@amfes.com)<31785>: Error: 
Couldn't lock /var/mail/amfes.com/dmiller/.dovecot-sync.lock: 
fcntl(/var/mail/amfes.com/dmiller/.dovecot-sync.lock, write-lock, 
F_SETLKW) locking failed: Timed out after 30 seconds (WRITE lock held by 
pid 31373)


Checking the pid in question I see it's actively syncing a folder in my 
mailbox. So I'm guessing, purely guessing, that by having multiple 
namespaces explicitly directed to sync Dovecot is trying to start a sync 
process for each of those namespaces - but all of them share a common 
lock and therefore only one operation is allowed at a time.


Am I correct, and whether or not I am - how can I correct these errors? 
Do I dare try going back to just "-N"?


--
Daniel

-- Original Message --
From: "Daniel Miller" 
To: dovecot@dovecot.org
Sent: 12/3/2021 2:16:28 PM
Subject: Replication weirdness

First, I have to say this. After configuring everything correctly - and 
that means *everything* correctly - Dovecot replication Just Works. I'm 
not sure how (yes I do - Timo & Co. Magic) - but it does. Real-time new 
sync is near instantaneous.


Now the problem. Or the background for the problem. My primary server 
uses sdbox for primary storage, mdbox for archival storage, and 
fts-solr. I spun up a second server, using sdbox, mdbox, and 
fts-flatcurve. My namespaces are as defined below. As best I can tell 
(based on diff comparing two 'doveconf -n' outputs) my namespaces are 
the same on both servers.


namespace archives {
  list = children
  location = mdbox:/var/mail/%d/%n/Archives/mdbox
  mailbox Unsorted {
auto = no
special_use = \Archive
  }
  prefix = INBOX/Archives/
  separator = /
  subscriptions = no
  type = private
}
namespace inbox {
  alias_for =
  hidden = no
  inbox = yes
  list = yes
  location =
  mailbox "Deleted Messages" {
auto = no
autoexpunge = 30 days
special_use = \Trash
  }
  mailbox Drafts {
auto = subscribe
special_use = \Drafts
 }
  mailbox Sent {
auto = subscribe
special_use = \Sent
  }
  mailbox Trash {
auto = subscribe
autoexpunge = 30 days
special_use = \Trash
  }
  prefix = INBOX/
  separator = /
  subscriptions = no
  type = private
}
namespace lists {
  list = children
  location = mdbox:/var/mail/%d/%n/Lists/mdbox
  prefix = INBOX/Lists/
  separator = /
  subscriptions = no
  type = private
}
namespace subscriptions {
  hidden = yes
  list = no
  location =
  prefix =
  separator = /
  subscriptions = yes
  type = private
}
namespace usershares {
  list = yes
  location = sdbox:/var/mail/%%d/%%n/sdbox:NO-NOSELECT
  prefix = INBOX/shared/%%d/%%n/
  separator = /
  subscriptions = no
  type = shared
}
namespace virtual {
  list = children
  location = virtual:/var/mail/%d/%n/virtual
  mailbox Flagged {
comment = All my flagged messages
special_use = \Flagged
  }
  prefix = INBOX/virtual/
  separator = /
  subscriptions = no
}

I also have:
plugin {
  mailbox_alias_new = Sent Messages
  mailbox_alias_new2 = Sent Items
  mailbox_alias_new3 = Deleted Messages
  mailbox_alias_old = Sent
  mailbox_alias_old2 = Sent
  mailbox_alias_old3 = Trash
}

This setup worked fine with my single server. Then I enabled 
replication - just on the primary. Dsync went to work (it seemed to 
take forever for the initial sync but that's what happens with large 
mailboxes and slow internet connections).


The problem came up with certain subfolders. And I believe it only 
happens with subfolders that have spaces in their names. I had two 
users' mailboxes (under Sent), one of which had a "Sent Messages" 
symlink alias for "Sent", that started generating tens or hundreds of 
duplicates during sync. Fortunately those subfolders only had a few 
mails in them. But I had trees looking like:


[...] (below is under /var/mail/domain/user/sdbox/mailboxes/Sent/)
Proposal 
Requests-temp-c6e003375e64a961c93d9db5accb-temp-1-temp-f80b1a00ce9aa961a86-temp-2
Proposal 
Requests-temp-c6e003375e64a961c93d9db5accb-temp-1-temp-f80b1a00ce9aa961a86-temp-3
Proposal 
Requests-temp-c6e003375e64a961c93d9db5accb-temp-2-temp-023fa4271c9ca9611ade0400b88bfabe
Proposal 
Requests-temp-c6e003375e64a961c93d9db5accb-temp-2-temp-023fa4271c9ca9611ad-temp-1

Proposal Requests-temp-c6e003375e64a961c93d9db5accb-temp-2-temp-1
Proposal Requests-temp-

Re[2]: No source packages in APT repo?

2021-12-03 Thread Daniel Miller

+1.

I *was* using the repo's packages for Ubuntu - but when I wanted to try 
fts-flatcurve I needed something to compile against. I'd rather do so 
against the repo sources if possible.


--
Daniel

-- Original Message --
From: "Shawn Heisey" 
To: dovecot@dovecot.org
Sent: 12/3/2021 1:45:26 PM
Subject: Re: No source packages in APT repo?


On 12/3/21 1:28 PM, Aki Tuomi wrote:

Is there a particular reason you need to build source packages?



There are sometimes moments when I want to test out a code change in a program 
I'm running on a server.  If a source package is available, I can make the 
change and build a new package that includes all of the Ubuntu customizations 
for that program plus the change I am testing.  To test, I just manually 
install the package.  To revert, I reinstall the original package with apt.  
Without a source package, testing might require complex steps with the upstream 
source and customization information that I may not have access to.

Thanks,
Shawn








Replication weirdness

2021-12-03 Thread Daniel Miller
First, I have to say this. After configuring everything correctly - and 
that means *everything* correctly - Dovecot replication Just Works. I'm 
not sure how (yes I do - Timo & Co. Magic) - but it does. Real-time new 
sync is near instantaneous.


Now the problem. Or the background for the problem. My primary server 
uses sdbox for primary storage, mdbox for archival storage, and 
fts-solr. I spun up a second server, using sdbox, mdbox, and 
fts-flatcurve. My namespaces are as defined below. As best I can tell 
(based on diff comparing two 'doveconf -n' outputs) my namespaces are 
the same on both servers.


namespace archives {
  list = children
  location = mdbox:/var/mail/%d/%n/Archives/mdbox
  mailbox Unsorted {
auto = no
special_use = \Archive
  }
  prefix = INBOX/Archives/
  separator = /
  subscriptions = no
  type = private
}
namespace inbox {
  alias_for =
  hidden = no
  inbox = yes
  list = yes
  location =
  mailbox "Deleted Messages" {
auto = no
autoexpunge = 30 days
special_use = \Trash
  }
  mailbox Drafts {
auto = subscribe
special_use = \Drafts
 }
  mailbox Sent {
auto = subscribe
special_use = \Sent
  }
  mailbox Trash {
auto = subscribe
autoexpunge = 30 days
special_use = \Trash
  }
  prefix = INBOX/
  separator = /
  subscriptions = no
  type = private
}
namespace lists {
  list = children
  location = mdbox:/var/mail/%d/%n/Lists/mdbox
  prefix = INBOX/Lists/
  separator = /
  subscriptions = no
  type = private
}
namespace subscriptions {
  hidden = yes
  list = no
  location =
  prefix =
  separator = /
  subscriptions = yes
  type = private
}
namespace usershares {
  list = yes
  location = sdbox:/var/mail/%%d/%%n/sdbox:NO-NOSELECT
  prefix = INBOX/shared/%%d/%%n/
  separator = /
  subscriptions = no
  type = shared
}
namespace virtual {
  list = children
  location = virtual:/var/mail/%d/%n/virtual
  mailbox Flagged {
comment = All my flagged messages
special_use = \Flagged
  }
  prefix = INBOX/virtual/
  separator = /
  subscriptions = no
}

I also have:
plugin {
  mailbox_alias_new = Sent Messages
  mailbox_alias_new2 = Sent Items
  mailbox_alias_new3 = Deleted Messages
  mailbox_alias_old = Sent
  mailbox_alias_old2 = Sent
  mailbox_alias_old3 = Trash
}

This setup worked fine with my single server. Then I enabled replication 
- just on the primary. Dsync went to work (it seemed to take forever for 
the initial sync but that's what happens with large mailboxes and slow 
internet connections).


The problem came up with certain subfolders. And I believe it only 
happens with subfolders that have spaces in their names. I had two 
users' mailboxes (under Sent), one of which had a "Sent Messages" 
symlink alias for "Sent", that started generating tens or hundreds of 
duplicates during sync. Fortunately those subfolders only had a few 
mails in them. But I had trees looking like:


[...] (below is under /var/mail/domain/user/sdbox/mailboxes/Sent/)
Proposal 
Requests-temp-c6e003375e64a961c93d9db5accb-temp-1-temp-f80b1a00ce9aa961a86-temp-2
Proposal 
Requests-temp-c6e003375e64a961c93d9db5accb-temp-1-temp-f80b1a00ce9aa961a86-temp-3
Proposal 
Requests-temp-c6e003375e64a961c93d9db5accb-temp-2-temp-023fa4271c9ca9611ade0400b88bfabe
Proposal 
Requests-temp-c6e003375e64a961c93d9db5accb-temp-2-temp-023fa4271c9ca9611ad-temp-1

Proposal Requests-temp-c6e003375e64a961c93d9db5accb-temp-2-temp-1
Proposal Requests-temp-c6e003375e64a961c93d9db5accb-temp-2-temp-2
Proposal 
Requests-temp-c6e003375e64a961c93d9db5accb-temp-2-temp-2-temp-1-temp-1

Proposal Requests-temp-c6e003375e64a961c93d9db5accb-temp-2-temp-3
Proposal Requests-temp-c6e003375e64a961c93d9db5accb-temp-2-temp-4
Proposal Requests-temp-c6e003375e64a961c93d9db5accb-temp-2-temp-5
Proposal 
Requests-temp-c6e003375e64a961c93d9db5accb-temp-2-temp-e2aa0f35c99ba96135659db5accb

[...]

I kept stopping, cleaning up the folders, and re-starting - and they 
kept regenerating. I tried renaming the folders to eliminate the spaces 
and I think that helped in one case - for the others I just moved the 
folders outside of the mail area completely to let the sync finish.


Now that it's been stable for a day or two - I enabled sync in the other 
direction. And after setting *all* the required parameters instead of 
just most of them...it's working. But...I'm nervous about moving the 
problem folders back over. I will say, if it makes any difference, my 
primary server *was* running version 2.3.13 and I just updated it to 
2.3.17. The remote is also 2.3.17.


--
Daniel

Re: v2.3.17 - dsync says invalid option -- E

2021-10-29 Thread Daniel J. Luke
On Oct 29, 2021, at 8:54 PM, Daniel J. Luke  wrote:
> On Oct 29, 2021, at 7:30 PM, Scott Ruckh  wrote:
>> On 2021-10-29 12:05, Daniel J. Luke wrote:
>>> Hello,
>>> I've got some scripts that archive off mail that stopped working with
>>> 2.3.17. Specifically this works in 2.3.16:
>>> sudo -n /usr/local/bin/dsync -u dluke -m Sent -o
>>> mail_location=mbox:~/tmp/ mirror maildir:~/Maildir/
>>> but fails on 2.3.17 with the following error message:
>>> dsync: invalid option -- E
>> 
>> I don't use dsync, but is mirror a command?  
> 
> it used to be :)
> 
>> Has mirror been replaced with sync?
> 
> Maybe? I wouldn't expect it to (intentionally) change in a patch release, 
> though.

FWIW, I don't actually need dsync for this - a simple script to export the 
maildir as an mbox works fine.
-- 
Daniel J. Luke



Re: v2.3.17 - dsync says invalid option -- E

2021-10-29 Thread Daniel J. Luke
On Oct 29, 2021, at 7:30 PM, Scott Ruckh  wrote:
> On 2021-10-29 12:05, Daniel J. Luke wrote:
>> Hello,
>> I've got some scripts that archive off mail that stopped working with
>> 2.3.17. Specifically this works in 2.3.16:
>> sudo -n /usr/local/bin/dsync -u dluke -m Sent -o
>> mail_location=mbox:~/tmp/ mirror maildir:~/Maildir/
>> but fails on 2.3.17 with the following error message:
>> dsync: invalid option -- E
> 
> I don't use dsync, but is mirror a command?  

it used to be :)

> Has mirror been replaced with sync?

Maybe? I wouldn't expect it to (intentionally) change in a patch release, 
though.

-- 
Daniel J. Luke



v2.3.17 - dsync says invalid option -- E

2021-10-29 Thread Daniel J. Luke
Hello,

I've got some scripts that archive off mail that stopped working with 2.3.17. 
Specifically this works in 2.3.16:

sudo -n /usr/local/bin/dsync -u dluke -m Sent -o mail_location=mbox:~/tmp/ 
mirror maildir:~/Maildir/

but fails on 2.3.17 with the following error message: 

dsync: invalid option -- E

-- 
Daniel J. Luke



Re: Dovecot version 2.3.17 - mail replication stopped working

2021-10-29 Thread Daniel Botting

Hi Aki,

Thanks for confirming it's fixed in master, much appreciated.

Approximately when do you expect 2.3.18 to be released as we found the 
functionality provided by this option useful in our setup.


Best regards

Daniel

On 29/10/2021 10:04, Aki Tuomi wrote:

https://github.com/dovecot/core/commit/0407978a8fb0bb9fb4a8f88ce5bdb7f565ee7a84

Aki


On 28/10/2021 18:11 Aki Tuomi  wrote:

  
Appears option T got removed by accident. We'll fix it latest for 2.3.18, and we'll let you know once it's fixed in master. You can either rollback to 2.3.16 or remove -T from sync options in config.


Aki


On 28/10/2021 17:33 Daniel Botting  wrote:

  
Hi,


We upgraded to Dovecot 2.3.17 today and mail replication has stopped
working as expected, the error in mail.err is:

Oct 28 10:27:44 hostname dovecot: imap-login: Error:
net_connect_unix(/var/run/dovecot/stats-writer) failed: No such file or
directory

Oct 28 10:28:47 hostname dovecot: doveadm: Error: sync: invalid option
-- 'T'

This is constantly repeated afterwards

All the files in /var/run/dovecot have last modified time of 10:27

The permissions on both hosts for this file are:

srw-rw  1 root    dovecot    0 Oct 28 10:27 stats-writer=

OS: Debian 10.11

Doveconf -n output below:

# 2.3.17 (e2aa53df5b): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.17 (054dddfa)
# OS: Linux 4.19.0-18-amd64 x86_64 Debian 10.11
# Hostname: mailserver fqdn
auth_verbose = yes
default_vsz_limit = 0
doveadm_password = # hidden, use -P to show it
first_valid_gid = 8
first_valid_uid = 8
last_valid_gid = 8
last_valid_uid = 8
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
mail_gid = 8
mail_location = maildir:~/Maildir
mail_plugins = " notify replication"
mail_uid = 8
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric
relational regex imap4flags copy include variables body enotify
environment mailbox date index ihave duplicate mime foreverypart
extracttext editheader imapflags
namespace inbox {
    inbox = yes
    location =
    mailbox Drafts {
      special_use = \Drafts
    }
    mailbox Junk {
      special_use = \Junk
    }
    mailbox Sent {
      special_use = \Sent
    }
    mailbox "Sent Messages" {
      special_use = \Sent
    }
    mailbox Trash {
      special_use = \Trash
    }
    prefix =
}
passdb {
    args = /etc/dovecot/dovecot-ldap.conf.ext
    driver = ldap
}
plugin {
    mail_replica = tcps:fqdn:port number
    sieve = ~/.dovecot.sieve
    sieve_dir = ~/sieve
    sieve_extensions = +editheader +imapflags
}
postmaster_address = postmaster@ourdomain
protocols = " imap sieve pop3"
replication_dsync_parameters = -d -N -l 15 -U -T 10
replication_max_conns = 24
service aggregator {
    fifo_listener replication-notify-fifo {
      user = mail
    }
    unix_listener replication-notify {
      user = mail
    }
}
service auth {
    unix_listener /var/run/dovecot-exim-bridge {
      mode = 0660
      user = Debian-exim
    }
}
service doveadm {
    inet_listener {
      port = 12345
      ssl = yes
    }
}
service imap-login {
    inet_listener imap {
      port = 143
    }
    inet_listener imaps {
      port = 993
      ssl = yes
    }
    process_limit = 512
    process_min_avail = 4
    service_count = 1
}
service imap {
    process_limit = 1024
}
service managesieve-login {
    inet_listener sieve {
      port = 4190
    }
    process_min_avail = 1
    service_count = 8
    vsz_limit = 256 M
}
service managesieve {
    process_limit = 1024
}
service replicator {
    process_min_avail = 1
    unix_listener replicator-doveadm {
      mode = 0666
    }
}
ssl = required
ssl_cert = 

--
Daniel Botting
Systems Administrator
Codethink Ltd.
3rd Floor Dale House,
35 Dale Street,
Manchester, M1 2HF
United Kingdom

http://www.codethink.co.uk/
We respect your privacy. See https://www.codethink.co.uk/privacy.html



Re: [Dovecot-news] Dovecot v2.3.17 released

2021-10-28 Thread Daniel J. Luke
On Oct 28, 2021, at 5:12 AM, Aki Tuomi  wrote:
> We are pleased to release v2.3.17 of Dovecot.

This patch is still needed to build on newer MacOS -

--- src/lib/ioloop-notify-kqueue.c.orig 2021-06-14 07:56:46.0 -0400
+++ src/lib/ioloop-notify-kqueue.c  2021-06-21 12:10:16.0 -0400
@@ -11,6 +11,7 @@
 
 #include "ioloop-private.h"
 #include "llist.h"
+#include "time-util.h"
 #include 
 #include 
 #include 
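Review bot: the three trailing context lines of this hunk read "#include" with no header name, so as posted the hunk cannot match src/lib/ioloop-notify-kqueue.c and would be rejected; resend it with the system header names intact. The file headers also have no a/ and b/ prefixes and name a .orig file, so the patch applies with patch -p0 from the source root rather than with git's default -p1; a git-format diff would be easier to merge. The description should also say which symbol in this file needs "time-util.h".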

see also https://dovecot.org/pipermail/dovecot/2020-September/119963.html and 
https://dovecot.org/list/dovecot/2021-June/122375.html
-- 
Daniel J. Luke



Re: Dovecot version 2.3.17 - mail replication stopped working

2021-10-28 Thread Daniel Botting

Hi Aki,

Thanks for your quick response, much appreciated.

We've removed -T from our config and replication is now working again.

I'll keep an eye on the mailing list to see when it is fixed in master.

Best regards

Daniel

On 28/10/2021 16:11, Aki Tuomi wrote:

Appears option T got removed by accident. We'll fix it latest for 2.3.18, and 
we'll let you know once it's fixed in master. You can either rollback to 2.3.16 
or remove -T from sync options in config.


--
Daniel Botting
Systems Administrator
Codethink Ltd.
3rd Floor Dale House,
35 Dale Street,
Manchester, M1 2HF
United Kingdom

http://www.codethink.co.uk/
We respect your privacy. See https://www.codethink.co.uk/privacy.html



Dovecot version 2.3.17 - mail replication stopped working

2021-10-28 Thread Daniel Botting

Hi,

We upgraded to Dovecot 2.3.17 today and mail replication has stopped 
working as expected, the error in mail.err is:


Oct 28 10:27:44 hostname dovecot: imap-login: Error: 
net_connect_unix(/var/run/dovecot/stats-writer) failed: No such file or 
directory


Oct 28 10:28:47 hostname dovecot: doveadm: Error: sync: invalid option 
-- 'T'


This is constantly repeated afterwards

All the files in /var/run/dovecot have last modified time of 10:27

The permissions on both hosts for this file are:

srw-rw  1 root    dovecot    0 Oct 28 10:27 stats-writer=

OS: Debian 10.11

Doveconf -n output below:

# 2.3.17 (e2aa53df5b): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.17 (054dddfa)
# OS: Linux 4.19.0-18-amd64 x86_64 Debian 10.11
# Hostname: mailserver fqdn
auth_verbose = yes
default_vsz_limit = 0
doveadm_password = # hidden, use -P to show it
first_valid_gid = 8
first_valid_uid = 8
last_valid_gid = 8
last_valid_uid = 8
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
mail_gid = 8
mail_location = maildir:~/Maildir
mail_plugins = " notify replication"
mail_uid = 8
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope 
encoded-character vacation subaddress comparator-i;ascii-numeric 
relational regex imap4flags copy include variables body enotify 
environment mailbox date index ihave duplicate mime foreverypart 
extracttext editheader imapflags

namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
plugin {
  mail_replica = tcps:fqdn:port number
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
  sieve_extensions = +editheader +imapflags
}
postmaster_address = postmaster@ourdomain
protocols = " imap sieve pop3"
replication_dsync_parameters = -d -N -l 15 -U -T 10
replication_max_conns = 24
service aggregator {
  fifo_listener replication-notify-fifo {
    user = mail
  }
  unix_listener replication-notify {
    user = mail
  }
}
service auth {
  unix_listener /var/run/dovecot-exim-bridge {
    mode = 0660
    user = Debian-exim
  }
}
service doveadm {
  inet_listener {
    port = 12345
    ssl = yes
  }
}
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
  process_limit = 512
  process_min_avail = 4
  service_count = 1
}
service imap {
  process_limit = 1024
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
  process_min_avail = 1
  service_count = 8
  vsz_limit = 256 M
}
service managesieve {
  process_limit = 1024
}
service replicator {
  process_min_avail = 1
  unix_listener replicator-doveadm {
    mode = 0666
  }
}
ssl = required
ssl_cert = 

Dovecot, Last Login Plugin and PostfixAdmin

2021-09-02 Thread White, Daniel E. (GSFC-770.0)[NICS]
https://doc.dovecot.org/configuration_manual/lastlogin_plugin/

Is there any documentation about how to get the "Last Login" info into the 
PostfixAdmin database ?




Re: [Dovecot-news] v2.3.16 released

2021-08-06 Thread Daniel J. Luke
On Aug 6, 2021, at 7:42 AM, Timo Sirainen  wrote:
> https://dovecot.org/releases/2.3/dovecot-2.3.16.tar.gz
> https://dovecot.org/releases/2.3/dovecot-2.3.16.tar.gz.sig

The patch from https://dovecot.org/pipermail/dovecot/2021-June/122375.html is 
still necessary to build on newer Mac OS X (for the same reason). Tested on Mac 
OS version 11.5.1.

-- 
Daniel J. Luke



Re: [EXTERNAL] Sv: function for whitelisting IPs

2021-07-15 Thread White, Daniel E. (GSFC-770.0)[NICS]
The custom login script -- in Dovecot or Roundcube or … ?
Is there any documentation for such scripting ?

-Original Message-
From: dovecot  on behalf of Sebastian 

Reply-To: Dovecot Mailing List 
Date: Thursday, July 15, 2021 at 06:56
To: 'Mailing List' 
Subject: [EXTERNAL] Sv: function for whitelisting IPs

Most such functions would need to be custom.
You need to write a custom login script, which also accepts the user's IP 
as input to a function, which then checks if password is right.
And then it returns that password is invalid if IP isn't approved.

Then you just need to write some custom functions in roundcube or similar 
to have the webmail insert the IP into a database.

Or just match it against a GeoIP database and save the latest country the 
webmail was logged in from, and then SMTP/IMAP is only approved for that 
country.
That reduces the attack surface greatly.

-Original Message-
From: dovecot-boun...@dovecot.org  On behalf of White, 
Daniel E. (GSFC-770.0)[NICS]
Sent: 15 July 2021 12:21
To: Dovecot Mailing List 
Subject: function for whitelisting IPs

Sebastian,

Do you have any examples of such a function and how/where it is used ?

-Original Message-
From: dovecot  on behalf of Sebastian 

Reply-To: Dovecot Mailing List 
Date: Thursday, July 15, 2021 at 01:19
To: 'Mailing List' 
Subject: [EXTERNAL] Sv: 2FA/MFA with IMAP & postfix/submission

Main problem is that not many clients do natively support multifactor.
Some clients, do popup a login dialog if the server rejects the 
password as invalid, which can be used to create a "cheaty variant" of 
multifactor, but some clients just popup an error dialog and tell the user to 
just correct password in settings.
Some clients even go as long as requiring the user to delete the 
account with wrong password and set up a new connection.

So no, it cannot be relied upon.

I have a better idea:
Have a function for whitelisting IPs, possible /24's or similar, where 
a login to roundcube or other webmail client (with 2FA) will add the IP onto a 
whitelist for that account.
Or perhaps, just "set" the country of the account based on GeoIP.

When an account tries to login via IMAP or SMTP, you just check if IP 
and/or GeoIP country is right, and reject the login as invalid if so not.

The only thing a client needs to do to get his IMAP or SMTP client to 
work again if it stops working, is to login once via the web client.

-Original Message-
From: dovecot-boun...@dovecot.org  On behalf of Alex
Sent: 15 July 2021 02:10
To: dovecot@dovecot.org
Subject: 2FA/MFA with IMAP & postfix/submission

Hi, I have a dovecot-2.3.13 system on fedora34 with a few hundred
IMAP4 accounts, as well as postfix users using submission. Clients are
using primarily Outlook on Windows and old squirrelmail.

Are there multi-factor options available?

If it is not available, do you have any recommendations on where I
should look to do this?

All of the links related to this topic appear to be very old, or
limited to Linux PAM users.






function for whitelisting IPs

2021-07-15 Thread White, Daniel E. (GSFC-770.0)[NICS]
Sebastian,

Do you have any examples of such a function and how/where it is used ?

-Original Message-
From: dovecot  on behalf of Sebastian 

Reply-To: Dovecot Mailing List 
Date: Thursday, July 15, 2021 at 01:19
To: 'Mailing List' 
Subject: [EXTERNAL] Sv: 2FA/MFA with IMAP & postfix/submission

Main problem is that not many clients do natively support multifactor.
Some clients, do popup a login dialog if the server rejects the password as 
invalid, which can be used to create a "cheaty variant" of multifactor, but 
some clients just popup an error dialog and tell the user to just correct 
password in settings.
Some clients even go as long as requiring the user to delete the account 
with wrong password and set up a new connection.

So no, it cannot be relied upon.

I have a better idea:
Have a function for whitelisting IPs, possible /24's or similar, where a 
login to roundcube or other webmail client (with 2FA) will add the IP onto a 
whitelist for that account.
Or perhaps, just "set" the country of the account based on GeoIP.

When an account tries to login via IMAP or SMTP, you just check if IP 
and/or GeoIP country is right, and reject the login as invalid if so not.

The only thing a client needs to do to get his IMAP or SMTP client to work 
again if it stops working, is to login once via the web client.

-Original Message-
From: dovecot-boun...@dovecot.org  On behalf of Alex
Sent: 15 July 2021 02:10
To: dovecot@dovecot.org
Subject: 2FA/MFA with IMAP & postfix/submission

Hi, I have a dovecot-2.3.13 system on fedora34 with a few hundred
IMAP4 accounts, as well as postfix users using submission. Clients are
using primarily Outlook on Windows and old squirrelmail.

Are there multi-factor options available?

If it is not available, do you have any recommendations on where I
should look to do this?

All of the links related to this topic appear to be very old, or
limited to Linux PAM users.
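
The IP whitelisting idea proposed in this message and in the "Re: [EXTERNAL] Sv: function for whitelisting IPs" message above, as an added example that is not code from any poster or from Dovecot or Roundcube. The table name, function names, 30-day expiry and IPv6 /64 width are assumptions; the last function renders the comma-separated list that Dovecot's allow_nets passdb extra field accepts.

```python
"""Per-account source-network allowlist fed by 2FA webmail logins (added example)."""
import ipaddress
import sqlite3
import time

V4_PREFIX = 24                 # the "/24's or similar" granularity from the thread
V6_PREFIX = 64                 # assumption: treat one IPv6 /64 as one site
TTL_SECONDS = 30 * 24 * 3600   # assumption: an entry lapses 30 days after the web login


def open_store(path=":memory:"):
    """Open (and create if needed) the hypothetical login_allow table."""
    db = sqlite3.connect(path)
    db.execute(
        "CREATE TABLE IF NOT EXISTS login_allow ("
        " account TEXT NOT NULL, network TEXT NOT NULL, expires INTEGER NOT NULL,"
        " PRIMARY KEY (account, network))"
    )
    return db


def _parse_ip(ip_text):
    """Parse an address; fold IPv4-mapped IPv6 (::ffff:a.b.c.d) back to IPv4."""
    ip = ipaddress.ip_address(ip_text.strip())
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip


def covering_network(ip_text):
    """Return the /24 (IPv4) or /64 (IPv6) network that contains the address."""
    ip = _parse_ip(ip_text)
    prefix = V4_PREFIX if ip.version == 4 else V6_PREFIX
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def record_webmail_login(db, account, ip_text, now=None):
    """Call only after the webmail login has passed its second factor."""
    now = int(time.time()) if now is None else now
    net = covering_network(ip_text)   # raises ValueError on a malformed address
    db.execute(
        "INSERT OR REPLACE INTO login_allow VALUES (?, ?, ?)",
        (account.lower(), str(net), now + TTL_SECONDS),
    )
    db.commit()
    return net


def _active_networks(db, account, now):
    rows = db.execute(
        "SELECT network FROM login_allow WHERE account = ? AND expires > ?",
        (account.lower(), now),
    )
    return [ipaddress.ip_network(text) for (text,) in rows]


def is_login_allowed(db, account, ip_text, now=None):
    """IMAP/SMTP-side check: fail closed on unknown accounts and bad input."""
    now = int(time.time()) if now is None else now
    try:
        ip = _parse_ip(ip_text)
    except (ValueError, AttributeError):
        return False
    # An IPv4 address is never "in" an IPv6 network and vice versa.
    return any(ip in net for net in _active_networks(db, account, now))


def allow_nets_value(db, account, now=None):
    """Comma-separated networks for a passdb allow_nets field.

    Returns None when nothing is active: the caller must then fail the
    login itself, because leaving allow_nets out means "no restriction".
    """
    now = int(time.time()) if now is None else now
    nets = _active_networks(db, account, now)
    if not nets:
        return None
    return ",".join(sorted(str(net) for net in nets))


if __name__ == "__main__":
    # Constructed sample data using documentation address ranges.
    store = open_store()
    record_webmail_login(store, "alice@example.org", "203.0.113.57")
    for source in ("203.0.113.200", "198.51.100.9"):
        print(source, is_login_allowed(store, "alice@example.org", source))
    print(allow_nets_value(store, "alice@example.org"))
```
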




High Availability Dovecot / Roundcube / PostfixAdmin ?

2021-07-09 Thread White, Daniel E. (GSFC-770.0)[NICS]
This is a new setup, running on RHEL 8 with the latest everything.

Has anyone out there set up a high availability pair of Dovecot servers - with 
Roundcube and PostfixAdmin - successfully ?

"Callahan's Law: Shared pain is lessened; shared joy, increased — thus do we 
refute entropy" (Spider Robinson)



Re: libdict_lua linking issues

2021-06-22 Thread Daniel J. Luke
On Tue, Jun 22, 2021 at 01:30:49PM +0200, Timo Sirainen wrote:
> > And on OmniOS / Solaris it failed with:
> > 
> > libtool: link: gcc -std=gnu99 -m64 -march=x86-64 -fPIC -Os -Wall -W 
> > -Wmissing-prototypes -Wmissing-declarations -Wpointer-arith 
> > -Wchar-subscripts -Wformat=2 -Wbad-function-cast -fno-builtin-strftime 
> > -Wstrict-aliasing=2 -m64 -o test-dict test-dict.o  ./.libs/libdict.a 
> > ../lib-test/.libs/libtest.a ../lib/.libs/liblib.a -lsocket -lnsl -lsendfile
> > gcc: error: ./.libs/libdict_lua.a: No such file or directory
> > gmake[3]: *** [Makefile:630: test-dict-client] Error 1
> 
> Attached patch should work? You'll need to run autogen.sh again.

This works for me on MacOS both with and without lua (ran autoconf -fi since 
autogen.sh isn't in the source tarball).

Thanks!

-- 
Daniel J. Luke


Re: [Dovecot-news] Dovecot v2.3.15 released

2021-06-21 Thread Daniel J. Luke
On Jun 21, 2021, at 7:20 AM, Timo Sirainen  wrote:
> Here's a new release with some security fixes and quite a lot of other 
> changes as well.
> 
>  * Removed support for Lua 5.2. Use version 5.1 or 5.3 instead.

Looks like it doesn't want to build w/o lua now.

On my MacOS system configure says:

checking whether we will be linking in Lua... no

... but after fixing the implicit i_gettimeofday declaration, build fails with:

/bin/sh ../../libtool  --tag=CC   --mode=link gcc  -std=gnu99 -g -O2 
-fstack-protector-strong -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -Wall -W 
-Wmissing-prototypes -Wmissing-declarations -Wpointer-arith -Wchar-subscripts 
-Wformat=2 -Wbad-function-cast -Wno-duplicate-decl-specifier 
-Wstrict-aliasing=2 -I/opt/local/include   -no-undefined -L/opt/local/lib  -o 
libdict_lua.la
libtool: link: ar cru .libs/libdict_lua.a 
ar: no archive members specified

(this doesn't happen with 2.3.14.1)
-- 
Daniel J. Luke



Re: [Dovecot-news] Dovecot v2.3.14.1 released

2021-06-21 Thread Daniel J. Luke
On Jun 21, 2021, at 7:21 AM, Timo Sirainen  wrote:
> This is an "important fixes only" release in case you don't want to upgrade 
> to v2.3.15. There is no matching Pigeonhole release - use the same v2.3.14 
> instead.

Need this small patch to build on newer MacOS:

--- src/lib/ioloop-notify-kqueue.c.orig 2021-06-14 07:56:46.0 -0400
+++ src/lib/ioloop-notify-kqueue.c  2021-06-21 12:10:16.0 -0400
@@ -11,6 +11,7 @@
 
 #include "ioloop-private.h"
 #include "llist.h"
+#include "time-util.h"
 #include 
 #include 
 #include 
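Review bot: the added include of "time-util.h" after "llist.h" is justified only by the compiler error quoted outside the patch; put that reason (the implicit declaration of i_gettimeofday reported at ioloop-notify-kqueue.c:70) into the patch description so the include is not later dropped as unused. Placing it with the other project headers ahead of the system includes is consistent with the surrounding lines. As in the archive copy of this hunk, the three trailing context lines have lost their header names and need restoring before it can apply.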

or it will error with:

ioloop-notify-kqueue.c:70:2: error: implicit declaration of function 
'i_gettimeofday' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
    i_gettimeofday(_timeval);
^

-- 
Daniel J. Luke



Re: sieve not updating headers?

2021-06-14 Thread Daniel J. Luke
On Jun 12, 2021, at 5:16 AM, Stephan Bosch  wrote:
>> I can see that my sieve_before script successfully sends the message off to 
>> spamc/spamd - however the message ends up in my mailbox with only the 
>> pre-existing X-Spam headers (I had expected them to be replaced or to see 
>> duplicates). I thought I'd try to just strip them from incoming mail so I 
>> used deleteheader, I got a trace saying it matches and deletes the headers, 
>> then sends the mail off to spamc/spamd - but the message that ends up in my 
>> mailbox has the headers that were presumably deleted.
> 
> I cannot reproduce this with master. Keep and implicit keep act the same. My 
> filter program successfully changes the message and the deleteheader commands 
> properly drop the indicated headers.
> 
> What version is this? What is your configuration (output from `dovecot -n`)

My before script sends to spamc or does deleteheader (as noted) but user script 
does:

# rule:[mailman lists with mailboxes]
if allof( header :matches "List-Id" "*<*.*",
          mailboxexists "${2}" )
{
    fileinto "${2}";
    stop;
}

# rule:[discard duplicates]
if duplicate
{
    discard;
}

keep;


I don't see header problems in mail that ends up in a fileinto'd mailbox, just 
my INBOX - I suspect it's interaction with the 'duplicate' implementation 
(which the RFC says operates on the original un-modified message).

dovecot -n output below -

# 2.3.14 (cee3cbc0d): /usr/local/etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.14 (1b5c82b2)
# OS: Darwin 20.5.0 x86_64  
# Hostname: vroomfondel.geeklair.net
auth_username_format = %Ln
auth_verbose = yes
default_internal_group = mail
default_internal_user = _dovecot
default_login_user = _dovenull
first_valid_gid = 500
first_valid_uid = 501
last_valid_gid = 599
last_valid_uid = 599
login_greeting = geeklair.net mail ready.
mail_location = mbox:~/Mail/:INBOX=~/.mbox:INDEX=~/.dovecot-indexes
mail_plugins = fts fts_lucene zlib
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character 
vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy 
include variables body enotify environment mailbox date index ihave duplicate 
mime foreverypart extracttext
namespace {
  inbox = yes
  location = 
  mailbox Drafts {
auto = no
special_use = \Drafts
  }
  mailbox Sent {
auto = subscribe
special_use = \Sent
  }
  mailbox Trash {
auto = no
special_use = \Trash
  }
  mailbox spam {
auto = create
special_use = \Junk
  }
  prefix = 
  separator = /
}
namespace archive {
  inbox = no
  list = no
  location = mbox:~/MailArchive/
  prefix = "#Archive/"
  separator = /
}
passdb {
  args = dovecot
  driver = pam
}
plugin {
  fts = lucene
  fts_autoindex = yes
  fts_autoindex_exclude = "#Archive/*"
  fts_lucene = whitespace_chars=@.
  recipient_delimiter = +
  sieve = file:~/.sieve;active=~/.dovecot.sieve
  sieve_before = /usr/local/etc/dovecot/sieve/before.sieve
  sieve_default = /usr/local/etc/dovecot/sieve/default.sieve
  sieve_default_name = file_spam
  sieve_filter_bin_dir = /usr/local/lib/dovecot/sieve-filter
  sieve_filter_exec_timeout = 720s
  sieve_global_extensions = +vnd.dovecot.filter +editheader
  sieve_plugins = sieve_extprograms
}
protocols = imap pop3 lmtp sieve
service auth {
  unix_listener /usr/local/var/spool/postfix/private/auth {
group = _postfix
mode = 0660
user = _postfix
  }
  user = root
}
service imap-login {
  inet_listener imaps {
port = 993
ssl = yes
  }
  process_min_avail = 1
  service_count = 0
}
service imap {
  vsz_limit = 512 M
}
service lmtp {
  unix_listener /usr/local/var/spool/postfix/private/dovecot-lmtp {
group = postfix
mode = 0600
user = postfix
  }
}
service managesieve-login {
  inet_listener sieve {
port = 4190
  }
  process_min_avail = 0
  service_count = 0
  vsz_limit = 64 M
}
service managesieve {
  process_limit = 12
}
service pop3-login {
  inet_listener pop3 {
port = 0
  }
  inet_listener pop3s {
port = 995
ssl = yes
  }
  process_min_avail = 1
  service_count = 0
}
service pop3 {
  vsz_limit = 512 M
}
ssl_cert = 

Re: sieve not updating headers?

2021-06-11 Thread Daniel J. Luke
On Jun 11, 2021, at 9:54 AM, Daniel J. Luke  wrote:
> On Jun 11, 2021, at 3:51 AM, Vincent Brillault  
> wrote:
>>> It then falls through my personal sieve filter and hits the implicit
>>> keep at the end and ends up in my inbox - with the original headers.
>> 
>> I had a similar issue recently (with addheader, not deleteheader) and I
>> was pointed to the RFC:
>> https://datatracker.ietf.org/doc/html/rfc5293#section-5
>> 
>> ```
>> The deleteheader action does not affect Sieve's implicit keep.
>> ```
> 
> I haven't gone over the RFCs with a fine toothed comb, but having implicit 
> and explicit keep with different behaviors is surprising.
> 
>> My addheader case was solved by adding an explicit keep or a fileinto.
> 
> I added a keep; to the end of my before.sieve and it doesn't change the 
> behavior (with or without the deleteheaders I always see the other host's 
> X-Spam headers in the delivered mail).

While that didn't work, adding a keep to the end of the user rules works - and 
even better, I don't need the deleteheaders (as it preserves the headers as set 
by the spamc filter).

This behavior is very surprising to me (I wouldn't expect rules ending with an 
explicit keep to be any different from rules ending with an implicit one), but 
at least it's working now - and hopefully being in the list archive will save 
someone else some time in the future.

-- 
Daniel J. Luke



Re: sieve not updating headers?

2021-06-11 Thread Daniel J. Luke
On Jun 11, 2021, at 3:51 AM, Vincent Brillault  
wrote:
>> It then falls through my personal sieve filter and hits the implicit
>> keep at the end and ends up in my inbox - with the original headers.
> 
> I had a similar issue recently (with addheader, not deleteheader) and I
> was pointed to the RFC:
> https://datatracker.ietf.org/doc/html/rfc5293#section-5
> 
> ```
> The deleteheader action does not affect Sieve's implicit keep.
> ```

I haven't gone over the RFCs with a fine toothed comb, but having implicit and 
explicit keep with different behaviors is surprising.

> My addheader case was solved by adding an explicit keep or a fileinto.

I added a keep; to the end of my before.sieve and it doesn't change the 
behavior (with or without the deleteheaders I always see the other host's X-Spam 
headers in the delivered mail).
-- 
Daniel J. Luke



sieve not updating headers?

2021-06-10 Thread Daniel J. Luke
Hello,

I've recently converted from using procmail as an lda to using lmtp+sieve (and 
it's overall great).

My setup is currently doing post-queue spamassassin to pickup user rules (and 
to be substantially similar to how it worked before). It mostly works, but I 
get some mail forwarded from another host that also runs spamassassin, so the 
mail comes with X-Spam headers already set.

I can see that my sieve_before script successfully sends the message off to 
spamc/spamd - however the message ends up in my mailbox with only the 
pre-existing X-Spam headers (I had expected them to be replaced or to see 
duplicates). I thought I'd try to just strip them from incoming mail so I used 
deleteheader, I got a trace saying it matches and deletes the headers, then 
sends the mail off to spamc/spamd - but the message that ends up in my mailbox 
has the headers that were presumably deleted.

My before.sieve looks like this:

require ["vnd.dovecot.filter","editheader"];

# rule:[spamfilter]
if size :under 10485760
{
    deleteheader :matches "X-Spam-Flag" "*";
    deleteheader :matches "X-Spam-Status" "*";
    deleteheader :matches "X-Spam-Level" "*";
    deleteheader :matches "X-Spam-Checker-Version" "*";

    filter "spamc" ["-s","10485760","-U","/var/run/spamd.sock"];
}

Trace file says:

  ## Started executing script 'before'
   6: size :under test
   6:   comparing message size 4197
   6:   with lower limit 10485760
   6: jump if result is false
   6:   not jumping
  11: deleteheader command 
  11:   deleting matching occurrences of header `X-Spam-Flag'
  11:   header `X-Spam-Flag' not found
  12: deleteheader command 
  12:   deleting matching occurrences of header `X-Spam-Status'
  12: starting `:matches' match with `i;ascii-casemap' comparator:
  12: matching value `No, score=-0.2 required=5.0 
tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,DKIM_..
.'
  12:   with key `*' => 1
  12: deleting header with value `No, score=-0.2 required=5.0 
tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALI
D_AU,DKIM_VALID_EF,FREEMAIL_FROM,HTML_MESSAGE, 
RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS autolearn=ham au
tolearn_force=no version=3.4.2'
  12: finishing match with result: matched
  13: deleteheader command 
  13:   deleting matching occurrences of header `X-Spam-Level'
  13:   header `X-Spam-Level' not found
  14: deleteheader command 
  14:   deleting matching occurrences of header `X-Spam-Checker-Version'
  14: starting `:matches' match with `i;ascii-casemap' comparator:
  14: matching value `SpamAssassin 3.4.2 (2018-09-13) on 
braeburn.macports.org'
  14:   with key `*' => 1
  14: deleting header with value `SpamAssassin 3.4.2 (2018-09-13) on 
braeburn.macports.org'
  14: finishing match with result: matched
  16: filter action
  16:   execute program `spamc'
  16:   executed program successfully
  16:   changed message
  ## Finished executing script 'before'

It then falls through my personal sieve filter and hits the implicit keep at 
the end and ends up in my inbox - with the original headers.

So, two questions:
1. What am I missing?
2. Is there a way to match any X-Spam-* header? (when I tried deleteheader 
:matches "X-Spam*" it didn't match anything).

Thanks.

-- 
Daniel J. Luke



fts_autoindex_exclude for everything in a namespace?

2021-06-02 Thread Daniel J. Luke
Hi,

I've recently moved a system from using procmail to delivering via dovecot-lmtp 
w/ sieve - and it's great! I've got a copy of incoming mail going into mbox 
archives (that I compress after month's end), and my mail log is full of "Error: 
fts: Failed to sync mailbox #Archive: Mailbox isn't selectable", though. I 
/think/ fts_autoindex_exclude = #Archive/* is what I want, but it doesn't seem 
to silence the error. I don't need the #Archive mailboxes visible to clients, 
but I don't mind if they are. I tried some setting the archive prefix = 
AutoArchive and setting list = yes, but that didn't silence the error.

I feel like I'm probably missing something obvious :)

dovecot 2.3.14 / pigeonhole 0.5.14

relevant config from dovecot -n:

mail_location = mbox:~/Mail/:INBOX=~/.mbox:INDEX=~/.dovecot-indexes
mail_plugins = fts fts_lucene zlib

namespace {
  inbox = yes
  location =
  mailbox Drafts {
auto = no
special_use = \Drafts
  }
  mailbox Sent {
auto = subscribe
special_use = \Sent
  }
  mailbox Trash {
auto = no
special_use = \Trash
  }
  mailbox spam {
auto = create
special_use = \Junk
  }
  prefix =
  separator = /
}
namespace archive {
  inbox = no
  list = no
  location = mbox:~/MailArchive/
  prefix = "#Archive/"
  separator = /
}
plugin {
  fts = lucene
  fts_autoindex = yes
  fts_lucene = whitespace_chars=@.
  recipient_delimiter = +
  sieve = file:~/.sieve;active=~/.dovecot.sieve
  sieve_default = /usr/local/etc/dovecot/sieve/default.sieve
  sieve_default_name = file_spam
}

and the archive sieve script (which works) looks like this:

if currentdate :matches "month" "*"
{
    set "month" "${1}";
}
if currentdate :matches "year" "*"
{
    set "year" "${1}";
}
if true
{
    fileinto :copy :create "#Archive/${year}-${month}";
}

-- 
Daniel J. Luke



mail-crypt-plugin: encrypted user keys

2021-05-28 Thread Daniel Schuermann
Hi,

I tried to enable encrypted folder keys using mail-crypt-plugin.
It works as expected when using unencrypted folder keys.
When I add

   mail_crypt_require_encrypted_user_key = yes

as shown below, I somehow manage to crash dovecot:

 dovecot: lmtp(82060): Fatal: master: service(lmtp):
  child 82060 killed with signal 6 (core not dumped -
  https://dovecot.org/bugreport.html#coredumps -
  set service lmtp { drop_priv_before_exec=yes })

 dovecot: lmtp(67814): Panic: file mail-user.c: line 229 (mail_user_deinit):
  assertion failed: ((*user)->refcount== 1)

 lmtp(root): Info: msgid=<07e3a23b2aaea...@mx.2718282.net>:
  save failed to INBOX: generate_keypair(INBOX) failed:
  mail_crypt_require_encrypted_user_key set,
  cannot generate user keypair without password or key

My config files:

# 2.3.14 (cee3cbc0d): /etc/mail/imap.conf
# OS: OpenBSD 6.9 amd64
auth_verbose = yes
debug_log_path = /var/log/dovecot
info_log_path = /var/log/dovecot
mail_attribute_dict = file:%h/Maildir/dovecot-attributes
mail_debug = yes
namespace inbox {
 ...
}
passdb {
  args = /etc/mail/imap-sqlite.conf
  driver = sql
}
plugin {
  mail_crypt_curve = secp521r1
  mail_crypt_require_encrypted_user_key = yes
  mail_crypt_save_version = 2
}
protocols = imap lmtp
service imap-login {
 ...
}
ssl = required
ssl_cert = 

Re: [EXTERNAL] Re: Help with "doveadm" - Socket ?

2021-05-25 Thread White, Daniel E. (GSFC-770.0)[NICS]
Many thanks, Alexander
Your information was on target.

-Original Message-
From: dovecot  on behalf of Alexander Dalloz 

Date: Monday, May 24, 2021 at 15:50
To: "dovecot@dovecot.org" 
Subject: Re: [EXTERNAL] Re: Help with "doveadm" - Socket ?

On 24.05.2021 at 19:23, White, Daniel E. (GSFC-770.0)[NICS] wrote:
> I found that /var/run/dovecot/doveadm-server is a socket
> but adding it does not help.
> 
> # doveadm mailbox status -A -S /var/run/dovecot/doveadm-server
> doveadm mailbox status [-u |-A] [-S ] [-t]  
 [...]
> 
> Am I missing something else ?

You must specify all mandatory parameters for doveadm mailbox status.

doveadm mailbox status -A -S /var/run/dovecot/doveadm-server -t messages 
INBOX

Specifying the socket is optional and not normally required.

Alexander




Re: [EXTERNAL] Re: Help with "doveadm" - Socket ?

2021-05-24 Thread White, Daniel E. (GSFC-770.0)[NICS]
A bit more detail:

I can do this:
# doveadm mailbox list -A
...
test_u Sent
test_u Trash
test_u Drafts
test_u public
test_u INBOX
...

But I cannot do this:
# doveadm mailbox status -A
doveadm mailbox status [-u |-A] [-S ] [-t]   [...]

I found this:
https://serverfault.com/questions/926034/do-i-need-a-dovecot-socket
that suggested:

Dovecot probably already listens in the sockets, this is a common configuration 
for dovecot. Try this command to verify.

ss -ntpl | grep -e :143 -e :993

I tried it and got 
# ss -ntpl | grep -e :143 -e :993 -e :995 
LISTEN 0  100   :::993 :::*  users:(("dovecot",2572,42))
LISTEN 0  100*:993  *:*  users:(("dovecot",2572,41))
LISTEN 0  100   :::995 :::*  users:(("dovecot",2572,27))
LISTEN 0  100*:995  *:*  users:(("dovecot",2572,26))
LISTEN 0  100   :::143 :::*  users:(("dovecot",2572,40))
LISTEN 0  100*:143  *:*  users:(("dovecot",2572,39))

I found that /var/run/dovecot/doveadm-server is a socket
but adding it does not help.

# doveadm mailbox status -A -S /var/run/dovecot/doveadm-server
doveadm mailbox status [-u |-A] [-S ] [-t]   [...]

Am I missing something else ?

-Original Message-
From: dovecot  on behalf of Aki Tuomi 

Date: Friday, May 21, 2021 at 17:02
To: Alexander Dalloz , "dovecot@dovecot.org" 
, "daniel.e.whi...@nasa.gov" <"daniel.e.white."@nasa.gov>
Subject: [EXTERNAL] Re: Help with "doveadm" - Socket ?


> On 21/05/2021 23:59 Alexander Dalloz  wrote:
> 
>  
> On 21.05.2021 at 21:27, White, Daniel E. (GSFC-770.0)[NICS] wrote:
> > doveadm [-f formatter] mailbox status [-A|-u user] [-S socket_path] 
[-t] fields mailbox ...
> > 
> > Where do I find this "socket_path", please ?
> > 
> > I am trying to untangle a very old CentOS 6 instance.
> > 
> > Thanks in advance.
> 
> It should be /var/run/dovecot/doveadm-server
> 
> Alexander

It can also be a tcp socket. Maybe give us a bit more insight on what you are 
dealing with?

Aki



Help with "doveadm" - Socket ?

2021-05-21 Thread White, Daniel E. (GSFC-770.0)[NICS]
doveadm [-f formatter] mailbox status [-A|-u user] [-S socket_path] [-t] fields 
mailbox ...

Where do I find this "socket_path", please ?

I am trying to untangle a very old CentOS 6 instance.

Thanks in advance.



Re: [EXTERNAL] Re: Separating Dovecot and Postfix

2021-05-14 Thread White, Daniel E. (GSFC-770.0)[NICS]
Vielen Dank. (Google Translate)

LMTP seems the way to go.

-Original Message-
From: dovecot  on behalf of Heiko Schlittermann 

Organization: schlittermann -- internet & unix support
Date: Friday, May 14, 2021 at 11:08
To: 
Subject: [EXTERNAL] Re: Separating Dovecot and Postfix

Hi,

White, Daniel E. (GSFC-770.0)[NICS]  (Fri 14 May 2021 14:37:15 CEST):
> I am struggling to update a very old set of mail servers.
> Some are supposed to be relays (MTAs by my understanding) while others 
are where the mailboxes live (MDA)

It depends on how your MTA hands over the messages to the Mail Storage
Agent (MSA).

If both are on the same machine, in the same file system, there are
multiple methods:

- direct file system access: The MTA knows about the internal
  structure of the MSA and writes directly to the (mostly
  Maildir) mailboxes. This is considered bad practice.

- local delivery agent: `dovecot-deliver` reads the message from standard
  input and - as part of the MSA - it knows about the internal structure
  and hides it from the MTA. This is good practice, but it may impose
  permission issues.

- LMTP: The MTA uses a variant of the SMTP protocol to push the message
  to the MSA, dovecot can listen on a Unix-Domain socket, as well as on
  an INET socket, and serve as an LMTP server. This is IMHO the best
  option, as it allows the best privilege separation, and additionally
  it allows an easy migration from having both (MTA, MSA) on the same
  machine to separate machines.

If you have both (MTA, MSA) on distinct machines, then only LMTP is your
option. I'm pretty sure that Postfix can use LMTP over INET style network
connections. Depending on how much you trust your network, you should
consider using TLS for this connection.

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de  internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -
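
Added example (not part of the original messages): a shell check for the handover choice described above. It reads `postconf -n` output, reports whether Postfix delivers to Dovecot over a Unix socket or over network LMTP, and flags network LMTP where TLS is not enforced. The Postfix parameters `virtual_transport`, `mailbox_transport` and `lmtp_tls_security_level` are real settings that the thread itself does not name; the host name and sample configurations are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: classify how Postfix hands mail to
# Dovecot and flag network LMTP that is not forced onto TLS.
# Input is `postconf -n` text; the sample configurations are constructed.

# get_param NAME: read "name = value" lines on stdin, print NAME's value.
get_param() {
    awk -v k="$1" '{
        i = index($0, "=")
        if (i == 0) next
        name = substr($0, 1, i - 1)
        val = substr($0, i + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", name)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (name == k) { print val; exit }
    }'
}

# transport_kind VALUE: print unix, inet or other for a transport setting.
transport_kind() {
    case "$1" in
        lmtp:unix:*) echo unix ;;
        lmtp:*)      echo inet ;;   # lmtp:inet:host:port or lmtp:host:port
        *)           echo other ;;
    esac
}

# audit_lmtp: stdin is `postconf -n` output; print one finding per
# delivery transport that is set.
audit_lmtp() {
    conf=$(cat)
    tls=$(printf '%s\n' "$conf" | get_param lmtp_tls_security_level)
    for p in virtual_transport mailbox_transport; do
        v=$(printf '%s\n' "$conf" | get_param "$p")
        [ -n "$v" ] || continue
        case "$(transport_kind "$v")" in
            unix)
                echo "$p: unix socket, local handover" ;;
            inet)
                case "$tls" in
                    encrypt|verify|secure|fingerprint|dane-only)
                        echo "$p: network LMTP, TLS enforced ($tls)" ;;
                    *)
                        echo "$p: network LMTP, TLS NOT enforced (${tls:-unset})" ;;
                esac ;;
            *)
                echo "$p: not LMTP ($v)" ;;
        esac
    done
    return 0
}

# Constructed samples: same-host socket, remote host in clear text,
# remote host with mandatory TLS.
SAMPLE_UNIX='mailbox_transport = lmtp:unix:private/dovecot-lmtp'
SAMPLE_NET_PLAIN='virtual_transport = lmtp:inet:mda.example.net:24'
SAMPLE_NET_TLS='virtual_transport = lmtp:inet:mda.example.net:24
lmtp_tls_security_level = encrypt'

# On a real relay run instead:  postconf -n | audit_lmtp
for sample in "$SAMPLE_UNIX" "$SAMPLE_NET_PLAIN" "$SAMPLE_NET_TLS"; do
    printf '%s\n' "$sample" | audit_lmtp
done
```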



Re: [EXTERNAL] Re: Separating Dovecot and Postfix

2021-05-14 Thread White, Daniel E. (GSFC-770.0)[NICS]
Many thanks, Jeff.
Online documentation is not clear.  Everything implies both are necessary.

-Original Message-
From: Josef 'Jeff' Sipek 
Date: Friday, May 14, 2021 at 08:40
To: Daniel White 
Cc: "dovecot@dovecot.org" 
Subject: [EXTERNAL] Re: Separating Dovecot and Postfix

On Fri, May 14, 2021 at 12:37:15 +0000, White, Daniel E. (GSFC-770.0)[NICS] 
wrote:
> I am struggling to update a very old set of mail servers.
> Some are supposed to be relays (MTAs by my understanding) while others are
> where the mailboxes live (MDA)
> 
> In rebuilding the MDA servers, is postfix required on the same server or
> can dovecot connect to postfix on a separate MTA server ?  The old MDAs
> have both installed, but the config files are a mess.

They can live on different servers.  I have two - one with postfix and
mailman, and a second one with dovecot.  Postfix delivers mail to dovecot
via lmtp.

Jeff.



Separating Dovecot and Postfix

2021-05-14 Thread White, Daniel E. (GSFC-770.0)[NICS]
I am struggling to update a very old set of mail servers.
Some are supposed to be relays (MTAs by my understanding) while others are 
where the mailboxes live (MDA)

In rebuilding the MDA servers, is postfix required on the same server or can 
dovecot connect to postfix on a separate MTA server ?  The old MDAs have both 
installed, but the config files are a mess.



Re: disable pop3 ports?

2021-05-04 Thread Jean-Daniel
Not sure what distribution you are using, but some distributions provide 
a distinct package for dovecot-pop, so removing it may be enough.

This package's main purpose is to install a file in 
/usr/share/dovecot/protocols.d/ which is then imported in the config by a line 
like "!include_try /usr/share/dovecot/protocols.d/*.protocol"

Also, make sure "doveconf protocols" does not include pop3

Presence of service pop3-login, service pop3 in config should not be enough to 
start listening on pop3 ports.



> On 4 May 2021 at 06:40, Dan Egli  wrote:
> 
> I admit I don't quite understand dovecot's config yet, but this is driving me 
> batty. I was looking at my server and noticed that dovecot was listening on 
> the pop3 ports (110/TCP). Since I do not use pop3 at all, nor does anyone who 
> has ever or ever will connect to the server, that seems like a needless 
> waste. So I went through the config files and commented out every reference 
> to pop3 in them. But when I restart dovecot, it STILL opens a listener on 
> 110. How do I fix this? The ONLY external ports I want dovecot listening to 
> are imap4 and imap4s.
> 
> Thanks!
> 
> -- 
> Dan Egli
> From my Test Server
> 
> 
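
Added example (not part of the original messages): the three checks suggested in the reply above, as shell functions. They look for a protocols.d drop-in that enables pop3, test the effective `protocols` value, and list TCP ports that dovecot listens on outside an allowlist. The drop-in file name and content used in testing and the `ss` sample are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Sample data below is constructed.

# protocol_dropins DIR PROTO: print every *.protocol drop-in in DIR whose
# "protocols =" line enables PROTO (such files are pulled in by !include_try).
protocol_dropins() {
    dir=$1
    proto=$2
    for f in "$dir"/*.protocol; do
        [ -f "$f" ] || continue
        if grep -Eq "^[[:space:]]*protocols[[:space:]]*=(.*[[:space:]])?${proto}([[:space:]]|\$)" "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# protocol_enabled VALUE PROTO: succeed if PROTO is in the effective setting.
# VALUE is the output of `doveconf protocols`, with or without "protocols = ".
protocol_enabled() {
    val=${1#protocols = }
    case " $val " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# unexpected_ports "ALLOWED": read `ss -ntlp` output on stdin and print the
# TCP ports dovecot listens on that are not in the space-separated allowlist.
unexpected_ports() {
    allowed=" $1 "
    awk '$1 == "LISTEN" && /"dovecot"/ { n = split($4, a, ":"); print a[n] }' |
    sort -un |
    while read -r port; do
        case "$allowed" in
            *" $port "*) ;;
            *) printf '%s\n' "$port" ;;
        esac
    done
}

# Constructed sample of `ss -ntlp` output (run as root on a real host so the
# process column is populated).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      100    0.0.0.0:143        0.0.0.0:*         users:(("dovecot",pid=2572,fd=39))
LISTEN 0      100    0.0.0.0:110        0.0.0.0:*         users:(("dovecot",pid=2572,fd=26))
LISTEN 0      100    [::]:993           [::]:*            users:(("dovecot",pid=2572,fd=42))
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=801,fd=3))'

# Demo on the constructed sample; on a real host run instead:
#   protocol_dropins /usr/share/dovecot/protocols.d pop3
#   protocol_enabled "$(doveconf protocols)" pop3 && echo "pop3 still enabled"
#   ss -ntlp | unexpected_ports "143 993"
printf '%s\n' "$SAMPLE_SS" | unexpected_ports "143 993"
```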



Re: Installation Question: Is a web server required ?

2021-04-28 Thread White, Daniel E. (GSFC-770.0)[NICS]
If you push the car off a cliff, it will fly for a few seconds.
Thanks for responding.

-Original Message-
From: dovecot  on behalf of Benny Pedersen 

Organization: junc.eu
Date: Wednesday, April 28, 2021 at 13:43
To: "dovecot@dovecot.org" 
Subject: [EXTERNAL] Re: Installation Question: Is a web server required ?

On 2021-04-28 19:28, White, Daniel E. (GSFC-770.0)[NICS] wrote:
> Can Dovecot be installed with Postfix and without being behind a web 
> server ?
> 
> I want a mail service that can only be accessed by POP3(s)/IMAP(s) and
> not by a web UI.

can a car fly without gasoline ? :=)

none of the above software require x11

not even roundcube



Re: Installation Question: Is a web server required ?

2021-04-28 Thread White, Daniel E. (GSFC-770.0)[NICS]
Thanks.
That is what we want.  Just mail, no extras

-Original Message-
From: dovecot  on behalf of Heiko Schlittermann 

Organization: schlittermann -- internet & unix support
Date: Wednesday, April 28, 2021 at 13:36
To: 
Subject: [EXTERNAL] Re: Installation Question: Is a web server required ?

White, Daniel E. (GSFC-770.0)[NICS]  (Wed 28 Apr 2021 19:28:41 CEST):
> Can Dovecot be installed with Postfix and without being behind a web 
server ?
Yes.

> I want a mail service that can only be accessed by POP3(s)/IMAP(s) and 
not by a web UI.
Dovecot is a pure POP3/IMAP server. No Web-UI is required/provided.

(I think, there are other "modules" planned or working already, like
calendar or such. But maybe I'm confusing this with alternative mail
access server software.)

-- 
Heiko



Re: [EXTERNAL] Re: Installation Question: Is a web server required ?

2021-04-28 Thread White, Daniel E. (GSFC-770.0)[NICS]
Excellent.
The documentation is not clear about this.
We want the email users to use POP/IMAP clients.

Many thanks.

-Original Message-
From: Shaun Johnson 
Organization: LinuxMagic Inc.
Date: Wednesday, April 28, 2021 at 13:33
To: Daniel White 
Cc: "dovecot@dovecot.org" 
Subject: [EXTERNAL] Re: Installation Question: Is a web server required ?

On Wed, 28 Apr 2021 17:28:41 +
    "White, Daniel E. (GSFC-770.0)[NICS]"  wrote:

> Can Dovecot be installed with Postfix and without being behind a web
> server ?
> 
> I want a mail service that can only be accessed by POP3(s)/IMAP(s)
> and not by a web UI.
> 
> Thanks.
> 
> 
> 

Most definitely - web server is only required if you wanted things like
webmail access - or any type of management interface.  



Installation Question: Is a web server required ?

2021-04-28 Thread White, Daniel E. (GSFC-770.0)[NICS]
Can Dovecot be installed with Postfix and without being behind a web server ?

I want a mail service that can only be accessed by POP3(s)/IMAP(s) and not by a 
web UI.

Thanks.





Re: systemd timeout on startup after upgrade

2021-04-18 Thread Jean-Daniel


> On 18 Apr 2021 at 08:22, Felix Zielcke  wrote:
> 
> On Sunday, 18.04.2021 at 08:17 +0200, Jean-Daniel wrote:
>> systemd doesn’t need pid files, and the executable must be started
>> without forking.
>> 
>> 
>> Can you show us the content of the system dovecot.service file. As
>> long as it contains this line, it should be fine:
>> 
>> Type=simple
>> ExecStart=/usr/sbin/dovecot -F
> 
> Just before I saw your mail, I found now a solution.
> 
> The original dovecot.service has this:
> 
> [Service]
> Type=notify
> ExecStart=/usr/sbin/dovecot -F
> 
> which according to systemd.service man page needs a sd_notify() call
> from the running process. So somehow this is broken now?
> 
> I changed it to the following and now it works:
> 
> [Service]
> Type=forking
> ExecStart=/usr/sbin/dovecot
> 
> 
> 
> I don't know that much about systemd what of forking/exec/simple would
> be the best one.
> 

The forking type exists mainly for compatibility with executables that are not 
able to start without forking.

When an executable has a "foreground" mode, it is usually recommended to use 
it instead.

The snippet I posted comes from the official dovecot ubuntu distribution (from 
https://repo.dovecot.org) (that’s the one I’m using).




Re: systemd timeout on startup after upgrade

2021-04-18 Thread Jean-Daniel
systemd doesn’t need pid files, and the executable must be started without 
forking.


Can you show us the content of the system dovecot.service file. As long as it 
contains this line, it should be fine:

Type=simple
ExecStart=/usr/sbin/dovecot -F



> On 18 Apr 2021 at 07:34, Felix Zielcke  wrote:
> 
> On Sunday, 18.04.2021 at 01:04 +0200, Łukasz Szczepański wrote:
>> If systemd doesn't recognize that service has started, that mean
>> probably pid file has other location than previously.
>> You can check what systemd is doing via strace:
>> 
>> strace -s 1024 systemctl start dovecot
>> 
> 
> strace doestn't show anything about opening a pid file.
> 
> There's a few repeated of these:
> 
> 
> And then it ends in a loop with a failing
> 
> recvmsg(3, {msg_namelen=0}, MSG_DONTWAIT|MSG_CMSG_CLOEXEC) = -1 EAGAIN (Die 
> Ressource ist zur Zeit nicht verfügbar)
> 
> The strange thing is, that strace mentions then even php7.4-fpm. Which should 
> have nothing to do with the `systemctl start dovecot`?
> 
> Anyone here has a bullseye system where this works?
> Maybe I also should report this to the Debian BTS.
> 



Re: JMAP support?

2021-03-09 Thread Jean-Daniel
The HTTP API is just for doveadm and is not related in any way to JMAP AFAIK.

> On 8 March 2021 at 23:52, Philip  wrote:
> 
> Didn't JMAP get included with v2.3 with the HTTP API?
> 
> https://www.dovecot.org/list/dovecot-news/2016-March/000313.html
> 
> Or maybe that was just for admin things.
> 
> Phil
> 
> On 09/03/2021 11:26, @lbutlr wrote:
>> On 08 Mar 2021, at 14:04, Leonardo Rodrigues  
>> wrote:
>>> On 08/03/2021 at 16:43, @lbutlr wrote:
>>>> On 08 Mar 2021, at 02:15, Mark Constable  wrote:
>>>> There doesn't seem to be much interest in JMAP ou there, which means it is 
>>>> going to be pretty hard to get something working well unless you write it 
>>>> yourself.
>>> Or sponsor its development, if the OP is so interested on it!
>> I checked and Roundcube-next appears to be a dead project, so I'd really not 
>> hold out much hope.
>> 


Dovecot cannot access mailcrypt decryption key

2020-11-30 Thread Daniel Niewerth
Hello everyone,

I have a problem with MailCrypt on my Dovecot installation.
I have two Dovecot servers with Maildir on a shared filesystem.
In front of the servers is a dovecot director, so that the connections of a user are always directed to the same backend server.

The setup worked fine for almost a year.
Since a few weeks I have the occasional problem with my primary mailbox that Dovecot cannot access the decryption key.

So far I have always solved the problem by restoring the servers completely from the last backup.
Of course this is not a proper solution.

The following message appears in the logfile:

Nov 30 10:56:11 vsrv-dus6-mta01 dovecot: imap(daniel@xxx)<26699>: Error: Mailbox INBOX: UID=15338: read() failed: read(/var/vmail/mailboxes/xxx/daniel/mail/cur/1606576233.M400743P1901.vsrv-dus6-mta01,S=1958,W=2004:2,) failed: Decryption error: no private key available
Nov 30 10:58:39 vsrv-dus6-mta01 dovecot: imap(daniel@xxx)<26788>: Error: Mailbox INBOX: UID=15338: read() failed: read(/var/vmail/mailboxes/xxx/daniel/mail/cur/1606576233.M400743P1901.vsrv-dus6-mta01,S=1958,W=2004:2,) failed: Decryption error: no private key available
Nov 30 10:58:42 vsrv-dus6-mta01 dovecot: imap(daniel@xxx)<26792>: Error: Mailbox INBOX: UID=15338: read() failed: read(/var/vmail/mailboxes/xxx/daniel/mail/cur/1606576233.M400743P1901.vsrv-dus6-mta01,S=1958,W=2004:2,) failed: Decryption error: no private key available

The file "dovecot-attributes" exists and has not been changed according to the timestamp. I can open the file and view its contents.

root@vsrv-dus6-mta01:~# ls -lh /var/vmail/mailboxes/xxx/daniel/Maildir/
total 7,5K
-rw--- 1 vmail vmail 7,3K Jan 27  2020 dovecot-attributes
root@vsrv-dus6-mta01:~#

When I run "doveadm mailbox cryptokey list" it returns an empty result.

root@vsrv-dus6-mta01:~# doveadm mailbox cryptokey list -u daniel@xxx -U
doveadm(daniel@xxx): Warning: mailbox cryptokey list: Nothing was matched. Use -U or specify mask?
Folder Active Public ID
root@vsrv-dus6-mta01:~#

root@vsrv-dus6-mta01:~# doveadm mailbox cryptokey list -u sabine@xxx -U
Folder Active Public ID
       yes    xxx
root@vsrv-dus6-mta01:~#

Can anyone tell me anything about the problem?

My Dovecot version:

root@vsrv-dus6-mta01:~# dovecot --version
2.3.11.3 (502c39af9)
root@vsrv-dus6-mta01:~#

Best regards
Daniel



Re: Recovering expunged but not purged e-mails from mdbox with zlib compression

2020-11-10 Thread Daniel Schütze

Dear Aki

Thank you again.

Running

doveadm -Dv -o 
maillocation=mdbox_deleted:/usr/home/vmail/mail/username/mdbox/storage/file 
fetch -u username text all


Does dump messages out.

However the messages do not include two messages which are present in 
the mdbox file and which I recovered by hand and so am using as a test 
to see if I can extract them effectively.  These were in the Drafts 
mailbox so I've also run the command with mailbox Drafts at the end.


The output seems to be just dumping messages which are not expunged!

Daniel Schütze
Director

--

CWA International Ltd
5th Floor, 42 Trinity Square
London
EC3N 4DJ

(t) + 44 (0)20 7242 8444
(e) d...@cwa.uk.com
(w) http://www.cwa.international/
On 10/11/20 18:16, Aki Tuomi wrote:

On 10/11/2020 20:07 Daniel Schütze  wrote:


Dear Aki
Thank you. Unfortunately I'm struggling to get the right syntax for this as it 
looks like someone else was here too
https://dovecot.org/pipermail/dovecot/2018-July/112441.html
The location in my dovecot.conf is

mdbox:%%h/mdbox:INDEX=/indexdisk/indexes/%%n:INDEXPVT=~/mdbox/shared/%%n

This syntax is for accessing shared folders.

You probably should try

doveadm -Dv -o mail_location=mdbox_deleted:/path/to/mdbox fetch -u victim text 
ALL


I'm trying to fetch a message (for testing purposes now) based on its guid as 
that is available from doveadm dump.
So my syntax is (based on the previous person who didn't get it to work).

doveadm -o 
"mail_location=mdbox_deleted:%%h/mdbox:INDEX=/indexdisk/indexes/%%n:INDEXPVT=~/mdbox/shared/%%n"
 fetch "body" guid (msg.guid from doveadm dump)


Doveadm does not support var expand, so this will not work. See above for 
syntax.


But that's getting no response. I've tried putting in the hard path in case 
there is any trouble with the %%h etc but that doesn't help either.
I've also tried the fetch with the subject of a known deleted message and also 
adding mailbox Drafts (as I know that's where it is or rather was) but to no 
avail.
Given doveadm dump gives msg.uid and no subject I'd prefer to use that in any 
case.
There are no error messages, I do wish doveadm was a little more verbose to 
help over these bumps!

Any chance of a helping hand?





Aki




Daniel Schütze
  Director
  
  --
  
  CWA International Ltd

  5th Floor, 42 Trinity Square
  London
  EC3N 4DJ
  
  (t) + 44 (0)20 7242 8444

  (e) d...@cwa.uk.com
  (w) http://www.cwa.international/
On 10/11/20 10:53, Aki Tuomi wrote:


You can use mdbox_deleted driver to access mails with refcount 0. See
https://wiki2.dovecot.org/MailboxFormat/dbox

Aki

On 10.11.2020 12.42, Daniel Schütze wrote:


Yesterday I had to recover an e-mail which a user had deleted.  If I
understand this correctly the message was expunged but not purged
(doveadm purge had not been run).

This e-mail was clearly still in the mdbox stored with zlib
compression as I could tell using the doveadm dump command (doveadm
dump -t dbox filename).

I could however not reveal the e-mail with the normal doveadm fetch -u
username "body" guid (guid from dump output)

In the end I was able to recover the e-mail by cutting it out from the
mdbox and running gunzip over it, but this method was very fiddly and
would not have worked for a bulk job.  I appreciate I could have just
deleted the index files and gotten all the deleted messages back by
having the index rebuilt but that would have been the proverbial
"hammer to crack a nut".

Fortunately this e-mail had no attachment for me to worry about, as
those are also detached for sis by dovecot.

Can anyone tell me of a quick and easy way to recover one or multiple
e-mails marked as expunged but not purged which are stored in a mdbox
with zlib compression?  I'm sure I'll have to do this again the future
and my method wouldn't work with a folder!

Clearly if I was not using zlib compression I could just have read the
contents of the mdbox without any complication.


--
Daniel Schütze
Director

--

CWA International Ltd
5th Floor, 42 Trinity Square
London
EC3N 4DJ

(t) + 44 (0)20 7242 8444
(e) d...@cwa.uk.com
(w) http://www.cwa.international/



Re: Recovering expunged but not purged e-mails from mdbox with zlib compression

2020-11-10 Thread Daniel Schütze

Dear Aki

Thank you.  Unfortunately I'm struggling to get the right syntax for 
this as it looks like someone else was here too


https://dovecot.org/pipermail/dovecot/2018-July/112441.html

The location in my dovecot.conf is

mdbox:%%h/mdbox:INDEX=/indexdisk/indexes/%%n:INDEXPVT=~/mdbox/shared/%%n

I'm trying to fetch a message (for testing purposes now) based on its 
guid as that is available from doveadm dump.


So my syntax is (based on the previous person who didn't get it to work).

doveadm -o 
"mail_location=mdbox_deleted:%%h/mdbox:INDEX=/indexdisk/indexes/%%n:INDEXPVT=~/mdbox/shared/%%n" 
fetch "body" guid (msg.guid from doveadm dump)


But that's getting no response.  I've tried putting in the hard path in 
case there is any trouble with the %%h etc but that doesn't help either.


I've also tried the fetch with the subject of a known deleted message 
and also adding mailbox Drafts (as I know that's where it is or rather 
was) but to no avail.


Given doveadm dump gives msg.uid and no subject I'd prefer to use that 
in any case.


There are no error messages, I do wish doveadm was a little more verbose 
to help over these bumps!


Any chance of a helping hand?




Daniel Schütze
Director

--

CWA International Ltd
5th Floor, 42 Trinity Square
London
EC3N 4DJ

(t) + 44 (0)20 7242 8444
(e) d...@cwa.uk.com
(w) http://www.cwa.international/
On 10/11/20 10:53, Aki Tuomi wrote:

You can use mdbox_deleted driver to access mails with refcount 0. See
https://wiki2.dovecot.org/MailboxFormat/dbox

Aki

On 10.11.2020 12.42, Daniel Schütze wrote:

Yesterday I had to recover an e-mail which a user had deleted.  If I
understand this correctly the message was expunged but not purged
(doveadm purge had not been run).

This e-mail was clearly still in the mdbox stored with zlib
compression as I could tell using the doveadm dump command (doveadm
dump -t dbox filename).

I could however not reveal the e-mail with the normal doveadm fetch -u
username "body" guid (guid from dump output)

In the end I was able to recover the e-mail by cutting it out from the
mdbox and running gunzip over it, but this method was very fiddly and
would not have worked for a bulk job.  I appreciate I could have just
deleted the index files and gotten all the deleted messages back by
having the index rebuilt but that would have been the proverbial
"hammer to crack a nut".

Fortunately this e-mail had no attachment for me to worry about, as
those are also detached for sis by dovecot.

Can anyone tell me of a quick and easy way to recover one or multiple
e-mails marked as expunged but not purged which are stored in a mdbox
with zlib compression?  I'm sure I'll have to do this again the future
and my method wouldn't work with a folder!

Clearly if I was not using zlib compression I could just have read the
contents of the mdbox without any complication.


--
Daniel Schütze
Director

--

CWA International Ltd
5th Floor, 42 Trinity Square
London
EC3N 4DJ

(t) + 44 (0)20 7242 8444
(e) d...@cwa.uk.com
(w) http://www.cwa.international/


Recovering expunged but not purged e-mails from mdbox with zlib compression

2020-11-10 Thread Daniel Schütze
Yesterday I had to recover an e-mail which a user had deleted. If I 
understand this correctly the message was expunged but not purged 
(doveadm purge had not been run).


This e-mail was clearly still in the mdbox stored with zlib compression 
as I could tell using the doveadm dump command (doveadm dump -t dbox 
filename).


I could however not reveal the e-mail with the normal doveadm fetch -u 
username "body" guid (guid from dump output)


In the end I was able to recover the e-mail by cutting it out from the 
mdbox and running gunzip over it, but this method was very fiddly and 
would not have worked for a bulk job.  I appreciate I could have just 
deleted the index files and gotten all the deleted messages back by 
having the index rebuilt but that would have been the proverbial "hammer 
to crack a nut".


Fortunately this e-mail had no attachment for me to worry about, as 
those are also detached for sis by dovecot.


Can anyone tell me of a quick and easy way to recover one or multiple 
e-mails marked as expunged but not purged which are stored in a mdbox 
with zlib compression?  I'm sure I'll have to do this again the future 
and my method wouldn't work with a folder!


Clearly if I was not using zlib compression I could just have read the 
contents of the mdbox without any complication.



--
Daniel Schütze
Director

--

CWA International Ltd
5th Floor, 42 Trinity Square
London
EC3N 4DJ

(t) + 44 (0)20 7242 8444
(e) d...@cwa.uk.com
(w) http://www.cwa.international/
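
The manual method described in this post (cutting the message out of the mdbox file and running gunzip over it) can be done in bulk by scanning a copy of the storage file for complete gzip streams. The following is an added example, not part of the original post and not Dovecot code; it assumes the messages were saved as gzip streams, as the use of gunzip implies, and the sample file it builds is constructed. It does not read the dbox metadata and does not reattach attachments that were detached for SIS.

```python
"""Carve complete gzip streams out of a storage file and list the mails inside."""
import gzip
import sys
import zlib
from email import message_from_bytes

GZIP_MAGIC = b"\x1f\x8b\x08"  # ID1, ID2, CM=deflate (RFC 1952)


def carve_gzip_streams(blob):
    """Return [(offset, plaintext)] for every complete, CRC-valid gzip stream."""
    found = []
    pos = 0
    while True:
        start = blob.find(GZIP_MAGIC, pos)
        if start == -1:
            return found
        # wbits = 16 + MAX_WBITS: expect a gzip header and verify the CRC32 trailer.
        inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)
        try:
            plaintext = inflater.decompress(blob[start:])
        except zlib.error:
            pos = start + 1  # the magic bytes occurred by chance
            continue
        if not inflater.eof:
            pos = start + 1  # stream is cut short: do not emit a partial mail
            continue
        found.append((start, plaintext))
        # Resume right after the bytes this stream consumed.
        pos = len(blob) - len(inflater.unused_data)


def describe(plaintext):
    """Pull out the headers needed to pick the right mail from the carved set."""
    msg = message_from_bytes(plaintext)
    return {
        "subject": msg.get("Subject"),
        "message_id": msg.get("Message-ID"),
        "size": len(plaintext),
    }


def constructed_sample():
    """Constructed input: two intact streams, one chance match, one truncated."""
    draft = (b"Subject: Quarterly draft\r\n"
             b"Message-ID: <draft-1@example.test>\r\n\r\nbody one\r\n")
    note = (b"Subject: Lunch\r\n"
            b"Message-ID: <note-2@example.test>\r\n\r\nbody two\r\n")
    cut = gzip.compress(b"Subject: cut off\r\n\r\nlost\r\n", mtime=0)[:20]
    return (
        b"placeholder file header\n"      # stands in for the real file header
        + gzip.compress(draft, mtime=0)
        + b"\nplaceholder metadata\n"     # stands in for per-message metadata
        + GZIP_MAGIC + b"not a real stream"
        + gzip.compress(note, mtime=0)
        + cut
    )


if __name__ == "__main__":
    # Work on a copy of the storage file, never on the live mail store.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as handle:
            data = handle.read()
    else:
        data = constructed_sample()
    for offset, mail in carve_gzip_streams(data):
        print(offset, describe(mail))
```
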


Re: Feature request.

2020-10-10 Thread Jean-Daniel



> Le 10 oct. 2020 à 11:38, @lbutlr  a écrit :
> 
> On 09 Oct 2020, at 02:16, Rogier Wolff  wrote:
>> It turns out that dovecot had been running uninterrupted since august
>> 13th, the certificate was renewed on september 7th and I suspect it
>> expired on october 7th.
> 
> The ACME protocol that LE uses has a specific feature for specifying a script 
> to run after a certificate updates. One of the common things to do in these 
> scripts is to restart services like apache and dovecot so they see the new 
> certs. Other common actions are copying the certs to specific locations on 
> the system (like, say, into jails) or even to other hardware.
> 
> This is the best, most reliable, and least fiddly solution.
> 


The ACME protocol does not care about scripts run on renewal, as it only specifies the 
network exchange between the ACME client and the ACME server. 
Running a hook script on renewal is the responsibility of each ACME client, and so 
is specific to the client you are using.

All clients have their own way to do it:
- certbot.
- acmebot
- acmetool (which may be a good solution for people who don’t like dependencies 
installed by other solutions as this is a standalone binary)
- Kubernetes CertManager.


Just check the doc for the one you are using.



Re: Shared mailboxes setups and dictionaries

2020-09-15 Thread Daniel Miller

On 9/15/2020 10:07 AM, Matej Tyc wrote:

On 14. 09. 20 22:46, Daniel Miller wrote:

On 9/14/2020 1:19 PM, Matej Tyc wrote:

...

When learning about how ACL work in e.g. 
[...] so I can't use 
it to reverse-engineer the correct syntax.




The global ACLs are...global. They apply to all matching mailboxes 
system-wide. So to answer your question, yes "* user=foo lrw" means 
all mailboxes of all accounts are shared to the user foo. But...


Great, what about the format itself? Is it 
//? The documentation brings up, i.e. 
/j...@example.com/* shares all mailboxes of John from the example.com 
domain? Or have I overlooked a documentation page where the syntax is 
introduced?


No. You need to read the docs again:
   https://doc.dovecot.org/settings/plugin/acl/

Global ACLs live in their own little space - either filesystem based or 
file based. You specify who is *granted* global access - and the level 
of that global access applies system-wide. So if you grant 
"j...@example.com" global read/write access to all Inboxes - John will 
be able to access every Inbox of every user (however, he might not know 
that a given inbox exists - without explicit configuration or explicit 
sharing which updates the dictionary).


Next what https://wiki.dovecot.org/SharedMailboxes/Shared and 
https://wiki.dovecot.org/Dictionary describe is a possibility to 
reference LDAP data to define an ACL dictionary. Do I understand it 
correctly that if a LDAP database is the single source of truth, then 
I don't have to worry about updating dictionaries as long as LDAP 
itself is up-to-date, but I have to keep ACLs and LDAP in sync 
manually (or using an application)?
Again, a dictionary is a list of shared mailboxes - not ACL's. You can 
use any dictionary source Dovecot can read from - but if the 
dictionary also supports writing then any manipulation of ACLs will 
automatically update the dictionary.


What the above implies, and I will now state explicitly, is that while 
global ACLs provide *access* they do not *publish* that access. A 
dictionary must be manually updated to list those mailboxes.


What I understand is that ACLs are purely filesystem-based, i.e. no LDAP 
backend, and one has to sync LDAP to respective ACLs "manually".


If I follow what you have said, one could have an equal result with a 
database, syncing ACLs "manually" from LDAP, and doveadm will make sure 
that the database backend will be up-to-date.


First, I provide the disclaimer that I don't use LDAP. I had it years 
ago and I'm quite happy to leave it behind. So I can't give you current 
LDAP/Dovecot experience. However, a quick read of the page you reference 
shows LDAP is read-only. Which means while you could theoretically use 
LDAP for a global ACL source - trying to use it for per-user shares 
would require quite a bit of manual effort for every change. I believe 
the technical term for such a setup is "masochistic".


I totally understand the desire to have a single database for general 
config purposes - however I think you're trying to use a power drill as 
a hammer. Leave your authentication database, i.e. LDAP, alone and let 
your mail server do its thing. Consider the mail store an entity as a 
whole - not just the messages, but the format, the folder structure, and 
the ACLs as a "black box" and I think you'll save yourself a lot of 
frustration. Dovecot (in my own uninformed opinion) is designed to be 
(mostly) autonomous and file-based - any database support is just for 
user/passwords and leave it at that.


If you want per-user shares just use the example at the top of the wiki 
page. From my own config:


plugin {
acl = vfile
acl_shared_dict = file:/var/mail/%d/shared-mailboxes
}

based on a mail_location of "sdbox:/var/mail/%d/%n/sdbox".

--
Daniel



Re: Shared mailboxes setups and dictionaries

2020-09-14 Thread Daniel Miller

On 9/14/2020 1:19 PM, Matej Tyc wrote:

Hello,

I am relatively new to the world of MTAs and MDAs, and I try to set up 
shared mailboxes.


So far I have somehow succeeded - I have defined a shared namespace and 
I have managed to create per-mailbox ACL files thanks to the doveadm 
command.


However, I have been following these resources and there were bits that 
have puzzled me:


When learning about how ACL work in e.g. 
https://doc.dovecot.org/settings/plugin/acl/ - when one wishes to use 
the Global ACL file, how does one link it to a particular user's 
mailboxes? Examples that are listed in the documentation are far too 
generic. For example does "* user=foo lrw" imply that all mailboxes of 
all accounts are shared to the user foo? The doveadm command works only 
if dovecot is set up with per-mailbox ACL files, so I can't use it to 
reverse-engineer the correct syntax.




The global ACLs are...global. They apply to all matching mailboxes 
system-wide. So to answer your question, yes "* user=foo lrw" means all 
mailboxes of all accounts are shared to the user foo. But...


An interesting aspect to ACLs are dictionaries. I understood it as some 
kind of cache - if there is no dictionary or it is empty, then shared 
mailboxes don't work. Conversely, dictionary itself is not enough, one 
needs actual ACLs set up correctly. Is this a correct understanding?


The ACLs grant/deny access to a specific mailbox - when that mailbox is 
known to the client. But ACLs are never scanned or iterated over to 
generate a list of available mailboxes - that's where the dictionary 
comes in. The dictionary is a list of shared mailboxes - but that's all 
it is. So when a client queries the server for a list of available 
mailboxes the dictionary is consulted. The ACLs are then applied for 
each transaction whenever a client tries to read/write/access/whatever a 
specific mailbox. So theoretically, if you can manually specify the 
shared mailbox correctly, no dictionary is required for access.




Next what https://wiki.dovecot.org/SharedMailboxes/Shared and 
https://wiki.dovecot.org/Dictionary describe is a possibility to 
reference LDAP data to define an ACL dictionary. Do I understand it 
correctly that if a LDAP database is the single source of truth, then I 
don't have to worry about updating dictionaries as long as LDAP itself 
is up-to-date, but I have to keep ACLs and LDAP in sync manually (or 
using an application)?


Again, a dictionary is a list of shared mailboxes - not ACL's. You can 
use any dictionary source Dovecot can read from - but if the dictionary 
also supports writing then any manipulation of ACLs will automatically 
update the dictionary.


What the above implies, and I will now state explicitly, is that while 
global ACLs provide *access* they do not *publish* that access. A 
dictionary must be manually updated to list those mailboxes.


--
Daniel



dbox alternate storage and archived namespace

2020-09-09 Thread Daniel Miller
This may (and probably does) come under the heading of "really dumb 
ideas", but...


Before I develop this further I need to ask - is it possible to have a 
"primary" mail_location using single-dbox with an alternate storage 
using multi-dbox? This is *not* the same as different storages for 
different namespaces (already have that).

--
Daniel



Fwd: Dsync replication - delayed replication (Sync lock)

2020-09-07 Thread Daniel Botting

Dear Sirs,

Further to my last email have any list members seen this before and are 
able to offer advice on how to resolve this please.


I should note as well that we are running Dovecot from the upstream 
Debian packages at https://repo.dovecot.org/ce-2.3-latest/debian/buster .


Kind regards

Daniel



 Forwarded Message 
Subject:Dsync replication - delayed replication (Sync lock)
Date:   Tue, 1 Sep 2020 16:17:15 +0100
From:   Daniel Botting 
To: dovecot@dovecot.org



Hi,

*Our setup:*

Two Debian 10 machines that are setup to replicate mail between them, we 
have round robin DNS setup so a user can connect to either server.


*What should happen:*

Mail is delivered to either server and replicated across straight away 
to their mailbox on the other server so it does not matter which one 
they are connected to they will receive it fairly soon after delivery.


*What actually happens:*

In some instances the user will experience a delayed receipt of messages 
if they are not connected to the server that the message is initially 
delivered to, sometimes the delay is 5/10 minutes, we had a recent 
support ticket submitted where it was over an hour.


Error message seen in mail.err:

Sep  1 10:16:15  dovecot: 
dsync-local(): Error: Couldn't lock 
/path/to/mailbox/.dovecot-sync.lock: 
fcntl(/path/to/mailbox/.dovecot-sync.lock, write-lock, F_SETLKW) locking 
failed: Timed out after 30 seconds (WRITE lock held by pid 3697)


Process 3697 is dovecot/doveadm-server.

*Doveconf -n output:*

# 2.3.10.1 (a3d0e1171): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.10 (67bf5bd7)
# OS: Linux 4.19.0-10-amd64 x86_64 Debian 10.5
# Hostname: 
auth_verbose = yes
default_vsz_limit = 0
doveadm_password = # hidden, use -P to show it
first_valid_gid = 8
first_valid_uid = 8
last_valid_gid = 8
last_valid_uid = 8
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
mail_gid = 8
mail_location = maildir:~/Maildir
mail_plugins = " notify replication"
mail_uid = 8
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext editheader imapflags
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
 }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
plugin {
  mail_replica = tcps::
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
  sieve_extensions = +editheader +imapflags
}
postmaster_address = postmaster@
protocols = " imap sieve pop3"
replication_max_conns = 12
service aggregator {
  fifo_listener replication-notify-fifo {
    user = mail
  }
  unix_listener replication-notify {
    user = mail
  }
}
service auth {
  unix_listener /var/run/dovecot-exim-bridge {
    mode = 0660
    user = Debian-exim
  }
}
service doveadm {
  inet_listener {
    port = 
    ssl = yes
  }
}
service imap-login {
  inet_listener imap {
    port = 143
  }
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
  process_limit = 512
  process_min_avail = 4
  service_count = 1
}
service imap {
  process_limit = 1024
}
service managesieve-login {
  inet_listener sieve {
    port = 
  }
  process_min_avail = 1
  service_count = 8
  vsz_limit = 256 M
}
service managesieve {
  process_limit = 1024
}
service replicator {
  process_min_avail = 1
  unix_listener replicator-doveadm {
    mode = 0666
  }
}
ssl = required
ssl_cert = 

Dsync replication - delayed replication (Sync lock)

2020-09-01 Thread Daniel Botting

Hi,

*Our setup:*

Two Debian 10 machines that are setup to replicate mail between them, we 
have round robin DNS setup so a user can connect to either server.


*What should happen:*

Mail is delivered to either server and replicated across straight away 
to their mailbox on the other server so it does not matter which one 
they are connected to they will receive it fairly soon after delivery.


*What actually happens:*

In some instances the user will experience a delayed receipt of messages 
if they are not connected to the server that the message is initially 
delivered to, sometimes the delay is 5/10 minutes, we had a recent 
support ticket submitted where it was over an hour.


Error message seen in mail.err:

Sep  1 10:16:15  dovecot: 
dsync-local(): Error: Couldn't lock 
/path/to/mailbox/.dovecot-sync.lock: 
fcntl(/path/to/mailbox/.dovecot-sync.lock, write-lock, F_SETLKW) locking 
failed: Timed out after 30 seconds (WRITE lock held by pid 3697)


Process 3697 is dovecot/doveadm-server.

*Doveconf -n output:*

# 2.3.10.1 (a3d0e1171): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.10 (67bf5bd7)
# OS: Linux 4.19.0-10-amd64 x86_64 Debian 10.5
# Hostname: 
auth_verbose = yes
default_vsz_limit = 0
doveadm_password = # hidden, use -P to show it
first_valid_gid = 8
first_valid_uid = 8
last_valid_gid = 8
last_valid_uid = 8
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
mail_gid = 8
mail_location = maildir:~/Maildir
mail_plugins = " notify replication"
mail_uid = 8
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext editheader imapflags
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
 }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
plugin {
  mail_replica = tcps::
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
  sieve_extensions = +editheader +imapflags
}
postmaster_address = postmaster@
protocols = " imap sieve pop3"
replication_max_conns = 12
service aggregator {
  fifo_listener replication-notify-fifo {
    user = mail
  }
  unix_listener replication-notify {
    user = mail
  }
}
service auth {
  unix_listener /var/run/dovecot-exim-bridge {
    mode = 0660
    user = Debian-exim
  }
}
service doveadm {
  inet_listener {
    port = 
    ssl = yes
  }
}
service imap-login {
  inet_listener imap {
    port = 143
  }
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
  process_limit = 512
  process_min_avail = 4
  service_count = 1
}
service imap {
  process_limit = 1024
}
service managesieve-login {
  inet_listener sieve {
    port = 
  }
  process_min_avail = 1
  service_count = 8
  vsz_limit = 256 M
}
service managesieve {
  process_limit = 1024
}
service replicator {
  process_min_avail = 1
  unix_listener replicator-doveadm {
    mode = 0666
  }
}
ssl = required
ssl_cert = 

Re: local stanza only generated for IPv6

2020-06-30 Thread Jean-Daniel


> Le 1 juil. 2020 à 06:50, Jeremy Ardley  a écrit :
> 
> I have a mail server with multiple IP addresses and associated DNS names
> 
> In the dovecot configuration I have a listen directive:
> 
> listen = mail.example.com.com,mail.otherexample.com,localhost
> 
> Multiple local stanzas are of the form:
> 
> local mail.example.com {
>   protocol imap {
>  ssl_cert =   ssl_key =  
>  service imaps_login {
>inet_listener imaps {
>  address=mail.example.com
>}
>inet_listener imap {
>  address=mail.example.com
>}
>  } 
>   }
> }
> 
> mail.example.com has IPv4 and IPv6 addresses in DNS
> 
> When I run doveconf -n the local configuration is only generated for the IPv6 
> address. I can test the operation on IPv6 using openSSL and see different 
> server certificates on different IP addresses as expected.
> 
> How do I force local generation for both IPv4 and IPv6 ?
> 
You can probably avoid using a hostname for the address directive, and instead give a 
space-separated list of the IP addresses you want to listen on.

And unless you need to disable dovecot on some interfaces, you don’t have to 
specify the listen directive, as it defaults to all IPv4 and IPv6 addresses.



Re: identify 143 vs 993 clients

2020-05-31 Thread Jean-Daniel



> Le 31 mai 2020 à 06:09, Peter  a écrit :
> 
> On 29/05/20 11:27 pm, mj wrote:
>> Thanks to all who participated in the interesting discussion.
>> It seems my initial thought might have been best after all, and 
>> discontinuing port 143 might be the safest way proceed.
> 
> Yes and no.  Some of the attack vectors mentioned are not reasonable and it 
> really depends on the client.  Thunderbird, for example, used to have 
> settings for plain text, TLS and "TLS if available", but the latter setting 
> has not been available for some time which forces the user to choose either 
> plain text or TLS at setup time now.  This means that the user would now have 
> to change the setting in their client for a downgrade attack to work.  I 
> can't speak for all MUAs but if they similarly have removed their "TLS if 
> available" option or if the users explicitly don't pick that option (you can 
> ask them not to in your setup instructions) then that type of downgrade 
> attack cannot occur.
> 
> The other possible downgrade attack which was not mentioned but is equally 
> mitigated by the client is where the MITM intercepts the connection, connects 
> to your server and issues a STARTTLS itself but presents the resulting 
> connection as plain text to the client.  This means that enforcing STARTTLS 
> on the server side will not prevent a plain text connection through a MITM 
> from the client.  But do keep in mind that if the client is configured 
> properly to only connect via TLS then it will refuse the connection if it is 
> not presented with a STARTTLS option that works.
> 
> So yes the safest way to go is to just use port 993, but as long as the 
> client is not set to a "TLS if available" option then port 143 is also safe.

I don’t think you can call an option safe if it relies on the users to properly 
configure their client. We all know that users are usually bad at following 
instructions ;-)




Re: identify 143 vs 993 clients

2020-05-29 Thread Jean-Daniel


> Le 29 mai 2020 à 11:17, Stuart Henderson  a écrit :
> 
> On 2020-05-26, mj  wrote:
>> Hi,
>> 
>> On 25/05/2020 23:04, Voytek wrote:
>>> jumping here with a question, if I use 143 with STARTTLS, and, force
>>> TLS/SSL in configuration, that's equivalent from security POV, isn't
>>> it? and, same for 110 STARTTLS? Or am I missing something?
>> Interesting point, after some googling, I think you are right, and as 
>> long as we have set "disable_plaintext_auth = yes" (and we have that) we 
>> should be fine keeping 143 open. Right?
> 
> In the case of 143, nothing stops the client *sending* a plaintext login
> request. Login may be denied, but the password is already leaked. Also
> if you have only the server side (not the client side) deny plaintext
> logins, a MITM can just strip off the STARTSSL capability from the server
> response.

And doing that it can as easily inject a LOGIN capability, making non-broken 
clients also send the password in plain text. (Only a broken client will send the 
password if LOGIN is not present).

That’s why this RFC exists: https://tools.ietf.org/html/rfc8314 


> In a setting where you want to protect the clients from accidentally
> exposing secrets by misconfiguration, allowing only 993/995 (and 465 for
> SMTP; 25/587 have the same problem) is the safe way.

Port 25 is a special case and should never be used by clients, but only for 
(unauthenticated) server to server communication.
There is no way to use implicit TLS for SMTP as the SMTP transport MX 
infrastructure has no way to specify a port.

Clients should always use the submission port (587, or 465 for submission over 
TLS).
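
The advice in this thread, to allow only the implicit-TLS ports, can be checked against a server's configuration. The following is an added example, not part of the original message and not Dovecot code: it parses text in the format printed by doveconf -n and lists the IMAP and POP3 login listeners that do not start in TLS. Both sample configurations are constructed, and it assumes that port = 0 disables a listener.

```python
"""List IMAP/POP3 login listeners that accept a connection before TLS starts."""

MAIL_LOGIN_SERVICES = {"imap-login", "pop3-login"}


def parse_blocks(text):
    """Parse 'key = value' lines and 'name arg { ... }' blocks into nested dicts."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        else:
            key, _, value = line.partition("=")
            stack[-1][key.strip()] = value.strip()
    if len(stack) != 1:
        raise ValueError("unclosed block")
    return root


def cleartext_listeners(conf):
    """Return (service, listener, port) for listeners without 'ssl = yes'."""
    findings = []
    for header, body in conf.items():
        kind, _, name = header.partition(" ")
        if kind != "service" or name not in MAIL_LOGIN_SERVICES:
            continue
        if not isinstance(body, dict):
            continue
        for sub, listener in body.items():
            sub_kind, _, sub_name = sub.partition(" ")
            if sub_kind != "inet_listener" or not isinstance(listener, dict):
                continue
            # A listener with no explicit port uses its built-in default.
            port = listener.get("port", "default")
            if port == "0":
                continue  # assumption: port = 0 disables the listener
            if listener.get("ssl", "no") != "yes":
                # STARTTLS at best: the first bytes on this port are clear text.
                findings.append((name, sub_name, port))
    return findings


# Constructed sample: 143 and 110 are open next to 993 and 995.
BEFORE = """\
ssl = required
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 110
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
"""

# Constructed sample: the same configuration with the clear-text ports disabled.
AFTER = BEFORE.replace("port = 143", "port = 0").replace("port = 110", "port = 0")

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, cleartext_listeners(parse_blocks(text)))
```
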




Re[2]: [EXT] Re: Support for MULTISEARCH

2020-05-11 Thread Daniel Miller
What client(s) use this and how? I've used virtual folders - by 
explicitly "subscribing" to them and then performing a search within 
them. By hiding the virtual folders how do you use them?


---
Daniel

-- Original Message --
From: "Joe Wong" 
To: "Aki Tuomi" 
Cc: dovecot@dovecot.org; "Peter" ; "Sami Ketola" 


Sent: 5/11/2020 4:51:14 AM
Subject: Re: [EXT] Re: Support for MULTISEARCH


On Mon, May 11, 2020 at 7:18 PM Aki Tuomi 
wrote:



 > On 11/05/2020 14:09 Joe Wong  wrote:
 >
 >
 >
 >
 >
 > On Mon, May 11, 2020 at 5:16 PM Aki Tuomi 
 wrote:
 > >
 > >  > On 11/05/2020 12:12 Joe Wong  wrote:
 > >  >
 > >  >
 > >  >
 > >  >
 > >  >
 > >  > On Sun, May 10, 2020 at 3:54 PM Sami Ketola 
 wrote:
 > >  > >
 > >  > >
 > >  > > > On 10. May 2020, at 1.51, Peter  wrote:
 > >  > > >
 > >  > > > Am 10.05.20 um 00:22 schrieb Daniel Miller:
 > >  > > >> Thank you - I'm aware of the virtual folder option and do use
 it. My interest is for a Windows client, EM Client, which I otherwise
 really enjoy. Unfortunately, they've implemented server-side searching only
 via MULTISEARCH - for reasons passing my understanding. So I was hoping to
 hear Dovecot either already had support or there were plans to implement it.
 > >  > > >
 > >  > > > Virtual folder does not scale. Thank you for naming a client
 that does multisearch!
 > >  > >
 > >  > > Virtual folder scales just fine. What makes you think it does not?
 > >  > >
 > >  > > We have customers that have users with thousand folders and
 millions of emails and still virtual folder scales.
 > >  > >
 > >  > > Sami
 > >  > >
 > >  >
 > >  > is this possible to *hide* the virtual folder from listing but make
 it SELECTable / EXAMINEable from IMAP?
 > >  >
 > >  >
 > >
 > >  namespace {
 > >  location = virtual:...
 > >  hidden = yes
 > >  }
 > >
 > >  Aki
 >
 >
 > * NAMESPACE (("" "/")) NIL NIL
 > a OK Namespace completed (0.001 + 0.000 secs).
 > a list "" "*"
 > * LIST (\HasNoChildren \UnMarked) "/" FromL3
 > * LIST (\HasNoChildren \UnMarked) "/" Apple
 > * LIST (\HasNoChildren \UnMarked) "/" JunkMail
 > * LIST (\HasNoChildren \Marked \Trash) "/" Trash
 > * LIST (\HasNoChildren \UnMarked \Drafts) "/" Drafts
 > * LIST (\HasNoChildren \Marked) "/" SENT
 > * LIST (\HasNoChildren) "/" virtual
 > * LIST (\HasNoChildren) "/" INBOX
 > a OK List completed (0.003 + 0.000 + 0.003 secs).
 >
 > It's now hidden in the namespace but I can still see it in the folder
 list, is this expected?
 >

 Sorry, forgot to say

 hidden=yes
 list=no

 Aki



thanks it is working now.

Re[2]: Support for MULTISEARCH

2020-05-09 Thread Daniel Miller
Thank you - I'm aware of the virtual folder option and do use it. My 
interest is for a Windows client, EM Client, which I otherwise really 
enjoy. Unfortunately, they've implemented server-side searching only via 
MULTISEARCH - for reasons passing my understanding. So I was hoping to 
hear Dovecot either already had support or there were plans to implement 
it.


---
Daniel

-- Original Message --
From: "Teemu Huovila" 
To: dovecot@dovecot.org
Sent: 5/8/2020 5:49:34 AM
Subject: Re: Support for MULTISEARCH



On 6.5.2020 3.57, Daniel Miller wrote:

Does Dovecot presently support the MULTISEARCH command, or are there plans to 
do so?

If you mean RFC7377, that is not supported.  ref. https://www.imapwiki.org/Specs


I would suggest evaluating if searching a single virtual folder could work for 
your use case. ref. https://doc.dovecot.org/configuration_manual/virtual_plugin/

br,
Teemu


---
Daniel

Support for MULTISEARCH

2020-05-05 Thread Daniel Miller
Does Dovecot presently support the MULTISEARCH command, or are there 
plans to do so?


---
Daniel

Shared folder replication - query - can it be replicated?

2020-05-01 Thread Daniel Botting

Hi,

Further to my earlier posting to the mailing list this morning regarding 
replicating of public namespaces is it possible that a shared name space 
can be replicated:


https://wiki.dovecot.org/SharedMailboxes/Shared

We use LDAP, the thought being that an LDAP service account is created 
and the corresponding mailbox is shared to other mail users on the server.


Kind regards

Daniel



Public folder replication ( not replicating) - roadmap query

2020-05-01 Thread Daniel Botting

Hi,

We have a server pair running Dovecot 2.3.10 (latest stable) version 
directly from repo.dovecot.org and have mailbox and sieve replication 
working as required in production.


I have setup a test pair with the exact same configuration and on each 
server setup public name space for a  mailbox address such as jobs@ 
where multiple users would need to subscribe to this to view recruitment 
emails.


This is not replicating as per the advice on the below url:

- https://wiki.dovecot.org/Replication

Is there an easily maintainable workaround at this time and is this on 
the roadmap for the developers, if so what time scale is being envisaged?


Kind regards

Daniel



Re: got a listener on 993

2020-04-14 Thread Jean-Daniel



> Le 14 avr. 2020 à 18:57, A. Schulze  a écrit :
> 
> 
> 
> Am 13.04.20 um 20:52 schrieb David Mehler:
>> Hello,
>> 
>> Before I get in to my question is ssl on 993 or starttls on 143 better
>> from a security perspective?
> 
> implicit TLS is recommended: https://tools.ietf.org/html/rfc8314#section-3

One rationale for this is to make sure broken clients don’t send clear-text 
credentials on port 143, even if STARTTLS is required.

So from a security perspective, you can consider TLS on port 943 a better 
solution.




Re: Headsup on feature removal

2020-03-29 Thread Daniel Miller

-- Original Message --

[...]
To start, the following features are likely to be removed in next few releases 
of Dovecot.
[...]
 - mailbox alias plugin

Like autocreate, autosubscribe, and expire - Is there a built-in feature 
that makes this plugin obsolete?


---
Daniel



