Re: Which DKIM application for postfix 3.9.0

2024-04-24 Thread Jean-Daniel Dupas via dovecot
Talking about completeness, you can also use rspamd (https://www.rspamd.com).
While it is designed to do more than DKIM, it can be used for it.

I have an internal mailer relay based on postfix and rspamd that works great.


> On 24 Apr 2024 at 09:40, infoomatic via dovecot wrote:
> 
> Just for completeness sake I will throw some in:
> 
> *) https://launchpad.net/dkimpy-milter
> *) https://lib.rs/crates/dkim-milter
> *) https://github.com/fastmail/authentication_milter
> 
> I have not yet had time to look at them, so no comment on their usability.
> 
> regards,
> Robert
> 
> 
> On 24.04.24 00:06, Joseph Tam via dovecot wrote:
>> On Tue, Apr 23, 2024 at 7:33 AM  wrote:
>> 
>>> I am upgrading to postfix 3.9.0. I have not used DKIM in previous postfix
>>> installs, but I would like to start now with the new google rules. I have
>>> done some research and opendkim is the most recommended, however, other
>>> research states that opendkim has been abandoned by its maintainers. So I am
>>> looking for a good alternative dkim software that will work with postfix
>>> that I can compile myself. I do not run on any linux version, so therefore
>>> I can not just apt-get a new dkim application. I run Solaris and therefore
>>> need to compile my applications, postfix and dkim.
>>> Any good suggestions will be appreciated.
>> 
>> I just rolled out a locally compiled opendkim on my mail server. It
>> works, but there are a few gotchas.
>> 
>> Although it seems like a moribund project, there is a late beta
>> version that includes some important patches, most notably the
>> "Header:\n LongHeaderValue" bug that needs fixing.  You can look at
>> 
>> https://sourceforge.net/p/opendkim/patches/
>> 
>> to find that patch, as well as others you deem important.  As DKIM standards
>> are not going to change soon, having end-of-line software is not as
>> bad as it seems unless you need particular enhancements to make it work
>> better in your circumstances. Once you get your setup dialed, you can
>> probably set it and forget it.
>> 
>> Most of the headaches have actually been internal: local mail
>> injection via sendmail would skip miltering, From header canonicalization
>> by the MTA would not be seen by the opendkim milter thereby creating
>> messages with missing or invalid signatures, and mailing list/auto
>> reply/forwarder software mangling messages.
>> 
>> I think Postfix does a better job in this regard, so these issues may
>> not present themselves.
>> (I did a Postfix/opendkim milter on an Ubuntu system and it was much
>> less hassle.)
>> 
>> You should look at *lots* of DMARC RUA reports.  People are doing crazy
>> batsh*t stuff with your mail domain.
>> 
>> Joseph Tam 
>> ___
>> dovecot mailing list -- dovecot@dovecot.org
>> To unsubscribe send an email to dovecot-le...@dovecot.org

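Joseph's advice above is to read lots of DMARC RUA reports. As an added example (not part of the thread, and not code from any of the projects named in it), here is a small parser for the RFC 7489 aggregate report format that tallies how much mail from each source passed aligned DKIM or SPF. The XML is a constructed sample with three typical sources: a legitimate server, a third party sending with the domain in the From header, and a forwarder that preserves the DKIM signature but breaks SPF.

```python
"""Summarise a DMARC aggregate (RUA) report per source IP.

Added example for the Dovecot list thread; not Dovecot, Postfix or opendkim
code. The report below is constructed to follow the RFC 7489 aggregate
report schema and uses documentation-only IP ranges.
"""
import xml.etree.ElementTree as ET

# Constructed sample report covering one day for example.org.
SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1713916800</begin><end>1714003200</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.org</domain><adkim>r</adkim><aspf>r</aspf><p>none</p>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.org</domain><result>pass</result></dkim>
      <spf><domain>example.org</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers>
    <auth_results>
      <spf><domain>unrelated.test</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.44</source_ip><count>4</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.org</domain><result>pass</result></dkim>
      <spf><domain>forwarder.test</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def parse_rua(xml_text):
    """Return per-source counts plus aligned/unaligned totals for the report.

    policy_evaluated/dkim and /spf already include the alignment check, so a
    message passes DMARC when either of them is "pass".
    """
    root = ET.fromstring(xml_text)
    summary = {
        "domain": root.findtext("policy_published/domain"),
        "aligned": 0,
        "unaligned": 0,
        "sources": {},
    }
    for rec in root.findall("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        aligned = dkim == "pass" or spf == "pass"
        summary["aligned" if aligned else "unaligned"] += count
        summary["sources"][ip] = {
            "count": count, "dkim": dkim, "spf": spf, "aligned": aligned,
        }
    return summary


def unaligned_sources(summary):
    """Source IPs whose mail failed both aligned DKIM and aligned SPF:
    the ones worth investigating before moving the policy to quarantine."""
    return sorted(ip for ip, s in summary["sources"].items() if not s["aligned"])


if __name__ == "__main__":
    s = parse_rua(SAMPLE_REPORT)
    print(s["domain"], "aligned:", s["aligned"], "unaligned:", s["unaligned"])
    print("unaligned sources:", unaligned_sources(s))
```

The forwarder (203.0.113.44) still counts as aligned because its DKIM signature survived, which is the reason the thread recommends getting DKIM right before tightening the DMARC policy; a source that fails both is the case to chase.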


Re: The future of SIS

2023-10-18 Thread Jean-Daniel Dupas


> On 18 Oct 2023 at 09:35, Marc wrote:
> 
>>  Dovecot has this option to store attachments separately not? So I am
>> not sure this is then still a problem.
>> 
>> 
>> 
>> Interesting. How do you tell dovecot to do that ?
>> 
> 
> I thought I read about something like this,
> 
> mail_location =  ATTACHMENTS=/attachment
> 
> but now you have made me read the docs[1] I can't really find it.
> 
> @Aki maybe if this SIS is phased out, it is good to offer a solution that 
> stores the attachments separately? I think that would allow current SIS users 
> to implement something alternative.
> 

Thanks for the pointer.
Thanks to it, I found it in the documentation. It was supposed to be defined 
like this in v2.0.0, but it is now a core setting (and is only available for 
sd/mdbox storage):

mail_attachment_dir
• Default: 
• Values: String
The directory in which to store mail attachments.

With sdbox and mdbox, mail attachments can be saved to external files, which 
also allows single-instance storage of them.

If no value is specified, attachment saving to external files is disabled.




Re: The future of SIS

2023-10-17 Thread Jean-Daniel Dupas


> On 17 Oct 2023 at 16:34, Marc wrote:
> 
>>> The problem is a bit what everyone understands as s3. I associate
>>> this indeed also with an http endpoint on object storage. But the ceph
>>> plugin skips this http and talks directly to object store. I don't think
>>> you would like to operate on this http level. If I look at this page of
>>> ceph[1], it also looks like you do not want to get yourself involved in
>>> deduplication.
>>> 
>>> [1] https://docs.ceph.com/en/reef/dev/deduplication/
>> 
>> Moreover, following Filip's remark about block deduplication, having
>> any kind of deduplication that is not optimized for the email case (where
>> attachments are always embedded in slightly different documents) would
>> make it ineffective.
> 
> Dovecot has this option to store attachments separately not? So I am not sure
> this is then still a problem.

Interesting. How do you tell dovecot to do that ?

>> Is it really worth bothering deploying a whole Ceph cluster for that ?
> 
> No you should not get ceph just for this. But ceph brings you nice
> redundancy, distributed storage. I am totally fan of it.

Me too. I’m using it extensively to store multi terabytes of data, but it may
be overkill if you don’t need all of this.




Re: The future of SIS

2023-10-17 Thread Jean-Daniel Dupas


> On 17 Oct 2023 at 13:12, Marc wrote:
> 
>> Is s3 not too slow for this?
>> 
>> I think the clue is in the name "s3-compatible".
>> 
>> Clearly calling out to "real" (AWS) S3 would be a non-starter.
>> 
>> But a local installation of something like CEPH, MinIO or whatever on the
>> same LAN ? I'd think that should be workable, no ?
>> 
>> Do you know of anything that does this reliably?
>> 
>> I tested a few years ago with ceph[1] but at that point there was some
>> issues where it had a 2x write amplification (on top of the 3x) if I
>> remember correctly.
>> 
>> All of this is if not dead end will be a lots of complexity and
>> inefficiency and a lot of waste of money. Only the application knows how to
>> do things efficiently and with consistency.
>> 
>> S3-compatible storage is very good for multi-server installations where you
>> need redundancy, availability. S3 is basically HTTP server so you can code
>> your own logic on stored emails, balancers, caches, deduplication,
>> compression, encryption it doesn't need to be off-the-shelf storage.
> 
> The problem is a bit what everyone understands as s3. I associate this indeed
> also with an http endpoint on object storage. But the ceph plugin skips this
> http and talks directly to object store. I don't think you would like to
> operate on this http level. If I look at this page of ceph[1], it also looks
> like you do not want to get yourself involved in deduplication.
> 
> [1] https://docs.ceph.com/en/reef/dev/deduplication/

Moreover, following Filip's remark about block deduplication, having any kind of
deduplication that is not optimized for the email case (where attachments are
always embedded in slightly different documents) would make it ineffective.
Is it really worth bothering deploying a whole Ceph cluster for that ?


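Two points in this thread fit one illustration: the reply above argues that generic block deduplication is ineffective for mail because the same attachment is always embedded in slightly different messages, and the later reply finds Dovecot's mail_attachment_dir, which stores attachments as external files so that they can be single-instanced. The following added example (mine, not Dovecot code, and not the sdbox/mdbox on-disk format) builds two constructed messages that carry the same attachment with different headers and bodies, shows that their whole-message hashes differ, and then stores the attachment content-addressed by SHA-256 so only one copy is kept.

```python
"""Attachment-level single-instance storage, as a minimal model.

Added example for the Dovecot list thread; not Dovecot code. Messages and
the attachment payload are constructed here.
"""
import hashlib
from email.message import EmailMessage

# Constructed attachment: identical bytes in every message that carries it.
ATTACHMENT = b"%PDF-1.4 constructed sample attachment payload\n" + b"x" * 4096


def build_message(sender, subject, body):
    """Construct a MIME message with a text body and the shared attachment."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "team@example.org"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(ATTACHMENT, maintype="application", subtype="pdf",
                       filename="report.pdf")
    return msg


class AttachmentStore:
    """Content-addressed blob store: one copy per distinct attachment."""

    def __init__(self):
        self.blobs = {}   # sha256 hex -> bytes
        self.refs = {}    # sha256 hex -> number of messages referencing it

    def put(self, data):
        digest = hashlib.sha256(data).hexdigest()
        if digest not in self.blobs:
            self.blobs[digest] = data
        self.refs[digest] = self.refs.get(digest, 0) + 1
        return digest


def store_message(store, msg):
    """Move each attachment into the store; return the references kept
    with the message in place of the attachment bytes."""
    refs = []
    for part in msg.iter_attachments():
        refs.append(store.put(part.get_payload(decode=True)))
    return refs


def demo():
    store = AttachmentStore()
    m1 = build_message("alice@example.org", "Q1 report",
                       "Please review the attached report.")
    m2 = build_message("bob@example.org", "Fwd: Q1 report",
                       "Forwarding, see attached.")
    # Whole-message (or block-level) dedup sees two different objects...
    whole_hashes = {hashlib.sha256(m.as_bytes()).hexdigest() for m in (m1, m2)}
    # ...while attachment-level storage keeps a single blob with two references.
    refs1 = store_message(store, m1)
    refs2 = store_message(store, m2)
    return {
        "distinct_messages": len(whole_hashes),
        "stored_blobs": len(store.blobs),
        "refcount": store.refs[refs1[0]],
        "same_ref": refs1 == refs2,
    }


if __name__ == "__main__":
    print(demo())
```

The MIME boundary and headers differ between the two messages, so any scheme that hashes the message or fixed-size blocks of it finds nothing to share; hashing the decoded attachment payload does.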


Re: The future of SIS

2023-10-16 Thread Jean-Daniel Dupas


> On 16 Oct 2023 at 15:51, Marc wrote:
> 
>>> Hello to everyone!
>>> Ooops, we are using SIS, guess the solution for a similar optimization
>> will be
>>> a native deduplicated filesystem.
>> 
>> did you really mean deduplicated or distributed?
>> 
> 
> I think this is deduplicating. Storage systems are offering such solutions. I 
> think ceph has something like this, although I am not sure for rbd disk 
> images. I think it makes more sense to have something like this done by a fs 
> or storage solution.

If you are using Ubuntu, OpenZFS is readily available, and supports 
deduplication natively.
Otherwise it is also available on other platforms, but may require more setup.




Re: how to setup IMAPs with letsencrypt

2022-04-22 Thread Jean-Daniel Dupas


> On 22 Apr 2022 at 01:50, Jeremy Ardley wrote:
> 
> 
> 
> On 22/4/22 7:44 am, al...@coakmail.com  wrote:
>>> On 22/4/22 7:25 am, al...@coakmail.com  wrote:
>>> 
>> Thanks. I will give a try.
>> after enabling SSL, can I disable port 143 entirely?
>> 
> Probably a bad idea. Many clients use STARTTLS on port 143 rather than TLS 
> on port 993
> 

While it's true for SMTP, my experience is that IMAP clients prefer imaps on 
port 993 instead of STARTTLS. 

I have a server with only port 993 opened, and almost never had any issue with 
client configuration.



Re: New to dovecot admin, question about using LDAP for user-specific values

2019-09-13 Thread Jean-Daniel Dupas via dovecot


> On 13 Sep 2019 at 12:53, Gerben Wierda via dovecot wrote:
> 
> 
>> On 13 Sep 2019, at 11:51, Jean-Daniel Dupas wrote:
>> 
>> 
>> 
>>> On 13 Sep 2019 at 09:29, Gerben Wierda via dovecot wrote:
>>> 
>>> Nobody?
>>> 
>>>> On 10 Sep 2019, at 11:58, Gerben Wierda via dovecot wrote:
>>>> 
>>>> I am new to dovecot administration. I’ve read the Wiki but that hasn’t 
>>>> given me the understanding I need.
>>>> 
>>>> When I query my LDAP (on macOS) on a value for user ‘gerben’, I can get 
>>>> that:
>>>> 
>>>> dumbledore:~ gerben$ dscl /LDAPv3/127.0.0.1 -read /users/gerben 
>>>> GeneratedUID
>>>> GeneratedUID: 780D870E-6B00-478E-AB70-3D3307215A82
>>>> 
>>>> I would like to use that value in dovecot settings, e.g. something like
>>>> 
>>>> user_attrs = \
>>>>   =mail=maildir://Library/Server/Mail/Data/mail/%{ldap:GeneratedUID} 
>>>> 
>>>> 
>>>> Is this possible and if so what do I exactly need to do to get this 
>>>> working?
>> 
>> As the answer is in the question, it is hard to give you any hint about what 
>> should be done.
>> 
>> What is wrong with 
>> 
>> user_attrs = \
>>   =mail=maildir://Library/Server/Mail/Data/mail/%{ldap:GeneratedUID} 
>> 
>> 
>> Did you try it ? Have you got any issue with it ?
> 
> I haven’t tried anything yet as I am trying to learn before I do anything 
> (and trial and error is a very slow method), but it seems to me that just 
> that line cannot be enough. Because how does “ldap:” know to go looking in 
> the LDAP structure at "/Users//“ in the LDAP “/LDAPv3/127.0.0.1”? 
> Somehow I shall have to tell dovecot that.

OK, so your question is more about how to configure LDAP in dovecot for basic 
usage.

If you want to query the LDAP, you first have to learn what its structure is, 
and then you should tell dovecot where to look using the 'base' and 'scope' 
parameters and what to look for using the 'user_filter' parameter.

I never tried to access OpenDirectory using LDAP queries, so you will have to 
search online about how it should be done.
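As an added illustration of the three settings named in the reply (this is my example, not a configuration from the thread or from the Dovecot documentation), here is a minimal dovecot-ldap.conf.ext for Dovecot 2.x. The host, bind DN, base DN and the posixAccount/uid attribute names are assumptions for an OpenLDAP-style tree; an OpenDirectory tree uses different object classes and must be inspected first (for instance with ldapsearch) so that base and user_filter actually match it.

```conf
# dovecot-ldap.conf.ext (added example, assumptions marked below)

# Where the directory is and how Dovecot binds to search it.
hosts = 127.0.0.1
# Assumed search account; placeholder password, keep this file readable by root only.
dn = cn=dovecot,dc=example,dc=org
dnpass = CHANGE-ME-bind-password
# Verify the user's password by binding as the user's own DN after the lookup.
auth_bind = yes

# Where to look: the subtree that holds user entries (assumed base DN).
base = cn=users,dc=example,dc=org
scope = subtree

# What to look for: %u is the login name supplied by the client.
# objectClass/uid are assumptions for a posixAccount-style schema.
user_filter = (&(objectClass=posixAccount)(uid=%u))
pass_filter = (&(objectClass=posixAccount)(uid=%u))

# Which attributes become userdb fields; GeneratedUID is the attribute the
# question asked about, referenced via the %{ldap:...} expansion.
user_attrs = \
  =mail=maildir:/Library/Server/Mail/Data/mail/%{ldap:GeneratedUID}
```

With auth_bind = yes and a pass_filter, Dovecot first searches with the dn/dnpass account to find the entry, then binds as that entry's DN with the password the client supplied, so a wrong password fails at the bind rather than by comparing a stored hash.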



Re: Multiple certificate option SNI

2019-09-13 Thread Jean-Daniel Dupas via dovecot



> On 13 Sep 2019 at 12:10, Maciej Milaszewski IQ PL via dovecot wrote:
> 
> Hi
> I have some problem with SNI and dovecot 2.2.36.4
> 
> Server debian 9.x ad dovecot-2.2.36.4
> 
> default server ssl cert is a wildcard like *.domain.com (digicert)
> 
> ssl_ca = /var/control/cert.pem
> ssl_cert =  
> I added for test another domain (in dns to) for another ssl (letsencrypt)
> 
> from https://wiki.dovecot.org/SSL/DovecotConfiguration
> 
> like:
> 
> local_name imap.mail.test.domain.com {
>   ssl_cert =ssl_key =  < /etc/dovecot/ssl/imap.mail.test.domain.com.key
> }
> 
> 
> doveconf -n:
> 
> local_name imap.mail.test.domain.com {
>   ssl_cert =ssl_key =  # hidden, use -P to show it
> }
> 
> Now I test like:
> openssl s_client -connect imap.mail.test.domain.com:993 -tls1_1
> 
> and dovecot show me default server cert (digicert) but not dedicated
> from letsencrypt
> 
> In DNS domain imap.mail.test.domain.com is not match *.domain.com
> 
> Any idea ?
> 

AFAIK, the -connect option of openssl is not used for SNI, but only for IP 
resolution.
To enable SNI, you have to explicitly pass it using the '-servername' parameter.



Re: New to dovecot admin, question about using LDAP for user-specific values

2019-09-13 Thread Jean-Daniel Dupas via dovecot


> On 13 Sep 2019 at 09:29, Gerben Wierda via dovecot wrote:
> 
> Nobody?
> 
>> On 10 Sep 2019, at 11:58, Gerben Wierda via dovecot wrote:
>> 
>> I am new to dovecot administration. I’ve read the Wiki but that hasn’t given 
>> me the understanding I need.
>> 
>> When I query my LDAP (on macOS) on a value for user ‘gerben’, I can get that:
>> 
>> dumbledore:~ gerben$ dscl /LDAPv3/127.0.0.1 -read /users/gerben GeneratedUID
>> GeneratedUID: 780D870E-6B00-478E-AB70-3D3307215A82
>> 
>> I would like to use that value in dovecot settings, e.g. something like
>> 
>> user_attrs = \
>>   =mail=maildir://Library/Server/Mail/Data/mail/%{ldap:GeneratedUID} 
>> 
>> 
>> Is this possible and if so what do I exactly need to do to get this working?

As the answer is in the question, it is hard to give you any hint about what 
should be done.

What is wrong with 

user_attrs = \
  =mail=maildir://Library/Server/Mail/Data/mail/%{ldap:GeneratedUID} 


Did you try it ? Have you got any issue with it ?




submission configuration issues

2019-07-23 Thread Jean-Daniel Dupas via dovecot
Hello,

I'm having trouble configuring the submission proxy.

I have configured the submission service as follows:

submission_host = smtp.example.com
submission_relay_host = localhost
submission_relay_port = 8587
submission_relay_rawlog_dir = /var/log/dovecot/
submission_relay_trusted = yes

My main issue is that until I log in, dovecot-submission won't connect to the 
backend and query the capabilities, and so won't report the right capabilities.

That means that the first EHLO response doesn't carry the right capabilities list.

"
EHLO example.com

250-smtp.example.com
250-8BITMIME
250-AUTH PLAIN LOGIN
250-BURL imap
250-CHUNKING
250-ENHANCEDSTATUSCODES
250-SIZE
250 PIPELINING
"

This list doesn't contain VRFY or DSN, and SIZE is not specified (all of these 
are present in the backend EHLO response).
After login, if I send a new EHLO command, everything is properly reported. 
The raw log shows that, unlike what the documentation says, 
dovecot doesn't try to connect to the backend until the user is properly logged in.

In my raw log I see that after I log in to dovecot-submission, the latter opens 
a connection to the backend and sends an X-CLIENT command.


Now, if I try to force the capabilities by using:

submission_backend_capabilities = VRFY 8BITMIME DSN

dovecot properly reports all SMTP capabilities in the first EHLO response, but 
it completely stops emitting the X-CLIENT command to the backend 
and simply tries to forward the command without authentication, which results in 
postfix rejecting the command with an unauthorized user error.

What is wrong with my configuration ?
Thanks.

Jean-Daniel



Re: Dovecot 2.3.0 TLS

2019-07-19 Thread Jean-Daniel Dupas via dovecot



> On 18 Jul 2019 at 11:21, Alexandre Urban via dovecot wrote:
> 
> Hello,
>  
> I don’t know who will read this message, but I found this thread: 
> https://www.mail-archive.com/search?l=dovecot@dovecot.org=subject:%22Dovecot+2.3.0+TLS%22=newest
> And I’m expected the same issue, I will try to explain to you (english is not 
> my native language, sorry)
>  
> Since Buster update, so Dovecot update too, I’m not able to connect to my 
> mail server from my iOS mail client (12.2)
> Thunderbird just work fine.
>  
> Here is my configuration:
>  
> Debian Buster (amd64)
> Dovecot: 2.3.4.1
> Postfix : 3.4.5
> OpenSSL: 1.1.1c
>  
> Dovecot configuration file:
>  
> ssl_min_protocol = TLSv1.2 (I tried different version)
>  
> When I tried to connect with command line: openssl s_client -showcerts 
> -connect server:993
>  
> No client certificate CA names sent
> Peer signing digest: SHA256
> Peer signature type: RSA-PSS
> Server Temp Key: X25519, 253 bits
> ---
> SSL handshake has read 2322 bytes and written 392 bytes
> Verification error: unable to verify the first certificate
> ---
> New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
> Server public key is 2048 bit
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> Early data was not sent
> Verify return code: 21 (unable to verify the first certificate)
>  
> When I tried to connect with command line: openssl s_client -showcerts 
> -no_tls1_3 -connect server:993
>  
> No client certificate CA names sent
> Peer signing digest: SHA256
> Peer signature type: RSA-PSS
> Server Temp Key: X25519, 253 bits
> ---
> SSL handshake has read 2423 bytes and written 310 bytes
> Verification error: unable to verify the first certificate
> ---
> New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
> Protocol  : TLSv1.2
> Cipher: ECDHE-RSA-AES256-GCM-SHA384
>  
> I think the “Secure Renegotiation IS NOT supported” with tls 1.3 could be an 
> issue, but I don’t what to do to fix the issue ?
>  
> Could you help me ?
> Let me know if you need more informations.
>  

I would rather look at the "Verify return code: 21 (unable to verify the first 
certificate)" error. 
Is your TLS certificate valid and trusted on your iOS device ?

IIRC, "Secure Renegotiation" is explicitly not supported by TLS1.3 (TLS1.3 
forbids any renegotiation).
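The reply points at the verify return code rather than the renegotiation line. As an added example (mine, not from the thread), here is a small parser for the summary lines of `openssl s_client` output that pulls out the protocol, cipher, verify result and renegotiation flag and turns them into findings; it treats a missing secure-renegotiation extension on TLS 1.3 as expected, as the reply explains, and flags the non-zero verify code instead. The two samples are trimmed from the output quoted in the thread.

```python
"""Turn `openssl s_client` summary output into actionable findings.

Added example for the Dovecot list thread, not Dovecot or OpenSSL code.
The samples are abbreviated copies of the output quoted above; the
assessment rules are this example's own.
"""
import re

SAMPLE_TLS13 = """\
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2322 bytes and written 392 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Verify return code: 21 (unable to verify the first certificate)
"""

SAMPLE_TLS12 = """\
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Verify return code: 21 (unable to verify the first certificate)
"""


def parse_s_client(output):
    """Extract protocol, cipher, verify result and renegotiation flag."""
    info = {"protocol": None, "cipher": None, "verify_code": None,
            "verify_reason": None, "secure_renegotiation": None}
    for line in output.splitlines():
        m = re.match(r"New, ([^,]+), Cipher is (\S+)", line)
        if m:
            info["protocol"], info["cipher"] = m.group(1), m.group(2)
            continue
        m = re.match(r"Verify return code: (\d+) \((.*)\)", line)
        if m:
            info["verify_code"] = int(m.group(1))
            info["verify_reason"] = m.group(2)
            continue
        if line.startswith("Secure Renegotiation IS NOT supported"):
            info["secure_renegotiation"] = False
        elif line.startswith("Secure Renegotiation IS supported"):
            info["secure_renegotiation"] = True
    return info


def assess(info):
    """Return a list of findings; an empty list means nothing to fix."""
    findings = []
    if info["verify_code"] is None:
        findings.append("no 'Verify return code' line found in output")
    elif info["verify_code"] != 0:
        # Code 21 means the leaf's issuer could not be found: with no local CA
        # bundle that is expected, but against a client that does have one it
        # usually means the intermediate certificate is missing from ssl_cert.
        findings.append("chain verification failed: %s (code %d)"
                        % (info["verify_reason"], info["verify_code"]))
    if info["protocol"] in ("SSLv3", "TLSv1", "TLSv1.1"):
        findings.append("legacy protocol negotiated: %s" % info["protocol"])
    # TLS 1.3 removed renegotiation entirely, so "IS NOT supported" is the
    # normal state there; only on TLS 1.2 is its absence worth a look.
    if info["protocol"] == "TLSv1.2" and info["secure_renegotiation"] is False:
        findings.append("TLS 1.2 without the secure renegotiation extension")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_TLS13, SAMPLE_TLS12):
        print(assess(parse_s_client(sample)))
```

Run against both samples, the only finding is the verify failure, which matches the reply's advice: check the certificate chain the server presents and whether the iOS device trusts it, and ignore the renegotiation line on TLS 1.3.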



Re: [bug] success field never emitted in auth_request_finished event

2019-07-12 Thread Jean-Daniel Dupas via dovecot
Sorry, I forgot to mention this is with the freshly released 2.3.7


> On 12 Jul 2019 at 16:43, Aki Tuomi via dovecot wrote:
> 
> Would you like to try with 2.3.7? It was released today.
> 
> Aki
>> On 12/07/2019 17:05 Jean-Daniel Dupas via dovecot wrote:
>> 
>> 
>> Another issue is that when 'request->passdb_success' is FALSE, the request 
>> fails but the error field is not set (as it is only set when 
>> request->failure is TRUE), which makes it hard to create metrics for failed 
>> login attempts.
>> 
>> We have (assuming success were working as expected):
>> - success = yes -> means auth OK
>> - error is present -> means request failed for some reasons
>> - neither success nor error is present -> means requests failed for other 
>> reasons.
>> 
>> As we can't create a metric filter testing field absence, getting the count of 
>> failed requests would mean creating 2 metrics (one for success, one for all) 
>> and diffing the 2 to get the count of failed attempts.
>> 
>> 
>>> On 12 Jul 2019 at 15:31, Jean-Daniel Dupas via dovecot wrote:
>>> 
>>> Hi,
>>> 
>>> I'm playing with the new events, and encounter some issues:
>>> 
>>> First the 'auth_request_finished' event is documented as having a 
>>> 'successful' field, but in the code, the field is defined as 'success' 
>>> (e->add_str("success", "yes")).
>>> 
>>> More importantly, in the function "auth_request_success_continue()" 
>>> (auth/auth-request.c:288), "auth_request_log_finished(request)" is called 
>>> (line 303) before updating the request status: "request->successful = TRUE" 
>>> (line 312)
>>> 
>>> So the log function never sets the success field to "yes" as at this point 
>>> request->successful is still false.
>>> 
>>> Jean-Daniel
>>> 
>>> 
>>> 
> 
> ---
> Aki Tuomi



Re: [bug] success field never emitted in auth_request_finished event

2019-07-12 Thread Jean-Daniel Dupas via dovecot
Another issue is that when 'request->passdb_success' is FALSE, the request 
fails but the error field is not set (as it is only set when request->failure 
is TRUE), which makes it hard to create metrics for failed login attempts.

We have (assuming success were working as expected):
- success = yes -> means auth OK
- error is present -> means request failed for some reasons
- neither success nor error is present -> means requests failed for other 
reasons.

As we can't create a metric filter testing field absence, getting the count of 
failed requests would mean creating 2 metrics (one for success, one for all) and 
diffing the 2 to get the count of failed attempts.


> On 12 Jul 2019 at 15:31, Jean-Daniel Dupas via dovecot wrote:
> 
> Hi,
> 
> I'm playing with the new events, and encounter some issues:
> 
> First the 'auth_request_finished' event is documented as having a 
> 'successful' field, but in the code, the field is defined as 'success' 
> (e->add_str("success", "yes")).
> 
> More importantly, in the function "auth_request_success_continue()" 
> (auth/auth-request.c:288), "auth_request_log_finished(request)" is called 
> (line 303) before updating the request status: "request->successful = TRUE" 
> (line 312)
> 
> So the log function never sets the success field to "yes" as at this point 
> request->successful is still false.
> 
> Jean-Daniel
> 
> 
> 
> 



[bug] success field never emitted in auth_request_finished event

2019-07-12 Thread Jean-Daniel Dupas via dovecot
Hi,

I'm playing with the new events, and encounter some issues:

First the 'auth_request_finished' event is documented as having a 'successful' 
field, but in the code, the field is defined as 'success' 
(e->add_str("success", "yes")).

More importantly, in the function "auth_request_success_continue()" 
(auth/auth-request.c:288), "auth_request_log_finished(request)" is called (line 
303) before updating the request status: "request->successful = TRUE" (line 312)

So the log function never sets the success field to "yes" as at this point 
request->successful is still false.

Jean-Daniel






Re: Getting login stats

2019-07-12 Thread Jean-Daniel Dupas via dovecot



> On 11 Jul 2019 at 15:33, Michael Slusarz via dovecot wrote:
> 
>> I'm trying to get some IMAP auth stats on a Dovecot 2.3.6 instance, but 
>> whatever I declare in metric, it always show 0.
> 
> None of these auth_* requests exist in 2.3.6.

Thanks. So maybe the wiki should be updated, as the title of the section that 
lists these events is: "Authentication Server (v2.3.6)"

That said, the new documentation is better as it says "New in version v2.3.7".

As a side point, maybe the documentation link at 
"https://www.dovecot.org/documentation" should be updated to point to 
doc.dovecot.org instead of sending to the wiki ;-)


>> I tried using the following metrics:
>> 
>> 
>> 
>> metric auth_request_finished {
>>event_name = auth_request_finished
>> }
>> 
>> metric auth_passdb_request_finished {
>>event_name = auth_passdb_request_finished
>> }
>> 
>> metric auth_userdb_request_finished {
>>event_name = auth_userdb_request_finished
>> }
>> 
>> metric auth_client_request_started {
>> event_name = auth_client_request_started
>> }
>> 
>> metric auth_client_userdb_lookup_started {
>>event_name = auth_client_userdb_lookup_started
>> }
>> 
>> metric auth_client_passdb_lookup_started {
>> event_name = auth_client_passdb_lookup_started
>> }
>> 
>> metric auth_client_cache_flush_started {
>> event_name = auth_client_cache_flush_started
>> }
>> 
>> metric imap_command_finished {
>>event_name = imap_command_finished
>>filter {
>>name = LOGIN
>>}
>> }
>> 
>> 
>> But even after many successful logins, doveadm reports 0 for all events:
>> 
>> metric_name   fieldcount sum min max avg  median 
>> stddev %95   
>>
>> auth_request_finished duration 0 0   0   0   0.00 0  
>> 0.00   0 
>>
>> auth_passdb_request_finished  duration 0 0   0   0   0.00 0  
>> 0.00   0 
>>
>> auth_userdb_request_finished  duration 0 0   0   0   0.00 0  
>> 0.00   0 
>>
>> auth_client_request_started   duration 0 0   0   0   0.00 0  
>> 0.00   0 
>>
>> auth_client_userdb_lookup_started duration 0 0   0   0   0.00 0  
>> 0.00   0 
>>
>> auth_client_passdb_lookup_started duration 0 0   0   0   0.00 0  
>> 0.00   0 
>>
>> auth_client_cache_flush_started   duration 0 0   0   0   0.00 0  
>> 0.00   0 
>>
>> imap_command_finished duration 0 0   0   0   0.00 0  
>> 0.00   0

> 


Getting login stats

2019-07-11 Thread Jean-Daniel Dupas via dovecot
Hello,

I'm trying to get some IMAP auth stats on a Dovecot 2.3.6 instance, but 
whatever I declare in metric, it always show 0.

What I want basically is how many IMAP auth attempts there was on the server, 
and optional a way to filter on the auth attempt status (successful or failed).

My server uses a simple auth (with LDAP backend) and supports only 
"auth_mechanisms = plain login"



I tried using the following metrics:



metric auth_request_finished {
event_name = auth_request_finished
}

metric auth_passdb_request_finished {
event_name = auth_passdb_request_finished
}

metric auth_userdb_request_finished {
event_name = auth_userdb_request_finished
}

metric auth_client_request_started {
 event_name = auth_client_request_started
}

metric auth_client_userdb_lookup_started {
event_name = auth_client_userdb_lookup_started
}

metric auth_client_passdb_lookup_started {
 event_name = auth_client_passdb_lookup_started
}

metric auth_client_cache_flush_started {
 event_name = auth_client_cache_flush_started
}

metric imap_command_finished {
event_name = imap_command_finished
filter {
name = LOGIN
}
}


But even after many successful logins, doveadm reports 0 for all events:

metric_name   fieldcount sum min max avg  median stddev 
%95 
 
auth_request_finished duration 0 0   0   0   0.00 0  0.00   
0   
 
auth_passdb_request_finished  duration 0 0   0   0   0.00 0  0.00   
0   
 
auth_userdb_request_finished  duration 0 0   0   0   0.00 0  0.00   
0   
 
auth_client_request_started   duration 0 0   0   0   0.00 0  0.00   
0   
 
auth_client_userdb_lookup_started duration 0 0   0   0   0.00 0  0.00   
0   
 
auth_client_passdb_lookup_started duration 0 0   0   0   0.00 0  0.00   
0   
 
auth_client_cache_flush_started   duration 0 0   0   0   0.00 0  0.00   
0   
 
imap_command_finished duration 0 0   0   0   0.00 0  0.00   
0  




Re: Some questions

2019-07-10 Thread Jean-Daniel Dupas via dovecot



> On 10 Jul 2019 at 14:06, Bardot Jérôme via dovecot wrote:
> 
> On 09/07/2019 at 17:28, Daniel Miller via dovecot wrote:
>> 
>> On 7/9/2019 6:17 AM, Jérôme Bardot via dovecot wrote:
>>> Hello,
>>> 
>>> This is my first email here.
>>> I want to understand well how dovecot is integrate with ldap in a
>>> postfix/dovecot/ldap setup.
>>> I use a debian server.
>> 
>> Perfectly!
>> 
>>> 
>>> More specifically what dovecot need in ldap to work.
>>> I saw we can use several "mode" related to virtual domain, etc. For
>>> "start" i only need one domain with several address.
>>> I currently use fusiondirectory for manage my ldap users. i guess i
>>> can use that schema to auto create users email
>>> (name.firstn...@domain.tld for ie) ?
>>> I also want to setup some aliases and share directory based on ldap
>>> group/role can i do it ?
>>> 
>>> An other question is can we have two domain name for imap.domain.tld
>>> && smtp.domain.tld ?
>> 
>> Yes.
> There is some documentation somewhere on it ?
>> 
>> Dovecot & Postfix have no "hard" schema, or database definition, or
>> particular fields. You need to create map files which tell each server
>> how to use the information from LDAP (or any other database). Each
>> server (Postfix & Dovecot) have their own configuration which is
>> separate from each other. So you need to start with one or the other.
>> Postfix questions should be asked on the Postfix list.
>> 
>> Everything you asked for above is easily doable - just start with one
>> step at a time. Ask specific questions when you get stuck.
> 
> The map part stuck me at this time. Can i found somewhere a list of
> field should/can be map ? I think i’m ok with postfix conf if i
> understand well i can delegate pretty all stuff to dovecot/ldap.
> 
> 
> An other question is :
> 
> For all vitual stuff i always use a new user (system) with a custom
> home, all stuff i read are not clear for me about this point. There is
> some diagram with technical stuff about dovecot ?
> 

You should start by reading https://wiki2.dovecot.org/AuthDatabase/LDAP/Userdb

The main point if you use a single user is:

"If you're using a single UID and GID for all the users, you can specify them 
globally with mail_uid and mail_gid settings instead of returning them from 
LDAP."




Re: Dovecot behind Load Balancer

2019-07-10 Thread Jean-Daniel Dupas via dovecot


> On 10 Jul 2019 at 11:46, Paolo Daniele wrote:
> 
> 
> 
> On 10/07/19 11:44, Jean-Daniel Dupas wrote:
>> 
>>> On 10 Jul 2019 at 10:24, Paolo Daniele via dovecot wrote:
>>> 
>>> 
>>> On 10/07/19 10:20, Aki Tuomi wrote:
>>>>> On 12/06/2019 20:02 Paolo Daniele via dovecot  wrote:
>>>>> 
>>>>> 
>>>>>  Hi,
>>>>>  i've a question for you.
>>>>>  I've two dovecot imap/pop server behind a zen load balancer.
>>>>>  Load balancing is made by lx4nat so the public ip address of my load 
>>>>> balancer contact directly the dovecot servers.
>>>>>  Since few months i've a message from thunderbird that i've reached the 
>>>>> imap limit login for ip.
>>>>>  I've triend to increase the max user ip parameter but sometimes i've the 
>>>>> same problem.
>>>>>  It's a strange things that actually i'm able to mitigate by reduce the 
>>>>> number of cached connections in Thunderbird but it's not normal.
>>>>>  What do you think about that?
>>>>>  Maybe there's some tuning that you can suggest.
>>>>>  Thank you,
>>>>>  Paolo
>>>>> 
>>>> Have you ensured, by checking logs, that the connections are seen by 
>>>> dovecot to come from public IP addresses?
>>>> 
>>>> Also, thunderbird is known to open lots of concurrent connections.
>>>> 
>>>> Aki
>>> Yes,
>>> connections are coming from the ip address of load balancer (also checked 
>>> with a netstat -an)
>> If connections are seen as coming from the IP address of the load balancer, 
>> isn't it normal that dovecot complains ?
>> That means that dovecot sees all connections as coming from a single client, 
>> which would explain why you reach that limit.
>> 
>> 
> Yeah of course, but i've checked that i haven't reach the max_user_per_ip 
> limit by counting dovecot process coming from that ip address.
> So the strange and the reason why i'm writing to you :)

Don't know if this is still relevant in your dovecot version, but did you see 
this:

https://serverfault.com/questions/385187/dovecot-ignoring-maximum-number-of-imap-connections
 

People had issues setting mail_max_userip_connections in the imap 
section and had to set it in the global section instead.
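As an added illustration (my example, not configuration from the thread or from the linked report), here are the two placements of the limit side by side, followed by the setting that addresses the underlying problem the reply describes: Dovecot seeing every client behind the load balancer as one remote IP. The value 50 and the network range are constructed; whether the balancer can emit the PROXY protocol header is an assumption to check with its documentation.

```conf
# dovecot.conf fragment (added example; values are constructed)

# Placement the linked report describes as being ignored on some 2.x versions:
protocol imap {
  mail_max_userip_connections = 50
}

# Placement that worked for them: the global section.
mail_max_userip_connections = 50

# The limit is counted per (user, remote IP). Behind a NAT balancer every
# device of the same user shares the balancer's address, so they all share
# one bucket. If the balancer can speak the PROXY protocol, Dovecot can be
# told to trust it and count against the real client address instead.
haproxy_trusted_networks = 10.0.0.0/8
service imap-login {
  inet_listener imaps {
    port = 993
    ssl = yes
    haproxy = yes
  }
}
```

With the PROXY protocol in place the rip= field in the imap-login log lines shows the client's own address, which also makes the per-IP limit and any log-based rate limiting meaningful again.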



Re: Dovecot behind Load Balancer

2019-07-10 Thread Jean-Daniel Dupas via dovecot



> On 10 Jul 2019 at 10:24, Paolo Daniele via dovecot wrote:
> 
> 
> On 10/07/19 10:20, Aki Tuomi wrote:
>>> On 12/06/2019 20:02 Paolo Daniele via dovecot  wrote:
>>> 
>>> 
>>>  Hi,
>>>  I've a question for you.
>>>  I've two dovecot imap/pop servers behind a zen load balancer.
>>>  Load balancing is made by lx4nat so the public IP address of my load 
>>> balancer contacts the dovecot servers directly.
>>>  For a few months I've been getting a message from thunderbird that I've 
>>> reached the imap login limit per IP.
>>>  I've tried to increase the max user IP parameter but sometimes I have the 
>>> same problem.
>>>  It's a strange thing that I'm currently able to mitigate by reducing the 
>>> number of cached connections in Thunderbird, but it's not normal.
>>>  What do you think about that?
>>>  Maybe there's some tuning that you can suggest.
>>>  Thank you,
>>>  Paolo
>>> 
>> Have you ensured, by checking logs, that the connections are seen by dovecot 
>> to come from public IP addresses?
>> 
>> Also, thunderbird is known to open lots of concurrent connections.
>> 
>> Aki
> Yes,
> connections are coming from the IP address of the load balancer (also checked 
> with a netstat -an)

If connections are seen as coming from the IP address of the load balancer, 
isn't it normal that dovecot complains?
That means that dovecot sees all connections as coming from a single client, 
which would explain why you reach that limit.




Re: Cannot connect to DOVECOT from Roundcube using SSL on Port 993

2019-06-19 Thread Jean-Daniel Dupas via dovecot


> Le 19 juin 2019 à 11:34, zahn via dovecot  a écrit :
> 
> Hello
> 
> I'm trying to connect to dovecot from roundcube using this setup:
> 
> $config['default_host'] = 'ssl://chogolisa.akadia.com';
> $config['default_port'] = 993;
> 
> and I get the following error message from dovecot:
> 
> Jun 19 11:30:21 chogolisa dovecot: imap-login: Disconnected (no auth attempts 
> in 0 secs): user=<>, rip=84.253.50.195, lip=84.253.50.195, TLS handshaking: 
> Connection closed, session=
> 
> When I try to connect from:
> 
> $config['default_host'] = 'tls://chogolisa.akadia.com';
> $config['default_port'] = 143;
> 
> it works!
> 
> Roundcube: 1.0.12
> Dovecot: 2.3.6
> 
> Can you help me?


Looks like you're using a very old roundcube instance. Maybe you should start by 
updating it.
I'm using the same settings with roundcube 1.3.9 (ssl://hostname, port 993), and 
never had any issue connecting to dovecot.



Re: Mail account brute force / harassment

2019-04-12 Thread Jean-Daniel Dupas via dovecot



> Le 11 avr. 2019 à 12:23, Marc Roos via dovecot  a écrit :
> 
> 
> 
> Say for instance you have someone trying to constantly access an 
> account
> 
> 
> Has any of you made something creative like this:
> 
> * configure that account to allow login with any password
> * link that account to something like /dev/zero that generates an infinite 
> amount of messages
>  (maybe send an archive of viruses?)
> * transferring TB's of data to this harassing client.
> 
> I think it would be interesting to be able to do such a thing.

As long as you have infinite bandwidth, that may be fun, but it is not the case 
for most people operating a mail server I think.

For these clients, I simply have fail2ban and DROP packets from blocked IPs (I 
prefer to DROP because I don't want to waste resources responding that the 
connection is refused).



Re: High availability of Dovecot

2019-04-11 Thread Jean-Daniel Dupas via dovecot



> Le 11 avr. 2019 à 10:44, luckydog xf via dovecot  a 
> écrit :
> 
> Hi, list,
> 
>  I'm going to deploy postfix + dovecot + CephFS (as Mail Storage). 
> Basically I want to use two servers for them, which is kind of HA.
>  
> My idea is to use keepalived or Pacemaker to host a VIP, which could 
> fail over to the other server once one is down. And I'll use Haproxy or Nginx to 
> schedule connections to one of those servers based on source IP (session 
> stickiness), and I'll use the VIP as the DNS record, etc. Is my plan doable?
> 
>I know there could be several MX records with different priorities. But I think it 
> brings along a shortcoming: DNS couldn't know whether the email server is up or down; it 
> just returns results to the MUA, right?
> 
>Thanks for any suggestions and ideas. 
> 


If you just want HA and don't have scalability issues, the simplest solution is 
probably to deploy your mail stack on 2 servers, and use pacemaker to make sure 
it runs on only one at a time (with a VIP managed by pacemaker too).

For the storage, if you have a SAN, go with it, else you may use a local DRBD 
partition with replication on the standby server.



Re: Using SHA256/512 for SQL based password

2019-02-13 Thread Jean-Daniel Dupas via dovecot


> Le 13 févr. 2019 à 14:54, Robert Moskowitz via dovecot  
> a écrit :
> 
> 
> 
> On 2/13/19 8:30 AM, Aki Tuomi wrote:
>> On 13.2.2019 15.18, Robert Moskowitz via dovecot wrote:
>>> 
>>> On 2/13/19 1:23 AM, Matthias Fechner via dovecot wrote:
>>>> 
>>>> On 13 February 2019 00:34:15 Robert Moskowitz wrote:
>>>> 
>>>>> On 2/12/19 6:03 PM, Matthias Fechner via dovecot wrote:
>>>>>> On 12.02.2019 at 17:05 Robert Moskowitz via dovecot wrote:
>>>>>>> I have been trying to find how to set the dovecot-sql.conf for using
>>>>>>> SHA256/512.  I am going to start clean with the stronger format, not
>>>>>>> migrate from the old MD5.  It seems all I need is:
>>>>>> you may want to have a look at the hashing algorithm ARGON2I,
>>>>>> which is
>>>>>> currently recommended for new developments and deployments.
>>>>> Recommended by whom?
>>>>> 
>>>>> Can you provide a link?
>>>> Sure, please see here:
>>>> https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
>>>> 
>>>>> 
>>>>> And if I was adventurous about hashes, I would be looking more at
>>>>> Keccak.
>>>>> 
>>>>> 
>>>>> Check out my Internet Draft:
>>>>> 
>>>>> 
>>>>> draft-moskowitz-small-crypto-00.txt
>>>> Thanks for the tip, will have a look into it.
>>> Keccak is a general hashing function.  It was the first? of the
>>> hashing 'sponge' functions, that many have followed.  It is the basis
>>> of SHA3 (at Keccak's greatest strength).
>>> 
>>> Argon2 seems to be special-built for password hashing.  Thing is it is
>>> not supported on my CentOS7 system:
>>> 
>>> # doveadm pw -l
>>> MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN
>>> CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5
>>> PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA PBKDF2 CRYPT
>>> SHA256-CRYPT SHA512-CRYPT
>>> 
>>> Of course SHA3 is not listed either...
>>> 
>>> 
>> ARGON2 support is added in dovecot v2.3. It also needs to be enabled
>> when compiling dovecot, so depending on the packager it might or might not be
>> available. The CRYPT ones are available if crypt(3) supports them. In
>> dovecot v2.3 we have added bcrypt support regardless of crypt(3) support.
> 
> CentOS7 is on dovecot 2.2.36:
> 
> # doveadm pw -s ARGON2-CRYPT -p secret
> Fatal: Unknown scheme: ARGON2-CRYPT
> # doveadm pw -s ARGON2 -p secret
> Fatal: Unknown scheme: ARGON2
> 
> I tend to stay with the distro's rpms and not take on building and 
> maintaining myself.

And for the record, the hash names are ARGON2I and ARGON2ID (see doveadm pw -l)

With dovecot from the dovecot.org repo: 

# doveadm pw -s ARGON2I -p secret
{ARGON2I}$argon2i$v=19$m=32768,t=4,p=1$bt96TSr3nVrho2SRhnNP0A$h7LYiqkw/4s6d1d+0Xpe+VUE3aISPnkYq/R7QqPRntk
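As an added example (not dovecot's own code and not from this thread), the following Python parses the {SCHEME}hash form that doveadm pw prints, breaks the Argon2 PHC string above into its parameters, and verifies passwords against the SHA512 and SSHA512 schemes with hashlib; Argon2 verification itself needs a dedicated library and is deliberately not included. The SSHA512 layout assumed here is base64(sha512(password + salt) + salt).

```python
import base64
import hashlib
import hmac
import os
import re

# Output quoted in this thread: doveadm pw -s ARGON2I -p secret
PAGE_HASH = ("{ARGON2I}$argon2i$v=19$m=32768,t=4,p=1$bt96TSr3nVrho2SRhnNP0A"
             "$h7LYiqkw/4s6d1d+0Xpe+VUE3aISPnkYq/R7QqPRntk")

SCHEME_RE = re.compile(r"^\{(?P<scheme>[A-Z0-9.-]+)\}(?P<hash>.*)$")

def split_scheme(stored):
    """Split dovecot's '{SCHEME}hash' string into (scheme, hash)."""
    m = SCHEME_RE.match(stored)
    if not m:
        raise ValueError("missing {SCHEME} prefix")
    return m.group("scheme"), m.group("hash")

def argon2_params(phc):
    """Parse '$argon2i$v=19$m=..,t=..,p=..$salt$hash' (PHC format) into a dict."""
    parts = phc.split("$")  # the leading '$' yields an empty first element
    if len(parts) != 6 or parts[1] not in ("argon2i", "argon2id"):
        raise ValueError("not an argon2 PHC string")
    params = {"variant": parts[1], "v": int(parts[2].split("=")[1])}
    for kv in parts[3].split(","):
        key, val = kv.split("=")
        params[key] = int(val)  # m = memory in KiB, t = iterations, p = lanes
    params["salt"], params["hash"] = parts[4], parts[5]
    return params

def make_sha512(password):
    """Dovecot SHA512 scheme: base64 of the raw, unsalted digest."""
    return "{SHA512}" + base64.b64encode(hashlib.sha512(password.encode()).digest()).decode()

def make_ssha512(password, salt=None):
    """Dovecot SSHA512 scheme (assumed layout): base64(sha512(password + salt) + salt)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.sha512(password.encode() + salt).digest()
    return "{SSHA512}" + base64.b64encode(digest + salt).decode()

def verify(stored, password):
    """Constant-time check of a candidate password against a SHA512/SSHA512 entry."""
    scheme, h = split_scheme(stored)
    raw = base64.b64decode(h)
    if scheme == "SHA512":
        return hmac.compare_digest(raw, hashlib.sha512(password.encode()).digest())
    if scheme == "SSHA512":
        digest, salt = raw[:64], raw[64:]  # sha512 digest is 64 bytes, salt follows
        return hmac.compare_digest(digest, hashlib.sha512(password.encode() + salt).digest())
    raise NotImplementedError(f"{scheme}: use a dedicated library (e.g. argon2 for ARGON2I)")
```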



Re: Ubuntu 18.04 (Bionic) packages now available

2018-11-26 Thread Jean-Daniel Dupas



> Le 25 nov. 2018 à 19:25, Michael Ludwig  a écrit 
> :
> 
> 
> Hello Dovecot-List,
> 
> so Ubuntu users now can get the latest dovecot version. As I am just building 
> a production mailserver for customers, this could come in handy, maybe.
> For a live production system, is it reasonable to switch from the main Ubuntu 
> Dovecot release to your newer packages?
> How long will the Dovecot team build these packages? When the team doesn't want 
> to build these packages anymore, how difficult will it be to switch back to 
> the Ubuntu maintained versions?
> 

I did the switch from mainstream to dovecot repo to upgrade from 2.2 to 2.3 on 
xenial, and apart from one or two minor configuration changes, it worked just fine.

And more recently, I switched from a bionic-backport of cosmic release (used to 
get 2.3 on bionic) to this just released version using apt and it was 
transparent.

In my case, switching back to mainstream on the other hand would be harder, as 
I now rely on 2.3 specific features.

So I guess as long as you don't use features that are not yet released 
upstream, switching back should not be difficult.





Re: Dovecot send duplicated certificates when using ssl_alt_cert

2018-05-24 Thread Jean-Daniel Dupas


> Le 24 mai 2018 à 09:55, Aki Tuomi <aki.tu...@dovecot.fi> a écrit :
> 
> 
> 
> On 17.05.2018 16:33, @lbutlr wrote:
>> On 2018-05-16 (08:54 MDT), Jean-Daniel Dupas <jddu...@xooloo.com> wrote:
>>> My problem is that when connecting, dovecot includes 2 copies of Let's 
>>> Encrypt Authority X3 in the certificate chain.
>> I think Dovecot 2.2 also has this issue, if I remember previous posts 
>> accurately. Recommendations to include the full chain in the cert didn't 
>> seem to work.
>> 
> 
> Hi!
> 
> This is a thing that gets fixed in 2.3.2, but it's also OpenSSL version
> dependent, so if you are using older than 1.1.0, you'll get this issue,
> due to how OpenSSL deals with the certs.
> 

OK. Thank you for the (upcoming) fix.
That OpenSSL version limitation shouldn't be an issue for me.




dovecot 2.3 on Ubuntu 18.04 LTS

2018-05-16 Thread Jean-Daniel Dupas
Hello,

I'm running dovecot 2.3 from repo.dovecot.org on 
ubuntu 16.04 LTS, and I'm wondering if there is a scheduled date for the 
release of the bionic package in that repository.

The Ubuntu mainstream version is based on the 2.2 branch, which prevents us from 
using it.

Thanks.




Dovecot send duplicated certificates when using ssl_alt_cert

2018-05-16 Thread Jean-Daniel Dupas
Hello,

I'm running dovecot 2.3.1 (c5a5c0c82) and trying to experiment with using both 
RSA and ECDSA certificates.

My configuration is as follows:

ssl_alt_cert =