RE: Ubuntu 16.04 dovecot-core requires deprecated ntpdate

2017-08-17 Thread Michael Fox
> > When I select the dovecot-core package in Synaptic, it also wants to
> install
> > ntpdate.
> Install packages at the command line using apt-get. It lets you better see
> and understand what's going on.
> dovecot-core /recommends/ ntpdate. This means you can install with apt-get
> --no-install-recommends and the Recommends will be shown but not
> installed, leaving the judgement to you.

Ahah!  OK Thanks.

 
> > Now the dovecot-core package evidently requires ntpdate.  I can't
> imagine
> > why this dependency would exist.  And I presume this dependency will
> prevent
> > me from removing ntpdate after I install dovecot-core.
> In apt-based systems, removing a package triggers removal of any depending
> packages, but not "recommending" packages.
> Just try 'apt-get remove ntpdate'. It will prompt you, and quite likely it
> will say it is about to remove ntpdate and no other package.
> It will do what it says it is going to do, and no more.

OK.  Thanks.

 
> > Is the Debian package maintainer on the list?
> He does read the list. In either case dovecot-core in ubuntu 17.04 and in
> Debian stretch and jessie don't have this Recommends.
> > I don't know what to do.  Any suggestions?
> Remove ntpdate, you'll be fine.

Great.  Thanks!

Michael


RE: Ubuntu 16.04 dovecot-core requires deprecated ntpdate

2017-08-17 Thread Michael Fox
> 
> So, this is obviously an Ubuntu packaging problem, so should be reported
> there.

I don't know where "there" is.  Can you tell me where?

Thanks,
Michael


Ubuntu 16.04 dovecot-core requires deprecated ntpdate

2017-08-17 Thread Michael Fox
I'm building a new Ubuntu 16.04 machine, including Dovecot.

When I select the dovecot-core package in Synaptic, it also wants to install
ntpdate.

 

Problem:  ntpdate has been replaced in Ubuntu with timedatectl.  In fact, if
ntpdate exists on the machine, ntpd will not work properly.

 

See:  https://help.ubuntu.com/lts/serverguide/NTP.html

See:  https://askubuntu.com/questions/769651/ntp-failed-to-synchronize-time

See:  https://ubuntu101.co.za/ubuntu/fix-ntp-on-ubuntu-16-starting-crashing/

http://www.ubuntugeek.com/install-and-configure-network-time-protocol-ntp-serverclients-on-ubuntu-16-04-server.html

... and more

 

Indeed, I had to remove ntpdate in order to make ntpd work.  I don't want to
break ntpd.

 

Now the dovecot-core package evidently requires ntpdate.  I can't imagine
why this dependency would exist.  And I presume this dependency will prevent
me from removing ntpdate after I install dovecot-core.

 

Is the Debian package maintainer on the list?

I don't know what to do.  Any suggestions?  

 

Thanks in advance,

Michael

RE: Dovecot source code audit

2017-01-13 Thread Michael Fox
Congratulations Timo and all.

Michael


> -Original Message-
> From: dovecot [mailto:dovecot-boun...@dovecot.org] On Behalf Of Timo
> Sirainen
> Sent: Friday, January 13, 2017 9:17 AM
> To: Dovecot Mailing List 
> Subject: Dovecot source code audit
> 
> Mozilla sponsored source code audit for Dovecot. So thanks to them we have
> our first public code audit:
> https://wiki.mozilla.org/MOSS/Secure_Open_Source/Completed#dovecot
> 
> Dates: October 2016 - January 2017
> 
> dovecot is a POP and IMAP mailserver; it is used in 68% of IMAP server
> deployments worldwide. The audit was performed by Cure53.
> 
> The team found the following problems:
> 
>   • 3 Low
> 
> The Cure53 team were extremely impressed with the quality of the dovecot
> code. They wrote: "Despite much effort and thoroughly all-encompassing
> approach, the Cure53 testers only managed to assert the excellent
> security-standing of Dovecot. More specifically, only three minor security
> issues have been found in the codebase, thus translating to an
> exceptionally good outcome for Dovecot, and a true testament to the fact
> that keeping security promises is at the core of the Dovecot development
> and operations."


RE: expunging all mailboxes

2017-01-03 Thread Michael Fox
> maybe the debug option '-D' gives a clue why it fails on your site?
> 
> doveadm -D expunge -u user@domain mailbox '*' savedbefore 2d

I don't see any errors in the debug output.  And if there was an error, one
would expect to see an error message when running the expunge command even
without debugging turned on.

Thanks for trying.  I've got to put this aside for a few days to meet a
deadline for another project.  I'll pick it up with more testing after that.

Michael


RE: expunging all mailboxes

2016-12-30 Thread Michael Fox
> Huh, it certainly did for me, although I used "all" instead of
> "savedbefore 30d" since I just wanted to empty the trash. What
> version of Dovecot? Mine is 2.2.27.

Well, not for me.
doveadm search -u user@domain ALL savedbefore 2d
-- returns some messages
doveadm expunge -u user@domain mailbox '*' savedbefore 2d
-- nothing shown, but no error
doveadm search -u user@domain ALL savedbefore 2d
-- returns the same messages as before

I've got 2.2.9 (Ubuntu package for 14.04)


> I guess that's reasonable for a critical application, but normally I
> would expect an IMAP client to request headers-only, or just recent
> messages. My phone's K9 client defaults to something like 2 weeks.

Right.  But your phone has 100s of kbps or even Mbps of bandwidth, full
duplex.  But when multiple users are sharing a simplex 56kbps radio channel,
even just the headers of old/irrelevant mail are to be avoided.

Michael


RE: expunging all mailboxes

2016-12-30 Thread Michael Fox
> doveadm expunge -u  mailbox '*' savedbefore 30d

That doesn't work for me either.  The command is accepted, but the messages
are not expunged.

I guess my search/fetch will just have to return the mailbox name, in
addition to other fields, and then I'll need to loop through the mailbox
names and perform multiple expunges for each user.  I understand the desire
to avoid accidents by requiring that the mailbox be specified.  But if
"mailbox ALL" or "mailbox '*'" were allowed, that would still avoid the
accident and yet also avoid the inefficiency of having to perform multiple
expunges for one user.


*** Enhancement request:  provide a "mailbox all" or "mailbox '*'" option
for doveadm search_query so that expunge can be used to remove mail without
regard to which mailbox it's in.

 
> Are you sure you really want to do this? My server expunges Trash and
> Junk on a cycle, but reaching into other mailboxes seems iffy.

Yes.  I understand it's unusual.  This is an RF (radio) application for
emergency services.  We have to be efficient about channel utilization.
Users know they need to keep their mailboxes clean so that, at the start of
an emergency (or other incident), the channel is not clogged with
downloading lots of old, irrelevant mail.  If they haven't logged in for a
while, we'll keep it clear for them.

Michael


RE: expunging all mailboxes

2016-12-29 Thread Michael Fox
> > But is there a way tell it all mailboxes for a user?  For example,
> something
> > like:
> >
> > doveadm expunge -u user@domain mailbox ALL savedbefore 30d
> 
> try:
> doveadm expunge -u user@domain ALL savedbefore 30d
> 
> just like the example that's here:
> http://wiki2.dovecot.org/Tools/Doveadm/SearchQuery

I already tried that.  Did you?  
For me, expunge returns an error that says the mailbox must be listed.
Also, that example is for search, not expunge.

So, the original question remains:  is there a way to specify all mailboxes
for a user?

Michael


postlogin script - still confused

2016-12-25 Thread Michael Fox
> You need to use executable = script-login -- /path/post-login.sh -a -r -g
> note the double-dash. it tells getopt to stop processing arguments.
>
> Aki

OK. Thanks.  So let me make sure I have this right, since there is no syntax
defined on the wiki - just an example which doesn't show the above syntax.

The valid possibilities are:

  executable = script-login [-d] /path/script1 /path/script2 ...
-or-
  executable = script-login [-d] -- /path/script1 -a -r -g -s

In other words, I can either call multiple scripts, each with no arguments,
or I can call one script with arguments.  But I cannot call multiple
scripts, some with arguments, some without arguments.  Is that correct?  If
not, please show all valid syntax options.


Also, regarding the exec "$@" line shown at the end of the wiki examples.

If I pass arguments "-a -r -g -s" to my script, as in:
  executable = script-login -- /path/script1 -a -r -g -s

then doesn't the exec "$@" line at the end become:
  exec -a -r -g -s

And surely that's not right.  So, could you please explain in words the
purpose of the exec line at the end - what it does, why it's needed, and
what to do if I'm sending arguments to my postlogin script?

Thanks,
Michael


FW: postlogin script

2016-12-13 Thread Michael Fox
No response seen yet.  Trying again.

Surely someone knows how the postlogin scripts work and can answer these
questions easily...  Anyone? 

Thanks,
Michael


-Original Message-
From: dovecot [mailto:dovecot-boun...@dovecot.org] On Behalf Of Michael Fox
Sent: Sunday, December 11, 2016 8:48 AM
To: Dovecot Mailing List <dovecot@dovecot.org>
Subject: postlogin script

I'm using the postlogin service, following the examples in the wiki.  But I
can't find any documentation on the behavior (what's allowed/not allowed) of
the script-login binary.  So, some questions:

 

Question 1:

The examples show the following at the end of the post-login.sh script:
exec "$@"

My understanding is that this would exec each of the command line arguments
to the post-login.sh script.  But, there are no arguments sent to the
post-login.sh script in the examples.  So what is this line supposed to do?

 

Question 2:

One of the examples shows exporting some environmental variables, followed
by the above exec line:

export MAIL=maildir:/tmp/test

export USERDB_KEYS="$USERDB_KEYS mail"

exec "$@"

Now, I'm really confused.  Can someone explain step-by-step why this does
anything at all?

 

Question 3:

I'd like to be able to pass some information to the post-login.sh script,
such as the service (%s), as a positional parameter.  

For example:  executable = script-login /path/post-login.sh %Ls

Or even more explicitly:  executable = script-login /path/post-login.sh imap

But it appears that the script-login binary is expecting only script names
to be passed to it so that it can handle more than one script.  Is there a
way to pass arguments to the different scripts?

 

Thanks,

Michael

postlogin script

2016-12-11 Thread Michael Fox
I'm using the postlogin service, following the examples in the wiki.  But I
can't find any documentation on the behavior (what's allowed/not allowed) of
the script-login binary.  So, some questions:

 

Question 1:

The examples show the following at the end of the post-login.sh script:
exec "$@"

My understanding is that this would exec each of the command line arguments
to the post-login.sh script.  But, there are no arguments sent to the
post-login.sh script in the examples.  So what is this line supposed to do?

 

Question 2:

One of the examples shows exporting some environmental variables, followed
by the above exec line:

export MAIL=maildir:/tmp/test

export USERDB_KEYS="$USERDB_KEYS mail"

exec "$@"

Now, I'm really confused.  Can someone explain step-by-step why this does
anything at all?

 

Question 3:

I'd like to be able to pass some information to the post-login.sh script,
such as the service (%s), as a positional parameter.  

For example:  executable = script-login /path/post-login.sh %Ls

Or even more explicitly:  executable = script-login /path/post-login.sh imap

But it appears that the script-login binary is expecting only script names
to be passed to it so that it can handle more than one script.  Is there a
way to pass arguments to the different scripts?

 

Thanks,

Michael
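
An added example, not the wiki's code and not from any post in this thread, showing the wrapper pattern those post-login scripts follow: whatever launches the script passes the command that must eventually run as the script's positional parameters, the script exports what it needs, and then it replaces itself with that command through exec "$@". It also shows why exec "$@" does not turn into "exec -a -r -g -s" when the script takes options of its own: the options are consumed with getopts and shifted away before the exec. Assumptions, marked in the comments: the script's options precede the hand-off command in the argument list (the thread does not state the exact argument order script-login uses), and the option meanings, the variables POSTLOGIN_AUDIT and POSTLOGIN_READONLY and the function name post_login_wrapper are invented for this example.

```shell
#!/bin/sh
# Added example, not from the wiki or from this thread: a post-login style wrapper.
# The launcher passes the command that must eventually run as the wrapper's
# positional parameters; the wrapper exports what it needs and then replaces
# itself with that command via exec "$@". Consuming the wrapper's own options
# first is what keeps exec "$@" from becoming "exec -a -r -g -s".
# Assumptions (constructed for this example): the options -a -r -g -s precede the
# hand-off command in the argument list, and post_login_wrapper, POSTLOGIN_AUDIT
# and POSTLOGIN_READONLY are invented names; the thread does not state the exact
# argument order script-login uses.

# A real post-login script would run this body at top level and exec exactly once.
# The subshell is only so the function can be called repeatedly for testing.
post_login_wrapper() {   # usage: post_login_wrapper [-a] [-r] [-g] [-s] command [args...]
    (
        OPTIND=1; audit=0; readonly_flag=0
        while getopts 'args' opt; do
            case $opt in
                a) audit=1 ;;
                r) readonly_flag=1 ;;
                g|s) : ;;                        # accepted, unused in this example
                *) echo "usage: post-login.sh [-a] [-r] [-g] [-s] command..." >&2; exit 2 ;;
            esac
        done
        shift $((OPTIND - 1))                    # drop our options; "$@" is now the command
        if [ $# -eq 0 ]; then
            echo "post-login.sh: nothing to exec" >&2; exit 2
        fi
        export POSTLOGIN_AUDIT=$audit POSTLOGIN_READONLY=$readonly_flag
        # Same shape as the wiki example quoted in the thread: export values, and list
        # in USERDB_KEYS the ones the exec'd program should pick up as userdb fields.
        export USERDB_KEYS="${USERDB_KEYS:+$USERDB_KEYS }mail"
        exec "$@"                                # replace this process with the command
    )
}
```

Calling `post_login_wrapper -a -r sh -c 'echo "$POSTLOGIN_AUDIT $USERDB_KEYS"'` prints `1 mail`: the flags were consumed, and the exec'd command inherited the exported variables.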

RE: shared/public mailbox application

2016-11-29 Thread Michael Fox
> Basically we alias n...@domain.com to dove...@domain.com. doveadm@ has a
> sieve-Script which files into the public folder. You could also configure
> a postfix transport which does the job.

Ah.  OK.  That may be more complexity than I need for my situation.  So please 
bear with me as I try to understand this.

IF:

Postfix is already configured to deliver mail destined for the virtual domain 
"domain.com" to Dovecot
--and--
I create the NAMESPACE and NAME setup as you described
--and--
I create a Dovecot userdb entry for n...@domain.com (but no passdb entry)
--and--
I configure ACLs so that all domain.com users can read NAME's mailbox but only 
admin users can delete messages in NAME's mailbox
--and--
I configure the virtual INBOX for POP users to include "RealMails" and "NAME"

THEN, I'm thinking that:

Because there is no passdb entry, user n...@domain.com cannot log in
--and--
Because userdb defines NAME's home directory, incoming mail to n...@domain.com 
would be delivered to the NAME mailbox, just like any other user in domain.com, 
without the need for aliasing or sieve
--and--
Because of the ACLs, IMAP admin users would be able to delete/manage NAME's 
messages and everyone else would be able to read NAME's messages
--and--
Because of the virtual INBOX, POP users would be able to read the NAME messages.

Does that make sense?  Am I missing something?


> It's necessary to overlook the whole process chain to properly configure
> everything.

Yes!  Agreed!  That's why I'm trying to think through the whole thing before 
diving down a rabbit hole that leads to a dead end.

> And a lot of try out :)

For sure.  (Just as soon as I understand what I'm trying to do.)  ;-)

Michael


RE: shared/public mailbox application

2016-11-28 Thread Michael Fox
Thanks Tobias.  Thanks for the detailed reply.

 

I think I see what you’re doing.  But I’m unclear on something (since I’m a 
nube):

 

Can anyone send mail to n...@domain.com and have it appear in the public mailbox?

 

If not, would it be enough to create a userdb entry which defines a pseudo-user
NAME, including its home directory, such that incoming mail addressed to
n...@domain.com could be delivered into that mailbox?

 

Thanks,

Michael

 

 

 

From: Tobias Kirchhofer [mailto:tob...@kirchhofer.net] 
Sent: Monday, November 28, 2016 7:19 AM
To: Michael Fox <n...@mefox.org>
Cc: Dovecot Mailing List <dovecot@dovecot.org>
Subject: Re: shared/public mailbox application

 

Hi Michael,

we migrated from Cyrus Shared Folders to Dovecot Public Folder.

Our setup with Dovecot:

*   Public Namespace type=public
*   prefix=NAMESPACE
*   location=maildir:/var/vmail/public/domain.com/folder:INDEXPVT=~/public/domain.com/NAME
*   list=children to show NAMESPACE only if acl is given
*   Restart Dovecot
*   cd /var/vmail/public/domain.com/NAMESPACE
*   mkdir .NAME
*   We utilise one user dove...@domain.com to control acl
*   doveadm acl set -u dove...@domain.com NAMESPACE/NAME user=dove...@domain.com all (this creates also the Maildir)
*   doveadm mailbox subscribe -u dove...@domain.com NAMESPACE/NAME
*   dm acl set -u dove...@domain.com NAMESPACE/NAME user=firstname.lastn...@domain.com lookup read write write-seen write-deleted insert post expunge

User firstname.lastn...@domain.com can now subscribe to the public folder „NAMESPACE/NAME“.

With this base you could create a more specific setup which more precisely fits 
your need.

There are also other strategies for achieving Shared Folders the Cyrus way. :)

Hope that helps.

Tobias

On 28 Nov 2016, at 15:38, Michael Fox wrote:

No answer. Trying again. Surely someone with experience with public
mailboxes can offer some insight on whether the application below should be
a public or shared namespace ...

Thanks
Michael

-Original Message-
From: dovecot [mailto:dovecot-boun...@dovecot.org] On Behalf Of Michael Fox
Sent: Thursday, November 24, 2016 11:53 AM
To: Dovecot Mailing List <dovecot@dovecot.org>
Subject: shared/public mailbox application

I'm new to Dovecot and I need help configuring a shared or public mailbox -
I'm not sure which is appropriate. I've read the wiki and Peer's book and
neither appears to cover what I'd like to do. So I could use some specific
help on how to configure a solution for the following:

I'd like to create two real mailboxes, let's call them AAA and BBB. Let's
call the domain "mydomain". By "real", I mean that users aaa@mydomain and
bbb@mydomain can log into their own mailbox.

Any user can send mail to them, just like any other address:
aaa@mydomain or bbb@mydomain.

I'd like all IMAP users in mydomain to be able to read the messages in those
mailboxes.

I'd like all POP users in mydomain to also see those messages. (But I don't
think I need help with the virtual part).

I'd like only a few designated IMAP users to be able to delete the messages
in those mailboxes, including dummy users AAA and BBB themselves.

Ideally, I'd like them to appear in the client under a separate namespace
from shared mailboxes. Example:

INBOX

+--- the normal stuff.

Shared

+--- user1

+--- user2

Special

+--- AAA

+--- BBB

My confusion:

1) I don't know if this requires a shared namespace or a public
namespace. It "feels" like it's "public", since all users would have
access. But Peer's book and the wiki describe manually creating folders for
public namespaces and controlling the contents with manual file
manipulation, which leads me to believe that they can't be used for regular
mail (although the book and the wiki never say one way or the other). I
don't want to manually control files. I want to send mail to the mailbox
and delete (see above) it with a client.

2) There are several examples in Peer's book and the wiki, but none
seem to match what I want. (This is the problem with documentation that is
predominantly example-based). I guess I need more explanation of the
mechanical differences between shared and public and why one would pick one
over the other.

Can someone help? Please be as specific as you can.

Thanks much,

Michael

-- 
Tobias Kirchhofer
tob...@kirchhofer.net


RE: shared/public mailbox application

2016-11-28 Thread Michael Fox
> 
> Hi,
> I did that in Linux (Ubuntu) by using symbolic links.
> In the INBOX of users that you want to see shared emails place a symlink
> to
> the shared INBOX.
> 
>   | 
>   |  | ...INBOX
>   |  | .Drafts (folder)
>   |  | .Trash (folder
>   |  | ...
>   |  | ~.Shared AAA --> ../aaa
>   |  | ~.Shared BBB --> ../bbb
>   | 
>   |  |  ...INBOX
>   |  | ...
>   |  | ~.Shared AAA --> ../aaa
>   |  | ~.Shared BBB --> ../bbb
>   | 
>   |  | ...INBOX
>   |  | ...
>   | 
>   |  | ...INBOX
>   |  | ...
> The only thing that could create problems are permissions. I use the same
> UID/GID for all users (vmail:vmail) so I don't have such problems.
> If you want special permissions for groups of users (some can delete
> emails
> in shared folders) you need to define the permission groups, add users you
> want to those groups and set rw permission and set group bit on shared
> folders.

Thanks Adrian.  That's an interesting idea.  I don't think it will fit what
I'm trying to do.  But thanks for taking the time to respond.  Every little
bit helps me learn how things work.

Michael  


FW: shared/public mailbox application

2016-11-28 Thread Michael Fox
No answer.  Trying again.  Surely someone with experience with public
mailboxes can offer some insight on whether the application below should be
a public or shared namespace ...

Thanks
Michael


-Original Message-
From: dovecot [mailto:dovecot-boun...@dovecot.org] On Behalf Of Michael Fox
Sent: Thursday, November 24, 2016 11:53 AM
To: Dovecot Mailing List <dovecot@dovecot.org>
Subject: shared/public mailbox application

I'm new to Dovecot and I need help configuring a shared or public mailbox -
I'm not sure which is appropriate.  I've read the wiki and Peer's book and
neither appears to cover what I'd like to do.  So I could use some specific
help on how to configure a solution for the following:

 

I'd like to create two real mailboxes, let's call them AAA and BBB.  Let's
call the domain "mydomain".  By "real", I mean that users aaa@mydomain and
bbb@mydomain can log into their own mailbox.

Any user can send mail to them, just like any other address:
aaa@mydomain or bbb@mydomain.

I'd like all IMAP users in mydomain to be able to read the messages in those
mailboxes.

I'd like all POP users in mydomain to also see those messages.  (But I don't
think I need help with the virtual part).

I'd like only a few designated IMAP users to be able to delete the messages
in those mailboxes, including dummy users AAA and BBB themselves.

Ideally, I'd like them to appear in the client under a separate namespace
from shared mailboxes.  Example:

 

INBOX

+--- the normal stuff.

Shared

+--- user1

+--- user2

Special

+--- AAA

+--- BBB

 

My confusion:

1)  I don't know if this requires a shared namespace or a public
namespace.  It "feels" like it's "public", since all users would have
access.  But Peer's book and the wiki describe manually creating folders for
public namespaces and controlling the contents with manual file
manipulation, which leads me to believe that they can't be used for regular
mail (although the book and the wiki never say one way or the other).   I
don't want to manually control files.  I want to send mail to the mailbox
and delete (see above) it with a client.

2)  There are several examples in Peer's book and the wiki, but none
seem to match what I want.  (This is the problem with documentation that is
predominantly example-based).  I guess I need more explanation of the
mechanical differences between shared and public and why one would pick one
over the other.

 

Can someone help?  Please be as specific as you can.

 

Thanks much,

Michael

shared/public mailbox application

2016-11-24 Thread Michael Fox
I'm new to Dovecot and I need help configuring a shared or public mailbox -
I'm not sure which is appropriate.  I've read the wiki and Peer's book and
neither appears to cover what I'd like to do.  So I could use some specific
help on how to configure a solution for the following:

 

I'd like to create two real mailboxes, let's call them AAA and BBB.  Let's
call the domain "mydomain".

Any user can send mail to them, just like any other address:
aaa@mydomain or bbb@mydomain.

I'd like all IMAP users in mydomain to be able to read the messages in those
mailboxes.

I'd like all POP users in mydomain to also see those messages.  (But I don't
think I need help with the virtual part).

I'd like only a few designated IMAP users to be able to delete the messages
in those mailboxes, including dummy users AAA and BBB themselves.

Ideally, I'd like them to appear in the client under a separate namespace
from shared mailboxes.  Example:

 

INBOX

+--- the normal stuff.

Shared

+--- user1

+--- user2

Special

+--- AAA

+--- BBB

 

My confusion:

1)  I don't know if this requires a shared namespace or a public
namespace.  It "feels" like it's "public", since all users would have
access.  But Peer's book and the wiki describe manually creating folders for
public namespaces and controlling the contents with manual file
manipulation, which leads me to believe that they can't be used for regular
mail (although the book and the wiki never say one way or the other).   I
don't want to manually control files.  I want to send mail to the mailbox
and delete (see above) it with a client.

2)  There are several examples in Peer's book and the wiki, but none
seem to match what I want.  (This is the problem with documentation that is
predominantly example-based).  I guess I need more explanation of the
mechanical differences between shared and public and why one would pick one
over the other.

 

Can someone help?  Please be as specific as you can.

 

Thanks much,

Michael

RE: autoexpunge clarification

2016-09-01 Thread Michael Fox
Thanks Philon.

In one of my situations, the potential for such old mail in accounts where the 
user is not receiving new mail or logging in is large.  For example, one 
application is for an emergency auxiliary mail service.  It can be heavily used 
during training, drills and, of course, emergencies.  But otherwise, any 
leftover mail will likely sit there until the next training, drill, or 
emergency.  The account is still valid and should not be removed.  But we'd 
like the mails to be removed so this old mail isn't dumped on the user the next 
time they connect, especially since some may connect via lower-speed radio 
links.

It looks like I'll definitely need to use the expunge plugin with a cron job.

Thanks again for the clarifications.  

Michael
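
An added example, not from Dovecot and not from any post in these threads, covering two of them: the "expunging all mailboxes" thread above, where a doveadm that would not accept "mailbox ALL" or "mailbox '*'" forced one expunge per mailbox name, and this autoexpunge thread, where a cron job is the fallback for mailboxes whose owner neither logs in nor receives mail. The script lists a user's mailboxes and runs one doveadm expunge per name. Assumptions, also marked in the comments: "doveadm mailbox list -u USER" prints one mailbox name per line, "doveadm expunge -u USER mailbox NAME savedbefore Nd" is the per-mailbox form, the DOVEADM and DRY_RUN variables and the function names are constructed here, and the cron line is illustrative.

```shell
#!/bin/sh
# Added example, not code from the thread or from Dovecot: expunge old mail from
# every mailbox of a user with one "doveadm expunge" per mailbox, the workaround
# described in the thread for a doveadm that insists on a mailbox name.
# Assumptions: "doveadm mailbox list -u USER" prints one mailbox name per line and
# "doveadm expunge -u USER mailbox NAME savedbefore Nd" is the per-mailbox form.
# DOVEADM may point at a stub binary for testing; DRY_RUN=1 prints instead of running.
# Constructed cron line for a nightly run:
#   15 3 * * * /usr/local/sbin/expunge-old.sh alice@example.org 30

DOVEADM="${DOVEADM:-doveadm}"
DRY_RUN="${DRY_RUN:-0}"

# Run (or, with DRY_RUN=1, only print) the expunge for a single mailbox.
expunge_mailbox() {   # usage: expunge_mailbox user@domain 'Mailbox Name' days
    if [ "$DRY_RUN" = 1 ]; then
        printf 'would run: doveadm expunge -u %s mailbox "%s" savedbefore %sd\n' "$1" "$2" "$3"
    else
        "$DOVEADM" expunge -u "$1" mailbox "$2" savedbefore "${3}d"
    fi
}

# Expunge mail saved more than $2 days ago from every mailbox of user $1.
# Returns 2 on a bad day count, 1 if listing or any single expunge failed, else 0.
expunge_all_mailboxes() {   # usage: expunge_all_mailboxes user@domain days
    user=$1; days=$2
    case $days in
        ''|*[!0-9]*) echo "days must be a whole number of days" >&2; return 2 ;;
    esac
    list=$(mktemp) || return 1
    if ! "$DOVEADM" mailbox list -u "$user" > "$list"; then
        echo "mailbox list failed for $user" >&2; rm -f "$list"; return 1
    fi
    rc=0
    # IFS= and read -r keep names such as "Sent Items" intact; one expunge per name
    while IFS= read -r mbox; do
        [ -n "$mbox" ] || continue
        expunge_mailbox "$user" "$mbox" "$days" ||
            { echo "expunge failed: $user $mbox" >&2; rc=1; }
    done < "$list"
    rm -f "$list"
    return $rc
}

# Number of mailboxes a run would touch; worth checking before scheduling it.
count_mailboxes() {   # usage: count_mailboxes user@domain
    "$DOVEADM" mailbox list -u "$1" | grep -c .
}
```

Run it first with DRY_RUN=1 to see the exact commands, then without; a non-zero exit from the cron job means at least one mailbox was skipped and the stderr lines say which.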


RE: autoexpunge clarification

2016-08-31 Thread Michael Fox
Thanks Philon,

I did read the extra bullets, as indicated in my email below.  But your "When 
the user quits and thus closes his mailbox/connection" is more clear than 
"after the client is already disconnected", since the latter is really anytime, 
rather than at the time they quit.

I can guess that the bullet about LMTP similarly means at the end of each 
time LMTP delivers mail to the mailbox.

Assuming that is true, then the problem I see with autoexpunge is that it 
doesn't address the case of a user that has not logged in nor received mail in 
that mailbox for the specified time.  Those messages would apparently stay 
forever.  Correct?

And, if that's true, then the cron job seems like the only way to expunge all 
old messages.  Correct?

Thanks,
Michael


 

> -Original Message-
> From: dovecot [mailto:dovecot-boun...@dovecot.org] On Behalf Of Philon
> Sent: Wednesday, August 31, 2016 12:41 AM
> To: Michael Fox <n...@mefox.org>
> Cc: Dovecot Mailing List <dovecot@dovecot.org>
> Subject: Re: autoexpunge clarification
> 
> Hi Michael,
> 
> the article is fine if you continue reading it to the next bullet points
> about IMAP, POP3 and LMTP. In short words…
> 
> When the user quits and thus closes his mailbox/connection, Dovecot
> quickly looks through the folders to clean up mails which are older than
> configured days.
> 
> In the past there was a cron job which could do this every n hours, days,
> … but this setting does this automatically. Still I prefer using cron
> which gives me more control over when this lookup happens.
> 
> User deinitialization is simply developer „slang" for user closes
> connection/quits his program.
> 
> 
> Philon
> 
> > Am 30.08.2016 um 14:41 schrieb Michael Fox <n...@mefox.org>:
> >
> > I'm trying to understand autoexpunge, but the documentation is just not
> > clear.  Hopefully, someone can clear up a few questions.
> >
> >
> >
> > http://wiki.dovecot.org/MailboxSettings says the following:
> >
> >
> >
> > autoexpunge=: (v2.2.20+) Automatically at user deinitialization
> > expunge all mails in this mailbox whose saved-timestamp is older than
> 
> > (e.g. autoexpunge=30d). This removes the need for expire plugin
> > <http://wiki.dovecot.org/Plugins/Expire>  if you don't care that the
> > expunging may not always happen in time.
> >
> >
> >
> > What does "at user deinitialization" mean?
> >
> >
> >
> > What does "if you don't care that the expunging may not always happen in
> > time" mean?
> >
> >
> >
> > I read the sub-bullets but they just aren't clear.  When exactly does
> > autoexpunge occur?
> >
> >
> >
> > Thanks,
> >
> > Michael
> >
> >


autoexpunge clarification

2016-08-30 Thread Michael Fox
I'm trying to understand autoexpunge, but the documentation is just not
clear.  Hopefully, someone can clear up a few questions.

 

http://wiki.dovecot.org/MailboxSettings says the following:

 

autoexpunge=: (v2.2.20+) Automatically at user deinitialization
expunge all mails in this mailbox whose saved-timestamp is older than 
(e.g. autoexpunge=30d). This removes the need for expire plugin if you don't
care that the expunging may not always happen in time.

 

What does "at user deinitialization" mean?

 

What does "if you don't care that the expunging may not always happen in
time" mean?

 

I read the sub-bullets but they just aren't clear.  When exactly does
autoexpunge occur?

 

Thanks,

Michael

RE: Dovecot book available again

2016-08-06 Thread Michael Fox
Thanks Peer,

I discovered it on Amazon a couple of days ago.  Received it today.  So far, 
it's exactly what I was hoping for.  I'm already learning new things!

Michael


> -Original Message-
> 
> after my publisher had to shut down his business at the end of last
> year, it took several months to organize everything.
> 
> But it's done! I'm happy to announce: The Dovecot book is available again.
> 
> You can order it at Createspace:
> 
> https://www.createspace.com/5942312
> 
> Or Amazon:
> 
> https://www.amazon.com/dp/1534895701
> https://www.amazon.co.uk/dp/1534895701
> https://www.amazon.de/dp/1534895701
> 


RE: Save user passwords in clear text

2016-08-05 Thread Michael Fox
> Is it possible to save user passwords as clear text through dovecot? I am
> currently using MD5 passwords and I allow only "plain and login”
> mechanisms but I want to switch my database to clear text as this will
> give me the ability to use more mechanisms such as CRAM-MD5. Is this
> possible?

I'm not sure if this is what you mean by saving passwords "through dovecot".  
But here's how to save a clear-text password when the passdb scheme is not 
plaintext.

Use the {PLAIN} prefix.  Example:

10-auth.conf:
  passdb {
    driver = passwd-file
    args = scheme=cram-md5 username_format=%n /path/passdb
  }

/path/passdb:
  username:{PLAIN}secret

User "username" can log in with password "secret"

Michael


RE: Dovecot password policy

2016-08-05 Thread Michael Fox
> A lot of “bots” try very simple passwords say less than X
> characters; over and over and over again before they give up.
> 
> I realize Dovecot mitigates this by slowing them down; but always nice to
> have another optional layer of defense to clip this kind of garbage closer
> to the door.

Check out fail2ban.  It's very useful for that sort of repeated bot attack.

Michael


RE: service-specific userdb affecting lmtp, quota-service

2016-08-03 Thread Michael Fox
 
> On Wed, 3 Aug 2016, Steffen Kaiser wrote:
> 
> >> Update:
> >>
> >> I was able to eliminate the /var/log/mail.err error messages (shown
> below)
> >> by creating a userdb.quota-status and userdb.lmtp passwd-file.
> However,
> >> since userdb.pop3 and userdb.imap will have different extra-fields
> values
> >> for namespace (different namespace/xxx/inbox=yes values) I can't simply
> >> create userdb.quota-status and userdb.lmtp as the union of userdb.pop3
> and
> >> userdb.imap.  At a minimum, the extra-fields namespace info has to be
> left
> >> out.
> >
> > do LMTP and Quota-status fail, if you symlink them to the imap version?

I didn't try a symlink because I intend to have separate users in
userdb.pop3 and userdb.imap so I can control who has imap access.  To allow
the two user lists to be independent, I made a unique union of the pop3 and
imap userdbs and used that for quota-status and lmtp.

  
 
> BTW: your posted conf does not contain the virtual plugin and its
> namespace.

Correct.  As I put in the previous email, I didn't get to that point.
First, I just commented out the "inbox=yes" declaration from "namespace
inbox {}" and then added it to the userdb.imap extra-fields but got an
error.

How embarrassing.  I just discovered a syntax error.  I was using:
  userdb_namespace=/namespace/inbox/inbox=yes
Instead of:
  userdb_namespace/inbox/inbox=yes

Now that's working.  

BTW, it turns out that both quota-status and lmtp need to see the value of
inbox=.  So I guess all of the userdb.%s files will include
userdb_namespace/inbox/inbox=yes, except for userdb.pop3 which will use
userdb_namespace/virtual/inbox=yes.

Next step is to configure the extra namespaces.

Thanks for your help so far, Steffen.

Michael
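A generator for the service-specific userdb.%s files this thread arrives at (separate IMAP and POP3 user lists, their union for lmtp and quota-status, and the real or virtual inbox namespace token per service), as an added example rather than code from the thread or from Dovecot. It assumes the source files use the 8-field passwd-file layout user:password:uid:gid:gecos:home:shell:extra_fields with space-separated extra fields; the sample users are constructed.

```python
#!/usr/bin/env python3
"""Generate Dovecot per-service passwd-file userdbs (the userdb.%s files
from this thread) from two source lists: the users allowed to use IMAP and
the users allowed to use POP3.

Assumed (not stated in the thread): source files use the 8-field passwd-file
layout  user:password:uid:gid:gecos:home:shell:extra_fields  with extra
fields separated by spaces; any namespace field they carry is replaced.
"""
import os
from collections import OrderedDict

FIELD_COUNT = 8
NS_PREFIX = "userdb_namespace/"                      # the inbox-selecting extra field
NS_INBOX = "userdb_namespace/inbox/inbox=yes"        # real inbox: imap, lmtp, quota-status
NS_VIRTUAL = "userdb_namespace/virtual/inbox=yes"    # virtual inbox: pop3 only


def parse_entry(line):
    """Split one passwd-file line into its 8 fields (missing ones empty).
    Only the first 7 colons separate fields, so extra fields such as
    userdb_quota_rule=*:storage=50MB keep their own colons."""
    fields = line.rstrip("\n").split(":", FIELD_COUNT - 1)
    fields += [""] * (FIELD_COUNT - len(fields))
    if not fields[0]:
        raise ValueError("passwd-file entry without a username: %r" % line)
    return fields


def strip_namespace(fields):
    """Drop every userdb_namespace/... token from the extra fields."""
    extra = [t for t in fields[-1].split() if not t.startswith(NS_PREFIX)]
    return fields[:-1] + [" ".join(extra)]


def with_namespace(fields, ns_field):
    """Append the namespace token for one service to the extra fields."""
    extra = (fields[-1] + " " + ns_field).split()
    return fields[:-1] + [" ".join(extra)]


def load(lines):
    """Parse lines into an ordered {username: fields} map with namespace
    tokens removed; blanks and '#' comments are skipped, and a username
    listed twice in the same file is an error."""
    users = OrderedDict()
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = strip_namespace(parse_entry(line))
        if fields[0] in users:
            raise ValueError("duplicate user %s" % fields[0])
        users[fields[0]] = fields
    return users


def build_service_files(imap_lines, pop3_lines):
    """Return {service: [passwd-file lines]} for imap, pop3, lmtp and
    quota-status: every service gets the real inbox namespace except pop3,
    which gets the virtual one, and lmtp/quota-status get the union of
    both user lists (whichever protocol a user reads with, delivery and
    quota checks must find them)."""
    imap_users = load(imap_lines)
    pop3_users = load(pop3_lines)

    union = OrderedDict(imap_users)
    for user, fields in pop3_users.items():
        if user in union and union[user] != fields:
            # Same account with a different uid/home/quota in the two lists:
            # lmtp/quota-status could not know which one to trust, so refuse.
            raise ValueError("conflicting entries for user %s" % user)
        union.setdefault(user, fields)

    def render(users, ns_field):
        return [":".join(with_namespace(f, ns_field)) for f in users.values()]

    return {
        "imap": render(imap_users, NS_INBOX),
        "pop3": render(pop3_users, NS_VIRTUAL),
        "lmtp": render(union, NS_INBOX),
        "quota-status": render(union, NS_INBOX),
    }


def write_service_files(directory, files):
    """Write each list as <directory>/userdb.<service>, matching the
    userdb.%s pattern in the args line of the thread's userdb block."""
    for service, lines in files.items():
        with open(os.path.join(directory, "userdb." + service), "w") as fh:
            fh.write("".join(entry + "\n" for entry in lines))


if __name__ == "__main__":
    # Constructed sample input, not data from the thread.
    imap_src = ["alice:::::::userdb_quota_rule=*:storage=100MB", "bob"]
    pop3_src = ["bob", "carol:::::::userdb_quota_rule=*:storage=20MB"]
    for service, entries in build_service_files(imap_src, pop3_src).items():
        print("userdb.%s" % service)
        for entry in entries:
            print("  " + entry)
```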
 


RE: service-specific userdb affecting lmtp, quota-service

2016-08-02 Thread Michael Fox
Update:

I was able to eliminate the /var/log/mail.err error messages (shown below)
by creating a userdb.quota-status and userdb.lmtp passwd-file.  However,
since userdb.pop3 and userdb.imap will have different extra-fields values
for namespace (different namespace/xxx/inbox=yes values) I can't simply
create userdb.quota-status and userdb.lmtp as the union of userdb.pop3 and
userdb.imap.  At a minimum, the extra-fields namespace info has to be left
out.  

So this creates the question:  For each service, which fields does the
userdb need to contain?  I can't find that documented anywhere.

For example, for the quota-status service, I presume the following are
needed:
-- username
-- home directory  (since mail_location = maildir:~/Maildir)
-- any "quota=" overrides in the extra-fields
-- nothing else

Is that right?


And I presume userdb.lmtp needs to return:
-- username
-- home directory  (since mail_location = maildir:~/Maildir)
-- nothing else

Is that right?

Thanks,
Michael


> -Original Message-
> 
> The service specific passwd-file userdb is causing quota-status and lmtp
> to
> fail.
> 
> Using:
> userdb {
>   args = ... /etc/dovecot/auth.d/%d/userdb.%s
> }
> 
> I'm getting the following in /var/log/mail.err when I try to send/receive
> mail:
> 
> Aug  1 15:46:57 n6mef-gw dovecot: auth: Error:
> passwd-file(mef...@email.n6mef.org):
> stat(/etc/dovecot/auth.d/email.n6mef.org/userdb.quota-status) failed:
> Address family not supported by protocol
> Aug  1 15:47:08 n6mef-gw dovecot: auth: Error:
> passwd-file(mef...@email.n6mef.org):
> stat(/etc/dovecot/auth.d/email.n6mef.org/userdb.lmtp) failed: Address
> family
> not supported by protocol
> 
> I don't have a userdb.quota-status or userdb.lmtp.
> 
> Is there something else that needs to be in the configuration to prevent
> these services from needing their own userdb?
> 
> Thanks,
> Michael
> 
> 
> $ doveconf -n
> # 2.2.9: /etc/dovecot/dovecot.conf
> # OS: Linux 3.16.0-76-generic x86_64 Ubuntu 14.04.4 LTS
> auth_mechanisms = cram-md5
> auth_verbose = yes
> mail_gid = vmail
> mail_location = maildir:~/Maildir
> mail_plugins = " quota"
> mail_uid = vmail
> namespace inbox {
>   inbox = yes
>   location =
>   mailbox Drafts {
> special_use = \Drafts
>   }
>   mailbox Junk {
> special_use = \Junk
>   }
>   mailbox Sent {
> special_use = \Sent
>   }
>   mailbox "Sent Messages" {
> special_use = \Sent
>   }
>   mailbox Trash {
> special_use = \Trash
>   }
>   prefix =
> }
> passdb {
>   args = /etc/dovecot/deny-users
>   deny = yes
>   driver = passwd-file
> }
> passdb {
>   args = scheme=cram-md5 username_format=%n /etc/dovecot/auth.d/%d/passdb
>   driver = passwd-file
> }
> plugin {
>   quota = maildir:User quota
>   quota_grace = 10%%
>   quota_rule = *:storage=50MB
>   quota_rule2 = Trash:storage=+10%%
>   quota_status_nouser = DUNNO
>   quota_status_overquota = 552 5.2.2 Mailbox is full
>   quota_status_success = DUNNO
>   quota_status_toolarge = 552 5.2.3 Message is too large
>   quota_warning = storage=90%% quota-warning 90 %n %d
>   quota_warning2 = storage=75%% quota-warning 75 %n %d
> }
> pop3_lock_session = yes
> protocols = pop3 imap lmtp
> service auth {
>   unix_listener /var/spool/postfix/private/dovecot-auth {
> group = postfix
> mode = 0660
> user = postfix
>   }
>   unix_listener auth-userdb {
> group = vmail
> mode = 0600
> user = vmail
>   }
> }
> service lmtp {
>   unix_listener /var/spool/postfix/private/dovecot-lmtp {
> group = postfix
> mode = 0600
> user = postfix
>   }
> }
> service pop3 {
>   executable = pop3 postlogin
>   process_limit = 25
> }
> service postlogin {
>   executable = script-login /etc/dovecot/postlogin.sh
>   group = vmail
>   user = vmail
> }
> service quota-status {
>   client_limit = 1
>   executable = quota-status -p postfix
>   inet_listener {
> port = 12340
>   }
> }
> service quota-warning {
>   executable = /etc/dovecot/quota-warning.sh
>   user = vmail
> }
> ssl = required
> ssl_cert =  ssl_key =  ssl_protocols = !SSLv2 !SSLv3
> userdb {
>   args = username_format=%n /etc/dovecot/auth.d/%d/userdb.%s
>   default_fields = home=/var/vmail/%d/%n
>   driver = passwd-file
> }
> verbose_ssl = yes
> protocol lmtp {
>   postmaster_address = x
> }
> protocol imap {
>   mail_max_userip_connections = 10
> }
> protocol pop3 {
>   mail_max_userip_connections = 1
> }
> remote 192.168.7.0/24/24 {
>   ssl = yes
> }
> remote 192.168.7.0/27/27 {
>   ssl = no
> }
> $


service-specific userdb affecting lmtp, quota-service

2016-08-01 Thread Michael Fox
The service specific passwd-file userdb is causing quota-status and lmtp to
fail.

Using:
userdb {
  args = ... /etc/dovecot/auth.d/%d/userdb.%s
}

I'm getting the following in /var/log/mail.err when I try to send/receive
mail:

Aug  1 15:46:57 n6mef-gw dovecot: auth: Error:
passwd-file(mef...@email.n6mef.org):
stat(/etc/dovecot/auth.d/email.n6mef.org/userdb.quota-status) failed:
Address family not supported by protocol
Aug  1 15:47:08 n6mef-gw dovecot: auth: Error:
passwd-file(mef...@email.n6mef.org):
stat(/etc/dovecot/auth.d/email.n6mef.org/userdb.lmtp) failed: Address family
not supported by protocol

I don't have a userdb.quota-status or userdb.lmtp.

Is there something else that needs to be in the configuration to prevent
these services from needing their own userdb?

Thanks,
Michael


$ doveconf -n
# 2.2.9: /etc/dovecot/dovecot.conf
# OS: Linux 3.16.0-76-generic x86_64 Ubuntu 14.04.4 LTS
auth_mechanisms = cram-md5
auth_verbose = yes
mail_gid = vmail
mail_location = maildir:~/Maildir
mail_plugins = " quota"
mail_uid = vmail
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
special_use = \Drafts
  }
  mailbox Junk {
special_use = \Junk
  }
  mailbox Sent {
special_use = \Sent
  }
  mailbox "Sent Messages" {
special_use = \Sent
  }
  mailbox Trash {
special_use = \Trash
  }
  prefix =
}
passdb {
  args = /etc/dovecot/deny-users
  deny = yes
  driver = passwd-file
}
passdb {
  args = scheme=cram-md5 username_format=%n /etc/dovecot/auth.d/%d/passdb
  driver = passwd-file
}
plugin {
  quota = maildir:User quota
  quota_grace = 10%%
  quota_rule = *:storage=50MB
  quota_rule2 = Trash:storage=+10%%
  quota_status_nouser = DUNNO
  quota_status_overquota = 552 5.2.2 Mailbox is full
  quota_status_success = DUNNO
  quota_status_toolarge = 552 5.2.3 Message is too large
  quota_warning = storage=90%% quota-warning 90 %n %d
  quota_warning2 = storage=75%% quota-warning 75 %n %d
}
pop3_lock_session = yes
protocols = pop3 imap lmtp
service auth {
  unix_listener /var/spool/postfix/private/dovecot-auth {
group = postfix
mode = 0660
user = postfix
  }
  unix_listener auth-userdb {
group = vmail
mode = 0600
user = vmail
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
group = postfix
mode = 0600
user = postfix
  }
}
service pop3 {
  executable = pop3 postlogin
  process_limit = 25
}
service postlogin {
  executable = script-login /etc/dovecot/postlogin.sh
  group = vmail
  user = vmail
}
service quota-status {
  client_limit = 1
  executable = quota-status -p postfix
  inet_listener {
port = 12340
  }
}
service quota-warning {
  executable = /etc/dovecot/quota-warning.sh
  user = vmail
}
ssl = required
ssl_cert = 

passwd-file extra-fields: inbox=yes

2016-08-01 Thread Michael Fox
I'd like to implement the virtual plugin so that POP3 users can see emails
in their own inbox and a public namespace.  As I understand it, I need to
set "inbox=yes" separately, depending on which service the user is using.
With passwd-file flat files, this means:

userdb {
args = ... /path/userdb.%s
}

userdb.imap:
set the extra fields for each user =
userdb_namespace/inbox/inbox=yes

userdb.pop3:
set the extra fields for each user =
userdb_namespace/virtual/inbox=yes

But without even getting to the virtual namespace part, I'm having
difficulty getting the extra fields setting to work for a regular IMAP user.


Specifically:
If I use the Dovecot default settings of namespace inbox, which includes
inbox=yes, and do NOT include the extra_fields value shown above, then IMAP
users can log in OK.

But if I comment out inbox=yes within namespace inbox, and then add the
extra fields to userdb.imap (as shown above), (and reload doveadm), then the
IMAP user is no longer able to login.  Thunderbird displays "Login to server
... failed." and I get the following in syslog (mail.err):

Aug  1 13:56:13 n6mef-gw dovecot: imap(mef...@email.n6mef.org): Error: user
mef...@email.n6mef.org: Initialization failed: namespace configuration
error: Duplicate namespace prefix: ""
Aug  1 13:56:13 n6mef-gw dovecot: imap(mef...@email.n6mef.org): Error:
Invalid user settings. Refer to server log for more information.

I'm at a loss for what's wrong.  Can someone help?  
Userdb.imap test entry and doveconf -n below.

Thanks,
Michael



Userdb.imap:
mefimpMichael E Fox -
mefimp:::userdb_namespace=/namespace/inbox/inbox=yes


$ doveconf -n
# 2.2.9: /etc/dovecot/dovecot.conf
# OS: Linux 3.16.0-76-generic x86_64 Ubuntu 14.04.4 LTS
auth_mechanisms = cram-md5
auth_verbose = yes
mail_gid = vmail
mail_location = maildir:~/Maildir
mail_plugins = " quota"
mail_uid = vmail
namespace inbox {
  location =
  mailbox Drafts {
special_use = \Drafts
  }
  mailbox Junk {
special_use = \Junk
  }
  mailbox Sent {
special_use = \Sent
  }
  mailbox "Sent Messages" {
special_use = \Sent
  }
  mailbox Trash {
special_use = \Trash
  }
  prefix =
}
passdb {
  args = /etc/dovecot/deny-users
  deny = yes
  driver = passwd-file
}
passdb {
  args = scheme=cram-md5 username_format=%n /etc/dovecot/auth.d/%d/passdb
  driver = passwd-file
}
plugin {
  quota = maildir:User quota
  quota_grace = 10%%
  quota_rule = *:storage=50MB
  quota_rule2 = Trash:storage=+10%%
  quota_status_nouser = DUNNO
  quota_status_overquota = 552 5.2.2 Mailbox is full
  quota_status_success = DUNNO
  quota_status_toolarge = 552 5.2.3 Message is too large
  quota_warning = storage=90%% quota-warning 90 %n %d
  quota_warning2 = storage=75%% quota-warning 75 %n %d
}
pop3_lock_session = yes
protocols = pop3 imap lmtp
service auth {
  unix_listener /var/spool/postfix/private/dovecot-auth {
group = postfix
mode = 0660
user = postfix
  }
  unix_listener auth-userdb {
group = vmail
mode = 0600
user = vmail
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
group = postfix
mode = 0600
user = postfix
  }
}
service pop3 {
  executable = pop3 postlogin
  process_limit = 25
}
service postlogin {
  executable = script-login /etc/dovecot/postlogin.sh
  group = vmail
  user = vmail
}
service quota-status {
  client_limit = 1
  executable = quota-status -p postfix
  inet_listener {
port = 12340
  }
}
service quota-warning {
  executable = /etc/dovecot/quota-warning.sh
  user = vmail
}
ssl = required
ssl_cert = 

RE: POP3 & IMAP inbox setting for virtual

2016-08-01 Thread Michael Fox
Thanks Steffen.  I'll give that a try.


> >
> > I think you mean by %s.  Correct?
> 
> yes, %s = %{service}
> 
> >> So, generate a passwd-file with namespace/inbox/inbox, make a script to
> >> strip this settings from it and dump into another file. This script is
> to
> >> run each time, the main file changes (or by cron), in order to keep
> both
> >> files in sync.
> >>
> >> Then:
> >>
> >> userdb {
> >>driver = passwd-file
> >>args = username_format=%n /etc/passwd.%s
> >>   # default_fields = uid=vmail gid=vmail home=/home/vmail/%u
> >> }
> >>
> >> Then symlink /etc/passwd.POP3 to the file with and /etc/passwd.IMAP
> (and
> >> any other that generates not-found errors) to the file without the
> virtual
> >> namespace.
> >
> > Hmm. But the goal is for both POP3 and IMAP to see both namespaces.
> POP3
> > would see both via the virtual namespace.  So, following the idea of
> > passwd-file per %s, it seems like I should do something like:
> >
> > .../passwd.pop3:
> > Set the "extra fields" = userdb_namespace/virtual/inbox=yes
> >
> > .../passwd.imap:
> > Set the "extra fields" = userdb_namespace/inbox/inbox=yes
> >
> > Does that make sense?
> 
> yes :-)
> 


RE: POP3 & IMAP inbox setting for virtual

2016-07-29 Thread Michael Fox
Thanks Steffen.

> you can select the passwd-file by %u , e.g. see the first example of
> passdb's on http://wiki2.dovecot.org/AuthDatabase/PasswdFile

I think you mean by %s.  Correct?

> So, generate a passwd-file with namespace/inbox/inbox, make a script to
> strip this settings from it and dump into another file. This script is to
> run each time, the main file changes (or by cron), in order to keep both
> files in sync.
> 
> Then:
> 
> userdb {
>driver = passwd-file
>args = username_format=%n /etc/passwd.%s
>   # default_fields = uid=vmail gid=vmail home=/home/vmail/%u
> }
> 
> Then symlink /etc/passwd.POP3 to the file with and /etc/passwd.IMAP (and
> any other that generates not-found errors) to the file without the virtual
> namespace.

Hmm. But the goal is for both POP3 and IMAP to see both namespaces.  POP3
would see both via the virtual namespace.  So, following the idea of
passwd-file per %s, it seems like I should do something like:

.../passwd.pop3:
Set the "extra fields" = userdb_namespace/virtual/inbox=yes

.../passwd.imap:
Set the "extra fields" = userdb_namespace/inbox/inbox=yes

Does that make sense?

Michael


POP3 & IMAP inbox setting for virtual

2016-07-28 Thread Michael Fox
Posted Monday 7/25.  Haven't seen a response.  Trying again:

---

This is a noobie question, so bear with me if it's not worded correctly:

Primary Requirements:

1)  I'd like to have two namespaces - one private/per-user, and one public
(visible by all logged-in users).
The public mailbox(s) would be used to distribute information to all users.

2)  I'd like both POP3 and IMAP users to see both namespaces.
As I understand it, this requires the use of the virtual plugin for POP3, in
order to create a virtual namespace which would mix together the private and
public namespaces into one mailbox.

I have read:
http://wiki.dovecot.org/Plugins/Virtual
https://sys4.de/de/blog/2013/02/11/dovecot-virtual-setup-mit-globaler-sieve-spamfilter-regel-fur-pop3-nutzer/ (via Google translation)

The example uses a CASE statement in the MySQL userdb query.  As I
understand it, this is done to set which namespace contains the inbox:  the
private namespace or the virtual namespace -- depending on if the user is
connected via the imap or pop3 service, respectively.

Question:  how do I accomplish the same goal (setting the proper namespace
for the inbox) when using a passwd-file style flat file userdb?

Thanks,
Michael


imap & pop3 using same mailbox with virtual plugin

2016-07-25 Thread Michael Fox
This is a noobie question, so bear with me if it's not worded correctly:

Primary Requirements:
1)  I'd like to have two namespaces - one private/per-user, and one public
(visible by all logged-in users).
The public mailbox would be used to distribute information to all users.

2)  I'd like both POP3 and IMAP users to see both namespaces.
As I understand it, this requires the use of the virtual plugin to create a
virtual namespace which would mix together the private and public namespaces
into one mailbox. 

I have read:
http://wiki.dovecot.org/Plugins/Virtual
https://sys4.de/de/blog/2013/02/11/dovecot-virtual-setup-mit-globaler-sieve-spamfilter-regel-fur-pop3-nutzer/ (via Google translation)


I don't really understand the example MySQL code (too much "..." for me to
follow) in the above web pages.  As I understand it (and I could be very
wrong), the solution relies on a MySQL query to determine which namespace
should have inbox = yes -- the private namespace or the virtual namespace --
depending on if the user is an imap or pop3 user, respectively.

Question 1:  How would this be done on a user-by-user basis if the userdb is
a passwd-file flat file?  Would it be something like this?
-- Userdb extra fields for IMAP User: userdb_namespace/inbox/inbox=yes
-- Userdb extra fields for POP3 User: userdb_namespace/virtual/inbox=yes

Question 2:  If I want to allow any user to use either POP3 or IMAP, then
could I do it this way?

protocol imap {
  namespace inbox {
inbox = yes
  }
}
protocol pop3 {
  namespace virtual {
inbox = yes
  }
}

Thanks,
Michael


doveconf -n display error for "remote"

2016-07-15 Thread Michael Fox
Upon further testing, it seems that the issue below may only be a display
bug in doveconf.  In other words, the remote filter appears to work as
configured, even though it is displayed with duplicate prefix length by
doveconf.

Is this sufficient information to report a bug or is there some other
protocol?

Michael


---

Dovecot --version:  2.2.9

I configured the following in local.conf:

remote 192.168.7.128/27 {
  ssl = no
}
remote 192.168.7.0/24 {
  ssl = yes
}


But, when I run doveconf -n, I see:

remote 192.168.7.0/24/24 {
  ssl = yes
}
remote 192.168.7.128/27/27 {
  ssl = no
}

Note the repeated network prefix length  (/27/27 and /24/24).


RE: controlling STARTTLS by IP address

2016-07-15 Thread Michael Fox
KSB:
> Just curious, it is transferred in some RSxxx serial protocol?

The expectation is that the unencrypted traffic will be used for clients on an 
Ethernet network behind a radio operating on amateur radio frequencies 
according to FCC Part 97 rules.  The radio could be:
-- 56+kbps UHF, such as the upcoming UDRX-440 by NW Digital Radio
-- WiFi radio using BBHN or AREDN mesh software 
-- WiFi radio using commercial software, but operated under FCC Part 97 
(amateur radio) rules, instead of Part 15 (commercial/consumer) rules
-- ... or maybe something else

It won't be the bulk of our traffic, but it is important since it is part of 
the county's emergency communications plan.

I don't want to hijack this list with amateur radio stuff.  Curious hams can 
contact me off list at n6mef at mefox dot org.

Michael


RE: RE: controlling STARTTLS by IP address

2016-07-15 Thread Michael Fox


> -Original Message-
> From: dovecot [mailto:dovecot-boun...@dovecot.org] On Behalf Of Jochen
> Bern
> Sent: Friday, July 15, 2016 12:46 AM
> To: dovecot@dovecot.org
> Subject: Re: RE: controlling STARTTLS by IP address
> 
> On 07/14/2016 11:52 PM, Michael Fox wrote:
> >> Seems like your firewall could redirect to a different port that
> doesn't
> >> offer starttls.
> > Yes, of course.  But that would require multiple ports, making the
> client
> > configuration cumbersome and error-prone.
> 
> No, the multiple ports would be on the *server* side, and "the firewall"
> (which could be iptables on the server itself) would DNAT the ever-same
> *client* side ports based on the clients' IPs.
> 
> Speaking of simplifying client configuration: Please note that STARTTLS
> and "must be plaintext" aren't mutually exclusive:
> 
> $ openssl ciphers 'NULL:eNULL:!ECDH:!DH'
> NULL-SHA256:NULL-SHA:NULL-MD5
> 
> https://www.openssl.org/docs/manmaster/apps/ciphers.html#EXAMPLES
> 
> If you can get dovecot to use a different "ssl_cipher_list" per client
> subnet, instead of changing "ssl", you could keep all clients that
> support those ciphers configured so as to *require* STARTTLS.
> 
> Regards,
> 
> Jochen Bern
> Systems Engineer

Hmmm. Interesting.  I hadn't thought along those lines.  Something to
investigate.

Michael


RE: controlling STARTTLS by IP address

2016-07-15 Thread Michael Fox
> I'm not a FCC lawyer, just a ham. Seems to me all you could do is "sign"
> messages and not send them if the sign isn't correct.  The package itself
> is in plain text.

I'm not sure what the confusion or concern is.  The intention is to use
non-plaintext (but technically not encrypted) authentication without TLS
over ham frequencies.  Hashed challenge/response auth methods don't violate
the FCC rules.  Of course, without TLS encryption, the auth process is not
totally secure.  And, yes, the message itself would be in plain text.  But
it's the best we can do given the rules.  Think of it as packet radio on
steroids.

73,
Michael
N6MEF


RE: controlling STARTTLS by IP address

2016-07-15 Thread Michael Fox
> > I just thought to remind people that with some firewalls, there's always
> a way
> > to perform "silent" redirections using the DNAT target in the PREROUTING
> > table, i.e.,:
> >
> > -t nat -A PREROUTING -i ${EXTIF} -s ${NOTLSSOURCES} -p tcp --dport 110 \
> >  --syn -j DNAT --to-destination ${DOVECOT}:${NOTLSPOP3PORT}
> >
> 
> That is basically what I meant without enough detail I guess.
> 

Yes.  Good point.  And thanks for the clarification.

As a Dovecot newbie, I'm curious.  What would be the syntax in dovecot to
configure a second pop3 listener?  Would it be something like this?

service pop3-login {
  # POP3 for STARTTLS users
  inet_listener pop3 {
    port = 110
    ssl = yes
  }
  # POP3 for no TLS
  inet_listener pop3 {
    port = xxx
    ssl = no
  }
  # POP3 for 
  inet_listener pop3s {
    port = 993
    ssl = required
  }
}

And shouldn't "inet_listener pop3s" really use ssl=required (as above),
instead of ssl=yes (as shown in the default 10-master.conf file)?

Thanks,
Michael


RE: controlling STARTTLS by IP address

2016-07-14 Thread Michael Fox
> You could try
> 
> remote x.x.x.x/y {
>ssl = no
> }
> 
> Aki

That works!  Thanks SO much!

Michael


RE: controlling STARTTLS by IP address

2016-07-14 Thread Michael Fox
> 
> You could try
> 
> remote x.x.x.x/y {
>ssl = no
> }
> 
> Aki

Wow.  OK.  But I can find no documentation on how to use that.

Would it be used inside service pop3-login, or at the top level?

And, does it apply the first match found?  For example:

  # Disable SSL for radio clients
  remote 192.168.1.0/24 {
  ssl = no
  }
  # Allow SSL for internal clients
  remote 192.168.0.0/16 {
  ssl = yes
  }
  # Require SSL for all others
  remote 0.0.0.0/0 {
  ssl = required
  }

Thanks,
Michael



RE: controlling STARTTLS by IP address

2016-07-14 Thread Michael Fox
> Are you 100% sure your interpretation of the FCC rules is correct?
Yes

> Do you really want passwords going out over RF unencrypted?
No.  I don't plan to use plaintext auth methods.

> As far as I know, only ham bands are not allowed to use encryption. Even
> baby monitors these days are DECT. (Mind you, not good encryption.)
Correct.  It is ham radio.

Michael


RE: controlling STARTTLS by IP address

2016-07-14 Thread Michael Fox
> Seems like your firewall could redirect to a different port that doesn't
> offer starttls.

Yes, of course.  But that would require multiple ports, making the client
configuration cumbersome and error-prone.

Michael


controlling STARTTLS by IP address

2016-07-14 Thread Michael Fox
On my POP3 server, I need to be able to control the use of STARTTLS by
client IP address.  Specifically:

* Clients on certain internal subnets (e.g., 192.168.1.0/24) must not have
the option to use TLS.  If the client tries to use STARTTLS, the option
should be rejected.  This is to satisfy US FCC rules regarding the use of
encryption over certain radio frequencies.
* All other internal clients (e.g., 192.168.0.0/16, but not 192.168.1.0/24)
should be able to use STARTTLS if they choose to.
* All external clients (0.0.0.0/0) will be required to use TLS.

Is there a way to control which clients are allowed to use STARTTLS
according to the client's IP address?

Thanks,
Michael


RE: quota-status service

2016-07-03 Thread Michael Fox


> 
> The way I understand it is, this Quota service was built specifically
> for postfix. (I only have postfix, have not used any other MTA)
> The "quota-status" executable is in your libexec directory. (I compiled
> my dovecot instance, hence it is not in the "regular" directory)

Thanks.  I also responded to Aki, but to close the loop:  evidently
quota-status is newer than the version of dovecot on my Ubuntu 12.04
machine.  So I'll need to upgrade.

> The "quota_status_*" are responses to postfix. AFAIK, these are the only
> 3 possible options.
> 
> Please see (
> https://sys4.de/en/blog/2013/04/08/postfix-dovecot-mailbox-quota/ ) for
> detailed info on this
> 
> When Postfix MTA is "inline" with the sender, and if you have correctly
> configured the quota service, it will check if the recipient's mailbox
> can accept mails. If the recipient is able to accept mail, dovecot
> responds with "DUNNO" (as configured in "quota_status_success") to let
> postfix continue with its sender checks. If the recipient's mailbox is
> unable to accept mails, dovecot responds with "552 5.2.2 Mailbox is
> full" (as configured in "quota_status_overquota"); this will prevent
> postfix from accepting the mail and it will respond with a 552 status.  All
> this is documented in that blog.
> 

Thanks.  I saw the link to Hildebrandt's blog on the wiki.  (BTW, his
Postfix book is still great!)  And I understood the example.  But it didn't
cover the answers to my questions. Aki covered most of them.

Thanks again,
Michael
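The exchange between Postfix and quota-status that the reply above describes, as an added example that is not part of the thread or of Dovecot: it encodes a Postfix policy-delegation request, parses the action= reply, and includes a mock responder returning the quota_status_* strings from the doveconf -n output shown elsewhere on this page. The mock's too-large versus over-quota rule, the mailbox sizes and the sample recipients are assumptions made for offline testing.

```python
#!/usr/bin/env python3
"""Talk to Dovecot's quota-status service the way Postfix does: the Postfix
policy-delegation protocol (attribute=value lines, a blank line ends the
request, the reply is "action=<verdict>" followed by a blank line).

The decision model in mock_quota_status (nouser / toolarge / overquota /
success) is an assumption used for offline testing, not Dovecot's code.
"""
import socket

# Reply strings as configured in the doveconf -n output on this page.
QUOTA_STATUS = {
    "success": "DUNNO",
    "nouser": "DUNNO",
    "overquota": "552 5.2.2 Mailbox is full",
    "toolarge": "552 5.2.3 Message is too large",
}


def encode_request(recipient, size, sender="", protocol_state="RCPT"):
    """Build one policy request as Postfix's check_policy_service sends it."""
    attrs = [
        ("request", "smtpd_access_policy"),
        ("protocol_state", protocol_state),
        ("sender", sender),
        ("recipient", recipient),
        ("size", str(size)),
    ]
    return "".join("%s=%s\n" % kv for kv in attrs) + "\n"


def decode_request(data):
    """Parse attribute=value lines into a dict; the blank line ends them."""
    attrs = {}
    for line in data.split("\n"):
        if line == "":
            break
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed policy line: %r" % line)
        attrs[key] = value
    return attrs


def decode_reply(data):
    """Return the verdict from an "action=...\\n\\n" reply."""
    attrs = decode_request(data)          # replies use the same line format
    if "action" not in attrs:
        raise ValueError("policy reply without action: %r" % data)
    return attrs["action"]


def mock_quota_status(request, mailboxes, config=QUOTA_STATUS):
    """Constructed stand-in for quota-status. mailboxes maps recipient ->
    (bytes_used, limit_bytes). Unknown recipient -> nouser; a message larger
    than the whole limit -> toolarge; used+size over the limit -> overquota;
    otherwise success. Each maps to the configured quota_status_* string."""
    attrs = decode_request(request)
    rcpt = attrs.get("recipient", "")
    size = int(attrs.get("size", "0") or 0)
    if rcpt not in mailboxes:
        verdict = config["nouser"]
    else:
        used, limit = mailboxes[rcpt]
        if size > limit:
            verdict = config["toolarge"]
        elif used + size > limit:
            verdict = config["overquota"]
        else:
            verdict = config["success"]
    return "action=%s\n\n" % verdict


def query_quota_status(recipient, size, host="127.0.0.1", port=12340, timeout=5):
    """Ask a live quota-status inet_listener (port 12340 as in this thread)
    and return its verdict; useful for checking the service before wiring
    it into smtpd_recipient_restrictions."""
    with socket.create_connection((host, port), timeout=timeout) as conn:
        conn.sendall(encode_request(recipient, size).encode())
        buf = b""
        while b"\n\n" not in buf:
            chunk = conn.recv(4096)
            if not chunk:
                break
            buf += chunk
    return decode_reply(buf.decode())


if __name__ == "__main__":
    # Constructed mailbox state: alice has used 40 MB of a 50 MB quota.
    boxes = {"alice@example.test": (40 * 1024 * 1024, 50 * 1024 * 1024)}
    for rcpt, size in [("alice@example.test", 1024),
                       ("alice@example.test", 11 * 1024 * 1024),
                       ("nobody@example.test", 1024)]:
        reply = mock_quota_status(encode_request(rcpt, size), boxes)
        print("%s %7d bytes -> %s" % (rcpt, size, decode_reply(reply)))
```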


RE: FW: quota-status service

2016-07-03 Thread Michael Fox
> No. But someone knew what to answer to them, you keep spamming the mailing
> list with repeated '???' instead of waiting, which *is* impolite. Someone
> WILL answer you when they have time to study your question and prepare an
> answer. As I said, if you think you should be entitled to timely
> responses, please consider purchasing a support agreement, so you can have
> an SLA. Support provided over mailing list is pro bono publico and no one
> gets paid doing it for you.

Understood.  And I don't think I'm "entitled" to anything.  The list is free.

But it may be helpful to understand this:  I figured that most people would 
want to use the quota-status service.  Therefore, most people must know 
something about it.  But there was no response at all, not even "I can help but 
it will take a couple of days", even though there was lots of other activity on 
the list.   So I did what is commonplace on some other lists by bumping it up 
to the top again.  No disrespect intended.  Every list has its own 
"personality".  I'll learn.

> 1. Quota status comes with dovecot-core, on my server (debian) it is in
> 
> ~$ ls -lah /usr/lib/dovecot/quota-status
> -rwxr-xr-x 1 root root 84K May 27 12:35 /usr/lib/dovecot/quota-status
> 
> Did you look there?

Yes.  I actually looked everywhere with find / ...
This machine is running Ubuntu 12.04, dovecot --version = 2.0.19

So, I just tried installing on another machine running Ubuntu 14.04, dovecot 
--version = 2.2.9.  It **is** there on that machine.

So, evidently, quota-status is not part of the older version.  I guess I'll 
need to upgrade since I prefer not to compile from source.

> You also are going to need ...
> [answers clipped]

Thank you.  All EXCELLENT information.  

quota_status_toolarge wasn't mentioned on the wiki.  I presume that refers to 
the individual message size being too large, correct?

Thanks again, this is what I needed.

Michael


RE: FW: quota-status service

2016-07-03 Thread Michael Fox
Aki:  Over the last three days, I've watched many other questions being asked 
and answered.  Were they also impolite to ask?

Peter:  What exactly was impolite about identifying missing information and 
listing the specific details that I'm looking for?

Aki & Peter:  Do either of you know the answers to at least some of my 
questions?

Michael

> -Original Message-
> From: dovecot [mailto:dovecot-boun...@dovecot.org] On Behalf Of Peter
> Chiochetti
> Sent: Sunday, July 3, 2016 2:07 AM
> To: dovecot@dovecot.org
> Subject: Re: FW: quota-status service
> 
> On 2016-07-03 at 10:43, Aki Tuomi wrote:
> > If you need fast and timely support you can contact OX sales for a
> support agreement. It is somewhat impolite to expect such from a public
> mailing list over the weekend.
> 
> Nah, expecting such can be unreasonable,
> Impolite though the manner of expression
> 


FW: quota-status service

2016-07-03 Thread Michael Fox
??? 3rd request

-Original Message-
From: dovecot [mailto:dovecot-boun...@dovecot.org] On Behalf Of Michael Fox
Sent: Friday, July 1, 2016 5:56 PM
To: Dovecot Mailing List <dovecot@dovecot.org>
Subject: RE: quota-status service

???

 

From: Michael Fox [mailto:n...@mefox.org] 
Sent: Thursday, June 30, 2016 1:59 PM
To: Dovecot Mailing List (dovecot@dovecot.org) <dovecot@dovecot.org>
Subject: quota-status service


RE: quota-status service

2016-07-01 Thread Michael Fox
???

 

From: Michael Fox [mailto:n...@mefox.org] 
Sent: Thursday, June 30, 2016 1:59 PM
To: Dovecot Mailing List (dovecot@dovecot.org) <dovecot@dovecot.org>
Subject: quota-status service


quota-status service

2016-06-30 Thread Michael Fox
I'm trying to understand the quota-status service, but I can't find complete
documentation.

The quota-status service is mentioned here:  http://wiki.dovecot.org/Quota

And an example configuration is shown:

service quota-status {
  executable = quota-status -p postfix
  inet_listener {
    port = 12340
    # You can choose any port you want
  }
  client_limit = 1
}

But I can't find any information on quota-status.

"man quota-status" returns nothing.

I am unable to find a "quota-status" file on my machine.  Where is the
executable located?

What does the "-p postfix" option do?

Are there any other command line options?

The above wiki page shows three quota_status_* options in use:

quota_status_success = DUNNO
quota_status_nouser = DUNNO
quota_status_overquota = "552 5.2.2 Mailbox is full"

Where are their meanings documented?

What are the allowed values?

Are there other quota_status_* options?

Thanks in advance.

Thanks,

Michael


RE: Postfix and Dovecot LDA vs. LMTP

2016-06-26 Thread Michael Fox
> Actually we're on the way to get
> the book back into the shop in the next few weeks.
> 
> Peer


That's great news!  English version please!

Michael


RE: Postfix and Dovecot LDA vs. LMTP

2016-06-25 Thread Michael Fox
> imho wiki is the way to go to be up2date with information, else it would
> make more sense to make more informative man pages in dovecot, that will
> never be outdated

I agree that the wiki is useful and important.  It just doesn't have any
depth regarding the "why" and "how" part of the equation.  For example, WHY
LMTP vs. LDA (just one example).  There are many config snippets with a
couple of lines of explanation and not much about how they fit into the big
picture.  And some config examples (like the default_fields and
override_fields issue I reported earlier) simply don't work.

In the Postfix world, there is an old Postfix book (older than Peer's book)
which goes into a lot of the "why" and "how".  It takes you through the
whole process from nothing to a full-fledged server and really gives you the
big picture.  All of that is still valid today.  Then the postfix website is
the place to go for up-to-date description of each config option.  Even
there, the web pages contain much more descriptive information about each
config option -- how it's used, when, why, side-effects, etc.

If I knew what I was doing, I'd offer to help add to the wiki.  But as a
newbie, I don't even know what I don't know.  ;-)

So I'm hoping that Peer's book will provide that overall big-picture and
that I can find an English copy somehow.

Michael


RE: Postfix and Dovecot LDA vs. LMTP

2016-06-25 Thread Michael Fox
Thanks again Jan.

I appear to have basic LMTP working now (messages are delivered to virtual
mailboxes of valid recipients and non-existent recipients are rejected).
Cool.  Still lots more work to do.

But I think I could really use the Dovecot book.  I find the wiki to be
lacking in explanation.  So, too often I'm just copying without knowing the
reason why or how some things fit together.

Peer:  Is there any way to get an English copy of your book?

Michael



> -Original Message-
> From: dovecot [mailto:dovecot-boun...@dovecot.org] On Behalf Of "Jan
> Büren"
> Sent: Saturday, June 25, 2016 12:53 PM
> To: dovecot@dovecot.org
> Cc: Peer Heinlein 
> Subject: RE: Postfix and Dovecot LDA vs. LMTP
> 
> Hi Michael,
> well, actually the author is reading this list as well.
> Maybe he can help out here (cc).
> As far as I know the publisher went bankrupt and that's why currently
> further prints and next books are delayed.
> 
> @Peer: Anyway, is there an English copy? More or less I am referring to the
> chapter LMTP with dovecot and postfix.
> 
> Hmm, just with the information in the dovecot wiki, there is at least the
> postfix part missing:
> http://wiki2.dovecot.org/HowTo/PostfixDovecotLMTP
> 
> Best luck,
> > Thanks Jan.
> >
> > I've been trying to obtain an English copy of the Dovecot book for
> months,
> > prior to starting this project.  So far, I just can't find a copy.  It's
> > too
> > bad that the author/publisher won't do a second printing or, if they're
> > not
> > interested in making any more money, then release it to the public
> domain
> > as
> > a PDF.  Very frustrating.
> >
> > Michael
> >
> >
> >> -Original Message-
> >> From: dovecot [mailto:dovecot-boun...@dovecot.org] On Behalf Of "Jan
> >> Büren"
> >> Sent: Friday, June 24, 2016 10:00 AM
> >> To: dovecot@dovecot.org
> >> Subject: Re: Postfix and Dovecot LDA vs. LMTP
> >>
> >> Hi Michael,
> >>
> >> > I'd appreciate comments from experienced users of postfix with
> >> dovecot.
> >> > Are
> >> > you using Dovecot LDA or LMTP and why?
> >> I have LMTP with dovecot running on Ubuntu 14.04 and Ubuntu 16.04.
> >>
> >> LDA is the worse solution; this is best explained in chapter LMTP in
> >> Peer's dovecot book, which is unluckily in German and more or less out
> >> of print.
> >>
> >> But you can easily grasp the configuration details and reverse engineer
> >> the technical German phrases ...
> >>
> >>
> >> >
> >> >
> >> >
> >> > Thanks much,
> >> >
> >> > Michael
> >> >
> >> >
> >> >
> >> >
> >>
> >>
> >> --
> >> kivitendo with a quick start to RB print templates in Linux-Magazin 07,
> >> DELUG-DVD edition
> >>
> >> Richardson & Büren GmbH
> >> Jan Büren
> >> Kölnstr. 311
> >> 53117 Bonn
> >>
> >> VAT ID DE238288407
> >> Phone: 0228 92 98 2012
> >>
> >>
> >> Direct line: 0228 92 97 8965
> >
> >
> 
> 
> --
> kivitendo with a quick start to RB print templates in Linux-Magazin 07,
> DELUG-DVD edition
> 
> Richardson & Büren GmbH
> Jan Büren
> Weiherstraße 33a
> 53111 Bonn
> 
> VAT ID DE238288407
> Phone: 0228 92 98 2012
> 
> Direct line: 0228 92 97 8965


RE: Postfix and Dovecot LDA vs. LMTP

2016-06-25 Thread Michael Fox
> The most crucial difference is that LDA is intended for delivering email
> to a *real* user.
> 
> Aki


Thanks Aki.

Pardon my ignorance, but why does it matter?  In other words, what is it that 
makes LDA better for a *real* user and LMTP better for a virtual user?

Thanks,
Michael


RE: Postfix and Dovecot LDA vs. LMTP

2016-06-25 Thread Michael Fox
Thanks Jan.

I've been trying to obtain an English copy of the Dovecot book for months,
prior to starting this project.  So far, I just can't find a copy.  It's too
bad that the author/publisher won't do a second printing or, if they're not
interested in making any more money, then release it to the public domain as
a PDF.  Very frustrating.

Michael


> -Original Message-
> From: dovecot [mailto:dovecot-boun...@dovecot.org] On Behalf Of "Jan
> Büren"
> Sent: Friday, June 24, 2016 10:00 AM
> To: dovecot@dovecot.org
> Subject: Re: Postfix and Dovecot LDA vs. LMTP
> 
> Hi Michael,
> 
> > I'd appreciate comments from experienced users of postfix with dovecot.
> > Are
> > you using Dovecot LDA or LMTP and why?
> I have LMTP with dovecot running on Ubuntu 14.04 and Ubuntu 16.04.
> 
> LDA is the worse solution; this is best explained in chapter LMTP in
> Peer's dovecot book, which is unluckily in German and more or less out of
> print.
> 
> But you can easily grasp the configuration details and reverse engineer
> the technical German phrases ...
> 
> 
> >
> >
> >
> > Thanks much,
> >
> > Michael
> >
> >
> >
> >
> 
> 
> --
> kivitendo with a quick start to RB print templates in Linux-Magazin 07,
> DELUG-DVD edition
> 
> Richardson & Büren GmbH
> Jan Büren
> Kölnstr. 311
> 53117 Bonn
> 
> VAT ID DE238288407
> Phone: 0228 92 98 2012
> 
> 
> Direct line: 0228 92 97 8965


Postfix and Dovecot LDA vs. LMTP

2016-06-24 Thread Michael Fox
I'm new to Dovecot and will be using it with Postfix.  I'm looking for
recommendations regarding the use of Dovecot's LDA or LMTP for virtual
mailbox delivery.

Many of the simple examples on the wiki use LDA.  So I've set that up
initially.  But apparently an advantage of LMTP is recipient verification.
So, as I understand it, LMTP would let Postfix know whether or not the
message was deliverable to a local virtual recipient without needing to have
a separate virtual recipients map in Postfix.  That sounds like a nice
simplification.

But I see in Ubuntu that the dovecot-lmtp package is not marked with the
Canonical support icon, like the pop, imap, and other packages are.  I don't
have a contract with Canonical.  But I'm wondering why they would not
support the lmtp package when they do support most of the others.  Is it
possible that the dovecot LMTP package is not as stable or reliable?

I'd appreciate comments from experienced users of postfix with dovecot.  Are
you using Dovecot LDA or LMTP and why?

Thanks much,

Michael



FW: error using default_fields in passwd-file

2016-06-23 Thread Michael Fox
I didn't see a response.  Sending again and adding doveconf -n output.

I'm trying to put virtual user mail in:
/var/vmail//

I tried setting the home field in the userdb to /var/vmail/%d/%n

But apparently variable expansion doesn't happen in the userdb because the
Dovecot LDA created the literal directory /var/vmail/%d/%n/Maildir

So then I tried to use default_fields as shown here:
http://wiki2.dovecot.org/AuthDatabase/PasswdFile

So I tried:

userdb {
  driver = passwd-file
  args = username_format=%n /etc/dovecot/auth.d/%d/passwd
  default_fields = home=/var/vmail/%d/%n
}

But when I reload doveadm I get:

doveconf: Fatal: Error in configuration file /etc/dovecot/local.conf line
87: Unknown setting: default_fields

I tried override_fields:

userdb {
  driver = passwd-file
  args = username_format=%n /etc/dovecot/auth.d/%d/passwd
  override_fields = home=/var/vmail/%d/%n
}

And I get the same type of error:

doveconf: Fatal: Error in configuration file /etc/dovecot/local.conf line
87: Unknown setting: override_fields

What gives?

Michael

doveconf -n:

# 2.0.19: /etc/dovecot/dovecot.conf
# OS: Linux 3.13.0-86-generic i686 Ubuntu 12.04.5 LTS
auth_verbose = yes
disable_plaintext_auth = no
mail_gid = vmail
mail_location = maildir:~/Maildir
mail_uid = vmail
passdb {
  driver = pam
}
passdb {
  args = /etc/dovecot/deny-users
  deny = yes
  driver = passwd-file
}
passdb {
  args = username_format=%n /etc/dovecot/auth.d/%d/passwd
  driver = passwd-file
}
pop3_uidl_format = %08Xv%08Xu
protocols = pop3
service auth {
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
  }
}
ssl = no
ssl_cert = 

error using default_fields in passwd-file

2016-06-23 Thread Michael Fox
I'm trying to put virtual user mail in:
/var/vmail//

I tried setting the home field in the userdb to /var/vmail/%d/%n

But apparently variable expansion doesn't happen in the userdb because the
Dovecot LDA created the literal directory /var/vmail/%d/%n/Maildir

So then I tried to use default_fields as shown here:
http://wiki2.dovecot.org/AuthDatabase/PasswdFile

So my config is:

userdb {
  driver = passwd-file
  args = username_format=%n /etc/dovecot/auth.d/%d/passwd
  default_fields = home=/var/vmail/%d/%u
}

But when I reload doveadm I get:

doveconf: Fatal: Error in configuration file /etc/dovecot/local.conf line
87: Unknown setting: default_fields

I tried override_fields:

userdb {
  driver = passwd-file
  args = username_format=%n /etc/dovecot/auth.d/%d/passwd
  override_fields = home=/var/vmail/%d/%u
}

And I get the same type of error:

doveconf: Fatal: Error in configuration file /etc/dovecot/local.conf line
87: Unknown setting: override_fields

What gives?

Michael



RE: newbie userdb lookup problem

2016-06-22 Thread Michael Fox
> http://wiki.dovecot.org/LDA
> 
> Section virtual users, with lookup has the answer.

Thanks for the quick response Aki.

I presume you're referring to this:

service auth {
  unix_listener auth-userdb {
    mode = 0600
    user = vmail # User running dovecot-lda
    #group = vmail # Or alternatively mode 0660 + dovecot-lda user in this group
  }
}

So, given that, then I'm still not clear on the following:
1)  User vmail is reading the userdb, not writing to the userdb.  So why mode
0600?
2)  What should the owner, group and mode/permissions of the actual userdb flat
file be for best security?

Michael
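
The two posts in this thread turn on who is allowed to open the auth-userdb socket: the "Permission denied (euid=5000(vmail) ...)" line in the original report, and the unix_listener block with mode 0600 / user = vmail (or mode 0660 + group) quoted just above. The following is an added example for this thread, not Dovecot code: it parses that diagnostic line, evaluates plain POSIX file permissions for a given process identity, and applies them to the listener variants. The uid/gid table is constructed, and the assumption that an unset user/group leaves the socket owned by root:root (which is why 10-master.conf calls the default socket readable only by root) is mine.

```python
"""Who may connect to Dovecot's auth-userdb unix_listener, evaluated with
plain POSIX permissions. Illustrative code for this thread, not Dovecot's."""
import re

# Constructed identity table standing in for /etc/passwd and /etc/group.
UIDS = {"root": 0, "vmail": 5000, "dovecot": 5001, "postfix": 5002}
GIDS = {"root": 0, "vmail": 5000, "dovecot": 5001, "postfix": 5002}

# The diagnostic from the original post, joined onto one line.
SAMPLE_LOG_LINE = (
    "Jun 22 20:53:33 x dovecot: lda: Error: userdb lookup: "
    "connect(/var/run/dovecot/auth-userdb) failed: Permission denied "
    "(euid=5000(vmail) egid=5000(vmail) missing +r perm: "
    "/var/run/dovecot/auth-userdb, dir owned by 0:0 mode=0755)"
)

_DOVECOT_EACCES = re.compile(
    r"connect\((?P<path>[^)]+)\) failed: Permission denied "
    r"\(euid=(?P<uid>\d+)\((?P<user>[^)]+)\) egid=(?P<gid>\d+)\((?P<group>[^)]+)\)"
)


def parse_permission_error(line: str) -> dict:
    """Pull the socket path and the failing process identity out of the log line."""
    m = _DOVECOT_EACCES.search(line)
    if m is None:
        raise ValueError("not a Dovecot permission-denied line")
    return {"path": m["path"], "uid": int(m["uid"]), "user": m["user"],
            "gid": int(m["gid"]), "group": m["group"]}


def unix_access(mode: int, owner_uid: int, owner_gid: int,
                uid: int, gids: set, need: str = "rw") -> bool:
    """POSIX DAC: exactly one class applies (owner, else group, else other)
    and every requested bit must be set in that class. uid 0 bypasses it."""
    if uid == 0:
        return True
    if uid == owner_uid:
        bits = (mode >> 6) & 0o7
    elif owner_gid in gids:
        bits = (mode >> 3) & 0o7
    else:
        bits = mode & 0o7
    want = sum({"r": 4, "w": 2, "x": 1}[c] for c in need)
    return bits & want == want


def listener_allows(listener: dict, uid: int, gids: set) -> bool:
    """Apply unix_access() to a unix_listener block such as
    {"mode": 0o600, "user": "vmail"}. Assumption: unset user/group means
    the socket is owned by root:root, and a connecting client needs r and w."""
    mode = listener.get("mode", 0o600)
    owner_uid = UIDS[listener.get("user", "root")]
    owner_gid = GIDS[listener.get("group", "root")]
    return unix_access(mode, owner_uid, owner_gid, uid, gids, "rw")


def identity_allowed(listener: dict, err: dict) -> bool:
    """Would the identity named in a parsed log line get through this listener?"""
    return listener_allows(listener, err["uid"], {err["gid"]})


if __name__ == "__main__":
    err = parse_permission_error(SAMPLE_LOG_LINE)
    for cfg in ({"mode": 0o600},                        # shipped default
                {"mode": 0o600, "user": "vmail"},       # wiki variant 1
                {"mode": 0o660, "group": "vmail"}):     # wiki variant 2
        print(cfg, "->", "allowed" if identity_allowed(cfg, err) else "denied")
```

Running it reproduces the report: with the default block the LDA's identity (uid 5000) falls into the "other" class of a 0600 root-owned socket and is denied, which is the logged error; user = vmail puts it in the owner class, and mode 0660 + group = vmail admits any process whose supplementary groups include vmail without making vmail the owner. Note that the socket and the passwd file are read by different parties: dovecot-lda talks to the socket, while the auth service reads the passwd-file, so the two permission questions in the post concern two different identities.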


newbie userdb lookup problem

2016-06-22 Thread Michael Fox
I'm new to Dovecot and I'm having trouble getting basic, flat file userdb
lookups to work.  This must have been asked before, but if so, I can't find
it.

I'm following the basic setup here:
http://wiki2.dovecot.org/HowTo/SimpleVirtualInstall with a few minor
differences.  Output of doveconf -n is below, as well as relevant entries
from postfix main.cf and master.cf.

When I send a message to a virtual user that will be handled by Dovecot,
Postfix hands it off to Dovecot LDA.  But I get the following error in the
log:

Jun 22 20:53:33 x dovecot: lda: Error: userdb lookup:
connect(/var/run/dovecot/auth-userdb) failed: Permission denied
(euid=5000(vmail) egid=5000(vmail) missing +r perm:
/var/run/dovecot/auth-userdb, dir owned by 0:0 mode=0755)

/var/run/dovecot/ is indeed owned by root:root with 0755 permissions.

The actual passwd file used for userdb/passdb is currently owned by
root:vmail with 0640 permissions.

I read http://wiki2.dovecot.org/UserIds but I just don't understand the
section on "Authentication process user".  It's very vague.  It doesn't
explain which service is used for which circumstances or how to correlate
the userdb/passdb file permissions with the service user/group settings for
best security.

The http://wiki2.dovecot.org/HowTo/SimpleVirtualInstall link mentions
nothing about having to modify the auth or auth-worker services.

And the http://wiki2.dovecot.org/HowTo/VirtualUserFlatFilesPostfix page
mentions a new "doveauth" user which isn't described elsewhere and sets
service auth to user postfix and group postfix, something not mentioned
anywhere else.

/etc/doveconf/10-master.conf says that the service auth socket is typically
readable only by root.  Uhm.  OK.  Well, my passwd file is owned by root.  I
don't know how that relates to the socket.  So I don't understand the
problem.

Bottom line, each information source seems to say something completely
different.  I can't correlate the information in the above sources into any
actionable result.

Questions:

Basically, can someone please explain how the permissions for userdb and
passdb lookup work (i.e. file permissions vs. service permissions)?

What's the best solution to solve the above permission problem in the most
secure way?  Adjust the config of service auth?  If so, how and why?  Or
adjust my passwd file ownership?  If so, how and why?  I'm really trying to
understand the why, not just the what.

Thanks much.

Michael

Output of doveconf -n follows:

# 2.0.19: /etc/dovecot/dovecot.conf
# OS: Linux 3.13.0-86-generic i686 Ubuntu 12.04.5 LTS
auth_verbose = yes
disable_plaintext_auth = no
mail_gid = vmail
mail_location = maildir:~/Maildir
mail_uid = vmail
passdb {
  driver = pam
}
passdb {
  args = username_format=%n /var/vmail/auth.d/%d/passwd
  driver = passwd-file
}
pop3_uidl_format = %08Xv%08Xu
protocols = pop3
ssl = no
ssl_cert = 

http://wiki2.dovecot.org/LDA/Postfix
# Allows user+extens...@domain.com (recipient_delimiter = + in main.cf)
dovecot   unix  -   n   n   -   -   pipe
  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/dovecot-lda -f ${sender}
-d ${user}@${nexthop} -m ${extension}