Re: Dovecot v2.2.36.1 released (Pigeonhole 0.4.24.1)
On 2019-02-05 13:07, Stephan Bosch via dovecot wrote:

Hi,

Here is the associated release for Pigeonhole:

https://pigeonhole.dovecot.org/releases/2.2/dovecot-2.2-pigeonhole-0.4.24.1.tar.gz
https://pigeonhole.dovecot.org/releases/2.2/dovecot-2.2-pigeonhole-0.4.24.1.tar.gz.sig

Binary packages included in https://repo.dovecot.org/

+ imapsieve: Added imapsieve_expunge_discarded setting which causes discarded messages to be expunged immediately.
- Sieve scripts running in IMAPSIEVE or IMAP FILTER=SIEVE context that modify the message, store the message a second time, rather than replacing the originally stored unmodified message.
- imapsieve: Fix crash when COPYing mails from a virtual mailbox when the source messages originate from more than a single real mailbox
- imap_filter_sieve plugin: Implement the missing UID FILTER command.
- imap_filter_sieve plugin: Fix FILTER to work with pipelining

Regards,

Stephan.

On 5-2-2019 at 14:01, Aki Tuomi wrote:

https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz
https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig

* CVE-2019-3814: If imap/pop3/managesieve/submission client has trusted certificate with missing username field (ssl_cert_username_field), under some configurations Dovecot mistakenly trusts the username provided via authentication instead of failing.
* ssl_cert_username_field setting was ignored with external SMTP AUTH, because none of the MTAs (Postfix, Exim) currently send the cert_username field. This may have allowed users with trusted certificate to specify any username in the authentication. This bug didn't affect Dovecot's Submission service.
- pop3_no_flag_updates=no: Don't expunge RETRed messages without QUIT
- director: Kicking a user assert-crashes if login process is very slow
- lda/lmtp: Fix assert-crash with some Sieve scripts when mail_attachment_detection_options=add-flags-on-save
- fs-compress: Using maybe-gz assert-crashed when reading 0 sized file
- Snippet generation crashed with invalid Content-Type:multipart

---
Aki Tuomi
Open-Xchange Oy

Is there going to be an equivalent 0.5.4.1 release with the same functionality but for Dovecot 2.3.x?

Michael
Re: v2.3.3 release candidate released
On 2018-09-21 09:45, Timo Sirainen wrote:

https://dovecot.org/releases/2.3/rc/dovecot-2.3.3.rc1.tar.gz
https://dovecot.org/releases/2.3/rc/dovecot-2.3.3.rc1.tar.gz.sig

Binary packages are also available in https://repo.dovecot.org/ in ce-2.3.3 repository (not ce-2.3-latest).

* doveconf hides more secrets now in the default output.
* ssl_dh setting is no longer enforced at startup. If it's not set and non-ECC DH key exchange happens, error is logged and client is disconnected.
+ Added log_debug= setting.
+ Added log_core_filter= setting.
+ quota-clone: Write to dict asynchronously
+ --enable-hardening attempts to use retpoline Spectre 2 mitigations
+ lmtp proxy: Support source_ip passdb extra field.
+ doveadm stats dump: Support more fields and output stddev by default.
+ push-notification: Add SSL support for OX backend.
- NUL bytes in mail headers can cause truncated replies when fetched.
- director: Conflicting host up/down state changes may in some rare situations end up in a loop of two directors constantly overwriting each others' changes.
- virtual plugin: Some searches used 100% CPU for many seconds
- dsync assert-crashed with acl plugin in some situations.
- mail_attachment_detection_options=add-flags-on-save assert-crashed with some specific Sieve scripts.
- Mail snippet generation crashed with mails containing invalid Content-Type:multipart header.
- Log prefix ordering was different for some log lines.
- quota: With noenforcing option current quota usage wasn't updated.
- auth: Kerberos authentication against Samba assert-crashed.
- stats clients were unnecessarily chatty with the stats server.
- imapc: Fixed various assert-crashes when reconnecting to server.
- lmtp, submission: Fix potential crash if client disconnects while handling a command.
- quota: Fixed compiling with glibc-2.26 / support libtirpc.
- fts-solr: Empty search values resulted in 400 Bad Request errors
- fts-solr: default_ns parameter couldn't be used
- submission server crashed if relay server returned over 7 lines in a reply (e.g. to EHLO)

It looks like the ce-2.3.3 repository (or at least https://repo.dovecot.org/ce-2.3.3/ubuntu/xenial/) is returning a 403.

Michael
Re: Dovecot User Listing Error - getpwent() failed: Invalid Argument
I think this might be caused by glibc 2.28. I saw a similar error with the "doveadm purge" command after upgrading my system to that version.

Michael Marley

On 2018-08-31 13:10, Aki Tuomi wrote:

I'll see if this is reproducible

---
Aki Tuomi
Dovecot oy

Original message
From: Reuben Farrelly
Date: 31/08/2018 17:41 (GMT+02:00)
To: Aki Tuomi, Dovecot Mailing List
Subject: Re: Dovecot User Listing Error - getpwent() failed: Invalid Argument

Sure:

https://www.reub.net/files/dovecot/lightning-dovecot.conf
https://www.reub.net/files/dovecot/thunderstorm-dovecot.conf

Updated nightly.

Reuben

On 1/09/2018 12:26 am, Aki Tuomi wrote:

Can you provide doveconf -n?

---
Aki Tuomi
Dovecot oy

Original message
From: Reuben Farrelly
Date: 31/08/2018 17:12 (GMT+02:00)
To: Aki Tuomi, Dovecot Mailing List
Subject: Re: Dovecot User Listing Error - getpwent() failed: Invalid Argument

No. Neither of those are installed on either system.

Reuben

On 1/09/2018 12:09 am, Aki Tuomi wrote:

Could apparmor or selinux be causing this!

---
Aki Tuomi
Dovecot oy

Original message
From: Reuben Farrelly
Date: 31/08/2018 16:50 (GMT+02:00)
To: Dovecot Mailing List
Subject: Dovecot User Listing Error - getpwent() failed: Invalid Argument

Hi,

I'm running dovecot-2.3 git and seeing on 2 of my Dovecot installations, the following message logged quite frequently:

Aug 31 16:55:53 lightning.reub.net dovecot[7698]: auth-worker(7707): Error: getpwent() failed: Invalid argument
Aug 31 16:55:53 lightning.reub.net dovecot[7698]: replicator: Error: User listing returned failure
Aug 31 16:55:53 lightning.reub.net dovecot[7698]: replicator: Error: listing users failed, can't replicate existing data

It appears that this could be having an effect on replication, but it's unclear because the secondary/replica doesn't see much traffic.

Authentication is via PAM and the system is Gentoo Linux x86_64. passdb driver = pam, userdb driver = static.

doveadm user -u '*' shows the system users listed twice like this (is this a problem?) and then prints:

reuben
liam
reuben
liam
Error: User listing returned failure
Fatal: user listing failed

To me that doesn't look right.

Can anyone suggest what could be causing this? I don't recall seeing this message some time ago so I suspect it's a recent change in either dovecot, or pam or glibc etc..

Thanks,
Reuben
Re: Ubuntu Auth Issues with new repository code..
On 12/27/17 4:38 PM, Howard Leadmon wrote:
> Saw the new repository notification, and figured what the heck I
> would try letting it upgrade me from the current v2.2.22 release that
> apparently is in the Ubuntu 16.04 packages, to the new repository
> release of v2.3.0.
>
> I followed the info on repo.dovecot.org, and first it started
> bitching about lmtp (dovecot: master: Fatal: service(lmtp)
> access(/usr/lib/dovecot/lmtp) failed: No such file or directory), so I
> went back and installed the dovecot-lmtpd package and that seemed to
> fix that issue. Just FYI, I had dovecot-core, dovecot-imapd, and
> dovecot-pop3d installed on the system.
>
> OK, so now it started up, said it was 2.3.0 and I thought all was
> good, but now all authentication is failing. I turned on some of the
> logging debugging, and am seeing the below:
>
> dovecot: auth-worker(19578): Debug:
> pam(toss1,127.0.0.1,): lookup service=dovecot
> dovecot: auth-worker(19578): Debug:
> pam(toss1,127.0.0.1,): #1/1 style=1 msg=Password:
> dovecot: auth-worker(19578): pam(toss1,127.0.0.1,):
> pam_authenticate() failed: System error
> dovecot: auth: Debug: client passdb out: FAIL#0111#011user=toss1
> dovecot: imap-login: Aborted login (auth failed, 1 attempts in 3
> secs): user=, method=PLAIN, rip=127.0.0.1, lip=127.0.1.1,
> session=
>
> I took and compared my auth files like 10-auth.conf, and
> auth-system.conf.ext, and they are identical between the two versions,
> even though they were overwritten as part of the upgrade.
>
> If I just uninstall the 2.3.0 release, and install 2.2.22 back on the
> server, it all just starts working again. So for now I am back on
> 2.2, but was willing to give 2.3 a run if I can get it going. Any
> ideas as to what to look at to get this working, would be great. As
> stated above, this is Ubuntu Server 16.04.03, and I am also running
> Postfix and amavis-new, but don't think they should really impact me
> using dovecot for email over POP3 or IMAP..
>
> ---
> Howard Leadmon
> PBW Communications, LLC
> http://www.pbwcomm.com
>

Try adding "CAP_AUDIT_WRITE" to CapabilityBoundingSet in /lib/systemd/system/dovecot.service. I had the same problem when I upgraded to 2.3.0.

Michael
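
The reply above points at CapabilityBoundingSet in the service unit. As an added example (not from the thread or the Dovecot project), the shell function below reports whether a unit file's bounding set permits a given capability. The function names and the sample unit contents are constructed for illustration, and only the plain allow-list form is evaluated (an inverted `~` list returns status 2).

```shell
#!/bin/sh
# Added example: check a systemd unit file's CapabilityBoundingSet for a capability.

# cap_in_bounding_set UNIT_FILE CAPABILITY   (hypothetical helper name)
# Exit status: 0 = capability permitted (listed, or no bounding set configured)
#              1 = capability dropped by the bounding set
#              2 = inverted (~) list present; not evaluated here
cap_in_bounding_set() {
    awk -v want="$2" '
        /^\[/ { in_service = ($0 == "[Service]"); next }
        in_service && /^CapabilityBoundingSet[ \t]*=/ {
            seen = 1
            value = $0
            sub(/^[^=]*=[ \t]*/, "", value)
            # An empty assignment resets everything accumulated so far.
            if (value == "") { split("", caps); next }
            if (value ~ /^~/) { inverted = 1; next }
            # Repeated assignments are merged, so accumulate across lines.
            n = split(value, parts, /[ \t]+/)
            for (i = 1; i <= n; i++) caps[parts[i]] = 1
        }
        END {
            if (inverted) exit 2
            if (!seen) exit 0
            exit ((want in caps) ? 0 : 1)
        }
    ' "$1"
}

# Constructed sample unit (not the unit file Dovecot ships); $2 is the capability list.
write_sample_unit() {
    printf '[Unit]\nDescription=constructed sample\n\n[Service]\nExecStart=/usr/sbin/dovecot -F\nCapabilityBoundingSet=%s\n' "$2" > "$1"
}

# Stand-alone demonstration on two constructed units: without and with the capability.
tmp=$(mktemp -d)
write_sample_unit "$tmp/before.service" "CAP_CHOWN CAP_SETUID CAP_SETGID"
write_sample_unit "$tmp/after.service" "CAP_CHOWN CAP_SETUID CAP_SETGID CAP_AUDIT_WRITE"
for name in before after; do
    if cap_in_bounding_set "$tmp/$name.service" CAP_AUDIT_WRITE; then
        echo "$name: CAP_AUDIT_WRITE permitted"
    else
        echo "$name: CAP_AUDIT_WRITE dropped"
    fi
done
rm -rf "$tmp"
```

On a real host, `systemctl show dovecot -p CapabilityBoundingSet` prints the effective set after drop-ins are merged, which a single-file check cannot see.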
Re: Dovecot 2.3-rc1 SMTP submission proxy always gives TLS required error even when already using TLS
On 2017-12-22 11:22, Michael Marley wrote:
> On 2017-12-21 16:48, Stephan Bosch wrote:
> > On 12/18/2017 at 9:44 PM, Michael Marley wrote:
> > > First of all, I apologize for my accidental empty message earlier.
> > >
> > > I just set up the SMTP submission proxy in Dovecot 2.3, but whenever I
> > > try to connect to it, it always returns "530 5.7.0 TLS required." for
> > > any sort of AUTH or MAIL command. This occurs even if TLS is being
> > > used. It also occurs regardless of whether I connect with a real
> > > client (Thunderbird) or manually with openssl s_client and regardless
> > > of whether a loopback connection or a remote connection is used. Here
> > > is the output of "dovecot -n". Please let me know if I can provide
> > > any other data. Thanks!
> >
> > Confirmed. Working on a fix.
> >
> > Regards,
> >
> > Stephan.
>
> I can confirm that it works correctly in 2.3.0, thanks!
>
> Michael

I think I spoke too soon. It works correctly (requiring TLS but working once STARTTLS has been done) for remote connections, but it also is requiring TLS for loopback connections, even though the rest of Dovecot doesn't work this way.

Michael
Re: Dovecot 2.3-rc1 SMTP submission proxy always gives TLS required error even when already using TLS
On 2017-12-21 16:48, Stephan Bosch wrote:
> On 12/18/2017 at 9:44 PM, Michael Marley wrote:
>
>> First of all, I apologize for my accidental empty message earlier.
>>
>> I just set up the SMTP submission proxy in Dovecot 2.3, but whenever I
>> try to connect to it, it always returns "530 5.7.0 TLS required." for
>> any sort of AUTH or MAIL command. This occurs even if TLS is being
>> used. It also occurs regardless of whether I connect with a real
>> client (Thunderbird) or manually with openssl s_client and regardless
>> of whether a loopback connection or a remote connection is used. Here
>> is the output of "dovecot -n". Please let me know if I can provide
>> any other data. Thanks!
>
> Confirmed. Working on a fix.
>
> Regards,
>
> Stephan.

I can confirm that it works correctly in 2.3.0, thanks!

Michael
Dovecot 2.3-rc1 SMTP submission proxy always gives TLS required error even when already using TLS
First of all, I apologize for my accidental empty message earlier.

I just set up the SMTP submission proxy in Dovecot 2.3, but whenever I try to connect to it, it always returns "530 5.7.0 TLS required." for any sort of AUTH or MAIL command. This occurs even if TLS is being used. It also occurs regardless of whether I connect with a real client (Thunderbird) or manually with openssl s_client and regardless of whether a loopback connection or a remote connection is used. Here is the output of "dovecot -n". Please let me know if I can provide any other data. Thanks!

# 2.3.0.rc1 (12aba5948): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.0.alpha1 (f60f2785)
# OS: Linux 4.14.7-041407-generic x86_64 Ubuntu Bionic Beaver (development branch)
auth_mechanisms = plain login
auth_username_format = %Ln
mail_location = mdbox:~/mdbox
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
plugin {
  sieve = file:~/sieve;active=~/.dovecot.sieve
}
postmaster_address = mich...@michaelmarley.com
protocols = imap sieve lmtp submission
service auth {
  unix_listener /var/spool/postfix/private/dovecot-auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service imap-login {
  inet_listener imaps {
    port = 0
  }
}
service lmtp {
  process_min_avail = 5
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
ssl = required
ssl_cert =
Re: v2.3.0 release candidate released
On 2017-12-18 10:23, Timo Sirainen wrote:
> https://dovecot.org/releases/2.3/rc/dovecot-2.3.0.rc1.tar.gz
> https://dovecot.org/releases/2.3/rc/dovecot-2.3.0.rc1.tar.gz.sig
>
> It's finally time for v2.3 release branch! There are several new and exciting
> features in it. I'm especially happy about the new logging and statistics
> code, which will allow us to generate statistics for just about everything.
> We didn't have time to implement everything we wanted for them yet, and there
> especially aren't all that many logging events yet that can be used for
> statistics. We'll implement those to v2.3.1, which might also mean that some
> of the APIs might still change in v2.3.1 if that's required.
>
> We also have new lib-smtp server code, which was used to implement SMTP
> submission server and do a partial rewrite for LMTP server. Please test these
> before v2.3.0 to make sure we don't have any bad bugs left!
>
> BTW. The v2.3.0 will most likely be signed with a new PGP key ED409DA1.
>
> Some of the larger changes:
>
> * Various setting changes, see https://wiki2.dovecot.org/Upgrading/2.3
> * Logging rewrite started: Logging is now based on hierarchical events.
>   This makes it possible to do various things, like: 1) giving
>   consistent log prefixes, 2) enabling debug logging with finer
>   granularity, 3) provide logs in more machine readable formats
>   (e.g. json). Everything isn't finished yet, especially a lot of the
>   old logging code still needs to be translated to the new way.
> * Statistics rewrite started: Stats are now based on (log) events.
>   It's possible to gather statistics about any event that is logged.
>   See http://wiki2.dovecot.org/Statistics for details
> * ssl_dh setting replaces the old generated ssl-parameters.dat
> * IMAP: When BINARY FETCH finds a broken mail, send [PARSE] error
>   instead of [UNKNOWNCTE]
> * Linux: core dumping via PR_SET_DUMPABLE is no longer enabled by
>   default due to potential security reasons (found by cPanel Security
>   Team).
>
> + Added support for SMTP submission proxy server, which includes
>   support for BURL and CHUNKING extension.
> + LMTP rewrite. Supports now CHUNKING extension and mixing of
>   local/proxy recipients.
> + auth: Support libsodium to add support for ARGON2I and ARGON2ID
>   password schemes.
> + auth: Support BLF-CRYPT password scheme in all platforms
> + auth: Added LUA scripting support for passdb/userdb.
>   See https://wiki2.dovecot.org/AuthDatabase/Lua
> - Input streams are more reliable now when there are errors or when
>   the maximum buffer size is reached. Previously in some situations
>   this could have caused Dovecot to try to read already freed memory.
> - Output streams weren't previously handling failures when writing a
>   trailer at the end of the stream. This mainly affected encrypt and
>   zlib compress ostreams, which could have silently written truncated
>   files if the last write happened to fail (which shouldn't normally
>   have ever happened).
> - virtual plugin: Fixed panic when fetching mails from virtual
>   mailboxes with IMAP BINARY extension.
> - Many other smaller fixes
Crashing when run against OpenSSL 1.1.0c
Hi,

I am running Dovecot 2.2.26.0 compiled against OpenSSL 1.1 and, since upgrading to OpenSSL 1.1.0c, the "lmtp" process has been crashing with SIGSEGV whenever it receives SIGINT. This always happens a minute or so after the lmtp process handles a message. It can also be manually reproduced by sending SIGINT to one of the running lmtp processes. I am compiling and running on an Ubuntu 17.04 x86_64 system using GCC 6.2.

Here is the output of me reproducing it with gdb:

(gdb) signal SIGINT
Continuing with signal SIGINT.

Program received signal SIGSEGV, Segmentation fault.
0x7f6748cc2fb0 in ?? ()
(gdb) bt
#0 0x7f6748cc2fb0 in ?? ()
#1 0x7f674872ac60 in ossl_init_thread_stop (locals=) at crypto/init.c:336
#2 0x7f674872aee4 in OPENSSL_cleanup () at crypto/init.c:391
#3 0x7f67491052e0 in __run_exit_handlers (status=0, listp=0x7f674948c5d8 <__exit_funcs>, run_list_atexit=run_list_atexit@entry=true, run_dtors=run_dtors@entry=true) at exit.c:83
#4 0x7f674910533a in __GI_exit (status=) at exit.c:105
#5 0x7f67490eb3f8 in __libc_start_main (main=0x555b35fbfbc0 , argc=1, argv=0x7ffd4ede3588, init=, fini=, rtld_fini=, stack_end=0x7ffd4ede3578) at ../csu/libc-start.c:325
#6 0x555b35fbfe3a in _start ()

Here is the output of "doveconf -n":

# 2.2.26.0 (23d1de6): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.devel (623ae77)
# OS: Linux 4.8.7-040807-generic x86_64 Ubuntu Zesty Zapus (development branch)
auth_mechanisms = plain login
auth_username_format = %Ln
mail_location = mdbox:~/mdbox
mailbox_list_index = yes
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
plugin {
  sieve = file:~/sieve;active=~/.dovecot.sieve
}
postmaster_address = mich...@michaelmarley.com
protocols = imap sieve lmtp
service auth {
  client_limit = 1624
  unix_listener /var/spool/postfix/private/dovecot-auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service imap-login {
  inet_listener imaps {
    port = 0
  }
}
service lmtp {
  process_min_avail = 5
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
ssl = required
ssl_ca =
) at crypto/init.c:336
#2 0x76ff7ee4 in OPENSSL_cleanup () at crypto/init.c:391
#3 0x778472e0 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#4 0x7784733a in exit () from /lib/x86_64-linux-gnu/libc.so.6
#5 0x7782d3f8 in __libc_start_main () from /lib/x86_64-linux-gnu/libc.so.6
#6 0xf68a in _start ()

If there is anything I have missed or if there is any other way I can help, please let me know.

Thanks,
Michael Marley