Re: Maybe a bit offtopic, Sieve behaviour

2022-08-24 Thread Sean Kamath
I recommend reading the RFC: section 2.10.2 is where the Implicit Keep is 
described.

Basically, if you don’t take action on a message, there is an “implicit keep” 
that will save the mail in the default location.  If an action *is* taken on a 
message (that results in it being saved somewhere; i.e., ‘fileinto’), then the 
implicit keep is removed (since you have explicitly said where to put it).

So there’s the “keep” keyword (see section 4.3), to “do what you would do 
in the implicit keep” (more or less).

So:

fileinto :create "ac" -> puts the message into "ac" and removes the "implicit keep"
keep -> puts the implicit keep back (more or less)

fileinto :copy :create "ac" -> puts a *COPY* of the message into "ac", and the 
original retains the "implicit keep".

They do the same thing, though I try and avoid unnecessary extensions when I 
can.

Sean

> On Aug 24, 2022, at 07:29, João Silva  wrote:
> 
> 
> On 23/08/2022 13:03, Rob Sterenborg (Lists) wrote:
>> 
>> On 23-08-2022 11:44, João Silva wrote:
>>> Hi
>>> 
>>> If a sieve filter contains a rule
>>> 
>>> if header :regex ["From"] ["@xxx.com","@yyy.pt"] {
>>>  fileinto :create "ac";
>>> }
>>> 
>>> The mail should be copied to the folder ac and then proceed to the other rules 
>>> that a user might have, or have I understood
>>> 
>>> fileinto
>>> 
>>> wrong?
>>> 
>>> Using dovecot-pigeonhole-2.2.36-8.el7.x86_64
>>> 
>> 
>> I use it like this, and it works for me:
>> 
>> if address :is "From" "sender@domain" {
>>   fileinto :create "some_mail_folder";
>>   stop;
>> }
>> 
>> Almost 20 years ago, I figured out that I *need* the "stop;" line, but I 
>> don't remember why.
> 
> The stop; is needed to prevent further script actions on the email and that 
> is a very curious thing that I don't know if it falls in the "bug or feature" 
> field.
> 
> if I use
> 
> if header :regex ["From"] ["@xxx.com","@yyy.pt"] {
>  fileinto :create "ac";
>  keep;
> }
> 
> It delivers the mail in my Inbox which was my intention in the first place.
> 
> When I used the filter without the keep; and since I didn't have the stop; I 
> was expecting further actions on that email that would lead to the email ending 
> up in the Inbox, and that didn't happen.
> 
> So it appears that the fileinto rule has a stop; in it without the stop 
> being declared.
> 
> In a complex mail management scenario that can cause problems. So my question 
> is, "bug or feature"?
> 
> 
> 
>> 
>> 
>> -- 
>> Rob
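
The three variants Sean lists (bare fileinto, fileinto plus keep, fileinto :copy), plus Rob's fileinto-then-stop, run through a small model of the action-set rules from RFC 5228 section 2.10.2 and the :copy extension (RFC 3894). This is an added example, not Pigeonhole code and not from the thread: it does not evaluate tests, so it assumes the enclosing `if` matched and executes only the action lines.

```python
"""Model of Sieve's implicit keep (RFC 5228 2.10.2, RFC 3894 :copy).

Added example: not Pigeonhole. Conditions are not evaluated; every 'if' is
assumed to have matched and only straight-line action statements count.
"""
import re
import shlex

ACTION_RE = re.compile(r"^\s*(fileinto|redirect|keep|discard|stop)\b(.*?);\s*$")


def run_actions(script: str) -> dict:
    """Return where the message ends up after the action lines in `script`."""
    implicit_keep = True        # RFC 5228 2.10.2: in force until cancelled
    explicit_keep = False       # 'keep;' delivers regardless of what else ran
    folders, redirects = [], []
    for line in script.splitlines():
        m = ACTION_RE.match(line)
        if not m:
            continue            # 'require', 'if ... {', '}', comments: no action
        verb, rest = m.group(1), m.group(2)
        args = shlex.split(rest)                # unquotes "ac", keeps :tags
        copy = ":copy" in args                  # RFC 3894: act on a copy, keep the keep
        targets = [a for a in args if not a.startswith(":")]
        if verb == "fileinto":
            folders.append(targets[0])
            implicit_keep = implicit_keep and copy   # plain fileinto cancels it
        elif verb == "redirect":
            redirects.append(targets[0])
            implicit_keep = implicit_keep and copy
        elif verb == "keep":
            explicit_keep = True
        elif verb == "discard":
            implicit_keep = False               # RFC 5228 4.4: cancels implicit keep only
        elif verb == "stop":
            break                               # RFC 5228 3.3: a pending keep still happens
    return {"INBOX": implicit_keep or explicit_keep,
            "folders": folders, "redirects": redirects}


# The scripts from the thread (straight quotes; the condition is assumed to match).
BARE = '''
if header :regex ["From"] ["@xxx.com","@yyy.pt"] {
  fileinto :create "ac";
}
'''
WITH_KEEP = BARE.replace('fileinto :create "ac";', 'fileinto :create "ac";\n  keep;')
WITH_COPY = BARE.replace("fileinto :create", "fileinto :copy :create")
WITH_STOP = BARE.replace('fileinto :create "ac";', 'fileinto :create "ac";\n  stop;')

if __name__ == "__main__":
    for name, script in [("bare", BARE), ("keep", WITH_KEEP),
                         ("copy", WITH_COPY), ("stop", WITH_STOP)]:
        print(f"{name:5s} -> {run_actions(script)}")
```

The model gives the result João saw: the bare rule files into "ac" and nothing reaches INBOX, while either `keep;` or `:copy` leaves a copy there. It also shows what Rob's `stop;` does and does not do: it does not restore the implicit keep, it only prevents later rules from filing the same message a second time.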



Re: macOS ManageSieve client?

2022-02-19 Thread Sean Kamath
Welp, I use https://github.com/philpennock/sieve-connect 


But that means editing .sieve files and then pushing them to the server.

Sean

> On Feb 19, 2022, at 06:20, Gerben Wierda  wrote:
> 
> I have a dovecot & dovecot-sieve running under MacPorts on my macOS ’server’. 
> I do a very low tech maintenance on sieve, by using the cli on the server and 
> edit sieve by hand for myself. I’d like to open this up to other users.
> 
> How do people use this from their macOS clients? For this, the ManageSieve 
> protocol exists and this is implemented by dovecot-sieve, but other than 
> installing roundcube and offering a web-based mail client that also supports 
> ManageSieve, is there another way? A ManageSieve client that directly runs on 
> the macOS client and interfaces with dovecot-sieve on the server?
> 
> After all, routing mail to different mailboxes better happens server-side so 
> that all clients profit.
> 
> Gerben Wierda (LinkedIn )
> R IT Strategy  (main site)
> Book: Chess and the Art of Enterprise Architecture 
> 
> Book: Mastering ArchiMate 
> 



Re: silly question [ot]

2022-01-30 Thread Sean Kamath
> On Jan 30, 2022, at 10:55, Chris Bennett  
> wrote:
> 
> On Tue, Jan 25, 2022 at 03:50:12AM -0900, justina colmena ~biz wrote:
>> Maybe a future programming project idea: I want a system that will store all 
>> mail messages and user account info in, say, a postgresql transactional 
>> database, a little more manageable and reliable than ad hoc databasing with 
>> those flat files all over the place cluttering up the system.
>> 
> 
> I am in progress moving towards something like that.
> As of right now, perl,  dovecot for IMAP, neomutt and OpenSMTPD.
> 
> Right now, .neomuttrc files *only* exist during the usage of neomutt.
> They have random names, cannot be written to and are immediately erased
> after neomutt starts (not quits). That is a very small window of threat.
> 
> I would very much like to put all of the messages into PostgreSQL also
> instead of file folders under the user vmail.
> 
> This is just a side project.
> As I have been advised, there is no need to even write a configuration
> file at all, but there are some issues with dbh that I need to solve
> with a different database module.
> 
> If someone can read files that never exist, well...
> At some point you have to at least consider trusting something.
> That or just turn it all off and get another career.
> 
> -- 
> Chris Bennett

At some point you gotta ask yourself why you’re trusting your database more 
than your OS.

And why you don’t trust the OS to handle files in a trusted way, but do for 
memory.

Sean

Re: Sieve_before

2020-10-23 Thread Sean Kamath


> On Oct 23, 2020, at 04:20, @lbutlr  wrote:
>> Does your To or CC address end with a '.'?
> 
> No, what I am trying to get is "user" and "example" in "u...@example.com".

The question was meant to elucidate that the ‘match’ string ended with a ‘.’.  
I understand what you’re trying to do.

> That would break many things, but I will look into it. What I have done for 
> now and is working is a much more complicated process where I am manually 
> removing the '@' myself:

Perhaps (I am not sure if pigeonhole has it) the regex extension would be 
helpful: https://tools.ietf.org/id/draft-ietf-sieve-regex-01.html 


>> if address :matches ["To", "Cc"] ["*@*.*"] {
> 
> Thanks for the advice, I will definitely give that a go,

I’m unclear if the match line I proposed would set 1, 2 and 3, and you can 
ignore 3. 

Sean

Re: Sieve_before

2020-10-22 Thread Sean Kamath



> On Oct 22, 2020, at 15:58, @lbutlr  wrote:
> 
> On 22 Oct 2020, at 15:46, @lbutlr  wrote:
>> And it doesn't explain why "if address :matches ["To", "Cc"] ["*@*."] {" 
>> also failed to match despite also showing the email address.
>> 
>>> “krem...@kreme.com” does not have a :detail part 
>>> (https://wiki2.dovecot.org/Pigeonhole/Sieve/Examples talks about this).
>> 
>> And I am not asking for :detail
> 
> OK, fair enough. I looked at that line many times for some reason.
> But the first point still stand.

Does your To or CC address end with a '.'?

One problem I had with :matches (if I recall correctly, I can’t find where I 
ran into this) is that :matches has an implicit “^” and “$” wrapped around what 
you’re looking for.

“some random string”

then trying to :match “random” won’t match that string.  “*random*” *will* 
match (as will “some*” and “*string”).

Like I said, I’m not 100% sure, but I suspect if you add * to the end:

if address :matches ["To", "Cc"] ["*@*.*"] {

It might work.

Sean

Re: Sieve_before

2020-10-22 Thread Sean Kamath


> On Oct 22, 2020, at 12:19, @lbutlr  wrote:
> 
> On 22 Oct 2020, at 10:05, @lbutlr  wrote:
>> require ["variables", "copy"];
>> 
>> if address :matches ["To", "Cc"] ["*@*."] {
>>  redirect :copy "backup+295.${1}.${2}@*example.com*";
>> }
> 
> I have tried this with similar results:
> 
> require ["copy", "variables", "envelope", "fileinto", "subaddress"];
> 
>   if envelope :matches :detail "to" "*" {
> set :lower "name" "${1}";
> redirect :copy "backup+295.${name}@@*example.com*";
>   }
> 
>  ## Started executing script 'bcc'
>   5: envelope test
>   5:   starting `:matches' match with `i;ascii-casemap' comparator:
>   5:   getting `to' part from message envelope
>   5:   extracting `detail' part from address 
>   5:   finishing match with result: not matched
>   5: jump if result is false
>   5:   jumping to line 7
>  ## Finished executing script 'bcc'
> 
> So why are these not matching? I can see the 'detail' right there, and this 
> matches examples that I see online.
> 
> (I've read, I think, every page google or DDG can find that contains 
> "redirect :copy" to no avail).
> 

If I read that bcc trace, it says “extracting ‘detail’ part from address 
<krem...@kreme.com>”.

“krem...@kreme.com” does not have a :detail part 
(https://wiki2.dovecot.org/Pigeonhole/Sieve/Examples talks about this).

If it were “kremels+th...@kreme.com” then the 
next line ought to say “finished match with result: ‘thing’” or some such.

My notes from my sieve file:

# :localpart = :user+:detail
# address are :localpart @ :domain, or :user + :detail @ :domain
# See RFC5233

Sean

Re: Sieve and recipient_delimiter

2019-11-16 Thread Sean Kamath via dovecot
From the Notes section of my sieve file, because I always forget this

# MORE NOTES:
# Using :localpart takes just the local part of an address
# header selects a header, address selects an address
# Looks like this is the spec:
# :localpart = :user+:detail
# address are :localpart @ :domain, or :user + :detail @ :domain
# See RFC5233

I use this bit for figuring out what :detail something (might) be going to:

 # Check to see if we have detail. . .
 if address :matches :detail "To" "*" {
  # Save name in ${detail} in all lowercase
  # Joe, joe, jOe thus all become 'joe'.
  # Note that we set it to lower, not first-cap
  # because we're going to use this name for a mailbox
  set :lower "detail" "${1}";
  set :lower "user" "${def_user}";
 }

I don’t know where I got this from, but I am pretty sure it was on this list. 
:-)

I use it to bucket email based on detail (if no detail, it goes into the 
address’s default folder, otherwise it goes into the detail folder).

Sean


> On Nov 16, 2019, at 09:46, @lbutlr via dovecot  wrote:
> 
> I use recipient_delimiter addresses quite a bit, and I want to put several 
> of them into a mailbox
> 
> if anyof (header :contains ["to"] [ "FOO", "foo", "bar", "florin"]) {
>    fileinto :create "later";
>    stop;
> }
> 
> When I get an email addressed to me+...@example.com or me_flo...@example.com, 
> the messages end up in my inbox (Yes, I have both + and _ defined as 
> delimiters in postfix and in dovecot).
> 
> Is this because sieve is not seeing the delimiter? I am wondering this 
> because I have another rule that seems to be working fine that is largely the 
> same, but operates on domains:
> 
> if anyof ( header :contains ["From"] ["kreme.com", "localdomain1.tld", 
>   "localdomain2.tld", "localdomain3.tld", "covisp.net" ]){
>   fileinto :create "priority";
> }
> 
> 
> 
> -- 
> She'd always tried to face towards the light. But the harder you stared into
> the brightness the harsher it burned into you until, at last, the temptation
> picked you up and bid you turn around to see how long, rich, strong and dark,
> streaming away behind you, your shadow had become- --Carpe Jugulum



Re: Migrating from Dovecot 1 to Dovecot 2

2017-11-05 Thread Sean Kamath
On Nov 3, 2017, at 4:23 PM, Dovecot list  wrote:
> 
> Hello.
> I am trying to migrate about 200G of mail from one server to another.
> On the old one I have Dovecot 1 with Maildirs (without master password etc.); on the
> new one I have set up Dovecot 2 with mdbox. I now need to migrate (partially, not
> all at once) mail from one to the other.
> I can't find any solution that I can use. I don't have a master password, and
> I want to migrate all mail accounts from one to the other. Can anyone give me a working
> config for this? Ideally the migrated mail would not need to be downloaded by the
> mail client again.
> Thanks for any help.
> Best regards.

Hi.  I just did this.

All things considered, it went without impact.

It wasn’t perfect, as when someone was accessing their mailbox I’d get errors.  
So, for the final sync, I turned off the imap service for everything but the 
transfer (blocked at the firewall).

All things considered, it went well.  I’m sure this is jacked up and wrong and 
whatnot, but I got my wife and kids (and me!) moved over with hardly any hiccups 
at all!

I still happen to have the config files I used:

I ended up doing some random crap that probably didn’t need to be done: Taking 
the output of dovecot -n and putting it in a template file (mostly to get the 
location of the sdbox’s I use).  Then I added the following after it:

imapc_host = old_dovecot1_host
imapc_port = 993
imapc_ssl = imaps
imapc_user = %%USER%%
imapc_password = %%PASSWORD%%
mail_fsync = never
imapc_ssl_verify = no
imapc_features = rfc822.size fetch-headers
# Read multiple mails in parallel, improves performance
mail_prefetch_count = 20

Now, I don’t know if this is all correct or not, but it generally worked well.   
The imapc_ssl_verify = no bit was because my cert expired in the middle of the 
migration.  Prior to that I had:

ssl_client_ca_file = /home//dovecot/certs/huh.crt

So, basically, I then wrote a script (I called it ‘synchrotron’ because that’s 
me):

#!/bin/sh

TEMPL=/home//conf.template   # the dovecot -n output plus the imapc_* lines above
ACCTS=/home//accounts        # user:password, one per line (file name assumed; keep it mode 0600)

if [ "$(whoami)" != "root" ]
then
    echo "You should be root, my friend."
    exit 1
fi

# mktemp creates the file 0600; it holds a password, so remove it on any exit
CONF=$(mktemp)
trap 'rm -f "$CONF"' EXIT INT TERM

do_sync() {
    UNAME=$1
    # -f2- keeps passwords that themselves contain ':'
    PASS=$(grep "^$UNAME:" "$ACCTS" | cut -d: -f2-)
    if [ -z "$PASS" ]
    then
        echo "Unknown user $UNAME: No Password!"
        return
    fi
    # escape what sed treats specially in a replacement (/, &, \)
    ESC_PASS=$(printf '%s\n' "$PASS" | sed 's/[\/&\\]/\\&/g')
    # overwrite the existing 0600 file rather than recreating it with the umask perms
    sed -e "s/%%USER%%/$UNAME/" -e "s/%%PASSWORD%%/$ESC_PASS/" "$TEMPL" > "$CONF"
    START=$(date +%s)
    echo "START: $(date)"
    echo "Running doveadm backup -R -u $UNAME imapc: (config in $CONF)"
    /usr/local/bin/doveadm -v -c "$CONF" backup -R -u "$UNAME" imapc:
    ret=$?
    STOP=$(date +%s)
    echo "STOP: Returned $ret $(date)"
    echo "Duration: $(expr "$STOP" - "$START") seconds"
}

# This allows you to specify a user on the command line. . .
if [ $# -gt 0 ]
then
    echo "Only doing a few users"
    while [ $# -gt 0 ]
    do
        do_sync "$1"
        shift
    done
    exit
fi

# Otherwise, do 'em all

# I like to log everything (the log carries user names, never passwords)
exec >> /tmp/synchrotron.out 2>&1

for user in $(cut -d: -f1 "$ACCTS")
do
    do_sync "$user"
done


Re: Share Website certificate with SSL/STL Dovecot IMAP and Postifix SMTP

2017-09-10 Thread Sean Kamath
In a word, yes.

I use the same cert for Dovecot and Sendmail.  I don’t bother with HTTP, but it 
would work just fine.

Certs are basically certs — you can use the same one in multiple places.

As for keeping it from things being seen as spam. . . I’m not sure how that 
would work.

Sean

> On Sep 8, 2017, at 3:05 AM, Marco Marco  wrote:
> 
> Hi guys,
> 
> 
> I've bought a certificate from the authority for my website to use to access 
> in https mode.
> 
> Is it possible to share the same key pair to authenticate the emails sent by 
> Postfix and Dovecot, in order to avoid clients such as Hotmail.it or Gmail 
> treating these as spam?
> 
> 
> Thank you
> 


Re: Dovecot POP3 STARTTLS works on Thunderbird but not on Gmail

2014-11-20 Thread Sean Kamath
http://googleonlinesecurity.blogspot.com/2014/09/gradually-sunsetting-sha-1.html

??

Sean

On Nov 16, 2014, at 5:39 AM, Aleš Grm ales@kopitarna.eu wrote:

 Ok, I tried on port 995, and on Gmail I get SSL error: unable to verify
 the first certificate. Certificate is not self-signed (using StartCOM).
 The log now shows:
 
 Nov 16 14:37:52 mail dovecot: auth: Debug: auth client connected (pid=31923)
 Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x10, ret=1:
 before/accept initialization [209.85.213.23]
 Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x2001,
 ret=1: before/accept initialization [209.85.213.23]
 Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x2001,
 ret=1: SSLv3 read client hello A [209.85.213.23]
 Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x2001,
 ret=1: SSLv3 write server hello A [209.85.213.23]
 Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x2001,
 ret=1: SSLv3 write certificate A [209.85.213.23]
 Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x2001,
 ret=1: SSLv3 write server done A [209.85.213.23]
 Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x2001,
 ret=1: SSLv3 flush data [209.85.213.23]
 Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x2002,
 ret=-1: SSLv3 read client certificate A [209.85.213.23]
 Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x2002,
 ret=-1: SSLv3 read client certificate A [209.85.213.23]
 Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x2001,
 ret=1: SSLv3 read client key exchange A [209.85.213.23]
 Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x2001,
 ret=1: SSLv3 read finished A [209.85.213.23]
 Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x2001,
 ret=1: SSLv3 write session ticket A [209.85.213.23]
 Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x2001,
 ret=1: SSLv3 write change cipher spec A [209.85.213.23]
 Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x2001,
 ret=1: SSLv3 write finished A [209.85.213.23]
 Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x2001,
 ret=1: SSLv3 flush data [209.85.213.23]
 Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x20, ret=1:
 SSL negotiation finished successfully [209.85.213.23]
 Nov 16 14:37:52 mail dovecot: pop3-login: Warning: SSL: where=0x2002,
 ret=1: SSL negotiation finished successfully [209.85.213.23]
 Nov 16 14:37:53 mail dovecot: pop3-login: Warning: SSL alert: where=0x4008,
 ret=256: warning close notify [209.85.213.23]
 Nov 16 14:37:53 mail dovecot: pop3-login: Disconnected (no auth attempts in
 1 secs): user=, rip=209.85.213.23, lip=192.168.100.94, TLS: Disconnected,
 session=duAK+PkH5QDRVdUX
 ^C
 
 Could the form of public part of certificate be wrong? I'm using only .CRT.
 
 Kopitarna Sevnica d. d.
 
 Prvomajska ulica 8
 8290 SEVNICA
 SLOVENIA
 www.kopitarna.eu
 Cell: +386 31 899 993
 Land: +386 7 81 63 440
 
 On 16 November 2014 14:19, Reindl Harald h.rei...@thelounge.net wrote:
 
 
 Am 16.11.2014 um 14:05 schrieb Aleš Grm:
 
 I have configured Dovecot to work perfectly on Thunderbird using SSL
 certificates with STARTTLS on port 110. When I try to add this account on
 Gmail I get the error:
 
 In Gmail my settings include port 110 and the use of SSL is checked.
 Dovecot configuration:
 
 Any idea why does it work with Thunderbird and not with Gmail?
 
 
 surely - gmail wants 995 instead of 110 (meaning not STARTTLS) and doesn't accept
 self-signed certificates, BTW
 
 
 


Re: [Dovecot] Enable mail logger plugin

2014-02-19 Thread Sean Kamath

On Feb 19, 2014, at 1:24 PM, Alexandre Ellert aell...@numeezy.com wrote:
 Hello,
 
 I'm trying to get more info about user activity (especially when they delete 
 some email).
 So, I followed the info from http://wiki2.dovecot.org/Plugins/MailLog to enable the 
 mail logger plugin, but I don't see anything in my logs.
 
 Can you tell me what I'm missing ?
 
 Thanks.
 
 # doveconf -n
 ...
 mail_location = maildir:/var/vmail/%d/%n/Maildir
 mail_plugins = quota mail_log notify
 mail_privileged_group = mail
 mail_uid = 5000
 ...
 protocol imap {
  mail_max_userip_connections = 80
  mail_plugins = quota imap_quota antispam
 }
 protocol pop3 {
  mail_max_userip_connections = 30
  mail_plugins = quota
 }
 

I see mail_plugins = quota mail_log notify at the top there, but in the 
protocol imap block it's mail_plugins = quota imap_quota antispam.
Doesn't the imap block override the global setting?

Sean
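
The override Sean points at, as a before/after configuration fragment. This is an added example, not the poster's configuration: the `plugin { }` values are assumed and chosen for a delete audit, which is what the question was about.

```conf
# Before (from the posted doveconf -n): the protocol block *replaces* the
# global list, so mail_log and notify are never loaded for IMAP sessions,
# which is where the deletes happen.
mail_plugins = quota mail_log notify
protocol imap {
  mail_plugins = quota imap_quota antispam
}

# After: extend the global list instead of replacing it, and say which
# events and fields to log (values assumed; pick what you need to audit).
mail_plugins = quota mail_log notify
protocol imap {
  mail_plugins = $mail_plugins imap_quota antispam
}
plugin {
  mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
  mail_log_fields = uid box msgid size from
}
```

After reloading, `doveconf -n` should show the imap block's mail_plugins starting with the global list; if it still reads `quota imap_quota antispam` the edit went into a file that is not the one being loaded.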


Re: [Dovecot] Allowing clients to test their Sieve scripts

2013-06-21 Thread Sean Kamath

On Jun 19, 2013, at 1:00 AM, Steffen Kaiser skdove...@smail.inf.fh-brs.de 
wrote:
 On Fri, 14 Jun 2013, Frerich Raabe wrote:
 I then usually just run the sieve-test binary (part of the Pigeonhole 
 distribution) and send them the output. However, I was wondering - is there 
 maybe a way for them to try it themselves? Like, maybe a tiny web server 
 which just prints a form asking for a mail file and a sieve script, and then 
 it runs sieve-script and prints the output of that? I wonder how other 
 people do that.
 
 You are not referring to syntax errors, are you?
 
 Otherwise, this seems to be a nice idea to let users actually _test_ their 
 scripts. However, I wonder how educated they are, in order to paste in a 
 correct mail file incl. header and the like.

Better would be to let them submit a message from a folder, or all messages in 
a folder.  I.e., run Sieve on folder 'TestSieve', then users can just drag 
messages there and test it (or, if I had that functionality, copy them).

Just a thought.

Sean



Re: [Dovecot] dsync timeout?

2013-02-02 Thread Sean Kamath

On Feb 1, 2013, at 8:09 AM, micah anderson mi...@riseup.net wrote:

 Sean Kamath kam...@moltingpenguin.com writes:
 
 On Jan 30, 2013, at 3:46 PM, micah anderson mi...@riseup.net wrote:
 Seems that only the above process was still around and no other dsync
 processes. I have three machines that all have this happening it seems.
 
 I wonder if there is a ssh configuration option I could set to make
 these die off.
 
 If the ssh process isn't sending anything, and just waiting for read()s, and 
 keepalives are turned off, the SSH session might never know the remote side 
 is long gone. . .
 
 If any data were transmitted, it would discover the remote side is turned 
 off.
 
 See man ssh_config and the option TCPKeepAlive.
 
 BTW: Since it's not on the command line, it's likely in /etc/ssh_config or 
 /etc/ssh/ssh_config.  Or ~/.ssh/config.
 
 In /etc/ssh/sshd_config on the server I'm sending to, TCPKeepAlive yes
 is set.

Did you check ~/.ssh/config for the user running the dsync?

 The default on this system, according to the man page, seems to be to
 have TCPKeepAlive set. 
 
 Perhaps I should set ServerAliveInterval?


Perhaps.  That states how long to send the KeepAlive packet.

There are many settings that can affect this, including

ServerAliveCountMax
ServerAliveInterval
TCPKeepAlive

There is also the sshd_config settings

ClientAliveCountMax
ClientAliveInterval
TCPKeepAlive

At this point, I think you need to see what's happening on both sides of the 
SSH connection.  I don't recall what system you're on, but for linux you can 
use netstat -anp (as root) to find out what process is connected to which port, 
and on linux and other systems you can use lsof to find out what is connected 
to ports.

Maybe the TCP port is open and valid and there's no data coming through?  This 
can happen if, for example, you have any port forwarding or X session 
forwarding through SSH (i.e., if ssh -X is the default) and something is 
accidentally holding that port open.  This can happen in your regular shell 
if, for example, you open an X application and forget about it (because you 
backgrounded it): your logout from the server will hang until the X 
applications are closed.  Note that it isn't always a visible client that 
will do this. :-(

Sean



Re: [Dovecot] dsync timeout?

2013-01-30 Thread Sean Kamath

On Jan 30, 2013, at 3:46 PM, micah anderson mi...@riseup.net wrote:
 Seems that only the above process was still around and no other dsync
 processes. I have three machines that all have this happening it seems.
 
 I wonder if there is a ssh configuration option I could set to make
 these die off.

If the ssh process isn't sending anything, and just waiting for read()s, and 
keepalives are turned off, the SSH session might never know the remote side is 
long gone. . .

If any data were transmitted, it would discover the remote side is turned off.

See man ssh_config and the option TCPKeepAlive.

BTW: Since it's not on the command line, it's likely in /etc/ssh_config or 
/etc/ssh/ssh_config.  Or ~/.ssh/config.

Sean

Re: [Dovecot] dovecot testinstallation does not tell how to quit

2012-12-27 Thread Sean Kamath

On Dec 27, 2012, at 11:38 AM, Robert Moskowitz r...@htt-consult.com wrote:

 
 On 12/27/2012 01:33 PM, Reindl Harald wrote:
 
 Am 27.12.2012 19:28, schrieb Robert Moskowitz:
 I am having problems logging in with RoundCube, so thought I should see if 
 there were instructions for testing
 Dovecot login, and sure enough I found some at:
 
 wiki.dovecot.org/Testinstallation
 
 Well it works, so the problem is probably all RoundCube's, but this wiki 
 page is missing an important line about
 how to end the Telnet session without killing Telnet!  What is the 
 quit/exit command?  And please add this to the
 wiki!
 
 Oh, I just guessed it:
 
 a logout
 google imap quit telnet session leads to
 http://www.yuki-onna.co.uk/email/imap.html
 
 So there you have
 
 c logout
 
 and I got
 
 a logout
 
 to work as well.

Almost any identifier before the 'logout' will work.  IMAP protocol uses a 
tagged command structure, so that commands can be interleaved and replies will 
respond with the identifier provided.  I usually use '1 logout'.  Note 
identifiers can be reused as well ;-)

Sean

PS At least it's now in the mail archives. :-)

  But I might think that a testing doc can include this little tidbit, rather 
 than do yet another search.  Since this is a Dovecot test doc, I also might 
 think it would have POP3 testing instructions!  But I was happy to find the 
 IMAP.  Now to figure out why RoundCube fails to login with the same user that 
 I logged in via Telnet.
 
 Thanks for the pointer.
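
Tagged commands as Sean describes them, in an added Python example (not from the thread, not Dovecot code): it encodes arguments as IMAP quoted strings or literals, builds tagged commands, and matches the replies in a server transcript back to the tags that issued them. The transcript below is constructed to look like a Dovecot session; the tag values are arbitrary, as the thread says. The quoting is the part worth copying: a client that pastes a raw password into `a LOGIN user pass` lets a value containing `"` or CRLF end the command and start a second one with its own tag, and the tagged-reply scheme will then happily report a result for it.

```python
"""IMAP tagged commands: safe argument encoding and matching replies by tag.

Added example, not from the thread or Dovecot. TRANSCRIPT is constructed.
"""
import itertools
from typing import Dict, Iterator, List, Tuple

CTL = set(range(0x00, 0x20)) | {0x7F}


def astring(value: str) -> str:
    """Encode one argument as a quoted string, or as a literal when it holds
    CR, LF, other control bytes or non-ASCII (RFC 3501 section 4.3)."""
    data = value.encode("utf-8")
    if any(b in CTL or b >= 0x80 for b in data):
        # A real client sends '{n}\r\n', waits for the '+' continuation, then the bytes.
        return "{%d}\r\n%s" % (len(data), value)
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def command(tag: str, name: str, *args: str) -> str:
    """'<tag> <NAME> <arg>...' with every argument encoded, CRLF-terminated."""
    return " ".join([tag, name, *map(astring, args)]) + "\r\n"


def tag_sequence(prefix: str = "A", width: int = 4) -> Iterator[str]:
    """What clients usually do: A0001, A0002, ... so replies are unambiguous."""
    for n in itertools.count(1):
        yield f"{prefix}{n:0{width}d}"


def parse_responses(transcript: str) -> Tuple[List[str], Dict[str, List[Tuple[str, str]]]]:
    """Split a raw server transcript into untagged lines and, per tag, a list of
    (status, text). Tags may be reused (as Sean notes), so keep a list, latest last."""
    untagged: List[str] = []
    tagged: Dict[str, List[Tuple[str, str]]] = {}
    for line in transcript.splitlines():
        if line.startswith("* "):
            untagged.append(line[2:])                # untagged data or status
        elif line == "+" or line.startswith("+ "):
            untagged.append(line)                    # continuation request
        elif line:
            tag, _, rest = line.partition(" ")
            status, _, text = rest.partition(" ")
            tagged.setdefault(tag, []).append((status, text))
    return untagged, tagged


def status_of(tagged: Dict[str, List[Tuple[str, str]]], tag: str) -> str:
    """Result of the most recent command sent with `tag`."""
    return tagged[tag][-1][0]


# Constructed server side of a session: a login, a failed login, then 'a logout'
# reusing the tag 'a'.
TRANSCRIPT = (
    "* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN] Dovecot ready.\r\n"
    "a OK [CAPABILITY IMAP4rev1] Logged in\r\n"
    "b NO [AUTHENTICATIONFAILED] Authentication failed.\r\n"
    "* BYE Logging out\r\n"
    "a OK Logout completed.\r\n"
)

if __name__ == "__main__":
    tags = tag_sequence()
    print(command(next(tags), "LOGIN", "user", 'p"ss\\word'), end="")
    print(command(next(tags), "LOGOUT"), end="")
    untagged, tagged = parse_responses(TRANSCRIPT)
    print("untagged:", untagged)
    for tag, results in tagged.items():
        print(tag, "->", results)
```

The `* BYE` before `a OK Logout completed.` is the normal shape of a logout: the untagged line announces the close, the tagged line answers the command, and a client that only waits for its tag still gets a complete answer.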
 
 



Re: [Dovecot] IPv6 SSL

2012-10-05 Thread Sean Kamath

On Oct 5, 2012, at 10:20 PM, Luigi Rosa li...@luigirosa.com wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 Nick Rosier said the following on 05/10/12 22:47:
 
 How do you enable this in Thunderbird? If by enabling IPv6 you mean you
 put in the IPv6 address instead of the hostname, that's probably where
 you're wrong. The certificate contains your hostname, not the IP-address,
 so the hostname verification check fails if you insert the IPv6 address
 (i.e. hostname.tld != 2001:470:1f09:203:fdbf:508e:4a29:56c5), so your
 connection fails.
 
 Good point. But does not explain why it works if I put the IPv4 address of the
 server (the local LAN IPv4, not the public IPv4).
 
 I've verified this by changing the hostname to IPv6 in Thunderbird and
 got the same error as you do. You would get the same error if you
 configure the IPv4 address in TB.
 
 The server I am referring to has 2 NICs one with a public IP and the other
 with a local IP address (10.0.0.254)
 
 If I put 10.0.0.254 instead of the IPv6 address I can successfully connect
 using TLS:
 
 Oct  6 07:13:44 mail dovecot: imap-login: Login: user=lr...@hypertrek.info,
 method=CRAM-MD5, rip=10.0.0.155, lip=10.0.0.254, mpid=17812, TLS,
 session=LZhzDV3LMQAKE0Ob

And do you have a PTR record for 10.0.0.254?

Sean



Re: [Dovecot] Search extensions

2012-08-19 Thread Sean Kamath

On Aug 18, 2012, at 7:57 PM, Timo Sirainen wrote:

 I'm thinking about adding at least one new SEARCH command extension to 
 Dovecot: ability to search from any headers in the mail, including MIME 
 headers in the body. So the idea is that you could somewhat quickly ask e.g. 
 show me all mails with pdf attachments:
 
 a search or x-anyheader application/pdf x-anyheader .pdf
 b fetch $ bodystructure
 
 The client can verify the results with the fetch. The x-anyheader can 
 already be implemented without changes to full text search plugin, because 
 all backends store message/MIME headers and body text separately.
 
 So, questions for the list, especially client developers:
 
 1) What's a better name for x-anyheader? :)
 
 2) Any other ideas about search extensions you'd want to see? Maybe I could 
 get this standardized at some point.
 
 I think one other thing missing has been show me messages that have 
 attachments. I've thought about maybe creating a $hasattachments keyword for 
 that, which the server could automatically set for new mails that it thinks 
 has attachments (and clients can set/unset the keyword if wanted).

At work we've flipped to Google mail (I run Dovecot at home).  99.9% of the 
time I just cry.

One feature of their search capability that sometimes is nice is the ability 
not only to see if it has an attachment (has:attachment) but to search for 
attachments by a specific name (filename:text).  That can be, and has proven, 
useful.  I suspect this could turn into a nightmare, however.  Ditto something 
like "has N attachments" (something I dearly wish I had at times -- I want to 
find that damn message with like 10 attachments).  Or math around the number 
of attachments.

My $0.02.

Sean



Re: [Dovecot] Issues with Plus addressing and detail part of subaddress.

2012-07-19 Thread Sean Kamath

On Jul 18, 2012, at 12:51 AM, Sean Kamath wrote:
 Since dovecot-lda is passed the -d option, it's using that (and only that) 
 for delivery.  Since there's no X-Original-To: header, it doesn't really have 
 any option (since the non-envelope-to address might not exist, or point to 
 something other than the end user's mailbox, etc).
 
 It would appear that I have two options:
 
 1) Figure out what macro(s) is(are) valid to pass to dovecot-lda with the -a 
 option in the sendmail config file (sendmail.cf).
 
 2) Get sendmail to put X-Original-To: address in the header.
 
 Both would appear to be a sendmail issue, not a dovecot/pigeonhole issue.

OK, for the archives:

I went with Option 2.  In my sendmail.mc, I added:

LOCAL_CONFIG
H?${u}?X-Original-To: $u

This adds the header X-Original-To with the envelope recipient as the value.

Seems like a hack, but what can you do?  It works.

BTW: No one asked, but I thought I'd just mention that the reason I want to use 
the envelope recipient address is many bulk-mailing lists will use blind 
addressing, so you can't use the To: or Cc: headers effectively.

Anyway, sorry for the noise everyone.

Sean



Re: [Dovecot] Issues with Plus addressing and detail part of subaddress.

2012-07-18 Thread Sean Kamath
On Jul 17, 2012, at 3:18 AM, Charles Marcus wrote:
 I really thought it would be a simple here's what you missed, since
 the logs are relatively uninformative...
 
 The point is, what may appear to be uninformative to you may tell Timo (or 
 someone else who knows what to look for) all they need to know to pinpoint 
 the problem.

Whilst I would normally agree, at the same time I've had a fair amount of 
experience with dovecot and sendmail (been running them for over 10 years).  
Pigeonhole is new to me, however. . .

 One thing I did notice is that you are sending this mail from an internal 
 IP... since most people use very different checks for such mail (bypassing 
 many/most checks), maybe you should be testing from an external address (one 
 that comes in from outside your network)?

So I have a DMZ that houses the mail server for my domain, which is where the 
private addresses are.  Connections are passed through the OpenBSD router to 
the mail server.   So testing from an external address would be essentially the 
same (since the connection to the SMTP server talks to the sendmail process as 
the /usr/lib/sendmail process).  Regardless, my original tests were sending 
mail from the Mac off-network.

 Also, it is always recommended when setting up a new server to start with the 
 latest version... for 2.0.x that would be 2.0.19, but the latest is 2.1.8...

When I set it up, 2.0.13 _was_ the latest. :-)

I was hoping to avoid the pain of recompiling dovecot and pigeonhole.  Not that 
big a deal, I guess. . .

>> lda_original_recipient_header = X-Original-To
>> lmtp_save_to_detail_mailbox = yes
> 
> Ok, I think this is the problem...
> 
> Dovecot's LMTP currently does NOT preserve the x-original-to header... in 
> fact, brought this up recently (I was one of the ones interested in Timo 
> adding support for it) on this (and the postfix, which is what I use) on this 
> very list:
> 
> http://www.dovecot.org/list/dovecot/2012-April/065075.html
> 
> Apparently, after Timo discussed this on the postfix list, he determined that 
> it would not be a very significant change for him to make to add support for 
> this header in LMTP and that he would get to it sooner than later, but as of 
> now, it has not been added.

Actually, I'm not using lmtp.  I whacked the lmtp_save_to_detail_mailbox in an 
effort to see if that was the issue before I realized I don't have it turned on.

dovecot.conf has:

protocols = imap

though in 20-managesieve.conf I have:

protocols = $protocols sieve

I just turned it off and restarted dovecot (though lmtp was not running) and 
re-ran the test with the same result.

So, I think what's going on is pretty straightforward.  The local mailer 
definition in the sendmail.cf file is:

Mlocal, P=/usr/local/libexec/dovecot/dovecot-lda, F=lsDFMAw5:/|@qSPhn9, 
S=EnvFromL/HdrFromL, R=EnvToL/HdrToL,
T=DNS/RFC822/X-Unix,
A=/usr/local/libexec/dovecot/dovecot-lda -d $u

This is more or less right out of the wiki.

Since dovecot-lda is passed the -d option, it's using that (and only that) for 
delivery.  Since there's no X-Original-To: header, it doesn't really have any 
option (since the non-envelope-to address might not exist, or point to 
something other than the end user's mailbox, etc).

It would appear that I have two options:

1) Figure out what macro(s) is(are) valid to pass to dovecot-lda with the -a 
option in the sendmail config file (sendmail.cf).

2) Get sendmail to put X-Original-To: address in the header.

Both would appear to be a sendmail issue, not a dovecot/pigeonhole issue.

Everything I find on the web seems to center around how to use plus addressing 
to accept mail from multiple email address and filter it into a single address 
for delivery, only to have the local delivery agent break it back out again.  
That's not my issue. :-(

Sean
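The recipient-resolution problem described in this post, as an added Python model (not Dovecot or Pigeonhole code). It assumes the behaviour the thread reports: dovecot-lda takes an explicit -a address first, otherwise the header named by lda_original_recipient_header, and otherwise knows only the -d user, so no detail part survives; the sample messages are constructed after the thread's /tmp/email.tst.

```python
import email
from typing import Optional

RECIPIENT_DELIMITER = "+"                    # plugin { recipient_delimiter = + }
ORIGINAL_RECIPIENT_HEADER = "X-Original-To"  # lda_original_recipient_header


def resolve_recipient(user: str, message: str,
                      a_option: Optional[str] = None) -> str:
    """Envelope recipient as dovecot-lda would determine it (assumed order).

    `user` is what sendmail's $u expands to for -d (the local user, "rewards"
    in the thread).  The To: header is deliberately not consulted: it is
    message content, not the envelope.
    """
    if a_option:                                       # dovecot-lda -a <address>
        return a_option
    original = email.message_from_string(message).get(ORIGINAL_RECIPIENT_HEADER)
    if original:                                       # header added by the MTA
        return original.strip()
    return user                                        # bare -d user: no detail


def envelope_detail(address: str) -> Optional[str]:
    """RFC 5233 :detail -- the local part after the first delimiter, or None
    when the address carries no detail (the Sieve test then fails)."""
    local_part = address.split("@", 1)[0]
    if RECIPIENT_DELIMITER not in local_part:
        return None
    return local_part.split(RECIPIENT_DELIMITER, 1)[1]


def folder_for(user: str, message: str,
               a_option: Optional[str] = None) -> Optional[str]:
    """Folder chosen by the thread's rule
       if envelope :detail "to" "test" { fileinto "plustest"; }
    None means the rule did not match and the message stays in INBOX."""
    detail = envelope_detail(resolve_recipient(user, message, a_option))
    return "plustest" if detail == "test" else None


# Constructed sample messages, modelled on the thread's /tmp/email.tst.
MSG_PLAIN = (
    "From: rewards@enoent.net\n"
    "To: rewards+test@enoent.net\n"
    "Subject: sieve test\n"
    "\n"
    "This is a test\n"
)
MSG_WITH_ORIGINAL_TO = "X-Original-To: rewards+test@enoent.net\n" + MSG_PLAIN

if __name__ == "__main__":
    # The Mlocal line passes only "-d $u": the detail never reaches Sieve.
    print(folder_for("rewards", MSG_PLAIN))                                   # None
    # Either of the two fixes listed in the post makes the detail visible.
    print(folder_for("rewards", MSG_PLAIN, a_option="rewards+test@enoent.net"))  # plustest
    print(folder_for("rewards", MSG_WITH_ORIGINAL_TO))                        # plustest
```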





Re: [Dovecot] Issues with Plus addressing and detail part of subaddress.

2012-07-17 Thread Sean Kamath

On Jul 16, 2012, at 3:44 AM, Charles Marcus wrote:
>>> dovecot -n output maybe
>> 
>> Certainly (wasn't on the list of things to put in a post on the web
>> site, so I missed it):
> 
> Which website?


http://www.dovecot.org/mailinglists.html

And I missed it, it says use dovecot -n when showing your configuration.

> http://dovecot.org/bugreport.html

I was sure it wasn't a bug, it was a screwup on my part in the configuration, 
so I didn't read the bugreport page.

> I have suggested that Timo put a short simple list of troubleshooting 
> suggestions (ie, asking for dovecot -n output and basic non-verbose logs 
> (unless/until asked for verbose logs)) in the welcome message when 
> subscribing to the list (like postfix does)... but in all honesty, most 
> people don't read those either.

Well, there could also be a dovecot-bugreport script.  Much as I hate 'em, 
sometimes they work...

> Regardless, providing configuration details and logs exhibiting the problem 
> is one the most basic requirements when asking for help on any email support 
> list I've ever been on...

I really thought it would be a simple here's what you missed, since the logs 
are relatively uninformative. . .  

> Not sure how anyone was supposed to guess that you were using sendmail 
> either...
> 
> And even when you replied to Tom's message suggesting you provide some logs, 
> you still didn't...
> 
> We'll be happy to try to help you, but we'll need your help in order to do 
> that...

Thank you, I recall from years ago how responsive and kind people are on this 
mailing list.  I certainly wasn't trying to be cryptic.

Here's the complete set of everything.  I wrote a little script to do this 
repeatedly, to make it easy to make changes and try again.

Note that in the last test, it works.  Simply adding X-Original-To: 
rewards+t...@enoent.net and sending the same message with /usr/lib/sendmail 
-t < msg will do what's expected.

Sean


Dovecot -n output:

Command: dovecot -n

# 2.0.13: /etc/dovecot/dovecot.conf
# OS: SunOS 5.10 sun4u  
base_dir = /var/run/dovecot/
hostname = mail.enoent.net
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
lda_original_recipient_header = X-Original-To
lmtp_save_to_detail_mailbox = yes
mail_location = sdbox:~/Mail:INDEX=/var/dovecot/indices/%u
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character 
vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy 
include variables body enotify environment mailbox date
passdb {
  driver = pam
}
plugin {
  recipient_delimiter = +
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/.sieve
}
protocols = imap sieve
ssl_cert = /etc/mail/certs/server.crt
ssl_key = /etc/mail/certs/server.key
userdb {
  driver = passwd
}
protocol lda {
  mail_plugins =  sieve
}


Sendmail version:

Command: echo quit | /usr/lib/sendmail -bs | head -1

220 spector.dmz.enoent.net ESMTP Sendmail 8.14.5/8.14.5/Submit; Tue, 17 Jul 
2012 00:26:52 -0700 (PDT)


Sieve Script

Command: cat /home/rewards/.dovecot.sieve

require ["fileinto", "envelope", "subaddress"];

if header :contains "subject" ["test"] {
  fileinto "subtest";
}

if envelope :detail "to" "test" {
  fileinto "plustest";
  stop;
}


Email Message

Command: cat /tmp/email.tst

From: rewa...@enoent.net
To: rewards+t...@enoent.net
Subject: sieve test

This is a test


Syslog Output

Command: sed 's/ //' /tmp/syslog.diff

4555,4568d4554
Jul 17 00:26:52 spector.dmz.enoent.net sendmail[7665]: [ID 801593 mail.info] 
q6H7Qqld007665: from=rewards, size=89, class=0, nrcpts=1, 
msgid=201207170726.q6h7qqld007...@spector.dmz.enoent.net, 
relay=rewards@localhost
Jul 17 00:26:53 spector.dmz.enoent.net sendmail[7667]: [ID 702911 mail.info] 
STARTTLS=server, relay=localhost [127.0.0.1], version=TLSv1/SSLv3, verify=NOT, 
cipher=DHE-RSA-AES256-SHA, bits=256/256
Jul 17 00:26:53 spector.dmz.enoent.net sendmail[7665]: [ID 702911 mail.info] 
STARTTLS=client, relay=[127.0.0.1], version=TLSv1/SSLv3, verify=FAIL, 
cipher=DHE-RSA-AES256-SHA, bits=256/256
Jul 17 00:26:53 spector.dmz.enoent.net milter-greylist: [ID 751742 mail.info] 
q6H7Qq2g007667: Sender IP 127.0.0.1 and address 
rewa...@spector.dmz.enoent.net are SPF-compliant, bypassing greylist
Jul 17 00:26:53 

[Dovecot] Issues with Plus addressing and detail part of subaddress.

2012-07-15 Thread Sean Kamath
Hi all,

So, it's been a while.  I'm just ramping back up with Dovecot after a hiatus of 
a few years.

I've been using it fine, complete with Sieve, for about a year, with little or 
no issues.

I finally got around to setting up a second account, to start figuring out how 
I want to do some plus address filtering.

In a nutshell, I want to put mail for foo+bar in foo's 'bar' folder.  That's in 
the wiki.

I did this:


require ["fileinto", "envelope", "subaddress"];

if header :contains "subject" ["test"] {
  fileinto "Test";
}

if envelope :detail "to" "test" {
  fileinto "test";
  stop;
}

So, this fails miserably.  No error message, nothing in the logs, no nothing.  
Yet, when I run

sieve-test .dovecot.sieve /path/to/testmessage

it works just fine.  I even run

sieve-test -e .dovecot.sieve /path/to/testmessage

and it files it just fine into the folder.

I tried adding some debug logging, but it looks like vnd.dovecot.debug isn't in 
my version.

I searched the archives, and found a bit about adding (explicitly) the 
delimiter to the plugin section of 90-sieve.conf.  So I did that.

I'm running 2.0.13 of dovecot, and pigeonhole 0.2.3 on Solaris 10.

Before I dive in and upgrade everything, am I missing something simple?  The 
test bit works just fine (and in another account as well), so I think 
something's just not seeing the detail in subaddressing when mail is delivered 
(even though it works just fine with sieve-test).

Thanks,
Sean



Re: [Dovecot] Issues with Plus addressing and detail part of subaddress.

2012-07-15 Thread Sean Kamath

On Jul 15, 2012, at 4:34 AM, Charles Marcus wrote:
> On 2012-07-15 4:50 AM, Sean Kamath kam...@moltingpenguin.com wrote:
>> Before I dive in and upgrade everything, am I missing something simple?
> 
> dovecot -n output maybe?

Certainly (wasn't on the list of things to put in a post on the web site, so 
I missed it):

# 2.0.13: /etc/dovecot/dovecot.conf
# OS: SunOS 5.10 sun4u  
base_dir = /var/run/dovecot/
hostname = mail.enoent.net
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
lda_original_recipient_header = X-Original-To
lmtp_save_to_detail_mailbox = yes
mail_location = sdbox:~/Mail:INDEX=/var/dovecot/indices/%u
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character 
vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy 
include variables body enotify environment mailbox date
passdb {
 driver = pam
}
plugin {
 recipient_delimiter = +
 sieve = ~/.dovecot.sieve
 sieve_dir = ~/.sieve
}
protocols = imap sieve
ssl_cert = /etc/mail/certs/server.crt
ssl_key = /etc/mail/certs/server.key
userdb {
 driver = passwd
}
protocol lda {
 mail_plugins =  sieve
}

Sean




Re: [Dovecot] Issues with Plus addressing and detail part of subaddress.

2012-07-15 Thread Sean Kamath

On Jul 15, 2012, at 1:27 PM, Tom Hendrikx wrote:

> On 15-07-12 13:34, Charles Marcus wrote:
>> On 2012-07-15 4:50 AM, Sean Kamath kam...@moltingpenguin.com wrote:
>>> Before I dive in and upgrade everything, am I missing something simple?
>> 
>> dovecot -n output maybe?
> 
> Adding some log output of a message that, according to you, should have
> been delivered to folder Bar but ended up somewhere else, would be nice
> too.
> Be sure to include both logging of dovecot and the MTA talking to
> dovecot (you didn't mention which one).

Heh.  I spent 1/2 an hour rerunning all the tests, gathering detailed logs, the 
whole nine yards and then, as an afterthought, added this:


Here's the relevant portion of my sendmail.mc file for the MAILER definition of 
dovecot-lda:

FEATURE(`local_procmail', `/usr/local/libexec/dovecot/dovecot-lda', `/usr/local/libexec/dovecot/dovecot-lda -d $u')
MODIFY_MAILER_FLAGS(`LOCAL', `-f')
MAILER(procmail)


Sure enough, since there is no X-Original-To header in the messages, and I 
don't specify the -a option to dovecot-lda, there's failure.

Does anyone happen to know the right way to get that full address through?  The 
only note about anything remotely related to this is in the dovecot-lda which 
states that -d is not necessary with system users (all my accounts will be 
system users).

Sean

Re: [Dovecot] Webmail app ... again.

2008-08-14 Thread Sean Kamath


On Aug 13, 2008, at 10:32 PM, Timo Sirainen wrote:


On Aug 14, 2008, at 1:26 AM, Sean Kamath wrote:

But the big killer is scaleability and handling multiple servers,  
which is why some sort of front end like IMAPProxy are attractive.


I've heard that imapproxy isn't all that useful with Dovecot once  
auth cache is enabled and set large enough. It'll then just  
basically replace Dovecot's process fork(s) with the overhead of its  
own.




Oops, good point, I'd forgotten about that whole discussion from a few  
months ago.


So the only real benefit to keeping cached connections would be in  
saving the TCP overhead, I guess...


Sean


Re: [Dovecot] Webmail app ... again.

2008-08-13 Thread Sean Kamath


On Aug 13, 2008, at 4:03 PM, Roderick A. Anderson wrote:


Daniel L. Miller wrote:

Geert Hendrickx wrote:

On Wed, Aug 13, 2008 at 04:37:11PM -0400, Timo Sirainen wrote:

One thing that would be nice, that pretty much no webmail does,  
is to
keep a stateful connection open all the time (or at least some of  
the
time) instead of creating tons of short-lived connections that  
ask the
same stuff over and over again. With a stateful connection you  
could
basically run IDLE and wait for changes there instead of asking  
all  the
time is there new mail? is there new mail now? what about   
now?.


I'm sure native support would be better, but how is this  
different from using Squirrelmail with IMAPProxy?


Very interesting.  I was thinking of how to do something similar to  
IMAPProxy.  Now I may not have to reinvent that wheel.


Seems to me you could use something like mod_perl to have state- 
keeping processes running that can keep the connections alive, going  
IDLE after 10 seconds or so after the last request they got.  You can  
limit the number of open connections from any given process with LRU  
queuing, but I don't have suggestions on how to tie which process gets  
which request.  Perhaps by writing a middle-layer service that all the  
processes talk to?


But the big killer is scaleability and handling multiple servers,  
which is why some sort of front end like IMAPProxy are attractive.


Good luck

Sean


Re: [Dovecot] Server power loss and Dovecot is already running with PID xxx

2008-07-01 Thread Sean Kamath


On Jul 1, 2008, at 12:51 AM, Timo Sirainen wrote:

Is this already a known problem?
Should the start-up logic be made more robust (e.g. check whether a
process corresponding to the PID actually exists)?


It already checks if the PID exists, but it doesn't check what that
process is (and I don't think there is a portable way to do it  
anyway).

I don't think it's too much to ask to delete the master.pid if in rare
situations it fails to start due to a PID conflict.


This is a pet peeve of mine for many services started at boot time.   
Since the ordering of service startup is usually fairly static, a  
*LOT* of times process IDs are nearly identical on boot.  Depending on  
which way they go, if they drift towards earlier, you'll have the PID  
in use.  This drove me NUTS with Sun's LDAP server.


Many recent OSes are now using memory-based filesystems for /var/run,  
or otherwise clear out /var/run at boot time.  But if a process stores  
its PID somewhere else, you're SOL (much like Sun One Directory Server  
does).


The problem with having to remove a master.pid file on boot is that  
you might have a BUNCH of clients or customers that are using your  
system, and you're either asleep at 3am when the server kicked over,  
or in another state.  It's not a problem if you have staff watching  
machines reboot. ;-)


Sorry, had to kibitz.

Sean

PS I often times add a 'rm $PID' line in the init.d script, and let a  
server die because it couldn't bind to the port.  That doesn't work  
with everything, though.




Re: [Dovecot] Throttle New Connections?

2007-11-19 Thread Sean Kamath


On Nov 19, 2007, at 9:24 AM, Joe Allesi -X (joallesi - Coyote Creek  
Consulting at Cisco) wrote:



All,

Is anyone using iptables (recent module), or any other alternatives,  
to

throttle the number of new imap or pop connections per minute? We have
some applications that like to login every second to pull mail using
imap, so we'd like to protect the entire dovecot server from these
applications. We've already made the change over to high-perf mode,  
but
we still need some type of denial of service protection. Any real- 
world

data would be appreciated.


Yeah, I throttle initial connections per IP to something like 15 or  
20.  I started doing this after I got hit with a little more than 600  
connections/second for a few minutes.


I use OpenBSD with pf.

Sean


Re: [Dovecot] Time just moved backwards

2007-04-08 Thread Sean Kamath


On Apr 8, 2007, at 11:00 AM, Bill Cole wrote:


At 7:25 PM +0200 4/8/07, Chaos Engine wrote:

Hi there,
I got a daily cron (rdate to local time server) job which adjusts  
time and

which constantly gives me headache.


Which is one reason (out of many) NTP was invented. :-)


Every day my dovecot suicides with:

dovecot: Time just moved backwards by 11 seconds. This might  
cause a lot of

problems, so I'll just kill myself now.

Of course my onboard clock is constantly off by more than 5 secs.


How of course?

The last time I had a machine's NTP synch stop working, it diverged  
less than 2 seconds from reality in a week. Looking at a few  
machines where the LOM cards have RTC's independent of the  
motherboard RTC's, I see divergence of 0-4 seconds  over the past 2  
months.


MANY cheap PC RTCs drift like a log on the ocean in a hurricane.  The  
fact you mention a LOM card sort of indicates you might be looking at  
a Sun or the like.  Their clocks are better.





I don't want
to abandon time synchronization and I want to use dovecot.


Frankly, using 'rdate' is not time synchronization.  It's time  
*setting* on a regular basis.  It's like calling 'time' on the phone  
every few minutes/hours and setting your watch to what it says.  And  
what are you rdating your clock to?  Another machine that has a  
drifting RTC?  NTP has the concept of tiers, so you can trust the  
Atomic Clock above the GPS Clock above the machine you think is  
pretty good, which in turn is above your (broken, but better than  
nothing) RTC.



Maybe a
-HUP signal would do? What do you propose?


3 options

1. Repair your hardware. Gaining 5 seconds per day is not normal,  
and really should not be tolerated in a system that has to converse  
with other machines.


Not always an option. :-)

2. Set up something that will do the adjustment for you on a more  
continuous basis. Xntpd will track your drift and keep you more in  
sync on a continuous basis by slewing the clock rather than  
stepping it back daily.


NTP is a LOT smarter than anyone realizes.  It's best to use this,  
because MANY *really smart* people have invested more time than is  
reasonable in solving way more problems than you'll even encounter  
running a machine.


3. Make that cron job smarter but stopping Dovecot (and anything  
else that might care about time moving backwards) ahead of the  
change, and then waiting until your clock is back ahead of that to  
restart them.


There are technical strategies (e.g. Maildir naming) which rely on  
the assumption of the clock never repeating the same second twice.


It's not just dovecot, by the way.  MANY things don't like having time  
move backward, like Cron, at, etc.  You should *NEVER* have the clock  
jump back in time (except during DST changes -- yuk).


The correct way to handle time on Unix systems is to set the clock at  
boot (rdate, ntpdate, etc), and then *skew* the clock, so time slows  
down to match the right time.  It can always jump forward, but NTP  
only jumps by a (settable) maximum amount per time-quantum.  This  
lets things like make, NFS caching, and a bunch of other  
stuff just work.


As far as I know, all shipping OSes now have a working NTP client,  
and it's VERY easy to just add


server pool.ntp.org

to the ntpd.conf file, and you're good to go on reboot.

Sean
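The step-versus-slew argument in this post, as an added Python simulation (not Dovecot or ntpd code): the same drifting clock is disciplined two ways and sampled once a second, the way a daemon reading the wall clock sees it. "step" is the daily rdate cron job from the thread, "slew" is what ntpd does within its 500 ppm maximum slew rate, and Dovecot's check is modelled as "a reading earlier than the previous one is fatal"; the 11 s/day drift is taken from the quoted log line.

```python
DRIFT_PER_DAY = 11.0        # seconds the RTC gains per day (from the log line)
DAY = 86400                 # seconds
SLEW_LIMIT = 500e-6         # ntpd maximum slew rate, 500 ppm


def simulate(strategy, days=2, initial_error=0.0):
    """Return (backward_jumps, converged_at).

    backward_jumps: list of (true_second, delta) where the local clock read
    earlier than it did one second before -- each one would kill Dovecot.
    converged_at: first second the local clock is within 10 ms of true time
    (None if never); only meaningful for the slew strategy.
    """
    drift_per_second = DRIFT_PER_DAY / DAY
    error = initial_error            # local clock minus true time
    previous_local = error           # reading at true second 0
    backward_jumps, converged_at = [], None
    for true_t in range(1, days * DAY + 1):
        error += drift_per_second    # the hardware keeps gaining
        if strategy == "step":
            if true_t % DAY == 0:    # rdate: set the clock, however far off
                error = 0.0
        elif strategy == "slew":     # remove at most 500 us per second
            error -= max(-SLEW_LIMIT, min(SLEW_LIMIT, error))
        else:
            raise ValueError(strategy)
        local = true_t + error
        if local < previous_local:
            backward_jumps.append((true_t, round(local - previous_local, 3)))
        if converged_at is None and abs(error) < 0.01:
            converged_at = true_t
        previous_local = local
    return backward_jumps, converged_at


def stepped():
    """rdate once a day: the clock is dragged back by the day's drift
    (minus the one second that elapsed between readings)."""
    return simulate("step")


def slewed():
    """ntpd-style: start 11 s fast, the error rdate would remove in one
    jump, and let the slew take it out without ever reading backwards."""
    return simulate("slew", initial_error=DRIFT_PER_DAY)


if __name__ == "__main__":
    jumps, _ = stepped()
    print("step: backward jumps", jumps)              # two, each about -10 s
    jumps, t = slewed()
    print("slew: backward jumps", jumps,              # none
          "converged after %.1f h" % (t / 3600))      # about 8.2 h
```

The slew takes hours to remove what rdate removes in one jump, which is exactly the trade: monotonic time for every process on the box in exchange for a slow correction.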


Re: [Dovecot] IP Tables block for POP3 attacks with Dovecot

2007-04-08 Thread Sean Kamath


On Apr 8, 2007, at 9:20 AM, Pete Dubler wrote:

Has anyone implemented a script to block IPs which are attacking on  
POP3 ports using dovecot logs to indicate repetitive failed login  
attempts?


sshblack does this nicely for ssh (port 22) attacks by monitoring  
the /var/log/secure file.  I am considering rewriting this to POP3  
port (110), but if it has already been done, I sure don't need the  
practice.


Gotta love PF on OpenBSD (and FreeBSD).  It was a simple addition to  
the pass rule:


pass in quick on $ext_if proto tcp from any to $imaphost port \
 $imap_tcp_bf_svcs flags S/SA keep state (max-src-conn 25, \
 max-src-conn-rate 10/1, overload <my-imap-bf> flush global) \
 label "$dstaddr:$dstport:$proto"

This limits a host to 25 connections, 10 per second.  If they exceed  
either, they're dumped into the my-imap-bf table, which is blocked  
earlier in the file with a


block quick from <my-imap-bf>

:-)

I used the values I did because I had some 600 connections in 40 seconds.

Sean
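An added Python model of the pf state-tracking options in the rule above (max-src-conn 25, max-src-conn-rate 10/1, overload <my-imap-bf> flush global), replayed over constructed connection records; it serves both this post and the "Throttle New Connections?" reply above and is not pf code. pf approximates the rate with a moving average, while this model counts new connections in an exact sliding window, which is close enough to show why a 600-connections-in-40-seconds burst lands in the table and an ordinary client does not.

```python
from collections import Counter, defaultdict, deque

MAX_SRC_CONN = 25            # max-src-conn: concurrent states per source
MAX_SRC_CONN_RATE = (10, 1)  # max-src-conn-rate 10/1: 10 new connections per second


class OverloadGuard:
    def __init__(self, max_src_conn=MAX_SRC_CONN, rate=MAX_SRC_CONN_RATE):
        self.max_src_conn = max_src_conn
        self.rate_count, self.rate_seconds = rate
        self.states = defaultdict(set)    # src -> ids of open connections
        self.recent = defaultdict(deque)  # src -> timestamps of recent SYNs
        self.table = set()                # the <my-imap-bf> overload table

    def new_connection(self, ts, src, conn_id):
        """Verdict for a SYN from src at time ts: 'block', 'overload' or 'pass'."""
        if src in self.table:
            return "block"                # hit by 'block quick from <my-imap-bf>'
        window = self.recent[src]
        window.append(ts)
        while window[0] <= ts - self.rate_seconds:
            window.popleft()              # forget SYNs older than the rate window
        self.states[src].add(conn_id)
        if (len(window) > self.rate_count
                or len(self.states[src]) > self.max_src_conn):
            self.table.add(src)           # overload <my-imap-bf>
            self.states[src].clear()      # flush global: kill its existing states
            return "overload"
        return "pass"

    def close_connection(self, src, conn_id):
        self.states[src].discard(conn_id)


def replay(events, guard=None):
    """Replay (ts, src, conn_id) records in time order; per-source verdicts."""
    guard = guard or OverloadGuard()
    verdicts = defaultdict(list)
    for ts, src, conn_id in sorted(events):
        verdicts[src].append(guard.new_connection(ts, src, conn_id))
    return dict(verdicts)


# Constructed traffic: a mail client at 192.0.2.10 reconnecting every 20 s,
# and 198.51.100.7 opening 15 connections a second for 40 s (600 in all).
CLIENT = [(20.0 * i, "192.0.2.10", f"client-{i}") for i in range(6)]
BURST = [(i / 15.0, "198.51.100.7", f"burst-{i}") for i in range(600)]


def summary():
    """Verdict counts per source for the constructed traffic."""
    return {src: dict(Counter(v)) for src, v in replay(CLIENT + BURST).items()}


if __name__ == "__main__":
    print(summary())
    # {'192.0.2.10': {'pass': 6},
    #  '198.51.100.7': {'pass': 10, 'overload': 1, 'block': 589}}
```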


Re: [Dovecot] Time just moved backwards

2007-04-08 Thread Sean Kamath


On Apr 8, 2007, at 2:20 PM, Bill Cole wrote:
You should *NEVER* have the clock jump back in time (except during  
DST changes -- yuk).


DST changes (at least on sane systems) do not change the system  
clock time. Time zones are a cosmetic feature, i.e. how humans are  
shown a description of time.  For example, the following are  
different ways of displaying exactly the same time:


12:03 PM -0700 4/8/07
15:03 PM EDT 4/8/07
14:03 PM EST 4/8/07
19:03 PM - 4/8/07
00:03 PM +0500 4/9/07


I'd just like to publicly proclaim that I'm an idiot.  I knew that.   
And it wasn't even at 4am, which is my usual excuse.  This after two  
to three weeks of the stupid DST change here in the US.


It is important for people to understand how much simpler it is now  
to run  basically functional and non-abusive NTP than it was even 5  
years ago. The work put into making pool.ntp.org usable has  
essentially eliminated the need to think much about NTP for most  
sites.


Absolutely!  It's been standard on Macs for some time (it's how it  
syncs with time.apple.com, etc).  It's just braindead easy for one or  
two machines.  If you have more than that, making one or two machines  
as broadcast/multicast servers and having everything use them is  
straightforward, too.


Sean


Re: [Dovecot] Throttling Logins

2007-03-21 Thread Sean Kamath



On Mar 21, 2007, at 11:22 AM, Timo Sirainen wrote:
http://dovecot.org/tools/imaptest.c is a nice tool to try stress  
testing

logins. Use it something like: imaptest user=dummy password=something
clients=100 - select=0


The issue is not to be able to let someone run even more attempts at  
logging in faster. . . :-)



Some people want to limit number of connections coming to one user, so
this kind of blacklisting feature could be implemented at the same  
time.

Maybe for v2.0 or something..


Yeah, I know, and that's fine.  What I'm hoping for is something like  
if host X connects 600 times, start telling it to go away for a few  
hours. :-)


Sean