Re: long mail_location value formatting

2024-02-17 Thread k v
In the multi-line example, the backslash (\) was missing due to message 
formatting
___
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org


long mail_location value formatting

2024-02-17 Thread k v
Hello!

The mail_location value with all the necessary keys can be quite long, for 
example:
mail_location = mdbox:~/mdbox:VOLATILEDIR=/dev/shm/dovecot/volatile/%d/%n:LISTINDEX=/dev/shm/dovecot/listindex/%d/%n/dovecot.list.index:ALT=/var/dovecot-alt/%d/%n/mdbox
When trying to split a value into multiple lines like:

mail_location = \
  mdbox:~/mdbox: \
  VOLATILEDIR=/dev/shm/dovecot/volatile/%d/%n: \
  LISTINDEX=/dev/shm/dovecot/listindex/%d/%n/dovecot.list.index: \
  ALT=/var/dovecot-alt/%d/%n/mdbox

according to the documentation 
https://doc.dovecot.org/configuration_manual/config_file/index.html#long-lines, 
each new line adds a whitespace, which breaks the value:
doveadm config mail_location
mail_location = mdbox:~/mdbox: VOLATILEDIR=/dev/shm/dovecot/volatile/%d/%n: LISTINDEX=/dev/shm/dovecot/listindex/%d/%n/dovecot.list.index: ALT=/var/dovecot-alt/%d/%n/mdbox

doveadm mailbox list -u m...@example.com
doveadm(m...@example.com): Error: Namespace '': Unknown setting:  VOLATILEDIR

Is it possible to split the value into multiple lines for better readability? 
Maybe add functionality to trim extra spaces when reading the mail_location 
value?


Re: dovecot lmtp and smtputf8

2023-10-24 Thread k v
Using the changes described in this pull request 
https://github.com/dovecot/core/pull/190, you can add SMTPUTF8 capability to 
the Dovecot LMTP server. Work on the patch is still in progress, and UTF8 
support is not complete. However, you can use the following trick:

Enable SMTPUTF8 support in Postfix, but make emails with UTF8 characters as 
aliases so that the final recipient doesn't have UTF8 characters. Even in this 
case, on the LMTP side, you need to announce the UTF8 capability, which will be 
possible if you apply the changes from the pull request.


Replicator service in Dovecot 2.4 CE

2023-10-18 Thread k v
On the documentation page for the upgrade to version 2.4 at 
https://doc.dovecot.org/3.0/installation_guide/upgrading/from-2.3-to-3.0/, it 
is mentioned that instead of the 'replicator' service 
(https://doc.dovecot.org/configuration_manual/replication/#replication-with-dsync), 
it is necessary to use an NFS cluster file system.

Are you completely removing support for 'replication-with-dsync' starting from 
version 2.4?
Are there any plans for built-in tools to implement an active/active or 
active/passive cluster in the community edition?


RE: submission_host auth

2023-01-17 Thread k v
> There is no way for a forwarded email to SASL authenticate because no one is 
> logged in or involved in the process of LMTP receiving mail for delivery from 
> "the world". How is the MTA supposed to know the SASL password for 
> st...@work.com?

dovecot auth with "master user" when sending emails via submission_host;
postfix:
1. using smtpd_sender_login_maps allow master user send messages with any mail 
from, like that:
smtpd_sender_login_maps = regexp:/etc/postfix/login_map.regexp
---
login_map.regexp:
/^mas...@example.com$/ .*

OR

2. in postfix master.cf declare dedicated submission port allowed only for 
dovecot, without reject_sender_login_mismatch, like that:
2525   inet  n   -   n   -   -   smtpd
   -o smtpd_helo_restrictions=permit_sasl_authenticated
   -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
   -o smtpd_sender_restrictions=permit_sasl_authenticated

I think it's better than
mynetworks = 10.0.1.0/24 #whole subnet, container ip assigned dynamically :(
with
smtpd_sender_restrictions =
   permit_mynetworks
smtpd_relay_restrictions =
   permit_mynetworks

As for SPF in the described scenario, you are right, SPF will be broken. 
Well.. it's an implementation feature





From: dovecot on behalf of dove...@ptld.com
Sent: January 17, 2023 23:18
To: dovecot@dovecot.org
Subject: Re: submission_host auth

> Let's say we have dovecot + sieve plugin container.
> Dovecot configured to use remote SMTP submission host to send messages:
> submission_host = postfix.example.com:587


I reviewed my config to see how I did it. I think you are right and SASL isn't 
used here. I have dovecot and postfix on the same machine and in dovecot I set
 submission_host = localhost:25

Then in my sieve filters I set
 sieve_redirect_envelope_from = sender

I use SPF, DKIM, and DMARC

To test this I have (fictitious) st...@work.com with a forward filter to 
perso...@home.com
I sent an email from custo...@random.com to st...@work.com
@work.com server then sends a forwarded email to perso...@home.com with 
To:st...@work.com and From:custo...@random.com

Checking the @home.com logs I can see that SPF failed because @work.com server 
sent an email from @random.com, however it had valid DKIM signatures from both 
@work.com and @random.com so DMARC passed and the email was accepted.

I guess if the @random.com mail server only implemented SPF and not included a 
DKIM signature and DMARC policy then the @home.com server would have rejected 
the forwarded email.

I know this might not be the best solution you are looking for, but it is the 
best I could figure out to allow sieve forwarding. There is no way for a 
forwarded email to SASL authenticate because no one is logged in or involved in 
the process of LMTP receiving mail for delivery from "the world". How is the 
MTA supposed to know the SASL password for st...@work.com?
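
Added example, not part of the original messages: the DMARC decision the @home.com receiver makes in the forwarding test described above, evaluated over constructed results. The `org_domain` helper is a simplifying assumption (last two DNS labels) rather than a Public Suffix List lookup, and all sample messages are constructed.

```python
from dataclasses import dataclass, field

def org_domain(domain: str) -> str:
    """Assumption: organizational domain = last two DNS labels (no PSL lookup)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(a: str, b: str, strict: bool = False) -> bool:
    """Identifier alignment: exact match if strict, else same organizational domain."""
    a, b = a.lower(), b.lower()
    return a == b if strict else org_domain(a) == org_domain(b)

@dataclass
class Message:
    header_from: str     # domain in the From: header
    envelope_from: str   # domain in MAIL FROM, the one SPF checks
    spf_result: str      # "pass" / "fail" / "none" for envelope_from
    dkim: list = field(default_factory=list)  # [(d= domain, "pass"/"fail"), ...]

def dmarc_evaluate(msg: Message) -> dict:
    """DMARC passes when SPF or at least one DKIM signature passes AND aligns with From:."""
    spf_ok = msg.spf_result == "pass" and aligned(msg.envelope_from, msg.header_from)
    dkim_ok = [d for d, res in msg.dkim
               if res == "pass" and aligned(d, msg.header_from)]
    return {
        "spf_aligned_pass": spf_ok,
        "dkim_aligned_pass": dkim_ok,
        "dmarc": "pass" if (spf_ok or dkim_ok) else "fail",
    }

# Constructed scenarios as seen by the @home.com receiver.
# Forwarded with envelope sender kept: SPF fails because work.com's host sends for random.com.
FORWARDED_WITH_DKIM = Message("random.com", "random.com", "fail",
                              [("random.com", "pass"), ("work.com", "pass")])
# Same forward, but the original sender never signed; only the forwarder's signature exists.
FORWARDED_SPF_ONLY = Message("random.com", "random.com", "fail",
                             [("work.com", "pass")])
# Direct delivery from random.com for comparison.
DIRECT = Message("random.com", "random.com", "pass", [("random.com", "pass")])

if __name__ == "__main__":
    for name, m in [("forwarded, sender signs DKIM", FORWARDED_WITH_DKIM),
                    ("forwarded, sender SPF only", FORWARDED_SPF_ONLY),
                    ("direct delivery", DIRECT)]:
        print(f"{name}: {dmarc_evaluate(m)}")
```

The work.com signature verifies in both forwarded cases but never counts toward DMARC, because its d= domain does not align with the From: domain.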


RE: submission_host auth

2023-01-17 Thread k v
Thanks for the reply, postfix + dovecot sasl configured and working properly. 
My question is about "adding dovecot authentication when sending emails via 
submission_host".

Let's say we have dovecot + sieve plugin container.
Dovecot configured to use remote SMTP submission host to send messages:
submission_host = postfix.example.com:587

User f...@example.com has the following sieve script:
require ["fileinto", "copy", "vacation", "date", "relational"] ;
redirect :copy "b...@example.com";
keep;

b...@example.com sending email to f...@example.com

dovecot lmtp log:
lmtp(f...@example.com)<7670>: Info: sieve: 
msgid=<63fce409f26b1a67785a475a00034...@mail.example.com>: redirect action: 
failed to redirect message to : 
smtp(postfix.example.com:587): RCPT TO failed: 554 5.7.1 : 
Recipient address rejected: Access denied (permanent failure)
lmtp(f...@example.com)<7670>: Info: sieve: 
msgid=<63fce409f26b1a67785a475a00034...@mail.example.com>: stored mail into 
mailbox 'INBOX'
lmtp(f...@example.com)<7670>: Info: sieve: Execution of 
script /var/dovecot/example.com/foo/foo.sieve failed, but implicit keep was 
successful (user logfile /var/dovecot/example.com/foo/foo.sieve.log may reveal 
additional details)

sieve.log
error: msgid=<63fce409f26b1a67785a475a00034...@mail.example.com>: redirect 
action: failed to redirect message to : 
smtp(postfix.example.com:587): RCPT TO failed: 554 5.7.1 : 
Recipient address rejected: Access denied (permanent failure).

postfix log:
NOQUEUE: reject: RCPT from unknown[10.0.1.4]: 554 5.7.1 : 
Recipient address rejected: Access denied; from= 
to=

The redirect :copy action failed; it's expected behavior, dovecot does not auth 
when sending email via submission_host.
If there is a setting like
submission_host_master_user = mas...@example.com
submission_host_master_password = masterpass
to do authentication as master user in postfix who can send email as any user...




From: dovecot on behalf of dove...@ptld.com
Sent: January 17, 2023 18:25
To: dovecot@dovecot.org
Subject: Re: submission_host auth

> When using dovecot container with sieve plugin there is no sendmail to use 
> for sending email for sieve redirect action for example. We can use 
> submission_host instead 
> https://doc.dovecot.org/settings/core/#core_setting-submission_host but there 
> is no way to specify credentials for auth in remote MTA. Submission_relay_* 
> settings e.g. submission_relay_master_user relate to dovecot submission 
> service. Using something like permit_mynetworks in remote MTA is not 
> acceptable for security reasons.
>
> Is it possible to add authorization in the remote MTA using submission_host?


You start the auth service in dovecot, then tell the MTA to use it.
For example, if you use postfix this explains how:

   https://doc.dovecot.org/configuration_manual/howto/postfix_and_dovecot_sasl/


submission_host auth

2023-01-17 Thread k v
When using dovecot container with sieve plugin there is no sendmail to use for 
sending email for sieve redirect action for example. We can use submission_host 
instead https://doc.dovecot.org/settings/core/#core_setting-submission_host but 
there is no way to specify credentials for auth in remote MTA. 
Submission_relay_* settings e.g. submission_relay_master_user relate to dovecot 
submission service. Using something like permit_mynetworks in remote MTA is not 
acceptable for security reasons.

Is it possible to add authorization in the remote MTA using submission_host?

hostname in director_mail_servers setting

2023-01-16 Thread k v
director_mail_servers setting uses IP addresses as values 
https://doc.dovecot.org/settings/core/#core_setting-director_mail_servers
As described in the documentation, hostnames are converted to addresses when 
the configuration is read https://doc.dovecot.org/settings/types/#ip-addresses

This is acceptable in host or virtual machine environment, but becomes a 
problem in a containerized environment. When any backend container is 
restarted, its address will change and users related to this backend can no 
longer connect, but backend (available with new IP address) can process request
for example,
director_mail_servers = dovecot-1 dovecot-2 dovecot-3
becomes in runtime (with one successfully connected user f...@example.com)

doveadm director status
mail server ip  tag  vhosts  state  state changed  users
10.0.71.3            100     up     -              0
10.0.71.4            100     up     -              1
10.0.71.5            100     up     -              0

where
dovecot-1 10.0.71.3, dovecot-2 10.0.71.4, dovecot-3 10.0.71.5

When dovecot-2 backend container restarts, and gets a new IP address, user 
can't connect to related backend:
imap-login: Info: proxy(f...@example.com,10.0.71.4:143): Started proxying to 
<10.0.71.4> () (0.009 secs)
imap-login: Error: proxy(f...@example.com,10.0.71.4:143): connect(10.0.71.4, 
143) failed: No route to host (after 28 secs, 3 reconnects, 
local=10.0.71.13:41066)

My suggestion to developers: resolve backend hostnames to IP address on every 
request to director_mail_servers

It's not about dovemon service with active health checks from dovecot pro, just 
dynamic hostname resolve
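
Added example, not part of the original message: a check that compares the backend IPs held by the director (text in the shape of the `doveadm director status` output above) with what the backend hostnames resolve to now, to spot the stale entry described in the post. The sample status text and the resolver table (including the new address 10.0.71.9) are constructed, and the function names are hypothetical.

```python
import socket

# Constructed sample in the shape of the status output quoted above (tag column empty).
STATUS = """\
mail server ip  tag vhosts  state   state changed   users
10.0.71.3   100 up  -   0
10.0.71.4   100 up  -   1
10.0.71.5   100 up  -   0
"""

def parse_status(text):
    """Return {ip: users} from director status text, skipping the header row."""
    backends = {}
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) >= 2:
            backends[cols[0]] = int(cols[-1])  # first column is the IP, last is users
    return backends

def find_stale(hostnames, status_text, resolve=socket.gethostbyname):
    """Compare current DNS answers with the IPs the director resolved at config load."""
    known = parse_status(status_text)
    current = {}
    for host in hostnames:
        try:
            current[host] = resolve(host)
        except OSError:
            current[host] = None  # hostname does not resolve right now
    live_ips = {ip for ip in current.values() if ip}
    return {
        # IPs the director still routes to although no backend hostname points there
        "stale": {ip: users for ip, users in known.items() if ip not in live_ips},
        # hostnames whose current IP the director does not know about
        "missing": {h: ip for h, ip in current.items() if ip and ip not in known},
        "unresolved": sorted(h for h, ip in current.items() if ip is None),
    }

# Constructed resolver table: dovecot-2 restarted and came back as 10.0.71.9.
FAKE_DNS = {"dovecot-1": "10.0.71.3", "dovecot-2": "10.0.71.9", "dovecot-3": "10.0.71.5"}

if __name__ == "__main__":
    print(find_stale(FAKE_DNS, STATUS, resolve=FAKE_DNS.__getitem__))
```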