Re: Recommended tool for migrating IMAP servers

2017-12-04 Thread Sami Ketola

> On 4 Dec 2017, at 19.59, Webert de Souza Lima  wrote:
> 
> On Mon, Dec 4, 2017 at 9:16 AM, Sami Ketola  wrote:
> 
>> 
>> With every other tool you will face end users needing to invalidate their
>> local caches and redownloading all headers if not also all mail bodies.
>> 
>> Sami
>> 
>> 
> I don't think so. Been using imapsync for large scale migrations from
> external servers to our dovecot setup. Users don't even see it when the key
> is switched (DNS changes).
> Go for it.

You are wrong. There is no way to assign IMAP UID:s over IMAP protocol. It simply does not support it.
With imapsync there is absolutely no way to preserve them and you will face problems with IMAP UID:s
not matching the cached mail anymore.

Trust us. We have run multiple migrations at scale of 10+ million users.

Sami
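
The cache problem described in this message, modelled as an added example that is not part of the original post: during an APPEND-style copy the destination server, not the copying client, numbers each message, so a client cache keyed on UIDVALIDITY and UID is either discarded or ends up pointing at the wrong mail. The snapshots and the helper names `append_copy` and `classify_migration` are constructed for illustration.

```python
"""Model of how an IMAP client cache reacts to a mailbox migration.

Constructed sample data. On live servers the same snapshot would be built from
SELECT (UIDVALIDITY) and UID FETCH 1:* (BODY.PEEK[HEADER.FIELDS (MESSAGE-ID)]).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class MailboxSnapshot:
    uidvalidity: int
    uids: dict  # UID -> Message-ID


def append_copy(source, uidvalidity, first_uid=1):
    """Copy messages the way a generic IMAP-to-IMAP tool must: one APPEND each.

    APPEND carries no UID argument, so the destination numbers the messages
    itself, in ascending order. Gaps left by expunged mail on the source vanish.
    """
    new_uids = {}
    next_uid = first_uid
    for old_uid in sorted(source.uids):
        new_uids[next_uid] = source.uids[old_uid]
        next_uid += 1
    return MailboxSnapshot(uidvalidity, new_uids)


def classify_migration(old, new):
    """Return (verdict, affected_uids) from the point of view of a client cache."""
    if old.uidvalidity != new.uidvalidity:
        # The client must drop everything cached for this mailbox and refetch.
        return ("full-resync", sorted(old.uids))
    stale = sorted(uid for uid, msgid in old.uids.items()
                   if new.uids.get(uid) != msgid)
    if stale:
        # Same UIDVALIDITY, but a cached UID now names other mail (or nothing):
        # the client trusts its cache and shows the wrong content.
        return ("stale-cache", stale)
    return ("preserved", [])


# Constructed source mailbox; the missing UIDs were expunged long ago.
OLD = MailboxSnapshot(1512345678, {
    3: "<a@example.test>",
    7: "<b@example.test>",
    12: "<c@example.test>",
})

if __name__ == "__main__":
    cases = {
        "APPEND copy, new UIDVALIDITY": append_copy(OLD, 1512400000),
        "APPEND copy, same UIDVALIDITY": append_copy(OLD, OLD.uidvalidity),
        "copy that carries UIDs across": MailboxSnapshot(OLD.uidvalidity, dict(OLD.uids)),
    }
    for label, new in cases.items():
        print(f"{label}: {classify_migration(OLD, new)}")
```
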



Can passdb be bypassed for non-plaintext authentication mechanisms

2017-12-04 Thread Mark Foley
I am using Active directory authentication via gssapi for most users.  In dovecot.conf I have:

auth_mechanisms = plain login gssapi
auth_use_winbind = yes

I also have

passdb { driver = shadow }
userdb { driver = passwd }

for those few users who are NOT AD users.

Even though the AD users do not exist in /etc/passwd or /etc/shadow, Dovecot ALWAYS first looks
them up in shadow, which ALWAYS fails.

The https://wiki2.dovecot.org/PasswordDatabase wiki says, "these databases can't be used with
non-plaintext authentication mechanisms."

Is there a way to bypass checking passdb (and userdb?) for these mechanisms?

--Mark


Re: Howto authenticate smartPhone via Active Directory

2017-12-04 Thread Mark Foley
mj - thanks! That's the first useful example I've received from any forum/list. I'm getting ready
to try my config (have to do so after hours), but I have some probably simple-minded questions:

Your example is not the complete dovecot-ldap.conf.ext file, right? Have you just given me
differences in your config from the "original"? You've kept the hosts, base, ldap_version,
scope, deref, debug_level, and auth_bind_userdn settings in your config, right?

Your dn is:

dn = cn=search_dovecit,cn=users,dc=company,dc=com

Mine (original) is:

dn = cn=user_for_bind,cn=Users,dc=dom

Can you tell me why you have "search_dovecit" versus "user_for_bind"? Is that something I need
in order to make this work?

Is your "dc=company,dc=com" meta-syntax and you use your actual domain CNs here, or is that
literally what you have there?

My dnpass (original) is:

dnpass = 

your example is:

dnpass = top_secret

Again, are the assigned values meta-syntax (meta-syntax in configs is not obvious to me unless
it is bold, underlined, italicized and colored ... or uses brackets or some other convention)?
If meta, what is actually supposed to go there?

With your "this user/passwd filter". Can you tell me why you have "userAccountControl=514"? Is
that 514 bit documented somewhere? Your user_filter/pass_filter is *completely* different from
my installed original.

You don't mention the user_attrs/pass_attrs settings. Is this because you use the originals or
because you have commented them out? My current settings are:

user_attrs  = quotaFieldAD=quota_rule=*:storage=%$MB
pass_attrs  = userPassword=password

My auth_mechanisms are:

auth_mechanisms = plain login gssapi

Is this sufficient for ldap?

Thanks for your help --Mark

btw - I have been running Dovecot with AD for years, but for local Domain users authenticating
via GSSAPI.  Remote users (e.g. smartPhones) don't have that mechanism that I'm aware of.
Currently they are authenticated via shadow, but I'd like to remove AD users from /etc/passwd.

On Mon, 4 Dec 2017 09:04:57 +0100 mj  wrote
>
> Hi Mark,
>
> Just to let you know that we are running dovecot with AD. (and I guess: 
> *many* people are running that combination)
>
> It worked without issues, we are using in dovecot-ldap.conf.ext:
>
>  > auth_bind = yes
>
> this user/passwd filter:
> > = (&(objectclass=person)(sAMAccountName=%n)(!(userAccountControl=514)))
>
>  > dn = cn=search_dovecit,cn=users,dc=company,dc=com
>  > dnpass = top_secret
>
> And not the 3268 port, but regular 389.
>
> Hope that helps.
>
> MJ
>
>
>
> On 12/04/2017 01:38 AM, Mark Foley wrote:
> > Unfortunately, I tried for weeks to figure out passdb ldap without success. 
> > I guess I'm just
> > not knowledgeable enough about how to use ldap and Active Directory. The 
> > dovecot wiki
> > https://wiki2.dovecot.org/AuthDatabase/LDAPm doesn't help me much. All it 
> > says is:
> > 
> > Active Directory
> > 
> > When connecting to AD, you may need to use port 3268. Then again, not all 
> > LDAP fields are
> > available in port 3268. Use whatever works. 
> > http://technet.microsoft.com/en-us/library/cc978012.aspx
> > 
> > I have not been able to find an example of someone using Dovecot and ldap 
> > with AD.
> > 
> > However, I have had some success with CheckPassword
> > (https://wiki2.dovecot.org/AuthDatabase/CheckPassword).  Using a program I 
> > wrote to do
> > ntlm_auth, I am able to authenticate the smartPhone user and pass the 
> > required parameters back
> > to Dovecot.  My auth-checkpasswd.conf.ext is the as-shipped standard except 
> > pointing to my
> > checkpassword executable.
> > 
> > passdb {
> >   driver = checkpassword
> > args = /user/util/bin/checkpassword
> > }
> > userdb {
> >   driver = prefetch
> > }
> > 
> > The one issue I have with this at the moment is that dovecot runs 
> > checkpassword for every user,
> > smartphone or otherwise:
> > 
> > Dec 03 18:56:32 auth-worker(14903): Info: shadow(charmaine,192.168.0.52,): unknown user  - trying the next passdb
> > Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,): execute: /user/util/bin/checkpassword /usr/local/libexec/dovecot/checkpassword-reply
> > Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,): Received input:
> > Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,): exit_status=1
> > Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,): Credentials:
> > Dec 03 18:56:32 auth: Debug: client passdb out: OK  1   user=charmaine  original_user=charmaine@HPRS.LOCAL
> > Dec 03 18:56:32 auth: Debug: master in: REQUEST 1884160001  14902   1   586863e54c57c999ee5731906a59257csession_pid=14907 request_auth_token
> > Dec 03 18:56:32 auth-worker(14903): Debug: passwd(charmaine,192.168.0.52,): lookup
> > Dec 03 18:56:32 auth-worker(14903): Debug: 
> > 
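
On the `userAccountControl=514` question in this message, an added example that is not part of the thread: 514 is the sum of two documented Active Directory flag bits (ACCOUNTDISABLE, 2, and NORMAL_ACCOUNT, 512), so an exact match on it excludes only accounts carrying precisely those two bits. The account list is constructed, and the bitwise filter assumes a directory that supports AD's bit-AND matching rule (OID 1.2.840.113556.1.4.803).

```python
"""Decode userAccountControl and compare exact-match vs bitwise filtering."""

# Documented Active Directory userAccountControl flag bits (subset).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x800000: "PASSWORD_EXPIRED",
}
ACCOUNTDISABLE = 0x0002

# The filter quoted in the thread, and a variant that tests only the disable bit.
EQUALITY_FILTER = (
    "(&(objectclass=person)(sAMAccountName=%n)(!(userAccountControl=514)))"
)
BITWISE_FILTER = (
    "(&(objectclass=person)(sAMAccountName=%n)"
    "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
)


def decode_uac(value):
    """Return the names of the known flag bits set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def equality_filter_admits(uac):
    """Model of (!(userAccountControl=514)): rejects the exact value 514 only."""
    return uac != 514


def bitwise_filter_admits(uac):
    """Model of the bit-AND rule on bit 2: rejects any account with the bit set."""
    return not (uac & ACCOUNTDISABLE)


def disabled_but_admitted(accounts):
    """Disabled accounts that the exact-match filter would still return."""
    return [
        (name, decode_uac(uac))
        for name, uac in accounts
        if (uac & ACCOUNTDISABLE) and equality_filter_admits(uac)
    ]


# Constructed directory entries: (sAMAccountName, userAccountControl).
SAMPLE_ACCOUNTS = [
    ("alice", 512),         # enabled
    ("bob", 514),           # disabled, the one case the equality filter catches
    ("svc_backup", 66050),  # disabled + DONT_EXPIRE_PASSWORD
    ("old_intern", 546),    # disabled + PASSWD_NOTREQD
    ("carol", 66048),       # enabled + DONT_EXPIRE_PASSWORD
]

if __name__ == "__main__":
    for name, uac in SAMPLE_ACCOUNTS:
        print(f"{name:11} {uac:6} equality={equality_filter_admits(uac)!s:5} "
              f"bitwise={bitwise_filter_admits(uac)!s:5} {decode_uac(uac)}")
    print("disabled but admitted:", disabled_but_admitted(SAMPLE_ACCOUNTS))
```
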

Re: Recommended tool for migrating IMAP servers

2017-12-04 Thread Steve Litt
On Mon, 4 Dec 2017 12:53:15 -0800 (PST)
Joseph Tam  wrote:

> "Davide Marchi"  writes:
> 
> >> UW-IMAP's mailutil, imapsync, YippieMove and Larch.  
> 
> Whatever you use, *don't* use UW-IMAP's mailutil unless you got lots
> of time to kill.  It is dreadfully slow -- I used it to export some of
> my users' mailboxes to Gmail or other remote mail servers, and I could
> almost cut the messages faster.
> 
> Like Aki said, if you have the same mailbox format and FS access on
> both sides, rsync is much simpler.  You can also try exporting the
> old mailboxes via NFS, and with some artful symlinks, march through
> your user mailboxes replacing the symlinks with the instantiated
> local copies and have almost zero downtime.
> 
> Joseph Tam 

Another possibility is to use an email client like Claws-Mail, which is
very fast, create two accounts: One for the old IMAP, one for the new
one, and just copy trees.

SteveT

Steve Litt 
November 2017 featured book: Troubleshooting: Just the Facts
http://www.troubleshooters.com/tjust


Re: Recommended tool for migrating IMAP servers

2017-12-04 Thread Joseph Tam

"Davide Marchi"  writes:


UW-IMAP's mailutil, imapsync, YippieMove and Larch.


Whatever you use, *don't* use UW-IMAP's mailutil unless you got lots
of time to kill.  It is dreadfully slow -- I used it to export some of
my users' mailboxes to Gmail or other remote mail servers, and I could
almost cut the messages faster.

Like Aki said, if you have the same mailbox format and FS access on both
sides, rsync is much simpler.  You can also try exporting the
old mailboxes via NFS, and with some artful symlinks, march through your user
mailboxes replacing the symlinks with the instantiated local copies and
have almost zero downtime.

Joseph Tam 


Re: Recommended tool for migrating IMAP servers

2017-12-04 Thread Webert de Souza Lima
On Mon, Dec 4, 2017 at 9:16 AM, Sami Ketola  wrote:

>
> With every other tool you will face end users needing to  invalidate their
> local caches and
> redownloading all headers if not also all mail bodies.
>
> Sami
>
>
I don't think so. Been using imapsync for large scale migrations from
external servers to our dovecot setup. Users don't even see it when the key
is switched (DNS changes).
Go for it.

Regards,

Webert Lima
DevOps Engineer at MAV Tecnologia
*Belo Horizonte - Brasil*



Re: Recommended tool for migrating IMAP servers

2017-12-04 Thread Michael Slusarz
> On December 4, 2017 at 8:46 AM Paolo  wrote:
> 
> 
> On 04/12/2017 14:33, x9p wrote:
> >
> >> Can I use this tool even if I do not know the other remote server
> >> typology?
> >>
> > sure. just need both IMAP ports reachable and valid user/pass for both
> > servers.
> I think Davide was asking about dsync. If so, the answer is no: dsync 
> works only when both servers are Dovecot and needs some additional 
> configuration to work through the network (see 
> https://wiki2.dovecot.org/Replication).

This is entirely incorrect.  The source platform for dsync can be ANY IMAP/POP server.

The recommended tool for migrating into Dovecot is dsync.  You don't need any other tool,
and other tools aren't going to preserve state so they are pretty much worthless for a
real-world in-place migration.

michael


Re: Recommended tool for migrating IMAP servers

2017-12-04 Thread Paolo

On 04/12/2017 14:33, x9p wrote:



Can I use this tool even if I do not know the other remote server
typology?


sure. just need both IMAP ports reachable and valid user/pass for both
servers.
I think Davide was asking about dsync. If so, the answer is no: dsync 
works only when both servers are Dovecot and needs some additional 
configuration to work through the network (see 
https://wiki2.dovecot.org/Replication).
I don't know about imapsync but I suppose it is a generic IMAP tool that 
replicates mailboxes using IMAP protocol as a client between two servers.


Cheers
Paolo



Re: Recommended tool for migrating IMAP servers

2017-12-04 Thread x9p
>> Hi,
>>
>> I vouch for imapsync. Have used it in the past with quite a big amount
>> of
>> emails.
>>
>> cheers.
>>
>> x0p
>
> Ah, thanks  x0!
>

welcome!

>
> Can I use this tool even if I do not know the other remote server
> typology?
>

sure. just need both IMAP ports reachable and valid user/pass for both
servers.

cheers.

x9p





Re: Recommended tool for migrating IMAP servers

2017-12-04 Thread Davide Marchi

[..]

Hi,

I vouch for imapsync. Have used it in the past with quite a big amount of
emails.

cheers.

x0p


Ah, thanks  x0!


Also if you have fs access on both servers, and you are using maildir,
plain rsync works just as well.

Aki


no, I've not fs access on both servers! :-/

If you want to preserve IMAP UID:s and possibly also POP3 UIDL:s then dovecot internal
dsync is the only tool that can do it.

With every other tool you will face end users needing to invalidate their local caches and
redownloading all headers if not also all mail bodies.

Sami



Can I use this tool even if I do not know the other remote server 
typology?


Many thanks to all!!

Davide



--
firma

cosmogoniA 
n o p r o v a r e n o f a r e o n o n f a r e n o n c e p r o v a r e


Re: Dovecot lmtp doesn't log

2017-12-04 Thread Stephan Bosch



On 4-12-2017 at 11:08, Tomislav Perisic wrote:
I'm sure because dovecot from server A takes the email from the MTA and
proxies it to the dovecot on server B that doesn't have an MTA.


Right. Forgot about that part.

Regards,

Stephan.

On 4 Dec 2017 10:54, "Stephan Bosch" wrote:




On 1-12-2017 at 15:30, Tomislav Perisic wrote:

Hi,

Thanks for replying.

Initially logging was done via syslog, and the custom log file
for mail.* facility was /var/log/maillog. Everything was
logged normally (dovecot login logouts, sieve scripts, extra
debugging lines) but nothing regarding LMTP. I would receive
the email in my inbox but I wouldn't be able to see anything in
the logs regarding this. After that I turned off syslog and
used the direct dovecot logging to a separate file. Again, it
was logging everything except LMTP (mail debug is turned on).

Does anyone have a working configuration regarding this that
they don't have a problem with LMTP logging? If yes could you
please send me your config and dovecot version to compare.

Or if anyone has any other ideas.


Are you sure Dovecot LMTP  is even being used? Your MTA may be
delivering messages directly, without involving Dovecot. Check the
MTA logs.






Re: Recommended tool for migrating IMAP servers

2017-12-04 Thread Sami Ketola

> On 3 Dec 2017, at 23.23, Davide Marchi  wrote:
> 
> Hi Friends,
> I would like to ask you a suggestion:
> I need to migrate an IMAP server to a new one and then dismiss the old one.
> Reading from relative Dovecot documentation page 
> (https://wiki.dovecot.org/Migration), more tools are shown:
> 
> UW-IMAP's mailutil, imapsync, YippieMove and Larch.
> 
> Each of the mail servers is Linux based, one of these (mine) is Dovecot.
> Based on your experience which of these tools would be preferable to use?

If you want to preserve IMAP UID:s and possibly also POP3 UIDL:s then dovecot internal
dsync is the only tool that can do it.

With every other tool you will face end users needing to invalidate their local caches and
redownloading all headers if not also all mail bodies.

Sami



Re: Dovecot lmtp doesn't log

2017-12-04 Thread Tomislav Perisic
I'm sure because dovecot from server A takes the email from the MTA and
proxies it to the dovecot on server B that doesn't have an MTA.

On 4 Dec 2017 10:54, "Stephan Bosch"  wrote:

>
>
> On 1-12-2017 at 15:30, Tomislav Perisic wrote:
>
>> Hi,
>>
>> Thanks for replying.
>>
>> Initially logging was done via syslog, and the custom log file for mail.*
>> facility was /var/log/maillog. Everything was logged normally (dovecot
>> login logouts, sieve scripts, extra debugging lines) but nothing regarding
>> LMTP. I would receive the email in my inbox but I wouldn't be able to see
>> anything in the logs regarding this. After that I turned off syslog and
>> used the direct dovecot logging to a separate file. Again, it was logging
>> everything except LMTP (mail debug is turned on).
>>
>> Does anyone have a working configuration regarding this that they don't
>> have a problem with LMTP logging? If yes could you please send me your
>> config and dovecot version to compare.
>>
>> Or if anyone has any other ideas.
>>
>>
> Are you sure Dovecot LMTP  is even being used? Your MTA may be delivering
> messages directly, without involving Dovecot. Check the MTA logs.
>
> Regards,
>
> Stephan.
>
> Thank you.
>>
>>
>> On Thu, Nov 30, 2017 at 2:34 PM, Stephan Bosch wrote:
>>
>>
>>
>> On 25-11-2017 at 13:00, Tomislav Perisic wrote:
>>
>> Does anyone have any idea regarding this?
>>
>> On 17 Nov 2017 11:36, "Tomislav Perisic" wrote:
>>
>> Hi,
>>
>> We have 2 servers, server A and server B.
>>
>> Server A has:
>>
>> Postfix
>> dovecot-2.2.33.2-1.el6.x86_64
>>
>> Server B has:
>>
>> dovecot-2.2.33.2-1.el6.x86_64
>> dovecot-pigeonhole-2.2.33.2-1.el6.x86_64
>>
>> Server A receives email on postfix, dovecot then takes that
>> email from
>> postfix and proxies it to Server B Dovecot. Dovecot on Server
>> B takes the
>> proxied email and delivers it with lmtp to the user inboxes.
>>
>> The problem is that the dovecot on server B Doesn't log
>> anything regarding
>> the emails that are being delivered to the mailbox via lmtp.
>>
>> Dovecot on server A logs everything perfectly regarding the
>> proxy, so my
>> assumption is that there is an issue with Dovecot lmtp
>> logging. We changed
>> the logging from syslog directly to a file and we noticed the
>> same problem,
>> missing log entries.
>>
>> We also tried turning on verbose logging and it didn't help.
>>
>>
>> Are you sure you're looking in the right place?
>>
>> You can find out where logs are written using `doveadm log find`.
>>
>> Especially with mail_debug enabled, you should see a lot of log
>> messages for an LMTP delivery.
>>
>> Regards,
>>
>> Stephan.
>>
>>
>>
>> Server B:
>>
>> Red Hat  6.7 x86_64
>>
>> rpm -qa | grep dove
>> dovecot-2.2.33.2-1.el6.x86_64
>> dovecot-pigeonhole-2.2.33.2-1.el6.x86_64
>>
>> doveconf -n
>>
>> # 2.2.33.2 : /etc/dovecot/dovecot.conf
>> # Pigeonhole version 0.4.21
>> auth_cache_negative_ttl = 0
>> auth_debug = yes
>> auth_debug_passwords = yes
>> auth_verbose = yes
>> listen = *
>> mail_debug = yes
>> mail_gid = mail
>> mail_location = maildir:~/Maildir
>> mail_plugins = " quota zlib"
>> mail_uid = vmail
>> managesieve_notify_capability = mailto
>>
>> namespace inbox {
>>inbox = yes
>>location =
>>mailbox Drafts {
>>  auto = subscribe
>>  special_use = \Drafts
>>}
>>mailbox Sent {
>>  auto = subscribe
>>  special_use = \Sent
>>}
>>mailbox Spam {
>>  auto = subscribe
>>  special_use = \Junk
>>}
>>mailbox Trash {
>>  auto = subscribe
>>  special_use = \Trash
>>}
>>mailbox Virus {
>>  auto = subscribe
>>}
>>
>> plugin {
>>quota = maildir:User quota
>>sieve_extensions = +editheader
>>sieve_max_actions = 32
>>sieve_max_redirects = 4
>>sieve_max_script_size = 1M
>>sieve_quota_max_scripts = 0
>>sieve_trace_debug = yes
>>sieve_trace_level = matching
>>sieve_vacation_dont_check_recipient = yes
>>sieve_vacation_send_from_recipient = yes
>>sieve_vacation_use_original_recipient = yes
>>zlib_save = gz
>>zlib_save_level = 6
>> }
>> protocols = imap pop3 lmtp sieve
>> service auth {
>>

Re: Dovecot lmtp doesn't log

2017-12-04 Thread Stephan Bosch



On 1-12-2017 at 15:30, Tomislav Perisic wrote:

Hi,

Thanks for replying.

Initially logging was done via syslog, and the custom log file for
mail.* facility was /var/log/maillog. Everything was logged normally
(dovecot login logouts, sieve scripts, extra debugging lines) but
nothing regarding LMTP. I would receive the email in my inbox but I
wouldn't be able to see anything in the logs regarding this. After that
I turned off syslog and used the direct dovecot logging to a separate
file. Again, it was logging everything except LMTP (mail debug is
turned on).


Does anyone have a working configuration regarding this that they 
don't have a problem with LMTP logging? If yes could you please send 
me your config and dovecot version to compare.


Or if anyone has any other ideas.



Are you sure Dovecot LMTP  is even being used? Your MTA may be 
delivering messages directly, without involving Dovecot. Check the MTA logs.


Regards,

Stephan.


Thank you.


On Thu, Nov 30, 2017 at 2:34 PM, Stephan Bosch wrote:




On 25-11-2017 at 13:00, Tomislav Perisic wrote:

Does anyone have any idea regarding this?

On 17 Nov 2017 11:36, "Tomislav Perisic" wrote:

Hi,

We have 2 servers, server A and server B.

Server A has:

Postfix
dovecot-2.2.33.2-1.el6.x86_64

Server B has:

dovecot-2.2.33.2-1.el6.x86_64
dovecot-pigeonhole-2.2.33.2-1.el6.x86_64

Server A receives email on postfix, dovecot then takes that
email from
postfix and proxies it to Server B Dovecot. Dovecot on Server
B takes the
proxied email and delivers it with lmtp to the user inboxes.

The problem is that the dovecot on server B Doesn't log
anything regarding
the emails that are being delivered to the mailbox via lmtp.

Dovecot on server A logs everything perfectly regarding the
proxy, so my
assumption is that there is an issue with Dovecot lmtp
logging. We changed
the logging from syslog directly to a file and we noticed the
same problem,
missing log entries.

We also tried turning on verbose logging and it didn't help.


Are you sure you're looking in the right place?

You can find out where logs are written using `doveadm log find`.

Especially with mail_debug enabled, you should see a lot of log
messages for an LMTP delivery.

Regards,

Stephan.



Server B:

Red Hat  6.7 x86_64

rpm -qa | grep dove
dovecot-2.2.33.2-1.el6.x86_64
dovecot-pigeonhole-2.2.33.2-1.el6.x86_64

doveconf -n

# 2.2.33.2 : /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.21
auth_cache_negative_ttl = 0
auth_debug = yes
auth_debug_passwords = yes
auth_verbose = yes
listen = *
mail_debug = yes
mail_gid = mail
mail_location = maildir:~/Maildir
mail_plugins = " quota zlib"
mail_uid = vmail
managesieve_notify_capability = mailto

namespace inbox {
   inbox = yes
   location =
   mailbox Drafts {
     auto = subscribe
     special_use = \Drafts
   }
   mailbox Sent {
     auto = subscribe
     special_use = \Sent
   }
   mailbox Spam {
     auto = subscribe
     special_use = \Junk
   }
   mailbox Trash {
     auto = subscribe
     special_use = \Trash
   }
   mailbox Virus {
     auto = subscribe
   }

plugin {
   quota = maildir:User quota
   sieve_extensions = +editheader
   sieve_max_actions = 32
   sieve_max_redirects = 4
   sieve_max_script_size = 1M
   sieve_quota_max_scripts = 0
   sieve_trace_debug = yes
   sieve_trace_level = matching
   sieve_vacation_dont_check_recipient = yes
   sieve_vacation_send_from_recipient = yes
   sieve_vacation_use_original_recipient = yes
   zlib_save = gz
   zlib_save_level = 6
}
protocols = imap pop3 lmtp sieve
service auth {
   unix_listener auth-userdb {
     group = mail
     mode = 0666
     user = vmail
   }
}
service lmtp {
   inet_listener lmtp {
     port = xx
   }
}
service managesieve-login {
   inet_listener sieve {
     port = xx
   }
   service_count = 1
}

protocol lmtp {
   mail_plugins = " quota zlib sieve mail_log notify"
}
protocol imap {
   mail_plugins = " quota zlib imap_quota imap_zlib"
}
protocol sieve {
  

Re: Recommended tool for migrating IMAP servers

2017-12-04 Thread Aki Tuomi
Also if you have fs access on both servers, and you are using maildir,
plain rsync works just as well.

Aki


On 04.12.2017 00:17, Harondel J. Sibble wrote:
> Imapsync for sure. Have used it for both IMAP to IMAP and IMAP to Exchange 
> migrations. Works great.
>
>
>> On Dec 3, 2017, at 2:08 PM, x9p  wrote:
>>
>> Hi,
>>
>> I vouch for imapsync. Have used it in the past with quite a big amount of
>> emails.
>>
>> cheers.
>>
>> x0p
>>
>>> Hi Friends,
>>> I would like to ask you a suggestion:
>>> I need to migrate an IMAP server to a new one and then dismiss the old
>>> one.
>>> Reading from relative Dovecot documentation page
>>> (https://wiki.dovecot.org/Migration), more tools are shown:
>>>
>>> UW-IMAP's mailutil, imapsync, YippieMove and Larch.
>>>
>>> Each of the mail servers is Linux based, one of these (mine) is Dovecot.
>>> Based on your experience which of these tools would be preferable to
>>> use?
>>>
>>>
>>> Thank you very much
>>>
>>> Davide
>>>
>>



Re: Recommended tool for migrating IMAP servers

2017-12-04 Thread Harondel J. Sibble
Imapsync for sure. Have used it for both IMAP to IMAP and IMAP to Exchange 
migrations. Works great.


> On Dec 3, 2017, at 2:08 PM, x9p  wrote:
> 
> Hi,
> 
> I vouch for imapsync. Have used it in the past with quite a big amount of
> emails.
> 
> cheers.
> 
> x0p
> 
>> Hi Friends,
>> I would like to ask you a suggestion:
>> I need to migrate an IMAP server to a new one and then dismiss the old
>> one.
>> Reading from relative Dovecot documentation page
>> (https://wiki.dovecot.org/Migration), more tools are shown:
>> 
>> UW-IMAP's mailutil, imapsync, YippieMove and Larch.
>> 
>> Each of the mail servers is Linux based, one of these (mine) is Dovecot.
>> Based on your experience which of these tools would be preferable to
>> use?
>> 
>> 
>> Thank you very much
>> 
>> Davide
>> 
> 
> 



Use multiple mbox locations

2017-12-04 Thread bapt x
Hello,

With GNU mailutils on Debian 9, we receive mails in /var/mail/
but when we read mails with the "mail" command, they are moved in a file
~/mbox: "Saved 1 message in /home//mbox".
I use Roundcube webmail with Dovecot but if I also use the "mail"
command to read emails, Roundcube will not display old messages anymore
since they were moved to ~/mbox.
So is there a way to tell Dovecot that we want to look up emails both in
/var/mail/ and ~/mbox?
I saw https://wiki.dovecot.org/Namespaces#Mixed_mbox_and_Maildir but it
did not work when I tried to add a mbox location 2 times.

Thanks for your help.


Re: Howto authenticate smartPhone via Active Directory

2017-12-04 Thread mj



On 12/04/2017 09:01 AM, Aki Tuomi wrote:

It seems you'd have to configure OpenLDAP backend for Samba to have LDAP.


No. As far as I know, samba in AD mode always does ldap. (AD *is* just 
that: microsoft-ized ldap)


And you should configure dovecot simply as a regular ldap client. That's 
what we do, anyway.


MJ


Re: Howto authenticate smartPhone via Active Directory

2017-12-04 Thread mj

Hi Mark,

Just to let you know that we are running dovecot with AD. (and I guess: 
*many* people are running that combination)


It worked without issues, we are using in dovecot-ldap.conf.ext:

> auth_bind = yes

this user/passwd filter:

= (&(objectclass=person)(sAMAccountName=%n)(!(userAccountControl=514)))


> dn = cn=search_dovecit,cn=users,dc=company,dc=com
> dnpass = top_secret

And not the 3268 port, but regular 389.

Hope that helps.

MJ



On 12/04/2017 01:38 AM, Mark Foley wrote:

Unfortunately, I tried for weeks to figure out passdb ldap without success. I guess I'm just
not knowledgeable enough about how to use ldap and Active Directory. The dovecot wiki
https://wiki2.dovecot.org/AuthDatabase/LDAPm doesn't help me much. All it says is:

Active Directory

When connecting to AD, you may need to use port 3268. Then again, not all LDAP fields are
available in port 3268. Use whatever works.
http://technet.microsoft.com/en-us/library/cc978012.aspx

I have not been able to find an example of someone using Dovecot and ldap with AD.

However, I have had some success with CheckPassword
(https://wiki2.dovecot.org/AuthDatabase/CheckPassword).  Using a program I wrote to do
ntlm_auth, I am able to authenticate the smartPhone user and pass the required parameters back
to Dovecot.  My auth-checkpasswd.conf.ext is the as-shipped standard except pointing to my
checkpassword executable.

passdb {
  driver = checkpassword
  args = /user/util/bin/checkpassword
}
userdb {
  driver = prefetch
}

The one issue I have with this at the moment is that dovecot runs checkpassword for every user,
smartphone or otherwise:

Dec 03 18:56:32 auth-worker(14903): Info: shadow(charmaine,192.168.0.52,): unknown user  - trying the next passdb
Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,): execute: /user/util/bin/checkpassword /usr/local/libexec/dovecot/checkpassword-reply
Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,): Received input:
Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,): exit_status=1
Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,): Credentials:
Dec 03 18:56:32 auth: Debug: client passdb out: OK  1   user=charmaine  original_user=charmaine@HPRS.LOCAL
Dec 03 18:56:32 auth: Debug: master in: REQUEST 1884160001  14902   1   586863e54c57c999ee5731906a59257csession_pid=14907 request_auth_token
Dec 03 18:56:32 auth-worker(14903): Debug: passwd(charmaine,192.168.0.52,): lookup
Dec 03 18:56:32 auth-worker(14903): Debug: passwd(charmaine,192.168.0.52,): username changed charmaine -> HPRS\charmaine
Dec 03 18:56:32 auth: Debug: master userdb out: USER1884160001  HPRS\charmaine  system_groups_user=HPRS\charmaineuid=10003gid=1   home=/home/HPRS/charmaine   auth_token=d8d39ec4cc71923806ca7f539427e8aac44e90f7 auth_user=charmaine@HPRS.LOCAL
Dec 03 18:56:32 imap-login: Info: Login: user=, method=GSSAPI, rip=192.168.0.52, lip=192.168.0.2, mpid=14907, TLS, session=
Dec 03 18:56:50 auth: Debug: auth client connected (pid=14913)

Notice after the "shadow" auth fails it says, "unknown user - trying the next passdb", which is
checkpassword (which apparently succeeds), then it goes on to gssapi which also succeeds.  Is
there a way to only have it do checkpassword if all shadow and gssapi fail? My mechanisms are:

auth_mechanisms = plain login gssapi

THX, --Mark

--Mark

-Original Message-
Date: Sun, 03 Dec 2017 22:28:53 +0200
Subject: Re: Howto authenticate smartPhone via Active Directory
From: Aki Tuomi 
To: Mark Foley , dovecot@dovecot.org

with passdb ldap i guess.

---Aki Tuomi
Dovecot oy

 Original message 
From: Mark Foley 
Date: 03/12/2017  21:18  (GMT+02:00)
To: dovecot@dovecot.org
Subject: Re: Howto authenticate smartPhone via Active Directory

Yes, you are right. This link: 
https://www.redips.net/linux/android-email-postfix-auth/#section2
shows:

passdb pam {
}

used for authenticating Android.  Problem #1 is that Slackware does not ship with PAM and the
AD/DC Samba4 does not use it. It is used on Slackware for a domain member, but I'm not sure I
should try configuring PAM on the AD/DC.

Is there some other way I can get authentication using domain credentials besides pam? The phone
can send user and password.

--Mark

-Original Message-

Date: Sun, 03 Dec 2017 15:22:56 +0200
Subject: Re: Howto authenticate smartPhone via Active Directory
From: Aki Tuomi 
To: Mark Foley , dovecot@dovecot.org

Actually you are authenticating gssapi clients from ad and everyone else from shadow.
maybe you need to configure pam module?

---Aki Tuomi
Dovecot oy

 Original message 
From: Mark Foley 
Date: 03/12/2017  06:03  (GMT+02:00)
To: dovecot@dovecot.org
Subject: Howto authenticate smartPhone 

Re: Howto authenticate smartPhone via Active Directory

2017-12-04 Thread Aki Tuomi
You might get better results with
https://wiki.dovecot.org/HowTo/ActiveDirectoryNtlm

It seems you'd have to configure OpenLDAP backend for Samba to have LDAP.

Aki


On 04.12.2017 02:38, Mark Foley wrote:
> Unfortunately, I tried for weeks to figure out passdb ldap without success. I 
> guess I'm just
> not knowledgeable enough about how to use ldap and Active Directory. The 
> dovecot wiki
> https://wiki2.dovecot.org/AuthDatabase/LDAPm doesn't help me much. All it 
> says is:
>
> Active Directory
>
> When connecting to AD, you may need to use port 3268. Then again, not all 
> LDAP fields are
> available in port 3268. Use whatever works. 
> http://technet.microsoft.com/en-us/library/cc978012.aspx
>
> I have not been able to find an example of someone using Dovecot and ldap 
> with AD.
>
> However, I have had some success with CheckPassword
> (https://wiki2.dovecot.org/AuthDatabase/CheckPassword).  Using a program I 
> wrote to do
> ntlm_auth, I am able to authenticate the smartPhone user and pass the 
> required parameters back
> to Dovecot.  My auth-checkpasswd.conf.ext is the as-shipped standard except 
> pointing to my
> checkpassword executable. 
>
> passdb {
> driver = checkpassword
>   args = /user/util/bin/checkpassword
> }
> userdb {
> driver = prefetch
> }
>
> The one issue I have with this at the moment is that dovecot runs 
> checkpassword for every user,
> smartphone or otherwise:
>
> Dec 03 18:56:32 auth-worker(14903): Info: shadow(charmaine,192.168.0.52,): unknown user  - trying the next passdb
> Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,): execute: /user/util/bin/checkpassword /usr/local/libexec/dovecot/checkpassword-reply
> Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,): Received input:
> Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,): exit_status=1
> Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,): Credentials:
> Dec 03 18:56:32 auth: Debug: client passdb out: OK  1   user=charmaine  original_user=charmaine@HPRS.LOCAL
> Dec 03 18:56:32 auth: Debug: master in: REQUEST 1884160001  14902   1   586863e54c57c999ee5731906a59257csession_pid=14907 request_auth_token
> Dec 03 18:56:32 auth-worker(14903): Debug: passwd(charmaine,192.168.0.52,): lookup
> Dec 03 18:56:32 auth-worker(14903): Debug: passwd(charmaine,192.168.0.52,): username changed charmaine -> HPRS\charmaine
> Dec 03 18:56:32 auth: Debug: master userdb out: USER1884160001  HPRS\charmaine  system_groups_user=HPRS\charmaineuid=10003gid=1   home=/home/HPRS/charmaine   auth_token=d8d39ec4cc71923806ca7f539427e8aac44e90f7 auth_user=charmaine@HPRS.LOCAL
> Dec 03 18:56:32 imap-login: Info: Login: user=, method=GSSAPI, rip=192.168.0.52, lip=192.168.0.2, mpid=14907, TLS, session=
> Dec 03 18:56:50 auth: Debug: auth client connected (pid=14913)
>
> Notice after the "shadow" auth fails it says, "unknown user - trying the next 
> passdb", which is
> checkpassword (which apparently succeeds), then it goes on to gssapi which 
> also succeeds.  Is
> there a way to only have it do checkpassword if all shadow and gssapi fail? 
> My mechanisms are:
>
> auth_mechanisms = plain login gssapi
>
> THX, --Mark
>
> --Mark
>
> -Original Message-
> Date: Sun, 03 Dec 2017 22:28:53 +0200
> Subject: Re: Howto authenticate smartPhone via Active Directory
> From: Aki Tuomi 
> To: Mark Foley , dovecot@dovecot.org
>
> with passdb ldap i guess.
>
> ---Aki Tuomi
> Dovecot oy
>
>  Original message 
> From: Mark Foley  
> Date: 03/12/2017  21:18  (GMT+02:00) 
> To: dovecot@dovecot.org 
> Subject: Re: Howto authenticate smartPhone via Active Directory 
>
> Yes, you are right. This link: 
> https://www.redips.net/linux/android-email-postfix-auth/#section2
> shows:
>
> passdb pam {
> }
>
> used for authenticating Android.  Problem #1 is that Slackware does not ship 
> with PAM and the
> AD/DC Samba4 does not use it. It is used on Slackware for a domain member, 
> but I'm not sure I
> should try configuring PAM on the AD/DC.
>
> Is there some other way I can get authentication using domain credentials
> besides pam? The phone can send user and password.
>
> --Mark
>
> -Original Message-
>> Date: Sun, 03 Dec 2017 15:22:56 +0200
>> Subject: Re: Howto authenticate smartPhone via Active Directory
>> From: Aki Tuomi 
>> To: Mark Foley , dovecot@dovecot.org
>>
>> Actually you are authenticating gssapi clients from ad and everyone else 
>> from shadow. maybe you need to configure pam module?
>> ---Aki TuomiDovecot oy
>>
>>  Original message 
>> From: Mark Foley  
>> Date: 03/12/2017  06:03  (GMT+02:00) 
>> To: dovecot@dovecot.org 
>> Subject: Howto authenticate smartPhone via Active Directory 
>> I have a