[Dovecot] [PATCH] Support GSS-SPNEGO natively

2008-08-11 Thread Jason Gunthorpe
I cooked this up while trying to figure out why thunderbird on Windows
w/ SSPI was not working, but it turned out thunderbird does not use
it, so I haven't been able to test it yet. I'm presenting it for
discussion only, unless someone else can try it :)

Modern versions of MIT kerberos support GSS-SPNEGO natively, but are
only willing to negotiate for kerberos tickets and not NTLM
messages. 

This is how the SPNEGO works in libapache-mod-auth-kerb-5.3 which
simply passes SPNEGO packets directly to gssapi if the library is new
enough. There is even a configure feature test for the gssapi library
in that package's configure script. Note that Debian etch's standard
kerb libraries (1.4) are not good enough for this.

Having this work means the other gssapi policy knobs in dovecot, like
auth_gssapi_hostname, work properly. Instead of 'whatever it is that
samba does'. I guess it fixes the concerns about winbind
accesses blocking (although don't the gssapi calls block??)

In light of this it is really only useful to use winbind if you want
to support NTLM as kerberos will do the necessary exchanges with the
kdc for an Active Directory domain. In truth a proper and complete
design would somehow layer the built in NTLM module under the SPNEGO
negotiation and only pass NTLM messages off to samba but I doubt
anyone cares with NTLM being rather obsolete.

--- dovecot-1.0.13/src/auth/mech-gssapi.c   2007-12-11 11:52:08.0 -0700
+++ dovecot-1.0.13-jgg/src/auth/mech-gssapi.c   2008-08-11 
23:52:15.0 -0600
@@ -417,4 +424,21 @@
mech_gssapi_auth_free
 };
 
+/* MTI Kerberos > 1.5 supports SPNEGO for Kerberos tickets internally.
+   Nothing else needs to be done here. Note however that this does not
+   support SPNEGO when the only available credential is NTLM.. */
+const struct mech_module mech_gssapi_spnego = {
+"GSS-SPNEGO",
+
+MEMBER(flags) 0,
+
+MEMBER(passdb_need_plain) FALSE,
+MEMBER(passdb_need_credentials) FALSE,
+
+mech_gssapi_auth_new,
+mech_gssapi_auth_initial,
+mech_gssapi_auth_continue,
+mech_gssapi_auth_free
+};
+
 #endif
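Review bot: the comment heading mech_gssapi_spnego misspells MIT as "MTI" and gives the requirement as "> 1.5", which leaves it unclear whether 1.5 itself qualifies. The NTLM limitation it records is visible only in the source; because the four callbacks are the unmodified mech_gssapi_auth_* handlers, a client that offers only NTLM inside SPNEGO will fail somewhere in the generic GSSAPI path, so the limitation should also be stated in the user-facing documentation for the mechanism.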
--- dovecot-1.0.13/src/auth/mech.c  2007-12-11 11:52:08.0 -0700
+++ dovecot-1.0.13-jgg/src/auth/mech.c  2008-08-11 21:30:56.0 -0600
@@ -72,6 +72,7 @@
 extern struct mech_module mech_anonymous;
 #ifdef HAVE_GSSAPI
 extern struct mech_module mech_gssapi;
+extern struct mech_module mech_gssapi_spnego;
 #endif
 
 void mech_init(void)
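Review bot: the extern declaration added here drops the const qualifier that the definition in mech-gssapi.c carries (const struct mech_module mech_gssapi_spnego). Declare it as extern const struct mech_module mech_gssapi_spnego; so the two agree, or, if mech_register_module() needs a non-const pointer, remove const from the definition instead.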
@@ -86,6 +87,7 @@
mech_register_module(&mech_anonymous);
 #ifdef HAVE_GSSAPI
mech_register_module(&mech_gssapi);
+   mech_register_module(&mech_gssapi_spnego);
 #endif
 }
 
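Review bot: mech_register_module(&mech_gssapi_spnego) in mech_init() is guarded only by HAVE_GSSAPI, so GSS-SPNEGO is registered on every GSSAPI build, including ones linked against a library that cannot parse SPNEGO tokens. The accompanying message says the 1.4 libraries are not good enough and that mod-auth-kerb uses a configure feature test for this; add an equivalent configure check and wrap this call, the matching unregister call and the definition in the macro it sets.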
@@ -101,5 +103,6 @@
mech_unregister_module(&mech_anonymous);
 #ifdef HAVE_GSSAPI
mech_unregister_module(&mech_gssapi);
+   mech_unregister_module(&mech_gssapi_spnego);
 #endif
 }


Re: [Dovecot] GlusterFS

2008-08-11 Thread Jeroen Koekkoek
I was afraid somebody was going to say that. Thanks for your reply, I'll
try that sometime later this week. I'll report back how it all went.

Kind regards,
Jeroen Koekkoek

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Aria Stewart
Sent: Monday, August 11, 2008 6:32 PM
To: Dovecot Mailing List
Subject: Re: [Dovecot] GlusterFS


On Aug 11, 2008, at 10:22 AM, Timo Sirainen wrote:

> On Aug 7, 2008, at 3:57 AM, Jeroen Koekkoek wrote:
>
>> I receive the following error message.
>>
>> Aug  7 09:38:51 mta2 dovecot: POP3([EMAIL PROTECTED]):
>> nfs_flush_fcntl:
>> fcntl(/var/vmail/domain.tld/somebody/Maildir/dovecot.index, F_RDLCK)
>> failed: Function not implemented
>
> Dovecot tries to flush kernel's data cache.

You might need

volume plocks
type features/posix-locks
subvolumes posix
end-volume

Or equivalent in your glusterfs configuration


>
>
>> I think that I can disable mail_nfs_index to fix these messages. Has
>> anybody had the same problem, if so, how did you solve it?
>
> You could disable mail_nfs_index, but that if the same mailbox is  
> accessed concurrently from multiple servers that will probably cause  
> index corruption.
>

Aria Stewart
[EMAIL PROTECTED]





Re: [Dovecot] proxy_maybe and IPv6

2008-08-11 Thread Matthieu Herrb

Timo Sirainen wrote:
> On Aug 11, 2008, at 10:53 PM, Timo Sirainen wrote:
>
>> On Aug 11, 2008, at 8:23 AM, Matthieu Herrb wrote:
>>
>>> If an IPv4 address is specified as 'host', a dovecot proxy is created
>>> for clients connecting using IPv6 to this server, and symmetrically
>>> if the proxy is specified as an IPv6 address, clients connecting
>>> through IPv4 will get forwarded to the v6 address.
>>>
>>> Is there a way to avoid that?
>>
>> If you're using SQL passdb, you could probably return host as either
>> IPv4 or IPv6 depending on if %l or %r is an IPv4 or IPv6 address?
>> Other than that I don't really see an easy way to handle this, because
>> dovecot-auth has to be the one to decide if the proxying should be
>> done or not, and it doesn't know all the IP addresses the Dovecot
>> installation is listening on.
>
> Or actually if Dovecot supported multiple proxy hosts it could contain
> both the IPv4 and IPv6 address and then Dovecot could check to see if
> any of them already matches. But this is pretty low on my TODO list..


Thanks for the answer.

We're using LDAP here for the passdb, so we'll have to live with that 
until multiple proxies are implemented.

--
Matthieu Herrb


[Dovecot] [PATCH] Allow GSSAPI to work with multihomed hosts

2008-08-11 Thread Jason Gunthorpe
I saw some past chatter on this in the list archives, but here is
another stab and another rationale.

This patch follows a similar patch to openssh in that it allows any
key in the specified keytab to match the incoming host key. This is
necessary for multihomed hosts. See:
https://bugzilla.mindrot.org/show_bug.cgi?id=928

IMAP/POP seem to be a strong candidate to be multihomed because they
are very likely to have an internal to a firewall and external to a
firewall name. Due to the way MIT kerberos handles host name
resolution via reverse IP lookup this can often result in multiple
principal names and there is simply nothing to be done about it. This
is my situation..

When you add windows into the mix, which uses a totally different set
of rules to determine the principal all hope seems to be lost to have
a single service principal name for an imap server :( I was able to
make things work for my environment using only the
auth_gssapi_hostname feature if only MIT kerberos was used, but as
soon as windows SSPI was involved it chose a different hostname.

Thus we want to have GSSAPI to match any service principal in the keytab.

As far as security concerns go, the admin can configure the keytab for
dovecot to be separate from the system key tab and contain only valid
imap SPNs, but in truth it probably doesn't matter.

I chose to just use the magic configurable:
 auth_gssapi_hostname = $ALL
rather than introduce more configurables

FWIW, after applying this I now am happy to say I have an Active
Directory KDC, with dovecot providing gssapi auth to thunderbird on
both linux (mit kerb 1.6) and windows (sspi)..

--- dovecot-1.0.13/src/auth/mech-gssapi.c   2007-12-11 11:52:08.0 -0700
+++ dovecot-1.0.13-jgg/src/auth/mech-gssapi.c   2008-08-11 
23:52:15.0 -0600
@@ -101,6 +101,13 @@
gss_name_t gss_principal;
const char *service_name;
 
+if (strcmp(request->auth->gssapi_hostname,"$ALL") == 0) {
+   auth_request_log_info(request, "gssapi",
+"Using all keytab entires");
+   *ret = GSS_C_NO_CREDENTIAL;
+   return GSS_S_COMPLETE;
+   }
+
if (strcasecmp(request->service, "POP3") == 0) {
/* The standard POP3 service name with GSSAPI is
called
   just "pop". */
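Review bot: the early return for "$ALL" sets *ret = GSS_C_NO_CREDENTIAL before the service name is derived, so the request->service handling that follows (POP3 mapped to "pop") no longer constrains which keytab entry a ticket may be issued for, and the acceptor will take a ticket for any principal in the keytab. That makes a dedicated keytab holding only the mail service principals a requirement rather than an option; document it next to auth_gssapi_hostname, or check the accepted target name after the context is established. Smaller points in the same block: strcmp() is called on request->auth->gssapi_hostname with no NULL check in the hunk, the message is logged at info level on every authentication, and "entires" should read "entries".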


Re: [Dovecot] proxy_maybe and IPv6

2008-08-11 Thread Timo Sirainen

On Aug 11, 2008, at 10:53 PM, Timo Sirainen wrote:

> On Aug 11, 2008, at 8:23 AM, Matthieu Herrb wrote:
>
>> If an IPv4 address is specified as 'host', a dovecot proxy is created
>> for clients connecting using IPv6 to this server, and symmetrically
>> if the proxy is specified as an IPv6 address, clients connecting
>> through IPv4 will get forwarded to the v6 address.
>>
>> Is there a way to avoid that?
>
> If you're using SQL passdb, you could probably return host as either
> IPv4 or IPv6 depending on if %l or %r is an IPv4 or IPv6 address?
> Other than that I don't really see an easy way to handle this,
> because dovecot-auth has to be the one to decide if the proxying
> should be done or not, and it doesn't know all the IP addresses the
> Dovecot installation is listening on.

Or actually if Dovecot supported multiple proxy hosts it could contain
both the IPv4 and IPv6 address and then Dovecot could check to see if
any of them already matches. But this is pretty low on my TODO list..






Re: [Dovecot] proxy_maybe and IPv6

2008-08-11 Thread Timo Sirainen

On Aug 11, 2008, at 8:23 AM, Matthieu Herrb wrote:

> If an IPv4 address is specified as 'host', a dovecot proxy is created
> for clients connecting using IPv6 to this server, and symmetrically
> if the proxy is specified as an IPv6 address, clients connecting
> through IPv4 will get forwarded to the v6 address.
>
> Is there a way to avoid that?

If you're using SQL passdb, you could probably return host as either
IPv4 or IPv6 depending on if %l or %r is an IPv4 or IPv6 address?
Other than that I don't really see an easy way to handle this, because
dovecot-auth has to be the one to decide if the proxying should be
done or not, and it doesn't know all the IP addresses the Dovecot
installation is listening on.






Re: [Dovecot] problems with sieve and lda

2008-08-11 Thread Harondel J. Sibble


On 11 Aug 2008 at 8:24, Eduardo M KALINOWSKI wrote:

> How are you calling deliver in postfix? Do you see in postfix's logs the
> messages being handled to deliver?


Well, I seem to have made the problem worse as I was adjusting settings 
throughout the day.

Here's where I am at, if I now enable

mailbox_transport = dovecot

I get the following in /var/log/maillog and mail doesn't get delivered


Aug 11 18:21:50 servername postfix/local[9858]: warning: connect #7 to 
subsystem private/dovecot: Connection refused
Aug 11 18:22:00 servername postfix/local[9858]: warning: connect #8 to 
subsystem private/dovecot: Connection refused
Aug 11 18:22:10 servername postfix/local[9858]: warning: connect #9 to 
subsystem private/dovecot: Connection refused
Aug 11 18:22:20 servername postfix/local[9858]: warning: connect #10 to 
subsystem private/dovecot: Connection refused
Aug 11 18:22:30 servername postfix/local[9858]: fatal: connect #11 to 
subsystem private/dovecot: Connection refused
Aug 11 18:22:31 servername postfix/qmgr[9838]: warning: premature end-of-
input on private/local socket while reading input attribute name
Aug 11 18:22:31 servername postfix/qmgr[9838]: warning: private/local socket: 
malformed response
Aug 11 18:22:31 servername postfix/qmgr[9838]: warning: transport local 
failure -- see a previous warning/fatal/panic logfile record for the problem 
description
Aug 11 18:22:31 servername postfix/master[9836]: warning: process 
/usr/libexec/postfix/local pid 9858 exit status 1
Aug 11 18:22:31 servername postfix/master[9836]: warning: 
/usr/libexec/postfix/local: bad command startup -- throttling
Aug 11 18:22:31 servername postfix/qmgr[9838]: 25BC982BF7: 
to=<[EMAIL PROTECTED]>, orig_to=<[EMAIL PROTECTED]>, relay=none, 
delay=101, delays=0.04/101/0/0, dsn=4.3.0, status=deferred (unknown mail 
transport error)

disable that setting in main.cf, restart postfix and flush the queue and all 
is good again.

This happens with both the config file I was working on today and also with 
the one I had yesterday when I started this thread.

Looks like I was getting this yesterday too, but slightly different

Aug 10 18:29:17 servername postfix/local[11905]: warning: connect #1 to 
subsystem private/dovecot: No such file or directory
Aug 10 18:29:27 servername postfix/local[11905]: warning: connect #2 to 
subsystem private/dovecot: No such file or directory
Aug 10 18:29:37 servername postfix/local[11905]: warning: connect #3 to 
subsystem private/dovecot: No such file or directory

Although I suspect that was when I had enabled the transport changes in 
master.cf just for testing purposes.  The logs show connection refused stuff 
only happening today.  Googling's coming up with squat.
-- 
Harondel J. Sibble 
Sibble Computer Consulting
Creating solutions for the small business and home computer user.
[EMAIL PROTECTED] (use pgp keyid 0x3AD5C11D) http://www.pdscc.com
(604) 739-3709 (voice/fax)  (604) 686-2253 (pager)



Re: [Dovecot] Auto Vacation replies again

2008-08-11 Thread Stephan Bosch

CJ Keist wrote:

> Fixed it!!
>
> In the file src/sieve_cmu.c line 744:
>
> smtp_client = smtp_client_open(src->addr, NULL, &f);
>
> change to:
>
> smtp_client = smtp_client_open(src->addr, src->fromaddr, &f);

First of all, this does not control the content of the From: header 
line, but rather the FROM SMTP envelope field.


This behavior is implemented as such on purpose. From RFC5230 
(http://www.ietf.org/rfc/rfc5230.txt):


5.1.  SMTP MAIL FROM Address

   The SMTP MAIL FROM address of the message envelope SHOULD be set to
   <>.  [...]

This is primarily recommended to prevent other (more stupid) 
auto-responders from generating a response to your vacation response (see 
also RFC3834 - 3.3. Message envelope).


In general I would recommend adjusting the filter accordingly, because 
vacation replies are likely not going to be the only thing it will chew 
on when it is configured to bite things that have an empty return path 
(e.g. mailer daemon status reports and the like).


Regards,

Stephan.
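
Before adjusting a gateway filter as suggested above, it helps to see which messages actually carry the null envelope sender and what the next hop did with them. The following is an added example, not code from this thread or from Dovecot or Postfix: it re-joins mail-wrapped Postfix syslog records, collects every queue ID whose MAIL FROM is <> and reports the delivery result. The log lines are constructed on the format quoted in this thread; host names, addresses, queue IDs and the function names are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the syslog format quoted in this thread
# (Solaris "[ID n facility.level]" tag, records wrapped by the mail client).
# Host names, addresses and queue IDs are placeholders.
SAMPLE_LOG = """\
Aug 11 13:24:53 mx.example.org postfix/qmgr[15988]: [ID 197553
mail.info] 3F2A91C0D7: from=<alice@example.net>, size=1875,
nrcpt=1 (queue active)
Aug 11 13:24:54 mx.example.org postfix/pickup[13201]: [ID
197553 mail.info] 7B04E6A1C2: uid=10946 from=<>
Aug 11 13:24:54 mx.example.org postfix/qmgr[15988]: [ID 197553
mail.info] 7B04E6A1C2: from=<>, size=772, nrcpt=1 (queue active)
Aug 11 13:24:55 mx.example.org postfix/smtp[15550]: [ID 197553
mail.info] 7B04E6A1C2: to=<alice@example.net>,
relay=gw.example.org[192.0.2.25]:25, delay=0.89, dsn=2.0.0,
status=sent (250 2.0.0 Message accepted for delivery)
Aug 11 13:24:55 mx.example.org postfix/local[15549]: [ID 197553
mail.info] 3F2A91C0D7: to=<cjay@example.org>, relay=local,
delay=2.7, dsn=2.0.0, status=sent (delivered to command: deliver)
Aug 11 13:30:02 mx.example.org postfix/qmgr[15988]: [ID 197553
mail.info] 9D55C0FE12: from=<>, size=3051, nrcpt=1 (queue active)
Aug 11 13:30:03 mx.example.org postfix/smtp[15551]: [ID 197553
mail.info] 9D55C0FE12: to=<bob@example.com>,
relay=gw.example.org[192.0.2.25]:25, delay=0.4, dsn=5.7.1,
status=bounced (host gw.example.org[192.0.2.25] said: 550 5.7.1
empty sender rejected)
"""

TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
QUOTE = re.compile(r"^(?:>\s?)+")          # "> " prefixes from quoted replies
ENTRY = re.compile(
    r"postfix/(?P<daemon>[\w-]+)\[\d+\]: (?:\[ID \d+ [\w.]+\] )?"
    r"(?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$"
)
SENDER = re.compile(r"\bfrom=<([^>]*)>")
RCPT = re.compile(r"\bto=<([^>]*)>")       # \b keeps orig_to=<...> from matching
RELAY = re.compile(r"\brelay=([^,\s]+)")
STATUS = re.compile(r"\bstatus=(\w+)(?: \((.*)\))?")


def unwrap(text):
    """Re-join syslog records that a mail client wrapped or quoted."""
    records = []
    for raw in text.splitlines():
        line = QUOTE.sub("", raw).strip()
        if not line:
            continue
        if TIMESTAMP.match(line) or not records:
            records.append(line)            # a new record starts with a timestamp
        else:
            records[-1] += " " + line       # continuation of the previous record
    return records


def null_sender_report(text):
    """Map queue ID -> delivery attempts for messages whose envelope sender is <>."""
    senders = {}
    deliveries = defaultdict(list)
    for record in unwrap(text):
        entry = ENTRY.search(record)
        if not entry:
            continue
        qid, rest = entry.group("qid"), entry.group("rest")
        sender = SENDER.search(rest)
        # pickup/qmgr records carry the envelope sender of the queued message
        if sender and entry.group("daemon") in ("pickup", "qmgr"):
            senders[qid] = sender.group(1)
        rcpt, status = RCPT.search(rest), STATUS.search(rest)
        if rcpt and status:
            relay = RELAY.search(rest)
            deliveries[qid].append({
                "to": rcpt.group(1),
                "relay": relay.group(1) if relay else None,
                "status": status.group(1),
                "detail": status.group(2) or "",
            })
    return {q: deliveries.get(q, []) for q, s in senders.items() if s == ""}


def refused(report):
    """Null-sender deliveries that the next hop did not accept."""
    return [(qid, d["to"], d["status"], d["detail"])
            for qid, attempts in report.items()
            for d in attempts if d["status"] != "sent"]


if __name__ == "__main__":
    report = null_sender_report(SAMPLE_LOG)
    for qid, attempts in report.items():
        for d in attempts:
            print(qid, d["to"], d["relay"], d["status"], d["detail"])
    print("refused:", refused(report))
```
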



Re: [Dovecot] Auto Vacation replies again

2008-08-11 Thread CJ Keist

Fixed it!!

In the file src/sieve_cmu.c line 744:

smtp_client = smtp_client_open(src->addr, NULL, &f);

change to:

smtp_client = smtp_client_open(src->addr, src->fromaddr, &f);


CJ Keist wrote:
> Sorry to bring this up again.
> 
> I have now configured my test server to pass all email messages off to
> our central campus email filter gateway.  This gateway scans all email
> traffic for viruses/spam before being delivered to any local mail servers.
> Once I did this my auto vacation replies are getting canned due to the
> fact the from header line is empty in the reply message.  You can see
> that it is empty from my mail logs (soon after the line where it
> executes my .dovecot.sievec file):
> 
> Aug 11 13:24:51 mail2.engr.colostate.edu dovecot: [ID 107833 mail.info]
> auth(default): new auth connection: pid=15539
> Aug 11 13:24:51 mail2.engr.colostate.edu postfix/smtpd[15539]: [ID
> 197553 mail.info] connect from akron.colostate.edu[129.82.103.160]
> Aug 11 13:24:52 mail2.engr.colostate.edu postfix/smtpd[15539]: [ID
> 197553 mail.info] setting up TLS connection from
> akron.colostate.edu[129.82.103.160]
> Aug 11 13:24:52 mail2.engr.colostate.edu postfix/smtpd[15539]: [ID
> 197553 mail.info] Anonymous TLS connection established from
> akron.colostate.edu[129.82.103.160]: TLSv1 with cipher
> DHE-RSA-AES256-SHA (256/256 bits)
> Aug 11 13:24:53 mail2.engr.colostate.edu postfix/smtpd[15539]: [ID
> 197553 mail.info] 44DEC599C3: client=akron.colostate.edu[129.82.103.160]
> Aug 11 13:24:53 mail2.engr.colostate.edu postfix/cleanup[15547]: [ID
> 197553 mail.info] 44DEC599C3:
> message-id=<[EMAIL PROTECTED]>
> Aug 11 13:24:53 mail2.engr.colostate.edu postfix/smtpd[15539]: [ID
> 197553 mail.info] disconnect from akron.colostate.edu[129.82.103.160]
> Aug 11 13:24:53 mail2.engr.colostate.edu postfix/qmgr[15988]: [ID 197553
> mail.info] 44DEC599C3: from=<[EMAIL PROTECTED]>, size=1875,
> nrcpt=1 (queue active)
> Aug 11 13:24:53 mail2.engr.colostate.edu deliver(cjay): [ID 315030
> mail.info] Loading modules from directory:
> /userM/mail-services/dovecot/lib/dovecot/lda
> Aug 11 13:24:53 mail2.engr.colostate.edu deliver(cjay): [ID 619685
> mail.info] Module loaded:
> /userM/mail-services/dovecot/lib/dovecot/lda/lib90_cmusieve_plugin.so
> Aug 11 13:24:53 mail2.engr.colostate.edu deliver(cjay): [ID 848615
> mail.info] mbox:
> data=/top/admin/ENS/people/cjay/home/:INBOX=/userM/mail/cjay
> Aug 11 13:24:53 mail2.engr.colostate.edu deliver(cjay): [ID 885103
> mail.info] fs: root=/top/admin/ENS/people/cjay/home, index=, control=,
> inbox=/userM/mail/cjay
> Aug 11 13:24:53 mail2.engr.colostate.edu deliver(cjay): [ID 223526
> mail.info] cmusieve: Using sieve path:
> /top/admin/ENS/people/cjay/home/.dovecot.sieve
> Aug 11 13:24:54 mail2.engr.colostate.edu deliver(cjay): [ID 507699
> mail.info] cmusieve: Executing script
> /top/admin/ENS/people/cjay/home/.dovecot.sievec
> Aug 11 13:24:54 mail2.engr.colostate.edu deliver(cjay): [ID 725890
> mail.info]
> msgid=<[EMAIL PROTECTED]>:
> sent vacation response to <[EMAIL PROTECTED]>
> Aug 11 13:24:54 mail2.engr.colostate.edu postfix/pickup[13201]: [ID
> 197553 mail.info] B9798599C5: uid=10946 from=<>
> Aug 11 13:24:54 mail2.engr.colostate.edu postfix/cleanup[15547]: [ID
> 197553 mail.info] B9798599C5:
> message-id=<[EMAIL PROTECTED]>
> Aug 11 13:24:54 mail2.engr.colostate.edu postfix/qmgr[15988]: [ID 197553
> mail.info] B9798599C5: from=<>, size=772, nrcpt=1 (queue active)
> Aug 11 13:24:55 mail2.engr.colostate.edu deliver(cjay): [ID 702911
> mail.info]
> msgid=<[EMAIL PROTECTED]>:
> saved mail to INBOX
> Aug 11 13:24:55 mail2.engr.colostate.edu postfix/smtp[1]: [ID 197553
> mail.info] B9798599C5: to=<[EMAIL PROTECTED]>,
> relay=parker.colostate.edu[129.82.103.125]:25, delay=0.89,
> delays=0.09/0.51/0.03/0.25, dsn=2.0.0, status=sent (250 2.0.0
> m7BJOur1516324 Message accepted for delivery)
> Aug 11 13:24:55 mail2.engr.colostate.edu postfix/qmgr[15988]: [ID 197553
> mail.info] B9798599C5: removed
> Aug 11 13:24:55 mail2.engr.colostate.edu postfix/local[15549]: [ID
> 197553 mail.info] 44DEC599C3: to=<[EMAIL PROTECTED]>,
> relay=local, delay=2.7, delays=0.26/0.19/0/2.2, dsn=2.0.0, status=sent
> (delivered to command: /userM/mail-services/dovecot/libexec/dovecot/deliver)
> Aug 11 13:24:55 mail2.engr.colostate.edu postfix/qmgr[15988]: [ID 197553
> mail.info] 44DEC599C3: removed
> 
> Again, my info:
> 
> OS: Solaris 10 sparc on T2000
> postfix: 2.5.2
> dovecot: 1.1.2
> sieve plug: 1.1.5
> 
> dovecot -n:
> # 1.1.2: /userM/mail-services/dovecot/etc/dovecot.conf
> Warning: fd limit 256 is lower than what Dovecot can use under full load
> (more than 3072). Either grow the limit or change
> login_max_processes_count and max_mail_processes settings
> base_dir: /userM/mail-services/dovecot/var/run/dovecot/
> protocols: imap imaps pop3 pop3s
> ssl_cert_file: /userM/mail-services/dovecot/etc/ssl/dovecot.pem
> ssl_key_file: /userM/mail-services/dovecot

[Dovecot] Auto Vacation replies again

2008-08-11 Thread CJ Keist

Sorry to bring this up again.

I have now configured my test server to pass all email messages off to
our central campus email filter gateway.  This gateway scans all email
traffic for viruses/spam before being delivered to any local mail servers.
Once I did this my auto vacation replies are getting canned due to the
fact the from header line is empty in the reply message.  You can see
that it is empty from my mail logs (soon after the line where it
executes my .dovecot.sievec file):

Aug 11 13:24:51 mail2.engr.colostate.edu dovecot: [ID 107833 mail.info]
auth(default): new auth connection: pid=15539
Aug 11 13:24:51 mail2.engr.colostate.edu postfix/smtpd[15539]: [ID
197553 mail.info] connect from akron.colostate.edu[129.82.103.160]
Aug 11 13:24:52 mail2.engr.colostate.edu postfix/smtpd[15539]: [ID
197553 mail.info] setting up TLS connection from
akron.colostate.edu[129.82.103.160]
Aug 11 13:24:52 mail2.engr.colostate.edu postfix/smtpd[15539]: [ID
197553 mail.info] Anonymous TLS connection established from
akron.colostate.edu[129.82.103.160]: TLSv1 with cipher
DHE-RSA-AES256-SHA (256/256 bits)
Aug 11 13:24:53 mail2.engr.colostate.edu postfix/smtpd[15539]: [ID
197553 mail.info] 44DEC599C3: client=akron.colostate.edu[129.82.103.160]
Aug 11 13:24:53 mail2.engr.colostate.edu postfix/cleanup[15547]: [ID
197553 mail.info] 44DEC599C3:
message-id=<[EMAIL PROTECTED]>
Aug 11 13:24:53 mail2.engr.colostate.edu postfix/smtpd[15539]: [ID
197553 mail.info] disconnect from akron.colostate.edu[129.82.103.160]
Aug 11 13:24:53 mail2.engr.colostate.edu postfix/qmgr[15988]: [ID 197553
mail.info] 44DEC599C3: from=<[EMAIL PROTECTED]>, size=1875,
nrcpt=1 (queue active)
Aug 11 13:24:53 mail2.engr.colostate.edu deliver(cjay): [ID 315030
mail.info] Loading modules from directory:
/userM/mail-services/dovecot/lib/dovecot/lda
Aug 11 13:24:53 mail2.engr.colostate.edu deliver(cjay): [ID 619685
mail.info] Module loaded:
/userM/mail-services/dovecot/lib/dovecot/lda/lib90_cmusieve_plugin.so
Aug 11 13:24:53 mail2.engr.colostate.edu deliver(cjay): [ID 848615
mail.info] mbox:
data=/top/admin/ENS/people/cjay/home/:INBOX=/userM/mail/cjay
Aug 11 13:24:53 mail2.engr.colostate.edu deliver(cjay): [ID 885103
mail.info] fs: root=/top/admin/ENS/people/cjay/home, index=, control=,
inbox=/userM/mail/cjay
Aug 11 13:24:53 mail2.engr.colostate.edu deliver(cjay): [ID 223526
mail.info] cmusieve: Using sieve path:
/top/admin/ENS/people/cjay/home/.dovecot.sieve
Aug 11 13:24:54 mail2.engr.colostate.edu deliver(cjay): [ID 507699
mail.info] cmusieve: Executing script
/top/admin/ENS/people/cjay/home/.dovecot.sievec
Aug 11 13:24:54 mail2.engr.colostate.edu deliver(cjay): [ID 725890
mail.info]
msgid=<[EMAIL PROTECTED]>:
sent vacation response to <[EMAIL PROTECTED]>
Aug 11 13:24:54 mail2.engr.colostate.edu postfix/pickup[13201]: [ID
197553 mail.info] B9798599C5: uid=10946 from=<>
Aug 11 13:24:54 mail2.engr.colostate.edu postfix/cleanup[15547]: [ID
197553 mail.info] B9798599C5:
message-id=<[EMAIL PROTECTED]>
Aug 11 13:24:54 mail2.engr.colostate.edu postfix/qmgr[15988]: [ID 197553
mail.info] B9798599C5: from=<>, size=772, nrcpt=1 (queue active)
Aug 11 13:24:55 mail2.engr.colostate.edu deliver(cjay): [ID 702911
mail.info]
msgid=<[EMAIL PROTECTED]>:
saved mail to INBOX
Aug 11 13:24:55 mail2.engr.colostate.edu postfix/smtp[1]: [ID 197553
mail.info] B9798599C5: to=<[EMAIL PROTECTED]>,
relay=parker.colostate.edu[129.82.103.125]:25, delay=0.89,
delays=0.09/0.51/0.03/0.25, dsn=2.0.0, status=sent (250 2.0.0
m7BJOur1516324 Message accepted for delivery)
Aug 11 13:24:55 mail2.engr.colostate.edu postfix/qmgr[15988]: [ID 197553
mail.info] B9798599C5: removed
Aug 11 13:24:55 mail2.engr.colostate.edu postfix/local[15549]: [ID
197553 mail.info] 44DEC599C3: to=<[EMAIL PROTECTED]>,
relay=local, delay=2.7, delays=0.26/0.19/0/2.2, dsn=2.0.0, status=sent
(delivered to command: /userM/mail-services/dovecot/libexec/dovecot/deliver)
Aug 11 13:24:55 mail2.engr.colostate.edu postfix/qmgr[15988]: [ID 197553
mail.info] 44DEC599C3: removed

Again, my info:

OS: Solaris 10 sparc on T2000
postfix: 2.5.2
dovecot: 1.1.2
sieve plug: 1.1.5

dovecot -n:
# 1.1.2: /userM/mail-services/dovecot/etc/dovecot.conf
Warning: fd limit 256 is lower than what Dovecot can use under full load
(more than 3072). Either grow the limit or change
login_max_processes_count and max_mail_processes settings
base_dir: /userM/mail-services/dovecot/var/run/dovecot/
protocols: imap imaps pop3 pop3s
ssl_cert_file: /userM/mail-services/dovecot/etc/ssl/dovecot.pem
ssl_key_file: /userM/mail-services/dovecot/etc/ssl/privkey.pem
ssl_parameters_regenerate: 0
ssl_cipher_list: MEDIUM:!LOW
disable_plaintext_auth: no
login_dir: /userM/mail-services/dovecot/var/run/dovecot/login
login_executable(default):
/userM/mail-services/dovecot/libexec/dovecot/imap-login
login_executable(imap):
/userM/mail-services/dovecot/libexec/dovecot/imap-login
login_executable(pop3):
/userM/mail-services/dovecot/l

Re: [Dovecot] problems with sieve and lda

2008-08-11 Thread Harondel J. Sibble


On 11 Aug 2008 at 6:35, Charles Marcus wrote:

> If I'm not mistaken, sieve support has improved dramatically in the 
> latest versions (1.1.2 being the current).
> 
> Use the atrpms repo...

Sure, I see that in the version history, but that won't necessarily solve the 
current problem I am having where deliver is not triggering at all.
-- 
Harondel J. Sibble 
Sibble Computer Consulting
Creating solutions for the small business and home computer user.
[EMAIL PROTECTED] (use pgp keyid 0x3AD5C11D) http://www.pdscc.com
(604) 739-3709 (voice/fax)  (604) 686-2253 (pager)



Re: [Dovecot] problems with sieve and lda

2008-08-11 Thread Harondel J. Sibble


On 11 Aug 2008 at 8:24, Eduardo M KALINOWSKI wrote:

> To use -d ACCOUNT, you need a master socket where deliver looks up
> user information: see the "Virtual Users" section in
> http://wiki.dovecot.org/LDA . But if you are not using virtual users
> (and only used -d to test), you should not need it. 

Yes, that's what I figured, the lda/postfix link in the wiki makes it seem 
really simple, change one setting and you're done.
 
> How are you calling deliver in postfix? Do you see in postfix's logs the
> messages being handled to deliver?

Exactly as noted at the wiki page above which says all I need to do is enter 
the proper path to deliver in mailbox_command in main.cf.

With this set, emails make it to the inbox but I never see ANY reference to 
deliver in the logs, it's only when I run the deliver command manually from 
the cli or enabled the changes in the master.cf that anything shows up in the 
deliver log.
-- 
Harondel J. Sibble 
Sibble Computer Consulting
Creating solutions for the small business and home computer user.
[EMAIL PROTECTED] (use pgp keyid 0x3AD5C11D) http://www.pdscc.com
(604) 739-3709 (voice/fax)  (604) 686-2253 (pager)



Re: [Dovecot] GlusterFS

2008-08-11 Thread Aria Stewart


On Aug 11, 2008, at 10:22 AM, Timo Sirainen wrote:

> On Aug 7, 2008, at 3:57 AM, Jeroen Koekkoek wrote:
>
>> I receive the following error message.
>>
>> Aug  7 09:38:51 mta2 dovecot: POP3([EMAIL PROTECTED]):
>> nfs_flush_fcntl:
>> fcntl(/var/vmail/domain.tld/somebody/Maildir/dovecot.index, F_RDLCK)
>> failed: Function not implemented
>
> Dovecot tries to flush kernel's data cache.

You might need

volume plocks
type features/posix-locks
subvolumes posix
end-volume

Or equivalent in your glusterfs configuration

>> I think that I can disable mail_nfs_index to fix these messages. Has
>> anybody had the same problem, if so, how did you solve it?
>
> You could disable mail_nfs_index, but that if the same mailbox is
> accessed concurrently from multiple servers that will probably cause
> index corruption.




Aria Stewart
[EMAIL PROTECTED]





Re: [Dovecot] GlusterFS

2008-08-11 Thread Timo Sirainen

On Aug 7, 2008, at 3:57 AM, Jeroen Koekkoek wrote:

> I receive the following error message.
>
> Aug  7 09:38:51 mta2 dovecot: POP3([EMAIL PROTECTED]):
> nfs_flush_fcntl:
> fcntl(/var/vmail/domain.tld/somebody/Maildir/dovecot.index, F_RDLCK)
> failed: Function not implemented

Dovecot tries to flush kernel's data cache.

> I think that I can disable mail_nfs_index to fix these messages. Has
> anybody had the same problem, if so, how did you solve it?

You could disable mail_nfs_index, but that if the same mailbox is
accessed concurrently from multiple servers that will probably cause
index corruption.






Re: [Dovecot] Cyrus vs Dovecot

2008-08-11 Thread Timo Sirainen

On Aug 11, 2008, at 10:57 AM, Mathieu Kretchner wrote:

> High Performance without hacking conf files !

http://wiki.dovecot.org/PerformanceTuning lists some of the things you
can tune, but the defaults should be pretty good (although some
default settings prefer reliability/security over performance).






Re: [Dovecot] Cyrus vs Dovecot

2008-08-11 Thread Charles Marcus

On 8/11/2008, Mathieu Kretchner ([EMAIL PROTECTED]) wrote:
> So here is my next environment :
>
> how many mailbox ?
> 5000

with adequate hardware/RAM, no problem

> how many users ?
> 6000

again - with adequate hardware/RAM, no problem

Concurrent access/usage will dictate if you need more than one server.

> what kind of access ?
> IMAP(s), POP3(s), webmail

no problem - webmail is separate of course, use whichever webmail app
you like

> how many server ?
> 2 (how to configure this with dovecot ? heartbeat ? is it better with 1 big
> hardware ? )

Timo is working on integrated replication right now, but it does
currently have proxy capability that I understand works well and makes
this fairly painless, although I haven't used it...

But I'm not sure if you are talking about 2 REDUNDANT servers (for
fail-over in the event the primary fails), or 2 active/load-balanced
servers... proxy would work for load-balancing, and you can configure
anything to use heartbeat, no?

> Database user ?
> LDAP

no problem

> Mail DB ?
> Cyrus maildir

You'll have to convert to standard maildir:

http://wiki.dovecot.org/Migration/Cyrus

> Capability ?
> Sieve / Quota

On latest version (1.1.2 currently), no problem, but a newer/full
rewrite to provide native sieve capability is in progress, which will
provide much better control

> High Performance without hacking conf files !

this is one of Dovecot's strongest points imo...

--

Best regards,

Charles


Re: [Dovecot] Cyrus vs Dovecot

2008-08-11 Thread Mathieu Kretchner

Charles Marcus wrote:

> On 8/11/2008, Mathieu Kretchner ([EMAIL PROTECTED]) wrote:
>
>> But, at present, we need to have a secure / reliable / fast with all
>> the properties that must fit a real e-mail server in order to support
>> our new e-mail IMAP architecture, so the question is (because we have
>> only 2 options) Why should I choose dovecot instead of Cyrus ?
>
> Because it is secure / reliable / faster than cyrus - and *much* easier
> to install/configure?
>
> You'll have more chance of a specific answer if you provide more
> specifics as to what 'properties that must fit a real email server'
> means to you.



So here is my next environment :

how many mailbox ?
5000

how many users ?
6000

what is in use now ?
Cyrus

what kind of access ?
IMAP(s), POP3(s), webmail

how many server ?
2 (how to configure this with dovecot ? heartbeat ? is it better with 1 
big hardware ? )


Database user ?
LDAP

Mail DB ?
Cyrus maildir

Capability ?
Sieve / Quota

High Performance without hacking conf files !







[Dovecot] Good news for CPanel users

2008-08-11 Thread Marshal Newrock
In response to a feature request for cpanel to have native support for
dovecot:

Rudimentary support was added in 11.23. Full support for Dovecot will be
available in 11.24.

-- 
Marshal Newrock
517-679-0699 x223
FreedomBI, LLC - http://www.freedombi.com





Re: [Dovecot] Cyrus vs Dovecot

2008-08-11 Thread Charles Marcus

On 8/11/2008, Mathieu Kretchner ([EMAIL PROTECTED]) wrote:

> But, at present, we need to have a secure / reliable / fast with all
> the properties that must fit a real e-mail server in order to support
> our new e-mail IMAP architecture, so the question is (because we have
> only 2 options) Why should I choose dovecot instead of Cyrus ?

Because it is secure / reliable / faster than cyrus - and *much* easier
to install/configure?

You'll have more chance of a specific answer if you provide more
specifics as to what 'properties that must fit a real email server'
means to you.


--

Best regards,

Charles


[Dovecot] number of IMAP accounts / quick quick

2008-08-11 Thread Mathieu Kretchner
find . -mindepth 2 -maxdepth 3 -type d -print | sort | uniq | grep -vE "user$" | wc -l



Re: [Dovecot] Cyrus vs Dovecot

2008-08-11 Thread Mathieu Kretchner

Marcin Gryszkalis wrote:
> On Monday of August 11 2008, Proskurin Kirill wrote:
>> And Timo help a lot for many people in this list.
>
> Confirmed. Timo (and other users) doesn't leave any (non trivial) question
> unanswered, wiki is full of useful info, important bugs are fixed quick
> (follow mercurial repo) and new versions are released often - dovecot is one
> of best supported open source projects I know...
>
> regards


Indeed, it's a good point for us that this is a big project with a lot of
involved developers!


But, at present, we need to have a secure / reliable / fast with all the 
properties that must fit a real e-mail server in order to support our 
new e-mail IMAP architecture, so the question is (because we have only 2 
options)

Why should I choose dovecot instead of Cyrus ?

Thanks



[Dovecot] proxy_maybe and IPv6

2008-08-11 Thread Matthieu Herrb

Hi,

Using dovecot 1.1.2 on a dual-stack server, with the 'proxy_maybe'
attribute to forward some clients to another server, it seems that
only clients connecting with the same protocol version as the one used
by the address in the 'host' attribute in the password db are recognized as
local.

If an IPv4 address is specified as 'host', a dovecot proxy is created
for clients connecting using IPv6 to this server, and symmetrically if 
the proxy is specified as an IPv6 address, clients connecting through 
IPv4 will get forwarded to the v6 address.


Is there a way to avoid that?
--
Matthieu Herrb




Re: [Dovecot] problems with sieve and lda

2008-08-11 Thread Eduardo M KALINOWSKI
Harondel J. Sibble wrote:
> Following the wiki here for system users
>
> http://wiki.dovecot.org/LDA/Postfix
>
> I never get any info in the logs about cmusieve, the only way I see anything 
> show up is if I add the transport settings to postfix/master.cf or see below
>
> From reading the list archives, as best as I can tell, the only time I need 
> to make the changes in postfix's master.cf is if I am using a virtual 
> environment, otherwise for local delivery, all I need is the mailbox_command 
> setting in postfix/main.cf
>
> However with that setting, I get nothing! If I then run deliver from the 
> command line as per a couple of mailing postings,
>
> cat /etc/hosts | /usr/libexec/dovecot/deliver -d [EMAIL PROTECTED] -f 
> [EMAIL PROTECTED]
>
> I get 
>
> deliver([EMAIL PROTECTED]): Aug 10 22:07:17 Info: Loading modules 
> from directory: /usr/lib/dovecot/lda
> deliver([EMAIL PROTECTED]): Aug 10 22:07:17 Info: Module loaded: 
> /usr/lib/dovecot/lda/lib90_cmusieve_plugin.so
> deliver([EMAIL PROTECTED]): Aug 10 22:07:17 Error: Can't connect to 
> auth server at /var/run/dovecot/auth-master: No such file or directory
>   

To use -d ACCOUNT, you need a master socket where deliver looks up user
information: see the "Virtual Users" section in
http://wiki.dovecot.org/LDA . But if you are not using virtual users
(and only used -d to test), you should not need it.

How are you calling deliver in postfix? Do you see in postfix's logs the
messages being handled to deliver?


-- 
Deadwood, n.:
Anyone in your company who is more senior than you are.

Eduardo M KALINOWSKI
[EMAIL PROTECTED]
http://move.to/hpkb
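
The master socket mentioned in the reply above, sketched as a Dovecot 1.x dovecot.conf fragment. This is an added example, not part of the original post: the socket path is the one from the quoted error message, and `vmail` is an assumed name for whatever account runs deliver.

```conf
# Added example for Dovecot 1.x dovecot.conf; not taken from the thread.
auth default {
  # existing mechanisms, passdb and userdb settings stay as they are

  socket listen {
    master {
      # Path deliver tried to open in the quoted error message
      path = /var/run/dovecot/auth-master
      # Owner-only access: the master socket answers userdb lookups
      # for any account, so keep it closed to other local users
      mode = 0600
      # Assumption: "vmail" is the account that runs deliver
      user = vmail
    }
  }
}
```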



Re: [Dovecot] GlusterFS

2008-08-11 Thread Pawel Panek

From: "Ed W" <[EMAIL PROTECTED]>
Sent: Sunday, August 10, 2008 11:09 AM


> I'm also interested to hear how it works out?  It appears that the
> straightline speed is high for gluster, but its per file performance has
> enough overhead that it's a significant problem for maildir type
> applications which manipulate lots of small files?  Possibly it works very
> well if you go mbox though?


The FUSE kernel driver from 2.6.24 was unusable. The FUSE client saw changed
file modes, i.e. from 640 to 666. With the fuse driver delivered with glusterfs,
file modes were the same as on the exporting server. It was performing very well
when clients were moving some large files, but when it came to mail traffic, wait
time and system load on client nodes started increasing. At last glusterfs
stopped working due to a segfault in io-cache.so or libglusterfs.so. Mail nodes
were using glusterfs-1.3.7 and fuse-2.7.2glfs8; mail was delivered into maildirs.


Pawel. 



Re: [Dovecot] Cyrus vs Dovecot

2008-08-11 Thread Marcin Gryszkalis
On Monday of August 11 2008, Proskurin Kirill wrote:
> And Timo help a lot for many people in this list.

Confirmed. Timo (and other users) don't leave any (non trivial) question
unanswered, the wiki is full of useful info, important bugs are fixed quickly
(follow the mercurial repo) and new versions are released often - dovecot is one
of the best supported open source projects I know...

regards
-- 
Marcin Gryszkalis, PGP 0x9F183FA3 
jabber jid:[EMAIL PROTECTED], gg:2532994
http://the.fork.pl


Re: [Dovecot] problems with sieve and lda

2008-08-11 Thread Charles Marcus

On 8/11/2008, Harondel J. Sibble ([EMAIL PROTECTED]) wrote:

> dovecot-1.0.7-2.el5
> dovecot-sieve-1.0.2-6.el5


If I'm not mistaken, sieve support has improved dramatically in the 
latest versions (1.1.2 being the current).


Use the atrpms repo...

--

Best regards,

Charles


Re: [Dovecot] Cyrus vs Dovecot

2008-08-11 Thread Proskurin Kirill

Mathieu Kretchner wrote:

> First of all : forgive me for my poor English
>
> Hello all,
>
> I've to compare cyrus with dovecot for my work. Because these are the
> only solutions that could fit our needs.
> Unfortunately I really don't know a lot about dovecot and I would like
> to have some of its assets.
>
> So I know this can scared you, but If you have some asset for dovecot,
> It could be great and a lot more FAIR !!
>
> Thank you in advance for your advice.


Hello, sorry for my English too.

I started migration from Cyrus to Dovecot not long ago. I have only 500
maildirs, but...

For now I can say that Dovecot is faster in IMAP. I use my maildir
with 4 emails with many many subfolders - it is much faster.

Security:
http://dovecot.org/security.html

Migration:
http://wiki.dovecot.org/Migration

And so on. Many answers to your questions are on dovecot.org.

On this list someone posted his load average graphs on *really* heavy load
servers. Search for it.

The only thing that dovecot does not support compared to Cyrus is replication,
but it is planned on the roadmap.

P.S. I started to hate cyrus when this happened and happened again with
no answer from developers:

http://lists.andrew.cmu.edu/pipermail/info-cyrus/2007-November/027889.html

And this:
http://lists.andrew.cmu.edu/pipermail/info-cyrus/2008-May/029163.html

P.P.S. Dovecot is really under heavy development and seems to be the best IMAP
daemon in open source now. And Timo helps a lot of people on this
list.


--
Best regards,
Proskurin Kirill


Re: [Dovecot] Cyrus vs Dovecot

2008-08-11 Thread Ralf Hildebrandt
* Mathieu Kretchner <[EMAIL PROTECTED]>:
> First of all : forgive me for my poor English
>
> Hello all,
>
> I've to compare cyrus with dovecot for my work. Because these are the  
> only solutions that could fit our needs.
> Unfortunately I really don't know a lot about dovecot and I would like to 
> have some of its assets.

All I can tell you is that I would never touch cyrus. I heard so many
bad things and read so many posts on the postfix-users and other lists
that I can only recommend dovecot, which I use.

-- 
Ralf Hildebrandt ([EMAIL PROTECTED])  [EMAIL PROTECTED]
Postfix - Einrichtung, Betrieb und Wartung   Tel. +49 (0)30-450 570-155
http://www.arschkrebs.de
"It's easy to cry 'bug' when the truth is that you've got a complex
system and sometimes it takes a while to get all the components to
co-exist peacefully."-Doug Vargas