[Dovecot] [PATCH] Allow GSSAPI to work with multihomed hosts
I saw some past chatter on this in the list archives, but here is
another stab and another rational.
This patch follows a similar patch to openssh in that it allows any
key in the specified keytab to match the incoming host key. This is
necessary for multihomed hosts. See:
https://bugzilla.mindrot.org/show_bug.cgi?id=928
IMAP/POP seem to be a strong candidate to be multihomed because they
are very likely to have an internal to a firewall and external to a
firewall name. Due to the way MIT kerberos handles host name
resolution via reverse IP lookup this can often result in multiple
principle names and there is simply nothing to be done about it. This
is my situation..
When you add windows into the mix, which uses a totally different set
of rules to determine the principle all hope seems to be lost to have
a single service principle name for an imap server :( I was able to
make things work for my environment using only the
auth_gssapi_hostname feature if only MIT kerberos was used, but as
soon as windows SSPI was involved it choose a different hostname.
Thus we want to have GSSAPI to match any service principle in the keytab.
As far as security concerns go, the admin can configure the keytab for
dovecot to be seperate from the system key tab and contain only valid
imap SPNs, but in truth it probably doesn't matter.
I choose to just use the magic configurable:
auth_gssapi_hostname = $ALL
rather than introduce more configurables
FWIW, after applying this I now am happy to say I have an Active
Directory KDC, with dovecot providing gssapi auth to thunderbird on
both linux (mit kerb 1.6) and windows (sspi)..
--- dovecot-1.0.13/src/auth/mech-gssapi.c 2007-12-11 11:52:08.0 -0700
+++ dovecot-1.0.13-jgg/src/auth/mech-gssapi.c 2008-08-11
23:52:15.0 -0600
@@ -101,6 +101,13 @@
gss_name_t gss_principal;
const char *service_name;
+if (strcmp(request-auth-gssapi_hostname,$ALL) == 0) {
+ auth_request_log_info(request, gssapi,
+Using all keytab entires);
+ *ret = GSS_C_NO_CREDENTIAL;
+ return GSS_S_COMPLETE;
+ }
+
if (strcasecmp(request-service, POP3) == 0) {
/* The standard POP3 service name with GSSAPI is
called
just pop. */
Re: [Dovecot] proxy_maybe and IPv6
Timo Sirainen wrote: On Aug 11, 2008, at 10:53 PM, Timo Sirainen wrote: On Aug 11, 2008, at 8:23 AM, Matthieu Herrb wrote: If an IPv4 address is specified as 'host', a dovecot proxy is created for clients connecting using IPv6 to this server, and symmetrically if the proxy is specified as an IPv6 address, clients connecting through IPv4 will get forwarded to the v6 address. Is there a way to avoid that? If you're using SQL passdb, you could probably return host as either IPv4 or IPv6 depending on if %l or %r is an IPv4 or IPv6 address? Other than that I don't really see an easy way to handle this, because dovecot-auth has to be the one to decide if the proxying should be done or not, and it doesn't know all the IP addresses the Dovecot installation is listening on. Or actually if Dovecot supported multiple proxy hosts it could contain both the IPv4 and IPv6 address and then Dovecot could check to see if any of them already matches. But this is pretty low on my TODO list.. Thanks for the answer. We're using LDAP here for the passdb, so we'll have to live with that until multiple proxies are implemented. -- Matthieu Herrb
Re: [Dovecot] GlusterFS
I was afraid somebody was going to say that. Thanks for your reply, I'll try that sometime later this week. I'll report back how it all went. Kind regards, Jeroen Koekkoek -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aria Stewart Sent: Monday, August 11, 2008 6:32 PM To: Dovecot Mailing List Subject: Re: [Dovecot] GlusterFS On Aug 11, 2008, at 10:22 AM, Timo Sirainen wrote: On Aug 7, 2008, at 3:57 AM, Jeroen Koekkoek wrote: I receive the following error message. Aug 7 09:38:51 mta2 dovecot: POP3([EMAIL PROTECTED]): nfs_flush_fcntl: fcntl(/var/vmail/domain.tld/somebody/Maildir/dovecot.index, F_RDLCK) failed: Function not implemented Dovecot tries to flush kernel's data cache. You might need volume plocks type features/posix-locks subvolumes posix end-volume Or equivalent in your glusterfs configuration I think that I can disable mail_nfs_index to fix these messages. Has anybody had the same problem, if so, how did you solve it? You could disable mail_nfs_index, but that if the same mailbox is accessed concurrently from multiple servers that will probably cause index corruption. Aria Stewart [EMAIL PROTECTED]
[Dovecot] [PATCH] Support GSS-SPNEGO natively
I cooked this up while trying to figure out why thunderbird on Windows
w/ SSPI was not working, but it turned out thunderbird does not use
it, so I haven't been able to test it yet. I'm presenting it for
discussion only, unless someone else can try it :)
Modern versions of MIT kerberos support GSS-SPNEGO natively, but are
only willing to negotiate for kerberos tickets and not NTLM
messages.
This is how the SPNEGO works in libapache-mod-auth-kerb-5.3 which
simply passes SPNEGO packets directly to gssapi if the library is new
enough. There is even a configure feature test for the gssapi library
in that packages configure script. Note that Debian etch's standard
kerb libaries (1.4) are not good enough for this.
Having this work means the other gssapi policy knobs in dovecot, like
auth_gssapi_hostname, work properly. Instead of 'whatever it is that
samba does'. I guess it fixes the concerns about winbind
accesses blocking (although don't the gssapi calls block??)
In light of this it is really only useful to use winbind if you want
to support NTLM as kerberos will do the necessary exchanges with the
kdc for an Active Directory domain. In truth a proper and complete
design would somehow layer the built in NTLM module under the SPNEGO
negotiation and only pass NTLM messages off to samba but I doubt
anyone cares with NTLM being rather obsolete.
--- dovecot-1.0.13/src/auth/mech-gssapi.c 2007-12-11 11:52:08.0 -0700
+++ dovecot-1.0.13-jgg/src/auth/mech-gssapi.c 2008-08-11
23:52:15.0 -0600
@@ -417,4 +424,21 @@
mech_gssapi_auth_free
};
+/* MTI Kerberos 1.5 supports SPNEGO for Kerberos tickets internally.
+ Nothing else needs to be done here. Note however that this does not
+ support SPNEGO when the only available credential is NTLM.. */
+const struct mech_module mech_gssapi_spnego = {
+GSS-SPNEGO,
+
+MEMBER(flags) 0,
+
+MEMBER(passdb_need_plain) FALSE,
+MEMBER(passdb_need_credentials) FALSE,
+
+mech_gssapi_auth_new,
+mech_gssapi_auth_initial,
+mech_gssapi_auth_continue,
+mech_gssapi_auth_free
+};
+
#endif
--- dovecot-1.0.13/src/auth/mech.c 2007-12-11 11:52:08.0 -0700
+++ dovecot-1.0.13-jgg/src/auth/mech.c 2008-08-11 21:30:56.0 -0600
@@ -72,6 +72,7 @@
extern struct mech_module mech_anonymous;
#ifdef HAVE_GSSAPI
extern struct mech_module mech_gssapi;
+extern struct mech_module mech_gssapi_spnego;
#endif
void mech_init(void)
@@ -86,6 +87,7 @@
mech_register_module(mech_anonymous);
#ifdef HAVE_GSSAPI
mech_register_module(mech_gssapi);
+ mech_register_module(mech_gssapi_spnego);
#endif
}
@@ -101,5 +103,6 @@
mech_unregister_module(mech_anonymous);
#ifdef HAVE_GSSAPI
mech_unregister_module(mech_gssapi);
+ mech_unregister_module(mech_gssapi_spnego);
#endif
}
[Dovecot] Fwd: [MORG] IMAP5 List
If anyone's interested, especially client developers. It's been a bit quiet there after the initial rush. Begin forwarded message: From: Randall Gellens [EMAIL PROTECTED] Date: August 1, 2008 5:08:39 AM EDT To: [EMAIL PROTECTED], [EMAIL PROTECTED] Subject: [MORG] IMAP5 List At the MORG BOF, a discussion as to if the proposed IMAP extensions would merely further add to the existing problem with IMAP being too hard to get right, for both clients and servers, let to a revival of the IMAP5 discussion (previous held during the IMAP EAI discussions). Here, IMAP5 refers to a Big Switch (new port and version) to distinguish this revision from current IMAP. The goal is to delete as much as possible from IMAP. A new mailing list now exists for this discussion on drastically slimming-down IMAP to make it easier to implement clients and servers. == To subscribe, click here: mailto:[EMAIL PROTECTED] . == It's been observed that most IMAP clients suck and that it's hard for both clients and servers to implement. One reason IMAP is hard to implement is that it has a lot of options. Often there are several alternative ways to accomplish something. It also has considerable functionality. Is it possible and desirable to start with the current set of (IMAP + all extensions) and consider subtracting as much as possible? The resulting protocol would still be IMAP, but not backwards-compatible with today's IMAP, since some currently-mandated items are likely to be deleted. General information about the IMAP5 mailing list is at: https://www.ietf.org/mailman/listinfo/imap5 . You can subscribe and manage your subscription at https://www.ietf.org/mailman/listinfo/imap5 . -- Randall Gellens Opinions are personal;facts are suspect;I speak for myself only -- Randomly-selected tag: --- If Murphy's Law can go wrong, it will. ___ MORG mailing list [EMAIL PROTECTED] https://www.ietf.org/mailman/listinfo/morg Note Well: http://www.ietf.org/maillist.html PGP.sig Description: This is a digitally signed message part
Re: [Dovecot] Cyrus vs Dovecot
Charles Marcus a écrit : On 8/11/2008, Mathieu Kretchner ([EMAIL PROTECTED]) wrote: So here is my next environment : how many mailbox ? 5000 with adequate hardware/RAM, no problem how many users ? 6000 again - with adequate hardware/RAM, no problem Ok it seems to be great, but wath do you consider to be an adequate hardware/RAM for this kind of environment ? Concurrent access/usage will dictate if you need more than one server. what kind of access ? IMAP(s), POP3(s), webmail no problem - webmail is separate of course, use whichever webmail app you like yes, of course, this will be an other discussion :) how many server ? 2 (how to configure this with dovecot ? hearthbeat ? is it better with 1 big hardware ? ) Timo is working on integrated replication right now, but it does currently have proxy capability that I understand works well and makes this fairly painless, although I haven't used it... But I'm not sure if you are talking about 2 REDUNDANT servers (for fail-over in the event the primary fails), or 2 active/load-balanced servers... proxy would work for load-balancing, and you can configure anything to use heartbeat, no? I've explicitly post a fuzzy question to have this kind of answer ! Thanks I've a better global view of dovecot now. Database user ? LDAP Here is an other problem : we don't have uid/gid stored in our LDAP database. Do we have to configure dovecot with a dovecot specific user/group ? no problem Mail DB ? Cyrus maildir You'll have to convert to standard maildir: http://wiki.dovecot.org/Migration/Cyrus Thanks for the url, I've already seen it before and the script cyrus2courrier seems good but we wonder why you didn't mention imapsync ? (maybe because for mass migration we must have a clear password file?) Capability ? Sieve / Quota On latest version (1.1.2 currently), no problem, but a newer/full rewrite to provide native sieve capability is in progress, which will provide much better control High Performance without hacking conf files ! this is one of dovecots strongest points imo... Indeed, we bench cyrus and dovecot from scratch and dovecot seems to be realy fast ! begin:vcard fn:Mathieu Kretchner n:Kretchner;Mathieu org:INRIA;Syslog adr;dom:;;2007 route des lucioles - BP93;Sophia Antipolis;;06902 CEDEX email;internet:[EMAIL PROTECTED] tel;work:04 92 38 76 67 x-mozilla-html:FALSE version:2.1 end:vcard
Re: [Dovecot] Cyrus vs Dovecot
Timo Sirainen a écrit : On Aug 11, 2008, at 10:57 AM, Mathieu Kretchner wrote: High Performance without hacking conf files ! http://wiki.dovecot.org/PerformanceTuning lists some of the things you can tune, but the defaults should be pretty good (although some default settings prefer reliability/security over performance). Thanks, we'll try to test with those configurations! begin:vcard fn:Mathieu Kretchner n:Kretchner;Mathieu org:INRIA;Syslog adr;dom:;;2007 route des lucioles - BP93;Sophia Antipolis;;06902 CEDEX email;internet:[EMAIL PROTECTED] tel;work:04 92 38 76 67 x-mozilla-html:FALSE version:2.1 end:vcard
Re: [Dovecot] Cyrus vs Dovecot
On Aug 12, 2008, at 3:41 AM, Mathieu Kretchner wrote: Database user ? LDAP Here is an other problem : we don't have uid/gid stored in our LDAP database. Do we have to configure dovecot with a dovecot specific user/group ? Yes, one or more (for one you have mail_uid/gid settings with v1.1). See http://wiki.dovecot.org/UserIds no problem Mail DB ? Cyrus maildir You'll have to convert to standard maildir: http://wiki.dovecot.org/Migration/Cyrus Thanks for the url, I've already seen it before and the script cyrus2courrier seems good but we wonder why you didn't mention imapsync ? (maybe because for mass migration we must have a clear password file?) Most importantly imapsync doesn't preserve message UIDs. cyrus2courier is also faster since it doesn't have to write all the mail data, just rename the files. Capability ? Sieve / Quota On latest version (1.1.2 currently), no problem, but a newer/full rewrite to provide native sieve capability is in progress, which will provide much better control High Performance without hacking conf files ! this is one of dovecots strongest points imo... Indeed, we bench cyrus and dovecot from scratch and dovecot seems to be realy fast ! Benchmarking IMAP servers for real-world usage is a bit difficult. http://imapwiki.org/Benchmarking PGP.sig Description: This is a digitally signed message part
Re: [Dovecot] Cyrus vs Dovecot
Mathieu Kretchner wrote: Charles Marcus a écrit : On 8/11/2008, Mathieu Kretchner ([EMAIL PROTECTED]) wrote: So here is my next environment : how many mailbox ? 5000 with adequate hardware/RAM, no problem how many users ? 6000 again - with adequate hardware/RAM, no problem Ok it seems to be great, but wath do you consider to be an adequate hardware/RAM for this kind of environment ? Hi, we are providing Mail-Service (POP3, IMAP; either TLS or SSL) to 22000 students here at my university. There are 2 machines running as active-passive cluster with DRBD to sync the maildata. Each box is a 4 core Intel(R) Xeon(R) CPU 5160 @ 3.00GHz with 8 gigs RAM. After a tuneup for DRBD and upgrade to dovecot 1.1 average load is around 1.0. HTH Philipp
Re: [Dovecot] [PATCH] Support GSS-SPNEGO natively
Jason Gunthorpe wrote: I cooked this up while trying to figure out why thunderbird on Windows w/ SSPI was not working, but it turned out thunderbird does not use it, so I haven't been able to test it yet. I'm presenting it for discussion only, unless someone else can try it :) thunderbird does all combinations of GSS auth w/ w/o SSPI I've ever tried; it's just a pain to find the correct combination of network.negotiate-auth.* and network.auth.use-sspi settings for any given case :) (plus enabling secure auth for the TB account at test) -- Angel Marin http://anmar.eu.org/
Re: [Dovecot] Fwd: [MORG] IMAP5 List
--On Tuesday, August 12, 2008 3:17 AM -0400 Timo Sirainen [EMAIL PROTECTED] wrote: If anyone's interested, especially client developers. It's been a bit quiet there after the initial rush. Very interesting. Thanks for the forward. I'll send this on to the Mulberry developer list. One thing I'd like to see is the ability of the server to notify the client of updates on any folder, not just subscribed or open ones. From what I understand, the client must poll all unsubscribed folders, which can be expensive. If one has a lot of folders (mine count well over 100, due to the large number of mailing lists to which I subscribe, and that I filter to them on the server side), the time to find new mail can be large and costly on the server.
[Dovecot] restricting shared folders access
Hi all, I have a dovecot setup with virtual users and a passwd-file passdb. All users have the same uid and gid. Recently I got my public folders working using namespaces and they work great. However, now I'm trying to share a folder between a limited number of users and so far I failed to get it working. Symlinks aren't an option because users need to be able to create subfolders of the shared folder so I'm trying to do it with namespaces but I'm not sure how to restrict access to a limited number of users. I tried doing it with groups. I made sure that the shared folder's group is set to 'staff' and the mode is 070, I also changed the group of a few virtual users to 'staff'. However, when I try accessing the shared folder I get a permission denied error (although the user is in the staff group). Can someone please recommend the best way to do this? Should I look into ACL's? Many thanks, Andrew.
[Dovecot] dovecot sieve sends vacation messages with null envelope sender
I am using this simple sieve script to do vacation:
require [fileinto, vacation];
if exists X-Spam-Flag {
stop;
}
vacation
:days 1
:subject Out of office reply
:addresses [email address hidden, email address hidden ]
I am on vacation until 2008-08-07.
If you have something urgent, please contact: Jan Novak email address
hidden
;
I use sql lookups for users and passwords. For some reason the default
location ~/.dovecot-sieve did not work for some reason. However I prefer
to put sieve scripts to /var/lib/sieve and when I added additional field
to lookup with this location it started to work.
But it sends vacation messages with null envelope sender, which is in my
opinion undesirable, because many vacation messages are caught in spam
filters.
I think there could be same sender on envelope.
In dovecot-sieve/src/sieve-cmu.c around line 380 is a call to
smtp_client_open(src-addr, NULL, f);
NULL could be replaced with src-fromaddr
Maybe some more patching may be necesary. I found similar patch for
cyrus-imapd at
http://oss.digirati.com.br/mail/cyrus.html
http://oss.digirati.com.br/mail/cyrus.html
My current system:
1) Ubuntu 8.04.1
[EMAIL PROTECTED]:~$ dovecot --version
1.0.15
It is a backported package from ubuntu intrepid ibex. However the same
applies for dovecot 1.0.10 which is in ubuntu 8.04.
Summary:
I expect messages sent by vacation recipe should have envelope from same
as user's e-mail address. This is then writen to Return-Path: header by
receiving MTA
NULL envelope from is used, resulting (in my case) to Return-Path:
rewriten by postfix to Return-Path: MAILER-DAEMON by receiving MTA
--- dovecot-sieve/src/sieve-cmu.c 2008-07-29 23:55:58.0 +0200
+++ ../dovecot-1.0.10/dovecot-sieve/src/sieve-cmu.c 2008-07-29 22:51:08.0 +0200
@@ -377,7 +377,7 @@
script_data_t *sdata = (script_data_t *) sc;
sieve_msgdata_t *md = mc;
-smtp_client = smtp_client_open(src-addr, NULL, f);
+smtp_client = smtp_client_open(src-addr, src-fromaddr, f);
outmsgid = deliver_get_new_message_id();
fprintf(f, Message-ID: %s\r\n, outmsgid);
begin:vcard
fn;quoted-printable:Josef Li=C5=A1ka
n;quoted-printable:Li=C5=A1ka;Josef
org;quoted-printable:CHL po=C4=8D=C3=ADta=C4=8De, s.r.o.
adr;quoted-printable;quoted-printable:;;St=C5=99edn=C3=AD 1249;=C4=8Cerno=C5=A1ice;;252 28;Czech Republic
email;internet:[EMAIL PROTECTED]
title:root
tel;cell:+420 776 026526
x-mozilla-html:FALSE
url:http://www.chl.cz
version:2.1
end:vcard
Re: [Dovecot] dovecot sieve sends vacation messages with null envelope sender
Am 12.08.2008 13:32 schrieb Josef Liška: … But it sends vacation messages with null envelope sender, which is in my opinion undesirable, because many vacation messages are caught in spam filters. I think there could be same sender on envelope. In dovecot-sieve/src/sieve-cmu.c around line 380 is a call to smtp_client_open(src-addr, NULL, f); NULL could be replaced with src-fromaddr Hi Josef, this is not a bug - it's a _fetaure_ :-) This morning Stephan Bosch wrote: http://www.dovecot.org/list/dovecot/2008-August/032799.html Regards, Pascal
Re: [Dovecot] dovecot sieve sends vacation messages with null envelope sender
Josef Liška schreef: But it sends vacation messages with null envelope sender, which is in my opinion undesirable, because many vacation messages are caught in spam filters. I think there could be same sender on envelope. In dovecot-sieve/src/sieve-cmu.c around line 380 is a call to smtp_client_open(src-addr, NULL, f); NULL could be replaced with src-fromaddr [...] Summary: I expect messages sent by vacation recipe should have envelope from same as user's e-mail address. This is then writen to Return-Path: header by receiving MTA NULL envelope from is used, resulting (in my case) to Return-Path: rewriten by postfix to Return-Path: MAILER-DAEMON by receiving MTA Interesting. I've seen a very similar suggestion yesterday. However, as I explained in the previous post, the use of a non-null envelope from field is discouraged by the Sieve vacation RFC (5230) and also by a more generic RFC (3834) describing the do's and dont's regarding auto-responders: http://www.dovecot.org/list/dovecot/2008-August/032799.html It puzzles me why spam filters would reject messages with a return path, which is a very common an valid use of the SMTP protocol. What spam filter are we talking about anyway? Regards, Stephan.
Re: [Dovecot] dovecot sieve sends vacation messages with null envelope sender
On 8/12/2008, Josef Liaka ([EMAIL PROTECTED]) wrote: But it sends vacation messages with null envelope sender, which is in my opinion undesirable, It is not only desirable, as Stephan already pointed out to someone else, it is per the spec: This behavior is implemented as such on purpose. From RFC5230 (http://www.ietf.org/rfc/rfc5230.txt): 5.1. SMTP MAIL FROM Address The SMTP MAIL FROM address of the message envelope SHOULD be set to . [...] because many vacation messages are caught in spam filters. So what? Many people consider them spam already. Please don't muck with things like this unless you have a really, really good reason... -- Best regards, Charles
Re: [Dovecot] Fwd: [MORG] IMAP5 List
And I wish to deity. that the IMAP protocol had feedback elements to inform the user of appropriate usage of IT resources, such as green/yellow/red indicators denoting info on the size of messages about to be sent, quotas, etc. Oh, yes, and that the imap alert, part of UWIMAP be made part of the core standard -- Stewart Dean, Unix System Admin, Henderson Computer Resources Center of Bard College, Annandale-on-Hudson, New York 12504 [EMAIL PROTECTED] voice: 845-758-7475, fax: 845-758-7035
Re: [Dovecot] Cyrus vs Dovecot
Hi, we are providing Mail-Service (POP3, IMAP; either TLS or SSL) to 22000 students here at my university. There are 2 machines running as active-passive cluster with DRBD to sync the maildata. Each box is a 4 core Intel(R) Xeon(R) CPU 5160 @ 3.00GHz with 8 gigs RAM. After a tuneup for DRBD and upgrade to dovecot 1.1 average load is around 1.0. HTH Philipp Impressive ! You'll be my contact for next few months :) How many Megabyte does the datamail size ? (total and per user?) Have you tune your conf file following this link : http://wiki.dovecot.org/PerformanceTuning ? Do you have Mail data or index on a NFS server (NAS) ? Actually that the point of interest, we would like to take advantage of our NAS because it manages so well automatic snapshot and incremental backup that would be a really good security for data mail users. Does anybody have such IMAP architecture ? PS : awesome mailing list... so reactive ! begin:vcard fn:Mathieu Kretchner n:Kretchner;Mathieu org:INRIA;Syslog adr;dom:;;2007 route des lucioles - BP93;Sophia Antipolis;;06902 CEDEX email;internet:[EMAIL PROTECTED] tel;work:04 92 38 76 67 x-mozilla-html:FALSE version:2.1 end:vcard
Re: [Dovecot] Cyrus vs Dovecot
Mathieu Kretchner wrote: PS : awesome mailing list... so reactive ! Welcome to dovecot. :-) What i may say - you should try a dovecot and 99% of your question will expire. P.S. Please tune your mail client to make reply-to field to dovecot@dovecot.org then you write a message here. P.P.S. http://www.google.com/search?client=operarls=ruq=cyrus+DB+ERRORsourceid=operaie=utf-8oe=utf-8 -- Best regards, Proskurin Kirill
Re: [Dovecot] Install from source of dovecot 1.1.2
Thanks for everyone's input. I was already sudoed to root before running any of the operations so it wasn't that. May have been that --with-storages error I'd made. I tried your config John, with mods for my system and besides having to add the dovecot user/group manually it seems to be running just fine now. Thanks! 2008/8/10 John and Catherine Allen [EMAIL PROTECTED]: I also install from source on my Debian system and I keep the configure options in a little script which currently looks like this: #!/bin/bash #configure flags for compilation compatible with gentoo emerge #john allen #9.5.2005 #modified 19.11.2006 #modified 26.1.2008 for kirtley ./configure \ --with-pam \ --without-deliver \ --with-storages=maildir \ --prefix=/usr \ --mandir=/usr/share/man \ --infodir=/usr/share/info \ --datadir=/usr/share \ --sysconfdir=/etc/dovecot \ --localstatedir=/var I can't see any problem with your configure options, so as Charles says maybe there's another dovecot somewhere on your system. Have you tried the command which dovecot? John -- John Allen Bofferdange, Luxembourg [EMAIL PROTECTED] http://allenlux.dyndns.org -- Don't just do something...sit there!
Re: [Dovecot] Auto Vacation replies again
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Stephan, Thank you. I understand what you are saying in trying to keep a vicious cycle of auto-replies responding to each other. But in our environment I don't have any choice as our central virus/spam email gateway will can any message without a valid from address in the headers. I will forward this on to our central IT guys that maintain the email gateway, but I don't hold much hope that they will listen ;). Stephan Bosch wrote: CJ Keist schreef: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Fixed it!! In the file src/sieve_cmu.c line 744: smtp_client = smtp_client_open(src-addr, NULL, f); change to: smtp_client = smtp_client_open(src-addr, src-fromaddr, f); First of all, this does not control the content of the From: header line, but rather the FROM SMTP envelope field. This behavior is implemented as such on purpose. From RFC5230 (http://www.ietf.org/rfc/rfc5230.txt): 5.1. SMTP MAIL FROM Address The SMTP MAIL FROM address of the message envelope SHOULD be set to . [...] This is primarily recommended to prevent other (more stupid) auto-responders to generate a response to your vacation response (see also RFC3834 - 3.3. Message envelope). In general I would recommend adjusting the filter accordingly, because vacation replies are likely not going to be the only thing it will chew on when it is configured to bite things that have an empty return path (e.g. mailer daemon status reports and the like). Regards, Stephan. - -- C. J. Keist Email: [EMAIL PROTECTED] UNIX/Network ManagerPhone: 970-491-0630 Engineering Network ServicesFax: 970-491-5569 College of Engineering, CSU Ft. Collins, CO 80523-1301 All I want is a chance to prove 'Money can't buy happiness' -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFIoZ0yA29OFr7C6jcRAt3TAJ4iQyaHtd7lMcm4g9Gp7ezcJQvrNACfT7JU Z1OFdj2ZZHRuQgc+HhaxdTM= =6G+3 -END PGP SIGNATURE-
Re: [Dovecot] dovecot sieve sends vacation messages with null envelope sender
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Josef,
This is exactly same situation in our environment as well. I had to
make the same change as you stated. Our central virus/spam email
gateway also cans any message with out a valid from address in the mail
headers. I would think most virus/spam systems will do the same.
I understand the concept of having the from empty, namely to keep
another automated system from replying back to your vacation reply, but
what do we do to keep our vacation replies being canned by anti-spam
systems?? Maybe this should be a option in the configuration file to
let the Admin decide whether to fill in the from address field, or a
[EMAIL PROTECTED] default, or just empty?
Josef Liška wrote:
I am using this simple sieve script to do vacation:
require [fileinto, vacation];
if exists X-Spam-Flag {
stop;
}
vacation
:days 1
:subject Out of office reply
:addresses [email address hidden, email address hidden ]
I am on vacation until 2008-08-07.
If you have something urgent, please contact: Jan Novak email address
hidden
;
I use sql lookups for users and passwords. For some reason the default
location ~/.dovecot-sieve did not work for some reason. However I prefer
to put sieve scripts to /var/lib/sieve and when I added additional field
to lookup with this location it started to work.
But it sends vacation messages with null envelope sender, which is in my
opinion undesirable, because many vacation messages are caught in spam
filters.
I think there could be same sender on envelope.
In dovecot-sieve/src/sieve-cmu.c around line 380 is a call to
smtp_client_open(src-addr, NULL, f);
NULL could be replaced with src-fromaddr
Maybe some more patching may be necesary. I found similar patch for
cyrus-imapd at
http://oss.digirati.com.br/mail/cyrus.html
http://oss.digirati.com.br/mail/cyrus.html
My current system:
1) Ubuntu 8.04.1
[EMAIL PROTECTED]:~$ dovecot --version
1.0.15
It is a backported package from ubuntu intrepid ibex. However the same
applies for dovecot 1.0.10 which is in ubuntu 8.04.
Summary:
I expect messages sent by vacation recipe should have envelope from same
as user's e-mail address. This is then writen to Return-Path: header by
receiving MTA
NULL envelope from is used, resulting (in my case) to Return-Path:
rewriten by postfix to Return-Path: MAILER-DAEMON by receiving MTA
- --
C. J. Keist Email: [EMAIL PROTECTED]
UNIX/Network ManagerPhone: 970-491-0630
Engineering Network ServicesFax: 970-491-5569
College of Engineering, CSU
Ft. Collins, CO 80523-1301
All I want is a chance to prove 'Money can't buy happiness'
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.5 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFIoZ2UA29OFr7C6jcRAgz8AKCpNJtUd1eGamCIqmIbGB025G1diQCfYBUT
OTvTBgnWmGwsvJiX2fz4AyU=
=XBNO
-END PGP SIGNATURE-
[Dovecot] restrict webmail access
Hi I'm using dovecot imap with ldap accounts. User management interface is phamm. Internal clients connect directly using imap client. External clients must use webmail (squirrelmail). But not everyone is supposed to use webmail. Is there any way to control who is allowed to log in from a specific IP (webmail ip)? Thanx for suggestions Jan
Re: [Dovecot] Fwd: [MORG] IMAP5 List
On Aug 12, 2008, at 6:04 AM, Kenneth Porter wrote: One thing I'd like to see is the ability of the server to notify the client of updates on any folder, not just subscribed or open ones. From what I understand, the client must poll all unsubscribed folders, which can be expensive. If one has a lot of folders (mine count well over 100, due to the large number of mailing lists to which I subscribe, and that I filter to them on the server side), the time to find new mail can be large and costly on the server. Lemonade group is working on NOTIFY extension for that. But that's only the protocol part, server would still have to be able to optimize it somehow internally. For Dovecot that would mean I should finish/fix mailbox list indexes. PGP.sig Description: This is a digitally signed message part
Re: [Dovecot] Auto Vacation replies again
CJ Keist escreveu: Stephan, Thank you. I understand what you are saying in trying to keep a vicious cycle of auto-replies responding to each other. But in our environment I don't have any choice as our central virus/spam email gateway will can any message without a valid from address in the headers The messages do have a valid from address in the headers - but their Envelope From address is empty, as the RFC recommends. These are two different things.
[Dovecot] NFS vs CIFS - and Dovecot
I've seen a number of posts discussing NFS based storage and issues with Dovecot. When the term NFS is used - does this exclusively refer to the Linux NFS network file system, or is it a generic reference to any network file system? I don't recall seeing any posts referencing issues with CIFS or SMBFS - is this because no one is using it, or because it just works instead of fiddling with NFS? -- Daniel
Re: [Dovecot] NFS vs CIFS - and Dovecot
On Aug 12, 2008, at 12:27 PM, Daniel L. Miller wrote: I've seen a number of posts discussing NFS based storage and issues with Dovecot. When the term NFS is used - does this exclusively refer to the Linux NFS network file system, or is it a generic reference to any network file system? I don't recall seeing any posts referencing issues with CIFS or SMBFS - is this because no one is using it, or because it just works instead of fiddling with NFS? I've only tested NFS, but since similar workarounds work for FUSE it's likely that they also work for CIFS/SMBFS. But there are additional issues with them, like you probably can't use ':' character (needed by Maildir) and I don't know if hard links are supported. I wouldn't recommend using without heavy stress testing. :) PGP.sig Description: This is a digitally signed message part
Re: [Dovecot] dovecot sieve sends vacation messages with null envelope sender
Hi, On Tue, Aug 12, 2008 at 08:26:28AM -0600, CJ Keist wrote: I understand the concept of having the from empty, namely to keep It's not just a concept but a rule set by some RFCs. another automated system from replying back to your vacation reply, but what do we do to keep our vacation replies being canned by anti-spam systems?? Maybe this should be a option in the configuration file to Then those systems violates RFCs, because it's compulsory to accept the null originator. Even there is a DNS based list which tries to block domains (of course only if you use it in your MTA) don't accept it. http://www.rfc-ignorant.org/policy-dsn.php Also NDRs (bounces) come with the null originator, so rejecting them makes the concept of e-mail partly dead (sender will not be notified that her/his mail cannot be delivered. yes, of course it's good idea to try to avoid to accept mails THEN sending back NDRs, but ...) -- - Gábor
Re: [Dovecot] Auto Vacation replies again
On 8/12/2008, CJ Keist ([EMAIL PROTECTED]) wrote: I understand what you are saying in trying to keep a vicious cycle of auto-replies responding to each other. But in our environment I don't have any choice as our central virus/spam email gateway will can any message without a valid from address in the headers. I will forward this on to our central IT guys that maintain the email gateway, but I don't hold much hope that they will listen ;) . My advice? Throw away the gateway and find one that works correctly. Doing this results in your users NOT getting 99.99% of valid/legitimate DSN notifications (since they all use the NULL sender, as prescribed by the RFCs). Blocking all messages with a NULL sender is not only violating the RFCs, and will possibly result in your getting on certain blacklists, like dsn.rfc-ignorant.org, it is lazy and dumb. But, to each his own... -- Best regards, Charles
Re: [Dovecot] [PATCH] Support GSS-SPNEGO natively
On Tue, Aug 12, 2008 at 10:27:40AM +0200, Angel Marin wrote: Jason Gunthorpe wrote: I cooked this up while trying to figure out why thunderbird on Windows w/ SSPI was not working, but it turned out thunderbird does not use it, so I haven't been able to test it yet. I'm presenting it for discussion only, unless someone else can try it :) thunderbird does all combinations of GSS auth w/ w/o SSPI I've ever tried; it's just a pain to find the correct combination of network.negotiate-auth.* and network.auth.use-sspi settings for any given case :) (plus enabling secure auth for the TB account at test) Really? I was looking through the source to TB and I can't find where it would use AUTH=GSS-SPNEGO.. For instance in mailnews/imap/src/nsImapServerResponseParser.cpp Where it parses the CAPABILITY reply it only looks for AUTH=GSSAPI Then when it goes to do the auth DoGSSAPIStep1 creates a sasl-gssapi which creates either a kerb-gss or a kerb-sspi and both of those set PACKAGE_KERBEROS to disable SPNEGO. I've been assuming AUTH=GSS-SPNEGO is only used by outlook? Jason
Re: [Dovecot] [PATCH] Support GSS-SPNEGO natively
On Aug 12, 2008, at 2:44 AM, Jason Gunthorpe wrote: This is how the SPNEGO works in libapache-mod-auth-kerb-5.3 which simply passes SPNEGO packets directly to gssapi if the library is new enough. There is even a configure feature test for the gssapi library in that packages configure script. Note that Debian etch's standard kerb libaries (1.4) are not good enough for this. Any thoughts on how exactly to detect that it's MIT kerberos (not Heimdal) and the version is new enough? (although don't the gssapi calls block??) Yes, but it was cleverly hidden so I hadn't thought about it before ;) So yes, I suppose some day GSSAPI calls should be done in auth worker processes. PGP.sig Description: This is a digitally signed message part
Re: [Dovecot] [PATCH] Support GSS-SPNEGO natively
On Tue, Aug 12, 2008 at 01:11:47PM -0400, Timo Sirainen wrote:
On Aug 12, 2008, at 2:44 AM, Jason Gunthorpe wrote:
This is how the SPNEGO works in libapache-mod-auth-kerb-5.3 which
simply passes SPNEGO packets directly to gssapi if the library is new
enough. There is even a configure feature test for the gssapi library
in that packages configure script. Note that Debian etch's standard
kerb libaries (1.4) are not good enough for this.
Any thoughts on how exactly to detect that it's MIT kerberos (not Heimdal)
and the version is new enough?
It has been ages since I touched autoconf, but this is the test that
libapace-mod-auth-kerb uses:
# If SPNEGO is supported by the gssapi libraries, we shouln't build our support.
# SPNEGO is supported as of Heimdal 0.7, and MIT 1.5.
gssapi_supports_spnego=
AC_MSG_CHECKING(whether the GSSAPI libraries support SPNEGO)
ac_save_CFLAGS=$CFLAGS
CFLAGS=$KRB5_CPPFLAGS
ac_save_LDFLAGS=$LDFLAGS
LDFLAGS=$KRB5_LDFLAGS
AC_TRY_RUN([
#include string.h
#include krb5.h
#ifdef HEIMDAL
#include gssapi.h
#else
#include gssapi/gssapi.h
#endif
int main(int argc, char** argv)
{
OM_uint32 major_status, minor_status;
gss_OID_set mech_set;
gss_OID_desc spnego_oid_desc = {6, (void *)\x2b\x06\x01\x05\x05\x02};
int SPNEGO = 0;
major_status = gss_indicate_mechs(minor_status, mech_set);
if (GSS_ERROR(major_status))
return 1;
else {
unsigned int i;
for (i=0; i mech_set-count !SPNEGO; i++) {
gss_OID tmp_oid = mech_set-elements[i];
if (tmp_oid-length == spnego_oid_desc.length
!memcmp(tmp_oid-elements, spnego_oid_desc.elements,
tmp_oid-length)) {
SPNEGO = 1;
break;
}
}
gss_release_oid_set(minor_status, mech_set);
return (!SPNEGO);
}
}],
[ if test $? -eq 0; then
AC_MSG_RESULT(yes)
AC_DEFINE(GSSAPI_SUPPORTS_SPNEGO)
gssapi_supports_spnego=yes
else
AC_MSG_RESULT(no)
fi],
[AC_MSG_RESULT(no)])
Jason
[Dovecot] About domains in antispam plugin
Hi there, I have the problem that the antispam filter is looking in a different subdirectory (I think is the domain subfolder) than the actuallly used i.e., The following error message is constant: ~ Aug 12 12:07:58 mail dspam[4540]: Unable to open file for reading: /var/spool/dspam/data/local/itadmin/itadmin.sig/48a1c36c24 9461173910573.sig: No such file or directory Aug 12 12:07:58 mail dspam[4541]: Unable to open file for reading: /var/spool/dspam/data/local/itadmin/itadmin.sig/48a1c36c24 9461173910573.sig: No such file or directory ~ The file in the error exists but in a different subdirectory than the one AntiSpam Plugin is looking: ~ ls -l /var/spool/dspam/data/local/itadmin/itadmin.sig/48a1c36c249461173910573.sig ls: cannot access /var/spool/dspam/data/local/itadmin/itadmin.sig/48a1c36c249461173910573.sig: No such file or directory ls -l /var/spool/dspam/data/mydomain.com/itadmin/itadmin.sig/48a1c36c249461173910573.sig -rw-rw 1 root dspam 968 Aug 12 12:07 /var/spool/dspam/data/mydomain.com/itadmin/itadmin.sig/48a1c36c249461173910573.sig ~ I looked at the /etc/dovecot/dovecot.conf for a line containing a local doman vs mydomain.com but there's nothing even in the comments. So If there's something I'm missing I'd be glad you to enlight me. Thanks a lot in advance for you help. Rgds, Eduardo
Re: [Dovecot] Error 89
On Aug 8, 2008, at 3:55 AM, Hodges wrote: Just installed dovecot 1.1.2. downloaded from dovecot.org. Seemed to compile and install OK but I get the following error when I try to start it child 28410 (auth) returned error 89 (fatal failure) This shows that dovecot-auth process exited. Doesn't it show any other error message before that line? There was a bug related to the logging though, this patch should help for it: http://hg.dovecot.org/dovecot-1.1/rev/1dc2dd3cd902 PGP.sig Description: This is a digitally signed message part
Re: [Dovecot] Auth message
On Aug 8, 2008, at 2:01 AM, Pavel Shirov wrote: Recently my network was scanned. Various services was scanned, and checking the logs of mail server the following string draw my attention: mail dovecot: pop3-login: Disconnected: user=ttejmgpfip, method=PLAIN, rip=87.228.15.180, lip=x.x.x.x This looks weird to me, because pop3-login: Disconnected looks like succesful login attempt to me. It's prefixed with pop3-login, so it was the pre-login process that disconnected the client. The user couldn't have logged in. Running dovecot 1.0.rc15 (CentOS 5). Here is how my sql auth done: rc15 is pretty old. The logging messages (and a lot of other stuff) have improved since then. password_query = SELECT password FROM mailbox WHERE active = '1' AND (LEFT(username, INSTR(username, '@')-1) = '%u' OR username = '%u') user_query = SELECT maildir as home, 6000 AS uid, 6000 AS gid, domain FROM mailbox WHERE LEFT(username, INSTR(username, '@')-1) = '%u' OR username = '%u' Dovecot escapes all the usernames, and actually unless you've changed auth_username_chars it doesn't even let any weird characters near the SQL queries. PGP.sig Description: This is a digitally signed message part
Re: [Dovecot] Possible bug in v1.1.1
On Aug 8, 2008, at 1:17 AM, John Wood wrote: Can you still reproduce this crash? http://dovecot.org/bugreport.html lists some things about how to get a core dump. I changed things to try to get a core and, of course, for nearly a 2 weeks got nothing at all. Figures. After you released 1.1.2 I went ahead and updated. A few days later I got a nice core waiting for me. Unfortunately I made the mistake of not watching the ports build and didn't see that that it lacked -g, so the backtrace is only partially useful. It doesn't show much more than that it most likely died in FETCH command. A lot of the function call order is impossible so the backtrace was somehow wrong/corrupted. In an attempt to stop wasting your time I have recompiled with -g and an now running that set of binaries. The next time this happens I should have useful backtrace for 1.1.2. Thanks. I doubt the message itself had anything to do with it. Just deleting dovecot.index.cache probably fixes the issue? Anyway I just tried causing the Broken MIME parts error myself. I couldn't get Dovecot to crash (and the problem got fixed automatically). I've not gone as far as doing that. All of the users on this system use mbox format, so if you think it would help I can just run a find | xargs to remove all of the dovecot.index.cache files. However, if I do this I may deny you the chance to see what keeps causing this. Would you prefer I leave it and try for another core? The crashes do not happen enough that users are screaming for my blood, yet :) Just leave them for now :) PGP.sig Description: This is a digitally signed message part
Re: [Dovecot] Dovecot crashing
On Aug 8, 2008, at 12:34 PM, Erinn Looney-Triggs wrote: Dovecot is crashing on a certain user inbox which is in mbox format as well as one of the users other mbox files. The crash doesn't exactly match what is listed in the aforementioned wiki page, so I thought their might be some other insight into this process or how to fix it. Here is the error in the log files: Aug 8 09:26:07 localhost dovecot: IMAP(user): UIDVALIDITY changed (1216167307 - 1218134720) in mbox file /var/mail/user Why did it change? Does it change often? It should never change. The MboxProblems wiki page shows the possible reasons for this. Aug 8 09:26:07 localhost dovecot: Panic: IMAP(user): file index- sync.c: line 39 (index_mailbox_set_recent_uid): assertion failed: (seq_range_exists(ibox-recent_flags, uid)) This is a bug caused by the UIDVALIDITY change. I think it happens only once though and after the next login it works? Anyway I should try to get this fixed. PGP.sig Description: This is a digitally signed message part
Re: [Dovecot] SSL Certifcates
On Aug 8, 2008, at 5:06 PM, Stephen Feyrer wrote: Thanks, I will persevere. I would like to point out that I'm only using PAM as it seems the best way to get email to system users. I am open to another method that might work. Anything that allows you to log in without password checking. For example a passwd-file containing only valid usernames and nopassword field. Or maybe SQLite query always returning success. My pam.d/imap file now looks like this. # Provided by mailbase (dont remove this line!) # Standard pam.d file for mail service packages. # $Header: /var/cvsroot/gentoo-x86/net-mail/mailbase/files/common- pamd-include,v 1.1 2005/04/29 13:07:50 ticho Exp $ #auth required pam_nologin.so auth required pam_allow.so auth include system-auth accountinclude system-auth sessioninclude system-auth This fails the authentication. Yes, because you're still doing a system-auth lookup. You want to allow anyone to log in with any user/pass combination, so only keep the pam_allow.so line there. PGP.sig Description: This is a digitally signed message part
Re: [Dovecot] Corrupted index cache files
On Aug 8, 2008, at 9:59 PM, Mike Abbott wrote: I see these errors more often than I'd like from Dovecot-1.1.2 on Mac OS X 10.5.4 (names and numbers elided): One or more users? Corrupted index cache file %s: Corrupted virtual size for uid=%d: %d != %d Corrupted index cache file %s: Broken virtual size for mail UID %d Corrupted index cache file %s: used_file_size too large How bad are these? As long as Dovecot detects the corruption, the errors are transparent to users since Dovecot fixes them automatically. What should I look for to find out why they happen? Other details: File system is HFS+ Mail store is maildir Hardware is Intel (Mac Pro) Post your dovecot -n output? Can you reproduce these easily with my imaptest tool? http://imapwiki.org/ImapTest One problem with HFS+ is that hard links are more or less buggy. But v1.1's default settings should include dotlock_use_excl=yes. You maybe should set maildir_copy_with_hardlinks=no, but that shouldn't cause this bug. PGP.sig Description: This is a digitally signed message part
Re: [Dovecot] Mail quota usage errors
On Aug 8, 2008, at 10:30 PM, Jeff Koch wrote: We're using dovecot with qmail and vpopmail and are having problems with major inaccuracies in the mail quota usage maintained in the maildirsize file. Although the file starts off accurate after we delete it and force a rebuild it quickly becomes inaccurate. It doesn't seem to be catching new mail added to the directories. New mails that are added by your MDA or by IMAP client? Sounds like your MDA just doesn't know about the quota? How are you delivering the mails? PGP.sig Description: This is a digitally signed message part
Re: [Dovecot] restricting shared folders access
On Aug 12, 2008, at 6:07 AM, Andrew Von Cid wrote: I have a dovecot setup with virtual users and a passwd-file passdb. All users have the same uid and gid. Recently I got my public folders working using namespaces and they work great. However, now I'm trying to share a folder between a limited number of users and so far I failed to get it working. Symlinks aren't an option because users need to be able to create subfolders of the shared folder so I'm trying to do it with namespaces but I'm not sure how to restrict access to a limited number of users. I tried doing it with groups. I made sure that the shared folder's group is set to 'staff' and the mode is 070, I also changed the group of a few virtual users to 'staff'. However, when I try accessing the shared folder I get a permission denied error (although the user is in the staff group). How exactly are you changing virtual users' groups? You said you're using a single UID and GID, so from the OS point of view there's only a single user. Can someone please recommend the best way to do this? Should I look into ACL's? Either that or use a different UID for all users (or the staff users). With ACLs you could create dovecot-acl file with either: a) Listing all the users who have access to it and their permissions b) List staff group's access, and have your userdb return acl_groups=staff extra field for the staff users. This will work only with v1.1. PGP.sig Description: This is a digitally signed message part
Re: [Dovecot] restrict webmail access
On Aug 12, 2008, at 10:35 AM, Jan wrote: I'm using dovecot imap with ldap accounts. User management interface is phamm. Internal clients connect directly using imap client. External clients must use webmail (squirrelmail). But not everyone is supposed to use webmail. Is there any way to control who is allowed to log in from a specific IP (webmail ip)? So you want to deny webmail access to some users but still allow them to log in directly via IMAP? You could do that with SQL passdb or checkpassword script, but there's really no way to do it with LDAP. Well, or one last possibility would be to allow the user to log in but immediately disconnect him by checking the access in post-login script: http://wiki.dovecot.org/PostLoginScripting PGP.sig Description: This is a digitally signed message part
Re: [Dovecot] restrict webmail access
Am 12.08.2008 16:35 schrieb Jan: Hi I'm using dovecot imap with ldap accounts. User management interface is phamm. Internal clients connect directly using imap client. External clients must use webmail (squirrelmail). But not everyone is supposed to use webmail. Is there any way to control who is allowed to log in from a specific IP (webmail ip)? Hi Jan, yes, it's possible to restrict the access for some/all users to a given network range. More information: http://wiki.dovecot.org/PasswordDatabase/ExtraFields/AllowNets Regards, Pascal
Re: [Dovecot] restrict webmail access
On Aug 12, 2008, at 2:40 PM, Pascal Volk wrote: Am 12.08.2008 16:35 schrieb Jan: Hi I'm using dovecot imap with ldap accounts. User management interface is phamm. Internal clients connect directly using imap client. External clients must use webmail (squirrelmail). But not everyone is supposed to use webmail. Is there any way to control who is allowed to log in from a specific IP (webmail ip)? Hi Jan, yes, it's possible to restrict the access for some/all users to a given network range. More information: http://wiki.dovecot.org/PasswordDatabase/ExtraFields/AllowNets There's no negative though, so it's not possible to deny access from given network range.. Well, except using an extra passdb with deny=yes. PGP.sig Description: This is a digitally signed message part
Re: [Dovecot] Procmail versus Dovecot LDA
On Aug 7, 2008, at 3:55 PM, Kenneth Porter wrote: --On Thursday, August 07, 2008 3:37 PM -0400 Timo Sirainen [EMAIL PROTECTED] wrote: If you used Dovecot's deliver, the deny passwd should have worked, but I've no idea about procmail. I'll note that I'm using procmail because of the ability to filter and run SpamAssassin from it. Does the Dovecot LDA provide the equivalent? (I know there's Sieve, though haven't looked into how one uses it.) If so, how hard is it to migrate my procmailrc files? Typically you'd run SpamAssassin first and Dovecot deliver after that. Sieve doesn't allow executing external binaries. PGP.sig Description: This is a digitally signed message part
Re: [Dovecot] Can't purge folders in Trash with listescape loaded in 1.1.2
http://dovecot.org/patches/1.1/listescape-plugin.c should help. I also committed a couple of fixes to hg to fix the error message. PGP.sig Description: This is a digitally signed message part
Re: [Dovecot] [PATCH] Support GSS-SPNEGO natively
Jason Gunthorpe wrote: On Tue, Aug 12, 2008 at 10:27:40AM +0200, Angel Marin wrote: Jason Gunthorpe wrote: I cooked this up while trying to figure out why thunderbird on Windows w/ SSPI was not working, but it turned out thunderbird does not use it, so I haven't been able to test it yet. I'm presenting it for discussion only, unless someone else can try it :) thunderbird does all combinations of GSS auth w/ w/o SSPI I've ever tried; it's just a pain to find the correct combination of network.negotiate-auth.* and network.auth.use-sspi settings for any given case :) (plus enabling secure auth for the TB account at test) Really? I was looking through the source to TB and I can't find where it would use AUTH=GSS-SPNEGO.. ok now rereading it again, I didn't make it clear what part of your message I was referring to :) I was just addressing the 'why thunderbird on Windows w/ SSPI was not working' part pointing out that thunderbird can do SSPI and that it should work tweaking the appropriate options. -- Angel Marin http://anmar.eu.org/
Re: [Dovecot] [PATCH] Support GSS-SPNEGO natively
On Tue, Aug 12, 2008 at 10:23:19PM +0200, Angel Marin wrote: Jason Gunthorpe wrote: On Tue, Aug 12, 2008 at 10:27:40AM +0200, Angel Marin wrote: Jason Gunthorpe wrote: I cooked this up while trying to figure out why thunderbird on Windows w/ SSPI was not working, but it turned out thunderbird does not use it, so I haven't been able to test it yet. I'm presenting it for discussion only, unless someone else can try it :) thunderbird does all combinations of GSS auth w/ w/o SSPI I've ever tried; it's just a pain to find the correct combination of network.negotiate-auth.* and network.auth.use-sspi settings for any given case :) (plus enabling secure auth for the TB account at test) Really? I was looking through the source to TB and I can't find where it would use AUTH=GSS-SPNEGO.. ok now rereading it again, I didn't make it clear what part of your message I was referring to :) I was just addressing the 'why thunderbird on Windows w/ SSPI was not working' part pointing out that thunderbird can do SSPI and that it should work tweaking the appropriate options. Oh right, in the end it did work. It turned out thunderbird was trying to use a different SPN than the linux environment. Since that SPN was not configured in AD thunderbird just bailed with an unhelpfull message :( FWIW, near as I can tell, thunderbird seems to use an SPN derived from the SSL cetrficate on Windows while on Linux it uses an SPN derived from the reverse lookup of the server's IP. In the end configuring the alternative SPN and using the multihoming patch I sent out made it all work. Now only outlook does not do single sign on.. Has anyone got outlook and dovecot to do SSO? Does the NTLM winbind patch make that work? Thanks, Jason
Re: [Dovecot] Procmail versus Dovecot LDA
I'll note that I'm using procmail because of the ability to filter and run SpamAssassin from it. Typically you'd run SpamAssassin first and Dovecot deliver after that. Is anyone here doing this for virtual users who could describe what they did? Bonus points for actual configuration files :-) Thanks, /jordan
Re: [Dovecot] stopping dovecot
On Jul 26, 2008, at 8:29 PM, Timo Sirainen wrote: On Jul 26, 2008, at 10:05 PM, Arkadiusz Miskiewicz wrote: I think the imap-login processes will hang around if there are SSL or proxy connections through them (but perhaps they shouldn't be listen-ing for new connections?). It would be good if existing clients were not disconnected but starting dovecot would be possible. That's how daemons for other services behave. This is how it should work, but for some reason netstat still shows the process as listening even after closing the listener file descriptors. I'll try to figure out later what the problem is. Perhaps some stupid mistake that I'm not noticing now, or perhaps it has something to do with the fd being opened by the master process and transferred to a forked child process.. Fixed: http://hg.dovecot.org/dovecot-1.1/rev/0e880665fcba PGP.sig Description: This is a digitally signed message part
Re: [Dovecot] Procmail versus Dovecot LDA
Jordan Hayes wrote: I'll note that I'm using procmail because of the ability to filter and run SpamAssassin from it. Typically you'd run SpamAssassin first and Dovecot deliver after that. Is anyone here doing this for virtual users who could describe what they did? Bonus points for actual configuration files :-) Thanks, /jordan What SMTP server are you running? -- Daniel
Re: [Dovecot] Integrate Patch
On Jul 24, 2008, at 3:10 PM, aledr wrote:
Is It possible to integrate this patch into next dovecot's releases?
It implements the -w ( disable webmail [IMAP from localhost*] access
) option when using vpopmail.
I'd rather not hardcode 127.0.0.1 address. Could you try if this patch
works:
http://hg.dovecot.org/dovecot-1.2/rev/30e4c3360e76
So you'll use it like:
passdb vpopmail {
args = webmail=127.0.0.1
}
If it's ok, I can commit the code to v1.1 tree as well.
PGP.sig
Description: This is a digitally signed message part
Re: [Dovecot] Dovecot-auth connection problem
On Jul 29, 2008, at 12:20 AM, Alexey Gorbov wrote: I have this messages in log: Jul 29 00:02:56 10.0.4.16 dovecot: imap-login: Can\'t connect to auth server at default: Resource temporarily unavailable Has this happened more than once? In this way users can't connect top pop3, imap services. Dovecot restart only help me to restore my services. How long did it happen until you restarted? It sounds like dovecot-auth process got stuck for some reason. If it happens again, you could: 1) Run strace -p `pidof dovecot-auth` for a few seconds and save the output (if you have multiple dovecot-auth processes, then strace the one which doesn't have -w parameter) 2) Run gdb -p `pidof dovecot-auth` (again the process without -w) and bt full after that. passdb: driver: sql args: /etc/dovecot/dovecot-sql.conf What SQL database are you using? PGP.sig Description: This is a digitally signed message part
Re: [Dovecot] Quota does not apply.
On Aug 4, 2008, at 3:02 PM, Dario Ale wrote: But, if I configure a high global quota and a small quota for INBOX, sent a mail that is more big that quota for INBOX, then quota is not applied and the mail is delivered to INBOX. The quota configuration doesn't really work the way you think it works. dovecot: Aug 04 15:47:03 Info: IMAP(dario.a): Quota rule: root= mailbox=* bytes=209715200 (0%) messages=0 (0%) dovecot: Aug 04 15:47:03 Info: IMAP(dario.a): Quota rule: root= mailbox=.mbox bytes=10485760 (0%) messages=0 (0%) The second quota rule matches to a mailbox called .mbox. If you wanted it to match INBOX, you should have used INBOX there. Quota code sees only the virtual mailbox names, not the physical file/directory names. Secondly, you can't reduce the quota for specific mailboxes. With the above configuration you're giving .mbox mailbox 10 MB of more space (so 210 MB total). Sounds like what you want to do is change your MTA configuration not to allow incoming mails larger than 10 MB. PGP.sig Description: This is a digitally signed message part
Re: [Dovecot] Dovecot 1.1.1 + zlib plugin + mbox crash
On Aug 5, 2008, at 11:44 AM, Dean Brooks wrote: Is there a way to implement a --without-bzlib style option so people can disable compilation of some of these plugins? Added: http://hg.dovecot.org/dovecot-1.1/rev/0dd6386cbc93 PGP.sig Description: This is a digitally signed message part
[Dovecot] sieve - Sendmail process terminated abnormally, exit status 70
How do we start troubleshooting this?
deliver([EMAIL PROTECTED]): Aug 12 18:27:19 Error: Sendmail process
terminated abnormally, exit status 70
deliver([EMAIL PROTECTED]): Aug 12 18:27:19 Info: sieve runtime error:
Vacation: Error sending mail
deliver([EMAIL PROTECTED]): Aug 12 18:27:19 Info:
msgid=[EMAIL PROTECTED]: saved mail to INBOX
deliver([EMAIL PROTECTED]): Aug 12 18:27:19 Error:
sieve_execute_bytecode(/var/vmail/example.com/user//Home/.dovecot.sievec)
failed
It seems to only choke on the vacation portion. It creates entries in
the .dovecot.lda-dupes file. But then dies while sending the reply
e-mail.
The contents of the user's .dovecot.sieve file is:
-
require [fileinto, include, vacation];
# Move spam to spam folder
if exists X-Spam-Flag {
fileinto spam;
# Stop here so that we do not reply on spams
stop;
}
include :personal sieve-vacation;
-
And the file looks like:
-
require [vacation];
vacation
# Reply at most once a day to a same sender
:days 1
:subject Out of office reply
# List of recipient addresses which are included in the auto replying.
# If a mail's recipient is not on this list, no vacation reply is
sent for it.
:addresses [EMAIL PROTECTED]
blah blah blah blah blah blah blah blah blah blah blah blah blah blah
blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah
blah blah blah blah blah blah
blah blah blah,
[EMAIL PROTECTED];
-
If I comment out the include :personal sieve-vacation; line, then it
works, but obviously not the vacation portion. Deliver does at least
not die horribly.
I get the same error if I move the content of the vacation include file
into the main .dovecot.sieve file.
# ls -la /usr/local/libexec/dovecot/lda/
-rwsr-xr-x 1 root root 802824 Aug 12 18:12 deliver
# ls -la /usr/libexec/dovecot/
total 5728
drwxr-xr-x 2 root root 4096 Jul 31 04:04 .
drwxr-xr-x 11 root root 4096 Jul 25 04:39 ..
-rwxr-xr-x 1 root root 58416 Jul 24 06:32 checkpassword-reply
-rwxr-xr-x 1 root root 666128 Jul 24 06:32 convert-tool
-rwxr-xr-x 1 root root 802824 Jul 24 06:32 deliver
-rwxr-xr-x 1 root root 164176 Jul 24 06:32 dict
-rwxr-xr-x 1 root root 350384 Jul 24 06:32 dovecot-auth
-rwxr-xr-x 1 root root 674176 Jul 24 06:32 expire-tool
-rwxr-xr-x 1 root root 59200 Jul 24 06:32 gdbhelper
-rwxr-xr-x 1 root root 245872 Jul 24 06:32 idxview
-rwxr-xr-x 1 root root 854488 Jul 24 06:32 imap
-rwxr-xr-x 1 root root 157216 Jul 24 06:32 imap-login
-rwxr-xr-x 1 root root 61248 Jul 24 06:32 listview
-rwxr-xr-x 1 root root 61800 Jul 24 06:32 logview
-rwxr-xr-x 1 root root 74200 Jul 24 06:32 maildirlock
-rwxr-xr-x 1 root root931 Jul 24 06:27 mkcert.sh
-rwxr-xr-x 1 root root 787464 Jul 24 06:32 pop3
-rwxr-xr-x 1 root root 149152 Jul 24 06:32 pop3-login
-rwxr-xr-x 1 root root 83968 Jul 24 06:32 rawlog
-rwxr-xr-x 1 root root 165152 Jun 11 03:21 sievec
-rwxr-xr-x 1 root root 157216 Jun 11 03:21 sieved
-rwxr-xr-x 1 root root 62584 Jul 24 06:32 ssl-build-param
(output of yum list)
dovecot.x86_64 :1.1.2-2_77.el5 installed
dovecot-sieve.x86_64 1.1.5-8.el5 installed
I'm not finding any AVC errors in the SELinux audit.log file. And I'm
not sure what other switches I can turn on to get better error
information as to what sendmail/deliver are choking on in this virtual
(setuid) environment where we use Dovecot as the LDA.
Re: [Dovecot] Auto Vacation replies again
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Thank you all for the input and the rfc url. To my surprise the central IT dept. is going to make the change to allow the envelope from to be empty! I'm pretty sure it was the rfc url I gave them to help my cause. So I'm reverting the code back to the original state. Charles Marcus wrote: On 8/12/2008, CJ Keist ([EMAIL PROTECTED]) wrote: I understand what you are saying in trying to keep a vicious cycle of auto-replies responding to each other. But in our environment I don't have any choice as our central virus/spam email gateway will can any message without a valid from address in the headers. I will forward this on to our central IT guys that maintain the email gateway, but I don't hold much hope that they will listen ;) . My advice? Throw away the gateway and find one that works correctly. Doing this results in your users NOT getting 99.99% of valid/legitimate DSN notifications (since they all use the NULL sender, as prescribed by the RFCs). Blocking all messages with a NULL sender is not only violating the RFCs, and will possibly result in your getting on certain blacklists, like dsn.rfc-ignorant.org, it is lazy and dumb. But, to each his own... - -- C. J. Keist Email: [EMAIL PROTECTED] UNIX/Network ManagerPhone: 970-491-0630 Engineering Network ServicesFax: 970-491-5569 College of Engineering, CSU Ft. Collins, CO 80523-1301 All I want is a chance to prove 'Money can't buy happiness' -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFIohcFA29OFr7C6jcRAhotAKDH0tZz/zVL/z7VLMHhKAG+mTvTVgCg3XwR n8jdXJOrZk0biQt04cUUkWI= =Bhdt -END PGP SIGNATURE-
[Dovecot] IMAP inbox: cannot delete tagged messages or change their tag
Hello, a bit of a problem with Dovecot. Version is 1.0.15 and is a default install (no changes to config) from FC8 repository... except that Dovecot is configured to use Maildir I have a user on the system who uses the tags in Thunderbird (Important, Personal etc). When she tags the messages they cannot be deleted and their tags cannot be changed. When deleting a message from the IMAP inbox it momentarily disappears and moves a copy to the Trash but when the IMAP inbox is reloaded the message reappears. The same happens when I try to change a tag: it comes back with the previous tag. Untagged messages can be freely deleted. Also, this problem does not happen if the messages are in a IMAP folder. They can be freely deleted. The problem seems specific to Dovecot, not Thunderbird, as I am able to tag and delete messages in another IMAP account. Also, accessing the same IMAP account using OS X Mail the messages come back after deleting them. Where should I start looking for a solution to this problem?
Re: [Dovecot] Procmail versus Dovecot LDA
Typically you'd run SpamAssassin first and Dovecot deliver after that. Is anyone here doing this for virtual users who could describe what they did? Bonus points for actual configuration files :-) What SMTP server are you running? Sendmail.
Re: [Dovecot] Fwd: [MORG] IMAP5 List
Timo, Thanks for bringing it up. I dealt with i18n MUA. I would love to see i18n from IMAPEXT (http://www.ietf.org/rfc/rfc5255.txt) be part of IMAP5, the mechanism, not all language translations, of course :) And I guess no MUA needs to 'ENABLE' anything in IMAP5. Joseph PS. I had subscribed to the mailing list :) Timo Sirainen wrote: If anyone's interested, especially client developers. It's been a bit quiet there after the initial rush. Begin forwarded message: From: Randall Gellens [EMAIL PROTECTED] Date: August 1, 2008 5:08:39 AM EDT To: [EMAIL PROTECTED], [EMAIL PROTECTED] Subject: [MORG] IMAP5 List At the MORG BOF, a discussion as to if the proposed IMAP extensions would merely further add to the existing problem with IMAP being too hard to get right, for both clients and servers, let to a revival of the IMAP5 discussion (previous held during the IMAP EAI discussions). Here, IMAP5 refers to a Big Switch (new port and version) to distinguish this revision from current IMAP. The goal is to delete as much as possible from IMAP. A new mailing list now exists for this discussion on drastically slimming-down IMAP to make it easier to implement clients and servers. == To subscribe, click here: mailto:[EMAIL PROTECTED]. == It's been observed that most IMAP clients suck and that it's hard for both clients and servers to implement. One reason IMAP is hard to implement is that it has a lot of options. Often there are several alternative ways to accomplish something. It also has considerable functionality. Is it possible and desirable to start with the current set of (IMAP + all extensions) and consider subtracting as much as possible? The resulting protocol would still be IMAP, but not backwards-compatible with today's IMAP, since some currently-mandated items are likely to be deleted. General information about the IMAP5 mailing list is at: https://www.ietf.org/mailman/listinfo/imap5. You can subscribe and manage your subscription at https://www.ietf.org/mailman/listinfo/imap5. -- Randall Gellens Opinions are personal;facts are suspect;I speak for myself only -- Randomly-selected tag: --- If Murphy's Law can go wrong, it will. ___ MORG mailing list [EMAIL PROTECTED] https://www.ietf.org/mailman/listinfo/morg Note Well: http://www.ietf.org/maillist.html
Re: [Dovecot] problems with sieve and lda
On 11 Aug 2008 at 8:24, Eduardo M KALINOWSKI wrote: How are you calling deliver in postfix? Do you see in postfix's logs the messages being handled to deliver? Hmm, oddly enough, adding a .forward in the users home dir with | /usr/libexec/dovecot/deliver Then everything works. Any ideas why? According to everything I've read including the wiki, that shouldn't be necessary. -- Harondel J. Sibble Sibble Computer Consulting Creating solutions for the small business and home computer user. [EMAIL PROTECTED] (use pgp keyid 0x3AD5C11D) http://www.pdscc.com (604) 739-3709 (voice/fax) (604) 686-2253 (pager)
Re: [Dovecot] Procmail versus Dovecot LDA
Hello! You can use sendmail/MailScanner/Spamassassin/deliver/procmail. Maybe you find my procmail patch usefull. http://markmail.org/message/v4gga3ba75xqemra http://www.dovecot.org/list/dovecot/2007-March/020787.html If you need any help just let me know it. BTW: Timo please fix the bugs regarding deliver and dovecot index bugs as already discussed. Scanning large mailbox folders takes a lot of time. If you need any help just let me know it. Ciao, Gerhard -- http://www.wiesinger.com/ On Tue, 12 Aug 2008, Jordan Hayes wrote: I'll note that I'm using procmail because of the ability to filter and run SpamAssassin from it. Typically you'd run SpamAssassin first and Dovecot deliver after that. Is anyone here doing this for virtual users who could describe what they did? Bonus points for actual configuration files :-) Thanks, /jordan
Re: [Dovecot] Fwd: [MORG] IMAP5 List
On Aug 12, 2008, at 9:52 PM, Joseph Yee wrote: Timo, Thanks for bringing it up. I dealt with i18n MUA. I would love to see i18n from IMAPEXT (http://www.ietf.org/rfc/rfc5255.txt ) be part of IMAP5, the mechanism, not all language translations, of course :) Dovecot v1.1+ currently supports I18LEVEL=1. Maybe more in future. :) Are you interested more in the comparator selection or the language translations? I don't see the LANGUAGE extension all that useful since most clients won't show the server-given error messages to users anyway.. And I guess no MUA needs to 'ENABLE' anything in IMAP5. I guess we'll see. PGP.sig Description: This is a digitally signed message part
