Re: Dovecot and IPA

2015-09-07 Thread Kanwar Ranbir Sandhu

On Mon, 2015-09-07 at 09:14 -0600, Manuel Delgado wrote:
> Hi Ranbir
> 
> I've worked with freeIPA a little, but without your doveconf or some other
> context information, it is difficult to identify the issue.

Crap...I meant to include that. Here's what it looks like when I enable
GSSAPI:


# 2.2.10: /etc/dovecot/dovecot.conf
# OS: Linux 3.10.0-229.11.1.el7.x86_64 x86_64 CentOS Linux release 7.1.1503 (Core)
auth_default_realm = theinside.rnr
auth_gssapi_hostname = mailman02.theinside.rnr
auth_krb5_keytab = /etc/imap.keytab
auth_mechanisms = gssapi
auth_realms = theinside.rnr
hostname = imap.thesandhufamily.ca
listen = 1.1.0.0
mail_gid = virtual
mail_location = maildir:~/Maildir
mail_plugins = quota acl
mail_uid = virtual
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
mbox_write_locks = fcntl
namespace {
  location = maildir:/var/spool/mail/thesandhufamily.ca/public
  prefix = Public.
  separator = .
  subscriptions = no
  type = public
}
namespace inbox {
  inbox = yes
  location = 
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix = 
}
plugin {
  acl = vfile
  quota = maildir:User quota
  quota_rule = *:storage=500M
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
postmaster_address = postmaster@%d
protocols = imap lmtp
service auth-worker {
  user = $default_internal_user
}
service auth {
  inet_listener {
    address = 1.1.0.0
    port = 17900
  }
  unix_listener auth-userdb {
    group = virtual
    mode = 0600
    user = virtual
  }
}
service imap-login {
  process_min_avail = 5
}
service imap {
  process_limit = 10
}
service lmtp {
  inet_listener lmtp {
    address = 1.1.0.0
    port = 24
  }
}
ssl = required
ssl_cert = 

Re: Dovecot and IPA

2015-09-07 Thread Kanwar Ranbir Sandhu
On Mon, 2015-09-07 at 17:07 +0200, Benny Pedersen wrote:
> Kanwar Ranbir Sandhu wrote on 2015-09-07 16:47:
> 
> > Kerberos + Dovecot apparently works really well, but not for
> > me...yet. :(
> 
> you chose to use a precompiled problem from redhat, no ?

Yes. Well, not Red Hat directly - I'm using CentOS.

> back to your problem, are you sure maintainer at redhat enabled kerberos 
> auth login ?

Yes, I can see AUTH=GSSAPI when I telnet to the server and get a list of
Dovecot's capabilities.

> if need more help ask the maintainer for the rpm package, or still 
> convinced it's a bug in dovecot show dovecot -n, i have lost if you 
> already have, but let's take it from there on

I don't think it's a bug in Dovecot. I have a feeling I have a
misconfiguration, but I can't figure out what it is.

I sent my config in a reply to another list member's message. Maybe the
broken part will jump out now.

Thanks,

Ranbir

-- 
Kanwar R.S. Sandhu


Re: Dovecot and IPA

2015-09-07 Thread Kanwar Ranbir Sandhu
On Sun, 2015-09-06 at 17:41 -0400, Kanwar Ranbir Sandhu wrote:
> I've followed official documentation from Red Hat and read numerous wiki 
> articles on how to configure Dovecot to get it to use GSSAPI correctly. 
> I don't think I've done anything incorrectly, but it refuses to work. 
> This is the error I'm seeing:
> 
> mailman02 dovecot: imap-login: Disconnected (tried to use unsupported 
> auth mechanism): user=<>, method=PLAIN, rip=1.1.1.1, lip=2.2.2.2, TLS, 
> session=
> 
> I don't understand why no username is being passed.  My mail client is 
> Evolution 3.10.4.

Anyone? I could really use some help with troubleshooting my setup.

Kerberos + Dovecot apparently works really well, but not for
me...yet. :(

Ranbir

-- 
Kanwar R.S. Sandhu


Re: Dovecot and IPA

2015-09-07 Thread Benny Pedersen

Kanwar Ranbir Sandhu wrote on 2015-09-07 16:47:

> Kerberos + Dovecot apparently works really well, but not for
> me...yet. :(

you chose to use a precompiled problem from redhat, no ?

if you used freebsd or gentoo there would only be learning curve left

back to your problem, are you sure maintainer at redhat enabled kerberos 
auth login ?

if need more help ask the maintainer for the rpm package, or still 
convinced it's a bug in dovecot show dovecot -n, i have lost if you 
already have, but let's take it from there on


Re: Dovecot and IPA

2015-09-07 Thread Manuel Delgado
Hi Ranbir

I've worked with freeIPA a little, but without your doveconf or some other
context information, it is difficult to identify the issue.

Regards,

Manuel Delgado

---
*Usuario Linux* *#520940 *

Mag. Computación e Informática
Universidad de Costa Rica
Centro de Informática



On Mon, Sep 7, 2015 at 8:47 AM, Kanwar Ranbir Sandhu <
m3fr...@thesandhufamily.ca> wrote:

> On Sun, 2015-09-06 at 17:41 -0400, Kanwar Ranbir Sandhu wrote:
> > I've followed official documentation from Red Hat and read numerous wiki
> > articles on how to configure Dovecot to get it to use GSSAPI correctly.
> > I don't think I've done anything incorrectly, but it refuses to work.
> > This is the error I'm seeing:
> >
> > mailman02 dovecot: imap-login: Disconnected (tried to use unsupported
> > auth mechanism): user=<>, method=PLAIN, rip=1.1.1.1, lip=2.2.2.2, TLS,
> > session=
> >
> > I don't understand why no username is being passed.  My mail client is
> > Evolution 3.10.4.
>
> Anyone? I could really use some help with troubleshooting my setup.
>
> Kerberos + Dovecot apparently works really well, but not for
> me...yet. :(
>
> Ranbir
>
> --
> Kanwar R.S. Sandhu
>


Re: Dovecot and IPA

2015-09-07 Thread Timo Sirainen

> On 07 Sep 2015, at 00:41, Kanwar Ranbir Sandhu  
> wrote:
> 
> Hello,
> 
> I'm trying to get Dovecot to use GSSAPI for authentication. I have an IPA 
> server on CentOS 7 with a bunch of my servers attached to the IPA domain, 
> including the server running Dovecot.
> 
> I've followed official documentation from Red Hat and read numerous wiki 
> articles on how to configure Dovecot to get it to use GSSAPI correctly. I 
> don't think I've done anything incorrectly, but it refuses to work. This is 
> the error I'm seeing:
> 
> mailman02 dovecot: imap-login: Disconnected (tried to use unsupported auth 
> mechanism): user=<>, method=PLAIN, rip=1.1.1.1, lip=2.2.2.2, TLS, 
> session=

It says "tried to use unsupported auth mechanism". In your later mail you say 
that telnet shows AUTH=GSSAPI in capabilities. So that would mean that the 
client isn't using AUTHENTICATE GSSAPI but something else.

Set auth_debug=yes and/or see what the client actually does by enabling 
pre-login rawlog: http://wiki2.dovecot.org/Debugging/Rawlog


Re: Dovecot and IPA

2015-09-07 Thread Benny Pedersen

Kanwar Ranbir Sandhu wrote on 2015-09-07 19:29:

> I tried it for shits and giggles: no change. :( I'm still seeing the
> same problem.

dovecot is built with security in mind...

using namebased gid or uid is not secure

it might just still work, but it's not secure


Re: Dovecot and IPA

2015-09-07 Thread Benny Pedersen

Kanwar Ranbir Sandhu wrote on 2015-09-07 18:02:

>   args = uid=virtual gid=virtual home=/var/spool/mail/%d/%n/

uid and gid must be numeric just like output from id

id virtual

make the args have same info


Re: Dovecot and IPA

2015-09-07 Thread Kanwar Ranbir Sandhu
On Mon, 2015-09-07 at 18:39 +0200, Benny Pedersen wrote:
> Kanwar Ranbir Sandhu wrote on 2015-09-07 18:02:
> 
> >   args = uid=virtual gid=virtual home=/var/spool/mail/%d/%n/
> 
> uid and gid must be numeric just like output from id
> 
> id virtual
> 
> make the args have same info

That's never caused any issues before. In fact, in my normal
configuration (i.e. no GSSAPI auth) it works just fine. 

Is GSSAPI auth the only auth method that needs a numeric ID?


Regards,

Ranbir

-- 
Kanwar R.S. Sandhu


Re: Dovecot and IPA

2015-09-07 Thread Kanwar Ranbir Sandhu
On Mon, 2015-09-07 at 13:29 -0400, Kanwar Ranbir Sandhu wrote:
> I tried it for shits and giggles: no change. :( I'm still seeing the
> same problem.

I forgot to add some additional errors I've seen in the logs:

http://pastebin.ca/3155329

-- 
Kanwar R.S. Sandhu


Re: Dovecot and IPA

2015-09-07 Thread Manuel Delgado
From the first message I noted this:

> mailman02 dovecot: imap-login: Disconnected (tried to use unsupported auth
> mechanism): user=<>, method=PLAIN, rip=1.1.1.1, lip=2.2.2.2, TLS,
> session=


It seems that your client is not using GSSAPI, but PLAIN instead.

About your config:

On Mon, Sep 7, 2015 at 10:02 AM, Kanwar Ranbir Sandhu <
m3fr...@thesandhufamily.ca> wrote:

>
>
> auth_default_realm = theinside.rnr
> auth_realms = theinside.rnr
>
In my configs I was forced to use REALM in uppercase. When I used it
lowercase I had issues mainly with PAM.


> auth_krb5_keytab = /etc/imap.keytab

Double-check that your keytab is correctly authorized in IPA and it's still
valid. In my case I had to set up a cron to refresh the keytab. (Remember
to chown it, so Dovecot can read it.)

Regards,
Manuel Delgado

---
*Usuario Linux* *#520940 *

Mag. Computación e Informática
Universidad de Costa Rica
Centro de Informática


Re: Dovecot and IPA

2015-09-07 Thread Kanwar Ranbir Sandhu
On Mon, 2015-09-07 at 18:39 +0200, Benny Pedersen wrote:
> Kanwar Ranbir Sandhu wrote on 2015-09-07 18:02:
> 
> >   args = uid=virtual gid=virtual home=/var/spool/mail/%d/%n/
> 
> uid and gid must be numeric just like output from id
> 
> id virtual
> 
> make the args have same info

I tried it for shits and giggles: no change. :( I'm still seeing the
same problem.

-- 
Kanwar R.S. Sandhu


Re: How about an option to disbale headers? (was Re: Patch for "doveadm -f table" nit)

2015-09-07 Thread Timo Sirainen
On 07/03/2015 05:48 PM, Gedalya wrote:
> On 05/24/2015 03:08 AM, Gedalya wrote:
>> On 03/20/2015 02:47 PM, Timo Sirainen wrote:
>>> Added -h parameter now to hg.
>>
>> Using 2.2.18.
>> With -f table this behaves as expected, however with -t tab the output
>> seems to include the separating tabs of the header line prepended to
>> the first line of output.
>> In other words, the header line is printed partially - only the tabs,
>> no actual headers and no newline.
> 
> Timo?

Fixed: http://hg.dovecot.org/dovecot-2.2/rev/b8f09586ab33


Re: [Dovecot] dsync replication errors

2015-09-07 Thread Gedalya

On 02/17/2013 03:21 AM, Timo Sirainen wrote:

> Although there's still some mail
> duplication problem with maildir that doesn't log any errors about it.
> I'm not sure why that happens.


While you're around, Timo :-)

I've had such an issue recently with 2.2.18, using Maildir, where emails 
were being replicated circularly creating more and more duplicate copies.
Replication should have been unidirectional in reality since changes 
were being made on one side only.
Nothing coherent was being logged. Only "Warning: Maildir 
/srv/mail/domains/.../Maildir: Expunged message reappeared, giving a new 
UID .. " appearing on the receiving side.
Is there any intelligence on the matter, or should I isolate this down 
and report it from scratch?


Re: [Patch] Fix hang in safe_sendfile on SmartOS

2015-09-07 Thread Sebastian Wiedenroth

> On 07.09.2015 at 21:34, Timo Sirainen wrote:
> 
> On 07/16/2015 06:03 PM, Sebastian Wiedenroth wrote:
>> Fix hang in safe_sendfile on SmartOS
>> 
>> The call to sendfile on SmartOS can fail with EOPNOTSUPP. This is a valid 
>> error
>> code and documented in the man page. This error code needs to be handled or
>> else dovecot will retry the sendfile call endlessly and hang.
> 
> Committed .. However, I think a more important bug is that it hangs.
> It's definitely not supposed to hang. Which process was it that was
> hanging? How can I reproduce that? I can only get it to disconnect the
> IMAP client.


Thanks!

It was the managesieve process that was hanging.
To trigger it we used sieve-connect [1] like this:
sieve-connect -u d...@example.com mailbox.example.com

To find the issue we used a dtrace script [2].
With an unpatched version it would show:

CPU     ID FUNCTION:NAME
  0   4623 safe_sendfile:return 7 4 fd7fffdff8b8 154 -> 77
  0   4623 safe_sendfile:return 7 4 fd7fffdff8b8 9223372036854775807 -> 77
  0   4623 safe_sendfile:return 7 4 fd7fffdff8b8 9223372036854775807 -> 77

and then just repeat the last line as it retried the call forever. This is 
where it hangs, spinning on the cpu.

After looking at the code I confirmed the issue with a dtrace one-liner that 
tracks the sendfilev syscall:

dtrace -n 'syscall::sendfilev:return {printf("%d %x\n", arg0, errno)}'

This showed that the call returned with EOPNOTSUPP (0x7a):
  0   6155 sendfilev:return -1 7a

The man page lists this as a valid error code and handling it the same way as 
EAFNOSUPPORT fixed the issue for us.
There are a few more error codes in the man page that currently are not handled 
by dovecot.
This might be something to look into in the future.

I hope this answer provides the details you’re looking for.

Best regards,
Sebastian 

[1] https://github.com/philpennock/sieve-connect
[2] https://gist.github.com/wiedi/4b4ebe5f92ac5b54951b


Re: Null deference pointer in dovecot-2.2.18

2015-09-07 Thread Timo Sirainen
These are all false positives. I added some asserts that hopefully get
rid of two of the warnings. I couldn't really think of a way to nicely
avoid the mail-index-fsck.c warning.

http://hg.dovecot.org/dovecot-2.2/rev/06b884831f25

On 07/15/2015 06:07 AM, 吴迪 wrote:
> Dear,
> 
>  use our static analysis tools, I find some bugs (Null dereference pointer) 
> for dovecot-2.2.18. Null dereference pointer bugs often make program crashes,  
> Please confirm them, Thanks!  
> 
>   1. dovecot-2.2.18/src/config/config-request.c   332
> 
>   'setting_export_section_name(ctx->prefix, def, children[i], i);',  
> pointer 'children' in line 202  assigned  NULL and if  branch 'case 
> SET_DEFLIST_UNIQUE'  not execute, so pointer 'children' is always NULL.   It 
> leads to a bug of null dereference pointer in line 332.
> 
>   The  same bugs also appeared in :
> 
>   1. dovecot-2.2.18/src/lib-index/mail-index-fsck.c   line 170 or 174, 
> pointer 'kw_rec' may be NULL.
> 
>   2. dovecot-2.2.18/src/lib-storage/mail-search-args-simplify line 349, 
> pointer 'prev_arg' may be NULL.
> 
> best wishes~
> 
> Amy
> 


Re: Is it a bug when you move mail between namespaces....

2015-09-07 Thread Timo Sirainen
On 09/08/2015 12:56 AM, Larry Rosenman wrote:
> that the fts data gets lost?

All full text search backends are now implemented so that if you
copy/move mails, the mails need to be indexed again in the destination folder.

Alternative would be to index mails only with their GUIDs and have a
GUID => { folder GUID, IMAP UID } mapping and filter the mails based on
that. But such reverse index doesn't exist quite yet.


Re: Is it a bug when you move mail between namespaces....

2015-09-07 Thread Larry Rosenman
It doesn't in my current 2.2.18 setup with the config I posted.


On Mon, Sep 7, 2015 at 5:22 PM, Timo Sirainen  wrote:

> It should.
>
> On 08 Sep 2015, at 01:01, Larry Rosenman  wrote:
>
> should fts_autoindex handle that case?
>
>
> On Mon, Sep 7, 2015 at 5:00 PM, Timo Sirainen  wrote:
>
>> On 09/08/2015 12:56 AM, Larry Rosenman wrote:
>> > that the fts data gets lost?
>>
>> All full text search backends are now implemented so that if you
>> copy/move mails, the mails need to be indexed again in the destination
>> folder.
>>
>> Alternative would be to index mails only with their GUIDs and have a
>> GUID => { folder GUID, IMAP UID } mapping and filter the mails based on
>> that. But such reverse index doesn't exist quite yet.
>>
>
>
>
> --
> Larry Rosenman http://www.lerctr.org/~ler
> Phone: +1 214-642-9640 (c) E-Mail: larry...@gmail.com
> US Mail: 7011 W Parmer Ln, Apt 1115, Austin, TX 78729-6961
>
>
>


-- 
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 (c) E-Mail: larry...@gmail.com
US Mail: 7011 W Parmer Ln, Apt 1115, Austin, TX 78729-6961


Re: Is it a bug when you move mail between namespaces....

2015-09-07 Thread Timo Sirainen
It should.

> On 08 Sep 2015, at 01:01, Larry Rosenman  wrote:
> 
> should fts_autoindex handle that case?
> 
> 
> On Mon, Sep 7, 2015 at 5:00 PM, Timo Sirainen wrote:
> On 09/08/2015 12:56 AM, Larry Rosenman wrote:
> > that the fts data gets lost?
> 
> All full text search backends are now implemented so that if you
> copy/move mails, the mails need to be indexed again in the destination folder.
> 
> Alternative would be to index mails only with their GUIDs and have a
> GUID => { folder GUID, IMAP UID } mapping and filter the mails based on
> that. But such reverse index doesn't exist quite yet.
> 
> 
> 
> -- 
> Larry Rosenman http://www.lerctr.org/~ler 
> 
> Phone: +1 214-642-9640 (c) E-Mail: larry...@gmail.com 
> 
> US Mail: 7011 W Parmer Ln, Apt 1115, Austin, TX 78729-6961


Re: [Patch] Fix hang in safe_sendfile on SmartOS

2015-09-07 Thread Timo Sirainen
On 07 Sep 2015, at 23:19, Sebastian Wiedenroth 
 wrote:
> 
> 
>> On 07.09.2015 at 21:34, Timo Sirainen wrote:
>> 
>> On 07/16/2015 06:03 PM, Sebastian Wiedenroth wrote:
>>> Fix hang in safe_sendfile on SmartOS
>>> 
>>> The call to sendfile on SmartOS can fail with EOPNOTSUPP. This is a valid 
>>> error
>>> code and documented in the man page. This error code needs to be handled or
>>> else dovecot will retry the sendfile call endlessly and hang.
>> 
>> Committed .. However, I think a more important bug is that it hangs.
>> It's definitely not supposed to hang. Which process was it that was
>> hanging? How can I reproduce that? I can only get it to disconnect the
>> IMAP client.
> 
> 
> Thanks!
> 
> It was the managesieve process that was hanging.
> To trigger it we used sieve-connect [1] like this:
>   sieve-connect -u d...@example.com mailbox.example.com

Thanks. I did find a bug in Pigeonhole with this when issuing a GET command :)

Also I see now why it's looping, more or less. sendfile() is still indicating 
that it's sending some data (by updating s_offset) even though it's returning a 
failure. I wonder if reverting the earlier EOPNOTSUPP change and applying this 
patch causes it to assert-crash instead of going to infinite loop? 
http://hg.dovecot.org/dovecot-2.2/rev/f6dd24658fb1
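
The failure mode discussed in this thread, as an added sketch that is not Dovecot's code: a sendfile-like call that fails with EOPNOTSUPP while still moving the offset, driven first by a caller that retries every failure and then by one that classifies errno. The function names, the fake calls and the choice to fall back on "not supported" codes are assumptions of this example.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>

/* A sendfile-like call: returns bytes sent, or -1 with errno set. It is
   passed in as a pointer so the failure can be simulated offline. */
typedef ssize_t (*sendfile_fn)(int out_fd, int in_fd, off_t *offset, size_t count);

enum action  { ACT_RETRY, ACT_FALLBACK, ACT_FATAL };
enum outcome { SEND_DONE, SEND_FALLBACK, SEND_FAILED, SEND_STALLED };

/* What an errno from the call means for the caller. Treating the "not
   supported" codes as a cue to fall back is this example's assumption. */
static enum action classify_sendfile_errno(int err)
{
    if (err == EINTR || err == EAGAIN)
        return ACT_RETRY;                 /* transient */
    if (err == EINVAL || err == ENOSYS || err == EAFNOSUPPORT || err == EOPNOTSUPP)
        return ACT_FALLBACK;              /* not usable for this fd pair */
    return ACT_FATAL;                     /* EPIPE, EIO, ... */
}

/* Constructed stand-in for the reported behaviour: the call fails with
   EOPNOTSUPP yet still moves the offset forward. */
static ssize_t fake_unsupported(int out_fd, int in_fd, off_t *offset, size_t count)
{
    (void)out_fd; (void)in_fd; (void)count;
    *offset += 16;
    errno = EOPNOTSUPP;
    return -1;
}

/* Constructed stand-in for a working call: at most 64 bytes per call. */
static ssize_t fake_working(int out_fd, int in_fd, off_t *offset, size_t count)
{
    size_t n = count < 64 ? count : 64;
    (void)out_fd; (void)in_fd;
    *offset += (off_t)n;
    return (ssize_t)n;
}

/* Naive caller: every failure is retried. max_calls only bounds the demo;
   without it the loop never ends. Returns the number of calls made. */
static int naive_send(sendfile_fn fn, size_t total, int max_calls)
{
    size_t sent = 0;
    int calls = 0;
    while (sent < total && calls < max_calls) {
        off_t off = (off_t)sent;
        ssize_t r = fn(1, 0, &off, total - sent);
        calls++;
        if (r > 0)
            sent += (size_t)r;
        /* r < 0: errno is never inspected, so the call is repeated */
    }
    return calls;
}

/* Careful caller: progress is counted from the return value only (the
   offset is a scratch copy each round), errno is classified, and
   consecutive transient failures are capped. */
static enum outcome careful_send(sendfile_fn fn, size_t total,
                                 size_t *sent_out, int *calls_out)
{
    enum { MAX_STALLS = 8 };
    size_t sent = 0;
    int calls = 0, stalls = 0;
    enum outcome res = SEND_DONE;

    while (sent < total) {
        off_t off = (off_t)sent;
        ssize_t r = fn(1, 0, &off, total - sent);
        calls++;
        if (r > 0) { sent += (size_t)r; stalls = 0; continue; }
        if (r == 0) { res = SEND_FAILED; break; }   /* source ended early */
        enum action a = classify_sendfile_errno(errno);
        if (a == ACT_RETRY && ++stalls <= MAX_STALLS)
            continue;
        res = (a == ACT_FALLBACK) ? SEND_FALLBACK
            : (a == ACT_FATAL)    ? SEND_FAILED : SEND_STALLED;
        break;
    }
    *sent_out = sent;
    *calls_out = calls;
    return res;
}

int main(void)
{
    size_t sent;
    int calls;
    printf("naive: %d calls, nothing sent\n", naive_send(fake_unsupported, 200, 1000));
    enum outcome o = careful_send(fake_unsupported, 200, &sent, &calls);
    printf("careful: outcome=%d calls=%d sent=%zu\n", (int)o, calls, sent);
    o = careful_send(fake_working, 200, &sent, &calls);
    printf("working: outcome=%d calls=%d sent=%zu\n", (int)o, calls, sent);
    return 0;
}
```

On SEND_FALLBACK a real caller would switch to a read/write copy starting at the last byte it counted itself, not at the offset the failed call left behind.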


Re: [Dovecot] dsync replication errors

2015-09-07 Thread Timo Sirainen
On 08 Sep 2015, at 01:16, Gedalya  wrote:
> 
> On 02/17/2013 03:21 AM, Timo Sirainen wrote:
>> Although there's still some mail
>> duplication problem with maildir that doesn't log any errors about it.
>> I'm not sure why that happens.
> 
> While you're around, Timo :-)
> 
> I've had such an issue recently with 2.2.18, using Maildir, where emails were 
> being replicated circularly creating more and more duplicate copies.
> Replication should have been unidirectional in reality since changes were 
> being made on one side only.
> Nothing coherent was being logged. Only "Warning: Maildir 
> /srv/mail/domains/.../Maildir: Expunged message reappeared, giving a new UID 
> .. " appearing on the receiving side.
> Is there any intelligence on the matter, or should I isolate this down and 
> report it from scratch?

dsync bugs usually take a lot of time to debug. Unless there's an easily 
reproducible way to break it, I try to avoid spending time on it. Also in this 
case the bug might be in Maildir code instead of dsync code.


Re: Is it a bug when you move mail between namespaces....

2015-09-07 Thread Larry Rosenman
should fts_autoindex handle that case?


On Mon, Sep 7, 2015 at 5:00 PM, Timo Sirainen  wrote:

> On 09/08/2015 12:56 AM, Larry Rosenman wrote:
> > that the fts data gets lost?
>
> All full text search backends are now implemented so that if you
> copy/move mails, the mails need to be indexed again in the destination folder.
>
> Alternative would be to index mails only with their GUIDs and have a
> GUID => { folder GUID, IMAP UID } mapping and filter the mails based on
> that. But such reverse index doesn't exist quite yet.
>



-- 
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 (c) E-Mail: larry...@gmail.com
US Mail: 7011 W Parmer Ln, Apt 1115, Austin, TX 78729-6961


Re: Dovecot and IPA

2015-09-07 Thread Kanwar Ranbir Sandhu
On Mon, 2015-09-07 at 23:15 +0200, Benny Pedersen wrote:
> change password before debug logs
> 
> then run debug
> 
> change password
> 
> paste it
> 
> is safe

Here's the in rawlog:

1441680001.046492 B1 AUTHENTICATE GSSAPI
1441680001.051720 
1441680001.087279 
1441680001.087982 BQQE/wAMFP2szwH///9yYW5iaXKB/Devj+/oz2utdNs=

Here's the out rawlog:

144168.950204 * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LOGINDISABLED AUTH=GSSAPI] Dovecot ready.
1441680001.049592 + 
1441680001.085562 +
YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRv03ycmqWKFL9
foDag8BqF5je64ekOG0UCpcDfT4v3ZwNLLhZL/Fo0THb+xD09LJcGM2AtTzRMFFV8V7YHSV
L1q+/X9exo0mxU6tMeHmXhMDq71PDcqB5zKdCpTmhakqny5x/vLM47xlnzj+oqwgnY
1441680001.087338 + BQQF/wAMJbP26AH///8IAt4FH+6nauwY4Oc=
1441680001.096713 B1 NO [UNAVAILABLE] Temporary authentication
failure. [mailman02.theinside.rnr:2015-09-08 02:40:01]
1441680001.096726 * OK Waiting for authentication process to respond..


Ranbir

-- 
Kanwar R.S. Sandhu


Is it a bug when you move mail between namespaces....

2015-09-07 Thread Larry Rosenman
that the fts data gets lost?

doveconf -n attached

-- 
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 (c) E-Mail: larry...@gmail.com
US Mail: 7011 W Parmer Ln, Apt 1115, Austin, TX 78729-6961


doveconf.ler.out
Description: Binary data


Re: How to "Windows Authenticate"

2015-09-07 Thread Mark Foley
Comments interspersed with yours ...

--Mark

-Original Message-
> Date: Sun, 06 Sep 2015 20:00:11 -0500
> From: Rick Romero 
> To: dovecot@dovecot.org
> Subject: Re: How to "Windows Authenticate"
>
>   Hmm.  I would expect to see 'm...@hprs.com'.  Whatever your full domain
> name is.

Full user@domain would be mark@hprs.local

> It also won't look up /etc/shadow - Samba is doing the AD->Unix UID
> mapping.  Your AD users shouldn't be in there when all is said and done. 

I was thinking this too.  I don't know why NTLM would need a userdb at all.  It
should just use something like ntlm_auth (which is configured in
auth_winbind_helper).

What if I simply removed the userdb?  What would you recommend for userdb, 
passdb?

> Well, at when I did a Samba4 install as a DC it still behaved like a Samba3
> member, and there were no AD users in the local unix passwd files.
>
> What does wbinfo -u provide?  It should list all your users - especially
> because it's a DC.  Whatever wbinfo -u shows, you may need to adjust
> another config file to match what Dovecot is receiving. 

$ wbinfo -u

Administrator
Guest
krbtgt
dns-mail
mark
sogo
**arr
**ress
**mith
**nee
**ris
**atterson
**armaine
**tkeson
**mmitoh

These are all the AD users (most obfuscated for a bit of security). I am testing
with user mark.

>
> I assume /etc/nsswitch.conf has been modified to use Samba?
>

Unless the Samba provision did something to nsswitch, I've done nothing; nor
have I seen anything in the Samba or dovecot wikis suggesting changes.  Remember
also that the Samba4 AD/DC works perfectly with redirected folders and users
logging on to any Windows workstations, and works perfectly with things wanting
"Windows Authentication" like SQLserver, so the "Windows Authentication" does
work at some level.  My /etc/nsswitch.conf is:

passwd:         compat
group:          compat

hosts:          files dns
networks:       files

services:       files
protocols:      files
rpc:            files
ethers:         files
netmasks:       files
netgroup:       files
bootparams:     files

automount:      files
aliases:        files

> Sorry I haven't done this, but it doesn't seem like anyone else has either
> - so I'm just shooting in the dark here trying to get you steered in the
> right direction...
>
> Rick

Yeah, I can't seem to find a soul on the planet who has actually done this. If I
get it figured out I'll post with a suggestion to Timo to wiki-ize it.

I'm a bit puzzled that no one appears to have done this. I would think that a
Samba4 AD/DC in an office environment with lots of Windows workstations running
Outlook would be about the most common environment there is; especially now that
Small Business Server is no longer sold and Server Essentials does not support
Exchange. What are all the SBS/Exchange/Outlook small businesses doing? Limping
along with SBS2008/11, or putting their email in Outlook.com? Seems like the
Samba4/dovecot/Outlook combo would be an ideal migration.

I appreciate your help.

>
> Quoting Mark Foley :
>
> > More info ...
> >
> > My dovecot error log shows:
> >
> > Sep 05 16:45:19 auth: Debug: client in: AUTH    1       NTLM    service=imap
> > Sep 05 16:45:19 auth: Debug: client passdb out: OK      1       user=mark@hprs  original_user=mark@HPRS
> > Sep 05 16:45:19 auth: Debug: master in: REQUEST 998899713       10219   1       f56352c207cb8f6dea4d264b2c0f8dc1        session_pid=10220       request_auth_token
> > Sep 05 16:45:19 auth-worker(5498): Debug: shadow(mark@hprs,192.168.0.58): lookup
> > Sep 05 16:45:19 auth-worker(5498): Info: shadow(mark@hprs,192.168.0.58): unknown user
> > Sep 05 16:45:19 auth: Debug: master userdb out: NOTFOUND        998899713
> >
> > whereas the successful 'plain login' config'ed mechanism (before adding
> > NTLM
> > config) have:
> >
> > Sep 06 20:27:38 auth-worker(18616): Debug: shadow(mark,104.6.249.210):
> > lookup
> >
> > The failed ntlm look-up is looking up user mark@hprs in shadow, which it
> > doesn't
> > find. Is there a way to strip the "@hprs" bit from the user so it can
> > find the
> > correct entry in /etc/shadow? That might fix the problem.
> >
> > --Mark
> >
> > -Original Message-
> > From: Mark Foley 
> > Date: Sat, 05 Sep 2015 17:12:50 -0400
> > To: dovecot@dovecot.org
> > Subject: Re: How to "Windows Authenticate"
> >
> > Rick et al,
> >
> > The link you gave was a start, but is targeted for Samba3 and is
> > assuming a
> > probably Windows [SBS]Server AD/DC separate from the DC hosting dovecot,
> > and
> > includes setting up kerberos.
> >
> > I'm using a Samba4 AD/DC with integrated kerberos (so I don't think
> > there is any
> > setup I can do there).  Nevertheless I've followed the instructions
> > otherwise;
> > specifically adding to 10-auto.conf the following recommended lines:
> >
> > auth_use_winbind = yes
> > auth_winbind_helper_path = /usr/bin/ntlm_auth
> > 

Re: Dovecot and IPA

2015-09-07 Thread Kanwar Ranbir Sandhu
On Mon, 2015-09-07 at 20:37 +0300, Timo Sirainen wrote:
> It says "tried to use unsupported auth mechanism". In your later mail
> you say that telnet shows AUTH=GSSAPI in capabilities. So that would
> mean that the client isn't using AUTHENTICATE GSSAPI but something
> else.

I'd been considering that perhaps my version of Evolution was too old,
so I upgraded from Fedora 20 to Fedora 22: still doesn't work. :/

> Set auth_debug=yes and/or see what the client actually does by
> enabling pre-login rawlog: http://wiki2.dovecot.org/Debugging/Rawlog

Alright, I enabled it. I have some logs, but I'm not clear on what I
should and shouldn't include here. Can I just copy and paste both in
and out logs verbatim without inadvertently giving up my passwords or
something??

Regards,

Ranbir

-- 
Kanwar R.S. Sandhu


Re: NOTIFY regression: 2.18 no longer notifies of events in INBOX

2015-09-07 Thread Timo Sirainen
Fixed:

http://hg.dovecot.org/dovecot-2.2/rev/fa979ccfa34c
http://hg.dovecot.org/dovecot-2.2/rev/f600285c3df2

On 07/26/2015 06:50 PM, Guilhem Moulin wrote:
> Here is an example with APPEND
> 
> $ /usr/lib/dovecot/imap
> S1: * PREAUTH [CAPABILITY IMAP4rev1 … MOVE NOTIFY SPECIAL-USE] Logged in 
> as guilhem
> C1: a1 NOTIFY SET (INBOXES (MessageNew MessageExpunge FlagChange))
> S1: a1 OK NOTIFY completed (0.000 secs)
> 
> $ /usr/lib/dovecot/imap
> S2: * PREAUTH [CAPABILITY IMAP4rev1 … MOVE NOTIFY SPECIAL-USE] Logged in 
> as guilhem
> C2: a2 APPEND INBOX {1+}
> C2: x
> S2: a2 OK [APPENDUID 1384472528 26085] Append completed (0.229 secs).
> 
> With 2.13 from Debian Jessie, S1 sends a notification for the new
> message in INBOX, as expected:
> 
> S1: * STATUS INBOX (MESSAGES 4333 UIDNEXT 26086 UNSEEN 1)
> 
> However it doesn't with 2.18 from Debian Sid, as if ‘INBOX’ was excluded
> from the mailbox filter ‘INBOXES’.  It does send a notification for
> ‘virtual/unseen’ instead (as expected), but nothing for ‘INBOX’.
> 
> S1: * STATUS virtual/unseen (MESSAGES 3 UIDNEXT 15186 UNSEEN 3)
> 
> This is INBOX-specific because APPENDING the message to another mailbox
> triggers the notification on both 2.13 and 2.18 as expected:
> 
> S1: * STATUS test (MESSAGES 2 UIDNEXT 3 UNSEEN 2)
> S1: * STATUS virtual/unseen (MESSAGES 2 UIDNEXT 15195 UNSEEN 2)
> 
> I attach the ‘dovecot -n’ output for both 2.13 and 2.18.
> 


Re: bug in acl_defaults_from_inbox option

2015-09-07 Thread Timo Sirainen
On 07/28/2015 06:13 PM, Marco Giunta wrote:
> Hi at all,
> there is a bug in acl_defaults_from_inbox option: if you define it
> with ANY value ('yes', 'no', 'whatyouwant', 'xxx') it acts like the
> value is ALWAYS 'yes', and Dovecot enables it; the only way to disable
> it is to comment it out or delete it from the configuration file.
> 
> With 'acl_defaults_from_inbox = no', or 'acl_defaults_from_inbox =
> whatyouwant', all my folders get ACLs from INBOX; in my case I want to
> only share INBOX, but also all other folders were shared.

This happens to all boolean settings inside plugin {}. Not ideal, but
also not something that will get fixed without some larger settings code
changes.
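
A small audit for the behaviour described above, added here as an example and not taken from Dovecot: it scans doveconf-style text and reports every setting inside `plugin { }` whose value reads like "off", since per this thread such a setting still counts as enabled. The function names and the sample configuration are constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_KEY 64

/* Case-insensitive string equality. */
static int ieq(const char *a, const char *b)
{
    while (*a && *b && tolower((unsigned char)*a) == tolower((unsigned char)*b)) {
        a++;
        b++;
    }
    return *a == '\0' && *b == '\0';
}

/* Trim leading and trailing whitespace in place. */
static char *trim(char *s)
{
    while (isspace((unsigned char)*s))
        s++;
    char *end = s + strlen(s);
    while (end > s && isspace((unsigned char)end[-1]))
        end--;
    *end = '\0';
    return s;
}

/* Presence-only reading, matching the reported behaviour: the setting is
   on as soon as it exists, whatever its value says. */
static int enabled_by_presence(const char *value)
{
    return value != NULL;
}

/* Values an administrator would write to switch a setting off. */
static int looks_negative(const char *value)
{
    static const char *const neg[] = { "no", "false", "off", "0" };
    for (size_t i = 0; i < sizeof(neg) / sizeof(neg[0]); i++)
        if (ieq(value, neg[i]))
            return 1;
    return 0;
}

/* Walk the configuration line by line; inside plugin { } store the key of
   every setting whose value looks negative. Returns the number stored. */
static int audit_plugin_negatives(const char *conf, char keys[][MAX_KEY], int max_keys)
{
    int found = 0, in_plugin = 0;
    char line[256];

    while (*conf != '\0') {
        size_t len = strcspn(conf, "\n");
        size_t n = len < sizeof(line) - 1 ? len : sizeof(line) - 1;
        memcpy(line, conf, n);
        line[n] = '\0';
        conf += len;
        if (*conf == '\n')
            conf++;

        char *s = trim(line);
        if (*s == '\0' || *s == '#')
            continue;
        if (!in_plugin) {
            if (ieq(s, "plugin {"))
                in_plugin = 1;
            continue;
        }
        if (strcmp(s, "}") == 0) {
            in_plugin = 0;
            continue;
        }
        char *eq = strchr(s, '=');
        if (eq == NULL)
            continue;
        *eq = '\0';
        char *key = trim(s);
        char *val = trim(eq + 1);
        if (looks_negative(val) && found < max_keys) {
            strncpy(keys[found], key, MAX_KEY - 1);
            keys[found][MAX_KEY - 1] = '\0';
            found++;
        }
    }
    return found;
}

/* Constructed sample: only the plugin { } entry should be reported. */
static const char SAMPLE_CONF[] =
    "namespace inbox {\n"
    "  inbox = yes\n"
    "}\n"
    "plugin {\n"
    "  acl = vfile\n"
    "  acl_defaults_from_inbox = no\n"
    "  quota = maildir:User quota\n"
    "}\n"
    "ssl = no\n";

int main(void)
{
    char keys[8][MAX_KEY];
    int n = audit_plugin_negatives(SAMPLE_CONF, keys, 8);
    for (int i = 0; i < n; i++)
        printf("plugin setting '%s' is set to a negative value but still "
               "counts as enabled; remove the line to disable it\n", keys[i]);
    return 0;
}
```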


Re: Dovecot and IPA

2015-09-07 Thread Benny Pedersen

Kanwar Ranbir Sandhu wrote on 2015-09-07 22:58:

> Alright, I enabled it. I have some logs, but I'm not clear on what I
> should and shouldn't include here. Can I just copy and paste both in
> and out logs verbatim without inadvertently giving up my passwords or
> something??

change password before debug logs

then run debug

change password

paste it

is safe


Re: charset-iconv.c panic

2015-09-07 Thread Timo Sirainen
On 07/29/2015 04:02 PM, mihaiush wrote:
> Hi,
> 
> I have a mailbox where indexing fails with the following error:
> 
> # /opt/dovecot2/bin/doveadm -c /tmp/dovecot.conf -o
> mail_location=/tmp/skesselring index '*'
> doveadm(root): Panic: file charset-iconv.c: line 132 (charset_to_utf8):
> assertion failed: (*src_size - pos <= CHARSET_MAX_PENDING_BUF_SIZE)

Is it possible for you to send the broken mail to me? Otherwise it would
be pretty difficult to figure out how to fix this.

Also applying this patch would make it a bit clearer where the problem
is: http://hg.dovecot.org/dovecot-2.2/rev/9fdbb3b220ec

> ctx = {mail = 0x23639b0, update_ctx = 0x2355980, content_type =
> 0x2371540 "text/*", content_disposition = 0x2371fa0 "attachment;
> filename=\"PTT-20141109-WA0001.amr\"", body_parser = 0x23832a0, word_buf =

So the problem is with indexing an attachment called "PTT-20141109
WA0001.amr".


Re: RFC 5465 (NOTIFY) violation: missing HIGHESTMODSEQ in initial STATUS responses

2015-09-07 Thread Timo Sirainen
Oh, and this was also fixed a week ago:
http://hg.dovecot.org/dovecot-2.2/rev/238a34ad1ab0

On 07/19/2015 08:40 PM, Guilhem Moulin wrote:
> Quoting RFC 5465 (NOTIFY):
> 
>“If the NOTIFY command enables MessageNew, MessageExpunge,
> AnnotationChange, or FlagChange notifications for a mailbox other
> than the currently selected mailbox, and the client has specified
> the STATUS indicator parameter, then the server MUST send a STATUS
> response for that mailbox before NOTIFY's tagged OK. […]
> If either AnnotationChange or FlagChange are included and
> the server also supports the CONDSTORE [RFC4551] and/or QRESYNC
> [RFC5162] extensions, the STATUS response MUST contain UIDVALIDITY
> and HIGHESTMODSEQ.” —
> https://tools.ietf.org/html/rfc5465#section-3.1
> 
> While unsolicited STATUS responses include HIGHESTMODSEQ indeed, the initial
> STATUS responses (caused by the presence of the STATUS indicator) do not:
> 
> ~$ /usr/lib/dovecot/imap
> * PREAUTH [CAPABILITY IMAP4rev1 … CONDSTORE QRESYNC … NOTIFY SPECIAL-USE] 
> Logged in as guilhem
> a ENABLE QRESYNC
> * ENABLED QRESYNC
> a OK Enabled (0.000 secs).
> b NOTIFY SET STATUS (SUBSCRIBED (MessageNew MessageExpunge FlagChange))
> * STATUS INBOX (MESSAGES 9069 UIDNEXT 109398 UIDVALIDITY 1312585007 
> UNSEEN 0)
> […]
> b OK NOTIFY completed (0.008 secs).
> [time passes… a new message is delivered to INBOX]
> * STATUS INBOX (MESSAGES 9070 UIDNEXT 109399 UNSEEN 1 HIGHESTMODSEQ 22216)
> 
> This defeats the purpose of the STATUS indicator for disconnected
> clients since they have to issue separate STATUS commands (or a LIST
> command if LIST-{EXTENDED,STATUS} have been advertized) to find out
> which mailboxes have got a new HIGHESTMODSEQ.
> 
> Cheers,
> 
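
The check described in the report above, written as an added example (it is not part of the original thread or of Dovecot): it scans a recorded IMAP session and flags initial STATUS responses that lack the items RFC 5465 section 3.1 requires. The names `check_initial_status` and `SESSION` are hypothetical, and the session text is constructed from the quoted transcript with its line wraps removed.

```python
import re

# Constructed session, modelled on the transcript quoted above (line wraps removed).
SESSION = """\
* PREAUTH [CAPABILITY IMAP4rev1 CONDSTORE QRESYNC NOTIFY SPECIAL-USE] Logged in as guilhem
a ENABLE QRESYNC
* ENABLED QRESYNC
a OK Enabled (0.000 secs).
b NOTIFY SET STATUS (SUBSCRIBED (MessageNew MessageExpunge FlagChange))
* STATUS INBOX (MESSAGES 9069 UIDNEXT 109398 UIDVALIDITY 1312585007 UNSEEN 0)
b OK NOTIFY completed (0.008 secs).
* STATUS INBOX (MESSAGES 9070 UIDNEXT 109399 UNSEEN 1 HIGHESTMODSEQ 22216)
""".splitlines()

NOTIFY_RE = re.compile(r"^(\S+) NOTIFY SET STATUS (.*)$", re.I)
STATUS_RE = re.compile(r'^\* STATUS ("[^"]*"|\S+) \((.*)\)\s*$', re.I)
REQUIRED = {"UIDVALIDITY", "HIGHESTMODSEQ"}


def check_initial_status(lines):
    """Return [(mailbox, missing_items)] for initial STATUS responses that lack
    the required items; unsolicited ones after the tagged OK are ignored."""
    modseq_capable = False   # server advertised CONDSTORE and/or QRESYNC
    tag = None               # tag of the NOTIFY command still in progress
    needs_modseq = False     # FlagChange or AnnotationChange was requested
    violations = []
    for line in lines:
        upper = line.upper()
        if line.startswith("*") and "CAPABILITY" in upper:
            words = set(re.findall(r"[\w-]+", upper))
            modseq_capable = bool({"CONDSTORE", "QRESYNC"} & words)
        m = NOTIFY_RE.match(line)
        if m:
            tag = m.group(1)
            needs_modseq = bool(re.search(r"FLAGCHANGE|ANNOTATIONCHANGE", m.group(2), re.I))
            continue
        if tag and line.startswith(tag + " "):   # tagged completion ends the initial batch
            tag = None
            continue
        s = STATUS_RE.match(line)
        if s and tag and needs_modseq and modseq_capable:
            items = set(s.group(2).upper().split()[::2])   # names alternate with values
            missing = sorted(REQUIRED - items)
            if missing:
                violations.append((s.group(1), missing))
    return violations


if __name__ == "__main__":
    print(check_initial_status(SESSION))
```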


Re: "NOTIFY SET (mailboxes INBOX (...))" crashes the IMAP client

2015-09-07 Thread Timo Sirainen
On 07/26/2015 07:00 PM, Guilhem Moulin wrote:
> On Sun, 19 Jul 2015 at 19:21:16 +0200, Guilhem Moulin wrote:
>> The "subtree" mailbox filter has the same problem, but the
>> non-parameterized ones ("inboxes", "personal" and "subscribed") work
>> fine.
> 
> Actually there are further problems with the INBOX namespace, to which I'm
> subscribed:
> 
> $ /usr/lib/dovecot/imap
> S1: * PREAUTH [CAPABILITY IMAP4rev1 … MOVE NOTIFY SPECIAL-USE] Logged in 
> as guilhem
> C1: a1 LIST "" (INBOX TRASH) RETURN (SUBSCRIBED)
> S1 * LIST (\Subscribed \UnMarked) "/" TRASH
> S1 * LIST (\Subscribed) "/" INBOX
> S1: a1 OK List completed (0.003 secs).
> C1: b1 NOTIFY SET (SUBSCRIBED (MessageNew MessageExpunge FlagChange))
> S1: b1 OK NOTIFY completed (0.002 secs).
> 
> $ /usr/lib/dovecot/imap
> S2: * PREAUTH [CAPABILITY IMAP4rev1 … MOVE NOTIFY SPECIAL-USE] Logged in 
> as guilhem
> C2: a2 APPEND INBOX {1+}
> C2: x
> S2: a2 OK [APPENDUID 1384472528 26087] Append completed (0.008 secs).
> 
> This crashes S1 as well:
> 
> S1: imap(guilhem): Panic: file mail-storage.c: line 1511 
> (mailbox_is_subscribed): assertion failed: (box->list->subscriptions != NULL)

Fixed: http://hg.dovecot.org/dovecot-2.2/rev/73acc7075146


Re: question on autch cache parameters

2015-09-07 Thread Timo Sirainen
Fixed: http://hg.dovecot.org/dovecot-2.2/rev/b7f7ad2bc4d0

> On 05 Aug 2015, at 17:30, matthias lay wrote:
> 
> Hi list,
> 
> I have a question on auth caching in 2.2.18.
> 
> I am using acl_groups for a master user, appended in a static userdb file
> 
> # snip ###
> master@uma:{SHA}=::userdb_acl_groups=umareadmaster
> allow_nets=127.0.0.1
> # snap ###
> 
> and use this group in a global ACL file.
> I discovered this only works on first NOT-cached login
> 
> 
> 
> environment in imap-postlogin script on first login:
> 
> 
> AUTH_TOKEN=e96b5a32ceb2cafc4460c210ad2e92e3d7ab388c
> MASTER_USER=master@uma
> SPUSER=private/pdf
> LOCAL_IP=127.0.0.1
> USER=pdf
> AUTH_USER=master@uma
> PWD=/var/run/dovecot
> USERDB_KEYS=ACL_GROUPS HOME SPUSER MASTER_USER AUTH_TOKEN AUTH_USER
> SHLVL=1
> HOME=/var/data/vmail/private/pdf
> ACL_GROUPS=umareadmaster
> IP=127.0.0.1
> _=/usr/bin/env
> 
> 
> on the second cached login it looks like this
> 
> 
> AUTH_TOKEN=12703b11932f233520f6d4b33559c33aeb1cfc7f
> MASTER_USER=master@uma
> SPUSER=private/pdf
> LOCAL_IP=127.0.0.1
> USER=pdf
> AUTH_USER=master@uma
> PWD=/var/run/dovecot
> USERDB_KEYS=HOME SPUSER MASTER_USER AUTH_TOKEN AUTH_USER
> SHLVL=1
> HOME=/var/data/vmail/private/pdf
> IP=127.0.0.1
> _=/usr/bin/env
> 
> so the ACL_GROUPS is gone.
> 
> is this intended to be like that?
> so groups not included in cache and I have to find another approach?
> 
> anybody else encountered similar problems with some auth Variables and
> caching?
> 
> 
> Greetz Matze


Re: Dovecot and IPA

2015-09-07 Thread Benny Pedersen

Peter Chiochetti wrote on 2015-09-07 20:21:

>> dovecot is built with security in mind...
>> using name-based gid or uid is not secure
>> it might just still work, but it's not secure
>
> Benny, where did you learn all this?

not here, since no one cares :)

time for my own coffee break after a long day


Re: [Patch] Fix hang in safe_sendfile on SmartOS

2015-09-07 Thread Timo Sirainen
On 07/16/2015 06:03 PM, Sebastian Wiedenroth wrote:
> Fix hang in safe_sendfile on SmartOS
> 
> The call to sendfile on SmartOS can fail with EOPNOTSUPP. This is a valid error
> code and documented in the man page. This error code needs to be handled or
> else dovecot will retry the sendfile call endlessly and hang.

Committed .. However, I think a more important bug is that it hangs.
It's definitely not supposed to hang. Which process was it that was
hanging? How can I reproduce that? I can only get it to disconnect the
IMAP client.


Re: How to "Windows Authenticate"

2015-09-07 Thread Rick Romero

Hmm.  I would expect to see 'm...@hprs.com'.  Whatever your full domain
name is.

It also won't look up /etc/shadow - Samba is doing the AD->Unix UID
mapping.  Your AD users shouldn't be in there when all is said and done.
Well, at least when I did a Samba4 install as a DC it still behaved like a Samba3
member, and there were no AD users in the local unix passwd files.

What does wbinfo -u provide?  It should list all your users - especially
because it's a DC.  Whatever wbinfo -u shows, you may need to adjust
another config file to match what Dovecot is receiving.

I assume /etc/nsswitch.conf has been modified to use Samba?

Sorry I haven't done this, but it doesn't seem like anyone else has either
- so I'm just shooting in the dark here trying to get you steered in the
right direction...

Rick

Quoting Mark Foley:


More info ...

My dovecot error log shows:

Sep 05 16:45:19 auth: Debug: client in: AUTH    1    NTLM    service=imap
Sep 05 16:45:19 auth: Debug: client passdb out: OK    1    user=mark@hprs    original_user=mark@HPRS
Sep 05 16:45:19 auth: Debug: master in: REQUEST    998899713    10219    1    f56352c207cb8f6dea4d264b2c0f8dc1    session_pid=10220    request_auth_token
Sep 05 16:45:19 auth-worker(5498): Debug: shadow(mark@hprs,192.168.0.58): lookup
Sep 05 16:45:19 auth-worker(5498): Info: shadow(mark@hprs,192.168.0.58): unknown user
Sep 05 16:45:19 auth: Debug: master userdb out: NOTFOUND    998899713

whereas the successful 'plain login' config'ed mechanism (before adding NTLM
config) have:

Sep 06 20:27:38 auth-worker(18616): Debug: shadow(mark,104.6.249.210): lookup

The failed ntlm look-up is looking up user mark@hprs in shadow, which it doesn't
find. Is there a way to strip the "@hprs" bit from the user so it can find the
correct entry in /etc/shadow? That might fix the problem.

--Mark

-Original Message-
From: Mark Foley 
Date: Sat, 05 Sep 2015 17:12:50 -0400
To: dovecot@dovecot.org
Subject: Re: How to "Windows Authenticate"

Rick et al,

The link you gave was a start, but is targeted for Samba3 and is assuming a
probably Windows [SBS]Server AD/DC separate from the DC hosting dovecot, and
includes setting up kerberos.

I'm using a Samba4 AD/DC with integrated kerberos (so I don't think there is any
setup I can do there).  Nevertheless I've followed the instructions otherwise;
specifically adding to 10-auto.conf the following recommended lines:

auth_use_winbind = yes
auth_winbind_helper_path = /usr/bin/ntlm_auth
mechanisms = plain ntlm login

(Before, my 'mechanisms' were only plain and login). /usr/bin/ntlm_auth has
global r/w privilege.

I did not specify the static userdb since these users are configured in
/etc/passwd and I thought that would work; example given in link (could that be
an issue?):

userdb static {
  args= uid=501 gid=501 home=/home/vmail/%1Ln/%Ln
  mail=maildir:/home/vmail/%d/%1Ln/%Ln:INBOX=/home/vmail/%d/%1Ln/%Ln
  allow_all_users=yes
}

This didn't work. Also, existing, working Outlook connections using 'logon'
(i.e. the userID and PW are configured in Outlook) stopped working.

I changed a test Outlook client to check the 'Request login using Secure
Password Authentication (SPA)' and also checked: More Settings > Outgoing
Server > 'My outgoing server (SMTP) requires authentication' and 'Use same
settings as my incoming mail server'.  Note that on the "Change Account" dialog
(where the SPA checkbox is) the 'User Name' and 'Password' retained their values
and were not grayed out as I would have expected if using AD authentication.

After doing the above and clicking 'Test Account Settings' I was re-prompted to
enter a password - also not expected. At bottom are the Dovecot log message I
received after doing the 'Test Account Settings'.

Surely, connecting from an Outlook client to Dovecot on a Samba4 AD/DC should be
a very common implementation. Has someone done this successfully?

Immediately below is my doveconf -n and below that the dovecot log messages.


doveconf -n


# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain ntlm login
auth_use_winbind = yes
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
driver = shadow
}
protocols = imap
ssl_cert = 
NTLM    service=imap    session=HXssGAYf0ADAqAA6    lip=192.168.0.2    rip=192.168.0.58    lport=143    rport=52944
Sep 05 16:45:19 auth: Debug: client passdb out: CONT    1
Sep 05 16:45:19 auth: Debug: client passdb out: OK    1    user=mark@hprs    original_user=mark@HPRS
Sep 05 16:45:19 auth: Debug: master in: REQUEST    998899713    10219    1    f56352c207cb8f6dea4d264b2c0f8dc1    session_pid=10220    request_auth_token
Sep 05 16:45:19 auth-worker(5498): Debug:

Re: Dovecot and IPA

2015-09-07 Thread Peter Chiochetti

On 2015-09-07 at 19:47, Benny Pedersen wrote:
> Kanwar Ranbir Sandhu wrote on 2015-09-07 19:29:
>
>> I tried it for shits and giggles: no change. :( I'm still seeing the
>> same problem.
>
> dovecot is built with security in mind...
>
> using name-based gid or uid is not secure
>
> it might just still work, but it's not secure

Benny, where did you learn all this?

--
peter


Re: Dovecot 2.2.18 Panic: file index-mail-binary.c

2015-09-07 Thread Timo Sirainen
On 28 Jul 2015, at 10:12, Michael Borgelt wrote:
> 
> Hi,
> I got the following in my dovecot logs on a particular email message with
> dovecot-imap.
> 
> ---snip---
> Jul 28 08:42:11 hermes dovecot: imap(mborgelt): Panic: file 
> index-mail-binary.c: line 354 (blocks_count_lines): assertion failed: (ret == 
> -1)

Not sure why this wasn't more commonly happening, but here's the fix: 
http://hg.dovecot.org/dovecot-2.2/rev/865405fce42e


Re: "NOTIFY SET (mailboxes INBOX (...))" crashes the IMAP client

2015-09-07 Thread Timo Sirainen
On 07/19/2015 08:21 PM, Guilhem Moulin wrote:
> Hi list,
> 
> The NOTIFY extension (RFC 5465) works fine for mailboxes in the "virtual/"
> namespace, but it crashes the IMAP client when used with a mailbox in
> the empty "" namespace:

Fixed: http://hg.dovecot.org/dovecot-2.2/rev/fae5feef70af

> ~$ /usr/lib/dovecot/imap
> * PREAUTH [CAPABILITY IMAP4rev1 … NOTIFY SPECIAL-USE] Logged in as guilhem
> a NAMESPACE
> * NAMESPACE (("" "/")("virtual/" "/")) NIL NIL
> a OK Namespace completed.
> b NOTIFY SET (mailboxes virtual/all (MessageNew MessageExpunge))
> b OK NOTIFY completed (0.001 secs).
> c NOTIFY SET (mailboxes INBOX (MessageNew MessageExpunge))
> imap(guilhem): Panic: file mail-namespace.c: line 679 
> (mail_namespace_find): assertion failed: (ns != NULL)
> imap(guilhem): Error: Raw backtrace: …
> Aborted
> 
> The "subtree" mailbox filter has the same problem, but the
> non-parameterized ones ("inboxes", "personal" and "subscribed") work
> fine.
> 
> You'll find the output of ‘dovecot -n’ enclosed.
> Cheers,
>