Moving Maildir folders

2016-07-15 Thread Mark Foley
Our office had a user leave.  Another user is taking over her duties and needs reference to the departing user's email.  I've copied that entire departed user's Maildir structure to the current user:

mv olduser/Maildir/.* curuser/Maildir/.olduser

I did change permission and ownership on curuser/Maildir/.olduser to be the target user. I did not bring over the olduser/Maildir/dovecot* files (indexes, subscriptions, etc.) as I thought that would be bad.

Nevertheless, the curuser cannot see this new olduser folder (which should be at the same level as Inbox, Junk Mail, etc.).  I did manually add olduser to the curuser/Maildir/subscriptions file, but still nothing.

So, what did I do wrong and how do I fix it?

THX -- Mark


doveconf -n display error for "remote"

2016-07-15 Thread Michael Fox
Upon further testing, it seems that the issue below may only be a display
bug in doveconf.  In other words, the remote filter appears to work as
configured, even though it is displayed with duplicate prefix length by
doveconf.

Is this sufficient information to report a bug or is there some other
protocol?

Michael


---

Dovecot --version:  2.2.9

I configured the following in local.conf:

remote 192.168.7.128/27 {
  ssl = no
}
remote 192.168.7.0/24 {
  ssl = yes
}


But, when I run doveconf -n, I see:

remote 192.168.7.0/24/24 {
  ssl = yes
}
remote 192.168.7.128/27/27 {
  ssl = no
}

Note the repeated network prefix length (/27/27 and /24/24).
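Michael's observation that the filter still matches despite the doubled /len/len can be checked without a mail client. This added Python script (not from the thread or from Dovecot) parses remote blocks out of a constructed doveconf -n dump printed exactly as above, tolerates the repeated prefix length, and answers the question an operator cares about: which client addresses end up with ssl = no. It assumes, as Michael's testing suggests, that the most specific (longest-prefix) block wins.

```python
import ipaddress
import re

# Constructed sample of the doveconf -n output from the thread: the display
# bug repeats the prefix length, but the filter itself works as configured.
SAMPLE = """\
remote 192.168.7.0/24/24 {
  ssl = yes
}
remote 192.168.7.128/27/27 {
  ssl = no
}
"""

BLOCK_RE = re.compile(r"remote\s+(\S+)\s*\{(.*?)\}", re.S)


def parse_remote_blocks(text):
    """Return [(network, {setting: value})], keeping only the first prefix
    length so that '192.168.7.0/24/24' is read as 192.168.7.0/24."""
    blocks = []
    for addr, body in BLOCK_RE.findall(text):
        parts = addr.split("/")
        spec = parts[0] if len(parts) == 1 else f"{parts[0]}/{parts[1]}"
        net = ipaddress.ip_network(spec, strict=False)
        settings = dict(re.findall(r"(\w+)\s*=\s*(\S+)", body))
        blocks.append((net, settings))
    return blocks


def doubled_prefixes(text):
    """Addresses printed with a repeated prefix length (the display bug)."""
    return [addr for addr, _ in BLOCK_RE.findall(text) if addr.count("/") > 1]


def effective_ssl(blocks, client_ip, default="yes"):
    """Assumed resolution rule: the longest-prefix matching remote block wins;
    a client matching no block gets the global default."""
    ip = ipaddress.ip_address(client_ip)
    best = None
    for net, settings in blocks:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, settings)
    return best[1].get("ssl", default) if best else default


def plaintext_clients(blocks, hosts, default="yes"):
    """Which of the given client addresses may log in without TLS."""
    return [h for h in hosts if effective_ssl(blocks, h, default) == "no"]
```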


RE: controlling STARTTLS by IP address

2016-07-15 Thread Michael Fox
KSB:
> Just curious, it is transferred in some RSxxx serial protocol?

The expectation is that the unencrypted traffic will be used for clients on an 
Ethernet network behind a radio operating on amateur radio frequencies 
according to FCC Part 97 rules.  The radio could be:
-- 56+kbps UHF, such as the upcoming UDRX-440 by NW Digital Radio
-- WiFi radio using BBHN or AREDN mesh software 
-- WiFi radio using commercial software, but operated under FCC Part 97 
(amateur radio) rules, instead of Part 15 (commercial/consumer) rules
-- ... or maybe something else

It won't be the bulk of our traffic, but it is important since it is part of 
the county's emergency communications plan.

I don't want to hijack this list with amateur radio stuff.  Curious hams can 
contact me off list at n6mef at mefox dot org.

Michael


Re: Doveadm error

2016-07-15 Thread aki . tuomi

> On July 12, 2016 at 4:30 PM László Károlyi wrote:
> 
> 
> Hey everyone,
> 
> I've got a weird error since I upgraded to the latest dovecot on my FreeBSD 
> box:
> 
> root@postfixjail /# doveadm quota recalc -u x...@xxx.com
> doveadm(x...@xxx.com): Error: dict-client: Commit failed: Deinit
> fish: 'doveadm quota recalc -u xxx@…' terminated by signal SIGSEGV (Address 
> boundary error)
> root@postfixjail /# dovecot --version
> 2.2.25 (7be1766)
> root@postfixjail /# dovecot -n
> # 2.2.25 (7be1766): /usr/local/etc/dovecot/dovecot.conf
> # Pigeonhole version 0.4.15 (97b3da0)
> # OS: FreeBSD 10.3-STABLE amd64
> auth_cache_negative_ttl = 0
> auth_cache_ttl = 0
> auth_mechanisms = plain login cram-md5 digest-md5
> auth_realms = flix.hu
> base_dir = /usr/local/var/run/dovecot/
> default_login_user = nobody
> dict {
>   quota = mysql:/usr/local/etc/dovecot/dovecot-dict-sql.conf.ext
>   quota_rule2 = Trash:bytes=+100M
> }
> listen = *
> login_trusted_networks = 127.0.0.0/24
> mail_location = mdbox:~/mdbox
> mail_plugins = quota
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope encoded-character 
> vacation subaddress comparator-i;ascii-numeric relational regex imap4flags 
> copy include variables body enotify environment mailbox date index ihave 
> duplicate mime foreverypart extracttext vnd.dovecot.pipe
> mdbox_rotate_size = 20 M
> namespace {
>   inbox = yes
>   location =
>   prefix =
>   separator = .
> }
> passdb {
>   args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
>   driver = sql
> }
> plugin {
>   quota = dict:User quota::proxy::quota
>   sieve = ~/.dovecot.sieve
>   sieve_dir = ~/sieve
>   sieve_extensions = +vnd.dovecot.pipe
>   sieve_pipe_bin_dir = /usr/local/etc/email-responder
>   sieve_plugins = sieve_extprograms
> }
> postmaster_address = postmas...@flix.hu
> protocols = imap pop3 lmtp sieve
> service auth {
>   unix_listener /var/spool/postfix/private/auth {
> group = postfix
> mode = 0660
> user = postfix
>   }
>   unix_listener auth-userdb {
> group = vmail
> mode = 0600
> user = vmail
>   }
> }
> service dict {
>   unix_listener dict {
> mode = 0600
> user = vmail
>   }
> }
> service imap-login {
>   process_min_avail = 3
>   service_count = 1
> }
> service managesieve-login {
>   inet_listener sieve {
> port = 4190
>   }
>   process_min_avail = 2
>   service_count = 1
> }
> service managesieve {
>   process_limit = 1024
>   process_min_avail = 2
> }
> service pop3-login {
>   process_min_avail = 3
>   service_count = 1
> }
> ssl = required
> ssl_cert =  ssl_key =  userdb {
>   driver = prefetch
> }
> userdb {
>   args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
>   driver = sql
> }
> protocol lda {
>   mail_plugins = quota sieve
> }
> protocol lmtp {
>   mail_plugins = quota sieve
> }
> protocol sieve {
>   mail_plugins = quota sieve
>   managesieve_max_line_length = 65536
> }
> protocol imap {
>   mail_max_userip_connections = 20
>   mail_plugins = quota imap_quota
> }
> protocol pop3 {
>   mail_max_userip_connections = 15
>   mail_plugins = quota
> }
> root@postfixjail /# uname -a
> FreeBSD postfixjail.xxx.com 10.3-STABLE FreeBSD 10.3-STABLE #19 r302639: Tue 
> Jul 12 13:54:21 CEST 2016 r...@flix.hu:/usr/obj/usr/src/sys/MYKERNEL  
> amd64
> 
> There seems no difference of which virtual mailbox I want dovecot to quota 
> recalculate, it always fails with this error message.
> 
> Any suggestions?
> 
> Cheers,
> --
> László Károlyi
> http://linkedin.com/in/karolyi


Hi

This bug is being fixed. 

Aki


Doveadm error

2016-07-15 Thread László Károlyi
Hey everyone,

I've got a weird error since I upgraded to the latest dovecot on my FreeBSD box:

root@postfixjail /# doveadm quota recalc -u x...@xxx.com
doveadm(x...@xxx.com): Error: dict-client: Commit failed: Deinit
fish: 'doveadm quota recalc -u xxx@…' terminated by signal SIGSEGV (Address 
boundary error)
root@postfixjail /# dovecot --version
2.2.25 (7be1766)
root@postfixjail /# dovecot -n
# 2.2.25 (7be1766): /usr/local/etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.15 (97b3da0)
# OS: FreeBSD 10.3-STABLE amd64
auth_cache_negative_ttl = 0
auth_cache_ttl = 0
auth_mechanisms = plain login cram-md5 digest-md5
auth_realms = flix.hu
base_dir = /usr/local/var/run/dovecot/
default_login_user = nobody
dict {
  quota = mysql:/usr/local/etc/dovecot/dovecot-dict-sql.conf.ext
  quota_rule2 = Trash:bytes=+100M
}
listen = *
login_trusted_networks = 127.0.0.0/24
mail_location = mdbox:~/mdbox
mail_plugins = quota
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character 
vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy 
include variables body enotify environment mailbox date index ihave duplicate 
mime foreverypart extracttext vnd.dovecot.pipe
mdbox_rotate_size = 20 M
namespace {
  inbox = yes
  location =
  prefix =
  separator = .
}
passdb {
  args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  quota = dict:User quota::proxy::quota
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
  sieve_extensions = +vnd.dovecot.pipe
  sieve_pipe_bin_dir = /usr/local/etc/email-responder
  sieve_plugins = sieve_extprograms
}
postmaster_address = postmas...@flix.hu
protocols = imap pop3 lmtp sieve
service auth {
  unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
  }
  unix_listener auth-userdb {
group = vmail
mode = 0600
user = vmail
  }
}
service dict {
  unix_listener dict {
mode = 0600
user = vmail
  }
}
service imap-login {
  process_min_avail = 3
  service_count = 1
}
service managesieve-login {
  inet_listener sieve {
port = 4190
  }
  process_min_avail = 2
  service_count = 1
}
service managesieve {
  process_limit = 1024
  process_min_avail = 2
}
service pop3-login {
  process_min_avail = 3
  service_count = 1
}
ssl = required
ssl_cert =  ssl_key =  userdb {
  driver = prefetch
}
userdb {
  args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
protocol lda {
  mail_plugins = quota sieve
}
protocol lmtp {
  mail_plugins = quota sieve
}
protocol sieve {
  mail_plugins = quota sieve
  managesieve_max_line_length = 65536
}
protocol imap {
  mail_max_userip_connections = 20
  mail_plugins = quota imap_quota
}
protocol pop3 {
  mail_max_userip_connections = 15
  mail_plugins = quota
}
root@postfixjail /# uname -a
FreeBSD postfixjail.xxx.com 10.3-STABLE FreeBSD 10.3-STABLE #19 r302639: Tue 
Jul 12 13:54:21 CEST 2016 r...@flix.hu:/usr/obj/usr/src/sys/MYKERNEL  
amd64

There seems no difference of which virtual mailbox I want dovecot to quota 
recalculate, it always fails with this error message.

Any suggestions?

Cheers,
--
László Károlyi
http://linkedin.com/in/karolyi





Re: controlling STARTTLS by IP address

2016-07-15 Thread KSB

On 2016.07.15. 11:03, Michael Fox wrote:

> I'm not a FCC lawyer, just a ham. Seems to me all you could do is "sign"
> messages and not send them if the sign isn't correct.  The package itself
> is in plain text.
>
>
> I'm not sure what the confusion or concern is.  The intention is to use
> non-plaintext (but technically not encrypted) authentication without TLS
> over ham frequencies.  Hashed challenge/response auth methods don't violate
> the FCC rules.  Of course, without TLS encryption, the auth process is not
> totally secure.  And, yes, the message itself would be in plain text.  But
> it's the best we can do given the rules.  Think of it as packet radio on
> steroids.
>
> 73,
> Michael
> N6MEF



Just curious, it is transferred in some RSxxx serial protocol?

--
KSB


RE: RE: controlling STARTTLS by IP address

2016-07-15 Thread Michael Fox


> -Original Message-
> From: dovecot [mailto:dovecot-boun...@dovecot.org] On Behalf Of Jochen
> Bern
> Sent: Friday, July 15, 2016 12:46 AM
> To: dovecot@dovecot.org
> Subject: Re: RE: controlling STARTTLS by IP address
> 
> On 07/14/2016 11:52 PM, Michael Fox wrote:
> >> Seems like your firewall could redirect to a different port that
> doesn't
> >> offer starttls.
> > Yes, of course.  But that would require multiple ports, making the
> client
> > configuration cumbersome and error-prone.
> 
> No, the multiple ports would be on the *server* side, and "the firewall"
> (which could be iptables on the server itself) would DNAT the ever-same
> *client* side ports based on the clients' IPs.
> 
> Speaking of simplifying client configuration: Please note that STARTTLS
> and "must be plaintext" aren't mutually exclusive:
> 
> $ openssl ciphers 'NULL:eNULL:!ECDH:!DH'
> NULL-SHA256:NULL-SHA:NULL-MD5
> 
> https://www.openssl.org/docs/manmaster/apps/ciphers.html#EXAMPLES
> 
> If you can get dovecot to use a different "ssl_cipher_list" per client
> subnet, instead of changing "ssl", you could keep all clients that
> support those ciphers configured so as to *require* STARTTLS.
> 
> Regards,
> 
> Jochen Bern
> Systemingenieur

Hmmm. Interesting.  I hadn't thought along those lines.  Something to
investigate.

Michael


RE: controlling STARTTLS by IP address

2016-07-15 Thread Michael Fox
> I'm not a FCC lawyer, just a ham. Seems to me all you could do is "sign"
> messages and not send them if the sign isn't correct.  The package itself
> is in plain text.

I'm not sure what the confusion or concern is.  The intention is to use
non-plaintext (but technically not encrypted) authentication without TLS
over ham frequencies.  Hashed challenge/response auth methods don't violate
the FCC rules.  Of course, without TLS encryption, the auth process is not
totally secure.  And, yes, the message itself would be in plain text.  But
it's the best we can do given the rules.  Think of it as packet radio on
steroids.

73,
Michael
N6MEF


Re: RE: controlling STARTTLS by IP address

2016-07-15 Thread Jochen Bern
On 07/14/2016 11:52 PM, Michael Fox wrote:
>> Seems like your firewall could redirect to a different port that doesn't
>> offer starttls.
> Yes, of course.  But that would require multiple ports, making the client
> configuration cumbersome and error-prone.

No, the multiple ports would be on the *server* side, and "the firewall"
(which could be iptables on the server itself) would DNAT the ever-same
*client* side ports based on the clients' IPs.

Speaking of simplifying client configuration: Please note that STARTTLS
and "must be plaintext" aren't mutually exclusive:

$ openssl ciphers 'NULL:eNULL:!ECDH:!DH'
NULL-SHA256:NULL-SHA:NULL-MD5

https://www.openssl.org/docs/manmaster/apps/ciphers.html#EXAMPLES

If you can get dovecot to use a different "ssl_cipher_list" per client
subnet, instead of changing "ssl", you could keep all clients that
support those ciphers configured so as to *require* STARTTLS.

Regards,

Jochen Bern
Systemingenieur








authentication failed: Connection lost to authentication server

2016-07-15 Thread Zhang Huangbin
Dear all,

I got the error "authentication failed: Connection lost to authentication server". 
I turned on debug mode in Postfix/Dovecot, but this is the error I get.

All other errors point to SASL auth failure, so what does "connection lost to 
authentication server" mean? How can I find out exactly what the problem is and 
how to fix it?

Here's my Dovecot/Postfix configuration, with Active Directory integration.

- dovecot.conf: http://pastebin.com/7T05kvmH
- dovecot-ldap.conf: http://pastebin.com/DtkAg01v
- Postfix main.cf: http://pastebin.com/Z9Wihmvr

Dovecot/Postfix and AD are running in the same network (192.168.10.X), no 
firewall between them.

Thanks for your help. :)

Re: controlling STARTTLS by IP address

2016-07-15 Thread KSB

On 2016.07.15. 2:07, M. Balridge wrote:



> I just thought to remind people that with some firewalls, there's always a way
> to perform "silent" redirections using the DNAT target in the PREROUTING
> table, i.e.,:
>
> -t nat -A PREROUTING -i ${EXTIF} -s ${NOTLSSOURCES} -p tcp --dport 110 \
>  --syn -j DNAT --to-destination ${DOVECOT}:${NOTLSPOP3PORT}
>
> If you're using a Linux iptables firewall, you wouldn't need to expose the
> different port to the client, but would make use of the NAT subsystem to
> redirect the connection from certain IP#s->POP3 to the service port where
> you've denied TLS.
>
> No client would need to be made aware of the "secret" ${NOTLSPOP3PORT}, and in
> fact, the firewall would continue to DROP packets sent to it from elsewhere if
> you have a default-deny policy in effect.
>
> =R=



If you're just changing port, better use REDIRECT target.

--
KSb


RE: controlling STARTTLS by IP address

2016-07-15 Thread Michael Fox
> > I just thought to remind people that with some firewalls, there's always
> a way
> > to perform "silent" redirections using the DNAT target in the PREROUTING
> > table, i.e.,:
> >
> > -t nat -A PREROUTING -i ${EXTIF} -s ${NOTLSSOURCES} -p tcp --dport 110 \
> >  --syn -j DNAT --to-destination ${DOVECOT}:${NOTLSPOP3PORT}
> >
> 
> That is basically what I meant without enough detail I guess.
> 

Yes.  Good point.  And thanks for the clarification.

As a Dovecot newbie, I'm curious.  What would be the syntax in dovecot to
configure a second pop3 listener?  Would it be something like this?

service pop3-login {
  # POP3 for STARTTLS users
  inet_listener pop3 {
    port = 110
    ssl = yes
  }
  # POP3 for no TLS (a second listener needs its own name; a repeated
  # "inet_listener pop3" section would merge with the one above)
  inet_listener pop3-notls {
    port = xxx
    ssl = no
  }
  # POP3 for 
  inet_listener pop3s {
    port = 995  # pop3s is 995/tcp; 993 is imaps
    ssl = required
  }
}

And shouldn't "inet_listener pop3s" really use ssl=required (as above),
instead of ssl=yes (as shown in the default 10-master.conf file)?

Thanks,
Michael