Moving Maildir folders
Our office had a user leave. Another user is taking over her duties and needs reference to the departing user's email. I've copied that entire departed user's Maildir structure to the current user:

mv olduser/Maildir/.* curuser/Maildir/.olduser

I did change permission and ownership on curuser/Maildir/.olduser to be the target user. I did not bring over the olduser/Maildir/dovecot* files (indexes, subscriptions, etc.) as I thought that would be bad.

Nevertheless, the curuser cannot see this new olduser folder (which should be at the same level as Inbox, Junk Mail, etc.). I did manually add olduser to the curuser/Maildir/subscriptions file, but still nothing.

So, what did I do wrong and how do I fix it?

THX -- Mark
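As an added example, not from Mark's post or from any reply on this list: a POSIX shell sketch of what Dovecot's default Maildir++ layout looks like when one user's mailbox is placed under another's as a subfolder. In Maildir++ a folder named Foo is the directory Maildir/.Foo with its own cur/, new/ and tmp/, a nested folder Foo/Bar is the flat directory Maildir/.Foo.Bar, the INBOX is the cur/new/tmp at the Maildir root, and Maildir/subscriptions lists subscribed folder names one per line. The post does not say which layout or separator its Dovecot uses, so the script assumes that default; it leaves the source user's dovecot-uidlist and index files behind, only runs chown when an owner is given, and all paths and names are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread).  Copies a departed user's Maildir into
# another user's Maildir as the subfolder NAME, using Dovecot's default
# Maildir++ layout:
#   Maildir/cur new tmp         the INBOX itself
#   Maildir/.Foo/cur new tmp    folder "Foo"
#   Maildir/.Foo.Bar/...        folder "Foo/Bar" (nested names are flattened)
#   Maildir/subscriptions       subscribed folder names, one per line
# Dovecot's own files (dovecot-uidlist, dovecot.index*) are deliberately not
# copied; Dovecot rebuilds them.  Paths and names are placeholders.
set -eu

# create_folder MAILDIR NAME -> MAILDIR/.NAME/{cur,new,tmp}
create_folder() {
    mkdir -p "$1/.$2/cur" "$1/.$2/new" "$1/.$2/tmp"
}

# copy_messages SRC_FOLDER DST_FOLDER -> copies cur/ and new/ only, so tmp/
# and the dovecot-* files that sit next to them stay behind
copy_messages() {
    for d in cur new; do
        if [ -d "$1/$d" ]; then cp -pR "$1/$d/." "$2/$d/"; fi
    done
}

# subscribe MAILDIR NAME -> add NAME to MAILDIR/subscriptions exactly once
subscribe() {
    f=$1/subscriptions
    [ -f "$f" ] || : > "$f"
    grep -qxF -- "$2" "$f" || printf '%s\n' "$2" >> "$f"
}

# import_maildir SRC_MAILDIR DST_MAILDIR NAME [OWNER]
import_maildir() {
    src=$1 dst=$2 name=$3 owner=${4:-}
    # 1. the old INBOX becomes DST/.NAME
    create_folder "$dst" "$name"
    copy_messages "$src" "$dst/.$name"
    # 2. each old folder .Foo (or .Foo.Bar) becomes DST/.NAME.Foo (.NAME.Foo.Bar)
    for dir in "$src"/.*; do
        case $dir in */.|*/..) continue ;; esac
        [ -d "$dir/cur" ] || continue          # a dotfile, not a Maildir folder
        sub=${dir##*/}                         # ".Foo.Bar", leading dot included
        create_folder "$dst" "$name$sub"       # -> DST/.NAME.Foo.Bar
        copy_messages "$dir" "$dst/.$name$sub"
    done
    # 3. subscribe the new top-level folder so clients that list only
    #    subscribed folders show it
    subscribe "$dst" "$name"
    # 4. ownership (root only): everything must belong to the receiving user
    if [ -n "$owner" ]; then
        for d in "$dst/.$name" "$dst"/.$name.* "$dst/subscriptions"; do
            if [ -e "$d" ]; then chown -R "$owner" "$d"; fi
        done
    fi
}

# list_folders MAILDIR -> folder names without the leading dot, sorted
list_folders() {
    for dir in "$1"/.*; do
        case $dir in */.|*/..) continue ;; esac
        [ -d "$dir/cur" ] || continue
        d=${dir##*/}
        printf '%s\n' "${d#.}"
    done | LC_ALL=C sort
}

# Usage (as root, placeholder paths):
#   import_maildir /home/olduser/Maildir /home/curuser/Maildir olduser curuser:mail
```

After the import, list_folders on the receiving Maildir should show olduser plus one olduser.X entry per folder the departed user had; a folder that is missing from that list is one that did not end up as a `.olduser.X` directory with a `cur/` inside it.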
doveconf -n display error for "remote"
Upon further testing, it seems that the issue below may only be a display bug in doveconf. In other words, the remote filter appears to work as configured, even though it is displayed with a duplicate prefix length by doveconf. Is this sufficient information to report a bug or is there some other protocol?

Michael

---

dovecot --version: 2.2.9

I configured the following in local.conf:

remote 192.168.7.128/27 {
  ssl = no
}
remote 192.168.7.0/24 {
  ssl = yes
}

But, when I run doveconf -n, I see:

remote 192.168.7.0/24/24 {
  ssl = yes
}
remote 192.168.7.128/27/27 {
  ssl = no
}

Note the repeated network prefix length (/27/27 and /24/24).
RE: controlling STARTTLS by IP address
KSB:
> Just curious, it is transferred in some RSxxx serial protocol?

The expectation is that the unencrypted traffic will be used for clients on an Ethernet network behind a radio operating on amateur radio frequencies according to FCC Part 97 rules. The radio could be:
-- 56+kbps UHF, such as the upcoming UDRX-440 by NW Digital Radio
-- WiFi radio using BBHN or AREDN mesh software
-- WiFi radio using commercial software, but operated under FCC Part 97 (amateur radio) rules, instead of Part 15 (commercial/consumer) rules
-- ... or maybe something else

It won't be the bulk of our traffic, but it is important since it is part of the county's emergency communications plan.

I don't want to hijack this list with amateur radio stuff. Curious hams can contact me off list at n6mef at mefox dot org.

Michael
Re: Doveadm error
> On July 12, 2016 at 4:30 PM László Károlyi wrote:
>
> Hey everyone,
>
> I've got a weird error since I upgraded to the latest dovecot on my FreeBSD box:
>
> root@postfixjail /# doveadm quota recalc -u x...@xxx.com
> doveadm(x...@xxx.com): Error: dict-client: Commit failed: Deinit
> fish: 'doveadm quota recalc -u xxx@…' terminated by signal SIGSEGV (Address boundary error)
> root@postfixjail /# dovecot --version
> 2.2.25 (7be1766)
> root@postfixjail /# dovecot -n
> # 2.2.25 (7be1766): /usr/local/etc/dovecot/dovecot.conf
> # Pigeonhole version 0.4.15 (97b3da0)
> # OS: FreeBSD 10.3-STABLE amd64
> auth_cache_negative_ttl = 0
> auth_cache_ttl = 0
> auth_mechanisms = plain login cram-md5 digest-md5
> auth_realms = flix.hu
> base_dir = /usr/local/var/run/dovecot/
> default_login_user = nobody
> dict {
>   quota = mysql:/usr/local/etc/dovecot/dovecot-dict-sql.conf.ext
>   quota_rule2 = Trash:bytes=+100M
> }
> listen = *
> login_trusted_networks = 127.0.0.0/24
> mail_location = mdbox:~/mdbox
> mail_plugins = quota
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext vnd.dovecot.pipe
> mdbox_rotate_size = 20 M
> namespace {
>   inbox = yes
>   location =
>   prefix =
>   separator = .
> }
> passdb {
>   args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
>   driver = sql
> }
> plugin {
>   quota = dict:User quota::proxy::quota
>   sieve = ~/.dovecot.sieve
>   sieve_dir = ~/sieve
>   sieve_extensions = +vnd.dovecot.pipe
>   sieve_pipe_bin_dir = /usr/local/etc/email-responder
>   sieve_plugins = sieve_extprograms
> }
> postmaster_address = postmas...@flix.hu
> protocols = imap pop3 lmtp sieve
> service auth {
>   unix_listener /var/spool/postfix/private/auth {
>     group = postfix
>     mode = 0660
>     user = postfix
>   }
>   unix_listener auth-userdb {
>     group = vmail
>     mode = 0600
>     user = vmail
>   }
> }
> service dict {
>   unix_listener dict {
>     mode = 0600
>     user = vmail
>   }
> }
> service imap-login {
>   process_min_avail = 3
>   service_count = 1
> }
> service managesieve-login {
>   inet_listener sieve {
>     port = 4190
>   }
>   process_min_avail = 2
>   service_count = 1
> }
> service managesieve {
>   process_limit = 1024
>   process_min_avail = 2
> }
> service pop3-login {
>   process_min_avail = 3
>   service_count = 1
> }
> ssl = required
> ssl_cert =
> ssl_key =
> userdb {
>   driver = prefetch
> }
> userdb {
>   args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
>   driver = sql
> }
> protocol lda {
>   mail_plugins = quota sieve
> }
> protocol lmtp {
>   mail_plugins = quota sieve
> }
> protocol sieve {
>   mail_plugins = quota sieve
>   managesieve_max_line_length = 65536
> }
> protocol imap {
>   mail_max_userip_connections = 20
>   mail_plugins = quota imap_quota
> }
> protocol pop3 {
>   mail_max_userip_connections = 15
>   mail_plugins = quota
> }
> root@postfixjail /# uname -a
> FreeBSD postfixjail.xxx.com 10.3-STABLE FreeBSD 10.3-STABLE #19 r302639: Tue Jul 12 13:54:21 CEST 2016 r...@flix.hu:/usr/obj/usr/src/sys/MYKERNEL amd64
>
> There seems to be no difference in which virtual mailbox I want dovecot to quota recalculate; it always fails with this error message.
>
> Any suggestions?
>
> Cheers,
> --
> László Károlyi
> http://linkedin.com/in/karolyi

Hi

This bug is being fixed.

Aki
Doveadm error
Hey everyone,

I've got a weird error since I upgraded to the latest dovecot on my FreeBSD box:

root@postfixjail /# doveadm quota recalc -u x...@xxx.com
doveadm(x...@xxx.com): Error: dict-client: Commit failed: Deinit
fish: 'doveadm quota recalc -u xxx@…' terminated by signal SIGSEGV (Address boundary error)
root@postfixjail /# dovecot --version
2.2.25 (7be1766)
root@postfixjail /# dovecot -n
# 2.2.25 (7be1766): /usr/local/etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.15 (97b3da0)
# OS: FreeBSD 10.3-STABLE amd64
auth_cache_negative_ttl = 0
auth_cache_ttl = 0
auth_mechanisms = plain login cram-md5 digest-md5
auth_realms = flix.hu
base_dir = /usr/local/var/run/dovecot/
default_login_user = nobody
dict {
  quota = mysql:/usr/local/etc/dovecot/dovecot-dict-sql.conf.ext
  quota_rule2 = Trash:bytes=+100M
}
listen = *
login_trusted_networks = 127.0.0.0/24
mail_location = mdbox:~/mdbox
mail_plugins = quota
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext vnd.dovecot.pipe
mdbox_rotate_size = 20 M
namespace {
  inbox = yes
  location =
  prefix =
  separator = .
}
passdb {
  args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  quota = dict:User quota::proxy::quota
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
  sieve_extensions = +vnd.dovecot.pipe
  sieve_pipe_bin_dir = /usr/local/etc/email-responder
  sieve_plugins = sieve_extprograms
}
postmaster_address = postmas...@flix.hu
protocols = imap pop3 lmtp sieve
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0600
    user = vmail
  }
}
service dict {
  unix_listener dict {
    mode = 0600
    user = vmail
  }
}
service imap-login {
  process_min_avail = 3
  service_count = 1
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
  process_min_avail = 2
  service_count = 1
}
service managesieve {
  process_limit = 1024
  process_min_avail = 2
}
service pop3-login {
  process_min_avail = 3
  service_count = 1
}
ssl = required
ssl_cert =
ssl_key =
userdb {
  driver = prefetch
}
userdb {
  args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
protocol lda {
  mail_plugins = quota sieve
}
protocol lmtp {
  mail_plugins = quota sieve
}
protocol sieve {
  mail_plugins = quota sieve
  managesieve_max_line_length = 65536
}
protocol imap {
  mail_max_userip_connections = 20
  mail_plugins = quota imap_quota
}
protocol pop3 {
  mail_max_userip_connections = 15
  mail_plugins = quota
}
root@postfixjail /# uname -a
FreeBSD postfixjail.xxx.com 10.3-STABLE FreeBSD 10.3-STABLE #19 r302639: Tue Jul 12 13:54:21 CEST 2016 r...@flix.hu:/usr/obj/usr/src/sys/MYKERNEL amd64

There seems to be no difference in which virtual mailbox I want dovecot to quota recalculate; it always fails with this error message.

Any suggestions?

Cheers,
--
László Károlyi
http://linkedin.com/in/karolyi
Re: controlling STARTTLS by IP address
On 2016.07.15. 11:03, Michael Fox wrote:
> > I'm not a FCC lawyer, just a ham. Seems to me all you could do is "sign"
> > messages and not send them if the sign isn't correct. The package itself
> > is in plain text. I'm not sure what the confusion or concern is.
>
> The intention is to use non-plaintext (but technically not encrypted) authentication without TLS over ham frequencies. Hashed challenge/response auth methods don't violate the FCC rules. Of course, without TLS encryption, the auth process is not totally secure. And, yes, the message itself would be in plain text. But it's the best we can do given the rules. Think of it as packet radio on steroids.
>
> 73,
> Michael
> N6MEF

Just curious, it is transferred in some RSxxx serial protocol?

--
KSB
RE: RE: controlling STARTTLS by IP address
> -Original Message-
> From: dovecot [mailto:dovecot-boun...@dovecot.org] On Behalf Of Jochen Bern
> Sent: Friday, July 15, 2016 12:46 AM
> To: dovecot@dovecot.org
> Subject: Re: RE: controlling STARTTLS by IP address
>
> On 07/14/2016 11:52 PM, Michael Fox wrote:
> >> Seems like your firewall could redirect to a different port that doesn't
> >> offer starttls.
> > Yes, of course. But that would require multiple ports, making the client
> > configuration cumbersome and error-prone.
>
> No, the multiple ports would be on the *server* side, and "the firewall"
> (which could be iptables on the server itself) would DNAT the ever-same
> *client* side ports based on the clients' IPs.
>
> Speaking of simplifying client configuration: Please note that STARTTLS
> and "must be plaintext" aren't mutually exclusive:
>
> $ openssl ciphers 'NULL:eNULL:!ECDH:!DH'
> NULL-SHA256:NULL-SHA:NULL-MD5
>
> https://www.openssl.org/docs/manmaster/apps/ciphers.html#EXAMPLES
>
> If you can get dovecot to use a different "ssl_cipher_list" per client
> subnet, instead of changing "ssl", you could keep all clients that
> support those ciphers configured so as to *require* STARTTLS.
>
> Regards,
>
> Jochen Bern
> Systemingenieur

Hmmm. Interesting. I hadn't thought along those lines. Something to investigate.

Michael
RE: controlling STARTTLS by IP address
> I'm not a FCC lawyer, just a ham. Seems to me all you could do is "sign"
> messages and not send them if the sign isn't correct. The package itself
> is in plain text. I'm not sure what the confusion or concern is.

The intention is to use non-plaintext (but technically not encrypted) authentication without TLS over ham frequencies. Hashed challenge/response auth methods don't violate the FCC rules. Of course, without TLS encryption, the auth process is not totally secure. And, yes, the message itself would be in plain text. But it's the best we can do given the rules. Think of it as packet radio on steroids.

73,
Michael
N6MEF
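What such a hashed challenge/response login looks like on the wire, as an added example that is not part of Michael's message or of the Dovecot project: the CRAM-MD5 exchange of RFC 2195, one of the mechanisms that appears as `cram-md5` in the `auth_mechanisms` line of the doveconf output elsewhere on this page. The server sends a base64 challenge; the client answers with base64 of "username", a space, and the hex HMAC-MD5 of the challenge keyed with the password; the server recomputes the digest from its stored password and compares. The script uses the openssl command line for HMAC-MD5 and base64; the user, password, challenge and password-lookup function are made up. It shows what a listener on the radio link sees (the user name and a digest that is only valid for this one challenge, never the password) and what the server has to hold (the plaintext password or an equivalent precomputed HMAC state, since a salted password hash cannot verify CRAM-MD5).

```shell
#!/bin/sh
# Added example (not from the thread): one CRAM-MD5 (RFC 2195) exchange, the
# kind of hashed challenge/response login that works without TLS.  Needs the
# openssl CLI.  User, password, challenge and the lookup table are made up.
set -eu

# hmac_md5_hex KEY   (message on stdin) -> lowercase hex HMAC-MD5
hmac_md5_hex() {
    openssl dgst -md5 -hmac "$1" | awk '{ print $NF }'
}
b64enc() { printf '%s' "$1" | openssl base64 -A; }
b64dec() { printf '%s' "$1" | openssl base64 -d -A; }

# Server, step 1: the challenge.  A real server uses fresh random data for
# every session; it is fixed here so the run is reproducible.
cram_md5_challenge() {
    printf '%s' '<1468000000.12345@mail.example.org>'
}

# Client: cram_md5_response USER PASSWORD CHALLENGE
# -> the single base64 line the client sends back.  The password never
#    crosses the link; only HMAC-MD5(password, challenge) does.
cram_md5_response() {
    digest=$(printf '%s' "$3" | hmac_md5_hex "$2")
    b64enc "$1 $digest"
}

# Server, step 2: cram_md5_verify RESPONSE CHALLENGE LOOKUP_FN
#   LOOKUP_FN is a shell function that prints the stored password for a
#   user name, or fails.  CRAM-MD5 can only be verified from the plaintext
#   password (or a precomputed HMAC state), not from a salted password hash.
# Prints the authenticated user name on success; returns 1 on failure.
cram_md5_verify() {
    decoded=$(b64dec "$1")
    user=${decoded% *}        # everything before the last space
    got=${decoded##* }        # the hex digest after it
    stored=$("$3" "$user") || return 1
    expect=$(printf '%s' "$2" | hmac_md5_hex "$stored")
    # [ = ] is not a constant-time comparison; a real server would use one.
    [ "$got" = "$expect" ] || return 1
    printf '%s\n' "$user"
}

# Made-up user database standing in for Dovecot's passdb.
lookup_password() {
    case $1 in
        alice) printf '%s' 'correct horse battery staple' ;;
        *)     return 1 ;;
    esac
}

# Walk through one session and print both sides' lines as they cross the link.
demo_exchange() {
    ch=$(cram_md5_challenge)
    echo "S: + $(b64enc "$ch")"
    resp=$(cram_md5_response alice 'correct horse battery staple' "$ch")
    echo "C: $resp"
    echo "   (decodes to: $(b64dec "$resp"))"
    if user=$(cram_md5_verify "$resp" "$ch" lookup_password); then
        echo "S: OK authenticated as $user"
    else
        echo "S: NO authentication failed"
    fi
}

if [ "${1:-}" = "--demo" ]; then demo_exchange; fi
```

Run with `--demo` to print the three lines of the exchange. The only secret-dependent value on the wire is the digest, and it changes with every challenge, so a captured response cannot be replayed against a server that issues fresh challenges; the mailbox traffic that follows the login is still cleartext, as Michael notes.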
Re: RE: controlling STARTTLS by IP address
On 07/14/2016 11:52 PM, Michael Fox wrote:
>> Seems like your firewall could redirect to a different port that doesn't
>> offer starttls.
> Yes, of course. But that would require multiple ports, making the client
> configuration cumbersome and error-prone.

No, the multiple ports would be on the *server* side, and "the firewall" (which could be iptables on the server itself) would DNAT the ever-same *client* side ports based on the clients' IPs.

Speaking of simplifying client configuration: Please note that STARTTLS and "must be plaintext" aren't mutually exclusive:

$ openssl ciphers 'NULL:eNULL:!ECDH:!DH'
NULL-SHA256:NULL-SHA:NULL-MD5

https://www.openssl.org/docs/manmaster/apps/ciphers.html#EXAMPLES

If you can get dovecot to use a different "ssl_cipher_list" per client subnet, instead of changing "ssl", you could keep all clients that support those ciphers configured so as to *require* STARTTLS.

Regards,

Jochen Bern
Systems Engineer

--
LINworks GmbH
Phone: +49 6151 9067-231
Fax: +49 6151 9067-299
E-Mail: jochen.b...@linworks.de
Web: http://www.LINworks.de/
NEC IT infrastructure products from the German distributor
Servers, storage, virtualization, management software
Shop: http://www.NEC-Store.de/
Postal address: Postfach 10 01 21 · 64201 Darmstadt · DE
Street address: Robert-Koch-Straße 9 · 64331 Weiterstadt · DE
Managing directors: Metin Dogan, Nils Manegold, Oliver Michel
Registered office: Weiterstadt
Register: Amtsgericht Darmstadt, HRB 85202
MAX21-Unternehmensgruppe
authentication failed: Connection lost to authentication server
Dear all,

I got the error "authentication failed: Connection lost to authentication server". I turned on debug mode in Postfix/Dovecot, but this is the error I get. All other errors point to SASL auth failure. What does "connection lost to authentication server" mean? How can I find out exactly what the problem is and how to fix it?

Here's my Dovecot/Postfix configuration, with Active Directory integration.
- dovecot.conf: http://pastebin.com/7T05kvmH
- dovecot-ldap.conf: http://pastebin.com/DtkAg01v
- Postfix main.cf: http://pastebin.com/Z9Wihmvr

Dovecot/Postfix and AD are running in the same network (192.168.10.X), no firewall between them.

Thanks for your help. :)
Re: controlling STARTTLS by IP address
On 2016.07.15. 2:07, M. Balridge wrote:
> I just thought to remind people that with some firewalls, there's always a way to perform "silent" redirections using the DNAT target in the PREROUTING table, i.e.,:
>
> -t nat -A PREROUTING -i ${EXTIF} -s ${NOTLSSOURCES} -p tcp --dport 110 \
>     --syn -j DNAT --to-destination ${DOVECOT}:${NOTLSPOP3PORT}
>
> If you're using a Linux iptables firewall, you wouldn't need to expose the different port to the client, but would make use of the NAT subsystem to redirect the connection from certain IP#s->POP3 to the service port where you've denied TLS. No client would need to be made aware of the "secret" ${NOTLSPOP3PORT}, and in fact, the firewall would continue to DROP packets sent to it from elsewhere if you have a default-deny policy in effect.
>
> =R=

If you're just changing port, better use REDIRECT target.

--
KSb
RE: controlling STARTTLS by IP address
> > I just thought to remind people that with some firewalls, there's always a way
> > to perform "silent" redirections using the DNAT target in the PREROUTING
> > table, i.e.,:
> >
> > -t nat -A PREROUTING -i ${EXTIF} -s ${NOTLSSOURCES} -p tcp --dport 110 \
> >     --syn -j DNAT --to-destination ${DOVECOT}:${NOTLSPOP3PORT}
>
> That is basically what I meant without enough detail I guess.

Yes. Good point. And thanks for the clarification.

As a Dovecot newbie, I'm curious. What would be the syntax in dovecot to configure a second pop3 listener? Would it be something like this?

service pop3-login {
  # POP3 for STARTTLS users
  inet_listener pop3 {
    port = 110
    ssl = yes
  }
  # POP3 for no TLS
  inet_listener pop3 {
    port = xxx
    ssl = no
  }
  # POP3 for
  inet_listener pop3s {
    port = 993
    ssl = required
  }
}

And shouldn't "inet_listener pop3s" really use ssl=required (as above), instead of ssl=yes (as shown in the default 10-master.conf file)?

Thanks,
Michael