Re:Self-Signed Certificate issue

2016-09-23 Thread dovecot
  
Try this:

Create a directory and do the following in that directory.

Create the file openssl.cnf with the following information:

[ req ]
default_md = sha256
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
countryName = US
localityName = Boulder
organizationName = Your organization's name here
organizationalUnitName = IT Department
emailAddress = some email address at your company
commonName = "Just a simple statement about the company"

[ certauth ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:true

[ client ]
basicConstraints = critical,CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = clientAuth


Just change the things you need to for you.

Then issue the following command.

openssl req -config ./openssl.cnf -newkey rsa:2048 -nodes -keyform PEM \
  -keyout dovecot.key -x509 -days 365 -extensions certauth \
  -outform PEM -out dovecot.pem \
  -subj "/C=US/postalCode=0/ST=state/L=city/streetAddress=some street/O=company name/OU=IT Department/CN=dovecot cert/emailAddress=em...@yourcompany.com"

Just change the C, O, OU, etc for your needs.

Then verify the contents via:

openssl x509 -noout -in dovecot.pem -subject
openssl x509 -noout -in dovecot.pem -issuer
openssl x509 -noout -in dovecot.pem -enddate

openssl x509 -noout -in dovecot.pem -text

This will show what is in the certificate.

Now copy the pem & key files to where you want them.

Restart dovecot. You may have to change the configuration to use the names just 
created.

Dave Ryan

On 09/23/16 11:07, Darryl Baker wrote:
> My apologies if this is a repeat but my search of the archive did not turn
> it up in the recent past. If this has been covered just point me at the
> previous thread, please.
>
> I am running a small email site which I am moving from uw-imapd and Solaris
> to Ubuntu and Dovecot imaps and pop3s. I am trying to use a self-signed
> certificate for this site. I am using Thunderbird as the test client. I've
> tried both the pre-built snakeoil certificate and building a special one
> for dovecot. In /var/log/mail.err I keep getting what I am interpreting as
> a missing CA cert. The message is:
>
> dovecot: imap-login: Error: SSL: Stacked error: error:14094418:SSL
> routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48
>
>
> The certificate was created by:
>
> openssl req -new -x509 -days 365 -nodes -out /etc/ssl/certs/dovecot.pem \
>   -keyout /etc/ssl/private/dovecot.pem
>
>
> The Dovecot version is 2.2.22 (fe789d2) The Ubuntu version is 16.04 LTS
> current patches.
>
>
> *Darryl Baker*
>
>
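The recipe above produces a self-signed certificate flagged as a CA. As an added example (my own script, not Dave's recipe and not Dovecot project code), the POSIX shell script below builds the same kind of self-signed certificate with an end-entity server profile instead (CA:FALSE, serverAuth, subjectAltName for the hostname), then checks the result before it is copied into place: the extensions are really there, and the private key actually belongs to the certificate. The hostname imap.example.com, the directories and the organisation name are assumed values. One caveat worth keeping in mind for the error in the original post: "tlsv1 alert unknown ca" (alert 48) is sent by the peer, so it is the client refusing the certificate because it does not trust the issuer; no server-side change to the certificate makes a self-signed certificate trusted, the client still has to import or accept it.

```shell
#!/bin/sh
# Added example, not from the thread: build a self-signed TLS server
# certificate for Dovecot and verify it before copying it into place.
# Assumed (hypothetical) values: HOST, OUT_DIR, INSTALL_DIR below.
set -eu

HOST="${HOST:-imap.example.com}"                # name clients connect to
OUT_DIR="${OUT_DIR:-./tls}"                     # where the files are generated
INSTALL_DIR="${INSTALL_DIR:-/etc/dovecot/tls}"  # where they will be copied

# openssl.cnf: an end-entity server certificate (CA:FALSE, serverAuth) with a
# subjectAltName; clients match the hostname against the SAN, not the CN.
write_config() {
  cat > "$OUT_DIR/openssl.cnf" <<EOF
[ req ]
default_md = sha256
prompt = no
distinguished_name = dn
x509_extensions = server

[ dn ]
CN = $HOST
O = Example Org

[ server ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST
subjectKeyIdentifier = hash
EOF
}

# Generate key + self-signed cert; the key must stay unreadable to others.
make_cert() {
  mkdir -p "$OUT_DIR"
  write_config
  openssl req -config "$OUT_DIR/openssl.cnf" -new -x509 -days 365 \
    -newkey rsa:2048 -nodes \
    -keyout "$OUT_DIR/dovecot.key" -out "$OUT_DIR/dovecot.pem" 2>/dev/null
  chmod 600 "$OUT_DIR/dovecot.key"
}

# Succeeds only if the cert is an end-entity serverAuth cert carrying the SAN.
check_cert() {
  text=$(openssl x509 -noout -text -in "$OUT_DIR/dovecot.pem")
  printf '%s\n' "$text" | grep -q 'CA:FALSE' || return 1
  printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' || return 1
  printf '%s\n' "$text" | grep -q "DNS:$HOST" || return 1
}

# Succeeds only if the private key belongs to the certificate (catches a
# key/cert mix-up after the files have been copied around).
key_matches_cert() {
  k=$(openssl pkey -in "$OUT_DIR/dovecot.key" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$OUT_DIR/dovecot.pem" -pubkey -noout)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# The matching Dovecot settings (conf.d/10-ssl.conf); "<" means read from file.
print_dovecot_ssl() {
  printf 'ssl = required\nssl_cert = <%s/dovecot.pem\nssl_key = <%s/dovecot.key\n' \
    "$INSTALL_DIR" "$INSTALL_DIR"
}

# Usage: sh make-dovecot-cert.sh run   (without "run" it only defines functions)
if [ "${1:-}" = "run" ]; then
  make_cert && check_cert && key_matches_cert && print_dovecot_ssl
fi
```

Run it with the argument "run", copy the two files from OUT_DIR to INSTALL_DIR, put the printed three lines into the Dovecot configuration, restart Dovecot, and then import the certificate (or accept the exception) on the client.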


Proxy IMAP/POP

2016-09-23 Thread Luis Miguel Flores dos Santos
Hello, I'm trying to configure dovecot to proxy imap and pop but I can't. My 
configuration follows:

dovecot version = 2.2.10

My configuration:

dovecot -n
# 2.2.10: /etc/dovecot/dovecot.conf
# OS: Linux 3.18.35 x86_64 CentOS Linux release 7.2.1511 (Core)
auth_mechanisms = plain login
auth_username_format = %n
disable_plaintext_auth = no
mail_location = maildir:~/Maildir
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
ssl = no
ssl_cert =

http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/Proxy
and installed dovecot-mysql.x86_64.
My server is a CentOS Linux release 7.2.1511 (Core)

Can anyone help me?

Thanks.



Regards,

Luis Miguel
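The post shows the sql passdb but not the query that makes it proxy. As an added example (my own fragment, not Luis's configuration and not Dovecot project code), this is a dovecot-sql.conf.ext whose password_query returns the proxy extra fields described on the wiki page linked above; the database name, table name (proxy_users) and column names (userid, backend_host) are assumed. Note that with ssl = no and disable_plaintext_auth = no, as in the posted configuration, the password crosses the network in clear on both legs; the frontend leg needs ssl enabled in Dovecot, and for the backend leg the documented ssl / starttls extra fields (for example starttls=any-cert) can be returned by the same query.

```ini
# Added example, not from the original post: /etc/dovecot/dovecot-sql.conf.ext
# for a proxying sql passdb. Database name, table and columns are assumed.
driver = mysql
connect = host=127.0.0.1 dbname=mail user=dovecot password=CHANGEME

# Returning proxy=y together with a host turns the passdb result into a proxy
# entry. nopassword=y tells the proxy not to verify the password itself; the
# client's password is forwarded to the backend, which does the real check.
# %u is already the bare username here because auth_username_format = %n.
# No port is returned, so the backend is contacted on the same service's
# default port (143 for imap, 110 for pop3).
password_query = \
  SELECT NULL AS password, 'y' AS nopassword, \
         backend_host AS host, 'y' AS proxy \
  FROM proxy_users WHERE userid = '%u'
```

Only the passdb is consulted for proxying, so the userdb side is not needed on the proxy; `doveconf -n` plus a `doveadm auth test` against a known user shows whether the fields come back as expected.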


Self-Signed Certificate issue

2016-09-23 Thread Darryl Baker
My apologies if this is a repeat but my search of the archive did not turn
it up in the recent past. If this has been covered just point me at the
previous thread, please.

I am running a small email site which I am moving from uw-imapd and Solaris
to Ubuntu and Dovecot imaps and pop3s. I am trying to use a self-signed
certificate for this site. I am using Thunderbird as the test client. I've
tried both the pre-built snakeoil certificate and building a special one
for dovecot. In /var/log/mail.err I keep getting what I am interpreting as
a missing CA cert. The message is:

dovecot: imap-login: Error: SSL: Stacked error: error:14094418:SSL
routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48


The certificate was created by:

openssl req -new -x509 -days 365 -nodes -out /etc/ssl/certs/dovecot.pem \
  -keyout /etc/ssl/private/dovecot.pem


The Dovecot version is 2.2.22 (fe789d2) The Ubuntu version is 16.04 LTS
current patches.


*Darryl Baker*


Re: Director keeping IMAP connections alive

2016-09-23 Thread Webert de Souza Lima
Such connections do not exist on the front-end that connects to director
hosts, so it's something between director and dovecot only.

On Wed, Sep 21, 2016 at 1:16 PM, Webert de Souza Lima  wrote:

> Hello,
>
> I have a 2 director - 2 dovecot set up in a cluster.
>
> From time to time I notice high usage of RAM by dovecot process, and
> analyzing with doveadm who,
> I see many users with dozens, even hundreds of PIDs.
>
> Inspecting those PIDs I see each one of them is an IMAP connection, coming
> from either director process, and ESTABLISHED.
>
> A deeper analysis shows me that there are lots of connections from the same
> users to BOTH dovecot instances, but as I am using director, this shouldn't
> happen, right? Ok. The thing is, one of the dovecot instances has only old
> connections (like 3 days old) and the other dovecot has some old and some
> newer connections.
>
> So, director is redirecting recent connections to the right dovecot, as
> expected, but it is keeping many of old and unused connections open,
> consuming resources.
>
> output of doveconf -n from dovecot:
> http://pastebin.com/trMEjeAs
>
> output of doveconf -n from director:
> http://pastebin.com/EUpHYMKY
>
> Thanks.
>


Re: Broken auth-* sockets.

2016-09-23 Thread ygrishin

On 2016-09-23 01:47, Aki Tuomi wrote:

On September 23, 2016 at 3:16 AM ygris...@pyramidheadgroup.ca wrote:


Hello.

I am migrating my servers to Ubuntu and have been having an issue with
Dovecot authenticator service.

Exim is set up to use dovecot-auth, anticipating the question whether
exim binary was compiled with support of Dovecot authenticator, it 
was:

---


I thought that dovecot sockets are under /var/run/dovecot, not
/var/dovecot, by default on Ubuntu 16.04.

Anyways, to make sure dovecot actually is configured to listen on
those sockets, you could stop dovecot, rm the socket files, and start
dovecot to see if those sockets get created.

Aki


Ah, that's precisely right! Leftover sockets from previous 
configuration.


Thank you very much, glad I asked.


NFSv4 and Maildir

2016-09-23 Thread Robert Blayzor
Recently moving to newer storage platforms for mailbox storage so looking at 
moving mounts from NFSv3 with lots of issues with locking and caching to NFSv4.

There seems to be a lot of benefits to v4 along with some other new features, 
namely “delegation”.

So the question boils down to, to delegate or not delegate on Maildir storage. 
There may be many reasons based on actual platform why to do (or not to do 
this), but I want to get the general opinion from others that may have more 
experience with this. Our setup is several FreeBSD 10.x clients running 
Dovecot/Exim, NetApp NFS mail storage (probably moving to TrueNAS) and using F5 
load balancers for client side connections/SSL offload.

From what I’ve found (and what i’ve read in the RFC) is that delegation seems 
to work best when there is NOT a lot of file contention from clients accessing 
the same files. I realize that in some situations many people are using 
director to try and keep users on the same client; in our case we’re doing it 
with F5 iRules. The F5 iRules work great for POP3 and IMAP session persistence, 
but unfortunately that doesn’t work for SMTP and Dovecot LDA, so we still have 
possible race conditions from the MTA’s delivering into “INBOX”. (mostly 
dovecot indexes updating at the same time).

So the big question is, who is using Dovecot with maildirs with NFSv4 mounts. 
What has your experience been? Are you using delegation?  By choice and why did 
you come to that decision.

I’m drawing up the conclusion that if you can *mostly* control client control 
to specific files (ie: directing access to a mailbox to come from one client), 
then delegation might be ok. However, if you’re not using director and have 
several NFS mail clients racing to access mailboxes, then delegation might turn 
into chaos.


Your comments welcome and appreciated.

--
Robert
inoc.net!rblayzor
XMPP: rblayzor.AT.inoc.net
PGP Key: 78BEDCE1 @ pgp.mit.edu


Re: Dict protocol changes string

2016-09-23 Thread Aki Tuomi


On 29.07.2016 15:35, Nagy, Attila wrote:
> Hi,
>
> I use pass and userdb with dict protocol in a similar way:
>
> key passdb {
>   key = passdb^MAuth-User: %u^MAuth-Pass: %w^MAuth-Protocol:
> %s^MClient-IP: %r
>   format = json
> }
>
> (^M is an \r character, inserted with vi CTRL-v + enter)
>
> Until 2.2.24 this has worked, but 2.2.25 seems to convert that ASCII
> 13 into an ASCII 1 and an "r".
>
> Python printout from what I get with 2.2.25:
>
> 'Lshared/passdb\x01rAuth-User: user\x01rAuth-Pass:
> pass\x01rAuth-Protocol: pop3\x01rClient-IP: 1.2.3.4'
>
> Is this change intentional? Why?

Hi!

Dict protocol escapes your newlines. You are expected to de-escape them
yourself.

The following escapes are done; you can de-escape them in your client.

original => escaped (byte 0x01, then one character)
\x00     => \x01 '0'
\x01     => \x01 '1'
\t       => \x01 't'
\r       => \x01 'r'
\n       => \x01 'n'

The change has been made to avoid breakage if newlines or NULLs are
injected into the data.

Aki
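As an added example (my own code, not Dovecot project code and not the poster's Python client), the shell function below de-escapes the dict protocol encoding described above in a single pass. The single pass matters: replacing "\x01" + "1" with a bare 0x01 first and the newline escapes afterwards would turn a literal 0x01 followed by "n" in the original data into a newline, so each escape byte has to consume exactly the one character that follows it. The sample key is constructed from the printout in the question (the Auth-Pass value is invented); NUL bytes cannot travel through a shell pipeline, so the \x01 '0' case is deliberately not handled here and needs a binary-safe client.

```shell
#!/bin/sh
# Added example, not from the thread: single-pass de-escaping of the dict
# protocol's \x01 escapes. Reads stdin; input must not contain NUL bytes.
dict_unescape() {
  awk 'BEGIN { ORS = "" }
  {
    s = $0; out = ""; n = length(s)
    for (i = 1; i <= n; i++) {
      c = substr(s, i, 1)
      if (c == "\001" && i < n) {
        i++                      # the escape byte consumes the next character
        e = substr(s, i, 1)
        if      (e == "1") out = out "\001"
        else if (e == "t") out = out "\t"
        else if (e == "r") out = out "\r"
        else if (e == "n") out = out "\n"
        else               out = out "\001" e   # unknown escape: keep as-is
      } else {
        out = out c
      }
    }
    print out
  }'
}

# Constructed sample of an escaped lookup key as the server sends it
# (fields separated by CR; the password contains a literal 0x01 byte).
sample_escaped() {
  E=$(printf '\001')
  printf 'Lshared/passdb%srAuth-User: user%srAuth-Pass: pa%s1x%srAuth-Protocol: pop3' \
    "$E" "$E" "$E" "$E"
}

# Print the de-escaped key with CR rendered as "|" so it is readable.
demo() {
  sample_escaped | dict_unescape | tr '\r' '|'
}
```

Pipe any escaped line into dict_unescape, or run demo to see the constructed sample decoded with the CR separators shown as "|".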