Re: System load spike on dovecot reload

2017-04-21 Thread Christian Balzer

Hello,

On Fri, 21 Apr 2017 10:43:47 +0200 d...@evilcigi.eu wrote:

> Hi everyone,
> 
> I'm running dovecot with quite a lot of users and lots of active imap 
> connections (like 20'000). I'm using different user IDs for users, so I 
> need to have imap {service_count=1} - i.e. I have a lots of imap 
> processes running.
>
We peaked out at 65k imap processes before upgrading to a version where
imap-hibernate more or less works, but we're using a common ID.
---
dovecot   119157  0.1  0.0  59364 52216 ?        S    Apr01  48:25 dovecot/imap-hibernate [15137 connections]
---

The service_count parameter in this context is not doing what you think it
does, I have it at 200 these days and that will allow imap (or pop3)
processes to be recycled (they are labeled with "idling" when waiting for a
new client), not having one imap process serve multiple clients. 
---
mail      591307  0.0  0.0  29876  4712 ?        S    Apr20   0:00 dovecot/imap [idling]
mail      735323  0.0  0.0  27396  4196 ?        S    13:20   0:00 dovecot/pop3 [idling]
---

The advantage (for me at least) is that the dovecot master process doesn't
have to spin up a new mail process each time during logins.

Since this process is quite single-threaded, it becomes a bottleneck
eventually.
  
> Everything works fine, until I reload dovecot configuration. When that 
> happen, every client is forced to relogin in the same time and that 
> causes a huge system load spike (2-3000 5 min load).
> 
Unless you're making a change that affects the dovecot master process,
restarting everything isn't needed and you should set 
"shutdown_clients = no". 
You could still kick users with "dovecot kick" at a leisurely pace, but
security problems with the mail processes are rare.

> I was thinking that it would be great, if dovecot wouldn't kick all the 
> users in the same time during reload, but somehow gradually, during 
> specified interval. I'm aware of the shutdown_clients directive that 
> could help, but I don't like it - 

I've very much gotten to like it, once things got huge and busy.

> I do want the clients get disconnected 
> on dovecot shutdown and also I want them to relogin in reasonably short 
> time after reload.
> 
> Is something like that possible with dovecot or does it make sense to 
> implement that in the future versions?
> 
Run a dovecot proxy (if you have single box with all these users on it,
Mr. Murphy would like a word with you) and set 
"login_proxy_max_disconnect_delay" to something that suits you.

Christian
-- 
Christian Balzer        Network/Systems Engineer
ch...@gol.com           Global OnLine Japan/Rakuten Communications
http://www.gol.com/


imap service count>1 (was System load spike ...)

2017-04-21 Thread Joseph Tam



> I'm running dovecot with quite a lot of users and lots of active imap
> connections (like 20'000). I'm using different user IDs for users, so I
> need to have imap {service_count=1} - i.e. I have a lots of imap
> processes running.

I had a misconception this service's service_count was non-adjustable.

(https://wiki.dovecot.org/Services on imap service)

   service_count can be changed from 1 if only a single UID is used
   for mail users. This improves performance, but it's less
   secure, because bugs in code may leak email data from another
   user's earlier connection.

How easy would it be to implement a hybrid solution that maps all
imap service for a unique UID to a single worker process?  It would
result in modest performance gain for busy servers, and data leakage
security would be minimal.

Joseph Tam 


Re: Re: Pipe to PHP script using Sieve Extprograms

2017-04-21 Thread Thomas

Oops, the configuration files in conf.d weren't included. They are now.

I am now seeing the following errors showing up in the maillogs:

   dovecot: master: Error: bind(/var/run/dovecot/sieve-pipe/php)
   failed: No such file or directory
   dovecot: master: Fatal: Failed to start listeners

I may be completely wrong here, but isn't it supposed to create this on 
its own since it's a unix listener?


The service looks like this now:

   service php {
     # Define the executed script as parameter to the sieve service
     executable = script /etc/dovecot/sieve-pipe/php.sh

     # Use some unprivileged user for executing the program
     user = dovenull

     # The unix socket located in the sieve_pipe_socket_dir (as defined in the
     # plugin {} section above)
     unix_listener sieve-pipe/php {
       # LDA/LMTP must have access
       user = vmail
       mode = 0600
     }
   }


Re: System load spike on dovecot reload

2017-04-21 Thread KT Walrus

> On Apr 21, 2017, at 4:43 AM, d...@evilcigi.eu wrote:
> 
> Hi everyone,
> 
> I'm running dovecot with quite a lot of users and lots of active imap 
> connections (like 20'000). I'm using different user IDs for users, so I need 
> to have imap {service_count=1} - i.e. I have a lots of imap processes running.
> 
> Everything works fine, until I reload dovecot configuration. When that 
> happen, every client is forced to relogin in the same time and that causes a 
> huge system load spike (2-3000 5 min load).
> 
> I was thinking that it would be great, if dovecot wouldn't kick all the users 
> in the same time during reload, but somehow gradually, during specified 
> interval. I'm aware of the shutdown_clients directive that could help, but I 
> don't like it - I do want the clients get disconnected on dovecot shutdown 
> and also I want them to relogin in reasonably short time after reload.

You could run a Dovecot IMAP proxy in a Docker container on your server and run 
a separate Dovecot IMAP server in another container. Once both containers are 
up and running, enable the Dovecot IMAP proxy to start sending IMAP sessions to 
the IMAP server. When the time comes to change the Dovecot configuration, 
deploy another instance of Dovecot IMAP server with the new configuration. Once 
the new container is up and running, configure Dovecot IMAP proxy to direct a 
few specific test users to the new Dovecot IMAP server. When satisfied that the 
new server can handle new user sessions, configure Dovecot IMAP proxy to direct 
all new sessions to the new instance. After everything seems to be working fine 
for a period of time, start kicking users on the old Dovecot IMAP server off 
(at a comfortable pace) so they will reconnect to the new Dovecot IMAP server. 
When the old Dovecot IMAP server is no longer managing any sessions, it can be 
removed from the server (that is, the Docker container stopped and eventually 
removed completely).

Since all containers are running on the same host server, the old and new 
Dovecot containers will be configured to access the same Dovecot mail storage 
by mounting the host storage to both containers.

I think Docker containers are the easiest way to manage Dovecot in production.

Kevin
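
Both replies above suggest kicking users off gradually instead of all at once. The following is an added example, not code from either poster or from Dovecot: it disconnects users in small batches with `doveadm kick` and holds off while the 1-minute load average is high, so re-logins do not pile up. The function names, batch size, pause and load threshold are assumptions to be tuned per site.

```python
import os
import subprocess
import time


def kick_user(user):
    """Disconnect one user's sessions via `doveadm kick`; True on exit status 0."""
    result = subprocess.run(["doveadm", "kick", user],
                            stdout=subprocess.DEVNULL, check=False)
    return result.returncode == 0


def paced_kick(users, batch_size=50, pause=10.0, max_load=8.0, max_waits=30,
               kick=kick_user, load=lambda: os.getloadavg()[0],
               sleep=time.sleep):
    """Kick users in small batches, backing off while the host is busy.

    batch_size, pause, max_load and max_waits are illustrative defaults
    (assumptions), to be tuned to how fast the box absorbs re-logins.
    """
    users = list(dict.fromkeys(users))      # de-duplicate, keep order
    kicked, failed, load_waits = [], [], 0

    for start in range(0, len(users), batch_size):
        # Back-pressure: add no re-logins while the 1-minute load is high.
        stalled = 0
        while load() > max_load:
            if stalled >= max_waits:
                # Load never recovered: stop and report who is still connected.
                return {"kicked": kicked, "failed": failed,
                        "remaining": users[start:], "load_waits": load_waits}
            sleep(pause)
            stalled += 1
            load_waits += 1

        for user in users[start:start + batch_size]:
            (kicked if kick(user) else failed).append(user)

        if start + batch_size < len(users):
            sleep(pause)                    # spread the re-logins over time

    return {"kicked": kicked, "failed": failed,
            "remaining": [], "load_waits": load_waits}


if __name__ == "__main__":
    import sys
    # Usernames are read one per line from stdin.
    names = [line.strip() for line in sys.stdin if line.strip()]
    print(paced_kick(names))
```

With `shutdown_clients = no` in place, the old processes keep serving until this loop reaches them; users listed under `remaining` were never kicked because the load stayed above the threshold.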


System load spike on dovecot reload

2017-04-21 Thread d...@evilcigi.eu

Hi everyone,

I'm running dovecot with quite a lot of users and lots of active imap 
connections (like 20'000). I'm using different user IDs for users, so I 
need to have imap {service_count=1} - i.e. I have a lots of imap 
processes running.


Everything works fine, until I reload dovecot configuration. When that 
happen, every client is forced to relogin in the same time and that 
causes a huge system load spike (2-3000 5 min load).


I was thinking that it would be great, if dovecot wouldn't kick all the 
users in the same time during reload, but somehow gradually, during 
specified interval. I'm aware of the shutdown_clients directive that 
could help, but I don't like it - I do want the clients get disconnected 
on dovecot shutdown and also I want them to relogin in reasonably short 
time after reload.


Is something like that possible with dovecot or does it make sense to 
implement that in the future versions?


Thank you.

Dave.


Re: Pipe to PHP script using Sieve Extprograms

2017-04-21 Thread Stephan Bosch
On 4/21/2017 at 6:08 PM, Thomas wrote:
> Hello,
>
> I seem to be having some issues trying to setup a pipe to PHP scripts
> using Sieve Extprograms. I am trying to allow each individual mailbox
> to setup its own PHP pipe rules (in other words, each user should be
> able to pipe incoming emails to a user defined PHP script).
>
> I have the following lines in my main Sieve configuration file
> (/etc/dovecot/conf.d/90-sieve.conf):
>
>    sieve_extensions = +vnd.dovecot.pipe
>    sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.execute
>    sieve_plugins = sieve_extprograms
>

I don't see these settings in your dovecot -n output below.

>
> I have configured a Sieve service that looks like this
> (/etc/dovecot/conf.d/90-sieve-extprograms.conf):
>
>    service php {
>      # Define the executed script as parameter to the sieve service
>      executable = /var/run/dovecot/sieve-pipe/php.sh
>
>      # Use some unprivileged user for executing the program
>      user = dovenull
>
>      # The unix socket located in the sieve_pipe_socket_dir (as defined in the
>      # plugin {} section above)
>      unix_listener sieve-pipe/php {
>        # LDA/LMTP must have access
>        user = vmail
>        mode = 0600
>      }
>    }
>
>
>
> Contents of /var/run/dovecot/sieve-pipe/php.sh:
>
>#!/usr/bin/php
>
>
>
> Sieve script for one of my mailboxes:
>
>    require ["fileinto", "regex", "date", "relational", "vacation"];
>    require ["mailbox", "imap4flags", "vnd.dovecot.pipe"];
>
>    # Move spam to spam folder
>    if header :contains "X-Spam-Flag" "YES" {
>      fileinto "Junk";
>      # Stop here so that we do not reply on spams
>      stop;
>    }
>
>    pipe :try "php /var/www/web2/piping.php supp...@example.com"
>
>    keep;
>
>
>
> This results however in the following error in my log file:
>
>main script: line 5: error: require command: unknown Sieve
>capability `vnd.dovecot.pipe'.
>main script: line 14: error: unknown command 'pipe' (only reported
>once at first occurence).
>main script: error: validation failed.
>
>
> I am also not quite confident I have set this up correctly. Am I
> heading in the right direction for what I am trying to achieve?
>
> Dovecot version: 2.2.10
>
> dovecot -n:
>
>    # 2.2.10: /etc/dovecot/dovecot.conf
>    # OS: Linux 3.10.0-514.16.1.el7.x86_64 x86_64 CentOS Linux release 7.3.1611 (Core)
>    auth_mechanisms = plain login
>    disable_plaintext_auth = no
>    listen = *,[::]
>    log_timestamp = "%Y-%m-%d %H:%M:%S "
>    mail_plugins = " quota"
>    mail_privileged_group = vmail
>    managesieve_notify_capability = mailto
>    managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
>    passdb {
>      args = /etc/dovecot-sql.conf
>      driver = sql
>    }
>    plugin {
>      quota = dict:user::file:/var/vmail/%d/%n/.quotausage
>      sieve = /var/vmail/%d/%n/.sieve
>    }
>    protocols = imap pop3
>    service auth {
>      unix_listener /var/spool/postfix/private/auth {
>        group = postfix
>        mode = 0660
>        user = postfix
>      }
>      unix_listener auth-userdb {
>        group = vmail
>        mode = 0600
>        user = vmail
>      }
>      user = root
>    }
>    service imap-login {
>      client_limit = 1000
>      process_limit = 500
>    }
>    service lmtp {
>      unix_listener /var/spool/postfix/private/dovecot-lmtp {
>        group = postfix
>        mode = 0600
>        user = postfix
>      }
>    }
>    ssl_cert = ssl_key = ssl_protocols = !SSLv2 !SSLv3
>    userdb {
>      driver = prefetch
>    }
>    userdb {
>      args = /etc/dovecot-sql.conf
>      driver = sql
>    }
>    protocol imap {
>      mail_plugins = quota imap_quota
>    }
>    protocol pop3 {
>      mail_plugins = quota
>      pop3_uidl_format = %08Xu%08Xv
>    }
>    protocol lda {
>      mail_plugins = sieve quota
>      postmaster_address = root@localhost
>    }
>    protocol lmtp {
>      mail_plugins = quota sieve
>      postmaster_address = webmaster@localhost
>    }


Pipe to PHP script using Sieve Extprograms

2017-04-21 Thread Thomas

Hello,

I seem to be having some issues trying to setup a pipe to PHP scripts 
using Sieve Extprograms. I am trying to allow each individual mailbox to 
setup its own PHP pipe rules (in other words, each user should be able 
to pipe incoming emails to a user defined PHP script).


I have the following lines in my main Sieve configuration file 
(/etc/dovecot/conf.d/90-sieve.conf):


   sieve_extensions = +vnd.dovecot.pipe
   sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.execute
   sieve_plugins = sieve_extprograms


I have configured a Sieve service that looks like this 
(/etc/dovecot/conf.d/90-sieve-extprograms.conf):


   service php {
     # Define the executed script as parameter to the sieve service
     executable = /var/run/dovecot/sieve-pipe/php.sh

     # Use some unprivileged user for executing the program
     user = dovenull

     # The unix socket located in the sieve_pipe_socket_dir (as defined in the
     # plugin {} section above)
     unix_listener sieve-pipe/php {
       # LDA/LMTP must have access
       user = vmail
       mode = 0600
     }
   }



Contents of /var/run/dovecot/sieve-pipe/php.sh:

   #!/usr/bin/php



Sieve script for one of my mailboxes:

   require ["fileinto", "regex", "date", "relational", "vacation"];
   require ["mailbox", "imap4flags", "vnd.dovecot.pipe"];

   # Move spam to spam folder
   if header :contains "X-Spam-Flag" "YES" {
     fileinto "Junk";
     # Stop here so that we do not reply on spams
     stop;
   }

   pipe :try "php /var/www/web2/piping.php supp...@example.com"

   keep;



This results however in the following error in my log file:

   main script: line 5: error: require command: unknown Sieve
   capability `vnd.dovecot.pipe'.
   main script: line 14: error: unknown command 'pipe' (only reported
   once at first occurence).
   main script: error: validation failed.


I am also not quite confident I have set this up correctly. Am I heading 
in the right direction for what I am trying to achieve?


Dovecot version: 2.2.10

dovecot -n:

   # 2.2.10: /etc/dovecot/dovecot.conf
   # OS: Linux 3.10.0-514.16.1.el7.x86_64 x86_64 CentOS Linux release 7.3.1611 (Core)
   auth_mechanisms = plain login
   disable_plaintext_auth = no
   listen = *,[::]
   log_timestamp = "%Y-%m-%d %H:%M:%S "
   mail_plugins = " quota"
   mail_privileged_group = vmail
   managesieve_notify_capability = mailto
   managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
   passdb {
     args = /etc/dovecot-sql.conf
     driver = sql
   }
   plugin {
     quota = dict:user::file:/var/vmail/%d/%n/.quotausage
     sieve = /var/vmail/%d/%n/.sieve
   }
   protocols = imap pop3
   service auth {
     unix_listener /var/spool/postfix/private/auth {
       group = postfix
       mode = 0660
       user = postfix
     }
     unix_listener auth-userdb {
       group = vmail
       mode = 0600
       user = vmail
     }
     user = root
   }
   service imap-login {
     client_limit = 1000
     process_limit = 500
   }
   service lmtp {
     unix_listener /var/spool/postfix/private/dovecot-lmtp {
       group = postfix
       mode = 0600
       user = postfix
     }
   }
   ssl_cert = 

Re: Host ... is being updated before previous update had finished

2017-04-21 Thread Mark Moseley
Timo/Aki/Dovecot guys, any hints here? Is this a bug? Design issue?

On Fri, Apr 7, 2017 at 10:10 AM Mark Moseley  wrote:

> On Mon, Apr 3, 2017 at 6:04 PM, Mark Moseley 
> wrote:
>
>> We just had a bunch of backend boxes go down due to a DDoS in our
>> director cluster. When the DDoS died down, our director ring was a mess.
>>
>> Each box had thousands (and hundreds per second, which is a bit much) of
>> log lines like the following:
>>
>> Apr 03 19:59:29 director: Warning: director(10.1.20.10:9090/left): Host
>> 10.1.17.15 is being updated before previous update had finished (up ->
>> down) - setting to state=down vhosts=100
>> Apr 03 19:59:29 director: Warning: director(10.1.20.10:9090/left): Host
>> 10.1.17.15 is being updated before previous update had finished (down ->
>> up) - setting to state=up vhosts=100
>> Apr 03 19:59:29 director: Warning: director(10.1.20.10:9090/left): Host
>> 10.1.17.15 is being updated before previous update had finished (up ->
>> down) - setting to state=down vhosts=100
>> Apr 03 19:59:29 director: Warning: director(10.1.20.10:9090/left): Host
>> 10.1.17.15 is being updated before previous update had finished (down ->
>> up) - setting to state=up vhosts=100
>> Apr 03 19:59:29 director: Warning: director(10.1.20.10:9090/left): Host
>> 10.1.17.15 is being updated before previous update had finished (up ->
>> down) - setting to state=down vhosts=100
>> Apr 03 19:59:29 director: Warning: director(10.1.20.2:9090/right): Host
>> 10.1.17.15 is being updated before previous update had finished (down ->
>> up) - setting to state=up vhosts=100
>> Apr 03 19:59:29 director: Warning: director(10.1.20.2:9090/right): Host
>> 10.1.17.15 is being updated before previous update had finished (up ->
>> down) - setting to state=down vhosts=100
>> Apr 03 19:59:29 director: Warning: director(10.1.20.2:9090/right): Host
>> 10.1.17.15 is being updated before previous update had finished (down ->
>> up) - setting to state=up vhosts=100
>> Apr 03 19:59:29 director: Warning: director(10.1.20.2:9090/right): Host
>> 10.1.17.15 is being updated before previous update had finished (up ->
>> down) - setting to state=down vhosts=100
>> Apr 03 19:59:29 director: Warning: director(10.1.20.2:9090/right): Host
>> 10.1.17.15 is being updated before previous update had finished (down ->
>> up) - setting to state=up vhosts=100
>>
>> This was on every director box and the status of all of the directors in
>> 'doveadm director ring status' was 'handshaking'.
>>
>> Here's a sample packet between directors:
>>
>> 19:51:23.552280 IP 10.1.20.10.56670 > 10.1.20.1.9090: Flags [P.], seq
>> 4147:5128, ack 0, win 0, options [nop,nop,TS val 1373505883 ecr
>> 1721203906], length 981
>>
>> Q.  [f.|.HOST   10.1.20.10  90901006732 10.1.17.15
>>  100 D1491260800
>> HOST10.1.20.10  90901006733 10.1.17.15  100
>> U1491260800
>> HOST10.1.20.10  90901006734 10.1.17.15  100
>> D1491260800
>> HOST10.1.20.10  90901006735 10.1.17.15  100
>> U1491260800
>> HOST10.1.20.10  90901006736 10.1.17.15  100
>> D1491260800
>> HOST10.1.20.10  90901006737 10.1.17.15  100
>> U1491260800
>> HOST10.1.20.10  90901006738 10.1.17.15  100
>> D1491260800
>> HOST10.1.20.10  90901006739 10.1.17.15  100
>> U1491260800
>> HOST10.1.20.10  90901006740 10.1.17.15  100
>> D1491260800
>> HOST10.1.20.10  90901006741 10.1.17.15  100
>> U1491260800
>> HOST10.1.20.10  90901006742 10.1.17.15  100
>> D1491260800
>> HOST10.1.20.10  90901006743 10.1.17.15  100
>> U1491260800
>> HOST10.1.20.10  90901006744 10.1.17.15  100
>> D1491260800
>> HOST10.1.20.10  90901006745 10.1.17.15  100
>> U1491260800
>> HOST10.1.20.10  90901006746 10.1.17.15  100
>> D1491260800
>> HOST10.1.20.10  90901006747 10.1.17.15  100
>> U1491260800
>> SYNC10.1.20.10  90901011840 7   1491263483  3377546382
>>
>> I'm guessing that D1491260800 is the user hash (with D for down), and the
>> U version is for 'up'.
>>
>> I'm happy to provide the full tcpdump (and/or doveconf -a), though the
>> tcpdump is basically all identical the one I pasted (same hash, same host).
>>
>> This seems pretty fragile. There should be some sort of tie break for
>> that, instead of bringing the entire cluster to its knees. Or just drop the
>> backend host completely. Or something, anything besides hosing things
>> pretty badly.
>>
>> This is 2.2.27, on both the directors and backend. If the answer is
>> upgrade to 2.2.28, then I'll upgrade immediately. I see
>> commit a9ade104616bbb81c34cc6f8bfde5dab0571afac mentions the same error but
>> the commit predates 2.2.27 by a month and a half.
>>
>> In the meantime, is there any doveadm command I could've done to fix
>> this? I tried removing the host 
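
The up/down flapping reported above can be measured from the director log itself. The following is an added example, not part of the original message or of Dovecot: it parses warnings in the format quoted above and reports, per backend host, how many warnings were seen, which director peers sent them, how often the state flipped, and the peak rate per second. The sample lines are constructed in that format, and the function names and threshold are assumptions.

```python
import re
from collections import Counter, defaultdict

# Wording of the director warning as quoted in the message (Dovecot 2.2.27).
WARNING_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) director: Warning: "
    r"director\((?P<peer>[\d.]+:\d+)/(?P<side>left|right)\): "
    r"Host (?P<host>[\d.]+) is being updated before previous update had "
    r"finished \((?P<old>up|down) -> (?P<new>up|down)\) - "
    r"setting to state=(?P<state>up|down) vhosts=(?P<vhosts>\d+)$"
)


def summarize_flaps(lines, per_second_threshold=3):
    """Group 'updated before previous update had finished' warnings by host.

    A host is reported as flapping when its state flipped at least twice and
    at least per_second_threshold warnings landed in one second (the
    threshold is an assumption; the post mentions hundreds per second).
    """
    stats = defaultdict(lambda: {"warnings": 0, "peers": set(), "flips": 0,
                                 "last_state": None, "per_second": Counter()})
    for line in lines:
        m = WARNING_RE.match(line.strip())
        if not m:
            continue                        # unrelated log line
        s = stats[m["host"]]
        s["warnings"] += 1
        s["peers"].add(f'{m["peer"]}/{m["side"]}')
        s["per_second"][m["ts"]] += 1
        if s["last_state"] is not None and s["last_state"] != m["state"]:
            s["flips"] += 1
        s["last_state"] = m["state"]

    report = {}
    for host, s in stats.items():
        peak = max(s["per_second"].values())
        report[host] = {
            "warnings": s["warnings"],
            "peers": sorted(s["peers"]),
            "flips": s["flips"],
            "peak_per_second": peak,
            "flapping": peak >= per_second_threshold and s["flips"] >= 2,
        }
    return report


def sample_log():
    """Constructed sample lines in the format shown in the message."""
    tmpl = ("Apr 03 {ts} director: Warning: director({peer}): Host {host} is "
            "being updated before previous update had finished "
            "({old} -> {new}) - setting to state={new} vhosts=100")
    lines = []
    for i in range(5):                      # left peer: down, up, down, up, down
        old, new = ("up", "down") if i % 2 == 0 else ("down", "up")
        lines.append(tmpl.format(ts="19:59:29", peer="10.1.20.10:9090/left",
                                 host="10.1.17.15", old=old, new=new))
    for i in range(3):                      # right peer: up, down, up
        old, new = ("down", "up") if i % 2 == 0 else ("up", "down")
        lines.append(tmpl.format(ts="19:59:29", peer="10.1.20.2:9090/right",
                                 host="10.1.17.15", old=old, new=new))
    # A second, constructed backend with a single, ordinary state change.
    lines.append(tmpl.format(ts="20:05:00", peer="10.1.20.2:9090/right",
                             host="10.1.17.16", old="up", new="down"))
    lines.append("Apr 03 20:05:01 director: Info: constructed unrelated line")
    return lines


if __name__ == "__main__":
    for host, info in summarize_flaps(sample_log()).items():
        print(host, info)
```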

Issue with POP3s TLS/SSL on port 995 on Outlook 2016

2017-04-21 Thread Bhushan Bhosale
Dear Team,

I'm facing an issue with POP3s TLS/SSL on port 995 only for Outlook 2016. It's 
working fine with dovecot v2.2.28 on the test environment.
Is dovecot v2.2.28 a stable release? I can upgrade the version from 
v2.1.17 to v2.2.28 on production if it's a stable version.
Kindly confirm and provide the proper solution.

Thanks and Regards,

Bhushan

Previous Mail:
==
I have faced an issue with email downloading in the email 
client by using pop3s SSL port 995 in dovecot v2.1.17 for Outlook client 2016 
on the production environment. 
As per my troubleshooting on my test environment, I have upgraded to dovecot 
version v2.2.28, and changed parameter "ssl_dh_parameters_length = 2048" and 
"verbose_ssl = yes". The issue seems to be resolved in dovecot v2.2.28.
What can I do to resolve this issue in dovecot v2.1.17? Kindly help.


Re: Feature Request - Director Balance

2017-04-21 Thread Timo Sirainen
On 20 Apr 2017, at 17.35, Webert de Souza Lima  wrote:
> 
> Hi,
> 
> often I run into the situation where a dovecot server goes down for
> maintenance, and all users get concentrated in the remaining dovecot server
> (considering I have 2 dovecot servers only).
> 
> When that dovecot server comes back online, director server will send new
> users to it, but the dovecot server that was up all the time will still
> have tons of clients mapped to it.
> 
> I suggest the director servers to always try to balance load between
> servers, in the way:
> 
> - if a server has several more connections than other, mark it to
> re-balance
> - when a user connected to this loaded server disconnects, map it to
> another server (that is per definition not the same server) immediately.
> 
> that way it would gracefully re-balance, not killing existing connections,
> just waiting for them to finish.

You could effectively do this by shrinking the director_user_expire time. But 
if it's too low, it causes director to be a bit more inefficient when assigning 
users to backends. Also if backends are doing any background work (e.g. full 
text search indexing) director might move the user away too early. But setting 
it to e.g. 5 minutes would likely help a lot.

There's of course also the doveadm director flush, which can be used to move 
users between backends, but that requires killing the connections for now. I've 
some future plans to make it possible to move connections between backends 
without disconnecting the IMAP client.


Re: namespace assertion failed

2017-04-21 Thread Timo Sirainen
On 20 Apr 2017, at 19.29, Elisamuel Resto  wrote:
> 
> Hello,
> 
> I'm trying to figure out if this is a configuration issue or an actual bug.
> Dovecot does start, but if anybody tries to log in or if you run sievec you
> get an assertion fail and a coredump.
> 
> ---
> sievec(root): Panic: file mail-namespace.c: line 709 (mail_namespace_find):
> assertion failed: (ns != NULL)
> sievec(root): Error: Raw backtrace:
> /usr/lib/dovecot/libdovecot.so.0(+0x9c3a2) [0x7ff70e2133a2] ->
> /usr/lib/dovecot/libdovecot.so.0(+0x9c429) [0x7ff70e213429] ->
> /usr/lib/dovecot/libdovecot.so.0(i_fatal+0) [0x7ff70e1a5e41] ->
> /usr/lib/dovecot/libdovecot-storage.so.0(mail_namespace_find+0xc8)
> [0x7ff70e4e03a8] -> /usr/lib/dovecot/modules/lib11_trash_plugin.so(+0x1e56)

Trash plugin was broken in 2.2.28. Use 2.2.29.


Re: [BUG] config-parser.c: line 89 - crash on comma in namespace mailbox

2017-04-21 Thread Timo Sirainen
On 17 Apr 2017, at 15.45, Alek  wrote:
> 
> Hi!
> On the latest versions (2.2.28, 2.2.29.x) we get a crash on dovecot config 
> parse.
> Error in config parser when checking namespace mailbox name. 
> Reason: comma in mailbox name.
> Worked well in versions < 2.2.22. Do not know if it was working on 
> 2.2.23-2.2.27, skipped these versions.
> 
> Example:
> namespace inbox {
>   mailbox ",BEAEMAQyBDsENQQ9BD0ESwQ1-" {
>     special_use = \Sent
>   }
> }
> 
> doveconf: Panic: file config-parser.c: line 89 (config_add_type): assertion 
> failed: (ret > 0)

Crash isn't good, but you're not supposed to be using mUTF-7 names in here (or 
anywhere in Dovecot configs). Did it ever really even work?

> Info:
> ,BEAEMAQyBDsENQQ9BD0ESwQ1- - is a valid mailbox name for the Russian 
> Outlook folder "Отправленные".

You should be using this name as UTF-8 directly.


Re: LDAP schema ?

2017-04-21 Thread Steffen Kaiser


On Fri, 21 Apr 2017, Mihai Badici wrote:

> On Friday 21 April 2017 08:36:47 Steffen Kaiser wrote:
>
>> On Tue, 18 Apr 2017, Dave Dodd wrote:
>>
>>> I am trying to determine the correct LDAP schema I need to use to have
>>> either mailLocation or mailboxPath available ?
>>>
>>> Should I be just adding this to one of my own custom objectClasses ?
>>
>> Surprisingly, lots of installations seem to work with standard schemas -
>> if you believe internet search results.
>>
>> Dovecot's LDAP connection is very generic, so maybe it's easier to adapt
>> Dovecot to an existing infrastructure than vice versa.
>>
>> However, I have added several Dovecot related attributes and some
>> objectclasses to my schema, esp. to support the generic userdb_import .
>>
>> --
>> Steffen Kaiser
>
> Let me summarize:
> In fact, when using /etc/passwd the only information dovecot needs is the
> username and the password.
> So if you switch to LDAP you only need those attributes. (The e-mail address
> is not needed by dovecot, but is needed for the MTA.)
> You can then use the inetorgperson schema without problems.
> But, since you want to use LDAP, you probably want to take advantage of the
> user management tools, you want to use a Global Address List, maybe multiple
> servers etc.
> When I started to configure my template, I searched for a schema with a
> "vacation" attribute. I even wrote a postfix filter which used this attribute to
> generate autoresponder messages. I found ispenv2.ldif, I still use it, even though I
> switched to sieve for autoresponder so I don't need vacation anymore.
> But ispenv2 also has some nice attributes for managing users "ISP style":
> details about payment, contract, price, user disabled etc.
>
> In the meantime I started to use parts from the kolab project. So I am considering
> also using their schema in the future, because it has some attributes
> useful for enterprise usage scenarios (and because I want to have some
> compatibility).
>
> So, in the end, the reason for choosing a schema or extending the existing one
> is not related mainly to the mail system (which works great with the
> inetorgperson schema, for example) but rather to the organizational model you
> use.


Yes, my thinking, too. I have:

quota
mail location (as override for some users)
import (generic, for anything else, e.g. some users have a home override 
or specific system_uids or groups)


Actually I discovered import too late, otherwise I would not have added 
quota and mail location as stand alone attributes.


There are some other local attributes for other services, so they don't 
hurt. :)


-- 
Steffen Kaiser



Re: LDAP schema ?

2017-04-21 Thread Mihai Badici
On Friday 21 April 2017 08:36:47 Steffen Kaiser wrote:
> On Tue, 18 Apr 2017, Dave Dodd wrote:
> > I am trying to determine the correct LDAP schema I need to use to have
> > either mailLocation or mailboxPath available ?
> > 
> > Should I be just adding this to one of my own custom objectClasses ?
> 
> Surprisingly, lots of installations seem to work with standard schemas -
> if you believe internet search results.
> 
> Dovecot's LDAP connection is very generic, so maybe it's easier to adapt
> Dovecot to an existing infrastructure than vice versa.
> 
> However, I have added several Dovecot related attributes and some
> objectclasses to my schema, esp. to support the generic userdb_import .
> 
> --
> Steffen Kaiser

Let me summarize:
In fact, when using /etc/passwd the only information dovecot needs is the 
username and the password.
So if you switch to LDAP you only need those attributes. (The e-mail address 
is not needed by dovecot, but is needed for the MTA.)
You can then use the inetorgperson schema without problems.
But, since you want to use LDAP, you probably want to take advantage of the 
user management tools, you want to use a Global Address List, maybe multiple 
servers etc.
When I started to configure my template, I searched for a schema with a 
"vacation" attribute. I even wrote a postfix filter which used this attribute to 
generate autoresponder messages. I found ispenv2.ldif, I still use it, even though I 
switched to sieve for autoresponder so I don't need vacation anymore.
But ispenv2 also has some nice attributes for managing users "ISP style": 
details about payment, contract, price, user disabled etc.

In the meantime I started to use parts from the kolab project. So I am considering 
also using their schema in the future, because it has some attributes 
useful for enterprise usage scenarios (and because I want to have some 
compatibility).

So, in the end, the reason for choosing a schema or extending the existing one 
is not related mainly to the mail system (which works great with the 
inetorgperson schema, for example) but rather to the organizational model you 
use.


Re: LDAP schema ?

2017-04-21 Thread Steffen Kaiser


On Tue, 18 Apr 2017, Dave Dodd wrote:

> I am trying to determine the correct LDAP schema I need to use to have either
> mailLocation or mailboxPath available ?
>
> Should I be just adding this to one of my own custom objectClasses ?

Surprisingly, lots of installations seem to work with standard schemas - 
if you believe internet search results.

Dovecot's LDAP connection is very generic, so maybe it's easier to adapt 
Dovecot to an existing infrastructure than vice versa.


However, I have added several Dovecot related attributes and some 
objectclasses to my schema, esp. to support the generic userdb_import .


-- 
Steffen Kaiser



Re: namespace assertion failed

2017-04-21 Thread Steffen Kaiser


On Thu, 20 Apr 2017, Elisamuel Resto wrote:

> I'm trying to figure out if this is a configuration issue or an actual bug.

The assertion certainly is a bug, but you should post your config, too, in 
order to let Timo, Aki, & Co. see how to reproduce the issue.

> Dovecot does start, but if anybody tries to log in or if you run sievec you


-- 
Steffen Kaiser
