Re: Disconnected: Inactivity (no auth attempts in 180 secs)

2017-10-30 Thread Joseph Tam


Alexandre  wrote:


I can send and receive mails using:
IMAP 143 with TLS


OK, IMAP STARTTLS is working in some sense.  (Your MTA handles
SMTP, not dovecot.)


The hangup occurs inside my LAN using Outlook 2016, and outside as well
when trying to access it over 4G from my Android smartphone.

My goal is enable also POP3s and IMAPs using TLS.


[voluminous diagnostics]

I can't really see from what you present what the problem is.
Can you report the output of

openssl s_client -starttls imap {imap-server}:143
openssl s_client -starttls pop3 {imap-server}:110

(from both inside and outside), as well as any matching log entries.

Joseph Tam 


Disconnected: Inactivity (no auth attempts in 180 secs)

2017-10-30 Thread Alexandre

Hi,

 

I hope you guys can understand me since English is not my native language.

 

I am trying to set up Dovecot for IMAP and POP3 on FreeBSD 10.3 and it is not working
on IMAPS or POP3S. Currently my setup is:

OS = FreeBSD 10.3 ( I did not get enough time for update to 11)

Postfix = 3.2.3

Dovecot = 2.2.33.2 (d6601f4ec)

OpenSSL =1.0.1s-freebsd

SSL Certificate = Let's Encrypt

 

 

I can send and receive mails using:

IMAP 143 with TLS

SMTP 587 with TLS

 
Usually on Linux distros it works pretty easily; when I don't forget something this
should work on the first try, but after spending 2 weeks working on it after
arriving home from work without finding any solution, I am trying my luck asking for
help from you guys, the experts on Dovecot.
The hangup occurs inside my LAN using Outlook 2016, and outside as well when trying
to access it over 4G from my Android smartphone.

 

My goal is to also enable POP3S and IMAPS using TLS.

 

This is my data:

 

dovecot -n:

#2.2.33.2 (d6601f4ec): /usr/local/etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.21 (92477967)
# OS: FreeBSD 10.3-RELEASE-p22 amd64 zfs
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = yes
hostname = mail.mydomain.com
imap_client_workarounds = delay-newmail tb-extra-mailbox-sep tb-lsub-flags
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
lda_original_recipient_header = X-Original-To
mail_attachment_fs = sis-queue posix
mail_attachment_hash = %{sha512}
mail_debug = yes
mail_location = maildir:/usr/local/vmail/%d/%n:LAYOUT=fs
mail_plugins = quota acl
mail_privileged_group = vmail
mailbox_list_index = yes
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location = 
  mailbox Archives {
    auto = subscribe
    special_use = \Archive
  }
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Junk {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox "SentMessages" {
    auto = subscribe
    special_use = \Sent
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  mailbox virtual/All {
    auto = subscribe
    comment = All my messages
    special_use = \All
  }
  mailbox virtual/Flagged {
    auto = subscribe
    comment = All my flagged messages
    special_use = \Flagged
  }
  prefix = 
}
passdb {
  args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  acl = vfile
  quota = maildir:User quota
  quota_max_mail_size = 100M
  quota_rule = *:storage=1G
  quota_rule2 = Archive:storage=+1G
  quota_rule3 = Trash:storage=+100M
  quota_warning = storage=80%% quota-warning 80 %u
  sieve = /usr/local/vmail/%d/%n/.dovecot.sieve
  sieve_before = /usr/local/vmail/sieve/before.d/
  sieve_dir = /usr/local/vmail/%d/%n
  sieve_global_dir = /usr/local/vmail/sieve/%d
  sieve_global_path = /usr/local/vmail/sieve/%d/default.sieve
}
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
postmaster_address = postmas...@mydomain.com
protocols = imap pop3 lmtp sieve
quota_full_tempfail = yes
service auth-worker {
  user = vmail
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0600
    user = vmail
  }
}
service dict {
  unix_listener dict {
    mode = 0600
    user = vmail
  }
}
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
  process_min_avail = 2
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
  process_min_avail = 0
  service_count = 1
  vsz_limit = 64 M
}
service pop3-login {
  inet_listener pop3 {
    port = 110
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
service quota-warning {
  executable = script /usr/local/bin/quota-warning.sh
  unix_listener quota-warning {
    user = vmail
  }
  user = dovecot
}
ssl = required

ssl_ca = , rip=192.168.0.95, lip=10.0.0.32, 
TLShandshaking, session=<+Xf>

Oct 25 06:49:38 mail postfix/submission/smtpd[9400]: connect from unknown[192.168.0.95]:50860
Oct 25 06:49:38 mail postfix/submission/smtpd[9400]: Anonymous TLS connection established from unknown[192.168.0.95]:50860: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)

Oct 25 06:49:38 mail dovecot: auth: Debug: auth client connected (pid=0)

Oct 

Re: Password encription

2017-10-30 Thread Joseph Tam

Aki,


(Not speaking for Aki)


I understand that salted passwords saved in my database and a stronger hash
algorithm cause it to require more processor time/power to crack my
passwords.

But only when hackers have direct access to my database, which means that
hackers have access to my password hashes (e.g. hackers have stolen my database).

My Dovecot uses passwords saved in the database as SHA256, and hackers can use
only the SMTP, IMAP or POP3 services to try to crack them using a dictionary attack (I
understand that they use plain-text dictionary passwords).

A stronger hash algorithm and salt are useful when hackers have direct access
to my database, but when they use services such as SMTP, IMAP or POP3
to crack passwords, only a longer and more complicated password can be more
secure.

Do I not understand this correctly?


Yes, your understanding is basically correct.  However, history gives lots
of examples of broken systems that explicitly or implicitly relied on one
critical system not failing -- they lacked defense in depth or resilience.

Examples are "this system has no bugs", "my system does not leak hashes",
"this algorithm is unbreakable", "we'll never see a CAT5 hurricane", etc.
If any of these critical assumptions ever becomes untrue, the foundation of your
defense crumbles.

If you narrow your attack definition to only include in-protocol remote
brute forcing, then any decent password will take far too long to break
that way (esp. with the throttling controls that are built in).  Your log
files will overflow recording the attempts long before you can expect a
password to be cracked.  However, you're still susceptible to the qwerty
passwords.  If this is your *only* line of defense, it is brittle.

A robustly secure system will overlap protection: strong hashes, password
compliance systems, brute force countermeasures, file permissions/OS
hardening, network origin vetting, anti-DoS measures, etc.

Keep in mind this picture that I found on CLCERT:

https://www.clcert.cl/humor/img/weakest-link-road.jpg

Joseph Tam 
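The two layers Joseph contrasts, as an added example that is not part of the thread: a salted, iterated password record for the "hashes leaked" case next to the plain SHA256 the questioner describes, plus the per-client failure throttle that is the actual control against in-protocol guessing (Dovecot's own auth_failure_delay plays that role on a real server). PBKDF2 from the Python standard library stands in for Dovecot's salted schemes such as SHA512-CRYPT; the iteration count, the users and the throttle limits are constructed for the illustration.

```python
"""Defense-in-depth for stored passwords: slow salted hashing for the leak case,
failure throttling for the online-guessing case. Added illustration, stdlib only."""
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Optional, Tuple

ITERATIONS = 100_000  # assumption: sized so one verify costs ~0.1 s on a server


def unsalted_sha256(password: str) -> str:
    """Plain SHA256 of the password, the scheme from the question: fast, and
    equal passwords give equal hashes, so a leaked table already reveals
    which accounts share a password before any guessing starts."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 in a self-describing record."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"$pbkdf2-sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(record: str, password: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        _, scheme, iters, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2-sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Verified against unknown accounts too, so a missing user costs the same time
# as a wrong password and the login path does not leak which usernames exist.
DUMMY_RECORD = hash_password("", salt=b"\x00" * 16)


class LoginThrottle:
    """Per-(user, client) failure window: the in-protocol brute-force control.
    The clock is injectable so the behaviour can be exercised offline."""

    def __init__(self, max_failures: int = 5, window_seconds: float = 300.0,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock
        self._failures: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)

    def allowed(self, user: str, client_ip: str) -> bool:
        now = self.clock()
        q = self._failures[(user, client_ip)]
        while q and now - q[0] > self.window:  # forget failures outside the window
            q.popleft()
        return len(q) < self.max_failures

    def record_failure(self, user: str, client_ip: str) -> None:
        self._failures[(user, client_ip)].append(self.clock())


def attempt_login(records: Dict[str, str], throttle: LoginThrottle,
                  user: str, client_ip: str, password: str) -> str:
    """Returns 'ok', 'bad-password' or 'throttled'. The throttle is checked
    first, so a locked-out client does not even get a hash computation."""
    if not throttle.allowed(user, client_ip):
        return "throttled"
    record = records.get(user, DUMMY_RECORD)
    if verify_password(record, password) and user in records:
        return "ok"
    throttle.record_failure(user, client_ip)
    return "bad-password"
```

Note the ordering in attempt_login: throttling before hashing means a guessing client cannot use the server's deliberately slow hash as a denial-of-service lever, while the record format carries its own salt and cost so the iteration count can be raised later without re-keying existing users.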


Re: How to limit Apple Mail (desktop)?

2017-10-30 Thread Robert Schetterer
On 30.10.2017 at 17:50, Robert Schetterer wrote:
> On 30.10.2017 at 10:38, Rupert Gallagher wrote:
>> By default, Apple Mail downloads all e-mails from the server's account.
>> Previous versions of this client allowed opting out. The latest two
>> versions, however, only allow opting out of downloading the attachments.
>>
>> The stress on the server is unbearable. We cannot ask users to be
>> considerate: this is the default behaviour of Apple Mail.
>>
>> We need a server-side solution to the problem.
>>
>> Please share your ideas.
>>
> 
> First check if you can identify Apple Mail versions in the related logs; I
> recently have none in my log, but e.g. Android does:
> 
> ---log
> ID sent: name=com.samsung.android.email.provider, os=android,
> os-version=7.0; NRD90M, vendor=samsung, x-android-device-model=SM-G930F
> -
> 
> Then you need a procedure for limiting; I have no idea which one.
> 
> Best Regards
> MfG Robert Schetterer
> 

I don't know Apple Mail very well, but as a workaround you might use Sieve
to presort mails on the server at incoming time into (sub)folders which
aren't synced by default, e.g. into a date-named folder; for sure users (you
should know your Apple Mail users) then need to configure an extra
subscription to these folders. Perhaps a combination with virtual folders may
be useful; for now I have no better idea. I am nearly sure this is not what
you expected and/or wanted.

It seems Google has a feature to "hide" mails:

see

https://www.guidingtech.com/44581/prevent-mail-app-space-mac/

However, I feel very strange about this.

Best Regards
MfG Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein


Re: How to limit Apple Mail (desktop)?

2017-10-30 Thread Robert Schetterer
On 30.10.2017 at 10:38, Rupert Gallagher wrote:
> By default, Apple Mail downloads all e-mails from the server's account. Previous
> versions of this client allowed opting out. The latest two versions, however,
> only allow opting out of downloading the attachments.
> 
> The stress on the server is unbearable. We cannot ask users to be
> considerate: this is the default behaviour of Apple Mail.
> 
> We need a server-side solution to the problem.
> 
> Please share your ideas.
> 

First check if you can identify Apple Mail versions in the related logs; I
recently have none in my log, but e.g. Android does:

---log
ID sent: name=com.samsung.android.email.provider, os=android,
os-version=7.0; NRD90M, vendor=samsung, x-android-device-model=SM-G930F
-

Then you need a procedure for limiting; I have no idea which one.

Best Regards
MfG Robert Schetterer



LDAP authentication and shadowExpire

2017-10-30 Thread Mantas Gegužis

Hi,

I am trying to configure Dovecot (2.2.27) with an LDAP passdb,
specifically with authentication binds
(https://wiki.dovecot.org/AuthDatabase/LDAP/AuthBinds).


The attribute shadowExpire has a Unix time stamp value. Is there a way to
write pass_filter like shadowExpire

Re: Dovecot and the Maildir path

2017-10-30 Thread Steffen Kaiser


On Mon, 30 Oct 2017, Will Merkens wrote:


But when I look in the mail server at /var/spool/maildir the testuser is not 
created inside of userful.com but at the same level as userful.com contrary to 
the
%d in mail_location settings.

doveadm -D mailbox list -u 'testu...@userful.com'


this command bypasses passdb.


Oct 30 07:37:12 mail2 dovecot[10722]: auth: Debug: 
ldap(testu...@userful.com,192.168.123.39,): result: 
uid=testuser; uid unused
Oct 30 07:37:12 mail2 dovecot[10722]: auth: Debug: 
ldap(testu...@userful.com,192.168.123.39,): username changed 
testu...@userful.com -> testuser
Oct 30 07:37:12 mail2 dovecot[10722]: auth: Debug: 
ldap(testuser,192.168.123.39,): result: uid=testuser


your passdb strips the domain.


Any ideas and any settings files that I need to post.


Check the LDAP settings for the "user" extra field.

-- 
Steffen Kaiser



Dovecot and the Maildir path

2017-10-30 Thread Will Merkens
System basics
    Centos 7.3
    Dovecot 2.2.32 (dfbe293d4)


I am working on a replacement mail server for work and one of the features I 
wanted was ldap authentication

After much fiddling I got it to work.

But I encountered an issue where two different methods of testing a mail account
resulted in the mail_location being different.

I set  mail_location = maildir:/var/spool/maildir/%d/%n/Maildir in dovecot.conf

when I test the authentication and to see if the folders are created correctly 
on first use I have two results depending on how I test.

First test was from openssl

    openssl s_client -connect mail2:993

I have no problem connecting, I issue the following commands

* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE 
AUTH=PLAIN] Dovecot ready.
a login testu...@userful.com 
a OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT 
SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND
URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED 
I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH 
LIST-STATUS
BINARY MOVE] Logged in
a list "" *
* LIST (\HasNoChildren) "." INBOX
a OK List completed (0.001 + 0.000 secs).
* BYE Disconnected for inactivity.
closed

But when I look in the mail server at /var/spool/maildir the testuser is not 
created inside of userful.com but at the same level as userful.com contrary to 
the
%d in mail_location settings.

Now the second method:

doveadm -D mailbox list -u 'testu...@userful.com'

This correctly creates the user under the domain as specified.

For logs, I have the following from journalctl.

For openssl:

Oct 30 07:37:12 mail2 dovecot[10722]: auth: Debug: client in: AUTH    2 
   PLAIN    service=imap    secured   
session=VgBmvMNcQoTAqHsn    lip=192.168.
123.236    rip=192.168.123.39    lport=993    rport=33858    
resp=AHRlc3R1c2VyQHVzZXJmdWwuY29tADk5dGVzdHVzZXI5OQ== (previous base64 data may
contain sensitive data)
Oct 30 07:37:12 mail2 dovecot[10722]: auth: Debug: 
ldap(testu...@userful.com,192.168.123.39,): bind search: 
base=ou=People,dc=userful,dc=ca
filter=(&(objectClass=posixAccount)(uid=testuser))
Oct 30 07:37:12 mail2 dovecot[10722]: auth: Debug: 
ldap(testu...@userful.com,192.168.123.39,): result: 
uid=testuser; uid unused
Oct 30 07:37:12 mail2 dovecot[10722]: auth: Debug: 
ldap(testu...@userful.com,192.168.123.39,): username changed 
testu...@userful.com -> testuser
Oct 30 07:37:12 mail2 dovecot[10722]: auth: Debug: 
ldap(testuser,192.168.123.39,): result: uid=testuser
Oct 30 07:37:12 mail2 dovecot[10722]: auth: Debug: client passdb out: OK    
2    user=testuser    original_user=testu...@userful.com
Oct 30 07:37:12 mail2 dovecot[10722]: auth: Debug: master in: REQUEST    
2784755713    10725    2    d4a357fe811a1da8bd725b82fc1da2ab   
session_pid=11051    request_auth_token
Oct 30 07:37:12 mail2 dovecot[10722]: auth: Debug: 
ldap(testuser,192.168.123.39,): user search: 
base=ou=People,dc=userful,dc=ca scope=subtree
filter=(&(objectClass=posixAccount)(uid=testuser)) 
fields=homeDirectory,uidNumber,gidNumber
Oct 30 07:37:12 mail2 dovecot[10722]: auth: Debug: 
ldap(testuser,192.168.123.39,): result: 
homeDirectory=/nfs/home/test-user uidNumber=6000
gidNumber=1000; homeDirectory,uidNumber,gidNumber unused
Oct 30 07:37:12 mail2 dovecot[10722]: auth: Debug: 
ldap(testuser,192.168.123.39,): result: 
homeDirectory=/nfs/home/test-user uidNumber=6000
gidNumber=1000
Oct 30 07:37:12 mail2 dovecot[10722]: auth: Debug: master userdb out: USER  
  2784755713    testuser    home=/nfs/home/test-user   
uid=6000    gid=1000    
auth_token=29e6ac32c85cf1b69eeabbe8e4f8e4810e9a3468    
auth_user=testu...@userful.com
Oct 30 07:37:12 mail2 dovecot[10722]: imap-login: Login: user=, 
method=PLAIN, rip=192.168.123.39, lip=192.168.123.236, mpid=11051, TLS,
session=



For doveadm:

Oct 30 07:39:12 mail2 dovecot[10722]: auth: Debug: master in: USER    1 
   testu...@userful.com    service=doveadm
Oct 30 07:39:12 mail2 dovecot[10722]: auth: Debug: ldap(testu...@userful.com): 
user search: base=ou=People,dc=userful,dc=ca scope=subtree
filter=(&(objectClass=posixAccount)(uid=testuser)) 
fields=homeDirectory,uidNumber,gidNumber
Oct 30 07:39:12 mail2 dovecot[10722]: auth: Debug: ldap(testu...@userful.com): 
result: homeDirectory=/nfs/home/test-user uidNumber=6000 gidNumber=1000;
homeDirectory,uidNumber,gidNumber unused
Oct 30 07:39:12 mail2 dovecot[10722]: auth: Debug: ldap(testu...@userful.com): 
result: homeDirectory=/nfs/home/test-user uidNumber=6000 gidNumber=1000
Oct 30 07:39:12 mail2 dovecot[10722]: auth: Debug: userdb out: USER    1
    testu...@userful.com    home=/nfs/home/test-user    uid=6000   
gid=1000

Any ideas, and are there any settings files that I need to post?




-- 
William Merkens
IT Support Analyst
Userful Corporation
+1 
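The mechanism behind both Steffen's answer ("your passdb strips the domain") and Will's observation (the user directory created beside userful.com instead of under it), as an added example that is not from either message: Dovecot expands %u, %n and %d in mail_location from the username the passdb finally returns, so a passdb that rewrites testuser@domain to testuser leaves %d empty and the filesystem collapses the empty path segment. The expansion rules below follow Dovecot's documented variables; the parser, the scanner for the "username changed" debug line, and the sample log lines (which use example.com rather than the thread's domain) are constructed here.

```python
"""Why a passdb 'user' rewrite moves the Maildir: %d/%n expansion of
mail_location, plus a scanner for the auth debug line that reveals the
rewrite. Added illustration; not Dovecot's own code."""
import posixpath
import re
from typing import Iterable, List, Tuple

# The mail_location from the thread.
MAIL_LOCATION = "maildir:/var/spool/maildir/%d/%n/Maildir"

# Constructed auth debug lines in the shape of the ones posted (domain changed).
SAMPLE_AUTH_LOG = [
    "Oct 30 07:37:12 mail2 dovecot[10722]: auth: Debug: "
    "ldap(testuser@example.com,192.168.123.39,<sess>): result: uid=testuser; uid unused",
    "Oct 30 07:37:12 mail2 dovecot[10722]: auth: Debug: "
    "ldap(testuser@example.com,192.168.123.39,<sess>): username changed "
    "testuser@example.com -> testuser",
    "Oct 30 07:37:12 mail2 dovecot[10722]: auth: Debug: client passdb out: OK 2 "
    "user=testuser original_user=testuser@example.com",
]

USERNAME_CHANGED = re.compile(r"username changed (\S+) -> (\S+)")


def split_user(user: str) -> Tuple[str, str]:
    """Return (%n, %d). Dovecot leaves %d empty when the username has no '@'."""
    name, _, domain = user.partition("@")
    return name, domain


def expand_location(template: str, user: str) -> str:
    """Expand %u, %n and %d, then normalise the path the way the filesystem
    will: an empty %d leaves '//' which resolves to a single '/'."""
    name, domain = split_user(user)
    expanded = (template.replace("%u", user)
                        .replace("%n", name)
                        .replace("%d", domain))
    scheme, sep, path = expanded.partition(":")
    if not sep:
        return posixpath.normpath(expanded)
    return f"{scheme}{sep}{posixpath.normpath(path)}"


def find_username_changes(log_lines: Iterable[str]) -> List[Tuple[str, str]]:
    """(original, rewritten) pairs for every 'username changed' debug line."""
    changes = []
    for line in log_lines:
        m = USERNAME_CHANGED.search(line)
        if m:
            changes.append((m.group(1), m.group(2)))
    return changes


def diagnose(template: str, log_lines: Iterable[str]) -> List[dict]:
    """For each rewrite seen in the log, show where the mailbox was expected
    and where the rewritten username actually sends it."""
    findings = []
    for original, rewritten in find_username_changes(log_lines):
        findings.append({
            "original_user": original,
            "rewritten_user": rewritten,
            "expected_location": expand_location(template, original),
            "actual_location": expand_location(template, rewritten),
        })
    return findings


if __name__ == "__main__":
    for f in diagnose(MAIL_LOCATION, SAMPLE_AUTH_LOG):
        print(f"{f['original_user']} -> {f['rewritten_user']}: "
              f"expected {f['expected_location']}, got {f['actual_location']}")
```

doveadm -u bypasses the passdb, which is why the second test in the thread still lands under the domain: diagnose() shows the divergence only for the IMAP login path, where the rewrite happens. The fix Steffen points at is in the LDAP passdb's "user" extra field, not in mail_location.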

Re: Bug: lmtp proxy does not quote local parts with spaces

2017-10-30 Thread David Zambonini
On 26/10/2017 19:33, David Zambonini wrote:
> On 26/10/2017 18:38, Alexander Dalloz wrote:
>> On 26.10.2017 at 12:20, David Zambonini wrote:
>>>
>>> There seems to be a bug with RFC822 processing in lmtp proxying that
>>> doesn't
>>> quote local parts that, for example, contain spaces.
>>
>> Newer related RFCs are RFC 5321 and 5322.
> 
> Typo, meant to say RFC2822, which they still supersede, not that the
> local-part spec has changed. :)
> 
>>
>> [ ... ]
>>
>>> MAIL FROM:\r\n
>>> RCPT TO:\r\n
>>>
>>> 501 5.5.4 Invalid.parameters\r\n
>>
>> That recipient address is totally invalid. It is neither just a local
>> part without a domain, nor a plussed address destination.
>>
>> Check your setup with i.e.
>>
>> RCPT TO:<"Junk E-mail"@deemzed.uk>
>>
>> or
>>
>> RCPT TO:<"test+Junk E-mail"@deemzed.uk>
> 
> Apologies, I was attempting to cut the config down at the time the dump
> was taken. Correcting (I can provide config privately, but not share to
> list), I still get:
> 
> MAIL FROM:\r\n
> RCPT TO:<"deemzed.uk+Junk E-mail"@mailbox.localhost>\r\n
> DATA\r\n
> (etc)
> .\r\n
> 
> 501 5.5.4 Invalid parameters\r\n
> 
> QUIT\r\n
> 
> from director -> dovecot LMTP network dump:
> 
> I could have a look at
> starting to get a fix together tomorrow with an aim to providing a pull
> request, if it turns out there are no side-effects to treating
> lmtp_rcpt.address like this and you'd like an example of what I mean.

My apologies for not adding your address on my initial response, Alexander - not
sure if you noticed what I replied with or not.

Nope, this isn't going to happen. I'm not familiar with the Dovecot internals,
but lmtp uses just the address string in the form of "full address with quotes
stripped from local part but otherwise not decoded" and nothing else throughout,
which touches quite a bit of code. It makes it indeterminate and not always
possible to reassemble the original; it's a bit of a train wreck.

The sanest option to me seems to be to store a decoded local part and
domain in addition to the detail in mail_recipient, and to keep a now properly
RFC 822-encoded address in sync with it. However, this would cause a deviation
from existing behaviour for the full original user (the quotes would be seen).

I'm between a rock and a hard place here; at the very least I'd like this bug
to be officially recognised.

-- 
David Zambonini
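What correct handling of the addresses in this thread looks like, as an added example that is not David's proposed patch or Dovecot's code: a local part containing a space (or '"', '\', or any character outside the dot-atom set) must travel as an RFC 5321 quoted-string, and stripping the quotes produces exactly the unquoted form the receiving LMTP server rejects with 501. The formatter below picks dot-atom or quoted-string, and the parser is its inverse, rejecting the unquoted form the way the server did. The domains reuse deemzed.uk from the thread; everything else is constructed.

```python
"""RFC 5321 mailbox formatting and parsing with quoted local parts.
Added illustration of the bug report above; not Dovecot's code."""
import string
from typing import Tuple

# atext from RFC 5322 section 3.2.3: what may appear unquoted in a local part.
ATEXT = set(string.ascii_letters + string.digits + "!#$%&'*+-/=?^_`{|}~")


def is_dot_atom(local: str) -> bool:
    """True if the local part needs no quoting (atext groups joined by single dots)."""
    if not local or local.startswith(".") or local.endswith(".") or ".." in local:
        return False
    return all(c in ATEXT or c == "." for c in local)


def quote_local_part(local: str) -> str:
    """Return the local part as dot-atom if possible, else as a quoted-string
    with '"' and '\\' escaped by backslash (quoted-pairSMTP)."""
    if is_dot_atom(local):
        return local
    out = []
    for c in local:
        if c in '"\\':
            out.append("\\" + c)
        elif 32 <= ord(c) <= 126:
            out.append(c)
        else:
            raise ValueError(f"non-printable character in local part: {c!r}")
    return '"' + "".join(out) + '"'


def format_mailbox(local: str, domain: str) -> str:
    """The form that belongs inside RCPT TO:<...>."""
    return f"{quote_local_part(local)}@{domain}"


def naive_format(local: str, domain: str) -> str:
    """The broken form: quotes stripped, nothing re-added. Shown for contrast."""
    return f"{local}@{domain}"


def parse_mailbox(addr: str) -> Tuple[str, str]:
    """Inverse of format_mailbox: (local, domain) with quoting removed.
    Raises ValueError for forms a server would answer with 501."""
    if addr.startswith('"'):
        i, buf = 1, []
        while i < len(addr):
            c = addr[i]
            if c == "\\":
                if i + 1 >= len(addr):
                    raise ValueError("dangling backslash in quoted local part")
                buf.append(addr[i + 1])
                i += 2
                continue
            if c == '"':
                break
            buf.append(c)
            i += 1
        else:
            raise ValueError("unterminated quoted-string")
        rest = addr[i + 1:]
        if not rest.startswith("@") or len(rest) < 2:
            raise ValueError("expected '@domain' after quoted local part")
        return "".join(buf), rest[1:]
    local, at, domain = addr.rpartition("@")
    if not at or not domain or not is_dot_atom(local):
        raise ValueError(f"invalid mailbox: {addr!r}")
    return local, domain
```

A proxy that stores the decoded local part and domain separately, as David suggests, only needs format_mailbox() at the point where it rebuilds the RCPT TO line; the round trip through parse_mailbox() is what guarantees the original is recoverable.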


How to limit Apple Mail (desktop)?

2017-10-30 Thread Rupert Gallagher
By default, Apple Mail downloads all e-mails from the server's account. Previous
versions of this client allowed opting out. The latest two versions, however,
only allow opting out of downloading the attachments.

The stress on the server is unbearable. We cannot ask users to be considerate: 
this is the default behaviour of Apple Mail.

We need a server-side solution to the problem.

Please share your ideas.

Replication to wrong mailbox

2017-10-30 Thread Ralf Becker
It has now happened twice that replication created folders and mails in the
wrong mailbox :(

Here's the architecture we use:
- 2 Dovecot (2.2.32) backends in two different datacenters replicating
via a VPN connection
- Dovecot directors in both datacenters talk to both backends with a
vhost_count of 100 vs 1 for the local vs remote backend
- backends use a proxy dict via a unix domain socket and socat to talk via
TCP to a dict on a different server (Kubernetes cluster)
- backends have a local SQLite userdb for iteration (also containing
home directories, as just iteration is not possible)
- serving around 7000 mailboxes in roughly 200 different domains

Everything works as expected until the dict is not reachable, e.g. due to a
server failure or a planned reboot of a node of the Kubernetes cluster.
In that situation it can happen that some requests are not answered,
even with Kubernetes running multiple instances of the dict.
I can only speculate what happens then: it seems the connection failure
to the remote dict is not correctly handled and leads to a situation in
which the last mailbox/home directory is used for the replication :(

When it happened the first time we attributed it to the fact that the
SQLite database at that time contained no home directory information,
which we fixed afterwards. This first time (server failure) took a couple of
minutes and led to many mailboxes containing mostly folders but also
some newly arrived mails belonging to other mailboxes/users. We could only
resolve that situation by rolling back to a ZFS snapshot from before the
downtime.

The second time was last Friday night during a (much shorter) reboot of
a Kubernetes node and led only to a single mailbox containing folders
and mails of other mailboxes. That was verified by looking at timestamps
of directories below $home/mdbox/mailboxes and files in $home/mdbox/storage.
I cannot tell if adding the home directory to the SQLite database or
the shorter duration of the failure limited the wrong replication to a
single mailbox.

Can someone with more knowledge of the Dovecot code please check/verify
how replication deals with failures in the proxy dict? I'm of course happy to
provide more information about our configuration if needed.

Here is an excerpt of our configuration (full doveconf -n is attached):

passdb {
  args = /etc/dovecot/dovecot-dict-master-auth.conf
  driver = dict
  master = yes
}
passdb {
  args = /etc/dovecot/dovecot-dict-auth.conf
  driver = dict
}
userdb {
  driver = prefetch
}
userdb {
  args = /etc/dovecot/dovecot-dict-auth.conf
  driver = dict
}
userdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}

dovecot-dict-auth.conf:
uri = proxy:/var/run/dovecot_auth_proxy/socket:backend
password_key = passdb/%u/%w
user_key = userdb/%u
iterate_disable = yes

dovecot-dict-master-auth.conf:
uri = proxy:/var/run/dovecot_auth_proxy/socket:backend
password_key = master/%{login_user}/%u/%w
iterate_disable = yes

dovecot-sql.conf:
driver = sqlite
connect = /etc/dovecot/users.sqlite
user_query = SELECT home,NULL AS uid,NULL AS gid FROM users WHERE userid
= '%n' AND domain = '%d'
iterate_query = SELECT userid AS username, domain FROM users

-- 
Ralf Becker
EGroupware GmbH [www.egroupware.org]
Commercial register HRB Kaiserslautern 3587
Managing directors Birgit and Ralf Becker
Leibnizstr. 17, 67663 Kaiserslautern, Germany
Telephone +49 631 31657-0
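The failure mode Ralf speculates about, modelled as an added illustration that is neither Dovecot's code nor a confirmed account of its behaviour: a userdb lookup that quietly reuses the previous answer when the dict backend does not respond sends one user's replication into another user's home directory, whereas a lookup that fails closed returns a temporary failure so the replicator defers and retries. The key format follows the user_key = userdb/%u line in the posted dovecot-dict-auth.conf; the backend, users and home directories are constructed.

```python
"""Fail-closed versus stale-state userdb lookups when the dict backend is
unreachable. Added illustration of the hypothesis in the report above."""
from typing import Dict, Iterable, List, Optional, Set

# Constructed userdb contents, keyed the way user_key = userdb/%u would key them.
HOMES = {
    "userdb/alice@example.com": "/srv/vmail/example.com/alice",
    "userdb/bob@example.com": "/srv/vmail/example.com/bob",
}
USERS = ["alice@example.com", "bob@example.com"]


class BackendDown(Exception):
    """The proxied dict did not answer (node reboot, server failure)."""


class TempFail(Exception):
    """Tell the caller to retry later rather than guess a mailbox."""


class FlakyDict:
    """Stand-in for the remote dict: a fixed table that fails for the keys in
    `fail_on`, simulating requests that go unanswered during an outage."""

    def __init__(self, homes: Dict[str, str], fail_on: Iterable[str] = ()):
        self.homes = homes
        self.fail_on: Set[str] = set(fail_on)

    def lookup(self, key: str) -> str:
        if key in self.fail_on:
            raise BackendDown(key)
        return self.homes[key]


class StaleStateResolver:
    """Hypothetical buggy resolver: keeps the last successful answer in a
    field and hands it out again whenever the backend fails."""

    def __init__(self, backend: FlakyDict):
        self.backend = backend
        self._last_home: Optional[str] = None

    def home_for(self, user: str) -> Optional[str]:
        try:
            self._last_home = self.backend.lookup(f"userdb/{user}")
        except BackendDown:
            pass  # falls through to whatever the previous user's lookup returned
        return self._last_home


class FailClosedResolver:
    """Fail-closed resolver: a backend error becomes a temporary failure."""

    def __init__(self, backend: FlakyDict):
        self.backend = backend

    def home_for(self, user: str) -> str:
        try:
            return self.backend.lookup(f"userdb/{user}")
        except BackendDown as exc:
            raise TempFail(f"userdb lookup for {user} failed; retry later") from exc


def replicate(resolver, users: Iterable[str]) -> Dict[str, Optional[str]]:
    """Home directory each user's replication run would write into;
    None records a deferred run instead of a guessed location."""
    placed: Dict[str, Optional[str]] = {}
    for user in users:
        try:
            placed[user] = resolver.home_for(user)
        except TempFail:
            placed[user] = None
    return placed


def misrouted(placed: Dict[str, Optional[str]], truth: Dict[str, str]) -> List[str]:
    """Users whose replication landed in a directory that is not their own."""
    return [u for u, home in placed.items()
            if home is not None and home != truth[f"userdb/{u}"]]


if __name__ == "__main__":
    backend = FlakyDict(HOMES, fail_on={"userdb/bob@example.com"})
    print("stale-state:", misrouted(replicate(StaleStateResolver(backend), USERS), HOMES))
    print("fail-closed:", misrouted(replicate(FailClosedResolver(backend), USERS), HOMES))
```

The point for a deployment like the one described is that a deferred replication run is recoverable while a misrouted one needs a snapshot rollback; whatever the real cause turns out to be, the userdb path should never be able to answer with a home directory it did not obtain for that user.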

# 2.2.32 (dfbe293d4): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.20 (7cd71ba)
# OS: Linux 4.4.0-97-generic x86_64  
auth_cache_negative_ttl = 2 mins
auth_cache_size = 10 M
auth_cache_ttl = 5 mins
auth_master_user_separator = *
auth_mechanisms = plain login
auth_username_chars = 
"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@#"
default_client_limit = 3500
default_process_limit = 512
disable_plaintext_auth = no
doveadm_password =  # hidden, use -P to show it
doveadm_port = 12345
first_valid_uid = 90
listen = *
log_path = /dev/stderr
mail_access_groups = dovecot
mail_gid = dovecot
mail_location = mdbox:~/mdbox
mail_log_prefix = "%s(%u %p): "
mail_max_userip_connections = 200
mail_plugins = acl quota notify replication mail_log
mail_uid = dovecot
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character 
vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy 
include variables body enotify environment mailbox date ihave vnd.dovecot.debug
mbox_min_index_size = 1000 B
mdbox_rotate_size = 50 M
namespace inboxes {
  inbox = yes
  location = 
  mailbox Drafts {
auto = subscribe
special_use = \Drafts
  }
  mailbox Junk {
auto = subscribe
special_use = \Junk
  }
  mailbox Sent {
auto = subscribe
special_use = \Sent
  }
  mailbox Templates {
auto = subscribe
  }
  mailbox Trash {
auto = subscribe
special_use = \Trash
  }
  prefix = INBOX/
  separator = /
  subscriptions = no
}
namespace subs {
  hidden = yes
  list = no
  location = 
  prefix = 
  separator = /
}
namespace users {

Re: dovecot-2.3 (-git) Warning and Fatal Compile Error

2017-10-30 Thread Teemu Huovila


On 30.10.2017 09:10, Aki Tuomi wrote:
> 
> 
> On 30.10.2017 00:23, Reuben Farrelly wrote:
>> Hi Aki,
>>
>> On 30/10/2017 12:43 AM, Aki Tuomi wrote:
 On October 29, 2017 at 1:55 PM Reuben Farrelly
  wrote:


 Hi again,

 Chasing down one last problem which seems to have been missed from my
 last email:

 On 20/10/2017 9:22 PM, Stephan Bosch wrote:
>
> On 20-10-2017 at 4:23, Reuben Farrelly wrote:
>> On 18/10/2017 11:40 PM, Timo Sirainen wrote:
>>> On 18 Oct 2017, at 6.34, Reuben Farrelly 
>>> wrote:
 This problem below is still present in 2.3 -git, as of version
 2.3.devel
 (6fc40674e)

>>> Secondly, this ssl_dh messages is always printed from doveconf:
>>>
>>> doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem
>>> doveconf: Warning: You can generate it with: dd
>>> if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dh
>>> -inform der > /etc/dovecot/dh.pem
>>>
>>> Yet the file is there:
>>>
>>> thunderstorm conf.d # ls -la /etc/dovecot/dh.pem
>>> -rw-r--r-- 1 root root 769 Oct 19 21:55 /etc/dovecot/dh.pem
>>>
>>> And the config is there as well:
>>>
>>> thunderstorm dovecot # doveconf -P | grep ssl_dh
>>> ssl_dh = 
>>> doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem
>>> doveconf: Warning: You can generate it with: dd
>>> if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dh
>>> -inform der > /etc/dovecot/dh.pem
>>>    ssl_dh = -BEGIN DH PARAMETERS-
>>>    ssl_dh = -BEGIN DH PARAMETERS-
>>>    ssl_dh = -BEGIN DH PARAMETERS-
>>>    ssl_dh = -BEGIN DH PARAMETERS-
>>>    ssl_dh = -BEGIN DH PARAMETERS-
>>>    ssl_dh = -BEGIN DH PARAMETERS-
>>>    ssl_dh = -BEGIN DH PARAMETERS-
>>>    ssl_dh = -BEGIN DH PARAMETERS-
>>> thunderstorm dovecot #
>>>
>>> It appears that this warning is being triggered by the presence of
>>> the ssl-parameters.dat file because when I remove it the warning
>>> goes away. Perhaps the warning could be made a bit more specific
>>> about this file being removed if it is not required because at the
>>> moment the warning message is not related to the trigger.
>>>
>>> Thanks,
>>> Reuben
 Thanks,
 Reuben
>>> It is triggered when there is ssl-parameters.dat file *AND* there is
>>> no ssl_dh=< explicitly set in config file.
>>>
>>> Aki
>>
>> I have this already in my 10-ssl.conf file:
>>
>> lightning dovecot # /etc/init.d/dovecot reload
>> doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem
>> doveconf: Warning: You can generate it with: dd
>> if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dh
>> -inform der > /etc/dovecot/dh.pem
>>  * Reloading dovecot configs and restarting auth/login processes
>> ...  [ ok ]
>> lightning dovecot #
>>
>> However:
>>
>> lightning dovecot # grep ssl_dh conf.d/10-ssl.conf
>> # gives on startup when ssl_dh is unset.
>> ssl_dh=</etc/dovecot/dh.pem
>> lightning dovecot #
>>
>> and the file is there:
>>
>> lightning dovecot # ls -la /etc/dovecot/dh.pem
>> -rw-r--r-- 1 root root 769 Oct 19 19:06 /etc/dovecot/dh.pem
>> lightning dovecot #
>>
>> So it is actually configured and yet the warning still is present.
>>
>> Reuben
> 
> Hi!
> 
> I gave this a try, and I was not able to repeat this issue. Perhaps you
> are still missing ssl_dh somewhere?
> 
> Aki
> 
Hello

Just a guess, but at this point I would recommend reviewing the output of 
"doveconf -n" to make sure the appropriate settings are present.

br,
Teemu


Re: dovecot-2.3 (-git) Warning and Fatal Compile Error

2017-10-30 Thread Aki Tuomi


On 30.10.2017 00:23, Reuben Farrelly wrote:
> Hi Aki,
>
> On 30/10/2017 12:43 AM, Aki Tuomi wrote:
>>> On October 29, 2017 at 1:55 PM Reuben Farrelly
>>>  wrote:
>>>
>>>
>>> Hi again,
>>>
>>> Chasing down one last problem which seems to have been missed from my
>>> last email:
>>>
>>> On 20/10/2017 9:22 PM, Stephan Bosch wrote:

 On 20-10-2017 at 4:23, Reuben Farrelly wrote:
> On 18/10/2017 11:40 PM, Timo Sirainen wrote:
>> On 18 Oct 2017, at 6.34, Reuben Farrelly 
>> wrote:
>>> This problem below is still present in 2.3 -git, as of version
>>> 2.3.devel
>>> (6fc40674e)
>>>
>> Secondly, this ssl_dh messages is always printed from doveconf:
>>
>> doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem
>> doveconf: Warning: You can generate it with: dd
>> if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dh
>> -inform der > /etc/dovecot/dh.pem
>>
>> Yet the file is there:
>>
>> thunderstorm conf.d # ls -la /etc/dovecot/dh.pem
>> -rw-r--r-- 1 root root 769 Oct 19 21:55 /etc/dovecot/dh.pem
>>
>> And the config is there as well:
>>
>> thunderstorm dovecot # doveconf -P | grep ssl_dh
>> ssl_dh = 
>> doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem
>> doveconf: Warning: You can generate it with: dd
>> if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dh
>> -inform der > /etc/dovecot/dh.pem
>>    ssl_dh = -BEGIN DH PARAMETERS-
>>    ssl_dh = -BEGIN DH PARAMETERS-
>>    ssl_dh = -BEGIN DH PARAMETERS-
>>    ssl_dh = -BEGIN DH PARAMETERS-
>>    ssl_dh = -BEGIN DH PARAMETERS-
>>    ssl_dh = -BEGIN DH PARAMETERS-
>>    ssl_dh = -BEGIN DH PARAMETERS-
>>    ssl_dh = -BEGIN DH PARAMETERS-
>> thunderstorm dovecot #
>>
>> It appears that this warning is being triggered by the presence of
>> the ssl-parameters.dat file because when I remove it the warning
>> goes away. Perhaps the warning could be made a bit more specific
>> about this file being removed if it is not required because at the
>> moment the warning message is not related to the trigger.
>>
>> Thanks,
>> Reuben
>>> Thanks,
>>> Reuben
>> It is triggered when there is ssl-parameters.dat file *AND* there is
>> no ssl_dh=< explicitly set in config file.
>>
>> Aki
>
> I have this already in my 10-ssl.conf file:
>
> lightning dovecot # /etc/init.d/dovecot reload
> doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem
> doveconf: Warning: You can generate it with: dd
> if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dh
> -inform der > /etc/dovecot/dh.pem
>  * Reloading dovecot configs and restarting auth/login processes
> ...  [ ok ]
> lightning dovecot #
>
> However:
>
> lightning dovecot # grep ssl_dh conf.d/10-ssl.conf
> # gives on startup when ssl_dh is unset.
> ssl_dh=</etc/dovecot/dh.pem
> lightning dovecot #
>
> and the file is there:
>
> lightning dovecot # ls -la /etc/dovecot/dh.pem
> -rw-r--r-- 1 root root 769 Oct 19 19:06 /etc/dovecot/dh.pem
> lightning dovecot #
>
> So it is actually configured and yet the warning still is present.
>
> Reuben

Hi!

I gave this a try, and I was not able to repeat this issue. Perhaps you
are still missing ssl_dh somewhere?

Aki