Re: Username character disallowed by auth_username_chars: 0x13

2017-11-28 Thread Aki Tuomi

> On November 29, 2017 at 5:58 AM Alex  wrote:
> 
> 
> Hi, I'm receiving the following messages in my mail logs that I
> haven't seen before:
> 
> Nov 28 22:45:31 bwipropemail dovecot: auth: login(?,179.210.41.21):
> Username character disallowed by auth_username_chars: 0x13 (username:
> AB?)
> Nov 28 22:45:31 bwipropemail dovecot: auth: login(?,179.210.41.21):
> Username character disallowed by auth_username_chars: 0x13 (username:
> AB?)
> 
> There's thousands of them, from hundreds of different IP addresses. I
> suspect it's an exploit attempt, but does anyone know which?
> 
> I've added a fail2ban entry, but I'd also like to make sure my dovecot
> is not vulnerable. This is on a fc25 system with all updates.

0x13 is carriage return, so it could just be a mistake in the spam robot's code.

Aki
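
A way to triage the rejections reported in this thread, as an added example that is not part of any post here: the Python below groups the auth_username_chars log lines by rejected byte value and counts distinct source addresses, which is the useful view when the events come from many IPs. The sample log is constructed (wrapped lines re-joined, placeholder host and addresses), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the format quoted in this thread, with the wrapped
# syslog lines re-joined; host name and addresses are placeholders.
SAMPLE_LOG = """\
Nov 28 22:45:31 mailhost dovecot: auth: login(?,192.0.2.10): Username character disallowed by auth_username_chars: 0x13 (username: AB?)
Nov 28 22:45:31 mailhost dovecot: auth: login(?,192.0.2.10): Username character disallowed by auth_username_chars: 0x13 (username: AB?)
Nov 28 22:45:40 mailhost dovecot: auth: login(?,198.51.100.7): Username character disallowed by auth_username_chars: 0x13 (username: AB?)
Nov 28 22:46:02 mailhost dovecot: auth: plain(?,203.0.113.5): Username character disallowed by auth_username_chars: 0x27 (username: a?)
Nov 28 22:46:09 mailhost dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.44
"""

# Matches only the rejection message; other dovecot lines are ignored.
REJECT = re.compile(
    r"dovecot: auth: (?P<tag>[\w-]+)\([^,]*,(?P<ip>[0-9A-Fa-f:.]+)[^)]*\): "
    r"Username character disallowed by auth_username_chars: "
    r"0x(?P<byte>[0-9A-Fa-f]{2})"
)

def summarize_rejections(log_text):
    """Map each rejected byte value to {'events': n, 'sources': set of IPs}."""
    summary = defaultdict(lambda: {"events": 0, "sources": set()})
    for line in log_text.splitlines():
        m = REJECT.search(line)
        if m is None:
            continue
        entry = summary[int(m.group("byte"), 16)]
        entry["events"] += 1
        entry["sources"].add(m.group("ip"))
    return dict(summary)

def distributed_patterns(log_text, min_sources=2):
    """Byte values rejected from at least min_sources distinct addresses."""
    return sorted(b for b, e in summarize_rejections(log_text).items()
                  if len(e["sources"]) >= min_sources)

if __name__ == "__main__":
    for byte, e in sorted(summarize_rejections(SAMPLE_LOG).items()):
        print("0x%02x: %d events from %d sources"
              % (byte, e["events"], len(e["sources"])))
```

The same byte value arriving from many unrelated addresses points to one client implementation behind the traffic, and the message itself shows Dovecot rejecting the username before any lookup.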


Re: Lua Auth

2017-11-28 Thread Aki Tuomi

> On November 29, 2017 at 4:37 AM Mark Moseley  wrote:
> 
> 
> Just happened to be surfing the docs and saw this. This is beyond awesome:
> 
> https://wiki2.dovecot.org/AuthDatabase/Lua
> 
> Any words of wisdom on using it? I'd be putting a bunch of mysql logic in
> it. Any horrible gotchas there? When it says 'blocking', should I assume
> that means that an auth worker process will *not* accept any new auth
> lookups until both auth_passdb_lookup() and auth_userdb_lookup() have
> completed (in which I'd be doing several mysql calls)? If that's the case,
> I assume that the number of auth workers should be bumped up.
> 
> And is a 2.3 release fairly imminent?

Hi!

This feature was added very recently, and there is very little operational 
experience on it. As the docs should say, blocking=yes means that an auth 
worker is used, and yes, it will block each auth worker during authentication, 
but from what we tried, it should perform rather nicely.

The most important gotcha is to always test your lua code rigorously, because 
there is not much we can do to save you.

It should be present in master branch, so if someone feels like trying it out, 
please let us know if you find any bugs or strangeness. It's not present in 
nightlies yet.

We are planning on releasing 2.3.0 this year.

Aki


Username character disallowed by auth_username_chars: 0x13

2017-11-28 Thread Alex
Hi, I'm receiving the following messages in my mail logs that I
haven't seen before:

Nov 28 22:45:31 bwipropemail dovecot: auth: login(?,179.210.41.21):
Username character disallowed by auth_username_chars: 0x13 (username:
AB?)
Nov 28 22:45:31 bwipropemail dovecot: auth: login(?,179.210.41.21):
Username character disallowed by auth_username_chars: 0x13 (username:
AB?)

There's thousands of them, from hundreds of different IP addresses. I
suspect it's an exploit attempt, but does anyone know which?

I've added a fail2ban entry, but I'd also like to make sure my dovecot
is not vulnerable. This is on a fc25 system with all updates.


Lua Auth

2017-11-28 Thread Mark Moseley
Just happened to be surfing the docs and saw this. This is beyond awesome:

https://wiki2.dovecot.org/AuthDatabase/Lua

Any words of wisdom on using it? I'd be putting a bunch of mysql logic in
it. Any horrible gotchas there? When it says 'blocking', should I assume
that means that an auth worker process will *not* accept any new auth
lookups until both auth_passdb_lookup() and auth_userdb_lookup() have
completed (in which I'd be doing several mysql calls)? If that's the case,
I assume that the number of auth workers should be bumped up.

And is a 2.3 release fairly imminent?


Re: XDOVECOT capability?

2017-11-28 Thread Teemu Huovila


On 28.11.2017 20:04, Hogne Vevle wrote:
> Hi!
> 
> Here and there, I'm seeing mentions of a "XDOVECOT" capability - e.g. on 
> https://documentation.open-xchange.com/7.8.2/middleware/components/search/crossfolder_fts_in_mail.html
>  .
> 
> However, I can't seem to find any documentation on what this actually does. 
> 
> We need to add this capability to our servers in order for certain 
> functionality of Open Xchange App Suite to work properly (as seen in the link 
> above), but we don't want to blindly update our entire Dovecot cluster just 
> because their docs tell us to :) 
> 
> Can someone, please, shed some light on what other effects we can expect to 
> see after enabling this capability, if any? Or is it simply a way of telling 
> clients that "Hey, I'm a Dovecot server" - nothing else?
This last statement is correct. It is only used to assure the client that the 
functionality is there. The various features are enabled by their respective 
settings.

br,
Teemu

> 
> Cheers,
> 
> - Hogne
> 


Re: How to make dovecot access a MySQL database with a certain domain?

2017-11-28 Thread Tobi
The @localhost part is correct if you are connecting to mysql at 127.0.0.1. It's 
the rdns of the connecting client. 
Are you sure that the user postfix has access rights to postfix database? Can 
you connect on cli using something like
mysql -upostfix -ppostfix postfix 
?


On 28 November 2017 19:08:12 CET, Spike98 wrote:
>I am trying to make a mail server with Postfix using the Dovecot
>software. At the time of wanting to access my server from a mail
>client, it does not let me access and see the logs of my server with
>the command:
>
>$ service dovecot status
>with the following error:
>
>dovecot: auth-worker(2769): Error: mysql(127.0.0.1): Connect failed to
>database (postfix): Access denied for user 'postfix'@'localhost' (using
>password: YES) - waiting for 125 seconds before retry
>
>From what I understand of this error is that it is trying to enter
>'postfix' @ 'localhost' instead of the domain that I specify when I
>made the database that is mydomain.com
>
>How can you make dovecot go to MySQL with post...@mydomain.com instead
>of localhost
>
>This is my Dovecot configuration
>
>/etc/dovecot/dovecot-sql.conf.ext
>
>driver=mysql
>
>default_pass_scheme=PLAIN-MD5
>
>connect=host=127.0.0.1 dbname=postfix user=postfix password=postfix
>
>password_query=SELECT username,domain,password FROM usuarios WHERE
>username='%n' AND domain='%d'
>
>user_query=SELECT 1007 as uid, 1007 as gid,
>concat("maildir:/var/vmail",domain,'/',username,'/') as mail FROM
>usuarios WHERE username='%n' AND domain='%d'
>
>iterate_query=SELECT username,domain FROM usuarios

-- 
This message was sent from my Android device with K-9 Mail.


Re: How to make dovecot access a MySQL database with a certain domain?

2017-11-28 Thread Roger Klorese
Replace 127.0.0.1 with the domain name.
On Tue, Nov 28, 2017 at 10:08 AM Spike98  wrote:

> I am trying to make a mail server with Postfix using the Dovecot software.
> At the time of wanting to access my server from a mail client, it does not
> let me access and see the logs of my server with the command:
>
> $ service dovecot status
> with the following error:
>
> dovecot: auth-worker(2769): Error: mysql(127.0.0.1): Connect failed to
> database (postfix): Access denied for user 'postfix'@'localhost' (using
> password: YES) - waiting for 125 seconds before retry
>
> From what I understand of this error is that it is trying to enter
> 'postfix' @ 'localhost' instead of the domain that I specify when I made
> the database that is mydomain.com
>
> How can you make dovecot go to MySQL with post...@mydomain.com instead of
> localhost
>
> This is my Dovecot configuration
>
> /etc/dovecot/dovecot-sql.conf.ext
>
> driver=mysql
>
> default_pass_scheme=PLAIN-MD5
>
> connect=host=127.0.0.1 dbname=postfix user=postfix password=postfix
>
> password_query=SELECT username,domain,password FROM usuarios WHERE
> username='%n' AND domain='%d'
>
> user_query=SELECT 1007 as uid, 1007 as gid,
> concat("maildir:/var/vmail",domain,'/',username,'/') as mail FROM usuarios
> WHERE username='%n' AND domain='%d'
>
> iterate_query=SELECT username,domain FROM usuarios


Re: Imapsieve plugin?

2017-11-28 Thread Bruce
Thanks, Jeff. That answers my question. This is where the question 
came from: 
https://words.bombast.net/rspamd-with-postfix-dovecot-debian-stretch/


I was working on the sieve configuration and saw all the calls to 
imap-sieve etc.



On 11/27/2017 11:27 PM, Jeff wrote:

On 11/27/17 2:41 AM, Bruce wrote:

Debian stretch.
Dovecot 2.2.27

I was working with a document that references the imapsieve plugin.  
It references the /etc/dovecot/conf.d/90-imapsieve.conf file.


The only reference I've found for it is 
https://wiki2.dovecot.org/Pigeonhole/Sieve/Plugins/IMAPSieve#Configuration.


I've got dovecot-managedsieve and dovecot-sieve already installed.  
Am I missing something obvious here?


Bruce M.
While you might be missing an empty file or commented-out example, 
dovecot.conf generally includes


  !include conf.d/*.conf

  !include_try local.conf

which will read in the contents of those files.

I personally like to keep everything in local.conf,
or at least out of the distro-supplied files
so I'm not surprised after an upgrade.

I don't see the 90-imapsieve.conf file in the git repo either
https://github.com/dovecot/core/tree/master/doc/example-config/conf.d

Jeff





How to make dovecot access a MySQL database with a certain domain?

2017-11-28 Thread Spike98
I am trying to make a mail server with Postfix using the Dovecot software. At 
the time of wanting to access my server from a mail client, it does not let me 
access and see the logs of my server with the command:

$ service dovecot status
with the following error:

dovecot: auth-worker(2769): Error: mysql(127.0.0.1): Connect failed to 
database (postfix): Access denied for user 'postfix'@'localhost' (using 
password: YES) - waiting for 125 seconds before retry

From what I understand of this error is that it is trying to enter 'postfix' @ 
'localhost' instead of the domain that I specify when I made the database that 
is mydomain.com

How can you make dovecot go to MySQL with post...@mydomain.com instead of 
localhost

This is my Dovecot configuration

/etc/dovecot/dovecot-sql.conf.ext

driver=mysql

default_pass_scheme=PLAIN-MD5

connect=host=127.0.0.1 dbname=postfix user=postfix password=postfix

password_query=SELECT username,domain,password FROM usuarios WHERE 
username='%n' AND domain='%d'

user_query=SELECT 1007 as uid, 1007 as gid, 
concat("maildir:/var/vmail",domain,'/',username,'/') as mail FROM usuarios 
WHERE username='%n' AND domain='%d'

iterate_query=SELECT username,domain FROM usuarios

XDOVECOT capability?

2017-11-28 Thread Hogne Vevle
Hi!

Here and there, I'm seeing mentions of a "XDOVECOT" capability - e.g. on 
https://documentation.open-xchange.com/7.8.2/middleware/components/search/crossfolder_fts_in_mail.html
 .

However, I can't seem to find any documentation on what this actually does. 

We need to add this capability to our servers in order for certain 
functionality of Open Xchange App Suite to work properly (as seen in the link 
above), but we don't want to blindly update our entire Dovecot cluster just 
because their docs tell us to :) 

Can someone, please, shed some light on what other effects we can expect to see 
after enabling this capability, if any? Or is it simply a way of telling 
clients that "Hey, I'm a Dovecot server" - nothing else?

Cheers,

- Hogne


Re: ManageSieve: authenticate "EXTERNAL" not behaving correctly

2017-11-28 Thread Stephan Bosch



On 28-10-2017 at 17:18, Stephan Bosch wrote:

On 10/26/2017 at 1:32 PM, Marc Weustink wrote:

Hi,

I've enabled client certificate authentication for imap and
managesieve. When I use Thunderbird with the sieve plugin it tries to
login, but times out.

Initially I reported this to the sieve plugin, but we came to the
conclusion that managesieve is misbehaving.

https://github.com/thsmi/sieve/issues/94

Thunderbird (win10-64) 52.4.0 (32bit)
Sieve 0.2.3k
Dovecot (Ubuntu 16.04.3 LTS) 2.2.33.1-1 (sid)


What happens is the following (p=plugin sends m=managesieve sends)

p:authenticate "EXTERNAL" ""
m:""

The response is unexpected. According to RFC 5804 an empty
challenge/response is sent as an empty string. So I would expect:

p:authenticate "EXTERNAL" ""
m:OK "Logged in."



With the use of gnutls-cli I could reproduce (c=I send m=managesieve
sends)
  gnutls-cli --starttls --x509keyfile marc_mail.key --x509certfile
marc_mail.crt -p sieve 172.17.1.4

...
m:OK "TLS negotiation successful."
c:authenticate "EXTERNAL" ""
m:""
c:""
m:OK "Logged in."


However if I try the "imap" syntax (rfc4959) I get logged in at once

...
m:OK "TLS negotiation successful."
c:authenticate "EXTERNAL" "="
m:OK "Logged in."

Note that this is an imap only extension, "=" is an invalid base64
encoding.

Will get back on this later.


This was actually a Dovecot problem. Merged yesterday:

https://github.com/dovecot/core/commit/451698c60d7b3a763742c8e99503ab30596036f0
https://github.com/dovecot/core/commit/e4b72bd73bfffda7906faa248eab31f936cfc6fa
https://github.com/dovecot/core/commit/ad3e5fb08578161731085cfc025659753d2682cb
https://github.com/dovecot/core/commit/981f260cfa17a22faf4ff047e479e63cad01aa65

Regards,

Stephan.
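
The exchanges in this thread turn on the difference between an absent initial response and an empty one. As an added example (not Dovecot's code and not taken from the commits linked above), this Python sketch models the server behaviour the reporter expected per RFC 5804; the function names and the identity "marc" are assumptions, and only quoted strings are handled, not literals.

```python
import base64
import re

# Strict base64: whole 4-character groups, padding only in the last group.
B64 = re.compile(r"(?:[A-Za-z0-9+/]{4})*"
                 r"(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?")
CMD = re.compile(r'authenticate\s+"([A-Za-z0-9_-]+)"(?:\s+"([^"]*)")?\s*',
                 re.IGNORECASE)

def parse_authenticate(line):
    """Return (mechanism, initial_response).

    initial_response is None when the argument is absent and b"" when the
    client sent the empty string "", i.e. a zero-length initial response.
    """
    m = CMD.fullmatch(line)
    if m is None:
        raise ValueError("not an AUTHENTICATE command")
    mech, arg = m.group(1).upper(), m.group(2)
    if arg is None:
        return mech, None
    if B64.fullmatch(arg) is None:      # rejects the IMAP-only "=" form
        raise ValueError("initial response is not valid base64")
    return mech, base64.b64decode(arg)

def server_reply(line, cert_identity):
    """First server line for EXTERNAL; cert_identity is the user taken from
    the verified TLS client certificate, or None if there is none."""
    try:
        mech, initial = parse_authenticate(line)
    except ValueError as exc:
        return 'NO "%s"' % exc
    if mech != "EXTERNAL":
        return 'NO "mechanism not covered by this sketch"'
    if initial is None:
        return '""'                     # empty challenge: ask for a response
    if cert_identity is None:
        return 'NO "Authentication failed."'
    # A non-empty response is an authorization identity; accept it only
    # when it equals the certificate identity.
    if initial and initial.decode("utf-8", "replace") != cert_identity:
        return 'NO "Authentication failed."'
    return 'OK "Logged in."'

if __name__ == "__main__":
    for cmd in ('authenticate "EXTERNAL" ""', 'authenticate "EXTERNAL"',
                'authenticate "EXTERNAL" "="'):
        print("c:%s\nm:%s" % (cmd, server_reply(cmd, "marc")))
```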