imap-login director is not restarted after each auth request

2018-02-25 Thread Kalyana sundaram
Hi
imap-login, by default in a mail server, is restarted after every login request,
keeping security in mind, to avoid leaking critical data. But in a director
config, the imap-login director process is not restarted on each auth
request. Can somebody explain why this design decision was taken?

-- 
Kalyanasundaram
http://blogs.eskratch.com/
https://github.com/kalyanceg/


understanding dovecot director passdb configuration

2018-02-25 Thread Kalyana sundaram
Hey All
I am very new to the dovecot ecosystem. I found the software really robust and
secure. Kudos to the team!!!
We are setting up dovecot imap servers sharing a single nfs mount point. So,
to avoid nfs cache issues, we are setting up dovecot director. We are using
dovecot version 2.2.10. While going through the documentation of dovecot
director I stumbled across the following lines in the passdb configuration
https://wiki2.dovecot.org/Director

"Note that while this is the simplest director configuration, users will be
assigned to a backend before they have been authenticated.  A director
configured this way can be attacked by sending it a large number of unknown
users.  To prevent this, the director should be configured to authenticate
the user and might make use of a master password to log into the backend
servers."


I understand that on a static passdb config dovecot assigns a user to a machine in
the list of backends by using md5(username)%number_of_mail_servers. But
other than this calculation it does not incur any other resources. It does
have a tcp connection with the system which is trying to bruteforce. If we
move to authenticating users directly at the director server, the director
server's imap-login director service should be loaded anyway under an attack.
Does it have anything to do with the imap-login contacting the auth process
asynchronously and keeping itself free? I am pretty sure I am overlooking
some point in the above statement. Can somebody throw some light on that?

-- 
Kalyanasundaram
http://blogs.eskratch.com/
https://github.com/kalyanceg/
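The wiki warning quoted in the post, modelled as an added example. This is not Dovecot's code: the backend choice is simplified to the first four bytes of md5(username) modulo the backend count (only an approximation of the director's real ring), the backend names and the passdb contents are constructed, and the user-to-host mapping is assumed to persist until the director's user expiry. It shows the difference the OP is asking about: with the static passdb every login name, real or not, gets a mapping entry and a proxied backend connection before any password is checked, whereas a director that authenticates first drops unknown users locally and never touches the ring or the backends.

```python
import hashlib
import secrets

BACKENDS = ["mail1", "mail2", "mail3"]        # assumed backend hostnames
PASSDB = {"alice@example.com": "alice-pw",     # constructed toy passdb
          "bob@example.com": "bob-pw"}


def user_hash(username: str) -> int:
    """Stable hash of the login name: the same user must land on the same
    backend from every director and every connection."""
    return int.from_bytes(hashlib.md5(username.encode()).digest()[:4], "big")


class StaticDirector:
    """Models passdb { driver = static; args = proxy=y nopassword=y }:
    any login name is mapped to a host and proxied, unauthenticated."""

    def __init__(self, backends):
        self.backends = list(backends)
        self.mappings = {}            # username -> backend, kept until expiry
        self.backend_connects = 0     # proxied connections opened to backends

    def login(self, username: str, password: str):
        host = self.mappings.setdefault(
            username, self.backends[user_hash(username) % len(self.backends)])
        self.backend_connects += 1    # the backend now does the real auth
        return host


class AuthenticatingDirector(StaticDirector):
    """Director that runs the passdb itself (here: a dict) and only proxies
    users that authenticated; unknown or bad logins never reach the ring."""

    def login(self, username: str, password: str):
        if PASSDB.get(username) != password:
            return None               # rejected locally: no mapping, no backend
        return super().login(username, password)


def flood(director: StaticDirector, n: int) -> dict:
    """Send n logins for random, non-existent users, as the wiki's attacker would."""
    for _ in range(n):
        director.login(f"{secrets.token_hex(8)}@example.com", "x")
    return {"mappings": len(director.mappings),
            "backend_connects": director.backend_connects}


if __name__ == "__main__":
    for cls in (StaticDirector, AuthenticatingDirector):
        print(cls.__name__, flood(cls(BACKENDS), 10_000))
```

The cost the static variant pays per unknown user is not the hash but the state and the proxied connection that follow it; that is what the flood grows, and that is what the authenticating director avoids.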


Re: dovecot solr and users

2018-02-25 Thread Aki Tuomi
Try running doveadm -Dv index -A inbox

Aki


On 26.02.2018 08:40, David Mehler wrote:
> Hello,
>
> I'm trying to get fts searching done with dovecot. I keep getting the
> below error. Any help appreciated.
>
> Thanks.
> Dave.
>
> #doveadm index -A inbox
> doveadm(u...@example.com): Info: User no longer exists, skipping

dovecot solr and users

2018-02-25 Thread David Mehler
Hello,

I'm trying to get fts searching done with dovecot. I keep getting the
below error. Any help appreciated.

Thanks.
Dave.

#doveadm index -A inbox
doveadm(u...@example.com): Info: User no longer exists, skipping


#doveconf -n
# 2.2.33.2 (d6601f4ec): /usr/local/etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.21 (92477967)
# OS: FreeBSD 11.1-RELEASE-p4 amd64
auth_cache_size = 10 M
auth_default_realm = example.com
auth_realms = example.com example2.com
dict {
  acl = mysql:/usr/local/etc/dovecot/shared-folders.conf
  sqlquota = mysql:/usr/local/etc/dovecot/quota.conf
}
first_valid_gid = 999
first_valid_uid = 999
hostname = mail.example.com
imap_idle_notify_interval = 10 mins
last_valid_gid = 999
last_valid_uid = 999
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
listen = 127.0.0.1
lmtp_rcpt_check_quota = yes
mail_access_groups = vmail
mail_fsync = never
mail_gid = vmail
mail_home = /home/vmail/mailboxes/%d/%n
mail_location = maildir:~/mail:LAYOUT=fs
mail_plugins = acl mail_log notify quota quota_clone trash virtual
welcome zlib fts fts_solr
mail_privileged_group = vmail
mail_server_admin = mailto:postmas...@example.com
mail_uid = vmail
mailbox_list_index = yes
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric
relational regex imap4flags copy include variables body enotify
environment mailbox date index ihave duplicate mime foreverypart
extracttext imapflags notify imapsieve vnd.dovecot.imapsieve
namespace {
  hidden = no
  list = yes
  location = 
maildir:/home/vmail/public/:LAYOUT=fs:CONTROL=~/mail/public:INDEXPVT=~/mail/public:INDEX=~/mail/public
  mailbox TestFolder {
auto = subscribe
comment = Public Folder for message sharing
  }
  prefix = public/
  separator = /
  subscriptions = yes
  type = public
}
namespace {
  list = yes
  location = maildir:~/mail/:INDEX=~/mail/shared/%%Ld/%%Ln
  prefix = shared/%%u/
  separator = /
  subscriptions = yes
  type = shared
}
namespace {
  location = virtual:/usr/local/etc/dovecot/virtual
  mailbox All {
auto = subscribe
comment = All my messages
special_use = \All
  }
  prefix = virtual/
  separator = /
}
namespace inbox {
  inbox = yes
  location =
  mailbox Archive {
auto = no
special_use = \Archive
  }
  mailbox Archives {
auto = subscribe
special_use = \Archive
  }
  mailbox "Deleted Messages" {
auto = no
autoexpunge = 30 days
special_use = \Trash
  }
  mailbox Drafts {
auto = subscribe
special_use = \Drafts
  }
  mailbox Junk {
auto = no
autoexpunge = 30 days
special_use = \Junk
  }
  mailbox "Junk E-mail" {
auto = no
autoexpunge = 30 days
special_use = \Junk
  }
  mailbox Sent {
auto = subscribe
special_use = \Sent
  }
  mailbox "Sent Items" {
auto = no
special_use = \Sent
  }
  mailbox "Sent Messages" {
auto = no
special_use = \Sent
  }
  mailbox Spam {
auto = subscribe
autoexpunge = 30 days
special_use = \Junk
  }
  mailbox Trash {
auto = subscribe
autoexpunge = 30 days
special_use = \Trash
  }
  mailbox virtual/All {
comment = All my messages
special_use = \All
  }
  prefix =
  separator = /
  type = private
}
passdb {
  args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  acl = vfile:/usr/local/etc/dovecot/global-acls:cache_secs=300
  acl_anyone = allow
  acl_globals_only = yes
  acl_shared_dict = proxy::acl
  fts = solr
  fts_autoindex = yes
  fts_solr = url=http://127.0.0.1:8983/solr/dovecot/
  imapsieve_mailbox1_before = file:/home/vmail/sieve/global/learn-spam.sieve
  imapsieve_mailbox1_causes = COPY
  imapsieve_mailbox1_name = Spam
  imapsieve_mailbox2_before = file:/home/vmail/sieve/global/learn-ham.sieve
  imapsieve_mailbox2_causes = COPY
  imapsieve_mailbox2_from = Spam
  imapsieve_mailbox2_name = *
  last_login_dict = proxy::lastlogin
  last_login_key = last-login/%u
  mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
  mail_log_fields = uid box msgid size
  quota = count:User quota
  quota_clone_dict = proxy::sqlquota
  quota_exceeded_message = Storage quota for this account has been
exceeded, please try again later.
  quota_grace = 10%%
  quota_status_nouser = DUNNO
  quota_status_overquota = 552 5.2.2 Mailbox is full
  quota_status_success = DUNNO
  quota_vsizes = true
  quota_warning = storage=100%% quota-exceeded 100 %u
  quota_warning2 = storage=95%% quota-warning 95 %u
  quota_warning3 = storage=90%% quota-warning 90 %u
  quota_warning4 = storage=85%% quota-warning 85 %u
  quota_warning5 = storage=75%% quota-warning 75 %u
  sieve = ~/.dovecot.sieve
  sieve_before = /home/vmail/sieve/before.d
  sieve_default = /home/vmail/sieve/default.sieve
  sieve_dir = ~/sieve
  sieve_extensions = +notify +imapflags
  sieve_global_dir = /home/vmail/sieve
  sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.execute
  

Unexpected config results with local_name + multiple SSL certs

2018-02-25 Thread David Favor

Working with SSL on a fresh install of the latest Ubuntu Artful + Dovecot
seems broken somehow.

Application is Dovecot listening for many SSL sites...

Likely I've missed adding something simple to the config, related
to local_name usage.

It'd be great if someone can point out what I've missed, to set up
multiple SSL certs for different host.domain entries in the config.

Thanks.
___

This works as expected... where the SNI server name is returned...

#local_name imap.cydec.com {
   ssl_cert = &1 | egrep ^subject
subject=/CN=imap.cydec.com
___

This fails...

local_name imap.cydec.com {
   ssl_cert = &1 | egrep ^subject
# Empty, so no servername match
___

Full openssl output shows no cert being returned...

service dovecot restart && echo QUIT | openssl s_client -connect imap.cydec.com:993 -servername imap.cydec.com
CONNECTED(0004)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 199 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol  : TLSv1.2
Cipher: 
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1519576210
Timeout   : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---

___

Config seems correct, with local_name uncommented...

dovecot -n
# 2.2.27 (c0f36b0): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.16 (fed8554)
# OS: Linux 4.13.0-36-generic x86_64 Ubuntu 17.10
auth_debug = yes
auth_debug_passwords = yes
auth_verbose = yes
debug_log_path = /var/log/dovecot.log
disable_plaintext_auth = no
info_log_path = /var/log/dovecot.log
log_path = /var/log/dovecot.log
mail_debug = yes
mail_location = mbox:~/mail:INBOX=/var/mail/%u
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
special_use = \Drafts
  }
  mailbox Junk {
special_use = \Junk
  }
  mailbox Sent {
special_use = \Sent
  }
  mailbox "Sent Messages" {
special_use = \Sent
  }
  mailbox Trash {
special_use = \Trash
  }
  prefix =
}
passdb {
  args = dovecot
  driver = pam
}
protocols = " imap pop3"
service imap-login {
  inet_listener imap {
port = 0
  }
  inet_listener imaps {
port = 993
ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
port = 0
  }
  inet_listener pop3s {
port = 995
ssl = yes
  }
}
userdb {
  driver = passwd
}
local_name imap.cydec.com {
  ssl_cert =
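In the openssl output above, `write:errno=104` is ECONNRESET: the server dropped the connection during the handshake before sending any certificate. Before going through the Dovecot log, the first thing I would check is the shape of the SSL settings themselves. The following is an added example, not code from the post or from Dovecot: a small linter over `doveconf -n` output. It encodes three assumptions about Dovecot's SNI handling that the thread does not itself state: a global default ssl_cert/ssl_key is still required alongside local_name blocks (for clients that send no server name), each local_name block needs both ssl_cert and ssl_key, and the values are file references written as `<path`. Both sample configs are constructed.

```python
import re

LOCAL_NAME_RE = re.compile(r"^local_name\s+(\S+)\s*\{$")
SETTING_RE = re.compile(r"^(ssl_cert|ssl_key|ssl)\s*=\s*(.*)$")


def parse_ssl_settings(text: str) -> dict:
    """Collect ssl, ssl_cert and ssl_key per scope from doveconf -n output.

    Returns {"": {global settings}, "<local_name>": {its settings}, ...}.
    Settings inside other blocks (service, namespace, ...) are ignored."""
    scopes = {"": {}}
    stack = []                       # open blocks; local_name name or None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            m = LOCAL_NAME_RE.match(line)
            name = m.group(1) if (m and not stack) else None
            if name:
                scopes.setdefault(name, {})
            stack.append(name)
            continue
        if line == "}":
            stack.pop()
            continue
        m = SETTING_RE.match(line)
        if not m:
            continue
        scope = stack[-1] if stack else ""
        if scope is None:
            continue
        scopes[scope][m.group(1)] = m.group(2).strip()
    return scopes


def check_sni_config(text: str) -> list:
    """Return a list of problems; an empty list means the checks passed."""
    scopes = parse_ssl_settings(text)
    problems = []
    g = scopes[""]
    if g.get("ssl", "yes") == "no":
        problems.append("global: ssl = no, local_name blocks are never used")
    for key in ("ssl_cert", "ssl_key"):
        if not g.get(key):
            problems.append(f"global: {key} missing (assumed required as the default)")
    for name, s in scopes.items():
        if name == "":
            continue
        for key in ("ssl_cert", "ssl_key"):
            v = s.get(key)
            if not v:
                problems.append(f"local_name {name}: {key} missing")
            elif not v.startswith("<"):
                problems.append(f"local_name {name}: {key} is not a file reference (<path)")
    return problems


# Constructed sample: an SNI block with no key and no global default.
CONSTRUCTED_BAD = """\
service imap-login {
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
local_name imap.cydec.com {
  ssl_cert = </etc/dovecot/certs/imap.cydec.com.pem
}
"""

# Constructed sample: global default plus two complete SNI blocks.
CONSTRUCTED_GOOD = """\
ssl = required
ssl_cert = </etc/dovecot/certs/default.pem
ssl_key = </etc/dovecot/private/default.key
local_name imap.cydec.com {
  ssl_cert = </etc/dovecot/certs/imap.cydec.com.pem
  ssl_key = </etc/dovecot/private/imap.cydec.com.key
}
local_name imap.example.net {
  ssl_cert = </etc/dovecot/certs/imap.example.net.pem
  ssl_key = </etc/dovecot/private/imap.example.net.key
}
"""

if __name__ == "__main__":
    for label, cfg in (("bad", CONSTRUCTED_BAD), ("good", CONSTRUCTED_GOOD)):
        print(label, check_sni_config(cfg) or "ok")
```

Run it as `doveconf -n | python3 check_sni.py` style input in practice; it only reads the text, so it cannot tell whether the referenced files are readable by the Dovecot user, which is the next thing to verify by hand.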