imap-login director is not restarted after each auth request
Hi,

imap-login in a mail server is by default restarted after every login request, keeping security in mind, to avoid leaking critical data. But in a director config, the imap-login director process is not restarted on each auth request. Can somebody explain why this design decision was taken?

--
Kalyanasundaram
http://blogs.eskratch.com/
https://github.com/kalyanceg/
understanding dovecot director passdb configuration
Hey All,

I am very new to the dovecot ecosystem. Found the software really robust and secure. Kudos to the team!!!

We are setting up dovecot imap servers sharing a single nfs mount point. So to avoid nfs cache issues, we are setting up dovecot director. We are using dovecot version 2.2.10.

While going through the documentation of dovecot director I stumbled across the following lines in the passdb configuration, https://wiki2.dovecot.org/Director:

"Note that while this is the simplest director configuration, users will be assigned to a backend before they have been authenticated. A director configured this way can be attacked by sending it a large number of unknown users. To prevent this, the director should be configured to authenticate the user and might make use of a master password to log into the backend servers."

I understand that with a static passdb config dovecot assigns a user to a machine in the list of backends by using md5(username)%number_of_mail_servers. But other than this calculation it does not incur any other resources. It does have a tcp connection with the system which is trying to bruteforce. If we move to authenticating users directly at the director server, the director server's imap-login director service should anyway be loaded during an attack. Does it have anything to do with imap-login contacting the auth process asynchronously and keeping itself free? I am pretty sure I am overlooking some point in the above statement. Can somebody throw some light on that?

--
Kalyanasundaram
http://blogs.eskratch.com/
https://github.com/kalyanceg/
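To make the wiki note concrete, here is a small added simulation (not code from the original post or from Dovecot) of the two director configurations. The backend list, user names and passdb dictionary are constructed values, and the hashing uses the md5(username) % n formula the post gives as a simplified model of the director's real assignment; it shows what the static configuration spends on every unknown user (a user-to-backend table entry held until director_user_expire, plus a proxied connection to a backend) and that neither is created when the director authenticates first.

```python
import hashlib
from collections import Counter

# Constructed sample values, not taken from the original post.
BACKENDS = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]
PASSDB = {"alice@example.com": "pw-a", "bob@example.com": "pw-b"}


def static_backend(username, backends):
    """Choose a backend with the post's formula md5(username) % n: a simplified
    model of the director's weighted host ring, but with the same property, the
    choice depends only on the username and so needs no passdb lookup."""
    digest = hashlib.md5(username.encode("utf-8")).digest()
    return backends[int.from_bytes(digest, "big") % len(backends)]


class DirectorModel:
    """Toy model of the director's user -> backend table.

    The real director keeps each assignment until director_user_expire so
    that all of a user's connections reach one backend; `mapping` plays that
    role here and `backend_logins` counts connections proxied to backends.
    """

    def __init__(self, backends, authenticate_first):
        self.backends = backends
        self.authenticate_first = authenticate_first
        self.mapping = {}
        self.backend_logins = Counter()

    def login(self, username, password):
        if self.authenticate_first and PASSDB.get(username) != password:
            # Rejected by the director's own passdb: no table entry is
            # created and no backend ever sees the unknown user.
            return None
        host = self.mapping.setdefault(username, static_backend(username, self.backends))
        self.backend_logins[host] += 1
        return host


def simulate_unknown_users(director, count):
    """Log in `count` distinct nonexistent users; return (table entries, proxied connections)."""
    for i in range(count):
        director.login(f"nobody{i}@example.com", "guess")
    return len(director.mapping), sum(director.backend_logins.values())


if __name__ == "__main__":
    for auth_first in (False, True):
        held, proxied = simulate_unknown_users(DirectorModel(BACKENDS, auth_first), 10_000)
        print(f"authenticate_first={auth_first}: {held} table entries, {proxied} proxied connections")
```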
Re: dovecot solr and users
Try running doveadm -Dv index -A inbox

Aki

On 26.02.2018 08:40, David Mehler wrote:
> Hello,
>
> I'm trying to get fts searching done with dovecot. I keep getting the
> below error. Any help appreciated?
>
> Thanks.
> Dave.
>
> #doveadm index -A inbox
> doveadm(u...@example.com): Info: User no longer exists, skipping
>
> [...]
dovecot solr and users
Hello,

I'm trying to get fts searching done with dovecot. I keep getting the below error. Any help appreciated?

Thanks.
Dave.

#doveadm index -A inbox
doveadm(u...@example.com): Info: User no longer exists, skipping

#doveconf -n
# 2.2.33.2 (d6601f4ec): /usr/local/etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.21 (92477967)
# OS: FreeBSD 11.1-RELEASE-p4 amd64
auth_cache_size = 10 M
auth_default_realm = example.com
auth_realms = example.com example2.com
dict {
  acl = mysql:/usr/local/etc/dovecot/shared-folders.conf
  sqlquota = mysql:/usr/local/etc/dovecot/quota.conf
}
first_valid_gid = 999
first_valid_uid = 999
hostname = mail.example.com
imap_idle_notify_interval = 10 mins
last_valid_gid = 999
last_valid_uid = 999
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
listen = 127.0.0.1
lmtp_rcpt_check_quota = yes
mail_access_groups = vmail
mail_fsync = never
mail_gid = vmail
mail_home = /home/vmail/mailboxes/%d/%n
mail_location = maildir:~/mail:LAYOUT=fs
mail_plugins = acl mail_log notify quota quota_clone trash virtual welcome zlib fts fts_solr
mail_privileged_group = vmail
mail_server_admin = mailto:postmas...@example.com
mail_uid = vmail
mailbox_list_index = yes
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapflags notify imapsieve vnd.dovecot.imapsieve
namespace {
  hidden = no
  list = yes
  location = maildir:/home/vmail/public/:LAYOUT=fs:CONTROL=~/mail/public:INDEXPVT=~/mail/public:INDEX=~/mail/public
  mailbox TestFolder {
    auto = subscribe
    comment = Public Folder for message sharing
  }
  prefix = public/
  separator = /
  subscriptions = yes
  type = public
}
namespace {
  list = yes
  location = maildir:~/mail/:INDEX=~/mail/shared/%%Ld/%%Ln
  prefix = shared/%%u/
  separator = /
  subscriptions = yes
  type = shared
}
namespace {
  location = virtual:/usr/local/etc/dovecot/virtual
  mailbox All {
    auto = subscribe
    comment = All my messages
    special_use = \All
  }
  prefix = virtual/
  separator = /
}
namespace inbox {
  inbox = yes
  location =
  mailbox Archive {
    auto = no
    special_use = \Archive
  }
  mailbox Archives {
    auto = subscribe
    special_use = \Archive
  }
  mailbox "Deleted Messages" {
    auto = no
    autoexpunge = 30 days
    special_use = \Trash
  }
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Junk {
    auto = no
    autoexpunge = 30 days
    special_use = \Junk
  }
  mailbox "Junk E-mail" {
    auto = no
    autoexpunge = 30 days
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox "Sent Items" {
    auto = no
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    auto = no
    special_use = \Sent
  }
  mailbox Spam {
    auto = subscribe
    autoexpunge = 30 days
    special_use = \Junk
  }
  mailbox Trash {
    auto = subscribe
    autoexpunge = 30 days
    special_use = \Trash
  }
  mailbox virtual/All {
    comment = All my messages
    special_use = \All
  }
  prefix =
  separator = /
  type = private
}
passdb {
  args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  acl = vfile:/usr/local/etc/dovecot/global-acls:cache_secs=300
  acl_anyone = allow
  acl_globals_only = yes
  acl_shared_dict = proxy::acl
  fts = solr
  fts_autoindex = yes
  fts_solr = url=http://127.0.0.1:8983/solr/dovecot/
  imapsieve_mailbox1_before = file:/home/vmail/sieve/global/learn-spam.sieve
  imapsieve_mailbox1_causes = COPY
  imapsieve_mailbox1_name = Spam
  imapsieve_mailbox2_before = file:/home/vmail/sieve/global/learn-ham.sieve
  imapsieve_mailbox2_causes = COPY
  imapsieve_mailbox2_from = Spam
  imapsieve_mailbox2_name = *
  last_login_dict = proxy::lastlogin
  last_login_key = last-login/%u
  mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
  mail_log_fields = uid box msgid size
  quota = count:User quota
  quota_clone_dict = proxy::sqlquota
  quota_exceeded_message = Storage quota for this account has been exceeded, please try again later.
  quota_grace = 10%%
  quota_status_nouser = DUNNO
  quota_status_overquota = 552 5.2.2 Mailbox is full
  quota_status_success = DUNNO
  quota_vsizes = true
  quota_warning = storage=100%% quota-exceeded 100 %u
  quota_warning2 = storage=95%% quota-warning 95 %u
  quota_warning3 = storage=90%% quota-warning 90 %u
  quota_warning4 = storage=85%% quota-warning 85 %u
  quota_warning5 = storage=75%% quota-warning 75 %u
  sieve = ~/.dovecot.sieve
  sieve_before = /home/vmail/sieve/before.d
  sieve_default = /home/vmail/sieve/default.sieve
  sieve_dir = ~/sieve
  sieve_extensions = +notify +imapflags
  sieve_global_dir = /home/vmail/sieve
  sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.execute
Unexpected config results with local_name + multiple SSL certs
Working with SSL on a fresh install of the latest Ubuntu Artful + Dovecot seems broken somehow. Application is Dovecot listening for many SSL sites... Likely I've missed adding something simple to the config, related to local_name usage. Be great if someone can point out what I've missed, to set up multiple SSL certs for different host.domain entries in config. Thanks.

___

This works as expected... where the SNI server name is returned...

#local_name imap.cydec.com {
ssl_cert = &1 | egrep ^subject
subject=/CN=imap.cydec.com

___

This fails...

local_name imap.cydec.com {
ssl_cert = &1 | egrep ^subject
# Empty, so no servername match

___

Full openssl output shows no cert being returned...

service dovecot restart && echo QUIT | openssl s_client -connect imap.cydec.com:993 -servername imap.cydec.com
CONNECTED(0004)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 199 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    :
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1519576210
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

___

Config seems correct, with local_name uncommented...

dovecot -n
# 2.2.27 (c0f36b0): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.16 (fed8554)
# OS: Linux 4.13.0-36-generic x86_64 Ubuntu 17.10
auth_debug = yes
auth_debug_passwords = yes
auth_verbose = yes
debug_log_path = /var/log/dovecot.log
disable_plaintext_auth = no
info_log_path = /var/log/dovecot.log
log_path = /var/log/dovecot.log
mail_debug = yes
mail_location = mbox:~/mail:INBOX=/var/mail/%u
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = dovecot
  driver = pam
}
protocols = " imap pop3"
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
userdb {
  driver = passwd
}
local_name imap.cydec.com {
  ssl_cert =
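A per-name check of the behaviour the post is debugging, added here as example code (not from the original post or from Dovecot): it performs one TLS handshake per expected local_name with that name in SNI and reports whether a valid certificate for it came back, a certificate came back that does not validate for that name, or the server closed the connection without any certificate, which is what the openssl output above shows. The host name and port are the ones in the post; pass `cafile` when the certificates come from a private CA.

```python
import socket
import ssl


def subject_cn(cert):
    """Return the commonName from a dict shaped like ssl.SSLSocket.getpeercert()."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def check_sni(host, port, server_name, cafile=None, timeout=5.0):
    """Handshake with `server_name` in the TLS SNI extension and classify the result.

    Returns (status, detail):
      ("ok", cn)              a trusted certificate valid for server_name was served
      ("verify_failed", msg)  a certificate came back but failed validation for this
                              name (wrong cert behind this local_name, or untrusted CA)
      ("no_cert", msg)        no certificate was obtained: handshake aborted (the
                              "no peer certificate available" case), refused or timed out
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
                return "ok", subject_cn(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        return "verify_failed", exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        return "no_cert", str(exc)


def check_local_names(host, port, names, **kwargs):
    """Run check_sni once per configured local_name and collect the results."""
    return {name: check_sni(host, port, name, **kwargs) for name in names}


if __name__ == "__main__":
    # Host and name from the post; list every local_name block the server should serve.
    results = check_local_names("imap.cydec.com", 993, ["imap.cydec.com"])
    for name, (status, detail) in results.items():
        print(f"{name:30} {status:14} {detail}")
```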