Re: Assistance with doveadm backup...

2019-02-20 Thread SH Development via dovecot
Here is my command:

[root@mail maelstrombackups] #mkdir -p vmailbackup
[root@mail vmail]# chown: vmail:vmail /mnt/maelstrombackups/vmailbackup
[root@mail vmail]# doveadm backup -u jeff 
maildir:/mnt/maelstrombackups/vmailbackup

Only gives me the usage list, doesn’t work.

Jeff

> On Feb 21, 2019, at 1:29 AM, Sami Ketola  wrote:
> 
> 
> 
>> On 21 Feb 2019, at 7.04, SH Development via dovecot  
>> wrote:
>> 
>> Not really.  The suggestions in the post seemed to be:
>> 
>> 1. Tar the whole directory, which I have tried in the past, but a 130G 
>> directory takes over 18 hours to tar.
>> 2. It was also suggested to rsync the directory, but the question was 
>> brought up, and not answered, about whether it was advisable to copy live 
>> mail, thus the need for doveadm sync/backup.
>> 
>> Based on what I’ve read about doveadm backup, this is what I need, I am just 
>> having a hard time formulating the syntax for the command.
>> 
> 
> root@ketola ~]# mkdir -p /backup/sami
> root@ketola ~]# chown vmail:vmail /backup/sami
> root@ketola ~]# doveadm backup -u sami Maildir:/backup/sami
> 
> root@ketola ~]# du -hs /backup/sami
> 211M /backup/sami
> 
> does this help?
> 
> Sami



Re: Assistance with doveadm backup...

2019-02-20 Thread Sami Ketola via dovecot



> On 21 Feb 2019, at 7.04, SH Development via dovecot  
> wrote:
> 
> Not really.  The suggestions in the post seemed to be:
> 
> 1. Tar the whole directory, which I have tried in the past, but a 130G 
> directory takes over 18 hours to tar.
> 2. It was also suggested to rsync the directory, but the question was brought 
> up, and not answered, about whether it was advisable to copy live mail, thus 
> the need for doveadm sync/backup.
> 
> Based on what I’ve read about doveadm backup, this is what I need, I am just 
> having a hard time formulating the syntax for the command.


root@ketola ~]# mkdir -p /backup/sami
root@ketola ~]# chown vmail:vmail /backup/sami
root@ketola ~]# doveadm backup -u sami Maildir:/backup/sami

root@ketola ~]# du -hs /backup/sami
211M /backup/sami

does this help?

Sami



Re: Assistance with doveadm backup...

2019-02-20 Thread SH Development via dovecot
Sorry for being such a newbie when it comes to scripting.  Created a directory 
for the backups on the network mounted volume.  Changed the appropriate path 
and am getting this:

dsync(root): Error: user nfsnobody: Initialization failed: Namespace 'INBOX.': 
mkdir(/mnt/maelstrombackups/vmailbackup/nfsnobody) failed: Permission denied 
(euid=5000(vmail) egid=5000(vmail) missing +w perm: 
/mnt/maelstrombackups/vmailbackup, euid is not dir owner)
dsync(root): Fatal: User init failed
Backup done for user: nfsnobody ...
dsync(root): Error: user vmail: Initialization failed: Namespace 'INBOX.': 
mkdir(/mnt/maelstrombackups/vmailbackup/vmail) failed: Permission denied 
(euid=5000(vmail) egid=5000(vmail) missing +w perm: 
/mnt/maelstrombackups/vmailbackup, euid is not dir owner)
dsync(root): Fatal: User init failed
Backup done for user: vmail …

After running the script, I suddenly have two new directories in my vmail 
folder, “nfsnobody” and “vmail”.  What are these users?

Jeff


> On Feb 20, 2019, at 10:32 PM, Kenren Taisho  wrote:
> 
> No worries, that simple script should get you to a start though. Just replace 
> the path with a mounted NFS share if you want it to reside in a network 
> volume.
> 
> On Thu, Feb 21, 2019 at 12:10 PM SH Development  
> wrote:
> My apologies, you are absolutely right.  Will post this in the correct forum.
> 
> Spent the last couple of hours poring through the postfix list and just 
> forgot where I was at.
> 
> Jeff
> 
> 
> 
>> On Feb 20, 2019, at 8:55 PM, Kenren Taisho  wrote:
>> 
>> Hi Jeff,
>> 
>> This should be better off to dovecot's mailing list. 
>> But just to get you started, this is the first thing that came to mind:
>> 
>> example:
>> 
>> for users in `doveadm user "*"`; do
>> LOCALPART=${users%%@*}
>> dsync -v -f -u $users backup maildir:/tmp/backup/$LOCALPART
>> echo "Backup done for user: $users ..." 
>> done
>> 
>> HTH
>> 
>> 
>> On Thu, Feb 21, 2019 at 9:55 AM SH Development  
>> wrote:
>> I am having trouble locating examples of how to use doveadm backup.  All the 
>> examples I see are for sync.  I simply want to create a backup to a network 
>> volume of the email server's vmail folders.  The goal here is to have a 
>> reasonably current backup should the main drive on the email server go south.
>> 
>> We currently authenticate our users from a mysql database.  User’s mailboxes 
>> are stored as domainname/username/Maildir
>> 
>> I assume what I will wind up on the network volume is a duplicate directory 
>> structure as the vmail folder on the email server?
>> 
>> Can someone help get me started here?
>> 
>> Jeff
> 
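As an added example (not code posted by anyone in this thread): a Python dry-run planner for the per-user `doveadm backup` loop discussed above, with a pre-flight check for the condition behind the "missing +w perm ... euid is not dir owner" error. The `domain/localpart` destination layout, the rule of skipping names without a domain part, and all function names are assumptions made for illustration; only the `doveadm backup -u <user> maildir:<path>` form is taken from the thread.

```python
import os
import re
import shlex
import stat
import subprocess

# Conservative whitelist for each path component derived from a username
# (assumption: mailbox names are plain user@domain strings).
_COMPONENT = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._+-]*$")


def backup_location(base, user):
    """Return 'maildir:<base>/<domain>/<localpart>' for user@domain, or None
    when the name is not a safe virtual mailbox name."""
    local, at, domain = user.rpartition("@")
    if not at:
        return None  # no domain part, e.g. "nfsnobody" or "vmail"
    if not (_COMPONENT.match(local) and _COMPONENT.match(domain)):
        return None  # rejects "/", "..", leading dots, extra "@"
    return "maildir:" + os.path.join(base, domain, local)


def can_create_in(path, uid, gid):
    """Mode-bit check for the failure in the thread: the mail uid needs
    write+search permission on the backup root as owner, group or other.
    ACLs and NFS-side squashing are not modelled."""
    try:
        st = os.stat(path)
    except OSError as exc:
        return False, "cannot stat %s: %s" % (path, exc.strerror)
    if not stat.S_ISDIR(st.st_mode):
        return False, path + " is not a directory"
    if st.st_uid == uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif st.st_gid == gid:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    if st.st_mode & need != need:
        return False, "uid %d lacks +wx on %s (owner uid %d)" % (
            uid, path, st.st_uid)
    return True, "ok"


def plan_backups(users, base):
    """Split the user list into doveadm argv lists and skipped names."""
    plans, skipped = [], []
    for user in users:
        location = backup_location(base, user)
        if location is None:
            skipped.append(user)
        else:
            # argv list, never a shell string: the username is not re-parsed.
            plans.append(["doveadm", "backup", "-u", user, location])
    return plans, skipped


def run_backups(plans, dry_run=True):
    """Return (command line, exit code) pairs; exit code is None on dry run."""
    results = []
    for argv in plans:
        code = None if dry_run else subprocess.run(argv).returncode
        results.append((shlex.join(argv), code))
    return results


# Constructed sample input; "nfsnobody" and "vmail" are the names that
# appear in the error output quoted in the message above.
SAMPLE_USERS = ["alice@example.org", "bob@example.net",
                "nfsnobody", "vmail", "../x@example.org"]

if __name__ == "__main__":
    base = "/mnt/maelstrombackups/vmailbackup"  # path from the thread
    ok, reason = can_create_in(base, 5000, 5000)  # uid/gid from the error
    print("pre-flight:", reason)
    plans, skipped = plan_backups(SAMPLE_USERS, base)
    for line, _code in run_backups(plans, dry_run=True):
        print(line)
    print("skipped:", skipped)
```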



Re: Assistance with doveadm backup...

2019-02-20 Thread SH Development via dovecot
Not really.  The suggestions in the post seemed to be:

1. Tar the whole directory, which I have tried in the past, but a 130G 
directory takes over 18 hours to tar.
2. It was also suggested to rsync the directory, but the question was brought 
up, and not answered, about whether it was advisable to copy live mail, thus 
the need for doveadm sync/backup.

Based on what I’ve read about doveadm backup, this is what I need, I am just 
having a hard time formulating the syntax for the command.

Jeff

> On Feb 20, 2019, at 10:45 PM, @lbutlr via dovecot  wrote:
> 
> On Feb 20, 2019, at 21:11, SH Development via dovecot wrote:
>> Can someone help get me started here?
> 
> Does this help?
> 
> https://unix.stackexchange.com/questions/489331/what-is-the-correct-way-to-use-doveadm-to-backup-emails
>  
> 
> 
> -- 
> This is my signature. There are many like it, but this one is mine.
> 



Re: Assistance with doveadm backup...

2019-02-20 Thread @lbutlr via dovecot
On Feb 20, 2019, at 21:11, SH Development via dovecot  
wrote:
> Can someone help get me started here?

Does this help?

https://unix.stackexchange.com/questions/489331/what-is-the-correct-way-to-use-doveadm-to-backup-emails

-- 
This is my signature. There are many like it, but this one is mine.



Assistance with doveadm backup...

2019-02-20 Thread SH Development via dovecot
I am having trouble locating examples of how to use doveadm backup.  All the 
examples I see are for sync.  I simply want to create a backup to a network 
volume of the email server's vmail folders.  The goal here is to have a 
reasonably current backup should the main drive on the email server go south.

We currently authenticate our users from a mysql database.  User’s mailboxes 
are stored as domainname/username/Maildir

I assume what I will wind up on the network volume is a duplicate directory 
structure as the vmail folder on the email server?

Can someone help get me started here?

Jeff

LMTP and public mailboxes?

2019-02-20 Thread Eric Abrahamsen via dovecot
Hi,

I've been using postfix and dovecot for a few years, and have been doing
public mailboxes with dovecot-lda, using a postfix transport that looks
like (line wrapped for the mailer):

my-public-transport unix - n n - - pipe
  flags=DRhu user=vmail:vmail argv=/usr/bin/spamc -u  -e \
  /usr/lib/dovecot/dovecot-lda -f ${sender} -d  -m public/${user}

So messages first passed to spamassassin, using my own personal config
for bayes rules, then to dovecot-lda, using my user for auth, and
finally delivering to a public/* mailbox, with acl rules for access.

I'm moving spamassassin to a mimedefang milter, so that's out of the
equation; and LDA to LMTP, so the postfix config simply becomes:

virtual_transport = lmtp:unix:private/dovecot-lmtp

That's much nicer, but I'm not sure how to handle the public mailbox
using LMTP.

How are people doing this? While Googling I saw a recommendation to
create a virtual user for the public mailboxes, and then presumably
Postfix would map "i...@mydomain.com" to "publicuser+i...@mydomain.com"
and I would go from there. But that seems a little weird: I don't want
anyone to be able to log in as publicuser, nor to send mail as that user
(Postfix uses Dovecot for auth). Yet I don't seem to be able to pass
other arguments to lmtp, that might indicate which user to use for auth.

Does anyone have a clean solution for this?

Thanks in advance,
Eric



Re: Virus scan + removal on a mdbox mail storage

2019-02-20 Thread Christoph Haas via dovecot

Hello David,

- Message from David Pottage via dovecot -
    Date: Wed, 20 Feb 2019 14:56:51 +
    From: David Pottage via dovecot
Reply to: David Pottage
 Subject: Re: Virus scan + removal on a mdbox mail storage
      To: dovecot@dovecot.org



> On 2019-02-20 01:46, Christoph Haas via dovecot wrote:
>
>> I need advice on how virus scan and removal can be done on a _mdbox_
>> mail storage?
>>
>> On a maildir storage the virus scanner (e.g. clamav etc.) can detect
>> and remove an email that is infected, since every email and attachment
>> are stored in separate files.
>>
>> But in mdbox the emails and attachments are compressed together in one
>> or more mdbox-files ...
>>
>> I am anxious to convert my mail storage for virus scanning into
>> maildir format, since I don't know if a virus or crypto trojan can be
>> activated with this converting action =:-o
>
> To clarify: You want to convert your mail storage from mdbox to
> maildir, but you want to scan for viruses first?

NO! My mail storage is mdbox. And at the moment I have no intention to
convert it to Maildir!

But I know, that virus detection and deletion is much easier with
Maildir, since every mail is represented by a file. So if there is one
mail infected, the file can easily be deleted - also by external
antivirus tools. Also there are no indices with Maildir.

On the opposite in the mdbox mail storage several mails are
represented by one mdbox-file, so I'm looking for a way to detect and
if necessary remove infected mails without damaging my mdbox storage
or the indices.

One idea was to convert the mdbox storage for virus scanning on the
fly to Maildir do the antivirus stuff and then vice versa. But this
produces quite a lot of overhead ...

--> so I need a better way

> You are doing things in the wrong order.
>
> Firstly converting mail storage format is very unlikely to trigger a
> virus. For that to happen the virus author would need to find and
> write an exploit for dovecot that will trick it into treating email
> as executable code. While not impossible that is quite unlikely
> because there is no normal situation where dovecot will execute
> email as code. Also it is unlikely that a virus writer will target
> dovecot when Microsoft exchange is much more common and would be a
> higher value target.
>
> Secondly, as a rule you want to scan email for viruses as it arrives
> and leaves, not when it is at rest in user mailboxes, again it is
> possible that a new virus will be discovered some time after the
> email arrives so a retrospective scan would find it, but that won't
> help you much because most users read their email and open
> attachments soon after the email arrives.

I'm completely with you! I have of course configured my postfix with
Amavisd-new and all that stuff. But viruses evolve quite faster than
detection patterns of e.g. Clam-AV.

So it is likely, that Clam-AV didn't detect a virus when scanning the
mail-traffic on arrival and the malware now resides in the
mdbox-storage.

For this situation an afterward virus scan of the existing mail
storage on a regular basis seems to me an appropriate method to get
rid of viruses, trojans etc. that were not detected on arrival and
reside like a time bomb in my mail storage...

Btw.: what virus scanners besides Clam-AV are the people on this list
using? And how is the virus scanner implemented: via Amavisd-new or
e.g. rspamd or ...?

- I hope this question is not too offtopic for the dovecot list!

> So my advice is to do the conversion to maildir now, then scan all
> the files as a one off, and going forward you should configure your
> email transport daemon (postfix, exim etc) to pass incoming (and
> possibly outgoing) email through clamav.
>
> --
> David Pottage



- End of message from David Pottage via dovecot -


Cheers
Christoph.

P.S.: excuse my English - I'm no native speaker ...

--
Christoph Haas




Re: Using SHA256/512 for SQL based password

2019-02-20 Thread Yassine Chaouche via dovecot


On 2/20/19 3:28 PM, Robert Moskowitz via dovecot wrote:

>> Here's how I configured my roundcube's password plugin to keep things
>> together ($roundcubefolder/plugins/password/config.php)
>>
>> $config['password_algorithm']    = 'dovecot';
>> $config['password_algorithm_prefix'] = '{SHA512-CRYPT}';
>> $config['password_dovecotpw_method'] = 'SHA512-CRYPT';
>> $config['password_query']    = "UPDATE mail.users SET password=%P WHERE email=%u LIMIT 1";
>>
>> I left other fields alone.
>>
>> Yassine.
>
> Thanks much better info than I was seeing in my googling.  Except I
> would not use %p:
>
> // The SQL query used to change the password.
> // The query can contain the following macros that will be expanded as follows:
> // %p is replaced with the plaintext new password
> // %c is replaced with the crypt version of the new password, MD5 if available
> // otherwise DES.
> // %D is replaced with the dovecotpw-crypted version of the new password
> [...]
>
> %D seems to be what I want...

The rcmail_config[] syntax you pasted in your mail indicates you're
using a very old version of roundcube. Here's the relevant content of my
version of the password plugin:

// The SQL query used to change the password.
// The query can contain the following macros that will be expanded as follows:
//  %p is replaced with the plaintext new password
//  %P is replaced with the crypted/hashed new password
// according to configured password_method
[...]
// Deprecated macros:
//  %c is replaced with the crypt version of the new password, MD5 if available
// otherwise DES. More hash function can be enabled using the password_crypt_hash
// configuration parameter.
//  %D is replaced with the dovecotpw-crypted version of the new password
[...]

Notice the difference b/w %p and %P. Also notice that %D is marked as
deprecated.

> And in mysql, I believe the table is mailbox.

Oh that depends entirely on your choice of naming and what table
structure you have chosen.

> I got from:
> https://kaworu.ch/blog/2016/04/20/strong-crypt-scheme-with-dovecot-postfixadmin-and-roundcube/

Ah, it seems Aki and I have already visited this link before ^^'

Yassine.






Re: Virus scan + removal on a mdbox mail storage

2019-02-20 Thread David Pottage via dovecot

On 2019-02-20 01:46, Christoph Haas via dovecot wrote:

> I need advice on how virus scan and removal can be done on a _mdbox_
> mail storage?
>
> On a maildir storage the virus scanner (e.g. clamav etc.) can detect
> and remove an email that is infected, since every email and attachment
> are stored in separate files.
>
> But in mdbox the emails and attachments are compressed together in one
> or more mdbox-files ...
>
> I am anxious to convert my mail storage for virus scanning into
> maildir format, since I don't know if a virus or crypto trojan can be
> activated with this converting action =:-o


To clarify: You want to convert your mail storage from mdbox to maildir, 
but you want to scan for viruses first?


You are doing things in the wrong order.

Firstly converting mail storage format is very unlikely to trigger a 
virus. For that to happen the virus author would need to find and write 
an exploit for dovecot that will trick it into treating email as 
executable code. While not impossible that is quite unlikely because 
there is no normal situation where dovecot will execute email as code. 
Also it is unlikely that a virus writer will target dovecot when 
Microsoft exchange is much more common and would be a higher value 
target.


Secondly, as a rule you want to scan email for viruses as it arrives and 
leaves, not when it is at rest in user mailboxes, again it is possible 
that a new virus will be discovered some time after the email arrives so 
a retrospective scan would find it, but that won't help you much because 
most users read their email and open attachments soon after the email 
arrives.


So my advice is to do the conversion to maildir now, then scan all the 
files as a one off, and going forward you should configure your email 
transport daemon (postfix, exim etc) to pass incoming (and possibly 
outgoing) email through clamav.


--
David Pottage


Re: Using SHA256/512 for SQL based password

2019-02-20 Thread Robert Moskowitz via dovecot



On 2/20/19 5:09 AM, Yassine Chaouche via dovecot wrote:
> On 2/12/19 5:05 PM, Robert Moskowitz via dovecot wrote:
>> I have been trying to find how to set the dovecot-sql.conf for using
>> SHA256/512.  I am going to start clean with the stronger format, not
>> migrate from the old MD5.  It seems all I need is:
>>
>> [...] default_pass_scheme = SHAxxx-CRYPT [...]
>
> How do your users change their password ?

Many never do!  Those that do, use the Roundcube plugin, or ask me to
change their password via the Postfixadmin manager.  Sigh.

> Here's how I configured my roundcube's password plugin to keep things
> together ($roundcubefolder/plugins/password/config.php)
>
> $config['password_algorithm']    = 'dovecot';
> $config['password_algorithm_prefix'] = '{SHA512-CRYPT}';
> $config['password_dovecotpw_method'] = 'SHA512-CRYPT';
> $config['password_query']    = "UPDATE mail.users SET password=%P WHERE email=%u LIMIT 1";
>
> I left other fields alone.
>
> Yassine.

Thanks much better info than I was seeing in my googling.  Except I
would not use %p:

// The SQL query used to change the password.
// The query can contain the following macros that will be expanded as follows:
// %p is replaced with the plaintext new password
// %c is replaced with the crypt version of the new password, MD5 if available
// otherwise DES.
// %D is replaced with the dovecotpw-crypted version of the new password
// %o is replaced with the password before the change
// %n is replaced with the hashed version of the new password
// %q is replaced with the hashed password before the change
// %h is replaced with the imap host (from the session info)
// %u is replaced with the username (from the session info)
// %l is replaced with the local part of the username
// (in case the username is an email address)
// %d is replaced with the domain part of the username
// (in case the username is an email address)

%D seems to be what I want...

And in mysql, I believe the table is mailbox.

$rcmail_config['password_query']  =  "UPDATE mailbox SET password = %D, modified = NOW() WHERE username = %u";

I got from:
https://kaworu.ch/blog/2016/04/20/strong-crypt-scheme-with-dovecot-postfixadmin-and-roundcube/

thanks!




Re: Using SHA256/512 for SQL based password

2019-02-20 Thread Robert Moskowitz via dovecot




On 2/20/19 9:06 AM, @lbutlr via dovecot wrote:
> On 20 Feb 2019, at 06:10, Robert Moskowitz via dovecot wrote:
>> libsodium does not help with CentOS7 and Dovecot 2.3:
>
> This is what your HTML message looks like here:



Re: Using SHA256/512 for SQL based password

2019-02-20 Thread @lbutlr via dovecot
On 20 Feb 2019, at 06:10, Robert Moskowitz via dovecot  
wrote:
> 
> libsodium does not help with CentOS7 and Dovecot 2.3:

This is what your HTML message looks like here:



Re: Using SHA256/512 for SQL based password

2019-02-20 Thread Robert Moskowitz via dovecot




On 2/20/19 8:38 AM, Aki Tuomi wrote:
> > On 20 February 2019 15:10 Robert Moskowitz via dovecot wrote:
> >
> > On 2/19/19 1:50 AM, Aki Tuomi via dovecot wrote:
> > > On 17.2.2019 10.46, Aki Tuomi via dovecot wrote:
> > > > > On 17 February 2019 at 10:38 Odhiambo Washington via dovecot <dovecot@dovecot.org> wrote:
> > > > >
> > > > > On Sun, 17 Feb 2019 at 11:34, Marc Weustink via dovecot <dovecot@dovecot.org> wrote:
> > > > >
> > > > > > Jean-Daniel Dupas via dovecot wrote:
> > > > > > >> On 13 Feb 2019 at 14:54, Robert Moskowitz via dovecot <dovecot@dovecot.org> wrote:
> > > > > > >>
> > > > > > >>> ARGON2 support is added in dovecot v2.3. It also needs to be enabled
> > > > > > >>> when compiling dovecot, so varying from packagers it might or not be
> > > > > > >>> available. The CRYPT ones are available if crypt(3) supports them. In
> > > > > > >>> dovecot v2.3 we have added bcrypt support regardless of crypt(3)
> > > > > > >>> support.
> > > > > > >>
> > > > > > >> CentOS7 is on dovecot 2.2.36:
> > > > > > >>
> > > > > > >> # doveadm pw -s ARGON2-CRYPT -p secret
> > > > > > >> Fatal: Unknown scheme: ARGON2-CRYPT
> > > > > > >> # doveadm pw -s ARGON2 -p secret
> > > > > > >> Fatal: Unknown scheme: ARGON2
> > > > > > >>
> > > > > > >> I tend to stay with the distro's rpms and not take on building and
> > > > > > >> maintaining myself.
> > > > > > >
> > > > > > > And for the record, the hash names are ARGON2I and ARGON2ID (see doveadm pw -l )
> > > > > > >
> > > > > > > With dovecot from the dovecot.org <http://dovecot.org> repo:
> > > > > > > # doveadm pw -s ARGON2I -p secret
> > > > > > > {ARGON2I}$argon2i$v=19$m=32768,t=4,p=1$bt96TSr3nVrho2SRhnNP0A$h7LYiqkw/4s6d1d+0Xpe+VUE3aISPnkYq/R7QqPRntk
> > > > > >
> > > > > > Also from dovecot.org <http://dovecot.org> repo:
> > > > > > doveadm pw -s ARGON2I -p secret
> > > > > > Fatal: Unknown scheme: ARGON2I
> > > > > >
> > > > > > Marc
> > > > >
> > > > > It works for me over here:
> > > > >
> > > > > [wash@waridi ~]#/opt/dovecot2.3/bin/doveadm pw -s ARGON2I -p secret
> > > > > {ARGON2I}$argon2i$v=19$m=32768,t=4,p=1$9pggnQBea9F3h3O31HoJEA$0zZZgwEuMRVZ3Mc/v6ckpalzVRVCr+GLBWnb8OrgsxU
> > > > >
> > > > > --
> > > > > Best regards,
> > > > > Odhiambo WASHINGTON,
> > > > > Nairobi,KE
> > > > > +254 7 3200 0004/+254 7 2274 3223
> > > > > "Oh, the cruft.", grep ^[^#] :-)
> > > >
> > > > I'll check next week if and why argon is missing from ce packages.
> > > > ---
> > > > Aki Tuomi
> > >
> > > Marc,
> > >
> > > ARGON2 is supported only on Debian Stretch and Ubuntu 18 for dovecot, due to libsodium.
> >
> > libsodium does not help with CentOS7 and Dovecot 2.3:
> >
> > Installing : libsodium-1.0.17-1.el7.armv7hl 1/1
> > Verifying : libsodium-1.0.17-1.el7.armv7hl 1/1
> >
> > Installed:
> > libsodium.armv7hl 0:1.0.17-1.el7
> >
> > Complete!
> > [root@klovia ~]# doveadm pw -s ARGON2I -p secret
> > Fatal: Unknown scheme: ARGON2I
> > [root@klovia ~]# doveadm pw -l
> > MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5 PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA PBKDF2 CRYPT SHA256-CRYPT SHA512-CRYPT
> >
> > Previously installed argon2:
> >
> > grep -n argon /var/log/yum.log*
> > /var/log/yum.log:128:Feb 13 09:01:01 Installed: libargon2-20161029-2.el7.armv7hl
> > /var/log/yum.log:129:Feb 13 09:01:01 Installed: argon2-20161029-2.el7.armv7hl
>
> Hi!
>
> Just installing libsodium is not enough. It's not compiled into dovecot centos7
> packages because the libsodium in centos7 (not epel) is not recent enough.


It was worth the try




Re: Using SHA256/512 for SQL based password

2019-02-20 Thread Aki Tuomi via dovecot


> On 20 February 2019 15:10 Robert Moskowitz via dovecot wrote:
>
> On 2/19/19 1:50 AM, Aki Tuomi via dovecot wrote:
> > On 17.2.2019 10.46, Aki Tuomi via dovecot wrote:
> > > > On 17 February 2019 at 10:38 Odhiambo Washington via dovecot <dovecot@dovecot.org> wrote:
> > > >
> > > > On Sun, 17 Feb 2019 at 11:34, Marc Weustink via dovecot <dovecot@dovecot.org> wrote:
> > > >
> > > > > Jean-Daniel Dupas via dovecot wrote:
> > > > > >> On 13 Feb 2019 at 14:54, Robert Moskowitz via dovecot <dovecot@dovecot.org> wrote:
> > > > > >>
> > > > > >>> ARGON2 support is added in dovecot v2.3. It also needs to be enabled
> > > > > >>> when compiling dovecot, so varying from packagers it might or not be
> > > > > >>> available. The CRYPT ones are available if crypt(3) supports them. In
> > > > > >>> dovecot v2.3 we have added bcrypt support regardless of crypt(3)
> > > > > >>> support.
> > > > > >>
> > > > > >> CentOS7 is on dovecot 2.2.36:
> > > > > >>
> > > > > >> # doveadm pw -s ARGON2-CRYPT -p secret
> > > > > >> Fatal: Unknown scheme: ARGON2-CRYPT
> > > > > >> # doveadm pw -s ARGON2 -p secret
> > > > > >> Fatal: Unknown scheme: ARGON2
> > > > > >>
> > > > > >> I tend to stay with the distro's rpms and not take on building and
> > > > > >> maintaining myself.
> > > > > >
> > > > > > And for the record, the hash names are ARGON2I and ARGON2ID (see doveadm pw -l )
> > > > > >
> > > > > > With dovecot from the dovecot.org <http://dovecot.org> repo:
> > > > > > # doveadm pw -s ARGON2I -p secret
> > > > > > {ARGON2I}$argon2i$v=19$m=32768,t=4,p=1$bt96TSr3nVrho2SRhnNP0A$h7LYiqkw/4s6d1d+0Xpe+VUE3aISPnkYq/R7QqPRntk
> > > > >
> > > > > Also from dovecot.org <http://dovecot.org> repo:
> > > > > doveadm pw -s ARGON2I -p secret
> > > > > Fatal: Unknown scheme: ARGON2I
> > > > >
> > > > > Marc
> > > >
> > > > It works for me over here:
> > > >
> > > > [wash@waridi ~]#/opt/dovecot2.3/bin/doveadm pw -s ARGON2I -p secret
> > > > {ARGON2I}$argon2i$v=19$m=32768,t=4,p=1$9pggnQBea9F3h3O31HoJEA$0zZZgwEuMRVZ3Mc/v6ckpalzVRVCr+GLBWnb8OrgsxU
> > > >
> > > > --
> > > > Best regards,
> > > > Odhiambo WASHINGTON,
> > > > Nairobi,KE
> > > > +254 7 3200 0004/+254 7 2274 3223
> > > > "Oh, the cruft.", grep ^[^#] :-)
> > >
> > > I'll check next week if and why argon is missing from ce packages.
> > > ---
> > > Aki Tuomi
> >
> > Marc,
> >
> > ARGON2 is supported only on Debian Stretch and Ubuntu 18 for dovecot, due to libsodium.
>
> libsodium does not help with CentOS7 and Dovecot 2.3:
>
> Installing : libsodium-1.0.17-1.el7.armv7hl 1/1
> Verifying : libsodium-1.0.17-1.el7.armv7hl 1/1
>
> Installed:
> libsodium.armv7hl 0:1.0.17-1.el7
>
> Complete!
> [root@klovia ~]# doveadm pw -s ARGON2I -p secret
> Fatal: Unknown scheme: ARGON2I
> [root@klovia ~]# doveadm pw -l
> MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5 PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA PBKDF2 CRYPT SHA256-CRYPT SHA512-CRYPT
>
> Previously installed argon2:
>
> grep -n argon /var/log/yum.log*
> /var/log/yum.log:128:Feb 13 09:01:01 Installed: libargon2-20161029-2.el7.armv7hl
> /var/log/yum.log:129:Feb 13 09:01:01 Installed: argon2-20161029-2.el7.armv7hl

Hi!

Just installing libsodium is not enough. It's not compiled into dovecot centos7 
packages because the libsodium in centos7 (not epel) is not recent enough.

Aki


Re: Using SHA256/512 for SQL based password

2019-02-20 Thread Robert Moskowitz via dovecot



On 2/19/19 1:50 AM, Aki Tuomi via dovecot wrote:
> On 17.2.2019 10.46, Aki Tuomi via dovecot wrote:
> > > On 17 February 2019 at 10:38 Odhiambo Washington via dovecot <dovecot@dovecot.org> wrote:
> > >
> > > On Sun, 17 Feb 2019 at 11:34, Marc Weustink via dovecot <dovecot@dovecot.org> wrote:
> > >
> > > > Jean-Daniel Dupas via dovecot wrote:
> > > > >> On 13 Feb 2019 at 14:54, Robert Moskowitz via dovecot <dovecot@dovecot.org> wrote:
> > > > >>
> > > > >>> ARGON2 support is added in dovecot v2.3. It also needs to be enabled
> > > > >>> when compiling dovecot, so varying from packagers it might or not be
> > > > >>> available. The CRYPT ones are available if crypt(3) supports them. In
> > > > >>> dovecot v2.3 we have added bcrypt support regardless of crypt(3)
> > > > >>> support.
> > > > >>
> > > > >> CentOS7 is on dovecot 2.2.36:
> > > > >>
> > > > >> # doveadm pw -s ARGON2-CRYPT -p secret
> > > > >> Fatal: Unknown scheme: ARGON2-CRYPT
> > > > >> # doveadm pw -s ARGON2 -p secret
> > > > >> Fatal: Unknown scheme: ARGON2
> > > > >>
> > > > >> I tend to stay with the distro's rpms and not take on building and
> > > > >> maintaining myself.
> > > > >
> > > > > And for the record, the hash names are ARGON2I and ARGON2ID (see doveadm pw -l )
> > > > >
> > > > > With dovecot from the dovecot.org <http://dovecot.org> repo:
> > > > > # doveadm pw -s ARGON2I -p secret
> > > > > {ARGON2I}$argon2i$v=19$m=32768,t=4,p=1$bt96TSr3nVrho2SRhnNP0A$h7LYiqkw/4s6d1d+0Xpe+VUE3aISPnkYq/R7QqPRntk
> > > >
> > > > Also from dovecot.org <http://dovecot.org> repo:
> > > > doveadm pw -s ARGON2I -p secret
> > > > Fatal: Unknown scheme: ARGON2I
> > > >
> > > > Marc
> > >
> > > It works for me over here:
> > >
> > > [wash@waridi ~]#/opt/dovecot2.3/bin/doveadm pw -s ARGON2I -p secret
> > > {ARGON2I}$argon2i$v=19$m=32768,t=4,p=1$9pggnQBea9F3h3O31HoJEA$0zZZgwEuMRVZ3Mc/v6ckpalzVRVCr+GLBWnb8OrgsxU
> > >
> > > --
> > > Best regards,
> > > Odhiambo WASHINGTON,
> > > Nairobi,KE
> > > +254 7 3200 0004/+254 7 2274 3223
> > > "Oh, the cruft.", grep ^[^#] :-)
> >
> > I'll check next week if and why argon is missing from ce packages.
> > ---
> > Aki Tuomi
>
> Marc,
>
> ARGON2 is supported only on Debian Stretch and Ubuntu 18 for dovecot,
> due to libsodium.




libsodium does not help with CentOS7 and Dovecot 2.3:

  Installing : libsodium-1.0.17-1.el7.armv7hl   1/1
  Verifying  : libsodium-1.0.17-1.el7.armv7hl   1/1

Installed:
  libsodium.armv7hl 0:1.0.17-1.el7

Complete!
[root@klovia ~]# doveadm pw -s ARGON2I -p secret
Fatal: Unknown scheme: ARGON2I
[root@klovia ~]# doveadm pw -l
MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5 PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA PBKDF2 CRYPT SHA256-CRYPT SHA512-CRYPT

Previously installed argon2:

grep -n argon /var/log/yum.log*
/var/log/yum.log:128:Feb 13 09:01:01 Installed: libargon2-20161029-2.el7.armv7hl
/var/log/yum.log:129:Feb 13 09:01:01 Installed: argon2-20161029-2.el7.armv7hl





Re: sieve filter not working

2019-02-20 Thread Stephan Bosch via dovecot




On 20-2-2019 at 9:30, subin ks via dovecot wrote:
> I've Dovecot and dovecot-sieve v 2.2.27 installed on a Debian 9.6. I'm
> trying to set a Sieve filter which will redirect all emails from
> `info` (i.e. .info) TLD to another email. This is the filter:
>
> require ["regex"];
> # rule:[test]
> if header :regex "from" "info$"
> {
>     redirect "su...@domain.com";
> }
>
> It's not being honored; all emails from .info TLD ends up in the inbox
> and none are redirected. Let me know what I'm doing wrong.

You should use the "address" test instead. This parses the header for
addresses. Using the "header" test this way is unreliable. For example,
an address wrapped in <...> is not handled well by your attempt.

So, this is better:

if address :matches :domain "from" "*.info" {
    redirect "su...@domain.com";
}

Regards,

Stephan.
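The difference described in this reply, modelled in Python as an added example (it is not Pigeonhole code and not from the thread): the `header :regex` test sees the raw From value including display name and brackets, while the `address :domain` test parses out each address first. The function names and the From values are constructed for illustration, and backslash escapes in `:matches` patterns are not modelled.

```python
import re
from email.utils import getaddresses


def header_regex(value, regex):
    """Model of Sieve `header :regex "from" <regex>`: the pattern is applied
    to the whole header value, case-insensitively (i;ascii-casemap)."""
    return re.search(regex, value, re.IGNORECASE) is not None


def _glob_to_regex(pattern):
    """Translate Sieve :matches wildcards: '*' is any run of characters,
    '?' is exactly one character; everything else is literal."""
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return re.compile("".join(out), re.IGNORECASE | re.DOTALL)


def address_domain_matches(value, pattern):
    """Model of Sieve `address :matches :domain "from" <pattern>`: parse the
    header into addresses, then match only the part after the last '@'."""
    glob = _glob_to_regex(pattern)
    for _display_name, addr in getaddresses([value]):
        _local, at, domain = addr.rpartition("@")
        if at and glob.fullmatch(domain):
            return True
    return False


# Constructed From header values covering the common address layouts.
SAMPLE_FROM = [
    "jane@shop.info",                      # bare address
    "Jane Doe <jane@shop.info>",           # display name + angle brackets
    "jane@shop.info (Jane Doe)",           # trailing comment
    "Jane <JANE@SHOP.INFO>",               # upper-case domain
    '"Shop info" <orders@shop.example>',   # "info" only in the display name
    "bob@corp.myinfo",                     # made-up TLD that ends in "info"
]


def compare(values=SAMPLE_FROM):
    """Return (value, header-regex result, address-domain result) rows for
    the original rule ("info$") and the suggested rule ("*.info")."""
    return [
        (v, header_regex(v, "info$"), address_domain_matches(v, "*.info"))
        for v in values
    ]


if __name__ == "__main__":
    print("%-40s %-14s %s" % ("From", "header :regex", "address :domain"))
    for value, by_header, by_address in compare():
        print("%-40s %-14s %s" % (value, by_header, by_address))
```

The last sample shows the other failure direction: the unanchored `info$` also fires on a domain that merely ends in those four letters, which the `*.info` domain match does not.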


Re: sieve filter not working -- matchtype

2019-02-20 Thread Martin Johannes Dauser via dovecot
Scott, you are right. And I guess it's computed faster too.

# rule:[test]
if header :matches "from" "*.info"
{
redirect "su...@domain.com";
}

Even a TLD like "*.superinfos" may be included:
"*@*.*info*"

Greetings
Martin

On Wed, 2019-02-20 at 08:47 +, Scott M. via dovecot wrote:
> Why do you use regex ?
> 
> You can just use matches: https://p5r.uk/blog/2011/sieve-tutorial.htm
> l#matchtype
> 
> 
> 
> 
> 
> On Wed, Feb 20, 2019 at 03:31 AM, subin ks via dovecot  ot.org> wrote:
> I've Dovecot and dovecot-sieve v 2.2.27 installed on a Debian 9.6.
> I'm trying to set a Sieve filter which will redirect all emails from
> `info` (i.e. .info) TLD to another email. This is the filter:
> 
> require ["regex"];
> # rule:[test]
> if header :regex "from" "info$"
> {
>   redirect "su...@domain.com";
> }
> 
> It's not being honored; all emails from .info TLD end up in the
> inbox and none are redirected. Let me know what I'm doing wrong.
> 
> Thanks.
> 


Re: Error sending email from client

2019-02-20 Thread Yassine Chaouche via dovecot

On 2/18/19 2:29 PM, Latin Bishop via dovecot wrote:


Feb 18 08:26:41 pepino postfix/smtps/smtpd[5328]: warning: unknown smtpd restriction: "permit_ssl_authenticated"


Try to change

permit_ssl_authenticated

to

permit_sasl_authenticated

(+a)

But as Sami said this is a postfix issue and you should have more 
replies in the postfix list instead.


Yassine.




Re: Using SHA256/512 for SQL based password

2019-02-20 Thread Yassine Chaouche via dovecot

On 2/12/19 5:05 PM, Robert Moskowitz via dovecot wrote:
I have been trying to find how to set the dovecot-sql.conf for using 
SHA256/512.  I am going to start clean with the stronger format, not 
migrate from the old MD5.  It seems all I need is:

[...] default_pass_scheme = SHAxxx-CRYPT [...]


How do your users change their password ?

Here's how I configured my roundcube's password plugin to keep things 
together ($roundcubefolder/plugins/password/config.php)


$config['password_algorithm'] = 'dovecot';
$config['password_algorithm_prefix'] = '{SHA512-CRYPT}';
$config['password_dovecotpw_method'] = 'SHA512-CRYPT';
$config['password_query'] = "UPDATE mail.users SET password=%P WHERE email=%u LIMIT 1";

I left other fields alone.

Yassine.



Re: sieve filter not working -- wildcard missing

2019-02-20 Thread Martin Johannes Dauser via dovecot
On Wed, 2019-02-20 at 10:37 +0100, Martin Johannes Dauser via dovecot
wrote:
> On Wed, 2019-02-20 at 10:18 +0100, Martin Johannes Dauser via dovecot
> wrote:
> > Hi!
> > 
> > You forgot the wildcard '.*' (= Match zero or more instances of any
> > single character, except newline)
> > 
> > require ["regex"];
> > # rule:[test]
> > if header :regex "from" ".*info$"
> > {
> >     redirect "su...@domain.com";
> > }
> > 
> > With this rule, you are filtering emails from toplevel domain '*.info'
> > or new domains that might occur in future (e.g '*.superinfo'). If you
> > want to restrict to classic tld '*.info' change the regex to
> > 
> > ".*\.info$"
> 
> Oh, and if you want to include a TLD like "*.superinfos" the regex
> needs to be
> 
> ".*\..*info[^.]$"

ARGH, I forgot a star:
".*\..*info[^.]*$"

> 
> > 
> > 
> > The draft lists a table of common regex in section 2:
> > https://tools.ietf.org/html/draft-murchison-sieve-regex-08#section-2
> > 
> > 
> > There are online regex checkers like https://regex101.com, though not
> > specific to sieve's regex, which can be used to test your regular
> > expressions. Sieve's regex are quite standard though.
> > 
> > Greetings
> > Martin
> > 
> > 
> > On Wed, 2019-02-20 at 14:00 +0530, subin ks via dovecot wrote:
> > > I've Dovecot and dovecot-sieve v 2.2.27 installed on a Debian 9.6.
> > > I'm trying to set a Sieve filter which will redirect all emails from
> > > `info` (i.e. .info) TLD to another email. This is the filter:
> > > 
> > > require ["regex"];
> > > # rule:[test]
> > > if header :regex "from" "info$"
> > > {
> > >   redirect "su...@domain.com";
> > > }
> > > 
> > > It's not being honored; all emails from .info TLD end up in the
> > > inbox and none are redirected. Let me know what I'm doing wrong.
> > > 
> > > Thanks.
> > > 


Re: index problems after update

2019-02-20 Thread Aki Tuomi via dovecot


> On 18 February 2019 09:28 Hajo Locke via dovecot  wrote:
> 
> 
> Hello,
>  
> it seems we need a dovecot developer's opinion. Maybe we hit a bug or can't 
> help ourselves.
>  
>  
>

Core dump with backtrace would help, if possible to acquire. Please refer to 
https://dovecot.org/bugreport.html for information how to get a core dump.

Aki


Re: sieve filter not working -- wildcard missing

2019-02-20 Thread Martin Johannes Dauser via dovecot
On Wed, 2019-02-20 at 10:18 +0100, Martin Johannes Dauser via dovecot
wrote:
> Hi!
> 
> You forgot the wildcard '.*' (= Match zero or more instances of any
> single character, except newline)
> 
> require ["regex"];
> # rule:[test]
> if header :regex "from" ".*info$"
> {
>   redirect "su...@domain.com";
> }
> 
> With this rule, you are filtering emails from toplevel domain '*.info'
> or new domains that might occur in future (e.g '*.superinfo'). If you
> want to restrict to classic tld '*.info' change the regex to
> 
> ".*\.info$"

Oh, and if you want to include a TLD like "*.superinfos" the regex
needs to be

".*\..*info[^.]$"

> 
> 
> The draft lists a table of common regex in section 2:
> https://tools.ietf.org/html/draft-murchison-sieve-regex-08#section-2
> 
> 
> There are online regex checkers like https://regex101.com, though not
> specific to sieve's regex, which can be used to test your regular
> expressions. Sieve's regex are quite standard though.
> 
> Greetings
> Martin
> 
> 
> On Wed, 2019-02-20 at 14:00 +0530, subin ks via dovecot wrote:
> > I've Dovecot and dovecot-sieve v 2.2.27 installed on a Debian 9.6.
> > I'm trying to set a Sieve filter which will redirect all emails from
> > `info` (i.e. .info) TLD to another email. This is the filter:
> > 
> > require ["regex"];
> > # rule:[test]
> > if header :regex "from" "info$"
> > {
> > redirect "su...@domain.com";
> > }
> > 
> > It's not being honored; all emails from .info TLD end up in the
> > inbox and none are redirected. Let me know what I'm doing wrong.
> > 
> > Thanks.
> > 


Re: sieve filter not working -- wildcard missing

2019-02-20 Thread Martin Johannes Dauser via dovecot
Hi!

You forgot the wildcard '.*' (= Match zero or more instances of any
single character, except newline)

require ["regex"];
# rule:[test]
if header :regex "from" ".*info$"
{
    redirect "su...@domain.com";
}

With this rule, you are filtering emails from toplevel domain '*.info'
or new domains that might occur in future (e.g '*.superinfo'). If you
want to restrict to classic tld '*.info' change the regex to

".*\.info$"


The draft lists a table of common regex in section 2:
https://tools.ietf.org/html/draft-murchison-sieve-regex-08#section-2


There are online regex checkers like https://regex101.com, though not
specific to sieve's regex, which can be used to test your regular
expressions. Sieve's regex are quite standard though.

Greetings
Martin


On Wed, 2019-02-20 at 14:00 +0530, subin ks via dovecot wrote:
> I've Dovecot and dovecot-sieve v 2.2.27 installed on a Debian 9.6.
> I'm trying to set a Sieve filter which will redirect all emails from
> `info` (i.e. .info) TLD to another email. This is the filter:
> 
> require ["regex"];
> # rule:[test]
> if header :regex "from" "info$"
> {
>   redirect "su...@domain.com";
> }
> 
> It's not being honored; all emails from .info TLD end up in the
> inbox and none are redirected. Let me know what I'm doing wrong.
> 
> Thanks.
> 


Re: sieve filter not working

2019-02-20 Thread Scott M. via dovecot
Why do you use regex ?

You can just use matches: 
https://p5r.uk/blog/2011/sieve-tutorial.html#matchtype

On Wed, Feb 20, 2019 at 03:31 AM, subin ks via dovecot wrote:
> I've Dovecot and dovecot-sieve v 2.2.27 installed on a Debian 9.6. I'm
> trying to set a Sieve filter which will redirect all emails from `info`
> (i.e. .info) TLD to another email. This is the filter:
> 
> require ["regex"];
> # rule:[test]
> if header :regex "from" "info$"
> {
>   redirect "su...@domain.com";
> }
> 
> It's not being honored; all emails from .info TLD end up in the inbox and
> none are redirected. Let me know what I'm doing wrong.
> 
> Thanks.


sieve filter not working

2019-02-20 Thread subin ks via dovecot
I've Dovecot and dovecot-sieve v 2.2.27 installed on a Debian 9.6. I'm
trying to set a Sieve filter which will redirect all emails from `info`
(i.e. .info) TLD to another email. This is the filter:

require ["regex"];
# rule:[test]
if header :regex "from" "info$"
{
redirect "su...@domain.com";
}

It's not being honored; all emails from .info TLD end up in the inbox and
none are redirected. Let me know what I'm doing wrong.

Thanks.