Re: Force TCP socket disconnect on imap login failure?

2022-05-23 Thread Péter Márton
Just for clarification (this probably won't help achieve your primary
goal to reset the connections):
Iptables can block future connections _and_ stop existing connections
from receiving (and sending) packets (even the command you posted). What it
can't do is close existing connections (sending a FIN).
If the example you show cannot block existing connections, you have
somewhere before the chain a RELATED, ESTABLISHED rule with ACCEPT as
target. This is a common mistake. Your fail2ban rules have to come
_before_ you check for related and established connections.

I never tested this, but you could try using "-j REJECT --reject-with
tcp-reset" instead of DROP. Then at least a RST would be sent.

Hippo Man wrote (on Mon, May 23, 2022, 23:17):
>
> OOPS! I incorrectly copied and pasted the iptables command in my previous 
> message. Here is the correct iptables command:
>
> iptables -I INPUT -p tcp -m multiport --destination-port 143,993 -d 
> aaa.bbb.ccc.ddd -j DROP
>
> This command successfully blocks *future* connections to ports 143 and 993 
> from that IP address, but as I mentioned, it doesn't kill the currently open 
> connection.
>
> --
>  hippo...@gmail.com
>  Take a hippopotamus to lunch today.
>
>
> On Mon, May 23, 2022 at 4:54 PM Hippo Man  wrote:
>>
>> Thank you, but fail2ban doesn't do what I need. Here is why ...
>>
>> I have used fail2ban and also my own homegrown log monitor program for this 
>> purpose. In both cases, I can detect the failed imap logins and then cause 
>> the following command to be run ...
>>
>> iptables -I INPUT -p tcp --destination-port aaa.bbb.ccc.ddd -j DROP
>>
>> However, this does not drop connections that are existing and already open. 
>> It will only drop *future* connections from that IP address to port 143.
>>
>> This is why I want to kill the existing connection. Even after that 
>> "iptables" command is issued, the entity which is connected to the imap port 
>> can continue to send more and more imap commands.
>>
>> If I can drop the TCP connection as soon as an imap login fails and also 
>> issue that kind of "iptables" command, then the client would have to 
>> reconnect in order to retry other login attempts. Those future connections 
>> would then be successfully blocked by that iptables rule.
>>
>> And even if I issue a "tcpdrop" command instead of just the "iptables" 
>> command, it doesn't kill the already-open connection. It just force-blocks 
>> future connections.
>>
>> I'm thinking of patching the dovecot source code to create a personal 
>> version which immediately disconnects from the socket after login failure. 
>> Of course, I would prefer not to do that, if there is another way to 
>> accomplish this.
>>
>> --
>>  hippo...@gmail.com
>>  Take a hippopotamus to lunch today.
>>
>>
>> On Mon, May 23, 2022 at 4:24 PM Jan Hugo Prins  wrote:
>>>
>>> Look at fail2ban.
>>> Should be able to do that for you.
>>>
>>> Jan Hugo
>>>
>>>
>>> On 5/23/22 21:11, Lloyd Zusman wrote:
>>>
>>> I'm running dovecot 2.2.13 under Debian 8.
>>>
>>> I'd like to force an immediate TCP socket disconnect after any imap login 
>>> attempt that fails.
>>>
>>> Right now, if invalid credentials are supplied during an imap login, the 
>>> client can keep retrying logins with different credentials. However, I want 
>>> to prevent that from occurring by causing the socket connection to be 
>>> closed as soon as there is any failed login attempt.
>>>
>>> I haven't been able to find any dovecot configuration setting which could 
>>> control this behavior, but I'm hoping that I just missed something.
>>>
>>> Thank you very much for any suggestions.
>>>
>>> --
>>>  hippo...@gmail.com
>>>  Take a hippopotamus to lunch today.
>>>
>>>


Re: Force TCP socket disconnect on imap login failure?

2022-05-23 Thread John Tulp
i googled a little, i was just curious about your question.

found a stackoverflow question which, answered, says that using gdb one
can close the fd, after using lsof to find it out.

oh, and your iptables command... you have the address aaa. etc with a
-d, i think you mean the source ip address of the connection, -s,
right ?

if you want, i can provide that link.



On Mon, 2022-05-23 at 17:16 -0400, Hippo Man wrote:
> OOPS! I incorrectly copied and pasted the iptables command in my
> previous message. Here is the correct iptables command:
> 
> iptables -I INPUT -p tcp -m multiport --destination-port 143,993 -d
> aaa.bbb.ccc.ddd -j DROP
> 
> 
> This command successfully blocks *future* connections to ports 143 and
> 993 from that IP address, but as I mentioned, it doesn't kill the
> currently open connection.
> 
> 
> 
> -- 
>  hippo...@gmail.com
>  Take a hippopotamus to lunch today.
> 
> 
> 
> 
> On Mon, May 23, 2022 at 4:54 PM Hippo Man  wrote:
> 
> Thank you, but fail2ban doesn't do what I need. Here is
> why ...
> 
> 
> I have used fail2ban and also my own homegrown log monitor
> program for this purpose. In both cases, I can detect the
> failed imap logins and then cause the following command to be
> run ...
> 
> 
> iptables -I INPUT -p tcp --destination-port aaa.bbb.ccc.ddd -j
> DROP
> 
> 
> However, this does not drop connections that are existing and
> already open. It will only drop *future* connections from that
> IP address to port 143.
> 
> 
> 
> This is why I want to kill the existing connection. Even after
> that "iptables" command is issued, the entity which is
> connected to the imap port can continue to send more and more
> imap commands.
> 
> 
> If I can drop the TCP connection as soon as an imap login
> fails and also issue that kind of "iptables" command, then the
> client would have to reconnect in order to retry other login
> attempts. Those future connections would then be successfully
> blocked by that iptables rule.
> 
> 
> And even if I issue a "tcpdrop" command instead of just the
> "iptables" command, it doesn't kill the already-open
> connection. It just force-blocks future connections.
> 
> 
> I'm thinking of patching the dovecot source code to create a
> personal version which immediately disconnects from the socket
> after login failure. Of course, I would prefer not to do that,
> if there is another way to accomplish this.
> 
> 
> 
> -- 
>  hippo...@gmail.com
>  Take a hippopotamus to lunch today.
> 
> 
> 
> 
> On Mon, May 23, 2022 at 4:24 PM Jan Hugo Prins
>  wrote:
> 
> Look at fail2ban.
> Should be able to do that for you.
> 
> Jan Hugo
> 
> 
> On 5/23/22 21:11, Lloyd Zusman wrote:
> 
> > I'm running dovecot 2.2.13 under Debian 8.
> > I'd like to force an immediate TCP socket disconnect
> > after any imap login attempt that fails.
> > 
> > Right now, if invalid credentials are supplied
> > during an imap login, the client can keep retrying
> > logins with different credentials. However, I want
> > to prevent that from occurring by causing the socket
> > connection to be closed as soon as there is any
> > failed login attempt.
> > 
> > I haven't been able to find any dovecot
> > configuration setting which could control this
> > behavior, but I'm hoping that I just missed
> > something.
> > 
> > Thank you very much for any suggestions.
> > 
> > 
> > -- 
> >  hippo...@gmail.com
> >  Take a hippopotamus to lunch today.
> > 
> 
> 
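
Two points from the replies in this thread can be checked mechanically against `iptables -S` output: a per-address ban that sits after a RELATED,ESTABLISHED ACCEPT never sees packets of an already-open connection, and a ban in INPUT that matches only on `-d` is matching the destination address rather than the client's. This is an added example, not code from any poster; the rule sets and addresses are constructed, and `audit` and its finding names are hypothetical.

```python
import shlex

BLOCK_TARGETS = {"DROP", "REJECT"}


def parse_rule(line):
    """Turn one '-A CHAIN ...' line of `iptables -S` output into a dict."""
    tok = shlex.split(line)
    if len(tok) < 2 or tok[0] != "-A":
        return None
    rule = {"chain": tok[1], "target": None, "states": set(),
            "src": None, "dst": None, "text": line.strip()}
    # Walk option/value pairs; options this check does not need are ignored.
    for opt, val in zip(tok[2:], tok[3:]):
        if opt in ("-j", "-g"):
            rule["target"] = val
        elif opt in ("--state", "--ctstate"):
            rule["states"] = set(val.split(","))
        elif opt == "-s":
            rule["src"] = val
        elif opt == "-d":
            rule["dst"] = val
    return rule


def audit(rules_text):
    """Return (finding, rule_text) pairs for per-address bans that are misplaced.

    Simplification: a chain counts as bypassed for established traffic once any
    ACCEPT rule matching ESTABLISHED has appeared in it, and a user chain (for
    example one created by fail2ban) inherits that if it is jumped to afterwards.
    """
    user_chains, bypassed, findings = set(), set(), []
    for line in rules_text.splitlines():
        tok = line.split()
        if len(tok) == 2 and tok[0] == "-N":
            user_chains.add(tok[1])
            continue
        rule = parse_rule(line)
        if rule is None:
            continue
        chain, target = rule["chain"], rule["target"]
        if target == "ACCEPT" and "ESTABLISHED" in rule["states"]:
            bypassed.add(chain)
        elif target in user_chains and chain in bypassed:
            bypassed.add(target)
        elif target in BLOCK_TARGETS and (rule["src"] or rule["dst"]):
            # Only per-address bans are checked; a final catch-all DROP is normal.
            if chain in bypassed:
                findings.append(("after-established-accept", rule["text"]))
            if chain == "INPUT" and rule["dst"] and not rule["src"]:
                findings.append(("destination-only", rule["text"]))
    return findings


# Constructed rule set: bans are evaluated after the ESTABLISHED shortcut.
CONSTRUCTED_BAD = """\
-P INPUT ACCEPT
-N f2b-dovecot
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 143,993 -j f2b-dovecot
-A INPUT -d 203.0.113.7/32 -p tcp -m multiport --dports 143,993 -j DROP
-A INPUT -j DROP
-A f2b-dovecot -s 198.51.100.23/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-dovecot -j RETURN
"""

# Constructed rule set: bans first, matched on source, RST sent on rejection.
CONSTRUCTED_GOOD = """\
-P INPUT ACCEPT
-N f2b-dovecot
-A INPUT -p tcp -m multiport --dports 143,993 -j f2b-dovecot
-A INPUT -s 203.0.113.7/32 -p tcp -m multiport --dports 143,993 -j REJECT --reject-with tcp-reset
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
-A f2b-dovecot -s 198.51.100.23/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-dovecot -j RETURN
"""

if __name__ == "__main__":
    for kind, text in audit(CONSTRUCTED_BAD):
        print(f"{kind}: {text}")
```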



Re: enable/control fts-tika debug logging in Dovecot 2.3.18 + Tika Server 2.4.0?

2022-05-23 Thread PGNet Dev

On 5/23/22 8:16 PM, Michael Slusarz wrote:

Unfortunately, Tika has not yet been converted to events/categories with the 
ability to more granularly enable debugging just for this component.


Aha! Thx.


It's probably easier to just look at tika's debugging logs.  The default log level 
(at least in Tika 2.3) will output an INFO line for every attachment indexed:

INFO  [qtp235162442-22] 16:15:19,905 org.apache.tika.server.core.resource.TikaResource /tika (text/calendar)


I've been poking at slf4j; thought that's what tika 2x uses.
So far, haven't been able to get a peep out of it. :-/  Need to go a'googlin'

OTOH, with `mail_debug = on`, I see these,

...
2022-05-23 20:49:37 indexer-worker(myu...@example.com): Debug: http-client: request [Req1: PUT http://127.0.0.1/tika/]: Submitted (requests left=1)
2022-05-23 20:49:37 indexer-worker(myu...@example.com): Debug: http-client: request [Req1: PUT http://127.0.0.1/tika/]: Waiting for request to finish
2022-05-23 20:49:37 indexer-worker(myu...@example.com): Debug: http-client: queue http://127.0.0.1:9998: Connection to peer 127.0.0.1:9998 claimed request [Req1: PUT http://127.0.0.1:9998/tika/]
2022-05-23 20:49:37 indexer-worker(myu...@example.com): Debug: http-client: conn 127.0.0.1:9998 [1]: Claimed request [Req1: PUT http://127.0.0.1:9998/tika/]
2022-05-23 20:49:37 indexer-worker(myu...@example.com): Debug: http-client: request [Req1: PUT http://127.0.0.1/tika/]: Sent header
2022-05-23 20:49:37 indexer-worker(myu...@example.com): Debug: http-client: request [Req1: PUT http://127.0.0.1/tika/]: Send more (sent 5562, buffered=5570)
2022-05-23 20:49:37 indexer-worker(myu...@example.com): Debug: http-client: request [Req1: PUT http://127.0.0.1/tika/]: Waiting for request to finish
2022-05-23 20:49:37 indexer-worker(myu...@example.com):
...

, which looks promising.

But, so far, body Search exec, from within TBird, is not returning anything 
that I know is in that PDF.  Which is the 'problem' I'm trying to log in order 
to debug ...



Re: enable/control fts-tika debug logging in Dovecot 2.3.18 + Tika Server 2.4.0?

2022-05-23 Thread Michael Slusarz
> On 05/23/2022 5:27 PM PGNet Dev  wrote:
> 
> how to correctly turn on debug/verbose logging for fts-tika use in/by dovecot?

mail_debug = yes

This turns on HTTP debugging for the outgoing Tika requests.

Unfortunately, Tika has not yet been converted to events/categories with the 
ability to more granularly enable debugging just for this component.

It's probably easier to just look at tika's debugging logs.  The default log 
level (at least in Tika 2.3) will output an INFO line for every attachment 
indexed:

INFO  [qtp235162442-22] 16:15:19,905 org.apache.tika.server.core.resource.TikaResource /tika (text/calendar)

michael


enable/control fts-tika debug logging in Dovecot 2.3.18 + Tika Server 2.4.0?

2022-05-23 Thread PGNet Dev

i run

dovecot-2.3.18-1.fc36.x86_64

i've installed Apache Tika, v 2.4.0

ls -al tika-server-standard-2.4.0.jar
-rw-r--r-- 1 root root 59M May  2 09:53 tika-server-standard-2.4.0.jar


tika's listening

telnet 127.0.0.1 9998
  Trying 127.0.0.1...
  Connected to 127.0.0.1.
  Escape character is '^]'.
  telnet>

and responds to a test

curl \
-T /tmp/test.pdf \
http://127.0.0.1:9998/meta

  pdf:unmappedUnicodeCharsPerPage,0,0,0,0,0,0,0,0,0,0,0,0,0,0
  pdf:PDFVersion,1.4
  xmp:CreatorTool,Adobe InDesign 15.1 (Macintosh)
  pdf:hasXFA,false
  access_permission:modify_annotations,true
  access_permission:can_print_degraded,true
  X-TIKA:Parsed-By-Full-Set,org.apache.tika.parser.DefaultParser,org.apache.tika.parser.pdf.PDFParser
  dcterms:created,2020-08-13T14:55:46Z
  language,en
  dcterms:modified,2020-09-24T23:38:28Z
  dc:format,application/pdf; version=1.4
  xmpMM:DocumentID,xmp.id:8a612346-9d03-4caf-8ebf-da6f3716ed0a
  pdf:docinfo:creator_tool,Adobe InDesign 15.1 (Macintosh)
  access_permission:fill_in_form,true
  pdf:docinfo:modified,2020-09-24T23:38:28Z
  pdf:hasCollection,false
  pdf:encrypted,false
  pdf:hasMarkedContent,true
  Content-Type,application/pdf
  dc:language,en-US
  pdf:producer,Adobe PDF Library 15.0
  access_permission:extract_for_accessibility,true
  access_permission:assemble_document,true
  xmpTPg:NPages,14
  pdf:hasXMP,true
  pdf:charsPerPage,84,676,1653,1914,814,1022,645,1221,1087,732,887,1295,1263,149
  access_permission:extract_content,true
  xmpMM:DerivedFrom:DocumentID,xmp.did:b98726d4-04c4-48f5-88be-0a48a0074356
  access_permission:can_print,true
  pdf:docinfo:trapped,false
  X-TIKA:Parsed-By,org.apache.tika.parser.DefaultParser,org.apache.tika.parser.pdf.PDFParser
  xmpMM:DerivedFrom:InstanceID,xmp.iid:3dd6a91f-a114-4d63-804e-e2b749c15075
  pdf:annotationTypes,null
  access_permission:can_modify,true
  pdf:docinfo:producer,Adobe PDF Library 15.0
  pdf:docinfo:created,2020-08-13T14:55:46Z
  pdf:annotationSubtypes,Link


in dovecot config, i've added

plugin {
fts_tika = http://127.0.0.1:9998/tika/
}

and

log_debug = (category=fts-flatcurve OR category=fts-tika)

on message receipt, I see verbose logs for fts-flatcurve, as expected, but not 
a trace of output from fts-tika, in dovecot logs

how to correctly turn on debug/verbose logging for fts-tika use in/by dovecot?


Re: doveadm mailbox status -u p...@scom.ca -t all (syntax)

2022-05-23 Thread Paul Kudla (SCOM.CA Internet Services Inc.)



thanks




Happy Monday !!!
Thanks - paul

Paul Kudla


Scom.ca Internet Services 
004-1009 Byron Street South
Whitby, Ontario - Canada
L1N 4S3

Toronto 416.642.7266
Main 1.866.411.7266
Fax 1.888.892.7266
Email p...@scom.ca

On 5/23/2022 6:40 PM, Patrick Domack wrote:

doveadm mailbox status -t all -u 'p...@scom.ca' '*'


Re: doveadm mailbox status -u p...@scom.ca -t all (syntax)

2022-05-23 Thread Patrick Domack

Don't you mean:

doveadm mailbox status -t all -u 'p...@scom.ca' '*'


Quoting "Paul Kudla (SCOM.CA Internet Services Inc.)" :


&

# doveadm mailbox status -t all -u 'p...@scom.ca' 'p...@scom.ca'


doveadm(p...@scom.ca): Error: Mailbox p...@scom.ca: Failed to lookup


mailbox status: Character not allowed in mailbox name: '.'
messages=0 recent=0 unseen=0 vsize=0

&

# doveadm mailbox status -t all 'p...@scom.ca'

doveadm(root): Error: Couldn't drop privileges: User is missing UID  
(see mail_uid setting)



sorry just can not figure it out??






Happy Monday !!!
Thanks - paul

Paul Kudla


Scom.ca Internet Services 
004-1009 Byron Street South
Whitby, Ontario - Canada
L1N 4S3

Toronto 416.642.7266
Main 1.866.411.7266
Fax 1.888.892.7266
Email p...@scom.ca

On 5/23/2022 5:34 PM, Paul Kudla (SCOM.CA Internet Services Inc.) wrote:



Ok I know this is a general question and at my level I should be  
able to figure this out


all i want is the complete status of an inbox ?





# doveadm mailbox status -u p...@scom.ca -t all

keeps returning 


doveadm mailbox status [-u |-A] [-S ]   
 [...]


ie no specific error.

and no status answer

just looking for default info ?








Re: doveadm mailbox status -u p...@scom.ca -t all (syntax)

2022-05-23 Thread Paul Kudla (SCOM.CA Internet Services Inc.)



&

# doveadm mailbox status -t all -u 'p...@scom.ca' 'p...@scom.ca'


doveadm(p...@scom.ca): Error: Mailbox p...@scom.ca: Failed to lookup


mailbox status: Character not allowed in mailbox name: '.'
messages=0 recent=0 unseen=0 vsize=0

&

# doveadm mailbox status -t all 'p...@scom.ca'

doveadm(root): Error: Couldn't drop privileges: User is missing UID (see 
mail_uid setting)



sorry just can not figure it out??






Happy Monday !!!
Thanks - paul

Paul Kudla


Scom.ca Internet Services 
004-1009 Byron Street South
Whitby, Ontario - Canada
L1N 4S3

Toronto 416.642.7266
Main 1.866.411.7266
Fax 1.888.892.7266
Email p...@scom.ca

On 5/23/2022 5:34 PM, Paul Kudla (SCOM.CA Internet Services Inc.) wrote:



Ok I know this is a general question and at my level I should be able to 
figure this out


all i want is the complete status of an inbox ?





# doveadm mailbox status -u p...@scom.ca -t all

keeps returning 


doveadm mailbox status [-u |-A] [-S ]  
 [...]


ie no specific error.

and no status answer

just looking for default info ?




doveadm mailbox status -u p...@scom.ca -t all (syntax)

2022-05-23 Thread Paul Kudla (SCOM.CA Internet Services Inc.)



Ok I know this is a general question and at my level I should be able to 
figure this out


all i want is the complete status of an inbox ?





# doveadm mailbox status -u p...@scom.ca -t all

keeps returning 


doveadm mailbox status [-u |-A] [-S ]  
 [...]


ie no specific error.

and no status answer

just looking for default info ?


--


Happy Monday !!!
Thanks - paul

Paul Kudla


Scom.ca Internet Services 
004-1009 Byron Street South
Whitby, Ontario - Canada
L1N 4S3

Toronto 416.642.7266
Main 1.866.411.7266
Fax 1.888.892.7266
Email p...@scom.ca


Re: dovecot-fts-solr Solr9 support

2022-05-23 Thread Shawn Heisey

On 5/17/2022 11:32 AM, PGNet Dev wrote:

CaffeineCache  _should_ be a solution for both series.
I'm just starting to do a bit of testing, but so far, indexing/search 
with Caffeine seems quicker, at least.
I do not yet know in which case(s) CaffeineCache is _not_ an 
appropriate solution.


CaffeineCache was added in Solr 8.3.0.  So it is not available in all 
8.x releases.


https://issues.apache.org/jira/browse/SOLR-8241

I know more than a little bit about Solr's caches.  I am the author of 
LFUCache, added way back in Solr 3.6.0.  That is an extremely naive 
"intro to programming" implementation, but it works.


https://issues.apache.org/jira/browse/SOLR-2906

Caffeine is a highly optimized and battle-tested cache, with very good 
performance.  Shortly after it was added to Solr, all the other cache 
implementations were deprecated, and then removed in 9.0.0.


I should probably see if I can write some end to end instructions for 
installing Solr and configuring dovecot to use it.


Having something well-vetted and doc'd will be useful.


If I ever find any time I will definitely work on that.

Thanks,
Shawn



Re: Force TCP socket disconnect on imap login failure?

2022-05-23 Thread Hippo Man
OOPS! I incorrectly copied and pasted the iptables command in my previous
message. Here is the correct iptables command:

iptables -I INPUT -p tcp -m multiport --destination-port 143,993 -d
aaa.bbb.ccc.ddd -j DROP

This command successfully blocks *future* connections to ports 143 and 993
from that IP address, but as I mentioned, it doesn't kill the currently
open connection.

-- 
 hippo...@gmail.com
 Take a hippopotamus to lunch today.


On Mon, May 23, 2022 at 4:54 PM Hippo Man  wrote:

> Thank you, but fail2ban doesn't do what I need. Here is why ...
>
> I have used fail2ban and also my own homegrown log monitor program for
> this purpose. In both cases, I can detect the failed imap logins and then
> cause the following command to be run ...
>
> iptables -I INPUT -p tcp --destination-port aaa.bbb.ccc.ddd -j DROP
>
> However, this does not drop connections that are existing and already
> open. It will only drop *future* connections from that IP address to port
> 143.
>
> This is why I want to kill the existing connection. Even after that
> "iptables" command is issued, the entity which is connected to the imap
> port can continue to send more and more imap commands.
>
> If I can drop the TCP connection as soon as an imap login fails and also
> issue that kind of "iptables" command, then the client would have to
> reconnect in order to retry other login attempts. Those future connections
> would then be successfully blocked by that iptables rule.
>
> And even if I issue a "tcpdrop" command instead of just the "iptables"
> command, it doesn't kill the already-open connection. It just force-blocks
> future connections.
>
> I'm thinking of patching the dovecot source code to create a personal
> version which immediately disconnects from the socket after login failure.
> Of course, I would prefer not to do that, if there is another way to
> accomplish this.
>
> --
>  hippo...@gmail.com
>  Take a hippopotamus to lunch today.
>
>
> On Mon, May 23, 2022 at 4:24 PM Jan Hugo Prins  wrote:
>
>> Look at fail2ban.
>> Should be able to do that for you.
>>
>> Jan Hugo
>>
>>
>> On 5/23/22 21:11, Lloyd Zusman wrote:
>>
>> I'm running dovecot 2.2.13 under Debian 8.
>>
>> I'd like to force an immediate TCP socket disconnect after any imap login
>> attempt that fails.
>>
>> Right now, if invalid credentials are supplied during an imap login, the
>> client can keep retrying logins with different credentials. However, I want
>> to prevent that from occurring by causing the socket connection to be
>> closed as soon as there is any failed login attempt.
>>
>> I haven't been able to find any dovecot configuration setting which
>> could control this behavior, but I'm hoping that I just missed something.
>>
>> Thank you very much for any suggestions.
>> --
>>  hippo...@gmail.com
>>  Take a hippopotamus to lunch today.
>>
>>
>>


Re: Force TCP socket disconnect on imap login failure?

2022-05-23 Thread Paul Kudla (SCOM.CA Internet Services Inc.)



Ok would like to help and I DO understand the issue at hand.

It took me with custom programming 5 years of tinkering to get to what i 
have today.


So a few questions / comments ??

Are you running an sql database or just user-db (local) to do the lookups ?

sql gives you some major flexibility on how to track and ignore ip 
blocks etc etc etc upon logins.


Issues to consider (I will explain the system i wrote for SCOM.CA as I 
went through a lot to get here and you like most are probably 
experiencing the same hack attempts.)


Note I am not trying to get off topic but you need to think about stuff 
like this through a bit.


You also have to consider people trying to send through postfix as it is 
the same issue in reverse.


Under SCOM I do the following (only meant to be a guideline):

1. i have a common syslogger running that ALL logging goes through.

2. I then have conditions against anything being logged that will 
trigger an event.


3. The event triggered in your case would be seeing a line like

   auth: sql(t...@dereilanatureinn.ca,220.194.140.110,<5H72HLPfTp/cwoxu>): unknown user

   pop3-login: Disconnected: Connection closed (auth failed, 1 attempts in 3 secs): user=, method=PLAIN, rip=110.44.124.224, lip=65.39.148.18



there are other conditions but you get the idea.

Ok from here it starts getting complicated.

The idea is to keep the riffraff out and allow good users in.

Easier said than done.

I track all bad logins from all bad ip addresses and then run a separate 
database table that tracks that.


the ip address that gets tracked lands in two places,

the firewall tables (which for me are global)

&

the user in my database.

if a user is unknown (example above) then at least the first condition 
will catch a bad hack attempt based on ip. Most hack attempts by ip 
address usually keep sending common login names (like admin, ftp, 
ftpuser etc etc) hoping to match to a common account.


for the user (which is relative here) i let 30 attempts go by every 30 
minutes and 500 per month, after which the user is blocked via auth in 
sql and will have to call to get unlocked. Usually the ip address is 
blacklisted before the username is so its not that much of a deal.


after which it becomes part of the user query to lock out the user from 
anywhere as they are obviously getting hacked.


when an ip is doing the hacking then i count using the same formula and 
then blacklist it internal to all of my servers (thus a database makes 
it easier to track)


I run freebsd and thus use pf firewall, iptables can do the same with 
the same info you just need to build the tables and update them. (i 
update mine every 10 minutes, i find pf does this quicker on large 
tables (like 10,000 blocked) )



Now for the issue at hand that you are asking about:

I am sure that the c programming could be patched along the line to do 
exactly what you are asking,


However Issues that pop up.

so you hang up on the connection, they will probably just login again 
anyways which means without tracking the ip & username stats and 
updating accordingly it will really not change anything at the end of 
the day.


In my experience I see people / servers etc constantly hacking my side 
and what i generally described above turned out to be the only real fix, 
and not even really that guaranteed to work!


I do get ip's that get blacklisted by accident (i do the whole class 'c' 
as the 'c' block is usually all the same guy) but i get a good one maybe 
every few months, usually when i block it there are not many complaints 
after that.



I know the above is complicated, fyi i track postfix's sasl auth's as 
well but in that case to get a username & ip address on one syslog line 
i had to patch the sasl auth c file to get a log entry that was useable.


Postfix simply will NOT provide the info on one line.

Between both of the conditions above the server's remain fairly useable 
and secured.


the CSF firewall option below IS valid but i find you need to track IP 
address & username or you end up blocking stuff you don't want to


also on another note IPV6 (at least in canada) is becoming a pain for isp's

many cable companies, dsl providers etc are assigning an ipv6 address 
and then converting it to ipv4 on the way out the door from their 
networks using double natting ?


Issue is you can have 10,000 people all sharing that same ip address and 
if you block it then that will prevent other 'good' people from logging 
in, again back to tracking the username in this case gives you an out if 
the hacker is just using a list obtained elsewhere on the net.



Food for thought.


Happy Monday !!!
Thanks - paul

Paul Kudla


Scom.ca Internet Services 
004-1009 Byron Street South
Whitby, Ontario - Canada
L1N 4S3

Toronto 416.642.7266
Main 1.866.411.7266
Fax 1.888.892.7266
Email p...@scom.ca

On 5/23/2022 3:26 PM, dovecot-boun...@dovecot.org wrote:


On 2022-05-23 20:11, Lloyd Zusman wrote:
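
One way to implement the counting described in the message above: failures are tallied per client /24 ("the whole class 'c'") and per username, each against the same two limits (30 per 30 minutes, 500 per month), so a shared address and a targeted account are handled separately. This is an added example, not Paul Kudla's code; the log line layout (ISO timestamp, host name, `user=<...>`), the names `FailureCounter` and `analyse`, and all sample addresses and users are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # "30 attempts ... every 30 minutes"
WINDOW_LIMIT = 30
MONTH_LIMIT = 500                # "500 per month"

# Assumed layout: "<YYYY-MM-DD HH:MM:SS> <host> imap-login: ... (auth failed,
# N attempts in S secs): user=<name>, method=..., rip=<client>, lip=<server>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*?(?:imap|pop3)-login: "
    r".*?\(auth failed, (?P<n>\d+) attempts.*?"
    r"user=<(?P<user>[^>]*)>.*?\brip=(?P<rip>\d+\.\d+\.\d+\.\d+)"
)


class FailureCounter:
    """Sliding 30-minute window plus calendar-month total, per key."""

    def __init__(self):
        self.recent = defaultdict(deque)   # key -> deque of (time, attempts)
        self.monthly = defaultdict(int)    # (key, year, month) -> attempts
        self.over_limit = {}               # key -> "window" or "month"

    def add(self, key, ts, attempts):
        # Events for one key must arrive in time order (log order).
        events = self.recent[key]
        events.append((ts, attempts))
        while ts - events[0][0] > WINDOW:
            events.popleft()
        month_key = (key, ts.year, ts.month)
        self.monthly[month_key] += attempts
        # The limit itself is tolerated; the first attempt past it trips the block.
        if sum(n for _, n in events) > WINDOW_LIMIT:
            self.over_limit.setdefault(key, "window")
        elif self.monthly[month_key] > MONTH_LIMIT:
            self.over_limit.setdefault(key, "month")


def analyse(lines):
    """Return (networks to firewall, usernames to lock) from failed-login lines."""
    nets, users = FailureCounter(), FailureCounter()
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        attempts = int(m["n"])
        net = ipaddress.ip_network(m["rip"] + "/24", strict=False)
        nets.add(str(net), ts, attempts)
        if m["user"]:                      # lines without a username count by IP only
            users.add(m["user"].lower(), ts, attempts)
    return nets.over_limit, users.over_limit


def constructed_sample():
    """Constructed log lines; none of these values come from a real system."""
    t0 = datetime(2022, 5, 23, 20, 0, 0)
    fmt = ("{ts} mail imap-login: Disconnected (auth failed, 1 attempts in 3 secs): "
           "user=<{user}>, method=PLAIN, rip={rip}, lip=192.0.2.10")
    lines = []
    for i in range(31):   # one /24 guessing 31 different names in about 5 minutes
        lines.append(fmt.format(ts=t0 + timedelta(seconds=10 * i),
                                user=f"guess{i}", rip=f"203.0.113.{i + 1}"))
    for i in range(31):   # one account tried from 31 different networks
        lines.append(fmt.format(ts=t0 + timedelta(minutes=6, seconds=10 * i),
                                user="alice@example.org", rip=f"10.20.{i}.9"))
    for i in range(10):   # slow failures from one address, well under the limits
        lines.append(fmt.format(ts=t0 + timedelta(minutes=30 * i),
                                user="bob@example.org", rip="10.99.0.5"))
    return sorted(lines)  # ISO timestamps sort chronologically as strings


if __name__ == "__main__":
    blocked_nets, locked_users = analyse(constructed_sample())
    print("firewall:", blocked_nets)
    print("lock user:", locked_users)
```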


Re: Force TCP socket disconnect on imap login failure?

2022-05-23 Thread Hippo Man
Thank you, but fail2ban doesn't do what I need. Here is why ...

I have used fail2ban and also my own homegrown log monitor program for this
purpose. In both cases, I can detect the failed imap logins and then cause
the following command to be run ...

iptables -I INPUT -p tcp --destination-port aaa.bbb.ccc.ddd -j DROP

However, this does not drop connections that are existing and already open.
It will only drop *future* connections from that IP address to port 143.

This is why I want to kill the existing connection. Even after that
"iptables" command is issued, the entity which is connected to the imap
port can continue to send more and more imap commands.

If I can drop the TCP connection as soon as an imap login fails and also
issue that kind of "iptables" command, then the client would have to
reconnect in order to retry other login attempts. Those future connections
would then be successfully blocked by that iptables rule.

And even if I issue a "tcpdrop" command instead of just the "iptables"
command, it doesn't kill the already-open connection. It just force-blocks
future connections.

I'm thinking of patching the dovecot source code to create a personal
version which immediately disconnects from the socket after login failure.
Of course, I would prefer not to do that, if there is another way to
accomplish this.

-- 
 hippo...@gmail.com
 Take a hippopotamus to lunch today.


On Mon, May 23, 2022 at 4:24 PM Jan Hugo Prins  wrote:

> Look at fail2ban.
> Should be able to do that for you.
>
> Jan Hugo
>
>
> On 5/23/22 21:11, Lloyd Zusman wrote:
>
> I'm running dovecot 2.2.13 under Debian 8.
>
> I'd like to force an immediate TCP socket disconnect after any imap login
> attempt that fails.
>
> Right now, if invalid credentials are supplied during an imap login, the
> client can keep retrying logins with different credentials. However, I want
> to prevent that from occurring by causing the socket connection to be
> closed as soon as there is any failed login attempt.
>
> I haven't been able to find any dovecot configuration setting which could
> control this behavior, but I'm hoping that I just missed something.
>
> Thank you very much for any suggestions.
> --
>  hippo...@gmail.com
>  Take a hippopotamus to lunch today.
>
>
>


Re: Force TCP socket disconnect on imap login failure?

2022-05-23 Thread Jan Hugo Prins

Look at fail2ban.
Should be able to do that for you.

Jan Hugo


On 5/23/22 21:11, Lloyd Zusman wrote:

I'm running dovecot 2.2.13 under Debian 8.

I'd like to force an immediate TCP socket disconnect after any imap 
login attempt that fails.


Right now, if invalid credentials are supplied during an imap login, 
the client can keep retrying logins with different credentials. 
However, I want to prevent that from occurring by causing the socket 
connection to be closed as soon as there is any failed login attempt.


I haven't been able to find any dovecot configuration setting which 
could control this behavior, but I'm hoping that I just missed something.


Thank you very much for any suggestions.

--
hippo...@gmail.com
 Take a hippopotamus to lunch today.


Force TCP socket disconnect on imap login failure?

2022-05-23 Thread Lloyd Zusman
I'm running dovecot 2.2.13 under Debian 8.

I'd like to force an immediate TCP socket disconnect after any imap login
attempt that fails.

Right now, if invalid credentials are supplied during an imap login, the
client can keep retrying logins with different credentials. However, I want
to prevent that from occurring by causing the socket connection to be
closed as soon as there is any failed login attempt.

I haven't been able to find any dovecot configuration setting which could
control this behavior, but I'm hoping that I just missed something.

Thank you very much for any suggestions.
-- 
 hippo...@gmail.com
 Take a hippopotamus to lunch today.


Many Thanks to the Programmers

2022-05-23 Thread Paul Kudla (SCOM.CA Internet Services Inc.)



I am still in testing mode with 2.3.19 but the replication with the 
folders over 300+ seems to be fixed


everything synced ok on its own within 30 minutes

Again MUCH APPRECIATED !

Moving to 2.3.19 was worth it!

--


Happy Monday !!!
Thanks - paul

Paul Kudla


Scom.ca Internet Services 
004-1009 Byron Street South
Whitby, Ontario - Canada
L1N 4S3

Toronto 416.642.7266
Main 1.866.411.7266
Fax 1.888.892.7266
Email p...@scom.ca


Re: mail_replica in userdb?

2022-05-23 Thread Coy Hile


> On May 23, 2022, at 11:42 AM, Paul Kudla (SCOM.CA Internet Services Inc.) 
>  wrote:
> 
> 
> So are you ok now

I don’t know that. I don’t know if what I’m trying to do is actually supported 
as yet. I’m going to setup the downstream replica for this box after I finish 
work today and try to cut-over to this new setup completely. If the error 
message goes away once I’ve configured bidirectional replication, I’d say I’m 
good, but we’ll find that out empirically.

Appreciate your help, Paul and Aki.  The replication seems to work, but I still 
see that particular error. Need to test that one more thing is working on the 
new box.


--
Coy Hile
coy.h...@coyhile.com








Re: mail_replica in userdb?

2022-05-23 Thread Paul Kudla (SCOM.CA Internet Services Inc.)



So are you ok now

I'm a postgresql kinda guy never got around to ldap as that was mostly 
windows based!


fyi



Happy Monday !!!
Thanks - paul

Paul Kudla


Scom.ca Internet Services 
004-1009 Byron Street South
Whitby, Ontario - Canada
L1N 4S3

Toronto 416.642.7266
Main 1.866.411.7266
Fax 1.888.892.7266
Email p...@scom.ca

On 5/23/2022 11:18 AM, Coy Hile wrote:




On May 23, 2022, at 11:00 AM, Paul Kudla (SCOM.CA Internet Services Inc.) 
 wrote:


ok there is more to replica setup

user-db error seems to indicate the sql iterate is not set up or not returning 
stuff properly

can you specify what you are using for a sql setup (if any)

can help from there?




Ah, on the new side, I am using LDAP, rather than SQL, setup thusly in 
dovecot-ldap.conf.ext (once I removed all the comments and blank lines):

  '/^$/d'
hosts = ldap.coyhile.com
dn = uid=dovecotquery,ou=people,dc=coyhile,dc=com
dnpass = [redacted]
base = ou=People,dc=coyhile,dc=com
scope = subtree
user_filter = (&(objectClass=posixAccount)(uid=%n))
pass_attrs = uid=%n,userPassword=password
pass_filter = (&(objectClass=posixAccount)(uid=%n))
iterate_attrs = maildrop=user
iterate_filter = (objectClass=posixAccount)


--
Coy Hile
coy.h...@coyhile.com






Re: mail_replica in userdb?

2022-05-23 Thread Coy Hile


> On May 23, 2022, at 11:00 AM, Paul Kudla (SCOM.CA Internet Services Inc.) 
>  wrote:
> 
> 
> ok there is more to replica setup
> 
> user-db error seems to indicate the sql iterate is not setup or not returning 
> stuff properly
> 
> can you specify what you are using for a sql setup (if any)
> 
> can help from there?
> 


Ah, on the new side, I am using LDAP, rather than SQL, setup thusly in 
dovecot-ldap.conf.ext (once I removed all the comments and blank lines):

 '/^$/d'
hosts = ldap.coyhile.com
dn = uid=dovecotquery,ou=people,dc=coyhile,dc=com
dnpass = [redacted]
base = ou=People,dc=coyhile,dc=com
scope = subtree
user_filter = (&(objectClass=posixAccount)(uid=%n))
pass_attrs = uid=%n,userPassword=password
pass_filter = (&(objectClass=posixAccount)(uid=%n))
iterate_attrs = maildrop=user
iterate_filter = (objectClass=posixAccount)


--
Coy Hile
coy.h...@coyhile.com








Re: mail_replica in userdb?

2022-05-23 Thread Paul Kudla (SCOM.CA Internet Services Inc.)



my apologies i read through the other posts after responding

you are using ldap ?




Happy Monday !!!
Thanks - paul

Paul Kudla


Scom.ca Internet Services 
004-1009 Byron Street South
Whitby, Ontario - Canada
L1N 4S3

Toronto 416.642.7266
Main 1.866.411.7266
Fax 1.888.892.7266
Email p...@scom.ca

On 5/23/2022 11:00 AM, Paul Kudla (SCOM.CA Internet Services Inc.) wrote:

> ok there is more to replica setup
>
> user-db error seems to indicate the sql iterate is not setup or not
> returning stuff properly
>
> can you specify what you are using for a sql setup (if any)
>
> can help from there?
>
> Happy Monday !!!
> Thanks - paul
>
> Paul Kudla
>
> Scom.ca Internet Services
> 004-1009 Byron Street South
> Whitby, Ontario - Canada
> L1N 4S3
>
> Toronto 416.642.7266
> Main 1.866.411.7266
> Fax 1.888.892.7266
> Email p...@scom.ca
>
> On 5/23/2022 3:20 AM, Aki Tuomi wrote:
>
>> On 22/05/2022 02:32 Coy Hile  wrote:
>>
>>> I seem to have got replication working from an older instance to a
>>> newer one (insofar as the data are present on the new box) that I’m
>>> looking to stand up to replace a newer box. In this case, nothing is
>>> configured to talk to the new machine yet, so the replication is
>>> unidirectional (old -> new).
>>>
>>> However, I’m seeing an error like this repeatedly in syslog:
>>>
>>> 2022-05-21T23:23:15.295252+00:00 basement-imap01 dovecot:
>>> doveadm(h...@coyhile.com): Error: sync: User has no mail_replica in
>>> userdb
>>>
>>> What setting did I miss?
>>
>> plugin {
>>    mail_replica = 
>> }
>>
>> https://doc.dovecot.org/settings/plugin/replication-plugin/
>>
>> Aki





Re: mail_replica in userdb?

2022-05-23 Thread Paul Kudla (SCOM.CA Internet Services Inc.)



ok there is more to replica setup

user-db error seems to indicate the sql iterate is not setup or not 
returning stuff properly


can you specify what you are using for a sql setup (if any)

can help from there?




Happy Monday !!!
Thanks - paul

Paul Kudla


Scom.ca Internet Services 
004-1009 Byron Street South
Whitby, Ontario - Canada
L1N 4S3

Toronto 416.642.7266
Main 1.866.411.7266
Fax 1.888.892.7266
Email p...@scom.ca

On 5/23/2022 3:20 AM, Aki Tuomi wrote:

> On 22/05/2022 02:32 Coy Hile  wrote:
>
>> I seem to have got replication working from an older instance to a newer one
>> (insofar as the data are present on the new box) that I’m looking to stand
>> up to replace a newer box. In this case, nothing is configured to talk to
>> the new machine yet, so the replication is unidirectional (old -> new).
>>
>> However, I’m seeing an error like this repeatedly in syslog:
>>
>> 2022-05-21T23:23:15.295252+00:00 basement-imap01 dovecot:
>> doveadm(h...@coyhile.com): Error: sync: User has no mail_replica in userdb
>>
>> What setting did I miss?
>
> plugin {
>    mail_replica = 
> }
>
> https://doc.dovecot.org/settings/plugin/replication-plugin/
>
> Aki



Re: mail_replica in userdb?

2022-05-23 Thread Coy Hile


> On May 23, 2022, at 3:20 AM, Aki Tuomi  wrote:
> 
>> 
>> On 22/05/2022 02:32 Coy Hile  wrote:
>> 
>> 
>> I seem to have got replication working from an older instance to a newer one 
>> (insofar as the data are present on the new box) that I’m looking to stand 
>> up to replace a newer box. In this case, nothing is configured to talk to 
>> the new machine yet, so the replication is unidirectional (old -> new).
>> 
>> However, I’m seeing an error like this repeatedly in syslog:
>> 
>> 2022-05-21T23:23:15.295252+00:00 basement-imap01 dovecot: 
>> doveadm(h...@coyhile.com): Error: sync: User has no mail_replica in userdb
>> 
>> What setting did I miss?
>> 
> 
> plugin {
> mail_replica = 
> }
> 
> https://doc.dovecot.org/settings/plugin/replication-plugin/
> 
> Aki


The way I read that, it configures a location to where a machine will replicate 
data. At present, I’m trying to turn up the new box slowly (haven’t yet 
configured LDA or appropriate TLS settings, for example), so my intent was that 
this host not replicate any of its data anywhere, yet.  Eventually, I’ll have 
data moving hostA <—> hostB bidirectionally.

Is the phased approach I was trying to take not something supported?

--
Coy Hile
coy.h...@coyhile.com








Re: SQL user_query quota_rule for *:messages=

2022-05-23 Thread James

On 23/05/2022 08:18, Aki Tuomi wrote:


>> Is it possible to override the message count limit with an SQL
>> user_query (and password_query)?
>>
>> I tried returning userdb_quota_rule2 in the SQL but it did not work.
>> "SELECT ... '*:messages=' || maxcount AS userdb_quota_rule2 ...;"
>>
>> Ref:
>> https://doc.dovecot.org/configuration_manual/authentication/user_database_extra_fields/#authentication-user-database-extra-fields
>
> If you are returning that from userdb, you should not return it with `userdb_`
> prefix.


Thank you, correct advice, my mistake.  I have a combined password_query 
and made the mistake of adding userdb_ prefix in both.


This has enabled the user limit for messages (as well as storage) and I 
can see over messages count causes defer like for over storage. 
Progress!  Thank you for the help.



For reference the quota warning for messages is also working (from 
dovecot.conf):

  quota_warning6 = messages=90%% quota-warning 90 %u

Testing this was my objective which required setting a very low per user 
value for a test account.  Thank you.





Re: Dovecot 2.3.18 and OpenMetrics-Prometheus problem

2022-05-23 Thread Aki Tuomi


> On 25/03/2022 08:41 Aki Tuomi  wrote:
> 
>  
> > On 17/03/2022 17:54 Aki Tuomi  wrote:
> > 
> >  
> > > On 17/03/2022 17:23 Christian Rößner  wrote:
> > > 
> > >  
> > > Hi,
> > > 
> > > > On 17.03.2022 at 10:43, Eirik Rye wrote:
> > > > 
> > > > On 25/02/2022 11:50, Christian Rößner wrote:
> > > >> dovecot_sieve_actions_total{"duration_10001_10"} 88
> > > > 
> > > > This label specification is invalid (it's missing the label name).
> > > > 
> > > > Everything else seems valid, so I assume a workaround may be to comment 
> > > > out the "sieve_actions" metric you have declared.
> > > 
> > > thank you very much. Indeed that helped me a lot. @Aki: So this seems 
> > > really to be a bug in Dovecot. Can you confirm this?
> > > 
> > > Regards
> > > 
> > > Christian 
> > > -- 
> > 
> > Christian, can you provide your doveconf -n? I'd like to see how you've 
> > defined the metrics.
> > 
> > Aki
> 
> Thanks for the doveconf -n, although you didn't send it to list...
> 
> I tried to reproduce this issue but failed. Can you try reproducing the issue 
> again, and if successful, take `gcore ` and send it to me 
> directly. Thanks.
> 
> Aki

Hi!

This issue has been finally fixed with 
https://github.com/dovecot/core/commit/51c187ff486a4e5a819fef46664b94fac93951c8.patch

Aki
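
The invalid label specification quoted in this message can be caught before a scraper sees it. The following is an added example, not code from the thread or from Dovecot: a Python check of the `name{label="value"} value` sample syntax, run over a constructed scrape body in which only line 3 comes from the thread.

```python
import re

# name{labels} value [timestamp]; the label block is optional.
SAMPLE = re.compile(
    r'^([a-zA-Z_:][a-zA-Z0-9_:]*)(?:\{(.*)\})?\s+(\S+)(?:\s+-?\d+)?$')
# One label: name="value", with backslash escapes allowed in the value.
PAIR = re.compile(r'([a-zA-Z_][a-zA-Z0-9_]*)="((?:[^"\\]|\\.)*)"')

def check_sample(line):
    """Return None for a well-formed sample line, else a short reason."""
    m = SAMPLE.match(line.strip())
    if not m:
        return "not a 'name{labels} value' line"
    labels, value = m.group(2) or "", m.group(3)
    try:
        float(value)            # accepts 88, 1.5e3, NaN, +Inf
    except ValueError:
        return "value is not a number"
    pos = 0
    while pos < len(labels):
        pair = PAIR.match(labels, pos)
        if pair is None:
            if labels[pos] == '"':
                return "label value without a label name"
            return "malformed label at offset %d" % pos
        pos = pair.end()
        if pos < len(labels):
            if labels[pos] != ",":
                return "expected ',' after label"
            pos += 1
    return None

def scan(body):
    """Check a whole scrape body; return [(line_number, reason), ...]."""
    problems = []
    for number, line in enumerate(body.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue            # blank lines and # HELP / # TYPE comments
        reason = check_sample(line)
        if reason:
            problems.append((number, reason))
    return problems

# Constructed scrape body: line 3 is the sample quoted in this thread,
# the other samples are made up for contrast.
BODY = '''# TYPE dovecot_sieve_actions_total counter
example_total{result="ok",code="200"} 5
dovecot_sieve_actions_total{"duration_10001_10"} 88
example_plain 7
'''
```
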


Re: mail_replica in userdb?

2022-05-23 Thread Aki Tuomi


> On 22/05/2022 02:32 Coy Hile  wrote:
> 
>  
> I seem to have got replication working from an older instance to a newer one 
> (insofar as the data are present on the new box) that I’m looking to stand up 
> to replace a newer box. In this case, nothing is configured to talk to the 
> new machine yet, so the replication is unidirectional (old -> new).
> 
> However, I’m seeing an error like this repeatedly in syslog:
> 
> 2022-05-21T23:23:15.295252+00:00 basement-imap01 dovecot: 
> doveadm(h...@coyhile.com): Error: sync: User has no mail_replica in userdb
> 
> What setting did I miss?
> 

plugin {
  mail_replica = 
}

https://doc.dovecot.org/settings/plugin/replication-plugin/

Aki


Re: SQL user_query quota_rule for *:messages=

2022-05-23 Thread Aki Tuomi


> On 20/05/2022 16:41 James  wrote:
> 
>  
> Hello,
> 
> dovecot.conf sets the system default quota for storage and message count:
> 
> plugin {
> ...
>   quota_rule = *:storage=1G
>   quota_rule2 = *:messages=1
> ...
> }
> 
> This quota_rule for the storage is overridden by an SQL user_query in 
> dovecot-sql.conf:
> 
> user_query = "SELECT ... '*:storage=' || maxstorage || 'M'  AS 
> userdb_quota_rule, ...;"
> 
> Is it possible to override the message count limit with an SQL 
> user_query (and password_query)?
> 
> 
> 
> 
> I tried returning userdb_quota_rule2 in the SQL but it did not work. 
> "SELECT ... '*:messages=' || maxcount AS userdb_quota_rule2 ...;"
> 
> 
> Ref:
> https://doc.dovecot.org/configuration_manual/authentication/user_database_extra_fields/#authentication-user-database-extra-fields

If you are returning that from userdb, you should not return it with `userdb_` 
prefix.

Aki
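
The prefix rule from this thread, as an added check that is not part of the original posts: a Python lint that reads a dovecot-sql.conf.ext and flags `userdb_`-prefixed aliases in `user_query`, plus unprefixed `quota_rule` aliases in `password_query` (the second check assumes the prefetch userdb is in use). The table `users` and the columns `userid`, `password` and `home` are assumptions; `maxstorage` and `maxcount` come from the queries quoted above.

```python
import re

# Constructed sample config reproducing the mistake discussed in this thread:
# the userdb_ prefix appears in user_query as well as in password_query.
SAMPLE_CONF = r"""
password_query = SELECT userid AS user, password, \
  '*:storage=' || maxstorage || 'M' AS userdb_quota_rule, \
  '*:messages=' || maxcount AS userdb_quota_rule2 \
  FROM users WHERE userid = '%u'
user_query = SELECT home, \
  '*:storage=' || maxstorage || 'M' AS userdb_quota_rule, \
  '*:messages=' || maxcount AS userdb_quota_rule2 \
  FROM users WHERE userid = '%u'
"""

# Column aliases ("... AS name") become the field names Dovecot sees.
ALIAS = re.compile(r"\bAS\s+([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE)

def parse_queries(text):
    """Return {setting: value} with backslash-continued lines joined."""
    joined = re.sub(r"\\\s*\n", " ", text)
    settings = {}
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")   # split at the first '=' only
        settings[key.strip()] = value.strip()
    return settings

def lint(text):
    """Return [(setting, alias, advice), ...] for misplaced prefixes."""
    findings = []
    queries = parse_queries(text)
    for alias in ALIAS.findall(queries.get("user_query", "")):
        if alias.lower().startswith("userdb_"):
            findings.append(("user_query", alias,
                             "return it as " + alias[len("userdb_"):]))
    for alias in ALIAS.findall(queries.get("password_query", "")):
        # Assumption: password_query feeds the prefetch userdb.
        if re.fullmatch(r"quota_rule\d*", alias, re.IGNORECASE):
            findings.append(("password_query", alias,
                             "return it as userdb_" + alias))
    return findings

if __name__ == "__main__":
    for setting, alias, advice in lint(SAMPLE_CONF):
        print(f"{setting}: {alias}: {advice}")
```
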