Re: Wildcard !include statements fail if nothing matches

2024-04-17 Thread Noah Meyerhans via dovecot
On Wed, Apr 17, 2024 at 10:08:14AM +0300, Aki Tuomi via dovecot wrote:
> You should use !include_try instead. See
> https://doc.dovecot.org/configuration_manual/config_file/#including-config-files

Yes, I'm familiar with !include_try, and it clearly works fine.  This
report is about an inconsistency between the documentation for !include
(not !include_try) and the behavior.  The documentation for wildcards
with respect to !include states that "It’s not an error if wildcards
don’t result in any matching files."

Please consider updating the documentation to match the actual behavior.

noah

___
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org


Re: Variable expansion on %w

2024-04-17 Thread Gandalf Corvotempesta via dovecot
On Wed, 17 Apr 2024 at 15:31, Aki Tuomi
 wrote:
> If you have version with Lua support, you can make a passdb with lua that 
> base64 encodes the plain password. Then it should work.

I'm not using lua currently, and i'm planning to move the server to a
new one with users on DB, that's why i'm looking for a quick
workaround,
just to migrate all password to the new schema before the server migration.

Is not possible to use a plain passdb file ? If not, even with a dirty
workaround, i'll do the schema change on the new server with accounts
on DB
but i really prefer to do this before, not after the migration.


Re: Variable expansion on %w

2024-04-17 Thread Aki Tuomi via dovecot
If you have version with Lua support, you can make a passdb with lua that
base64 encodes the plain password. Then it should work.
 
Aki
 On 17/04/2024 15:56 EEST Gandalf Corvotempesta via dovecot
  wrote:
  
  
 On Wed, 17 Apr 2024 at 14:22, Benny Pedersen via dovecot
  wrote:
  i am not an expert in postlogin scripts, but please show it
 The issue is not the postlogin script, but dovecot. It's dovecot that
 tries to expand a variable BEFORE sending it to the script
  
 userdb {
 args = username_format=%u /etc/dovecot/passwd
 driver = passwd-file
 #default_fields = plain_pass=%w
 }
  
  if it not working simple remove % in passwords would not
  solve it ?
 Seriously ? obviously asking all customers to change their password to
 remove a char is not a solution..
  
 On Wed, 17 Apr 2024 at 14:22, Benny Pedersen via dovecot
  wrote:
 >
  Gandalf Corvotempesta via dovecot wrote on 2024-04-17 08:31:
   im following the docs to change the password
   schema
   docs says that i have to pass the clear password
   to the post login
   script
   but using %w doesn't work if the clear password
   has a "%" inside as
   it's
   being expanded as variable
   in example with a password "test%Ypass" dovecot
   is trying to expand %Y
   before passing it to the post login script
  i am not an expert in postlogin scripts, but please show it
  if it not working simple remove % in passwords would not
  solve it ?
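
The failure discussed in this thread and the base64 workaround suggested above, as an added example that is not Dovecot's code and not part of any post: a toy two-pass `%` expander in C. The names `expand`, `b64` and `two_pass`, the user `alice` and the two-pass structure itself are simplifying assumptions; the sample password `test%Ypass` is the one quoted in the thread.

```c
/* Added example, not Dovecot code: a toy %-expander with hypothetical names. */
#include <stddef.h>
#include <string.h>

/* Expands %u, %w and %% in tmpl; any other %X fails like "Unknown variable". */
static int expand(const char *tmpl, const char *user, const char *pass,
                  char *out, size_t outsize)
{
    size_t n = 0;
    for (const char *p = tmpl; *p != '\0'; p++) {
        char lit[2] = { *p, '\0' };
        const char *val = lit;
        if (*p == '%') {
            p++;
            if (*p == 'u')
                val = user;
            else if (*p == 'w')
                val = pass;
            else if (*p != '%')
                return -1; /* unknown variable or trailing '%' */
        }
        size_t len = strlen(val);
        if (n + len >= outsize)
            return -1;
        memcpy(out + n, val, len);
        n += len;
    }
    out[n] = '\0';
    return 0;
}

/* Base64-encodes in; the output alphabet contains no '%' character. */
static void b64(const char *in, char *out)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t len = strlen(in), o = 0;
    for (size_t i = 0; i < len; i += 3) {
        unsigned v = (unsigned)(unsigned char)in[i] << 16;
        if (i + 1 < len) v |= (unsigned)(unsigned char)in[i + 1] << 8;
        if (i + 2 < len) v |= (unsigned char)in[i + 2];
        out[o++] = tbl[v >> 18];
        out[o++] = tbl[(v >> 12) & 63];
        out[o++] = i + 1 < len ? tbl[(v >> 6) & 63] : '=';
        out[o++] = i + 2 < len ? tbl[v & 63] : '=';
    }
    out[o] = '\0';
}

/* Pass 1 fills plain_pass from the login; pass 2 re-expands that setting. */
static int two_pass(const char *password, int use_b64, char *out, size_t outsize)
{
    char enc[256], field[300];

    if (strlen(password) > 180)
        return -1;
    if (use_b64)
        b64(password, enc);
    else
        strcpy(enc, password);
    if (expand("plain_pass=%w", "alice", enc, field, sizeof(field)) < 0)
        return -1;
    return expand(field, "alice", enc, out, outsize);
}
```

In this model a password such as `50%user` does not fail at all: the second pass silently rewrites it, so the consumer would receive a different string than the user typed. With the base64 form, the consumer has to decode the value before hashing it.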


Re: Variable expansion on %w

2024-04-17 Thread Gandalf Corvotempesta via dovecot
On Wed, 17 Apr 2024 at 14:22, Benny Pedersen via dovecot
 wrote:
> i am not an expert in postlogin scripts, but please show it

The issue is not the postlogin script, but dovecot. It's dovecot that
tries to expand a variable BEFORE sending it to the script

userdb {
  args = username_format=%u /etc/dovecot/passwd
  driver = passwd-file
  #default_fields = plain_pass=%w
}

> if it not working simple remove % in passwords would not solve it ?

Seriously ? obviously asking all customers to change their password to
remove a char is not a solution..

On Wed, 17 Apr 2024 at 14:22, Benny Pedersen via dovecot
 wrote:
>
> Gandalf Corvotempesta via dovecot wrote on 2024-04-17 08:31:
> > im following the docs to change the password schema
> >
> > docs says that i have to pass the clear password to the post login
> > script
> > but using %w doesn't work if the clear password has a "%" inside as
> > it's
> > being expanded as variable
> >
> > in example with a password "test%Ypass" dovecot is trying to expand %Y
> > before passing it to the post login script
>
> i am not an expert in postlogin scripts, but please show it
>
> if it not working simple remove % in passwords would not solve it ?


Re: Variable expansion on %w

2024-04-17 Thread Benny Pedersen via dovecot

Gandalf Corvotempesta via dovecot wrote on 2024-04-17 08:31:

im following the docs to change the password schema

docs says that i have to pass the clear password to the post login 
script
but using %w doesn't work if the clear password has a "%" inside as 
it's

being expanded as variable

in example with a password "test%Ypass" dovecot is trying to expand %Y
before passing it to the post login script


i am not an expert in postlogin scripts, but please show it

if it not working simple remove % in passwords would not solve it ?


RE: Uppercase username emails are rejected

2024-04-17 Thread Aki Tuomi via dovecot
 
 On 17/04/2024 12:42 EEST Marc via dovecot 
 wrote:
  
  
  No they aren't. The *host part* is case insensitive because
  the DNS is,
 Indeed. Letsencrypt is utilizing this characteristic, they query the
 same hostname every time with different randomized(?)
 capitalizations. I have no idea what the logics behind this is.
 Preventing this from showing in logs? Preventing rate limiters to be
 triggered? No idea why they do this.
  
 >, but erroneously slip onto  or  all
  the time, I suppose ...),
 :D
  
 
This is a DNS hardening thing to make it harder to spoof replies. DNS name
comparison is still case insensitive.
 
Aki


RE: Uppercase username emails are rejected

2024-04-17 Thread Marc via dovecot
> 
> No they aren't. The *host part* is case insensitive because the DNS is,

Indeed. Letsencrypt is utilizing this characteristic, they query the same 
hostname every time with different randomized(?) capitalizations. I have no 
idea what the logics behind this is.
Preventing this from showing in logs? Preventing rate limiters to be triggered? 
No idea why they do this.

>, but erroneously slip onto  or  all
> the time, I suppose ...), 

 :D



Re: Uppercase username emails are rejected

2024-04-17 Thread Jochen Bern via dovecot

On 17.04.24 08:43, Aki Tuomi wrote:

  On 17/04/24 00:51, John Stoffel via dovecot wrote:
  >> "Peter" == Peter via dovecot  writes:
Generally speaking you want auth to be case-sensitive, but go ahead and
try it to see if it fixes the issue.
   Umm... not for emails you don't. Since the j...@stoffel.org
   and j...@stoffel.org and j...@stoffel.org are all the same
   email address


No they aren't. The *host part* is case insensitive because the DNS is, 
but nothing in the RFCs suggests that the *user part* may be (generally) 
treated as such. That only came about when the makers of a certain, 
famously case insensitive OS started selling a mail server software 
better aligned with their habits.


(Back with SunOS, when account names automatically yielded deliverable 
e-mail addresses, my dpt. had a standing rule that admins would have an 
unprivileged account like, e.g., "bern" and a separate UID=0 account 
"Bern" for the admin work. Luckily, the login(1) triggered its OH, IT 
SEEMS THAT THIS TERMINAL SUPPORTS ONLY SINGLE CASE mode only if the 
username was *entirely* in uppercase, not on the first character ...)


Having that said, nothing keeps you from setting up your MTA/MDA so as 
to ignore case entirely (because people manually entering addresses 
never make typos, but erroneously slip onto  or  all 
the time, I suppose ...), but it's a major no-no for (intermediate) MTAs.



Unfortunately some systems uppercase (or downcase) your email when sending mail
to you.


In particular, websites you create an account on, apparently in fear 
that joe@shmoe would otherwise be able to create multiple accounts with 
Joe@shmoe, jOe@shmoe etc. etc.. They rarely object to plussed user 
addresses or single-person-owned domains that could have a catchall 
configured, though ...


(I *should* have tried a user part with "ß" on an upcasing online 
service back when that umlaut officially *didn't have* an uppercase 
version ... ;-)


Kind regards,
--
Jochen Bern
Systemingenieur

Binect GmbH


Re: doveadm import error: quota: Unknown namespace: INBOX/

2024-04-17 Thread Aki Tuomi via dovecot
doveadm -o plugin/quota= ...
 
Aki
 On 17/04/2024 10:25 EEST Ralf Becker via dovecot
  wrote:
  
  
 No one an idea?
  
 No longer been able to restore mailboxes seems a little scary ...
  
 Ralf
  
 On 12.04.24 at 14:07, Ralf Becker via dovecot wrote:
  Dovecot version is 2.3.20 and I try to restore a folder
  hierarchy from an older
  snapshot of the mailbox (folders in question have been
  deleted):
  sudo -u dovecot doveadm -Dv import -u p...@xyz.de -s mdbox:$(pwd)/pbs-2024-03-19/mdbox INBOX mailbox 'projekte/8-BZ/*'
  I'm getting the following error:
  Apr 12 10:52:18 doveadm(p...@xyz.de): Error: quota: Unknown
  namespace: INBOX/
  I also tried restoring in a (not existing) restore folder:
  Restore-2024-03-19
  and using search query "mailbox 'projekte/8-BZ'", all give
  the same result :(
  Any ideas what might be wrong, I did this many times
  before, and it worked, so
  I'm puzzled ...
  Here is the full output of doveadm import command above and
  doveconf -n:
  ...
  
 --
 Ralf Becker
 EGroupware GmbH [www.egroupware.org]
 Handelsregister HRB Kaiserslautern 3587
 Geschäftsführer Birgit und Ralf Becker
 Leibnizstr. 17, 67663 Kaiserslautern, Germany
 Telefon +49 631 31657-0
  


Re: doveadm import error: quota: Unknown namespace: INBOX/

2024-04-17 Thread Ralf Becker via dovecot

No one an idea?

No longer been able to restore mailboxes seems a little scary ...

Ralf

On 12.04.24 at 14:07, Ralf Becker via dovecot wrote:

Dovecot version is 2.3.20 and I try to restore a folder hierarchy from an older
snapshot of the mailbox (folders in question have been deleted):
sudo -u dovecot doveadm -Dv import -u p...@xyz.de -s mdbox:$(pwd)/pbs-2024-03-19/mdbox INBOX mailbox 'projekte/8-BZ/*'
I'm getting the following error:
Apr 12 10:52:18 doveadm(p...@xyz.de): Error: quota: Unknown namespace: INBOX/
I also tried restoring in a (not existing) restore folder: Restore-2024-03-19
and using search query "mailbox 'projekte/8-BZ'", all give the same result :(
Any ideas what might be wrong, I did this many times before, and it worked, so
I'm puzzled ...
Here is the full output of doveadm import command above and doveconf -n:
...



--
Ralf Becker
EGroupware GmbH [www.egroupware.org]
Handelsregister HRB Kaiserslautern 3587
Geschäftsführer Birgit und Ralf Becker
Leibnizstr. 17, 67663 Kaiserslautern, Germany
Telefon +49 631 31657-0



Re: Wildcard !include statements fail if nothing matches

2024-04-17 Thread Aki Tuomi via dovecot
You should use !include_try instead. See
https://doc.dovecot.org/configuration_manual/config_file/#including-config-files
 
Aki
 On 17/04/2024 00:00 EEST Noah Meyerhans via dovecot
  wrote:
  
  
 Forwarding this report from Debian bug #1068478. Please see the full
 report for more context. [1]
  
 Per the documentation on "Including config files", "It’s not an error
 if
 wildcards don’t result in any matching files." [2]
  
 However, that statement does not seem to reflect the actual behavior
 of
 the code.
  
 Some relevant snippets of code from
 src/config/config-parser.c:
  
 from config_parse_line():
 if (strcmp(key, "!include") == 0)
     return CONFIG_LINE_TYPE_INCLUDE;
 if (strcmp(key, "!include_try") == 0)
     return CONFIG_LINE_TYPE_INCLUDE_TRY;
  
 This return value is later handled with a case statement in
 config_parser_apply_line():
 case CONFIG_LINE_TYPE_INCLUDE:
 case CONFIG_LINE_TYPE_INCLUDE_TRY:
     (void)settings_include(ctx, fix_relative_path(value, ctx->cur_input),
                            type == CONFIG_LINE_TYPE_INCLUDE_TRY);
     break;
  
 The result of the "type == CONFIG_LINE_TYPE_INCLUDE_TRY" statement is
 passed as the bool ignore_errors parameter to bool ignore_errors(),
 so
 if it evaluates to false as it does when type ==
 CONFIG_LINE_TYPE_INCLUDE, then we return an error:
  
 case GLOB_NOMATCH:
     if (ignore_errors)
         return 0;
     ctx->error = "No matches";
     return -1;
  
 The code is pretty straightforward in how it handles this scenario,
 so
 maybe the documentation should be clarified?
  
 Thanks
 noah
  
 1. https://bugs.debian.org/1068478
 2. https://doc.dovecot.org/configuration_manual/config_file/#including-config-files


Re: Uppercase username emails are rejected

2024-04-17 Thread Aki Tuomi via dovecot
 
 On 17/04/2024 08:27 EEST Peter via dovecot 
 wrote:
  
  
 On 17/04/24 00:51, John Stoffel via dovecot wrote:
 >> "Peter" == Peter via dovecot  writes:
   On 14/04/24 12:09, John Stoffel via dovecot
   wrote:
I think you need to update both places,
so that your username and
password checks are done with lowercase
usernames.
   Generally speaking you want auth to be case-sensitive, but go ahead and
   try it to see if it fixes the issue.
  Umm... not for emails you don't. Since the j...@stoffel.org
  and
  j...@stoffel.org and j...@stoffel.org are all the same
  email
  address... should they be different logins? Not for
  email...
 There is a difference between expecting $random_stranger to get the
 case
 correct on an email address and expecting a user to get his own email
 address correct for the purpose of logging in, also keeping in mind
 that
 the user will generally get it entered *once* in their MUA and the
 MUA
 will store it for future logins expecting the case to be correct is
 not
 a huge ask in this scenario.
  
 Also keep in mind that the username is not always going to be the
 same
 as the email address, in fact Dovecot is perfectly capable of having
 usernames that are entirely different to the email address that is
 associated with them.
  
  In general, usernames should NOT be case sensitive, that
  way leads
  madness. Passwords on the other hand...
 Both usernames and passwords are part of the authentication
 credentials.
 When you allow any authentication credential to be case-insensitive
 then you decrease the difficulty of any brute-force attack by quite a
 bit. There is no good reason to make usernames case-insensitive and
 very good reasons not to.
  
  
 Peter
 
Unfortunately some systems uppercase (or downcase) your email when sending mail
to you. In general I would advocate using auth_username_format=%Ln or %Lu to
normalize to lowercase. I don't believe you would really get that much benefit
from mixed case address.
 
Aki


Wildcard !include statements fail if nothing matches

2024-04-17 Thread Noah Meyerhans via dovecot
Forwarding this report from Debian bug #1068478. Please see the full
report for more context. [1]

Per the documentation on "Including config files", "It’s not an error if
wildcards don’t result in any matching files." [2]

However, that statement does not seem to reflect the actual behavior of
the code.

Some relevant snippets of code from
src/config/config-parser.c:

from config_parse_line():
if (strcmp(key, "!include") == 0)
    return CONFIG_LINE_TYPE_INCLUDE;
if (strcmp(key, "!include_try") == 0)
    return CONFIG_LINE_TYPE_INCLUDE_TRY;

This return value is later handled with a case statement in 
config_parser_apply_line():
case CONFIG_LINE_TYPE_INCLUDE:
case CONFIG_LINE_TYPE_INCLUDE_TRY:
    (void)settings_include(ctx, fix_relative_path(value, ctx->cur_input),
                           type == CONFIG_LINE_TYPE_INCLUDE_TRY);
    break;

The result of the "type == CONFIG_LINE_TYPE_INCLUDE_TRY" statement is
passed as the bool ignore_errors parameter to bool ignore_errors(), so
if it evaluates to false as it does when type ==
CONFIG_LINE_TYPE_INCLUDE, then we return an error:

case GLOB_NOMATCH:
    if (ignore_errors)
        return 0;
    ctx->error = "No matches";
    return -1;

The code is pretty straightforward in how it handles this scenario, so
maybe the documentation should be clarified?

Thanks
noah

1. https://bugs.debian.org/1068478
2. https://doc.dovecot.org/configuration_manual/config_file/#including-config-files
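
The behaviour described in the report above, as an added example that is not Dovecot's code and not part of the original post: a small C model of the quoted GLOB_NOMATCH branch, set beside one reading of the documented sentence in which a wildcard that matches nothing is tolerated. The function names (`include_glob`, `include_as_coded`, `include_as_documented`) and the sample paths are assumptions made for illustration.

```c
/* Added example, not Dovecot source. Function names are hypothetical. */
#include <glob.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Returns the number of matches, 0 when "no match" is tolerated, -1 on error. */
static int include_glob(const char *pattern, bool ignore_errors,
                        const char **error_r)
{
    glob_t g;
    int ret;

    *error_r = NULL;
    memset(&g, 0, sizeof(g));
    switch (glob(pattern, 0, NULL, &g)) {
    case 0:
        ret = (int)g.gl_pathc;
        globfree(&g);
        return ret;
    case GLOB_NOMATCH:
        /* Same shape as the branch quoted from config-parser.c. */
        if (ignore_errors)
            return 0;
        *error_r = "No matches";
        return -1;
    default:
        *error_r = "glob() failed";
        return -1;
    }
}

/* Behaviour per the quoted code: only !include_try tolerates "no match". */
static int include_as_coded(const char *pattern, bool is_try,
                            const char **error_r)
{
    return include_glob(pattern, is_try, error_r);
}

/* One reading of the documented sentence (assumption): a pattern that
 * contains wildcard characters may match nothing; a literal path may not. */
static int include_as_documented(const char *pattern, bool is_try,
                                 const char **error_r)
{
    bool has_wildcard = strpbrk(pattern, "*?[") != NULL;

    return include_glob(pattern, is_try || has_wildcard, error_r);
}

int main(void)
{
    /* Constructed sample path that is expected not to exist. */
    const char *pat = "/nonexistent-example-dir/conf.d/*.conf";
    const char *err;

    printf("coded !include:      %d\n", include_as_coded(pat, false, &err));
    printf("coded !include_try:  %d\n", include_as_coded(pat, true, &err));
    printf("documented !include: %d\n", include_as_documented(pat, false, &err));
    return 0;
}
```

For a drop-in directory that may legitimately be empty, the first line is the case the report is about: the parser stops with "No matches" unless the statement is `!include_try`.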


Re: Variable expansion on %w

2024-04-17 Thread Gandalf Corvotempesta via dovecot
im following the docs to change the password schema

docs says that i have to pass the clear password to the post login script
but using %w doesn't work if the clear password has a "%" inside as it's
being expanded as variable

in example with a password "test%Ypass" dovecot is trying to expand %Y
before passing it to the post login script


On Wed, 17 Apr 2024, 08:24 Aki Tuomi  wrote:

> Can you explain what you are trying to do?
>
> Aki
>
> On 16/04/2024 21:36 EEST Gandalf Corvotempesta via dovecot <
> dovecot@dovecot.org> wrote:
>
>
> guys any help ?
> Is not possible to change the password schema when using passwd file ?
>
> On Sat, 13 Apr 2024 at 14:48, Gandalf Corvotempesta
>  wrote:
> >
>
> any clue?
>
> On Thu, 11 Apr 2024, 21:57 Gandalf Corvotempesta <
> gandalf.corvotempe...@gmail.com> wrote:
> >
>
> >> I'm following the guide for changing the password schema.
> >> Everything works as expected (i'm using a static passwd file), but
> >> when the plain password has a % inside, dovecot is trying to expand
> >> that, triggering an error:
> >>
> >> Apr 11 21:33:55 mail02 dovecot: pop3(x)<3962994><4soGPNcVXsoln9W6>:
> >> Error: Failed to expand plugin setting plain_pass = 'x%Yxx!%':
> >> Unknown variable '%Y'
> >>
> >> How can I block the variable expansion inside %w ?


Re: Variable expansion on %w

2024-04-17 Thread Aki Tuomi via dovecot
Can you explain what you are trying to do? 
 
Aki
 On 16/04/2024 21:36 EEST Gandalf Corvotempesta via dovecot
  wrote:
  
  
 guys any help ?
 Is not possible to change the password schema when using passwd file
 ?
  
 On Sat, 13 Apr 2024 at 14:48, Gandalf Corvotempesta
  wrote:
 >
  any clue?
  On Thu, 11 Apr 2024, 21:57 Gandalf Corvotempesta
   wrote:
  >
 >> I'm following the guide for changing the password schema.
 >> Everything works as expected (i'm using a static passwd file), but
 >> when the plain password has a % inside, dovecot is trying to expand
 >> that, triggering an error:
 >>
 >> Apr 11 21:33:55 mail02 dovecot: pop3(x)<3962994><4soGPNcVXsoln9W6>:
 >> Error: Failed to expand plugin setting plain_pass = 'x%Yxx!%':
 >> Unknown variable '%Y'
 >>
 >> How can I block the variable expansion inside %w ?