[SOLVED] Re: doveadm SSL problem with recent update
On 10/25/20 6:02 AM, Arjen de Korte wrote:
>
> # SSL/TLS support: yes, no, required.
> ssl = no
>
> !include_try 10-ssl.conf.ext

Thank you very much. This did exactly what I needed.
doveadm SSL problem with recent update
With a recent update, I started seeing this:

doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 14: ssl_cert: Can't open file /etc/letsencrypt/live/SERVER/fullchain.pem: Permission denied

1 4 * * * vmail /usr/bin/doveadm expunge -A mailbox MAILBOXINQUESTION savedbefore 1w

is one of the crontab entries I am seeing this for.

Is there an option to keep doveadm from trying to use the ssl cert from that configuration file? I do not want to have the vmail user having access to the pem cert.

Thank you.

Trever
Re: pigeonhole question: filtering on delivered-to in case of fetchmail
> On 15 Jul 2019, at 18:11, Trever L. Adams via dovecot <https://dovecot.org/mailman/listinfo/dovecot> wrote:
>
>> So, one of the problems I am seeing is that people are trying to fake
>> users into revealing information by sending from an outside domain but
>> with an internal reply to address and claiming to be administration, IT
>> or what not.
>
> You should not accept external mail claiming to be from your domain unless
> that mail comes via authenticated submission. But if the reply to is going to
> an internal address…
>
> I’m puzzled by exactly what you mean here. Are you saying that users on your
> system are trying to phish other users on your system?
>
>> I can set up something that will reject if from is outside the domain but
>> reply to is internal. The problem is in some setups, there are fetchmail
>> setups. I do not want to reject these with a message. Which is what I am
>> currently doing for the others. Maybe I should discard them all without
>> rejecting.
>
> I haven’t used fetch mail in many many years, so I can’t answer anything
> specifically about it, but if you use it to allow external senders to send
> mail via your system in a way that is not authenticated then you should not
> do that.

I do NOT allow email claiming to be from my domains. The problem is "forgery" of Reply-To headers. It isn't really forgery as far as I know there is no method to check this anywhere. People are allowed to put what they want there. The setups in question do NOT allow unauthenticated submission with a FROM from the internal domain.

I have erased the email in question, so I cannot give an exact example but it is something like this:

From: someth...@devcubesomething.org (I remember cube and dev in the domain)
To: trever@thedomain (yes it was sent to me, thankfully not one of the other users)
Reply-To: info@thedomain (yes, stupid account to use, but that was it)
Subject: Your account will be deleted/deactivated

Some nonsense about having failed to follow directions and if I don't click the link below, the account would be deleted. It was NOT talking about an account on another system, but the email account itself.

So, as you see, it is coming from an outside domain. As the sieve code showed, I am testing for where reply-to claims to be for internal domain, but the from is NOT from it. This email was a good example of that.
pigeonhole question: filtering on delivered-to in case of fetchmail
So, one of the problems I am seeing is that people are trying to fake users into revealing information by sending from an outside domain but with an internal reply to address and claiming to be administration, IT or what not.

I can set up something that will reject if from is outside the domain but reply to is internal. The problem is in some setups, there are fetchmail setups. I do not want to reject these with a message. Which is what I am currently doing for the others. Maybe I should discard them all without rejecting.

However, my question is this: Since such fetchmail messages will usually end up with two (at least two?!?) Delivered-To headers, one for the fetchmail delivery and one for the original target address's/system's delivery, is it possible to do something like this and have it work?

require ["fileinto", "regex","reject"];
if address :regex "Reply-To" ".*@<%= @name -%>" {
    if not address :regex "From" ".*@<%= @name -%>" {
        if not header :regex "Delivered-To" " .*@<%= @name -%>" {
            reject "We do not allow emails from outside our system to give Reply-To into our system!";
            stop;
        }
    }
}

Please note, the <%= @name -%> is just that this is from a puppet module I use to maintain these systems. It is the domain name for the mail system. An example would be .*@middleearth.sapphiresunday.org here.

Thank you for any help in figuring this out. The reason I want a reject in the case of non-fetchmail email is to let users know if they try to do it (as many have multiple email accounts) and may try it. But in fetchmail cases, no need to leak to the outside world that users are doing fetchmail and what their account is in the other system.

Thank you.

Trever
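The decision this post is after (reject when the message came straight in, drop silently when it was fetched from another system), modelled in Python and run over constructed messages. This is an added example, not part of the original post: it assumes that fetched mail can be recognised by a Delivered-To header naming a foreign domain, it compares domains exactly rather than by regex, and every address and domain in it is a placeholder.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumption: placeholder for the mail system's own domain
# (the value the Puppet template inserts as <%= @name -%>).
INTERNAL_DOMAIN = "mail.example.org"


def header_domains(msg, name):
    """Lower-cased domain of every address in all instances of a header."""
    values = [str(value) for value in msg.get_all(name, [])]
    return {
        addr.rpartition("@")[2].lower()
        for _display, addr in getaddresses(values)
        if "@" in addr
    }


def classify(raw_message, internal=INTERNAL_DOMAIN):
    """Return "keep", "reject" or "discard" for one RFC 5322 message."""
    msg = message_from_string(raw_message)
    internal = internal.lower()

    # Same outer tests as the Sieve rule: some Reply-To address is internal
    # and no From address is.
    if internal not in header_domains(msg, "Reply-To"):
        return "keep"
    if internal in header_domains(msg, "From"):
        return "keep"

    # Assumption: a Delivered-To for a foreign domain means the message was
    # first delivered elsewhere and then fetched. A reject would tell the
    # outside world about the fetch setup, so drop it silently instead.
    if header_domains(msg, "Delivered-To") - {internal}:
        return "discard"
    return "reject"


def build(sender, reply_to=None, delivered_to=()):
    """Assemble a constructed test message (not real mail)."""
    lines = [f"Delivered-To: {rcpt}" for rcpt in delivered_to]
    lines.append(f"From: {sender}")
    if reply_to:
        lines.append(f"Reply-To: {reply_to}")
    lines += [
        "To: trever@mail.example.org",
        "Subject: Your account will be deactivated",
        "",
        "Constructed body.",
        "",
    ]
    return "\n".join(lines)


# Constructed samples covering each branch.
SAMPLES = {
    # External sender, internal Reply-To, delivered directly.
    "direct": build("IT Support <helpdesk@dev-cube.example>",
                    "info@mail.example.org",
                    ["trever@mail.example.org"]),
    # Same message, but it carries the original system's Delivered-To too.
    "fetched": build("IT Support <helpdesk@dev-cube.example>",
                     "info@mail.example.org",
                     ["trever@mail.example.org", "trever@isp.example"]),
    # Internal sender using an internal Reply-To.
    "internal": build("Admin <admin@mail.example.org>",
                      "info@mail.example.org",
                      ["trever@mail.example.org"]),
    # External sender with its own Reply-To.
    "external_reply": build("news@shop.example",
                            "support@shop.example",
                            ["trever@mail.example.org"]),
    # Reply-To domain only starts with the internal name; it is not internal,
    # so this rule does not apply to it.
    "lookalike": build("helpdesk@dev-cube.example",
                       "info@mail.example.org.dev-cube.example",
                       ["trever@mail.example.org"]),
}


def run_samples():
    return {name: classify(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:15} {verdict}")
```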
Re: Discard mail with from date older than xxxx
On 1/24/19 10:07 AM, Per Jessen wrote:
>
> Sorry, I misunderstood.
>
> I rely on spamassassin to deal with spam.
>
>
> /Per
>

You still led me to the correct solution. I use dspam. Occasionally some odd spams get through. Usually they are using this date trick (not that it fools dspam). The problem is the content is novel. So, I am using this to catch what cannot be caught the other ways.

Trever
Re: Discard mail with from date older than xxxx
On 1/24/19 6:01 AM, Trever L. Adams wrote:
> On 1/24/19 12:15 AM, Per Jessen wrote:
>> Trever L. Adams wrote:
>>
>>> I know that sieve doesn't do math. The file would be created
>>> externally.
>>>
>>> Based on examples in section 4.4 of
>>> https://tools.ietf.org/html/rfc5260#section-4
>>>
>>> I figured something like this would work.
>>>
>>> if date :value "le" :originalzone "date" "date" "2018-10-25" {
>>> fileinto "SPAM";
>>> stop;
>>> }
>>>
>>> However, I get the following.
>>>
>>> spam: line 41: error: unknown tagged argument ':value' for the date
>>> test (reported only once at first occurrence).
>>> spam: error: validation failed.
>>> sievec(root): Fatal: failed to compile sieve script 'spam.sieve'
>>>
>>> Does anyone have any advice on how to get this working?
>> Hi Trever
>>
>> here is a snippet I use occasionally:
>>
>> if allof(
>> currentdate :zone "+0200" :value "ge" "iso8601" "2017-09-04T00:00:00+02:00",
>> currentdate :zone "+0200" :value "le" "iso8601" "2017-09-06T18:09:00+02:00"
>> )
>>
>>
>> HTH
>> Per
>
> Please, correct me if I am wrong. This looks at the system clock. I need
> to look at the date in the email (Date header). I am trying to catch
> spam that hides 6-9 months in the past (in the last week I have had two
> from August 2018 show up... obviously forged header, but...).
>
> Thanks.
>
> Trever
>
>

Thank you Per. My problem was I wasn't requiring relational. With it, this works:

if date :originalzone :value "le" "date" "date" "2018-10-26" {
    fileinto "SPAM";
    stop;
}

I am sorry for the noise. Obviously, anyone using the above snippet will need something to modify the date on a regular basis so it is say 90 days in the past or what not.

Thank you again.

Trever
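One way to keep that cutoff moving, as an added example that is not part of the original thread: a small Python job, meant to be run from cron, that rewrites a Sieve file holding the rule above with a date 90 days in the past and recompiles it with sievec when that binary is present. The output file name, the folder name default and the 90-day window are assumptions; how the generated file is pulled into the user's script is left to the local setup.

```python
import datetime as dt
import os
import shutil
import subprocess
import sys
import tempfile

# The rule from the post, with the extensions it needs declared up front.
TEMPLATE = '''\
# Generated file, do not edit by hand.
require ["date", "relational", "fileinto"];

if date :originalzone :value "le" "date" "date" "{cutoff}" {{
    fileinto "{folder}";
    stop;
}}
'''


def cutoff_date(today, max_age_days):
    """ISO date (yyyy-mm-dd) that lies max_age_days before today."""
    if max_age_days < 1:
        raise ValueError("max_age_days must be at least 1")
    return (today - dt.timedelta(days=max_age_days)).isoformat()


def render_rule(today, max_age_days=90, folder="SPAM"):
    """Return the Sieve source for the given reference date."""
    # The folder name lands inside a quoted Sieve string, so refuse the two
    # characters that would need escaping there.
    if '"' in folder or "\\" in folder:
        raise ValueError("folder name must not contain quotes or backslashes")
    return TEMPLATE.format(cutoff=cutoff_date(today, max_age_days),
                           folder=folder)


def write_rule(path, text, compile_with="sievec"):
    """Replace path atomically, then compile it if sievec is installed."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, suffix=".tmp")
    try:
        with os.fdopen(fd, "w", encoding="ascii") as handle:
            handle.write(text)
        # A delivery running at the same moment sees either the old file or
        # the new one, never a half-written script.
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    sievec = shutil.which(compile_with) if compile_with else None
    if sievec:
        # A compile error raises CalledProcessError, so cron reports it.
        subprocess.run([sievec, path], check=True)
    return path


if __name__ == "__main__":
    # Assumption: default output name; pass the real path as the argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "old-date.sieve"
    write_rule(target, render_rule(dt.date.today()))
```

Run it as the user that owns the Sieve script, since the temporary file is created with that user's ownership and a private mode.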
Re: Discard mail with from date older than xxxx
On 1/24/19 12:15 AM, Per Jessen wrote:
> Trever L. Adams wrote:
>
>> I know that sieve doesn't do math. The file would be created
>> externally.
>>
>> Based on examples in section 4.4 of
>> https://tools.ietf.org/html/rfc5260#section-4
>>
>> I figured something like this would work.
>>
>> if date :value "le" :originalzone "date" "date" "2018-10-25" {
>> fileinto "SPAM";
>> stop;
>> }
>>
>> However, I get the following.
>>
>> spam: line 41: error: unknown tagged argument ':value' for the date
>> test (reported only once at first occurrence).
>> spam: error: validation failed.
>> sievec(root): Fatal: failed to compile sieve script 'spam.sieve'
>>
>> Does anyone have any advice on how to get this working?
> Hi Trever
>
> here is a snippet I use occasionally:
>
> if allof(
> currentdate :zone "+0200" :value "ge" "iso8601" "2017-09-04T00:00:00+02:00",
> currentdate :zone "+0200" :value "le" "iso8601" "2017-09-06T18:09:00+02:00"
> )
>
>
> HTH
> Per

Please, correct me if I am wrong. This looks at the system clock. I need to look at the date in the email (Date header). I am trying to catch spam that hides 6-9 months in the past (in the last week I have had two from August 2018 show up... obviously forged header, but...).

Thanks.

Trever
Discard mail with from date older than xxxx
I know that sieve doesn't do math. The file would be created externally.

Based on examples in section 4.4 of https://tools.ietf.org/html/rfc5260#section-4

I figured something like this would work.

if date :value "le" :originalzone "date" "date" "2018-10-25" {
    fileinto "SPAM";
    stop;
}

However, I get the following.

spam: line 41: error: unknown tagged argument ':value' for the date test (reported only once at first occurrence).
spam: error: validation failed.
sievec(root): Fatal: failed to compile sieve script 'spam.sieve'

Does anyone have any advice on how to get this working?

Thank you.

Trever
Re: Dovecot With DSpam AntiSpam Plugin Replacement With Sieve
Thank you for this. I have a DSPAM setup that did work with the suggested scripts, but I used the old dovecot antispam plugin and enjoyed the signature method. I am going to try this out next week to see if it works for me. If it does, I will love this.

Thanks again.

Trever

On 02/24/2018 02:02 PM, col...@nxtgn.com wrote:
> Hello
>
> I have recently had to rebuild my email server, it is a small server
> for my various email accounts and I also host the email for a clients
> business.
>
> Switched to Dovecot from Courier many years ago, and it has been a
> very reliable solution. With the new rebuild I have updated it to
> Dovecot 2.2.33.2 with PigeonHole 4.21, it runs DSpam 3.10.2 to scan
> and tag all incoming mails as Spam or not then a Sieve rule to put the
> Spam emails into the Spam folder, I was also using the DSpam Antispam
> plugin to enable moving messages from one folder to another to teach
> failures to DSpam, this works well for me and my client.
>
> Doing the rebuild I saw that the AntiSpam plugin had been deprecated
> and the preferred solution now was to use Sieve Filters, so I
> implemented that and had struggled with it for a few hours until I
> finally got it working.
>
> It may be something about my setup but I am not sure it is, but the
> suggested way of doing it here
> https://wiki.dovecot.org/HowTo/AntispamWithSieve did not work for me
> and I don't think it was ever going to.
>
> Here are the shell scripts and sieve filters that I came up with that
> work for me, your mileage may vary.
>
> I use DSpam as a standalone binary not as a daemon so you may need to
> add the --client option on the dspam command line in the shell scripts
> if you run DSpam in daemon mode.
>
> === report-spam.sieve ===
>
> require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment",
> "variables"];
>
>
> if environment :matches "imap.user" "*" {
>     set "userid" "${1}";
>     if header :matches "X-DSPAM-Signature" "*"
>     {
>         set "signature" "${1}";
>     }
> }
>
> pipe :copy "learn-spam.sh" [ "${userid}", "${signature}" ];
>
> === report-ham.sieve ===
>
> require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment",
> "variables"];
>
> if environment :matches "imap.mailbox" "*" {
>     set "mailbox" "${1}";
> }
>
> if string "${mailbox}" "Trash" {
>     stop;
> }
>
> if environment :matches "imap.user" "*" {
>     set "userid" "${1}";
>     if header :matches "X-DSPAM-Signature" "*"
>     {
>         set "signature" "${1}";
>     }
> }
>
> pipe :copy "learn-ham.sh" [ "${userid}", "${signature}" ];
>
> === learn-spam.sh ===
>
> #!/bin/sh
> exec /usr/local/bin/dspam --user "${1}" --signature="${2}" --class=spam --source=error
>
> === learn-ham.sh ===
>
> #!/bin/sh
> exec /usr/local/bin/dspam --user "${1}" --signature="${2}" --class=innocent --source=error
>
>
> I hope this saves someone some time or gives someone some tips
>
Re: Postfix + saslauthd SASL With Kerberos (FreeIPA) unable to send mail
On 10/02/2017 07:00 PM, Anvar Kuchkartaev wrote:
> Hello I just finished setting up FreeIPA with Dovecot + Postfix + Saslauthd.
> I can easily access to mails using imap via dovecot with gssapi
> authentication and postfix also delivering mails very well. But I cannot send
> email from postfix using gssapi authentication (plain and login
> authentication working fine) because saslauthd is not specifying realm when
> requesting service from freeipa domain.
>
> warning: SASL authentication failure: GSSAPI Error: Unspecified GSS failure.
> Minor code may provide more information (No key table entry found matching
> smtp/mx0.aegisnet.eu@)
>
> right form of request is smtp/mx0.aegisnet...@aegisnet.eu
>
> I googled a lot but couldn't find any solution to solve this problem. How to
> configure saslauthd well that it will use realm to contact with freeipa.
>
> Best Regards...
>

You may need to consider setting auth_realms and/or auth_default_realm. I saw something similar without such being set.

Trever
Re: Replacement for antispam plugin
On 02/12/2017 05:28 PM, Stephan Bosch wrote:
>
> Actually, Pigeonhole should be able to do that too:
>
> https://github.com/dovecot/pigeonhole/blob/master/doc/plugins/sieve_extprograms.txt#L112
>
> Yes, I need to update the wiki.
>
>
> Regards,
>
> Stephan.
>

For DSPAM, with --client, one also needs a --user set. http://hg.dovecot.org/dovecot-antispam-plugin/file/5ebc6aae4d7c/src/dspam.c did this. Is there a way to feed this into the scripts mentioned? I imagine this is imap.user or imap.email, but how would one pass it to the script?

Thank you.

Trever
[Dovecot] Problems with login_log_format (possible bug?)
login_log_format = %$: %s
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c session=<%{session}>

These are the defaults, at least on a Fedora system. According to http://wiki2.dovecot.org/Variables, this should record for user@REALM when seeing the following

Apr 30 18:08:40 TeaSet dovecot: auth: Debug: auth(user,...,): username changed user -> user@REALM.

If I wanted just user, user=<%u> should be changed to user=<%orig_user>. However, I only get user not user@REALM in imap-login log lines.

I wouldn't mind this, but auth_username_format cannot be used in passdb{} and I haven't been able to get pam_krb5 to uppercase the realm for it alone. (Everything else depends on it being lowercase.) I can make this work by just passing the user name part of username in the client, but then imap-login still doesn't have the required information for the same reason.

Anyone have any suggestions?

Thank you,
Trever
Re: [Dovecot] Fedora Rpm of Dovecot Antispam plugin
On 02/10/2014 06:14 PM, David Mehler wrote:
> Hello,
>
> Quick question, does anyone have a fedora 17 rpm or a rel src.rpm that
> can be rebuilt, of the dovecot antispam plugin?
>
> Thanks.
> Dave.
>

Hello Dave,

I can provide you with a SPEC file if that is what you are after. I do not publish my RPM/SRPM for various reasons, but I am happy to share the SPEC. I used it from before 17 and am using it with Fedora 20 now.

Trever
Re: [Dovecot] Crashes with 2.2.4 setup that worked perfectly with 2.2.2 (.2.3 also crashes)
On 07/09/2013 10:02 PM, Timo Sirainen wrote:
> On 8.7.2013, at 12.31, Trever L. Adams wrote:
>
>> I am not sure how to get the symbols necessary, however the following is
>> the backtrace (this is Fedora 19 latest everything):
>>
>> Jul 8 03:23:02 MX dovecot: auth: Fatal: block_alloc(2147483648): Out of
>> memory
>> [0x7f97a9526ac1] -> /lib64/libldap-2.4.so.2(ldap_int_sasl_open+0x5c)
>> [0x7f97a62f058c] -> /lib64/libldap-2.4.so.2(ldap_int_sasl_bind+0x5c9)
>> [0x7f97a62f0cd9] ->
>> /lib64/libldap-2.4.so.2(ldap_sasl_interactive_bind+0x96)
> There's a bug in v2.2.4 with LDAP SASL binds.
> http://hg.dovecot.org/dovecot-2.2/rev/2dd27b0e7e49
>
> I'll try to get v2.2.5 out this week. Been a bit lazy these few weeks with a
> "vacation". :)
>
>

Only some basic testing so far, but I wanted to report that everything seems to be working perfectly.

Thank you again, Timo.

Trever
Re: [Dovecot] Crashes with 2.2.4 setup that worked perfectly with 2.2.2 (.2.3 also crashes)
On 07/09/2013 10:02 PM, Timo Sirainen wrote:
> On 8.7.2013, at 12.31, Trever L. Adams wrote:
>
>> I am not sure how to get the symbols necessary, however the following is
>> the backtrace (this is Fedora 19 latest everything):
>>
>> Jul 8 03:23:02 MX dovecot: auth: Fatal: block_alloc(2147483648): Out of
>> memory
>> [0x7f97a9526ac1] -> /lib64/libldap-2.4.so.2(ldap_int_sasl_open+0x5c)
>> [0x7f97a62f058c] -> /lib64/libldap-2.4.so.2(ldap_int_sasl_bind+0x5c9)
>> [0x7f97a62f0cd9] ->
>> /lib64/libldap-2.4.so.2(ldap_sasl_interactive_bind+0x96)
> There's a bug in v2.2.4 with LDAP SASL binds.
> http://hg.dovecot.org/dovecot-2.2/rev/2dd27b0e7e49
>
> I'll try to get v2.2.5 out this week. Been a bit lazy these few weeks with a
> "vacation". :)
>
>

Thank you for the information Timo. I hope your "vacation" was great!

Thanks again,
Trever
Re: [Dovecot] Crashes with 2.2.4 setup that worked perfectly with 2.2.2 (.2.3 also crashes)
On 07/08/2013 04:45 AM, Trever L. Adams wrote:
> On 07/08/2013 04:00 AM, Eugene wrote:
> > Hi Trever,
> >
> > Actually the first line seems to suggest an attempt to allocate 2GB
> > block. The question is why it wants to do that =)
> >
> > Best wishes
> > Eugene
> >
> And I have no reason why.
>
> Thank you for your help,
> Trever
>

In 2.2.3 did mailbox handling change? I use maildir. Some of the folders do have a lot of messages, but very few large ones (I believe my postfix setup limits things to 10M per message).

Also, this happens on any login kerberos or not. I have an LDAP that is used to test for accounts (this is where it says it is crashing), Kerberos for Authentication and PAM which looks at the LDAP/Kerberos. Nothing but dovecot software changes between working and non-working.

Trever
Re: [Dovecot] Crashes with 2.2.4 setup that worked perfectly with 2.2.2 (.2.3 also crashes)
On 07/08/2013 04:00 AM, Eugene wrote:
> Hi Trever,
>
> Actually the first line seems to suggest an attempt to allocate 2GB block. The question is why it wants to do that =)
>
> Best wishes
> Eugene
>

And I have no reason why.

Thank you for your help,
Trever
Re: [Dovecot] Crashes with 2.2.4 setup that worked perfectly with 2.2.2 (.2.3 also crashes)
On 07/08/2013 04:15 AM, Reindl Harald wrote:
>
>
> On 08.07.2013 12:00, Eugene wrote:
>> Actually the first line seems to suggest an attempt to allocate 2GB block. The question is why it wants to do that =)
>
> sure that there is no stupid client trying to store a some GB
> draft on the server? i had a year ago a apple-mail client
> where the user selected the wrong attachment (6 GB MP4)
> and apple-mail insisted to store it a draft on the server
> repeating this every time the server came back after crashing
> even after changing the password as the client found a open
> connection from before
>
> if the client is inside the LAN with GBE this goes fast
>
>

The crash happens on any Kerberos login. I am the only user on the system at the moment and while I have a few drafts, they are small.

To crash it, I just do "yum upgrade; service dovecot restart" then try to login. Instant crash. If I then do a forced downgrade, do the login, it works.

Trever
Re: [Dovecot] Crashes with 2.2.4 setup that worked perfectly with 2.2.2 (.2.3 also crashes)
On 07/08/2013 03:43 AM, Reindl Harald wrote:
>
>
> On 08.07.2013 11:31, Trever L. Adams wrote:
>> Jul 8 03:23:02 MX dovecot: auth: Fatal: master: service(auth): child
>> 9650 returned error 83 (Out of memory (service auth { vsz_limit=256 MB
>> }, you may need to increase it))
>>
>> Any help would be greatly appreciated
>
> look at the last line of your quote
>

I am afraid that that doesn't fix the problem Reindl.

Jul 8 03:51:56 MX dovecot: auth: Fatal: block_alloc(2147483648): Out of memory
Jul 8 03:51:56 MX dovecot: auth: Error: Raw backtrace:
  /usr/lib64/dovecot/libdovecot.so.0(+0x5f437) [0x7f5774b6b437] ->
  /usr/lib64/dovecot/libdovecot.so.0(+0x5f4fe) [0x7f5774b6b4fe] ->
  /usr/lib64/dovecot/libdovecot.so.0(i_error+0) [0x7f5774b2c70f] ->
  /usr/lib64/dovecot/libdovecot.so.0(+0x72ee8) [0x7f5774b7eee8] ->
  /usr/lib64/dovecot/libdovecot.so.0(+0x72f1f) [0x7f5774b7ef1f] ->
  /usr/lib64/dovecot/libdovecot.so.0(sasl_client_new+0x31) [0x7f5774b62ac1] ->
  /lib64/libldap-2.4.so.2(ldap_int_sasl_open+0x5c) [0x7f577192c58c] ->
  /lib64/libldap-2.4.so.2(ldap_int_sasl_bind+0x5c9) [0x7f577192ccd9] ->
  /lib64/libldap-2.4.so.2(ldap_sasl_interactive_bind+0x96) [0x7f577192fe46] ->
  /lib64/libldap-2.4.so.2(ldap_sasl_interactive_bind_s+0xe1) [0x7f5771930041] ->
  /usr/lib64/dovecot/auth/libauthdb_ldap.so(db_ldap_connect+0x146) [0x7f5771b6b286] ->
  dovecot/auth(userdb_init+0x1a) [0x7f577501c9ea] ->
  dovecot/auth(auths_init+0xc9) [0x7f5775004e29] ->
  dovecot/auth(main+0x335) [0x7f5775004225] ->
  /lib64/libc.so.6(__libc_start_main+0xf5) [0x7f5774124b75] ->
  dovecot/auth(+0xe43d) [0x7f577500443d]
Jul 8 03:51:56 MX dovecot: master: Error: service(auth): command startup failed, throttling for 2 secs
Jul 8 03:51:56 MX dovecot: auth: Fatal: master: service(auth): child 1744 returned error 83 (Out of memory (service auth { vsz_limit=512 MB }, you may need to increase it))

I do not think that dovecot has increased its memory usage by more than 100%.

Thank you,
Trever
[Dovecot] Crashes with 2.2.4 setup that worked perfectly with 2.2.2 (.2.3 also crashes)
I am not sure how to get the symbols necessary, however the following is the backtrace (this is Fedora 19 latest everything):

Jul 8 03:23:02 MX dovecot: auth: Fatal: block_alloc(2147483648): Out of memory
Jul 8 03:23:02 MX dovecot: auth: Error: Raw backtrace:
  /usr/lib64/dovecot/libdovecot.so.0(+0x5f437) [0x7f97a952f437] ->
  /usr/lib64/dovecot/libdovecot.so.0(+0x5f4fe) [0x7f97a952f4fe] ->
  /usr/lib64/dovecot/libdovecot.so.0(i_error+0) [0x7f97a94f070f] ->
  /usr/lib64/dovecot/libdovecot.so.0(+0x72ee8) [0x7f97a9542ee8] ->
  /usr/lib64/dovecot/libdovecot.so.0(+0x72f1f) [0x7f97a9542f1f] ->
  /usr/lib64/dovecot/libdovecot.so.0(sasl_client_new+0x31) [0x7f97a9526ac1] ->
  /lib64/libldap-2.4.so.2(ldap_int_sasl_open+0x5c) [0x7f97a62f058c] ->
  /lib64/libldap-2.4.so.2(ldap_int_sasl_bind+0x5c9) [0x7f97a62f0cd9] ->
  /lib64/libldap-2.4.so.2(ldap_sasl_interactive_bind+0x96) [0x7f97a62f3e46] ->
  /lib64/libldap-2.4.so.2(ldap_sasl_interactive_bind_s+0xe1) [0x7f97a62f4041] ->
  /usr/lib64/dovecot/auth/libauthdb_ldap.so(db_ldap_connect+0x146) [0x7f97a652f286] ->
  dovecot/auth(userdb_init+0x1a) [0x7f97a99e09ea] ->
  dovecot/auth(auths_init+0xc9) [0x7f97a99c8e29] ->
  dovecot/auth(main+0x335) [0x7f97a99c8225] ->
  /lib64/libc.so.6(__libc_start_main+0xf5) [0x7f97a8ae8b75] ->
  dovecot/auth(+0xe43d) [0x7f97a99c843d]
Jul 8 03:23:02 MX dovecot: master: Error: service(auth): command startup failed, throttling for 60 secs
Jul 8 03:23:02 MX dovecot: auth: Fatal: master: service(auth): child 9650 returned error 83 (Out of memory (service auth { vsz_limit=256 MB }, you may need to increase it))

Any help would be greatly appreciated.

Thank you,
Trever
Re: [Dovecot] dovecot 2.0 -> 2.2.1 sieve problem
On 05/15/2013 02:01 PM, Stephan Bosch wrote:
> On 5/15/2013 9:37 PM, Trever L. Adams wrote:
>> On 05/15/2013 10:39 AM, Stephan Bosch wrote:
>> When trying to compile this version, I am getting the following. I am
>> not sure what is causing it. dovecot compiles fine. Pigeonhole is
>> compiling, but then failing.
>>
>> PASS: 2 tests succeeded.
>>
>> Test case: ./tests/multiscript/conflicts.svtest:
>>
>> testsuite(root): Panic: pool_data_stack_realloc(): stack frame changed
>
> Oh. Well, it is a good thing we have a test suite.
>
> This should fix it:
>
> http://hg.rename-it.nl/dovecot-2.2-pigeonhole/rev/04ad3c2f0765
>
> Regards,
>
> Stephan.
>
>

That did the trick. Thank you very much.

For Fedora users who may find this: https://bugzilla.redhat.com/show_bug.cgi?id=963417

Again, thank you!

Trever
Re: [Dovecot] dovecot 2.0 -> 2.2.1 sieve problem
On 05/15/2013 10:39 AM, Stephan Bosch wrote:
>
> This looks like a rather old version of Pigeonhole (pre-release v0.4).
>
> Due to the following change a Pigeonhole version should be logged when
> mail_debug is enabled:
>
> http://hg.rename-it.nl/dovecot-2.2-pigeonhole/rev/44721c50833e
>
> I see nothing like that in your logs, so you're running something older.
>
> This change is probably what fixes your trouble:
>
> http://hg.rename-it.nl/dovecot-2.2-pigeonhole/rev/f43c7609497c
>
> From the package name you provided I cannot tell which version (or
> rather hg revision) of Pigeonhole you are running. The released
> v0.4.0 should work.
>
> Regards,
>
> Stephan.
>

When trying to compile this version, I am getting the following. I am not sure what is causing it. dovecot compiles fine. Pigeonhole is compiling, but then failing.

PASS: 2 tests succeeded.

Test case: ./tests/multiscript/conflicts.svtest:

testsuite(root): Panic: pool_data_stack_realloc(): stack frame changed
testsuite(root): Error: Raw backtrace:
  /root/rpmbuild/BUILD/dovecot-2.2.1/src/lib-dovecot/.libs/libdovecot.so.0(+0x5e1c7) [0x7f4e5d4801c7] ->
  /root/rpmbuild/BUILD/dovecot-2.2.1/src/lib-dovecot/.libs/libdovecot.so.0(default_fatal_handler+0x2a) [0x7f4e5d48021a] ->
  /root/rpmbuild/BUILD/dovecot-2.2.1/src/lib-dovecot/.libs/libdovecot.so.0(i_fatal+0) [0x7f4e5d442025] ->
  /root/rpmbuild/BUILD/dovecot-2.2.1/src/lib-dovecot/.libs/libdovecot.so.0(+0x720da) [0x7f4e5d4940da] ->
  /root/rpmbuild/BUILD/dovecot-2.2.1/src/lib-dovecot/.libs/libdovecot.so.0(+0x5a8ed) [0x7f4e5d47c8ed] ->
  /root/rpmbuild/BUILD/dovecot-2.2.1/src/lib-dovecot/.libs/libdovecot.so.0(buffer_write+0xa3) [0x7f4e5d47cc73] ->
  /root/rpmbuild/BUILD/dovecot-2.2.1/dovecot-2-2-pigeonhole-a32b12ab5ea6/src/lib-sieve/.libs/libdovecot-sieve.so.0(rfc2822_header_append+0x146) [0x7f4e5dc1fb46] ->
  /root/rpmbuild/BUILD/dovecot-2.2.1/dovecot-2-2-pigeonhole-a32b12ab5ea6/src/lib-sieve/.libs/libdovecot-sieve.so.0(rfc2822_header_printf+0xb1) [0x7f4e5dc1fd21] ->
  /root/rpmbuild/BUILD/dovecot-2.2.1/dovecot-2-2-pigeonhole-a32b12ab5ea6/src/lib-sieve/.libs/libdovecot-sieve.so.0(sieve_action_reject_mail+0x35f) [0x7f4e5dc3c7df] ->
  /root/rpmbuild/BUILD/dovecot-2.2.1/dovecot-2-2-pigeonhole-a32b12ab5ea6/src/lib-sieve/.libs/libdovecot-sieve.so.0(+0x43093) [0x7f4e5dc41093] ->
  /root/rpmbuild/BUILD/dovecot-2.2.1/dovecot-2-2-pigeonhole-a32b12ab5ea6/src/lib-sieve/.libs/libdovecot-sieve.so.0(sieve_result_execute+0x248) [0x7f4e5dc34468] ->
  /root/rpmbuild/BUILD/dovecot-2.2.1/dovecot-2-2-pigeonhole-a32b12ab5ea6/src/testsuite/.libs/lt-testsuite(testsuite_result_execute+0x21) [0x7f4e5e0b6f31] ->
  /root/rpmbuild/BUILD/dovecot-2.2.1/dovecot-2-2-pigeonhole-a32b12ab5ea6/src/testsuite/.libs/lt-testsuite(+0x10c84) [0x7f4e5e0bac84] ->
  /root/rpmbuild/BUILD/dovecot-2.2.1/dovecot-2-2-pigeonhole-a32b12ab5ea6/src/lib-sieve/.libs/libdovecot-sieve.so.0(sieve_interpreter_continue+0xce) [0x7f4e5dc3179e] ->
  /root/rpmbuild/BUILD/dovecot-2.2.1/dovecot-2-2-pigeonhole-a32b12ab5ea6/src/lib-sieve/.libs/libdovecot-sieve.so.0(sieve_interpreter_run+0x2b) [0x7f4e5dc3192b] ->
  /root/rpmbuild/BUILD/dovecot-2.2.1/dovecot-2-2-pigeonhole-a32b12ab5ea6/src/testsuite/.libs/lt-testsuite(main+0x2d4) [0x7f4e5e0b3eb4] ->
  /lib64/libc.so.6(__libc_start_main+0xf5) [0x7f4e5ce7fb75] ->
  /root/rpmbuild/BUILD/dovecot-2.2.1/dovecot-2-2-pigeonhole-a32b12ab5ea6/src/testsuite/.libs/lt-testsuite(+0xa075) [0x7f4e5e0b4075]
make: *** [tests/multiscript/conflicts.svtest] Aborted

Thank you,
Trever
Re: [Dovecot] dovecot 2.0 -> 2.2.1 sieve problem
On 05/15/2013 10:39 AM, Stephan Bosch wrote:
> On 5/15/2013 5:25 PM, Trever L. Adams wrote:
>> On 05/15/2013 09:18 AM, Timo Sirainen wrote:
>>> What do you get in logs with auth_debug=yes and mail_debug=yes?
>> with auth_debug=yes and mail_debug=yes
>
> This looks like a rather old version of Pigeonhole (pre-release v0.4).
>
> Due to the following change a Pigeonhole version should be logged when
> mail_debug is enabled:
>
> http://hg.rename-it.nl/dovecot-2.2-pigeonhole/rev/44721c50833e
>
> I see nothing like that in your logs, so you're running something older.
>
> This change is probably what fixes your trouble:
>
> http://hg.rename-it.nl/dovecot-2.2-pigeonhole/rev/f43c7609497c
>
> From the package name you provided I cannot tell which version (or
> rather hg revision) of Pigeonhole you are running. The released
> v0.4.0 should work.
>
> Regards,
>
> Stephan.
>

I am sorry for assuming that dovecot and pigeonhole were in the same repository. They are packaged from one SRPM in Fedora. It appears that the following is the hg information, so yes, it is old:

repo: d31c1c993bcf9897297b1c6a7d4fd3a7bbc4eff8
node: 99eec511aa2c03df4a7dcb2cd1506163b49e419b
branch: default
latesttag: 0.3.3
latesttagdistance: 22

I will file the appropriate bug there.

Thank you Timo and Stephan for your help!

Trever
--
"I have sworn upon the altar of God, eternal hostility against every form of tyranny over the mind of man." -- Thomas Jefferson
Re: [Dovecot] dovecot 2.0 -> 2.2.1 sieve problem
On 05/15/2013 09:18 AM, Timo Sirainen wrote:
> On 15.5.2013, at 18.05, Trever L. Adams wrote:
>
>> I have been racking my brain trying to figure out why some may not see
>> what I am seeing. The only odd part of my configuration that others may
>> not have is:
>>
>> import_environment = TZ KRB5CCNAME=...
>>
>> This was added, if I remember right, at the request of myself and
>> another so that LDAP configuration could identify with GSSAPI base
>> kerberos. I do use it.
> Can't really be related.
>
>> userdb {
>> args = /etc/dovecot/dovecot-ldap.conf.ext
>> driver = ldap
>> }
> What does this file contain?

hosts = DOMAIN
base = dc=middleearth,dc=sapphiresunday,dc=org
ldap_version = 3
user_attrs = userPrincipalName=user
user_filter = (&(objectClass=person)(|(mail=%u)(sAMAccountName=%u)(userPrincipalName=%u)))
dn = MX$@DOMAIN
sasl_bind = yes
sasl_mech = GSSAPI
sasl_realm = DOMAIN
#sasl_authz_id = MX$@DOMAIN
# For using doveadm -A:
iterate_attrs = userPrincipalName=user
iterate_filter = (objectClass=person)

This configuration works for everything but sieve. It used to work for everything.

>
> What do you get in logs with auth_debug=yes and mail_debug=yes?
>
>

with auth_debug=yes and mail_debug=yes

May 15 09:20:17 MX postfix/cleanup[13965]: 695311409F9: message-id=<20130515152017.695311409F9@MX.DOMAIN>
May 15 09:20:17 MX opendkim[650]: 695311409F9: DKIM-Signature header added (s=default, d=DOMAIN)
May 15 09:20:17 MX postfix/qmgr[759]: 695311409F9: from=, size=562, nrcpt=1 (queue active)
May 15 09:20:17 MX dovecot: lmtp(14233): Debug: none: root=, index=, indexpvt=, control=, inbox=, alt=
May 15 09:20:17 MX dovecot: lmtp(14233): Connect from local
May 15 09:20:17 MX dovecot: lmtp(14233): Debug: Loading modules from directory: /usr/lib64/dovecot
May 15 09:20:17 MX dovecot: lmtp(14233): Debug: Module loaded: /usr/lib64/dovecot/lib90_sieve_plugin.so
May 15 09:20:17 MX dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
May 15 09:20:17 MX dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
May 15 09:20:17 MX dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
May 15 09:20:17 MX dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libmech_gssapi.so
May 15 09:20:17 MX dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
May 15 09:20:17 MX dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libauthdb_ldap.so
May 15 09:20:17 MX dovecot: auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
May 15 09:20:17 MX dovecot: auth: Debug: master in: USER#0111#011trever@DOMAIN#011service=lmtp
May 15 09:20:17 MX dovecot: auth: Debug: ldap(trever@DOMAIN): user search: base=dc=middleearth,dc=sapphiresunday,dc=org scope=subtree filter=(&(objectClass=person)(|(mail=trever@DOMAIN)(sAMAccountName=trever@DOMAIN)(userPrincipalName=trever@DOMAIN))) fields=userPrincipalName
May 15 09:20:17 MX dovecot: auth: Debug: ldap(trever@DOMAIN): result: userPrincipalName=trever@DOMAIN; userPrincipalName unused
May 15 09:20:17 MX dovecot: auth: Debug: auth(trever@DOMAIN): username changed trever@DOMAIN -> trever@DOMAIN
May 15 09:20:17 MX dovecot: auth: Debug: ldap(trever@DOMAIN): result: userPrincipalName=trever@DOMAIN
May 15 09:20:17 MX dovecot: auth: Debug: userdb out: USER#0111#011trever@DOMAIN
May 15 09:20:17 MX dovecot: lmtp(14233): Debug: auth input: trever@DOMAIN
May 15 09:20:17 MX dovecot: lmtp(14233): Debug: changed username to trever@DOMAIN
May 15 09:20:17 MX dovecot: lmtp(14233): Debug: Added userdb setting: plugin/=yes
May 15 09:20:17 MX dovecot: lmtp(14233, trever@DOMAIN): Debug: Effective uid=500, gid=500, home=/home/vmail/DOMAIN/trever
May 15 09:20:17 MX dovecot: lmtp(14233, trever@DOMAIN): Debug: Namespace inbox: type=private, prefix=, sep=, inbox=yes, hidden=no, list=yes, subscriptions=yes location=maildir:~/Maildir
May 15 09:20:17 MX dovecot: lmtp(14233, trever@DOMAIN): Debug: maildir++: root=/home/vmail/DOMAIN/trever/Maildir, index=, indexpvt=, control=, inbox=/home/vmail/DOMAIN/trever/Maildir, alt=
May 15 09:20:17 MX dovecot: lmtp(14233, trever@DOMAIN): Debug: qDM7HrGnk1GZNwAApwKjnA: sieve: executed before user's personal Sieve script(1): (null)
May 15 09:20:17 MX dovecot: lmtp(14233, trever@DOMAIN): Debug: qDM7HrGnk1GZNwAApwKjnA: sieve: executed before user's personal Sieve script(2): (null)

I don't think the above two lines are accurate that the scripts ran. I have one that should stuff anything from heirloom mail client into a folder (to test things) and it isn't working.

May 15 09:20:17 MX dovecot: lmtp(14233, trever@DOMAIN): Debug: qDM7HrGnk1GZNwAApwKjnA: sieve: using the following location for user's Sieve script: /home/vmail/DOMAIN/trever/.dovecot.sieve;name=main script
May 15 09:20:17 MX dov
Re: [Dovecot] dovecot 2.0 -> 2.1 sieve problem
On 05/14/2013 02:56 PM, Stephan Bosch wrote:
> On 5/14/2013 9:35 PM, Trever L. Adams wrote:
>> On 05/14/2013 01:29 PM, Stephan Bosch wrote:
>>> On 5/14/2013 8:54 PM, Trever L. Adams wrote:
>>>> I had a completely working setup before. I upgraded, now I get:
>>>>
>>>> Error: 7LUaNYqHklG6EAAApwKjnA: sieve: execution of script (null) failed,
>>>> but implicit keep was successful
>>>>
>>>> sieve = /home/vmail/%Ld/%Ln/.dovecot.sieve
>>>> sieve_dir = /home/vmail/%Ld/%Ln/sieve (this was ~/sieve)
>>>>
>>>> I am not quite sure what is going on. Is anyone else seeing this? Any
>>>> idea on what has changed? (I am not readily seeing it in changelogs or
>>>> mailing lists.)
>>> What is the exact version of Pigeonhole you're upgrading to?
>> dovecot-2.2.1-2.fc19.x86_64
>> dovecot-pigeonhole-2.2.1-2.fc19.x86_64
>
> That is not 2.1, right?

Sorry, I had been at it for many hours when I looked at the version. You are correct.

I have been racking my brain trying to figure out why some may not see what I am seeing. The only odd part of my configuration that others may not have is:

import_environment = TZ KRB5CCNAME=...

This was added, if I remember right, at the request of myself and another so that LDAP configuration could identify with GSSAPI base kerberos. I do use it.

>
>> It won't run ANY sieves even the sieve_before, directory or specific
>> sieve file.
>
> The error you see is a bug in any case because of the '(null)' script
> location.
>
> You can enable mail_debug to see more information.
>
> Could you also provide dovecot -n output here?
>
> Regards,
>
> Stephan.
>
>

# 2.2.1: /etc/dovecot/dovecot.conf
# OS: Linux 3.9.1-301.fc19.x86_64 x86_64 Fedora release 19 (Schrödinger’s Cat)
auth_gssapi_hostname = MX.DOMAIN
auth_mechanisms = gssapi gss-spnego login plain
auth_realms = DOMAIN
auth_username_format = %u
import_environment = TZ KRB5CCNAME=/etc/dovecot/krb5.cc
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
mail_gid = vmail
mail_home = /home/vmail/%Ld/%Ln
mail_location = maildir:~/Maildir
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox INBOX.Dangerous {
    auto = subscribe
  }
  mailbox INBOX.Infected {
    auto = subscribe
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox SPAM {
    auto = subscribe
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
plugin {
  antispam_backend = dspam
  antispam_dspam_args = --client;--user;%u;--source=error;--signature=%%s
  antispam_dspam_result_header = X-DSPAM-Result
  antispam_signature = X-DSPAM-Signature
  antispam_spam = SPAM
  antispam_trash = trash;Trash;Deleted Items
  sieve = /home/vmail/%Ld/%Ln/.dovecot.sieve
  sieve_before = /etc/dovecot/sieve
  sieve_dir = /home/vmail/%Ld/%Ln/sieve
  sieve_global_dir = /etc/dovecot/sieve/
}
protocols = imap lmtp
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0660
  }
}
service imap-login {
  inet_listener imap {
    port = 0
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0660
    user = postfix
  }
}
ssl = required
ssl_cert =
Re: [Dovecot] dovecot 2.0 -> 2.1 sieve problem
On 05/14/2013 01:29 PM, Stephan Bosch wrote:
> On 5/14/2013 8:54 PM, Trever L. Adams wrote:
>> I had a completely working setup before. I upgraded, now I get:
>>
>> Error: 7LUaNYqHklG6EAAApwKjnA: sieve: execution of script (null) failed,
>> but implicit keep was successful
>>
>> sieve = /home/vmail/%Ld/%Ln/.dovecot.sieve
>> sieve_dir = /home/vmail/%Ld/%Ln/sieve (this was ~/sieve)
>>
>> I am not quite sure what is going on. Is anyone else seeing this? Any
>> idea on what has changed? (I am not readily seeing it in changelogs or
>> mailing lists.)
>
> What is the exact version of Pigeonhole you're upgrading to?
>
> Regards,
>
> Stephan.
>

dovecot-2.2.1-2.fc19.x86_64
dovecot-pigeonhole-2.2.1-2.fc19.x86_64

It won't run ANY sieves even the sieve_before, directory or specific sieve file.

Trever
--
"Concentrate all your thoughts upon the work at hand. The sun's rays do not burn until brought to a focus." -- Alexander Graham Bell
[Dovecot] dovecot 2.0 -> 2.1 sieve problem
I had a completely working setup before. I upgraded, now I get:

Error: 7LUaNYqHklG6EAAApwKjnA: sieve: execution of script (null) failed, but implicit keep was successful

sieve = /home/vmail/%Ld/%Ln/.dovecot.sieve
sieve_dir = /home/vmail/%Ld/%Ln/sieve (this was ~/sieve)

I am not quite sure what is going on. Is anyone else seeing this? Any idea on what has changed? (I am not readily seeing it in changelogs or mailing lists.)

Thank you,
Trever
--
"A right is not what someone gives you; it's what no one can take from you." -- Ramsey Clark
Re: [Dovecot] IMAP SSL proxy (questions)
On 05/08/2013 01:57 PM, Ben Morrow wrote:
> At 10AM -0600 on 8/05/13 you (Trever L. Adams) wrote:
>> Hello everyone,
>>
>> I have seen: http://wiki.dovecot.org/HowTo/ImapProxy. It doesn't seem to
>> fit what I need.
> That page is for Dovecot 1.x, which is obsolete. You should be reading
> http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/Proxy .
>
>> Unfortunately, I cannot use TLS. I have to use SSL. Also, I would rather
>> not duplicate the certificates for the IMAP servers. Hence nginx doesn't
>> seem to be a good choice either.
>>
>> I am hoping that since SSL has "Client Hello" which specifies the site
>> requested the following could be done:
>>
>> Client -> Proxy [SYN]
>> Proxy -> Client [SYN, ACK]
>> Client -> Proxy [ACK]
>> Client -> Proxy [SSL With "Client Hello", having server_name in
>> Extension: server_name and sub-fields]
> Do you have any evidence that common IMAP clients support sending SNI?
> I've just checked, and mutt (for example) appears not to.
>
>> Proxy sees intended host
>> Proxy <-> Intended Server [SYN/SYN+ACK/ACK sequence]
>> Proxy -> Intended Server [Replay SSL/Client Hello]
>> Client <-> Proxy <-> Intended Server (Proxy is non decrypting
>> Man-in-the-Middle, just acting as a pseudo-invisible relay)
>>
>> I know that something somewhat like this works because this is how
>> Apache can do virtual hosts with SSL. Of course, it acts as the end
>> point intended server, not a proxy. I believe it is also somewhat how
>> Squid does SSL proxying, although I could be entirely wrong.
> More importantly, it only works with clients (browsers) which are new
> enough to send SNI. If you use, for instance, any version of IE on
> Windows XP, it will not work.
>
>> Is this possible? Can this be implemented in dovecot?
> I don't believe so.
>
>> If not, does anyone know of such a project. Proxy needs to not have
>> any exploitable holes and really only needs to understand enough SSL
>> to get the server_name, pass through the connection, replaying Client
>> Hello, and then knowing when to shut the connection.
>>
>> Just as a brief example, the use I have for this now is that I have
>> several imap servers which all have IPv6 addresses, but have to share an
>> IPv4 address. for SMTP side of things, this works well for all incoming
>> email. (As an aside, does anyone know of a similar setup for SSL traffic
>> on port 465 SSL for SMTP?)
> Similarly, I doubt this is possible for SMTP either, since the clients
> probably won't send SNI.
>
> Ben
>
>

Thank you Ben and Noel for your responses!

I know Thunderbird on Linux sends it. Right now my targets would be Thunderbird, K9 Mail and Android Mail on Android, and Apple Mail and whatever the equivalent is on iOS. I will investigate K9 and Android later (as I have access to those). I do not have access to the Apple ones at the moment.

K-9 on my Droid X2 does not support SNI.

Trever
[Dovecot] IMAP SSL proxy (questions)
Hello everyone,

I have seen: http://wiki.dovecot.org/HowTo/ImapProxy. It doesn't seem to fit what I need.

Unfortunately, I cannot use TLS. I have to use SSL. Also, I would rather not duplicate the certificates for the IMAP servers. Hence nginx doesn't seem to be a good choice either.

I am hoping that since SSL has "Client Hello" which specifies the site requested the following could be done:

Client -> Proxy [SYN]
Proxy -> Client [SYN, ACK]
Client -> Proxy [ACK]
Client -> Proxy [SSL With "Client Hello", having server_name in Extension: server_name and sub-fields]
Proxy sees intended host
Proxy <-> Intended Server [SYN/SYN+ACK/ACK sequence]
Proxy -> Intended Server [Replay SSL/Client Hello]
Client <-> Proxy <-> Intended Server (Proxy is non decrypting Man-in-the-Middle, just acting as a pseudo-invisible relay)

I know that something somewhat like this works because this is how Apache can do virtual hosts with SSL. Of course, it acts as the end point intended server, not a proxy. I believe it is also somewhat how Squid does SSL proxying, although I could be entirely wrong.

Is this possible? Can this be implemented in dovecot?

If not, does anyone know of such a project. Proxy needs to not have any exploitable holes and really only needs to understand enough SSL to get the server_name, pass through the connection, replaying Client Hello, and then knowing when to shut the connection.

Just as a brief example, the use I have for this now is that I have several imap servers which all have IPv6 addresses, but have to share an IPv4 address. for SMTP side of things, this works well for all incoming email. (As an aside, does anyone know of a similar setup for SSL traffic on port 465 SSL for SMTP?)

Thank you for any help,
Trever
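The "Proxy sees intended host" step in the message above, as an added example that is not part of the original post and is not Dovecot code: a bounds-checked reader that pulls server_name out of the first TLS record and maps it to a backend through an allowlist. The function names, the backend table and the sample ClientHello are constructed for illustration, and the parser assumes the whole ClientHello arrives in a single TLS record.

```python
import re
import struct

# SNI bytes are client-controlled: accept only plain letter/digit/hyphen hostnames.
HOSTNAME_RE = re.compile(r"[a-z0-9]([a-z0-9.-]{0,251}[a-z0-9])?")

# Constructed routing table (documentation addresses), name -> (address, port).
BACKENDS = {"imap1.example.org": ("2001:db8::1", 993),
            "imap2.example.org": ("2001:db8::2", 993)}


class NotClientHello(ValueError):
    """The buffer is not a well-formed ClientHello in a single TLS record."""


class Reader:
    """Cursor that checks every length field against the buffer before slicing."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise NotClientHello("length field runs past end of buffer")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self):
        return self.take(1)[0]

    def u16(self):
        return struct.unpack("!H", self.take(2))[0]

    def left(self):
        return len(self.data) - self.pos


def extract_sni(record):
    """Return the lower-cased server_name, or None if the client sent none."""
    rec = Reader(record)
    if rec.u8() != 0x16 or rec.u8() != 0x03:   # handshake record, major version 3
        raise NotClientHello("not a TLS handshake record")
    rec.u8()                                   # minor version, not needed here
    hs = Reader(rec.take(rec.u16()))
    if hs.u8() != 0x01:
        raise NotClientHello("handshake message is not ClientHello")
    body = Reader(hs.take(int.from_bytes(hs.take(3), "big")))
    body.take(2 + 32)                          # client_version + random
    body.take(body.u8())                       # session_id
    body.take(body.u16())                      # cipher_suites
    body.take(body.u8())                       # compression_methods
    if body.left() == 0:
        return None                            # no extensions block at all
    exts = Reader(body.take(body.u16()))
    while exts.left():
        ext_type = exts.u16()
        ext = Reader(exts.take(exts.u16()))
        if ext_type != 0x0000:                 # 0 = server_name extension
            continue
        names = Reader(ext.take(ext.u16()))
        while names.left():
            name_type = names.u8()
            raw = names.take(names.u16())
            if name_type == 0:                 # host_name entry
                host = raw.decode("ascii", "replace").lower()
                if not HOSTNAME_RE.fullmatch(host):
                    raise NotClientHello("server_name is not a plain hostname")
                return host
    return None


def pick_backend(record, backends, default=None):
    """Choose a backend for the first record; None means close the connection.

    Names outside the table and malformed input are refused, so the relay never
    connects to a destination chosen by the client. Only a valid ClientHello
    without SNI falls back to `default`.
    """
    try:
        host = extract_sni(record)
    except NotClientHello:
        return None
    return default if host is None else backends.get(host)


def build_client_hello(server_name=None):
    """Build a minimal ClientHello record (constructed sample, not a capture)."""
    exts = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host
        sni = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(sni)) + sni
    exts += struct.pack("!HH", 0xFF01, 1) + b"\x00"   # renegotiation_info
    body = (b"\x03\x03" + bytes(32) + b"\x00"          # version, random, session_id
            + struct.pack("!H", 2) + b"\x00\x2f"       # one cipher suite
            + b"\x01\x00"                              # null compression
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake
```

A relay built on this still has to buffer and forward the same bytes unchanged to the chosen backend, and clients that send no SNI can only ever reach the single default.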
Re: [Dovecot] dovecot antispam plugin is not woking
On 04/30/2013 05:47 AM, Eugene Paskevich wrote:
> On Tue, 30 Apr 2013 12:36:44 +0300, Ravi Kanchan wrote:
>
>> and plugin configuration is given below:
>>
>> protocol imap {
>> mail_plugins = " antispam autocreate"
>> }
>> protocol pop3 {
>> mail_plugins = antispam autocreate
>> }
>
> I'm not sure this plugin could be used with POP3.

I am pretty sure that it cannot be used with POP3. It requires IMAP.

Trever
Re: [Dovecot] Virtual users - what is better Maildir or mbox?
On 06/26/2012 07:11 AM, Wojciech Puchar wrote:
>> The only draw back I see with maildir is one file per message. This
>
> it is mostly advantage.

Agreed.

>
>> makes it resilient to corruption that mbox sees (if a message gets
>> corrupted, you erase one message and that corruption won't propagate
>> even if you leave it in place). In many setups this also leads to MUCH
>> faster system. On unix systems this doesn't just waste disk space, it
>
> even with 32kB block/4kB fragment filesystem under FreeBSD which is my
> common setup, it isn't that a problem.
> i just checked one of my users folder - 2.3GB in 8500 files. the
> average is 270 kilobytes per mail.
>
> checked few others and it looks similar.
>
>
> dovecot's own storage system can do something in between - packing
> smallest messages by a few in one file.
>
>> could lead to inode (or whatever your *nix of choice calls it)
>> depletion.
> you decide how much inode you need while creating filesystem on every
> unix system, except filesystems where it is allocated on demand.

Yes, as I noted, I haven't seen this. But it could be an annoyance depending on how things were created and when. I don't believe all file systems can do allocation on demand. I don't know.

>
> as of latter discussion about what microsoft recommends with linux
> (being of course expert of everything) - i would keep silent.
>

The only reason I know what they recommend is it came up on several sites that described how to setup the service principals. I read something recently on Samba lists that explains why this may be their recommendation. The funny thing is, it really isn't any different than on their systems unless they think that because it is their system the keytab is some how miraculously going to stay more secure than it would on other systems.

Sorry if I seemed like I was claiming to be some super expert. I just had a lot of help to pull things together. If he was struggling to find things, I would like to help.

Trever
--
"Fairy tales are more than true; not because they tell us that dragons exist, but because they tell us that dragons can be beaten." -- G.K. Chesterton
Re: [Dovecot] Virtual users - what is better Maildir or mbox?
> b) Make sure your local samba setup is joined to the domain. Make sure
> it writes an appropriate krb5.keytab (/etc/krb5.keytab in my setup) as
> part of its password management, etc.
>
> net ads keytab add smtp/mail_server_fqdn
> net ads keytab add imap/mail_server_fqdn
>
>
> You may have to edit the sam.ldb on your S4 server as many times S3
> doesn't create the principals ( /usr/local/samba/bin/ldbedit -H
> /usr/local/samba/private/sam.ldb sAMAccountName=mailserverhostname$
> should do the trick and add userPrincipalName so that it has
> imap/MAILSERVER_FQDN and smtp/MAILSERVER_FQDN, each being its own
> userPrincipalName, this should give the machine account 3
> userPrincipalName lines)

Sorry to anyone who was following what I wrote. I made a mistake. This should NOT be userPrincipalName, it should be servicePrincipalName. (There should already be 1 or 2 such lines that says HOST/host or HOST/host.fqdn)

Trever
Re: [Dovecot] Virtual users - what is better Maildir or mbox?
On 06/25/2012 01:52 AM, Kaya Saman wrote:
> On Mon, Jun 25, 2012 at 8:37 AM, Trever L. Adams wrote:
>> On 06/25/2012 01:20 AM, Kaya Saman wrote:
>>
>> Now what I would like to know is, which is better for "virtual
>> hosting" Maildir or mbox?
>>
>>
>> Basically my requirement is that I would like to separate users via
>> either individual folders and then put each user's mbox or Maildir in
>> the created directory, or simply name each mbox or Maildir according
>> to the user name.
>>
>>
>> First up is this possible?
>>
>>
>> Secondly, how would I go about doing it?
>>
>> Sorry, I missed this at first. It is quite simple. I don't store it in
>> passwd or any other place, since you are doing vmail, you might find this
>> easiest:
>>
>> in /etc/dovecot/conf.d/10-mail.conf (where mail_location is):
>>
>> mail_home = /home/vmail/%Ld/%Ln
>> mail_location = maildir:~/Maildir
>>
>> in /etc/dovecot/conf.d/10-mail.conf (after paragraph “# System user and
>> group used to access mails...”):
>>
>> mail_uid=vmail
>> mail_gid=vmail
>>
>> Obviously, vmail may not be your user for vmail. Also, some of my notes may
>> no longer be accurate for location, just find where it exists and edit.
>>
>> I hope this helps. Of course, this is a Maildir setup. mbox is probably very
>> similar, but I have had too many mbox style mail queues go south losing all
>> of the mail (or more than one would like), so I do Maildir, even though it
>> isn't necessarily the best use of disk space.
>>
>> Trever
>> --
>> "I do not fear computers. I fear the lack of them." -- Isaac Asimov
> Thanks for the responses!
>
> Sorry if I reply to every single one in this email however, I am using
> Gmail's awful Web UI so I don't really have much control over what I'm
> doing..
>
>
> To start with the reason I'm not using LDAP is because I couldn't find
> enough information on how to set it up! I did post here a couple of
> times but got no responses.. so I figured it was something that
> people either didn't know or found trivial.

Sorry, I missed these. I have been busy. Tim and others were very kind and helped me figure things out. I do not have any web sites where I can post things, so I will give an overview here and if you need help, either follow up privately or here.

>
> I'll take a look at the above config for Maildir format as briefly
> playing around with mbox it seems that folders on the / root (parent)
> IMAP directory are stored separately. It may be better if everything
> got stored under the Maildir heading I've previously **only** ever
> worked with Maildir but I was told that there are some benefits to
> mbox which is why I decided to try to use it here!
>
> Regards,
>
>
> Kaya
>

The only draw back I see with maildir is one file per message. This makes it resilient to corruption that mbox sees (if a message gets corrupted, you erase one message and that corruption won't propagate even if you leave it in place). In many setups this also leads to MUCH faster system. On unix systems this doesn't just waste disk space, it could lead to inode (or whatever your *nix of choice calls it) depletion. I haven't yet seen this in my setups. I archive most of my personal mail, so I have at least some of my mail going back to 1998, I think.

Kerberos Directions:

Microsoft suggests on linux systems that you create an account (separate from the HOST account) and add the appropriate user principal names. There are pros and cons to this, their way is a and doing it as part of the host account is b.

a) On S4 dc (replace MAILSERVER_HOST and MAILSERVER_FQDN with host and host.example.org, in lowercase as I use the caps only to help me see what I need to change, respectively as fits your domain - i.e. not example.org and create some long random password and put it wherever you see $RANDOMPASSWORD) :

/usr/local/samba/sbin/samba-tool newuser mail-MAILSERVER_HOST
/usr/local/samba/sbin/samba-tool spn add imap/MAILSERVER_FQDN mail-MAILSERVER_HOST
/usr/local/samba/sbin/samba-tool spn add smtp/MAILSERVER_FQDN mail-MAILSERVER_HOST
/root/samba-master/source4/scripting/bin/ktpass.sh --out /tmp/mail.keytab --princ smtp/MAILSERVER_FQDN --path-to-ldbsearch /usr/local/samba/bin/ --pass $RANDOMPASSWORD
/root/samba-master/source4/scripting/bin/ktpass.sh --out /tmp/mail.keytab --princ imap/MAILSERVER_FQDN --path-to-ldbsearch /usr/local/samba/bin/ --pass $RANDOMPASSWORD
/root/samba-master/source4/scripting/bin/ktpass.sh --out /tmp/mail.keytab --princ mail-MAILSERVER_HOST --path-to-ldbsearch /usr/local/samba/bin/ --pass $RANDOMPASSWOR
Re: [Dovecot] Virtual users - what is better Maildir or mbox?
On 06/25/2012 01:20 AM, Kaya Saman wrote:
> Now what I would like to know is, which is better for "virtual
> hosting" Maildir or mbox?
>
>
> Basically my requirement is that I would like to separate users via
> either individual folders and then put each user's mbox or Maildir in
> the created directory, or simply name each mbox or Maildir according
> to the user name.
>
>
> First up is this possible?
>
>
> Secondly, how would I go about doing it?
>

Sorry, I missed this at first. It is quite simple. I don't store it in passwd or any other place, since you are doing vmail, you might find this easiest:

in /etc/dovecot/conf.d/10-mail.conf (where mail_location is):

mail_home = /home/vmail/%Ld/%Ln
mail_location = maildir:~/Maildir

in /etc/dovecot/conf.d/10-mail.conf (after paragraph “# System user and group used to access mails...”):

mail_uid=vmail
mail_gid=vmail

Obviously, vmail may not be your user for vmail. Also, some of my notes may no longer be accurate for location, just find where it exists and edit.

I hope this helps. Of course, this is a Maildir setup. mbox is probably very similar, but I have had too many mbox style mail queues go south losing all of the mail (or more than one would like), so I do Maildir, even though it isn't necessarily the best use of disk space.

Trever
--
"I do not fear computers. I fear the lack of them." -- Isaac Asimov
Re: [Dovecot] Virtual users - what is better Maildir or mbox?
On 06/25/2012 01:20 AM, Kaya Saman wrote:
> Hi,
>
> I'm trying to configure a server to use SAMBA and Winbind to
> authenticate to Active Directory I managed to get this portion up
> and running even the Dovecot portion.
>
> For reference something similar to this guide:
>
> http://www.whitneytechnologies.com/?p=119
>
>
> However PAM is slightly different:
>
>
> # cat /etc/pam.d/dovecot
> authsufficient pam_krb5.so no_user_check validate
> account sufficient pam_permit.so
>
>
> This is what my dovecot.conf file looks like:

If you are using Samba 4 (possibly recent versions of S3), any reason you are not doing krb5 and ldap (for account verification, not authentication) on dovecot instead of through pam? It is a bit harder to setup, but no text passwords. I still do pam_krb5 for devices that cannot do kerberos.

I am using Maildir, but my setup is currently largely idle.

Trever
--
"Marxist Law of Distribution of Wealth: Shortages will be divided equally among the peasants." -- Unknown
Re: [Dovecot] Problems since upgrading to 2.1.6 from 2.0.20
On 06/07/2012 12:05 AM, Trever L. Adams wrote:
> Hello Everyone,
>
> I saw the text about the change and needing to define an inbox namespace.
> Everything seems to work fine except doveadm. I get the following from a
> cronjob that has worked well for years now.
>
> doveadm(acco...@example.com): Error: Syncing mailbox TRASH failed: Mailbox
> doesn't exist: TRASH
> doveadm(acco...@example.com): Error: Syncing mailbox TRASH failed: Mailbox
> doesn't exist: TRASH
> doveadm(acco...@example.com): Error: Syncing mailbox TRASH failed: Mailbox
> doesn't exist: TRASH
>
> The cronjob is:
>
> 1 4 * * * doveadm expunge -A mailbox TRASH SAVEDBEFORE 30D
>
>
> What is the problem? I have tried to find documentation and do searches for
> others having the same problem. I do not know if I am just missing something
> or what.
>
> Any help would be greatly appreciated.
>
> Thank you,
> Trever
>
>

Sorry everyone. Trash was the right name. This used to work. The other boxes I am seeing the problem on are created when used. I am sorry to have sounded an alarm.

Trever
--
"Advise your legislators, when they make laws for larceny, burglary, or any felony, to make the penalty applicable to work upon roads, public works, or any place where the culprit can be taught more wisdom and more virtue, and become more enlightened. Rigor and seclusion will never do as much to reform the propensities of men as reason and friendship." -- Joseph Smith, Jr.
[Dovecot] Problems since upgrading to 2.1.6 from 2.0.20
Hello Everyone,

I saw the text about the change and needing to define an inbox namespace. Everything seems to work fine except doveadm. I get the following from a cronjob that has worked well for years now.

doveadm(acco...@example.com): Error: Syncing mailbox TRASH failed: Mailbox doesn't exist: TRASH
doveadm(acco...@example.com): Error: Syncing mailbox TRASH failed: Mailbox doesn't exist: TRASH
doveadm(acco...@example.com): Error: Syncing mailbox TRASH failed: Mailbox doesn't exist: TRASH

The cronjob is:

1 4 * * * doveadm expunge -A mailbox TRASH SAVEDBEFORE 30D

What is the problem? I have tried to find documentation and do searches for others having the same problem. I do not know if I am just missing something or what.

Any help would be greatly appreciated.

Thank you,
Trever
Re: [Dovecot] Kerberos GSSAPI - proper item name in keytab
On 08/31/2011 10:30 AM, Nikolay Shopik wrote:
>
> Can you do kinit -k imap/imap/efim.test.lo...@romashka.lan and then
> klist, does it work for you?
>
> I do recommend tcpdump kerberos traffic between your client and
> server, this is usually helps me much better than any logging, flow
> easy to read in wireshark.
>

Under active directory, you cannot kinit as an SPN, only UPN (including MACHINE$ accounts). At least this is my experience.

Trever
--
"Selfishness is really self-destruction in slow motion." -— Elder Neal A. Maxwell - Ensign, May 1999, 23
Re: [Dovecot] Kerberos GSSAPI - proper item name in keytab
On 08/31/2011 07:35 AM, Stanislav Klinkov wrote:
>
>
>> and added the SPN for smtp using LDAP/setspn and used ktutil on the dovecot
>> host to add an entry to my keytab with the same key and kvno
> Sorry, I'm not sure in realizing what you mean. What is "LDAP/setspn"?
>
>

I have only followed part of this. If the original poster's problem is that the LDAP database is not being able to be accessed with an SPN ticket, this is because SPNs are not allowed to log in in AD. You need to use a user account (including MACHINE$ accounts). It took me forever to figure this out.

To use this, you need a cron job that creates/renews tickets from time to time for the user/machine account. Then you use Dovecot's environment setup configuration to set the KRB5_CC (or whatever it is called, my head is elsewhere) env variable to that Kerberos ticket cache that was created in the cronjob. This cache needs to be readable by dovecot and should be owned by its user.

Trever
--
First Law of System Requirements: "Anything is possible if you don't know what you're talking about..." -- Unknown
Re: [Dovecot] dovecot-antispam + spamassassin
On 07/24/2011 02:26 AM, Yann Leboulanger wrote:
> Hi,
>
> I recently saw this a branch [1] of your git repository when
> dovecot-antispam has support of spamassassin. Is it intentional to not
> add it to the official release?
>
> Are there any plan to officially support spamassassin?
>
> [1]
> http://www.freenux.org/cgi-bin/gitweb.cgi?p=dovecot-antispam.git;a=shortlog;h=refs/heads/spamassassin
>
> Thanks

That tree is ANCIENT! I believe Eugene's tree does contain spamassassin code.

Trever
--
"Selfishness is really self-destruction in slow motion." -— Elder Neal A. Maxwell - Ensign, May 1999, 23
[Dovecot] [SOLVED] Re: possible bug leading to lmtp crashes
On 06/07/2011 06:18 AM, Timo Sirainen wrote:
> O
> I don't see why that would matter, but I think this will help:
> http://hg.dovecot.org/dovecot-2.0/rev/c0734f08b3f3

Thank you, Timo. This did indeed fix the crash completely.

As a side note, World IPv6 day was a success with Dovecot here under heavy usage. The ONLY problem is ok in dual stack environments and that is that LDAP wouldn't connect with IPv6. It always used IPv4.

Thank you.

Trever
--
"A modest woman, dressed out in all her finery, is the most tremendous object in the whole creation." -- Goldsmith
Re: [Dovecot] possible bug leading to lmtp crashes
On 06/07/2011 06:18 AM, Timo Sirainen wrote:
> On Mon, 2011-06-06 at 22:57 -0600, Trever L. Adams wrote:
>>
>> Ok, I think I have figured out the cause, but not the problem in the
>> code. There were three machines TS, PP, ST. TS and ST had identical
>> configurations with auth_username_format = %Lu. PP had it = %u. PP
>> started crashing when I changed it to %Lu.
> I don't see why that would matter, but I think this will help:
> http://hg.dovecot.org/dovecot-2.0/rev/c0734f08b3f3
>

It may be too early to be certain, but in 13 hours I haven't seen a crash on any of the three machines. This indeed may have fixed it all. How strange that various things seemed to be the cause and ... well... weren't.

Thank you. I will let you know in about 2 days time if the fix was complete.

Again, thank you,
Trever
--
"Yesterday is gone. Tomorrow is too far for me. Today is what I have, and what I fight for." -- Unknown
Re: [Dovecot] possible bug leading to lmtp crashes
On 05/19/2011 07:20 AM, Trever L. Adams wrote:
>
> May 17 04:01:02 dovecot: auth: Panic: file ../../src/lib/array.h: line
> 189 (array_idx_i): assertion failed: (idx * array->element_size <
> array->buffer->used)
>
> This is usually repeated 2 or more times near a crash. On the machine
> that doesn't crash, I NEVER see this. On the machines that crash, there
> isn't (or doesn't seem to be) a 1:1 correlation. ** THERE IS A 1:1 FOUND
> LATER **
>
> Trever

Ok, I think I have figured out the cause, but not the problem in the code. There were three machines TS, PP, ST. TS and ST had identical configurations with auth_username_format = %Lu. PP had it = %u. PP started crashing when I changed it to %Lu.

As mentioned the kerberos/ldap setup is Samba4 here. PP had administrator and guest all lower case, ST had administrator but Guest. TS had Administrator and Guest. When I changed all auth_username_format=%u and ST Guest to guest (in userPrincipalName, I didn't mess with anything else), ST and PP stopped having any problems (at least for the last 6 hours even with things like the doveadm calls below which would always have at least one crash).

I just changed TS to be administrator and guest and did the doveadm and some other things. No crashes.

So, why is this the case when it will deliver (dovecot deliver) the email but will cause crashes sometimes? I do not know why. And logins work to imaps.

The doveadm:

    doveadm expunge -A mailbox TRASH savedbefore 30d
    doveadm expunge -A mailbox SPAM savedbefore 30d
    doveadm expunge -A mailbox SPAM savedbefore 2d SEEN
    doveadm expunge -A mailbox Dangerous savedbefore 1w
    doveadm expunge -A mailbox Infected savedbefore 1w

(complete backtraces of some things found at: https://bugzilla.redhat.com/show_bug.cgi?id=697325)

Thank you,
Trever Adams

--
"To fall in love is to create a religion that has a fallible god." -- JLB
Re: [Dovecot] possible bug leading to lmtp crashes
On 05/19/2011 07:20 AM, Trever L. Adams wrote:
>
> The assert:
>
> May 17 04:01:02 dovecot: auth: Panic: file ../../src/lib/array.h: line
> 189 (array_idx_i): assertion failed: (idx * array->element_size <
> array->buffer->used)
>
> This is usually repeated 2 or more times near a crash. On the machine
> that doesn't crash, I NEVER see this. On the machines that crash, there
> isn't (or doesn't seem to be) a 1:1 correlation.
>
> Trever

This bug still exists in Dovecot 2.0.13. I am sorry I had thought it was fixed. Again, two machines are crashing with the above message, the third doesn't.

Trever

--
"The only true happiness comes from squandering ourselves for a purpose." -- William Cowper
Re: [Dovecot] dovecot-antispam dependencies
On 05/22/2011 09:59 AM, Bradley Giesbrecht wrote:
>
> It would be nice to make a release of Eugene's dovecot-antispam-plugin so
> packages can be made.
>
> I can find no version or tag info at
> http://hg.dovecot.org/dovecot-antispam-plugin/.
>
> --
> Bradley Giesbrecht

Bradley,

Just use the latest versions of the files. It works fine (a long time of using it on three servers here, one of which sees thousands of emails every few hours). If you want a rpm spec, I have made one.

Trever

--
"millihelen, n.: The amount of beauty required to launch one ship." -- Unknown
Re: [Dovecot] dovecot-antispam dependencies
On 05/22/2011 01:21 AM, Sven Schwyn wrote:
> Hi
>
> There's currently a version block for the dovecot and dovecot-antispam
> packages in Gentoo. Dependencies indicate that dovecot-2.0.11 does not accept
> dovecot-antispam-1.3. Is this correct or should it work? If not: How about
> the current rc of version 1.4?
>
> Cheers, -sven

I believe you will find a much cleaned up version here: http://hg.dovecot.org/dovecot-antispam-plugin/

It will work. Thanks to Eugene for his work.

Trever

--
"Black holes are where God divided by zero." -- Unknown
Re: [Dovecot] possible bug leading to lmtp crashes
On 05/11/2011 06:27 AM, Timo Sirainen wrote:
>
> That patch only was supposed to make it crash elsewhere, not actually
> fix anything. :)
>
>

I just noticed that some asserts were matching the crash times on the different machines. What is strange, I just verified that other than the ldap setup (which only differs where needed for each domain) the configuration of all three machines match perfectly. The two that crash both hit the same assert, while the third does not. One that crashes has 384M, the other 2 have 512M. They are pretty much identical installs in every way.

The assert:

    May 17 04:01:02 dovecot: auth: Panic: file ../../src/lib/array.h: line 189 (array_idx_i): assertion failed: (idx * array->element_size < array->buffer->used)

This is usually repeated 2 or more times near a crash. On the machine that doesn't crash, I NEVER see this. On the machines that crash, there isn't (or doesn't seem to be) a 1:1 correlation.

Trever

--
"If destruction be our lot, we must ourselves be its author and finisher. As a nation of freemen, we must live through all time or die by suicide." -- Abraham Lincoln
Re: [Dovecot] possible bug leading to lmtp crashes
On 05/11/2011 06:27 AM, Timo Sirainen wrote:
>
> That patch only was supposed to make it crash elsewhere, not actually
> fix anything. :)

Yes, that is what I thought. Funny thing is, in 24 hours, it used to crash a dozen times or more, on two of the three machines (the other was much slower). I do not have any asserts in /var/log/maillog that aren't "normal" also, no new crashes.

I will keep letting it run.

Thank you,
Trever

--
"Science helps a lot, but people built perfectly good brick walls long before they knew why cement works." -- Alan Cox
Re: [Dovecot] possible bug leading to lmtp crashes
On 05/09/2011 10:19 AM, Timo Sirainen wrote:
>
> I wonder if it crashes earlier with this patch?
> http://hg.dovecot.org/dovecot-2.0/rev/3ada82147977
>

Thank you, Timo. I think this may have indeed fixed it. I would like to wait a day or two more before saying definitively, but so far it looks like it has fixed the problem. It also seems to have solved another crash you asked me to duplicate and provide a backtrace for (which I was unable to do).

Trever

--
"If a revolution destroys a systematic government, but the systematic patterns of thought that produced that government are left intact, then those patterns will repeat themselves in the succeeding government." -- Robert M. Pirsig
Re: [Dovecot] possible bug leading to lmtp crashes
On 04/26/2011 05:00 PM, Timo Sirainen wrote:
> On 26.4.2011, at 20.12, Trever L. Adams wrote:
>
>> I am finding it interesting that abrt seems to say that environment is
>> empty/corrupted. I am attaching more backtraces to the Fedora bug
>> (https://bugzilla.redhat.com/show_bug.cgi?id=697325).
> I think this is a generic bug in LDAP code when using SASL authentication. It
> just shouldn't be crashing here:
>
>> #6 db_ldap_request_queue_next (conn=0x1c6ed90) at db-ldap.c:343
> That code around it looks a bit weird.. I'll look at it closer tomorrow.
>
>

By chance were you able to isolate and fix this bug?

Thank you,
Trever

--
"Women reason with the heart and are much less often wrong than men who reason with the head." -- DeLescure
Re: [Dovecot] possible bug leading to lmtp crashes
On 04/25/2011 09:12 AM, Trever L. Adams wrote:
>
> As I look at the code in the hg reference above, I think there is a bug.
> If HOME should be preserved as first, and some of these others may be
> critical to proper operation, they should be preserved automatically, no
> matter what the configuration says. This seems to be contrary to the
> code and to the top of the page (commit comment?).
>
> So, based on the code, I think HOME, USER, TZ should always be
> preserved. Depending on system compilation (according to ifdefs), GDB,
> LISTEN_PIDS and LISTEN_FDS should also be preserved. Is this what is
> causing my crash? I am still experimenting.
>
> I have three systems doing this. Two were Fedora 15 current and one
> Fedora 14 current. I have upgraded F14 to F15 to help remove variability.
>
> Trever

Sorry for responding to my own posts. Neither of the following fix it:

    import_environment = HOME USER TZ KRB5CCNAME=/etc/dovecot/krb5.cc LISTEN_FDS LISTEN_PIDS GDB
    import_environment = KRB5CCNAME=/etc/dovecot/krb5.cc

I am finding it interesting that abrt seems to say that environment is empty/corrupted. I am attaching more backtraces to the Fedora bug (https://bugzilla.redhat.com/show_bug.cgi?id=697325).

It should be noted that machines with more memory pressure crash more often.

Thank you for any help,
Trever

--
"All this technology has somehow made you a stranger in your own land." -- Robert M. Pirsig
Re: [Dovecot] possible bug leading to lmtp crashes
On 04/20/2011 05:59 AM, Trever L. Adams wrote:
> I have been using Samba 4 kerberos and ldap with dovecot. Samba 4
> changed a while back (resulting in me asking for help) which requires
> kerberos auth for ldap lookups. My setup worked perfectly before hand.
> Before and after were with dovecot-2.0.11 and the after also happens
> with 2.0.11.
>
> The only changes were (in my ldap.conf for dovecot -- changes are new
> lines starting with *, * is not in the conf, just showing changes):
>
> Reference: http://hg.dovecot.org/dovecot-2.0/rev/cec7fa92ff48
> Reference: https://bugzilla.redhat.com/show_bug.cgi?id=697325 (backtrace
> via abrtd is included here)

As I look at the code in the hg reference above, I think there is a bug. If HOME should be preserved as first, and some of these others may be critical to proper operation, they should be preserved automatically, no matter what the configuration says. This seems to be contrary to the code and to the top of the page (commit comment?).

So, based on the code, I think HOME, USER, TZ should always be preserved. Depending on system compilation (according to ifdefs), GDB, LISTEN_PIDS and LISTEN_FDS should also be preserved. Is this what is causing my crash? I am still experimenting.

I have three systems doing this. Two were Fedora 15 current and one Fedora 14 current. I have upgraded F14 to F15 to help remove variability.

Trever

--
Legal Warning: Anyone sending me unsolicited/commercial email WILL be charged a $100 proof-reading fee. See US Code Title 47, Sec.227(a)(2)(B), Sec.227(b)(1)(C) and Sec.227(b)(3)(C).
[Dovecot] possible bug leading to lmtp crashes
I have been using Samba 4 kerberos and ldap with dovecot. Samba 4 changed a while back (resulting in me asking for help) which requires kerberos auth for ldap lookups. My setup worked perfectly before hand. Before and after were with dovecot-2.0.11 and the after also happens with 2.0.11. The only changes were (in my ldap.conf for dovecot -- changes are new lines starting with *, * is not in the conf, just showing changes): hosts = example.org base = dc=example,dc=org ldap_version = 3 user_attrs = userPrincipalName=user user_filter = (&(objectClass=person)(|(mail=%u)(sAMAccountName=%u)(userPrincipalName=%u))) *dn = MACHINEACCOUNT$@EXAMPLE.ORG *sasl_bind = yes *sasl_mech = GSSAPI *sasl_realm = EXAMPLE.ORG *#sasl_authz_id = MACHINEACCOUNT$@EXAMPE.ORG # For using doveadm -A: iterate_attrs = userPrincipalName=user iterate_filter = (objectClass=person) in dovecot.conf: import_environment = TZ KRB5CCNAME=/etc/dovecot/krb5.cc With that do any of the following lines from the referenced hg rev set mean I am missing anything on my import_environment variable? Or is it all good? 10.15 +/* */ 10.16 +#ifdef HAVE_SYSTEMD 10.17 +# define ENV_SYSTEMD " LISTEN_PID LISTEN_FDS" 10.18 +#else 10.19 +# define ENV_SYSTEMD "" 10.20 +#endif 10.21 +#ifdef DEBUG 10.22 +# define ENV_GDB " GDB" 10.23 +#else 10.24 +# define ENV_GDB "" 10.25 +#endif 10.26 +/* */ 10.27 + 10.28 static const struct master_settings master_default_settings = { 10.29 .base_dir = PKG_RUNDIR, 10.30 .libexec_dir = PKG_LIBEXECDIR, 10.31 + .import_environment = "TZ" ENV_SYSTEMD ENV_GDB, If I am not missing anything, then there seems to be a problem with kerberos sasl with ldap lookups. Thank you, Trever Adams Reference: http://hg.dovecot.org/dovecot-2.0/rev/cec7fa92ff48 Reference: https://bugzilla.redhat.com/show_bug.cgi?id=697325 (backtrace via abrtd is included here) -- "Avert misunderstanding by calm, poise, and balance." -- Unknown signature.asc Description: OpenPGP digital signature
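Review bot: the default at 10.31, `.import_environment = "TZ" ENV_SYSTEMD ENV_GDB`, is only well-formed because ENV_SYSTEMD and ENV_GDB each start with a space inside the string literal (10.17, 10.22); that dependency is undocumented, and dropping the space in a later edit would silently yield a name like "TZLISTEN_PID". A one-line comment above the macros saying each value must begin with a separator would cover it. The hunk also gives no documentation of the resulting default: TZ is the only variable kept unconditionally, so anything else a service needs (the KRB5CCNAME discussed in this thread, for example) has to be listed by the administrator, and the setting's description should say so.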
Re: [Dovecot] LDAP and GSSAPI problems
On 02/09/2011 04:17 PM, Timo Sirainen wrote:
> On Sat, 2011-02-05 at 20:49 -0700, Trever L. Adams wrote:
>> Timo, is it possible for you to add that "import_environment
>> = KRB5_KTNAME=/etc/dovecot/krb5.keytab KRB5CCNAME=/etc/dovecot/krb5.cc"
> So you've tried that doing this via auth.sh script that sets those
> before calling dovecot/auth works?

Yes, this works. It was a difference in how Samba/Windows AD use/or don't use SPNs but allow UPNs that was causing the problem.

Can you push the patch that has DOVECOT_PRESERVER_ENVS into a stable release sometime soon? With documentation on the variables that used to be preserved and probably should be?

This is fantastic. Sorry for the long delay in my responses; I am very grateful.

Trever

--
"It was as true as taxes is. And nothing's truer than them." -- Charles Dickens (1812-70)
Re: [Dovecot] LDAP and GSSAPI problems
On 02/05/2011 09:40 PM, Jason Gunthorpe wrote:
> On Sat, Feb 05, 2011 at 08:49:21PM -0700, Trever L. Adams wrote:
>
>>> Isn't it called KRB5CCNAME?
>> Yes. Some things (Amanda, at least from the directions, I haven't done
>> it yet) actually still use service principals which are KRB5_KTNAME. For
>> credentials in most clients, yes, KRB5CCNAME and that does work.
> Amanda is doing what I described below internally. The keytab file
> contains kerberos shared secrets so Amanda uses that to get a TGT. You
> can't use kerberos without a TGT. The fact it is using a SPN or UPN
> shared secret doesn't matter at the client.

Great to know. Thank you.

>> Yes, this refresh is EXACTLY what I have been trying to avoid with
>> service principals. I am starting to wish that Samba 4 supported SASL
>> CRAM-MD5 or something so that I could just use that; no refresh.
> Put the kinit -k line in a crontab. That command gets a fresh TGT for
> the machine account.
>
> Service principals just avoid having to create a new UPN in MIT
> kerberos. In AD kerberos a SPN cannot get a TGT so that is
> undoable. The machine account works in very similarly to how a SPN
> would be used in MIT kerberos except that it is a UPN at the
> KDC. Samba writes a keytab entry for the machine account that
> contains the shared secret which lets kinit -k work.

Ok, I had to use SPNs for part of the setup. I am now using the UPN they run under for my tests and everything seems to work ok. I cannot test it directly in Dovecot as the Linux distro I am using doesn't have the Postfix counterpart needed just yet, but the kinit -k works from the keytab I have set up. Hopefully I can test that soon.

>> Thank you for all your input. I am afraid this is the same problem I am
>> going to hit with Postfix (it does a similar setup to Dovecot, I am just
>> not running the recent version yet that supports it).
> Yes. Same answer, run it pointing to the same CC cache you setup for
> dovecot.
>
> Be aware that both the keytab and the credential cache are 'password
> equivalents' and must be protected.
>
> Jason

Yes, I was aware of this. Thank you very much for the reminder.

So, all this time I just needed to be able to set an environment variable and since Samba and AD don't allow you to login using SPNs, just use the UPN I had the SPNs under for this CC setup.

Thank you,
Trever Adams

--
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -- Benjamin Franklin
Re: [Dovecot] LDAP and GSSAPI problems
This is very good. A safe default (no import_environment) maybe TZ USER and HOME. Just to maintain functionality if people don't set this up.

-Original message-
From: Timo Sirainen
To: Dovecot Mailing List
Cc: "Trever L. Adams"
Sent: Wed, Feb 9, 2011 23:55:06 GMT+00:00
Subject: Re: [Dovecot] LDAP and GSSAPI problems

On Thu, 2011-02-10 at 01:17 +0200, Timo Sirainen wrote:
> (does this really need to be set over and over or can the master process
> set it and have the environment inherited... it has been a long time
> since I did any coding related to environment variables across forks,
> etc.)?

Environment is inherited, but Dovecot explicitly clears it at the startup of each process, so any unnecessary stuff gets dropped out. But it would be possible to add e.g. DOVECOT_PRESERVE_ENVS that lists which environment variables should be preserved.

http://hg.dovecot.org/dovecot-2.0/rev/cec7fa92ff48
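Pulling together the two messages above (Jason's advice to run `kinit -k` from cron and to treat the keytab and credential cache as password equivalents, and the `KRB5CCNAME` import that lets Dovecot's auth process find that cache), here is an added example that is not part of the original thread. The file paths and the `MACHINEACCOUNT$@EXAMPLE.ORG` placeholder come from the thread; the script path, the cron interval, the function names and the assumption that cron runs it as the account used by dovecot/auth are mine, and the `kinit` options are those of MIT Kerberos.

```shell
#!/bin/sh
# Added example, not from the thread: refresh the Kerberos credential cache
# that Dovecot's LDAP lookups use, and refuse to run when the keytab or the
# cache is accessible to anyone but its owner.
#
# Dovecot side (setting quoted in the thread):
#   import_environment = TZ KRB5CCNAME=/etc/dovecot/krb5.cc
# Crontab of the account running dovecot/auth (script path and interval are
# hypothetical; keep the interval shorter than the ticket lifetime):
#   0 */4 * * * /usr/local/sbin/dovecot-krb-refresh.sh --refresh

KEYTAB=${KEYTAB:-/etc/dovecot/krb5.keytab}              # path from the thread
CCACHE=${CCACHE:-/etc/dovecot/krb5.cc}                  # path from the thread
PRINCIPAL=${PRINCIPAL:-'MACHINEACCOUNT$@EXAMPLE.ORG'}   # placeholder from the thread

# owner_only FILE: succeed only for a regular, non-symlink file whose mode
# grants nothing to group or other (for example 0600 or 0400).
owner_only() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    case "$(ls -ld -- "$1")" in
        -???------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# refresh_ccache: get a fresh TGT from the keytab into a private temporary
# cache, then rename it over the live cache so readers never see a partial file.
# Return codes: 0 ok, 2 keytab unsafe, 3 existing cache unsafe, 4 kinit failed.
refresh_ccache() {
    if ! owner_only "$KEYTAB"; then
        echo "refusing: $KEYTAB is missing or open to group/other" >&2
        return 2
    fi
    if [ -e "$CCACHE" ] && ! owner_only "$CCACHE"; then
        echo "refusing: $CCACHE is open to group/other" >&2
        return 3
    fi
    tmp="$CCACHE.new.$$"
    # umask 077 in a subshell: the new cache cannot be created with wider
    # permissions, and the caller's umask is left alone.
    if ( umask 077 && kinit -k -t "$KEYTAB" -c "FILE:$tmp" "$PRINCIPAL" ); then
        mv -f -- "$tmp" "$CCACHE"
    else
        rm -f -- "$tmp"
        echo "kinit failed for $PRINCIPAL" >&2
        return 4
    fi
}

# Only act when asked to, so the file can also be sourced for its functions.
if [ "${1:-}" = "--refresh" ]; then
    refresh_ccache
    exit $?
fi
```

A non-zero exit makes cron mail the refusal message, which is the signal that a permission change on the keytab or cache needs attention before LDAP binds start failing.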
Re: [Dovecot] LDAP and GSSAPI problems
On 02/05/2011 06:35 PM, Jason Gunthorpe wrote:
> On Fri, Feb 04, 2011 at 12:57:11PM -0700, Trever L. Adams wrote:
>> On 02/02/2011 04:17 PM, Timo Sirainen wrote:
>>> It does set that, but only on first GSSAPI authentication. I guess it
>>> wouldn't hurt moving it to do it always. If that script helps you, I can
>>> do this change.
>> It appears that the script you recommended doesn't do the trick. Does
>> /usr/libexec/dovecot/auth clear the environment. Even doing it manually
>> from the command line the openldap stuff doesn't seem to pick up the
>> KRB5_KTNAME environment variable.
> Isn't it called KRB5CCNAME?

Yes. Some things (Amanda, at least from the directions, I haven't done it yet) actually still use service principals which are KRB5_KTNAME. For credentials in most clients, yes, KRB5CCNAME and that does work.

> Presumably if dovecot has SASL setup properly for Openldap then it
> will work just fine if KRB5CCNAME is properly exported to it.
>
> However! Be aware that the TGT must be refreshed periodically, that
> is just how kerberos works.

Yes, this refresh is EXACTLY what I have been trying to avoid with service principals. I am starting to wish that Samba 4 supported SASL CRAM-MD5 or something so that I could just use that; no refresh.

>> I can kinit on the command line and get auth to work, but the kinit
>> doesn't hold over to the dovecot process (for good reasons I am sure).
>
> The *ideal* world would be if dovecot supported an in-memory ticket
> cache that it stored a TGT for a given UPN that it initializes using a
> given keytab. This is what samba does internally and realistically is
> required to use kerberos as a client.

I would prefer an SPN if it were at all possible. On reading that again, I think we are saying about the same thing. This would be fantastic. Heck, if I knew how to do that manually I could just script it, but, being new to Kerberos and LDAP I am missing a lot as I read the documentation, I am sure.

> IMHO, doing ldap without kerb is kinda sketchy unless you completely
> trust your network - it is easy to spoof ldap replies, kerb fixes
> that and has low overhead compared to ssl.
>
> Jason

Yes, this is exactly the reasons I am trying to get there. The problem is the refresh. Somehow I need to get around having to refresh the CC or use a keytab with SPNs.

Thank you for all your input. I am afraid this is the same problem I am going to hit with Postfix (it does a similar setup to Dovecot, I am just not running the recent version yet that supports it).

Timo, is it possible for you to add that "import_environment = KRB5_KTNAME=/etc/dovecot/krb5.keytab KRB5CCNAME=/etc/dovecot/krb5.cc" (does this really need to be set over and over or can the master process set it and have the environment inherited... it has been a long time since I did any coding related to environment variables across forks, etc.)? This will solve all the problems (whether keytab or credentialcache) other than the fact that OpenLDAP as a client won't work with a keytab (SPN) and that Kerberos will require a refresh of the credential cache.

Thank you Jason and Timo for helping me find a good solution,
Trever

--
"All that is necessary for the triumph of evil is that enough good men do nothing." -- Edmund Burke
Re: [Dovecot] Samba AD and Dovecot
Thank you Jason for your answer. This has helped a great deal. I haven't even gotten to the step of SSH yet. That will help me greatly.

On 02/05/2011 06:53 PM, Jason Gunthorpe wrote:
>
> 5) Setup dovecot..
>
> Set these things in the config
>
> auth_use_winbind = yes
>
> mechanisms = plain gssapi gss-spnego login ntlm

Ok, I do this step differently as I use gssapi directly and not with winbind.

> 6) Setup exim..
>
>

I use postfix instead of exim. How do you know what user is valid and what isn't in exim. I don't see any LDAP. I use LDAP (both postfix and dovecot deliver... I have to use LDAP for the aliases to be setup the way they have been requested). I also don't see any mention of any other user database.

> 7) Setup openssh
>
> in sshd_config
>
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes
> GSSAPIStrictAcceptorCheck yes
>
> Jason

Thank you much.

Trever
Re: [Dovecot] LDAP and GSSAPI problems
On 02/02/2011 04:17 PM, Timo Sirainen wrote:
>
> It does set that, but only on first GSSAPI authentication. I guess it
> wouldn't hurt moving it to do it always. If that script helps you, I can
> do this change.

It appears that the script you recommended doesn't do the trick. Does /usr/libexec/dovecot/auth clear the environment? Even doing it manually from the command line the openldap stuff doesn't seem to pick up the KRB5_KTNAME environment variable.

I can kinit on the command line and get auth to work, but the kinit doesn't hold over to the dovecot process (for good reasons I am sure).

Somehow this needs to be fixed so that GSSAPI through SASL will work. I am not sure where to go from here as I am learning LDAP as I mess with this stuff.

Is there anyone on the list who has any ideas? (I would prefer this be service principals as well, if possible.)

Thank you,
Trever Adams

--
"All this technology has somehow made you a stranger in your own land." -- Robert M. Pirsig
Re: [Dovecot] LDAP and GSSAPI problems
On 02/02/2011 02:38 PM, Timo Sirainen wrote:
> On Wed, 2011-02-02 at 14:29 -0700, Trever L. Adams wrote:
>> dn = smtp/mailhost.example@example.org
>> sasl_bind = yes
>> sasl_mech = GSSAPI
>> sasl_realm = EXAMPLE.ORG
>> sasl_authz_id = smtp/mailhost.example@example.org
> LDAP SASL authentication goes through Cyrus SASL library, nothing
> Dovecot can do about it, except for me to write my own LDAP library.

Ok. I can understand that.

>> Additionally, I have "auth_krb5_keytab = /etc/dovecot/krb5.keytab" setup
>> for the GSSAPI user login.
> So this setting is never used. If that's the problem, you could try if
> you can work around it in a bit kludgy way:
>
> service auth {
>   executable = /usr/local/bin/auth-wrapper.sh
> }
>
> Which contains:
>
> #!/bin/sh
> export KRB5_KTNAME=/etc/dovecot/krb5.keytab
> exec /usr/local/libexec/dovecot/auth -k

I thought I saw a patch on the mailing list in 2007 that set KRB5_KTNAME if auth_krb5_keytab was set in the configuration. I guess it was either ntlm specific or was not accepted.

Postfix (the other half of my solution -- though the version I am using doesn't do SASL LDAP yet, but 2.9.x does) allows you, in the configuration, to set what environment variables it should not unset and even define new ones (an example -- import_environment = KRB5_KTNAME=/etc/dovecot/krb5.keytab). This may be a good solution for Dovecot specifically for things like this. I would rather not have to run bash or any other shell just to set the environment variable. I will for the time being.

Thank you, as always,
Trever
[Dovecot] LDAP and GSSAPI problems
This is a continuation of a problem I have been having. Samba 4 has recently changed to require binds. I need LDAP to verify users exist. I am using Kerberos (GSSAPI) as the passdb. Samba can handle GSSAPI/Kerberos SASL binds.

I have the following in my dovecot-ldap setup for userdb:

    dn = smtp/mailhost.example@example.org
    sasl_bind = yes
    sasl_mech = GSSAPI
    sasl_realm = EXAMPLE.ORG
    sasl_authz_id = smtp/mailhost.example@example.org

Which gives me the following error.

    Debug: ldap(trever): user search: base=dc=example,dc=org scope=subtree filter=(&(objectClass=person)(|(mail=trever)(sAMAccountName=trever)(userPrincipalName=trever))) fields=userPrincipalName
    dovecot: auth: Error: LDAP: binding failed (dn smtp/mailhost.example@example.org): Local error, SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_97' not found)

Additionally, I have "auth_krb5_keytab = /etc/dovecot/krb5.keytab" setup for the GSSAPI user login. The credential cache should be that file should it not? If not, how do I go about setting that up so that it will work.

Thank you,
Trever

--
"The only true happiness comes from squandering ourselves for a purpose." -- William Cowper
Re: [Dovecot] LDAP binds
On 12/30/2010 02:55 AM, Timo Sirainen wrote:
>
> So you're only talking about using ldap for userdb? Can't you just set
> dn and dnpass to whatever user (that has access to list all users)?
>

Correct, ldap only for userdb. I found some old documentation that used "bind" and "bind_pw" I think it was. That didn't work. I was just going through some of my old dovecot ml stuff that I have saved. I just found the dn and dnpass you mention (it doesn't seem to be in the documentation, btw). I will likely not be able to try it out until tomorrow.

This is in an AD setup (Samba4). Do you or anyone else know if I need to use a special port and whether ssl or tls (S4 no longer allows anonymous binds and I want to make sure this is as secure as possible)?

Thank you,
Trever Adams

--
"I am not sure what this is, but an `F' would only dignify it." -- English Professor
[Dovecot] LDAP binds
I am using 2.0.8. Anonymous binds are no longer supported in the environment I am using. I need to change my userdb ldap setup to bind. I believe the ldap server does Kerberos (or can) authentication.

My users are authenticating using Kerberos or Kerberos/PAM. This needs to stay in place.

Can anyone suggest how I might go about changing my setup to work? My current ldap setup is as follows (the directories, user id, etc are set statically in the configuration elsewhere):

    tls = yes
    hosts = MAILSERVER
    base = dc=middleearth,dc=sapphiresunday,dc=org
    ldap_version = 3
    user_attrs = userPrincipalName=user
    user_filter = (&(objectClass=person)(|(mail=%u)(sAMAccountName=%u)(userPrincipalName=%u)))
    # For using doveadm -A:
    iterate_attrs = userPrincipalName=user
    iterate_filter = (objectClass=person)

Thank you,
Trever Adams

--
"Seize the day, put no trust in the morrow!" -- Quintus Horatius Flaccus (Horace)
Re: [Dovecot] dovecot-antispam-plugin for dovecot-2.0
On 11/17/2010 10:19 AM, Antonio Perez-Aranda wrote:
> I'm migrating a customized dovecot-antispam-plugin from
> dovecot-antispam-plugin-1.3 which doesn't run in dovecot-2.0
>
> Is anybody using dovecot-antispam-plugin adapted to 2.0 from
> mercurial on a production system?
>
> This is the adapted version to dovecot 2.0
> http://hg.dovecot.org/dovecot-antispam-plugin/
>

I use it with DSPAM. It works wonderfully. It actually solved a problem or two (requiring workarounds) I was having with the original. Eugene (I hope I have his name right) did a fantastic job and did it quickly.

Do make sure you read the information about configuration changes. There are a few VERY important ones.

Trever

--
"The era of setting this up as a competition between Apple and Microsoft is over, as far as I'm concerned." -- S. Jobs
Re: [Dovecot] anti-spam+anti-malware suggestions
On 10/21/2010 07:37 AM, Fabricio Archanjo wrote:
> Does someone run dspam or just me??
> I like very much this antispam solution.
>

I use it with Eugene's port/fork of dovecot-antispam to dovecot 2.0. I use it with amavisd. I use postfix in the mix. On machines where people don't care about dangerous file extensions and rewrapping virus containing emails instead of just erasing them, I will use clamav-milter.

I find it works VERY well.

Trever

--
"Yesterday is gone. Tomorrow is too far for me. Today is what I have, and what I fight for." -- Unknown
Re: [Dovecot] gssapi problems (postfix sasl through dovecot, dovecot imap working fine)
On 10/19/2010 07:56 AM, Trever L. Adams wrote:
> On 10/19/2010 06:16 AM, Trever L. Adams wrote:
>> Samba4 doesn't automatically set the userPrincipalName to
>> imap/f.q@realm or smtp/f.q@realm when setting up an SPN. This
>> was the problem. For some reason it works fine for imap but not smtp.
>>
>> I have reported this as a possible bug to Samba4. I am documenting it
>> here in case someone else has problems.
>>
>> Trever
>

Ok, so it is documented for others. It appears that it is a "bug" in Thunderbird due to the windows PAC in the kerberos ticket. Assuming you have followed instructions elsewhere and userPrincipalName is set properly in the AD, make sure you have the right line_length_limit for postfix.

If you are using dovecot sasl with postfix and are using Thunderbird in Windows (part of an AD domain) and using smtp kerberos authentication, make sure you have

    line_length_limit = 2176

in postfix's main.cf.

Thanks to Wietse for his help.

Trever

--
"It is difficult to legislate morality in the absence of moral legislators." -- Unknown
Re: [Dovecot] gssapi problems (postfix sasl through dovecot, dovecot imap working fine)
On 10/19/2010 06:16 AM, Trever L. Adams wrote:
>
> Samba4 doesn't automatically set the userPrincipalName to
> imap/f.q@realm or smtp/f.q@realm when setting up an SPN. This
> was the problem. For some reason it works fine for imap but not smtp.
>
> I have reported this as a possible bug to Samba4. I am documenting it
> here in case someone else has problems.
>
> Trever

Unfortunately this only fixes Linux. It seems that Windows is sending larger Kerberos tickets than Linux. I do not know if this is a postfix, dovecot or thunderbird bug. The fact it works in imap makes me think it is not dovecot, but I am still trying to figure things out.

For the time being, those wishing to follow this in the other software, I just sent a message to postfix mailing list with the subject: smtpd_chat_query, dovecot sasl, AD, Samba4.

Thanks,
Trever

--
"I'm all in favor of keeping dangerous weapons out of the hands of fools. Let's start with typewriters." -- Solomon Short
Re: [Dovecot] gssapi problems (postfix sasl through dovecot, dovecot imap working fine)
On 10/15/2010 09:50 PM, Trever L. Adams wrote:
> Thanks to Timo, I have solved all but one of my problems. For background,
> I am using Samba4 as an AD. I have the userdb working from LDAP
> just fine and kerberos authentication for dovecot's IMAP server working
> fine. The problem is using dovecot's SASL with postfix. I also have
> plain/login working in imap and smtp. Both use pam_krb5 through pam to
> authenticate clients that don't have kerberos, and for now smtp. When
> trying to do smtp kerberos, I get the following:
>
> postfix/smtpd[6197]: warning: CLIENT_FQDN[CLIENT_IP]: request longer
> than 2048: AUTH GSSAPI ...
> dovecot: auth: Debug: client in:
> AUTH#0111#011GSSAPI#011service=smtp#011nologin#011lip=SERVER_IP#011rip=CLIENT_IP#011secured#011resp=
> dovecot: auth: Debug: gssapi(?,CLIENT_IP): Obtaining credentials for
> s...@mailserver_fqdn
> dovecot: auth: gssapi(?,CLIENT_IP): While processing incoming data:
> Unspecified GSS failure. Minor code may provide more information
> dovecot: auth: gssapi(?,CLIENT_IP): While processing incoming data:
> Invalid message type
> postfix/smtpd[6197]: warning: CLIENT_FQDN[CLIENT_IP]: SASL GSSAPI
> authentication failed:
> dovecot: auth: Debug: client out: FAIL#0111
>
> # klist -k /etc/dovecot/krb5.keytab
> Keytab name: WRFILE:/etc/dovecot/krb5.keytab
> KVNO Principal
>
> --
>    2 imap/mailserver_f...@domain_realm
>    2 smtp/mailserver_f...@domain_realm
>
> The client is Thunderbird.
>
> Any help would be greatly appreciated. I have made sure that the file
> has proper permissions. I have regenerated the smtp cert making sure the
> password is accurate. I have done everything I know to try. The only
> thing that I am guessing remains is something is broken with Thunderbird's
> kerberos setup for smtp.
>
> Thank you very much,
> Trever
>

Samba4 doesn't automatically set the userPrincipalName to imap/f.q@realm or smtp/f.q@realm when setting up an SPN. This was the problem. For some reason it works fine for imap but not smtp.

I have reported this as a possible bug to Samba4. I am documenting it here in case someone else has problems.

Trever

--
"The amount of time between slipping on the peel and landing on the pavement is precisely 1 bananosecond." -- Unknown
[Dovecot] gssapi problems (postfix sasl through dovecot, dovecot imap working fine)
Thanks to Timo, I have solved all but one of my problems. For background, I am using Samba4 as an AD. I have the userdb working from LDAP just fine and kerberos authentication for dovecot's IMAP server working fine. The problem is using dovecot's SASL with postfix. I also have plain/login working in imap and smtp. Both use pam_krb5 through pam to authenticate clients that don't have kerberos, and for now smtp. When trying to do smtp kerberos, I get the following:

postfix/smtpd[6197]: warning: CLIENT_FQDN[CLIENT_IP]: request longer than 2048: AUTH GSSAPI ...
dovecot: auth: Debug: client in: AUTH#0111#011GSSAPI#011service=smtp#011nologin#011lip=SERVER_IP#011rip=CLIENT_IP#011secured#011resp=
dovecot: auth: Debug: gssapi(?,CLIENT_IP): Obtaining credentials for s...@mailserver_fqdn
dovecot: auth: gssapi(?,CLIENT_IP): While processing incoming data: Unspecified GSS failure. Minor code may provide more information
dovecot: auth: gssapi(?,CLIENT_IP): While processing incoming data: Invalid message type
postfix/smtpd[6197]: warning: CLIENT_FQDN[CLIENT_IP]: SASL GSSAPI authentication failed:
dovecot: auth: Debug: client out: FAIL#0111

# klist -k /etc/dovecot/krb5.keytab
Keytab name: WRFILE:/etc/dovecot/krb5.keytab
KVNO Principal
--
2 imap/mailserver_f...@domain_realm
2 smtp/mailserver_f...@domain_realm

The client is Thunderbird.

Any help would be greatly appreciated. I have made sure that the file has proper permissions. I have regenerated the smtp cert making sure the password is accurate. I have done everything I know to try. The only thing that I am guessing remains is something is broken with Thunderbird's kerberos setup for smtp.

Thank you very much,
Trever
Re: [Dovecot] Samba4 Active Directory and Doveadm
On 10/15/2010 07:46 AM, Timo Sirainen wrote:
> On Fri, 2010-10-15 at 07:17 -0600, Trever L. Adams wrote:
>
>> Fantastic. I am not. Postfix, is validating user existence. I read
>> somewhere I can turn off Dovecot LDA validation, but now I am unable to
>> find the page.
> http://wiki2.dovecot.org/UserDatabase/Static / allow_all_users
>
>>>>> Oct 15 05:48:06 TeaSet dovecot: master: Error: service(auth-worker):
>>>>> child 16375 killed with signal 11 (core dumps disabled)
>>> Can you get a gdb backtrace? First enable core dumps with "ulimit -c
>>> unlimited" and once you have core file see
>>> http://dovecot.org/bugreport.html
>> I am not sure this is necessary.
> A crash is a bug in any case that I'd like to fix. A good backtrace
> would make it easier for me to do that.

Alright, I will try to get that to you by Monday. I have to finish my messing with things until after business hours.

>> The problem seems to be in this
>> dovecot: auth: Debug: ldap(?): result: sAMAccountName(?unknown?)=
>>
>> I get that for all fields in the AD. It looks like I am going to have to
>> do a bind of some kind.
> You mean the "?unknown?" part? I think the problem here is that I hadn't
> thought that LDAP attributes are case-insensitive. You should have used
> sAMAccountName, not samaccountname in the iterate_attrs. But I suppose
> I'll need to fix this myself too.

That was the problem. It seems to have fixed the ldap problem. Below is the auth log.

TeaSet dovecot: auth: Debug: ldap: iterate: base=dc=snowyriver,dc=sapphiresunday,dc=org scope=subtree filter=(objectClass=person) fields=sAMAccountName
dovecot: auth: Debug: ldap(?): result: sAMAccountName(user)=SOME_USER1
dovecot: auth: Debug: ldap(?): result: sAMAccountName(user)=SOME_USER2
dovecot: auth: Debug: ldap(?): result: sAMAccountName(user)=...
dovecot: auth: Debug: master in: USER#0112#011root#011service=doveadm
dovecot: auth: Debug: passwd(root): lookup
dovecot: auth: Debug: master out: USER#0112#011root#011system_groups_user=root#011uid=0#011gid=0#011home=/root
dovecot: auth: Debug: master in: USER#0113#011bin#011service=doveadm
dovecot: auth: Debug: passwd(bin): lookup
dovecot: auth: Debug: master out: USER#0113#011bin#011system_groups_user=bin#011uid=1#011gid=1#011home=/bin

However, the problem is still there. I can't erase the root account. How do I use doveadm? I need the expunge command working. The below is why I wondered if the mail_uid and mail_gid were not being honored.

#doveadm search -A mailbox INBOX from VALID_FROM
doveadm(root): Error: user root: Invalid settings in userdb: userdb returned 0 as uid
doveadm(root): Error: User lookup failed: Invalid user settings. Refer to server log for more information.
doveadm(bin): Error: user bin: Couldn't drop privileges: Mail access for users with UID 1 not permitted (see first_valid_uid in config file).
doveadm(bin): Error: User init failed
doveadm: Error: Failed to iterate through some users

If I can fix this, I only have two problems left. If I have a auth_default_realm the plain/login users (smart phones and the like) cannot connect (via pam_krb5 kerberos method). Second, using dovecot auth with postfix, kerberos logins do not work. The plain/login do. I have been trying to figure out the FAIL code. I haven't been able to. I have the ticket in the right place, it has the right formats (imap one works from the same file). It has the right password.

dovecot: auth: Debug: auth client connected (pid=9022)
dovecot: auth: Debug: client in: AUTH#0#011GSSAPI#011service=smtp#011nologin#011lip=10.0.1.13#011rip=IP_ADDR#011secured#011resp=
dovecot: auth: Debug: gssapi(?,IP_ADDR): Obtaining credentials for s...@fqdn
dovecot: auth: gssapi(?,IP_ADDR): While processing incoming data: Unspecified GSS failure. Minor code may provide more information
dovecot: auth: gssapi(?,IP_ADDR): While processing incoming data: Invalid message type
postfix/smtpd[9022]: warning: CLIENT_FQDN[IP_ADDR]: SASL GSSAPI authentication failed:
dovecot: auth: Debug: client out: FAIL#0
postfix/smtpd[9022]: disconnect from CLIENT_FQDN[IP_ADDR]
postfix/smtpd[9022]: connect from CLIENT_FQDN[IP_ADDR]
postfix/smtpd[9022]: warning: CLIENT_FQDN[IP_ADDR]: request longer than 2048: AUTH GSSAPI AUTH_DATA
dovecot: auth: Debug: client in: AUTH#01112#011GSSAPI#011service=smtp#011nologin#011lip=10.0.1.13#011rip=IP_ADDR#011secured#011resp=
dovecot: auth: Debug: gssapi(?,IP_ADDR): Obtaining credentials for s...@fqdn
dovecot: auth: gssapi(?,IP_ADDR): While processing incoming data: Unspecified GSS failure. Minor code may provide more information
dovecot: auth: gssapi(?,IP_ADDR): While processing incoming data: Invalid message type
postfix/smtpd[9022]: warning: CLIENT_FQDN[IP_ADDR]: SASL GSSAPI authentication failed:
dovecot: auth: Debug: client out: FAIL#0
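An added example, not part of the original message and not Dovecot code: a Python check over auth debug lines like the ones in the message above. It decodes the `#011` tab escapes that syslog leaves in the `master out: USER` replies and flags the two conditions doveadm refuses (uid 0, or a uid below first_valid_uid), plus LDAP results logged as `?unknown?`. The sample lines are constructed from those in the thread, and the threshold of 500 is an assumption taken from the vmail uid mentioned there.

```python
import re

# syslog wrote the TAB that separates auth protocol fields as the escape "#011"
TAB_ESCAPE = "#011"

MASTER_OUT = re.compile(r"auth: Debug: master out: (.*)$")
LDAP_RESULT = re.compile(r"auth: Debug: ldap\([^)]*\): result: (\w+)\(([^)]*)\)=(.*)$")


def parse_master_out(line):
    """Return (request_id, username, fields) for a 'master out: USER' line, else None."""
    m = MASTER_OUT.search(line)
    if not m:
        return None
    parts = m.group(1).split(TAB_ESCAPE)
    if len(parts) < 3 or parts[0] != "USER":
        return None
    fields = {}
    for item in parts[3:]:
        key, _, value = item.partition("=")
        fields[key] = value
    return parts[1], parts[2], fields


def audit(lines, first_valid_uid=500):
    """Return a list of (subject, reason) findings, in log order.

    first_valid_uid=500 is an assumed threshold for this example; use the
    value from the server's own configuration.
    """
    findings = []
    for line in lines:
        reply = parse_master_out(line)
        if reply is not None:
            _, user, fields = reply
            uid = fields.get("uid", "")
            if not uid.isdigit():
                # No numeric uid in the reply: not flagged here, since the
                # global mail_uid setting would apply instead.
                continue
            if int(uid) == 0:
                findings.append((user, "uid-zero"))
            elif int(uid) < first_valid_uid:
                findings.append((user, "below-first-valid-uid"))
            continue
        m = LDAP_RESULT.search(line)
        if m and m.group(2) == "?unknown?":
            # The attribute came back from LDAP but was not mapped to a field,
            # as with the lowercase samaccountname in iterate_attrs.
            findings.append((m.group(1), "unmapped-attribute"))
    return findings


# Constructed sample, modelled on the log lines quoted in the thread.
SAMPLE_LOG = [
    "dovecot: auth: Debug: ldap(?): result: sAMAccountName(?unknown?)=",
    "dovecot: auth: Debug: ldap(?): result: sAMAccountName(user)=SOME_USER1",
    "dovecot: auth: Debug: master in: USER#0112#011root#011service=doveadm",
    "dovecot: auth: Debug: master out: USER#0112#011root#011system_groups_user=root"
    "#011uid=0#011gid=0#011home=/root",
    "dovecot: auth: Debug: master out: USER#0113#011bin#011system_groups_user=bin"
    "#011uid=1#011gid=1#011home=/bin",
    "dovecot: auth: Debug: master out: USER#0114#011SOME_USER1"
    "#011uid=500#011gid=500#011home=/home/vmail/example.org/SOME_USER1",
]

if __name__ == "__main__":
    for subject, reason in audit(SAMPLE_LOG):
        print(f"{subject}: {reason}")
```

Run against a real auth debug log before scheduling `doveadm expunge -A` from cron, so that system accounts appearing in the iteration are caught before the job starts failing.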
Re: [Dovecot] Samba4 Active Directory and Doveadm
On 10/15/2010 06:22 AM, Timo Sirainen wrote:
> On Fri, 2010-10-15 at 06:14 -0600, Trever L. Adams wrote:
>
>> Is there some global option like mail_location for homedirectory? That
>> is one I am not finding one with google or with grep in the configuration.
> That's exactly what the mail_home is. I don't know why it wouldn't work
> for you.

My apologies, I misread it as mail_location. I have fixed this. Thank you.

mail_home = /home/vmail/%d/%n
mail_location = maildir:~/Maildir

>>
>> I have done this as well. The problem with removing all of this is I use
>> Dovecot's deliver (LDA). It needs a way of finding which users do and do
>> not exist. Is there a better way to do this?
> Assuming you're not using auth_bind=yes with ldap, LDA can check the
> user's existence by doing a passdb lookup instead.

Fantastic. I am not. Postfix, is validating user existence. I read somewhere I can turn off Dovecot LDA validation, but now I am unable to find the page.

>> The only problem that is there is this: I need doveadm expunge -A. This
>> is where I am having the problem. I guess this doesn't use the user_
>> stuff. It uses the iterate_attrs right?
> Right.
>
>>> Oct 15 05:48:06 TeaSet dovecot: master: Error: service(auth-worker): child
>>> 16375 killed with signal 11 (core dumps disabled)
> Can you get a gdb backtrace? First enable core dumps with "ulimit -c
> unlimited" and once you have core file see
> http://dovecot.org/bugreport.html

I am not sure this is necessary. The problem seems to be in this

dovecot: auth: Debug: ldap(?): result: sAMAccountName(?unknown?)=

I get that for all fields in the AD. It looks like I am going to have to do a bind of some kind. I am having a heck of a time doing this. As I said, I am learning ldap as I am doing this. Samba4 (it seems) and Windows AD servers themselves do SASL authentication, but I am having a hard time getting this to work. If you wouldn't mind helping there:

dn = CN=SMTP-SERVICE-PRINCIPAL-USER,CN=Users,DC=example,DC=org
dnpass = correct password
sasl_bind = yes
sasl_mech = gssapi
sasl_realm = EXAMPLE.ORG

So, the user is the same as is in the AD for the service principal smtp/host. So, it already has a ticket. The rest of the ldap file is pretty much the same as before (with the modifications we have been talking about). With that I get:

auth: Error: LDAP: binding failed (dn CN=SMTP-SERVICE-PRINCIPAL-USER,CN=Users,DC=example,DC=org): Local error, SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied (Cannot determine realm for numeric host address)

I am thinking I should add gss-spnego to the mech, but haven't done so.

> Also:
>
>> iterate_attrs = uid=samaccountname
> this should be:
>
> iterate_attrs = samaccountname=user

Yes, that is working MUCH better. Still the problem with empty fields mentioned above is the killer.

Thank you,
Trever
Re: [Dovecot] Samba4 Active Directory and Doveadm
On 10/14/2010 11:07 AM, Timo Sirainen wrote:
>
> This can be alternatively done by putting to dovecot.conf:
>
> mail_home = /home/vmail/%d/%n

I actually have that as well.

> Don't put this here, rather just do it like everyone else:
>
> mail_location = maildir:~/
>
> But then again, you should also read
> http://wiki2.dovecot.org/VirtualUsers/Home

I have this as well, or similar. I do not have a homedirectory set that seems to work at the moment, so I have it as a full path. Thank you for the VirtualUsers/Home. This will help. I spent a lot of time reading various documentation and somehow missed this.

Is there some global option like mail_location for homedirectory? That is one I am not finding one with google or with grep in the configuration.

>
> This isn't right. You probably wanted =uid=vmail, =gid=vmail. But this
> is again done easier by setting:
>
> mail_uid = vmail
> mail_gid = vmail
>
> So all in all, your user_attrs could probably just be empty and you
> should probably remove userdb ldap completely from your config to avoid
> unnecessary userdb lookups.

I have done this as well. The problem with removing all of this is I use Dovecot's deliver (LDA). It needs a way of finding which users do and do not exist. Is there a better way to do this? I may be able to turn this off. I do use postfix and I believe it is already looking up the users. I seem to remember there was an option to turn this off in Dovecot (the looking up of the user for LDA).

The only problem that is there is this: I need doveadm expunge -A. This is where I am having the problem. I guess this doesn't use the user_ stuff. It uses the iterate_attrs right?

vmail and root are NOT in the AD LDAP. This is what I get when I run doveadm search -A mailbox INBOX from VALID_FROM

> Oct 15 05:48:06 TeaSet dovecot: auth: Error: auth worker: Aborted request:
> Worker process died unexpectedly
> Oct 15 05:48:06 TeaSet dovecot: auth: Debug: master in:
> USER#0112#011root#011service=doveadm
> Oct 15 05:48:06 TeaSet dovecot: auth: Debug: passwd(root): lookup
> Oct 15 05:48:06 TeaSet dovecot: auth: Debug: master out:
> USER#0112#011root#011system_groups_user=root#011uid=0#011gid=0#011home=/root
> Oct 15 05:48:06 TeaSet dovecot: auth: Debug: master in:
> USER#0113#011bin#011service=doveadm
> Oct 15 05:48:06 TeaSet dovecot: auth: Debug: passwd(bin): lookup
> Oct 15 05:48:06 TeaSet dovecot: auth: Debug: master out:
> USER#0113#011bin#011system_groups_user=bin#011uid=1#011gid=1#011home=/bin
> Oct 15 05:48:06 TeaSet dovecot: master: Error: service(auth-worker): child
> 16375 killed with signal 11 (core dumps disabled)
> Oct 15 05:48:06 TeaSet dovecot: auth: Debug: Loading modules from directory:
> /usr/lib64/dovecot/auth
> Oct 15 05:48:06 TeaSet dovecot: auth: Debug: Module loaded:
> /usr/lib64/dovecot/auth/libauthdb_ldap.so
> Oct 15 05:48:06 TeaSet dovecot: auth: Debug: Module loaded:
> /usr/lib64/dovecot/auth/libdriver_sqlite.so
> Oct 15 05:48:06 TeaSet dovecot: auth: Debug: Module loaded:
> /usr/lib64/dovecot/auth/libmech_gssapi.so
> Oct 15 05:48:50 TeaSet dovecot: auth: Debug: master in: LIST#0111
> Oct 15 05:48:50 TeaSet dovecot: auth: Debug: ldap: iterate:
> base=dc=example,dc=com scope=subtree filter=(objectClass=person) fields=
> Oct 15 05:48:50 TeaSet dovecot: auth: Error: auth worker: Aborted request:
> Worker process died unexpectedly
> Oct 15 05:48:50 TeaSet dovecot: auth: Debug: master in:
> USER#0112#011root#011service=doveadm
> Oct 15 05:48:50 TeaSet dovecot: auth: Debug: passwd(root): lookup
> Oct 15 05:48:50 TeaSet dovecot: auth: Debug: master out:
> USER#0112#011root#011system_groups_user=root#011uid=0#011gid=0#011home=/root
> Oct 15 05:48:50 TeaSet dovecot: auth: Debug: master in:
> USER#0113#011bin#011service=doveadm
> Oct 15 05:48:50 TeaSet dovecot: auth: Debug: passwd(bin): lookup
> Oct 15 05:48:50 TeaSet dovecot: auth: Debug: master out:
> USER#0113#011bin#011system_groups_user=bin#011uid=1#011gid=1#011home=/bin
> Oct 15 05:48:50 TeaSet dovecot: master: Error: service(auth-worker): child
> 16398 killed with signal 11 (core dumps disabled)

Thank you for your help,
Trever
-- "The strength of the Constitution lies entirely in the determination of each citizen to defend it. Only if every single citizen feels duty bound to do his share in this defense are the constitutional rights secure." -- Albert Einstein
[Dovecot] doveadm doesn't seem to honor mail_location, mail_uid, mail_gid
I am adjusting the recommended ldap configuration to match active directory instead of the standard posixaccount layout. The problem is that doveadm seems to ignore mail_uid and mail_gid along with (possibly) mail_location. This is a setup with all virtual users (all ldap, not system accounts). Everything works in postfix and standard dovecot operation, it is only doveadm which doesn't work. Ldap queries return everything but these entries (as they do not exist in AD). These items I have tried setting in the configuration and in environment variables. Any help would be GREATLY appreciated. Thank you, Trever -- "The three Rs of Microsoft support: Retry, Reboot, Reinstall." -- Unknown
[Dovecot] Samba4 Active Directory and Doveadm
When executing:

doveadm search -A mailbox INBOX from SOMEBODY

I am getting:

doveadm(root): Error: user root: Invalid settings in userdb: userdb returned 0 as uid
doveadm(root): Error: User lookup failed: Invalid user settings. Refer to server log for more information.
doveadm(bin): Error: user bin: Couldn't drop privileges: Mail access for users with UID 1 not permitted (see first_valid_uid in config file).
doveadm(bin): Error: User init failed
doveadm: Error: Failed to iterate through some users

hosts =FQDN
base = dc=example,dc=com
ldap_version = 3
user_attrs = =homeDirectory=/home/vmail/%d/%n, =mail=maildir:/home/vmail/%d/%n, uid=vmail, gid=vmail
user_filter = (&(objectClass=person)(|(mail=%u)(sAMAccountName=%u)(userPrinicipalName=%u)))
# For using doveadm -A:
iterate_attrs = uid=samaccountname
iterate_filter = (objectClass=person)

I can receive email and login just fine. The problem is when doing doveadm stuff. I do not know ldap (learning as I go). I need to set the uid/guid to vmail (500 in this case if vmail can't be used).

Any help would be greatly appreciated. I do not have sfu or rfc2xxx enabled as this requires changing things with Samba 4 that I would rather avoid at the moment.

Thank you for any help,
Trever
-- "Virtue does not always demand a heavy sacrifice -- only the willingness to make it when necessary." -- Frederick Dunn
Re: [Dovecot] status of antispam plugin for DC 2.x ?
On 08/31/2010 10:54 AM, e-frog wrote:
>
> $ hg clone http://hg.dovecot.org/dovecot-antispam-plugin/
> $ ./autogen.sh
> $ ./configure prefix=/usr
> $ make
> $ make install
>
> works for me...
>
> configure checks for the file dovecot-config. If prefix is /usr it
> expects the file under /usr/lib/dovecot/

Unfortunately there is no dspam backend yet. This is a killer for me.

Trever
-- "millihelen, n.: The amount of beauty required to launch one ship." -- Unknown
Re: [Dovecot] Fully kerberized mail system
On 08/24/2010 02:45 AM, Dr Matthew Williams wrote:
> Hello,
>
> Is it possible to use Dovecot in a fully kerberized mail system?
>
> We have configured authentication via kerberos, now we would like the
> imap daemon to access a kerberized nfs file system. Has any one any
> experiences?
>
> Regards,
>
> Matthew.

I do not know if dovecot is setup to do it, but you will need to look at delegation. Many, but not all, kerberos aware programs can do delegation nor accept delegation.

Trever
-- "Before you ask more questions, think about whether you really want to know the answers." -- Gene Wolfe, "The Claw of the Conciliator"
Re: [Dovecot] mailbox_storage_vfuncs: mailbox_open -> ? in 2.0
On 07/13/2010 01:47 PM, Timo Sirainen wrote:
>
> You're actually a bit late :) Eugene Paskevich
> has been working on it for a while now and apparently it's nearly done.
> We were just about to put the repo to hg.dovecot.org.
>

Well, that will save me from having to find a way to host a git tree. Thank you for letting me know. The last few hours have been fun and I have learned a little about dovecot's internals.

Thank you Eugene. Will this become an included plugin in the dovecot distribution? Eugene, would you be interested in some comments on fixing the build system so that it can be packaged in RPM easily (all plugin versions compiled)? Right now, I do the trick through RPM, but I think they can all be moved into the Makefile without too much trouble.

Thank you Eugene and Timo.

Trever
[Dovecot] mailbox_storage_vfuncs: mailbox_open -> ? in 2.0
Hello,

I am working on fixing dovecot-antispam to work with dovecot 2.0. I am down to three errors/warnings that concern me. The one I need help from those more familiar with dovecot internals is in the subject.

What happened to mailbox_open? Did it disappear? Did it get renamed? It appears that I am needing to override some methods:

	if (need_folder_hook) {
		/* override save_init to override want_mail, we need that */
		box->v.save_begin = antispam_save_begin;
		box->v.save_finish = antispam_save_finish;
		box->v.transaction_begin = antispam_mailbox_transaction_begin;
		box->v.transaction_commit = antispam_mailbox_transaction_commit;
		box->v.transaction_rollback = antispam_mailbox_transaction_rollback;
		box->v.copy = antispam_copy;
	}

	if (need_keyword_hook)
		box->v.mail_alloc = antispam_mailbox_mail_alloc;

Thank you for any help.

Trever
-- A traveler on the information superhighway who often stops and looks around...
Re: [Dovecot] dovecot-antispam for dovecot 2.0?
To be honest, I don't really have a whole lot of time for this project any more, I'd be happy if somebody wanted to adopt it more fully.

johannes

I may not be the best person for this as I do not have a way of hosting the git tree and I am not super familiar with dovecot's internals, but I think I can help out a bit.

Trever
Re: [Dovecot] pigeonhole, regex, UTF-8
On 07/13/2010 10:16 AM, Stephan Bosch wrote:

The standard regexp library does not support unicode and I was not planning to write my own regexp compiler any time soon.

I wouldn't want to write one as well.

As a matter of fact, I haven't looked at TRE before. I'm quite interested though, since it is backwards compatible with POSIX and seems to be available in most systems. I'll give it a closer look, also in terms of compatibility with the latest draft of the Sieve regex extension specification.

Regards,
Stephan.

There are a few odd things about the wide character support in TRE. Either you need to convert each message to wchar_t and make sure you set the system encoding to wchar_t, or you need to set the system encoding for each message, which may or may not mess up your UTF-8 regex.

My project is an Internet Classifier (used with things like Squid proxy to make a filter). I convert everything to wchar_t (using iconv with info gathered from headers) and use the wide character versions of the functions. That way I know everything is just fine. I then have the program set the system encoding (at least the environment variable for the given session) to UTF-8 before I do any of the regex compiling. Everything works wonderfully and quite quickly.

I am not sure TRE is available on all systems where dovecot is designed to be compiled. I know it is for most, if not all, Unix-like systems. I use it in Fedora.

Anyway, thank you for your work on pigeonhole.

Trever
[Dovecot] pigeonhole, regex, UTF-8
Hello, I am just learning about pigeonhole and thinking of using it. I see that regex doesn't support UTF-8. Any particular reason for this? If it is a library problem is the library, have you looked at tre? I am using it in a project (I am using it in wchar_t mode because elsewhere all data is converted to wchar_t). It does work with UTF-8. Thanks, Trever
Re: [Dovecot] antispam plugin problem
On 05/11/2010 12:02 AM, Danila wrote:
>
> May 11 10:54:09 evil imap: antispam: mail copy: src spam: 0, dst spam: 1, src
> unsure: 0
> May 11 10:54:09 evil imap: antispam: /usr/local/bin/dspam --source=error
> --class=spam --signature=4be87a9f953248352114216 --client --user vmail
> May 11 10:54:09 evil imap: antispam: executing /usr/local/bin/dspam failed:
> 13 (uid=1009, gid=1010)
>
> uid=1009, gid=1010 is vmail user
>
> %> grep vmail /usr/local/etc/dspam.conf
> Trust vmail
>
> Thanks
>
>

Is dovecot running as vmail or as user dovecot? I had a similar problem and had to add "trust dovecot". Once I did that, the problem went away.

Trever
-- A traveler on the information superhighway who often stops and looks around...
Re: [Dovecot] Samba AD and Dovecot
Timo Sirainen wrote:
>> I really want to use kerberos/SPNEGO everywhere I can for various
>> reasons. The LDAP would be for the configuration.
> Do you actually want the IMAP/POP3 clients to use Kerberos? For
> plaintext auth I don't see any benefit in Dovecot using Kerberos
> rather than LDAP (and it doesn't support that, except via pam_kerberos
> or whatever I guess). But for clients to use Kerberos (GSSAPI) and
> authenticate against AD while Dovecot is in the middle... I've no
> idea. I guess that's possible somehow.

You have all of the Kerberos/GSSAPI/SPNEGO stuff done. It is just a matter of can I still have the configuration (for user directories, etc.) done in LDAP? http://wiki.dovecot.org/Authentication/Mechanisms/Winbind?highlight=%28spnego%29 for the SPNEGO/Kerberos I am not using this via Plain Text. This is for AD and Kerberos domains. (Yes, I understand that if I want to do straight kerberos, I use http://wiki.dovecot.org/Authentication/Kerberos instead. But instead of userdb static, can it be userdb ldap or some such?

> There's no great way to do this.. A couple of kludgy ways. Like chmod
> 01777 /var/mail. Or override mail_executable setting to a script that
> still runs as root and can create the directory with proper
> permissions. http://wiki.dovecot.org/PostLoginScripting

Alright, I am going to have to find another way for this part. The other part (Kerberos and LDAP together), I do need. LDAP for configuration, Kerberos (or NTLM in some cases for SPNEGO) for authentication.

Trever Adams
[Dovecot] Samba AD and Dovecot
Hello All,

I haven't seen the answer to this, maybe I am just using the wrong searches. I have two queries related to this:

1) I have seen how to configure for LDAP and Kerberos. AD uses both together. All user information is in AD/LDAP and authentication is AD/Kerberos. How can I configure Dovecot to use both appropriately?

2) I can cause Samba to create certain directories on login, etc. However, I am needing to do this for Dovecot (and Postfix using Dovecot deliver). I would prefer to use Dovecot functionality for this, not Samba. This is not the autocreate folder/subscribe stuff, at least I think not. For example if I have a directory /var/mail/domain/user. Can I have Dovecot auto create (with proper permissions) the domain/user part? These would be used for maildir.

Thank you,
Trever Adams
Re: [Dovecot] data retention and e-discovery rules
Timo Sirainen wrote:

One possibility is http://wiki.dovecot.org/Plugins/Lazyexpunge

This is exactly what I am looking for, except two things: The cron job shown on that URL seems to not work off of the date the message was deleted. Am I correct? The URL mentions that it should be possible to keep the user from accessing the namespaces, is this under the namespace configuration?

Thank you,
Trever Adams
[Dovecot] data retention and e-discovery rules
Hello All, I am in the United States where we have e-discovery rules. Some organizations have to retain data for a certain amount of time, others are required to have a data retention policy. This means that while it should probably be possible for a user to "delete" an email so they do not see it. The server needs to store it, possibly in a tree that mirrors the folder setup of the user (so if it is in "Sales" folder, it should move to namespace "hidden", or similar, in folder "Sales"). Is there anything like this in dovecot? Is it possible to use cron jobs to see when the message was deleted (Maildir) and erase it based on policy? (Python scripts are fine if the users password isn't needed.) Thank you, Trever Adams
Re: [Dovecot] anti spam measures
Jakob Curdes wrote:

Still no ideas. Sigh. JC

Sorry, then I am afraid I do not know what the problem is. Good luck.

Trever
Re: [Dovecot] anti spam measures
Jakob Curdes wrote:

No, I don't have that in dc.conf :

# expire plugin
# Trash and its children 7d, Spam 30d
# expire = backup 7 Spam 30
# expire = backup 7 spam 30
expire_dict = proxy::expire
expire = backup 7 spam 30
# If you have a non-default path to auth-master, set also:
auth_socket_path = /var/run/dovecot/auth-master
# end expire

That's all (plus a dict line and the plugin call in the imap section). So my problem lies elsewhere :: = (( JC

I assumed you pasted the antispam configuration at the end. The place I mentioned is in the antispam section.

Trever
Re: [Dovecot] anti spam measures
Jakob Curdes wrote:

I was the other one having this problem. Where exactly is that line? I was just looking at the whole thing again and re-testing, without any success. Cheers, Jakob

In dovecot.conf, look near the very bottom, in the crm 114 section of your antispam configuration. You will find that crm114's spam signature is likely uncommented. Comment it. Problem solved, at least here.

Trever
Re: [Dovecot] dspam integration
Yes, bad form to reply to myself. I forgot to ask, does CRM114 have database backends or just filesystem backends?

Trever

On Sat, 2007-11-24 at 01:16 -0700, Trever L. Adams wrote:
> Johannes, et al.
>
> On Tue, 2007-11-20 at 14:29 +0100, Johannes Berg wrote:
> > > But it's slow. Especially with bulk moves
> >
> > True. I use crm114 now which is a lot faster :)
>
> How are you finding CRM114? Is it faster than dspam w/ the hash driver?
> How is the accuracy? Are there any other important facts I should ask
> about?
>
> Which MTA are you using? How are you integrating it?
>
> Thank you,
> Trever Adams
>
> P.S. Johannes, last time I tried your new plugin I was having problems
> with Thunderbird appending to the "Sent" folder. I haven't had time to
> track it down yet.
> --
> "Whatever you do will be insignificant, but it is very important that
> you do it." -- Gandhi

-- "Stop searching forever. Happiness is just next to you." -- Unknown
Re: [Dovecot] dspam integration
Johannes, et al.

On Tue, 2007-11-20 at 14:29 +0100, Johannes Berg wrote:
> > But it's slow. Especially with bulk moves
>
> True. I use crm114 now which is a lot faster :)

How are you finding CRM114? Is it faster than dspam w/ the hash driver? How is the accuracy? Are there any other important facts I should ask about?

Which MTA are you using? How are you integrating it?

Thank you,
Trever Adams

P.S. Johannes, last time I tried your new plugin I was having problems with Thunderbird appending to the "Sent" folder. I haven't had time to track it down yet.

-- "Whatever you do will be insignificant, but it is very important that you do it." -- Gandhi
[Dovecot] --enable-headers-install problem in 1.0.5
I am trying to get a SPEC file for an RPM to build a devel package. I have it working, except for one thing. 1.0.5 doesn't actually install the headers with that option to configure found in the subject. It does create the directory, but it doesn't put the files there. Timo, is this a known/unknown bug, or am I doing something stupid? Thanks, Trever
Re: [Dovecot] alert function, V2
Stewart Dean wrote: My thanks to Timo. Over here in the US, we just had another college campus shooting, but this time the campus was locked down and no more than the initial two victims were shot (not fatally). Implementing the imap alert function will give our college administration immediate emergency notification to anyone using email. Timo Sirainen wrote: http://dovecot.org/patches/1.0/imap-alert-plugin.c I would like to see this as part of the standard dovecot package with some documentation. Is this possible for 1.1? Trever Adams
Re: [Dovecot] dovecot dspam plugin using libdspam
Hi, the git address has changed. git clone git://git.cynapses.org/gladiac/dovecot-dspam-plugin.git -- andreas Hello, Andreas, I have not had a chance to look at your plugin. I am wondering if you have updated the plugin for the API changes in 1.1 alpha series (particularly alpha6). If so, I am at a point I can test the plugin out and possibly contribute code. Thank you for a quick response, Trever Adams
Re: [Dovecot] dovecot dspam plugin using libdspam
Johannes Berg wrote:

Note that passing dspam the signature is likely more efficient. There are two possibilities:
(1) dspam extracts the signature -> dovecot is more efficient at extracting headers because of cache
(2) dspam uses the mail -> it has to re-tokenize etc which afaik it doesn't if you give it the signature and it loads things from disk

johannes

This is correct, the signature is attached, so to say, to an already tokenized version of the message. This is a large part of the overhead of dspam. Also, to do a retrain, you need a pristine message. So if a signature has been attached or any headers added in any way since it was processed by dspam it won't be a true retrain. We want to use signatures if it is present, if not, then we can use the raw message. I would suggest the code do an if on the presence of the signature. I haven't yet looked at the code. Maybe tomorrow. (I am a bit behind on my schedule.)

Trever
Re: [Dovecot] dovecot dspam plugin using libdspam
Andreas,

Please, do not take this poorly. I am simply asking questions to make sure this patch/plugin is a good idea in the form you suggest. I am a user of the other patch. I am wondering if this is worth it. Your patch, if it links against libdspam will "bloat" dovecot. What do we gain? Not every message goes through dspam (the fork, exec, etc.). It is only those that were classified incorrectly.

I agree with many of your suggested changes. Additionally, most open source projects seem to use autoconf/automake. What do we gain by switching to cmake instead of making it work somehow with dovecot's autoconf/automake system?

Depending on your answers, I will try your patch and help you clean it up.

Trever Adams

Andreas Schneider wrote:
Hi, I've found the dovecot dspam plugin and looked at the code. It forks and calls the dspam binary for every mail. I didn't like this behavior, so I've migrated it to use libdspam. The plugin still needs more love:
* Use cmake instead of a Makefile
* Make the spam folder configurable in the dovecot.conf
* Code cleanup and more comments.
Please test. Comments and patches are welcome ;)
http://www.cynapses.org/tmp/dovecot-dspam-plugin-0.1.tar.gz
Cheers,
-- andreas
Re: [Dovecot] Copyright notices in code
Timo Sirainen wrote:
I thought about committing this change to all .c files: Removed all Copyright Timo Sirainen comments. They weren't always correct and the year numbers were rarely updated when something was changed. Copyright is owned by the creator by default in practically all countries, there's no need to advertise it everywhere. Can anyone think of reasons why this wouldn't be a good idea?

It is always a good idea to spell out the copyright anyway. Besides, you can't guarantee that no one will use one file somewhere else, before long the question of ownership and license becomes an issue if these aren't spelled out in each file.

Just my over careful 2 cents.

Trever
Re: [Dovecot] Problems with BEFORE searches.
On Fri, 2007-05-11 at 17:08 +0200, Johannes Berg wrote:
> Interesting. I just noticed another bug too, it pads with spaces:
> " 1-May-07 ..."

Yes, I caught this too.

> Or maybe just replace it all with:
>
> sentbefore = time.strftime("%d-%b-%Y", time.localtime(time.time() - float(sys.argv[1]) * 24 * 60 * 60))
>
> johannes

I like this last version better. I will use it instead of my version of your other version. It is much cleaner. However, your code still lacks conn.expunge(). My testing shows this is necessary (at least if you are using Maildir, I imagine it is even more necessary with mbox). I suggest you add it before you close the connection.

Thanks for your help Timo and Johannes.

Trever

--
If it's there and you can see it, it's REAL
If it's there and you can't see it, it's TRANSPARENT
If it's not there and you can see it, it's VIRTUAL
If it's not there and you can't see it, it's GONE!
-- Unknown
[Dovecot] Problems with BEFORE searches.
Ok, I am trying to modify some code given to me by the author of the dspam plugin for dovecot (sorry the name eludes me). I am modifying it to handle UNSEEN differently than SEEN. Below is the python code. I am not a python programmer, but I get the basic idea.

ok, uids = conn.search(None, 'BEFORE', unreadsentbefore, 'SEEN')

"11-May-2007 06:18:29 -0600" is the value of unreadsentbefore. However, this doesn't match any emails even though they are all dated as 5/10 and they have all been read for several hours (the time was the current to figure out why it isn't working).

Is there a problem with BEFORE and SEEN together? Is there a BEFORE bug in the system? Some of the messages are -500 and others, I am not sure.

Thanks,
Trever Adams
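Added example, not part of the original thread or of anyone's posted script: a sketch of the cleanup discussed in these two messages. The BEFORE search key in RFC 3501 takes a date only (DD-Mon-YYYY, no time or zone), and messages flagged \Deleted stay in the mailbox until EXPUNGE is sent. The names imap_date, purge_older_than and StubConn are hypothetical; StubConn is a constructed stand-in for an imaplib.IMAP4 connection so the code runs offline.

```python
import datetime

# English month names: strftime("%b") follows the process locale, but IMAP
# date-text always uses these abbreviations.
_MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
           "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")


def imap_date(days_ago, today=None):
    """Date-only search key (DD-Mon-YYYY), zero-padded, no time or zone."""
    today = today or datetime.date.today()
    d = today - datetime.timedelta(days=days_ago)
    return "%02d-%s-%04d" % (d.day, _MONTHS[d.month - 1], d.year)


def purge_older_than(conn, days_ago, flag="SEEN", today=None):
    """Mark matches \\Deleted and expunge them; return the ids removed."""
    cutoff = imap_date(days_ago, today)
    ok, data = conn.search(None, "BEFORE", cutoff, flag)
    if ok != "OK":
        raise RuntimeError("SEARCH failed: %r" % (data,))
    ids = data[0].split()
    if ids:
        conn.store(b",".join(ids).decode("ascii"), "+FLAGS", "(\\Deleted)")
        conn.expunge()  # without this the messages are only flagged
    return ids


class StubConn:
    """Constructed stand-in for imaplib.IMAP4 so the example runs offline."""

    def __init__(self, hits):
        self.hits, self.calls = hits, []

    def search(self, charset, *criteria):
        self.calls.append(("SEARCH",) + criteria)
        return "OK", [self.hits]

    def store(self, message_set, command, flags):
        self.calls.append(("STORE", message_set, command, flags))
        return "OK", [None]

    def expunge(self):
        self.calls.append(("EXPUNGE",))
        return "OK", [None]
```

With a real server, pass a logged-in imaplib.IMAP4 or IMAP4_SSL object with the mailbox selected read-write; calling the function once with "SEEN" and once with "UNSEEN" and different day counts gives the separate retention periods the question asks about.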
Re: [Dovecot] dovecot-dspam-integration
On Wed, 2007-05-09 at 16:09 +0200, Johannes Berg wrote:
> On Tue, 2007-05-08 at 04:06 -0600, Trever L. Adams wrote:
> I don't use --daemon right now, it was crashing too much and losing
> mail. YMMV.

You have to limit the number of connections to 1. For some reason it locks up if there are more than 1.

> Well, you control how long the .sig files are kept around. I keep them a
> week longer than my spam folder contents.
>
> johannes

How are you cleaning up the folder contents?

Trever

--
"If destruction be our lot, we must ourselves be its author and finisher. As a nation of freemen, we must live through all time or die by suicide." -- Abraham Lincoln