Re: Certificate and showing a sign-cert not there

2022-02-08 Thread Plutocrat

  
  
Random addition to this thread, in case it helps ... recently had
a client reporting certificate problems after Letsencrypt changed
their root certificate late last year. Long story short: it boiled
down to the fact he was using an ancient version of Outlook which
didn't have the necessary root certificates to verify the new
Letsencrypt cross-signed root cert. More recent versions of
Outlook were fine. So maybe that's another line of inquiry?

P.

On 09/02/2022 09.56, justina colmena ~biz wrote:
> You shouldn't need a root in the full chain, because the client already has to
> have the root cert, but you do need all the links in the chain up to the root.
>
> On February 8, 2022 4:13:06 PM AKST, Wayne Spivak  wrote:
>
> Justina,
>
> The vendor I have, who is having the difficulty, is still saying he gets a
> self-signed cert… but as I showed in my last email after I added Intermediate
> to the certificate, everything was ok.
>
> So ServerCert, Intermediate, Root in same file should solve this?
>
> Wayne
>
> From: dovecot  On Behalf Of justina colmena ~biz
> Sent: Tuesday, February 8, 2022 2:44 PM
> To: dovecot@dovecot.org
> Subject: Re: Certificate and showing a sign-cert not there
>
> In general:
>
> Lots of mail servers out in the wild do not require TLS or even bother to
> verify TLS certificates when connecting to a remote server on port 25.
>
> However, desktop and mobile email *clients* tend to be much stricter about
> verifying server certificates when connecting via SSL or TLS, mainly to
> protect user passwords.
>
> Sometimes the server certificate needs to be presented with a "full chain"
> appended to it for verification. That has been an issue before when I've used
> some certs, particularly StartSSL before Letsencrypt started offering free
> certs.
>
> On February 8, 2022 5:53:34 AM AKST, Wayne Spivak  wrote:
>
> Hi –
>
> I am running Postfix 3.6.4 with Dovecot 2.3.17.1 (476cd46418).
>
> I have a multi-signed cert from Entrust.
>
> The cert works fine on port 25.
>
> However, on Port 587 I get an error: c
>
> [root@mcq wbs]# openssl s_client -connect mcq.sbanetweb.com:993 -servername mcq.sbanetweb.com
> CONNECTED(0003)
> depth=0 C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN = mcq.sbanetweb.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN = mcq.sbanetweb.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
> depth=0 C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN = mcq.sbanetweb.com
> verify return:1
> ---
> Certificate chain
>  0 s:C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN = mcq.sbanetweb.com
>    i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
>
> [root@mcq wbs]# dovecot -n
> # 2.3.17.1 (476cd46418): /etc/dovecot/dovecot.conf
> # OS: Linux 5.16.5-200.fc35.x86_64 x86_64 Fedora release 35 (Thirty Five)
> # Hostname: mcq.sbanetweb.com
> auth_mechanisms = plain login
> disable_plaintext_auth = no
> mbox_write_locks = fcntl
> namespace inbox {
>   inbox = yes
>   location =
>   mailbox Drafts {

RE: Certificate and showing a sign-cert not there

2022-02-08 Thread justina colmena ~biz
You shouldn't need a root in the full chain, because the client already has to 
have the root cert, but you do need all the links in the chain up to the root.

On February 8, 2022 4:13:06 PM AKST, Wayne Spivak  wrote:
>Justina,
>
> 
>
>The vendor I have, who is having the difficulty, is still saying he gets a 
>self-signed cert… but as I showed in my last email after I added Intermediate 
>to the certificate, everything was ok.
>
> 
>
>So ServerCert, Intermediate, Root in same file should solve this?
>
> 
>
>Wayne
>
>From: dovecot  On Behalf Of justina colmena ~biz
>Sent: Tuesday, February 8, 2022 2:44 PM
>To: dovecot@dovecot.org
>Subject: Re: Certificate and showing a sign-cert not there
>
> 
>
>In general:
>
>Lots of mail servers out in the wild do not require TLS or even bother to 
>verify TLS certificates when connecting to a remote server on port 25.
>
>However, desktop and mobile email *clients* tend to be much stricter about 
>verifying server certificates when connecting via SSL or TLS, mainly to 
>protect user passwords.
>
>Sometimes the server certificate needs to be presented with a "full chain" 
>appended to it for verification. That has been an issue before when I've used 
>some certs, particularly StartSSL before Letsencrypt started offering free 
>certs.
>
>On February 8, 2022 5:53:34 AM AKST, Wayne Spivak  wrote:
>
>Hi –
>
> 
>
>I am running Postfix 3.6.4 with Dovecot 2.3.17.1 (476cd46418).
>
> 
>
>I have a multi-signed cert from Entrust.
>
> 
>
>The cert works fine on port 25.
>
> 
>
>However, on Port 587 I get an error: c
>
> 
>
>[root@mcq wbs]# openssl s_client -connect mcq.sbanetweb.com:993 -servername 
>mcq.sbanetweb.com
>
>CONNECTED(0003)
>
>depth=0 C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN = 
>mcq.sbanetweb.com
>
>verify error:num=20:unable to get local issuer certificate
>
>verify return:1
>
>depth=0 C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN = 
>mcq.sbanetweb.com
>
>verify error:num=21:unable to verify the first certificate
>
>verify return:1
>
>depth=0 C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN = 
>mcq.sbanetweb.com
>
>verify return:1
>
>---
>
>Certificate chain
>
>0 s:C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN = 
>mcq.sbanetweb.com
>
>   i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
>
> 
>
> 
>
>[root@mcq wbs]# dovecot -n
>
># 2.3.17.1 (476cd46418): /etc/dovecot/dovecot.conf
>
># OS: Linux 5.16.5-200.fc35.x86_64 x86_64 Fedora release 35 (Thirty Five)
>
># Hostname: mcq.sbanetweb.com
>
>auth_mechanisms = plain login
>
>disable_plaintext_auth = no
>
>mbox_write_locks = fcntl
>
>namespace inbox {
>
>  inbox = yes
>
>  location =
>
>  mailbox Drafts {
>
>special_use = \Drafts
>
>  }
>
>  mailbox Junk {
>
>special_use = \Junk
>
>  }
>
>  mailbox Sent {
>
>special_use = \Sent
>
>  }
>
>  mailbox "Sent Messages" {
>
>special_use = \Sent
>
>  }
>
>  mailbox Trash {
>
>special_use = \Trash
>
>  }
>
>  prefix =
>
>}
>
>passdb {
>
>  driver = pam
>
>}
>
>protocols = imap
>
>service auth {
>
>  unix_listener /var/spool/postfix/private/auth {
>
>group = postfix
>
>mode = 0666
>
>user = postfix
>
>  }
>
>  unix_listener auth-userdb {
>
>group = postfix
>
>mode = 0666
>
>user = postfix
>
>  }
>
>}
>
>service imap-login {
>
>  inet_listener imap {
>
>port = 143
>
>  }
>
>  inet_listener imaps {
>
>port = 993
>
>ssl = yes
>
>  }
>
>}
>
>service submission-login {
>
>  inet_listener submission {
>
>port = 587
>
>  }
>
>}
>
>ssl = required
>
>ssl_cert = 
>ssl_cipher_list = 
>ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
>
>ssl_client_ca_dir = /etc/postfix/tls/
>
>ssl_client_ca_file = ChainBundle.pem
>
>ssl_dh = # hidden, use -P to show it
>
>ssl_key = # hidden, use -P to show it
>
>ssl_prefer_server_ciphers = yes
>
>userdb {
>
>  driver = passwd
>
>}
>
>protocol imap {
>
>  mail_max_userip_connections = 15
>
>}
>
> 
>
>Any ideas?
>
> 
>
>Wayne Spivak
>
>SBANETWEB.com
>
>-- 
>Sent from my Android device with K-9 Mail. Please excuse my brevity.
>

-- 
Sent from my Android device with K-9 Mail. 

RE: Certificate and showing a sign-cert not there

2022-02-08 Thread Wayne Spivak
Justina,

 

The vendor I have, who is having the difficulty, is still saying he gets a 
self-signed cert… but as I showed in my last email after I added Intermediate 
to the certificate, everything was ok.

 

So ServerCert, Intermediate, Root in same file should solve this?

 

Wayne

From: dovecot  On Behalf Of justina colmena ~biz
Sent: Tuesday, February 8, 2022 2:44 PM
To: dovecot@dovecot.org
Subject: Re: Certificate and showing a sign-cert not there

 

In general:

Lots of mail servers out in the wild do not require TLS or even bother to 
verify TLS certificates when connecting to a remote server on port 25.

However, desktop and mobile email *clients* tend to be much stricter about 
verifying server certificates when connecting via SSL or TLS, mainly to protect 
user passwords.

Sometimes the server certificate needs to be presented with a "full chain" 
appended to it for verification. That has been an issue before when I've used 
some certs, particularly StartSSL before Letsencrypt started offering free 
certs.

On February 8, 2022 5:53:34 AM AKST, Wayne Spivak  wrote:

Hi –

 

I am running Postfix 3.6.4 with Dovecot 2.3.17.1 (476cd46418).

 

I have a multi-signed cert from Entrust.

 

The cert works fine on port 25.

 

However, on Port 587 I get an error: c

 

[root@mcq wbs]# openssl s_client -connect mcq.sbanetweb.com:993 -servername 
mcq.sbanetweb.com

CONNECTED(0003)

depth=0 C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN = 
mcq.sbanetweb.com

verify error:num=20:unable to get local issuer certificate

verify return:1

depth=0 C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN = 
mcq.sbanetweb.com

verify error:num=21:unable to verify the first certificate

verify return:1

depth=0 C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN = 
mcq.sbanetweb.com

verify return:1

---

Certificate chain

0 s:C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN = 
mcq.sbanetweb.com

   i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K

 

 

[root@mcq wbs]# dovecot -n

# 2.3.17.1 (476cd46418): /etc/dovecot/dovecot.conf

# OS: Linux 5.16.5-200.fc35.x86_64 x86_64 Fedora release 35 (Thirty Five)

# Hostname: mcq.sbanetweb.com

auth_mechanisms = plain login

disable_plaintext_auth = no

mbox_write_locks = fcntl

namespace inbox {

  inbox = yes

  location =

  mailbox Drafts {

special_use = \Drafts

  }

  mailbox Junk {

special_use = \Junk

  }

  mailbox Sent {

special_use = \Sent

  }

  mailbox "Sent Messages" {

special_use = \Sent

  }

  mailbox Trash {

special_use = \Trash

  }

  prefix =

}

passdb {

  driver = pam

}

protocols = imap

service auth {

  unix_listener /var/spool/postfix/private/auth {

group = postfix

mode = 0666

user = postfix

  }

  unix_listener auth-userdb {

group = postfix

mode = 0666

user = postfix

  }

}

service imap-login {

  inet_listener imap {

port = 143

  }

  inet_listener imaps {

port = 993

ssl = yes

  }

}

service submission-login {

  inet_listener submission {

port = 587

  }

}

ssl = required

ssl_cert = 

/usr/libexec/dovecot/anvil crashes immediately

2022-02-08 Thread Friedrich Kink

Dear list,

I built a dovecot package for openindiana (which is a Solaris 
derivative) from the latest version 2.3.18. Everything compiles and builds 
fine without any issue. Even subsequent installation and startup of the main 
dovecot process works as expected. But execution of 
/usr/libexec/dovecot/anvil immediately crashes. To get a more 
meaningful backtrace I compiled with -g. Below are some facts about my 
environment and a backtrace. Maybe some of you are more familiar with 
this kind of issue than I am, and can give some hints or share ideas on how to 
nail down the problem. Or can it be a configuration issue? BTW it is 
running in a so-called zone. And former versions, I don't know exactly 
but I believe up to 2.3.17, did not show this crash.


gcc --version
gcc (OpenIndiana 7.5.0-il-0) 7.5.0

Configure parameters:

gcc_OPT = -g

CONFIGURE_OPTIONS+= --sysconfdir=/etc \
    --localstatedir=/var \
    --with-gssapi=plugin \
    --with-ldap=plugin \
    --with-sql=plugin \
    --with-lua=plugin \
    --with-ssl=openssl \
    --with-ioloop=poll \
    --with-notify=none \
    --with-sodium \
    --with-mysql \
    --with-pgsql \
    --enable-static=no \
    --without-systemd \
    SSL_CFLAGS=-I/usr/openssl/1.1/include \
    SSL_LIBS="-L/usr/openssl/1.1/lib/amd64 -lssl 
-lcrypto" \

    LDFLAGS="-lldap_r"

Backtrace:

(gdb) bt full
#0  0x7fff5d2e6f2a in _lwp_kill () from /lib/64/libc.so.1
No symbol table info available.
#1  0x7fff5d2dd7f0 in thr_kill () from /lib/64/libc.so.1
No symbol table info available.
#2  0x7fff5d27ae7e in raise () from /lib/64/libc.so.1
No symbol table info available.
#3  0x7fff5d254ad8 in abort () from /lib/64/libc.so.1
No symbol table info available.
#4  0x7ffef05367c0 in default_fatal_finish (type=LOG_TYPE_PANIC, 
status=0) at 
/usr/src/myoi-userland/components/mail/dovecot/dovecot-2.3.18/src/lib/failures.c:459
    backtrace = 0x4178b8 
"/usr/lib/amd64/dovecot/libdovecot.so.0.0.0'backtrace_append_libc+0x4c 
[0x7ffef0522042] -> 
/usr/lib/amd64/dovecot/libdovecot.so.0.0.0'backtrace_append+0x18 
[0x7ffef05221c5] -> /usr/lib/amd64/dovecot/li"...

    recursed = 0
#5  0x7ffef0536827 in fatal_handler_real (ctx=0x7fffb820, 
format=0x7ffef05d8730 "file %s: line %d (%s): assertion failed: (%s)", 
args=0x7fffb850)
    at 
/usr/src/myoi-userland/components/mail/dovecot/dovecot-2.3.18/src/lib/failures.c:471

    status = 0
#6  0x7ffef0536871 in default_fatal_handler (ctx=0x7fffb820, 
format=0x7ffef05d8730 "file %s: line %d (%s): assertion failed: (%s)", 
args=0x7fffb850)
    at 
/usr/src/myoi-userland/components/mail/dovecot/dovecot-2.3.18/src/lib/failures.c:479

No locals.
#7  0x7ffef0536aed in i_panic (format=0x7ffef05d8730 "file %s: line 
%d (%s): assertion failed: (%s)") at 
/usr/src/myoi-userland/components/mail/dovecot/dovecot-2.3.18/src/lib/failures.c:524
    ctx = {type = LOG_TYPE_PANIC, exit_status = 0, timestamp = 0x0, 
timestamp_usecs = 0, log_prefix = 0x0, log_prefix_type_pos = 0}
    args = {{gp_offset = 8, fp_offset = 48, overflow_arg_area = 
0x7fffb930, reg_save_area = 0x7fffb870}}
#8  0x7ffef056048b in io_loop_handle_add (io=0x42d7c0) at 
/usr/src/myoi-userland/components/mail/dovecot/dovecot-2.3.18/src/lib/ioloop-poll.c:94

    ctx = 0x423180
    condition = IO_READ
    old_count = 3221223792
    index = 0
    old_events = 59
    fd = 4
    __func__ = "io_loop_handle_add"
#9  0x7ffef055c1ab in io_add_file (ioloop=0x423070, fd=4, 
condition=IO_READ, source_filename=0x7ffef05d9f48 
"/usr/src/myoi-userland/components/mail/dovecot/dovecot-2.3.18/src/lib/lib-signals.c",
    source_linenum=192, callback=0x7ffef05698f4 , 
context=0x0) at 
/usr/src/myoi-userland/components/mail/dovecot/dovecot-2.3.18/src/lib/ioloop.c:72

    io = 0x42d7c0
    __func__ = "io_add_file"
#10 0x7ffef055c27a in io_add_to (ioloop=0x423070, fd=4, 
condition=IO_READ, source_filename=0x7ffef05d9f48 
"/usr/src/myoi-userland/components/mail/dovecot/dovecot-2.3.18/src/lib/lib-signals.c",
    source_linenum=192, callback=0x7ffef05698f4 , 
context=0x0) at 
/usr/src/myoi-userland/components/mail/dovecot/dovecot-2.3.18/src/lib/ioloop.c:94

    io = 0x7ffef0609aa0 
    __func__ = "io_add_to"
#11 0x7ffef0569289 in lib_signals_init_io (l=0x420a00) at 
/usr/src/myoi-userland/components/mail/dovecot/dovecot-2.3.18/src/lib/lib-signals.c:192

    __func__ = "lib_signals_init_io"
#12 0x7ffef056933c in lib_signals_ioloop_ref (ioloop=0x423070) at 
/usr/src/myoi-userland/components/mail/dovecot/dovecot-2.3.18/src/lib/lib-signals.c:205

    l = 0x420a00
#13 0x7ffef0569507 in signal_handler_switch_ioloop (h=0x4209c0) at 

Re: Certificate and showing a sign-cert not there

2022-02-08 Thread justina colmena ~biz
In general:

Lots of mail servers out in the wild do not require TLS or even bother to 
verify TLS certificates when connecting to a remote server on port 25.

However, desktop and mobile email *clients* tend to be much stricter about 
verifying server certificates when connecting via SSL or TLS, mainly to protect 
user passwords.

Sometimes the server certificate needs to be presented with a "full chain" 
appended to it for verification. That has been an issue before when I've used 
some certs, particularly StartSSL before Letsencrypt started offering free 
certs.

On February 8, 2022 5:53:34 AM AKST, Wayne Spivak  wrote:
>Hi -
>
> 
>
>I am running Postfix 3.6.4 with Dovecot 2.3.17.1 (476cd46418).
>
> 
>
>I have a multi-signed cert from Entrust.
>
> 
>
>The cert works fine on port 25.
>
> 
>
>However, on Port 587 I get an error: c
>
> 
>
>[root@mcq wbs]# openssl s_client -connect mcq.sbanetweb.com:993 -servername
>mcq.sbanetweb.com
>
>CONNECTED(0003)
>
>depth=0 C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN =
>mcq.sbanetweb.com
>
>verify error:num=20:unable to get local issuer certificate
>
>verify return:1
>
>depth=0 C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN =
>mcq.sbanetweb.com
>
>verify error:num=21:unable to verify the first certificate
>
>verify return:1
>
>depth=0 C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN =
>mcq.sbanetweb.com
>
>verify return:1
>
>---
>
>Certificate chain
>
>0 s:C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN =
>mcq.sbanetweb.com
>
>   i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
>
> 
>
> 
>
>[root@mcq wbs]# dovecot -n
>
># 2.3.17.1 (476cd46418): /etc/dovecot/dovecot.conf
>
># OS: Linux 5.16.5-200.fc35.x86_64 x86_64 Fedora release 35 (Thirty Five)
>
># Hostname: mcq.sbanetweb.com
>
>auth_mechanisms = plain login
>
>disable_plaintext_auth = no
>
>mbox_write_locks = fcntl
>
>namespace inbox {
>
>  inbox = yes
>
>  location =
>
>  mailbox Drafts {
>
>special_use = \Drafts
>
>  }
>
>  mailbox Junk {
>
>special_use = \Junk
>
>  }
>
>  mailbox Sent {
>
>special_use = \Sent
>
>  }
>
>  mailbox "Sent Messages" {
>
>special_use = \Sent
>
>  }
>
>  mailbox Trash {
>
>special_use = \Trash
>
>  }
>
>  prefix =
>
>}
>
>passdb {
>
>  driver = pam
>
>}
>
>protocols = imap
>
>service auth {
>
>  unix_listener /var/spool/postfix/private/auth {
>
>group = postfix
>
>mode = 0666
>
>user = postfix
>
>  }
>
>  unix_listener auth-userdb {
>
>group = postfix
>
>mode = 0666
>
>user = postfix
>
>  }
>
>}
>
>service imap-login {
>
>  inet_listener imap {
>
>port = 143
>
>  }
>
>  inet_listener imaps {
>
>port = 993
>
>ssl = yes
>
>  }
>
>}
>
>service submission-login {
>
>  inet_listener submission {
>
>port = 587
>
>  }
>
>}
>
>ssl = required
>
>ssl_cert = 
>ssl_cipher_list =
>ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-G
>CM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AE
>S128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA25
>6:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-
>ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES1
>28-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE
>-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES12
>8-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNUL
>L:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-D
>ES-CBC3-SHA:!KRB5-DES-CBC3-SHA
>
>ssl_client_ca_dir = /etc/postfix/tls/
>
>ssl_client_ca_file = ChainBundle.pem
>
>ssl_dh = # hidden, use -P to show it
>
>ssl_key = # hidden, use -P to show it
>
>ssl_prefer_server_ciphers = yes
>
>userdb {
>
>  driver = passwd
>
>}
>
>protocol imap {
>
>  mail_max_userip_connections = 15
>
>}
>
> 
>
>Any ideas?
>
> 
>
>Wayne Spivak
>
>SBANETWEB.com
>

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

RE: Certificate and showing a sign-cert not there

2022-02-08 Thread Wayne Spivak
Hi Christian,

Thanks for answering.  I think you found my issue.

I now get:

[root@mcq wbs]# openssl s_client -connect mcq.sbanetweb.com:993 -servername
mcq.sbanetweb.com
CONNECTED(0003)
depth=2 C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms,
OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root
Certification Authority - G2
verify return:1
depth=1 C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms,
OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust
Certification Authority - L1K
verify return:1
depth=0 C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN =
mcq.sbanetweb.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN =
mcq.sbanetweb.com
   i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU =
"(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust
Certification Authority - L1K
 1 s:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU =
"(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust
Certification Authority - L1K
   i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU =
"(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root
Certification Authority - G2
---

I hope this fixes the issue?

THANK YOU

Wayne


-Original Message-
From: dovecot  On Behalf Of Christian Kivalo
Sent: Tuesday, February 8, 2022 11:48 AM
To: dovecot@dovecot.org
Subject: Re: Certificate and showing a sign-cert not there



On 2022-02-08 15:53, Wayne Spivak wrote:
> Hi -
> 
> I am running Postfix 3.6.4 with Dovecot 2.3.17.1 (476cd46418).
> 
> I have a multi-signed cert from Entrust.
> 
> The cert works fine on port 25.
Certificates on port 25 verify ok for me.
> 
> However, on Port 587 I get an error: c
Certificates on port 587 verify ok for me.
> 
> [root@mcq wbs]# openssl s_client -connect mcq.sbanetweb.com:993 
> -servername mcq.sbanetweb.com

Now you check port 993? For me the certificates also don't verify on port
993.

Have you built your certificate file correctly?
The intermediate cert seems to be missing.

For port 25, 587 you send a chain of 3 certificates.
For port 993 you only send one certificate.

> 
> CONNECTED(0003)
> 
> depth=0 C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, 
> CN = mcq.sbanetweb.com
> 
> verify error:num=20:unable to get local issuer certificate
> 
> verify return:1
> 
> depth=0 C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, 
> CN = mcq.sbanetweb.com
> 
> verify error:num=21:unable to verify the first certificate
> 
> verify return:1
> 
> depth=0 C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, 
> CN = mcq.sbanetweb.com
> 
> verify return:1
> 
> ---
> 
> Certificate chain
> 
>  0 s:C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN 
> = mcq.sbanetweb.com
> 
>i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, 
> OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = 
> Entrust Certification Authority - L1K
> 
> [root@mcq wbs]# dovecot -n
> 
> # 2.3.17.1 (476cd46418): /etc/dovecot/dovecot.conf
> 
> # OS: Linux 5.16.5-200.fc35.x86_64 x86_64 Fedora release 35 (Thirty
> Five)
> 
> # Hostname: mcq.sbanetweb.com
> 
> auth_mechanisms = plain login
> 
> disable_plaintext_auth = no
> 
> mbox_write_locks = fcntl
> 
> namespace inbox {
> 
>   inbox = yes
> 
>   location =
> 
>   mailbox Drafts {
> 
> special_use = \Drafts
> 
>   }
> 
>   mailbox Junk {
> 
> special_use = \Junk
> 
>   }
> 
>   mailbox Sent {
> 
> special_use = \Sent
> 
>   }
> 
>   mailbox "Sent Messages" {
> 
> special_use = \Sent
> 
>   }
> 
>   mailbox Trash {
> 
> special_use = \Trash
> 
>   }
> 
>   prefix =
> 
> }
> 
> passdb {
> 
>   driver = pam
> 
> }
> 
> protocols = imap
> 
> service auth {
> 
>   unix_listener /var/spool/postfix/private/auth {
> 
> group = postfix
> 
> mode = 0666
> 
> user = postfix
> 
>   }
> 
>   unix_listener auth-userdb {
> 
> group = postfix
> 
> mode = 0666
> 
> user = postfix
> 
>   }
> 
> }
> 
> service imap-login {
> 
>   inet_listener imap {
> 
> port = 143
> 
>   }
> 
>   inet_listener imaps {
> 
> port = 993
> 
> ssl = yes
> 
>   }
> 
> }
> 
> service submission-login {
> 
>   inet_listener submission {
> 
> port = 587
> 
>   }
> 
> }
> 
> ssl = required
> 
> ssl_cert = 
In what order are the certificates in here?

See
https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/#id7

> 
> ssl_cipher_list =
> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AE
> S256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA25
> 6:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-
> ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-
> RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE
> 

Re: Too many wait in auth process

2022-02-08 Thread itanguy




> On 8. Feb 2022, at 12.27, itan...@univ-brest.fr wrote:
>
> service auth-worker {
>    client_limit = 1
>    idle_kill = 0
>    process_limit = 600
>    process_min_avail = 0
>    service_count = 1
>    vsz_limit = 18446744073709551615 B
> }
>
> What dovecot version is this? With 2.3.17 or later you should probably use 
> service_count=0 here.
>
> That would prevent the auth-worker process from dying after each authentication and 
> the need for a new process to be spawned for each authentication.


Yes, it is 2.3.17.
I gave it a try; it's slightly better. There are somewhat fewer stalled auth 
processes.
But I didn't manage to go above 2000 clients, although in production 
it's more than 8000 connections.
Maybe it's because I didn't find how to make persistent connections 
with imaptest and there were too many logins/logouts. I use a delay to make 
each client last around 5 seconds.


So I increased this delay to 120s; this slows down login/logout and 
decreases the number of processes stuck in the wait auth queue.


I think I will go this way to simulate normal load on this server.
But that doesn't simulate a reboot of service while clients are connected.

Thank you all,
Ismaël



Re: Certificate and showing a sign-cert not there

2022-02-08 Thread Christian Kivalo




On 2022-02-08 15:53, Wayne Spivak wrote:

Hi -

I am running Postfix 3.6.4 with Dovecot 2.3.17.1 (476cd46418).

I have a multi-signed cert from Entrust.

The cert works fine on port 25.

Certificates on port 25 verify ok for me.


However, on Port 587 I get an error: c

Certificates on port 587 verify ok for me.


[root@mcq wbs]# openssl s_client -connect mcq.sbanetweb.com:993
-servername mcq.sbanetweb.com


Now you check port 993? For me the certificates also don't verify on 
port 993.


Have you built your certificate file correctly?
The intermediate cert seems to be missing.

For port 25, 587 you send a chain of 3 certificates.
For port 993 you only send one certificate.



CONNECTED(0003)

depth=0 C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD,
CN = mcq.sbanetweb.com

verify error:num=20:unable to get local issuer certificate

verify return:1

depth=0 C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD,
CN = mcq.sbanetweb.com

verify error:num=21:unable to verify the first certificate

verify return:1

depth=0 C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD,
CN = mcq.sbanetweb.com

verify return:1

---

Certificate chain

 0 s:C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN
= mcq.sbanetweb.com

   i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms,
OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN =
Entrust Certification Authority - L1K

[root@mcq wbs]# dovecot -n

# 2.3.17.1 (476cd46418): /etc/dovecot/dovecot.conf

# OS: Linux 5.16.5-200.fc35.x86_64 x86_64 Fedora release 35 (Thirty
Five)

# Hostname: mcq.sbanetweb.com

auth_mechanisms = plain login

disable_plaintext_auth = no

mbox_write_locks = fcntl

namespace inbox {

  inbox = yes

  location =

  mailbox Drafts {

special_use = \Drafts

  }

  mailbox Junk {

special_use = \Junk

  }

  mailbox Sent {

special_use = \Sent

  }

  mailbox "Sent Messages" {

special_use = \Sent

  }

  mailbox Trash {

special_use = \Trash

  }

  prefix =

}

passdb {

  driver = pam

}

protocols = imap

service auth {

  unix_listener /var/spool/postfix/private/auth {

group = postfix

mode = 0666

user = postfix

  }

  unix_listener auth-userdb {

group = postfix

mode = 0666

user = postfix

  }

}

service imap-login {

  inet_listener imap {

port = 143

  }

  inet_listener imaps {

port = 993

ssl = yes

  }

}

service submission-login {

  inet_listener submission {

port = 587

  }

}

ssl = required

ssl_cert = 
In what order are the certificates in here?

See 
https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/#id7




ssl_cipher_list =
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

ssl_client_ca_dir = /etc/postfix/tls/

ssl_client_ca_file = ChainBundle.pem

ssl_dh = # hidden, use -P to show it

ssl_key = # hidden, use -P to show it

ssl_prefer_server_ciphers = yes

userdb {

  driver = passwd

}

protocol imap {

  mail_max_userip_connections = 15

}

Any ideas?

Wayne Spivak

SBANETWEB.com


--
 Christian Kivalo
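
Christian's diagnosis above (port 993 sends only the leaf, the intermediate is missing, and the order of the certificates in the ssl_cert file matters) and justina's earlier point that the root itself need not be in the file can both be checked offline before touching a production server. The script below is an added example, not code from this thread or from the Dovecot project: it builds a throwaway root / intermediate / leaf PKI with the openssl CLI, assembles three candidate ssl_cert files, and verifies each one the way a strict mail client would. The CA and host names (Example Root CA, Example Issuing CA L1, mail.example.test) are invented for the demo.

```sh
#!/bin/sh
# Added example (not from the thread or the Dovecot project): build a throwaway
# root -> intermediate -> leaf PKI with the openssl CLI and show why Dovecot's
# ssl_cert file must start with the server certificate, followed by every
# intermediate, while the root itself is optional. All names below
# (Example Root CA, Example Issuing CA L1, mail.example.test) are invented.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# issue NAME SUBJECT ISSUER EXTFILE: write $WORK/NAME.key and $WORK/NAME.pem.
# An empty ISSUER means self-signed.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  if [ -z "$3" ]; then
    openssl x509 -req -sha256 -days 2 -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
      -extfile "$4" -out "$WORK/$1.pem" 2>/dev/null
  else
    openssl x509 -req -sha256 -days 2 -in "$WORK/$1.csr" \
      -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" -CAcreateserial \
      -extfile "$4" -out "$WORK/$1.pem" 2>/dev/null
  fi
}

gen_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:mail.example.test\n' > "$WORK/leaf.ext"
  issue root  "/CN=Example Root CA"       ""    "$WORK/ca.ext"
  issue inter "/CN=Example Issuing CA L1" root  "$WORK/ca.ext"
  issue leaf  "/CN=mail.example.test"     inter "$WORK/leaf.ext"
}

# Split a PEM bundle into $WORK/part1.pem, part2.pem, ... in file order.
split_bundle() {
  rm -f "$WORK"/part*.pem
  awk -v d="$WORK" '/-----BEGIN CERTIFICATE-----/ {n++} n {print > (d "/part" n ".pem")}' "$1"
}

# field CERT subject|issuer: print that DN without the "subject="/"issuer=" label.
field() { openssl x509 -in "$1" -noout "-$2" | sed "s/^$2= *//"; }

# Print the bundle the way "openssl s_client" prints its "Certificate chain".
show_bundle() {
  split_bundle "$1"
  i=1
  while [ -f "$WORK/part$i.pem" ]; do
    printf ' %d s:%s\n   i:%s\n' "$((i - 1))" \
      "$(field "$WORK/part$i.pem" subject)" "$(field "$WORK/part$i.pem" issuer)"
    i=$((i + 1))
  done
}

# Return 0 when every certificate is issued by the one that follows it, i.e. the
# file is ordered leaf -> intermediate(s) -> (optional) root. This checks order
# only: a file holding just the leaf passes here and is caught by verify_as_client.
chain_in_order() {
  split_bundle "$1"
  i=1
  while [ -f "$WORK/part$((i + 1)).pem" ]; do
    [ "$(field "$WORK/part$i.pem" issuer)" = "$(field "$WORK/part$((i + 1)).pem" subject)" ] || return 1
    i=$((i + 1))
  done
}

# Verify the first certificate the way a mail client does: only the root is
# trusted up front, everything else in the file is an untrusted intermediate the
# server sent, and the first certificate must be the server's (hostname check).
# Prints openssl's verdict; returns 0 only when the chain verifies.
verify_as_client() {
  split_bundle "$1"
  if [ -f "$WORK/part2.pem" ]; then
    cat "$WORK"/part[2-9].pem > "$WORK/untrusted.pem"
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/untrusted.pem" \
      -verify_hostname mail.example.test "$WORK/part1.pem" 2>&1
  else
    openssl verify -CAfile "$WORK/root.pem" -verify_hostname mail.example.test "$WORK/part1.pem" 2>&1
  fi
}

gen_pki
cp "$WORK/leaf.pem" "$WORK/leaf-only.pem"                          # what port 993 in the thread sent
cat "$WORK/inter.pem" "$WORK/leaf.pem" > "$WORK/wrong-order.pem"   # intermediate first: server cert is not first
cat "$WORK/leaf.pem" "$WORK/inter.pem" > "$WORK/fullchain.pem"     # leaf, then intermediate: what ssl_cert needs

for f in leaf-only wrong-order fullchain; do
  echo "== $f.pem"
  show_bundle "$WORK/$f.pem"
  chain_in_order "$WORK/$f.pem" && echo "order: ok" || echo "order: broken"
  verify_as_client "$WORK/$f.pem" || echo "-> a strict client would reject this"
done
```

Run it with openssl on PATH. The leaf-only file reproduces the thread's "error 20 ... unable to get local issuer certificate"; the intermediate-first file builds a valid chain but fails the hostname check, because clients treat the first certificate in the file as the server's; only the leaf-then-intermediate file passes. Appending the root to that file is harmless but buys nothing, since a client that does not already trust the root will not accept it from the server anyway. The same show_bundle and chain_in_order functions can be pointed at a real PEM bundle before it goes into ssl_cert.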


Config for filtering (ignoring) specific mbox mail folders?

2022-02-08 Thread John Hardin

Folks:

I'm migrating to Dovecot to provide IMAP services for my personal network.

I have more than a couple of decades of mail in multiple (1000+) mbox 
mail files, but I don't care to expose all of those to IMAP.


Is there any way to filter out what mail folders Dovecot will LIST and 
provide access to using globs or regular expressions? I'd prefer to avoid 
rearranging the mbox files (e.g. to subdirectories) if possible.


I looked through the Dovecot documentation and didn't see anything 
promising, and I couldn't find any discussion of the topic online. The 
feature that looked like it might be closest was Namespaces, but I 
couldn't see how to use that to ignore specific mbox files.


Is there any facility within Dovecot (or a plugin) to filter out / ignore 
mail folders by name, RE or file glob?


Thanks in advance!


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79


Re: On mailbox full, retry for 4 days or similar instead of reject

2022-02-08 Thread Jorge Bastos
One extra thing, for this to be 200% perfect, would be the ability to send a 
message to the sender telling them that the message got queued due to the end 
user's mailbox being full.


Would it be possible? This may be postfix related, but if anyone can 
help.


Thanks,

On 2022-02-08 14:22, Jorge Bastos wrote:


Hi Lucas,

Oh, it's so damn simple!
Thank you!!

Thank you to all the others as well, I've read all the info sent, thanks!!

Jorge

On 2022-02-07 22:57, Lucas Rolff wrote:

An option is to use  
https://doc.dovecot.org/settings/core/#core_setting-quota_full_tempfail 
- you can configure it e.g.


protocol lda {
quota_full_tempfail = yes
}

On 7 Feb 2022, at 23:41, Jorge Bastos  wrote:

Howdy,

I don't know if this is dovecot specific and I guess it may not be at 
100%, so I ask for help.


I want postfix not to discard the message immediately when a mailbox is 
full, I mean when postfix tries to deliver it to dovecot lmtp.
Is it possible to change the behavior to something like what postfix 
does when it tries to deliver a message to an external server and the 
server is inaccessible for 4 days (the default I guess), and if in that 
period discard it.


Does this exist? At least I know gmail does something similar to this.

I've tried to google a bit but didn't find info that could lead me to 
this configuration.


Thanks in advance,
Jorge

Certificate and showing a sign-cert not there

2022-02-08 Thread Wayne Spivak
Hi -

I am running Postfix 3.6.4 with Dovecot 2.3.17.1 (476cd46418).

I have a multi-signed cert from Entrust.

The cert works fine on port 25.

However, on Port 587 I get an error: c

[root@mcq wbs]# openssl s_client -connect mcq.sbanetweb.com:993 -servername mcq.sbanetweb.com
CONNECTED(0003)
depth=0 C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN = mcq.sbanetweb.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN = mcq.sbanetweb.com
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN = mcq.sbanetweb.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN = mcq.sbanetweb.com
   i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K

[root@mcq wbs]# dovecot -n
# 2.3.17.1 (476cd46418): /etc/dovecot/dovecot.conf
# OS: Linux 5.16.5-200.fc35.x86_64 x86_64 Fedora release 35 (Thirty Five)
# Hostname: mcq.sbanetweb.com
auth_mechanisms = plain login
disable_plaintext_auth = no
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
protocols = imap
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-userdb {
    group = postfix
    mode = 0666
    user = postfix
  }
}
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service submission-login {
  inet_listener submission {
    port = 587
  }
}
ssl = required
ssl_cert = 
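The s_client output above lists only entry 0 under "Certificate chain" and reports errors 20 and 21: the server sent just the leaf, so a client that does not already hold the Entrust L1K intermediate cannot build a path to a trusted root. The script below is an added example, not code from the thread or from Dovecot; it generates a throwaway root, intermediate and leaf on the spot (all names are constructed, none of this is Entrust's PKI), reproduces the failure with a leaf-only file, and shows the check passing once the intermediate is appended behind the leaf, which is the layout Dovecot's ssl_cert file needs (leaf first, then intermediates; the root itself is not required). It needs only the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce "unable to get local issuer
# certificate" with a leaf-only bundle and show the fullchain fix.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed demo hierarchy: Demo Root CA -> Demo Intermediate -> leaf.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
    -keyout root.key -out root.pem >/dev/null 2>&1

# The intermediate must carry basicConstraints CA:TRUE or OpenSSL will not
# accept it as an issuer when it appears as an untrusted chain member.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout int.key -out int.csr >/dev/null 2>&1
openssl x509 -req -days 2 -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.ext -out int.pem >/dev/null 2>&1

printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mail.example.test\n' > leaf.ext
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
    -keyout leaf.key -out leaf.csr >/dev/null 2>&1
openssl x509 -req -days 2 -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -extfile leaf.ext -out leaf.pem >/dev/null 2>&1

# What ssl_cert should point at: the leaf followed by every intermediate.
cat leaf.pem int.pem > fullchain.pem

# Number of certificates in a PEM bundle; 1 means the chain is missing.
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Print subject/issuer of each certificate in BUNDLE in file order, so the
# linkage can be read off: each issuer should equal the next subject.
list_chain() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Verify the first certificate in BUNDLE against the trust anchor ROOT, with
# the rest of BUNDLE offered as untrusted intermediates, which is exactly
# what a mail client that trusts only ROOT does. Prints complete/incomplete.
chain_status() {
    root=$1; bundle=$2
    if openssl verify -CAfile "$root" -untrusted "$bundle" "$bundle" >/dev/null 2>&1; then
        echo complete
    else
        echo incomplete
    fi
}

echo "== leaf only (what the server in the post sends) =="
list_chain leaf.pem
echo "$(cert_count leaf.pem) cert(s): chain $(chain_status root.pem leaf.pem)"
echo "== leaf + intermediate (what ssl_cert should contain) =="
list_chain fullchain.pem
echo "$(cert_count fullchain.pem) cert(s): chain $(chain_status root.pem fullchain.pem)"
```

Against a live server the same check is `openssl s_client -connect host:993 -servername host -showcerts </dev/null`, saving the PEM blocks it prints to a file and running chain_status on it with the system store (`-CApath /etc/ssl/certs` in place of `-CAfile`); a "Certificate chain" listing that stops at entry 0 means no intermediate was sent. Note that the command in the post probes port 993, so it exercises the imaps listener; to test the submission service on 587, add `-starttls smtp` and point at that port.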

Re: sieve: destination folder lookup in database?

2022-02-08 Thread Hadmut Danisch



On 08.02.22 15:37, Sami Ketola wrote:
Maybe you should check the extdata plugin for pigeonhole: 
https://doc.dovecot.org/configuration_manual/sieve/plugins/extdata/



I had seen that. But after reading that page it appeared to me rather as 
a lookup for static data, e.g. the vacation message given on the page 
as an example.



I've seen from the example that sieve can look up the vacation message 
with the box owner's mail address as an index, configured in 
/etc/dovecot/pigeonhole-sieve.dict, i.e. vacation message per recipient, 
but not how to use the sender's address as an index to look up the folder 
name.




regards

Hadmut



Re: sieve: destination folder lookup in database?

2022-02-08 Thread Sami Ketola


> On 8. Feb 2022, at 3.59, Hadmut Danisch  wrote:
> 
> I found that dovecot's sieve has some database connections, e.g. LDAP or
> 
> https://doc.dovecot.org/configuration_manual/sieve/dict/
> 
> but rather to receive the whole sieve script for a given recipient as the 
> owner of the mailbox.
> 
> 
> Is there a way to determine the target folder where to drop a mail into 
> quickly by the sender's address, even for thousands, without the need to 
> compare every single one of them?


Maybe you should check the extdata plugin for pigeonhole: 
https://doc.dovecot.org/configuration_manual/sieve/plugins/extdata/ 


Sami



Re: On mailbox full, retry for 4 days or similar instead of reject

2022-02-08 Thread Jorge Bastos

Hi Lucas,

Oh, it's so damn simple!
Thank you!!

Thank you to all the others as well, I've read all the info sent, thanks!!

Jorge

On 2022-02-07 22:57, Lucas Rolff wrote:

An option is to use  
https://doc.dovecot.org/settings/core/#core_setting-quota_full_tempfail 
- you can configure it e.g.


protocol lda {
quota_full_tempfail = yes
}


On 7 Feb 2022, at 23:41, Jorge Bastos  wrote:

Howdy,

I don't know if this is dovecot specific and I guess it may not be at 
100%, so I ask for help.


I want postfix not to discard the message immediately when a mailbox is 
full, I mean when postfix tries to deliver it to dovecot lmtp.
Is it possible to change the behavior to something like what postfix 
does when it tries to deliver a message to an external server and the 
server is inaccessible for 4 days (the default I guess), and if in 
that period discard it.


Does this exist? At least I know gmail does something similar to 
this.


I've tried to google a bit but didn't find info that could lead me to 
this configuration.


Thanks in advance,
Jorge

Re: On mailbox full, retry for 4 days or similar instead of reject

2022-02-08 Thread Anne Bennett


>> I want postfix not to discard the message immediately when a mailbox is
>> full, I mean when postfix tries to deliver it to dovecot lmtp.

> if you set "quota_full_tempfail" to "yes" in Dovecot's lda.conf, it
> should answer with a temporary failure-code 422 instead of permanent
> 522. (at least the code of lmtp_local_rcpt_reply_overquota() says so)

Here's another possibility, via Postfix's configuration:

  # Convert over quota to temporary failure.
  lmtp_delivery_status_filter = pcre:/local/data/postfix/pcre_lmtp_dsn_filter
  lmtp_reply_filter   = pcre:/local/data/postfix/pcre_lmtp_dsn_filter

  # warn sender if temporarily undeliverable, just like sendmail would.
  delay_warning_time = 4h

... where pcre_lmtp_dsn_filter contains something like this, adapted
as needed to the actual messages generated at your site:

  # Convert 5xx permanent failure to 4xx temporary failure:
  /^5(\d\d) 5(\.\d+\.\d+ \S+ Not enough disk quota)/ 4$1 4$2



Anne.
-- 
Ms. Anne Bennett, Senior Sysadmin, ENCS, Concordia University, Montreal H3G 1M8
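The pcre table above rewrites the SMTP code and the enhanced status code together, so Postfix sees a 4xx/4.x.x reply and defers instead of bouncing. The script below is an added example, not part of the post or of Postfix, that applies the same kind of rule in Python to a few constructed LMTP replies so the pattern can be checked before it goes into main.cf. The sample replies are made up for the demo; the over-quota line follows the form Dovecot's LMTP server sends (552 5.2.2 ... Quota exceeded ..., or 452 4.2.2 when quota_full_tempfail is on), so the pattern here matches "quota" in the text rather than the "Not enough disk quota" wording in the post, and it uses Python's `\1` where a Postfix pcre table would write `$1`.

```python
"""
Added example, not from the thread: preview a Postfix-style 5xx -> 4xx reply
filter for over-quota LMTP replies on constructed sample input.
"""
import re

# Ordered like a Postfix pcre: table, first match wins. Group 1 keeps the
# last two digits of the SMTP code and group 2 the tail of the enhanced
# status code plus the text, so "552 5.2.2 ..." becomes "452 4.2.2 ...".
# Only quota replies are rewritten; leaving other 5xx replies permanent
# matters, because tempfailing an unknown recipient would keep undeliverable
# mail in the queue for days.
OVERQUOTA_RULES = [
    (re.compile(r"^5(\d\d) 5(\.\d+\.\d+ .*\b[Qq]uota\b.*)$"), r"4\1 4\2"),
]


def filter_reply(reply, rules=OVERQUOTA_RULES):
    """Return the reply as Postfix would see it after the reply filter."""
    for pattern, replacement in rules:
        if pattern.search(reply):
            return pattern.sub(replacement, reply, count=1)
    return reply


def queue_action(reply):
    """What the queue manager does with a reply, judged by its first digit."""
    return {"2": "delivered", "4": "deferred", "5": "bounced"}.get(reply[:1], "unknown")


# Constructed sample replies in the shape Dovecot LMTP returns to Postfix.
SAMPLE_REPLIES = [
    "552 5.2.2 <alice@example.test> Quota exceeded (mailbox for user is full)",
    "550 5.1.1 <nobody@example.test> User doesn't exist: nobody@example.test",
    "451 4.3.0 <bob@example.test> Temporary internal error",
    "250 2.1.5 OK",
]


def run_filter(replies=SAMPLE_REPLIES):
    """Map each reply to (original, filtered reply, resulting queue action)."""
    result = []
    for original in replies:
        filtered = filter_reply(original)
        result.append((original, filtered, queue_action(filtered)))
    return result


if __name__ == "__main__":
    for original, filtered, action in run_filter():
        print(f"{action:9s} {original}")
        if filtered != original:
            print(f"{'':9s} -> {filtered}")
```

Once the rewrite is in place the message stays in the deferred queue and is retried until Postfix's maximal_queue_lifetime (5 days by default) runs out, at which point it bounces; the delay_warning_time setting in the post is what produces the "still trying" notice to the sender that was asked for earlier in the thread.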


Re: Too many wait in auth process

2022-02-08 Thread Sami Ketola



> On 8. Feb 2022, at 12.27, itan...@univ-brest.fr wrote:
> 
> service auth-worker {
>   client_limit = 1
>   idle_kill = 0
>   process_limit = 600
>   process_min_avail = 0
>   service_count = 1
>   vsz_limit = 18446744073709551615 B
> }

What dovecot version is this? with 2.3.17 or later you should probably use 
service_count=0 here.

That would prevent the auth-worker process from dying after each authentication and 
a new process then needing to be spawned for each authentication.

Sami




sieve script to alter subject of incoming message after lookup

2022-02-08 Thread Marc
Is it possible with sieve to :

1. get sender of an email
2. look up if this sender is present in a mailbox
3. if the sender is known, change the subject of the email.
   if the sender is not known, do nothing.
4. put/leave message in inbox.


or maybe use dictionary (not really familiar with this)

1. get sender of an email
2. look up if this sender is present in a dictionary
3. if the sender is known, change the subject of the email.
   if the sender is not known, do nothing.
4. put/leave message in inbox.

But then I need something like
1. if message is dragged into a specific mailbox/folder
2. add sender to dictionary

1. if message is removed from a specific mailbox/folder
2. remove sender from dictionary








Re: Too many wait in auth process

2022-02-08 Thread itanguy

Hello,

thank you for your advice, and sorry for not having detailed the infra


ismael> I'm currently benchmarking new hardware aimed to serve around
ismael> 70k users For now, our IMAP server have 13k users.

This doesn't help us help you.  Is this a new Raspberry Pi 4?  Is it a
dual-CPU AMD Ryzen with 128 GB of memory and fast NVMe disks?  What is
your system setup?


Sorry, I have two servers to bench :

- first one (a model like our current IMAP servers) is 18 TB HDD, 256 GB 
RAM, 8c/16t


- second (new one aimed to serve many more customers) is 24 x 14 TB (SAS 
HDD), 192 GB DDR4 2.6 GHz, 12c/24t - 2.4 GHz/3.5 GHz


OS is FreeBSD 12.2



ismael> To run imaptest, I've spawned some bench clients.

Are these tests run from remote hosts?  What kind of network are you
using?


Yes, imaptest is running from KVM remote virtual machines in the same DC.
There are some network hops between them, but few.



ismael> Each bench client can run imaptest with 1000 clients.
ismael> More than 1000 clients will load CPU of this bench client

ismael> imaptest command (command are chosen from usage stat on our other IMAP 
servers):

ismael> imaptest host=x port=xxx userfile=userfile mbox=/root/dovecot-crlf
ismael> pass=s seed=123 clients=1000 select=194 uidfetch=94 noop=70
ismael> status=82 append=49 fetch=276 list=12 store=19 expunge=22
ismael> msubs=4 search=4 logout=1 delete=81 no_pipelining

ismael> With one bench client, everything runs smoothly.

ismael> # ps aux | grep dovecot | awk '{print $11,$12,$13,$14,$15,$16,$17,$18}' 
| sort | uniq -c
ismael>      1 anvil: [221 connections] (anvil)
ismael>    1 auth: [13 wait, 0 passdb, 0 userdb] (auth)
ismael>    1 dovecot/config
ismael>    1 dovecot/imap
ismael>   84 dovecot/imap-login
ismael>    1 dovecot/log
ismael>   20 dovecot/pop3-login
ismael>    1 grep dovecot
ismael>    1 stats: [1307 connections] (stats)

ismael> When a second bench instance starts imaptest, clients
ismael> of the first and second instances begin to stall:

ismael>  1400 stalled for 20 secs in command: 1 LOGIN "fakeuser644@mailbench" "password"

So how is your dovecot authentication setup?  Are you using a mysql
backend?  LDAP?  Where is the server you're querying against?  Are you
running mysql on the same server you're running dovecot on?


In production, we use a remote galera cluster.
On benchmarking, for now, I use static for passdb and a file for userdb.




Are you running multiple dovecot servers with dovecot director in
front of them to help spread the load and to offer resilience if/when
a backend server fails?


No. I'm directly benchmarking backend.




ismael> And :

ismael> # ps aux | grep dovecot | awk '{print $11,$12,$13,$14,$15,$16,$17,$18}' 
| sort | uniq -c
ismael>    1 anvil: [221 connections] (anvil)
ismael>    1 auth: [1227 wait, 0 passdb, 0 userdb] (auth)
ismael>    1 dovecot/config
ismael>    1 dovecot/imap
ismael>   37 dovecot/imap-login
ismael>    1 dovecot/log
ismael>   20 dovecot/pop3-login
ismael>    1 grep dovecot
ismael>    1 stats: [680 connections] (stats)

ismael> Every auth go in wait, number of connection decreases.

ismael> Using mysql or a password file give same results.

Where is mysql located?
Remote one, but I'll go, for now, with a passwd-file to exclude 
potential DB problems at the beginning of benchmarking.


ismael> I have used different values for service_count with also no success.

Post your configuration details.


#doveconf -n

auth_cache_negative_ttl = 0
auth_cache_size = 100 M
auth_cache_ttl = 2 mins
auth_failure_delay = 5 secs
auth_master_user_separator = *
auth_username_chars = 
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@%+
auth_username_translation = %@
auth_verbose = yes
auth_worker_max_count = 500
base_dir = /var/run/dovecot/
default_client_limit = 10
disable_plaintext_auth = no
imap_idle_notify_interval = 30 secs
listen = 
login_greeting = xx
login_trusted_networks = xxx
mail_gid = 
mail_uid = 
mailbox_list_index = no
namespace {
  inbox = yes
  location =
  prefix = INBOX.
  separator = .
  type = private
}
namespace {
  hidden = yes
  inbox = no
  list = no
  location =
  prefix =
  separator = .
  type = private
}
passdb {
  args = password=#hidden_use-P_to_show#
  driver = static
}
plugin {
  acl = vfile
  quota = maildir:User quota
}
protocols = imap pop3

service anvil {
  client_limit = 97000
  unix_listener anvil-auth-penalty {
    mode = 00
  }
}
service auth-worker {
  client_limit = 1
  idle_kill = 0
  process_limit = 600
  process_min_avail = 0
  service_count = 1
  vsz_limit = 18446744073709551615 B
}
service auth {
  client_limit = 0
  idle_kill = 0
  process_limit = 1
  process_min_avail = 1
  service_count = 0
  vsz_limit = 1000 M
}
service imap-login {
  client_limit = 26000
  process_min_avail = 16
  service_count = 0
  vsz_limit = 1 G
}
service imap {
  drop_priv_before_exec = yes
  process_limit = 1
}

Re: On mailbox full, retry for 4 days or similar instead of reject

2022-02-08 Thread Narcis Garcia

__
I'm using this dedicated address because personal addresses aren't 
masked enough at this mail public archive. Public archive administrator 
should fix this against automated addresses collectors.

On 8/2/22 at 10:02, dc...@dvl.werbittewas.de wrote:



On 07.02.22 at 23:41, Jorge Bastos wrote:


I want postfix not to discard the message immediately when a mailbox is
full, I mean when postfix tries to deliver it to dovecot lmtp.
Is it possible to change the behavior to something like what postfix
does when it tries to deliver a message to an external server and the
server is inaccessible for 4 days (the default I guess), and if in that
period discard it.


if you set "quota_full_tempfail" to "yes" in Dovecot's lda.conf, it
should answer with a temporary failure-code 422 instead of permanent
522. (at least the code of lmtp_local_rcpt_reply_overquota() says so)

as lmtp is similar to smtp, postfix or any other MTA should honor this
and keep the message in queue until the temporary failure goes away or
the queue-timeout (in Postfix!) is reached.

d.



Thank you. I'll try this.


Re: On mailbox full, retry for 4 days or similar instead of reject

2022-02-08 Thread dc-ml



On 07.02.22 at 23:41, Jorge Bastos wrote:

> I want postfix not to discard the message immediately when a mailbox is
> full, I mean when postfix tries to deliver it to dovecot lmtp.
> Is it possible to change the behavior to something like what postfix
> does when it tries to deliver a message to an external server and the
> server is inaccessible for 4 days (the default I guess), and if in that
> period discard it.

if you set "quota_full_tempfail" to "yes" in Dovecot's lda.conf, it
should answer with a temporary failure-code 422 instead of permanent
522. (at least the code of lmtp_local_rcpt_reply_overquota() says so)

as lmtp is similar to smtp, postfix or any other MTA should honor this
and keep the message in queue until the temporary failure goes away or
the queue-timeout (in Postfix!) is reached.

d.


Re: On mailbox full, retry for 4 days or similar instead of reject

2022-02-08 Thread Aki Tuomi


> On 08/02/2022 09:09 Narcis Garcia  wrote:
> 
>  
> +1
> 
> 
> 
> Narcis Garcia
> 
> __
> I'm using this dedicated address because personal addresses aren't 
> masked enough at this mail public archive. Public archive administrator 
> should fix this against automated addresses collectors.
> On 7/2/22 at 23:41, Jorge Bastos wrote:
> > Howdy,
> > 
> > I don't know if this is dovecot specific and I guess it may not be at 
> > 100%, so I ask for help.
> > 
> > I want postfix not to discard the message immediately when a mailbox is 
> > full, I mean when postfix tries to deliver it to dovecot lmtp.
> > Is it possible to change the behavior to something like what postfix 
> > does when it tries to deliver a message to an external server and the 
> > server is inaccessible for 4 days (the default I guess), and if in that 
> > period discard it.
> > 
> > Does this exist? At least I know gmail does something similar to this.
> > 
> > I've tried to google a bit but didn't find info that could lead me to 
> > this configuration.
> > 
> > Thanks in advance,
> > Jorge
> > 

Hi!

LMTP has no queueing mechanism, so the retry should be done with Postfix. Maybe 
ask in the postfix list how to make it treat LMTP quota/disk full as temporary 
error? 

Aki