Re: OpenBSD site’s new look

2023-06-05 Thread justina colmena ~biz
Any low cost VPS providers that support OpenBSD? I ask because I'm stuck on 
OpenVZ Linux-kernel-only "paravirtualization" etc. w/ a wiki or two floating 
around.

The "KVM" VPS solutions offered by some providers will run OpenBSD, but then 
the underlying hardware gets hacked and that's been well reported by the 
OpenBSD team, but no move to fix h/w & microcode bugs on the part of mfgs.

People are "at work" on or off the clock or on strike and no amateur or small 
business stuff allowed. The professionals flooded us out with too many drugs on 
the scene.

On June 5, 2023 5:25:39 PM AKDT, Katherine Mcmillan  wrote:
>Hi TJ,
>
>I think you may have made a small oversight in your redesign:
>I'm seeing a lot of Arial, a fine font choice, and the standard Times New 
>Roman, but no weaponized Comic Sans 
>(http://www.openbsd.org/papers/bsdcan14-libressl/mgp00025.html)? What's with 
>that?
>
>-Katie
>
>From: owner-advoc...@openbsd.org  on behalf of 
>Liam Martin 
>Sent: 05 June 2023 21:02
>To: advocacy@openbsd.org 
>Subject: Re: OpenBSD site’s new look
>
>Wow, that looks like the original UI design (a.k.a bad).
>
>On 6/5/2023 5:36 PM, T.J. Townsend wrote:
>>> Hello,
>>>
>>> I designed a new look (concept) for OpenBSD’s site and was wondering if the 
>>> project would like to adopt it.
>>>
>>> https://youngunix.github.io
>> no thanks
>>
>


Re: How to get a server listed in the IMAP Test wiki?

2023-02-24 Thread justina colmena ~biz



On February 24, 2023 10:19:54 AM EST, Timo Sirainen  wrote:
> If you want, you can post them publicly here in case someone else wants to 
> verify.

Who are you doxxing? What other crimes are you confessing to publicly?

-- 
https://justina.abeja.colmena.biz/


Re: How to get a server listed in the IMAP Test wiki?

2023-02-24 Thread justina colmena ~biz
Something I can't quite place finger on here. Altogether too much Mafia, in the 
bulk email business generally, and I know Switzerland borders on Italy ...

This sounds, (albeit vaguely,) altogether too much like the thieves I seem to 
have fallen amongst lately. Two stolen trucks, three stolen laptops, another 
one wrecked, three or four stolen cell phones, passwords GPG keys, city hall 
hookers and towers and parking masters took everything the first moment I 
turned my back on it. Smashed the windows, hot wired the ignition at 4am 
assaulted me, mugged me in the street after I made a police complaint. I barely 
made it away alive. Another cop trying to arrest me without a warrant as I 
hopped a plane took a flight away from the city hall lynch mob. And the corrupt 
corporate-paid cops who previously stole my car, cell phone, digital camera, 
photos and laptop in another state, too.

And that's only the latest such violent attack. In real life. People planning 
crimes and getting away with crimes in real life. Bragging about it online is 
always what gets them caught in the end.

And so far the thieves and robbers and assailants are apparently not being 
prosecuted at all for the violent crimes they are committing but they were 
forced to let me go since there were no charges they could file against the 
victim of their horrible crimes and atrocities under color of law. And City 
Hall is still in the bedroom & bathroom business to boot.

On February 24, 2023 2:29:41 AM EST, Leander Beernaert 
 wrote:
>Hey Timo,
>
>Thanks for the quick turnaround, once we have the test results I'll contact 
>you again.
>
>Should I also include instructions on how to run a self-contained server 
>with a dummy backend so you can independently verify our results?
>
>Leander Beernaert
>Proton AG
>
>--- Original Message ---
>On Thursday, February 23rd, 2023 at 8:59 PM, Timo Sirainen  
>wrote:
>
>> On 23. Feb 2023, at 16.13, Leander Beernaert  
>> wrote:
>>
>>> Hey,
>>>
>>> We recently announced Gluon (https://github.com/ProtonMail/gluon/) our IMAP 
>>> server library we are using in Proton 
>>> Bridge (https://github.com/ProtonMail/proton-bridge). We would love to have 
>>> it listed in the IMAP Server Compliancy Status wiki page 
>>> (https://imapwiki.org/ImapTest/ServerStatus). What do we need to do or whom 
>>> do we need to contact to make this happen?
>>
>> There was so much spam that we disabled all outside access to the wiki. 
>> Maybe we should move it to github/sphinx similarly to doc.dovecot.org so we 
>> could get pull requests instead. For now just email me what you want there 
>> and I can add it.
>>
>>> Additionally, we have been running imaptest 
>>> (https://github.com/dovecot/imaptest) against our server library, but due 
>>> to variety of configuration parameters, we would really appreciate it (if 
>>> possible) if someone could point out to us the test setup used to validate 
>>> each of those servers.
>>
>> I updated the page to specify how the different columns can be tested. It's 
>> the same for all servers.
-- 
https://justina.abeja.colmena.biz/

Re: replicator: Panic: data stack: Out of memory when allocating 268435496 bytes

2023-01-06 Thread justina colmena ~biz
On Thursday, January 5, 2023 10:53:13 PM AKST Aki Tuomi wrote:
> On January 6, 2023 3:56:39 AM GMT+02:00, Gerben Wierda wrote:
> >Jan 06 00:50:31 replicator: Panic: data stack: Out of memory when
> >allocating 268435496 bytes
> >Jan 06 00:50:32 replicator: Fatal: master:
>  ...
> service replicator {
>   vsz_limit = 2G
> }
> 
> because replicator might have to use more memory, especially for larger
> indexes.
> 
> Aki
That's probably as good a short-term fix as any, but a longer term fix will 
probably require effectively "going on a diet," losing weight, cracking down on 
memory leaks, matching up every malloc() and free() and getting leaner and 
meaner with the memory allocation and Big-O time & space complexity of 
algorithms.
-- 
https://justina.abeja.colmena.biz/



Re: Permissions for dovecot logging

2022-12-30 Thread justina colmena ~biz
On Thursday, December 29, 2022 10:17:08 PM AKST Aki Tuomi wrote:
> > On 30/12/2022 05:25 EET James Moe  wrote:
> >   Permission is still denied.
> >   Where do I find information about "status=80/n/a"?
> > 
> >   I did not include all two of the syslog entries in the previous message:
> > 2022-12-29T20:17:56-0700 sma-server3 dovecot[12102]: Can't open log file
> > /data01/var/log/dovecot.log: Permission denied
> > 2022-12-29T20:17:56-0700 sma-server3 systemd[1]: dovecot.service: Main
> > process exited, code=exited, status=80/n/a
> 
> Maybe you have selinux or apparmor involved? On rhel based systems, selinux
> logs into /var/log/audit/audit.log, dmesg -T is another good thing to
> check.
> 
Status=80 I assume is the exit code dovecot threw when it couldn't open the 
log file. Whatever "int main()" is programmed to return.

On Tuesday, December 27, 2022 2:19:39 PM AKST James Moe wrote:
>  Dovecot fails to start with the error:
> Can't open log file /data01/var/log/dovecot.log: Permission denied
That error message is typical of a simple unix permission issue, nothing to do 
with selinux etc.

On Tuesday, December 27, 2022 2:19:39 PM AKST James Moe wrote:
>   Permissions:
> drwxrwxr-x 1 root   users 104 Feb 25  2018 /data01/
> drwxrwxr-x 1 sma-user3x users 102 Dec 17 14:50 /data01/var/
> drwxrwxr-x 1 sma-user3x users 146 Dec 27 15:37 /data01/var/log/
> drwxrwxr-x 1 dovecotusers  22 Dec 27 15:47 /data01/var/log/dovecot/
> 
>   "dovecot" is a member of "users".
> 
>   What "permission" am I missing?

If the process isn't running with an effective group id of "users", then it 
cannot access that directory simply by virtue of being a member of that group. 
The main program has to call setegid() with the proper group id before 
attempting to access those files.

On Tuesday, December 27, 2022 10:27:31 PM AKST Aki Tuomi wrote:
> If you want to run log as `dovecot`, you can do so with
> 
> service log {
>   user = dovecot
> }

Maybe try something like this:

service log {
   user = dovecot
   group = users
 }

Otherwise you might not have the process running with the right effective group 
id to access the log file location by unix group permissions.
-- 
https://justina.abeja.colmena.biz/
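
An added example, not part of the thread or of Dovecot's code: a model of the classic owner/group/other check applied to the directory listing James Moe posted, showing which directory blocks creation of /data01/var/log/dovecot.log for a given process identity. The `Node` type, the `first_denial` helper and the group sets passed in are assumptions for illustration; ACLs, SELinux/AppArmor and root's override are not modelled.

```python
from dataclasses import dataclass

W, X = 2, 1  # write and search (execute) permission bits


@dataclass(frozen=True)
class Node:
    path: str
    owner: str
    group: str
    mode: int  # permission bits, e.g. 0o775 for drwxrwxr-x


# Constructed from the `ls -ld` output quoted in the thread.
LISTING = [
    Node("/data01/", "root", "users", 0o775),
    Node("/data01/var/", "sma-user3x", "users", 0o775),
    Node("/data01/var/log/", "sma-user3x", "users", 0o775),
]


def granted_bits(node, user, groups):
    """Return the rwx triplet that applies to this process.

    Exactly one class is used: owner if the user owns the node, otherwise
    group if the node's group is in the process's group set, otherwise other.
    """
    if user == node.owner:
        return (node.mode >> 6) & 7
    if node.group in groups:
        return (node.mode >> 3) & 7
    return node.mode & 7


def first_denial(chain, user, groups):
    """Find the first directory that blocks creating a file in chain[-1].

    Every directory on the way needs search (x); the final directory needs
    write and search (wx). Returns (path, missing_bits) or None if allowed.
    `groups` is the set the process runs with (effective GID plus
    supplementary groups), not what /etc/group lists for the account.
    """
    for i, node in enumerate(chain):
        need = (W | X) if i == len(chain) - 1 else X
        missing = need & ~granted_bits(node, user, groups)
        if missing:
            text = "".join(c for bit, c in ((W, "w"), (X, "x")) if missing & bit)
            return node.path, text
    return None


if __name__ == "__main__":
    for groups in ({"dovecot"}, {"dovecot", "users"}):
        print(sorted(groups), "->", first_denial(LISTING, "dovecot", groups))
```

On Linux the group set a running process actually has can be read from the `Gid:` and `Groups:` lines of /proc/<pid>/status.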




Re: sasl service for other app

2022-12-12 Thread justina colmena ~biz
Okay.  Let's try this. With the snippet you posted from
"/etc/dovecot/conf.d/10-master.conf "
inside the "service auth {...}" section. 

This is from my "/etc/postfix/master.cf"

> submission inet n   -   n   -   -   smtpd
> #  -o syslog_name=postfix/submission
> 
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_sasl_type=dovecot
>   -o smtpd_sasl_path=private/auth
>   -o smtpd_sasl_security_options=noanonymous



On Thursday, December 8, 2022 4:49:06 AM AKST Shawn Heisey wrote:
> On 12/7/22 21:53, Henry R wrote:
> > can dovecot run as a general sasl service for other apps? such as webdav.
> 
> I am using dovecot to provide authentication for postfix submission. 
> This is the config in postfix:
> 
> smtpd_sasl_type = dovecot
> # Referring to /var/spool/postfix/private/auth
> smtpd_sasl_path = private/auth
> 
> In /etc/dovecot/conf.d/10-master.conf I have this:
> 
>   unix_listener /var/spool/postfix/private/auth {
>     mode = 0666
>     user = postfix
>     group = postfix
>   }
> 
> If the application supports using a socket for sasl, then I would
> imagine that Dovecot should work.
> 
> Postfix is using the same postfixadmin database for email addresses that
> Dovecot is, but for authentication, it's all Dovecot.
> 
> I should probably look into Dovecot's submission support so I don't need
> to have postfix using that auth socket, just haven't found the time.
> 
> Thanks,
> Shawn


-- 
https://justina.abeja.colmena.biz/




Re: sasl service for other app

2022-12-08 Thread justina colmena ~biz
So this should allow postfix to piggyback on top of whatever dovecot auth 
is being used.


On Thursday, December 8, 2022 4:49:06 AM AKST, Shawn Heisey wrote:

On 12/7/22 21:53, Henry R wrote:

can dovecot run as a general sasl service for other apps? such as webdav.


I am using dovecot to provide authentication for postfix 
submission.  This is the config in postfix:


smtpd_sasl_type = dovecot
# Referring to /var/spool/postfix/private/auth
smtpd_sasl_path = private/auth

In /etc/dovecot/conf.d/10-master.conf I have this:

  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }

If the application supports using a socket for sasl, then I 
would imagine that Dovecot should work.


Postfix is using the same postfixadmin database for email 
addresses that Dovecot is, but for authentication, it's all 
Dovecot.


I should probably look into Dovecot's submission support so I 
don't need to have postfix using that auth socket, just haven't 
found the time.


Thanks,
Shawn





--
https://justina.abeja.colmena.biz/


Re: sasl service for other app

2022-12-08 Thread justina colmena ~biz

https://doc.dovecot.org/configuration_manual/authentication/sql/#password-verification-by-sql-server

Perfect. However on Postfix it is more finicky.

https://www.postfix.org/SASL_README.html#auxprop_sql

Tip
If you must store encrypted passwords, you cannot use the sql auxprop plugin. Instead, 
see section "Using saslauthd with PAM", and configure PAM to look up the 
encrypted passwords with, for example, the pam_mysql module. You will not be able to use 
any of the methods that require access to plaintext passwords, such as the shared-secret 
methods CRAM-MD5 and DIGEST-MD5.


On Thursday, December 8, 2022 10:17:11 AM AKST, Alessio Cecchi wrote:

Yes,

we are using dovecot, also, for SASL only as authentication provider.

Here are some relevant parts of the configuration:

# probably not necessary but dovecot requires it so i set it to /tmp/

mail_location = maildir:/tmp/%u/Maildir:INDEX=memory

# setup a mysql database with your users and password
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}

userdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}

# here is the most important part, with this you can query SASL
# via port "12345" or via socket

service auth {
  inet_listener {
    port = 12345
  }
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}

# SASL don't support SSL
ssl = no

Ciao

On 08/12/22 05:53, Henry R wrote:

can dovecot run as a general sasl service for other apps? such as webdav.

Thanks.






Re: sasl service for other app

2022-12-08 Thread justina colmena ~biz
I suppose. Essentially create a database table and supply a custom SQL 
query for authentication. Program a PHP web form with a token to reset user 
password with a recovery email, etc. Postgres/nginx should be just as easy 
as mysql/apache.


On Wednesday, December 7, 2022 10:48:27 PM AKST, Robert Schetterer wrote:

On 08.12.22 at 06:14, justina colmena ~biz wrote:

On Wednesday, December 7, 2022 7:53:43 PM AKST, Henry R wrote:

can dovecot run as a general sasl service for other apps? such as webdav.

Thanks.


For some reason I use cyrus-sasl with postfix, but I can't get 
it to work with dovecot. Ideas? Pointers to docs online?


Usually it's easier to configure dovecot, postfix with a 
database like mysql, mysql auth with i.e. apache should be easy 
then






Re: sasl service for other app

2022-12-07 Thread justina colmena ~biz

On Wednesday, December 7, 2022 7:53:43 PM AKST, Henry R wrote:

can dovecot run as a general sasl service for other apps? such as webdav.

Thanks.


For some reason I use cyrus-sasl with postfix, but I can't get it to work 
with dovecot. Ideas? Pointers to docs online?


Re: Doveadm Move Query

2022-12-01 Thread justina colmena ~biz
Sounds like a boss at work. An "admin" doing off-beat SQL-like stuff on 
people's email. I'm a little disconcerted. I don't really use these 
commands myself or see a good use case for them, or the whole 
infrastructure built up on "doveadm" commands.


These are general purpose mailbox utilities. Something that would be much 
less confusing to fork off into a totally separate project independent of 
Dovecot. There is sifting and sorting for spam and porn and scams, but that 
isn't really a "dove(cot) admin" job.


https://wiki.dovecot.org/Tools/Doveadm
https://wiki.dovecot.org/Tools/Doveadm/Move
https://wiki.dovecot.org/Tools/Doveadm/SearchQuery

I have several virtual mailboxes but dovecot knows nothing about them. 
Postfix is configured to deliver mail for my virtual mailboxes, and my 
desktop & mobile email clients are configured with "identities" to respond 
to them.



On Thursday, December 1, 2022 12:25:52 AM AKST, Simon B wrote:

On Tue, 2 Aug 2022 at 12:58, Paul Kudla (SCOM.CA Internet Services
Inc.)  wrote:

ok u...@domain.com needs to exist before any operations can be done on it.

I discovered that dovecot does not consider a virtual mailbox active
until it is returned in the user database

see : doveadm user '*'

both accounts MUST be returned in the list (user@.net & user@.com) ...


Thanks Paul.

I finally got around to looking at this again, and for my own benefit,
and perhaps anyone else in the future, the format that eventually
worked was:

doveadm -Dv move -u u...@destination.com INBOX  user user @source.net
MAILBOX INBOX ALL

However...

the -v option does NOT as the man page indicates produce any kind of
progress counter.

 -v Enables verbosity, including progress counter.

On a medium mailbox (~1000 messages) it took about 3 minutes, with no
indication anything was being done until the prompt returned.  Maybe I
need -D -v and not -Dv?

AND,

it moved all the mails from
/var/spool/mail/virtual/source.net/user/cur but none of the emails
from  /var/spool/mail/virtual/source.net/user/new

And I have not been able to figure how to move those...

Simon






Re: moving messages between namespaces go into purge

2022-11-30 Thread justina colmena ~biz
That particular feature seems to work for me as documented. People have to 
play first-name games with mass-marketed emails, and clients crash for 
various reasons.


On Wednesday, November 30, 2022 9:23:44 AM AKST, Aki Tuomi wrote:
The reason is that MOVING a mail is same COPYING and EXPUNGING 
a mail. mdbox format retains deleted messages, even if they 
result from moving. It's not a queue as such.


With mdbox format you are supposed to run purge periodically in any case.

I am not sure what justina is again rambling about...

Aki


On 30/11/2022 19:34 EET justina colmena ~biz  wrote:

 
Mails stored as individual files in a "Maildir/" can 
conceivably be "moved" 
within the O/S file system rather than copied, but the default flatfile 
Mailbox format does require a copy-and-purge, as far as I know. ...







Re: moving messages between namespaces go into purge

2022-11-30 Thread justina colmena ~biz
Mails stored as individual files in a "Maildir/" can conceivably be "moved" 
within the O/S file system rather than copied, but the default flatfile 
Mailbox format does require a copy-and-purge, as far as I know.


/etc/postfix/main.cf:
   # DELIVERY TO MAILBOX
   #
   # The home_mailbox parameter specifies the optional pathname of a
   # mailbox file relative to a user's home directory. The default
   # mailbox file is /var/spool/mail/user or /var/mail/user.  Specify
   # "Maildir/" for qmail-style delivery (the / is required).
   #
   #home_mailbox = Mailbox
   home_mailbox = Maildir/


On Wednesday, November 30, 2022 8:24:40 AM AKST, Marc wrote:
I think it would be nice to have an option where the moving of 
messages between namespaces (by automated server scripts) would 
not result in messages ending up in the 'purge' queue.


Currently when you move these copied messages, they end up in 
the purge queue combined with messages that users deleted. I am 
more or less forced to purge the mailbox after moving GB's while 
I prefer not to do this, because I would like to keep the 
opportunity to recover from the purge queue.


Maybe there is a way to 'deduplicate' this purge queue?






Re: Can't figure out why managesieve (pigeonhole) can't connect

2022-11-22 Thread justina colmena ~biz

On Tuesday, November 22, 2022 8:25:19 AM AKST, PGNet Dev wrote:
first, confirm that you can connect/authenticate to Dovecot's 
managesieve server without Roundcube in the picture.


e.g., show the output of a successful 'openssl s_client ...' 
sieve authentication session


Subject line says it all?  I am using Roundcube, and every 


I don't like the sounds of this discussion at all, and it's not because I 
don't want it to take place or because I don't want to be aware of it. 
"Security first" is and ought to be the absolute rule, but there's a 
pernicious kid sister attitude of «fausse naïveté» showing up everywhere 
with everything email-related.


Filtering and sieving are absolute necessities, too, for obvious reasons, 
but these authentication issues with half-baked development and 
here-be-dragons code showing up in official releases are very alarming.


We need to build much stronger defenses for our email online against 
nation-state political spammers as well as aggressive drug cartels 
promoting and compelling unethical & illegal "products" and "services" 
online.


Re: [trojita] Compiling on WinXP 32bit?

2022-11-14 Thread justina colmena ~biz
This is the only email I have received on anything KDE related for some 
time, and the project website http://trojita.flaska.net/ appears to be down 
at present.


I would note two bugs:

1. The application still tends to lock up or freeze when sorting or 
searching a large number of emails, although this issue has been much 
improved since previous versions segfaulted and crashed in the same 
situations. I would suggest to make sure a good efficient "quicksort" 
algorithm is being used, and try "valgrind" or other heavy duty memory leak 
analysis on the code.


2. There does not appear to be a convenient menu option to print out emails 
in hard copy format or save to PDF with a suitable format for printing, as 
the case may be.


On Thursday, August 11, 2022 4:25:43 PM AKDT, Jan Kundrát wrote:

On Wednesday, 10 August 2022 2:01:33 CEST, Marisa Giancarla wrote:
Is it possible to compile this for WinXP 32bit? I am looking 
for a email client to be the basis of my project so I am 
curious if Trojita would be a good fit...


Our goal is to be reasonably portable, and in the past people 
reported that Trojitá builds on Windows just fine. That said, we 
have no regular CI coverage on Windows, and XP is an EOL-ed 
platform, so I have no clue how the Qt story looks like in 
there.


Why don't you give it a try and report back how well it works?

Cheers,
Jan








Re: dovecot mailing list (this mailing list), DKIM, SPF and DMARC

2022-10-21 Thread justina colmena ~biz

Trojitá, a fast Qt IMAP e-mail client
http://www.trojita.flaska.net/

I also use

http://opendkim.org/ 
http://www.trusteddomain.org/opendmarc/


as milters on Postfix

Active development, I'm sure they could all use some help, or forks for 
alternatives, I don't know, I'm not involved in development per se, just a 
user, and I have to get off the property of any of these places with my 
code before anything happens. All that Finnish osalliyhdistys and by the 
time a Swede gets online all hell breaks loose./


On Friday, October 21, 2022 1:50:43 PM AKDT, hi@zakaria.website wrote:

On 2022-10-11 14:05, Benny Pedersen wrote:

hi@zakaria.website wrote on 2022-10-11 13:42: ...


Indeed, it's because you set the following headers in dkim signing headers:-

from : subject :
date : to : message-id

Although not sure why you've added some space, as per standards 
I think only a colon-separated list is the compliant format, like 
the following:-


from:subject:date:to:message-id

Anyhow this is my final update, the previous headers set which 
I included wasn't perfect as cc header was causing trouble, 
given it can fail at some point e.g. when replying more than one 
time to the same recipient through a mailing list, and mind me 
OX and iRedMail, I had to check your signing headers set, 
hopefully you are ok for me to present it here as the optimal 
one to avoid DKIM failures:-


OX:-
Date:From:To:In-Reply-To:References:Subject:From

IRM:-
x-mailer:message-id:in-reply-to:to:references:date:subject
:mime-version:content-transfer-encoding:content-type:from

iRedMail seems to be the best headers set given it includes 
X-Mailer header, which enhances signature validity, when client 
uses specific mail client app, although it can be faked yet one 
must know which client app the sender would use and if was able 
to have information to this length I guess signature validity 
would be an easy task to break it further.


Also, I was advised by a friend to duplicate the signing 
headers in order to disallow spoofing signature further, while I 
couldn't see how nor populate a proof of concept, I removed it 
but if someone understands it, I would appreciate their 
elaboration, surely with thanks :)


Good luck.

Zakaria.
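
An added example, not from the thread or from any DKIM implementation: what listing a header name in h= more times than it occurs in the message (often called oversigning) changes. RFC 6376 selects header instances bottom-up per name, so a name listed once leaves a later-added second instance outside the signature, while an extra listing signs its absence. The message, the addresses, the `oversign` helper and the SHA-256 digest standing in for the real signature are constructed assumptions.

```python
import hashlib
import re


def relaxed(name, value):
    """'relaxed' header canonicalization (RFC 6376 section 3.4.2), simplified."""
    value = re.sub(r"\r?\n(?=[ \t])", "", value)   # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()  # collapse runs of whitespace
    return f"{name.strip().lower()}:{value}\r\n"


def select_headers(headers, h_tag):
    """Pick the header instances covered by an h= list.

    For each name in h=, take the lowest not-yet-used instance in the message
    (bottom-up, RFC 6376 section 5.4.2). A name with no instance left selects
    nothing, which is how a signer covers the absence of a header.
    Optional whitespace around ':' in h= is tolerated.
    """
    remaining = {}
    for idx, (name, _) in enumerate(headers):
        remaining.setdefault(name.lower(), []).append(idx)
    picked = []
    for name in (n.strip().lower() for n in h_tag.split(":")):
        stack = remaining.get(name, [])
        if stack:
            picked.append(headers[stack.pop()])
    return picked


def header_digest(headers, h_tag):
    """Digest of the selected headers; stands in for the signed header hash."""
    data = "".join(relaxed(n, v) for n, v in select_headers(headers, h_tag))
    return hashlib.sha256(data.encode()).hexdigest()


def oversign(h_tag, names=("from",)):
    """Hypothetical helper: list each name in `names` one extra time in h=."""
    listed = [n.strip() for n in h_tag.split(":")]
    return ":".join(listed + list(names))


# Constructed message as the signer saw it (top of the message first).
SIGNED = [
    ("From", "Alice <alice@example.org>"),
    ("To", "list@example.net"),
    ("Subject", "Re: signing headers"),
    ("Date", "Fri, 21 Oct 2022 13:50:43 -0800"),
    ("Message-ID", "<constructed-1@example.org>"),
]

# Same message as received, with a second From: line added above the original.
RECEIVED = [("From", "Someone Else <other@example.com>")] + SIGNED


def still_verifies(h_tag):
    """True if the header hash is unchanged by the added From: line."""
    return header_digest(SIGNED, h_tag) == header_digest(RECEIVED, h_tag)


if __name__ == "__main__":
    plain = "from:subject:date:to:message-id"
    for h in (plain, oversign(plain)):
        print(f"h={h} -> still verifies with extra From: {still_verifies(h)}")
```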






Re: The end of Dovecot Director?

2022-10-21 Thread justina colmena ~biz
Nginx is an excellent suggestion for the purpose. However I do not like 
German client certificates. That is far too much "proof" of identification 
18/21++ on a public network with nowhere to hide and those of us who are 
not German citizens and do not have the advantage of a friendly local 
police jurisdiction with massive international clout and an assumed 
legitimacy for all the online surveillance, policing, and copping with 
unfounded sex charges etc. being pressed online.


Not that I care much for alcohol, but the analogy that comes to mind with 
such "proof" of identity presented across the internet as a public 
certificate is that of "public drunkenness," versus, say, "drinking 
privately in one's quarters," i.e., making an encrypted connection, and 
only then within the encrypted channel establishing identity and 
authorization with a username and password or other means of 
authentication.


On Friday, October 21, 2022 3:29:36 AM AKDT, spi wrote:

On 21.10.22 at 13:14, Amol Kulkarni wrote:

Nginx has an mail proxy for pop, imap, smtp.
Can it be used instead of director ?



Nginx can authenticate imap/smtp (and probably pop3) users. If you do that,
you can define a backend server the session is routed to. Currently I
use that approach to authenticate users by client certificates and route
them to the appropriate backend (well, I only have one ;-).

--
Cheers
spi






Re: The end of Dovecot Director?

2022-10-21 Thread justina colmena ~biz
You still need in some sense one coherent file system to store and retrieve 
the mail messages. Although a load-balance cluster would still be quite 
useful for rejecting the bulk of unauthorized connections.


I am sure in many cases a small/medium server can in fact sit and function 
quite adequately behind a large enterprise load balancing firewall and 
proxy, given the typical quantities of spam "out there" and the large 
number of bad connections typically attempted on any given system.


On Thursday, October 20, 2022 9:19:59 PM AKDT, Zhang Huangbin wrote:



On Oct 21, 2022, at 4:19 AM, Antonio Leding  wrote:

My understanding is that Director is targeted toward large 
enterprise mail installations that will incorporate several 
servers for a given function. In such an environment, Director 
would be the fore-person\traffic-cop keeping things organized & 
squared-away.


Director is used when you setup frontend servers in a 
load-balance cluster, proxy imap/pop3/lmtp/managesieve requests 
to backend Dovecot servers.


I setup load-balance cluster for clients with HAProxy + 
KeepAlived + Dovecot Director running in frontend servers, so 
sad we have to find an alternative to replace Director in such 
case.


It's not about "small/medium" servers, but the demand of 
imap/pop3/lmtp proxy service, especially in load-balance 
cluster.



Zhang Huangbin, founder of:
- iRedMail: Open source email server solution: https://www.iredmail.org/
- Spider: Lightweight, on-premises Email Archiving Software: 
https://spiderd.io








Re: Multidomain ssl config ?

2022-10-15 Thread justina colmena ~biz
Yeah. You get a better spam score and a better rep for your server if the 
hostname you use as an MX record matches the reverse DNS for its IP 
address(es) as well and everything is correct as recommended by rfc docs. 
If there's outgoing mail it's all going to use the same hostname as the 
"ehlo" I.D. anyways, isn't it?


The big bosses and professionals are cracking down on servers etc., aren't 
they? I just recently tried to set up an alternate/backup server from a 
different provider in a very authoritarian country in northwestern/central 
Europe, but they borked my billing information terminated service and 
screwed up my domain renewal and caused a lot of other grief elsewhere in 
addition. Barely managed to save myself and stay online.


So we're going to see more small and medium sites kicked off the internet, 
and even having had one's own website and email means we're not welcome on 
FB, TWTR, and friends. Just squash the competition for interstate commerce, 
because the cartels are taking over.


On Wednesday, June 29, 2022 1:25:18 PM AKDT, Paul Kudla (SCOM.CA Internet 
Services Inc.) wrote:

John please send me a direct email address


I understand what you need and my customers are all separate 
certs per domain on both sides



I spent over three months setting stuff up


I will send complete instructions for both postfix & dovecot


Plus auto scripts etc


You will need to be running a postgresql database for my stuff 
to work without mods



And running python 2.xx


  
thanks - paul

Paul Kudla
SCOM.CA Internet Services Inc.
004-1009 Byron Street South
Whitby, Ontario - Canada   L1N 4S3
Toronto   416.642.7266   Main   1.866.411.7266   Fax   1.888.892.7266

On Jun 29, 2022 at 16:39:29 EDT, John Stoffel 
 wrote:



"Maurizio" == Maurizio Caloro  writes:


Maurizio> on postfix now this seems to run, and with dovecot i need
Maurizio> also handle this two domains, but appearing this error
Maurizio> messages. like:

Why aren't you just using a single domain as the MX record for all the
domains? Then you only need one SSL cert pair for all of this, and if
you publish the right SPF records, each domain can send from the same
MX host as well.




Maurizio> Jun 29 20:49:28 Dovecot/imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>,
Maurizio> rip=a.b.c.d, lip=37.120.190.188, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:
Maurizio> ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=


Maurizio> Running with Debian Buster

Maurizio> # dovecot --version
Maurizio> 2.3.4.1 (f79e8e7e4)

Maurizio> # nmail.caloro.ch
Maurizio> local_name nmail.caloro.ch {
Maurizio>  ssl_cert =   ssl_key =   }
Maurizio> # nmail.calm-ness.ch
Maurizio> local_name nmail.calm-ness.ch {
Maurizio>  ssl_cert =   ssl_key =   }

Maurizio> thanks for possible help








Re: One-off backup

2022-10-11 Thread justina colmena ~biz
Is that a divorce? Or else a little bit better spelling and respect for the 
lady is called for? And I don't like criminals serving bogus law papers and 
hacking into my mail any more than anyone else does.

On October 10, 2022 6:57:39 AM AKDT, Ian Evans  wrote:
>I run a small email server for me and the missus. Six dovecot users.
>
>Our host is migrating our server instance. They usually (99.% lol) go
>off without a hitch.
>
>As we don't have dovecot running elsewhere, I'm assuming doveadm is the
>wrong tool.
>
>If we want to make a one-off backup prior to the migration, is shutting
>down postfix and running
>tar czf mailstorage.tgz /path/to/mail okay?
>
>Thanks.


[Freesurfer] Virtual Machine password

2022-10-10 Thread Justina Lee

To whom it may concern,

I am currently installing the Virtual Machine to run Freesurfer. I was
prompted with a password and was wondering if anyone could share with me
the password.

Thank you for your help and time.

Sincerely,
Justina
___
Freesurfer mailing list
Freesurfer@nmr.mgh.harvard.edu
https://mail.nmr.mgh.harvard.edu/mailman/listinfo/freesurfer


Re: [Freesurfer] Freeview does not show images

2022-10-07 Thread Justina Lee

Hi  Ruopeng,

I tried to run the glxgears command in the WSL Ubuntu subsystem, but it
doesn't show me the gears. I am having the same issue as this thread linked
here: https://github.com/microsoft/wslg/issues/654
I followed the advice
and downloaded the latest Intel Graphics Driver, but this did not seem to
fix the issue for me.

I also looked at the corresponding debian package installer in accordance
with my ubuntu version, and the same error occurs. How can I add a 3D
accelerator or GPU acceleration so that the glxgears command can show me
the gears?

Thanks for your help and time.

Sincerely,
Justina

On Thu, Oct 6, 2022 at 3:39 PM Wang, Ruopeng  wrote:

> Are you able to run glxgears command? Do you see spinning gears?
>
> Ruopeng
>
> On Oct 6, 2022, at 4:28 AM, Justina Lee  wrote:
>
> To whom this may concern and can help,
>
> I am currently trying to run Freeview under the Windows Subsystem Linux
> System. I can successfully download and open images, but nothing seems to
> be showing on my end (see image attached at the end).
>
> In order to find out what is preventing the X-server from correctly
> displaying graphics, I have tried to run the $ xeyes command and the eyes
> pop up, meaning that the X-windows server is working fine.
>
> Upon checking the WSL Version, I am currently using the WSL version 2.
>
> I have entered the two commands as follows:
>
> $ echo "export XDG_RUNTIME_DIR=$HOME/.xdg" >> $HOME/.bashrc
> $ echo "export DISPLAY=:0" >> $HOME/.bashrc
> Then I exited Ubuntu, and tried to run freeview again (attempting to open
> a data file T1.mgz.) This still did not produce any image in freeview,
> although it opened it up. I tried changing the window, contrast, and
> brightness but to no avail.
>
> Is there another solution?
>
> Terribly sorry and thank you so much for your time.
>
> Sincerely,
> Justina
> 

Re: [Freesurfer] Freeview does not display image

2022-10-04 Thread Justina Lee

Hello R,

Sorry I wasn’t so clear on my part. I am using ubuntu linux on the windows
subsystem linux (WSL). I followed these instructions at
https://surfer.nmr.mgh.harvard.edu/fswiki/FS7_wsl to download the WSL,
X-server, and the freesurfer.

 Is it still possible to fix the problem here internally or should I follow
the instructions sent from the link previously to download Virtual Box and
run freesurfer in this way? I have been trying to open the zip file Ubuntu
compressed image but it seems to keep crashing as I load it. I will keep
trying if the first way aforementioned is not possible.

Thank you and hope this has become a little clearer.

Sincerely,
Justina


On Mon, Oct 3, 2022 at 8:35 PM fsbuild  wrote:

> Hello Justina,
>
> We need to know what your setup is on Windows for running Linux in order
> to help with running freeview.  It reads like you are not using VirtualBox
> to run the Linux Ubuntu OS,
>
>  I do not have VirtualBox installed 
>
>
> So it’s not clear to me how you are currently running Ubuntu Linux on your
> Windows machine in order to run freeview or other freesurfer commands.  Are
> you running Ubuntu linux with the Windows Subsystem for Linux (WSL)?  Maybe
> you are connecting remotely to a linux machine via VNC or the like from
> your Windows machine ?
>
> If you don’t mind running freesurfer 7.2.0 (instead of the newest 7.3.2
> release), there is a smaller version of the VM to download from
> https://surfer.nmr.mgh.harvard.edu/fswiki/VM_67
> with setup instructions under that link.   But you would still need to
> download and install VirtualBox on your Windows machine and then download
> and install the Freesurfer Software.
>
> - R.
>
> On Oct 3, 2022, at 09:35, Justina Lee  wrote:
>
> To whom that can provide any insight,
>
> I am currently using Ubuntu on windows to open freeview to show some data.
> My issue at hand is that freeview does not show any images, despite
> changing the window levels (contrast and brightness). Using the command
> freeview -v works, and I am able to run it smoothly. When I try to open an
> mgz file, it runs fine, but I am unable to see anything.
>
>  I do not have VirtualBox installed and tried to take this advice from
> previous but I ran across the problem of downloading the course Virtual
> Machine. I do think that I do not need to download the VirtualBox and can
> continue using Ubuntu on Windows.
>
> What could be the issue with this? Should I be downloading the Virtual
> machine to run Freeview?
>
> Thank you so much for your time and I hope that my issue is not too big of
> a problem to solve.
>
> Sincerely,
> Justina
>
>

[Freesurfer] Freeview does not display image

2022-10-03 Thread Justina Lee

To whom that can provide any insight,

I am currently using Ubuntu on windows to open freeview to show some data.
My issue at hand is that freeview does not show any images, despite
changing the window levels (contrast and brightness). Using the command
freeview -v works, and I am able to run it smoothly. When I try to open an
mgz file, it runs fine, but I am unable to see anything.

 I do not have VirtualBox installed and tried to take this advice from
previous but I ran across the problem of downloading the course Virtual
Machine. I do think that I do not need to download the VirtualBox and can
continue using Ubuntu on Windows.

What could be the issue with this? Should I be downloading the Virtual
machine to run Freeview?

Thank you so much for your time and I hope that my issue is not too big of
a problem to solve.

Sincerely,
Justina


RE: Re[4]: Pigeonhole redirect is adding a message-id header when it already exists

2022-10-01 Thread justina colmena ~biz
These are real people with bank accounts? Get paid? Have money for breakfast 
lunch dinner and a roof over their heads?

Just asking because my own bank account stupidly enough requires a phone number 
to log in online whether or not I even have an email address.

And the POTS (Plain Old Telephone Service) system, including cell phone 
service, unlike the internet at large which is based on open standards, is a 
highly proprietary closed-source-only multinational corporate fee-for-service 
system based on billing and debt collections for long distance calls, mostly 
owned by fraudsters, blackmailers, thieves, extortioners and hackers, and 
subject to strict intellectual property restrictions and intelligence 
surveillance by various governments and nation-states as well as court orders 
relating to domestic violence restraining orders, no-contact orders and various 
other "established" service of process in local small town court systems to 
obstruct or deny access.

AT&T and friends have been around since the early railroad days, and there are 
people who need to be SERVED here like no one has ever been served in over 150 
years in the United States.

On October 1, 2022 3:52:43 AM AKDT, Marc  wrote:
>> >Oct  1 13:31:46  sendmail[30321]: 291BVjjx030318:
>> to=, delay=00:00:01, xdelay=00:00:01, mailer=esmtp,
>> pri=122536, relay=gmail-smtp-in.l.google.com. [142.250.102.27],
>> dsn=2.0.0, stat=Sent (OK  1664623906 gs19-
>> 20020a1709072d1300b00777a40d515dsi4096082ejc.456 - gsmtp)
>> >
>> >I just tested for you, enabled the sieve forward, send test mail and
>> the forward is being accepted by google.
>> >
>> >
>> 
>> Thanks for the test. However, did your test mail have a "bogus"
>> Message-ID header in it like I tried to explain ?
>> 
>
>You wrote in the original email the message was rejected. Sorry I don't have 
>login access to my gmail test account anymore since the google @#$%@#$% wanted 
>to have me add a phone number. 

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: [Freesurfer] Freesurfer: fs_install_mcr: Unzip command not found

2022-09-30 Thread Justina Lee

Hi Paul,

Redownloading freesurfer seems to have done the trick, but I still come
across the issue with loading data and seeing nothing on freeview. Hope you
can help me with this tiny problem.

Sincerely,
Justina

On Fri, Sep 30, 2022 at 10:10 AM Justina Lee  wrote:

> Hi Paul,
>
> Thank you for all your help with some technical issues.
> I was wondering if you could help me with one tiny issue I have been
> unable to solve, which is the usage of freeview on my computer.
> The installation has been completed successfully, but when I try to open
> any data, I seem to not see anything. Upon trying again recently, now
> opening freeview does not seem to work at all. (For example, trying to run
> the command freeview -v T1.mgz does not produce a freeview to open up on
> another window.)
> Could you help me with this? I'm sorry for the troubles once more.
>
> Sincerely,
> Justina
>
> On Thu, Sep 15, 2022 at 4:00 PM Wighton, Paul 
> wrote:
>
>> One more note:
>>
>> The command:
>> export SUBJECTS_DIR=/home/ylee6/ADIPA_data
>>
>> May or may not work, depending on the type of shell environment you are
>> using.  If it doesn't work, you can try:
>> setenv SUBJECTS_DIR /home/ylee6/ADIPA_data
>>
>> To set the environment variable
>>
>> -Paul
>> --
>> *From:* freesurfer-boun...@nmr.mgh.harvard.edu <
>> freesurfer-boun...@nmr.mgh.harvard.edu> on behalf of Wighton, Paul <
>> pwigh...@mgh.harvard.edu>
>> *Sent:* Thursday, September 15, 2022 9:56 AM
>> *To:* Freesurfer support list 
>> *Subject:* Re: [Freesurfer] Freesurfer: fs_install_mcr: Unzip command
>> not found
>>
>> Hi Justina,
>>
>> Ok so on your computer, the subjects are located in
>> /home/ylee6/ADIPA_data, but the SUBJECTS_DIR environment variable is set to
>> /usr/local/freesurfer/7.3.2/subjects.
>>
>> There are two ways we can fix this.
>>
>> 1) We can change the SUBJECTS_DIR environment variable and then run
>> segmentHA_T1.sh:
>>
>> export SUBJECTS_DIR=/home/ylee6/ADIPA_data
>> segmentHA_T1.sh 26
>>
>> 2) Or, we can pass the subjects dir as a parameter to segmentHA_T1.sh,
>> telling it to use that directory instead of the environment variable:
>>
>> segmentHA_T1.sh 26 /home/ylee6/ADIPA_data
>>
>> You were close with your command "segmentHA_T1.sh 26
>> [/usr/local/freesurfer/7.3.2/subjects]"! Just FYI when you see a parameter
>> in square brackets ([]) it means the parameter is optional, you shouldn't
>> include the brackets when running the command.
>>
>> Glad I could be helpful,
>>
>> -Paul
>> --
>> *From:* freesurfer-boun...@nmr.mgh.harvard.edu <
>> freesurfer-boun...@nmr.mgh.harvard.edu> on behalf of Justina Lee <
>> justinale...@gmail.com>
>> *Sent:* Thursday, September 15, 2022 7:51 AM
>> *To:* Freesurfer support list 
>> *Subject:* Re: [Freesurfer] Freesurfer: fs_install_mcr: Unzip command
>> not found
>>
>> Hi Paul,
>>
>> Thank you for your help tremendously throughout this process.
>>
>> Firstly, attached you will find the requested recon-all.log for the
>> subject 26 (originally located in the path
>> /home/ylee6/ADIPA_data/26/scripts), in which at the end of the log you
>> can see that the recon-all is completed successfully.
>>
>> Secondly, with the output from the 'env' command you can see it described
>> as such below:
>>
>> SHELL=/bin/bash
>> WSL_DISTRO_NAME=Ubuntu
>> OS=Linux
>> MINC_BIN_DIR=/usr/local/freesurfer/7.3.2/mni/bin
>> FSFAST_HOME=/usr/local/freesurfer/7.3.2/fsfast
>> FREESURFER=/usr/local/freesurfer/7.3.2
>> MNI_DATAPATH=/usr/local/freesurfer/7.3.2/mni/data
>> FS_OVERRIDE=0
>> NAME=LAPTOP-63HA9ANS
>> PWD=/home/ylee6/ADIPA_data/26/mri
>> LOGNAME=ylee6
>> FUNCTIONALS_DIR=/usr/local/freesurfer/7.3.2/sessions
>> MOTD_SHOWN=update-motd
>> HOME=/home/ylee6
>> LANG=C.UTF-8
>> WSL_INTEROP=/run/WSL/8_interop
>> MINC_LIB_DIR=/usr/local/freesurfer/7.3.2/mni/lib

Re: [Freesurfer] Freesurfer: fs_install_mcr: Unzip command not found

2022-09-30 Thread Justina Lee

Hi Paul,

Thank you for all your help with some technical issues.
I was wondering if you could help me with one tiny issue I have been unable
to solve, which is the usage of freeview on my computer.
The installation has been completed successfully, but when I try to open
any data, I seem to not see anything. Upon trying again recently, now
opening freeview does not seem to work at all. (For example, trying to run
the command freeview -v T1.mgz does not produce a freeview to open up on
another window.)
Could you help me with this? I'm sorry for the troubles once more.

Sincerely,
Justina

On Thu, Sep 15, 2022 at 4:00 PM Wighton, Paul 
wrote:

> One more note:
>
> The command:
> export SUBJECTS_DIR=/home/ylee6/ADIPA_data
>
> May or may not work, depending on the type of shell environment you are
> using.  If it doesn't work, you can try:
> setenv SUBJECTS_DIR /home/ylee6/ADIPA_data
>
> To set the environment variable
>
> -Paul
> --
> *From:* freesurfer-boun...@nmr.mgh.harvard.edu <
> freesurfer-boun...@nmr.mgh.harvard.edu> on behalf of Wighton, Paul <
> pwigh...@mgh.harvard.edu>
> *Sent:* Thursday, September 15, 2022 9:56 AM
> *To:* Freesurfer support list 
> *Subject:* Re: [Freesurfer] Freesurfer: fs_install_mcr: Unzip command not
> found
>
> Hi Justina,
>
> Ok so on your computer, the subjects are located in
> /home/ylee6/ADIPA_data, but the SUBJECTS_DIR environment variable is set to
> /usr/local/freesurfer/7.3.2/subjects.
>
> There are two ways we can fix this.
>
> 1) We can change the SUBJECTS_DIR environment variable and then run
> segmentHA_T1.sh:
>
> export SUBJECTS_DIR=/home/ylee6/ADIPA_data
> segmentHA_T1.sh 26
>
> 2) Or, we can pass the subjects dir as a parameter to segmentHA_T1.sh,
> telling it to use that directory instead of the environment variable:
>
> segmentHA_T1.sh 26 /home/ylee6/ADIPA_data
>
> You were close with your command "segmentHA_T1.sh 26
> [/usr/local/freesurfer/7.3.2/subjects]"! Just FYI when you see a parameter
> in square brackets ([]) it means the parameter is optional, you shouldn't
> include the brackets when running the command.
>
> Glad I could be helpful,
>
> -Paul
> --
> *From:* freesurfer-boun...@nmr.mgh.harvard.edu <
> freesurfer-boun...@nmr.mgh.harvard.edu> on behalf of Justina Lee <
> justinale...@gmail.com>
> *Sent:* Thursday, September 15, 2022 7:51 AM
> *To:* Freesurfer support list 
> *Subject:* Re: [Freesurfer] Freesurfer: fs_install_mcr: Unzip command not
> found
>
> Hi Paul,
>
> Thank you for your help tremendously throughout this process.
>
> Firstly, attached you will find the requested recon-all.log for the
> subject 26 (originally located in the path
> /home/ylee6/ADIPA_data/26/scripts), in which at the end of the log you
> can see that the recon-all is completed successfully.
>
> Secondly, with the output from the 'env' command you can see it described
> as such below:
>
> SHELL=/bin/bash
> WSL_DISTRO_NAME=Ubuntu
> OS=Linux
> MINC_BIN_DIR=/usr/local/freesurfer/7.3.2/mni/bin
> FSFAST_HOME=/usr/local/freesurfer/7.3.2/fsfast
> FREESURFER=/usr/local/freesurfer/7.3.2
> MNI_DATAPATH=/usr/local/freesurfer/7.3.2/mni/data
> FS_OVERRIDE=0
> NAME=LAPTOP-63HA9ANS
> PWD=/home/ylee6/ADIPA_data/26/mri
> LOGNAME=ylee6
> FUNCTIONALS_DIR=/usr/local/freesurfer/7.3.2/sessions
> MOTD_SHOWN=update-motd
> HOME=/home/ylee6
> LANG=C.UTF-8
> WSL_INTEROP=/run/WSL/8_interop
> MINC_LIB_DIR=/usr/local/freesurfer/7.3.2/mni/lib

Re: [Freesurfer] Freesurfer: fs_install_mcr: Unzip command not found

2022-09-14 Thread Justina Lee

Hi Paul,

This seems to have done the trick. Thank you for guiding me through this
process, I really appreciate all your help.

My last question refers to this comment when trying to run the
segmentHA_T1.sh command:

Cannot find wmparc.mgz or norm.mgz or talairach.xfm for the subject.
Has the subject been procesed with recon-all?

I am sure that I am referring to the right path where the files are located
as well as processing the subject with recon-all already. Is there
something that I am missing?

Thank you so much for your time.

Sincerely,
Justina


On Tue, Sep 13, 2022 at 9:05 PM Wighton, Paul 
wrote:

> I think we are on the right track, but it looks like there was a space
> between FREESURFER_HOME and the equal (=) sign? It also looks like there
> was no space between '$FREESURFER_HOME' and './fs_install_mcr'?
>
> The command should be copied exactly as written:
> sudo FREESURFER_HOME=$FREESURFER_HOME ./fs_install_mcr R2019b
>
> -Paul
>
> --
> *From:* freesurfer-boun...@nmr.mgh.harvard.edu <
> freesurfer-boun...@nmr.mgh.harvard.edu> on behalf of Justina Lee <
> justinale...@gmail.com>
> *Sent:* Tuesday, September 13, 2022 2:57 PM
> *To:* Freesurfer support list 
> *Subject:* Re: [Freesurfer] Freesurfer: fs_install_mcr: Unzip command not
> found
>
> Hi Paul,
>
> I have taken your advice and run the command as shown below:
>
> ylee6@LAPTOP-63HA9ANS:~$ cd /usr/local/freesurfer/7.3.2/bin
> ylee6@LAPTOP-63HA9ANS:/usr/local/freesurfer/7.3.2/bin$ sudo
> FREESURFER_HOME =$FREESURFER_HOME./fs_install_mcr R2019b
> sudo: FREESURFER_HOME: command not found
>
> The same problem persists yet again :( Does the problem lie somewhere else?
>
> Sincerely,
> Justina
>
> On Tue, Sep 13, 2022 at 8:49 PM Wighton, Paul 
> wrote:
>
> Ah ok, let's try this:
>
> cd /usr/local/freesurfer/7.3.2/bin
> sudo FREESURFER_HOME=$FREESURFER_HOME ./fs_install_mcr R2019b
>
> We are appending `./` to fs_install_mcr to tell it it's in the same
> directory.  We are also passing the definition of FREESURFER_HOME into the
> 'sudo'ed' environment, because the install script relies on that.
>
> -Paul
> --
> *From:* freesurfer-boun...@nmr.mgh.harvard.edu <
> freesurfer-boun...@nmr.mgh.harvard.edu> on behalf of Justina Lee <
> justinale...@gmail.com>
> *Sent:* Tuesday, September 13, 2022 2:37 PM
> *To:* Freesurfer support list 
> *Subject:* Re: [Freesurfer] Freesurfer: fs_install_mcr: Unzip command not
> found
>
> Hi Paul,
>
> I have entered the command under this directory 
> ylee6@LAPTOP-63HA9ANS:/usr/local/freesurfer/7.3.2/bin$
> sudo fs_install_mcr R2019b and the following error persists. (sudo:
> fs_install_mcr: command not found)
>
> Could there be a reason for this?
>
> Sincerely,
> Justina
>
> On Tue, Sep 13, 2022 at 8:33 PM Wighton, Paul 
> wrote:
>
> Hi Justina,
>
> Are you in the right directory (/usr/local/freesurfer/7.3.2/bin)?
>
> Can you try `cd /usr/local/freesurfer/7.3.2/bin` then `sudo fs_install_mcr
> R2019b`?
>
> -Paul
>
> --
> *From:* freesurfer-boun...@nmr.mgh.harvard.edu <
> freesurfer-boun...@nmr.mgh.harvard.edu> on behalf of Justina Lee <
> justinale...@gmail.com>
> *Sent:* Tuesday, September 13, 2022 2:28 PM
> *To:* Freesurfer support list 
> *Subject:* Re: [Freesurfer] Freesurfer: fs_install_mcr: Unzip command not
> found
>
> Hi Paul,
>
> When I try to run the installation command with sudo, the following error
> command shows:
>
> sudo: fs_install_mcr: command not found
>
> I'm terribly sorry for the inconvenience.
>
> Sincerely,
> Justina
>
> On Tue, Sep 13, 2022 at 8:23 PM Wighton, Paul 
> wrote:
>
> Hi Justina,
>
> Ok so it looks like the install script is getting further and has
> extracted the matlab runtime environment into a temporary directory
> (/tmp/tmp.nGZQXYOgR8/install-target/v97) but during the final step, it is
> trying to move that temporary directory to a location inside the FreeSurfer
> directory (/usr/local/freesurfer/7.3.2/MCRv97) and it is once again running
> into a 'Permission Denied' error.
>
> Can you try re-installing the matlab runtime by running `sudo
> fs_install_mcr R2019b` so that the install script has permissions to write
> to the FreeSurfer directory?
>
> -Paul
>
> --
> *From:* freesurfer-boun...@nmr.mgh.harvard.edu <
> freesurfer-boun...@nmr.mgh.harvard.edu> on behalf of Just
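
The behaviour Paul describes in the quoted replies above (a script in the current directory needs `./`, and `FREESURFER_HOME` has to be passed on the `sudo` command line as one `NAME=value` word), as an added example that is not part of the thread or of FreeSurfer. `env -i` stands in for sudo's environment reset so that it runs unprivileged, and `fs_install_demo` is a constructed stub, not the real `fs_install_mcr`.

```shell
#!/bin/sh
# Added illustration; not FreeSurfer code. `env -i` is an unprivileged stand-in
# for sudo starting a command with a reset environment and its own PATH
# (the usual env_reset / secure_path sudoers defaults are assumed here).
# Like sudo, env treats leading NAME=value words as environment assignments
# and the first word without '=' as the command to run.

# Create a scratch directory holding a stub installer (constructed, hypothetical
# name fs_install_demo) that, like the real script, depends on FREESURFER_HOME.
make_demo_dir() {
    d=$(mktemp -d) || return 1
    cat > "$d/fs_install_demo" <<'EOF'
#!/bin/sh
[ -n "$FREESURFER_HOME" ] || { echo "FREESURFER_HOME is not set" >&2; exit 3; }
echo "would install $1 under $FREESURFER_HOME"
EOF
    chmod +x "$d/fs_install_demo"
    printf '%s\n' "$d"
}

# status_of DIR WORD...
# Run WORD... from DIR with an empty environment and a fixed PATH, then print
# the exit status: 127 = command not found, 3 = stub ran without
# FREESURFER_HOME, 0 = stub ran with it.
status_of() {
    dir=$1; shift
    rc=0
    ( cd "$dir" && env -i PATH=/usr/bin:/bin "$@" ) >/dev/null 2>&1 || rc=$?
    printf '%s\n' "$rc"
}

demo() {
    d=$(make_demo_dir) || return 1
    fs=/usr/local/freesurfer/7.3.2   # install path quoted in the thread

    # 1. Bare name: the current directory is not on the reset PATH.
    echo "fs_install_demo R2019b                  -> $(status_of "$d" fs_install_demo R2019b)"

    # 2. With ./ the script is found, but the variable did not survive the reset.
    echo "./fs_install_demo R2019b                -> $(status_of "$d" ./fs_install_demo R2019b)"

    # 3. The command as written in the reply: one NAME=value word, then ./script.
    echo "FREESURFER_HOME=... ./fs_install_demo   -> $(status_of "$d" "FREESURFER_HOME=$fs" ./fs_install_demo R2019b)"

    # 4. The mistyped form: a space before '=' and none before './'. The first
    #    word has no '=', so it is taken as the command name and not found.
    echo "FREESURFER_HOME =..../fs_install_demo   -> $(status_of "$d" FREESURFER_HOME "=$fs./fs_install_demo" R2019b)"

    rm -rf "$d"
}

demo
```

Passing only the variables a script needs on the `sudo` command line keeps the rest of the caller's environment out of the privileged process.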

Re: [Freesurfer] Freesurfer: fs_install_mcr: Unzip command not found

2022-09-13 Thread Justina Lee

Hi Paul,

I have taken your advice and run the command as shown below:

ylee6@LAPTOP-63HA9ANS:~$ cd /usr/local/freesurfer/7.3.2/bin
ylee6@LAPTOP-63HA9ANS:/usr/local/freesurfer/7.3.2/bin$ sudo FREESURFER_HOME
=$FREESURFER_HOME./fs_install_mcr R2019b
sudo: FREESURFER_HOME: command not found

The same problem persists yet again :( Does the problem lie somewhere else?

Sincerely,
Justina

On Tue, Sep 13, 2022 at 8:49 PM Wighton, Paul 
wrote:

> Ah ok, let's try this:
>
> cd /usr/local/freesurfer/7.3.2/bin
> sudo FREESURFER_HOME=$FREESURFER_HOME ./fs_install_mcr R2019b
>
> We are appending `./` to fs_install_mcr to tell it it's in the same
> directory.  We are also passing the definition of FREESURFER_HOME into the
> 'sudo'ed' environment, because the install script relies on that.
>
> -Paul
> --
> *From:* freesurfer-boun...@nmr.mgh.harvard.edu <
> freesurfer-boun...@nmr.mgh.harvard.edu> on behalf of Justina Lee <
> justinale...@gmail.com>
> *Sent:* Tuesday, September 13, 2022 2:37 PM
> *To:* Freesurfer support list 
> *Subject:* Re: [Freesurfer] Freesurfer: fs_install_mcr: Unzip command not
> found
>
> Hi Paul,
>
> I have entered the command under this directory 
> ylee6@LAPTOP-63HA9ANS:/usr/local/freesurfer/7.3.2/bin$
> sudo fs_install_mcr R2019b and the following error persists. (sudo:
> fs_install_mcr: command not found)
>
> Could there be a reason for this?
>
> Sincerely,
> Justina
>
> On Tue, Sep 13, 2022 at 8:33 PM Wighton, Paul 
> wrote:
>
> Hi Justina,
>
> Are you in the right directory (/usr/local/freesurfer/7.3.2/bin)?
>
> Can you try `cd /usr/local/freesurfer/7.3.2/bin` then `sudo fs_install_mcr
> R2019b`?
>
> -Paul
>
> --
> *From:* freesurfer-boun...@nmr.mgh.harvard.edu <
> freesurfer-boun...@nmr.mgh.harvard.edu> on behalf of Justina Lee <
> justinale...@gmail.com>
> *Sent:* Tuesday, September 13, 2022 2:28 PM
> *To:* Freesurfer support list 
> *Subject:* Re: [Freesurfer] Freesurfer: fs_install_mcr: Unzip command not
> found
>
> Hi Paul,
>
> When I try to run the installation command with sudo, the following error
> command shows:
>
> sudo: fs_install_mcr: command not found
>
> I'm terribly sorry for the inconvenience.
>
> Sincerely,
> Justina
>
> On Tue, Sep 13, 2022 at 8:23 PM Wighton, Paul 
> wrote:
>
> Hi Justina,
>
> Ok so it looks like the install script is getting further and has
> extracted the matlab runtime environment into a temporary directory
> (/tmp/tmp.nGZQXYOgR8/install-target/v97) but during the final step, it is
> trying to move that temporary directory to a location inside the FreeSurfer
> directory (/usr/local/freesurfer/7.3.2/MCRv97) and it is once again running
> into a 'Permission Denied' error.
>
> Can you try re-installing the matlab runtime by running `sudo
> fs_install_mcr R2019b` so that the install script has permissions to write
> to the FreeSurfer directory?
>
> -Paul
>
> --
> *From:* freesurfer-boun...@nmr.mgh.harvard.edu <
> freesurfer-boun...@nmr.mgh.harvard.edu> on behalf of Justina Lee <
> justinale...@gmail.com>
> *Sent:* Tuesday, September 13, 2022 1:58 PM
> *To:* Freesurfer support list 
> *Subject:* Re: [Freesurfer] Freesurfer: fs_install_mcr: Unzip command not
> found
>
> Thank you Paul for your help!
>
>
> This seems to have solved the issue, as I can now run the command
> fs_install_mcr R2019b. It has ended successfully with this end message
> stated below:
>
>
>
> mv: cannot move '/tmp/tmp.nGZQXYOgR8/install-target/v97' to
> '/usr/local/freesurfer/7.3.2/MCRv97': Permission denied
>
>
>
> I think this problem persists with my next issue, which is using the
> command segmentHA_T1.sh. When I try to run this command again it gives me
> the following error:
>
>
>
> ERROR: cannot find Matlab 2019b runtime in location:
>
>
>
> /usr/local/freesurfer/7.3.2/MCRv97
>
>
>
> It is looking for either:
>
>   bin/glnxa64/libmwlaunchermain.so(Linux 64b) or
>
>   bin/maci64/libmwlaunchermain.dylib (Mac 64b)
>
>
>
> The hippocampal/amygdala and brainstem modules require the (free) Matlab
> runtime.
>
> You will need to download the Matlab Compiler Runtime (MCR) for Matlab
> 2019b.
>
> To do so, please run the following command (you might need root
> permissions):
>
>
>
> fs_install_mcr R2019b
>
>
>
> I have seen that the path

Re: [Freesurfer] Freesurfer: fs_install_mcr: Unzip command not found

2022-09-13 Thread Justina Lee

Hi Paul,

I have entered the command under this directory
ylee6@LAPTOP-63HA9ANS:/usr/local/freesurfer/7.3.2/bin$
sudo fs_install_mcr R2019b and the following error persists. (sudo:
fs_install_mcr: command not found)

Could there be a reason for this?

Sincerely,
Justina

On Tue, Sep 13, 2022 at 8:33 PM Wighton, Paul 
wrote:

> Hi Justina,
>
> Are you in the right directory (/usr/local/freesurfer/7.3.2/bin)?
>
> Can you try `cd /usr/local/freesurfer/7.3.2/bin` then `sudo fs_install_mcr
> R2019b`?
>
> -Paul
>
> --
> *From:* freesurfer-boun...@nmr.mgh.harvard.edu <
> freesurfer-boun...@nmr.mgh.harvard.edu> on behalf of Justina Lee <
> justinale...@gmail.com>
> *Sent:* Tuesday, September 13, 2022 2:28 PM
> *To:* Freesurfer support list 
> *Subject:* Re: [Freesurfer] Freesurfer: fs_install_mcr: Unzip command not
> found
>
> Hi Paul,
>
> When I try to run the installation command with sudo, the following error
> command shows:
>
> sudo: fs_install_mcr: command not found
>
> I'm terribly sorry for the inconvenience.
>
> Sincerely,
> Justina
>
> On Tue, Sep 13, 2022 at 8:23 PM Wighton, Paul 
> wrote:
>
> Hi Justina,
>
> Ok so it looks like the install script is getting further and has
> extracted the matlab runtime environment into a temporary directory
> (/tmp/tmp.nGZQXYOgR8/install-target/v97) but during the final step, it is
> trying to move that temporary directory to a location inside the FreeSurfer
> directory (/usr/local/freesurfer/7.3.2/MCRv97) and it is once again running
> into a 'Permission Denied' error.
>
> Can you try re-installing the matlab runtime by running `sudo
> fs_install_mcr R2019b` so that the install script has permissions to write
> to the FreeSurfer directory?
>
> -Paul
>
> --
> *From:* freesurfer-boun...@nmr.mgh.harvard.edu <
> freesurfer-boun...@nmr.mgh.harvard.edu> on behalf of Justina Lee <
> justinale...@gmail.com>
> *Sent:* Tuesday, September 13, 2022 1:58 PM
> *To:* Freesurfer support list 
> *Subject:* Re: [Freesurfer] Freesurfer: fs_install_mcr: Unzip command not
> found
>
>
>
> Thank you Paul for your help!
>
>
> This seems to have solved the issue, as I can now run the command
> fs_install_mcr R2019b. It has ended successfully with this end message
> stated below:
>
>
>
> mv: cannot move '/tmp/tmp.nGZQXYOgR8/install-target/v97' to
> '/usr/local/freesurfer/7.3.2/MCRv97': Permission denied
>
>
>
> I think this problem persists with my next issue, which is using the
> command segmentHA_T1.sh. When I try to run this command again it gives me
> the following error:
>
>
>
> ERROR: cannot find Matlab 2019b runtime in location:
>
>
>
> /usr/local/freesurfer/7.3.2/MCRv97
>
>
>
> It is looking for either:
>
>   bin/glnxa64/libmwlaunchermain.so(Linux 64b) or
>
>   bin/maci64/libmwlaunchermain.dylib (Mac 64b)
>
>
>
> The hippocampal/amygdala and brainstem modules require the (free) Matlab
> runtime.
>
> You will need to download the Matlab Compiler Runtime (MCR) for Matlab
> 2019b.
>
> To do so, please run the following command (you might need root
> permissions):
>
>
>
> fs_install_mcr R2019b
>
>
>
> I have seen that the pathway for fs_install_mcr is located in the
> usr/local/freesurfer/7.3.2 instead of in the location stated in the error
> above. When I try to search this location there is no such existing
> directory. This can be the same for bin/glnxa64/libmwlaunchermain.so.
>
>
>
> Do I need to create a new file for where the runtime should be stored? Or
> create a file for the bin/glnxa64/libmwlaunchermain.so to be stored? Should
> the fs_install_mcr R2019b be stored under bin for this command to work?
>
> Hope you can continue to help me with my follow-up issue, I appreciate it
> a lot.
>
> Thank you so much.
>
>
>
> Sincerely,
> Justina
>
> On Tue, Sep 13, 2022 at 4:35 PM Wighton, Paul 
> wrote:
>
> Hi Justina,
>
> It looks like the matlab installer is trying to use unzip but it can't
> find it.
>
> Can you try running:
> `sudo apt-get install unzip`
>
> To install unzip then try the matlab installer again?
>
> -Paul
> --
> *From:* freesurfer-boun...@nmr.mgh.harvard.edu <
> freesurfer-boun...@nmr.mgh.harvard.edu> on behalf of You Na Lee <
> justinale...@gmail.com>
> *Sent:* Tuesday, September 13, 2022 9:01 AM
> *To:* freesurfer@nmr.mgh.harvard.edu 
> *Sub

Re: [Freesurfer] Freesurfer: fs_install_mcr: Unzip command not found

2022-09-13 Thread Justina Lee

Hi Paul,

When I try to run the installation command with sudo, the following error
command shows:

sudo: fs_install_mcr: command not found

I'm terribly sorry for the inconvenience.

Sincerely,
Justina

On Tue, Sep 13, 2022 at 8:23 PM Wighton, Paul 
wrote:

> Hi Justina,
>
> Ok so it looks like the install script is getting further and has
> extracted the matlab runtime environment into a temporary directory
> (/tmp/tmp.nGZQXYOgR8/install-target/v97) but during the final step, it is
> trying to move that temporary directory to a location inside the FreeSurfer
> directory (/usr/local/freesurfer/7.3.2/MCRv97) and it is once again running
> into a 'Permission Denied' error.
>
> Can you try re-installing the matlab runtime by running `sudo
> fs_install_mcr R2019b` so that the install script has permissions to write
> to the FreeSurfer directory?
>
> -Paul
>
> --
> *From:* freesurfer-boun...@nmr.mgh.harvard.edu <
> freesurfer-boun...@nmr.mgh.harvard.edu> on behalf of Justina Lee <
> justinale...@gmail.com>
> *Sent:* Tuesday, September 13, 2022 1:58 PM
> *To:* Freesurfer support list 
> *Subject:* Re: [Freesurfer] Freesurfer: fs_install_mcr: Unzip command not
> found
>
>
>
> Thank you Paul for your help!
>
>
> This seems to have solved the issue, as I can now run the command
> fs_install_mcr R2019b. It has ended successfully with this end message
> stated below:
>
>
>
> mv: cannot move '/tmp/tmp.nGZQXYOgR8/install-target/v97' to
> '/usr/local/freesurfer/7.3.2/MCRv97': Permission denied
>
>
>
> I think this problem persists with my next issue, which is using the
> command segmentHA_T1.sh. When I try to run this command again it gives me
> the following error:
>
>
>
> ERROR: cannot find Matlab 2019b runtime in location:
>
>
>
> /usr/local/freesurfer/7.3.2/MCRv97
>
>
>
> It is looking for either:
>
>   bin/glnxa64/libmwlaunchermain.so(Linux 64b) or
>
>   bin/maci64/libmwlaunchermain.dylib (Mac 64b)
>
>
>
> The hippocampal/amygdala and brainstem modules require the (free) Matlab
> runtime.
>
> You will need to download the Matlab Compiler Runtime (MCR) for Matlab
> 2019b.
>
> To do so, please run the following command (you might need root
> permissions):
>
>
>
> fs_install_mcr R2019b
>
>
>
> I have seen that the pathway for fs_install_mcr is located in the
> usr/local/freesurfer/7.3.2 instead of in the location stated in the error
> above. When I try to search this location there is no such existing
> directory. This can be the same for bin/glnxa64/libmwlaunchermain.so.
>
>
>
> Do I need to create a new file for where the runtime should be stored? Or
> create a file for the bin/glnxa64/libmwlaunchermain.so to be stored? Should
> the fs_install_mcr R2019b be stored under bin for this command to work?
>
> Hope you can continue to help me with my follow-up issue, I appreciate it
> a lot.
>
> Thank you so much.
>
>
>
> Sincerely,
> Justina
>
> On Tue, Sep 13, 2022 at 4:35 PM Wighton, Paul 
> wrote:
>
> Hi Justina,
>
> It looks like the matlab installer is trying to use unzip but it can't
> find it.
>
> Can you try running:
> `sudo apt-get install unzip`
>
> To install unzip then try the matlab installer again?
>
> -Paul
> --
> *From:* freesurfer-boun...@nmr.mgh.harvard.edu <
> freesurfer-boun...@nmr.mgh.harvard.edu> on behalf of You Na Lee <
> justinale...@gmail.com>
> *Sent:* Tuesday, September 13, 2022 9:01 AM
> *To:* freesurfer@nmr.mgh.harvard.edu 
> *Subject:* [Freesurfer] Freesurfer: fs_install_mcr: Unzip command not
> found
>
>
>
> To whom it may concern,
>
>
>
> Apologies for my first post, I was a little bit confounded as to how I can
> reach for help.
>
> I would like to use the segmentation of hippocampal subfields and the
> nuclei of the amygdala.
> Currently, I am working with Ubuntu on windows with Freesurfer 7.3.2.
>
>
> I am trying to install MATLAB Runtime 2019b to run the command
> segmentHA_T1.sh for the segmentation as described above. The following
> command shows the corresponding error:
>
>
>
> ylee6@LAPTOP-63HA9ANS: /usr/local/freesurfer/7.3.2/bin$ fs_install_mcr
> R2019b
>
>   % Total% Received % Xferd  Average Speed   TimeTime Time
> Current
>
>  Dload  Upload   Total   SpentLeft
> Speed
>
> 100 2657M  100 2657M0 0  10.0M  0  0:04:25  0:04:25 --:--:--
> 10.1M
>

Re: [Freesurfer] Freesurfer: fs_install_mcr: Unzip command not found

2022-09-13 Thread Justina Lee

Thank you Paul for your help!


This seems to have solved the issue, as I can now run the command
fs_install_mcr R2019b. It has ended successfully with this end message
stated below:



mv: cannot move '/tmp/tmp.nGZQXYOgR8/install-target/v97' to
'/usr/local/freesurfer/7.3.2/MCRv97': Permission denied



I think this problem persists with my next issue, which is using the
command segmentHA_T1.sh. When I try to run this command again it gives me
the following error:



ERROR: cannot find Matlab 2019b runtime in location:



/usr/local/freesurfer/7.3.2/MCRv97



It is looking for either:

  bin/glnxa64/libmwlaunchermain.so(Linux 64b) or

  bin/maci64/libmwlaunchermain.dylib (Mac 64b)



The hippocampal/amygdala and brainstem modules require the (free) Matlab
runtime.

You will need to download the Matlab Compiler Runtime (MCR) for Matlab
2019b.

To do so, please run the following command (you might need root
permissions):



fs_install_mcr R2019b



I have seen that the pathway for fs_install_mcr is located in the
usr/local/freesurfer/7.3.2 instead of in the location stated in the error
above. When I try to search this location there is no such existing
directory. This can be the same for bin/glnxa64/libmwlaunchermain.so.



Do I need to create a new file for where the runtime should be stored? Or
create a file for the bin/glnxa64/libmwlaunchermain.so to be stored? Should
the fs_install_mcr R2019b be stored under bin for this command to work?

Hope you can continue to help me with my follow-up issue, I appreciate it a
lot.

Thank you so much.



Sincerely,
Justina

On Tue, Sep 13, 2022 at 4:35 PM Wighton, Paul 
wrote:

> Hi Justina,
>
> It looks like the matlab installer is trying to use unzip but it can't
> find it.
>
> Can you try running:
> `sudo apt-get install unzip`
>
> To install unzip then try the matlab installer again?
>
> -Paul
> --
> *From:* freesurfer-boun...@nmr.mgh.harvard.edu <
> freesurfer-boun...@nmr.mgh.harvard.edu> on behalf of You Na Lee <
> justinale...@gmail.com>
> *Sent:* Tuesday, September 13, 2022 9:01 AM
> *To:* freesurfer@nmr.mgh.harvard.edu 
> *Subject:* [Freesurfer] Freesurfer: fs_install_mcr: Unzip command not
> found
>
>
>
> To whom it may concern,
>
>
>
> Apologies for my first post, I was a little bit confounded as to how I can
> reach for help.
>
> I would like to use the segmentation of hippocampal subfields and the
> nuclei of the amygdala.
> Currently, I am working with Ubuntu on windows with Freesurfer 7.3.2.
>
>
> I am trying to install MATLAB Runtime 2019b to run the command
> segmentHA_T1.sh for the segmentation as described above. The following
> command shows the corresponding error:
>
>
>
> ylee6@LAPTOP-63HA9ANS: /usr/local/freesurfer/7.3.2/bin$ fs_install_mcr
> R2019b
>
>   % Total% Received % Xferd  Average Speed   TimeTime Time
> Current
>
>  Dload  Upload   Total   SpentLeft
> Speed
>
> 100 2657M  100 2657M0 0  10.0M  0  0:04:25  0:04:25 --:--:--
> 10.1M
>
> /usr/local/freesurfer/7.3.2/bin/fs_install_mcr: line 62: unzip: command
> not found
>
>
>
> I am currently struggling to find the solution to this issue. Is the
> installation not in the correct path? Is MATLAB Runtime installed at all?
> Should an already existing matlab file be deleted?
> Any help would be much appreciated.
>
>
>
> Sincerely,
>
> Justina

Re: convert mdbox to maildir

2022-08-14 Thread justina colmena ~biz




On August 14, 2022 9:46:54 AM AKDT, lutz.niede...@gmx.net wrote:
>Yes, you are right.  The problems are not of technical nature.
>...
>We do what the customer wants us to do.  And yes, they pay pretty well for 
>working on weekends.
>...
I'm sure there are more than enough professional mental health services 
available in any given district or locality, but I'm not sure why they are 
being discussed on a technical mailing list.

If your job is technical in nature, and that's what your customers are paying 
you for, then those problems of a technical nature are precisely what you'd 
better be focusing on.

Mostly I am a semi-technical do-it-yourselfer on the principle that I just 
can't tolerate the p*rn-surfing techie crowd from Silicon Valley, CA, and I 
find that most of the time if you want the job done right, you'd better do it 
yourself, especially if it's something very specific or technical.

Which is what many people have done and consequently why so much free and open 
source software exists in the first place.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


RE: convert mdbox to maildir

2022-08-13 Thread justina colmena ~biz
*My* inbox gets filled with thousands of emails, more or less commercial 
content and trivial notifications from shopping online, and postfix crashes and 
will not accept new messages if the file "/var/mail/justina" becomes too large.

Configuring postfix to deliver the mail to "~/Maildir" solved that problem.

I still need to configure a sieve or a filter or some nicer mechanism to clear 
out messages that are either outright spam or too old or no longer of interest 
to me.

On August 13, 2022 10:00:36 AM AKDT, Marc  wrote:
>> 
>> We need to move all users from one (pretty old) installation of dovecot
>> to a new one.
>> The old one uses mdbox for users' mailboxes and maildir for
>> shared/public mailboxes.
>> The new one must be maildir only.
>
>why did you decide to move to maildir?
>
>
>

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: RHEL9 Repository

2022-08-05 Thread justina colmena ~biz


On August 5, 2022 3:30:57 PM AKDT, Peter  wrote:
>The main site doesn't currently support https but the repositories do, also 
>all packages are cryptographically signed and the signing keys are served off 
>of a secure server.
>
>The info on the site is public information that doesn't really need to be 
>secure.
>
In which case any actual content on the said site becomes injected with 
ultra-persistent linux-targeted adware, spyware, and pop-ups by any given third 
party in transit, which craps up my phone and slows down my desktop browser to 
a crawl, and then I have to update my adblocker, re-up all my security settings 
and fix all the other things that break due to spam malicious advertising on 
the internet. Plain old http is simply maddening these days. Leave the front 
door wide open for online hustlers and thieves, yeah, some people have bank 
accounts or manage actual money on their computers.

I would highly encourage a use of basic https all around: certbot/letsencrypt 
is currently free and there are many other low-cost options for https in 
conjunction with any given hosting service or platform.
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: RHEL9 Repository

2022-08-05 Thread justina colmena ~biz
/_!_\

The connection to ghettoforge.org is not secure

You are seeing this warning because this site does not support HTTPS. _Learn 
more_

[Go back]
[Continue to site]

On August 5, 2022 4:06:46 AM AKDT, Peter  wrote:
>For those who have been asking, GhettoForge 9 is now released with dovecot23 
>packages for all EL9 distributions in the gf-plus repository. These are built 
>against Rocky Linux 9 and should install and run on any EL9 distro including, 
>but not limited to:
>
>* Rocky Linux 9
>* Red Hat Enterprise Linux 9
>* Oracle Linux 9
>* Alma Linux 9
>* Scientific Linux 9
>...and more
>
>This provides the latest stable version of dovecot-2.3.19.1
>
>Please see the instructions at the following link for how to install and run 
>packages from the gf-plus repository:
>http://ghettoforge.org/index.php/Usage
>
>...and let me know if you have any difficulties or questions with these 
>packages.
>
>
>Peter Ajamian
>

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: Tracing Sieve actions

2022-07-20 Thread justina colmena ~biz
Thank you. I will have to look at "basic configuration" for sieving although I 
don't want things crashing on production.

I get too much mail at a publicly available address -- and while SPF+DKIM+DMARC 
does cut down on the bulk of obvious spam -- the spam that does get through is 
a little bit too "legitimate" to eliminate without special sieving rules.

This stuff really needs to be configurable per user without abusing root 
privileges and without futzing at the command line, or else it just isn't 
useful to the end user on the desktop or mobile device. Sieving needs to be 
either an email client thing, or else a standard interface for rules that can 
be configured and uploaded to Dovecot from the email client / reader software.

https://doc.dovecot.org/configuration_manual/sieve/configuration/#basic-configuration

On July 19, 2022 10:35:40 PM AKDT, Aki Tuomi  wrote:
>
>> On 20/07/2022 09:34 EEST Doug Hardie  wrote:
>> 
>>  
>> I encountered an interesting problem that one originator was being dumped 
>> into the Deleted file directly by my sieve.  The sieve file was quite large 
>> and it was not obvious which entry was causing the issue.  I recall there 
>> was a way to get sieve-test to show what is going on and which lines it 
>> used, but I could not replicate it tonight for anything.  I ended up having 
>> to change all the deliver to the Deleted files to something else and test 
>> one at a time to find the offending entry.  It took a long time.  How do you 
>> get sieve-test to show the actual path it took through the file?
>> 
>> -- Doug
>
>Hi Doug, take a look at 
>https://doc.dovecot.org/configuration_manual/sieve/configuration/#trace-debugging
>
>It might help.
>
>Kind regards,
>Aki

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: [Dovecot-news] CVE-2022-30550: Privilege escalation possible in dovecot when similar master and non-master passdbs are used

2022-07-08 Thread justina colmena ~biz
What? No user serviceable parts inside your car? It's a federal felony to raise 
the hood for any reason. You've got to see an authorized dealer or a 
professional mechanic for every little thing on a used car because cars are 
closed source proprietary and it's illegal to circumvent anything etc. Elon 
Musk is hard at work.

On July 7, 2022 12:59:13 PM AKDT, Noel Butler  wrote:
>On 07/07/2022 07:24, Aki Tuomi wrote:
>
>>> On 06/07/2022 16:54 EEST Aki Tuomi via Dovecot-news 
>>>  wrote:
>>> 
>>> Affected product: Dovecot IMAP Server
>>> Internal reference: DOV-5320
>>> Vulnerability type: Improper Access Control (CWE-284)
>>> Vulnerable version: 2.2
>>> Vulnerable component: submission
>>> Report confidence: Confirmed
>>> Solution status: Fixed in main
>>> Researcher credits: Julian Brook (julezman)
>>> Vendor notification: 2022-05-06
>>> CVE reference: CVE-2022-30550
>>> CVSS: 6.8 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N)
>>> 
>>> Vulnerability Details:
>>> When two passdb configuration entries exist in Dovecot configuration, which 
>>> have the same driver and args settings, the incorrect username_filter and 
>>> mechanism settings can be applied to passdb definitions. These incorrectly 
>>> applied settings can lead to an unintended security configuration and can 
>>> permit privilege escalation with certain configurations involving master 
>>> user authentication.
>>> 
>>> Dovecot documentation does not advise against the use of passdb definitions 
>>> which have the same driver and args settings. One such configuration would 
>>> be where an administrator wishes to use the same pam configuration or 
>>> passwd file for both normal and master users but use the username_filter 
>>> setting to restrict which of the users is able to be a master user.
>>> 
>>> Risk:
>>> If same passwd file or PAM is used for both normal and master users, it is 
>>> possible for attacker to become master user.
>>> 
>>> Workaround:
>>> Always authenticate master users from different source than regular users, 
>>> e.g. using a separate passwd file. Alternatively, you can use global ACLs 
>>> to ensure that only legitimate master users have privileged access.
>>> 
>>> Fix:
>>> This has been fixed in main branch. See 
>>> https://github.com/dovecot/core/compare/7bad6a24%5E..a1022072.patch
>> 
>> Two small corrections to this CVE notice... The service impacted is of 
>> course 'auth' not 'submission', and the version impacted is from 2.2 to 
>> 2.3.19.1.
>> 
>> Aki
>
>I wouldn't exactly call them "small" corrections
>
>It's like saying the left window on your 2020 car can be pushed down easily to 
>saying oh wait it's every window and you don't need a key to start the engine 
>and btw it's all cars from 2010 to 2022
>
>And if it's that serious where is the release, that's how dealing with CVEs 
>works Aki, not a CVE statement saying go to GitHub.
>
>That said, I'd assume everyone uses a separate db for support teams anyway, or 
>I'd hope so.
>
>-- 
>Regards,
>Noel Butler
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
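
The workaround in the CVE-2022-30550 advisory quoted above (authenticate master users from a different source than regular users) can be checked mechanically. The following is an added example, not part of the thread and not Dovecot's own code: a Python audit of `doveconf -n` style output that reports passdb blocks sharing the same driver and args; the sample configurations and file paths in it are constructed.

```python
"""Audit Dovecot passdb blocks for the CVE-2022-30550 precondition:
two passdb entries with identical driver and args settings."""
import sys
from collections import defaultdict

# Constructed sample: master and regular users share one passwd file and
# only username_filter separates them (the layout the advisory describes).
SAMPLE_SHARED = """\
# constructed doveconf -n excerpt
passdb {
  args = /etc/dovecot/passwd
  driver = passwd-file
  master = yes
  username_filter = admin-*
}
passdb {
  args = /etc/dovecot/passwd
  driver = passwd-file
}
userdb {
  driver = passwd
}
"""

# Constructed sample: the advisory's workaround, a separate file for masters.
SAMPLE_SEPARATE = """\
passdb {
  args = /etc/dovecot/master-users
  driver = passwd-file
  master = yes
}
passdb {
  args = /etc/dovecot/passwd
  driver = passwd-file
}
"""


def parse_passdbs(config_text):
    """Return one dict per top-level passdb block, with its starting line."""
    blocks, current, depth = [], None, 0
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            if depth == 0 and line.split()[0] == "passdb":
                current = {"line": lineno}
            depth += 1
        elif line == "}":
            depth -= 1
            if depth == 0 and current is not None:
                blocks.append(current)
                current = None
        elif current is not None and depth == 1 and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return blocks


def find_shared_sources(config_text):
    """Group passdb blocks by (driver, args) and report groups of two or more."""
    groups = defaultdict(list)
    for block in parse_passdbs(config_text):
        # Collapse whitespace so cosmetic differences in args do not hide a match.
        source = (block.get("driver", ""), " ".join(block.get("args", "").split()))
        groups[source].append(block)
    findings = []
    for (driver, args), members in groups.items():
        if len(members) < 2:
            continue
        findings.append({
            "driver": driver,
            "args": args,
            "lines": [b["line"] for b in members],
            # A master passdb in the group is the privilege-escalation case.
            "involves_master": any(
                b.get("master", "no").lower() == "yes" for b in members
            ),
        })
    return findings


if __name__ == "__main__":
    # Usage: doveconf -n > dovecot.txt; python audit.py dovecot.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SHARED
    results = find_shared_sources(text)
    for f in results:
        level = "HIGH (master passdb involved)" if f["involves_master"] else "review"
        print(f"{level}: passdb blocks at lines {f['lines']} share "
              f"driver={f['driver']!r} args={f['args']!r}")
    sys.exit(1 if results else 0)
```

A finding on a server running an affected version (2.2 to 2.3.19.1 per the correction in the thread) means the workaround has not been applied; on a patched build it is still worth reviewing, since separate sources are what the advisory recommends.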

Re: Is multi factor authentication practical/feasible?

2022-07-02 Thread justina colmena ~biz
Guns are banned and there's a night guard with a Big Mag flashlight or a 
billy club walking the beat around the bank, kicking a homeless man who 
fell asleep on the sidewalk to tell him wake up or your pocket's going to be 
picked clean by morning, because you've got too much money in your name for 
your own good anyways, if you've got any teeth left in your mouth or can 
afford the dentist's bill for that.


On Saturday, July 2, 2022 12:15:09 AM AKDT, Marc wrote:

I have a small client whose insurance company insists they
have MFA for their email to be covered under some kind of data
protection policy. Currently I have the client set up on a Debian box
for the email server coupled with roundcube for webmail. Most the users
just use roundcube but some also use their mobile devices to check ...


The two factor became necessary for the big 'moron' companies 
who decided to start using email addresses as logins so it was 
easier to track people, because in that situation you only have 
to try commonly used passwords or passwords used at a different 
application.
If you stay with an username that is not published publicly, 
the commonly known password is still useless, since you do not 
have the username.
I think for a small organization you can push this 
implementation at the insurance company. Unless of course they 
do not think ios and windows are not secure enough to store your 
username ;)









Re: Is multi factor authentication practical/feasible?

2022-06-27 Thread justina colmena ~biz

I don't see why not.

Dovecot and Postfix are entirely configurable to connect to and use any 
desired authentication mechanism through certain basic interfaces.


The main problem I have experienced with MFA is a continual battle with 
extortion, "long cons," and thievery in law -- that the thieves are able to 
obtain one of the necessary factors for authentication -- a dongle or cell 
phone app or access to a cell phone number, or surveillance intelligence on 
calls or texts, whatnot -- whether by force or deception -- and then deny 
the targeted individual access to his or her own account.


Later on, after the victim has given up, the thieves are able to obtain the 
other factors for authentication, and then proceed to social-engineer a 
false account recovery using the victim's stolen I.D. -- and then they 
often as not falsely report the victim to gullible or complicit police 
forces as the thief.


If the victim cannot be successfully accused of theft in court, the 
"thieves in law" at work with inside help in government and law enforcement 
communities are able to cast identity theft as a mental illness akin to 
dissociative identity disorder -- to which the government offers nothing 
but a mental health "recovery" plan which does not include any actual 
recovery of the stolen assets in a person's name.


* https://www.identitytheft.gov/
* https://www.robodeidentidad.gov/

Casting identity theft as a mental health issue further enables thieves to 
take control of a victim's finances by possibly being appointed as 
guardians or payees in court. For the same reasons of legalized theft, 
extortion, and wrongful appropriation through state, local, military and 
federal court systems, individuals with similar names to known criminals 
are not allowed to hold significant assets in their names or possess 
firearms or obtain employment in sensitive positions in the United States.


* https://en.wikipedia.org/wiki/Thief_in_law

On Sunday, June 26, 2022 2:52:05 PM AKDT, Steve Dondley wrote:
I have a small client whose insurance company insists they have 
MFA for their email to be covered under some kind of data 
protection policy. Currently I have the client set up on a 
Debian box for the email server coupled with roundcube for 
webmail. Most the users just use roundcube but some also use 
their mobile devices to check email. Maybe one person uses 
outlook. There’s about 5 to 10 users total. 

I know roundcube offers a MFA plugin. But I don’t have the 
foggiest idea of how an iPhone, Android device, or Outlook could 
all be set up to work with MFA with a standard dovecot/postfix 
setup. Are there any practical solutions for easily implementing 
MFA that could work across multiple devices?






Re: [EXT] Re: Dovecot v2.3.19 released

2022-05-11 Thread justina colmena ~biz
So there's an "honest abe" -- with a "dv" attached to the name -- and it's time to 
change the locks on the doors -- because apparently a couple of girls at the 
bank are working overtime doing loans and repossessions online and something is 
being served at a local bar or pub and a SWAT team is being called out Friday 
night or very early Saturday with fabricated criminal charges on any "hackers" 
who happen to be posting here 

On May 11, 2022 1:43:39 PM AKDT, "A. Schulze"  wrote:
>
>
>On 11.05.22 at 07:26, Michael Tokarev wrote:
>>> You are using something like `libssl-dv` instead of libssl, hence me 
>>> asking. It does not appear to be using the stock libssl.
>
>Hello Aki & Michael
>
>I reviewed my build and indeed found a glitch. So: sorry for the noise.
>dovecot-2.3.19 can be built with Debian/11 + Debian/openssl-1.1.1n
>
>I'm also able to build with my own openssl-1.1.1 version.
>The error occurred because I tried to build with my own openssl-3.0.2 which 
>worked with dovecot-2.3.18
>But maybe this was unsupported anyway.
>
>Andreas
>
>

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

RE: disabling namespace in special-userdb on dovecot 2.2

2022-04-21 Thread justina colmena ~biz
I have no idea what that's all about!

But my dovecot system keeps bogging down & a lot of my emails are disappearing 
and being eaten alive before I can read them ...

On April 20, 2022 4:01:38 AM AKDT, Marc  wrote:
>> 
>> Currently I have such special-userdb file
>> 
>> test:x:1:2:testaccount_descr:/home/users/testaccount:/bin/false:userdb_
>> mail=mbox:~/mbox:INBOX=/home/users/testaccount/inbox:INDEX=/home/users/testacco
>> unt/index
>> 
>> However I am still getting errors of a default configured namespace that 
>> still
>> seems to be active. Is there a way to disable this namespace or reconfigure
>> this in the userdb file? (When I was testing this on a dovecot 2.3 I did not
>> run into this)
>> 
>
>userdb_mail_debug=yes userdb_namespace/archives/disabled=yes

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: temporary block incoming messages to specific user

2022-04-20 Thread justina colmena ~biz
So the file "/var/mail/username" is a "system inbox" for the user, typically a 
flat file that will accept new mail no matter what as long as it isn't too 
large, which would indicate that the user's mailbox is full.

Some of the early text clients, mutt etc. would move any mail in the 
"/var/mail/username" inbox to a local inbox in "/home/username/Maildir" or 
"/home/username/mbox" as soon as it is seen or read from the system inbox.

Are you blocking the user from logging in, or do you just want incoming mail 
for that user to sit in the general queue until you have that person's account 
set up?

IMHO dovecot or other clients should ideally pick up any mail in the system 
inbox "/var/mail/username" and move it to a local maildir inbox in the user's 
home folder as expeditiously as possible for any further reading or sorting.

On April 20, 2022 4:39:24 AM AKDT, Marc  wrote:
>Is it possible to block incoming messages from being delivered to a specific 
>user in such a way that the MTA will try again later. I do not want these 
>message to bounce. (eg while doing some manual maintenance on the user)?
>
>
>
>
>
>
>

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Apache Solr 8.11.1 and Log4J Vulnerability

2022-04-14 Thread Tate, Justina (DTMB)
Hello,

Can you please explain how we can go about upgrading Log4J to greater than 
2.16.0.

Thank you,
Justina Tate, MBA
Senior IT Business Analyst
Michigan Department of Technology, Management & Budget Agency Services 
supporting Attorney General and MSHDA
201 N. Washington Square, Ste. 900, Lansing, MI 48933
Office:  (517) 241-2926
Email:  tat...@michigan.gov



Re: [EXT] AW: AW: AW: invalid lz4 chunk size??

2022-03-16 Thread justina colmena ~biz
What's with the "AW: AW: AW:" business? It sounds for all the world like a guy 
outbid at the Sotheby's auction or something like that. There's got to be a lot 
of artwork online with that fancy lz4 compression algorithm.

On March 16, 2022 2:32:32 AM AKDT, Joachim Lindenberg  
wrote:
>What might go wrong? Or should I copy the directory myself from remote? What 
>can go wrong with that?
>Thanks, Joachim
>
>-Original Message-
>From: Aki Tuomi  
>Sent: Wednesday, 16 March 2022 11:31
>To: Joachim Lindenberg 
>Subject: Re: [EXT] AW: AW: AW: invalid lz4 chunk size??
>
>It might, I can't promise it =)
>
>Aki
>
>> On 16/03/2022 12:29 Joachim Lindenberg  wrote:
>> 
>>  
>> With remote I am referring to the second instance of mailcow including 
>> dovecot I am running, which has dovecot replication active. I am observing 
>> the issue on just one box. Thus I am hoping  that when I remove the user 
>> mail directory on one host, replication will restore it from remote. 
>> Thanks, Joachim
>> 
>> -Original Message-
>> From: Aki Tuomi 
>> Sent: Wednesday, 16 March 2022 11:17
>> To: Joachim Lindenberg ; dovecot@dovecot.org
>> Subject: Re: AW: AW: invalid lz4 chunk size??
>> 
>> Not sure what "remote" you are talking about. You can remove the file, and 
>> dovecot will notice its absence and update its indexes if this is 
>> maildir++ format.
>> 
>> If this is sdbox, you need to run `doveadm force-resync -u user FolderName`.
>> 
>> Aki
>> 
>> > On 16/03/2022 12:08 Joachim Lindenberg  wrote:
>> > 
>> >  
>> > Hi Aki,
>> > sure I can delete (or rename) the file(s) in the mail directory. 
>> > Will sync then restore it from remote or should I do this manually? Should 
>> > I stop dovecot during the process? I am not very familiar with dovecot 
>> > yet, as most of the complexity is hidden by mailcow.
>> > Thanks, Joachim
>> > 
>> > -Original Message-
>> > From: Aki Tuomi 
>> > Sent: Wednesday, 16 March 2022 08:38
>> > To: Joachim Lindenberg ; dovecot@dovecot.org
>> > Subject: Re: AW: invalid lz4 chunk size??
>> > 
>> > Hi,
>> > 
>> > looks a lot like your mail file is corrupted. Not much you can do about it 
>> > other than maybe delete the file? You can try recover it with `doveadm 
>> > fetch -u someone text uid 1553 mailbox Sent` and then using `doveadm save 
>> > -u someone -m Sent` to store it back.
>> > 
>> > Aki
>> > 
>> > > On 16/03/2022 09:35 Joachim Lindenberg  wrote:
>> > > 
>> > >  
>> > > Nobody that can help?
>> > > Thanks,
>> > > Joachim
>> > > 
>> > > --
>> > > 
>> > > I am still experiencing the issue. Any suggestion?
>> > > As I do have replication between two nodes and only one is showing the 
>> > > issue - can I rename the mailbox easily on one side and rely on 
>> > > replication to get the copy replaced? If that makes sense, which 
>> > > commands do you recommend?
>> > > Thanks,
>> > > Joachim
>> > > 
>> > > -Original Message-
>> > > From: Joachim Lindenberg 
>> > > Sent: Thursday, 3 March 2022 12:06
>> > > To: 'Aki Tuomi' ; dovecot@dovecot.org
>> > > Subject: AW: invalid lz4 chunk size??
>> > > 
>> > > dovecot --version reports 2.3.17.1 (476cd46418) Joachim
>> > > 
>> > > -Original Message-
>> > > From: Aki Tuomi 
>> > > Sent: Thursday, 3 March 2022 11:56
>> > > To: Joachim Lindenberg ; 
>> > > dovecot@dovecot.org
>> > > Subject: Re: invalid lz4 chunk size??
>> > > 
>> > > 
>> > > > On 03/03/2022 12:24 Joachim Lindenberg  wrote:
>> > > > 
>> > > >  
>> > > > Hello,
>> > > > when accessing one mailbox via ActiveSync / SoGo / Dovecot I get the 
>> > > > following error repeatedly in dovecot log:
>> > > > imap(somemail...@example.org)<1579><***>: Error: Mailbox Sent: 
>> > > > UID=1553: read(compress()) failed: read() failed: lz4.read(): invalid 
>> > > > lz4 chunk size: 1601505441 at 16842752 (read reason=)
>> > > > I can still access the mailbox via IMAP though.
>> > > > What can I do to resolve the issue?
>> > > > Thanks,
>> > > > Joachim
>> > > 
>> > > Which version of Dovecot?
>> > > 
>> > > Aki
>

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
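
The error quoted in this thread repeats on every access to the same message, so a first triage step is to reduce the log to the distinct (user, mailbox, UID) triples it names. The following is an added example, not code from the thread or from the Dovecot project: it parses log lines of the shape quoted above and prints, for each affected message, the `doveadm fetch` / `doveadm save` pair and the `doveadm force-resync` command that Aki's replies mention. The sample log, user names and timestamp prefix are constructed.

```python
import re
import shlex

# Constructed log lines modelled on the error quoted in the thread; users,
# timestamps, sessions and the second mailbox are placeholders.
SAMPLE_LOG = """\
Mar 03 12:24:01 imap(user@example.org)<1579><AbC123>: Error: Mailbox Sent: UID=1553: read(compress()) failed: read() failed: lz4.read(): invalid lz4 chunk size: 1601505441 at 16842752 (read reason=)
Mar 03 12:24:02 imap-login: Info: Login: user=<user@example.org>, method=PLAIN, rip=192.0.2.7
Mar 03 12:24:09 imap(user@example.org)<1581><DeF456>: Error: Mailbox Sent: UID=1553: read(compress()) failed: read() failed: lz4.read(): invalid lz4 chunk size: 1601505441 at 16842752 (read reason=)
Mar 03 12:25:40 imap(other@example.org)<1602><GhI789>: Error: Mailbox Archive/2021: UID=88: read(compress()) failed: read() failed: lz4.read(): invalid lz4 chunk size: 4242424242 at 4096 (read reason=)
"""

# service(user)<pid><session>: Error: Mailbox <name>: UID=<n>: ... invalid lz4 chunk size: <size> at <offset>
LZ4_ERROR = re.compile(
    r"(?P<service>[\w-]+)\((?P<user>[^)]+)\)<(?P<pid>\d+)><(?P<session>[^>]*)>: "
    r"Error: Mailbox (?P<mailbox>.+?): UID=(?P<uid>\d+): "
    r".*?invalid lz4 chunk size: (?P<size>\d+) at (?P<offset>\d+)"
)


def find_corrupt_mails(lines):
    """Collapse repeated lz4 read errors into one entry per (user, mailbox, UID)."""
    seen = {}
    for line in lines:
        m = LZ4_ERROR.search(line)
        if not m:
            continue
        key = (m["user"], m["mailbox"], int(m["uid"]))
        entry = seen.setdefault(key, {
            "user": key[0], "mailbox": key[1], "uid": key[2],
            "hits": 0, "chunk_sizes": [], "offsets": [],
        })
        entry["hits"] += 1
        # Identical size/offset on every hit points at one damaged stored file,
        # not at a transient read problem.
        for field, value in (("chunk_sizes", int(m["size"])),
                             ("offsets", int(m["offset"]))):
            if value not in entry[field]:
                entry[field].append(value)
    return list(seen.values())


def recovery_commands(entry):
    """Build the doveadm invocations named in the thread for one affected mail."""
    user = shlex.quote(entry["user"])
    mailbox = shlex.quote(entry["mailbox"])
    return {
        # Try to read the message out, then store it back (Aki's first reply).
        "recover": [
            f"doveadm fetch -u {user} text uid {entry['uid']} mailbox {mailbox}",
            f"doveadm save -u {user} -m {mailbox}",
        ],
        # Needed after removing the file when the storage is sdbox (second reply).
        "resync_sdbox": f"doveadm force-resync -u {user} {mailbox}",
    }


if __name__ == "__main__":
    for mail in find_corrupt_mails(SAMPLE_LOG.splitlines()):
        print(f"{mail['user']} {mail['mailbox']} UID {mail['uid']}: "
              f"{mail['hits']} hit(s), chunk sizes {mail['chunk_sizes']}")
        cmds = recovery_commands(mail)
        for cmd in cmds["recover"] + [cmds["resync_sdbox"]]:
            print("   ", cmd)
```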

Re: Build with MySQL -> libmysqlclient not found

2022-02-26 Thread justina colmena ~biz



On February 26, 2022 9:07:12 AM AKST, John Stoffel  wrote:
>Dimitri> My Dovecot version: 2.3.18
>Dimitri> My Mariadb version: 10.6.5
>Dimitri> My OS: Ubuntu 20.04
>
>Why aren't you just using the Ubuntu 20.04 packaged version instead?

That's the beauty of free and open source software. We want to know how it's 
compiled and exactly what it depends on. And if we can't do it ourselves, then 
a lot of us amateurs feel like it's getting a little bit too closed-source and 
corporate for our purposes, or somehow more complicated than it needs to be. In 
which case we're looking for an alternative or a fork of the project with a 
legal license.

>Also, did you install the headers for libmysqlclient properly as
>well?
>
>What does /test/core/mariadb/includes/ or
>/test/core/includes/... show?

These are probably very good questions or problem-solving suggestions for 
"Dimitri."

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: Nasty Bug: Re: Index Corruption Problem with new VM Host - But Only With Replication Enabled

2022-02-20 Thread justina colmena ~biz
Something about this a little bit ominous.

There's a new type of "architecture" unrolling with a certain flavor, and it is 
becoming, by and by, irremediably complex. I'm not really sure where the 
stopping or turning point is, or perhaps there are other "tools" for memory 
leak detection and static code analysis that could in theory help find bugs 
like this.

Assuming the bug is in Dovecot and not in the Linux kernel or the underlying 
KVM virtualization container.

I was using a KVM that got hacked, and I'm having better luck with CentOS on 
OpenVZ at the provider on a very small scale system, but certain critical 
security bits and pieces are going missing in action.

On February 20, 2022 8:39:13 PM AKST, Reuben Farrelly  
wrote:
>Following up to my original mail:
>
>On 18/02/2022 3:59 pm, Reuben Farrelly wrote:
>> Hi,
>>
>> I've recently migrated my two VMs across from Linode (who use KVM) 
>> onto a local VPS service (which also uses KVM).  Since doing so I have 
>> started to see some strange problems with Dovecot relating to indexes 
>> and replication.
>>
>> I have copied the configuration files across from old host to new 
>> host. The kernel is the same - as this is Gentoo everything was 
>> rebuilt and installed from fresh, but with the same options (use 
>> flags).  Even the Linux kernel is the same version with the exact same 
>> options (as is Dovecot).  The filesystem is the same EXT4 with the 
>> same options too.
>>
>No one responded from here (is anyone helping on this list anymore?) but 
>after many hours I found out the problem was to do with replication on 
>the far end host, and not anything to do with either the new VPS or the 
>existing dovecot or linux config.
>
>It turns out that if there is an existing Maildir/ in the user's 
>directory on the remote replica, the initial sync from the master 
>fails.  It may fail early on in the sync, or at the end of the initial 
>replication but either way it fails and the user ends up with a mailbox 
>in a half sync'd state.  Even if the remote Maildir is completely empty 
>as mine were, it fails - it is the mere presence of the Maildir/ 
>directory on the remote that breaks the sync. Typically new users have a new 
>and empty Maildir (copied from /etc/skel) so it fails for them by default.
>
>Once I deleted the Maildir/ from the remote user's home directory and 
>the entire contents of a half replica, then dovecot created a new 
>Maildir and everything was able to sync through on all users to completion.
>
>To reproduce this: create a new user with an empty (Maildir/new 
>Maildir/cur and Maildir/tmp)  and then trigger the sync with debug 
>manually:       doveadm -v -D sync -u username -f tcp:imap2.reub.net:4814
>
>Here - with a completely empty and brand new Maildir/ on both master and 
>remote replica we can see it already fails:
>
>tornado ~ # doveadm -v -D sync -u testuser -f tcp:imap2.reub.net:4814
>Debug: Loading modules from directory: /usr/lib64/dovecot/doveadm
>Debug: Skipping module doveadm_acl_plugin, because dlopen() failed: 
>/usr/lib64/dovecot/doveadm/lib10_doveadm_acl_plugin.so: undefined 
>symbol: acl_user_module (this is usually intentional, so just ignore 
>this message)
>Debug: Skipping module doveadm_quota_plugin, because dlopen() failed: 
>/usr/lib64/dovecot/doveadm/lib10_doveadm_quota_plugin.so: undefined 
>symbol: quota_user_module (this is usually intentional, so just ignore 
>this message)
>Debug: Module loaded: 
>/usr/lib64/dovecot/doveadm/lib10_doveadm_sieve_plugin.so
>Debug: Skipping module doveadm_fts_plugin, because dlopen() failed: 
>/usr/lib64/dovecot/doveadm/lib20_doveadm_fts_plugin.so: undefined 
>symbol: fts_user_get_language_list (this is usually intentional, so just 
>ignore this message)
>Debug: Skipping module doveadm_mail_crypt_plugin, because dlopen() 
>failed: /usr/lib64/dovecot/doveadm/libdoveadm_mail_crypt_plugin.so: 
>undefined symbol: mail_crypt_box_get_pvt_digests (this is usually 
>intentional, so just ignore this message)
>Feb 21 16:31:51 Debug: Loading modules from directory: /usr/lib64/dovecot
>Feb 21 16:31:51 Debug: Module loaded: 
>/usr/lib64/dovecot/lib15_notify_plugin.so
>Feb 21 16:31:51 Debug: Module loaded: 
>/usr/lib64/dovecot/lib20_replication_plugin.so
>Feb 21 16:31:51 Debug: Loading modules from directory: 
>/usr/lib64/dovecot/doveadm
>Feb 21 16:31:51 Debug: Skipping module doveadm_acl_plugin, because 
>dlopen() failed: /usr/lib64/dovecot/doveadm/lib10_doveadm_acl_plugin.so: 
>undefined symbol: acl_user_module (this is usually intentional, so just 
>ignore this message)
>Feb 21 16:31:51 Debug: Skipping module doveadm_quota_plugin, because 
>dlopen() failed: 
>/usr/lib64/dovecot/doveadm/lib10_doveadm_quota_plugin.so: undefined 
>symbol: quota_user_module (this is usually intentional, so just ignore 
>this message)
>Feb 21 16:31:51 Debug: Skipping module doveadm_fts_plugin, because 
>dlopen() failed: /usr/lib64/dovecot/doveadm/lib20_doveadm_fts_plugin.so: 
>undefined symbol: 

Re: Unable to connect from macOS mail client

2022-02-19 Thread justina colmena ~biz
So presumably the entire contents of the ssl public and/or private key could be 
included verbatim in the configuration file without the "<" input pipeline 
redirection symbol.

On February 19, 2022 5:25:15 AM AKST, Bernardo Reino  wrote:
>On Sat, 19 Feb 2022, necktwi wrote:
>
>> After adding “<“ before ssl_ca file path, macOS mail client complained no 
>> more. Why do we need “<“ before file paths? — Necktwi
>
>Because the manual says so? :)
>
>"The < is mandatory. It indicates that the variable should contain contents of 
>the file, instead of the file name. Not using it will cause an error."
>(https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/)
>
>Or is it a rhetorical question?
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

RE: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC

2022-02-12 Thread justina colmena ~biz
Google's corporate web page, Alphabet, Inc., is on the ".xyz" top level domain.

* https://abc.xyz/

I suppose Sergey Brin is Russian as well, so what have you there?

Perhaps you have inadvertently confused ".xyz" with the ".xxx" TLD. The popular 
grade school acronym for "eXamine Your Zipper" is obviously not commercially 
desirable for the same purposes, although I cannot vouch for particular 
instances.


On February 12, 2022 5:51:12 AM AKST, Marc  wrote:
>
>
>> 
>>   (sorry for posting to list this, but I don't have any ways to contact
>> Marc off-list now)
>> 
>> >>
>> >>Problem is, I need to unpack each of them to be sure, that these are
>> >> false positives and I'm afraid, that it could lower reputation of my
>> mail
>> >> server IP address with major providers (like Google Mail).
>> >>
>> >
>> > How can you get a lower reputation? Afaik dmarc is just signing your
>> outgoing messages.
>>   Marc, my domain already has problems sending mail to you, for example:
>> 
>> : host spam1.roosit.eu[212.26.193.45] said: 553
>> 5.3.0
>>  550We have blocked this toplevel because of spam. Use another
>> toplevel
>>  until the maintainer has resolved these issues (in reply to MAIL FROM
>>  command)
>> 
>> --
>
>.ru is not blocked. The connect is originating from a .xyz host.
>
>
>

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: Sv: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC

2022-02-12 Thread justina colmena ~biz
The ".top" TLD is popular among Russian spammers, ".ru" is a little too obvious 
and honest for what it is, unless that's part of Biden's sanctions, the others 
you mention look like vice domains, but looking at GitHub:

* https://github.com/dovecot

There's an "Oy" which is a Finnish "osalliyhdistys" and a ".fi" -- I have not 
heard of recent hostility between Finland and Russia, notwithstanding the 
Ukraine situation. Your mail client is all configured in Swedish, but Sweden & 
Finland are not officially part of NATO, AFAIK, and Sweden has its own currency 
whereas Finland did give up the markka in exchange for the Euro some 20-odd 
years ago I don't recall.


On February 12, 2022 2:58:03 AM AKST, Sebastian Nielsen  
wrote:
>That's a TLD ban. Meaning *.ru is banned.
>
>same applies for my domain for example, I ban *.xyz, *.date and a few others.
>
>-Original Message-
>From: dovecot-boun...@dovecot.org  On Behalf Of Lev 
>Serebryakov
>Sent: 12 February 2022 12:08
>To: dovecot@dovecot.org
>Subject: Re: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC
>
>On 11.02.2022 16:31, Marc wrote:
>
>  (sorry for posting to list this, but I don't have any ways to contact Marc 
> off-list now)
>
>>>
>>>Problem is, I need to unpack each of them to be sure, that these 
>>> are false positives and I'm afraid, that it could lower reputation of 
>>> my mail server IP address with major providers (like Google Mail).
>>>
>> 
>> How can you get a lower reputation? Afaik dmarc is just signing your 
>> outgoing messages.
>  Marc, my domain already has problems sending mail to you, for example:
>
>: host spam1.roosit.eu[212.26.193.45] said: 553 5.3.0
> 550We have blocked this toplevel because of spam. Use another toplevel
> until the maintainer has resolved these issues (in reply to MAIL FROM
> command)
>
>--
>// Black Lion AKA Lev Serebryakov
>

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC

2022-02-09 Thread justina colmena ~biz
Google, Yahoo and Microsoft, the big providers all use ARC, and have used it 
for years. But Wikipedia doesn't have much nice to say about it.

--> allows a receiving service to validate an email when the email's SPF and 
DKIM records are rendered invalid by an intermediate server's processing. ARC 
is defined in RFC 8617, published in July 2019, as "Experimental".

It sounds like a Microsoft/Google/corporate standard, not IETF. I do seem to 
have trouble communicating with insurance companies' email systems in 
particular when I'm not using ARC on my email system, but outside the insurance 
industry -- and I'm making an educated guess that they are the main sticklers 
-- it doesn't seem to be a problem if SPF, DKIM, and DMARC are all working.


On February 9, 2022 6:16:19 AM AKST, Benny Pedersen  wrote:
>On 2022-02-09 14:33, Aki Tuomi wrote:
>> We did that replacement for a while, but people complained. We have
>> ARC signing there, unfortunately it only works if you trust it.
>
>ARC-Authentication-Results: i=1; talvi.dovecot.org;
>  dkim=pass header.d=open-xchange.com header.s=201705 header.b=kWkbHwXq;
>  dmarc=pass (policy=reject) header.from=open-xchange.com;
>  spf=pass (talvi.dovecot.org: domain of aki.tu...@open-xchange.com 
>designates
>  87.191.57.183 as permitted sender) 
>smtp.mailfrom=aki.tu...@open-xchange.com
>
>X-Spam-Status: No, score=-6.4 required=5.0 
>tests=AWL,DKIM_INVALID,DKIM_SIGNED,
>   HEADER_FROM_DIFFERENT_DOMAINS,KAM_DMARC_STATUS,LOCAL_HASHWL_ALL,
>   MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,RCVD_IN_HOSTKARMA_W,
>   RCVD_IN_MSPIKE_H5,RCVD_IN_MSPIKE_WL,SPF_HELO_PASS,SPF_PASS,
>   T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no
>
>seems it breaks :/

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
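
The two headers quoted in this message record two different verdicts on the same mail: the list server's ARC result and the receiving filter's own checks. The following is an added example, not code from the thread or from any project named in it: it parses an `ARC-Authentication-Results` header and the `tests=` list of an `X-Spam-Status` header and reports which methods passed at the ARC hop but not at the receiver. The header block is a constructed sample modelled on the quoted one (host names, addresses, IP and selector are placeholders), and the mapping from SpamAssassin rule names to pass/fail is this example's assumption.

```python
import re

# Constructed sample modelled on the headers quoted above; all names are placeholders.
RAW_HEADERS = (
    "ARC-Authentication-Results: i=1; lists.example.org;\n"
    " dkim=pass header.d=sender.example header.s=sel1 header.b=AbCdEfGh;\n"
    " dmarc=pass (policy=reject) header.from=sender.example;\n"
    " spf=pass (lists.example.org: domain of alice@sender.example designates\n"
    " 192.0.2.10 as permitted sender) smtp.mailfrom=alice@sender.example\n"
    "X-Spam-Status: No, score=-6.4 required=5.0 tests=AWL,DKIM_INVALID,DKIM_SIGNED,\n"
    "   HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_PASS,SPF_PASS\n"
    "   autolearn=ham autolearn_force=no\n"
)

# Assumed mapping from SpamAssassin rule hits to a per-method verdict.
SA_RULES = {
    "dkim": {"DKIM_VALID": "pass", "DKIM_INVALID": "fail"},
    "spf": {"SPF_PASS": "pass", "SPF_FAIL": "fail", "SPF_SOFTFAIL": "softfail"},
}


def unfold(raw):
    """Join folded header lines (continuations start with whitespace)."""
    return re.sub(r"\r?\n[ \t]+", " ", raw)


def header_value(raw, name):
    for line in unfold(raw).splitlines():
        field, _, value = line.partition(":")
        if field.strip().lower() == name.lower():
            return value.strip()
    return None


def parse_arc_results(value):
    """Split 'i=N; authserv-id; method=result props; ...' into its parts."""
    value = re.sub(r"\([^)]*\)", "", value)  # drop parenthesised comments
    info = {"instance": None, "authserv_id": None, "results": {}}
    for part in (p.strip() for p in value.split(";")):
        if not part:
            continue
        head = part.split()[0]
        if head.startswith("i=") and info["instance"] is None:
            info["instance"] = int(head[2:])
        elif "=" not in head:
            info["authserv_id"] = head
        else:
            method, _, result = head.partition("=")
            info["results"][method.lower()] = result.lower()
    return info


def spam_tests(value):
    """Return the rule names listed after tests= in an X-Spam-Status value."""
    m = re.search(r"tests=((?:[A-Z0-9_]+,\s*)*[A-Z0-9_]+)", value)
    return [t.strip() for t in m.group(1).split(",")] if m else []


def local_verdicts(tests):
    verdicts = {}
    for method, rules in SA_RULES.items():
        hits = [result for rule, result in rules.items() if rule in tests]
        verdicts[method] = hits[0] if hits else "none"
    return verdicts


def broken_in_transit(arc, local):
    """Methods that passed at the ARC hop but do not pass at the receiver."""
    return {
        method: (arc["results"][method], verdict)
        for method, verdict in local.items()
        if arc["results"].get(method) == "pass" and verdict != "pass"
    }


if __name__ == "__main__":
    arc = parse_arc_results(header_value(RAW_HEADERS, "ARC-Authentication-Results"))
    local = local_verdicts(spam_tests(header_value(RAW_HEADERS, "X-Spam-Status")))
    print("ARC hop", arc["instance"], "at", arc["authserv_id"], "->", arc["results"])
    print("receiver ->", local)
    print("passed upstream, not locally ->", broken_in_transit(arc, local))
```

A `dkim` entry in the last line is the case ARC exists for: the signature verified where the list received the mail and no longer verifies on the copy the list sent out, so the upstream result is usable only by a receiver that trusts the ARC sealer.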

Re: dovecot mailing list (this mailing list), DKIM, SPF and DMARC

2022-02-09 Thread justina colmena ~biz



On February 4, 2022 11:56:53 AM AKST, Lev Serebryakov  
wrote:
>  After that I've got several DMARC reports about "spam" from my domain. All 
> these reports are about my mailing list post.
>
Interesting. That's exactly how DMARC is supposed to work with reporting 
enabled. So you've got that set up correctly at any rate!

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


RE: Certificate and showing a sign-cert not there

2022-02-08 Thread justina colmena ~biz
You shouldn't need a root in the full chain, because the client already has to 
have the root cert, but you do need all the links in the chain up to the root.

On February 8, 2022 4:13:06 PM AKST, Wayne Spivak  wrote:
>Justina,
>
> 
>
>The vendor I have, which is having the difficulty is still saying he gets a 
>self-signed cert… but as I showed in my last email after I added Intermediate 
>to the certificate, everything was ok.
>
> 
>
>So ServerCert, Intermediate, Root in same file should solve this?
>
> 
>
>Wayne
>
>From: dovecot  On Behalf Of justina colmena ~biz
>Sent: Tuesday, February 8, 2022 2:44 PM
>To: dovecot@dovecot.org
>Subject: Re: Certificate and showing a sign-cert not there
>
> 
>
>In general:
>
>Lots of mail servers out in the wild do not require TLS or even bother to 
>verify TLS certificates when connecting to a remote server on port 25.
>
>However, desktop and mobile email *clients* tend to be much stricter about 
>verifying server certificates when connecting via SSL or TLS, mainly to 
>protect user passwords.
>
>Sometimes the server certificate needs to be presented with a "full chain" 
>appended to it for verification. That has been an issue before when I've used 
>some certs, particularly StartSSL before Letsencrypt started offering free 
>certs.
>
>On February 8, 2022 5:53:34 AM AKST, Wayne Spivak  wrote:
>
>Hi –
>
> 
>
>I am running Postfix 3.6.4 with Dovecot 2.3.17.1 (476cd46418).
>
> 
>
>I have a multi-signed cert from Entrust.
>
> 
>
>The cert works fine on port 25.
>
> 
>
>However, on Port 587 I get an error: c
>
> 
>
>[root@mcq wbs]# openssl s_client -connect mcq.sbanetweb.com:993 -servername 
>mcq.sbanetweb.com
>
>CONNECTED(0003)
>
>depth=0 C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN = 
>mcq.sbanetweb.com
>
>verify error:num=20:unable to get local issuer certificate
>
>verify return:1
>
>depth=0 C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN = 
>mcq.sbanetweb.com
>
>verify error:num=21:unable to verify the first certificate
>
>verify return:1
>
>depth=0 C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN = 
>mcq.sbanetweb.com
>
>verify return:1
>
>---
>
>Certificate chain
>
>0 s:C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN = 
>mcq.sbanetweb.com
>
>   i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms 
> <http://www.entrust.net/legal-terms> , OU = "(c) 2012 Entrust, Inc. - for 
> authorized use only", CN = Entrust Certification Authority - L1K
>
> 
>
> 
>
>[root@mcq wbs]# dovecot -n
>
># 2.3.17.1 (476cd46418): /etc/dovecot/dovecot.conf
>
># OS: Linux 5.16.5-200.fc35.x86_64 x86_64 Fedora release 35 (Thirty Five)
>
># Hostname: mcq.sbanetweb.com
>
>auth_mechanisms = plain login
>
>disable_plaintext_auth = no
>
>mbox_write_locks = fcntl
>
>namespace inbox {
>
>  inbox = yes
>
>  location =
>
>  mailbox Drafts {
>
>special_use = \Drafts
>
>  }
>
>  mailbox Junk {
>
>special_use = \Junk
>
>  }
>
>  mailbox Sent {
>
>special_use = \Sent
>
>  }
>
>  mailbox "Sent Messages" {
>
>special_use = \Sent
>
>  }
>
>  mailbox Trash {
>
>special_use = \Trash
>
>  }
>
>  prefix =
>
>}
>
>passdb {
>
>  driver = pam
>
>}
>
>protocols = imap
>
>service auth {
>
>  unix_listener /var/spool/postfix/private/auth {
>
>group = postfix
>
>mode = 0666
>
>user = postfix
>
>  }
>
>  unix_listener auth-userdb {
>
>group = postfix
>
>mode = 0666
>
>user = postfix
>
>  }
>
>}
>
>service imap-login {
>
>  inet_listener imap {
>
>port = 143
>
>  }
>
>  inet_listener imaps {
>
>port = 993
>
>ssl = yes
>
>  }
>
>}
>
>service submission-login {
>
>  inet_listener submission {
>
>port = 587
>
>  }
>
>}
>
>ssl = required
>
>ssl_cert = 
>ssl_cipher_list = 
>ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-S

Re: Certificate and showing a sign-cert not there

2022-02-08 Thread justina colmena ~biz
In general:

Lots of mail servers out in the wild do not require TLS or even bother to 
verify TLS certificates when connecting to a remote server on port 25.

However, desktop and mobile email *clients* tend to be much stricter about 
verifying server certificates when connecting via SSL or TLS, mainly to protect 
user passwords.

Sometimes the server certificate needs to be presented with a "full chain" 
appended to it for verification. That has been an issue before when I've used 
some certs, particularly StartSSL before Letsencrypt started offering free 
certs.

On February 8, 2022 5:53:34 AM AKST, Wayne Spivak  wrote:
>Hi -
>
> 
>
>I am running Postfix 3.6.4 with Dovecot 2.3.17.1 (476cd46418).
>
> 
>
>I have a multi-signed cert from Entrust.
>
> 
>
>The cert works fine on port 25.
>
> 
>
>However, on Port 587 I get an error: c
>
> 
>
>[root@mcq wbs]# openssl s_client -connect mcq.sbanetweb.com:993 -servername
>mcq.sbanetweb.com
>
>CONNECTED(0003)
>
>depth=0 C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN =
>mcq.sbanetweb.com
>
>verify error:num=20:unable to get local issuer certificate
>
>verify return:1
>
>depth=0 C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN =
>mcq.sbanetweb.com
>
>verify error:num=21:unable to verify the first certificate
>
>verify return:1
>
>depth=0 C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN =
>mcq.sbanetweb.com
>
>verify return:1
>
>---
>
>Certificate chain
>
>0 s:C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN =
>mcq.sbanetweb.com
>
>   i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms
> , OU = "(c) 2012 Entrust, Inc. - for
>authorized use only", CN = Entrust Certification Authority - L1K
>
> 
>
> 
>
>[root@mcq wbs]# dovecot -n
>
># 2.3.17.1 (476cd46418): /etc/dovecot/dovecot.conf
>
># OS: Linux 5.16.5-200.fc35.x86_64 x86_64 Fedora release 35 (Thirty Five)
>
># Hostname: mcq.sbanetweb.com
>
>auth_mechanisms = plain login
>
>disable_plaintext_auth = no
>
>mbox_write_locks = fcntl
>
>namespace inbox {
>
>  inbox = yes
>
>  location =
>
>  mailbox Drafts {
>
>special_use = \Drafts
>
>  }
>
>  mailbox Junk {
>
>special_use = \Junk
>
>  }
>
>  mailbox Sent {
>
>special_use = \Sent
>
>  }
>
>  mailbox "Sent Messages" {
>
>special_use = \Sent
>
>  }
>
>  mailbox Trash {
>
>special_use = \Trash
>
>  }
>
>  prefix =
>
>}
>
>passdb {
>
>  driver = pam
>
>}
>
>protocols = imap
>
>service auth {
>
>  unix_listener /var/spool/postfix/private/auth {
>
>group = postfix
>
>mode = 0666
>
>user = postfix
>
>  }
>
>  unix_listener auth-userdb {
>
>group = postfix
>
>mode = 0666
>
>user = postfix
>
>  }
>
>}
>
>service imap-login {
>
>  inet_listener imap {
>
>port = 143
>
>  }
>
>  inet_listener imaps {
>
>port = 993
>
>ssl = yes
>
>  }
>
>}
>
>service submission-login {
>
>  inet_listener submission {
>
>port = 587
>
>  }
>
>}
>
>ssl = required
>
>ssl_cert = 
>ssl_cipher_list =
>ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-G
>CM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AE
>S128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA25
>6:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-
>ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES1
>28-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE
>-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES12
>8-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNUL
>L:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-D
>ES-CBC3-SHA:!KRB5-DES-CBC3-SHA
>
>ssl_client_ca_dir = /etc/postfix/tls/
>
>ssl_client_ca_file = ChainBundle.pem
>
>ssl_dh = # hidden, use -P to show it
>
>ssl_key = # hidden, use -P to show it
>
>ssl_prefer_server_ciphers = yes
>
>userdb {
>
>  driver = passwd
>
>}
>
>protocol imap {
>
>  mail_max_userip_connections = 15
>
>}
>
> 
>
>Any ideas?
>
> 
>
>Wayne Spivak
>
>SBANETWEB.com
>

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
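
The `openssl s_client` output quoted in this thread lists a single certificate (depth 0) whose issuer is an intermediate CA, which is what produces verify errors 20 and 21; both replies above describe the fix as sending the server certificate plus every intermediate, with the root optional. The following is an added example, not code from the thread: it parses the "Certificate chain" section of `s_client` output and classifies what the server presented. The subject and issuer names are taken from the quoted output with the mail client's line wrapping undone; the root name, the trust-anchor set and the two longer chains are constructed for comparison.

```python
import re

ENTRY = re.compile(r"^\s*(\d+)\s+s:(.*)$")   # " 0 s:<subject DN>"
ISSUER = re.compile(r"^\s+i:(.*)$")          # "   i:<issuer DN>"

LEAF = "C = US, ST = New York, L = Bellmore, O = SBA Consulting LTD, CN = mcq.sbanetweb.com"
INTERMEDIATE = ('C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, '
                'OU = "(c) 2012 Entrust, Inc. - for authorized use only", '
                "CN = Entrust Certification Authority - L1K")
ROOT = "C = XX, O = Example Trust, CN = Example Root CA"  # constructed placeholder
TRUST_ANCHORS = {ROOT}  # assumption: what the client's trust store contains


def s_client_section(pairs):
    """Render (subject, issuer) pairs the way s_client prints the chain."""
    lines = ["CONNECTED(00000003)", "---", "Certificate chain"]
    for depth, (subject, issuer) in enumerate(pairs):
        lines.append(f" {depth} s:{subject}")
        lines.append(f"   i:{issuer}")
    lines.append("---")
    return "\n".join(lines)


AS_POSTED = s_client_section([(LEAF, INTERMEDIATE)])
FULL_CHAIN = s_client_section([(LEAF, INTERMEDIATE), (INTERMEDIATE, ROOT)])
WITH_ROOT = s_client_section([(LEAF, INTERMEDIATE), (INTERMEDIATE, ROOT), (ROOT, ROOT)])


def norm(dn):
    return " ".join(dn.split())


def parse_chain(s_client_output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, subject, in_section = [], None, False
    for line in s_client_output.splitlines():
        if line.strip() == "Certificate chain":
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("---"):
            break
        m = ENTRY.match(line)
        if m:
            subject = norm(m.group(2))
            continue
        m = ISSUER.match(line)
        if m and subject is not None:
            chain.append((subject, norm(m.group(1))))
            subject = None
    return chain


def diagnose(chain, trust_anchors):
    """Classify a presented chain as a verifying client would see it."""
    anchors = {norm(a) for a in trust_anchors}
    if not chain:
        return ("no-certificates", None)
    for i in range(len(chain) - 1):
        if chain[i][1] != chain[i + 1][0]:
            # The next certificate sent is not the issuer of this one.
            return ("broken-link", i)
    subject, issuer = chain[-1]
    if subject == issuer:
        # Self-signed certificate at the end: a root was sent along.
        status = "ok-root-sent" if subject in anchors else "untrusted-root"
        return (status, len(chain) - 1)
    if issuer in anchors:
        return ("ok", None)
    # The last certificate's issuer was neither sent nor trusted locally.
    return ("missing-intermediate", issuer)


if __name__ == "__main__":
    for name, text in (("as posted", AS_POSTED), ("leaf + intermediate", FULL_CHAIN),
                       ("leaf + intermediate + root", WITH_ROOT)):
        print(f"{name}: {diagnose(parse_chain(text), TRUST_ANCHORS)}")
```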

Re: Password Mismatch when connecting from Email Client

2022-02-04 Thread justina colmena ~biz
That is a test user on a private network. Not publicly accessible at all.

Anyways, I have had the best luck on dovecot and postfix with the unix/linux 
utility "pass" to generate fairly long alphanumeric-only passwords as I have 
found that any special characters in passwords are ending up garbled or 
misinterpreted when I attempt to log in to dovecot on IMAP or POP.

On February 4, 2022 7:37:54 AM AKST, Benny Pedersen  wrote:
>On 2022-02-04 17:17, Dr Francis Greaves wrote:
>
>> Any help much appreciated.
>
>what is stored in mysql on the password field ?
>
>you dont need to expose passwords in maillists 

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

RE: silly quesiton [ot]

2022-01-31 Thread justina colmena ~biz
I see. People make money outsourcing, consulting, and hooking up companies with 
the best solutions for email, office collaboration, CRM, etc., etc., which is 
great, but I didn't quite realize that look like a paid offering on the table 
and this isn't the right list to discuss potential free market competition...

On January 31, 2022 12:45:48 AM AKST, Aki Tuomi  
wrote:
>
>> On 31/01/2022 10:36 Marc  wrote:
>> 
>>  
>> > 
>> > Just ideas.
>> 
>> Maybe an idea to participate on a Microsoft forum? They like to use db's for 
>> email, and they are removing everything what is nice in order to push people 
>> into their cloud. So lots to change for the better there. 
>> 
>> It's so crappy that I recently wrote Bill Gates that he should not whine so 
>> much about the environment, because if he used only half of his profits to 
>> optimize code/designs in ms products, this would result in a significant 
>> reduction in energy use. Think of what global effect that has.
>> 
>> FYI T-mobile (and the commercial version of dovecot?) is working on storing 
>> emails in object storage, that is the future.
>
>Commercial Dovecot has had the ability to store mails & indexes in Object 
>Storage for years now, we are not "working on it" anymore.
>
>Aki

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: silly quesiton [ot]

2022-01-30 Thread justina colmena ~biz
Just ideas.

Removing or deleting a single message from near the beginning of a large flat 
file takes an inordinate amount of time because the remainder of the flat file 
has to be rewritten all the way from the point of the deleted message to the 
end of the file and then truncated.

On January 30, 2022 6:30:44 PM AKST, Sam Kuper  wrote:
>On Sun, Jan 30, 2022 at 06:17:49PM -0900, justina colmena ~biz wrote:
>> On January 30, 2022 5:46:53 PM AKST, dove...@ptld.com wrote:
>>> Storing mail in a db... at the end of the day isn't it still just a
>>> file (.db file) on the drive?
>>>
>>> Aren't you just adding bloat and complexity vs just storing the mail
>>> directly (maildir format) to a file on the drive? [...]
>>
>> You'll get better indexing and fast full text search by storing your
>> emails in a database rather than a flat file, hopefully after decoding
>> any attachments. Especially for spam scoring, analysis, and
>> classification. Much better performance deleting or moving specific
>> messages, too.
>
>Do you have evidence to back up these claims, specifically re: mail
>servers?
>
>Like-for-like benchmarks, for instance?
>
>Thanks,
>
>Sam
>
>-- 
>A: When it messes up the order in which people normally read text.
>Q: When is top-posting a bad thing?
>
>()  ASCII ribbon campaign. Please avoid HTML emails & proprietary
>/\  file formats. (Why? See e.g. https://v.gd/jrmGbS ). Thank you.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: silly quesiton [ot]

2022-01-30 Thread justina colmena ~biz
You'll get better indexing and fast full text search by storing your emails in 
a database rather than a flat file, hopefully after decoding any attachments. 
Especially for spam scoring, analysis, and classification. Much better 
performance deleting or moving specific messages, too.

On January 30, 2022 5:46:53 PM AKST, dove...@ptld.com wrote:
>Storing mail in a db... at the end of the day isn't it still just a file (.db 
>file) on the drive?
>Aren't you just adding bloat and complexity vs just storing the mail directly 
>(maildir format) to a file on the drive?
>
>What do you think you are saving? Security?
>If someone can read files on your server, they can equally read a maildir or a 
>.db file.
>K.I.S.S.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: Non-unique Message ID in mail messages

2022-01-28 Thread justina colmena ~biz



On January 27, 2022 6:17:05 AM AKST, "Daniel Ryšlink" 
 wrote:
>
>RFC 5322 clearly states that mail messages SHOULD contain a Message ID 
>identifier, but if they do contain it, it MUST be globally unique.
>
That's nice polite behavior, all right, but the enforcement of it is another 
matter entirely. Slap a tracking label with a barcode on a piece of mail, and 
the mail truck is taking off from the loading dock at the post office with the 
door wide open being rear-ended by the cop car with a federal warrant and a 
razor-sharp military letter opener in his hand. Oh yeah, I almost forgot I've 
got a flat tire and I discovered my brake hose was apparently slit wide open, 
and my att0rney says I'm facing additional charges since they had a lawful 
warrant to take all that action against me on my account. /sarcasm

>Despite this requirement, I have encountered senders (namely Spamcop) 
>that sends obviously different (albeit related) messages called "Alert" 
>and "Summary" (they are always related to the same incident and have the 
>same Message ID). This creates all sorts of problems when processing 
>these mails, namely with users that have local forwards from one domain 
>to another (our mailserver hosts multiple domains), because for example 
>Dovecot refuses to forward the second message, flagging it as a duplicate.
>
>My question to you is - did you also encounter similar incorrect 
>(according to RFC standards) problem, and if so, is there a way to 
>persuade dovecot to perhaps determine the uniqueness of a message by 
>other means than just checking the message ID (i.e. look at other 
>identifiers, Subject, perhaps)? Because according to the log records, 
>Spamcop does not seem to be the only offender.
>
Thank you, that's a years-old bug, pet peeve and aggravation in several mailing 
systems not just Dovecot and you get my upvote for the question and complaint. 
We need to be nice, and deal respectfully but set our limits with people who 
aren't being so nice when they send emails.

>Thanks in advance for any reactions, and if I did something wrong by 
>writing this message, I apologize again in advance.
>
>If required, I can provide samples of the Spamcop messages.
>
I am hoping there are more and better solutions to this problem forthcoming.
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: silly quesiton

2022-01-25 Thread justina colmena ~biz



On January 24, 2022 1:33:46 PM AKST, John Stoffel  wrote:
>steph> 1) How can I says sendmail to use the same passwd file ( with MD5) than 
>dovecot ?
>
>Ah... just saw this.  And I don't know how to configure sendmail for
>this.  I would suggest you look on the sendmail.org site for help.  

Too many professional bulk mailers on all those lists. I for one don't like the 
documentation runaround. There's a lot of stuff that's getting more complicated 
than it needs to be. I need SPF+DKIM+DMARC for basic spam control.

>steph> 2) Ideally, I would like to create virtual users for the same
>steph> mailbox  Is that possible ?

I have a setup like that myself. Nothing to do with Dovecot. It's entirely up 
to postfix which mailbox to deliver incoming messages to, and the user's client 
to address outgoing mail with a proper ID.

>steph> like 2 files Users and PAsswrds pointing out the mailbox :
>steph> maildir :/home/mailbox/user1 ex : us...@foo.com  passwrd1 
>steph> /home/mailbox/generic_mails and user2 passwrd2 
>steph> home/mailbox/generic_mails
>
>I do this myself using postfix and dovecot and it works well.  I have
>my users defined in an sqlite3 DB, though for a small number of users
>I think a flat file is simpler.

The performance of flat files really bogs down my system and causes me to lose 
mails if too many arrive or if the file grows too large.

>The trick is to have the dovecot and postfix/sendmail using the same
>files for the virtual users and their passwords.  There are a number
>of tutorials out there for doing this.
>
>John

Without a doubt there are many useful tricks and tutorials out there. I have 
found several very helpful.

Maybe a future programming project idea: I want a system that will store all 
mail messages and user account info in, say, a postgresql transactional 
database, a little more manageable and reliable than ad hoc databasing with 
those flat files all over the place cluttering up the system.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: Why would dovecot not be answering

2022-01-22 Thread justina colmena ~biz
Good question. This looks like a unix socket set up for dovecot to provide 
authentication services to postfix and anyways postfix would be listening on 
TCP port 587 for authenticated mail submission. Normally you do not want to 
offer any user authentication or login on port 25, but that is all set up and 
specified explicitly in /etc/postfix/main.cf and /etc/postfix/master.cf.

Of course you do need user authentication for dovecot itself to offer IMAP 
and/or POP services for users to fetch or read their email.

I can't really get on the postfix mailing list myself, or sort through all 
that volume. There's an unsolicited bulk email industry in control of 
everything.

On January 22, 2022 7:05:04 PM AKST, Ruben Safir  wrote:
>I am really lost as to why dovecot is not authenticating
>
>I have 
>
>smtpd_sasl_type = dovecot
>
>in main.cf
>
>and 
>
># Postfix smtp-auth
>unix_listener /var/spool/postfix/private/auth {
> mode = 0666
> user = postfix
> group = postfix
>}
>in /etc/dovecot/conf.d/10-master.conf
>
>
>I want it to authenticate on submission only
>
>Everything I read says this should do it, but I am up against a wall.  I
>have no debugging information or log at all to confirm what postfix is
>doing.
>
>
>-- 
>So many immigrant groups have swept through our town
>that Brooklyn, like Atlantis, reaches mythological
>proportions in the mind of the world - RI Safir 1998
>http://www.mrbrklyn.com 
>
>DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
>http://www.nylxs.com - Leadership Development in Free Software
>http://www2.mrbrklyn.com/resources - Unpublished Archive 
>http://www.coinhangout.com - coins!
>http://www.brooklyn-living.com 
>
>Being so tracked is for FARM ANIMALS and extermination camps, 
>but incompatible with living as a free human being. -RI Safir 2013
>

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: Is Diffie-Hellman needed?

2022-01-13 Thread justina colmena ~biz



On January 12, 2022 4:22:00 PM AKST, Joseph Tam  wrote:
>
>   - perfect forward secrecy: the disclosure of a private
>   key will not compromise past traffic.  This is probably the
>   more compelling reason.
>
As to ECC vs. the "old fashioned" RSA paradigm based on the difficulty of 
factoring very large natural numbers --- that's a totally separate issue, 
irrelevant to that of choosing protocols that offer PFS over those that do not.

I'm "convinced" on no special considerations beyond elementary math that the 
product of two large randomly chosen prime numbers is darn near impossible to 
factor on modern computers. Scientists have tried and failed and assiduously 
documented their vain attempts at cracking the RSA challenge up to commonly 
used key size parameters.

The ECC business involves too many secret codes and ciphers coming out of a 
college fraternity or university dormitory, and it's not clear to me as an 
outsider what it offers beyond smoke-and-mirrors obfuscation and security by 
obscurity of the algorithm. The magic numbers and specially chosen curve 
parameters like "25519" offered as is without explanation are alarming to me as 
if someone is trying to pull the wool over my eyes with the fancy maths.
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: Is Diffie-Hellman needed?

2022-01-10 Thread justina colmena ~biz
I want better explanations of the maths.

If RSA and DSA algorithms based on standard arithmetic exponentiation modulo 
the product of two large primes are "deprecated" -- that means that there have 
been or are expected to be major mathematical and algorithmic advances in 
factoring large integers. The maths are easy for those algorithms, whereas the 
ECC algorithms are based on very advanced maths which aren't being explained 
satisfactorily to the general public, with $1,000,000 USD prizes still out for 
the so-called Birch and Swinnerton-Dyer conjecture and the Riemann Hypothesis, 
which might be more applicable to factoring the "semi-primes" of RSA/DSA/DH 
type algorithms.

On January 10, 2022 7:12:40 AM AKST, dove...@ptld.com wrote:
>And follow up question;
>
>The docs say you are encouraged to disable non-ECC DH algorithms completely.
>However i didn't see anything on that same page explaining how to go about 
>doing that.
>
>Can someone point me to something explaining what that means and how to go 
>about doing it?

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: Memory leaks in dovecot

2021-11-04 Thread justina colmena ~biz
Random bit-flipping due to aurora borealis from recent X1 class solar flares. 
Do expect soft errors, hard errors, some temporary and some permanent damage to 
computer hardware.

On November 4, 2021 6:41:36 AM AKDT, Joan Moreau  wrote:
>
>
>Hi
>
>Anyone can help on those memory leaks since 2.3.17 ?
>
>These came after adding the fts_mail_user_init(user, FALSE, ) and 
>fts_mail_user_deinit(user) function calls to avoid breaking due to 
>change in the API
>
>Thank you for help
>
>doveadm: Warning: Event 0x5563f3f2b740 leaked (parent=0x5563f3f2b330): 
>mail-user.c:78
>doveadm: Warning: Event 0x5563f3f2b330 leaked (parent=(nil)): 
>mail-storage-service.c:1359
>doveadm: Warning: Event 0x5563f4009ef0 leaked (parent=0x5563f3f4cf80): 
>mail-index.c:67
>doveadm: Warning: Event 0x5563f40096c0 leaked (parent=0x5563f3f4cf80): 
>fs-api.c:32
>doveadm: Warning: Event 0x5563f40092b0 leaked (parent=0x5563f3f4cf80): 
>mail-storage.c:430
>doveadm: Warning: Event 0x5563f3f4cf80 leaked (parent=0x5563f3f21f00): 
>mail-user.c:78
>doveadm: Warning: Event 0x5563f3f21f00 leaked (parent=(nil)): 
>mail-storage-service.c:1359
>doveadm: Warning: Event 0x5563f3f2d080 leaked (parent=0x5563f3f234f0): 
>mail-index.c:67
>doveadm: Warning: Event 0x5563f3f2c820 leaked (parent=0x5563f3f234f0): 
>fs-api.c:32
>doveadm: Warning: Event 0x5563f3f2c300 leaked (parent=0x5563f3f234f0): 
>mail-storage.c:430
>doveadm: Warning: Event 0x5563f3f234f0 leaked (parent=0x5563f3f4e1d0): 
>mail-user.c:78
>doveadm: Warning: Event 0x5563f3f4e1d0 leaked (parent=(nil)): 
>mail-storage-service.c:1359
>doveadm: Warning: Event 0x5563f3f24d20 leaked (parent=0x5563f3fd58b0): 
>mail-index.c:67
>doveadm: Warning: Event 0x5563f3f24620 leaked (parent=0x5563f3fd58b0): 
>fs-api.c:32
>doveadm: Warning: Event 0x5563f3f23e30 leaked (parent=0x5563f3fd58b0): 
>mail-storage.c:430
>doveadm: Warning: Event 0x5563f3fd58b0 leaked (parent=0x5563f3fd54a0): 
>mail-user.c:78
>doveadm: Warning: Event 0x5563f3fd54a0 leaked (parent=(nil)): 
>mail-storage-service.c:1359
>doveadm: Warning: Event 0x5563f3fd6df0 leaked (parent=0x5563f3fcc8a0): 
>mail-index.c:67
>doveadm: Warning: Event 0x5563f3fd65c0 leaked (parent=0x5563f3fcc8a0): 
>fs-api.c:32
>doveadm: Warning: Event 0x5563f3fd5dd0 leaked (parent=0x5563f3fcc8a0): 
>mail-storage.c:430
>doveadm: Warning: Event 0x5563f3fcc8a0 leaked (parent=0x5563f3f1c990): 
>mail-user.c:78
>doveadm: Warning: Event 0x5563f3f1c990 leaked (parent=(nil)): 
>mail-storage-service.c:1359
>doveadm: Warning: Event 0x5563f3f16a20 leaked (parent=0x5563f3fbb710): 
>mail-index.c:67
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: Design Check

2021-10-27 Thread justina colmena ~biz
Interesting. Have you looked at this?

https://serverfault.com/questions/133190/host-wildcard-subdomains-using-postfix

[People have too much "flair" and rep points and I can't participate in those 
stackexchange discussions or ask or answer like I used to.]

On October 27, 2021 3:15:01 PM AKDT, dove...@ptld.com wrote:
>> I think your approach would work, however, if I set
>> up aliases similar to:
>> 
>> @barbaz.mydomain.com -> bar...@mydomain.com.
>> 
>> I believe I can do that in postfix with some regex magic.
>
>Yes, that would work perfectly without any regex.
>You just point the catchall alias to the "user".
>@barbaz.mydomain.com -> bar...@mydomain.com
>
>
>
>> one stumbling block could be that we don't
>> know the various subdomains ahead of time.
>> 
>> The subdomain can be any value that the user
>> wants, and we don't want them to have to
>> precreate them before they can use an address
>
>Best to my knowledge this is not possible with postfix. But ask the 
>postfix mailing list to get a definitive answer. In postfix you have to 
>tell it the domains it accepts mail for, anything else it considers 
>relaying. Otherwise how does postfix know that email is meant to be 
>saved here or it is just passing through and you want postfix to query 
>DNS to find out where it goes (if relaying is even allowed).
>
>
>
>> The purpose of the system is that users can create disposable/temporary 
>> email addresses for various testing jobs.
>
>Are you aware of postfix recipient_delimiter? It allows for disposable / 
>wild card addresses. If enabled in postfix, you setup a mailbox user 
>like bar...@mydomain.com and any address with that user and the 
>delimiter would still get delivered to that user.
>
>bar...@mydomain.com -> bar...@mydomain.com
>barbaz+randomt...@mydomain.com -> bar...@mydomain.com
>barbaz+te...@mydomain.com -> bar...@mydomain.com
>
>You can change the + to any symbol you want postfix to look out for.
>
>
>
>> I think my "creating users" was me wanting to make sure that when 
>> postfix
>> passes an email for "bar...@mydomain.com" to Dovecot, then Dovecot will 
>> store it and wait for
>> someone to come along and impersonate barbaz. i.e. "barbaz" doesn't 
>> have to exist as a user
>> already before Dovecot will store the mail.
>
>If you are using LMTP dovecot will only accept emails from postfix that 
>it can lookup the /directory/path to from one of the userdb{} or 
>passdb{} sections. If dovecot can not find a match in any of the 
>userdb{} or passdb{} it will reject the email as user unknown causing 
>postfix to send an undeliverable notice email back to the envelope sender 
>address, also known as back-scatter. I am not aware of a way to use 
>wildcard addresses in dovecot userdb{}, i don't think it's possible but i 
>don't know what i don't know.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: Disable authentication for submission service

2021-07-28 Thread justina colmena ~biz
Thank you for the pointers. People say RTFM, as if that's rude, but it's good 
to know, especially if there is documentation of ongoing development or a "road 
map" for future work.

On July 28, 2021 10:51:50 AM AKDT, Antonio Leding  wrote:
>Making no assertions\judgements as to the goal or intended path to get 
>there…just helping with the original question…
>
>Based on the submission server link below, it appears you will need to 
>use the same auth mechanisms for submission as you do for imap\pop.  So

Good enough reason to integrate MSA (Mail Submission Agent) capabilities into 
the MUA (Mail User Agent).

Suggestion box: This should be able (in the future) to handle "tricks" like 
archiving sent messages alongside received messages or simply copying sent 
messages into an IMAP sent folder on the server. 

>https://doc.dovecot.org/admin_manual/submission_server/
>https://doc.dovecot.org/configuration_manual/authentication/
>

This is all quite new then and under active development.
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: Disable authentication for submission service

2021-07-28 Thread justina colmena ~biz
I am quite curious about the circumstances of this question. I was not aware 
that Dovecot actually offered mail submission service. If Dovecot does offer 
such a service, then it will have to relay the submitted mail to the real MTA, 
which is very likely not Dovecot. At the moment I have Postfix set up as MTA 
for that purpose —

Relaying on port 25 is usually quick and easy to whitelist for certain 
permitted hosts, but otherwise port 587, optionally with STARTTLS, and/or port 
465 with SSL/TLS is generally set up for user authenticated mail submissions.

See also:
https://www.mailgun.com/blog/which-smtp-port-understanding-ports-25-465-587/



On July 28, 2021 6:10:28 AM AKDT, Dan Conway  wrote:
>Hello,
>
>Is it possible to disable the requirement for authentication on the 
>submission service? I'm trying to require authentication for all,
>except 
>for a handful of IP addresses.
>
>Thank you.
>
>
>ehlo test.com
>250-aaa
>250-AUTH PLAIN LOGIN
>250-BURL imap
>250-CHUNKING
>250-DSN
>250-ENHANCEDSTATUSCODES
>250-SIZE
>250 PIPELINING
>MAIL FROM:
>530 5.7.0 Authentication required.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: Sv: 2FA/MFA with IMAP & postfix/submission

2021-07-15 Thread justina colmena ~biz
I think it's only 12 steps. There are people who need to sober up

On July 15, 2021 8:54:16 AM AKDT, Sebastian  wrote:
>The thing is, that people must stop expecting "being able to access
>mail whenever you are" without extra steps.
>
>Best solution is to offer a webmail with TOTP or SQRL or similar
>secure auth method.
>
>Then have that webmail add IP or country into trusted list, so if you
>want to access IMAP mail or SMTP mail from hotel wifi, you have to
>simply do one single login to webmail, and then your IMAP/SMTP will
>work as usual.
>
>The problem with certificates, is as I said, not many clients support
>them. Outlook support them natively, I don't know if Windows Mail
>support them, and I don't know if Samsung Mail do support them (maybe
>they do support client certificates in Enterprise mode, but then you
>need a license for that), K9 mail I know support them, other built-in
>email clients I don't know if they support client certificates.
>
>The solution I have on my email is a OpenVPN connection to my server,
>which is protected. My phone has a 24/7 connection to that VPN server,
>and thus im able to lock out all logins outside from VPN.
>
>-Original message-
>From: dovecot-boun...@dovecot.org  On behalf of
>@lbutlr
>Sent: 15 July 2021 18:37
>To: dovecot mailing list 
>Subject: Re: 2FA/MFA with IMAP & postfix/submission
>
>On 2021 Jul 15, at 08:52, Alex  wrote:
>> Client certs appears to be a good solution.
>
>A solution, certainly. A GOOD solution? Not really.
>
>> What's the process for managing them with more than a hundred client
>accounts?
>
>And that's the first issue.
>
>The second issue is "my primary device is not available, I need to
>login from this other computer or use my phone which is unsuitable for
>this task. Too bad I have no choice but to use the phone because this
>computer doesn’t have the cert."
>
>And then you have the "now that I've installed this cert, this
>computer is considered trusted" which is another issue.
>
>2FA is a lot more flexible and robust.
>
>OATH works well. SQRL looks promising though it requires a web UI I to
>do the authentication (and SQRL does away with passwords as well).
>
>> I believe the problem they are trying to solve is hacked accounts
>from
>> compromised passwords. Does client certs solve that problem?
>
>Maybe. Depends on if the hacker can get access to the user's machine or
>not.
>
>> Perhaps there are dovecot (and postfix submission) options to at
>least
>> restrict access by IP?
>
>It is certainly possible in Postfix, but that opens up its own issues.
>It may be acceptable in some corporate environs, but in most situations
>being able to access your email wherever you are is a requirement.
>
>-- 
>The wages of sin is death, but so is the salary of virtue, and at
>   least the evil get to go home early on Fridays. --Witches Abroad

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: TLS Security

2021-07-14 Thread justina colmena ~biz
Interesting.

Assuming your "Kali" tools are in fact up to date to test with newer protocols 
TLS1.2+, is Dovecot compiled against a recent version of the OpenSSL or GnuTLS 
library or whatever it uses to support the newer TLS protocols?

Definitely an outdated cipher issue, on Postfix as well as Dovecot


On July 14, 2021 6:55:19 AM AKDT, Stefan Schumacher 
 wrote:
>Hi,
>
>
>I wish to build a new secure email server. It seems I am on the right
>way – at least I get no more error messages for Postfix – but Dovecot
>is still making trouble.
>
>
>I am using Dovecot 1:2.3.4.1-5+deb10u6 and I am using ISPconfig 3.25 to
>do the rough configuring and nano and what's left of my brain to do the
>finer details. Let's start with what I added to conf.d/10-ssl.conf
>
>
>ssl_cert = 
>ssl_key = 
>
>ssl_cipher_list =
>EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aR$
>
>ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
>
>ssl_min_protocol = TLSv1.2
>
>
>As you can see, I clearly do not want to use TLS before v1.2. I think
>this is not unreasonable in the year 2021.
>
>
>Now, after the changes I ran Kali (I use it to verify the results of my
>experiments)
>
>and - this is a mailing list, so no screenshots:
>
>It says:
>
>
>SSL/TLS Deprecated TLS v1.0 and TLS v1.1 Detection. I get this for the
>ports 143, 110, 993 and 995.
>
>
>I thought I had done everything one could to disable old TLS-Versions.
>What am I doing wrong?
>
>
>Yours sincerely
>
>Stefan Schumacher

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
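
One way to check the scanner's finding independently is to attempt a handshake pinned to each protocol version on each of the four ports, using STARTTLS on 143 and 110. This is an added example, not part of the original thread or of Dovecot; the function names and status strings are illustrative assumptions.

```python
import socket
import ssl
import sys
import warnings

VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2, "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
DEPRECATED = ("TLSv1", "TLSv1.1")
# The four ports from the scan report and how TLS starts on each.
PORTS = {143: "imap", 110: "pop3", 993: "implicit", 995: "implicit"}


def _line(sock) -> bytes:
    """Read one line byte by byte so nothing past it is buffered."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf


def _starttls(sock, mode) -> bool:
    """Ask a plaintext IMAP or POP3 listener to switch to TLS."""
    _line(sock)  # server greeting
    if mode == "imap":
        sock.sendall(b"a1 STARTTLS\r\n")
        reply = _line(sock)
        while reply.startswith(b"*"):  # skip untagged responses
            reply = _line(sock)
        return reply.upper().startswith(b"A1 OK")
    sock.sendall(b"STLS\r\n")
    return _line(sock).startswith(b"+OK")


def _context(version):
    """Client context pinned to one protocol version, or None if the local
    TLS library cannot offer it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # only the protocol version is under test
    try:
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            # Distribution defaults often forbid TLS 1.0/1.1 on the client side;
            # lower the client's own security level so the probe can offer them.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
            ctx.minimum_version = VERSIONS[version]
            ctx.maximum_version = VERSIONS[version]
    except (ssl.SSLError, ValueError):
        return None
    return ctx


def probe(host, port, version, mode="implicit", timeout=5.0) -> str:
    """Return accepted, refused, no-starttls, unreachable or client-cannot-offer."""
    ctx = _context(version)
    if ctx is None:
        return "client-cannot-offer"
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    try:
        if mode != "implicit" and not _starttls(raw, mode):
            return "no-starttls"
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return "accepted" if tls.version() == version else "refused"
    except OSError:
        # Handshake alert, reset or timeout: this version was not negotiated.
        return "refused"
    finally:
        raw.close()


def audit(host, ports=PORTS):
    """Probe every version on every port: {(port, version): status}."""
    return {(port, v): probe(host, port, v, mode)
            for port, mode in ports.items() for v in VERSIONS}


def deprecated_accepted(results):
    """The (port, version) pairs where a deprecated version was negotiated."""
    return sorted(key for key, status in results.items()
                  if status == "accepted" and key[1] in DEPRECATED)


if __name__ == "__main__":
    found = deprecated_accepted(audit(sys.argv[1] if len(sys.argv) > 1 else "localhost"))
    print("deprecated versions accepted:", found or "none")
```

A status of refused only shows that the handshake did not complete from this client, so confirm it from a second client before treating it as proof that the server rejects the version.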

Re: Major upgrade of mail server

2021-07-08 Thread justina colmena ~biz
It's generally a good thing to be reminded to upgrade. Regardless of whether or 
not a certain release is considered Long Term Service — if there are major 
unresolved problems with the platform or supported software that are not fixed 
— then it will be necessary and appropriate to upgrade as soon as the "nag" 
issue is fixed in the next release assuming other problems are not being 
introduced at the same time.

Otherwise if everything "works" and there are no major security issues, then 
it's not such a hurry, but plans should be made to upgrade in any case.

On July 8, 2021 5:46:25 AM AKDT, Oscar del Rio  wrote:
>On 2021-07-08 1:29 a.m., Plutocrat wrote:
>> First thing to note is that Ubuntu 18.04 is a Long Term Service 
>> release, and will be supported until 2023. So no matter how naggy 
>> Ubuntu is, you don't actually HAVE to upgrade at this point.



-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: disable pop3 ports?

2021-05-04 Thread justina colmena ~biz
On Tuesday, May 4, 2021 11:27:28 AM AKDT Dan Egli wrote:
> Aki, That's what I'm saying. The only place pop3 IS listed is in
> doveconf protocols. I'm going to try setting the ports to 0 and see if
> that does the trick.
> 
> And for those who keep mentioning the firewall, understand that I'm
> beyond security paranoid. Simply blocking at the firewall is not enough.
> I want to ensure that NO ONE is listening on that port, even if it's
> just localhost.

What in the world is going on here with POP3 on dovecot? I used to use POP3 on 
my desktop, and configure my desktop POP3 client to leave maybe 30 days' worth 
of email on the server accessible via IMAP to my mobile phone.

After that I could archive or delete / discard old email on my desktop at my 
leisure. Except since the last couple of upgrades to dovecot software, that is 
no longer possible, and the system crashes and I lose all my email whenever I 
try to use POP3 for anything.

I completely understand the tinfoil hat attitude with commercial spammers 
trying every trick in the book to take over private email servers and German 
Nazi cops doing the same to make criminal busts beating in doors with a 
battering ram, letting off flash-bang grenades, handcuffing suspects and 
"disappearing" them to top-secret detention centers -- (Does anyone remember 
Buchenwald, Auschwitz, Dachau?) -- without even so much as a case on the court 
docket, it's all for the safety and well-being of the children in the 
community, and no one in his right mind would even doubt that all the cops are 
on the right side of the law doing good works for humanity.
 
I don't want to say "compromise" -- no, there's got to be a very basic, simple 
"right way" to do it, and POP3 has to be made to work properly "by the book" 
somehow like it used to, and I don't have any better answers than anybody else 
either, because it's broke on my system, too.

signature.asc
Description: This is a digitally signed message part.


Re: Installation Question: Is a web server required ?

2021-04-29 Thread justina colmena ~biz
On Wednesday, April 28, 2021 9:41:17 PM AKDT @lbutlr wrote:
> On 28 Apr 2021, at 11:28, White, Daniel E. (GSFC-770.0)[NICS] 
 wrote:
> > only be accessed by POP3(s)/IMAP(s
> 
> There is no reason to support POP3 on a new mail service. IMAP is superior
> in every way, both for the user and for the server.
> 
> (There is nothing that POP3 can do that IMAP cannot duplicate, and many many
> MANY things that IMAP can do that POP3 cannot).

The astronaut guy says the POP3/IMAP setup should "just work," and as pissed 
off as I am at U.S. government bureaucracy and maybe I confuse NASA with 
another government agency NSA and government spooks demanding back door access 
to read my email over my shoulder, I happen to agree with the general 
sentiment.

POP3 is the better and more efficient protocol for clients who simply want to 
download email messages to their desktop once and for all so they don't need 
to keep accessing the server over and over again to read the same old 
messages.

IMAP is better for clients with multiple devices etc.

Professionals of any line of work who use email at work on the job and 
especially people on this list know that already.



Re: CA certs for Dovecot-as-client (proxy)

2021-04-21 Thread justina colmena ~biz
On Wednesday, April 21, 2021 2:13:01 AM AKDT Aki Tuomi wrote:
> Hi!
> 
> This is unfortunately a bug, see note in
> https://doc.dovecot.org/configuration_manual/authentication/proxies/
> 
> "ssl_client_ca_dir or ssl_client_ca_file aren’t currently used for verifying
> the remote certificate, although ideally they will be in a future Dovecot
> version. For now you need to add the trusted remote certificates to
> ssl_ca."
> 
> Aki
FWIW, I always thought Aki was a man's name, but they're calling it a baby 
girl's name if you look it up on Google. You couldn't make this stuff up if 
you tried.
 * https://www.thebump.com/b/aki-baby-name
I don't like the Microsoft-dominated scene here any more than anyone else 
does. If a guy has to clear his throat in a court of law or something like 
that over every little bug or issue to have it fixed, then there's quite a mob 
of organized criminal spammers on the mailing list, and of course the law 
enforcement community is always on their side when they spam vice pills down 
our throats via e-mail.



Re: How to prevent, or change priority, of dovecot's FAILed relay-submission to relay's IPv6 address, and submit ONLY/first to IPv4?

2021-04-09 Thread justina colmena ~biz
On Friday, April 9, 2021 5:19:20 AM AKDT PGNet Dev wrote:
> And it's a bad assumption that since the host is dual-stack that all
> services on it will be.

That's right. Email stuff that's supposed to work has to be crippled and 
disabled somehow so that it does not actually work as it is supposed to.

There's a knob to tweak to break someone's mailbox for a party prank, cut off 
a service if it isn't immediately obvious how it's affecting someone else's 
work, or screw something else up so it can't or doesn't work reliably, either.



Re: Mass Stripping Attachments by Directory, Age, Size

2021-04-01 Thread justina colmena ~biz
Well ain't that rich? To use an allegory of sorts, we're going to have to start 
using staples rather than paperclips with our email attachments, and one 
unified digital signature on the whole message as sent rather than a separate 
signature for each enclosure as commonly "done" with PGP, GnuPG, etc.

On March 30, 2021 7:39:02 PM AKDT, Plutocrat  wrote:
>Still can't find the magic solution to this.
>
>- My PERL isn't good enough to re-purpose strip-attachments.pl so it
>works on individual emails.
>- ripmime works to extract attachments only
>- altermime looked good and would delete all attachments from a
>directory of emails. However it messed up the structure somehow so they
>wouldn't display in an email client (Thunderbird, Roundcube).
>- mimeDEFANG looked possible, but couldn't figure out how to use that
>as a standalone script.
>- PHP solutions including the promising
>https://github.com/php-mime-mail-parser/php-mime-mail-parser seem only
>to be able to save attachments from the email, not delete it.
>
>I'll keep going I guess. I can't believe I'm the only person in the
>world to want to do this though ...
>
>P.
>
>On 19/03/2021 07.31, Joseph Tam wrote:
>> On Thu, 18 Mar 2021, Plutocrat wrote:
>> 
>>> I've been looking around for a solution to this problem. I want to
>prune down the attachments on a server before a migration. Some of the
>emails are 7 years old and have 40Mb attachments, so this seems like a
>good opportunity to rationalize things. So perhaps I'd like to "Remove
>all attachments from emails older than 2 years, in the .Sent
>directory", or "Attachments over 10Mb anywhere in the mail tree"
>>>
>>> I've found the strip_attachments.pl script here
>
>which works fine on mbox (as tested on my local Thunderbird mboxes),
>but not on maildir which is on the dovecot server. My Perl isn't strong
>enough to re-purpose it.
>> 
>> If you have anything that works on mbox, it will probably work on
>Maildir
>> as each file can be considered a single message mbox.  You can
>combine
>> the script with
>> 
>>  find ~user/MailDir -type f ... -exec /path/to/mbox-strip {} \;
>> 
>> The ... can be replaced with more file tests (like minimum size or
>age
>> or only within */cur/) to cut down on processing.
>> 
>> I wrote a gawk script to slim down a multi-Gb Outlook mbox
>> for a user, but it wasn't really complicated, just matching for
>> /^Content-Transfer-Encoding:.*base64/i header (virtually all bulky
>data
>> will be encoded this way), buffering the base64 data part, then
>outputting
>> it if it was small, or deleting/replacing/extracting it otherwise.
>> 
>> It was a one-off discarded tool but I can hunt for it if you're hard
>up.
>> 
>>> I've looked at ripmime and mpack/munpack, and although they seem
>like useful tools to do the job of deconstructing the mail into its
>constituent parts, it doesn't seem to help in re-building the email. I
>think they could be used with a bit of study into mail MIME structure,
>and used with a helper script.
>>>
>>> So before I take a deep dive into scripting my own solution, I just
>wanted to check if anyone else on the list has been through this and
>has some resources or pointers they can share, or maybe even someone to
>tell me "Duh, you can do it with doveadm of course".
>> 
>> MIMEDefang may help.
>> 
>> Joseph Tam 

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
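
The approach Joseph Tam outlines (treat each Maildir file as one message, filter by age and size, replace bulky parts and keep the rest) can be written with Python's standard email package, which keeps the MIME tree intact so the mail still renders. This is an added example, not a script from the thread; the placeholder text, function names and sample message are constructed, and it assumes it is run as the mailbox owner on a copy of the Maildir with the mail server stopped.

```python
import email
import email.policy
import os
import tempfile
import time
from email.message import EmailMessage

PLACEHOLDER = "[attachment removed: {name}, {ctype}, {size} bytes]\n"
# Rewriting these would invalidate the signature or break decryption.
PROTECTED = {"multipart/signed", "multipart/encrypted"}


def strip_message(raw: bytes, min_bytes: int):
    """Return (new_raw, removed_names); raw is returned untouched if nothing qualifies."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    if any(part.get_content_type() in PROTECTED for part in msg.walk()):
        return raw, []
    removed = []
    for part in msg.walk():
        if part.is_multipart() or part.get_content_disposition() != "attachment":
            continue
        size = len(part.get_payload(decode=True) or b"")
        if size < min_bytes:
            continue
        name = part.get_filename() or "unnamed"
        note = PLACEHOLDER.format(name=name, ctype=part.get_content_type(), size=size)
        # set_content() drops the old Content-* headers and body but leaves the
        # part in place, so the MIME tree and boundaries stay valid.
        part.set_content(note)
        del part["MIME-Version"]  # set_content() adds it; a sub-part does not need it
        removed.append(name)
    return (msg.as_bytes() if removed else raw), removed


def prune_maildir(root, older_than_days, min_bytes, dry_run=True):
    """Strip large attachments from old mails under root; return [(path, names)]."""
    cutoff = time.time() - older_than_days * 86400
    report = []
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) not in ("cur", "new"):
            continue
        for fname in files:
            path = os.path.join(dirpath, fname)
            st = os.stat(path)
            # Cheap filters first: a file below the threshold cannot hold a large
            # attachment, and mtime is taken as the delivery time (assumption).
            if st.st_size < min_bytes or st.st_mtime > cutoff:
                continue
            with open(path, "rb") as fh:
                new_raw, removed = strip_message(fh.read(), min_bytes)
            if not removed:
                continue
            report.append((path, removed))
            if dry_run:
                continue
            # Write into the sibling tmp/ and rename over the original, so a
            # crash never leaves a half-written mail; keep mode and timestamps.
            # Ownership is not changed, hence the run-as-owner assumption.
            tmpdir = os.path.join(os.path.dirname(dirpath), "tmp")
            os.makedirs(tmpdir, exist_ok=True)
            fd, tmp = tempfile.mkstemp(dir=tmpdir)
            with os.fdopen(fd, "wb") as out:
                out.write(new_raw)
            os.chmod(tmp, st.st_mode & 0o7777)
            os.utime(tmp, (st.st_atime, st.st_mtime))
            os.replace(tmp, path)
    return report


def build_sample(attachment_size=50_000) -> bytes:
    """Constructed message: a short text body plus one binary attachment."""
    msg = EmailMessage()
    msg["From"] = "alice@example.org"
    msg["To"] = "bob@example.org"
    msg["Subject"] = "report"
    msg.set_content("See attached.\n")
    msg.add_attachment(bytes(attachment_size), maintype="application",
                       subtype="octet-stream", filename="big.bin")
    return msg.as_bytes()


if __name__ == "__main__":
    before = build_sample()
    after, names = strip_message(before, 10_000)
    print(f"{len(before)} -> {len(after)} bytes, removed {names}")
```

The file modification time is used as the age test and is restored after rewriting; any size the server has cached for a rewritten file is not updated here.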

Re: Question about doveadm altmove

2021-03-21 Thread justina colmena ~biz
On Sunday, March 21, 2021 12:16:28 PM AKDT María Arrea wrote:
> Hello.
>  
> We are running dovecot 2.3.13. Full doveconf -n output below
>  
> In 2.3.14 Changelog I found this:
>  
> * Remove XZ/LZMA write support. Read support will be removed in future
> release. 
> We are using mdbox + XZ/LZMA for alternate storage (messages older than 2
> weeks are moved to ALT storage via cron job), so we must convert from XZ to
> another thing (maybe zstd or bz2). 

Why can't you just pipe the output of "doveadm altmove" command through an 
external command to do the XZ/LZMA compression if dovecot no longer supports 
it internally?

From doveadm-altmove (1):
> This  command  can  be  used  with sdbox or mdbox storage to move mails to 
alternative
>   storage path when :ALT= is specified for the mail location.

And that's set in stone.

https://en.wikipedia.org/wiki/XZ_Utils

So what are the issues with xz? Security? Crashes or viruses on expanding 
invalid archives?



Re: FW: imapsieve rules not matching at all?

2021-03-20 Thread Justina Colmena ~biz
I have not yet enabled imapsieve -- so far I have had fairly good luck avoiding 
spam simply by using SPF+DKIM+DMARC and enabling basic verification of incoming 
mail with opendkim and opendmarc.

Lately I have been reading some books on "fuzzy logic" and "fuzzy sets" with 
quite serious applications to artificial intelligence and neural networks that 
might be useful to classify "ham versus spam" based on actual content and 
context.

Spam versus ham is not the only sort of classification I would want to do on 
large volumes of email -- I might want to have separate folders to 
automatically classify incoming messages into separate categories for, say, 
friends-and-family, legal-related email, specific business interests, 
open-source-software or technical related email, mathematics, arts or crafts or 
literature or hobbies, etc.

This kind of stuff must be easily configurable -- per user -- by individual end 
users who are not experts in editing configuration files.

On March 19, 2021 11:38:19 PM AKDT, Aki Tuomi  
wrote:
>
>> On 20/03/2021 05:55 Gedalya  wrote:
>> 
>> 
>> On 3/20/21 7:37 AM, dove...@steve.wattlink.net wrote:
>> 
>> > plugin {
>> > imapsieve_mailbox1_before =
>file:/usr/local/etc/dovecot/sieve/report-spam.sieve
>> > imapsieve_mailbox1_causes = COPY APPEND
>> > imapsieve_mailbox1_name = Spam
>> > imapsieve_mailbox2_before =
>file:/usr/local/etc/dovecot/sieve/report-ham.sieve
>> > imapsieve_mailbox2_causes = COPY
>> > imapsieve_mailbox2_from = Spam
>> > imapsieve_mailbox2_name = *
>> > }
>> > - - - ->8 - - - -
>> > 
>> > I see that the static rule ought to have matched,
>> no!
>> 
>> > 
>> > 
>> > - - - - 8<- - - -
>> > Mar 19 16:21:48 mhv3 dovecot[47532]: imap(steve)<47541>: Debug: imapsieve: mailbox INBOX: APPEND event
>> > - - - ->8 - - - -
>> For INBOX (or * in your case) you only have COPY from Spam
>> configured, not APPEND.
>> APPENDing to Spam should trigger the relevant script though.
>> If you want to enable ham training by uploading a message to INBOX
>> you could add a third rule mentioning INBOX by name with APPEND as
>> cause.
>> 
>>
>
>We provide this handy guide for teaching spam filters, see
>https://doc.dovecot.org/configuration_manual/howto/antispam_with_sieve/
>
>Aki

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: Panic: file mdbox-map.c: line 1494 (mdbox_map_get_uid_validity): assertion failed: (map->view != NULL)

2021-03-11 Thread Justina Colmena ~biz
Is this a new zero-day denial-of-service attack or a new CVE being exploited? 
Dovecot suddenly started acting really strangely on my system lately. PAM 
authentication started failing randomly, so I reconfigured for shadow 
authentication instead, which works now, but messages I have received from 
other domains since about 11:00 am AKST today are "invisible" and not being 
synced in my inbox for some reason.

Something really, really bad is going on.

On March 11, 2021 10:22:18 AM AKST, Marc  wrote:
> 
> 
>Does this mean I have some problems with filesystem uid's? Currently I
>have only u=rwx, go is nothing.
> 
> 
> 
> dovecot-2.2.36-6.el7_8.1.x86_64

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Virtual users @ virtual domains / better documentation?

2021-03-09 Thread justina colmena ~biz
I have configured postfix so it will deliver mail to virtual mailboxes. For 
some reason, the mail is not delivered to the virtual mailboxes unless both 
$virtual_alias_domains and $virtual_alias_maps are left undefined: these 
directives are apparently for aliasing virtual users "@" virtual domains to 
"real" unix users on the local system.

--%%==
# ADDRESS REDIRECTION (VIRTUAL DOMAIN)
#
# The VIRTUAL_README document gives information about the many forms
# of domain hosting that Postfix supports.
virtual_mailbox_domains = domain1.example.org domain2.example.com
virtual_transport = virtual
#virtual_alias_domains = domain1.example.org domain2.example.com
virtual_mailbox_base = /var/mail/vhosts
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_minimum_uid = 100
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
#virtual_alias_maps = hash:/etc/postfix/virtual
==%--

If the $virtual_alias_maps directive invalidates virtual mailboxes, then "the 
usual" aliases (postmaster@, etc.) for the virtual domains would have to be 
listed in
/etc/aliases
along with the non-virtual aliases, but this does not work either, and 
generates a warning when "newaliases" is run.

postalias: warning: /etc/aliases, line 99: name must be local

So as far as I can tell, no aliasing at all is available for 
"virtual_mailbox_domains" in postfix

I am still unsure how to authenticate the virtual users on postfix. PAM 
authentication works fine for non-virtual users. The following command 
gives two options for authentication: cyrus-sasl and dovecot-sasl.

# postconf -a
cyrus
dovecot

Postfix also works with cyrus-sasl if the passwords are set in "/etc/sasldb2"
via the "saslpasswd2" command, but dovecot doesn't seem to work with
cyrus-sasl, and has its own type of sasl authentication.

I realize this is not a postfix list, so my real question here is, What do I 
need in order for dovecot to authenticate the virtual users and allow them to 
read their mail and obtain authorization to send mail via postfix on the same 
system?



Re: [trojita] No bold for text/plain mail (monospace font) in message viewer

2021-02-12 Thread Justina Colmena ~biz
I'm not sure. Why is that desirable? I would tend to think that "text/plain" is 
just that. The text is shown as typed, stars or any other characters.

Interpreting "Markdown" or other "rich text" formatting languages is an 
assumption to make for plain text emails.

5 * 6 = 30

How did you know I wanted that bold?

Many clients handle HTML emails with bold tags etc, and that is common 
for text that has to be formatted but that entails graphic design issues, bugs, 
and viruses which are much more complicated and less reliable to handle.

On February 12, 2021 3:54:45 AM AKST, Erik Quaeghebeur 
 wrote:
>Hi,
>
>
>On a new computer, I have the problem that Trojitá does not display
>monospace text bold. Such text is used for text with stars around in
>text/plain parts in the message viewer. On my old computer, bold is
>shown. Bold is also shown in the message list and message header, which
>both use a proportional font. Other applications (such as Kate and
>Konsole) show bold monospace fonts fine.
>
>So it must be a configuration issue. But I can't find out where. I know
>there were some KDE/Qt bugs related to bold text for monospaced fonts
>not working a few years back. However, none of the workarounds mentioned
>there seem appropriate.
>
>Does anyone have any idea?
>
>
>Best,
>
>Erik

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.



Re: Urgent Help required

2020-07-08 Thread Justina Colmena ~biz



On July 8, 2020 11:01:20 AM AKDT, Alexander Dalloz  wrote:
>Am 08.07.2020 um 20:28 schrieb Kishore Potnuru:
>> Thank you for the reply.
>> 
>> As per our current infrastructure, I can go maximum of the redhat 7.7
>> version. Not more than that. Am I able to install or upgrade to
>> dovecot 2.3 version in redhat 7.7?

I am running Dovecot 2.2 "u" on CentOS from https://ius.io/. If there is a 
package there for 2.3, it should be possible to upgrade on either CentOS or 
RHEL.

I am still a little bit confused or concerned why mainstream packages seem to 
be lagging so far behind on CentOS and RHEL since the sudden acquisition or 
hostile corporate takeover of Red Hat by IBM.

Possibly a corporate labor-union work slowdown.  IBM is too big, too blue, and 
too politically correct. Something is a little bit off. Too many echoes in the 
hallways.

/Sorry for the rant.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


POP3Deleted flag issues

2020-06-29 Thread Justina Colmena ~biz
Hello,

I have been running my own mail server with Dovecot, Postfix, and Cyrus-SASL 
for authentication.

= dovecot22u.x86_64 1:2.2.36.4-1.el7.ius @ius

I am basically trying to tune the system for better performance. The flat files 
"/var/mail/justina" etc exhibit locking issues and conflicts when fetching mail 
at the same time new mail is being delivered by Postfix. Other mail is stored 
in "Maildir" type folders accessible via IMAP. These exhibit better performance 
with finer grained locking.

There's an "idea" that was posted to the list 7 years ago, shows up top rank on 
Google.

https://dovecot.org/pipermail/dovecot/2013-May/090114.html

I fear either an incomplete implementation of the feature or "here-be-dragons" 
code that may or may not be completely documented.

I would like all the "$POP3Deleted" mail to be moved to an "Archive" Maildir 
folder accessible via IMAP. How do I accomplish this?
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: Improvements and thoughts on small projects for advocacy

2020-05-25 Thread Justina Colmena ~biz



On May 15, 2020 9:46:16 AM AKDT, Theo de Raadt  wrote:
>It is amazing how you keep digging up additional mandates for the
>OpenBSD project!
>
>Brilliant work.
>
>I'm wondering if you have a view on our UFO research?
>
>
There's Area 51, of course, from the same _area_ as SCO and the headquarters of 
GoDaddy, the popular domain registrar. How far is Roswell from Santa Cruz? New 
Mexico is a mental health state. It's not clear what did or didn't happen, but 
the ancient feudal system of Spanish common law remains to this day in the 
Southwest U.S. as if the revolution of Cinco de Mayo has been rolled back, 
never mind U.S. independence and jurisdiction in that area. E.U. and NATO are 
operating there, it would seem.

More in my area we have H.A.A.R.P. (High-altitude Active Auroral Research 
Project) which grew out of some strangely conceived joint project between 
Eielson Air Force Base officials and University of Alaska Fairbanks faculty 
back from when (mostly liberal) college students and (mostly conservative) 
military personnel had somewhat more peaceful and cordial relations than they 
do today. The top-secret project is still in existence, reportedly with private 
non-governmental funding from philanthropist George Soros, who is rather quite 
at odds and not very well disposed at all toward the current presidential 
administration of Donald Trump.
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.



Re: Improvements and thoughts on small projects for advocacy

2020-05-16 Thread Justina Colmena ~biz



On May 14, 2020 7:23:11 PM AKDT, Theo de Raadt  wrote:
>That's incredibly insightful!
>
>You are precisely the true leader OpenBSD needs to compete in the
>harsh corporate environment that gives us no respect!
That might be going a bit far. You talk about *crying* on a public mailing 
list, and that's pretty much how it is in any case if you've got a PayPal or 
eBay account. It's nothing but a phishing scam. They "phish" you for 
information and everything you own. There's a vanity license plate "PHISH" 
parked next door to an auctioneer in Anchorage. People think it's cute because 
chartered and guided sport fishing is offered to tourists. I'm not welcome in 
town anymore, needless to say. It's an auction or a crying sale for everything, 
and some of you folks ask for people to buy computer stuff and hardware for you 
there.

People shamelessly burglarize, steal, rob, and extort in order to acquire all 
this stuff, including firearms, and then they sell it at auction, all 100% 
legal passed an FBI background check fingerprints and everything.

Meanwhile, I have been gradually and progressively shut out of the PayPal // 
eBay market and trespassed off the property of the U.S. Postal Service, Best 
Buy and other places where computer parts and hardware are sold. I can't obtain 
any of this hardware any more than anybody else can, and I usually have to pay 
a lot more for it than others do, to boot, if I'm even allowed to keep any 
computer parts in my possession without getting busted on a felony warrant by 
Nazi cops straight out of City Hall.

It's getting bad. I'm not lying here. I want to know exactly who these cops 
are, who's paying them, exactly how much, and what their political or "family"  
motivations are for suddenly striking with false accusations in court and 
filing false criminal charges from time to time, apparently at random, but year 
after year without letup, in carefully arranged "setups" against certain 
Targeted Individuals and Personae Non Gratae.

I'm not trying to be a terrorist or go off on a shooting rampage or anything 
like that: it's precisely those same gun control politicians who insist with a 
straight face in federal court that computer cryptography is a munition of war 
subject to their gun control export regulations.

>
>
>
>Justina Colmena ~biz  wrote:
>
>>
>> On May 14, 2020 5:24:38 PM AKDT, Theo de Raadt wrote:
>> >
>> >So you go find a mailing list noone in the industry reads,
>> >and *cry* into it.
>> >
>> >never know, it might change the world.  Or not.
>> >
>> "In the industry" again. Here we go again. I've been banlisted and
>> blackballed out of all those "labor unions" since my youth. They had a
>> "VICA" club at my high school many years ago, and I was not invited.
>>
>> >> I'm not trying to be religious here, but Martin Luther and others
>> >> have explained that we cannot make it to heaven or achieve success
>> >> in this life by works of the law.
>> >
>> >nor can you by crying about hardware injustice on a mailing list
>> >read by noone
>>
>> Certain "working class" people aggressively claim all sorts of
>> collective bargaining, work-related and employment rights and then they
>> ride roughshod over basic human rights for everyone and everything
>> else. It's the Mob. And then the bosses play right into their hands
>> with delusions of "intellectual property," 100-year corporate
>> copyrights, employee non-compete agreements and non-disclosure
>> agreements, business-method patent portfolios, selectively enforced
>> trademarks on common dictionary words, and government top secret
>> classification for business trade secrets.
>>
>> Then the "free software" folks hired some of the same lawyers to come
>> up with the "GPL," and there's an "established" Linux kernel to boot
>> all that GNU software, and the Santa Cruz Operation ("SCO" out of the
>> same vice district as Las Vegas, Salt Lake City, and Denver) hit them
>> with poisoned code, cartel copyright allegations, and a magic solution,
>> "Well, if you didn't release such reliable mission-critical code to the
>> public, all would be well for the mil-spec employment market in Silicon
>> Valley (San Francisco, California.)
>>
>> Noone? I don't know. In French they say «personne» unless they're
>> lawyers, in which case they say «nulle personne» … they're workers. You
>> can't fire them. They never quit. They're always "serving" you in court
>> or at law with something or another you didn't order and you don't
>> want.
>>
>> -- 
>> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>>

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.



Re: Improvements and thoughts on small projects for advocacy

2020-05-15 Thread Justina Colmena ~biz



On May 15, 2020 3:04:06 AM AKDT, jeanfrancois  wrote:
>Justine,
>
>No one except a few people probably make OpenBSD so you won't
>find what you expect here, except what you put in if we can say so.
There is too much "help" out there, and no enterprise to speak of. The risk of 
criminal prosecution is too high, people are dealing drugs on OpenBSD, and the 
cops are cracking down, but it sure ain't the dealers taking the fall for the 
drugs in any court of law. It's us "users" who haven't paid our dues for 
"protection" from the usual extortion rackets in town, not that we actually 
made a "choice" of our own free will to do anything illegal.

>
>So it depends upon if you find it worthwhile to investigate.
>
>I deeply think OpenBSD needs to remain small that's all, but it's free
A small trusted (audited) code base is great: lean and mean is definitely the 
right spirit, but some of the underlying hardware and the interfaces to connect 
to it are getting out of hand. It's  undocumented, or poorly documented, 
subject to NDA and exclusive agreements with SCO and MSFT.

I would need to get basic laptop hardware recognized and booted properly before 
I'm SWATted, trespassed off the property, arrested, and end up having all my 
computer equipment confiscated by corrupt thin-blue-line-flag cops on the take.

No I'm not blaming OpenBSD, don't take it that way. It's the Chaos Computer 
Club, the Cult of the Dead Cow, and similar groups who have gotten into the 
U.S. government and gained the ability to file and prosecute arbitrary criminal 
charges against Targeted Individuals.

>you can use it if you like, and even create projects and then let us
>know about it.
Nice. I can "use" it, "responsibly," I presume. I'm not a "hacker" and I'm not 
breaking any laws and I'm not taking anyone's paid job away by using open 
source.
>
>That's what advocacy also is for.
Well I probably do need an attorney to defend myself against all the civil and 
criminal allegations from the SCO team et alia, or I would, except all those 
attorneys are on Facebook and Twitter, they use Microsoft Windows in the 
office, and they're in trouble with the bar because they're all THIEVES IN LAW 
(воры в законе) hard at work stealing money, confiscating property, and 
REVOKING basic human rights and dignities "on vice" for life without recourse.

Sorry for the rant, but somehow we've got to get a grip on serious organized 
crime, somehow grab those guys by their scruffy white collars or dirty blue 
collars or whatever is the requisite clothing for their chosen profession or 
vocation, haul *them* into their own court system, make *them* face the charges 
for their crimes, rather than allowing them to live a life of crime and use 
their court system as a tool against us.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.



Re: Improvements and thoughts on small projects for advocacy

2020-05-15 Thread Justina Colmena ~biz



On May 14, 2020 5:24:38 PM AKDT, Theo de Raadt  wrote:
>
>So you go find a mailing list noone in the industry reads,
>and *cry* into it.
>
>never know, it might change the world.  Or not.
>
"In the industry" again. Here we go again. I've been banlisted and blackballed 
out of all those "labor unions" since my youth. They had a "VICA" club at my 
high school many years ago, and I was not invited.

>> I'm not trying to be religious here, but Martin Luther and others
>> have explained that we cannot make it to heaven or achieve success in
>> this life by works of the law.
>
>nor can you by crying about hardware injustice on a mailing list
>read by noone

Certain "working class" people aggressively claim all sorts of collective 
bargaining, work-related and employment rights and then they ride roughshod 
over basic human rights for everyone and everything else. It's the Mob. And 
then the bosses play right into their hands with delusions of "intellectual 
property," 100-year corporate copyrights, employee non-compete agreements and 
non-disclosure agreements, business-method patent portfolios, selectively 
enforced trademarks on common dictionary words, and government top secret 
classification for business trade secrets.

Then the "free software" folks hired some of the same lawyers to come up with 
the "GPL," and there's an "established" Linux kernel to boot all that GNU 
software, and the Santa Cruz Operation ("SCO" out of the same vice district as 
Las Vegas, Salt Lake City, and Denver) hit them with poisoned code, cartel 
copyright allegations, and a magic solution, "Well, if you didn't release such 
reliable mission-critical code to the public, all would be well for the 
mil-spec employment market in Silicon Valley (San Francisco, California.)

Noone? I don't know. In French they say «personne» unless they're lawyers, in 
which case they say «nulle personne» … they're workers. You can't fire them. 
They never quit. They're always "serving" you in court or at law with something 
or another you didn't order and you don't want.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.



Re: Improvements and thoughts on small projects for advocacy

2020-05-14 Thread Justina Colmena ~biz



On May 14, 2020 4:52:05 PM AKDT, Theo de Raadt  wrote:
>Aisha Tammy  wrote:
> ...
>
>I suspect you are an enthusiastic person who wants to send a mail to us,
>telling us what to do.
>
>But that which you dream of?  You won't lift a leg to do any of it.
>
Lift a leg? We simply cannot get our hands out of these proprietary computer 
hardware legal handcuffs anywhere in the U.S. or Canada to help out in any 
technical capacity.

>> Voicing your ideas and finding like minded people is a good motivator
>> for doing a project.
>
>No, doing work is what makes projects.
>
I'm not trying to be religious here, but Martin Luther and others have 
explained that we cannot make it to heaven or achieve success in this life by 
works of the law.

>
>What a waste of time.

"For what the law could not do, in that it was weak..."  Jesus!

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.



Re: Improvements and thoughts on small projects for advocacy

2020-05-14 Thread Justina Colmena ~biz



On May 14, 2020 3:24:32 PM AKDT, Theo de Raadt  wrote:
>Kyle Willett  wrote:
>
>> I think OpenBSD advocacy could do more too.  I read on an open source
>> news site that Lenovo is going to start offering a Fedora Linux option
>> on their Thinkpad lineup and already certifies some for Red Hat
>> Enterprise Linux.  I think it would be great if we could get some
>Who is "we"?
I (for one) am currently the proud owner of a Lenovo IdeaPad L340 with 4 
dual-core processors on it.
>   
>> hardware manufacturer to certify OpenBSD on a device and offer it
>> pre-installed as an OS choice.  I think that would be a good thing for
>> the project.  Maybe an AMD64 x86_64 laptop is too much at first and
>> maybe we should start with one of the arm or mips laptops supported
>
>Who is "we"?
>
>> well by OpenBSD.  I don't know just a dream I have.
>
I am currently running Fedora 31 and I would strongly consider switching back 
to OpenBSD, as I have used it in the past, if the proper hardware support were 
in place.
>Why go around telling people your dreams?  Why not do all this yourself?
>You don't need a mailing list for it.  Is it your dream that others in
>the group "we" will do what you dream?
>
>What you are doing here is advocating that other people do that which
>you don't and won't do yourself.  To be honest, it comes off small
>minded.
"We" are suffering from many of the same hardware problems you are, when you 
can't get documentation from the manufacturers of hardware devices, __without 
an NDA__, to write OpenBSD drivers for them.

 * General bit rot: Rowhammer, hard drive crashes, etc.
 * Proprietary patented intellectual property with "No user serviceable parts 
inside."
 * "This product contains a _ known to the State of California to cause 
cancer."
 * "The NSA" with all the undocumented back doors for the cops in everything, 
the USA crypto export regulations.
 * The FBI warnings on the movies, the Mounties in Canada and the State 
Troopers in the U.S., the copyrighted content, the child pornography, the 
firearms, the weed, and all sorts of other information deemed illegal for us to 
possess on our own computers.
 * The "hack job" in the mainstream media: we're all "hackers" if we don't use 
Microsoft® Windows® on an approved Intel® microprocessor as approved by the 
corporate boss.
 * The "evil maid" attack of some lady digging in a guy's computer with a 
private investigator or a subpoena for an anti-harassment civil suit or a 
restraining order or no-contact order or something like that.
 * The drug dealers and the hit men on the "dark web", the Bitcoin miners and 
the crypto currency mining bots.
 * The constant double-dealing between "full" KVM virtualization and 
Linux-kernel-only "paravirtualization" in the cloud.
 * The SWAT teams with their doorbuster warrants for anybody who runs a 
"server."
 * No IPv6 support anywhere under the sun.
 * ...

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.



[dmarc-discuss] Basic questions

2020-02-07 Thread Justina Colmena via dmarc-discuss
I have some basic questions about the implementation of DMARC policies after 
reading some of the official documentation.

For "p=quarantine", "rua=mailto:postmas...@example.biz" (if specified) should 
receive periodic spam reports, correct?

If "p=reject", then "ruf=mailto:postmas...@example.biz" is basically a "bounce 
address" for rejected messages, but if "ruf=mailto:" is not going to be 
specified, then why would someone even consider specifying "p=reject" rather 
than "p=quarantine"?

Then there is the "pct=xx" parameter for the chosen policy.

Does this mean that the chosen "p=" policy is intended to be applied uniformly 
at random (by a probabilistic lottery) to messages that fail the DMARC check, 
or by a more sophisticated method designed to catch the "spammiest"  xx% of 
messages failing the full DMARC check?
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)
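
How a receiver applies "p=" and "pct=" under RFC 7489, as an added example that is not part of the original message or of any DMARC implementation: the published policy is applied to a random pct percent of failing messages, and the rest get the next-lower policy. The sample record, its report address and the function names are constructed for illustration.

```python
import random

# RFC 7489 section 6.6.4: a failing message that is NOT selected by the pct
# sampling is handled under the next-lower policy, not simply let through.
NEXT_LOWER = {"reject": "quarantine", "quarantine": "none", "none": "none"}

# Constructed sample record (not taken from the message above).
SAMPLE = "v=DMARC1; p=reject; pct=25; rua=mailto:dmarc-reports@example.org"


def parse_dmarc(txt):
    """Parse a DMARC TXT record into the tags this example uses."""
    pairs = [part.split("=", 1) for part in txt.split(";") if "=" in part]
    tags = [(k.strip().lower(), v.strip()) for k, v in pairs]
    if not tags or tags[0] != ("v", "DMARC1"):
        raise ValueError("v=DMARC1 must be the first tag")
    rec = dict(tags)
    policy = rec.get("p", "").lower()
    if policy not in NEXT_LOWER:
        raise ValueError("missing or unknown p= policy")
    pct = int(rec.get("pct", "100"))          # default is 100
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")

    def uris(tag):
        return [u.strip() for u in rec.get(tag, "").split(",") if u.strip()]

    # rua = aggregate (statistical) reports, ruf = per-message failure reports.
    # Aggregate reports cover every message, whether or not pct selected it.
    return {"p": policy, "pct": pct, "rua": uris("rua"), "ruf": uris("ruf")}


def disposition(record, dmarc_pass, rng):
    """Return the policy a receiver applies to one message."""
    if dmarc_pass:
        return "none"                          # aligned SPF or DKIM passed
    if rng.random() * 100 < record["pct"]:     # uniform random sampling
        return record["p"]
    return NEXT_LOWER[record["p"]]


def simulate(txt, failing_messages, seed=1):
    """Count dispositions for a batch of messages that all fail DMARC."""
    record = parse_dmarc(txt)
    rng = random.Random(seed)                  # seeded so the run is repeatable
    counts = {"reject": 0, "quarantine": 0, "none": 0}
    for _ in range(failing_messages):
        counts[disposition(record, False, rng)] += 1
    return counts


if __name__ == "__main__":
    print(parse_dmarc(SAMPLE))
    print(simulate(SAMPLE, 10000))
```
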

Re: Ok this is a stupid questions

2019-02-25 Thread justina colmena via Gnupg-users
On February 25, 2019 5:13:32 AM AKST, Michael Holly  
wrote:
> So I completely preface this question is not a valid use case for gpg.
>  I know, I get it.
> 
> I have a potential issue that I'm trying to diagnose.  I'm trying to
> understand how gpg will react to the input file size changing during
> the encrypt or decrypt step.
> 
> Right now it appears that the gpg process goes a bit crazy and the 200
> MB file I am decrypting becomes 1.2 TB or greater.
> 
> Here is the order of the events
> 
> 
> 1.   File lands on my system.
> 
> 2.   PGP decrypt is invoked on the file.
> 
> 3.   Since the file is not truly done being sent to me, the file
> grows in size.
> 
> 4.   GPG seems to expand the decrypted file many times over.
> 
> What I suspect is that instead of erroring out, GPG starts the decrypt
> process over and appends the new output to the previous cycle..   I
> have not tested this, but will soon.
> 
> I just wanted to see if anyone else has seen this happen.
> 
> Thanks
> 
> Michael

News media questions?

Many times it is the case that large files are compressed before being 
encrypted, and there are certain information-theoretical reasons to do so.

Aside from efficiency and possibly a slightly better security, it is absolutely 
impossible to compress files after they are encrypted because the repetitive or 
redundant patterns, on which the compression is based, are precisely what is 
obfuscated and concealed by the encryption.

In any case, if the file was compressed before encryption, then it will have to 
be expanded back to its original size after decryption.

Then there is the base64 ASCII armor, which causes a ciphertext expansion to 
the tune of some 35% by using only 6 of the 8 bits of each byte plus extra 
formatting for new lines and such.

So how did the Firstlook Media reporters from The Intercept come to give up 
their GPG keys and go so mainstream corporate? They never got along all that 
well with the military, and they're not even remotely "alternative" anymore if 
they ever were. It's all establishment Democrat party line mainstream media, 
and "Don't you dare try to get smart and buck the labor union!" Holed up in 
Brazil somewhere pushing that atrocious "7me" spyware app on my Android phone 
as if that gay male reporter is suddenly a good Christian sitting on the church 
pew keeping the Sabbath so obediently on the Seventh Day and circumcising his 
kids under the law of Moses.

That's why I have to call foul play on proprietary operating systems. 
Encryption is theoretical only: in practice useless, moot, crippled, broken, 
and terminally back-doored with all the malware, adware, spyware, worms, 
viruses, trojans, keyloggers, and screenscrapers inherent to such systems as 
Google Android, Microsoft Windows, and Apple OS. The Democrats will stop at 
nothing to keep it that way at all costs, and the Republicans just don't care.
-- 
Una Milicia bien regulada, estando necesaria a la seguridad de un Estado libre, 
el derecho del pueblo de tener y de portar Armas, no será infringido.

https://www.colmena.biz/~justina/

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
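
The size effects described in the message above (compression before versus after encryption, and base64 armor overhead), measured in an added example that is not GnuPG code and not part of the original message. It assumes a toy SHA-256 keystream cipher as a stand-in for a real OpenPGP cipher, 64-character armor lines as GnuPG writes them, and a constructed sample plaintext; armor header lines and the CRC are left out.

```python
import base64
import hashlib
import zlib

# Constructed, highly redundant sample plaintext (about 230 kB).
SAMPLE = b"2019-02-25 batch=0001 status=OK amount=100.00\n" * 5000


def toy_encrypt(key, data):
    """XOR data with a SHA-256 counter-mode keystream.

    Toy cipher for measuring sizes only; it stands in for the symmetric
    cipher inside OpenPGP and must not be used to protect anything.
    Applying it twice with the same key returns the input.
    """
    out = bytearray(len(data))
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        for i, byte in enumerate(data[off:off + 32]):
            out[off + i] = byte ^ pad[i]
    return bytes(out)


def armor_body(data, width=64):
    """Base64-encode data and break it into lines, as ASCII armor does."""
    b64 = base64.b64encode(data).decode("ascii")
    return "".join(b64[i:i + width] + "\n" for i in range(0, len(b64), width))


def measure(plaintext, key=b"constructed-demo-key"):
    """Return byte counts for each processing order."""
    packed = zlib.compress(plaintext, 9)
    ciphertext = toy_encrypt(key, plaintext)
    return {
        "plaintext": len(plaintext),
        # Compress first: the redundancy is still visible to zlib.
        "compress_then_encrypt": len(toy_encrypt(key, packed)),
        # Encrypt first: the ciphertext looks random, zlib gains nothing.
        "encrypt_then_compress": len(zlib.compress(ciphertext, 9)),
        # 4 output chars per 3 input bytes, plus one newline per 64 chars.
        "armored_ciphertext": len(armor_body(ciphertext)),
    }


if __name__ == "__main__":
    result = measure(SAMPLE)
    for name, size in result.items():
        print(f"{name:24s} {size:8d} bytes")
    ratio = result["armored_ciphertext"] / result["plaintext"]
    print(f"armor expansion: {100 * (ratio - 1):.1f}%")
```
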


Re: The "advanced" URL of openpgp-webkey-service-07, and l=

2019-02-12 Thread justina colmena via Gnupg-users
On February 11, 2019 4:04:31 AM AKST, Alessandro Vesely  wrote:
>Werner,
>
>I just saw version -07 today.  The advanced method:
>
>WELLKNOWN := https://openpgpkey.example.org/.well-known/example.org/openpgpkey
>
>doesn't seem to make much sense to me.  I tried it with posteo.de, and
>got:
>
>ale@pcale:~/tmp$ dig +short openpgp.posteo.de
>89.146.220.134
>
>ale@pcale:~/tmp$ curl --head https://openpgp.posteo.de/.well-known/posteo.de/openpgpkey/submission-address
>curl: (51) SSL: no alternative certificate subject name matches target host name 'openpgp.posteo.de'
>The subdomain is probably a star (*) DNS record.  However, their
>certificate's Subject Alt Name doesn't have a star, but a list of
>subdomains.  Certificates cost, albeit not much, so the need to set up
>a new subdomain may hamper implementation.
>
>I'm unable to get the "flexibility in setting up the Web Key Directory
>in environments where more than one mail domain is hosted".  Say I host
>A.example and B.example.  Then I need to set up both subdomains
>openpgpkey.A.example and openpgpkey.B.example.  Internally, they can be
>redirected in a number of ways, but the server should hold the
>HTTP_HOST anyway.  To repeat the mail domain between .well-known and
>openpgpkey doesn't seem to help much.
>
>The openpgpkey folder can be implemented by plain files named after the
>32 byte string and containing the key to be served.  The l= parameter
>would just be discarded in that case.  Otherwise, if the server side
>script is cute, should it verify whether the value of the parameter
>interpreted as a local part matches the 32 byte string?  What if they
>don't match?  To urlencode the local part might have been easier than
>Z-encoding its SHA1, but what's the point of doing both?
>
>
>Best
>Ale
>
>

Certificates COST, do they?

Should a * star certificate COST so infinitely much, then?

WELLKNOWN := Check the sex offender registry list, grab a guy by short and 
curlies, dig in with your fingernails, and give a sharp twist to the left, or 
something like that.

Is that what those Russian ladies from NGINX call a "leftist" programming style?
-- 
Una Milicia bien regulada, estando necesaria a la seguridad de un Estado libre, 
el derecho del pueblo de tener y de portar Armas, no será infringido.

https://www.colmena.biz/~justina/



Re: [k9mail/k-9] Makes PGP sign-only mails very difficult (#2375)

2019-02-05 Thread justina colmena via Gnupg-users
On February 4, 2019 8:07:33 AM AKST, Citizen Kepler  
wrote:
>I would like to say that I need to have a signature on all of the
>emails that I send to authenticate me as the sender, but not encrypt
>them.  Often these messages are going back into bug tracking systems or
>mailing lists, and manually signing each email is a bad solution.   I
>will need to allow a opt-in sign by default option. 

[[[Date: Tuesday, February 5, 2019, 12:45 PM AKST]]]
PGP signatures do have a couple of rather severe and vicious limitations.

THE DATE PROBLEM. Only the body of the email is signed, not the envelope 
headers, namely the subject and intended recipients, and probably most 
importantly, the date. It would be nice to have an option to automatically 
include some of these headers in the body of the signed message when composing 
a signed email message.

THE STRIPPING PROBLEM. Currently, each attachment is signed separately and 
independently by the PGP-MIME standard. It would be preferable to digitally 
sign SHA hashes of the main message and all attachments in a single additional 
attachment. This would leave an indication of any attachments that may have 
been "stripped" from the email message, but without breaking the signatures of 
remaining attachments in such cases.

Bust that 55+ EFF nightclub and do it right, folks, unless it's the youth wing 
spouting the exact same old fogies' party line. 
-- 
Una Milicia bien regulada, estando necesaria a la seguridad de un Estado libre, 
el derecho del pueblo de tener y de portar Armas, no será infringido.

https://www.colmena.biz/~justina/contacto.php
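
The manifest idea proposed in the message above (one signed list covering selected headers plus a hash of the body and of each attachment), sketched as an added example that is not K-9 Mail, GnuPG or PGP/MIME code. HMAC-SHA256 with a shared demo key stands in for the OpenPGP signature; the header set, function names and sample message are constructed for illustration.

```python
import hashlib
import hmac
import json

# Headers copied into the signed manifest (assumed set for this example).
SIGNED_HEADERS = ("Date", "From", "To", "Subject")

# Constructed sample message.
KEY = b"constructed-demo-key"
HEADERS = {
    "Date": "Tue, 05 Feb 2019 12:45:00 -0900",
    "From": "alice@example.org",
    "To": "bugs@example.org",
    "Subject": "Patch for the parser",
}
BODY = b"Patch and build log attached.\n"
ATTACHMENTS = {"patch.diff": b"--- a/parser.c\n+++ b/parser.c\n",
               "log.txt": b"build ok\n"}


def _sha256(data):
    return hashlib.sha256(data).hexdigest()


def build_manifest(headers, body, attachments):
    """Collect everything the signature should cover into one structure."""
    return {
        "headers": {h: headers.get(h, "") for h in SIGNED_HEADERS},
        "body": _sha256(body),
        "attachments": {name: _sha256(data)
                        for name, data in attachments.items()},
    }


def sign(manifest, key):
    """Serialise the manifest and authenticate it (HMAC as signature stand-in)."""
    blob = json.dumps(manifest, sort_keys=True).encode()
    return blob, hmac.new(key, blob, hashlib.sha256).hexdigest()


def verify(blob, tag, key, headers, body, attachments):
    """Check the manifest, then compare the received message against it."""
    expected = hmac.new(key, blob, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return {"signature": "bad"}          # nothing in the blob is trusted
    manifest = json.loads(blob)
    parts = {}
    for name, digest in manifest["attachments"].items():
        if name not in attachments:
            parts[name] = "stripped"         # listed in manifest, not received
        elif _sha256(attachments[name]) == digest:
            parts[name] = "ok"
        else:
            parts[name] = "modified"
    for name in attachments:
        if name not in manifest["attachments"]:
            parts[name] = "unsigned"         # added after signing
    return {
        "signature": "good",
        "headers_changed": sorted(h for h, v in manifest["headers"].items()
                                  if headers.get(h, "") != v),
        "body": "ok" if _sha256(body) == manifest["body"] else "modified",
        "attachments": parts,
    }


if __name__ == "__main__":
    blob, tag = sign(build_manifest(HEADERS, BODY, ATTACHMENTS), KEY)
    received = {"patch.diff": ATTACHMENTS["patch.diff"]}   # log.txt removed
    print(verify(blob, tag, KEY, HEADERS, BODY, received))
```
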



Re: Gnupg-users Digest, Vol 184, Issue 22

2019-02-03 Thread justina colmena via Gnupg-users
On February 3, 2019 7:48:28 AM AKST, "Robert J. Hansen"  
wrote:
>> What i liked about PGPfone was that you could directly connect to your
>> communications partner, without any servers involved and it was super
>> easy to use. You simply put in the (current) IP Address, connect and then
>> read some displayed letters to each other, to prevent MITM, and then
>> communicated. There was no learning curve involved.
>
>In the era before NAT, this may have made sense.  In today's
>NAT-pervasive era, not so much.
>
>Under NAT, your IP address is hidden from the rest of the internet. The
>address my router gives me is not one the outside world can use to route
>information to me; and if I go to a website that lists my IP, that's
>actually my router's IP, not mine.
>
>I won't go into how NAT works except to say that under NAT, connections
>cannot[1] be made from one peer to another.  You need a server that's
>not NATted in order to facilitate connections between peers.
>
>So -- I hate to be the one to tell you this, but the architecture of the
>internet has changed dramatically since PGPfone was released in ... what
>was it, '94?  Today, one of the major purposes of these servers is to
>facilitate traversing NATs.
>
>
>[1] It's technically possible to do peer to peer behind NAT, but beyond
>the technical capabilities of the vast majority of users.

The official answer to NAT is IPv6. Works quite well, except for a few 
technology luddites.

Other than that, my place was SWATted about 1:30am last night. The previous 
night the phone rang at 4:38am, caller ID from Washington, D.C. A strange car 
had been parked at my place, listening for the phone to ring.

We've got to think outside the box on that one. There's a German pub down the 
street, the "West Berlin," just across from the local telephone office, GCI, 
yes, luddites, all NAT, no IPv6. Gotta go AT for that.

So think reality: location, location, location. It's S.O.P. for the C.C.C., and 
no, we're not talking about the Civilian Conservation Corps. Young white male 
cops on the graveyard shift, amped up on adrenaline and testosterone, brash and 
eager to make their bones on a big bust. That color-of-law stuff from the feds 
is starting to get to them.

Talk too much on the phone, and there's bound to be some girl or female 
operator pressing charges by the minute. "Get off my block, bitch, I'm 
listening!" she mutters in a sleepy voice. It's the Democratic boiler room 
Party line. The ladies have a stranglehold on the telephone surveillance 
business, yes, those ladies, meaning none other than Dianne Feinstein and 
friends on the Senate Intelligence Committee, Eve and Mallory listening to 
Alice and Bob.
-- 
A well regulated Militia, being necessary to the security of a free State, the 
right of the people to keep and bear Arms, shall not be infringed.

https://www.colmena.biz/~justina/contacto.php


Re: Gnupg-users Digest, Vol 184, Issue 22

2019-02-01 Thread justina colmena via Gnupg-users
On February 1, 2019 10:05:58 AM AKST, Stefan Claas  wrote:
>On Thu, 31 Jan 2019 19:43:35 -0900, justina colmena wrote:
>
>> With regards to PGPfone etc., all you need to do is run Asterisk on a server
>> somewhere, enable SIP with encryption. If you or your conversation partner
>> don't have a public key, there is a voice verification of endpoints, but do
>> note that encrypted real-time voice conversations are extremely difficult to
>> protect from packet-timing and other side-channel attacks which often
>> trivially reveal a muffled but clear recording and transcript.
>
>Thanks for the info, but i do not want to install server software, for
>encrypted communications, where 3rd parties could have theoretically access
>to it.
>
>Maybe someone, in the future, can pick-up the idea of PGPfone and develop it
>further so that it can be used on Linux too or modern macOS. The old Windows
>version still runs fine, under Windows 7, for example.
>
>Regards
>Stefan
>
>P.S. About my domain name, for the interested women or children, please take
>a look here: https://en.wikipedia.org/wiki/Baud

I am definitely not asking anyone to install anything for my use. I'm just 
trying to explain AFAIK, what you need to do if you want to experiment with 
voice encryption.

I don't want to be held responsible for it or arrested for it any more than 
anyone else, and I'm also trying to explain how some of these things come 
across to authorities who continually and repeatedly insist on viewing all such 
matters in the worst possible light.

Didn't Martin Luther say to place the best construction on all things? But no, 
we must submit to "parallel construction" and falsely sworn warrants by 
over-informed and under-educated law enforcement officers. "Thou shalt not bear 
false witness" and all that, and we just had a holiday, Dr. Martin Luther King 
Jr. day - and that's right, now that I think about it - not only a doctorate 
like his German namesake, but his father and grandfather and their wives must 
have been staunch Lutherans as well, in so far as to name one son after another 
after him.

There is so much Catholic insistence on communist totalitarianism under a papal 
dictatorship of the proletariat, and opposition in the name of that religion to 
every precept of human rights and due process of law, that even the Finnish 
Protestants preach "oikeutta" & "lain oikeaa käyttöä" in church, because like 
us they have not attained to such rights and freedoms in this life on Earth, 
and so the struggle continues against Catholicism.

The full name of "baud" is "Baudot," a Frenchman, if I recall correctly, a 
contemporary of Hartley or Shannon, definitely a co-worker on such matters. 
Living relatives? Is it another family feud? France is practically at war 
already with a migrant situation, the recent Europol or Interpol shake-up with 
China or Russia or South Korea, general E.U. upheaval, Brexit sympathies, and 
so on and so forth.
-- 
A well regulated Militia, being necessary to the security of a free State, the 
right of the people to keep and bear Arms, shall not be infringed.

https://www.colmena.biz/~justina/contacto.php


Re: Gnupg-users Digest, Vol 184, Issue 22

2019-02-01 Thread justina colmena via Gnupg-users
On January 30, 2019 1:47:41 PM AKST, Stefan Claas  wrote:
>On Wed, 30 Jan 2019 12:46:26 -0800, Allen M. Juinio wrote:
>> > Date: Wed, 30 Jan 2019 20:44:07 +0100
>> > From: Stefan Claas 
>
>> > On the other side i wish PGPfone would have been further developed.
>> > I found it, way back then, pretty cool and super easy to use, compared
>> > to PGP or GnuPG.
>
>> Have you tried using Signal from Open Whisper Systems?  They have both an
>> Android and Apple version.
>
>Thanks, i am aware of Signal, but what i mean is to communicate directly
>and not via servers and also by not giving away phone numbers.
>
>With PGPfone one needed only the (current) IP address of its communication
>partner and then connected directly, without any servers involved.
>
>Regards
>Stefan

I don't mean to sound rude or out of place, but there appear to be too many 
distractions to have a productive discussion on this list, and there are some 
critical issues, because GnuPG has become an essential part of many important 
systems throughout the free and open source software community.

The weekly "digest" option for the mailing list should be no-reply. People who 
wish to participate in a pointed or on-topic discussion really need to receive 
each email message independently.

I realize it's a German domain, but 300baud.de is just really obnoxious in 
English. The phrase "300 baud" itself is, of course, completely unobjectionable 
hacker lore, but baud+de = "bawdy" as in "bawdy house" which is extremely 
vulgar in English. Only for the gentlemen.

That sort of "humor" is not friendly to women and children, and I know 
especially a lot of women and girls would otherwise be very interested in 
cryptography, PGP-encrypted email, etc. Let's lose the vulgarity and focus on 
Alice's secret message to Bob, something Eve or Mallory has no need to know, 
basic elements of what needs to be done right with respect to the core 
functionality of GnuPG.

Not to advertise, but my own domain is the Spanish word "colmena" (hive, colony 
of bees, beehive in English) with the "biz" tld, slang for "business." Bees are 
busy, and they make that buzzing noise. Point being, it's entirely possible to 
avoid a lewd implication or double entendre. I can't let people take me for all 
honey and no sting with my domain.

With regards to PGPfone etc., all you need to do is run Asterisk on a server 
somewhere, enable SIP with encryption. If you or your conversation partner 
don't have a public key, there is a voice verification of endpoints, but do 
note that encrypted real-time voice conversations are extremely difficult to 
protect from packet-timing and other side-channel attacks which often trivially 
reveal a muffled but clear recording and transcript.

The human voice is in a certain sense "too rich" to hide or conceal, and the 
Bible tells of a "line" of every signal or sound that extends to be heard to 
the ends of the earth, and of the ungodly that "the sound of his words shall come 
unto the Lord for the manifestation of his wicked deeds."
-- 
A well regulated Militia, being necessary to the security of a free State, the 
right of the people to keep and bear Arms, shall not be infringed.

https://www.colmena.biz/~justina/contacto.php


Re: Discrepancies in extracted photo-id images from dumps

2019-01-21 Thread justina colmena via Gnupg-users
On January 19, 2019 9:56:00 AM AKST, "Ingo Klöcker"  wrote:
>On Samstag, 19. Januar 2019 17:10:38 CET Stefan Claas wrote:
>> Method used with GnuPG:
>> 
>> In gpg.conf i put: photo-viewer "cat > %K.%t"
>> 
>> and then i used this one liner:
>> 
>> for filename in ./*.pgp; do gpg --list-keys --list-options show-photo
>> --keyring "${filename}"; done
>
>This will result in at most 1 image per key because your fake
>photo-viewer 
>overwrites photos for keys containing multiple photo-ids (%K.%t is
>identical 
>for all photo-ids of a key). Using
>photo-viewer "cat > %K.%U.%t"
>instead should fix this.

Yes, I agree it's about time somebody clocked the $#!+ out of some of these EFF 
f*ckers and called them out on their bull crap, because you're not one of them, 
as you have so excused yourself.

Other than that, well, all we ever get from Gnu/EFF is, "Don't talk to the 
cops!" And come to find out they have already snitched on us, grossly 
misrepresented us to the aforementioned cops, and cooked up false police 
reports against us that go on permanent record without the due process of law, 
and without any communication to us of our loss of rights and representation.

We would like to work with the cops and educate them on due process and civil 
rights, but the truth is, you're either a criminal or a snitch the minute you 
talk to a cop, they punish you just the same either way, all the dishonest 
lawyers, corrupt judges, and stacked juries on their side, and if you haven't 
"lost your gun rights" already, they just take you in for a mental evaluation 
and have a doctor declare you irrevocably incompetent to possess a firearm for 
the rest of your life of cop-calling victimhood.

And it's actually ten times worse than that, because when you try to find 
employment or housing with that on your record, your potential employer sees an 
unfounded and unproven, but indefeasible accusation of murder on your permanent 
record.

Add to that the off-duty *armed* lynch mob from the local PD, the local NSA 
neighborhood crime watch with the moms in tennis shoes screaming ch!ld 
pr0nogr4phy, and we have a full-blown East German DDR Stasi in the USA. Somehow 
I don't believe the situation in Europe is much if at all better, because that 
political garbage is all coming from somewhere in the EU.

You've got email problems at KDE.

X-Authenticated-User? Is KDE high on drugs to pimp out your private email 
address like that to the whole mailing list? Or is KDE (= "K" DEutscheland) the 
German equivalent of KKK in the United States? Right, right, right. It's all 
love and free software and it runs on Ubuntu in Africa, same as everywhere else.

>On Samstag, 19. Januar 2019 17:10:38 CET Stefan Claas wrote:

Look. I realize it's automatically generated by your email client "reply" 
function, but is that supposed to be an English-language sentence with a 
German-language locale time-zone date-stamp mashed into the middle of it? Some 
of you Germans drink so much beer you can't tell what time the sun is supposed 
to come up in the morning.

Everything is either proprietary and locked down, or too broken and crippled to 
be usable, and there's no viable free software left anywhere, because of all 
the bull crap and the H1-B labor Mob from the East Indies. Microsoft is behind 
this, I'm telling you. They bought out GitHub. The Halloween Documents, the SCO 
fiasco, the whole Groklaw.net saga, nobody ever got fired for buying Apple, 
IBM, AT&T, and Cisco, either, and it's all coming back, closed source, slammed 
shut right in our faces.

How can people be so insufferably rude?
-- 
A well regulated Militia, being necessary to the security of a free State, the 
right of the people to keep and bear Arms, shall not be infringed.

https://www.colmena.biz/~justina/


Re: gpg > addphoto

2019-01-11 Thread justina colmena via Gnupg-users
On January 8, 2019 11:23:40 AM AKST, dirk1980ac via Gnupg-users 
 wrote:
>Hello.
>
>On Tuesday, 08.01.2019, at 20:16 +0100, Stefan Claas wrote:
>
>> Yes, agreed! However, as it currently is there is no need for bad
>> actors because people have plenty of image space in a key.
>
>Uh, I think you have found a new place where the guys can hide their
>porn collections so their wives don't find it.
>
>Sorry, could not resist.
>
>Regards,
>Dirk


It's a peculiar problem with which law enforcement is of little or no 
assistance. There's a gun and a badge and a gang of dicks with flashlights all 
over town, and a heavy-breathing warrant to bust your door in on that stuff. 
Neither the law enforcement credentials nor the color of law excuse the base 
human desire of cops to indulge their own flesh.

A related problem is "image phreaking." People make a game of digitally 
altering images and obscuring their source. Others make a game of deobfuscating 
the images and tracking them down. There is a very close-knit community of this 
sort of thing among disreputable hangers-on to Interpol, Europol, US FBI, 
Russian FSB, etc.

Several times I have been forced to permanently dissociate myself from all 
images and photos ever to have been associated with me, whether photos I have 
taken myself or which were found on my computer. Those people were hunting me, 
and they were led astray by their false assumptions, because *I* usually assume 
when foreign cops are hunting me that they are hunting to kill, and not to 
bring criminal or civil charges in court.

Wherever there is a photo or image of any sort, cops as well as a certain 
low-class security apparatchik always _assume_ an unhealthy obsession or morbid 
desire to memorialize something or someone. I mean, if you're not a 
professional photographer, you are _assumed_ to be trespassing on their 
intellectual property in some way or another, however they can twist it around 
in court to make it appear so. It's all part and parcel of the artsy-fartsy 
red-light district with the FBI warnings on all the Hollywood movies, actresses 
accusing male fans of stalking, etc.

So digital photos and images become a cop-calling feminists' emotional space 
where men in general and less privileged women are prohibited by law, but 
professional necktied gentlemen are perfectly welcome.
-- 
A well regulated Militia, being necessary to the security of a free State, the 
right of the people to keep and bear Arms, shall not be infringed.

https://www.colmena.biz/~justina/


Re: gpg - difference --encrypt-to and --recipient

2019-01-02 Thread justina colmena via Gnupg-users
On January 1, 2019 4:13:43 PM AKST, MFPA 
<2017-r3sgs86x8e-lists-gro...@riseup.net> wrote:
>Hi
>
>
>On Monday 31 December 2018 at 9:06:39 PM, in
>, justina
>colmena via Gnupg-users wrote:-
>
>
>> Shouldn't an email message (for example) be encrypted separately to
>> each BCC recipient,
>
>My opinion is that should be the case. However, most MUAs I've used
>include the BCC recipients' keys in the encryption along with the To
>and CC recipients' keys, so any email addresses in the user-IDs of
>these keys are visible to all recipients.
>
>As an exception, one MUA I used with an OpenPGP add-on would instead
>send an individual copy of the message to each BCC recipient,
>encrypted only to their key.

This seems like better practice. Also I would want to encrypt the transmitted 
email message only to the intended recipient, and the copy stored in my "Sent" 
folder only to myself.

>> or is this an intended all-in-one multiple-recipient encryption which
>> cannot conceal from the cryptanalyst the fact that the same message,
>> encrypted only once, is being sent to more than one receiving party?
>
>With hidden-recipient or hidden-encrypt-to or throw-keyids, it is
>clear how many keys were encrypted to, but the key IDs and user-IDs
>are not present.

I am not terribly comfortable with this situation. It almost seems rather 
creepy to me to receive an encrypted message that is also encrypted for the 
benefit or verification of one or more unknown and unidentified third parties. 
I start suspecting things like a foreign government mandated key escrow or 
secret government backdoor on behalf of some foreign spy or law enforcement 
agency.

>
>--
>Best regards
>
>MFPA  <mailto:2017-r3sgs86x8e-lists-gro...@riseup.net>
>
>Never trust a dog with orange eyebrows


-- 
A well regulated Militia, being necessary to the security of a free State, the 
right of the people to keep and bear Arms, shall not be infringed.

https://www.colmena.biz/~justina/



Re: gpg - difference --encrypt-to and --recipient

2018-12-31 Thread justina colmena via Gnupg-users
On December 31, 2018 5:38:10 AM AKST, Dirk Gottschalk via Gnupg-users 
 wrote:
>Hello Damien.
>
>On Monday, 31.12.2018, 12:45 + Damien Goutte-Gattat wrote:
>> On Mon, Dec 31, 2018 at 07:17:21AM +0100, Dirk Gottschalk via Gnupg-
>> users wrote:
>> > Yes, that's correct. Anyways, I prefer using the --hidden-recipient
>> > for this purpose. That prevents the disclosure of the communication
>> > paths with pure GPG-Packet analysis.
>
>> You do realize that, in the case of e-mail, the communication paths
>> are already disclosed by the SMTP protocol (command "RCPT TO") and
>> the mail headers ("From", "To", and the like), which both are outside
>> the scope of OpenPGP protection?
>
>Yes, sure I do. But referencing the command line options, I thought he
>was speaking about encryption of files. In this case, it could be of
>(even if small) benefits to avoid the disclosure of the path.
>
>
>> Using --hidden-recipient only protects against a hypothetical attacker
>> who is somehow only able to obtain the email body (the OpenPGP
>> message itself) without the surrounding metadata.
>
>That's correct. As told, I was talking about encrypted files. If you
>upload an encrypted file to a cloud service, for example, it could be a
>good idea to encrypt only to hidden recipients. Security by obscurity
>is not every time a bad thing. ;)
>
>Regards,
>Dirk

For some reason I'm not getting a "Reply-To:" for the whole list here...

Hidden recipients are normally given in the BCC (Blind Carbon Copy) field in 
the case of email, and the communication paths are not disclosed to other 
recipients.

Shouldn't an email message (for example) be encrypted separately to each BCC 
recipient, or is this an intended all-in-one multiple-recipient encryption 
which cannot conceal from the cryptanalyst the fact that the same message, 
encrypted only once, is being sent to more than one receiving party?

I hate to see the vast number of gpg command-line options get so carried away 
that we lose grip of the basic cryptography that we want to use GnuPG for.

And now the *secret* keys are going in "~/.gnupg/pubring.gpg" with the false 
implication by its name that the file contains only public keys which need not 
be so carefully guarded against disclosure.

-- 
A well regulated Militia, being necessary to the security of a free State, the 
right of the people to keep and bear Arms, shall not be infringed.

https://www.colmena.biz/~justina/



[Goanet] Souza in the 40's - Curatorial walkthrough with Conor Macklin - 28 Dec '18, 11 am

2018-12-26 Thread Justina Costa
Dear Friends,

We are pleased to announce a curatorial walkthrough of 'Souza in the 40's'
at Sunaparanta on Friday, 28th December 2018 at 11.00 am.

Conor Macklin, curator and director of Grosvenor Gallery London will lead
the guests through 60 earliest works of F N Souza from his time as a student
in Goa and Bombay, as well as works from around the time of the inception of
the Progressive Artists' Group in 1947, the same year as India's
Independence.

Limited edition of illustrated catalogue, posters and postcards are available
on sale.

Looking forward to having you with us on 28th December morning.

Warm regards,

Sunaparanta Team

Sunaparanta-Goa Centre for the Arts,
Near Army House, Altinho, Panaji - Goa.
Tel : +91 832 2421311 | www.sgcfa.org | i...@sgcfa.org