fix does a better job in this regard, so these issues may
not present themselves.
(I did a Postfix/opendkim milter on an Ubuntu system and it was much
less hassle.)
You should look at *lots* of DMARC RUA reports. People are doing crazy batsh*t
stuff with your mail domain.
Joseph Tam
rols over your IMAP account, they can
create messages with a format totally different than what your mail server
can make.
Joseph Tam
___
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org
ng of namespaces?
https://doc.dovecot.org/configuration_manual/mail_location/#custom-namespace-location
Joseph Tam
/M2, then both your Postfix servers need to use the same
certificate with "mail.domain.com" as a subject. Simple as that.
Joseph Tam
n
data and passes it to the persistent process via sockets? You'll
have to have some initial handshake protocol to establish session context,
but this seems the easiest way to accomplish what you want.
Joseph Tam
depends on how you set up your filesystem and authentication and your
security constraints. You'll have to be more specific on your setup.
Confining my reply to just SSL setup, you can obtain a SSL certificate
with multiple domains named listed, which makes multi-domain SSL
support easier.
J
&
openssl x509 -noout -text | grep DNS:
DNS:sge.sgeinc.com, DNS:sgeinc.com, DNS:www.sgeinc.com
"mail.sgeinc.com" is not in your list of alternate names, hence your
mail clients
started rejecting the SSL certificate as invalid.
Joseph Tam
the same stuff, but at least you can turn that
behaviour off and stop it from second guessing your settings.
Joseph Tam
protocol pop3 {
...
pop3_reuse_xuidl = yes
}
Maybe that's of use to you?
Joseph Tam
On Thu, Jan 18, 2024 at 6:42 PM Joseph Tam wrote:
> If you dump the above values e.g.
>
> doveadm fetch -ftab -A 'mailbox date.received' mailbox Trash BEFORE 90d
Correction: if what I suspect is true, this won't show you anything as all
your messages will be younger than 90d.
it, then it gets instantiated the current timestamp when you do.
If you do a fetch
every day, you'll eventually reach 90d, and it will work forever more
(+/- 1 day).
Perhaps adding those fields into these settings is a more direct and
better solution:
https://doc.dovecot.org/configurati
Address:1110 Nuuanu Ave
> City: Honolulu
> StateProv: HI
> PostalCode: 96817
> Country:US
Out of business virtual offices, naturally.
AIRLL also operating out of 195.96.137.0/24.
Joseph Tam
was not dovecot. I'm not sure what you hope to gain by saving
a few sockets that dovecot uses just to make headroom for a buggy script.
Joseph Tam
r than 60days? If the former, you can probably just delete the entire
INBOX folder or mailbox via filesystem commands as an alternative.
Joseph Tam
...
See note 3. above.
--------
Better?
Joseph Tam
ervice_count = 100
This service limit might be your culprit.
I wrote about the strange interaction between service_count and
process_limit here:
https://www.mail-archive.com/dovecot%40dovecot.org/msg85850.html
This gotcha should really be documented.
Joseph Tam
will disable STARTTLS though. Even though it's not plaintext,
maybe that is
a good thing as it avoids MITM banner stripping attacks.
Joseph Tam
onnections and do another round.
This may be interpreted as a BFD attack, and you'll lock out a legitimate user.
Joseph Tam
in: Disconnected: Inactivity (auth failed, 1
attempts in 180 secs): user= ...
I would modify /etc/fail2ban/filter.d/dovecot.conf to limit it to
0-99sec like so
failregex = ...( in \d{1,2} secs)...
Some BFD attempts will leak through but it avoids trigg
older than 30 days. I
> assume if I wait 30 days from now, it will start working?
Yup. If you run your script every day (and thus, run "doveadm fetch
... date.saved"
as well), that will make sure any new mail put into your Trash folder
will have date.saved
within 2
ly set -- your run of same values
coincided when you ran "doveadm fetch".
My expunge script just uses date.received instead -- it seems to work.
Joseph Tam
ty store so that
your mail reader does not complain about an untrusted certificate.
Clear?
Joseph Tam
ee a 40s
gap in the session logs: it will tell you who was doing what when the pause
happened (e.g. during authentication? During LIST fetch? During message
fetch?)
For example, if dovecot was busy mulching through a large INBOX rebuilding
indices, I can see how it can chew up 40s under some circumstances.
Joseph Tam
ata, then TB is somehow
misinterpreting it.
> on an uneducated guess, the mailbox is just 'too large' ?
> POP has difficulty handling so many files ?
Typically, if some resource limit is hit, one side or the other will
create a log or notification. Your INBOX is large, but not outrageous.
You can test it directly by creating smaller subsets of the INBOX messages
and see if the problem goes away.
Joseph Tam
obtain session transcripts of what server/client are doing.
I don't see any obvious errors from the logs that indicate any failure.
I do see the INBOX is rather large so maybe a timeout is involved.
Joseph Tam
l results.
I lost the context of this thread, but if you're looking for mailutil
or the older pine
stuff, the project has forked into alpine and you can find the source tarball at
https://alpineapp.email/
Joseph Tam
,1} so that
others don't blunder along the same path I did.
Joseph Tam
tors are being held by the
config process, and
see the behaviour over time (e.g. monitor /proc/{pid}/fd/*); maybe
that will give you a clue
as to what the config process is doing.
Joseph Tam
> > doveadm -fjson mailbox status -u user unseen "*"
>
> Very nice Aki! I can pass that JSON to a Python program I make to parse
> JSON, and then just report the ones not having "unseen":"0" . Thank
Or use format "-ftab" and grep non-zero entries. Simpler than parsing JSON.
Joseph Tam
type the
mailbox name to delete.
I believe Thunderbird has some IMAP server setting that will give it a hint.
Joseph Tam
this user
protocol imap {
...
rawlog_dir = /log/dir/%u
}
then
(Make sure this user has write permissions into this directory)
mkdir /log/dir/$user
After you're done, you can disable logging,
rm -rf /log/dir/$user
Joseph Tam
how this is
typically handled -- maybe an outbound block rule is required to handle
this niche case to finally drive a stake through a BFD connection's
heart.
(more stuff:
https://unix.stackexchange.com/questions/646663/iptables-how-kill-established-connection-except-for-an-ip).
Joseph Tam
many of
attacking IPs are represented on one of these lists.
2) Trigger immediate block against authentication attempts that
can not possibly be real (e.g. "mysql", "testuser", "nagios", etc.)
Joseph Tam
quotes really there?
Joseph Tam
and a stub web servers.
the original certificates were issued for domain: sample.com.
But this certs can be used for any.sample.com too?
For wildcarded certs (valid for *.sample.com), your only recourse is
use DNS challenges.
Joseph Tam
to support multiple hostnames on the same certificate.
Joseph Tam
's
virtual mailbox feature to define a catch-all virtual mailbox to placate
these users which won't bring an imap process to its knees.
Joseph Tam
features to find what you're looking for.
Users of mine who previously used Gmail expect our mail system to behave
similarly, and I have to break them of their habit to packrat all their
mail into their INBOX.
Joseph Tam
I did.
References
[1] https://doc.dovecot.org/admin_manual/login_processes/
Joseph Tam
recognize it as a dictionary attack, but it may be too
late as your AD will see it by that point.
Joseph Tam
estion how different
is different.
If you make some simplifying assumptions (e.g. exact same message body,
same header for From/Sending network or IP/time-range/Subject), you can
do a fairly good job.
Joseph Tam
nt now has a similar control or
it's up to the user to figure it all out.
Joseph Tam
come across this? Is this related to
https://doc.dovecot.org/configuration_manual/mail_location/mbox/mboxchildfolders/
?
Joseph Tam
the mathematics can get pretty hairy for both
key exchange methods.
Joseph Tam
discoveries that the client had a
malware they didn't know about.
http://www.blocklist.de/en/index.html also run a DBS RBL list and I've
had zero FPs after years of use. I think you can even get Fail2ban
report to your attackers to this site to add to the crowdsourcing.
Joseph Tam
On Wed, 5 Jan 2022, Ken Wright wrote:
Jan 5 22:09:30 grace dovecot: auth: Debug: client passdb out:
FAIL#0111#011user=m...@mydomain.com
Just a wild ass guess, but does your password backend expect "me", or
"m...@mydomain.com" (which is what it was given).
Joseph Tam
Solr to implement Dovecot FTS should look at
https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228
Joseph Tam
hh.com, DNS:www.sizzelicks.com,
DNS:www.softlinksys.com
Is your Thunderbird set up to use one of the above server names, and not, for
example,
imap.aecperformance.com. The server name has to match one of the above.
Joseph Tam
the whole MDBOX, the above is not applicable as any change to
a byte will affect all subsequent bytes.
I think MDBOX is a compromise in data granularity that tries to strike
a balance between various aspects of I/O performance.
Joseph Tam
they catch IMAP hackers, but they list 95%+ of our
ssh brute forcing attacks.
Joseph Tam
, that is a different situation. It could happen if the same message
took different paths to your user e.g. via mailing list processor,
but that is less common and would probably break DKIM.
Joseph Tam
-ids happen whenever
the sender names more than one local recipient during SMTP. It's a wholly
unreliable way to indicate spaminess. However, if a high proportion
of those recipients do not exist, ...
Joseph Tam
to the internet (i.e. your front-end MTA
is on the same host as your LMTP), socket connection is probably simpler
and safer than TCP connections.
Joseph Tam
h that can be without knowing your current settings.
Have you tried creating nested folder structure with your mail clients?
Joseph Tam
account access.
Joseph Tam
in blocks, not K.
The man page for my OS's 'ls' states exactly that -- counts are in blocks.
Joseph Tam
hypothesis.
Apr 12 16:12:49 SERVERNAME dovecot: imap(ACCOUNTNAME): Logged out in=164 out=757
However, my hypothesis wouldn't produce this. This is a active
logout.
Joseph Tam
oveadm of course".
MIMEDefang may help.
Joseph Tam
&1
Maybe it's better to add another formatter to avoid tricky parsing
or shell hacks e.g.
# doveadm -f tab-nohdr ...
Joseph Tam
m not sure what you mean by "organizing": making users' mail more
consistent across different mail readers, despite their differences?
Most are taken care of by using IMAP, and there are special niche settings
for the mail reader features you're trying to address.
Joseph Tam
On Wed, 3 Mar 2021, Yassine Chaouche wrote:
On 3/2/21 at 9:02 PM, Matthias Kneer wrote:
# echo | openssl s_client -connect emu.sbt.net.au:110 2>/dev/null |
openssl x509 -noout
-enddate
I am intrigued about the function of echo in that command line ?
It just a dummy input so that
r-for-days-not-deleting-mail.aspx
You may have to create a POP3 session log to diagnose what POP3 commands
your client is issuing.
Joseph Tam
On Fri, 15 Jan 2021, Ron Garret wrote:
Why not simply use the message-id?
Because not every email has one. RFC5322 doesn't require them.
Doesn't your MTA then insert one if it's missing?
Joseph Tam
needs to
have FD limits set larger than to the sum of client_limits.
Joseph Tam
which is currently
set to match
default_client_limit = 1000
What should I set "ulimit -n" relative to client_limit? Or perhaps I've roofed
service imap-login {
process_limit = 2
...
}
and should adjust that?
Joseph Tam
Or if IMAP is the only authenticated service,
munge their password hash.
Joseph Tam
. Maybe
pop3_reuse_xuidl = yes
Joseph Tam
it to piggyback spam:
https://security.stackexchange.com/questions/241263/how-is-it-possible-that-this-spam-mail-came-from-google-forms-without-revealing
Blocking mail from @trix.bounces.google.com will squelch them, but
may also block legitimate response receipts.
Joseph Tam
-and-TLS-Deployment-Best-Practices
- (client) enforce SSL connection (i.e. refuse plaintext
sessions).
Joseph Tam
of
the form {password}+{2fa-token}, then split each part to check against
authentication systems to check validity.
Joseph Tam
a graph of user mailbox connections will
show sawtooth patterns.
Joseph Tam
time.
Joseph Tam
rather
than a synchronous process, that will check certs and restart/reload once per
day/week/whatever. This is the method I use as my LE certificates are obtained
via DNS challenges on a different host.
Joseph Tam
try debugging the interaction by using "openssl s_server" on
an alternate port with the same SSL parameters used by your dovecot.
It's not the full-fledged environment you're trying to test but may
expose the problem.
Joseph Tam
really do your head in.
Joseph Tam
t having to know all their passwords.
By making both master and passdb's the same, you allow anyone to access
anybody else's account e.g. "xyz" can access account for "abc" by using
their password with user "abc*xyz".
Joseph Tam
pass = yes
}
# Contains regular user credentials
passdb {
args = /etc/dovecot/passwd
driver = passwd-file
}
Joseph Tam
sh), which accepts the message, then sends it to
your 20k+ recipients in small batches with small delays.
Joseph Tam
boxes,
you are telling Dovecot an untruth. It's better to tell Dovecot user
mailboxes (other than INBOX) don't exist, rather than to push all the
indices under the carpet.
Joseph Tam
: Tracking use of QUIT)
http://wiki.junkemailfilter.com/index.php/Spam_DNS_Lists
I issue post-DATA return codes, and I have yet, in decades of use, had
problems with legitimate senders.
Joseph Tam
have email that I need that
arrives like that.
This entire thread belongs on an anti-spam forum, but you might want to
check out
http://msbl.org/ebl.html
Joseph Tam
Not sure whether owner=rootZ:root, mode=555 will work, but those
permissions would be the safest.
Joseph Tam
; }
Also my backup scripts have locking procedures built-in so as to avoid race
conditions.
You might also want a trap handler that does a cleanup in case something
goes sideways in the middle of processing e.g.
trap rmTmpFiles 0
Joseph Tam
install: not using a package manager. (I've edited the doveconf
location, but you've outed me.) I was hoping to get "doveadm pw"
working on non-dovecot servers without having to provide seemingly
irrelevant dependencies, but it's probably more bother than its worth.
Thanks, anyways.
Joseph Tam
ssword out of a client, despite what the server policy is, or even
whether the server is available.
Only allowing implicit SSL will guarantee insecurely configured clients
will fail (and maybe not even that if it autoconfigures), but it doesn't
prevent them from being exploited.
Joseph Tam
/doveconf) failed: No such file or
directory
Joseph Tam
directory
Is there a way to circumvent the need for a configuration file?
Joseph Tam
"ssl_not_optional" might have been clearer.
Joseph Tam
xternalize the
patterns into runtime configuration like fail2ban does, rather than
baking them into executables.
Joseph Tam
On Fri, 8 May 2020, Joseph Tam wrote:
It depends on what you consider reasonable.
Whoops. Editing error. What I wanted to send.
On Fri, 8 May 2020, a...@globalchangemusic.org wrote:
So, generally speaking, you don't want to have inboxes that just sync all day
long, due to massive amounts
, but not good for regularly
accessed inboxes, etc.?
Joseph Tam
, then Dovecot's
*dbox support de-duping which would also help.
Joseph Tam
/is-the-alert-ssl3-read-bytessslv3-alert-bad-certificate-indicating-that-the-s
this error comes about when you specify the client must authenticate with
their own certificate. If your Dovecot setup is working with Evolution, have
you ported the client certificate to the Thunderbird setup?
Joseph Tam
aying goes regarding the value of prevention vs cure, enforce
good security habits for your users: password strength, endpoint malware
protection, skepticism, etc.
Joseph Tam
-noout -modulus
Joseph Tam
by disabling auto-discovery, and if you're ultra-conservative,
certificate pinning.
Joseph Tam
this
configuration may be the answer:
(On new server)
protocol pop3 {
...
pop3_reuse_xuidl = yes
}
Joseph Tam
data is transferred to the server.
The Nextcloud (or Dropbop) example is to have a encrypted FS on
the client side (e.g. VeraCrypt) and the whole container is sync'd
on the storage side (the server). At no point does the server side ever
get to see keys.
Joseph Tam
no point
setting flags on a message you'll expunge.
/usr/bin/doveadm expunge -A DELETED OR \( SEEN SENTBEFORE 12w \)
Joseph Tam
for all future versions) or should this patch be applied in
all cases?
Joseph Tam