Re: [Dovecot] MySQL as a storage only.?

2008-12-23 Thread Timo Sirainen

On Dec 23, 2008, at 4:51 AM, R A wrote:


Romer Ventura wrote:

Hello,

   I was wondering if I could use MySQL as storage only..? Meaning that no
user information, other than the obvious email address associated with a
specific email so that each email can be shown to the right user, will be
stored in a MySQL database instead of /home/vmail/DOMAIN/user

   Would I get any advantages.? Would it be better, faster?

Thanks


I think IF it would be supported in a future version it would be a great
addition.


I did already start it once but didn't get it very well working. It's  
a very low priority for me to finish it. Maybe once everything else is  
done and I can't really think of anything better to do.. Of course  
anyone else is free to implement it. http://dovecot.org/list/dovecot/2007-November/026632.html



Especially if you try
to implement cloud-like services, where you have the possibility of
links temporarily going down between servers, and mail can come in to
any point, and be retrieved or moved at any point.

You really need transactions then, to track every mail's change in time,
and to replicate those when you get connectivity back. You can
possibly do it by tracking dovecot logs and do the replication yourself
with scripts, but using a database would probably be easier here.


I've also planned easy replication support for Dovecot. Also I don't  
think doing the SQL replication correctly and without losing any data  
on error conditions is as easy as you think.


Re: [Dovecot] MySQL as a storage only.?

2008-12-23 Thread Neil
On Tue, Dec 23, 2008 at 2:20 AM, Timo Sirainen t...@iki.fi wrote:
 On Dec 23, 2008, at 4:51 AM, R A wrote:
 Especially if you try
 to implement cloud-like services, where you have the possibility of
 links temporarily going down between servers, and mail can come in to
 any point, and be retrieved or moved at any point.

 You really need transactions then, to track every mails change in time,
 and to replicate those when you get connectivity back. You can
 possibly do it by tracking dovecot logs and do the replication yourself
 with scripts, but using a database would probably be easier here.

 I've also planned easy replication support for Dovecot. Also I don't think
 doing the SQL replication correctly and without losing any data on error
 conditions is as easy as you think.

+1
Needless to say, replication would be _very_ useful...


Re: [Dovecot] delivers mail to bad directory(prefix) using sieve filters

2008-12-23 Thread Radim Roska
really nobody has similar issue?

On Mon, Dec 15, 2008 at 7:29 PM, Radim Roska radim.ro...@gmail.com wrote:

 Hi,

 I've installed dovecot debian stable (from backports) version (1.0.15). It's
 great.. I just have a problem with sieve filters. I use only a web tool for
 creating filters that works for me (avelsieve plugin for squirrelmail).

 It creates rules where the specified folder has prefix INBOX. That's fine..
 Since dovecot has configured prefix INBOX too. BUT mails are delivered to
 INBOX.INBOX.test_folder

 and that's ugly and not usable.

 I've figured out the new version 1.2 should work, but I don't like the idea of
 installing a non-stable version on a production server.

 Is there any patch or something for stable version?

 Thanks a lot!
 Radim



Re: [Dovecot] delivers mail to bad directory(prefix) using sieve filters

2008-12-23 Thread Neil
On Tue, Dec 23, 2008 at 4:53 AM, Radim Roska radim.ro...@gmail.com wrote:
 really nobody has similar issue?

 On Mon, Dec 15, 2008 at 7:29 PM, Radim Roska radim.ro...@gmail.com wrote:

 Hi,

 I've installed dovecot debian stable (from backports) version (1.0.15). It's
 great.. I just have a problem with sieve filters. I use only a web tool for
 creating filters that works for me (avelsieve plugin for squirrelmail).

 It creates rules where the specified folder has prefix INBOX. That's fine..
 Since dovecot has configured prefix INBOX too. BUT mails are delivered to
 INBOX.INBOX.test_folder

 and that's ugly and not usable.

 I've figured out the new version 1.2 should work, but I don't like the idea of
 installing a non-stable version on a production server.

 Is there any patch or something for stable version?

 Thanks a lot!
 Radim



Remove the prefix in avelsieve settings?


[Dovecot] 1.1.6 - 1.1.7 regression: dovecot: pipe() failed: Too many open files

2008-12-23 Thread Mark Zealey
Hi all,

We updated to 1.1.7 a week or two back from 1.1.6 (both standard atrpms
builds). Since doing so, twice now I've seen the imap services accept
connections but they hang before the banner is printed (pop seems to be
unaffected). I see this in the logs:

Dec 23 14:02:15 mail9 dovecot: pipe() failed: Too many open files
Dec 23 14:02:15 mail9 dovecot: Temporary failure in creating login processes, slowing down for now
Dec 23 14:02:15 mail9 dovecot: Created login processes successfully, unstalling
Dec 23 14:02:16 mail9 dovecot: pipe() failed: Too many open files
Dec 23 14:02:16 mail9 dovecot: Temporary failure in creating login processes, slowing down for now
Dec 23 14:02:16 mail9 dovecot: Created login processes successfully, unstalling

The ulimit for the number of open files on these servers has remained
unchanged at 8192 and there are no warnings about too few fd's on
dovecot startup. There weren't amazing numbers of imap sessions open at
the time (only something like 400-500; we've had 1.5k in the past), so I
suspect this is a regression between 1.1.6 and 1.1.7 where you've got a
leak of fd's ? If it happens again I'll try and get a snapshot of the
fd's open by the master dovecot process.

Thanks,

Mark

--
Mark Zealey -- Shared Hosting Team Leader
Product Development * Webfusion
123-reg.co.uk, webfusion.co.uk, donhost.co.uk, supanames.co.uk

This mail is subject to http://www.gxn.net/disclaimer


Re: [Dovecot] change sender name in Sieve

2008-12-23 Thread Stephan Bosch

Jakob Grießmann wrote:

Hi,

thanks a lot for the fast reply! Any other choice to avoid that bug
without patching the package? I'm using vanilla Debian/Ubuntu builds
here and like to avoid manual compilation...

Unfortunately, no. You could ask the Debian package maintainers to apply
this trivial patch in the stable packages. Just file a Debian bug report
and see what happens.


Regards,

Stephan.



Re: [Dovecot] Password field limitations

2008-12-23 Thread Charles Marcus
On 12/23/2008, Tom Sommer (m...@tomsommer.dk) wrote:
 What limitations are imposed on the password for IMAP/POP3 users?
 I've had a customer saying they can't use passwords which contain .
 or :, and some seem to have problems when the password is 8
 characters.

If I'm not mistaken, dovecot doesn't care - this will be a limitation of
your Filesystem and/or password storage tool... in this case, MySQL...

-- 

Best regards,

Charles


[Dovecot] Password field limitations

2008-12-23 Thread Tom Sommer

Hi,

I've searched the WIKI for this information but seem unable to find 
anything about it.


What limitations are imposed on the password for IMAP/POP3 users? I've 
had a customer saying they can't use passwords which contain . or :, 
and some seem to have problems when the password is 8 characters.


I use PLAIN authentication, passwords are stored in a MySQL database.

Thanks a lot
--
Tom Sommer


Re: [Dovecot] Password field limitations

2008-12-23 Thread Luigi Rosa

Charles Marcus said the following on 23/12/08 18:06:

 What limitations are imposed on the password for IMAP/POP3 users?
 I've had a customer saying they can't use passwords which contain .
 or :, and some seem to have problems when the password is 8
 characters.

 If I'm not mistaken, dovecot doesn't care - this will be a limitation of
 your Filesystem and/or password storage tool... in this case, MySQL...

I use MySQL and I don't have such kind of limitations.

I would blame Tom's MySQL interface or implementation, but not MySQL itself.


Ciao,
luigi

- --
/
+--[Luigi Rosa]--
\

Scotty! Hurry, beam me uraghh^*ԕé~~~
NO CARRIER


[Dovecot] Replication (Re: MySQL as a storage only.?)

2008-12-23 Thread Seth Mattinen

Timo Sirainen wrote:


I've also planned easy replication support for Dovecot. Also I don't 
think doing the SQL replication correctly and without losing any data on 
error conditions is as easy as you think.



Multiple master in MySQL is still more of a hack. Also, performance for 
billion-row SQL tables is rather poor for something interactive like 
clicking on a message in IMAP and expecting it to pop up right away.


I'm looking forward to master-master replication. Not SQL though; I 
can't find the link now but I remember reading about a master-master 
system that Dovecot would use to sync maildir/dbox over N masters or 
something. A pool of beefy master-master Dovecots with a load balancer 
in front of them would be wonderful - I'm not too keen on the user a 
goes on server a, user b on server b system. I'd love to help out but 
my own development schedule is beyond full at the moment. =)


~Seth


Re: [Dovecot] change sender name in Sieve

2008-12-23 Thread Seth Mattinen

Stephan Bosch wrote:

Jakob Grießmann wrote:

Hi,

thanks a lot for the fast reply! Any other choice to avoid that bug
without patching the package? I'm using vanilla Debian/Ubuntu builds
here and like to avoid manual compilation...

Unfortunately, no. You could ask the Debian package maintainers to apply
this trivial patch in the stable packages. Just file a Debian bug report
and see what happens.




Or just rebuild the Debian packages yourself with the patch applied.

   1. Download source packages (orig, dsc, and diff files)
   2. apt-get build-dep package
   3. dpkg-source -x dsc file
   4. cd into directory created by dpkg-source -x
   5. do whatever it is you want to the source
   6. fakeroot dpkg-buildpackage -uc -b


~Seth


Re: [Dovecot] MySQL as a storage only.?

2008-12-23 Thread Jack Stewart


Neil wrote:

On Tue, Dec 23, 2008 at 2:20 AM, Timo Sirainen t...@iki.fi wrote:

On Dec 23, 2008, at 4:51 AM, R A wrote:

Especially if you try
to implement cloud-like services, where you have the possibility of
links temporarily going down between servers, and mail can come in to
any point, and be retrieved or moved at any point.

You really need transactions then, to track every mails change in time,
and to replicate those when you get connectivity back. You can
possibly do it by tracking dovecot logs and do the replication yourself
with scripts, but using a database would probably be easier here.

I've also planned easy replication support for Dovecot. Also I don't think
doing the SQL replication correctly and without losing any data on error
conditions is as easy as you think.


+1
Needless to say, replication would be _very_ useful...


At least in 5, MySQL replication is very difficult. Based on my
experience with amavisd, master - master replication does not work if
you have foreign key constraints. master - slaves can have issues with
high activity as a key on the master might get updated while a search is
happening on the slave (again this is with foreign key constraints).
Then you'll probably need innodb for performance so backups become more
challenging. Lastly, disk usage triples.


Hate to be a wet blanket, but this is what I've seen. If you don't need 
the constraints, the problem becomes more manageable. Still your safest 
bet for replication at this time is to use the slave as a backup with 
some sort of auto promotion mechanism. The network master daemon (nmdb?) 
looks promising for straight forward databases.


Don't forget blob sizing.

I'm not sure how Oracle is for replication. Setups/configuration does 
not sound simple from the dba's I've talked to, although RACK looks decent.


MySQL does work well for index problems (i.e. searches) where the index
can be reconstructed if there is a failure and the searching process
doesn't seize in a failure.


Just my opinion and warning.

---Jack



Re: [Dovecot] MySQL as a storage only.?

2008-12-23 Thread Seth Mattinen

Jack Stewart wrote:


Neil wrote:

On Tue, Dec 23, 2008 at 2:20 AM, Timo Sirainen t...@iki.fi wrote:

On Dec 23, 2008, at 4:51 AM, R A wrote:

Especially if you try
to implement cloud-like services, where you have the possibility of
links temporarily going down between servers, and mail can come in to
any point, and be retrieved or moved at any point.

You really need transactions then, to track every mails change in time,
and to replicate those when you get connectivity back. You can
possibly do it by tracking dovecot logs and do the replication yourself
with scripts, but using a database would probably be easier here.
I've also planned easy replication support for Dovecot. Also I don't think
doing the SQL replication correctly and without losing any data on error
conditions is as easy as you think.


+1
Needless to say, replication would be _very_ useful...


At least in 5, MySQL replication is very difficult. Based on my 
experience with amavisd, master - master replication does not work if 
you have foreign key constraints. master - slaves can have issues with 
high activity as a key on the master might get update while a search is 
happening on the slave (again this is with foreign key constraints). 
Then you'll probably need innodb for performance so backups become more 
challenging. Lastly, disk usage triples.


Hate to be a wet blanket, but this is what I've seen. If you don't need 
the constraints, the problem becomes more manageable. Still your safest 
bet for replication at this time is to use the slave as a backup with 
some sort of auto promotion mechanism. The network master daemon (nmdb?) 
looks promising for straight forward databases.


Don't forget blob sizing.

I'm not sure how Oracle is for replication. Setups/configuration does 
not sound simple from the dba's I've talked to, although RACK looks decent.


MySQL does work well for index problems (i.e. searches) where the index 
can be reconstructed if their is a failure and the searching process 
doesn't seize in a failure.


Just my opinion and warning.



I agree with you from my own experience - using a database in this 
manner is a huge kludge. maildir/dbox is far better suited for mail 
storage. For small installations where there is little mail storage and 
performance is not an issue, maybe. But I'd rather see Timo's time spent 
on an internal to dovecot master-slave and master-master system.


~Seth


Re: [Dovecot] Password field limitations

2008-12-23 Thread Charles Marcus
On 12/23/2008 12:25 PM, Luigi Rosa wrote:
 If I'm not mistaken, dovecot doesn't care - this will be a limitation of
 your Filesystem and/or password storage tool... in this case, MySQL...

 I Use MySQL and I don't have such kind of limitations.
 
 I would blame Tom's MySQL interface or implementation, but not MySQL itself.

I certainly didn't intend to mean it was a Mysql limitation in general -
I'm using it too for my user/password backend, and have all of these
characters available in passwords:

`...@#$%^*()_-+={}|[]:;?,.

More than likely it is a system library or charset issue, or something
like that...

-- 

Best regards,

Charles


[Dovecot] SQL field format for digest-md5?

2008-12-23 Thread Darren Pilgrim
I'm enabling digest-md5 authentication with u...@example.com username 
and plain-text passwords stored in a MySQL database.  What should the 
password field contain in order to work with digest-md5?  Would the 
following:


SELECT CONCAT('{digest-md5}', MD5(CONCAT(username, '::', password))) AS 
password ...


be correct?


Re: [Dovecot] SQL field format for digest-md5?

2008-12-23 Thread Timo Sirainen

On Dec 23, 2008, at 8:57 PM, Darren Pilgrim wrote:

I'm enabling digest-md5 authentication with u...@example.com  
username and plain-text passwords stored in a MySQL database.  What  
should the password field contain in order to work with digest-md5?   
Would the following:


SELECT CONCAT('{digest-md5}', MD5(CONCAT(username, '::', password)))  
AS password ...


be correct?


Don't try to do anything special. Just:

SELECT username as user, password FROM ..



[Dovecot] Possible to log IMAP connections to MySQL Table?

2008-12-23 Thread Corey Shaw
Is it currently possible to log all IMAP connection attempts to a MySQL table?  
Thanks. 



_ 
Corey

Re: [Dovecot] Possible to log IMAP connections to MySQL Table?

2008-12-23 Thread Seth Mattinen

Corey Shaw wrote:
Is it currently possible to log all IMAP connection attempts to a MySQL table?  Thanks. 



Sure. You could use syslog-ng to log directly to a database or syslog 
plus SEC (http://kodu.neti.ee/~risto/sec/) to trigger insert rules.


~Seth


Re: [Dovecot] Possible to log IMAP connections to MySQL Table?

2008-12-23 Thread Brandon Lamb
On Tue, Dec 23, 2008 at 1:30 PM, Seth Mattinen se...@rollernet.us wrote:
 Corey Shaw wrote:

 Is it currently possible to log all IMAP connection attempts to a MySQL
 table?  Thanks.

 Sure. You could use syslog-ng to log directly to a database or syslog plus
 SEC (http://kodu.neti.ee/~risto/sec/) to trigger insert rules.

 ~Seth

If someone ever decides to make a log-login-tomysql plugin i would
love to use it. I currently have a php script that runs during
logrotate that parses the info.log for all pop3/imap logins and logs
them to mysql, i only keep per minute and then i have a history table
of peruser-perday for 90 days.

It would be way cool to have dovecot throw that to mysql
automagically. If i were a c programmer i would do it myself =S


Re: [Dovecot] Possible to log IMAP connections to MySQL Table?

2008-12-23 Thread Corey Shaw
On our current mail system we've gone down the route of a PHP script as well 
for logging the connections.  Since I use metalog for logging (instead of 
syslog-ng) and I don't really want to make an exception for one of our servers, 
I'll probably still have to use that script.  I definitely want to put in a 
vote for the ability to log to an SQL backend though. 



_ 
Corey Shaw 
Q90 Corporation 
Technology Specialist 
O. 801.491.0705 (x. 157) 
F. 801.491.8774 
www.q90.com 


- Original Message - 
From: Brandon Lamb brandonl...@gmail.com 
To: Dovecot Mailing List dovecot@dovecot.org 
Sent: Tuesday, December 23, 2008 2:41:56 PM GMT -07:00 US/Canada Mountain 
Subject: Re: [Dovecot] Possible to log IMAP connections to MySQL Table? 

On Tue, Dec 23, 2008 at 1:30 PM, Seth Mattinen se...@rollernet.us wrote: 
 Corey Shaw wrote: 
 
 Is it currently possible to log all IMAP connection attempts to a MySQL 
 table?  Thanks. 
 
 Sure. You could use syslog-ng to log directly to a database or syslog plus 
 SEC (http://kodu.neti.ee/~risto/sec/) to trigger insert rules. 
 
 ~Seth 

If someone ever decides to make a log-login-tomysql plugin i would 
love to use it. I currently have a php script that runs during 
logrotate that parses the info.log for all pop3/imap logins and logs 
them to mysql, i only keep per minute and then i have a history table 
of peruser-perday for 90 days. 

It would be way cool to have dovecot throw that to mysql 
automagically. If i were a c programmer i would do it myself =S 


Re: [Dovecot] SQL field format for digest-md5?

2008-12-23 Thread Darren Pilgrim

Timo Sirainen wrote:

On Dec 23, 2008, at 8:57 PM, Darren Pilgrim wrote:

I'm enabling digest-md5 authentication with u...@example.com  
username and plain-text passwords stored in a MySQL database.  What  
should the password field contain in order to work with digest-md5?   
Would the following:


SELECT CONCAT('{digest-md5}', MD5(CONCAT(username, '::', password)))  
AS password ...


be correct?


Don't try to do anything special. Just:

SELECT username as user, password FROM ..


That's what I already have.  It works for plain, login and cram-md5;
however, digest-md5 fails.  Reading the wiki page[1] for digest-md5
says the u...@example.com username format breaks because I'm not using
realms.  My options are either set auth_realms or store passwords using
the DIGEST-MD5 scheme.  I'm trying to do the latter since I can't
realistically set or maintain auth_realms.


1: http://wiki.dovecot.org/Authentication/Mechanisms/DigestMD5


Re: [Dovecot] Possible to log IMAP connections to MySQL Table?

2008-12-23 Thread Seth Mattinen

Brandon Lamb wrote:

On Tue, Dec 23, 2008 at 1:30 PM, Seth Mattinen se...@rollernet.us wrote:

Corey Shaw wrote:

Is it currently possible to log all IMAP connection attempts to a MySQL
table?  Thanks.

Sure. You could use syslog-ng to log directly to a database or syslog plus
SEC (http://kodu.neti.ee/~risto/sec/) to trigger insert rules.

~Seth


If someone ever decides to make a log-login-tomysql plugin i would
love to use it. I currently have a php script that runs during
logrotate that parses the info.log for all pop3/imap logins and logs
them to mysql, i only keep per minute and then i have a history table
of peruser-perday for 90 days.

It would be way cool to have dovecot throw that to mysql
automagically. If i were a c programmer i would do it myself =S



Somewhere on my hit list is customers wanting to see last access time 
for mailboxes and some informational IMAP/POP3 logging. If I ever get 
around to it, I could try making it a plugin rather than another rule in 
the fifo watcher.


Although I've never done any Dovecot development before, so if someone 
else does it first I wouldn't be hurt. ;)


~Seth


[Dovecot] Dovecot-auth timeouts

2008-12-23 Thread Javier Fox

Hello,

I've unfortunately been unable to find anything relating to the problem I'm
having specifically, in searching the list or google, and so I now plead to you
for assistance.

I'm running Dovecot as an LDA and SASL auth for Postfix on a Debian 4 box.  
Dovecot is version 1.0.rc15 (the official debian pkg version).

The problem I'm running into is this.  After some time of running (lately it's 
been as little as 5 minutes), I start to see the following errors in 
dovecot.log:

deliver(u...@domain.com): Dec 23 14:38:47 Error: User request from dovecot-auth timed out
deliver(anotheru...@domain.com): Dec 23 14:38:48 Error: User request from dovecot-auth timed out

Postfix responds to these by simply deferring the messages.  Dovecot itself, 
however, begins to return 'Authentication failed' messages after significant 
lag time (sometimes greater than 30s):

Connected to localhost.
Escape character is '^]'.
+OK Dovecot-POP
user username
+OK
pass mypassword
-ERR Authentication failed.

Now, for authentication, Dovecot is using LDAP on the local server.  The only 
additional information I can find pertaining to these errors is the following 
from slapd.log:

slapd[22593]: connection_input: conn=6 deferring operation: pending operations

These messages correspond 1-to-1 to the above 'deliver' errors, where 'conn' is 
always the same number.  Restarting dovecot and ldap resolves the issue for a 
few minutes, but sure enough the errors start flowing again.

I'm really at the end of my rope on this, as nothing I do seems to help.  I
have a good 500+ customers being affected by this as well, and they're all none
too pleased by it.  If this is something that will absolutely be resolved by
upgrading from source, that is doable, but we'd prefer to stick with the
official package version if possible.

Dovecot configs follow

Thanks,
J. Fox

- configs follow -

dovecot.conf

auth_verbose = yes
auth_debug = yes
auth_debug_passwords = yes
mail_debug = no

base_dir = /var/run/dovecot/
protocols = imap imaps pop3 pop3s
protocol lda {
 postmaster_address = postmas...@spiritone.com
 auth_socket_path = /var/run/dovecot/auth-master
 log_path = /var/log/dovecot.log
 info_log_path = /var/log/mail.info
 }
listen = *
shutdown_clients = yes
mmap_disable = yes
lock_method = dotlock
maildir_copy_with_hardlinks = no
log_path = /var/log/dovecot.log
info_log_path = /var/log/mail.log
log_timestamp = %b %d %H:%M:%S 
syslog_facility = mail
auth_default_realm = involved.com
disable_plaintext_auth = no
ssl_cert_file = /etc/ssl/certs/dovecot.pem
ssl_key_file = /etc/ssl/private/dovecot.pem
login_chroot = yes
valid_chroot_dirs = /home/vmail/
login_user = postfix
login_process_per_connection = yes
login_processes_count = 2
login_max_processes_count = 64
login_max_connections = 128
login_greeting = Involved
login_log_format_elements = user=%u method=%m rip=%r lip=%l %c
login_log_format = %$: %s
default_mail_env = maildir:/home/vmail/domains/%d/%u
first_valid_uid = 103
pop3_uidl_format = %08Xu%08Xv
auth_cache_size = 10485760
auth_cache_ttl = 3600
auth_worker_max_count = 10
#auth_worker_max_request_count = 50
auth default {
   mechanisms = PLAIN LOGIN
   passdb ldap {
      args = /etc/dovecot/dovecot-ldap.conf
   }
   userdb ldap {
      args = /etc/dovecot/dovecot-ldap.conf
   }
   socket listen {
      master {
         path = /var/run/dovecot/auth-master
         mode = 0666
         user = vmail
         group = vmail
      }
      client {
         path = /var/spool/postfix/private/auth
         mode = 0660
         user = postfix
         group = postfix
      }
   }
   user = vmail
}


dovecot-ldap.conf
-
hosts = localhost
auth_bind = yes
auth_bind_userdn = cn=%n,ou=%d,ou=mail,dc=domain,dc=com
ldap_version = 3
base = ou=mail,dc=domain,dc=com
dn = cn=Manager,dc=domain,dc=com
dnpass = secret
deref = never
scope = subtree
pass_attrs = mail=user,userPassword=password
user_filter = (&(objectClass=VirtualMailAccount)(accountActive=TRUE)(mail=%u))
pass_filter = (&(objectClass=VirtualMailAccount)(accountActive=TRUE)(mail=%u))
user_global_uid = 1001
user_global_gid = 1001

---end---


Re: [Dovecot] Possible to log IMAP connections to MySQL Table?

2008-12-23 Thread Brandon Lamb
On Tue, Dec 23, 2008 at 1:54 PM, Seth Mattinen se...@rollernet.us wrote:
 Brandon Lamb wrote:

 On Tue, Dec 23, 2008 at 1:30 PM, Seth Mattinen se...@rollernet.us wrote:

 Corey Shaw wrote:

 Is it currently possible to log all IMAP connection attempts to a MySQL
 table?  Thanks.

 Sure. You could use syslog-ng to log directly to a database or syslog
 plus
 SEC (http://kodu.neti.ee/~risto/sec/) to trigger insert rules.

 ~Seth

 If someone ever decides to make a log-login-tomysql plugin i would
 love to use it. I currently have a php script that runs during
 logrotate that parses the info.log for all pop3/imap logins and logs
 them to mysql, i only keep per minute and then i have a history table
 of peruser-perday for 90 days.

 It would be way cool to have dovecot throw that to mysql
 automagically. If i were a c programmer i would do it myself =S


 Somewhere on my hit list is customers wanting to see last access time for
 mailboxes and some informational IMAP/POP3 logging. If I ever get around to
 it, I could try making it a plugin rather than another rule in the fifo
 watcher.

 Although I've never done any Dovecot development before, so if someone else
 does it first I wouldn't be hurt. ;)

 ~Seth


It's definitely valuable information, I like being able to look up a
user to see their past logins and by type (pop3, imap) and be able to
use this information to shut off or reduce quotas on seemingly dormant
accounts, and helps to identify spam boxes. If I didn't have to run a
php script it would be all the better, plus if I want information
RIGHT NOW I have to remember to run the script before querying the
current logins.
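
An added example, not code from anyone in this thread: a log-to-SQL loader of the kind described above, keeping a per-user, per-day history and listing accounts with no successful login since a given day. It uses an in-memory SQLite database as a stand-in for MySQL; the login line layout, the sample lines and all names are constructed assumptions, so adjust the pattern to your own `login_log_format`.

```python
import re
import sqlite3
from datetime import datetime

# Constructed sample lines (assumed syslog layout); the last one is a non-login line.
SAMPLE = """\
Dec 22 09:15:01 mail9 dovecot: imap-login: Login: user=<alice@example.com>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, TLS
Dec 23 14:02:10 mail9 dovecot: pop3-login: Login: user=<alice@example.com>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1
Dec 23 14:02:12 mail9 dovecot: imap-login: Login: user=<o'brien@example.com>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1, TLS
Dec 23 14:02:13 mail9 dovecot: imap-login: Aborted login: user=<bob@example.com>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1
Dec 23 14:02:14 mail9 dovecot: imap-login: Aborted login: user=<bob@example.com>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1
Dec 23 14:02:15 mail9 dovecot: pipe() failed: Too many open files
""".splitlines()

LOGIN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: "
    r"(?P<proto>imap|pop3)-login: (?P<event>Login|Aborted login)[^:]*: "
    r"user=<(?P<user>[^>]*)>, method=(?P<method>\S+), rip=(?P<rip>[^,\s]+)"
)


def parse_line(line, year):
    """Return a dict for a login event, or None for any other line."""
    m = LOGIN_RE.match(line)
    if m is None:
        return None
    # Syslog timestamps carry no year, so the caller supplies it.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "username": m["user"],
        "proto": m["proto"],
        "success": 1 if m["event"] == "Login" else 0,
        "rip": m["rip"],
        "day": ts.strftime("%Y-%m-%d"),
        "ts": ts.isoformat(sep=" "),
    }


def load(lines, year, db):
    """Aggregate login events into login_history; return the number of skipped lines."""
    db.execute(
        "CREATE TABLE IF NOT EXISTS login_history ("
        " username TEXT NOT NULL, day TEXT NOT NULL, proto TEXT NOT NULL,"
        " success INTEGER NOT NULL, logins INTEGER NOT NULL, last_seen TEXT NOT NULL,"
        " PRIMARY KEY (username, day, proto, success))"
    )
    skipped = 0
    for line in lines:
        ev = parse_line(line, year)
        if ev is None:
            skipped += 1
            continue
        key = (ev["username"], ev["day"], ev["proto"], ev["success"])
        # The user name comes from the client: bind it as a parameter, never
        # paste it into the SQL text.
        db.execute(
            "INSERT OR IGNORE INTO login_history"
            " (username, day, proto, success, logins, last_seen)"
            " VALUES (?, ?, ?, ?, 0, ?)", key + (ev["ts"],))
        db.execute(
            "UPDATE login_history SET logins = logins + 1,"
            " last_seen = max(last_seen, ?)"
            " WHERE username = ? AND day = ? AND proto = ? AND success = ?",
            (ev["ts"],) + key)
    db.commit()
    return skipped


def dormant_users(db, known_users, since_day):
    """Accounts from known_users with no successful login on or after since_day."""
    active = {row[0] for row in db.execute(
        "SELECT DISTINCT username FROM login_history"
        " WHERE success = 1 AND day >= ?", (since_day,))}
    return sorted(u for u in known_users if u not in active)


def demo():
    db = sqlite3.connect(":memory:")
    skipped = load(SAMPLE, 2008, db)
    rows = db.execute(
        "SELECT username, day, proto, success, logins FROM login_history"
        " ORDER BY day, username, proto").fetchall()
    known = ["alice@example.com", "bob@example.com", "carol@example.com"]
    return skipped, rows, dormant_users(db, known, "2008-12-23")


if __name__ == "__main__":
    print(demo())
```

Failed attempts are kept in their own rows (`success = 0`), so repeated failures from one address or against one account can be queried without being mixed into the activity history.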


Re: [Dovecot] Possible to log IMAP connections to MySQL Table?

2008-12-23 Thread Justin Krejci
If you use MySQL for auth you could include some logging bits as part of
your SQL query.

-Original Message-
From: dovecot-bounces+jkrejci=usinternet@dovecot.org
[mailto:dovecot-bounces+jkrejci=usinternet@dovecot.org] On Behalf Of
Corey Shaw
Sent: Tuesday, December 23, 2008 2:50 PM
To: dovecot@dovecot.org
Subject: [Dovecot] Possible to log IMAP connections to MySQL Table?

Is it currently possible to log all IMAP connection attempts to a MySQL
table?  Thanks. 



_ 
Corey



[Dovecot] SSL cert problems.

2008-12-23 Thread Geoff Sweet
I'm really racking my brain trying to figure this one out here. I am
running a pop3 server for remote offices on CentOS 5.2.  We purchased a
SSL cert from Verisign and installed it on our dovecot server, but I
continue to get failure problems with the cert and I don't know where to
go from here.

here is some info about our config:

dovecot version:  
# dovecot --version
1.0.7

hostname: pop.x10.com

dovecot.conf:
# dovecot -n
# 1.0.7: /etc/dovecot.conf
base_dir: /var/run/dovecot/
log_path: /var/log/dovecot.log
protocols: pop3 pop3s
ssl_ca_file: /etc/pki/verisign/intermediate_ca.cer
ssl_cert_file: /etc/pki/dovecot/certs/pop.x10.com.cer
ssl_key_file: /etc/pki/dovecot/private/pop.x10.com.key
ssl_cipher_list: HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
verbose_ssl: yes
login_dir: /var/run/dovecot//login
login_executable: /usr/libexec/dovecot/pop3-login
mail_executable: /usr/libexec/dovecot/pop3
mail_plugin_dir: /usr/lib/dovecot/pop3
pop3_client_workarounds: outlook-no-nuls
auth default:
  passdb:
driver: pam
  userdb:
driver: passwd



and last but not least, here is my test from openssl.  Mind you this
fails as a BAD ssl cert in Evolution.  

:~$ openssl s_client -ssl2 -connect pop.x10.com:995
CONNECTED(0003)
depth=0 /C=US/ST=Washington/L=Renton/O=X10 Wireless Technology, Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa (c)05/CN=pop.x10.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=Washington/L=Renton/O=X10 Wireless Technology, Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa (c)05/CN=pop.x10.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=Washington/L=Renton/O=X10 Wireless Technology, Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa (c)05/CN=pop.x10.com
verify error:num=21:unable to verify the first certificate
verify return:1
21568:error:1406D0B8:SSL routines:GET_SERVER_HELLO:no cipher list:s2_clnt.c:450:


As you can see, the certificate clearly fails.  I don't know how to make
this work at this point.  Any thoughts or advice would be greatly
appreciated.

-G



Re: [Dovecot] Replication (Re: MySQL as a storage only.?)

2008-12-23 Thread R A
Seth Mattinen wrote:

 Multiple master in MySQL is still more of a hack. Also, performance
 for billion-row SQL tables is rather poor for something interactive
 like clicking on a message in IMAP and expecting it to pop up right away.

 I'm looking forward to master-master replication. Not SQL though; I
 can't find the link now but I remember reading about a master-master
 system that Dovecot would use to sync maildir/dbox over N masters or
 something. A pool of beefy master-master Dovecots with a load balancer
 in front of them would be wonderful - I'm not too keen on the user a
 goes on server a, user b on server b system. I'd love to help out but
 my own development schedule is beyond full at the moment. =)

 ~Seth

Well, what I would like to see is multiple servers, where mail can come
in simultaneously for user a at both server a,b and c. But a user is
only connected to one server at a time, although it can be any of them.
DNS would solve this as they all have the name and mx value. The MTA
issue is trivial to sync mail between them (as long as sieve filters
aren't used or updated anyway and that has not propagated) but IMAP and
POP3 would be a bit trickier. No load balancer as say you have one
server on one isp in canada, one in australia, and one in germany. Say
the link suddenly goes down to the server in australia for an hour, once
it comes up you want them to resync automatically.

Basically your not-too-keen scenario, but worse, as b can go on a, and
then next time on b. Which means that a user can do things like delete a
file twice, move it to two different locations etc. All you have to go
on would be timestamps to resolve conflicts, so the servers pretty much
would have to use ntp for this to work.

-Roger


Re: [Dovecot] Replication (Re: MySQL as a storage only.?)

2008-12-23 Thread Seth Mattinen

R A wrote:

Seth Mattinen wrote:

Multiple master in MySQL is still more of a hack. Also, performance
for billion-row SQL tables is rather poor for something interactive
like clicking on a message in IMAP and expecting it to pop up right away.

I'm looking forward to master-master replication. Not SQL though; I
can't find the link now but I remember reading about a master-master
system that Dovecot would use to sync maildir/dbox over N masters or
something. A pool of beefy master-master Dovecots with a load balancer
in front of them would be wonderful - I'm not too keen on the user a
goes on server a, user b on server b system. I'd love to help out but
my own development schedule is beyond full at the moment. =)

~Seth


Well, what I would like to see is multiple servers, where mail can come
in simultaneously for user a at both server a, b and c. But a user is
only connected to one server at a time, although it can be any of them.
DNS would solve this as they all have the name and mx value. The MTA
issue is trivial to sync mail between them (as long as sieve filters
aren't used or updated anyway and that has not propagated) but IMAP and
POP3 would be a bit trickier. No load balancer as say you have one
server on one isp in canada, one in australia, and one in germany. Say
the link suddenly goes down to the server in australia for an hour, once
it comes up you want them to resync automatically.

Basically your not-too-keen scenario, but worse, as b can go on a, and
then next time on b. Which means that a user can do things like delete a
file twice, move it to two different locations etc. All you have to go
on would be timestamps to resolve conflicts, so the servers pretty much
would have to use ntp for this to work.




I found the message: [Dovecot] Replication milestone 1
http://www.dovecot.org/list/dovecot/2008-May/030446.html

This is something I can certainly provide infrastructure for (load 
balancer plus 3 or 4 servers) and possibly throw my hat in as a sponsor. 
But I have no idea how much progress Timo has made on this.


~Seth


Re: [Dovecot] SSL cert problems.

2008-12-23 Thread Sahil Tandon
Geoff Sweet wrote:

 and last but not least, here is my test from openssl.  Mind you this
 fails as a BAD ssl cert in Evolution.  
 
 :~$ openssl s_client -ssl2 -connect pop.x10.com:995

Try -ssl3 here; you'll see more.

 CONNECTED(0003)
 depth=0 /C=US/ST=Washington/L=Renton/O=X10 Wireless Technology,
 Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa
 (c)05/CN=pop.x10.com
 verify error:num=20:unable to get local issuer certificate
 verify return:1
 depth=0 /C=US/ST=Washington/L=Renton/O=X10 Wireless Technology,
 Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa
 (c)05/CN=pop.x10.com
 verify error:num=27:certificate not trusted
 verify return:1
 depth=0 /C=US/ST=Washington/L=Renton/O=X10 Wireless Technology,
 Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa
 (c)05/CN=pop.x10.com
 verify error:num=21:unable to verify the first certificate
 verify return:1
 21568:error:1406D0B8:SSL routines:GET_SERVER_HELLO:no cipher
 list:s2_clnt.c:450:
 
 As you can see, the certificate clearly fails.  I don't know how to make
 this work at this point.  Any thoughts or advice would be greatly
 appreciated.

The cert fails because s_client(1) cannot find the root CAs you've chosen
to trust.  The same test will fail even with gmail's IMAP and POP3
servers.  See the s_client(1) man page for the CApath and CAfile flags.

-- 
Sahil Tandon sa...@tandon.net
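
The point made in the reply above, reproduced offline as an added example (not part of the original thread): the same certificate fails with verify error 20 when the verifier has no matching root and passes once the root is supplied with -CAfile, the same flag s_client(1) accepts. The CA, the keys and the name pop.example.test are constructed for the demo, and `openssl verify` stands in for the live s_client connection.

```shell
#!/bin/sh
# Added example: every certificate, key and host name here is constructed.

make_demo_pki() {   # $1 = directory to write the throwaway PKI into
    dir=$1
    cat > "$dir/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    # Self-signed root: stands in for the CA that issued the server's cert.
    openssl req -x509 -config "$dir/demo.cnf" -newkey rsa:2048 -nodes -days 2 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    # Leaf key and CSR for a placeholder server name.
    openssl req -new -config "$dir/demo.cnf" -subj "/CN=pop.example.test" \
        -newkey rsa:2048 -nodes -keyout "$dir/leaf.key" \
        -out "$dir/leaf.csr" 2>/dev/null || return 1
    # The root signs the leaf.
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/leaf.pem" 2>/dev/null || return 1
}

verify_code() {     # args go to `openssl verify`; echoes 0 or the verify error number
    out=$(openssl verify "$@" 2>&1) || true
    case $out in
        *": OK"*) echo 0 ;;
        *) printf '%s\n' "$out" |
               sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1 ;;
    esac
}

tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
make_demo_pki "$tmp" || { echo "openssl could not build the demo PKI" >&2; exit 1; }
# Same certificate both times; only the trust anchor given to the verifier changes.
echo "default trust store: $(verify_code "$tmp/leaf.pem")"
echo "with -CAfile ca.pem: $(verify_code -CAfile "$tmp/ca.pem" "$tmp/leaf.pem")"
```

Error 20 is the first of the three verify errors in the s_client output quoted above; against a real server the file passed to -CAfile would be the issuing CA's root certificate.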


Re: [Dovecot] Possible to log IMAP connections to MySQL Table?

2008-12-23 Thread Luigi Rosa

Seth Mattinen said the following on 23/12/08 22:30:

 Sure. You could use syslog-ng to log directly to a database or syslog
 plus SEC (http://kodu.neti.ee/~risto/sec/) to trigger insert rules.

Or you can enable MySQL query log and see what's happening:
http://dev.mysql.com/doc/refman/5.0/en/query-log.html




Ciao,
luigi

- --
/
+--[Luigi Rosa]--
\

Walt Disney is in suspended animation.