[Dovecot] Postfix, Dovecot SASL and Entourage smtps authentication fails.

2009-04-15 Thread Mart Pirita
Hello.

Recently just migrated from Sendmail 8.14.3 to Postfix 2.5.6 and
switched from Cyrus-sasl 2.1.22 to Dovecot 1.1.13 sasl, all are compiled
from source and I have used Dovecot for a long time, since alpha versions.

Everything worked well for Outlook Express, Outlook and Thunderbird
clients, but for Microsoft Entourage 2004 or 2008 clients smtps fails with:
Authentication failed because Entourage doesn't support any of the
available authentication methods.

A similar case:
http://archives.neohapsis.com/archives/postfix/2008-09/thread.html#145

I tried everything; the config is as described on the Postfix and Dovecot
sites - http://wiki.dovecot.org/HowTo/PostfixAndDovecotSASL

I also tried smtpd_sasl_security_options = forward_secrecy in main.cf,
as described in
http://www.postfix.org/postconf.5.html#smtpd_sasl_security_options

But none helped.

So I switched back to Cyrus-sasl and Entourage works well like before
with sendmail.

I started to search for what the reason may be, and it seems that with
Dovecot SASL Postfix won't advertise the needed stuff in EHLO:

With Cyrus:

telnet localhost 25
Trying 127.0.0.1...
Connected to localdomain.localhost.
Escape character is '^]'.
220 my.host.ee ESMTP
EHLO example.com
250-my.host.ee
250-PIPELINING
250-SIZE
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
starttls
220 2.0.0 Ready to start TLS

With dovecot:
telnet localhost 25
Trying 127.0.0.1...
Connected to localdomain.localhost.
Escape character is '^]'.
220 my.host.ee ESMTP
EHLO example.com
starttls
220 2.0.0 Ready to start TLS


Setting smtpd_tls_auth_only = no in main.cf with Cyrus gives even more,
but still nothing with Dovecot:

telnet localhost 25
Trying 127.0.0.1...
Connected to localdomain.localhost.
Escape character is '^]'.
220 my.host.ee ESMTP
EHLO example.com
250-my.host.ee
250-PIPELINING
250-SIZE
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

So is this an Entourage, Dovecot or Postfix bug? I'd really like to drop
Cyrus and use only Dovecot SASL.

Any hint is welcome.

-- 
Mart
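As an added example (not from Mart's post, nor Postfix or Dovecot code), a small Python check that parses the EHLO replies quoted above and reports which cleartext SASL mechanisms a server advertises before STARTTLS; the sample replies are copied from the transcripts in this post, and the mechanism list CLEARTEXT_MECHS is my assumption.

```python
import re

# Constructed samples: the two Postfix EHLO replies quoted in the post above,
# server lines only. The first is smtpd_tls_auth_only in effect (no AUTH before
# STARTTLS); the second is what smtpd_tls_auth_only = no showed.
EHLO_TLS_AUTH_ONLY = """250-my.host.ee
250-PIPELINING
250-SIZE
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""
EHLO_CLEARTEXT_AUTH = """250-my.host.ee
250-PIPELINING
250-SIZE
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""

# Assumption: SASL mechanisms that expose the password to anyone on the wire.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}
REPLY_LINE = re.compile(r"^250[- ](\S+)(?:\s+(.*))?$")


def parse_ehlo(reply: str) -> dict:
    """Map each advertised EHLO keyword to its parameters.
    The first 250 line is the greeting, not an extension, so it is skipped.
    'AUTH PLAIN LOGIN' and the non-standard 'AUTH=PLAIN LOGIN' line that
    Postfix emits for broken SASL clients are both collected under 'AUTH'.
    """
    ext: dict = {}
    matches = [m for m in map(REPLY_LINE.match, reply.splitlines()) if m]
    for m in matches[1:]:
        keyword, params = m.group(1).upper(), (m.group(2) or "").split()
        if keyword.startswith("AUTH="):
            keyword, params = "AUTH", [keyword[len("AUTH="):]] + params
        bucket = ext.setdefault(keyword, [])
        bucket += [p for p in params if p not in bucket]
    return ext


def cleartext_auth_before_tls(reply: str) -> set:
    # Cleartext mechanisms offered on the unencrypted connection. Empty is the
    # hardened state: the client must STARTTLS before the server offers AUTH.
    return set(parse_ehlo(reply).get("AUTH", [])) & CLEARTEXT_MECHS
```

Run it against a capture of your own server's pre-STARTTLS EHLO reply; a non-empty result means passwords can be sniffed from clients that skip TLS.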



Re: [Dovecot] convert from courier-imap

2009-04-15 Thread Timo Sirainen
On Tue, 2009-04-14 at 08:54 -0700, Ricardo Kleemann wrote:
> Hi,
>
> I'm currently using courier-imap, Maildir files.
>
> Do I need to run conversion, or can I simply let dovecot run and create its
> own indexing without attempting to convert anything from courier?

http://wiki.dovecot.org/Migration#IMAP_migration explains the problems
you could run into. 1 isn't a problem, but 2 and 3 are.
http://wiki.dovecot.org/Migration/Courier has migration scripts to
preserve them.





Re: [Dovecot] FTS Plugin design

2009-04-15 Thread Timo Sirainen
On Mon, 2009-04-13 at 11:18 +0100, Rui Carneiro wrote:
> I didn't understand yet what is the plugin's design and how the plugins are
> called from the core system and I was wondering if anyone could help me with
> that.

fts-storage.c hooks into all the functions in mail-storage API that it
needs to. Currently indexing isn't done while messages are being saved,
but instead just before searching. The searching functions are:

 - fts_mailbox_search_init() tries to figure out if FTS can optimize the
search. If it does, it tries to figure out if FTS index is up-to-date
and if not, starts the search.

 - fts_mailbox_search_next_nonblock() continues the indexing (or
searching after indexing) for a while. The idea is that IMAP connection
is able to process other commands while doing a long-running search. So
fts plugin indexes FTS_SEARCH_NONBLOCK_COUNT (50) messages at a time. It
would be nice if that value was dynamically calculated and also based on
bytes instead of messages, but that's maybe too much trouble.

 - fts_mailbox_search_next_update_seq() uses the fts search results and
updates mail-storage's search stuff so that it doesn't go through
messages that don't match.

 - fts_build_mail() indexes a single mail. It parses the messages and
returns the data in small blocks. For text/* and message/rfc822 parts
those blocks are currently sent to FTS backend. This is where I think
you should look into hooking your attachment parsing. Change
fts_build_want_index_part() to look for more content-types that you're
interested in and then before feeding the blocks to FTS backend put them
through your own converter function, something like:

int attachment_extract_text(struct attachment_extract_context *ctx,
const struct message_block *input, struct message_block *output);






Re: [Dovecot] Dovecot not accepting connections

2009-04-15 Thread Timo Sirainen
On Sun, 2009-04-12 at 15:03 -0500, Jim wrote:
>> Does it
>>
>> a) Hang after Trying 127.0.0.1...
>> b) Hang after Escape character is '^]'.
>> c) Say connect to address 127.0.0.1: Connection refused
>>
>> Naturally, now that I'm trying to duplicate the issue, I can't get
>> it to act up.  If I can get into a mode where it stops working
>> again, I'll try that and report back.
>
> Finally had this happen again.  Connecting via localhost worked just
> fine, returned OK Dovecot ready.

If Dovecot is answering on localhost, I can't think of any reasons why
it wouldn't answer to non-localhost connections.

> Connecting via my domain name
> resulted in a hung connection that eventually just timed out.

So did it time out on a) or b)?

And you say domain name; what about IP address? What if the problem is
with DNS resolving?

> The only odd thing that I noticed when I went to stop and restart the
> Dovecot process is that only one dovecot-auth process was running,
> normally I see two processing running.  After quitting Dovecot and
> starting it again, I saw two dovecot-auth processes start up, and then
> I was able to get mail just fine.

Was one of them the dovecot -w process? Anyway, the number of dovecot-auth
processes shouldn't really make a difference.




Re: [Dovecot] Can virtual mailboxes created automatically?

2009-04-15 Thread Timo Sirainen
On Sun, 2009-04-12 at 11:02 +0800, Xueron Nee wrote:
>> On Fri, 2009-04-10 at 13:06 +0800, Xueron Nee wrote:
>>> I set a virtual namespace, and for new users, there is no root dir for
>>> it.
>> .
>>> Apr 10 12:14:41 mail dovecot: IMAP(te...@xueron.com):Namespace
>>> 'virtual/': virtual: Root mail directory doesn't
>>> exist:/home/data/te...@xueron.com/Maildir/virtual
>>
>> So do you want to create some virtual mailboxes automatically, or do you
>> simply want Dovecot to ignore the namespace if the directory doesn't
>> exist?
>>
> I think creating virtual mailboxes automatically is much better for me :)
> I want to let users set up their virtual mailboxes for POP3. So, a
> default or template of 'dovecot-virtual' for auto-created virtual
> mailboxes is good :)

Well, that's something I don't think Dovecot should really do
internally. You have two possibilities:

1) Create that directory structure immediately at the same time when you
add the user to your userdb.

2) Use a post-login script (http://wiki.dovecot.org/PostLoginScripting)
that does something like:

#!/bin/sh
# First login for this user: seed the home directory (and the virtual
# namespace root under it) from a template, then hand over to the real
# mail process. $HOME is quoted so paths with spaces don't break the copy.
if [ ! -d "$HOME" ]; then
  cp -R /etc/dovecot/template "$HOME"
fi
exec /usr/local/lib/dovecot

And I suppose there could also be 3) a new plugin that does basically
what 2) does, but I'm not really interested in implementing that.




[Dovecot] SELinux and i_stream_read() failed: Permission denied

2009-04-15 Thread James Butler
Not a problem ... sharing a solution (this time)! Please correct my
understanding of the process, if required.

'i_stream_read() failed: Permission denied' is an error message generated
when a large-ish file (128kb in my case) is attached to a message that
has been passed to Dovecot's deliver program when SELinux is being
enforced.

In my case, these messages are first run through Spamassassin, then passed
to deliver; however, the SELinux policy that is being violated relates to
deliver, and not to Spamassassin, even though I do NOT generate the errors
WITHOUT running Spamassassin. I'm not going to guess as to why that is.
The policies below resolve the issue, and now large-ish (even LARGE)
attachments come through without a whimper with
Postfix+Spamassassin+Dovecot.

The problem is that deliver is not running with the correct SELinux policy
to be able to write to the global /tmp directory (in my case, after
receiving the big attachment from SA), even if that directory's
permissions allow it. (Bless you, SELinux!) Small-ish file attachments do
not trigger this deliver functionality.

Here's a complete error message, and its subsequent errors in the course
of delivering a large-ish message+attachment:

===
deliver(user): unlink(/tmp/dovecot.deliver.. \
  1239836047.9469.46242b1037005551) failed: Permission denied
deliver(user): copy: i_stream_read() failed: Permission denied
deliver(user): read(mail, uid=1) failed: Permission denied
deliver(user): read(mail, uid=1) failed: Permission denied
deliver(user): msgid=: save failed to INBOX: Internal error occurred. \
  Refer to server log for more information. [2009-04-15 17:54:07]
===

This is the final error series received before the policies were finally
updated, and it shows an error during deliver's attempt to unlink()
(remove) the temporary file. Previous errors occurred during attempts to
stat() and creat() (sic) the temporary files.

Basically, the dovecot_deliver_t context needs to be able to create,
read, write and remove files in the /tmp directory (tmp_t context).

Below, I am pasting my local_postfix.te SELinux policy file. It includes
instructions for using it, and for figuring out how to do other SELinux
policy adjustments on your own. This is my COMPLETE Postfix+Dovecot
SELinux policy group. I also have policies for Spamassassin, if anyone
wants them. If you are running Sendmail or another MTA instead of Postfix,
you can build on what you find below and establish your own policies.

I hope this proves useful. Again, please feel free to correct any
misunderstandings I may be promoting with this message.

Use at your own risk, please! No guarantees ... it just worked, for me.

James

## NOTE: I have broken lines in the following using the standard \
notation to fix the email format better. However the local_postfix.te file
should NOT have ANY lines broken. Remove my \ notation and keep the
lines together and you should be okay. ##

### HOW TO USE THIS ###
# SELinux, Postfix, Dovecot
# SELinux needs help resolving Postfix+Dovecot context issues.
# This file + the following instructions should get you
# on your way to resolving the policies between those contexts.
#
# 1) Create this file with the data shown below:
#      local_postfix.te
# 2) Compile this file:
#      checkmodule -M -m -o local_postfix.mod local_postfix.te
# 3) Create SELinux policy package:
#      semodule_package -o local_postfix.pp -m local_postfix.mod
# 4) Move policy package to normal SELinux modules directory:
#      mv local_postfix.pp /etc/selinux/targeted/modules/active/modules/
# 5) Update kernel with new policy package:
#      semodule -i \
#        /etc/selinux/targeted/modules/active/modules/local_postfix.pp
#
# Test: Send mail from remote to this system.
# Check /var/log/maillog for mail errors and
# /var/log/messages and /var/log/audit/audit.log for more specific
# SELinux errors.
# Also, SELinux will provide the command (sealert...) for more details.
# Use the error info you see in messages (or sealert...) to create
# new entries in local_postfix.te, then re-compile, package
# and update the kernel.

Re: [Dovecot] INBOX lost in virtual namespace

2009-04-15 Thread Timo Sirainen
On Thu, 2009-04-09 at 18:45 +0800, Xueron Nee wrote:
> # cat ~/Maildir/virtual/.INBOX/dovecot-virtual
> secret/*
>   all
>
> but, the INBOX lost in secret/ namespace :(

Because you've set inbox=no for the secret/ namespace. So I think it's
correct. But in the latest hg version you can now do:

secret/
secret/*
 all

Alternatively, to get secret/* to match INBOX in an inbox=no namespace,
you'd need to put the INBOX contents into ~/Maildir/.INBOX:

mail_location = maildir:~/Maildir:INBOX=~/Maildir/.INBOX




Re: [Dovecot] SELinux and i_stream_read() failed: Permission denied

2009-04-15 Thread Timo Sirainen
On Wed, 2009-04-15 at 16:47 -0700, James Butler wrote:
> i_stream_read() failed: Permission denied is an error message generated
> when a large-ish file (128kb in my case) is attached to a message that
> has been passed to Dovecot's deliver program when SELinux is being
> enforced.
..
> The problem is that deliver is not running with the correct SELinux policy
> to be able to write to the global /tmp directory

BTW, Dovecot v1.2+ no longer writes to the /tmp directory. Writing to /tmp
was pretty evil.





Re: [Dovecot] Coredump using virtual folder.

2009-04-15 Thread Timo Sirainen
On Thu, 2009-04-09 at 08:18 +0200, Matthias Rieber wrote:
> #0  0x080a542b in search_index_arg (arg=0x973da68, ctx=0xa13b140) at
> index-search.c:123
> 123 for (i = 0; i < search_kws->count; i++) {
> (gdb) bt

Committed some more fixes to hg that should fix this and other bugs.





Re: [Dovecot] failed dovecot 1.2rc2 build Solaris 8, gcc 2.95.3

2009-04-15 Thread Timo Sirainen
On Thu, 2009-04-09 at 10:35 +0200, Jernej Porenta wrote:
> I'm trying to build dovecot 1.2rc2 on ancient Solaris 8 with gcc 2.95.3
> and it fails with:
..
> login-process.c:52: field `data' has incomplete type

Fixed: http://hg.dovecot.org/dovecot-1.2/rev/933d95978040




Re: [Dovecot] dovecot SASL + Postfix no IMAP or POP3

2009-04-15 Thread Timo Sirainen
On Tue, 2009-04-07 at 08:10 -0700, Roderick A. Anderson wrote:
> The only issue I see is how to disable IMAP and POP3 and use only the
> SASL authentication feature.  I read that Timo is thinking to _someday_
> :-) separate the SASL authentication from the rest of Dovecot, but in
> the mean time can I just leave out the IMAP and POP3 stuff from
> dovecot.conf, or is there a disable option?

protocols = none





Re: [Dovecot] virtual domains with SQL auth + ntlm (winbind) auth for one of them...

2009-04-15 Thread Timo Sirainen
On Mon, 2009-04-06 at 14:35 +0200, Tomasz Lutelmowski wrote:
> Hello!
>
> Is it possible to configure dovecot so it can use SQL authentication
> for a set of domains, and ntlm authentication for one domain? In other
> words, I would like to authenticate all users (with u...@domain.com as
> login) in SQL server, and if not found, then strip @windomain.com from
> login and fall back to pam-winbind authentication.

I don't think it's going to work in any easy way. Two ideas:

a) Create a pam plugin that drops the @domain part (maybe there already
exists one?)

b) Switch to using passdb checkpassword and have your script do the SQL
check, then call PAM with the @domain part dropped.




Re: [Dovecot] Postfix, Dovecot SASL and Entourage smtps authentication fails.

2009-04-15 Thread Timo Sirainen
On Wed, 2009-04-15 at 12:33 +0300, Mart Pirita wrote:
> With dovecot:
> telnet localhost 25
> Trying 127.0.0.1...
> Connected to localdomain.localhost.
> Escape character is '^]'.
> 220 my.host.ee ESMTP
> EHLO example.com
> starttls
> 220 2.0.0 Ready to start TLS

Are you saying that EHLO doesn't return anything when using Dovecot
SASL? Something's very broken then.





Re: [Dovecot] SELinux and i_stream_read() failed: Permission denied

2009-04-15 Thread James Butler
> On Wed, 2009-04-15 at 16:47 -0700, James Butler wrote:
>> i_stream_read() failed: Permission denied is an error message generated
>> when a large-ish file (128kb in my case) is attached to a message that
>> has been passed to Dovecot's deliver program when SELinux is being
>> enforced.
> ..
>> The problem is that deliver is not running with the correct SELinux policy
>> to be able to write to the global /tmp directory
>
> BTW. Dovecot v1.2+ no longer writes to /tmp directory. Writing to /tmp
> was pretty evil.



I hear ya. I'm running v.1.2.rc2 ... is there a newer version?