Re: Permission denied when logrotating dovecot.log
On 19 March 2017 07:21:20 CET, Michael Heuberger wrote:
> Well, I'd rather have dovecot log alone in one log file.

Let dovecot log to syslog and set syslog_facility = local5 and configure your syslog daemon to write log data for that facility to a separate file. No need to mess with permissions.

> My initial question is what user/group and file permissions to use??

--
Christian Kivalo
Re: Permission denied when logrotating dovecot.log
Well, I'd rather have dovecot log alone in one log file. My initial question is what user/group and file permissions to use??

On 19/03/17 15:40, Richard wrote:
> I would be inclined to just log dovecot to the syslog mail facility,
> which I believe is the default (in 10-logging.conf) -- in the RHEL
> setup anyway, and what I do:
>
> log_path = syslog
> syslog_facility = mail

--
Binary Kitchen
Michael Heuberger
1/33 Parrish Road
Sandringham
Auckland 1025
(New Zealand)
Mobile (text only) ... +64 21 261 89 81
Email mich...@binarykitchen.com
Website .. http://www.binarykitchen.com
Re: Permission denied when logrotating dovecot.log
> Date: Sunday, March 19, 2017 15:28:35 +1300
> From: Michael Heuberger
>
> Well, I tried the same but it didn't work.
>
> Setting my dovecot.log to 600 with root:root is breaking my mail
> system. I am then unable to receive and open emails.
>
> Had to apply an ugly hack
>
> /var/log/dovecot*.log {
>     su syslog syslog
>     create 666 syslog syslog
>     rotate 10
>     ...
> }
>
> Like that anyone who wants to access/write to it, can do it and all
> works.
>
> That's my problem. Do not know who/what/how to set this up
> correctly.
>
> - Michael

I would be inclined to just log dovecot to the syslog mail facility,
which I believe is the default (in 10-logging.conf) -- in the RHEL
setup anyway, and what I do:

log_path = syslog
syslog_facility = mail
Re: Permission denied when logrotating dovecot.log
Well, I tried the same but it didn't work.

Setting my dovecot.log to 600 with root:root is breaking my mail system. I am then unable to receive and open emails.

Had to apply an ugly hack

/var/log/dovecot*.log {
    su syslog syslog
    create 666 syslog syslog
    rotate 10
    ...
}

Like that anyone who wants to access/write to it, can do it and all works.

That's my problem. Do not know who/what/how to set this up correctly.

- Michael

On 19/03/17 15:12, Richard wrote:
> I log dovecot via syslog to [/var/log/]maillog, rather than its own
> log file. That file is owned root.root and has permissions of 600.
Re: Permission denied when logrotating dovecot.log
> Date: Sunday, March 19, 2017 14:56:01 +1300
> From: Michael Heuberger
>
> Thank you. And what user/group/file perms does your dovecot.log
> file have?
>
> - Michael

I log dovecot via syslog to [/var/log/]maillog, rather than its own
log file. That file is owned root.root and has permissions of 600.
Re: Permission denied when logrotating dovecot.log
Thank you. And what user/group/file perms does your dovecot.log file have?

- Michael

On 19/03/17 13:43, Richard wrote:
> As the message says:
>
> > because parent directory has insecure permissions
> > (It's world writable or writable by group which
> > is not "root")
>
> > drwxrwxr-x 12 root syslog 4.0K Mar 19 12:43 log
>
> On my RHEL derived systems, /var/log is root.root (and even then, is
> not writable by group).
Re: Permission denied when logrotating dovecot.log
> Date: Sunday, March 19, 2017 13:32:57 +1300
> From: Michael Heuberger
>
> Hello guys
>
> Having headaches here how to make logrotation for dovecot log files
> work. Having permission issues:
>
> michael.heuberger@xxx /e/l/daily ❯❯❯ sudo logrotate -fv dovecot.daily
> reading config file dovecot.daily
>
> Handling 1 logs
>
> rotating pattern: /var/log/dovecot*.log forced from command line
> (10 rotations)
> empty log files are rotated, old logs are removed
> considering log /var/log/dovecot.log
> error: skipping "/var/log/dovecot.log" because parent directory has
> insecure permissions (It's world writable or writable by group
> which is not "root") Set "su" directive in config file to tell
> logrotate which user/group should be used for rotation.
>
> This is my current logrotation conf for dovecot:
>
> /var/log/dovecot*.log {
>     rotate 10
>     missingok
>     sharedscripts
>     postrotate
>         doveadm log reopen
>     endscript
> }
>
> And the /var/log folder has these permissions:
>
> drwxrwxr-x 12 root syslog 4.0K Mar 19 12:43 log
>
> Any clues what's wrong?

As the message says:

> because parent directory has insecure permissions
> (It's world writable or writable by group which
> is not "root")

> drwxrwxr-x 12 root syslog 4.0K Mar 19 12:43 log

On my RHEL derived systems, /var/log is root.root (and even then, is
not writable by group).
Permission denied when logrotating dovecot.log
Hello guys

Having headaches here how to make logrotation for dovecot log files work. Having permission issues:

michael.heuberger@xxx /e/l/daily ❯❯❯ sudo logrotate -fv dovecot.daily
reading config file dovecot.daily

Handling 1 logs

rotating pattern: /var/log/dovecot*.log forced from command line (10 rotations)
empty log files are rotated, old logs are removed
considering log /var/log/dovecot.log
error: skipping "/var/log/dovecot.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.

This is my current logrotation conf for dovecot:

/var/log/dovecot*.log {
    rotate 10
    missingok
    sharedscripts
    postrotate
        doveadm log reopen
    endscript
}

And the /var/log folder has these permissions:

drwxrwxr-x 12 root syslog 4.0K Mar 19 12:43 log

Any clues what's wrong?

Thanks
Michael
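As an added example (not code from the thread, from logrotate or from Dovecot), the check behind the error message above, written out in Python, together with a stanza builder that takes the su route instead of the `create 666` workaround. The directory values are the thread's own (/var/log as drwxrwxr-x root:syslog); the numeric gid 104 for the syslog group and the `adm` group for rotated files are assumptions for illustration, and `create_owner` has to be whatever identity actually writes dovecot.log on your system.

```python
"""Added example: logrotate's parent-directory check, and a stanza that
avoids world-writable log files.

logrotate refuses to rotate a log whose parent directory is world-writable
or group-writable by a group other than root, unless the stanza carries
"su USER GROUP" naming the identity it should rotate as.  That is the case
the thread hits: on Debian-style systems /var/log is drwxrwxr-x root:syslog.
The answer is an su line matching the directory (su root syslog), not a
rotated file created 0666.
"""
import grp
import os
import pwd
import stat
import sys
from typing import Optional


def parent_dir_insecure(mode: int, gid: int) -> bool:
    """True when logrotate would skip the log in a stanza without su.

    mode is the directory's st_mode (only the permission bits matter),
    gid its numeric group id.  With su present, logrotate accepts a
    group-writable directory whose group is the su group.
    """
    if mode & stat.S_IWOTH:                            # world-writable
        return True
    return bool(mode & stat.S_IWGRP) and gid != 0      # group-writable, group != root


def su_directive(mode: int, gid: int, owner: str, group: str) -> Optional[str]:
    """The su line the stanza needs, or None when the directory is already fine."""
    if parent_dir_insecure(mode, gid):
        return f"su {owner} {group}"
    return None


def render_stanza(glob: str, mode: int, gid: int, owner: str, group: str,
                  create_owner: str, create_group: str = "adm") -> str:
    """Build a logrotate stanza for GLOB whose parent dir has MODE/GID/OWNER/GROUP.

    create_owner must be the identity that actually writes the log; the new
    file is created 0640 so members of create_group (assumed: adm) can read
    it and nobody but the owner can write it.
    """
    lines = [f"{glob} {{"]
    su = su_directive(mode, gid, owner, group)
    if su:
        lines.append(f"    {su}")
    lines += [
        "    rotate 10",
        "    missingok",
        "    notifempty",
        "    compress",
        "    delaycompress",        # old file may still be open until doveadm log reopen
        f"    create 0640 {create_owner} {create_group}",
        "    sharedscripts",
        "    postrotate",
        "        doveadm log reopen",
        "    endscript",
        "}",
    ]
    return "\n".join(lines) + "\n"


def stanza_for_log(glob: str, create_owner: str) -> str:
    """Same, but reading the real parent directory with os.stat()."""
    st = os.stat(os.path.dirname(glob))
    owner = pwd.getpwuid(st.st_uid).pw_name
    group = grp.getgrgid(st.st_gid).gr_name
    return render_stanza(glob, st.st_mode, st.st_gid, owner, group, create_owner)


if __name__ == "__main__":
    # Usage: python3 logrotate_su.py '/var/log/dovecot*.log' root
    print(stanza_for_log(sys.argv[1], sys.argv[2]), end="")
```

Run it against the real path and drop the output into /etc/logrotate.d/dovecot, then dry-run with `logrotate -d` before forcing a rotation. If you take the syslog route Christian suggests instead (log_path = syslog, syslog_facility = local5, and a syslog rule writing that facility to its own file), the file is owned and rotated by the syslog daemon's own stanza and no Dovecot-specific su line is needed.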
Re: dovecot problem with ssl
On Fri, 17 Mar 2017 05:21:15 -0300 "Nilton Jose Rizzo" wrote:
> doveconf: Fatal: Error in configuration file
> /usr/local/etc/dovecot/conf.d/10-ssl.conf line 7: Unknown setting: ssl

How did you install Dovecot? It sounds like it's been compiled without SSL support. Maybe missing SSL libraries during build?

Andy
Re: dovecot problem with ssl
On Sat, 18 Mar 2017 16:24:25 +0100, Christian Kivalo wrote:
> On 18 March 2017 18:55:58 CET, Nilton Jose Rizzo wrote:
> > On Sat, 18 Mar 2017 11:36:34 +0100, Christian Kivalo wrote:
> > > On 2017-03-18 07:19, Nilton Jose Rizzo wrote:
> > > > On Fri, 17 Mar 2017 22:35:40 -0300, Nilton Jose Rizzo wrote:
> > > > > On Thu, 16 Mar 2017 23:06:08 -0700, Doug Barton wrote:
> > > > > > On 03/17/2017 01:21 AM, Nilton Jose Rizzo wrote:
> > > > > > > Hi all,
> > > > > > >
> > > > > > > I already searched for this error on google and nothing
> > > > > > >
> > > > > > > I have never installed dovecot, this is the first time.
> > > > > > >
> > > > > > > This error, I know, is too newbie and stupid, but I
> > > > > > > checked more than twice.
> > > > > > >
> > > > > > > root@server:/usr/local/etc/dovecot # sievec /home3/virtual/default.sieve
> > > > > > > doveconf: Fatal: Error in configuration file
> > > > > > > /usr/local/etc/dovecot/conf.d/10-ssl.conf line 7: Unknown setting: ssl
> > > > > > > root@server:/usr/local/etc/dovecot #
> > > > > > >
> > > > > > > I'm running a FreeBSD 12-current
> > > > > >
> > > > > > As someone else pointed out, that 7: means the error is on line 7 of
> > > > > > the file.
> > > > > >
> > > > > > Go into dovecot's conf.d folder (in /usr/local/etc/) and do this:
> > > > > >
> > > > > > diff -u 10-ssl.conf.sample 10-ssl.conf
> > > > > >
> > > > > > If that doesn't clearly indicate the problem to you, post the
> > > > > > results to the list.
> > > > > >
> > > > > > hope this helps,
> > > > > >
> > > > > > Doug
> > > > >
> > > > > Sorry, I forgot the link to the tutorial
> > > > >
> > > > > http://www.purplehat.org/?page_id=7
> > > > >
> > > > > root@server:/usr/local/etc/dovecot # head 10 conf.d/10-ssl.conf
> > > > > head: 10: No such file or directory
> > > > > ==> conf.d/10-ssl.conf <==
> > > > > ##
> > > > > ## SSL settings
> > > > > ##
> > > > >
> > > > > # SSL/TLS support: yes, no, required.
> > > > > #ssl = yes
> > > > > ssl=yes
> > > > >
> > > > > # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
> > > > > # dropping root privileges, so keep the key file unreadable by anyone but
> > > > > root@server:/usr/local/etc/dovecot #
> > >
> > > Please post the output of doveconf -n
> > >
> > > ssl = yes (or ssl=yes) is correct so should work. We need to know
> > > more about your running dovecot configuration.
> > >
> > > Btw: is dovecot running? Can you log in? From localhost and/or from
> > > a remote host? Over a secure connection?
> > >
> > > --
> > > Christian Kivalo
> >
> > root@server:/usr/local/etc/dovecot/conf.d # dovecot -n
> > # 2.2.28 (bed8434): /usr/local/etc/dovecot/dovecot.conf
> > # Pigeonhole version 0.4.17 (e179378)
> > doveconf: Fatal: Error in configuration file
> > /usr/local/etc/dovecot/conf.d/10-ssl.conf line 7: Unknown setting: ssl
> > doveconf: Error: managesieve-login: dump-capability process returned 89
> > doveconf: Fatal: Error in configuration file
> > /usr/local/etc/dovecot/conf.d/10-ssl.conf line 7: Unknown setting: ssl
> > root@server:/usr/local/etc/dovecot/conf.d #
>
> --
> Christian Kivalo

The same result, look

root@server:/usr/local/etc/dovecot/conf.d # dovecot -n
# 2.2.28 (bed8434): /usr/local/etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.17 (e179378)
doveconf: Fatal: Error in configuration file /usr/local/etc/dovecot/conf.d/10-ssl.conf line 7: Unknown setting: ssl
doveconf: Error: managesieve-login: dump-capability process returned 89
doveconf: Fatal: Error in configuration file /usr/local/etc/dovecot/conf.d/10-ssl.conf line 7: Unknown setting: ssl
root@server:/usr/local/etc/dovecot/conf.d # doveconf -n
# 2.2.28 (bed8434): /usr/local/etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.17 (e179378)
doveconf: Fatal: Error in configuration file /usr/local/etc/dovecot/conf.d/10-ssl.conf line 7: Unknown setting: ssl
doveconf: Error: managesieve-login: dump-capability process returned 89
doveconf: Fatal: Error in configuration file /usr/local/etc/dovecot/conf.d/10-ssl.conf line 7: Unknown setting: ssl
root@server:/usr/local/etc/dovecot/conf.d #
---
/*
** Nilton José Rizzo                        UFRRJ
** http://www.rizzo.eng.br                  http://www.ufrrj.br
** http://lattes.cnpq.br/0079460703536198
**/
Re: dovecot problem with ssl
On 18 March 2017 18:55:58 CET, Nilton Jose Rizzo wrote:
> On Sat, 18 Mar 2017 11:36:34 +0100, Christian Kivalo wrote:
> > Please post the output of doveconf -n
> >
> > ssl = yes (or ssl=yes) is correct so should work. We need to know
> > more about your running dovecot configuration.
> >
> > Btw: is dovecot running? Can you log in? From localhost and/or from
> > a remote host? Over a secure connection?
> >
> > --
> > Christian Kivalo
>
> root@server:/usr/local/etc/dovecot/conf.d # dovecot -n
> # 2.2.28 (bed8434): /usr/local/etc/dovecot/dovecot.conf
> # Pigeonhole version 0.4.17 (e179378)
> doveconf: Fatal: Error in configuration file
> /usr/local/etc/dovecot/conf.d/10-ssl.conf line 7: Unknown setting: ssl
> doveconf: Error: managesieve-login: dump-capability process returned 89
> doveconf: Fatal: Error in configuration file
> /usr/local/etc/dovecot/conf.d/10-ssl.conf line 7: Unknown setting: ssl
> root@server:/usr/local/etc/dovecot/conf.d #

--
Christian Kivalo
Re: dovecot problem with ssl
On Sat, 18 Mar 2017 11:36:34 +0100, Christian Kivalo wrote:
> Please post the output of doveconf -n
>
> ssl = yes (or ssl=yes) is correct so should work. We need to know
> more about your running dovecot configuration.
>
> Btw: is dovecot running? Can you log in? From localhost and/or from
> a remote host? Over a secure connection?
>
> --
> Christian Kivalo

root@server:/usr/local/etc/dovecot/conf.d # dovecot -n
# 2.2.28 (bed8434): /usr/local/etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.17 (e179378)
doveconf: Fatal: Error in configuration file /usr/local/etc/dovecot/conf.d/10-ssl.conf line 7: Unknown setting: ssl
doveconf: Error: managesieve-login: dump-capability process returned 89
doveconf: Fatal: Error in configuration file /usr/local/etc/dovecot/conf.d/10-ssl.conf line 7: Unknown setting: ssl
root@server:/usr/local/etc/dovecot/conf.d #
replication issues between two nodes
Hi,

Some time ago I posted the below but never got a response that I could work with. So I am retrying now in the hope that there might be a better idea/suggestion on how to approach this.

Situation: I have two nodes, which should replicate to each other. My main machine receives most mail and the other one receives mostly system messages and should get replicated. (This used to be delivered on both machines, but given the issues below I had to make sure that the customer email at least arrives on machine A, as detailed below).

When a mail arrives on the main machine (A) everything is fine and things are synchronised asap. Customers can see the email directly via webmail/imap.

When a mail arrives on the secondary machine (B) the replication is not issued until machine A starts a sync session. Customers do not see the email on machine A via webmail/imap.

When a mail arrives on A, the synchronisation occurs, and all messages on B not yet on A are synchronised as well. Customers can now see the email on machine A as well via webmail/imap. Sadly this can mean that emails that became visible are hours late (read: were delivered hours before, but not visible for the customer).

Both machines are configured through puppet; only individual settings like IP addresses and certificates are different because, well, they have to be. I included the difference below, and both 'doveconf -n's.

If someone has a suggestion on seeing why machine B is not issuing (or does not seem to issue) replication, let me know. I verified that I can connect to the remote machines via IPv4 and IPv6 (for doveadm / replication purposes).

Difference between configurations;

--- tmp1.txt2017-03-18 15:18:41.0 +0100 +++ tmp2.txt2017-03-18 15:18:56.0 +0100
@@ -55,7 +55,7 @@ imapsieve_mailbox2_name = * mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename mail_log_fields = uid box msgid size - mail_replica = tcps:mail.jr-hosting.nl:12346 + mail_replica = tcps:mail2.jr-hosting.nl:12346 sieve = ~/.dovecot.sieve sieve_dir = ~/sieve sieve_execute_bin_dir = /usr/local/lib/dovecot/sieve @@ -105,7 +105,7 @@ } service lmtp { inet_listener lmtp { -address = XXX/X 127.0.0.1 ::1 +address = /Y 127.0.0.1 ::1 port = 24 } unix_listener /var/spool/postfix/private/dovecot-lmtp { @@ -123,8 +123,8 @@ mode = 0666 } } -ssl_ca = signature.asc Description: Message signed with OpenPGP
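Review bot: in the first hunk (@@ -55,7 +55,7 @@) the only change is the mail_replica target, `tcps:mail.jr-hosting.nl:12346` versus `tcps:mail2.jr-hosting.nl:12346`, which is the expected per-node asymmetry (each side points at the other) and cannot by itself explain why B never initiates a sync. The doveadm inet_listener on 12346 that mail_replica connects to and the replicator/aggregator service definitions are not in this diff; check `doveadm replicator status` on B to see whether its replicator queues any work at all, and include those service blocks from both doveconf -n outputs when re-posting.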
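Review bot: in the second hunk (@@ -105,7 +105,7 @@) the `+address = /Y 127.0.0.1 ::1` line has been redacted down to a bare `/Y`, so the LMTP listener address on node B cannot be checked as posted. More to the point, whether a delivery on B is reported to B's replicator depends on the notify and replication plugins being loaded for the delivering protocol (`protocol lmtp { mail_plugins = ... }`), which lies outside this diff; confirm that block is identical on both nodes.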
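Review bot: the third hunk (@@ -123,8 +123,8 @@) is cut off after `-ssl_ca =` by the mail signature (`signature.asc Description: Message signed with OpenPGP`), so the one remaining per-node difference, the CA used for the tcps: replica connection, cannot be reviewed; re-post the hunk inline rather than as a signed attachment. The leading context `mode = 0666 } }` also closes a unix or fifo listener that any local user can connect to; unless that socket is meant to be world-accessible, restrict it with user/group and 0600 or 0660.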
Re: Dovecot can't connect to openldap over starttls
The server log of openldap with loglevel "any":
https://gwarband.de/openldap/openldap-connect.log

Note: openldap waits 1 minute before it says "TLS negotiation failure" after the connect, and dovecot says "Connect error" directly.

I've also deleted the TLSCipherSuite from openldap.

Tobias

On 2017-03-18 14:01, Tomas Habarta wrote:
> Increase log level on server side as well to see what the server says...
> You may remove anything in TLSCipherSuite for the purpose of testing too.
> Hopefully anyone knowing OpenLDAP internals could help you analyse it more
> deeply.
>
> Tomas
>
> On 03/18/2017 01:31 PM, i...@gwarband.de wrote:
>> I've replicated the settings from ldapsearch to dovecot but no success.
>> To the certificate:
>> Yes it's a *.crt file but I have linked the *.pem file to it and dovecot
>> has read access to that file.
>>
>> I have enabled the debugging in dovecot and have uploaded the output:
>> https://gwarband.de/openldap/dovecot-connect.log
>>
>> And the other side with ldapsearch:
>> https://gwarband.de/openldap/ldapsearch-connect.log
>>
>> I'm pretty sure that there is a problem with the SSL handshaking between
>> openldap and dovecot, but I can't find the source of the problem.
>>
>> One of the steps in the SSL handshaking is not successful but in the
>> debugging output I can't find any line with a hint to it.
>>
>> Tobias
>>
>> On 2017-03-18 12:30, Tomas Habarta wrote:
>>> Well, if ldapsearch works, try to replicate its settings for dovecot
>>> client.
>>> It's not obvious what settings ldapsearch uses, have a look at default
>>> client settings in /etc/openldap/ldap.conf, there may be something set a
>>> slightly different way.
>>> Also double check permissions for files used by dovecot, I mean mainly
>>> the file listed for tls_ca_cert_file as dovecot may not have access
>>> for reading...
>>>
>>> I cannot see anything downright bad, just posted CA cert (which is ok,
>>> tested) is *.crt and your config mentions *.pem but I consider it's the
>>> same file.
>>>
>>> Finally, I would recommend to enable debug option for dovecot's client
>>> debug_level = -1 (which logs all available) in your dovecot-ldap.conf
>>> to see what the library reports and work further on that.
>>> You can compare with output from ldapsearch by adding -d-1 switch to it.
>>>
>>> Hard to tell more at the moment.
>>>
>>> Tomas
>>>
>>> On 03/18/2017 09:41 AM, i...@gwarband.de wrote:
>>>> Hello,
>>>>
>>>> I have also installed LE certs.
>>>> But nothing helps, I have double-checked all certs.
>>>>
>>>> ldapsearch with -ZZ works, see:
>>>> https://gwarband.de/openldap/ldapsearch.log
>>>>
>>>> I have also uploaded the TLSCACertificateFile, maybe I have a failure in
>>>> the merge of the two files:
>>>> https://gwarband.de/openldap/LetsEncrypt.crt
>>>>
>>>> And also I have uploaded my complete openldap configuration:
>>>> https://gwarband.de/openldap/openldap.conf
>>>>
>>>> All other components can work and communicate with my openldap server.
>>>> The components are postfix, openxchange, apache (phpldapadmin).
>>>>
>>>> My installed software is:
>>>> Debian 8
>>>> OpenLDAP 2.4.40
>>>> Dovecot 2.2.13
>>>>
>>>> I hope you can find the issue.
>>>>
>>>> Thanks,
>>>> Tobias
>>>>
>>>> On 2017-03-17 22:48, Tomas Habarta wrote:
>>>>> Hi,
>>>>> been running Dovecot 2.2.27 against OpenLDAP 2.4.40 normally over the
>>>>> unix socket on the same machine, but tried over inet with STARTTLS and
>>>>> it's working ok...
>>>>>
>>>>> I would suggest double-checking key/certs setup on OpenLDAP side; for
>>>>> the test I have used LE certs, utilizing following cn=config attributes:
>>>>>
>>>>> olcTLSCertificateKeyFile   contains private key
>>>>> olcTLSCertificateFile      contains certificate
>>>>> olcTLSCACertificateFile    contains both certs (DST Root CA X3 and
>>>>>                            Let's Encrypt Authority X3)
>>>>>
>>>>> and used the same CA file in Dovecot's tls_ca_cert_file
>>>>>
>>>>> Is ldapsearch working ok (-ZZ) and only Dovecot has troubles or ... ?
>>>>>
>>>>> Hope that helps, good luck ;)
>>>>> Tomas
>>>>>
>>>>> On 03/17/2017 04:27 PM, i...@gwarband.de wrote:
>>>>>> Hello guys,
>>>>>>
>>>>>> actually I'm trying to configure dovecot to access openldap for
>>>>>> password check.
>>>>>> My openldap only allows access over "secure ldap".
>>>>>> The dovecot can communicate with the openldap server but there is maybe
>>>>>> a failure in the SSL handshake.
>>>>>> Additional information you can find in the logs or in the dump below.
>>>>>> Also I have my ldap config from dovecot in the links below.
>>>>>>
>>>>>> I have already created a bug report in the system of openldap but
>>>>>> the answer was to get support from here.
>>>>>>
>>>>>> All data links:
>>>>>> https://gwarband.de/openldap/dovecot.log
>>>>>> https://gwarband.de/openldap/dovecot-ldap.conf
>>>>>> https://gwarband.de/openldap/openldap.log
>>>>>> https://gwarband.de/openldap/trace.dump
>>>>>>
>>>>>> The bug report link from openldap:
>>>>>> http://www.openldap.org/its/index.cgi/Incoming?id=8615
>>>>>>
>>>>>> I hope you can help me.
>>>>>>
>>>>>> Regards.
>>>>>> Tobias Warband
Re: Dovecot can't connect to openldap over starttls
Increase log level on server side as well to see what the server says... You may remove anything in TLSCipherSuite for the purpose of testing too.
Hopefully anyone knowing OpenLDAP internals could help you analyse it more deeply.

Tomas

On 03/18/2017 01:31 PM, i...@gwarband.de wrote:
> I've replicated the settings from ldapsearch to dovecot but no success.
> To the certificate:
> Yes it's a *.crt file but I have linked the *.pem file to it and dovecot has read access to that file.
>
> I have enabled the debugging in dovecot and have uploaded the output:
> https://gwarband.de/openldap/dovecot-connect.log
>
> And the other side with ldapsearch:
> https://gwarband.de/openldap/ldapsearch-connect.log
>
> I'm pretty sure that there is a problem with the ssl handshaking between openldap and dovecot, but I can't find the source of the problem.
>
> One of the steps in the ssl handshaking is not successful but in the debugging output I can't find any line with a hit to it.
>
> Tobias
>
> On 2017-03-18 12:30, Tomas Habarta wrote:
>> Well, if ldapsearch works, try to replicate its settings for dovecot client.
>> It's not obvious what settings ldapsearch uses, have a look at default client settings in /etc/openldap/ldap.conf, there may be something set a slightly different way.
>> Also double check permissions for files used by dovecot, I mean mainly the file listed for tls_ca_cert_file as dovecot may not have access for reading...
>>
>> I cannot see anything downright bad, just posted CA cert (which is ok, tested) is *.crt and your config mentions *.pem but I consider it's the same file.
>>
>> Finally, I would recommend to enable debug option for dovecot's client debug_level = -1 (which logs all available) in your dovecot-ldap.conf to see what the library reports and work further on that.
>> You can compare with output from ldapsearch by adding -d-1 switch to it.
>>
>> Hard to tell more at the moment.
>>
>> Tomas
>>
>> On 03/18/2017 09:41 AM, i...@gwarband.de wrote:
>>> Hello,
>>>
>>> I have also installed LE certs.
>>> But nothing helps, I have double-checked all certs.
>>>
>>> ldapsearch with -ZZ works, see:
>>> https://gwarband.de/openldap/ldapsearch.log
>>>
>>> I have also uploaded the TLSCACertificateFile, maybe I have a failure in the merge of the two files:
>>> https://gwarband.de/openldap/LetsEncrypt.crt
>>>
>>> And also I have uploaded my complete openldap configuration:
>>> https://gwarband.de/openldap/openldap.conf
>>>
>>> All other components can work and communicate with my openldap server. The components are postfix, openxchange, apache (phpldapadmin).
>>>
>>> My installed software is:
>>> Debian 8
>>> OpenLDAP 2.4.40
>>> Dovecot 2.2.13
>>>
>>> I hope you can find the issue.
>>>
>>> Thanks,
>>> Tobias
>>>
>>> On 2017-03-17 22:48, Tomas Habarta wrote:
>>>> Hi,
>>>>
>>>> been running Dovecot 2.2.27 against OpenLDAP 2.4.40 normally over the unix socket on the same machine, but tried over inet with STARTTLS and it's working ok...
>>>>
>>>> I would suggest double-checking key/certs setup on OpenLDAP side; for the test I have used LE certs, utilizing following cn=config attributes:
>>>>
>>>> olcTLSCertificateKeyFile contains private key
>>>> olcTLSCertificateFile contains certificate
>>>> olcTLSCACertificateFile contains both certs (DST Root CA X3 and Let's Encrypt Authority X3)
>>>>
>>>> and used the same CA file in Dovecot's tls_ca_cert_file
>>>>
>>>> Is ldapsearch working ok (-ZZ) and only Dovecot has troubles or ... ?
>>>>
>>>> Hope that helps, good luck ;)
>>>> Tomas
>>>>
>>>> On 03/17/2017 04:27 PM, i...@gwarband.de wrote:
>>>>> Hello guys,
>>>>>
>>>>> actually I'm trying to configure dovecot to access openldap for password check.
>>>>> My openldap only allows access over "secure ldap".
>>>>> The dovecot can communicate with the openldap server but there is maybe a failure in the ssl handshake.
>>>>> Additional information you can find in the logs or in the dump below.
>>>>> Also I have my ldap config from dovecot in the links below.
>>>>>
>>>>> I have already created a bug report in the system of openldap but the answer was to get support from here.
>>>>>
>>>>> All data links:
>>>>> https://gwarband.de/openldap/dovecot.log
>>>>> https://gwarband.de/openldap/dovecot-ldap.conf
>>>>> https://gwarband.de/openldap/openldap.log
>>>>> https://gwarband.de/openldap/trace.dump
>>>>>
>>>>> The bug report link from openldap:
>>>>> http://www.openldap.org/its/index.cgi/Incoming?id=8615
>>>>>
>>>>> I hope you can help me.
>>>>>
>>>>> Regards.
>>>>> Tobias Warband

--
toCc.cz
Re: Dovecot can't connect to openldap over starttls
I've replicated the settings from ldapsearch to dovecot but no success.
To the certificate:
Yes it's a *.crt file but I have linked the *.pem file to it and dovecot has read access to that file.

I have enabled the debugging in dovecot and have uploaded the output:
https://gwarband.de/openldap/dovecot-connect.log

And the other side with ldapsearch:
https://gwarband.de/openldap/ldapsearch-connect.log

I'm pretty sure that there is a problem with the ssl handshaking between openldap and dovecot, but I can't find the source of the problem.

One of the steps in the ssl handshaking is not successful but in the debugging output I can't find any line with a hit to it.

Tobias

On 2017-03-18 12:30, Tomas Habarta wrote:
> Well, if ldapsearch works, try to replicate its settings for dovecot client.
> It's not obvious what settings ldapsearch uses, have a look at default client settings in /etc/openldap/ldap.conf, there may be something set a slightly different way.
> Also double check permissions for files used by dovecot, I mean mainly the file listed for tls_ca_cert_file as dovecot may not have access for reading...
>
> I cannot see anything downright bad, just posted CA cert (which is ok, tested) is *.crt and your config mentions *.pem but I consider it's the same file.
>
> Finally, I would recommend to enable debug option for dovecot's client debug_level = -1 (which logs all available) in your dovecot-ldap.conf to see what the library reports and work further on that.
> You can compare with output from ldapsearch by adding -d-1 switch to it.
>
> Hard to tell more at the moment.
>
> Tomas
>
> On 03/18/2017 09:41 AM, i...@gwarband.de wrote:
>> Hello,
>>
>> I have also installed LE certs.
>> But nothing helps, I have double-checked all certs.
>>
>> ldapsearch with -ZZ works, see:
>> https://gwarband.de/openldap/ldapsearch.log
>>
>> I have also uploaded the TLSCACertificateFile, maybe I have a failure in the merge of the two files:
>> https://gwarband.de/openldap/LetsEncrypt.crt
>>
>> And also I have uploaded my complete openldap configuration:
>> https://gwarband.de/openldap/openldap.conf
>>
>> All other components can work and communicate with my openldap server. The components are postfix, openxchange, apache (phpldapadmin).
>>
>> My installed software is:
>> Debian 8
>> OpenLDAP 2.4.40
>> Dovecot 2.2.13
>>
>> I hope you can find the issue.
>>
>> Thanks,
>> Tobias
>>
>> On 2017-03-17 22:48, Tomas Habarta wrote:
>>> Hi,
>>>
>>> been running Dovecot 2.2.27 against OpenLDAP 2.4.40 normally over the unix socket on the same machine, but tried over inet with STARTTLS and it's working ok...
>>>
>>> I would suggest double-checking key/certs setup on OpenLDAP side; for the test I have used LE certs, utilizing following cn=config attributes:
>>>
>>> olcTLSCertificateKeyFile contains private key
>>> olcTLSCertificateFile contains certificate
>>> olcTLSCACertificateFile contains both certs (DST Root CA X3 and Let's Encrypt Authority X3)
>>>
>>> and used the same CA file in Dovecot's tls_ca_cert_file
>>>
>>> Is ldapsearch working ok (-ZZ) and only Dovecot has troubles or ... ?
>>>
>>> Hope that helps, good luck ;)
>>> Tomas
>>>
>>> On 03/17/2017 04:27 PM, i...@gwarband.de wrote:
>>>> Hello guys,
>>>>
>>>> actually I'm trying to configure dovecot to access openldap for password check.
>>>> My openldap only allows access over "secure ldap".
>>>> The dovecot can communicate with the openldap server but there is maybe a failure in the ssl handshake.
>>>> Additional information you can find in the logs or in the dump below.
>>>> Also I have my ldap config from dovecot in the links below.
>>>>
>>>> I have already created a bug report in the system of openldap but the answer was to get support from here.
>>>>
>>>> All data links:
>>>> https://gwarband.de/openldap/dovecot.log
>>>> https://gwarband.de/openldap/dovecot-ldap.conf
>>>> https://gwarband.de/openldap/openldap.log
>>>> https://gwarband.de/openldap/trace.dump
>>>>
>>>> The bug report link from openldap:
>>>> http://www.openldap.org/its/index.cgi/Incoming?id=8615
>>>>
>>>> I hope you can help me.
>>>>
>>>> Regards.
>>>> Tobias Warband
Re: Dovecot can't connect to openldap over starttls
Well, if ldapsearch works, try to replicate its settings for dovecot client.
It's not obvious what settings ldapsearch uses, have a look at default client settings in /etc/openldap/ldap.conf, there may be something set a slightly different way.
Also double check permissions for files used by dovecot, I mean mainly the file listed for tls_ca_cert_file as dovecot may not have access for reading...

I cannot see anything downright bad, just posted CA cert (which is ok, tested) is *.crt and your config mentions *.pem but I consider it's the same file.

Finally, I would recommend to enable debug option for dovecot's client debug_level = -1 (which logs all available) in your dovecot-ldap.conf to see what the library reports and work further on that.
You can compare with output from ldapsearch by adding -d-1 switch to it.

Hard to tell more at the moment.

Tomas

On 03/18/2017 09:41 AM, i...@gwarband.de wrote:
> Hello,
>
> I have also installed LE certs.
> But nothing helps, I have double-checked all certs.
>
> ldapsearch with -ZZ works, see:
> https://gwarband.de/openldap/ldapsearch.log
>
> I have also uploaded the TLSCACertificateFile, maybe I have a failure in the merge of the two files:
> https://gwarband.de/openldap/LetsEncrypt.crt
>
> And also I have uploaded my complete openldap configuration:
> https://gwarband.de/openldap/openldap.conf
>
> All other components can work and communicate with my openldap server. The components are postfix, openxchange, apache (phpldapadmin).
>
> My installed software is:
> Debian 8
> OpenLDAP 2.4.40
> Dovecot 2.2.13
>
> I hope you can find the issue.
>
> Thanks,
> Tobias
>
> On 2017-03-17 22:48, Tomas Habarta wrote:
>> Hi,
>>
>> been running Dovecot 2.2.27 against OpenLDAP 2.4.40 normally over the unix socket on the same machine, but tried over inet with STARTTLS and it's working ok...
>>
>> I would suggest double-checking key/certs setup on OpenLDAP side; for the test I have used LE certs, utilizing following cn=config attributes:
>>
>> olcTLSCertificateKeyFile contains private key
>> olcTLSCertificateFile contains certificate
>> olcTLSCACertificateFile contains both certs (DST Root CA X3 and Let's Encrypt Authority X3)
>>
>> and used the same CA file in Dovecot's tls_ca_cert_file
>>
>> Is ldapsearch working ok (-ZZ) and only Dovecot has troubles or ... ?
>>
>> Hope that helps, good luck ;)
>> Tomas
>>
>> On 03/17/2017 04:27 PM, i...@gwarband.de wrote:
>>> Hello guys,
>>>
>>> actually I'm trying to configure dovecot to access openldap for password check.
>>> My openldap only allows access over "secure ldap".
>>> The dovecot can communicate with the openldap server but there is maybe a failure in the ssl handshake.
>>> Additional information you can find in the logs or in the dump below.
>>> Also I have my ldap config from dovecot in the links below.
>>>
>>> I have already created a bug report in the system of openldap but the answer was to get support from here.
>>>
>>> All data links:
>>> https://gwarband.de/openldap/dovecot.log
>>> https://gwarband.de/openldap/dovecot-ldap.conf
>>> https://gwarband.de/openldap/openldap.log
>>> https://gwarband.de/openldap/trace.dump
>>>
>>> The bug report link from openldap:
>>> http://www.openldap.org/its/index.cgi/Incoming?id=8615
>>>
>>> I hope you can help me.
>>>
>>> Regards.
>>> Tobias Warband

--
toCc.cz
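The thread's suspicion that the two CA certificates were merged into one file incorrectly is something that can be checked mechanically before touching the LDAP or Dovecot configuration. The script below is an added example, not code from the thread or from either project; it checks only PEM framing and the outer DER envelope of each block (no signature, expiry or chain-order verification), and the certificate body and sample bundles it uses are constructed stand-ins, not real certificates.

```python
"""Sanity-check a concatenated PEM CA bundle (added example, not code from the thread).
Checks PEM framing and the outer DER envelope only; no signature or chain checks."""
import base64
import binascii
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed stand-in for a certificate body: DER SEQUENCE { INTEGER 1 }.
FAKE_CERT = "MAMCAQE="
GOOD_BUNDLE = f"{BEGIN}\n{FAKE_CERT}\n{END}\n{BEGIN}\n{FAKE_CERT}\n{END}\n"
# Typical bad merge: `cat a.crt b.crt` where a.crt lacks its final newline, so END
# and BEGIN share a line and most PEM readers silently skip the second cert.
BAD_BUNDLE = f"{BEGIN}\n{FAKE_CERT}\n{END}{BEGIN}\n{FAKE_CERT}\n{END}\n"

def der_total_length(der: bytes):
    """Full length (tag + length + content) of a DER SEQUENCE, or None if malformed."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:  # short form: this byte is the content length
        return 2 + first
    n = first & 0x7F  # long form: n more bytes carry the content length
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_bundle(text: str) -> dict:
    """Count blocks that decode to exactly one DER SEQUENCE; report everything else."""
    text = text.replace("\r\n", "\n")
    problems = []
    n_begin, n_end = text.count(BEGIN), text.count(END)
    if n_begin != n_end:
        problems.append(f"{n_begin} BEGIN vs {n_end} END markers (truncated block?)")
    if re.search(re.escape(END) + r"[ \t]*" + re.escape(BEGIN), text):
        problems.append("no line break between END and the next BEGIN")
    certs_ok = 0
    pattern = re.escape(BEGIN) + r"\n(.*?)\n" + re.escape(END)
    for i, body in enumerate(re.findall(pattern, text, re.S), 1):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except (binascii.Error, ValueError):
            problems.append(f"block {i}: body is not valid base64")
            continue
        if der_total_length(der) != len(der):
            problems.append(f"block {i}: not a single DER SEQUENCE")
        else:
            certs_ok += 1
    return {"certs_ok": certs_ok, "problems": problems}
```

Run `check_bundle(open("LetsEncrypt.crt").read())` against the real file; a correct two-certificate merge returns `certs_ok` of 2 with an empty problem list.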
Re: dovecot problem with ssl
On 2017-03-18 07:19, Nilton Jose Rizzo wrote:
> On Fri, 17 Mar 2017 22:35:40 -0300, Nilton Jose Rizzo wrote:
>> On Thu, 16 Mar 2017 23:06:08 -0700, Doug Barton wrote:
>>> On 03/17/2017 01:21 AM, Nilton Jose Rizzo wrote:
>>>> Hi all,
>>>>
>>>> I already searched for this error on google and nothing
>>>>
>>>> I never installed dovecot, this is the first time.
>>>>
>>>> This error, I know, is too newbie and stupid, but I checked more than twice.
>>>>
>>>> root@server:/usr/local/etc/dovecot # sievec /home3/virtual/default.sieve
>>>> doveconf: Fatal: Error in configuration file /usr/local/etc/dovecot/conf.d/10-ssl.conf line 7: Unknown setting: ssl
>>>> root@server:/usr/local/etc/dovecot #
>>>>
>>>> I'm running a FreeBSD 12-current
>>>
>>> As someone else pointed out, that 7: means the error is on line 7 of the file.
>>>
>>> Go into dovecot's conf.d folder (in /usr/local/etc/) and do this:
>>>
>>> diff -u 10-ssl.conf.sample 10-ssl.conf
>>>
>>> If that doesn't clearly indicate the problem to you, post the results to the list.
>>>
>>> hope this helps,
>>>
>>> Doug
>>
>> Sorry, I forgot the link to the tutorial
>> http://www.purplehat.org/?page_id=7
>
> root@server:/usr/local/etc/dovecot # head 10 conf.d/10-ssl.conf
> head: 10: No such file or directory
> ==> conf.d/10-ssl.conf <==
> ##
> ## SSL settings
> ##
>
> # SSL/TLS support: yes, no, required.
> #ssl = yes
> ssl=yes
>
> # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
> # dropping root privileges, so keep the key file unreadable by anyone but
> root@server:/usr/local/etc/dovecot #

Please post the output of doveconf -n

ssl = yes (or ssl=yes) is correct so should work. We need to know more about your running dovecot configuration.

Btw: is dovecot running? Can you log in? From localhost and/or from a remote host? Over a secure connection?

--
Christian Kivalo
Re: Dovecot can't connect to openldap over starttls
Hello,

I have also installed LE certs.
But nothing helps, I have double-checked all certs.

ldapsearch with -ZZ works, see:
https://gwarband.de/openldap/ldapsearch.log

I have also uploaded the TLSCACertificateFile, maybe I have a failure in the merge of the two files:
https://gwarband.de/openldap/LetsEncrypt.crt

And also I have uploaded my complete openldap configuration:
https://gwarband.de/openldap/openldap.conf

All other components can work and communicate with my openldap server. The components are postfix, openxchange, apache (phpldapadmin).

My installed software is:
Debian 8
OpenLDAP 2.4.40
Dovecot 2.2.13

I hope you can find the issue.

Thanks,
Tobias

On 2017-03-17 22:48, Tomas Habarta wrote:
> Hi,
>
> been running Dovecot 2.2.27 against OpenLDAP 2.4.40 normally over the unix socket on the same machine, but tried over inet with STARTTLS and it's working ok...
>
> I would suggest double-checking key/certs setup on OpenLDAP side; for the test I have used LE certs, utilizing following cn=config attributes:
>
> olcTLSCertificateKeyFile contains private key
> olcTLSCertificateFile contains certificate
> olcTLSCACertificateFile contains both certs (DST Root CA X3 and Let's Encrypt Authority X3)
>
> and used the same CA file in Dovecot's tls_ca_cert_file
>
> Is ldapsearch working ok (-ZZ) and only Dovecot has troubles or ... ?
>
> Hope that helps, good luck ;)
> Tomas
>
> On 03/17/2017 04:27 PM, i...@gwarband.de wrote:
>> Hello guys,
>>
>> actually I'm trying to configure dovecot to access openldap for password check.
>> My openldap only allows access over "secure ldap".
>> The dovecot can communicate with the openldap server but there is maybe a failure in the ssl handshake.
>> Additional information you can find in the logs or in the dump below.
>> Also I have my ldap config from dovecot in the links below.
>>
>> I have already created a bug report in the system of openldap but the answer was to get support from here.
>>
>> All data links:
>> https://gwarband.de/openldap/dovecot.log
>> https://gwarband.de/openldap/dovecot-ldap.conf
>> https://gwarband.de/openldap/openldap.log
>> https://gwarband.de/openldap/trace.dump
>>
>> The bug report link from openldap:
>> http://www.openldap.org/its/index.cgi/Incoming?id=8615
>>
>> I hope you can help me.
>>
>> Regards.
>> Tobias Warband