Dovecot 2.3-rc Logging Format
Hi,

the release candidate defaults to a log format with session IDs:

mail_log_prefix = "%s(%u)<%{pid}><%{session}>: "

As the LMTP service seems to have the session ID hardcoded, the IDs get duplicated in the logs:

Dec 21 08:48:03 edi dovecot: lmtp(26573): Connect from local
Dec 21 08:48:03 edi dovecot: lmtp(t...@leuxner.net)[26573]: : fCVaBjNnO1rNZwAAIROLbg: sieve: msgid=<2323281.OorJHhdMHM@ylum>, time=158ms, status=stored mail into mailbox ':public/Mailing-Lists/Debian-User'
Dec 21 08:48:03 edi dovecot: lmtp(26573): Disconnect from local: Client has quit the connection (state = READY)

Regards
Thomas
Re: Disable ssl validation for replication?
Joseph Ward writes:

> I'm aware of at least a couple of fallback options:
> - have a self-signed cert for replication and use the Let's Encrypt one for IMAP/POP
> - create firewall rules allowing them to connect to each other over the public internet so that it can validate the proper cert
>
> These are both much less palatable than simply disabling the cert validation if it's possible.

Maybe instead of disabling the check, appease it by supplying (in /etc/hosts) an alternate mapping of the FQDN subject of your certificate to your internal IP:

10.x.x.x    your.sync.target

Joseph Tam
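The reason the /etc/hosts mapping satisfies the check, shown as an added example that is not part of the thread and is not Dovecot's own verification code: a TLS client compares the name it was told to connect to with the certificate's subjectAltName entries, and an IP literal is only ever compared against iPAddress entries, never against a dNSName. Public CAs do not issue SANs for private addresses, so dialling 10.x.x.x can never verify against the Let's Encrypt certificate, while dialling the FQDN (resolved locally to the VPN address) verifies with the chain and name check fully intact. The certificate SAN, the hosts fragment and the host names below are constructed for the example.

```python
"""Added example (not from the thread, not Dovecot's code): why the replication
check fails against "10.x.x.x" and why an /etc/hosts alias satisfies it.

The verifier compares the name the client was told to connect to with the
certificate's subjectAltName entries; the address the name resolves to is
irrelevant. Pointing the certificate's FQDN at the VPN address in /etc/hosts
keeps full validation (chain to the public CA, name match) without an exception.
"""
import ipaddress

# Constructed: SAN of a public cert for the sync peer. Public CAs will not issue
# iPAddress SANs for RFC 1918 addresses, so the IP list is empty.
PEER_SAN_DNS = ["mail.example.org"]
PEER_SAN_IP = []

# Constructed /etc/hosts fragment on the initiating server: peer FQDN -> VPN-side address.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
10.8.0.2    mail.example.org   # replication peer, reachable over the site-to-site VPN
"""


def _is_ip_literal(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _dns_name_matches(pattern, name):
    """RFC 6125-style match: case-insensitive, wildcard only as the whole leftmost label."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if pattern.startswith("*."):
        labels = name.split(".")
        return len(labels) >= 2 and labels[0] != "" and ".".join(labels[1:]) == pattern[2:]
    return pattern == name


def cert_matches_expected_host(expected, san_dns=(), san_ip=()):
    """True if the expected host name (what the client dialled) matches a SAN entry.

    An IP literal is compared only against iPAddress entries, as a TLS client does;
    it never matches a dNSName, which is exactly the failure reported in the thread.
    """
    if _is_ip_literal(expected):
        target = ipaddress.ip_address(expected)
        return any(ipaddress.ip_address(entry) == target for entry in san_ip)
    return any(_dns_name_matches(p, expected) for p in san_dns)


def resolve_with_hosts(name, hosts_text):
    """Minimal /etc/hosts lookup: first address whose aliases include name, else None."""
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and name.lower() in (h.lower() for h in fields[1:]):
            return fields[0]
    return None


def check_sync_target(target, san_dns, san_ip, hosts_text):
    """Return (address actually connected to, whether host-name verification passes)."""
    address = target if _is_ip_literal(target) else resolve_with_hosts(target, hosts_text)
    return address, cert_matches_expected_host(target, san_dns, san_ip)


if __name__ == "__main__":
    # Same peer address both times; only the name handed to the verifier differs.
    for t in ("10.8.0.2", "mail.example.org"):
        addr, ok = check_sync_target(t, PEER_SAN_DNS, PEER_SAN_IP, SAMPLE_HOSTS)
        print(f"target={t!r:20} connect_to={addr} verifies={ok}")
```

Both targets connect to the same VPN address; only the name passed to the verifier differs, which is why the hosts-file alias works and disabling validation is unnecessary. On a real system the hosts entry must be present on both replication peers, and it should be removed or updated if the VPN addressing changes, otherwise replication silently fails to connect rather than failing verification.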
Re: Disable ssl validation for replication?
I guess what I don't understand is why the IP address approach is more attractive to you, and why you think the "public Internet" path is less good.

Best regards,
A
-- 
Please excuse my clumbsy thums

On December 21, 2017 12:47:47 AM Joseph Ward wrote:
> Hi,
>
> I have two servers (HA configuration) on which I'm attempting to get replication working over SSL. They're at two different sites, but connected via a site-to-site VPN. Everything seems to be fine, except that the certificates are not validating as I'm using IP addresses for the sync, as opposed to the public hostnames for which the certificates are valid, and so I get the following error:
>
> doveadm(user@domain): Error: doveadm server disconnected before handshake: SSL certificate doesn't match expected host name 10.x.x.x
>
> I'm on Dovecot 2.2.33. Is there any way to disable the certificate checking/validation for the sync engine?
>
> (I'm aware of at least a couple of fallback options:
> - have a self-signed cert for replication and use the Let's Encrypt one for IMAP/POP
> - create firewall rules allowing them to connect to each other over the public internet so that it can validate the proper cert
>
> These are both much less palatable than simply disabling the cert validation if it's possible.)
>
> Thank you in advance for any assistance,
> Joseph
Re: detect suspicious logins
Matthew Broadhead wrote:

> does anyone know of a linux module (maybe similar to fail2ban) that could be installed which would monitor email logs (sign ins) and alert the user to any suspicious activity on their account?

I just monitor straight from the logs using homebrew utilities.

@lbutlr wrote:

> Fail2ban can protect email logins. Alerting a user because random IP in Korean Middle School tried to login seems no helpful.
>
>> i suspect it would need to log geo location, device type and ip address to a database. it seems like a module like this would be very useful
>
> How? Blacklist failed logins. That protects everyone and doesn't induce panic.

I just went through a long thread elsewhere on this topic. Fail2ban is mainly a counter-brute-force measure. If you have a strong password policy, the net result of using it is that it makes your logs smaller, and maybe saves some CPU cycles or from DoS for really intense bouts, but otherwise does not add to security, as good passwords make BFD infeasible. *However*, if the attacker knows the approximate password (e.g. shoulder surfing), this may help, but eventually the password will succumb to a patient, diligent attack.

What the OP is considering is if the password is divulged, e.g. phishing attack or snarfed from another source. In this case, an intruder's authentication will succeed immediately. If a monitor spots someone authenticating from another continent than where the owner is supposed to be, or from 2 locations thousands of miles apart, or from 5 different locations simultaneously, or tried to send a huge number of messages with many bounces, or was using a different mail client than the one historically used, it can signal the admin/user for further investigation.

For users, I think reporting a login origin audit will be helpful, regardless of circumstances. However, it should be done out of band, if the assumption is someone else has control of the account.

Joseph Tam
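Both views discussed above, the fail2ban-style "blacklist failed logins" count and the post-compromise origin audit of successful logins, run over Dovecot imap-login lines, as an added example that is not code from the thread or from Dovecot. The log lines are constructed in the default imap-login format (hosts, users, addresses and session IDs are invented), and the prefix-to-region table is a stand-in for a GeoIP database; the window and thresholds are assumptions to be tuned per site.

```python
"""Added example (not from the thread): two checks over Dovecot imap-login lines.

1. Per-IP failed-attempt totals: what a fail2ban jail would ban.
2. Per-user successful-login origin audit: flag an account whose successful logins
   inside a sliding window came from more than one region, the "other continent /
   two distant locations" signal described in the post.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Dovecot's default imap-login format; host, users,
# session IDs and addresses (documentation ranges) are invented for the example.
SAMPLE_LOG = """\
Dec 21 08:48:03 edi dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.5, lip=10.0.0.2, mpid=26573, TLS, session=<s1>
Dec 21 08:49:10 edi dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=198.51.100.7, lip=10.0.0.2, TLS, session=<s2>
Dec 21 08:49:31 edi dovecot: imap-login: Disconnected (auth failed, 3 attempts in 9 secs): user=<alice>, method=PLAIN, rip=198.51.100.7, lip=10.0.0.2, TLS, session=<s3>
Dec 21 08:50:02 edi dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=203.0.113.9, lip=10.0.0.2, mpid=26580, TLS, session=<s4>
Dec 21 08:52:44 edi dovecot: imap-login: Disconnected (auth failed, 2 attempts in 5 secs): user=<bob>, method=PLAIN, rip=198.51.100.7, lip=10.0.0.2, TLS, session=<s5>
Dec 21 08:58:12 edi dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=192.0.2.44, lip=10.0.0.2, TLS, session=<s6>
Dec 21 09:05:00 edi dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.44, lip=10.0.0.2, mpid=26601, TLS, session=<s7>
Dec 21 09:30:17 edi dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=203.0.113.9, lip=10.0.0.2, mpid=26640, TLS, session=<s8>
"""

# Constructed stand-in for a GeoIP lookup (assumption): address prefix -> region.
REGION_BY_PREFIX = {"203.0.113.": "eu", "198.51.100.": "na", "192.0.2.": "ap"}

_TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})"
_LOGIN_RE = re.compile(
    _TS + r" \S+ dovecot: (?:imap|pop3)-login: Login: user=<(?P<user>[^>]*)>.*?\brip=(?P<rip>[0-9a-fA-F.:]+)")
_FAIL_RE = re.compile(
    _TS + r" \S+ dovecot: (?:imap|pop3)-login: Disconnected \(auth failed, (?P<attempts>\d+) attempts[^)]*\): "
    r"user=<(?P<user>[^>]*)>.*?\brip=(?P<rip>[0-9a-fA-F.:]+)")


def _parse_ts(text):
    # Syslog timestamps carry no year; all events are assumed to fall in one year.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def parse_events(text):
    """Return login and auth-failure events as dicts; lines of other shapes are ignored."""
    events = []
    for line in text.splitlines():
        m = _LOGIN_RE.match(line)
        if m:
            events.append({"ts": _parse_ts(m["ts"]), "user": m["user"], "rip": m["rip"],
                           "ok": True, "attempts": 0})
            continue
        m = _FAIL_RE.match(line)
        if m:
            events.append({"ts": _parse_ts(m["ts"]), "user": m["user"], "rip": m["rip"],
                           "ok": False, "attempts": int(m["attempts"])})
    return events


def ban_candidates(events, threshold=5):
    """IPs whose summed failed attempts reach the threshold: the brute-force view."""
    totals = defaultdict(int)
    for e in events:
        if not e["ok"]:
            totals[e["rip"]] += e["attempts"]
    return sorted(ip for ip, n in totals.items() if n >= threshold)


def region_of(rip):
    for prefix, region in REGION_BY_PREFIX.items():
        if rip.startswith(prefix):
            return region
    return "unknown"


def suspicious_logins(events, window_minutes=60, max_regions=1):
    """Accounts whose successful logins inside any window span more than max_regions regions.

    Returns {user: {"ips": [...], "regions": [...]}} for flagged accounts only; a
    stolen password shows up here as a successful login, which fail2ban never sees.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["ok"]:
            by_user[e["user"]].append(e)
    flagged = {}
    for user, logins in by_user.items():
        logins.sort(key=lambda e: e["ts"])
        for i, first in enumerate(logins):
            ips, regions = set(), set()
            for later in logins[i:]:
                if (later["ts"] - first["ts"]).total_seconds() > window_minutes * 60:
                    break
                ips.add(later["rip"])
                regions.add(region_of(later["rip"]))
            if len(regions) > max_regions:
                entry = flagged.setdefault(user, {"ips": set(), "regions": set()})
                entry["ips"] |= ips
                entry["regions"] |= regions
    return {u: {"ips": sorted(v["ips"]), "regions": sorted(v["regions"])} for u, v in flagged.items()}


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    print("ban:", ban_candidates(ev))
    for user, info in suspicious_logins(ev).items():
        print(f"review {user}: regions={info['regions']} ips={info['ips']}")
```

In the sample, 198.51.100.7 accumulates six failed attempts across two accounts and is the only ban candidate, while alice's two successful logins 17 minutes apart from different regions are what gets flagged for the out-of-band notice the post recommends; a failed guess from 192.0.2.44 followed by a success from the same address is visible in the parsed events and is a natural next signal to add. The region table and thresholds are placeholders; a real deployment would substitute a GeoIP lookup and tune the window to the user population.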
Disable ssl validation for replication?
Hi,

I have two servers (HA configuration) on which I'm attempting to get replication working over SSL. They're at two different sites, but connected via a site-to-site VPN. Everything seems to be fine, except that the certificates are not validating as I'm using IP addresses for the sync, as opposed to the public hostnames for which the certificates are valid, and so I get the following error:

doveadm(user@domain): Error: doveadm server disconnected before handshake: SSL certificate doesn't match expected host name 10.x.x.x

I'm on Dovecot 2.2.33. Is there any way to disable the certificate checking/validation for the sync engine?

(I'm aware of at least a couple of fallback options:
- have a self-signed cert for replication and use the Let's Encrypt one for IMAP/POP
- create firewall rules allowing them to connect to each other over the public internet so that it can validate the proper cert

These are both much less palatable than simply disabling the cert validation if it's possible.)

Thank you in advance for any assistance,
Joseph
Logouts/disconnections not being logged?
In a previous thread

  Subject: Re: iPhone/iPad IMAP connection bursts causes user+IP exceeded

I reported the behaviour of MacOSX/iOS IMAP readers whereby it would use up all available connections (up to the mail_max_userip_connections setting) for mailbox searches, then log them all out, then repeat the cycle with another batch of mailbox searches, until all mailboxes were scanned.

However, login/logout log counts don't square up. I would observe (for a particular user+ip) mail_max_userip_connections login entries, followed by *fewer* than mail_max_userip_connections logout entries. (I could not find any disconnections or other forms of termination.) The next peak connection count happened after another mail_max_userip_connections logins (implying a total connection count of mail_max_userip_connections), then another string of logouts fewer than mail_max_userip_connections.

For example, if mail_max_userip_connections=100, I would see

  0 -> 100 logins -> 87 logouts -> 100 logins -> 87 logouts -> 100 logins -> 94 logouts -> 100 logins -> ...

It appears that somewhere, somehow, IMAP session exits are not being logged. Is there a reason to explain this discrepancy?

Joseph Tam
Virtual folders: Panic: file mail-index-sync.c
Hi!

I have compiled Dovecot 2.33.2 and created some virtual folders. When I create a virtual folder for all flagged mails with dovecot-virtual containing

*
  flagged

and I set in 15-mailboxes.conf

mailbox virtual/Flagged {
  special_use = \Flagged
  comment = All flagged messages
  auto = subscribe
}

Dovecot is crashing when any virtual folder is accessed:

Dec 21 01:07:59 mail dovecot: imap(transf...@shidolya.co.tz): Panic: file mail-index-sync.c: line 413 (mail_index_sync_begin_to2): assertion failed: (!index->syncing)
Dec 21 01:07:59 mail dovecot: imap(test@test.local): Error: Raw backtrace:
  /usr/lib/dovecot/libdovecot.so.0(+0x935c2) [0x7f4ead1395c2]
  -> /usr/lib/dovecot/libdovecot.so.0(+0x936ad) [0x7f4ead1396ad]
  -> /usr/lib/dovecot/libdovecot.so.0(i_fatal+0) [0x7f4ead0c9f61]
  -> /usr/lib/dovecot/libdovecot-storage.so.0(+0xd4d4c) [0x7f4ead49ed4c]
  -> /usr/lib/dovecot/libdovecot-storage.so.0(mail_index_sync_begin_to+0x4f) [0x7f4ead49ee2f]
  -> /usr/lib/dovecot/libdovecot-storage.so.0(mail_index_sync_begin+0x1c) [0x7f4ead49eecc]
  -> /usr/lib/dovecot/modules/lib20_virtual_plugin.so(virtual_storage_sync_init+0x20e) [0x7f4eabe9904e]
  -> /usr/lib/dovecot/libdovecot-storage.so.0(mailbox_sync_init+0x44) [0x7f4ead4076a4]
  -> /usr/lib/dovecot/libdovecot-storage.so.0(mailbox_sync+0x37) [0x7f4ead407747]
  -> /usr/lib/dovecot/libdovecot-storage.so.0(index_storage_get_status+0x31) [0x7f4ead481dd1]
  -> /usr/lib/dovecot/modules/lib20_virtual_plugin.so(+0x916d) [0x7f4eabe9616d]
  -> /usr/lib/dovecot/libdovecot-storage.so.0(+0x9ce81) [0x7f4ead466e81]
  -> /usr/lib/dovecot/modules/lib01_acl_plugin.so(+0xd825) [0x7f4eac8d0825]
  -> /usr/lib/dovecot/libdovecot-storage.so.0(mailbox_get_status+0x31) [0x7f4ead407ae1]
  -> /usr/lib/dovecot/modules/lib20_virtual_plugin.so(virtual_storage_sync_init+0x1096) [0x7f4eabe99ed6]
  -> /usr/lib/dovecot/libdovecot-storage.so.0(mailbox_sync_init+0x44) [0x7f4ead4076a4]
  -> /usr/lib/dovecot/libdovecot-storage.so.0(mailbox_sync+0x37) [0x7f4ead407747]
  -> /usr/lib/dovecot/libdovecot-storage.so.0(index_storage_get_status+0x31) [0x7f4ead481dd1]
  -> /usr/lib/dovecot/modules/lib20_virtual_plugin.so(+0x916d) [0x7f4eabe9616d]
  -> /usr/lib/dovecot/libdovecot-storage.so.0(+0x9ce81) [0x7f4ead466e81]
  -> /usr/lib/dovecot/modules/lib01_acl_plugin.so(+0xd825) [0x7f4eac8d0825]
  -> /usr/lib/dovecot/libdovecot-storage.so.0(mailbox_get_status+0x31) [0x7f4ead407ae1]
  -> /usr/lib/dovecot/modules/lib20_virtual_plugin.so(virtual_storage_sync_init+0x1096) [0x7f4eabe99ed6]
  -> /usr/lib/dovecot/libdovecot-storage.so.0(mailbox_sync_init+0x44) [0x7f4ead4076a4]
  -> /usr/lib/dovecot/libdovecot-storage.so.0(mailbox_sync+0x37) [0x7f4ead407747]
  -> /usr/lib/dovecot/libdovecot-storage.so.0(index_storage_get_status+0x31) [0x7f4ead481dd1]
  -> /usr/lib/dovecot/modules/lib20_virtual_plugin.so(+0x916d) [0x7f4eabe9616d]
  -> /usr/lib/dovecot/libdovecot-storage.so.0(+0x9ce81) [0x7f4ead466e81]
  -> /usr/lib/dovecot/modules/lib01_acl_plugin.so(+0xd825) [0x7f4eac8d0825]
  -> /usr/lib/dovecot/libdovecot-storage.so.0(mailbox_get_status+0x31) [0x7f4ead407ae1]
  -> /usr/lib/dovecot/modules/lib20_virtual_plugin.so(virtual_storage_sync_init+0x1096) [0x7f4eabe99ed6]
  -> /usr/lib/dovecot/libdovecot-storage.so.0(mailbox_sync_init+0x44) [0x7f4ead4076a4]
  -> /usr/lib/dovecot/libdovecot-storage.so.0(mailbox_sync+0x37) [0x7f4ead407747]
  -> /usr/lib/dovecot/libdovecot-storage.so.0(index_storage_get_status+0x31) [0x7f4ead481dd1]
  -> /usr/lib/dovecot/modules/lib20_virtual_plugin.so(+0x916d) [0x7f4eabe9616d]
  -> /usr/lib/dovecot/libdovecot-storage.so.0(+0x9ce81) [0x7f4ead466e81]

When I remove "auto = subscribe" everything is working as expected. I get this crash only if I use "flagged" in the virtual folder. Other virtual folders, like an unseen folder, are working fine with "auto = subscribe".

Andreas
Re: v2.3.0 release candidate released
Hi,

Odhiambo Washington wrote:
> What am I missing here:
>
> OS = FreeBSD 8.4
>
> Here is how it fails during `gmake`:
[snip]

Hmm, FBSD 8.4 reached End of Life a long time ago, namely on August 1, 2015. It has not seen security updates since :-(

Thus, I am just curious: why can't you upgrade to either 10.x or 11.x?

Regards,
Michael
Re: ot: fail2ban dovecot setup
thanks for all the help, I went back to the old server's config, and it worked as is, so that will do for now:

# fail2ban-client status dovecot-iredmail
Status for the jail: dovecot-iredmail
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     5
|  `- File list:        /var/log/dovecot.log
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   1.144.106.60

#
Chain f2b-dovecot (1 references)
target     prot opt source               destination
REJECT     all  --  1.144.106.60         anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere
Shared mailboxes ACL's in MySQL, mailboxes in LDAP
Hi Guys,

I'm having a situation where I want to autocreate my mailboxes using LDAP auth, as my mailboxes are in there. But as I need to share some mailboxes as shared folders, is it possible to have that information in MySQL? Maybe it's even better to put everything in MySQL, but design-wise it's actually not. If someone has an example of how to accomplish this, as I'm reading about ACLs as well and I'm wondering if this is actually going to work.

Thanks!
Matt
Re: New Dovecot service: SMTP Submission (RFC6409)
On 2017-12-20 14:39, Tanstaafl wrote:
> On Sat Dec 16 2017 15:41:25 GMT-0500 (Eastern Standard Time), Tanstaafl wrote:
>> Ok, well, my ignorance is probably glaring here, but what I meant was, to make the BURL/URLAUTH pieces strictly between Dovecot and the backend SMTP server, make it invisible to the Client...
>
> So, I take it the no response to this means that there is no way to put the BURL/URLAUTH parts such that only server support is needed, nothing special on the client side?
>
> Bummer, that means it will be a looong time if ever that this feature is usable.

Maybe take the time of the year into account and add a bit more waiting time before drawing conclusions. People might be busy with other things right now.
Re: New Dovecot service: SMTP Submission (RFC6409)
On Sat Dec 16 2017 15:41:25 GMT-0500 (Eastern Standard Time), Tanstaafl wrote:
> Ok, well, my ignorance is probably glaring here, but what I meant was, to make the BURL/URLAUTH pieces strictly between Dovecot and the backend SMTP server, make it invisible to the Client...

So, I take it the no response to this means that there is no way to put the BURL/URLAUTH parts such that only server support is needed, nothing special on the client side?

Bummer, that means it will be a looong time if ever that this feature is usable.
Re: detect suspicious logins
On Tue, 19 Dec 2017 17:13:10 + Matthew Broadhead wrote:
> does anyone know of a linux module (maybe similar to fail2ban) that could be installed which would monitor email logs (sign ins) and alert the user to any suspicious activity on their account? i suspect it would need to log geo location, device type and ip address to a database. it seems like a module like this would be very useful and should exist already? thanks in advance

https://github.com/PowerDNS/weakforced

-- 
openSUSE - SUSE Linux is my linux
openSUSE is good for you
www.opensuse.org
Re: detect suspicious logins
> On 19 Dec 2017, at 10:13, Matthew Broadhead wrote:
>
> does anyone know of a linux module (maybe similar to fail2ban) that could be installed which would monitor email logs (sign ins) and alert the user to any suspicious activity on their account?

Fail2ban can protect email logins. Alerting a user because random IP in Korean Middle School tried to login seems no helpful.

> i suspect it would need to log geo location, device type and ip address to a database. it seems like a module like this would be very useful

How? Blacklist failed logins. That protects everyone and doesn't induce panic.

-- 
Apple broke AppleScripting signatures in Mail.app, so no random signatures.
Re: v2.3.0 release candidate released
* Timo Sirainen 2017.12.18 16:23:

Hi,

what is the correct way of implementing carbon stats with 2.3?

/etc/dovecot/conf.d/90-stats.conf:
old_stats_carbon_server=127.0.0.1:2003
old_stats_carbon_name=host_domain_tld
old_stats_carbon_interval=60s

/etc/dovecot/conf.d/20-imap.conf:
mail_plugins =

I changed imap_stats to imap_old_stats, however this yields the following error:

Dec 20 10:20:30 edi dovecot: imap(t...@leuxner.net)<26352><9VA9GMJgns4FkqmS>: Error: module /usr/lib/dovecot/modules/lib95_imap_old_stats_plugin.so: dlsym(imap_old_stats_plugin_init) failed: /usr/lib/dovecot/modules/lib95_imap_old_stats_plugin.so: undefined symbol: imap_old_stats_plugin_init
Dec 20 10:20:30 edi dovecot: imap(t...@leuxner.net)<26352><9VA9GMJgns4FkqmS>: Error: module /usr/lib/dovecot/modules/lib95_imap_old_stats_plugin.so: dlsym(imap_old_stats_plugin_deinit) failed: /usr/lib/dovecot/modules/lib95_imap_old_stats_plugin.so: undefined symbol: imap_old_stats_plugin_deinit
Dec 20 10:20:30 edi dovecot: imap(t...@leuxner.net): Error: Couldn't load required plugin /usr/lib/dovecot/modules/lib95_imap_old_stats_plugin.so: Module doesn't have init function

Regards
Thomas