TFA authentication in dovecot, using XMPP and RFC 4226

2019-04-02 Thread André Rodier via dovecot
Hello,

I would like to implement some kind of two-factor authentication in
Dovecot.

I am thinking about using the post login script, to check for unusual
behaviour, like say, a different country / IP address or an unusual
hour.

I already wrote a simple shell script that checks these factors, but
now I have some options for the following, and I need to know your
opinion on whether this is feasible or not.

I want to use the google-authenticator Debian package (it supports the
HMAC-Based One-time Password (HOTP) algorithm specified in RFC 4226 and the
Time-based One-time Password (TOTP) algorithm).

The challenge would be sent via XMPP. This second part is fairly easy
to do; I have all the packages on Debian, for instance sendxmpp. The
first tests are promising.

In case of success, the IP address is added to the list, let's say for
one month...

My back-end for authentication is OpenLDAP.

My questions are:

- Do you see any performance issues for other users or login processes
if I implement this?
- I am planning to use a timeout, for instance one minute to confirm
the connection. Does Dovecot have a timeout on its side, that would
abort the connection before?

Otherwise:

- Is it possible to have multiple authentication back-ends in Dovecot?
For instance LDAP and/or OTP?
- I think I have seen some TFA options in Dovecot, but AFAICS they
are mandatory.

Thanks for your insights, and this fabulous software.

-- 
André Rodier
HomeBox: https://github.com/progmaticltd/homebox
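The second factor sketched above is just RFC 4226 HOTP (and its time-based variant, RFC 6238 TOTP) plus a short-lived "trust this IP" list. The following is an added example, not the poster's script and not code from the google-authenticator package: it implements the code generation, a server-side verifier with a look-ahead window and constant-time comparison, replay refusal, and an expiring IP allowlist. The secret, IPs and timestamps used are the RFC test values and made-up data.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation of the MAC, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def _well_formed(code: str, digits: int) -> bool:
    return len(code) == digits and code.isdigit()


def verify_hotp(secret: bytes, submitted: str, last_counter: int,
                look_ahead: int = 10, digits: int = 6):
    """Counter-based check: try the next `look_ahead` counters after the last
    one accepted. Returns the matching counter (store it as the new
    last_counter) or None. Counters <= last_counter are never tried, so a
    captured code cannot be replayed."""
    if not _well_formed(submitted, digits):
        return None
    for counter in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


def verify_totp(secret: bytes, submitted: str, at=None, last_step: int = -1,
                step: int = 30, window: int = 1, digits: int = 6):
    """Time-based check accepting `window` steps either side for clock drift.
    Returns the matching time step (store it as last_step) or None; steps at
    or before last_step are refused so one code is not usable twice."""
    at = int(time.time()) if at is None else at
    if not _well_formed(submitted, digits):
        return None
    current = at // step
    for delta in range(-window, window + 1):
        candidate = current + delta
        if candidate <= last_step:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate
    return None


class TrustedIPs:
    """The 'remember this IP for a month' part of the design: an expiring
    allowlist keyed on client IP (assumed to live in the post-login script)."""

    def __init__(self, ttl_seconds: int = 30 * 24 * 3600):
        self.ttl = ttl_seconds
        self._entries = {}

    def remember(self, ip: str, now: int) -> None:
        self._entries[ip] = now + self.ttl

    def is_trusted(self, ip: str, now: int) -> bool:
        expires = self._entries.get(ip)
        if expires is None:
            return False
        if now >= expires:
            del self._entries[ip]
            return False
        return True


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"   # the RFC 4226 / RFC 6238 test secret
    for c in range(10):
        print(c, hotp(rfc_secret, c))      # matches the RFC 4226 Appendix D table
    print(totp(rfc_secret, 59, digits=8))  # RFC 6238 Appendix B: 94287082
```

The look-ahead window is what lets a user burn a few codes on the phone without desynchronising; the stored counter or time step is what stops a code that was sniffed from the XMPP side from being presented a second time.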


where shall I enforce sieve and quota plugins

2019-04-02 Thread luckydog xf via dovecot
Hello, guys,

   I'm going to use the sieve and quota plugins, but I'm not sure where I
should properly enforce them.

   I see that some people put them in 20-imap.conf, 15-lda.conf, or
20-lmtp.conf.

   I use LMTP as MDA, so where is the correct location to call these
plugins and why?

   Thanks,


Re: sieve scripts not synching for 2.3.5.1 pre-built

2019-04-02 Thread Timo Sirainen via dovecot
On 2 Apr 2019, at 22.37, Timo Sirainen via dovecot wrote:
> 
> On 2 Apr 2019, at 17.03, Jan-Pieter Cornet via dovecot wrote:
>> 
>> Hi,
>> 
>> We're synching mailboxes, changing format from maildir to mdbox, using 
>> doveadm backup/doveadm sync.
>> 
>> When still running 2.2.36, 'doveadm backup' also synched the sieve scripts, 
>> without issues.
>> 
>> After the upgrade to 2.3.5.1, the sieve sync stopped working. We're using 
>> the pre-built 2.3 packages from 
>> https://repo.dovecot.org/ce-2.3-latest/debian/stretch 
>> 
> 
> Looks like this is trivial to reproduce. It used to work still in v2.3.1, but 
> then something broke it. Tracking internally in DOP-1062.

Reverting
https://github.com/dovecot/pigeonhole/commit/479c5e57046dec76078597df844daccbfc0eb75f
fixes this.



Re: sieve scripts not synching for 2.3.5.1 pre-built

2019-04-02 Thread Timo Sirainen via dovecot
On 2 Apr 2019, at 17.03, Jan-Pieter Cornet via dovecot wrote:
> 
> Hi,
> 
> We're synching mailboxes, changing format from maildir to mdbox, using 
> doveadm backup/doveadm sync.
> 
> When still running 2.2.36, 'doveadm backup' also synched the sieve scripts, 
> without issues.
> 
> After the upgrade to 2.3.5.1, the sieve sync stopped working. We're using the 
> pre-built 2.3 packages from 
> https://repo.dovecot.org/ce-2.3-latest/debian/stretch 
> 

Looks like this is trivial to reproduce. It used to work still in v2.3.1, but 
then something broke it. Tracking internally in DOP-1062.



sieve scripts not synching for 2.3.5.1 pre-built

2019-04-02 Thread Jan-Pieter Cornet via dovecot

Hi,

We're synching mailboxes, changing format from maildir to mdbox, using doveadm 
backup/doveadm sync.

When still running 2.2.36, 'doveadm backup' also synched the sieve scripts, 
without issues.

After the upgrade to 2.3.5.1, the sieve sync stopped working. We're using the 
pre-built 2.3 packages from 
https://repo.dovecot.org/ce-2.3-latest/debian/stretch

In fact, when I now remove the dovecot-2.3 packages, and use my own old 2.2.36 
packages, using the exact same config, the sieve scripts are being copied again.

In 2.2.36, when I migrate a mailbox, I do see Pigeonhole being initialized. Eg:

userimap-dev1:~ # doveadm -D backup -u xtra30 "doveadm -D dsync-server -u 
xtra30+mdbox=.8d1&4&03&xtra30"
  (note: that strange destination user signals to the auth proxy 
that we want the new mdbox storage instead of the default for this user)
Debug: Loading modules from directory: /usr/lib/dovecot/modules
Debug: Module loaded: /usr/lib/dovecot/modules/lib02_lazy_expunge_plugin.so
Debug: Module loaded: /usr/lib/dovecot/modules/lib10_quota_plugin.so
Debug: Module loaded: /usr/lib/dovecot/modules/lib20_zlib_plugin.so
Debug: Loading modules from directory: /usr/lib/dovecot/modules/doveadm
Debug: Skipping module doveadm_acl_plugin, because dlopen() failed: 
/usr/lib/dovecot/modules/doveadm/lib10_doveadm_acl_plugin.so: undefined symbol: 
acl_user_module (this is usually intentional, so just ignore this message)
Debug: Skipping module doveadm_expire_plugin, because dlopen() failed: 
/usr/lib/dovecot/modules/doveadm/lib10_doveadm_expire_plugin.so: undefined 
symbol: expire_set_deinit (this is usually intentional, so just ignore this 
message)
Debug: Module loaded: 
/usr/lib/dovecot/modules/doveadm/lib10_doveadm_quota_plugin.so
Debug: Module loaded: 
/usr/lib/dovecot/modules/doveadm/lib10_doveadm_sieve_plugin.so
[...skipping a bunch of lines...]
dsync-local(xtra30): Debug: brain M: Mailbox Spam: 
local=88b39d12998d9e5cbb70436edcce/0/1, 
remote=/0/0: mailbox not selectable yet
dsync-local(xtra30): Debug: brain M: Mailbox Test: 
local=801bb932e98d9e5c3d6d436edcce/0/1, 
remote=/0/0: mailbox not selectable yet
dsync-local(xtra30): Debug: brain M: Mailbox Trash: 
local=fc9b162b86479f5cc85a436edcce/0/1, 
remote=/0/0: mailbox not selectable yet
dsync-remote(xtra30): Debug: brain S: Skipping unchanged mailbox 
e7c1961d84479f5c885a436edcce
dsync-local(xtra30): Debug: doveadm-sieve: Iterating Sieve mailbox attributes
dsync-local(xtra30): Debug: sieve: Pigeonhole version 0.4.24 () initializing
dsync-local(xtra30): Debug: sieve: include: sieve_global is not set; it is 
currently not possible to include `:global' scripts.
dsync-local(xtra30): Debug: sieve: file storage: Using active Sieve script 
path: /var/mail/.8d1/index/7/oldsieve/x/xt/xtra30/dovecot.sieve
[... skipping a lot of sieve debug lines that seem fine ...]
dsync-remote(xtra30): Debug: sieve: file script: Opened script 
`xtra30-testfilter' from 
`/var/mail/.8d1/index/4/03/xtra30/sieve/scripts/xtra30-testfilter.sieve'
dsync-remote(xtra30): Debug: doveadm-sieve: Assigned value for key 
`vendor/vendor.dovecot/pvt/server/sieve/default' (last change: 2019-03-29 
22:27:41)
dsync-remote(xtra30): Debug: brain S: Import INBOX: Import attribute 
vendor/vendor.dovecot/pvt/server/sieve/default: Nonexistent locally
dsync-remote(xtra30): Debug: brain S: Import INBOX: Last common UID=0. Delayed 
expunges=
dsync-remote(xtra30): Debug: brain S: Import INBOX: Import change type=save 
GUID=1553894809.M254847P28859.userimap11.xs4all.net,S=1311,W=1342 UID=1 
hdr_hash= result=Mail's UID is above local UIDNEXT - No more local mails found
[...]

Afterwards, the sieve scripts have been transferred, even including 
last-modified time of any scripts.

However, with 2.3.5.1, it seems doveadm-sieve is never called from dsync. 
Output includes:

userimap-dev1:~ # doveadm -D backup -u xtra30 "doveadm -D dsync-server -u 
xtra30+mdbox=.8d1&4&03&xtra30"
Debug: Loading modules from directory: /usr/lib/dovecot/modules
Debug: Module loaded: /usr/lib/dovecot/modules/lib02_lazy_expunge_plugin.so
Debug: Module loaded: /usr/lib/dovecot/modules/lib10_quota_plugin.so
Debug: Module loaded: /usr/lib/dovecot/modules/lib20_zlib_plugin.so
Debug: Loading modules from directory: /usr/lib/dovecot/modules/doveadm
Debug: Skipping module doveadm_acl_plugin, because dlopen() failed: 
/usr/lib/dovecot/modules/doveadm/lib10_doveadm_acl_plugin.so: undefined symbol: 
acl_lookup_dict_iterate_visible_next (this is usually intentional, so just 
ignore this message)
Debug: Skipping module doveadm_expire_plugin, because dlopen() failed: 
/usr/lib/dovecot/modules/doveadm/lib10_doveadm_expire_plugin.so: undefined 
symbol: expire_set_deinit (this is usually intentional, so just ignore this 
message)
Debug: Module loaded: 
/usr/lib/dovecot/modules/doveadm/lib10_doveadm_quota_plugin.so
Debug: Module loaded: 
/usr/

Re: Trying to track down source of duplicate messages

2019-04-02 Thread Steffen Kaiser via dovecot


On Tue, 2 Apr 2019, Timo Sirainen via dovecot wrote:

> succeeded eventually. You might see these differences in Received
> headers.

yep, post the Received lines

-- 
Steffen Kaiser



Re: ssl_min_protocol

2019-04-02 Thread Aki Tuomi via dovecot


On 2.4.2019 12.37, @lbutlr via dovecot wrote:
> What are the possible settings for ssl_min_protocol? I only see it on the 
> upgrade page where it mentions the default is TLSv1.
>
> Searching on the dovecot page gives me "Your search query "ssl_min_protocol" 
> didn't return any results."
>
>
>
Hi!

Valid values are 'SSLv3' (when supported by openssl), 'TLSv1',
'TLSv1.1', 'TLSv1.2'.

Aki
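Once ssl_min_protocol is set, the thing to check is whether the server really stopped accepting the older versions. The script below is an added example, not part of this thread or of Dovecot: it pins a client context to exactly one protocol version at a time against an implicit-TLS port (993 by default, an assumption) and reports which of the setting names from the reply the server still accepts. Certificate verification is deliberately off because the question is protocol acceptance, not identity; SSLv3 is not probed because a current Python ssl module cannot negotiate it.

```python
import socket
import ssl

# Dovecot setting names from the reply above, mapped to Python's TLSVersion.
VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}


def offers(host: str, port: int, version: ssl.TLSVersion,
           timeout: float = 5.0) -> bool:
    """True if the server completes a handshake pinned to exactly `version`.
    Meant for an implicit-TLS port such as imaps/993 or pop3s/995; a STARTTLS
    port (143/110) would need the STARTTLS exchange first."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE   # protocol acceptance only, not identity
        ctx.minimum_version = version
        ctx.maximum_version = version
        if version < ssl.TLSVersion.TLSv1_2:
            # OpenSSL 1.1.1+/3.x refuse TLS 1.0/1.1 at the default security
            # level; lower it so the client actually offers the legacy version.
            ctx.set_ciphers("ALL:@SECLEVEL=0")
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError, ValueError):
        return False


def probe(host: str, port: int = 993) -> dict:
    """Map each setting name to whether the server accepted that version."""
    return {name: offers(host, port, v) for name, v in VERSIONS.items()}


def violations(results: dict, min_protocol: str) -> list:
    """Setting names the server still accepts although they are older than
    the ssl_min_protocol you configured, i.e. the setting did not take effect."""
    floor = VERSIONS[min_protocol]
    return [name for name, accepted in results.items()
            if accepted and VERSIONS[name] < floor]


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    results = probe(host)
    for name, accepted in results.items():
        print(f"{name:8s} {'accepted' if accepted else 'refused'}")
    print("accepted below a TLSv1.2 minimum:", violations(results, "TLSv1.2"))
```

Run it against the server before and after the config change; an empty violations list for the minimum you configured is the result you want.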



ssl_min_protocol

2019-04-02 Thread @lbutlr via dovecot
What are the possible settings for ssl_min_protocol? I only see it on the 
upgrade page where it mentions the default is TLSv1.

Searching on the dovecot page gives me "Your search query "ssl_min_protocol" 
didn't return any results."



-- 
Up the airy mountains, down the rushy glen... From ghosties and bogles
and long-leggity beasties... My mother said I never should... We dare
not go a-hunting for fear... And things that go bump... Play with the
fairies in the wood... --Lords and Ladies




Re: sql table definitions

2019-04-02 Thread James via dovecot

On 02/04/2019 05:42, Richard Hector via dovecot wrote:
> I'm using PostgreSQL for my auth db. I used the example CREATE TABLE
> statement in the config file, but now I find the fields are too short. I
> assume dovecot will be fine with 'text' type columns replacing the
> varchars? Or failing that, I can change the length of the varchar fields?

ALTER TABLE $table ALTER COLUMN $column TYPE VARCHAR($newlength);


My tables are very different from the dovecot suggested tables and it 
works, just make sure the queries in dovecot-sql.conf correspond.  My 
tables are different because they hold additional information for 
routing (the db is shared with exim).







Re: Trying to track down source of duplicate messages

2019-04-02 Thread Timo Sirainen via dovecot
On 1 Apr 2019, at 19.40, Alex via dovecot wrote:
> 
> Hi,
> 
> I haven't received any responses to my duplicate messages problem. It
> occurred to me that I posted my full dovecot config instead of just
> the changes we've made locally. I thought it might help to follow up
> with just the specific config to make it easier to identify a
> potential problem.

How are you delivering the mails? With dovecot-lda or something else? Do you 
see any errors/warnings in your MTA log? Similar problems at least can happen 
if the delivery takes a very long time and MTA times out and retries the 
delivery later on, but the original delivery actually succeeded eventually. You 
might see these differences in Received headers.
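The retry scenario described above leaves a specific trace: the two stored copies share a Message-ID and the same upstream hops, but the final MTA-to-Dovecot hop carries two different timestamps. The script below is an added example, not from this thread or from Dovecot; it parses the Received chains of two copies and reports the first hop where they diverge. The two messages are constructed for the example (hostnames, IDs and times are invented).

```python
import email
import re
from email.utils import parsedate_to_datetime

# Two constructed copies of one message as they might be stored after a
# duplicated delivery: same Message-ID, same upstream hop, but the final
# MTA -> Dovecot LMTP hop was performed twice, a few minutes apart.
COPY_A = "\n".join([
    "Received: from mx1.example.org ([192.0.2.10]) by imap.example.org"
    " (Dovecot) with LMTP id 4Aqc; Tue, 02 Apr 2019 10:00:05 +0000",
    "Received: from mail.sender.example ([198.51.100.7]) by mx1.example.org"
    " (Postfix) with ESMTPS id 7F3A1 for <alex@example.org>;"
    " Tue, 02 Apr 2019 09:59:58 +0000",
    "Message-ID: <20190402095950.abc@sender.example>",
    "Subject: test",
    "",
    "body",
])
COPY_B = "\n".join([
    "Received: from mx1.example.org ([192.0.2.10]) by imap.example.org"
    " (Dovecot) with LMTP id 9Zt2; Tue, 02 Apr 2019 10:05:12 +0000",
    "Received: from mail.sender.example ([198.51.100.7]) by mx1.example.org"
    " (Postfix) with ESMTPS id 7F3A1 for <alex@example.org>;"
    " Tue, 02 Apr 2019 09:59:58 +0000",
    "Message-ID: <20190402095950.abc@sender.example>",
    "Subject: test",
    "",
    "body",
])

HOP_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+)", re.S)


def received_chain(raw: str) -> list:
    """Parse the Received headers into delivery order (oldest hop first)."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(value)
        stamp = value.rsplit(";", 1)[-1].strip()   # the date follows the last ';'
        hops.append({
            "from": m.group(1) if m else None,
            "by": m.group(2) if m else None,
            "at": parsedate_to_datetime(stamp),
        })
    hops.reverse()  # headers are prepended, so the top one is the newest hop
    return hops


def compare_copies(raw_a: str, raw_b: str) -> dict:
    """Find the first hop where two copies differ. The same from/by pair with
    a different timestamp is the signature of an MTA retrying a delivery that
    had in fact already succeeded."""
    a, b = email.message_from_string(raw_a), email.message_from_string(raw_b)
    chain_a, chain_b = received_chain(raw_a), received_chain(raw_b)
    result = {
        "same_message_id": a["Message-ID"] == b["Message-ID"],
        "diverges_at": None,
        "same_route": None,
        "delay_seconds": None,
    }
    for i, (ha, hb) in enumerate(zip(chain_a, chain_b)):
        route_a, route_b = (ha["from"], ha["by"]), (hb["from"], hb["by"])
        if route_a != route_b or ha["at"] != hb["at"]:
            result["diverges_at"] = i
            result["same_route"] = route_a == route_b
            if route_a == route_b:
                result["delay_seconds"] = int(abs((hb["at"] - ha["at"]).total_seconds()))
            return result
    if len(chain_a) != len(chain_b):   # one copy simply carries extra hops
        result["diverges_at"] = min(len(chain_a), len(chain_b))
    return result


if __name__ == "__main__":
    print(compare_copies(COPY_A, COPY_B))
```

A divergence with same_route true and a delay of minutes points at the MTA's delivery timeout; a divergence where the route itself differs points at two independent deliveries (for instance two MX hosts or a list expansion) rather than a retry.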



Re: FTS delays

2019-04-02 Thread Timo Sirainen via dovecot
On 2 Apr 2019, at 6.38, Joan Moreau via dovecot wrote:
> 
> Further on this topic:
> 
> 
> 
> When choosing any headers in the search box, dovecot core calls the plugin 
> TWICE (and returns the results quickly, but not immediately after getting the 
> IDs from the plugins)
> 
> When choosing the BODY search, dovecot core calls the plugin ONCE (and never 
> returns) (whereas the plugins returns properly the IDs)
> 

If we simplify this, do you mean this calls it once and is fast:

doveadm search -u user@domain mailbox inbox body helloworld

But this calls twice and is slow:

doveadm search -u user@domain mailbox inbox text helloworld

And what about searching e.g. subject? :

doveadm search -u user@domain mailbox inbox subject helloworld

And does the slowness depend on whether there were any matches or not?

> This is based on GIT version. (previous versions were working properly)

Previous versions were fast? Do you mean v2.3.5?