Re: Multiple certificate option

2019-09-09 Thread Maciej Milaszewski IQ PL via dovecot
Hi
Is this for all Dovecot versions?

On 10.09.2019 08:05, Greg Wildman via dovecot wrote:
> On Fri, 2019-09-06 at 17:25 -0700, remo--- via dovecot wrote:
>> What is the best way to adopt multiple certs? 
> I have a setup that creates letsencrypt certs for each customer domain.
> To automate this I have the following at the end of conf.d/10-ssl.conf
>
>   !include ssl.d/*.conf
>
> This includes any .conf file under conf.d/ssl.d
>
> Now it is a simple matter to add and remove certificates for each
> domain as the letsencrypt job runs. Each config file looks like this
>
> $cat ssl.d/somedomain_co_za.conf
> local_name imap.somedomain.co.za {
>   ssl_cert =
>   ssl_key  =
> }
>
>
> YMMV.
>


-- 
Maciej Miłaszewski
Senior System Administrator
IQ PL Sp. z o.o.


Re: Multiple certificate option

2019-09-09 Thread Greg Wildman via dovecot
On Fri, 2019-09-06 at 17:25 -0700, remo--- via dovecot wrote:
> What is the best way to adopt multiple certs? 

I have a setup that creates letsencrypt certs for each customer domain.
To automate this I have the following at the end of conf.d/10-ssl.conf

  !include ssl.d/*.conf

This includes any .conf file under conf.d/ssl.d

Now it is a simple matter to add and remove certificates for each
domain as the letsencrypt job runs. Each config file looks like this

$cat ssl.d/somedomain_co_za.conf
local_name imap.somedomain.co.za {
  ssl_cert = 
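
An added example, not part of the original post: one way a renewal job could write the per-domain `ssl.d/*.conf` snippets described above. The certificate paths assume certbot's default `/etc/letsencrypt/live/<name>/` layout, the file is named after the full hostname, and the function names are hypothetical.

```python
import os
import re
import tempfile

# One DNS label: letters, digits, hyphen; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")

def valid_hostname(name: str) -> bool:
    """Accept only plain hostnames, so a name cannot break out of the local_name block."""
    labels = name.lower().split(".")
    return len(name) <= 253 and len(labels) >= 2 and all(_LABEL.fullmatch(l) for l in labels)

def render_snippet(hostname: str, live_dir: str = "/etc/letsencrypt/live") -> str:
    """Return the local_name block for one hostname (paths are assumed certbot defaults)."""
    if not valid_hostname(hostname):
        raise ValueError(f"refusing unsafe hostname: {hostname!r}")
    host = hostname.lower()
    return (
        f"local_name {host} {{\n"
        f"  ssl_cert = <{live_dir}/{host}/fullchain.pem\n"
        f"  ssl_key = <{live_dir}/{host}/privkey.pem\n"
        f"}}\n"
    )

def write_snippet(hostname: str, ssl_d: str, live_dir: str = "/etc/letsencrypt/live") -> str:
    """Write ssl.d/<host_with_underscores>.conf atomically and return its path."""
    body = render_snippet(hostname, live_dir)
    target = os.path.join(ssl_d, hostname.lower().replace(".", "_") + ".conf")
    # The temporary name does not end in .conf, so "!include ssl.d/*.conf"
    # can never pick up a half-written file.
    fd, tmp = tempfile.mkstemp(dir=ssl_d, prefix=".tmp-")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(body)
        os.chmod(tmp, 0o644)  # the snippet holds paths only, never key material
        os.replace(tmp, target)
    except BaseException:
        os.unlink(tmp)
        raise
    return target

if __name__ == "__main__":
    print(render_snippet("imap.somedomain.co.za"), end="")
```
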



Re: Quota and maildir does not work with subfolders of INBOX

2019-09-09 Thread Niels Kobschätzki via dovecot
On 9/9/19 6:18 PM, @lbutlr via dovecot wrote:
> On 9 Sep 2019, at 09:27, Niels Kobschätzki  wrote:
>> The moment I remove those folders, the size gets calculated correctly. 
>> Unfortunately those folders are generated by some clients automatically 
>> afaik (like .INBOX.Trash)
> That sounds like a misconfiguration of the IMAP client. Someone has
> gone in and improperly set INBOX as the IMAP path Prefix in their MUA.

The thing is that it worked before. Even when the user misconfigured
their client in such a way, the quota-plugin shouldn't just throw some
dice to get to an arbitrarily high quota the user has used instead of the
right amount.

> I used to have this problem with some users until I implemented repeated and 
> consistent application of a clue bat.

Some users is in my case (as far as I guess) like 0.5%

> I don’t know of a server-side setting to prevent users from screwing up this 
> setting, but maybe?

Wouldn't that break existing accounts?

Niels


Re: Multiple certificate option

2019-09-09 Thread Joseph Tam via dovecot

On Sat, 7 Sep 2019, Remo Mattei wrote:

> Thanks Michael I will check with the free cert lets encrypt to test it.

If all your certificate subjects are domains under your control,
such as when they are aliases of each other (e.g. smtp.domain.tld,
pop3.domain.tld, imap.domain.tld, webmail.myotherdomain.tld, ...), you
may find it more convenient to obtain a SAN (Subject Name Alternative)
certificate, which allows multiple subjects to be specified in one
certificate.  Alternatively, you can also get a wildcard domain if
all your subjects are in the same domain.

There are obvious advantages to this: one (and only one) certificate to
add to the dovecot configuration, one renewal every ~60 days requiring one
restart of the dovecot service (minimizes disruptions), etc.

A disadvantage is it's a little trickier to set up your ACME bot (and maybe
your DNS service) to get a wildcard/SAN certificate.

Joseph Tam 
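
An added example, not part of the original post: a check that a candidate certificate's SAN entries cover every service name before it replaces per-host certificates. The input is the text printed by `openssl x509 -noout -ext subjectAltName`; the two sample outputs are constructed and the function names are hypothetical.

```python
import re

def parse_san(openssl_text: str) -> list:
    """Extract DNS entries from `openssl x509 -noout -ext subjectAltName` output."""
    return re.findall(r"DNS:([^,\s]+)", openssl_text)

def san_matches(pattern: str, host: str) -> bool:
    """'*' counts only as the entire left-most label and stands for exactly one label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    first, _, rest = h.partition(".")
    return bool(first) and rest == p[2:]

def uncovered(san_names, hosts):
    """Hostnames that no SAN entry covers; clients that verify the name reject these."""
    return [h for h in hosts if not any(san_matches(p, h) for p in san_names)]

# Service names taken from the post above.
HOSTS = ["smtp.domain.tld", "pop3.domain.tld", "imap.domain.tld",
         "webmail.myotherdomain.tld"]

# Constructed openssl output for two candidate certificates (not real certificates).
WILDCARD_CERT = ("X509v3 Subject Alternative Name: \n"
                 "    DNS:*.domain.tld, DNS:domain.tld\n")
SAN_CERT = ("X509v3 Subject Alternative Name: \n"
            "    DNS:smtp.domain.tld, DNS:pop3.domain.tld, DNS:imap.domain.tld, "
            "DNS:webmail.myotherdomain.tld\n")

if __name__ == "__main__":
    for label, text in (("wildcard", WILDCARD_CERT), ("SAN", SAN_CERT)):
        print(label, "certificate misses:", uncovered(parse_san(text), HOSTS))
```

The wildcard certificate leaves `webmail.myotherdomain.tld` uncovered, which is the "same domain" limit the post mentions; a wildcard also does not match names more than one label deep.
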


Re: Random duplicated emails

2019-09-09 Thread Gerald Galster via dovecot

> I migrated our mail infrastructure to Dovecot on Ubuntu 18.04 some months 
> ago. It works fine, but recently some users told me that they sometimes 
> receive duplicated emails. Same email content, same headers including 
> message-id.
> 
> I'm using two dovecot servers on two sites. Both servers are in a cluster. We 
> don't use shared folders. All users that reported this issue so far are using 
> the same server instance. The problematic emails are coming from local users 
> on that instance too. The examples they gave me were emails with many 
> recipients (To/CC). A specific message can be received twice (or more) by 
> recipient A but only once by recipient B. I didn't see anything in the logs 
> about sieve rules that redirect emails to other recipients.
> 
> Where should I look to diagnose this issue?
> 
> Thanks.
> 
> Server config:
> # 2.2.33.2 (d6601f4ec): /etc/dovecot/dovecot.conf
> # Pigeonhole version 0.4.21 (92477967)


Maybe you hit this problem:

https://dovecot.org/list/dovecot/2018-March/111422.html 


I don't know if it's fixed yet.

You could log mail events and check if it's related to dsync:

mail_plugins = ... mail_log

plugin {
  mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
  mail_log_fields = uid box msgid size subject
}

Best regards,
Gerald



Re: Random duplicated emails

2019-09-09 Thread @lbutlr via dovecot
On 9 Sep 2019, at 10:08, Francis  wrote:
> Where should I look to diagnose this issue?

Look at the raw stored messages. Your MTA probably has an internal ID (queue ID 
in postfix) that should tell you if the messages are getting duped before they 
get to dovecot.

The raw messages should have time stamps showing when they were written, so 
that will give you something else to check in the logs.

Both your mail and dovecot logs, of course.

Since these are local emails on one server, is it possible that server is 
sending mail to the other server that is coming back as a second copy?


-- 
Try to realize it's all within yourself/No one else can make you change
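
An added example, not part of the original post: the queue-ID comparison suggested above, applied to the raw messages of one mailbox. It assumes Postfix-style `Received` headers; the sample messages are constructed and the function names are hypothetical.

```python
import email
import re
from collections import defaultdict

# Postfix records its queue ID in the Received header it adds, for example
# "by mx1.example.org (Postfix) with ESMTPS id 4A1B2C3D4E".
_QID = re.compile(r"\(Postfix[^)]*\)(?:\s+with\s+\S+)?\s+id\s+([0-9A-Za-z]+)")

def queue_ids(msg):
    """Postfix queue IDs from all Received headers, newest hop first."""
    ids = []
    for hdr in msg.get_all("Received", []):
        ids += _QID.findall(" ".join(str(hdr).split()))  # unfold the header first
    return tuple(ids)

def triage(raw_messages):
    """Map each duplicated Message-ID in one mailbox to a hint about where it was copied."""
    copies = defaultdict(list)
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        copies[(msg.get("Message-ID") or "").strip()].append(queue_ids(msg))
    report = {}
    for mid, seen in copies.items():
        if mid and len(seen) > 1:
            # Identical queue IDs: one queue entry ended up stored more than once,
            # so look at delivery and replication rather than the MTA.
            # Differing queue IDs: the message entered the MTA queue more than once.
            report[mid] = "same-queue-id" if len(set(seen)) == 1 else "different-queue-ids"
    return report

def sample_message(mid, qid):
    """Build a constructed test message (not real mail)."""
    return ("Received: from client.example.org (client.example.org [192.0.2.10])\n"
            f"\tby mx1.example.org (Postfix) with ESMTPS id {qid}\n"
            "\tfor <alice@example.org>; Mon,  9 Sep 2019 10:00:00 -0400 (EDT)\n"
            f"Message-ID: {mid}\nSubject: test\n\nbody\n")

SAMPLE = [
    sample_message("<a1@example.org>", "4A1B2C3D4E"),
    sample_message("<a1@example.org>", "4A1B2C3D4E"),
    sample_message("<b2@example.org>", "5F6A7B8C9D"),
    sample_message("<b2@example.org>", "6E5D4C3B2A"),
    sample_message("<c3@example.org>", "7A7A7A7A7A"),
]

if __name__ == "__main__":
    for mid, verdict in triage(SAMPLE).items():
        print(mid, verdict)
```

For an mbox store like the one in this thread, the raw messages can be read with Python's `mailbox.mbox` and passed in via `as_string()`.
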



Re: Quota and maildir does not work with subfolders of INBOX

2019-09-09 Thread @lbutlr via dovecot
On 9 Sep 2019, at 09:27, Niels Kobschätzki  wrote:
> The moment I remove those folders, the size gets calculated correctly. 
> Unfortunately those folders are generated by some clients automatically afaik 
> (like .INBOX.Trash)

That sounds like a misconfiguration of the IMAP client. Someone has gone in and 
improperly set INBOX as the IMAP path Prefix in their MUA.

I used to have this problem with some users until I implemented repeated and 
consistent application of a clue bat.

I don’t know of a server-side setting to prevent users from screwing up this 
setting, but maybe?


-- 
but then a lot of nice things turn bad out there



Random duplicated emails

2019-09-09 Thread Francis via dovecot
Hello,

I migrated our mail infrastructure to Dovecot on Ubuntu 18.04 some months
ago. It works fine, but recently some users told me that they sometimes
receive duplicated emails. Same email content, same headers including
message-id.

I'm using two dovecot servers on two sites. Both servers are in a cluster. We
don't use shared folders. All users that reported this issue so far are
using the same server instance. The problematic emails are coming from
local users on that instance too. The examples they gave me were emails
with many recipients (To/CC). A specific message can be received twice (or
more) by recipient A but only once by recipient B. I didn't see anything in
the logs about sieve rules that redirect emails to other recipients.

Where should I look to diagnose this issue?

Thanks.

Server config:
# 2.2.33.2 (d6601f4ec): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.21 (92477967)
doveconf: Warning: service auth { client_limit=1000 } is lower than required under max. load (2500)
doveconf: Warning: service anvil { client_limit=1000 } is lower than required under max. load (1503)
# OS: Linux 4.15.0-60-generic x86_64 Ubuntu 18.04.3 LTS
auth_default_realm = **edited**
auth_master_user_separator = *
auth_mechanisms = plain login
default_process_limit = 500
first_valid_uid = 200
last_valid_uid = 200
mail_location = mbox:~/mail:INBOX=/var/mail/%u
mail_plugins = " notify replication zlib quota"
mail_privileged_group = mail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext vnd.dovecot.debug
mdbox_rotate_size = 10 M
namespace inbox {
  inbox = yes
  location =
  mailbox "Éléments envoyés" {
    special_use = \Sent
  }
  mailbox "Éléments supprimés" {
    special_use = \Trash
  }
  mailbox Brouillon {
    special_use = \Drafts
  }
  mailbox "Courrier indésirable" {
    special_use = \Junk
  }
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Junk {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix = INBOX/
  separator = /
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
passdb {
  args = /etc/dovecot/passwd.masterusers
  driver = passwd-file
  master = yes
}
plugin {
  mail_replica = tcps:**edited**:53683
  quota = count:User quota
  quota_grace = 10%%
  quota_rule = *:storage=10G
  quota_rule2 = INBOX/Trash:storage=+100M
  quota_status_nouser = DUNNO
  quota_status_overquota = 552 5.2.2 La boite courriel du destinataire est pleine - Mailbox is full
  quota_status_success = DUNNO
  quota_vsizes = yes
  quota_warning = storage=100%% quota-warning 100 %u
  quota_warning2 = storage=95%% quota-warning 95 %u
  quota_warning3 = storage=90%% quota-warning 90 %u
  quota_warning4 = storage=85%% quota-warning 85 %u
  quota_warning5 = storage=75%% quota-warning 75 %u
  quota_warning6 = -storage=80%% quota-warning '-80' %u
  quota_warning7 = -storage=100%% quota-warning '-100' %u
  sieve = /var/vmail/domains/%Ld/%Ln/.dovecot.sieve
  sieve_before = /var/vmail/sieve/before.sieve
  sieve_default = /var/vmail/sieve/default.sieve
  sieve_extensions = +vnd.dovecot.debug
  sieve_global = /var/vmail/sieve/global
  zlib_save = lz4
}
protocols = " imap lmtp sieve"
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0666
    user = vmail
  }
}
service imap-login {
  inet_listener imap {
    port = 0
  }
  process_min_avail = 10
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service quota-status {
  client_limit = 1
  executable = quota-status -p postfix
  inet_listener {
    address = **edited**
    port = 53684
  }
}
service quota-warning {
  executable = script /usr/local/bin/quota-warning.sh
  unix_listener quota-warning {
    user = vmail
  }
}
ssl = required
ssl_cert = 

Quota and maildir does not work with subfolders of INBOX

2019-09-09 Thread Niels Kobschätzki via dovecot
Hi,

we just upgraded on FreeBSD (11.2-p14) from Dovecot 2.2 to Dovecot
2.3.7.2 and now we have kind of a big problem: the quota-plugin does not
work correctly anymore. If a user has a subfolder of the INBOX (like
.INBOX.foobar) the quota-calculation does not work anymore. It seems to
be arbitrary but users get counted like double and more than they
actually have in mails (the number of mails is correct, but the size
gets calculated wrongly).
The moment I remove those folders, the size gets calculated correctly.
Unfortunately those folders are generated by some clients automatically
afaik (like .INBOX.Trash)

What can we do about that?

There were already messages to the list about this in July 2018 but I
didn't find any solution
https://dovecot.org/pipermail/dovecot/2018-July/112439.html
https://dovecot.org/pipermail/dovecot/2018-July/112440.html

Niels


Re: [Bug] Sieve vacation :addresses match only case-sensitive?

2019-09-09 Thread Philipp Faeustlin via dovecot



On 09.09.19 at 15:58, Sami Ketola wrote:
>> On 9 Sep 2019, at 16.17, Philipp Faeustlin via dovecot wrote:
>>
>>> It is not recommended to rely on local-part case, but it is indeed
>>> case-sensitive.
>>> And this is to avoid such issues that postfix supports address
>>> cleanup/canonicalisation before forwarding mails to dovecot.
>>> --
>>> RFC 5321:
>>> "Local-part = Dot-string / Quoted-string ; MAY be case-sensitive
>>> […]
>>> While the above definition for Local-part is relatively permissive,
>>> for maximum interoperability, a host that expects to receive mail
>>> SHOULD avoid defining mailboxes where the Local-part requires (or
>>> uses) the Quoted-string form or where the Local-part is case-sensitive."
>>> And therefore “receive liberally” policy that wants to assume
>>> case-insensitivity should single-case the address IN THE COMPARISON.
>>
>> The local-part MAY be case-sensitive, but in general I don't know any mail
>> addresses where the case matters.
>> Thus it is hard for me to understand, why this comparison of the vacation
>> address is case-sensitive. Whether the final recipients address is also treated
>> case-insensitive.
>>
>> If this has to be case-sensitive to be RFC compliant, then please create an
>> option for admins or users to change the behavior to a case-insensitive
>> comparison.
>
> Just change auth_username_format = %Lu to make all addresses lowercase. That
> should solve your problem.
> Or if you REALLY REALLY want to have case-sensitive userpart, then use
> auth_username_format = %n@%Ld
>
> Sami

It seems there is a misunderstanding. In Pigeonhole Sieve version 
0.5.7.2, the vacation module compares the additional :addresses 
case-sensitive.

I want to have it case-insensitive again, like in Pigeonhole version 0.4.24

Philipp






Re: Off-site cloud backup (eg Amazon S3, Wasabi)

2019-09-09 Thread @lbutlr via dovecot
On 9 Sep 2019, at 07:47, James Brown  wrote:
> Should I use a Dovecot process, rsync, a Mac app like Arq or Jungle Disk, or 
> something else?

I do not have specific experience with using S3, but if rsync is possible that 
is always my first choice, though if you want to backup to prevent ransomware 
issues, I’d use rsnapshot since that will give you history.

If you are concerned about never ever losing a single email no matter what, 
then you need a replication server that supports versioning.





-- 
A cubicle is simply a cell without a door.



Re: [Bug] Sieve vacation :addresses match only case-sensitive?

2019-09-09 Thread Sami Ketola via dovecot



> On 9 Sep 2019, at 16.17, Philipp Faeustlin via dovecot  
> wrote:
> 
>>It is not recommended to rely on local-part case, but it is indeed
>>case-sensitive.
>>And this is to avoid such issues that postfix supports address
>>cleanup/canonicalisation before forwarding mails to dovecot.
>>--
>>RFC 5321:
>>"Local-part = Dot-string / Quoted-string ; MAY be case-sensitive
>>[…]
>>While the above definition for Local-part is relatively permissive,
>>for maximum interoperability, a host that expects to receive mail
>>SHOULD avoid defining mailboxes where the Local-part requires (or
>>uses) the Quoted-string form or where the Local-part is case-sensitive."
>> And therefore “receive liberally” policy that wants to assume 
>> case-insensitivity should single-case the address IN THE COMPARISON.
> The local-part MAY be case-sensitive, but in general I don't know any mail 
> addresses where the case matters.
> Thus it is hard for me to understand, why this comparison of the vacation 
> address is case-sensitive. Whether the final recipients address is also 
> treated case-insensitive.
> 
> If this has to be case-sensitive to be RFC compliant, then please create an 
> option for admins or users to change the behavior to a case-insensitive 
> comparison.
> 

Just change auth_username_format = %Lu to make all addresses lowercase. That 
should solve your problem.
Or if you REALLY REALLY want to have case-sensitive userpart, then use 
auth_username_format = %n@%Ld

Sami



Off-site cloud backup (eg Amazon S3, Wasabi)

2019-09-09 Thread James Brown via dovecot
I’d like to synchronise our mail store to an Amazon S3 bucket or similar, for 
protection from ransomware.

Server is running on macOS with maildir.

Should I use a Dovecot process, rsync, a Mac app like Arq or Jungle Disk, or 
something else?

Anyone have experience or opinions on this?

Thanks,

James.






Re: [Bug] Sieve vacation :addresses match only case-sensitive?

2019-09-09 Thread Philipp Faeustlin via dovecot

> It is not recommended to rely on local-part case, but it is indeed
> case-sensitive.
>
> And this is to avoid such issues that postfix supports address
> cleanup/canonicalisation before forwarding mails to dovecot.
>
> --
> RFC 5321:
>
> "Local-part     = Dot-string / Quoted-string ; MAY be case-sensitive
> […]
> While the above definition for Local-part is relatively permissive,
> for maximum interoperability, a host that expects to receive mail
> SHOULD avoid defining mailboxes where the Local-part requires (or
> uses) the Quoted-string form or where the Local-part is case-sensitive."
>
> And therefore “receive liberally” policy that wants to assume
> case-insensitivity should single-case the address IN THE COMPARISON.



The local-part MAY be case-sensitive, but in general I don't know any 
mail addresses where the case matters.
Thus it is hard for me to understand, why this comparison of the 
vacation address is case-sensitive. Whether the final recipients address 
is also treated case-insensitive.


If this has to be case-sensitive to be RFC compliant, then please create 
an option for admins or users to change the behavior to a 
case-insensitive comparison.






CVE-2019-11500 and LMTP error

2019-09-09 Thread Gabriele Nencioni via dovecot
Hi all,
does the dovecot fixed version: 2.3.7.2, 2.2.36.4 (as the CVE-2019-11500
says) fix the LMTP error "Got unexpected reply" as well?

The LMTP error "Got unexpected reply" is described here:
https://dovecot.org/pipermail/dovecot/2018-August/112562.html
https://dovecot.org/pipermail/dovecot/2018-August/112666.html


Thanks in advance
Regards,
-- 
Gabriele Nencioni


Re: Force dovecot-uidlist reset

2019-09-09 Thread Tom Sommer via dovecot
Nevermind, the indexes were not deleted correctly - the method described 
below works :)


---
Tom

On 2019-09-09 09:45, Tom Sommer via dovecot wrote:

> Is there a way to force Dovecot to rebuild dovecot-uidlist from zero?
>
> It seems deleting all indexes and dovecot-* files followed by "doveadm
> force-resync" is not enough? It just gets the same UIDs? Perhaps from
> Maildir filenames? But I would like to reset the uid of all mails.
>
> Thanks


Force dovecot-uidlist reset

2019-09-09 Thread Tom Sommer via dovecot

Is there a way to force Dovecot to rebuild dovecot-uidlist from zero?

It seems deleting all indexes and dovecot-* files followed by "doveadm 
force-resync" is not enough? It just gets the same UIDs? Perhaps from 
Maildir filenames? But I would like to reset the uid of all mails.


Thanks

--
Tom