RE: about imap-login: Error and imap: Error after Version-UP
You need to configure stats service client limit and imap service client limit. Those are different services than imap-login service.

Aki

> On 17/11/2020 01:28 森川 孝司 wrote:
>
> Aki-san
>
> I have already seen that page.
> Is the setting method wrong?
>
> Is there any other tuning point?
>
> morikawa
>
> -Original Message-
> From: Aki Tuomi [mailto:aki.tu...@open-xchange.com]
> Sent: Monday, November 16, 2020 8:52 PM
> To: 森川 孝司 ; dovecot@dovecot.org
> Subject: Re: about imap-login: Error and imap: Error after Version-UP
>
> > On 16/11/2020 13:44 森川 孝司 wrote:
> >
> > We have upgraded dovecot from 2.0.9 (centos6) to 2.2.36 (centos8).
> >
> > If more than 1000 users log in, the following error will occur.
> > -
> > Nov 16 11:33:00 dovecot[1361]: imap-login: Error: master(imap):
> > net_connect_unix(imap) failed: Resource temporarily unavailable -
> > http://wiki2.dovecot.org/SocketUnavailable (client-pid=1362,
> > client-id=129834, rip=10.10.10.10, created 551 msecs ago, received 0/4
> > bytes)
> > Nov 16 11:30:26 dovecot[1361]: imap: Error:
> > net_connect_unix(/var/run/dovecot/stats-writer) failed: Resource
> > temporarily unavailable
> > -
> >
> > I set the following because I thought it was a problem with the number
> > of connections, but I get an error.
> >
> > service imap-login {
> >   service_count=0
> >   client_limit = $default_client_limit
> >   process_min_avail = 4
> >   process_limit = $default_process_limit
> >   vsz_limit = 1G
> > }
> >
> > limits.conf
> > -
> > * soft nofile 4096
> > * hard nofile 4096
> > -
> >
> > cat /proc/sys/net/core/somaxconn
> > -
> > 4096
> > -
> >
> > Is there any other tuning point?
> > Where should I look?
>
> https://wiki.dovecot.org/SocketUnavailable
>
> Aki
RE: about imap-login: Error and imap: Error after Version-UP
Aki-san

I have already seen that page.
Is the setting method wrong?

Is there any other tuning point?

morikawa

-Original Message-
From: Aki Tuomi [mailto:aki.tu...@open-xchange.com]
Sent: Monday, November 16, 2020 8:52 PM
To: 森川 孝司 ; dovecot@dovecot.org
Subject: Re: about imap-login: Error and imap: Error after Version-UP

> On 16/11/2020 13:44 森川 孝司 wrote:
>
> We have upgraded dovecot from 2.0.9 (centos6) to 2.2.36 (centos8).
>
> If more than 1000 users log in, the following error will occur.
> -
> Nov 16 11:33:00 dovecot[1361]: imap-login: Error: master(imap):
> net_connect_unix(imap) failed: Resource temporarily unavailable -
> http://wiki2.dovecot.org/SocketUnavailable (client-pid=1362,
> client-id=129834, rip=10.10.10.10, created 551 msecs ago, received 0/4
> bytes)
> Nov 16 11:30:26 dovecot[1361]: imap: Error:
> net_connect_unix(/var/run/dovecot/stats-writer) failed: Resource
> temporarily unavailable
> -
>
> I set the following because I thought it was a problem with the number
> of connections, but I get an error.
>
> service imap-login {
>   service_count=0
>   client_limit = $default_client_limit
>   process_min_avail = 4
>   process_limit = $default_process_limit
>   vsz_limit = 1G
> }
>
> limits.conf
> -
> * soft nofile 4096
> * hard nofile 4096
> -
>
> cat /proc/sys/net/core/somaxconn
> -
> 4096
> -
>
> Is there any other tuning point?
> Where should I look?

https://wiki.dovecot.org/SocketUnavailable

Aki
Re: about imap-login: Error and imap: Error after Version-UP
> On 16/11/2020 13:44 森川 孝司 wrote:
>
> We have upgraded dovecot from 2.0.9 (centos6) to 2.2.36 (centos8).
>
> If more than 1000 users log in, the following error will occur.
> -
> Nov 16 11:33:00 dovecot[1361]: imap-login: Error: master(imap):
> net_connect_unix(imap) failed: Resource temporarily unavailable -
> http://wiki2.dovecot.org/SocketUnavailable (client-pid=1362,
> client-id=129834, rip=10.10.10.10, created 551 msecs ago, received 0/4
> bytes)
> Nov 16 11:30:26 dovecot[1361]: imap: Error:
> net_connect_unix(/var/run/dovecot/stats-writer) failed: Resource temporarily
> unavailable
> -
>
> I set the following because I thought it was a problem with the number of
> connections, but I get an error.
>
> service imap-login {
>   service_count=0
>   client_limit = $default_client_limit
>   process_min_avail = 4
>   process_limit = $default_process_limit
>   vsz_limit = 1G
> }
>
> limits.conf
> -
> * soft nofile 4096
> * hard nofile 4096
> -
>
> cat /proc/sys/net/core/somaxconn
> -
> 4096
> -
>
> Is there any other tuning point?
> Where should I look?

https://wiki.dovecot.org/SocketUnavailable

Aki
about imap-login: Error and imap: Error after Version-UP
We have upgraded dovecot from 2.0.9 (centos6) to 2.2.36 (centos8).

If more than 1000 users log in, the following error will occur.
-
Nov 16 11:33:00 dovecot[1361]: imap-login: Error: master(imap): net_connect_unix(imap) failed: Resource temporarily unavailable - http://wiki2.dovecot.org/SocketUnavailable (client-pid=1362, client-id=129834, rip=10.10.10.10, created 551 msecs ago, received 0/4 bytes)
Nov 16 11:30:26 dovecot[1361]: imap: Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: Resource temporarily unavailable
-

I set the following because I thought it was a problem with the number of connections, but I get an error.

service imap-login {
  service_count=0
  client_limit = $default_client_limit
  process_min_avail = 4
  process_limit = $default_process_limit
  vsz_limit = 1G
}

limits.conf
-
* soft nofile 4096
* hard nofile 4096
-

cat /proc/sys/net/core/somaxconn
-
4096
-

Is there any other tuning point?
Where should I look?
Re: last-login Plugin
On 16/11/2020 11:55, Andrea Gabellini wrote:
> Hello,
>
> I'm using last_login plugin and store data into a MySql DB. I'm using
> version 2.3.10.1 and the config is at the end of the email.
>
> I would like to store also the remote IP and the session name. The
> config is working but other information is written only the first
> time. Any update is ignored but last_login time.
>
> Debugging MySQL, I notice that dovecot is using this query:
>
> INSERT INTO last_login (last_login,userid,rip,protocol,session) VALUES
> (1605350938,'',x.x.x.x','imap','jLFs5A609cdSN4Wh') ON DUPLICATE KEY
> UPDATE last_login=1605350938
>
> How can I modify the configuration?
>
>
>
> conf.d/95-last_login.conf:
> dict {
>   lastlogin = mysql:/etc/dovecot/dovecot-last-login.conf.ext
> }
>
> plugin {
>   last_login_dict = proxy::lastlogin
>   last_login_key = last-login/%u/%r/%s/%{session}
> }
>
> protocol imap {
>   mail_plugins = $mail_plugins last_login
> }
> protocol pop3 {
>   mail_plugins = $mail_plugins last_login
> }
>
> dovecot-last-login.conf.ext:
> connect = host=/var/lib/mysql/mysql.sock dbname=dovecot user=xxx
> password=xxx
>
> map {
>   pattern = shared/last-login/$userid/$rip/$service/$session
>   table = last_login
>   value_field = last_login
>   value_type = uint
>
>   fields {
>     userid = $userid
>     rip = $rip
>     protocol = $service
>     session = $session
>   }
> }
>
>

One solution is to use a primary key containing all the columns except last_login. The side effect is that you can get more than one row per userid, but if you order them by last_login you can get the last one.

John
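The composite-key suggestion above, worked through as an added example (not code from the thread or from Dovecot). SQLite's `ON CONFLICT ... DO UPDATE` stands in for MySQL's `ON DUPLICATE KEY UPDATE`; the column types, helper names and sample logins are assumptions constructed for the illustration.

```python
import sqlite3

# Assumed schema: column names follow the map{} block in the post; the key
# covers every column except last_login, as suggested in the reply.
SCHEMA = """
CREATE TABLE last_login (
    userid     TEXT NOT NULL,
    rip        TEXT NOT NULL,
    protocol   TEXT NOT NULL,
    session    TEXT NOT NULL,
    last_login INTEGER NOT NULL,
    PRIMARY KEY (userid, rip, protocol, session)
)
"""

# Same shape as the statement seen in the MySQL debug output; only the
# conflict clause differs because this runs on SQLite.
UPSERT = """
INSERT INTO last_login (last_login, userid, rip, protocol, session)
VALUES (?, ?, ?, ?, ?)
ON CONFLICT (userid, rip, protocol, session)
DO UPDATE SET last_login = excluded.last_login
"""

def record_login(db, ts, userid, rip, protocol, session):
    db.execute(UPSERT, (ts, userid, rip, protocol, session))

def latest_login(db, userid):
    """Most recent row for a user: the 'order them by last_login' step."""
    return db.execute(
        "SELECT last_login, rip, protocol, session FROM last_login "
        "WHERE userid = ? ORDER BY last_login DESC LIMIT 1", (userid,)
    ).fetchone()

def rows_for(db, userid):
    return db.execute(
        "SELECT COUNT(*) FROM last_login WHERE userid = ?", (userid,)
    ).fetchone()[0]

def demo():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    # Constructed sample logins (documentation IP ranges, made-up sessions).
    record_login(db, 1605350938, "alice", "192.0.2.10", "imap", "sessA")
    # Same key again: only the timestamp is refreshed.
    record_login(db, 1605350990, "alice", "192.0.2.10", "imap", "sessA")
    # Different rip/protocol/session: a second row for the same user.
    record_login(db, 1605351200, "alice", "198.51.100.7", "pop3", "sessB")
    return db

if __name__ == "__main__":
    conn = demo()
    print(rows_for(conn, "alice"), latest_login(conn, "alice"))
```

Because the session id is part of the key, this layout accumulates roughly one row per login, so the table behaves as a login history and needs pruning.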
last-login Plugin
Hello,

I'm using last_login plugin and store data into a MySql DB. I'm using version 2.3.10.1 and the config is at the end of the email.

I would like to store also the remote IP and the session name. The config is working but other information is written only the first time. Any update is ignored but last_login time.

Debugging MySQL, I notice that dovecot is using this query:

INSERT INTO last_login (last_login,userid,rip,protocol,session) VALUES (1605350938,'',x.x.x.x','imap','jLFs5A609cdSN4Wh') ON DUPLICATE KEY UPDATE last_login=1605350938

How can I modify the configuration?

conf.d/95-last_login.conf:
dict {
  lastlogin = mysql:/etc/dovecot/dovecot-last-login.conf.ext
}

plugin {
  last_login_dict = proxy::lastlogin
  last_login_key = last-login/%u/%r/%s/%{session}
}

protocol imap {
  mail_plugins = $mail_plugins last_login
}
protocol pop3 {
  mail_plugins = $mail_plugins last_login
}

dovecot-last-login.conf.ext:
connect = host=/var/lib/mysql/mysql.sock dbname=dovecot user=xxx password=xxx

map {
  pattern = shared/last-login/$userid/$rip/$service/$session
  table = last_login
  value_field = last_login
  value_type = uint

  fields {
    userid = $userid
    rip = $rip
    protocol = $service
    session = $session
  }
}

--
UNIX is user friendly. It's just selective about who its friends are.

Andrea Gabellini
Engineering R&D
TIM San Marino S.p.A. - https://www.telecomitalia.sm
Via Ventotto Luglio, 212 - Piano -2
47893 - Borgo Maggiore - Republic of San Marino
Tel: (+378) 0549 886237
Fax: (+378) 0549 886188
Re: [patch] enhancement for tika server protected by user/password basic auth
On 16/11/2020 01:14, PGNet Dev wrote:
> On 11/15/20 1:29 PM, John Fawcett wrote:
>>> atm, listening on localhost, with Dovecot -> Tika direct, no proxy.
>>>
>>> similarly fragile under load. throwing ~10 messages with .5-5MB
>>> attachments at it at once causes all sorts of complaints.
>
> frequently, like this
>
>
>
> seems fts_tika isn't going to be a well-behaved black box.
>
> pulling it out of dovecot usage for now, to setup a standalone
> instance and throw test attachments at it directly ...
>

I have to admit that despite all the warnings and errors in the Tika log, that was the part that gave me least difficulty. Though once Tika runs out of memory, I start to see 502s returned to Dovecot, this does not ultimately end up as blocking indexing on Dovecot since after restart the emails that were not indexed are resubmitted. Also I suppose that it can be resolved by adding more resources.

My main issue is the following example, which blocks indexing of the relevant folder. When reindexing a specific sent folder that had a 4.3MB zip attachment containing 132MB of files, Tika passed back 139MB of output to Dovecot which then sent 228MB of output to Solr. I got back a 502 error from the apache proxy for that and haven't worked out the reason.

However these files contain nothing worth indexing. I'd be happy to skip indexing any attachment larger than say 1MB (in terms of the original file, or the output from Tika or the output to send to Solr).

John
Re: no shared cipher openssl
> On 16/11/2020 09:54 li...@lazygranch.com wrote:
>
> On Sun, 15 Nov 2020 17:31:07 -0500
> Mike Schroeder wrote:
>
> > CentOS 7
> > Dovecot 2.2.36
> >
> > Nov 14 07:13:08 mail dovecot: pop3-login: Disconnected (no auth
> > attempts in 0 secs):
> > user=<>, rip=73.0.0.0, lip=192.64.118.242, TLS handshaking:
> > SSL_accept() failed:
> > error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher,
> > session=<>
> >
> > Was working fine for over a year, until the cert expired and I
> > replaced it. I've tried the good cert I have for https and I used the
> > Dovecot.org script to generate a self-signed certificate.
> >
> > 10-ssl.conf
> > ## SSL settings
> > #ssl = required
> > ssl = yes
> > #ssl = no
> > ssl_cert =
> > ssl_key =
> > #ssl_ca =
> > #ssl_require_crl = yes
> > #ssl_client_ca_dir =
> > #ssl_client_ca_file =
> > #ssl_verify_client_cert = no
> > #ssl_cert_username_field = commonName
> > #ssl_dh_parameters_length = 1024
> > #ssl_protocols = !SSLv3
> >
> > # SSL ciphers to use
> > # old values ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
> > ssl_cipher_list =
> > ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:
> > !RC4:!ADH:!LOW@STRENGTH
> >
> > # Prefer the server's order of ciphers over client's.
> > #ssl_prefer_server_ciphers = no
> >
> > # Prefer the server's order of ciphers over client's.
> > #ssl_prefer_server_ciphers = no
> > # SSL crypto device to use, for valid values run "openssl engine"
> > #ssl_crypto_device =
> >
> > # SSL extra options. Currently supported options are:
> > # no_compression - Disable compression.
> > # no_ticket - Disable SSL session tickets.
> > #ssl_options =
> >
> > ===
> > # openssl x509 -dates -in mydomain.com.crt
> > notBefore=Nov 11 16:31:35 2020 GMT
> > notAfter=Nov 11 16:31:35 2022 GMT
> > -BEGIN CERTIFICATE-
> > :
> > ===
> > # openssl pkey -in mydomain.com.key
> > -BEGIN PRIVATE KEY-
> > :
> >
> > Thanks for taking a look. Any ideas on what I should do next to
> > debug?
> >
> > Mike
>
> I remembered this problem was posted and still had the reply post from
> Viktor. This may or may not be relevant. A search on this text will
> probably drag up the whole thread.
> ---
> Specifically, an ECDSA P-256 certificate, but some systems don't (yet?)
> support ECDSA. You'd need an additional RSA certificate to interoperate
> with their sending MTA's limited STARTTLS cipher/protocol repertoire.
> --
>
> When this thread went around I looked at my logs and found some no
> auth complaints on my dovecot log. I believe they were trying to use
> the sslv3 to hack my server. Or at least see if it is hackable. Since
> my email server is a personal one and the attack was from a hosting
> company, I blocked server IP space.
>
> The weird thing is I get your error now myself but not consistently. Here
> is an example.
> ---
> Nov 16 04:18:37 imap-login: Info: Disconnected (no auth attempts in 0 secs):
> user=<>, rip=myvpn, lip=myserverip, TLS handshaking: SSL_accept() failed:
> error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:
> SSL alert number 46, session=
> Nov 16 04:18:37 imap-login: Info: Login: user=,
> method=PLAIN, rip=myvpn, lip=myserverip, mpid=11710, TLS,
> session=
>
> However the problem isn't present at the moment.

Dovecot supports an alternative certificate if you have problems with ECDSA and need to use RSA for them. See https://doc.dovecot.org/settings/core/#ssl-alt-cert

Aki
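One way to triage the handshake failures quoted in this thread, as an added example (not code from any poster or from Dovecot): it groups `SSL_accept() failed` lines by OpenSSL reason and remote IP and marks whether the reason is an alert received from the client. The sample log lines are constructed on the format shown above, and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines modelled on the excerpts in the thread
# (addresses are documentation ranges, user and session ids are made up).
SAMPLE_LOG = """\
Nov 14 07:13:08 mail dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.0.2.15, lip=198.51.100.1, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher, session=<aaa>
Nov 14 07:13:09 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.0.2.16, lip=198.51.100.1, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher, session=<bbb>
Nov 16 04:18:37 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=203.0.113.9, lip=198.51.100.1, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<ccc>
Nov 16 04:18:37 mail dovecot: imap-login: Login: user=<user1>, method=PLAIN, rip=203.0.113.9, lip=198.51.100.1, mpid=11710, TLS, session=<ddd>
"""

FAIL_RE = re.compile(
    r"(?P<service>[\w-]+-login): .*?rip=(?P<rip>[^,\s]+),.*?"
    r"SSL_accept\(\) failed: error:(?P<code>[0-9A-Fa-f]+):SSL routines:"
    r"(?P<func>[^:]+):(?P<reason>[^:,]+)"
)

def side(reason):
    """Which end gave up: an 'alert' reason was received from the client,
    anything else was raised locally by the server's TLS library."""
    return "client-alert" if " alert " in f" {reason} " else "server-local"

def triage(log_text):
    """Map failure reason -> Counter of remote IPs that triggered it."""
    by_reason = defaultdict(Counter)
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:  # successful logins and other lines are skipped
            by_reason[m["reason"].strip()][m["rip"]] += 1
    return dict(by_reason)

def summarize(log_text):
    """Rows of (reason, side, failures, distinct remote IPs), busiest first."""
    rows = [(r, side(r), sum(c.values()), len(c))
            for r, c in triage(log_text).items()]
    return sorted(rows, key=lambda row: -row[2])

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

A "no shared cipher" count spread across most clients right after a certificate change points at the server's certificate and cipher settings, while failures confined to a few remote addresses are more likely client-side or scanning traffic.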
Re: no shared cipher openssl
On Sun, 15 Nov 2020 17:31:07 -0500
Mike Schroeder wrote:

> CentOS 7
> Dovecot 2.2.36
>
> Nov 14 07:13:08 mail dovecot: pop3-login: Disconnected (no auth
> attempts in 0 secs):
> user=<>, rip=73.0.0.0, lip=192.64.118.242, TLS handshaking:
> SSL_accept() failed:
> error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher,
> session=<>
>
> Was working fine for over a year, until the cert expired and I
> replaced it. I've tried the good cert I have for https and I used the
> Dovecot.org script to generate a self-signed certificate.
>
> 10-ssl.conf
> ## SSL settings
> #ssl = required
> ssl = yes
> #ssl = no
> ssl_cert =
> ssl_key =
> #ssl_ca =
> #ssl_require_crl = yes
> #ssl_client_ca_dir =
> #ssl_client_ca_file =
> #ssl_verify_client_cert = no
> #ssl_cert_username_field = commonName
> #ssl_dh_parameters_length = 1024
> #ssl_protocols = !SSLv3
>
> # SSL ciphers to use
> # old values ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
> ssl_cipher_list =
> ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:
> !RC4:!ADH:!LOW@STRENGTH
>
> # Prefer the server's order of ciphers over client's.
> #ssl_prefer_server_ciphers = no
>
> # Prefer the server's order of ciphers over client's.
> #ssl_prefer_server_ciphers = no
> # SSL crypto device to use, for valid values run "openssl engine"
> #ssl_crypto_device =
>
> # SSL extra options. Currently supported options are:
> # no_compression - Disable compression.
> # no_ticket - Disable SSL session tickets.
> #ssl_options =
>
> ===
> # openssl x509 -dates -in mydomain.com.crt
> notBefore=Nov 11 16:31:35 2020 GMT
> notAfter=Nov 11 16:31:35 2022 GMT
> -BEGIN CERTIFICATE-
> :
> ===
> # openssl pkey -in mydomain.com.key
> -BEGIN PRIVATE KEY-
> :
>
> Thanks for taking a look. Any ideas on what I should do next to
> debug?
>
> Mike

I remembered this problem was posted and still had the reply post from Viktor. This may or may not be relevant. A search on this text will probably drag up the whole thread.
---
Specifically, an ECDSA P-256 certificate, but some systems don't (yet?) support ECDSA. You'd need an additional RSA certificate to interoperate with their sending MTA's limited STARTTLS cipher/protocol repertoire.
--

When this thread went around I looked at my logs and found some no auth complaints on my dovecot log. I believe they were trying to use the sslv3 to hack my server. Or at least see if it is hackable. Since my email server is a personal one and the attack was from a hosting company, I blocked server IP space.

The weird thing is I get your error now myself but not consistently. Here is an example.
---
Nov 16 04:18:37 imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=myvpn, lip=myserverip, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=
Nov 16 04:18:37 imap-login: Info: Login: user=, method=PLAIN, rip=myvpn, lip=myserverip, mpid=11710, TLS, session=

However the problem isn't present at the moment.