Re: Oauth2 MFA config

2024-05-24 Thread A. Schulze via dovecot




On 23.05.24 at 22:07, Scott Q. via dovecot wrote:

> Anyone managed to get Dovecot working as smoothly with OAUTH2 as
> Gmail has with Outlook? So that for example when you set the account
> up in Outlook it performs all the required steps for saving the
> device, getting tokens, etc.
>
> Ideally with a custom ID provider, not Google as described here:
> https://doc.dovecot.org/configuration_manual/authentication/oauth2/


Hello,

I wish you get more responses than my similar question:
https://dovecot.org/mailman3/hyperkitty/list/dovecot@dovecot.org/message/JJEEJG3JR5GT3H2MQEUDRLNEAA4US4KP/

Andreas
___
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org


using keycloak

2024-04-25 Thread A. Schulze via dovecot

Hello,

I'm relatively new to oauth2. I'd like to understand a setup for dovecot, but
https://doc.dovecot.org/configuration_manual/authentication/oauth2/ is not
enough for me.
Could anybody describe a simple setup where dovecot uses keycloak? For
simplification I would start with keycloak's builtin user management only.

- how to configure dovecot
- how to configure keycloak
- how to test with 'curl --verbose --some-magic-options imap://dovecot-server'

Thanks,
Andreas
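The curl smoke test asked for above, as an added example that is not from the thread or from the Dovecot or Keycloak projects: it fetches a token from Keycloak with the password grant and logs in to Dovecot over IMAPS with XOAUTH2. The hostnames, realm, client id/secret and helper names are assumptions; it presumes Dovecot's passdb uses driver = oauth2 with mechanisms xoauth2 and oauthbearer and introspects tokens at Keycloak's introspection endpoint.

```shell
#!/bin/sh
# Added example, not code from the thread or from Dovecot/Keycloak.
# Assumed placeholders (override via environment): Keycloak URL, realm,
# a confidential client with "Direct access grants" enabled, IMAP host.
# Dovecot side (assumed): passdb driver = oauth2, mechanisms = xoauth2 oauthbearer,
# introspection_url = $KC_URL/realms/$REALM/protocol/openid-connect/token/introspect
KC_URL="${KC_URL:-https://keycloak.example.test}"
REALM="${REALM:-mail}"
CLIENT_ID="${CLIENT_ID:-dovecot}"
CLIENT_SECRET="${CLIENT_SECRET:-changeme}"
IMAP_HOST="${IMAP_HOST:-imap.example.test}"

# SASL XOAUTH2 initial client response as Dovecot's xoauth2 mechanism expects it:
# "user=<user>^Aauth=Bearer <token>^A^A", base64 on one line (^A = byte 0x01).
# Handy for a manual test with 'openssl s_client' and 'a AUTHENTICATE XOAUTH2 <this>'.
xoauth2_initial_response() {
    printf 'user=%s\001auth=Bearer %s\001\001' "$1" "$2" | base64 | tr -d '\n'
}

# Resource-owner password grant: fine for a smoke test, not for real clients,
# which should use the authorization-code flow. Prints the access token.
# The sed assumes Keycloak's compact JSON reply; 'jq -r .access_token' also works.
get_token() {
    curl -sS "$KC_URL/realms/$REALM/protocol/openid-connect/token" \
        -d grant_type=password -d "client_id=$CLIENT_ID" \
        -d "client_secret=$CLIENT_SECRET" -d "username=$1" -d "password=$2" \
        -d scope=openid |
    sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p'
}

# Log in over IMAPS with the bearer token. On success curl lists the mailboxes
# and exits 0; a token that Dovecot's introspection rejects shows up as
# "AUTHENTICATE ... NO" in the --verbose trace and a non-zero exit status.
test_imap_login() {
    curl --verbose --user "$1:" --oauth2-bearer "$2" \
        --login-options 'AUTH=XOAUTH2' "imaps://$IMAP_HOST/"
}

# Usage: sh oauth2-smoke.sh run <keycloak-user> <password>
if [ "${1:-}" = "run" ]; then
    tok=$(get_token "$2" "$3")
    [ -n "$tok" ] || { echo "no access_token in Keycloak reply" >&2; exit 1; }
    test_imap_login "$2" "$tok"
fi
```

Run with `doveadm log errors` or `auth_debug = yes` on the Dovecot side to see the introspection request and the reason for a rejected token.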


Re: doveadm: Error: open(/proc/self/io) failed

2019-07-31 Thread A. Schulze via dovecot



On 31.07.19 at 08:27, Sami Ketola via dovecot wrote:
> service lmtp {
>  user = vmail
> }
> 
> please remove user = vmail from here or change it to root.
> 
> for security reasons the lmtp service must be started as root since version 
> 2.2.36. lmtp will drop root privileges after initialisation but it needs to 
> open /proc/self/io as root before that.

Hello Sami,

I don't read "root is required for lmtp" in
https://wiki.dovecot.org/LMTP#Security, nor does
https://dovecot.org/doc/NEWS-2.2 say so.
Could you prove that statement somehow?

Andreas


Re: Dovecot not surviving OpenLDAP restart

2019-05-12 Thread A. Schulze via dovecot



Dag Nygren via dovecot:

> One more obvious line from the log:
>
> dovecot[26621]: auth: Error: LDAP: Connection lost to LDAP server, reconnecting

Usually reconnecting works. If it doesn't for you, it's probably not
dovecot's fault.


I suggest inspecting the openldap logs. Try to stop slapd and start it
(ideally with the same environment and parameters) appending "-d 320".
That "-d 320" prevents slapd from becoming a daemon and floods stdout with logs.
So it is really helpful if there are no other LDAP clients when you
run slapd this way.

You should see dovecot reconnecting and maybe a reason why that fails.

Andreas



Re: Dovecot not surviving OpenLDAP restart

2019-05-08 Thread A. Schulze via dovecot



On 08.05.19 at 15:32, Dag Nygren via dovecot wrote:
> Now since some update of dovecot it will not be able to authenticate
> your logins after the LDAP service is restarted
> without a reboot of the dovecot server.

Hello,

This sounds more like a configuration glitch.
Could you show the ldap related dovecot configuration?

Logs with the failure message will also be helpful.

Andreas


Re: Feature request: exclude IP/network in allow_nets extra field

2019-05-01 Thread A. Schulze via dovecot


On 30.04.19 at 03:56, Zhang Huangbin via dovecot wrote:
> Dear all,
> 
> We use `allow_nets`[1] to restrict login clients; it works fine.
> Recently we need to allow some users to login from everywhere except some 
> IP/networks. How can we accomplish this with "allow_nets"?
> 
> Tried allow_nets="!a.b.c.d", but Dovecot reports error "allow_nets: Invalid 
> network '!a.b.c.d'".
> 
> Can we have this feature?
> 
> I guess it should be done in function "auth_request_validate_networks"[2] in 
> file src/auth/auth-request.c.

I had a similar problem years ago. Usually one sets defaults in a configuration
and overwrites them per userdb entry.
In my case the userdb was an ldap backend. I wanted to limit specific users via
allow_nets and deny all others.
So I wrote a simple patch for src/auth/auth-request.c to set defaults in case
my ldap userdb does not return any overwriting value.
Patch attached...

Andreas
Description: additional defaults for allow_nets
Author: A. Schulze
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
Index: dovecot-2.3.6/src/auth/auth-request.c
===
--- dovecot-2.3.6.orig/src/auth/auth-request.c
+++ dovecot-2.3.6/src/auth/auth-request.c
@@ -1775,6 +1775,16 @@ auth_request_validate_networks(struct au
 	unsigned int bits;
 	bool found = FALSE;
 
+	if (strcmp(networks, "ALL") == 0) {
+		auth_request_log_debug(request, "auth", "allow_nets: found 'ALL'");
+		request->failed = FALSE;
+		return;
+	}
+	if (strcmp(networks, "NONE") == 0) {
+		auth_request_log_debug(request, "auth", "allow_nets: found 'NONE'");
+		request->failed = TRUE;
+		return;
+	}
 	for (net = t_strsplit_spaces(networks, ", "); *net != NULL; net++) {
 		auth_request_log_debug(request, AUTH_SUBSYS_DB,
 			"%s: Matching for network %s", name, *net);
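Review bot: the two new `auth_request_log_debug()` calls pass the literal "auth" as the subsystem and drop the field name, while the existing call right below uses `AUTH_SUBSYS_DB` and the "%s: ..." prefix with `name`; for consistent log lines use e.g. `auth_request_log_debug(request, AUTH_SUBSYS_DB, "%s: found 'ALL'", name);`. Also, the keywords are matched with an exact, case-sensitive `strcmp()` on the whole value, so "all", a value with surrounding whitespace, or "ALL" inside a comma-separated list fall through to the network loop and are reported as invalid networks there; either document that or match the keywords per item after `t_strsplit_spaces()`. The ALL/NONE semantics should also be documented in the allow_nets description alongside the patch.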


Re: Dovecot v2.3.5 released

2019-03-07 Thread A. Schulze via dovecot



On 07.03.19 at 17:33, Aki Tuomi via dovecot wrote:

>> test-http-client-errors.c:2989: Assert failed: FALSE
>> connection timed out . : 
>> FAILED

Hello Aki,

> Are you running with valgrind or on really slow system?
I'm not aware that my build system uses valgrind ...

How do you define "a really slow system"?
All I can mention as reference is a build time of 11 minutes until the error
occurs.

> Does it happen if you run env NOVALGRIND=yes make check?
Yes.

Andreas


Re: Dovecot v2.3.5 released

2019-03-07 Thread A. Schulze via dovecot



On 05.03.19 at 17:26, Aki Tuomi via dovecot wrote:
> We are happy to release dovecot v2.3.5.

Hello,

It builds but tests fail...

make[4]: Entering directory '/<>/src/lib-http'
for bin in test-http-date test-http-url test-http-header-parser 
test-http-transfer test-http-auth test-http-response-parser 
test-http-request-parser test-http-payload test-http-client-errors 
test-http-server-errors; do \
  if !  ./$bin; then exit 1; fi; \
done
...
unconfigured ssl . : ok
unconfigured ssl abort ... : ok
invalid url .. : ok
host lookup failed ... : ok
connection refused ... : ok
connection refused backoff ... : ok
connection lost prematurely .. : ok
test-http-client-errors.c:2989: Assert failed: FALSE
connection timed out . : FAILED
invalid redirect: not accepted ... : ok
invalid redirect: bad location ... : ok
invalid redirect: too many ... : ok
...
1 / 38 tests failed


Looking at test-http-client-errors.c:2989, could this test ever pass?

test_assert(FALSE);

Andreas


Re: offtopic: rant about thoughtless enabling DMARC checks [was: Re: Bounces?]

2019-02-09 Thread A. Schulze via dovecot



On 09.02.19 at 19:56, Aki Tuomi via dovecot wrote:
> I'll review the settings when we manage to upgrade to mailman3

Hello Aki,

Before updating to mailman3, consider a simpler update to the latest mailman2.

You're using 2.1.15; current mailman2 is 2.1.29.
You're missing a /significant amount/ of DMARC fixes!

And, more off-topic:
while my messages *to* the dovecot list are sent using STARTTLS,
messages *from* wursti.dovecot.fi are sent without encryption.
Any reason to stay on unencrypted SMTP?

Andreas