Re: [Dovecot] Filesystem quotas

2011-10-09 Thread Alexandre Chapellon
I think by using dovecot quota you can exclude some directories from the 
quota (e.g. spam or Trash or whatever you like).
More specifically, it is better using dovecot quota as it will allow LDA to 
report quota exceeded in NDR. If using filesystem quota, I guess you'll 
send ugly messages reporting IO error or inability to write file, which 
is really not serious.


regards.

On 10/10/2011 00:44, Steve Fatula wrote:

From: Eduardo Casarero
To: Steve Fatula
Cc: Dovecot List
Sent: Sunday, October 9, 2011 2:37 PM
Subject: Re: [Dovecot] Filesystem quotas


But if you don't use quotas how do you know if the user is out of space? Or does 
the user get a notification that it's running out of space, before you start 
rejecting emails?
How do I know, or, how does the user know? I couldn't care less, so, not an issue for me. The user gets notification when their used space is above a certain percent. These are system users, so, email is just one part of their quota space. They might have 1 email, and build a massive file, they'd still be out of space. 


So, what do I get by using the Dovecot Quota/FS plugin? Is it just a matter of 
it counting used space? Something else? Better handling of out of space?


--
<http://www.horoa.net>

Alexandre Chapellon

Open-source systems and network engineering.
Follow me on twitter: @alxgomz <http://www.twitter.com/alxgomz>



Re: [Dovecot] limiting number of incorrect logins per connection

2011-08-26 Thread Alexandre Chapellon
fail2ban will work as soon as dovecot has closed a non-authenticated 
connection: 3mins->180sec
If tarpit delay for auth failures in a connection is set to 15s (which 
seems to be the default unless I misunderstood) this lets an 
attacker only 12 tries (at most) before the IP gets blacklisted by 
fail2ban... Far enough to circumvent bruteforce and even dictionary 
based attacks... unless the attacker has a botnet and uses a non 
aggressive retry policy. But in the last case, even if you blacklist the IP 
at the first failed try, you're still vulnerable to such attacks.


regards.

On 26/08/2011 14:22, Felipe Scarel wrote:

Yeah, I had read about half of that thread, and after I sent my mail kept
reading and stumbled upon this: "(...) using the recent module needs
dovecot to close the connection upon authentication failure, as iptables only
(normally) comes in to play for new connections (...)".

So, yeah, my suggestion probably won't work.

On Fri, Aug 26, 2011 at 09:15, Felipe Scarel wrote:


Alex, I've not personally done it (so just speculating here, bear with me)
but you can customize Fail2Ban's actions if needed. So, if you can match the
attempts through some regex (and since you're seeing them in the logs, that
should be quite possible), then you can edit one of the 'actions' to drop
the connection for.

I'm just not entirely sure that iptables (or pf, or whatever firewall
you've got) can do it to active connections, 'cause that problem hasn't
arisen for me so far.


On Fri, Aug 26, 2011 at 06:14, Alex wrote:


I am happy to recompile if there is no config option. I gather it's in the
src/auth dir somewhere in one of the C source files. Just need to be pointed
in the right dir.


On Fri, 26 Aug 2011 19:07:08 +1000, Alex wrote:


3 minutes! I think that's too long, how can I drop that down to about
45 seconds?


On Fri, 26 Aug 2011 11:44:45 +0300, Timo Sirainen wrote:


On 26.8.2011, at 10.25, Alex wrote:

Running Dovecot 2 on my server. It is regularly getting dictionary auth
attacked. What I have noticed is that once connected to a pop3/imap login
session, you can send endless incorrect usernames+passwords attempts. This
is a problem for me... I use fail2ban to try and stop these script kiddies.
The problem is that fail2ban detects the bad auths, firewalls the IP,
however, since it's an "established" session, the attacker can keep authing
away... It's only on a subsequent (new) connection that the firewalling will
take effect.


Umm. If client hasn't managed to log in in 3 minutes, it's
disconnected (no matter what it does with the connection).



--

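The botnet caveat raised in the message above, as an added example that is not part of the original thread: per-IP counting (what a fail2ban jail does) is compared with per-account counting across sources, which is what exposes a slow distributed guess run. The log line layout, the function name `analyse` and both thresholds are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict

# Assumed layout of Dovecot's failed-login lines; adapt to your log format.
FAIL_RE = re.compile(
    r"-login: (?:Disconnected|Aborted login) \(auth failed, (?P<n>\d+) attempts[^)]*\): "
    r"user=<(?P<user>[^>]*)>.*?\brip=(?P<rip>[0-9A-Fa-f.:]+)")

# Constructed sample covering one observation window (not real traffic).
SAMPLE_LOG = """\
Aug 26 09:00:01 mail dovecot: pop3-login: Disconnected (auth failed, 12 attempts): user=<admin>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10
Aug 26 09:01:10 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<info>, method=PLAIN, rip=198.51.100.11, lip=192.0.2.10
Aug 26 09:04:37 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<info>, method=PLAIN, rip=198.51.100.12, lip=192.0.2.10
Aug 26 09:09:02 mail dovecot: imap-login: Aborted login (auth failed, 2 attempts): user=<info>, method=PLAIN, rip=198.51.100.13, lip=192.0.2.10
Aug 26 09:15:48 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<jane>, method=PLAIN, rip=192.0.2.77, lip=192.0.2.10
Aug 26 09:16:03 mail dovecot: imap-login: Login: user=<jane>, method=PLAIN, rip=192.0.2.77, lip=192.0.2.10, mpid=901, TLS
"""

def analyse(lines, maxretry=5, min_sources=3):
    """Return (noisy_ips, distributed): what a per-IP ban catches and what it misses."""
    per_ip = defaultdict(int)       # ip -> failed attempts in the window
    per_user = defaultdict(dict)    # user -> {ip: failed attempts}
    for line in lines:
        m = FAIL_RE.search(line)
        if not m:
            continue
        n, user, ip = int(m["n"]), m["user"], m["rip"]
        per_ip[ip] += n
        per_user[user][ip] = per_user[user].get(ip, 0) + n
    # Sources that reach the per-IP threshold: a per-IP ban handles these.
    noisy_ips = {ip for ip, n in per_ip.items() if n >= maxretry}
    distributed = {}
    for user, sources in per_user.items():
        quiet = {ip: n for ip, n in sources.items() if ip not in noisy_ips}
        # Many sources, each below the ban threshold: the botnet case.
        if len(quiet) >= min_sources:
            distributed[user] = sum(quiet.values())
    return noisy_ips, distributed

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG.splitlines()))
```

Accounts returned in `distributed` are candidates for a per-account response (alerting, temporary lockout or a forced password change), since no single source ever crosses the per-IP limit.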

Re: [Dovecot] May Dovecot help in users education

2011-08-17 Thread Alexandre Chapellon



On 17/08/2011 16:35, Eric Shubert wrote:

On 08/17/2011 07:24 AM, Alexandre Chapellon wrote:



On 17/08/2011 16:05, Laurent CARON wrote:

On 17/08/2011 16:00, Alexandre Chapellon wrote:
Is there any way to achieve this with dovecot? Does anybody have another
idea to smoothly force users to switch to TLS?


Hi,

Maybe by sending them an email with a deadline for the end of clear
text auth support ?

If they don't amend their setup they'll be unable to retrieve their
emails.

:)... already tried this in the past and it just doesn't work... 80% of
users never apply changes and prefer getting very angry and call the
support. Which is exactly what I want to avoid.


Should you want to go the "nicer" way, you could throttle bandwidth to
port 110/143 provided you use those for insecure connections.

This sounds better and I thought tc could help going that way, but there
is nothing informative in going this way. I know what I ask for seems
crappy and probably is out of the scope of what dovecot is supposed to
do, but this would be temporary and I wanna make sure it is not possible
before digging somewhere else.

Thanks



I think I would write a script that would glean such accounts from the 
dovecot log, then send them a message every day instructing them how 
to turn on TLS in order to quit getting this message. A support line 
to call for help would be nice for those who have difficulty changing 
their configuration.



I didn't think about that. It's quite basic but I like that.

Thanks

--
<http://www.horoa.net>
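The log-gleaning script suggested in the message above, as an added example that is not part of the original thread: it collects accounts that logged in without TLS and builds (but does not send) the reminder. The login line layout, the function names, the `example.org` domain and the notice wording are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict
from email.message import EmailMessage

# Assumed Dovecot login line layout; adapt to your login_log_format_elements.
LOGIN_RE = re.compile(
    r"(?P<proto>imap|pop3)-login: Login: user=<(?P<user>[^>]+)>"
    r".*?\brip=(?P<rip>[0-9A-Fa-f.:]+)(?P<rest>.*)$")
# "TLS" marks an encrypted session, "secured" a connection Dovecot trusts (e.g. localhost).
PROTECTED_RE = re.compile(r",\s*(?:TLS|secured)\b")

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = """\
Aug 17 16:01:02 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, mpid=4211, TLS
Aug 17 16:02:10 mail dovecot: pop3-login: Login: user=<bob>, method=PLAIN, rip=198.51.100.23, lip=192.0.2.10, mpid=4215
Aug 17 16:03:44 mail dovecot: imap-login: Login: user=<carol>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=4220, secured
Aug 17 16:05:09 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.99, lip=192.0.2.10, mpid=4231
Aug 17 16:06:30 mail dovecot: pop3-login: Login: user=<bob>, method=PLAIN, rip=198.51.100.23, lip=192.0.2.10, mpid=4240
Aug 17 16:07:00 mail dovecot: imap-login: Disconnected (auth failed, 2 attempts): user=<dave>, method=PLAIN, rip=203.0.113.50, lip=192.0.2.10
"""

def cleartext_logins(lines):
    """Return {user: {(protocol, client_ip): count}} for logins without TLS."""
    found = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LOGIN_RE.search(line)
        if m and not PROTECTED_RE.search(m.group("rest")):
            found[m.group("user")][(m.group("proto"), m.group("rip"))] += 1
    return {u: dict(v) for u, v in found.items()}

def build_notice(user, sessions, domain="example.org"):
    """Build (not send) the daily reminder; domain and wording are placeholders."""
    msg = EmailMessage()
    msg["To"] = f"{user}@{domain}"
    msg["From"] = f"postmaster@{domain}"
    msg["Subject"] = "Your mail client is connecting without encryption"
    rows = "\n".join(f"  {p.upper()} from {ip}: {n} login(s)"
                     for (p, ip), n in sorted(sessions.items()))
    msg.set_content("Unencrypted logins seen for your account:\n" + rows +
                    "\n\nEnable SSL/TLS in your client's account settings\n"
                    "to stop receiving this message.\n")
    return msg

if __name__ == "__main__":
    for user, sessions in sorted(cleartext_logins(SAMPLE_LOG.splitlines()).items()):
        print(build_notice(user, sessions))
```

Listing the protocol and client address per account lets the notice point at the one device that is still unencrypted when a user's other clients already use TLS, as with `alice` in the sample.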

Re: [Dovecot] May Dovecot help in users education

2011-08-17 Thread Alexandre Chapellon



On 17/08/2011 16:05, Laurent CARON wrote:

On 17/08/2011 16:00, Alexandre Chapellon wrote:

Is there any way to achieve this with dovecot? Does anybody have another
idea to smoothly force users to switch to TLS?


Hi,

Maybe by sending them an email with a deadline for the end of clear 
text auth support ?


If they don't amend their setup they'll be unable to retrieve their 
emails.
:)... already tried this in the past and it just doesn't work... 80% of 
users never apply changes and prefer getting very angry and call the 
support. Which is exactly what I want to avoid.


Should you want to go the "nicer" way, you could throttle bandwidth to 
port 110/143 provided you use those for insecure connections.
This sounds better and I thought tc could help going that way, but there 
is nothing informative in going this way. I know what I ask for seems 
crappy and probably is out of the scope of what dovecot is supposed to 
do, but this would be temporary and I wanna make sure it is not possible 
before digging somewhere else.


Thanks

--
<http://www.horoa.net>

Re: [Dovecot] May Dovecot help in users education

2011-08-17 Thread Alexandre Chapellon

Hello,

I was wondering if dovecot could help me in my project to smoothly make 
all my users switch to TLS encrypted POP / IMAP sessions and forget 
about cleartext.
My first idea was to set up dovecot as a POP/IMAP proxy for my mailhosts 
and ask dovecot to display a warning message or slow down non TLS sessions.
Is there any way to achieve this with dovecot? Does anybody have another 
idea to smoothly force users to switch to TLS?


Regards.

P.S.: double posted because previous was HTML and I've seen some MUAs 
fail to display it properly... sorry, will only send raw text now.

[Dovecot] May Dovecot help in users education

2011-08-17 Thread Alexandre Chapellon

[Dovecot] migration scenario

2011-06-10 Thread Alexandre Chapellon

Hello,

I'd like to know if anybody has experience with migrating mailboxes 
from the Mirapoint mail system to dovecot?


If so how was it done and what were the difficulties?

regards.


Re: [Dovecot] migrating to dovecot

2011-03-30 Thread Alexandre Chapellon
Ok, thanks for all that information. As Jim said, now I have to give
it a try and see what happens.

On Wednesday 30 March 2011 at 17:07 +0300, Timo Sirainen wrote:
> On 30.3.2011, at 16.48, Jim Lawson wrote:
> 
> >> But will imapsync keep track of UIDs so users won't have duplicated
> >> messages or re-download them if they use POP3?
> 
> IMAP protocol doesn't know anything about POP3 UIDLs. They might or might not 
> be based on IMAP UIDs.
> 
> > I don't think so.  The sync happens via IMAP, and I don't think IMAP
> > clients can *set* UIDs of messages; only the server does this (someone
> > please correct me if I'm mistaken.)
> 
> That too. Although Dovecot v2.1's dsync + imapc backend can migrate mails and 
> preserve IMAP UIDs, but even it can't preserve POP3 UIDLs at least currently 
> (that would also require POP3 client code for Dovecot..)
> 

-- 
horoa: the way is clear




Re: [Dovecot] migrating to dovecot

2011-03-30 Thread Alexandre Chapellon
On Tuesday 29 March 2011 at 19:04 -0400, Jim Lawson wrote:
> Does the proprietary solution allow IMAP access?  If so, I would use
> imapsync.
> 

Thanks for answers.

Not all the accounts have IMAP enabled, but I guess I could set up some
master account with IMAP enabled or even enable IMAP for all users to
proceed with migration.

But will imapsync keep track of UIDs so users won't have duplicated
messages or re-download them if they use POP3?
Will it preserve flags of messages so read or deleted messages do not
appear as new messages?

regards.

> http://www.linux-france.org/prj/imapsync/
> 
> Jim
> 
> On 3/29/11 18:26 , Alexandre Chapellon wrote:
> > Hello,
> >
> > I am trying to set up a migration scenario from a proprietary solution
> > to dovecot IMAP/POP3.
> > Whereas I am only at the starting point, things appear quite complicated
> > because of the following reasons:
> >
> > - The proprietary solution uses special/own/proprietary mailbox format
> > (which is more like maildir but is not maildir)
> > - I don't have direct access to the filesystem where the mails are
> > stored. The best I could do would be a snapshot of the filesystem
> > - I have about 1,5TB of mail data.
> > - Having users to be forced to empty their mailbox before migration or
> > re-download their whole mailbox after migration would be something hard
> > for me to present as a correct option.
> >
> > I am looking for advice that would avoid me losing time searching in bad
> > directions. Or even point me to a miraculous tool that does all magic
> > while I have a beer :)
> >
> > Best regards.
> >

-- 
horoa: the way is clear




[Dovecot] migrating to dovecot

2011-03-29 Thread Alexandre Chapellon
Hello,

I am trying to set up a migration scenario from a proprietary solution
to dovecot IMAP/POP3.
Whereas I am only at the starting point, things appear quite complicated
because of the following reasons:

- The proprietary solution uses special/own/proprietary mailbox format
(which is more like maildir but is not maildir)
- I don't have direct access to the filesystem where the mails are
stored. The best I could do would be a snapshot of the filesystem
- I have about 1,5TB of mail data.
- Having users to be forced to empty their mailbox before migration or
re-download their whole mailbox after migration would be something hard
for me to present as a correct option.

I am looking for advice that would avoid me losing time searching in bad
directions. Or even point me to a miraculous tool that does all magic
while I have a beer :)

Best regards.

-- 
horoa: the way is clear

