Dovecot 2.3 repo for CentOS 8.

2019-12-09 Thread Reio Remma via dovecot

Hello!

Are there any plans for an official Dovecot repo for CentOS 8?

Thanks,
Reio



Re: sievec *.sieve problem.

2019-11-05 Thread Reio Remma via dovecot

On 05/11/2019 10:03, Sami Ketola via dovecot wrote:



On 5 Nov 2019, at 9.53, Reio Remma via dovecot <dovecot@dovecot.org> wrote:


Hello!

For the second time I've tripped onto this banana peel. :)

I had 2 sieve files in a directory that I wanted to compile:

sievec *.sieve

The result of this is that first.sieve is compiled into second.sieve 
instead of first.svbin, thus destroying the source of second.sieve.


Please consider this a bug report. :)



Not a bug. Works as documented:

# sievec
Usage: sievec  [-c ] [-d] [-D] [-P ] [-x 
]

               []
sievec(root): Fatal: Missing  argument

If you want to compile all sieve scripts in a single directory, just 
give that directory as a parameter and don't let your shell expand 
the wildcard.


Sami


Very well, although unfortunate and counterintuitive. :)

Reio
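
Added example (not part of the thread and not Dovecot project code): the glob in `sievec *.sieve` expands to `sievec first.sieve second.sieve`, which puts the second script in the output-file position. The sketch below compiles scripts one at a time with an explicit `.svbin` target and refuses any call with more than one `.sieve` argument; the function names and the overridable `SIEVEC` variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Dovecot code. SIEVEC can be overridden (an assumption
# made so the logic can be exercised without Pigeonhole installed).
SIEVEC="${SIEVEC:-sievec}"

# Return non-zero when more than one argument ends in .sieve: with
# "sievec a.sieve b.sieve" the second name is taken as the output file
# and b.sieve would be overwritten with the compiled form of a.sieve.
sievec_guard() {
    sieve_args=0
    for arg in "$@"; do
        case "$arg" in
            *.sieve) sieve_args=$((sieve_args + 1)) ;;
        esac
    done
    if [ "$sieve_args" -gt 1 ]; then
        echo "refusing: $sieve_args .sieve arguments, the second would be overwritten" >&2
        return 1
    fi
    return 0
}

# Drop-in wrapper: run the compiler only when the argument list is safe.
safe_sievec() {
    sievec_guard "$@" && "$SIEVEC" "$@"
}

# Compile every script in a directory, one invocation per file, always
# naming the output explicitly. Prints the number of scripts compiled.
compile_sieve_dir() {
    dir="${1:-.}"
    rc=0
    count=0
    for src in "$dir"/*.sieve; do
        # An unmatched glob stays literal; skip anything that is not a file.
        [ -f "$src" ] || continue
        out="${src%.sieve}.svbin"
        if "$SIEVEC" "$src" "$out"; then
            count=$((count + 1))
        else
            echo "compile failed: $src" >&2
            rc=1
        fi
    done
    echo "$count"
    return "$rc"
}
```
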


sievec *.sieve problem.

2019-11-04 Thread Reio Remma via dovecot

Hello!

For the second time I've tripped onto this banana peel. :)

I had 2 sieve files in a directory that I wanted to compile:

sievec *.sieve

The result of this is that first.sieve is compiled into second.sieve 
instead of first.svbin, thus destroying the source of second.sieve.


Please consider this a bug report. :)

Good luck,
Reio


Re: Dovecot and MySQL aborted connections.

2019-11-01 Thread Reio Remma via dovecot

On 01/11/2019 10:16, Reio Remma via dovecot wrote:

On 01/11/2019 01:19, Benjamin Connelly via dovecot wrote:

during the update the log_warnings changed from 1 to 2 therefore
showing lots of aborted connection notices in the logs

changing the log_warnings back from 2 to 1 solved this issue


Yes the same setting made the same change to the default with mysql:

https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_log-warnings 



So now we know how to silence the "Aborted connection" mysql loglines 
thank you!



But still I wonder if Dovecot wants to handle these connections 
slightly differently - if it could be cleaner? Or is it moot?


Unfortunately there are (replication info) messages that I actually 
need from that log level and I wouldn't want to just hide issues 
anyway. :)


I monitored the situation in MySQL Workbench a little and it seems the 
userdb MySQL connection closes cleanly.


What doesn't close cleanly is the dict engine MySQL connection that is 
updating last login timestamp (its connection shows COMMIT as the last 
query).


The dict connection closes after sleeping exactly 60 seconds (server 
net_write_timeout is 60 seconds).

The userdb connection closes after about 61-62 seconds for some reason.

I tried changing read/write_timeout in Dovecot MySQL connection to 
lower, equal and higher than those set by the server, but it didn't 
change anything.





Re: Dovecot and MySQL aborted connections.

2019-11-01 Thread Reio Remma via dovecot

On 01/11/2019 01:19, Benjamin Connelly via dovecot wrote:

during the update the log_warnings changed from 1 to 2 therefore
showing lots of aborted connection notices in the logs

changing the log_warnings back from 2 to 1 solved this issue


Yes the same setting made the same change to the default with mysql:

https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_log-warnings 



So now we know how to silence the "Aborted connection" mysql loglines 
thank you!



But still I wonder if Dovecot wants to handle these connections 
slightly differently - if it could be cleaner? Or is it moot?


Unfortunately there are (replication info) messages that I actually need 
from that log level and I wouldn't want to just hide issues anyway. :)


Re: Dovecot and MySQL aborted connections.

2019-10-28 Thread Reio Remma via dovecot

On 28/10/2019 11:28, Gerald Galster via dovecot wrote:

Hi,


Is anyone else using Dovecot (2.3.8) with MySQL (5.7) seeing a lot of these in 
MySQL logs?

2019-10-28T11:08:20.384428+02:00 58378 [Note] Aborted connection 58378 to db: 
'vmail' user: 'vmail' host: 'localhost' (Got an error reading communication 
packets)
2019-10-28T11:10:09.821171+02:00 58420 [Note] Aborted connection 58420 to db: 
'vmail' user: 'vmail' host: 'localhost' (Got an error reading communication 
packets)
2019-10-28T11:11:26.170015+02:00 58441 [Note] Aborted connection 58441 to db: 
'vmail' user: 'vmail' host: 'localhost' (Got an error reading communication 
packets)
2019-10-28T11:13:14.091426+02:00 58459 [Note] Aborted connection 58459 to db: 
'vmail' user: 'vmail' host: 'localhost' (Got an error reading communication 
packets)

They've plagued my logs for as long as I can remember. Is Dovecot not closing 
connections to the database properly or something similar?

is it possible MySQL closed inactive connections?

SHOW VARIABLES LIKE '%timeout%';

mysqlx_wait_timeout = 3600
wait_timeout = 3600
mysqlx_interactive_timeout = 3600
interactive_timeout = 3600

Gerald


Variable_name    Value
connect_timeout    10
interactive_timeout    28800
lock_wait_timeout    31536000
net_read_timeout    30
net_write_timeout    60
wait_timeout    28800

That sounds plausible.  I wonder how to solve it though. :) I don't get 
any such notices from OpenSMTPD using the same database.


Dovecot list breaks DKIM.

2019-10-28 Thread Reio Remma via dovecot

Hello again,

I noticed mails from the Dovecot list break DKIM signatures.

Perhaps it's something to look at?

Most lists I'm on manage to pass messages with DKIM intact.

Authentication-Results: abc.abc.abc;
dkim=fail (rsa verify failed) header.d=mrstuudio.ee header.s=mr 
header.b=M03Fp5lE;
dmarc=pass (policy=none) header.from=dovecot.org;
spf=pass


Thanks,
Reio


Dovecot and MySQL aborted connections.

2019-10-28 Thread Reio Remma via dovecot
Is anyone else using Dovecot (2.3.8) with MySQL (5.7) seeing a lot of 
these in MySQL logs?


2019-10-28T11:08:20.384428+02:00 58378 [Note] Aborted connection 58378 
to db: 'vmail' user: 'vmail' host: 'localhost' (Got an error reading 
communication packets)
2019-10-28T11:10:09.821171+02:00 58420 [Note] Aborted connection 58420 
to db: 'vmail' user: 'vmail' host: 'localhost' (Got an error reading 
communication packets)
2019-10-28T11:11:26.170015+02:00 58441 [Note] Aborted connection 58441 
to db: 'vmail' user: 'vmail' host: 'localhost' (Got an error reading 
communication packets)
2019-10-28T11:13:14.091426+02:00 58459 [Note] Aborted connection 58459 
to db: 'vmail' user: 'vmail' host: 'localhost' (Got an error reading 
communication packets)


They've plagued my logs for as long as I can remember. Is Dovecot not 
closing connections to the database properly or something similar?


Reio



Re: LastLogin update

2019-08-12 Thread Reio Remma via dovecot

Hello!

Does it update the remote ip for you if you already have a row for a 
user? I'm experimenting with a similar feature and it seems to be 
updating only the login time. I think it figures the other fields are 
all part of the primary key and therefore not supplied to ON DUPLICATE 
KEY UPDATE ...


Thanks,
Reio


On 24.06.2019 17:25, Júlio Covolato via dovecot wrote:


On 22/06/2019 22:41, Zhang Huangbin via dovecot wrote:


On Jun 23, 2019, at 4:43 AM, @lbutlr via dovecot wrote:



https://docs.iredmail.org/track.user.last.login.html

This is cool, but I have a question:


For MySQL/MariaDB backends, we create the sql table in database vmail.
Would this interfere with or confuse postfixadmin? I use that so 
that users can update their own passwords and domain admins can add 
users and aliases.
The document is for iRedMail, it supports storing mail accounts in 
SQL or OpenLDAP, that's why the document mentions the difference.

You're free to use any database on your own mail server.


Zhang Huangbin, founder of iRedMail project: https://www.iredmail.org/


What I did:

#$ cat dovecot-last-login.conf

connect = host=127.0.0.1 port=3306 dbname=vmail user=vmailadmin 
password=xxx


map {
    pattern = shared/last-login/$user/$domain/$rip/$service
    table = last_login
    value_field = last_login
    value_type = uint

    fields {
    username = $user
    domain = $domain
    rip = $rip
    proto = $service
    }
}

--

dovecot.conf:

plugin {

...

...

    # Track last login time on imap and pop3
    last_login_dict = proxy::lastlogin
    last_login_key = last-login/%u/%d/%r/%s
}

Result on mysql:

mysql> select * from last_login where username = 'ju...@xxx.com.br';
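+------------------+------------+------------+-----------------+-------+
| username         | domain     | last_login | rip             | proto |
+------------------+------------+------------+-----------------+-------+
| ju...@xxx.com.br | xxx.com.br | 1559921589 | 177.xxx.xxx.230 | imap  |
+------------------+------------+------------+-----------------+-------+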
1 row in set (0.00 sec)


--
    _    Engº Julio Cesar Covolato
   0v0   
  /(_)\  F: +55 11 99175-9260
   ^ ^   PSI INTERNET
--







Re: Autoexpunge not working for Junk?

2019-08-08 Thread Reio Remma via dovecot

Hello!

I have the autoexpunge settings defined inside protocol imap thus (and 
it works):


protocol imap {
  mail_plugins = quota notify replication imap_quota imap_sieve
  namespace inbox {
    location =
    mailbox Ham {
  autoexpunge = 365 days
    }
    mailbox Spam {
  autoexpunge = 365 days
    }
    mailbox Trash {
  autoexpunge = 180 days
    }
    prefix =
  }
}

Good luck,
Reio

On 08.08.2019 21:34, Amir Caspi via dovecot wrote:

Hi all,

Might anyone have any idea about this issue?  I can run a cron job if 
needed but it seems like autoexpunge SHOULD be doing this automatically...


Thanks!

--- Amir

On Jul 24, 2019, at 10:18 PM, Amir Caspi wrote:


Hi all,

I set up dovecot a couple of months ago and am having trouble getting 
autoexpunge=30d to work on my Trash and Junk mailboxes.  Not sure why 
not because I'm not getting error messages in my log.
Running "doveadm search -u  mailbox Junk savedbefore 30d" shows 
me many messages (I've got messages back to mid-May, and a couple of 
other users have them back to early April, although if this setting 
were working, there should be nothing earlier than June 24).  Running 
a manual doveadm expunge works fine... it's just autoexpunge that 
seems to not be running at all.


I'm using sendmail as the MTA and procmail as the LDA, so dovecot is 
running purely for IMAP/POP service.


Any help is much appreciated.

Thanks!

doveconf -n:
# 2.2.36 (1f10bfa63): /etc/dovecot/dovecot.conf
# OS: Linux 3.10.0-957.21.3.el7.x86_64 x86_64 CentOS Linux release 
7.6.1810 (Core)

# Hostname: REDACTED
auth_username_format = %Ln
first_valid_uid = 1000
mail_location = mbox:~/mail:INBOX=/var/spool/mail/%u
mailbox_list_index = yes
mbox_write_locks = fcntl
namespace compat1 {
 alias_for =
 hidden = yes
 list = no
 location =
 prefix = mail/
 separator = /
}
namespace compat2 {
 alias_for =
 hidden = yes
 list = no
 location =
 prefix = ~/mail/
 separator = /
}
namespace compat3 {
 alias_for =
 hidden = yes
 list = no
 location =
 prefix = ~%u/mail/
 separator = /
}
namespace inbox {
 inbox = yes
 location =
 mailbox Archive {
   special_use = \Archive
 }
 mailbox "Deleted Messages" {
   autoexpunge = 30 days
   special_use = \Trash
 }
 mailbox Drafts {
   special_use = \Drafts
 }
 mailbox Junk {
   autoexpunge = 30 days
   special_use = \Junk
 }
 mailbox "Junk E-mail" {
   autoexpunge = 30 days
   special_use = \Junk
 }
 mailbox Sent {
   special_use = \Sent
 }
 mailbox "Sent Messages" {
   special_use = \Sent
 }
 mailbox Spam {
   autoexpunge = 30 days
   special_use = \Junk
 }
 mailbox Trash {
   autoexpunge = 30 days
   special_use = \Trash
 }
 prefix =
 separator = /
}
passdb {
 driver = pam
}
pop3_uidl_format = %08Xv%08Xu
ssl_cert = # REDACTED
ssl_cipher_list = # REDACTED
ssl_dh_parameters_length = # REDACTED
ssl_key =  # hidden, use -P to show it
ssl_prefer_server_ciphers = yes
userdb {
 driver = passwd
}




Re: Dovecot replication and userdb "noreplicate".

2019-08-07 Thread Reio Remma via dovecot

On 07/08/2019 09:29, Sami Ketola wrote:



On 6 Aug 2019, at 23.52, Reio Remma via dovecot  wrote:

service doveadm {
 user = vmail
}

This seems to have fixed it. Here's hoping for no unforeseen side-effects. :)

I still need allow dovecot_t ssh_exec_t:file { execute execute_no_trans open 
read }; for selinux, but there are no more errors in maillog and it can read 
both the key and known_hosts (from either /home/vmail/.ssh/known_hosts or 
/etc/ssh/ssh_known_hosts).

There might be. What we usually do is just allow dsync user to sudo doveadm 
dsync-server and then add sudo to dsync remote command.

Sami



Thanks! I'll keep it in mind in case I run into problems with doveadm as 
vmail. So far so good.


Thanks again!
Reio


Re: Dovecot replication and userdb "noreplicate".

2019-08-06 Thread Reio Remma via dovecot

On 06.08.2019 23:17, Reio Remma via dovecot wrote:

On 24.06.2019 16:25, Reio Remma wrote:

On 24.06.2019 8:21, Aki Tuomi wrote:

On 22.6.2019 22.00, Reio Remma via dovecot wrote:

Jun 22 16:55:22 host dovecot: dsync-local(u...@host.ee)<>: Error:
Remote command returned error 84: ssh -i /home/vmail/.ssh/vmail.pem -l
vmail backup.host.ee doveadm dsync-server -D -uu...@host.ee

PS: Getting SSH for Dovecot to work with SELinux on CentOS 7 was fun
as usual. :)

Dovecot under selinux works, as long as you do it the way the policy
writer intended, see https://linux.die.net/man/8/dovecot_selinux

Aki


For replication over SSH I had to add the following module:

module selinux-dovecot-replication-ssh 1.0;

require {
 type ssh_exec_t;
 type ssh_home_t;
 type dovecot_t;
 class file { open read execute execute_no_trans };
 class dir { getattr search };
}

#= dovecot_t ==
allow dovecot_t ssh_exec_t:file { open read execute execute_no_trans };
allow dovecot_t ssh_home_t:dir { getattr search };
allow dovecot_t ssh_home_t:file { open read };

ssh_exec_t to allow Dovecot to use ssh executable in the first place 
and ssh_home_t:dir + ssh_home_t:file for it to be able to read 
known_hosts from /root/.ssh


Reio


To cut down on selinux exceptions I put the destination host in 
/etc/ssh/ssh_known_hosts and dovecot successfully replicates, however 
I get the following log entry for every replicator action:


Aug  6 22:25:59 turin dovecot: doveadm: Error: Could not create 
directory '/root/.ssh'.


Replication is set up with the user vmail (/home/vmail and SSH key in 
/home/vmail/.ssh) and the minimum selinux rule to get Dovecot to read 
the key is:


allow dovecot_t ssh_exec_t:file { execute execute_no_trans open read };

Is there a way I can change from root to vmail user for creating the 
SSH connection?


Doveconf below:

# 2.3.7.1 (0152c8b10): /etc/dovecot/dovecot.conf

service doveadm {
  inet_listener http {
    address = localhost
    port = 8080
  }
}


service doveadm {
    user = vmail
}

This seems to have fixed it. Here's hoping for no unforeseen 
side-effects. :)


I still need allow dovecot_t ssh_exec_t:file { execute execute_no_trans 
open read }; for selinux, but there are no more errors in maillog and it 
can read both the key and known_hosts (from either 
/home/vmail/.ssh/known_hosts or /etc/ssh/ssh_known_hosts).


Reio


Re: Dovecot replication and userdb "noreplicate".

2019-08-06 Thread Reio Remma via dovecot

On 24.06.2019 16:25, Reio Remma wrote:

On 24.06.2019 8:21, Aki Tuomi wrote:

On 22.6.2019 22.00, Reio Remma via dovecot wrote:

Jun 22 16:55:22 host dovecot: dsync-local(u...@host.ee)<>: Error:
Remote command returned error 84: ssh -i /home/vmail/.ssh/vmail.pem -l
vmail backup.host.ee doveadm dsync-server -D -uu...@host.ee

PS: Getting SSH for Dovecot to work with SELinux on CentOS 7 was fun
as usual. :)

Dovecot under selinux works, as long as you do it the way the policy
writer intended, see https://linux.die.net/man/8/dovecot_selinux

Aki


For replication over SSH I had to add the following module:

module selinux-dovecot-replication-ssh 1.0;

require {
 type ssh_exec_t;
 type ssh_home_t;
 type dovecot_t;
 class file { open read execute execute_no_trans };
 class dir { getattr search };
}

#= dovecot_t ==
allow dovecot_t ssh_exec_t:file { open read execute execute_no_trans };
allow dovecot_t ssh_home_t:dir { getattr search };
allow dovecot_t ssh_home_t:file { open read };

ssh_exec_t to allow Dovecot to use ssh executable in the first place 
and ssh_home_t:dir + ssh_home_t:file for it to be able to read 
known_hosts from /root/.ssh


Reio


To cut down on selinux exceptions I put the destination host in 
/etc/ssh/ssh_known_hosts and dovecot successfully replicates, however I 
get the following log entry for every replicator action:


Aug  6 22:25:59 turin dovecot: doveadm: Error: Could not create 
directory '/root/.ssh'.


Replication is set up with the user vmail (/home/vmail and SSH key in 
/home/vmail/.ssh) and the minimum selinux rule to get Dovecot to read 
the key is:


allow dovecot_t ssh_exec_t:file { execute execute_no_trans open read };

Is there a way I can change from root to vmail user for creating the SSH 
connection?


Doveconf below:

# 2.3.7.1 (0152c8b10): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.7.1 (db5c74be)
# OS: Linux 4.4.186-1.el7.elrepo.x86_64 x86_64 CentOS Linux release 
7.6.1810 (Core)

# Hostname: turin.mrstuudio.ee
doveadm_api_key = # hidden, use -P to show it
dsync_remote_cmd = ssh -i /home/vmail/.ssh/vmail.pem -l %{login} %{host} 
doveadm dsync-server -u %u

mail_gid = vmail
mail_home = /home/vmail/%d/%n
mail_location = maildir:~/Maildir
mail_log_prefix = "%s(%u): "
mail_plugins = quota notify replication
mail_uid = vmail
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location =
  mailbox "Deleted Messages" {
    auto = no
    special_use = \Trash
  }
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Junk {
    auto = no
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    auto = no
    special_use = \Sent
  }
  mailbox Spam {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix = INBOX.
  separator = .
  type = private
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  mail_replica = remote:vmail@replica
}
protocols = imap lmtp
service aggregator {
  fifo_listener replication-notify-fifo {
    user = vmail
  }
  unix_listener replication-notify {
    user = vmail
  }
}
service doveadm {
  inet_listener http {
    address = localhost
    port = 8080
  }
}
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service lmtp {
  executable = lmtp -L
}
service replicator {
  process_min_avail = 1
  unix_listener replicator-doveadm {
    mode = 0600
    user = vmail
  }
}
service stats {
  unix_listener stats-writer {
    mode = 0666
  }
}
userdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  default_fields = uid=vmail gid=vmail
  driver = sql
}
protocol lmtp {
  mail_plugins = quota notify replication
}
protocol imap {
  imap_capability = +SPECIAL-USE
  imap_metadata = yes
  mail_max_userip_connections = 50
  mail_plugins = quota notify replication imap_quota
  namespace inbox {
    location =
    mailbox Ham {
  autoexpunge = 365 days
    }
    mailbox Spam {
  autoexpunge = 365 days
    }
    mailbox Trash {
  autoexpunge = 180 days
    }
    prefix =
  }
}

Thanks!
Reio


Re: doveadm: Error: open(/proc/self/io) failed

2019-07-30 Thread Reio Remma via dovecot

On 30.07.2019 20:07, Tom Diehl via dovecot wrote:


Does anyone have an Idea how to fix this?

Regards,



Perhaps see if there are any denials in SELinux audit log:

sudo grep denied /var/log/audit/audit.log | grep dovecot | audit2allow -a

Good luck,
Reio


Re: Dovecot with MySQL over SSL.

2019-07-22 Thread Reio Remma via dovecot

On 22.07.2019 16:05, Timo Sirainen via dovecot wrote:
On 20 Jul 2019, at 23.02, Reio Remma via dovecot <dovecot@dovecot.org> wrote:


On 20.07.2019 22:37, Aki Tuomi via dovecot wrote:


On 20/07/2019 21:07 Reio Remma via dovecot wrote:



On 20.07.2019 18:03, Aki Tuomi via dovecot wrote:


On 20/07/2019 13:12 Reio Remma via dovecot <dovecot@dovecot.org> wrote:



On 19.07.2019 0:24, Reio Remma via dovecot wrote:

I'm attempting to get Dovecot working with MySQL user database on
another machine. I can connect to the MySQL (5.7.26) instance with SSL
enabled:
mysql -h db.mrst.ee --ssl-ca=/etc/dovecot/ca.pem
--ssl-cert=/etc/dovecot/client-cert.pem
--ssl-key=/etc/dovecot/client-key.pem --ssl-cipher=DHE-RSA-AES256-SHA
-u vmail -p
However if I use the same values in dovecot-sql.conf.ext, I get the
following error:
Jul 19 00:20:18 turin dovecot: auth-worker(82996): Error:
mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection
error: protocol version mismatch - waiting for 1 seconds before retry
Jul 19 00:20:19 turin dovecot: auth-worker(82996): Error:
mysql(db.mrst.ee): Connect failed to database (vmail): Connections
using insecure transport are prohibited while
--require_secure_transport=ON. - waiting for 5 seconds before retry
Database connection string:
connect = host=db.mrst.ee dbname=vmail user=vmail password=stuff \
    ssl_ca=/etc/dovecot/ca.pem \
    ssl_cert=/etc/dovecot/client-cert.pem \
    ssl_key=/etc/dovecot/client-key.pem \
    ssl_cipher=DHE-RSA-AES256-SHA
Update: I got it to connect successfully now after downgrading the MySQL
server tls-version from TLSv1.1 to TLSv1.

Is there a reason why Dovecot MySQL doesn't support TLSv1.1?

Thanks!
Reio


Dovecot mysql uses libmysqlclient. We do not enforce any 
particular tls protocol version. If it requires you to downgrade I 
suggest you review your client my.cnf for any restrictions.

---
Aki Tuomi


Thanks Aki! I'm looking at it now and despite identical MySQL 
5.7.26 versions on both systems, it seems Dovecot is using 
libmysqlclient 5.6.37.


Dovecot seems to be using the older libmysqlclient.so.18.1.0 
(5.6.37) from mysql-community-libs-compat 5.7.26 instead of the 
newer libmysqlclient.so.20.3.13 (5.7.26) from mysql-community-libs 
5.7.26.


If I try to remove the libs-compat, yum also insists on removing 
dovecot-mysql, so it depends on the older libmysqlclient and 
ignores the newer one.


I don't suspect I can do anything on my end to force the Dovecot 
CentOS package to use the non-compat libmysqlclient?


Thanks,
Reio 


What repo are you using?
---
Aki Tuomi


Installed Packages
dovecot-mysql.x86_64 2:2.3.7-8 @dovecot-2.3-latest
mysql-community-libs.x86_64 5.7.26-1.el7 @mysql57-community

Both are from official repos.


dovecot-mysql package is built against the mariadb library that comes 
with CentOS 7. If you want it to work against other libmysqlclient 
versions you'd need to compile it yourself: 
https://repo.dovecot.org/ce-2.3.7/centos/7/SRPMS/2.3.7-8_ce/


Thanks, I'm again one experience richer after compiling Dovecot from the 
source RPM. Nicely running with TLSv1.1 now.


Thanks!
Reio


Re: Dovecot with MySQL over SSL.

2019-07-20 Thread Reio Remma via dovecot

On 20.07.2019 22:37, Aki Tuomi via dovecot wrote:



On 20/07/2019 21:07 Reio Remma via dovecot wrote:


On 20.07.2019 18:03, Aki Tuomi via dovecot wrote:


On 20/07/2019 13:12 Reio Remma via dovecot <dovecot@dovecot.org> wrote:



On 19.07.2019 0:24, Reio Remma via dovecot wrote:

I'm attempting to get Dovecot working with MySQL user database on
another machine. I can connect to the MySQL (5.7.26) instance with SSL
enabled:
mysql -h db.mrst.ee --ssl-ca=/etc/dovecot/ca.pem
--ssl-cert=/etc/dovecot/client-cert.pem
--ssl-key=/etc/dovecot/client-key.pem --ssl-cipher=DHE-RSA-AES256-SHA
-u vmail -p
However if I use the same values in dovecot-sql.conf.ext, I get the
following error:
Jul 19 00:20:18 turin dovecot: auth-worker(82996): Error:
mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection
error: protocol version mismatch - waiting for 1 seconds before retry
Jul 19 00:20:19 turin dovecot: auth-worker(82996): Error:
mysql(db.mrst.ee): Connect failed to database (vmail): Connections
using insecure transport are prohibited while
--require_secure_transport=ON. - waiting for 5 seconds before retry
Database connection string:
connect = host=db.mrst.ee dbname=vmail user=vmail password=stuff \
    ssl_ca=/etc/dovecot/ca.pem \
    ssl_cert=/etc/dovecot/client-cert.pem \
    ssl_key=/etc/dovecot/client-key.pem \
    ssl_cipher=DHE-RSA-AES256-SHA
Update: I got it to connect successfully now after downgrading the MySQL
server tls-version from TLSv1.1 to TLSv1.

Is there a reason why Dovecot MySQL doesn't support TLSv1.1?

Thanks!
Reio


Dovecot mysql uses libmysqlclient. We do not enforce any particular 
tls protocol version. If it requires you to downgrade I suggest you 
review your client my.cnf for any restrictions.

---
Aki Tuomi


Thanks Aki! I'm looking at it now and despite identical MySQL 5.7.26 
versions on both systems, it seems Dovecot is using libmysqlclient 
5.6.37.


Dovecot seems to be using the older libmysqlclient.so.18.1.0 (5.6.37) 
from mysql-community-libs-compat 5.7.26 instead of the newer 
libmysqlclient.so.20.3.13 (5.7.26) from mysql-community-libs 5.7.26.


If I try to remove the libs-compat, yum also insists on removing 
dovecot-mysql, so it depends on the older libmysqlclient and ignores 
the newer one.


I don't suspect I can do anything on my end to force the Dovecot 
CentOS package to use the non-compat libmysqlclient?


Thanks,
Reio 


What repo are you using?
---
Aki Tuomi


Installed Packages
dovecot-mysql.x86_64 2:2.3.7-8 @dovecot-2.3-latest
mysql-community-libs.x86_64 5.7.26-1.el7 @mysql57-community

Both are from official repos.

Thanks,
Reio


Re: Dovecot with MySQL over SSL.

2019-07-20 Thread Reio Remma via dovecot

On 20.07.2019 18:03, Aki Tuomi via dovecot wrote:


On 20/07/2019 13:12 Reio Remma via dovecot <dovecot@dovecot.org> wrote:



On 19.07.2019 0:24, Reio Remma via dovecot wrote:

I'm attempting to get Dovecot working with MySQL user database on
another machine. I can connect to the MySQL (5.7.26) instance with SSL
enabled:
mysql -h db.mrst.ee --ssl-ca=/etc/dovecot/ca.pem
--ssl-cert=/etc/dovecot/client-cert.pem
--ssl-key=/etc/dovecot/client-key.pem --ssl-cipher=DHE-RSA-AES256-SHA
-u vmail -p
However if I use the same values in dovecot-sql.conf.ext, I get the
following error:
Jul 19 00:20:18 turin dovecot: auth-worker(82996): Error:
mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection
error: protocol version mismatch - waiting for 1 seconds before retry
Jul 19 00:20:19 turin dovecot: auth-worker(82996): Error:
mysql(db.mrst.ee): Connect failed to database (vmail): Connections
using insecure transport are prohibited while
--require_secure_transport=ON. - waiting for 5 seconds before retry
Database connection string:
connect = host=db.mrst.ee dbname=vmail user=vmail password=stuff \
    ssl_ca=/etc/dovecot/ca.pem \
    ssl_cert=/etc/dovecot/client-cert.pem \
    ssl_key=/etc/dovecot/client-key.pem \
    ssl_cipher=DHE-RSA-AES256-SHA

Update: I got it to connect successfully now after downgrading the MySQL
server tls-version from TLSv1.1 to TLSv1.

Is there a reason why Dovecot MySQL doesn't support TLSv1.1?

Thanks!
Reio


Dovecot mysql uses libmysqlclient. We do not enforce any particular 
tls protocol version. If it requires you to downgrade I suggest you 
review your client my.cnf for any restrictions.

---
Aki Tuomi


Thanks Aki! I'm looking at it now and despite identical MySQL 5.7.26 
versions on both systems, it seems Dovecot is using libmysqlclient 5.6.37.


Dovecot seems to be using the older libmysqlclient.so.18.1.0 (5.6.37) 
from mysql-community-libs-compat 5.7.26 instead of the newer 
libmysqlclient.so.20.3.13 (5.7.26) from mysql-community-libs 5.7.26.


If I try to remove the libs-compat, yum also insists on removing 
dovecot-mysql, so it depends on the older libmysqlclient and ignores the 
newer one.


I don't suspect I can do anything on my end to force the Dovecot CentOS 
package to use the non-compat libmysqlclient?


Thanks,
Reio


Re: Dovecot with MySQL over SSL.

2019-07-20 Thread Reio Remma via dovecot

On 20.07.2019 17:52, John Fawcett via dovecot wrote:

On 18/07/2019 23:24, Reio Remma via dovecot wrote:

Hello!

I'm attempting to get Dovecot working with MySQL user database on
another machine. I can connect to the MySQL (5.7.26) instance with SSL
enabled:

  mysql -h db.mrst.ee --ssl-ca=/etc/dovecot/ca.pem
--ssl-cert=/etc/dovecot/client-cert.pem
--ssl-key=/etc/dovecot/client-key.pem --ssl-cipher=DHE-RSA-AES256-SHA
-u vmail -p

However if I use the same values in dovecot-sql.conf.ext, I get the
following error:

Jul 19 00:20:18 turin dovecot: master: Dovecot v2.3.7 (494d20bdc)
starting up for imap, lmtp, sieve (core dumps disabled)
Jul 19 00:20:18 turin dovecot: auth-worker(82996): Error:
mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection
error: protocol version mismatch - waiting for 1 seconds before retry
Jul 19 00:20:18 turin dovecot: auth-worker(82996): Error:
mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection
error: protocol version mismatch - waiting for 1 seconds before retry
Jul 19 00:20:19 turin dovecot: auth-worker(82996): Error:
mysql(db.mrst.ee): Connect failed to database (vmail): Connections
using insecure transport are prohibited while
--require_secure_transport=ON. - waiting for 5 seconds before retry
Jul 19 00:20:19 turin dovecot: auth-worker(82996): Error:
mysql(db.mrst.ee): Connect failed to database (vmail): Connections
using insecure transport are prohibited while
--require_secure_transport=ON. - waiting for 5 seconds before retry

Database connection string:

connect = host=db.mrst.ee dbname=vmail user=vmail password=stuff \
     ssl_ca=/etc/dovecot/ca.pem \
     ssl_cert=/etc/dovecot/client-cert.pem \
     ssl_key=/etc/dovecot/client-key.pem \
     ssl_cipher=DHE-RSA-AES256-SHA

If I leave the ssl_cipher unset, I get:

Jul 19 00:23:41 turin dovecot: auth-worker(83069): Error:
mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection
error: Failed to set ciphers to use - waiting for 1 seconds before retry

Any ideas?

Thanks!
Reio

One difference between your testing manually with mysql client and the
same configuration in dovecot is the "ssl_verify_server_cert" parameter.
Dovecot is setting it if it is not specified. So to make the tests the
same you should either specify the --ssl_verify_server_cert parameter to
mysql or set it to no in the dovecot configuration.

John


This works as well:

mysql -h db.mrst.ee --ssl-ca=/etc/dovecot/ca.pem 
--ssl-cert=/etc/dovecot/client-cert.pem 
--ssl-key=/etc/dovecot/client-key.pem --ssl-cipher=DHE-RSA-AES256-SHA 
--ssl-mode=VERIFY_IDENTITY -u vmail -p


Protocol mismatch persists when I set ssl_verify_server_cert=no for 
Dovecot MySQL connection.


Thanks,
Reio


Re: Dovecot with MySQL over SSL.

2019-07-20 Thread Reio Remma via dovecot

On 19.07.2019 0:24, Reio Remma via dovecot wrote:
I'm attempting to get Dovecot working with MySQL user database on 
another machine. I can connect to the MySQL (5.7.26) instance with SSL 
enabled:


mysql -h db.mrst.ee --ssl-ca=/etc/dovecot/ca.pem 
--ssl-cert=/etc/dovecot/client-cert.pem 
--ssl-key=/etc/dovecot/client-key.pem --ssl-cipher=DHE-RSA-AES256-SHA 
-u vmail -p


However if I use the same values in dovecot-sql.conf.ext, I get the 
following error:


Jul 19 00:20:18 turin dovecot: auth-worker(82996): Error: 
mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection 
error: protocol version mismatch - waiting for 1 seconds before retry
Jul 19 00:20:19 turin dovecot: auth-worker(82996): Error: 
mysql(db.mrst.ee): Connect failed to database (vmail): Connections 
using insecure transport are prohibited while 
--require_secure_transport=ON. - waiting for 5 seconds before retry


Database connection string:

connect = host=db.mrst.ee dbname=vmail user=vmail password=stuff \
    ssl_ca=/etc/dovecot/ca.pem \
    ssl_cert=/etc/dovecot/client-cert.pem \
    ssl_key=/etc/dovecot/client-key.pem \
    ssl_cipher=DHE-RSA-AES256-SHA


Update: I got it to connect successfully now after downgrading the MySQL 
server tls-version from TLSv1.1 to TLSv1.


Is there a reason why Dovecot MySQL doesn't support TLSv1.1?

Thanks!
Reio


Dovecot with MySQL over SSL.

2019-07-18 Thread Reio Remma via dovecot

Hello!

I'm attempting to get Dovecot working with MySQL user database on 
another machine. I can connect to the MySQL (5.7.26) instance with SSL 
enabled:


mysql -h db.mrst.ee --ssl-ca=/etc/dovecot/ca.pem \
    --ssl-cert=/etc/dovecot/client-cert.pem \
    --ssl-key=/etc/dovecot/client-key.pem --ssl-cipher=DHE-RSA-AES256-SHA \
    -u vmail -p


However if I use the same values in dovecot-sql.conf.ext, I get the 
following error:


Jul 19 00:20:18 turin dovecot: master: Dovecot v2.3.7 (494d20bdc) 
starting up for imap, lmtp, sieve (core dumps disabled)
Jul 19 00:20:18 turin dovecot: auth-worker(82996): Error: 
mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection 
error: protocol version mismatch - waiting for 1 seconds before retry
Jul 19 00:20:18 turin dovecot: auth-worker(82996): Error: 
mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection 
error: protocol version mismatch - waiting for 1 seconds before retry
Jul 19 00:20:19 turin dovecot: auth-worker(82996): Error: 
mysql(db.mrst.ee): Connect failed to database (vmail): Connections using 
insecure transport are prohibited while --require_secure_transport=ON. - 
waiting for 5 seconds before retry
Jul 19 00:20:19 turin dovecot: auth-worker(82996): Error: 
mysql(db.mrst.ee): Connect failed to database (vmail): Connections using 
insecure transport are prohibited while --require_secure_transport=ON. - 
waiting for 5 seconds before retry


Database connection string:

connect = host=db.mrst.ee dbname=vmail user=vmail password=stuff \
    ssl_ca=/etc/dovecot/ca.pem \
    ssl_cert=/etc/dovecot/client-cert.pem \
    ssl_key=/etc/dovecot/client-key.pem \
    ssl_cipher=DHE-RSA-AES256-SHA

If I leave the ssl_cipher unset, I get:

Jul 19 00:23:41 turin dovecot: auth-worker(83069): Error: 
mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection 
error: Failed to set ciphers to use - waiting for 1 seconds before retry


Any ideas?

Thanks!
Reio
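
The three connection failures quoted in this post, grouped by cause. This is an added example, not part of the original message or of Dovecot; the sample log is constructed from the lines quoted above and the label names are this example's own.

```python
import re

# Constructed sample: errors quoted in the thread, e-mail line wrapping kept.
SAMPLE_LOG = """\
Jul 19 00:20:18 turin dovecot: auth-worker(82996): Error:
mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection
error: protocol version mismatch - waiting for 1 seconds before retry
Jul 19 00:20:19 turin dovecot: auth-worker(82996): Error:
mysql(db.mrst.ee): Connect failed to database (vmail): Connections using
insecure transport are prohibited while --require_secure_transport=ON. -
waiting for 5 seconds before retry
Jul 19 00:23:41 turin dovecot: auth-worker(83069): Error:
mysql(db.mrst.ee): Connect failed to database (vmail): SSL connection
error: Failed to set ciphers to use - waiting for 1 seconds before retry
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
FAILURE = re.compile(
    r"auth-worker\((?P<pid>\d+)\): Error: mysql\((?P<host>[^)]+)\): "
    r"Connect failed to database \((?P<db>[^)]+)\): (?P<reason>.+?)"
    r" - waiting for \d+ seconds before retry")

CAUSES = {  # error substring -> triage label (labels are this example's own)
    "protocol version mismatch": "tls-version-mismatch",
    "Failed to set ciphers": "tls-cipher-setup-failed",
    "insecure transport are prohibited": "server-refused-non-tls",
}

def unwrap(text):
    """Join wrapped continuation lines onto the syslog record they belong to."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if STAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def classify(text):
    """Return (pid, host, db, label) for each MySQL connect failure."""
    found = []
    for rec in unwrap(text):
        if m := FAILURE.search(rec):
            label = next((v for k, v in CAUSES.items() if k in m["reason"]), "other")
            found.append((int(m["pid"]), m["host"], m["db"], label))
    return found

if __name__ == "__main__":
    for row in classify(SAMPLE_LOG):
        print(row)
```

In the follow-up message of this thread, the first of these causes went away after the MySQL server's tls-version setting was changed.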


Re: Replication issue 2.3.7

2019-07-13 Thread Reio Remma via dovecot

On 13.07.2019 12:13, Reio Remma via dovecot wrote:

Hello!

I noticed these in the logs since upgrading from 2.3.6 to 2.3.7:

Jul 13 11:52:10 turin dovecot: doveadm: Error: 
dsync-remote(r...@mrstuudio.ee): Error: 
Exporting mailbox INBOX failed: Mailbox attribute 
vendor/vendor.dovecot/pvt/server/sieve/files/MR lookup failed: Mailbox 
attributes not enabled
Jul 13 11:52:11 turin dovecot: doveadm: Error: 
dsync-remote(r...@mrstuudio.ee): Error: 
Exporting mailbox INBOX failed: Mailbox attribute 
vendor/vendor.dovecot/pvt/server/sieve/files/MR lookup failed: Mailbox 
attributes not enabled


After turning on mailbox attributes these errors went away:

mail_attribute_dict = file:~/Maildir/dovecot-attributes

protocol imap {
    imap_metadata = yes
}

But now the errors are replaced with (when deleting mail):

Jul 13 12:04:32 turin dovecot: imap(r...@mrstuudio.ee): Warning: 
/home/vmail/mrstuudio.ee/reio/Maildir/dovecot-uidlist: Duplicate file 
entry at line 2: 
1563008644.M18534P25946.orc.mrstuudio.ee,S=4180,W=4262 (uid 23030 -> 
23031) - retrying by re-reading from beginning
Jul 13 12:04:32 turin dovecot: imap(r...@mrstuudio.ee): Warning: 
Maildir /home/vmail/mrstuudio.ee/reio/Maildir: Expunged message 
reappeared, giving a new UID (old uid=23030, 
file=1563008644.M18534P25946.orc.mrstuudio.ee,S=4180,W=4262:2,S)


The mail message reappears on the other side of dsync and eventually I 
end up with 3 identical messages in trash after I've deleted them on 
both sides.


Thanks for any advice,
Reio


More info:

the issue manifests itself when I read a freshly arrived message on one 
server and then delete it on the other server.


If I delete it on the same server after reading, it seems to work.

The mail client is Thunderbird.

Reio


Replication issue 2.3.7

2019-07-13 Thread Reio Remma via dovecot

Hello!

I noticed these in the logs since upgrading from 2.3.6 to 2.3.7:

Jul 13 11:52:10 turin dovecot: doveadm: Error: 
dsync-remote(r...@mrstuudio.ee): Error: 
Exporting mailbox INBOX failed: Mailbox attribute 
vendor/vendor.dovecot/pvt/server/sieve/files/MR lookup failed: Mailbox 
attributes not enabled
Jul 13 11:52:11 turin dovecot: doveadm: Error: 
dsync-remote(r...@mrstuudio.ee): Error: 
Exporting mailbox INBOX failed: Mailbox attribute 
vendor/vendor.dovecot/pvt/server/sieve/files/MR lookup failed: Mailbox 
attributes not enabled


After turning on mailbox attributes these errors went away:

mail_attribute_dict = file:~/Maildir/dovecot-attributes

protocol imap {
    imap_metadata = yes
}

But now the errors are replaced with (when deleting mail):

Jul 13 12:04:32 turin dovecot: imap(r...@mrstuudio.ee): Warning: 
/home/vmail/mrstuudio.ee/reio/Maildir/dovecot-uidlist: Duplicate file 
entry at line 2: 1563008644.M18534P25946.orc.mrstuudio.ee,S=4180,W=4262 
(uid 23030 -> 23031) - retrying by re-reading from beginning
Jul 13 12:04:32 turin dovecot: imap(r...@mrstuudio.ee): Warning: Maildir 
/home/vmail/mrstuudio.ee/reio/Maildir: Expunged message reappeared, 
giving a new UID (old uid=23030, 
file=1563008644.M18534P25946.orc.mrstuudio.ee,S=4180,W=4262:2,S)


The mail message reappears on the other side of dsync and eventually I 
end up with 3 identical messages in trash after I've deleted them on 
both sides.


Thanks for any advice,
Reio


Re: Pigeonhole release v0.5.7

2019-07-12 Thread Reio Remma via dovecot

On 12.07.2019 22:41, Reio Remma via dovecot wrote:

On 12.07.2019 22:15, Timo Sirainen via dovecot wrote:
On 12 Jul 2019, at 21.09, Reio Remma via dovecot <dovecot@dovecot.org> wrote:



- dsync: dsync-replication does not synchronize Sieve scripts.


Sieve replication still doesn't work for me. dsync now replicated 
sieve and sieve/tmp directories, but neither actual sieve files nor 
@.dovecot.sieve link.


What if you change the Sieve script? It probably doesn't immediately 
replicate old scripts.




It indeed works then, thanks! Just existing scripts aren't replicated 
then.


Good luck!
Reio


And... I see another user's untouched script has replicated too now.

It's possible the empty directories had replicated with 2.3.6 and the 
scripts just hadn't replicated yet with 2.3.7 when I looked earlier.


Thanks again!
Reio


Re: Pigeonhole release v0.5.7

2019-07-12 Thread Reio Remma via dovecot

On 12.07.2019 22:15, Timo Sirainen via dovecot wrote:
On 12 Jul 2019, at 21.09, Reio Remma via dovecot <dovecot@dovecot.org> wrote:



- dsync: dsync-replication does not synchronize Sieve scripts.


Sieve replication still doesn't work for me. dsync now replicated 
sieve and sieve/tmp directories, but neither actual sieve files nor 
@.dovecot.sieve link.


What if you change the Sieve script? It probably doesn't immediately 
replicate old scripts.




It indeed works then, thanks! Just existing scripts aren't replicated then.

Good luck!
Reio



Re: Pigeonhole release v0.5.7

2019-07-12 Thread Reio Remma via dovecot

On 12.07.2019 15:29, Aki Tuomi via dovecot wrote:

Hi!

We are pleased to release Pigeonhole release v0.5.7.

Tarball is available at

https://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-0.5.7.tar.gz
https://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-0.5.7.tar.gz.sig

Binary packages are available at https://repo.dovecot.org/

Changes
---
+ vacation: Made the subject for the automatic response message produced
   by the Sieve vacation action configurable. Both the default subject
   (if the script defines none) and the subject template (e.g. used to
   add a subject prefix) can be configured.
- dsync: dsync-replication does not synchronize Sieve scripts.


Sieve replication still doesn't work for me. dsync now replicated sieve 
and sieve/tmp directories, but neither actual sieve files nor 
@.dovecot.sieve link.


Reio


Re: Dovecot replication and userdb "noreplicate".

2019-06-24 Thread Reio Remma via dovecot

On 24.06.2019 8:21, Aki Tuomi wrote:

On 22.6.2019 22.00, Reio Remma via dovecot wrote:

Hello!

I finally took the time and spent two days to set up replication for
my server and now I have a question or two.

I initially set noreplicate userdb field to 1 for all but a test user,
but I could still see in the logs that all mailboxes were trying to
connect to the other server via SSH. Is that normal?

Jun 22 16:55:22 host dovecot: dsync-local(u...@host.ee)<>: Error:
Remote command returned error 84: ssh -i /home/vmail/.ssh/vmail.pem -l
vmail backup.host.ee doveadm dsync-server -D -u u...@host.ee

Then I ended up setting mail_replica in userdb for only my test user,
but I could still see in the logs that it was trying to sync the
others as well, despite mail_replica being 0 for the rest.

Jun 22 20:52:59 host dovecot: doveadm(u...@host.ee): Fatal: -N
parameter requires syncing with remote host

I also notice (and read from recent posts) that sieve script
replication doesn't work at all.

Dovecot v2.3.6 and Pigeonhole from the official Dovecot CentOS repo.

Thanks,
Reio
PS: Getting SSH for Dovecot to work with SELinux on CentOS 7 was fun
as usual. :)


Hi!

We are fixing this in 2.3.7, noreplicate works but causes errors. You
can try
https://github.com/dovecot/core/compare/6d5b4b5%5E..93945ec.patch if you
are compiling yourself.

Dovecot under selinux works, as long as you do it the way the policy
writer intended, see https://linux.die.net/man/8/dovecot_selinux

Aki


For replication over SSH I had to add the following module:

module selinux-dovecot-replication-ssh 1.0;

require {
    type ssh_exec_t;
    type ssh_home_t;
    type dovecot_t;
    class file { open read execute execute_no_trans };
    class dir { getattr search };
}

#= dovecot_t ==
allow dovecot_t ssh_exec_t:file { open read execute execute_no_trans };
allow dovecot_t ssh_home_t:dir { getattr search };
allow dovecot_t ssh_home_t:file { open read };


ssh_exec_t to allow Dovecot to use ssh executable in the first place and 
ssh_home_t:dir + ssh_home_t:file for it to be able to read known_hosts 
from /root/.ssh


Reio