Re: [Dovecot] How to integrate dspam and dovecot
On Tue, 2007-04-03 at 10:45 +0530, Manilal K M wrote:

> > dspam will never include the plugin, and nor will dovecot since it's just a bridge between the two. You need to read and understand that page and then compile the plugin yourself.
> >
> > johannes
>
> Thanks Johannes for your comments. I am also trying to explore other possibilities.

Also, I forgot one thing: It's not a plugin for dspam, it's a plugin for dovecot that links dspam to dovecot.

johannes
Re: [Dovecot] How to integrate dspam and dovecot
On 03/04/07, Johannes Berg [EMAIL PROTECTED] wrote:

> On Tue, 2007-04-03 at 10:45 +0530, Manilal K M wrote:
>
> > > dspam will never include the plugin, and nor will dovecot since it's just a bridge between the two. You need to read and understand that page and then compile the plugin yourself.
> > >
> > > johannes
> >
> > Thanks Johannes for your comments. I am also trying to explore other possibilities.
>
> Also, I forgot one thing: It's not a plugin for dspam, it's a plugin for dovecot that links dspam to dovecot.

I know :)

> johannes

--
Better to light one candle than to curse the darkness.
Blog: http://librewings.blogspot.com
Blog: http://flossvalley.blogspot.com
[Dovecot] No CA names sent in TLS handshake
Hello,

I'm setting up Dovecot with client certificates and everything is working fine as long as the client only has one certificate in his store. If he has more than one, the wrong one might be sent to the server.

The root of the problem is that Dovecot does not send out a list of valid CA names in the TLS handshake. If I connect using openssl s_client I get:

    No client certificate CA names sent

I am using Dovecot 1.0 RC15 from backports.org. Is there a solution to this problem?

Regards,
Johnny
Re: [Dovecot] How to integrate dspam and dovecot
On 03/04/07, Johannes Berg [EMAIL PROTECTED] wrote:

> On Tue, 2007-04-03 at 12:21 +0530, Manilal K M wrote:
>
> > > Also, I forgot one thing: It's not a plugin for dspam, it's a plugin for dovecot that links dspam to dovecot.
> >
> > I know :)
>
> :) It seemed you were a bit confused when you asked if it would be included with dspam.
>
> FWIW, I'm using it with dspam 3.6.8 from debian. But I have a per-user setup, if you want a virtual user setup you probably need to do a bit more work since the plugin will actually need to call the dspam binary with a --user argument which requires a plugin modification. I know that some people have done this modification, but I haven't received any patches. If you get it to work a patch would be welcome.
>
> johannes

Basically my primary objective is to prevent spam and today I got an interesting link to it:
http://searchenterpriselinux.techtarget.com/tip/0%2C289483%2Csid39_gci1235770%2C00.html
and
http://www.oreillynet.com/pub/a/sysadmin/2005/09/15/qpsmtpd.html

I think this method is more reliable since I am playing with a production server. I will surely try to contribute to dovecot, but there is a long way to go ...

regards
Manilal

--
Better to light one candle than to curse the darkness.
Blog: http://librewings.blogspot.com
Blog: http://flossvalley.blogspot.com
[Dovecot] [OT] my anti-spam integration (was: Re: How to integrate dspam and dovecot)
On Tue, 2007-04-03 at 13:38 +0530, Manilal K M wrote:

> Basically my primary objective is to prevent spam and today i got an interesting link to it:
> http://searchenterpriselinux.techtarget.com/tip/0%2C289483%2Csid39_gci1235770%2C00.html
> and
> http://www.oreillynet.com/pub/a/sysadmin/2005/09/15/qpsmtpd.html

Nothing stops you from using that together with dspam to filter everything it let through. Here's my setup:

In my exim, during SMTP, I check what dspam thinks about the email (if it's directed to a single user and that user has opted in to this service.) Then, if the spamminess of the email is higher than that user's threshold, I fake-reject the email with a message like:

    Your email was determined to be spam. Send email to secret@domain if that wasn't true.

Since it's fake-reject the email body is still used, I store it in a database for later.

Then, the mail gets delivered to maildrop for each user, which is globally configured to run dspam if it hasn't been run in the smtp session already. Then, depending on the dspam verdict Spam/Innocent, the mail is sorted into either the SPAM folder or handed to the user's filters.

Now the dovecot plugin comes into play. When a user determines that a mail was sorted wrongly, it simply retrains dspam by moving the message into or out of the SPAM folder. This is the great thing about the dspam plugin here.

Mail that has been fake-rejected above is cleaned from the database every 2 weeks or so by a cronjob. If mail is sent to secret@domain, then that email is rejected with a message saying:

    Your previous email has been released and delivered to the original recipient.

Where exactly that happens, and dspam is also trained with that message.

Of course, dovecot is only involved in a tiny step here... dovecot/dspam integration requires my plugin for dovecot, exim/dspam integration is done via that fake spamassassin server for dspam that's also available on my homepage.

johannes
Re: [Dovecot] dovecot forward multipart problem
Timo Sirainen wrote:

> On Mon, 2007-04-02 at 22:01 +0200, Samuel HAMEAU wrote:
>
> > I experience problems every time I forward a mail (basically, when forwarding an email containing an attachment) .. Here is as attachment a diff of two maildir files : the one in the sent folder, and the one received in an external domain.
>
> I didn't really understand where you're forwarding the mail to. Is Dovecot also running there?

I was forwarding a mail coming from a user of the same domain (we are running dovecot/maildir), to another domain which is running cyrus-imap on mailbox.

> The extra '>' is added if the other server stores mails in mbox format and the mail isn't saved with Dovecot LDA. Dovecot currently doesn't remove the '>' from From lines. Perhaps in future it should.
>
> But are you even running Dovecot in the remote server? Is this a Dovecot problem at all?

I'm not sure, I'll try to post another diff from a forwarded mail in our domain, with the same problem description.

Thanks for your answer.

Samuel HAMEAU
Re: [Dovecot] dovecot forward multipart problem
On Tue, 2007-04-03 at 11:28 +0200, Samuel HAMEAU wrote:

> > I didn't really understand where you're forwarding the mail to. Is Dovecot also running there?
>
> I was forwarding a mail comming from a user of the same domain (we are running dovecot/maildir), to another domain which is running cyrus-imap on mailbox.

So you have a correct mail in Dovecot system, but after sending it via SMTP to Cyrus running server it's broken in there? And if you look at it in Dovecot's Sent messages mailbox, it's still correct in there? If so, it can't be a Dovecot problem.
Re: [Dovecot] No CA names sent in TLS handshake
On Tue, 2007-04-03 at 09:47 +0200, Johnny Chadda wrote:

> Hello,
>
> I'm setting up Dovecot with client certificates and everything is working fine as long as the client only has one certificate in his store. If he has more than one, the wrong one might be sent to the server.
>
> The root of the problem is that Dovecot does not send out a list of valid CA names in the TLS handshake. If I connect using openssl s_client I get:
>
>     No client certificate CA names sent

Well, I'm not that big of an OpenSSL guru, but googling shows that with other software it's often a certificate configuration problem. Did you set ssl_ca_file and does the file contain a valid CA and CRL?
Re: [Dovecot] No CA names sent in TLS handshake
Timo Sirainen wrote:

> Well, I'm not that big of an OpenSSL guru, but googling shows that with other software it's often a certificate configuration problem. Did you set ssl_ca_file and does the file contain a valid CA and CRL?

Yes, the certificates are Ok. It works if I explicitly select which client certificate to send to the server from the mail client. Normal users shouldn't have to do this though. It should be selected based on which accepted CA names the server sends.

It works fine in Cyrus (which I will use if this does not work) and Postfix.
Re: [Dovecot] No CA names sent in TLS handshake
On Tue, 2007-04-03 at 11:50 +0200, Johnny Chadda wrote: Timo Sirainen wrote: Well, I'm not that big of an OpenSSL guru, but googling shows that with other software it's often a certificate configuration problem. Did you set ssl_ca_file and does the file contain a valid CA and CRL? Yes, the certificates are Ok. It works if I explicitly select which client certificate to send to the server from the mail client. Normal users shouldn't have to do this though. It should be selected based on which accepted CA names the server sends. It works fine in Cyrus (which I will use if this does not work) and Postfix. Does the attached patch fix it? Index: src/login-common/ssl-proxy-openssl.c === RCS file: /var/lib/cvs/dovecot/src/login-common/ssl-proxy-openssl.c,v retrieving revision 1.55 diff -u -r1.55 ssl-proxy-openssl.c --- src/login-common/ssl-proxy-openssl.c 18 Mar 2007 02:51:19 - 1.55 +++ src/login-common/ssl-proxy-openssl.c 3 Apr 2007 09:55:23 - @@ -756,6 +756,8 @@ SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, ssl_verify_client_cert); + SSL_CTX_set_client_CA_list(ssl_ctx, + SSL_load_client_CA_file(cafile)); } /* PRNG initialization might want to use /dev/urandom, make sure it signature.asc Description: This is a digitally signed message part
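Review bot: the result of SSL_load_client_CA_file(cafile) goes straight into SSL_CTX_set_client_CA_list() in the two added lines with no NULL check. SSL_load_client_CA_file() returns NULL when the file cannot be opened or parsed, and in that case the server would again advertise no CA names, which is the symptom reported in this thread, with nothing logged to explain it. Load the list into a local variable, log an error and refuse to start if it is NULL, and only then pass it to SSL_CTX_set_client_CA_list(). A short comment would also help future readers: this list is only the hint sent to clients so they can pick a certificate, and it does not change which CAs ssl_verify_client_cert accepts.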
Re: [Dovecot] How to integrate dspam and dovecot
Manilal K M wrote:

> On 03/04/07, Johannes Berg [EMAIL PROTECTED] wrote:
>
> > On Tue, 2007-04-03 at 12:21 +0530, Manilal K M wrote:
> >
> > > > Also, I forgot one thing: It's not a plugin for dspam, it's a plugin for dovecot that links dspam to dovecot.
> > >
> > > I know :)
> >
> > :) It seemed you were a bit confused when you asked if it would be included with dspam.
> >
> > FWIW, I'm using it with dspam 3.6.8 from debian. But I have a per-user setup, if you want a virtual user setup you probably need to do a bit more work since the plugin will actually need to call the dspam binary with a --user argument which requires a plugin modification. I know that some people have done this modification, but I haven't received any patches. If you get it to work a patch would be welcome.
> >
> > johannes
>
> Basically my primary objective is to prevent spam and today i got an interesting link to it:
> http://searchenterpriselinux.techtarget.com/tip/0%2C289483%2Csid39_gci1235770%2C00.html
> and
> http://www.oreillynet.com/pub/a/sysadmin/2005/09/15/qpsmtpd.html
>
> I think this method is more reliable since I am playing with a production server. I will surely try to contribute to dovecot, but there is a long way to go ...
>
> regards
> Manilal

I've had several setups for SPAM/Virus handling in qmail servers, and the best solution so far was a combination of simscan + dspam + clamav. All the other qmail-queue replacements I've tried, including qpsmtpd, were just too expensive regarding system resources. Most solutions involving perl will simply not do, at least for me, on account of perl overhead.

Right now I have several production environments, one of which is rather large, and I've been rather happy with the implementation outcome. That setup includes qmail-ldap with some patches for greylisting and greeting delay, simscan with a patch to handle dspam internal quarantine engine, dspam with a patch to allow user checking/address alias mapping, clamav, maildrop for server side filtering and finally dovecot with Johannes' dspam plugin.

Besides the regular locations for all that software, you might consider taking a look at the set of patches I mentioned. The link is http://pessoa.fct.unl.pt/hmmm/files/anti-spam/

Regards,
Hugo Monteiro.

--
ci.fct.unl.pt:~# cat .signature

Hugo Monteiro
Email: [EMAIL PROTECTED]
Telefone : +351 212948300 Ext.15307
Centro de Informática
Faculdade de Ciências e Tecnologia da Universidade Nova de Lisboa
Quinta da Torre 2829-516 Caparica Portugal
Telefone: +351 212948596 Fax: +351 212948548
www.ci.fct.unl.pt [EMAIL PROTECTED]

ci.fct.unl.pt:~# _
Re: [Dovecot] [ rc28 ] dict{} seems to be ignored
On Monday 02 April 2007 16:37, Timo Sirainen wrote:

> So here should be:
>
> CONCAT('dict:storage=2', ceil(quota/1000), ' proxy::quotadict') AS quota

ok, this is working some way (without the 2 in the storage= ... right?) .. but I have still some things not clear... only some users have their quota updated on the DB ... both pop3 and imap have the quota in their mail_plugin parameter, imap has imap_quota too ...

BTW, in the wiki the quota table suggested structure uses 2 varchar(255) fields, with a PK on ... but the maximum allowed length for an index is only 500 .. at least on my version of mysql

I suggest to correct in 255 for the user and 245 for the path :-)

--
<?php echo ' Emiliano Gabrielli (aka AlberT) ',"\n",
'GrUSP founder - ZCE',"\n",
' AlberT_at_SuperAlberT_it - www.SuperAlberT.it ',"\n",
' IRC:#php,#AES azzurra.com ',"\n",'ICQ: 158591185'; ?>
Re: [Dovecot] No CA names sent in TLS handshake
Timo Sirainen wrote:

> On Tue, 2007-04-03 at 11:50 +0200, Johnny Chadda wrote:
>
> > Timo Sirainen wrote:
> >
> > > Well, I'm not that big of an OpenSSL guru, but googling shows that with other software it's often a certificate configuration problem. Did you set ssl_ca_file and does the file contain a valid CA and CRL?
> >
> > Yes, the certificates are Ok. It works if I explicitly select which client certificate to send to the server from the mail client. Normal users shouldn't have to do this though. It should be selected based on which accepted CA names the server sends.
> >
> > It works fine in Cyrus (which I will use if this does not work) and Postfix.
>
> Does the attached patch fix it?

Indeed, it did! Thanks! Hope to see this built-in in the next release. :)
Re: [Dovecot] 1.0rc29: LDA chroot problem
Timo Sirainen wrote:

> The other possibility is to disable chrooting with deliver.

Is it possible to disable chrooting for deliver only? What about maildir/box paths then?

Uldis
Re: [Dovecot] 1.0rc29: LDA chroot problem
Timo Sirainen wrote:

> > sieve plugin tries to forward mail... and fails when chroot enabled.
>
> Put the sendmail binary inside chroot and change sendmail_path setting. Although I don't know if even that will work. It might want to write directly to the mail spool instead of connecting to the SMTP server via TCP.

This means I must set up a real chroot environment for sendmail... ldd shows up a lot of dependencies.

> The other possibility is to disable chrooting with deliver.

While deliver itself uses external binaries too - is it a good idea to chroot deliver process at all?
Re: [Dovecot] The folder 'Inbox' cannot contain items. Namespace problems
Timo Sirainen writes:

> On Mon, 2007-04-02 at 22:31 -0400, Francisco Reyes wrote:
>
> > Based on some TCP dumps we did we noticed that Outlook was doing LIST, but no select (except at account) creation.
>
> Could you show me the tcpdumps?

Will report back today.

> > After we upgraded to r29 and had both namespaces Outlook and thunderbird broke. I took off the Mac support and myself and two co-workers that were helping me test were about to call it a day. The co-worker testing the Mac support tried it.. and it worked. It seems that after taking the second namespace off now Mac mail was also working (with r29). This is the first time I have been able to get PC and Mac to work at the same time. Will wait a day or two before reporting back. To give it some time for customers to report back in case of problems.
>
> I can't think of why that would happen. The namespace is used only if the client is sending broken commands.

I will install rc29 in a test machine and set both namespaces, then do tcpdumps.
Re: [Dovecot] How to integrate dspam and dovecot
On Tue, Apr 03, 2007 at 12:15:38PM +0100, Hugo Monteiro wrote:

> I've had several setups for SPAM/Virus handling in qmail servers, and the best solution so far was a combination of simscan + dspam + clamav. All the other qmail-queue replacements I've tried, including qpsmtpd, were just too expensive regarding system resources.

Note that qpsmtpd is more of a qmail-smtpd replacement than a qmail-queue replacement.

> Most solutions involving perl will simply not do, at least for me, on account of perl overhead.

Well, a theory is that the resources saved by rejecting more spam will more than offset the resources used by the perl interpreter. There are, of course, non-perl qmail-smtpd replacements, including my own :-) But qpsmtpd has a lot of momentum and you gain from that.

mm (not really here nor there)
[Dovecot] detailed info about acls with virtual users
Hi @ll,

I try to use ACLs with IMAP with the latest Dovecot but I don't get through; is there more info online than is written in the wiki?

I have a setup like http://wiki.dovecot.org/DovecotLDAPostfixAdminMySQL but with this, ACLs don't seem to work, and folders aren't reported with ACLs to e.g. Thunderbird.

--
With kind regards
Best Regards
Robert Schetterer
https://www.schetterer.org
Munich/Bavaria/Germany
Re: [Dovecot] ssl connections frozen, client times out
Timo Sirainen wrote:

> On Tue, 2007-04-03 at 04:12 -0400, Steve Mulligan wrote:
>
> > I'm using the latest Thunderbird Dovecot. I'm trying to setup either pop3s or imaps. The plain versions of the protocols both work fine for me, even with the TLS option selected in Thunderbird. But when I try to use the ssl versions, my client does not negotiate - it just times out.
>
> Since it might just as well be a Thunderbird configuration problem, try with openssl directly:
>
>     openssl s_client -connect localhost:995
>
> If it works, try remotely the same in case it's a firewall problem. If that works too, it's just a Thunderbird problem.

Thanks Timo. It connects fine on localhost, but when I try from a remote machine, I get:

    C:\OpenSSL\bin>openssl s_client -connect pop.loftsoftware.ca:110
    Loading 'screen' into random state - done
    CONNECTED(00FC)

Then there is a very long wait, 1-2 minutes.

    5696:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:.\ssl\s23_lib.c:188:

So I would say firewall problem BUT - it works fine when I switch the dovecot server and thunderbird client over to plain pop on the same port.

> > protocol pop3 {
> >   ssl_disable = no
> >   verbose_ssl = yes
> >   #listen = *:123
> >   #ssl_listen = *:110
>
> I hope you've never actually tried to use this ssl_listen = *:110 setting? pop3s is in port 995.

Sadly yes, for now. I'm the only one using the pop server and I don't have control over opening my own ports to the outside world so I have been trying to get it working on 110. It should still work on 110 from a remote machine though, right?

Thanks,
Steve.
[Dovecot] logfile consistency
We do some routine logfile (syslog) gathering and analysis. I've been looking at extending this to parse the syslog output of dovecot. Hmmm...

Ignoring the leading 'date hostname' prefix, some sample lines are:

    dovecot: imap-login: Login: user=uu, method=PLAIN, rip=dd.dd.dd.dd, lip=dd.dd.dd.dd
    dovecot: IMAP(uu): Disconnected: Logged out
    dovecot: IMAP(uu): Disconnected in IDLE
    dovecot: imap-login: Aborted login: rip=dd.dd.dd.dd, lip=dd.dd.dd.dd
    dovecot: pop3-login: Login: user=uu, method=PLAIN, rip=dd.dd.dd.dd1, lip=dd.dd.dd.dd
    dovecot: POP3(uu): Disconnected: Logged out top=0/0, retr=0/0, del=0/8, size=194970
    dovecot: pop3-login: Aborted login: rip=dd.dd.dd.dd, lip=dd.dd.dd.dd
    deliver(uu): msgid=[EMAIL PROTECTED]: saved mail to INBOX

I've obfuscated some of the local detail: uuu represents a username/identifier; dd.dd.dd.dd represents an IP address.

Would it be possible, please, to consider improving the consistency of the logging information? For instance:

1. All lines, including the deliver, to begin dovecot:;
2. The IMAP(): Disconnected to become imap: disconnected user=;

Overall this would make it more consistently amenable to perl-like pattern processing, at least with a reasonably hierarchical structure to the messages. Perhaps something like:

    dovecot: subprogram: event, key1=value1, key2=value2 ...

where: subprogram is {imap,pop,deliver,...}; event is {login,disconnected, ...}; and one of the key=value will usually be user=.

That would really make post-processing of logging information (whether offline, or 'live' via piped syslog) considerably easier.

Thanks.

--
David Lee                        I.T. Service
Senior Systems Programmer        Computer Centre
UNIX Team Leader                 Durham University
                                 South Road
http://www.dur.ac.uk/t.d.lee/    Durham DH1 3LE
Phone: +44 191 334 2752          U.K.
Re: [Dovecot] logfile consistency
David Lee wrote:

> We do some routine logfile (syslog) gathering and analysis. I've been looking at extending this to parse the syslog output of dovecot. Hmmm...
>
> ...
>
> For instance:
>
> 1. All lines, including the deliver, to begin dovecot:;
> 2. The IMAP(): Disconnected to become imap: disconnected user=;
>
> ...
>
> Overall this would make it more consistently amenable to perl-like pattern processing, at least with a reasonably hierarchical structure to the messages. Perhaps something like:
>
>     dovecot: subprogram: event, key1=value1, key2=value2 ...
>
> where: subprogram is {imap,pop,deliver,...}; event is {login,disconnected, ...}; and one of the key=value will usually be user=.

Or perhaps similar to postfix, like dovecot/deliver[pid]:

> That would really make post-processing of logging information (whether offline, or 'live' via piped syslog) considerably easier.

I strongly agree. I've written some nice graphing (rrdtool) scripts and they would have been much simpler with a standard syslog format. Though really, it's not that big of a deal.
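The normalisation asked for in this thread can also be done on the log consumer's side. The following is an added example, not part of the thread and not Dovecot code: it maps the line shapes quoted above onto the proposed "subprogram: event, key=value" form and counts aborted logins per remote IP. The sample lines, user names and addresses are constructed, and normalize, render and aborted_logins_by_ip are hypothetical names.

```python
import re
from collections import Counter

# key=value pairs; values may or may not be wrapped in <...>
KV = re.compile(r'(\w+)=<?([^,<>\s]*)>?')
# "dovecot: imap-login: Aborted login: rip=..., lip=..."
LOGIN = re.compile(r'dovecot: (imap|pop3)-login: ([^:]+): (.*)$')
# "dovecot: POP3(user): Disconnected: Logged out top=0/0, ..."
SESSION = re.compile(r'dovecot: (IMAP|POP3)\(([^)]*)\): (\w+)[: ]*(.*)$')
# "deliver(user): msgid=<...>: saved mail to INBOX"
DELIVER = re.compile(r'deliver\(([^)]*)\): msgid=<?([^>\s]*?)>?: (.*)$')

# Constructed sample lines in the shapes shown in the thread (syslog prefix kept).
SAMPLE = [
    'Apr  3 10:00:01 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5',
    'Apr  3 10:00:09 mail dovecot: IMAP(alice): Disconnected: Logged out',
    'Apr  3 10:02:40 mail dovecot: IMAP(alice): Disconnected in IDLE',
    'Apr  3 10:03:11 mail dovecot: imap-login: Aborted login: rip=203.0.113.7, lip=198.51.100.5',
    'Apr  3 10:03:15 mail dovecot: pop3-login: Login: user=bob, method=PLAIN, rip=192.0.2.44, lip=198.51.100.5',
    'Apr  3 10:03:16 mail dovecot: POP3(bob): Disconnected: Logged out top=0/0, retr=0/0, del=0/8, size=194970',
    'Apr  3 10:03:20 mail dovecot: pop3-login: Aborted login: rip=203.0.113.7, lip=198.51.100.5',
    'Apr  3 10:04:02 mail deliver(bob): msgid=<constructed.1@example.org>: saved mail to INBOX',
]


def normalize(line):
    """Return (subprogram, event, fields) for one line, or None if unrecognised."""
    m = LOGIN.search(line)
    if m:
        sub, event, rest = m.groups()
        return sub, event.strip().lower().replace(' ', '_'), dict(KV.findall(rest))
    m = SESSION.search(line)
    if m:
        sub, user, event, tail = m.groups()
        first_kv = KV.search(tail)
        # Free text before the first key=value is the disconnect reason.
        reason = (tail[:first_kv.start()] if first_kv else tail).strip()
        fields = {'user': user}
        if reason:
            fields['reason'] = reason
        fields.update(KV.findall(tail))
        return sub.lower(), event.lower(), fields
    m = DELIVER.search(line)
    if m:
        user, msgid, action = m.groups()
        return 'deliver', action.split()[0].lower(), {
            'user': user, 'msgid': msgid, 'detail': action}
    return None


def render(record):
    """Format a record as 'dovecot: subprogram: event, k=v, ...'."""
    sub, event, fields = record
    parts = [f'{k}="{v}"' if ' ' in v else f'{k}={v}' for k, v in fields.items()]
    return ', '.join([f'dovecot: {sub}: {event}'] + parts)


def aborted_logins_by_ip(lines):
    """Count aborted login attempts per remote IP across both login services."""
    hits = Counter()
    for line in lines:
        rec = normalize(line)
        if rec and rec[1] == 'aborted_login':
            hits[rec[2].get('rip', '?')] += 1
    return hits


if __name__ == '__main__':
    for sample_line in SAMPLE:
        print(render(normalize(sample_line)))
    print(dict(aborted_logins_by_ip(SAMPLE)))
```
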
[Dovecot] Deliver die if global sieve script turn on
In my installation deliver dies if the global sieve script is turned on. Is there anything I have missed?

Thanks..

Flex 2.5.33
Dovecot 1.0.rc29
postfix 2.3.8

In maillog:

    Apr 3 13:29:58 minigrass postfix/pipe[24691]: CA194121BC5: to=[EMAIL PROTECTED], relay=dovecot, delay=0.24, delays=0.14/0.01/0/0.09, dsn=5.3.0, status=bounced (Command died with status 2: /usr/libexec/dovecot/deliver. Command output: input in flex scanner failed )

In master.cf:

    dovecot unix - n n - - pipe
      flags=DRhu user=dovecot:dovecot argv=/usr/libexec/dovecot/deliver -d ${recipient} -n

in dovecot.conf:

    mail_plugins = cmusieve quota
    global_script_path = /home/mail/sieve/global

in /home/mail/sieve/global/dspam.sieve:

    require "fileinto";
    if header :is "X-DSPAM-Result" "Spam" {
        fileinto "Spam";
    }

Regards
Re: [Dovecot] Connection refused with auth-master after upgrading to Dovecot 1.0 rc 28
Timo,

Thanks for your time.

On 4/2/07, Timo Sirainen [EMAIL PROTECTED] wrote:

> On Mon, 2007-04-02 at 13:10 -0600, Jason Warner wrote:
>
> > Fedora pushed out an update to Dovecot 1.0 rc 28 today. After upgrading, mail isn't delivered to local recipients. My log file is full of error messages similar to the following:
> >
> >     Apr 2 12:56:32 mail deliver([EMAIL PROTECTED]): net_connect(/var/run/dovecot/auth-master) failed: Connection refused
>
> Delete this file. Restart Dovecot. Does it get recreated?

When I delete the file and restart Dovecot it is recreated.

> > I'm including some snippets from my dovecot.conf file that pertain to the auth-master file:
>
> dovecot -n shows what Dovecot really uses. It might show something different than what you thought you had.

Here is the output from dovecot -n:

    [EMAIL PROTECTED] dovecot]# /usr/local/sbin/dovecot -c /etc/dovecot.conf -n
    # /etc/dovecot.conf
    protocols: imap imaps pop3 pop3s
    ssl_cert_file: /etc/pki/dovecot/certs/pop3.pem
    ssl_key_file: /etc/pki/dovecot/private/pop3.pem
    login_dir: /usr/local/var/run/dovecot/login
    login_executable(default): /usr/local/libexec/dovecot/imap-login
    login_executable(imap): /usr/local/libexec/dovecot/imap-login
    login_executable(pop3): /usr/local/libexec/dovecot/pop3-login
    default_mail_env: maildir:/home/vmail/mail/%n
    mail_location: maildir:/home/vmail/mail/%n
    mail_executable(default): /usr/local/libexec/dovecot/imap
    mail_executable(imap): /usr/local/libexec/dovecot/imap
    mail_executable(pop3): /usr/local/libexec/dovecot/pop3
    mail_plugin_dir(default): /usr/local/lib/dovecot/imap
    mail_plugin_dir(imap): /usr/local/lib/dovecot/imap
    mail_plugin_dir(pop3): /usr/local/lib/dovecot/pop3
    pop3_uidl_format(default):
    pop3_uidl_format(imap):
    pop3_uidl_format(pop3): %08Xu%08Xv
    auth default:
      passdb:
        driver: ldap
        args: /etc/dovecot-ldap.conf
      userdb:
        driver: static
        args: uid=502 gid=502 home=/home/vmail/mail/%n mail=maildir:/home/vmail/mail/%n/
      socket:
        type: listen
        client:
        master:
          path: /var/run/dovecot/auth-master
          mode: 384
          user: vmail
          group: mail

Some other information that I've learned might be helpful in helping to troubleshoot this problem:

1. I'm using Postfix and delivering mail to virtual users.
2. The problem presents itself when using the Dovecot LDA. If I go back to my old virtual settings (not using the Dovecot LDA) then mail is delivered again.
3. The Dovecot LDA is added with this line in my master.cf for Postfix:

    # Dovecot LDA
    dovecot unix - n n - - pipe
      flags=DRhu user=vmail:mail argv=/usr/libexec/dovecot/deliver -d ${recipient}