Re: [Dovecot] Sharing nested folders / maildir variations?
On 3 Jun, 2007, at 17:03, Timo Sirainen wrote:
> Should be already possible with the development version (wonder what I
> should call it now that I can't call it CVS HEAD anymore .. development,
> 1.1.UNSTABLE, hg, ..?):
>
> mail_location = maildir:~/Maildir:LAYOUT=FS

Sweet!

> It doesn't use dots anymore then either.

Do you mean folders don't have to start with a dot? I started to propose that too, but thought I'd be asking for too much. Specifically, there is a bit in the config:

# By default LIST command returns all entries in maildir beginning with a dot.
# Enabling this option makes Dovecot return only entries which are directories.
# This is done by stat()ing each entry, so it causes more disk I/O.
# (For systems setting struct dirent->d_type, this check is free and it's
# done always regardless of this setting)
maildir_stat_dirs = no

So it seems that removing the dot would break that unless cur/tmp/new/subscriptions/dovecot* started with a dot and folders did not (thus reversing the usual convention). It seemed too much to ask for for too little gain, especially as maildrop wouldn't know how to deliver to such directories (but maybe it could call deliver).

So what happens if I use the following two together, on a system not setting struct dirent->d_type?

mail_location = maildir:~/Maildir:LAYOUT=FS
maildir_stat_dirs = no

Since I have no idea what that actually means, is linux one of the systems that does set struct dirent->d_type (JFS filesystem if it matters)?

Lastly, any idea how long before this feature can be expected to reach production?

Cheers,
--
Casey Allen Shobe | mailto:[EMAIL PROTECTED] | http://casey.shobe.info
SeattleServer.com, inc. | http://seattleserver.com

Re: [Dovecot] Client certificate verification/authentication
Timo Sirainen wrote:
> On Tue, 2007-05-29 at 12:06 +0200, eizert wrote:
>> Not in Dovecot... In my log, I've simply:
>> dovecot: auth(default): Client didn't present valid SSL certificate
>
> Set verbose_ssl=yes and it should log more. It should then log either
> Invalid certificate or Valid certificate. If it logged neither, then your
> client didn't send a certificate at all.

I've set this option. I've create certificate signed trusted and set CA and create CRL. I have put CRL in the CA certificate by

cat ca-crl.pem ca.crt.pem

Also my MUA use CRL with https://myhostname/crl.der

But I've simply this information in my log:

Client didn't present valid SSL certificate

Very hard to debug.

When if I turn off ssl_verify_client_cert and ssl_require_client_cert (but only ssl_require_client_cert posed a problem)

I think that ssl_verify_client_cert it's simply X509 verify but I'm not sure, I don't read the source...

I try to compile dovecot with no CRLs usage for test it.

Re: [Dovecot] Dovecot waking every 50ms when doing nothing
On Sunday June 03, 2007 at 01:48:33 (PM) Dave McGuire wrote:
> On Jun 3, 2007, at 11:29 AM, Ross Burton wrote:
>> I presume porting Dovecot to use the glib main loop abstraction (which
>> is nice and lean, the object system is a separate library) is out of the
>> question?
>
> Please don't. One reason Dovecot is so easy to get up and running quickly
> is that it has minimal dependencies. For those of us who aren't running
> Linux on PCs that can become a headache very quickly, as the authors of
> many of the depended-upon libraries often get creative with nonportable
> GCCisms and other such nonsense. And even when one *is* running Linux on
> a PC, sometimes we don't want to build fifteen packages in order to build
> one.
>
> That's not to say that simply adding one dependency on glib would cause a
> huge problem...but it indicates the adoption of a mindset, and it's a
> slippery slope.

I am using FreeBSD-6.2 presently. Using 'portmanager' as my updating application, I have never experienced the problems or conceived problems as they may be on my system. Perhaps that is just a localized phenomenon though.

--
Gerard

Re: [Dovecot] Dovecot waking every 50ms when doing nothing
On Sun, 2007-06-03 at 18:27 +0300, Timo Sirainen wrote:
> ..Or maybe just fix the basic timeout_*() API. Add a new timeout_reset()
> call == timeout_remove() + timeout_add(original values) and then make the
> implementation be fast with hundreds of timeouts. The timeouts are
> currently kept in linked list, so that could be changed to red-black tree
> I guess (sorted by next execution time). Or is there a better data
> structure for this?

Maybe check what the kernel does? It has the runqueue and that afaik.

johannes

Re: [Dovecot] Dovecot waking every 50ms when doing nothing
On Sun, 2007-06-03 at 19:13 +0100, Ross Burton wrote:
> By pool do you mean memory regions which can be split into children, and
> freeing the parent region also frees the children? That isn't in Glib.

That's the idea in dovecot, yes. Actually, no parent region/child region but just basically like a slice that you can free at once.

johannes

Re: [Dovecot] dovecot-shared tries to fchown index+control files but fails
On Sun, 2007-06-03 at 23:05 -0400, Adam McDougall wrote:
> On Mon, Jun 04, 2007 at 05:57:49AM +0300, Timo Sirainen wrote:
>> On Thu, 2007-05-24 at 18:59 -0400, Adam McDougall wrote:
>>> May 24 18:45:35 hostname dovecot: IMAP(username): fchown(/home/username/Maildir/dovecot/public/control/org/.mailfolder/dovecot-uidlist) failed: Operation not permitted
>>
>> I'm not sure if you already figured this out, but these calls are used
>> to change the file's group, not its owner.
>
> Why would dovecot-shared affect files outside of the shared directory
> though?

Well.. Dovecot doesn't know if you want to have the control or index files shared. If they were shared, you'd want to preserve the group +mode.

Originally I was planning on removing the whole dovecot-shared file, but perhaps it needs to be there anyway. Inside it could be some settings that tell Dovecot how you want to preserve the group/mode. Maybe something like:

group = xyz # dovecot-shared file's group if not specified
#group = # empty == no change
mode = 0660 # dovecot-shared file's mode if not specified
private_flags = \Seen \Flagged # Default is \Seen
index_group =
index_mode =
control_group =
control_mode =

Re: [Dovecot] Client certificate verification/authentication
On Mon, 2007-06-04 at 11:39 +0200, eizert wrote:
> Timo Sirainen wrote:
>> On Tue, 2007-05-29 at 12:06 +0200, eizert wrote:
>>> Not in Dovecot... In my log, I've simply:
>>> dovecot: auth(default): Client didn't present valid SSL certificate
>>
>> Set verbose_ssl=yes and it should log more. It should then log either
>> Invalid certificate or Valid certificate. If it logged neither, then
>> your client didn't send a certificate at all.
>
> I've set this option. I've create certificate signed trusted and set CA
> and create CRL. I have put CRL in the CA certificate by
>
> cat ca-crl.pem ca.crt.pem
>
> Also my MUA use CRL with https://myhostname/crl.der
>
> But I've simply this information in my log:
>
> Client didn't present valid SSL certificate

Then I'd say the client didn't present any certificate at all to Dovecot. Are you sure the client even supports sending the certificate?

Re: [Dovecot] Sharing nested folders / maildir variations?
On Sun, 2007-06-03 at 23:10 -0700, SeattleServer.com wrote:
> So it seems that removing the dot would break that unless
> cur/tmp/new/subscriptions/dovecot* started with a dot and folders did not
> (thus reversing the usual convention).

It doesn't break, but it does mean that you aren't able to create mailboxes named cur, tmp, new, subscriptions, etc.

> So what happens if I use the following two together, on a system not
> setting struct dirent->d_type?
>
> mail_location = maildir:~/Maildir:LAYOUT=FS
> maildir_stat_dirs = no

LAYOUT=FS uses completely different code (same as mbox listing) and doesn't use maildir_stat_dirs at all.

> Lastly, any idea how long before this feature can be expected to reach
> production?

v1.1 is hopefully ready at the end of this summer.

Re: [Dovecot] Client certificate verification/authentication
Sorry, but after my first message, I'm work to openssl. (newbie)

And now, the certificate are valid, but authentication failed.

Re: [Dovecot] UW-IMAP style mbox snarfing from /var/mail/ to ~/mbox
Timo Sirainen wrote:
> Anyway, updated http://dovecot.org/patches/mbox-snarf-plugin.c

Hi,

thanks, this code seems to work with the original Debian package. It managed to copy the contents of a mbox from /var/mail/$user to /home/$user/.imap_mail/inbox, well done!

I have yet to conduct more testing as Dovecot+Exim will be handling 100+ users soon. Exim's current setup delivers directly to directory /home/user/.imap_mail, where spam mails can optionally be delivered into different mbox files. /home is subject to user-based filesystem quotas, also a policy not to bounce any mail is in place.

My idea is to let Exim deliver everything to /var/mail/$user, where enough space is present, and let Dovecot snarf the mails to /home, if quota allows.

Is it possible to snarf more than one mbox from /var/mail to /home/$user, like this?

/var/mail/$user -> /home/.imap_mail/inbox
/var/mail/$user.spam -> /home/.imap_mail/Spam
/var/mail/$user.virus -> /home/.imap_mail/Virus

Snarfing only one mbox removes the possibility to let Exim move recognized spam mails not into the inbox.

Since using the snarf plugin I have this additional line in syslog:

Jun 4 15:28:27 bach dovecot: IMAP(kuhls): Timeout leak: 0x808ad10

Anything to worry about?

Greetings, Bernd Kuhls

Re: [Dovecot] Is there a connect acl ?
Hi Gabriel,
thanks for the suggestion. Will be researching about perdition, google should help.

My idea is to open only IMAPS port to the internet, and then limit only a few users to check their email from home.

Thanks
Oliver

Gabriel Millerd wrote:
> What sort of response would the imap server give? Obviously you allow all
> sessions to connect else you would handle this with iptables, and when the
> user/pass/cert is validated and you have the user:rip what response would
> you give the client?
>
> Any security issues are moot since the user/pass is over the wire in order
> to determine if they have access.

--
Oliver Schulze L. | http://tinymailto.com/oliver
Asuncion - Paraguay | http://www.solojuegos.mobi

Re: [Dovecot] dovecot-shared tries to fchown index+control files but fails
On Mon, Jun 04, 2007 at 03:47:13PM +0300, Timo Sirainen wrote:
> On Sun, 2007-06-03 at 23:05 -0400, Adam McDougall wrote:
>> On Mon, Jun 04, 2007 at 05:57:49AM +0300, Timo Sirainen wrote:
>>> On Thu, 2007-05-24 at 18:59 -0400, Adam McDougall wrote:
>>>> May 24 18:45:35 hostname dovecot: IMAP(username): fchown(/home/username/Maildir/dovecot/public/control/org/.mailfolder/dovecot-uidlist) failed: Operation not permitted
>>>
>>> I'm not sure if you already figured this out, but these calls are used
>>> to change the file's group, not its owner.
>>
>> Why would dovecot-shared affect files outside of the shared directory
>> though?
>
> Well.. Dovecot doesn't know if you want to have the control or index files
> shared. If they were shared, you'd want to preserve the group +mode.

Okay, I can see why you could want it. But it seems some flexibility is needed from the dovecot-shared behavior to match the flexibility of having control and index in separate locations from the mailbox, since some mail environments would operationally (unwanted behavior) and/or technically (corruption potential) prevent the index and/or control from being shared.

> Originally I was planning on removing the whole dovecot-shared file, but
> perhaps it needs to be there anyway. Inside it could be some settings that
> tell Dovecot how you want to preserve the group/mode. Maybe something
> like:
>
> group = xyz # dovecot-shared file's group if not specified
> #group = # empty == no change
> mode = 0660 # dovecot-shared file's mode if not specified
> private_flags = \Seen \Flagged # Default is \Seen
> index_group =
> index_mode =
> control_group =
> control_mode =

That would be an excellent feature, especially being able to control the private_flags, which I previously only had limited control over using file permissions and the acl plugin. But, I think the current behavior of dovecot-shared should hopefully suffice for my situation (after the private flags patch) as long as it doesn't cause any other unexpected behavior :)

[Dovecot] tweaking performance
Hi,

I was wondering if anyone had some ideas on what I can tweak to gain more performance. We have some timeout reports on pop3 during heavy load periods. Using imap/pop3 with maildir with 7,000 users using mostly pop3.

# /usr/local/etc/dovecot.conf
protocols: imap pop3
ssl_disable: yes
disable_plaintext_auth: no
login_dir: /usr/local/var/run/dovecot/login
login_executable(default): /usr/local/libexec/dovecot/imap-login
login_executable(imap): /usr/local/libexec/dovecot/imap-login
login_executable(pop3): /usr/local/libexec/dovecot/pop3-login
login_greeting: Cape.Com D-V.1 wpam - ready.
login_processes_count: 16
login_max_processes_count: 500
max_mail_processes: 9000
mail_location: maildir:/home/%1u/%u/Maildir
maildir_copy_with_hardlinks: yes
mail_executable(default): /usr/local/libexec/dovecot/imap
mail_executable(imap): /usr/local/libexec/dovecot/imap
mail_executable(pop3): /usr/local/libexec/dovecot/pop3
mail_plugin_dir(default): /usr/local/lib/dovecot/imap
mail_plugin_dir(imap): /usr/local/lib/dovecot/imap
mail_plugin_dir(pop3): /usr/local/lib/dovecot/pop3
pop3_uidl_format(default):
pop3_uidl_format(imap):
pop3_uidl_format(pop3): %v.%u
pop3_client_workarounds(default):
pop3_client_workarounds(imap):
pop3_client_workarounds(pop3): outlook-no-nuls oe-ns-eoh
auth default:
  count: 6
  passdb:
    driver: pam
  userdb:
    driver: passwd

TIA,
PA

Re: [Dovecot] tweaking performance
> We have some timeout reports on pop3 during heavy load periods. Using
> imap/pop3 with maildir with 7,000 users using mostly pop3.

It's hard to tweak something without knowing the problem. Run top / iostat / vmstat to get an idea why your system becomes slow:

- CPU ?
- Disk-IO ?

Regards,
Adrian

--
RFC 1925: (11) Every old idea will be proposed again with a different name and a different presentation, regardless of whether it works.

Re: [Dovecot] IMAP traffic logging
I wonder if it is possible to log the number of bytes send in response to IMAP commands. Unfortunately there seems to be no config option similar to pop3_logout_format.

There's a patch for it. Someone already gave a link to it within last few weeks. I think it was originally posted some months ago. If you can't find it I can try to look for it. I guess it could be put to http://dovecot.org/patches/ since it's somewhat commonly requested..

Added: http://dovecot.org/patches/imap-bytes.diff

Curious - this seems useful... is there any reason you don't want this added to the main code base - ie, any reason I should be wary of using it?

--
Best regards, Charles

[Dovecot] Backing up mail?
My mail server is running on a Fedora FC5 box. I need to move the mail server to another computer and so I need to back up my users' mail and move it. I have found mail in /var/spool/mail/[users] and in their home directories there is a 'mail' directory. All users have an 'Inbox' file that is empty and I think the one IMAP user has a 'Trash' file that is huge! Are those the only files I need to copy or are there others lurking out there that I don't know about?

Thanks,

--
Knute Johnson
Molon Labe...

Re: [Dovecot] Is there a connect acl ?
I got the response from Timo, in the shell script I can use the variable $IP which holds the remote IP (rip from syslog) so, doing a grep with the $IP and the subnet will do the trick.

Will update the wiki when it's done.

Thanks
Oliver

mouss wrote:
> Oliver Schulze L. wrote:
>> Hi Gabriel,
>> thanks for the suggestion. Will be researching about perdition, google
>> should help.
>>
>> My idea is to open only IMAPS port to the internet, and then limit only
>> a few users to check their email from home.
>
> you can run dovecot twice (one instance for the LAN and one of the
> internet), each with its list of users/passwords...

--
Oliver Schulze L. | http://tinymailto.com/oliver
Asuncion - Paraguay | http://www.solojuegos.mobi
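
The per-user remote-address check described in the message above (a login script testing $IP against a subnet), as an added example that is not part of the original thread or of Dovecot. It compares addresses numerically against CIDR rules, because a plain grep for a prefix such as 10.1.1 also matches 10.1.10.5; $USER, the "user CIDR" ACL file format, the file path and all function names are assumptions of this example.

```shell
# Added example, not Dovecot code. $IP is the variable named in the thread;
# $USER, the "user CIDR" ACL format and the function names are assumptions.

# Dotted-quad IPv4 -> integer. Rejects anything that is not four octets 0-255.
ip_to_int() {
    case "$1" in ''|*[!0-9.]*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|0?*|????*) return 1 ;; esac   # empty, leading zero, too long
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_cidr ADDR NET[/BITS]: true if ADDR lies inside the network.
ip_in_cidr() {
    net=${2%/*}; bits=${2#*/}
    [ "$bits" != "$2" ] || bits=32                    # bare address means /32
    case "$bits" in ''|*[!0-9]*|0?*|???*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    a=$(ip_to_int "$1") || return 1
    n=$(ip_to_int "$net") || return 1
    mask=0
    [ "$bits" -eq 0 ] || mask=$(( (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF ))
    [ $(( $a & $mask )) -eq $(( $n & $mask )) ]
}

# user_allowed USER ADDR ACL_FILE: default deny; succeeds only when a rule
# for USER covers ADDR. Unknown users and malformed addresses are refused.
user_allowed() {
    [ -r "$3" ] || return 1
    while read -r acl_user acl_cidr rest; do
        case "$acl_user" in ''|'#'*) continue ;; esac
        [ "$acl_user" = "$1" ] || continue
        if ip_in_cidr "$2" "$acl_cidr"; then return 0; fi
    done < "$3"
    return 1
}

# Constructed sample ACL (documentation address ranges), one rule per line.
sample_acl() {
    printf '%s\n' '# user  network' 'oliver 192.0.2.0/24' \
        'oliver 198.51.100.7' 'gabriel 10.1.1.0/24'
}

# Wrapper use (hypothetical path): user_allowed "$USER" "$IP" /etc/dovecot/remote-acl || exit 1
```

The check runs only after the connection has been accepted, so it complements a firewall rule on the IMAPS port and does not replace one.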