Re: [Dovecot] SSL/TLS with Outlook client

2007-11-13 Thread Nikolay Shopik

On 13.11.2007 4:22, Jonathan Bond-Caron wrote:

> Anyone have any solution to this?
>
> I'm also getting a "The target principal name is incorrect." in Outlook 2007
>
> Is this a problem with dovecot?

That's probably because your CN doesn't match your server in the certificate.
Are you using a self-signed certificate?


[Dovecot] namespace public folders

2007-11-13 Thread Nikolay Shopik
Hi list,
Here is the thing I'm trying to accomplish. I would like to set up public
folders which are responsible for delivering mail for some special addresses
like [EMAIL PROTECTED]. And it would be perfect if the seen status for this
folder were saved per user. I mean, if one user reads a message and sets it as
read, other users should still see it as unread. As far as I know there are
some limitations in the 1.0 tree but not in the latest 1.1.
My question is: can I do such a setup with dovecot+postfix? I'd really
appreciate simple examples of how I can accomplish this kind of setup, if it's
possible :)



[Dovecot] Caching?

2007-11-13 Thread Bjørn T Johansen
Any way to minimize the number of sql statements that dovecot does?

(and I tried adding userdb prefetch { } but number of sql calls are still the 
same)


Am I doing something wrong or?



Regards,

BTJ

-- 
---
Bjørn T Johansen

[EMAIL PROTECTED]
---
Someone wrote:
I understand that if you play a Windows CD backwards you hear strange Satanic 
messages
To which someone replied:
It's even worse than that; play it forwards and it installs Windows
---


Re: [Dovecot] dovecot.index mtime

2007-11-13 Thread pod
>>>>> "M" == Matt [EMAIL PROTECTED] writes:

M> What if the script only touched the dovecot.index if it exists?
M> That would likely not be too difficult to test for with shell
M> script.

Might be tricky to do in shell without a race.  On the other hand maybe a
race in this case is not significant.  On the other hand it's possible
that a running user imap process uses timestamps on the index file to
determine whether it needs to update its idea of the content and
gratuitously changing it on connect may cause already running processes to
do more work than strictly necessary.  Haven't looked at the actual code
to assess the credibility of this though.

On the other hand I've run out of hands now :)


Re: [Dovecot] Caching?

2007-11-13 Thread Timo Sirainen

On 13.11.2007, at 13.21, Bjørn T Johansen wrote:

> Any way to minimize the number of sql statements that dovecot does?
>
> (and I tried adding userdb prefetch { } but number of sql calls are
> still the same)

Did you add the userdb_* fields to passdb? Did you put prefetch
before userdb sql? Show dovecot -n output? Set auth_debug=yes to see
what SQL queries Dovecot actually sends.

For actual caching there's also auth_cache_size setting which is 0 by
default.






Re: [Dovecot] Caching?

2007-11-13 Thread Bjørn T Johansen
On Tue, 13 Nov 2007 15:17:48 +0200
Timo Sirainen [EMAIL PROTECTED] wrote:

> On 13.11.2007, at 13.21, Bjørn T Johansen wrote:
>
> > Any way to minimize the number of sql statements that dovecot does?
> >
> > (and I tried adding userdb prefetch { } but number of sql calls are
> > still the same)
>
> Did you add the userdb_* fields to passdb?

Yes...

> Did you put prefetch before userdb sql?

Nope... That might be the reason?

> Show dovecot -n output?

# 1.0.7: /etc/dovecot/dovecot.conf
log_path: /lv1/logs/dovecot.log
protocols: imap imaps pop3 pop3s
listen: [*]
disable_plaintext_auth: no
login_dir: /usr/var/run/dovecot/login
login_executable(default): /usr/libexec/dovecot/imap-login
login_executable(imap): /usr/libexec/dovecot/imap-login
login_executable(pop3): /usr/libexec/dovecot/pop3-login
mail_location: maildir:/opt/vmail/%d/%n
mail_executable(default): /usr/libexec/dovecot/imap
mail_executable(imap): /usr/libexec/dovecot/imap
mail_executable(pop3): /usr/libexec/dovecot/pop3
mail_plugin_dir(default): /usr/lib/dovecot/imap
mail_plugin_dir(imap): /usr/lib/dovecot/imap
mail_plugin_dir(pop3): /usr/lib/dovecot/pop3
pop3_uidl_format(default): 
pop3_uidl_format(imap): 
pop3_uidl_format(pop3): %08Xu%08Xv
pop3_client_workarounds(default): 
pop3_client_workarounds(imap): 
pop3_client_workarounds(pop3): outlook-no-nuls
auth default:
  mechanisms: plain login digest-md5 cram-md5
  user: vmail
  passdb:
    driver: sql
    args: /etc/dovecot/dovecot-sql.conf
  userdb:
    driver: passwd
  userdb:
    driver: prefetch
  userdb:
    driver: sql
    args: /etc/dovecot/dovecot-sql.conf
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 432
      user: postfix
      group: postfix
    master:
      path: /var/run/dovecot/auth-master
      mode: 384
      user: vmai

> Set auth_debug=yes to see
> what SQL queries Dovecot actually sends.
>
> For actual caching there's also auth_cache_size setting which is 0 by
> default.

Is auth_cache_size used only for authentication or for all sql access?


BTJ
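
An added example, not part of the thread or of Dovecot: a small Python check over an excerpt of the `dovecot -n` output above that lists the userdb drivers in order (the point of the "prefetch before userdb sql" question) and decodes the auth socket modes. It assumes the `mode:` values are permission bits printed in decimal, so 432 is 0660 and 384 is 0600; the function names are made up for illustration.

```python
# Excerpt of the auth section from the `dovecot -n` output quoted above.
SAMPLE = """\
auth default:
  passdb:
    driver: sql
  userdb:
    driver: passwd
  userdb:
    driver: prefetch
  userdb:
    driver: sql
  socket:
    client:
      path: /var/spool/postfix/private/auth
      mode: 432
    master:
      path: /var/run/dovecot/auth-master
      mode: 384
"""

def userdb_order(text):
    """Return the userdb drivers in the order they are configured."""
    drivers, in_userdb = [], False
    for line in text.splitlines():
        s = line.strip()
        if s.endswith(":") and " " not in s:      # block header such as "userdb:"
            in_userdb = (s == "userdb:")
        elif in_userdb and s.startswith("driver:"):
            drivers.append(s.split(":", 1)[1].strip())
            in_userdb = False
    return drivers

def prefetch_precedes_sql(drivers):
    """True only when both drivers are present and prefetch comes first."""
    return ("prefetch" in drivers and "sql" in drivers
            and drivers.index("prefetch") < drivers.index("sql"))

def socket_modes(text):
    """Map each socket path to its mode in octal (assumption: input is decimal)."""
    modes, path = {}, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("path:"):
            path = s.split(":", 1)[1].strip()
        elif s.startswith("mode:") and path:
            modes[path] = format(int(s.split(":", 1)[1]), "04o")
            path = None
    return modes
```
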


Re: [Dovecot] namespace public folders

2007-11-13 Thread Markus Stumpf
Hoi,

On Tue, Nov 13, 2007 at 02:08:46PM +0300, Nikolay Shopik wrote:
> My question is: can I do such a setup with dovecot+postfix? I'd really
> appreciate simple examples of how I can accomplish this kind of setup, if
> it's possible :)

AFAIK the Seen Flag is not maintained on a per user basis.

I do the delivery to the public folders via the aliases mechanism and
the safecat program http://jeenyus.net/~budney/linux/software/safecat.html
which delivers messages from stdin to a Maildir specified on the cmdline.
Along with the safecat comes a maildir sh-script that is a wrapper for
safecat and makes things shorter.

info: |/usr/local/bin/maildir /var/spool/pubfolders/.info
contact: |/usr/local/bin/maildir /var/spool/pubfolders/.info
sales: |/usr/local/bin/maildir /var/spool/pubfolders/.sales

To work around permission problems I have made the safecat program
setuid dovecot user, executable for owner and group and gave it to the group
postfix handles aliases deliveries with, e.g.:
---s--x--- 1 dovecotu mail 21024 Oct 19 14:26 /usr/local/bin/safecat

HTH,
\Maex

-- 
Markus Stumpf
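
An added check for the permission set-up described in the message above (not part of the original post or of safecat): it parses an `ls -l` line and reports anything that would widen who can run or replace the setuid helper. The function names and the second, looser sample line are constructed for illustration; the delivery group `mail` is taken from the listing in the post.

```python
import stat

# Execute slot of each rwx triplet -> (execute bit, special bit, letter meaning both)
SPECIAL = {2: (stat.S_IXUSR, stat.S_ISUID, "s"),
           5: (stat.S_IXGRP, stat.S_ISGID, "s"),
           8: (stat.S_IXOTH, stat.S_ISVTX, "t")}

def parse_ls_mode(text):
    """Turn a 10-character ls mode string such as '---s--x---' into mode bits."""
    if len(text) != 10:
        raise ValueError("expected 10 characters: %r" % text)
    mode = 0
    for i, ch in enumerate(text[1:]):
        if ch == "-":
            continue
        if i in SPECIAL:
            xbit, sbit, letter = SPECIAL[i]
            if ch == "x":
                mode |= xbit
            elif ch == letter:             # 's'/'t': special bit plus execute
                mode |= xbit | sbit
            elif ch == letter.upper():     # 'S'/'T': special bit without execute
                mode |= sbit
            else:
                raise ValueError("bad character %r" % ch)
        elif ch == "rw"[i % 3]:
            mode |= 1 << (8 - i)
        else:
            raise ValueError("bad character %r" % ch)
    return mode

def audit_setuid_helper(ls_line, delivery_group):
    """Return findings for a setuid delivery helper; an empty list means tight."""
    fields = ls_line.split()
    mode, owner, group = parse_ls_mode(fields[0]), fields[2], fields[3]
    findings = []
    if not mode & stat.S_ISUID:
        findings.append("not setuid")
    if owner == "root":
        findings.append("setuid root: helper runs with full privileges")
    if mode & stat.S_IXOTH:
        findings.append("world-executable: any local user can run it as " + owner)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or others: binary can be replaced")
    if group != delivery_group:
        findings.append("group %s is not the delivery group %s" % (group, delivery_group))
    return findings

# First line is the listing from the post; the second is constructed.
PAGE_LINE = "---s--x--- 1 dovecotu mail 21024 Oct 19 14:26 /usr/local/bin/safecat"
LOOSE_LINE = "-rwsr-xr-x 1 root root 21024 Oct 19 14:26 /usr/local/bin/safecat"
```
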


Re: [Dovecot] namespace public folders

2007-11-13 Thread Adam McDougall
On Tue, Nov 13, 2007 at 05:03:37PM +0100, Markus Stumpf wrote:

> Hoi,
>
> On Tue, Nov 13, 2007 at 02:08:46PM +0300, Nikolay Shopik wrote:
> > My question is: can I do such a setup with dovecot+postfix? I'd really
> > appreciate simple examples of how I can accomplish this kind of setup, if
> > it's possible :)
>
> AFAIK the Seen Flag is not maintained on a per user basis.

Actually it depends.  I've found in dovecot 1.0 and 1.1, if you have a
dovecot-shared file in the public folder, it forces private flags such as
read.  The wiki has some information about dovecot-shared.

> I do the delivery to the public folders via the aliases mechanism and
> the safecat program http://jeenyus.net/~budney/linux/software/safecat.html
> which delivers messages from stdin to a Maildir specified on the cmdline.
> Along with the safecat comes a maildir sh-script that is a wrapper for
> safecat and makes things shorter.
>
> info: |/usr/local/bin/maildir /var/spool/pubfolders/.info
> contact: |/usr/local/bin/maildir /var/spool/pubfolders/.info
> sales: |/usr/local/bin/maildir /var/spool/pubfolders/.sales
>
> To work around permission problems I have made the safecat program
> setuid dovecot user, executable for owner and group and gave it to the group
> postfix handles aliases deliveries with, e.g.:
> ---s--x--- 1 dovecotu mail 21024 Oct 19 14:26 /usr/local/bin/safecat
>
> HTH,
> \Maex
>
> --
> Markus Stumpf
  


Re: [Dovecot] namespace public folders

2007-11-13 Thread Nikolay Shopik



13.11.2007 19:30, Adam McDougall wrote:

> On Tue, Nov 13, 2007 at 05:03:37PM +0100, Markus Stumpf wrote:
>
> > Hoi,
> >
> > On Tue, Nov 13, 2007 at 02:08:46PM +0300, Nikolay Shopik wrote:
> > > My question is: can I do such a setup with dovecot+postfix? I'd really
> > > appreciate simple examples of how I can accomplish this kind of setup,
> > > if it's possible :)
> >
> > AFAIK the Seen Flag is not maintained on a per user basis.
>
> Actually it depends.  I've found in dovecot 1.0 and 1.1, if you have a
> dovecot-shared file in the public folder, it forces private flags such as
> read.  The wiki has some information about dovecot-shared.
>
> > I do the delivery to the public folders via the aliases mechanism and
> > the safecat program http://jeenyus.net/~budney/linux/software/safecat.html
> > which delivers messages from stdin to a Maildir specified on the cmdline.
> > Along with the safecat comes a maildir sh-script that is a wrapper for
> > safecat and makes things shorter.
> >
> > info: |/usr/local/bin/maildir /var/spool/pubfolders/.info
> > contact: |/usr/local/bin/maildir /var/spool/pubfolders/.info
> > sales: |/usr/local/bin/maildir /var/spool/pubfolders/.sales
> >
> > To work around permission problems I have made the safecat program
> > setuid dovecot user, executable for owner and group and gave it to the
> > group postfix handles aliases deliveries with, e.g.:
> > ---s--x--- 1 dovecotu mail 21024 Oct 19 14:26 /usr/local/bin/safecat
> >
> > HTH,
> > \Maex
> >
> > --
> > Markus Stumpf

Adam,

Thanks for pointing that out, sounds promising now! ;)



Re: [Dovecot] SSL/TLS with Outlook client

2007-11-13 Thread Ed W

Nikolay Shopik wrote:

> On 13.11.2007 4:22, Jonathan Bond-Caron wrote:
>
> > Anyone have any solution to this?
> >
> > I'm also getting a "The target principal name is incorrect." in Outlook
> > 2007
> >
> > Is this a problem with dovecot?
>
> That's probably because your CN doesn't match your server in the
> certificate. Are you using a self-signed certificate?

Is there any way around this if you have an IP and lots of A records
pointing at it?

As I understand it mail clients are going to whinge if you use any name
other than the one which is in the certificate?  My simple research
suggests that they don't do a lookup, then a reverse lookup and compare
that?

It's a problem with vhosted domains...  Any suggestions?

Ed W


Re: [Dovecot] Using Dovecot as Asterisk PBX voicemail server

2007-11-13 Thread Kenneth Porter
--On Monday, November 12, 2007 6:49 PM -0500 Andrew Girling
[EMAIL PROTECTED] wrote:

> One possible solution is that you grant Asterisk access to the mailboxes
> as a master user with a (strong) master password.  See the wiki
> for more information:
>
> http://wiki.dovecot.org/Authentication/MasterUsers

Excellent, that looks like a perfect solution to the problem.




[Dovecot] Enhanced Kerberos support

2007-11-13 Thread Richard A Nelson


The recent addition of auth_gssapi_hostname is a welcome addition, but a
little more is needed for multi-homed (or multi-domained) sites.

SSH recently added this enhancement to address this common need:

 GSSAPIStrictAcceptorCheck
 Determines whether to be strict about the identity of the GSSAPI
 acceptor a client authenticates against. If “yes” then the client must
 authenticate against the host service on the current hostname. If “no”
 then the client may authenticate against any service key stored in the
 machine’s default store. This facility is provided to assist with
 operation on multi homed machines.  The default is “yes”.  Note that
 this option applies only to protocol version 2 GSSAPI connections, and
 setting it to “no” may only work with recent Kerberos GSSAPI libraries.

I've heard that other daemons support multiple names by, instead of using
gethostname(), obtaining the hostname of the interface that the request
came in on.

Can either approach be looked at for dovecot?

Thanks,
--
Richard A Nelson (Rick)cowboy@((linux.)?vnet|us).ibm.com
Phone: 1-408-463-5584  Fax: 1-408-463-3873
COBOL Development  IBM Silicon Valley Laboratory
http://www.ibm.com/software/awdtools/cobol/



Re: [Dovecot] SSL/TLS with Outlook client

2007-11-13 Thread Hugo Monteiro

Eli Sand wrote:

> Nikolay Shopik wrote:
>
> > Usually it works like this. You configure your mail client with an
> > address like mail.example.com; when the mail client establishes a
> > connection to the server and receives the certificate, it compares the
> > CN with the current configuration in it. So if you configure connect to
> > mx.example.com but server receive certificate with CN=mail.example.com
> > it should warn you. It doesn't do any PTR lookups.
>
> I have experimented with Outlook 2k7 and valid certificates from CACert and
> I am unable to say that this is for sure how Outlook is behaving.
>
> I have tested with a wildcard cert, and names of both the MX record and the
> A record configured in the mail client.  All three of which produced the
> same ultimate "The target principal name is incorrect." error.  The
> certificate is valid and I do have the root CA certs loaded in Windows
> correctly.

Ah ... wildcard certs .. from what I recall, certs issued like
*.example.com were not very well accepted by M$ clients. You should test
against non wildcard certs and see how it behaves.


Regards,

Hugo Monteiro.

--
ci.fct.unl.pt:~# cat .signature

Hugo Monteiro
Email: [EMAIL PROTECTED]
Telefone : +351 212948300 Ext.15307

Centro de Informática
Faculdade de Ciências e Tecnologia da
   Universidade Nova de Lisboa
Quinta da Torre   2829-516 Caparica   Portugal
Telefone: +351 212948596   Fax: +351 212948548
www.ci.fct.unl.pt [EMAIL PROTECTED]

ci.fct.unl.pt:~# _



Re: [Dovecot] SSL/TLS with Outlook client

2007-11-13 Thread Eli Sand
Hugo Monteiro wrote:
> Ah ... wildcard certs .. from what i recall, certs issued like
> *.example.com were not very well accepted by M$ clients. You should
> test against non wildcard certs and see how it behaves.

Already have and no luck :(  My domain is elisand.com and I have tried
*.elisand.com, mx1.elisand.com (I believe that's what my MX record is... if
not, whatever it is is what I tried) and mail.elisand.com which is the
smtp/imap server name I use in Outlook.  All three yield the same result :(

Eli.



Re: [Dovecot] SSL/TLS with Outlook client

2007-11-13 Thread Hugo Monteiro

Eli Sand wrote:

> Hugo Monteiro wrote:
>
> > Ah ... wildcard certs .. from what i recall, certs issued like
> > *.example.com were not very well accepted by M$ clients. You should
> > test against non wildcard certs and see how it behaves.
>
> Already have and no luck :(  My domain is elisand.com and I have tried
> *.elisand.com, mx1.elisand.com (I believe that's what my MX record is... if
> not, whatever it is is what I tried) and mail.elisand.com which is the
> smtp/imap server name I use in Outlook.  All three yield the same result :(
>
> Eli.

I have taken the liberty to connect to your server using openssl, and I've
seen the following:

$ openssl s_client -CApath /usr/share/ca-certificates/cacert.org/ -connect mail.elisand.com:993

CONNECTED(0003)
depth=1 /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/[EMAIL PROTECTED]
verify return:1
depth=0 /CN=*.elisand.com
verify return:1
---
Certificate chain
 0 s:/CN=*.elisand.com
   i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/[EMAIL PROTECTED]
---

I believe you should change two things. If the name you wish to use on
your clients is mail.elisand.com, then the certificate should read
CN=mail.elisand.com. Furthermore, it's always a good idea to provide the
chaining certificate path on dovecot's side. Try using the ssl_ca_file
directive in dovecot's configuration.


Regards,

Hugo Monteiro.


--
ci.fct.unl.pt:~# cat .signature

Hugo Monteiro
Email: [EMAIL PROTECTED]
Telefone : +351 212948300 Ext.15307

Centro de Informática
Faculdade de Ciências e Tecnologia da
   Universidade Nova de Lisboa
Quinta da Torre   2829-516 Caparica   Portugal
Telefone: +351 212948596   Fax: +351 212948548
www.ci.fct.unl.pt [EMAIL PROTECTED]

ci.fct.unl.pt:~# _
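
An added example, not from any poster in this thread: the comparison discussed above, where the client checks the name it was configured with against the names in the certificate and does no DNS or PTR lookup. The wildcard rules used here (whole left-most label only, exactly one label) follow common RFC 6125-style practice and are an assumption beyond the thread; an individual client may be stricter. Function names are illustrative, and two of the client names are constructed.

```python
import re

def leaf_cn(subject):
    """Extract the CN from an openssl one-line subject such as '/CN=*.elisand.com'."""
    m = re.search(r"/CN=([^/]+)", subject)
    return m.group(1) if m else None

def name_matches(pattern, hostname):
    """Compare a certificate name with the name the client was configured with.

    Case-insensitive, label by label. A '*' is honoured only as the whole
    left-most label, stands for exactly one label, and needs at least two
    fixed labels after it.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def uncovered(cert_names, configured_names):
    """Return the configured names that no certificate name covers."""
    return [n for n in configured_names
            if not any(name_matches(c, n) for c in cert_names)]

# Leaf subject from the s_client output above; the first two client names are
# from the thread, the last two are constructed to show the wildcard's limits.
CERT_NAMES = [leaf_cn("/CN=*.elisand.com")]
CLIENT_NAMES = ["mail.elisand.com", "mx1.elisand.com",
                "elisand.com", "imap.mail.elisand.com"]
```

For a server reached under several names, pass every DNS name the certificate carries (the CN and any subjectAltName entries) as `cert_names` and every name clients are configured with as `configured_names`; an empty result means each client name is covered.
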



Re: [Dovecot] SSL/TLS with Outlook client

2007-11-13 Thread Nikolay Shopik
Agree with Hugo: most root CAs have intermediate certificates which should be
supplied with your server certificate. Otherwise the chain won't work and
clients won't trust it.

- original message -
Subject:Re: [Dovecot] SSL/TLS with Outlook client
From:   Hugo Monteiro [EMAIL PROTECTED]
Date:   14/11/2007 00:14

Eli Sand wrote:
> Hugo Monteiro wrote:
>
> > Ah ... wildcard certs .. from what i recall, certs issued like
> > *.example.com were not very well accepted by M$ clients. You should
> > test against non wildcard certs and see how it behaves.
>
> Already have and no luck :(  My domain is elisand.com and I have tried
> *.elisand.com, mx1.elisand.com (I believe that's what my MX record is... if
> not, whatever it is is what I tried) and mail.elisand.com which is the
> smtp/imap server name I use in Outlook.  All three yield the same result :(
>
> Eli.

I have taken the liberty to connect to your server using openssl, and I've
seen the following:

$ openssl s_client -CApath /usr/share/ca-certificates/cacert.org/ -connect mail.elisand.com:993
CONNECTED(0003)
depth=1 /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/[EMAIL PROTECTED]
verify return:1
depth=0 /CN=*.elisand.com
verify return:1
---
Certificate chain
 0 s:/CN=*.elisand.com
   i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/[EMAIL PROTECTED]
---

I believe you should change two things. If the name you wish to use on
your clients is mail.elisand.com, then the certificate should read
CN=mail.elisand.com. Furthermore, it's always a good idea to provide the
chaining certificate path on dovecot's side. Try using the ssl_ca_file
directive in dovecot's configuration.

Regards,

Hugo Monteiro.


-- 
ci.fct.unl.pt:~# cat .signature

Hugo Monteiro
Email: [EMAIL PROTECTED]
Telefone : +351 212948300 Ext.15307

Centro de Informática
Faculdade de Ciências e Tecnologia da
   Universidade Nova de Lisboa
Quinta da Torre   2829-516 Caparica   Portugal
Telefone: +351 212948596   Fax: +351 212948548
www.ci.fct.unl.pt [EMAIL PROTECTED]

ci.fct.unl.pt:~# _