[Dovecot] checkpassword migration script in Python
Hey all,

First post to the list, so here goes, hope I don't break any rules (I didn't see any rules about not being overly verbose).

I spent a long time looking for anything that would help me migrate from our old IMAP server to our new one without a lot of client-side fuss, multiple e-mail accounts, and so on. I find that a lot of our users get confused by having two 'inboxes' in Outlook (one local, unused, and one IMAP), so I figured the easier I could make it, the better. I figured there must be some way to do what I was looking for, but I couldn't find it, so I hacked up a little something to do the job. As the saying goes, it's nasty, brutish, and short, but in my tests it's done everything I needed it to.

The problem:

Our old mail system is hosted by another company, outsourced before I was hired, so I don't have access to the old user/passwd database, nor to their e-mail store; thus, I cannot do a clean, simple migration by upgrading in-place as I have done on other servers.

The solution:

IMAP authentication proxying. The idea is that I don't need to know the password, because the user's mail client knows the password, so all I need is for it to tell me, and then I can create their user. That is what this script is for.

To use, set up your authentication backend (passdb) first, and then after that section, add a 'passdb checkpassword' section containing this script. Thus, the following will happen.

1. Valid users who log into your system will be authenticated as you would expect.
2. Users who could not be authenticated will fall through to the checkpassword section.
3. Checkpassword will look for the user in the password database; if they exist, it is assumed that it is a valid user, but incorrect password, and checkpassword fails the user as well.
4. If the user is not currently in the database, it will initiate an IMAP4 connection to the remote host specified. If it succeeds in logging in to the remote host, then we assume that the user is a valid user and can be migrated to the local server. They are added to the database, along with their password. It then **fails the user's login regardless**.
5. It /logs the username and password into the database/ so that another process can use that information to migrate their e-mail over to the new server (not yet implemented).
6. If the IMAP connection fails, the login is failed as well, and dovecot continues as normal until it has exhausted all other passdb backends.

Interested? A few things to note about the script:

1. It's a brutal hack. Really, ugly stuff. However, it gets the job done, if your system is similar enough to mine.
2. It only works on MySQL. I only use MySQL in our system, so there's no point for me to add other DBs, nor any way to test.
3. It doesn't support remote servers using SSL. Our current system doesn't use it, so again, it's hard to test.
4. It does not currently migrate mailboxes. I'm working on this (see below).
5. If your schema is at all different from mine, you will likely have to rewrite all of the SQL. There's not much I can do about this.
6. If your backend database doesn't use MySQL, you're largely boned. Exception: rewrite add_user() to do whatever you need to do to add users to your system.
7. The script will **ALWAYS RETURN A FAILED LOGIN TO DOVECOT**. This is because there are too many variables on every configuration, and writing code for all of them is absurd. This way, the user's first login will always fail, and their second login will always succeed. If you want to avoid this, place your normal passdb authentication **both before and after this checkpassword section**. That way, it will check once, fail, pass to checkpassword, and then check again, success.

TODO:

1. Make it not ugly. Break more junk off into functions (e.g. IMAP verification)
2. Send the user an e-mail ('Welcome to the server, sorry your mail is gone, we'll fix that soon')
3. Spawn another process to run imapsync in the background to migrate the user's old mailboxes over. This would be very site-dependent, as there are a lot of variables. It might be best done as a cronjob that polls the database every however often (1 minute? 2 minutes?) or a daemon that sits in the background watching the db for changes, or even accepting the data directly.
4. Stop being so verbose in my first postings to mailing lists.
5. Lots of other things.

URLS

Blah blah blah where's the code. Here you go.

Pretty syntax-highlighted version for browsing before you download, in case I'm an evil hacker:
http://cdslash.net/temp/python/checkpassword.py

Ugly monochrome version for downloading so you don't get line numbers in your junk:
http://cdslash.net/temp/python/checkpassword.raw

Questions, comments? I probably won't be on the list very long, so if you want to ask something or have a suggestion, feel free to let me know by
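
The login flow described in the message above, as an added example that is not part of the original post and is not the author's script. The function names, the callback parameters and the sample data are assumptions made for illustration; under Dovecot the payload would be read from file descriptor 3, and remote_imap_login uses IMAP over TLS, which the script in the post does not support.

```python
import imaplib

AUTH_FAIL = 1  # checkpassword exit status for a rejected login


def parse_checkpassword_input(data):
    """Split the NUL-separated fd 3 payload (user, password, timestamp)."""
    fields = data.split(b"\x00")
    if len(fields) < 3 or not fields[0]:
        raise ValueError("malformed checkpassword input")
    return fields[0].decode("utf-8"), fields[1].decode("utf-8")


def remote_imap_login(host, user, password):
    """Hypothetical helper: True if the old server accepts the credentials.
    Uses IMAP over TLS, unlike the script in the post, which has no SSL support."""
    conn = imaplib.IMAP4_SSL(host)
    try:
        conn.login(user, password)
        return True
    except imaplib.IMAP4.error:
        return False
    finally:
        conn.logout()


def handle_login(data, user_exists, verify_remote, add_user):
    """Return (exit_status, outcome). The status is always AUTH_FAIL, as in the
    post: a migrated user only succeeds on the next login attempt."""
    try:
        user, password = parse_checkpassword_input(data)
    except ValueError:
        return AUTH_FAIL, "malformed"
    if user_exists(user):  # step 3: known user, so the password was wrong
        return AUTH_FAIL, "known-user"
    try:
        accepted = verify_remote(user, password)
    except OSError:  # step 6: connection to the old server failed
        return AUTH_FAIL, "remote-unreachable"
    if not accepted:
        return AUTH_FAIL, "rejected"
    add_user(user, password)  # steps 4-5: create the user for later migration
    return AUTH_FAIL, "migrated"


if __name__ == "__main__":
    users = {"alice": "constructed-sample"}  # constructed stand-in for the MySQL table
    old_server = {"bob": "s3cret"}           # constructed stand-in for the old IMAP host
    check = lambda u, p: old_server.get(u) == p
    print(handle_login(b"bob\x00s3cret\x001220451447\x00", users.__contains__,
                       check, users.__setitem__))
```
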
[Dovecot] umask and mails
Hello.

I would like to have rights like 750 in my mailboxes (in /var/mail/vmails/domain.tld/user).

http://wiki.dovecot.org/DovecotServerInstallations/RHEL/2_Users?highlight=(mask)

I see an option called umask (in dovecot.conf). I set umask = 0750 in dovecot.conf. This option adds good rights to directories, but not to the mail received (always in 700).

Do you have a solution?

Thanks.

--
- Nicolas.
[Dovecot] Expire Plugin
I was struggling for a while to get the expire plugin to expunge mail. I was using (and still would like to use) PAM as passdb and passwd as userdb, but with this I could not get the expire-tool to delete any mails. For debugging purposes I switched to passwd-file as userdb/passdb and enabled mail_debug=yes.

1. passwd-file contains home directory and userdb_mail (-working!)

/etc/dovecot/dovecot.users:
    foo:{plain}:2004:100::/home/foo::userdb_mail=maildir:~/Maildir

[EMAIL PROTECTED]:# dovecot --exec-mail ext /usr/local/libexec/dovecot/expire-tool --test
    Info: maildir: data=~/Maildir
    Info: maildir++: root=/home/foo/Maildir, index=, control=, inbox=/home/foo/Maildir
    Info: Trash: seq=1 uid=2586: Expunge
    Info: Trash: timestamp 1220392046 - 1220451447

2. passwd-file contains home directory only (-not working!)

/etc/dovecot/dovecot.users:
    foo:{plain}:2004:100::/home/foo

[EMAIL PROTECTED]:# dovecot --exec-mail ext /usr/local/libexec/dovecot/expire-tool --test
    Info: maildir: data=/root/Maildir
    Info: maildir++: root=/root/Maildir, index=, control=, inbox=/root/Maildir
    Error: stat(/root/Maildir/.Trash/tmp) failed: Permission denied (euid=2005 egid=100)

The expire-tool doesn't find foo's mailbox even if mail_location is set globally in the configuration file (please see below). This is exactly the same result as when using PAM and passwd. So I guess there is something wrong with user lookup or setting/expanding HOME and MAIL in the expire-tool.
[EMAIL PROTECTED]:# dovecot -n
# 1.1.3: /etc/dovecot/dovecot.conf
log_path: /var/log/mail/dovecot.log
info_log_path: /var/log/mail/dovecot.log
ssl_disable: yes
disable_plaintext_auth: no
login_dir: /var/run/dovecot/login
login_executable: /usr/local/libexec/dovecot/imap-login
login_process_size: 16
max_mail_processes: 16
mail_location: maildir:~/Maildir
mail_debug: yes
mail_process_size: 64
mail_plugins: quota imap_quota expire
auth default:
  passdb:
    driver: passwd-file
    args: scheme=plain /etc/dovecot/dovecot.users
  userdb:
    driver: passwd-file
    args: /etc/dovecot/dovecot.users
  socket:
    type: listen
    client:
      path: /var/run/dovecot/auth-client
      mode: 432
      user: dovecot
      group: mail
    master:
      path: /var/run/dovecot/auth-master
      mode: 384
plugin:
  quota: maildir
  quota_rule: *:storage=1GB
  quota_rule2: Trash:storage=10%%
  expire: Trash 1 Junk 1
  expire_dict: proxy::expiredict
dict:
  expiredict: db:/var/lib/dovecot/expire.db
Re: [Dovecot] umask and mails
Nicolas Letellier wrote:
> Hello.
>
> I would like to have rights like 750 in my mailboxes (in /var/mail/vmails/domain.tld/user).
>
> http://wiki.dovecot.org/DovecotServerInstallations/RHEL/2_Users?highlight=(mask)
>
> I see an option called umask (in dovecot.conf). I set umask = 0750 in dovecot.conf. This option add good rights to directories, but not to the mail received (always in 700).
>
> Do you have a solution?

That setting is deprecated, don't use it (it does not work anyway).

Create a file named 'dovecot-shared' in each of your folders, give it the mode you want your files to have, and files will be created with that mode. See http://wiki.dovecot.org/SharedMailboxes for details.

--
Pure drivel tends to drive ordinary drivel off the TV screen.

Eduardo M KALINOWSKI
[EMAIL PROTECTED]
http://move.to/hpkb
[Dovecot] 1.1.3 panics
Hi,

Installed Dovecot 1.1.3 today and started receiving panic errors on a few of our users:

    dovecot: [ID 107833 mail.crit] Panic: IMAP(xx): file mail-index-transaction-view.c: line 204: unreached

When I upgraded, I deleted all of our users index files so it started with a clean slate. We are running mbox format over NFS with fsquota plugin on Solaris 8.

Here is output of dovecot -n:

base_dir: /var/run/dovecot/
protocols: imap
ssl_disable: yes
disable_plaintext_auth: no
login_dir: /var/run/dovecot//login
login_executable: /usr/local/dovecot/libexec/dovecot/imap-login
login_user: daemon
login_log_format_elements: user=%u ip=%r
mail_max_userip_connections: 5
first_valid_uid: 100
last_valid_uid: 128000
mail_privileged_group: mail
mail_location: mbox:~/Mail:INBOX=/var/mail/%u:INDEX=/var/indexes/local/%u
mail_nfs_storage: yes
mbox_write_locks: fcntl
mbox_lock_timeout: 180
mbox_lazy_writes: no
mail_plugins: quota imap_quota
namespace:
  type: private
  separator: /
  inbox: yes
  list: yes
  subscriptions: yes
namespace:
  type: private
  separator: /
  prefix: Mail/
  hidden: yes
  subscriptions: yes
auth default:
  mechanisms: plain login
  failure_delay: 5
  debug: yes
  debug_passwords: yes
  passdb:
    driver: shadow
  userdb:
    driver: passwd
plugin:
  quota: fs

--
Dean Brooks
[EMAIL PROTECTED]
Re: [Dovecot] 1.1.3 panics
On Sep 3, 2008, at 5:47 PM, Dean Brooks wrote:
> dovecot: [ID 107833 mail.crit] Panic: IMAP(xx): file mail-index-transaction-view.c: line 204: unreached

Could you get gdb backtrace? http://dovecot.org/bugreport.html
Re: [Dovecot] umask and mails
On Wed, 03 Sep 2008 08:08:39 -0300 Eduardo M KALINOWSKI [EMAIL PROTECTED] wrote:
> Nicolas Letellier wrote:
> > Hello.
> >
> > I would like to have rights like 750 in my mailboxes (in /var/mail/vmails/domain.tld/user).
> >
> > http://wiki.dovecot.org/DovecotServerInstallations/RHEL/2_Users?highlight=(mask)
> >
> > I see an option called umask (in dovecot.conf). I set umask = 0750 in dovecot.conf. This option add good rights to directories, but not to the mail received (always in 700).
> >
> > Do you have a solution?
>
> That setting is deprecated, don't use it (it does not work anyway).
>
> Create a file named 'dovecot-shared' in each of your folders, give it the mode you want your files to have, and files will be created with that mode. See http://wiki.dovecot.org/SharedMailboxes for details.

Thanks a lot!

--
-Nicolas.
Re: [Dovecot] Dovecot ManageSieve + ingo or avelsieve
on 9/3/08 5:06 PM, Olivier Dijoux wrote:
> does anyone got Dovecot ManageSieve and Horde/Ingo working together ? (...)

well, I found the trick: Ingo stores its own copy of sieve rules into the Horde preference backend system, seems it doesn't read/parse rules from ManageSieve server, but can only push them.

so after setup the Horde backend correctly to MySQL, everything works fine; i can edit sieve rules, they are stored into horde/ingo SQL prefs backend, and then uploaded via ManageSieve into Dovecot server

however i would consider avelsieve, as it can parse (GETSCRIPT) and push (PUTSCRIPT) sieve rules via ManageSieve, that's probably better if I offer ManageSieve tcp/2000 service to my users so they can use their own managesieve clients...

anyway, does ManageSieve patch for Dovecot v1.1.3 exists yet ?

--
Olivier