Re: [Dovecot] client certs with godaddy ssl cert
On Saturday 27 September 2008 03:43:19 Harondel J. Sibble wrote:
> I've read the client ssl cert section in the wiki and it talks about using a self signed cert. If I am using a commercial cert, in this case godaddy, how do I implement a self signed cert for the client side and have dovecot make use of this? I know the mechanics of setting up the self signed ca, the question is more what configuration changes do I need to make in dovecot to handle both godaddy and the self signed ca functionality?

If I understand you correctly, you're using the godaddy certificate as the server certificate only. This is fine, AFAIK the server certificate can be completely independent from any client certificate.

What is important: you can not self-sign each client certificate, but you need a CA with a self-signed root instead. I think you understand that already, just noting that for completeness.

Then you simply configure Dovecot as described in http://wiki.dovecot.org/SSL/DovecotConfiguration

In short: put your godaddy SSL certificate, and then the complete hierarchy of godaddy CA certificates (I don't know how many levels they have) in (e.g.) /etc/ssl/dovecot.pem, and set ssl_cert_file=/etc/ssl/dovecot.pem. Don't forget to set the path to your private key or add it to the beginning of your cert file. This handles SSL/TLS for the server.

Then create the CA root certificate, and any sub-CA certificates if you want to implement a multi-level CA. For each hierarchy level generate a CRL (Certificate Revocation List). Then, from the most specific sub-CA down to the root, concatenate each CA cert and the corresponding CRL into one file, and set this file as ssl_ca_file. The order is important, and needs to be (if existing):

* Issuing CA cert
* Issuing CA CRL
* Intermediate CA cert
* Intermediate CA CRL
* Root CA cert
* Root CA CRL

Then configure client cert verification as described in the last section of the above mentioned wiki page.
To sum it up: ssl_cert_file is responsible for server side TLS/SSL and needs to contain the complete verification path for the server certificate. It has no influence on client certs. ssl_ca_file is used for client cert verification only, and does not need to cover the server certificate. So you can use a commercial server cert and the self-managed client certs.

You might want to consider though: your clients need to import the client cert you issue, and your root CA certificate as a trusted cert. If *all your SSL/TLS clients* also get a client cert, you can also issue the server cert yourself; a commercial cert provides no extra value in that case.

Regards,
Rainer Frey

-- 
Software Developer -- Inxmail GmbH
[EMAIL PROTECTED], www.inxmail.de
Handelsregister Freiburg, HRB 5870, Ust.-ID: DE198371679
Geschäftsleitung: Martin Bucher, Peter Ziras
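The procedure Rainer describes, carried through end to end as an added example (this is not code from the thread, from Dovecot or from its wiki): a two-level private CA built with the openssl command line, one client certificate issued by the sub-CA, one CRL per level, and ssl_ca_file assembled in the order given above (issuing CA cert, issuing CA CRL, root CA cert, root CA CRL). The server cert stays whatever commercial cert you already have; it is not touched here. The chain is then checked the way Dovecot hands it to OpenSSL, with CRL checking at every level, once before and once after revoking the client cert. Every subject name, file name, path and Dovecot setting value shown is an assumption for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from Dovecot: build the private
# CA Rainer describes (root CA -> issuing CA -> client cert) with the openssl
# CLI, publish one CRL per level, and assemble ssl_ca_file in the order he
# gives: issuing CA cert, issuing CA CRL, root CA cert, root CA CRL.
# Every subject, file name and path below is an assumption for illustration.
set -eu

# Build root CA, issuing CA and one client cert under directory $1.
build_ca_bundle() {
    d=$1
    # 'openssl req -new' wants a distinguished_name section in its config even
    # when -subj supplies the real subject, so give it a minimal one.
    printf '[ req ]\ndistinguished_name = dn\nprompt = no\n[ dn ]\nCN = unused\n' > "$d/req.cnf"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca_ext.cnf"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' > "$d/client_ext.cnf"
    for ca in root issuing; do
        mkdir -p "$d/$ca"
        : > "$d/$ca/index.txt"
        echo 01 > "$d/$ca/crlnumber"
        # 'openssl ca' config holding only what -gencrl and -revoke need.
        cat > "$d/$ca/ca.cnf" <<EOF
[ ca ]
default_ca = local
[ local ]
database = $d/$ca/index.txt
crlnumber = $d/$ca/crlnumber
certificate = $d/$ca/cert.pem
private_key = $d/$ca/key.pem
default_md = sha256
default_crl_days = 30
EOF
        openssl genrsa -out "$d/$ca/key.pem" 2048 2>/dev/null
    done
    openssl genrsa -out "$d/client.key" 2048 2>/dev/null

    # Root CA: self-signed, CA:TRUE plus cRLSign so its CRL verifies.
    openssl req -new -config "$d/req.cnf" -key "$d/root/key.pem" \
        -subj "/CN=Example Root CA" -out "$d/root/csr.pem" 2>/dev/null
    openssl x509 -req -in "$d/root/csr.pem" -signkey "$d/root/key.pem" -days 3650 \
        -sha256 -extfile "$d/ca_ext.cnf" -out "$d/root/cert.pem" 2>/dev/null
    # Issuing (sub) CA: signed by the root.
    openssl req -new -config "$d/req.cnf" -key "$d/issuing/key.pem" \
        -subj "/CN=Example Issuing CA" -out "$d/issuing/csr.pem" 2>/dev/null
    openssl x509 -req -in "$d/issuing/csr.pem" -CA "$d/root/cert.pem" -CAkey "$d/root/key.pem" \
        -CAcreateserial -days 1825 -sha256 -extfile "$d/ca_ext.cnf" -out "$d/issuing/cert.pem" 2>/dev/null
    # Client cert for one device, signed by the issuing CA.
    openssl req -new -config "$d/req.cnf" -key "$d/client.key" \
        -subj "/CN=alice@example.com" -out "$d/client.csr" 2>/dev/null
    openssl x509 -req -in "$d/client.csr" -CA "$d/issuing/cert.pem" -CAkey "$d/issuing/key.pem" \
        -CAcreateserial -days 365 -sha256 -extfile "$d/client_ext.cnf" -out "$d/client.pem" 2>/dev/null
    write_bundle "$d"
}

# Regenerate one CRL per level and concatenate in the order from the thread.
write_bundle() {
    d=$1
    for ca in root issuing; do
        openssl ca -config "$d/$ca/ca.cnf" -gencrl -out "$d/$ca/crl.pem" 2>/dev/null
    done
    cat "$d/issuing/cert.pem" "$d/issuing/crl.pem" \
        "$d/root/cert.pem" "$d/root/crl.pem" > "$d/ssl_ca_file.pem"
}

# Chain check plus CRL check at every level, using only the bundle Dovecot
# would get as ssl_ca_file. Prints OK or REJECTED.
verify_client() {
    if openssl verify -crl_check_all -CAfile "$1/ssl_ca_file.pem" "$1/client.pem" >/dev/null 2>&1
    then echo OK; else echo REJECTED; fi
}

# Revoke the client cert at the issuing CA and republish the bundle.
revoke_client() {
    openssl ca -config "$1/issuing/ca.cnf" -revoke "$1/client.pem" 2>/dev/null
    write_bundle "$1"
}

# Sequence of PEM block types in ssl_ca_file, to eyeball the ordering.
bundle_order() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1/ssl_ca_file.pem" | tr '\n' ' ' | sed 's/ $//'
}

d=$(mktemp -d)
build_ca_bundle "$d"
echo "ssl_ca_file blocks: $(bundle_order "$d")"
echo "client before revocation: $(verify_client "$d")"
revoke_client "$d"
echo "client after revocation:  $(verify_client "$d")"
# Dovecot 1.x settings that go with these files (all paths assumed).
cat <<EOF
ssl_cert_file = /etc/ssl/dovecot.pem
ssl_key_file = /etc/ssl/dovecot.key
ssl_ca_file = $d/ssl_ca_file.pem
ssl_verify_client_cert = yes
auth default {
  ssl_require_client_cert = yes
}
EOF
rm -rf "$d"
```

Two things worth checking on a real deployment: `bundle_order` should print `CERTIFICATE X509 CRL CERTIFICATE X509 CRL` (one cert/CRL pair per level, most specific first), and the post-revocation run must say REJECTED, which only happens if the CRL for the issuing level is actually in the bundle and not past its nextUpdate. A CRL with default_crl_days = 30 that nobody regenerates silently turns every client cert into a verification failure after a month, so republishing the bundle belongs in a cron job, and Dovecot needs a reload to pick up the new file.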
Re: [Dovecot] Managesieve Quota
Seth Mattinen wrote:
> Has anyone (is anyone) working on adding quota support to dovecot's managesieve server? I was thinking about giving it a shot myself and I'd hate to duplicate work. It would be something very basic like a max bytes setting and the total sieve storage per user isn't allowed to exceed it.

It is on my TODO list as you can see in the package's TODO file. However, currently, finishing the first release of the new Sieve implementation has priority.

Regards,

-- 
Stephan Bosch
Mail: [EMAIL PROTECTED]
Room: Zi 4006
Re: [Dovecot] client certs with godaddy ssl cert
Harondel J. Sibble wrote:
> On 27 Sep 2008 at 13:22, mouss wrote:
>> if you have a commercial cert, you don't need a self signed cert. self signed certs are for people who don't want to get a cert signed by a 3rd party (commercial or other). For email, you generally don't need a commercial certificate because your users know you and you know them, and because users don't connect to thousands of imap servers.
>
> Huh? I am looking to implement client side certificates which have to be installed on the end user device before they are able to connect to my mailserver.

sorry, I missed the client part. but if you sign the client certificate, the commercial CA becomes irrelevant.

> I already have a commercial cert on the mailserver so that's a moot point. Secondly a client cert allows me to verify that the device connecting is allowed, this is secondary to any login info the user may have, ie 2 factor authentication, something you know (uid/password) and something you have (certificate).

Will you consider any certificate signed by the commercial CA as valid? if so, then you don't need to sign the certificates if you use only one CA.

what would be nice would be the support of a db of fingerprints (as in postfix) so that one can accept certificates independently of the CA, and only accept authorized ones.
[Dovecot] fs quota and sieve script - other place for compiled script
Hello,

lately I deployed a Sieve script for all accounts, even those already over quota. I use fs quota, which led to the problem that the compiled script could not be spooled into the home directory because of the over quota condition.

Although Sieve is not directly related to the mail storage, it would be a good thing to have the compiled scripts somewhere in the INDEX= tree or some other non-quota partition.

I hope that nobody is able to upload a GB Sieve script to try to fill the non-quota partition ;-)

Bye,

-- 
Steffen Kaiser
Re: [Dovecot] Managesieve Quota
On Thu, 2008-09-25 at 09:40 -0700, Seth Mattinen wrote:
> Has anyone (is anyone) working on adding quota support to dovecot's managesieve server? I was thinking about giving it a shot myself and I'd hate to duplicate work. It would be something very basic like a max bytes setting and the total sieve storage per user isn't allowed to exceed it.

I think it would be nice to be able to use the standard quota plugin with managesieve so that all the same backends and configuration could be used. The main problem I see is: does anyone want (or need) to have the mail and sieve quota shared, instead of specifying separate limits for them? With shared quota the code will probably have to have some kind of sieve hardcoding or write some kind of state files so it knows where to look when recalculating quota. So preferably no-one needs this. :)

So without shared quota they could be configured as sievestorage and sievefiles which would also be visible using IMAP quota commands. Configuration could go like:

quota = dict:::proxy::quota
quota_rule = *:storage=100M:sievestorage=1M:sievefiles=10

I guess this would currently complain about sievestorage and sievefiles being unknown settings, so perhaps the idea would still need some more thinking. I suppose the idea of showing the sieve quota in the IMAP process could be dropped and instead the quota_rule would just be different for IMAP and managesieve processes with both using storage/messages limits. And of course the quota plugin would need to be modified so that it supports counting arbitrary files instead of only messages.
[Dovecot] Use bacula to do backups/restores
Hi,

I'm already using Bacula for a lot of backup jobs and I also want to back up mail which is stored on a server. The mail is stored in Maildirs which I could back up at filesystem level. But when I restore such a backup strange things happen. My mail client shows some mails twice and most of the restored mails are unread. I think I'm missing some important IMAP things.

Martijn
Re: [Dovecot] Bug? Expunging Symlinked Maildir w/ Lazy_expunge Enabled
On Saturday, 22 September 2007 at 16:40, Timo Sirainen wrote:
> Right. The symlink isn't the problem, the problem is that it's on a different filesystem so rename() fails. There are two ways to handle this:
>
> 1) Copy the message to the other filesystem. This is slow.
> 2) Just unlink() the message.

So, if I'm right, lazy_expunge is not usable with quota=fs. Is this correct?

-- 
Joseba Torre. CIDIR Bizkaia.
Re: [Dovecot] client certs with godaddy ssl cert
Harondel J. Sibble wrote:
> On 27 Sep 2008 at 13:22, mouss wrote:
>> if you have a commercial cert, you don't need a self signed cert. self signed certs are for people who don't want to get a cert signed by a 3rd party (commercial or other). For email, you generally don't need a commercial certificate because your users know you and you know them, and because users don't connect to thousands of imap servers.
>
> Huh? I am looking to implement client side certificates which have to be installed on the end user device before they are able to connect to my mailserver.

Right. You need to keep track of what client certs you trust, so you really should be *at least* the immediate issuer (signer) of the client certs. The only reasons you would want your signing cert for those client certs to have a commercial issuer would be:

1. You want the client certs to be generally usable with those devices and servers other than your own.
2. The devices do not support the addition of new root certificates (i.e. your signing cert.)

> I already have a commercial cert on the mailserver so that's a moot point.

It is also likely to be irrelevant. The signature chain of a server's cert does not influence what signing chain a client cert needs to have.

> Secondly a client cert allows me to verify that the device connecting is allowed, this is secondary to any login info the user may have, ie 2 factor authentication, something you know (uid/password) and something you have (certificate).

That is only true if you are using a dependable mechanism to assure that users will actually be required to enter a password live rather than have their mail client save it
Re: [Dovecot] Converting from MBOX to Maildir broke procmail and Spamassasin and halted incoming mail
On Wed, 2008-09-17 at 12:39 -0600, Dan Roberts wrote:
> I did have success in getting my mail accounts converted from mbox to maildir, but then ran aground. I could see all of my existing mail and create new folders, but I could not see any of my incoming mail. What I was late in realizing was that I needed to also adjust the settings for my LDA, which as I am using sendmail is procmail, and it was suggested that I needed to adjust /etc/procmail to include the line DEFAULT=$HOME/Maildir/ I did that, but new mail still didn't show up correctly. I can only assume that I have something still not properly adjusted in my procmail settings.
[...]
> In each users Home directory I have a .procmailrc file that further directs things on a user level. For my directory this file is currently
> ---
> [EMAIL PROTECTED] ~]$ cat .procmailrc
> MAILDIR=$HOME/mail
> PROBABLYJUNK = /home/dan/mail/probably-spam
                 ^^              ^^
> :0 H
> * ^X-Spam-Status:.*Yes
> {
>   EXITCODE=67
>   :0:
>   probably-spam
    ^            ^^
> }

This makes procmail deliver mail into mbox format files. You most likely want delivery action lines like this:

  .probably-spam/

Note the leading dot and the trailing slash. That makes procmail use Maildir format. You will have to adjust each and every delivery action. Please see 'man procmailrc'.

Moreover, your ${PROBABLYJUNK} variable doesn't match your ${DEFAULT}. You'd better not provide absolute, full paths there.

Given the above snippets, I guess procmail actually *did* deliver your mail. It's just been dumped in mbox format files, which dovecot with your changed settings doesn't recognize. And probably scattered in multiple directories...

guenther
Re: [Dovecot] Converting from MBOX to Maildir broke procmail and Spamassasin and halted incoming mail
On Wed, 17 Sep 2008, Dan Roberts wrote:
> It was quickly pointed out that my system was set up to use MBOX and not MAILDIR, and some helpful links and notes were sent back and forth giving me a good clue as to how to perform the conversion process. I did have success in getting my mail accounts converted from mbox to maildir, but then ran aground. I could see all of my existing mail and create new folders, but I could not see any of my incoming mail.

http://markmail.org/message/4wghlnywxuljwmnh - you will want to start /etc/procmailrc with DROPPRIVS=YES

My working /etc/procmailrc is as such:

[EMAIL PROTECTED]:~ $ cat /etc/procmailrc
DROPPRIVS=YES
LOGFILE=${HOME}/procmail-log
MAILDIR=${HOME}/Maildir
DEFAULT=./
[EMAIL PROTECTED]:~ $

I should be using Dovecot Deliver but still haven't gotten around to it.

-- Asheesh.

-- 
If wishes were horses, then beggars would be thieves.
[Dovecot] login processes killed with signal 15
[EMAIL PROTECTED] etc]# dovecot --version
1.1.3
[EMAIL PROTECTED] etc]# dovecot -n
# 1.1.3: /usr/local/etc/dovecot.conf
log_path: /var/log/dovecot
protocols: imap imaps pop3 pop3s
ssl_cert_file: /etc/postfix/smtpd.cert
ssl_key_file: /etc/postfix/smtpd.key
disable_plaintext_auth: no
login_dir: /usr/local/var/run/dovecot/login
login_executable(default): /usr/local/libexec/dovecot/imap-login
login_executable(imap): /usr/local/libexec/dovecot/imap-login
login_executable(pop3): /usr/local/libexec/dovecot/pop3-login
mail_location: maildir:/home/vmail/%d/%n/
mail_debug: yes
mail_executable(default): /usr/local/libexec/dovecot/imap
mail_executable(imap): /usr/local/libexec/dovecot/imap
mail_executable(pop3): /usr/local/libexec/dovecot/pop3
mail_plugin_dir(default): /usr/local/lib/dovecot/imap
mail_plugin_dir(imap): /usr/local/lib/dovecot/imap
mail_plugin_dir(pop3): /usr/local/lib/dovecot/pop3
pop3_uidl_format(default): %08Xu%08Xv
pop3_uidl_format(imap): %08Xu%08Xv
pop3_uidl_format(pop3): %v.%u
auth default:
  mechanisms: plain login
  debug: yes
  debug_passwords: yes
  passdb:
    driver: sql
    args: /usr/local/etc/dovecot-sql.conf
  userdb:
    driver: sql
    args: /usr/local/etc/dovecot-sql.conf
  socket:
    type: listen
    master:
      path: /usr/local/var/run/dovecot/auth-master
      mode: 384
      user: vmail
      group: vmail

The log looks like this - it happens every few days:

dovecot: Sep 28 02:28:40 Warning: pop3-login: Killed with signal 15
dovecot: Sep 28 02:28:40 Warning: imap-login: Killed with signal 15
dovecot: Sep 28 02:28:40 Warning: pop3-login: Killed with signal 15
dovecot: Sep 28 02:28:40 Warning: auth(default): Killed with signal 15
dovecot: Sep 28 02:28:40 Warning: pop3-login: Killed with signal 15
dovecot: Sep 28 02:28:40 Warning: imap-login: Killed with signal 15
dovecot: Sep 28 02:28:40 Warning: Killed with signal 15
dovecot: Sep 28 02:28:40 Warning: imap-login: Killed with signal 15
dovecot: Sep 28 02:28:40 Warning: I/O leak: 0x407150 (24)
deliver([EMAIL PROTECTED]): Sep 28 04:07:04 Error: Can't connect to auth server at /usr/local/var/run/dovecot/auth-master: No such file or directory
deliver([EMAIL PROTECTED]): Sep 28 04:07:53 Error: Can't connect to auth server at /usr/local/var/run/dovecot/auth-master: No such file or directory
deliver([EMAIL PROTECTED]): Sep 28 04:08:12 Error: Can't connect to auth server at /usr/local/var/run/dovecot/auth-master: No such file or directory
deliver([EMAIL PROTECTED]): Sep 28 04:13:18 Error: Can't connect to auth server at /usr/local/var/run/dovecot/auth-master: No such file or directory
deliver([EMAIL PROTECTED]): Sep 28 04:13:18 Error: Can't connect to auth server at /usr/local/var/run/dovecot/auth-master: No such file or directory

It's not an rpm installation; I compiled it myself. The OS is CentOS 5.2.
Re: [Dovecot] login processes killed with signal 15
On Sep 29, 2008, at 7:46 PM, Radu Popescu wrote:
> The log looks like this - it happens every few days:
>
> dovecot: Sep 28 02:28:40 Warning: pop3-login: Killed with signal 15
> dovecot: Sep 28 02:28:40 Warning: imap-login: Killed with signal 15
> dovecot: Sep 28 02:28:40 Warning: pop3-login: Killed with signal 15
> dovecot: Sep 28 02:28:40 Warning: auth(default): Killed with signal 15
> dovecot: Sep 28 02:28:40 Warning: pop3-login: Killed with signal 15
> dovecot: Sep 28 02:28:40 Warning: imap-login: Killed with signal 15
> dovecot: Sep 28 02:28:40 Warning: Killed with signal 15
> dovecot: Sep 28 02:28:40 Warning: imap-login: Killed with signal 15

Looks like you've something (some cronjob?) killing all running dovecot processes. Dovecot itself never sends signal 15 to login processes, not even when the dovecot master is killed (which is how it's normally stopped). Also in the middle you see that the master process is also killed.
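Timo's diagnosis turned into a check you can run over a Dovecot 1.1 log, as an added example (not from the thread and not a Dovecot tool): it groups "Killed with signal 15" lines by second, notes whether the master itself (the line without a process-name prefix) died in the same burst, and reports the first "Can't connect to auth server" delivery failure that followed, which is the outage window the poster saw. The log embedded in the script is constructed after the one posted above; the addresses in it are made up.

```shell
#!/bin/sh
# Added example, not from the thread: flag the kind of "Killed with signal 15"
# burst Timo describes. A burst in which the master (the line with no process
# prefix) dies in the same second as its children is not Dovecot stopping
# itself, so the report marks it and shows the first delivery failure that
# followed. The log below is constructed after the posted one; addresses are
# made up.
set -eu

sample_log() {
cat <<'EOF'
dovecot: Sep 28 02:28:40 Warning: pop3-login: Killed with signal 15
dovecot: Sep 28 02:28:40 Warning: imap-login: Killed with signal 15
dovecot: Sep 28 02:28:40 Warning: auth(default): Killed with signal 15
dovecot: Sep 28 02:28:40 Warning: Killed with signal 15
dovecot: Sep 28 02:28:40 Warning: imap-login: Killed with signal 15
dovecot: Sep 28 02:28:40 Warning: I/O leak: 0x407150 (24)
deliver(alice@example.com): Sep 28 04:07:04 Error: Can't connect to auth server at /usr/local/var/run/dovecot/auth-master: No such file or directory
deliver(bob@example.com): Sep 28 04:07:53 Error: Can't connect to auth server at /usr/local/var/run/dovecot/auth-master: No such file or directory
EOF
}

# Read a Dovecot 1.1 log on stdin; print one line per second in which
# processes were terminated by signal 15: how many, whether the master was
# among them, and when deliver first failed to reach the auth socket after it.
sigterm_report() {
    awk '
    /Killed with signal 15/ {
        ts = $2 " " $3 " " $4            # "Sep 28 02:28:40"
        if (!(ts in kills)) { seq[++n] = ts }
        kills[ts]++
        # The master logs without a "name:" prefix, so "Warning:" is
        # immediately followed by the kill message.
        if ($0 ~ /Warning: Killed with signal 15$/) master[ts] = 1
        next
    }
    /Can.t connect to auth server/ && n > 0 && !(seq[n] in after) {
        after[seq[n]] = $2 " " $3 " " $4
    }
    END {
        for (i = 1; i <= n; i++) {
            ts = seq[i]
            printf "%s kills=%d master=%s auth_failures_from=%s\n", ts, kills[ts],
                (ts in master) ? "yes" : "no", (ts in after) ? after[ts] : "none"
        }
    }'
}

sample_log | sigterm_report
```

Run it on the real file with `sigterm_report < /var/log/dovecot`. A line with `master=yes` means something outside Dovecot sent the TERM; the thread's suggestion is to look for a cron job, so `grep -rl dovecot /etc/cron* /var/spool/cron` around the reported timestamp is the next step. The deliver errors that follow are a consequence, not a separate fault: the auth-master socket vanished because the master that owned it was killed.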
Re: [Dovecot] Managesieve Quota
Timo Sirainen wrote:
> On Thu, 2008-09-25 at 09:40 -0700, Seth Mattinen wrote:
>> Has anyone (is anyone) working on adding quota support to dovecot's managesieve server? I was thinking about giving it a shot myself and I'd hate to duplicate work. It would be something very basic like a max bytes setting and the total sieve storage per user isn't allowed to exceed it.
>
> I think it would be nice to be able to use the standard quota plugin with managesieve so that all the same backends and configuration could be used. The main problem I see is: does anyone want (or need) to have the mail and sieve quota shared, instead of specifying separate limits for them? With shared quota the code will probably have to have some kind of sieve hardcoding or write some kind of state files so it knows where to look when recalculating quota. So preferably no-one needs this. :)
>
> So without shared quota they could be configured as sievestorage and sievefiles which would also be visible using IMAP quota commands. Configuration could go like:
>
> quota = dict:::proxy::quota
> quota_rule = *:storage=100M:sievestorage=1M:sievefiles=10

No need for sharing from me. (In fact, I don't use mail quotas at all.) My only goal is to have some kind of sieve quota to prevent someone from filling the filesystem with garbage either intentionally or through a badly written client.

~Seth
Re: [Dovecot] client certs with godaddy ssl cert
On 29 Sep 2008 at 10:43, Bill Cole wrote:
> Right. You need to keep track of what client certs you trust, so you really should be *at least* the immediate issuer (signer) of the client certs. The only reasons you would want your signing cert for those client certs to have a commercial issuer would be:

That's my intent, to have full control over the client certs, hence the reason for going with self signed certs for the client side.

> 1. You want the client certs to be generally usable with those devices and servers other than your own.

I do not, this is only for use with my infrastructure and will be limited to a small handful of people.

> 2. The devices do not support the addition of new root certificates (i.e. your signing cert.)

Mix of devices, but primarily windows mobile, palm, symbian and blackberry handhelds. There will also be a few laptops.

> It is also likely to be irrelevant. The signature chain of a server's cert does not influence what signing chain a client cert needs to have.

Ohh I was wondering about that... Okay then, so as long as Dovecot is set to check client certs and the client cert presented matches the check points, CN, domain name, user email etc, it'll just work?

> That is only true if you are using a dependable mechanism to assure that users will actually be required to enter a password live rather than have their mail client save it

I've already beat that one into the couple of business partners that will be making use of this. Personally I don't ever save passwords, in browsers or otherwise as a matter of course, so not an issue for me.

-- 
Harondel J. Sibble
Sibble Computer Consulting
Creating solutions for the small business and home computer user.
[EMAIL PROTECTED] (use pgp keyid 0x3AD5C11D)
http://www.pdscc.com
(604) 739-3709 (voice/fax) (604) 686-2253 (pager)
Re: [Dovecot] dovecot 1.2.alpha1 quota dict driver mysql broken
Timo Sirainen wrote:
> On Sep 24, 2008, at 11:32 PM, Robert Schetterer wrote:
>> Sep 24 21:40:58 Error: dict: Error in configuration file /etc/dovecot/dovecot-dict-quota.conf line 2: Unknown setting: table
>> dovecot: Sep 24 21:40:58 Error: dict: Failed to initialize dictionary 'quotadict'
>> dovecot: Sep 24 21:40:58 Error: IMAP([EMAIL PROTECTED]): read(/var/run/dovecot/dict-server) failed: Remote disconnected
>> dovecot: Sep 24 21:41:06 Warning: Killed with signal 15
>>
>> seems strange Unknown setting: table ???
>
> Because there is no such setting anymore.

jep, i see *g

>> but there is no doc/dovecot-dict-sql-example.conf
>
> Well that's a different problem then. :) Looks like I forgot to include it in Makefile. See this instead: http://hg.dovecot.org/dovecot-1.2/file/tip/doc/dovecot-dict-sql-example.conf
>
>> so you might have to upgrade the doc/wiki for the new syntax
>
> Yes, once I get around to it :)

Hi Timo, after repopulating tables to mysql and using your example conf I have

---
dovecot: Sep 29 22:09:02 Fatal: dict: Socket already exists: /var/run/dovecot//dict-server
dovecot: Sep 29 22:09:02 Error: IMAP([EMAIL PROTECTED]): read(/var/run/dovecot/dict-server) failed: Connection reset by peer

any idea how to fix or what might be the failure

-- 
Best Regards
MfG Robert Schetterer
Germany/Munich/Bavaria
[Dovecot] quota warnings clarification
I spent a long while trying to get quota warnings working with v1.1.3 on Centos5 before almost giving up. I configured everything as per the instructions on the Quota wiki page, however no warning emails were being generated when I tested, and no debug messages in the log to give any clues as to what I was doing wrong.

It turns out I wasn't doing anything wrong, but just misunderstanding at what point the warnings are generated. The warning email appears to only be generated when a message is moved from one folder to another. I was expecting the warning to be generated when the INBOX was simply opened/viewed!

Is this how it is supposed to work? If so, perhaps a note of clarification could be added to the wiki page?