Re: [Dovecot] Problem with ldap error logging
On Tue, 25-08-2009 at 09:25 -0400, Timo Sirainen wrote:

That's what it does..:

% ./deliver
% echo $?
75
% tail -1 /var/log/dovecot.log
Aug 25 09:24:01 deliver(tss): Fatal: Plugin asdf not found from directory /usr/local/lib/dovecot/lda
% grep define.*EX_TEMPFAIL /usr/include/sysexits.h
#define EX_TEMPFAIL 75 /* temp failure; user is invited to retry */

I checked, qmail-lspawn handles 75 as a temporary failure. Then I dunno what happened in my case, but some mail definitely went into a black hole.

--
// Bernie Innocenti - http://codewiz.org/
\X/ Sugar Labs - http://sugarlabs.org/
[Dovecot] Disconnected in APPEND sometimes when with attachment
Hello!

When I send a message with an attachment bigger than some undefined size, the following error appears in logs:

Disconnected in APPEND

How to increase the allowed size or anything?

# dovecot -n
# 1.0.15: /etc/dovecot/dovecot.conf
log_timestamp: %Y-%m-%d %H:%M:%S
protocols: pop3 pop3s imap imaps
ssl_cert_file: /usr/local/etc/ssl/certs/highlink.ru.pem
ssl_key_file: /usr/local/etc/ssl/private/highlink.ru.key
disable_plaintext_auth: no
login_dir: /var/run/dovecot/login
login_executable(default): /usr/lib/dovecot/imap-login
login_executable(imap): /usr/lib/dovecot/imap-login
login_executable(pop3): /usr/lib/dovecot/pop3-login
mail_privileged_group: mail
mail_location: maildir:~/.maildir
mail_executable(default): /usr/lib/dovecot/imap
mail_executable(imap): /usr/lib/dovecot/imap
mail_executable(pop3): /usr/lib/dovecot/pop3
mail_plugin_dir(default): /usr/lib/dovecot/modules/imap
mail_plugin_dir(imap): /usr/lib/dovecot/modules/imap
mail_plugin_dir(pop3): /usr/lib/dovecot/modules/pop3
pop3_uidl_format(default):
pop3_uidl_format(imap):
pop3_uidl_format(pop3): %08Xu%08Xv
auth default:
  mechanisms: plain login
  passdb:
    driver: passwd-file
    args: /etc/dovecot/dovecot.passwd
  userdb:
    driver: passwd-file
    args: /etc/dovecot/dovecot.passwd
  socket:
    type: listen
    master:
      path: /var/run/dovecot/auth-master
      mode: 384
      user: dovecot
      group: dovecot
Re: [Dovecot] fchown() failed
On Mon, 2009-08-24 at 15:05 -0400, Timo Sirainen wrote:

On Wed, 2009-08-19 at 13:18 +0100, Arthur Dent wrote:

dovecot: Dovecot v1.2.0 starting up (core dumps disabled): 1 Time(s)
dovecot: IMAP(mark): fchown() failed with file /home/mark/Mail/.imap/INBOX/dovecot.index.log.newlock: Operation not permitted: 1 Time(s)

v1.2.3+ would have given a bit better error message here.

Ironically, since I posted my original message last week Fedora issued an updated Dovecot package, so here is yesterday's message in syslog:

**Unmatched Entries**
dovecot: Dovecot v1.2.3 starting up (core dumps disabled): 1 Time(s)
dovecot: IMAP(helena): fchown(/home/wife/mail/.imap/INBOX/dovecot.index.cache.lock, -1, 12(mail)) failed: Operation not permitted (egid=501(helena), group based on /var/mail/helena): 1 Time(s)
dovecot: IMAP(mark): chown(/home/mark/Mail/.imap/INBOX, -1, 12(mail)) failed: Operation not permitted (egid=500(mark), group based on /var/mail/mark): 1 Time(s)
dovecot: IMAP(mark): fchown(/home/mark/Mail/.imap/INBOX/dovecot.index.cache.lock, -1, 12(mail)) failed: Operation not permitted (egid=500(mark), group based on /var/mail/mark): 1 Time(s)
dovecot: IMAP(mark): fchown(/home/mark/Mail/.imap/INBOX/dovecot.index.log.newlock, -1, 12(mail)) failed: Operation not permitted (egid=500(mark), group based on /var/mail/mark): 1 Time(s)
dovecot: IMAP(mark): fchown(/home/mark/Mail/.imap/INBOX/dovecot.index.tmp, -1, 12(mail)) failed: Operation not permitted (egid=500(mark), group based on /var/mail/mark): 1 Time(s)
dovecot: IMAP(mark): mkdir(/home/mark/Mail/.imap/INBOX) failed: Operation not permitted: 1 Time(s)

Anyway the issue is that nowadays Dovecot tries to preserve mailbox's permissions so that shared mailboxes work properly. What permissions do you have in the actual INBOX file?

ls -la /var/mail/
total 202024
drwxrwxr-x. 2 root mail 4096 2009-08-26 10:30 .
drwxr-xr-x. 15 root root 4096 2009-08-13 12:35 ..
-rw-rw. 1 clamav mail 0 2009-08-12 12:40 clamav
-rw-rw. 1 wife mail 190669010 2009-08-26 10:00 wife
-rw-rw. 1 mark mail 8421931 2009-08-26 09:46 mark
-rw---. 1 root root 787636 2009-08-26 10:30 root
-rw-rw. 1 rpc mail 0 2009-08-11 16:26 rpc
-rw-rw. 1 son mail 6750285 2009-08-26 00:39 son

My guess is that you have 0660 permissions of /var/mail/$USER so Dovecot tries to preserve the group. Easiest fix that also makes your system more secure is to chmod 0600 it.

Hmmm - OK, seems you're right about that. Will changing it break anything else? Why does group mail exist? I will try chmod 0600 and see what happens.

As I access my mailbox several times a day (and certainly did yesterday) from several different mail clients I am surprised that the error count is only 1 for most of the above entries. Is this being caused by some sort of cron job (logrotate perhaps)?

It happens only when index files are being created/rotated, which happens automatically every once in a while.

Thanks very much. Your help is greatly appreciated...

Mark
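An audit for the 0660 spool-file case diagnosed in the message above, as an added example that is not part of the original thread. The function names are hypothetical, and it assumes a find that supports -maxdepth and that nothing on the host relies on group access to the mbox files.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU or BSD find (-maxdepth) and
# that nothing on the host depends on group access to the spool files; check
# the local delivery agent before applying the change.

# audit_spool [DIR]
# Print every regular file directly in DIR (default /var/mail) that has any
# group or other permission bit set, i.e. anything looser than 0600.
audit_spool() {
    find "${1:-/var/mail}" -maxdepth 1 -type f \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) -print | sort
}

# tighten_spool DIR
# chmod 0600 each file audit_spool reports and log what was changed.
tighten_spool() {
    audit_spool "$1" | while IFS= read -r f; do
        chmod 0600 "$f" && echo "chmod 0600 $f"
    done
}

# Demo on a constructed spool directory (never touches the real /var/mail).
demo=$(mktemp -d)
for u in mark wife root; do : > "$demo/$u"; done
chmod 0660 "$demo/mark" "$demo/wife"   # the 0660 mode discussed in the thread
chmod 0600 "$demo/root"
echo "before:"; audit_spool "$demo"
tighten_spool "$demo"
echo "after:";  audit_spool "$demo"
rm -rf "$demo"
```

Running audit_spool with no argument only reads /var/mail and changes nothing.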
Re: [Dovecot] Disconnected in APPEND sometimes when with attachment
On 8/26/2009, Igor Bogomazov (b...@hl.ru) wrote:

When I send a message with an attachment bigger than some undefined size, the following error appears in logs: Disconnected in APPEND

1. Dovecot is not an smtp server - it does not 'send' messages.

2. While 1.0.15 is old and you should upgrade (1.2.4 is current stable), upgrading won't fix your problem.

3. You need to fix this with your smtp server config.

Also, please don't paraphrase logs... post the entire set of relevant log lines - that would have probably allowed us to see what smtp server you were using and give more specific recommendation on next steps..

--
Best regards,
Charles
Re: [Dovecot] Two server certificates for two common names
So, on one dovecot instance, it is impossible to have two ssl certificates for two distinct common names. right?

thanks
Dimitrios

Ed W wrote:

Patrick Domack wrote:

That is an ssl impossibility, and the current tls clients can't really do that either. The best way to do it is to use separate ip's for mail1 and mail2. The only other option is to use a new certificate with subject-alt-names, but lots of email clients don't support that. Webbrowsers have for a long time now, but email is completely different.

I would be interested to hear which mail clients don't support this? My experience is that the main culprits are ok (including apple and many handhelds). I use a cheapo S-A-N from GoDaddy and it seems to work ok (but I hardly have a wide range of clients using it)

Hope this helps?

Ed W

--
ΔΗΜΗΤΡΙΟΣ ΚΑΡΑΠΙΠΕΡΗΣ
ΤΕΧΝ. ΥΠ. ΣΥΖΕΥΞΙΣ
ΕΛΛΗΝΙΚΗ ΔΗΜΟΚΡΑΤΙΑ - Ν. ΘΕΣΣΑΛΟΝΙΚΗΣ
ΔΗΜΟΣ ΘΕΣΣΑΛΟΝΙΚΗΣ - Δ/ΝΣΗ ΟΡΓΑΝΩΣΕΩΣ ΜΕΘΟΔΩΝ
2310 - 257844 fax 2310 - 244965
Re: [Dovecot] Quotas ignored on INBOX only
Thanks

The way I am testing is as follows.

Setup two users on the system.
Send email from user A to user B.
Quota counts increase for user A as the email is copied to the Sent folder.
User B quota count does not increase (size or messages)
Reply from user B to user A to confirm problem affects both accounts.
Remove email from sent items on one account and expunge and note quota record decreases.
Remove email from INBOX and expunge, note quota record does not change.
Repeat sending emails from B to A and notice quota limit is reached on sent items - error is received copying email to sent items.
With quota exceeded switch to user account A and continue to send emails to B, note that they appear in the INBOX of the user despite the full quota with no bounce back.

This behaviour is identical regardless of quota backend used (have tried maildir++ and dict so far).

This is using the default aptitude package of dovecot-postfix for ubuntu 9.0.4 - Is this a bug?
Re: [Dovecot] Two server certificates for two common names
On Wed, 26 Aug 2009, Δημήτριος Καραπιπέρης wrote:

So, on one dovecot instance, it is impossible to have two ssl certificates for two distinct common names. right?

At the moment, yes. In a future version this will be possible, but I suppose you will still need two IPs.

--
Eduardo M KALINOWSKI
edua...@kalinowski.com.br
Re: [Dovecot] Dovecot and LDAP-Quotas
It says nothing about LDAP here, which means that unless you filtered out some lines it's not using LDAP at all for anything. What does your dovecot -n output show now?

dovecot -n
# 1.2.3: /etc/dovecot.conf
# OS: Linux 2.6.18-128.4.1.el5 x86_64 CentOS release 5.3 (Final) ext3
log_path: /var/log/dovecot.log
info_log_path: /var/log/dovecot.log
protocols: pop3 pop3s imap imaps
listen(default): 123.456.789.71
listen(imap): 123.456.789.71
listen(pop3): 123.456.789.72
ssl_listen(default):
ssl_listen(imap):
ssl_listen(pop3): 123.456.789.72:995
ssl_ca_file: /etc/pki/dovecot/certs/pop_core_uk/trustcenter_intermediate.crt
ssl_cert_file: /etc/pki/dovecot/certs/pop_core_uk/server.crt
ssl_key_file: /etc/pki/dovecot/private/pop_core_uk/server.key
login_dir: /var/run/dovecot/login
login_executable(default): /usr/libexec/dovecot/imap-login
login_executable(imap): /usr/libexec/dovecot/imap-login
login_executable(pop3): /usr/libexec/dovecot/pop3-login
mail_location: maildir:/home/vmail/%Lu/Maildir/
mail_debug: yes
mail_executable(default): /usr/libexec/dovecot/imap
mail_executable(imap): /usr/libexec/dovecot/imap
mail_executable(pop3): /usr/libexec/dovecot/pop3
mail_plugins(default): quota imap_quota
mail_plugins(imap): quota imap_quota
mail_plugins(pop3): quota
mail_plugin_dir(default): /usr/lib64/dovecot/imap
mail_plugin_dir(imap): /usr/lib64/dovecot/imap
mail_plugin_dir(pop3): /usr/lib64/dovecot/pop3
imap_client_workarounds(default): delay-newmail outlook-idle netscape-eoh
imap_client_workarounds(imap): delay-newmail outlook-idle netscape-eoh
imap_client_workarounds(pop3):
pop3_client_workarounds(default):
pop3_client_workarounds(imap):
pop3_client_workarounds(pop3): outlook-no-nuls oe-ns-eoh
lda:
  debug: yes
  postmaster_address: postms...@core.uk
  hostname: smtp.core.uk
  mail_plugins: quota
  quota_full_tempfail: yes
  log_path: /var/log/dovecot-deliver.log
  log_timestamp: %b %d %H:%M:%S
  rejection_reason: Ihre Nachricht an %t wurde automatisiert abgewiesen:%n%r
auth default:
  mechanisms: plain login
  username_translation: @_._
  verbose: yes
  debug: yes
  debug_passwords: yes
  passdb:
    driver: ldap
    args: /etc/dovecot-ldap.conf
  userdb:
    driver: static
    args: uid=500 gid=500 home=/home/vmail/%Lu allow_all_users=yes
  userdb:
    driver: ldap
    args: /etc/dovecot-ldap-userdb.conf
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 432
      user: postfix
      group: postfix
    master:
      path: /var/run/dovecot/auth-master
      mode: 432
      user: vmail
      group: postfix
plugin:
  quota: maildir:User quota
  quota_rule: *:storage=8M
  quota_warning: storage=90%% /usr/local/bin/quota-warning.sh 90
  quota_warning2: storage=75%% /usr/local/bin/quota-warning.sh 75

--
dovecot-ldap.conf

hosts = 123.456.789.123 123.456.789.124
base = OU=one,OU=two,OU=London,OU=GB,OU=User Accounts,DC=three,DC=core,DC=uk
ldap_version = 3
auth_bind = yes
auth_bind_userdn = %...@three.core.uk
user_filter = ((objectClass=person)(cn=%u))
user_attrs = description=quota_rule=*:storage=%$M

--
dovecot-ldap-userdb.conf is a symbolic link on dovecot-ldap.conf
[Dovecot] mbox to maildir migration question and problems, dovecot-1.0.7-7.el5
Hi,

I am trying to assist a customer with a mbox to maildir migration. I have them using the latest and greatest mb2md.pl; the one that supports -K, -U|-u. They have seen overwhelming success with this; however, a recent mbox introduced a new scenario and the result was that all messages were replayed in the client UI. The mbox in question had _no_ X-UID tags. To work around the issue the customer performed the following steps.

[snip]
We found that the fix was to clear /var/indexes/$USER for the account and log in and log back out. After doing this X-UID's were populated for each respective message.
[/snip]

The customer also noted that after the migration all messages went to ~/MailDir/new.

I would appreciate any thoughts on why this scenario played out the way it did? Is it expected that these messages should reside in ~/MailDir/new?

[config]
protocol pop3 {
  pop3_uidl_format = %08Xv%08Xu
  pop3_reuse_xuidl = yes
}
[/config]

Thank you!

--
Eric L. Sammons, RHCE
[Dovecot] Weird mirgration problem
Most likely non-Dovecot, but I'd appreciate any comments on WTF might be going on here.

Preparatory to migration from mbox to maildir format on our AIX mail server, I am migrating from the JFS filesystem (being deprecated by IBM) to JFS2 to better handle the jump in the number of files. Two nights ago, I took the first step and migrated the IT homedir filesystem: copied it to a scratch disk, melted down the FS and recreated it as a JFS2 FS. In order to keep changes from happening to it during this process, I killed off DC (dovecot -n output is appended to bottom of this note) and dropped the export of the FS. The bringup was a little ragged due to time constraints and the fact that I had trouble re-establishing the export. FWIW, the homedirs and Inbox FSes are mounted by a majordomo mailing list server.

Everything went fine except for an anomaly with old pre-existing mailing list emails in my INBOX and that of a few others. Note that the inbox FS wasn't touched by this process, just the homedir FS for the IT department. What happened there was that the mbox headers went from looking like this:

From owner-hcrcstaff Mon Aug 24 14:53:29 2009
From majordom Mon Aug 24 14:53:29 2009
the rest of the normal header here

To looking like this:

From owner-hcrcstaff Mon Aug 24 14:53:29 2009
Status: RO
X-UID: 871476
Content-Length: 1915
From majordom Mon Aug 24 14:53:29 2009
normal header lines here

It appears that the Status, X-UID and Content-Length lines were inserted just under the top line of the header in every old mailing list mailing email header...and not in any other mailing

As a result of this,
- these emails appear in the email client's TOC listing with blank Sender and Subject fields, even though the data for that is properly in the header further down
- This happens both in TBird and Horde webmail.
- All these emails (some 300, going back to 2008) are listed in one block, in proper order for their actual date, as having the datestamp of 5AM, when I was bringing everything back up. Unfortunately, because of time pressures, I can say exactly what I was doing then.
- I never took down my TBird session while doing this process...and I imagine that others, who haven't said anything and presumably didn't have this problem, left their TBird or IMAP email client up...

Does this anomaly bring to mind anything to you? FWIW, I plan on doing the students' homedir FS early tomorrow morning. This time I'll be more scrupulous about tracking things AND I will take down the mailing list and login servers to remove the possibility that they had something to do with this...

dovecot -n output

# 1.1.15: /usr/local/etc/dovecot.conf
# OS: AIX 3 0001378F4C00
listen: *:143
ssl_listen: *:993
disable_plaintext_auth: no
verbose_ssl: yes
login_dir: /var/run/dovecot/login
login_executable: /usr/local/libexec/dovecot/imap-login
login_processes_count: 12
login_max_processes_count: 774
max_mail_processes: 1024
verbose_proctitle: yes
first_valid_uid: 200
mail_location: mbox:~/mail:INBOX=/var/spool/mail/%u:INDEX=/var/dcindx/%u
mbox_write_locks: fcntl
mbox_dirty_syncs: no
auth default:
  passdb:
    driver: pam
  userdb:
    driver: passwd

--
Once upon a time, the Internet was a friendly, neighbors-helping-neighbors small town, and no one locked their doors. Now it's like an apartment in Bed-Stuy: you need three heavy duty pick-proof locks, one of those braces that goes from the lock to the floor, and bars on the windows

Stewart Dean, Unix System Admin, Bard College, New York 12504
sd...@bard.edu voice: 845-758-7475, fax: 845-758-7035
Re: [Dovecot] Two server certificates for two common names
Δημήτριος Καραπιπέρης wrote:

So, on one dovecot instance, it is impossible to have two ssl certificates for two distinct common names. right?

You are kind of asking two questions here:

1) SSL as it stands maps one IP address to one certificate. The basic issue is that, bar a few exceptions, there is no clear way to connect to an IP address and say what domain you are expecting to see on the other end, hence allowing the other end to present the domain specific cert. This is currently not fixable, but you can work around it by getting one cert with all your CNs on it (see Subject Alt Name)

2) Does Dovecot support running on 2 ips with different certs on each IP? I think the answer is currently no? You could run two dovecot instances though... I believe this is on the todo list for a later version, but as yet not that high up the priority list? (Timo?) So this bit is fixable in various ways

Does that help?

Ed W
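The Subject Alt Name workaround mentioned in the message above, as an added example that is not part of the original thread: it builds a throwaway self-signed certificate covering both hostnames from the thread and checks which names it matches. The function names are hypothetical, and it assumes OpenSSL 1.1.1 or later (for -addext); a production certificate would come from a CA.

```shell
#!/bin/sh
# Added example, not from the thread. Self-signed test certificate only.
# Assumes OpenSSL >= 1.1.1 (-addext); hostnames are the ones used in the thread.

# make_san_cert OUTDIR NAME [NAME...]
# Writes OUTDIR/key.pem and OUTDIR/cert.pem. The first NAME becomes the CN and
# every NAME is listed as a DNS entry in subjectAltName.
make_san_cert() {
    outdir=$1; shift
    cn=$1
    san=""
    for name in "$@"; do
        san="${san:+$san,}DNS:$name"
    done
    ( umask 077   # keep the private key unreadable by group and others
      openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
          -subj "/CN=$cn" -addext "subjectAltName=$san" \
          -keyout "$outdir/key.pem" -out "$outdir/cert.pem" 2>/dev/null )
}

# cert_matches CERT HOST
# Exit 0 if HOST is covered by CERT. openssl prints "does match" or
# "does NOT match", so the result is taken from the output, not the exit code.
cert_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Demo in a scratch directory: mail3.dom.gr is a constructed name that is
# deliberately left out of the certificate.
demo_dir=$(mktemp -d)
make_san_cert "$demo_dir" mail1.dom.gr mail2.dom.gr
for h in mail1.dom.gr mail2.dom.gr mail3.dom.gr; do
    if cert_matches "$demo_dir/cert.pem" "$h"; then
        echo "$h: covered"
    else
        echo "$h: NOT covered"
    fi
done
rm -rf "$demo_dir"
```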
Re: [Dovecot] Two server certificates for two common names
Basically, server is not expecting any kind of domain on ssl handshake, but what if the server can serve more than one cert, so that clients using mail1.dom.gr and mail2.dom.gr, which resolve to the same dovecot instance but from different network segments could be certified.

mail1.dom.gr - 10.65.0.45 (private one)
mail2.dom.gr - 84.205.252.78 (random numbers)

In essence, it is the same dovecot instance.

Dimitrios

Ed W wrote:

Δημήτριος Καραπιπέρης wrote:

So, on one dovecot instance, it is impossible to have two ssl certificates for two distinct common names. right?

You are kind of asking two questions here:

1) SSL as it stands maps one IP address to one certificate. The basic issue is that, bar a few exceptions, there is no clear way to connect to an IP address and say what domain you are expecting to see on the other end, hence allowing the other end to present the domain specific cert. This is currently not fixable, but you can work around it by getting one cert with all your CNs on it (see Subject Alt Name)

2) Does Dovecot support running on 2 ips with different certs on each IP? I think the answer is currently no? You could run two dovecot instances though... I believe this is on the todo list for a later version, but as yet not that high up the priority list? (Timo?) So this bit is fixable in various ways

Does that help?

Ed W
Re: [Dovecot] Two server certificates for two common names
Δημήτριος Καραπιπέρης wrote:

Basically, server is not expecting any kind of domain on ssl handshake, but what if the server can serve more than one cert, so that clients using mail1.dom.gr and mail2.dom.gr, which resolve to the same dovecot instance but from different network segments could be certified.

mail1.dom.gr - 10.65.0.45 (private one)
mail2.dom.gr - 84.205.252.78 (random numbers)

In essence, it is the same dovecot instance.

I should imagine that you can achieve this using an external SSL wrapper such as stunnel?

OR

You could use firewall rules to redirect incoming connections to different local ports depending on where the connection originates. Then setup appropriate config on each port to serve a different cert

This setup does sound workable

Ed W
Re: [Dovecot] Two server certificates for two common names
On Aug 26, 2009, at 2:17 PM, Ed W wrote:

2) Does Dovecot support running on 2 ips with different certs on each IP? I think the answer is currently no? You could run two dovecot instances though... I believe this is on the todo list for a later version, but as yet not that high up the priority list? (Timo?) So this bit is fixable in various ways

Dovecot v2.0 supports different certs for different IPs. Until then you'll need to run multiple Dovecot instances with different config files.
Re: [Dovecot] Weird mirgration problem
On Aug 26, 2009, at 12:36 PM, Stewart Dean wrote:

From owner-hcrcstaff Mon Aug 24 14:53:29 2009
From majordom Mon Aug 24 14:53:29 2009
the rest of the normal header here

Does the above look correct? Did you originally also have that there? And that empty line? If so, I think those mails were written with a buggy Dovecot version and it's more of a miracle that you hadn't got this problem earlier. :) Probably because using mbox_very_dirty_syncs and the files' mtimes had never changed without there being some other changes in the mbox.

If you have a lot of such mails, I think it's a good idea to get rid of that extra new line (and maybe the extra From-line) and delete dovecot.index* files.
[Dovecot] TLS / SSL mixed w/ plaintext auth and virtual hosting
Traditionally this server has only accepted plaintext authentications; however, we want to change that and enable TLS/SSL. The challenge is the server has hundreds of IP addresses it binds to to listen on ports 110/143. Enabling TLS/SSL is not an option because as this is a virtual hosting environment, if a connection comes in on any other hostname other than the specific one tied to the crt all mail clients will throw a mis-matched certificate error if TLS is initiated by the client, and a surprisingly large number of customers have "use TLS if available" selected in their clients.

According to most of the suggestions on the list, I've setup 2 dovecot instances. The first listening on *:110 and *:143, and the second listening on 10.0.0.2:993 and 10.0.0.2:995. This works great for SSL support; however, I would also like to offer TLS to connections coming in on a single IP address. Because the server has hundreds of IPs, with new IPs adding all the time, seemingly the only way would be to configure every one of these IPs (as they occur) into the primary dovecot.conf file, and then only setup the single IP that's handling SSL/TLS in the dovecot-ssl.conf (the conf file the SSL/TLS instance loads). This can be time consuming and has no way to automate.

It would be terrific if one of the following exists, or potentially could exist:

1. Ideal scenario. A config option which tells TLS to only respond on certain IPs. In our case if a connection attempts to initiate TLS on any IP address except 10.0.0.2, it would respond with no TLS support. This would be ideal as we could continue running just a single dovecot instance.

2. Secondary scenario. A way to exclude an IP from being bound to. Something like the following to bind to all except 10.0.0.2

listen = *:110, -10.0.0.2

As is, based on my understanding of the config neither of these are options. Any support for adding either of these options, or alternate ideas anyone might have?

- N