Re: [Dovecot] Separate access to different "folders" of the same mailbox?

2011-02-09 Thread David Ford
~user/.procmailrc-backup or /etc/procmailrc-backup

MDIR="${HOME}/.maildir"
TODAY_YEAR=`date +%Y`
TODAY_MONTH=`date +%m`
TODAY_DAY=`date +%d`
# mailbox name as listed in the subscriptions file; the directory carries a leading dot
FOLDER="archive.${TODAY_YEAR}.${TODAY_MONTH}.${TODAY_DAY}"
FOLDERDIR="${MDIR}/.${FOLDER}"

# prepare the archive
:0
{
  # create today's folder (with its maildir subdirectories) if it is not there yet
  dummy=`mkdir -p "${FOLDERDIR}/cur" "${FOLDERDIR}/new" "${FOLDERDIR}/tmp" 2>/dev/null`
  # subscribe to it exactly once: whole-line, fixed-string match instead of an unanchored regex
  dummy=`grep -qxF "${FOLDER}" "${MDIR}/subscriptions" 2>/dev/null || echo "${FOLDER}" >> "${MDIR}/subscriptions"`

  # file a copy of every message into today's folder; the trailing '/' marks it as a maildir
  :0c
  ${FOLDERDIR}/
}


On 02/10/2011 02:41 AM, Oli Schacher wrote:
> On Thu, 10 Feb 2011 09:15:18 +0200
> Alexander Chekalin  wrote:
>
>> in my company we have a mailbox that holds a copy of every message
>> that our SMTP processed. While it eats a lot of space, it saved us
>> several times when, you may imagine, a user "suddenly" deleted the most
>> important message in his life and called our IT guys for help. The
>> mailbox contains "folders" for each day (like 2011-02-10), which
>> keep mailings for that day only.
> [...]
>
> What you are describing is basically a standard mail
> archiving service. Instead of building this yourself you
> could look at existing software tools that include the features you
> describe and offer additional functionality like attachment indexing,
> signed archives etc. For example Mailarchiva (mailarchiva.com) -
> There is an open source version as well
> ( http://sourceforge.net/projects/openmailarchiva/ ) 
> Google lists various other alternatives.
>
> HTH
>
> Regards,
>  Oli
>


Re: [Dovecot] Separate access to different "folders" of the same mailbox?

2011-02-09 Thread Oli Schacher
On Thu, 10 Feb 2011 09:15:18 +0200
Alexander Chekalin  wrote:

> in my company we have a mailbox that holds a copy of every message
> that our SMTP processed. While it eats a lot of space, it saved us
> several times when, you may imagine, a user "suddenly" deleted the most
> important message in his life and called our IT guys for help. The
> mailbox contains "folders" for each day (like 2011-02-10), which
> keep mailings for that day only.
[...]

What you are describing is basically a standard mail
archiving service. Instead of building this yourself you
could look at existing software tools that include the features you
describe and offer additional functionality like attachment indexing,
signed archives etc. For example Mailarchiva (mailarchiva.com) -
There is an open source version as well
( http://sourceforge.net/projects/openmailarchiva/ ) 
Google lists various other alternatives.

HTH

Regards,
 Oli



[Dovecot] Separate access to different "folders" of the same mailbox?

2011-02-09 Thread Alexander Chekalin

Hello Timo and everyone,

I think on such an idea that may save me a bit of space and time:

in my company we have a mailbox that holds a copy of every message that 
our SMTP processed. While it eats a lot of space, it saved us several 
times when, you may imagine, a user "suddenly" deleted the most important 
message in his life and called our IT guys for help. The mailbox contains 
"folders" for each day (like 2011-02-10), which keep mailings for that 
day only.


Even with this, it is sometimes hard to work with that "keep all" box 
(basically, it is slow as the size is huge). What I'd like to add is 
some kind of "virtual folders" (for each of our internal users) that 
list messages from and to his address. And I'd like to permit every user 
to see (that is, in read-only mode) only "his" virtual folder in our 
"keep all" box, so the user can see his old messages on his own.


Looks like
1) I need an ACL to limit user access to "their" folders and somehow 
hide the other folders entirely
2) Such virtual folders have to work with a huge amount of mailings (kind of 
300 Gb), separated in maybe 1000 folders (per day). I'm really afraid it 
will be a slo-o-o-ow search, even with indexes (I mean, a virtual folder 
that is defined as a search over 1000 folders will not be that fast).


The mailbox is maildir by nature. How can I achieve these goals with the 
smallest load possible, and is it possible at all?


Thank you,
  Alexander Chekalin


Re: [Dovecot] /var/mail/ and mail group privileges

2011-02-09 Thread Michal Hlavinka
On Thursday 10 of February 2011 02:54:39 Timo Sirainen wrote:
> On Mon, 2011-01-10 at 14:08 +0100, Michal Hlavinka wrote:
> > On Tuesday, January 04, 2011 00:47:16 Timo Sirainen wrote:
> > > On 3.1.2011, at 19.15, Michal Hlavinka wrote:
> > > > Shouldn't mkdir and chown make together a transaction? When it
> > > > fails just for first time, it confuses some admins (this is the
> > > > reason why I'm getting complaints (bug reports) just because
> > > > missing/wrong
> > > > configuration). I think it a) should work even for first
> > > > connection
> > > > (ignore chown failure) or b)it should not work for following
> > > > connection, so the behavior should be more consistent.
> > 
> > I think a) is better for lazy admins, but b) is more correct, because
> > the other way it's (a little bit) harder to find out this error - having
> > wrong permissions in situations when the group is really required.
> 
> I implemented a) a while ago.

yes, I've noticed it. Thanks


Re: [Dovecot] LDAP and GSSAPI problems

2011-02-09 Thread Trever L. Adams


This is very good. A safe default (no import_environment) might be TZ, USER and  
HOME, just to maintain functionality if people don't set this up.


-Original message-
From: Timo Sirainen 
To: Dovecot Mailing List 
Cc: "Trever L. Adams" 
Sent: Wed, Feb 9, 2011 23:55:06 GMT+00:00
Subject: Re: [Dovecot] LDAP and GSSAPI problems

On Thu, 2011-02-10 at 01:17 +0200, Timo Sirainen wrote:

> (does this really need to be set over and over or can the master process
> set it and have the environment inherited... it has been a long time
> since I did any coding related to environment variables across forks,
> etc.)?

Environment is inherited, but Dovecot explicitly clears it at the
startup of each process, so any unnecessary stuff gets dropped out. But
it would be possible to add e.g. DOVECOT_PRESERVE_ENVS that lists which
environment variables should be preserved.


http://hg.dovecot.org/dovecot-2.0/rev/cec7fa92ff48






[Dovecot] LDAP quota groups

2011-02-09 Thread ian+dovecot
Is there any way to have a per-LDAP-group quota? The OpenLDAP folks' 
suggestions are to hack the source for an overlay (ideal, but it looks 
somewhat involved) or to do it at the application (Dovecot).


I've added an LDAP userattr 'quotaMegaBytes' which is great for allowing 
me to override the server's default quota on a per-user basis, but 
ideally I'd be able to override the quota only for people who are member 
of a certain LDAP group.


Perhaps I could override it for IMAP sessions with a postlogin script, 
but I can't see any way to apply it to deliver.


Thanks for any suggestions,

Ian



Re: [Dovecot] Access rights after dsync

2011-02-09 Thread Timo Sirainen
On Wed, 2011-01-05 at 19:26 -0500, Joan Moreau wrote:

> It looks like the access rights are not correctly preserved
> after a dsync 
> 
> I have rwXr-X-- from my original folder (which is right)
> 
> I have rwXrwXrwX in the "mirrored" folder (which is very wrong) 
> 
> Not sure what causes this, but it looks like a bug 

Have you figured it out? dsync (like Dovecot in general) anyway takes
the permissions for new folders from the mail root directory. So if new
folder is going to be in ~/Maildir/.foo/ and it doesn't exist, its
permissions are taken from ~/Maildir. If ~/Maildir doesn't exist either,
its permissions are set to 0700.
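The rule Timo states above (a new folder copies its permission bits from the mail root, and a missing root is created as 0700) is the kind of thing worth getting right in any tool that creates mail directories, because the alternative, as in the report above, is folders that end up world-writable. The following is an added example written for this page, not Dovecot's own code: mkdir_like_root() implements that rule with plain POSIX calls, and selftest() checks it in a scratch directory under /tmp with the umask deliberately opened up. The helper names and the self-check layout are assumptions of the example.

```c
/* Added example, not Dovecot's own code: create a mail folder directory
 * with the permission rule described in the post above (copied from the
 * mail root, with a 0700 root created first if none exists). The helper
 * names and the scratch-directory self-check are assumptions. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Create root/name with the same permission bits as root. A missing root
 * is created as 0700 first, so nothing is left to the umask or to 0777.
 * Returns the permission bits of the new directory, or (mode_t)-1 with
 * errno set on failure. */
mode_t mkdir_like_root(const char *root, const char *name)
{
    struct stat st;
    char path[PATH_MAX];
    mode_t mode;

    if (stat(root, &st) < 0) {
        if (errno != ENOENT)
            return (mode_t)-1;
        /* no mail root yet: create it private to the owner; chmod() undoes the umask */
        if (mkdir(root, 0700) < 0 || chmod(root, 0700) < 0 || stat(root, &st) < 0)
            return (mode_t)-1;
    }
    if (!S_ISDIR(st.st_mode)) {
        errno = ENOTDIR;
        return (mode_t)-1;
    }
    mode = st.st_mode & 07777;              /* rwx bits plus setgid/sticky */

    if (snprintf(path, sizeof(path), "%s/%s", root, name) >= (int)sizeof(path)) {
        errno = ENAMETOOLONG;
        return (mode_t)-1;
    }
    if (mkdir(path, mode) < 0 && errno != EEXIST)
        return (mode_t)-1;
    /* mkdir() applies the umask; chmod() restores the exact root bits.
     * If root is setgid, the kernel already gave path root's group. */
    if (chmod(path, mode) < 0 || stat(path, &st) < 0)
        return (mode_t)-1;
    return st.st_mode & 07777;
}

/* Self-check in a scratch directory under /tmp: a missing root must come out
 * as 0700, and a root relaxed to 0750 must yield a 0750 folder even with a
 * fully permissive umask. Returns 1 on success, 0 on failure. */
int selftest(void)
{
    char base[] = "/tmp/mkdirlike.XXXXXX";
    char root[PATH_MAX], sub[PATH_MAX];
    mode_t old = umask(0);                  /* make the umask irrelevant on purpose */
    int ok = 0;

    if (mkdtemp(base) == NULL) {
        umask(old);
        return 0;
    }
    snprintf(root, sizeof(root), "%s/Maildir", base);

    if (mkdir_like_root(root, ".foo") == 0700 &&
        chmod(root, 0750) == 0 &&
        mkdir_like_root(root, ".bar") == 0750)
        ok = 1;

    snprintf(sub, sizeof(sub), "%s/.foo", root); rmdir(sub);
    snprintf(sub, sizeof(sub), "%s/.bar", root); rmdir(sub);
    rmdir(root);
    rmdir(base);
    umask(old);
    return ok;
}

int main(void)
{
    printf("%s\n", selftest() ? "folder permissions follow the mail root" : "self-check failed");
    return 0;
}
```

The explicit chmod() after mkdir() is the important step: mkdir() alone would hand the umask a say in the result, which is exactly how a folder created under one umask and mirrored under another ends up with different bits.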




Re: [Dovecot] Dovecot 2.0.7 doesn't disassociate STDERR when it daemonizes.

2011-02-09 Thread Timo Sirainen
On Thu, 2011-01-06 at 10:42 -0800, Virgil Champlin wrote:
> --- main.c.orig 2010-11-04 11:58:48.0 -0700
> +++ main.c  2011-01-05 18:11:45.0 -0800
> @@ -717,7 +717,8 @@
> }
> 
> if (dup2(null_fd, STDIN_FILENO) < 0 ||
> -   dup2(null_fd, STDOUT_FILENO) < 0)
> +   dup2(null_fd, STDOUT_FILENO) < 0 ||
> +   dup2(null_fd, STDERR_FILENO) < 0)
> i_fatal("dup2(null_fd) failed: %m");
> 
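Review bot: the new `dup2(null_fd, STDERR_FILENO)` sits in the same chain as the stdin/stdout redirection, so from this point on anything the master still reports on stderr during the rest of startup is discarded, and if the chain itself fails the `i_fatal("dup2(null_fd) failed: %m")` on the next line has lost its stderr too; consider keeping stderr attached until the remaining startup checks and the logging setup are done and redirecting it as the final step of daemonizing.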

This is done a bit too early.
http://hg.dovecot.org/dovecot-2.0/rev/08e4280e5bfd probably fixes it
too?




Re: [Dovecot] login_trusted_networks (v2.0.8)

2011-02-09 Thread Timo Sirainen
On Thu, 2011-01-06 at 11:14 -0800, Don Buchholz wrote:
> I just spent a bit puzzling over "login_trusted_networks".  My problem
> was using "10.1.2/24" instead of "10.1.2.0/24".
> 
> Here are some things I looked for during troubleshooting that didn't
> pan out:
> 
>(1) No messages printed to syslog.

This happens because libc's inet_aton() translates 1.2.3 to 1.2.0.3 (and
similarly 1.2 to 1.0.0.2). I'd rather not add my own checks to prevent
this.
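To see what Timo means, and what a stricter validator at config-load time would look like, here is an added example written for this page (not from the list post and not Dovecot code). lenient_result() shows what glibc's inet_aton() makes of the short forms; strict_inet_aton() and strict_parse_net() are hypothetical helpers that accept only four decimal octets and an optional /0-32 prefix, so a typo like the "10.1.2/24" in the report above is rejected instead of quietly becoming 10.1.0.2/24.

```c
/* Added example (not from the list post or Dovecot): libc's inet_aton()
 * accepts the abbreviated forms described above, so a network list typo
 * such as "10.1.2/24" silently becomes 10.1.0.2/24. strict_parse_net()
 * is a hypothetical helper that rejects anything but four decimal octets
 * and an optional /0-32 prefix, so the typo fails at config load instead. */
#define _DEFAULT_SOURCE
#include <arpa/inet.h>
#include <ctype.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse "a.b.c.d" with exactly four decimal octets (0-255) and nothing else.
 * Returns 1 and fills *out on success, 0 on any deviation. */
int strict_inet_aton(const char *s, struct in_addr *out)
{
    unsigned long octets[4];
    int i;

    for (i = 0; i < 4; i++) {
        char *end;
        if (!isdigit((unsigned char)*s))
            return 0;                       /* empty octet or stray character */
        octets[i] = strtoul(s, &end, 10);
        if (end - s > 3 || octets[i] > 255)
            return 0;                       /* too many digits or out of range */
        s = end;
        if (i < 3) {
            if (*s != '.')
                return 0;                   /* fewer than four octets */
            s++;
        }
    }
    if (*s != '\0')
        return 0;                           /* trailing junk, e.g. a fifth octet */

    out->s_addr = htonl((octets[0] << 24) | (octets[1] << 16) |
                        (octets[2] << 8) | octets[3]);
    return 1;
}

/* Parse "a.b.c.d/bits" or a bare address (meaning /32). Returns 1 on success. */
int strict_parse_net(const char *spec, struct in_addr *net, int *bits)
{
    char addr[32];
    char *end;
    unsigned long b;
    const char *slash = strchr(spec, '/');
    size_t len = slash ? (size_t)(slash - spec) : strlen(spec);

    if (len == 0 || len >= sizeof(addr))
        return 0;
    memcpy(addr, spec, len);
    addr[len] = '\0';
    if (!strict_inet_aton(addr, net))
        return 0;
    if (slash == NULL) {
        *bits = 32;
        return 1;
    }
    if (!isdigit((unsigned char)slash[1]))
        return 0;
    b = strtoul(slash + 1, &end, 10);
    if (*end != '\0' || b > 32)
        return 0;
    *bits = (int)b;
    return 1;
}

/* What libc's inet_aton() makes of s, as dotted text, or "" if it rejects it. */
const char *lenient_result(const char *s)
{
    static char buf[INET_ADDRSTRLEN];
    struct in_addr a;
    if (!inet_aton(s, &a))
        return "";
    return inet_ntop(AF_INET, &a, buf, sizeof(buf)) ? buf : "";
}

/* Prefix length of a strictly parsed spec, or -1 if it is rejected. */
int strict_bits(const char *spec)
{
    struct in_addr n;
    int bits;
    return strict_parse_net(spec, &n, &bits) ? bits : -1;
}

int main(void)
{
    const char *addrs[] = { "10.1.2", "1.2.3", "1.2" };
    const char *specs[] = { "10.1.2/24", "10.1.2.0/24", "1.2.3.4.5/8" };
    size_t i;

    for (i = 0; i < 3; i++)
        printf("inet_aton(\"%s\") -> %s\n", addrs[i], lenient_result(addrs[i]));
    for (i = 0; i < 3; i++)
        printf("strict_parse_net(\"%s\") -> %s\n", specs[i],
               strict_bits(specs[i]) < 0 ? "rejected" : "ok");
    return 0;
}
```

The practical point for a trust list such as login_trusted_networks is that a silently widened or shifted network is a policy error nobody gets told about; rejecting the abbreviated forms at load time turns the typo into a visible failure, which is the behaviour an administrator troubleshooting "no messages in syslog" would have wanted.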




Re: [Dovecot] /var/mail/ and mail group privileges

2011-02-09 Thread Timo Sirainen
On Mon, 2011-01-10 at 14:08 +0100, Michal Hlavinka wrote:
> On Tuesday, January 04, 2011 00:47:16 Timo Sirainen wrote:
> > On 3.1.2011, at 19.15, Michal Hlavinka wrote:
> > > Shouldn't mkdir and chown make together a transaction? When it fails just
> > > for first time, it confuses some admins (this is the reason why I'm
> > > getting complaints (bug reports) just because missing/wrong
> > > configuration). I think it a) should work even for first connection
> > > (ignore chown failure) or b)it should not work for following connection,
> > > so the behavior should be more consistent.
> > 
> I think a) is better for lazy admins, but b) is more correct, because the other 
> way it's (a little bit) harder to find out this error - having wrong 
> permissions in situations when the group is really required.

I implemented a) a while ago.




Re: [Dovecot] Error: FETCH [1] for mailbox badbox UID 1 got too little data: 2 vs 4

2011-02-09 Thread Timo Sirainen
On Wed, 2011-01-12 at 15:02 +, Chris Wilson wrote:

> $ touch ~/mail/badbox
> $ echo test | /usr/libexec/dovecot/dovecot-lda -m badbox

Fixed finally: http://hg.dovecot.org/dovecot-2.0/rev/079a81fb5117




Re: [Dovecot] Panic: file mailbox-list-maildir.c: line 133: unreached

2011-02-09 Thread Timo Sirainen
On Mon, 2011-01-17 at 00:23 +0100, Holger Mauermann wrote:
> I converted personal mailboxes from maildir to sdbox. Public mailboxes
> are still in maildir format, because I need per-user seen flags.
> However, if the user is subscribed to public mailboxes and the client
> sends 'LIST (SUBSCRIBED) "" *', dovecot crashes with:
> 
> imap(hol...@mauermann.org): Panic: file mailbox-list-maildir.c: line 133: 
> unreached

Fixed finally: http://hg.dovecot.org/dovecot-2.0/rev/4374ae187075




Re: [Dovecot] courier-imap to dovecot-imap migration: missing TLS_TRUSTCERTS feature

2011-02-09 Thread Timo Sirainen
On Wed, 2011-01-19 at 11:46 +0100, Uffe Jakobsen wrote:

> All certificates are self signed "standalone" certificates - no CA 
> hierarchy/structure is made.
> 
> With courier-imap we could just put every client certificate into a 
> trusted cert file (or hashed directory for a larger number of clients) 
> and courier-imap would check that through TLS_TRUSTCERTS.
> 
> I would like to keep the current approach and avoid the whole mini CA 
> setup - that way I can also avoid reissuing new certs to all existing users.
> 
> Question: can a similar setup be achieved with dovecot-imap ?

Doesn't this work?

ssl_ca = 

Re: [Dovecot] expire plugin and sieve

2011-02-09 Thread Timo Sirainen
On Sat, 2011-01-22 at 08:27 +0100, c...@kruemel.org wrote:
>  However, the combination of sieve and expire does not seem to be 
>  working: When sieve moves messages into a folder, no entry is created in 
>  the database. Don't these plugins work together, or did I misconfigure 
>  something?

If you didn't yet find out:

>  lda:
>mail_plugins: expire
>mail_plugins: sieve

The second mail_plugins setting overrides the first one. Use:

mail_plugins = expire sieve




Re: [Dovecot] dovecot not delivering emails in the right folder

2011-02-09 Thread Timo Sirainen
On Sat, 2011-02-05 at 14:11 -0800, paul...@calderonpale.com wrote:

> deliver(adomain.com/test/@adomain.com): 2011-02-04 21:48:04 Info: auth
> input: adomain.com/test/@adomain.com

The username looks broken.. It should be t...@adomain.com, not
adomain.com/test/@adomain.com..

> deliver(adomain.com/test/@adomain.com): 2011-02-04 21:48:04 Info: auth
> input: home=/home/vmail/adomain.com/adomain.com/test/

home is correct. Although it ends with '/', while in dovecot.conf you
have:

> args = uid=5000 gid=5000 home=/home/vmail/%d/%n allow_all_users=yes

i.e. doesn't end with '/'!

> deliver(adomain.com/test/@adomain.com): 2011-02-04 21:48:04 Info: maildir:
> data=/home/vmail/adomain.com/adomain.com/test/

This data should be coming from mail_location setting and should end
with Maildir/.

> dovecot.conf:
> ==
> mail_location = maildir:/home/vmail/%d/%n/Maildir

Which you have here. So .. I've no idea really. It's as if you're using
a different config file for deliver.



Re: [Dovecot] pop3 index virtual question

2011-02-09 Thread Timo Sirainen
On Thu, 2011-02-10 at 00:32 +0100, Robert Schetterer wrote:
> >> Debug: maildir++: root=/etc/dovecot/virtual,
> >> index=/usr/local/virtual/domain.com/u...@domain.com//virtual, control=,
> >> inbox=
> >>
> >> at my setup
> >>
> >> the double slash might not hurt , but how setup to avoid it?
> > 
> > I guess your home directory ends with '/'.
> 
> yes
> it's created by postfixadmin in mysql that way
> didn't hurt with anything yet
> for sure i could split away the last slash in the query
> but for now it only looks like a cosmetic
> problem, would you agree or are you seeing any major problems in future
> with that ?

Yeah, no problems with it. Maybe I'll even some day bother to make
Dovecot automatically drop it.




Re: [Dovecot] LDAP and GSSAPI problems

2011-02-09 Thread Timo Sirainen
On Thu, 2011-02-10 at 01:17 +0200, Timo Sirainen wrote:
> > (does this really need to be set over and over or can the master process
> > set it and have the environment inherited... it has been a long time
> > since I did any coding related to environment variables across forks,
> > etc.)?
> 
> Environment is inherited, but Dovecot explicitly clears it at the
> startup of each process, so any unnecessary stuff gets dropped out. But
> it would be possible to add e.g. DOVECOT_PRESERVE_ENVS that lists which
> environment variables should be preserved.

http://hg.dovecot.org/dovecot-2.0/rev/cec7fa92ff48




Re: [Dovecot] pop3 index virtual question

2011-02-09 Thread Robert Schetterer
On 10.02.2011 00:07, Timo Sirainen wrote:
> On Tue, 2011-02-08 at 21:30 +0100, Robert Schetterer wrote:
> 
>> Debug: maildir++: root=/etc/dovecot/virtual,
>> index=/usr/local/virtual/domain.com/u...@domain.com//virtual, control=,
>> inbox=
>>
>> at my setup
>>
>> the double slash might not hurt , but how setup to avoid it?
> 
> I guess your home directory ends with '/'.

yes
it's created by postfixadmin in mysql that way
didn't hurt with anything yet
for sure i could split away the last slash in the query
but for now it only looks like a cosmetic
problem, would you agree or are you seeing any major problems in future
with that ?

> 
>>  it would work really badly
>>
>> ??? didnt understand this please explain
> 
> If you put a virtual mailbox's INDEX file into a directory shared by all
> users, then first user fills it with the user's own mailbox data. The
> second user who accesses it notices that it's all wrong and replaces
> with that user's own mailbox data. And so on.
> 
> 
OK, that's what I thought

-- 
Best Regards

Kind regards, Robert Schetterer

Germany/Munich/Bavaria


Re: [Dovecot] LDAP and GSSAPI problems

2011-02-09 Thread Timo Sirainen
On Sat, 2011-02-05 at 20:49 -0700, Trever L. Adams wrote:
> 
> Timo, is it possible for you to add that "import_environment =
> KRB5_KTNAME=/etc/dovecot/krb5.keytab KRB5CCNAME=/etc/dovecot/krb5.cc"

So you've tried that doing this via auth.sh script that sets those
before calling dovecot/auth works?

> (does this really need to be set over and over or can the master process
> set it and have the environment inherited... it has been a long time
> since I did any coding related to environment variables across forks,
> etc.)?

Environment is inherited, but Dovecot explicitly clears it at the
startup of each process, so any unnecessary stuff gets dropped out. But
it would be possible to add e.g. DOVECOT_PRESERVE_ENVS that lists which
environment variables should be preserved.
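Clearing the inherited environment at process start and keeping only a named allowlist, which is what Timo describes Dovecot doing, is a standard least-privilege measure: a service or its authentication helper should not inherit loader, locale or credential-location variables from whatever started it. The following is an added example written for this page, not Dovecot's code. clear_environment_except() drops every variable not in a space-separated keep list (the list format, the shape a setting like the suggested DOVECOT_PRESERVE_ENVS might take, and the helper names are assumptions), and selftest() seeds a few constructed variables and checks that exactly the allowed ones survive.

```c
/* Added example, not Dovecot's code: clear the inherited environment at
 * process start while keeping an explicit allowlist, the behaviour
 * described in the post above. The space-separated list format and the
 * helper names are assumptions of this example. */
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

/* Return 1 if the len-byte name is one of the space-separated entries in list. */
static int in_list(const char *list, const char *name, size_t len)
{
    const char *p = list;
    while (p != NULL && *p != '\0') {
        const char *end = strchr(p, ' ');
        size_t n = end ? (size_t)(end - p) : strlen(p);
        if (n == len && memcmp(p, name, len) == 0)
            return 1;
        p = end ? end + 1 : NULL;
    }
    return 0;
}

/* Remove every environment variable whose name is not in keep_list.
 * Names are collected first, because calling unsetenv() while walking
 * environ shifts the array and would skip entries. Returns the number of
 * variables removed, or -1 on allocation failure. */
int clear_environment_except(const char *keep_list)
{
    char **doomed;
    size_t count = 0, i;
    int removed = 0;

    while (environ != NULL && environ[count] != NULL)
        count++;
    doomed = calloc(count + 1, sizeof(*doomed));
    if (doomed == NULL)
        return -1;

    for (i = 0; i < count; i++) {
        const char *eq = strchr(environ[i], '=');
        size_t len = eq ? (size_t)(eq - environ[i]) : strlen(environ[i]);
        if (!in_list(keep_list, environ[i], len))
            doomed[i] = strndup(environ[i], len);   /* remember what to drop */
    }
    for (i = 0; i < count; i++) {
        if (doomed[i] != NULL) {
            if (unsetenv(doomed[i]) == 0)
                removed++;
            free(doomed[i]);
        }
    }
    free(doomed);
    return removed;
}

/* Self-check: seed constructed variables, keep only TZ and HOME, and verify
 * that exactly those survive. Returns 1 on success, 0 otherwise. */
int selftest(void)
{
    setenv("TZ", "UTC", 1);
    setenv("HOME", "/nonexistent", 1);
    setenv("DEMO_SECRET", "constructed", 1);        /* constructed: must be dropped */
    setenv("KRB5CCNAME", "/tmp/krb5cc_demo", 1);    /* constructed: must be dropped */
    if (clear_environment_except("TZ HOME") < 0)
        return 0;
    return getenv("TZ") != NULL && getenv("HOME") != NULL &&
           getenv("DEMO_SECRET") == NULL && getenv("KRB5CCNAME") == NULL &&
           getenv("PATH") == NULL;
}

int main(void)
{
    int removed;
    setenv("TZ", "UTC", 1);
    removed = clear_environment_except("TZ HOME USER");
    printf("removed %d variable(s), TZ=%s\n", removed, getenv("TZ"));
    return 0;
}
```

Because the allowlist is explicit, a credential-location variable such as the KRB5CCNAME discussed in this thread only reaches the child if the administrator lists it; that is the trade-off Trever's "safe default" remark is about, and it is the reason an allowlist beats a denylist here.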




Re: [Dovecot] problem configuring deliver in LDAP environment.

2011-02-09 Thread Timo Sirainen
On Tue, 2011-02-08 at 20:23 +0100, Andrea Borghi wrote:

> dovecotlda  unix  -   n   n   -   -   pipe
>   flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -s -e -f ${sender} -d ${recipient}
..
> What I am trying to do is leaving all the dovecot services running in chroot 
> mode (as they do) but let deliver run in NORMAL (non-chroot) mode

How is deliver even chrooting? Postfix doesn't call it chrooted and
since it's user vmail:vmail the process isn't privileged to do any
chrooting of its own.

> So you know a method to substitute TWO ldap values in the mail parameter 
> definition?

Not possible currently.




Re: [Dovecot] pop3 index virtual question

2011-02-09 Thread Timo Sirainen
On Tue, 2011-02-08 at 21:30 +0100, Robert Schetterer wrote:

> Debug: maildir++: root=/etc/dovecot/virtual,
> index=/usr/local/virtual/domain.com/u...@domain.com//virtual, control=,
> inbox=
> 
> at my setup
> 
> the double slash might not hurt , but how setup to avoid it?

I guess your home directory ends with '/'.

>  it would work really badly
> 
> ??? didnt understand this please explain

If you put a virtual mailbox's INDEX file into a directory shared by all
users, then first user fills it with the user's own mailbox data. The
second user who accesses it notices that it's all wrong and replaces
with that user's own mailbox data. And so on.




Re: [Dovecot] IMAP subfolders and MDBOX

2011-02-09 Thread Timo Sirainen
On Wed, 2011-02-09 at 07:12 +0100, Frank Bonnet wrote:

> We actually use MBOX format on our mailhub but this
> does not permit to create IMAP subfolders.

It does, although it's less obvious how to do that with most clients.

> My problem is to choose the format that will permit
> imap subfolders creation.

Even mbox supports it, although the filesystem becomes a bit ugly:
http://wiki2.dovecot.org/MboxChildFolders

> Maildir is not my favorite format and I wonder about
> MDBOX.
> 
> Does it permit imap subfolders creation ?

Sure.

> It is possible to convert from MBOX to MDBOX in one shot ?

You can run dsync one user at a time, and of course you can run it for
as many users as you want. I'd suggest switching a few users first to
make sure everything will work nicely.

> Is it stable / mature enough for a production server ( 4000 users ) ?

I hope so. :)



Re: [Dovecot] LDAPS fault tolerance not working with dovecot

2011-02-09 Thread Timo Sirainen
On Wed, 2011-02-09 at 11:41 +0200, Nikita Koshikov wrote:

> uris = ldaps://host1 ldaps://host2 ldaps://host2
> 
> Today host1 hangs and new connections can't be established with the mail
> server. Connected users worked fine (auth_cache_size = 5 k
> auth_cache_ttl = 15 mins). At this time host2 and host3 were working
> fine, but switching to them did not happen. Why ?

Well, I can only say that it's libldap's (= OpenLDAP's) responsibility
to do the switch automatically.




Re: [Dovecot] Domain blacklisting

2011-02-09 Thread Timo Sirainen
On Wed, 2011-02-09 at 11:57 +0100, Thomas Hummel wrote:

> My understanding is that I cannot use some negative form of "allow_nets". The
> only mechanism I can think of is tcp_wrappers. However, the dovecot documentation
> mentions it only in the dovecot-1 section. Does it work the same way with 
> dovecot-2 ?
> Is it a bad idea (I'm thinking of the induced overhead) ?
> Can you see another way to blacklist (at dovecot application level) some 
> sources ?

If tcpwrappers supports it, then it should be pretty easy with v2.0, as
long as Dovecot was compiled with support for it:

login_access_sockets = tcpwrap

There is of course some extra overhead, mainly from doing a reverse DNS
lookup for all connections, but since that's what you want it can't be
avoided.. Or if you have some known good IP ranges, you can add e.g.:

remote 192.168.0.0/24 {
  login_access_sockets =
}




Re: [Dovecot] Questions about dovecot-shared in 1.2 and inherit group membership from parent mailbox

2011-02-09 Thread Timo Sirainen
On Wed, 2011-02-09 at 12:51 +0100, Lukas Haase wrote:

> First, if I want shared keywords I *must* have a dovecot-shared. In this 
> case, the permissions are not taken any longer from the parent folder 
> (what is exactly this parent folder?)

If you have ~/Maildir/.foo/, then the permissions are based on the .foo
directory when ~/Maildir/.foo/dovecot-shared doesn't exist.

>  but from the dovecot-shared file. 
> So in some sense dovecot-shared is always required (since everyone would 
> like to share keywords). True?

dovecot-shared is needed only if you want private \Seen flags.

> Second, is there only *one* dovecot-shared per namespace or per mailbox 
> *under* a specific namespace? Or an arbitrary number (where the "last" 
> is taken)? Where does dovecot-shared need to be placed?

For each mailbox.

> For example, if the location of the namespace points to /var/mail/shared 
> and I have two mailboxes "group1" and "group2" inside.
> Does the dovecot-shared need to reside in /var/mail/shared or 
> /var/mail/shared/group1 and /var/mail/shared/group2 (with LAYOUT=fs)? Is 
> it possible?

group1 & group2

> Third (and main) question: In /var/mail/shared I want to have a mailbox 
> for each group. Each user is member of his respective groups (in terms 
> of UNIX permissions *and* ACLs).
> The mailboxes are owned by their respective groups and if a user creates 
> a subfolder inside it should surely have the same group assigned as the 
> parent mailbox (not the namespace!).

Well, now you're going into something that's a new feature :) But you
can probably do:

/var/mail/shared = root:root, 02770
/var/mail/shared/group1 = root:group1, 02770

Now filesystem should preserve group1 and Dovecot should preserve 02770
permissions.



Re: [Dovecot] Using -s in "doveadm mailbox create"

2011-02-09 Thread Timo Sirainen
On Wed, 2011-02-09 at 20:57 +0100, Christoph Pleger wrote:

> it seems that "doveadm mailbox create" does not handle the mailbox parameters 
> correctly if used with the "-s"-Parameter.

Fixed: http://hg.dovecot.org/dovecot-2.0/rev/98f13cc1e649




[Dovecot] Using -s in "doveadm mailbox create"

2011-02-09 Thread Christoph Pleger
Hello,

it seems that "doveadm mailbox create" does not handle the mailbox parameters 
correctly if used with the "-s"-Parameter.

I am using the following command in a script for adding new users:

doveadm mailbox create -u "${ACCOUNT}" -s INBOX Drafts Sent Trash Spam Templates

This creates mailboxes Drafts, Sent, Trash, Spam and Templates, but not INBOX. 
Likewise, when I omit INBOX in the command, only Sent, Trash, Spam and 
Templates are created, but not Drafts. With only one mailbox parameter, I get 
an error message about incorrect usage. When I enter the command without 
the "-s"-Parameter, all given mailboxes are created.

As a workaround, I have to use the command without "-s" first and then 
call "doveadm mailbox subscribe".

Regards
  Christoph   


Re: [Dovecot] Force STARTTLS on port 143 for !internalnetwork

2011-02-09 Thread Ralf Hildebrandt
* Timo Sirainen :

> >> In v2.0 you can do:
> >> 
> >> disable_plaintext_auth = yes
> >> local 10.0.0.0/24 {
> >>  disable_plaintext_auth = no
> >> }
> > 
> > Can I also specify more than one subnet there?
> 
> You can add multiple local {} blocks. Uh. Actually, you want remote {}, not 
> local {}.

It's easier to enumerate the INTERNAL networks than the whole
internet...

-- 
Ralf Hildebrandt
  IT Division | Network Department
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



Re: [Dovecot] Dovecot + Solr does not index without break-imap-search?

2011-02-09 Thread Timo Sirainen
On 9.2.2011, at 15.12, Jose Álvaro Domínguez Díaz wrote:

> With 'break-imap-search', Dovecot connects with solr, solr indexes all, 
> searches are fast and all works fine. BUT if we don't add 'break-imap-search', 
> solr doesn't index anything.

With break-imap-search the indexing is used for TEXT and BODY search keys. 
Strictly looking at the IMAP RFC this makes Dovecot noncompliant, but then 
again there already are so many servers doing that that probably no one cares.

Without break-imap-search, indexing is used only for Dovecot-specific 
X-TEXT-FAST and X-BODY-FAST search keys, which of course nothing uses unless 
you modify your webmail. In future once Dovecot supports FUZZY extension this 
is going to be used by it to make it a bit more useful.



Re: [Dovecot] Force STARTTLS on port 143 for !internalnetwork

2011-02-09 Thread Timo Sirainen
On 9.2.2011, at 17.13, Ralf Hildebrandt wrote:

> * Timo Sirainen :
> 
>> I think that'll work, yes, but it has the additional feature of allowing 
>> clients from localnet to fake their IP address.
> 
> Yes, I noticed this while reading the checkin message for the feature.

It's also mentioned in the example-config.

>> In v2.0 you can do:
>> 
>> disable_plaintext_auth = yes
>> local 10.0.0.0/24 {
>>  disable_plaintext_auth = no
>> }
> 
> Can I also specify more than one subnet there?

You can add multiple local {} blocks. Uh. Actually, you want remote {}, not 
local {}.



Re: [Dovecot] Force STARTTLS on port 143 for !internalnetwork

2011-02-09 Thread Ralf Hildebrandt
* Timo Sirainen :

> I think that'll work, yes, but it has the additional feature of allowing 
> clients from localnet to fake their IP address.

Yes, I noticed this while reading the checkin message for the feature.
 
> In v2.0 you can do:
> 
> disable_plaintext_auth = yes
> local 10.0.0.0/24 {
>   disable_plaintext_auth = no
> }

Can I also specify more than one subnet there?

-- 
Ralf Hildebrandt
  IT Division | Network Department
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



Re: [Dovecot] Force STARTTLS on port 143 for !internalnetwork

2011-02-09 Thread Timo Sirainen
On 9.2.2011, at 15.09, Nick Rosier wrote:

>> How can I force users which are connecting from OUTSIDE our networks
>> to use STARTTLS on Port 143?
>> 
>> Right now we resort to IMAPS on port 993, but an additional STARTTLS
>> enabled login on the default port would make things easier!
>> 
> You can probably add login_trusted_networks = localnet
> 
> IIRC this allows for insecure login from your localnet but forces all other 
> networks to use a secure authentication method (e.g. SSL, STARTTLS, CRAM or 
> DIGEST).

I think that'll work, yes, but it has the additional feature of allowing 
clients from localnet to fake their IP address.

In v2.0 you can do:

disable_plaintext_auth = yes
local 10.0.0.0/24 {
  disable_plaintext_auth = no
}



Re: [Dovecot] dsync problem

2011-02-09 Thread Frank Bonnet

On 02/09/2011 03:16 PM, Pascal Volk wrote:
> On 02/09/2011 03:10 PM Frank Bonnet wrote:
>> …
>> dsync(toto): Error: Failed to sync mailbox .dovecot.sieve: Mailbox isn't
>> a valid mbox file
>>
>> The directory .dovecot.sieve is used by sieve and it seems dsync
>> doesn't like it ...
>
> Yeah, dsync works with mailboxes and messages, but not with any files of
> another kind.
> Even though the page is 'for virtual users', it explains what the user's
> home directory is for: http://wiki.dovecot.org/VirtualUsers/Home
>
> Please store the sieve scripts in the user's home, not in its
> mail_location.
>
> Regards,
> Pascal




OK I moved all mboxes into ~/mail directory
and it runs well :-)

Thanks a lot !


Re: [Dovecot] dsync problem

2011-02-09 Thread Pascal Volk
On 02/09/2011 03:10 PM Frank Bonnet wrote:
> …
> dsync(toto): Error: Failed to sync mailbox .dovecot.sieve: Mailbox isn't 
> a valid mbox file
> 
> The directory .dovecot.sieve is used by sieve and it seems dsync
> doesn't like it ...

Yeah, dsync works with mailboxes and messages, but not with any files of
another kind.
Even though the page is 'for virtual users', it explains what the user's
home directory is for: http://wiki.dovecot.org/VirtualUsers/Home

Please store the sieve scripts in the user's home, not in its
mail_location.


Regards,
Pascal
-- 
The trapper recommends today: beeffeed.1104...@localdomain.org


Re: [Dovecot] dsync problem

2011-02-09 Thread Frank Bonnet

On 02/09/2011 03:01 PM, Joseba Torre wrote:
> On Wednesday 09 February 2011, Frank Bonnet wrote:
>> hello
>>
>> I try to convert from mbox to mdbox using dsync
>> I get the following error using the following command
>>
>> dsync mirror -u toto mbox:/user/toto:INBOX=/var/mail/toto
>>
>> I get this error message :
>>
>> mail3# dsync mirror -u toto mbox:/user/toto:INBOX=/var/mail/toto
>> dsync(root): Fatal: execvp(-u) failed: No such file or directory
>> dsync-local(root): Error: read() from worker server failed: EOF
>
> Have you tried
>
> dsync -u toto mirror mbox:/user/toto:INBOX=/var/mail/toto

It seems better ;-) ..., but the process is stopped with the following 
message:


dsync(toto): Error: Failed to sync mailbox .dovecot.sieve: Mailbox isn't 
a valid mbox file


The directory .dovecot.sieve is used by sieve and it seems dsync
doesn't like it ...



Re: [Dovecot] dsync problem

2011-02-09 Thread Joseba Torre
On Wednesday 09 February 2011, Frank Bonnet wrote:
> hello
> 
> I try to convert from mbox to mdbox using dsync
> I get the following error using the following command
> 
> dsync mirror -u toto mbox:/user/toto:INBOX=/var/mail/toto
> 
> I get this error message :
> 
> mail3# dsync mirror -u toto mbox:/user/toto:INBOX=/var/mail/toto
> dsync(root): Fatal: execvp(-u) failed: No such file or directory
> dsync-local(root): Error: read() from worker server failed: EOF

Have you tried

dsync -u toto mirror mbox:/user/toto:INBOX=/var/mail/toto

-- 
Joseba Torre. ICT Vice-Management, Operations Area


[Dovecot] dsync problem

2011-02-09 Thread Frank Bonnet

hello

I try to convert from mbox to mdbox using dsync
I get the following error using the following command

dsync mirror -u toto mbox:/user/toto:INBOX=/var/mail/toto

I get this error message :

mail3# dsync mirror -u toto mbox:/user/toto:INBOX=/var/mail/toto
dsync(root): Fatal: execvp(-u) failed: No such file or directory
dsync-local(root): Error: read() from worker server failed: EOF


any infos welcome
thanks



[Dovecot] Dovecot + Solr does not index without break-imap-search?

2011-02-09 Thread Jose Álvaro Domínguez Díaz

Hi folks,

We are working with Dovecot 2.0.9 with Solr support and there is a 
thing, a little strange for us. Let me explain.


We have this conf for Solr:
  plugin {
 ...
 fts = solr
 fts_solr = url=http://solr.domain:8983/solr/ break-imap-search
 quota = maildir
 ...
  }

With 'break-imap-search', Dovecot connects with solr, solr indexes all, 
searches are fast and all works fine. BUT if we don't add 
'break-imap-search', solr doesn't index anything.


Logs don't report errors with debug/verbose options enabled. Does anybody 
have any idea about this? Thank you very much for all.



Regards.

--
Jose Álvaro Domínguez
adoming...@yaco.es

Yaco Sistemas S.L.
http://www.yaco.es/
C/ Rioja 5, 41001 Sevilla
Phone +34 954 50 00 57
Fax  +34 954 50 09 29


Re: [Dovecot] Force STARTTLS on port 143 for !internalnetwork

2011-02-09 Thread Nick Rosier

Ralf Hildebrandt wrote:

Hi!

How can I force users which are connecting from OUTSIDE our newtworks
to user STARTTLS on Port 143?

Right now we resort to IMAPS on port 993, but an additional STARTTLS
enabled login on the default port would make things easier!


You can probably add login_trusted_networks = localnet

IIRC this allows for insecure login from your localnet but forces all 
other networks to use a secure authentication method (e.g. SSL, 
STARTTLS, CRAM or DIGEST).


N.
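
Whatever setting is used to enforce this, the verifiable effect on the wire is the pre-TLS CAPABILITY line: a Dovecot listener that refuses plaintext authentication before STARTTLS advertises STARTTLS together with LOGINDISABLED and no AUTH=PLAIN/AUTH=LOGIN on an unencrypted connection (the setting that produces this in Dovecot is disable_plaintext_auth = yes; login_trusted_networks as suggested above is a separate mechanism). The following check is an added example, not code from the thread or from the Dovecot project: it classifies capability strings and can optionally probe a server you operate. The sample capability lines are constructed, and the host name in the usage comment is a placeholder.

```python
"""Check whether an IMAP listener on port 143 still accepts plaintext
logins before STARTTLS, by reading the pre-TLS CAPABILITY response.
Added example; not part of the mailing-list thread."""
import imaplib

# Constructed sample capability responses (not captured from any real host).
SAMPLES = {
    "forces_tls": "IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE "
                  "STARTTLS LOGINDISABLED",
    "plaintext_ok": "IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE "
                    "STARTTLS AUTH=PLAIN AUTH=LOGIN",
    "no_tls": "IMAP4rev1 LITERAL+ SASL-IR ID ENABLE IDLE AUTH=PLAIN",
}


def assess_capabilities(caps: str) -> dict:
    """Classify a CAPABILITY string received before STARTTLS.

    Plaintext login is considered possible when LOGINDISABLED is absent
    or when a cleartext SASL mechanism (PLAIN or LOGIN) is still advertised.
    """
    tokens = {t.upper() for t in caps.split()}
    starttls = "STARTTLS" in tokens
    login_disabled = "LOGINDISABLED" in tokens
    cleartext_mechs = sorted(t for t in tokens if t in ("AUTH=PLAIN", "AUTH=LOGIN"))
    return {
        "starttls": starttls,
        "login_disabled": login_disabled,
        "cleartext_mechanisms": cleartext_mechs,
        "plaintext_login_possible": (not login_disabled) or bool(cleartext_mechs),
    }


def verdict(caps: str) -> str:
    """Human-readable result for one capability string."""
    a = assess_capabilities(caps)
    if not a["starttls"]:
        return "FAIL: STARTTLS not offered"
    if a["plaintext_login_possible"]:
        return "FAIL: plaintext login possible before STARTTLS"
    return "OK: STARTTLS offered and plaintext login refused"


def probe_live(host: str, port: int = 143, timeout: float = 10.0) -> str:
    """Fetch the pre-TLS capability line from a server you operate and assess it.

    Needs network access; the offline test only exercises the classifier.
    """
    conn = imaplib.IMAP4(host, port, timeout=timeout)
    try:
        _typ, data = conn.capability()
        caps = data[0].decode("ascii", "replace") if data else ""
        return verdict(caps)
    finally:
        conn.logout()


if __name__ == "__main__":
    for name, caps in SAMPLES.items():
        print(f"{name:12s} {verdict(caps)}")
    # Against your own server (placeholder host name):
    # print(probe_live("imap.example.invalid"))
```

Run it from a host outside the trusted network, because a listener that treats the probing host as trusted may legitimately omit LOGINDISABLED; the result is only meaningful from the vantage point whose clients you want to force onto STARTTLS.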


[Dovecot] Force STARTTLS on port 143 for !internalnetwork

2011-02-09 Thread Ralf Hildebrandt
Hi!

How can I force users which are connecting from OUTSIDE our networks
to use STARTTLS on port 143?

Right now we resort to IMAPS on port 993, but an additional STARTTLS
enabled login on the default port would make things easier!

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



Re: [Dovecot] Permissions in shared folders

2011-02-09 Thread Lukas Haase

Dear Timo,

Am 08.02.2011 23:48, schrieb Timo Sirainen:

On 9.2.2011, at 0.20, Lukas Haase wrote:

namespace public {
  separator = .
  prefix = Shared.
  location = maildir:/var/mail/shared:CONTROL=~/Maildir/shared


location = maildir:/var/mail/shared:INDEX=~/Maildir/shared


Why? According to the Wiki, CONTROL is used for example for the
subscriptions (I can not use "subscriptions=no" because my private
namespace is "INDEX." and not empty) and therefore I use it.

[...]
You can create a prefix="" namespace with list=no hidden=yes where
the subscriptions will be saved.


Great hint! This works!

For the archive:

namespace private {
   separator = .
   prefix =.
   inbox = no
   list = no
   hidden = yes
   location = maildir:~/Maildir-root
   subscriptions = yes
}

The subscriptions file for the public namespaces are not saved in 
~/Maildir-root.



[...]
Yes, but then if any keywords (= custom flags = labels = ..) are
used, they're not shared between users. Other users instead will see
keywords like "Unknown-1".


I re-read the Wiki again and now I understand it.

The usual option will be using dovecot-shared and INDEX=~/Maildir/... 
for private Seen flags and index, no CONTROL for shared keywords and 
subscriptions = no for private subscriptions in the private parent 
namespace.



Thank you very much for these tips!

Regards,
Luke






Re: [Dovecot] ldap: LDAP attribute used multiple times. This is currently unsupported

2011-02-09 Thread Lukas Haase

Am 08.02.2011 23:52, schrieb Timo Sirainen:

On 9.2.2011, at 0.12, Lukas Haase wrote:


I'm pretty sure it never worked. I think in v1.0 it simply
ignored the first uid=user. So you could probably just remove
that.


Unfortunately not. I am really sure it worked in v1.0. For
example:


I mean in v1.0 it set system_groups_user=uid, but it didn't set
user=uid.  I doubt you need the user=uid, since they're probably same
to begin with (you didn't show pass_filter so I don't know how you
look up the user). So just remove the "uid=user" from pass_attrs and
it'll probably work fine.


Great, yes, this is/was the case. I just removed it and use 
"auth_username_format = %Lu", which works.


Thank you!

Regards,
Luke



[Dovecot] Questions about dovecot-shared in 1.2 and inherit group membership from parent mailbox

2011-02-09 Thread Lukas Haase

Hi,

I read the Wiki about dovecot-shared a few times but it is not 100% 
clear to me (at least for 1.2).


First, if I want shared keywords I *must* have a dovecot-shared. In this 
case, the permissions are not taken any longer from the parent folder 
(what is exactly this parent folder?) but from the dovecot-shared file. 
So in some sense dovecot-shared is always required (since everyone would 
like to share keywords). True?


Second, is there only *one* dovecot-shared per namespace or per mailbox 
*under* a specific namespace? Or an arbitrary number (where the "last" 
is taken)? Where does dovecot-shared need to be placed?
For example, if the location of the namespace points to /var/mail/shared 
and I have two mailboxes "group1" and "group2" inside.
Does the dovecot-shared need to reside in /var/mail/shared or 
/var/mail/shared/group1 and /var/mail/shared/group2 (with LAYOUT=fs)? Is 
it possible?


Third (and main) question: In /var/mail/shared I want to have a mailbox 
for each group. Each user is a member of his respective groups (in terms 
of UNIX permissions *and* ACLs).
The mailboxes are owned by their respective groups and if a user creates 
a subfolder inside it should surely have the same group assigned as the 
parent mailbox (not the namespace!).


namespace public {
  separator = .
  prefix = Shared.
  location = maildir:/var/mail/shared:INDEX=~/Maildir/shared:LAYOUT=fs
  subscriptions = no
}

mail:~# ls -l -R /var/mail/shared/
/var/mail/shared/:
total 12
drwxrwx--- 5 root group1 4096 Feb  9 11:53 Group1
drwxrwx--- 5 root group2 4096 Feb  9 12:27 Group2
-rw-r--r-- 1 root root 23 Feb  9 11:52 dovecot-acl
-rw-rw-r-- 1 root root  0 Dec 15  2009 dovecot-shared

/var/mail/shared/Group1:
total 16
drwxrwx--- 2 root group1 4096 Feb  8 10:35 cur
-rw-r--r-- 1 root group1   28 Feb  9 11:52 dovecot-acl
-rw-rw-r-- 1 root group1    0 Dec 15  2009 dovecot-shared
drwxrwx--- 2 root group1 4096 Dec 15  2009 new
drwxrwx--- 2 root group1 4096 Feb  8 10:34 tmp

/var/mail/shared/Group1/cur:
total 0

/var/mail/shared/Group1/new:
total 0

/var/mail/shared/Group1/tmp:
total 0

/var/mail/shared/Group2:
total 16
drwxrwx--- 2 root group2 4096 Feb  8 10:35 cur
-rw-r--r-- 1 root group2   27 Feb  9 11:52 dovecot-acl
-rw-rwS--- 1 root group2    0 Dec 15  2009 dovecot-shared
drwxrwx--- 2 root group2 4096 Dec 15  2009 new
drwxrwx--- 2 root group2 4096 Feb  8 10:34 tmp

/var/mail/shared/Group2/cur:
total 0

/var/mail/shared/Group2/new:
total 0

/var/mail/shared/Group2/tmp:
total 0

Again: *Inside* /var/mail/shared I want to create mailboxes for each 
group (Group1, Group2, ...). This is done only by the administrator. 
Therefore /var/mail/shared is owned by root.


Each Group1, Group2, ... in turn is owned by group1, group2, ...

I tried all combinations using dovecot-shared that came to mind 
such that a subfolder of Group1 is owned by group1. However, either


1.) the subfolder is owned by the primary group of the creating user 
(group "users")

  or
2.) the group of /var/mail/shared/dovecot-shared
  or
3.) creation of the subfolder fails with

dovecot: IMAP(user1): chown(/var/mail/shared/Group2/Test1, -1, 0(root)) 
failed: Operation not permitted (egid=100(users), group based on 
/var/mail/shared/dovecot-shared)
dovecot: IMAP(user1): mkdir(/var/mail/shared/Group2/Test1/cur) failed: 
Operation not permitted


Is this just not possible or do I get something wrong here?

Regards,
Luke




[Dovecot] Domain blacklisting

2011-02-09 Thread Thomas Hummel
Hello,

I run dovecot-2/Maildir/LDAP user/passdb and would like to be able to deny
access to users who connect from certain domains/IPs (google.com for instance,
since in that case they gave their credentials to a third party).

My understanding is that I cannot use some negative form of "allow_nets". The
only mechanism I can think of is tcp_wrappers. However, the dovecot documentation
mentions it only in the dovecot-1 section. Does it work the same way with 
dovecot-2?
Is it a bad idea (I'm thinking of the induced overhead)?
Can you see another way to blacklist (at the dovecot application level) some 
sources?

Thanks 

-- 
Thomas Hummel   | Institut Pasteur
 | Pôle informatique - systèmes et réseau
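
Whether or not the server can be made to refuse such sources, a defender usually also wants to know when they appear. The script below is an added example (not from the thread, not Dovecot code) that takes the detection side of this question: it parses imap-login "Login:" lines, extracts the remote IP (rip=), and flags logins whose source falls in a denied network or whose reverse-DNS name matches a denied suffix. The log lines, the denied networks and the reverse-DNS table are all constructed; a real deployment would feed it the actual log and a real resolver.

```python
"""Flag IMAP logins from denied source networks or reverse-DNS domains in
Dovecot imap-login log lines. Added example; all inputs are constructed."""
import ipaddress
import re

# Constructed denylist: documentation ranges, not real offenders.
DENIED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8::/32")]

# Constructed reverse-DNS results standing in for a real PTR lookup.
REVERSE_DNS = {"198.51.100.9": "fetcher.example.net"}
DENIED_NAME_SUFFIXES = (".example.net",)

# Matches the remote IP in a Dovecot 2 imap-login "Login:" line.
LOGIN_RE = re.compile(
    r"imap-login: Login: user=<(?P<user>[^>]*)>, .*?rip=(?P<rip>[0-9a-fA-F.:]+)"
)

# Constructed sample log lines (format modelled on Dovecot 2 imap-login output).
LOG_LINES = [
    "Feb 09 10:20:36 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, "
    "rip=192.0.2.10, lip=192.0.2.1, mpid=4101, TLS",
    "Feb 09 10:21:02 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, "
    "rip=203.0.113.7, lip=192.0.2.1, mpid=4102, TLS",
    "Feb 09 10:21:40 mail dovecot: imap-login: Login: user=<carol>, method=PLAIN, "
    "rip=198.51.100.9, lip=192.0.2.1, mpid=4103, TLS",
    "Feb 09 10:22:15 mail dovecot: imap-login: Login: user=<dave>, method=PLAIN, "
    "rip=2001:db8::1, lip=2001:db8:1::1, mpid=4104, TLS",
    "Feb 09 10:22:50 mail dovecot: imap-login: Disconnected (no auth attempts "
    "in 0 secs): rip=203.0.113.9, lip=192.0.2.1",
]


def source_denied(rip, rdns=REVERSE_DNS):
    """Return a reason string if the source address is denied, else None."""
    addr = ipaddress.ip_address(rip)
    for net in DENIED_NETWORKS:
        if addr.version == net.version and addr in net:
            return f"network {net}"
    name = rdns.get(rip)
    if name and name.endswith(DENIED_NAME_SUFFIXES):
        return f"rdns {name}"
    return None


def flag_logins(lines):
    """Return (user, rip, reason) for each successful login from a denied source."""
    flagged = []
    for line in lines:
        m = LOGIN_RE.search(line)
        if not m:
            continue  # not a completed login; disconnects etc. are ignored here
        reason = source_denied(m["rip"])
        if reason:
            flagged.append((m["user"], m["rip"], reason))
    return flagged


if __name__ == "__main__":
    for user, rip, reason in flag_logins(LOG_LINES):
        print(f"DENIED-SOURCE login user={user} rip={rip} ({reason})")
```

Only completed logins are reported, which is what matters for the case described above (credentials already handed to a third party); failed attempts from the same ranges are a separate, noisier signal and are deliberately left out of the match.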


Re: [Dovecot] critical feature from version 1 not migrated to version 2 = authentication configuration database per IP

2011-02-09 Thread da...@apollo.lv

Timo Sirainen wrote:

On 9.2.2011, at 9.37, da...@apollo.lv wrote:

   

existing version 1 config file, that allow such configuration:
 /etc/dovecot.conf BEGIN 
server mail.domain1.tld {
 

I'm surprised that this server block really worked for you. I only remember 
having problems with it, and that's why its existence is well hidden.
It's worked flawlessly for many years: first on Red Hat distros, later on all 
Fedora versions. But the latest Fedora distro includes the v2.x branch ...

  In v2.0 the idea is anyway that you could do:

local mail.domain1.tld {
   ..
}
local mail.domain2.tld {
   ..
}

But this unfortunately doesn't currently work for auth settings.
I've seen - auth from many databases is possible - but all in one block, 
... as a solution one could create 2 variables that may be passed to the auth process:

- 1 = local IP address to which the client connected
- 2 = the resolved address from 1
Those variables must be usable in the auth database "include file" 
definition, similar to:

!include auth-ldap.conf.%IP
or
!include auth-ldap.conf.%IP_Resolved

Another way (possibly easier, and good enough for 
advanced configurations) = a single variable that may be set in the block of the 
exact IP listener configuration; for the example provided before, one may set the 
variable "auth_db_suffix" = string("dc=domain1,dc=tld") for the definition 
"local mail.domain1.tld", and that variable is inserted into the auth block 
via the variable insertion mechanism ...



  I'll get around to doing it at some point.. There is actually probably one 
horribly ugly way to make this already work, but it's so bad I don't really 
even want to suggest it (involving creating duplicate service blocks for 
different IPs and chrooting their processes to different dirs)..
   
That way (multiple instances of dovecot with a full copy of all 
configuration files) I was doing, but didn't like it, so on each update of the 
distro I'm currently recompiling and reinstalling the 1.x version on all 
servers I control (ppc+x86+x64) ...


[Dovecot] LDAPS fault tolerance not working with dovecot

2011-02-09 Thread Nikita Koshikov
Hello list, 

In my dovecot-ldap.ext I have:

uris = ldaps://host1 ldaps://host2 ldaps://host2

Today host1 hung and new connections couldn't be established with the mail server. 
Connected users worked fine (auth_cache_size = 5 k auth_cache_ttl = 15 mins). 
At this time host2 and host3 were working fine, but switching to them did not 
happen. Why?

In logs I got:
Feb 09 10:20:36 imap-login: Error: Timeout waiting for handshake from auth 
server. my pid=29932, input bytes=0
Feb 09 10:20:36 imap-login: Error: Timeout waiting for handshake from auth 
server. my pid=29867, input bytes=0
Feb 09 10:20:37 imap-login: Error: auth: connect(login) failed: Resource 
temporarily unavailable
Feb 09 10:20:37 imap-login: Error: auth: connect(login) failed: Resource 
temporarily unavailable
Feb 09 10:20:39 imap-login: Error: Timeout waiting for handshake from auth 
server. my pid=29943, input bytes=0
Feb 09 10:20:40 imap-login: Error: auth: connect(login) failed: Resource 
temporarily unavailable

I also tried to set:
hosts = host1:636 host2:636 host3:636

But with the above config the error log fills with messages:
Feb 09 10:44:57 auth: Error: LDAP: Connection lost to LDAP server, reconnecting

And none of the servers accepted ldaps connections.

Has anyone had success making ldaps fault tolerance work?