Re: [Dovecot] acl with hierarchy separators mismatched config

2011-08-23 Thread YAEGASHI Takeshi
Timo,

2011/8/24 Timo Sirainen :
> I remember listescape had problems with ACLs, and that it wasn't really 
> possible to solve those bugs without major changes. The good news though is 
> that those major changes are done in v2.1 where it should work.

Ok, I would avoid using maildir++ layout with listescape for now.  I
confirmed that it could support folder names including dots without
listescape by using LAYOUT=fs.

> Also you could make FS layout almost reserved-folder-name free by adding e.g. 
> :DIRNAME=Mails to your mail_location. Now the only reserved name is "Mails", 
> and you can of course use any other name that users are highly unlikely to 
> use (and remember that folder names are case sensitive).

Yes, I've learnt about DIRNAME from the dovecot wiki.  Currently that
config could be the best for LAYOUT=fs.

Thank you for the valuable information and suggestion!

> Some day I'm hoping to add yet another option that mailbox names wouldn't be 
> used in filenames at all, but rather their GUIDs.

Good.  Looking forward to seeing it.  I also expect some of mailbox
migration tools to be available :-) (dsync can do it?).

Regards,
-- 
YAEGASHI Takeshi 


[Dovecot] unlink_directory failed with 'Device or resource busy' on NFS

2011-08-23 Thread 김기태
Hi,

I'm getting some errors while I'm trying to move mailboxes from IMAP server to 
Outlook client. The error message is "IMAP command is failed" and I think it is 
useless.

Here are the error messages written to server's syslog.

imap(n...@domain.com): Error: unlink_directory(/data/domain.com/name/INBOX/direct/.nfs33fd00cd) failed: Device or resource busy
imap(n...@domain.com): Error: unlink_directory(/data/domain.com/name/INBOX/IDC/.nfs709d00e9) failed: Device or resource busy
imap(n...@domain.com): Error: unlink_directory(/data/domain.com/name/INBOX/OSSEC/.nfs709f00f0) failed: Device or resource busy

How can I solve this problem?

I'm using Dovecot 2.0.13 and my configuration is:

# 2.0.13: /usr/local/dovecot/etc/dovecot/dovecot.conf
# OS: Linux 2.6.38-11-server x86_64 Ubuntu 11.04
listen = *
mail_fsync = always
mail_location = maildir:~:LAYOUT=fs
mail_nfs_index = yes
mail_nfs_storage = yes
mmap_disable = yes
passdb {
 args = /usr/local/dovecot/etc/dovecot/dovecot-ldap.conf.ext
 driver = ldap
}
ssl_cert = 

Re: [Dovecot] Cannot delete subfolder in public folder

2011-08-23 Thread Timo Sirainen
On 24.8.2011, at 1.08, Karsten Becker wrote:

> I have the problem that I'm unable to delete a subfolder (again) I
> created within a public folder.
> 
> I've already read about configuring Thunderbird to delete immediately -
> which I did. But it still doesn't work.

Step 1: Verify that it really is a DELETE command that fails and that the 
returned error is "Permission denied". For example:

telnet localhost 143
a login username password
b delete Folders/test01



[Dovecot] Cannot delete subfolder in public folder

2011-08-23 Thread Karsten Becker
Hi there,

I have the problem that I'm unable to delete a subfolder (again) I
created within a public folder.

I've already read about configuring Thunderbird to delete immediately -
which I did. But it still doesn't work.

I delete -> the folder is gone -> I get a TB error message saying "The
folder doesn't exist" -> after restarting TB the folders appear again.
Maybe someone has a hint. My tip is that I may have a wrong
understanding of the ACL mechanism...  :-(

Regards from Berlin/Germany
Karsten



Log:

> Aug 24 00:01:37 mail01 dovecot: imap(karsten.bec...@company.eu): Debug: acl 
> vfile: file /etc/dovecot/global-acls//.DEFAULT not found
> Aug 24 00:01:37 mail01 dovecot: imap(karsten.bec...@company.eu): Debug: acl 
> vfile: file 
> /srv/vmail/user-mailboxes/company.eu/karsten.becker/mailboxes/dovecot-acl not 
> found
> Aug 24 00:01:37 mail01 dovecot: imap(karsten.bec...@company.eu): Debug: acl 
> vfile: file /etc/dovecot/global-acls/Folders/test01/aaa not found
> Aug 24 00:01:37 mail01 dovecot: imap(karsten.bec...@company.eu): Debug: acl 
> vfile: reading file /srv/vmail/public_folders/test01/aaa/dovecot-acl

Here's the filesystem structure in /srv/vmail:

> root@mail01.compdmz.local:/srv/vmail# ls -l public_folders/test01/
> total 20
> drwxr-xr-x 5 vmail vmail 4096 2011-08-23 23:50 aaa
> drwxr-xr-x 2 vmail vmail 4096 2011-08-23 21:45 cur
> -rw-r--r-- 1 vmail vmail   25 2011-08-23 22:19 dovecot-acl
> drwxr-xr-x 2 vmail vmail 4096 2011-08-23 21:45 new
> drwxr-xr-x 2 vmail vmail 4096 2011-08-23 21:45 tmp
> root@mail01.compdmz.local:/srv/vmail#

Here's the content of dovecot-acl (there are another ones in subfolder
aaa with the same content, inherited during creation):

> authenticated lrwstipekx

Here's my configuration of Dovecot:

> # 2.0.13: /usr/local/dovecot-2.0.13/etc/dovecot/dovecot.conf
> # OS: Linux 2.6.32-33-server x86_64 Ubuntu 10.04.3 LTS ext4
> doveconf: Warning: Dovecot was last started using /etc/dovecot/dovecot.conf, 
> but this config is /usr/local/dovecot-2.0.13/etc/dovecot/dovecot.conf
> auth_cache_negative_ttl = 0
> auth_cache_size = 10 M
> auth_mechanisms = plain login
> base_dir = /usr/local/dovecot/var/run/dovecot
> dict {
>   acl = mysql:/etc/dovecot/dovecot-dict-shared-mailboxes-mysql.conf
>   expire = mysql:/etc/dovecot/dovecot-dict-expire-mysql.conf
>   quota = mysql:/etc/dovecot/dovecot-dict-quota-mysql.conf
> }
> log_timestamp = "%Y-%m-%d %H:%M:%S "
> login_greeting = Company Institute
> mail_attachment_dir = /srv/vmail/attachments
> mail_attachment_hash = %{sha256}
> mail_cache_min_mail_count = 2
> mail_debug = yes
> mail_location = mdbox:/srv/vmail/user-mailboxes/%d/%n
> mail_plugins = acl expire quota
> mailbox_idle_check_interval = 1 mins
> namespace {
>   inbox = yes
>   location = 
>   prefix = 
>   separator = /
>   subscriptions = yes
>   type = private
> }
> namespace {
>   list = children
>   location = mdbox:/srv/vmail/user-mailboxes/%%d/%%n
>   prefix = Users/%%d/%%n/
>   separator = /
>   subscriptions = no
>   type = shared
> }
> namespace {
>   list = children
>   location = 
> maildir:/srv/vmail/public_folders:INDEX=/srv/vmail/user-mailboxes/%d/%n/public_folders-seen:LAYOUT=fs
>   prefix = Folders/
>   separator = /
>   subscriptions = no
>   type = public
> }
> passdb {
>   args = /etc/dovecot/dovecot-mysql.conf
>   driver = sql
> }
> plugin {
>   acl = vfile:/etc/dovecot/global-acls:cache_secs=300
>   acl_shared_dict = proxy::acl
>   expire = Trash
>   expire2 = Trash/*
>   expire3 = Junk
>   expire4 = Junk/*
>   expire_dict = proxy::expire
>   quota = dict:User quota::proxy::quota
>   quota_rule = *:storage=10485760
>   quota_rule2 = Trash:storage=+1048576
>   quota_warning = storage=95%% quota-warning 95 %u
>   quota_warning2 = storage=80%% quota-warning 80 %u
> }
> postmaster_address = postmas...@company.eu
> protocols = imap pop3
> service auth {
>   unix_listener /var/spool/postfix/private/auth_dovecot {
> group = postfix
> mode = 0660
> user = postfix
>   }
>   unix_listener auth-master {
> mode = 0600
> user = vmail
>   }
>   user = root
> }
> service dict {
>   unix_listener dict {
> mode = 0600
> user = vmail
>   }
> }
> service imap-login {
>   inet_listener imaps {
> port = 993
> ssl = yes
>   }
>   process_min_avail = 2
> }
> service imap {
>   vsz_limit = 512 M
> }
> service pop3-login {
>   inet_listener pop3s {
> port = 995
> ssl = yes
>   }
> }
> service quota-warning {
>   executable = script /usr/local/bin/quota-warning.sh
>   user = vmail
> }
> ssl = required
> ssl_cert = 
> ssl_key = 
> userdb {
>   args = /etc/dovecot/dovecot-mysql.conf
>   driver = sql
> }
> verbose_proctitle = yes
> protocol lda {
>   auth_socket_path = auth-master
>   postmaster_address = postmas...@company.eu
> }
> protocol imap {
>   imap_client_workarounds = delay-newmail
>   imap_max_line_length = 128 k
>   mail_plugins = acl expire quota imap_acl imap_quota
> }
> protocol pop3 {
>   pop3_client_wo

Re: [Dovecot] LDA and auth-userdb socket permissions

2011-08-23 Thread Lutz Preßler
On Di, 23 Aug 2011, a.smith at ukgrid.net wrote:
> Quoting Timo Sirainen :
> 
> >
> > It doesn't have to be the primary group. This is more of an Exim side
> > problem that it doesn't assign the supplementary groups (if it did, it
> > would have worked with dovecot-lda). I don't think the way you
You probably can use the Exim transport (or router) option "initgroups".

Lutz


Re: [Dovecot] LDA and auth-userdb socket permissions

2011-08-23 Thread a . smith

Quoting Timo Sirainen :

> It doesn't have to be the primary group. This is more of an Exim side
> problem that it doesn't assign the supplementary groups (if it did, it
> would have worked with dovecot-lda). I don't think the way you
> configured Exim to call dovecot-lda is explained anywhere in Dovecot
> wiki?



I'm using the exact transport from the wiki  
(http://wiki2.dovecot.org/LDA/Exim) but with the addition of setting  
user and also I have a shadow transport configured. So, yes I do have  
a couple of differences to what is shown in the wiki...


WRT my problem, I will work around it using primary groups or possibly  
abolishing the option for users/domains to use any user other than  
vmail. I don't think its necessary but its how I inherited this  
particular mail setup...


thanks for your input,

cheers Andy.





Re: [Dovecot] LDA and auth-userdb socket permissions

2011-08-23 Thread Timo Sirainen
On Tue, 2011-08-23 at 20:38 +0100, a.sm...@ukgrid.net wrote:
> > It doesn't actually matter what groups you have assigned to vmail user.
> > Dovecot only enables the primary group (and not even that if you've
> > overridden it in config), and apparently Exim does the same too.
> >
> > The supplementary groups don't automatically get enabled when process's
> > UID switched, it requires explicit extra code to do it. In most
> > installations this is just useless extra work and a potential accidental
> > security hole.
> >
> 
> Ok, I assumed that secondary groups are honoured in almost all  
> instances on a UNIX or Linux platform. I can add a note to the wiki  
> making it explicit that the group must be the primary group if you  
> think it's appropriate...

It doesn't have to be the primary group. This is more of an Exim side
problem that it doesn't assign the supplementary groups (if it did, it
would have worked with dovecot-lda). I don't think the way you
configured Exim to call dovecot-lda is explained anywhere in Dovecot
wiki?




Re: [Dovecot] LDA and auth-userdb socket permissions

2011-08-23 Thread a . smith

Quoting Timo Sirainen :

> On Tue, 2011-08-23 at 19:27 +0100, a.sm...@ukgrid.net wrote:
>
> > In my test, actually what I have is a vmail user with primary group
> > vmail and secondary group mailnull. Which as mentioned results in this
> > error:
>
> It doesn't actually matter what groups you have assigned to vmail user.
> Dovecot only enables the primary group (and not even that if you've
> overridden it in config), and apparently Exim does the same too.
>
> The supplementary groups don't automatically get enabled when process's
> UID switched, it requires explicit extra code to do it. In most
> installations this is just useless extra work and a potential accidental
> security hole.



Ok, I assumed that secondary groups are honoured in almost all  
instances on a UNIX or Linux platform. I can add a note to the wiki  
making it explicit that the group must be the primary group if you  
think it's appropriate...






Re: [Dovecot] LDA and auth-userdb socket permissions

2011-08-23 Thread Timo Sirainen
On Tue, 2011-08-23 at 19:27 +0100, a.sm...@ukgrid.net wrote:


> In my test, actually what I have is a vmail user with primary group  
> vmail and secondary group mailnull. Which as mentioned results in this  
> error:

It doesn't actually matter what groups you have assigned to vmail user.
Dovecot only enables the primary group (and not even that if you've
overridden it in config), and apparently Exim does the same too.

The supplementary groups don't automatically get enabled when process's
UID switched, it requires explicit extra code to do it. In most
installations this is just useless extra work and a potential accidental
security hole.




Re: [Dovecot] Bug report v2.0.13 - CentOS x86_64 - NFS - mbox - Problem reproduced

2011-08-23 Thread Timo Sirainen
On Fri, 2011-08-19 at 17:52 +0300, Kostas Zorbadelos wrote:
> The problem is more easily introduced than I imagined.

Well, I still couldn't reproduce it. But I can kind of see the problem.
http://hg.dovecot.org/dovecot-2.0/rev/030394c74f54 should help.




Re: [Dovecot] LDA and auth-userdb socket permissions

2011-08-23 Thread a . smith

no, I did explain this later in my last email

Quoting Timo Sirainen :

> On Tue, 2011-08-23 at 19:27 +0100, a.sm...@ukgrid.net wrote:
>
> > srw-rw  1 root  mailnull  0 Aug 23 19:13 /var/run/dovecot/auth-userdb
>
> That's not vmail group as you said..

Re: [Dovecot] LDA and auth-userdb socket permissions

2011-08-23 Thread Timo Sirainen
On Tue, 2011-08-23 at 19:27 +0100, a.sm...@ukgrid.net wrote:

> srw-rw  1 root  mailnull  0 Aug 23 19:13 /var/run/dovecot/auth-userdb 

That's not vmail group as you said..




Re: [Dovecot] dovecot and tcpwrappers

2011-08-23 Thread Timo Sirainen
On Wed, 2011-07-27 at 15:39 +0200, Kees Lemmens wrote:

> I think I sorted it out : I also had to add a service section to 
> dovecot.conf and I had to change the old "imap-login" settings in 
> /etc/hosts.allow to be simply "imap" now.
..
> Timo : maybe this could be documented a little better ? It took me quite a 
> while now to figure it all out.

Yeah, I've just been too busy.. I added it now to
http://wiki2.dovecot.org/LoginProcess

> About the "not running from inetd" problem : would it be enough to copy the 
> modules to the chrooted directory to avoid this connect(imap-login) problem 
> ? 

I've removed all the code necessary for running from inetd. It was
horribly ugly code and I never liked it. There's not going to be any
easy way to add it back.




Re: [Dovecot] zlib plugin doesn't read concatenated .gz mailbox

2011-08-23 Thread Timo Sirainen
On Fri, 2011-07-29 at 20:00 +0300, Dmitry Nezhevenko wrote:

> I've observed that dovecot doesn't display all mails from compressed via
> gzip mailbox (mbox). At the same time "mutt -f mailbox.gz" displays it
> correctly with all messages.

Fixed: http://hg.dovecot.org/dovecot-2.0/rev/35e4a547231c




Re: [Dovecot] LDA and auth-userdb socket permissions

2011-08-23 Thread a . smith

Quoting Timo Sirainen :

> > Hmmm, well in my setup dovecot-lda is called from Exim with "user="
> > set to a MySQL query.
>
> Are you sure you even need Dovecot to do a userdb lookup then? If
> Exim can set up also the other needed things (home dir?) it
> shouldn't be necessary.

Yeah, I think I could do that. I followed the setup guide for Exim
from the Dovecot wiki and this is the first config I arrived at, which
works well apart from this little detail.

> Hmm. So if dovecot-lda is running as vmail group and
> /var/run/dovecot/auth-userdb has group=vmail and 0660 permissions,
> this error shouldn't happen. Check two things:
>
> 1) ls -ln /var/run/dovecot/auth-userdb actually shows group as 25110
> and mode being 0660

srw-rw  1 root  mailnull  0 Aug 23 19:13 /var/run/dovecot/auth-userdb

> 2) If you've any SELinux or app-armor stuff enabled, try disabling them

I'm running FreeBSD so no SELinux here.

In my test, actually what I have is a vmail user with primary group
vmail and secondary group mailnull. Which as mentioned results in this
error:

Aug 23 19:19:13 lda: Error: userdb lookup:
connect(/var/run/dovecot/auth-userdb) failed: Permission denied
(euid=25110(vmail) egid=25110(vmail) missing +r perm:
/var/run/dovecot/auth-userdb, euid is not dir owner)

It did cross my mind it was a bug, but then I thought the
documentation just was wrong on the wiki...






Re: [Dovecot] dovecot's documentation dearth

2011-08-23 Thread Timo Sirainen
On Mon, 2011-08-15 at 17:13 -0400, Postmaster wrote:

> I'm working on a configuration for 2.0 and I'm finding the documentation 
> somewhat difficult.  I think it would be very helpful to me to have 
> encountered a single page that detailed all available configuration 
> sections.  I don't know how to find out what the sections are, when to 
> use them or what specifically they control.  So far I've encountered...
> 
> passdb

This is same as always: http://wiki2.dovecot.org/PasswordDatabase

> plugin

Also. Simply settings used by plugins: http://wiki2.dovecot.org/Plugins

> service

This is a bit tricky one and unfortunately not documented clearly yet.
The included example-config/conf.d/10-master.conf has some comments
about them though.

> protocol

A filter for settings inside it to affect only the specified protocol,
e.g. protocol imap {} or pop3 or smtp or .. Would have probably been
nice to name these filters in a more consistent form (like: filter
protocol imap {})

> userdb

As before: http://wiki2.dovecot.org/UserDatabase

> local_name (and I think there is another one of these for ips)

Another filter to apply settings inside it only for the specified
hostname/IP address. local_name is mainly about using it for multiple
SSL certificates when using TLS SNI. local {} is about any other
specific per-IP/network settings. remote {} is similar to local {}
except for remote IP/network.

I'm not sure where would be a good place to document these.. I suppose I
should create a new wiki page about some generic config file syntax
things.

> The service section itself would benefit from a single page detailing 
> all of the possible types of service sections available.

You can get a list of all default services with "doveconf service", but
you can also create your own services. Also e.g. once you install
Pigeonhole Sieve you'll get more services.

> The next problem I've had is discovering that several parts of dovecot 
> have no documentation at all even though they are standalone executables 
> run by root.  config, log, and ssl_params all run as root but there is 
> also anvil 

These are the services that are run internally by Dovecot. It's part of
the same "yeah, would be good to document all services and what they do
and what service parameters may and may not be changed for them" but I'm
kind of busy..

> and they look to me like they could support listening on a 
> port if inet_interfaces is defined.

Everything supports listening anywhere, but whether it's a good idea is
another thing.

> Well I guess that would be one solution.  The bottom line is that it 
> gives me an uncomfortableness to not be able to control or explain the 
> operation of the software I'm supposedly administering.  Take the 
> program named log (which should be named dovecot-log or something less 
> generic), 

It shows up as "dovecot/log" in the ps list and exists in
libexec/dovecot/log, so I don't think the name is a problem. I
considered naming everything dovecot-* but then thought dovecot/* is
prettier and doesn't require renaming so many existing binaries from
v1.x.

> it is launched even though I've specified syslog in the 
> configuration.  Logging is not interrupted when the process is killed. 
> So, why is it running?  What is it doing?  Why does it need root?  

Everything still gets logged through it even if you use syslog. It does
a few other small log simplifying things besides just writing to a log
file. If you kill it, it's restarted and that's why you don't see
logging interruption (some messages might get lost). If you send a
SIGSTOP to it the logging should stop and eventually all processes
should start blocking on log writes I think. It doesn't need to be root
as long as it can do the logging without.



Re: [Dovecot] signal 11 crash, sometimes, during mbox bz2 decompression

2011-08-23 Thread Timo Sirainen
On Tue, 2011-08-16 at 05:00 -0600, Mike Brown wrote:

> I'm running dovecot 1.2.16 from the ports collection on FreeBSD 8.1-STABLE, 
> amd64.
..
> My compressed mbox files are all .bz2 files in an 'old' subdirectory of my 
> main mail directory. I am trying to access them with Thunderbird. I 
> 'subscribed' to them just fine, and at first I thought it was working, but I 
> just got lucky on the first couple I accessed. Dovecot actually fails to 
> decompress them about 90% of the time, seemingly at random; the same box will 
> not work a bunch of times, then work once, then not work again and again. 
> When it works, sometimes only some of the messages get transmitted.

I'm not entirely sure but I kind of remember bzip2 support being at
least somewhat broken in v1.x. It's been entirely rewritten in v2.0.

> Aug 16 00:25:33 myhost dovecot: dovecot: child 943 (imap) killed with signal 
> 11 (core not dumped - set mail_drop_priv_before_exec=yes)

gdb backtrace would show more information about where it crashed:
http://dovecot.org/bugreport.html

But I don't think there's much point in wasting more time on this before
trying if v2.0 has already fixed it.



Re: [Dovecot] Segmentation fault in dovecot director lmtp service

2011-08-23 Thread Timo Sirainen
On Wed, 2011-08-17 at 11:42 +, Reinhard Vicinus wrote:
> Hi,
> 
> 
> the lmtp service of our dovecot director installation quits with a
> segmentation fault if a lot of mails are simultaneously delivered.
> For example if the postfix mailqueue is filled (for whatever reason)
> and postqueue -f is run the lmtp service quits with a segmentation
> fault:

It probably means that the remote LMTP server disconnected the client
for whatever reason. http://hg.dovecot.org/dovecot-2.0/rev/2f988e370a41
should help.




Re: [Dovecot] LDA and auth-userdb socket permissions

2011-08-23 Thread Timo Sirainen
On 23.8.2011, at 19.37, a.sm...@ukgrid.net wrote:

>> No, that's the least of its troubles. If you can't run dovecot-lda as root, 
>> it won't be able to change its UID to the user's UID (and so won't have 
>> enough permissions to be able to write mails to user's mailbox). So you need 
>> to run dovecot-lda as root in some way, and after that it becomes pretty 
>> much irrelevant what auth-userdb's permissions are.
>> 
> 
> Hmmm, well in my setup dovecot-lda is called from Exim with "user=" set to a 
> MySQL query.

Are you sure you even need Dovecot to do a userdb lookup then? If Exim can set 
up also the other needed things (home dir?) it shouldn't be necessary.

> I'd guess that that means Exim runs dovecot-lda as the user directly so I 
> don't have the issue you mention above. But where the permission on the 
> auth-userdb socket are root:vmail 0660, the dovecot-lda is called as vmail 
> and the vmail user is a member of the vmail group I get the error:
> 
> Aug 11 03:38:06 lda: Error: userdb lookup: 
> connect(/var/run/dovecot/auth-userdb) failed: Permission denied 
> (euid=25110(vmail) egid=25110(vmail) missing +r perm: 
> /var/run/dovecot/auth-userdb, euid is not dir owner)

Hmm. So if dovecot-lda is running as vmail group and 
/var/run/dovecot/auth-userdb has group=vmail and 0660 permissions, this error 
shouldn't happen. Check two things:

1) ls -ln /var/run/dovecot/auth-userdb actually shows group as 25110 and mode 
being 0660

2) If you've any SELinux or app-armor stuff enabled, try disabling them



Re: [Dovecot] LDA and auth-userdb socket permissions

2011-08-23 Thread a . smith

Quoting Timo Sirainen :

> No, that's the least of its troubles. If you can't run dovecot-lda
> as root, it won't be able to change its UID to the user's UID (and
> so won't have enough permissions to be able to write mails to user's
> mailbox). So you need to run dovecot-lda as root in some way, and
> after that it becomes pretty much irrelevant what auth-userdb's
> permissions are.




Hmmm, well in my setup dovecot-lda is called from Exim with "user="  
set to a MySQL query. I'd guess that that means Exim runs dovecot-lda  
as the user directly so I don't have the issue you mention above. But  
where the permission on the auth-userdb socket are root:vmail 0660,  
the dovecot-lda is called as vmail and the vmail user is a member of  
the vmail group I get the error:


Aug 11 03:38:06 lda: Error: userdb lookup:  
connect(/var/run/dovecot/auth-userdb) failed: Permission denied  
(euid=25110(vmail) egid=25110(vmail) missing +r perm:  
/var/run/dovecot/auth-userdb, euid is not dir owner)


In the dovecot log when dovecot-lda is called. Hence I thought the  
socket permissions where related to the multiple UID restriction...


thanks Andy.





Re: [Dovecot] LDA and auth-userdb socket permissions

2011-08-23 Thread Timo Sirainen
On 23.8.2011, at 19.10, a.sm...@ukgrid.net wrote:

>> Now you've gone outside the "Multiple UIDs" section in the wiki. There are 
>> the 3 different sections of how to run dovecot-lda a different way:
>> 
>> * with a lookup
>> * without a lookup
>> * multiple UIDs
>> 
>> None of their documentation is compatible with each others.
> 
> Ok, I must be misunderstanding. I understand that the multiple UIDs 
> limitation relates to the fact that access to the auth-userdb socket is 
> restricted, is that incorrect?

No, that's the least of its troubles. If you can't run dovecot-lda as root, it 
won't be able to change its UID to the user's UID (and so won't have enough 
permissions to be able to write mails to user's mailbox). So you need to run 
dovecot-lda as root in some way, and after that it becomes pretty much 
irrelevant what auth-userdb's permissions are.
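An added illustration, not Dovecot's or Exim's code, of the two points Timo makes in this thread: a delivery agent has to start as root to switch to the mailbox user's UID, and a UID switch does not enable the user's supplementary groups unless the program calls initgroups() itself, so a privilege drop either clears them with setgroups() (only the primary group stays, as Timo describes for Dovecot) or enables them explicitly. The user and group names on the command line are assumptions.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Return 1 if gid is currently effective for this process, either as the
 * effective GID or as an enabled supplementary group, otherwise 0. */
int group_is_enabled(gid_t gid)
{
    if (getegid() == gid)
        return 1;
    int n = getgroups(0, NULL);          /* number of supplementary groups */
    if (n <= 0)
        return 0;
    gid_t *groups = malloc((size_t)n * sizeof *groups);
    if (groups == NULL)
        return 0;
    n = getgroups(n, groups);
    int found = 0;
    for (int i = 0; i < n; i++)
        if (groups[i] == gid)
            found = 1;
    free(groups);
    return found;
}

/* Switch the process to the named user. With with_supplementary == 0 the
 * supplementary group list is cleared, so only the primary group from the
 * passwd entry is enabled (what Dovecot and Exim do, per the thread). With
 * with_supplementary != 0, initgroups() also enables the user's /etc/group
 * memberships (what Exim's "initgroups" option would do). Returns 0 on
 * success, -1 with errno set. Needs root: that is why dovecot-lda must be
 * started as root to switch to the mailbox user's UID at all. */
int switch_user(const char *name, int with_supplementary)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL) {
        errno = ENOENT;
        return -1;
    }
    /* Group changes must come before setuid(): once the UID is unprivileged
     * the process can no longer modify its own group list. */
    if (with_supplementary) {
        if (initgroups(pw->pw_name, pw->pw_gid) < 0)
            return -1;
    } else {
        if (setgroups(0, NULL) < 0)
            return -1;
    }
    if (setgid(pw->pw_gid) < 0)
        return -1;
    if (setuid(pw->pw_uid) < 0)
        return -1;
    /* Sanity check: the drop must be irreversible for a non-root target. */
    if (pw->pw_uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Usage (as root): ./a.out vmail mailnull primary|all
 * Reports whether <group> is enabled after switching to <user>. */
int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s <user> <group> primary|all\n", argv[0]);
        return 2;
    }
    struct group *gr = getgrnam(argv[2]);
    if (gr == NULL) {
        fprintf(stderr, "unknown group %s\n", argv[2]);
        return 2;
    }
    if (switch_user(argv[1], strcmp(argv[3], "all") == 0) < 0) {
        fprintf(stderr, "switch_user(%s): %s\n", argv[1], strerror(errno));
        return 1;
    }
    printf("euid=%u egid=%u; group %s enabled: %s\n",
           (unsigned)geteuid(), (unsigned)getegid(), argv[2],
           group_is_enabled(gr->gr_gid) ? "yes" : "no");
    return 0;
}
```

Run with "primary" and the secondary group reports "no" even though the user is a member of it, which is the situation behind the Permission denied error on auth-userdb in this thread.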



Re: [Dovecot] LDA and auth-userdb socket permissions

2011-08-23 Thread a . smith

Quoting Timo Sirainen :

> > But in the example for the config file the text reads:
> >
> > [QUOTE]
> > service auth {
> >   unix_listener auth-userdb {
> >     mode = 0600
> >     user = vmail # User running dovecot-lda
> >     #group = vmail # Or alternatively mode 0660 + dovecot-lda user in this group
> >   }
> > }
> > [/QUOTE]
>
> Now you've gone outside the "Multiple UIDs" section in the wiki.
> There are the 3 different sections of how to run dovecot-lda a
> different way:
>
>  * with a lookup
>  * without a lookup
>  * multiple UIDs
>
> None of their documentation is compatible with each others.


Ok, I must be misunderstanding. I understand that the multiple UIDs  
limitation relates to the fact that access to the auth-userdb socket  
is restricted, is that incorrect? Following that forward, where the  
example shows that you can set group access to the socket and change  
permissions to 0660 I took to mean you can now have multiple users so  
long as they are in the correct group (ie vmail). Which contradicts  
the statement that you cannot work with multiple UIDs.

Can you put that straight if I got it wrong?

thanks in advance, Andy.







Re: [Dovecot] Default and per-User sieve script

2011-08-23 Thread Thomas Harold

On 8/22/2011 7:03 PM, Patrick Westenberg wrote:

> Hi guys,
>
> is there any way to configure Dovecot to process the default sieve
> script and, after that, a user specific script?
>
> I have a default script to sort spam into a spam folder but if a
> user specific script is present, the default script is ignored.
>
> sieve = ~/.dovecot.sieve
> sieve_dir = ~/sieve
> sieve_global_path = /usr/local/etc/dovecot/sieve/default.sieve



sieve_before and sieve_after

I keep our global default script in /etc/dovecot/sieve/global, any 
scripts that run first go in /etc/dovecot/sieve/before and the post-user 
scripts go in /etc/dovecot/sieve/after.


I tend to put most scripts in the "after" folder with only a tiny 
handful of ultra-specific scripts that must run for every user in the 
"before" folder.


Scripts in the "after" folder can then be easily overridden by the user 
in their per-user scripts if they don't like how things are working.


Re: [Dovecot] dovecot deadlock with procmail

2011-08-23 Thread Timo Sirainen
On 19.8.2011, at 13.37, kunal verma wrote:

> I m using dovecot 1.0.7. I m having problems in mail delivery to my mail
> server locally.
> When a user sends a mail few mails are in mail Q for longer period of time.
> The local delivery agent(*procmail*) is trying to deliver the mail at
> regular interval but it is unable to deliver.
> But as soon as I *restart* *dovecot* the mails in the Q are delivered
> immediately.
> I suspect it is because of locking of *mbox* file of users by dovecot.

Dovecot locks the mbox files only as long as it needs to. For IMAP commands 
it's locked only during those IMAP commands. For POP3 it's locked when the 
first message is read and kept until POP3 client disconnects (this is what POP3 
clients are supposed to do). With v1.2 POP3 sessions also unlock the mbox after 
idling for 10 seconds.

There might have also been some bugs related to this.. You could try if 
upgrading Dovecot to v1.2 or newer helps.

> How to overcome this problem as some mails are taking hours to be
> delivered??
> please let me know the solution.

The only guaranteed solution would be to not use mbox.

Re: [Dovecot] Large Mailbox Slow

2011-08-23 Thread Thomas Harold

On 8/22/2011 6:42 PM, Matt wrote:

> Doubt if there is any answer to this but will ask anyway.  Have a few
> pop3 accounts with thousands of messages.  It's slow when checking
> email naturally.  Are there any tweaks to speed it up?  I imagine
> there is an exchange of the message and header list which is the slow
> down.  Too bad the list could not be compressed with gzip or something
> first.  I think http has an option similar to that.
>
> Just asking.


IMAP is a far better choice if you want to leave messages up on the server.

(XFS or ext4 plus using Maildir storage format on the server can also be 
a big help.  But unless you have evidence that the disks are buried or 
the server's CPU is busy, those changes may not help at all.  A good and 
quick tool on Linux servers to monitor that is "atop".)


Re: [Dovecot] Dovecot Postfix and ssl_require_client_cert

2011-08-23 Thread Timo Sirainen
On 22.8.2011, at 2.18, mezzo wrote:

> I have a working mail system with postfix 2.7 and dovecot 1.2.15.
..
> Is there a way to enable ssl_require_client_cert in dovecot and have
> smtpd_sasl_auth_enable=yes in postfix? Better would be a way to tell dovecot
> only to use ssl_require_client_cert during the imap authorisation. 

With v1.2 you'd have to run two separate Dovecot installations with different 
configs. With v2.0 you should be able to do:

protocol !smtp {
  ssl_require_client_cert = yes
}



Re: [Dovecot] LDA and auth-userdb socket permissions

2011-08-23 Thread Timo Sirainen
On 22.8.2011, at 14.22, a.sm...@ukgrid.net wrote:

>  just wanted to check this as the wiki seems to have contradictory 
> information. With respect to running the LDA as multiple UIDs the wiki says:
> 
> [QUOTE]If you're using more than one UID for users, you're going to have 
> problems running dovecot-lda, as most MTAs won't let you run dovecot-lda as 
> root[/QUOTE]

Yep, that's a problem.

> But in the example for the config file the text reads:
> 
> [QUOTE]
> service auth {
>   unix_listener auth-userdb {
>     mode = 0600
>     user = vmail # User running dovecot-lda
>     #group = vmail # Or alternatively mode 0660 + dovecot-lda user in this group
>   }
> }
> [/QUOTE]

Now you've gone outside the "Multiple UIDs" section in the wiki. There are the 
3 different sections of how to run dovecot-lda a different way:

 * with a lookup
 * without a lookup
 * multiple UIDs

None of their documentation is compatible with each others.

Re: [Dovecot] acl with hierarchy separators mismatched config

2011-08-23 Thread Timo Sirainen
On 23.8.2011, at 10.52, YAEGASHI Takeshi wrote:

> I prefer the maildir++ layout with listescape as it's reserved-folder-name 
> free (eg. cur new tmp).

I remember listescape had problems with ACLs, and that it wasn't really 
possible to solve those bugs without major changes. The good news though is 
that those major changes are done in v2.1 where it should work.

Also you could make FS layout almost reserved-folder-name free by adding e.g. 
:DIRNAME=Mails to your mail_location. Now the only reserved name is "Mails", 
and you can of course use any other name that users are highly unlikely to use 
(and remember that folder names are case sensitive).

Some day I'm hoping to add yet another option that mailbox names wouldn't be 
used in filenames at all, but rather their GUIDs.
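The replies above turn on how a mailbox name maps to a directory under the maildir++ layout, the fs layout, and the fs layout with DIRNAME. The following is an added illustration, not Dovecot's own code: a simplified model of those three mappings written from the thread's description. The listescape escaping of "." is deliberately left out, and the treatment of reserved names under DIRNAME follows Timo's statement that "Mails" becomes the only reserved name (both are assumptions of this model, not Dovecot's documented behaviour).

```python
"""Model of mailbox-name -> on-disk directory for maildir++ vs fs layouts.

Added example, not Dovecot's code.  Rules are a simplified reading of the
thread: maildir++ flattens the hierarchy into one dotted directory name,
fs uses real subdirectories, and DIRNAME=<dir> moves the cur/new/tmp
directories under <dir> so that <dir> is the only reserved folder name.
"""

# Maildir's own subdirectories; a folder cannot share a name with them
# when mails live directly inside the folder directory.
MAILDIR_RESERVED = {"cur", "new", "tmp"}


def maildirpp_path(root, mailbox, sep="/"):
    """maildir++ layout: 'aaa/bbb' -> '<root>/.aaa.bbb'.

    On disk the hierarchy separator is always '.', so a '.' inside a
    component would be read back as a separator.  Without the listescape
    plugin (not modelled here) such names are rejected.
    """
    parts = mailbox.split(sep)
    for part in parts:
        if not part or "." in part:
            raise ValueError(f"{part!r} needs listescape under maildir++")
    return f"{root}/." + ".".join(parts)


def fs_path(root, mailbox, sep="/", dirname=None):
    """fs layout: 'aaa/bbb' -> '<root>/aaa/bbb' (mail dir for that folder).

    Without DIRNAME, cur/new/tmp are reserved (the thread's
    'NO Invalid mailbox name: Public/aaa/cur').  With DIRNAME=Mails
    (assumed value from the thread) mails live in '<folder>/Mails' and
    only 'Mails' is reserved.
    """
    parts = mailbox.split(sep)
    reserved = {dirname} if dirname else MAILDIR_RESERVED
    for part in parts:
        if not part or part in reserved:
            raise ValueError(f"{part!r} is reserved in this layout")
    path = f"{root}/" + "/".join(parts)
    return f"{path}/{dirname}" if dirname else path


def is_allowed(fn, *args, **kwargs):
    """True if the mapping accepts the name, False if it is rejected."""
    try:
        fn(*args, **kwargs)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    root = "/var/mail/public"   # constructed from the thread's config
    for name in ("aaa/bbb", "aaa/1.2.3", "aaa/cur"):
        print(f"{name:10} maildir++: {is_allowed(maildirpp_path, root, name)}"
              f"  fs: {is_allowed(fs_path, root, name)}"
              f"  fs+DIRNAME: {is_allowed(fs_path, root, name, dirname='Mails')}")
```

Running it shows the trade-off the thread discusses: maildir++ rejects "aaa/1.2.3" but accepts "aaa/cur", plain fs does the opposite, and fs with DIRNAME accepts both.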



Re: [Dovecot] Update indexes with dovecot 1.1

2011-08-23 Thread Timo Sirainen
On 23.8.2011, at 9.52, Angel L. Mateo wrote:

>> With v2.0 you could if you use Dovecot proxy (or director) you can also 
>> proxy doveadm connections through it, so a "doveadm index" would always go 
>> to the correct server. http://wiki2.dovecot.org/Director at the bottom has 
>> some info how to set this up (works also with plain proxy, without director).
>   I'm trying this configuration in a test environment, but we are having 
> lot of problems with director. The main problem is with director and LMTP, 
> because it produces a lot of timeout errors (I have previously posted about 
> these problems)

Yes, I should look into the LMTP proxy problems. Those are kind of difficult 
to debug though since I've never been able to reproduce them. In any case, you 
could initially move to v2.0 + director without LMTP (i.e. deliver to Maildir 
directly, then run the doveadm index).

>   OK. So my question is, is it worth it? Our scenario is 8 POP/IMAP 
> servers with almost 7 users (not all of them are really active), about 
> 8.5 TB in use, with mailboxes in Maildir format over NFS. Our main problem 
> with this is at return of vacation periods (like the one we'll have next 
> 9/1). Our hypothesis is that the first connection of the user is expensive, 
> because he has a lot of unindexed messages in his mailbox. Supposing that 
> doveadm index indexes the mailbox correctly, does it help to solve our 
> problem?

Yes, if there's a ton of people returning at the same time it'll create a load 
spike. It's at least partially because mails aren't indexed, so Dovecot has to 
first read the message headers (and maybe bodies) to produce the initial 
message list, and afterwards when user actually reads/downloads the message 
bodies they're re-read from disk, unless the OS still has them cached.

So this kind of preindexing would definitely reduce the CPU load during the 
spike, but I'm not entirely sure about disk load because of the OS caching 
(10-50% decrease?). I'd be really interested in seeing actual numbers some day. 
:)

[Dovecot] acl with hierarchy separators mismatched config

2011-08-23 Thread YAEGASHI Takeshi
Hi there,

I'm testing dovecot 2.0.13 on Debian squeeze (deb from 
http://xi.rename-it.nl/debian) with the following doveconf -n.


# 2.0.13 (1449a2e2c1f5): /etc/dovecot/dovecot.conf
# OS: Linux 2.6.26-2-openvz-amd64 i686 Debian 6.0.2
first_valid_uid = 8
mail_debug = yes
mail_location = maildir:~/Maildir
mail_plugins = listescape mail_log notify acl
namespace {
  inbox = yes
  location =
  prefix =
  separator = /
  type = private
}
namespace {
  list = children
  location = maildir:/var/mail/public:INDEX=~/Maildir/public
  prefix = Public/
  separator = /
  subscriptions = no
  type = public
}
passdb {
  driver = pam
}
plugin {
  acl = vfile
}
protocols = " imap"
ssl = no
userdb {
  args = uid=mail gid=mail home=/var/mail/private/%u
  driver = static
}
protocol imap {
  mail_plugins = listescape mail_log notify acl imap_acl
}


My primary interest is acl and listescape enabled folders in the public 
namespace.  I've chosen "/" as the hierarchy separator to support folder names 
with dots (".").

/var/mail/public is a maildir with the maildir++ layout where the separator is 
a dot (".").  So I set up initial acls and folders as follows:


# mkdir /var/mail/public
# echo 'anyone lra' >/var/mail/public/dovecot-acl
# maildirmake.dovecot /var/mail/public/.aaa
# echo 'anyone lrwstipekxa' >/var/mail/public/.aaa/dovecot-acl
# chown -R mail.mail /var/mail/public


But my attempt to create a mailbox under Public/aaa fails with "Permission 
denied".


# imtest -a yaegashi localhost
S: * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE 
AUTH=PLAIN] Dovecot ready.
C: C01 CAPABILITY
S: * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE 
AUTH=PLAIN
S: C01 OK Pre-login capabilities listed, post-login capabilities have more.
Please enter your password: C: A01 AUTHENTICATE PLAIN ?/
S: * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT 
SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT CHILDREN 
NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT 
SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS ACL RIGHTS=texk
S: A01 OK Logged in
Authenticated.
Security strength factor: 0
. getacl Public
* ACL "Public" "anyone" alr
. OK Getacl completed.
. getacl Public/aaa
* ACL "Public/aaa" "anyone" akxeilprwtscd
. OK Getacl completed.
. create Public/aaa/bbb
. NO [NOPERM] Permission denied


If the layout of /var/mail/public is switched to "fs" where the separator is "/", 
mailbox creation succeeds as expected.


namespace {
  list = children
  location = maildir:/var/mail/public:INDEX=~/Maildir/public:LAYOUT=fs
  prefix = Public/
  separator = /
  subscriptions = no
  type = public
}


# maildirmake.dovecot /var/mail/public/aaa
# echo 'anyone lrwstipekxa' >/var/mail/public/aaa/dovecot-acl
# chown -R mail.mail /var/mail/public
# imtest -a yaegashi localhost

. getacl Public
* ACL "Public" "anyone" alr
. OK Getacl completed.
. getacl Public/aaa
* ACL "Public/aaa" "anyone" akxeilprwtscd
. OK Getacl completed.
. create Public/aaa/bbb
. OK Create completed.
. getacl Public/aaa/bbb
* ACL "Public/aaa/bbb" "anyone" akxeilprwtscd
. OK Getacl completed.
. create Public/aaa/1.2.3
. OK Create completed.
. create Public/aaa/cur
. NO Invalid mailbox name: Public/aaa/cur


Is this behavior expected?  Misconfiguration or dovecot bug?

I prefer the maildir++ layout with listescape as it's reserved-folder-name free 
(eg. cur new tmp).

Regards,
-- 
YAEGASHI Takeshi
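The GETACL exchange in this post shows the rights string "lrwstipekxa" from the dovecot-acl file coming back as "akxeilprwtscd": the server adds the RFC 4314 virtual rights "c" and "d" once the underlying rights are present. The following is an added example, not Dovecot's code, of parsing a dovecot-acl file and applying that expansion. It assumes c = k+x and d = t+e, which is the grouping consistent with the output above (RFC 4314 section 2.1.1 allows two groupings, so treat the mapping as an assumption rather than Dovecot's documented one), and it uses the standard rule that CREATE of a child mailbox needs the "k" right on the parent.

```python
"""RFC 4314 ACL rights as seen in the thread's GETACL output.

Added example, not Dovecot's code.  Virtual rights are modelled as
c = k+x and d = t+e (assumption consistent with the thread's exchange).
"""

STANDARD_RIGHTS = set("lrswipkxtea")          # RFC 4314 section 2.1
VIRTUAL_RIGHTS = {"c": set("kx"), "d": set("te")}  # assumed grouping


def parse_rights(text):
    """Expand a rights string into the set of standard rights it grants."""
    rights = set()
    for ch in text:
        if ch in VIRTUAL_RIGHTS:
            rights |= VIRTUAL_RIGHTS[ch]
        elif ch in STANDARD_RIGHTS:
            rights.add(ch)
        else:
            raise ValueError(f"unknown ACL right {ch!r}")
    return rights


def render_rights(rights):
    """Server-side view: include each virtual right whenever all the
    standard rights behind it are present, as GETACL in the thread does."""
    shown = set(rights)
    for virtual, needed in VIRTUAL_RIGHTS.items():
        if needed <= rights:
            shown.add(virtual)
    return "".join(sorted(shown))


def parse_acl_file(text):
    """dovecot-acl format: one '<identifier> <rights>' per line, '#' comments.
    Identifiers such as 'anyone', 'owner', 'user=foo', 'group=bar'."""
    acl = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        identifier, rights = line.split(None, 1)
        acl[identifier] = parse_rights(rights.replace(" ", ""))
    return acl


def can_create_child(acl, identifier="anyone"):
    """CREATE of a child mailbox requires 'k' on the parent mailbox."""
    return "k" in acl.get(identifier, set())


if __name__ == "__main__":
    # Constructed from the two dovecot-acl files in the thread.
    public_acl = parse_acl_file("anyone lra")
    aaa_acl = parse_acl_file("anyone lrwstipekxa")
    for name, acl in (("Public", public_acl), ("Public/aaa", aaa_acl)):
        print(f'* ACL "{name}" "anyone" {render_rights(acl["anyone"])}'
              f'   create child: {can_create_child(acl)}')
```

Comparing the rendered strings as sets (Dovecot prints them in its own order) reproduces the thread's output, and the "k" check confirms that Public/aaa grants creation to anyone, which is why the NO [NOPERM] under maildir++ is surprising and the fs-layout result is the expected one.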