[Dovecot] Default permissions on newly created maildir

2011-09-19 Thread Alex

Hi Guys,

I am setting up SQL auth for mail. Auth works fine, I notice that if no 
maildir exists for the authenticated user, it is created automatically 
(depending on the homedir specified in the sql table entry). The problem 
is that it creates the dir with "700" permissions which is causing grief 
for my MTA when it comes time for it to try and drop mail there. If I 
chmod the dir to 770 things work fine. How do I change the default 
permissions that dovecot uses whenever it creates a new mail account?




Re: [Dovecot] Why can NOT login as root

2011-09-19 Thread Alex

On Tue, 20 Sep 2011 13:49:23 +1000, Alex wrote:
> On Tue, 20 Sep 2011 02:50:32 +0300, Timo Sirainen wrote:
>> On 20.9.2011, at 2.22, Linda Walsh wrote:
>>
>>> I can log in via SSH, so why not allow it with secure IMAP?  I suppose
>>> really, if someone wants to run as root with no password dovecot should be
>>> **configurable** to allow  this -- as we can't always understand the needs
>>> of end users.
>>
>> Because there's no good reason to read mails as root. If you can give
>> me a good reason I might reconsider, but I highly doubt that's going
>> to happen.
>>
>> Anyway it's mainly about making sure that in the case of some
>> internal security hole (or misconfiguration) in Dovecot at least that
>> security hole couldn't be leveraged to gain root privileges that would
>> allow reading everyone's mails.
>>
>>> Example.  You have a system on which  root uid=0 means nothing (assigns no
>>> privs -- all assigned via privilege/capability bits).
>>>
>>> This means dovecot is hardcoded to lock out a user that may have no
>>> privileges, but has no prob permitting access to those with full
>>> Capability/priv sets.
>>
>> Rare, and in such cases irrelevant.




Re: [Dovecot] Why can NOT login as root

2011-09-19 Thread Alex

On Tue, 20 Sep 2011 02:50:32 +0300, Timo Sirainen wrote:
> On 20.9.2011, at 2.22, Linda Walsh wrote:
>
>> I can log in via SSH, so why not allow it with secure IMAP?  I suppose
>> really, if someone wants to run as root with no password dovecot should be
>> **configurable** to allow  this -- as we can't always understand the needs
>> of end users.
>
> Because there's no good reason to read mails as root. If you can give
> me a good reason I might reconsider, but I highly doubt that's going
> to happen.
>
> Anyway it's mainly about making sure that in the case of some
> internal security hole (or misconfiguration) in Dovecot at least that
> security hole couldn't be leveraged to gain root privileges that would
> allow reading everyone's mails.
>
>> Example.  You have a system on which  root uid=0 means nothing (assigns no
>> privs -- all assigned via privilege/capability bits).
>>
>> This means dovecot is hardcoded to lock out a user that may have no
>> privileges, but has no prob permitting access to those with full
>> Capability/priv sets.
>
> Rare, and in such cases irrelevant.




Re: [Dovecot] outlook 2007 very slow.

2011-09-19 Thread Kui Zhang
On Mon, Sep 19, 2011 at 4:03 PM, Linda Walsh  wrote:
>
>
>
> Kui Zhang wrote:
>>
>> Hello
>>
>> I have a user with 2500+ sub folders. Total mailboxes size is around
>> 6G. (mdbox, dovecot 2:2.0.14)
>>
>> Syncing/Receiving appears to be slow, with outlook 2007. He does not
>> want to switch to an alternative, due to various reasons.
>>
>> Any one else having similar issue?
>> Anything else I should do to narrow down the issue?
>>
>
> 
>   I can't speak for outlook 2007, but back in outlook 2000, as well as
> outlook 2002, it spoke a broken dialect of IMAP that would cause it to
> hang if you enabled it to read multiple mailboxes at one time.
>
> The only safe way I found to use it was to only let it use 1 connection at
> a time, and even then it wasn't impossible to cause it to fail.
>
> Perhaps MS limited outlook to only 1 connection to IMAP servers -- when I
> spoke to the engineer, they said that really had IMAP support at the
> lowest level, as it allowed the use of non-MS servers and mail servers --
> and they only wanted to support Exchange (in order to get sites to buy
> exchange!)...
>

I thought it might have been something anti-competitive...

We decided to give outlook 2k10 a try. Everything appears to work so
far. It seems to be using only 1 connection... 2k7 was using 5
connections, with multiple connections in idle state (adding inotify
watches).

>   The issue was reported broken in 2000, and they had not fixed it by
> 2002 (office XP), so I moved to thunderbird...
>

thunderbird does not really work for us, due to amount of emails per
mailbox. It was hogging all the memory + cpu.

Trying out claw-mail. It is working really well.


>   I missed a few-several features, but I didn't miss the slowness and
> unreliability in everyday reading of email.
>
>   Another problem -- AFAIK, outlook is only 32bit.  My mom gets
> harassed, constantly to move things out of her primary .pst file and into
> 'archives', (where she can't easily access them and they don't have to be
> indexed...) because, the internal format became more strained as it got
> larger.   With 6G of folders, indexing those, your user might be hitting
> outlook memory problems (not running out, but 'thrashing')...
>
>   If possible, he might try unsubbing to older boxes on his main
> account, and setup an alternate account to 'go into the archives'...that
> way syncing only with currently active folders should go much faster)...
>
> Send him my condolences...
>
>
> -l
>
>
>
>
>>
>> Thanks
>> KuiZ
>>
>


Re: [Dovecot] Why can NOT login as root

2011-09-19 Thread Pascal Volk
On 09/20/2011 01:22 AM Linda Walsh wrote:
> I guess the source needs a patch.
> 
> Why would dovecot choose to play nursemaid to people who want to read
> root email remotely via IMAPS?
> …

So, why do you not simply create and apply the patch? Dovecot is OSS.
You are free to modify it in order to satisfy your special requirements.

EOD
Pascal
-- 
The trapper recommends today: f007ba11.1126...@localdomain.org


Re: [Dovecot] Why can NOT login as root

2011-09-19 Thread Timo Sirainen
On 20.9.2011, at 2.22, Linda Walsh wrote:

> I can log in via SSH, so why not allow it with secure IMAP?  I suppose
> really, if someone wants to run as root with no password dovecot should be
> **configurable** to allow  this -- as we can't always understand the needs
> of end users.

Because there's no good reason to read mails as root. If you can give me a good 
reason I might reconsider, but I highly doubt that's going to happen.

Anyway it's mainly about making sure that in the case of some internal security 
hole (or misconfiguration) in Dovecot at least that security hole couldn't be 
leveraged to gain root privileges that would allow reading everyone's mails.

> Example.  You have a system on which  root uid=0 means nothing (assigns no
> privs -- all assigned via privilege/capability bits).
> 
> This means dovecot is hardcoded to lock out a user that may have no
> privileges, but has no prob permitting access to those with full
> Capability/priv sets.

Rare, and in such cases irrelevant.
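
The UID gate discussed in this thread (root refused unconditionally, other accounts limited by first_valid_uid), as an added example that is not part of any post and is not Dovecot's code. The default limits of 500 and 0 and the sample passwd lines are assumptions constructed for illustration; it audits a passwd-format userdb for accounts that such a gate would refuse.

```python
"""Audit passwd-format userdb lines against Dovecot-style UID limits."""
from dataclasses import dataclass

# Assumed defaults for illustration; read the real values from `doveconf -n`.
FIRST_VALID_UID = 500
LAST_VALID_UID = 0  # 0 means "no upper limit"


@dataclass
class Finding:
    user: str
    uid: int
    reason: str


def check_uid(uid, first_valid=FIRST_VALID_UID, last_valid=LAST_VALID_UID):
    """Return None if the UID may log in, otherwise the reason it is refused."""
    # uid 0 is checked first and no setting overrides it, which is the
    # "hard-coded" behaviour the thread describes.
    if uid == 0:
        return "root (uid 0) is never allowed to log in"
    if uid < first_valid:
        return f"uid {uid} is below first_valid_uid={first_valid}"
    if last_valid != 0 and uid > last_valid:
        return f"uid {uid} is above last_valid_uid={last_valid}"
    return None


def audit_passwd(text, **limits):
    """Return a Finding for every entry that would be refused or is malformed."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4 or not fields[2].isdigit():
            findings.append(Finding(fields[0], -1, f"line {lineno}: malformed uid field"))
            continue
        reason = check_uid(int(fields[2]), **limits)
        if reason:
            findings.append(Finding(fields[0], int(fields[2]), reason))
    return findings


# Constructed sample input, not taken from any real system.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/bash
vmail:x:5000:5000::/var/vmail:/sbin/nologin
broken:x:abc:100::/home/broken:/bin/sh
"""

if __name__ == "__main__":
    for f in audit_passwd(SAMPLE_PASSWD):
        print(f"{f.user}: {f.reason}")
```

Lowering `first_valid` to 0 in this model admits the system accounts but still refuses root, so mail for root has to be redirected to another user to be read over IMAP.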



Re: [Dovecot] Why can NOT login as root

2011-09-19 Thread Linda Walsh




John Allen wrote:

> As far as I recall, IMAP servers generally don't allow access to root.
>
> According to the Dovecot wiki, this is hard-coded in the binary:
> http://wiki.dovecot.org/MainConfig see under "first_valid_uid"
>
> If the root user is receiving emails, these need to be redirected to
> another user so they can be read via IMAP.

---
   I guess the source needs a patch.

   Why would dovecot choose to play nursemaid to people who want to read
   root email remotely via IMAPS?

I can log in via SSH, so why not allow it with secure IMAP?  I suppose
really, if someone wants to run as root with no password dovecot should be
**configurable** to allow  this -- as we can't always understand the needs
of end users.

Example.  You have a system on which  root uid=0 means nothing (assigns no
privs -- all assigned via privilege/capability bits).

This means dovecot is hardcoded to lock out a user that may have no
privileges, but has no prob permitting access to those with full
Capability/priv sets.

That is NOT remotely a secure design -- Not that it "allows login to those
w/caps", but that it bogusly tries to invalidate site-security policies
that it doesn't like


Samba has done this and actually disparages people who don't use
conventional security policies 'insecure', when those same people can
point out a multitude of ways samba can be easily --  in the ways that the
samba team, _recommend_, that samba can be accidentally or surreptitiously
configured insecurely.   When it is asked why alternate security policies are
insecure -- they change the subject and agree grudgingly to re-allow
'banned' commands under  options like "allow insecure "...


Trying to 'play nursemaid' to users is a bad security policy -- since as
soon as you (like samba team leader said, "we had to make it impossible to
configure samba insecurely"), you are asking for trouble;  cuz then users
think they don't have to worry about how they config things, it will
always be secure...and we know  that is very untrue!






Re: [Dovecot] outlook 2007 very slow.

2011-09-19 Thread Linda Walsh




Kui Zhang wrote:
> Hello
>
> I have a user with 2500+ sub folders. Total mailboxes size is around
> 6G. (mdbox, dovecot 2:2.0.14)
>
> Syncing/Receiving appears to be slow, with outlook 2007. He does not
> want to switch to an alternative, due to various reasons.
>
> Any one else having similar issue?
> Anything else I should do to narrow down the issue?
  


   I can't speak for outlook 2007, but back in outlook 2000, as well as
outlook 2002, it spoke a broken dialect of IMAP that would cause it to
hang if you enabled it to read multiple mailboxes at one time.

The only safe way I found to use it was to only let it use 1 connection at
a time, and even then it wasn't impossible to cause it to fail.

Perhaps MS limited outlook to only 1 connection to IMAP servers -- when I
spoke to the engineer, they said that really had IMAP support at the
lowest level, as it allowed the use of non-MS servers and mail servers --
and they only wanted to support Exchange (in order to get sites to buy
exchange!)...

   The issue was reported broken in 2000, and they had not fixed it by
2002 (office XP), so I moved to thunderbird...

   I missed a few-several features, but I didn't miss the slowness and
unreliability in everyday reading of email.

   Another problem -- AFAIK, outlook is only 32bit.  My mom gets
harassed, constantly to move things out of her primary .pst file and into
'archives', (where she can't easily access them and they don't have to be
indexed...) because, the internal format became more strained as it got
larger.   With 6G of folders, indexing those, your user might be hitting
outlook memory problems (not running out, but 'thrashing')...

   If possible, he might try unsubbing to older boxes on his main
account, and setup an alternate account to 'go into the archives'...that
way syncing only with currently active folders should go much faster)...

Send him my condolences...


-l






> Thanks
> KuiZ
  


Re: [Dovecot] mail_max_userip_connections=10

2011-09-19 Thread Timo Sirainen
On 19.9.2011, at 20.43, Asai wrote:

> If you figure it out, please post the solution, because we're running into a 
> similar issue right now with K9 mail where it's causing us to get this 
> error: imap-login: Disconnected: Connection queue full

That's a different problem. You need to increase number of login processes / 
connections. http://wiki2.dovecot.org/LoginProcess



Re: [Dovecot] mail_max_userip_connections=10

2011-09-19 Thread Asai

On 9/19/2011 5:36 AM, Tom Clark wrote:

> Hi Paul,
>
> It's coming from the same IP address through his ADSL. Hence he gets the
> problem with max_userip_connections.
>
> I think I tracked down the problem. He's been using K9 mail which seems to
> have a problem where it doesn't release a connection and has 1 connection
> per subscribed folder
>
> Ta,
>
> Tom

If you figure it out, please post the solution, because we're running
into a similar issue right now with K9 mail where it's causing us to get
this error: imap-login: Disconnected: Connection queue full


[Dovecot] dsync with quotas

2011-09-19 Thread Micah Anderson

I have been working on converting people from courier maildir -> dovecot
mdbox and during some of the dsync runs I'm seeing the
quota_exceeded_message be printed as an Error:

dsync(): Error: Can't save message to mailbox INBOX: You are over quota. 
To avoid losing mail, immediately empty your Trash and Sent folders and \
delete emails with large attachments. 
dsync(): Info: INBOX: Couldn't keep all uids^M

It's possible the user was over quota on the originating courier side,
but I would still like to migrate their mail properly to mdbox, but it
seems like being over quota is inhibiting that. Are the quota
calculations including both the maildir files as well as the converted
mdbox files, resulting in a double counting? 

I'm not entirely sure if the messages above indicate that the migration
failed for that user or not, so I've been manually increasing their
quota, then redoing the dsync mirror until it works properly.

I wonder if it would be better if I turned off quota entirely during
migration so I don't run into this problem?

thanks,
micah



[Dovecot] ODBC support

2011-09-19 Thread list
I was wondering if ODBC support was on the road map for Dovecot, or if it
has ever been discussed?

Thanks.



Re: [Dovecot] 2.1: problems compiling fts-lucene - CLucene git version necessary?

2011-09-19 Thread Timo Sirainen
On Sun, 2011-09-18 at 13:27 +0200, Lutz Preßler wrote:
> Hello,
> On So, 11 Sep 2011, Timo Sirainen wrote:
> > On 11.9.2011, at 22.22, Lutz Preßler wrote:
> > > I have problems recompiling the Debian squeeze auto build packages
> > > with "--with-lecene". Is the git (2.3) version of CLucene necessary?
> > Yes.
> Ok, I now tried to test with clucene-core-2.3.3.4. Quite unsuccessfully...
> I built libclucene-core-static.a and libclucene-shared-static.a after
> changing the cmake option (BUILD_STATIC_LIBRARIES). But despite enabling
> BUILD_CONTRIBS, BUILD_CONTRIBS_LIB no snowball/libstemmer has been built.

You need to install libstemmer separately. I think I used
http://snowball.tartarus.org/dist/libstemmer_c.tgz

> dovecot: imap(...): Error: fts_lucene: default_language set, but Dovecot 
> built without stemmer support

Fixed: http://hg.dovecot.org/dovecot-2.1/rev/02c84406c661




Re: [Dovecot] mail_max_userip_connections=10

2011-09-19 Thread Tom Clark
Hi Paul,

It's coming from the same IP address through his ADSL. Hence he gets the
problem with max_userip_connections.

I think I tracked down the problem. He's been using K9 mail which seems to
have a problem where it doesn't release a connection and has 1 connection
per subscribed folder

Ta,

Tom

-Original Message-
From: Paul Griffith [mailto:pa...@cse.yorku.ca] 
Sent: 19 September 2011 1:30 PM
To: Tom Clark
Cc: dovecot@dovecot.org
Subject: Re: [Dovecot] mail_max_userip_connections=10

On 09/19/11 04:27, Tom Clark wrote:
> Hi,
> 
> 
> 
> A couple of questions rather than a problem for once!
> 
> 
> 
> We've got our Dovecot server running smoothly now apart from our MD.
> He's having problems with mail_max_userip_connections. He has 3
> (Phone/Laptop/Tablet) items that all connect to the server at about
> the same time. Which means he's frequently running over the
> max_userip_connections.
> 
> 
> 
> My questions are:
> 
> 
> 
> Is there any way of whitelisting an IP so that it can ignore
> mail_max_userip_connections=10?
>
>
>
> What should we set mail_max_userip_connections to realistically? 10
> seems a bit low?
> 

Hi Tom,

   The setting mail_max_userip_connections is per IP.

from 20-imap.conf (version 2.0.13, the version we are running)

# Maximum number of IMAP connections allowed for a user from each IP address.
# NOTE: The username is compared case-sensitively.
#mail_max_userip_connections = 10

I am going to assume he has a different IP for each device, in this case
that would allow up to 30 connections.

You need to  post your 'doveconf -n' output!

Cheers,
Paul



Re: [Dovecot] mail_max_userip_connections=10

2011-09-19 Thread Paul Griffith
On 09/19/11 04:27, Tom Clark wrote:
> Hi,
> 
> 
> 
> A couple of questions rather than a problem for once!
> 
> 
> 
> We've got our Dovecot server running smoothly now apart from our MD. He's
> having problems with mail_max_userip_connections. He has 3
> (Phone/Laptop/Tablet) items that all connect to the server at about the same
> time. Which means he's frequently running over the max_userip_connections.
> 
> 
> 
> My questions are:
> 
> 
> 
> Is there any way of whitelisting an IP so that it can ignore
> mail_max_userip_connections=10?
>
>
>
> What should we set mail_max_userip_connections to realistically? 10 seems a
> bit low?
> 

Hi Tom,

   The setting mail_max_userip_connections is per IP.

from 20-imap.conf (version 2.0.13, the version we are running)

# Maximum number of IMAP connections allowed for a user from each IP address.
# NOTE: The username is compared case-sensitively.
#mail_max_userip_connections = 10

I am going to assume he has a different IP for each device, in this case that 
would allow up to 30 connections.

You need to  post your 'doveconf -n' output!

Cheers,
Paul


Re: [Dovecot] Deleted mailboxes with lazy_expunge

2011-09-19 Thread Angel L. Mateo

On 16/09/11 14:01, Timo Sirainen wrote:
> On Fri, 2011-09-16 at 13:24 +0200, Angel L. Mateo wrote:
>>
>> Sep 16 13:21:00 myotis30 dovecot: imap(angel.luis): Debug: Can't rename
>> 'kk' to '.DELETED/kk-20110916-132100': index dirs don't match
>>
>> I have tried to remove the same folder without INDEX in mail_location.
>> Without this option it works.
>
> Alternatively you could add INDEX path to lazy_expunge namespaces and it
> would work. The important thing is that both source and destination
> either have or don't have INDEX path specified, but it can't be mixed.
> (Looks like I messed up those new debug messages - clarified them in hg
> now.)

OK. I have configured all namespaces with the same INDEX path and the
problem is solved.


Thank you, Timo.

--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información
y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 868887590
Fax: 86337


[Dovecot] mail_max_userip_connections=10

2011-09-19 Thread Tom Clark
Hi,

 

A couple of questions rather than a problem for once!

 

We've got our Dovecot server running smoothly now apart from our MD. He's
having problems with mail_max_userip_connections. He has 3
(Phone/Laptop/Tablet) items that all connect to the server at about the same
time. Which means he's frequently running over the max_userip_connections.

 

My questions are: 

 

Is there any way of whitelisting an IP so that it can ignore
mail_max_userip_connections=10?

 

What should we set mail_max_userip_connections to realistically? 10 seems a
bit low?

 

Thanks 

 

Tom