Re: [Dovecot] How to define ldap connection idle

2011-11-07 Thread Aliet Santiesteban Sifontes
We will try this as the next step to find a workaround. The problem with client
idletimeout=5 mins in the openldap server is that it is a global server definition
and has the net effect of changing replication refreshAndPersist into type
refreshOnly, which is not a welcome side effect; we will look at other options.
Still, the better candidate is ldap_idle_disconnect on the dovecot side, or any
other kind of logic able to detect this kind of problem.
best regards

2011/11/7 Timo Sirainen 

> If you set the openldap server to close idle clients sooner than the
> connection itself is dropped by the firewall (or whatever), then Dovecot
> sees the disconnection and won't hang. So you could try something like
> clientidletimeout=5 mins
>
> On Mon, 2011-11-07 at 18:02 -0500, Aliet Santiesteban Sifontes wrote:
> > We checked with the firewall admins and they can not change the drop
> > action; this model doesn't support reject, only drop. But for testing
> > they disabled the ldap protocol idle timeout, which was set to 30 mins,
> > to never, so the firewall never drops ldap idle connections. We also
> > verified the clientidletimeout option in Openldap but it is set to 0, which
> > means never close an idle connection. After testing again we see the
> > connection hanging again after user inactivity; we will keep looking
> > for other issues and maybe do some packet captures to see what is
> > really happening.
> > best regards, btw it would be great to have this ldap_idle_disconnect = 30s
> >
> > 2011/11/4 Timo Sirainen 
> >
> > On Thu, 2011-11-03 at 11:52 -0400, Aliet Santiesteban Sifontes wrote:
> > > I'm having a problem with the dovecot ldap connection when the ldap
> > > server is in another firewall zone: the firewall kills the ldap
> > > connection after a determined period of inactivity. This is good from
> > > the firewall point of view but bad for dovecot, because it never knows
> > > the connection has been dropped; this creates long timeouts in dovecot
> > > until it finally reconnects, and meanwhile many users fail to
> > > authenticate. I have seen this kind of post in the list for a while but
> > > can't find a solution for it, so my question is how to define an idle
> > > ldap time in dovecot so it can reconnect before the firewall has dropped
> > > the connection, or just close the connection under inactivity, so that
> > > when a user authenticates it doesn't fail for a while until dovecot
> > > detects that the connection has hung. Is this a feature request or is
> > > there already a configuration for this???
> >
> >
> > Can't the firewall be changed to reject the LDAP packets instead of
> > dropping them? Then Dovecot would immediately notice that the connection
> > has died, and with a recent enough version it wouldn't even log an error
> > about it.
> >
> > I guess some kind of an "ldap_idle_disconnect = 30s" setting could be
> > added, but it's not a very high priority for me.
> >


Re: [Dovecot] How to define ldap connection idle

2011-11-07 Thread Timo Sirainen
If you set the openldap server to close idle clients sooner than the
connection itself is dropped by the firewall (or whatever), then Dovecot
sees the disconnection and won't hang. So you could try something like
clientidletimeout=5 mins

On Mon, 2011-11-07 at 18:02 -0500, Aliet Santiesteban Sifontes wrote:
> We checked with the firewall admins and they can not change the drop
> action; this model doesn't support reject, only drop. But for testing
> they disabled the ldap protocol idle timeout, which was set to 30 mins,
> to never, so the firewall never drops ldap idle connections. We also
> verified the clientidletimeout option in Openldap but it is set to 0, which
> means never close an idle connection. After testing again we see the
> connection hanging again after user inactivity; we will keep looking
> for other issues and maybe do some packet captures to see what is
> really happening.
> best regards, btw it would be great to have this ldap_idle_disconnect = 30s
> 
> 2011/11/4 Timo Sirainen 
> 
> On Thu, 2011-11-03 at 11:52 -0400, Aliet Santiesteban Sifontes wrote:
> > I'm having a problem with the dovecot ldap connection when the ldap
> > server is in another firewall zone: the firewall kills the ldap
> > connection after a determined period of inactivity. This is good from
> > the firewall point of view but bad for dovecot, because it never knows
> > the connection has been dropped; this creates long timeouts in dovecot
> > until it finally reconnects, and meanwhile many users fail to
> > authenticate. I have seen this kind of post in the list for a while but
> > can't find a solution for it, so my question is how to define an idle
> > ldap time in dovecot so it can reconnect before the firewall has dropped
> > the connection, or just close the connection under inactivity, so that
> > when a user authenticates it doesn't fail for a while until dovecot
> > detects that the connection has hung. Is this a feature request or is
> > there already a configuration for this???
> 
> 
> Can't the firewall be changed to reject the LDAP packets instead of
> dropping them? Then Dovecot would immediately notice that the connection
> has died, and with a recent enough version it wouldn't even log an error
> about it.
> 
> I guess some kind of an "ldap_idle_disconnect = 30s" setting could be
> added, but it's not a very high priority for me.




Re: [Dovecot] How to define ldap connection idle

2011-11-07 Thread Aliet Santiesteban Sifontes
We checked with the firewall admins and they can not change the drop
action; this model doesn't support reject, only drop. But for testing they
disabled the ldap protocol idle timeout, which was set to 30 mins, to never, so
the firewall never drops ldap idle connections. We also verified the
clientidletimeout option in Openldap but it is set to 0, which means never close
an idle connection. After testing again we see the connection hanging again
after user inactivity; we will keep looking for other issues and maybe do
some packet captures to see what is really happening.
best regards, btw it would be great to have this ldap_idle_disconnect = 30s

2011/11/4 Timo Sirainen 

> On Thu, 2011-11-03 at 11:52 -0400, Aliet Santiesteban Sifontes wrote:
> > I'm having a problem with the dovecot ldap connection when the ldap server is in
> > another firewall zone: the firewall kills the ldap connection after a
> > determined period of inactivity. This is good from the firewall point of
> > view but bad for dovecot, because it never knows the connection has been
> > dropped; this creates long timeouts in dovecot until it finally reconnects,
> > and meanwhile many users fail to authenticate. I have seen this kind of post
> > in the list for a while but can't find a solution for it, so my question is
> > how to define an idle ldap time in dovecot so it can reconnect before the
> > firewall has dropped the connection, or just close the connection under
> > inactivity, so that when a user authenticates it doesn't fail for a while until
> > dovecot detects that the connection has hung. Is this a feature request
> > or is there already a configuration for this???
>
> Can't the firewall be changed to reject the LDAP packets instead of
> dropping them? Then Dovecot would immediately notice that the connection
> has died, and with a recent enough version it wouldn't even log an error
> about it.
>
> I guess some kind of an "ldap_idle_disconnect = 30s" setting could be
> added, but it's not a very high priority for me.

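The drop-versus-close distinction Timo describes, and the client-side ldap_idle_disconnect logic Aliet asks for, as an added Python example that is not part of this thread or of Dovecot's own code: a socketpair stands in for the LDAP server behind the firewall (constructed, not a real LDAP exchange), and make_peer, IdleAwareClient and its idle_limit and clock parameters are assumed names.

```python
import socket
import threading
import time

def make_peer(mode):
    """Constructed stand-in for the LDAP server behind the firewall: "echo"
    answers each request; "close" closes at once (a reject, or the server's own
    idle timeout); "blackhole" swallows requests and never replies or closes."""
    client_end, server_end = socket.socketpair()

    def run():
        while (data := server_end.recv(4096)) and mode != "close":
            if mode == "echo":
                server_end.sendall(data)
        server_end.close()                   # FIN: what a clean close sends

    threading.Thread(target=run, daemon=True).start()
    return client_end

class IdleAwareClient:
    """Client-side form of the ldap_idle_disconnect idea from the thread: a
    connection idle longer than idle_limit seconds is closed and rebuilt before
    the next request, instead of trusting a socket the firewall may have forgotten."""

    def __init__(self, connect, idle_limit, clock=time.monotonic):
        self._connect, self._idle_limit, self._clock = connect, idle_limit, clock
        self._sock, self._last_used, self.reconnects = None, 0.0, 0

    def _drop(self):
        if self._sock is not None:
            self._sock.close()
            self._sock = None

    def _ensure_connected(self):
        now = self._clock()
        if self._sock is not None and now - self._last_used > self._idle_limit:
            self._drop()                     # stale: rebuild proactively
        if self._sock is None:
            self._sock = self._connect()
            self.reconnects += 1
        self._last_used = now
        return self._sock

    def request(self, payload, timeout):
        """Reply bytes; None if the peer went silent (only the timeout reveals
        a drop); ConnectionError on a clean close, which is noticed at once."""
        sock = self._ensure_connected()
        sock.settimeout(timeout)
        sock.sendall(payload)
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            self._drop()
            return None
        if reply == b"":
            self._drop()
            raise ConnectionError("peer closed the connection")
        self._last_used = self._clock()
        return reply
```

With a "blackhole" peer the only signal is the request timeout, which is the hang the thread is about; with a "close" peer the failure is seen on the first read, and the idle limit keeps a long-idle socket from ever being trusted in the first place.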

Re: [Dovecot] POP3/IMAPv4 CRAM-MD5 Authentication failed.(Re-post)

2011-11-07 Thread Pascal Volk
On 11/07/2011 04:12 PM Yuuichi Ikeda (SKLC) wrote:
> Hi, I'm Yuuichi Ikeda from Japan User.
> 
> 
> Dovecot Configuration
>> …
>> ssl_ca =
>> ssl_cert =
>> ssl_key =
>> ssl_verify_client_cert = yes
> …
> If I authenticate by connecting via POP3 or IMAPv4, the following messages are
> displayed and authentication goes wrong.
> 
>> Nov 07 23:12:40 auth: Info: CRAM-MD5(?,192.168.1.110): Client didn't present 
>> valid SSL certificate
>> Nov 07 23:12:40 auth: Debug: client out: FAIL   1   reason=Client didn't 
>> present valid SSL certificate
>> Nov 07 23:12:40 pop3-login: Info: Aborted login (cert required, client 
>> didn't start TLS): method=CRAM-MD5, rip=192.168.1.110, lip=192.168.1.1, 
>> secured
> 
>> Nov 07 23:16:32 auth: Info: CRAM-MD5(?,192.168.1.1): Client didn't present 
>> valid SSL certificate
>> Nov 07 23:16:32 auth: Debug: client out: FAIL   1   reason=Client didn't 
>> present valid SSL certificate
>> Nov 07 23:16:32 imap-login: Info: Aborted login (cert required, client 
>> didn't start TLS): method=CRAM-MD5, rip=192.168.1.1, lip=192.168.1.1, secured
> 
> What should I do, and why does it become like this? If someone knows ways of
> coping with it, please let me know.

Are you sure you want to verify the client's certificate
(ssl_verify_client_cert = yes)? If not, just remove this line and try again.


Regards,
Pascal
-- 
The trapper recommends today: cafebabe.1131...@localdomain.org


Re: [Dovecot] Accessing a strange mailbox

2011-11-07 Thread micah anderson

Hi, thanks for the reply!

On Fri, 04 Nov 2011 21:34:03 +0200, Timo Sirainen  wrote:
> On Fri, 2011-10-21 at 10:50 -0400, Micah Anderson wrote:
> > I have a user who has a mailbox called:
> > 
> > A->B
> > 
> > It seemed to work in courier fine, they managed to create it, and there
> > are mails in it. However, dovecot is not letting the user access it, the
> > IMAP server gives an error. I tried to rename it but I would also get an
> > error:
> > 
> > # doveadm mailbox rename 'A->B' AtoB
> > doveadm(root): Error: Can't rename mailbox A->B to AtoB: Mailbox 
> > doesn't exist: A->B
> 
> Maybe it's not named that? What does it look like in filesystem? Worked
> fine with me:

I moved the user from courier maildir to mdbox, and I've still got the
maildir folders around, the filesystem shows it as:

drwx--   6 mail mail  4096 Oct 20 07:56 .A->B

I just realized my mistake, my 'doveadm mailbox rename' command wasn't
limited to the particular user (I was not passing -u ) so it
was looking in the wrong namespace for that user.

Once I specified the user, it worked properly.

Micah




[Dovecot] POP3/IMAPv4 CRAM-MD5 Authentication failed.(Re-post)

2011-11-07 Thread Yuuichi Ikeda (SKLC)
Hi, I'm Yuuichi Ikeda from Japan User.

OS:Solaris 10 9/10 s10x_u9wos_14a X86
Mem:8GB
HDD:3TB
gcc:gcc (GCC) 4.1.2
gcc-prefix:/unsupported/gcc
Dovecot Version:2.0.15
configure:./configure --prefix=/opt/dovecot_2
--sysconfdir=/opt/dovecot_2/conf --mandir=/opt/man --enable-shared
--with-mysql --with-zlib --with-sqlite --with-sql=plugin
--with-ssldir=/opt/openssl --with-rundir=/var/run
--with-libiconv-prefix=/opt/libiconv

Dovecot Configuration
> # 2.0.15: /opt/dovecot_2/conf/dovecot/dovecot.conf
> # OS: SunOS 5.10 i86pc
> auth_debug = yes
> auth_mechanisms = cram-md5
> auth_ssl_require_client_cert = yes
> auth_ssl_username_from_cert = yes
> auth_verbose = yes
> base_dir = /var/run/dovecot/
> doveadm_worker_count = 10
> log_path = /var/log/dovecot/dovecot.log
> login_greeting = ready.
> login_trusted_networks = 192.168.1.0/24
> mail_location = maildir:~/Maildir
> passdb {
>   driver = pam
> }
> passdb {
>   args = /opt/dovecot_2/conf/dovecot/passwd
>   driver = passwd-file
> }
> plugin {
>   acl = vfile:/opt/dovecot_2/conf/dovecot/global-acls:cache_secs=300
>   acl_shared_dict = file:/var/lib/dovecot/shared-mailboxes
> }
> protocols = imap pop3
> service auth {
>   executable = /opt/dovecot_2/libexec/dovecot/auth
>   unix_listener /var/spool/postfix/private/auth {
> mode = 0666
>   }
> }
> service imap-login {
>   executable = /opt/dovecot_2/libexec/dovecot/rawlog 
> /opt/dovecot_2/libexec/dovecot/imap-login
>   inet_listener imap {
> port = 143
> ssl = no
>   }
>   inet_listener imaps {
> port = 993
> ssl = yes
>   }
> }
> service imap {
>   executable = /opt/dovecot_2/libexec/dovecot/rawlog 
> /opt/dovecot_2/libexec/dovecot/imap
> }
> service lmtp {
>   unix_listener lmtp {
> mode = 0666
>   }
> }
> service pop3-login {
>   executable = /opt/dovecot_2/libexec/dovecot/rawlog 
> /opt/dovecot_2/libexec/dovecot/pop3-login
>   inet_listener pop3 {
> port = 110
> ssl = no
>   }
>   inet_listener pop3s {
> port = 995
> ssl = yes
>   }
> }
> service pop3 {
>   executable = /opt/dovecot_2/libexec/dovecot/rawlog 
> /opt/dovecot_2/libexec/dovecot/pop3
> }
> ssl_ca =
> ssl_cert =
> ssl_key =
> ssl_verify_client_cert = yes
> userdb {
>   args = blocking=yes
>   driver = passwd
> }
> protocol imap {
>   imap_logout_format = bytes=%i/%o
>   imap_max_line_length = 64 k
>   mail_max_userip_connections = 10
>   mail_plugins =
> }
> protocol lda {
>   hostname = mailsv.sklc.co.jp
>   info_log_path = /var/log/dovecot/deliver.log
>   log_path = /var/log/dovecot/deliver.log
>   mail_plugins =
>   postmaster_address = postmas...@sklc.co.jp
>   sendmail_path = /usr/lib/sendmail
> }
> protocol lmtp {
>   mail_plugins =
> }
> protocol pop3 {
>   mail_plugins =
>   pop3_save_uidl = yes
>   pop3_uidl_format = %v-%u
> }

If I authenticate by connecting via POP3 or IMAPv4, the following messages are
displayed and authentication goes wrong.

> Nov 07 23:12:40 auth: Debug: auth client connected (pid=20018)
> Nov 07 23:12:40 auth: Debug: client in: AUTH1   CRAM-MD5
> service=pop3secured no-penalty  lip=192.168.1.1 rip=192.168.1.110 
>   lport=110   rport=57054
> Nov 07 23:12:40 auth: Info: CRAM-MD5(?,192.168.1.110): Client didn't present 
> valid SSL certificate
> Nov 07 23:12:40 auth: Debug: client out: FAIL   1   reason=Client didn't 
> present valid SSL certificate
> Nov 07 23:12:40 pop3-login: Info: Aborted login (cert required, client didn't 
> start TLS): method=CRAM-MD5, rip=192.168.1.110, lip=192.168.1.1, secured

> Nov 07 23:16:32 auth: Debug: auth client connected (pid=20126)
> Nov 07 23:16:32 auth: Debug: client in: AUTH1   CRAM-MD5
> service=imapsecured no-penalty  lip=192.168.1.1 rip=192.168.1.1 
> lport=143   rport=58734
> Nov 07 23:16:32 auth: Info: CRAM-MD5(?,192.168.1.1): Client didn't present 
> valid SSL certificate
> Nov 07 23:16:32 auth: Debug: client out: FAIL   1   reason=Client didn't 
> present valid SSL certificate
> Nov 07 23:16:32 imap-login: Info: Aborted login (cert required, client didn't 
> start TLS): method=CRAM-MD5, rip=192.168.1.1, lip=192.168.1.1, secured

What should I do, and why does it become like this? If someone knows ways of
coping with it, please let me know.

=
  Information-system part.
  Sankei-Koumuten Co.,Ltd.
  Yuuichi Ikeda
  Mail:yui...@sklc.co.jp
  Tel.+81-3-3623-6474  Fax.+81-3-3623-6475
  Our company promotes "Team minus 6 percent"
  jus, Hatena Joined member.
  LPIC-2 Certified.
=
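A check for the configuration above, added here as an example and not part of the thread or of Dovecot: it parses a constructed excerpt of the posted doveconf -n output (parse_conf is an assumed simplification of that format; plaintext_listeners and client_cert_findings are made-up names) and reports why a client on a plaintext listener is aborted with "cert required, client didn't start TLS" while auth_ssl_require_client_cert = yes.

```python
# Constructed excerpt of the posted doveconf -n output; the certificate
# paths were lost on the page, so they are left out here as well.
SAMPLE_CONF = """\
auth_mechanisms = cram-md5
auth_ssl_require_client_cert = yes
service imap-login {
  inet_listener imap {
    port = 143
    ssl = no
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 110
    ssl = no
  }
}
ssl_verify_client_cert = yes
"""

def parse_conf(text):
    """Flatten doveconf -n output into {"service:pop3-login/inet_listener:pop3/ssl": "no"};
    assumed simplification: repeated unnamed blocks (the two passdb {}) would collide."""
    settings, path = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            path.append(line[:-1].strip().replace(" ", ":"))
        elif line == "}":
            path.pop()
        else:
            key, _, value = line.partition("=")
            settings["/".join(path + [key.strip()])] = value.strip()
    return settings

def plaintext_listeners(settings):
    """inet_listeners with ssl = no, i.e. ports reached without TLS up front."""
    return sorted(key[: -len("/ssl")] for key, value in settings.items()
                  if key.endswith("/ssl") and "inet_listener:" in key and value == "no")

def client_cert_findings(settings):
    """Tie 'Aborted login (cert required, client didn't start TLS)' back to the
    settings: what demands the certificate, and where plaintext clients hit it."""
    findings = []
    if settings.get("auth_ssl_require_client_cert") != "yes":
        return findings                  # no client certificate is demanded
    if settings.get("ssl_verify_client_cert") != "yes":
        findings.append("auth_ssl_require_client_cert = yes but ssl_verify_client_cert "
                        "is not yes: the certificate is never requested, so no login can succeed")
    for listener in plaintext_listeners(settings):
        findings.append(f"{listener}: a client that does not start TLS and present a "
                        "certificate is aborted with 'cert required, client didn't start TLS'")
    return findings
```

Removing auth_ssl_require_client_cert (and, as Pascal suggests, ssl_verify_client_cert) empties the findings; keeping them means every client on ports 110 and 143 must STARTTLS with a certificate before CRAM-MD5 is even attempted.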




Re: [Dovecot] Dovecot crashes totally

2011-11-07 Thread Gordon Grubert
On 11/04/2011 08:43 PM, Timo Sirainen wrote:
> On Sat, 2011-10-22 at 21:21 +0200, Gordon Grubert wrote:
>> Hello,
>>
>> our dovecot server crashes totally without any really useful
>> log messages. The error log can be found in the attachment.
>> The only way to get dovecot running again is a complete
>> system restart.
> 
> How often does it break? If really a "complete system restart" is needed
> to fix it, it doesn't sound like a Dovecot problem. Check if it's enough
> to stop dovecot and then make sure there aren't any dovecot processes
> lying around afterwards.
So far the problem has occurred three times, the last time some days
ago. The last "crash" was in the night and, therefore, we used the
chance for a detailed debugging of the system.

You could be right that it's not a dovecot problem. Next to dovecot,
we found other processes hanging that could not be killed by "kill -9".
Additionally, we found something common to all of these processes: they
hung while trying to access the mailbox volume. Therefore, we repaired
the filesystem. Now, we're watching the system ...

>> Oct 11 09:55:23 mailserver2 dovecot: master: Error: service(imap):
>> Initial status notification not received in 30 seconds, killing the
>> process
>> Oct 11 09:56:23 mailserver2 dovecot: imap-login: Error: master(imap):
>> Auth request timed out (received 0/12 bytes)
> 
> Kind of looks like auth process is hanging. You could see if stracing it
> shows anything useful. Also are any errors logged about LDAP? Is LDAP
> running on the same server?
Dovecot authenticates against postfix and postfix has an LDAP
connection. The LDAP is running on an external cluster. Here,
no errors are reported.

We hope that the filesystem error was the reason for the problem
and that the problem is fixed by repairing it.

Best regards,
Gordon





Re: [Dovecot] Port variable in LMTP userdb lookups?

2011-11-07 Thread Mark Zealey

On 04-11-2011 23:56, Timo Sirainen wrote:

> On Thu, 2011-10-20 at 12:38 +0300, Mark Zealey wrote:
>
> > I'm currently changing some systems to use the redirector service, which
> > means that to get local deliveries going I need to get lmtp set up so it
> > can be redirected as well. This is working fine, however we have a
> > number of different ports running on our servers depending on which
> > brand a customer is using. When the time comes to do the user lookup,
> > we use (port, user, domain) to do a unique database lookup which works
> > fine for everything (proxied pop, imap, lmtp & straight pop, imap) but
> > not straight lmtp - perhaps because it doesn't have a 2-stage login
> > process unlike the pop/imap protocols. Looking at the SQL query we are
> > issuing, the %a port variable is set to 0 even though the connection is
> > coming in from TCP. Is there a way to change this? We are running
> > dovecot 2.0.12 however looking through the changelogs I can't see this
> > would be fixed in the newest version.
>
> A quick check in code shows that this is already supposed to work. Set
> auth_debug=yes and see if LMTP's auth lookup sends lip, rip, lport and
> rport fields to auth process?


From my reading of the code in 2.0.15, you pass the local & remote IP
in lmtp/commands.c:427 but the struct mail_storage_service_input only
has remote_ip and local_ip fields, not port fields (unlike the
auth_user_info struct which has both IPs and port entries as well). I
think that the mail_storage_service_input struct needs the uint
local_port, remote_port fields adding in & appropriate code changes to
pass these through?


Mark


[Dovecot] Missing public folder

2011-11-07 Thread komodo
Hi

I am using dovecot 2.0.13 and I can't see the public folder in my mail client.
But what is strange, it was working after installation, and I don't know when
it disappeared. Maybe after some upgrade?

When I enable debug, I can see in my log that the folder exists and there are
no errors. Please, where should I look for the problem?

Thanks

Martin


Here is log

Nov  7 11:00:27 OVZ dovecot: imap(komodo): Debug: Namespace : type=private, prefix=INBOX., sep=., inbox=yes, hidden=no, list=yes, subscriptions=yes location=maildir:~/Maildir
Nov  7 11:00:27 OVZ dovecot: imap(komodo): Debug: maildir++: root=/home/komodo/Maildir, index=, control=, inbox=/home/komodo/Maildir
Nov  7 11:00:27 OVZ dovecot: imap(komodo): Debug: Namespace : type=public, prefix=spam_learner., sep=., inbox=no, hidden=no, list=yes, subscriptions=no location=maildir:/home/shared/Maildir
Nov  7 11:00:27 OVZ dovecot: imap(komodo): Debug: maildir++: root=/home/shared/Maildir, index=, control=, inbox=

Here is my conf

# 2.0.13: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-042stab037.1 x86_64 CentOS release 5.5 (Final) 
default_client_limit = 1300
disable_plaintext_auth = no
hostname = somehost.com
mail_location = maildir:~/Maildir
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date
mbox_write_locks = fcntl
namespace {
  inbox = yes
  location = 
  prefix = INBOX.
  separator = .
  type = private
}
namespace {
  location = maildir:/home/shared/Maildir
  prefix = spam_learner.
  separator = .
  subscriptions = no
  type = public
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
plugin {
  sieve = ~/.dovecot.sieve
  sieve_before = /etc/dovecot/sieve/before.d/
  sieve_dir = ~/sieve
}
protocols = imap pop3 sieve
sendmail_path = /usr/sbin/sendmail.exim
service imap-login {
  process_limit = 1000
  process_min_avail = 30
}
ssl_cert =