[Dovecot] indexes permissions problem

[Mark Hanford]

Hey all, I did a search but didn't find the answer to my problem, so 
here goes.


I've got a centos 6 server running Dovecot 2.0.beta6 (3156315704ef).  
For legacy reasons (I'm moving mail from a Dovecot 1.1.1 and FreeBSD box 
with user home directories NFS mounted), my index files are setup to be 
in /u/indexes/


On the Dovecot 1.1.1 installation, the perms on the indexes directory is 
777 with root:mail ownership.


The same thing on the Dovecot 2 / Centos server results in a 'permission 
denied' error when Dovecot tries to create files.
So, I guess my main question is, what perms and ownership should 
/u/indexes be set to?  I've tried several different things before this 
cry for help...


Thanks.

Mark

Re: [Dovecot] setacl fails - does not find dovecot-acl file

[Michael Stilkerich]

Hi,

On Nov 4, 2011, at 10:39 PM, Timo Sirainen wrote:

 Nov  4 16:29:03 keira dovecot: imap(isa): Error: fcntl(unlock) locking 
 failed for file /home/dovecot/isa/dovecot.index.log: No such file or 
 directory
 Nov  4 16:29:03 keira dovecot: imap(isa): Error: fstat() failed with 
 file /home/dovecot/isa/dovecot.index.log: No such file or directory
 
 These simply shouldn't happen. I'd say it's a kernel bug. You're running
 a default Ubuntu kernel? I wonder if other Ubuntu users have this
 problem.

It may be an apparmor issue. I noticed plenty of apparmor log entries on these 
accesses, though apparmor should only log but not disallow them. I have 
unloaded the dovecot apparmor profiles and not seen any of these errors since 
then.

I got a new issue, however: I migrated from Maildir to mdbox. Since then, my 
shared mailboxes don't fully work anymore.

I have given another user full rights to a shared mailbox (getacl returns 
akxeilprwtscd for that folder/user). The user sees the mailbox an can perform 
some operations including reading and deleting messages on it. If she tries to 
insert a new message, however, it fails and the error log shows:

dovecot: imap(isa): Error: fcntl(write-lock) locking failed for file 
/home/dovecot/michael/storage/dovecot.map.index.log: Bad file descriptor
dovecot: imap(isa): Error: mail_index_wait_lock_fd() failed with file 
/home/dovecot/michael/storage/dovecot.map.index.log: Bad file descriptor

All my mail locations are owned by the respective system user and the mail 
group, and writeable by both. In particular, I checked that both the storage 
directory as well as the dovecot.map.index.log are writeable by the mail group.

The users are not regular members of the mail group, but my dovecot config 
contains

mail_access_groups = mail

Any idea how to resolve this issue?

-Mike

smime.p7s
Description: S/MIME cryptographic signature

Re: [Dovecot] Dovecot 2.0.15 quota configuration with mbox

[David Ocana]

On 09/11/11 18:56, Timo Sirainen wrote:

On Wed, 2011-11-09 at 10:54 +0100, David Ocana wrote:


I've been trying to set up dovecot 2.0.15, everything seems to work
pretty well except for the quota feature. I would like to set a quota
limit only for the Inbox folder. I configured two namespaces,
according to some posts from Timo Sirainen

namespace {
   separator = /
   prefix = INBOX/
   location = mbox:/var/empty:INBOX=/mail/%d/%n:INDEX=/var/dovecot/%d/%n
   inbox = yes
   hidden = yes
}

plugin {
   quota = dirsize:User quota


quota = dirsize:User quota:ns=INBOX/


Actually I forgot to mention that I also tried that, but I got the 
following error:


Error: Initialization failed: Failed to initialize quota: Quota root 
User quota: Unknown parameter for backend dirsize: ns=INBOX/


That's why I was trying to change quota settings by using the quota_rule 
directive.




This limits the quota only to mailboxes in INBOX/ namespace.


   # I've tried with:
   quota_rule = INBOX:storage=819200K
   quota_rule = INBOX/*:storage=819200K
   quota_rule = INBOX/Inbox:storage=819200K


Quota rules don't work in this way. There are no per-mailbox quotas
really, at least in the way you're thinking about.



I see, I guess they're per-namespace quotas, right? I got the wrong idea 
after watching the following, which was exactly what I wanted to do :p


quota_rule = mailbox name:limit configuration

May be that, using dirsize backend lets you no other option than 
calculating quota for the whole user's mailbox?




smime.p7s
Description: S/MIME Cryptographic Signature

Re: [Dovecot] Please advise on very fast search

[Stan Hoeppner]

On 11/9/2011 11:35 PM, Alexander Chekalin wrote:
 Hello, Stan,
 
 in fact the only thing I miss even with my current scheme is permanent
 ID assigned to the message so I can easily find it despite the IMAP
 mailbox it is now (so if someone moved the message from one
 mailbox/folder to another, the ID allows to retrieve it fast anyway).
 
 You see, what I need is not only find message from|to someone on
 specified date, I also sometime need to restore that message back to
 user's original box. As far our mailserver and backup-mailserver are
 different machines, it is a bit tricky to copy messages between it fast
 enough. Say, if I need to find and restore all mails from
 u...@domain.com within 2009 year, and search yields in some 1000's of
 messages, then use IMAP to copy it over to another server takes some
 time - and if you consider both search time and restore/copy time the
 whole process may take ages.

Apparently I didn't fully understand all of your requirements.

Moving the archived mail to mbox/mdbox and/or getting a good indexing
search engine installed will cut the search time down tremendously.
Whether that would make up for the time consumed with an IMAP copy of
many emails I don't know.  If your servers aren't old and slow, and are
not already overloaded, I would think the IMAP message copying over GbE
would be pretty quick, even for the 1000 messages scenario.

There may be some Dovecot tweaks that might make this copy process
faster.  Timo would need to chime in on that.  Do you perform the IMAP
transfers with a GUI IMAP client on your management PC?  Or are you
using imapsync or some other util directly on the servers?

If the former you may be able to tweak your IMAP client to speed up the
transfers as well.  Try using IMAP and not IMAPS for the transfers.
What is the network infrastructure between the servers and your
management workstation?  Is it all GbE with jumbo frames enabled?

 With maildir I can rsync/scp needed files to another host and that's
 fast way - that's why I stick with maildir.

There is definitely some flexibility here.

 FTS in my case can help (I can search for u...@domain.com, for example),
 but it also return messages that contains such a string in message body
 (and that takes index space, too), so I'll need to filter it later, but
 surely it'll be faster than checking every message in the archive.

Sure.  So you're concerned with your poor performance, but also with
disk space.  Unfortunately there's no free lunch to be had.  You'll have
to make sacrifices somewhere.  You could go with mdbox and use
compression, trading that saved space for search index files space.

-- 
Stan

Re: [Dovecot] Exim thru through Dovecot deliver to spec IMAP-folder

[Stan Hoeppner]

On 11/10/2011 3:27 AM, Alexander KIper wrote:
 Hello All!
 
 How can I post some mails from Exim trnasport through Dovecot deliver to
 IMAP MailBox in specific folder (for example: Junk)?

Dovecot 1.x:http://wiki.dovecot.org/LDA/Sieve
Dovecot 2.x:http://wiki2.dovecot.org/Pigeonhole/Sieve

-- 
Stan

Re: [Dovecot] Please advise on very fast search

[Timo Sirainen]

On 10.11.2011, at 6.37, Alexander Chekalin wrote:

 Are there any ways I can search or parse mboxes or mdboxes not directly and 
 not with IMAP (I'm afraid it slooow in dump parsing)?

See doveadm fetch / doveadm search.

 in fact the only thing I miss even with my current scheme is permanent ID 
 assigned to the message so I can easily find it despite the IMAP mailbox it 
 is now (so if someone moved the message from one mailbox/folder to another, 
 the ID allows to retrieve it fast anyway).

Dovecot has message GUIDs (with maildir it's filename), but there's no quick 
lookup for them, even though doveadm can fetch them easily:

doveadm fetch text guid 12312312

Re: [Dovecot] Quota BUG - fixed

[Adrian Minta]

After some deep investigations I manage to solve the problem. I was only 
reading quota in user_querry. Now I read it in user_querry and in 
password_query and all seems fine:


--dovecot-sql.conf---

user_query = SELECT '/home/%d/%n' as home, 'maildir:/home/%d/%n' as mail, 150 
AS uid, 8 AS gid, CONCAT('*:bytes=', quota) AS quota_rule FROM mailbox WHERE 
username = '%u' AND active = '1'
password_query = SELECT username as user, password, '/home/%d/%n' as 
userdb_home, 'maildir:/home/%d/%n' as userdb_mail, 150 as userdb_uid, 8 as 
userdb_gid, CONCAT('*:bytes=', quota) as userdb_quota_rule FROM mailbox WHERE 
username = '%u' AND active = '1'


--dovecot.conf---

plugin {
quota = dict:user::proxy::quotadict
quota_rule2 = Trash:storage=10%%
quota_rule3 = SPAM:storage=10%%
}


the result is fine now:

2 getquotaroot inbox
* QUOTAROOT INBOX user
* QUOTA user (STORAGE 1997999 200)
2 OK Getquotaroot completed.


Only one cosmetic bug remains when an empty mailbox appear as a small 
negative number in quota2 table, but this is fixable in postfixadmin.



--

Best regards,
Adrian MintaMA3173-RIPE,www.minta.ro

[Dovecot] dovecot-lda quota rule

[Micah Anderson]

I really like the feature where you can define quota rules with percents
which trigger off of the default values[0] (so you can set the Trash to
allow for 10% more of the user's quota for example). 

What I would really love in dovecot would be for the ability to
configure a quota rule for dovecot-lda. I would like to configure things
so we don't bounce emails for users until they are well over quota, the
IMAP quota plugin is a really great way to notify people that they are
over quota because it fails to write to other folders that should be
enough to get people's attention that they need to deal with things, but
bouncing is harsh.

Is there a way to do this now that I haven't seen? 

thanks!
micah


0. http://wiki2.dovecot.org/Quota/Configuration
-- 



pgpaJaa1mOJFt.pgp
Description: PGP signature

[Dovecot] TLS Authentication Confusion

[Carlos Mennens]

I asked a user today to make sure his incoming and outgoing email was
using TLS. He told me it wasn't possible because my Dovecot / Postfix
daemons were only listening on TCP 25  143 according to a port scan
he did. He told me the only way I could enable encrypted secure
sessions between the client  server is to enable port 993 (IMAPs). I
told him that TLS is supported on my mail server over the default
ports TCP 25 / 143 and that many consider IMAPs to be legacy. I sent
him a telnet session of my PC communicating with my server  it shows
TLS is available. I just wanted to be sure I was correct with the
information above or am I completely wrong and I do indeed need TCP
port 993?

I know this is the Dovecot mailing list but since Dovecot and Postfix
both use and support TLS in their configuration files, I figured I
would ask here for your help!

carloss@pc1:~$ telnet mail.holyghost.org 25
Trying 192.168.4.100...
Connected to mail.holyghost.org.
Escape character is '^]'.
220 mail.holyghost.org ESMTP Postfix
EHLO pc1.holyghost.org
250-mail.holyghost.org
250-PIPELINING
250-SIZE 2048
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

Below is a snip from my mail logs showing TLS:

Nov  9 10:26:39 mail dovecot: imap-login: Login: user=carlos,
method=PLAIN, rip=:::192.168.4.100, lip=:::192.168.4.100, TLS

The above snip from my log means that I'm connecting to Dovecot via
TLS, correct?

Re: [Dovecot] TLS Authentication Confusion

[Dick Middleton]

On 11/10/11 19:17, Carlos Mennens wrote:
 I asked a user today to make sure his incoming and outgoing email was
 using TLS. He told me it wasn't possible because my Dovecot / Postfix
 daemons were only listening on TCP 25  143 according to a port scan
 he did. He told me the only way I could enable encrypted secure
 sessions between the client  server is to enable port 993 (IMAPs).

Yes you are right.  Port 993 is for IMAPS (SSH).  TLS is normally on the same
port as plain.

The difference between SSH and TLS is that with SSH the encryption is set up
before any application communication takes place.  i.e all application packets
are contained in the encrypted payload.  With TLS the application starts
communication and then the application sets up encryption of its payload.

Dick

Re: [Dovecot] patching dovecot for sieve/managesieve support, centos 5.6?

[Stephan Bosch]

This mail was answered before. Don't repost your question unless you 
have acted on the information provided, got new information or have 
additional questions. Re-posting the exact same message makes no sense.


Regards,

Stephan.

On 11/10/2011 5:09 AM, Scott Lewis wrote:



- Forwarded Message -
From: Scott Lewisscott_the_music...@yahoo.com.au
To: dovecot@dovecot.orgdovecot@dovecot.org
Sent: Thursday, 3 November 2011 4:31 PM
Subject: patching dovecot for sieve/managesieve support, centos 5.6?


Hi all,

I am having real trouble when attempting to patch dovecot 1.2 to include the 
Pidgeonhole sieve support on my CentOS 5.6 x64 mail server. I am relatively new 
to the programming side of linux, but I am not having a lot of luck when trying 
to get this thing to compile.

Here's what happens:

[root@mail ~]# whereis dovecot
dovecot: /usr/sbin/dovecot /etc/dovecot.conf /usr/lib/dovecot 
/usr/libexec/dovecot /usr/share/man/man8/dovecot.8.gz

[root@mail dovecot-1.2-sieve-0.1.19]# ./configure 
--with-dovecot=/usr/lib/dovecot

...

checking whether to build static libraries... yes
dovecot-config not found from /usr/lib/dovecot, use --with-dovecot=PATH
to give path to compiled Dovecot sources or to a directory with the
installed dovecot-config file. configure: error:
  dovecot-config not found

--

I get this message regardless of whether I set --with-dovecot as 
/usr/sbin/dovecot, or /etc, or /usr/libexec/dovecot.

I have SquirrelMail 1.4.22 running, and the avelsieve front-end seems happy 
enough. when I visit https://mail.mydomain.com/src/configtest.php, I get:

Avelsieve plugin details: backend = ManageSieve
ERROR: I could not determine the capabilities for Sieve Mail Filtering. Perhaps 
connectivity with ManageSieve server (if backend=Managesieve) is bad?

thanks in advance!

Re: [Dovecot] TLS Authentication Confusion

[Frank Elsner]

On Thu, 10 Nov 2011 19:28:55 + Dick Middleton wrote:
 On 11/10/11 19:17, Carlos Mennens wrote:
  I asked a user today to make sure his incoming and outgoing email was
  using TLS. He told me it wasn't possible because my Dovecot / Postfix
  daemons were only listening on TCP 25  143 according to a port scan
  he did. He told me the only way I could enable encrypted secure
  sessions between the client  server is to enable port 993 (IMAPs).
 
 Yes you are right.  Port 993 is for IMAPS (SSH).  TLS is normally on the same
 port as plain.
 
 The difference between SSH and TLS is that with SSH the encryption is set up
 before any application communication takes place.  i.e all application packets
 are contained in the encrypted payload.  With TLS the application starts
 communication and then the application sets up encryption of its payload.

:%s/SSH/SSL/g


--Frank

Re: [Dovecot] TLS Authentication Confusion

[Tom Hendrikx]

On 10-11-11 20:28, Dick Middleton wrote:
 On 11/10/11 19:17, Carlos Mennens wrote:
 I asked a user today to make sure his incoming and outgoing email was
 using TLS. He told me it wasn't possible because my Dovecot / Postfix
 daemons were only listening on TCP 25  143 according to a port scan
 he did. He told me the only way I could enable encrypted secure
 sessions between the client  server is to enable port 993 (IMAPs).
 
 Yes you are right.  Port 993 is for IMAPS (SSH).  TLS is normally on the same
 port as plain.
 
 The difference between SSH and TLS is that with SSH the encryption is set up
 before any application communication takes place.  i.e all application packets
 are contained in the encrypted payload.  With TLS the application starts
 communication and then the application sets up encryption of its payload.
 

You're contributing to the confusion.

SSL and TLS are practically the same, just another name for the same
beast. The only difference is that SSL is the old name, and newer
versions of the standard are labeled TLS. The term SSH is not in the
scope of this question.

There are 2 ways of using SSL/TLS to encrypt sessions:

1) Setup a dedicated port where a SSL/TLS session can be setup before
the actual data is transferred. This is what happens for IMAPS/993 and
SMTPS/465.

2) Extend an existing protocol to enable SSL/TLS during an open session.
This is called STARTTLS in several protocols, SMTP and IMAP being among
them. And this is what happens on SMTP/25, Submission/587 and IMAP/143.

Note that although the second option is *named* STARTTLS, you probably
could implement any server to *use* SSL 1.0 for the actual encryption
(not recommended though).

The OP is offering STARTTLS for both services, which is good.

--
Regards,
Tom

Re: [Dovecot] TLS Authentication Confusion

[Noel]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
 
On 11/10/2011 2:11 PM, Tom Hendrikx wrote:
 On 10-11-11 20:28, Dick Middleton wrote:
 On 11/10/11 19:17, Carlos Mennens wrote:
 I asked a user today to make sure his incoming and outgoing email was
 using TLS. He told me it wasn't possible because my Dovecot / Postfix
 daemons were only listening on TCP 25  143 according to a port scan
 he did. He told me the only way I could enable encrypted secure
 sessions between the client  server is to enable port 993 (IMAPs).

 Yes you are right. Port 993 is for IMAPS (SSH). TLS is normally on
the same
 port as plain.

 The difference between SSH and TLS is that with SSH the encryption
is set up
 before any application communication takes place. i.e all
application packets
 are contained in the encrypted payload. With TLS the application
starts
 communication and then the application sets up encryption of its
payload.


 You're contributing to the confusion.

 SSL and TLS are practically the same, just another name for the same
 beast. The only difference is that SSL is the old name, and newer
 versions of the standard are labeled TLS. The term SSH is not in the
 scope of this question.

 There are 2 ways of using SSL/TLS to encrypt sessions:

 1) Setup a dedicated port where a SSL/TLS session can be setup before
 the actual data is transferred. This is what happens for IMAPS/993 and
 SMTPS/465.

 2) Extend an existing protocol to enable SSL/TLS during an open
session.
 This is called STARTTLS in several protocols, SMTP and IMAP being among
 them. And this is what happens on SMTP/25, Submission/587 and IMAP/143.

 Note that although the second option is *named* STARTTLS, you probably
 could implement any server to *use* SSL 1.0 for the actual encryption
 (not recommended though).

 The OP is offering STARTTLS for both services, which is good.

 --
 Regards,
 Tom

The confusion is caused by the way some client software
differentiate these services in their configuration, often referring
to wrappermode smtps/imaps as SSL, and STARTTLS as TLS.



  -- Noel Jones
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
 
iQEcBAEBAgAGBQJOvDJcAAoJEHIluGOd3V4F6foH/16+xq91/j4hgXufdnAsxwW1
N2ZXf1fby7TjR4BpaYNdH6PsN5/UqFSZItVYkeDXWgGG/wYCTRC+LHdks/EeQKgR
1ondUL2iorQ7bGy25m3526DGShFmcEh7P+Z6WWwdFeOTLBS57LIgwvFHBg4niYHq
3ZbPOjzI+d7kbz8tT8ATb+Ju+uJlV2rpbZKHQ90qlOR9tRl6bUOEeW32yPf5hjpI
gs89o66Ud+mb9kkH9vgrhnutxsWjVxWNWM1ba43S1bh4Jg9YneIdsHdQVQSPrFUz
EPy5Tgz3b+LZC6lwe6czFrhYgv/GUiJutS34qRHLSMAQGY+fgOcZBSZQHKP7NC4=
=TdNE
-END PGP SIGNATURE-

Re: [Dovecot] LDAP expired password

[Sven Hartge]

rpalmarin rpalma...@yahoo.com wrote:
 Sven Hartge sven at svenhartge.de writes:
 Nikolaos Milas nmilas at noa.gr wrote:
 On 1/4/2011 11:09 πμ, Sven Hartge wrote:
 
 Have a look at the ppolicy slapd.overlay. This will solve your
 problem.

 Sorry for the delay in the response I checked the ppolicy overlay but
 without success. This overlay does not have a single password
 expired attribute to put in the user_filter.

I think you misunderstood the usage of the overlay.

There is _no_ additional attribute to check. With ppolicy any
authentication will fail if some previously defined conditions are met
(or no longer met) like the max age of a password.

Documentation is contained in man slapo-ppolicy, which as bit hard to
understand, I must admit.

Also look at http://www.openldap.org/doc/admin24/overlays.html 
12.10 Password Policies has a nice example.

With this overlay you don't need any additional attributes and no
maintenance or houskeeping script to invalidate expired passwords.

 At my university we introduced our own attribute gifb-status which
 contains a 1 if an account is valid, a 0 if it is not (and
 several others for different purposes) and our ldap-filters all
 contain something like ((ou=foobar)(gifb-status=1)).

 is possible that the only way to do this is to manage a new attribute?
 how can understand  all the people that have configured the mail
 client to authenticate with imap-dovecot that their passoword has
 expired?

Well, either way (using ppolicy or an additional attribute): they will
call the support desk, if they are unable to understand the message from
their mail client. No way to fix _this_ problem, I am afraid ;)

S°

-- 
Sigmentation fault. Core dumped.