Re: [Dovecot] Syntax for doveadm auth cache

2012-10-02 Thread Angel L. Mateo

On 02/10/12 22:18, Timo Sirainen wrote:

On 2.10.2012, at 11.41, Angel L. Mateo wrote:


I've been doing some more tests with this problem I have (I need to 
solve it because I'm planning to migrate mailboxes from maildir to mdbox and I 
need to change mail_location for my users without rebooting the server).


You could flush the whole cache also.

	Oh... I was so obfuscated trying to expire just the user that I forgot 
I could flush the whole cache :-(



I think I have found the source of the problem, although I don't know 
how to fix it. The problem is that I have different results if I ask for user 
information with just the login or with the whole email:


Flush both the user and user@domain entries?

	Yes, I could do this, but why are there entries with user and 
user@domain? Because I have three user databases:


* master password: it is not normally used
* pam: I have the cache_key=%n on it
* ldap: I don't know how to configure cache_key (I tried args = cache_key=%n 
/etc/dovecot/dovecot-ldap.conf.ext but it didn't work)




Re: [Dovecot] bug formatting results when using doveadm-server

2012-10-02 Thread Angel L. Mateo

On 02/10/12 21:38, Timo Sirainen wrote:

On 26.9.2012, at 13.55, Angel L. Mateo wrote:


doveadm search -S /var/run/dovecot/auth-userdb -u ${user} SAVEDSINCE 5w | while 
read guid uid; do
   doveadm fetch -S /var/run/dovecot/auth-userdb -u ${user} size.physical 
mailbox-guid $guid uid $uid;
done


-S auth-userdb? You've named it completely wrong if that works :)

	auth-userdb is the socket for the auth system. It has always worked for 
me (I don't know why). What socket should I use? director-userdb?



The problem is that although when I run the doveadm search command in the 
backend server I correctly get the list of mails, each line with the 
mailbox-guid and the uid of the message, when I run the same command in the 
director server the format of the list is corrupted: there are lines that 
contain just the mailbox-guid, and the next line has the uid (of the previous 
one) and the mailbox-guid of the next, and so on. Like:

e62e0d3834ed094e5c797efb8a67 66
e62e0d3834ed094e5c797efb8a67 71
e62e0d3834ed094e5c797efb8a67 74
e62e0d3834ed094e5c797efb8a67
75 e62e0d3834ed094e5c797efb8a67
77 e62e0d3834ed094e5c797efb8a67
78 e62e0d3834ed094e5c797efb8a67


Thanks, fixed: http://hg.dovecot.org/dovecot-2.1/rev/94c7e875f9b9


Thanks, I'll check as soon as I can.


Re: [Dovecot] possible nfs issue

2012-10-02 Thread Jack Bates

On 10/2/2012 4:39 PM, Cor Bosman wrote:


Anyone else with NFS mailspools seeing this?

Cor




I haven't seen them yet; however, to help troubleshoot, see this link 
and follow its links for more details on .nfs files:


http://wordpress.org/support/topic/how-can-i-prevent-unwanted-nfs-files-from-being-created


Jack


Re: [Dovecot] [PATCH] Add SCRAM-SHA-1 password scheme

2012-10-02 Thread Timo Sirainen
On Wed, 2012-10-03 at 02:10 +0200, Florian Zeitz wrote:
> Attached is a new export incorporating your feedback.

Committed. Also what do you think about the attached patch? (Compiles,
untested.)

diff -r 3e3ac2c16fa4 src/auth/mech-scram-sha1.c
--- a/src/auth/mech-scram-sha1.c	Wed Sep 19 03:13:39 2012 +0200
+++ b/src/auth/mech-scram-sha1.c	Wed Oct 03 03:48:46 2012 +0300
@@ -19,10 +19,9 @@
 #include "str.h"
 #include "strfuncs.h"
 #include "strnum.h"
+#include "password-scheme.h"
 #include "mech.h"
 
-/* SCRAM hash iteration count. RFC says it SHOULD be at least 4096 */
-#define SCRAM_ITERATE_COUNT 4096
 /* s-nonce length */
 #define SCRAM_SERVER_NONCE_LEN 64
 
@@ -43,8 +42,8 @@
 	buffer_t *proof;
 
 	/* stored */
-	buffer_t *stored_key;
-	buffer_t *server_key;
+	unsigned char stored_key[SHA1_RESULTLEN];
+	unsigned char server_key[SHA1_RESULTLEN];
 };
 
 static const char *get_scram_server_first(struct scram_auth_request *request,
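Review bot: with stored_key and server_key now fixed SHA1_RESULTLEN arrays that scram_sha1_scheme_parse() fills in, the parser must reject a base64 value that decodes to anything other than SHA1_RESULTLEN bytes; otherwise the later hmac_init()/memcmp() calls, which now use sizeof(request->stored_key) unconditionally, read partly uninitialised bytes of the request struct, and a short StoredKey could pass as long as its prefix matched. The old buffer_t code at least sized the HMAC key by ->used. Worth an explicit length check in the parser and a test with a truncated entry, since the bound is no longer visible in this file.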
@@ -75,7 +74,6 @@
 {
 	struct hmac_context ctx;
 	const char *auth_message;
-	unsigned char server_key[SHA1_RESULTLEN];
 	unsigned char server_signature[SHA1_RESULTLEN];
 	string_t *str;
 
@@ -83,7 +81,7 @@
 			request->server_first_message, ",",
 			request->client_final_message_without_proof, NULL);
 
-	hmac_init(&ctx, request->server_key->data, request->server_key->used,
+	hmac_init(&ctx, request->server_key, sizeof(request->server_key),
 		  &hash_method_sha1);
 	hmac_update(&ctx, auth_message, strlen(auth_message));
 	hmac_final(&ctx, server_signature);
@@ -195,7 +193,7 @@
 			request->server_first_message, ",",
 			request->client_final_message_without_proof, NULL);
 
-	hmac_init(&ctx, request->stored_key->data, request->stored_key->used,
+	hmac_init(&ctx, request->stored_key, sizeof(request->stored_key),
 		  &hash_method_sha1);
 	hmac_update(&ctx, auth_message, strlen(auth_message));
 	hmac_final(&ctx, client_signature);
@@ -209,68 +207,31 @@
 	safe_memset(client_key, 0, sizeof(client_key));
 	safe_memset(client_signature, 0, sizeof(client_signature));
 
-	return memcmp(stored_key, request->stored_key->data,
-		  request->stored_key->used) == 0;
+	return memcmp(stored_key, request->stored_key, sizeof(stored_key)) == 0;
 }
 
 static void credentials_callback(enum passdb_result result,
  const unsigned char *credentials, size_t size,
  struct auth_request *auth_request)
 {
-	const char *const *fields;
-	size_t len;
-	unsigned int iter;
-	const char *salt;
 	struct scram_auth_request *request =
 		(struct scram_auth_request *)auth_request;
+	const char *salt, *error;
+	unsigned int iter_count;
 
 	switch (result) {
 	case PASSDB_RESULT_OK:
-		fields = t_strsplit(t_strndup(credentials, size), ",");
-
-		if (str_array_length(fields) != 4) {
+		if (scram_sha1_scheme_parse(credentials, size, &iter_count,
+	&salt, request->stored_key,
+	request->server_key, &error) < 0) {
 			auth_request_log_info(auth_request, "scram-sha-1",
-	  "Invalid passdb entry");
-			auth_request_fail(auth_request);
-			break;
-		}
-
-		if (str_to_uint(fields[0], &iter) < 0 || (iter < 4096) ||
-		(iter > INT_MAX)) {
-			auth_request_log_info(auth_request, "scram-sha-1",
-	  "Invalid iteration count");
-			auth_request_fail(auth_request);
-			break;
-		}
-
-		salt = fields[1];
-
-		len = strlen(fields[2]);
-		request->stored_key = buffer_create_dynamic(request->pool,
-	MAX_BASE64_DECODED_SIZE(len));
-		if (base64_decode(fields[2], len, NULL,
-  request->stored_key) < 0) {
-			auth_request_log_info(auth_request, "scram-sha-1",
-	  "Invalid base64 encoding"
-	  "of StoredKey in passdb");
-			auth_request_fail(auth_request);
-			break;
-		}
-
-		len = strlen(fields[3]);
-		request->server_key = buffer_create_dynamic(request->pool,
-	MAX_BASE64_DECODED_SIZE(len));
-		if (base64_decode(fields[3], len, NULL,
-  request->server_key) < 0) {
-			auth_request_log_info(auth_request, "scram-sha-1",
-	  "Invalid base64 encoding"
-	  "of ServerKey in passdb");
+	  "%s", error);
 			auth_request_fail(auth_request);
 			break;
 		}
 
 		request->server_first_message = p_strdup(request->pool,
-			get_scram_server_first(request, iter, salt));
+			get_scram_server_first(request, iter_count, salt));
 
 		auth_request_handler_reply_continue(auth_request,
 	request->server_first_message,
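Review bot: the final comparison `return memcmp(stored_key, request->stored_key, sizeof(stored_key)) == 0;` is a plain memcmp on the authentication secret; memcmp returns at the first differing byte, so prefer a constant-time comparison here, in the same spirit as the safe_memset() calls on client_key and client_signature just above it. Secondary: iter_count is now unsigned int (as str_to_uint requires) but get_scram_server_first() still takes int iter, so the two should agree now that the parser caps the value at INT_MAX. On the plus side, the concatenated literals "Invalid base64 encoding" "of StoredKey in passdb", which would have logged "encodingof", are gone with the move to "%s", error.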
diff -r 3e3ac2c16fa4 src/auth/password-scheme-scram.c
--- a/src/auth/password-scheme-scram.c	Wed Sep 19 03:13:39 2012 +0200
+++ b/src/auth/password-scheme-scram.c	Wed Oct 03 03:48:46 2012 +0300
@@ -18,8 +18,11 @@
 #include "str.h"
 #include "password-scheme.h"
 
-/* SCRAM hash iteration count. RFC says it SHOULD be at least 4096 */
-#define SCRAM_ITERATE_COUNT 4096
+/* SCRAM allowed iteration count range. RFC says it SHOULD be at least 4096 */
+#define SCRAM_MIN_ITERATE_COUNT 4096
+#define SCRAM_MAX_ITERATE_COUNT INT_MAX
+
+#define SCRAM_DEFAULT_ITERATE_COUNT 4096
 
 static void Hi(const unsigned char *str, size_t str_size,
 	   const u
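Review bot: SCRAM_MAX_ITERATE_COUNT expands to INT_MAX, which needs <limits.h>, and this hunk adds no include to password-scheme-scram.c, so please make sure the file gets it. It would also help to state in the comment why INT_MAX rather than UINT_MAX: the count is sent verbatim as i= in server-first to arbitrary client implementations, not because RFC 5802 sets any upper limit (it does not), so the cap is an interoperability choice.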

Re: [Dovecot] [PATCH] Add SCRAM-SHA-1 password scheme

2012-10-02 Thread Florian Zeitz
On 03.10.2012 01:58, Timo Sirainen wrote:
> On 3.10.2012, at 2.54, Florian Zeitz wrote:
> 
>> On 03.10.2012 01:42, Timo Sirainen wrote:
>>> On 3.10.2012, at 0.05, Florian Zeitz wrote:
>>>
>>>> attached is an hg export on top of the current dovecot-2.2 branch, which
>>>> adds support for a SCRAM-SHA-1 password scheme.
>>>
>>> Oh, and SCRAM-SHA1 or SCRAM-SHA-1? I'd think SCRAM-SHA1 as the scheme is 
>>> now called, but elsewhere in the code (including user-visible strings) it 
>>> says SCRAM-SHA-1.
>>>
>> Well, I usually prefer SCRAM-SHA-1, as that is how it is called in the
>> RFC, and SHA-1 is the hash name registered with IANA [1].
>> I did call the password scheme SCRAM-SHA1 to be consistent with other
>> current password schemes. I'm not 100% sure which one to use, or whether
>> a mix might even be the way to go ("correct" messages, but minimum user
>> confusion for password schemes).
> 
> Hmm. Probably not worth it to have both SCRAM-SHA1 and SCRAM-SHA-1. And now I 
> see that the user-visible strings are about SCRAM-SHA-1 mechanism, not the 
> hash. So yeah, I guess the best way to avoid confusion is to call it 
> SCRAM-SHA-1 everywhere.
> 
Seems sensible.

Attached is a new export incorporating your feedback.
The iteration count is now limited to [4096, INT_MAX]. The lower bound
is a recommendation of the RFC.
# HG changeset patch
# User Florian Zeitz 
# Date 1348017219 -7200
# Node ID a0b0eece12335905500631477ec1d6ab31014469
# Parent  99843f74422ac68bfde86e9cee6920164eae4d5d
auth: Add and use SCRAM-SHA-1 password scheme

diff --git a/src/auth/Makefile.am b/src/auth/Makefile.am
--- a/src/auth/Makefile.am
+++ b/src/auth/Makefile.am
@@ -44,6 +44,7 @@
password-scheme.c \
password-scheme-crypt.c \
password-scheme-md5crypt.c \
+   password-scheme-scram.c \
password-scheme-otp.c \
password-scheme-rpa.c
 
diff --git a/src/auth/mech-scram-sha1.c b/src/auth/mech-scram-sha1.c
--- a/src/auth/mech-scram-sha1.c
+++ b/src/auth/mech-scram-sha1.c
@@ -1,11 +1,14 @@
 /*
  * SCRAM-SHA-1 SASL authentication, see RFC-5802
  *
- * Copyright (c) 2011 Florian Zeitz 
+ * Copyright (c) 2011-2012 Florian Zeitz 
  *
  * This software is released under the MIT license.
  */
 
+#include 
+#include 
+
 #include "auth-common.h"
 #include "base64.h"
 #include "buffer.h"
@@ -15,6 +18,7 @@
 #include "safe-memset.h"
 #include "str.h"
 #include "strfuncs.h"
+#include "strnum.h"
 #include "mech.h"
 
 /* SCRAM hash iteration count. RFC says it SHOULD be at least 4096 */
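Review bot: the context line `/* SCRAM hash iteration count. RFC says it SHOULD be at least 4096 */` shows SCRAM_ITERATE_COUNT staying behind in mech-scram-sha1.c, although after this patch the mechanism derives nothing itself (Hi() and the salt move to the password scheme, and the count used on the wire comes from the passdb entry). Drop the dead define here, or the mechanism and password-scheme-scram.c will end up with two copies that drift apart.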
@@ -29,45 +33,22 @@
 
/* sent: */
const char *server_first_message;
-   unsigned char salt[16];
-   unsigned char salted_password[SHA1_RESULTLEN];
+   const char *snonce;
 
/* received: */
const char *gs2_cbind_flag;
const char *cnonce;
-   const char *snonce;
const char *client_first_message_bare;
const char *client_final_message_without_proof;
buffer_t *proof;
+
+   /* stored */
+   buffer_t *stored_key;
+   buffer_t *server_key;
 };
 
-static void Hi(const unsigned char *str, size_t str_size,
-  const unsigned char *salt, size_t salt_size, unsigned int i,
-  unsigned char result[SHA1_RESULTLEN])
-{
-   struct hmac_context ctx;
-   unsigned char U[SHA1_RESULTLEN];
-   unsigned int j, k;
-
-   /* Calculate U1 */
-   hmac_init(&ctx, str, str_size, &hash_method_sha1);
-   hmac_update(&ctx, salt, salt_size);
-   hmac_update(&ctx, "\0\0\0\1", 4);
-   hmac_final(&ctx, U);
-
-   memcpy(result, U, SHA1_RESULTLEN);
-
-   /* Calculate U2 to Ui and Hi */
-   for (j = 2; j <= i; j++) {
-   hmac_init(&ctx, str, str_size, &hash_method_sha1);
-   hmac_update(&ctx, U, sizeof(U));
-   hmac_final(&ctx, U);
-   for (k = 0; k < SHA1_RESULTLEN; k++)
-   result[k] ^= U[k];
-   }
-}
-
-static const char *get_scram_server_first(struct scram_auth_request *request)
+static const char *get_scram_server_first(struct scram_auth_request *request,
+ int iter, const char *salt)
 {
unsigned char snonce[SCRAM_SERVER_NONCE_LEN+1];
string_t *str;
@@ -84,12 +65,9 @@
snonce[sizeof(snonce)-1] = '\0';
request->snonce = p_strndup(request->pool, snonce, sizeof(snonce));
 
-   random_fill(request->salt, sizeof(request->salt));
-
-   str = t_str_new(MAX_BASE64_ENCODED_SIZE(sizeof(request->salt)));
-   str_printfa(str, "r=%s%s,s=", request->cnonce, request->snonce);
-   base64_encode(request->salt, sizeof(request->salt), str);
-   str_printfa(str, ",i=%d", SCRAM_ITERATE_COUNT);
+   str = t_str_new(sizeof(snonce));
+   str_printfa(str, "r=%s%s,s=%s,i=%d", request->cnonce, request->snonce,
+   salt, iter);
return str_c(str);
 }
 
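Review bot: get_scram_server_first() now formats `str_printfa(str, "r=%s%s,s=%s,i=%d", request->cnonce, request->snonce, salt, iter);` with a salt string taken straight from the passdb entry and the count as int. Two things to check: the salt must be clean base64 with no ',' in it, because a stray comma splits the server-first message for the client, so validate it where the entry is parsed rather than trusting the stored value; and the count is parsed with str_to_uint() but printed through an int parameter with %d, so either keep it unsigned and use %u or document that the parser caps it at INT_MAX. Dropping the per-request random_fill() of the salt is correct: the salt has to be the one the stored keys were derived with.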
@@ -105,15 +83,8 @@
request->server_first_message, ",",

Re: [Dovecot] [PATCH] Add SCRAM-SHA-1 password scheme

2012-10-02 Thread Timo Sirainen
On 3.10.2012, at 2.54, Florian Zeitz wrote:

> On 03.10.2012 01:42, Timo Sirainen wrote:
>> On 3.10.2012, at 0.05, Florian Zeitz wrote:
>> 
>>> attached is an hg export on top of the current dovecot-2.2 branch, which
>>> adds support for a SCRAM-SHA-1 password scheme.
>> 
>> Oh, and SCRAM-SHA1 or SCRAM-SHA-1? I'd think SCRAM-SHA1 as the scheme is now 
>> called, but elsewhere in the code (including user-visible strings) it says 
>> SCRAM-SHA-1.
>> 
> Well, I usually prefer SCRAM-SHA-1, as that is how it is called in the
> RFC, and SHA-1 is the hash name registered with IANA [1].
> I did call the password scheme SCRAM-SHA1 to be consistent with other
> current password schemes. I'm not 100% sure which one to use, or whether
> a mix might even be the way to go ("correct" messages, but minimum user
> confusion for password schemes).

Hmm. Probably not worth it to have both SCRAM-SHA1 and SCRAM-SHA-1. And now I 
see that the user-visible strings are about SCRAM-SHA-1 mechanism, not the 
hash. So yeah, I guess the best way to avoid confusion is to call it 
SCRAM-SHA-1 everywhere.



Re: [Dovecot] [PATCH] Add SCRAM-SHA-1 password scheme

2012-10-02 Thread Florian Zeitz
On 03.10.2012 01:42, Timo Sirainen wrote:
> On 3.10.2012, at 0.05, Florian Zeitz wrote:
> 
>> attached is an hg export on top of the current dovecot-2.2 branch, which
>> adds support for a SCRAM-SHA-1 password scheme.
> 
> Oh, and SCRAM-SHA1 or SCRAM-SHA-1? I'd think SCRAM-SHA1 as the scheme is now 
> called, but elsewhere in the code (including user-visible strings) it says 
> SCRAM-SHA-1.
> 
Well, I usually prefer SCRAM-SHA-1, as that is how it is called in the
RFC, and SHA-1 is the hash name registered with IANA [1].
I did call the password scheme SCRAM-SHA1 to be consistent with other
current password schemes. I'm not 100% sure which one to use, or whether
a mix might even be the way to go ("correct" messages, but minimum user
confusion for password schemes).

[1]
https://www.iana.org/assignments/hash-function-text-names/hash-function-text-names.xml


Re: [Dovecot] [PATCH] Add SCRAM-SHA-1 password scheme

2012-10-02 Thread Timo Sirainen
On 3.10.2012, at 0.05, Florian Zeitz wrote:

> attached is an hg export on top of the current dovecot-2.2 branch, which
> adds support for a SCRAM-SHA-1 password scheme.

Oh, and SCRAM-SHA1 or SCRAM-SHA-1? I'd think SCRAM-SHA1 as the scheme is now 
called, but elsewhere in the code (including user-visible strings) it says 
SCRAM-SHA-1.



Re: [Dovecot] possible nfs issue

2012-10-02 Thread Cor Bosman

On Oct 3, 2012, at 12:35 AM, Timo Sirainen  wrote:

> On 3.10.2012, at 0.45, Timo Sirainen wrote:
> 
>> On 3.10.2012, at 0.39, Cor Bosman wrote:
>> 
>>> With NFS these files are created when a file gets unlinked, but another 
>>> process still has it open. It disappears as soon as the other process 
>>> closes it. For some reason they don't disappear. As far as I can tell we've 
>>> had no server crashes that could explain this.  One possible theory is that 
>>> a rename happens after an unlink. In that case the file remains. This could 
>>> possibly be a dovecot issue. 
>> 
>> How can a rename happen after unlink? The rename should fail. (Unless doing 
>> rename(.nfs1234, something), but Dovecot definitely isn't doing that.)
> 
> You could see if this old test program leaves .nfs files lying around:
> 
> http://dovecot.org/tmp/readdir.c
> 
> Just comment out the line:
> 
>   close(fd);
> 

I meant the .nfs1234 indeed, but it seemed very unlikely. Thanks for 
clarifying. The readdir program leaves no .nfs files. We'll have to explore 
other possibilities.

Cor



Re: [Dovecot] Logging IP address for failed login

2012-10-02 Thread Joseph Tam

Scott Neville  writes:


I am trying to use the logs to show the IP that brute force activity
comes from, but I'm not succeeding.  I have read the archives and seen
the advice others have had.  I can see logs for repeated bad logins,
but I need the IP address from the attempts.

...
but only for successful logins. The brute force attempts don't log like that:

Sep 16 00:02:58 olive dovecot: auth: pam(backup): unknown user


This was similar to another complaint several months ago.  I conjectured
that these attempts are SMTP AUTH, not IMAP, brute forcing.  Are you
using Dovecot's SASL feature to authenticate outgoing email (i.e. via
Postfix)?  Maybe you can verify this hypothesis by checking the Postfix logs.

Joseph Tam 


Re: [Dovecot] possible nfs issue

2012-10-02 Thread Timo Sirainen
On 3.10.2012, at 0.45, Timo Sirainen wrote:

> On 3.10.2012, at 0.39, Cor Bosman wrote:
> 
>> With NFS these files are created when a file gets unlinked, but another 
>> process still has it open. It disappears as soon as the other process closes 
>> it. For some reason they don't disappear. As far as I can tell we've had no 
>> server crashes that could explain this.  One possible theory is that a 
>> rename happens after an unlink. In that case the file remains. This could 
>> possibly be a dovecot issue. 
> 
> How can a rename happen after unlink? The rename should fail. (Unless doing 
> rename(.nfs1234, something), but Dovecot definitely isn't doing that.)

You could see if this old test program leaves .nfs files lying around:

http://dovecot.org/tmp/readdir.c

Just comment out the line:

close(fd);
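The same probe as the readdir.c test above, written here as an added example in Python (not Timo's program and not Dovecot code): an NFS client that unlinks a file some process still holds open renames it to .nfs<hex> and only removes it when the last descriptor closes, so a descriptor that is never closed, or a client that dies holding one, leaves the file behind, still counted by quota. The example adds the check a practitioner wants next: which local process, if any, still holds a given .nfs file open, found by walking /proc/*/fd. The maildir-style file name, the sample content and the use of /proc are assumptions; run it against a directory on an NFS mount to see the rename, on a local filesystem both listings come back empty.

```python
"""Silly-rename probe (added example, not Dovecot's or Timo's code)."""
import os
import tempfile


def nfs_leftovers(directory):
    """Silly-renamed (.nfsXXXX) entries currently present in `directory`."""
    return sorted(n for n in os.listdir(directory) if n.startswith(".nfs"))


def holders(path):
    """PIDs on this host that still have `path` open, from /proc/*/fd (Linux
    only, [] elsewhere). A .nfs file nobody here holds is stale on this
    client: the holder died, or the file was renamed over after the unlink.
    The holder may of course be a process on another NFS client."""
    target = os.path.realpath(path)
    pids = []
    if not os.path.isdir("/proc"):
        return pids
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        try:
            fds = os.listdir("/proc/%s/fd" % pid)
        except OSError:            # another user's process, or it exited
            continue
        for fd in fds:
            try:
                if os.readlink("/proc/%s/fd/%s" % (pid, fd)) == target:
                    pids.append(int(pid))
                    break
            except OSError:
                continue
    return pids


def unlink_while_open(directory):
    """The readdir.c scenario: create, open, unlink, list, close, list again.
    On NFS the first listing shows a .nfs entry and the second does not;
    leave the close out (the leak) and the entry stays."""
    path = os.path.join(directory, "1349222400.M1P1.host")    # constructed name
    fd = os.open(path, os.O_RDWR | os.O_CREAT, 0o600)
    os.write(fd, b"Subject: test\r\n\r\nbody\r\n")             # constructed content
    os.unlink(path)          # the name is gone; the inode lives while fd is open
    while_open = nfs_leftovers(directory)
    os.close(fd)             # comment this out to reproduce the leak
    return {"while_open": while_open, "after_close": nfs_leftovers(directory)}


def demo():
    """Run both probes in a fresh temporary directory and return the findings."""
    d = tempfile.mkdtemp()
    result = unlink_while_open(d)
    held = os.path.join(d, "held")
    fd = os.open(held, os.O_RDWR | os.O_CREAT, 0o600)
    # holders() must see our own process while the descriptor is open
    result["self_holds"] = (os.getpid() in holders(held)) if os.path.isdir("/proc") else None
    os.close(fd)
    os.unlink(held)
    # .nfs entries that no local process holds: candidates for the quota leak
    result["stale"] = [n for n in nfs_leftovers(d) if not holders(os.path.join(d, n))]
    try:
        os.rmdir(d)          # fails on NFS if a .nfs entry is still there
    except OSError:
        pass
    return result


if __name__ == "__main__":
    print(demo())
```

Point `nfs_leftovers()` and `holders()` at a real cur/ directory to classify the entries from the `find` output above: an entry with a holder is a process that has not closed the message yet; an entry with none is the kind that never goes away on its own.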



Re: [Dovecot] [PATCH] Add SCRAM-SHA-1 password scheme

2012-10-02 Thread Timo Sirainen
On 3.10.2012, at 1.12, Florian Zeitz wrote:

> On 02.10.2012 23:27, Timo Sirainen wrote:
>> On 3.10.2012, at 0.05, Florian Zeitz wrote:
>> 
>>> attached is an hg export on top of the current dovecot-2.2 branch, which
>>> adds support for a SCRAM-SHA-1 password scheme.
>>> 
>>> Ideally I'd want doveadm pw's rounds flag to apply to this, but that's
>>> currently specific to the crypt password scheme, so I left it out for now.
>> 
>> Looks pretty good. But you could improve the error handling a bit. Instead 
>> of atoi() use str_to_uint() and verify the error value. Also verify that 
>> t_strsplit() returns the correct number of values. And there should be some 
>> sanity check for the iter count also.. I'm not sure what, but currently it's 
>> possible for Hi() to go to infinite loop.
>> 
> I shall. For the iteration count the endless loop should be fixed by
> restricting the largest value to UINT_MAX-1, right?

Yeah.

> I'm not too fond of
> stopping people from wasting their CPU time on Hi calculation beyond
> this. I can try to guestimate a "sane" upper limit, but given time I
> have an icky feeling that it will end up being too low. Thoughts?

Looks like RFC 5802 doesn't give any kind of a limit. But since it gets sent to 
various client implementations, INT_MAX is probably a good limit? Also 0 isn't 
a valid iteration count.
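The derivation and the entry checks discussed in this thread, as an added example in Python (not Dovecot's code and not Florian's patch): Hi() as PBKDF2-HMAC-SHA-1, StoredKey and ServerKey, the four-field credential the patch's credentials_callback() splits on "," (iteration count, salt, base64 StoredKey, base64 ServerKey), a parser enforcing the [4096, INT_MAX] bound agreed above and rejecting 0, junk and wrong-length keys, and the final-message verification on both sides, replayed against the worked exchange in RFC 5802 section 5. Function names, the 16-byte salt and plain UTF-8 encoding of the password without SASLprep are assumptions.

```python
"""SCRAM-SHA-1 (RFC 5802) password scheme: generate, parse, verify.
Added example; the field layout and the iteration bound follow the patch in
this thread, everything else is assumed."""
import base64
import hashlib
import hmac
import os

SCRAM_MIN_ITER = 4096         # RFC 5802: SHOULD be at least 4096
SCRAM_MAX_ITER = 2 ** 31 - 1  # INT_MAX, the cap settled on in the thread
SHA1_LEN = 20


def _b64(data):
    return base64.b64encode(data).decode("ascii")


def scram_hi(password, salt, iterations):
    """Hi() of RFC 5802 section 2.2 is PBKDF2-HMAC-SHA-1 with 20-byte output."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations, dklen=SHA1_LEN)


def scram_keys(password, salt, iterations):
    """(StoredKey, ServerKey) as the server stores them; SaltedPassword and
    ClientKey never need to leave this function."""
    salted = scram_hi(password, salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
    return stored_key, server_key


def scram_scheme_generate(password, iterations=SCRAM_MIN_ITER, salt=None):
    """Passdb value: 'iterations,salt,StoredKey,ServerKey', all but the first base64."""
    if not SCRAM_MIN_ITER <= iterations <= SCRAM_MAX_ITER:
        raise ValueError("iteration count outside [4096, INT_MAX]")
    salt = os.urandom(16) if salt is None else salt      # 16-byte salt is an assumption
    stored_key, server_key = scram_keys(password.encode("utf-8"), salt, iterations)
    return ",".join([str(iterations), _b64(salt), _b64(stored_key), _b64(server_key)])


def scram_scheme_parse(entry):
    """Parse a passdb value, rejecting the inputs the thread worried about:
    wrong field count, non-numeric or out-of-range count (0 and UINT_MAX
    included), and keys that do not decode to exactly SHA1_LEN bytes."""
    fields = entry.split(",")
    if len(fields) != 4:
        raise ValueError("invalid passdb entry")
    if not fields[0].isdigit():                 # no sign, no spaces, no empty string
        raise ValueError("invalid iteration count")
    iterations = int(fields[0])
    if not SCRAM_MIN_ITER <= iterations <= SCRAM_MAX_ITER:
        raise ValueError("invalid iteration count")
    base64.b64decode(fields[1], validate=True)  # salt is relayed verbatim in server-first
    stored_key = base64.b64decode(fields[2], validate=True)
    server_key = base64.b64decode(fields[3], validate=True)
    if len(stored_key) != SHA1_LEN or len(server_key) != SHA1_LEN:
        raise ValueError("StoredKey/ServerKey must be %d bytes" % SHA1_LEN)
    return iterations, fields[1], stored_key, server_key


def scram_client_proof(password, salt_b64, iterations, auth_message):
    """Client side: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    salted = scram_hi(password.encode("utf-8"), base64.b64decode(salt_b64), iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()
    client_sig = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
    return bytes(a ^ b for a, b in zip(client_key, client_sig))


def scram_server_verify(entry, auth_message, client_proof):
    """Server side: recover ClientKey from the proof and compare H(ClientKey)
    with StoredKey in constant time. Returns the ServerSignature to send back
    as v=..., or None when the proof is wrong."""
    _, _, stored_key, server_key = scram_scheme_parse(entry)
    if len(client_proof) != SHA1_LEN:
        return None
    client_sig = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
    client_key = bytes(a ^ b for a, b in zip(client_proof, client_sig))
    if not hmac.compare_digest(hashlib.sha1(client_key).digest(), stored_key):
        return None
    return hmac.new(server_key, auth_message, hashlib.sha1).digest()


def rfc5802_example():
    """Replay the exchange from RFC 5802 section 5 (user 'user', password
    'pencil', its nonces and salt) through the functions above."""
    cnonce, snonce = "fyko+d2lbbFgONRv9qkxdawL", "3rfcNHYJY1ZVvWVs7j"
    salt_b64, iters = "QSXCR+Q6sek8bf92", 4096
    entry = scram_scheme_generate("pencil", iters, base64.b64decode(salt_b64))
    client_first_bare = "n=user,r=" + cnonce
    server_first = "r=%s%s,s=%s,i=%d" % (cnonce, snonce, salt_b64, iters)
    client_final_bare = "c=biws,r=" + cnonce + snonce      # biws = base64("n,,")
    auth_message = ",".join([client_first_bare, server_first, client_final_bare]).encode()
    proof = scram_client_proof("pencil", salt_b64, iters, auth_message)
    sig = scram_server_verify(entry, auth_message, proof)
    return (_b64(proof) == "v0X8v3Bz2T0CJGbJQyF0X+HI4Ts="
            and sig is not None
            and _b64(sig) == "rmF9pqV8S7suAoZWja4dJRkFsKQ=")
```

The parser is deliberately stricter than the field count alone: a stored value that was never bounded upstream is exactly the input that drove Hi() into its endless loop, so the check belongs at the point where the passdb string is trusted, not only in the generator.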

Re: [Dovecot] [PATCH] Add SCRAM-SHA-1 password scheme

2012-10-02 Thread Florian Zeitz
On 02.10.2012 23:27, Timo Sirainen wrote:
> On 3.10.2012, at 0.05, Florian Zeitz wrote:
> 
>> attached is an hg export on top of the current dovecot-2.2 branch, which
>> adds support for a SCRAM-SHA-1 password scheme.
>>
>> Ideally I'd want doveadm pw's rounds flag to apply to this, but that's
>> currently specific to the crypt password scheme, so I left it out for now.
> 
> Looks pretty good. But you could improve the error handling a bit. Instead of 
> atoi() use str_to_uint() and verify the error value. Also verify that 
> t_strsplit() returns the correct number of values. And there should be some 
> sanity check for the iter count also.. I'm not sure what, but currently it's 
> possible for Hi() to go to infinite loop.
> 
I shall. For the iteration count the endless loop should be fixed by
restricting the largest value to UINT_MAX-1, right? I'm not too fond of
stopping people from wasting their CPU time on Hi calculation beyond
this. I can try to guesstimate a "sane" upper limit, but given time I
have an icky feeling that it will end up being too low. Thoughts?


Re: [Dovecot] possible nfs issue

2012-10-02 Thread Timo Sirainen
On 3.10.2012, at 0.39, Cor Bosman wrote:

> With NFS these files are created when a file gets unlinked, but another 
> process still has it open. It disappears as soon as the other process closes 
> it. For some reason they don't disappear. As far as I can tell we've had no 
> server crashes that could explain this.  One possible theory is that a rename 
> happens after an unlink. In that case the file remains. This could possibly 
> be a dovecot issue. 

How can a rename happen after unlink? The rename should fail. (Unless doing 
rename(.nfs1234, something), but Dovecot definitely isn't doing that.)



[Dovecot] possible nfs issue

2012-10-02 Thread Cor Bosman
Hi all, we've started receiving complaints from users that seemingly use more 
quota than they actually have. We noticed that these users have (in some cases 
many) .nfs files in their mailspool. Some of our admins checked their own dirs, 
and noticed them there as well.  This could of course be unrelated to dovecot 
(kernel issue, netapp issue) but maybe somebody has an idea about whether dovecot 
could cause this. This has been going on for at least a year, not really enough 
to notice before now. 

root@userimap1# find . -type f|grep -i .nfs
./cur/.nfs003967ad003c0603
./cur/.nfs0757b44b003be609
./cur/.nfs035e89bd003be60b
./cur/.nfs0796251c003be60c
./cur/.nfs0796251f003be60e
./cur/.nfs0262f9a1003be33a
./cur/.nfs096513f3003be524
./cur/.nfs07962525003be60f
./cur/.nfs03e7d8ab003be62b
./cur/.nfs026f4fad003be50d
./cur/.nfs00bdaeab003c0611
./cur/.nfs05da42c7003be525
./cur/.nfs03d74729003be526
./cur/.nfs0229769e003be535
./cur/.nfs0440969e003be516

With NFS these files are created when a file gets unlinked, but another process 
still has it open. It disappears as soon as the other process closes it. For 
some reason they don't disappear. As far as I can tell we've had no server 
crashes that could explain this.  One possible theory is that a rename happens 
after an unlink. In that case the file remains. This could possibly be a 
dovecot issue. 

Anyone else with NFS mailspools seeing this?

Cor




Re: [Dovecot] [PATCH] Add SCRAM-SHA-1 password scheme

2012-10-02 Thread Timo Sirainen
On 3.10.2012, at 0.05, Florian Zeitz wrote:

> attached is an hg export on top of the current dovecot-2.2 branch, which
> adds support for a SCRAM-SHA-1 password scheme.
> 
> Ideally I'd want doveadm pw's rounds flag to apply to this, but that's
> currently specific to the crypt password scheme, so I left it out for now.

Looks pretty good. But you could improve the error handling a bit. Instead of 
atoi() use str_to_uint() and verify the error value. Also verify that 
t_strsplit() returns the correct number of values. And there should be some 
sanity check for the iter count also.. I'm not sure what, but currently it's 
possible for Hi() to go to infinite loop.



Re: [Dovecot] segfault in Debian Squeeze + Dovecot 2.1.10

2012-10-02 Thread Timo Sirainen
On 3.10.2012, at 0.09, Joe Auty wrote:

>> Timo Sirainen 
>> October 2, 2012 4:12 PM
>> 
>> Fixed: http://hg.dovecot.org/dovecot-2.1/rev/e29b627219b3
> 
> Awesome!
> 
> Will this fix make it into 2.1.11, or should I toy with incorporating your 
> change and compiling a new copy of 2.1.10 by hand?

All changes added to dovecot-2.1 hg go to the next 2.1 release. But I don't 
know when v2.1.11 will be released, probably a few weeks at least.

> Also, will the seg fault have caused performance issues in breaking IDLE 
> connections? Just wondering what sort of impact this fix might have...

It shouldn't have caused any user-visible problems.



Re: [Dovecot] segfault in Debian Squeeze + Dovecot 2.1.10

2012-10-02 Thread Joe Auty


Timo Sirainen 
October 2, 2012 4:12 PM

Fixed: http://hg.dovecot.org/dovecot-2.1/rev/e29b627219b3


Awesome!

Will this fix make it into 2.1.11, or should I toy with incorporating 
your change and compiling a new copy of 2.1.10 by hand? Also, will the 
seg fault have caused performance issues in breaking IDLE connections? 
Just wondering what sort of impact this fix might have...


Thanks for working on this, it is most appreciated, I'm a big fan of 
Dovecot!






Joe Auty 
September 24, 2012 3:03 PM


Timo Sirainen 
September 24, 2012 10:32 AM

Well, the good news is that it crashes only after it has already 
disconnected the client anyway. But I thought I fixed this bug in 
v2.1.10 and I'm not able to reproduce it myself.. Having debugging 
information available might show something useful. Try installing 
dovecot-dbg package and getting the bt full again?


Thanks Timo, I have done so. Here are the results of my debugging info 
now:


 gdb /usr/lib/dovecot/imap-login /var/run/dovecot/login/core
GNU gdb (GDB) 7.0.1-debian
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 


This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show 
copying"

and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
...
Reading symbols from /usr/lib/dovecot/imap-login...Reading symbols from /usr/lib/debug/usr/lib/dovecot/imap-login...done.
(no debugging symbols found)...done.

warning: Can't read pathname for load map: Input/output error.
Reading symbols from /usr/lib/dovecot/libdovecot-login.so.0...Reading symbols from /usr/lib/debug/usr/lib/dovecot/libdovecot-login.so.0.0.0...done.
(no debugging symbols found)...done.
Loaded symbols for /usr/lib/dovecot/libdovecot-login.so.0
Reading symbols from /usr/lib/dovecot/libdovecot.so.0...Reading symbols from /usr/lib/debug/usr/lib/dovecot/libdovecot.so.0.0.0...done.
(no debugging symbols found)...done.
Loaded symbols for /usr/lib/dovecot/libdovecot.so.0
Reading symbols from /lib/libc.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /usr/lib/libssl.so.0.9.8...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libssl.so.0.9.8
Reading symbols from /usr/lib/libcrypto.so.0.9.8...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libcrypto.so.0.9.8
Reading symbols from /lib/librt.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/librt.so.1
Reading symbols from /lib/libdl.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /lib64/ld-linux-x86-64.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
Reading symbols from /usr/lib/libz.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libz.so.1
Reading symbols from /lib/libpthread.so.0...(no debugging symbols found)...done.
Loaded symbols for /lib/libpthread.so.0
Core was generated by `dovecot/imap-login   ?'.
Program terminated with signal 11, Segmentation fault.
#0  hash_table_destroy (_table=0x28) at hash.c:106
106	hash.c: No such file or directory.
	in hash.c
(gdb) bt full
#0  hash_table_destroy (_table=0x28) at hash.c:106
        table = <value optimized out>
#1  0x7ff300721054 in settings_parser_deinit (_ctx=<value optimized out>) at settings-parser.c:237
        ctx = 0x0
#2  0x7ff30074633d in master_service_settings_cache_deinit (_cache=<value optimized out>)
    at master-service-settings-cache.c:86
        cache = 0x9f9a60
        entry = 0xa016e0
        next = 0x0
        __FUNCTION__ = "master_service_settings_cache_deinit"
#3  0x7ff3009a5018 in main_deinit (binary=<value optimized out>, argc=2, argv=0x9f8370) at main.c:355
No locals.
#4  login_binary_run (binary=<value optimized out>, argc=2, argv=0x9f8370) at main.c:407
        set_pool = 0x9f8a30
        allow_core_dumps = <value optimized out>
        login_socket = <value optimized out>
        c = <value optimized out>
#5  0x7ff3003c0c8d in __libc_start_main () from /lib/libc.so.6
No symbol table info available.
#6  0x00402459 in _start ()
No symbol table info available.
(gdb)





Joe Auty 
September 23, 2012 7:05 AM


Timo Sirainen 
September 23, 2012 5:58 AM


You should have a similar log line about the crash in mail.log (or 
wherever "doveadm log find" says that errors get logged). Find those 
lines, then configure login processes to dump core files. This 
probably should work:


service imap-login {
executable = imap-login -D
}

Next time it crashes hopefully you'll have 
/var/run/dovecot/login/core* file(s). Get a gdb backtrace from it 
send it:


gdb /usr/lib/dovecot/imap-login /var/run/dovecot/login/core
bt full


I hope I'm doing this correctly!

# gdb /usr/lib/dovecot/imap-login /v

[Dovecot] [PATCH] Add SCRAM-SHA-1 password scheme

2012-10-02 Thread Florian Zeitz
Hello,

attached is an hg export on top of the current dovecot-2.2 branch, which
adds support for a SCRAM-SHA-1 password scheme.

Ideally I'd want doveadm pw's rounds flag to apply to this, but that's
currently specific to the crypt password scheme, so I left it out for now.

Regards,
Florian Zeitz
# HG changeset patch
# User Florian Zeitz 
# Date 1348017219 -7200
# Node ID 21a0d1b4daa7bb924f1666f0bb7c7e697a19c950
# Parent  8802322d72573ee17c52ce5e972e77e6f8ad69d1
auth: Add and use SCRAM-SHA-1 password scheme

diff --git a/src/auth/Makefile.am b/src/auth/Makefile.am
--- a/src/auth/Makefile.am
+++ b/src/auth/Makefile.am
@@ -44,6 +44,7 @@
password-scheme.c \
password-scheme-crypt.c \
password-scheme-md5crypt.c \
+   password-scheme-scram.c \
password-scheme-otp.c \
password-scheme-rpa.c
 
diff --git a/src/auth/mech-scram-sha1.c b/src/auth/mech-scram-sha1.c
--- a/src/auth/mech-scram-sha1.c
+++ b/src/auth/mech-scram-sha1.c
@@ -1,11 +1,13 @@
 /*
  * SCRAM-SHA-1 SASL authentication, see RFC-5802
  *
- * Copyright (c) 2011 Florian Zeitz 
+ * Copyright (c) 2011-2012 Florian Zeitz 
  *
  * This software is released under the MIT license.
  */
 
+#include 
+
 #include "auth-common.h"
 #include "base64.h"
 #include "buffer.h"
@@ -29,45 +31,22 @@
 
/* sent: */
const char *server_first_message;
-   unsigned char salt[16];
-   unsigned char salted_password[SHA1_RESULTLEN];
+   const char *snonce;
 
/* received: */
const char *gs2_cbind_flag;
const char *cnonce;
-   const char *snonce;
const char *client_first_message_bare;
const char *client_final_message_without_proof;
buffer_t *proof;
+
+   /* stored */
+   buffer_t *stored_key;
+   buffer_t *server_key;
 };
 
-static void Hi(const unsigned char *str, size_t str_size,
-  const unsigned char *salt, size_t salt_size, unsigned int i,
-  unsigned char result[SHA1_RESULTLEN])
-{
-   struct hmac_context ctx;
-   unsigned char U[SHA1_RESULTLEN];
-   unsigned int j, k;
-
-   /* Calculate U1 */
-   hmac_init(&ctx, str, str_size, &hash_method_sha1);
-   hmac_update(&ctx, salt, salt_size);
-   hmac_update(&ctx, "\0\0\0\1", 4);
-   hmac_final(&ctx, U);
-
-   memcpy(result, U, SHA1_RESULTLEN);
-
-   /* Calculate U2 to Ui and Hi */
-   for (j = 2; j <= i; j++) {
-   hmac_init(&ctx, str, str_size, &hash_method_sha1);
-   hmac_update(&ctx, U, sizeof(U));
-   hmac_final(&ctx, U);
-   for (k = 0; k < SHA1_RESULTLEN; k++)
-   result[k] ^= U[k];
-   }
-}
-
-static const char *get_scram_server_first(struct scram_auth_request *request)
+static const char *get_scram_server_first(struct scram_auth_request *request,
+ int iter, const char *salt)
 {
unsigned char snonce[SCRAM_SERVER_NONCE_LEN+1];
string_t *str;
@@ -84,12 +63,9 @@
snonce[sizeof(snonce)-1] = '\0';
request->snonce = p_strndup(request->pool, snonce, sizeof(snonce));
 
-   random_fill(request->salt, sizeof(request->salt));
-
-   str = t_str_new(MAX_BASE64_ENCODED_SIZE(sizeof(request->salt)));
-   str_printfa(str, "r=%s%s,s=", request->cnonce, request->snonce);
-   base64_encode(request->salt, sizeof(request->salt), str);
-   str_printfa(str, ",i=%d", SCRAM_ITERATE_COUNT);
+   str = t_str_new(sizeof(snonce));
+   str_printfa(str, "r=%s%s,s=%s,i=%d", request->cnonce, request->snonce,
+   salt, iter);
return str_c(str);
 }
 
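Review bot: `s=%s` now interpolates `salt` verbatim where the removed code base64-encoded `request->salt` in place, so the caller must hand over the already-base64 salt from the stored credential; that contract deserves a comment on the parameter, because a raw binary salt would silently produce a wire message the client cannot parse. `t_str_new(sizeof(snonce))` is only an initial size hint and is harmless, but it no longer reflects the content (cnonce, snonce, salt and iter).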
@@ -105,15 +81,8 @@
request->server_first_message, ",",
request->client_final_message_without_proof, NULL);
 
-   hmac_init(&ctx, request->salted_password,
- sizeof(request->salted_password), &hash_method_sha1);
-   hmac_update(&ctx, "Server Key", 10);
-   hmac_final(&ctx, server_key);
-
-   safe_memset(request->salted_password, 0,
-   sizeof(request->salted_password));
-
-   hmac_init(&ctx, server_key, sizeof(server_key), &hash_method_sha1);
+   hmac_init(&ctx, request->server_key->data, request->server_key->used,
+ &hash_method_sha1);
hmac_update(&ctx, auth_message, strlen(auth_message));
hmac_final(&ctx, server_signature);
 
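Review bot: with `salted_password` gone, the `safe_memset()` that wiped it is gone too, and nothing in this hunk wipes `request->server_key` (or `stored_key`) after use; whoever frees the request should clear those buffers, since `server_key` alone is enough to produce valid server signatures for this user. Keying the signature HMAC directly on `request->server_key->data`/`used` is otherwise correct and removes the second derivation step.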
@@ -211,8 +180,7 @@
return TRUE;
 }
 
-static bool verify_credentials(struct scram_auth_request *request,
-  const unsigned char *credentials, size_t size)
+static bool verify_credentials(struct scram_auth_request *request)
 {
struct hmac_context ctx;
const char *auth_message;
@@ -221,54 +189,76 @@
unsigned char stored_key[SHA1_RESULTLEN];
size_t i;
 
-   /* FIXME: credentials should be SASLprepped UTF8 data here */
-   Hi(credentials, size, request->salt, sizeof(request->salt),
-  
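Review bot: the removed `FIXME: credentials should be SASLprepped UTF8 data here` disappears together with the `Hi()` call, but moving to stored keys only relocates the problem: whatever generates the stored credential must SASLprep the password, or the FIXME should move there. The local `unsigned char stored_key[SHA1_RESULTLEN]` is kept while the struct now carries `buffer_t *stored_key`; the rest of this hunk is cut off here, so check that the local still holds the freshly computed H(ClientKey) that is compared against `request->stored_key` rather than being a stale leftover.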

Re: [Dovecot] Syntax for doveadm auth cache

2012-10-02 Thread Timo Sirainen
On 2.10.2012, at 11.41, Angel L. Mateo wrote:

>   I've been doing some more tests with this problem I have (I need to 
> solve it because I'm planning to migrate mailboxes from maildir to mdbox and 
> I need to change mail_location for my users without rebooting the server).

You could flush the whole cache also.

>   I think I have found the source of the problem, although I don't know 
> how to fix it. The problem is that I have different results if I ask for user 
> information with just the login or with the whole email:

Flush both the user and user@domain entries?



Re: [Dovecot] Dovecot deliver Segmentation fault when arrive the first message

2012-10-02 Thread Timo Sirainen
On 2.10.2012, at 22.28, Timo Sirainen wrote:

> On 19.9.2012, at 16.07, Alessio Cecchi wrote:
> 
>> #1  0x7f2fc9fc41b4 in acl_backend_vfile_acllist_try_rebuild (
>>   backend=0x1944240) at acl-backend-vfile-acllist.c:297
> 
> This backtrace is rather weird. Could you also do (instead of bt full):

Also, can you reproduce the crash always by running "doveadm quota recalc -u 
user@domain"?



Re: [Dovecot] segfault in Debian Squeeze + Dovecot 2.1.10

2012-10-02 Thread Timo Sirainen
On 24.9.2012, at 22.03, Joe Auty wrote:

> #2  0x7ff30074633d in master_service_settings_cache_deinit (_cache=<optimized out>)
>at master-service-settings-cache.c:86

Fixed: http://hg.dovecot.org/dovecot-2.1/rev/e29b627219b3



Re: [Dovecot] Problem with process_limit

2012-10-02 Thread Timo Sirainen
On 1.10.2012, at 12.15, FABIO FERRARI wrote:

> Occasionally, it happens that the dovecot.log shows this line:
> master: Warning: service(imap): process_limit reached, client connections
> are being dropped
..
> Then, I edited the file /etc/dovecot/conf.d/10-master.conf and set the line
> process_limit = 1500

But did you set it inside service imap {}? All of the services have a 
process_limit parameter.



Re: [Dovecot] bug formatting results when using doveadm-server

2012-10-02 Thread Timo Sirainen
On 26.9.2012, at 13.55, Angel L. Mateo wrote:

> doveadm search -S /var/run/dovecot/auth-userdb -u ${user} SAVEDSINCE 5w | 
> while read guid uid; do
>   doveadm fetch -S /var/run/dovecot/auth-userdb -u ${user} size.physical 
> mailbox-guid $guid uid $uid;
> done

-S auth-userdb? You've named it completely wrong if that works :)

>   The problem is that although when I run doveadm search command in the 
> backend server I correctly get the list of mails, each line with the 
> mailbox-guid and the uid of the message, when I run the same command in the 
> director server, format of the list is corrupted and there are lines that 
> contains just the mailbox-guid and the next the uid (of the previous) and the 
> mailbox-guid of next, and so on. Like:
> 
> e62e0d3834ed094e5c797efb8a67 66
> e62e0d3834ed094e5c797efb8a67 71
> e62e0d3834ed094e5c797efb8a67 74
> e62e0d3834ed094e5c797efb8a67
> 75 e62e0d3834ed094e5c797efb8a67
> 77 e62e0d3834ed094e5c797efb8a67
> 78 e62e0d3834ed094e5c797efb8a67

Thanks, fixed: http://hg.dovecot.org/dovecot-2.1/rev/94c7e875f9b9



Re: [Dovecot] About ManageSieve and TLS

2012-10-02 Thread Stephan Bosch

On 10/2/2012 8:45 PM, 3.lis...@adminlinux.com.br wrote:

Hi,

I have a "ubuntu10.04 + dovecot-2.0.13" configuration in my server. It 
works fine with ~50k accounts.


Recently I enabled TLS:
$ cat /etc/dovecot/dovecot.conf
...
# Use SSL ?
ssl = yes
...

The goal was to provide only IMAPS and POP3S. But Managesieve says 
"STARTTLS":

$ telnet _MY_IP_ 2000
Trying _MY_IP_...
Connected to _MY_IP_.
Escape character is '^]'.
"IMPLEMENTATION" "K8 ManageSieve"
"SIEVE" "comparator-i;ascii-numeric copy envelope fileinto imapflags 
include notify regex reject relational subaddress vacation"

"SASL" "PLAIN LOGIN"
"STARTTLS"
"VERSION" "1.0"
OK "K8 IMAP/POP3 server"

I think there is something wrong there but I don't know. I think 
Managesieve should not say "STARTTLS".

Can someone help me?


The STARTTLS capability means that ManageSieve is prepared to accept a 
STARTTLS command that invokes the TLS handshake. Basically, the protocol 
starts in plaintext and switches to a TLS/SSL secured channel once the 
STARTTLS command is issued. However, the client can also choose not to 
use it. Therefore, it really shouldn't influence whether ManageSieve 
works properly (unless the client messes up TLS somehow).


If you really want to, you can disable TLS for ManageSieve specifically 
by putting ssl=no inside the protocol sieve {} section.


Regards,

Stephan.
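
The plaintext greeting quoted above, parsed and assessed as an added example (this is not Stephan's code nor Dovecot/Pigeonhole code): a parser for the ManageSieve capability list, plus a check reporting what the server offers before any credentials are sent, i.e. whether STARTTLS is advertised and which SASL mechanisms are listed on the unencrypted port. The greeting is constructed from the one in the thread; no host is contacted.

```python
import re

# Constructed sample greeting, modelled on the one quoted in the thread
# (lines are what the server sends on connect; nothing is contacted).
SAMPLE_GREETING = (
    '"IMPLEMENTATION" "K8 ManageSieve"\r\n'
    '"SIEVE" "comparator-i;ascii-numeric copy envelope fileinto imapflags '
    'include notify regex reject relational subaddress vacation"\r\n'
    '"SASL" "PLAIN LOGIN"\r\n'
    '"STARTTLS"\r\n'
    '"VERSION" "1.0"\r\n'
    'OK "K8 IMAP/POP3 server"\r\n'
)

# A ManageSieve quoted string: double quotes, backslash escapes inside.
_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_greeting(text):
    """Parse the capability greeting into ({NAME: value}, ok_message).

    Each capability line is a quoted name with an optional quoted value;
    the list ends with an OK response. Raises ValueError otherwise.
    """
    caps = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:            # tolerate wrapped/blank lines as on the page
            continue
        if line.startswith("OK"):
            m = _QUOTED.search(line)
            return caps, (m.group(1) if m else "")
        if line.startswith(("NO", "BYE")):
            raise ValueError("server rejected the session: " + line)
        parts = _QUOTED.findall(line)
        if not parts:
            raise ValueError("malformed capability line: " + line)
        caps[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    raise ValueError("greeting ended without an OK response")


def assess(caps, over_tls=False):
    """What the greeting offers before any credentials are sent.

    On a plaintext connection the SASL mechanisms listed here are usable
    without STARTTLS if the client chooses not to upgrade, which is the
    point Stephan makes above.
    """
    sasl = caps.get("SASL", "").split()
    return {
        "starttls_offered": "STARTTLS" in caps,
        "sasl_before_tls": [] if over_tls else sasl,
        "sieve_extensions": caps.get("SIEVE", "").split(),
    }
```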


Re: [Dovecot] Dovecot deliver Segmentation fault when arrive the first message

2012-10-02 Thread Timo Sirainen
On 19.9.2012, at 16.07, Alessio Cecchi wrote:

> #1  0x7f2fc9fc41b4 in acl_backend_vfile_acllist_try_rebuild (
>backend=0x1944240) at acl-backend-vfile-acllist.c:297

This backtrace is rather weird. Could you also do (instead of bt full):

fr 1
p *ns
p *ns.user
p *auser

It crashes because auser->dict = NULL, but it should never be NULL.



Re: [Dovecot] Spurious " Renaming not supported across conflicting directory permissions"

2012-10-02 Thread Timo Sirainen
On 22.9.2012, at 15.04, tlhackque wrote:

> Dovecot 2.1.10
> Client = Thunderbird.  Local disks.  mbox format.
> 
> Attempted to rename a folder, failed with:
> 
>  CANNOT Renaming not supported across conflicting directory permissions

Fixed: http://hg.dovecot.org/dovecot-2.1/rev/83695d6d41aa



[Dovecot] About ManageSieve and TLS

2012-10-02 Thread 3.lis...@adminlinux.com.br

Hi,

I have a "ubuntu10.04 + dovecot-2.0.13" configuration in my server. It 
works fine with ~50k accounts.


Recently I enabled TLS:
$ cat /etc/dovecot/dovecot.conf
...
# Use SSL ?
ssl = yes
...

The goal was to provide only IMAPS and POP3S. But Managesieve says 
"STARTTLS":

$ telnet _MY_IP_ 2000
Trying _MY_IP_...
Connected to _MY_IP_.
Escape character is '^]'.
"IMPLEMENTATION" "K8 ManageSieve"
"SIEVE" "comparator-i;ascii-numeric copy envelope fileinto imapflags 
include notify regex reject relational subaddress vacation"

"SASL" "PLAIN LOGIN"
"STARTTLS"
"VERSION" "1.0"
OK "K8 IMAP/POP3 server"

doveconf -a shows:
service managesieve-login {
...
  inet_listener sieve {
address = _MY_IP_
port = 4190
ssl = no
  }
  inet_listener sieve_deprecated {
address = _MY_IP_
port = 2000
ssl = no
  }
...
}

I think there is something wrong there but I don't know. I think 
Managesieve should not say "STARTTLS".

Can someone help me?

Thanks.

--
Thiago Henrique
adminlinux.com.br



Re: [Dovecot] noisy auth-worker messages in logs (dovecot 2.1.8 FreeBSD)

2012-10-02 Thread Timo Sirainen
On 24.9.2012, at 21.41, Philippe Chevalier wrote:

> As for the ldap message, it errors if there's no domain in the login.
> 
> In the doc, it says that %d is empty if there's no domain part. So I
> guess it's an enhancement request : a configuration option to have it
> filled out with a default domain if there's no one supplied by the
> client.


Maybe this is enough?

auth_bind_userdn = dc=%Du,ou=Domains,ou=Mail,dc=dspnet,dc=fr

See %D in http://wiki2.dovecot.org/Variables


Re: [Dovecot] LTMP Proxy failure fix/hack

2012-10-02 Thread Timo Sirainen
On 28.9.2012, at 23.29, Jack Bates wrote:

> On 9/28/2012 3:12 PM, Jack Bates wrote:
>> 
>> Code needs to be written to handle the special case of us not having any 
>> proxy callbacks as they are all bad.
>> 
> 
> 
> Timo, please check and approve. This was diff'd on 2.1.10 on my test server 
> (2.1.9 and 2.1.10 at least had this callback issue).
> 
> *** lmtp-proxy.c-orig   2012-09-28 20:17:36.138916678 +
> --- lmtp-proxy.c2012-09-28 20:18:12.241940780 +
> ***
> *** 300,303 
> --- 300,304 
>lmtp_client_send(conn->client, conn->data_input);
>lmtp_client_send_more(conn->client);
>}
> +   lmtp_proxy_try_finish(proxy);
>  }
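Review bot: the added `lmtp_proxy_try_finish(proxy);` runs after the send loop on every call, not only in the "no usable proxy callbacks" case the description names; that is fine only if `lmtp_proxy_try_finish()` is a no-op while connections are still pending, since the callbacks will reach it again later, so confirm it cannot finish the proxy early or twice. A one-line comment stating why the call is needed at this point would help the next reader.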

Looks ok. Added: http://hg.dovecot.org/dovecot-2.1/rev/38727d3e90ec



Re: [Dovecot] Antispam plugin problem (CRM114)

2012-10-02 Thread Davide
I'm unable to get any output to syslog or to Dovecot's other log files 
about the plugin problem. If I use the test server the output is this:


Oct  2 10:38:34 debnew imap: antispam: mailbox_is_unsure(SPAM): 0
Oct  2 10:38:34 debnew imap: antispam: mailbox_is_trash(INBOX): 0
Oct  2 10:38:34 debnew imap: antispam: mailbox_is_trash(SPAM): 0
Oct  2 10:38:34 debnew imap: antispam: mail copy: from trash: 0, to trash: 0
Oct  2 10:38:34 debnew imap: antispam: mailbox_is_spam(INBOX): 0
Oct  2 10:38:34 debnew imap: antispam: mailbox_is_spam(SPAM): 1
Oct  2 10:38:34 debnew imap: antispam: mailbox_is_unsure(INBOX): 0
Oct  2 10:38:34 debnew imap: antispam: mail copy: src spam: 0, dst spam: 
1, src unsure: 0
Oct  2 10:38:34 debnew imap: antispam: /usr/local/bin/piper_log.sh 
--spam -u /home/vpopmail/domains/mail.cgilfe.it/davide.marchi 
--fileprefix=/opt/crm114/
and this is correct, but Thunderbird still says [CANNOT] Failed to call 
reaver



Il 01/10/2012 14:04, Eugene Paskevich ha scritto:

On Mon, 01 Oct 2012 14:48:31 +0300, Davide
 wrote:


Can i attach compressed log in a post?


If it's of the sane size :-)
But I'm actually interested in the output which was triggered by the
mail move itself.


I can produce output by replacing the crm binary with a bash script that outputs
the command, user etc.


Wait a second... So the script is run correctly but reaver isn't?
That probably means that either reaver dislikes its arguments or its
stdin...



Re: [Dovecot] Syntax for doveadm auth cache

2012-10-02 Thread Angel L. Mateo

Hello,

	I've been doing some more tests with this problem I have (I need to 
solve it because I'm planning to migrate mailboxes from maildir to mdbox 
and I need to change mail_location for my users without rebooting the 
server).


	I think I have found the source of the problem, although I don't know 
how to fix it. The problem is that I have different results if I ask for 
user information with just the login or with the whole email:


root@myotis30:/etc/dovecot/conf.d# doveadm user angel.l...@um.es
userdb: angel.l...@um.es
  mail  : mdbox:/home/alumnos/46/113246/mdbox:INDEX=/var/indexes/mdbox/angel.luis
  home  : /home/alumnos/46/113246
  uid   : 113246
  gid   : 1001
  quota_rule: *:storage=10G
root@myotis30:/etc/dovecot/conf.d# doveadm user angel.luis
userdb: angel.luis
  home  : /home/alumnos/46/113246
  uid   : 113246
  gid   : 1001
  quota_rule: *:storage=10G

	I guess I'm using different keys depending on the user database used. I 
have configured three user databases, one for master-password, one for a 
ldap server and the other with pam (I need it because my webmail users 
authenticate in my SSO system through PAM).


This is my config:

passdb {
  driver = passwd-file
  master = yes
  args = /etc/dovecot/master-users

  # Unless you're using PAM, you probably still want the destination user to
  # be looked up from passdb that it really exists. pass=yes does that.
  pass = yes
}

passdb {
  driver = pam
  # [session=yes] [setcred=yes] [failure_show_msg=yes] [max_requests=]
  # [cache_key=] []
  #args = dovecot
  args = session=yes cache_key=%n dovecot
}

passdb {
  driver = ldap

  # Path for LDAP configuration file, see example-config/dovecot-ldap.conf.ext
  args = /etc/dovecot/dovecot-ldap.conf.ext
}

# "prefetch" user database means that the passdb already provided the
# needed information and there's no need to do a separate userdb lookup.
# 
userdb {
  driver = prefetch
}

userdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext

  # Default fields can be used to specify defaults that LDAP may override
  #default_fields = home=/home/virtual/%u
}

	In my ldap configuration, I have a filter that looks for the uid of the 
user or the whole email:


user_filter = (&()(|(uid=%u)(mail=%u)))

	I need this, because I have users that authenticate with just his/her 
login, not the complete email address.


How can I unify those entries, so they use always just the login as key?

El 18/09/12 18:31, Timo Sirainen escribió:

On 18.9.2012, at 9.59, Angel L. Mateo wrote:


So I'm running this command. Whenever I run it, I get the message that 
3 (sometimes 4) entries are removed, but user information isn't really 
reloaded and I doubt it is really removed from cache (I have the user in a 
passwd-file and information used by imap processes is still the old one, not the 
new one, changed before the flush)


Works in my tests.


Is this cache the same as the user information cache?


Yes.


The parameter of the user I want to change is his quota, so I have 
modified the quota value in my ldap directory, then I run:

doveadm auth cache flush 


What is your doveconf -n output and the dovecot-ldap.conf contents? Is  
with or without @domain? Also try this:

doveadm auth cache flush foo # make sure it isn't there
doveadm user foo
doveadm auth cache flush foo

Does the second flush return 1 or 0 entries? If 0, then there's a problem. If 
1, then it really should have worked.

You could try also if disabling userdb prefetch makes any difference. And if 
you still have multiple userdb try with only one.



# 2.1.9: /etc/dovecot/dovecot.conf
# OS: Linux 3.4.0-030400-generic x86_64 Ubuntu 12.04.1 LTS 
auth_cache_size = 20 M
auth_cache_ttl = 1 days
auth_debug = yes
auth_master_user_separator = *
auth_verbose = yes
default_process_limit = 1000
disable_plaintext_auth = no
log_timestamp = %Y-%m-%d %H:%M:%S
login_trusted_networks = 155.54.211.176/28
mail_debug = yes
mail_location = maildir:~/Maildir:INDEX=/var/indexes/%n
mail_plugins = quota
mail_privileged_group = mail
maildir_very_dirty_syncs = yes
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character 
vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy 
include variables body enotify environment mailbox date ihave imapflags
mdbox_rotate_size = 20 M
namespace {
  inbox = yes
  location = 
  prefix = 
  separator = .
}
namespace {
  hidden = yes
  list = no
  location = maildir:~/Maildir/expunged
  prefix = BORRADOS.
  separator = .
}
passdb {
  args = /etc/dovecot/master-users
  driver = passwd-file
  master = yes
  pass = yes
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
passdb {
  args = session=yes cache_key=%n dovecot
  driver = pam
}
plugin {
  lazy_expunge = BORRADOS.
  quota = dict:User quota::file:%h/Maildir/dovecot.quota
  quota_exceeded_message = El mensaje no se
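
The two-entries problem Angel describes in this message, worked through as an added example that is neither his code nor Dovecot's: a toy expander for the %-variables used in passdb cache_key settings, showing why a passdb keyed with cache_key=%n and one keyed on the full login (%u, assumed here purely for illustration) produce one and two cache entries for the same person, and therefore which keys a flush has to name. The logins are constructed placeholders.

```python
"""
Added example, not code from the thread or from Dovecot: a toy expander
for the %-variables used in passdb cache_key settings. Only %u, %n, %d
and %% are implemented (Dovecot supports many more).
"""


def split_user(user):
    """Return (local part, domain) for a login; domain is '' when absent."""
    if "@" in user:
        local, domain = user.split("@", 1)
        return local, domain
    return user, ""


def expand(template, user):
    """Expand %u (login as given), %n (local part), %d (domain), %% (literal %)."""
    local, domain = split_user(user)
    values = {"u": user, "n": local, "d": domain}
    out = []
    i = 0
    while i < len(template):
        ch = template[i]
        if ch != "%":
            out.append(ch)
            i += 1
            continue
        if i + 1 >= len(template):
            raise ValueError("dangling % at end of template")
        var = template[i + 1]
        if var == "%":
            out.append("%")
        elif var in values:
            out.append(values[var])
        else:
            raise ValueError(f"unsupported variable %{var}")
        i += 2
    return "".join(out)


def cache_entries(cache_key_template, logins):
    """Cache key each login produces; distinct keys are distinct cache entries."""
    return {login: expand(cache_key_template, login) for login in logins}


def keys_to_flush(cache_key_template, logins):
    """Every key 'doveadm auth cache flush <key>' must be given to drop them all."""
    return set(cache_entries(cache_key_template, logins).values())


# Constructed sample logins (placeholders, not the addresses in the thread).
LOGINS = ["jdoe", "jdoe@example.com"]

if __name__ == "__main__":
    for template in ("%n", "%u"):  # cache_key=%n vs keying on the full login
        print(template, cache_entries(template, LOGINS), "flush:", keys_to_flush(template, LOGINS))
```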