Re: [Dovecot] some questions on dovecot or rather a mail system setup

2012-10-09 Thread Robert Schetterer
Am 08.10.2012 23:37, schrieb Christoph Anton Mitterer:

 
 
> - Apart from spam, I never delete mail; and because I'm subscribed to
> many lists, I get a lot of mail.
>
> - Storage on my server is limited and it's located somewhere at my ISP,
> so I generally do not trust it with respect to safety...
> For both reasons, I want the canonical archive of all mail to be at home
> at some local server.



Sorry, your question is very complex; try to
ask something simpler.

There are many tools which may help you:

bcc_copy with postfix
imapsync
rsync
dsync
getmail

You may use filters too,
like sieve, maildrop, procmail etc.

In the end that should solve nearly all of what you are aiming for.

It's not that much a dovecot question; it depends more on
whether you find the general layout which fits best to your ideas.

However, there is no magical imap/pop3 server more flexible
to configure than dovecot; if your ideas don't work with it, your ideas
are broken.


-- 
Best Regards
MfG Robert Schetterer


Re: [Dovecot] some questions on dovecot or rather a mail system setup

2012-10-09 Thread Stan Hoeppner
On 10/8/2012 4:37 PM, Christoph Anton Mitterer wrote:

The proper way to accomplish your goals, or at least the big ones.

> - I generally want to have _all_ mail (which is not sorted out because
> of being spam) to be archived at the local server.

http://www.postfix.org/postconf.5.html#always_bcc

> - But(!) I want to selectively keep (in addition) mail at the internet
> server.
> For example I may want to select the folder that contains all mail from
> some friend to be kept online completely.

See above.

> But I may want to decide that mailinglists keep only the last 10 days
> and/or 1000 messages of mail.

http://wiki2.dovecot.org/Plugins/Expire

Does age based deletion, but not folder message count based.  You must
use your MUA, TBird, for the latter.  It's far easier to configure this
in TBird than in Dovecot config files.  You seem like the type who wants
flexibility so you can change things often, so use TBird to be happy here.

> - The idea is, that the local server regularly (when it is
> online/running) catches new mail from the internet server... and stores
> it in the archive.

This is not an option.  The system must be up and connected to the
internet 24x7x365.  It must have an MX record associated and a valid
domain, or a VPN tunnel and entries in both systems hosts files, along
with a Postfix transport table, and other tweaks.

http://www.postfix.org/transport.5.html

If you refuse to run this local server 24x7x365 then you will have to
use a fetchmail based solution, which will not work well, and whose
configuration will prompt you to kill yourself.  I cannot help you with
any of that.

> - So apart from new mail that has not yet been read, that local archive
> contains always all mails that are also on the internet server... the
> latter may contain (for specific directories) the same, or just parts of.

No.  Mail arriving at the colo/VPS host is immediately sent to the
always_bcc address, an address and mailbox on your home server.  You
will create a duplicate IMAP folder structure on the home server by hand
in your MUA.  Once this is completed you will write individual user
sieve scripts that sort the mail into folders just as it is sorted on the
colo/VPS server.  Basically, home server Dovecot IMAP config is
identical in structure to colo/VPS setup, only the mailbox account
names differ.  Folder tree, folders, sieve scripts identical, retention
policy different.

> - The MUAs will then have two imap accounts, one to the internet server
> and one to the local archive,... each one being usable, depending on
> where I am.

Yep.

 
 
> 1) This is where my first problem arises:
> How can I implement that mail flow, especially:
> - How do I secure that all mail is read from the internet server (i.e.
> that nothing is forgotten)?

Done:  always_bcc

> - How do I make sure that no mails are retrieved twice (or more)? A
> problem which I often had with pop, when the mail client crashed during
> sync?

Done:  always_bcc

> - Further it must be secured, that when I delete something on the
> internet server, it is NOT deleted on the local server (on the next
> mail-fetching); this is why I don't use the word sync.

Done:  always_bcc

> a) One stupid solution would be, that I duplicate all mail on the online
> server,... one part is for staying online, one part is for being fetched
> to the local archive.

Done:  always_bcc

And yes that is stupid.

> As soon as it was fetched... that copy gets removed (always).
> That solution would give a clean and secured separation of both?
> b) I don't think offlineimap or any other caching-like solution is the
> right thing... especially as one must always fear that such a cache may
> be accidentally wiped.
>
> Are there better solutions than (a)?

Yes.  Already done:  always_bcc

> 2) Problem would be already a refinement of a working solution for (1)
> (but obviously not when using (1).(a) ).
> When I e.g. reply to or forward a mail using the online server,... and
> that mail had already been fetched,... can I make the flag synced?

No.  Your stated goal is that the local server is a mail archive put
into service due to limited space on your colo/VPS server.  An archive
is an archive, not a secondary online server.  It should only be
accessed, read only, when you want to search and read an old message.
And in fact, since this is an archive, you should implement the zlib
plugin with dbox so all this archived mail is compressed in real time.

Make up your mind.  You can't have it both ways.  I hear the iPhone5 can
do anything automatically, no setup.  Get one of those, problem solved. ;)

> 3) Is dovecot suitable for the local server?

Yes.  Probably more than any other IMAP server.

> - I couldn't use maildir locally, because I lose just too much space to
> the block fragmentation.

Maildir causes the least filesystem fragmentation.  You must be thinking
of mbox, which causes heavy fragmentation due to constant appends past
EOF.  As I said you need dbox.  One email per file, similar to maildir,
but 

Re: [Dovecot] some questions on dovecot or rather a mail system setup

2012-10-09 Thread Stan Hoeppner
On 10/9/2012 2:57 AM, Stan Hoeppner wrote:

> http://www.postfix.org/postconf.5.html#always_bcc

Correction.  In your case you'll need to use:

http://www.postfix.org/postconf.5.html#recipient_bcc_maps

Because you said you only want to archive email for some users, not
simply all mail received by the colo/VPS server.

-- 
Stan



[Dovecot] Quota - usage counting.

2012-10-09 Thread wamp
Hello,

I use dovecot version 1.2 with postfix virtual users and mysql. All
information about the quota for every user is in a mysql table.
How does dovecot compare the quota in the database against the usage of
the /var/vmail/exampleuser directory?

Does it use something like the du command?


regards,
Wamp





Re: [Dovecot] Quota - usage counting.

2012-10-09 Thread Tibby
Do you actually have a Guide?
How did you set up quota from MySQL?
I'm having an issue getting it working.
Can you share your dovecot.conf and dovecot-sql.conf?

What's the user_query in your dovecot-sql.conf ?

Thank you!





Re: [Dovecot] Quota - usage counting.

2012-10-09 Thread wamp
Hi
> Do you actually have a Guide?
No, I read some docs like http://www.serverubuntu.it/postfix-dovecot-guide


> How did you set up quota from MySQL?
> I'm having an issue getting it working.
> Can you share your dovecot.conf and dovecot-sql.conf?
>
> What's the user_query in your dovecot-sql.conf ?

I can't make it work, so I need information about the general idea of how
these values should be compared. Where is the info about the actual size of the maildir?

regards,











Re: [Dovecot] LDAP encryption

2012-10-09 Thread James Devine
I don't think I understand.  Right now the problem is the password
retrieved from LDAP cannot be hashed to compare against what the user sent
because it is encrypted.  I have to perform my AES decryption before it can
be hashed and compared.

On Tue, Oct 9, 2012 at 1:03 PM, btb b...@bitrate.net wrote:

> On 2012.10.09 14.41, James Devine wrote:
>
>> We have an LDAP server that contains AES encrypted passwords.  So far I've
>> been able to use this by adding a passdb module that encrypts the user's
>> password prior to ldap comparison.  Now I am looking at supporting
>> client-side encrypted passwords.  To do this I need to decrypt the password
>> returned by LDAP.  Is there a way to insert a module to do this decryption
>> between ldap returning and the auth mechanism?
>
> that would be unwise, generally speaking.  as a rule of thumb, in terms
> of security fundamentals, only the rootdn [or equiv] should be able to read
> the values in an ldap entry's password attribute.  certainly the service
> account used by dovecot should not.
>
> in the context of ldap, authentication should be accomplished by binding
> as the user, not by retrieving attribute values and performing string
> comparisons.  among other things, this decouples the two components and
> allows applications [e.g. dovecot] to be unconcerned with whatever password
> hashing scheme the directory server might be using.
>
> -ben



Re: [Dovecot] LDAP encryption

2012-10-09 Thread James Devine
Here is an example of the problem:

Oct  9 13:19:53 smtp-outgoing2 dovecot: auth: Debug:
password(u...@domain.tld,192.168.160.49): Generating NTLM from user
'u...@domain.tld@', password 'IfBG6G3jykirE5r5vienC4w=='
Oct  9 13:19:53 smtp-outgoing2 dovecot: auth: Debug:
password(u...@domain.tld,192.168.160.49): Credentials:
f124dc24328ed3d90db035f0d5284636

The listed password is a base64 representation of its encrypted form which
I need to somehow decrypt between the time LDAP returns it and these
credentials are generated.







Re: [Dovecot] LDAP encryption

2012-10-09 Thread Timo Sirainen
I don't think you can do that with a plugin without core Dovecot modifications. 
Unless you replace the whole passdb ldap. For example you could use passdb 
checkpassword if performance isn't a big issue.




Re: [Dovecot] Multiple Maildir?

2012-10-09 Thread Marc Perkel


On 10/9/2012 5:12 PM, Kelsey Cummings wrote:

> On 10/09/12 15:42, Daniel Parthey wrote:
>
>> Marc Perkel wrote:
>>
>>> if the mail location doesn't exist
>>> then I want to try a second mail location:
>>> mail_location = maildir:/email/%d/%n:INBOX=/email/%d/%n:LAYOUT=fs
>>
>> You might do this with a script which exports the MAIL environment
>> variable and then executes the service binary:
>
> It will work, we do this to set the maildir location to a custom
> hashed directory and muck around with the namespaces a bit.
>
> The script is in perl - the relevant parts look like this.
>
> #set user's maildir location for dovecot
> $ENV{'MAIL'} = 'maildir:' . getmaildir($ENV{'USER'});
> $ENV{'USERDB_KEYS'} .= 'MAIL';
>
> #pass along to dovecot's next process
> exec { $ARGV[0] } @ARGV;
>
> -K




Namespaces is something I don't understand. Still wondering what 
environment variables I can pick up in this script.


What I want to do is first try /fakedir/%d/%n and if that doesn't exist 
I want to go to /email/%d/%n




[Dovecot] Feature Request

2012-10-09 Thread Marc Perkel
It would be handy (for me) if there were a userdb where a directory 
structure defined the db.


userdb stat {
   mail_location=maildir:/fakedir/%d/%n:INBOX=/email/%d/%n:LAYOUT=fs
}

userdb stat {
   mail_location=maildir:/email/%d/%n:INBOX=/email/%d/%n:LAYOUT=fs
}

The idea being that if the first directory doesn't exist then it will 
try the second one.




Re: [Dovecot] Feature Request

2012-10-09 Thread Marc Perkel


On 10/9/2012 7:29 PM, Timo Sirainen wrote:

> On 10.10.2012, at 4.34, Marc Perkel wrote:
>
>> It would be handy (for me) if there were a userdb where a directory structure
>> defined the db.
>>
>> userdb stat {
>>    mail_location=maildir:/fakedir/%d/%n:INBOX=/email/%d/%n:LAYOUT=fs
>> }
>>
>> userdb stat {
>>    mail_location=maildir:/email/%d/%n:INBOX=/email/%d/%n:LAYOUT=fs
>> }
>>
>> The idea being that if the first directory doesn't exist then it will try the
>> second one.
>
> You could already implement this as userdb checkpassword script.


Can you give me an example?




Re: [Dovecot] Feature Request

2012-10-09 Thread Timo Sirainen
On 10.10.2012, at 5.40, Marc Perkel wrote:

>>> It would be handy (for me) if there were a userdb where a directory
>>> structure defined the db.
>>>
>>> userdb stat {
>>>   mail_location=maildir:/fakedir/%d/%n:INBOX=/email/%d/%n:LAYOUT=fs
>>> }
>>>
>>> userdb stat {
>>>   mail_location=maildir:/email/%d/%n:INBOX=/email/%d/%n:LAYOUT=fs
>>> }
>>>
>>> The idea being that if the first directory doesn't exist then it will try
>>> the second one.
>>
>> You could already implement this as userdb checkpassword script.
>
> Can you give me an example?

Something like this:

userdb {
  driver = checkpassword
  args = /usr/local/bin/userdb.sh
}

/usr/local/bin/userdb.sh:

#!/bin/sh
# Dovecot runs this with the checkpassword-reply binary as its argument and
# describes the user being looked up in AUTH_* environment variables.

path=/fakedir/$AUTH_DOMAIN/$AUTH_USERNAME
if [ -d "$path" ]; then
  # export, otherwise the values never reach the exec'd reply binary
  export MAIL="maildir:$path:INBOX=/email/$AUTH_DOMAIN/$AUTH_USERNAME:LAYOUT=fs"
  export EXTRA=mail
  export AUTHORIZED=2
  exec "$@"
fi

# directory missing: fail the lookup
exit 1

(I'm not sure if the MAIL/mail should be USERDB_MAIL/userdb_mail instead. 
Probably not.)
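The script Timo sketches stops after the first directory, whereas the feature request was "try /fakedir first, fall back to /email". Below is an added example of that fallback as a userdb checkpassword script; it is not Timo's code and not part of Dovecot. It assumes the same checkpassword environment Timo's message uses (Dovecot supplies AUTH_DOMAIN and AUTH_USERNAME, the script exports MAIL, EXTRA and AUTHORIZED=2 and execs the reply binary passed in $@), and the two roots /fakedir and /email from Marc's request. Because the domain and user names arrive from the client and are spliced into a filesystem path, the example refuses anything that is empty, contains a slash, or is "." / ".." before touching the disk; the location logic lives in a function so it can be exercised without Dovecot.

```shell
#!/bin/sh
# Added example of a fallback userdb checkpassword script (hypothetical,
# not from the thread). Roots come from Marc's request; they can be
# overridden through the environment for testing.
PRIMARY_ROOT=${PRIMARY_ROOT:-/fakedir}
FALLBACK_ROOT=${FALLBACK_ROOT:-/email}

# valid_component NAME: accept only a conservative character set, so a
# client-supplied name such as "../../etc" can never leave the mail root.
valid_component() {
    case "$1" in
        ''|*/*|.|..|-*) return 1 ;;
    esac
    printf '%s' "$1" | LC_ALL=C grep -Eq '^[A-Za-z0-9._@+-]+$'
}

# pick_mail_location DOMAIN USER: print the mail_location for the first
# root whose per-user directory exists. INBOX always stays under the
# fallback root, matching both variants in the feature request.
# Returns 1 when the input is unsafe or neither directory exists.
pick_mail_location() {
    domain=$1
    user=$2
    valid_component "$domain" || return 1
    valid_component "$user" || return 1
    for root in "$PRIMARY_ROOT" "$FALLBACK_ROOT"; do
        dir="$root/$domain/$user"
        if [ -d "$dir" ]; then
            printf 'maildir:%s:INBOX=%s/%s/%s:LAYOUT=fs\n' \
                "$dir" "$FALLBACK_ROOT" "$domain" "$user"
            return 0
        fi
    done
    return 1
}

# Dovecot entry point. It only runs when a reply binary was passed as an
# argument, so the file can be sourced for testing without side effects.
# Variable names follow Timo's message (assumed, not verified here).
if [ $# -gt 0 ]; then
    if MAIL=$(pick_mail_location "${AUTH_DOMAIN:-}" "${AUTH_USERNAME:-}"); then
        export MAIL
        export EXTRA=mail
        export AUTHORIZED=2
        exec "$@"
    fi
    # unsafe name or no directory anywhere: fail the lookup
    exit 1
fi
```

A user without a domain part gives an empty AUTH_DOMAIN, which the validation rejects, so the lookup fails rather than resolving to "/fakedir//user"; that matches the request's reliance on both %d and %n. Whether the fields must be named MAIL/mail or USERDB_MAIL/userdb_mail for the Dovecot version in use is the open point Timo raises, and only the exec block needs changing if the other spelling turns out to be right.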