Re: [Dovecot] 2048-bit Diffie-Hellman parameters

2013-09-24 Thread Robin
On 9/24/2013 2:28 AM, Reindl Harald wrote:

> maybe on your server, my logs showing the opposite and since
> the "smtp" are outgoing messages your conclusion of "nobody"
> is strange
> 
> cat maillog | grep smtp | grep -v smtpd | grep TLS | wc -l
> 12327
> 
> cat maillog | grep smtpd | grep TLS | wc -l
> 13350
> 
> cat maillog | grep smtp | grep -v smtpd | grep TLSv1.2 | wc -l
> 2603
> 
> cat maillog | grep smtpd | grep TLSv1.2 | wc -l
> 2219

This doesn't necessarily mean the encryption is effective at cloaking the data 
exchange.  Remember:

1) Most admins who use TLS on their MTAs don't reject the transaction if the 
presented certificates FAIL to be validated against your local trust store's 
certificates.  Unlike the error dialog boxes presented to the end user when a 
certificate fails to validate against its local trust store, these "error 
fallbacks" are "silent" and to most users, completely invisible. (Yes, I know 
most MTAs will log a TLS certificate failure in the headers, but we're talking 
about Lusers here, not readers of this list.)  Failing certificate validity 
means it could be ANYONE's key/cert used to set up the ephemeral connection, and 
you can place no reliance on that channel being opaque to third-party scrutiny.

2) Even if you DO reject all failing certificate trust-stores (on *ALL* MX hosts 
that receive/send mail), it's increasingly likely that one or more of those 
root certificates are compromised, either publicly(*) or secretly through some 
back-door arrangement with the NSA.  The Big Ugly elephant in the room is the 
notion of the NSA having a certificate signing key for VeriSlime/GeoBust/et al 
so that they're free to use their own key + cert in a MITM interception, with 
the end user being none the wiser(**).  Take a tally of the jurisdictions of 
the big root-level CAs.  It's alarmingly AUSCANNZUKUS-centric.

3) Even with all of the above dealt with, the rush for people to use 
Diffie-Hellman "PFS" based on elliptic curves (EC) may itself be subject to 
additional problems based on revelations and leaks that suggest the NSA has 
been busy subverting various standards and publicly designed software reference 
implementations to weaken their security in ways that benefit them.  In particular, 
Schneier and Bernstein feel very uneasy about the NIST-specified parameters for 
the EC-based cryptographic algorithms.  These aren't "tin foil hatters" or 
kooks.

To that end, there are proposals to adopt elliptic-curve parameters and methods 
such that each and every generated public key maps to a valid EC point.

See:

https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html#c1675929
http://cr.yp.to/talks/2013.05.31/slides-dan+tanja-20130531-4x3.pdf
http://cr.yp.to/ecdh/curve25519-20060209.pdf
 
An Ivory Tower organisation with total control over the clients' and the 
servers' configurations can pin all of its certs + keys, and configure them to 
dump connections that fail to validate local trust stores.

This is an unfortunately very subtle and nuanced problem that defies mere 
"throwing more bits" at your key sizes. 

And I would hope that the IQ and worldly mindsets of those generally reading 
this list have an appreciation for why retaining complete control and privilege 
within your organisation's end-to-end security is important, now more than 
ever.  It has nothing to do with "I'm not doing anything wrong, so they can 
read all they want."

For an ISP or other provider with a "random" and "noisy" userbase with 
who-knows-what clients + OS/platform brain damage, the problem is probably 
intractable unless you accept that some users will be simply unable to access 
the services from some or all of their devices.

=R=

(*) Despite many compromised CAs (Certificate Authorities) being known 
publicly, I discover an annoyingly large number of improperly configured systems 
that accept these as valid. Maybe there are/were distros who incorrectly 
compiled lists of CAs and didn't remove those compromised CAs from the 
trust-store.  Maybe they're out of date.  Who knows why.

(**) If you "pin" various trust store certificates + keys, you can detect this 
when it occurs.

See: https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning
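The grep counts Reindl quotes at the top of this message treat every TLS session alike, which is exactly what point 1 above warns about. Postfix already records the outcome of certificate verification in the very log line those greps match on (Anonymous / Untrusted / Trusted / Verified), so the same log can be split by trust level instead of just counted. The script below is an added example, not part of the original post and not Postfix's own tooling; the log lines in it are constructed for the example, and the function names are the example's own.

```python
import re
from collections import Counter

# Postfix writes the result of peer certificate verification into the same
# line a "grep TLS" would count.  Anonymous = no certificate presented,
# Untrusted = presented but did not chain to a trusted CA, Trusted = chained,
# Verified = chained and matched the expected name.  Only the last two say
# anything about who the peer actually is.
TLS_LINE = re.compile(
    r"postfix/(?P<proc>smtpd|smtp)\[\d+\]: "
    r"(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"(?:to|from) (?P<peer>\S+): (?P<proto>TLSv[0-9.]+) with cipher (?P<cipher>\S+)"
)


def classify(lines):
    """Count TLS sessions per (direction, trust level) over an iterable of log lines.
    smtpd lines are inbound sessions, smtp lines are our outbound deliveries."""
    counts = Counter()
    for line in lines:
        m = TLS_LINE.search(line)
        if m:
            direction = "inbound" if m.group("proc") == "smtpd" else "outbound"
            counts[(direction, m.group("trust"))] += 1
    return counts


def authenticated_fraction(counts):
    """Fraction of outbound TLS sessions whose peer certificate chained to a
    trusted CA.  A bare count of 'TLS' lines cannot distinguish this from 0."""
    outbound = sum(n for (d, _), n in counts.items() if d == "outbound")
    trusted = sum(n for (d, t), n in counts.items()
                  if d == "outbound" and t in ("Trusted", "Verified"))
    return trusted / outbound if outbound else 0.0


# Constructed sample log (not from any real server); the line format is Postfix's.
SAMPLE_LOG = """\
Sep 24 02:28:01 mx postfix/smtp[4711]: Untrusted TLS connection established to mail.example.org[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Sep 24 02:28:05 mx postfix/smtp[4712]: Anonymous TLS connection established to mx2.example.net[198.51.100.5]:25: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
Sep 24 02:28:09 mx postfix/smtp[4713]: Trusted TLS connection established to smtp.example.com[203.0.113.9]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Sep 24 02:28:12 mx postfix/smtpd[4720]: Anonymous TLS connection established from client.example.net[198.51.100.7]: TLSv1.2 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Sep 24 02:28:15 mx postfix/smtpd[4721]: connect from unknown[203.0.113.40]
Sep 24 02:28:20 mx postfix/smtp[4714]: Untrusted TLS connection established to mail.example.org[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
""".splitlines()


if __name__ == "__main__":
    c = classify(SAMPLE_LOG)
    for (direction, trust), n in sorted(c.items()):
        print(f"{direction:8} {trust:10} {n}")
    print(f"outbound sessions with a CA-chained peer cert: {authenticated_fraction(c):.0%}")
```

On the constructed sample, five lines would match a plain `grep TLS`, but only one of the four outbound sessions actually had a peer certificate that chained to a trusted CA; the "Anonymous" outbound session used an anonymous DH suite, so nobody's key was verified at all.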



Re: [Dovecot] Delete to Archive?

2013-09-24 Thread Robert Blayzor
On Sep 24, 2013, at 4:54 PM, Regan Yelcich  wrote:
> Would you need to set the Archive folder up to autosubscribe? Can anyone 
> provide an example? Thanks. 
> 
> 


Should be pretty straight forward:


namespace inbox {
  mailbox Archive {
    special_use = \Archive
    auto = subscribe
  }
}


-- 
Robert Blayzor
INOC, LLC
rblay...@inoc.net
http://www.inoc.net/~rblayzor/





Re: [Dovecot] Apple IOS 7 Mail APP uses multi body searches by default

2013-09-24 Thread Timo Sirainen
On 24.9.2013, at 10.36, Urban Loesch  wrote:

> today we found this blogpost:
> 
> http://blog.fastmail.fm/2013/09/17/ios-7-mail-app-uses-multi-folder-body-searches-by-default/
> 
> Have you any idea if this could impact performance of dovecot using mdbox 
> format with 10MB per file size and zlib enabled?

http://wiki2.dovecot.org/Plugins/FTS would be helpful here. Dovecot could also 
do some extra optimizations, but those get a bit complex.



Re: [Dovecot] Strange errors with imapc+acl in 2.2.x

2013-09-24 Thread Timo Sirainen
On 24.9.2013, at 19.16, René Neumann  wrote:

> after migrating to 2.2 (currently using 2.2.5), I see strange error
> messages when using imapc + public namespace + acl
> 
> My setup: I create a public shared mailbox with imapc as location. Then
> I restrict this mailbox to one user only using ACLs.
> 
> This works for this one special user, but for all others an error gets
> logged and they can't access their mailbox anymore:
> 
> Sep 24 18:09:46 [dovecot] imap(other@my.domain): Error: user
> other@my.domain: Initialization failed: Namespace 'Gemeinsam.':
> Ambiguous mail location setting, don't know what to
> do with it: yes (try prefixing it with mbox: or maildir:)

I can't reproduce this. Set mail_debug=yes and show what's in the logs?



Re: [Dovecot] still having dsync issues after upgrading to latest

2013-09-24 Thread Matthew Kaufman

On 9/24/2013 6:14 PM, Timo Sirainen wrote:
> On 25.9.2013, at 3.59, Matthew Kaufman  wrote:
> 
>> Trying to migrate a bunch of users with mbox format to maildir format. dsync creates some 
>> directories, but otherwise does nothing. (Complained about the lack of "/" as 
>> separator until I added that to config, now is silent when running dsync except with the 
>> -D flag)
>> 
>> I have tried dumping all the dovecot that came with my OS and built the latest 
>> sources, hoping I'd at least get a little better debug information out... but 
>> no luck.
>> 
>> Lots of hopefully useful output below.
>> 
>> What am I doing wrong?
>> 
>> # /usr/local/bin/dsync -D -u matt...@matthew.at mirror 
>> mbox:./Mail:INBOX=./matthew
> 
> I'm not sure how relative directories work. Try using absolute paths? so 
> mbox:/full/path/Mail:INBOX=/full/path/matthew



Wow, sure enough. I'd tried lots of things, but not full paths. Thanks.

Matthew Kaufman


Re: [Dovecot] still having dsync issues after upgrading to latest

2013-09-24 Thread Timo Sirainen
On 25.9.2013, at 3.59, Matthew Kaufman  wrote:

> Trying to migrate a bunch of users with mbox format to maildir format. dsync 
> creates some directories, but otherwise does nothing. (Complained about the 
> lack of "/" as separator until I added that to config, now is silent when 
> running dsync except with the -D flag)
> 
> I have tried dumping all the dovecot that came with my OS and built the 
> latest sources, hoping I'd at least get a little better debug information 
> out... but no luck.
> 
> Lots of hopefully useful output below.
> 
> What am I doing wrong?
> 
> # /usr/local/bin/dsync -D -u matt...@matthew.at mirror 
> mbox:./Mail:INBOX=./matthew

I'm not sure how relative directories work. Try using absolute paths? so 
mbox:/full/path/Mail:INBOX=/full/path/matthew



Re: [Dovecot] Passing info from mail process to mail_filter plugin script?

2013-09-24 Thread Timo Sirainen
On 25.9.2013, at 3.06, Charles Cazabon  wrote:

> Timo Sirainen  wrote:
>> 
>> Without modifications the only way to pass data is via the plugin {
>> mail_filter } parameters, such as the %u expanding to username in the
>> example.
> 
> I hacked an additional %variable (I used %q) into a copy of
> mail-user.c:mail_user_var_expand_table () (and called this modified version
> instead of the original, in the same place it is normally called), and moved
> my data collection around in imap/main.c:settings_var_expand() so that my info
> was available at the time mail_user->var_expand_table is populated.

Better to not give a one character name, but only the long name so it won't 
conflict with any future Dovecot additions.

> This appears to be working thus far.  If I iterate over that table, my custom
> variable is present and has a correct key, value, and long_key before
> client_create() is called.  
> 
> But when I put %q into the mail_filter config like so:
> 
>  mail_plugins = $mail_plugins mail_filter
> 
>  plugin {
>    mail_filter = mail-filter %q foo %u
>    mail_filter_out = mail-filter-out %u
>  }
> 
> ... and restart Dovecot, I find that the filter script is only being passed 2
> arguments, the constant "foo" in the above and the username.  The %q does not
> appear to be getting replaced; it's just skipped over.  It's not even passing
> an empty string in its place.

Hmm. yeah, the empty string isn't there because mail-filter uses 
t_strsplit_spaces() instead of t_strsplit(). I suppose it should use 
t_strsplit().

> Am I modifying the correct var_expand_table here?  Is there any step I've
> missed in making the new variable get substituted properly?  lib/var-expand.c
> doesn't appear to require anything else, but I may have missed something…

It looks like this should be correct. The plugin settings expansion is done by 
mail-user.c:mail_user_expand_plugins_envs().

The other possibility would be that you just modify mail-filter plugin and add 
the extra parameter without any %variable changes. Probably better since then 
you don't need to patch Dovecot core itself.



Re: [Dovecot] imaptest-20130617 seems to be reporting spurious header changes

2013-09-24 Thread Timo Sirainen
On 25.9.2013, at 2.06, Mark Weaver  wrote:

> I'm trying to use this to test an IMAP server I'm developing (I picked the 
> nightly up from the link on the wiki page at 
> http://www.imapwiki.org/ImapTest/Installation).  With one client using the 
> mailbox dovecot-crlf (http://www.dovecot.org/tmp/dovecot-crlf) I get messages 
> like:
> 
> Error: t...@npsl.co.uk[67]: 1035253882.5041.34.camel@hurina: Header From 
> changed 'Timo Sirainen 
> Timo Sirainen  'Timo Sirainen ' (len 
> 26): * 1 FETCH (UID 2093 FLAGS () BODY ("text" "plain" ("charset" "us-ascii") 
> NIL NIL "7bit" 913 0) BODY[HEADER.FIELDS (From From Delivered-To) ] "From: 
> Timo Sirainen 
> From: Timo Sirainen 
> Delivered-To: dove...@procontrol.fi

Hmm. Interesting question. The issue here is that imaptest requests the From 
field twice, and you return it twice. Normally clients wouldn't do that, but I 
think the imaptest is correct here and I think most existing server 
implementations handle it like imaptest expects. From RFC 3501:

HEADER.FIELDS and HEADER.FIELDS.NOT are followed by a list of
field-name (as defined in [RFC-2822]) names, and return a
subset of the header.

Duplicating a From field is no longer a subset of the original header.
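As an added example (not code from imaptest or Dovecot), here is the HEADER.FIELDS selection described above written out in Python. The requested names are collapsed to a set, so a request for (From From Delivered-To) yields each matching original line once, while a field that genuinely occurs twice in the message (Received, in the sample) comes back twice because both lines exist in the original. The header block is constructed for the example, with example.org addresses standing in for the real ones in the dovecot-crlf mailbox; the function names are the example's own.

```python
CRLF = "\r\n"


def parse_header(raw):
    """Split an RFC 2822 header block into (lower-cased field name, original
    line) pairs.  Folded continuation lines (leading SP or HTAB) stay attached
    to the field they continue, so a field is always returned whole."""
    fields = []
    for line in raw.split(CRLF):
        if line == "":
            break                                   # blank line ends the header
        if line[0] in " \t" and fields:
            name, text = fields[-1]
            fields[-1] = (name, text + CRLF + line)
            continue
        name, colon, _ = line.partition(":")
        if not colon:
            raise ValueError("malformed header line: %r" % line)
        fields.append((name.strip().lower(), line))
    return fields


def header_fields(raw, requested, negate=False):
    """BODY[HEADER.FIELDS (requested)] or, with negate=True,
    BODY[HEADER.FIELDS.NOT (requested)] as RFC 3501 defines it: a subset of
    the original header lines, in original order, followed by the blank line.

    Repeating a name in the request cannot add lines, because the request is
    collapsed to a set.  A field that occurs twice in the message is returned
    twice, because both lines exist in the original."""
    wanted = {n.lower() for n in requested}
    selected = [text for name, text in parse_header(raw)
                if (name in wanted) != negate]
    return "".join(text + CRLF for text in selected) + CRLF


# Constructed header block for the example (example.org addresses, not the
# real ones from the dovecot-crlf test mailbox).
SAMPLE_HEADER = CRLF.join([
    "Received: from mx1.example.org by imap.example.org; Tue, 22 Oct 2002 05:31:30 +0300",
    "Received: from [192.0.2.1] by mx1.example.org; Tue, 22 Oct 2002 05:31:25 +0300",
    "From: Timo Sirainen <tss@example.org>",
    "To: dovecot@example.org",
    "Delivered-To: dovecot@example.org",
    "Subject: [dovecot] Re: Architectural",
    "\tquestions",
    "Message-ID: <1035253882.5041.34.camel@hurina>",
    "",
    "body text that must never be returned",
])


if __name__ == "__main__":
    # The request imaptest sends, with From listed twice:
    print(repr(header_fields(SAMPLE_HEADER, ["From", "From", "Delivered-To"])))
    # Two genuine Received lines come back as two lines:
    print(repr(header_fields(SAMPLE_HEADER, ["Received"])))
```

A server that instead iterates over the request list and emits every match per requested name produces the doubled From line that imaptest flagged.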



Re: [Dovecot] Problem getting a dovecot proxy to connect to another dovecot machine via STARTTLS

2013-09-24 Thread Arnoud van Heuvelen
I've solved the issue by setting ssl to 'any-cert' and starttls to NULL.
This does a proper SSL request to the node.

I still don't understand why Dovecot does a non-SSL request on an SSL port
whenever I enable starttls, but I'm happy using normal SSL.

Regards,


Re: [Dovecot] Passing info from mail process to mail_filter plugin script?

2013-09-24 Thread Charles Cazabon
Timo Sirainen  wrote:
>
> Without modifications the only way to pass data is via the plugin {
> mail_filter } parameters, such as the %u expanding to username in the
> example.

I hacked an additional %variable (I used %q) into a copy of
mail-user.c:mail_user_var_expand_table () (and called this modified version
instead of the original, in the same place it is normally called), and moved
my data collection around in imap/main.c:settings_var_expand() so that my info
was available at the time mail_user->var_expand_table is populated.

This appears to be working thus far.  If I iterate over that table, my custom
variable is present and has a correct key, value, and long_key before
client_create() is called.  

But when I put %q into the mail_filter config like so:

  mail_plugins = $mail_plugins mail_filter

  plugin {
    mail_filter = mail-filter %q foo %u
    mail_filter_out = mail-filter-out %u
  }

... and restart Dovecot, I find that the filter script is only being passed 2
arguments, the constant "foo" in the above and the username.  The %q does not
appear to be getting replaced; it's just skipped over.  It's not even passing
an empty string in its place.

Am I modifying the correct var_expand_table here?  Is there any step I've
missed in making the new variable get substituted properly?  lib/var-expand.c
doesn't appear to require anything else, but I may have missed something...
  
Any help appreciated,

Charles

-- 
---
Charles Cazabon
GPL'ed software available at:   http://pyropus.ca/software/
---


[Dovecot] imaptest-20130617 seems to be reporting spurious header changes

2013-09-24 Thread Mark Weaver
I'm trying to use this to test an IMAP server I'm developing (I picked 
the nightly up from the link on the wiki page at 
http://www.imapwiki.org/ImapTest/Installation).  With one client using 
the mailbox dovecot-crlf (http://www.dovecot.org/tmp/dovecot-crlf) I get 
messages like:


Error: t...@npsl.co.uk[67]: 1035253882.5041.34.camel@hurina: Header From 
changed 'Timo Sirainen 
Timo Sirainen  'Timo Sirainen ' (len 
26): * 1 FETCH (UID 2093 FLAGS () BODY ("text" "plain" ("charset" 
"us-ascii") NIL NIL "7bit" 913 0) BODY[HEADER.FIELDS (From From 
Delivered-To) ] "From: Timo Sirainen 

From: Timo Sirainen 
Delivered-To: dove...@procontrol.fi

" ENVELOPE ("22 Oct 2002 05:31:22 +0300" "[dovecot] Re: Architectural 
questions" (("Timo Sirainen" NIL "tss" "iki.fi")) (("" NIL 
"dovecot-bounce" "procontrol.fi")) (("Timo Sirainen" NIL "tss" 
"iki.fi")) (("" NIL "dovecot" "procontrol.fi")) NIL NIL 
"<1035249894.5044.28.camel@hurina>" "<1035253882.5041.34.camel@hurina>") 
BODY[HEADER.FIELDS (Cc Cc From) ] "From: Timo Sirainen 


")

(I added the dump of the string length by modifying the code).  As I am 
reading it the test program has got the wrong string rather than the 
server -- the From header in the mbox file is


From: Timo Sirainen 

which is 26 characters long, not 52, and includes the closing angle 
bracket, and the code that prints the header out is in 
src/mailbox-state.c, line 377:


client_state_error(client,
    "%s: Header %s changed '%.*s' (len %d) -> '%.*s' (len %d)",
    msg->message_id, fetch_headers[i].name,
    (int)orig_headers[j].value_len,
    (const char *)orig_headers[j].value,
    (int)orig_headers[j].value_len,
    (int)fetch_headers[i].value_len,
    (const char *)fetch_headers[i].value,
    (int)fetch_headers[i].value_len);

Have I read this upside down or is there an issue with the tests?  If it 
is an issue with the tests, any pointers as to where to start looking 
for the issue would be helpful.


Thanks,

Mark


Re: [Dovecot] 2048-bit Diffie-Hellman parameters

2013-09-24 Thread Noel Butler
On Tue, 2013-09-24 at 14:04 +0200, lst_ho...@kwsoft.de wrote:


> [OT] Why, they actually use the english TEMPORA to get the data, so at  
> least in part they don't sniff the wire...
> 


Tempora, amongst others 
(remember tempora is pretty old now)






Re: [Dovecot] Delete to Archive?

2013-09-24 Thread Regan Yelcich
Would you need to set the Archive folder up to autosubscribe? Can anyone 
provide an example? Thanks. 



> On 25/09/2013, at 7:20 am, Alexander Wasmuth  wrote:
> 
> On 24.09.2013, at 21:00, James E. Pace  wrote:
> 
>>> http://appleinsider.com/articles/13/06/27/inside-ios-7-mail-gets-gesture-support-and-reworked-ui
>> 
>> Thank you so much! That allows me to do exactly what I want on the client 
>> side.
> 
> Happy to hear. There is a bit of an inconsistency between Mail.app and iOS 
> mail. In Mail.app you have two distinctive buttons/actions, delete (which 
> deletes the email, or moves it to the trash folder) and archive (which moves 
> it to the folder Archive, if there is a folder named 'Archive').
> 
> With iOS there is either or. Either delete the email or archive it.


Re: [Dovecot] Delete to Archive?

2013-09-24 Thread Alexander Wasmuth
On 24.09.2013, at 21:00, James E. Pace  wrote:

>> http://appleinsider.com/articles/13/06/27/inside-ios-7-mail-gets-gesture-support-and-reworked-ui
> 
> Thank you so much! That allows me to do exactly what I want on the client 
> side.

Happy to hear. There is a bit of an inconsistency between Mail.app and iOS 
mail. In Mail.app you have two distinctive buttons/actions, delete (which 
deletes the email, or moves it to the trash folder) and archive (which moves it 
to the folder Archive, if there is a folder named 'Archive').

With iOS there is either or. Either delete the email or archive it.

Re: [Dovecot] Delete to Archive?

2013-09-24 Thread James E. Pace

On 09/24/2013 11:10 AM, Alexander Wasmuth wrote:
> On 23.09.2013, at 20:16, James E. Pace  wrote:
> 
>> I recently switched from being a Gmail user to running Dovecot 
>> [2.1.10] on my server.  Thank you for an easy to use piece of software 
>> that solves problems!
>> 
>> I am trying (unsuccessfully) to replicate something from GMail.  When 
>> I delete a message on my iPhone (or other client), I would like to 
>> have it moved to an "All Mail" or Archive folder, instead of actually 
>> deleting it.
>> 
>> Is this possible?
> 
> I guess you can just create an 'Archive' folder (that will be
> recognized in iOS and Mail.app) and remap your iPhone delete action to
> 'archive':
> 
> http://appleinsider.com/articles/13/06/27/inside-ios-7-mail-gets-gesture-support-and-reworked-ui

Thank you so much! That allows me to do exactly what I want on the 
client side.


James
--
James E. Pace


Re: [Dovecot] Delete to Archive?

2013-09-24 Thread Alexander Wasmuth
On 23.09.2013, at 20:16, James E. Pace  wrote:

> I recently switched from being a Gmail user to running Dovecot [2.1.10] on my 
> server.  Thank you for an easy to use piece of software that solves problems!
> 
> I am trying (unsuccessfully) to replicate something from GMail.  When I 
> delete a message on my iPhone (or other client), I would like to have it 
> moved to an "All Mail" or Archive folder, instead of actually deleting it.
> 
> Is this possible?

I guess you can just create an 'Archive' folder (that will be recognized in iOS 
and Mail.app) and remap your iPhone delete action to 'archive':

http://appleinsider.com/articles/13/06/27/inside-ios-7-mail-gets-gesture-support-and-reworked-ui

[Dovecot] Strange errors with imapc+acl in 2.2.x

2013-09-24 Thread René Neumann
Hi,

after migrating to 2.2 (currently using 2.2.5), I see strange error
messages when using imapc + public namespace + acl

My setup: I create a public shared mailbox with imapc as location. Then
I restrict this mailbox to one user only using ACLs.

This works for this one special user, but for all others an error gets
logged and they can't access their mailbox anymore:

Sep 24 18:09:46 [dovecot] imap(other@my.domain): Error: user
other@my.domain: Initialization failed: Namespace 'Gemeinsam.':
Ambiguous mail location setting, don't know what to
 do with it: yes (try prefixing it with mbox: or maildir:)

Sep 24 18:09:46 [dovecot]
imap(other@my.domain): Error: Invalid user settings. Refer to server log
for more information.


My config (relevant parts):

-- Dovecot conf 

imapc_host = some_host
imapc_port = 143
imapc_user = some_user
imapc_password = some3$pwd
imapc_ssl = starttls
imapc_ssl_verify = no

namespace gemeinsam {
  type = public
  separator = .
  location = imapc:
  prefix = Gemeinsam.
  subscriptions = no
}

# I also tried different combinations of hidden and list

plugin {
  acl = vfile:/etc/dovecot/global-acls:cache_secs=300
}

- /etc/dovecot/global-acls/Gemeinsam ---

anyone
user=special@my.domain lrwstipekxa



Does anyone have any thoughts about this?

Thanks,
René


Re: [Dovecot] Bug report: "doveadm rename" encodes special characters wrongly in mUTF-7 (in fs)

2013-09-24 Thread megodin
> If doveadm says it's invalid UTF-8, it's invalid UTF-8. I guess your 
> terminal isn't actually using UTF-8 then, but something else. ("locale" 
> output should say something about UTF-8.) I guess doveadm could also 
> automatically translate parameters to UTF-8, but that's a bit annoying 
> to implement.

You were absolutely right. After thorough testing I could trace the 
problem to the SSH client PuTTY I was using on a Windows machine while 
testing. The default "remote character set" is 
"ISO-8859-1:1998 (Latin-1, West Europe)"; when resetting it to "UTF-8", 
opening a new shell and testing the "doveadm mailbox rename ..." with 
German umlauts just works fine then.
(Just for the sake of completeness, the "locale" settings were set to 
LANG=de_DE.utf-8 globally in /etc/sysconfig/i18n per default.)


> The problem here is that * is expanded by your shell, not doveadm. 
> And it expands into Tr&-AOQ-sh as it's in the filesystem, but that's 
> only the mUTF-7 encoding of it. The UTF-8 version of the name is 
> Tr&AOQ-sh. So doveadm only sees that you attempted to resync a 
> nonexistent mailbox. Using '*' with quotes would work, since doveadm 
> would do the expansion then.

Thanks for pointing that * / '*' issue out.

I now understand that "doveadm mailbox rename" converts the input 
to UTF _before_ applying it in the filesystem.

Now it makes sense that 
doveadm mailbox rename -u user 'Trash' 'Tr&AOQ-sh'
must be expanded to Tr&-AOQ-sh. The "-" character directly after the 
"&"in Tr&-AOQ-sh comes from a special mUTF-Specification (as stated in 
RFC 3501, section 5.1.3):

"In modified UTF-7, printable US-ASCII characters, except for "&",
represent themselves; that is, characters with octet values 0x20-0x25
and 0x27-0x7e.  The character "&" (0x26) is represented by the
two-octet sequence "&-"."

So, e.g., if I wanted a German umlaut to be encoded in the filesystem, 
I must enter it directly into doveadm instead of the UTF-encoded value.

One small point left...

> The UTF-8 version of the name is Tr&AOQ-sh
Just for understanding - "Tr&AOQ-sh" is IMHO UTF-7, not UTF-8. 
According to what was stated before, "Tr&-AOQ-sh" and "Tr&AOQ-sh" are 
both encoded the same way (UTF-7), the first seen in clients as 
"Tr&AOQ-sh" and the second as "Träsh".

Thanks for all your help!
Megodin
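The encoding worked through in this thread is small enough to write down in full. The encoder/decoder below is an added example and not Dovecot's own implementation (its function names are the example's). It reproduces both cases discussed above: the name "Träsh" becomes "Tr&AOQ-sh" on disk, and an ASCII name that itself contains "&", such as "Tr&AOQ-sh", becomes "Tr&-AOQ-sh", because "&" is the one printable US-ASCII character that does not represent itself (RFC 3501 section 5.1.3).

```python
import base64


def _encode_run(chars):
    """Modified BASE64 of a run of non-ASCII characters: UTF-16BE, base64 with
    ',' instead of '/', no '=' padding, wrapped in '&' ... '-'."""
    b64 = base64.b64encode("".join(chars).encode("utf-16-be")).decode("ascii")
    return "&" + b64.rstrip("=").replace("/", ",") + "-"


def mutf7_encode(name):
    """Mailbox name as a Python str (what the user types) -> modified UTF-7,
    the form Dovecot stores in the filesystem."""
    out, run = [], []
    for ch in name:
        if 0x20 <= ord(ch) <= 0x7E:            # printable US-ASCII
            if run:
                out.append(_encode_run(run))
                run = []
            out.append("&-" if ch == "&" else ch)   # '&' is the only escape
        else:
            run.append(ch)                      # umlauts, controls, etc.
    if run:
        out.append(_encode_run(run))
    return "".join(out)


def mutf7_decode(name):
    """Modified UTF-7 -> str.  Rejects unterminated or non-base64 '&...-' runs
    rather than guessing, which matters when the input comes from a filesystem
    or from another server."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch != "&":
            out.append(ch)
            i += 1
            continue
        end = name.find("-", i + 1)
        if end < 0:
            raise ValueError("unterminated '&' sequence in %r" % name)
        chunk = name[i + 1:end]
        if chunk == "":
            out.append("&")                     # "&-" is a literal ampersand
        else:
            b64 = chunk.replace(",", "/")
            b64 += "=" * (-len(b64) % 4)        # restore the stripped padding
            raw = base64.b64decode(b64, validate=True)
            out.append(raw.decode("utf-16-be"))
        i = end + 1
    return "".join(out)


if __name__ == "__main__":
    for typed in ("Träsh", "Tr&AOQ-sh", "Entwürfe & Gelöscht"):
        on_disk = mutf7_encode(typed)
        print(f"{typed!r:24} -> {on_disk!r:28} -> {mutf7_decode(on_disk)!r}")
```

This is also why the unquoted `*` did the wrong thing: the shell hands doveadm the on-disk form `Tr&-AOQ-sh`, and decoding that yields the literal ASCII name `Tr&AOQ-sh`, not `Träsh`.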






Re: [Dovecot] 2048-bit Diffie-Hellman parameters

2013-09-24 Thread Timo Sirainen
On 24.9.2013, at 15.01, Ron Leach  wrote:

> I support the OP's suggestion.  Could the Dovecot developer(s) consider 
> adding support for longer key sizes?

My answer from a few days ago on a different thread: 
http://dovecot.org/list/dovecot/2013-September/092615.html

> I'd like to ask a further related question, is it possible to run Dovecot 
> with GNUTLS instead of OpenSSL?

It used to be, but GNUTLS kept changing API and Dovecot nowadays doesn't 
support it.



Re: [Dovecot] Linux SO_REUSEPORT

2013-09-24 Thread staticsafe

On 9/24/2013 02:06, Ben Morrow wrote:
> At  2PM +0300 on 23/09/13 you Timo Sirainen wrote:
>> 
>> [SO_REUSEPORT]
>> 
>> This feature originated from BSDs that had it long time ago.
> 
> SO_REUSEPORT was introduced in 4.4 BSD, but the new Linux feature which
> includes load balancing is something rather different. It's a pity the
> Linux (Google?) people didn't choose a different name for it.
> 
> 4.4's SO_REUSEPORT just allows multiple (pre-TIME_WAIT) sockets to bind
> to the same local address:port. It was introduced for the benefit of
> multicast apps; AFAIK its only significant non-multicast use is in ftpd,
> which in active mode has to create lots of outgoing sockets originating
> from the same source address:port. The question of load balancing
> obviously doesn't apply here, since the connections are initiated by the
> server.
> 
> With a 4.4 implementation, setting SO_REUSEPORT is actively bad for
> something like Dovecot: while all the sockets will be allowed to bind,
> connections will only be passed to the first until that is closed, then
> to the next, and so on. Of the BSDs, DragonFly has implemented the Linux
> semantics (including a fix for the bug mentioned in your commit
> message); I believe the others, including OSX, are still using the 4.4
> code.
> 
> Ben



Details of Linux SO_REUSEPORT implementation can be found here:
https://lwn.net/Articles/542629/

--
staticsafe
O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
Please don't top post. It is not logical.
Please don't CC me! I'm subscribed to whatever list I just posted on.
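To make the distinction Ben draws concrete, the script below (an added example, not Dovecot code; it assumes a Linux 3.9 or later kernel where socket.SO_REUSEPORT exists, uses loopback only, and its function names are the example's own) binds two listeners to one port with SO_REUSEPORT, shows that a third socket without the option is refused with EADDRINUSE, and then counts which of the two listeners each of a batch of loopback connections lands on. Under the 4.4BSD semantics every connection would arrive on the first socket; under the Linux semantics the kernel spreads them across the group.

```python
import select
import socket
from collections import Counter


def open_listener(port, reuseport):
    """TCP listener on 127.0.0.1:port (port 0 lets the kernel pick one).
    With reuseport=True, SO_REUSEPORT is set before bind(); on Linux >= 3.9
    that also joins the socket to the kernel's balancing group for that
    addr:port.  Raises OSError if bind() or listen() fails."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        if reuseport:
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1)
        s.bind(("127.0.0.1", port))
        s.listen(64)
        s.setblocking(False)
        return s
    except OSError:
        s.close()
        raise


def second_bind_behaviour():
    """Returns (second_with_option_ok, third_without_option_eaddrinuse).

    The first is True when a second SO_REUSEPORT listener can bind the same
    addr:port as the first (the part 4.4BSD and Linux agree on).  The second
    is True when a socket *without* the option is refused with EADDRINUSE,
    i.e. every member of the group must opt in."""
    a = open_listener(0, True)
    port = a.getsockname()[1]
    try:
        try:
            b = open_listener(port, True)
            b.close()
            second_ok = True
        except OSError:
            second_ok = False
        try:
            c = open_listener(port, False)
            c.close()
            third_refused = False
        except OSError as e:
            third_refused = (e.errno == 98)   # errno.EADDRINUSE on Linux
    finally:
        a.close()
    return second_ok, third_refused


def distribution(n_connections):
    """Open two SO_REUSEPORT listeners on one port, make n loopback
    connections, and count which listener each one was queued on.  The
    kernel hashes the 4-tuple, so with differing client ports both listeners
    normally see work; on a 4.4BSD kernel 'first' would get all of them."""
    a = open_listener(0, True)
    port = a.getsockname()[1]
    b = open_listener(port, True)
    hits = Counter()
    clients = []
    try:
        for _ in range(n_connections):
            clients.append(socket.create_connection(("127.0.0.1", port), timeout=2))
            # Loopback connect() returns once the handshake is done, so exactly
            # one of the two listeners now has this connection in its queue.
            readable, _, _ = select.select([a, b], [], [], 2.0)
            for lst in readable:
                conn, _ = lst.accept()
                conn.close()
                hits["first" if lst is a else "second"] += 1
    finally:
        for c in clients:
            c.close()
        a.close()
        b.close()
    return hits


if __name__ == "__main__":
    print("second bind with option ok / third without refused:", second_bind_behaviour())
    print("connections per listener:", dict(distribution(20)))
```

The second function is the point for a daemon like Dovecot: the option only helps if the kernel actually balances the group, and a single process without the option cannot steal the port, but any other process running as the same user that does set it can join the group and start receiving a share of the connections.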


Re: [Dovecot] Fwd: lmtp

2013-09-24 Thread Steffen

Lampa wrote:
> After home to user and password query, log contains weird messages
> 
> 2013-09-24T14:15:38.704140+02:00 server dovecot: imap(u...@domain.com): Error:
> stat(/home/mail/domain.com/user/.dovecot.lda-dupes/tmp) failed: Not a directory
> 2013-09-24T14:15:38.724371+02:00 server dovecot: imap(u...@domain.com): Error:
> stat(/home/mail/domain.com/user/.dovecot.svbin/tmp) failed: Not a directory

How does your /etc/dovecot/dovecot-sql.conf.ext look now?
Did you change something else?

> 2013/9/24 Steffen Kaiser 
> 
>> On Tue, 24 Sep 2013, Lampa wrote:
>> 
>>> is thought that home is enough to delivery for LDA/LMTP. On old
>>> version was using LDA and works ok.
>> 
>> You use:
>> 
>> mail_location = maildir:/home/mail/%d/%n/Maildir
>> 
>> and return no mail field in the SQL query. Therefore you depend on
>> a correctly set "%d".
>> 
>>> Added user to user_query and we will see if helps.
>> 
>> So, you could also return "mail" :-)
>> 
>>> BTW doveadm user -u  is right command ?
>>> 
>>> doveadm user -u : -bash: syntax error near
>>> unexpected token `newline'
>> 
>> Well, the angle brackets are usually placeholder markers, such as
>>  below, but
>> 
>>> doveadm user -u u...@domain2.com
>>> user: invalid option -- 'u'
>>> doveadm user [-a ] [-x ] [-f field] [-m]  [...]
>> 
>> you are right, -u is not correct with this particular command,
>> hence:
>> 
>> doveadm user -u u...@domain2.com
>> 
>>> 2013/9/24 Steffen Kaiser 
>>> 
>>>> On Tue, 24 Sep 2013, Lampa wrote:
>>>> 
>>>>> Date: Tue, 24 Sep 2013 10:42:41 +0200
>>>>> From: Lampa 
>>>>> To: dovecot@dovecot.org
>>>>> Subject: Re: [Dovecot] Fwd: lmtp
>>>>> 
>>>>> driver = mysql
>>>>> 
>>>>> password_query = SELECT CONCAT(u.uzivatel, '@', d.domena)
>>>>> AS user, u.heslo AS password, CONCAT('/home/mail/',
>>>>> d.domena, '/', u.uzivatel) AS userdb_home, 111 AS
>>>>> userdb_uid, 114 AS userdb_gid, u.quota AS
>>>>> userdb_quota_rule, 'Trash:ignore' AS userdb_quota_rule2
>>>>> FROM uzivatele AS u JOIN domeny AS d ON d.id =
>>>>> u.domeny_id WHERE u.domeny_id = (SELECT
>>>>> a.domeny_id_realna FROM domeny_aliasy AS a JOIN domeny AS
>>>>> d ON d.id = a.domeny_id_alias JOIN domeny AS dd ON dd.id
>>>>> = a.domeny_id_realna WHERE d.domena = '%d' AND d.priznak
>>>>> & 2 = 2 AND d.priznak & 1 = 0 AND dd.priznak & 1 = 0
>>>>> UNION SELECT id FROM domeny WHERE domena = '%d' AND
>>>>> priznak & 2 = 0 AND priznak & 1 = 0) AND u.uzivatel =
>>>>> '%n' AND u.priznak & 1 = 0
>>>>> 
>>>>> user_query = SELECT CONCAT('/home/mail/', d.domena, '/',
>>>>> u.uzivatel) AS home, 111 AS uid, 114 AS gid, u.quota AS
>>>>> quota_rule, 'Trash:ignore' AS quota_rule2 FROM uzivatele
>>>>> AS u JOIN domeny AS d ON d.id = u.domeny_id WHERE
>>>>> u.domeny_id = (SELECT a.domeny_id_realna FROM
>>>>> domeny_aliasy AS a JOIN domeny AS d ON d.id =
>>>>> a.domeny_id_alias JOIN domeny AS dd ON dd.id =
>>>>> a.domeny_id_realna WHERE d.domena = '%d' AND d.priznak &
>>>>> 2 = 2 AND d.priznak & 1 = 0 AND dd.priznak & 1 = 0 UNION
>>>>> SELECT id FROM domeny WHERE domena = '%d' AND priznak & 2
>>>>> = 0 AND priznak & 1 = 0) AND u.uzivatel = '%n' AND
>>>>> u.priznak & 1 = 0
>>>> 
>>>> Dunno, if that applies in your situation, but the
>>>> user_query does not return "user", hence, "doveadm user -u
>>>> " should return domain2.com as domain. If
>>>> this applies to LMTP as well, you could try, because there
>>>> will be no password query before to fill the prefetch
>>>> userdb.
>>>> 
>>>> user_query = SELECT CONCAT(u.uzivatel, '@', d.domena) AS
>>>> user, ... as above
>>>> 
>>>>> 2013/9/24 Steffen Kaiser
>>>>> 
>>>>>> On Tue, 24 Sep 2013, Lampa wrote:
>>>>>> 
>>>>>>> a) i think not necessary because of b)
>>>>>>> 
>>>>>>> b) yes password_query and user_query always returns
>>>>>>> rewrited domain (returns main domain, not aliased domain)
>>>>>>> 
>>>>>>> configs: http://pastebin.com/PuZZZ5Pg 
>>>>>>> http://pastebin.com/eJrp769z
>>>>>>> 
>>>>>>>> What's your /etc/dovecot/dovecot-sql.conf.ext ?
>> 
>> - -- Steffen Kaiser

- -- 

Steffen Kaiser

H Bonn-Rhein-Sieg | e-mail: steffen.kai...@h-brs.de
FB Informatik |
Grantham-Allee 20 | phone : +49 2241/865-203
53757 Sankt Augustin  |
Germany - Deutschland | fax   : +49 2241/865-8203

- -- 
Steffen

Re: [Dovecot] Fwd: lmtp

2013-09-24 Thread Lampa
After home to user and password query, log contains weird messages

2013-09-24T14:15:38.704140+02:00 server dovecot: imap(u...@domain.com):
Error: stat(/home/mail/domain.com/user/.dovecot.lda-dupes/tmp) failed: Not
a directory
2013-09-24T14:15:38.724371+02:00 server dovecot: imap(u...@domain.com):
Error: stat(/home/mail/domain.com/user/.dovecot.svbin/tmp) failed: Not a
directory




2013/9/24 Steffen Kaiser 

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> On Tue, 24 Sep 2013, Lampa wrote:
>
>  is thought that home is enough to delivery for LDA/LMTP. On old version
>> was
>> using LDA and works ok.
>>
>
> You use:
>
> mail_location = maildir:/home/mail/%d/%n/**Maildir
>
> and return no mail field in the SQL query. Therefore you depend on a
> correctly set "%d".
>
>
>  Added user to user_query and we will see if helps.
>>
>
> So, you could also return "mail" :-)
>
>
>  BTW doveadm user -u  is right command ?
>>
>> doveadm user -u :
>> -bash: syntax error near unexpected token `newline'
>>
>
> Well, the angle brackets are usually placeholder markers, such as  info> below, but
>
>
>  doveadm user -u u...@domain2.com
>> user: invalid option -- 'u'
>> doveadm user [-a ] [-x ] [-f field] [-m]
>>  [...]
>>
>
> you are right, -u is not correct with this particular command, hence:
>
> doveadm user -u u...@domain2.com
>
>  2013/9/24 Steffen Kaiser 
>>
>>  -BEGIN PGP SIGNED MESSAGE-
>>> Hash: SHA1
>>>
>>> On Tue, 24 Sep 2013, Lampa wrote:
>>>
>>>  Date: Tue, 24 Sep 2013 10:42:41 +0200
>>>
 From: Lampa 
 To: dovecot@dovecot.org
 Subject: Re: [Dovecot] Fwd: lmtp


 driver = mysql

 password_query = SELECT CONCAT(u.uzivatel, '@', d.domena) AS user, u.heslo
 AS password, CONCAT('/home/mail/', d.domena, '/', u.uzivatel) AS
 userdb_home, 111 AS userdb_uid, 114 AS userdb_gid, u.quota AS
 userdb_quota_rule, 'Trash:ignore' AS userdb_quota_rule2 FROM uzivatele AS u
 JOIN domeny AS d ON d.id = u.domeny_id WHERE u.domeny_id = (SELECT
 a.domeny_id_realna FROM domeny_aliasy AS a JOIN domeny AS d ON d.id =
 a.domeny_id_alias JOIN domeny AS dd ON dd.id = a.domeny_id_realna WHERE
 d.domena = '%d' AND d.priznak & 2 = 2 AND d.priznak & 1 = 0 AND dd.priznak
 & 1 = 0 UNION SELECT id FROM domeny WHERE domena = '%d' AND priznak & 2 = 0
 AND priznak & 1 = 0) AND u.uzivatel = '%n' AND u.priznak & 1 = 0

 user_query = SELECT CONCAT('/home/mail/', d.domena, '/', u.uzivatel) AS
 home, 111 AS uid, 114 AS gid, u.quota AS quota_rule, 'Trash:ignore' AS
 quota_rule2 FROM uzivatele AS u JOIN domeny AS d ON d.id = u.domeny_id
 WHERE u.domeny_id = (SELECT a.domeny_id_realna FROM domeny_aliasy AS a JOIN
 domeny AS d ON d.id = a.domeny_id_alias JOIN domeny AS dd ON dd.id =
 a.domeny_id_realna WHERE d.domena = '%d' AND d.priznak & 2 = 2 AND
 d.priznak & 1 = 0 AND dd.priznak & 1 = 0 UNION SELECT id FROM domeny WHERE
 domena = '%d' AND priznak & 2 = 0 AND priznak & 1 = 0) AND u.uzivatel =
 '%n' AND u.priznak & 1 = 0


>>> Dunno if that applies in your situation, but the user_query does not
>>> return "user"; hence "doveadm user -u " should return
>>> domain2.com as the domain. If this applies to LMTP as well, you could try
>>> the following, because there will be no password query beforehand to fill
>>> the prefetch userdb.
>>>
>>> user_query = SELECT CONCAT(u.uzivatel, '@', d.domena) AS user,
>>>  ... as above
>>>
>>>
>>>  2013/9/24 Steffen Kaiser 

  -BEGIN PGP SIGNED MESSAGE-

> Hash: SHA1
>
> On Tue, 24 Sep 2013, Lampa wrote:
>
>> a) i think not necessary because of b)
>>
>> b) yes password_query and user_query always return the rewritten domain
>> (returns main domain, not aliased domain)
>>
>> configs:
>> http://pastebin.com/PuZZZ5Pg
>> http://pastebin.com/eJrp769z
>>
>>
>> What's your /etc/dovecot/dovecot-sql.conf.ext ?
>
>
>
>
> - -- Steffen Kaiser
>
>
>
  - -- Steffen Kaiser

Re: [Dovecot] 2048-bit Diffie-Hellman parameters

2013-09-24 Thread lst_hoe02


Quoting Noel Butler:


On Tue, 2013-09-24 at 04:21 -0500, Stan Hoeppner wrote:




NSA doesn't sniff the wire.  They don't crack encryption.  Neither are



somebody hasn't been paying attention


[OT] Why, they actually use the English TEMPORA to get the data, so at
least in part they don't sniff the wire...










Re: [Dovecot] Fwd: lmtp

2013-09-24 Thread Steffen Kaiser

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Tue, 24 Sep 2013, Lampa wrote:


I thought that home is enough for delivery via LDA/LMTP. On the old version I was
using LDA and it worked ok.


You use:

mail_location = maildir:/home/mail/%d/%n/Maildir

and return no mail field in the SQL query. Therefore you depend on a 
correctly set "%d".



Added user to user_query and we will see if it helps.


So, you could also return "mail" :-)


BTW, is doveadm user -u  the right command?

doveadm user -u :
-bash: syntax error near unexpected token `newline'


Well, the angle brackets are usually placeholder markers, such as info> below, but



doveadm user -u u...@domain2.com
user: invalid option -- 'u'
doveadm user [-a ] [-x ] [-f field] [-m]
 [...]


you are right, -u is not correct with this particular command, hence:

doveadm user -u u...@domain2.com


2013/9/24 Steffen Kaiser 


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Tue, 24 Sep 2013, Lampa wrote:

 Date: Tue, 24 Sep 2013 10:42:41 +0200

From: Lampa 
To: dovecot@dovecot.org
Subject: Re: [Dovecot] Fwd: lmtp


driver = mysql

password_query = SELECT CONCAT(u.uzivatel, '@', d.domena) AS user, u.heslo
AS password, CONCAT('/home/mail/', d.domena, '/', u.uzivatel) AS
userdb_home, 111 AS userdb_uid, 114 AS userdb_gid, u.quota AS
userdb_quota_rule, 'Trash:ignore' AS userdb_quota_rule2 FROM uzivatele AS u
JOIN domeny AS d ON d.id = u.domeny_id WHERE u.domeny_id = (SELECT
a.domeny_id_realna FROM domeny_aliasy AS a JOIN domeny AS d ON d.id =
a.domeny_id_alias JOIN domeny AS dd ON dd.id = a.domeny_id_realna WHERE
d.domena = '%d' AND d.priznak & 2 = 2 AND d.priznak & 1 = 0 AND dd.priznak
& 1 = 0 UNION SELECT id FROM domeny WHERE domena = '%d' AND priznak & 2 = 0
AND priznak & 1 = 0) AND u.uzivatel = '%n' AND u.priznak & 1 = 0

user_query = SELECT CONCAT('/home/mail/', d.domena, '/', u.uzivatel) AS
home, 111 AS uid, 114 AS gid, u.quota AS quota_rule, 'Trash:ignore' AS
quota_rule2 FROM uzivatele AS u JOIN domeny AS d ON d.id = u.domeny_id
WHERE u.domeny_id = (SELECT a.domeny_id_realna FROM domeny_aliasy AS a JOIN
domeny AS d ON d.id = a.domeny_id_alias JOIN domeny AS dd ON dd.id =
a.domeny_id_realna WHERE d.domena = '%d' AND d.priznak & 2 = 2 AND
d.priznak & 1 = 0 AND dd.priznak & 1 = 0 UNION SELECT id FROM domeny WHERE
domena = '%d' AND priznak & 2 = 0 AND priznak & 1 = 0) AND u.uzivatel =
'%n' AND u.priznak & 1 = 0



Dunno if that applies in your situation, but the user_query does not
return "user"; hence "doveadm user -u " should return
domain2.com as the domain. If this applies to LMTP as well, you could try
the following, because there will be no password query beforehand to fill
the prefetch userdb.

user_query = SELECT CONCAT(u.uzivatel, '@', d.domena) AS user,
 ... as above



2013/9/24 Steffen Kaiser 

 -BEGIN PGP SIGNED MESSAGE-

Hash: SHA1

On Tue, 24 Sep 2013, Lampa wrote:

a) i think not necessary because of b)

b) yes password_query and user_query always return the rewritten domain
(returns main domain, not aliased domain)

configs:
http://pastebin.com/PuZZZ5Pg
http://pastebin.com/eJrp769z



What's your /etc/dovecot/dovecot-sql.conf.ext ?



- -- Steffen Kaiser





- -- Steffen Kaiser





- -- 
Steffen Kaiser



Re: [Dovecot] 2048-bit Diffie-Hellman parameters

2013-09-24 Thread Ron Leach

On 24/09/2013 07:48, Marios Titas wrote:


Currently, dovecot generates two primes for Diffie-Hellman key
exchanges: a 512-bit one and a 1024-bit one. In light of recent
events, I think it would be wise to add support for 2048-bit primes as
well, or even better, add a configuration option that lets the user
select a file (or files) containing the DH parameters

[snip]
the case for IMAPS: it is
quite likely that the session data will include the user's
credentials.



Thank you for suggesting this and, in light of the discussion that has 
resulted from your post, may I describe our use-case in the hope it 
might help shed light on why this could be worthwhile?


Most of our work is subject to various non-disclosure obligations, and 
our staff work around the world, on short assignments of a few days, 
maybe a week or so, in countries which have various approaches and 
cultures in respect of confidentiality.  It is vital for us that 
remote access to our mail server does not leak the user logons, 
because then all previous (and future) mail could be read by strangers 
in that country, and indeed by strangers in any country onto which our 
logon credentials were passed.  To leak a private message is one 
thing, but to leak the whole mailboxes of all projects is something 
else completely.  Additionally, if mail user names are also system 
logins, the problem becomes even more serious.


Blackberry (in its Enterprise configuration) was thought to solve this 
use-case, though I've never known what cryptographic techniques RIM 
employ and, in any case, RIM has come under significant pressure from 
several countries and, we suspect, may no longer remain secure.  We'd 
prefer to employ strong Open Source components.


Though counter-party email travels in the clear over SMTP, we'd prefer 
that outbound email from staff (on assignment overseas) is sent from 
outbound mail servers in our own country (submitting via TLS, though 
not part of Dovecot, of course), and we'd prefer that inbound email, 
to the staff's MUA, is not sent in clear while they are on assignment. 
 Using IMAPS we can ensure that mail -> MUA is always encrypted.


A recent post on the OpenSSL list

http://www.mail-archive.com/openssl-users@openssl.org/msg71899.html

reveals that TLS evolution is being actively discussed with a view to 
using stronger cryptography, and that OpenSSL and GNUTLS are divergent 
at the moment (something I hadn't realised).  Within that exchange of 
views, the problem of assuring end-to-end strong security, due to use 
of older or non-compliant components, is mentioned but (sometimes) 
wrongly, in my view, as a reason not to make improvements (yet).  The 
(quite genuine) problem of end-to-end consistency can be solved, we 
feel, if each component is upgraded, so that sysadmins or end-users 
can select compatible building-blocks, including MUAs, when 
implementing their organisation's mail systems.


I support the OP's suggestion.  Could the Dovecot developer(s) 
consider adding support for longer key sizes?


I'd like to ask a further related question, is it possible to run 
Dovecot with GNUTLS instead of OpenSSL?  Even if it is not possible, I 
would still support the inclusion of more DH parameters so that 
Dovecot is 'OpenSSL ready' when OpenSSL does adopt stronger cipher or 
protocol choices.  I can sort out what MUAs we use, or move to.


regards, Ron


Re: [Dovecot] 2048-bit Diffie-Hellman parameters

2013-09-24 Thread Noel Butler
On Tue, 2013-09-24 at 04:21 -0500, Stan Hoeppner wrote:


> 
> NSA doesn't sniff the wire.  They don't crack encryption.  Neither are


somebody hasn't been paying attention





Re: [Dovecot] 2048-bit Diffie-Hellman parameters

2013-09-24 Thread Robert Schetterer
On 24.09.2013 11:32, Stan Hoeppner wrote:
> On 9/24/2013 3:05 AM, Robert Schetterer wrote:
> 
>> you may get problems with older mail clients; on the SMTP side I discovered,
>> e.g., that Netscape 7 is not able to handle anything bigger than 1024,
>> but some more configuration options may be fine anyway
> 
> Netscape 7.2 is *9* years old, 7.0 is *11* years old.  I think I'd be
> right, in fact, there's no way I could be wrong, if I stated:
> 
> Anyone using 9-11 year old software is obviously not concerned about
> security.
> 

however, people are still using it, and this was only one example (there
might be other mail software acting like this). I agree with
your argument; I only want to warn that some support questions might
come up with more secure settings


Best Regards
Kind regards, Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein


Re: [Dovecot] 2048-bit Diffie-Hellman parameters

2013-09-24 Thread Stan Hoeppner
On 9/24/2013 3:05 AM, Robert Schetterer wrote:

> you may get problems with older mail clients; on the SMTP side I discovered,
> e.g., that Netscape 7 is not able to handle anything bigger than 1024,
> but some more configuration options may be fine anyway

Netscape 7.2 is *9* years old, 7.0 is *11* years old.  I think I'd be
right, in fact, there's no way I could be wrong, if I stated:

Anyone using 9-11 year old software is obviously not concerned about
security.

-- 
Stan




Re: [Dovecot] 2048-bit Diffie-Hellman parameters

2013-09-24 Thread Reindl Harald
On 24.09.2013 11:21, Stan Hoeppner wrote:
> On 9/24/2013 1:48 AM, Marios Titas wrote:
>> Currently, dovecot generates two primes for Diffie-Hellman key
>> exchanges: a 512-bit one and a 1024-bit one. In light of recent
>> events, I think it would be wise to add support for 2048-bit primes as
>> well...
> 
> Why play incremental tiddly-winks with the NSA?  
> Go straight to 1048576 bit encryption.

is nothing other than a pointless polemic attitude

> That'll surely keep them out.  Oh, wait, all of your
> email leaves and arrives via public SMTP, which nobody encrypts...

maybe on your server; my logs show the opposite, and since
the "smtp" entries are outgoing messages, your conclusion of "nobody"
is strange

cat maillog | grep smtp | grep -v smtpd | grep TLS | wc -l
12327

cat maillog | grep smtpd | grep TLS | wc -l
13350

cat maillog | grep smtp | grep -v smtpd | grep TLSv1.2 | wc -l
2603

cat maillog | grep smtpd | grep TLSv1.2 | wc -l
2219



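As an added example (not code from the thread or from Postfix), here is a Python version of the counting above that keys on the Postfix process name, so that "smtp" (outgoing) never matches "smtpd" (incoming), and that counts only established TLS sessions rather than every line containing "TLS". The log lines are constructed samples written in Postfix's log format with documentation addresses.

```python
"""Count TLS-protected SMTP sessions per direction in a Postfix log.

Added example, not from the thread. Unlike `grep TLS | wc -l` it counts only
"TLS connection established" events and splits them by process name, so a
warning that merely mentions TLS, or an "smtpd" line matched by "smtp", does
not inflate the numbers.
"""
import re
from collections import Counter

# Constructed sample log (RFC 5737 addresses); the format is Postfix's own.
SAMPLE_LOG = """\
Sep 24 10:01:02 mail postfix/smtp[2101]: Anonymous TLS connection established to mx.example.org[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Sep 24 10:01:09 mail postfix/smtp[2102]: Untrusted TLS connection established to mx.example.net[192.0.2.20]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Sep 24 10:02:15 mail postfix/smtpd[2110]: Anonymous TLS connection established from relay.example.com[198.51.100.5]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Sep 24 10:02:40 mail postfix/smtpd[2111]: Trusted TLS connection established from mta.example.edu[198.51.100.9]: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Sep 24 10:03:01 mail postfix/smtpd[2112]: Anonymous TLS connection established from old.example.info[203.0.113.7]: TLSv1 with cipher AES256-SHA (256/256 bits)
Sep 24 10:03:30 mail postfix/smtpd[2113]: warning: TLS library problem: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
Sep 24 10:04:00 mail postfix/smtp[2103]: 1A2B3C4D5E: to=<bob@example.net>, relay=mx.example.net[192.0.2.20]:25, delay=1.2, status=sent (250 2.0.0 Ok)
"""

# One pattern for both directions: the process name says which side we are on,
# the trust word is how Postfix summarised its certificate verification.
TLS_LINE = re.compile(
    r"postfix/(?P<proc>smtpd?)\[\d+\]: "
    r"(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"(?:to|from) \S+: (?P<proto>TLSv[0-9.]+) with cipher (?P<cipher>\S+)"
)


def tls_stats(lines):
    """Return {"smtp": {...}, "smtpd": {...}} with per-direction counters."""
    stats = {p: {"sessions": 0, "protocol": Counter(), "trust": Counter()}
             for p in ("smtp", "smtpd")}
    for line in lines:
        m = TLS_LINE.search(line)
        if not m:            # delivery status lines, warnings, etc.
            continue
        s = stats[m["proc"]]
        s["sessions"] += 1
        s["protocol"][m["proto"]] += 1
        s["trust"][m["trust"]] += 1
    return stats


def share(stats, proc, proto):
    """Fraction of TLS sessions in one direction that used a given protocol."""
    s = stats[proc]
    return s["protocol"][proto] / s["sessions"] if s["sessions"] else 0.0


if __name__ == "__main__":
    st = tls_stats(SAMPLE_LOG.splitlines())
    for proc in ("smtp", "smtpd"):
        print(proc, st[proc]["sessions"], dict(st[proc]["protocol"]),
              dict(st[proc]["trust"]))
```

On the sample, the `warning: TLS library problem` line would be counted by `grep TLS` but is not a session here, and the trust counter shows how many of those sessions were anything better than "Anonymous".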


Re: [Dovecot] Fwd: lmtp

2013-09-24 Thread Lampa
Hello,

I thought that home is enough for delivery via LDA/LMTP. On the old version I was
using LDA and it worked ok.

Added user to user_query and we will see if it helps.

BTW, is doveadm user -u  the right command?

doveadm user -u :
-bash: syntax error near unexpected token `newline'

doveadm user -u u...@domain2.com
user: invalid option -- 'u'
doveadm user [-a ] [-x ] [-f field] [-m]
 [...]



2013/9/24 Steffen Kaiser 

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> On Tue, 24 Sep 2013, Lampa wrote:
>
>  Date: Tue, 24 Sep 2013 10:42:41 +0200
>> From: Lampa 
>> To: dovecot@dovecot.org
>> Subject: Re: [Dovecot] Fwd: lmtp
>>
>>
>> driver = mysql
>>
>> password_query = SELECT CONCAT(u.uzivatel, '@', d.domena) AS user, u.heslo
>> AS password, CONCAT('/home/mail/', d.domena, '/', u.uzivatel) AS
>> userdb_home, 111 AS userdb_uid, 114 AS userdb_gid, u.quota AS
>> userdb_quota_rule, 'Trash:ignore' AS userdb_quota_rule2 FROM uzivatele AS u
>> JOIN domeny AS d ON d.id = u.domeny_id WHERE u.domeny_id = (SELECT
>> a.domeny_id_realna FROM domeny_aliasy AS a JOIN domeny AS d ON d.id =
>> a.domeny_id_alias JOIN domeny AS dd ON dd.id = a.domeny_id_realna WHERE
>> d.domena = '%d' AND d.priznak & 2 = 2 AND d.priznak & 1 = 0 AND dd.priznak
>> & 1 = 0 UNION SELECT id FROM domeny WHERE domena = '%d' AND priznak & 2 = 0
>> AND priznak & 1 = 0) AND u.uzivatel = '%n' AND u.priznak & 1 = 0
>>
>> user_query = SELECT CONCAT('/home/mail/', d.domena, '/', u.uzivatel) AS
>> home, 111 AS uid, 114 AS gid, u.quota AS quota_rule, 'Trash:ignore' AS
>> quota_rule2 FROM uzivatele AS u JOIN domeny AS d ON d.id = u.domeny_id
>> WHERE u.domeny_id = (SELECT a.domeny_id_realna FROM domeny_aliasy AS a JOIN
>> domeny AS d ON d.id = a.domeny_id_alias JOIN domeny AS dd ON dd.id =
>> a.domeny_id_realna WHERE d.domena = '%d' AND d.priznak & 2 = 2 AND
>> d.priznak & 1 = 0 AND dd.priznak & 1 = 0 UNION SELECT id FROM domeny WHERE
>> domena = '%d' AND priznak & 2 = 0 AND priznak & 1 = 0) AND u.uzivatel =
>> '%n' AND u.priznak & 1 = 0
>>
>
> Dunno if that applies in your situation, but the user_query does not
> return "user"; hence "doveadm user -u " should return
> domain2.com as the domain. If this applies to LMTP as well, you could try
> the following, because there will be no password query beforehand to fill
> the prefetch userdb.
>
> user_query = SELECT CONCAT(u.uzivatel, '@', d.domena) AS user,
>  ... as above
>
>
>> 2013/9/24 Steffen Kaiser 
>>
>>  -BEGIN PGP SIGNED MESSAGE-
>>> Hash: SHA1
>>>
>>> On Tue, 24 Sep 2013, Lampa wrote:
>>>
>>> a) i think not necessary because of b)
>>>
>>> b) yes password_query and user_query always return the rewritten domain
>>> (returns main domain, not aliased domain)

 configs:
 http://pastebin.com/PuZZZ5Pg
 http://pastebin.com/eJrp769z


>>> What's your /etc/dovecot/dovecot-sql.conf.ext ?
>>>
>>>
>>>
>>> - -- Steffen Kaiser
>>>
>>>
>>
> - -- Steffen Kaiser
>


Re: [Dovecot] 2048-bit Diffie-Hellman parameters

2013-09-24 Thread Stan Hoeppner
On 9/24/2013 1:48 AM, Marios Titas wrote:
> Currently, dovecot generates two primes for Diffie-Hellman key
> exchanges: a 512-bit one and a 1024-bit one. In light of recent
> events, I think it would be wise to add support for 2048-bit primes as
> well...

Why play incremental tiddly-winks with the NSA?  Go straight to 1048576
bit encryption.  That'll surely keep them out.  Oh, wait, all of your
email leaves and arrives via public SMTP, which nobody encrypts...

NSA doesn't sniff the wire.  They don't crack encryption.  Neither are
cost effective.  They go straight to the source, intimidating the
service provider into giving them the data, unencrypted.  Or they don't
get the data at all.  So how does greater encryption help anyone "in
light of recent events"?

-- 
Stan





Re: [Dovecot] Fwd: lmtp

2013-09-24 Thread Steffen Kaiser

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Tue, 24 Sep 2013, Lampa wrote:


Date: Tue, 24 Sep 2013 10:42:41 +0200
From: Lampa 
To: dovecot@dovecot.org
Subject: Re: [Dovecot] Fwd: lmtp

driver = mysql

password_query = SELECT CONCAT(u.uzivatel, '@', d.domena) AS user, u.heslo
AS password, CONCAT('/home/mail/', d.domena, '/', u.uzivatel) AS
userdb_home, 111 AS userdb_uid, 114 AS userdb_gid, u.quota AS
userdb_quota_rule, 'Trash:ignore' AS userdb_quota_rule2 FROM uzivatele AS u
JOIN domeny AS d ON d.id = u.domeny_id WHERE u.domeny_id = (SELECT
a.domeny_id_realna FROM domeny_aliasy AS a JOIN domeny AS d ON d.id =
a.domeny_id_alias JOIN domeny AS dd ON dd.id = a.domeny_id_realna WHERE
d.domena = '%d' AND d.priznak & 2 = 2 AND d.priznak & 1 = 0 AND dd.priznak
& 1 = 0 UNION SELECT id FROM domeny WHERE domena = '%d' AND priznak & 2 = 0
AND priznak & 1 = 0) AND u.uzivatel = '%n' AND u.priznak & 1 = 0

user_query = SELECT CONCAT('/home/mail/', d.domena, '/', u.uzivatel) AS
home, 111 AS uid, 114 AS gid, u.quota AS quota_rule, 'Trash:ignore' AS
quota_rule2 FROM uzivatele AS u JOIN domeny AS d ON d.id = u.domeny_id
WHERE u.domeny_id = (SELECT a.domeny_id_realna FROM domeny_aliasy AS a JOIN
domeny AS d ON d.id = a.domeny_id_alias JOIN domeny AS dd ON dd.id =
a.domeny_id_realna WHERE d.domena = '%d' AND d.priznak & 2 = 2 AND
d.priznak & 1 = 0 AND dd.priznak & 1 = 0 UNION SELECT id FROM domeny WHERE
domena = '%d' AND priznak & 2 = 0 AND priznak & 1 = 0) AND u.uzivatel =
'%n' AND u.priznak & 1 = 0


Dunno if that applies in your situation, but the user_query does not 
return "user"; hence "doveadm user -u " should return 
domain2.com as the domain. If this applies to LMTP as well, you could try 
the following, because there will be no password query beforehand to fill 
the prefetch userdb.


user_query = SELECT CONCAT(u.uzivatel, '@', d.domena) AS user,
 ... as above



2013/9/24 Steffen Kaiser 


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Tue, 24 Sep 2013, Lampa wrote:

a) i think not necessary because of b)

b) yes password_query and user_query always return the rewritten domain
(returns main domain, not aliased domain)

configs:
http://pastebin.com/PuZZZ5Pg
http://pastebin.com/eJrp769z



What's your /etc/dovecot/dovecot-sql.conf.ext ?


- -- Steffen Kaiser





- -- 
Steffen Kaiser


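As an added example (not code from the thread or from the Dovecot project), the Python script below re-creates a tiny version of Lampa's MySQL schema in SQLite, runs his user_query with and without the "user" field Steffen suggests returning, and then expands mail_location the way Dovecot does, so the effect of the alias domain on the Maildir path is visible. The table and column names come from the query on the page; the meaning of the priznak bits (1 = disabled, 2 = alias domain) is inferred from it, CONCAT() is written as || for SQLite, and all rows are constructed sample data.

```python
"""Why returning "user" from user_query matters for alias domains.

Added example, not from the Dovecot project or the thread's authors. It
re-creates a tiny version of the poster's schema in SQLite and runs his
user_query, with and without the "user" field Steffen suggests returning.

Assumptions (inferred from the query on the page): priznak bit 1 = disabled,
bit 2 = the domain is an alias; CONCAT() is written as || for SQLite.
"""
import sqlite3

MAIL_LOCATION = "maildir:/home/mail/%d/%n/Maildir"   # from the thread

# Lampa's user_query adapted to SQLite: CONCAT(...) -> ||, and '%n'/'%d'
# become bound parameters so the values are never pasted into the SQL text.
USER_QUERY = """
SELECT u.uzivatel || '@' || d.domena                    AS user,
       '/home/mail/' || d.domena || '/' || u.uzivatel   AS home,
       111 AS uid, 114 AS gid,
       u.quota AS quota_rule, 'Trash:ignore' AS quota_rule2
  FROM uzivatele AS u
  JOIN domeny AS d ON d.id = u.domeny_id
 WHERE u.domeny_id = (
         SELECT a.domeny_id_realna
           FROM domeny_aliasy AS a
           JOIN domeny AS d  ON d.id  = a.domeny_id_alias
           JOIN domeny AS dd ON dd.id = a.domeny_id_realna
          WHERE d.domena = :d AND d.priznak & 2 = 2
            AND d.priznak & 1 = 0 AND dd.priznak & 1 = 0
         UNION
         SELECT id FROM domeny
          WHERE domena = :d AND priznak & 2 = 0 AND priznak & 1 = 0)
   AND u.uzivatel = :n AND u.priznak & 1 = 0
"""


def build_db() -> sqlite3.Connection:
    """Constructed sample data: domain1.com is real, domain2.com aliases it."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript("""
        CREATE TABLE domeny (id INTEGER PRIMARY KEY, domena TEXT, priznak INTEGER);
        CREATE TABLE domeny_aliasy (domeny_id_alias INTEGER, domeny_id_realna INTEGER);
        CREATE TABLE uzivatele (id INTEGER PRIMARY KEY, uzivatel TEXT, heslo TEXT,
                                quota TEXT, priznak INTEGER, domeny_id INTEGER);
        INSERT INTO domeny VALUES (1, 'domain1.com', 0);   -- real domain
        INSERT INTO domeny VALUES (2, 'domain2.com', 2);   -- alias of domain1.com
        INSERT INTO domeny VALUES (3, 'old.example', 1);   -- disabled domain
        INSERT INTO domeny_aliasy VALUES (2, 1);
        INSERT INTO uzivatele VALUES (1, 'user', 'x', '*:storage=1G', 0, 1);
        INSERT INTO uzivatele VALUES (2, 'gone', 'x', '*:storage=1G', 1, 1); -- disabled
    """)
    return conn


def userdb_lookup(conn, n, d, return_user_field):
    """Run user_query for local part n / domain d; None means user unknown."""
    row = conn.execute(USER_QUERY, {"n": n, "d": d}).fetchone()
    if row is None:
        return None
    fields = dict(row)
    if not return_user_field:      # the poster's original query lacks "user"
        del fields["user"]
    return fields


def effective_mail_location(lookup_name, fields):
    """Expand %d/%n as Dovecot does: from the "user" field when the userdb
    returned one, otherwise from the name the lookup was made with."""
    n, d = fields.get("user", lookup_name).split("@", 1)
    return MAIL_LOCATION.replace("%d", d).replace("%n", n)


def resolve(conn, address, return_user_field):
    """Full picture for one recipient address, or None if it is unknown."""
    n, d = address.split("@", 1)
    fields = userdb_lookup(conn, n, d, return_user_field)
    if fields is None:
        return None
    return {"user": fields.get("user", address), "home": fields["home"],
            "mail_location": effective_mail_location(address, fields)}


if __name__ == "__main__":
    db = build_db()
    for ret in (False, True):
        print("user field returned:", ret, resolve(db, "user@domain2.com", ret))
```

Without the "user" field the SQL already resolves home to domain1.com, yet %d in mail_location still expands to the alias domain2.com, which is exactly the wrong Maildir path Lampa saw; returning "user" fixes both.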

Re: [Dovecot] Fwd: lmtp

2013-09-24 Thread Lampa
driver = mysql

password_query = SELECT CONCAT(u.uzivatel, '@', d.domena) AS user, u.heslo
AS password, CONCAT('/home/mail/', d.domena, '/', u.uzivatel) AS
userdb_home, 111 AS userdb_uid, 114 AS userdb_gid, u.quota AS
userdb_quota_rule, 'Trash:ignore' AS userdb_quota_rule2 FROM uzivatele AS u
JOIN domeny AS d ON d.id = u.domeny_id WHERE u.domeny_id = (SELECT
a.domeny_id_realna FROM domeny_aliasy AS a JOIN domeny AS d ON d.id =
a.domeny_id_alias JOIN domeny AS dd ON dd.id = a.domeny_id_realna WHERE
d.domena = '%d' AND d.priznak & 2 = 2 AND d.priznak & 1 = 0 AND dd.priznak
& 1 = 0 UNION SELECT id FROM domeny WHERE domena = '%d' AND priznak & 2 = 0
AND priznak & 1 = 0) AND u.uzivatel = '%n' AND u.priznak & 1 = 0

user_query = SELECT CONCAT('/home/mail/', d.domena, '/', u.uzivatel) AS
home, 111 AS uid, 114 AS gid, u.quota AS quota_rule, 'Trash:ignore' AS
quota_rule2 FROM uzivatele AS u JOIN domeny AS d ON d.id = u.domeny_id
WHERE u.domeny_id = (SELECT a.domeny_id_realna FROM domeny_aliasy AS a JOIN
domeny AS d ON d.id = a.domeny_id_alias JOIN domeny AS dd ON dd.id =
a.domeny_id_realna WHERE d.domena = '%d' AND d.priznak & 2 = 2 AND
d.priznak & 1 = 0 AND dd.priznak & 1 = 0 UNION SELECT id FROM domeny WHERE
domena = '%d' AND priznak & 2 = 0 AND priznak & 1 = 0) AND u.uzivatel =
'%n' AND u.priznak & 1 = 0



2013/9/24 Steffen Kaiser 

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> On Tue, 24 Sep 2013, Lampa wrote:
>
>  a) i think not necessary because of b)
>> b) yes password_query and user_query always return the rewritten domain
>> (returns main domain, not aliased domain)
>>
>> configs:
>> http://pastebin.com/PuZZZ5Pg
>> http://pastebin.com/eJrp769z
>>
>
> What's your /etc/dovecot/dovecot-sql.conf.ext ?
>
>
> - -- Steffen Kaiser
>


Re: [Dovecot] Fwd: lmtp

2013-09-24 Thread Steffen Kaiser

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Tue, 24 Sep 2013, Lampa wrote:


a) i think not necessary because of b)
b) yes password_query and user_query always return the rewritten domain
(returns main domain, not aliased domain)

configs:
http://pastebin.com/PuZZZ5Pg
http://pastebin.com/eJrp769z


What's your /etc/dovecot/dovecot-sql.conf.ext ?

- -- 
Steffen Kaiser



Re: [Dovecot] 2048-bit Diffie-Hellman parameters

2013-09-24 Thread Robert Schetterer
On 24.09.2013 08:48, Marios Titas wrote:
> Currently, dovecot generates two primes for Diffie-Hellman key
> exchanges: a 512-bit one and a 1024-bit one. In light of recent
> events, I think it would be wise to add support for 2048-bit primes as
> well, or even better, add a configuration option that lets the user
> select a file (or files) containing the DH parameters
> 
> In recent years, there has been increased interest in DH especially in
> its ephemeral version (DHE) because it provides perfect forward
> secrecy. In that context, the use of 1024-bit parameters might not
> seem such a terrible idea: if someone cracks the ephemeral key then
> they will only gain access to the data exchanged during that
> particular session. Therefore, it might not be worth the effort to
> crack such a key. But this is certainly not the case for IMAPS: it is
> quite likely that the session data will include the user's
> credentials.
> 

you may get problems with older mail clients; on the SMTP side I discovered,
e.g., that Netscape 7 is not able to handle anything bigger than 1024,
but some more configuration options may be fine anyway

Best Regards
Kind regards, Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein


Re: [Dovecot] Fwd: lmtp

2013-09-24 Thread Lampa
Hello,

a) i think not necessary because of b)
b) yes password_query and user_query always return the rewritten domain
(returns main domain, not aliased domain)

configs:
http://pastebin.com/PuZZZ5Pg
http://pastebin.com/eJrp769z


2013/9/24 Steffen Kaiser 

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
>
> On Fri, 20 Sep 2013, Lampa wrote:
>
>  using dovecot with postfix with mysql. Some domains have alias. Local
>> delivery is realized over lmtp.
>>
>> When lmtp delivery to aliased domains, it takes bad mail_location - it
>> takes aliased instead real domain, so lmtp is creating domain and user
>> directory. Lmtp doesn't make sql lookup. I need lmtp delivery to real
>> domain and i don't want to create symlinks.
>>
>> mail_location = maildir:/home/mail/%d/%n/Maildir
>> real domain: domain1.com
>> aliased domain: domain2.com
>>
>> rcpt: u...@domain2.com
>>
>> lmtp delivers the message to
>> /home/mail/domain2.com/user/Maildir instead of
>> /home/mail/domain1.com/user/Maildir
>>
>
> without doveconf -n and, in this case, postfix configuration, nobody can
> really help you. But:
>
> Postfix seems to deliver the message to recipient u...@domain2.com via
> LMTP. Dovecot verifies u...@domain2.com as valid. How should Dovecot know
> that u...@domain2.com is u...@domain1.com ?
>
> So, either:
> a) reconfigure postfix to rewrite u...@domain2.com into
> user@domain1.com before the message is passed to LMTP, or
>
> b) have your Dovecot userdb rewrite the user. Return the field "user" with
> the correct domain.
>
> - -- Steffen Kaiser
>


[Dovecot] can't dovecot tls/ssl to openldap

2013-09-24 Thread 牧原
Hi,

I want Dovecot to connect to OpenLDAP with SSL/TLS, and I get an error.
Without TLS/SSL it works ok.

From /var/log/maillog I got:

Sep 24 05:38:03 mail dovecot: auth: Error: LDAP: ldap_start_tls_s() failed:
Connect error
Sep 24 05:38:03 mail dovecot: auth: Error: LDAP: ldap_start_tls_s() failed:
Can't contact LDAP server
Sep 24 05:38:03 mail dovecot: auth: Error: LDAP: ldap_start_tls_s() failed:
Can't contact LDAP server
Sep 24 05:38:05 mail dovecot: pop3-login: Disconnected (auth failed, 1
attempts in 2 secs): user=, method=PLAIN, rip=192.168.100.99,
lip=10.10.120.20, TLS: Disconnected, session=
Sep 24 05:38:11 mail dovecot: auth: Error: LDAP: ldap_start_tls_s() failed:
Can't contact LDAP server
Sep 24 05:38:13 mail dovecot: pop3-login: Disconnected (auth failed, 1
attempts in 6 secs): user=, method=PLAIN, rip=192.168.100.99,
lip=10.10.120.20, TLS: Disconnected, session=<2T761RPnXADAqGRj>

But when I use ldapsearch it also seems ok. I run this from the Dovecot host:

ldapsearch -D "cn=dovecot,ou=bindusers,dc=smuy,dc=net" -W -H ldap://ldap.sv.hm -b "ou=accounts,dc=smuy,dc=net" -ZZ

and it works ok.

So I have no idea where to check. Or how can I get a more detailed log from
Dovecot for that connection?

Sep 24 05:38:03 mail dovecot: auth: Error: LDAP: ldap_start_tls_s() failed:
Connect error

Because with ldapsearch both TLS and SSL work well, why does Dovecot get a
connect error? What exactly happens in this connection?

Here is my dovecot-ldap.conf.ext:

# This file is commonly accessed via passdb {} or userdb {} section in
# conf.d/auth-ldap.conf.ext
# Space separated list of LDAP hosts to use. host:port is allowed too.

#hosts = ldap.sv.hm
#uris = ldaps://ldap.sv.hm:636/
uris = ldap://ldap.sv.hm:389/
dn = cn=dovecot,ou=bindusers,dc=smuy,dc=net
dnpass = 1qaz2wsx

#sasl_bind = no
#sasl_mech =
#sasl_realm =
#sasl_authz_id =

# Use TLS to connect to the LDAP server.
tls = yes
#tls = no
tls_ca_cert_file = /etc/ssl/certs/ca/signing-ca.crt
tls_ca_cert_dir = /etc/ssl/certs/ca
#tls_cipher_suite =
# TLS cert/key is used only if LDAP server requires a client certificate.
#tls_cert_file = /etc/ssl/certs/mail.crt
#tls_key_file = /etc/ssl/private/mail.key
# Valid values: never, hard, demand, allow, try
#tls_require_cert = never

Hoping to see some suggestions!

Great thanks!

muyuan

 



[Dovecot] Apple IOS 7 Mail APP uses multi body searches by default

2013-09-24 Thread Urban Loesch

Hi,

today we found this blogpost:

http://blog.fastmail.fm/2013/09/17/ios-7-mail-app-uses-multi-folder-body-searches-by-default/

Do you have any idea whether this could impact the performance of Dovecot using the mdbox 
format with a 10MB per-file size and zlib enabled?


Thanks and regards
Urban Loesch