[Dovecot] fail2ban

2013-10-03 Thread Nick Edwards
For dovecot 2.1

As per wiki2, is this still valid? I noticed a problem before and saw it does seem to be triggering. I use:

maxretry = 6
findtime = 600
bantime = 3600

and there were something like 2400 hits in 4 minutes. It is pointing to the correct log file, but I am no expert with fail2ban, so I am not sure whether today's log format is compatible with the wiki2 entry.


filter.d/dovecot.conf
[Definition]
failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
ignoreregex =

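To check whether a failregex of this shape still matches the Dovecot 2.x log format, here is an added Python example (not from the post, the wiki, or fail2ban itself) that applies the same expression, with the `(?P<host>...)` group fail2ban needs, to a few constructed syslog-style lines and reproduces fail2ban's maxretry/findtime window counting. The host name `mx`, the addresses, the user names and the log lines are all made up for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# The failregex from the post, with the named group fail2ban needs (rip=(?P<host>...)).
DOVECOT_FAILREGEX = re.compile(
    r"(?: pop3-login|imap-login): "
    r"(?:Authentication failure|Aborted login \(auth failed|"
    r"Aborted login \(tried to use disabled|Disconnected \(auth failed)"
    r".*rip=(?P<host>\S*),.*"
)

# Constructed sample lines in Dovecot 2.1/2.2 syslog format; they are not from the post.
# 192.0.2.10 fails six times inside ten minutes, 198.51.100.7 once, and one line is a
# successful login that the filter must ignore.
SAMPLE_LOG = """\
Oct  3 12:24:30 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, TLS
Oct  3 12:24:31 mx dovecot: pop3-login: Aborted login (auth failed, 3 attempts in 8 secs): user=<alice>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1
Oct  3 12:24:32 mx dovecot: imap-login: Login: user=<carol>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1, mpid=4242, TLS
Oct  3 12:24:33 mx dovecot: imap-login: Aborted login (tried to use disabled plaintext auth): rip=198.51.100.7, lip=192.0.2.1
Oct  3 12:24:35 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, TLS
Oct  3 12:25:10 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<bob>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, TLS
Oct  3 12:27:00 mx dovecot: pop3-login: Disconnected (auth failed, 2 attempts in 5 secs): user=<root>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1
Oct  3 12:30:15 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, TLS
"""


def extract_failure(line):
    """Return the rip= host if the line matches the failregex, else None."""
    m = DOVECOT_FAILREGEX.search(line)
    return m.group("host") if m else None


def parse_failures(log_text):
    """Return [(timestamp, host)] for every matching line, in log order.

    Syslog timestamps carry no year; strptime defaults to 1900, which is fine
    because only the differences between timestamps matter here.
    """
    failures = []
    for line in log_text.splitlines():
        host = extract_failure(line)
        if host is None:
            continue
        ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")
        failures.append((ts, host))
    return failures


def hosts_to_ban(failures, maxretry=6, findtime=600):
    """Sliding-window count like fail2ban's: a host is banned once it has
    `maxretry` failures whose timestamps all lie within `findtime` seconds.
    Returns {host: timestamp of the failure that triggered the ban}."""
    window = defaultdict(deque)
    banned = {}
    for ts, host in failures:
        q = window[host]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry and host not in banned:
            banned[host] = ts
    return banned


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG)
    print(f"{len(fails)} failure lines matched")
    for host, when in hosts_to_ban(fails).items():
        print(f"ban {host} at {when.strftime('%b %d %H:%M:%S')}")
```

With the posted settings (maxretry = 6, findtime = 600) only 192.0.2.10 crosses the threshold; the successful `Login:` line is ignored, and the single disabled-plaintext attempt from 198.51.100.7 is counted but never banned. If a real log produces thousands of hits and no bans, the first thing to verify is that a line from that log returns a host from `extract_failure`, i.e. that the reason strings and the `rip=...,` field are present in the format the regex expects.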

Re: [Dovecot] Can sieve filter mail based on emails earlier in the thread?

2013-10-03 Thread Stan Hoeppner
On 10/3/2013 1:43 AM, Hugh Davenport wrote:
> Basically I want the following scenario:
> 
> Subscribe to lots of mailing lists
> - each filtered into separate folders
> 
> When I participate in a thread (by starting it, replying to it, or ...
> setting a flag on an email
> in the thread)
> - filter into the particular mailing list folder
> - AND filter into INBOX (or another folder of my choosing)
> 
> I'm thinking for this, the first two can have rules that take into
> account In-Reference-To and
> using my domain. But the third case of using a flag... that seems to
> require referencing earlier
> emails in the thread.
> 
> Is this possible in sieve? Or am I barking up the wrong tree?

So you simply want to make it easier to find your own posts on a busy
list?  Might I suggest you simply use flags instead of copying the msgs
to another folder?  See:

Flagging or Highlighting your mail

http://wiki2.dovecot.org/Pigeonhole/Sieve/Examples



-- 
Stan



[Dovecot] Proxy to gmail help

2013-10-03 Thread Alex Wanderley
Hello,

I understand that using Dovecot as a forward proxy to Gmail is very popular (and even trivial), but my lack of Dovecot experience took me to a point where I truly need your help...

I'm starting my task by trying to have something simple, where I can test
connectivity to Gmail by sending a telnet to our Dovecot server.

The Dovecot server accepts the telnet request, but for some reason (and
here I guess is something related to SSL/TLS), I can't get to Gmail.

Here my configuration and logs/outputs:

==> OS:
  * I'm using an old Centos 5.8 server as a proof of concept.
#
==> Dovecot configuration:
# 2.2.5: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.18-308.8.2.el5xen x86_64 CentOS release 5.8 (Final)
auth_cache_negative_ttl = 10 mins
auth_cache_size = 1 k
auth_cache_ttl = 10 mins
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = cram-md5 digest-md5 apop login plain
auth_username_chars =
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@%
auth_username_translation =
%@AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz
auth_verbose = yes
base_dir = /var/run/dovecot/
disable_plaintext_auth = no
listen = XXX.XXX.XXX.XXX
login_greeting = Dovecot Ready
login_log_format_elements = %u %r %m %c
mail_debug = yes
mail_max_userip_connections = 100
passdb {
  args = /etc/dovecot/sql.conf
  driver = sql
}
protocols = pop3
service pop3-login {
  client_limit = 200
  inet_listener pop3 {
address = dovecotserver.
port = 110
  }
  process_limit = 1
  process_min_avail = 1
  service_count = 0
  vsz_limit = 256 M
}
shutdown_clients = no
ssl_ca = /etc/pki/dovecot/certs/dovecot.pem
ssl_cert = <
[...]
#
==> sql.conf file
driver = mysql
connect = host=/var/lib/mysql/mysql.sock dbname=mysql user=root
password=xx
password_query = SELECT NULL AS password, host, destuser, proxy, 'Y' AS starttls, '995' AS port, 'Y' AS nopassword FROM DovecotProxy WHERE user = '%u'
#
==> DovecotProxy table
mysql> select * from DovecotProxy where user = 'MYUSER';
+--------+---------------+------------------+-----------------------------------------------+-------+
| user   | host          | destuser         | password                                      | proxy |
+--------+---------------+------------------+-----------------------------------------------+-------+
| MYUSER | pop.gmail.com | myu...@gmail.com | {MD5-CRYPT}$1$L824LVh4$r.hyZicsE5tmGaeJrY/dw/ | Y     |
+--------+---------------+------------------+-----------------------------------------------+-------+

##>> I understand "proxy" and "password" are not required there. That
happened for testing.
#
==> Telnet session:
xx [/tmp] > telnet dovecotserver 110
Trying XXX.XXX.XXX.XXX...
Connected to dovecotserver.
Escape character is '^]'.
+OK Dovecot Ready <6111.1.524dad13.VYOVkhqfe1Ox7Wz+VfogMg==@dovecotserver>
user MYUSER
+OK
pass PASSWD
-ERR Account is temporarily unavailable.
quit
+OK Logging out
Connection to dovecotserver closed by foreign host.
#
==> Logged messages in /var/log/maillog:
Oct  3 12:23:02 dovecotserver dovecot: master: Warning: Killed with signal 15 (by pid=26790 uid=0 code=kill)
Oct  3 12:23:53 dovecotserver dovecot: master: Dovecot v2.2.5 starting up (core dumps disabled)
Oct  3 12:23:53 dovecotserver dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
Oct  3 12:23:53 dovecotserver dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_mysql.so
Oct  3 12:23:53 dovecotserver dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_pgsql.so
Oct  3 12:23:53 dovecotserver dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
Oct  3 12:23:53 dovecotserver dovecot: auth: Debug: Read auth token secret from /var/run/dovecot//auth-token-secret.dat
Oct  3 12:23:53 dovecotserver dovecot: auth: Debug: auth client connected (pid=26810)
Oct  3 12:24:30 dovecotserver dovecot: auth: Debug: client in: AUTH  1  PLAIN  service=pop3  session=/IH8S9rnzACiat/X  lip=162.106.XXX.YYY  rip=162.106.XXX.ZZZ  lport=110  rport=37836  resp=AHNtYXJ0YnVzZWRtAHMwbWV0aGluZw== (previous base64 data may contain sensitive data)
Oct  3 12:24:30 dovecotserver dovecot: auth: Debug: cache(MYUSER,162.106.223.215,): miss
Oct  3 12:24:30 dovecotserver dovecot: auth-worker(26823): Debug: Loading modules from directory: /usr/lib64/dovecot/auth
Oct  3 12:24:30 dovecotserver dovecot: auth-worker(26823): Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_mysql.so
Oct  3 12:24:30 dovecotserver dovecot: auth-worker(26823): Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_pgsql.so
Oct  3 12:24:30 dovecotserver dovecot: auth-worker(26823): Debug: Module loaded: /usr/lib64/dovecot/auth/libdri

Re: [Dovecot] fts-solr indexer-worker connects to wrong solr host dovecot-2.2.4

2013-10-03 Thread Richard Platel
Did some more digging.

The problem is that the fts-solr plugin has a global solr_conn pointer, that 
persists between users.  I think this patch fixes the problem:

--- a/dovecot/fts_solr_plugin/fts-solr-plugin.c
+++ b/dovecot/fts_solr_plugin/fts-solr-plugin.c
@@ -50,6 +50,13 @@ static void fts_solr_mail_user_create(struct mail_user 
*user, const char *env)
 {
struct fts_solr_user *fuser;

+   /** solr URL may be different per-user **/
+   if (solr_conn != NULL) {
+   solr_connection_deinit(solr_conn);
+   solr_conn = NULL;
+   }
+   /**/
+
fuser = p_new(user->pool, struct fts_solr_user, 1);
if (fts_solr_plugin_init_settings(user, &fuser->set, env) < 0) {
/* invalid settings, disabling */
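Review bot: the deinit of the global solr_conn at the top of fts_solr_mail_user_create works around process-wide state rather than removing it: it tears the connection down for every user the worker creates, including one whose settings then fail in fts_solr_plugin_init_settings just below, and it assumes no other mail_user in the same process still holds the pointer. The more robust fix is to keep the connection per user (for example in struct fts_solr_user, next to fuser->set) and only reconnect when the configured url differs from the one the existing connection was built with. At minimum the comment should state that intent instead of the bare `/** solr URL may be different per-user **/`, and the empty `/**/` line should go.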


On 2013-10-02, at 3:28 PM, Richard Platel  wrote:

> I've confirmed that this problem still exists in 2.2.5
> 
> It seems that indexer-worker only init's plugins at startup, so the fts_solr 
> plugin is holding the url= parameter from the first user.
> 
> The problem doesn't happen if the indexer-worker process is idle-killed 
> between users.  A new process starts up with the new user's userdb settings.
> 
> I thought I could work around this problem by adjusting indexer-worker's 
> settings:
> 
> service indexer-worker {
>  service_count = 1
>  idle_kill = 1
> }
> 
> but these changes don't seem to have any effect, the indexer-worker process 
> still hangs around idling after indexing a user, and isn't idle-killed for 
> upwards of a minute.
> 
> Any help?
> 
> 
> On 2013-09-27, at 11:46 AM, Richard Platel  wrote:
> 
>> Hello.  
>> We're setting up fts solr and want to have the solr server host be set 
>> per-user via UserDB.
>> 
>> It looks like if a user connects and fts indexes mail, and then another user 
>> connects and indexes mail, indexer-worker is connecting to the first user's 
>> fts host:
>> 
>> User1, ham...@rp-auth-test.com connects, does a SEARCH for the first time, 
>> indexer-worker gets UserDB settings and correctly indexes mail on ftsvs01:
>> 
>> [...]
>> auth-worker(2195): Debug: dict(ham...@rp-auth-test.com): lookup 
>> shared/userdb/ham...@rp-auth-test.com
>> auth-worker(2195): Debug: dict(ham...@rp-auth-test.com): result: 
>> {"uid":"8","fts":"solr","quota_rule4":"Spam:ignore","_session":"talk15_590ec6d100042","quota_rule3":"Trash:ignore","quota_rule2":"*:messages=2684354","quota_rule":"*:storage=5242880k","mail":"maildir:/mail/mailstore01/215/573/ham...@rp-auth-test.com/:INDEX=/mail/index01/215/573/ham...@rp-auth-test.com/","fts_solr":"debug
>>  url=http://ftsvs01:8080/solr/","gid":"8"}
>> auth: Debug: userdb out: USER   1   ham...@rp-auth-test.com uid=8   
>> fts=solrquota_rule4=Spam:ignore _session=talk15_590ec6d100042   
>> quota_rule3=Trash:ignorequota_rule2=*:messages=2684354  
>> quota_rule=*:storage=5242880k   
>> mail=maildir:/mail/mailstore01/215/573/ham...@rp-auth-test.com/:INDEX=/mail/index01/215/573/ham...@rp-auth-test.com/
>> fts_solr=debug url=http://ftsvs01:8080/solr/gid=8
>> indexer-worker: Debug: auth input: ham...@rp-auth-test.com uid=8 fts=solr 
>> quota_rule4=Spam:ignore _session=talk15_590ec6d100042 
>> quota_rule3=Trash:ignore quota_rule2=*:messages=2684354 
>> quota_rule=*:storage=5242880k 
>> mail=maildir:/mail/mailstore01/215/573/ham...@rp-auth-test.com/:INDEX=/mail/index01/215/573/ham...@rp-auth-test.com/
>>  fts_solr=debug url=http://ftsvs01:8080/solr/ gid=8
>> indexer-worker: Debug: Added userdb setting: 
>> plugin/_session=talk15_590ec6d100042
>> indexer-worker: Debug: Added userdb setting: plugin/fts=solr
>> indexer-worker: Debug: Added userdb setting: plugin/fts_solr=debug 
>> url=http://ftsvs01:8080/solr/
>> indexer-worker: Debug: Added userdb setting: 
>> mail=maildir:/mail/mailstore01/215/573/ham...@rp-auth-test.com/:INDEX=/mail/index01/215/573/ha
>> m...@rp-auth-test.com/
>> indexer-worker: Debug: Added userdb setting: 
>> plugin/quota_rule=*:storage=5242880k
>> indexer-worker: Debug: Added userdb setting: 
>> plugin/quota_rule2=*:messages=2684354
>> indexer-worker: Debug: Added userdb setting: plugin/quota_rule3=Trash:ignore
>> indexer-worker: Debug: Added userdb setting: plugin/quota_rule4=Spam:ignore
>> indexer-worker(ham...@rp-auth-test.com): Debug: Effective uid=8, gid=8, home=
>> indexer-worker(ham...@rp-auth-test.com): Debug: Namespace inbox: 
>> type=private, prefix=, sep=, inbox=yes, hidden=no, list=yes, subscriptions
>> =yes 
>> location=maildir:/mail/mailstore01/215/573/ham...@rp-auth-test.com/:INDEX=/mail/index01/215/573/ham...@rp-auth-test.com/
>> indexer-worker(ham...@rp-auth-test.com): Debug: maildir++: 
>> root=/mail/mailstore01/215/573/ham...@rp-auth-test.com, 
>> index=/mail/index01/215/
>> 573/ham...@rp-auth-test.com, indexpvt=, control=, 
>> inbox=/mail/mailstore01/215/573/ham...@rp-auth-test.com, alt=
>> indexer-worker(ham...@rp-auth-test.com): Debug: Ignoring unknown cache 
>> field: pop3.order
>> indexer-worker(ham...@rp-auth-test

Re: [Dovecot] Username issue with Dovecot LDA, IMAP and Winbind Authentication

2013-10-03 Thread Laz Peterson
An update on the status of my situation --

I switched from pam_winbind to pam_krb5.  Now, my user accounts are being 
returned as "u...@domain.corp" instead of "DOMAIN\user".  Dovecot-LDA is 
running flawlessly alongside Dovecot-IMAP.  All systems go.

Case closed.  Thanks.


On Oct 2, 2013, at 9:20 AM, Laz Peterson  wrote:

> Hi there Dovecot community --
> 
> I'll try to make this short.  Here's the setup … Ubuntu 12.04, Postfix, 
> Dovecot, along with Amavis/Clamd/Spamassassin.  Postfix is currently 
> receiving emails for virtual users in multiple domains, all of which are 
> authenticating through Winbind to Windows AD servers.  The users log in to 
> the POP/IMAP/SMTP services using the format u...@domain.corp (the internal 
> domain, not the external mail domain).  The domains are all in the same 
> forest, but there are many different domains to authenticate against.
> 
> Dovecot is currently handling POP, IMAP, and authentication.  Postfix uses a 
> MySQL database to map the external email domain to the internal AD domain, 
> for example domain.com -> domain.corp.  Postfix also queries the same SQL 
> database for where to save the messages -- /home/vmail/domain\user -- I have 
> the SQL query strip off the ".corp".  I had to do this because pam_winbind 
> returns the usernames as "DOMAIN\user" upon successful Dovecot 
> authentication, instead of "u...@domain.corp", which ends up invalidating all 
> of the %u, %n, and %d variables.  On the user side, after successful auth, I 
> can only define %u and %n in my Dovecot configuration -- %d is null, %u is 
> "DOMAIN\user", and %n is "DOMAIN\user".  (I use %Lu or %Ln to make it all 
> lower-case.)
> 
> With this, I am able to authenticate users off of multiple domains, have the 
> mail delivered to a folder that is also accessible to the user when they log 
> in.  It serves its purpose.
> 
> Here's my problem.  I am trying to now integrate Pigeonhole and ManageSieve 
> using Dovecot-LDA specified by "virtual_transport", and this is where things 
> get confusing.  Dovecot IMAP/POP/SMTP auth notes the user account to be 
> "DOMAIN\user", while Dovecot-LDA receives the email to u...@domain.com, 
> noting the user account to be "u...@domain.corp".  The same arguments for 
> userdb in "auth-system.conf.ext" are used by both Dovecot when user is 
> logging in for IMAP/POP/SMTP and Dovecot-LDA when it is storing the mail.  
> Because of the way pam_winbind returns the usernames without being able to 
> use %d anymore, I cannot seem to get the same behavior for both sides of 
> Dovecot.
> 
> For example, if I set home and maildir to "/home/vmail/%Ln", Dovecot-LDA 
> delivers emails into the folder "/home/vmail/u...@domain.corp" and Dovecot 
> IMAP/POP looks in "/home/vmail/domain\user".  If I set the home/maildir to 
> "/home/vmail/%Ld/%Lu", Dovecot-LDA delivers emails into the folder 
> "/home/vmail/domain.corp/user" and Dovecot IMAP/POP looks in 
> "/home/vmail/\/domain\user".  So, I seem to be thoroughly unable to get 
> something here that works … The closest I can get is setting home/maildir to 
> "/home/vmail/%Ld\%Lu", but that now gives the LDA side 
> "/home/vmail/domain.corp\user" and the IMAP/POP/SMTP side 
> "/home/vmail/\\domain\user".
> 
> If I am able to get pam_winbind to return "u...@domain.corp" instead of 
> "DOMAIN\user", I'd be fine.  Or, if I could set the home and maildir 
> locations separately for Dovecot-LDA and Dovecot, I would also be okay.
> 
> Any suggestions?  I know this is probably a Winbind limitation, but I do not 
> know a thing about working with PAM authentication.  I tried to compile and 
> install a pam_regex module (which seems to not be offered as a native package 
> in Ubuntu), but it gives errors after adding that to my PAM configuration.  
> I'm stumped.
> 
> Please let me know if I can include my configuration for either Postfix or 
> Dovecot.
> 
> Thank you so much for any help.
> 
> ~ Laz Peterson



[Dovecot] understanding user_attrs and mail_uid/gid

2013-10-03 Thread Vincent Zakofski
Hello,

I'm trying to understand what's the difference between those parameters.
In my dovecot.conf in the global section I have a definition of mail_uid
and mail_gid.
In my LDAP configuration used by passdb and userdb, I have a definition for
user_attrs= uidNumber=500,gidNumber=8.

Here is a part of my configuration files (dovecot version: 2.1.7)

dovecot.conf


mail_gid = 8
mail_uid = 500


passdb {
  args = /etc/dovecot/dovecot-ldap.conf
  driver = ldap
}


userdb {
  args = /etc/dovecot/dovecot-ldap.conf
  driver = ldap
}


dovecot-ldap.conf

user_filter = (&(objectClass=posixAccount)(mailLocalAddress=%n))
user_attrs = uidNumber=500,gidNumber=8


So everything works fine when all those parameters are present in my
configuration files. If I suppress one of them nothing is working (mail
reading or delivering).

Can someone tell me where I can find a definition of those arguments? I found nothing relevant on the wiki.

Thanks,