[Dovecot] fail2ban
For dovecot 2.1 as per wiki2, is this still valid? Noticed a problem before and saw it does seem to be triggering. I use:

maxretry = 6
findtime = 600
bantime = 3600

and there was like, 2400 hits in 4 minutes. It is pointing to the correct log file, but I am no expert with fail2ban, so not sure if the log format of today is compatible with the wiki2 entry.

filter.d/dovecot.conf

[Definition]
failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
ignoreregex =
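One way to check the compatibility question above offline, as an added example that is not part of the original post: the posted failregex (with the `host` group name written out) is run over constructed log lines, and the maxretry/findtime values from the post are applied as a sliding-window count. The log lines, addresses and function names are assumptions made for illustration, and the counting is a simplified model of fail2ban, not its code.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# failregex from the post; fail2ban reads the address from the named group "host"
FAILREGEX = re.compile(
    r"(?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed"
    r"|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*"
)
MAXRETRY, FINDTIME = 6, 600  # from the post; bantime is not modelled here

# Constructed sample lines using documentation addresses, not real server output.
SAMPLE_LOG = [
    f"Oct 13 12:24:{s:02d} mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): "
    "user=<bob>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10"
    for s in range(0, 60, 10)
] + [
    "Oct 13 12:25:00 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, "
    "rip=198.51.100.4, lip=192.0.2.10, mpid=4242",
    # Assumed variant wording: extra text between "Disconnected" and "(auth failed"
    "Oct 13 12:25:05 mail dovecot: imap-login: Disconnected: Inactivity (auth failed, "
    "1 attempts): user=<carol>, method=PLAIN, rip=198.51.100.9, lip=192.0.2.10",
]

def parse(line, year=2013):
    """Return (timestamp, host) when the filter matches the line, else None."""
    m = FAILREGEX.search(line)
    stamp = f"{year} {line[:15]}"  # syslog timestamps carry no year
    return (datetime.strptime(stamp, "%Y %b %d %H:%M:%S"), m.group("host")) if m else None

def banned_hosts(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Hosts with at least maxretry matched failures inside a findtime-second window."""
    recent, banned = defaultdict(deque), []
    for ts, host in filter(None, map(parse, lines)):
        window = recent[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned

def missed_failures(lines):
    """Lines that mention a failed auth but that the filter does not match."""
    return [l for l in lines if "auth failed" in l and FAILREGEX.search(l) is None]

if __name__ == "__main__":
    print(banned_hosts(SAMPLE_LOG), missed_failures(SAMPLE_LOG))
```

Feeding real lines from the log file fail2ban watches into `missed_failures` shows which failure wordings the filter does not count.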
Re: [Dovecot] Can sieve filter mail based on emails earlier in the thread?
On 10/3/2013 1:43 AM, Hugh Davenport wrote:
> Basically I want the following scenario:
>
> Subscribe to lots of mailing lists
> - each filtered into separate folders
>
> When I participate in a thread (by starting it, replying to it, or ...
> setting a flag on an email
> in the thread)
> - filter into the particular mailing list folder
> - AND filter into INBOX (or another folder of my choosing)
>
> I'm thinking for this, the first two can have rules that take into
> account In-Reference-To and
> using my domain. But the third case of using a flag... that seems to
> require referencing earlier
> emails in the thread.
>
> Is this possible in sieve? Or am I barking up the wrong tree?

So you simply want to make it easier to find your own posts on a busy list? Might I suggest you simply use flags instead of copying the msgs to another folder? See: Flagging or Highlighting your mail

http://wiki2.dovecot.org/Pigeonhole/Sieve/Examples

--
Stan
[Dovecot] Proxy to gmail help
Hello,

I understand the matter of using Dovecot as a forward proxy to Gmail is very popular (and even trivial), but my lack of Dovecot experience took me to a point where I truly need your help...

I'm starting my task by trying to have something simple, where I can test connectivity to Gmail by sending a telnet to our Dovecot server. The Dovecot server accepts the telnet request, but for some reason (and here I guess is something related to SSL/TLS), I can't get to Gmail.

Here my configuration and logs/outputs:

==> OS:
* I'm using an old Centos 5.8 server as a proof of concept.

# ==> Dovecot configuration:
# 2.2.5: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.18-308.8.2.el5xen x86_64 CentOS release 5.8 (Final)
auth_cache_negative_ttl = 10 mins
auth_cache_size = 1 k
auth_cache_ttl = 10 mins
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = cram-md5 digest-md5 apop login plain
auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@%
auth_username_translation = %@AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz
auth_verbose = yes
base_dir = /var/run/dovecot/
disable_plaintext_auth = no
listen = XXX.XXX.XXX.XXX
login_greeting = Dovecot Ready
login_log_format_elements = %u %r %m %c
mail_debug = yes
mail_max_userip_connections = 100
passdb {
  args = /etc/dovecot/sql.conf
  driver = sql
}
protocols = pop3
service pop3-login {
  client_limit = 200
  inet_listener pop3 {
    address = dovecotserver.
    port = 110
  }
  process_limit = 1
  process_min_avail = 1
  service_count = 0
  vsz_limit = 256 M
}
shutdown_clients = no
ssl_ca = /etc/pki/dovecot/certs/dovecot.pem
ssl_cert =

sql.conf file
driver = mysql
connect = host=/var/lib/mysql/mysql.sock dbname=mysql user=root password=xx
password_query = SELECT NULL AS password, host, destuser, proxy, 'Y' AS starttls, '995' AS port, 'Y' AS nopassword FROM DovecotProxy WHERE user = '%u'

# ==> DovecotProxy table
mysql> select * from DovecotProxy where user = 'MYUSER';
+--------+---------------+------------------+------------------------------------------------+-------+
| user   | host          | destuser         | password                                       | proxy |
+--------+---------------+------------------+------------------------------------------------+-------+
| MYUSER | pop.gmail.com | myu...@gmail.com | {MD5-CRYPT}$1$L824LVh4$r.hyZ icsE5tmGaeJrY/dw/ | Y     |
+--------+---------------+------------------+------------------------------------------------+-------+

##>> I understand "proxy" and "password" are not required there. That happened for testing.

# ==> Telnet session:
xx [/tmp] > telnet dovecotserver 110
Trying XXX.XXX.XXX.XXX...
Connected to dovecotserver.
Escape character is '^]'.
+OK Dovecot Ready <6111.1.524dad13.VYOVkhqfe1Ox7Wz+VfogMg==@dovecotserver>
user MYUSER
+OK
pass PASSWD
-ERR Account is temporarily unavailable.
quit
+OK Logging out
Connection to dovecotserver closed by foreign host.
# ==> Logged messages in /var/log/mailllog:
Oct 3 12:23:02 dovecotserver dovecot: master: Warning: Killed with signal 15 (by pid=26790 uid=0 code=kill)
Oct 3 12:23:53 dovecotserver dovecot: master: Dovecot v2.2.5 starting up (core dumps disabled)
Oct 3 12:23:53 dovecotserver dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
Oct 3 12:23:53 dovecotserver dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_mysql.so
Oct 3 12:23:53 dovecotserver dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_pgsql.so
Oct 3 12:23:53 dovecotserver dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
Oct 3 12:23:53 dovecotserver dovecot: auth: Debug: Read auth token secret from /var/run/dovecot//auth-token-secret.dat
Oct 3 12:23:53 dovecotserver dovecot: auth: Debug: auth client connected (pid=26810)
Oct 3 12:24:30 dovecotserver dovecot: auth: Debug: client in: AUTH 1 PLAIN service=pop3session=/IH8S9rnzACiat/X lip=162.106.XXX.YYY rip=162.106.XXX.ZZZ lport=110 rport=37836 resp=AHNtYXJ0YnVzZWRtAHMwbWV0aGluZw== (previous base64 data may contain sensitive data)
Oct 3 12:24:30 dovecotserver dovecot: auth: Debug: cache(MYUSER,162.106.223.215,): miss
Oct 3 12:24:30 dovecotserver dovecot: auth-worker(26823): Debug: Loading modules from directory: /usr/lib64/dovecot/auth
Oct 3 12:24:30 dovecotserver dovecot: auth-worker(26823): Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_mysql.so
Oct 3 12:24:30 dovecotserver dovecot: auth-worker(26823): Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_pgsql.so
Oct 3 12:24:30 dovecotserver dovecot: auth-worker(26823): Debug: Module loaded: /usr/lib64/dovecot/auth/libdri
Re: [Dovecot] fts-solr indexer-worker connects to wrong solr host dovecot-2.2.4
Did some more digging. The problem is that the fts-solr plugin has a global solr_conn pointer, that persists between users. I think this patch fixes the problem: --- a/dovecot/fts_solr_plugin/fts-solr-plugin.c +++ b/dovecot/fts_solr_plugin/fts-solr-plugin.c 
@@ -50,6 +50,13 @@ static void fts_solr_mail_user_create(struct mail_user *user, const char *env) { struct fts_solr_user *fuser; + /** solr URL may be different per-user **/ + if (solr_conn != NULL) { + solr_connection_deinit(solr_conn); + solr_conn = NULL; + } + /**/ + fuser = p_new(user->pool, struct fts_solr_user, 1); if (fts_solr_plugin_init_settings(user, &fuser->set, env) < 0) { /* invalid settings, disabling */ On 2013-10-02, at 3:28 PM, Richard Platel wrote: > I've confirmed that this problem still exists in 2.2.5 > > It seems that indexer-worker only init's plugins at startup, so the fts_solr > plugin is holding the url= parameter from the first user. > > The problem doesn't happen if the indexer-worker process is idle-killed > between users. A new process starts up with the new user's userdb settings. > > I thought I could work around this problem by adjusting indexer-worker's > settings: > > service indexer-worker { > service_count = 1 > idle_kill = 1 > } > > but these changes don't seem to have any effect, the indexer-worker process > still hangs around idling after indexing a user, and isn't idle-killed for > upwards of a minute. > > Any help? > > > On 2013-09-27, at 11:46 AM, Richard Platel wrote: > >> Hello. >> We're setting up fts solr and want to have the solr server host be set >> per-user via UserDB. >> >> It looks like if a user connects and fts indexes mail, and then another user >> connects and indexes mail, indexer-worker is connecting to the first user's >> fts host: >> >> User1, ham...@rp-auth-test.com connects, does a SEARCH for the first time, >> indexer-worker gets UserDB settings and correctly indexes mail on ftsvs01: >> >> [...] 
>> auth-worker(2195): Debug: dict(ham...@rp-auth-test.com): lookup
>> shared/userdb/ham...@rp-auth-test.com
>> auth-worker(2195): Debug: dict(ham...@rp-auth-test.com): result:
>> {"uid":"8","fts":"solr","quota_rule4":"Spam:ignore","_session":"talk15_590ec6d100042","quota_rule3":"Trash:ignore","quota_rule2":"*:messages=2684354","quota_rule":"*:storage=5242880k","mail":"maildir:/mail/mailstore01/215/573/ham...@rp-auth-test.com/:INDEX=/mail/index01/215/573/ham...@rp-auth-test.com/","fts_solr":"debug
>> url=http://ftsvs01:8080/solr/","gid":"8"}
>> auth: Debug: userdb out: USER 1 ham...@rp-auth-test.com uid=8
>> fts=solrquota_rule4=Spam:ignore _session=talk15_590ec6d100042
>> quota_rule3=Trash:ignorequota_rule2=*:messages=2684354
>> quota_rule=*:storage=5242880k
>> mail=maildir:/mail/mailstore01/215/573/ham...@rp-auth-test.com/:INDEX=/mail/index01/215/573/ham...@rp-auth-test.com/
>> fts_solr=debug url=http://ftsvs01:8080/solr/gid=8
>> indexer-worker: Debug: auth input: ham...@rp-auth-test.com uid=8 fts=solr
>> quota_rule4=Spam:ignore _session=talk15_590ec6d100042
>> quota_rule3=Trash:ignore quota_rule2=*:messages=2684354
>> quota_rule=*:storage=5242880k
>> mail=maildir:/mail/mailstore01/215/573/ham...@rp-auth-test.com/:INDEX=/mail/index01/215/573/ham...@rp-auth-test.com/
>> fts_solr=debug url=http://ftsvs01:8080/solr/ gid=8
>> indexer-worker: Debug: Added userdb setting:
>> plugin/_session=talk15_590ec6d100042
>> indexer-worker: Debug: Added userdb setting: plugin/fts=solr
>> indexer-worker: Debug: Added userdb setting: plugin/fts_solr=debug
>> url=http://ftsvs01:8080/solr/
>> indexer-worker: Debug: Added userdb setting:
>> mail=maildir:/mail/mailstore01/215/573/ham...@rp-auth-test.com/:INDEX=/mail/index01/215/573/ha
>> m...@rp-auth-test.com/
>> indexer-worker: Debug: Added userdb setting:
>> plugin/quota_rule=*:storage=5242880k
>> indexer-worker: Debug: Added userdb setting:
>> plugin/quota_rule2=*:messages=2684354
>> indexer-worker: Debug: Added userdb setting: plugin/quota_rule3=Trash:ignore
>> indexer-worker: Debug: Added userdb setting: plugin/quota_rule4=Spam:ignore
>> indexer-worker(ham...@rp-auth-test.com): Debug: Effective uid=8, gid=8, home=
>> indexer-worker(ham...@rp-auth-test.com): Debug: Namespace inbox:
>> type=private, prefix=, sep=, inbox=yes, hidden=no, list=yes, subscriptions
>> =yes
>> location=maildir:/mail/mailstore01/215/573/ham...@rp-auth-test.com/:INDEX=/mail/index01/215/573/ham...@rp-auth-test.com/
>> indexer-worker(ham...@rp-auth-test.com): Debug: maildir++:
>> root=/mail/mailstore01/215/573/ham...@rp-auth-test.com,
>> index=/mail/index01/215/
>> 573/ham...@rp-auth-test.com, indexpvt=, control=,
>> inbox=/mail/mailstore01/215/573/ham...@rp-auth-test.com, alt=
>> indexer-worker(ham...@rp-auth-test.com): Debug: Ignoring unknown cache
>> field: pop3.order
>> indexer-worker(ham...@rp-auth-test
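Review bot: in the fts_solr_mail_user_create() hunk above, the added teardown runs unconditionally and before fts_solr_plugin_init_settings() has parsed the new user's settings, so every user creation drops the shared solr_conn even when the url= is unchanged or the new settings turn out to be invalid, and nothing visible in the hunk guarantees that no earlier user's backend still holds that pointer when solr_connection_deinit() frees it. Since the message names the process-global solr_conn outliving the user as the root cause, consider keeping the connection (or at least the URL it was created for) in struct fts_solr_user and reconnecting only when the URL differs, which also closes the window in which one user's mail is indexed on another user's Solr host. The `/** ... **/` and bare `/**/` marker comments should become one ordinary comment explaining why the global is reset.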
Re: [Dovecot] Username issue with Dovecot LDA, IMAP and Winbind Authentication
An update on the status of my situation -- I switched from pam_winbind to pam_krb5. Now, my user accounts are being returned as "u...@domain.corp" instead of "DOMAIN\user". Dovecot-LDA is running flawlessly alongside Dovecot-IMAP. All systems go. Case closed.

Thanks.

On Oct 2, 2013, at 9:20 AM, Laz Peterson wrote:

> Hi there Dovecot community --
>
> I'll try to make this short. Here's the setup … Ubuntu 12.04, Postfix,
> Dovecot, along with Amavis/Clamd/Spamassassin. Postfix is currently
> receiving emails for virtual users in multiple domains, all of which are
> authenticating through Winbind to Windows AD servers. The users log in to
> the POP/IMAP/SMTP services using the format u...@domain.corp (the internal
> domain, not the external mail domain). The domains are all in the same
> forest, but there are many different domains to authenticate against.
>
> Dovecot is currently handling POP, IMAP, and authentication. Postfix uses a
> MySQL database to map the external email domain to the internal AD domain,
> for example domain.com -> domain.corp. Postfix also queries the same SQL
> database for where to save the messages -- /home/vmail/domain\user -- I have
> the SQL query strip off the ".corp". I had to do this because pam_winbind
> returns the usernames as "DOMAIN\user" upon successful Dovecot
> authentication, instead of "u...@domain.corp", which ends up invalidating all
> of the %u, %n, and %d variables. On the user side, after successful auth, I
> can only define %u and %n in my Dovecot configuration -- %d is null, %u is
> "DOMAIN\user", and %n is "DOMAIN\user". (I use %Lu or %Ln to make it all
> lower-case.)
>
> With this, I am able to authenticate users off of multiple domains, have the
> mail delivered to a folder that is also accessible to the user when they log
> in. It serves its purpose.
>
> Here's my problem. I am trying to now integrate Pigeonhole and ManageSieve
> using Dovecot-LDA specified by "virtual_transport", and this is where things
> get confusing. Dovecot IMAP/POP/SMTP auth notes the user account to be
> "DOMAIN\user", while Dovecot-LDA receives the email to u...@domain.com,
> noting the user account to be "u...@domain.corp". The same arguments for
> userdb in "auth-system.conf.ext" are used by both Dovecot when user is
> logging in for IMAP/POP/SMTP and Dovecot-LDA when it is storing the mail.
> Because of the way pam_winbind returns the usernames without being able to
> use %d anymore, I cannot seem to get the same behavior for both sides of
> Dovecot.
>
> For example, if I set home and maildir to "/home/vmail/%Ln", Dovecot-LDA
> delivers emails into the folder "/home/vmail/u...@domain.corp" and Dovecot
> IMAP/POP looks in "/home/vmail/domain\user". If I set the home/maildir to
> "/home/vmail/%Ld/%Lu", Dovecot-LDA delivers emails into the folder
> "/home/vmail/domain.corp/user" and Dovecot IMAP/POP looks in
> "/home/vmail/\/domain\user". So, I seem to be thoroughly unable to get
> something here that works … The closest I can get is setting home/maildir to
> "/home/vmail/%Ld\%Lu", but that now gives the LDA side
> "/home/vmail/domain.corp\user" and the IMAP/POP/SMTP side
> "/home/vmail/\\domain\user".
>
> If I am able to get pam_winbind to return "u...@domain.corp" instead of
> "DOMAIN\user", I'd be fine. Or, if I could set the home and maildir
> locations separately for Dovecot-LDA and Dovecot, I would also be okay.
>
> Any suggestions? I know this is probably a Winbind limitation, but I do not
> know a thing about working with PAM authentication. I tried to compile and
> install a pam_regex module (which seems to not be offered as a native package
> in Ubuntu), but it gives errors after adding that to my PAM configuration.
> I'm stumped.
>
> Please let me know if I can include my configuration for either Postfix or
> Dovecot.
>
> Thank you so much for any help.
>
> ~ Laz Peterson
[Dovecot] understanding user_attrs and mail_uid/gid
Hello,

I'm trying to understand what's the difference between those parameters. In my dovecot.conf in the global section I have a definition of mail_uid and mail_gid. In my LDAP configuration used by passdb and userdb, I have a definition for user_attrs= uidNumber=500,gidNumber=8. Here is a part of my configuration files (dovecot version: 2.1.7)

dovecot.conf

mail_gid = 8
mail_uid = 500
passdb {
  args = /etc/dovecot/dovecot-ldap.conf
  driver = ldap
}
userdb {
  args = /etc/dovecot/dovecot-ldap.conf
  driver = ldap
}

dovecot-ldap.conf

user_filter = (&(objectClass=posixAccount)(mailLocalAddress=%n))
user_attrs = uidNumber=500,gidNumber=8

So everything works fine when all those parameters are present in my configuration files. If I suppress one of them nothing is working (mail reading or delivering). Can someone tell me where I can find a definition of those arguments, I found nothing relevant on the wiki.

Thanks,