[Dovecot] secure email server

2013-10-22 Thread BONNET, Frank
Hello

I have to set up a "secured" email server

- encrypted filesystem
- SSL or TLS only for SMTP and IMAPS
- Talking only to some known other same-secured servers

Any info/links welcome!

Please do not start some flame war around this!

I've been ordered to set up such a server and I KNOW there are probably
security holes, but nothing's perfect so a starting point is necessary.

Thank you for any info


Re: [Dovecot] Odd Feature Request - RBL blacklist lookup to prevent authentication

2013-10-22 Thread Stan Hoeppner
On 10/22/2013 10:27 PM, Robin wrote:
> On 10/22/2013 3:22 PM, Noel Butler wrote:
>> But I agree with you on the rest, since of those 500K IP's Marc claims
>> to have I'd bet that 99% are hijacked innocent pc's/servers, and of
>> them, >75% would likely be a one time usage.
> 
> This accords with our own statistics.  While it IS tempting to treat
> every IP# that "spams" or hits you with a port-scan as something worthy
> of blackholing, the reality is that the vast majority of the attempts
> are from "innocent" victim hosts.
> 
> Now, there's little doubt that MOST of these are not legitimate MTA
> endpoints, and so "shouldn't" be issuing email directly to your MX
> hosts.  SPF + OpenDKIM are great...

The OP is discussing possibly blocking *IMAP* connections, not SMTP.

-- 
Stan




Re: [Dovecot] Odd Feature Request - RBL blacklist lookup to prevent authentication

2013-10-22 Thread Robin

On 10/22/2013 3:22 PM, Noel Butler wrote:

> But I agree with you on the rest, since of those 500K IP's Marc claims
> to have I'd bet that 99% are hijacked innocent pc's/servers, and of
> them, >75% would likely be a one time usage.


This accords with our own statistics.  While it IS tempting to treat 
every IP# that "spams" or hits you with a port-scan as something worthy 
of blackholing, the reality is that the vast majority of the attempts 
are from "innocent" victim hosts.


Now, there's little doubt that MOST of these are not legitimate MTA 
endpoints, and so "shouldn't" be issuing email directly to your MX 
hosts.  SPF + OpenDKIM are great, but only for those domains that 
actually use them; you can score "improperly delivered" emails bearing 
those domains with a policy defined by their operators, but many domains 
don't publish a policy.


I would caution people to avoid throwing out the baby with the 
bathwater.  I've been collecting an increasing number of "mysterious" 
email delivery problems to endpoints which do not issue DSN/bounces, 
*OR* provide any feedback to their users that emails have been "blocked".


The list includes some big names, like:

comcast (cable ISP subscribers)
secureserver.net hosted emails (GoDaddy's "hosted email" service, which 
uses Cloudmark's anti-spam solutions)

McAfee's "MXLogic" anti-spam services

McAfee's "SaaS/MXLogic" anti-spam service has a responsive false 
positive mediation system, whereas comcast's + GoDaddy's setups are 
thoroughly dysfunctional and broken.  Despite publishing SPF, fully 
specified OpenDKIM and using DomainKeys signing, having perfectly clean 
IP# reputations and not being on ANY RBLs, email to those hosts is at 
best "random", or in comcast's case - when it's hosting "vanity domains" 
for its customers - completely broken.


I strongly suspect these inferior anti-spam systems are mistakenly 
ascribing fault for "Joe Jobbed" spam runs, even if they're delivered by 
non-compliant hosts as specified in the domain's SPF.  All of my clients 
"login" and issue emails through our MTAs, which are specified as 
permitted senders in SPF, so there are no "rogue" road warriors 
"allowed" by our domains' SPF policies.


My point is simple: it's easy to let frustration about spam get the 
better of you, but don't create worse problems for your users and those 
who try to legitimately reach them.  It's progressively making email 
less and less usable in a global context.


=R=


Re: [Dovecot] Odd Feature Request - RBL blacklist lookup to prevent authentication

2013-10-22 Thread Noel Butler

On 23/10/2013 05:45, Rick Romero wrote:

> IMHO, the problem with all out blocks on auth is the same as doing an all
> out block based on SPF - so many IPs are shared you can easily get false
> positives.

Blocks using SPF will not be FP's, they will be by your internal 
decision, so will be a genuine block 'hit', even if you don't keep your 
RR current, that's the admin's fault, not the users, or blockers.

But I agree with you on the rest, since of those 500K IP's Marc claims 
to have I'd bet that 99% are hijacked innocent pc's/servers, and of 
them, >75% would likely be a one time usage.





Re: [Dovecot] fstat() errors on /srv/mail//dovecot.index.log

2013-10-22 Thread Noel Butler

Zach,

Thanks for following up with the list, though I don't and won't touch 
anything debian/, there are plenty here who do, and may in time 
appreciate your feedback if they strike same.



On 23/10/2013 00:14, Zach La Celle wrote:

> On 10/17/2013 09:23 AM, Zach La Celle wrote:
>> On 10/17/2013 05:25 AM, Noel Butler wrote:
>>> On 17/10/2013 00:08, Zach La Celle wrote:
>>>> Dovecot version 2.1.7
>>>> Ubuntu 12.04.3 LTS
>>>> Kernel 3.2.0-35-generic x86_64
>>>>
>>>> I'm not sure exactly when this started occurring, but sporadically users
>>>> report issues receiving email, having email saved to "Sent," etc.
>>>> Looking in dovecot.log, I see the following errors:
>>>>
>>>> 2013-10-16 09:53:20 imap-login: Info: Login: user=, method=PLAIN,
>>>> rip=127.0.0.1, lip=127.0.0.1, mpid=27434, secured,
>>>> session=
>>>> 2013-10-16 09:53:20 imap(user1): Info: Disconnected: Logged out in=93
>>>> out=846
>>>> 2013-10-16 09:53:21 imap(user2): Info: Disconnected: Logged out in=3616
>>>> out=495
>>>> 2013-10-16 09:53:24 imap-login: Info: Login: user=, method=PLAIN,
>>>> rip=127.0.0.1, lip=127.0.0.1, mpid=27436, secured,
>>>> session=
>>>> 2013-10-16 09:53:24 imap(user3): Info: Disconnected: Logged out in=93
>>>> out=819
>>>> 2013-10-16 09:53:33 imap(user4): Error: fstat() failed with file
>>>> /srv/mail/user4/dovecot.index.log: No such file or directory
>>>> 2013-10-16 09:53:33 imap(user4): Error: fstat() failed with file
>>>> /srv/mail/user4/dovecot.index.log: No such file or directory
>>>> 2013-10-16 09:53:33 imap(user4): Error: fstat() failed with file
>>>> /srv/mail/user4/dovecot.index.log: No such file or directory
>>>> 2013-10-16 09:53:33 imap(user4): Error: fstat() failed with file
>>>> /srv/mail/user4/dovecot.index.log: No such file or directory
>>>> 2013-10-16 09:53:33 imap(user4): Error: fstat() failed with file
>>>> /srv/mail/user4/dovecot.index.log: No such file or directory
>>>> 2013-10-16 09:53:33 imap(user4): Error: fstat() failed with file
>>>> /srv/mail/user4/dovecot.index.log: No such file or directory
>>>> 2013-10-16 09:53:41 imap-login: Info: Login: user=, method=PLAIN,
>>>> rip=127.0.0.1, lip=127.0.0.1, mpid=27438, secured,
>>>> session=
>>>> 2013-10-16 09:53:41 imap(user3): Info: Disconnected: Logged out in=93
>>>> out=819
>>>> 2013-10-16 09:54:12 imap-login: Info: Login: user=, method=PLAIN,
>>>> rip=127.0.0.1, lip=127.0.0.1, mpid=27440, secured,
>>>> session=<6bI5CdzoCQB/AAAB>
>>>> 2013-10-16 09:54:12 imap(user1): Info: Disconnected: Logged out in=93
>>>> out=846
>>>> 2013-10-16 09:54:12 imap(user5): Info: Disconnected: Logged out in=736
>>>> out=7064
>>>> 2013-10-16 09:54:15 imap-login: Info: Login: user=, method=PLAIN,
>>>> rip=127.0.0.1, lip=127.0.0.1, mpid=27442, secured,
>>>> session=
>>>> 2013-10-16 09:54:15 imap(user6): Info: Disconnected: Logged out in=95
>>>> out=902
>>>> 2013-10-16 09:54:20 imap-login: Info: Login: user=, method=PLAIN,
>>>> rip=127.0.0.1, lip=127.0.0.1, mpid=27444, secured,
>>>> session=
>>>> 2013-10-16 09:54:20 imap(user1): Info: Disconnected: Logged out in=93
>>>> out=846
>>>> 2013-10-16 09:54:24 imap-login: Info: Login: user=, method=PLAIN,
>>>> rip=127.0.0.1, lip=127.0.0.1, mpid=27446, secured,
>>>> session=
>>>> 2013-10-16 09:54:24 imap(user3): Info: Disconnected: Logged out in=93
>>>> out=819
>>>>
>>>> These errors are not confined to a single user, and do not occur with
>>>> the same frequency.
>>>>
>>> This isn't per chance on a NAS/SAN/DAS is it?
>>>
>> No, it is not on a SAN.  I saw that thread a while back, but this
>> doesn't seem to be related.
>>>> I originally was running the Dovecot shipped with the default Ubuntu
>>>> repositories (don't remember which version, but it was 1.*) and used a
>>>> backport to upgrade to 2.1.7 to see if that fixed it.  It did not.
>>>>
>>>> Any ideas why this is happening?
>>> gawd knows what debian (that's all ubuntu is, same package maintainers
>>> 99% of time) do to things, wouldn't be the first time they put out a
>>> package that was kaput from get go, so doveconf -n output will likely
>>> be required
>>>
>> I can provide "dovecot -n" output if this doesn't answer the question,
>> but it might be an apparmor issue.  We recently enabled apparmor
>> protection, and it seems that it generated an ungodly amount of profiles
>> in complain mode.  So many, that it was causing issues with usage of the
>> openssl library.
>>
>> Putting it in to enforce mode seems like it might fix the problem.  I'll
>> post more information once this is confirmed or denied.
> I'm replying to this post for completeness.  This was definitely a
> problem with AppArmor in complain mode breaking IMAP.  It was generating
> an incredible amount of logging information, and ended up blocking
> access to the OpenSSL .so files every once in a while.
>
> Putting AppArmor into enforce mode (after checking all of the rules and
> verifying functionality) worked.  No more fstat() errors.


Re: [Dovecot] Odd Feature Request - RBL blacklist lookup to prevent authentication

2013-10-22 Thread Christian Schmidt
22.10.2013 21:31, Marc Perkel:
> I would like to have a list of IPs (hacker list) that I can do a lookup
> on so that if anyone tries to authenticate to dovecot they always fail
> if they are on my list.

You could enable dovecot's tcpwrapper support for this.

Kind Regards,
Christian Schmidt

-- 
No signature available.


Re: [Dovecot] doveadm: Fatal: open(/dev/tty)

2013-10-22 Thread Dan Langille

On 2013-10-22 14:52, Dan Langille wrote:

I received this message today, and remembered, you can't do that...

$ doveadm pw -s SHA512-CRYPT
Enter new password: doveadm(dan): Fatal: open(/dev/tty) failed: No
such file or directory


It seems if you have no tty, you can't create a password.  Surely
there is a better way to do this?

Looking at the code, it's trying to open the tty and turn off echo.

For the record: FreeBSD 8.4-RELEASE-p3

And yes, there is no console.  I'm attached to a FreeBSD jail from the
host system, directly via the ezjail-admin console command.

# w
6:52PM  up 18 days, 23:34, 0 users, load averages: 0.96, 0.57, 0.46
USER TTY  FROM  LOGIN@  IDLE WHAT
#

Ain't nobody there..


This is mostly for the record, as I found nobody else encountering this 
problem.


Interesting... the same thing on a FreeBSD 9.1-RELEASE-p6 gives a 
different result.  After getting into the jail via 'ezjail-admin 
console', there is a tty listed:


# w
7:14PM  up 43 days, 23:52, 1 user, load averages: 0.00, 0.00, 0.00
USER   TTY  FROM  LOGIN@  IDLE WHAT
root   pts/0- 7:14PM - w

And all is well:

# doveadm pw -s SHA512-CRYPT
Enter new password:

--
Dan Langille - http://langille.org/


Re: [Dovecot] Odd Feature Request - RBL blacklist lookup to prevent authentication

2013-10-22 Thread Rick Romero

Quoting Marc Perkel :

> I would like to have a list of IPs (hacker list) that I can do a lookup
> on so that if anyone tries to authenticate to dovecot they always fail
> if they are on my list.
>
> I have the list - and the list is available as a DNS blacklist.
>
> I'd like to have it work with both local IP lists or RBL lookup.
>
> The idea is so hackers from known IP addresses never succeed.
>
> If Dovecot provides the feature I have about 1/2 million IP addresses of
> known current hackers to block.
> Anyone else interested in this?


How about doing a SQL Auth with a 'NOT IN ' select.

Then in your post auth script do an RBL lookup and if listed (but not in
your whitelist), add to your table (with a timestamp to expire of course)
and kick the user.

IMHO, the problem with all out blocks on auth is the same as doing an all
out block based on SPF - so many IPs are shared you can easily get false
positives.

Rick
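The approach Rick sketches, as an added example that is not part of the original post and is not Dovecot's own code: a passdb-style SELECT that hides the user's row while the client IP sits in an unexpired block table, plus the post-auth step that does the DNSBL lookup (query name built the RFC 5782 way, listing signalled by a 127/8 answer), skips a local allowlist, and records hits with an expiry. The zone name bl.example, the addresses, the table layout and the resolver stub are constructed so it runs offline; only the %u / %r placeholders mentioned in the comment are Dovecot's.

```python
import ipaddress
import sqlite3
import time
from typing import Callable, Dict, Iterable, List, Optional

# Resolver hook: fully qualified name -> A records ([] means NXDOMAIN, i.e. not
# listed). Injected so the example runs offline; a real one would wrap a DNS library.
Resolver = Callable[[str], List[str]]

# RFC 5782: a DNSBL answers a listed query with an A record inside 127.0.0.0/8.
_DNSBL_ANSWER_NET = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Query name for an IP: reversed octets (IPv4) or reversed nibbles (IPv6),
    the in-addr.arpa / ip6.arpa layout, followed by the list's zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone.strip(".") + "."


def dnsbl_listed(ip: str, zone: str, resolve: Resolver) -> bool:
    """True when the zone lists the IP, i.e. the query yields a 127/8 answer."""
    for answer in resolve(dnsbl_query_name(ip, zone)):
        try:
            if ipaddress.ip_address(answer) in _DNSBL_ANSWER_NET:
                return True
        except ValueError:
            continue  # malformed answer: ignore rather than treat as a listing
    return False


SCHEMA = """
CREATE TABLE users (userid TEXT PRIMARY KEY, password TEXT NOT NULL);
CREATE TABLE blocked_ips (ip TEXT PRIMARY KEY, expires INTEGER NOT NULL);
"""

# The 'NOT IN' passdb query: the user's row (and so the hash Dovecot verifies)
# only comes back while the client IP is absent from the unexpired block table.
# In a real dovecot-sql.conf.ext the placeholders would be Dovecot's %u (user),
# %r (remote IP) and the SQL server's clock; here they are sqlite3 bind parameters.
PASSWORD_QUERY = """
SELECT password FROM users
 WHERE userid = ?
   AND ? NOT IN (SELECT ip FROM blocked_ips WHERE expires > ?)
"""


class AuthGate:
    def __init__(self, resolve: Resolver, zone: str,
                 allowlist: Iterable[str] = (), block_ttl: int = 3600) -> None:
        self.resolve, self.zone, self.block_ttl = resolve, zone, block_ttl
        self.allowlist = {str(ipaddress.ip_address(a)) for a in allowlist}
        self.db = sqlite3.connect(":memory:")
        self.db.executescript(SCHEMA)

    def add_user(self, userid: str, hashed_password: str) -> None:
        self.db.execute("INSERT INTO users VALUES (?, ?)", (userid, hashed_password))

    def lookup_password(self, userid: str, ip: str, now: Optional[int] = None) -> Optional[str]:
        """What the passdb query hands Dovecot: the stored hash, or None (auth
        fails) when the user is unknown or the IP is currently blocked."""
        now = int(time.time()) if now is None else now
        row = self.db.execute(PASSWORD_QUERY, (userid, ip, now)).fetchone()
        return row[0] if row else None

    def post_auth(self, ip: str, now: Optional[int] = None) -> bool:
        """Post-auth step: DNSBL-check the client IP and, unless allowlisted,
        record it with an expiry. True means the session should be kicked."""
        now = int(time.time()) if now is None else now
        ip = str(ipaddress.ip_address(ip))
        if ip in self.allowlist or not dnsbl_listed(ip, self.zone, self.resolve):
            return False
        self.db.execute("INSERT OR REPLACE INTO blocked_ips VALUES (?, ?)",
                        (ip, now + self.block_ttl))
        self.db.commit()
        return True


# Constructed DNSBL contents (not a real list): two listed addresses, one of
# which the operator has also put on the local allowlist.
FAKE_ZONE = "bl.example"
FAKE_RECORDS: Dict[str, List[str]] = {
    dnsbl_query_name("203.0.113.7", FAKE_ZONE): ["127.0.0.2"],
    dnsbl_query_name("198.51.100.5", FAKE_ZONE): ["127.0.0.2"],
}


def fake_resolve(name: str) -> List[str]:
    return FAKE_RECORDS.get(name, [])


def demo() -> Dict[str, Optional[str]]:
    """Run the gate over a constructed login sequence; returns what the passdb
    query produced at each step."""
    gate = AuthGate(fake_resolve, FAKE_ZONE, allowlist=["198.51.100.5"], block_ttl=600)
    gate.add_user("alice", "{SHA512-CRYPT}constructed-hash")
    t0 = 1382400000  # constructed "now"
    out: Dict[str, Optional[str]] = {}
    out["clean_before"] = gate.lookup_password("alice", "192.0.2.9", t0)
    out["listed_before"] = gate.lookup_password("alice", "203.0.113.7", t0)
    gate.post_auth("192.0.2.9", t0)     # not listed: nothing recorded
    gate.post_auth("203.0.113.7", t0)   # listed: recorded, session kicked
    gate.post_auth("198.51.100.5", t0)  # listed but allowlisted: left alone
    out["listed_after"] = gate.lookup_password("alice", "203.0.113.7", t0 + 1)
    out["allowlisted_after"] = gate.lookup_password("alice", "198.51.100.5", t0 + 1)
    out["listed_expired"] = gate.lookup_password("alice", "203.0.113.7", t0 + 601)
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step}: {result}")
```

Note the order of events this enforces: the first login from a listed address still passes the passdb query (nothing is blocked yet), is caught by the post-auth lookup and kicked, and only later logins from that address fail at passdb, until the row expires. That is exactly the trade-off Rick describes, and the allowlist is what keeps the shared-IP false positives he warns about from locking out legitimate users.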


Re: [Dovecot] Odd Feature Request - RBL blacklist lookup to prevent authentication

2013-10-22 Thread Benny Pedersen

Marc Perkel wrote on 2013-10-22 21:31:

> Anyone else interested in this?

would you sell more ram later?

basically you like to have fail2ban to a central server logging via syslog?

if yes create more rules to fail2ban and show it on a wiki



[Dovecot] Odd Feature Request - RBL blacklist lookup to prevent authentication

2013-10-22 Thread Marc Perkel
I would like to have a list of IPs (hacker list) that I can do a lookup 
on so that if anyone tries to authenticate to dovecot they always fail 
if they are on my list.


I have the list - and the list is available as a DNS blacklist.

I'd like to have it work with both local IP lists or RBL lookup.

The idea is so hackers from known IP addresses never succeed.

If Dovecot provides the feature I have about 1/2 million IP addresses of 
known current hackers to block.


Anyone else interested in this?



Re: [Dovecot] doveadm: Fatal: open(/dev/tty)

2013-10-22 Thread Dan Langille

On 2013-10-22 14:54, Frank de Bot wrote:

Dan Langille wrote:
I received this message today, and remembered, you can't do that...

$ doveadm pw -s SHA512-CRYPT
Enter new password: doveadm(dan): Fatal: open(/dev/tty) failed: No such
file or directory


It seems if you have no tty, you can't create a password.  Surely there
is a better way to do this?

Looking at the code, it's trying to open the tty and turn off echo.

For the record: FreeBSD 8.4-RELEASE-p3

And yes, there is no console.  I'm attached to a FreeBSD jail from the
host system, directly via the ezjail-admin console command.

# w
6:52PM  up 18 days, 23:34, 0 users, load averages: 0.96, 0.57, 0.46
USER TTY  FROM  LOGIN@  IDLE WHAT
#

Ain't nobody there..



Hi,

It sounds you have forgotten to mount /dev in the jail. You can
consult http://www.freebsd.org/doc/handbook/jails-build.html for all
steps to do this.


Thanks Frank.  /dev is mounted.

In the jail:

# ls /dev
fd      log     null    ptmx    pts     random  stderr  stdin   stdout
urandom zero


From the jail host:

$ mount | grep myjail | grep dev
devfs on /usr/jails/myjail/dev (devfs, local, multilabel)
fdescfs on /usr/jails/myjail/dev/fd (fdescfs)

Dovecot, Postfix, & Bacula are running fine.


--
Dan Langille - http://langille.org/


Re: [Dovecot] doveadm: Fatal: open(/dev/tty)

2013-10-22 Thread Frank de Bot

Hi,

It sounds you have forgotten to mount /dev in the jail. You can consult 
http://www.freebsd.org/doc/handbook/jails-build.html for all steps to do 
this.



Regards,

Frank de Bot

Dan Langille wrote:

I received this message today, and remembered, you can't do that...

$ doveadm pw -s SHA512-CRYPT
Enter new password: doveadm(dan): Fatal: open(/dev/tty) failed: No such
file or directory


It seems if you have no tty, you can't create a password.  Surely there
is a better way to do this?

Looking at the code, it's trying to open the tty and turn off echo.

For the record: FreeBSD 8.4-RELEASE-p3

And yes, there is no console.  I'm attached to a FreeBSD jail from the
host system, directly via the ezjail-admin console command.

# w
6:52PM  up 18 days, 23:34, 0 users, load averages: 0.96, 0.57, 0.46
USER TTY  FROM  LOGIN@  IDLE WHAT
#

Ain't nobody there..





[Dovecot] doveadm: Fatal: open(/dev/tty)

2013-10-22 Thread Dan Langille

I received this message today, and remembered, you can't do that...

$ doveadm pw -s SHA512-CRYPT
Enter new password: doveadm(dan): Fatal: open(/dev/tty) failed: No such 
file or directory



It seems if you have no tty, you can't create a password.  Surely there 
is a better way to do this?


Looking at the code, it's trying to open the tty and turn off echo.

For the record: FreeBSD 8.4-RELEASE-p3

And yes, there is no console.  I'm attached to a FreeBSD jail from the 
host system, directly via the ezjail-admin console command.


# w
6:52PM  up 18 days, 23:34, 0 users, load averages: 0.96, 0.57, 0.46
USER TTY  FROM  LOGIN@  IDLE WHAT
#

Ain't nobody there..

--
Dan Langille - http://langille.org/


Re: [Dovecot] using dovecot in Asterisk imap storage

2013-10-22 Thread Asmaa Ahmed
When I tried to add this section, I got this error at restarting dovecot:

$ /usr/sbin/dovecot restart
doveconf: Warning: NOTE: You can get a new clean config file with: doveconf -n > dovecot-new.conf
doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:77: add auth_ prefix to all settings inside auth {} and remove the auth {} section completely
doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf line 78: Expecting '='

> From: asabatg...@hotmail.com
> To: dovecot@dovecot.org
> Date: Tue, 22 Oct 2013 15:25:34 +0200
> Subject: Re: [Dovecot] using dovecot in Asterisk imap storage
> 
> Hello,
>
> Thanks for the link, I know how I can configure it from the wiki.. My
> question is can I add this section completely by myself? I can't find this
> section at all in dovecot.conf to modify it, and dovecot.masterusers file
> doesn't exist too in etc configuration files, should I create it too? Because
> I couldn't find the section even commented gave me a doubt if it is the
> correct way to do it for this version, so I am posting here if someone can
> confirm this!
>
> Thanks.
> > From: b...@computerisms.ca
> > To: dovecot@dovecot.org
> > Date: Mon, 21 Oct 2013 19:05:19 -0700
> > Subject: Re: [Dovecot] using dovecot in Asterisk imap storage
> > 
> > 
> > -- 
> > Computerisms
> > Bob Miller  
> > 867-334-7117 / 867-633-3760
> > http://computerisms.ca
> > 
> > 
> > On Tue, 2013-10-22 at 02:47 +0200, Asmaa Ahmed wrote:
> > > Hello, 
> > > I am trying to use postfix/dovecot as mail server to be the imap storage 
> > > for my voicemail system.For that I installed postfix and dovecot and 
> > > trying to follow the instructions in this post 
> > > http://etel.wiki.oreilly.com/wiki/index.php?title=Storing_Voicemail_on_an_IMAP_server&printable=yes
> > 
> > ugh.  it's hard to read your mail, some line breaks or new paragraphs
> > would be useful.
> > 
> > I have yet to find one wiki that answers all questions.  Expand your
> > horizon: 
> >   
> > http://wiki2.dovecot.org/Authentication/MasterUsers
> > 
> > FWIW, if you are using a recent version of freepbx you can configure
> > imap storage in there on a per-user/extension basis, so you don't need
> > to set up the masteruser...
> > 
> > 
> > 
> 
  

Re: [Dovecot] fstat() errors on /srv/mail//dovecot.index.log

2013-10-22 Thread Zach La Celle
On 10/17/2013 09:23 AM, Zach La Celle wrote:
> On 10/17/2013 05:25 AM, Noel Butler wrote:
>> On 17/10/2013 00:08, Zach La Celle wrote:
>>> Dovecot version 2.1.7
>>> Ubuntu 12.04.3 LTS
>>> Kernel 3.2.0-35-generic x86_64
>>>
>>> I'm not sure exactly when this started occurring, but sporadically users
>>> report issues receiving email, having email saved to "Sent," etc.
>>> Looking in dovecot.log, I see the following errors:
>>>
>>> 2013-10-16 09:53:20 imap-login: Info: Login: user=, method=PLAIN,
>>> rip=127.0.0.1, lip=127.0.0.1, mpid=27434, secured,
>>> session=
>>> 2013-10-16 09:53:20 imap(user1): Info: Disconnected: Logged out in=93
>>> out=846
>>> 2013-10-16 09:53:21 imap(user2): Info: Disconnected: Logged out in=3616
>>> out=495
>>> 2013-10-16 09:53:24 imap-login: Info: Login: user=, method=PLAIN,
>>> rip=127.0.0.1, lip=127.0.0.1, mpid=27436, secured,
>>> session=
>>> 2013-10-16 09:53:24 imap(user3): Info: Disconnected: Logged out in=93
>>> out=819
>>> 2013-10-16 09:53:33 imap(user4): Error: fstat() failed with file
>>> /srv/mail/user4/dovecot.index.log: No such file or directory
>>> 2013-10-16 09:53:33 imap(user4): Error: fstat() failed with file
>>> /srv/mail/user4/dovecot.index.log: No such file or directory
>>> 2013-10-16 09:53:33 imap(user4): Error: fstat() failed with file
>>> /srv/mail/user4/dovecot.index.log: No such file or directory
>>> 2013-10-16 09:53:33 imap(user4): Error: fstat() failed with file
>>> /srv/mail/user4/dovecot.index.log: No such file or directory
>>> 2013-10-16 09:53:33 imap(user4): Error: fstat() failed with file
>>> /srv/mail/user4/dovecot.index.log: No such file or directory
>>> 2013-10-16 09:53:33 imap(user4): Error: fstat() failed with file
>>> /srv/mail/user4/dovecot.index.log: No such file or directory
>>> 2013-10-16 09:53:41 imap-login: Info: Login: user=, method=PLAIN,
>>> rip=127.0.0.1, lip=127.0.0.1, mpid=27438, secured,
>>> session=
>>> 2013-10-16 09:53:41 imap(user3): Info: Disconnected: Logged out in=93
>>> out=819
>>> 2013-10-16 09:54:12 imap-login: Info: Login: user=, method=PLAIN,
>>> rip=127.0.0.1, lip=127.0.0.1, mpid=27440, secured,
>>> session=<6bI5CdzoCQB/AAAB>
>>> 2013-10-16 09:54:12 imap(user1): Info: Disconnected: Logged out in=93
>>> out=846
>>> 2013-10-16 09:54:12 imap(user5): Info: Disconnected: Logged out in=736
>>> out=7064
>>> 2013-10-16 09:54:15 imap-login: Info: Login: user=, method=PLAIN,
>>> rip=127.0.0.1, lip=127.0.0.1, mpid=27442, secured,
>>> session=
>>> 2013-10-16 09:54:15 imap(user6): Info: Disconnected: Logged out in=95
>>> out=902
>>> 2013-10-16 09:54:20 imap-login: Info: Login: user=, method=PLAIN,
>>> rip=127.0.0.1, lip=127.0.0.1, mpid=27444, secured,
>>> session=
>>> 2013-10-16 09:54:20 imap(user1): Info: Disconnected: Logged out in=93
>>> out=846
>>> 2013-10-16 09:54:24 imap-login: Info: Login: user=, method=PLAIN,
>>> rip=127.0.0.1, lip=127.0.0.1, mpid=27446, secured,
>>> session=
>>> 2013-10-16 09:54:24 imap(user3): Info: Disconnected: Logged out in=93
>>> out=819
>>>
>>> These errors are not confined to a single user, and do not occur with
>>> the same frequency.
>>>
>>
>> This isn't per chance on a NAS/SAN/DAS is it?
>>
> No, it is not on a SAN.  I saw that thread a while back, but this
> doesn't seem to be related.
>>> I originally was running the Dovecot shipped with the default Ubuntu
>>> repositories (don't remember which version, but it was 1.*) and used a
>>> backport to upgrade to 2.1.7 to see if that fixed it.  It did not.
>>>
>>> Any ideas why this is happening?
>> gawd knows what debian (that's all ubuntu is, same package maintainers
>> 99% of time) do to things, wouldn't be the first time they put out a
>> package that was kaput from get go, so doveconf -n output will likely
>> be required
>>
> I can provide "dovecot -n" output if this doesn't answer the question,
> but it might be an apparmor issue.  We recently enabled apparmor
> protection, and it seems that it generated an ungodly amount of profiles
> in complain mode.  So many, that it was causing issues with usage of the
> openssl library.
>
> Putting it in to enforce mode seems like it might fix the problem.  I'll
> post more information once this is confirmed or denied.
I'm replying to this post for completeness.  This was definitely a
problem with AppArmor in complain mode breaking IMAP.  It was generating
an incredible amount of logging information, and ended up blocking
access to the OpenSSL .so files every once in a while.

Putting AppArmor into enforce mode (after checking all of the rules and
verifying functionality) worked.  No more fstat() errors.


Re: [Dovecot] using dovecot in Asterisk imap storage

2013-10-22 Thread Asmaa Ahmed
Hello,

Thanks for the link, I know how I can configure it from the wiki.. My 
question is can I add this section completely by myself? I can't find this 
section at all in dovecot.conf to modify it, and dovecot.masterusers file 
doesn't exist too in etc configuration files, should I create it too? Because I 
couldn't find the section even commented gave me a doubt if it is the correct 
way to do it for this version, so I am posting here if someone can confirm 
this!

Thanks.
> From: b...@computerisms.ca
> To: dovecot@dovecot.org
> Date: Mon, 21 Oct 2013 19:05:19 -0700
> Subject: Re: [Dovecot] using dovecot in Asterisk imap storage
> 
> 
> -- 
> Computerisms
> Bob Miller  
> 867-334-7117 / 867-633-3760
> http://computerisms.ca
> 
> 
> On Tue, 2013-10-22 at 02:47 +0200, Asmaa Ahmed wrote:
> > Hello, 
> > I am trying to use postfix/dovecot as mail server to be the imap storage 
> > for my voicemail system.For that I installed postfix and dovecot and trying 
> > to follow the instructions in this post 
> > http://etel.wiki.oreilly.com/wiki/index.php?title=Storing_Voicemail_on_an_IMAP_server&printable=yes
> 
> ugh.  it's hard to read your mail, some line breaks or new paragraphs
> would be useful.
> 
> I have yet to find one wiki that answers all questions.  Expand your
> horizon: 
>   
> http://wiki2.dovecot.org/Authentication/MasterUsers
> 
> FWIW, if you are using a recent version of freepbx you can configure
> imap storage in there on a per-user/extension basis, so you don't need
> to set up the masteruser...
> 
> 
> 
  

[Dovecot] LMTP, TLS/SSL, authentication, proxy

2013-10-22 Thread Jogi Hofmüller

Folks,

Several questions packed into one email ;)

Can dovecot use TLS/SSL on LTMP inet socket?

Can I configure dovecot to only let an authenticated user deliver mail 
via LMTP?


Can I tell dovecot to use a user/password for proxying LMTP connections?

All this is related to my quest to move from cyrus to dovecot 
transparently to our users.  And if any of the above questions can be 
answered with yes, I would appreciate the odd hint on howto configure 
that :)


Thanks in advance!
--
j.hofmüller

aka Thesix   http://users.mur.at/thesix/


Re: [Dovecot] proxy, userdb and passdb

2013-10-22 Thread Jogi Hofmüller

Hi Steffen,

On 2013-10-22 10:05, Steffen Kaiser wrote:

> see http://wiki2.dovecot.org/PasswordDatabase/ExtraFields

Did, thanks.  The errors I mentioned in my previous post are gone. 
Still, proxying does not work as expected.  Instead I get strange warnings:

  Oct 22 12:06:51 server dovecot: auth-worker(PID): Warning: userdb passwd: Move templates args to override_fields setting

This is the proxy-userdb file's content (I removed the UID and IP address):

user:::proxy=y host=IP-ADDRESS starttls=y nopassword=y

> However, a userdb does never override passdb setting (as I understand
> your wording), because the userdb kicks in later, you should post your
> config.

Here it comes:

# 2.1.17: /etc/dovecot/dovecot.conf
# OS: Linux 3.10-3-amd64 x86_64 Debian jessie/sid
mail_location = maildir:~/Maildir
mail_plugins = acl
namespace {
  list = children
  location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u
  prefix = shared/%%u/
  subscriptions = no
  type = shared
}
namespace inbox {
  hidden = yes
  inbox = yes
  list = no
  location =
  mailbox Drafts {
auto = subscribe
special_use = \Drafts
  }
  mailbox Junk {
special_use = \Junk
  }
  mailbox Sent {
auto = subscribe
special_use = \Sent
  }
  mailbox "Sent Messages" {
auto = subscribe
special_use = \Sent
  }
  mailbox Trash {
auto = subscribe
special_use = \Trash
  }
  prefix =
  subscriptions = yes
  type = private
}
passdb {
  args = session=yes
  driver = pam
}
plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
protocols = " imap lmtp pop3"
ssl_cert = http://sat.mur.at/


Re: [Dovecot] proxy, userdb and passdb

2013-10-22 Thread Steffen Kaiser

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Fri, 18 Oct 2013, Jogi Hofmüller wrote:

> We are getting closer to the migration of our mailsystem.  Now I have a
> special question.  We are successfully using
>
> passdb {
>  driver = pam
> }
>
> and that is good.  Now, how would I tell dovecot to proxy certain users
> (the ones not yet migrated) to the old server?  My attempts to configure
> an additional userdb failed since this seems to override the passdb setting.


see http://wiki2.dovecot.org/PasswordDatabase/ExtraFields

However, a userdb does never override passdb setting (as I understand your 
wording), because the userdb kicks in later, you should post your config.


- -- 
Steffen Kaiser

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)

iQEVAwUBUmYx2F3r2wJMiz2NAQIOYwf/aylycKboWUL9rTep6u0wzfC+e5ZVLHec
oZSzF3Kths+dC6IOwEyCBlMuDdk+3Wol1enFzpFVonV11dJ8r55dpUcDqKEhVgS/
Jmx9B/e2+T5aHNZ/VjFxO9rLA+eVasR5g8SQqyjOxN7s71qgrxeGdLfFqt6PoZ5Y
7ZLawGee0wjDblPsG6lpxfCbnJDKF2ooqkIOQ3SQm43bHd5hBHUprJYjXdI4vbFR
I2yMNGbAbyuHgzJcPV1/W1GX1UUbFp53DUENFvg3C4Q9rxHAtzDu3JgirkRxhOQ0
qgZ0Uklmddviqp0KgVGulv0jJe0kk03hI689vfwIkddP5LwESwd4Rw==
=kIXe
-END PGP SIGNATURE-

Re: [Dovecot] Strange output from LIST command

2013-10-22 Thread azurIt
> From: Robert Schetterer 
> To: 
> Date: 22.10.2013 00:14
> Subject: Re: [Dovecot] Strange output from LIST command
>
>-BEGIN PGP SIGNED MESSAGE-
>Hash: SHA1
>
>On 21.10.2013 22:11, azurIt wrote:
>>> From: Bron Gondwana  To:
>>>  Date: 17.10.2013 12:30 Subject: Re:
>>> [Dovecot] Strange output from LIST command
>>> 
>>> CC: "Timo Sirainen"  On Thu, Oct 17, 2013, at 09:21
>>> PM, azurIt wrote:
>>>> From: Bron Gondwana  To: Michael M Slusarz
>>>> ,  Date:
>>>> 17.10.2013 12:14 Subject: Re: [Dovecot] Strange output from
>>>> LIST command
> 
> On Tue, Oct 15, 2013, at 06:23 AM, Michael M Slusarz wrote:
>> Quoting azurIt :
>> 
>>> i'm using Dovecot 2.1.7 (Debian Wheezy) and output from
>>> LIST command looks strange:
>>> 
>>> C: 4 LIST () "" (INBOX INBOX.Karantena INBOX.Spam) RETURN (STATUS (UNSEEN))
>>> S: * LIST () "." "INBOX"
>>> S: * LIST () "." "INBOX.Karantena"
>>> S: * STATUS "INBOX.Karantena" (UNSEEN 0)
>>> S: * LIST () "." "INBOX.Spam"
>>> S: * STATUS "INBOX.Spam" (UNSEEN 0)
>>> S: 4 OK List completed.
>>> 
>>> The UNSEEN information for INBOX is completely missing.
>>> Is it correct behavior?
>> 
>> No.  RFC 5819 [2]:
>> 
>> "For each selectable mailbox matching the list pattern and
>> selection options, the server MUST return an untagged LIST
>> response followed by an untagged STATUS response containing
>> the information requested in the STATUS return option."
> 
> Just wondering if the INBOX was SELECTed at the time?
> There's some fun interaction around STATUS and SELECT in
> RFC3501.
> 
> Bron.
 
 
 Here's the complete IMAP communication, see the (1) only: 
 http://bugs.horde.org/view.php?actionID=view_file&type=log&file=imap-ok.log&ticket=12748


 
>I also find out that it's working ok when i LIST the INBOX alone like this:
>>>> C: 4 LIST () "" (INBOX) RETURN (STATUS (UNSEEN))
>>>> S: * LIST () "." "INBOX"
>>>> S: * STATUS "INBOX" (UNSEEN 2)
>>>> S: 4 OK List completed.
>>>>
>>>> The information about UNSEEN messages is correct. It's only
>>>> doing problems when listing multiple folders at once.
>>> 
>>> Yeah, that definitely looks like a bug!  I've CC'd Timo to grab
>>> his attention :)
>> 
>> 
>> Can anyone confirm the bug? Will it be fixed in 2.1.x? Thank you.
>> 
>> azur
>> 
>
>
>2.1.7 is out of date update to 2.1.17 or 2.2.6 and try again


As i already said, i tried 2.1.17 and problem persists:
http://dovecot.2317879.n4.nabble.com/Strange-output-from-LIST-command-tp44817p44838.html

azur
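As an added example (not part of the thread, not Dovecot or Horde code), a small checker for the RFC 5819 rule Michael quotes: every selectable mailbox returned by a LIST ... RETURN (STATUS ...) must be followed by a STATUS line. It parses the untagged responses, skips mailboxes flagged \Noselect or \NonExistent, and reports the ones that got no STATUS. The two transcripts are constructed; BUGGY mirrors the server responses azurIt posted, FIXED is what a conforming server would send. Literal-syntax mailbox names are not handled.

```python
import re
from typing import Dict, List, Set, Tuple

# Untagged responses of a LIST ... RETURN (STATUS (...)) exchange. The mailbox
# name may be quoted or a bare atom; literal syntax ({n}\r\n...) is not handled.
_LIST_RE = re.compile(r'^\* LIST \(([^)]*)\) (?:"[^"]*"|NIL) (?:"([^"]*)"|(\S+))$')
_STATUS_RE = re.compile(r'^\* STATUS (?:"([^"]*)"|(\S+)) \(([^)]*)\)$')


def parse_list_status(server_lines: List[str]) -> Tuple[Dict[str, Set[str]], Dict[str, Dict[str, int]]]:
    """Return (mailbox -> LIST attributes, mailbox -> STATUS items) from the
    server side of the exchange; other lines (tagged OK, etc.) are ignored."""
    listed: Dict[str, Set[str]] = {}
    statuses: Dict[str, Dict[str, int]] = {}
    for raw in server_lines:
        line = raw.rstrip("\r\n")
        m = _LIST_RE.match(line)
        if m:
            name = m.group(2) if m.group(2) is not None else m.group(3)
            listed[name] = {attr.upper() for attr in m.group(1).split()}
            continue
        m = _STATUS_RE.match(line)
        if m:
            name = m.group(1) if m.group(1) is not None else m.group(2)
            items = m.group(3).split()
            statuses[name] = {items[i].upper(): int(items[i + 1])
                              for i in range(0, len(items) - 1, 2)}
    return listed, statuses


def missing_status(server_lines: List[str]) -> List[str]:
    """Mailboxes RFC 5819 requires a STATUS for (listed and selectable, i.e.
    neither \\Noselect nor \\NonExistent) that the server gave none."""
    listed, statuses = parse_list_status(server_lines)
    return sorted(name for name, attrs in listed.items()
                  if not attrs & {"\\NOSELECT", "\\NONEXISTENT"}
                  and name not in statuses)


# Constructed transcripts: BUGGY mirrors the responses quoted in the thread,
# FIXED is what a conforming server would send for the same request.
BUGGY = [
    '* LIST () "." "INBOX"',
    '* LIST () "." "INBOX.Karantena"',
    '* STATUS "INBOX.Karantena" (UNSEEN 0)',
    '* LIST () "." "INBOX.Spam"',
    '* STATUS "INBOX.Spam" (UNSEEN 0)',
    '4 OK List completed.',
]
FIXED = [
    '* LIST () "." "INBOX"',
    '* STATUS "INBOX" (UNSEEN 2)',
    '* LIST (\\Noselect \\HasChildren) "." "Archive"',  # not selectable: no STATUS due
    '* LIST () "." "INBOX.Karantena"',
    '* STATUS "INBOX.Karantena" (UNSEEN 0)',
    '4 OK List completed.',
]

if __name__ == "__main__":
    print("buggy transcript, mailboxes without STATUS:", missing_status(BUGGY))
    print("fixed transcript, mailboxes without STATUS:", missing_status(FIXED))
```

Feed it the server lines captured from a client debug log (the Horde imap-ok.log linked above has that shape) and an empty result means the server met the MUST; a non-empty one lists the mailboxes a client would wrongly show as having no unseen count.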