Re: [Dovecot] recipient_delimiter deux
On Wed, 23 Oct 2013, LuKreme wrote:

> OK, I've been banging my head on why my procmail setup for virtual users is no longer working (difficult to test, since enabling it breaks live users' mail). There are only a few virtual users who have any sort of filters in place anyway (the heavy procmail users are local, not virtual), and they are fairly simple, so I think I can recreate them with sieve.
>
> I think I have everything I need for sieve to work, but now what? The first thing I want to do is have sieve process recipient_delimiter into a separate mailbox (creating it, if needed). Googling just for example sieve scripts comes up empty (well, directing to the dovecot wiki which, at least on the links that come up, does not have sample scripts).
>
> So, foo+...@example.com will go into foo's mailstore in the folder .bar/new/
>
> On 27 Sep 2013, at 00:24 , Steffen Kaiser wrote:
>> Dovecot LDA uses the "-m" option and only lda_mailbox_autocreate and lda_mailbox_autosubscribe, no need for recipient_delimiter to override the default mailbox.
>
> Which I still don't understand. recipient_delimiter = + is the default, so I shouldn't need to set it in my confs, I just need to set up a sieve recipe (is that what it is called? script?) that will process these messages, right? What would that look like?
>
> I have to set up the SQL users so that LMTP or LDA is used for delivery, but I want that to apply only to the sql users. Something like this, maybe?

This particular step is done in your MTA. So, how do you deliver your messages from the MTA into the mail storage of the user? If you want to use procmail for system users and Dovecot's LDA/LMTP for virtual users, you need to configure a separation _there_ already. The MTA decides which LDA to use: procmail vs. Dovecot.

My reply above applies to the branch where the MTA uses Dovecot LDA to deliver messages (to virtual users). Then use the -m option of the Dovecot LDA, no need for a Sieve script. See http://wiki2.dovecot.org/LDA/Postfix

If you use Dovecot's LMTP service, set lmtp_save_to_detail_mailbox = yes, no need for a Sieve script either.

However, Sieve can override this default mailbox with fileinto; actually both variants just replace the default mailbox (aka INBOX).

If you want to use a Sieve script, you need to get the "subaddress" of the envelope recipient address. I've never done this. See http://wiki2.dovecot.org/Pigeonhole/Sieve/Examples, 2nd example in section "Plus Addressed mail filtering"; however some MTAs do not pass envelope information to Dovecot LDA, LMTP would be required then. See the remark below that example, too.

> userdb {
>   args = /etc/dovecot/dovecot-sql.conf.ext
>   default_fields = uid=vpopmail gid=vchkpw mail_location=/usr/local/virtual/%u mail=maildir:/usr/local/virtual/%u sieve=/var/sieve/%u.sieve protocol_lda=$mailplugins sieve
>   driver = sql
> }
>
> I'm sure that protocol_lda isn't the right syntax though.
>
> If I set sieve=/var/sieve/%u.sieve as above, would users still be able to use sieve-manage to manage their own sieve files? And what MUAs support this?
>
> If I left that out, do I put ~/.dovecot.sieve in with the other mailboxes and {cur,new,tmp} and the index files, or will there be issues? If I put a dovecot.sieve file there, will it just be seen, processed, and work? (SQL users' $HOME is their maildir)
>
> $ doveconf -n
> # 2.2.5: /usr/local/etc/dovecot/dovecot.conf
> # OS: FreeBSD 9.1-RELEASE i386
> auth_mechanisms = PLAIN LOGIN
> disable_plaintext_auth = no
> first_valid_uid = 89
> login_log_format_elements = user=<%u> %r %m %c
> mail_location = maildir:~/Maildir
> mail_max_userip_connections = 90
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
> namespace inbox {
>   inbox = yes
>   location =
>   mailbox Drafts {
>     special_use = \Drafts
>   }
>   mailbox Junk {
>     auto = subscribe
>     special_use = \Junk
>   }
>   mailbox NotJunk {
>     auto = subscribe
>   }
>   mailbox Sent {
>     special_use = \Sent
>   }
>   mailbox "Sent Messages" {
>     special_use = \Sent
>   }
>   mailbox Trash {
>     special_use = \Trash
>   }
>   prefix =
> }
> passdb {
>   driver = pam
> }
> passdb {
>   args = /etc/dovecot/dovecot-sql.conf.ext
>   driver = sql
> }
> protocols = imap sieve
> service auth {
>   unix_listener /var/spool/postfix/private/auth {
>     mode = 0666
>   }
> }
> service imap-login {
>   inet_listener imaps {
>     port = 993
>     ssl = yes
>   }
> }
> ssl_cert =

-- 
Steffen Kaiser
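The plus-address filing LuKreme asks for, written the Sieve way Steffen points to (envelope :detail from the "subaddress" extension, fileinto :create from the "mailbox" extension). This is an added example, not the wiki's script and not anything posted in this thread. It assumes the Maildir layout from the doveconf -n above (empty namespace prefix, "." as the hierarchy separator, so folder "bar" is ~/Maildir/.bar/), and that the MTA actually hands the envelope recipient to Dovecot: with dovecot-lda that means passing -a "$RECIPIENT" (plus -d for the user); with LMTP it comes for free. Every extension the script requires is listed in the managesieve_sieve_capability line of that config.

```sieve
# Added example (not from the Dovecot wiki or this thread): file plus-addressed
# mail into the folder named by the detail part of the envelope recipient.
#
# Assumptions: Maildir, empty namespace prefix, "." as hierarchy separator
# (as in the doveconf -n above), so "bar" becomes ~/Maildir/.bar/.
# The envelope test only sees the real recipient if the MTA hands it over
# (dovecot-lda -a "$RECIPIENT") or if delivery goes through LMTP.

require ["envelope", "subaddress", "variables", "fileinto", "mailbox", "regex"];

# foo+bar@example.com -> ${1} = "bar"; plain foo@example.com leaves ${name} empty
if envelope :matches :detail "to" "*" {
  set :lower "name" "${1}";
}

# The detail part is chosen by the sender, so it must not be allowed to name
# arbitrary folders: only a short alphanumeric token is accepted (no "." or
# "/", which are hierarchy separators); anything else falls through to INBOX.
if allof (not string :is "${name}" "",
          string :regex "${name}" "^[a-z0-9_-]{1,32}$") {
  # :create makes the folder on first use, so lda_mailbox_autocreate is not needed
  fileinto :create "${name}";
  stop;
}

# Everything else, including mail with no detail part, lands in INBOX.
fileinto "INBOX";
```

Because anyone can send to foo+anything@example.com, the detail part is attacker-chosen input; the regex is what stops a sender from creating folders that contain the hierarchy separator, or hundreds of junk folders. To file only into folders the user already created, replace the regex test with mailboxexists "${name}" and drop :create. If no per-user logic is needed, Steffen's non-Sieve route does the same job: dovecot-lda's -m option with the MTA supplying the detail part (Postfix exposes it as $EXTENSION), or lmtp_save_to_detail_mailbox = yes for LMTP, with lda_mailbox_autocreate = yes to create the folder.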
[Dovecot] recipient_delimiter deux
OK, I've been banging my head on why my procmail setup for virtual users is no longer working (difficult to test, since enabling it breaks live users' mail). There are only a few virtual users who have any sort of filters in place anyway (the heavy procmail users are local, not virtual), and they are fairly simple, so I think I can recreate them with sieve.

I think I have everything I need for sieve to work, but now what? The first thing I want to do is have sieve process recipient_delimiter into a separate mailbox (creating it, if needed). Googling just for example sieve scripts comes up empty (well, directing to the dovecot wiki which, at least on the links that come up, does not have sample scripts).

So, foo+...@example.com will go into foo's mailstore in the folder .bar/new/

On 27 Sep 2013, at 00:24 , Steffen Kaiser wrote:
> Dovecot LDA uses the "-m" option and only lda_mailbox_autocreate and lda_mailbox_autosubscribe, no need for recipient_delimiter to override the default mailbox.

Which I still don't understand. recipient_delimiter = + is the default, so I shouldn't need to set it in my confs, I just need to set up a sieve recipe (is that what it is called? script?) that will process these messages, right? What would that look like?

I have to set up the SQL users so that LMTP or LDA is used for delivery, but I want that to apply only to the sql users. Something like this, maybe?

userdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  default_fields = uid=vpopmail gid=vchkpw mail_location=/usr/local/virtual/%u mail=maildir:/usr/local/virtual/%u sieve=/var/sieve/%u.sieve protocol_lda=$mailplugins sieve
  driver = sql
}

I'm sure that protocol_lda isn't the right syntax though.

If I set sieve=/var/sieve/%u.sieve as above, would users still be able to use sieve-manage to manage their own sieve files? And what MUAs support this?

If I left that out, do I put ~/.dovecot.sieve in with the other mailboxes and {cur,new,tmp} and the index files, or will there be issues? If I put a dovecot.sieve file there, will it just be seen, processed, and work? (SQL users' $HOME is their maildir)

$ doveconf -n
# 2.2.5: /usr/local/etc/dovecot/dovecot.conf
# OS: FreeBSD 9.1-RELEASE i386
auth_mechanisms = PLAIN LOGIN
disable_plaintext_auth = no
first_valid_uid = 89
login_log_format_elements = user=<%u> %r %m %c
mail_location = maildir:~/Maildir
mail_max_userip_connections = 90
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    auto = subscribe
    special_use = \Junk
  }
  mailbox NotJunk {
    auto = subscribe
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
protocols = imap sieve
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
  }
}
service imap-login {
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
ssl_cert =
Re: [Dovecot] secure email server
On Wed, 23 Oct 2013, Robert Schetterer wrote:

> On 23.10.2013 13:16, BONNET, Frank wrote:
>> my first question is : are postfix and dovecot able to use an encrypted filesystem such as Encfs ?
>
> i am not an expert with crypto filesystems, but from my view, depending on "mail" this would be a feature "on top" (additional to i.e. vpn, ssl, tls, gpg); the main problem may ever be, you have to mount the mailbox partition read/writable to dovecot, so you might not get what

With PAM you can mount AFS and EncFS user volumes with the user password transparently. (Well, I did not use EncFS in production, but in theory.) So, each Dovecot process would run with special user privileges to access the user's mails. That however imposes the problem of how mails are delivered into the mail storage without some sort of master user, because the MDA does not gain the user privileges without the user's password. Maybe, for that a "pending INBOX" had to be created, from where the user slurps the new mails on login with the snarf plugin.

> you're hoping to get from the security side

Yes, I agree.

>> And yes STARTTLS will be used for both SMTP & IMAP access

With Dovecot you can use the "secure" variable, dunno if this works with PAM though.

-- 
Steffen Kaiser
Re: [Dovecot] secure email server
On Wed, 2013-10-23 at 15:21 +0200, Frerich Raabe wrote:
> On 2013-10-23 13:21, Reindl Harald wrote:
>> On 23.10.2013 13:16, BONNET, Frank wrote:
>>> my first question is : are postfix and dovecot able to use an encrypted filesystem such as Encfs?
>>
>> dovecot and postfix are userland applications
>> it's not their job to bother about a filesystem
>> this is a kernel task
>
> Not all userland applications work equally well with all filesystems (consider programs which work poorly with NFS because they are built around the assumption that certain syscalls are fast).

That assumption is somewhat optimistic and - thus - these applications are obviously buggy. Since Dovecot works on NFS, it should work with almost all filesystems and (relatively) slow ones too. And MTAs (like postfix) are also built for (and used in) large systems, so they should better work on NFS and slow I/O too.

Bernd

-- 
Bernd Petrovitsch
Email : be...@petrovitsch.priv.at
LUGA : http://www.luga.at
Re: [Dovecot] secure email server
On 2013-10-23 13:21, Reindl Harald wrote:
> On 23.10.2013 13:16, BONNET, Frank wrote:
>> my first question is : are postfix and dovecot able to use an encrypted filesystem such as Encfs?
>
> dovecot and postfix are userland applications
> it's not their job to bother about a filesystem
> this is a kernel task

Not all userland applications work equally well with all filesystems (consider programs which work poorly with NFS because they are built around the assumption that certain syscalls are fast).

- Frerich
Re: [Dovecot] secure email server
On 23.10.2013 13:16, BONNET, Frank wrote:
> my first question is : are postfix and dovecot able to use an encrypted filesystem such as Encfs ?

i am not an expert with crypto filesystems, but from my view, depending on "mail" this would be a feature "on top" (additional to i.e. vpn, ssl, tls, gpg); the main problem may ever be, you have to mount the mailbox partition read/writable to dovecot, so you might not get what you're hoping to get from the security side

> For the access question , yes I will use a Juniper firewall ( is it safe to use Juniper ? ) to filter IMAP and SMTP access from the outside and the LAN

that looks also "on top" to me; if this is a "closed net" you might choose ports with ssl/tls as you like, or simply "start" only secure standard ports; an additional overlay with a local firewall, using a border firewall too, should not hurt the mail setup anyway

your goal is deeply related to the "paranoid" level you have/want to match. let me give an example: however you manage super secure servers incl. vpn, ssl, tls, gpg, if your users have insecure client computers and/or OS types there will ever be a hole to break in; also from paranoia level high, it shouldn't be allowed to connect to that system with i.e. imap clients which are not open software, closed software may enable spying before any crypt mech has taken place. At the end there will ever be code bugs. So there is no "secure" mail server; there will ever exist a mail setup which matches the security level you want or have to match.

> And yes STARTTLS will be used for both SMTP & IMAP access
>
> *Frank BONNET*
> UNIX and Network Systems
> ESIEE PARIS
> 01.45.92.66.17 - 06.70.37.37.69
>
> 2013/10/23 Steffen Kaiser
>> On Wed, 23 Oct 2013, BONNET, Frank wrote:
>>> I have to setup a "secured" email server
>>> - encrypted filesystem
>>
>> hmm. First define what "encrypted" means in this case, the whole partition with one master key, encrypted for each user, ... . For the first, several block device level approaches exist, for the latter check out AFS or Encfs.
>>
>>> - SSL or TLS only for SMTP and IMAPS
>>
>> Well, if you use an inspecting firewall, that checks the traffic, you will be on the safe side of life.
>>
>> Does IMAPS mean: no STARTTLS over IMAP? Then drop the imap listener in Dovecot.
>>
>>> - Talking only to some known other same-secured servers
>>
>> use an IP firewall.
>>
>> -- Steffen Kaiser

Best Regards
Robert Schetterer

-- 
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
Re: [Dovecot] secure email server
On 23.10.2013 13:16, BONNET, Frank wrote:
> my first question is : are postfix and dovecot able to use an encrypted filesystem such as Encfs?

dovecot and postfix are userland applications
it's not their job to bother about a filesystem
this is a kernel task
Re: [Dovecot] secure email server
my first question is : are postfix and dovecot able to use an encrypted filesystem such as Encfs ?

For the access question , yes I will use a Juniper firewall ( is it safe to use Juniper ? ) to filter IMAP and SMTP access from the outside and the LAN

And yes STARTTLS will be used for both SMTP & IMAP access

*Frank BONNET*
UNIX and Network Systems
ESIEE PARIS
01.45.92.66.17 - 06.70.37.37.69

2013/10/23 Steffen Kaiser
> On Wed, 23 Oct 2013, BONNET, Frank wrote:
>> I have to setup a "secured" email server
>> - encrypted filesystem
>
> hmm. First define what "encrypted" means in this case, the whole partition with one master key, encrypted for each user, ... . For the first, several block device level approaches exist, for the latter check out AFS or Encfs.
>
>> - SSL or TLS only for SMTP and IMAPS
>
> Well, if you use an inspecting firewall, that checks the traffic, you will be on the safe side of life.
>
> Does IMAPS mean: no STARTTLS over IMAP? Then drop the imap listener in Dovecot.
>
>> - Talking only to some known other same-secured servers
>
> use an IP firewall.
>
> -- Steffen Kaiser
Re: [Dovecot] secure email server
On Wed, 23 Oct 2013, BONNET, Frank wrote:

> I have to setup a "secured" email server
> - encrypted filesystem

hmm. First define what "encrypted" means in this case, the whole partition with one master key, encrypted for each user, ... . For the first, several block device level approaches exist, for the latter check out AFS or Encfs.

> - SSL or TLS only for SMTP and IMAPS

Well, if you use an inspecting firewall, that checks the traffic, you will be on the safe side of life.

Does IMAPS mean: no STARTTLS over IMAP? Then drop the imap listener in Dovecot.

> - Talking only to some known other same-secured servers

use an IP firewall.

-- 
Steffen Kaiser
Re: [Dovecot] Odd Feature Request - RBL blacklist lookup to prevent authentication
On Tue, 22 Oct 2013, Marc Perkel wrote:

> I would like to have a list of IPs (hacker list) that I can do a lookup on so that if anyone tries to authenticate to dovecot they always fail if they are on my list. I have the list - and the list is available as a DNS blacklist. I'd like to have it work with both local IP lists or RBL lookup. The idea is so hackers from known IP addresses never succeed.

Why would you let the auth happen at all? Is it some sort of tarpitting? Otherwise you could just block the IP with a firewall.

Maybe you can combine the deny AuthDatabase, as explained here:
http://wiki2.dovecot.org/Authentication/RestrictAccess?highlight=%28deny%29
with a socket auth daemon:
http://wiki2.dovecot.org/AuthDatabase/Dict

So, you return success via the auth socket dict and use the remote IP as "key", but success is turned into "deny".

> If Dovecot provides the feature I have about 1/2 million IP addresses of known current hackers to block.

Well, I do not like the notion "one IP == one person", too many setups use NAT.

-- 
Steffen Kaiser