Re: [Dovecot] Dovecot LMTP does not pass envelope recipient +detail to sieve
On Thu, 9 Jan 2014, Greg Rivers wrote:

> On Thu, 9 Jan 2014, Steffen Kaiser wrote:
>
>> On Tue, 7 Jan 2014, Greg Rivers wrote:
>>
>>> [snip]
>>>
>>> So for the archives, to get sieve's "envelope :detail ..." working with
>>> sendmail and dovecot LMTP, do the following:
>>>
>>> 1) Add "lda_original_recipient_header = X-Original-To" to 15-lda.conf
>>>
>>> 2) Add the following rule to sendmail.mc to add a X-Original-To: header
>>>    to every message:
>>>
>>>    LOCAL_CONFIG
>>>    H?${u}?X-Original-To: $u
>>
>> Second: My Debian sendmail v8.14.4 does pass +detail to LMTP.
>>
>> Mlocal, P=[IPC], F=lsDFMAw5:/|@qPSXnz9, S=EnvFromSMTP/HdrFromL, R=EnvToL/HdrToL, T=DNS/RFC822/SMTP, A=FILE /var/run/dovecot2.2/lmtp
>>
>> looks like just:
>>
>> FEATURE(`local_lmtp',`[IPC]',`FILE /var/run/dovecot2.2/lmtp')dnl
>>
>> of my mc-file affects it.
>
> Now this is a really useful data point! I have exactly the same
> configuration on FreeBSD running sendmail v8.14.7:
>
> FEATURE(`local_lmtp',`[IPC]',`FILE /var/run/dovecot/lmtp')
>
> Mlocal, P=[IPC], F=lsDFMAw5:/|@qPSXmnz9, S=EnvFromSMTP/HdrFromL, R=EnvToL/HdrToL, T=DNS/RFC822/SMTP, A=FILE /var/run/dovecot/lmtp
>
>> The use of forwarding, aliases or virtuser table might strip the detail;
>> you need to explicitly preserve the +detail with those. Retry with a
>> recipient without any rewriting and from the local host.
>>
>> echo TEST | sendmail -v recipient+det...@yourdomain.tld
>>
>> Received: from ux-2s11.inf.fh-bonn-rhein-sieg.de by ux-2s11.inf.fh-bonn-rhein-sieg.de (Dovecot) with LMTP id aC4NEHRMzlK7dgAALie3fw for ; Thu, 09 Jan 2014 08:15:00 +0100
>
> I'm not using any aliases or virtuser table in my tests, yet my sendmail
> DOES NOT pass +detail to LMTP:
>
> $ echo TEST | sendmail -v gcr+det...@badger.tharned.org

try

sendmail -bv -d60.5 -d27.2 -d21.12 gcr+det...@badger.tharned.org

-d60.5  - trace map lookups
-d27.2  - traces processing of aliases and forwards
-d21.12 - trace R line processing

IMHO: If all map lookups return NOTFOUND, the detail is preserved; otherwise it is the duty of the map to preserve the detail.
-- 
Steffen Kaiser
Re: [Dovecot] imap auto create mailbox: we're not in group 8(mail)
Adrian Zaugg writes:

> How can I configure the auto create mailbox feature so that it works and
> lets the LMTP and IMAP process run as user %u and group mail and create the
> mailboxes in /var/mail as (example user tester) with the following
> permissions:
>
> /var/mail:
> drwxrwx--x root   mail   3072 Dec 18 01:43 .
> drwx------ tester tester 1024 Jan 09 12:53 tester

This is probably what you need:

# Group to enable temporarily for privileged operations. Currently this is
# used only with INBOX when either its initial creation or dotlocking fails.
# Typically this is set to "mail" to give access to /var/mail.
mail_privileged_group = mail

> ...or do I need a different approach?

You could also chmod 1777 /var/mail but this will allow arbitrary users who have filesystem access to create their own files here, and maybe DoS a new user from being created (or maybe even anticipate a new mailbox, create one with mode 0777 and wait to intercept mail?).

Joseph Tam
Re: [Dovecot] Dovecot LMTP does not pass envelope recipient +detail to sieve
On Thu, 9 Jan 2014, Steffen Kaiser wrote:

> On Tue, 7 Jan 2014, Greg Rivers wrote:
>
>> [snip]
>>
>> So for the archives, to get sieve's "envelope :detail ..." working with
>> sendmail and dovecot LMTP, do the following:
>>
>> 1) Add "lda_original_recipient_header = X-Original-To" to 15-lda.conf
>>
>> 2) Add the following rule to sendmail.mc to add a X-Original-To: header
>>    to every message:
>>
>>    LOCAL_CONFIG
>>    H?${u}?X-Original-To: $u
>
> First: This won't work, if the message has two or more recipients, $u is
> empty then.

Right. Miquel van Smoorenburg pointed that out too earlier in this thread.

> Do you serialize messages per recipient?

Yes, to mitigate this issue, I plan to enforce one recipient per LMTP session with:

define(`LOCAL_MAILER_MAXMSGS', `1')

This will result in adding "m=1" to the local mailer definition. But I'd really rather have +detail passed via LMTP.

> Second: My Debian sendmail v8.14.4 does pass +detail to LMTP.
>
> Mlocal, P=[IPC], F=lsDFMAw5:/|@qPSXnz9, S=EnvFromSMTP/HdrFromL, R=EnvToL/HdrToL, T=DNS/RFC822/SMTP, A=FILE /var/run/dovecot2.2/lmtp
>
> looks like just:
>
> FEATURE(`local_lmtp',`[IPC]',`FILE /var/run/dovecot2.2/lmtp')dnl
>
> of my mc-file affects it.

Now this is a really useful data point! I have exactly the same configuration on FreeBSD running sendmail v8.14.7:

FEATURE(`local_lmtp',`[IPC]',`FILE /var/run/dovecot/lmtp')

Mlocal, P=[IPC], F=lsDFMAw5:/|@qPSXmnz9, S=EnvFromSMTP/HdrFromL, R=EnvToL/HdrToL, T=DNS/RFC822/SMTP, A=FILE /var/run/dovecot/lmtp

> The use of forwarding, aliases or virtuser table might strip the detail;
> you need to explicitly preserve the +detail with those. Retry with a
> recipient without any rewriting and from the local host.
>
> echo TEST | sendmail -v recipient+det...@yourdomain.tld
>
> Received: from ux-2s11.inf.fh-bonn-rhein-sieg.de by ux-2s11.inf.fh-bonn-rhein-sieg.de (Dovecot) with LMTP id aC4NEHRMzlK7dgAALie3fw for ; Thu, 09 Jan 2014 08:15:00 +0100

I'm not using any aliases or virtuser table in my tests, yet my sendmail DOES NOT pass +detail to LMTP:

$ echo TEST | sendmail -v gcr+det...@badger.tharned.org
gcr+det...@badger.tharned.org... Connecting to [127.0.0.1] via relay...
220 badger.tharned.org ESMTP Sendmail 8.14.7/8.14.7; Thu, 9 Jan 2014 16:19:46 -0600 (CST)
EHLO badger.tharned.org
250-badger.tharned.org Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
VERB
250 2.0.0 Verbose mode
MAIL From: SIZE=5
250 2.1.0 ... Sender ok
RCPT To:
DATA
250 2.1.5 ... Recipient ok
354 Enter mail, end with "." on a line by itself
.
050 ... Connecting to /var/run/dovecot/lmtp via local...
050 220 badger.tharned.org Dovecot ready.
050 >>> LHLO badger.tharned.org
050 250-badger.tharned.org
050 250-8BITMIME
050 250-ENHANCEDSTATUSCODES
050 250 PIPELINING
050 >>> MAIL From:
050 250 2.1.0 OK
050 >>> RCPT To:
050 >>> DATA
050 250 2.1.5 OK
050 354 OK
050 >>> .
050 250 2.0.0 OD97EoIgz1L04QAAwQnkQQ Saved
050 ... Sent
250 2.0.0 s09MJkLK057843 Message accepted for delivery
gcr+det...@badger.tharned.org... Sent (s09MJkLK057843 Message accepted for delivery)
Closing connection to [127.0.0.1]
QUIT
221 2.0.0 badger.tharned.org closing connection

Return-Path: 
Delivered-To: 
Received: from badger.tharned.org by badger.tharned.org (Dovecot) with LMTP id OD97EoIgz1L04QAAwQnkQQ for ; Thu, 09 Jan 2014 16:19:46 -0600
Return-Path: 
Received: from badger.tharned.org (localhost [127.0.0.1]) by badger.tharned.org (8.14.7/8.14.7) with ESMTP id s09MJkLK057843 for ; Thu, 9 Jan 2014 16:19:46 -0600 (CST) (envelope-from g...@badger.tharned.org)
Received: by badger.tharned.org (8.14.7/8.14.7/Submit) id s09MJjbI057842 for gcr+det...@badger.tharned.org; Thu, 9 Jan 2014 16:19:45 -0600 (CST) (envelope-from gcr)
Date: Thu, 9 Jan 2014 16:19:45 -0600 (CST)
From: Greg Rivers 
Message-Id: <201401092219.s09mjjbi057...@badger.tharned.org>
To: undisclosed-recipients:;

TEST

So I clearly have a sendmail problem. Maybe there's been a regression in sendmail since 8.14.4, or there's some other platform specific issue. This gives me something to go on; thanks a lot for your feedback!

-- 
Greg Rivers
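The transcript above shows where to look: in "sendmail -v" output the nested LMTP conversation is prefixed with "050 >>> ", and the "RCPT To:" line on that leg is the envelope recipient Dovecot receives, which is what Sieve's "envelope :detail" test is evaluated against. The script below is an added example, not part of this thread and not code from sendmail or Dovecot; it pulls that line out of a saved transcript and reports whether the "+detail" part of the submitted recipient survived the hop. The function name detail_preserved and the two sample transcripts, with made-up addresses at example.test, are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread, sendmail or Dovecot): read the LMTP
# "RCPT To:" line out of a saved "sendmail -v" transcript and report whether
# the +detail part of the submitted recipient survived the hop to Dovecot.
#   usage: detail_preserved TRANSCRIPT_FILE SUBMITTED_ADDRESS
#   prints "preserved", "stripped" or "no-lmtp-rcpt"

detail_preserved() {
    transcript=$1
    submitted_local=${2%%@*}          # local part of the address as submitted
    # sendmail -v prefixes the nested LMTP conversation with "050 >>> ".
    lmtp_rcpt=$(sed -n 's/^050 >>> RCPT To:[ ]*<\([^>]*\)>.*/\1/p' "$transcript" | head -n 1)
    if [ -z "$lmtp_rcpt" ]; then
        echo no-lmtp-rcpt
        return 0
    fi
    lmtp_local=${lmtp_rcpt%%@*}       # local part Dovecot actually received
    if [ "$lmtp_local" = "$submitted_local" ]; then
        echo preserved
    else
        echo stripped
    fi
}

# Constructed sample transcripts modelled on the one in this thread; the
# hostnames and addresses are made up.
ok_transcript=$(mktemp)
cat >"$ok_transcript" <<'EOF'
050 220 mail.example.test Dovecot ready.
050 >>> LHLO mail.example.test
050 >>> MAIL From:<sender@example.test>
050 250 2.1.0 OK
050 >>> RCPT To:<alice+lists@example.test>
050 >>> DATA
050 250 2.1.5 OK
EOF

stripped_transcript=$(mktemp)
cat >"$stripped_transcript" <<'EOF'
050 220 mail.example.test Dovecot ready.
050 >>> LHLO mail.example.test
050 >>> MAIL From:<sender@example.test>
050 250 2.1.0 OK
050 >>> RCPT To:<alice@example.test>
050 >>> DATA
050 250 2.1.5 OK
EOF

detail_preserved "$ok_transcript" alice+lists@example.test         # preserved
detail_preserved "$stripped_transcript" alice+lists@example.test   # stripped
```

If it prints "stripped" for a direct local submission with no aliasing involved, Steffen's suggestion earlier in the thread, "sendmail -bv -d60.5 -d27.2 -d21.12 <address>", is the next step, since it traces the map lookups and alias processing that can rewrite the local part before the LMTP leg.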
Re: [Dovecot] LDA quota rejection
The basic mail systems do need this option. We are not talking about plain mail. Once a message was dropped or was not delivered there is a need to know that it was not sent or received. While some will separate internal mail from external, that's their preference, but once I send an email to a company I would like to know that my system and their system are working properly. In a case where the company does not want to reveal its computing resources to the outer world, it's a matter of security and other policies rather than basic email policies. I do remember that in real mail, once the recipient's box did not get the mail, it was sent back to the original sender, as it was paid for this service.

Eliezer

On 22/09/13 06:16, Noel Butler wrote:
> Dovecot should never generate a message to send to sender, this is
> classified as backscatter. Your MTA should get the quota answer from
> dovecot when the sender connects, and tries to mail and fail then, it is
> the MTA (maillog file) you need to look at to see why your MTA is not
> tempfailing the connection.
Re: [Dovecot] imap auto create mailbox: we're not in group 8(mail)
Hi Steffen

On 09.01.14 13:36, Steffen Kaiser wrote:
> The error says it all.

Almost ... If I understand you correctly, I can choose one of the three options you presented to me, right? If so, 3) I did until now. 2) no way. To 1): I now set

mail_privileged_group = mail

drwxrwx--x 94 root mail 3072 Dec 18 01:43 /var/mail

But I still get the same error. The LMTP and the IMAP process do still get executed under group %u, when they try to create the mailbox.

What's wrong?

Thank you for your help!

Best regards, Adrian.

> 1) See:
> # Group to enable temporarily for privileged operations. Currently this is
> # used only with INBOX when either its initial creation or dotlocking fails.
> # Typically this is set to "mail" to give access to /var/mail.
> #mail_privileged_group =
>
> # Grant access to these supplementary groups for mail processes. Typically
> # these are used to set up access to shared mailboxes. Note that it may be
> # dangerous to set these if users can create symlinks (e.g. if "mail" group is
> # set here, ln -s /var/mail ~/mail/var could allow a user to delete others'
> # mailboxes, or ln -s /secret/shared/box ~/mail/mybox would allow reading it).
> #mail_access_groups =
>
> 2) chmod 1777 /var/mail
>
> 3) pre-create your user dirs
Re: [Dovecot] imap auto create mailbox: we're not in group 8(mail)
On Thu, 9 Jan 2014, Adrian Zaugg wrote:

> Somehow I don't understand the intended work flow to have new mailboxes
> auto created. On login of a new user with no mailbox, I get
>
> 2014-01-09 12:53:06 imap(tester): Error: user tester: Initialization failed: Namespace '': mkdir(/var/mail/tester) failed: Permission denied (euid=1016(tester) egid=1016(tester) missing +w perm: /var/mail, we're not in group 8(mail), dir owned by 0:8 mode=0771)

The error says it all.

1) See:

# Group to enable temporarily for privileged operations. Currently this is
# used only with INBOX when either its initial creation or dotlocking fails.
# Typically this is set to "mail" to give access to /var/mail.
#mail_privileged_group =

# Grant access to these supplementary groups for mail processes. Typically
# these are used to set up access to shared mailboxes. Note that it may be
# dangerous to set these if users can create symlinks (e.g. if "mail" group is
# set here, ln -s /var/mail ~/mail/var could allow a user to delete others'
# mailboxes, or ln -s /secret/shared/box ~/mail/mybox would allow reading it).
#mail_access_groups =

2) chmod 1777 /var/mail

3) pre-create your user dirs

-- 
Steffen Kaiser
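Steffen's three options above, together with Joseph Tam's note earlier on the page about what "chmod 1777 /var/mail" lets other local users do and the mail_access_groups comment about symlinks, all come down to the same two questions: who may create entries under the spool, and what those entries may point at. The audit script below is an added example, not part of this thread and not code from Dovecot; it assumes the layout from this thread (maildirs under /var/mail/<user>/, the spool itself owned by root:mail and group-writable so that mail_privileged_group can do its job) and reports a world-writable spool, per-user directories that are not owned by the user they are named after or are group/world-writable, and symlinks inside a user's mail directory. The helper names mode_of, owner_of and audit_mail_spool and the throwaway fixture spools it builds under mktemp -d are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or from Dovecot): audit a spool laid out
# as /var/mail/<user>/ for the permission problems discussed in this thread.
# Only ls, awk and find are used, so it behaves the same on Linux and BSD.
#   usage: audit_mail_spool /var/mail   (prints one WARN/NOTE line per finding)

mode_of()  { ls -ld "$1" | awk '{print $1}'; }   # e.g. drwxrwx--x
owner_of() { ls -ld "$1" | awk '{print $3}'; }   # owner's user name

audit_mail_spool() {
    spool=$1
    # The spool itself: group-writable by "mail" is expected (that is what
    # mail_privileged_group relies on); world-writable is not.
    case "$(mode_of "$spool")" in
        ????????w[tT]*)
            echo "NOTE: $spool is world-writable (sticky bit set): any local user can pre-create entries, e.g. a not-yet-existing user's mailbox" ;;
        ????????w*)
            echo "WARN: $spool is world-writable without the sticky bit: any local user can create and remove other users' entries" ;;
    esac
    for d in "$spool"/*; do
        [ -e "$d" ] || continue           # empty spool: the glob did not match
        user=${d##*/}
        if [ -L "$d" ]; then
            echo "WARN: $d is a symlink, not a mailbox directory"
            continue
        fi
        [ -d "$d" ] || continue
        owner=$(owner_of "$d")
        [ "$owner" = "$user" ] || echo "WARN: $d is owned by $owner, not by $user"
        case "$(mode_of "$d")" in
            ?????w*|????????w*)
                echo "WARN: $d is group- or world-writable" ;;
        esac
        # Symlinks inside a mailbox dir are the "ln -s /var/mail ~/mail/var"
        # case from the mail_access_groups comment: the mail process would
        # follow them with whatever group access it has been granted.
        find "$d" -type l | while read -r link; do
            echo "WARN: symlink inside mailbox dir: $link"
        done
    done
    return 0
}

# Constructed fixture: a throwaway spool with every problem the audit looks for.
me=$(id -un)
bad_spool=$(mktemp -d)
chmod 777 "$bad_spool"                                        # world-writable, no sticky bit
mkdir "$bad_spool/$me";     chmod 700 "$bad_spool/$me"        # correctly owned dir...
ln -s "$bad_spool" "$bad_spool/$me/var"                       # ...with a symlink planted inside
mkdir "$bad_spool/${me}_x"; chmod 770 "$bad_spool/${me}_x"    # owner name mismatch, group-writable

sticky_spool=$(mktemp -d)
chmod 1777 "$sticky_spool"                                    # the "chmod 1777 /var/mail" option

audit_mail_spool "$bad_spool"       # four WARN lines
audit_mail_spool "$sticky_spool"    # one NOTE line
```

Run against a real spool it only reads metadata, so it is safe to schedule; the NOTE for a 1777 spool is deliberate, since that mode is a working configuration but carries exactly the pre-created-mailbox risk Joseph describes.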
[Dovecot] imap auto create mailbox: we're not in group 8(mail)
Dear List

Somehow I don't understand the intended work flow to have new mailboxes auto created. On login of a new user with no mailbox, I get

2014-01-09 12:53:06 imap(tester): Error: user tester: Initialization failed: Namespace '': mkdir(/var/mail/tester) failed: Permission denied (euid=1016(tester) egid=1016(tester) missing +w perm: /var/mail, we're not in group 8(mail), dir owned by 0:8 mode=0771)

The imap process runs as the user that logged in and thus it has only the privileges of that user. This is good and desired, when a mailbox already exists. I do not want to allow all users to write to /var/mail; they should only write to their own dirs inside /var/mail.

Same story for LMTP, if no mailbox exists yet:

2014-01-09 13:01:47 lmtp(20416, tester): Error: user tester: Initialization failed: Namespace '': mkdir(/var/mail/tester) failed: Permission denied (euid=1016(tester) egid=1016(tester) missing +w perm: /var/mail, we're not in group 8(mail), dir owned by 0:8 mode=0771)

How can I configure the auto create mailbox feature so that it works and lets the LMTP and IMAP process run as user %u and group mail and create the mailboxes in /var/mail as (example user tester) with the following permissions:

/var/mail:
drwxrwx--x root   mail   3072 Dec 18 01:43 .
drwx------ tester tester 1024 Jan 09 12:53 tester

...or do I need a different approach?

Thank you for helping me.

Best regards, Adrian.
My setup:
* Exim delivers to LMTP socket as user %u, group mail
* maildir storage in /var/mail

doveconf -n:

# 2.1.7: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-4-amd64 x86_64 Debian 7.3 ext3
auth_cache_negative_ttl = 0
auth_cache_size = 5 M
auth_cache_ttl = 4 hours
auth_failure_delay = 3 secs
auth_mechanisms = plain login digest-md5 cram-md5 apop rpa
auth_username_format = %n
auth_verbose = yes
auth_worker_max_count = 128
first_valid_gid = 1000
first_valid_uid = 1000
last_valid_gid = 6
last_valid_uid = 6
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
log_path = /var/log/dovecot/dovecot.log
log_timestamp = "%Y-%m-%d %H:%M:%S "
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c %k
mail_location = maildir:/var/mail/./%u/:INDEX=MEMORY
mail_prefetch_count = 1024
maildir_stat_dirs = yes
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave vacation-seconds
namespace inbox {
  inbox = yes
  location = 
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix = 
  type = private
}
passdb {
  args = scheme=SHA512-CRYPT username_format=%u /etc/cram-md5.pwd
  driver = passwd-file
}
plugin {
  sieve = /var/mail/%u/sieve/.dovecot.sieve
  sieve_before = /var/mail/%u/sieve/vacation.sieve
  sieve_dir = /var/mail/%u/sieve
  sieve_extensions = +vacation +vacation-seconds
  sieve_max_actions = 1024
  sieve_vacation_default_period = 12d
  sieve_vacation_max_period = 0
  sieve_vacation_min_period = 1d
}
postmaster_address = postmaster@
protocols = " imap lmtp sieve pop3"
service auth-worker {
  user = $default_login_user
}
service auth {
  group = mail-security
  unix_listener auth-client {
    mode = 0660
    user = Debian-exim
  }
  unix_listener auth-userdb {
    mode = 0666
  }
  user = $default_internal_user
}
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
  process_min_avail = 5
}
service lmtp {
  process_min_avail = 10
  unix_listener lmtp {
    mode = 0666
  }
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
  inet_listener sieve_deprecated {
    port = 2000
  }
  service_count = 1
  vsz_limit = 64 M
}
service pop3-login {
  inet_listener pop3 {
    port = 110
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
service pop3 {
  process_limit = 256
}
ssl_cert =