Re: [Dovecot] Dovecot LMTP does not pass envelope recipient +detail to sieve

2014-01-09 Thread Steffen Kaiser

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 9 Jan 2014, Greg Rivers wrote:

On Thu, 9 Jan 2014, Steffen Kaiser wrote:

On Tue, 7 Jan 2014, Greg Rivers wrote:


[snip]

So for the archives, to get sieve's "envelope :detail ..." working with 
sendmail and dovecot LMTP, do the following:


1) Add "lda_original_recipient_header = X-Original-To" to 15-lda.conf

2) Add the following rule to sendmail.mc to add a X-Original-To: header to 
every message:


LOCAL_CONFIG
H?${u}?X-Original-To: $u


Second: My Debian sendmail v8.14.4 does pass +detail to LMTP.

Mlocal,		P=[IPC], F=lsDFMAw5:/|@qPSXnz9, S=EnvFromSMTP/HdrFromL, R=EnvToL/HdrToL,
		T=DNS/RFC822/SMTP,
		A=FILE /var/run/dovecot2.2/lmtp

looks like just:

FEATURE(`local_lmtp',`[IPC]',`FILE /var/run/dovecot2.2/lmtp')dnl

of my mc-file effects it.



Now this is a really useful data point!  I have exactly the same
configuration on FreeBSD running sendmail v8.14.7:

FEATURE(`local_lmtp',`[IPC]',`FILE /var/run/dovecot/lmtp')

Mlocal,		P=[IPC], F=lsDFMAw5:/|@qPSXmnz9, S=EnvFromSMTP/HdrFromL, R=EnvToL/HdrToL,
		T=DNS/RFC822/SMTP,
		A=FILE /var/run/dovecot/lmtp

The use of forwarding, aliases or the virtuser table might strip the detail; 
you need to explicitly preserve the +detail with those. Retry with a 
recipient without any rewriting and from the local host.


echo TEST | sendmail -v recpient+det...@yourdomain.tld

Received: from ux-2s11.inf.fh-bonn-rhein-sieg.de
	by ux-2s11.inf.fh-bonn-rhein-sieg.de (Dovecot) with LMTP id aC4NEHRMzlK7dgAALie3fw
	for ; Thu, 09 Jan 2014 08:15:00 +0100



I'm not using any aliases or virtuser table in my tests, yet my sendmail DOES 
NOT pass +detail to LMTP:


$ echo TEST | sendmail -v gcr+det...@badger.tharned.org


try
sendmail -bv -d60.5 -d27.2 -d21.12  gcr+det...@badger.tharned.org

-d60.5 - trace map lookups
-d27.2 - traces processing of aliases and forwards
-d21.12 - trace R line processing

IMHO: If all map lookups return NOTFOUND, the detail is preserved, 
otherwise it is the duty of the map to preserve the detail.


-- 
Steffen Kaiser

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEVAwUBUs+gEF3r2wJMiz2NAQJIlAf/QACnGp0vP2xqyCrt9KV4KUdEFrmEGZvg
XaKIsY5CtTL3y8UM9iA5YCDTICe3/Gh8vz2G2OBF0zMwSXMiMFuCW6AXQ+YX+S7o
73WyGNmq/omom9uS8D64tbaSXu2BiywMYkg40yr9XyRnWG3MgTRJaighBCtBzQFN
wUeL978qol1Z1cGUqcuTry/sVJni2M4thfP+DTlcwK6+xNqrhOB2VdHFhQurDOPq
Ib/obPjVYDD3rhjzFpMsJK+M8IxJo4uJecURSOvgEri94iegMqo2fEoew4129SZr
fiQniB0CCuOXpic9QKg9lYI3hTujnCBIhMjEFCgYsu+UGmQf9ykxVA==
=eT4A
-----END PGP SIGNATURE-----


Re: [Dovecot] imap auto create mailbox: we're not in group 8(mail)

2014-01-09 Thread Joseph Tam

Adrian Zaugg writes:


How can I configure the auto create mailbox feature that it works and
let run LMTP and IMAP process as user %u and group mail and let create
the mailboxes in /var/mail as (example user tester) with the following
permissions:

/var/mail:

drwxrwx--x  root    mail    3072 Dec 18 01:43 .
drwx------  tester  tester  1024 Jan 09 12:53 tester


This is probably what you need:

# Group to enable temporarily for privileged operations. Currently this is
# used only with INBOX when either its initial creation or dotlocking fails.
# Typically this is set to "mail" to give access to /var/mail.
mail_privileged_group = mail


...or do I need a different approach?


You could also

chmod 1777 /var/mail

but this will allow arbitrary users who have filesystem access to create
their own files here, and maybe DoS a new user from being created (or
maybe even anticipate a new mailbox, create one with mode 0777 and
wait to intercept mail?).

Joseph Tam 


Re: [Dovecot] Dovecot LMTP does not pass envelope recipient +detail to sieve

2014-01-09 Thread Greg Rivers

On Thu, 9 Jan 2014, Steffen Kaiser wrote:

On Tue, 7 Jan 2014, Greg Rivers wrote:


[snip]

So for the archives, to get sieve's "envelope :detail ..." working with 
sendmail and dovecot LMTP, do the following:


1) Add "lda_original_recipient_header = X-Original-To" to 15-lda.conf

2) Add the following rule to sendmail.mc to add a X-Original-To: header to 
every message:


LOCAL_CONFIG
H?${u}?X-Original-To: $u


First: This won't work if the message has two or more recipients; $u is 
empty then.




Right.  Miquel van Smoorenburg pointed that out too earlier in this thread.


Do you serialize messages per recipient?



Yes, to mitigate this issue, I plan to enforce one recipient per LMTP 
session with: define(`LOCAL_MAILER_MAXMSGS', `1').  This will result in 
adding "m=1" to the local mailer definition.


But I'd really rather have +detail passed via LMTP.


Second: My Debian sendmail v8.14.4 does pass +detail to LMTP.

Mlocal,		P=[IPC], F=lsDFMAw5:/|@qPSXnz9, S=EnvFromSMTP/HdrFromL, R=EnvToL/HdrToL,
		T=DNS/RFC822/SMTP,
		A=FILE /var/run/dovecot2.2/lmtp

looks like just:

FEATURE(`local_lmtp',`[IPC]',`FILE /var/run/dovecot2.2/lmtp')dnl

of my mc-file effects it.



Now this is a really useful data point!  I have exactly the same
configuration on FreeBSD running sendmail v8.14.7:

FEATURE(`local_lmtp',`[IPC]',`FILE /var/run/dovecot/lmtp')

Mlocal,		P=[IPC], F=lsDFMAw5:/|@qPSXmnz9, S=EnvFromSMTP/HdrFromL, R=EnvToL/HdrToL,
		T=DNS/RFC822/SMTP,
		A=FILE /var/run/dovecot/lmtp

The use of forwarding, aliases or the virtuser table might strip the detail; you 
need to explicitly preserve the +detail with those. Retry with a recipient 
without any rewriting and from the local host.


echo TEST | sendmail -v recpient+det...@yourdomain.tld

Received: from ux-2s11.inf.fh-bonn-rhein-sieg.de
	by ux-2s11.inf.fh-bonn-rhein-sieg.de (Dovecot) with LMTP id aC4NEHRMzlK7dgAALie3fw
	for ; Thu, 09 Jan 2014 08:15:00 +0100



I'm not using any aliases or virtuser table in my tests, yet my sendmail 
DOES NOT pass +detail to LMTP:


$ echo TEST | sendmail -v gcr+det...@badger.tharned.org
gcr+det...@badger.tharned.org... Connecting to [127.0.0.1] via relay...
220 badger.tharned.org ESMTP Sendmail 8.14.7/8.14.7; Thu, 9 Jan 2014 16:19:46 -0600 (CST)

EHLO badger.tharned.org

250-badger.tharned.org Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP

VERB

250 2.0.0 Verbose mode

MAIL From: SIZE=5

250 2.1.0 ... Sender ok

RCPT To:
DATA

250 2.1.5 ... Recipient ok
354 Enter mail, end with "." on a line by itself

.

050 ... Connecting to /var/run/dovecot/lmtp via local...
050 220 badger.tharned.org Dovecot ready.
050 >>> LHLO badger.tharned.org
050 250-badger.tharned.org
050 250-8BITMIME
050 250-ENHANCEDSTATUSCODES
050 250 PIPELINING
050 >>> MAIL From:
050 250 2.1.0 OK
050 >>> RCPT To:
050 >>> DATA
050 250 2.1.5 OK
050 354 OK
050 >>> .
050 250 2.0.0  OD97EoIgz1L04QAAwQnkQQ Saved
050 ... Sent
250 2.0.0 s09MJkLK057843 Message accepted for delivery
gcr+det...@badger.tharned.org... Sent (s09MJkLK057843 Message accepted for delivery)
Closing connection to [127.0.0.1]

QUIT

221 2.0.0 badger.tharned.org closing connection


Return-Path: 
Delivered-To: 
Received: from badger.tharned.org
by badger.tharned.org (Dovecot) with LMTP id OD97EoIgz1L04QAAwQnkQQ
for ; Thu, 09 Jan 2014 16:19:46 -0600
Return-Path: 
Received: from badger.tharned.org (localhost [127.0.0.1])
by badger.tharned.org (8.14.7/8.14.7) with ESMTP id s09MJkLK057843
	for ; Thu, 9 Jan 2014 16:19:46 -0600 (CST)
	(envelope-from g...@badger.tharned.org)
Received: by badger.tharned.org (8.14.7/8.14.7/Submit) id s09MJjbI057842
for gcr+det...@badger.tharned.org; Thu, 9 Jan 2014 16:19:45 -0600 (CST)
(envelope-from gcr)
Date: Thu, 9 Jan 2014 16:19:45 -0600 (CST)
From: Greg Rivers 
Message-Id: <201401092219.s09mjjbi057...@badger.tharned.org>
To: undisclosed-recipients:;

TEST


So I clearly have a sendmail problem.  Maybe there's been a regression in 
sendmail since 8.14.4, or there's some other platform specific issue. 
This gives me something to go on; thanks a lot for your feedback!


--
Greg Rivers
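To make the two recipient sources in this thread concrete, here is an added example (not code from Dovecot, Pigeonhole or sendmail) that models what Sieve's envelope :detail "to" test ends up comparing against after an LMTP delivery: first with only the LMTP RCPT TO address (the +detail stripped, as in the FreeBSD trace above), then with lda_original_recipient_header pointing at the X-Original-To header that the H?${u}? rule adds, and finally the multi-recipient case where $u is empty and no header is written. Assumptions, not taken from the page: Dovecot's default recipient_delimiter "+", splitting the local part at its first delimiter, a fallback to the RCPT TO address when the configured header is absent, and the made-up addresses and host in the constructed sample message.

```python
"""What Sieve's  envelope :detail "to"  sees after a Dovecot LMTP delivery.

Added example, not code from Dovecot, Pigeonhole or sendmail. It models the
two recipient sources the thread discusses: the LMTP RCPT TO address and the
header named by lda_original_recipient_header. Assumptions: Dovecot's default
recipient_delimiter "+", the local part is split at its first delimiter, and
a missing original-recipient header falls back to the RCPT TO address.
"""
from email import message_from_string
from email.utils import parseaddr

RECIPIENT_DELIMITER = "+"   # Dovecot's default; assumed here


def split_subaddress(addr, delimiter=RECIPIENT_DELIMITER):
    """Return (user, detail, domain) the way the Sieve subaddress extension
    (RFC 5233) defines :user and :detail. detail is None when the local
    part carries no delimiter; this example splits at the first one."""
    local, at, domain = addr.rpartition("@")
    if not at:                          # bare local part without a domain
        local, domain = addr, ""
    user, found, detail = local.partition(delimiter)
    return user, (detail if found else None), domain


def sieve_envelope_to(lmtp_rcpt, raw_message, original_recipient_header=None):
    """Address the Sieve  envelope "to"  test is evaluated against.

    Without lda_original_recipient_header the LMTP RCPT TO address is used.
    With it set, the address is read from that header when present; when the
    header is absent this example falls back to RCPT TO (assumption). The
    absent case is exactly the multi-recipient delivery in the thread, where
    sendmail's $u is empty and the H?${u}? header is not added."""
    if original_recipient_header:
        msg = message_from_string(raw_message)
        value = msg.get(original_recipient_header)
        if value:
            _, addr = parseaddr(value)
            if addr:
                return addr
    return lmtp_rcpt


def envelope_detail(lmtp_rcpt, raw_message, original_recipient_header=None):
    """Value that  envelope :detail "to"  would compare against (None if
    the +detail never reached Dovecot)."""
    rcpt = sieve_envelope_to(lmtp_rcpt, raw_message, original_recipient_header)
    return split_subaddress(rcpt)[1]


def file_by_detail(lmtp_rcpt, raw_message, original_recipient_header=None):
    """Simulates a script doing
        if envelope :detail :is "to" "lists" { fileinto "Lists"; }
    with everything else falling through to INBOX."""
    detail = envelope_detail(lmtp_rcpt, raw_message, original_recipient_header)
    return "Lists" if detail == "lists" else "INBOX"


# Constructed sample (addresses and host are made up): sendmail handed LMTP
# the RCPT TO without +lists, as in the FreeBSD trace, but the H?${u}? rule
# added X-Original-To because this was a single-recipient delivery.
LMTP_RCPT = "gcr@mail.example.net"
SINGLE_RCPT_MSG = (
    "Return-Path: <sender@example.org>\r\n"
    "X-Original-To: gcr+lists@mail.example.net\r\n"
    "Delivered-To: gcr@mail.example.net\r\n"
    "From: sender@example.org\r\n"
    "Subject: test\r\n"
    "\r\n"
    "TEST\r\n"
)
# Two-recipient delivery: $u was empty, so no X-Original-To at all.
MULTI_RCPT_MSG = SINGLE_RCPT_MSG.replace(
    "X-Original-To: gcr+lists@mail.example.net\r\n", "")

if __name__ == "__main__":
    for name, msg in (("single", SINGLE_RCPT_MSG), ("multi", MULTI_RCPT_MSG)):
        print(name, "rcpt only     ->", file_by_detail(LMTP_RCPT, msg))
        print(name, "X-Original-To ->",
              file_by_detail(LMTP_RCPT, msg, "X-Original-To"))
```

Run it and the single-recipient message only lands in "Lists" once the header is consulted, while the two-recipient message falls back to INBOX either way, which is the gap the m=1 workaround in this thread is meant to close.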


Re: [Dovecot] LDA quota rejection

2014-01-09 Thread Eliezer Croitoru

Basic mail systems do need this option.
We are not talking about plain mail.
Once a message was dropped or was not delivered, there is a need to know 
that it was not sent or received.
While some will separate internal mail from external, that is their 
preference, but once I send an email to a company I would like to know 
that my system and their system are working properly.
In a case where the company does not want to reveal its computing 
resources to the outer world, it's a matter of security and other 
policies rather than basic email policies.


I do remember that with real mail, once the recipient box did not get the 
mail, it was sent back to the original sender, as this service was paid 
for.


Eliezer

On 22/09/13 06:16, Noel Butler wrote:

Dovecot should never generate a message to send to the sender; this is
classified as backscatter.
Your MTA should get the quota answer from dovecot when the sender
connects and tries to mail, and fail it then; it is the MTA (maillog file)
you need to look at to see why your MTA is not tempfailing the
connection.




Re: [Dovecot] imap auto create mailbox: we're not in group 8(mail)

2014-01-09 Thread Adrian Zaugg

Hi Steffen

On 09.01.14 13:36, Steffen Kaiser wrote:
> The error says it all.
Almost ...


If I understand you correctly, I can choose one of the three options you
presented to me, right? If so,
3) I did until now.
2) no way.
To 1):
I now set
mail_privileged_group = mail

drwxrwx--x  94 root  mail  3072 Dec 18 01:43 /var/mail

But I still get the same error. The LMTP and the IMAP process do still
get executed under group %u, when they try to create the mailbox. What's
wrong?

Thank you for your help!

Best regards, Adrian.

> 
> 1) See:
> # Group to enable temporarily for privileged operations. Currently this is
> # used only with INBOX when either its initial creation or dotlocking fails.
> # Typically this is set to "mail" to give access to /var/mail.
> #mail_privileged_group =
> 
> # Grant access to these supplementary groups for mail processes. Typically
> # these are used to set up access to shared mailboxes. Note that it may be
> # dangerous to set these if users can create symlinks (e.g. if "mail" group is
> # set here, ln -s /var/mail ~/mail/var could allow a user to delete others'
> # mailboxes, or ln -s /secret/shared/box ~/mail/mybox would allow reading it).
> #mail_access_groups =
> 
> 2) chmod 1777 /var/mail
> 
> 3) pre-create your user dirs



Re: [Dovecot] imap auto create mailbox: we're not in group 8(mail)

2014-01-09 Thread Steffen Kaiser

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 9 Jan 2014, Adrian Zaugg wrote:


Somehow I don't understand the intended work flow to have new mailboxes
auto created. On login of a new user with no mailbox, I get

2014-01-09 12:53:06 imap(tester): Error: user tester: Initialization
failed: Namespace '': mkdir(/var/mail/tester) failed: Permission denied
(euid=1016(tester) egid=1016(tester) missing +w perm: /var/mail, we're
not in group 8(mail), dir owned by 0:8 mode=0771)


The error says it all.

1) See:
# Group to enable temporarily for privileged operations. Currently this is
# used only with INBOX when either its initial creation or dotlocking fails.
# Typically this is set to "mail" to give access to /var/mail.
#mail_privileged_group =

# Grant access to these supplementary groups for mail processes. Typically
# these are used to set up access to shared mailboxes. Note that it may be
# dangerous to set these if users can create symlinks (e.g. if "mail" group is
# set here, ln -s /var/mail ~/mail/var could allow a user to delete others'
# mailboxes, or ln -s /secret/shared/box ~/mail/mybox would allow reading it).
#mail_access_groups =

2) chmod 1777 /var/mail

3) pre-create your user dirs

-- 
Steffen Kaiser

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEVAwUBUs6X0F3r2wJMiz2NAQJpBQf/QKVG5bMRpWC6U2X+IhTzN+QjIAonsVuY
KMyyDkFSvDAr+8eBqek7/H/ijUhyaTQZsbZ7ftYYIqQs5ZgFSZNURhbcuJLd8Y6+
OwXX1uCshQg63hYUpsfJsQiAoQ6vxdw2wFgLFUGjASBcXtiI9BtzLObOZMgfhCzT
pqsMOWoIjM9BBQt/u5r4JM/3LJccFnVP4yAn8Wmq73Yu3ozw5L+9eMGjm/NnpT3B
62wuhgqY9p3GxenWvnHN/BgfYsWNrBN9E2AKlDmFainUC7lNZD8YeB64oj0KWxz5
tlQiEKia5xMB2WsUPpEhOHOYTfh7vq0Qm0Sxw3DdhWIZnr/DVru84A==
=Z2z1
-----END PGP SIGNATURE-----


[Dovecot] imap auto create mailbox: we're not in group 8(mail)

2014-01-09 Thread Adrian Zaugg

Dear List

Somehow I don't understand the intended work flow to have new mailboxes
auto created. On login of a new user with no mailbox, I get

2014-01-09 12:53:06 imap(tester): Error: user tester: Initialization
failed: Namespace '': mkdir(/var/mail/tester) failed: Permission denied
(euid=1016(tester) egid=1016(tester) missing +w perm: /var/mail, we're
not in group 8(mail), dir owned by 0:8 mode=0771)

The imap process runs as the user the login performed and thus it has
only the privileges of that user. This is good and desired, when a
mailbox already exists. I do not want to allow all users to write to
/var/mail, only they should write to their dirs inside /var/mail.

Same story for LMTP, if no mailbox exists yet:
2014-01-09 13:01:47 lmtp(20416, tester): Error: user tester:
Initialization failed: Namespace '': mkdir(/var/mail/tester) failed:
Permission denied (euid=1016(tester) egid=1016(tester) missing +w perm:
/var/mail, we're not in group 8(mail), dir owned by 0:8 mode=0771)

How can I configure the auto create mailbox feature that it works and
let run LMTP and IMAP process as user %u and group mail and let create
the mailboxes in /var/mail as (example user tester) with the following
permissions:

/var/mail:

drwxrwx--x  root    mail    3072 Dec 18 01:43 .
drwx------  tester  tester  1024 Jan 09 12:53 tester


...or do I need a different approach?

Thank you for helping me.

Best regards, Adrian.


My setup:

* Exim delivers to LMTP socket as user %u, group mail
* maildir storage in /var/mail

doveconf -n:

# 2.1.7: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-4-amd64 x86_64 Debian 7.3 ext3
auth_cache_negative_ttl = 0
auth_cache_size = 5 M
auth_cache_ttl = 4 hours
auth_failure_delay = 3 secs
auth_mechanisms = plain login digest-md5 cram-md5 apop rpa
auth_username_format = %n
auth_verbose = yes
auth_worker_max_count = 128
first_valid_gid = 1000
first_valid_uid = 1000
last_valid_gid = 6
last_valid_uid = 6
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
log_path = /var/log/dovecot/dovecot.log
log_timestamp = "%Y-%m-%d %H:%M:%S "
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c %k
mail_location = maildir:/var/mail/./%u/:INDEX=MEMORY
mail_prefetch_count = 1024
maildir_stat_dirs = yes
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric
relational regex imap4flags copy include variables body enotify
environment mailbox date ihave vacation-seconds
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
auto = subscribe
special_use = \Drafts
  }
  mailbox Sent {
auto = subscribe
special_use = \Sent
  }
  mailbox Trash {
auto = subscribe
special_use = \Trash
  }
  prefix =
  type = private
}
passdb {
  args = scheme=SHA512-CRYPT username_format=%u /etc/cram-md5.pwd
  driver = passwd-file
}
plugin {
  sieve = /var/mail/%u/sieve/.dovecot.sieve
  sieve_before = /var/mail/%u/sieve/vacation.sieve
  sieve_dir = /var/mail/%u/sieve
  sieve_extensions = +vacation +vacation-seconds
  sieve_max_actions = 1024
  sieve_vacation_default_period = 12d
  sieve_vacation_max_period = 0
  sieve_vacation_min_period = 1d
}
postmaster_address = postmaster@
protocols = " imap lmtp sieve pop3"
service auth-worker {
  user = $default_login_user
}
service auth {
  group = mail-security
  unix_listener auth-client {
mode = 0660
user = Debian-exim
  }
  unix_listener auth-userdb {
mode = 0666
  }
  user = $default_internal_user
}
service imap-login {
  inet_listener imap {
port = 143
  }
  inet_listener imaps {
port = 993
ssl = yes
  }
  process_min_avail = 5
}
service lmtp {
  process_min_avail = 10
  unix_listener lmtp {
mode = 0666
  }
}
service managesieve-login {
  inet_listener sieve {
port = 4190
  }
  inet_listener sieve_deprecated {
port = 2000
  }
  service_count = 1
  vsz_limit = 64 M
}
service pop3-login {
  inet_listener pop3 {
port = 110
  }
  inet_listener pop3s {
port = 995
ssl = yes
  }
}
service pop3 {
  process_limit = 256
}
ssl_cert =