Re: [Dovecot] mdbox-files over 2 MB

2014-05-05 Thread Stan Hoeppner
On 5/5/2014 2:23 PM, Patrick Domack wrote:
> Quoting Reindl Harald:
> 
>> On 05.05.2014 16:10, Hardy Flor wrote:
>>> Is there really no one with this problem?
>>
>> next time quote the problem instead of demanding
>> that others search the archives for you
> 
> Even searching for him in the archives, I have no idea what he thinks is
> a problem.
> 
> I know I have no issues using mdbox, with 2mb or 50mb rotate sizes.


He's wondering why many of his mdbox files are much smaller than 2 MB.
His original post:


On 3/17/2014 1:29 AM, Hardy Flor wrote:
> Hello,
>
> there are copies of different sizes in 3 mailboxes of the user,
> about 3800 emails in sequence.
> Why aren't they all roughly 2 MB files?
>
> After the big file "m.0034" with 14 MB, very many small ones follow ...
>
> - doveconf:
>
> # 2.2.12: /etc/dovecot/dovecot.conf
> # OS: Linux 3.2.0-4-amd64 x86_64 Debian 7.4 ext4
> mail_attachment_dir = /var/mail/attachments
> mail_attachment_hash = %{md5}
> mail_attachment_min_size = 16 k
> mail_location = mdbox:/var/mail/user/%n
> mdbox_rotate_interval = 1 weeks
> mdbox_rotate_size = 2 M
>
> - directory:
>
> root@xxx:/var/mail/user/xxx/storage# ls -al
> insgesamt 76532
> drwx--S--- 2 vmail mail 4096 Mär 16 13:52 .
> drwx--S--- 6 vmail mail 4096 Mär 16 12:10 ..
> -rw--- 1 vmail mail    74360 Mär 16 12:39 dovecot.map.index
> -rw--- 1 vmail mail    25204 Mär 16 13:52 dovecot.map.index.log
> -rw--- 1 vmail mail    63544 Mär 16 12:39 dovecot.map.index.log.2
> -rw--- 1 vmail mail  2092921 Mär 16 12:15 m.0001
> -rw--- 1 vmail mail  2086746 Mär 16 12:15 m.0002
> -rw--- 1 vmail mail  2084182 Mär 16 12:15 m.0003
> -rw--- 1 vmail mail  2096826 Mär 16 12:15 m.0004
> -rw--- 1 vmail mail  1882666 Mär 16 12:15 m.0005
> -rw--- 1 vmail mail  1903965 Mär 16 12:15 m.0006
> -rw--- 1 vmail mail  2091169 Mär 16 12:15 m.0007
> -rw--- 1 vmail mail  2086396 Mär 16 12:15 m.0008
> -rw--- 1 vmail mail   507205 Mär 16 12:16 m.0009
> -rw--- 1 vmail mail  2031456 Mär 16 12:17 m.0010
> -rw--- 1 vmail mail  2095697 Mär 16 12:17 m.0011
> -rw--- 1 vmail mail  1689071 Mär 16 12:17 m.0012
> -rw--- 1 vmail mail  2092124 Mär 16 12:17 m.0013
> -rw--- 1 vmail mail  1950602 Mär 16 12:17 m.0014
> -rw--- 1 vmail mail  2092215 Mär 16 12:17 m.0015
> -rw--- 1 vmail mail  2087463 Mär 16 12:17 m.0016
> -rw--- 1 vmail mail  2079795 Mär 16 12:17 m.0017
> -rw--- 1 vmail mail  2014121 Mär 16 12:17 m.0018
> -rw--- 1 vmail mail  2081893 Mär 16 12:17 m.0019
> -rw--- 1 vmail mail  2092088 Mär 16 12:17 m.0020
> -rw--- 1 vmail mail  2090508 Mär 16 12:17 m.0021
> -rw--- 1 vmail mail  1929296 Mär 16 12:17 m.0022
> -rw--- 1 vmail mail  2067685 Mär 16 12:17 m.0023
> -rw--- 1 vmail mail  1745743 Mär 16 12:20 m.0024
> -rw--- 1 vmail mail   866452 Mär 16 12:20 m.0025
> -rw--- 1 vmail mail   296379 Mär 16 12:20 m.0026
> -rw--- 1 vmail mail   433541 Mär 16 12:39 m.0027
> -rw--- 1 vmail mail    92526 Mär 16 12:39 m.0028
> -rw--- 1 vmail mail    19094 Mär 16 12:39 m.0029
> -rw--- 1 vmail mail   106837 Mär 16 12:39 m.0030
> -rw--- 1 vmail mail   162012 Mär 16 12:39 m.0031
> -rw--- 1 vmail mail   412080 Mär 16 13:51 m.0032
> -rw--- 1 vmail mail  1715868 Mär 16 13:51 m.0033
> -rw--- 1 vmail mail 14433784 Mär 16 13:51 m.0034
> -rw--- 1 vmail mail     3280 Mär 16 13:51 m.0035
> -rw--- 1 vmail mail     6308 Mär 16 13:51 m.0036
> -rw--- 1 vmail mail   534274 Mär 16 13:51 m.0037
> -rw--- 1 vmail mail   378719 Mär 16 13:51 m.0038
> -rw--- 1 vmail mail   458528 Mär 16 13:51 m.0039
> -rw--- 1 vmail mail   192504 Mär 16 13:51 m.0040
> -rw--- 1 vmail mail  1277766 Mär 16 13:51 m.0041
> -rw--- 1 vmail mail    33417 Mär 16 13:51 m.0042
> -rw--- 1 vmail mail   142866 Mär 16 13:51 m.0043
> -rw--- 1 vmail mail   113529 Mär 16 13:51 m.0044
> -rw--- 1 vmail mail    55888 Mär 16 13:51 m.0045
> -rw--- 1 vmail mail   673504 Mär 16 13:51 m.0046
> -rw--- 1 vmail mail   430738 Mär 16 13:51 m.0047
> -rw--- 1 vmail mail   218494 Mär 16 13:51 m.0048
> -rw--- 1 vmail mail    96165 Mär 16 13:51 m.0049
> -rw--- 1 vmail mail     8370 Mär 16 13:51 m.0050
> -rw--- 1 vmail mail    29251 Mär 16 13:51 m.0051
> -rw--- 1 vmail mail   394680 Mär 16 13:51 m.0052
> -rw--- 1 vmail mail   674892 Mär 16 13:51 m.0053
> -rw--- 1 vmail mail  1076919 Mär 16 13:51 m.0054
> -rw--- 1 vmail mail   258806 Mär 16 13:51 m.0055
> -rw--- 1 vmail mail    60069 Mär 16 13:51 m.0056
> -rw--- 1 vmail mail   297891 Mär 16 13:51 m.0057
> -rw--- 1 vmail mail    92772 Mär 16 13:51 m.0058
> -rw--- 1 vmail mail 

Re: [Dovecot] Broken IMAPS Connects Create Lingering imap-login Processes

2014-05-05 Thread Jochen Bern
Reindl Harald wrote:
> On 05.05.2014 22:13, Jochen Bern wrote:
>> One of the customers has a major networking problem that hasn't been
>> fully analyzed yet. Sniffing his IMAPS connects on the server side, I
>> see [...]
> 
> ask that user to restart his network devices
> 
> i faced it way too often in the last few years that encrypted
> connections were broken on the customer's side and after a restart
> of his crap router all went fine again

Let me put it like this: This one customer's issues have simmered in the
trouble ticket system for quite some time now. It's the possible use of
the same mechanism by someone else *cough*DDoS botnet*cough* that I'm
supposed to find an answer to.

Kind regards,
J. Bern
-- 
*NEW* - NEC IT infrastructure products at :
Server--Storage--Virtualization--Management SW--Passion for Performance
Jochen Bern, Systems Engineer --- LINworks GmbH 
P.O. Box 100121, 64201 Darmstadt | Robert-Koch-Str. 9, 64331 Weiterstadt
PGP (1024D/4096g) FP = D18B 41B1 16C0 11BA 7F8C DCF7 E1D5 FAF4 444E 1C27
Tel. +49 6151 9067-231, switchboard -0, fax -299 - Darmstadt District Court HRB 85202
Registered office Weiterstadt, Managing Directors Metin Dogan, Oliver Michel


Re: [Dovecot] Disable IMAP for ONE user only

2014-05-05 Thread Professa Dementia
On 5/5/2014 3:30 PM, Benjamin Podszun wrote:
> On Monday, May 5, 2014 11:49:52 PM CEST, SIW wrote:
>> I'm beginning to wonder if I am going about this all wrong :-)
> 
> No offense: I'm thinking the same thing. ;-)
> 
>> Would it not be easier/better to leave all IMAP/SMTP access in place
>> (for all users) and then just use "one time throw away passwords" for
>> logging in from an internet cafe with Roundcube?

Have you considered Yubikey?

https://www.yubico.com/products/yubikey-hardware/yubikey/

The USB device looks like a keyboard when plugged in.  Plug it in, type
in your login, highlight the password field, then press the button on
the Yubikey.  It "types" in the OTP.  Click the login button.

It runs on many OSes, including Linux, where it interfaces with PAM.  A
simple PAM config change installs it.

https://www.yubico.com/applications/computer-login/linux/

You can even (and I do recommend that you) use it with two factor, so
you enter a normal password, plus the OTP (something that you know, plus
something that you have).  This would take a small change to Roundcube,
which is beyond scope for this list.


Dem


Re: [Dovecot] Disable IMAP for ONE user only

2014-05-05 Thread Benny Pedersen

SIW wrote on 2014-05-05 18:39:

I use MySQL to store my virtual users passwords and I am running the
latest version of Dovecot.

What I need to do is have one particular user have ONLY access to
their email via Roundcube (webmail) and no IMAP/SMTP access.

Therefore, how do I disable IMAP/SMTP access for just one user?


it's not a Roundcube question

but:

http://wiki2.dovecot.org/Authentication/RestrictAccess

http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/AllowNets

set up that user to have allow_nets 127.0.0.1, which is Roundcube, imho

solved?


Re: [Dovecot] Disable IMAP for ONE user only

2014-05-05 Thread Benjamin Podszun

On Monday, May 5, 2014 11:49:52 PM CEST, SIW wrote:

I'm beginning to wonder if I am going about this all wrong :-)


No offense: I'm thinking the same thing. ;-)

Would it not be easier/better to leave all IMAP/SMTP access in 
place (for all users) and then just use "one time throw away 
passwords" for logging in from an internet cafe with Roundcube?


YES!
Yes, that should be possible. It seems that [1] says that dovecot supports 
OTP and S/Key by default, using PAM would allow you to use more than that 
(i.e. plug in a yubikey or whatever). Obviously moving to PAM might not be 
an option with your virtual users.


Can this be done? So after you login it just deletes the 
password you have logged in with. Can you have one username with 
many (throw away) passwords? But keep one password that is used 
for IMAP/Thunderbird as you don't want that password being 
deleted/removed from the system!


Well, you certainly can have multiple passwords per user as far as I can 
tell: [2] lists ways to do the 'password verification by sql server' and 
that should allow you to have a way to switch between different passwords 
for the same user. That said, that still sounds .. not that nice. The best 
way would be to support two-factor/OTP in dovecot itself and while the 
latter is documented as 'supported' (again, see [1]), the documentation HOW 
that is going to work seems to be missing. [3]


At the moment I'd say your best bet would be to wait for some dovecot 
developers to chime in and help with the OTP or S/Key stuff. Messing with 
the SQL Query is a hack, ugly and .. well: You still leak your password, if 
password/otp is 'Roundcube only'.


On a sidenote: This guy [4] isn't you, is it? Seems like someone's 
evaluating the same thing (with the same threat model) just now.


Ben

1: http://wiki2.dovecot.org/Authentication/Mechanisms
2: http://wiki2.dovecot.org/AuthDatabase/SQL
3: And boy is searching the wiki evil and .. unintuitive..
4: https://forums.freebsd.org/viewtopic.php?f=43&t=45341


Re: [Dovecot] Disable IMAP for ONE user only

2014-05-05 Thread SIW

I'm beginning to wonder if I am going about this all wrong :-)

Would it not be easier/better to leave all IMAP/SMTP access in place 
(for all users) and then just use "one time throw away passwords" for 
logging in from an internet cafe with Roundcube?


Can this be done? So after you login it just deletes the password you 
have logged in with. Can you have one username with many (throw away) 
passwords? But keep one password that is used for IMAP/Thunderbird as 
you don't want that password being deleted/removed from the system!




Re: [Dovecot] Disable IMAP for ONE user only

2014-05-05 Thread Rick Romero

Duh.  'ONE user only' would be the clue.  So your query would be like:
SELECT email AS user, IF('%r' = '127.0.0.1' AND email = 'yourloginname',
password, imap_password) AS password FROM virtual_users WHERE email='%u';

Also, test! And Google!   I'm throwing this out off the top of my
head..  I think the double == was wrong.

The best way to test this is to just replace the %u with your username and %r
with either 127.0.0.1 or anything else on the MySQL command line and make
sure what's returned is the password you're expecting.

Rick
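
An added example, not from any of the posts in this thread, that turns the two approaches discussed here, Rick's second password column keyed on the client IP and Benny's allow_nets restriction, into valid MySQL for the virtual_users(email, password) table from the Linode guide. The account names and the hash are placeholders; the SELECT statements are what goes into password_query in dovecot-sql.conf.ext, where Dovecot expands %u and %r before running them.

```sql
-- Added example, not from the list posts. Assumes the Linode-style table
-- virtual_users(email, password) and that Roundcube runs on the same box,
-- so its IMAP logins reach Dovecot from the loopback address.
-- 'siw@example.com', 'webonly@example.com' and the hash are placeholders.

-- 1. Rick's approach: a second credential that only real IMAP clients use.
ALTER TABLE virtual_users ADD COLUMN imap_password VARCHAR(255) NULL;

-- Store it hashed like the existing column (e.g. the output of
-- `doveadm pw -s SHA512-CRYPT`), never as clear text.
UPDATE virtual_users
   SET imap_password = '{SHA512-CRYPT}$6$placeholder'
 WHERE email = 'siw@example.com';

-- password_query. MySQL has no '==' and '&' is a bitwise operator, so the
-- test uses '=' and AND. The condition is keyed on the restricted account
-- first, so every other user keeps getting their normal `password`
-- (an IF() that returns imap_password for everyone else hands them NULL).
-- '::1' is included because Roundcube may reach "localhost" over IPv6.
-- Dovecot replaces %u with the login name and %r with the client IP.
SELECT email AS user,
       IF(email = 'siw@example.com' AND '%r' NOT IN ('127.0.0.1', '::1'),
          imap_password, password) AS password
  FROM virtual_users
 WHERE email = '%u';

-- Checking it by hand, as Rick advises: substitute what Dovecot would expand.
-- Webmail on the same host -> the `password` column must come back:
SELECT IF(email = 'siw@example.com' AND '127.0.0.1' NOT IN ('127.0.0.1', '::1'),
          imap_password, password) AS password
  FROM virtual_users WHERE email = 'siw@example.com';
-- Any other source address -> `imap_password` must come back:
SELECT IF(email = 'siw@example.com' AND '203.0.113.7' NOT IN ('127.0.0.1', '::1'),
          imap_password, password) AS password
  FROM virtual_users WHERE email = 'siw@example.com';
-- A different user from outside -> still that user's own `password`:
SELECT IF(email = 'siw@example.com' AND '203.0.113.7' NOT IN ('127.0.0.1', '::1'),
          imap_password, password) AS password
  FROM virtual_users WHERE email = 'other@example.com';

-- 2. Benny's approach: one password, but Dovecot refuses that account from
-- anywhere except the webmail host. allow_nets is a passdb extra field;
-- returning it as a column of password_query is all Dovecot needs, and it
-- skips extra-field columns that are NULL, so other users stay unrestricted.
SELECT email AS user,
       password,
       IF(email = 'webonly@example.com', '127.0.0.1/32', NULL) AS allow_nets
  FROM virtual_users
 WHERE email = '%u';
```

If Roundcube lives on another machine, replace the loopback addresses with that server's IP (Dementia's point). As Ben notes, the webmail password in approach 1 is still a static secret: this stops the IMAP reuse SIW describes but is not a one-time password.
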



Re: [Dovecot] Disable IMAP for ONE user only

2014-05-05 Thread SIW

Thanks Rick!

I have a handful of users on the server but I am the only one requiring 
secure access to my mail while travelling. Everything is installed on 
one box. I will give your recommendation a try, so thank you for that.


One option I was thinking about as well: is it possible to use "throw 
away one time passwords" with my setup? As described here:


http://blog.kevinvandervlist.nl/projects/roundcube-static-otp/

It would be *perfect* if I could access my mail "normally" from an IMAP 
client (Thunderbird/K9) using a strong password and then use an OTP 
(using Google's Authenticator) with a "throw away password" that can ONLY 
be used once!


This would allow me to login at an internet cafe with a throw away 
password and not care if it's being recorded as it could only be used 
once anyway and couldn't be used with IMAP. Is this a possibility?


I'm just trying to consider all the ideas :-)



Re: [Dovecot] Disable IMAP for ONE user only

2014-05-05 Thread Rick Romero

 You don't need vpopmail - that's just an example.  It has its own table
structure.

Are you the only user - I missed that part of the question.  If so, ignore
the 'Bit Operator' part, you won't need it.  That's to allow different
types of access per user (and makes the query that much more complex).

Change your user table structure and add a 2nd password field named
'imap_password', then change your Dovecot query SQL to the below:

SELECT email as user, if(%r == '127.0.0.1', password,imap_password) as
password FROM virtual_users WHERE email='%u';

That will return the contents of 'password' when you use webmail (assuming
it's all installed on one box), and 'imap_password' when you connect from
any other system. 

If you're unfamiliar with modifying MySQL tables, install phpmyadmin (and
lock it down) or another visual MySQL client.

If there are multiple users, you'll need to either change the query to just
match your username or add another field to do a bit check and make the
query more complex... :)

Rick



Re: [Dovecot] Disable IMAP for ONE user only

2014-05-05 Thread SIW

Hi Rick

I really appreciate your response!

Unfortunately my SQL is, how can we say, very basic. I built my server 
using the Linode guide at:


https://library.linode.com/email/postfix/postfix2.9.6-dovecot2.0.19-mysql

Currently my password query looks as follows:

password_query = SELECT email as user, password FROM virtual_users WHERE 
email='%u';


I'm not familiar with VPopMail, would I need it in this situation? 
Currently I use Postfix/Dovecot/MySQL/Apache/Roundcube.






Re: [Dovecot] Disable IMAP for ONE user only

2014-05-05 Thread Rick Romero

 Quoting Professa Dementia :


On 5/5/2014 1:05 PM, SIW wrote:

That's a good point.

If I block IMAP/SMTP access to ONE user does that mean that particular
user can't use Roundcube anymore?


That is correct.  If you block IMAP, then webmail will not work.
 


Not necessarily. 

From:
http://wiki2.dovecot.org/AuthDatabase/VPopMail

"logically this means: show password for user=%n at domain=%d when imap on
the account is not disabled and connection is not coming from localhost
when webmail access on the account is not disabled and if imap for the
domain is not disabled and (connection is not coming from localhost when
webmail access for the domain is not disabled) when vlimits are not
overridden on the account "
#
password_query = select pw_passwd as password FROM vpopmail LEFT JOIN
limits ON vpopmail.pw_domain=limits.domain WHERE pw_name='%n' and
pw_domain='%d' and !(pw_gid & 8) and ('%r'!='127.0.0.1' or !(pw_gid & 4))
and ( ('%r'!='127.0.0.1' or COALESCE(disable_webmail,0)!=1) and
COALESCE(disable_imap,0)!=1 or (pw_gid & 8192) );

So construct your SQL query in a way that your bit field in MySQL disables
all access for a single user except when the source IP is your webmail
server.

If you want multiple passwords, you can modify the password_query with iif
statements based on the source IP or protocol. 

Like:
SELECT IF('%r' = '127.0.0.1' AND pw_name = 'yourname' AND pw_domain = 'yourdomain',
          pw_webmailpasswrd, pw_passwd) AS password
  FROM vpopmail WHERE pw_name = '%n' AND pw_domain = '%d';
Of course that's specific to the vpopmail table... modify as needed for
your own table structure...

Rick


[Dovecot] Broken IMAPS Connects Create Lingering imap-login Processes

2014-05-05 Thread Jochen Bern
Hello everyone,

we are running a central server (CentOS 6.5, dovecot-2.0.9-7.el6 with a
small patch to disable the IMAP CREATE command, and
openssl-1.0.1e-16.el6_5.7) and distribute standard client software to
customer sites.

The clients do IMAPS connects in regular intervals (no IDLE, no
lingering logins) and authenticate with certs issued by a dedicated PKI
("auth_ssl_username_from_cert = yes" and a static global password).

One of the customers has a major networking problem that hasn't been
fully analyzed yet. Sniffing his IMAPS connects on the server side, I
see no (necessarily fragmented) TLSv1 Client Cert + Key Exchange happen;
instead, after ~60s, we receive a single packet with "TLSv1 Certificate
Verify, Change Cipher Spec, Encrypted Handshake Message" *and* the TCP
FIN+PSH+ACK flags set.

The problem I'd like to ask for help with here is that dovecot's
imap-login process doesn't terminate when the FIN is received, or when
the IMAP protocol's inactivity timeout is reached, it takes *more than
two hours* for it to go away. Because of that, this single client racks
up 1100+ processes (counting against dovecot's configured limits), TCP
connections, and the associated RAM usage.

(Since the client cert is obviously never received, the default
mail_max_userip_connections of 10 doesn't come into play, either.)

Is there any way - short of hexing a negative feedback loop straight
into the iptables - to prevent this kind of buildup?

Kind regards,
J. Bern

> [root ~]# date ; ps auwwwx --forest | grep -A 12 '/dove[c]ot'
> Mo 5. Mai 21:45:39 CEST 2014
> root     25297  0.8  0.0  19568   824 ?        Ss   Apr30  64:44 /usr/sbin/dovecot
> dovecot  25299  0.1  0.1  17996  5828 ?        S    Apr30  11:52  \_ dovecot/anvil [1147 connections]
> root     25300  0.1  0.0  13388  1220 ?        S    Apr30   8:07  \_ dovecot/log
> root     25301  0.0  0.0  39596  1564 ?        S    Apr30   2:21  \_ dovecot/ssl-params
> dovecot  25304  0.3  0.0  78384  3552 ?        S    Apr30  22:13  \_ dovecot/auth [0 wait, 0 passdb, 0 userdb]
> root     13161  0.3  0.3  25236 13352 ?        S    May04   7:11  \_ dovecot/config
> root     18384  0.2  0.2  20080  8200 ?        S    08:20   1:37  \_ dovecot/config
[... long-running IMAP login by the operators ...]
> dovenull 12064  0.0  0.0  42440  3656 ?        S    19:32   0:00  \_ dovecot/imap-login [1 connections (1 TLS)]
> dovenull 12441  0.0  0.0  42440  3656 ?        S    19:32   0:00  \_ dovecot/imap-login [1 connections (1 TLS)]
> dovenull 12495  0.0  0.0  42440  3656 ?        S    19:32   0:00  \_ dovecot/imap-login [1 connections (1 TLS)]
> dovenull 12496  0.0  0.0  42440  3652 ?        S    19:32   0:00  \_ dovecot/imap-login [1 connections (1 TLS)]


> [root ~]# doveconf -n
> # 2.0.9: /etc/dovecot/dovecot.conf
> # OS: Linux 2.6.32-431.3.1.el6.x86_64 x86_64 CentOS release 6.5 (Final)
> auth_ssl_require_client_cert = yes
> auth_ssl_username_from_cert = yes
> listen = [...]
> login_greeting = [...]
> mail_location = maildir:~
> mail_log_prefix = "%s(%u)[%p]: "
> mbox_write_locks = fcntl
> passdb {
>   args = password=[...]
>   driver = static
> }
> plugin {
>   mail_log_events = delete undelete expunge
>   mail_log_fields = uid msgid size vsize flags
> }
> protocols = imap
> service anvil {
>   client_limit = 3605
> }
> service auth {
>   client_limit = 7000
> }
> service imap-login {
>   process_limit = 3500
> }
> service imap {
>   process_limit = 3500
> }
> ssl = required
> ssl_ca = 
> ssl_cert = 
> ssl_key = 
> ssl_verify_client_cert = yes
> userdb {
>   args = uid=mandanten gid=mandanten home=/[...]/%Ld_[...]/%Ln
>   driver = static
> }
> verbose_proctitle = yes
> protocol imap {
>   mail_plugins = " mail_log notify"
> }


Re: [Dovecot] Disable IMAP for ONE user only

2014-05-05 Thread SIW

I'm glad you asked. Here's the challenge:

When I travel overseas I sometimes need to use a computer at an internet 
cafe to access my email via a browser. I use Google's Authenticator to 
generate an OTP that I use with Roundcube so I have two factor 
authentication. All seems secure right? Wrong. If someone records my 
login credentials on the untrusted internet computer then they can use 
those login credentials to access my email via IMAP (ie: Thunderbird). 
(It's happened before.)


Yes, I know I should use my own trusted device but in some cases that 
just is NOT an option.


Therefore, how can I access my email via a browser that is safe from 
keyloggers at internet cafes? I'm open to all ideas at this point!


What I was originally thinking was having a second copy of my mailbox 
that was updated every hour (from my live mailbox) and that I had a 
separate login to it that ONLY had rights to read/send via Roundcube 
(ie: No access with IMAP clients such as Thunderbird, K9 etc).


I was thinking of using Application Specific Passwords but this doesn't 
solve the issue either as once someone records my login credentials 
they can use them to access IMAP.


Roundcube is secure in all of this... it's IMAP that I am battling with 
securing...




On 05/05/2014 21:13, Professa Dementia wrote:

On 5/5/2014 1:05 PM, SIW wrote:

That's a good point.

If I block IMAP/SMTP access to ONE user does that mean that particular
user can't use Roundcube anymore?

That is correct.  If you block IMAP, then webmail will not work.

Webmail clients are just IMAP proxies.  If the roundcube you want the
user to utilize is running on a specific server, then you can allow IMAP
only from the IP address of that server.

However, usually when I hear an admin wanting to restrict only one user
to some limited access option, it is usually a policy issue and not a
technical one.  Trying to employ a technical solution is usually the
wrong way of doing it.

Why are you trying to limit just this one user?

Dem


Re: [Dovecot] Disable IMAP for ONE user only

2014-05-05 Thread Professa Dementia
On 5/5/2014 1:05 PM, SIW wrote:
> That's a good point.
> 
> If I block IMAP/SMTP access to ONE user does that mean that particular
> user can't use Roundcube anymore?

That is correct.  If you block IMAP, then webmail will not work.

Webmail clients are just IMAP proxies.  If the roundcube you want the
user to utilize is running on a specific server, then you can allow IMAP
only from the IP address of that server.

However, usually when I hear an admin wanting to restrict only one user
to some limited access option, it is usually a policy issue and not a
technical one.  Trying to employ a technical solution is usually the
wrong way of doing it.

Why are you trying to limit just this one user?

Dem


Re: [Dovecot] Broken IMAPS Connects Create Lingering imap-login Processes

2014-05-05 Thread Reindl Harald


On 05.05.2014 22:13, Jochen Bern wrote:
> One of the customers has a major networking problem that hasn't been
> fully analyzed yet. Sniffing his IMAPS connects on the server side, I
> see no (necessarily fragmented) TLSv1 Client Cert + Key Exchange happen;
> instead, after ~60s, we receive a single packet with "TLSv1 Certificate
> Verify, Change Cipher Spec, Encrypted Handshake Message" *and* the TCP
> FIN+PSH+ACK flags set

ask that user to restart his network devices

I have faced it way too often in the last few years that encrypted
connections were broken on the customer's side and after a restart
of his crap router all went fine again





Re: [Dovecot] Disable IMAP for ONE user only

2014-05-05 Thread SIW

That's a good point.

If I block IMAP/SMTP access to ONE user does that mean that particular 
user can't use Roundcube anymore?


I basically want one user to ONLY be able to send/receive/view their 
email in Roundcube and not be able to send/receive/view email from any 
other client (ie: Thunderbird, K9 email on Android, Outlook etc).


On 05/05/2014 19:05, Benjamin Podszun wrote:

I'm confused. Roundcube's using imap, so how are the %s queries helping?
Isn't the real question "How can I limit imap to specific clients/localhost, 
depending on the user"?

On May 5, 2014 6:39:42 PM CEST, SIW  wrote:

I use MySQL to store my virtual users passwords and I am running the
latest version of Dovecot.

What I need to do is have one particular user have ONLY access to their

email via Roundcube (webmail) and no IMAP/SMTP access.

Therefore, how do I disable IMAP/SMTP access for just one user?


Re: [Dovecot] Status of sieve-extdata?

2014-05-05 Thread Stephan Bosch
On 4/29/2014 11:01 AM, Jiri Bourek wrote:
> Hi,
>
> I'd like to ask about the status of the extdata plugin for sieve. The wiki
> page (http://wiki2.dovecot.org/Pigeonhole/Sieve/Plugins/Extdata)
> mentions versions for PigeonHole 0.2 and 0.3, but there seems to be no
> version for 0.4 and Dovecot 2.2.
>
> Is the plugin dead or is it planned to make a version for Dovecot 2.2
> (when time allows I guess)?

It is not dead, but I haven't seen much interest in it either.

Anyway, I quickly made a v0.4 version:

http://hg.rename-it.nl/pigeonhole-0.4-sieve-extdata/

Regards,

Stephan.


Re: [Dovecot] mdbox-files over 2 MB

2014-05-05 Thread Patrick Domack

Quoting Reindl Harald :


On 05.05.2014 16:10, Hardy Flor wrote:

Is there really no one with this problem?


next time quote the problem instead of demanding
that others search the archives for you


Even searching for him in the archives, I have no idea what he thinks  
is a problem.


I know I have no issues using mdbox, with 2mb or 50mb rotate sizes.


Re: [Dovecot] Disable IMAP for ONE user only

2014-05-05 Thread Gedalya

From dovecot.conf:

# Most (but not all) settings can be overridden by different protocols and/or
# source/destination IPs by placing the settings inside sections, for example:
# protocol imap { }, local 127.0.0.1 { }, remote 10.0.0.0/8 { }

So maybe you can even set up an overriding passdb {} inside of a remote 
x.x.x.x/x {}



On 05/05/2014 02:05 PM, Benjamin Podszun wrote:

I'm confused. Roundcube's using imap, so how are the %s queries helping?
Isn't the real question "How can I limit imap to specific clients/localhost, 
depending on the user"?

On May 5, 2014 6:39:42 PM CEST, SIW  wrote:

I use MySQL to store my virtual users passwords and I am running the
latest version of Dovecot.

What I need to do is have one particular user have ONLY access to their

email via Roundcube (webmail) and no IMAP/SMTP access.

Therefore, how do I disable IMAP/SMTP access for just one user?


Re: [Dovecot] Disable IMAP for ONE user only

2014-05-05 Thread Gedalya

http://wiki2.dovecot.org/Variables
see: %r / rip


On 05/05/2014 02:05 PM, Benjamin Podszun wrote:

I'm confused. Roundcube's using imap, so how are the %s queries helping?
Isn't the real question "How can I limit imap to specific clients/localhost, 
depending on the user"?

On May 5, 2014 6:39:42 PM CEST, SIW  wrote:

I use MySQL to store my virtual users passwords and I am running the
latest version of Dovecot.

What I need to do is have one particular user have ONLY access to their

email via Roundcube (webmail) and no IMAP/SMTP access.

Therefore, how do I disable IMAP/SMTP access for just one user?


Re: [Dovecot] Disable IMAP for ONE user only

2014-05-05 Thread Benjamin Podszun
I'm confused. Roundcube's using imap, so how are the %s queries helping?
Isn't the real question "How can I limit imap to specific clients/localhost, 
depending on the user"?

On May 5, 2014 6:39:42 PM CEST, SIW  wrote:
>I use MySQL to store my virtual users passwords and I am running the 
>latest version of Dovecot.
>
>What I need to do is have one particular user have ONLY access to their
>
>email via Roundcube (webmail) and no IMAP/SMTP access.
>
>Therefore, how do I disable IMAP/SMTP access for just one user?

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: [Dovecot] Disable IMAP for ONE user only

2014-05-05 Thread Rick Romero

Quoting Marcin Mirosław :


On 2014-05-05 19:21, Marcin Mirosław wrote:

On 2014-05-05 18:39, SIW wrote:

I use MySQL to store my virtual users passwords and I am running the
latest version of Dovecot.

What I need to do is have one particular user have ONLY access to their
email via Roundcube (webmail) and no IMAP/SMTP access.

Therefore, how do I disable IMAP/SMTP access for just one user?


Hi!
Use the variable %s in the query (http://wiki2.dovecot.org/Variables ). E.g. you
can use a new column in the table, or use CASE in the SELECT statement if you
don't want to change the table schema.


A simpler query could look like: SELECT foo FROM bar WHERE ... AND
('%u' != 'blocked@user' OR '%s' != 'imap')


You can also use Bit Operators directly via SQL - like in vpopmail. 

http://wiki2.dovecot.org/AuthDatabase/VPopMail
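
A worked password_query for dovecot-sql.conf.ext that puts the pieces of this thread together: %s and %r from the Variables page, a CASE expression so only one column has to be added, and the allow_nets extra field. This is an added example, not a query from the thread or from Dovecot's own documentation. It assumes a MySQL table named `users` with columns `email`, `password` and a hypothetical flag `webmail_only`, and that Roundcube talks to Dovecot (IMAP) and Postfix (SMTP AUTH) from 127.0.0.1; the table name, the column names and that address are assumptions to adjust. Dovecot substitutes the %-variables into the query text (with SQL escaping) before the statement is sent, so they have to sit inside SQL quotes. The policy it implements is the one SIW describes: credentials captured on an untrusted machine must not open IMAP or SMTP from anywhere but the webmail host.

```sql
-- password_query for dovecot-sql.conf.ext (example added to this thread,
-- not Dovecot's own and not from the thread). Assumed schema, adjust to yours:
--   CREATE TABLE users (email VARCHAR(255), password VARCHAR(255),
--                       webmail_only TINYINT(1) NOT NULL DEFAULT 0);
-- Assumed: Roundcube logs in to IMAP and submits via SMTP AUTH from 127.0.0.1.
-- Dovecot expands %u (login name), %s (service: imap, pop3, smtp, ...) and
-- %r (client IP) into the query before sending it, so keep them in quotes.

-- Variant 1: the WHERE-clause approach from the thread, with the client IP
-- added. A webmail-only user gets no row ("unknown user") for IMAP, POP3
-- and SMTP AUTH unless the connection comes from the webmail host; other
-- users, and services not in the list, are unaffected.
SELECT email AS user, password
FROM users
WHERE email = '%u'
  AND (webmail_only = 0
       OR '%s' NOT IN ('imap', 'pop3', 'smtp')
       OR '%r' = '127.0.0.1');

-- Variant 2: the same policy through the allow_nets extra field. Dovecot
-- fails the login whenever the client IP is outside the listed networks,
-- whatever the service (Postfix passes the client IP for SMTP AUTH). The
-- CASE yields NULL for everyone else, and the SQL passdb skips NULL
-- columns, so ordinary users keep unrestricted access.
SELECT email AS user, password,
       CASE WHEN webmail_only = 1 THEN '127.0.0.1/32' END AS allow_nets
FROM users
WHERE email = '%u';
```

Only one of the two SELECTs goes into password_query (it holds a single statement). Check the policy before relying on it: `doveadm auth test -x service=imap -x rip=198.51.100.7 user@example.com password` should report "auth failed" for a webmail-only account, and the same command with `-x rip=127.0.0.1` should succeed. With variant 2 a run without any `-x rip=` also fails, because allow_nets cannot pass when the client IP is unknown. The residual risk is unchanged by either query: credentials captured at the internet cafe still open Roundcube itself; what they no longer open is IMAP or SMTP from the attacker's own client.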


Re: [Dovecot] Disable IMAP for ONE user only

2014-05-05 Thread Marcin Mirosław
On 2014-05-05 19:21, Marcin Mirosław wrote:
> On 2014-05-05 18:39, SIW wrote:
>> I use MySQL to store my virtual users passwords and I am running the
>> latest version of Dovecot.
>>
>> What I need to do is have one particular user have ONLY access to their
>> email via Roundcube (webmail) and no IMAP/SMTP access.
>>
>> Therefore, how do I disable IMAP/SMTP access for just one user?
>>
> Hi!
> Use the variable %s in the query (http://wiki2.dovecot.org/Variables ). E.g. you
> can use a new column in the table, or use CASE in the SELECT statement if you
> don't want to change the table schema.

A simpler query could look like: SELECT foo FROM bar WHERE ... AND ('%u'
!= 'blocked@user' OR '%s' != 'imap')


Re: [Dovecot] Disable IMAP for ONE user only

2014-05-05 Thread Marcin Mirosław
On 2014-05-05 18:39, SIW wrote:
> I use MySQL to store my virtual users passwords and I am running the
> latest version of Dovecot.
> 
> What I need to do is have one particular user have ONLY access to their
> email via Roundcube (webmail) and no IMAP/SMTP access.
> 
> Therefore, how do I disable IMAP/SMTP access for just one user?
> 
Hi!
Use the variable %s in the query (http://wiki2.dovecot.org/Variables ). E.g. you
can use a new column in the table, or use CASE in the SELECT statement if you
don't want to change the table schema.
Regards,
Marcin


[Dovecot] Disable IMAP for ONE user only

2014-05-05 Thread SIW
I use MySQL to store my virtual users passwords and I am running the 
latest version of Dovecot.


What I need to do is have one particular user have ONLY access to their 
email via Roundcube (webmail) and no IMAP/SMTP access.


Therefore, how do I disable IMAP/SMTP access for just one user?


Re: [Dovecot] doveadm auth and the "nologin" extra field

2014-05-05 Thread Axel Luttgens

On 5 May 2014 at 15:25, Timo Sirainen wrote:

> Not intentional, and since it can cause confusion I removed it: 
> http://hg.dovecot.org/dovecot-2.2/rev/3a5304b63f88

Hmmm... this one was too easy. ;-)

Once again, many thanks Timo,
Axel


Re: [Dovecot] mdbox-files over 2 MB

2014-05-05 Thread Reindl Harald

On 05.05.2014 16:10, Hardy Flor wrote:
> Is there really no one with this problem?

next time quote the problem instead of demanding
that others search the archives for you





Re: [Dovecot] mdbox-files over 2 MB

2014-05-05 Thread Hardy Flor

Is there really no one with this problem?


Re: [Dovecot] Segfault in dovecot-lda when resolver is unavailable

2014-05-05 Thread Marcin Mirosław
On 05.05.2014 15:14, Timo Sirainen wrote:

Hi Timo, hi all!

> On 24.4.2014, at 0.15, Marcin Mirosław  wrote:
> 
>> Recently I noticed that dovecot-lda throws a segfault when the resolver is
>> unavailable and imapc is configured.
> 
> I can't easily reproduce this.
> 
>> #0  0x02b612afaf72 in _int_free (av=0x2b612e215c0 ,
>> p=0x1b23bfabe0, have_lock=0) at malloc.c:3903
>> #1  0x02b612e96a4e in buffer_free (_buf=_buf@entry=0x1b23bfa948) at
>> buffer.c:144
>> #2  0x02b612ebeca8 in array_free_i (array=0x1b23bfa948) at array.h:108
>> #3  priorityq_deinit (_pq=_pq@entry=0x1b23bfabb0) at priorityq.c:38
>> #4  0x02b612eafa57 in io_loop_destroy
>> (_ioloop=_ioloop@entry=0x395a4da91d0) at ioloop.c:495
> 
> This also looks like some kind of memory corruption, which isn't good. Can 
> you try this with valgrind?
> 
> valgrind /usr/libexec/dovecot/deliver -d mar...@mejor.pl

# valgrind /usr/libexec/dovecot/deliver -d mar...@mejor.pl
==29900== Memcheck, a memory error detector
==29900== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==29900== Using Valgrind-3.9.0 and LibVEX; rerun with -h for copyright info
==29900== Command: /usr/libexec/dovecot/deliver -d mar...@mejor.pl
==29900== 
==29900== Invalid read of size 8
==29900==    at 0x4A8FE89: dns_client_disconnect (in /usr/lib64/dovecot/libdovecot.so.0.0.0)
==29900==    by 0x4A901DC: dns_client_input (in /usr/lib64/dovecot/libdovecot.so.0.0.0)
==29900==    by 0x4AACB15: io_loop_call_io (in /usr/lib64/dovecot/libdovecot.so.0.0.0)
==29900==    by 0x4AADD9E: io_loop_handler_run (in /usr/lib64/dovecot/libdovecot.so.0.0.0)
==29900==    by 0x4AAC4C7: io_loop_run (in /usr/lib64/dovecot/libdovecot.so.0.0.0)
==29900==    by 0x409B1C8: imapc_client_run (in /usr/lib64/dovecot/libdovecot-storage.so.0.0.0)
==29900==    by 0x4093157: imapc_list_try_get_root_sep (in /usr/lib64/dovecot/libdovecot-storage.so.0.0.0)
==29900==    by 0x40931AD: imapc_list_get_hierarchy_sep (in /usr/lib64/dovecot/libdovecot-storage.so.0.0.0)
==29900==    by 0x4091D9E: imapc_list_get_fs_name (in /usr/lib64/dovecot/libdovecot-storage.so.0.0.0)
==29900==    by 0x4092030: imapc_list_get_path (in /usr/lib64/dovecot/libdovecot-storage.so.0.0.0)
==29900==    by 0x40B5784: mailbox_list_get_root_path (in /usr/lib64/dovecot/libdovecot-storage.so.0.0.0)
==29900==    by 0x4163EB4: quota_add_user_namespace (in /usr/lib64/dovecot/lib10_quota_plugin.so)
==29900==  Address 0x516e4c0 is 48 bytes inside a block of size 72 free'd
==29900==    at 0x402A40C: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==29900==    by 0x4A8FD67: dns_lookup_free (in /usr/lib64/dovecot/libdovecot.so.0.0.0)
==29900==    by 0x4A8FE88: dns_client_disconnect (in /usr/lib64/dovecot/libdovecot.so.0.0.0)
==29900==    by 0x4A901DC: dns_client_input (in /usr/lib64/dovecot/libdovecot.so.0.0.0)
==29900==    by 0x4AACB15: io_loop_call_io (in /usr/lib64/dovecot/libdovecot.so.0.0.0)
==29900==    by 0x4AADD9E: io_loop_handler_run (in /usr/lib64/dovecot/libdovecot.so.0.0.0)
==29900==    by 0x4AAC4C7: io_loop_run (in /usr/lib64/dovecot/libdovecot.so.0.0.0)
==29900==    by 0x409B1C8: imapc_client_run (in /usr/lib64/dovecot/libdovecot-storage.so.0.0.0)
==29900==    by 0x4093157: imapc_list_try_get_root_sep (in /usr/lib64/dovecot/libdovecot-storage.so.0.0.0)
==29900==    by 0x40931AD: imapc_list_get_hierarchy_sep (in /usr/lib64/dovecot/libdovecot-storage.so.0.0.0)
==29900==    by 0x4091D9E: imapc_list_get_fs_name (in /usr/lib64/dovecot/libdovecot-storage.so.0.0.0)
==29900==    by 0x4092030: imapc_list_get_path (in /usr/lib64/dovecot/libdovecot-storage.so.0.0.0)
==29900== 
==29900== Invalid read of size 8
==29900==    at 0x4A8FE92: dns_client_disconnect (in /usr/lib64/dovecot/libdovecot.so.0.0.0)
==29900==    by 0x4A901DC: dns_client_input (in /usr/lib64/dovecot/libdovecot.so.0.0.0)
==29900==    by 0x4AACB15: io_loop_call_io (in /usr/lib64/dovecot/libdovecot.so.0.0.0)
==29900==    by 0x4AADD9E: io_loop_handler_run (in /usr/lib64/dovecot/libdovecot.so.0.0.0)
==29900==    by 0x4AAC4C7: io_loop_run (in /usr/lib64/dovecot/libdovecot.so.0.0.0)
==29900==    by 0x409B1C8: imapc_client_run (in /usr/lib64/dovecot/libdovecot-storage.so.0.0.0)
==29900==    by 0x4093157: imapc_list_try_get_root_sep (in /usr/lib64/dovecot/libdovecot-storage.so.0.0.0)
==29900==    by 0x40931AD: imapc_list_get_hierarchy_sep (in /usr/lib64/dovecot/libdovecot-storage.so.0.0.0)
==29900==    by 0x4091D9E: imapc_list_get_fs_name (in /usr/lib64/dovecot/libdovecot-storage.so.0.0.0)
==29900==    by 0x4092030: imapc_list_get_path (in /usr/lib64/dovecot/libdovecot-storage.so.0.0.0)
==29900==    by 0x40B5784: mailbox_list_get_root_path (in /usr/lib64/dovecot/libdovecot-storage.so.0.0.0)
==29900==    by 0x4163EB4: quota_add_user_namespace (in /usr/lib64/dovecot/lib10_quota_plugin.so)
==29900==  Address 0x516e4b8 is 40 bytes inside a block of size 72 free'd
==29900==    at 0x402A40C: free (in /usr/lib64/valgrind/vgpreloa

Re: [Dovecot] doveadm auth and the "nologin" extra field

2014-05-05 Thread Timo Sirainen
Not intentional, and since it can cause confusion I removed it: 
http://hg.dovecot.org/dovecot-2.2/rev/3a5304b63f88

On 18.4.2014, at 10.54, Axel Luttgens  wrote:

> Hello,
> 
> Still busy with details...
> 
> Considering, as in my previous example, a password_query returning '!' or 
> NULL for the "nologin" column, depending on an account's status (suspended or 
> not).
> 
> Let's consider a suspended user "some.user".
> 
> In the case of a successful authentication, one has:
> 
>   sh-3.2# doveadm auth test some.user goodpassword; echo $?
>   passdb: some.user auth succeeded
>   extra fields:
> user=some.user
> nologin
>   0
> 
> On the other hand, in the case of an authentication failure:
> 
>   sh-3.2# doveadm auth test some.user badpassword; echo $?
>   passdb: some.user auth failed
>   extra fields:
> user=some.user
> nologin=!
>   77
> 
> So, this is similar to what happens in a connection (pop3, imap...): when 
> present, the nologin info is always taken into account, even in the case of 
> an authentication failure.
> 
> Again, this may raise some concerns about the consistency of such a behavior.
> Is this guaranteed to always behave that way, because of some rationale I'm 
> currently missing, or does it go about some overlooked combination, liable to 
> be inadvertently "corrected" in the future?
> I haven't been able to find a definitive answer in the wiki or in the code 
> about such matters.
> 
> This is particularly important in the case of doveadm, since its output 
> requires parsing to extract such information (the exit code alone isn't 
> sufficient); should the above behavior be changed without notice, a script 
> could suddenly take the worst decisions...
> 
> BTW, why:
> nologin
> in the first output, and:
> nologin=!
> in the second output?
> 
> 
> TIA,
> Axel


Re: [Dovecot] Segfault in dovecot-lda when resolver is unavailable

2014-05-05 Thread Timo Sirainen
On 24.4.2014, at 0.15, Marcin Mirosław  wrote:

> Recently I noticed that dovecot-lda throws a segfault when the resolver is
> unavailable and imapc is configured.

I can't easily reproduce this.

> #0  0x02b612afaf72 in _int_free (av=0x2b612e215c0 ,
> p=0x1b23bfabe0, have_lock=0) at malloc.c:3903
> #1  0x02b612e96a4e in buffer_free (_buf=_buf@entry=0x1b23bfa948) at
> buffer.c:144
> #2  0x02b612ebeca8 in array_free_i (array=0x1b23bfa948) at array.h:108
> #3  priorityq_deinit (_pq=_pq@entry=0x1b23bfabb0) at priorityq.c:38
> #4  0x02b612eafa57 in io_loop_destroy
> (_ioloop=_ioloop@entry=0x395a4da91d0) at ioloop.c:495

This also looks like some kind of memory corruption, which isn't good. Can you 
try this with valgrind?

valgrind /usr/libexec/dovecot/deliver -d mar...@mejor.pl


Re: [Dovecot] When the subject portion of an e-mail contains a control character, dovecot.sieve terminates unexpectedly.

2014-05-05 Thread Timo Sirainen
On 2.5.2014, at 11.27, Atsuko Tanaka  wrote:

> We have currently set dovecot.sieve to insert the text "[SPAM]" at the
> beginning of an e-mail's subject when its X-Spam-Score is above 80%.
> After we set our system as stated the following errors occur:
> 
> 1) When an e-mail's subject contains control characters like
> [Ctrl+V|^V], dovecot.sieve terminates with an error and an e-mail is not
> able to be sent. When a MIME encoded Subject like [TEST^VMAIL] is sent
> we're not able to edit the subject and dovecot ends with an error.
..
> Aside from [Ctrl + V] the following control characters also cause errors:
> backspace
> Ctrl + A
> Ctrl + C
> Ctrl + [
> Ctrl + X
> Ctrl + Y
> 
> 2) When an e-mail's subject line contains a "\0" character, everything
> following the null character is deleted.

Is there a reason why mails contain these kind of control characters? Is it 
commonly used? And is it OK if Dovecot translates them to UTF-8 for the 
rewritten header, or would the subject have to stay ISO-2022-JP encoded?


Re: [Dovecot] %{orig_user} missing in checkpassword-Script

2014-05-05 Thread Timo Sirainen
OK, added: http://hg.dovecot.org/dovecot-2.2/rev/1e099feb1dea

On 3.5.2014, at 15.32, dovecot.pk...@dfgh.net wrote:

> Dear dovecot maintainers:
> 
> I'm using SSL client certificates together with a checkpassword scripts
> to authenticate our users.
> 
> My problem is: In the checkpassword script the AUTH_USER environment
> variable will either contain the username that was configured in the
> mailclient (if auth_ssl_username_from_cert=false) or the username
> from the certificate (if auth_ssl_username_from_cert=true).
> 
> I would like to compare both values, i.e. the %{user} Dovecot-variable
> and the %{orig_user} Dovecot-variable. But the environment of a
> checkpassword-script has only one of them.
> 
> I tried myself and found the following:
> - the environment of a checkpassword script is setup by
> checkpassword_setup_env() in db-checkpassword.c
> - checkpassword_setup_env() calls env_put_auth_vars()
> - env_put_auth_vars() creates AUTH_xxx environment variables for all
> entries of the auth_request_get_var_expand_table()
> - the auth_request_get_var_expand_table_full() routine does not contain the
> original user, but the auth_request-struct does.
> 
> So I changed the dovecot sourcecode (version 2.2.12) as follows
> 
> In src/auth/auth-request.h line 152 I replaced
> #define AUTH_REQUEST_VAR_TAB_COUNT 27
> by
> #define AUTH_REQUEST_VAR_TAB_COUNT 30
> 
> In src/auth/auth-request.c around line 2027 I replaced the
> following lines at the end of auth_request_var_expand_static_tab
> 
>{ '\0', NULL, "session_pid" },
>/* be sure to update AUTH_REQUEST_VAR_TAB_COUNT */
>{ '\0', NULL, NULL }
> };
> 
> by
> 
>{ '\0', NULL, "session_pid" },
>{ '\0', NULL, "orig_user" },
>{ '\0', NULL, "orig_username" },
>{ '\0', NULL, "orig_domain" },
>/* be sure to update AUTH_REQUEST_VAR_TAB_COUNT */
>{ '\0', NULL, NULL }
> };
> 
> In src/auth/auth-request.c around line 2116 I replaced the
> following lines at the end of function
> auth_request_get_var_expand_table_full()
> 
>tab[26].value = auth_request->session_pid == (pid_t)-1 ? NULL :
>dec2str(auth_request->session_pid);
>return ret_tab;
> 
> by
> 
>tab[26].value = auth_request->session_pid == (pid_t)-1 ? NULL :
>dec2str(auth_request->session_pid);
>if (auth_request->original_username != NULL) {
>tab[27].value =
> escape_func(auth_request->original_username, auth_request);
>tab[28].value =
> escape_func(t_strcut(auth_request->original_username, '@'), auth_request);
>tab[29].value = strchr(auth_request->original_username,
> '@');
>if (tab[29].value != NULL) {
>tab[29].value = escape_func(tab[29].value+1,
> auth_request);
>}
>}
>return ret_tab;
> 
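Review bot: the new values are written through hard-coded indices tab[27], tab[28] and tab[29], which line up with the "orig_user", "orig_username" and "orig_domain" rows only because those rows are appended directly after "session_pid" at tab[26]; any row inserted earlier in auth_request_var_expand_static_tab would silently move all three values under the wrong keys, and the bump of AUTH_REQUEST_VAR_TAB_COUNT from 27 to 30 has to be kept in step by hand. Consider deriving the indices from a named constant (or an enum of table positions) and asserting against the table size, so a mismatch fails at build time instead of leaking one field into another field's AUTH_* environment variable. A one-line comment next to the three new rows saying that they stay unset when original_username is NULL (the `if (auth_request->original_username != NULL)` guard) would also save the next reader a trip into the function.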
> This will add AUTH_ORIG_USER, AUTH_ORIG_USERNAME and AUTH_ORIG_DOMAIN
> environment variables to the environment of every checkpassword script.
> 
> If this is the correct way to extend the environment of a
> chackpassword-script
> then you might consider adding these minor changes to the dovecot-source.
> 
> Kind regards and thanks very much for this wonderful project
> 
> Peter Koch


Re: [Dovecot] CONTEXT=SORT

2014-05-05 Thread Timo Sirainen
On 3.5.2014, at 8.51, Michael M Slusarz  wrote:

> Quoting Michael M Slusarz :
> 
>> 5 UID SORT RETURN (PARTIAL 1:10) (SUBJECT) UTF-8 UNDELETED
>> * ESEARCH (TAG "5") UID PARTIAL (1:10 NIL)
>> 5 OK Sort completed (0.000 secs).
> 
> Well duh.  Maybe I should actually look at the results.  This is obviously 
> wrong (this mailbox has 13 undeleted messages, so NIL is not a proper return).
> 
> ...although PARTIAL limiting for SEARCH doesn't work either:
> 
> 4 UID SEARCH RETURN (PARTIAL 1:10) UNDELETED
> * ESEARCH (TAG "4") UID PARTIAL (1:10 NIL)
> 4 OK Search completed (0.000 secs).

Ugh. This was slightly broken in earlier versions, but in v2.2.11 I broke it 
completely by misunderstanding what it was supposed to do. And after now fixing 
it nicely for SEARCH PARTIAL I realize that it's again broken for SORT PARTIAL. 
So, back to the original code with the correct minor fix..: 
http://hg.dovecot.org/dovecot-2.2/rev/32b6a95c95cc

I also updated imaptest to check for the SEARCH PARTIAL.

Oh and the reason why CONTEXT=SORT isn't advertised is because SORT RETURN 
(UPDATE) doesn't work.


Re: [Dovecot] Dovecot proxy

2014-05-05 Thread Alex Ferrara
Unfortunately, the requirement for this network is that the only pinhole 
through the firewall between the main relay and the mail server is IMAP. My 
thought was to ship a list of valid usernames to the imap relay that are 
allowed to connect, and that list would be constructed from inside the LAN and 
shipped to the DMZ via rsync.

I could set the default value of allow_nets and override it, but I am unsure 
how best to do that in my situation. Maybe if I use a passwd-file on the 
userdb, but keep the imap driver on the passdb?

aF

On 05/05/2014, at 4:24 PM, Jiri Bourek  wrote:

> Is it possible to use backend's passdb on the relay server in your setup?
> 
> If you are - for example - using SQL database as passdb on the backend, you 
> can access it from relay server as well. Let's say you have "relay_enabled" 
> column in the table of users, then you can use something like:
> 
> select ... from users where user = ... and relay_enabled = true
> 
> Users who are not permitted access from the internet will get an 
> authentication failure.
> 
> If your passdb can't be shared this way (unix accounts, passwd-file etc.), 
> this won't work of course. Maybe you can try to play around with allow_nets 
> (http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/AllowNets), possibly 
> combined with login_trusted_networks on the backend
> 
> The idea here is that your relay provides user's real IP and you use 
> allow_nets extra field to restrict access to your internal network only. Not 
> sure if this can work though, never tried.
> 
> 
> Alex Ferrara wrote:
>> Hi everyone,
>> 
>> I have a problem that hopefully has an easy solution.
>> 
>> I am setting up an IMAP proxy in a DMZ network. It will connect to
>> the real IMAP server and authenticate using "driver = imap", and this
>> I have working really nicely.
>> 
>> What I want to do is have it look up a list of users that are allowed
>> to connect through the proxy before proxying the connection, as not
>> all users with an account are permitted to access their email from
>> the internet. I thought that using a post-login script would get me
>> out of trouble, but it isn't possible in a relay configuration.
>> 
>> 
>> 
>> dovecot.conf
>> 
>> ## Dovecot configuration file
>> 
>> mail_uid = dovecot
>> mail_gid = dovecot
>> 
>> protocols = imap
>> 
>> listen = *, ::
>> 
>> passdb {
>>   driver = imap
>>   # IMAP server to authenticate against
>>   args = host=192.168.1.1
>>   # IMAP server to connect to for mailbox
>>   default_fields = proxy=yes host=192.168.1.1
>> }
>> userdb {
>>   driver = prefetch
>> }
>> 
>> auth_mechanisms = plain login
>> 
>> # This is the auth service used by Postfix to do dovecot auth.
>> service auth {
>>   unix_listener auth-userdb {
>>   }
>>   inet_listener {
>>     port = 12345
>>   }
>> }
>> 
>> ##
>> ## SSL settings
>> ##
>> 
>> # These will need to be adjusted to point to *your* certificates, not mine 8-)
>> # The ssl_ca line refers to the intermediate certificate bundle which may
>> # or may not be required by your SSL provider
>> 
>> ssl_cert => => => ALL:!LOW:!SSLv2:!EXP:!aNULL