Re: Does dovecot work OK on *BSD?
On Fri, Sep 26, 2014 at 03:03:13PM +1200, Mark Davies wrote:
> dovecot 2.2.13 works very nicely here via pkgsrc on NetBSD.

Same here, works fine on NetBSD.

-- 
Emmanuel Dreyfus
m...@netbsd.org
Re: Is dovecot vulnerable to the shellshock/CVE-2014-6271 exploit?
On 26.09.2014 02:59, Joseph Tam wrote:
> Since dovecot passes values via environment variables based on user
> input (e.g. username, password, mailbox?) to auxiliary executables
> (including possibly bash shell scripts), is dovecot vulnerable to
> this exploit?

Given this article about how e.g. PHP could be vulnerable via popen/system:

http://lcamtuf.blogspot.de/2014/09/quick-notes-about-bash-bug-its-impact.html

I can only think about sieve now, when it constructs mail and pipes that to sendmail_path, but I would be surprised if this is using user-input (e.g. script) in environment variables.

I was skimming through Roundcube and didn't find something 'fishy' so far, but that doesn't mean there is nothing ;-).
Re: Does dovecot work OK on *BSD?
> I have a dovecot server on my Debian Wheezy desktop computer. My days
> with Debian are limited, and I'm investigating several 'BSD's:
>
> OpenBSD
> FreeBSD
> PCBSD
> NetBSD
> DragonflyBSD
> etc
>
> Is there any reason Dovecot wouldn't work on any of those? Does anyone
> know if those OS's have packages for Dovecot, or do I need to compile
> it myself?

I've successfully run Dovecot on OpenBSD since 2010 and before that for many years on FreeBSD. Never had any issues, runs just fine on both those OSs.

.jh
Re: Does dovecot work OK on *BSD?
dovecot 2.2.13 works very nicely here via pkgsrc on NetBSD. cheers mark
Is dovecot vulnerable to the shellshock/CVE-2014-6271 exploit?
I'm right now handling this beach-ball sized grenade, and trying to figure out which of our services need to be locked down right away.

Since dovecot passes values via environment variables based on user input (e.g. username, password, mailbox?) to auxiliary executables (including possibly bash shell scripts), is dovecot vulnerable to this exploit? (This is not a fault of dovecot, but rather bash's inadequate handling of environment variables.)

For example, injection of this sort

    1 LOGIN (){x;}exploit-code whatever

I guess auth_username_chars would mitigate this particular attempt (assuming it can work), but other values such as mailbox names could also be injected post authentication.

Can someone with working knowledge of dovecot's internals confirm/deny whether this is something that needs to be addressed?

Joseph Tam
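Added example (not part of the original post and not Dovecot code): one way a C program that hands user-derived values to helper scripts through the environment can drop function-definition-shaped values before exec. The variable names and sample values are constructed, and the filter is deliberately stricter than the "() {" prefix that unpatched bash acted on.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if the value part of "NAME=value" starts like a shell
 * function definition. Unpatched bash imported values beginning with
 * "() {"; this check also rejects leading whitespace and "()" written
 * without the space, so it errs on the side of dropping. */
int looks_like_funcdef(const char *entry)
{
    const char *v = strchr(entry, '=');
    if (v == NULL)
        return 0;               /* malformed entry, no value to inspect */
    v++;
    while (*v != '\0' && isspace((unsigned char)*v))
        v++;
    if (*v != '(')
        return 0;
    v++;
    while (*v != '\0' && isspace((unsigned char)*v))
        v++;
    return *v == ')';
}

/* Compact envp in place, keeping only entries that pass the check.
 * Returns the number of entries removed; envp stays NULL-terminated. */
size_t scrub_env(char **envp)
{
    size_t kept = 0, dropped = 0;
    for (size_t i = 0; envp[i] != NULL; i++) {
        if (looks_like_funcdef(envp[i]))
            dropped++;
        else
            envp[kept++] = envp[i];
    }
    envp[kept] = NULL;
    return dropped;
}

/* Constructed sample environment: two values shaped like function
 * definitions (bodies are inert placeholders), two ordinary values. */
int main(void)
{
    char e0[] = "USER=() { x;}placeholder";
    char e1[] = "IP=192.0.2.10";
    char e2[] = "MAILBOX=(){x;}";
    char e3[] = "HOME=/home/alice (old)";
    char *envp[] = { e0, e1, e2, e3, NULL };

    size_t dropped = scrub_env(envp);
    printf("dropped %zu entries\n", dropped);
    for (size_t i = 0; envp[i] != NULL; i++)
        printf("kept: %s\n", envp[i]);
    /* A caller would pass the scrubbed envp to execve() for the helper. */
    return 0;
}
```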
Indexing of mailf fts clucene aborts
Hi

I am trying lucene to index my email. To create the index, I run the following command and the indexing aborts:

,----
| 09:42:20 ~$ doveadm -Dv index -u rainerkrug 'RMKrugGMAIL.*'
| doveadm(rainerkrug): Debug: Loading modules from directory: /usr/local/Cellar/dovecot/2.2.13_1/lib/dovecot
| doveadm(rainerkrug): Debug: Module loaded: /usr/local/Cellar/dovecot/2.2.13_1/lib/dovecot/lib20_fts_plugin.so
| doveadm(rainerkrug): Debug: Module loaded: /usr/local/Cellar/dovecot/2.2.13_1/lib/dovecot/lib21_fts_lucene_plugin.so
| doveadm(rainerkrug): Debug: Loading modules from directory: /usr/local/Cellar/dovecot/2.2.13_1/lib/dovecot/doveadm
| doveadm(rainerkrug): Debug: Skipping module doveadm_acl_plugin, because dlopen() failed: dlopen(/usr/local/Cellar/dovecot/2.2.13_1/lib/dovecot/doveadm/lib10_doveadm_acl_plugin.so, 10): Symbol not found: _acl_user_module
|   Referenced from: /usr/local/Cellar/dovecot/2.2.13_1/lib/dovecot/doveadm/lib10_doveadm_acl_plugin.so
|   Expected in: flat namespace
|  in /usr/local/Cellar/dovecot/2.2.13_1/lib/dovecot/doveadm/lib10_doveadm_acl_plugin.so (this is usually intentional, so just ignore this message)
| doveadm(rainerkrug): Debug: Skipping module doveadm_expire_plugin, because dlopen() failed: dlopen(/usr/local/Cellar/dovecot/2.2.13_1/lib/dovecot/doveadm/lib10_doveadm_expire_plugin.so, 10): Symbol not found: _expire_set_deinit
|   Referenced from: /usr/local/Cellar/dovecot/2.2.13_1/lib/dovecot/doveadm/lib10_doveadm_expire_plugin.so
|   Expected in: flat namespace
|  in /usr/local/Cellar/dovecot/2.2.13_1/lib/dovecot/doveadm/lib10_doveadm_expire_plugin.so (this is usually intentional, so just ignore this message)
| doveadm(rainerkrug): Debug: Skipping module doveadm_quota_plugin, because dlopen() failed: dlopen(/usr/local/Cellar/dovecot/2.2.13_1/lib/dovecot/doveadm/lib10_doveadm_quota_plugin.so, 10): Symbol not found: _quota_user_module
|   Referenced from: /usr/local/Cellar/dovecot/2.2.13_1/lib/dovecot/doveadm/lib10_doveadm_quota_plugin.so
|   Expected in: flat namespace
|  in /usr/local/Cellar/dovecot/2.2.13_1/lib/dovecot/doveadm/lib10_doveadm_quota_plugin.so (this is usually intentional, so just ignore this message)
| doveadm(rainerkrug): Debug: Module loaded: /usr/local/Cellar/dovecot/2.2.13_1/lib/dovecot/doveadm/lib20_doveadm_fts_lucene_plugin.so
| doveadm(rainerkrug): Debug: Module loaded: /usr/local/Cellar/dovecot/2.2.13_1/lib/dovecot/doveadm/lib20_doveadm_fts_plugin.so
| doveadm(rainerkrug): Debug: Effective uid=501, gid=20, home=/Users/rainerkrug
| doveadm(rainerkrug): Debug: Namespace inbox: type=private, prefix=, sep=, inbox=yes, hidden=no, list=yes, subscriptions=yes location=maildir:~/Maildir
| doveadm(rainerkrug): Debug: maildir++: root=/Users/rainerkrug/Maildir, index=, indexpvt=, control=, inbox=/Users/rainerkrug/Maildir, alt=
| doveadm(rainerkrug): Debug: Ignoring unknown cache field: pop3.order
| doveadm(rainerkrug): Debug: Ignoring unknown cache field: binary.parts
| doveadm(rainerkrug): Info: RMKrugGMAIL.[Gmail].All Mail: Caching mails seq=2..49011
| 48700/49010Assertion failed: (numDocsInStore*8 == directory->fileLength( (docStoreSegment + "." + IndexFileNames::FIELDS_INDEX_EXTENSION).c_str() )), function closeDocStore, file /tmp/clucene-M0PS6G/src/core/CLucene/index/DocumentsWriter.cpp, line 210.
| Abort trap: 6
`----

Any suggestions?

I am using dovecot on a Mac, Mavericks, installed via homebrew.

If you need any further info, please let me know.

Thanks,

Rainer

-- 
Rainer M. Krug
email: Rainerkrugsde
PGP: 0x0F52F982
Re: Quota Woes
Quoting Art Stephens:

> Trying to get quota to show up in IMP - Horde 5.x
> Seems it is not working with dovecot
>
> Escape character is '^]'.
> * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.

This is the pre-authentication capability, so it wouldn't display QUOTA even if it is correctly enabled. You need the post-authentication capability instead.

michael
Re: Does dovecot work OK on *BSD?
On 25 Sep 2014, at 18:14, Steve Litt wrote:

> Hi all,
>
> I have a dovecot server on my Debian Wheezy desktop computer. My days
> with Debian are limited, and I'm investigating several 'BSD's:
>
> OpenBSD
> FreeBSD
> PCBSD
> NetBSD
> DragonflyBSD
> etc
>
> Is there any reason Dovecot wouldn't work on any of those? Does anyone
> know if those OS's have packages for Dovecot, or do I need to compile
> it myself?
>
> Thanks,
>
> SteveT

it works just fine for my little company, see my signature on what OS I prefer. Poke me in case you need help ..

Cheerio
Remko

>
> Steve Litt * http://www.troubleshooters.com/
> Troubleshooting Training * Human Performance

-- 
/"\   Best regards,                      | re...@freebsd.org
\ /   Remko Lodder                       | remko@EFnet
 X    http://www.evilcoder.org/          |
/ \   ASCII Ribbon Campaign              | Against HTML Mail and News
Re: Does dovecot work OK on *BSD?
On 25.09.2014, at 18:14, Steve Litt wrote:

> I'm investigating several 'BSD's:
>
> FreeBSD

One more to confirm that Dovecot and Pigeonhole are running on FreeBSD.

> Does anyone know if those OS's have packages for Dovecot, or do I
> need to compile it myself?

No need to compile, both come as ports. But if you might be interested in testing upcoming versions, it's pretty simple to set up a mercurial repository and compile from scratch, both Dovecot and Pigeonhole.

Regards,
Michael
Re: Does dovecot work OK on *BSD?
On Thu, Sep 25, 2014 at 12:01:01PM -0500, Larry Rosenman wrote:
> I run dovecot on FreeBSD and it's in ports.. no issues at all and the
> maintainer keeps it current.

I don't use it very much (mostly read mail locally, and it's a single-user system), but I have no problems with Dovecot (2.2.x, built from ports) on my FreeBSD box.

w
Re: Does dovecot work OK on *BSD?
I run dovecot on FreeBSD and it's in ports.. no issues at all and the maintainer keeps it current.

On Sep 25, 2014 11:17 AM, "Steve Litt" wrote:

> Hi all,
>
> I have a dovecot server on my Debian Wheezy desktop computer. My days
> with Debian are limited, and I'm investigating several 'BSD's:
>
> OpenBSD
> FreeBSD
> PCBSD
> NetBSD
> DragonflyBSD
> etc
>
> Is there any reason Dovecot wouldn't work on any of those? Does anyone
> know if those OS's have packages for Dovecot, or do I need to compile
> it myself?
>
> Thanks,
>
> SteveT
>
> Steve Litt * http://www.troubleshooters.com/
> Troubleshooting Training * Human Performance
Re: Does dovecot work OK on *BSD?
I can confirm that Dovecot 1.2 (I started with 0.9 back in the day and just didn't yet upgrade to 2.x) works fine under NetBSD.
Re: Does dovecot work OK on *BSD?
Hi Steve,

Go for FreeBSD ;) it offers Dovecot(2) via ports or via package. I always recommend ports though, due to the fact of being able to enable/disable options - but that's your choice.

Ports:

    cd /usr/ports/mail/dovecot2
    make install clean

or via pkg(8):

    pkg install dovecot2

I can always recommend to ask your friend Google: "FreeBSD + Dovecot + Tutorial" or "FreeBSD + Dovecot + How to".

According to my knowledge, it works quite the same with the other BSDs in your list. It's been a while since I worked with one of them. I stuck to FreeBSD

* For updating / maintenance of ports and packages, I recommend portmaster.
* For System binary related updates there is freebsd-update(8).

Best Regards,
Leander S.

On 25.09.14 18:14, Steve Litt wrote:

> Hi all,
>
> I have a dovecot server on my Debian Wheezy desktop computer. My days
> with Debian are limited, and I'm investigating several 'BSD's:
>
> OpenBSD
> FreeBSD
> PCBSD
> NetBSD
> DragonflyBSD
> etc
>
> Is there any reason Dovecot wouldn't work on any of those? Does anyone
> know if those OS's have packages for Dovecot, or do I need to compile
> it myself?
>
> Thanks,
>
> SteveT
>
> Steve Litt * http://www.troubleshooters.com/
> Troubleshooting Training * Human Performance
Does dovecot work OK on *BSD?
Hi all,

I have a dovecot server on my Debian Wheezy desktop computer. My days with Debian are limited, and I'm investigating several 'BSD's:

OpenBSD
FreeBSD
PCBSD
NetBSD
DragonflyBSD
etc

Is there any reason Dovecot wouldn't work on any of those? Does anyone know if those OS's have packages for Dovecot, or do I need to compile it myself?

Thanks,

SteveT

Steve Litt * http://www.troubleshooters.com/
Troubleshooting Training * Human Performance
Quota Woes
Trying to get quota to show up in IMP - Horde 5.x
Seems it is not working with dovecot

Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.

root@mail:~# dovecot --version
2.0.19
root@mail:~# dovecot -n
# 2.0.19: /etc/dovecot/dovecot.conf
# OS: Linux 3.11.0-26-generic x86_64 Ubuntu 12.04.4 LTS
auth_mechanisms = plain login
disable_plaintext_auth = no
mail_location = mbox:~/mail/:INBOX=/var/mail/%u
mail_plugins = " quota"
passdb {
  driver = pam
}
plugin {
  quota = fs:User quota
  quota_rule = *:storage=300M
  quota_warning = storage=95%% quota-warning 95 %u
  quota_warning2 = storage=80%% quota-warning 80 %u
}
protocols = " imap pop3"
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
  }
}
ssl_cert =
Re: SSL issues when proxying
* lst_ho...@kwsoft.de:
>
> Quoting Ralf Hildebrandt:
>
> >I'm getting this in the log when proxying IMAP (three "valid
> >certificate" messages, two "Invalid certificate" messages)
> >
> >Why is dovecot (acting as a proxy to another dovecot instance here) not
> >recognizing the StartCom Extended Validation Server CA?
> >
>
> Forgot to include the matching intermediate CA maybe?

Certificate chain
 0 s:/C=DE/ST=Berlin/L=Berlin/postalCode=...
   i:/C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Extended Validation Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Extended Validation Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority

Oh bloody hell. I do have "StartCom Extended Validation Server CA" but not "StartCom Certification Authority". MEH!

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, District Court München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
Re: SSL issues when proxying
Quoting Ralf Hildebrandt:

> I'm getting this in the log when proxying IMAP (three "valid
> certificate" messages, two "Invalid certificate" messages)
>
> Why is dovecot (acting as a proxy to another dovecot instance here) not
> recognizing the StartCom Extended Validation Server CA?

Forgot to include the matching intermediate CA maybe?

Regards

Andi
Re: SSL issues when proxying
On Thu, 25 Sep 2014, Ralf Hildebrandt wrote:

> Date: Thu, 25 Sep 2014 14:22:30 +0200
> From: Ralf Hildebrandt
> To: dovecot@dovecot.org
> Subject: SSL issues when proxying
>
> I'm getting this in the log when proxying IMAP (three "valid
> certificate" messages, two "Invalid certificate" messages)

Is one of your proxies or servers missing a root CA? Or do your hosts query a cert database or something like that?

Can you validate the cert on all hosts via openssl manually?

-- 
Steffen Kaiser
SSL issues when proxying
I'm getting this in the log when proxying IMAP (three "valid certificate" messages, two "Invalid certificate" messages)

Why is dovecot (acting as a proxy to another dovecot instance here) not recognizing the StartCom Extended Validation Server CA?

. LOGIN ralf.hildebra...@charite.de mypassword

Sep 25 14:13:04 auth-worker(30859): Info: mysql(sql.charite.de): Connected to database mailservice
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x10, ret=1: before/connect initialization [127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1001, ret=1: before/connect initialization [127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1001, ret=1: unknown state [127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1002, ret=-1: unknown state [127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1001, ret=1: SSLv3 read server hello A [127.0.0.1]
Sep 25 14:13:04 imap-login: Info: Invalid certificate: unable to get local issuer certificate: /C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Extended Validation Server CA
Sep 25 14:13:04 imap-login: Info: Invalid certificate: certificate not trusted: /C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Extended Validation Server CA
Sep 25 14:13:04 imap-login: Info: Valid certificate: /C=DE/ST=Berlin/L=Berlin/postalCode=12205/street=Charitestrasse 1/O=Charite Universitaetsmedizin/CN=imap.charite.de/emailAddress=postmas...@charite.de/serialNumber=HRA/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.1=Mitte/1.3.6.1.4.1.311.60.2.1.2=Berlin/1.3.6.1.4.1.311.60.2.1.3=DE
Sep 25 14:13:04 imap-login: Info: Valid certificate: /C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Extended Validation Server CA
Sep 25 14:13:04 imap-login: Info: Valid certificate: /C=DE/ST=Berlin/L=Berlin/postalCode=12205/street=Charitestrasse 1/O=Charite Universitaetsmedizin/CN=imap.charite.de/emailAddress=postmas...@charite.de/serialNumber=HRA/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.1=Mitte/1.3.6.1.4.1.311.60.2.1.2=Berlin/1.3.6.1.4.1.311.60.2.1.3=DE
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1001, ret=1: SSLv3 read server certificate A [127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1001, ret=1: SSLv3 read server key exchange A [127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1001, ret=1: SSLv3 read server done A [127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1001, ret=1: SSLv3 write client key exchange A [127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1001, ret=1: SSLv3 write change cipher spec A [127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1001, ret=1: SSLv3 write finished A [127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1001, ret=1: SSLv3 flush data [127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1002, ret=-1: SSLv3 read server session ticket A [127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1002, ret=-1: SSLv3 read server session ticket A [127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1001, ret=1: SSLv3 read server session ticket A [127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1001, ret=1: SSLv3 read finished A [127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully [127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1002, ret=1: SSL negotiation finished successfully [127.0.0.1]

. OK [CAPABILITY ...
Re: doveadm penalty: who is 0.0.0.0?
* Peer Heinlein:
>
> Using doveadm penalty I just noticed a penalty for 0.0.0.0.
>
> Is this Postfix querying the auth-socket for his SASL-requests?

Maybe a portscan? Sometimes they turn up as 0.0.0.0
Namespace configuration over SQL
Hello!

I had a working setup, where namespace settings (including prefix) were queried over SQL. Now, after installing a new Dovecot on a new server (using the same configuration), this is not working anymore. The log shows the following error:

"""
Initialization failed: namespace configuration error: list=yes requires prefix=yes to end with separator
"""

relevant part from dovecot-sql.conf.ext:

"""
user_query = \
    SELECT \
        1002 AS uid \
        , 1003 AS gid \
        , CONCAT('/www/home/vmail/domains/', SUBSTRING(d.name, 1, 1), '/', d.name, '/', u.username) AS home \
        , namespace_prefix AS 'namespace/default/prefix' \
        , 'yes' AS 'namespace/default/inbox' \
        , '%s' AS 'mail_service' \
    FROM vm_domain d \
    INNER JOIN vm_user u ON u.vm_domain_id = d.id \
    WHERE d.name = '%d' AND u.username = '%n' AND u.active = 1 AND d.active = 1
"""

namespace_prefix can be empty or INBOX.

doveconf -n output:

"""
# 2.2.13: /usr/local/etc/dovecot/dovecot.conf
# OS: FreeBSD 9.3-RELEASE amd64
auth_debug = yes
auth_verbose = yes
disable_plaintext_auth = no
listen = *
mail_debug = yes
mail_location = maildir:~/Maildir
mmap_disable = yes
namespace default {
  inbox = yes
  list = yes
  location =
  prefix =
  separator = .
  type = private
}
passdb {
  args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename flag_change append
  mail_log_fields = uid box msgid size
  mail_log_group_events = no
}
service imap {
  process_limit = 1480
}
ssl_cert =