dsync SSL fails since 2.2.15
Hello list,

dovecot ran rock-solid on OSX Mavericks for about 1 year, replicating my mail between 2 servers via dsync with SSL as is well described here: http://wiki2.dovecot.org/Replication

After upgrading to 2.2.15, dsync gets stuck with the error "Received invalid SSL certificate", even though neither any of the dovecot configs nor the certs, keys or the CA have changed! When I simply comment out SSL and switch dsync to use tcp (instead of tcps), replication still works like a charm. Please help me to get SSL back working! I did a lot of testing and came up with a concrete QUESTION below, hopefully leading the way out of this trap.

What happened
==
2 days before, I upgraded one of the machines to OSX Yosemite. Along with this, I also upgraded to dovecot 2.2.15 via homebrew (unfortunately on both machines at once). During this process, openssl was also updated to "OpenSSL 1.0.1k 8 Jan 2015". If checking the unchanged certs against the CA, however, the results are still "OK".

1st check: OK
==
sudo /usr/bin/openssl verify -CAfile /etc/ssl/ca/dovecotCA.pem /etc/ssl/certs/dovecot_on27_signed_cert.pem
Password:
/etc/ssl/certs/dovecot_on27_signed_cert.pem: OK

2nd check: OK (providing the CAfile and connecting to the doveadm_port)
===
openssl s_client -CAfile /etc/ssl/ca/dovecotCA.pem -connect on27.linkpc.net:8082
CONNECTED(0003)
depth=1 CN = dovecotCA2, O = dovecot, OU = dovecot, ST = dovecot, C = AF, L = dovecot, emailAddress = m...@aiguphonie.com
verify return:1
depth=0 CN = on27.linkpc.net, O = dovecot, OU = dovecot, ST = dovecot, C = AF, L = dovecot, emailAddress = m...@aiguphonie.com
verify return:1
---
Certificate chain
 0 s:/CN=on27.linkpc.net/O=dovecot/OU=dovecot/ST=dovecot/C=AF/L=dovecot/emailAddress=m...@aiguphonie.com
   i:/CN=dovecotCA2/O=dovecot/OU=dovecot/ST=dovecot/C=AF/L=dovecot/emailAddress=m...@aiguphonie.com
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/CN=on27.linkpc.net/O=dovecot/OU=dovecot/ST=dovecot/C=AF/L=dovecot/emailAddress=m...@aiguphonie.com
issuer=/CN=dovecotCA2/O=dovecot/OU=dovecot/ST=dovecot/C=AF/L=dovecot/emailAddress=m...@aiguphonie.com
---
No client certificate CA names sent
---
SSL handshake has read 1709 bytes and written 487 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: C4DDBA1FA50039FA5D94EF2359BA037B3903D66B6B637CA0733A9216BFCC3996
    Session-ID-ctx:
    Master-Key: 0495D21CA11AA54856D78B48C3DBE9B70EFFB65F13224B430D2B4B2F80F12BE5A89F31454F9577F22F5DDC26FDBAAFAC
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    [...]
    0090 - 2d 97 37 15 bd a9 be 68-c1 79 fa dd d8 75 76 3f   -.7....h.y...uv?

    Compression: 1 (zlib compression)
    Start Time: 1421443766
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

Yet, testing dsync yields: ERROR
==
sudo -u _vmail doveadm -v sync -u test tcps:on27.linkpc.net
Password:
doveadm(test): Info: Received invalid SSL certificate: certificate signature failure: /CN=on27.linkpc.net/O=dovecot/OU=dovecot/ST=dovecot/C=AF/L=dovecot/emailAddress=m...@aiguphonie.com
doveadm(test): Error: doveadm server disconnected before handshake: Received invalid SSL certificate: certificate signature failure: /CN=on27.linkpc.net/O=dovecot/OU=dovecot/ST=dovecot/C=AF/L=dovecot/emailAddress=m...@aiguphonie.com
doveadm(test): Fatal: Disconnected from remote: Received invalid SSL certificate: certificate signature failure: /CN=on27.linkpc.net/O=dovecot/OU=dovecot/ST=dovecot/C=AF/L=dovecot/emailAddress=m...@aiguphonie.com

QUESTION
==
So the question clearly is: how does dovecot check the cert against the CA exactly? Is there a call to the openssl command, or is the library linked into doveadm? If linked, what version is used and how can I possibly change it? Or: what's wrong with my CA and cert(s) all of a sudden? How can I create a new CA for two certs fitting the (new) needs of doveadm?

THANK YOU!

==
Here are my full but rather simple configs of both machines:
==

1st machine: Yosemite
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Darwin 14.0.0 x86_64
base_dir = /var/run/dovecot/
default_internal_user = _dovecot
default_login_user = _dovenull
doveadm_password = secret
doveadm_port = 8082
log_path = /usr/local/var/log/doveco
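The two checks that matter when a chain that used to pass starts failing with "certificate signature failure" after an OpenSSL upgrade, as an added shell example that is not from the original post: verify the leaf against the CA file the way the post's first check does, and print the signature algorithm and validity dates of each certificate so the two sides can be compared. The openssl CLI is assumed to be installed; testCA, mail.example.test and otherCA are constructed throwaway names used for the demo, not the on27.linkpc.net certificates.

```shell
#!/bin/sh
# Added example (not from the original post). Reproduce, outside of doveadm,
# the check behind "Received invalid SSL certificate: certificate signature
# failure": does the leaf certificate verify against the CA file, and which
# signature algorithm and validity period does each certificate carry?
# Usage: check_chain CA.pem LEAF.pem   (returns 0 only when the chain verifies)

check_chain() {
  ca=$1 leaf=$2
  for f in "$ca" "$leaf"; do
    echo "== $f"
    openssl x509 -in "$f" -noout -subject -issuer -dates
    # the algorithm the issuer used to sign this certificate
    openssl x509 -in "$f" -noout -text | awk '/Signature Algorithm/ { print; exit }'
  done
  # old openssl versions exit 0 even when verification fails,
  # so judge by the "OK" text rather than by the exit status
  result=$(openssl verify -CAfile "$ca" "$leaf" 2>&1 || true)
  echo "$result"
  case $result in
    *": OK"*) return 0 ;;
    *)        return 1 ;;
  esac
}

# Constructed test data (names made up): a throwaway CA, a leaf it signed and
# an unrelated CA, written to a temp directory whose path is printed
make_test_chain() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=testCA' \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=mail.example.test' \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/ca.pem" \
    -CAkey "$d/ca.key" -CAcreateserial -out "$d/leaf.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=otherCA' \
    -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null
  echo "$d"
}

# check_chain.sh CA.pem LEAF.pem checks real files, e.g. dovecotCA.pem and the
# signed cert from the post; with no arguments nothing runs (source it instead)
[ $# -eq 2 ] && check_chain "$1" "$2"
```

Sourcing the file and running check_chain on the directory returned by make_test_chain shows both outcomes (the signing CA verifies, the unrelated one does not).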
Re: pigeonhole - how to whitelist
Thanks. That's exactly what I needed. However, I have a permission problem. I added the parameter to 90-sieve.conf and created the directory, but now I get the following permission errors in maillog even though I have the file and directory wide open with 777 permissions:

Error: yY/0JHtauVQfPgAAU+Cu/Q: sieve: failed to open sieve dir: stat(/var/lib/dovecot/sieve/after.d/) failed: Permission denied (euid=526(cliffhayes) egid=12(mail) missing +x perm: /var/lib/dovecot, euid is not dir owner)

On 1/16/2015 1:33 AM, Steffen Kaiser wrote:
> On Thu, 15 Jan 2015, Cliff Hayes wrote:
>
>> When new users are added we start them with a spam rule that routes spam to their junk folder. I don't see a way to assign priority ... so how does a user whitelist a spam-flagged email? Are the rules applied in some order? Alphabetically perhaps? If so I can name the spam rule z-spam.
>
> Rules do have exactly one order, the one in which they appear in the Sieve script. But you certainly mean something different. Maybe a particular Sieve front-end that assembles the Sieve script?
>
> See http://wiki2.dovecot.org/Pigeonhole/Sieve/Configuration#multiscript
>
> There is one personal script the user may change, and you can define one or more scripts to be executed before or after the personal script. So, if this were a Pigeonhole problem: you define the spam processing in an "after" global script, and to let the user whitelist a message, the personal script must file the message somewhere and stop script processing; see the paragraph after "sieve_after = ".
>
> -- 
> Steffen Kaiser
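A check for the "missing +x perm" condition in the error above, as an added shell example that is not from the original posts: it walks every directory component of a path and reports which ones deny the search (+x) bit to a given user and group, because mode 777 on after.d does not help while an ancestor such as /var/lib/dovecot is not searchable for the process's euid and egid. The user and group names passed in are assumptions; substitute the euid/egid names from the log line.

```shell
#!/bin/sh
# Added example (not from the original posts). Walk every directory component
# of a path and report which ones deny the search (+x) bit to a given user and
# group: the condition behind "missing +x perm: /var/lib/dovecot, euid is not
# dir owner".  A 777 mode on the last directory is not enough; every ancestor
# must be searchable by the effective uid/gid of the process.
# Usage: check_traverse /var/lib/dovecot/sieve/after.d cliffhayes mail

# x_bit MODE OWNER GROUP USER USERGROUP: print the x-bit character that applies
# to USER (member of USERGROUP) from an "ls -ld" mode string such as drwxr-x---
x_bit() {
  if [ "$2" = "$4" ]; then pos=4        # owner triplet  (chars 2-4)
  elif [ "$3" = "$5" ]; then pos=7      # group triplet  (chars 5-7)
  else pos=10; fi                       # others triplet (chars 8-10)
  printf '%s\n' "$1" | cut -c"$pos"
}

# check_traverse PATH USER GROUP: one line per component; returns 1 if any
# component is not a directory searchable by USER:GROUP
check_traverse() {
  target=$1 user=$2 ugroup=$3 bad=0
  case $target in /*) dir= ;; *) dir=. ;; esac   # relative paths start at .
  old_ifs=$IFS
  IFS=/
  for part in $target; do
    IFS=$old_ifs
    [ -n "$part" ] || continue        # skip empty fields from // or trailing /
    dir="$dir/$part"
    if [ ! -d "$dir" ]; then
      echo "$dir: missing or not a directory"; bad=1; break
    fi
    # ls -ld fields: mode links owner group ...
    set -- $(ls -ld "$dir")
    x=$(x_bit "$1" "$3" "$4" "$user" "$ugroup")
    case $x in
      x|s|t) echo "$dir: ok ($x for $user:$ugroup)" ;;
      *)     echo "$dir: missing +x for $user:$ugroup (mode $1, owner $3:$4)"; bad=1 ;;
    esac
  done
  IFS=$old_ifs
  return $bad
}

[ $# -eq 3 ] && check_traverse "$1" "$2" "$3"
```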
dsync-remote: Error: Failed to set attribute
1. I am looking for a backup solution for mdbox with SIS and experimenting with dsync. I am planning to do it like that:

   doveadm backup [deSISing] => transmitting to remote host => dsync-server [SISing]

   Is there a more convenient method?

2. I have dovecot 2.2.15 on both hosts. The local host is a mail server. Dovecot on the remote host is neither running nor configured (I have created an empty dovecot.conf in the config dir). When I tried to back up a mailbox from the local to the remote host with the command

   doveadm backup -P -u u...@domain.tld \
     ssh -c blowfish -i /tmp/vmail/.ssh/id_dsa vmail@remotehost \
       doveadm \
         -o mail_location=mdbox:/tmp/vmail/domain.tld/user/mdbox \
         -o mail_attachment_dir=/tmp/vmail/attachments \
         dsync-server

   I got these error messages:

   dsync-remote(vmail): Error: Mailbox INBOX: Failed to set attribute vendor/vendor.dovecot/pvt/server/sieve/files/roundcube: Internal attributes cannot be changed directly
   dsync-remote(vmail): Error: Mailbox INBOX: Failed to set attribute vendor/vendor.dovecot/pvt/server/sieve/files/main: Internal attributes cannot be changed directly
   dsync-remote(vmail): Error: Mailbox INBOX: Failed to set attribute vendor/vendor.dovecot/pvt/server/sieve/files/test: Internal attributes cannot be changed directly
   dsync-remote(vmail): Error: Mailbox INBOX: Failed to set attribute vendor/vendor.dovecot/pvt/server/sieve/default: Internal attributes cannot be changed directly

   What do these errors mean? Does dsync try to replicate sieve scripts?

-- 
Alexander
Re: [SERVERBUG] failed to send mail with SA and antispam plugin
On 16.01.2015 at 09:46, ML mail wrote:
> Thanks to your help Steffen I was able to find out the issue, which was simply the size of the spam mail, as you can see here:
>
> spamc[16545]: skipped message, greater than max message size (512000 bytes)
>
> The spam mail was around 900 kbytes, as such I have changed the spamc limit to 1MB. Bastard spammer who abuses this limit by attaching a big image...

That's common for years now, even as we used a Barracuda Networks device where you need to add &expert=1 in the extended settings to raise that limit.

Given that only a small amount makes it to SA here, I increased that to 5 MB. In case of large images there is no performance impact; only large messages with mostly plaintext are resource hungry to scan.

In fact I have seen such bastards attach 2 MB images to the typical spam mail body to bypass scanners.
Re: [SERVERBUG] failed to send mail with SA and antispam plugin
Thanks to your help Steffen I was able to find out the issue, which was simply the size of the spam mail, as you can see here:

spamc[16545]: skipped message, greater than max message size (512000 bytes)

The spam mail was around 900 kbytes, as such I have changed the spamc limit to 1MB. Bastard spammer who abuses this limit by attaching a big image...

Regards
ML

On Thursday, January 15, 2015 12:23 PM, ML mail wrote:

Thank you for your helpful hints on debugging this issue. I wanted first to get the mail which generates this error, but unfortunately the user already deleted it, from his trash as well. Now I got another hint and it looks like this mail had a big attachment to it. Is it possible that spamc generated this error due to the size of the mail?

Regards
ML

On Thursday, January 15, 2015 8:29 AM, Steffen Kaiser wrote:

On Thu, 15 Jan 2015, ML mail wrote:

It would be better to have the original question & discussion at the top, so one could cut and read nicely.

> On Wednesday, January 14, 2015 9:06 PM, Pascal Volk wrote:
> On 01/14/2015 03:05 PM, ML mail wrote:
>
>> Hello,
>>
>> I am using the antispam plugin of Dovecot with SpamAssassin and in some
>> cases when users move back mails from the Spam folder to their INBOX (false
>> positive) they get the following error message:
>>
>> [SERVERBUG] failed to send mail
>
> # 2.1.7: /etc/dovecot/dovecot.conf
> # OS: Linux 3.2.0-4-amd64 x86_64 Debian 7.8 ext4
[cut]
> plugin {
>   antispam_backend = pipe
>   antispam_pipe_program = /usr/bin/spamc
>   antispam_pipe_program_args = -d;my-mx-server.domain.com;-u;amavis
>   antispam_pipe_program_notspam_args = -L;ham
>   antispam_pipe_program_spam_args = -L;spam
>   antispam_pipe_tmpdir = /tmp
>   antispam_signature = X-Spam-Flag
>   antispam_signature_missing = error
>   antispam_spam = INBOX.Spam;INBOX.Junk
>   antispam_trash = INBOX.trash;trash;INBOX.Trash;Trash;INBOX.Deleted Items;Deleted Items;INBOX.Deleted Messages;Deleted Messages
>   antispam_verbose_debug = 1

What does the plugin log?

[cut]
> service quota-warning {
>   executable = script /usr/local/bin/quota-warning.sh
>   unix_listener quota-warning {
>     user = vmail
>   }
>   user = vmail
> }

You seem to use a virtual user configuration, so the antispam plugin executes spamc as user vmail, correct? What happens if you run the program manually?

sudo -u vmail /usr/bin/spamc -d my-mx-server.domain.com -u amavis -L ham \
  < message

You can also trace the program with a wrapper script. Replace antispam_pipe_program with /usr/local/bin/spamc-wrapper

BEGIN /usr/local/bin/spamc-wrapper
#!/bin/bash
(
  # when and who
  date; id
  let i=0
  # what
  echo /usr/bin/spamc "$@"
  # see embedded spaces in arguments
  for arg; do
    let i=i+1
    echo "Arg#$i: '$arg'"
  done
  # call original program (the message arrives on stdin and is passed through)
  /usr/bin/spamc "$@"
  # log return code / exit code
  rc=$?
  echo rc=$rc
  # Make sure the rc is returned back to caller
  exit $rc
# log everything into a file
) >>/tmp/spamc-wrapper.log 2>&1
END

If you have lots of simultaneous calls, create one log file per call -> add .$$ to the filename.

-- 
Steffen Kaiser