dsync SSL fails since 2.2.15

2015-01-16 Thread Martin Carlé
Hello list,

dovecot ran rock-solid on OSX Mavericks for about 1 year replicating my mail 
between 2 servers via dsync with SSL as that is well described here: 
http://wiki2.dovecot.org/Replication

After upgrading to 2.2.15, dsync gets stuck with the error "Received invalid 
SSL certificate" even though neither any of the dovecot configs nor the certs, 
keys or the CA have changed!
When I simply comment out SSL and switch dsync to use tcp (instead of tcps), 
replication still works like a charm.

Please help me to get SSL back working!

I did a lot of testing and came up with a concrete QUESTION below, hopefully 
leading the way out of this trap.


What happened
=

Two days before, I upgraded one of the machines to OSX Yosemite. 
Along with this, I also upgraded to dovecot 2.2.15 via homebrew (unfortunately 
on both machines at once).
During this process, openssl was also updated to "OpenSSL 1.0.1k 8 Jan 2015".

Checking the unchanged certs against the CA, however, still gives "OK".

1st check: OK
==
sudo /usr/bin/openssl verify -CAfile /etc/ssl/ca/dovecotCA.pem 
/etc/ssl/certs/dovecot_on27_signed_cert.pem
Password:
/etc/ssl/certs/dovecot_on27_signed_cert.pem: OK

2nd check: OK (providing the CAfile and connecting to the doveadm_port)
===
openssl s_client -CAfile /etc/ssl/ca/dovecotCA.pem -connect on27.linkpc.net:8082
CONNECTED(0003)
depth=1 CN = dovecotCA2, O = dovecot, OU = dovecot, ST = dovecot, C = AF, L = dovecot, emailAddress = m...@aiguphonie.com
verify return:1
depth=0 CN = on27.linkpc.net, O = dovecot, OU = dovecot, ST = dovecot, C = AF, L = dovecot, emailAddress = m...@aiguphonie.com
verify return:1
---
Certificate chain
 0 s:/CN=on27.linkpc.net/O=dovecot/OU=dovecot/ST=dovecot/C=AF/L=dovecot/emailAddress=m...@aiguphonie.com
   i:/CN=dovecotCA2/O=dovecot/OU=dovecot/ST=dovecot/C=AF/L=dovecot/emailAddress=m...@aiguphonie.com
---
Server certificate
-----BEGIN CERTIFICATE-----
dmVjb3RDQTIxEDAOBgNVBAoMB2RvdmVjb3QxEDAOBgNVBAsMB2RvdmVjb3QxEDAO
[...]
+g==
-----END CERTIFICATE-----
subject=/CN=on27.linkpc.net/O=dovecot/OU=dovecot/ST=dovecot/C=AF/L=dovecot/emailAddress=m...@aiguphonie.com
issuer=/CN=dovecotCA2/O=dovecot/OU=dovecot/ST=dovecot/C=AF/L=dovecot/emailAddress=m...@aiguphonie.com
---
No client certificate CA names sent
---
SSL handshake has read 1709 bytes and written 487 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol  : TLSv1.2
Cipher: ECDHE-RSA-AES256-GCM-SHA384
Session-ID: C4DDBA1FA50039FA5D94EF2359BA037B3903D66B6B637CA0733A9216BFCC3996
Session-ID-ctx:
Master-Key: 0495D21CA11AA54856D78B48C3DBE9B70EFFB65F13224B430D2B4B2F80F12BE5A89F31454F9577F22F5DDC26FDBAAFAC
Key-Arg   : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
[...]   
0090 - 2d 97 37 15 bd a9 be 68-c1 79 fa dd d8 75 76 3f   -.7h.y...uv?

Compression: 1 (zlib compression)
Start Time: 1421443766
Timeout   : 300 (sec)
Verify return code: 0 (ok)
---
-



Yet, testing dsync yields: ERROR
==

sudo -u _vmail doveadm -v sync -u test tcps:on27.linkpc.net
Password:
doveadm(test): Info: Received invalid SSL certificate: certificate signature failure: /CN=on27.linkpc.net/O=dovecot/OU=dovecot/ST=dovecot/C=AF/L=dovecot/emailAddress=m...@aiguphonie.com
doveadm(test): Error: doveadm server disconnected before handshake: Received invalid SSL certificate: certificate signature failure: /CN=on27.linkpc.net/O=dovecot/OU=dovecot/ST=dovecot/C=AF/L=dovecot/emailAddress=m...@aiguphonie.com
doveadm(test): Fatal: Disconnected from remote: Received invalid SSL certificate: certificate signature failure: /CN=on27.linkpc.net/O=dovecot/OU=dovecot/ST=dovecot/C=AF/L=dovecot/emailAddress=m...@aiguphonie.com


QUESTION
=
So the question clearly is: how exactly does dovecot check the cert against 
the CA?
Is there a call to the openssl command, or is the library linked into doveadm?
If linked, what version is used and how can I possibly change it?

or:

What's wrong with my CA and cert(s) all of a sudden?
How can I create a new CA for two certs fitting the (new) needs of doveadm?


THANK YOU!


==
Here are my full but rather simple configs of both machines:
==

1st machine: Yosemite

# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Darwin 14.0.0 x86_64
base_dir = /var/run/dovecot/
default_internal_user = _dovecot
default_login_user = _dovenull
doveadm_password = secret
doveadm_port = 8082
log_path = /usr/local/var/log/doveco
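The post's second question asks how to create a new CA and two host certificates that satisfy doveadm. The script below is an added example, not code from the thread or from Dovecot: it builds a fresh private CA, signs one SHA-256 certificate per replication host with the hostname in a SAN, and then verifies each certificate against the CA the same way the "1st check" above does, but additionally asking `openssl verify` for the sslserver purpose and rejecting MD5/SHA-1 signatures, which recent OpenSSL releases refuse at their default security level. It assumes the openssl CLI is on PATH; the output directory, subject names and hostnames are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from Dovecot: create a fresh private CA
# and one SHA-256 signed certificate per replication host, then verify each
# certificate against the CA as the post does (openssl verify -CAfile), also
# requesting the sslserver purpose and rejecting MD5/SHA-1 signatures.
# Assumes the openssl CLI is on PATH; directory layout and names are constructed.
set -eu

# make_replication_pki OUTDIR HOST...  -> OUTDIR/ca.{key,pem}, OUTDIR/HOST.{key,pem}
make_replication_pki() {
  dir=$1; shift
  mkdir -p "$dir"
  # CA key and self-signed CA certificate with explicit CA extensions
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -new -key "$dir/ca.key" -subj "/CN=dovecotCA-example/O=example" \
    -out "$dir/ca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$dir/ca.ext"
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -sha256 -days 3650 \
    -extfile "$dir/ca.ext" -out "$dir/ca.pem" 2>/dev/null
  for host in "$@"; do
    # per-host key and CSR; the hostname goes into the SAN so name checks succeed,
    # clientAuth is added so the same cert can also be presented by the connecting side
    openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$host.key" -subj "/CN=$host/O=example" \
      -out "$dir/$host.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,clientAuth\n' "$host" \
      > "$dir/$host.ext"
    openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
      -CAcreateserial -sha256 -days 825 -extfile "$dir/$host.ext" \
      -out "$dir/$host.pem" 2>/dev/null
  done
}

# check_cert CAFILE CERT -> 0 verified, 1 chain/purpose failure, 2 weak signature digest
check_cert() {
  openssl verify -CAfile "$1" -purpose sslserver "$2" >/dev/null 2>&1 || return 1
  sigalg=$(openssl x509 -in "$2" -noout -text 2>/dev/null \
    | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
  case "$sigalg" in
    *md5*|*MD5*|*sha1*|*SHA1*) return 2 ;;
  esac
  return 0
}

# Usage: sh make-pki.sh OUTDIR host1 host2 ...
if [ $# -ge 2 ]; then
  outdir=$1
  make_replication_pki "$@"
  shift
  for host in "$@"; do
    if check_cert "$outdir/ca.pem" "$outdir/$host.pem"; then
      echo "$host: certificate verifies against $outdir/ca.pem"
    else
      echo "$host: verification failed (rc=$?)"
    fi
  done
fi
```

Point `ssl_client_ca_file` (or the CA directory) on each side at the generated `ca.pem` and each host's `ssl_cert`/`ssl_key` at its own pair; `check_cert` is the offline equivalent of the `openssl verify` run in the post, and a return code of 2 tells you the chain is fine but the digest is the problem.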

Re: pigeonhole - how to whitelist

2015-01-16 Thread Cliff Hayes

Thanks.
That's exactly what I needed.
However, I have a permission problem.
I added the parameter to 90-sieve.conf and created the directory but now 
I get the following permissions errors in maillog even though I have the 
file and directory wide open with 777 permissions:


Error: yY/0JHtauVQfPgAAU+Cu/Q: sieve: failed to open sieve dir: stat(/var/lib/dovecot/sieve/after.d/) failed: Permission denied (euid=526(cliffhayes) egid=12(mail) missing +x perm: /var/lib/dovecot, euid is not dir owner)



On 1/16/2015 1:33 AM, Steffen Kaiser wrote:


On Thu, 15 Jan 2015, Cliff Hayes wrote:


When new users are added we start them with a spam rule that routes
spam to their junk folder.  I don't see a way to assign priority ...
so how does a user whitelist a spam-flagged email?  Are the rules
applied in some order? Alphabetically perhaps?  If so I can name the
spam rule z-spam.


Rules have exactly one order: the order in which they appear in the Sieve script.

But you certainly mean something different. Maybe a particular Sieve
front-end that assembles the Sieve script?

See http://wiki2.dovecot.org/Pigeonhole/Sieve/Configuration#multiscript

There is one personal script the user may change, and you can define one
or more scripts to be executed before or after the personal script. So,
if this is a Pigeonhole problem, you define the spam processing in
an "after" global script; to let the user whitelist a message, the
personal script must file the message somewhere and stop script
processing. See the paragraph after "sieve_after = ".

-- Steffen Kaiser
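The log line above spells out Dovecot's reasoning: the sieve directory is unreachable because an ancestor directory (/var/lib/dovecot) lacks the +x (search) bit for the effective user and group, and 777 on the leaf does not help. The script below is an added example, not Dovecot's code: it walks every path component from / down to the target directory and applies the same owner/group/other mode-bit logic for a given user and primary group, reporting the first directory that blocks traversal. Only the primary group and plain mode bits are considered (supplementary groups, ACLs and root's override are ignored); the user, group and paths in the usage line are taken from the log line, everything else is constructed.

```shell
#!/bin/sh
# Added example, not Dovecot's code: reproduce the reasoning behind the
# "missing +x perm ... euid is not dir owner" message for a given user, primary
# group and directory, reporting the first path component that blocks the
# traversal. Like the euid/egid pair in the log line, only the owner, the one
# primary group and the "other" mode bits are considered; supplementary groups,
# POSIX ACLs and root's override are ignored. Paths and names are constructed.

# dir_allows USER GROUP DIR -> 0 if USER (primary group GROUP) has +x on DIR
# (also fails when DIR does not exist or cannot be listed)
dir_allows() {
  info=$(ls -ld "$3" 2>/dev/null) || return 1
  set -- "$1" "$2" $info          # now $3=mode $5=owner $6=group (ls -ld layout)
  mode=$3 owner=$5 grp=$6
  # mode string is drwxrwxrwx (plus an optional ACL/SELinux marker); pick the x slot
  if [ "$owner" = "$1" ]; then pos=4
  elif [ "$grp" = "$2" ]; then pos=7
  else pos=10
  fi
  bit=$(printf '%s\n' "$mode" | cut -c"$pos")
  case "$bit" in x|s|t) return 0 ;; esac
  return 1
}

# check_traversal USER GROUP DIR -> 0 if every directory from / down to DIR is
# traversable; otherwise prints the first blocking directory and returns 1
check_traversal() {
  user=$1; group=$2; rest=${3#/}; dir=/
  while :; do
    if ! dir_allows "$user" "$group" "$dir"; then
      echo "missing +x perm: $dir (euid=$user egid=$group)"
      return 1
    fi
    [ -n "$rest" ] || return 0
    # peel off the next path component and descend
    case $rest in
      */*) comp=${rest%%/*}; rest=${rest#*/} ;;
      *)   comp=$rest; rest= ;;
    esac
    if [ -n "$comp" ]; then dir=${dir%/}/$comp; fi
  done
}

# Usage: sh check-traversal.sh USER GROUP DIR
# e.g.   sh check-traversal.sh cliffhayes mail /var/lib/dovecot/sieve/after.d
if [ $# -eq 3 ]; then
  check_traversal "$1" "$2" "$3" && echo "ok: $1 can reach $3"
fi
```

For the error quoted above the fix is the +x bit on the reported ancestor (for example mode 711 on /var/lib/dovecot, which grants search without listing), not wider permissions on after.d itself.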



dsync-remote: Error: Failed to set attribute

2015-01-16 Thread Alexander Moisseev

1. I am looking for a backup solution for mdbox with SIS and experimenting with 
dsync.
I am planning to do it like this:
doveadm backup [deSISing] => transmitting to remote host => dsync-server 
[SISing]

Is there a more convenient method?

2. I have dovecot 2.2.15 on both hosts. The local host is a mail server. 
Dovecot on the remote host is neither running nor configured (I have created an 
empty dovecot.conf in the config dir).

When I tried to back up a mailbox from the local to the remote host with the command

doveadm backup -P -u u...@domain.tld \
ssh -c blowfish -i /tmp/vmail/.ssh/id_dsa vmail@remotehost \
doveadm \
-o mail_location=mdbox:/tmp/vmail/domain.tld/user/mdbox \
-o mail_attachment_dir=/tmp/vmail/attachments \
dsync-server

I got error messages:

dsync-remote(vmail): Error: Mailbox INBOX: Failed to set attribute 
vendor/vendor.dovecot/pvt/server/sieve/files/roundcube: Internal attributes 
cannot be changed directly
dsync-remote(vmail): Error: Mailbox INBOX: Failed to set attribute 
vendor/vendor.dovecot/pvt/server/sieve/files/main: Internal attributes cannot 
be changed directly
dsync-remote(vmail): Error: Mailbox INBOX: Failed to set attribute 
vendor/vendor.dovecot/pvt/server/sieve/files/test: Internal attributes cannot 
be changed directly
dsync-remote(vmail): Error: Mailbox INBOX: Failed to set attribute 
vendor/vendor.dovecot/pvt/server/sieve/default: Internal attributes cannot be 
changed directly

What do those errors mean? Does dsync try to replicate sieve scripts?

--
Alexander


Re: [SERVERBUG] failed to send mail with SA and antispam plugin

2015-01-16 Thread Reindl Harald


On 16.01.2015 at 09:46, ML mail wrote:

Thanks to your help Steffen I was able to find out the issue which was simply 
the size of the Spam mail as you can see here:

spamc[16545]: skipped message, greater than max message size (512000 bytes)

The spam mail was around 900 kbytes as such I have changed the spamc limit to 
1MB. Bastard spammer who abuses this limit by attaching a big image...


that's been common for years now, even back when we used a Barracuda Networks 
device, where you need to add &expert=1 in the extended settings to raise that limit


given that only a small amount makes it to SA here, I increased that to 5 
MB; in the case of large images there is no performance impact, only large 
messages that are mostly plaintext are resource hungry to scan


in fact I have seen such bastards attach 2 MB images to the typical spam 
mail body to bypass scanners





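Both replies above turn on one log line: spamc silently skipping a message that exceeds its size limit, which with `antispam_signature_missing = error` surfaces to the user as "[SERVERBUG] failed to send mail". The script below is an added example, not code from the thread or from SpamAssassin: it scans a mail log for that notice, counts how many messages bypassed scanning and extracts the limit spamc reported, so an operator can see the problem before a user does and decide whether to raise the spamc `-s`/`--max-size` limit. The sample log lines are constructed; the first copies the format quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: scan a mail log for spamc's "skipped
# message" notice so an operator sees how many messages bypassed SpamAssassin
# and which size limit spamc was running with, before deciding to raise it.
# The sample lines are constructed; the first copies the format quoted in the thread.

SAMPLE_LOG='Jan 16 09:40:01 mx spamc[16545]: skipped message, greater than max message size (512000 bytes)
Jan 16 09:40:07 mx dovecot: lda(alice): saved mail to INBOX
Jan 16 09:41:13 mx spamc[16588]: skipped message, greater than max message size (512000 bytes)
Jan 16 09:41:20 mx dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.10'

# spamc_skipped_count < LOG -> number of messages spamc skipped for size
spamc_skipped_count() {
  # grep -c prints 0 and exits 1 when nothing matches; keep the 0 and a clean exit
  grep -c 'spamc\[[0-9]*]: skipped message, greater than max message size' || true
}

# spamc_limit_bytes < LOG -> limit quoted in the first such line, or "unknown"
spamc_limit_bytes() {
  limit=$(sed -n 's/.*greater than max message size (\([0-9]*\) bytes).*/\1/p' | head -n 1)
  printf '%s\n' "${limit:-unknown}"
}

# spamc_report LOGFILE -> "skipped=N limit=L"
spamc_report() {
  n=$(spamc_skipped_count < "$1")
  l=$(spamc_limit_bytes < "$1")
  printf 'skipped=%s limit=%s\n' "$n" "$l"
}

# Usage: sh spamc-skips.sh /var/log/maillog   (no argument: run on the sample)
if [ $# -eq 1 ]; then
  spamc_report "$1"
else
  f=$(mktemp); printf '%s\n' "$SAMPLE_LOG" > "$f"; spamc_report "$f"; rm -f "$f"
fi
```

A non-zero skipped count with `antispam_signature_missing = error` in place means those moves failed for users; after raising the limit the count should drop to zero on the next run.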


Re: [SERVERBUG] failed to send mail with SA and antispam plugin

2015-01-16 Thread ML mail
Thanks to your help Steffen I was able to find out the issue which was simply 
the size of the Spam mail as you can see here:

spamc[16545]: skipped message, greater than max message size (512000 bytes)

The spam mail was around 900 kbytes, so I have changed the spamc limit to 
1MB. Bastard spammer who abuses this limit by attaching a big image...

Regards
ML







On Thursday, January 15, 2015 12:23 PM, ML mail wrote:
Thank you for your helpful hints on debugging this issue. I wanted first to get 
the mail which generates this error but unfortunately the user already deleted 
it as well from his trash. Now I got another hint and it looks like this mail 
had a big attachment to it. Is it possible that spamc generated this error due 
to the size of the mail?

Regards
ML





On Thursday, January 15, 2015 8:29 AM, Steffen Kaiser wrote:

On Thu, 15 Jan 2015, ML mail wrote:

It would be better to have the original question & discussion at the top, 
so one could cut and read nicely,

> On Wednesday, January 14, 2015 9:06 PM, Pascal Volk 
>  wrote:
> On 01/14/2015 03:05 PM, ML mail wrote:
>
>> Hello,
>>
>> I am using the antispam plugin of Dovecot with SpamAssassin and in some 
>> cases when users move back mails from the Spam folder to their INBOX (false 
>> positive) they get the following error message:
>>
>> [SERVERBUG] failed to send mail

> # 2.1.7: /etc/dovecot/dovecot.conf
> # OS: Linux 3.2.0-4-amd64 x86_64 Debian 7.8 ext4

[cut]

> plugin {
> antispam_backend = pipe
> antispam_pipe_program = /usr/bin/spamc
> antispam_pipe_program_args = -d;my-mx-server.domain.com;-u;amavis
> antispam_pipe_program_notspam_args = -L;ham
> antispam_pipe_program_spam_args = -L;spam
> antispam_pipe_tmpdir = /tmp
> antispam_signature = X-Spam-Flag
> antispam_signature_missing = error
> antispam_spam = INBOX.Spam;INBOX.Junk
> antispam_trash = INBOX.trash;trash;INBOX.Trash;Trash;INBOX.Deleted 
> Items;Deleted Items;INBOX.Deleted Messages;Deleted Messages
> antispam_verbose_debug = 1

What does the plugin log?

[cut]
> service quota-warning {
> executable = script /usr/local/bin/quota-warning.sh
> unix_listener quota-warning {
> user = vmail
> }
> user = vmail
> }

You seem to use a virtual user configuration, so the antispam plugin 
executes spamc as user vmail, correct?

What happens if you run the program manually?
sudo -u vmail /usr/bin/spamc -d my-mx-server.domain.com -u amavis -L ham < message

You can also trace the program with a wrapper script. Replace 
antispam_pipe_program with /usr/local/bin/spamc-wrapper

---- BEGIN /usr/local/bin/spamc-wrapper ----
#!/bin/bash

( # when and who
  date; id
  let i=0
  # what
  echo /usr/bin/spamc "$@"
  # see embedded spaces in arguments
  for arg; do
    let i=i+1
    echo "Arg#$i: '$arg'"
  done
  # call original program
  /usr/bin/spamc "$@"
  # log return code / exit code
  rc=$?
  echo rc=$rc
  # Make sure the rc is returned back to caller
  # (exits the subshell; the wrapper's own exit status is the subshell's)
  exit $rc

  # log everything into a file
) >>/tmp/spamc-wrapper.log 2>&1
---- END ----

If you have lots of simultaneous calls, create one log file per call -> 
add .$$ to filename.

-- 
Steffen Kaiser