full text index per user?
Is there any way of disabling the creation of a full text index on a per user basis?
Re: IP drop list
On 01.03.2015 at 23:16, Dave McGuire wrote:
> On 03/01/2015 04:25 AM, Reindl Harald wrote:
>>> I wonder if there is an easy way to provide dovecot a flat text file
>>> of ipv4 #'s which should be ignored or dropped?
>>>
>>> I have accumulated 45,000+ IPs which routinely try dictionary and
>>> 12345678 password attempts. The file is too big to create firewall
>>> drops, and I don't want to compile with wrappers *if* dovecot has an
>>> easy ability to do this.
>>>
>>> If dovecot could parse a flat text file of IPs and drop connections
>>> it would sure put a dent in these attempts.
>>
>> hence i asked month ago for RBL support because such lists are easy
>> to feed into http://www.corpit.ru/mjt/rbldnsd.html - sadly i got no
>> reply than use fail2ban and what not irrelevant if there is already a
>> local dnsbl
>>
>> i guess for a C-programmer it takes not much more than 10 minutes
>> include a config option to list rbl servers and close connections
>> based on the DNS responses
>
> I've been asking for this off-and-on for years, and people immediately
> parrot back just use fail2ban. I think fail2ban is a nice idea and all,
> but that suggestion assumes that I use iptables (I don't), I run
> firewalls on my servers (I don't; I run them on routers) and that I run
> Linux on my mail server (I don't).
>
> The other side of this equation, Postfix, has had this capability for
> years. Why it hasn't been added to dovecot is a mystery. It's the only
> thing (really, the ONLY thing!) that I dislike about dovecot

even if you use Linux, Firewalls and what not

* postfix supports RBL's in several ways on the MTA
* mod_security and so webservers support RBL's
* RBL's are *centralized*
* DNS queries, especially in a LAN, are cheap

everybody answering with fail2ban if someone asks for RBL support has no clue what he is talking about because he did not get the question
Re: IP drop list
> The other side of this equation, Postfix, has had this capability for
> years. Why it hasn't been added to dovecot is a mystery. It's the only
> thing (really, the ONLY thing!) that I dislike about dovecot.

http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/AllowNets

then setup fail2ban to manage extrafields
Re: IP drop list
On March 1, 2015 10:26:40 AM Reindl Harald h.rei...@thelounge.net wrote:
> i guess for a C-programmer it takes not much more than 10 minutes
> include a config option to list rbl servers and close connections
> based on the DNS responses

close pop3, set imap to listen only in lo interface, setup webmail with smtp auth, now then in apache install mod geoip, and only allow countries with users in

is imho the current most simplest, but maybe not the most useful :(
dsync panic
As per http://wiki2.dovecot.org/Migration/Dsync, I'm running the following command on a local dovecot server to replicate email for a single user from a remote IMAP server:

doveadm -D \
  -o imapc_host=remote.imap.server \
  -o imapc_user=gcr \
  -o imapc_password= \
  -o imapc_list_prefix=IMAP \
  -o "imapc_features=rfc822.size fetch-headers" \
  -o mail_prefetch_count=20 \
  -o mail_fsync=never \
  backup -R -u gcr imapc:

This runs fine for a while and successfully copies quite a lot of mail, but always aborts before completion with the following error:

dsync(gcr): Panic: file mail-transaction-log.c: line 271 (mail_transaction_log_rotate): assertion failed: (file-locked)

The exit code is 262. Does anyone know why this might happen or how to fix it?

--
Greg Rivers

# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.6 (3e924b1b6c5c+)
# OS: FreeBSD 10.1-RELEASE-p6 amd64
auth_verbose = yes
imap_id_log = *
imap_id_send = name * version * os * os-version *
mail_location = mdbox:~/.mdbox
mail_plugins = quota zlib
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave duplicate editheader vnd.dovecot.debug imapflags notify vnd.dovecot.duplicate vnd.dovecot.pipe vnd.dovecot.filter vnd.dovecot.execute
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox Sent Messages {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = %s
  driver = pam
}
plugin {
  sieve = file:~/sieve;active=~/.dovecot.sieve
  sieve_execute_bin_dir = /usr/local/etc/dovecot/sieve/execute
  sieve_execute_socket_dir = sieve-execute
  sieve_extensions = +notify +imapflags +editheader +vnd.dovecot.duplicate +vnd.dovecot.pipe +vnd.dovecot.filter +vnd.dovecot.execute +vnd.dovecot.debug
  sieve_filter_bin_dir = /usr/local/etc/dovecot/sieve/filter
  sieve_filter_socket_dir = sieve-filter
  sieve_global = /usr/local/etc/dovecot/sieve
  sieve_max_actions = 0
  sieve_max_redirects = 16
  sieve_max_script_size = 0
  sieve_pipe_bin_dir = /usr/local/etc/dovecot/sieve/pipe
  sieve_pipe_socket_dir = sieve-pipe
  sieve_plugins = sieve_extprograms
}
postmaster_address = postmaster@local.domain
protocols = imap lmtp sieve
quota_full_tempfail = yes
ssl_cert = /etc/ssl/certs/dovecot.pem
ssl_key = /etc/ssl/private/dovecot.pem
userdb {
  driver = passwd
}
verbose_proctitle = yes
protocol lmtp {
  mail_plugins = quota zlib sieve
}
protocol lda {
  mail_plugins = quota zlib sieve
}
protocol imap {
  mail_max_userip_connections = 250
  mail_plugins = quota zlib imap_quota imap_zlib
}
Re: IP drop list
On 03/01/2015 04:25 AM, Reindl Harald wrote:
>> I wonder if there is an easy way to provide dovecot a flat text file
>> of ipv4 #'s which should be ignored or dropped?
>>
>> I have accumulated 45,000+ IPs which routinely try dictionary and
>> 12345678 password attempts. The file is too big to create firewall
>> drops, and I don't want to compile with wrappers *if* dovecot has an
>> easy ability to do this.
>>
>> If dovecot could parse a flat text file of IPs and drop connections
>> it would sure put a dent in these attempts.
>
> hence i asked month ago for RBL support because such lists are easy
> to feed into http://www.corpit.ru/mjt/rbldnsd.html - sadly i got no
> reply than use fail2ban and what not irrelevant if there is already a
> local dnsbl
>
> i guess for a C-programmer it takes not much more than 10 minutes
> include a config option to list rbl servers and close connections
> based on the DNS responses

I've been asking for this off-and-on for years, and people immediately parrot back just use fail2ban. I think fail2ban is a nice idea and all, but that suggestion assumes that I use iptables (I don't), I run firewalls on my servers (I don't; I run them on routers) and that I run Linux on my mail server (I don't).

The other side of this equation, Postfix, has had this capability for years. Why it hasn't been added to dovecot is a mystery. It's the only thing (really, the ONLY thing!) that I dislike about dovecot.

-Dave

--
Dave McGuire, AK4HZ/3
New Kensington, PA
Re: IP drop list
On 02.03.2015 at 00:08, Benny Pedersen wrote:
> On March 1, 2015 10:26:40 AM Reindl Harald h.rei...@thelounge.net wrote:
>> i guess for a C-programmer it takes not much more than 10 minutes
>> include a config option to list rbl servers and close connections
>> based on the DNS responses
>
> close pop3, set imap to listen only in lo interface, setup webmail
> with smtp auth, now then in apache install mod geoip, and only allow
> countries with users in

what a foolish trolling as usual from you
Re: Require certificate for external clients
Hi,

On 28.02.2015 at 00:28, Joseph Tam wrote:
> That should be qualified as Is it possible to have Dovecot imap/pop
> daemons listening on multiple ports for a single running instance.

Yes, exactly.

> You can share libraries, binaries, log files, but use separate
> configuration files, specifying different
> ports/addresses/ssl-configs/auth/access parameters. Then you can fire
> them both up
>
>     dovecot -c /dovecot/etc/dovecot-1.conf
>     dovecot -c /dovecot/etc/dovecot-2.conf

I will have to look into it. I'm afraid that I would have to fiddle around with the default unit files. Also I'm not completely sure how this would work with all of the configuration files that have been split off into small chunks and get included at some point. This is probably going to be messy rather quickly :'(.

Thanks for your suggestion.

Best regards,
Karol Babioch
Re: IP drop list
On 01.03.2015 at 08:53, Jim Pazarena wrote:
> I wonder if there is an easy way to provide dovecot a flat text file
> of ipv4 #'s which should be ignored or dropped?
>
> I have accumulated 45,000+ IPs which routinely try dictionary and
> 12345678 password attempts. The file is too big to create firewall
> drops, and I don't want to compile with wrappers *if* dovecot has an
> easy ability to do this.
>
> If dovecot could parse a flat text file of IPs and drop connections
> it would sure put a dent in these attempts.

hence i asked month ago for RBL support because such lists are easy to feed into http://www.corpit.ru/mjt/rbldnsd.html - sadly i got no reply than use fail2ban and what not irrelevant if there is already a local dnsbl

i guess for a C-programmer it takes not much more than 10 minutes include a config option to list rbl servers and close connections based on the DNS responses
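
The lookup convention behind the RBL request above, as an added example that is not part of the thread: a DNSBL (for instance a local rbldnsd zone) is queried by reversing the IPv4 octets and appending the zone name, and by convention a listing is answered with an A record in 127.0.0.0/8. The zone name drop.dnsbl.example and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from dovecot.
# Zone name and function names are assumptions.

# dnsbl_qname IPV4 ZONE
# Prints the DNS name to query: octets reversed, zone appended.
# Returns 1 for anything that is not a plain dotted quad.
dnsbl_qname() {
    ip=$1 zone=$2
    case $ip in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $ip              # split on dots; $ip holds only digits and dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    printf '%s.%s.%s.%s.%s\n' "$4" "$3" "$2" "$1" "$zone"
}

# dnsbl_verdict "ANSWERS"
# ANSWERS is the whitespace-separated resolver output for the A query.
#   empty                -> clean   (NXDOMAIN: address not listed)
#   only 127.x.x.x       -> listed
#   anything else        -> error   (timeout text, wildcard or rewritten
#                                    DNS; the caller decides whether to
#                                    fail open or closed)
dnsbl_verdict() {
    [ -n "$1" ] || { echo clean; return 0; }
    for answer in $1; do
        case $answer in
            127.*) ;;
            *) echo error; return 0 ;;
        esac
    done
    echo listed
}

# dnsbl_check IPV4 ZONE
# Performs the real lookup with dig; needs a resolver that can reach ZONE.
dnsbl_check() {
    name=$(dnsbl_qname "$1" "$2") || { echo error; return 0; }
    dnsbl_verdict "$(dig +short A "$name" 2>/dev/null)"
}

# Constructed demonstration (documentation addresses, no DNS traffic):
dnsbl_qname 192.0.2.10 drop.dnsbl.example   # name that would be queried
dnsbl_verdict "127.0.0.2"                   # a listing answer
dnsbl_verdict ""                            # no answer
```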
Re: IP drop list
fail2ban dynamically blocks addresses for a period of time. It has a module for dovecot.

> I wonder if there is an easy way to provide dovecot a flat text file
> of ipv4 #'s which should be ignored or dropped?
>
> I have accumulated 45,000+ IPs which routinely try dictionary and
> 12345678 password attempts. The file is too big to create firewall
> drops, and I don't want to compile with wrappers *if* dovecot has an
> easy ability to do this.
>
> If dovecot could parse a flat text file of IPs and drop connections
> it would sure put a dent in these attempts.
Re: IP drop list
On 01.03.2015 at 08:53, Jim Pazarena wrote:
> I have accumulated 45,000+ IPs which routinely try dictionary and
> 12345678 password attempts. The file is too big to create firewall
> drops, and I don't want to compile with wrappers *if* dovecot has an

Have you ever tried using IP sets on Linux?
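
An added example (not part of any message in this thread) of the IP-set approach suggested above: it turns a flat text file of IPv4 addresses into input for `ipset restore`, so that a single firewall rule matches the whole list. The set name dovecot_drop, the file name bad_ips.txt and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Names are assumptions.
#
# Typical use on the mail host (as root):
#   gen_ipset_restore dovecot_drop < bad_ips.txt | ipset -exist restore
#   iptables -I INPUT -p tcp -m multiport --dports 110,143,993,995 \
#       -m set --match-set dovecot_drop src -j DROP

# gen_ipset_restore SETNAME < flat_file
# Reads one address per line. Blank lines and "#" comments are ignored,
# malformed entries are skipped (count reported on stderr), duplicates
# are dropped. maxelem starts at the hash:ip default of 65536, which
# already holds a 45,000-entry list, and doubles for larger files.
gen_ipset_restore() {
    awk -v name="$1" '
        # Dotted quad, four decimal octets 0-255, no leading zeros.
        function valid(ip,    n, o, i) {
            n = split(ip, o, ".")
            if (n != 4) return 0
            for (i = 1; i <= 4; i++) {
                if (o[i] !~ /^[0-9]+$/ || length(o[i]) > 3) return 0
                if (o[i] + 0 > 255) return 0
                if (length(o[i]) > 1 && substr(o[i], 1, 1) == "0") return 0
            }
            return 1
        }
        {
            sub(/#.*/, "")                  # strip comments
            gsub(/^[ \t]+|[ \t\r]+$/, "")   # trim blanks and CR
            if ($0 == "") next
            if (!valid($0)) { bad++; next }
            if (!seen[$0]++) addrs[++count] = $0
        }
        END {
            max = 65536
            while (max < count) max *= 2
            printf "create %s hash:ip family inet maxelem %d\n", name, max
            for (i = 1; i <= count; i++) printf "add %s %s\n", name, addrs[i]
            if (bad) printf "skipped %d malformed line(s)\n", bad | "cat 1>&2"
        }'
}

# Constructed sample list (documentation addresses, not data from the thread).
sample_list() {
    cat <<'EOF'
# dictionary attackers
192.0.2.10
198.51.100.7   # seen 2015-03-01
192.0.2.10
300.1.1.1
203.0.113.5
EOF
}

sample_list | gen_ipset_restore dovecot_drop
```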
Re: Require certificate for external clients
Karol Babioch ka...@babioch.de writes:

>> You can share libraries, binaries, log files, but use separate
>> configuration files, specifying different
>> ports/addresses/ssl-configs/auth/access parameters. Then you can fire
>> them both up
>>
>>     dovecot -c /dovecot/etc/dovecot-1.conf
>>     dovecot -c /dovecot/etc/dovecot-2.conf
>
> I will have to look into it. I'm afraid that I would have to fiddle
> around with the default unit files.

What are unit files?

> Also I'm not completely sure how this would work with all of the
> configuration files that have been split off into small chunks and get
> included at some point. This is probably going to be messy rather
> quickly :'(.

I don't see why it would be messy. If the conf.d/* are the same, you can use the same config directory. If they differ, you can copy those files to another config directory (e.g. conf-d/* - conf-2.d/), modify the snippets that differ, then include this alternate set of configurations

    !include conf-2.d/*

> Thanks for your suggestion.

You're welcome.

Joseph Tam jtam.h...@gmail.com
Connect failed to database
I have dovecot version 2.2.10

dovecot -n output below

I am seeing connection errors being written to my dovecot error log:

Mar 1 19:51:15 mail dovecot: auth-worker(2224): Error: mysql(localhost): Connect failed to database (servermail): Access denied for user 'usermail'@'localhost' (using password: YES) - waiting for 5 seconds before retry

My connection script located at /etc/dovecot/dovecot-sql.conf.ext is like (password edited):

driver = mysql
connect = host=localhost dbname=servermail user='usermail' password='MY_SUPER_SECRET_PASSWORD'
default_pass_scheme = SHA512-CRYPT
password_query = SELECT email as user, password FROM virtual_users WHERE email='%u';

I have verified that I can gain access to the SQL database with

# mysql -u usermail -p

I can make select statements on the 'servermail' database and all of its tables.

I've searched for similar errors from users, but most of the questions are unanswered, or answered incorrectly. I did follow one thread's suggestion of setting the MYSQL password for the 'usermail' with OLD_PASSWORD instead of PASSWORD. I did that. I could still login from the shell using mysql -u usermail -p

But dovecot still wrote the same error. (I did a flush privileges, and restarted mysql, and dovecot)

I then set the password in SQL back using PASSWORD. (flushed privileges and restarted mysql and dovecot). Still Errors.

Looking for leads.

Thanks,

Dan LaSota
Instructional Designer, UAF eLearning
(907) 451-4067
dan.las...@alaska.edu
http://elearning.uaf.edu

dovecot -n

# 2.2.10: /etc/dovecot/dovecot.conf
# OS: Linux 3.10.0-123.20.1.el7.x86_64 x86_64 CentOS Linux release 7.0.1406 (Core) xfs
auth_debug = yes
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = plain
mail_debug = yes
mail_location = maildir:/var/mail/vhosts/%d/%n
mail_privileged_group = mail
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox Sent Messages {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
protocols = imap lmtp
service auth-worker {
  user = vmail
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
  }
  user = dovecot
}
service imap-login {
  inet_listener imap {
    port = 0
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
ssl = required
ssl_cert = /etc/ssl/certs/dovecot.pem
ssl_key = /etc/ssl/private/dovecot.pem
userdb {
  args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
  driver = static
}
verbose_ssl = yes
Re: userdb passwd-file default_fields uid not expanding %variable
On Fri, 27 Feb 2015, Tim Jones wrote:
> userdb {
>   args = username_format=%n /home/%d/mail_users
>   default_fields = uid=%d gid=%d home=/home/%d/mail/%n mail=maildir:/home/%d/mail/%n
>   driver = passwd-file
> }
>
> Every time I try to authenticate via imap, I get the error
>
> timestamp host dovecot: auth: Fatal: passwd-file userdb: Invalid uid: %d

Putting aside the question, whether or not %d is/should be expanded in

default_fields = uid=%d gid=%d

couldn't or shouldn't you place the correct numerical ids in the file anyway?

> If I put fixed a uid and gid in the userdb default_fields line:
>
> default_fields = uid=example.com gid=example.com home=/home/%d/mail/%n mail=maildir:/home/%d/mail/%n
>
> authentication passes without a problem, but of course, only for users
> of example.com.

--
Steffen Kaiser
Re: IP drop list
On 01.03.2015 at 23:16, Dave McGuire wrote:
> On 03/01/2015 04:25 AM, Reindl Harald wrote:
>>> I wonder if there is an easy way to provide dovecot a flat text file
>>> of ipv4 #'s which should be ignored or dropped?
>>>
>>> I have accumulated 45,000+ IPs which routinely try dictionary and
>>> 12345678 password attempts. The file is too big to create firewall
>>> drops, and I don't want to compile with wrappers *if* dovecot has an
>>> easy ability to do this.
>>>
>>> If dovecot could parse a flat text file of IPs and drop connections
>>> it would sure put a dent in these attempts.
>>
>> hence i asked month ago for RBL support because such lists are easy
>> to feed into http://www.corpit.ru/mjt/rbldnsd.html - sadly i got no
>> reply than use fail2ban and what not irrelevant if there is already a
>> local dnsbl
>>
>> i guess for a C-programmer it takes not much more than 10 minutes
>> include a config option to list rbl servers and close connections
>> based on the DNS responses
>
> I've been asking for this off-and-on for years, and people immediately
> parrot back just use fail2ban. I think fail2ban is a nice idea and all,
> but that suggestion assumes that I use iptables (I don't), I run
> firewalls on my servers (I don't; I run them on routers) and that I run
> Linux on my mail server (I don't).
>
> The other side of this equation, Postfix, has had this capability for
> years. Why it hasn't been added to dovecot is a mystery. It's the only
> thing (really, the ONLY thing!) that I dislike about dovecot.

Guys, dovecot is open source - if you desire a feature that the upstream programmer did not include, pay him a bounty to do so or send him a patch to be included. Period. We can discuss and maybe somebody will fork if he is not willing to accept such a solution for any political reason. I am really tired of reading this kind of complaints on OSS lists.

To make this not a troll only posting - it might be a suitable approach to let dovecot listen on the lo interface and put a proxy software in front, that supports RBLs.

Oliver

--
Protect your environment - close windows and adopt a penguin!
Re: Connect failed to database
On 02.03.2015 at 06:03, Dan LaSota wrote:
> I have dovecot version 2.2.10
>
> dovecot -n output below
>
> I am seeing connection errors being written to my dovecot error log:
>
> Mar 1 19:51:15 mail dovecot: auth-worker(2224): Error: mysql(localhost): Connect failed to database (servermail): Access denied for user 'usermail'@'localhost' (using password: YES) - waiting for 5 seconds before retry

Just some quick ideas

* check if the mysql socket file has rw permissions for the dovecot user
* Try to run the mysql query as user dovecot (su dovecot)
* Try to set the local ip instead of localhost (mysql makes a difference in the ACL checks if you come from localhost)

Oliver

--
Protect your environment - close windows and adopt a penguin!
Re: Require certificate for external clients
On Fri, 27 Feb 2015, Karol Babioch wrote:
> I'm currently looking into ways of making use of client certificates.
> I want to force external clients (i.e. anything outside the local
> subnet) to use client certificates. It is my understanding that this
> in itself can be achieved with the ssl_require_client_cert setting.
> However, I also want local clients (i.e. anything from a specific
> subnet) to be able to authenticate by the usual means (i.e.
> password-based).

There are local and remote IP blocks in Dovecot, however, I cannot find the Wiki page it is documented on. But see: http://wiki2.dovecot.org/SSL/DovecotConfiguration

local means to match the local IP of the connection, remote matches the remote end, aka client IP address.

You could try to use ssl_require_client_cert as default and add a remote { } block, in which you disable that feature.

--
Steffen Kaiser
Re: Connect failed to database
On Mon, 2 Mar 2015, Oliver Welter wrote:
> On 02.03.2015 at 06:03, Dan LaSota wrote:
>> I have dovecot version 2.2.10
>>
>> dovecot -n output below
>>
>> I am seeing connection errors being written to my dovecot error log:
>>
>> Mar 1 19:51:15 mail dovecot: auth-worker(2224): Error: mysql(localhost): Connect failed to database (servermail): Access denied for user 'usermail'@'localhost' (using password: YES) - waiting for 5 seconds before retry
>
> Just some quick ideas
>
> * check if the mysql socket file has rw permissions for the dovecot user
> * Try to run the mysql query as user dovecot (su dovecot)
> * Try to set the local ip instead of localhost (mysql makes a
>   difference in the ACL checks if you come from localhost)

(Y)

in addition:

* Did mysql log something useful?

--
Steffen Kaiser