Messages lost from imap folders

2015-09-16 Thread Nikolaos Milas

Hello,

We have one user who is complaining that he has lost mails from 3 imap 
folders, administered through squirrelmail.


The folders suddenly appeared unregistered, and once manually registered 
they were empty.


Has anyone observed something like this?

We are running two servers (as VMs) with Dovecot v2.2.18, synced 
(two-way) using dsync. The configurations follow.


Can you please help me understand what may have gone wrong?

Can I try to find actions regarding these folders in the logs? What 
should I search for?


Could this be an issue involving dsync? How can I trace back dsync 
activity in detail?


Server configs follow (I have only altered the real domain name and the 
login greeting.)


Thanks in advance,
Nick

-
SERVER 1
-

protocols = imap pop3

login_greeting = Hello World!

mail_location = maildir:~/Maildir/
mail_gid = 500
mail_uid = 500

auth_mechanisms = plain login
auth_username_format = %Lu

auth_verbose = yes
auth_debug = no
mail_debug = no

disable_plaintext_auth = no

mail_plugins = quota notify replication

protocol imap {
  imap_client_workarounds = "delay-newmail"
  mail_plugins = quota imap_quota notify replication
}

protocol pop3 {
  mail_max_userip_connections = 3
  mail_plugins = quota notify replication
  pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
  pop3_uidl_format = %08Xu%08Xv
}

protocol lda {
  auth_socket_path = /var/run/dovecot/auth-master
  info_log_path =
  log_path =
  mail_plugins = quota notify replication
  postmaster_address = sysad...@example.com
  sendmail_path = /usr/lib/sendmail
}

userdb {
  args = /etc/dovecot/dovecot-usrdb-ldap.conf
  driver = ldap
}

passdb {
  args = /etc/dovecot/dovecot-passdb-ldap.conf
  driver = ldap
}

dsync_remote_cmd = ssh -l root vmail1.example.com doveadm dsync-server -u%u
replication_dsync_parameters = -d -N -l 30 -U

plugin {
  mail_replica = remote:vm...@vmail1.example.com
}

plugin {
  quota = maildir:User quota
  quota_rule = *:storage=5G
  quota_rule2 = Trash:storage=+3%%
  quota_warning = storage=75%% quota-warning 75 %u
  quota_warning2 = storage=90%% quota-warning 90 %u
}

service quota-warning {
  executable = script /opt/mail1.sh
  user = vmail
  unix_listener quota-warning {
    user = vmail
  }
}

service aggregator {
  fifo_listener replication-notify-fifo {
    user = vmail
  }
  unix_listener replication-notify {
    user = vmail
  }
}

service replicator {
  unix_listener replicator-doveadm {
    mode = 0600
  }
}

service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  unix_listener auth-master {
    group = vmail
    mode = 0660
    user = vmail
  }
  user = root
}

service imap-login {
  service_count = 1
  vsz_limit = 64 M
}

service pop3-login {
  service_count = 1
  vsz_limit = 64 M
}

service replicator {
  process_min_avail = 1
}

service imap {
  executable = imap postlogin
}
service pop3 {
  executable = pop3 postlogin
}

service postlogin {
  executable = script-login -d rawlog
  unix_listener postlogin {
  }
}

ssl_ca = 

Re: My dovecot works fine against Active Directory 2003, but not against AD2008

2015-09-16 Thread Shawn Heisey
On 9/12/2015 12:31 AM, Mark Foley wrote:
> Hmmm, I've not heard of "Active Directory 2003" or 2008.  The year numbers
> indicated to me you might be talking about Windows Small Business Server 2003 or
> 2008.  Is your AD Server Windows? Linux? Something else? I'm using Samba4 AD/DC
> on Linux.

The OP probably is referring to AD functional levels:

https://technet.microsoft.com/en-us/library/cc787290%28v=ws.10%29.aspx

Thanks,
Shawn


New created users can not log in

2015-09-16 Thread Ferdinand Gruber

Hi,

I have been using dovecot 2.2 for some time. All users on the system can log in 
using Horde Webmail.


But now, after creating a new user on the server with username> this new user is not able to log in. Of course I have set a 
password for the new user.


In the log file I can see:
Sep 16 23:04:05 servername auth: gkr-pam: error looking up user information
Sep 16 23:04:07 servername HORDE: [imp] [login] Authentication failed. [pid 1584 on line 730 of "/srv/www/htdocs/horde/imp/lib/Imap.php"]
Sep 16 23:04:07 servername HORDE: [imp] FAILED LOGIN for calendar (93.82.157.132) to {imap://localhost/} [pid 1584 on line 157 of "/srv/www/htdocs/horde/imp/lib/Auth.php"]
Sep 16 23:04:07 servername HORDE: [horde] FAILED LOGIN for calendar to horde (93.82.157.132) [pid 1584 on line 199 of "/srv/www/htdocs/horde/login.php"]


Please give me a hint.

--
Ferdinand


Re: How to "Windows Authenticate"

2015-09-16 Thread Mark Foley
Love your "ASCII Ribbon Campaign" signature! I still use mailx myself.

I'll have to check out that "access denied" message for the email to
mfo...@ohprs.org. I haven't seen that before. FreeBSD.org is not blocked in my
access.db. Hmmm ...

Anyway, yes, I've been through those instructions over and over and they
certainly do "suggest" it should work, but I haven't yet found anyone that has
actually got it working. I assume you have not either, right?

The platform these instructions are targeted to is not quite my setup as the
Dovecot host is also the AD/DC using Samba4, so the DC/join instructions don't
apply, nor does the Kerberos: "Please note that you do not need to install or
configure any other Kerberos KDC for Samba to work.  Samba includes a
AD-compatible KDC, currently based on an included copy of the Heimdal project."

https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Testing_Kerberos

Also, the instruction in the link you reference must be a bit out of date
because the suggested userdb:

userdb static {
   args= uid=501 gid=501 home=/home/vmail/%1Ln/%Ln
   mail=maildir:/home/vmail/%d/%1Ln/%Ln:INBOX=/home/vmail/%d/%1Ln/%Ln
   allow_all_users=yes
}

gives an error with my dovecot 2.2.15. The word "static" has to go inside the
curly-braces as "driver static" and the "allow_all_users" has to be added to the
'args' string. Otherwise, Dovecot won't run the config as shown in the link.

Otherwise and with the above changes to the userdb, I believe I've followed all
applicable instructions in that link.  The error I get with my config in the
Dovecot log is:

Sep 13 00:53:12 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Sep 13 00:53:12 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, session=<2PnkuZkfqADAqAA6>

Any idea what would generate this message?

--Mark

-Original Message-
> Subject: Re: How to "Windows Authenticate"
> From: Remko Lodder 
> Date: Wed, 16 Sep 2015 19:38:08 +0200
> To: Mark Foley 
> Cc: dovecot@dovecot.org
>
> > On 16 Sep 2015, at 19:10, Mark Foley  wrote:
> > 
> > Does the Dovecot NTLM mechanism work with MS Outlook?
> > 
> > [ ] YES
> > [ ] NO
> > 
> > Please check one ... anybody.
> > 
> > --Mark
>
>
>
> The URL on the wiki, which had probably been shared before with you;
>
> http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm
>
> suggests it does.
>
> The URL quotes:
>
> Step 5. Passwordless authentication
>
> If you have logged on from Windows to the AD domain, try leaving the password 
> field, on the account, on the MUA, blank. The username / password, from the 
> initial logon to the Windows machine, are seamlessly picked up and supplied 
> to the challenge-response process between the MUA, Dovecot and AD. Employing 
> this way of authentication  we achieve single sign-on and we don't need to 
> maintain MUA local passwords.
>
> Did you follow the suggestions that are on that page? (all of them).
>
> Thank you,
> Remko
>
> --
> /"\   Best regards,  | re...@freebsd.org
> \ /   Remko Lodder   | remko@EFnet
>  X    http://www.evilcoder.org/  |
> / \   ASCII Ribbon Campaign  | Against HTML Mail and News
>


Re: restrict map-login by geoip?

2015-09-16 Thread Edgar Pettijohn

I don't know if dovecot does, but your firewall should be able to.

On 09/16/2015 07:32 PM, Terry Barnum wrote:

> Is there a way to restrict my user logins from a set of IPs? For example, all 
> my users are in the US so there shouldn't be any logins from other countries. 
> Can I tell dovecot to restrict logins to a CIDR list of US IPs? Can someone 
> point me to docs on how to set this up? I've searched but haven't found how to 
> accomplish this.
>
> Thanks,
> -Terry
>
> Terry Barnum
> digital OutPost
> http://www.dop.com


restrict map-login by geoip?

2015-09-16 Thread Terry Barnum
Is there a way to restrict my user logins from a set of IPs? For example, all 
my users are in the US so there shouldn't be any logins from other countries. 
Can I tell dovecot to restrict logins to a CIDR list of US IPs? Can someone 
point me to docs on how to set this up? I've searched but haven't found how to 
accomplish this.

Thanks,
-Terry

Terry Barnum
digital OutPost
http://www.dop.com


Re: restrict map-login by geoip?

2015-09-16 Thread Benny Pedersen

Terry Barnum wrote on 2015-09-17 02:32:

> I've searched but haven't found how to accomplish this.


http://wiki2.dovecot.org/Authentication/RestrictAccess
http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/AllowNets

took me 3 sec :=)


Re: restrict map-login by geoip?

2015-09-16 Thread Terry Barnum
Thanks Benny. I should've said I saw AllowNets but in researching it looked 
like it expected a smaller comma separated list, not hundreds of IP blocks. Is 
that what you are using to accomplish this?

Thanks,
-Terry

iPhone says Hello World!

> On Sep 16, 2015, at 6:31 PM, Benny Pedersen  wrote:
> 
> Terry Barnum wrote on 2015-09-17 02:32:
> 
>> I've searched but haven't found how to accomplish this.
> 
> http://wiki2.dovecot.org/Authentication/RestrictAccess
> http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/AllowNets
> 
> took me 3 sec :=)
> 


Re: restrict map-login by geoip?

2015-09-16 Thread Benny Pedersen

Terry Barnum wrote on 2015-09-17 03:56:

> Thanks Benny. I should've said I saw AllowNets but in researching it
> looked like it expected a smaller comma separated list, not hundreds
> of IP blocks. Is that what you are using to accomplish this?


I did not write the wiki or the dovecot C code. You asked whether dovecot 
could do it, I searched out the links for you, but I admit I do not understand 
the wiki myself here :(


but basically

127.0.0.0/8 is one CIDR range with many IPs
127.0.0.2/32 is a single-IP CIDR range

for IPv6 it's possible as well, but I don't know how to
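
Added example, not part of the thread: a Python sketch of preparing a long GeoIP-style block list for the comma-separated `allow_nets` field discussed above, by merging adjacent and nested CIDR ranges (IPv4 and IPv6) into the shortest equivalent list and checking a client address against it. Apart from the two 127.x ranges taken from the post, the sample blocks are constructed from documentation ranges, and the function names are hypothetical.

```python
import ipaddress

# Two ranges from the post plus constructed documentation ranges (not real GeoIP data).
SAMPLE_BLOCKS = """
127.0.0.0/8          # from the post: one range, many addresses
127.0.0.2/32         # from the post: single address, already inside the /8
192.0.2.0/25         # constructed: two adjacent halves of one /24
192.0.2.128/25
198.51.100.0/24      # constructed: a /24 and a /26 nested inside it
198.51.100.64/26
203.0.113.7          # constructed: bare address, treated as /32
2001:db8::/33        # constructed: two adjacent IPv6 halves of one /32
2001:db8:8000::/33
"""

def parse_blocks(text):
    """Parse one CIDR block or bare IP per line; '#' starts a comment."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def collapse(nets):
    """Merge adjacent and nested ranges. IPv4 and IPv6 must be collapsed
    separately because collapse_addresses() rejects mixed versions."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return (list(ipaddress.collapse_addresses(v4))
            + list(ipaddress.collapse_addresses(v6)))

def allow_nets_value(nets):
    """Comma-separated list in the form the allow_nets field takes."""
    return ",".join(str(n) for n in collapse(nets))

def is_allowed(ip, nets):
    """True if the client address falls inside any listed range."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == n.version and addr in n for n in nets)

if __name__ == "__main__":
    blocks = parse_blocks(SAMPLE_BLOCKS)
    print(len(blocks), "blocks ->", len(collapse(blocks)), "after merging")
    print("allow_nets=" + allow_nets_value(blocks))
    for ip in ("127.0.0.2", "198.51.100.70", "198.51.101.1", "2001:db8:ffff::1"):
        print(ip, "allowed" if is_allowed(ip, blocks) else "denied")
```
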


Re: How to "Windows Authenticate"

2015-09-16 Thread Mark Foley
Does the Dovecot NTLM mechanism work with MS Outlook?

[ ] YES
[ ] NO

Please check one ... anybody.

--Mark

-Original Message-
From: Mark Foley 
Date: Sun, 13 Sep 2015 01:10:57 -0400
To: dovecot@dovecot.org
Subject: Re: How to "Windows Authenticate"

I am running Dovecot 2.2.15 on Linux Slackware 14.1 and Samba 4.1.17 as the
Active Directory/Domain Controller on the same host as Dovecot.
Sendmail/procmail delivers mail to users' $HOME/Maildir. MS Outlook/IMAP is the
client MTU used to connect with Dovecot to read mail on the Users' WIN7
workstations.

I believe I have confirmed that MS Outlook will either ...

1) send the userid and password configured in the Outlook settings to Dovecot
for authorizing. This mechanism has been working fine for months.

or ...

2) Use NTLM authorization if "Require login using Secure Password Authentication
(SPA)" is checked: https://en.wikipedia.org/wiki/Secure_Password_Authentication

Those, I believe, are the only two choices with Outlook (other than Exchange). 
Therefore, in order not to configure a Domain-distinct password in Outlook, I
need to use the NTLM auth_mechanism for AD "Windows Authentication" with
Dovecot.  I've tried the settings below (just trying one user at the moment):

$ doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain ntlm
auth_use_winbind = yes
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
protocols = imap
ssl_cert = , rip=192.168.0.58, 
lip=98.102.63.107, session=<2PnkuZkfqADAqAA6>

Can someone tell me what this means and how to fix it?

Note that I have read http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm over and
over, so simply referring me to that link will not help.

Thanks, Mark


Re: How to "Windows Authenticate"

2015-09-16 Thread Remko Lodder


> On 16 Sep 2015, at 19:10, Mark Foley  wrote:
> 
> Does the Dovecot NTLM mechanism work with MS Outlook?
> 
> [ ] YES
> [ ] NO
> 
> Please check one ... anybody.
> 
> —Mark



The URL on the wiki, which had probably been shared before with you;

http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm

suggests it does.

The URL quotes:

Step 5. Passwordless authentication

If you have logged on from Windows to the AD domain, try leaving the password 
field, on the account, on the MUA, blank. The username / password, from the 
initial logon to the Windows machine, are seamlessly picked up and supplied to 
the challenge-response process between the MUA, Dovecot and AD. Employing this 
way of authentication  we achieve single sign-on and we don't need to maintain 
MUA local passwords.

Did you follow the suggestions that are on that page? (all of them).

Thank you,
Remko

--
/"\   Best regards,  | re...@freebsd.org
\ /   Remko Lodder   | remko@EFnet
 X    http://www.evilcoder.org/  |
/ \   ASCII Ribbon Campaign  | Against HTML Mail and News





Re: How to "Windows Authenticate"

2015-09-16 Thread Remko Lodder

> On 16 Sep 2015, at 19:10, Mark Foley  wrote:
> 
> Does the Dovecot NTLM mechanism work with MS Outlook?
> 
> [ ] YES
> [ ] NO
> 
> Please check one ... anybody.
> 
> --Mark
> 
> 

[checking not suited for work]:

: host mail.ohprs.org[98.102.63.107] said: 550 5.7.1 Access
   denied (in reply to MAIL FROM command)

You are welcome :-p


--
/"\   Best regards,  | re...@freebsd.org
\ /   Remko Lodder   | remko@EFnet
 X    http://www.evilcoder.org/  |
/ \   ASCII Ribbon Campaign  | Against HTML Mail and News


