Re: Dovecot proxy ignores trusted root certificate store

2015-09-20 Thread Mihai Badici
On Monday 21 September 2015 01:53:53 Alex Bulan wrote:
> Dovecot v2.2.18
> OS: FreeBSD 10.1/amd64
> 
> Dovecot in proxy mode ignores the root certificate store and can't verify
> the backend's SSL certificate.
> 
> I've pointed ssl_client_ca_file to my root certificate store, but I
> suspect ssl_client_ca_file is only used in imapc context.  It seems to be
> ignored in proxy context.
> 
> doveconf -n ssl_client_ca_file:
> ssl_client_ca_file = /usr/local/share/certs/ca-root-nss.crt

I think the correct syntax is:

ssl_ca = < /etc/ssl/certs/cacert.pem

For all kinds of ssl_xyz files.




Mihai Badici[1]

[1] http://mihai.badici.ro


Dovecot proxy ignores trusted root certificate store

2015-09-20 Thread Alex Bulan

Dovecot v2.2.18
OS: FreeBSD 10.1/amd64

Dovecot in proxy mode ignores the root certificate store and can't verify 
the backend's SSL certificate.


I've pointed ssl_client_ca_file to my root certificate store, but I 
suspect ssl_client_ca_file is only used in imapc context.  It seems to be 
ignored in proxy context.


doveconf -n ssl_client_ca_file:
ssl_client_ca_file = /usr/local/share/certs/ca-root-nss.crt

In my password_query I return host set to the backend's IP address, 
starttls='yes', proxy='y'.


The backend's certificate chain is correct and it verifies successfully 
with "openssl s_client -connect x.x.x.x:110 -starttls pop3 -CAfile 
/usr/local/share/certs/ca-root-nss.crt".


But the Dovecot proxy fails to verify the intermediate certificate it 
receives from the backend.  The inode atime of ca-root-nss.crt is never 
updated, either at Dovecot start or when it connects to the backend, so 
Dovecot (via the openssl library) never reads the file.


Sep 20 19:59:48 dovecot: pop3-login: Invalid certificate: unable to get 
local issuer certificate: /C=US/O=GeoTrust Inc./OU=Domain Validated 
SSL/CN=GeoTrust DV SSL CA - G4
Sep 20 19:59:48 dovecot: pop3-login: Invalid certificate: certificate not 
trusted: /C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL 
CA - G4
Sep 20 19:59:48 dovecot: pop3-login: Error: proxy: Received invalid SSL 
certificate from x.x.x.x:110: unable to get local issuer certificate: 
/C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA - G4: 
user=, method=PLAIN, rip=x.x.x.x, lip=x.x.x.x, 
session=
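The following is an added example, not part of the thread: a small Python parser that picks the "Received invalid SSL certificate" proxy errors out of Dovecot login logs, as in the lines above, and groups them per backend and OpenSSL verify reason so a CA store that is not being loaded shows up at a glance. The sample log, addresses and user names are constructed; the reason hints are my own interpretations of the OpenSSL verify-error strings, not Dovecot text.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the pop3-login lines quoted above; addresses and
# users are made up (the post itself shows them as x.x.x.x and blank).
SAMPLE_LOG = """\
Sep 20 19:59:48 dovecot: pop3-login: Invalid certificate: unable to get local issuer certificate: /C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA - G4
Sep 20 19:59:48 dovecot: pop3-login: Invalid certificate: certificate not trusted: /C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA - G4
Sep 20 19:59:48 dovecot: pop3-login: Error: proxy: Received invalid SSL certificate from 192.0.2.10:110: unable to get local issuer certificate: /C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA - G4: user=<alice>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.5, session=<s1>
Sep 20 20:01:02 dovecot: imap-login: Error: proxy: Received invalid SSL certificate from 192.0.2.11:143: certificate has expired: /CN=mail.example.net: user=<bob>, method=PLAIN, rip=198.51.100.8, lip=203.0.113.5, session=<s2>
Sep 20 20:01:05 dovecot: imap-login: Info: Login: user=<carol>, method=PLAIN, rip=198.51.100.9, lip=203.0.113.5, mpid=4242, TLS, session=<s3>
"""

PROXY_CERT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?P<service>\w+-login): Error: proxy: "
    r"Received invalid SSL certificate from (?P<backend>[^:]+:\d+): "
    r"(?P<reason>[^:]+): (?P<subject>/.*?): user=<(?P<user>[^>]*)>"
)

# OpenSSL verify-error strings the proxy passes through, and what each usually means for
# the operator (assumed interpretations, not Dovecot's own text).
REASON_HINTS = {
    "unable to get local issuer certificate":
        "issuer of the presented chain is not in the proxy's CA store (CA file not loaded?)",
    "certificate not trusted": "chain could not be anchored at a trusted root in the proxy's CA store",
    "certificate has expired": "backend certificate has expired; renew it",
}

def parse_proxy_cert_errors(log_text):
    """One dict per 'Received invalid SSL certificate' proxy error; other lines are ignored."""
    return [m.groupdict() for m in map(PROXY_CERT_RE.match, log_text.splitlines()) if m]

def summarize(events):
    """Count failures per (backend, reason) so a misconfigured proxy or backend stands out."""
    return Counter((e["backend"], e["reason"]) for e in events)

def report(log_text):
    events = parse_proxy_cert_errors(log_text)
    return [(backend, reason, count, REASON_HINTS.get(reason, "see the OpenSSL verify error list"))
            for (backend, reason), count in sorted(summarize(events).items())]
```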


Re: [Dovecot] Pigeonhole sieve re-filter extension?

2015-09-20 Thread T.B.

Hi Stephan Bosch,
any update on this?

Regards,

T.B.


On 08.05.2014 at 14:37, Stephan Bosch wrote:

T.B. wrote on 7-5-2014 10:40:

I think it would not be a problem to develop a solution to remotely
trigger re-filtering for me, myself and I. But that is not the point
here. Clients like the Thunderbird Sieve Extension
(https://github.com/thsmi/sieve,
https://addons.mozilla.org/de/thunderbird/addon/sieve/) or the diverse
webmail MUAs will only start implementing such a feature if there is
an official draft or specification.


Yes, I agree.


The whole point of my initiative here is that Managesieve finally
gets the capability to replicate the features the users know from
their local client side filtering (Thunderbird, Outlook) which provide
the feature of re-filtering. Even big webmail providers like the
Global Mail Exchange / GMX here in Germany provide re-filtering in
their webgui.


I don't think this should be a ManageSieve feature. ManageSieve
currently does not need/have access to the user's mailbox. It therefore
also doesn't have the syntax elements and mechanisms in place to select
mailboxes and ranges of messages. I think the only sensible place for
this feature is IMAP.


I use the sieve-filter tool very often for myself - every time I
create a new subfolder and create a new fileinto rule, I refilter my
Inbox to clean it up and have a consistent subfolder with all old and
new mails that are matching the rule.

The man page of the sieve-filter tool is 2 and a half years old ;)
(http://pigeonhole.dovecot.org/doc/man1/sieve-filter.1.html)
Sadly even the Wiki page doesn't mention it directly:
http://wiki2.dovecot.org/HowTo/RefilterMail


I haven't received much feedback about this command line tool. So either
everyone is happy with it, or it is rarely used. :)


Since the new German Dovecot book (http://www.dovecot-buch.de/)
recommends the sieve-filter tool for refiltering, it will get much
more attention in the future.


Only from Germans at first, although it will be translated soon I guess.

Anyway, I will give this idea a closer look somewhat soon. The main
problem with IMAPSieve is not the METADATA support or the other Sieve
extensions needed for it, it is the atomic nature of the IMAP commands
for which it is used: either the whole command succeeds or the whole
command fails. This makes things difficult for the Sieve interpreter, as
it needs to keep record of what it has done for when a rollback is
needed. Especially for "redirect" this is a huge pain.

However, as you rightly say, this new feature can be simpler than that.
It can reduce the atomicity to include only the processing of individual
messages and e.g. return a response indicating which messages were
successfully processed. This way, the state at client and server can
still remain consistent without too much trouble. I think I'll make a
proof-of-concept first and then condense my experience into a proper
specification. This can take a while though; there is much Dovecot stuff
on my list at the moment.

Regards,

Stephan.


Re: Maildir: ACLs/Unix perms and unable to see content of specific mailbox

2015-09-20 Thread Olaf Marzocchi
I found that the ACLs I gave were not automatically applied to the newly
created files and dirs (missing :fd-:), so I corrected them and I
added group:mail.


$ chmod -R A=owner@:rwxpdDaARWcCos:fd-:allow,\
  user:olaf:rwxpdDaARWcCos:fd-:allow,\
  group@:rwxpdDaARWcCos:fd-:allow,\
  group:olaf:rwxpdDaARWcCos:fd-:allow,\
  group:mail:rwxpdDaARWcCos:fd-:allow,\
  everyone@:--a-R-c--s:fd-:allow Maildir
(I know I duplicated my username and group, but I wanted to be sure...)

drwxrwx---+ 348 olaf olaf 359 Sep 20 16:21 Maildir
  owner@:rwxpdDaARWcCos:fd-:allow
  user:olaf:rwxpdDaARWcCos:fd-:allow
  group@:rwxpdDaARWcCos:fd-:allow
  group:olaf:rwxpdDaARWcCos:fd-:allow
  group:mail:rwxpdDaARWcCos:fd-:allow
  everyone@:--a-R-c--s:fd-:allow

I verified that newly created files inside Maildir correctly retain 
these ACLs.


I still get the errors (I added "mail_debug=yes" and restarted):

[ID 583609 mail.error] imap(olaf): Error: 
rename(/tank/home/olaf/Maildir/.Amici, conoscenti/dovecot.index.cache) 
failed: Permission denied (euid=501(olaf) egid=501(olaf) UNIX perms 
appear ok (ACL/MAC wrong?))


[ID 583609 mail.error] imap(olaf): Error: 
rename(/tank/home/olaf/Maildir/.Amici, conoscenti/dovecot.index.tmp, 
/tank/home/olaf/Maildir/.Amici, conoscenti/dovecot.index) failed: 
Permission denied


No further details.
I won't post the ls -lV again since the permissions in the specified
file and folder are all exactly like the Maildir folder above.


Different errors after I tried to rename a mail folder:

Debug: Namespace : Using permissions from /tank/home/olaf/Maildir: 
mode=0770 gid=default
Error: unlink(/tank/home/olaf/Maildir/subscriptions.lock) failed: 
Permission denied
Error: file_dotlock_replace() failed with subscription file 
/tank/home/olaf/Maildir/subscriptions: Permission denied
Error: rename(/tank/home/olaf/Maildir/subscriptions.lock, 
/tank/home/olaf/Maildir/subscriptions) failed: Permission denied


At this point I don't know if it is an issue with my system, or some 
sort of incompatibility between dovecot and illumos or ZFS.


Except for folder renaming I can put mails in the IMAP folders and see 
them, but I fear for future problems caused by this issue.


In case there is someone able to read source code, this is the file 
where the ACL/MAC issue is generated:

http://hg.dovecot.org/dovecot-2.2/file/4f4243794ba1/src/lib/eacces-error.c

Does anyone have some clue given this additional information? I still don't.

Olaf



On 19/09/2015 19:22, Christian Kivalo wrote:

Hi,

On 2015-09-19 16:17, Olaf Marzocchi wrote:

Dear Dovecot users, hello.
I will merge two issues I have into a single email because they may be
related.

I used dovecot on an OmniOS server since 2014 (currently OmniOS
r151014) with the following configuration (it shows 2.2.18 because I
recently updated dovecot, skipping only the PostgreSQL plugin):

# 2.2.18: /etc/dovecot/dovecot.conf
# OS: SunOS 5.11 i86pc  zfs
mail_location = maildir:/tank/home/%u/Maildir
mail_privileged_group = mail
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
special_use = \Drafts
  }
  mailbox Junk {
special_use = \Junk
  }
  mailbox Sent {
special_use = \Sent
  }
  mailbox "Sent Messages" {
special_use = \Sent
  }
  mailbox Trash {
special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
protocols = imap
ssl = required
ssl_cert = 

From my view the permissions seem to be set correctly. I have to admit,
it's been a while since I moved to virtual users so I may be wrong here...

The log output also seems to support that permissions are correct.

Have you tried adding the group:mail: ACLs back?

Have you set mail_debug=yes or other more verbose logging settings?
http://wiki2.dovecot.org/Logging




My questions, in short:
- what are the permissions I need to give to the Maildir folder? I
understood from the documentation it's 700, with my user/group (the
one of the user accessing the mail). What about ACLs? and what about
group "mail"?
- the (only!) subfolder which appears empty in Thunderbird, may it
depend on the permissions? maybe due to them the index was not updated
and UIDs don't match. If after applying the correct permissions I
still cannot see its contents, is there a way to recover the mails?
the files are all still there.

Sorry for the long email, but after several tries yesterday I
exhausted my ideas.

Regards,
Olaf


Regards,
Christian
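As an added checker (not code from the thread), the Python script below parses an `ls -lV` listing like the one Olaf posted, evaluates the NFSv4 ACEs in order for a given user and group set, and reports which directory bits are missing and which allow ACEs lack the f and d inheritance flags he found he had to add. The listing is constructed from his post, and the set of directory bits treated as required is my assumption.

```python
import re

# Constructed sample modelled on the `ls -lV` listing in the post above (owner and group olaf).
SAMPLE_ACL = """\
drwxrwx---+ 348 olaf olaf 359 Sep 20 16:21 Maildir
 owner@:rwxpdDaARWcCos:fd-:allow
 user:olaf:rwxpdDaARWcCos:fd-:allow
 group@:rwxpdDaARWcCos:fd-:allow
 group:olaf:rwxpdDaARWcCos:fd-:allow
 group:mail:rwxpdDaARWcCos:fd-:allow
 everyone@:------a-R-c--s:fd-:allow
"""

# who : compact permission letters (r w x p d D a A R W c C o s) : inheritance flags : allow|deny
ACE_RE = re.compile(r"^\s*(?P<who>owner@|group@|everyone@|user:[^:]+|group:[^:]+):"
                    r"(?P<perms>[rwxpdDaARWcCos-]+):(?P<inherit>[fdinI-]+):(?P<type>allow|deny)$")

# Assumed minimum a mail process needs on the maildir directory itself to list, create,
# rename and unlink entries: list (r), add_file (w), search (x), add_subdir (p), delete_child (D).
MAILDIR_DIR_BITS = set("rwxpD")

def parse_ls_v(text):
    """Return (owner, group, aces) from one directory's `ls -lV` listing."""
    lines = [l for l in text.splitlines() if l.strip()]
    _, _, owner, group = lines[0].split()[:4]
    matches = [ACE_RE.match(l) for l in lines[1:]]
    if not all(matches):
        raise ValueError("unrecognised ACE line in listing")
    return owner, group, [m.groupdict() for m in matches]

def ace_matches(ace, user, groups, owner, group):
    who = ace["who"]
    if who.endswith("@"):
        return who == "everyone@" or (who == "owner@" and user == owner) or (who == "group@" and group in groups)
    kind, name = who.split(":", 1)
    return name == user if kind == "user" else name in groups

def effective_perms(aces, user, groups, owner, group):
    """NFSv4 evaluation: ACEs are walked in order and the first matching one naming a bit decides it."""
    decided = {}
    for ace in aces:
        if ace_matches(ace, user, groups, owner, group):
            for bit in ace["perms"].replace("-", ""):
                decided.setdefault(bit, ace["type"] == "allow")
    return {bit for bit, allowed in decided.items() if allowed}

def check_maildir_acl(text, user, groups):
    """Return (missing directory bits, allow ACEs lacking f+d, which new files/dirs will not inherit)."""
    owner, group, aces = parse_ls_v(text)
    missing = sorted(MAILDIR_DIR_BITS - effective_perms(aces, user, groups, owner, group))
    not_inherited = [a["who"] for a in aces if a["type"] == "allow" and not {"f", "d"} <= set(a["inherit"])]
    return missing, not_inherited
```

Note that the listing shows only the directory's own ACL; a rename that still fails with these bits present points at the individual files or at something outside the ACL, which is what the eacces-error message in the log is hinting at.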


Re: ssl_key_password loaded from file: 'Couldn't parse private ssl_key'

2015-09-20 Thread Christian Kivalo

Hi,

On 2015-09-20 15:35, B. R. wrote:

As this is my first message to this ML: Hello!

I am using a password-protected SSL key for my dovecot MDA.
When I tried to use the ssl_key_password configuration directive as
follows:

ssl_key_password = 

However, not using the file inclusion but directly configuring as
follows:

ssl_key_password = mypass

did work...


I don't know for sure but maybe it's not implemented to load the password
from a file...


Reading http://wiki2.dovecot.org/SSL/DovecotConfiguration suggests to 
use an extra config file with tightened permissions that only contains 
the "ssl_key_password = $password" configuration directive and include 
this file with "!include_try $file".


That way you could swap that file out automatically when renewing the 
private key.


I am loading my certificate & key with the file inclusion trick... How
come I cannot use that for the password file?
It would avoid inputting the password directly into the dovecot
configuration files, forcing me to change permissions and duplicating it...
When renewing the private key I will be forced to edit the password at
every location.

Is it a bug? or a feature? :D
---
*B. R.*


Regards
christian


ssl_key_password loaded from file: 'Couldn't parse private ssl_key'

2015-09-20 Thread B. R.
As this is my first message to this ML: Hello!

I am using a password-protected SSL key for my dovecot MDA.
When I tried to use the ssl_key_password configuration directive as follows:
ssl_key_password = 

Can't receive email

2015-09-20 Thread lists
No problem sending email, but I can't receive email. Diagnostics follow:

a login u...@domain.com password
a OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT 
SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND 
URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED 
I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH 
LIST-STATUS BINARY MOVE SPECIAL-USE] Logged in
b select inbox
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] Flags 
permitted.
* 9 EXISTS
* 1 RECENT
* OK [UNSEEN 9] First unseen.
* OK [UIDVALIDITY 1439944213] UIDs valid
* OK [UIDNEXT 10] Predicted next UID
* OK [HIGHESTMODSEQ 2] Highest
b OK [READ-WRITE] Select completed (0.017 secs).
c list "" *
* LIST (\HasNoChildren \Trash) "." Trash
* LIST (\HasNoChildren) "." Queue
* LIST (\HasNoChildren \Sent) "." Sent
* LIST (\HasNoChildren \Drafts) "." Drafts
* LIST (\HasNoChildren) "." INBOX
c OK List completed (0.001 secs).
d lsub "" *
* LSUB (\Trash) "." Trash
* LSUB () "." Queue
* LSUB (\Sent) "." Sent
* LSUB (\Drafts) "." Drafts
d OK Lsub completed (0.003 secs).
e logout
* BYE Logging out
e OK Logout completed.
closed
---
from dovecot.log
Sep 19 23:35:13 imap-login: Debug: SSL: where=0x10, ret=1: before/accept 
initialization [xxx.xxx.xxx.xxx]
Sep 19 23:35:13 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept 
initialization [xxx.xxx.xxx.xxx]
Sep 19 23:35:13 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read 
client hello A [xxx.xxx.xxx.xxx]
Sep 19 23:35:13 auth: Debug: Loading modules from directory: 
/usr/local/lib/dovecot/auth
Sep 19 23:35:13 auth: Debug: Read auth token secret from 
/var/run/dovecot/auth-token-secret.dat
Sep 19 23:35:13 auth: Debug: passwd-file /usr/local/etc/dovecot/users: Read 2 
users in 0 secs
Sep 19 23:35:13 auth: Debug: auth client connected (pid=1698)
Sep 19 23:38:13 imap-login: Info: Disconnected: Inactivity (no auth attempts in 
180 secs): user=<>, rip=xxx.xxx.xxx.xxx, lip=xxx.xxx.xxx.xxx, TLS handshaking, 
session=


# dovecot -n
# 2.2.18: /usr/local/etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.8 (0c4ae064f307+)
# OS: FreeBSD 10.1-RELEASE-p19 amd64 
auth_debug = yes
auth_debug_passwords = yes
auth_verbose = yes
log_path = /var/log/dovecot.log
mail_debug = yes
mail_gid = 1003
mail_home = /var/mail/vhosts/%d/%n
mail_location = maildir:~
mail_privileged_group = vpostfix
mail_uid = 1003
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate
namespace inbox {
  inbox = yes
  location = 
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix = 
}
passdb {
  args = scheme=CRYPT username_format=%u /usr/local/etc/dovecot/users
  driver = passwd-file
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-userdb {
    group = postfix
    mode = 0600
    user = postfix
  }
}
ssl_cert =
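As an added check, not part of the post: this Python script parses the untagged LIST and LSUB responses from a transcript like the one above and reports mailboxes the server has but the client is not subscribed to, which is one thing worth confirming when a client shows no new mail even though the IMAP session itself works. The sample transcript is constructed from the session shown.

```python
import re

# Constructed transcript, copied in shape from the IMAP session in the post above.
SAMPLE_SESSION = r"""
c list "" *
* LIST (\HasNoChildren \Trash) "." Trash
* LIST (\HasNoChildren) "." Queue
* LIST (\HasNoChildren \Sent) "." Sent
* LIST (\HasNoChildren \Drafts) "." Drafts
* LIST (\HasNoChildren) "." INBOX
c OK List completed (0.001 secs).
d lsub "" *
* LSUB (\Trash) "." Trash
* LSUB () "." Queue
* LSUB (\Sent) "." Sent
* LSUB (\Drafts) "." Drafts
d OK Lsub completed (0.003 secs).
"""

# "* LIST (flags) delimiter name" / "* LSUB (flags) delimiter name"; names may be quoted.
MAILBOX_RE = re.compile(r'^\* (?P<cmd>LIST|LSUB) \((?P<flags>[^)]*)\) '
                        r'(?P<delim>"[^"]*"|NIL) (?P<name>"(?:[^"\\]|\\.)*"|\S+)$')

def parse_mailboxes(session):
    """Return {"LIST": {name: flags}, "LSUB": {name: flags}} from the untagged responses."""
    found = {"LIST": {}, "LSUB": {}}
    for line in session.splitlines():
        m = MAILBOX_RE.match(line)
        if not m:
            continue
        name = m.group("name")
        if name.startswith('"'):  # strip IMAP quoting and unescape \" and \\
            name = name[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        found[m.group("cmd")][name] = set(m.group("flags").split())
    return found

def unsubscribed_mailboxes(session):
    """Mailboxes present in LIST but absent from LSUB, i.e. existing but not subscribed."""
    boxes = parse_mailboxes(session)
    return sorted(set(boxes["LIST"]) - set(boxes["LSUB"]))
```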