Re: Thanks for Dovecot
On Tue, 13 Oct 2015, Steve Litt wrote: Thanks for making Dovecot. +1 I just transitioned from Debian Wheezy to Void Linux. It was fairly easy to get Dovecot working on my Void box, and having Dovecot makes all of my email activities easier by doing one thing and doing it right. I'm just curious, did you not find it easy to get Dovecot working on Debian? I ask because if you didn't I'm largely the one to thank :-) -- Jaldhar H. Vyas
Re: Thanks for Dovecot
> Thanks for making Dovecot. > > I just transitioned from Debian Wheezy to Void Linux. It was fairly > easy to get Dovecot working on my Void box, and having Dovecot makes > all of my email activities easier by doing one thing and doing it right. > > Thank you for such great software. Same here. I switched from courier to dovecot and one of my users with a very heavy inbox called it "scary fast". Should have switched years ago. - Grant
Re: TLS communication director -> backend with X.509 cert checks?
Heiko Schlittermann (Mi 14 Okt 2015 00:46:11 CEST):
…
>
> And if I add -D to the director service, I can see "Debug: request
> refreshed timeout to …",
> but never I see "Debug: request added". And from what I
> understand this would be the place where the mail_host info comes into
> the game.
>
> But probably I do not understand how director_request_continue() is
> supposed to work.
Ah, the information comes from the other director running. The other one
is using an unpatched version of dovecot.
If I shutdown the other director instance, it seems to work.
Tomorrow I'll do more testing. Good work, thank you.
BTW: I've put there an IPv6 address into the director_servers list (not
an DNS name).
director_servers = 2001:x:y:f33::5:1
…
inet_listener {
address = ::
port = 9090
}
it doesn't recognize itself:
Oct 14 01:06:13 director1 dovecot: director: Fatal: director_servers doesn't
list ourself
director_servers = 2001:x:y:f33::5:1:9090
…
inet_listener {
address = ::
port = 9090
}
works, but is ambigous, isn't it? Shouldn't we use [2001:x:y:f33::5:1]:9090
in such a case? But: *Unknown director host: [2001:x:y:f33::5:1]*
Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --- key ID: F69376CE -
! key id 7CBF764A and 972EAC9F are revoked since 2015-01 -
signature.asc
Description: Digital signature
Re: Indexing fails with .. FIELDS_INDEX_EXTENSION).c_str() )' failed
On Wed, 14 Oct 2015 07:28:42 +1100 Timo Sirainen wrote > Looks like a bug in clucene library. I don't know if there's anything that > can be done about it on Dovecot side. I recommend switching to fts-solr. Either that or fts-elasticsearch[1] Regards, Tim [1] https://github.com/ascendantcom/fts-elasticsearch/
Re: TLS communication director -> backend with X.509 cert checks?
Heiko Schlittermann (Mi 14 Okt 2015 00:10:50 CEST):
> Timo Sirainen (Di 13 Okt 2015 23:49:20 CEST):
> …
> >
> > Proxying in general does check that hostname matches the SSL certificate,
> > because both the hostname and IP address are sent to login process. So it
> > should work in a way that host= and hostip= is sent. I
> > thought my patch did that.. Normally auth_debug=yes would be enough to
> > debug this, but this happens between director and login process so I don't
> > think it's going to be of much use. login process's
> > client_auth_parse_args() is what should see these two parameters correctly.
> >
> > I can check this further tomorrow.
>
> I've put an i_warning("*** %s: ...", __FUNCTION__, ...) into several places.
>
> Oct 14 00:02:33 director1 dovecot: director: Warning: ***
> login_host_callback:
> OK#0112#011user=foo#011proxy#011ssl=yes#011nopassword=y#011lip=2001:x.y:f33::5:1#011lport=993#011pass=x#011proxy_refresh=450#011host=2001:x.y:f33::5:fe
>
> Here it seems that the director doesn't send it's knowledge about the
> hostname.
>
> Here some other output, to show that the host list contains names and
> addresses:
>
> Oct 14 00:02:32 director1 dovecot: director: Warning: ** mail_host_add: added
> backends. [2001:x.y:f33::5:fe]
> Oct 14 00:02:32 director1 dovecot: director: Warning: ** mail_host_add: added
> backends. [2001:x.y:f33::5:ff]
> Oct 14 00:02:32 director1 dovecot: director: Warning: ** mail_host_add: added
> backends. [149.x.y.103]
> Oct 14 00:02:32 director1 dovecot: director: Warning: ** mail_host_add: added
> backends. [149.x.y.102]
And if I add -D to the director service, I can see "Debug: request
refreshed timeout to …",
but never I see "Debug: request added". And from what I
understand this would be the place where the mail_host info comes into
the game.
But probably I do not understand how director_request_continue() is
supposed to work.
Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --- key ID: F69376CE -
! key id 7CBF764A and 972EAC9F are revoked since 2015-01 -
signature.asc
Description: Digital signature
Re: TLS communication director -> backend with X.509 cert checks?
Timo Sirainen (Di 13 Okt 2015 23:49:20 CEST):
…
>
> Proxying in general does check that hostname matches the SSL certificate,
> because both the hostname and IP address are sent to login process. So it
> should work in a way that host= and hostip= is sent. I thought
> my patch did that.. Normally auth_debug=yes would be enough to debug this,
> but this happens between director and login process so I don't think it's
> going to be of much use. login process's client_auth_parse_args() is what
> should see these two parameters correctly.
>
> I can check this further tomorrow.
I've put an i_warning("*** %s: ...", __FUNCTION__, ...) into several places.
Oct 14 00:02:33 director1 dovecot: director: Warning: *** login_host_callback:
OK#0112#011user=foo#011proxy#011ssl=yes#011nopassword=y#011lip=2001:x.y:f33::5:1#011lport=993#011pass=x#011proxy_refresh=450#011host=2001:x.y:f33::5:fe
Here it seems that the director doesn't send it's knowledge about the
hostname.
Here some other output, to show that the host list contains names and addresses:
Oct 14 00:02:32 director1 dovecot: director: Warning: ** mail_host_add: added
backends. [2001:x.y:f33::5:fe]
Oct 14 00:02:32 director1 dovecot: director: Warning: ** mail_host_add: added
backends. [2001:x.y:f33::5:ff]
Oct 14 00:02:32 director1 dovecot: director: Warning: ** mail_host_add: added
backends. [149.x.y.103]
Oct 14 00:02:32 director1 dovecot: director: Warning: ** mail_host_add: added
backends. [149.x.y.102]
--
Heiko
signature.asc
Description: Digital signature
Re: Thanks for Dovecot
Dave McGuire writes: > On 10/13/2015 05:04 PM, Gedalya wrote: >>> Thanks for making Dovecot. >>> >>> I just transitioned from Debian Wheezy to Void Linux. It was fairly >>> easy to get Dovecot working on my Void box, and having Dovecot makes >>> all of my email activities easier by doing one thing and doing it right. >>> >>> Thank you for such great software. >>> >>> SteveT >> >> Hey, you know what? It's never a bad time to join in and say a simple: >> Thank you! > > Agreed! Thank you! I want to jump on the puppy pile of love... I've used a lot of different IMAP software over the decades, and dovecot has been a breath of fresh air and a huge relief compared to what I've suffered through in the past! Thanks Timo for all your hard work, it really is appreciated! micah
Re: iterate users with passwd-file passdb?
Timo Sirainen writes:
> On 14 Oct 2015, at 00:01, Eric Abrahamsen wrote:
>>
>> Joseph Tam writes:
>>
>>> Eric Abrahamsen writes:
>>>
Simply: Is it possible to iterate over users if I'm using the
passwd-file passdb driver? Do I need a SQL-based driver if I want to
iterate?
>>>
>>> What do you mean by "iterate"? If you mean whether you can look up a
>>> password entry in a multi-entry file, then yes, definitely. If you
>>> mean to sequentially go through it and do a first/last/best match,
>>> probably not.
>>
>> Basically I just mean the -A argument to the doveadm commands. For
>> example, iterate through all the users and run sa-learn on each user's
>> learn/spam folder. If it's got to be SQL, it won't kill me...
>
> Use userdb passwd-file to get iteration working. passdb isn't used for
> iteration. userdb static can't be used to iterate.
That did it, thank you! I had been staring at this:
http://wiki2.dovecot.org/AuthDatabase/PasswdFile#line-38
But not getting it exactly right. For posterity, I edited my conf to
look like this:
passdb {
driver = passwd-file
args = username_format=%u scheme=ssha512 /etc/dovecot/passwd.db
deny = no
master = no
pass = no
skip = never
result_failure = continue
result_internalfail = continue
result_success = return-ok
}
userdb {
driver = passwd-file
args = username_format=%u /etc/dovecot/passwd.db
default_fields = uid=vmail gid=vmail home=/var/mail/vmail/%d/%n
}
Then edited /etc/dovecot/passwd.db to add six colons at the end of each
user line -- empty fields since presently everything I need is specified
in default_fields.
Thanks again,
Eric
Re: TLS communication director -> backend with X.509 cert checks?
On 14 Oct 2015, at 00:34, Heiko Schlittermann wrote: > > Hi Timo, > > Heiko Schlittermann (Di 13 Okt 2015 22:33:23 CEST): >>> Does the attached patch work? Compiles, but untested. >> I'm about to test it. > > It seems to update the struct mail_host, but it looks as if the data > in mail_host do not propagate down to login_proxy_new(). > > In other words, in login_proxy_new() set->host contains the IP address, > correctly, because the director choose it, but where can I find the > hostname there? And we need a way to pass the host*name* further, to the > SSL verifcation step, don't we? Proxying in general does check that hostname matches the SSL certificate, because both the hostname and IP address are sent to login process. So it should work in a way that host= and hostip= is sent. I thought my patch did that.. Normally auth_debug=yes would be enough to debug this, but this happens between director and login process so I don't think it's going to be of much use. login process's client_auth_parse_args() is what should see these two parameters correctly. I can check this further tomorrow.
Re: TLS communication director -> backend with X.509 cert checks?
Hi Timo,
Heiko Schlittermann (Di 13 Okt 2015 22:33:23 CEST):
> > Does the attached patch work? Compiles, but untested.
> I'm about to test it.
It seems to update the struct mail_host, but it looks as if the data
in mail_host do not propagate down to login_proxy_new().
In other words, in login_proxy_new() set->host contains the IP address,
correctly, because the director choose it, but where can I find the
hostname there? And we need a way to pass the host*name* further, to the
SSL verifcation step, don't we?
Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --- key ID: F69376CE -
! key id 7CBF764A and 972EAC9F are revoked since 2015-01 -
signature.asc
Description: Digital signature
Re: iterate users with passwd-file passdb?
Eric Abrahamsen writes: Simply: Is it possible to iterate over users if I'm using the passwd-file passdb driver? Do I need a SQL-based driver if I want to iterate? What do you mean by "iterate"? If you mean whether you can look up a password entry in a multi-entry file, then yes, definitely. If you mean to sequentially go through it and do a first/last/best match, probably not. Basically I just mean the -A argument to the doveadm commands. For example, iterate through all the users and run sa-learn on each user's learn/spam folder. If it's got to be SQL, it won't kill me... Ah. Yes, you can use -A and iterate through users, subject to any constraints such as first_valid_uid, last_valid_uid, etc. Joseph Tam
Re: iterate users with passwd-file passdb?
On 14 Oct 2015, at 00:01, Eric Abrahamsen wrote: > > Joseph Tam writes: > >> Eric Abrahamsen writes: >> >>> Simply: Is it possible to iterate over users if I'm using the >>> passwd-file passdb driver? Do I need a SQL-based driver if I want to >>> iterate? >> >> What do you mean by "iterate"? If you mean whether you can look up a >> password entry in a multi-entry file, then yes, definitely. If you >> mean to sequentially go through it and do a first/last/best match, >> probably not. > > Basically I just mean the -A argument to the doveadm commands. For > example, iterate through all the users and run sa-learn on each user's > learn/spam folder. If it's got to be SQL, it won't kill me... Use userdb passwd-file to get iteration working. passdb isn't used for iteration. userdb static can't be used to iterate.
Re: Thanks for Dovecot
On 10/13/2015 05:04 PM, Gedalya wrote: >> Thanks for making Dovecot. >> >> I just transitioned from Debian Wheezy to Void Linux. It was fairly >> easy to get Dovecot working on my Void box, and having Dovecot makes >> all of my email activities easier by doing one thing and doing it right. >> >> Thank you for such great software. >> >> SteveT > > Hey, you know what? It's never a bad time to join in and say a simple: > Thank you! Agreed! Thank you! -Dave -- Dave McGuire, AK4HZ New Kensington, PA
Re: Thanks for Dovecot
On 10/13/2015 04:00 PM, Steve Litt wrote: Hi all, Thanks for making Dovecot. I just transitioned from Debian Wheezy to Void Linux. It was fairly easy to get Dovecot working on my Void box, and having Dovecot makes all of my email activities easier by doing one thing and doing it right. Thank you for such great software. SteveT Hey, you know what? It's never a bad time to join in and say a simple: Thank you!
Re: iterate users with passwd-file passdb?
Joseph Tam writes: > Eric Abrahamsen writes: > >> Simply: Is it possible to iterate over users if I'm using the >> passwd-file passdb driver? Do I need a SQL-based driver if I want to >> iterate? > > What do you mean by "iterate"? If you mean whether you can look up a > password entry in a multi-entry file, then yes, definitely. If you > mean to sequentially go through it and do a first/last/best match, > probably not. Basically I just mean the -A argument to the doveadm commands. For example, iterate through all the users and run sa-learn on each user's learn/spam folder. If it's got to be SQL, it won't kill me... Thanks! Eric
Re: iterate users with passwd-file passdb?
Eric Abrahamsen writes: Simply: Is it possible to iterate over users if I'm using the passwd-file passdb driver? Do I need a SQL-based driver if I want to iterate? What do you mean by "iterate"? If you mean whether you can look up a password entry in a multi-entry file, then yes, definitely. If you mean to sequentially go through it and do a first/last/best match, probably not. Joseph Tam
Re: TLS communication director -> backend with X.509 cert checks?
Timo Sirainen (Di 13 Okt 2015 21:36:40 CEST):
…
> > I see:
> >
> >a) pass the host *names* to the director too, for CN verification
> > purpose
> >
> > May be in struct mail_host could be a field for the original
> > hostname we used to obtain the adress(es)?
>
> Does the attached patch work? Compiles, but untested.
I'm about to test it.
Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --- key ID: F69376CE -
! key id 7CBF764A and 972EAC9F are revoked since 2015-01 -
signature.asc
Description: Digital signature
Re: Indexing fails with .. FIELDS_INDEX_EXTENSION).c_str() )' failed
On 13 Oct 2015, at 23:25, Akash wrote: > > Hi, > > Mailing list archives suggest that this problem has been fixed in the > older versions itself but I am getting the error still while trying to > doveadm index a large folder of emails. Sometimes it throws error > after 3, something 4, the latest it gave up after 111000. But > it just never completes. > > 111000/322080doveadm: > /home/stephan/packages/wheezy/i386/clucene-core-2.3.3.4/src/core/CLucene/index/DocumentsWriter.cpp:210: > std::string lucene::index::DocumentsWriter::closeDocStore(): Assertion > `numDocsInStore*8 == directory->fileLength( (docStoreSegment + "." + > IndexFileNames::FIELDS_INDEX_EXTENSION).c_str() )' failed. > Aborted > > I am using dovecot 2:2.2.19-1~auto+7& libclucene-core1:i386 2.3.3.4-4 > from debian wheezy backports. Please advice. Looks like a bug in clucene library. I don't know if there's anything that can be done about it on Dovecot side. I recommend switching to fts-solr.
Indexing fails with .. FIELDS_INDEX_EXTENSION).c_str() )' failed
Hi, Mailing list archives suggest that this problem has been fixed in the older versions itself but I am getting the error still while trying to doveadm index a large folder of emails. Sometimes it throws error after 3, something 4, the latest it gave up after 111000. But it just never completes. 111000/322080doveadm: /home/stephan/packages/wheezy/i386/clucene-core-2.3.3.4/src/core/CLucene/index/DocumentsWriter.cpp:210: std::string lucene::index::DocumentsWriter::closeDocStore(): Assertion `numDocsInStore*8 == directory->fileLength( (docStoreSegment + "." + IndexFileNames::FIELDS_INDEX_EXTENSION).c_str() )' failed. Aborted I am using dovecot 2:2.2.19-1~auto+7& libclucene-core1:i386 2.3.3.4-4 from debian wheezy backports. Please advice. -Akash
Re: Dovecot - Postfix with HAproxy
Op 10/13/2015 om 5:15 PM schreef Michael JOIGNY: (For some reason Thunderbird messes up this e-mail). You could try to do pre-login rawlog to see what HAProxy is sending to Dovecot. http://wiki2.dovecot.org/Debugging/Rawlog Regards, Stephan.
Thanks for Dovecot
Hi all, Thanks for making Dovecot. I just transitioned from Debian Wheezy to Void Linux. It was fairly easy to get Dovecot working on my Void box, and having Dovecot makes all of my email activities easier by doing one thing and doing it right. Thank you for such great software. SteveT
Re: Dualstack IPv4/IPv6 setup with directors
Timo Sirainen (Di 13 Okt 2015 21:42:41 CEST): … > > Oct 13 21:23:29 director1 dovecot: director: Error: > > director(149.x.y.97:9090/out): connect() failed: Connection refused > > Oct 13 21:23:29 director1 dovecot: director: Warning: net_connect_ip(): > > ip->family != my_ip->family > > Oct 13 21:23:29 director1 dovecot: director: Error: Remote director thinks > > it's someone else (connected to 2001:x:y:f33::5:1:9090, remote says it's > > 149.x.y.96:9090) > > > > I assume it's because the director uses only one (IPv4 OR IPv6) address > > for it's own identity, right? > > Right. I thought I did something to fix this crash, but probably not. In any > case it's not a supported configuration even if it didn't crash. Ok, maybe it should be mentioned in the Wiki, that having multiple addresses per directors isn't supported for director-director communication. But anyway, thanks for the information, it helps. -- Heiko signature.asc Description: Digital signature
Re: Dualstack IPv4/IPv6 setup with directors
On 13 Oct 2015, at 22:31, Heiko Schlittermann wrote: > > Hi, > > still using 2.2.9, I've two directors, and these directors > use both IPv4/IPv6 addresses. > > `host directors.` returns one A and AAA for each > of the two directors: > >directors. has address 149.x.y.96 (director1) >directors. has address 149.x.y.97 (director2) >directors. has IPv6 address 2001:x:y:f33::5:1 (director1) >directors. has IPv6 address 2001:x:y:f33::5:2 (director2) > > But connecting the the neighbor director gives: > > Oct 13 21:23:29 director1 dovecot: director: Warning: Director > 2001:x:y:f33::5:2:9090/left disconnected us with reason: Invalid input: ME > 149.x.y.96 9090 > Oct 13 21:23:29 director1 dovecot: director: Error: > director(149.x.y.97:9090/out): connect() failed: Connection refused > Oct 13 21:23:29 director1 dovecot: director: Warning: net_connect_ip(): > ip->family != my_ip->family > Oct 13 21:23:29 director1 dovecot: director: Error: Remote director thinks > it's someone else (connected to 2001:x:y:f33::5:1:9090, remote says it's > 149.x.y.96:9090) > > I assume it's because the director uses only one (IPv4 OR IPv6) address > for it's own identity, right? Right. I thought I did something to fix this crash, but probably not. In any case it's not a supported configuration even if it didn't crash.
Re: TLS communication director -> backend with X.509 cert checks?
> On 13 Oct 2015, at 22:21, Heiko Schlittermann wrote: > > Timo Sirainen (Di 13 Okt 2015 21:02:59 CEST): >>> the IP address the director connects to. >> >> Right. The hostnames are lost immediately at director startup. I've never >> really thought about needing this functionality for director, since they're >> usually in the same trusted network with backends.. >> > > Ooo. > What if > >director_mail_servers = backends. > > and the DNS entry for backends. gets updated? Does the director > catch up the change automatically w/o restart? No, and I'm not sure it even should. Use "doveadm director ring remove" to get rid of unwanted directors.
Re: TLS communication director -> backend with X.509 cert checks?
On 13 Oct 2015, at 22:18, Heiko Schlittermann wrote: > > Timo Sirainen (Di 13 Okt 2015 21:02:59 CEST): > … >>> On connection setup from a client the director connects to the >>> selected backend. But it seems (not checked in the source yet), >>> that for SSL certificate verification the director doesn't know the >>> original host name anymore. The certificate's CN gets compared to >>> the IP address the director connects to. >> >> Right. The hostnames are lost immediately at director startup. I've never >> really thought about needing this functionality for director, since they're >> usually in the same trusted network with backends.. >> > > That's it… "ususally". And additionally local policy says that we should use > secured connections whenever credentials are transported … And since the > director uses either a master password or the credentials obtained from > the client, we want to use secured connections. And using TLS w/o > verified certs is better than nothing, but it's far from being perfect. I've been planning to add support for non-plaintext SASL for Dovecot proxy. Probably SCRAM-SHA1. That would avoid sending credentials in plaintext, although it wouldn't prevent other kind of MITM. > I see: > >a) pass the host *names* to the director too, for CN verification > purpose > > May be in struct mail_host could be a field for the original > hostname we used to obtain the adress(es)? Does the attached patch work? Compiles, but untested. director-host.diff Description: Binary data
Dualstack IPv4/IPv6 setup with directors
Hi,
still using 2.2.9, I've two directors, and these directors
use both IPv4/IPv6 addresses.
`host directors.` returns one A and AAA for each
of the two directors:
directors. has address 149.x.y.96 (director1)
directors. has address 149.x.y.97 (director2)
directors. has IPv6 address 2001:x:y:f33::5:1 (director1)
directors. has IPv6 address 2001:x:y:f33::5:2 (director2)
But connecting the the neighbor director gives:
Oct 13 21:23:29 director1 dovecot: director: Warning: Director
2001:x:y:f33::5:2:9090/left disconnected us with reason: Invalid input: ME
149.x.y.96 9090
Oct 13 21:23:29 director1 dovecot: director: Error:
director(149.x.y.97:9090/out): connect() failed: Connection refused
Oct 13 21:23:29 director1 dovecot: director: Warning: net_connect_ip():
ip->family != my_ip->family
Oct 13 21:23:29 director1 dovecot: director: Error: Remote director thinks it's
someone else (connected to 2001:x:y:f33::5:1:9090, remote says it's
149.x.y.96:9090)
I assume it's because the director uses only one (IPv4 OR IPv6) address
for it's own identity, right?
Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --- key ID: F69376CE -
! key id 7CBF764A and 972EAC9F are revoked since 2015-01 -
signature.asc
Description: Digital signature
Storage Design (Regligious War, Whatever)
We've been running dovecot director setup using MAILDIR++ spools on NFS served by 4 (aging) Netapp clustered filers and are considering modernizing our storage. There's nothing particularly wrong with the existing storage except the age, density and power consumption don't compare well when against new systems. Refreshing the Netapps is an option but they come at a substantial cost. The last time we were looking one of the recommended hot DIY setups was Linux NFS backed by XFS on N mirrors but this predated the availability of stable ZFS in FreeBSD or Linux as well as products like FreeNAS. A FreeBSD NFS/ZFS filer on commodity hardware with zil/l2arc on a PCIe SSD seems like an attractive, affordable and easily scaled out solution which also would allow us to leverage compression at the filesystem layer. Does anyone have any experience running ZFS spool storage? If so, how do you handle DR/HA for spool storage? Thoughts on how this might compare to using DRBD? Any pitfalls to watch out for or general pointers? Suggestions on pool configuration? -K
Re: TLS communication director -> backend with X.509 cert checks?
Timo Sirainen (Di 13 Okt 2015 21:02:59 CEST):
> > the IP address the director connects to.
>
> Right. The hostnames are lost immediately at director startup. I've never
> really thought about needing this functionality for director, since they're
> usually in the same trusted network with backends..
>
Ooo.
What if
director_mail_servers = backends.
and the DNS entry for backends. gets updated? Does the director
catch up the change automatically w/o restart?
Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --- key ID: F69376CE -
! key id 7CBF764A and 972EAC9F are revoked since 2015-01 -
signature.asc
Description: Digital signature
Re: TLS communication director -> backend with X.509 cert checks?
Timo Sirainen (Di 13 Okt 2015 21:02:59 CEST):
…
> > On connection setup from a client the director connects to the
> > selected backend. But it seems (not checked in the source yet),
> > that for SSL certificate verification the director doesn't know the
> > original host name anymore. The certificate's CN gets compared to
> > the IP address the director connects to.
>
> Right. The hostnames are lost immediately at director startup. I've never
> really thought about needing this functionality for director, since they're
> usually in the same trusted network with backends..
>
That's it… "ususally". And additionally local policy says that we should use
secured connections whenever credentials are transported … And since the
director uses either a master password or the credentials obtained from
the client, we want to use secured connections. And using TLS w/o
verified certs is better than nothing, but it's far from being perfect.
I see:
a) pass the host *names* to the director too, for CN verification
purpose
May be in struct mail_host could be a field for the original
hostname we used to obtain the adress(es)?
or
b) allow some kind of certificate pinning, that is loose the implied
relation CN <=> hostname
> > Should I create certificates with IP address in SAN? (Any hint about the
> > correct syntax for the openssl.conf is welcome). Or is there any chance
> > that this is fixed already or will be fixed in the near future or even
> > better, that it's my fault?
>
> I guess that could work for now. No idea about how to do such certificates.
I'll try that, but I think it's not a solution as soon as we reach out
for "official" certs. And because it puts more details about the
infrastructure into the configuration than would be necessary.
Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --- key ID: F69376CE -
! key id 7CBF764A and 972EAC9F are revoked since 2015-01 -
signature.asc
Description: Digital signature
Re: TLS communication director -> backend with X.509 cert checks?
On 13 Oct 2015, at 21:44, Heiko Schlittermann wrote: > > Hello, > > using Dovecot 2.2.9 and a setup with directors and backends. > The communication between directors and backends needs to be TLS > secured. > > The director config contains a list of hostnames for the backends. > (implicit list because of multiple A/ records for a single hostname > or explicit list of several host names) > > On connection setup from a client the director connects to the > selected backend. But it seems (not checked in the source yet), > that for SSL certificate verification the director doesn't know the > original host name anymore. The certificate's CN gets compared to > the IP address the director connects to. Right. The hostnames are lost immediately at director startup. I've never really thought about needing this functionality for director, since they're usually in the same trusted network with backends.. > Should I create certificates with IP address in SAN? (Any hint about the > correct syntax for the openssl.conf is welcome). Or is there any chance > that this is fixed already or will be fixed in the near future or even > better, that it's my fault? I guess that could work for now. No idea about how to do such certificates.
Re: Unknown cache fields?
On 05 Oct 2015, at 17:43, Larry Rosenman wrote: > > I assume this is expected, but just checking. I do NOT use POP3. > > Oct 5 09:41:20 thebighonker dovecot: indexer-worker(mrm): Debug: Ignoring > unknown cache field: pop3.order > Oct 5 09:41:20 thebighonker dovecot: indexer-worker(mrm): Debug: Ignoring > unknown cache field: binary.parts > Oct 5 09:41:20 thebighonker dovecot: indexer-worker(mrm): Debug: Ignoring > unknown cache field: body.snippet Bug, but it just affected dsync optimization. Fixed: http://hg.dovecot.org/dovecot-2.2/rev/3b1e7941542f
Re: doveadm index assertion failed
On 05 Oct 2015, at 22:05, Nick Rosier wrote: > > Hi, > > one of my mailboxes returns following error when I run doveadm index on it: > > Panic: file charset-iconv.c: line 85 (charset_to_utf8_try): assertion failed: > (srcleft <= CHARSET_MAX_PENDING_BUF_SIZE) > > OS: FreeBSD 10.2 > Dovecot: 2.1.19 > Tika: 1.10 > SOLR: 5.3.1 I thought this would have definitely been fixed by now.. Can you find some specific email which is triggering this? It's either something strange that I didn't expect, or it's a bug in FreeBSD's iconv(). Also can you debug this like: gdb --args doveadm index -u user@domain INBOX run f 5 p src p ic_srcbuf p *src_size p srcleft
TLS communication director -> backend with X.509 cert checks?
Hello,
using Dovecot 2.2.9 and a setup with directors and backends.
The communication between directors and backends needs to be TLS
secured.
The director config contains a list of hostnames for the backends.
(implicit list because of multiple A/ records for a single hostname
or explicit list of several host names)
On connection setup from a client the director connects to the
selected backend. But it seems (not checked in the source yet),
that for SSL certificate verification the director doesn't know the
original host name anymore. The certificate's CN gets compared to
the IP address the director connects to.
Oct 12 23:56:51 director2 dovecot: director: Error:
director(2001:683:921:f33::5:1:9090/out): connect() failed: Connection reset by
peer
Oct 12 23:57:53 director2 dovecot: imap-login: Error: proxy: hostname doesn't
match SSL certificate at 2001:683:921:f33::5:fe:993: user=, method=PLAIN,
rip=2001:638:912:f33::1:1, lip=2001:638:912:f33::5:2, TLS,
session=
In 10-directors.conf I've:
director_mail_servers = backend1. backend2.
Should I create certificates with IP address in SAN? (Any hint about the
correct syntax for the openssl.conf is welcome). Or is there any chance
that this is fixed already or will be fixed in the near future or even
better, that it's my fault?
Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --- key ID: F69376CE -
! key id 7CBF764A and 972EAC9F are revoked since 2015-01 -
signature.asc
Description: Digital signature
Re: bug report: dovecot-imapd core dump
On 10 Oct 2015, at 20:34, Tamas Papp wrote:
>
> Hi,
>
> Since I did not get any specific suggestions about this bug, I am
> attaching another backtrace. Any suggestions for workarounds etc would
> be appreciated -- should I regenerate the index? Or install a dovecot
> from the repo where this might be fixed? Is this a known bug?
Fixed: http://hg.dovecot.org/dovecot-2.2/rev/5e48c5a29ddd
The APPEND will still fail, but at least it won't crash anymore.
>
> Best,
>
> Tamas
>
>
> On Wed, Oct 07 2015, Tamas Papp wrote:
>
>> Hi,
>>
>> could not find it -- back to the list, maybe someone can suggest a
>> fix/workaround.
>>
>> Best,
>>
>> Tamas
>>
>> On Wed, Oct 07 2015, Dominik Breu wrote:
>>
>>> Hello,
>>>
>>> yeah this one looks familiar to me can you search the list back in
>>> september there was a somewhat similar bug with thunderbird imho timo
>>> posted a notice about it.
>>>
>>> greetings,
>>>
>>> dominik
>>>
>>> Am Mittwoch, den 07.10.2015, 15:53 +0200 schrieb Tamas Papp:
Hi Dominik,
Thanks for the help, the backtrace is here (I did not sent it to the
list since I am not sure if it contains password or message
information,
sorry but I am unfamiliar with these things).
Core was generated by `dovecot/imap'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x7f404e58e3b6 in mail_index_keywords_unref
#(_keywords=_keywords@entry=0x7ffecb8adeb8) at mail-index.c:383
383 mail-index.c: No such file or directory.
(gdb) bt full
#0 0x7f404e58e3b6 in mail_index_keywords_unref
#(_keywords=_keywords@entry=0x7ffecb8adeb8) at mail-index.c:383
keywords = 0x7f404e27066d
__FUNCTION__ = "mail_index_keywords_unref"
#1 0x7f404e559975 in mailbox_keywords_unref
(keywords=keywords@entry=0x7ffecb8adeb8) at mailbox-keywords.c:94
No locals.
#2 0x7f404ea254ad in cmd_append_handle_args
(nonsync_r=0x7ffecb8ade8f,
#args=, cmd=0x7f4050bc3250) at cmd-append.c:602
ctx = 0x7f4050bc3348
flags_list = 0x7f4050bcc840
flags = 9
keywords_list = 0x7f4050bc33f0
internal_date_str = 0x7f4050bcca00 "17-Sep-2015 14:19:23
+0200"
internal_date = -1
timezone_offset = 0
keywords = 0x0
ret =
client = 0x7f4050bc2670
cat_list = 0x0
input =
valid =
#3 cmd_append_parse_new_msg (cmd=cmd@entry=0x7f4050bc3250) at
cmd-append.c:770
client =
ctx = 0x7f4050bc3348
args = 0x7f4050bcc488
msg =
arg_min_count =
fatal = 255
nonsync = true
last_literal =
ret =
__FUNCTION__ = "cmd_append_parse_new_msg"
#4 0x7f404ea25a17 in cmd_append (cmd=0x7f4050bc3250) at
cmd-append.c:932
client = 0x7f4050bc2670
ctx = 0x7f4050bc3348
mailbox = 0x7f4050bafb78 "Cemex"
#5 0x7f404ea30e4c in command_exec (cmd=cmd@entry=0x7f4050bc3250)
at
imap-commands.c:158
hook = 0x7f4050bad0d0
ret =
#6 0x7f404ea2fd62 in client_command_input (cmd=0x7f4050bc3250)
at
imap-client.c:780
client = 0x7f4050bc2670
command =
__FUNCTION__ = "client_command_input"
#7 0x7f404ea2fe16 in client_command_input (cmd=0x7f4050bc3250)
at
imap-client.c:841
client = 0x7f4050bc2670
command =
__FUNCTION__ = "client_command_input"
#8 0x7f404ea3014d in client_handle_next_command
(remove_io_r=>>> pointer>, client=0x7f4050bc2670) at imap-client.c:879
---Type to continue, or q to quit---
No locals.
#9 client_handle_input (client=0x7f4050bc2670) at imap-client.c:891
_data_stack_cur_id = 3
remove_io = false
handled_commands = false
client = 0x7f4050bc2670
#10 0x7f404ea304f5 in client_input (client=0x7f4050bc2670) at
imap-client.c:933
cmd = 0xf013c
output = 0x7f4050bc30a0
bytes = 135
__FUNCTION__ = "client_input"
#11 0x7f404e285247 in io_loop_call_io (io=0x7f4050bc3170) at
ioloop.c:388
ioloop = 0x7f4050bac720
t_id = 2
#12 0x7f404e286079 in io_loop_handler_run
(ioloop=ioloop@entry=0x7f4050bac720) at ioloop-epoll.c:220
ctx = 0x7f4050bad3b0
io =
tv = {tv_sec = 1799, tv_usec = 999282}
events_count =
msecs =
ret = 1
i = 0
j =
call =
__FUNCTION__ = "io_loop_handler_run"
#13 0x7f404e284d88 in io_loop_run (ioloop=0x7f4050bac720) at
ioloop.c:412
__FUNCTION__ = "io_loop_run"
#14 0x7f404e231de3 in master_service_run (ser
Re: Dovecot auth-ldap ignores tls_* settings when using ldaps://
Timo Sirainen (Di 13 Okt 2015 20:19:54 CEST):
..
> > --- dovecot-2.2.9/src/auth/db-ldap.c2013-11-24 14:37:39.0 +0100
> > +++ dovecot-2.2.9.hs12/src/auth/db-ldap.c 2015-10-08
> > 21:24:47.051446465 +0200
> > @@ -1043,7 +1043,7 @@
> >
> > static void db_ldap_set_tls_options(struct ldap_connection *conn)
> > {
> > - if (!conn->set.tls)
> > + if (!(conn->set.tls || strncmp(conn->set.uris, "ldaps:", 6) == 0))
> >return;
>
> That's a bit ugly. I think also the URIs support multiple ones, so some ldap
> and some ldaps URLs could even be mixed, which of course would be quite
> ugly.. I think the fix is to just remove the if (tls)-check completely. I
> don't think setting those harms anything even if tls/ldaps isn't being used?
Yes, thinking about mixed schema in the URIs whould have been my next
question :)
Ok, I can test what happens if we set tls_options w/o using LDAP+TLS or
LDAPS at all.
Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --- key ID: F69376CE -
! key id 7CBF764A and 972EAC9F are revoked since 2015-01 -
signature.asc
Description: Digital signature
Re: dovecot as proxy and verification of the backends certificate
Timo Sirainen (Di 13 Okt 2015 20:27:25 CEST):
…
> ># followed by the matching CRL(s). (e.g. ssl_ca = ># ssl_ca =
> >ssl_ca = >
> > Bug or feature? Mainly I'm asking because the comments do not indicate
> > that I should have used ssl_ca for this type of operation (dovecot as a
> > SSL client)
>
> It's a missing feature. I updated
> http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/Proxy about this. I'm
> thinking that once login-common code uses lib-ssl-iostream instead of the
> duplicated SSL code this gets fixed more or less automatically. Note sure if
> that'll happen for v2.3 or not.
Thank you.
Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --- key ID: F69376CE -
! key id 7CBF764A and 972EAC9F are revoked since 2015-01 -
signature.asc
Description: Digital signature
Re: Multiple core solr support
> On 11 Oct 2015, at 08:42, Daniel Miller wrote: > > Is it possible to use variables, such as domain or username, in the plugin > url declaration? This would allow using multiple cores to separate the > stored indexes. So when my own giant mailbox gets corrupt...I don't have to > rebuild everybody's... > > Something like url=http://mysolr.server.com:8983/solr/%u Exactly that. Or things like http://mysolr%4Nu.server.com to have it use mysolr0..3.server.com based on the username hash.
Re: dovecot as proxy and verification of the backends certificate
On 11 Oct 2015, at 20:04, Heiko Schlittermann wrote: > > Hello, > > I'm using a dovecot as proxy, connecting to one or more backends. > The backends use X.509 certificates. > > The proxy's passdb returns > >extra fields: >user=foo >proxy >host=backend1. >ssl=yes >nopassword=y > > Thus the proxy connects to the backend but can't verify the backends > certificate. > > The following comment suggests using ssl_client_ca_file for that. > ># Directory and/or file for trusted SSL CA certificates. These are used > only ># when Dovecot needs to act as an SSL client (e.g. imapc backend). The ># directory is usually /etc/ssl/certs in Debian-based systems and the file > is ># /etc/pki/tls/cert.pem in RedHat-based systems. >#ssl_client_ca_dir = >#ssl_client_ca_file = >ssl_client_ca_file = /tmp/certs/ca-local.pem > > But that does not work! Instead I've to use ssl_ca > ># PEM encoded trusted certificate authority. Set this only if you intend > to use ># ssl_verify_client_cert=yes. The file should contain the CA certificate(s) ># followed by the matching CRL(s). (e.g. ssl_ca = # ssl_ca = >ssl_ca = > Bug or feature? Mainly I'm asking because the comments do not indicate > that I should have used ssl_ca for this type of operation (dovecot as a > SSL client) It's a missing feature. I updated http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/Proxy about this. I'm thinking that once login-common code uses lib-ssl-iostream instead of the duplicated SSL code this gets fixed more or less automatically. Note sure if that'll happen for v2.3 or not.
Re: Dovecot auth-ldap ignores tls_* settings when using ldaps://
On 08 Oct 2015, at 22:46, Heiko Schlittermann wrote:
>
> Hi,
>
> I'm using dovecot 2.2.9 (but after checking src/auth/db-ldap.c in 2.2.13
> there seems to be the same bug/feature).
>
> The userdb and passdb use LDAP. All further configuration is done in
> auth-ldap.conf.ext.
>
>uri = ldaps:///
># tls =
>tls_cert_file = /etc/ssl/certs/client-cert.pem
>tls_key_file = /etc/ssl/certs/client-key.file
>
> Dovecot ignores the tls_* options. If I use an ldap:// URI and
> switch on TLS using tls=yes it works as expected.
>
> But I do not see any reason why LDAPS should not read the tls_*
> settings.
I guess.
> This small patch solved it for me
>
> --- dovecot-2.2.9/src/auth/db-ldap.c2013-11-24 14:37:39.0 +0100
> +++ dovecot-2.2.9.hs12/src/auth/db-ldap.c 2015-10-08 21:24:47.051446465
> +0200
> @@ -1043,7 +1043,7 @@
>
> static void db_ldap_set_tls_options(struct ldap_connection *conn)
> {
> - if (!conn->set.tls)
> + if (!(conn->set.tls || strncmp(conn->set.uris, "ldaps:", 6) == 0))
>return;
That's a bit ugly. I think also the URIs support multiple ones, so some ldap
and some ldaps URLs could even be mixed, which of course would be quite ugly..
I think the fix is to just remove the if (tls)-check completely. I don't think
setting those harms anything even if tls/ldaps isn't being used?
Dovecot - Postfix with HAproxy
Hi Everyone,
I wouldlike to set up a postfix-dovecot with HA using HAproxy but im
facing issues.
I've followed this documentation :
http://wiki2.dovecot.org/HAProxy (pour dovecot)
http://blog.haproxy.com/2012/06/30/efficient-smtp-relay-infrastructure-with-postfix-and-load-balancers/
(pour postfix)
Package's version :
dovecot : 2:2.2.19 (>= 2.2.19 pour proxy protocol)
haproxy : 1.5.14
postfix : 2.11.2-1 (>2.10 pour postscreen)
A part of my configuration :
##HAPROXY
#postfix
listen smtp
bind mail.xx.xx:465
balance roundrobin
timeout client 1m
timeout connect 5s
no option http-server-close
mode tcp
option smtpchk
option tcplog
server tst tst.xxx:10465 send-proxy
server tst2 tst2.xxx:10465 send-proxy
server tst3 tst3.xxx:10465 send-proxy
#dovecot
listen imap
bind mail.xxx.xx:993
timeout client 1m
no option http-server-close
balance leastconn
stick store-request src
stick-table type ip size 200k expire 30m
mode tcp
option tcplog
server tst tst.xxx:10993 send-proxy-v2
server tst2tst2.xxx:10993 send-proxy-v2
server tst3 tst3.xxx:10993 send-proxy-v2
##POSTFIX
postix main.cf
#Haproxy proxy protocol
postscreen_upstream_proxy_protocol = haproxy
postfix master.cf
#haproxy
10465 inet n – n – 1 postscreen
smtpd pass – – n – – smtpd
S
##DOVECOT
# 2.2.19 (719e7f8fd70b): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.9
# OS: Linux 2.6.32-41-pve x86_64 Debian 7.9 simfs
auth_debug = yes
auth_verbose = yes
disable_plaintext_auth = no
*haproxy_timeout = 5 secs**
**haproxy_trusted_networks = x.x.x.x*
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_location = maildir:/mailbox/%d/%n
mail_max_userip_connections = 0
mail_privileged_group = mail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric
relational regex imap4flags copy include variables body enotify
environment mailbox date index ihave duplicate
passdb {
args = /etc/dovecot/dovecot-ldap.conf.ext
driver = ldap
}
plugin {
sieve = ~/.dovecot.sieve
sieve_dir = ~/sieve
sieve_global_path = /mailbox/globalsieverc
}
protocols = sieve pop3 imap
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
unix_listener auth-master {
mode = 0660
user = mailboxes
}
unix_listener auth-userdb {
group = mail
mode = 0666
user = dovecot
}
user = root
}
service imap-login {
inet_listener imap {
port = 0
}
inet_listener imap_haproxy {
haproxy = yes
port = 10993
}
inet_listener imaps {
address = *
port = 993
}
process_limit = 450
}
service pop3-login {
inet_listener pop3 {
address = *
port = 110
}
process_limit = 180
}
ssl_cert = was automatically rejected:%n%r
rejection_subject = Rejected: %s
sendmail_path = /usr/sbin/sendmail
}
With my mail client :
With an IMAP connection, logs below, i don't understand why my login is
empty ...
dovecot: imap-login: Disconnected: Too many invalid commands (no auth
attempts in 0 secs): *user=<>*, rip=mon_ip_publique,
lip=ip_publique_haproxy, session= xxx
With a SMTP connection, logs below, i have a timeout.
postfix/postscreen[16654]: CONNECT from [my public ip]:49942 to [my
haproxy public ip]:465
postfix/postscreen[16654]: PREGREET 166 after 0 from [mon ip
publique]:49942:
\22\3\1\161\1\157\3\3+0E\b\213\131\177\173>\r/\213\177i\223k”FjA#\144\145\153\vP\\\155HL\190
If someone could help me, thanks.
Kind regards.
--
Re: fts solr ignores new mailboxes until fts rescan
On 2015-10-13 12:51, Giorgio Paolucci wrote: Hi Christian, may be the issue is related to this other post: http://dovecot.org/pipermail/dovecot/2015-September/102094.html Looks like the same problem and Timo wrote 2.2.19 should fix this -> http://dovecot.org/pipermail/dovecot/2015-September/102097.html regards christian Anyway, what I can tell you is that for every user account, for every folders created after the last doveadm fts rescan for that user, dovecot does not invoke indexer. A new rescan fix the problem for all the folders created up to that moment. I was wondering if I was missing something or if there was a work around to force rescan only for new folders at the moment of their creation... Bests. Giorgio
Re: fts solr ignores new mailboxes until fts rescan
Hi Christian,
may be the issue is related to this other post:
http://dovecot.org/pipermail/dovecot/2015-September/102094.html
Anyway, what I can tell you is that for every user account, for every
folders created after the last doveadm fts rescan for that user, dovecot
does not invoke indexer.
A new rescan fix the problem for all the folders created up to that moment.
I was wondering if I was missing something or if there was a work around to
force rescan only for new folders at the moment of their creation...
Bests.
Giorgio
Quoting Christian Kivalo :
Hi,
On 2015-10-12 18:39, Giorgio Paolucci wrote:
Hello,
on my debian wheezy installation, I implemented fts plugin with solr as
indexing system.
I noticed that if a user creates a new folder, that folder it is
ignored by
dovecot indexing until a doveadm fts rescan is performed for that user.
From that time on everything works ok on that folder.
As a test I set fts_autoindex=yes and put in that folder a brand new
mail
never indexed before. in my logs indexer-worker says it indexed 0
messages
Obviously this is a major issue as users often create new folders, but a
search always returns empty results.
My system is a debian wheezy with dovecot packages from backports
dovecot
2.2.13-11~bpo70+1.
Am I missing something? Any clue would be appreciated.
Am using 2.2.19 with fts_autoindex = yes and Maildir storage.
I create a folder and moved a message from inbox to the new folder and
the log says it indexed 1 message in test, I don't have messages that
where never indexed but i doubt this makes any difference.
I'm using Roundcube and tried the search with both Subject and Body
searches.
Are the mails indexed when you perform a search?
How do you search?
Thank you all in advance.
Bests
Giorgio Paolucci
=
doveconf -n
# 2.2.13: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-4-amd64 x86_64 Debian 7.8
auth_default_realm = xxx
disable_plaintext_auth = no
log_path = /var/log/dovecot/dovecot.log
mail_fsync = always
mail_nfs_index = yes
mail_nfs_storage = yes
mail_plugins = quota listescape mail_log notify fts fts_solr
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope
encoded-character
vacation subaddress comparator-i;ascii-numeric relational regex
imap4flags
copy include variables body enotify environment mailbox date ihave
mdbox_rotate_interval = 1 days
mdbox_rotate_size = 10 M
mmap_disable = yes
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix =
separator = /
}
passdb {
args = /etc/dovecot/conf.d/dovecot-sql.conf.ext
driver = sql
}
passdb {
args = /etc/dovecot/conf.d/dovecot-sqlSSO.conf.ext
driver = sql
}
plugin {
fts = solr
fts_solr = url=http://%n.%1n.solr.csia:8983/solr/
i have and fts_autoindex = yes and break-imap-search set, but afaik the
lattter should only take effect on searches
regards
christian
mail_log_events = delete undelete expunge copy mailbox_delete
mailbox_rename
mail_log_fields = uid box msgid size
pop3_migration_mailbox = INBOX
quota = dict:User quota::file:/SYSTEM/USERS/homes/%d/%1u/%u/%u.quota
quota_rule = *:storage=7000M
quota_rule2 = Trash:storage=+100M
quota_warning = storage=95%% quota-warning 95 %u
quota_warning2 = storage=80%% quota-warning 80 %u
sieve = /SYSTEM/USERS/mailbox/%d/%1n/%u/.dovecotactive.sieve
sieve_default = /etc/dovecot/default.sieve
sieve_dir = /SYSTEM/USERS/mailbox/%d/%1n/%u/sieve
}
pop3c_host = 147.162.10.68
protocols = imap pop3 lmtp sieve
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
unix_listener auth-userdb {
group = vmail
mode = 0600
user = vmail
}
}
service imap-login {
inet_listener imaps {
ssl = no
}
process_min_avail = 20
service_count = 1
}
service imap {
executable = imap postlogin
process_limit = 4096
}
service lmtp {
executable = lmtp
inet_listener lmtp {
port = 2223
}
process_min_avail = 15
}
service pop3-login {
inet_listener pop3s {
ssl = no
}
}
service pop3 {
process_limit = 256
}
service postlogin {
executable = script-login -d rawlog
user = vmail
}
service quota-warning {
executable = script /SYSTEM/DOVECOT/scripts/quota-warning.sh
unix_listener quota-warning {
user = vmail
}
user = vmail
}
ssl = no
userdb {
driver = prefetch
}
userdb {
args = /etc/dovecot/conf.d/dovecot-sql.conf.ext
driver = sql
}
userdb {
driver = prefetch
}
userdb {
args = /etc/dovecot/conf.d/dovecot-sqlSSO.conf.ext
driver = sql
}
protocol lmtp {
info_log_path = /tmp/dovecot-lmtp-info.log
log_path = /tmp/dovecot-lmtp.log
mail_plugins = quota listescape mail_log notify sieve
}
protocol lda {
mai
Re: Problems sync with mail client MAC and dovecot-2.2.10-4.el7_0.1.el7_0.1.x86_64
On 2015-10-13 09:20, grupo correo wrote: Hello, i have installed Centos 7.1.1503 with Dovecot 2.2.10-4.el7_0.1. With Thunderbird all works fine, but when i configure the email client of Mac (Yosemite) with IMAP i can see a error in the log and the client not see the emails: Oct 9 14:31:34 localhost dovecot: imap(xxx@xxx): Fatal: master: service(imap): child 18639 killed with signal 11 (core dumps disabled) Do you have more logs? Have you enabled mail_debug = yes to get more verbose logs? I have read the instructions of http://www.dovecot.org/bugreport.html, but core file is not writing. Does anyone have this issues? I think that can be a problem in the configuration Please share your doveconf -n output. Best regards regards christian
Re: fts solr ignores new mailboxes until fts rescan
Hi,
On 2015-10-12 18:39, Giorgio Paolucci wrote:
Hello,
on my debian wheezy installation, I implemented fts plugin with solr as
indexing system.
I noticed that if a user creates a new folder, that folder it is
ignored by
dovecot indexing until a doveadm fts rescan is performed for that user.
From that time on everything works ok on that folder.
As a test I set fts_autoindex=yes and put in that folder a brand new
mail
never indexed before. in my logs indexer-worker says it indexed 0
messages
Obviously this is a major issue as users often create new folders, but
a
search always returns empty results.
My system is a debian wheezy with dovecot packages from backports
dovecot
2.2.13-11~bpo70+1.
Am I missing something? Any clue would be appreciated.
Am using 2.2.19 with fts_autoindex = yes and Maildir storage.
I create a folder and moved a message from inbox to the new folder and
the log says it indexed 1 message in test, I don't have messages that
where never indexed but i doubt this makes any difference.
I'm using Roundcube and tried the search with both Subject and Body
searches.
Are the mails indexed when you perform a search?
How do you search?
Thank you all in advance.
Bests
Giorgio Paolucci
=
doveconf -n
# 2.2.13: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-4-amd64 x86_64 Debian 7.8
auth_default_realm = xxx
disable_plaintext_auth = no
log_path = /var/log/dovecot/dovecot.log
mail_fsync = always
mail_nfs_index = yes
mail_nfs_storage = yes
mail_plugins = quota listescape mail_log notify fts fts_solr
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope
encoded-character
vacation subaddress comparator-i;ascii-numeric relational regex
imap4flags
copy include variables body enotify environment mailbox date ihave
mdbox_rotate_interval = 1 days
mdbox_rotate_size = 10 M
mmap_disable = yes
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix =
separator = /
}
passdb {
args = /etc/dovecot/conf.d/dovecot-sql.conf.ext
driver = sql
}
passdb {
args = /etc/dovecot/conf.d/dovecot-sqlSSO.conf.ext
driver = sql
}
plugin {
fts = solr
fts_solr = url=http://%n.%1n.solr.csia:8983/solr/
i have and fts_autoindex = yes and break-imap-search set, but afaik the
lattter should only take effect on searches
regards
christian
mail_log_events = delete undelete expunge copy mailbox_delete
mailbox_rename
mail_log_fields = uid box msgid size
pop3_migration_mailbox = INBOX
quota = dict:User quota::file:/SYSTEM/USERS/homes/%d/%1u/%u/%u.quota
quota_rule = *:storage=7000M
quota_rule2 = Trash:storage=+100M
quota_warning = storage=95%% quota-warning 95 %u
quota_warning2 = storage=80%% quota-warning 80 %u
sieve = /SYSTEM/USERS/mailbox/%d/%1n/%u/.dovecotactive.sieve
sieve_default = /etc/dovecot/default.sieve
sieve_dir = /SYSTEM/USERS/mailbox/%d/%1n/%u/sieve
}
pop3c_host = 147.162.10.68
protocols = imap pop3 lmtp sieve
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
unix_listener auth-userdb {
group = vmail
mode = 0600
user = vmail
}
}
service imap-login {
inet_listener imaps {
ssl = no
}
process_min_avail = 20
service_count = 1
}
service imap {
executable = imap postlogin
process_limit = 4096
}
service lmtp {
executable = lmtp
inet_listener lmtp {
port = 2223
}
process_min_avail = 15
}
service pop3-login {
inet_listener pop3s {
ssl = no
}
}
service pop3 {
process_limit = 256
}
service postlogin {
executable = script-login -d rawlog
user = vmail
}
service quota-warning {
executable = script /SYSTEM/DOVECOT/scripts/quota-warning.sh
unix_listener quota-warning {
user = vmail
}
user = vmail
}
ssl = no
userdb {
driver = prefetch
}
userdb {
args = /etc/dovecot/conf.d/dovecot-sql.conf.ext
driver = sql
}
userdb {
driver = prefetch
}
userdb {
args = /etc/dovecot/conf.d/dovecot-sqlSSO.conf.ext
driver = sql
}
protocol lmtp {
info_log_path = /tmp/dovecot-lmtp-info.log
log_path = /tmp/dovecot-lmtp.log
mail_plugins = quota listescape mail_log notify sieve
}
protocol lda {
mail_plugins = quota listescape mail_log notify
}
protocol imap {
imap_max_line_length = 128 k
mail_max_userip_connections = 20
mail_plugins = quota listescape mail_log notify fts fts_solr
imap_quota
}
protocol doveadm {
mail_plugins = quota listescape mail_log notify fts fts_solr
pop3_migration
}
protocol pop3 {
pop3_no_flag_updates = yes
pop3_uidl_format = %10v.%09u
Problems sync with mail client MAC and dovecot-2.2.10-4.el7_0.1.el7_0.1.x86_64
Hello, i have installed Centos 7.1.1503 with Dovecot 2.2.10-4.el7_0.1. With Thunderbird all works fine, but when i configure the email client of Mac (Yosemite) with IMAP i can see a error in the log and the client not see the emails: Oct 9 14:31:34 localhost dovecot: imap(xxx@xxx): Fatal: master: service(imap): child 18639 killed with signal 11 (core dumps disabled) I have read the instructions of http://www.dovecot.org/bugreport.html, but core file is not writing. Does anyone have this issues? I think that can be a problem in the configuration Best regards
