Re: Thanks for Dovecot
On Tue, 13 Oct 2015, Steve Litt wrote: Thanks for making Dovecot. +1 I just transitioned from Debian Wheezy to Void Linux. It was fairly easy to get Dovecot working on my Void box, and having Dovecot makes all of my email activities easier by doing one thing and doing it right. I'm just curious, did you not find it easy to get Dovecot working on Debian? I ask because if you didn't I'm largely the one to thank :-) -- Jaldhar H. Vyas
Re: Thanks for Dovecot
> Thanks for making Dovecot. > > I just transitioned from Debian Wheezy to Void Linux. It was fairly > easy to get Dovecot working on my Void box, and having Dovecot makes > all of my email activities easier by doing one thing and doing it right. > > Thank you for such great software. Same here. I switched from courier to dovecot and one of my users with a very heavy inbox called it "scary fast". Should have switched years ago. - Grant
Re: TLS communication director -> backend with X.509 cert checks?
Heiko Schlittermann (Mi 14 Okt 2015 00:46:11 CEST): … > > And if I add -D to the director service, I can see "Debug: request > refreshed timeout to …", > but never I see "Debug: request added". And from what I > understand this would be the place where the mail_host info comes into > the game. > > But probably I do not understand how director_request_continue() is > supposed to work. Ah, the information comes from the other director running. The other one is using an unpatched version of dovecot. If I shutdown the other director instance, it seems to work. Tomorrow I'll do more testing. Good work, thank you. BTW: I've put there an IPv6 address into the director_servers list (not an DNS name). director_servers = 2001:x:y:f33::5:1 … inet_listener { address = :: port = 9090 } it doesn't recognize itself: Oct 14 01:06:13 director1 dovecot: director: Fatal: director_servers doesn't list ourself director_servers = 2001:x:y:f33::5:1:9090 … inet_listener { address = :: port = 9090 } works, but is ambigous, isn't it? Shouldn't we use [2001:x:y:f33::5:1]:9090 in such a case? But: *Unknown director host: [2001:x:y:f33::5:1]* Best regards from Dresden/Germany Viele Grüße aus Dresden Heiko Schlittermann -- SCHLITTERMANN.de internet & unix support - Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} - gnupg encrypted messages are welcome --- key ID: F69376CE - ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 - signature.asc Description: Digital signature
Re: Indexing fails with .. FIELDS_INDEX_EXTENSION).c_str() )' failed
On Wed, 14 Oct 2015 07:28:42 +1100 Timo Sirainen wrote > Looks like a bug in clucene library. I don't know if there's anything that > can be done about it on Dovecot side. I recommend switching to fts-solr. Either that or fts-elasticsearch[1] Regards, Tim [1] https://github.com/ascendantcom/fts-elasticsearch/
Re: TLS communication director -> backend with X.509 cert checks?
Heiko Schlittermann (Mi 14 Okt 2015 00:10:50 CEST): > Timo Sirainen (Di 13 Okt 2015 23:49:20 CEST): > … > > > > Proxying in general does check that hostname matches the SSL certificate, > > because both the hostname and IP address are sent to login process. So it > > should work in a way that host= and hostip= is sent. I > > thought my patch did that.. Normally auth_debug=yes would be enough to > > debug this, but this happens between director and login process so I don't > > think it's going to be of much use. login process's > > client_auth_parse_args() is what should see these two parameters correctly. > > > > I can check this further tomorrow. > > I've put an i_warning("*** %s: ...", __FUNCTION__, ...) into several places. > > Oct 14 00:02:33 director1 dovecot: director: Warning: *** > login_host_callback: > OK#0112#011user=foo#011proxy#011ssl=yes#011nopassword=y#011lip=2001:x.y:f33::5:1#011lport=993#011pass=x#011proxy_refresh=450#011host=2001:x.y:f33::5:fe > > Here it seems that the director doesn't send it's knowledge about the > hostname. > > Here some other output, to show that the host list contains names and > addresses: > > Oct 14 00:02:32 director1 dovecot: director: Warning: ** mail_host_add: added > backends. [2001:x.y:f33::5:fe] > Oct 14 00:02:32 director1 dovecot: director: Warning: ** mail_host_add: added > backends. [2001:x.y:f33::5:ff] > Oct 14 00:02:32 director1 dovecot: director: Warning: ** mail_host_add: added > backends. [149.x.y.103] > Oct 14 00:02:32 director1 dovecot: director: Warning: ** mail_host_add: added > backends. [149.x.y.102] And if I add -D to the director service, I can see "Debug: request refreshed timeout to …", but never I see "Debug: request added". And from what I understand this would be the place where the mail_host info comes into the game. But probably I do not understand how director_request_continue() is supposed to work. Best regards from Dresden/Germany Viele Grüße aus Dresden Heiko Schlittermann -- SCHLITTERMANN.de internet & unix support - Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} - gnupg encrypted messages are welcome --- key ID: F69376CE - ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 - signature.asc Description: Digital signature
Re: TLS communication director -> backend with X.509 cert checks?
Timo Sirainen (Di 13 Okt 2015 23:49:20 CEST): … > > Proxying in general does check that hostname matches the SSL certificate, > because both the hostname and IP address are sent to login process. So it > should work in a way that host= and hostip= is sent. I thought > my patch did that.. Normally auth_debug=yes would be enough to debug this, > but this happens between director and login process so I don't think it's > going to be of much use. login process's client_auth_parse_args() is what > should see these two parameters correctly. > > I can check this further tomorrow. I've put an i_warning("*** %s: ...", __FUNCTION__, ...) into several places. Oct 14 00:02:33 director1 dovecot: director: Warning: *** login_host_callback: OK#0112#011user=foo#011proxy#011ssl=yes#011nopassword=y#011lip=2001:x.y:f33::5:1#011lport=993#011pass=x#011proxy_refresh=450#011host=2001:x.y:f33::5:fe Here it seems that the director doesn't send it's knowledge about the hostname. Here some other output, to show that the host list contains names and addresses: Oct 14 00:02:32 director1 dovecot: director: Warning: ** mail_host_add: added backends. [2001:x.y:f33::5:fe] Oct 14 00:02:32 director1 dovecot: director: Warning: ** mail_host_add: added backends. [2001:x.y:f33::5:ff] Oct 14 00:02:32 director1 dovecot: director: Warning: ** mail_host_add: added backends. [149.x.y.103] Oct 14 00:02:32 director1 dovecot: director: Warning: ** mail_host_add: added backends. [149.x.y.102] -- Heiko signature.asc Description: Digital signature
Re: Thanks for Dovecot
Dave McGuire writes: > On 10/13/2015 05:04 PM, Gedalya wrote: >>> Thanks for making Dovecot. >>> >>> I just transitioned from Debian Wheezy to Void Linux. It was fairly >>> easy to get Dovecot working on my Void box, and having Dovecot makes >>> all of my email activities easier by doing one thing and doing it right. >>> >>> Thank you for such great software. >>> >>> SteveT >> >> Hey, you know what? It's never a bad time to join in and say a simple: >> Thank you! > > Agreed! Thank you! I want to jump on the puppy pile of love... I've used a lot of different IMAP software over the decades, and dovecot has been a breath of fresh air and a huge relief compared to what I've suffered through in the past! Thanks Timo for all your hard work, it really is appreciated! micah
Re: iterate users with passwd-file passdb?
Timo Sirainen writes: > On 14 Oct 2015, at 00:01, Eric Abrahamsen wrote: >> >> Joseph Tam writes: >> >>> Eric Abrahamsen writes: >>> Simply: Is it possible to iterate over users if I'm using the passwd-file passdb driver? Do I need a SQL-based driver if I want to iterate? >>> >>> What do you mean by "iterate"? If you mean whether you can look up a >>> password entry in a multi-entry file, then yes, definitely. If you >>> mean to sequentially go through it and do a first/last/best match, >>> probably not. >> >> Basically I just mean the -A argument to the doveadm commands. For >> example, iterate through all the users and run sa-learn on each user's >> learn/spam folder. If it's got to be SQL, it won't kill me... > > Use userdb passwd-file to get iteration working. passdb isn't used for > iteration. userdb static can't be used to iterate. That did it, thank you! I had been staring at this: http://wiki2.dovecot.org/AuthDatabase/PasswdFile#line-38 But not getting it exactly right. For posterity, I edited my conf to look like this: passdb { driver = passwd-file args = username_format=%u scheme=ssha512 /etc/dovecot/passwd.db deny = no master = no pass = no skip = never result_failure = continue result_internalfail = continue result_success = return-ok } userdb { driver = passwd-file args = username_format=%u /etc/dovecot/passwd.db default_fields = uid=vmail gid=vmail home=/var/mail/vmail/%d/%n } Then edited /etc/dovecot/passwd.db to add six colons at the end of each user line -- empty fields since presently everything I need is specified in default_fields. Thanks again, Eric
Re: TLS communication director -> backend with X.509 cert checks?
On 14 Oct 2015, at 00:34, Heiko Schlittermann wrote: > > Hi Timo, > > Heiko Schlittermann (Di 13 Okt 2015 22:33:23 CEST): >>> Does the attached patch work? Compiles, but untested. >> I'm about to test it. > > It seems to update the struct mail_host, but it looks as if the data > in mail_host do not propagate down to login_proxy_new(). > > In other words, in login_proxy_new() set->host contains the IP address, > correctly, because the director choose it, but where can I find the > hostname there? And we need a way to pass the host*name* further, to the > SSL verifcation step, don't we? Proxying in general does check that hostname matches the SSL certificate, because both the hostname and IP address are sent to login process. So it should work in a way that host= and hostip= is sent. I thought my patch did that.. Normally auth_debug=yes would be enough to debug this, but this happens between director and login process so I don't think it's going to be of much use. login process's client_auth_parse_args() is what should see these two parameters correctly. I can check this further tomorrow.
Re: TLS communication director -> backend with X.509 cert checks?
Hi Timo, Heiko Schlittermann (Di 13 Okt 2015 22:33:23 CEST): > > Does the attached patch work? Compiles, but untested. > I'm about to test it. It seems to update the struct mail_host, but it looks as if the data in mail_host do not propagate down to login_proxy_new(). In other words, in login_proxy_new() set->host contains the IP address, correctly, because the director choose it, but where can I find the hostname there? And we need a way to pass the host*name* further, to the SSL verifcation step, don't we? Best regards from Dresden/Germany Viele Grüße aus Dresden Heiko Schlittermann -- SCHLITTERMANN.de internet & unix support - Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} - gnupg encrypted messages are welcome --- key ID: F69376CE - ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 - signature.asc Description: Digital signature
Re: iterate users with passwd-file passdb?
Eric Abrahamsen writes: Simply: Is it possible to iterate over users if I'm using the passwd-file passdb driver? Do I need a SQL-based driver if I want to iterate? What do you mean by "iterate"? If you mean whether you can look up a password entry in a multi-entry file, then yes, definitely. If you mean to sequentially go through it and do a first/last/best match, probably not. Basically I just mean the -A argument to the doveadm commands. For example, iterate through all the users and run sa-learn on each user's learn/spam folder. If it's got to be SQL, it won't kill me... Ah. Yes, you can use -A and iterate through users, subject to any constraints such as first_valid_uid, last_valid_uid, etc. Joseph Tam
Re: iterate users with passwd-file passdb?
On 14 Oct 2015, at 00:01, Eric Abrahamsen wrote: > > Joseph Tam writes: > >> Eric Abrahamsen writes: >> >>> Simply: Is it possible to iterate over users if I'm using the >>> passwd-file passdb driver? Do I need a SQL-based driver if I want to >>> iterate? >> >> What do you mean by "iterate"? If you mean whether you can look up a >> password entry in a multi-entry file, then yes, definitely. If you >> mean to sequentially go through it and do a first/last/best match, >> probably not. > > Basically I just mean the -A argument to the doveadm commands. For > example, iterate through all the users and run sa-learn on each user's > learn/spam folder. If it's got to be SQL, it won't kill me... Use userdb passwd-file to get iteration working. passdb isn't used for iteration. userdb static can't be used to iterate.
Re: Thanks for Dovecot
On 10/13/2015 05:04 PM, Gedalya wrote: >> Thanks for making Dovecot. >> >> I just transitioned from Debian Wheezy to Void Linux. It was fairly >> easy to get Dovecot working on my Void box, and having Dovecot makes >> all of my email activities easier by doing one thing and doing it right. >> >> Thank you for such great software. >> >> SteveT > > Hey, you know what? It's never a bad time to join in and say a simple: > Thank you! Agreed! Thank you! -Dave -- Dave McGuire, AK4HZ New Kensington, PA
Re: Thanks for Dovecot
On 10/13/2015 04:00 PM, Steve Litt wrote: Hi all, Thanks for making Dovecot. I just transitioned from Debian Wheezy to Void Linux. It was fairly easy to get Dovecot working on my Void box, and having Dovecot makes all of my email activities easier by doing one thing and doing it right. Thank you for such great software. SteveT Hey, you know what? It's never a bad time to join in and say a simple: Thank you!
Re: iterate users with passwd-file passdb?
Joseph Tam writes: > Eric Abrahamsen writes: > >> Simply: Is it possible to iterate over users if I'm using the >> passwd-file passdb driver? Do I need a SQL-based driver if I want to >> iterate? > > What do you mean by "iterate"? If you mean whether you can look up a > password entry in a multi-entry file, then yes, definitely. If you > mean to sequentially go through it and do a first/last/best match, > probably not. Basically I just mean the -A argument to the doveadm commands. For example, iterate through all the users and run sa-learn on each user's learn/spam folder. If it's got to be SQL, it won't kill me... Thanks! Eric
Re: iterate users with passwd-file passdb?
Eric Abrahamsen writes: Simply: Is it possible to iterate over users if I'm using the passwd-file passdb driver? Do I need a SQL-based driver if I want to iterate? What do you mean by "iterate"? If you mean whether you can look up a password entry in a multi-entry file, then yes, definitely. If you mean to sequentially go through it and do a first/last/best match, probably not. Joseph Tam
Re: TLS communication director -> backend with X.509 cert checks?
Timo Sirainen (Di 13 Okt 2015 21:36:40 CEST): … > > I see: > > > >a) pass the host *names* to the director too, for CN verification > > purpose > > > > May be in struct mail_host could be a field for the original > > hostname we used to obtain the adress(es)? > > Does the attached patch work? Compiles, but untested. I'm about to test it. Best regards from Dresden/Germany Viele Grüße aus Dresden Heiko Schlittermann -- SCHLITTERMANN.de internet & unix support - Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} - gnupg encrypted messages are welcome --- key ID: F69376CE - ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 - signature.asc Description: Digital signature
Re: Indexing fails with .. FIELDS_INDEX_EXTENSION).c_str() )' failed
On 13 Oct 2015, at 23:25, Akash wrote: > > Hi, > > Mailing list archives suggest that this problem has been fixed in the > older versions itself but I am getting the error still while trying to > doveadm index a large folder of emails. Sometimes it throws error > after 3, something 4, the latest it gave up after 111000. But > it just never completes. > > 111000/322080doveadm: > /home/stephan/packages/wheezy/i386/clucene-core-2.3.3.4/src/core/CLucene/index/DocumentsWriter.cpp:210: > std::string lucene::index::DocumentsWriter::closeDocStore(): Assertion > `numDocsInStore*8 == directory->fileLength( (docStoreSegment + "." + > IndexFileNames::FIELDS_INDEX_EXTENSION).c_str() )' failed. > Aborted > > I am using dovecot 2:2.2.19-1~auto+7& libclucene-core1:i386 2.3.3.4-4 > from debian wheezy backports. Please advice. Looks like a bug in clucene library. I don't know if there's anything that can be done about it on Dovecot side. I recommend switching to fts-solr.
Indexing fails with .. FIELDS_INDEX_EXTENSION).c_str() )' failed
Hi, Mailing list archives suggest that this problem has been fixed in the older versions itself but I am getting the error still while trying to doveadm index a large folder of emails. Sometimes it throws error after 3, something 4, the latest it gave up after 111000. But it just never completes. 111000/322080doveadm: /home/stephan/packages/wheezy/i386/clucene-core-2.3.3.4/src/core/CLucene/index/DocumentsWriter.cpp:210: std::string lucene::index::DocumentsWriter::closeDocStore(): Assertion `numDocsInStore*8 == directory->fileLength( (docStoreSegment + "." + IndexFileNames::FIELDS_INDEX_EXTENSION).c_str() )' failed. Aborted I am using dovecot 2:2.2.19-1~auto+7& libclucene-core1:i386 2.3.3.4-4 from debian wheezy backports. Please advice. -Akash
Re: Dovecot - Postfix with HAproxy
Op 10/13/2015 om 5:15 PM schreef Michael JOIGNY: (For some reason Thunderbird messes up this e-mail). You could try to do pre-login rawlog to see what HAProxy is sending to Dovecot. http://wiki2.dovecot.org/Debugging/Rawlog Regards, Stephan.
Thanks for Dovecot
Hi all, Thanks for making Dovecot. I just transitioned from Debian Wheezy to Void Linux. It was fairly easy to get Dovecot working on my Void box, and having Dovecot makes all of my email activities easier by doing one thing and doing it right. Thank you for such great software. SteveT
Re: Dualstack IPv4/IPv6 setup with directors
Timo Sirainen (Di 13 Okt 2015 21:42:41 CEST): … > > Oct 13 21:23:29 director1 dovecot: director: Error: > > director(149.x.y.97:9090/out): connect() failed: Connection refused > > Oct 13 21:23:29 director1 dovecot: director: Warning: net_connect_ip(): > > ip->family != my_ip->family > > Oct 13 21:23:29 director1 dovecot: director: Error: Remote director thinks > > it's someone else (connected to 2001:x:y:f33::5:1:9090, remote says it's > > 149.x.y.96:9090) > > > > I assume it's because the director uses only one (IPv4 OR IPv6) address > > for it's own identity, right? > > Right. I thought I did something to fix this crash, but probably not. In any > case it's not a supported configuration even if it didn't crash. Ok, maybe it should be mentioned in the Wiki, that having multiple addresses per directors isn't supported for director-director communication. But anyway, thanks for the information, it helps. -- Heiko signature.asc Description: Digital signature
Re: Dualstack IPv4/IPv6 setup with directors
On 13 Oct 2015, at 22:31, Heiko Schlittermann wrote: > > Hi, > > still using 2.2.9, I've two directors, and these directors > use both IPv4/IPv6 addresses. > > `host directors.` returns one A and AAA for each > of the two directors: > >directors. has address 149.x.y.96 (director1) >directors. has address 149.x.y.97 (director2) >directors. has IPv6 address 2001:x:y:f33::5:1 (director1) >directors. has IPv6 address 2001:x:y:f33::5:2 (director2) > > But connecting the the neighbor director gives: > > Oct 13 21:23:29 director1 dovecot: director: Warning: Director > 2001:x:y:f33::5:2:9090/left disconnected us with reason: Invalid input: ME > 149.x.y.96 9090 > Oct 13 21:23:29 director1 dovecot: director: Error: > director(149.x.y.97:9090/out): connect() failed: Connection refused > Oct 13 21:23:29 director1 dovecot: director: Warning: net_connect_ip(): > ip->family != my_ip->family > Oct 13 21:23:29 director1 dovecot: director: Error: Remote director thinks > it's someone else (connected to 2001:x:y:f33::5:1:9090, remote says it's > 149.x.y.96:9090) > > I assume it's because the director uses only one (IPv4 OR IPv6) address > for it's own identity, right? Right. I thought I did something to fix this crash, but probably not. In any case it's not a supported configuration even if it didn't crash.
Re: TLS communication director -> backend with X.509 cert checks?
> On 13 Oct 2015, at 22:21, Heiko Schlittermann wrote: > > Timo Sirainen (Di 13 Okt 2015 21:02:59 CEST): >>> the IP address the director connects to. >> >> Right. The hostnames are lost immediately at director startup. I've never >> really thought about needing this functionality for director, since they're >> usually in the same trusted network with backends.. >> > > Ooo. > What if > >director_mail_servers = backends. > > and the DNS entry for backends. gets updated? Does the director > catch up the change automatically w/o restart? No, and I'm not sure it even should. Use "doveadm director ring remove" to get rid of unwanted directors.
Re: TLS communication director -> backend with X.509 cert checks?
On 13 Oct 2015, at 22:18, Heiko Schlittermann wrote: > > Timo Sirainen (Di 13 Okt 2015 21:02:59 CEST): > … >>> On connection setup from a client the director connects to the >>> selected backend. But it seems (not checked in the source yet), >>> that for SSL certificate verification the director doesn't know the >>> original host name anymore. The certificate's CN gets compared to >>> the IP address the director connects to. >> >> Right. The hostnames are lost immediately at director startup. I've never >> really thought about needing this functionality for director, since they're >> usually in the same trusted network with backends.. >> > > That's it… "ususally". And additionally local policy says that we should use > secured connections whenever credentials are transported … And since the > director uses either a master password or the credentials obtained from > the client, we want to use secured connections. And using TLS w/o > verified certs is better than nothing, but it's far from being perfect. I've been planning to add support for non-plaintext SASL for Dovecot proxy. Probably SCRAM-SHA1. That would avoid sending credentials in plaintext, although it wouldn't prevent other kind of MITM. > I see: > >a) pass the host *names* to the director too, for CN verification > purpose > > May be in struct mail_host could be a field for the original > hostname we used to obtain the adress(es)? Does the attached patch work? Compiles, but untested. director-host.diff Description: Binary data
Dualstack IPv4/IPv6 setup with directors
Hi, still using 2.2.9, I've two directors, and these directors use both IPv4/IPv6 addresses. `host directors.` returns one A and AAA for each of the two directors: directors. has address 149.x.y.96 (director1) directors. has address 149.x.y.97 (director2) directors. has IPv6 address 2001:x:y:f33::5:1 (director1) directors. has IPv6 address 2001:x:y:f33::5:2 (director2) But connecting the the neighbor director gives: Oct 13 21:23:29 director1 dovecot: director: Warning: Director 2001:x:y:f33::5:2:9090/left disconnected us with reason: Invalid input: ME 149.x.y.96 9090 Oct 13 21:23:29 director1 dovecot: director: Error: director(149.x.y.97:9090/out): connect() failed: Connection refused Oct 13 21:23:29 director1 dovecot: director: Warning: net_connect_ip(): ip->family != my_ip->family Oct 13 21:23:29 director1 dovecot: director: Error: Remote director thinks it's someone else (connected to 2001:x:y:f33::5:1:9090, remote says it's 149.x.y.96:9090) I assume it's because the director uses only one (IPv4 OR IPv6) address for it's own identity, right? Best regards from Dresden/Germany Viele Grüße aus Dresden Heiko Schlittermann -- SCHLITTERMANN.de internet & unix support - Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} - gnupg encrypted messages are welcome --- key ID: F69376CE - ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 - signature.asc Description: Digital signature
Storage Design (Regligious War, Whatever)
We've been running dovecot director setup using MAILDIR++ spools on NFS served by 4 (aging) Netapp clustered filers and are considering modernizing our storage. There's nothing particularly wrong with the existing storage except the age, density and power consumption don't compare well when against new systems. Refreshing the Netapps is an option but they come at a substantial cost. The last time we were looking one of the recommended hot DIY setups was Linux NFS backed by XFS on N mirrors but this predated the availability of stable ZFS in FreeBSD or Linux as well as products like FreeNAS. A FreeBSD NFS/ZFS filer on commodity hardware with zil/l2arc on a PCIe SSD seems like an attractive, affordable and easily scaled out solution which also would allow us to leverage compression at the filesystem layer. Does anyone have any experience running ZFS spool storage? If so, how do you handle DR/HA for spool storage? Thoughts on how this might compare to using DRBD? Any pitfalls to watch out for or general pointers? Suggestions on pool configuration? -K
Re: TLS communication director -> backend with X.509 cert checks?
Timo Sirainen (Di 13 Okt 2015 21:02:59 CEST): > > the IP address the director connects to. > > Right. The hostnames are lost immediately at director startup. I've never > really thought about needing this functionality for director, since they're > usually in the same trusted network with backends.. > Ooo. What if director_mail_servers = backends. and the DNS entry for backends. gets updated? Does the director catch up the change automatically w/o restart? Best regards from Dresden/Germany Viele Grüße aus Dresden Heiko Schlittermann -- SCHLITTERMANN.de internet & unix support - Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} - gnupg encrypted messages are welcome --- key ID: F69376CE - ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 - signature.asc Description: Digital signature
Re: TLS communication director -> backend with X.509 cert checks?
Timo Sirainen (Di 13 Okt 2015 21:02:59 CEST): … > > On connection setup from a client the director connects to the > > selected backend. But it seems (not checked in the source yet), > > that for SSL certificate verification the director doesn't know the > > original host name anymore. The certificate's CN gets compared to > > the IP address the director connects to. > > Right. The hostnames are lost immediately at director startup. I've never > really thought about needing this functionality for director, since they're > usually in the same trusted network with backends.. > That's it… "ususally". And additionally local policy says that we should use secured connections whenever credentials are transported … And since the director uses either a master password or the credentials obtained from the client, we want to use secured connections. And using TLS w/o verified certs is better than nothing, but it's far from being perfect. I see: a) pass the host *names* to the director too, for CN verification purpose May be in struct mail_host could be a field for the original hostname we used to obtain the adress(es)? or b) allow some kind of certificate pinning, that is loose the implied relation CN <=> hostname > > Should I create certificates with IP address in SAN? (Any hint about the > > correct syntax for the openssl.conf is welcome). Or is there any chance > > that this is fixed already or will be fixed in the near future or even > > better, that it's my fault? > > I guess that could work for now. No idea about how to do such certificates. I'll try that, but I think it's not a solution as soon as we reach out for "official" certs. And because it puts more details about the infrastructure into the configuration than would be necessary. Best regards from Dresden/Germany Viele Grüße aus Dresden Heiko Schlittermann -- SCHLITTERMANN.de internet & unix support - Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} - gnupg encrypted messages are welcome --- key ID: F69376CE - ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 - signature.asc Description: Digital signature
Re: TLS communication director -> backend with X.509 cert checks?
On 13 Oct 2015, at 21:44, Heiko Schlittermann wrote: > > Hello, > > using Dovecot 2.2.9 and a setup with directors and backends. > The communication between directors and backends needs to be TLS > secured. > > The director config contains a list of hostnames for the backends. > (implicit list because of multiple A/ records for a single hostname > or explicit list of several host names) > > On connection setup from a client the director connects to the > selected backend. But it seems (not checked in the source yet), > that for SSL certificate verification the director doesn't know the > original host name anymore. The certificate's CN gets compared to > the IP address the director connects to. Right. The hostnames are lost immediately at director startup. I've never really thought about needing this functionality for director, since they're usually in the same trusted network with backends.. > Should I create certificates with IP address in SAN? (Any hint about the > correct syntax for the openssl.conf is welcome). Or is there any chance > that this is fixed already or will be fixed in the near future or even > better, that it's my fault? I guess that could work for now. No idea about how to do such certificates.
Re: Unknown cache fields?
On 05 Oct 2015, at 17:43, Larry Rosenman wrote: > > I assume this is expected, but just checking. I do NOT use POP3. > > Oct 5 09:41:20 thebighonker dovecot: indexer-worker(mrm): Debug: Ignoring > unknown cache field: pop3.order > Oct 5 09:41:20 thebighonker dovecot: indexer-worker(mrm): Debug: Ignoring > unknown cache field: binary.parts > Oct 5 09:41:20 thebighonker dovecot: indexer-worker(mrm): Debug: Ignoring > unknown cache field: body.snippet Bug, but it just affected dsync optimization. Fixed: http://hg.dovecot.org/dovecot-2.2/rev/3b1e7941542f
Re: doveadm index assertion failed
On 05 Oct 2015, at 22:05, Nick Rosier wrote: > > Hi, > > one of my mailboxes returns following error when I run doveadm index on it: > > Panic: file charset-iconv.c: line 85 (charset_to_utf8_try): assertion failed: > (srcleft <= CHARSET_MAX_PENDING_BUF_SIZE) > > OS: FreeBSD 10.2 > Dovecot: 2.1.19 > Tika: 1.10 > SOLR: 5.3.1 I thought this would have definitely been fixed by now.. Can you find some specific email which is triggering this? It's either something strange that I didn't expect, or it's a bug in FreeBSD's iconv(). Also can you debug this like: gdb --args doveadm index -u user@domain INBOX run f 5 p src p ic_srcbuf p *src_size p srcleft
TLS communication director -> backend with X.509 cert checks?
Hello, using Dovecot 2.2.9 and a setup with directors and backends. The communication between directors and backends needs to be TLS secured. The director config contains a list of hostnames for the backends. (implicit list because of multiple A/ records for a single hostname or explicit list of several host names) On connection setup from a client the director connects to the selected backend. But it seems (not checked in the source yet), that for SSL certificate verification the director doesn't know the original host name anymore. The certificate's CN gets compared to the IP address the director connects to. Oct 12 23:56:51 director2 dovecot: director: Error: director(2001:683:921:f33::5:1:9090/out): connect() failed: Connection reset by peer Oct 12 23:57:53 director2 dovecot: imap-login: Error: proxy: hostname doesn't match SSL certificate at 2001:683:921:f33::5:fe:993: user=, method=PLAIN, rip=2001:638:912:f33::1:1, lip=2001:638:912:f33::5:2, TLS, session= In 10-directors.conf I've: director_mail_servers = backend1. backend2. Should I create certificates with IP address in SAN? (Any hint about the correct syntax for the openssl.conf is welcome). Or is there any chance that this is fixed already or will be fixed in the near future or even better, that it's my fault? Best regards from Dresden/Germany Viele Grüße aus Dresden Heiko Schlittermann -- SCHLITTERMANN.de internet & unix support - Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} - gnupg encrypted messages are welcome --- key ID: F69376CE - ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 - signature.asc Description: Digital signature
Re: bug report: dovecot-imapd core dump
On 10 Oct 2015, at 20:34, Tamas Papp wrote: > > Hi, > > Since I did not get any specific suggestions about this bug, I am > attaching another backtrace. Any suggestions for workarounds etc would > be appreciated -- should I regenerate the index? Or install a dovecot > from the repo where this might be fixed? Is this a known bug? Fixed: http://hg.dovecot.org/dovecot-2.2/rev/5e48c5a29ddd The APPEND will still fail, but at least it won't crash anymore. > > Best, > > Tamas > > > On Wed, Oct 07 2015, Tamas Papp wrote: > >> Hi, >> >> could not find it -- back to the list, maybe someone can suggest a >> fix/workaround. >> >> Best, >> >> Tamas >> >> On Wed, Oct 07 2015, Dominik Breu wrote: >> >>> Hello, >>> >>> yeah this one looks familiar to me can you search the list back in >>> september there was a somewhat similar bug with thunderbird imho timo >>> posted a notice about it. >>> >>> greetings, >>> >>> dominik >>> >>> Am Mittwoch, den 07.10.2015, 15:53 +0200 schrieb Tamas Papp: Hi Dominik, Thanks for the help, the backtrace is here (I did not sent it to the list since I am not sure if it contains password or message information, sorry but I am unfamiliar with these things). Core was generated by `dovecot/imap'. Program terminated with signal SIGSEGV, Segmentation fault. #0 0x7f404e58e3b6 in mail_index_keywords_unref #(_keywords=_keywords@entry=0x7ffecb8adeb8) at mail-index.c:383 383 mail-index.c: No such file or directory. (gdb) bt full #0 0x7f404e58e3b6 in mail_index_keywords_unref #(_keywords=_keywords@entry=0x7ffecb8adeb8) at mail-index.c:383 keywords = 0x7f404e27066d __FUNCTION__ = "mail_index_keywords_unref" #1 0x7f404e559975 in mailbox_keywords_unref (keywords=keywords@entry=0x7ffecb8adeb8) at mailbox-keywords.c:94 No locals. #2 0x7f404ea254ad in cmd_append_handle_args (nonsync_r=0x7ffecb8ade8f, #args=, cmd=0x7f4050bc3250) at cmd-append.c:602 ctx = 0x7f4050bc3348 flags_list = 0x7f4050bcc840 flags = 9 keywords_list = 0x7f4050bc33f0 internal_date_str = 0x7f4050bcca00 "17-Sep-2015 14:19:23 +0200" internal_date = -1 timezone_offset = 0 keywords = 0x0 ret = client = 0x7f4050bc2670 cat_list = 0x0 input = valid = #3 cmd_append_parse_new_msg (cmd=cmd@entry=0x7f4050bc3250) at cmd-append.c:770 client = ctx = 0x7f4050bc3348 args = 0x7f4050bcc488 msg = arg_min_count = fatal = 255 nonsync = true last_literal = ret = __FUNCTION__ = "cmd_append_parse_new_msg" #4 0x7f404ea25a17 in cmd_append (cmd=0x7f4050bc3250) at cmd-append.c:932 client = 0x7f4050bc2670 ctx = 0x7f4050bc3348 mailbox = 0x7f4050bafb78 "Cemex" #5 0x7f404ea30e4c in command_exec (cmd=cmd@entry=0x7f4050bc3250) at imap-commands.c:158 hook = 0x7f4050bad0d0 ret = #6 0x7f404ea2fd62 in client_command_input (cmd=0x7f4050bc3250) at imap-client.c:780 client = 0x7f4050bc2670 command = __FUNCTION__ = "client_command_input" #7 0x7f404ea2fe16 in client_command_input (cmd=0x7f4050bc3250) at imap-client.c:841 client = 0x7f4050bc2670 command = __FUNCTION__ = "client_command_input" #8 0x7f404ea3014d in client_handle_next_command (remove_io_r=>>> pointer>, client=0x7f4050bc2670) at imap-client.c:879 ---Type to continue, or q to quit--- No locals. #9 client_handle_input (client=0x7f4050bc2670) at imap-client.c:891 _data_stack_cur_id = 3 remove_io = false handled_commands = false client = 0x7f4050bc2670 #10 0x7f404ea304f5 in client_input (client=0x7f4050bc2670) at imap-client.c:933 cmd = 0xf013c output = 0x7f4050bc30a0 bytes = 135 __FUNCTION__ = "client_input" #11 0x7f404e285247 in io_loop_call_io (io=0x7f4050bc3170) at ioloop.c:388 ioloop = 0x7f4050bac720 t_id = 2 #12 0x7f404e286079 in io_loop_handler_run (ioloop=ioloop@entry=0x7f4050bac720) at ioloop-epoll.c:220 ctx = 0x7f4050bad3b0 io = tv = {tv_sec = 1799, tv_usec = 999282} events_count = msecs = ret = 1 i = 0 j = call = __FUNCTION__ = "io_loop_handler_run" #13 0x7f404e284d88 in io_loop_run (ioloop=0x7f4050bac720) at ioloop.c:412 __FUNCTION__ = "io_loop_run" #14 0x7f404e231de3 in master_service_run (ser
Re: Dovecot auth-ldap ignores tls_* settings when using ldaps://
Timo Sirainen (Di 13 Okt 2015 20:19:54 CEST): .. > > --- dovecot-2.2.9/src/auth/db-ldap.c2013-11-24 14:37:39.0 +0100 > > +++ dovecot-2.2.9.hs12/src/auth/db-ldap.c 2015-10-08 > > 21:24:47.051446465 +0200 > > @@ -1043,7 +1043,7 @@ > > > > static void db_ldap_set_tls_options(struct ldap_connection *conn) > > { > > - if (!conn->set.tls) > > + if (!(conn->set.tls || strncmp(conn->set.uris, "ldaps:", 6) == 0)) > >return; > > That's a bit ugly. I think also the URIs support multiple ones, so some ldap > and some ldaps URLs could even be mixed, which of course would be quite > ugly.. I think the fix is to just remove the if (tls)-check completely. I > don't think setting those harms anything even if tls/ldaps isn't being used? Yes, thinking about mixed schema in the URIs whould have been my next question :) Ok, I can test what happens if we set tls_options w/o using LDAP+TLS or LDAPS at all. Best regards from Dresden/Germany Viele Grüße aus Dresden Heiko Schlittermann -- SCHLITTERMANN.de internet & unix support - Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} - gnupg encrypted messages are welcome --- key ID: F69376CE - ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 - signature.asc Description: Digital signature
Re: dovecot as proxy and verification of the backends certificate
Timo Sirainen (Di 13 Okt 2015 20:27:25 CEST): … > ># followed by the matching CRL(s). (e.g. ssl_ca = ># ssl_ca = > >ssl_ca = > > > Bug or feature? Mainly I'm asking because the comments do not indicate > > that I should have used ssl_ca for this type of operation (dovecot as a > > SSL client) > > It's a missing feature. I updated > http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/Proxy about this. I'm > thinking that once login-common code uses lib-ssl-iostream instead of the > duplicated SSL code this gets fixed more or less automatically. Note sure if > that'll happen for v2.3 or not. Thank you. Best regards from Dresden/Germany Viele Grüße aus Dresden Heiko Schlittermann -- SCHLITTERMANN.de internet & unix support - Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} - gnupg encrypted messages are welcome --- key ID: F69376CE - ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 - signature.asc Description: Digital signature
Re: Multiple core solr support
> On 11 Oct 2015, at 08:42, Daniel Miller wrote: > > Is it possible to use variables, such as domain or username, in the plugin > url declaration? This would allow using multiple cores to separate the > stored indexes. So when my own giant mailbox gets corrupt...I don't have to > rebuild everybody's... > > Something like url=http://mysolr.server.com:8983/solr/%u Exactly that. Or things like http://mysolr%4Nu.server.com to have it use mysolr0..3.server.com based on the username hash.
Re: dovecot as proxy and verification of the backends certificate
On 11 Oct 2015, at 20:04, Heiko Schlittermann wrote: > > Hello, > > I'm using a dovecot as proxy, connecting to one or more backends. > The backends use X.509 certificates. > > The proxy's passdb returns > >extra fields: >user=foo >proxy >host=backend1. >ssl=yes >nopassword=y > > Thus the proxy connects to the backend but can't verify the backends > certificate. > > The following comment suggests using ssl_client_ca_file for that. > ># Directory and/or file for trusted SSL CA certificates. These are used > only ># when Dovecot needs to act as an SSL client (e.g. imapc backend). The ># directory is usually /etc/ssl/certs in Debian-based systems and the file > is ># /etc/pki/tls/cert.pem in RedHat-based systems. >#ssl_client_ca_dir = >#ssl_client_ca_file = >ssl_client_ca_file = /tmp/certs/ca-local.pem > > But that does not work! Instead I've to use ssl_ca > ># PEM encoded trusted certificate authority. Set this only if you intend > to use ># ssl_verify_client_cert=yes. The file should contain the CA certificate(s) ># followed by the matching CRL(s). (e.g. ssl_ca = # ssl_ca = >ssl_ca = > Bug or feature? Mainly I'm asking because the comments do not indicate > that I should have used ssl_ca for this type of operation (dovecot as a > SSL client) It's a missing feature. I updated http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/Proxy about this. I'm thinking that once login-common code uses lib-ssl-iostream instead of the duplicated SSL code this gets fixed more or less automatically. Note sure if that'll happen for v2.3 or not.
Re: Dovecot auth-ldap ignores tls_* settings when using ldaps://
On 08 Oct 2015, at 22:46, Heiko Schlittermann wrote: > > Hi, > > I'm using dovecot 2.2.9 (but after checking src/auth/db-ldap.c in 2.2.13 > there seems to be the same bug/feature). > > The userdb and passdb use LDAP. All further configuration is done in > auth-ldap.conf.ext. > >uri = ldaps:/// ># tls = >tls_cert_file = /etc/ssl/certs/client-cert.pem >tls_key_file = /etc/ssl/certs/client-key.file > > Dovecot ignores the tls_* options. If I use an ldap:// URI and > switch on TLS using tls=yes it works as expected. > > But I do not see any reason why LDAPS should not read the tls_* > settings. I guess. > This small patch solved it for me > > --- dovecot-2.2.9/src/auth/db-ldap.c2013-11-24 14:37:39.0 +0100 > +++ dovecot-2.2.9.hs12/src/auth/db-ldap.c 2015-10-08 21:24:47.051446465 > +0200 > @@ -1043,7 +1043,7 @@ > > static void db_ldap_set_tls_options(struct ldap_connection *conn) > { > - if (!conn->set.tls) > + if (!(conn->set.tls || strncmp(conn->set.uris, "ldaps:", 6) == 0)) >return; That's a bit ugly. I think also the URIs support multiple ones, so some ldap and some ldaps URLs could even be mixed, which of course would be quite ugly.. I think the fix is to just remove the if (tls)-check completely. I don't think setting those harms anything even if tls/ldaps isn't being used?
Dovecot - Postfix with HAproxy
Hi Everyone, I wouldlike to set up a postfix-dovecot with HA using HAproxy but im facing issues. I've followed this documentation : http://wiki2.dovecot.org/HAProxy (pour dovecot) http://blog.haproxy.com/2012/06/30/efficient-smtp-relay-infrastructure-with-postfix-and-load-balancers/ (pour postfix) Package's version : dovecot : 2:2.2.19 (>= 2.2.19 pour proxy protocol) haproxy : 1.5.14 postfix : 2.11.2-1 (>2.10 pour postscreen) A part of my configuration : ##HAPROXY #postfix listen smtp bind mail.xx.xx:465 balance roundrobin timeout client 1m timeout connect 5s no option http-server-close mode tcp option smtpchk option tcplog server tst tst.xxx:10465 send-proxy server tst2 tst2.xxx:10465 send-proxy server tst3 tst3.xxx:10465 send-proxy #dovecot listen imap bind mail.xxx.xx:993 timeout client 1m no option http-server-close balance leastconn stick store-request src stick-table type ip size 200k expire 30m mode tcp option tcplog server tst tst.xxx:10993 send-proxy-v2 server tst2tst2.xxx:10993 send-proxy-v2 server tst3 tst3.xxx:10993 send-proxy-v2 ##POSTFIX postix main.cf #Haproxy proxy protocol postscreen_upstream_proxy_protocol = haproxy postfix master.cf #haproxy 10465 inet n – n – 1 postscreen smtpd pass – – n – – smtpd S ##DOVECOT # 2.2.19 (719e7f8fd70b): /etc/dovecot/dovecot.conf # Pigeonhole version 0.4.9 # OS: Linux 2.6.32-41-pve x86_64 Debian 7.9 simfs auth_debug = yes auth_verbose = yes disable_plaintext_auth = no *haproxy_timeout = 5 secs** **haproxy_trusted_networks = x.x.x.x* log_timestamp = "%Y-%m-%d %H:%M:%S " mail_location = maildir:/mailbox/%d/%n mail_max_userip_connections = 0 mail_privileged_group = mail managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate passdb { args = /etc/dovecot/dovecot-ldap.conf.ext driver = ldap } plugin { sieve = ~/.dovecot.sieve sieve_dir = ~/sieve sieve_global_path = /mailbox/globalsieverc } protocols = sieve pop3 imap service auth { unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0660 user = postfix } unix_listener auth-master { mode = 0660 user = mailboxes } unix_listener auth-userdb { group = mail mode = 0666 user = dovecot } user = root } service imap-login { inet_listener imap { port = 0 } inet_listener imap_haproxy { haproxy = yes port = 10993 } inet_listener imaps { address = * port = 993 } process_limit = 450 } service pop3-login { inet_listener pop3 { address = * port = 110 } process_limit = 180 } ssl_cert = was automatically rejected:%n%r rejection_subject = Rejected: %s sendmail_path = /usr/sbin/sendmail } With my mail client : With an IMAP connection, logs below, i don't understand why my login is empty ... dovecot: imap-login: Disconnected: Too many invalid commands (no auth attempts in 0 secs): *user=<>*, rip=mon_ip_publique, lip=ip_publique_haproxy, session= xxx With a SMTP connection, logs below, i have a timeout. postfix/postscreen[16654]: CONNECT from [my public ip]:49942 to [my haproxy public ip]:465 postfix/postscreen[16654]: PREGREET 166 after 0 from [mon ip publique]:49942: \22\3\1\161\1\157\3\3+0E\b\213\131\177\173>\r/\213\177i\223k”FjA#\144\145\153\vP\\\155HL\190 If someone could help me, thanks. Kind regards. --
Re: fts solr ignores new mailboxes until fts rescan
On 2015-10-13 12:51, Giorgio Paolucci wrote: Hi Christian, may be the issue is related to this other post: http://dovecot.org/pipermail/dovecot/2015-September/102094.html Looks like the same problem and Timo wrote 2.2.19 should fix this -> http://dovecot.org/pipermail/dovecot/2015-September/102097.html regards christian Anyway, what I can tell you is that for every user account, for every folders created after the last doveadm fts rescan for that user, dovecot does not invoke indexer. A new rescan fix the problem for all the folders created up to that moment. I was wondering if I was missing something or if there was a work around to force rescan only for new folders at the moment of their creation... Bests. Giorgio
Re: fts solr ignores new mailboxes until fts rescan
Hi Christian, may be the issue is related to this other post: http://dovecot.org/pipermail/dovecot/2015-September/102094.html Anyway, what I can tell you is that for every user account, for every folders created after the last doveadm fts rescan for that user, dovecot does not invoke indexer. A new rescan fix the problem for all the folders created up to that moment. I was wondering if I was missing something or if there was a work around to force rescan only for new folders at the moment of their creation... Bests. Giorgio Quoting Christian Kivalo : Hi, On 2015-10-12 18:39, Giorgio Paolucci wrote: Hello, on my debian wheezy installation, I implemented fts plugin with solr as indexing system. I noticed that if a user creates a new folder, that folder it is ignored by dovecot indexing until a doveadm fts rescan is performed for that user. From that time on everything works ok on that folder. As a test I set fts_autoindex=yes and put in that folder a brand new mail never indexed before. in my logs indexer-worker says it indexed 0 messages Obviously this is a major issue as users often create new folders, but a search always returns empty results. My system is a debian wheezy with dovecot packages from backports dovecot 2.2.13-11~bpo70+1. Am I missing something? Any clue would be appreciated. Am using 2.2.19 with fts_autoindex = yes and Maildir storage. I create a folder and moved a message from inbox to the new folder and the log says it indexed 1 message in test, I don't have messages that where never indexed but i doubt this makes any difference. I'm using Roundcube and tried the search with both Subject and Body searches. Are the mails indexed when you perform a search? How do you search? Thank you all in advance. Bests Giorgio Paolucci = doveconf -n # 2.2.13: /etc/dovecot/dovecot.conf # OS: Linux 3.2.0-4-amd64 x86_64 Debian 7.8 auth_default_realm = xxx disable_plaintext_auth = no log_path = /var/log/dovecot/dovecot.log mail_fsync = always mail_nfs_index = yes mail_nfs_storage = yes mail_plugins = quota listescape mail_log notify fts fts_solr managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave mdbox_rotate_interval = 1 days mdbox_rotate_size = 10 M mmap_disable = yes namespace inbox { inbox = yes location = mailbox Drafts { special_use = \Drafts } mailbox Junk { special_use = \Junk } mailbox Sent { special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Trash { special_use = \Trash } prefix = separator = / } passdb { args = /etc/dovecot/conf.d/dovecot-sql.conf.ext driver = sql } passdb { args = /etc/dovecot/conf.d/dovecot-sqlSSO.conf.ext driver = sql } plugin { fts = solr fts_solr = url=http://%n.%1n.solr.csia:8983/solr/ i have and fts_autoindex = yes and break-imap-search set, but afaik the lattter should only take effect on searches regards christian mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename mail_log_fields = uid box msgid size pop3_migration_mailbox = INBOX quota = dict:User quota::file:/SYSTEM/USERS/homes/%d/%1u/%u/%u.quota quota_rule = *:storage=7000M quota_rule2 = Trash:storage=+100M quota_warning = storage=95%% quota-warning 95 %u quota_warning2 = storage=80%% quota-warning 80 %u sieve = /SYSTEM/USERS/mailbox/%d/%1n/%u/.dovecotactive.sieve sieve_default = /etc/dovecot/default.sieve sieve_dir = /SYSTEM/USERS/mailbox/%d/%1n/%u/sieve } pop3c_host = 147.162.10.68 protocols = imap pop3 lmtp sieve service auth { unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0660 user = postfix } unix_listener auth-userdb { group = vmail mode = 0600 user = vmail } } service imap-login { inet_listener imaps { ssl = no } process_min_avail = 20 service_count = 1 } service imap { executable = imap postlogin process_limit = 4096 } service lmtp { executable = lmtp inet_listener lmtp { port = 2223 } process_min_avail = 15 } service pop3-login { inet_listener pop3s { ssl = no } } service pop3 { process_limit = 256 } service postlogin { executable = script-login -d rawlog user = vmail } service quota-warning { executable = script /SYSTEM/DOVECOT/scripts/quota-warning.sh unix_listener quota-warning { user = vmail } user = vmail } ssl = no userdb { driver = prefetch } userdb { args = /etc/dovecot/conf.d/dovecot-sql.conf.ext driver = sql } userdb { driver = prefetch } userdb { args = /etc/dovecot/conf.d/dovecot-sqlSSO.conf.ext driver = sql } protocol lmtp { info_log_path = /tmp/dovecot-lmtp-info.log log_path = /tmp/dovecot-lmtp.log mail_plugins = quota listescape mail_log notify sieve } protocol lda { mai
Re: Problems sync with mail client MAC and dovecot-2.2.10-4.el7_0.1.el7_0.1.x86_64
On 2015-10-13 09:20, grupo correo wrote: Hello, i have installed Centos 7.1.1503 with Dovecot 2.2.10-4.el7_0.1. With Thunderbird all works fine, but when i configure the email client of Mac (Yosemite) with IMAP i can see a error in the log and the client not see the emails: Oct 9 14:31:34 localhost dovecot: imap(xxx@xxx): Fatal: master: service(imap): child 18639 killed with signal 11 (core dumps disabled) Do you have more logs? Have you enabled mail_debug = yes to get more verbose logs? I have read the instructions of http://www.dovecot.org/bugreport.html, but core file is not writing. Does anyone have this issues? I think that can be a problem in the configuration Please share your doveconf -n output. Best regards regards christian
Re: fts solr ignores new mailboxes until fts rescan
Hi, On 2015-10-12 18:39, Giorgio Paolucci wrote: Hello, on my debian wheezy installation, I implemented fts plugin with solr as indexing system. I noticed that if a user creates a new folder, that folder it is ignored by dovecot indexing until a doveadm fts rescan is performed for that user. From that time on everything works ok on that folder. As a test I set fts_autoindex=yes and put in that folder a brand new mail never indexed before. in my logs indexer-worker says it indexed 0 messages Obviously this is a major issue as users often create new folders, but a search always returns empty results. My system is a debian wheezy with dovecot packages from backports dovecot 2.2.13-11~bpo70+1. Am I missing something? Any clue would be appreciated. Am using 2.2.19 with fts_autoindex = yes and Maildir storage. I create a folder and moved a message from inbox to the new folder and the log says it indexed 1 message in test, I don't have messages that where never indexed but i doubt this makes any difference. I'm using Roundcube and tried the search with both Subject and Body searches. Are the mails indexed when you perform a search? How do you search? Thank you all in advance. Bests Giorgio Paolucci = doveconf -n # 2.2.13: /etc/dovecot/dovecot.conf # OS: Linux 3.2.0-4-amd64 x86_64 Debian 7.8 auth_default_realm = xxx disable_plaintext_auth = no log_path = /var/log/dovecot/dovecot.log mail_fsync = always mail_nfs_index = yes mail_nfs_storage = yes mail_plugins = quota listescape mail_log notify fts fts_solr managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave mdbox_rotate_interval = 1 days mdbox_rotate_size = 10 M mmap_disable = yes namespace inbox { inbox = yes location = mailbox Drafts { special_use = \Drafts } mailbox Junk { special_use = \Junk } mailbox Sent { special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Trash { special_use = \Trash } prefix = separator = / } passdb { args = /etc/dovecot/conf.d/dovecot-sql.conf.ext driver = sql } passdb { args = /etc/dovecot/conf.d/dovecot-sqlSSO.conf.ext driver = sql } plugin { fts = solr fts_solr = url=http://%n.%1n.solr.csia:8983/solr/ i have and fts_autoindex = yes and break-imap-search set, but afaik the lattter should only take effect on searches regards christian mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename mail_log_fields = uid box msgid size pop3_migration_mailbox = INBOX quota = dict:User quota::file:/SYSTEM/USERS/homes/%d/%1u/%u/%u.quota quota_rule = *:storage=7000M quota_rule2 = Trash:storage=+100M quota_warning = storage=95%% quota-warning 95 %u quota_warning2 = storage=80%% quota-warning 80 %u sieve = /SYSTEM/USERS/mailbox/%d/%1n/%u/.dovecotactive.sieve sieve_default = /etc/dovecot/default.sieve sieve_dir = /SYSTEM/USERS/mailbox/%d/%1n/%u/sieve } pop3c_host = 147.162.10.68 protocols = imap pop3 lmtp sieve service auth { unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0660 user = postfix } unix_listener auth-userdb { group = vmail mode = 0600 user = vmail } } service imap-login { inet_listener imaps { ssl = no } process_min_avail = 20 service_count = 1 } service imap { executable = imap postlogin process_limit = 4096 } service lmtp { executable = lmtp inet_listener lmtp { port = 2223 } process_min_avail = 15 } service pop3-login { inet_listener pop3s { ssl = no } } service pop3 { process_limit = 256 } service postlogin { executable = script-login -d rawlog user = vmail } service quota-warning { executable = script /SYSTEM/DOVECOT/scripts/quota-warning.sh unix_listener quota-warning { user = vmail } user = vmail } ssl = no userdb { driver = prefetch } userdb { args = /etc/dovecot/conf.d/dovecot-sql.conf.ext driver = sql } userdb { driver = prefetch } userdb { args = /etc/dovecot/conf.d/dovecot-sqlSSO.conf.ext driver = sql } protocol lmtp { info_log_path = /tmp/dovecot-lmtp-info.log log_path = /tmp/dovecot-lmtp.log mail_plugins = quota listescape mail_log notify sieve } protocol lda { mail_plugins = quota listescape mail_log notify } protocol imap { imap_max_line_length = 128 k mail_max_userip_connections = 20 mail_plugins = quota listescape mail_log notify fts fts_solr imap_quota } protocol doveadm { mail_plugins = quota listescape mail_log notify fts fts_solr pop3_migration } protocol pop3 { pop3_no_flag_updates = yes pop3_uidl_format = %10v.%09u
Problems sync with mail client MAC and dovecot-2.2.10-4.el7_0.1.el7_0.1.x86_64
Hello, i have installed Centos 7.1.1503 with Dovecot 2.2.10-4.el7_0.1. With Thunderbird all works fine, but when i configure the email client of Mac (Yosemite) with IMAP i can see a error in the log and the client not see the emails: Oct 9 14:31:34 localhost dovecot: imap(xxx@xxx): Fatal: master: service(imap): child 18639 killed with signal 11 (core dumps disabled) I have read the instructions of http://www.dovecot.org/bugreport.html, but core file is not writing. Does anyone have this issues? I think that can be a problem in the configuration Best regards