Re: Block public namespace mail when quota exceeded

2016-02-24 Thread Steffen Kaiser


On Thu, 25 Feb 2016, Chris wrote:


> is it possible to temporarily reject mails, when quota of public namespace
> subfolder is exceeded? I'd check folder size with a cronjob.


How does the MTA know that the message is filed into a public namespace?


> Dovecot is using a system user, so I guess blocking post and insert in ACL
> isn't a solution?


you mean users drop messages via Sieve script there? Yes, removing post 
and insert is a solution, but the message is still accepted by the MTA and 
generates a DSN if not resolved in time.



> I don't want to set the folder to read-only, that users can still delete
> mails.
>
> Thank you in advance.
>
> - Chris



-- 
Steffen Kaiser



Re: Different Quotas For Public Namespace

2016-02-24 Thread Steffen Kaiser


On Thu, 25 Feb 2016, Chris wrote:


> are different quotas for public namespace folders possible? They're in the
> same namespace.
>
> If I got it right, the wiki says there's one quota per namespace only?


Which Wiki says what exactly and what's your config and what's your goal?

http://wiki2.dovecot.org/Quota/Configuration
says "Quota for public namespaces

You can create a separate namespace-specific quota that's shared between 
all users. This is done simply by adding :ns= parameter 
to quota setting. For example you could have something like:


"

-- 
Steffen Kaiser



Re: Deleting / Removing users

2016-02-24 Thread Steffen Kaiser


On Wed, 24 Feb 2016, John Krug wrote:


> i have a list of users that I’ve removed from LDAP and I want to delete their
> mail storage.
>
> sdbox
> Dovecot 2.2.15.8
>
> I have mail messages in one location and indexes in another. Should I just
> rm -rf /messages/
> rm -rf /indexes/


if that's where the mail_location points to. Also check out the home 
directory of each user.


-- 
Steffen Kaiser



where is pop3_migration_ignore_missing_uidls=yes set?

2016-02-24 Thread Leon Kyneur

While doing pop3 migrations with dsync I am getting an error:

dsync(u...@domain.net): Error: pop3_migration: 2 POP3 messages have no 
matching IMAP messages (first POP3 msg 2638 UIDL 
fb3d6f3299541e695a28585f5803ed1c) - set 
pop3_migration_ignore_missing_uidls=yes to continue anyway
dsync(u...@domain.net): Error: Exporting mailbox INBOX failed: Can't 
lookup pop3-uidl for UID=3252: POP3 UIDLs couldn't be synced


I can't see this in doveconf -a, so it's not a setting? I tried configuring 
it as a plugin setting but that didn't work...


Where is the correct place to set this?

TIA


Block public namespace mail when quota exceeded

2016-02-24 Thread Chris
Dear All,

is it possible to temporarily reject mails, when quota of public namespace
subfolder is exceeded? I'd check folder size with a cronjob.

Dovecot is using a system user, so I guess blocking post and insert in ACL
isn't a solution?

I don't want to set the folder to read-only, that users can still delete
mails.

Thank you in advance.

- Chris


VS: Re: SQLite driver and auth-worker credentials

2016-02-24 Thread Aki Tuomi
This is probably something that ought to be fixed. A read-only scenario for 
auth/userdb is quite plausible.

---
Aki Tuomi
Dovecot oy

Original message
From: Lev Serebryakov
Date: 24.2.2016 23.32 (GMT+02:00)
To: ja...@lottspot.com
Cc: dovecot@dovecot.org
Subject: Re: SQLite driver and auth-worker credentials
Hello James,

Wednesday, February 24, 2016, 11:17:12 PM, you wrote:

>>   But system should assign all secondary GIDs to effective UID?
> separate 'group =' directive in addition to the 'user =' directive
> (http://wiki2.dovecot.org/Services).
  Oh, I missed this one, thank you

-- 
Best regards,
 Lev    mailto:l...@serebryakov.spb.ru

Deleting / Removing users

2016-02-24 Thread John Krug
i have a list of users that I’ve removed from LDAP and I want to delete their 
mail storage. 

sdbox
Dovecot 2.2.15.8

I have mail messages in one location and indexes in another. Should I just 
rm -rf /messages/
rm -rf /indexes/

Thanks,
JK


---
John "JK" Krug
System Administrator
The University of Chicago | Laboratory Schools
1362 East 59th Street  |  Chicago, IL  60637
Phone: (773) 834-4476
j...@ucls.uchicago.edu  | 
http://helpdesk.ucls.uchicago.edu
___


Re: SQLite driver and auth-worker credentials

2016-02-24 Thread Lev Serebryakov
Hello James,

Wednesday, February 24, 2016, 11:17:12 PM, you wrote:

>>   But system should assign all secondary GIDs to effective UID?
> separate 'group =' directive in addition to the 'user =' directive
> (http://wiki2.dovecot.org/Services).
  Oh, I missed this one, thank you

-- 
Best regards,
 Lev    mailto:l...@serebryakov.spb.ru



Re: SQLite driver and auth-worker credentials

2016-02-24 Thread james

>   dovecot CAN NOT open SQLite database with read-only permissions set!
> It is problem №1 in my message: it uses sqlite3_open() API which
> requires read-write access and fails otherwise.


What I'm talking about has nothing to do with the sqlite3 API. The API 
is not how you *securely* enforce read-only access to a sqlite3 
database. If you need to enforce read-only access, you will need to do 
so using filesystem permissions modes (i.e., use chmod and chown to set 
the read bit for the user or group which will read the database, and 
unset the write bit for the same user or group).



>   But system should assign all secondary GIDs to effective UID?


Not the case. Changing the effective uid of a process does not associate 
the process with any of the groups which the user it has inherited are 
associated with. The process must explicitly call setgid in order to 
change its effective GID. This is also why dovecot services have a 
separate 'group =' directive in addition to the 'user =' directive 
(http://wiki2.dovecot.org/Services).


In order to achieve the configuration you desire, you need to set the 
group of the auth-worker service to hostingdb and set filesystem 
permissions on the database to 640. Forget about trying to alter the 
behavior of sqlite3_open.



On 2016-02-24 14:18, Lev Serebryakov wrote:

> On 24.02.2016 21:49, ja...@lottspot.com wrote:
>
>> The only secure way to enforce read-only access on a sqlite
>> database is via filesystem permissions. I would recommend setting
>> your database to 640 and ensure that any modifying process runs
>> with the owning UID.
>
>   dovecot CAN NOT open SQLite database with read-only permissions set!
> It is problem №1 in my message: it uses sqlite3_open() API which
> requires read-write access and fails otherwise.
>
>> Dovecot processes will not assume they should run as a GID based on
>> the UID to which they are assigned; you need to explicitly set the
>> GID of
>
>   But system should assign all secondary GIDs to effective UID?
>
>> the process (pretty sure this is the case anyways). Neither I or
>> anyone else on this list though will be able to offer much more
>> guidance than that unless you supply your `doveconf -n` output.
>
>  Relevant parts:
>
> ===
> passdb {
>   args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
>   driver = sql
> }
>
> userdb {
>   args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
>   driver = sql
> }
>
> service auth-worker {
>   user = $default_internal_user
> }
> ===
>
>  And I have:
>
> % grep dovecot /etc/group
> dovecot:*:143:
> hostingdb:*:999:postfix,dovecot
> % ls -l /usr/local/etc/hostenv/db/mailhost.sqlite
> -rw-rw  1 root  hostingdb  14336 24 Feb 14:47
> /usr/local/etc/hostenv/db/mailhost.sqlite
> % sudo su -m dovecot -c id
> uid=143(dovecot) gid=143(dovecot) groups=143(dovecot),999(hostingdb)
> %
>
> --
> // Black Lion AKA Lev Serebryakov
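As an added example (not code from the thread, from Dovecot or from any kernel), the following C program models the Unix permission check James describes: mailhost.sqlite owned by root:hostingdb with mode 640, and a root-started worker whose credentials are dropped in three different ways. The ids 0, 143 and 999 come from Lev's `id` output; the three drop strategies and the `struct creds` model are constructed for illustration, and the third one goes beyond the thread to show why an interactive `su -m dovecot` shell sees the group while a daemon that only calls setuid() does not.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

/* Constructed model of the credentials the kernel consults for a DAC
 * check: effective uid, effective gid and the supplementary group list.
 * Illustration only; this is neither Dovecot's nor the kernel's code. */
struct creds {
    uid_t euid;
    gid_t egid;
    const gid_t *groups;  /* supplementary groups */
    size_t ngroups;
};

/* Ids from Lev's `id` output: uid/gid 143 dovecot, gid 999 hostingdb. */
#define UID_ROOT      0
#define GID_ROOT      0
#define UID_DOVECOT   143
#define GID_DOVECOT   143
#define GID_HOSTINGDB 999

/* Does the effective gid or any supplementary group equal gid? */
static bool in_groups(const struct creds *c, gid_t gid)
{
    if (c->egid == gid)
        return true;
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == gid)
            return true;
    return false;
}

/* Classic Unix read check: owner bits if euid is the owner, otherwise group
 * bits if egid or a supplementary group matches, otherwise "other" bits.
 * CAP_DAC_OVERRIDE is deliberately left out so the group logic is visible. */
static bool can_read(const struct creds *c, uid_t file_uid, gid_t file_gid,
                     unsigned mode)
{
    if (c->euid == file_uid)
        return (mode & 0400) != 0;
    if (in_groups(c, file_gid))
        return (mode & 0040) != 0;
    return (mode & 0004) != 0;
}

/* mailhost.sqlite as James recommends it: root:hostingdb, mode 0640. */
static bool worker_can_read_db(const struct creds *c)
{
    return can_read(c, UID_ROOT, GID_HOSTINGDB, 0640);
}

/* Strategy 1, `user = dovecot` only: the root-started worker calls
 * setuid(143). setuid() changes no group credential, so egid stays 0 and
 * the supplementary list stays root's. Group hostingdb never matches. */
static bool drop_user_only(void)
{
    static const gid_t root_groups[] = { GID_ROOT };
    struct creds c = { UID_DOVECOT, GID_ROOT, root_groups, 1 };
    return worker_can_read_db(&c);
}

/* Strategy 2, `user = dovecot` plus `group = hostingdb`: setgid(999) before
 * setuid(143). The egid now matches the file's group, so 0640 is enough. */
static bool drop_user_and_group(void)
{
    struct creds c = { UID_DOVECOT, GID_HOSTINGDB, NULL, 0 };
    return worker_can_read_db(&c);
}

/* Strategy 3, what an interactive `su -m dovecot` does: initgroups() loads
 * the /etc/group memberships (143, 999), then setgid(143), setuid(143).
 * This is why Lev's shell test showed hostingdb although a daemon that
 * only calls setuid() never receives the supplementary groups. */
static bool drop_with_initgroups(void)
{
    static const gid_t dovecot_groups[] = { GID_DOVECOT, GID_HOSTINGDB };
    struct creds c = { UID_DOVECOT, GID_DOVECOT, dovecot_groups, 2 };
    return worker_can_read_db(&c);
}

int main(void)
{
    printf("setuid only:         %s\n", drop_user_only() ? "readable" : "EACCES");
    printf("setgid + setuid:     %s\n", drop_user_and_group() ? "readable" : "EACCES");
    printf("initgroups + setgid: %s\n", drop_with_initgroups() ? "readable" : "EACCES");
    return 0;
}
```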


Re: SQLite driver and auth-worker credentials

2016-02-24 Thread Lev Serebryakov

On 24.02.2016 21:49, ja...@lottspot.com wrote:

> The only secure way to enforce read-only access on a sqlite
> database is via filesystem permissions. I would recommend setting
> your database to 640 and ensure that any modifying process runs
> with the owning UID.
  dovecot CAN NOT open SQLite database with read-only permissions set!
It is problem №1 in my message: it uses sqlite3_open() API which
requires read-write access and fails otherwise.

> Dovecot processes will not assume they should run as a GID based on
> the UID to which they are assigned; you need to explicitly set the
> GID of
  But system should assign all secondary GIDs to effective UID?

> the process (pretty sure this is the case anyways). Neither I or
> anyone else on this list though will be able to offer much more
> guidance than that unless you supply your `doveconf -n` output.

 Relevant parts:

===
passdb {
  args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}

userdb {
  args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}

service auth-worker {
  user = $default_internal_user
}
===

 And I have:

% grep dovecot /etc/group
dovecot:*:143:
hostingdb:*:999:postfix,dovecot
% ls -l /usr/local/etc/hostenv/db/mailhost.sqlite
-rw-rw  1 root  hostingdb  14336 24 Feb 14:47
/usr/local/etc/hostenv/db/mailhost.sqlite
% sudo su -m dovecot -c id
uid=143(dovecot) gid=143(dovecot) groups=143(dovecot),999(hostingdb)
%

-- 
// Black Lion AKA Lev Serebryakov


search problem dovecot 2.2.21 + fts - Solr

2016-02-24 Thread Anderson Barbosa
Hello,

I updated Dovecot on my server. Now the search returns results differently
from the previous version, bringing in references to other messages.
For example, when searching for anderson.joao, this new version
(Dovecot 2.2.21 + fts-Solr) responds with all emails that contain the
words anderson and joao, instead of returning only items with the word
anderson.joao.

With the previous version, 2.2.18 + fts-Solr, the problem did not
occur.
For example, a practical test:

Dovecot 2.2.18


# telnet SERVER 143
Trying SERVER...
Connected to SERVER.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE
AUTH=PLAIN] Zimbra IMAP4.
a login co...@conta.com.br 1223456
a OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE
SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT
MULTIAPPEND URL-PARTIAn
a select  INBOX
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] Flags
permitted.
* 14 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 1452548222] UIDs valid
* OK [UIDNEXT 25] Predicted next UID
* OK [HIGHESTMODSEQ 52] Highest
a OK [READ-WRITE] Select completed (0.001 secs).
a SEARCH text "anderson"
* SEARCH 11 12 (2 found emails)
a OK Search completed (0.265 secs).
a SEARCH text "joao"
* SEARCH 13 14 (2 found emails)
a OK Search completed (0.003 secs).
a SEARCH text "anderson.joao"
* SEARCH (0 found emails)
a OK Search completed (0.004 secs).
a logout
* BYE Logging out
a OK Logout completed.
Connection closed by foreign host.


Dovecot 2.2.21

# telnet SERVER 143
Trying SERVER...
Connected to SERVER.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE
AUTH=PLAIN] Zimbra IMAP4.
a login co...@conta.com.br 1223456
a OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE
SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT
MULTIAPPEND URL-PARTIAn
a select INBOX
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] Flags
permitted.
* 14 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 1452548222] UIDs valid
* OK [UIDNEXT 25] Predicted next UID
* OK [HIGHESTMODSEQ 52] Highest
a OK [READ-WRITE] Select completed (0.000 + 0.000 secs).
a SEARCH text "anderson"
* SEARCH 11 12 (2 found emails)
a OK Search completed (0.004 + 0.000 secs).
a SEARCH text "joao" (2 found emails)
* SEARCH 13 14
a OK Search completed (0.005 + 0.000 secs).
a SEARCH text "anderson.joao"
* SEARCH 11 12 13 14 *(4 found emails)*
a OK Search completed (0.005 + 0.000 secs).
a logout
* BYE Logging out
a OK Logout completed.
Connection closed by foreign host.

Even using special characters ("", \ escape, ' ') the answer will always be
all emails with the words anderson and joao.
Checking the Dovecot changelog, I noticed that the previous versions v2.2.20
and v2.2.19 made certain changes with respect to fts.

Is there another way to search for an exact word in this new version?



-- 
Anderson Barbosa dos Santos

In the whole universe, nothing exists more like God than silence.
"Johanes Eckhart"


Re: SQLite driver and auth-worker credentials

2016-02-24 Thread james
The only secure way to enforce read-only access on a sqlite database is 
via filesystem permissions. I would recommend setting your database to 
640 and ensure that any modifying process runs with the owning UID.


Dovecot processes will not assume they should run as a GID based on the 
UID to which they are assigned; you need to explicitly set the GID of 
the process (pretty sure this is the case anyways). Neither I or anyone 
else on this list though will be able to offer much more guidance than 
that unless you supply your `doveconf -n` output.


On 2016-02-24 13:31, Lev Serebryakov wrote:

> I want to use SQLite database as storage for auth and user databases.
> I've encountered two problems here:
>
>  (1) There is no way to open SQLite database read-only (via
> sqlite3_open_v2() call with SQLITE_OPEN_READONLY flag). It looks bad. I
> don't need (and want) to give dovecot rights to write to this database.
>
>  (2) I've created system group "hostingdb", added "dovecot" user to it
> and gives 660 rights to database file, but still "auth-worker" could not
> open database and complains to log file. Now I'm set "user = root" for
> auth-worker, but I don't like it! Why auth-worker doesn't belong to
> "hostingdb" group?


SQLite driver and auth-worker credentials

2016-02-24 Thread Lev Serebryakov

  I want to use SQLite database as storage for auth and user databases.
I've encountered two problems here:

 (1) There is no way to open SQLite database read-only (via
sqlite3_open_v2() call with SQLITE_OPEN_READONLY flag). It looks bad. I
don't need (and want) to give dovecot rights to write to this database.

 (2) I've created system group "hostingdb", added "dovecot" user to it
and gives 660 rights to database file, but still "auth-worker" could not
open database and complains to log file. Now I'm set "user = root" for
auth-worker, but I don't like it! Why auth-worker doesn't belong to
"hostingdb" group?


-- 
// Black Lion AKA Lev Serebryakov





Script dovecot ACLs, Quota and doveadm

2016-02-24 Thread Chris
Dear All,

I'd like to set

a) Quota for mailboxes in private and public namespace
b) ACLs for both.

What's the easiest way to do this?

Do I have to call doveadm for every mailbox (private and public)?

Is it required to provide a username to doveadm? Can I use the same user
for all if it is defined in global ACLs?

For Cyrus there are perl modules which have the same functions as cyradm.
Is there something like this for dovecot? Are there any modules available?
Haven't found anything in CPAN.


- Chris


Re: Streaming MOVE commands

2016-02-24 Thread Emilio Jesús Gallego Arias
Hi,

Timo Sirainen  writes:

>>> Thanks, looks like this was broken with Maildir and mbox formats. It
>>> also caused expunges in some other situations to be lost. Fixed:
>>> 
>>> https://github.com/dovecot/core/commit/950a6e61d6c2dac961ce031bdd8b2895bc32b827
>> 
>> Is this patch suitable of being backported to 2.2.13? (Debian stable)
>
> Should be.
>
> BTW. This bug only meant that some expunges were ignored, which at
> worst caused unwanted email duplicates. It didn't corrupt the mailbox
> state or the client state in any way.

The GNUS mail client developers would like to add a quirk to work around
this problem in their mail client; any idea which versions are
affected by this problem?

Thank you & best regards,
Emilio


Re: Automatically inferring %d on multi-domain virtual install ?

2016-02-24 Thread Gabriel L. Somlo
On Sun, Feb 21, 2016 at 04:20:07AM +0200, Timo Sirainen wrote:
> How about:
> 
> passdb {
>   driver = passwd-file
>   args = username_format=%l /etc/dovecot/passwd.domains
>   result_success = continue
> }
> 
> passdb {
>   .. the real passdb for authentication ..
> }
> 
> Where /etc/dovecot/passwd.domains contains:
> 
> 10.0.0.100:domain=foo.org
> 10.0.0.101:domain=bar.org
> 
> So the first passdb lookup would set the domain based on IP and then continue 
> for the actual authentication. Or if you don't want it to override an 
> explicit user@domain authentication, this should also work:
> 
> 10.0.0.100:domain:protected=foo.org
> 10.0.0.101:domain:protected=bar.org
> 
> Not tested, but should work I think. At least with new enough Dovecot 
> versions.

Apparently you were a ':' short, so cut'n'pasting your solution
didn't immediately work; adding an extra colon did the trick:

10.0.0.100:::domain=foo.org

Still working on "domain:protected=foo.org", which would be nice,
since it'd support all possible combinations of client settings, but
wanted to let everyone know your suggestion works for me, and say
thanks again for the tip!

Thanks,
--Gabriel
 
> 
> > On 19 Feb 2016, at 23:10, Gabriel L. Somlo  wrote:
> > 
> > On Fri, Feb 19, 2016 at 08:41:15AM +0100, Steffen Kaiser wrote:
> >>> I'm trying to allow domain-less logins for a multi-domain virtual IMAP
> >>> server, and wondering if I can automatically infer the domain (value of
> >>> variable %d) from the local IP (%l) or the hostname used by the client
> >>> when connecting to my server.
> >>> 
> >>> Let's say I have two host names: mail.foo.org (10.0.0.100) and
> >>> mail.bar.com (10.0.0.200), with forward and reverse DNS configured to
> >>> resolve A and PTR records in either direction.
> >>> 
> >>> Let's also say I have 10.0.0.100 and 10.0.0.200 set up as secondaries
> >>> on my server's loopback interface, and routing is set up to bring client
> >>> traffic to me for both of those IP addresses.
> >> 
> >> Hm, it should be possible like so:
> >> 
> >> 1) keep the file you have now as 2nd passdb, in order to let your users
> >> login like now from anywhere
> >> 
> >>> us...@foo.org:{PLAIN}user1foo
> >> 
> >> 2) from this file create another passwd-file with ExtraField via script /
> >> cron jobs, that defines
> >> 
> >> user1@10.0.0.100:{PLAIN}user1foo:user=us...@foo.org
> >> 
> >> see http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
> >> 
> >> Maybe allow_nets could limit the clients further.
> >> 
> >> Then add another passdb section pointing to that file using
> >> username_format=%n@%l
> >> 
> >> http://wiki2.dovecot.org/AuthDatabase/PasswdFile
> >> 
> >> That will map domain-less logins to full mail addresses, which in turn sets
> >> %d, too.
> > 
> > That *almost* worked :)
> > 
> > I now have
> > 
> >  passdb {
> >driver = passwd-file
> >args = username_format=%n@%l /var/lib/topgen/etc/postfix/users
> >  }
> > 
> > pointing to a "users" file with entries such as
> > 
> >   user1@10.0.0.100:{PLAIN}user1foo:user=us...@foo.org
> > 
> > The only trouble is, %d does not get set; I get new "user1" and 
> > "user2" folders created directly under /var/lib/vmail/, which
> > indicates the %d portion is equal to the empty string.
> > 
> > I also tried
> > 
> >   user1@111.0.10.10:{PLAIN}tartans1:domain=foo.org
> > 
> > which the PasswordDatabase wiki page says should override %d, but
> > still no luck...
> > 
> > Thanks for the pointer though, now that I read the relevant bits of
> > documentation it feels like I'm really close, and this *should* work.
> > I'm still either missing something, or tickling a bug (probably the
> > former :)
> > 
> > Thanks,
> > --Gabriel
> > 
> >> 
> >>> 
> >>> The relevant bits of my dovecot.conf are:
> >>> 
> >>> ---%<--
> >>> mail_location = maildir:/var/lib/vmail/%d/%n
> >>> passdb {
> >>> driver = passwd-file
> >>> args = /var/lib/vmail/etc/postfix/userdb
> >>> }
> >>> userdb {
> >>> driver = static
> >>> args = uid=dovenull gid=dovenull home=/var/lib/vmail/%d/%n
> >>> }
> >>> ---%<--
> >>> 
> >>> And my userdb passwd-file right now includes:
> >>> 
> >>> ---%<--
> >>> us...@foo.org:{PLAIN}user1foo
> >>> us...@foo.org:{PLAIN}user2foo
> >>> us...@bar.com:{PLAIN}user1bar
> >>> us...@bar.com:{PLAIN}user2bar
> >>> ---%<--
> >>> 
> >>> Right now, us...@foo.org must configure their imap client like so:
> >>> 
> >>>   IMAP server: mail.foo.org
> >>>   username: us...@foo.org
> >>>   password: user1foo
> >>> 
> >>> I would like to require this (and other) users to only have to set:
> >>> 
> >>>   IMAP server: mail.foo.org
> >>>   username: user1
> >>>   password: ...
> >>> 
> >>> and have dovecot somehow infer 

Re: Automatically inferring %d on multi-domain virtual install ?

2016-02-24 Thread Gabriel L. Somlo
On Sun, Feb 21, 2016 at 04:20:07AM +0200, Timo Sirainen wrote:
> How about:
> 
> passdb {
>   driver = passwd-file
>   args = username_format=%l /etc/dovecot/passwd.domains
>   result_success = continue
> }
> 
> passdb {
>   .. the real passdb for authentication ..
> }
> 
> Where /etc/dovecot/passwd.domains contains:
> 
> 10.0.0.100:domain=foo.org
> 10.0.0.101:domain=bar.org
> 
> So the first passdb lookup would set the domain based on IP and then continue 
> for the actual authentication. Or if you don't want it to override an 
> explicit user@domain authentication, this should also work:
> 
> 10.0.0.100:domain:protected=foo.org
> 10.0.0.101:domain:protected=bar.org
> 
> Not tested, but should work I think. At least with new enough Dovecot 
> versions.

Sounds promising, thanks for the idea. My current problem is that
passwd.domains "authentication" now fails because user1's password
doesn't match the "empty field" corresponding to

10.0.0.100:domain=foo.org

I get:
auth: Info: passwd-file(user1,,): unknown user
auth: Info: passwd-file(user1,,): Password mismatch

Hmm, "result_failure = continue" doesn't seem to help, either...

Thanks,
--Gabriel


Dovecot + Ceph Cluster Sizing

2016-02-24 Thread Michele Soragni
Hi all. We are searching for information about how to size dovecot servers
in a clustered architecture (dovecot + postfix + roundcube + mysql).
We need to migrate mailboxes from an old Exchange installation:

60k mailbox
900 GB total storage
14 MB/mailbox
About 133 email/mailbox
Low usage: about 2k simultaneous imap/pop3 connections


This is how we are thinking to build our new architecture
3 x Dell R630 or R530 servers with 6x300SAS disks for Ceph storage with 1
replica . Total storage = 2,5 TB for mailboxes

3 x Dell R630 or R530 with 2x CPU 6core,64GB RAM, 4x 300SAS disks hosting
the following VMs in a VMware cluster:
 - 3 x VM Dovecot
 - 3 x VM Postfix
 - 3 x VM Roundcube webmail
 - 3 x VM MySQL

All VMs are behind a balancer
All OS disks are on local storage
Dovecot VMs share Ceph storage with OCFS2 filesystem for the mailboxes.

I'd like to have some hints about CPU and memory for Dovecot VMs. Should 2 vCPU
and 8 GB RAM each be enough? Is there a way to calculate this?
Do you think the storage performance could be a problem using Ceph + OCFS2?
Is Ceph + XFS + Dsync replication a better choice?

Thanks!

Michele


Segfault using doveadm dsync

2016-02-24 Thread fabio . onorini

I'm trying to migrate an imap mailbox from dovecot 1.2.15 to a new imap server 
with dovecot 2.2.13.

I would like to preserve the IMAP UIDs and POP3 UIDLs.

So I'm using the doveadm backup command, but after the folder analysis the command 
returns a segmentation fault.

Any hint?

GDB result:

sync(easymail): Debug: brain S: Deleting mailbox 'Bozze' (GUID 
f0836f3222c335cfa383cb38ff0e3183): UIDNEXT is too high (9 > 1)
dsync(easymail): Debug: brain S: Deleting mailbox 'Cestino' (GUID 
cd0edec22e40323d878a39dc8e432e5a): UIDNEXT is too high (628 > 1)
dsync(easymail): Debug: brain S: Deleting mailbox 'INBOX' (GUID 
c92f64f79f0d1ed01e6d5b314f04886c): UIDVALIDITY changed (1456239585 -> 
1456310264)
dsync(easymail): Debug: brain S: Deleting mailbox 'Modelli' (GUID 
f0933f8b90e6eaf3a00a0220b173f3b4): UIDNEXT is too high (2 > 1)
dsync(easymail): Debug: brain S: Deleting mailbox 'Sent' (GUID 
7d3c7eaa71cdf47ee8a1192687cda8cd): UIDNEXT is too high (39 > 1)

Program received signal SIGSEGV, Segmentation fault.
imapc_client_mailbox_cmd (box=0x0, callback=callback@entry=0x776d7140 
, context=context@entry=0x7fffe2d0) at 
imapc-client.c:351
351imapc-client.c: No such file or directory.
(gdb) bt full
#0  imapc_client_mailbox_cmd (box=0x0, callback=callback@entry=0x776d7140 
, context=context@entry=0x7fffe2d0) at 
imapc-client.c:351
cmd = 
__FUNCTION__ = "imapc_client_mailbox_cmd"
#1  0x776d7915 in imapc_mailbox_noop (mbox=mbox@entry=0x558049e0) 
at imapc-storage.c:154
cmd = 
sctx = {client = 0x557e89b0, ret = -2}
#2  0x776d5c18 in imapc_mailbox_sync_init (box=0x558049e0, 
flags=(MAILBOX_SYNC_FLAG_FULL_READ | MAILBOX_SYNC_FLAG_FIX_INCONSISTENT)) at 
imapc-sync.c:476
mbox = 0x558049e0
list = 
capabilities = 
changes = false
ret = 0
#3  0x776e9289 in mailbox_sync_init (box=0x558049e0, 
flags=(MAILBOX_SYNC_FLAG_FULL_READ | MAILBOX_SYNC_FLAG_FIX_INCONSISTENT)) at 
mail-storage.c:1677
_data_stack_cur_id = 3
ctx = 
#4  0x776e93d7 in mailbox_sync (box=box@entry=0x558049e0, 
flags=, flags@entry=MAILBOX_SYNC_FLAG_FULL_READ) at 
mail-storage.c:1725
ctx = 0x55804ea8
status = {sync_delayed_expunges = 0}
#5  0x77715bab in mailbox_expunge_all_data (box=0x558049e0) at 
index-storage.c:648
ctx = 0x77714e57 
t = 0x558049e0
mail = 0x7fffe4b4
search_args = 0x7fffe558
#6  index_storage_mailbox_delete (box=0x558049e0) at index-storage.c:701
metadata = {guid = 
"\264\344\377\377\377\177\000\000\000\000\000\000\000\000\000", virtual_size = 
140737488348504, cache_fields = 0x55807258, 
  precache_fields = (MAIL_FETCH_RECEIVED_DATE | MAIL_FETCH_SAVE_DATE | 
MAIL_FETCH_PHYSICAL_SIZE | MAIL_FETCH_VIRTUAL_SIZE | MAIL_FETCH_IMAP_ENVELOPE | 
MAIL_FETCH_REFCOUNT | unknown: 1426065408), backend_ns_prefix = 0x773b1e59 
 ";\003u\v\307\003", backend_ns_type = (unknown: 1434470880)}
status = {messages = 4294960472, recent = 32767, unseen = 0, 
uidvalidity = 0, uidnext = 1434582544, first_unseen_seq = 0, first_recent_uid = 
232594432, 
  last_cached_seq = 3612951791, highest_modseq = 93824995052000, 
highest_pvt_modseq = 93824992578308, keywords = 0x1, permanent_flags = 
4151223616, 
  permanent_keywords = 1, allow_new_keywords = 1, nonpermanent_modseqs 
= 1, no_modseq_tracking = 1, have_guids = 1, have_save_guids = 1, 
have_only_guid128 = 1}
ret_guid = 
#7  0x776ea737 in mailbox_delete (box=box@entry=0x558049e0) at 
mail-storage.c:1319
ret = 
#8  0x555895d4 in dsync_brain_mailbox_tree_sync_change 
(brain=brain@entry=0x557fcd00, change=) at 
dsync-brain-mailbox-tree-sync.c:182
box = 0x558049e0
destbox = 0x558007c8
errstr = 0x557ff750 "\030\366\177UUU"
func_name = 0x0
storage_name = 
error = 32767
ret = 
__FUNCTION__ = "dsync_brain_mailbox_tree_sync_change"
#9  0x555892db in dsync_brain_mailbox_trees_sync (brain=0x557fcd00) 
at dsync-brain-mailbox-tree.c:291
ctx = 0x5580ab40
change = 
sync_type = 
sync_flags = 
#10 dsync_brain_recv_mailbox_tree_deletes (brain=brain@entry=0x557fcd00) at 
dsync-brain-mailbox-tree.c:440
deletes = 0x557fa0a0
i = 
count = 0
sep = 47 '/'
__FUNCTION__ = "dsync_brain_recv_mailbox_tree_deletes"
#11 0x555860e8 in dsync_brain_run_real (changed_r=0x7fffe74b, 
brain=0x557fcd00) at dsync-brain.c:565
ret = true
orig_state = DSYNC_STATE_RECV_MAILBOX_TREE_DELETES
orig_box_recv_state = DSYNC_BOX_STATE_MAILBOX
orig_box_send_state = DSYNC_BOX_STATE_MAILBOX
changed = false
#12 dsync_brain_run (brain=0x557fcd00,