Re: Deleting / Removing users

2016-03-02 Thread Steffen Kaiser


On Wed, 2 Mar 2016, John Krug wrote:

> To complicate issues, I have two-way dsync running between two servers.
> Since the index log files are used to track deleted mails (yes?), do I
> need to worry about replication trying to bring things back?

You wrote: "users that I've removed from LDAP". Do you find any log
entries of those users generated by dsync? Well, provided you have logs
from dsync at all.

> Can I just rm the users files from each server and be OK?

That depends on how you invoke dsync.

> On Feb 25, 2016, at 1:16 AM, Steffen Kaiser wrote:
>
>> On Wed, 24 Feb 2016, John Krug wrote:
>>
>>> I have a list of users that I've removed from LDAP and I want to delete their
>>> mail storage.
>>>
>>> sdbox
>>> Dovecot 2.2.15.8
>>>
>>> I have mail messages in one location and indexes in another. Should I just
>>> rm -rf /messages/
>>> rm -rf /indexes/
>>
>> if that's where the mail_location points to. Also check out the home directory
>> of each user.
>>
>> -- Steffen Kaiser





-- 
Steffen Kaiser

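A worked version of the purge John describes, added here as an example and not code from the thread or from Dovecot. It checks that the account no longer resolves in Dovecot's userdb before deleting anything (with two-way dsync a still-known user would simply be replicated back from the peer), and it refuses usernames that could steer the delete outside the storage roots. /messages and /indexes come from the post; the per-user subdirectory layout beneath them, the exit-status contract of `doveadm user -u`, and the users alice and bob in the constructed fixture are assumptions.

```python
import os
import shutil
import subprocess
import tempfile

# Roots taken from the original post (messages and indexes kept apart).
# The per-user subdirectory layout beneath them is assumed for this example.
MSG_ROOT = "/messages"
IDX_ROOT = "/indexes"


def doveadm_userdb_has(user):
    """Ask Dovecot's userdb whether `user` still resolves. `doveadm user -u`
    does a userdb-only lookup; a non-zero exit is taken as 'unknown user'
    (assumed exit-status contract, verify it on your own build)."""
    r = subprocess.run(["doveadm", "user", "-u", user], capture_output=True)
    return r.returncode == 0


def safe_user_dir(root, user):
    """Return root/user after proving it cannot escape root: rejects empty
    names, path separators, '.'/'..', NUL and symlinked user directories, so
    a crafted LDAP uid cannot turn rm -rf into /messages/../etc."""
    if not user or user in (".", "..") or "/" in user or "\0" in user:
        raise ValueError("unsafe username: %r" % (user,))
    root_real = os.path.realpath(root)
    target = os.path.join(root_real, user)
    if os.path.islink(target):
        raise ValueError("refusing symlinked directory %s" % target)
    if os.path.commonpath([root_real, os.path.realpath(target)]) != root_real:
        raise ValueError("%s escapes %s" % (target, root_real))
    return target


def purge_user(user, roots=(MSG_ROOT, IDX_ROOT), userdb_has=doveadm_userdb_has):
    """Delete the user's storage under each root on THIS replica. Refuses if
    the userdb still knows the user: with two-way dsync the other side would
    just recreate the mailbox. Returns the directories actually removed."""
    targets = [safe_user_dir(root, user) for root in roots]   # validate first
    if userdb_has(user):
        raise RuntimeError("%s still resolves in userdb; remove it from LDAP "
                           "on every replica first" % user)
    removed = []
    for target in targets:
        if os.path.isdir(target):
            shutil.rmtree(target)
            removed.append(target)
    return removed


def demo():
    """Constructed fixture in a temp dir (no real mail): alice is gone from
    LDAP, bob is not. Returns the outcomes a practitioner cares about."""
    with tempfile.TemporaryDirectory() as d:
        roots = (os.path.join(d, "messages"), os.path.join(d, "indexes"))
        for root in roots:
            for u in ("alice", "bob"):
                os.makedirs(os.path.join(root, u))
        still_in_ldap = lambda u: u == "bob"        # stand-in for doveadm
        out = {"alice_removed": len(purge_user("alice", roots, still_in_ldap))}
        out["alice_gone"] = not any(os.path.exists(os.path.join(r, "alice")) for r in roots)
        try:
            purge_user("bob", roots, still_in_ldap)
            out["bob_refused"] = False
        except RuntimeError:
            out["bob_refused"] = True
        out["bob_kept"] = all(os.path.isdir(os.path.join(r, "bob")) for r in roots)
        try:
            purge_user("../etc", roots, still_in_ldap)
            out["traversal_refused"] = False
        except ValueError:
            out["traversal_refused"] = True
        return out


if __name__ == "__main__":
    print(demo())
```

purge_user() touches one server only. With two-way dsync run it on both replicas, after the LDAP entry has disappeared from every replica's userdb and with no replication job for that user in flight; otherwise the surviving copy is synced straight back.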


Deliver to Public Mailbox

2016-03-02 Thread Chris
Dear All,

I'd like dovecot-lda (deliver) to post a message to a public mailbox.

It doesn't seem to work when I just use the -m parameter with the
IMAP-Mailbox path, e.g. Public/info .

What parameters are required? Do I have to change the headers with formail
in any way?

TIA!

- Chris


Re: Deleting / Removing users

2016-03-02 Thread John Krug
Thank you, sir. Sounds easy enough.
To complicate issues, I have two-way dsync running between two servers.  Since 
the index log files are used to track deleted mails (yes?), do I need to worry 
about replication trying to bring things back? 

Can I just rm the users files from each server and be OK?

Thanks again,
JK




---
John "JK" Krug
System Administrator
The University of Chicago | Laboratory Schools
1362 East 59th Street  |  Chicago, IL  60637
Phone: (773) 834-4476
j...@ucls.uchicago.edu  | 
http://helpdesk.ucls.uchicago.edu
___

> On Feb 25, 2016, at 1:16 AM, Steffen Kaiser  
> wrote:
> 
> 
> On Wed, 24 Feb 2016, John Krug wrote:
> 
>> I have a list of users that I've removed from LDAP and I want to delete 
>> their mail storage.
>> 
>> sdbox
>> Dovecot 2.2.15.8
>> 
>> I have mail messages in one location and indexes in another. Should I just
>> rm -rf /messages/
>> rm -rf /indexes/
> 
> if that's where the mail_location points to. Also check out the home 
> directory of each user.
> 
> -- Steffen Kaiser


Re: Dual certificate

2016-03-02 Thread l...@airstreamcomm.net
Google multi-domain certificates. Comodo sells a multi-domain wildcard 
certificate that we use to host multiple SSL domains on dovecot and postfix 
successfully. You install the single certificate and reissue and reinstall 
after adding a new domain.

> On Mar 2, 2016, at 2:02 AM, Jean-Baptiste Vignaud  wrote:
> 
> Hello all;
> 
> 
> Does anyone know if it's possible to have a dual certificate setup on
> dovecot like in postfix or apache?
> 
> I tried to add several certs in the local_name section:
> 
> local_name imap.server.tdl {
> ssl_cert =  ssl_key =  ssl_cert =  ssl_key =  }
> 
> but it seems that dovecot takes the last one (ecdsa) and that rsa cert is
> not used.
> 
> 
> To check if both are working, I check with openssl:
> 
> openssl s_client -connect imap.server.tdl:143 -starttls imap -servername
> imap.server.tdl -cipher ECDHE-RSA-AES128-GCM-SHA256 (for RSA)
> 
> and
> 
> openssl s_client -connect imap.server.tdl:143 -starttls imap -servername
> imap.server.tdl -cipher ECDHE-ECDSA-AES128-GCM-SHA256 (for ECDSA)
> 
> In apache we have to duplicate the cert / key lines, one for rsa, one for
> ecdsa.
> 
> In postfix, we have some specific ecdsa conf keys.
> 
> So is there a way to do the same in dovecot ?
> 


Re: Dual certificate

2016-03-02 Thread Timo Sirainen
On 02 Mar 2016, at 10:02, Jean-Baptiste Vignaud  wrote:
> 
> Hello all;
> 
> 
> Does anyone know if it's possible to have a dual certificate setup on
> dovecot like in postfix or apache?
> 
> I tried to add several certs in the local_name section:
> 
> local_name imap.server.tdl {
> ssl_cert =  ssl_key =  ssl_cert =  ssl_key =  }
> 
> but it seems that dovecot takes the last one (ecdsa) and that rsa cert is
> not used.

Would it work if you had a single .pem file containing both certs and a single 
file containing both keys?

> In apache we have to duplicate the cert / key lines, one for rsa, one for
> ecdsa.
> 
> In postfix, we have some specific ecdsa conf keys.
> 
> So is there a way to do the same in dovecot ?

Looks like from OpenSSL code point of view the same cert/key loading functions 
can simply be called multiple times. There's currently no way to trigger that 
in Dovecot. But maybe the single .pem file would happen to work as well? If 
not, this would need some config changes and I'm not sure what would be the 
nicest way..
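Timo's observation that the OpenSSL loading functions can simply be called twice can be checked without touching Dovecot. The script below is an added example, not code from the thread or from Dovecot: it generates a throwaway RSA and a throwaway ECDSA self-signed certificate with the openssl command line (assumed to be installed), loads both into one server context by calling load_cert_chain() twice, and then runs the same -cipher probe the original poster used against that server, pinning the served certificate bytes to the file that was generated. imap.server.tdl is the name from the post; the curve, the loopback port and the cipher names on the client side are assumptions. The client is held at TLS 1.2 on purpose: under TLS 1.3 the cipher suite no longer names the key type, the server picks the certificate from the client's signature_algorithms instead, so the `-cipher` trick from the post only tells you something on 1.2.

```python
import os
import socket
import ssl
import subprocess
import tempfile
import threading

HOSTNAME = "imap.server.tdl"     # name from the original post
CURVE = "prime256v1"             # assumed ECDSA curve for the demo


def make_selfsigned(directory, newkey_args, stem):
    """Throwaway self-signed cert via the openssl CLI (assumed installed).
    Constructed test material only; never reuse such keys in production."""
    key = os.path.join(directory, stem + ".key")
    crt = os.path.join(directory, stem + ".crt")
    subprocess.run(["openssl", "req", "-x509", "-nodes", "-days", "1",
                    "-newkey", *newkey_args, "-keyout", key, "-out", crt,
                    "-subj", "/CN=" + HOSTNAME],
                   check=True, capture_output=True)
    return crt, key


def server_context(rsa, ecdsa):
    """One SSL_CTX holding both certificates. OpenSSL keeps one certificate
    per key type, so calling the same loader twice is all it takes."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(*rsa)
    ctx.load_cert_chain(*ecdsa)
    return ctx


def serve(listener, ctx, connections):
    """Accept N connections, finish the handshake, wait for the client to close."""
    for _ in range(connections):
        conn, _ = listener.accept()
        try:
            with ctx.wrap_socket(conn, server_side=True) as tls:
                tls.recv(1)
        except (ssl.SSLError, OSError):
            conn.close()


def probe(addr, cipher, expected_crt):
    """The check the poster runs with `openssl s_client -cipher ...`: offer a
    single TLS 1.2 cipher and see which certificate the server selects.
    Chain verification is off because the certs are self-signed; instead the
    served DER is pinned against the file we generated."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2   # in 1.3 the cipher no longer names the key type
    ctx.set_ciphers(cipher)
    with open(expected_crt) as f:
        expected = ssl.PEM_cert_to_DER_cert(f.read())
    with socket.create_connection(addr, timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=HOSTNAME) as tls:
            return tls.cipher()[0], tls.getpeercert(binary_form=True) == expected


def run_demo():
    """Returns {client cipher: (negotiated cipher, served cert matched the expected file)}."""
    with tempfile.TemporaryDirectory() as d:
        rsa = make_selfsigned(d, ["rsa:2048"], "rsa")
        ecdsa = make_selfsigned(d, ["ec", "-pkeyopt", "ec_paramgen_curve:" + CURVE], "ecdsa")
        listener = socket.socket()
        listener.settimeout(10)
        listener.bind(("127.0.0.1", 0))          # ephemeral loopback port
        listener.listen(2)
        t = threading.Thread(target=serve, args=(listener, server_context(rsa, ecdsa), 2),
                             daemon=True)
        t.start()
        results = {}
        for cipher, crt in (("ECDHE-RSA-AES128-GCM-SHA256", rsa[0]),
                            ("ECDHE-ECDSA-AES128-GCM-SHA256", ecdsa[0])):
            results[cipher] = probe(listener.getsockname(), cipher, crt)
        t.join(10)
        listener.close()
        return results


if __name__ == "__main__":
    for cipher, (negotiated, pinned) in run_demo().items():
        print(cipher, "->", negotiated, "pinned cert matched:", pinned)
```

Both probes should come back with the cipher they asked for and the matching certificate; a server that only kept the last-loaded certificate fails the RSA probe with a handshake error instead.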


Re: Found bug in quota-status + patch

2016-03-02 Thread Timo Sirainen

> On 08 Feb 2016, at 00:26, Thierry Coppey  wrote:
> 
> Hello,
> 
> I've found a bug in the quota-status util (Dovecot 2.2.21, and probably 
> below): it always returns
> OK (sufficient quota) because it fails to load the user properly. More 
> specifically, the branch
> " if (quser == NULL) return 1; " in src/plugins/quota/quota-status.c:59 is 
> always taken.
> (at least with postgresql backend, test your config with the (adapted) 
> command below:
> printf "recipient=mail...@example.com\nsize=100\n\n" | nc 
> inet:mailstore.example.com 12340
> it should reject, unless you have no quota, or more than 10G).

It works fine with me. Maybe you simply didn't enable quota-plugin for 
quota-status service? (e.g. you enabled inside protocol imap { .. } and 
elsewhere, but not globally)
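The misconfiguration Timo describes is easy to reproduce: when the quota plugin is listed only inside protocol imap { }, the quota-status service (not an IMAP process) runs without it, the user has no quota context, and the `quser == NULL` branch the poster cites returns "allowed" for everyone. The fragment below is an added example showing the two layouts side by side; it is not configuration from the thread. The service port matches the poster's test, while the dict backend name, the 10G rule and client_limit are assumptions to adapt to your own setup.

```conf
# WRONG: quota is loaded for IMAP sessions only. lda, lmtp and the
# quota-status service never see it, so every policy request gets
# the "sufficient quota" answer.
protocol imap {
  mail_plugins = $mail_plugins quota imap_quota
}

# CORRECT: load quota globally so every service that opens a user's
# mail (including quota-status) gets a quota context; keep only the
# IMAP-specific part scoped to imap.
mail_plugins = $mail_plugins quota

protocol imap {
  mail_plugins = $mail_plugins imap_quota
}

plugin {
  # backend and limit are assumptions; the poster uses a PostgreSQL dict
  quota = dict:User quota::proxy::quota
  quota_rule = *:storage=10G
}

service quota-status {
  executable = quota-status -p postfix
  inet_listener {
    port = 12340
  }
  client_limit = 1
}
```

After `doveadm reload`, the poster's printf/nc check should answer `action=DUNNO` for a recipient with room left and `action=552 5.2.2 ...` when `size` would push the mailbox over its rule; a run that keeps answering OK for an over-quota user means the plugin is still not loaded in the quota-status process (check with `doveconf -n mail_plugins`).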


Re: Get mailbox from its guid through IMAP

2016-03-02 Thread Timo Sirainen
On 15 Feb 2016, at 14:26, Peter Chiochetti  wrote:
> 
> In the shell I'd do:
> 
>   doveadm fetch -u bob mailbox mailbox-guid $box uid 1
> 
> Is there a way through IMAP to get the same?

Not directly, but:

a STATUS mailbox (X-GUID)

or for all:

a LIST "" * RETURN (STATUS (X-GUID))
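Timo's LIST ... RETURN (STATUS (X-GUID)) form returns every mailbox's GUID in one round trip; what the original question needs is the reverse lookup, GUID to mailbox. The Python below is an added example, not code from the thread or from Dovecot: it parses untagged STATUS replies of that shape from a constructed sample and inverts the mapping. The mailbox names and GUID values in SAMPLE are invented; the parser handles atom and quoted-string mailbox names but not literal ({n}) names, and \Noselect entries simply never get a STATUS line.

```python
import re

# Untagged replies in the shape a LIST "" * RETURN (STATUS (X-GUID))
# produces. Constructed sample: names and GUIDs are invented.
SAMPLE = r'''
* LIST (\HasNoChildren) "/" INBOX
* STATUS INBOX (X-GUID 2f9a5d3c8e1b4a7f9d0c6b3e5a8f1d2c)
* LIST (\HasNoChildren) "/" "Sent Messages"
* STATUS "Sent Messages" (X-GUID 7c1e4b9a2d5f8e3b6a0c9d1f4e7b2a5d)
* LIST (\HasNoChildren) "/" Drafts
* STATUS Drafts (MESSAGES 3 UNSEEN 1 X-GUID 0a1b2c3d4e5f60718293a4b5c6d7e8f9)
* LIST (\Noselect \HasChildren) "/" Public
a OK List completed
'''

# * STATUS <mailbox> (<items>)  where mailbox is an atom or a quoted string
_STATUS = re.compile(r'^\* STATUS (?:"((?:[^"\\]|\\.)*)"|(\S+)) \((.*)\)\s*$')
# Dovecot mailbox GUIDs are 128 bits printed as 32 hex digits
_GUID = re.compile(r'\bX-GUID ([0-9a-fA-F]{32})\b')


def parse_status_guids(text):
    """Map mailbox name -> GUID from the STATUS lines of an IMAP response.
    Quoted names are unescaped; lines without an X-GUID item are skipped."""
    out = {}
    for line in text.splitlines():
        m = _STATUS.match(line)
        if not m:
            continue
        if m.group(2) is not None:
            name = m.group(2)                               # atom form
        else:
            name = re.sub(r'\\(.)', r'\1', m.group(1))      # quoted form
        g = _GUID.search(m.group(3))
        if g:
            out[name] = g.group(1).lower()
    return out


def mailbox_for_guid(text, guid):
    """Reverse lookup: the mailbox carrying `guid`, or None if no STATUS
    line reported it (e.g. a \\Noselect parent or a GUID from another user)."""
    by_guid = {v: k for k, v in parse_status_guids(text).items()}
    return by_guid.get(guid.lower())


if __name__ == "__main__":
    print(parse_status_guids(SAMPLE))
    print(mailbox_for_guid(SAMPLE, "7C1E4B9A2D5F8E3B6A0C9D1F4E7B2A5D"))
```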


Re: Timeout for LDAP connection

2016-03-02 Thread Gordon Grubert

Hi Timo,

On 03/01/2016 10:51 PM, Timo Sirainen wrote:
> On 29 Feb 2016, at 17:18, Gordon Grubert wrote:
>
>> Hi,
>>
>> we are using a round robin dns record for connections to our ldap
>> system. This works fine for almost all cases. In particular, for
>> dovecot this means that when an ldap server is stopped, dovecot
>> instantly reconnects to another ldap server.
>>
>> But when the network connection to the active ldap server is broken,
>> dovecot sticks to the failed ldap server. Is there any possibility to
>> define a connection timeout?
>
> What should happen is that as long as new requests keep coming, Dovecot
> realizes after about 60 seconds that the LDAP server is hanging. It then
> reconnects and the reconnection should work. But... First of all, 60 seconds is
> likely a much too long timeout.
>
> But more importantly it looks like there's something weird now going on with
> OpenLDAP library. I added this somewhat recently and tested that it works:
>
> https://github.com/dovecot/core/commit/fb3178a1924dae52151d88c4d4ded879df43dd3f

Thx a lot. I'll test this ASAP. IMHO, this will not really help,
because the timeout is relevant when connecting to the LDAP server only
and not for an active session, or?

> But now that I'm testing it, the timeout doesn't seem to be triggering. I don't
> know what happened to it that it suddenly doesn't work.. This also means that
> OpenLDAP seems to be internally stuck trying to connect to a server that isn't
> responding. Dovecot doesn't currently make the decisions on which LDAP server
> to connect to. It just passes through all the hosts to OpenLDAP library and
> lets it handle it. And it seems like OpenLDAP library can't right now do this
> failover. So maybe Dovecot should be responsible for that as well..

You're right, there are some modifications in the OpenLDAP client.
In 2014, the option

BIND_POLICY

in ldap.conf still existed. The current version does not support this
option :-(

> Anyway, for now you could set up haproxy to localhost and configure Dovecot
> LDAP to connect to haproxy and haproxy connect to the actual LDAP servers.

I'll take a look at it.

Thx and best regards,
Gordon



--
Technischer Leiter & stellv. Direktor
Universitätsrechenzentrum (URZ)
E.-M.-Arndt-Universität Greifswald
Felix-Hausdorff-Str. 12
17489 Greifswald
Germany

Tel. +49 3834 86 1456
Fax. +49 3834 86 1401


Re: Error: istream-seekable: safe_mkstemp(/tmp/dovecot.imap.) failed

2016-03-02 Thread Thomas Leuxner
* Timo Sirainen  2016.03.01 23:03:

> > I'm seeing these recently:
> > 
> > Feb 27 09:24:01 nihlus dovecot: imap(t...@leuxner.net): Error: 
> > istream-seekable: safe_mkstemp(/tmp/dovecot.imap.) failed: No such file or 
> > directory
> 
> You don't have a /tmp directory or imap is chrooted somewhere where there is 
> no /tmp?..

No and no :) However the error message magically disappeared with newer builds. 
I'm not seeing it since Sunday...




Re: Timeout for LDAP connection

2016-03-02 Thread mj

Hi,

We have experienced the same or similar problem, and not just with 
dovecot but also with postfix. Thanks for your HAProxy suggestion!


We have the feeling that when the ldap connection is actually DOWN 
(gone, terminated), OpenLDAP will reconnect to another server.
But if the ldap server becomes 'stuck' (as in: returning no data 
anymore, but not actually terminating the connection) a failover does 
not happen.


(we have had the second scenario, with samba4 AD ldap)

MJ

On 03/01/2016 10:51 PM, Timo Sirainen wrote:

> But now that I'm testing it, the timeout doesn't seem to be
> triggering. I don't know what happened to it that it suddenly doesn't
> work.. This also means that OpenLDAP seems to be internally stuck
> trying to connect to a server that isn't responding. Dovecot doesn't
> currently make the decisions on which LDAP server to connect to. It
> just passes through all the hosts to OpenLDAP library and lets it
> handle it. And it seems like OpenLDAP library can't right now do this
> failover. So maybe Dovecot should be responsible for that as well..
>
> Anyway, for now you could set up haproxy to localhost and configure
> Dovecot LDAP to connect to haproxy and haproxy connect to the actual
> LDAP servers.
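The haproxy workaround Timo proposes, and that mj also picks up, only helps with mj's "stuck but not closed" case if the health check does more than open a TCP socket. The fragment below is an added example of such a setup, not configuration from the thread: haproxy listens on loopback, and `option ldap-check` makes it send an anonymous LDAPv3 bind to each backend and fail the server when no bind response arrives within `timeout check`, which is exactly the server that answers the handshake but then returns nothing. The hostnames, ports and timings are assumptions.

```conf
# /etc/haproxy/haproxy.cfg  (added example; hosts and timings assumed)
global
    log /dev/log local0

defaults
    mode    tcp
    log     global
    timeout connect 2s        # unreachable host: fail fast, try the next one
    timeout client  60s
    timeout server  60s

listen ldap
    bind 127.0.0.1:389
    balance roundrobin
    option ldap-check         # LDAPv3 anonymous bind, not just a TCP connect:
    timeout check 3s          # a backend that accepts but never answers fails
    server ldap1 ldap1.example.org:389 check inter 5s fall 2 rise 2
    server ldap2 ldap2.example.org:389 check inter 5s fall 2 rise 2
```

In dovecot-ldap.conf.ext the round-robin name then becomes `hosts = 127.0.0.1` (and likewise for Postfix's ldap tables). Two caveats: the bind check is plaintext LDAP, so leave it on a trusted network or terminate TLS at haproxy and check there; and if Dovecot uses `tls = yes`, the backend certificates are still validated against the name Dovecot dials, so point it at a hostname that resolves to 127.0.0.1 and appears in the backends' SAN rather than at the bare loopback address.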



Dual certificate

2016-03-02 Thread Jean-Baptiste Vignaud
Hello all;


Does anyone know if it's possible to have a dual certificate setup on
dovecot like in postfix or apache?

I tried to add several certs in the local_name section:

local_name imap.server.tdl {
ssl_cert =