Re: Exim still accepting emails to nonexistent users

2016-11-20 Thread Marti Markov
Hi Heiko,

Here is the router:

virtual_aliases:
  driver = redirect
  debug_print = "R: Check address using virtual_aliases for $local_part@$domain"
  allow_fail
  allow_defer
  hide data = CHECK_VIRTUAL_ALIASES
  user = vmail
  group = mail




local_user:
  debug_print = "R: local_user for $local_part@$domain"
  driver = accept
  domains = +local_domains
#Dovecot auth check
#  check_local_user
  local_parts = ! root
  transport = dovecot_lmtp
  cannot_route_message = Unknown user


And this is the transport:

dovecot_lmtp:
   driver = lmtp
   socket = /var/run/dovecot/lmtp
   #return_path_add
   #maximum number of deliveries per batch, default 1
   batch_max = 200

This might also be helpful (this is with check_local_user commented out in the 
router)
> local_user router <
local_part=nosuchuser domain=domainproblem.com
checking domains
cached yes match for +local_domains
cached lookup data = NULL
domainproblem.com in "+local_domains"? yes (matched "+local_domains" - cached)
checking local_parts
NoSuchUser in "! root"? yes (end of list)
R: local_user for nosuchu...@domainproblem.com
calling local_user router
local_user router called for nosuchu...@domainproblem.com
  domain = domainproblem.com
queued for dovecot_lmtp transport: local_part = nosuchuser
domain = domainproblem.com
  errors_to=NULL
  domain_data=NULL localpart_data=NULL
routed by local_user router
  envelope to: nosuchu...@domainproblem.com
  transport: dovecot_lmtp
Cannot do callout: neither router nor transport provided a host list
--- end verify 
deny: condition test failed in ACL "acl_check_rcpt"
processing "accept"
check domains = +relay_to_domains
domainproblem.com in "empty"? no (end of list)
domainproblem.com in "+relay_to_domains"? no (end of list)
accept: condition test failed in ACL "acl_check_rcpt"
processing "accept"
accept: condition test succeeded in ACL "acl_check_rcpt"
SMTP>> 250 Accepted
250 Accepted


This is when it’s not commented out:
> local_user router <
local_part=m.markov domain=domainproblem.com
checking domains
cached yes match for +local_domains
cached lookup data = NULL
domainproblem.com in "+local_domains"? yes (matched "+local_domains" - cached)
checking local_parts
m.markov in "! root"? yes (end of list)
checking for local user
seeking password data for user "m.markov": using cached result
getpwnam() returned NULL (user not found)
local_user router skipped: m.markov is not a local user


I currently have check_local_user disabled because nobody will be able to 
receive emails.

> On 17 Nov 2016, at 21:33, Heiko Schlittermann  wrote:
> 
> Hi,
> 
> Marti Markov  (Mi 16 Nov 2016 04:28:28 CET):
>> After adding the configuration bit:
>> 
>> deny
>>   message = invalid recipient
>>   domains = +local_domains
>>   !verify = recipient/callout=no_cache
>> 
>> from: http://wiki2.dovecot.org/LMTP/Exim running update-exim4.conf and
>> service exim4 restart
>> 
>> the server is still accepting emails to recipients that do not exist in 
>> dovecot.
> 
> How is the router, targeting the messages to dovecot, configured? And
> how the transport, responsible for the delivery to dovecot?
> 
>Best regards from Dresden/Germany
>Viele Grüße aus Dresden
>Heiko Schlittermann
> -- 
> SCHLITTERMANN.de  internet & unix support -
> Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
> gnupg encrypted messages are welcome --- key ID: F69376CE -
> ! key id 7CBF764A and 972EAC9F are revoked since 2015-01  -
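
An added example, not part of the original thread: a small Python scan over an Exim debug trace that reports recipients answered with a 2xx reply after a "Cannot do callout" line, the pattern visible in the first trace above. The function names and the second (rejected) recipient in the sample are constructed for illustration.

```python
import re

# Lines 1-6 come from the trace above; lines 7-8 are a constructed rejected case.
TRACE = """\
local_part=nosuchuser domain=domainproblem.com
queued for dovecot_lmtp transport: local_part = nosuchuser
routed by local_user router
  transport: dovecot_lmtp
Cannot do callout: neither router nor transport provided a host list
SMTP>> 250 Accepted
local_part=ghost domain=example.test
SMTP>> 550 Unrouteable address
"""

PATTERNS = {
    "router": re.compile(r"routed by (\S+) router"),
    "transport": re.compile(r"transport: (\S+)$"),
    "reply": re.compile(r"SMTP>> (\d{3})"),
}

def analyse(trace):
    """Return one record per recipient found in an Exim debug trace."""
    records, cur = [], None
    for raw in trace.splitlines():
        line = raw.strip()
        m = re.match(r"local_part=(\S+) domain=(\S+)$", line)
        if m:
            rcpt = "@".join(m.groups())
            # Every router repeats this header; keep one record per address.
            if cur is None or cur["rcpt"] != rcpt or cur["reply"]:
                cur = {"rcpt": rcpt, "router": None, "transport": None,
                       "callout_skipped": False, "reply": None}
                records.append(cur)
        elif cur and line.startswith("Cannot do callout"):
            cur["callout_skipped"] = True
        elif cur:
            for key, rx in PATTERNS.items():
                hit = rx.match(line)
                if hit and cur[key] is None:
                    cur[key] = hit.group(1)
    return records

def unverified_accepts(trace):
    """Recipients answered 2xx although the requested callout never ran."""
    return [r for r in analyse(trace)
            if r["callout_skipped"] and (r["reply"] or "").startswith("2")]

if __name__ == "__main__":
    print([r["rcpt"] for r in unverified_accepts(TRACE)])
```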


Re: Implementing secondary quota w/ "Archive" namespace

2016-11-20 Thread Fred Turner
Hey Everybody—

Posted this to the list a couple of months ago, but didn’t get any responses. 
Is there a better place to ask this question about quota & namespace 
configuration? Seems like a lot of the discussion here is a little 
deeper/lower-level than my configuration question, like debugging and 
development…

Thx,
Fred


> On Sep 20, 2016, at 02:28 PM, Fred Turner  wrote:
> 
> Hello folks—
> 
> My first post, so please be gentle… :-)
> 
> I have a client email server using SSDs for primary user mailboxes, but since 
> the number of users keeps growing and they all seem to be very reluctant to 
> delete anything, I’ve implemented an “Archive” namespace that stores its 
> mailboxes on a larger HD RAID. The idea is that, as the users approach their 
> quota, they move messages to the Archive mailboxes to alleviate space in 
> their primary Inbox namespace. This secondary storage part is working well, 
> but I’m having trouble w/ getting the quotas to work right. Here are the 
> basics of the setup:
> 
> Mac Pro Server 2012
> Mac OS X Server 10.6.8
> Dovecot 1.1.20apple0.5
> 
> Here is how I’ve configured my namespaces (during testing):
> 
> namespace private {
>   separator = /
>   prefix =
>   inbox = yes
> }
> 
> namespace private {
>   separator = /
>   prefix = testArchive/
>   location = maildir:/Shared Items/MailArchive/%u
>   subscriptions = yes
> }
> 
> My quota research has led me to try this:
> 
> quota = maildir:User quota:ns=
> 
> quota2 = maildir:ns=testArchive/
> quota2_rule = *:storage=20G
> 
> The first line is already in the default config, with the exception of the 
> added “:ns=“ at the end. The 2nd line in the examples I saw had a middle 
> component w/ the quota name, but when I tried that, like so:
> 
> quota2 = maildir:Archive quota:ns=testArchive/
> 
> my server fails and shows this in the logs:
> 
>> Fatal: IMAP(*): Quota root test backend maildir: Unknown parameter: 
>> ns=testArchive/
> 
> 
> Any idea why it doesn’t like that? Also, do I need to add a quota_rule for 
> the primary quota? It does not have one normally in the Mac OS X Server 
> config…
> 
> Thus far in my testing, I’ve been able to get the 2 quotas to show up in 
> Roundcube and Mac Mail.app. It’s a little messy…the first shows up as “User 
> quota”, the 2nd as “ns=testArchive/“, presumably because I cannot leave the 
> description field in there.
> 
> Unfortunately, both quotas show the same amount of space in use. If I drop 
> the primary quota to a mere 4MB for testing, and if I have 5.2MB of messages 
> in a testArchive folder, the space used for “User quota” shows as 5.2MB 
> (>100%), as does the “ns=testArchive/“ quota (which is 20GB). In actuality, 
> the Inbox namespace is really only using a few KB— the 5.2MB is in the 
> testArchive namespace. This means that I cannot move messages between either 
> set of namespaces, and new messages are not delivered. So, the quota trouble 
> here is negating the whole point of having the Archive namespace...
> 
> Is there a way to get Dovecot to “see” the 2 quotas as unique/discrete? It 
> seems like I’m close to accomplishing what I want, but just can’t quite get 
> it to cooperate. And that “Unknown parameter” error is bewildering. Any ideas?
> 
> Thx,
> Fred
> 
> P.S. I can add my Dovecot config to the thread upon request…didn’t want to 
> make this initial message even longer.


Re: Feedback on first, i.e. novice-level, experiences with dovecot

2016-11-20 Thread Michael Felt

On 20/11/2016 16:41, Michael Felt wrote:

(though still unknowing what the fatal error)


This is also needed:

cp -rp /etc/dovecot/conf.d /opt/etc/dovecot/

as the config file contains:

# Most of the actual configuration gets included below. The filenames are
# first sorted by their ASCII value and parsed in that order. The 00-prefixes
# in filenames are intended to make it easier to understand the ordering.
!include conf.d/*.conf

# A config file can also tried to be included without giving an error if
# it's not found:
!include_try local.conf

Note: the include_try did not complain, but the include conf.d/*.conf 
did (relative name, not fullpath)


All for today!
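
An added example, not part of the original message: a Python pre-flight check that resolves the `!include` and `!include_try` lines of a dovecot.conf the way the message above reports them behaving (relative patterns looked up beside the including file, a non-matching `!include` fatal, a non-matching `!include_try` silent). The function names and the temporary files in `demo()` are constructed for illustration.

```python
import glob
import os
import re
import tempfile

INCLUDE_RE = re.compile(r"^\s*!(include_try|include)\s+(\S+)")

def check_includes(conf_path):
    """Resolve every !include / !include_try line in conf_path.

    Assumed semantics, as reported in the message above: a relative pattern
    is looked up beside the including file, an !include without a match is
    fatal, an !include_try without a match is skipped silently.
    """
    base = os.path.dirname(os.path.abspath(conf_path))
    found = []
    with open(conf_path) as fh:
        for lineno, line in enumerate(fh, 1):
            m = INCLUDE_RE.match(line)
            if not m:
                continue
            directive, pattern = m.groups()
            # os.path.join leaves an absolute pattern unchanged.
            files = sorted(glob.glob(os.path.join(base, pattern)))
            found.append({"line": lineno, "pattern": pattern,
                          "files": [os.path.basename(f) for f in files],
                          "fatal": directive == "include" and not files})
    return found

def demo():
    """Constructed layout: dovecot.conf copied alone, then conf.d added."""
    with tempfile.TemporaryDirectory() as root:
        conf = os.path.join(root, "dovecot.conf")
        with open(conf, "w") as fh:
            fh.write("# comment\n!include conf.d/*.conf\n!include_try local.conf\n")
        before = check_includes(conf)
        os.mkdir(os.path.join(root, "conf.d"))
        for name in ("20-imap.conf", "10-auth.conf"):
            open(os.path.join(root, "conf.d", name), "w").close()
        after = check_includes(conf)
    return before, after

if __name__ == "__main__":
    for stage in demo():
        print(stage)
```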


Re: Feedback on first, i.e. novice-level, experiences with dovecot

2016-11-20 Thread Michael Felt

On 20/11/2016 16:36, Michael Felt wrote:
More later. 


So, part of my confusion may be resolved - I was thinking $prefix only, 
where there are three:


From the default config file (though still unknowing what the fatal 
error) contains:


# options. The paths listed here are for configure --prefix=/usr
# --sysconfdir=/etc --localstatedir=/var

However, I still would have expected 
/usr/share/doc/dovecot-core/example-config/ to be behind /opt. Or is 
there yet another ./configure setting I skipped?


Re: Feedback on first, i.e. novice-level, experiences with dovecot

2016-11-20 Thread Michael Felt

On 20/11/2016 14:51, Michael Felt wrote:

root@x066:/data/prj/aixtools/dovecot/core# cat /etc/dovecot/README
Configuration files go to this directory. See example configuration files in
/usr/share/doc/dovecot-core/example-config/

Conclusion:

--prefix=/opt is not applied everywhere.

* More first impressions as I come to them - if you want them - as I 
hope this helps make dovecot better!


Next experience:

root@x066:/data/prj/aixtools/dovecot/core# cp /etc/dovecot/dovecot.conf /opt/etc/dovecot/dovecot.conf

root@x066:/data/prj/aixtools/dovecot/core#  /opt/bin/doveconf -n
# 2.3.devel (92c8109): /opt/etc/dovecot/dovecot.conf
doveconf: Fatal: Error in configuration file /opt/etc/dovecot/dovecot.conf line 94: No matches


So, I shall look into why no matches are found using vi

More later.


Feedback on first, i.e. novice-level, experiences with dovecot

2016-11-20 Thread Michael Felt
a) google: "dovecot imap configuration" brought an article from 2005 as 
the first item:


while I like debian and a bit of history you may want to ask yourself 
how to improve your site as the primary hit from google. FYI: years ago 
I had great results in the top of google searches - and then I made a 
major error - I moved my site to a new url and google forgot me.


b) using your http://wiki.dovecot.org/QuickConfiguration as a guide:

I built dovecot using --prefix=/opt (I abhor /usr/local these days - 
that is so 1984ish). The applications got installed in /opt/bin


root@x066:/data/prj/aixtools/dovecot/core# ls -ltr /opt
total 36
drwxr-xr-x 3 root root 4096 Nov 20 14:33 lib
drwxr-xr-x 3 root root 4096 Nov 20 14:33 include
drwxr-xr-x 6 root root 4096 Nov 20 14:33 share
drwxr-xr-x 3 root root 4096 Nov 20 14:33 libexec
drwxr-xr-x 2 root root 4096 Nov 20 14:33 sbin
drwxr-xr-x 2 root root 4096 Nov 20 14:33 bin

Are the directories 'make install' touched or made.

root@x066:/data/prj/aixtools/dovecot/core#  /opt/bin/doveconf -n

# 2.3.devel (92c8109): /opt/etc/dovecot/dovecot.conf
doveconf: Fatal: open(/opt/etc/dovecot/dovecot.conf) failed: No such file or directory


where are example configs?

root@x066:/data/prj/aixtools/dovecot/core# find /opt -name example-config
root@x066:/data/prj/aixtools/dovecot/core#

Not in /opt

How about a default config?

root@x066:/data/prj/aixtools/dovecot/core# find / -name dovecot
/etc/init.d/dovecot
/etc/pam.d/dovecot
/etc/default/dovecot
/etc/dovecot
/var/lib/dovecot
^C

Seems to be /etc/dovecot

root@x066:/data/prj/aixtools/dovecot/core# ls -l /etc/dovecot
total 40
drwxr-xr-x 2 root root    4096 Apr 30  2015 conf.d
-rw-r--r-- 1 root root    4180 Jun  8  2014 dovecot.conf
-rw-r----- 1 root dovecot  410 Jun  8  2014 dovecot-db.conf.ext
-rw-r----- 1 root dovecot  782 Jun  8  2014 dovecot-dict-sql.conf.ext
-rw-r--r-- 1 root dovecot 1363 Apr 30  2015 dovecot.pem
-rw-r----- 1 root dovecot 5348 Jun  8  2014 dovecot-sql.conf.ext
drwx------ 2 root root    4096 Apr 30  2015 private
-rw-r--r-- 1 root root     121 Jun  8  2014 README

and finally - read README to find the examples:

root@x066:/data/prj/aixtools/dovecot/core# cat /etc/dovecot/README
Configuration files go to this directory. See example configuration files in
/usr/share/doc/dovecot-core/example-config/

Conclusion:

--prefix=/opt is not applied everywhere.

* More first impressions as I come to them - if you want them - as I 
hope this helps make dovecot better!


Michael


doveadm service: verify client cert

2016-11-20 Thread Matwey V. Kornilov
Hello,

I want to open a socket for connecting doveadm using tcps. I do the
following:

service doveadm {
  inet_listener {
    port = 5001
    ssl = yes
  }
}

At the same time, I would like to verify client certificates for
connections going to port 5001.
I am trying to do the following, but it doesn't work:

protocol doveadm {
  ssl_require_crl = yes
  ssl_verify_client_cert = yes
}

How could I achieve the required behavior?


Re: [PATCH] Manually cleanup OpenSSL from dovecot_openssl_common_global_unref()

2016-11-20 Thread Reuben Farrelly

Hi,

This patch:

On 15/11/2016 10:46 PM, Aki Tuomi wrote:



On 13.11.2016 20:04, Apollon Oikonomopoulos wrote:

OpenSSL 1.1 features a cleanup function that is automatically run on shutdown
using atexit(3). This function frees all OpenSSL-allocated resources.

In dovecot, OpenSSL is loaded indirectly using dlopen(3) against the relevant
dovecot crypto module and is finally unloaded using dlclose(3). Until
OpenSSL 1.0.1c this worked fine, however OpenSSL 1.0.1c makes sure[1] that the
library stays loaded after the initial dlclose() so that the atexit(3)
handlers can run on shutdown. This, together with the fact that dovecot
uses custom allocation functions for OpenSSL and has already partially
free()'d some of OpenSSL's resources in module_free(), leads to a
segfault at process shutdown[2].

We fix this by explicitly calling OPENSSL_cleanup() during module unload. This
is safe to do, as long as we will never want to subsequently re-initialize
OpenSSL.

[1] https://github.com/openssl/openssl/commit/4af9f7fe79ff82b90c16969b7e5871435056377b
[2] https://buildd.debian.org/status/fetch.php?pkg=dovecot=amd64=1:2.2.26.0-2=1478873022

Signed-off-by: Apollon Oikonomopoulos 
---
 src/lib-ssl-iostream/dovecot-openssl-common.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/lib-ssl-iostream/dovecot-openssl-common.c 
b/src/lib-ssl-iostream/dovecot-openssl-common.c
index 51ea3ad..2bf6307 100644
--- a/src/lib-ssl-iostream/dovecot-openssl-common.c
+++ b/src/lib-ssl-iostream/dovecot-openssl-common.c
@@ -101,6 +101,9 @@ bool dovecot_openssl_common_global_unref(void)
ERR_remove_thread_state(NULL);
 #endif
ERR_free_strings();
+#if OPENSSL_VERSION_NUMBER >= 0x1010L
+   OPENSSL_cleanup();
+#endif
return FALSE;
 }
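
Review bot: The guard on the added `#if` line keys only on OPENSSL_VERSION_NUMBER, so any library whose headers satisfy that comparison but which does not export OPENSSL_cleanup() fails at link time; the LibreSSL-2.5.0 build log further down this thread ends in exactly that undefined reference. Consider also requiring `!defined(LIBRESSL_VERSION_NUMBER)` in the condition, or replacing the version test with a configure-time check for the function. A short comment next to the call stating that OpenSSL must not be re-initialized afterwards, as the commit message says, would also help whoever touches dovecot_openssl_common_global_unref() next.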



Hi!

Your patch is being reviewed.

Aki


... which was committed as c164f8afe58c8d83ef2a48aae629c72408dfea01 in 
master-2.2, terminally breaks the build with LibreSSL.  Obviously this 
wasn't tested or considered ;)


*** Warning: Linking the executable test-http-client against the 
loadable module

*** libssl_iostream_openssl.so is not portable!
libtool: link: x86_64-pc-linux-gnu-gcc -std=gnu99 -O0 -g -pipe 
-march=native -mtune=native -Wall -W -Wmissing-prototypes 
-Wmissing-declarations -Wpointer-arith -Wchar-subscripts -Wformat=2 
-Wbad-function-cast -fno-builtin-strftime -Wstrict-aliasing=2 -Wl,-O1 -o 
.libs/test-http-client test-http-client.o -Wl,--export-dynamic 
-Wl,--as-needed ./.libs/libhttp.a ../lib-dns/.libs/libdns.a 
../lib-ssl-iostream/.libs/libssl_iostream.a 
../lib-master/.libs/libmaster.a ../lib-settings/.libs/libsettings.a 
../lib-test/.libs/libtest.a ../lib/.libs/liblib.a -ldl 
../lib-ssl-iostream/.libs/libssl_iostream_openssl.so -lssl -lcrypto 
-Wl,-rpath -Wl,/usr/lib64/dovecot
../lib-ssl-iostream/.libs/libssl_iostream_openssl.so: undefined 
reference to `OPENSSL_cleanup'

collect2: error: ld returned 1 exit status
make[3]: *** [Makefile:737: test-http-client] Error 1
make[3]: *** Waiting for unfinished jobs
libtool: link: x86_64-pc-linux-gnu-gcc -std=gnu99 -O0 -g -pipe 
-march=native -mtune=native -Wall -W -Wmissing-prototypes 
-Wmissing-declarations -Wpointer-arith -Wchar-subscripts -Wformat=2 
-Wbad-function-cast -fno-builtin-strftime -Wstrict-aliasing=2 -Wl,-O1 -o 
test-http-client-errors test-http-client-errors.o -Wl,--export-dynamic 
-Wl,--as-needed ./.libs/libhttp.a ../lib-dns/.libs/libdns.a 
../lib-ssl-iostream/.libs/libssl_iostream.a 
../lib-master/.libs/libmaster.a ../lib-settings/.libs/libsettings.a 
../lib-test/.libs/libtest.a ../lib/.libs/liblib.a -ldl
make[3]: Leaving directory 
'/var/tmp/portage/net-mail/dovecot-2.2.26_p20161120/work/dovecot-2.2.26_p20161120/src/lib-http'

make[2]: *** [Makefile:493: all-recursive] Error 1
make[2]: Leaving directory 
'/var/tmp/portage/net-mail/dovecot-2.2.26_p20161120/work/dovecot-2.2.26_p20161120/src'

make[1]: *** [Makefile:618: all-recursive] Error 1
make[1]: Leaving directory 
'/var/tmp/portage/net-mail/dovecot-2.2.26_p20161120/work/dovecot-2.2.26_p20161120'

make: *** [Makefile:462: all] Error 2
 * ERROR: net-mail/dovecot-2.2.26_p20161120::reub-Local-Overlay failed 
(compile phase):

 *   emake failed
 *

I am running LibreSSL-2.5.0, so I guess it may not be a supported 
function yet.


Reuben