postfix/smtpd[725]: fatal: no SASL authentication mechanisms
I don't have doveadm logs in /var/log/. Are they in another place by default, or should I turn something on?

My config (default passdb block and auth_mechanisms, nothing more changed):

root@vps342401:/etc/dovecot# doveconf -n
# 2.2.9: /etc/dovecot/dovecot.conf
# OS: Linux 3.13.0-100-generic x86_64 Ubuntu 14.04.5 LTS
auth_mechanisms = plain login
listen = *,[::]
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_max_userip_connections = 100
mail_plugins = " quota"
mail_privileged_group = vmail
passdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}
plugin {
  quota = dict:user::file:/var/vmail/%d/%n/.quotausage
  sieve = /var/vmail/%d/%n/.sieve
  sieve_max_redirects = 25
}
postmaster_address = postmas...@vps342401.ovh.net
protocols = imap pop3
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0600
    user = vmail
  }
  user = root
}
service imap-login {
  client_limit = 1000
  process_limit = 512
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
ssl = required
ssl_cert = &1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; do ne)
Feb 1 09:53:01 vps342401 CRON[778]: (root) CMD (/usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done )

Is there any strange thing in these config lines?

--
Pozdrawiam / Best Regards
Piotr Bracha
tel. 534 555 877
ser...@poliman.pl
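The "fatal: no SASL authentication mechanisms" line at the top of this post is emitted by Postfix, not Dovecot, and it has one common cause that the posted doveconf -n output alone cannot show: Postfix reads the mechanism list that Dovecot's auth service announces on the /var/spool/postfix/private/auth socket, then drops every mechanism that conflicts with smtpd_sasl_security_options (or smtpd_sasl_tls_security_options inside TLS). With auth_mechanisms = plain login and "noplaintext" set, nothing survives and smtpd aborts. The model below is an added example, not code from the thread, Postfix or Dovecot; the two auth-socket greetings are constructed, the mechanism flags follow Dovecot's documentation, and the filtering rule is the one Postfix's SASL_README describes.

```python
"""Model of how Postfix filters the mechanism list it gets from Dovecot.

Added example, not Postfix or Dovecot code. The greetings are constructed;
the flags per mechanism follow Dovecot's documentation.
"""
from typing import Dict, Iterable, List, Set

# Constructed greeting, as Dovecot's auth service writes it on the
# unix_listener /var/spool/postfix/private/auth for auth_mechanisms = plain login.
GREETING_PLAIN_LOGIN = "\n".join([
    "VERSION\t1\t1",
    "MECH\tPLAIN\tplaintext",
    "MECH\tLOGIN\tplaintext",
    "SPID\t725",
    "CUID\t1",
    "COOKIE\t0123456789abcdef0123456789abcdef",
    "DONE",
])

# Constructed greeting for auth_mechanisms = plain cram-md5.
GREETING_WITH_CRAM = "\n".join([
    "VERSION\t1\t1",
    "MECH\tPLAIN\tplaintext",
    "MECH\tCRAM-MD5\tdictionary\tactive",
    "DONE",
])

# Postfix security option -> Dovecot mechanism flag that option rejects.
REJECTED_FLAG = {
    "noplaintext": "plaintext",
    "noanonymous": "anonymous",
    "nodictionary": "dictionary",
    "noactive": "active",
}


def parse_mechanisms(greeting: str) -> Dict[str, Set[str]]:
    """Map mechanism name -> flags from the MECH lines of the greeting."""
    mechs: Dict[str, Set[str]] = {}
    for line in greeting.splitlines():
        fields = line.split("\t")
        if fields[0] == "MECH":
            mechs[fields[1]] = set(fields[2:])
        elif fields[0] == "DONE":
            break
    return mechs


def filter_mechanisms(mechs: Dict[str, Set[str]], options: Iterable[str]) -> List[str]:
    """Apply smtpd_sasl_security_options the way Postfix filters Dovecot's list."""
    opts = {o.strip().lower() for o in options if o.strip()}
    banned = {REJECTED_FLAG[o] for o in opts if o in REJECTED_FLAG}
    keep = []
    for name, flags in mechs.items():
        if flags & banned:
            continue
        if "mutual_auth" in opts and "mutual-auth" not in flags:
            continue
        keep.append(name)
    return sorted(keep)


def auth_advertisement(greeting: str, options: Iterable[str]) -> str:
    """Return the EHLO AUTH line smtpd would send, or raise like smtpd's fatal."""
    usable = filter_mechanisms(parse_mechanisms(greeting), options)
    if not usable:
        raise RuntimeError("fatal: no SASL authentication mechanisms")
    return "250-AUTH " + " ".join(usable)


if __name__ == "__main__":
    # Default smtpd_sasl_security_options = noanonymous: PLAIN and LOGIN survive.
    print(auth_advertisement(GREETING_PLAIN_LOGIN, ["noanonymous"]))
    # noplaintext with only PLAIN/LOGIN is the classic trigger of the fatal.
    try:
        auth_advertisement(GREETING_PLAIN_LOGIN, ["noplaintext", "noanonymous"])
    except RuntimeError as err:
        print("postfix/smtpd:", err)
    # The same option is harmless once a non-plaintext mechanism is configured.
    print(auth_advertisement(GREETING_WITH_CRAM, ["noplaintext", "noanonymous"]))
```

To check a live box, compare `postconf smtpd_sasl_security_options smtpd_sasl_tls_security_options` against `doveconf auth_mechanisms`: "noplaintext" on the non-TLS side combined with only plain/login in Dovecot reproduces the fatal exactly; the usual fix is to keep plaintext mechanisms allowed only under TLS (smtpd_tls_auth_only = yes) rather than to forbid them outright.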
Dovecot, Postfix, and SASL AUTH EXTERNAL
Hey folks, I've been using the ever popular Dovecot and Postfix combo for years. A while back I also introduced mutual TLS for mail clients to Dovecot and Postfix. I achieved this by a custom checkpassword script and SASL AUTH EXTERNAL for IMAP. This all worked great with clients like Thunderbird, which can be configured to use mutual TLS and SASL EXTERNAL for IMAP, and mutual TLS with no additional authentication for SMTP. However, I found that other mail clients, in particular K-9 mail on Android, [1] are not compatible with this configuration. I've been patching K-9 mail to work around this issue for some time now. If I configure K-9 to behave like Thunderbird when sending messages via SMTP, all is well. However, there's been some activity on an issue [2] which suggests some changes may be upcoming which will be incompatible with my patch. Without my patch, K-9 tries to auth with Postfix via AUTH EXTERNAL after presenting its client certificate. Despite configuring Postfix to prefer certificates before SASL, Postfix forwards the authentication request to Dovecot, which rejects it without even trying my checkpassword script. With my patch, K-9 simply initiates an SMTP connection without any additional authentication when mutual TLS is used. This behavior is similar to Thunderbird. The K-9 maintainers do not seem interested in merging this behavior into mainline. I can't seem to get Postfix to ignore the SASL failures in the case of successful mutual TLS. I want to use SASL authentication as a fallback from untrusted clients, where I use a combination of password and one time code. Even if Dovecot did not reject the AUTH EXTERNAL request from Postfix, I'm not sure how it could determine whether a valid client certificate were presented to Postfix, unless some additional information were passed along in the SASL request. I'd love to hear any thoughts from the community on how to move forward here. 
Should I pressure the K-9 maintainers to behave more like other clients? Would it make sense to extend the SASL interface in some way such that Dovecot could handle an EXTERNAL request from Postfix? Or should Postfix simply ignore SASL EXTERNAL based on the configured authentication mechanism order?

Thanks,
Matt

[1] https://github.com/k9mail/k-9/
[2] https://github.com/k9mail/k-9/issues/793

--
Matt Horan
m...@matthoran.com
http://matthoran.com/
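The two client behaviours Matt contrasts can be played through against a model of the smtpd side. An AUTH command is always handed to the SASL backend, and Dovecot's auth socket is never told about smtpd's TLS client certificate, so EXTERNAL has nothing to verify and fails; relaying, on the other hand, is decided by smtpd_relay_restrictions, where permit_tls_clientcerts matches the verified certificate's fingerprint against relay_clientcerts with no regard to any SASL outcome. The result is that a certificate-only session is relayed while a session that insists on AUTH EXTERNAL receives a 535 first, which is what K-9 trips over. This is an added example, not code from Postfix, Dovecot or K-9; the certificate bytes, the relay_clientcerts table and the domains are constructed, and smtpd_tls_fingerprint_digest = sha256 is assumed.

```python
"""AUTH EXTERNAL versus certificate-only relaying in a modelled smtpd session.

Added example; not Postfix, Dovecot or K-9 code. Certificate bytes, the
relay_clientcerts table and the domains are constructed; the fingerprint
digest is assumed to be sha256.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


def fingerprint(cert_der: bytes) -> str:
    """Colon-separated upper-case hex, the key format used in relay_clientcerts."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed stand-in for the client's DER certificate; smtpd would have
# OpenSSL verify the real one, only its digest matters for the table lookup.
CLIENT_CERT_DER = b"constructed-der-for-matt-laptop"
RELAY_CLIENTCERTS: Dict[str, str] = {fingerprint(CLIENT_CERT_DER): "matt-laptop"}
AUTHORIZED_DESTINATIONS = {"matthoran.com"}  # mydestination + relay_domains, constructed


@dataclass
class Session:
    ccert_der: Optional[bytes] = None
    ccert_verified: bool = False
    sasl_username: Optional[str] = None
    transcript: List[str] = field(default_factory=list)


def cmd_auth(session: Session, mechanism: str, credentials: Optional[str] = None) -> str:
    """AUTH is forwarded to the SASL backend, which never sees the TLS state."""
    mech = mechanism.upper()
    if mech in ("PLAIN", "LOGIN") and credentials:
        # The backend checks the password (the post uses password + one-time code).
        session.sasl_username = credentials.split(":", 1)[0]
        reply = "235 2.7.0 Authentication successful"
    else:
        # EXTERNAL included: no certificate reaches the backend, so it fails
        # regardless of what smtpd verified during the TLS handshake.
        reply = "535 5.7.8 Error: authentication failed"
    session.transcript.append(f"AUTH {mech} -> {reply}")
    return reply


# smtpd_relay_restrictions = permit_tls_clientcerts, permit_sasl_authenticated,
#                            reject_unauth_destination
def permit_tls_clientcerts(s: Session, domain: str) -> Optional[str]:
    if s.ccert_verified and s.ccert_der and fingerprint(s.ccert_der) in RELAY_CLIENTCERTS:
        return "PERMIT"
    return None  # DUNNO: fall through to the next restriction


def permit_sasl_authenticated(s: Session, domain: str) -> Optional[str]:
    return "PERMIT" if s.sasl_username else None


def reject_unauth_destination(s: Session, domain: str) -> Optional[str]:
    return None if domain in AUTHORIZED_DESTINATIONS else "554 5.7.1 Relay access denied"


RESTRICTIONS: List[Callable[[Session, str], Optional[str]]] = [
    permit_tls_clientcerts, permit_sasl_authenticated, reject_unauth_destination,
]


def cmd_rcpt(session: Session, rcpt: str) -> str:
    """Evaluate the restriction list in order; the first non-DUNNO verdict wins."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    reply = "250 2.1.5 Ok"
    for restriction in RESTRICTIONS:
        verdict = restriction(session, domain)
        if verdict is None:
            continue
        reply = "250 2.1.5 Ok" if verdict == "PERMIT" else verdict
        break
    session.transcript.append(f"RCPT TO:<{rcpt}> -> {reply}")
    return reply


def k9_style(rcpt: str = "friend@example.net") -> Session:
    """Presents the certificate, then insists on AUTH EXTERNAL."""
    s = Session(ccert_der=CLIENT_CERT_DER, ccert_verified=True)
    cmd_auth(s, "EXTERNAL", "=")
    cmd_rcpt(s, rcpt)  # would be accepted, but the client has already given up
    return s


def thunderbird_style(rcpt: str = "friend@example.net") -> Session:
    """Presents the certificate and goes straight to the envelope."""
    s = Session(ccert_der=CLIENT_CERT_DER, ccert_verified=True)
    cmd_rcpt(s, rcpt)
    return s


if __name__ == "__main__":
    for name, session in (("k9", k9_style()), ("thunderbird", thunderbird_style())):
        print(name, *session.transcript, sep="\n  ")
```

The transcript makes the asymmetry visible: the server side would relay either session, so the failure is entirely in the AUTH exchange that happens before MAIL FROM. An untrusted client that presents no certificate still has the PLAIN/LOGIN path and is rejected only at RCPT TO when it is neither authenticated nor sending to an authorized destination.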
Compiling Dovecot on Solaris 10
Hello,

I am trying to compile Dovecot 2.2.27 on Solaris 10, and I get this error:

test-ioloop.c: In function `test_ioloop_pending_io':
test-ioloop.c:188: error: size of array `type name' is negative

My configuration is like this:

Install prefix ... : /usr/local
File offsets ..... : 64bit
I/O polling ...... : poll
I/O notifys ...... : none
SSL .............. : yes (OpenSSL)
GSSAPI ........... : no
passdbs .......... : static passwd passwd-file shadow pam checkpassword
dcrypt ........... : yes
                   : -bsdauth -sia -ldap -sql -vpopmail
userdbs .......... : static prefetch passwd passwd-file checkpassword
                   : -ldap -sql -vpopmail -nss
SQL drivers ...... :
                   : -pgsql -mysql -sqlite -cassandra
Full text search . : squat
                   : -lucene -solr

The last version that I compiled was 2.2.24; version 2.2.25 failed with this error:

In file included from guid.c:6:
sha1.h:80: error: static or type qualifiers in abstract declarator

Is there anyone who can help me?

--
Pagarbiai (Best regards)
Mantas Gegužis
VU Informacinių technologijų taikymo centras
tel. 8 5 236 6208
Re: Moving to new password scheme
On Jan 25, 2017, at 4:57 AM, Steffen Kaiser wrote:

> yes, userdb's are checked in the same order as they appear in the config
> file(s).

Thanks for all the help, got everyone migrated over to SHA256-CRYPT now.

--
Apple broke AppleScripting signatures in Mail.app, so no random signatures.
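For anyone doing the same migration, it helps to know exactly what Dovecot stores. Its SHA256-CRYPT scheme is the standard "$5$" sha256-crypt that doveadm pw -s SHA256-CRYPT and glibc's crypt(3) produce, so an entry reads {SHA256-CRYPT}$5$<salt>$<hash>, or $5$rounds=N$<salt>$<hash> when a cost was set. The following is an added example, not Dovecot code: a self-contained implementation of that algorithm after the published sha256-crypt specification (checked against its reference vector) plus a verifier for stored entries, useful for validating a migrated table without the Dovecot auth socket. The stored entry and user name in the main block are constructed.

```python
"""Verify a Dovecot {SHA256-CRYPT} entry with a stand-alone sha256-crypt.

Added example, not Dovecot code. The algorithm follows the published
sha256-crypt specification; the stored entry in __main__ is constructed.
"""
import hashlib
import hmac
from typing import Tuple

_B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Output byte order mandated by the specification (final triple is 0, b31, b30).
_ORDER = [(0, 10, 20), (21, 1, 11), (12, 22, 2), (3, 13, 23), (24, 4, 14),
          (15, 25, 5), (6, 16, 26), (27, 7, 17), (18, 28, 8), (9, 19, 29)]


def _b64_from_24bit(b2: int, b1: int, b0: int, n: int) -> str:
    word = (b2 << 16) | (b1 << 8) | b0
    out = []
    for _ in range(n):
        out.append(_B64[word & 0x3F])
        word >>= 6
    return "".join(out)


def sha256_crypt(password: str, salt: str, rounds: int = 5000, explicit_rounds: bool = False) -> str:
    """sha256-crypt: salt is cut to 16 bytes, rounds clamped to [1000, 999999999]."""
    key = password.encode()
    salt_b = salt.encode()[:16]
    rounds = max(1000, min(rounds, 999_999_999))

    alt = hashlib.sha256(key + salt_b + key).digest()        # digest B
    ctx = hashlib.sha256(key + salt_b)                        # digest A starts here
    n = len(key)
    while n > 32:
        ctx.update(alt)
        n -= 32
    ctx.update(alt[:n])
    n = len(key)
    while n > 0:                                              # bits of the key length
        ctx.update(alt if n & 1 else key)
        n >>= 1
    alt = ctx.digest()                                        # digest A

    dp = hashlib.sha256(key * len(key)).digest()              # digest DP
    p_bytes = (dp * (len(key) // 32 + 1))[:len(key)]
    ds = hashlib.sha256(salt_b * (16 + alt[0])).digest()      # digest DS
    s_bytes = (ds * (len(salt_b) // 32 + 1))[:len(salt_b)]

    for i in range(rounds):                                   # key stretching
        ctx = hashlib.sha256()
        ctx.update(p_bytes if i & 1 else alt)
        if i % 3:
            ctx.update(s_bytes)
        if i % 7:
            ctx.update(p_bytes)
        ctx.update(alt if i & 1 else p_bytes)
        alt = ctx.digest()

    encoded = "".join(_b64_from_24bit(alt[a], alt[b], alt[c], 4) for a, b, c in _ORDER)
    encoded += _b64_from_24bit(0, alt[31], alt[30], 3)
    prefix = "$5$" + (f"rounds={rounds}$" if explicit_rounds else "")
    return prefix + salt_b.decode() + "$" + encoded


def parse_stored(stored: str) -> Tuple[str, int, bool]:
    """Split a {SHA256-CRYPT}$5$... value into (salt, rounds, rounds_explicit)."""
    if stored.startswith("{SHA256-CRYPT}"):
        stored = stored[len("{SHA256-CRYPT}"):]
    if not stored.startswith("$5$"):
        raise ValueError("not a SHA256-CRYPT hash")
    fields = stored[3:].split("$")
    rounds, explicit = 5000, False
    if fields[0].startswith("rounds="):
        rounds, explicit = int(fields[0][len("rounds="):]), True
        fields = fields[1:]
    if len(fields) != 2:
        raise ValueError("malformed SHA256-CRYPT hash")
    return fields[0], rounds, explicit


def verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt/rounds and compare in constant time."""
    salt, rounds, explicit = parse_stored(stored)
    candidate = sha256_crypt(password, salt, rounds, explicit)
    expected = stored[len("{SHA256-CRYPT}"):] if stored.startswith("{SHA256-CRYPT}") else stored
    return hmac.compare_digest(candidate.encode(), expected.encode())


if __name__ == "__main__":
    # Constructed entry for a constructed user; compare with: doveadm pw -s SHA256-CRYPT
    entry = "{SHA256-CRYPT}" + sha256_crypt("correct horse", "Qz8kLm2pXr1vTs0w")
    print("user1@example.com:" + entry)
    print(verify("correct horse", entry), verify("wrong horse", entry))
```

Keep the salt random and 16 characters from the crypt alphabet when generating entries, and prefer an explicit rounds value above the 5000 default for new hashes; the verifier above honours whatever the stored prefix says, which is what lets it validate a mixed table during a migration.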
Re: quota-status returns quota_status_success when email would put user over quota
Hi Christian,

On 2017-01-31 23:20, Christian Kivalo wrote:
> dovecot -n:
> # 2.2.13: /etc/dovecot/dovecot.conf
> # OS: Linux 3.16.0-4-amd64 x86_64 Debian 8.6 ext4
> auth_default_realm = vejen-net.dk
> auth_mechanisms = plain login
> auth_verbose = yes
> disable_plaintext_auth = no
> first_valid_uid = 110
> log_timestamp = "%Y-%m-%d %H:%M:%S "
> mail_debug = yes
> mail_location = maildir:/data/vmail/%d/%n/
>
> The one line I'm missing here from your doveconf -n output is
>
> mail_plugins = " quota"
>
> set in conf.d/10-mail.conf. Have you added quota to the global mail plugins setting? http://wiki2.dovecot.org/Quota

That did it, now it seems to work! I thought the global mail_plugins was only a variable, not a config option. But it seems it must be set.

So this works:

mail_plugins = $mail_plugins quota
protocol imap {
  mail_plugins = $mail_plugins imap_quota
}
protocol pop3 {
  mail_plugins = $mail_plugins
}

But this does not:

protocol imap {
  mail_plugins = quota imap_quota
}
protocol pop3 {
  mail_plugins = quota
}

Thank you very much for helping me along. Also thanks to Aki Tuomi who pointed out the same issue.

Regards,
--
Kristian Pedersen
ASOM-Net Systemadministrator
www.asom-net.dk
Telefon: 44 400 970
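The reason the second variant fails is structural: protocol blocks apply to imap and pop3 sessions only, while quota-status is a separate service that is not a protocol and therefore sees nothing but the global mail_plugins. The added example below, which is not Dovecot code, parses the two configs from this reply in the key = value / section { } syntax doveconf -n prints, expands $mail_plugins to the global value the way Dovecot does at parse time, and reports the plugin list each consumer ends up with. The name used for the quota-status lookup is an assumption for the demonstration.

```python
"""Effective mail_plugins per protocol and per non-protocol service.

Added example for the exchange above, not Dovecot code. The two configs are
the ones from the reply; the "quota-status" lookup name is an assumption.
"""
from typing import Dict, List

Section = Dict[str, object]


def parse_doveconf(text: str) -> Section:
    """Nested dict of settings; sections are keyed by their full header line."""
    root: Section = {}
    stack: List[Section] = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            section: Section = {}
            stack[-1][line[:-1].strip()] = section
            stack.append(section)
        elif line == "}":
            stack.pop()
        else:
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip().strip('"')
            # $key expands to the global value seen so far, as Dovecot does while reading.
            value = value.replace("$" + key, str(root.get(key, "")))
            stack[-1][key] = value
    if len(stack) != 1:
        raise ValueError("unbalanced braces")
    return root


def effective_mail_plugins(cfg: Section, name: str) -> List[str]:
    """Plugins loaded for protocol `name`; anything without a protocol block gets the global list."""
    section = cfg.get(f"protocol {name}")
    if isinstance(section, dict) and "mail_plugins" in section:
        return str(section["mail_plugins"]).split()
    return str(cfg.get("mail_plugins", "")).split()


def quota_status_enforces(cfg: Section) -> bool:
    """quota-status is a service, not a protocol, so only the global list counts."""
    return "quota" in effective_mail_plugins(cfg, "quota-status")


WORKING = """
mail_plugins = $mail_plugins quota
protocol imap {
  mail_plugins = $mail_plugins imap_quota
}
protocol pop3 {
  mail_plugins = $mail_plugins
}
"""

BROKEN = """
protocol imap {
  mail_plugins = quota imap_quota
}
protocol pop3 {
  mail_plugins = quota
}
"""

if __name__ == "__main__":
    for label, text in (("working", WORKING), ("broken", BROKEN)):
        cfg = parse_doveconf(text)
        print(label, "imap:", effective_mail_plugins(cfg, "imap"),
              "pop3:", effective_mail_plugins(cfg, "pop3"),
              "quota-status enforces:", quota_status_enforces(cfg))
```

The same rule bites any other non-protocol consumer of mail plugins (lmtp, lda and doveadm have their own protocol names, but indexer-worker, quota-status and similar services do not), so the global list is the place for plugins that must apply everywhere.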
Dovecot performance and proxy loops with IPv6
Hello list,

I run a large mail setup here with some million mailboxes and have strange performance problems, because I think I have overlooked or forgotten a simple setting. Here are some details:

21 CentOS 7 servers with Dovecot 2.2.25 and LDAP userdb/passdb via socket behind a hardware load balancer. The storage behind it is an iSCSI storage with 4 10 Gbit/s multipath paths, split up into 10 TB volumes for each server with LVM and an xfs filesystem. No cluster FS. Each server has about 60,000 to 75,000 mailboxes on it; mailboxes can have up to 10 GByte of space.

The log says this sometimes and completely at random:

Feb 1 10:42:49 server1 dovecot: pop3-login: Error: net_connect_unix(pop3) failed: Resource temporarily unavailable - http://wiki2.dovecot.org/SocketUnavailable
Feb 1 10:42:50 server1 dovecot: pop3-login: Error: net_connect_unix(pop3) failed: Resource temporarily unavailable - http://wiki2.dovecot.org/SocketUnavailable
Feb 1 10:42:50 server1 dovecot: pop3-login: Error: net_connect_unix(pop3) failed: Resource temporarily unavailable - http://wiki2.dovecot.org/SocketUnavailable
Feb 1 10:42:50 server1 dovecot: pop3-login: Error: net_connect_unix(pop3) failed: Resource temporarily unavailable - http://wiki2.dovecot.org/SocketUnavailable
Feb 1 10:42:50 server1 dovecot: imap-login: Error: net_connect_unix(imap) failed: Resource temporarily unavailable - http://wiki2.dovecot.org/SocketUnavailable
Feb 1 10:42:50 server1 dovecot: pop3-login: Error: net_connect_unix(pop3) failed: Resource temporarily unavailable - http://wiki2.dovecot.org/SocketUnavailable

Sure, I have read the SocketUnavailable wiki page and changed some settings, but the errors are not gone. Could you please look over my Dovecot config and give me some tips or hints on what to change?

The next thing is: when adding IPv6 via DNS to the hosts and logging in with IPv6, I get a proxy loop.
Settings in the nameserver:

server1.domain.com IN A 123.123.123.123
server1.domain.com IN 2001:123::1

The host entry comes from LDAP and says:

mailHost: server1.domain.com

An IMAP login with IPv6 to server1.domain.com tries to proxy from server1.domain.com (IPv6) to server1.domain.com (IPv6) and then loops. I have removed the IPv6 entries in the DNS to stop these loops. Sorry, but I have no logs for this anymore.

Thanks in advance,
Daniel

And here are the system configs and Dovecot configs:

sysctl:

fs.inotify.max_user_instances = 65535
fs.inotify.max_user_watches = 16384

systemd startup with ulimit settings:

[Unit]
Description=Dovecot Mailservice IMAP/POP

[Service]
Type=simple
LimitCORE=0
LimitNPROC=500
LimitNOFILE=65535
LimitSTACK=81920
LimitDATA=infinity
LimitMEMLOCK=infinity
LimitRSS=infinity
LimitAS=infinity
ExecStart=/usr/local/dovecot2/sbin/dovecot -F -c /usr/local/dovecot2/etc/dovecot/dovecot.conf

[Install]
WantedBy=multi-user.target

dovecot-ldap.conf:

uris = ldapi://%2Fvar%2Frun%2Fldapi
dn = cn=xxx,o=domain,c=com
dnpass = x
auth_bind = no
ldap_version = 3
base = o=domain,c=com
user_attrs = mail=user,mailMessageStore=home,\
  mailQuota=quota_rule=*:storage=%$
iterate_filter= (|(mailHost=server1.domain.com)(mailHost=popserver1.domain.com))
user_filter = (&(accountstatus=active)(|(uid=%u)(mail=%u)))
pass_attrs = mail=user,userPassword=password,=proxy_maybe=y,mailHost=host,=destuser=%u[%r]
pass_filter = (&(accountstatus=active)(|(uid=%u)(mail=%u)))

dovecot.conf:

# 2.2.25 (7be1766): /usr/local/dovecot2/etc/dovecot/dovecot.conf
# OS: Linux 3.10.0-327.36.3.el7.x86_64 x86_64 CentOS Linux release 7.2.1511 (Core)
auth_cache_negative_ttl = 1 mins
auth_cache_size = 64 M
auth_cache_ttl = 2 hours
auth_mechanisms = plain login
auth_username_chars =
auth_verbose = yes
base_dir = /var/run/dovecot/
debug_log_path = /dev/null
default_login_user = dovecot
disable_plaintext_auth = no
doveadm_password =  # hidden, use -P to show it
doveadm_port = 12345
first_valid_gid = 1001
first_valid_uid = 1001
info_log_path = /dev/stderr
lda_mailbox_autocreate = yes
lda_original_recipient_header = X-Envelope-To
log_path = /dev/stderr
log_timestamp =
login_log_format_elements = user=[%u] method=%m rip=%r lip=%l %c
mail_gid = 1001
mail_location = mdbox:~:INDEX=%h/INDEX
mail_plugins = "notify replication stats"
mail_uid = 1001
mbox_write_locks = fcntl
namespace {
  inbox = yes
  location =
  prefix = INBOX.
  separator = .
  type = private
}
passdb {
  args = /usr/local/dovecot2/etc/dovecot/dovecot-ldap.conf
  driver = ldap
}
plugin {
  quota = dict:User quota::file:%h/mdbox/dovecot-quota
  quota_warning = storage=85%% quota-warning 85 %u
  stats_refresh = 30 secs
  stats_track_cmds = yes
}
replication_max_conns = 30
sendmail_path = /usr/local/exim/bin/exim
service aggregator {
  fifo_listener replication-notify-fifo {
    mode = 0666
    user = popuser
  }
  unix_listener replication-notify {
    mode = 0666
    user = popuser
  }
}
service anvil {
  client_limit = 6
}
service auth {
  client_limit = 6
  unix_listener
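Two of the things a reader would check first on this setup can be expressed as small calculations. The net_connect_unix() error with "Resource temporarily unavailable" (EAGAIN) means a login process could not hand a successful login to a pop3 or imap process, which happens once more sessions are being accepted than the backend service's process_limit x client_limit can hold; the related auth client_limit has to cover every process that talks to auth, far more than the 6 shown above. The proxy loop question reduces to whether the mailHost from LDAP resolves, over either address family, to an address this server listens on. The block below is an added example, not Dovecot code: the capacity figures are constructed because the posted config is cut off before the pop3/imap services, the auth estimate is a simplified lower bound (doveconf computes the exact figure and warns when client_limit is below it), and the self-check is the test a proxy has to make before forwarding, not a description of how Dovecot implements proxy_maybe.

```python
"""Capacity of a login/backend pair and a both-family self-check for proxying.

Added example; not Dovecot code. Service numbers are constructed; the auth
client_limit figure is a simplified lower bound.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional


@dataclass
class Service:
    name: str
    process_limit: int
    client_limit: int  # 1 for service_count = 1 services such as imap/pop3

    def capacity(self) -> int:
        """Simultaneous connections the service can hold."""
        return self.process_limit * self.client_limit


def saturation_report(login: Service, backend: Service) -> Dict[str, object]:
    """Where sessions run out first for a login process / backend pair.

    Once more logins succeed than the backend accepts, the login process
    cannot connect to the backend's unix socket and logs the EAGAIN error.
    """
    bottleneck = backend if backend.capacity() < login.capacity() else login
    return {
        "login_capacity": login.capacity(),
        "backend_capacity": backend.capacity(),
        "bottleneck": bottleneck.name,
        "sessions_before_errors": min(login.capacity(), backend.capacity()),
    }


def auth_client_limit_floor(services: List[Service]) -> int:
    """Simplified lower bound for service auth { client_limit }: each process of
    every service that authenticates or looks up users keeps a connection to
    auth. doveconf computes the exact value and warns when the setting is lower."""
    return sum(s.process_limit for s in services)


def resolves_to_self(dest_addresses: List[str], local_addresses: List[str]) -> bool:
    """True when any record of the destination is an address we listen on."""
    dest = {ip_address(a) for a in dest_addresses}
    local = {ip_address(a) for a in local_addresses}
    return bool(dest & local)


def proxy_target(mail_host: str, dns: Dict[str, List[str]], local_addresses: List[str],
                 client_ip: str) -> Optional[str]:
    """Address to proxy to, or None when the userdb's mailHost is this server.

    Every A and AAAA record is compared, not only the one matching the client's
    family; that is what keeps an IPv6 login from being proxied back to itself.
    """
    records = dns[mail_host]
    if resolves_to_self(records, local_addresses):
        return None
    family = ip_address(client_ip).version
    for addr in records:
        if ip_address(addr).version == family:
            return addr
    return records[0]


# Constructed figures; the thread's config ends before service pop3/imap.
POP3_LOGIN = Service("pop3-login", process_limit=100, client_limit=1000)
POP3 = Service("pop3", process_limit=500, client_limit=1)
DNS = {
    "server1.domain.com": ["123.123.123.123", "2001:123::1"],
    "server2.domain.com": ["123.123.123.124", "2001:123::2"],
}
LOCAL = ["123.123.123.123", "2001:123::1"]  # addresses server1 listens on

if __name__ == "__main__":
    print(saturation_report(POP3_LOGIN, POP3))
    print("auth client_limit should be at least", auth_client_limit_floor([POP3_LOGIN, POP3]))
    print(proxy_target("server1.domain.com", DNS, LOCAL, "2001:db8::10"))  # None: it is us
    print(proxy_target("server2.domain.com", DNS, LOCAL, "2001:db8::10"))  # 2001:123::2
```

On a live server the figures to plug in are `doveconf service/pop3/process_limit service/pop3/client_limit` and the same for imap and the login services, and `doveadm stats dump` or `doveadm who` for the concurrent session count; `doveconf -n` itself prints the auth and anvil client_limit warnings when the configured values are too low.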
SNI with mixed certs
Dovecot SNI is failing hard today.

Server with n domains, each with a StartSSL certificate of its own; all certificates expired this morning. Decision: move to Let's Encrypt. First certificate issued and installed. Other domains in the pipeline. Dovecot server rebooted.

Expected result: one domain returning the new cert, and the n-1 domains returning the expiration notification.

Actual result: the domain with LE is returning StartSSL expired notifications. Manual check of the key and pem files is OK...
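The observed behaviour (new files on disk, old certificate on the wire for that domain) is what you get whenever the SNI name the client sends is not matched by a local_name block, or the client sends no SNI at all: Dovecot then serves the global ssl_cert, which here is one of the expired StartSSL certificates. The added example below, which is not Dovecot code, does two things. select_cert() models that selection so the effect of an exact, wildcard or missing local_name entry can be seen offline (wildcard matching is assumed to behave like a shell glob); probe() opens a real TLS connection with Python's ssl module, once with SNI and once without, and reports either the served certificate's expiry or the verification error, which is the quickest way to tell a configuration mismatch from a stale file. The configuration is constructed; probe() needs network access and is not part of the self-check.

```python
"""Which certificate an SNI configuration hands out, and what a server really serves.

Added example for the post above; not Dovecot code. The configuration is
constructed and wildcard local_name matching is assumed to be glob-like.
"""
import fnmatch
import socket
import ssl
from typing import Dict, Optional

CONSTRUCTED_CONFIG: Dict[str, object] = {
    "ssl_cert": "/etc/ssl/startssl/default.pem",  # global cert: no SNI or no match
    "local_name": {
        "mail.example.org": "/etc/letsencrypt/live/mail.example.org/fullchain.pem",
        "*.example.net": "/etc/ssl/startssl/wildcard-example-net.pem",
    },
}


def select_cert(config: Dict[str, object], sni_name: Optional[str]) -> str:
    """Path of the certificate presented for sni_name (None = client sent no SNI)."""
    blocks: Dict[str, str] = config.get("local_name", {})  # type: ignore[assignment]
    if sni_name:
        name = sni_name.lower().rstrip(".")
        if name in blocks:
            return blocks[name]
        for pattern, cert in blocks.items():
            if "*" in pattern and fnmatch.fnmatchcase(name, pattern.lower()):
                return cert
    return str(config["ssl_cert"])


def probe(host: str, port: int = 993, server_name: Optional[str] = None,
          timeout: float = 10.0) -> Dict[str, object]:
    """Connect with SNI (server_name) or without it (None) and report the result.

    Chain and expiry are verified against the system trust store (hostname too
    when SNI is sent), so an expired certificate shows up as the verification
    error instead of as a subject line. Port 993 is implicit TLS IMAP.
    """
    ctx = ssl.create_default_context()
    if server_name is None:
        ctx.check_hostname = False  # nothing to match; CERT_REQUIRED stays on
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
                cert = tls.getpeercert()
                subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
                return {"ok": True, "sni": server_name, "subject": subject,
                        "not_after": cert.get("notAfter")}
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "sni": server_name, "error": exc.verify_message or str(exc)}


if __name__ == "__main__":
    for name in ("mail.example.org", "imap.example.net", "mail.example.com", None):
        print(name, "->", select_cert(CONSTRUCTED_CONFIG, name))
    # Live comparison against one server (network required):
    # print(probe("mail.example.org", server_name="mail.example.org"))
    # print(probe("mail.example.org", server_name=None))
```

If the SNI probe returns "certificate has expired" while the files on disk are fresh, the name the client sends is not the one in the local_name block (a bare domain versus the mail host name is the usual mismatch); if the no-SNI probe returns the old certificate, that is the global ssl_cert doing its job and the global entry is the one to replace first, since every client without SNI support lands there.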
Doveadm option for a non-wildcard single-user with userdb
Hello,

Most "doveadm" commands accept "[-A|-u user|-F file]" for user selection, or the environment variable "USER". I'm testing with "doveadm quota recalc".

The problem is that there is no way to ask "doveadm" to work in (1) single-user mode with (2) no wildcard support, and at the same time (3) make a lookup in "userdb" in order to get the user's specific configuration. We have mailboxes which contain "?" and "*" symbols, and we can't work with them using "doveadm" now.

* If we use "-A", this works with all users. Not our case at all.
* If we use "-F" and provide just one user in the file, this works for a single user + lookup in "userdb" and does not interpret wildcards, but "doveadm" works in a "users list" mode and the output is different. What's more problematic is that errors for an mbox do not end up in "doveadm" exiting with a non-zero exit code.
* If we use "-u", this works for a single user + lookup in "userdb", but interprets wildcards. Does not work for mailboxes which contain "?" and "*".
* If we use the USER environment variable, this works for a single user and does not interpret wildcards, but does not do a lookup in "userdb".

Should we add another user-selection argument, for example "-U", which (1) selects a single user like "-u" and does a "userdb" lookup like "-u" does, but does not interpret wildcards, unlike "-u"?

Best regards.
--Ivan