postfix/smtpd[725]: fatal: no SASL authentication mechanisms

2017-02-02 Thread Poliman - Serwis
I don't have doveadm logs in /var/log/. Are they in another place by default, or
maybe should I turn on something?
My config (default passdb block and auth_mechanisms, nothing more changed):
root@vps342401:/etc/dovecot# doveconf -n
# 2.2.9: /etc/dovecot/dovecot.conf
# OS: Linux 3.13.0-100-generic x86_64 Ubuntu 14.04.5 LTS
auth_mechanisms = plain login
listen = *,[::]
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_max_userip_connections = 100
mail_plugins = " quota"
mail_privileged_group = vmail
passdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}
plugin {
  quota = dict:user::file:/var/vmail/%d/%n/.quotausage
  sieve = /var/vmail/%d/%n/.sieve
  sieve_max_redirects = 25
}
postmaster_address = postmas...@vps342401.ovh.net
protocols = imap pop3
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0600
    user = vmail
  }
  user = root
}
service imap-login {
  client_limit = 1000
  process_limit = 512
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
ssl = required
ssl_cert = [value and the remaining doveconf lines lost in extraction]
Feb  1 09:53:01 vps342401 CRON[778]: (root) CMD
(/usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo
`/bin/date` "$line" >> /var/log/ispconfig/cron.log; done  )


Is there anything strange in these config lines?

-- 

Pozdrawiam / Best Regards
Piotr Bracha
tel. 534 555 877
ser...@poliman.pl


Dovecot, Postfix, and SASL AUTH EXTERNAL

2017-02-02 Thread Matt Horan
Hey folks,

I've been using the ever popular Dovecot and Postfix combo for years. A
while back I also introduced mutual TLS for mail clients to Dovecot and
Postfix. I achieved this by a custom checkpassword script and SASL AUTH
EXTERNAL for IMAP.

This all worked great with clients like Thunderbird, which can be
configured to use mutual TLS and SASL EXTERNAL for IMAP, and mutual TLS
with no additional authentication for SMTP. However, I found that other
mail clients, in particular K-9 mail on Android, [1] are not compatible
with this configuration.

I've been patching K-9 mail to work around this issue for some time now.
If I configure K-9 to behave like Thunderbird when sending messages via
SMTP, all is well. However, there's been some activity on an issue [2]
which suggests some changes may be upcoming which will be incompatible
with my patch.

Without my patch, K-9 tries to auth with Postfix via AUTH EXTERNAL after
presenting its client certificate. Despite configuring Postfix to prefer
certificates before SASL, Postfix forwards the authentication request to
Dovecot, which rejects it without even trying my checkpassword script.

With my patch, K-9 simply initiates an SMTP connection without any
additional authentication when mutual TLS is used. This behavior is
similar to Thunderbird. The K-9 maintainers do not seem interested in
merging this behavior into mainline.

I can't seem to get Postfix to ignore the SASL failures in the case of
successful mutual TLS. I want to use SASL authentication as a fallback
from untrusted clients, where I use a combination of password and one
time code.

Even if Dovecot did not reject the AUTH EXTERNAL request from Postfix,
I'm not sure how it could determine whether a valid client certificate
were presented to Postfix, unless some additional information were
passed along in the SASL request.

I'd love to hear any thoughts from the community on how to move forward
here. Should I pressure the K-9 maintainers to behave more like other
clients? Would it make sense to extend the SASL interface in some way
such that Dovecot could handle an EXTERNAL request from Postfix? Or
should Postfix simply ignore SASL EXTERNAL based on the configured
authentication mechanism order?

Thanks,
Matt

[1] https://github.com/k9mail/k-9/
[2] https://github.com/k9mail/k-9/issues/793

-- 
Matt Horan m...@matthoran.com http://matthoran.com/


Compiling Dovecot on Solaris 10

2017-02-02 Thread Mantas Gegužis

Hello,

I am trying to compile Dovecot 2.2.27 on Solaris 10, and I get this error:
test-ioloop.c: In function `test_ioloop_pending_io':
test-ioloop.c:188: error: size of array `type name' is negative

My configuration is like this:
Install prefix . : /usr/local
File offsets ... : 64bit
I/O polling  : poll
I/O notifys  : none
SSL  : yes (OpenSSL)
GSSAPI . : no
passdbs  : static passwd passwd-file shadow pam checkpassword
dcrypt ..: yes
 : -bsdauth -sia -ldap -sql -vpopmail
userdbs  : static prefetch passwd passwd-file checkpassword
 : -ldap -sql -vpopmail -nss
SQL drivers  :
 : -pgsql -mysql -sqlite -cassandra
Full text search : squat
 : -lucene -solr

The last version that I compiled was 2.2.24; version 2.2.25 failed
with this error:

In file included from guid.c:6:
sha1.h:80: error: static or type qualifiers in abstract declarator

Is there anyone who can help me?

--
Regards,
Mantas Gegužis
VU Informacinių technologijų taikymo centras
tel. 8 5 236 6208


Re: Moving to new password scheme

2017-02-02 Thread @lbutlr
On Jan 25, 2017, at 4:57 AM, Steffen Kaiser wrote:
> yes, userdb's are checked in the same order as they appear in the config 
> file(s).

Thanks for all the help, got everyone migrated over to SHA256-CRYPT now.


-- 
Apple broke AppleScripting signatures in Mail.app, so no random signatures.


Re: quota-status returns quota_status_success when email would put user over quota

2017-02-02 Thread Kristian Pedersen

Hi Christian,

On 2017-01-31 23:20, Christian Kivalo wrote:

>> dovecot -n:
>> # 2.2.13: /etc/dovecot/dovecot.conf
>> # OS: Linux 3.16.0-4-amd64 x86_64 Debian 8.6 ext4
>> auth_default_realm = vejen-net.dk
>> auth_mechanisms = plain login
>> auth_verbose = yes
>> disable_plaintext_auth = no
>> first_valid_uid = 110
>> log_timestamp = "%Y-%m-%d %H:%M:%S "
>> mail_debug = yes
>> mail_location = maildir:/data/vmail/%d/%n/
>
> The one line I'm missing here from your doveconf -n output is mail_plugins = " quota" set in conf.d/10-mail.conf
>
> Have you added quota to the global mail plugins setting?
> http://wiki2.dovecot.org/Quota


That did it, now it seems to work!

I thought the global mail_plugins was only a variable, not a config
option. But it seems it must be set.


So this works:

mail_plugins = $mail_plugins quota
protocol imap {
  mail_plugins = $mail_plugins imap_quota
}
protocol pop3 {
  mail_plugins = $mail_plugins
}

But this does not:
protocol imap {
  mail_plugins = quota imap_quota
}
protocol pop3 {
  mail_plugins = quota
}

Thank you very much for helping me along.
Also thanks to Aki Tuomi who pointed out the same issue.

Regards,

--
Kristian Pedersen
ASOM-Net
Systemadministrator
www.asom-net.dk
Telefon: 44 400 970
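The difference between the two fragments above comes down to how `$mail_plugins` is expanded and which processes a `protocol` block applies to. The following is an added illustration written for this digest, not Dovecot code: it models the setting's semantics (global assignments first, then the protocol block's own, with `$mail_plugins` meaning "the value so far") and computes what a process ends up with. Treating the quota-status service as a process outside every `protocol` block is an assumption made here to explain why only the first form fixed it.

```python
import re

# Constructed configuration fragments, copied from the two forms shown in the
# thread: the global-plus-protocol form that works and the protocol-only form
# that does not.
WORKING_CONF = """
mail_plugins = $mail_plugins quota
protocol imap {
  mail_plugins = $mail_plugins imap_quota
}
protocol pop3 {
  mail_plugins = $mail_plugins
}
"""

BROKEN_CONF = """
protocol imap {
  mail_plugins = quota imap_quota
}
protocol pop3 {
  mail_plugins = quota
}
"""


def parse_mail_plugins(conf):
    """Collect raw mail_plugins assignments per scope, in file order.

    Scope "" is the global level; any other key is a `protocol NAME { }` block.
    Only the syntax forms used in the thread are recognised: this is a model
    of the setting's semantics, not a Dovecot config parser.
    """
    scopes = {}
    current = ""
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        block = re.match(r"protocol\s+(\w+)\s*\{$", line)
        if block:
            current = block.group(1)
            continue
        if line == "}":
            current = ""
            continue
        setting = re.match(r"mail_plugins\s*=\s*(.*)$", line)
        if setting:
            # doveconf prints values such as `" quota"`; drop the quotes here
            scopes.setdefault(current, []).append(setting.group(1).strip().strip('"'))
    return scopes


def expand(value, previous):
    """`$mail_plugins` refers to the value the setting had before this line."""
    return " ".join(value.replace("$mail_plugins", previous).split())


def effective_mail_plugins(conf, protocol=None):
    """Plugins a process ends up with.

    protocol=None models a process running outside every `protocol` block
    (assumed here to include the quota-status service); "imap" and "pop3"
    model the corresponding post-login processes. Global assignments apply
    first, then the protocol block's own, each able to reuse the previous
    value through `$mail_plugins`.
    """
    scopes = parse_mail_plugins(conf)
    value = ""
    for raw in scopes.get("", []):
        value = expand(raw, value)
    if protocol is not None:
        for raw in scopes.get(protocol, []):
            value = expand(raw, value)
    return value.split()


if __name__ == "__main__":
    for label, conf in (("working", WORKING_CONF), ("broken", BROKEN_CONF)):
        for proto in (None, "imap", "pop3"):
            print(label, proto or "(no protocol block)", effective_mail_plugins(conf, proto))
```

With the first form every process, including one outside the protocol blocks, gets `quota`; with the second form only imap and pop3 processes do, and a process that has no protocol block to consult sees an empty plugin list.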


Dovecot performance and proxy loops with IPv6

2017-02-02 Thread Daniel Betz
Hello list,

I run a large mail setup here with some million mailboxes and have strange
performance problems, because I think I have overlooked or forgotten a simple
setting.

Here are some details:

21 CentOS 7 servers with Dovecot 2.2.25 and LDAP userdb/passdb via socket
behind a hardware load balancer.
The storage behind is an iSCSI storage with 4 10Gbit/s multipath paths,
split up into 10 TB volumes for each server with LVM and the xfs filesystem. No
cluster FS.
Each server has about 60,000 to 75,000 mailboxes on it. Mailboxes can have up
to 10 GByte of space.

The log says this sometimes, completely at random:
Feb  1 10:42:49 server1 dovecot: pop3-login: Error: net_connect_unix(pop3) 
failed: Resource temporarily unavailable - 
http://wiki2.dovecot.org/SocketUnavailable
Feb  1 10:42:50 server1 dovecot: pop3-login: Error: net_connect_unix(pop3) 
failed: Resource temporarily unavailable - 
http://wiki2.dovecot.org/SocketUnavailable
Feb  1 10:42:50 server1 dovecot: pop3-login: Error: net_connect_unix(pop3) 
failed: Resource temporarily unavailable - 
http://wiki2.dovecot.org/SocketUnavailable
Feb  1 10:42:50 server1  dovecot: pop3-login: Error: net_connect_unix(pop3) 
failed: Resource temporarily unavailable - 
http://wiki2.dovecot.org/SocketUnavailable
Feb  1 10:42:50 server1 dovecot: imap-login: Error: net_connect_unix(imap) 
failed: Resource temporarily unavailable - 
http://wiki2.dovecot.org/SocketUnavailable
Feb  1 10:42:50 server1 dovecot: pop3-login: Error: net_connect_unix(pop3) 
failed: Resource temporarily unavailable - 
http://wiki2.dovecot.org/SocketUnavailable

Sure, I have read the SocketUnavailable wiki page and changed some settings, but
the errors are not gone.
Could you please look over my Dovecot config and give me some tips or hints
on what to change?

The next thing is: when I add IPv6 via DNS to the hosts and log in with IPv6, I
get a proxy loop.

Settings in the nameserver:
server1.domain.com IN A 123.123.123.123
server1.domain.com IN AAAA 2001:123::1

The host entry comes from the ldap and says: mailHost: server1.domain.com

An IMAP login with IPv6 to server1.domain.com tries to proxy from
server1.domain.com (IPv6) to server1.domain.com (IPv6) and then loops.
I have removed the IPv6 entries from the DNS to stop these loops.
Sorry, but I have no logs for this anymore.

Thanks in advance,
Daniel


And here system configs and dovecot configs:

sysctl:

fs.inotify.max_user_instances = 65535
fs.inotify.max_user_watches = 16384

systemd startup with ulimit settings:

[Unit]
Description=Dovecot Mailservice IMAP/POP

[Service]
Type=simple
LimitCORE=0
LimitNPROC=500
LimitNOFILE=65535
LimitSTACK=81920
LimitDATA=infinity
LimitMEMLOCK=infinity
LimitRSS=infinity
LimitAS=infinity

ExecStart=/usr/local/dovecot2/sbin/dovecot -F -c 
/usr/local/dovecot2/etc/dovecot/dovecot.conf

[Install]
WantedBy=multi-user.target



dovecot-ldap.conf:

uris = ldapi://%2Fvar%2Frun%2Fldapi
dn = cn=xxx,o=domain,c=com
dnpass = x
auth_bind = no
ldap_version = 3
base = o=domain,c=com 
user_attrs = mail=user,mailMessageStore=home,\
mailQuota=quota_rule=*:storage=%$
iterate_filter= (|(mailHost=server1.domain.com)(mailHost=popserver1.domain.com))
user_filter = (&(accountstatus=active)(|(uid=%u)(mail=%u)))
pass_attrs = 
mail=user,userPassword=password,=proxy_maybe=y,mailHost=host,=destuser=%u[%r]
pass_filter = (&(accountstatus=active)(|(uid=%u)(mail=%u)))

dovecot.conf:

# 2.2.25 (7be1766): /usr/local/dovecot2/etc/dovecot/dovecot.conf
# OS: Linux 3.10.0-327.36.3.el7.x86_64 x86_64 CentOS Linux release 7.2.1511 
(Core)
auth_cache_negative_ttl = 1 mins
auth_cache_size = 64 M
auth_cache_ttl = 2 hours
auth_mechanisms = plain login
auth_username_chars =
auth_verbose = yes
base_dir = /var/run/dovecot/
debug_log_path = /dev/null
default_login_user = dovecot
disable_plaintext_auth = no
doveadm_password =  # hidden, use -P to show it
doveadm_port = 12345
first_valid_gid = 1001
first_valid_uid = 1001
info_log_path = /dev/stderr
lda_mailbox_autocreate = yes
lda_original_recipient_header = X-Envelope-To
log_path = /dev/stderr
log_timestamp =
login_log_format_elements = user=[%u] method=%m rip=%r lip=%l %c
mail_gid = 1001
mail_location = mdbox:~:INDEX=%h/INDEX
mail_plugins = "notify replication stats"
mail_uid = 1001
mbox_write_locks = fcntl
namespace {
  inbox = yes
  location =
  prefix = INBOX.
  separator = .
  type = private
}
passdb {
  args = /usr/local/dovecot2/etc/dovecot/dovecot-ldap.conf
  driver = ldap
}
plugin {
  quota = dict:User quota::file:%h/mdbox/dovecot-quota
  quota_warning = storage=85%% quota-warning 85 %u
  stats_refresh = 30 secs
  stats_track_cmds = yes
}
replication_max_conns = 30
sendmail_path = /usr/local/exim/bin/exim
service aggregator {
  fifo_listener replication-notify-fifo {
    mode = 0666
    user = popuser
  }
  unix_listener replication-notify {
    mode = 0666
    user = popuser
  }
}
service anvil {
  client_limit = 6
}
service auth {
  client_limit = 6
  unix_listener 
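The net_connect_unix errors quoted above are more useful as a time series than as isolated lines: a saturated post-login listener shows up as a burst of failures for one service within a minute. The following is an added example for this digest, not part of Daniel's setup or Dovecot's tooling: it parses log lines of the quoted shape, counts errors per host, service and minute, and reports the bursts. The sample log is constructed from the quoted lines plus one unrelated login line; the threshold of three errors per minute is an arbitrary starting value.

```python
import re
from collections import Counter

# Shape of the lines quoted in the post: syslog timestamp without a year,
# host, then Dovecot's login-process error. The `\s+` before `dovecot:`
# absorbs the doubled space seen in one of the quoted lines.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+)\s+dovecot: "
    r"(?P<login>[a-z0-9]+-login): Error: net_connect_unix\((?P<service>[^)]+)\) "
    r"failed: (?P<reason>.+?) - (?P<url>\S+)$"
)

# Constructed sample, modelled on the lines quoted in the post plus one
# unrelated login line that the parser must ignore.
SAMPLE_LOG = """\
Feb  1 10:42:49 server1 dovecot: pop3-login: Error: net_connect_unix(pop3) failed: Resource temporarily unavailable - http://wiki2.dovecot.org/SocketUnavailable
Feb  1 10:42:50 server1 dovecot: pop3-login: Error: net_connect_unix(pop3) failed: Resource temporarily unavailable - http://wiki2.dovecot.org/SocketUnavailable
Feb  1 10:42:50 server1 dovecot: pop3-login: Error: net_connect_unix(pop3) failed: Resource temporarily unavailable - http://wiki2.dovecot.org/SocketUnavailable
Feb  1 10:42:50 server1  dovecot: pop3-login: Error: net_connect_unix(pop3) failed: Resource temporarily unavailable - http://wiki2.dovecot.org/SocketUnavailable
Feb  1 10:42:50 server1 dovecot: imap-login: Error: net_connect_unix(imap) failed: Resource temporarily unavailable - http://wiki2.dovecot.org/SocketUnavailable
Feb  1 10:42:50 server1 dovecot: pop3-login: Error: net_connect_unix(pop3) failed: Resource temporarily unavailable - http://wiki2.dovecot.org/SocketUnavailable
Feb  1 10:43:10 server1 dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1
"""


def parse_socket_errors(log_text):
    """Return one dict per net_connect_unix error line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def errors_per_minute(events):
    """Count errors per (host, post-login service, minute).

    A minute is the unit at which a full listener backlog shows up as a
    burst rather than as scattered noise.
    """
    counts = Counter()
    for ev in events:
        minute = ev["ts"].rsplit(":", 1)[0]  # drop the seconds field
        counts[(ev["host"], ev["service"], minute)] += 1
    return counts


def find_bursts(counts, threshold):
    """Keys whose count reaches `threshold`, busiest first."""
    ranked = sorted(counts.items(), key=lambda kv: -kv[1])
    return [key for key, n in ranked if n >= threshold]


def summarize(log_text, threshold=3):
    """Totals per service plus the (host, service, minute) bursts worth chasing."""
    events = parse_socket_errors(log_text)
    return {
        "total": len(events),
        "per_service": dict(Counter(ev["service"] for ev in events)),
        "bursts": find_bursts(errors_per_minute(events), threshold),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run against a real log (for example `journalctl -u dovecot` output piped into `summarize`) the burst list tells you which post-login service is short of capacity and when, which is what needs to be compared against that service's process and client limits when working through the SocketUnavailable wiki page linked in the log.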

SNI with mixed certs

2017-02-02 Thread Ruga
Dovecot SNI is failing hard today. Server with n domains, each with a startssl 
certificate of its own, all certificates expired this morning. Decision: move 
to Letsencrypt. First certificate issued and installed. Other domains in the 
pipeline. Dovecot server rebooted. Expected result: one domain returning the 
new cert, and the n-1 domains returning the expiration notification. Actual 
result: the domain with LE is returning startssl expired notifications. Manual 
check of the key and pem files is OK...

Doveadm option for a non-wildcard single-user with userdb

2017-02-02 Thread Ivan Zahariev

Hello,

Most "doveadm" commands accept "[-A|-u user|-F file]" for user 
selection, or the environment "USER". I'm testing with "doveadm quota 
recalc".


The problem is that there is no way to ask "doveadm" to work in (1) 
single-user mode with (2) no wildcard support, and at the same time to 
(3) make a lookup in "userdb", in order to get the user's specific 
configuration. We have mailboxes which contain "?" and "*" symbols, and 
we can't work with them using "doveadm" now.


* If we use "-A", this works with all users. Not our case at all.
* If we use "-F" and provide just one user in the file, this works for a 
single user + lookup in "userdb", does not interpret wildcard, but 
"doveadm" works in a "users list" mode and the output is different. 
What's more problematic is that errors for an mbox do not end up in 
"doveadm" exiting with a non-zero exit code.
* If we use "-u", this works for a single user + lookup in "userdb", but 
interprets wildcards. Does not work for mailboxes which contain "?" and "*".
* If we use the USER environment, this works for a single user and does 
not interpret wildcards, but does not do a lookup in "userdb".


Should we add another user-selection argument, for example "-U", which 
(1) selects a single user like "-u", does a "userdb" lookup like "-u" 
does, but does not interpret wildcards, unlike "-u"?


Best regards.
--Ivan