Re: Permission denied when logrotating dovecot.log

2017-03-18 Thread Richard


> Date: Sunday, March 19, 2017 15:28:35 +1300
> From: Michael Heuberger 
>
> On 19/03/17 15:12, Richard wrote:
>> 
>>> Date: Sunday, March 19, 2017 14:56:01 +1300
>>> From: Michael Heuberger 
>>> 
>>> On 19/03/17 13:43, Richard wrote:
>>>>> Date: Sunday, March 19, 2017 13:32:57 +1300
>>>>> From: Michael Heuberger 
>>>>> 
>>>>> Hello guys
>>>>> 
>>>>> Having headaches here how to make logrotation for dovecot log
>>>>> files work. Having permission issues:
>>>>> 
>>>>> michael.heuberger@xxx /e/l/daily ❯❯❯ sudo logrotate -fv
>>>>> dovecot.daily
>>>>>  ⏎
>>>>> reading config file dovecot.daily
>>>>> 
>>>>> Handling 1 logs
>>>>> 
>>>>> rotating pattern: /var/log/dovecot*.log  forced from command
>>>>> line (10 rotations)
>>>>> empty log files are rotated, old logs are removed
>>>>> considering log /var/log/dovecot.log
>>>>> error: skipping "/var/log/dovecot.log" because parent directory
>>>>> has insecure permissions (It's world writable or writable by
>>>>> group which is not "root") Set "su" directive in config file to
>>>>> tell logrotate which user/group should be used for rotation.
>>>>> 
>>>>> This is my current logrotation conf for dovecot:
>>>>> 
>>>>> /var/log/dovecot*.log {
>>>>> rotate 10
>>>>> missingok
>>>>> sharedscripts
>>>>> postrotate
>>>>> doveadm log reopen
>>>>> endscript
>>>>> }
>>>>> 
>>>>> And the /var/log folder has these permissions:
>>>>> 
>>>>> drwxrwxr-x 12 root syslog   4.0K Mar 19 12:43 log
>>>>> 
>>>>> Any clues what's wrong?
>>>> As the message says:
>>>> 
>>>>   > because parent directory has insecure permissions
>>>>   > (It's world writable or writable by group which
>>>>   > is not "root") 
>>>> 
>>>>   > drwxrwxr-x 12 root syslog   4.0K Mar 19 12:43 log
>>>> 
>>>> On my RHEL derived systems, /var/log is root.root (and even then,
>>>> is not writable by group).
>>> Thank you. And what user/group/file perms does your dovecot.log
>>> file have?
>>> 
>>> - Michael
>>> 
>>> 
>> I log dovecot via syslog to [/var/log/]maillog, rather than its own
>> log file. That file is owned root.root and has permissions of 600.

> Well, I tried the same but it didn't work.
> 
> Setting my dovecot.log to 600 with root:root is breaking my mail
> system. I am then unable to receive and open emails.
> 
> Had to apply an ugly hack
> 
> /var/log/dovecot*.log {
> su syslog syslog
> create 666 syslog syslog
> rotate 10
> ...
> }
> 
> Like that anyone who wants to access/write to it, can do it and all
> works.
> 
> That's my problem. Do not know who/what/how to set this up
> correctly.
> 
> - Michael
> 

I would be inclined to just log dovecot to the syslog mail facility,
which I believe is the default (in 10-logging.conf) -- in the RHEL
setup anyway, and what I do:

   log_path = syslog

   syslog_facility = mail
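
The two things this exchange turns on, logrotate's parent-directory rule and the `create 666` workaround, reproduced as an added shell example that is not part of the thread: `dir_mode_insecure` applies the rule from the error message (world-writable, or group-writable by a group other than root) to a mode and group, `check_log_dir` runs it against a real directory, and `flag_world_writable_create` scans a stanza for a `create` mode that lets everyone write. It assumes GNU `stat -c` (Linux) and uses constructed sample stanzas; the `adm` group in the tightened sample is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce logrotate's parent-directory
# rule and audit a logrotate stanza for the "create 666" workaround.
# Assumes GNU coreutils `stat -c` (Linux); function names are this example's own.

# Return 0 (true) when logrotate would refuse a log directory: it is
# world-writable, or group-writable by a group other than root.
# $1: octal permission string as printed by `stat -c %a` (e.g. 775, 2775)
# $2: owning group name as printed by `stat -c %G`
dir_mode_insecure() {
    mode=$1
    group=$2
    # Keep only the last three octal digits (drop setuid/setgid/sticky).
    while [ "${#mode}" -gt 3 ]; do mode=${mode#?}; done
    while [ "${#mode}" -lt 3 ]; do mode=0$mode; done
    grp=${mode%?}; grp=${grp#?}    # middle digit: group bits
    oth=${mode#??}                 # last digit: other bits
    # In each octal digit the value 2 is the write bit.
    if [ $((oth & 2)) -ne 0 ]; then
        return 0                   # world-writable: always refused
    fi
    if [ $((grp & 2)) -ne 0 ] && [ "$group" != root ]; then
        return 0                   # group-writable by a non-root group
    fi
    return 1
}

# Check a real directory; prints a verdict and returns 1 when insecure.
check_log_dir() {
    dir=$1
    set -- $(stat -c '%a %G' "$dir" 2>/dev/null)
    if [ $# -ne 2 ]; then
        printf 'cannot stat %s\n' "$dir" >&2
        return 2
    fi
    if dir_mode_insecure "$1" "$2"; then
        printf 'INSECURE %s (mode %s, group %s): logrotate needs "su" or tighter perms\n' "$dir" "$1" "$2"
        return 1
    fi
    printf 'OK %s (mode %s, group %s)\n' "$dir" "$1" "$2"
    return 0
}

# Read a logrotate config on stdin and report "create MODE ..." directives
# whose mode grants write to everyone. Returns 0 if any were found.
flag_world_writable_create() {
    found=1
    while read -r kw mode rest; do
        [ "$kw" = create ] || continue
        case $mode in ''|*[!0-7]*) continue ;; esac   # bare "create" or non-octal
        oth=${mode#"${mode%?}"}                        # last octal digit
        if [ $((oth & 2)) -ne 0 ]; then
            printf 'world-writable create: %s %s %s\n' "$kw" "$mode" "$rest"
            found=0
        fi
    done
    return $found
}

# Constructed sample: the stanza from the thread that made rotation "work".
SAMPLE_HACK='/var/log/dovecot*.log {
    su syslog syslog
    create 666 syslog syslog
    rotate 10
}'

# Constructed sample: same stanza with a mode readable only by owner and group
# (the "adm" group is a placeholder, not a value from the thread).
SAMPLE_TIGHT='/var/log/dovecot*.log {
    su syslog syslog
    create 0640 syslog adm
    rotate 10
}'

# Demo when run directly (statuses are informational here).
printf '%s\n' "$SAMPLE_HACK" | flag_world_writable_create || :
printf '%s\n' "$SAMPLE_TIGHT" | flag_world_writable_create || :
check_log_dir /var/log || :
```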


Re: Permission denied when logrotating dovecot.log

2017-03-18 Thread Michael Heuberger
Well, I tried the same but it didn't work.

Setting my dovecot.log to 600 with root:root is breaking my mail system.
I am then unable to receive and open emails.

Had to apply an ugly hack:

/var/log/dovecot*.log {
su syslog syslog
create 666 syslog syslog
rotate 10
...
}

Like that, anyone who wants to access/write to it can do so, and everything works.

That's my problem. I don't know who/what/how to set this up correctly.

- Michael

On 19/03/17 15:12, Richard wrote:
>
>> Date: Sunday, March 19, 2017 14:56:01 +1300
>> From: Michael Heuberger 
>>
>> On 19/03/17 13:43, Richard wrote:
>>>> Date: Sunday, March 19, 2017 13:32:57 +1300
>>>> From: Michael Heuberger 
>>>> 
>>>> Hello guys
>>>> 
>>>> Having headaches here how to make logrotation for dovecot log
>>>> files work. Having permission issues:
>>>> 
>>>> michael.heuberger@xxx /e/l/daily ❯❯❯ sudo logrotate -fv
>>>> dovecot.daily
>>>>  ⏎
>>>> reading config file dovecot.daily
>>>> 
>>>> Handling 1 logs
>>>> 
>>>> rotating pattern: /var/log/dovecot*.log  forced from command line
>>>> (10 rotations)
>>>> empty log files are rotated, old logs are removed
>>>> considering log /var/log/dovecot.log
>>>> error: skipping "/var/log/dovecot.log" because parent directory
>>>> has insecure permissions (It's world writable or writable by group
>>>> which is not "root") Set "su" directive in config file to tell
>>>> logrotate which user/group should be used for rotation.
>>>> 
>>>> This is my current logrotation conf for dovecot:
>>>> 
>>>> /var/log/dovecot*.log {
>>>> rotate 10
>>>> missingok
>>>> sharedscripts
>>>> postrotate
>>>> doveadm log reopen
>>>> endscript
>>>> }
>>>> 
>>>> And the /var/log folder has these permissions:
>>>> 
>>>> drwxrwxr-x 12 root syslog   4.0K Mar 19 12:43 log
>>>> 
>>>> Any clues what's wrong?
>>> As the message says:
>>>
>>>   > because parent directory has insecure permissions
>>>   > (It's world writable or writable by group which
>>>   > is not "root") 
>>>
>>>   > drwxrwxr-x 12 root syslog   4.0K Mar 19 12:43 log
>>>
>>> On my RHEL derived systems, /var/log is root.root (and even then,
>>> is not writable by group).
>> Thank you. And what user/group/file perms does your dovecot.log
>> file have?
>>
>> - Michael
>>
>>
> I log dovecot via syslog to [/var/log/]maillog, rather than its own
> log file. That file is owned root.root and has permissions of 600.

-- 

Binary Kitchen
Michael Heuberger
1/33 Parrish Road
Sandringham
Auckland 1025
(New Zealand)

Mobile (text only) ...  +64 21 261 89 81
Email   mich...@binarykitchen.com
Website ..  http://www.binarykitchen.com


Re: Permission denied when logrotating dovecot.log

2017-03-18 Thread Richard


> Date: Sunday, March 19, 2017 14:56:01 +1300
> From: Michael Heuberger 
>
> On 19/03/17 13:43, Richard wrote:
>> 
>>> Date: Sunday, March 19, 2017 13:32:57 +1300
>>> From: Michael Heuberger 
>>> 
>>> Hello guys
>>> 
>>> Having headaches here how to make logrotation for dovecot log
>>> files work. Having permission issues:
>>> 
>>> michael.heuberger@xxx /e/l/daily ❯❯❯ sudo logrotate -fv
>>> dovecot.daily
>>>  ⏎
>>> reading config file dovecot.daily
>>> 
>>> Handling 1 logs
>>> 
>>> rotating pattern: /var/log/dovecot*.log  forced from command line
>>> (10 rotations)
>>> empty log files are rotated, old logs are removed
>>> considering log /var/log/dovecot.log
>>> error: skipping "/var/log/dovecot.log" because parent directory
>>> has insecure permissions (It's world writable or writable by group
>>> which is not "root") Set "su" directive in config file to tell
>>> logrotate which user/group should be used for rotation.
>>> 
>>> This is my current logrotation conf for dovecot:
>>> 
>>> /var/log/dovecot*.log {
>>> rotate 10
>>> missingok
>>> sharedscripts
>>> postrotate
>>> doveadm log reopen
>>> endscript
>>> }
>>> 
>>> And the /var/log folder has these permissions:
>>> 
>>> drwxrwxr-x 12 root syslog   4.0K Mar 19 12:43 log
>>> 
>>> Any clues what's wrong?
>> 
>> As the message says:
>> 
>>   > because parent directory has insecure permissions
>>   > (It's world writable or writable by group which
>>   > is not "root") 
>> 
>>   > drwxrwxr-x 12 root syslog   4.0K Mar 19 12:43 log
>> 
>> On my RHEL derived systems, /var/log is root.root (and even then,
>> is not writable by group).
>
> Thank you. And what user/group/file perms does your dovecot.log
> file have?
> 
> - Michael
> 
> 

I log dovecot via syslog to [/var/log/]maillog, rather than its own
log file. That file is owned root.root and has permissions of 600.


Re: Permission denied when logrotating dovecot.log

2017-03-18 Thread Michael Heuberger
Thank you. And what user/group/file perms does your dovecot.log file have?

- Michael


On 19/03/17 13:43, Richard wrote:
>
>> Date: Sunday, March 19, 2017 13:32:57 +1300
>> From: Michael Heuberger 
>>
>> Hello guys
>>
>> Having headaches here how to make logrotation for dovecot log files
>> work. Having permission issues:
>>
>> michael.heuberger@xxx /e/l/daily ❯❯❯ sudo logrotate -fv
>> dovecot.daily
>>  ⏎
>> reading config file dovecot.daily
>>
>> Handling 1 logs
>>
>> rotating pattern: /var/log/dovecot*.log  forced from command line
>> (10 rotations)
>> empty log files are rotated, old logs are removed
>> considering log /var/log/dovecot.log
>> error: skipping "/var/log/dovecot.log" because parent directory has
>> insecure permissions (It's world writable or writable by group
>> which is not "root") Set "su" directive in config file to tell
>> logrotate which user/group should be used for rotation.
>>
>> This is my current logrotation conf for dovecot:
>>
>> /var/log/dovecot*.log {
>> rotate 10
>> missingok
>> sharedscripts
>> postrotate
>> doveadm log reopen
>> endscript
>> }
>>
>> And the /var/log folder has these permissions:
>>
>> drwxrwxr-x 12 root syslog   4.0K Mar 19 12:43 log
>>
>> Any clues what's wrong?
>
> As the message says:
>
>   > because parent directory has insecure permissions
>   > (It's world writable or writable by group which
>   > is not "root") 
>
>   > drwxrwxr-x 12 root syslog   4.0K Mar 19 12:43 log
>
> On my RHEL derived systems, /var/log is root.root (and even then, is
> not writable by group).



Re: Permission denied when logrotating dovecot.log

2017-03-18 Thread Richard


> Date: Sunday, March 19, 2017 13:32:57 +1300
> From: Michael Heuberger 
>
> Hello guys
> 
> Having headaches here how to make logrotation for dovecot log files
> work. Having permission issues:
> 
> michael.heuberger@xxx /e/l/daily ❯❯❯ sudo logrotate -fv
> dovecot.daily
>  ⏎
> reading config file dovecot.daily
> 
> Handling 1 logs
> 
> rotating pattern: /var/log/dovecot*.log  forced from command line
> (10 rotations)
> empty log files are rotated, old logs are removed
> considering log /var/log/dovecot.log
> error: skipping "/var/log/dovecot.log" because parent directory has
> insecure permissions (It's world writable or writable by group
> which is not "root") Set "su" directive in config file to tell
> logrotate which user/group should be used for rotation.
> 
> This is my current logrotation conf for dovecot:
> 
> /var/log/dovecot*.log {
> rotate 10
> missingok
> sharedscripts
> postrotate
> doveadm log reopen
> endscript
> }
> 
> And the /var/log folder has these permissions:
> 
> drwxrwxr-x 12 root syslog   4.0K Mar 19 12:43 log
> 
> Any clues what's wrong?


As the message says:

  > because parent directory has insecure permissions
  > (It's world writable or writable by group which
  > is not "root") 

  > drwxrwxr-x 12 root syslog   4.0K Mar 19 12:43 log

On my RHEL derived systems, /var/log is root.root (and even then, is
not writable by group).


Permission denied when logrotating dovecot.log

2017-03-18 Thread Michael Heuberger
Hello guys

Having headaches here trying to make log rotation for dovecot log files
work. Having permission issues:

michael.heuberger@xxx /e/l/daily ❯❯❯ sudo logrotate -fv dovecot.daily
reading config file dovecot.daily

Handling 1 logs

rotating pattern: /var/log/dovecot*.log  forced from command line (10
rotations)
empty log files are rotated, old logs are removed
considering log /var/log/dovecot.log
error: skipping "/var/log/dovecot.log" because parent directory has
insecure permissions (It's world writable or writable by group which is
not "root") Set "su" directive in config file to tell logrotate which
user/group should be used for rotation.

This is my current logrotation conf for dovecot:

/var/log/dovecot*.log {
rotate 10
missingok
sharedscripts
postrotate
doveadm log reopen
endscript
}

And the /var/log folder has these permissions:

drwxrwxr-x 12 root syslog   4.0K Mar 19 12:43 log

Any clues what's wrong?

Thanks
Michael



Re: dovecot problem with ssl

2017-03-18 Thread Andrew Beverley
On Fri, 17 Mar 2017 05:21:15 -0300 "Nilton Jose Rizzo" wrote:
> doveconf: Fatal: Error in configuration file
> /usr/local/etc/dovecot/conf.d/10-ssl.conf line 7: Unknown setting: ssl

How did you install Dovecot? It sounds like it's been compiled without
SSL support. Maybe missing SSL libraries during build?

Andy


Re: dovecot problem with ssl

2017-03-18 Thread Nilton Jose Rizzo
On Sat, 18 Mar 2017 16:24:25 +0100, Christian Kivalo wrote:
> On 18 March 2017 18:55:58 CET, Nilton Jose Rizzo wrote:
> >On Sat, 18 Mar 2017 11:36:34 +0100, Christian Kivalo wrote:
> >> On 2017-03-18 07:19, Nilton Jose Rizzo wrote:
> >> > On Fri, 17 Mar 2017 22:35:40 -0300, Nilton Jose Rizzo wrote:
> >> >> On Thu, 16 Mar 2017 23:06:08 -0700, Doug Barton wrote:
> >> >> > On 03/17/2017 01:21 AM, Nilton Jose Rizzo wrote:
> >> >> > >
> >> >> > >
> >> >> > >   Hi all,
> >> >> > >
> >> >> > >
> >> >> > >  I already searched for this error on google and nothing
> >> >> > >
> >> >> > >  I never install dovecot, this is a first time.
> >> >> > >
> >> >> > >  This error, I know, is too newbie and stupid, but I
> >> >> > > checked more than twice.
> >> >> > >
> >> >> > > root@server:/usr/local/etc/dovecot # sievec
> >/home3/virtual/default.sieve
> >> >> > > doveconf: Fatal: Error in configuration file
> >> >> > > /usr/local/etc/dovecot/conf.d/10-ssl.conf line 7: Unknown
> >setting: ssl
> >> >> > > root@server:/usr/local/etc/dovecot #
> >> >> > >
> >> >> > > I'm running a FreeBSD 12-current
> >> >> >
> >> >> > As someone else pointed out, that 7: means the error is on line
> >7 of
> >> >> > the file.
> >> >> >
> >> >> > Go into dovecot's conf.d folder (in /usr/local/etc/) and do
> >this:
> >> >> >
> >> >> > diff -u 10-ssl.conf.sample 10-ssl.conf
> >> >> >
> >> >> > If that doesn't clearly indicate the problem to you, post the
> >> >> > results to the list.
> >> >> >
> >> >> > hope this helps,
> >> >> >
> >> >> > Doug
> >> >> 
> >> >>   Sorry,  I'm forget the link to tutorial
> >> >> 
> >> >>  http://www.purplehat.org/?page_id=7
> >> >> 
> >> >> root@server:/usr/local/etc/dovecot # head  10 conf.d/10-ssl.conf
> >> >> head: 10: No such file or directory
> >> >> ==> conf.d/10-ssl.conf <==
> >> >> ##
> >> >> ## SSL settings
> >> >> ##
> >> >> 
> >> >> # SSL/TLS support: yes, no, required. 
> >> >> #ssl = yes
> >> >> ssl=yes
> >> >> 
> >> >> # PEM encoded X.509 SSL/TLS certificate and private key. They're 
> >> >> opened before
> >> >> # dropping root privileges, so keep the key file unreadable by
> >anyone 
> >> >> but
> >> >> root@server:/usr/local/etc/dovecot #
> >> Please post the output of doveconf -n
> >> 
> >> ssl = yes (or ssl=yes) is correct so should work. We need to know 
> >> more about your running dovecot configuration.
> >> 
> >> Btw: is dovecot running? Can you log in? From localhost and/or from 
> >> a remote host? Over a secure connection?
> >> 
> >> -- 
> >>   Christian Kivalo
> >
> >
> >root@server:/usr/local/etc/dovecot/conf.d # dovecot -n
> 
> doveconf -n
> 
> ># 2.2.28 (bed8434): /usr/local/etc/dovecot/dovecot.conf
> ># Pigeonhole version 0.4.17 (e179378)
> >doveconf: Fatal: Error in configuration file
> >/usr/local/etc/dovecot/conf.d/10-ssl.conf line 7: Unknown setting: ssl
> >doveconf: Error: managesieve-login: dump-capability process returned 89
> >doveconf: Fatal: Error in configuration file
> >/usr/local/etc/dovecot/conf.d/10-ssl.conf line 7: Unknown setting: ssl
> >root@server:/usr/local/etc/dovecot/conf.d #
> 
> -- 
> Christian Kivalo

The same result, look:

root@server:/usr/local/etc/dovecot/conf.d # dovecot -n
# 2.2.28 (bed8434): /usr/local/etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.17 (e179378)
doveconf: Fatal: Error in configuration file
/usr/local/etc/dovecot/conf.d/10-ssl.conf line 7: Unknown setting: ssl
doveconf: Error: managesieve-login: dump-capability process returned 89
doveconf: Fatal: Error in configuration file
/usr/local/etc/dovecot/conf.d/10-ssl.conf line 7: Unknown setting: ssl
root@server:/usr/local/etc/dovecot/conf.d # doveconf -n
# 2.2.28 (bed8434): /usr/local/etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.17 (e179378)
doveconf: Fatal: Error in configuration file
/usr/local/etc/dovecot/conf.d/10-ssl.conf line 7: Unknown setting: ssl
doveconf: Error: managesieve-login: dump-capability process returned 89
doveconf: Fatal: Error in configuration file
/usr/local/etc/dovecot/conf.d/10-ssl.conf line 7: Unknown setting: ssl
root@server:/usr/local/etc/dovecot/conf.d # 




---
/*
**Nilton José RizzoUFRRJ
**http://www.rizzo.eng.br  http://www.ufrrj.br
**http://lattes.cnpq.br/0079460703536198
**/


Re: dovecot problem with ssl

2017-03-18 Thread Christian Kivalo


On 18 March 2017 18:55:58 CET, Nilton Jose Rizzo wrote:
>On Sat, 18 Mar 2017 11:36:34 +0100, Christian Kivalo wrote:
>> On 2017-03-18 07:19, Nilton Jose Rizzo wrote:
>> > On Fri, 17 Mar 2017 22:35:40 -0300, Nilton Jose Rizzo wrote:
>> >> On Thu, 16 Mar 2017 23:06:08 -0700, Doug Barton wrote:
>> >> > On 03/17/2017 01:21 AM, Nilton Jose Rizzo wrote:
>> >> > >
>> >> > >
>> >> > >   Hi all,
>> >> > >
>> >> > >
>> >> > >  I already searched for this error on google and nothing
>> >> > >
>> >> > >  I never install dovecot, this is a first time.
>> >> > >
>> >> > >  This error, I know, is too newbie and stupid, but I
>> >> > > checked more than twice.
>> >> > >
>> >> > > root@server:/usr/local/etc/dovecot # sievec
>/home3/virtual/default.sieve
>> >> > > doveconf: Fatal: Error in configuration file
>> >> > > /usr/local/etc/dovecot/conf.d/10-ssl.conf line 7: Unknown
>setting: ssl
>> >> > > root@server:/usr/local/etc/dovecot #
>> >> > >
>> >> > > I'm running a FreeBSD 12-current
>> >> >
>> >> > As someone else pointed out, that 7: means the error is on line
>7 of
>> >> > the file.
>> >> >
>> >> > Go into dovecot's conf.d folder (in /usr/local/etc/) and do
>this:
>> >> >
>> >> > diff -u 10-ssl.conf.sample 10-ssl.conf
>> >> >
>> >> > If that doesn't clearly indicate the problem to you, post the
>> >> > results to the list.
>> >> >
>> >> > hope this helps,
>> >> >
>> >> > Doug
>> >> 
>> >>   Sorry,  I'm forget the link to tutorial
>> >> 
>> >>  http://www.purplehat.org/?page_id=7
>> >> 
>> >> root@server:/usr/local/etc/dovecot # head  10 conf.d/10-ssl.conf
>> >> head: 10: No such file or directory
>> >> ==> conf.d/10-ssl.conf <==
>> >> ##
>> >> ## SSL settings
>> >> ##
>> >> 
>> >> # SSL/TLS support: yes, no, required. 
>> >> #ssl = yes
>> >> ssl=yes
>> >> 
>> >> # PEM encoded X.509 SSL/TLS certificate and private key. They're 
>> >> opened before
>> >> # dropping root privileges, so keep the key file unreadable by
>anyone 
>> >> but
>> >> root@server:/usr/local/etc/dovecot #
>> Please post the output of doveconf -n
>> 
>> ssl = yes (or ssl=yes) is correct so should work. We need to know 
>> more about your running dovecot configuration.
>> 
>> Btw: is dovecot running? Can you log in? From localhost and/or from 
>> a remote host? Over a secure connection?
>> 
>> -- 
>>   Christian Kivalo
>
>
>root@server:/usr/local/etc/dovecot/conf.d # dovecot -n

doveconf -n

># 2.2.28 (bed8434): /usr/local/etc/dovecot/dovecot.conf
># Pigeonhole version 0.4.17 (e179378)
>doveconf: Fatal: Error in configuration file
>/usr/local/etc/dovecot/conf.d/10-ssl.conf line 7: Unknown setting: ssl
>doveconf: Error: managesieve-login: dump-capability process returned 89
>doveconf: Fatal: Error in configuration file
>/usr/local/etc/dovecot/conf.d/10-ssl.conf line 7: Unknown setting: ssl
>root@server:/usr/local/etc/dovecot/conf.d # 

-- 
Christian Kivalo


Re: dovecot problem with ssl

2017-03-18 Thread Nilton Jose Rizzo
On Sat, 18 Mar 2017 11:36:34 +0100, Christian Kivalo wrote:
> On 2017-03-18 07:19, Nilton Jose Rizzo wrote:
> > On Fri, 17 Mar 2017 22:35:40 -0300, Nilton Jose Rizzo wrote:
> >> On Thu, 16 Mar 2017 23:06:08 -0700, Doug Barton wrote:
> >> > On 03/17/2017 01:21 AM, Nilton Jose Rizzo wrote:
> >> > >
> >> > >
> >> > >   Hi all,
> >> > >
> >> > >
> >> > >  I already searched for this error on google and nothing
> >> > >
> >> > >  I never install dovecot, this is a first time.
> >> > >
> >> > >  This error, I know, is too newbie and stupid, but I
> >> > > checked more than twice.
> >> > >
> >> > > root@server:/usr/local/etc/dovecot # sievec 
> >> > > /home3/virtual/default.sieve
> >> > > doveconf: Fatal: Error in configuration file
> >> > > /usr/local/etc/dovecot/conf.d/10-ssl.conf line 7: Unknown setting: ssl
> >> > > root@server:/usr/local/etc/dovecot #
> >> > >
> >> > > I'm running a FreeBSD 12-current
> >> >
> >> > As someone else pointed out, that 7: means the error is on line 7 of
> >> > the file.
> >> >
> >> > Go into dovecot's conf.d folder (in /usr/local/etc/) and do this:
> >> >
> >> > diff -u 10-ssl.conf.sample 10-ssl.conf
> >> >
> >> > If that doesn't clearly indicate the problem to you, post the
> >> > results to the list.
> >> >
> >> > hope this helps,
> >> >
> >> > Doug
> >> 
> >>   Sorry,  I'm forget the link to tutorial
> >> 
> >>  http://www.purplehat.org/?page_id=7
> >> 
> >> root@server:/usr/local/etc/dovecot # head  10 conf.d/10-ssl.conf
> >> head: 10: No such file or directory
> >> ==> conf.d/10-ssl.conf <==
> >> ##
> >> ## SSL settings
> >> ##
> >> 
> >> # SSL/TLS support: yes, no, required. 
> >> #ssl = yes
> >> ssl=yes
> >> 
> >> # PEM encoded X.509 SSL/TLS certificate and private key. They're 
> >> opened before
> >> # dropping root privileges, so keep the key file unreadable by anyone 
> >> but
> >> root@server:/usr/local/etc/dovecot #
> Please post the output of doveconf -n
> 
> ssl = yes (or ssl=yes) is correct so should work. We need to know 
> more about your running dovecot configuration.
> 
> Btw: is dovecot running? Can you log in? From localhost and/or from 
> a remote host? Over a secure connection?
> 
> -- 
>   Christian Kivalo


root@server:/usr/local/etc/dovecot/conf.d # dovecot -n
# 2.2.28 (bed8434): /usr/local/etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.17 (e179378)
doveconf: Fatal: Error in configuration file
/usr/local/etc/dovecot/conf.d/10-ssl.conf line 7: Unknown setting: ssl
doveconf: Error: managesieve-login: dump-capability process returned 89
doveconf: Fatal: Error in configuration file
/usr/local/etc/dovecot/conf.d/10-ssl.conf line 7: Unknown setting: ssl
root@server:/usr/local/etc/dovecot/conf.d # 





replication issues between to nodes

2017-03-18 Thread Remko Lodder
Hi,

Some time ago I posted the below but never got a response that I could work 
with. So I am retrying now in the hope that there might be a better 
idea/suggestion on how to approach this.

Situation:

I have two nodes, which should replicate to each other. My main machine receives 
most mail and the other one receives mostly system messages and should get 
replicated. (This used to be delivered on both machines, but given the issues 
below I had to make sure that the customer email at least arrives on machine A, 
as detailed below.)

When a mail arrives on main machine (A) everything is fine and things are 
synchronised asap. Customers can see the email directly via webmail/imap.

When a mail arrives on the secondary machine (B) the replication is not issued 
until machine A starts a sync session. Customers do not see the email on 
machine A via webmail/imap.

When a mail arrives on A, the synchronisation occurs, and all messages on B, 
not yet on A, are synchronised as well. Customers can now see the email on 
machine A as well via webmail/imap. Sadly this can mean that emails that became 
visible are hours late (read: were delivered hours before, but not visible for 
the customer).

Both machines are configured through Puppet; only individual settings like IP 
addresses and certificates are different because, well, they have to be. I included 
the difference below, and both 'doveconf -n's. If someone has a suggestion on 
seeing why machine B is not issuing (or does not seem to issue) replication, 
let me know. I verified that I can connect to the remote machines via IPv4 and 
IPv6 (for doveadm / replication purposes).

Difference between configurations:

--- tmp1.txt2017-03-18 15:18:41.0 +0100
+++ tmp2.txt2017-03-18 15:18:56.0 +0100
@@ -55,7 +55,7 @@
   imapsieve_mailbox2_name = *
   mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
   mail_log_fields = uid box msgid size
-  mail_replica = tcps:mail.jr-hosting.nl:12346
+  mail_replica = tcps:mail2.jr-hosting.nl:12346
   sieve = ~/.dovecot.sieve
   sieve_dir = ~/sieve
   sieve_execute_bin_dir = /usr/local/lib/dovecot/sieve
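Review bot: the only difference in this hunk is the `mail_replica` target, each dump pointing at the other host over `tcps:` on port 12346, which is the expected shape for a two-node pair; since the dumps are otherwise identical here, this setting cannot by itself explain why only one direction syncs promptly, so the replicator log on the node that never initiates is the next place to look (whether it attempts the `tcps:` connection at all, and whether the TLS side of it succeeds, given that the message says certificates differ between the nodes).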
@@ -105,7 +105,7 @@
 }
 service lmtp {
   inet_listener lmtp {
-address = XXX/X 127.0.0.1 ::1
+address = /Y 127.0.0.1 ::1
 port = 24
   }
   unix_listener /var/spool/postfix/private/dovecot-lmtp {
@@ -123,8 +123,8 @@
 mode = 0666
   }
 }
-ssl_ca = 
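Review bot: this hunk is truncated after `-ssl_ca = ` with its `+` counterpart and the remainder of the diff missing, so the certificate-related differences the message mentions cannot be reviewed; when reposting, include the complete hunk with the certificate file paths but not the certificate contents.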



Re: Dovecot can't connect to openldap over starttls

2017-03-18 Thread info

The server log of openldap with loglevel "any":
https://gwarband.de/openldap/openldap-connect.log
Note: openldap waits 1 minute before it says "TLS negotiation failure" 
after the connect,

and dovecot says "Connect error" right away.

I've also deleted the TLSCipherSuite from openldap.

Tobias

On 2017-03-18 14:01, Tomas Habarta wrote:
> Increase log level on server side as well to see what the server says...
> You may remove anything in TLSCipherSuite for the purpose of testing too.
>
> Hopefully anyone knowing OpenLDAP internals could help you analyse it
> more deeply.
>
> Tomas
>
> On 03/18/2017 01:31 PM, i...@gwarband.de wrote:
>> I've replicated the settings from ldapsearch to dovecot but no success.
>>
>> To the certificate:
>> Yes it's a *.crt file but I have linked the *.pem file to it and dovecot
>> has read access to that file.
>>
>> I have enabled the debugging in dovecot and have uploaded the output:
>> https://gwarband.de/openldap/dovecot-connect.log
>>
>> And the other side with ldapsearch:
>> https://gwarband.de/openldap/ldapsearch-connect.log
>>
>> I'm pretty sure that there is a problem with the SSL handshaking between
>> openldap and dovecot, but I can't find the source of the problem.
>>
>> One of the steps in the SSL handshaking is not successful but in the
>> debugging output I can't find any line with a hint to it.
>>
>> Tobias
>>
>> On 2017-03-18 12:30, Tomas Habarta wrote:
>>> Well, if ldapsearch works, try to replicate its settings for dovecot
>>> client.
>>> It's not obvious what settings ldapsearch uses, have a look at default
>>> client settings in /etc/openldap/ldap.conf, there may be something set a
>>> slightly different way.
>>> Also double check permissions for files used by dovecot, I mean mainly
>>> the file listed for tls_ca_cert_file as dovecot may not have access
>>> for reading...
>>>
>>> I cannot see anything downright bad, just posted CA cert (which is ok,
>>> tested) is *.crt and your config mentions *.pem but I consider it's the
>>> same file.
>>>
>>> Finally, I would recommend to enable debug option for dovecot's client
>>> debug_level = -1 (which logs all available) in your dovecot-ldap.conf
>>> to see what the library reports and work further on that.
>>> You can compare with output from ldapsearch by adding -d-1 switch to it.
>>>
>>> Hard to tell more at the moment.
>>>
>>> Tomas
>>>
>>> On 03/18/2017 09:41 AM, i...@gwarband.de wrote:
>>>> Hello,
>>>>
>>>> I have also installed LE certs.
>>>> But nothing helps, I have double-checked all certs.
>>>>
>>>> ldapsearch with -ZZ works, see:
>>>> https://gwarband.de/openldap/ldapsearch.log
>>>>
>>>> I have also uploaded the TLSCACertificateFile, maybe I have a failure in
>>>> the merge of the two files:
>>>> https://gwarband.de/openldap/LetsEncrypt.crt
>>>>
>>>> And also I have uploaded my complete openldap configuration:
>>>> https://gwarband.de/openldap/openldap.conf
>>>>
>>>> All other components can work and communicate with my openldap server.
>>>> The components are postfix, openxchange, apache (phpldapadmin).
>>>>
>>>> My installed software is:
>>>> Debian 8
>>>> OpenLDAP 2.4.40
>>>> Dovecot 2.2.13
>>>>
>>>> I hope you can find the issue.
>>>>
>>>> Thanks,
>>>> Tobias
>>>>
>>>> On 2017-03-17 22:48, Tomas Habarta wrote:
>>>>> Hi,
>>>>>
>>>>> been running Dovecot 2.2.27 against OpenLDAP 2.4.40 normally over the
>>>>> unix socket on the same machine, but tried over inet with STARTTLS and
>>>>> it's working ok...
>>>>>
>>>>> I would suggest double-checking key/certs setup on OpenLDAP side; for
>>>>> the test I have used LE certs, utilizing following cn=config
>>>>> attributes:
>>>>>
>>>>> olcTLSCertificateKeyFile    contains private key
>>>>> olcTLSCertificateFile       contains certificate
>>>>> olcTLSCACertificateFile     contains both certs (DST Root CA X3
>>>>>                             and Let's Encrypt Authority X3)
>>>>>
>>>>> and used the same CA file in Dovecot's tls_ca_cert_file
>>>>>
>>>>> Is ldapsearch working ok (-ZZ) and only Dovecot has troubles or ... ?
>>>>>
>>>>> Hope that helps, good luck ;)
>>>>> Tomas
>>>>>
>>>>> On 03/17/2017 04:27 PM, i...@gwarband.de wrote:
>>>>>> Hello guys,
>>>>>>
>>>>>> actually I'm trying to configure dovecot to access openldap for
>>>>>> password check.
>>>>>> My openldap only allows access over "secure ldap".
>>>>>> The dovecot can communicate with the openldap server but there is
>>>>>> maybe a failure in the SSL handshake.
>>>>>> Additional information you can find in the logs or in the dump below.
>>>>>>
>>>>>> Also I have my ldap config from dovecot in the links below.
>>>>>>
>>>>>> I have already created a bug report in the system of openldap but
>>>>>> the answer was to get support from here.
>>>>>>
>>>>>> All data links:
>>>>>> https://gwarband.de/openldap/dovecot.log
>>>>>> https://gwarband.de/openldap/dovecot-ldap.conf
>>>>>> https://gwarband.de/openldap/openldap.log
>>>>>> https://gwarband.de/openldap/trace.dump
>>>>>>
>>>>>> The bug report link from openldap:
>>>>>> http://www.openldap.org/its/index.cgi/Incoming?id=8615
>>>>>>
>>>>>> I hope you can help me.
>>>>>>
>>>>>> Regards.
>>>>>> Tobias Warband


Re: Dovecot can't connect to openldap over starttls

2017-03-18 Thread Tomas Habarta
Increase log level on server side as well to see what the server says...
You may remove anything in TLSCipherSuite for the purpose of testing too.

Hopefully anyone knowing OpenLDAP internals could help you analyse it
more deeply.

Tomas

On 03/18/2017 01:31 PM, i...@gwarband.de wrote:
> I've replicate the settings from ldapsearch to dovecot but no success.
> To the certificate:
> Yes it's a *.crt file but I have linked the *.pem file to it and dovecot
> has read access to that file.
> 
> I have enabled the debugging in dovecot and have uploaded the output:
> https://gwarband.de/openldap/dovecot-connect.log
> 
> And the other site with ldapsearch:
> https://gwarband.de/openldap/ldapsearch-connect.log
> 
> I'm pretty sure that there is a problem with the sslhandshaking between
> openldap and dovecot, but I can't find the source of the problem.
> 
> One of the steps in the sslhandshaking is not success but in the
> debugging output I can't find any line with a hit to it.
> 
> Tobias
> 
> Am 2017-03-18 12:30, schrieb Tomas Habarta:
>> Well, if ldapsearch works, try to replicate its settings for dovecot
>> client.
>> It's not obvious what settings ldapsearch uses, have a look at default
>> client settings in /etc/openldap/ldap.conf, there may be something set a
>> slightly different way.
>> Also double check permissions for files used by dovecot, I mean mainly
>> the file listed for tls_ca_cert_file as dovecot may not have an access
>> for reading...
>>
>> I cannot see anything downright bad, just posted CA cert (which is ok,
>> tested) is *.crt and your config mentions *.pem but I consider it's the
>> same file.
>>
>> Finally, I would recommend to enable debug option for dovecot's client
>> debug_level = -1 (which logs all available) in your dovecot-ldap.conf
>> to see what the library reports and work further on that.
>> You can compare with output from ldapsearch by adding -d-1 switch to it.
>>
>> Hard to tell more at the moment.
>>
>>
>> Tomas
>>
>> On 03/18/2017 09:41 AM, i...@gwarband.de wrote:
>>> Hello,
>>>
>>> I have also installed LE certs.
>>> But nothing helps, I have double-checked all certs.
>>>
>>> ldapsearch with -ZZ works, see:
>>> https://gwarband.de/openldap/ldapsearch.log
>>>
>>> I have also uploaded the TLSCACertificateFile, maybe I have a failure in
>>> the merge of the two files:
>>> https://gwarband.de/openldap/LetsEncrypt.crt
>>>
>>> And also I have uploaded my complete openldap configuration:
>>> https://gwarband.de/openldap/openldap.conf
>>>
>>> All other components can work and communicate with my openldap server.
>>> The components are postfix, openxchange, apache (phpldapadmin).
>>>
>>> My installed software is:
>>> Debian 8
>>> OpenLDAP 2.4.40
>>> Dovecot 2.2.13
>>>
>>> I hope you can find the issue.
>>>
>>> Thanks,
>>> Tobias
>>>
>>> Am 2017-03-17 22:48, schrieb Tomas Habarta:
>>>> Hi,
>>>>
>>>> been running Dovecot 2.2.27 against OpenLDAP 2.4.40 normally over the
>>>> unix socket on the same machine, but tried over inet with STARTTLS and
>>>> it's working ok...
>>>>
>>>> I would suggest double-checking key/certs setup on OpenLDAP side; for
>>>> the test I have used LE certs, utilizing following cn=config
>>>> attributes:
>>>>
>>>> olcTLSCertificateKeyFile   contains private key
>>>> olcTLSCertificateFile      contains certificate
>>>> olcTLSCACertificateFile    contains both certs (DST Root CA X3
>>>> and Let's Encrypt Authority X3)
>>>>
>>>> and used the same CA file in Dovecot's tls_ca_cert_file
>>>>
>>>> Is ldapsearch working ok (-ZZ) and only Dovecot has troubles or ... ?
>>>>
>>>> Hope that helps, good luck ;)
>>>> Tomas
>>>>
>>>> On 03/17/2017 04:27 PM, i...@gwarband.de wrote:
>>>>> Hello guys,
>>>>>
>>>>> actually I'm trying to configure dovecot to access openldap for
>>>>> password checks.
>>>>> My openldap only allows access over "secure ldap".
>>>>> The dovecot can communicate with the openldap server but there is maybe
>>>>> a failure in the SSL handshake.
>>>>> Additional information you can find in the logs or in the dump below.
>>>>> Also I have my ldap config from dovecot in the links below.
>>>>>
>>>>> I have already created a bug report in the system of openldap but
>>>>> the answer was to get support from here.
>>>>>
>>>>> All datalinks:
>>>>> https://gwarband.de/openldap/dovecot.log
>>>>> https://gwarband.de/openldap/dovecot-ldap.conf
>>>>> https://gwarband.de/openldap/openldap.log
>>>>> https://gwarband.de/openldap/trace.dump
>>>>>
>>>>> The bug report link from openldap:
>>>>> http://www.openldap.org/its/index.cgi/Incoming?id=8615
>>>>>
>>>>> I hope you can help me.
>>>>>
>>>>> Regards.
>>>>> Tobias Warband

-- 
toCc.cz


Re: Dovecot can't connect to openldap over starttls

2017-03-18 Thread info

I've replicated the settings from ldapsearch to dovecot but no success.
To the certificate:
Yes it's a *.crt file but I have linked the *.pem file to it and
dovecot has read access to that file.

I have enabled the debugging in dovecot and have uploaded the output:
https://gwarband.de/openldap/dovecot-connect.log

And the other side with ldapsearch:
https://gwarband.de/openldap/ldapsearch-connect.log

I'm pretty sure that there is a problem with the SSL handshake between
openldap and dovecot, but I can't find the source of the problem.

One of the steps in the SSL handshake does not succeed, but in the
debugging output I can't find any line pointing to it.


Tobias

Am 2017-03-18 12:30, schrieb Tomas Habarta:
> Well, if ldapsearch works, try to replicate its settings for the dovecot
> client.
> It's not obvious what settings ldapsearch uses, have a look at default
> client settings in /etc/openldap/ldap.conf, there may be something set a
> slightly different way.
> Also double-check permissions for files used by dovecot, I mean mainly
> the file listed for tls_ca_cert_file, as dovecot may not have read access
> to it...
>
> I cannot see anything downright bad, just the posted CA cert (which is ok,
> tested) is *.crt and your config mentions *.pem, but I consider it's the
> same file.
>
> Finally, I would recommend enabling the debug option for dovecot's client,
> debug_level = -1 (which logs everything available), in your dovecot-ldap.conf
> to see what the library reports and work further on that.
> You can compare with the output from ldapsearch by adding the -d-1 switch to it.
>
> Hard to tell more at the moment.
>
> Tomas
>
> On 03/18/2017 09:41 AM, i...@gwarband.de wrote:
>> Hello,
>>
>> I have also installed LE certs.
>> But nothing helps, I have double-checked all certs.
>>
>> ldapsearch with -ZZ works, see:
>> https://gwarband.de/openldap/ldapsearch.log
>>
>> I have also uploaded the TLSCACertificateFile, maybe I have a failure in
>> the merge of the two files:
>> https://gwarband.de/openldap/LetsEncrypt.crt
>>
>> And also I have uploaded my complete openldap configuration:
>> https://gwarband.de/openldap/openldap.conf
>>
>> All other components can work and communicate with my openldap server.
>> The components are postfix, openxchange, apache (phpldapadmin).
>>
>> My installed software is:
>> Debian 8
>> OpenLDAP 2.4.40
>> Dovecot 2.2.13
>>
>> I hope you can find the issue.
>>
>> Thanks,
>> Tobias
>>
>> Am 2017-03-17 22:48, schrieb Tomas Habarta:
>>> Hi,
>>>
>>> been running Dovecot 2.2.27 against OpenLDAP 2.4.40 normally over the
>>> unix socket on the same machine, but tried over inet with STARTTLS and
>>> it's working ok...
>>>
>>> I would suggest double-checking key/certs setup on OpenLDAP side; for
>>> the test I have used LE certs, utilizing following cn=config attributes:
>>>
>>> olcTLSCertificateKeyFile   contains private key
>>> olcTLSCertificateFile      contains certificate
>>> olcTLSCACertificateFile    contains both certs (DST Root CA X3
>>> and Let's Encrypt Authority X3)
>>>
>>> and used the same CA file in Dovecot's tls_ca_cert_file
>>>
>>> Is ldapsearch working ok (-ZZ) and only Dovecot has troubles or ... ?
>>>
>>> Hope that helps, good luck ;)
>>> Tomas
>>>
>>> On 03/17/2017 04:27 PM, i...@gwarband.de wrote:
>>>> Hello guys,
>>>>
>>>> actually I'm trying to configure dovecot to access openldap for
>>>> password checks.
>>>> My openldap only allows access over "secure ldap".
>>>> The dovecot can communicate with the openldap server but there is maybe
>>>> a failure in the SSL handshake.
>>>> Additional information you can find in the logs or in the dump below.
>>>> Also I have my ldap config from dovecot in the links below.
>>>>
>>>> I have already created a bug report in the system of openldap but
>>>> the answer was to get support from here.
>>>>
>>>> All datalinks:
>>>> https://gwarband.de/openldap/dovecot.log
>>>> https://gwarband.de/openldap/dovecot-ldap.conf
>>>> https://gwarband.de/openldap/openldap.log
>>>> https://gwarband.de/openldap/trace.dump
>>>>
>>>> The bug report link from openldap:
>>>> http://www.openldap.org/its/index.cgi/Incoming?id=8615
>>>>
>>>> I hope you can help me.
>>>>
>>>> Regards.
>>>> Tobias Warband


Re: Dovecot can't connect to openldap over starttls

2017-03-18 Thread Tomas Habarta
Well, if ldapsearch works, try to replicate its settings for the dovecot client.
It's not obvious what settings ldapsearch uses, have a look at default
client settings in /etc/openldap/ldap.conf, there may be something set a
slightly different way.
Also double-check permissions for files used by dovecot, I mean mainly
the file listed for tls_ca_cert_file, as dovecot may not have read access
to it...

I cannot see anything downright bad, just the posted CA cert (which is ok,
tested) is *.crt and your config mentions *.pem, but I consider it's the
same file.

Finally, I would recommend enabling the debug option for dovecot's client,
debug_level = -1 (which logs everything available), in your dovecot-ldap.conf
to see what the library reports and work further on that.
You can compare with the output from ldapsearch by adding the -d-1 switch to it.

Hard to tell more at the moment.


Tomas

On 03/18/2017 09:41 AM, i...@gwarband.de wrote:
> Hello,
> 
> I have also installed LE certs.
> But nothing helps, I have double-checked all certs.
> 
> ldapsearch with -ZZ works, see: https://gwarband.de/openldap/ldapsearch.log
> 
> I have also uploaded the TLSCACertificateFile, maybe I have a failure in
> the merge of the two files:
> https://gwarband.de/openldap/LetsEncrypt.crt
> 
> And also I have uploaded my complete openldap configuration:
> https://gwarband.de/openldap/openldap.conf
> 
> All other components can work and communicate with my openldap server.
> The components are postfix, openxchange, apache (phpldapadmin).
> 
> My installed software is:
> Debian 8
> OpenLDAP 2.4.40
> Dovecot 2.2.13
> 
> I hope you can find the issue.
> 
> Thanks,
> Tobias
> 
> Am 2017-03-17 22:48, schrieb Tomas Habarta:
>> Hi,
>>
>> been running Dovecot 2.2.27 against OpenLDAP 2.4.40 normally over the
>> unix socket on the same machine, but tried over inet with STARTTLS and
>> it's working ok...
>>
>> I would suggest double-checking key/certs setup on OpenLDAP side; for
>> the test I have used LE certs, utilizing following cn=config attributes:
>>
>> olcTLSCertificateKeyFile   contains private key
>> olcTLSCertificateFile      contains certificate
>> olcTLSCACertificateFile    contains both certs (DST Root CA X3
>> and Let's Encrypt Authority X3)
>>
>> and used the same CA file in Dovecot's tls_ca_cert_file
>>
>> Is ldapsearch working ok (-ZZ) and only Dovecot has troubles or ... ?
>>
>>
>>
>> Hope that helps, good luck ;)
>> Tomas
>>
>>
>> On 03/17/2017 04:27 PM, i...@gwarband.de wrote:
>>> Hello guys,
>>>
>>> actually I'm trying to configure dovecot to access openldap for
>>> password checks.
>>> My openldap only allows access over "secure ldap".
>>> The dovecot can communicate with the openldap server but there is maybe
>>> a failure in the SSL handshake.
>>> Additional information you can find in the logs or in the dump below.
>>> Also I have my ldap config from dovecot in the links below.
>>>
>>> I have already created a bug report in the system of openldap but
>>> the answer was to get support from here.
>>>
>>> All datalinks:
>>> https://gwarband.de/openldap/dovecot.log
>>> https://gwarband.de/openldap/dovecot-ldap.conf
>>> https://gwarband.de/openldap/openldap.log
>>> https://gwarband.de/openldap/trace.dump
>>>
>>> The bug report link from openldap:
>>> http://www.openldap.org/its/index.cgi/Incoming?id=8615
>>>
>>> I hope you can help me.
>>>
>>> Regards.
>>> Tobias Warband

-- 
toCc.cz


Re: dovecot problem with ssl

2017-03-18 Thread Christian Kivalo



On 2017-03-18 07:19, Nilton Jose Rizzo wrote:

> Em Fri, 17 Mar 2017 22:35:40 -0300, Nilton Jose Rizzo escreveu
>
> > Em Thu, 16 Mar 2017 23:06:08 -0700, Doug Barton escreveu
> > > On 03/17/2017 01:21 AM, Nilton Jose Rizzo wrote:
> > > >
> > > >   Hi all,
> > > >
> > > >  I already searched for this error on google and found nothing.
> > > >
> > > >  I never installed dovecot, this is the first time.
> > > >
> > > >  This error, I know, is too newbie and stupid, but I
> > > > checked more than twice.
> > > >
> > > > root@server:/usr/local/etc/dovecot # sievec /home3/virtual/default.sieve
> > > > doveconf: Fatal: Error in configuration file
> > > > /usr/local/etc/dovecot/conf.d/10-ssl.conf line 7: Unknown setting: ssl
> > > > root@server:/usr/local/etc/dovecot #
> > > >
> > > > I'm running a FreeBSD 12-current
> > >
> > > As someone else pointed out, that 7: means the error is on line 7 of
> > > the file.
> > >
> > > Go into dovecot's conf.d folder (in /usr/local/etc/) and do this:
> > >
> > > diff -u 10-ssl.conf.sample 10-ssl.conf
> > >
> > > If that doesn't clearly indicate the problem to you, post the
> > > results to the list.
> > >
> > > hope this helps,
> > >
> > > Doug
>
>   Sorry, I forgot the link to the tutorial
>
>  http://www.purplehat.org/?page_id=7
>
> root@server:/usr/local/etc/dovecot # head  10 conf.d/10-ssl.conf
> head: 10: No such file or directory
> ==> conf.d/10-ssl.conf <==
> ##
> ## SSL settings
> ##
>
> # SSL/TLS support: yes, no, required.
> #ssl = yes
> ssl=yes
>
> # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
> # dropping root privileges, so keep the key file unreadable by anyone but
>
> root@server:/usr/local/etc/dovecot #

Please post the output of doveconf -n

ssl = yes (or ssl=yes) is correct, so it should work. We need to know more
about your running dovecot configuration.


Btw: is dovecot running? Can you log in? From localhost and/or from a 
remote host? Over a secure connection?


--
 Christian Kivalo


Re: Dovecot can't connect to openldap over starttls

2017-03-18 Thread info

Hello,

I have also installed LE certs.
But nothing helps, I have double-checked all certs.

ldapsearch with -ZZ works, see:
https://gwarband.de/openldap/ldapsearch.log

I have also uploaded the TLSCACertificateFile, maybe I have a failure
in the merge of the two files:
https://gwarband.de/openldap/LetsEncrypt.crt

And also I have uploaded my complete openldap configuration:
https://gwarband.de/openldap/openldap.conf

All other components can work and communicate with my openldap server.
The components are postfix, openxchange, apache (phpldapadmin).

My installed software is:
Debian 8
OpenLDAP 2.4.40
Dovecot 2.2.13

I hope you can find the issue.

Thanks,
Tobias

Am 2017-03-17 22:48, schrieb Tomas Habarta:
> Hi,
>
> been running Dovecot 2.2.27 against OpenLDAP 2.4.40 normally over the
> unix socket on the same machine, but tried over inet with STARTTLS and
> it's working ok...
>
> I would suggest double-checking key/certs setup on OpenLDAP side; for
> the test I have used LE certs, utilizing following cn=config
> attributes:
>
> olcTLSCertificateKeyFile   contains private key
> olcTLSCertificateFile      contains certificate
> olcTLSCACertificateFile    contains both certs (DST Root CA X3
> and Let's Encrypt Authority X3)
>
> and used the same CA file in Dovecot's tls_ca_cert_file
>
> Is ldapsearch working ok (-ZZ) and only Dovecot has troubles or ... ?
>
> Hope that helps, good luck ;)
> Tomas
>
> On 03/17/2017 04:27 PM, i...@gwarband.de wrote:
>> Hello guys,
>>
>> actually I'm trying to configure dovecot to access openldap for
>> password checks.
>> My openldap only allows access over "secure ldap".
>> The dovecot can communicate with the openldap server but there is maybe
>> a failure in the SSL handshake.
>> Additional information you can find in the logs or in the dump below.
>> Also I have my ldap config from dovecot in the links below.
>>
>> I have already created a bug report in the system of openldap but
>> the answer was to get support from here.
>>
>> All datalinks:
>> https://gwarband.de/openldap/dovecot.log
>> https://gwarband.de/openldap/dovecot-ldap.conf
>> https://gwarband.de/openldap/openldap.log
>> https://gwarband.de/openldap/trace.dump
>>
>> The bug report link from openldap:
>> http://www.openldap.org/its/index.cgi/Incoming?id=8615
>>
>> I hope you can help me.
>>
>> Regards.
>> Tobias Warband
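Two things come up repeatedly in this thread: whether the CA file Tobias merged by hand (the DST Root CA X3 plus Let's Encrypt Authority X3 bundle handed to olcTLSCACertificateFile and tls_ca_cert_file) is well-formed, and whether the dovecot user can actually read the file. Both can be checked mechanically before the TLS handshake is debugged at all. The script below is an added example written for this editorial pass; it is not code from the list, from Dovecot or from OpenLDAP. It uses only the Python standard library, and the PEM bundles it checks are constructed stand-ins (a DER SEQUENCE holding INTEGER 1, not real certificates), so it exercises the PEM framing and the file mode bits, not the chain itself.

```python
"""Sanity checks for a hand-merged PEM CA bundle (added example, stdlib only)."""
import base64
import binascii
import os
import stat
import sys
import tempfile

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def der_sequence_ok(der):
    """True if `der` is exactly one DER SEQUENCE whose length field covers the
    whole buffer. An X.509 certificate is a SEQUENCE, so anything else means the
    base64 body was cut, padded or mangled while the files were merged."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        length, header = first, 2
    else:                                  # long-form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return header + length == len(der)


def _finish_block(body, lineno, problems):
    """Decode one PEM body; return 1 if it looks like a DER certificate, else 0."""
    try:
        der = base64.b64decode("".join(body), validate=True)
    except (binascii.Error, ValueError):
        problems.append(f"block ending at line {lineno}: body is not valid base64")
        return 0
    if not der_sequence_ok(der):
        problems.append(f"block ending at line {lineno}: decoded bytes are not one DER SEQUENCE")
        return 0
    return 1


def check_pem_bundle(text):
    """Walk the bundle line by line and report the usual hand-merge mistakes:
    END and BEGIN fused onto one line (first file lacked a trailing newline),
    a BEGIN without its END, and bodies that do not decode to a DER SEQUENCE."""
    problems, certs, body = [], 0, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if END in line and BEGIN in line:
            problems.append(f"line {lineno}: END and BEGIN markers fused; "
                            "put a newline between the merged files")
            if body is not None:
                certs += _finish_block(body, lineno, problems)
            body = []
        elif line == BEGIN:
            if body is not None:
                problems.append(f"line {lineno}: BEGIN inside an unterminated block")
            body = []
        elif line == END:
            if body is None:
                problems.append(f"line {lineno}: END without a matching BEGIN")
            else:
                certs += _finish_block(body, lineno, problems)
                body = None
        elif body is not None:
            body.append(line)          # text outside blocks (openssl -text dumps) is ignored
    if body is not None:
        problems.append("file ends inside an unterminated certificate block")
    return {"certs": certs, "problems": problems}


def readable_by(path, uid, gid):
    """Would a process running as uid/gid be able to read `path`? Mode bits only;
    POSIX ACLs and the permissions of parent directories are not considered."""
    st = os.stat(path)
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


# Constructed stand-in for a certificate body: the DER SEQUENCE { INTEGER 1 },
# base64 "MAMCAQE=". It is NOT a real X.509 certificate; only framing is checked.
FAKE_B64 = base64.b64encode(bytes.fromhex("3003020101")).decode()
GOOD_BUNDLE = f"{BEGIN}\n{FAKE_B64}\n{END}\n{BEGIN}\n{FAKE_B64}\n{END}\n"
# `cat a.crt b.crt` where a.crt had no trailing newline (constructed):
FUSED_BUNDLE = f"{BEGIN}\n{FAKE_B64}\n{END}{BEGIN}\n{FAKE_B64}\n{END}\n"
# second body lost its last byte in copy/paste; "MAMCAQ==" decodes to 4 bytes (constructed):
TRUNCATED_BUNDLE = f"{BEGIN}\n{FAKE_B64}\n{END}\n{BEGIN}\nMAMCAQ==\n{END}\n"


def readability_demo():
    """Create a 0600 temp file and test it as its owner and as a foreign uid/gid.
    Returns (owner_can_read, other_can_read); expected (True, False)."""
    fd, path = tempfile.mkstemp()       # mkstemp creates the file with mode 0600
    os.close(fd)
    try:
        me, other = (os.getuid(), os.getgid()), (os.getuid() + 1, os.getgid() + 1)
        return readable_by(path, *me), readable_by(path, *other)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for name, bundle in (("good", GOOD_BUNDLE), ("fused", FUSED_BUNDLE),
                         ("truncated", TRUNCATED_BUNDLE)):
        print(name, check_pem_bundle(bundle))
    if len(sys.argv) > 1:               # e.g. python3 check_ca.py /path/to/LetsEncrypt.pem
        with open(sys.argv[1]) as fh:
            print(sys.argv[1], check_pem_bundle(fh.read()))
```

Run with a path to check a real file; a clean two-certificate bundle of the kind Tomas describes should report two certs and no problems, and readable_by(path, uid, gid) with the uid/gid of the dovecot auth process answers the "may not have read access" question without guessing. This only catches the framing and permission mistakes a hand merge introduces; whether the chain itself verifies is still a job for openssl verify and ldapsearch -ZZ -d-1, as suggested above.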