Re: rawlog

2017-08-03 Thread Matt Bryant
Sigh ... one issue was a misconfig, I kinda forgot to add the script into the
imap service .. the other is I thought I had updated the dovecot
package but that was on another instance, so rawlog_dir wouldn't have been
in that version. Rats .. it's a shame there is no auto-create, though I
misread that one.

rgds

Matt
> Aki Tuomi 
> 4 August 2017 at 4:05 am
>
> Most common mistake with rawlogs is to assume that the target
> directory gets created. It doesn't.
>
> You need to make sure the target directory exists fully expanded, e.g.
> if you have target directory /tmp/rawlogs/%u, you need to create
> /tmp/rawlogs/victim and chmod it to 0777.
>
> Aki
> Alexander Dalloz 
> 4 August 2017 at 3:57 am
> Am 03.08.2017 um 01:04 schrieb Matt Bryant:
>> Hi,
>>
>> Trying to get rawlog working on dovecot 2.2.31 configured as per
>>
>> https://wiki2.dovecot.org/Debugging/Rawlog
>>
>> but
>>
>> a) it doesn't appear to be logging anything
>> b) rawlog_dir which is supposed to be v2.2.26+ seems nowhere in sight ..
>> in fact complains about unknown variable
>>
>> So does rawlog still do anything  Or am I missing something ...
>> config is below 
>>
>>
>> # 2.2.19: /etc/dovecot/dovecot.conf
>
> You run dovecot 2.2.19, not v2.2.26+.
>
> From where did you take that specific version? CentOS 7 ships dovecot
> 2.2.10. I can recommend the usage of the dovecot packages from the
> ghettoforge.org repository. Then you are current (2.2.31 actually).
>
>> # Pigeonhole version 0.4.9 (357ac0a0e68b+)
>> doveconf: Warning: service auth { client_limit=3 } is lower than
>> required under max. load (150032)
>> doveconf: Warning: service anvil { client_limit=22000 } is lower than
>> required under max. load (50027)
>> # OS: Linux 3.10.0-327.4.4.el7.x86_64 x86_64 CentOS Linux release
>> 7.2.1511 (Core)
>
> Please, keep your systems up to date! At least your kernel is terribly
> out of date.
>
> Regards
>
> Alexander
> Matt Bryant 
> 3 August 2017 at 9:04 am
> Hi,
>
> Trying to get rawlog working on dovecot 2.2.31 configured as per
>
> https://wiki2.dovecot.org/Debugging/Rawlog
>
> but
>
> a) it doesn't appear to be logging anything
> b) rawlog_dir which is supposed to be v2.2.26+ seems nowhere in sight ..
> in fact complains about unknown variable
>
> So does rawlog still do anything  Or am I missing something ...
> config is below 
>
>
> # 2.2.19: /etc/dovecot/dovecot.conf
> # Pigeonhole version 0.4.9 (357ac0a0e68b+)
> doveconf: Warning: service auth { client_limit=3 } is lower than
> required under max. load (150032)
> doveconf: Warning: service anvil { client_limit=22000 } is lower than
> required under max. load (50027)
> # OS: Linux 3.10.0-327.4.4.el7.x86_64 x86_64 CentOS Linux release
> 7.2.1511 (Core)
> auth_cache_negative_ttl = 2 mins
> auth_cache_size = 10 M
> auth_cache_ttl = 10 mins
> auth_master_user_separator = *
> auth_mechanisms = plain login
> auth_worker_max_count = 1
> default_client_limit = 5
> default_process_limit = 5
> disable_plaintext_auth = no
> doveadm_password = # hidden, use -P to show it
> imap_client_workarounds = delay-newmail tb-extra-mailbox-sep tb-lsub-flags
> imap_hibernate_timeout = 1 mins
> imap_idle_notify_interval = 1 mins
> login_greeting = IMAP/POP3 ready - dev-dh-ro-ms-001-b
> mail_attachment_dir = /var/lib/dovecot/attachments/%Ld
> mail_cache_min_mail_count = 5
> mail_plugins = " notify replication quota virtual"
> mailbox_list_index = yes
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope
> encoded-character vacation subaddress comparator-i;ascii-numeric
> relational regex imap4flags copy include variables body enotify
> environment mailbox date index ihave duplicate vacation-seconds spamtest
> spamtestplus editheader
> mbox_write_locks = fcntl
> mmap_disable = yes
> namespace {
> inbox = yes
> list = yes
> location =
> mailbox Archive {
> auto = create
> special_use = \Archive
> }
> mailbox Drafts {
> auto = create
> special_use = \Drafts
> }
> mailbox Sent {
> auto = create
> special_use = \Sent
> }
> mailbox Spam {
> auto = create
> special_use = \Junk
> }
> mailbox Trash {
> auto = create
> special_use = \Trash
> }
> prefix = INBOX/
> separator = /
> type = private
> }
> namespace {
> list = no
> location = virtual:/var/lib/dovecot/virtual:INDEXPVT=~/virtual
> prefix = virtual/
> separator = /
> type = private
> }
> passdb {
> args = /etc/dovecot/sql_users.conf
> driver = sql
> }
> plugin {
> mail_log_events = delete expunge
> mail_log_fields = uid box msgid size
> mail_replica = tcp:dev-ms-001-a:4000
> quota = dict:UserQuota::file:%h/dovecot-quota
> quota_rule2 = INBOX/Trash:storage=+10%%
> sieve = file:~/sieve/user;active=~/.dovecot.sieve
> sieve_default = file:/var/lib/dovecot/sieve/default.sieve
> sieve_default_name = default
> sieve_editheader_max_header_size = 1k
> sieve_extensions = +spamtest +spamtestplus +editheader +vacation-seconds
> si

Re: rawlog

2017-08-03 Thread Joseph Tam


Matt Bryant wrote:


a) it doesn't appear to be logging anything
b) rawlog_dir which is supposed to be v2.2.26+ seems nowhere in sight ..
in fact complains about unknown variable
...
service postlogin {
 executable = script-login -d rawlog
 unix_listener postlogin {
   group = atmail
   mode = 0660
 }
}


In my test setup, I use the first option

protocol imap {
...
rawlog_dir = /data/rawlogs/%u
}

You may also want it in your protocol pop3 section.

Joseph Tam 


Re: Doveadm-sync SSH practicalities

2017-08-03 Thread Joseph Tam

Terry Jones wrote:


The documentation is somewhat silent on this subject.


If you mean https://wiki.dovecot.org/Tools/Doveadm/Sync the answers seem
implicit in what's been stated.


What permissions does the SSH user need ?


To be able to run the doveadm executable (or a wrapper script that eventually
runs doveadm) on the remote side.


How associated does it need to be with things like dovecot directory
ownership etc ?


It will take uid/gid directly from the login privileges unless you use
a wrapper script that changes UID/GID.  This may be necessary if you
use remote-prefix option for remapping virtual users and user@domain to
another UID/GID.


Obviously my dovecot daemon processes are running as restricted users
with "nologin" shells etc.,  and I don't really want to go opening
them up if I don't have to.


It doesn't seem possible: you'll need to be able to set up the other
endpoint of communication.  You may be able to lock down the shell
by replacing it with a fixed doveadm and arguments, or perhaps by fiddling
with keys and the forced command feature of ssh, after working out the
security issues.

Depending on your use-case, you might be better off using one of the other
transport methods.  Do you actually need per-user syncing?

Joseph Tam 
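The "forced command feature of ssh" route Joseph mentions, worked through as an added example (not from the thread or from Dovecot): a wrapper installed as the key's forced command that accepts exactly one remote command shape and refuses everything else, so the sync key cannot be used to get a shell even though the account technically has one. The wrapper path /usr/local/sbin/dsync-only, the use of logger, and the remote command form `doveadm dsync-server -u <user>` are assumptions; confirm the command your doveadm version sends by logging SSH_ORIGINAL_COMMAND once and widen the pattern only as far as that output requires.

```shell
#!/bin/sh
# dsync-only: forced-command wrapper for the SSH account that doveadm sync
# connects to. Added example for this thread, not Dovecot's own code.
#
# Assumed authorized_keys line on the remote host (one key per peer):
#   command="/usr/local/sbin/dsync-only",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-ed25519 AAAA... dsync@peer1
#
# Assumption: the remote command doveadm sync sends is
#   doveadm dsync-server -u <user>

DOVEADM=${DOVEADM:-/usr/bin/doveadm}
PREFIX="doveadm dsync-server -u "

# dsync_cmd_allowed CMD -> 0 if CMD is exactly a dsync-server call for one
# plausible user name, 1 otherwise. The string is matched, never evaluated.
dsync_cmd_allowed() {
    case $1 in
        "$PREFIX"*) ;;
        *) return 1 ;;
    esac
    user=${1#"$PREFIX"}
    case $user in
        # empty, shell metacharacters, whitespace, or a leading dot: refuse
        "" | *[!A-Za-z0-9._@-]* | .* ) return 1 ;;
    esac
    return 0
}

# dsync_cmd_user CMD -> prints the user name carried by an allowed CMD.
dsync_cmd_user() {
    printf '%s\n' "${1#"$PREFIX"}"
}

# Entry point when sshd runs the wrapper: refuse anything but dsync-server and
# re-issue the command ourselves, so the client never gets a shell.
main() {
    cmd=${SSH_ORIGINAL_COMMAND-}
    if ! dsync_cmd_allowed "$cmd"; then
        logger -t dsync-only "rejected from ${SSH_CLIENT%% *}: $cmd"
        printf 'this key is restricted to doveadm dsync-server\n' >&2
        exit 1
    fi
    exec "$DOVEADM" dsync-server -u "$(dsync_cmd_user "$cmd")"
}

# Only act as the wrapper when installed under that name; sourcing the file
# elsewhere leaves the functions defined without running main.
case ${0##*/} in
    dsync-only) main ;;
esac
```

The wrapper deliberately re-issues the doveadm command from its own arguments instead of running SSH_ORIGINAL_COMMAND, and the authorized_keys options disable forwarding and the pty; with one key per peer you can additionally pin each key to the user names that peer is allowed to sync.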


Re: rawlog

2017-08-03 Thread Aki Tuomi

> On August 3, 2017 at 8:57 PM Alexander Dalloz  wrote:
> 
> 
> Am 03.08.2017 um 01:04 schrieb Matt Bryant:
> > Hi,
> > 
> > Trying to get rawlog working on dovecot 2.2.31 configured as per
> > 
> > https://wiki2.dovecot.org/Debugging/Rawlog
> > 
> > but
> > 
> > a) it doesn't appear to be logging anything
> > b) rawlog_dir which is supposed to be v2.2.26+ seems nowhere in sight ..
> > in fact complains about unknown variable
> > 
> > So does rawlog still do anything  Or am I missing something ...
> > config is below 
> > 
> > 
> > # 2.2.19: /etc/dovecot/dovecot.conf
> 
> You run dovecot 2.2.19, not v2.2.26+.
> 
>  From where did you take that specific version? CentOS 7 ships dovecot 
> 2.2.10. I can recommend the usage of the dovecot packages from the 
> ghettoforge.org repository. Then you are current (2.2.31 actually).
> 
> > # Pigeonhole version 0.4.9 (357ac0a0e68b+)
> > doveconf: Warning: service auth { client_limit=3 } is lower than
> > required under max. load (150032)
> > doveconf: Warning: service anvil { client_limit=22000 } is lower than
> > required under max. load (50027)
> > # OS: Linux 3.10.0-327.4.4.el7.x86_64 x86_64 CentOS Linux release
> > 7.2.1511 (Core)
> 
> Please, keep your systems up to date! At least your kernel is terribly 
> out of date.
> 
> Regards
> 
> Alexander

Most common mistake with rawlogs is to assume that the target directory gets 
created. It doesn't.

You need to make sure the target directory exists fully expanded, e.g. if you 
have target directory /tmp/rawlogs/%u, you need to create /tmp/rawlogs/victim 
and chmod it to 0777.

Aki
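Joseph's `rawlog_dir = /data/rawlogs/%u` and Aki's point that the expanded directory must already exist, put together as an added example (not from the thread or from Dovecot): a helper that expands %u, creates the directory and checks its mode. Aki's chmod 0777 is the setting that works whatever uid the imap process ends up with; the default here is 0700 on the assumption that all sessions run under one system uid (pass that uid as OWNER when running as root), because a rawlog holds the entire post-login session, and a world-writable directory under /tmp also lets any local user plant files or symlinks at the expanded path. Only %u is expanded, since the templates in the thread use nothing else.

```shell
#!/bin/sh
# Pre-creating expanded rawlog_dir targets. Added example for this thread,
# not Dovecot's own tooling. Extend the sed expression if your template
# uses %d, %n or other variables.

# ensure_rawlog_dir TEMPLATE USER [MODE] [OWNER]
# Expands %u in TEMPLATE, creates the directory if missing and prints its path.
# Default mode 0700: keep the log readable by the writing process only.
# OWNER (assumed to be the mail uid) is applied only when run as root.
ensure_rawlog_dir() {
    template=$1 user=$2 mode=${3:-0700} owner=${4:-}
    # the login name becomes a path component: refuse anything that could escape
    case $user in
        "" | *[!A-Za-z0-9._@-]* | .* ) printf 'refusing user %s\n' "$user" >&2; return 1 ;;
    esac
    dir=$(printf '%s\n' "$template" | sed "s/%u/$user/g")
    # never follow a symlink planted at the expanded path (relevant under /tmp)
    if [ -L "$dir" ]; then printf '%s is a symlink\n' "$dir" >&2; return 1; fi
    mkdir -p -m "$mode" "$dir" || return 1
    if [ -n "$owner" ] && [ "$(id -u)" = 0 ]; then chown "$owner" "$dir" || return 1; fi
    printf '%s\n' "$dir"
}

# rawlog_dir_world_writable DIR -> 0 if DIR has the o+w bit (the 0777 case),
# 1 otherwise; useful as a check before leaving a rawlog_dir in production.
rawlog_dir_world_writable() {
    [ -n "$(find "$1" -prune -perm -0002 -print)" ]
}

# usage: ensure_rawlog_dir /data/rawlogs/%u victim 0700 vmail
```

Run it once per user you are debugging, and remove rawlog_dir from the protocol block again afterwards; the directory keeps filling with complete sessions for as long as the setting stays.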


Re: rawlog

2017-08-03 Thread Alexander Dalloz

Am 03.08.2017 um 01:04 schrieb Matt Bryant:

Hi,

Trying to get rawlog working on dovecot 2.2.31 configured as per

https://wiki2.dovecot.org/Debugging/Rawlog

but

a) it doesn't appear to be logging anything
b) rawlog_dir which is supposed to be v2.2.26+ seems nowhere in sight ..
in fact complains about unknown variable

So does rawlog still do anything  Or am I missing something ...
config is below 


# 2.2.19: /etc/dovecot/dovecot.conf


You run dovecot 2.2.19, not v2.2.26+.

From where did you take that specific version? CentOS 7 ships dovecot 
2.2.10. I can recommend the usage of the dovecot packages from the 
ghettoforge.org repository. Then you are current (2.2.31 actually).



# Pigeonhole version 0.4.9 (357ac0a0e68b+)
doveconf: Warning: service auth { client_limit=3 } is lower than
required under max. load (150032)
doveconf: Warning: service anvil { client_limit=22000 } is lower than
required under max. load (50027)
# OS: Linux 3.10.0-327.4.4.el7.x86_64 x86_64 CentOS Linux release
7.2.1511 (Core)


Please, keep your systems up to date! At least your kernel is terribly 
out of date.


Regards

Alexander


Re: proxy-dict with tcp connection

2017-08-03 Thread Aki Tuomi

> On August 3, 2017 at 2:10 PM Ralf Becker  wrote:
> 
> 
> I try to create a patch to allow (proxy-)dict to use tcp connections
> instead of a unix domain socket.
> 
> I'm replacing connection_init_client_unix with connection_init_client_ip:
> 
> --- ./src/lib-dict/dict-client.c.orig
> +++ ./src/lib-dict/dict-client.c
> @@ -721,6 +721,10 @@ client_dict_init(struct dict *driver, const char *uri,
>  struct ioloop *old_ioloop = current_ioloop;
>  struct client_dict *dict;
>  const char *p, *dest_uri, *path;
> +const char *const *args;
> +unsigned int argc;
> +struct ip_addr ip;
> +in_port_t port=0;
>  unsigned int idle_msecs = DICT_CLIENT_DEFAULT_TIMEOUT_MSECS;
>  unsigned int warn_slow_msecs = DICT_CLIENT_DEFAULT_WARN_SLOW_MSECS;
> 
> @@ -772,7 +776,21 @@ client_dict_init(struct dict *driver, const char *uri,
>  dict->warn_slow_msecs = warn_slow_msecs;
>  i_array_init(&dict->cmds, 32);
> 
> -if (uri[0] == ':') {
> +args = t_strsplit(uri, ":");
> +for(argc=0; args[argc] != NULL; argc++);
> +
> +if (argc == 3) {/* host:ip:somewhere --> argc == 3 */
> +if (net_addr2ip(args[0], &ip) < 0) {
> +*error_r = t_strdup_printf("Invalid IP: %s in URI: %s",
> args[0], uri);
> +return -1;
> +}
> +if (net_str2port(args[1], &port) < 0) {
> +*error_r = t_strdup_printf("Invalid port: %s in URI: %s",
> args[1], uri);
> +return -1;
> +}
> +dest_uri = strrchr(uri, ':');
> +} else if (uri[0] == ':') {
>  /* default path */
>  path = t_strconcat(set->base_dir,
>  "/"DEFAULT_DICT_SERVER_SOCKET_FNAME, NULL);
> @@ -784,7 +802,13 @@ client_dict_init(struct dict *driver, const char *uri,
>  path = t_strconcat(set->base_dir, "/",
>  t_strdup_until(uri, dest_uri), NULL);
>  }
> -connection_init_client_unix(dict_connections, &dict->conn.conn, path);
> +if (port > 0) {
> +connection_init_client_ip(dict_connections, &dict->conn.conn,
> &ip, port);
> +} else {
> +connection_init_client_unix(dict_connections, &dict->conn.conn,
> path);
> +}
>  dict->uri = i_strdup(dest_uri + 1);
> 
>  dict->ioloop = io_loop_create();
> 
> But unfortunately this crashes:
> 
> Jul 28 13:20:04 auth: Error: auth worker: Aborted PASSL request for
> i...@outdoor-training.de: Worker process died unexpectedly
> Jul 28 13:20:04 auth-worker(705): Fatal: master: service(auth-worker):
> child 705 killed with signal 11 (core dumped)
> Jul 28 13:20:04 doveadm(10.44.88.1,i...@outdoor-training.de): Error:
> user i...@outdoor-training.de: Auth PASS lookup failed
> 
> It looks like the tcp connection gets opened non-blocking and the first
> write / dict lookup happens too early:
> 
> 4303041 13:44:25.120398220 0 auth (29884) < connect
> res=-115(EINPROGRESS) tuple=172.18.0.2:47552->10.44.99.180:2001
> 
> Looking at dict-memcached-ascii.c I probably need to do something like:
> 
> i_array_init(&dict->input_states, 4);
> i_array_init(&dict->replies, 4);
> 
> dict->ioloop = io_loop_create();
> io_loop_set_current(old_ioloop);
> *dict_r = &dict->dict;
> 
> to wait until the socket is ready ...
> 
> Any idea / tips?
> 
> Ralf

It's probably cleaner to make a "proxy-tcp" driver so parsing all the funny 
things gets easier. Also it will require some restructuring in the 
client_dict_connect code.

Aki


Re: pam auth problem

2017-08-03 Thread Randy Bush
>> # cat /etc/pam.d/dovecot
>> passdb {
>>  driver = pam
>>  # args = failure_show_msg=yes
>>  # args = max_requests=12
>>  args = %s
>> }
> 
> this info belongs into Dovecot's conf files, not into /etc/pam.d.

doh.  i misread the wiki page.  thanks.

> copy or link /etc/pam.d/imap to /etc/pam.d/dovecot

that seems to have helped a lot!

thank you

randy


Re: pam auth problem

2017-08-03 Thread Steffen Kaiser


On Thu, 3 Aug 2017, Randy Bush wrote:


# cat /etc/pam.d/dovecot
passdb {
 driver = pam
 # args = failure_show_msg=yes
 # args = max_requests=12
 args = %s
}


this info belongs into Dovecot's conf files, not into /etc/pam.d.


and /etc/pam.d/{imap,pop3} were untouched; both as follows

#
# $FreeBSD: releng/10.3/etc/pam.d/pop3 170771 2007-06-15 11:33:13Z yar $
#
# PAM configuration for the "pop3" service
#

# auth
#auth   sufficient  pam_krb5.so no_warn try_first_pass
#auth   sufficient  pam_ssh.so  no_warn try_first_pass
authrequiredpam_unix.so no_warn try_first_pass

# account
#accountrequiredpam_nologin.so
account requiredpam_unix.so


copy or link /etc/pam.d/imap to /etc/pam.d/dovecot

-- 
Steffen Kaiser



Re: pam auth problem

2017-08-03 Thread Randy Bush
> do you have a /etc/pam.d/dovecot file, does it define all necessary
> settings?

probably not, as i do not know what the necessary ones are :)

i did as best i could using
https://wiki.dovecot.org/PasswordDatabase/PAM as guidance

randy


Re: pam auth problem

2017-08-03 Thread Randy Bush
> What is in the pam.d/dovecot file? (Remember to strip passwords if
> included)

# cat /etc/pam.d/dovecot
passdb {
  driver = pam
  # args = failure_show_msg=yes
  # args = max_requests=12
  args = %s
}

and /etc/pam.d/{imap,pop3} were untouched; both as follows

#
# $FreeBSD: releng/10.3/etc/pam.d/pop3 170771 2007-06-15 11:33:13Z yar $
#
# PAM configuration for the "pop3" service
#

# auth
#auth   sufficient  pam_krb5.so no_warn try_first_pass
#auth   sufficient  pam_ssh.so  no_warn try_first_pass
authrequiredpam_unix.so no_warn try_first_pass

# account
#accountrequiredpam_nologin.so
account requiredpam_unix.so


Re: pam auth problem

2017-08-03 Thread Steffen Kaiser


On Thu, 3 Aug 2017, Randy Bush wrote:


Date: Thu, 03 Aug 2017 22:08:22 +0900
From: Randy Bush 
To: Remko Lodder 
Cc: Christian Kivalo , dovecot@dovecot.org
Subject: Re: pam auth problem


auth: in openpam_parse_chain(): /etc/pam.d/dovecot(1): missing or invalid 
facility


I do not think that it has something to do with the dovecot settings
itself but perhaps with the pam facility settings instead?


i can believe that.  any clues to debug?


do you have a /etc/pam.d/dovecot file, does it define all necessary 
settings?


-- 
Steffen Kaiser



Re: pam auth problem

2017-08-03 Thread Remko Lodder
What is in the pam.d/dovecot file? (Remember to strip passwords if included)

Cheers,

Remko Lodder
 /* sent from my phone and thus brief and to the point *\

Op 3 aug. 2017 om 15:08 heeft Randy Bush  het volgende 
geschreven:

>>> auth: in openpam_parse_chain(): /etc/pam.d/dovecot(1): missing or invalid 
>>> facility
>> 
>> I do not think that it has something to do with the dovecot settings
>> itself but perhaps with the pam facility settings instead?
> 
> i can believe that.  any clues to debug?
> 
> randy


Re: Auth Policy Server/wforce/weakforced

2017-08-03 Thread Teemu Huovila


On 02.08.2017 23:35, Daniel Miller wrote:
> Is there explicit documentation available for the (probably trivial) 
> configuration needed for Dovecot and Wforce?  I'm probably missing something 
> that should be perfectly obvious...
> 
> Wforce appears to start without errors.  I added a file to dovecot's conf.d:
> 
> 95-policy.conf:
> auth_policy_server_url = http://localhost:8084/
> auth_policy_hash_nonce = this_is_my_super_secret_something
> 
> Looking at the Wforce console I see:
> 
> WforceWebserver: HTTP Request "/" from 127.0.0.1:45108: Web Authentication 
> failed
> 
> In wforce.conf I have the (default):
> 
> webserver("0.0.0.0:8084", "--WEBPWD")
> 
> Do I need to change the "--WEBPWD"?  Do I need to specify something in the 
> Dovecot config? 
You could try putting an actual password, in plain text, where --WEBPWD is. 
Then add that base64 encoded to the dovecot setting auth_policy_server_api_header.

hope this helps,
Teemu
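Teemu's two steps, worked through as an added example (not from the thread, not weakforced's or Dovecot's own code): the password from the webserver() call in wforce.conf becomes an HTTP Basic header in auth_policy_server_api_header. The assumption here is that wforce's web server authenticates Basic credentials with user name "wforce" and that password (check the weakforced documentation for your version); the nonce is generated locally and, per Dovecot's setting description, has to be the same on every Dovecot host reporting to the same wforce instance.

```shell
#!/bin/sh
# Pair a wforce webserver() password with Dovecot's auth policy settings.
# Added example for this thread, not code from either project.
# Assumption: wforce expects "Authorization: Basic base64(wforce:<password>)".

# wforce_api_header PASSWORD -> prints the auth_policy_server_api_header value
wforce_api_header() {
    printf 'Authorization: Basic %s' "$(printf 'wforce:%s' "$1" | base64 | tr -d '\n')"
}

# policy_conf PASSWORD [URL] -> prints the matching wforce.conf line and the
# Dovecot 95-policy.conf block. Basic auth is only base64, so the listener is
# bound to loopback here instead of 0.0.0.0; put TLS or a private network in
# front of it before pointing a remote Dovecot at it.
policy_conf() {
    pw=$1 url=${2:-http://localhost:8084/}
    printf '# wforce.conf\nwebserver("127.0.0.1:8084", "%s")\n\n' "$pw"
    printf '# 95-policy.conf\nauth_policy_server_url = %s\n' "$url"
    printf 'auth_policy_hash_nonce = %s\n' \
        "$(dd if=/dev/urandom bs=16 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')"
    printf 'auth_policy_server_api_header = %s\n' "$(wforce_api_header "$pw")"
}

# usage: policy_conf 'a-long-random-password' http://localhost:8084/
```

The "Web Authentication failed" line in the wforce console is exactly the symptom of a missing or mismatched header; after changing the password, restart wforce and reload Dovecot so both sides read the new value.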


Re: pam auth problem

2017-08-03 Thread Randy Bush
>> auth: in openpam_parse_chain(): /etc/pam.d/dovecot(1): missing or invalid 
>> facility
> 
> I do not think that it has something to do with the dovecot settings
> itself but perhaps with the pam facility settings instead?

i can believe that.  any clues to debug?

randy


proxy-dict with tcp connection

2017-08-03 Thread Ralf Becker
I try to create a patch to allow (proxy-)dict to use tcp connections
instead of a unix domain socket.

I'm replacing connection_init_client_unix with connection_init_client_ip:

--- ./src/lib-dict/dict-client.c.orig
+++ ./src/lib-dict/dict-client.c
@@ -721,6 +721,10 @@ client_dict_init(struct dict *driver, const char *uri,
 struct ioloop *old_ioloop = current_ioloop;
 struct client_dict *dict;
 const char *p, *dest_uri, *path;
+const char *const *args;
+unsigned int argc;
+struct ip_addr ip;
+in_port_t port=0;
 unsigned int idle_msecs = DICT_CLIENT_DEFAULT_TIMEOUT_MSECS;
 unsigned int warn_slow_msecs = DICT_CLIENT_DEFAULT_WARN_SLOW_MSECS;

@@ -772,7 +776,21 @@ client_dict_init(struct dict *driver, const char *uri,
 dict->warn_slow_msecs = warn_slow_msecs;
 i_array_init(&dict->cmds, 32);

-if (uri[0] == ':') {
+args = t_strsplit(uri, ":");
+for(argc=0; args[argc] != NULL; argc++);
+
+if (argc == 3) {/* host:ip:somewhere --> argc == 3 */
+if (net_addr2ip(args[0], &ip) < 0) {
+*error_r = t_strdup_printf("Invalid IP: %s in URI: %s",
args[0], uri);
+return -1;
+}
+if (net_str2port(args[1], &port) < 0) {
+*error_r = t_strdup_printf("Invalid port: %s in URI: %s",
args[1], uri);
+return -1;
+}
+dest_uri = strrchr(uri, ':');
+} else if (uri[0] == ':') {
 /* default path */
 path = t_strconcat(set->base_dir,
 "/"DEFAULT_DICT_SERVER_SOCKET_FNAME, NULL);
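Review bot: the URI parsing in this hunk is fragile: the comment says `host:ip:somewhere` while args[0] is parsed as the IP and args[1] as the port, and deciding on `argc == 3` alone means an existing unix-socket URI whose path contains a colon now fails in net_addr2ip() instead of reaching the old `uri[0] == ':'` and path branches, while an IPv6 literal such as `::1` splits into more than three pieces and can never match. net_str2port() also accepts 0, and with `port` still 0 the later `if (port > 0)` test sends the request down the unix branch with `path` unassigned. Suggest a distinct prefix for the TCP form (Aki's "proxy-tcp" driver), a `[addr]:port` form for IPv6, and an explicit `port == 0` rejection next to the net_str2port() check.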
@@ -784,7 +802,13 @@ client_dict_init(struct dict *driver, const char *uri,
 path = t_strconcat(set->base_dir, "/",
 t_strdup_until(uri, dest_uri), NULL);
 }
-connection_init_client_unix(dict_connections, &dict->conn.conn, path);
+if (port > 0) {
+connection_init_client_ip(dict_connections, &dict->conn.conn,
&ip, port);
+} else {
+connection_init_client_unix(dict_connections, &dict->conn.conn,
path);
+}
 dict->uri = i_strdup(dest_uri + 1);

 dict->ioloop = io_loop_create();
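Review bot: replacing connection_init_client_unix() with connection_init_client_ip() here leaves the rest of client_dict's connect path unchanged, and that path treats the socket as usable immediately; for a TCP peer connect() returns EINPROGRESS (the trace below shows exactly that), so the first dict command goes out before the connection is established, which is what Aki's remark about restructuring client_dict_connect refers to: the first write has to wait for the connection API's connected callback. Two smaller points: `path` is uninitialized on the TCP branch and only the `port > 0` test keeps it from being passed to connection_init_client_unix(), so initialize it to NULL; and the unix socket under set->base_dir was protected by filesystem permissions, which the TCP form is not, so the change should document that the dict server must be reachable only from trusted hosts.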

But unfortunately this crashes:

Jul 28 13:20:04 auth: Error: auth worker: Aborted PASSL request for
i...@outdoor-training.de: Worker process died unexpectedly
Jul 28 13:20:04 auth-worker(705): Fatal: master: service(auth-worker):
child 705 killed with signal 11 (core dumped)
Jul 28 13:20:04 doveadm(10.44.88.1,i...@outdoor-training.de): Error:
user i...@outdoor-training.de: Auth PASS lookup failed

It looks like the tcp connection gets opened non-blocking and the first
write / dict lookup happens too early:

4303041 13:44:25.120398220 0 auth (29884) < connect
res=-115(EINPROGRESS) tuple=172.18.0.2:47552->10.44.99.180:2001

Looking at dict-memcached-ascii.c I probably need to do something like:

i_array_init(&dict->input_states, 4);
i_array_init(&dict->replies, 4);

dict->ioloop = io_loop_create();
io_loop_set_current(old_ioloop);
*dict_r = &dict->dict;

to wait until the socket is ready ...

Any idea / tips?

Ralf
-- 
Ralf Becker
EGroupware GmbH [www.egroupware.org]
Handelsregister HRB Kaiserslautern 3587
Geschäftsführer Birgit und Ralf Becker
Leibnizstr. 17, 67663 Kaiserslautern, Germany
Telefon +49 631 31657-0


--- ./src/lib-dict/dict-client.c.orig
+++ ./src/lib-dict/dict-client.c
@@ -721,6 +721,10 @@ client_dict_init(struct dict *driver, const char *uri,
struct ioloop *old_ioloop = current_ioloop;
struct client_dict *dict;
const char *p, *dest_uri, *path;
+   const char *const *args;
+   unsigned int argc;
+   struct ip_addr ip;
+   in_port_t port=0;
unsigned int idle_msecs = DICT_CLIENT_DEFAULT_TIMEOUT_MSECS;
unsigned int warn_slow_msecs = DICT_CLIENT_DEFAULT_WARN_SLOW_MSECS;

@@ -772,7 +776,21 @@ client_dict_init(struct dict *driver, const char *uri,
dict->warn_slow_msecs = warn_slow_msecs;
i_array_init(&dict->cmds, 32);

-   if (uri[0] == ':') {
+   args = t_strsplit(uri, ":");
+   for(argc=0; args[argc] != NULL; argc++);
+
+   if (argc == 3) {/* host:ip:somewhere --> argc == 3 */
+   if (net_addr2ip(args[0], &ip) < 0) {
+   *error_r = t_strdup_printf("Invalid IP: %s in URI: %s", 
args[0], uri);
+   return -1;
+   }
+   if (net_str2port(args[1], &port) < 0) {
+   *error_r = t_strdup_printf("Invalid port: %s in URI: 
%s", args[1], uri);
+   return -1;
+   }
+   dest_uri = strrchr(uri, ':');
+   i_warning("using TCP URI: %s with %d args", uri, argc);
+   } else if (uri[0] == ':') {
/* default path */
path = t_strconcat(set->base_dir,
"/"DEFAULT_DICT_SERVER_SOCKET_FNAME, NULL);
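Review bot: the `i_warning("using TCP URI: %s with %d args", uri, argc);` added in this copy of the hunk is a debug trace at warning level that fires on every dict init; drop it before submitting or make it i_debug(), and the format should be `%u` since argc is declared `unsigned int`. The parsing concerns of the version in the message body apply unchanged: the comment says `host:ip:somewhere` while args[0] is parsed as the IP, and a colon in a unix-socket path or an IPv6 literal defeats the `argc == 3` test.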
@@ -784,7 +802,13 @@ client_dict_init(struct dict *driver, const char *uri,
path = t_strconcat(set->base_dir, "/",
   

Replication and public folders with private (seen) flags

2017-08-03 Thread Ralf Becker
We started using Dovecot replication between two nodes and noticed that
our configured private flags (INDEXPVT) in public/shared mailboxes are
not replicated. We are only replicating INBOX namespace, as we don't want
to replicate content of shared mailboxes for every user again.

Is there a way to replicate the INDEXPVT or is that not (yet) implemented?

Dovecot versions:

# 2.2.31 (65cde28): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.19 (e5c7051)
# OS: Linux 4.4.0-87-generic x86_64

Using following namespaces:

namespace inboxes {
  inbox = yes
  location =
  mailbox Drafts {
auto = subscribe
special_use = \Drafts
  }
  mailbox Junk {
auto = subscribe
special_use = \Junk
  }
  mailbox Sent {
auto = subscribe
special_use = \Sent
  }
  mailbox Templates {
auto = subscribe
  }
  mailbox Trash {
auto = subscribe
special_use = \Trash
  }
  prefix = INBOX/
  separator = /
  subscriptions = no
}
namespace subs {
  hidden = yes
  list = no
  location =
  prefix =
  separator = /
}
namespace users {
  location = mdbox:%%h/mdbox:INDEXPVT=~/shared/%%u
  prefix = user/%%n/
  separator = /
  subscriptions = no
  type = shared
}

And the following replication config:

root@ka-nfs-mail:~# cat /etc/dovecot/replication.conf
service aggregator {
  fifo_listener replication-notify-fifo {
user = dovecot
  }
  unix_listener replication-notify {
user = dovecot
  }
}

service replicator {
  process_min_avail = 1
  unix_listener replicator-doveadm {
group = dovecot
user = dovecot
mode = 0660
  }
}

service doveadm {
  inet_listener {
port = 12345
#ssl = yes
  }
}

doveadm_port = 12345
doveadm_password = ***

plugin {
  #mail_replica = tcp:10.44.99.1 # use doveadm_port
  mail_replica = tcp:10.44.88.1 # use doveadm_port
}

replication_dsync_parameters = -d -n INBOX -l 30 -U

-- 
Ralf Becker






Re: pam auth problem

2017-08-03 Thread Remko Lodder

Hi Randy,

> On 3 Aug 2017, at 08:50, Randy Bush  wrote:
> 
> auth: in openpam_parse_chain(): /etc/pam.d/dovecot(1): missing or invalid 
> facility

I do not think that it has something to do with the dovecot settings itself but 
perhaps with the pam facility settings instead?

Cheers
Remko

