RE: Mixed Authentication and password schemes

2017-08-31 Thread Raymond Sellars
Thanks

-Original Message-
From: Aki Tuomi [mailto:aki.tu...@dovecot.fi] 
Sent: Friday, 1 September 2017 2:15 AM
To: dovecot@dovecot.org; Raymond Sellars
Subject: Re: Mixed Authentication and password schemes


> The above note suggests I can't use DIGEST-MD5 with master password 
> configuration, if using more than one passdb setup. I don't understand why 
> there would be a restriction as the password validation should just fall 
> through irrespective.
> 

Because CRAM-MD5 is bothersome. Do you really need it? It's not really 
necessary with SSL.

[Raymond] Unfortunately yes, part of the ONC 2015 Edition requirements. As you 
say, it's not really needed, more one of those tick-the-compliance-boxes things.

> Problem #2 How do I enforce some kind of account access policy
> 
> As a worst case does Dovecot implement any type of account access policies? 
> Our IT security reviewers are hot on account policies, i.e. lockouts, 
> expiries, and back off attempts.
> 

You can use https://wiki2.dovecot.org/Authentication/Policy to implement 
complex requirements.

Other than that, Dovecot will deter brute force on its own to some degree.

[Raymond] Thanks, I'll need to upgrade, but this definitely addresses the 
requirement.

> Thanks
> Raymond
> Solution Architect - Orion Health

Aki Tuomi
Dovecot Oy


Re: General IMAP question

2017-08-31 Thread Joseph Tam

"Scott Techlist"  writes:


Currently my POP users have a max mbox size but that is how much it
will store before they "come get it".  I ensure they have at least one
device set to delete from the server periodically (i.e.  1 week).  So
users with multiple devices get their mail duplicated on their devices
and at least one device keeps the server emptied so their mbox does
not hit any limits.


Traditionally, POP was a store and forward protocol.  The client would
download all the messages in INBOX, then empty the mailbox.  Nowadays,
many POP users configure their clients in "Leave on server" mode, which
essentially accumulates mail on the server.  The client may or may not also
keep a cached copy.


As I understand it, when using IMAP, the user's messages are
perpetually stored on the server.


IMAP is oriented as a remote mail service (the client fetches and manipulates
mail data on a remote server), so yes, messages are meant to remain on
the server until deleted.  There are probably some clients that cache
local copies, but the remote server is considered canonical, so that
local copies are deleted if the remote copies disappear.


How do others deal with this? Am I misunderstanding something? As
popular as it seems to be, these seem like big hurdles to overcome.
Appreciate some help for an IMAP noob.


What problem are you trying to solve?  Is there a particularly compelling
reason for you to move to IMAP (if not, stay with POP3)?  You want to
curtail space usage by users?  You want to force users to retain client
side copies of the messages?

(Mind you, you could still have the same problem with POP -- there's
nothing you can do to force the client to download/delete messages.
Whether you use IMAP or POP3, you'll probably need some client side
set up.)

Joseph Tam 


RE: Iterate All Dovecot Users !

2017-08-31 Thread Nick Lekkas
Hi Thomas!

So simple, but you saved my ass.
And yes, it works!

Thanks a lot! Really! I appreciate it!

Thanks

Nick

-Original Message-
From: Thomas Reifferscheid [mailto:tho...@reifferscheid.org]
Sent: Thursday, August 31, 2017 10:49 PM
To: nlek...@gmail.com
Subject: Re: Iterate All Dovecot Users !



On 31.08.2017 at 18:18, Nick Lekkas wrote:
> Hello to all !
>  
> I am trying to write a script that iterates all users that are created in
> dovecot and postfix.
> Is there any way?
>  

Hi Nick

for user in $(doveadm user -u '*'); do echo $user; done

Thomas



Re: Hide public mailboxes from some users

2017-08-31 Thread Arie Peterson
Perhaps my previous email was a bit long. Let me start with a single question.

Is a user without the "lookup" ACL right to a given mailbox supposed to be 
able to see the mailbox listed in their email client?


Re: Iterate All Dovecot Users !

2017-08-31 Thread Arie Peterson
Nick Lekkas wrote:
> I am trying to write a script that iterates all users that are created in
> dovecot and postfix.
> Is there any way?

You could try `doveadm user '*'`.


Re: General IMAP question

2017-08-31 Thread KSB

On 2017.08.31. 22:42, Scott Techlist wrote:

My server is a limited space mailserver set up to filter spam.  Most of its 
mail is passed on to an Exchange server so it is not stored locally.  I have a 
handful of POP accounts that are stored locally.  For years I've used mbox type 
mailboxes that I'm familiar with and can access on the server when needed using 
the old mailx program.  They use a variety of clients, typically Outlook and 
smartphones.

I'm considering changing to IMAP because I need a single IMAP mailbox for an 
unrelated reason.  But I am concerned about user storage issues at least.

Currently my POP users have a max mbox size but that is how much it will store before 
they "come get it".  I ensure they have at least one device set to delete from 
the server periodically (i.e. 1 week).  So users with multiple devices get their mail 
duplicated on their devices and at least one device keeps the server emptied so their 
mbox does not hit any limits.

As I understand it, when using IMAP, the user's messages are perpetually stored on the 
server.  So if the user is not moving their messages from their inbox to some other place 
(e.g. a different Outlook pst file), then all the messages will remain on the server.  
All messages are "synced" in the user's inbox or other user created folders.  
Is that right?  This would pretty quickly cripple those normal non-computer types that 
have years of emails in their inboxes.  And I don't have the storage space to allow 
storing years of their mail.  I also understand if they exceed their storage limit, mail 
starts bouncing, which is what I'd expect.

At first I started googling how to expire the old mail, but then realized that 
won't work because if I delete on the server, I understand that will delete on 
their devices, too.

How do others deal with this?  Am I misunderstanding something?  As popular as 
it seems to be, these seem like big hurdles to overcome.  Appreciate some help 
for an IMAP noob.

Thanks,
Scott

Use that single mailbox with IMAP; the others stay on POP (if a server with 
such small disks pretends to be a mail server). It's just the connection 
protocol, after all.


--
KSB


General IMAP question

2017-08-31 Thread Scott Techlist
My server is a limited space mailserver set up to filter spam.  Most of its 
mail is passed on to an Exchange server so it is not stored locally.  I have a 
handful of POP accounts that are stored locally.  For years I've used mbox type 
mailboxes that I'm familiar with and can access on the server when needed using 
the old mailx program.  They use a variety of clients, typically Outlook and 
smartphones.

I'm considering changing to IMAP because I need a single IMAP mailbox for an 
unrelated reason.  But I am concerned about user storage issues at least.  

Currently my POP users have a max mbox size but that is how much it will store 
before they "come get it".  I ensure they have at least one device set to 
delete from the server periodically (i.e. 1 week).  So users with multiple 
devices get their mail duplicated on their devices and at least one device 
keeps the server emptied so their mbox does not hit any limits.

As I understand it, when using IMAP, the user's messages are perpetually stored 
on the server.  So if the user is not moving their messages from their inbox to 
some other place (e.g. a different Outlook pst file), then all the messages 
will remain on the server.  All messages are "synced" in the user's inbox or 
other user created folders.  Is that right?  This would pretty quickly cripple 
those normal non-computer types that have years of emails in their inboxes.  
And I don't have the storage space to allow storing years of their mail.  I 
also understand if they exceed their storage limit, mail starts bouncing, which 
is what I'd expect. 

At first I started googling how to expire the old mail, but then realized that 
won't work because if I delete on the server, I understand that will delete on 
their devices, too.  

How do others deal with this?  Am I misunderstanding something?  As popular as 
it seems to be, these seem like big hurdles to overcome.  Appreciate some help 
for an IMAP noob.

Thanks,
Scott


Iterate All Dovecot Users !

2017-08-31 Thread Nick Lekkas
Hello to all !
 
I am trying to write a script that iterates all users that are created in
dovecot and postfix.
Is there any way?
 
Thanks in advance for your time !
 
Nick



Re: Strange folders

2017-08-31 Thread Aki Tuomi
> On August 30, 2017 at 11:40 PM Marti Markov  wrote:
> 
> 
> Hi all,
> 
> I’ve been experiencing the “magical” creation of random folders on my mail 
> server.
> 
> I managed to catch the creation of one last night. Here is the log:
> 
> Aug 30 01:38:13 mail dovecot: imap(f.lastn...@domain.com): Debug: Namespace : 
> /home/vmail/domain.com/f.lastName/Maildir/.wkkwgfrubwioniohkcyqttugdtdabuyn 
> doesn't exist yet, using default permissions
> Aug 30 01:38:13 mail dovecot: imap(f.lastn...@domain.com): Debug: Namespace : 
> Using permissions from /home/vmail/domain.com/f.lastName/Maildir: mode=0700 
> gid=default
> Aug 30 01:38:13 mail dovecot: imap(f.lastn...@domain.com): Debug: acl vfile: 
> file 
> /home/vmail/domain.com/f.lastName/Maildir/.wkkwgfrubwioniohkcyqttugdtdabuyn/dovecot-acl
>  not found
> 
> 
> I have substituted only the username and the domain name. The folder name is 
> as it was created: wkkwgfrubwioniohkcyqttugdtdabuyn
> 
> 
> 
> There has been no activity logged on the exim4 side at that time. What would 
> be the best course of action to determine what is happening?

Was the user logged in?

Are all the folders with the same name?

Have you enabled mail_log?

Aki


Strange folders

2017-08-31 Thread Marti Markov
Hi all,

I’ve been experiencing the “magical” creation of random folders on my mail 
server.

I managed to catch the creation of one last night. Here is the log:

Aug 30 01:38:13 mail dovecot: imap(f.lastn...@domain.com): Debug: Namespace : 
/home/vmail/domain.com/f.lastName/Maildir/.wkkwgfrubwioniohkcyqttugdtdabuyn 
doesn't exist yet, using default permissions
Aug 30 01:38:13 mail dovecot: imap(f.lastn...@domain.com): Debug: Namespace : 
Using permissions from /home/vmail/domain.com/f.lastName/Maildir: mode=0700 
gid=default
Aug 30 01:38:13 mail dovecot: imap(f.lastn...@domain.com): Debug: acl vfile: 
file 
/home/vmail/domain.com/f.lastName/Maildir/.wkkwgfrubwioniohkcyqttugdtdabuyn/dovecot-acl
 not found


I have substituted only the username and the domain name. The folder name is as 
it was created: wkkwgfrubwioniohkcyqttugdtdabuyn



There has been no activity logged on the exim4 side at that time. What would be 
the best course of action to determine what is happening?
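One way to start answering Aki's questions from the log itself, added here as an example and not something from the thread: a small Python checker that reads Dovecot log lines, remembers each user's most recent login source from the `imap-login: Login: user=<...>, rip=...` line, and flags folder creations whose leaf name looks machine-generated, using character entropy. The log lines below are constructed to resemble the ones Marti quoted (with an ordinary folder added for contrast); the thresholds and the expected-folder list are my own choices.

```python
import math
import re
from collections import Counter

# Constructed sample log, modelled on the lines quoted in the thread (not the
# original log): a login, an ordinary folder creation and the random-looking one.
SAMPLE_LOG = """\
Aug 30 01:37:58 mail dovecot: imap-login: Login: user=<f.lastname@domain.com>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.2, TLS
Aug 30 01:38:02 mail dovecot: imap(f.lastname@domain.com): Debug: Namespace : /home/vmail/domain.com/f.lastName/Maildir/.Archive.2017 doesn't exist yet, using default permissions
Aug 30 01:38:13 mail dovecot: imap(f.lastname@domain.com): Debug: Namespace : /home/vmail/domain.com/f.lastName/Maildir/.wkkwgfrubwioniohkcyqttugdtdabuyn doesn't exist yet, using default permissions
"""

LOGIN_RE = re.compile(r"imap-login: Login: user=<([^>]+)>.*?\brip=([0-9a-fA-F.:]+)")
CREATE_RE = re.compile(r"imap\(([^)]+)\): Debug: Namespace : (\S+) doesn't exist yet")

# Names a mail client is expected to create on its own; never flagged.
EXPECTED_FOLDERS = {"Sent", "Drafts", "Trash", "Junk", "Spam", "Archive", "Templates"}


def shannon_entropy(text):
    """Bits per character; 32 letters drawn almost uniformly score close to 4."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def folder_leaf(path):
    """Last hierarchy component of a Maildir++ folder directory.
    /path/Maildir/.Archive.2017 is the folder Archive/2017, whose leaf is 2017."""
    name = path.rstrip("/").rsplit("/", 1)[-1]
    if name.startswith("."):
        name = name[1:]
    return name.rsplit(".", 1)[-1]


def suspicious_creations(log_text, min_len=16, entropy_threshold=3.5):
    """Return one finding per folder creation whose leaf name looks generated.

    Each finding carries the source address of that user's most recent login
    seen earlier in the log, so the creation can be tied to a session."""
    last_rip = {}
    findings = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            last_rip[m.group(1)] = m.group(2)
            continue
        m = CREATE_RE.search(line)
        if not m:
            continue
        user, path = m.group(1), m.group(2)
        leaf = folder_leaf(path)
        if leaf in EXPECTED_FOLDERS:
            continue
        entropy = shannon_entropy(leaf)
        if len(leaf) >= min_len and entropy >= entropy_threshold:
            findings.append({
                "time": line[:15],
                "user": user,
                "folder": leaf,
                "entropy": round(entropy, 2),
                "last_login_rip": last_rip.get(user, "no login seen"),
            })
    return findings


if __name__ == "__main__":
    for f in suspicious_creations(SAMPLE_LOG):
        print("%(time)s %(user)s created %(folder)s (entropy %(entropy)s), "
              "last login from %(last_login_rip)s" % f)
```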


Re: Segmentation fault with doveadm search

2017-08-31 Thread Stefán Tamás

> On 30 Aug 2017, at 12:02, Aki Tuomi wrote:
> 
> Something goes wrong when opening "Junk" mailbox. Are you sure it exists? Can 
> you run doveadm with
> 
> doveadm -Dv search -u em...@example.com mailbox Junk savedbefore 30d

There is a public namespace defined. Maybe that is the problem?

doveadm(root): Debug: Loading modules from directory: /usr/lib/dovecot/modules
doveadm(root): Debug: Module loaded: 
/usr/lib/dovecot/modules/lib01_acl_plugin.so
doveadm(root): Debug: Module loaded: 
/usr/lib/dovecot/modules/lib10_quota_plugin.so
doveadm(root): Debug: Loading modules from directory: 
/usr/lib/dovecot/modules/doveadm
doveadm(root): Debug: Module loaded: 
/usr/lib/dovecot/modules/doveadm/lib10_doveadm_acl_plugin.so
doveadm(root): Debug: Skipping module doveadm_expire_plugin, because dlopen() 
failed: /usr/lib/dovecot/modules/doveadm/lib10_doveadm_expire_plugin.so: 
undefined symbol: expire_set_deinit (this is usually intentional, so just 
ignore this message)
doveadm(root): Debug: Module loaded: 
/usr/lib/dovecot/modules/doveadm/lib10_doveadm_quota_plugin.so
doveadm(root): Debug: Module loaded: 
/usr/lib/dovecot/modules/doveadm/lib10_doveadm_sieve_plugin.so
doveadm(root): Debug: Skipping module doveadm_fts_plugin, because dlopen() 
failed: /usr/lib/dovecot/modules/doveadm/lib20_doveadm_fts_plugin.so: undefined 
symbol: fts_backend_rescan (this is usually intentional, so just ignore this 
message)
doveadm(kiss.gi...@europrofil.hu): Debug: Added userdb setting: 
mail=maildir:/var/vmail/europrofil.hu/kiss.gitta/Maildir
doveadm(kiss.gi...@europrofil.hu): Debug: Added userdb setting: 
plugin/quota=dict:user::file:/var/vmail/europrofil.hu/kiss.gitta/.quotausage
doveadm(kiss.gi...@europrofil.hu): Debug: Added userdb setting: 
plugin/quota_rule=*:storage=3670016000B
doveadm(kiss.gi...@europrofil.hu): Debug: Added userdb setting: 
plugin/sieve=/var/vmail/europrofil.hu/kiss.gitta/.sieve
doveadm(kiss.gi...@europrofil.hu): Debug: Added userdb setting: 
plugin/sieve_before=/var/vmail/europrofil.hu/kiss.gitta/sieve/roundcube.sieve
doveadm(kiss.gi...@europrofil.hu): Debug: Effective uid=5000, gid=5000, 
home=/var/vmail/europrofil.hu/kiss.gitta
doveadm(kiss.gi...@europrofil.hu): Debug: acl: No acl setting - ACLs are 
disabled
doveadm(kiss.gi...@europrofil.hu): Debug: Quota root: name=user backend=dict 
args=:file:/var/vmail/europrofil.hu/kiss.gitta/.quotausage
doveadm(kiss.gi...@europrofil.hu): Debug: Quota rule: root=user mailbox=* 
bytes=3670016000 messages=0
doveadm(kiss.gi...@europrofil.hu): Debug: Quota grace: root=user 
bytes=367001600 (10%)
doveadm(kiss.gi...@europrofil.hu): Debug: dict quota: 
user=kiss.gi...@europrofil.hu, 
uri=file:/var/vmail/europrofil.hu/kiss.gitta/.quotausage, noenforcing=0
doveadm(kiss.gi...@europrofil.hu): Debug: Namespace : type=private, 
prefix=INBOX., sep=., inbox=yes, hidden=no, list=yes, subscriptions=yes 
location=maildir:/var/vmail/europrofil.hu/kiss.gitta/Maildir
doveadm(kiss.gi...@europrofil.hu): Debug: maildir++: 
root=/var/vmail/europrofil.hu/kiss.gitta/Maildir, index=, indexpvt=, control=, 
inbox=/var/vmail/europrofil.hu/kiss.gitta/Maildir, alt=
doveadm(kiss.gi...@europrofil.hu): Debug: Namespace : type=public, 
prefix=Public., sep=., inbox=no, hidden=no, list=children, subscriptions=yes 
location=maildir:/var/vmail/europrofil.hu/public/:CONTROL=/var/vmail/europrofil.hu/public/:INDEX=~/Maildir/public
doveadm(kiss.gi...@europrofil.hu): Debug: maildir++: 
root=/var/vmail/europrofil.hu/public, 
index=/var/vmail/europrofil.hu/kiss.gitta/Maildir/public, indexpvt=, control=, 
inbox=, alt=
doveadm(kiss.gi...@europrofil.hu): Debug: Namespace : type=private, prefix=, 
sep=, inbox=no, hidden=yes, list=no, subscriptions=no location=fail::LAYOUT=none
doveadm(kiss.gi...@europrofil.hu): Debug: none: root=, index=, indexpvt=, 
control=, inbox=, alt=

Regards

Stefán Tamás
- domain > email > web >>> success
Numex Informatika Kft.
Mobile: +36 20 956 0233, Tel: +36 1 205 3915
http://numex.hu


Re: Segmentation fault with doveadm search

2017-08-31 Thread Stefán Tamás

> 
> Can you do
> 
> p *box

$1 = {name = 0x557e1f18 "Junk", vname = 0x557e1f10 "Junk",
  storage = 0x557e1860, list = 0x557e1050, v = {
is_readonly = 0x776e5a50 ,
enable = 0x776e5a60 ,
exists = 0x776e5a70 ,
open = 0x776e5e60 ,
close = 0x769cf800 ,
free = 0x769d0370 ,
create_box = 0x776e5e30 ,
update_box = 0x776e5e00 ,
delete_box = 0x776e5dd0 ,
rename_box = 0x776e5da0 ,
get_status = 0x769d0170 , get_metadata = 0x0,
set_subscribed = 0x776e5d30 ,
attribute_set = 0x0, attribute_get = 0x0, attribute_iter_init = 0x0,
attribute_iter_next = 0x0, attribute_iter_deinit = 0x0,
list_index_has_changed = 0x0, list_index_update_sync = 0x0,
sync_init = 0x776e5aa0 ,
sync_next = 0x776e5ac0 ,
sync_deinit = 0x769d0420 ,
sync_notify = 0x769cf9d0 ,
notify_changes = 0x776e5ad0 ,
transaction_begin = 0x769cf900 ,
transaction_commit = 0x769d00a0 ,
transaction_rollback = 0x769cfff0 , 
get_private_flags_mask = 0x0,
mail_alloc = 0x776e61b0 ,
search_init = 0x776e5c00 ,
search_deinit = 0x776e5b80 ,
search_next_nonblock = 0x776e5ae0 ,
search_next_update_seq = 0x776e5af0 , save_alloc = 0x776e5b00 ,
save_begin = 0x769cfea0 ,
save_continue = 0x776e5b30 ,
save_finish = 0x769cfe30 ,
save_cancel = 0x776e5b50 ,
copy = 0x769cfd30 , transaction_save_commit_pre = 0x0,
transaction_save_commit_post = 0x0, transaction_save_rollback = 0x0,
is_inconsistent = 0x776e5b70 },
  vlast = 0x557e2038, pool = 0x557e1c50, metadata_pool = 0x0,
  prev = 0x0, next = 0x0, index = 0x0, view = 0x0, cache = 0x0,
  index_pvt = 0x0, view_pvt = 0x0, _perm = {file_uid = 0, file_gid = 0,
file_create_mode = 0, dir_create_mode = 0, file_create_gid = 0,
file_create_gid_origin = 0x0, gid_origin_is_mailbox_path = false,
mail_index_permissions_set = false}, _path = 0x777450df "",
  mail_vfuncs = 0x0, set = 0x0, open_error = MAIL_ERROR_NONE, input = 0x0,
  index_prefix = 0x0, flags = MAILBOX_FLAG_IGNORE_ACLS, transaction_count = 0,
  enabled_features = (unknown: 0), partial_cache = {uid = 0,
physical_start = 0, physical_pos = 0, virtual_pos = 0},
  tmp_sync_view = 0x0, notify_callback = 0x0, notify_context = 0x0,
  generation_sequence = 0, search_results = {arr = {buffer = 0x557e1f20,
  element_size = 8}, v = 0x557e1f20, v_modifiable = 0x557e1f20},
  module_contexts = {arr = {buffer = 0x557e1fd8, element_size = 8},
v = 0x557e1fd8, v_modifiable = 0x557e1fd8}, opened = 0,
  mailbox_deleted = 0, creating = 0, deleting = 0, deleting_must_be_empty = 0,
  delete_skip_empty_check = 0, marked_deleted = 0, inbox_user = 0,
  inbox_any = 0, disable_reflink_copy_to = 0, disallow_new_keywords = 0,
  synced = 0}


Regards

Stefán Tamás


Re: Segmentation fault with doveadm search

2017-08-31 Thread Stefán Tamás

> On 30 Aug 2017, at 12:56, Aki Tuomi wrote:
> 
> I think the problem is that you should be using INBOX.Junk instead of Junk.

You are right! It is OK that way.

Thanks Aki!


Regards

Stefán Tamás


Re: Mixed Authentication and password schemes

2017-08-31 Thread Aki Tuomi

> On August 31, 2017 at 12:41 AM Raymond Sellars 
>  wrote:
> 
> 
> Hi
> 
> Looking for some confirmation/direction on how to achieve the following. 
> 
> We have a requirement to support both SASL PLAIN and DIGEST-MD5 
> authentication (certification reasons). In addition to this we have an 
> application (webmail) that utilises a master password pattern for access, as 
> the containing web portal provides the necessary authentication.
> 
> I have access to users passwords in PLAIN text and looking to utilise the 
> dict lookup mechanism for passwords.
> 
> Problem #1
> 
> https://wiki2.dovecot.org/Authentication/MultipleDatabases - "Currently the 
> fallback works only with the PLAIN authentication mechanism."
> 
> The above note suggests I can't use DIGEST-MD5 with master password 
> configuration, if using more than one passdb setup. I don't understand why 
> there would be a restriction as the password validation should just fall 
> through irrespective.
> 

Because CRAM-MD5 is bothersome. Do you really need it? It's not really 
necessary with SSL.

> Problem #2 How do I enforce some kind of account access policy
> 
> Currently we're backing the authentication with an Identity and 
> Authentication system. I would like to block IMAP access if a user's account 
> is locked out, expired, or inactive. Similarly if there are too many IMAP 
> attempts with the incorrect password I would like the account system wide to 
> be locked out.
> 
> With Dict lookup I don't see a mechanism to keep the IDM system aware of 
> login attempt/failures, since it pulls the plaintext password and validates 
> internally. Is this possible?
> 
> As a worst case does Dovecot implement any type of account access policies? 
> Our IT security reviewers are hot on account policies, i.e. lockouts, 
> expiries, and back off attempts.
> 

You can use https://wiki2.dovecot.org/Authentication/Policy to implement 
complex requirements.

Other than that, Dovecot will deter brute force on its own to some degree.

> Thanks
> Raymond
> Solution Architect - Orion Health

Aki Tuomi
Dovecot Oy
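The account policies Raymond asks for (lockout after repeated failures, refusal of expired or inactive accounts, back-off between attempts) are the kind of rule the policy server Aki points to is meant to express. The following is an added example written for this digest, not Dovecot's code nor anything from the thread: a small HTTP policy endpoint with the decision logic in a testable class. Assumed, and to be checked against the linked wiki page before use: Dovecot posts a JSON object carrying at least `login`, `remote` and `success` per attempt and reads back `{"status": N, "msg": ...}` with 0 meaning allow, a positive N meaning delay N seconds and -1 meaning reject; Dovecot may call the endpoint more than once per attempt, so the failure counting here has to be tied to the correct lookup phase.

```python
import json
import time
from http.server import BaseHTTPRequestHandler, HTTPServer

MAX_FAILURES = 5        # per-account failures before a lockout
LOCKOUT_SECONDS = 900   # how long a locked-out account stays locked
FAILURE_WINDOW = 600    # failures older than this no longer count


class PolicyState:
    """In-memory account and source state.

    A real deployment would keep this in the IDM system so that a lockout is
    visible system-wide, which is what the thread asks for; the dicts here only
    keep the example self-contained."""

    def __init__(self, disabled=(), expired=()):
        self.disabled = set(disabled)   # accounts marked inactive or locked in the IDM
        self.expired = set(expired)     # accounts past their expiry date
        self.acct_failures = {}         # login  -> timestamps of recent failures
        self.src_failures = {}          # remote -> timestamps of recent failures
        self.locked_until = {}          # login  -> unix time the lockout ends

    @staticmethod
    def _recent(table, key, now):
        """Drop failures outside FAILURE_WINDOW; return the (shared) survivor list."""
        kept = [t for t in table.get(key, []) if now - t < FAILURE_WINDOW]
        table[key] = kept
        return kept

    def decide(self, login, remote, success, now=None):
        """Return (status, msg): 0 allow, N > 0 delay N seconds, -1 reject."""
        now = time.time() if now is None else now
        if login in self.disabled:
            return -1, "account inactive or locked in IDM"
        if login in self.expired:
            return -1, "account expired"
        if self.locked_until.get(login, 0) > now:
            return -1, "account locked out"
        acct = self._recent(self.acct_failures, login, now)
        src = self._recent(self.src_failures, remote, now)
        if success:
            self.acct_failures.pop(login, None)
            # a correct password from a source that has been failing elsewhere is
            # still slowed down, which blunts password spraying across accounts
            if src:
                return 2 ** (len(src) - 1), "delayed: noisy source"
            return 0, "ok"
        acct.append(now)
        src.append(now)
        if len(acct) >= MAX_FAILURES:
            self.locked_until[login] = now + LOCKOUT_SECONDS
            self.acct_failures.pop(login, None)
            return -1, "too many failures, account locked out"
        # exponential back-off on the worse of the two counters: 1, 2, 4, 8 seconds
        return 2 ** (max(len(acct), len(src)) - 1), "delayed: recent failures"


STATE = PolicyState()


class PolicyHandler(BaseHTTPRequestHandler):
    """Answers Dovecot's policy lookups.  Field names and status semantics are
    assumptions (see the lead-in); verify them against the Dovecot wiki."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        try:
            req = json.loads(self.rfile.read(length) or b"{}")
        except ValueError:
            req = {}
        status, msg = STATE.decide(str(req.get("login", "")),
                                   str(req.get("remote", "")),
                                   bool(req.get("success", False)))
        body = json.dumps({"status": status, "msg": msg}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # loopback only; Dovecot's policy server URL setting would point here
    HTTPServer(("127.0.0.1", 8080), PolicyHandler).serve_forever()
```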


Re: Segmentation fault with doveadm search

2017-08-31 Thread Aki Tuomi
On 30.08.2017 12:55, Stefán Tamás wrote:
>> Can you do
>>
>> p *box
> $1 = {name = 0x557e1f18 "Junk", vname = 0x557e1f10 "Junk",
>   storage = 0x557e1860, list = 0x557e1050, v = {
> is_readonly = 0x776e5a50 ,
>

Something goes wrong when opening "Junk" mailbox. Are you sure it
exists? Can you run doveadm with

doveadm -Dv search -u em...@example.com mailbox Junk savedbefore 30d

Aki


Pigeonhole 0.4.20 source archive based on v. 0.4.20-rc1?

2017-08-31 Thread Markus Schönhaber
Hi,

looking at the source archive of pigeonhole 0.4.20

I noticed that the contained ChangeLog mentions v0.4.20.rc1 as first
entry and pigeonhole-version.h defines git revision 7cd71ba as version
where I'd expect 4a55e6c.
This is probably no big deal. But since Makefile.in and install-sh also
differ (see attached diff) from the patch contained in

I thought I'd ask whether this is something without importance or
something which should be changed.

-- 
Regards
  mks


diff -uNr archive/pigeonhole/ChangeLog patchfile/pigeonhole/ChangeLog
--- archive/pigeonhole/ChangeLog	2017-08-27 15:17:38.0 +0200
+++ patchfile/pigeonhole/ChangeLog	2017-08-31 11:34:25.726202126 +0200
@@ -1,3 +1,11 @@
+2017-08-27 15:31:23 +0200 Stephan Bosch  (4a55e6c)
+
+Released v0.4.20 for Dovecot v2.2.32.
+
+
+M	NEWS
+M	configure.ac
+
 2017-08-18 02:28:14 +0200 Stephan Bosch  (7cd71ba)
 
 Released v0.4.20.rc1 for Dovecot v2.2.32.rc1.
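Review bot: the archive's ChangeLog begins at the rc1 commit (7cd71ba) and lacks the eight-line entry for the 4a55e6c release commit (`Released v0.4.20 for Dovecot v2.2.32.`, touching NEWS and configure.ac) that the patch tree carries, so the tarball's ChangeLog was evidently generated before the release commit was made. The packaging step should regenerate ChangeLog from the tagged release checkout so that its first entry is the release itself.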
diff -uNr archive/pigeonhole/install-sh patchfile/pigeonhole/install-sh
--- archive/pigeonhole/install-sh	2016-06-23 13:57:36.0 +0200
+++ patchfile/pigeonhole/install-sh	2017-08-31 11:34:25.752870094 +0200
@@ -345,34 +345,41 @@
 	# is incompatible with FreeBSD 'install' when (umask & 300) != 0.
 	;;
 	  *)
+# $RANDOM is not portable (e.g. dash);  use it when possible to
+# lower collision chance
 	tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$
-	trap 'ret=$?; rmdir "$tmpdir/d" "$tmpdir" 2>/dev/null; exit $ret' 0
+	trap 'ret=$?; rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" 2>/dev/null; exit $ret' 0
 
+	 # As "mkdir -p" follows symlinks and we work in /tmp possibly;  so
+	 # create the $tmpdir first (and fail if unsuccessful) to make sure
+	 # that nobody tries to guess the $tmpdir name.
 	if (umask $mkdir_umask &&
-		exec $mkdirprog $mkdir_mode -p -- "$tmpdir/d") >/dev/null 2>&1
+		$mkdirprog $mkdir_mode "$tmpdir" &&
+		exec $mkdirprog $mkdir_mode -p -- "$tmpdir/a/b") >/dev/null 2>&1
 	then
 	  if test -z "$dir_arg" || {
 		   # Check for POSIX incompatibilities with -m.
 		   # HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or
 		   # other-writable bit of parent directory when it shouldn't.
 		   # FreeBSD 6.1 mkdir -m -p sets mode of existing directory.
-		   ls_ld_tmpdir=`ls -ld "$tmpdir"`
+		   test_tmpdir="$tmpdir/a"
+		   ls_ld_tmpdir=`ls -ld "$test_tmpdir"`
 		   case $ls_ld_tmpdir in
 		 d-?r-*) different_mode=700;;
 		 d-?--*) different_mode=755;;
 		 *) false;;
 		   esac &&
-		   $mkdirprog -m$different_mode -p -- "$tmpdir" && {
-		 ls_ld_tmpdir_1=`ls -ld "$tmpdir"`
+		   $mkdirprog -m$different_mode -p -- "$test_tmpdir" && {
+		 ls_ld_tmpdir_1=`ls -ld "$test_tmpdir"`
 		 test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1"
 		   }
 		 }
 	  then posix_mkdir=:
 	  fi
-	  rmdir "$tmpdir/d" "$tmpdir"
+	  rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir"
 	else
 	  # Remove any dirs left behind by ancient mkdir implementations.
-	  rmdir ./$mkdir_mode ./-p ./-- 2>/dev/null
+	  rmdir ./$mkdir_mode ./-p ./-- "$tmpdir" 2>/dev/null
 	fi
 	trap '' 0;;
 	esac;;
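Review bot: the archive carries an install-sh from 2016-06-23 that still runs the `mkdir -p` probe directly on `$tmpdir/d`, whereas the patch tree's newer copy first creates `$tmpdir` itself without `-p` and only then probes with `mkdir -p -- "$tmpdir/a/b"`, so that, as the added comment says, a pre-existing entry under /tmp is not silently followed; its fallback cleanup `rmdir ./$mkdir_mode ./-p ./-- "$tmpdir"` also removes the probe directory. install-sh is copied in by automake, so this difference means the archive was bootstrapped with an older autotools than the patch tree; regenerating the tarball with the same toolchain removes the discrepancy and picks up the hardened probe.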
diff -uNr archive/pigeonhole/Makefile.in patchfile/pigeonhole/Makefile.in
--- archive/pigeonhole/Makefile.in	2017-08-27 14:42:39.0 +0200
+++ patchfile/pigeonhole/Makefile.in	2017-08-31 11:34:25.759537086 +0200
@@ -86,7 +86,7 @@
 	$(srcdir)/stamp.h.in $(dist_aclocal_DATA) \
 	$(dist_pkginc_lib_HEADERS) AUTHORS COPYING ChangeLog INSTALL \
 	NEWS README TODO compile config.guess config.rpath config.sub \
-	depcomp install-sh missing ltmain.sh
+	install-sh missing ltmain.sh
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/dovecot.m4 \
 	$(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \
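Review bot: the archive's DIST_COMMON lists `depcomp` while the patch tree's does not; this is a difference in the automake version that generated Makefile.in rather than a source change, consistent with the install-sh difference above. Worth checking that every file the shipped Makefile.in lists in DIST_COMMON is actually present in the archive, and regenerating with one automake version so that both files agree.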
diff -uNr archive/pigeonhole/pigeonhole-version.h patchfile/pigeonhole/pigeonhole-version.h
--- archive/pigeonhole/pigeonhole-version.h	2017-08-27 14:42:44.0 +0200
+++ patchfile/pigeonhole/pigeonhole-version.h	2017-08-31 11:34:25.762870581 +0200
@@ -1,6 +1,6 @@
 #ifndef PIGEONHOLE_VERSION_H
 #define PIGEONHOLE_VERSION_H
 
-#define PIGEONHOLE_VERSION_FULL PIGEONHOLE_VERSION" (7cd71ba)"
+#define PIGEONHOLE_VERSION_FULL PIGEONHOLE_VERSION" (4a55e6c)"
 
 #endif /* PIGEONHOLE_VERSION_H */
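Review bot: PIGEONHOLE_VERSION_FULL in the archive embeds the rc1 revision (7cd71ba) where the patch tree has the release commit (4a55e6c), so anything that prints this string will identify a 0.4.20 build as the rc1 tree. The header is generated when the archive is prepared, so rebuilding the archive from the 4a55e6c checkout fixes this together with the ChangeLog entry above.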


Re: Segmentation fault with doveadm search

2017-08-31 Thread Aki Tuomi


On 30.08.2017 13:55, Stefán Tamás wrote:
>> On 30 Aug 2017, at 12:02, Aki Tuomi wrote:
>>
>> Something goes wrong when opening "Junk" mailbox. Are you sure it exists? 
>> Can you run doveadm with
>>
>> doveadm -Dv search -u em...@example.com mailbox Junk savedbefore 30d
> There is public namespace defined. Maybe that is the problem?
>
> doveadm(root): Debug: Loading modules from directory: /usr/lib/dovecot/modules
> doveadm(root): Debug: Module loaded: 
> /usr/lib/dovecot/modules/lib01_acl_plugin.so
> doveadm(root): Debug: Module loaded: 
> /usr/lib/dovecot/modules/lib10_quota_plugin.so
> doveadm(root): Debug: Loading modules from directory: 
> /usr/lib/dovecot/modules/doveadm
> doveadm(root): Debug: Module loaded: 
> /usr/lib/dovecot/modules/doveadm/lib10_doveadm_acl_plugin.so
> doveadm(root): Debug: Skipping module doveadm_expire_plugin, because dlopen() 
> failed: /usr/lib/dovecot/modules/doveadm/lib10_doveadm_expire_plugin.so: 
> undefined symbol: expire_set_deinit (this is usually intentional, so just 
> ignore this message)
> doveadm(root): Debug: Module loaded: 
> /usr/lib/dovecot/modules/doveadm/lib10_doveadm_quota_plugin.so
> doveadm(root): Debug: Module loaded: 
> /usr/lib/dovecot/modules/doveadm/lib10_doveadm_sieve_plugin.so
> doveadm(root): Debug: Skipping module doveadm_fts_plugin, because dlopen() 
> failed: /usr/lib/dovecot/modules/doveadm/lib20_doveadm_fts_plugin.so: 
> undefined symbol: fts_backend_rescan (this is usually intentional, so just 
> ignore this message)
> doveadm(kiss.gi...@europrofil.hu): Debug: Added userdb setting: 
> mail=maildir:/var/vmail/europrofil.hu/kiss.gitta/Maildir
> doveadm(kiss.gi...@europrofil.hu): Debug: Added userdb setting: 
> plugin/quota=dict:user::file:/var/vmail/europrofil.hu/kiss.gitta/.quotausage
> doveadm(kiss.gi...@europrofil.hu): Debug: Added userdb setting: 
> plugin/quota_rule=*:storage=3670016000B
> doveadm(kiss.gi...@europrofil.hu): Debug: Added userdb setting: 
> plugin/sieve=/var/vmail/europrofil.hu/kiss.gitta/.sieve
> doveadm(kiss.gi...@europrofil.hu): Debug: Added userdb setting: 
> plugin/sieve_before=/var/vmail/europrofil.hu/kiss.gitta/sieve/roundcube.sieve
> doveadm(kiss.gi...@europrofil.hu): Debug: Effective uid=5000, gid=5000, 
> home=/var/vmail/europrofil.hu/kiss.gitta
> doveadm(kiss.gi...@europrofil.hu): Debug: acl: No acl setting - ACLs are 
> disabled
> doveadm(kiss.gi...@europrofil.hu): Debug: Quota root: name=user backend=dict 
> args=:file:/var/vmail/europrofil.hu/kiss.gitta/.quotausage
> doveadm(kiss.gi...@europrofil.hu): Debug: Quota rule: root=user mailbox=* 
> bytes=3670016000 messages=0
> doveadm(kiss.gi...@europrofil.hu): Debug: Quota grace: root=user 
> bytes=367001600 (10%)
> doveadm(kiss.gi...@europrofil.hu): Debug: dict quota: 
> user=kiss.gi...@europrofil.hu, 
> uri=file:/var/vmail/europrofil.hu/kiss.gitta/.quotausage, noenforcing=0
> doveadm(kiss.gi...@europrofil.hu): Debug: Namespace : type=private, 
> prefix=INBOX., sep=., inbox=yes, hidden=no, list=yes, subscriptions=yes 
> location=maildir:/var/vmail/europrofil.hu/kiss.gitta/Maildir
> doveadm(kiss.gi...@europrofil.hu): Debug: maildir++: 
> root=/var/vmail/europrofil.hu/kiss.gitta/Maildir, index=, indexpvt=, 
> control=, inbox=/var/vmail/europrofil.hu/kiss.gitta/Maildir, alt=
> doveadm(kiss.gi...@europrofil.hu): Debug: Namespace : type=public, 
> prefix=Public., sep=., inbox=no, hidden=no, list=children, subscriptions=yes 
> location=maildir:/var/vmail/europrofil.hu/public/:CONTROL=/var/vmail/europrofil.hu/public/:INDEX=~/Maildir/public
> doveadm(kiss.gi...@europrofil.hu): Debug: maildir++: 
> root=/var/vmail/europrofil.hu/public, 
> index=/var/vmail/europrofil.hu/kiss.gitta/Maildir/public, indexpvt=, 
> control=, inbox=, alt=
> doveadm(kiss.gi...@europrofil.hu): Debug: Namespace : type=private, prefix=, 
> sep=, inbox=no, hidden=yes, list=no, subscriptions=no 
> location=fail::LAYOUT=none
> doveadm(kiss.gi...@europrofil.hu): Debug: none: root=, index=, indexpvt=, 
> control=, inbox=, alt=
>
> Regards
>
> Stefán Tamás
> - domain > email > web >>> success
> Numex Informatika Kft.
> Mobile: +36 20 956 0233, Tel: +36 1 205 3915
> http://numex.hu
I think the problem is that you should be using INBOX.Junk instead of Junk.

Aki
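Why the name works with the `INBOX.` prefix and not without it can be read off the three namespaces in the `doveadm -Dv` output quoted above: `INBOX.` and `Public.` are the real ones, and the hidden empty-prefix namespace with `location=fail::LAYOUT=none` catches every other name, so a bare `Junk` has no storage behind it. The following Python is an added example, my own reconstruction of longest-prefix namespace matching rather than Dovecot's code; the namespace table is copied from the debug output (CONTROL/INDEX parts of the public location dropped), and `maildir_dir` assumes plain Maildir++ layout.

```python
# Namespaces as listed in the doveadm -Dv debug output in this thread.
NAMESPACES = [
    {"type": "private", "prefix": "INBOX.",  "sep": ".", "inbox": True,  "hidden": False,
     "location": "maildir:/var/vmail/europrofil.hu/kiss.gitta/Maildir"},
    {"type": "public",  "prefix": "Public.", "sep": ".", "inbox": False, "hidden": False,
     "location": "maildir:/var/vmail/europrofil.hu/public/"},
    # Dovecot adds this hidden catch-all when no configured namespace has an
    # empty prefix; whatever lands here has no storage behind it.
    {"type": "private", "prefix": "",        "sep": ".", "inbox": False, "hidden": True,
     "location": "fail::LAYOUT=none"},
]


def resolve(vname, namespaces=NAMESPACES):
    """Return (namespace, name relative to its prefix) for a virtual mailbox name.

    Reconstructed rule (not Dovecot's code): the bare name INBOX belongs to the
    inbox=yes namespace; any other name goes to the namespace with the longest
    matching prefix, and the empty prefix matches everything as a last resort."""
    if vname == "INBOX":
        for ns in namespaces:
            if ns["inbox"]:
                return ns, "INBOX"
    best = None
    for ns in namespaces:
        if vname.startswith(ns["prefix"]) and (
                best is None or len(ns["prefix"]) > len(best["prefix"])):
            best = ns
    if best is None:
        raise LookupError("no namespace matches %r" % vname)
    return best, vname[len(best["prefix"]):]


def has_storage(ns):
    """A fail:: location can never be opened, whatever the mailbox name."""
    return not ns["location"].startswith("fail:")


def maildir_dir(vname, namespaces=NAMESPACES):
    """Directory a Maildir++ mailbox lives in, or None when the name resolves to
    the catch-all namespace.  Assumes plain Maildir++: sub-folders are
    dot-prefixed directories directly under the namespace root, '.' separated."""
    ns, rel = resolve(vname, namespaces)
    if not has_storage(ns):
        return None
    root = ns["location"].split(":", 1)[1].rstrip("/")
    if rel in ("INBOX", ""):
        return root
    return "%s/.%s" % (root, rel)


if __name__ == "__main__":
    for name in ("Junk", "INBOX.Junk", "Public.announce", "INBOX"):
        ns, rel = resolve(name)
        print("%-16s -> prefix %-8r location %-55s dir %s"
              % (name, ns["prefix"], ns["location"], maildir_dir(name)))
```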


Mixed Authentication and password schemes

2017-08-31 Thread Raymond Sellars
Hi

Looking for some confirmation/direction on how to achieve the following. 

We have a requirement to support both SASL PLAIN and DIGEST-MD5 authentication 
(certification reasons). In addition to this we have an application (webmail) 
that utilises a master password pattern for access, as the containing web portal 
provides the necessary authentication.

I have access to users passwords in PLAIN text and looking to utilise the dict 
lookup mechanism for passwords.

Problem #1

https://wiki2.dovecot.org/Authentication/MultipleDatabases - "Currently the 
fallback works only with the PLAIN authentication mechanism."

The above note suggests I can't use DIGEST-MD5 with master password 
configuration, if using more than one passdb setup. I don't understand why 
there would be a restriction as the password validation should just fall 
through irrespective.

Problem #2 How do I enforce some kind of account access policy

Currently we're backing the authentication with an Identity and Authentication 
system. I would like to block IMAP access if a user's account is locked out, 
expired, or inactive. Similarly if there are too many IMAP attempts with the 
incorrect password I would like the account system wide to be locked out.

With Dict lookup I don't see a mechanism to keep the IDM system aware of login 
attempt/failures, since it pulls the plaintext password and validates 
internally. Is this possible?

As a worst case does Dovecot implement any type of account access policies? Our 
IT security reviewers are hot on account policies, i.e. lockouts, expiries, and 
back off attempts.

Thanks
Raymond
Solution Architect - Orion Health