Re: Embedding a path in address extensions
On 08 Sep 2017, at 12:19, @lbutlr wrote:
> Or, maybe I make the admins use an MUA? If so, I should replace most of these
> .'s with dashes…

This seems like the obvious decision, so never mind.

--
Apple broke AppleScripting signatures in Mail.app, so no random signatures.
Re: Dovecot and Letsencrypt certs
On 08 Sep 2017, at 12:21, Ralph Seichter wrote:
> On 08.09.2017 19:51, @lbutlr wrote:
>> How I would do it is IF the certificate is expired, the dovecot should
>> check if there is a new cert and if so, load it.
>
> New cert as in file modification date or checksum changed?

Either one, but checksum is going to be more reliable.

> Might work. Still, from what I seem to remember, Dovecot loads certificate
> data before dropping privileges, which is why reloading the data might be
> problematic without some changes.

Can't dovecot reload itself? That could be a problem if not.

> Not worth spending development effort on, IMO, given that Dovecot can easily
> be restarted by the external processes that update the cert (like Certbot
> hook, Ansible, etc.).

All I'm saying is that it's a failure event that doesn't need to occur.

--
Apple broke AppleScripting signatures in Mail.app, so no random signatures.
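
The "modification date or checksum" question above, as an added example that is not code from any poster or from Dovecot: a helper for a renewal hook or cron job that follows the symlink chain to the live certificate, compares its SHA-256 with the digest recorded at the last reload, and runs the reload command only when the content differs. The function names, the state file and the paths in the closing comment are assumptions, and GNU coreutils (readlink -f, sha256sum) is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): reload a TLS service only when the
# certificate its configured path resolves to has different content.
# Function names, paths and the state file are hypothetical.
# Assumes GNU coreutils (readlink -f, sha256sum).

# cert_digest PATH
# Follow every symlink level (e.g. cert.pem -> current.pem -> cert-NNN.pem)
# and print the SHA-256 of the file that is finally reached.
cert_digest() {
    target=$(readlink -f -- "$1") || return 2
    [ -r "$target" ] || return 2          # dangling link or unreadable file
    sha256sum -- "$target" | cut -d' ' -f1
}

# cert_changed CERT STATE
# Returns 0 if the digest differs from the one recorded in STATE,
# 1 if it is identical, 2 if the certificate cannot be read.
cert_changed() {
    new=$(cert_digest "$1") || return 2
    old=""
    if [ -r "$2" ]; then
        old=$(cat -- "$2")
    fi
    [ "$new" != "$old" ]
}

# reload_if_changed CERT STATE COMMAND [ARGS...]
# Runs COMMAND only when the certificate content changed. Returns 0 on
# "reloaded" or "unchanged", 2 if the certificate is unreadable, 3 if
# COMMAND failed.
reload_if_changed() {
    cert=$1
    state=$2
    shift 2
    rc=0
    cert_changed "$cert" "$state" || rc=$?
    case $rc in
        0) ;;
        1) echo "unchanged"; return 0 ;;
        *) echo "error: cannot read certificate $cert" >&2; return 2 ;;
    esac
    if "$@"; then
        # Record the digest only after a successful reload, so that a
        # failed reload is attempted again on the next run.
        printf '%s\n' "$new" > "$state.tmp" && mv -- "$state.tmp" "$state"
        echo "reloaded"
    else
        echo "error: reload command failed, will retry on next run" >&2
        return 3
    fi
}

# Typical call from a renewal hook or cron job (hypothetical paths):
#   reload_if_changed /etc/ssl/mail/cert.pem /var/lib/cert-reload/mail.sha256 \
#       /usr/sbin/service dovecot restart
```

A rewrite of the same certificate changes the file's modification time but not its digest, so the service is left alone; repointing the symlink to a new file changes the digest even if the link name and its timestamp look the same to the service configuration.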
Re: Dovecot and Letsencrypt certs
On 08.09.2017 19:51, @lbutlr wrote:
> How I would do it is IF the certificate is expired, the dovecot should
> check if there is a new cert and if so, load it.

New cert as in file modification date or checksum changed? Might work.
Still, from what I seem to remember, Dovecot loads certificate data before
dropping privileges, which is why reloading the data might be problematic
without some changes.

Not worth spending development effort on, IMO, given that Dovecot can easily
be restarted by the external processes that update the cert (like Certbot
hook, Ansible, etc.).

-Ralph
Embedding a path in address extensions
I generate bcc backups with the pattern
backups+date.user.domain@mybackupdomain.tld (for example,
backups+20170908.kremels.kreme@mybackupdomain.tld)

This puts mail in …/.20170908.kremels.kreme.com/new

What I would like to do is get the expansion to generate the following path

…/.20170908/.kremels.kreme.com/new

Of course the date changes every day, but it will always be numeric if that
helps.

dovecot gets the mail from postfix:

dovecot unix - n n - - pipe
  flags=DRhu user=vpopmail:vchkpw argv=/usr/local/libexec/dovecot/dovecot-lda -f ${sender} -d ${user}@${nexthop} -m ${extension} -a ${original_recipient}

Would it make more sense (or is it even possible) to split the extension in
postfix or to do something with sieve? Or is there a character I can use in
the extension that tells dovecot to create a path?

Even though I am using a maildir structure for the backups, this "account"
never accesses the mail via a MUA, only via the command line when an admin
has to restore an email, so it would be much easier to deal with this with
daily subfolders.

Or, maybe I make the admins use an MUA? If so, I should replace most of these
.'s with dashes…

--
Apple broke AppleScripting signatures in Mail.app, so no random signatures.
Re: Dovecot and Letsencrypt certs
On 08 Sep 2017, at 10:08, Ralph Seichter wrote:
> What is Dovecot supposed to do? Keep track of the certificate expiry
> date? And if that is passed, then what? Automatically shutdown/restart?
> What if the certificate has not been updated in between? I think that
> handling certificates is better left to the administrator.

How I would do it is IF the certificate is expired, the dovecot should check
if there is a new cert and if so, load it.

This prevents a failure event, but doesn't interfere with reloading the cert
when it is renewed.

--
Apple broke AppleScripting signatures in Mail.app, so no random signatures.
Re: Dovecot and Letsencrypt certs
On 08 Sep 2017, at 09:28, Вадим Бажов wrote:
> "I think it’s probably easier to just kick dovecot once a month." -
> that's not good from system administration's point of view. You can
> get into trouble when certificate is renewed but dovecot isn't
> reloaded yet.

That's simply not possible. The cert renews well before it expires.

> "it seems like checking the certs is something that dovecot should be
> doing on its own" if dovecot loads it in memory, it shouldn't reread
> certificates.

Of course it should because certs are DESIGNED to expire and MUST expire, and
dovecot certainly has the ability to see when the cert expires.

> Why to take servers resources just 'because of something
> may be changed'

Something WILL be changed, absolutely certain of that. All certs expire.

> restarting dovecot with no need ?

restarting/reloading dovecot is trivial and takes far less time than writing
a script to check the certs and then creating a crontab for that which also
gives a tertiary point of failure.

--
Apple broke AppleScripting signatures in Mail.app, so no random signatures.
Re: can't get quota working. I use static userdb driver.
Got it ! The issue is in the 'type = public' parameter. I removed it from my
namespace definition and quota got counted as expected ! Problem solved.

2017-09-01 21:34 GMT+05:00 Вадим Бажов:
> Hi, people !
> Set up global quota according to docs to 2 Mb.
> Send more than ten Mb on the box.
> Mail still getting put in the box, no bounces, no error messages in
> logs, nothing to prevent mail to be delivered in overflooded mailbox.
>
> quota settings are:
>
> mail_plugins = quota
> lmtp_rcpt_check_quota = yes
> quota_full_tempfail = yes
>
> protocol lmtp {
>   postmaster_address = postmaster # required
>   mail_plugins = $mail_plugins sieve
> }
>
> protocol lda {
>   mail_plugins = $mail_plugins sieve
> }
>
> protocol imap {
>   mail_plugins = $mail_plugins imap_quota
> }
>
> plugin {
>   quota = maildir:"User quota"
>   quota_rule = *:storage=10M
>   quota_rule3 = INBOX.Trash:storage=+10%%
>   quota_exceeded_message = "552 5.2.2 Mailbox is full"
> }
>
> doveconf -n is attached.
>
> # doveadm quota get
> Quota name   Type    Value Limit %
> "User quota" STORAGE     0 10240 0
> "User quota" MESSAGE     0     -
>
> # doveadm quota get -u vadim
> Quota name   Type    Value Limit %
> "User quota" STORAGE     0 10240 0
> "User quota" MESSAGE     0     -
>
> # du -sh /var/mail/vadim/
> 23M /var/mail/vadim/
>
> I tried to pass quota_rule as an argument to userdb, quota is being
> parsed, but still doesn't work.
>
> I think problem is that dovecot can't (re)calculate the actual quota
> on disc (can't calculate how disk space mailbox is used), despite the
> fact that quota limit itself is configured correctly, since dovecot
> shows it in log and doveconf -n.
>
> What I am doing wrong ?
Re: can't get quota working. I use static userdb driver.
I found what causes quota not being working at all - namespace.

Whenever I declare a basic namespace :

namespace {
  type = public
  prefix = INBOX.
  separator = .
  inbox = yes
}

or even

namespace {
  type = public
  inbox = yes
}

Quota gets broken:

# doveadm quota recalc -u administrator; doveadm quota get -u administrator
Quota name Type    Value Limit  %
User quota STORAGE     0    10  0
User quota MESSAGE     0     -  0

When I get rid of any namespace declaration, quota gets work:

# doveadm quota recalc -u administrator; doveadm quota get -u administrator
Quota name Type    Value Limit  %
User quota STORAGE 19922    10 19
User quota MESSAGE     2     -  0

Quota settings are simple:

plugin {
  quota = maildir
  quota_rule = *:bytes=10k
}

'count' quota engine works too as well.

But I need to declare and set up my own namespace (Spam and Sent folders,
subscriptions and autoexpunge stuff).

Any suggestions how to set quota within a specific namespace ?

2017-09-06 21:24 GMT+05:00 Вадим Бажов:
> Quotas not being counted with 'passwd-file' driver too. Thunderbird
> still doesn't show quota bar.
> It is mentioned to run passdb with '-d' parameter if quotas aren't
> working. Can you explain how to set it up. How to run passdb with '-d'
> parameter ? Any configuration file snippet ?
>
> 2017-09-06 21:20 GMT+05:00 Вадим Бажов:
>> Just tried 'count', 'fs' and 'dirsize' quota backends. All the same.
>>
>> # doveadm quota recalc
>> # doveadm quota get -u vadim
>> Quota name Type    Value Limit %
>> User quota STORAGE     0 10240 0
>> User quota MESSAGE     0     - 0
>> # doveadm quota get
>> Quota name Type    Value Limit %
>> User quota STORAGE     0 10240 0
>> User quota MESSAGE     0     -
>>
>> It looks like quota_rule is interpreted but quota backend doesn't work
>> (can't count current quota state).
>>
>> I deleted all the mailboxes, then I divided CONTROL and INDEX dirs
>> apart from mailbox dir itself:
>> maildir:/var/spool/mail/%u:INDEX=/tmp/no-quotas/index/%u:CONTROL=/tmp/no-quotas/control/%u
>> Boxes were created with dovecot files for them under /tmp/no-quotas as
>> well, but no changes. quota value is always zero.
>> May be I should try MDBOX with all these quota backends, but, anyway,
>> I can't migrate to MDBOX yet, so it's not my choice.
>>
>> Any suggestions ? Does anyone has a working maildir quota installation
>> all around ?
>> Dovecot version is 2.2.27 (c0f36b0).
>>
>> Some other questions:
>> 1. Documentation says that quotas can work improperly if static userdb
>> driver is used. I use static driver. Is it really a problem ? I tried
>> to return user quotas from my bash-script, it passes from bash to
>> dovecot during lmtp and auth processes successfully. But no difference
>> with calculating quotas. Can I use something different from static
>> driver for userdb if I use external bash script for auth and lmtp ? (I
>> will try to change the driver...)
>> 2. It said that maildir quota backend count quotas using 'maildirsize'
>> files. I don't have such files inside box dirs. What should I tune in
>> order to create them by dovecot ?
>> 3. Found this in docs: "Dovecot can't currently handle not being able
>> to write the control files, so it will cause problems with filesystem
>> quota. To avoid problems with this, you should place control files
>> into a partition where quota isn't checked. You can specify this by
>> adding :CONTROL= to mail_location, for example:" - i tried to
>> put CONTROL and INDEX files in separate dir, but in the same disk
>> partition. Should I really change the disk partition ? What
>> 'filesystem quota' means here ? I don't use any disk quotas in my
>> system (centos 6.9).
>>
>> 2017-09-06 15:55 GMT+05:00 Alex JOST:
>>> On 06.09.2017 at 12:17, Вадим Бажов wrote:
>>>> Thank you for your answers.
>>>> I fixed config to:
>>>>
>>>> plugin {
>>>>   sieve_default = /mnt/rw_disc/dovecot/sieve/default.sieve
>>>>   sieve_global = /mnt/rw_disc/dovecot/sieve/
>>>>   quota = maildir:User
>>>>   quota_rule = *:storage=10M
>>>>   # quota_rule2 = INBOX.Trash:storage=+10%%
>>>>   quota_max_mail_size = 3M
>>>>   quota_exceeded_message = "552 5.2.2 Mailbox is full"
>>>> }
>>>
>>> Have you tried using a different backend (e.g. dict & flat file)?
>>>
>>>> The mail_location is actually maildir:/var/spool/mail/%u, mdbox was a
>>>> misspelling (i tried migration from maildir to mdbox before).
>>>
>>> I'm wondering if this might be caused by using the same directory for home
>>> and mail?
>>>
>>> --
>>> Alex JOST
Re: EOF from net_disconnect(fd)
Aki,

Thanks for your direction! It seems that the issue I’m running into is this:
https://www.dovecot.org/list/dovecot-cvs/2014-January/024154.html

I’m told it’s fixed in 2.2.11 but CentOS 7’s repos have 2.2.10-7.el7. I found
a work-around in the plugin at
https://github.com/st3fan/dovecot-xaps-plugin/pull/15 without having to
manually build the latest dovecot for the fix but think I’ll have to look
into moving to ostream/istream. Do you know if ostream/istream are affected
by that bug listed above?

My goal is to make an RPM of the plugin and daemon that can be distributed
eventually without having to alter the default version of dovecot in the
repos.

Thank you,
Steffan Cline
602-793-0014

On 9/7/17, 11:43 PM, "dovecot on behalf of Aki Tuomi" wrote:

Hi!

Nice to hear you are developing this, I'll add it to our wiki if it's not
there.

Please don't use net_transmit, it's going away. You should use ostream and
istream instead.

Aki

On 08.09.2017 09:29, Steffan Cline wrote:
> I’m working on an OS project from github. There are two parts:
>
> Dovecot plugin - https://github.com/st3fan/dovecot-xaps-plugin
>
> Daemon written in Go - https://github.com/st3fan/dovecot-xaps-daemon
>
> # dovecot --version
> 2.2.10
>
> Both parts worked fine on CentOS 6 but I recently rebuilt them both for
> CentOS 7 and have run into some errors.
>
> The plugin sends a notification over a socket to the daemon. The daemon
> then processes the request and returns a message to the plugin.
>
> The plugin reads the response then closes the socket and at that point,
> I’m running into an issue.
>
> The daemon reports the following: read unix /tmp/xapsd.sock->@: read:
> connection reset by peer
>
> In reading the Go language docs, it says that it will throw the first
> error it hits before the EOF from the socket. This led me to think that
> perhaps the plugin was not sending an EOF when closing the socket.
>
> I tried to write an EOF to the socket before the close but no change.
> Everything works between the plugin and daemon right up until the socket
> close.
>
> Is there a way to monitor the stream through the socket so I can see if
> the plugin is indeed sending the EOF? Knowing that lets me know if I need
> to chase down the issue in the Go daemon code.
>
> I’m no pro with C but I tried. The snippet from the plugin follows:
>
> alarm(1);
> {
>     if (net_transmit(fd, str_data(req), str_len(req)) < 0) {
>         i_error("write(%s) failed: %m", socket_path);
>         ret = -1;
>     } else {
>         char res[1024];
>         ret = net_receive(fd, res, sizeof(res)-1);
>         if (ret < 0) {
>             i_error("read(%s) failed: %m", socket_path);
>         } else {
>             res[ret] = '\0';
>             if (strncmp(res, "OK ", 3) == 0) {
>                 ret = 0;
>             }
>         }
>     }
> }
> alarm(0);
>
> char stx[1];
> stx[0]=(char) 4;
> //stx[1]='\0';
> if ( net_transmit(fd, stx, sizeof(stx) ) < 0 ) {
>     i_error("Error writing EOF");
> }
>
> //string_t *testEOF= t_str_new(2);
> //str_append(testEOF, (char*) 4);
> //if ( net_transmit(fd, str_data(testEOF), str_len(testEOF) ) < 0 ) {
> //    i_error("Error writing EOF");
> //}
>
> //i_close_fd(&fd);
> net_disconnect(fd);
> fd=-1;
>
> Thank you,
> Steffan Cline
> 602-793-0014
Re: Dovecot and Letsencrypt certs
On 08.09.2017 16:20, LuKreme wrote:
> That is a great solution, but I think it’s probably easier to just
> kick dovecot once a month.

Certbot hooks are very easy to write, and are only executed when the
certificate is updated. In that light, I can see no advantage in "kick
dovecot once a month". ;-)

> However, it seems like checking the certs is something that dovecot
> should be doing on its own.

What is Dovecot supposed to do? Keep track of the certificate expiry date?
And if that is passed, then what? Automatically shutdown/restart? What if
the certificate has not been updated in between? I think that handling
certificates is better left to the administrator.

-Ralph
Re: disable imap for ldap user
On 08.09.2017 17:11, Markus Rosjat wrote:
> I have a LDAP dir with an attribute set to 0 or 1 and in my old setup
> (a courier server) I used this attribute to map it to an authoption
> called disableimap. This prevent users to access the mailbox with imap
> protocol.
>
> So the question is what should I set in dovecot to get the same
> behaviour?

You can configure 'pass_filter' to discount entries with your disable-flag.
Affected users won't be able to authenticate with Dovecot, which I assume is
what you are trying to achieve.

-Ralph
Re: Dovecot and Letsencrypt certs
"I think it’s probably easier to just kick dovecot once a month." - that's
not good from system administration's point of view. You can get into
trouble when certificate is renewed but dovecot isn't reloaded yet. And,
doing something via cron just by-guess, once a month - is a no no logic.

"it seems like checking the certs is something that dovecot should be doing
on its own" if dovecot loads it in memory, it shouldn't reread certificates.
Why to take servers resources just 'because of something may be changed'
restarting dovecot with no need ?

And, never do restart if reload suits your needs. But check it first, if
reload action rereads certificate from file system.

2017-09-08 19:20 GMT+05:00 LuKreme:
> On Sep 8, 2017, at 07:56, Darac Marjal wrote:
>> #!/bin/bash
>>
>> set -e
>> set -u
>> set -o pipefail
>>
>> if [[ ${1} == "deploy_cert" && ${2} == "mail.darac.org.uk" ]]; then
>>     echo " + Hook: Restarting Dovecot..."
>>     /usr/sbin/service dovecot restart
>> fi
>>
>> That means that dovecot will be restarted only if the certificate for the
>> mail server is being deployed. If dehydrated runs, but fails to renew the
>> certificate, then dovecot won't be restarted. Similarly, if it renews a
>> different certificate, dovecot won't be restarted.
>
> That is a great solution, but I think it’s probably easier to just kick
> dovecot once a month.
>
> 4 4 4 * * service dovecot restart
>
> However, it seems like checking the certs is something that dovecot should be
> doing on its own.
>
> --
> This is my signature. There are many like it, but this one is mine.
disable imap for ldap user
hi there,

I have a LDAP dir with an attribute set to 0 or 1 and in my old setup (a
courier server) I used this attribute to map it to an authoption called
disableimap. This prevent users to access the mailbox with imap protocol.

So the question is what should I set in dovecot to get the same behaviour?

I looked at the docs but the part with the pass_filter and service doesn't
really fit. Some advice would be appreciated

regards

--
Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220    fax: +49 351 8107227

Please check whether this mail really needs to be printed!
Before you print it, think about your responsibility and commitment to the
ENVIRONMENT
Re: Automatic DB password hash scheme selection
Hi all,

Is there a way to get dovecot to recognize arbitrary password hash schemes
when looking up a password in a database? I originally set up with
#default_pass_scheme = MD5, and I would like to migrate to SHA512. Is this
possible currently?

Thanks,
Kurt

Hi!

Prefix with {SCHEME}.

Hi Aki,

Thanks for the tip. This works, but when implementing it I discovered that
just setting the password type generically to 'CRYPT' will let Dovecot use
the built-in OS crypt decoding of the scheme number already encoded in the
password. It now automatically detects MD5, SHA256, and SHA512. If my Linux
distribution supported blowfish it would support that too.
Re: Hide public mailboxes from some users
> Is a user without the "lookup" ACL right to a given mailbox supposed to be
> able to see the mailbox listed in their email client?

Anything I can try to debug this further? Any hints or suggestions are
appreciated :-).
Re: Dovecot and Letsencrypt certs
On Sep 8, 2017, at 07:56, Darac Marjal wrote:
> #!/bin/bash
>
> set -e
> set -u
> set -o pipefail
>
> if [[ ${1} == "deploy_cert" && ${2} == "mail.darac.org.uk" ]]; then
>     echo " + Hook: Restarting Dovecot..."
>     /usr/sbin/service dovecot restart
> fi
>
> That means that dovecot will be restarted only if the certificate for the
> mail server is being deployed. If dehydrated runs, but fails to renew the
> certificate, then dovecot won't be restarted. Similarly, if it renews a
> different certificate, dovecot won't be restarted.

That is a great solution, but I think it’s probably easier to just kick
dovecot once a month.

4 4 4 * * service dovecot restart

However, it seems like checking the certs is something that dovecot should be
doing on its own.

--
This is my signature. There are many like it, but this one is mine.
Re: Dovecot and Letsencrypt certs
On Fri, Sep 08, 2017 at 06:47:25AM -0600, @lbutlr wrote:
> So this morning at 4am I was awoken to my mail clients getting certificate
> errors for an expired certificate.
>
> I hopped on to the server and checked and… no, the LE certs renewed last
> month and are valid until November.
>
> After some moments of confusion I noticed that dovecot had been running
> since before the renewal, so I did a quick service dovecot restart which
> fixed everything.
>
> Should dovecot check for certs being refreshed? Or is this an artifact of
> my using symbolic links everywhere to point to the newest LE certs (which
> are themselves links the dehydrate script creates to point to the newest
> cert-1502534746.csr etc files?

As you're using dehydrated, I can share what I do. My hook script basically
calls "run-parts /etc/dehydrated/hooks.d/" so I can just drop hook scripts
into that directory. Then in the hooks.d directory, I have the following:

#!/bin/bash

set -e
set -u
set -o pipefail

if [[ ${1} == "deploy_cert" && ${2} == "mail.darac.org.uk" ]]; then
    echo " + Hook: Restarting Dovecot..."
    /usr/sbin/service dovecot restart
fi

That means that dovecot will be restarted only if the certificate for the
mail server is being deployed. If dehydrated runs, but fails to renew the
certificate, then dovecot won't be restarted. Similarly, if it renews a
different certificate, dovecot won't be restarted.

Hope that helps.

> Should I just create a monthly cron to restart dovecot or is there
> something else?
>
> --
> Apple broke AppleScripting signatures in Mail.app, so no random signatures.

--
For more information, please reread.
Re: Dovecot and Letsencrypt certs
On 08-09-2017 09:47, @lbutlr wrote:
> Should dovecot check for certs being refreshed? Or is this an artifact of my
> using symbolic links everywhere to point to the newest LE certs (which are
> themselves links the dehydrate script creates to point to the newest
> cert-1502534746.csr etc files?
>
> Should I just create a monthly cron to restart dovecot or is there something
> else?

Dovecot needs a restart after the certificate is changed. certbot allows you
to define hooks to be run after a certificate is renewed, so you could use
that feature to restart dovecot after the renewal. Other clients might have
similar features.

--
While you recently had your problems on the run, they've regrouped and are
making another attack.

Eduardo M KALINOWSKI
edua...@kalinowski.com.br
Re: Dovecot and Letsencrypt certs
Dovecot seems to load certificates into memory and don't refresh them until
restart, or may be reload. And this is a correct logic. You better add
restart/reload task to the LE cron job after the successful renewal of LE
certificate. Check that it really works as it should. Dovecot shouldn't be
restarted/reloaded if certificate wasn't changed.

2017-09-08 17:47 GMT+05:00 @lbutlr:
> So this morning at 4am I was awoken to my mail clients getting certificate
> errors for an expired certificate.
>
> I hopped on to the server and checked and… no, the LE certs renewed last
> month and are valid until November.
>
> After some moments of confusion I noticed that dovecot had been running since
> before the renewal, so I did a quick service dovecot restart which fixed
> everything.
>
> Should dovecot check for certs being refreshed? Or is this an artifact of my
> using symbolic links everywhere to point to the newest LE certs (which are
> themselves links the dehydrate script creates to point to the newest
> cert-1502534746.csr etc files?
>
> Should I just create a monthly cron to restart dovecot or is there something
> else?
>
> --
> Apple broke AppleScripting signatures in Mail.app, so no random signatures.
Dovecot and Letsencrypt certs
So this morning at 4am I was awoken to my mail clients getting certificate
errors for an expired certificate.

I hopped on to the server and checked and… no, the LE certs renewed last
month and are valid until November.

After some moments of confusion I noticed that dovecot had been running since
before the renewal, so I did a quick service dovecot restart which fixed
everything.

Should dovecot check for certs being refreshed? Or is this an artifact of my
using symbolic links everywhere to point to the newest LE certs (which are
themselves links the dehydrate script creates to point to the newest
cert-1502534746.csr etc files?

Should I just create a monthly cron to restart dovecot or is there something
else?

--
Apple broke AppleScripting signatures in Mail.app, so no random signatures.
Re: password reset
On Sep 8, 2017, at 3:20 AM, Steffen Kaiser wrote:
>
>> sudo passed
>
> After you did so, where does the password *not* work? In Dovecot?

I never got as far as checking in dovecot. It did not work from the command
line.

>> if I try to change the password in the user's account (after su ) t
>> requires the old password.
> even after sudo passwd?

Right.

>> When I try to change the password with sudo, the timestamp on /etc/passwd
>> gets updated but there is nothing logged to anything in /var/log/
>
> Hmm, does the entry in /etc/passwd change, too?

There is no obvious change in the passwd file. I haven't tried to look in
spwf.db, but its time stamp also changes.

--
Apple broke AppleScripting signatures in Mail.app, so no random signatures.
Problems to configure IMAP Quota
Hello,

We manage a mail server using Dovecot under Debian. Since a long time, we
run nightly a script permitting to display the storage usage of each user on
the webmail, using internal calls. The usage on each mailbox is stored in a
MySQL database.

For several reasons, we would now want to use the IMAP quota feature, not
only to let users have the quota displayed from their Mail clients. But
testing that feature, I encounter two problems:

1) It seems that when we use the sql dict, a map containing the pattern
"priv/quota/limit/messages" is mandatory. Not specifying it in
dovecot-dict-sql.conf.ext issues an error. As we are interested only by the
storage size and don't want to process the number of messages, how to get
rid of it ?

2) We store the storage value in kilobytes. But the plugin seems to only
accept storage in bytes. Is there any way to let know to dovecot that the
value stored in the database is in kilobytes ? (of course, I tried to put
"size/1024" in the value_field field of the map. It works, but generate a
lot of error lines in the dovecot log as it create a syntaxly incorrect
MySQL update request...)

Jacques.

--
The last man connected to the Internet was browsing some old WebSites. "You
have new mail" appeared on the screen...
--- adapted from a short Fredric Brown's story
Re: doveadm expunge returns error code 68
Hi Aki,

On Wed, Sep 06, 2017 at 11:26:30AM +0300, Aki Tuomi wrote:
> On 05.09.2017 14:39, Florian Lohoff wrote:
> > Hi,
> > i am running basically this from cron:
> >
> > /usr/bin/doveadm -v expunge -u * mailbox INBOX.Spam SENTBEFORE 90d
> > /usr/bin/doveadm -v expunge -u * mailbox INBOX.Trash SENTBEFORE 90d
> > /usr/bin/doveadm -v expunge -u * mailbox INBOX.Junk SENTBEFORE 90d
> >
> > Now i am experiencing that the first line e.g. expunging INBOX.Spam
> > returns the error code 68. No syslog/Output whatsoever. I tried
> > running with -vvv -D which gives me a lot of output (for all mailboxes)
> > but still i am unable to pinpoint the problem. The later 2 commands
> > return "0" as expected.
> >
> > Where does the error return code come from and what does 68 mean?
> You probably should use -A instead of -u *.

My problem is not that it does not process all users. The problem is that i
dont get ANY error message except the exit code. No logging at all. I tried
to find any define in the source-code with 68 and failed to find one. So i
am completely clueless where the problem is.

And -A returns the very same exit code - on Jessie and Stretch.

Flo
--
Florian Lohoff f...@zz.de
UTF-8 Test: The 🐈 ran after a 🐁, but the 🐁 ran away
Re: Is it possible to disable pipelining in imapc?
On 09/08/2017 01:53 PM, Aki Tuomi wrote:
> On 08.09.2017 14:50, Nagy, Attila wrote:
>> Hi,
>>
>> I've a broken IMAP server, which doesn't support pipelining and fails
>> on dovecot's attempt to do this ([C] is dovecot's imapc, [S] is the
>> IMAP server):
>>
>> [C] 24 LOGIN "user" "pass"
>> [S] 23 OK
>> [C] 25 SELECT "INBOX"
>> [C] 23 UID FETCH 2 (INTERNALDATE)
>> [S] 25 OK
>> [S] 23 BAD No mailbox selected
>>
>> Sadly, fixing the server would be a hard task, turning off pipelining
>> in dovecot's imapc (which already supports many workarounds for
>> different servers) could be easy...
>>
>> ... except I can see no place to do this in imapc (only in pop3c and
>> imap proxy, which I guess doesn't apply here).
>>
>> If I'm right, may I ask for a knob for such dumb servers?
>>
>> Thanks,
>
> For proxy, use proxy_nopipelining

Are you sure it works with imapc? I've tried it, and dovecot still does the
above.
Re: pop3-login core dump when using TLSSTART on version dovecot-2.2.32 (OPEN)
I assume you mean STARTTLS. Can you provide

gdb /path/to/bin /path/to/core

and provide output of bt full?

Aki

On 08.09.2017 15:01, arvid.ei...@telenor.com wrote:
> Hi,
>
> Pop3-login are CORE-dumping when I log on with TLSSTART, I believe the same
> will happen with imap-logon too, but I have not tested it yet.
> The TLS session is coming up and it works fine until I log off, then it's
> core dump. OpenSSL version is openssl-1.0.2k.
> We ran dovecot-2.2.27 before we upgraded to dovecot-2.2.32, and that seems
> to work fine. (not core dumping)
>
> Arvid
>
> LOG
> Sep 05 14:27:34 pop3-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> Sep 05 14:30:30 pop3-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> Sep 05 14:30:30 pop3-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> Sep 05 14:30:42 pop3-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> Sep 05 14:30:42 pop3-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> Sep 05 14:30:50 pop3-login: Info: Login: user=, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=18361, secured, session=<65m8ZXBYtpN/AAAB>
> Sep 05 14:30:50 pop3-login: Error: ENGINE_finish, bad functional reference count
> Sep 05 14:30:50 pop3-login: Fatal: master: service(pop3-login): child 18359 killed with signal 6 (core dumped)
>
> From ./crypto/engine/eng_init.c
>
> .
> int engine_unlocked_finish(ENGINE *e, int unlock_for_handlers)
> {
>     int to_return = 1;
>
>     /*
>      * Reduce the functional reference count here so if it's the terminating
>      * case, we can release the lock safely and call the finish() handler
>      * without risk of a race. We get a race if we leave the count until
>      * after and something else is calling "finish" at the same time -
>      * there's a chance that both threads will together take the count from 2
>      * to 0 without either calling finish().
>      */
>     e->funct_ref--;
>     engine_ref_debug(e, 1, -1);
>     if ((e->funct_ref == 0) && e->finish) {
>         if (unlock_for_handlers)
>             CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
>         to_return = e->finish(e);
>         if (unlock_for_handlers)
>             CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
>         if (!to_return)
>             return 0;
>     }
> #ifdef REF_CHECK
>     if (e->funct_ref < 0) {
>         fprintf(stderr, "ENGINE_finish, bad functional reference count\n");
>         abort();
>
> .
>
> /* The API (locked) version of "finish" */
> int ENGINE_finish(ENGINE *e)
> {
>     int to_return = 1;
>
>     if (e == NULL) {
>         ENGINEerr(ENGINE_F_ENGINE_FINISH, ERR_R_PASSED_NULL_PARAMETER);
>         return 0;
>     }
>     CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
>     to_return = engine_unlocked_finish(e, 1);
>     CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
>     if (!to_return) {
>         ENGINEerr(ENGINE_F_ENGINE_FINISH, ENGINE_R_FINISH_FAILED);
>         return 0;
>     }
>     return to_return;
> }
pop3-login core dump when using TLSSTART on version dovecot-2.2.32 (OPEN)
Hi,

Pop3-login are CORE-dumping when I log on with TLSSTART, I believe the same
will happen with imap-logon too, but I have not tested it yet.
The TLS session is coming up and it works fine until I log off, then it's
core dump. OpenSSL version is openssl-1.0.2k.
We ran dovecot-2.2.27 before we upgraded to dovecot-2.2.32, and that seems
to work fine. (not core dumping)

Arvid

LOG
Sep 05 14:27:34 pop3-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 05 14:30:30 pop3-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 05 14:30:30 pop3-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 05 14:30:42 pop3-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 05 14:30:42 pop3-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 05 14:30:50 pop3-login: Info: Login: user=, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=18361, secured, session=<65m8ZXBYtpN/AAAB>
Sep 05 14:30:50 pop3-login: Error: ENGINE_finish, bad functional reference count
Sep 05 14:30:50 pop3-login: Fatal: master: service(pop3-login): child 18359 killed with signal 6 (core dumped)

From ./crypto/engine/eng_init.c

.
int engine_unlocked_finish(ENGINE *e, int unlock_for_handlers)
{
    int to_return = 1;

    /*
     * Reduce the functional reference count here so if it's the terminating
     * case, we can release the lock safely and call the finish() handler
     * without risk of a race. We get a race if we leave the count until
     * after and something else is calling "finish" at the same time -
     * there's a chance that both threads will together take the count from 2
     * to 0 without either calling finish().
     */
    e->funct_ref--;
    engine_ref_debug(e, 1, -1);
    if ((e->funct_ref == 0) && e->finish) {
        if (unlock_for_handlers)
            CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
        to_return = e->finish(e);
        if (unlock_for_handlers)
            CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
        if (!to_return)
            return 0;
    }
#ifdef REF_CHECK
    if (e->funct_ref < 0) {
        fprintf(stderr, "ENGINE_finish, bad functional reference count\n");
        abort();

.

/* The API (locked) version of "finish" */
int ENGINE_finish(ENGINE *e)
{
    int to_return = 1;

    if (e == NULL) {
        ENGINEerr(ENGINE_F_ENGINE_FINISH, ERR_R_PASSED_NULL_PARAMETER);
        return 0;
    }
    CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
    to_return = engine_unlocked_finish(e, 1);
    CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
    if (!to_return) {
        ENGINEerr(ENGINE_F_ENGINE_FINISH, ENGINE_R_FINISH_FAILED);
        return 0;
    }
    return to_return;
}
Re: Is it possible to disable pipelining in imapc?
On 08.09.2017 14:50, Nagy, Attila wrote:
> Hi,
>
> I've a broken IMAP server, which doesn't support pipelining and fails
> on dovecot's attempt to do this ([C] is dovecot's imapc, [S] is the
> IMAP server):
>
> [C] 24 LOGIN "user" "pass"
> [S] 23 OK
> [C] 25 SELECT "INBOX"
> [C] 23 UID FETCH 2 (INTERNALDATE)
> [S] 25 OK
> [S] 23 BAD No mailbox selected
>
> Sadly, fixing the server would be a hard task, turning off pipelining
> in dovecot's imapc (which already supports many workarounds for
> different servers) could be easy...
>
> ... except I can see no place to do this in imapc (only in pop3c and
> imap proxy, which I guess doesn't apply here).
>
> If I'm right, may I ask for a knob for such dumb servers?
>
> Thanks,

For proxy, use proxy_nopipelining

Aki
Is it possible to disable pipelining in imapc?
Hi,

I've a broken IMAP server, which doesn't support pipelining and fails on dovecot's attempt to do this ([C] is dovecot's imapc, [S] is the IMAP server):

[C] 24 LOGIN "user" "pass"
[S] 23 OK
[C] 25 SELECT "INBOX"
[C] 23 UID FETCH 2 (INTERNALDATE)
[S] 25 OK
[S] 23 BAD No mailbox selected

Sadly, fixing the server would be a hard task, turning off pipelining in dovecot's imapc (which already supports many workarounds for different servers) could be easy...

... except I can see no place to do this in imapc (only in pop3c and imap proxy, which I guess doesn't apply here).

If I'm right, may I ask for a knob for such dumb servers?

Thanks,
Re: password reset
On 09/08/2017 11:20 AM, Steffen Kaiser wrote:
> When I try to change the password with sudo, the timestamp on /etc/passwd gets updated but there is nothing logged to anything in /var/log/

/etc/shadow should get updated but not /etc/passwd!
Make a copy of /etc/passwd before the change and look at the diff.

Olaf

--
Karlsruher Institut für Technologie (KIT)
ATIS - Abt. Technische Infrastruktur, Fakultät für Informatik
Dipl.-Geophys. Olaf Hopp - Head of IT Services -
Am Fasanengarten 5, Gebäude 50.34, Raum 009
76131 Karlsruhe
Phone: +49 721 608-43973
Fax: +49 721 608-46699
E-Mail: olaf.h...@kit.edu
atis.informatik.kit.edu
www.kit.edu
KIT – The Research University in the Helmholtz Association
KIT has been certified as a family-friendly university since 2010.
Re: password reset
On Thu, 7 Sep 2017, @lbutlr wrote:
> I have a local user who cannot login because of a forgotten password, so I went to reset her password with sudo passwd

After you did so, where does the password *not* work? In Dovecot?

doveadm auth cache flush

> if I try to change the password in the user's account (after su ) it requires the old password.

even after sudo passwd?

> When I try to change the password with sudo, the timestamp on /etc/passwd gets updated but there is nothing logged to anything in /var/log/

Hmm, does the entry in /etc/passwd change, too?

--
Steffen Kaiser
Re: EOF from net_disconnect(fd)
If you are using a unix socket, you could use socat to see what's going on there. It might require a little setting up though.

Aki

On 08.09.2017 10:16, Steffan Cline wrote:
> I'm not the originator. I'm just trying to do some maintenance on the code to
> make it work for CentOS 7.
>
> I'll check out those two.
>
> Any ideas on how to check exactly what's sent via the socket? If the EOF is
> sent, I know to dig further into the daemon code.
>
> Thanks,
> Steffan Cline
> stef...@hldns.com
> 602-793-0014
>
>> On Sep 7, 2017, at 11:43 PM, Aki Tuomi wrote:
>>
>> Hi!
>>
>> Nice to hear you are developing this, I'll add it to our wiki if it's
>> not there.
>>
>> Please don't use net_transmit, it's going away. You should use ostream
>> and istream instead.
>>
>> Aki
>>
>>> On 08.09.2017 09:29, Steffan Cline wrote:
>>> I’m working on an OS project from github. There are two parts:
>>>
>>> Dovecot plugin - https://github.com/st3fan/dovecot-xaps-plugin
>>>
>>> Daemon written in Go - https://github.com/st3fan/dovecot-xaps-daemon
>>>
>>> # dovecot --version
>>> 2.2.10
>>>
>>> Both parts worked fine on CentOS 6 but I recently rebuilt them both for
>>> CentOS 7 and have run into some errors.
>>>
>>> The plugin sends a notification over a socket to the daemon. The daemon
>>> then processes the request and returns a message to the plugin.
>>>
>>> The plugin reads the response then closes the socket and at that point, I’m
>>> running into an issue.
>>>
>>> The daemon reports the following: read unix /tmp/xapsd.sock->@: read:
>>> connection reset by peer
>>>
>>> In reading the Go language docs, it says that it will throw the first error
>>> it hits before the EOF from the socket. This led me to think that perhaps
>>> the plugin was not sending an EOF when closing the socket.
>>>
>>> I tried to write an EOF to the socket before the close but no change.
>>> Everything works between the plugin and daemon right up until the socket
>>> close.
>>>
>>> Is there a way to monitor the stream through the socket so I can see if the
>>> plugin is indeed sending the EOF? Knowing that lets me know if I need to
>>> chase down the issue in the Go daemon code.
>>>
>>> I’m no pro with C but I tried. The snippet from the plugin follows:
>>>
>>> alarm(1);
>>> {
>>>     if (net_transmit(fd, str_data(req), str_len(req)) < 0) {
>>>         i_error("write(%s) failed: %m", socket_path);
>>>         ret = -1;
>>>     } else {
>>>         char res[1024];
>>>         ret = net_receive(fd, res, sizeof(res)-1);
>>>         if (ret < 0) {
>>>             i_error("read(%s) failed: %m", socket_path);
>>>         } else {
>>>             res[ret] = '\0';
>>>             if (strncmp(res, "OK ", 3) == 0) {
>>>                 ret = 0;
>>>             }
>>>         }
>>>     }
>>> }
>>> alarm(0);
>>>
>>> char stx[1];
>>> stx[0]=(char) 4;
>>> //stx[1]='\0';
>>> if ( net_transmit(fd, stx, sizeof(stx) ) < 0 ) {
>>>     i_error("Error writing EOF");
>>> }
>>>
>>> //string_t *testEOF= t_str_new(2);
>>> //str_append(testEOF, (char*) 4);
>>> //if ( net_transmit(fd, str_data(testEOF), str_len(testEOF) ) < 0 ) {
>>> // i_error("Error writing EOF");
>>> //}
>>>
>>> //i_close_fd(&fd);
>>> net_disconnect(fd);
>>> fd=-1;
>>>
>>> Thank you,
>>> Steffan Cline
>>> 602-793-0014
Re: EOF from net_disconnect(fd)
I'm not the originator. I'm just trying to do some maintenance on the code to make it work for CentOS 7.

I'll check out those two.

Any ideas on how to check exactly what's sent via the socket? If the EOF is sent, I know to dig further into the daemon code.

Thanks,
Steffan Cline
stef...@hldns.com
602-793-0014

> On Sep 7, 2017, at 11:43 PM, Aki Tuomi wrote:
>
> Hi!
>
> Nice to hear you are developing this, I'll add it to our wiki if it's
> not there.
>
> Please don't use net_transmit, it's going away. You should use ostream
> and istream instead.
>
> Aki
>
>> On 08.09.2017 09:29, Steffan Cline wrote:
>> I’m working on an OS project from github. There are two parts:
>>
>> Dovecot plugin - https://github.com/st3fan/dovecot-xaps-plugin
>>
>> Daemon written in Go - https://github.com/st3fan/dovecot-xaps-daemon
>>
>> # dovecot --version
>> 2.2.10
>>
>> Both parts worked fine on CentOS 6 but I recently rebuilt them both for
>> CentOS 7 and have run into some errors.
>>
>> The plugin sends a notification over a socket to the daemon. The daemon then
>> processes the request and returns a message to the plugin.
>>
>> The plugin reads the response then closes the socket and at that point, I’m
>> running into an issue.
>>
>> The daemon reports the following: read unix /tmp/xapsd.sock->@: read:
>> connection reset by peer
>>
>> In reading the Go language docs, it says that it will throw the first error
>> it hits before the EOF from the socket. This led me to think that perhaps
>> the plugin was not sending an EOF when closing the socket.
>>
>> I tried to write an EOF to the socket before the close but no change.
>> Everything works between the plugin and daemon right up until the socket
>> close.
>>
>> Is there a way to monitor the stream through the socket so I can see if the
>> plugin is indeed sending the EOF? Knowing that lets me know if I need to
>> chase down the issue in the Go daemon code.
>>
>> I’m no pro with C but I tried. The snippet from the plugin follows:
>>
>> alarm(1);
>> {
>>     if (net_transmit(fd, str_data(req), str_len(req)) < 0) {
>>         i_error("write(%s) failed: %m", socket_path);
>>         ret = -1;
>>     } else {
>>         char res[1024];
>>         ret = net_receive(fd, res, sizeof(res)-1);
>>         if (ret < 0) {
>>             i_error("read(%s) failed: %m", socket_path);
>>         } else {
>>             res[ret] = '\0';
>>             if (strncmp(res, "OK ", 3) == 0) {
>>                 ret = 0;
>>             }
>>         }
>>     }
>> }
>> alarm(0);
>>
>> char stx[1];
>> stx[0]=(char) 4;
>> //stx[1]='\0';
>> if ( net_transmit(fd, stx, sizeof(stx) ) < 0 ) {
>>     i_error("Error writing EOF");
>> }
>>
>> //string_t *testEOF= t_str_new(2);
>> //str_append(testEOF, (char*) 4);
>> //if ( net_transmit(fd, str_data(testEOF), str_len(testEOF) ) < 0 ) {
>> // i_error("Error writing EOF");
>> //}
>>
>> //i_close_fd(&fd);
>> net_disconnect(fd);
>> fd=-1;
>>
>> Thank you,
>> Steffan Cline
>> 602-793-0014
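The message above asks whether the plugin "sends an EOF" and tries writing byte 4 before closing. As an added example (not code from the plugin, the daemon or Dovecot), this C program uses socketpair() with constructed roles and a constructed reply string to show what the reading end of an AF_UNIX stream socket observes: byte 0x04 arrives as ordinary data, end of stream is the zero-length read after a half-close, and a close with unread data pending is one condition under which Linux reports "connection reset by peer" to the other end.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* What the daemon end of a connected AF_UNIX stream socket observes. */
struct eof_demo {
    ssize_t eot_len;        /* read() after the peer wrote byte 0x04 */
    unsigned char eot_byte; /* the byte that read() delivered */
    ssize_t eof_len;        /* read() after the peer half-closed */
    int unread_close_errno; /* errno after the peer closed with unread data */
};

int run_eof_demo(struct eof_demo *out)
{
    int sv[2], rc = -1; /* assumed roles: sv[0] = plugin, sv[1] = daemon */
    unsigned char buf[64] = {0}, eot = 4;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    /* Byte 0x04 is the terminal's Ctrl-D code; on a socket it is payload.
     * End of stream is signalled by half-closing (or closing) the sender. */
    if (write(sv[0], &eot, 1) == 1 && shutdown(sv[0], SHUT_WR) == 0) {
        out->eot_len = read(sv[1], buf, sizeof(buf)); /* 1: a data byte */
        out->eot_byte = buf[0];
        out->eof_len = read(sv[1], buf, sizeof(buf)); /* 0: end of stream */
        rc = 0;
    }
    close(sv[0]);
    close(sv[1]);
    if (rc != 0 || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    /* Second pair: the plugin end closes while the daemon's reply is unread.
     * Linux then fails the daemon's read() with ECONNRESET (else stays 0). */
    ssize_t w = write(sv[1], "OK constructed reply\n", 21);
    close(sv[0]);
    ssize_t n = read(sv[1], buf, sizeof(buf)); /* cannot block: peer is gone */
    out->unread_close_errno = (n < 0) ? errno : 0;
    close(sv[1]);
    return w == 21 ? 0 : -1;
}

int main(void)
{
    struct eof_demo r;
    if (run_eof_demo(&r) != 0)
        return 1;
    printf("eot=%zd/0x%02x eof=%zd errno=%d\n", r.eot_len, r.eot_byte, r.eof_len, r.unread_close_errno);
    return 0;
}
```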
Re: EOF from net_disconnect(fd)
If you read the entire context you'll see code from a dovecot plugin and I'm trying to determine if dovecot is sending an EOF when closing the socket or not because the other end of the socket is at fault. From there I can check elsewhere. Dovecot code, dovecot list, made sense to try here first.

Got any suggestions on how to check the socket traffic?

Thanks,
Steffan Cline
stef...@hldns.com
602-793-0014

> On Sep 7, 2017, at 11:42 PM, Ruben Safir wrote:
>
>> On 09/08/2017 02:29 AM, Steffan Cline wrote:
>> I’m working on an OS project from github. There are two parts:
>>
>> Dovecot plugin - https://github.com/st3fan/dovecot-xaps-plugin
>>
>> Daemon written in Go - https://github.com/st3fan/dovecot-xaps-daemon
>>
>
> what does this have to do with dovecot?
>
> --
> So many immigrant groups have swept through our town
> that Brooklyn, like Atlantis, reaches mythological
> proportions in the mind of the world - RI Safir 1998
> http://www.mrbrklyn.com
>
> DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
> http://www.nylxs.com - Leadership Development in Free Software
> http://www2.mrbrklyn.com/resources - Unpublished Archive
> http://www.coinhangout.com - coins!
> http://www.brooklyn-living.com
>
> Being so tracked is for FARM ANIMALS and extermination camps,
> but incompatible with living as a free human being. -RI Safir 2013