Re: How to limit Apple Mail (desktop)?
When Apple Mail connects to an IMAP account for the very first time, it downloads all e-mails to build a local mirror. When the user changes the name of a folder, Apple Mail downloads the whole subtree and erases the old one. We have Apple Mail users with >20GB worth of e-mails, downloaded multiple times (horrified emoticon here).

Sent from ProtonMail Mobile

On Mon, Oct 30, 2017 at 10:38 AM, Rupert Gallagher wrote:
> By default, Apple Mail downloads all e-mails from server's account. Previous
> versions of this client allowed to opt-out. The latest two versions? however,
> only allow to opt-out from downloading the attachments.
>
> The stress on the server is unbearable. We cannot ask users to be
> considerate: this is the default behaviour of Apple Mail.
>
> We need a server-side solution to the problem.
>
> Please share your ideas.
Re: Disconnected: Inactivity (no auth attempts in 180 secs)
Alexandre wrote:

> I can send and receive mails using:
> IMAP 143 with TLS

OK, IMAP STARTTLS is working in some sense. (Your MTA handles SMTP, not dovecot.)

> The hangup occurs inside of my LAN using Outlook 2016, and outside also trying access on 4G from my Android smartphone. My goal is enable also POP3s and IMAPs using TLS.
>
> [voluminous diagnostics]

I can't really see from what you present what the problem is. Can you report the output of

openssl s_client -starttls imap {imap-server}:143
openssl s_client -starttls pop3 {imap-server}:110

(from both inside and outside), as well as any matching log entries.

Joseph Tam
Disconnected: Inactivity (no auth attempts in 180 secs)
Hi,

I hope you guys can understand me since English is not my native language.

I am trying to set up Dovecot for IMAP and POP3 on FreeBSD 10.3 and it is not working on IMAPS or POP3S. Currently my setup is:

OS = FreeBSD 10.3 (I did not get enough time to update to 11)
Postfix = 3.2.3
Dovecot = 2.2.33.2 (d6601f4ec)
OpenSSL = 1.0.1s-freebsd
SSL Certificate = Let's Encrypt

I can send and receive mails using:
IMAP 143 with TLS
SMTP 587 with TLS

Usually on Linux distros it works pretty easily; when I don't forget something this should be working on the first try, but after spending 2 weeks working on it after arriving from my job without finding any solution, I am trying my luck asking for help from you guys, experts on Dovecot.

The hangup occurs inside of my LAN using Outlook 2016, and outside also, trying access on 4G from my Android smartphone. My goal is to enable also POP3S and IMAPS using TLS.

This is my data:

Dovecot -n:
# 2.2.33.2 (d6601f4ec): /usr/local/etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.21 (92477967)
# OS: FreeBSD 10.3-RELEASE-p22 amd64 zfs
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = yes
hostname = mail.mydomain.com
imap_client_workarounds = delay-newmail tb-extra-mailbox-sep tb-lsub-flags
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
lda_original_recipient_header = X-Original-To
mail_attachment_fs = sis-queue posix
mail_attachment_hash = %{sha512}
mail_debug = yes
mail_location = maildir:/usr/local/vmail/%d/%n:LAYOUT=fs
mail_plugins = quota acl
mail_privileged_group = vmail
mailbox_list_index = yes
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location = 
  mailbox Archives {
    auto = subscribe
    special_use = \Archive
  }
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Junk {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox "SentMessages" {
    auto = subscribe
    special_use = \Sent
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  mailbox virtual/All {
    auto = subscribe
    comment = All my messages
    special_use = \All
  }
  mailbox virtual/Flagged {
    auto = subscribe
    comment = All my flagged messages
    special_use = \Flagged
  }
  prefix = 
}
passdb {
  args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  acl = vfile
  quota = maildir:User quota
  quota_max_mail_size = 100M
  quota_rule = *:storage=1G
  quota_rule2 = Archive:storage=+1G
  quota_rule3 = Trash:storage=+100M
  quota_warning = storage=80%% quota-warning 80 %u
  sieve = /usr/local/vmail/%d/%n/.dovecot.sieve
  sieve_before = /usr/local/vmail/sieve/before.d/
  sieve_dir = /usr/local/vmail/%d/%n
  sieve_global_dir = /usr/local/vmail/sieve/%d
  sieve_global_path = /usr/local/vmail/sieve/%d/default.sieve
}
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
postmaster_address = postmas...@mydomain.com
protocols = imap pop3 lmtp sieve
quota_full_tempfail = yes
service auth-worker {
  user = vmail
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0600
    user = vmail
  }
}
service dict {
  unix_listener dict {
    mode = 0600
    user = vmail
  }
}
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
  process_min_avail = 2
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
  process_min_avail = 0
  service_count = 1
  vsz_limit = 64 M
}
service pop3-login {
  inet_listener pop3 {
    port = 110
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
service quota-warning {
  executable = script /usr/local/bin/quota-warning.sh
  unix_listener quota-warning {
    user = vmail
  }
  user = dovecot
}
ssl = required
ssl_ca = 

, rip=192.168.0.95, lip=10.0.0.32, TLS handshaking, session=<+Xf>
Oct 25 06:49:38 mail postfix/submission/smtpd[9400]: connect from unknown[192.168.0.95]:50860
Oct 25 06:49:38 mail postfix/submission/smtpd[9400]: Anonymous TLS connection established from unknown[192.168.0.95]:50860: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
Oct 25 06:49:38 mail dovecot: auth: Debug: auth client connected (pid=0)
Oct
Re: Password encryption
> Aki,

(Not speaking for Aki)

> I understand that salted passwords saved in my database and a stronger hash algorithm cause that it will require more processor time/power to crack my passwords. But only when hackers have direct access to my database, which means that hackers have access to my password hashes (e.g. hackers stole my database).
>
> My Dovecot uses passwords saved in the database as SHA256 and hackers can use only SMTP, IMAP or POP3 services to try to crack it using a dictionary attack (I understand that they are using plain text dictionary passwords).
>
> A stronger hash algorithm and salt is useful when hackers have direct access to my database, but when they use services such as SMTP, IMAP or POP3 to crack passwords only a longer and more complicated password can be more secure.
>
> Do I not understand this correctly?

Yes, your understanding is basically correct. However, history gives lots of examples of broken systems that explicitly or implicitly relied on one critical system not failing -- they lacked defense in depth or resilience. Examples are "this system has no bugs", "my system does not leak hashes", "this algorithm is unbreakable", "we'll never see a CAT5 hurricane", etc. If these critical assumptions ever become untrue, the foundation of your defense crumbles.

If you narrow your attack definition to only include in-protocol remote brute forcing, then any decent password will take far too long to break that way (esp. with throttling controls that are built-in). Your log files will overflow recording the attempts long before you can expect a password to be cracked. However, you're still susceptible to the qwerty passwords. If this is your *only* line of defense, it is brittle.

A robustly secure system will overlap protection: strong hashes, password compliance systems, brute force countermeasures, file permissions/OS hardening, network origins vetting, anti-DoS measures, etc.

Keep this picture in mind that I found on CLCERT:

https://www.clcert.cl/humor/img/weakest-link-road.jpg

Joseph Tam
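The two layers the reply describes, as an added example (not code from the thread or from Dovecot): an unsalted SHA256 store as in the question beside a salted, iterated PBKDF2 store, an audit check that shows why the unsalted form leaks information on its own, and a per-source failure throttle of the kind the "built-in throttling controls" remark refers to. All usernames, passwords and addresses are constructed sample values; the function names are mine.

```python
# Added example; not Dovecot's code. Contrasts an unsalted SHA256 password
# store with a salted, iterated one, and adds in-protocol failure throttling.
import hashlib
import hmac
import os
import time
from typing import Dict, List, Optional

ITERATIONS = 200_000  # work factor; raise as hardware gets faster


def unsalted_sha256(password: str) -> str:
    """The weak scheme from the question: equal passwords -> equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2-sha256$iterations$salt_hex$digest_hex' (constructed format)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2-sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations; constant-time compare."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2-sha256":
        raise ValueError("unknown scheme: %s" % scheme)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def duplicate_hashes(store: Dict[str, str]) -> List[str]:
    """Audit check: users whose stored hash equals an earlier user's hash.
    With unsalted hashes this reveals shared passwords; salted stores never match."""
    seen: Dict[str, str] = {}
    dupes = []
    for user, h in store.items():
        if h in seen:
            dupes.append(user)
        seen.setdefault(h, user)
    return sorted(dupes)


class FailureThrottle:
    """Per-source limiter: after max_failures failed logins inside `window`
    seconds, further attempts from that source are refused until old
    failures age out of the window."""

    def __init__(self, max_failures: int = 5, window: float = 300.0):
        self.max_failures = max_failures
        self.window = window
        self._failures: Dict[str, List[float]] = {}

    def allowed(self, source: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        recent = [t for t in self._failures.get(source, []) if now - t < self.window]
        self._failures[source] = recent
        return len(recent) < self.max_failures

    def record_failure(self, source: str, now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        self._failures.setdefault(source, []).append(now)


def attempt_login(store: Dict[str, str], throttle: FailureThrottle,
                  user: str, password: str, source: str,
                  now: Optional[float] = None) -> str:
    """Returns 'ok', 'bad-password' or 'throttled'. Unknown users are treated
    like wrong passwords so the response does not reveal which accounts exist."""
    if not throttle.allowed(source, now):
        return "throttled"
    if user in store and verify_password(password, store[user]):
        return "ok"
    throttle.record_failure(source, now)
    return "bad-password"


if __name__ == "__main__":
    weak = {u: unsalted_sha256(p) for u, p in
            [("alice", "Summer2017"), ("bob", "other"), ("carol", "Summer2017")]}
    print("shared passwords visible in unsalted store:", duplicate_hashes(weak))
    strong = {u: hash_password(p, iterations=1000) for u, p in
              [("alice", "Summer2017"), ("carol", "Summer2017")]}
    print("shared passwords visible in salted store:", duplicate_hashes(strong))
```

Dovecot itself ships salted schemes (for instance SHA512-CRYPT and PBKDF2, selectable with doveadm pw -s) and an auth_failure_delay setting, so in practice the two layers above are configuration rather than new code; the block only makes the reasoning in the reply visible.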
Re: How to limit Apple Mail (desktop)?
On 30.10.2017 at 17:50, Robert Schetterer wrote:
> On 30.10.2017 at 10:38, Rupert Gallagher wrote:
>> By default, Apple Mail downloads all e-mails from server's account.
>> Previous versions of this client allowed to opt-out. The latest two
>> versions? however, only allow to opt-out from downloading the attachments.
>>
>> The stress on the server is unbearable. We cannot ask users to be
>> considerate: this is the default behaviour of Apple Mail.
>>
>> We need a server-side solution to the problem.
>>
>> Please share your ideas.
>>
>
> First check if you can identify Apple Mail versions; I recently have
> none in my log, but e.g. Android does
>
> ---log
> ID sent: name=com.samsung.android.email.provider, os=android,
> os-version=7.0; NRD90M, vendor=samsung, x-android-device-model=SM-G930F
> -
>
> Then you need a procedure for limiting; I have no idea which one
>
> Best Regards
> Kind regards
> Robert Schetterer
>

I don't know Apple Mail very well, but as a workaround you might use sieve to presort mails on the server at incoming into (sub)folders which aren't synced by default, e.g. in a date-named folder; for sure users (you should know your Apple Mail users) then need to configure an extra subscribe on these folders. Perhaps a combination with virtual folders may be useful. For now I have no better idea; I am nearly sure this is not what you expected and/or wanted.

It seems Google has a feature to "hide" mails, see https://www.guidingtech.com/44581/prevent-mail-app-space-mac/; however I feel very strange with this.

Best Regards
Kind regards
Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
Re: How to limit Apple Mail (desktop)?
On 30.10.2017 at 10:38, Rupert Gallagher wrote:
> By default, Apple Mail downloads all e-mails from server's account. Previous
> versions of this client allowed to opt-out. The latest two versions? however,
> only allow to opt-out from downloading the attachments.
>
> The stress on the server is unbearable. We cannot ask users to be
> considerate: this is the default behaviour of Apple Mail.
>
> We need a server-side solution to the problem.
>
> Please share your ideas.
>

First check if you can identify Apple Mail versions; I recently have none in my log, but e.g. Android does

---log
ID sent: name=com.samsung.android.email.provider, os=android, os-version=7.0; NRD90M, vendor=samsung, x-android-device-model=SM-G930F
-

Then you need a procedure for limiting; I have no idea which one

Best Regards
Kind regards
Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
LDAP authentication and shadowExpire
Hi,

I am trying to configure Dovecot (2.2.27) with LDAP passdb, specifically with authentication binds (https://wiki.dovecot.org/AuthDatabase/LDAP/AuthBinds).

The attribute shadowExpire has a Unix time stamp value. Is there a way to write pass_filter like shadowExpire

Or maybe there is a better way to implement password expiration in Dovecot?

-- 
Sincerely
Mantas Gegužis
VU Informacinių technologijų taikymo centras
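One way to express the expiry check the question asks about, as an added example that is not part of the thread and not Dovecot's code: a filter builder that escapes the user-supplied value per RFC 4515 before it lands in the search filter, plus a local evaluator of shadowExpire. shadow(5) defines shadowExpire as days since 1970-01-01, while the question's directory stores a Unix timestamp, so the unit is a parameter. Whether the server honours an ordering comparison (<=) on shadowExpire depends on the directory supporting an ordering matching rule for that attribute, which is assumed here; the attribute names, thresholds and sample entries are constructed. Dovecot's pass_filter is static text with %n expanded by Dovecot, so a time-dependent threshold must be produced by whatever generates the configuration, which is what pass_filter() below does.

```python
# Added example; not Dovecot's code. Builds an escaped LDAP pass_filter that
# excludes expired accounts and evaluates shadowExpire locally.
import time
from typing import Dict, Optional

DAY = 86400
# RFC 4515 section 3: characters that must be hex-escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_escape(value: str) -> str:
    """Escape a value for safe use inside an LDAP search filter (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def current_threshold(now_ts: Optional[int] = None, unit: str = "days") -> int:
    """shadowExpire is compared against today's day number (shadow(5)) or,
    for directories that store a Unix timestamp, against the current time."""
    now_ts = int(time.time()) if now_ts is None else int(now_ts)
    if unit == "days":
        return now_ts // DAY
    if unit == "seconds":
        return now_ts
    raise ValueError("unit must be 'days' or 'seconds'")


def pass_filter(username: str, threshold: int) -> str:
    """Filter matching the account only if it has not expired. Accounts without
    shadowExpire never expire; those with shadowExpire <= threshold are excluded
    (shadow-utils treats now >= shadowExpire as expired)."""
    return "(&(objectClass=posixAccount)(uid=%s)(!(shadowExpire<=%d)))" % (
        ldap_escape(username), threshold)


def is_expired(entry: Dict[str, str], now_ts: Optional[int] = None,
               unit: str = "days") -> bool:
    """Evaluate an entry's shadowExpire locally, e.g. in a post-login policy
    check; absent/empty/negative values mean 'never expires'."""
    raw = entry.get("shadowExpire")
    if raw is None or str(raw).strip() == "":
        return False
    value = int(raw)
    if value < 0:  # -1 is the conventional "never expires"
        return False
    return value <= current_threshold(now_ts, unit)


if __name__ == "__main__":
    # Constructed sample: a directory entry and a fixed "now" (2017-10-30 12:00 UTC).
    now = 1509364800
    print(pass_filter("jo*hn", current_threshold(now)))
    print("expired:", is_expired({"shadowExpire": "17469"}, now))
    print("expired (timestamp unit):",
          is_expired({"shadowExpire": "1509321600"}, now, unit="seconds"))
```

The escaping matters even with authentication binds: the username reaches the search filter before any bind happens, so a value containing `*` or `)` would otherwise change the filter's meaning.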
Re: Dovecot and the Maildir path
On Mon, 30 Oct 2017, Will Merkens wrote:

> But when I look in the mail server at /var/spool/maildir the testuser is not created inside of userful.com but at the same level as userful.com contrary to the %d in mail_location settings.
>
> doveadm -D mailbox list -u 'testu...@userful.com'

this command bypasses passdb.

> Oct 30 07:37:12 mail2 dovecot[10722]: auth: Debug: ldap(testu...@userful.com,192.168.123.39,): result: uid=testuser; uid unused
> Oct 30 07:37:12 mail2 dovecot[10722]: auth: Debug: ldap(testu...@userful.com,192.168.123.39,): username changed testu...@userful.com -> testuser
> Oct 30 07:37:12 mail2 dovecot[10722]: auth: Debug: ldap(testuser,192.168.123.39,): result: uid=testuser

your passdb strips the domain.

> Any ideas and any settings files that I need to post.

Check the LDAP settings for "user" extra field

-- 
Steffen Kaiser
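To see why a domain-stripping passdb moves the mailbox, here is an added example (not Dovecot's code, which supports many more variables and modifiers than this): a minimal expansion of the %u, %n and %d variables in a mail_location template, applied to the username before and after the rewrite the log shows. The template and usernames are the ones from the thread; the function names are mine.

```python
# Added example; not Dovecot's variable expansion. Implements only %u (full
# user), %n (local part), %d (domain, empty when the user has none) and %%.
import posixpath
from typing import Tuple


def split_user(user: str) -> Tuple[str, str]:
    """'name@domain' -> ('name', 'domain'); a bare name has an empty domain."""
    if "@" in user:
        local, domain = user.split("@", 1)
        return local, domain
    return user, ""


def expand_mail_location(template: str, user: str) -> str:
    """Substitute %u/%n/%d/%% in a mail_location template."""
    local, domain = split_user(user)
    subst = {"u": user, "n": local, "d": domain, "%": "%"}
    out = []
    i = 0
    while i < len(template):
        ch = template[i]
        if ch == "%" and i + 1 < len(template) and template[i + 1] in subst:
            out.append(subst[template[i + 1]])
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def maildir_path(template: str, user: str) -> str:
    """Drop the 'maildir:' driver prefix and collapse empty path components,
    which is what the filesystem does with the '//' an empty %d leaves behind."""
    location = expand_mail_location(template, user)
    path = location.split(":", 1)[1] if location.startswith("maildir:") else location
    return posixpath.normpath(path)


def domain_preserved(template: str, login_user: str, passdb_user: str) -> bool:
    """True when the passdb rewrite leaves the mailbox in the same directory."""
    return maildir_path(template, login_user) == maildir_path(template, passdb_user)


if __name__ == "__main__":
    tmpl = "maildir:/var/spool/maildir/%d/%n/Maildir"
    for u in ("testuser@userful.com", "testuser"):
        print("%-22s -> %s" % (u, maildir_path(tmpl, u)))
    print("same mailbox:", domain_preserved(tmpl, "testuser@userful.com", "testuser"))
```

With the rewritten username the path collapses to /var/spool/maildir/testuser/Maildir, i.e. a sibling of the userful.com directory, which is exactly what the original post observed for the IMAP login path but not for the doveadm path that bypasses passdb.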
Dovecot and the Maildir path
System basics
Centos 7.3
Dovecot 2.2.32 (dfbe293d4)

I am working on a replacement mail server for work and one of the features I wanted was LDAP authentication. After much fiddling I got it to work. But I encountered an issue where two different methods of testing a mail account resulted in the mail_location being different.

I set mail_location = maildir:/var/spool/maildir/%d/%n/Maildir in dovecot.conf. When I test the authentication, and to see if the folders are created correctly on first use, I have two results depending on how I test.

First test was from openssl:

openssl s_client -connect mail2:993

I have no problem connecting; I issue the following commands:

* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN] Dovecot ready.
a login testu...@userful.com 
a OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE] Logged in
a list "" *
* LIST (\HasNoChildren) "." INBOX
a OK List completed (0.001 + 0.000 secs).
* BYE Disconnected for inactivity.
closed

But when I look in the mail server at /var/spool/maildir the testuser is not created inside of userful.com but at the same level as userful.com, contrary to the %d in mail_location settings.

Now second method:

doveadm -D mailbox list -u 'testu...@userful.com'

This correctly creates the user under the domain as specified.

For logs I have from journalctl, for openssl:

Oct 30 07:37:12 mail2 dovecot[10722]: auth: Debug: client in: AUTH 2 PLAIN service=imap secured session=VgBmvMNcQoTAqHsn lip=192.168.123.236 rip=192.168.123.39 lport=993 rport=33858 resp=AHRlc3R1c2VyQHVzZXJmdWwuY29tADk5dGVzdHVzZXI5OQ== (previous base64 data may contain sensitive data)
Oct 30 07:37:12 mail2 dovecot[10722]: auth: Debug: ldap(testu...@userful.com,192.168.123.39,): bind search: base=ou=People,dc=userful,dc=ca filter=(&(objectClass=posixAccount)(uid=testuser))
Oct 30 07:37:12 mail2 dovecot[10722]: auth: Debug: ldap(testu...@userful.com,192.168.123.39,): result: uid=testuser; uid unused
Oct 30 07:37:12 mail2 dovecot[10722]: auth: Debug: ldap(testu...@userful.com,192.168.123.39,): username changed testu...@userful.com -> testuser
Oct 30 07:37:12 mail2 dovecot[10722]: auth: Debug: ldap(testuser,192.168.123.39,): result: uid=testuser
Oct 30 07:37:12 mail2 dovecot[10722]: auth: Debug: client passdb out: OK 2 user=testuser original_user=testu...@userful.com
Oct 30 07:37:12 mail2 dovecot[10722]: auth: Debug: master in: REQUEST 2784755713 10725 2 d4a357fe811a1da8bd725b82fc1da2ab session_pid=11051 request_auth_token
Oct 30 07:37:12 mail2 dovecot[10722]: auth: Debug: ldap(testuser,192.168.123.39,): user search: base=ou=People,dc=userful,dc=ca scope=subtree filter=(&(objectClass=posixAccount)(uid=testuser)) fields=homeDirectory,uidNumber,gidNumber
Oct 30 07:37:12 mail2 dovecot[10722]: auth: Debug: ldap(testuser,192.168.123.39,): result: homeDirectory=/nfs/home/test-user uidNumber=6000 gidNumber=1000; homeDirectory,uidNumber,gidNumber unused
Oct 30 07:37:12 mail2 dovecot[10722]: auth: Debug: ldap(testuser,192.168.123.39,): result: homeDirectory=/nfs/home/test-user uidNumber=6000 gidNumber=1000
Oct 30 07:37:12 mail2 dovecot[10722]: auth: Debug: master userdb out: USER 2784755713 testuser home=/nfs/home/test-user uid=6000 gid=1000 auth_token=29e6ac32c85cf1b69eeabbe8e4f8e4810e9a3468 auth_user=testu...@userful.com
Oct 30 07:37:12 mail2 dovecot[10722]: imap-login: Login: user=, method=PLAIN, rip=192.168.123.39, lip=192.168.123.236, mpid=11051, TLS, session=

For doveadm:

Oct 30 07:39:12 mail2 dovecot[10722]: auth: Debug: master in: USER 1 testu...@userful.com service=doveadm
Oct 30 07:39:12 mail2 dovecot[10722]: auth: Debug: ldap(testu...@userful.com): user search: base=ou=People,dc=userful,dc=ca scope=subtree filter=(&(objectClass=posixAccount)(uid=testuser)) fields=homeDirectory,uidNumber,gidNumber
Oct 30 07:39:12 mail2 dovecot[10722]: auth: Debug: ldap(testu...@userful.com): result: homeDirectory=/nfs/home/test-user uidNumber=6000 gidNumber=1000; homeDirectory,uidNumber,gidNumber unused
Oct 30 07:39:12 mail2 dovecot[10722]: auth: Debug: ldap(testu...@userful.com): result: homeDirectory=/nfs/home/test-user uidNumber=6000 gidNumber=1000
Oct 30 07:39:12 mail2 dovecot[10722]: auth: Debug: userdb out: USER 1 testu...@userful.com home=/nfs/home/test-user uid=6000 gid=1000

Any ideas, and any settings files that I need to post?

-- 
William Merkens
IT Support Analyst
Userful Corporation
+1 403.289
Re: Bug: lmtp proxy does not quote local parts with spaces
On 26/10/2017 19:33, David Zambonini wrote:
> On 26/10/2017 18:38, Alexander Dalloz wrote:
>> On 26.10.2017 at 12:20, David Zambonini wrote:
>>>
>>> There seems to be a bug with RFC822 processing in ltmp proxying that
>>> doesn't
>>> quote local parts that, for example, contain spaces.
>>
>> Newer related RFCs are RFC 5321 and 5322.
>
> Typo, meant to say RFC2822, which they still supersede, not that the
> local-part spec has changed. :)
>
>>
>> [ ... ]
>>
>>> MAIL FROM:\r\n
>>> RCPT TO:\r\n
>>>
>>> 501 5.5.4 Invalid.parameters\r\n
>>
>> That recipient address is totally invalid. It is neither just a local
>> part without a domain, nor a plussed address destination.
>>
>> Check your setup with i.e.
>>
>> RCPT TO:<"Junk E-mail"@deemzed.uk>
>>
>> or
>>
>> RCPT TO:<"test+Junk E-mail"@deemzed.uk>
>
> Apologies, I was attempting to cut the config down at the time the dump
> was taken. Correcting (I can provide config privately, but not share to
> list), I still get:
>
> MAIL FROM:\r\n
> RCPT TO:<"deemzed.uk+Junk E-mail"@mailbox.localhost>\r\n
> DATA\r\n
> (etc)
> .\r\n
>
> 501 5.5.4 Invalid parameters\r\n
>
> QUIT\r\n
>
> from director -> dovecot LMTP network dump:
>
> I could have a look at
> starting to get a fix together tomorrow with an aim to providing a pull
> request, if it turns out there are no side-effects to treating
> lmtp_rcpt.address like this and you'd like an example of what I mean.

My apologies for not adding your address on my initial response, Alexander - not sure if you noticed what I replied with or not.

Nope, this isn't going to happen. I'm not familiar with the dovecot internals but lmtp uses just the address string in the form of "full address with quotes stripped from local part but otherwise not decoded" and nothing else throughout, which touches on quite a bit of code. It makes it indeterminate and not always possible to reassemble the original; it's a bit of a trainwreck.

The sanest option to me seems to be to store a decoded local part and domain in addition to the detail in mail_recipient, and keeping a now properly rfc822 encoded address in sync with it. However, this would cause a deviation from existing behaviour for the full original user (the quotes would be seen).

I'm between a rock and a hard place here - at the very least I'd like this bug to be officially recognised.

-- 
David Zambonini
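What "properly quoted" means for an SMTP/LMTP local-part, and why the quotes-stripped form the thread describes cannot be turned back into the original, as an added example that is neither Dovecot's LMTP code nor the fix David proposes: a formatter that quotes a local-part per RFC 5321 section 4.1.2 (Dot-string or Quoted-string), a strict parser that decodes the quoted form, and the lossy strip-the-quotes transformation for comparison. The addresses from the thread are reused; the other sample addresses and all function names are constructed.

```python
# Added example; not Dovecot's code. RFC 5321 local-part quoting/unquoting,
# and the lossy "quotes stripped, not decoded" form described in the thread.
import re
from typing import Tuple

# Dot-string = Atom *("." Atom); Atom = 1*atext (RFC 5321 4.1.2 / RFC 5322 3.2.3)
_ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
_DOT_STRING = re.compile(r"^%s(\.%s)*$" % (_ATEXT, _ATEXT))


def needs_quoting(local_part: str) -> bool:
    """Anything that is not a Dot-string must be sent as a Quoted-string."""
    return not _DOT_STRING.match(local_part)


def quote_local_part(local_part: str) -> str:
    """Return the on-the-wire form: Dot-string as-is, otherwise a Quoted-string
    with backslash and double-quote escaped (quoted-pair)."""
    if not needs_quoting(local_part):
        return local_part
    escaped = local_part.replace("\\", "\\\\").replace('"', '\\"')
    return '"%s"' % escaped


def format_path(local_part: str, domain: str) -> str:
    """Build the <Path> used in MAIL FROM / RCPT TO."""
    return "<%s@%s>" % (quote_local_part(local_part), domain)


def parse_path(path: str) -> Tuple[str, str]:
    """Parse '<local@domain>' into a decoded (local_part, domain).
    Raises ValueError for input that is not a valid Path."""
    if not (path.startswith("<") and path.endswith(">")):
        raise ValueError("path must be enclosed in <>")
    inner = path[1:-1]
    if inner.startswith('"'):
        i, chars = 1, []
        while i < len(inner):
            c = inner[i]
            if c == "\\":                      # quoted-pair: take next char literally
                if i + 1 >= len(inner):
                    raise ValueError("dangling backslash in quoted-string")
                chars.append(inner[i + 1])
                i += 2
                continue
            if c == '"':                       # closing quote
                break
            chars.append(c)
            i += 1
        else:
            raise ValueError("unterminated quoted-string")
        rest = inner[i + 1:]
        if not rest.startswith("@") or len(rest) < 2:
            raise ValueError("expected @domain after quoted local part")
        return "".join(chars), rest[1:]
    if inner.count("@") != 1:
        raise ValueError("expected exactly one @ in an unquoted path")
    local, domain = inner.split("@")
    if needs_quoting(local):
        raise ValueError("local part %r is not a Dot-string and is unquoted" % local)
    return local, domain


def strip_quotes_only(path: str) -> str:
    """The lossy form the thread describes: quotes removed, nothing decoded.
    Once applied, the local-part/domain boundary can no longer be recovered."""
    return path[1:-1].replace('"', "")


if __name__ == "__main__":
    for lp, dom in (("Junk E-mail", "deemzed.uk"), ("user", "example.org"),
                    ('a@b"c', "example.org")):
        wire = format_path(lp, dom)
        print(wire, "->", parse_path(wire), "| stripped:", strip_quotes_only(wire))
```

The last constructed case, a local-part that itself contains an @, is the kind of input where the stripped form becomes ambiguous: after the quotes are gone there are two @ characters and no way to tell which one separates local-part from domain.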
How to limit Apple Mail (desktop)?
By default, Apple Mail downloads all e-mails from server's account. Previous versions of this client allowed to opt-out. The latest two versions? however, only allow to opt-out from downloading the attachments.

The stress on the server is unbearable. We cannot ask users to be considerate: this is the default behaviour of Apple Mail.

We need a server-side solution to the problem.

Please share your ideas.
Replication to wrong mailbox
It happened now twice that replication created folders and mails in the wrong mailbox :(

Here's the architecture we use:
- 2 Dovecot (2.2.32) backends in two different datacenters replicating via a VPN connection
- Dovecot directors in both datacenters talk to both backends with vhost_count of 100 vs 1 for local vs remote backend
- backends use proxy dict via a unix domain socket and socat to talk via tcp to a dict on a different server (kubernetes cluster)
- backends have a local sqlite userdb for iteration (also containing home directories, as just iteration is not possible)
- serving around 7000 mailboxes in roughly 200 different domains

Everything works as expected, until dict is not reachable, e.g. due to a server failure or a planned reboot of a node of the kubernetes cluster. In that situation it can happen that some requests are not answered, even with Kubernetes running multiple instances of the dict.

I can only speculate what happens then: it seems the connection failure to the remote dict is not correctly handled and leads to a situation in which the last mailbox/home directory is used for the replication :(

When it happened the first time we attributed it to the fact that the Sqlite database at that time contained no home directory information, which we fixed afterwards. This first time (server failure) took a couple of minutes and led to many mailboxes containing mostly folders but also some newly arrived mails belonging to other mailboxes/users. We could only resolve that situation by rolling back to a zfs snapshot before the downtime.

The second time was last Friday night during a (much shorter) reboot of a Kubernetes node and led only to a single mailbox containing folders and mails of other mailboxes. That was verified by looking at timestamps of directories below $home/mdbox/mailboxes and files in $home/mdbox/storage.

I can not tell if adding the home directory to the Sqlite database or the shorter time of the failure limited the wrong replication to a single mailbox.

Can someone with more knowledge of the Dovecot code please check/verify how replication deals with failures in proxy dict. I'm of course happy to provide more information on our configuration if needed.

Here is an excerpt of our configuration (full doveconf -n is attached):

passdb {
  args = /etc/dovecot/dovecot-dict-master-auth.conf
  driver = dict
  master = yes
}
passdb {
  args = /etc/dovecot/dovecot-dict-auth.conf
  driver = dict
}
userdb {
  driver = prefetch
}
userdb {
  args = /etc/dovecot/dovecot-dict-auth.conf
  driver = dict
}
userdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}

dovecot-dict-auth.conf:
uri = proxy:/var/run/dovecot_auth_proxy/socket:backend
password_key = passdb/%u/%w
user_key = userdb/%u
iterate_disable = yes

dovecot-dict-master-auth.conf:
uri = proxy:/var/run/dovecot_auth_proxy/socket:backend
password_key = master/%{login_user}/%u/%w
iterate_disable = yes

dovecot-sql.conf:
driver = sqlite
connect = /etc/dovecot/users.sqlite
user_query = SELECT home,NULL AS uid,NULL AS gid FROM users WHERE userid = '%n' AND domain = '%d'
iterate_query = SELECT userid AS username, domain FROM users

-- 
Ralf Becker
EGroupware GmbH [www.egroupware.org]
Commercial register HRB Kaiserslautern 3587
Managing directors Birgit and Ralf Becker
Leibnizstr. 17, 67663 Kaiserslautern, Germany
Telephone +49 631 31657-0

# 2.2.32 (dfbe293d4): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.20 (7cd71ba)
# OS: Linux 4.4.0-97-generic x86_64
auth_cache_negative_ttl = 2 mins
auth_cache_size = 10 M
auth_cache_ttl = 5 mins
auth_master_user_separator = *
auth_mechanisms = plain login
auth_username_chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@#"
default_client_limit = 3500
default_process_limit = 512
disable_plaintext_auth = no
doveadm_password =  # hidden, use -P to show it
doveadm_port = 12345
first_valid_uid = 90
listen = *
log_path = /dev/stderr
mail_access_groups = dovecot
mail_gid = dovecot
mail_location = mdbox:~/mdbox
mail_log_prefix = "%s(%u %p): "
mail_max_userip_connections = 200
mail_plugins = acl quota notify replication mail_log
mail_uid = dovecot
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave vnd.dovecot.debug
mbox_min_index_size = 1000 B
mdbox_rotate_size = 50 M
namespace inboxes {
  inbox = yes
  location = 
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Junk {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox Templates {
    auto = subscribe
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix = INBOX/
  separator = /
  subscriptions = no
}
namespace subs {
  hidden = yes
  list = no
  location = 
  prefix = 
  separator = /
}
namespace users {
Re: dovecot-2.3 (-git) Warning and Fatal Compile Error
On 30.10.2017 09:10, Aki Tuomi wrote:
>
>
> On 30.10.2017 00:23, Reuben Farrelly wrote:
>> Hi Aki,
>>
>> On 30/10/2017 12:43 AM, Aki Tuomi wrote:
On October 29, 2017 at 1:55 PM Reuben Farrelly wrote:
Hi again,
Chasing down one last problem which seems to have been missed from my last email:
On 20/10/2017 9:22 PM, Stephan Bosch wrote:
>
> On 20-10-2017 at 4:23, Reuben Farrelly wrote:
>> On 18/10/2017 11:40 PM, Timo Sirainen wrote:
>>> On 18 Oct 2017, at 6.34, Reuben Farrelly
>>> wrote:
This problem below is still present in 2.3 -git, as of version 2.3.devel (6fc40674e)
>>> Secondly, this ssl_dh messages is always printed from doveconf:
>>>
>>> doveconf: Warning: please set ssl_dh=
>>> doveconf: Warning: You can generate it with: dd
>>> if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dh
>>> -inform der > /etc/dovecot/dh.pem
>>>
>>> Yet the file is there:
>>>
>>> thunderstorm conf.d # ls -la /etc/dovecot/dh.pem
>>> -rw-r--r-- 1 root root 769 Oct 19 21:55 /etc/dovecot/dh.pem
>>>
>>> And the config is there as well:
>>>
>>> thunderstorm dovecot # doveconf -P | grep ssl_dh
>>> ssl_dh = 
>>> doveconf: Warning: please set ssl_dh=
>>> doveconf: Warning: You can generate it with: dd
>>> if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dh
>>> -inform der > /etc/dovecot/dh.pem
>>> ssl_dh = -BEGIN DH PARAMETERS-
>>> ssl_dh = -BEGIN DH PARAMETERS-
>>> ssl_dh = -BEGIN DH PARAMETERS-
>>> ssl_dh = -BEGIN DH PARAMETERS-
>>> ssl_dh = -BEGIN DH PARAMETERS-
>>> ssl_dh = -BEGIN DH PARAMETERS-
>>> ssl_dh = -BEGIN DH PARAMETERS-
>>> ssl_dh = -BEGIN DH PARAMETERS-
>>> thunderstorm dovecot #
>>>
>>> It appears that this warning is being triggered by the presence of
>>> the ssl-parameters.dat file because when I remove it the warning
>>> goes away. Perhaps the warning could be made a bit more specific
>>> about this file being removed if it is not required because at the
>>> moment the warning message is not related to the trigger.
>>>
>>> Thanks,
>>> Reuben
Thanks,
Reuben
>>> It is triggered when there is ssl-parameters.dat file *AND* there is
>>> no ssl_dh=< explicitly set in config file.
>>>
>>> Aki
>>
>> I have this already in my 10-ssl.conf file:
>>
>> lightning dovecot # /etc/init.d/dovecot reload
>> doveconf: Warning: please set ssl_dh=
>> doveconf: Warning: You can generate it with: dd
>> if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dh
>> -inform der > /etc/dovecot/dh.pem
>> * Reloading dovecot configs and restarting auth/login processes
>> ... [ ok ]
>> lightning dovecot #
>>
>> However:
>>
>> lightning dovecot # grep ssl_dh conf.d/10-ssl.conf
>> # gives on startup when ssl_dh is unset.
>> ssl_dh=
>> lightning dovecot #
>>
>> and the file is there:
>>
>> lightning dovecot # ls -la /etc/dovecot/dh.pem
>> -rw-r--r-- 1 root root 769 Oct 19 19:06 /etc/dovecot/dh.pem
>> lightning dovecot #
>>
>> So it is actually configured and yet the warning still is present.
>>
>> Reuben
>
> Hi!
>
> I gave this a try, and I was not able to repeat this issue. Perhaps you
> are still missing ssl_dh somewhere?
>
> Aki
>

Hello

Just a guess, but at this point I would recommend reviewing the output of "doveconf -n" to make sure the appropriate settings are present.

br,
Teemu
Re: dovecot-2.3 (-git) Warning and Fatal Compile Error
On 30.10.2017 00:23, Reuben Farrelly wrote:
> Hi Aki,
>
> On 30/10/2017 12:43 AM, Aki Tuomi wrote:
>>> On October 29, 2017 at 1:55 PM Reuben Farrelly
>>> wrote:
>>>
>>>
>>> Hi again,
>>>
>>> Chasing down one last problem which seems to have been missed from my
>>> last email:
>>>
>>> On 20/10/2017 9:22 PM, Stephan Bosch wrote:
On 20-10-2017 at 4:23, Reuben Farrelly wrote:
> On 18/10/2017 11:40 PM, Timo Sirainen wrote:
>> On 18 Oct 2017, at 6.34, Reuben Farrelly
>> wrote:
>>> This problem below is still present in 2.3 -git, as of version
>>> 2.3.devel
>>> (6fc40674e)
>>>
>> Secondly, this ssl_dh messages is always printed from doveconf:
>>
>> doveconf: Warning: please set ssl_dh=
>> doveconf: Warning: You can generate it with: dd
>> if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dh
>> -inform der > /etc/dovecot/dh.pem
>>
>> Yet the file is there:
>>
>> thunderstorm conf.d # ls -la /etc/dovecot/dh.pem
>> -rw-r--r-- 1 root root 769 Oct 19 21:55 /etc/dovecot/dh.pem
>>
>> And the config is there as well:
>>
>> thunderstorm dovecot # doveconf -P | grep ssl_dh
>> ssl_dh = 
>> doveconf: Warning: please set ssl_dh=
>> doveconf: Warning: You can generate it with: dd
>> if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dh
>> -inform der > /etc/dovecot/dh.pem
>> ssl_dh = -BEGIN DH PARAMETERS-
>> ssl_dh = -BEGIN DH PARAMETERS-
>> ssl_dh = -BEGIN DH PARAMETERS-
>> ssl_dh = -BEGIN DH PARAMETERS-
>> ssl_dh = -BEGIN DH PARAMETERS-
>> ssl_dh = -BEGIN DH PARAMETERS-
>> ssl_dh = -BEGIN DH PARAMETERS-
>> ssl_dh = -BEGIN DH PARAMETERS-
>> thunderstorm dovecot #
>>
>> It appears that this warning is being triggered by the presence of
>> the ssl-parameters.dat file because when I remove it the warning
>> goes away. Perhaps the warning could be made a bit more specific
>> about this file being removed if it is not required because at the
>> moment the warning message is not related to the trigger.
>>
>> Thanks,
>> Reuben
>>> Thanks,
>>> Reuben
>> It is triggered when there is ssl-parameters.dat file *AND* there is
>> no ssl_dh=< explicitly set in config file.
>>
>> Aki
>
> I have this already in my 10-ssl.conf file:
>
> lightning dovecot # /etc/init.d/dovecot reload
> doveconf: Warning: please set ssl_dh=
> doveconf: Warning: You can generate it with: dd
> if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dh
> -inform der > /etc/dovecot/dh.pem
> * Reloading dovecot configs and restarting auth/login processes
> ... [ ok ]
> lightning dovecot #
>
> However:
>
> lightning dovecot # grep ssl_dh conf.d/10-ssl.conf
> # gives on startup when ssl_dh is unset.
> ssl_dh=
> lightning dovecot #
>
> and the file is there:
>
> lightning dovecot # ls -la /etc/dovecot/dh.pem
> -rw-r--r-- 1 root root 769 Oct 19 19:06 /etc/dovecot/dh.pem
> lightning dovecot #
>
> So it is actually configured and yet the warning still is present.
>
> Reuben

Hi!

I gave this a try, and I was not able to repeat this issue. Perhaps you are still missing ssl_dh somewhere?

Aki