Re: [SPAMMY]Re: Dovecot LMTP Proxy + STARTTLS?
Hi

thanks for the link. Read that page before but somehow missed the comment about ssl+lmtp proxy :-)
Are there any plans to implement that to dovecot in future?

Regards

tobi

On 23.11.2017 at 18:38, Carsten Rosenberg wrote:
> NOTE: LMTP/doveadm proxying doesn't support SSL/TLS currently - any
> ssl/starttls extra field is ignored
>
> https://wiki2.dovecot.org/PasswordDatabase/ExtraFields/Proxy
>
> On 23 November 2017 09:31:41 CET, Tobi wrote:
>> Hi
>>
>> I got dovecot 2.2.26 on a Centos7 with latest updates. Dovecot is
>> configured to act as director and delivers to my two backend servers.
>> I enabled lmtp proxy on director to listen on port 24.
>>
>> Now I see in msg headers that the connection to the lmtp proxy uses
>> STARTTLS but the connection from proxy to backend seems to be
>> unencrypted. Is it possible to enforce the use of STARTTLS in the
>> connection from the director to the backend as well?
>>
>> Regards
>>
>> tobi
Re: set parameter per user
On 23.11.2017 at 14:40, Sami Ketola wrote:
> can you verify if the value is correctly formed in userdb. Ie. is it visible
> in output:
>
> doveadm -o service=lmtp user

# doveadm -o service=lmtp user us...@example.org
field                        value
uid                          8
gid                          8
home                         /mail/user1
mail                         maildir:~/Maildir
lmtp_save_to_detail_mailbox  no
master_user                  us...@example.org

# doveadm -o service=lmtp user us...@example.org
field                        value
uid                          8
gid                          8
home                         /mail/user2
mail                         maildir:~/Maildir
lmtp_save_to_detail_mailbox  yes
master_user                  us...@example.org

Andreas
Re: set parameter per user
> On 23 Nov 2017, at 15.32, A. Schulze wrote:
>
>
> Steffen Kaiser:
>
>> Is the detail delivered to Dovecot by the MTA at all?
> sure!
>
> have to say: I faked that example. In reality I tested the inverse way:
> My lab setup actually *do* deliver to folders and
> I saw, setting lmtp_save_to_detail_mailbox to 'no' still deliver to folder
> while INBOX was expected.
>
> so, correct hint: I should really try on another system ...
>
> But from my debug logs it really should not matter if
>
> doveconf.conf: lmtp_save_to_detail_mailbox = yes
> set to 'no' per user from ldap
>
> vs.
>
> doveconf.conf: lmtp_save_to_detail_mailbox = no
> set to 'yes' per user from ldap

can you verify if the value is correctly formed in userdb. Ie. is it visible in output:

doveadm -o service=lmtp user

Sami
Re: set parameter per user
Steffen Kaiser:

> Is the detail delivered to Dovecot by the MTA at all?

sure!

have to say: I faked that example. In reality I tested the inverse way:
My lab setup actually *do* deliver to folders and
I saw, setting lmtp_save_to_detail_mailbox to 'no' still deliver to folder
while INBOX was expected.

so, correct hint: I should really try on another system ...

But from my debug logs it really should not matter if

doveconf.conf: lmtp_save_to_detail_mailbox = yes
set to 'no' per user from ldap

vs.

doveconf.conf: lmtp_save_to_detail_mailbox = no
set to 'yes' per user from ldap

Andreas
Re: Exclude disabled accounts
On Thu, 23 Nov 2017, Evgeniy Korneechev wrote:

> We have userdb=passwd.
>
> userdb {
>   driver = passwd #server was entered domain Active Directory
>   override_fields = home=/var/vmail/glu_vrem/%u
> }
>
> If I disable in AD user's account, he can not sign in. But he can and will
> receive letters, which of course is not correct.
> How can I exclude disabled accounts from 'userdb'?

Dovecot uses your system's getpwnam(), so if

getent passwd username

returns something, Dovecot uses it. There is no notion about "disabled" status in passwd databases.

-- 
Steffen Kaiser
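The gap described above can be audited from the mail server. This is an added example, not part of the original thread: it reads a constructed LDIF export, treats bit 0x0002 of userAccountControl as the AD "account disabled" flag, and lists disabled accounts that a getpwnam() lookup still resolves. The sample data and all function names are assumptions made for illustration.

```python
import pwd

ACCOUNTDISABLE = 0x0002  # AD userAccountControl bit: account is disabled

# Constructed LDIF export (as an LDAP search against AD might produce); not real data.
SAMPLE_LDIF = """\
dn: CN=Alice,CN=Users,DC=example,DC=org
sAMAccountName: alice
userAccountControl: 512

dn: CN=Bob,CN=Users,DC=example,DC=org
sAMAccountName: bob
userAccountControl: 514

dn: CN=Carol,CN=Users,DC=example,DC=org
sAMAccountName: carol
userAccountControl: 66050
"""

def parse_ldif(text):
    """Yield (sAMAccountName, userAccountControl) per blank-line separated record."""
    for record in text.strip().split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in record.splitlines() if ": " in line)
        if "sAMAccountName" in attrs and "userAccountControl" in attrs:
            yield attrs["sAMAccountName"], int(attrs["userAccountControl"])

def nss_lookup(name):
    """Resolve a user the way the passwd userdb does: getpwnam() and nothing else."""
    try:
        return pwd.getpwnam(name)
    except KeyError:
        return None

def disabled_but_deliverable(ldif_text, resolve=nss_lookup):
    """Return accounts disabled in AD that the passwd database still returns."""
    return [name for name, uac in parse_ldif(ldif_text)
            if uac & ACCOUNTDISABLE and resolve(name) is not None]

if __name__ == "__main__":
    # Constructed stand-in for NSS so the demo runs offline; omit the second
    # argument to query the real passwd database on the mail server.
    fake_passwd = {"alice": "entry", "bob": "entry"}
    for name in disabled_but_deliverable(SAMPLE_LDIF, fake_passwd.get):
        print(f"{name}: disabled in AD, but getpwnam() still returns an entry")
```

Every name this reports is an account that can no longer sign in but for which the userdb lookup still succeeds.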
Re: set parameter per user
On Tue, 21 Nov 2017, A. Schulze wrote:

> in /etc/dovecot/ldap.conf
> user_attrs = ... =lmtp_save_to_detail_mailbox=%{ldap:lmtp-save-to-detail-mailbox:no}, =...
>
> Unfortunately messages to user+extension@domain are still delivered to INBOX/
> while they should be delivered to INBOX/extension.
>
> I also tried to make the attribute accessible via pass_attr and userdb_foo = ...
> because I use prefetch driver as userdb. I also disabled prefetching at all but no luck :-/

Is the detail delivered to Dovecot by the MTA at all?

-- 
Steffen Kaiser
Exclude disabled accounts
Hello!

We have userdb=passwd.

userdb {
  driver = passwd #server was entered domain Active Directory
  override_fields = home=/var/vmail/glu_vrem/%u
}

If I disable in AD user's account, he can not sign in. But he can and will receive letters, which of course is not correct.
How can I exclude disabled accounts from 'userdb'?

dovecot -n:

# 2.2.27 (c0f36b0): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.16 (fed8554)
# OS: Linux 4.4.39-std-def-alt0.M80P.1 x86_64 ALT 8.1 Server
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = plain login cram-md5
auth_socket_path = /var/run/dovecot/auth-userdb
auth_username_chars =
auth_verbose = yes
auth_verbose_passwords = plain
base_dir = /var/run/dovecot/
debug_log_path = /var/log/dovecot
disable_plaintext_auth = no
first_valid_gid = 502
first_valid_uid = 502
last_valid_gid = 26899
last_valid_uid = 26899
log_path = /var/log/dovecot
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c
mail_access_groups = vmail
mail_debug = yes
mail_gid = 502
mail_location = maildir:/%Lh/Maildir/:INDEX=/%Lh/Maildir/
mail_plugins = " quota autocreate"
mail_privileged_group = vmail
mail_uid = 502
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapflags notify
mbox_write_locks = fcntl
namespace {
  list = children
  location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u
  prefix = shared/%%u/
  separator = /
  subscriptions = yes
  type = shared
}
namespace inbox {
  inbox = yes
  location =
  prefix =
  separator = /
  type = private
}
passdb {
  driver = pam
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  quota_rule = *:storage=5G
  recipient_delimiter = +
  sieve = /etc/dovecot/sieves/default.sieve
  sieve_default = /etc/dovecot/sieves/default.sieve
  sieve_dir = ~/sieve
  sieve_extensions = +notify +imapflags
  sieve_max_redirects = 8
}
protocols = imap pop3 lmtp sieve
service auth-worker {
  user = root
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0666
    user = vmail
  }
}
service dict {
  unix_listener dict {
    group = vmail
    mode = 0600
    user = vmail
  }
}
service imap-login {
  inet_listener imap {
    port = 143
  }
}
service imap {
  process_limit = 1024
  vsz_limit = 256 M
}
service lmtp {
  unix_listener lmtp {
    mode = 0666
  }
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
  vsz_limit = 64 M
}
service pop3-login {
  inet_listener pop3 {
    port = 110
  }
}
service pop3 {
  process_limit = 1024
}
ssl_ca =
Dovecot LMTP Proxy + STARTTLS?
Hi

I got dovecot 2.2.26 on a Centos7 with latest updates. Dovecot is configured to act as director and delivers to my two backend servers. I enabled lmtp proxy on director to listen on port 24.

Now I see in msg headers that the connection to the lmtp proxy uses STARTTLS but the connection from proxy to backend seems to be unencrypted. Is it possible to enforce the use of STARTTLS in the connection from the director to the backend as well?

Regards

tobi