Re: [SPAMMY]Re: Dovecot LMTP Proxy + STARTTLS?

2017-11-23 Thread tobisworld
Hi

thanks for the link. Read that page before but somehow missed the
comment about ssl+lmtp proxy :-)

Are there any plans to implement that to dovecot in future?

Regards

tobi

On 23.11.2017 at 18:38, Carsten Rosenberg wrote:
> NOTE: LMTP/doveadm proxying doesn't support SSL/TLS currently - any 
> ssl/starttls extra field is ignored
> 
> https://wiki2.dovecot.org/PasswordDatabase/ExtraFields/Proxy
> 
> On 23 November 2017 09:31:41 CET, Tobi wrote:
>> Hi
>>
>> I got dovecot 2.2.26 on a Centos7 with latest updates. Dovecot is
>> configured to act as director and delivers to my two backend servers.
>> I enabled lmtp proxy on director to listen on port 24.
>>
>> Now I see in msg headers that the connection to the lmtp proxy uses
>> STARTTLS but the connection from proxy to backend seems to be
>> unencrypted. Is it possible to enforce the use of STARTTLS in the
>> connection from the director to the backend as well?
>>
>> Regards
>>
>> tobi
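
As an added example (not code from the thread or from Dovecot): a small Python probe that speaks LHLO to an LMTP listener, reports whether STARTTLS is advertised and whether a TLS handshake actually completes, and includes a parser for LHLO replies so the same check can be run offline on a captured transcript. Run it from the director against each backend's LMTP port, and from the MTA against the director's port 24, to see directly which hop is protected instead of inferring it from message headers. The host name backend.example.org, the port 24 default and the sample replies are assumptions; the live probe needs Python 3.9 or newer for the timeout argument.

```python
"""Probe an LMTP listener for STARTTLS: advertised? negotiated?

Added example for the thread above; not code from the thread or from
Dovecot. Host names, the port and the sample LHLO replies are constructed.
Requires Python 3.9+ (timeout argument of smtplib.LMTP).
"""
import smtplib
import ssl
import sys
from typing import Set

# Constructed LHLO replies, modelled on what an LMTP listener prints. The
# first 250 line is the server name; the remaining lines are extensions.
SAMPLE_LHLO_WITH_TLS = """250-backend.example.org
250-8BITMIME
250-CHUNKING
250-ENHANCEDSTATUSCODES
250-PIPELINING
250 STARTTLS
"""
SAMPLE_LHLO_NO_TLS = """250-backend.example.org
250-8BITMIME
250-ENHANCEDSTATUSCODES
250 PIPELINING
"""


def parse_lhlo_capabilities(reply: str) -> Set[str]:
    """Extension keywords from an LHLO/EHLO reply.

    Accepts either the raw wire form ("250-KEYWORD ...") or smtplib's
    stripped form (ehlo_resp, one keyword per line). The first line is the
    server name and is skipped; parameters after a keyword are dropped.
    """
    caps: Set[str] = set()
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    for ln in lines[1:]:
        body = ln[4:] if ln[:3].isdigit() else ln  # drop "250-" / "250 "
        body = body.strip()
        if body:
            caps.add(body.split()[0].upper())
    return caps


def probe_starttls(host: str, port: int = 24, timeout: float = 10.0) -> dict:
    """Connect, send LHLO, and try to upgrade the session to TLS.

    Result keys: advertised (STARTTLS listed in LHLO), negotiated (handshake
    finished), tls_version, error. Certificates are verified against the
    system trust store: a backend with a self-signed certificate fails here,
    which is a finding in its own right rather than something to suppress.
    """
    result = {"advertised": False, "negotiated": False,
              "tls_version": None, "error": None}
    try:
        client = smtplib.LMTP(host, port, timeout=timeout)
    except OSError as exc:
        result["error"] = "connect: %s" % exc
        return result
    try:
        client.ehlo()  # smtplib.LMTP sends LHLO here
        caps = parse_lhlo_capabilities(client.ehlo_resp.decode("utf-8", "replace"))
        result["advertised"] = "STARTTLS" in caps
        if result["advertised"]:
            client.starttls(context=ssl.create_default_context())
            client.ehlo()  # capabilities must be re-read after the upgrade
            result["negotiated"] = True
            result["tls_version"] = client.sock.version()
    except (smtplib.SMTPException, ssl.SSLError, OSError) as exc:
        result["error"] = str(exc)
    finally:
        try:
            client.quit()
        except (smtplib.SMTPException, OSError):
            pass
    return result


if __name__ == "__main__":
    # Usage: python3 lmtp_starttls_probe.py <host> [port]
    target = sys.argv[1] if len(sys.argv) > 1 else "backend.example.org"  # assumed name
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 24
    print(probe_starttls(target, target_port))
```

A result of advertised=False on the backend's port means there is nothing for a proxy to upgrade to even if proxying gained TLS support; advertised=True with an error from the handshake usually points at a certificate the director would not trust either.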


Re: set parameter per user

2017-11-23 Thread A. Schulze


On 23.11.2017 at 14:40, Sami Ketola wrote:
> can you verify if the value is correctly formed in userdb. I.e. is it visible 
> in output:
> 
> doveadm -o service=lmtp user 
# doveadm -o service=lmtp user us...@example.org
field                          value
uid                            8
gid                            8
home                           /mail/user1
mail                           maildir:~/Maildir
lmtp_save_to_detail_mailbox    no
master_user                    us...@example.org

# doveadm -o service=lmtp user us...@example.org
field                          value
uid                            8
gid                            8
home                           /mail/user2
mail                           maildir:~/Maildir
lmtp_save_to_detail_mailbox    yes
master_user                    us...@example.org

Andreas


Re: set parameter per user

2017-11-23 Thread Sami Ketola

> On 23 Nov 2017, at 15.32, A. Schulze  wrote:
> 
> 
> Steffen Kaiser:
> 
>> Is the detail delivered to Dovecot by the MTA at all?
> sure!
> 
> have to say: I faked that example. In reality I tested the inverse way:
> My lab setup actually *does* deliver to folders, and
> I saw that setting lmtp_save_to_detail_mailbox to 'no' still delivers to the folder
> while INBOX was expected.
> 
> so, correct hint: I should really try on another system ...
> 
> But from my debug logs it really should not matter if
> 
>  doveconf.conf: lmtp_save_to_detail_mailbox = yes
>  set to 'no' per user from ldap
> 
> vs.
> 
>  doveconf.conf: lmtp_save_to_detail_mailbox = no
>  set to 'yes' per user from ldap


can you verify if the value is correctly formed in userdb. I.e. is it visible in 
output:

doveadm -o service=lmtp user 

Sami


Re: set parameter per user

2017-11-23 Thread A. Schulze


Steffen Kaiser:

> Is the detail delivered to Dovecot by the MTA at all?

sure!

have to say: I faked that example. In reality I tested the inverse way:
My lab setup actually *does* deliver to folders, and
I saw that setting lmtp_save_to_detail_mailbox to 'no' still delivers to the folder
while INBOX was expected.

so, correct hint: I should really try on another system ...

But from my debug logs it really should not matter if

  doveconf.conf: lmtp_save_to_detail_mailbox = yes
  set to 'no' per user from ldap

vs.

  doveconf.conf: lmtp_save_to_detail_mailbox = no
  set to 'yes' per user from ldap

Andreas


Re: Exclude disabled accounts

2017-11-23 Thread Steffen Kaiser


On Thu, 23 Nov 2017, Evgeniy Korneechev wrote:

> We have userdb=passwd.
> userdb {
>  driver = passwd  # server is joined to the Active Directory domain
>  override_fields = home=/var/vmail/glu_vrem/%u
> }
>
> If I disable a user's account in AD, he cannot sign in.
> But he can and will still receive mail, which of course is not correct.
>
> How can I exclude disabled accounts from 'userdb'?


Dovecot uses your system's getpwnam(), so if

getent passwd username

returns something, Dovecot uses it. There is no notion of a "disabled" 
status in passwd databases.


-- 
Steffen Kaiser

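
To make the point above concrete, an added example (not code from the thread or from Dovecot) that models the two lookups side by side on constructed data: a passwd-style lookup like the getpwnam() call behind Dovecot's passwd userdb, which can only answer "present" or "absent", beside an LDAP-style lookup that tests the ACCOUNTDISABLE bit (0x2) of userAccountControl and so can refuse a disabled account. The LDAP userdb filter in the docstring is the example's suggested alternative, not something the thread recommends; the user names, UIDs and entries are invented.

```python
"""Why `userdb passwd` cannot see an AD-disabled account.

Added example for the thread above, not code from the thread or from
Dovecot. Two lookups over constructed data: a passwd-style lookup like the
getpwnam() call behind Dovecot's passwd userdb (present or absent, nothing
more), and an LDAP-style lookup that tests the ACCOUNTDISABLE bit of
userAccountControl. User names, UIDs and entries are invented.
"""
import pwd
from typing import Dict, Optional

ACCOUNTDISABLE = 0x0002  # userAccountControl bit meaning "account disabled" in AD

# Constructed `getent passwd` lines. bob is disabled in AD but still appears:
# the passwd map carries name/uid/gid/gecos/home/shell and nothing else.
PASSWD_LINES = [
    "alice:x:1001:502:Alice Example:/var/vmail/alice:/sbin/nologin",
    "bob:x:1002:502:Bob Example:/var/vmail/bob:/sbin/nologin",
]

# Constructed LDAP entries for the same users.
# 512 = NORMAL_ACCOUNT, 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE.
LDAP_ENTRIES = {
    "alice": {"sAMAccountName": "alice", "userAccountControl": 512},
    "bob":   {"sAMAccountName": "bob",   "userAccountControl": 514},
}


def passwd_lookup(username: str, lines=PASSWD_LINES) -> Optional[Dict[str, str]]:
    """getpwnam() over the constructed lines: the fields a passwd userdb gets."""
    for line in lines:
        name, _pw, uid, gid, _gecos, home, _shell = line.split(":")
        if name == username:
            return {"uid": uid, "gid": gid, "home": home}
    return None


def system_passwd_lookup(username: str) -> Optional[Dict[str, str]]:
    """The same lookup against the live NSS passwd map (what Dovecot does)."""
    try:
        p = pwd.getpwnam(username)
    except KeyError:
        return None
    return {"uid": str(p.pw_uid), "gid": str(p.pw_gid), "home": p.pw_dir}


def account_disabled(uac: int) -> bool:
    """True when the ACCOUNTDISABLE bit is set in userAccountControl."""
    return bool(uac & ACCOUNTDISABLE)


def ldap_lookup(username: str, entries=LDAP_ENTRIES) -> Optional[dict]:
    """An LDAP userdb lookup that refuses disabled accounts.

    The same rule as an LDAP filter (assumed config, not from the thread):
      user_filter = (&(sAMAccountName=%n)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
    1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND.
    """
    entry = entries.get(username)
    if entry is None or account_disabled(entry["userAccountControl"]):
        return None
    return entry


def lmtp_would_accept(username: str) -> Dict[str, bool]:
    """Whether each userdb would accept RCPT TO for `username`."""
    return {
        "passwd": passwd_lookup(username) is not None,
        "ldap": ldap_lookup(username) is not None,
    }
```

With `passdb pam` in front, a disabled user is already refused at login; the delivery path only consults the userdb, which is why the passwd driver keeps accepting mail for bob while an LDAP userdb with the bit test does not.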


Re: set parameter per user

2017-11-23 Thread Steffen Kaiser


On Tue, 21 Nov 2017, A. Schulze wrote:


> in /etc/dovecot/ldap.conf
> user_attrs  = ...
>
> =lmtp_save_to_detail_mailbox=%{ldap:lmtp-save-to-detail-mailbox:no},
> =...
>
> Unfortunately messages to user+extension@domain are still delivered to INBOX/
> while they should be delivered to INBOX/extension.
>
> I also tried to make the attribute accessible via pass_attr and userdb_foo =
> ... because I use the prefetch driver as userdb. I also disabled prefetching
> altogether but no luck :-/


Is the detail delivered to Dovecot by the MTA at all?

-- 
Steffen Kaiser

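
Sami's check ("is the value correctly formed in the userdb output?") and the yes/no comparison in this thread, carried through as an added example (not code from the thread or from Dovecot): it parses `doveadm -o service=lmtp user` output of the shape shown earlier, applies the `%{ldap:attr:default}` fallback the ldap.conf line relies on, rejects a malformed boolean instead of silently falling back to the global setting, and works out whether mail to user+detail@domain lands in the detail mailbox or in INBOX. The doveadm output, the LDAP entries and the mailbox list are constructed; mailbox names are used without the INBOX/ prefix of the thread's namespace, and the fall-back to INBOX when the detail mailbox does not exist is the LDA behaviour as the example assumes it.

```python
"""Check a per-user lmtp_save_to_detail_mailbox override from doveadm output.

Added example for the thread above, not code from the thread or from
Dovecot. The doveadm output, the LDAP entries and the mailbox names are
constructed; mailbox names are used without the thread's INBOX/ prefix.
"""
from typing import Dict, Optional, Set


def constructed_doveadm_output(user: str, detail_value: str) -> str:
    """Build `doveadm -o service=lmtp user` style output for one user.

    Constructed test data in the table layout doveadm prints (columns
    padded with spaces), matching the output shown earlier in the thread.
    """
    rows = [("field", "value"), ("uid", "8"), ("gid", "8"),
            ("home", "/mail/%s" % user), ("mail", "maildir:~/Maildir"),
            ("lmtp_save_to_detail_mailbox", detail_value),
            ("master_user", "%s@example.org" % user)]
    return "\n".join("%-28s %s" % row for row in rows) + "\n"


def parse_doveadm_user(output: str) -> Dict[str, str]:
    """Parse the field/value table into a dict; the header row is dropped."""
    fields: Dict[str, str] = {}
    for line in output.splitlines():
        parts = line.split(None, 1)
        if not parts or parts[0] == "field":
            continue
        fields[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return fields


def ldap_template(entry: Dict[str, str], attr: str, default: str) -> str:
    """%{ldap:attr:default} as in the ldap.conf line: attr's value, or default if absent."""
    return entry.get(attr, default)


def parse_bool(value: str) -> Optional[bool]:
    """Dovecot boolean: 'yes' or 'no' (case-insensitive); anything else -> None.

    Assumed strict here; other spellings are treated as a misconfiguration
    to fix rather than something to guess at.
    """
    return {"yes": True, "no": False}.get(value.strip().lower())


def effective_save_to_detail(fields: Dict[str, str], global_default: bool) -> bool:
    """Per-user value wins when present; a malformed value raises instead of
    silently falling back to the global setting."""
    raw = fields.get("lmtp_save_to_detail_mailbox")
    if raw is None:
        return global_default
    parsed = parse_bool(raw)
    if parsed is None:
        raise ValueError("malformed lmtp_save_to_detail_mailbox value: %r" % raw)
    return parsed


def delivery_mailbox(recipient: str, save_to_detail: bool,
                     existing: Set[str], delimiter: str = "+") -> str:
    """Where mail to user+detail@domain lands.

    Setting on: the detail names the mailbox; if that mailbox does not exist
    the message goes to INBOX (LDA fallback, as assumed here). Setting off:
    the detail is ignored and the message goes to INBOX.
    """
    localpart = recipient.split("@", 1)[0]
    _user, sep, detail = localpart.partition(delimiter)
    if not save_to_detail or not sep or not detail:
        return "INBOX"
    return detail if detail in existing else "INBOX"
```

Paste your own `doveadm user` output into parse_doveadm_user(): if the field is missing, the LDAP attribute never reached the userdb (the prefetch/pass_attrs path is the usual suspect); if it is present but not yes/no, the template produced something Dovecot will reject.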


Exclude disabled accounts

2017-11-23 Thread Evgeniy Korneechev
Hello!
We have userdb=passwd.
userdb {
  driver = passwd  # server is joined to the Active Directory domain
  override_fields = home=/var/vmail/glu_vrem/%u
}

If I disable a user's account in AD, he cannot sign in.
But he can and will still receive mail, which of course is not correct.

How can I exclude disabled accounts from 'userdb'?



dovecot -n:
# 2.2.27 (c0f36b0): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.16 (fed8554)
# OS: Linux 4.4.39-std-def-alt0.M80P.1 x86_64 ALT 8.1 Server 
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = plain login cram-md5
auth_socket_path = /var/run/dovecot/auth-userdb
auth_username_chars = 
auth_verbose = yes
auth_verbose_passwords = plain
base_dir = /var/run/dovecot/
debug_log_path = /var/log/dovecot
disable_plaintext_auth = no
first_valid_gid = 502
first_valid_uid = 502
last_valid_gid = 26899
last_valid_uid = 26899
log_path = /var/log/dovecot
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c
mail_access_groups = vmail
mail_debug = yes
mail_gid = 502
mail_location = maildir:/%Lh/Maildir/:INDEX=/%Lh/Maildir/
mail_plugins = " quota autocreate"
mail_privileged_group = vmail
mail_uid = 502
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character 
vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy 
include variables body enotify environment mailbox date index ihave duplicate 
mime foreverypart extracttext imapflags notify
mbox_write_locks = fcntl
namespace {
  list = children
  location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u
  prefix = shared/%%u/
  separator = /
  subscriptions = yes
  type = shared
}
namespace inbox {
  inbox = yes
  location = 
  prefix = 
  separator = /
  type = private
}
passdb {
  driver = pam
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  quota_rule = *:storage=5G
  recipient_delimiter = +
  sieve = /etc/dovecot/sieves/default.sieve
  sieve_default = /etc/dovecot/sieves/default.sieve
  sieve_dir = ~/sieve
  sieve_extensions = +notify +imapflags
  sieve_max_redirects = 8
}
protocols = imap pop3 lmtp sieve
service auth-worker {
  user = root
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0666
user = postfix
  }
  unix_listener auth-userdb {
group = vmail
mode = 0666
user = vmail
  }
}
service dict {
  unix_listener dict {
group = vmail
mode = 0600
user = vmail
  }
}
service imap-login {
  inet_listener imap {
port = 143
  }
}
service imap {
  process_limit = 1024
  vsz_limit = 256 M
}
service lmtp {
  unix_listener lmtp {
mode = 0666
  }
}
service managesieve-login {
  inet_listener sieve {
port = 4190
  }
  vsz_limit = 64 M
}
service pop3-login {
  inet_listener pop3 {
port = 110
  }
}
service pop3 {
  process_limit = 1024
}
ssl_ca = 

Dovecot LMTP Proxy + STARTTLS?

2017-11-23 Thread Tobi
Hi

I got dovecot 2.2.26 on a Centos7 with latest updates. Dovecot is
configured to act as director and delivers to my two backend servers.
I enabled lmtp proxy on director to listen on port 24.

Now I see in msg headers that the connection to the lmtp proxy uses
STARTTLS but the connection from proxy to backend seems to be
unencrypted. Is it possible to enforce the use of STARTTLS in the
connection from the director to the backend as well?

Regards

tobi