Dovecot 2.3-rc Logging Format

2017-12-20 Thread Thomas Leuxner
Hi,

the release candidate defaults to a log format with session IDs.

mail_log_prefix = "%s(%u)<%{pid}><%{session}>: "

As the LMTP service seems to have the session ID hardcoded, the IDs get 
duplicated in the logs:

Dec 21 08:48:03 edi dovecot: lmtp(26573): Connect from local
Dec 21 08:48:03 edi dovecot: lmtp(t...@leuxner.net)[26573]: 
: fCVaBjNnO1rNZwAAIROLbg: sieve: 
msgid=<2323281.OorJHhdMHM@ylum>, time=158ms, status=stored mail into mailbox 
':public/Mailing-Lists/Debian-User'
Dec 21 08:48:03 edi dovecot: lmtp(26573): Disconnect from local: Client has 
quit the connection (state = READY)

Regards
Thomas




Re: Disable ssl validation for replication?

2017-12-20 Thread Joseph Tam

Joseph Ward writes:

> I'm aware of at least a couple of fallback options:
>     - have a self-signed cert for replication and use the Let's Encrypt
> one for IMAP/POP
>     - create firewall rules allowing them to connect to each other over
> the public internet so that it can validate the proper cert
>
> These are both much less palatable than simply disabling the cert
> validation if it's possible.


Maybe instead of disabling the check, appease it by supplying (in
/etc/hosts) an alternate mapping of the FQDN subject of your certificate
to your internal IP:

10.x.x.x    your.sync.target

Joseph Tam 
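Why the IP-based connection fails and the /etc/hosts alias passes, as an added example that is not from the thread or from Dovecot's own code: it reimplements the reference-identity comparison a TLS client performs, using a constructed SAN list (your.sync.target plus a wildcard name) and a constructed internal address 10.0.0.5 standing in for the 10.x.x.x of the error message.

```python
import ipaddress

# Constructed SAN list standing in for the Let's Encrypt certificate's names;
# the real hostnames are not shown in the thread, so these are placeholders.
SAMPLE_SAN = [("DNS", "your.sync.target"), ("DNS", "*.example.net")]

def _dns_id_matches(pattern, name):
    """RFC 6125-style DNS-ID comparison: case-insensitive, and a wildcard is
    honoured only as the entire left-most label of a name with at least
    three labels, matching exactly one label."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == name
    p_labels, n_labels = pattern.split("."), name.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(n_labels):
        return False
    return p_labels[1:] == n_labels[1:]

def cert_matches_expected(san_entries, expected):
    """Mirror a TLS client's reference-identity check: the name it was asked
    to reach is compared with the certificate's SANs. An IP literal is only
    compared with IP SANs and a hostname only with DNS SANs, which is why a
    connection to 10.x.x.x fails against a certificate issued for a hostname."""
    try:
        ip = ipaddress.ip_address(expected)
    except ValueError:
        ip = None
    for kind, value in san_entries:
        if ip is not None and kind == "IP" and ipaddress.ip_address(value) == ip:
            return True
        if ip is None and kind == "DNS" and _dns_id_matches(value, expected):
            return True
    return False

if __name__ == "__main__":
    # Connecting by the constructed internal IP: no IP SAN, so it fails.
    print(cert_matches_expected(SAMPLE_SAN, "10.0.0.5"))          # False
    # Resolving the FQDN to that IP in /etc/hosts keeps the expected name a
    # hostname, so the DNS SAN matches and no verification must be disabled.
    print(cert_matches_expected(SAMPLE_SAN, "your.sync.target"))  # True
```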


Re: Disable ssl validation for replication?

2017-12-20 Thread Andrew Sullivan
I guess what I don't understand is why the IP address approach is more 
attractive to you, and why you think the "public Internet" path is less good.


Best regards,

A

--
Please excuse my clumbsy thums



--
On December 21, 2017 12:47:47 AM Joseph Ward wrote:

> Hi,
>
> I have two servers (HA configuration) on which I'm attempting to get
> replication working over SSL.  They're at two different sites, but
> connected via a site-site VPN.
>
> Everything seems to be fine, except that the certificates are not
> validating as I'm using IP addresses for the sync, as opposed to the
> public hostnames for which the certificates are valid, and so I get the
> following error:
>
> doveadm(user@domain): Error: doveadm server disconnected before
> handshake: SSL certificate doesn't match expected host name 10.x.x.x
>
> I'm on Dovecot 2.2.33.
>
> Is there any way to disable the certificate checking/validation for the
> sync engine?
>
> (
> I'm aware of at least a couple of fallback options:
>     - have a self-signed cert for replication and use the Let's Encrypt
> one for IMAP/POP
>     - create firewall rules allowing them to connect to each other over
> the public internet so that it can validate the proper cert
>
> These are both much less palatable than simply disabling the cert
> validation if it's possible.
> )
>
> Thank you in advance for any assistance,
> Joseph





Re: detect suspicious logins

2017-12-20 Thread Joseph Tam

Matthew Broadhead wrote:

> does anyone know of a linux module (maybe similar to fail2ban) that
> could be installed which would monitor email logs (sign ins) and alert
> the user to any suspicious activity on their account?

I just monitor straight from the logs using homebrew utilities.

@lbutlr wrote:

> Fail2ban can protect email logins.  Alerting a user because random IP
> in Korean Middle School tried to login seems no helpful.
>
>> i suspect it would need to log geo location, device type and ip
>> address to a database.  it seems like a module like this would be very
>> useful
>
> How?
>
> Blacklist failed logins. That protects everyone and doesn't induce panic.


I just went through a long thread elsewhere on this topic.

Fail2ban is mainly a counter-brute-force measure.  If you have a strong
password policy, the net result of using it is that it makes your logs
smaller, and maybe saves some CPU cycles or from DoS for really intense
bouts, but otherwise, does not add to security as good passwords make
BFD infeasible.

*However*, if the attacker knows the approximate password (e.g.
shoulder surfing), this may help, but eventually, the password will
succumb to a patient diligent attack.

What the OP is considering is if the password is divulged, e.g. a phishing
attack or snarfed from another source.  In this case, an intruder's
authentication will succeed immediately.  If a monitor spots someone
authenticating from another continent than where the owner is supposed
to be, or from 2 locations thousands of miles apart, or from 5 different
locations simultaneously, or trying to send a huge number of messages with
many bounces, or using a different mail client than the one historically
used, it can signal the admin/user for further investigation.

For users, I think reporting a login origin audit will be helpful,
regardless of circumstances.  However, it should be done out of band,
if the assumption is someone else has control of the account.

Joseph Tam 
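The kind of login-origin monitoring described above, as an added example that is not from the thread or from Dovecot: it parses constructed imap-login "Login:" lines, maps each remote IP (rip) to a region through a constructed stand-in for a GeoIP lookup, and flags a user whose consecutive logins come from different regions within an hour, which generalises the "another continent" and "two locations thousands of miles apart" cases. User names, addresses and the region table are all made up; a real deployment would query a GeoIP database and alert out of band.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of Dovecot imap-login "Login:" lines; not from the thread.
SAMPLE_LOG = """\
Dec 20 08:00:01 edi dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.7, lip=10.0.0.2, mpid=101, TLS, session=<A1>
Dec 20 08:20:45 edi dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.9, lip=10.0.0.2, mpid=102, TLS, session=<A2>
Dec 20 09:05:12 edi dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=198.51.100.7, lip=10.0.0.2, mpid=103, TLS, session=<B1>
Dec 20 14:30:00 edi dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=203.0.113.9, lip=10.0.0.2, mpid=104, TLS, session=<B2>
Dec 20 14:31:00 edi dovecot: imap-login: Login: user=<carol>, method=PLAIN, rip=192.0.2.40, lip=10.0.0.2, mpid=105, TLS, session=<C1>
Dec 20 14:31:10 edi dovecot: imap-login: Login: user=<carol>, method=PLAIN, rip=198.18.0.1, lip=10.0.0.2, mpid=106, TLS, session=<C2>
"""

# Constructed stand-in for a GeoIP lookup (prefix -> region); use a real GeoIP DB in practice.
GEO_PREFIXES = {"198.51.100.": "EU", "203.0.113.": "AS", "192.0.2.": "NA"}

LOGIN_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: imap-login: Login: "
    r"user=<([^>]*)>.*?\brip=([\d.]+)")

def region_of(ip):
    """Region for an address, or None when the lookup cannot place it."""
    for prefix, region in GEO_PREFIXES.items():
        if ip.startswith(prefix):
            return region
    return None

def parse_logins(text, year=2017):
    """Yield (user, timestamp, rip) per Login line; syslog omits the year."""
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield m.group(2), ts, m.group(3)

def find_region_hops(text, window=timedelta(hours=1)):
    """Flag consecutive logins by one user from different regions within
    `window`, as (user, earlier_region, later_region, minutes_apart).
    Addresses the lookup cannot place are skipped rather than guessed."""
    last_seen, hops = {}, []          # user -> (timestamp, region)
    for user, ts, ip in parse_logins(text):
        region = region_of(ip)
        if region is None:
            continue
        prev = last_seen.get(user)
        if prev and prev[1] != region and ts - prev[0] <= window:
            minutes = int((ts - prev[0]).total_seconds() // 60)
            hops.append((user, prev[1], region, minutes))
        last_seen[user] = (ts, region)
    return hops
```

Running `find_region_hops(SAMPLE_LOG)` flags only alice (EU to AS in 20 minutes); bob's two regions are hours apart and carol's second address cannot be placed, so neither is reported.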


Disable ssl validation for replication?

2017-12-20 Thread Joseph Ward
Hi,

I have two servers (HA configuration) on which I'm attempting to get
replication working over SSL.  They're at two different sites, but
connected via a site-site VPN.

Everything seems to be fine, except that the certificates are not
validating as I'm using IP addresses for the sync, as opposed to the
public hostnames for which the certificates are valid, and so I get the
following error: 

doveadm(user@domain): Error: doveadm server disconnected before
handshake: SSL certificate doesn't match expected host name 10.x.x.x

I'm on Dovecot 2.2.33.

Is there any way to disable the certificate checking/validation for the
sync engine? 

(
I'm aware of at least a couple of fallback options:
    -have a self-signed cert for replication and use the Let's Encrypt
one for IMAP/POP
    - create firewall rules allowing them to connect to each other over
the public internet so that it can validate the proper cert
 
These are both much less palatable than simply disabling the cert
validation if it's possible.
)


Thank you in advance for any assistance,
Joseph


Logouts/disconnections not being logged?

2017-12-20 Thread Joseph Tam


In a previous thread

Subject: Re: iPhone/iPad IMAP connection bursts causes user+IP exceeded

I reported the behaviour of MacOSX/iOS IMAP readers whereby it would
use up all available connections (up to the mail_max_userip_connections
setting) for mailbox searches, then log them all out, then repeat the
cycle with another batch of mailbox searches, until all mailboxes were
scanned.

However, login/logout log counts don't square up.  I would observe
(for a particular user+ip) mail_max_userip_connections login entries,
followed by *fewer* than mail_max_userip_connections logout entries.
(I could not find any disconnections or other forms of termination.)

The next peak connection count happened after another
mail_max_userip_connections logins (implying the total connection count
mail_max_userip_connections), then another string of logouts fewer
than mail_max_userip_connections.

For example, if mail_max_userip_connections=100, I would see

0 -> 100 logins -> 87 logouts -> 100 logins -> 87 logouts
-> 100 logins -> 94 logouts -> 100 logins -> ...

It appears that somewhere, somehow, IMAP session exits are not being
logged.  Is there a reason to explain this discrepancy?

Joseph Tam 


Virtual folders: Panic: file mail-index-sync.c

2017-12-20 Thread Andreas Tauscher
Hi!

I have compiled Dovecot 2.33.2 and created some virtual folders.
When I create a virtual folder for all flagged mails with
dovecot-virtual containing

*
  flagged

and I set in 15-mailboxes.conf

  mailbox virtual/Flagged {
    special_use = \Flagged
    comment = All flagged messages
    auto = subscribe
  }

Dovecot crashes when any virtual folder is accessed:

Dec 21 01:07:59 mail dovecot: imap(transf...@shidolya.co.tz): Panic: file mail-index-sync.c: line 413 (mail_index_sync_begin_to2): assertion failed: (!index->syncing)
Dec 21 01:07:59 mail dovecot: imap(test@test.local): Error: Raw backtrace:
  /usr/lib/dovecot/libdovecot.so.0(+0x935c2) [0x7f4ead1395c2] ->
  /usr/lib/dovecot/libdovecot.so.0(+0x936ad) [0x7f4ead1396ad] ->
  /usr/lib/dovecot/libdovecot.so.0(i_fatal+0) [0x7f4ead0c9f61] ->
  /usr/lib/dovecot/libdovecot-storage.so.0(+0xd4d4c) [0x7f4ead49ed4c] ->
  /usr/lib/dovecot/libdovecot-storage.so.0(mail_index_sync_begin_to+0x4f) [0x7f4ead49ee2f] ->
  /usr/lib/dovecot/libdovecot-storage.so.0(mail_index_sync_begin+0x1c) [0x7f4ead49eecc] ->
  /usr/lib/dovecot/modules/lib20_virtual_plugin.so(virtual_storage_sync_init+0x20e) [0x7f4eabe9904e] ->
  /usr/lib/dovecot/libdovecot-storage.so.0(mailbox_sync_init+0x44) [0x7f4ead4076a4] ->
  /usr/lib/dovecot/libdovecot-storage.so.0(mailbox_sync+0x37) [0x7f4ead407747] ->
  /usr/lib/dovecot/libdovecot-storage.so.0(index_storage_get_status+0x31) [0x7f4ead481dd1] ->
  /usr/lib/dovecot/modules/lib20_virtual_plugin.so(+0x916d) [0x7f4eabe9616d] ->
  /usr/lib/dovecot/libdovecot-storage.so.0(+0x9ce81) [0x7f4ead466e81] ->
  /usr/lib/dovecot/modules/lib01_acl_plugin.so(+0xd825) [0x7f4eac8d0825] ->
  /usr/lib/dovecot/libdovecot-storage.so.0(mailbox_get_status+0x31) [0x7f4ead407ae1] ->
  /usr/lib/dovecot/modules/lib20_virtual_plugin.so(virtual_storage_sync_init+0x1096) [0x7f4eabe99ed6] ->
  /usr/lib/dovecot/libdovecot-storage.so.0(mailbox_sync_init+0x44) [0x7f4ead4076a4] ->
  /usr/lib/dovecot/libdovecot-storage.so.0(mailbox_sync+0x37) [0x7f4ead407747] ->
  /usr/lib/dovecot/libdovecot-storage.so.0(index_storage_get_status+0x31) [0x7f4ead481dd1] ->
  /usr/lib/dovecot/modules/lib20_virtual_plugin.so(+0x916d) [0x7f4eabe9616d] ->
  /usr/lib/dovecot/libdovecot-storage.so.0(+0x9ce81) [0x7f4ead466e81] ->
  /usr/lib/dovecot/modules/lib01_acl_plugin.so(+0xd825) [0x7f4eac8d0825] ->
  /usr/lib/dovecot/libdovecot-storage.so.0(mailbox_get_status+0x31) [0x7f4ead407ae1] ->
  /usr/lib/dovecot/modules/lib20_virtual_plugin.so(virtual_storage_sync_init+0x1096) [0x7f4eabe99ed6] ->
  /usr/lib/dovecot/libdovecot-storage.so.0(mailbox_sync_init+0x44) [0x7f4ead4076a4] ->
  /usr/lib/dovecot/libdovecot-storage.so.0(mailbox_sync+0x37) [0x7f4ead407747] ->
  /usr/lib/dovecot/libdovecot-storage.so.0(index_storage_get_status+0x31) [0x7f4ead481dd1] ->
  /usr/lib/dovecot/modules/lib20_virtual_plugin.so(+0x916d) [0x7f4eabe9616d] ->
  /usr/lib/dovecot/libdovecot-storage.so.0(+0x9ce81) [0x7f4ead466e81]

When I remove "auto = subscribe" everything works as expected.
I got this crash only if I use "flagged" in the virtual folder. Other
virtual folders, like an unseen folder, work fine with "auto = subscribe".

Andreas


Re: v2.3.0 release candidate released

2017-12-20 Thread Michael Grimm
Hi,

Odhiambo Washington wrote:

> What am I missing here:
> 
> OS = FreeBSD 8.4
> 
> Here is how it fails during `gmake`:

[snip]

Hmm, FBSD 8.4 has reached End of Life a long time ago, namely on August 1, 
2015. It has not seen security updates ever since :-(

Thus, I am just curious: but why can't you upgrade to either 10.x or 11.x?

Regards,
Michael



Re: ot: fail2ban dovecot setup

2017-12-20 Thread voytek
thanks for all the help, I went back to the old server's config, and it
worked as is, so that will do for now:

# fail2ban-client status dovecot-iredmail
Status for the jail: dovecot-iredmail
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 5
|  `- File list:        /var/log/dovecot.log
`- Actions
   |- Currently banned: 1
   |- Total banned: 1
   `- Banned IP list:   1.144.106.60
#

Chain f2b-dovecot (1 references)
target     prot opt source               destination
REJECT     all  --  1.144.106.60         anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere





Shared mailboxes ACL's in MySQL, mailboxes in LDAP

2017-12-20 Thread Matt .
Hi Guys,

I have a situation where I want to autocreate my mailboxes using
LDAP auth, as my mailboxes are in there. But as I need to share some
mailboxes as shared folders, is it possible to have that information in
MySQL?

Maybe it's even better to put everything in MySQL, but design-wise it's
actually not.

If someone has an example of how to accomplish this, as I'm reading about
ACLs as well and I'm wondering if this is actually going to work.

Thanks!

Matt


Re: New Dovecot service: SMTP Submission (RFC6409)

2017-12-20 Thread Marcus Rueckert

On 2017-12-20 14:39, Tanstaafl wrote:

> On Sat Dec 16 2017 15:41:25 GMT-0500 (Eastern Standard Time), Tanstaafl
> wrote:
>> Ok, well, my ignorance is probably glaring here, but what I meant was,
>> the make the BURL/URLAUTH pieces strictly between Dovecot and the
>> backend SMTP server, make it invisible to the Client...
>
> So, I take it the no response to this means that there is no way to put
> the BURL/URLAUTH parts such that only server support is needed, nothing
> special on the client side?
>
> Bummer, that means it will be a looong time if ever that this feature is
> usable.

Maybe take the time of the year into account and add a bit more waiting
time before drawing conclusions.

People might be busy with other things right now.


Re: New Dovecot service: SMTP Submission (RFC6409)

2017-12-20 Thread Tanstaafl
On Sat Dec 16 2017 15:41:25 GMT-0500 (Eastern Standard Time), Tanstaafl wrote:
> Ok, well, my ignorance is probably glaring here, but what I meant was,
> the make the BURL/URLAUTH pieces strictly between Dovecot and the
> backend SMTP server, make it invisible to the Client...

So, I take it the no response to this means that there is no way to put
the BURL/URLAUTH parts such that only server support is needed, nothing
special on the client side?

Bummer, that means it will be a looong time if ever that this feature is
usable.


Re: detect suspicious logins

2017-12-20 Thread Marcus Rueckert
On Tue, 19 Dec 2017 17:13:10 +
Matthew Broadhead wrote:

> does anyone know of a linux module (maybe similar to fail2ban) that 
> could be installed which would monitor email logs (sign ins) and
> alert the user to any suspicious activity on their account?  i
> suspect it would need to log geo location, device type and ip address
> to a database.  it seems like a module like this would be very useful
> and should exist already?  thanks in advance

https://github.com/PowerDNS/weakforced

-- 
  openSUSE - SUSE Linux is my linux
  openSUSE is good for you
  www.opensuse.org


Re: detect suspicious logins

2017-12-20 Thread @lbutlr


> On 19 Dec 2017, at 10:13, Matthew Broadhead wrote:
> 
> does anyone know of a linux module (maybe similar to fail2ban) that could be 
> installed which would monitor email logs (sign ins) and alert the user to any 
> suspicious activity on their account?

Fail2ban can protect email logins. Alerting a user because random IP in Korean 
Middle School tried to login seems no helpful.

> i suspect it would need to log geo location, device type and ip address to a 
> database.  it seems like a module like this would be very useful

How?

Blacklist failed logins. That protects everyone and doesn't induce panic.

-- 
Apple broke AppleScripting signatures in Mail.app, so no random signatures.



Re: v2.3.0 release candidate released

2017-12-20 Thread Thomas Leuxner
* Timo Sirainen 2017.12.18 16:23:

Hi,

what is the correct way of implementing carbon stats with 2.3?

/etc/dovecot/conf.d/90-stats.conf: 
old_stats_carbon_server=127.0.0.1:2003
old_stats_carbon_name=host_domain_tld
old_stats_carbon_interval=60s

/etc/dovecot/conf.d/20-imap.conf:

mail_plugins =

I changed imap_stats to imap_old_stats, however this yields the following error:

Dec 20 10:20:30 edi dovecot: imap(t...@leuxner.net)<26352><9VA9GMJgns4FkqmS>: 
Error: module /usr/lib/dovecot/modules/lib95_imap_old_stats_plugin.so: 
dlsym(imap_old_stats_plugin_init) failed: 
/usr/lib/dovecot/modules/lib95_imap_old_stats_plugin.so: undefined symbol: 
imap_old_stats_plugin_init
Dec 20 10:20:30 edi dovecot: imap(t...@leuxner.net)<26352><9VA9GMJgns4FkqmS>: 
Error: module /usr/lib/dovecot/modules/lib95_imap_old_stats_plugin.so: 
dlsym(imap_old_stats_plugin_deinit) failed: 
/usr/lib/dovecot/modules/lib95_imap_old_stats_plugin.so: undefined symbol: 
imap_old_stats_plugin_deinit
Dec 20 10:20:30 edi dovecot: imap(t...@leuxner.net): Error: Couldn't load 
required plugin /usr/lib/dovecot/modules/lib95_imap_old_stats_plugin.so: Module 
doesn't have init function

Regards
Thomas

