Re: Replication fails with dsync-server(ad...@asergis.com): Error: Couldn't create lock /home/admin/.dovecot-sync.lock: No such file or directory

2018-03-30 Thread Aki Tuomi
Your userdb is returning user 'admin' on either site. For the segfault it would be 
useful to get a gdb backtrace (or equivalent). 

Aki

> On 30 March 2018 at 21:04 Vladimir Tiukhtin wrote:
> 
> 
> Hello
> 
> 
> I have configured replication using dsync. It fails with a message
> 
> Error: Couldn't create lock /home/admin/.dovecot-sync.lock: No such file 
> or directory
> 
> This directory predictably does not exist - all my users are supposed to 
> be virtual. I cannot find an option to switch this off. At the same 
> time, if I try manual replication I get a segfault error
> 
> 
> Mar 30 17:17:24 localhost.localdomain dovecot[29063]: 
> dsync-server(ad...@asergis.com): Error: Couldn't create lock 
> /home/admin/.dovecot-sync.lock: No such file or directory
> Mar 30 17:17:54 localhost.localdomain dovecot[29063]: 
> dsync-server(ad...@asergis.com): Error: sieve-storage: couldn't find 
> storage root directory; sieve_dir was left unconfigured and 
> autodetection failed
> Mar 30 17:17:54 localhost.localdomain dovecot[29063]: 
> dsync-server(ad...@asergis.com): Fatal: master: service(doveadm): child 
> 29133 killed with signal 11 (core dumps disabled)
> Mar 30 17:17:54 localhost.localdomain kernel: doveadm-server[29133]: 
> segfault at 58 ip 7fa0608c9ca1 sp 7fffbf349480 error 4 in 
> lib10_doveadm_sieve_plugin.so[7fa0608c2000+b000]
> Mar 30 17:22:25 localhost.localdomain dovecot[29063]: 
> dsync-server(ad...@asergis.com): Error: Couldn't create lock 
> /home/admin/.dovecot-sync.lock: No such file or directory
> Mar 30 17:27:58 localhost.localdomain kernel: doveadm[29153]: segfault 
> at 58 ip 7fc1e65baca1 sp 7ffd1a78b020 error 4 in 
> lib10_doveadm_sieve_plugin.so[7fc1e65b3000+b000]
> 
> 
> *My OS*:
> 
> # cat /etc/os-release
> NAME="CentOS Linux"
> VERSION="7 (Core)"
> ID="centos"
> ID_LIKE="rhel fedora"
> VERSION_ID="7"
> PRETTY_NAME="CentOS Linux 7 (Core)"
> ANSI_COLOR="0;31"
> CPE_NAME="cpe:/o:centos:centos:7"
> HOME_URL="https://www.centos.org/;
> BUG_REPORT_URL="https://bugs.centos.org/;
> 
> CENTOS_MANTISBT_PROJECT="CentOS-7"
> CENTOS_MANTISBT_PROJECT_VERSION="7"
> REDHAT_SUPPORT_PRODUCT="centos"
> REDHAT_SUPPORT_PRODUCT_VERSION="
> 
> *My dovecot:*
> 
> # dovecot --version
> 2.2.10
> 
> *My config*:
> 
> auth_cache_size = 12 M
> auth_cache_ttl = 1 days
> auth_debug = yes
> auth_mechanisms = plain login
> auth_username_chars = abcdefghijklmnopqrstuvwxyz.@
> auth_verbose = yes
> base_dir = /var/run/dovecot/
> default_client_limit = 1024
> default_process_limit = 128
> doveadm_password = mysecretpasswordsharedamongservers
> first_valid_uid = 1000
> instance_name = powergate
> login_greeting = with a great power comes great responsibility
> mail_location = mdbox:/var/mail/%d/%n
> mail_plugins = replication notify
> mail_privileged_group = mail
> mbox_write_locks = fcntl
> namespace inbox {
>    inbox = yes
>    location =
>    mailbox Drafts {
>      auto = no
>      special_use = \Drafts
>    }
>    mailbox Junk {
>      special_use = \Junk
>    }
>    mailbox Sent {
>      auto = subscribe
>      special_use = \Sent
>    }
>    mailbox "Sent Messages" {
>      auto = no
>      special_use = \Sent
>    }
>    mailbox Spam {
>      auto = create
>      special_use = \Junk
>    }
>    mailbox Trash {
>      auto = no
>      special_use = \Trash
>    }
>    mailbox virtual/All {
>      auto = no
>      special_use = \All
>    }
>    prefix =
> }
> passdb {
>    args = /etc/dovecot/dovecot-sql.conf.ext
>    driver = sql
> }
> plugin {
>    mail_replica = tcp:192.168.100.11:54321
> }
> protocols = imap lmtp
> service aggregator {
>    fifo_listener replication-notify-fifo {
>      mode = 0666
>      user = $default_internal_user
>    }
>    unix_listener replication-notify {
>      mode = 0666
>      user = $default_internal_user
>    }
> }
> service auth {
>    client_limit = 512
>    inet_listener auth-client {
>      port = 12345
>    }
>    unix_listener auth-userdb {
>      mode = 0666
>    }
> }
> service doveadm {
>    inet_listener {
>      port = 54321
>    }
> }
> service imap-login {
>    inet_listener imap {
>      port = 0
>    }
>    inet_listener imaps {
>      port = 993
>      ssl = yes
>    }
>    process_min_avail = 2
>    service_count = 1
> }
> service imap {
>    service_count = 1
> }
> service lmtp {
>    unix_listener lmtp {
>      group = postfix
>      mode = 0600
>      user = postfix
>    }
> }
> ssl = required
> ssl_cert = 
> ssl_dh_parameters_length = 2048
> ssl_key = 
> userdb {
>    args = /etc/dovecot/dovecot-sql.conf.ext
>    driver = sql
> }
>


Re: Issue with a bug with imap-login

2018-03-30 Thread Aki Tuomi
https://wiki.dovecot.org/Debugging/Rawlog

Can you try with this?

Aki

> On 31 March 2018 at 00:52 Grant Keller  wrote:
> 
> 
> Hello,
> 
> Currently working on migrating our existing directors from 2.1.13 to
> 2.2.10. In 2.2.10 when issuing the logout command on an unauthenticated
> connection, the connection is closed before the server sends the BYE
> line to the client. The new version works as expected with a non-secure
> connection. I will include the strace output from the imap-login process
> that shows the connection closing before the message can be sent.
> 
> # 2.2.10: /etc/dovecot/dovecot.conf
> # OS: Linux 3.10.0-693.21.1.el7.x86_64 x86_64 CentOS Linux release 7.4.1708 
> (Core)
> auth_master_user_separator = *
> auth_username_format = %Ln
> auth_verbose = yes
> default_client_limit = 2
> director_mail_servers = removed 
> director_servers = c.director.imapd.sonic.net d.director.imapd.sonic.net
> disable_plaintext_auth = no
> doveadm_port = 1842
> login_trusted_networks = removed 
> mbox_write_locks = fcntl
> passdb {
>   args = /etc/dovecot/master-users
>   driver = passwd-file
>   master = yes
>   pass = yes
> }
> passdb {
>   args = proxy=y nopassword=y
>   driver = static
> }
> service anvil {
>   client_limit = 40103
> }
> service auth {
>   client_limit = 41704
> }
> service director {
>   fifo_listener login/proxy-notify {
> mode = 0666
>   }
>   inet_listener {
> port = 9321
>   }
>   unix_listener login/director {
> mode = 0666
>   }
> }
> service imap-login {
>   executable = imap-login director
>   process_limit = 2
>   process_min_avail = 1
> }
> service imap {
>   process_limit = 20480
> }
> service pop3-login {
>   executable = pop3-login director
>   process_limit = 2
>   process_min_avail = 32
> }
> ssl_ca = 
> ssl_cert = 
> ssl_cipher_list = 
> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
> ssl_key = 
> ssl_parameters_regenerate = 1 days
> ssl_protocols = !SSLv2 !SSLv3
> syslog_facility = local0
> protocol imap {
>   imap_max_line_length = 128 k
>   ssl_ca = 
>   ssl_cert = 
>   ssl_key = 
> }
> protocol pop3 {
>   ssl_ca = 
>   ssl_cert = 
>   ssl_key = 
> }
> 
> STRACE:
> 
> 263563 epoll_wait(14, [{EPOLLIN, {u32=2772983280, 
> u64=94500643429872}}], 8, -1) = 1
> 263563 accept(9, {sa_family=AF_INET, 
> sin_port=htons(39552), sin_addr=inet_addr("64.142.18.25")}, [16]) = 
> 1864.142.18.25:39552]>
> 263563 fcntl(1864.142.18.25:39552]>, F_GETFL) = 0x2 
> (flags O_RDWR)
> 263563 fcntl(1864.142.18.25:39552]>, F_SETFL, 
> O_RDWR|O_NONBLOCK) = 0
> 263563 write(5, "\213\5\4\0\223\16\0\0\0\0\0\0", 12) = 12
> 263563 write(2, "\1\010263563 ip=64.142.18.25\n", 25) = 25
> 263563 getsockname(1864.142.18.25:39552]>, 
> {sa_family=AF_INET, sin_port=htons(993), 
> sin_addr=inet_addr("64.142.111.79")}, [16]) = 0
> 263563 socket(AF_LOCAL, SOCK_STREAM, 0) = 19
> 263563 fcntl(19, F_GETFL) = 0x2 (flags O_RDWR)
> 263563 fcntl(19, F_SETFL, O_RDWR|O_NONBLOCK) = 0
> 263563 connect(19, {sa_family=AF_LOCAL, 
> sun_path="ssl-params"}, 110) = 0
> 263563 fcntl(19, F_GETFL) = 0x802 (flags O_RDWR|O_NONBLOCK)
> 263563 fcntl(19, F_SETFL, O_RDWR) = 0
> 263563 read(19, "\0\2\0\0", 4) = 4
> 263563 read(19, "H\0\0\0", 4) = 4
> 263563 read(19, 
> "0F\2A\0\246@\4\253O,\222\10\300\237\334\240>\331\270\24K\261w\300\16\0076\230\2039\1"...,
>  72) = 72
> 263563 read(19, "\0\4\0\0", 4) = 4
> 263563 read(19, "\212\0\0\0", 4) = 4
> 263563 read(19, 
> "0\201\207\2\201\201\0\213:7H\"\251}6d\371}\212\312\276\177p!\10\26\1[\241\265\254\216"...,
>  138) = 138
> 263563 read(19, "\0\0\0\0", 4) = 4
> 263563 read(19, "", 1)  = 0
> 263563 close(19)= 0
> 263563 socketpair(AF_LOCAL, SOCK_STREAM, 0, [191401334]>, 
> 201401333]>]) = 0
> 263563 fcntl(191401334]>, F_GETFL) = 0x2 (flags O_RDWR)
> 263563 fcntl(191401334]>, F_SETFL, O_RDWR|O_NONBLOCK) = 0
> 263563 

Issue with a bug with imap-login

2018-03-30 Thread Grant Keller
Hello,

Currently working on migrating our existing directors from 2.1.13 to
2.2.10. In 2.2.10 when issuing the logout command on an unauthenticated
connection, the connection is closed before the server sends the BYE
line to the client. The new version works as expected with a non-secure
connection. I will include the strace output from the imap-login process
that shows the connection closing before the message can be sent.

# 2.2.10: /etc/dovecot/dovecot.conf
# OS: Linux 3.10.0-693.21.1.el7.x86_64 x86_64 CentOS Linux release 7.4.1708 
(Core)
auth_master_user_separator = *
auth_username_format = %Ln
auth_verbose = yes
default_client_limit = 2
director_mail_servers = removed 
director_servers = c.director.imapd.sonic.net d.director.imapd.sonic.net
disable_plaintext_auth = no
doveadm_port = 1842
login_trusted_networks = removed 
mbox_write_locks = fcntl
passdb {
  args = /etc/dovecot/master-users
  driver = passwd-file
  master = yes
  pass = yes
}
passdb {
  args = proxy=y nopassword=y
  driver = static
}
service anvil {
  client_limit = 40103
}
service auth {
  client_limit = 41704
}
service director {
  fifo_listener login/proxy-notify {
mode = 0666
  }
  inet_listener {
port = 9321
  }
  unix_listener login/director {
mode = 0666
  }
}
service imap-login {
  executable = imap-login director
  process_limit = 2
  process_min_avail = 1
}
service imap {
  process_limit = 20480
}
service pop3-login {
  executable = pop3-login director
  process_limit = 2
  process_min_avail = 32
}
ssl_ca = , [{EPOLLIN, {u32=2772983280, 
u64=94500643429872}}], 8, -1) = 1
263563 accept(9, {sa_family=AF_INET, sin_port=htons(39552), 
sin_addr=inet_addr("64.142.18.25")}, [16]) = 
1864.142.18.25:39552]>
263563 fcntl(1864.142.18.25:39552]>, F_GETFL) = 0x2 
(flags O_RDWR)
263563 fcntl(1864.142.18.25:39552]>, F_SETFL, 
O_RDWR|O_NONBLOCK) = 0
263563 write(5, "\213\5\4\0\223\16\0\0\0\0\0\0", 12) = 12
263563 write(2, "\1\010263563 ip=64.142.18.25\n", 25) = 25
263563 getsockname(1864.142.18.25:39552]>, 
{sa_family=AF_INET, sin_port=htons(993), sin_addr=inet_addr("64.142.111.79")}, 
[16]) = 0
263563 socket(AF_LOCAL, SOCK_STREAM, 0) = 19
263563 fcntl(19, F_GETFL) = 0x2 (flags O_RDWR)
263563 fcntl(19, F_SETFL, O_RDWR|O_NONBLOCK) = 0
263563 connect(19, {sa_family=AF_LOCAL, sun_path="ssl-params"}, 
110) = 0
263563 fcntl(19, F_GETFL) = 0x802 (flags O_RDWR|O_NONBLOCK)
263563 fcntl(19, F_SETFL, O_RDWR) = 0
263563 read(19, "\0\2\0\0", 4) = 4
263563 read(19, "H\0\0\0", 4) = 4
263563 read(19, 
"0F\2A\0\246@\4\253O,\222\10\300\237\334\240>\331\270\24K\261w\300\16\0076\230\2039\1"...,
 72) = 72
263563 read(19, "\0\4\0\0", 4) = 4
263563 read(19, "\212\0\0\0", 4) = 4
263563 read(19, 
"0\201\207\2\201\201\0\213:7H\"\251}6d\371}\212\312\276\177p!\10\26\1[\241\265\254\216"...,
 138) = 138
263563 read(19, "\0\0\0\0", 4) = 4
263563 read(19, "", 1)  = 0
263563 close(19)= 0
263563 socketpair(AF_LOCAL, SOCK_STREAM, 0, [191401334]>, 
201401333]>]) = 0
263563 fcntl(191401334]>, F_GETFL) = 0x2 (flags O_RDWR)
263563 fcntl(191401334]>, F_SETFL, O_RDWR|O_NONBLOCK) = 0
263563 fcntl(201401333]>, F_GETFL) = 0x2 (flags O_RDWR)
263563 fcntl(201401333]>, F_SETFL, O_RDWR|O_NONBLOCK) = 0
263563 fcntl(1864.142.18.25:39552]>, F_GETFL) = 0x802 
(flags O_RDWR|O_NONBLOCK)
263563 fcntl(1864.142.18.25:39552]>, F_SETFL, 
O_RDWR|O_NONBLOCK) = 0
263563 fstat(201401333]>, {st_mode=S_IFSOCK|0777, st_size=0, 
...}) = 0
263563 lseek(201401333]>, 0, SEEK_CUR) = -1 ESPIPE (Illegal 
seek)
263563 getsockname(201401333]>, {sa_family=AF_LOCAL, NULL}, 
[2]) = 0
263563 epoll_ctl(14, EPOLL_CTL_ADD, 
201401333]>, {EPOLLIN|EPOLLPRI|EPOLLERR|EPOLLHUP, 
{u32=2773038880, u64=94500643485472}}) = 0
263563 write(201401333]>, "* OK [CAPABILITY IMAP4rev1 
LITER"..., 103) = 103
263563 brk(NULL)= 0x55f2a549d000
263563 brk(0x55f2a54c2000)  = 0x55f2a54c2000
263563 read(1864.142.18.25:39552]>, 
"\26\3\1\0\253\1\0\0\247\3\3", 11) = 11
263563 read(1864.142.18.25:39552]>, 
"\205\224\354\263zY\200p\240T\21\377\276\224\251(\343\255x\277\273.\223\304\"64.142.18.25:39552]>, 
"\26\3\3\0=\2\0\0009\3\0033\336\314\231\205\305\330\206M\361qQ\240\272\225\317^\331Ysc"...,
 4096) = 4096
263563 

Replication fails with dsync-server(ad...@asergis.com): Error: Couldn't create lock /home/admin/.dovecot-sync.lock: No such file or directory

2018-03-30 Thread Vladimir Tiukhtin

Hello


I have configured replication using dsync. It fails with a message

Error: Couldn't create lock /home/admin/.dovecot-sync.lock: No such file 
or directory


This directory predictably does not exist - all my users are supposed to 
be virtual. I cannot find an option to switch this off. At the same 
time, if I try manual replication I get a segfault error



Mar 30 17:17:24 localhost.localdomain dovecot[29063]: 
dsync-server(ad...@asergis.com): Error: Couldn't create lock 
/home/admin/.dovecot-sync.lock: No such file or directory
Mar 30 17:17:54 localhost.localdomain dovecot[29063]: 
dsync-server(ad...@asergis.com): Error: sieve-storage: couldn't find 
storage root directory; sieve_dir was left unconfigured and 
autodetection failed
Mar 30 17:17:54 localhost.localdomain dovecot[29063]: 
dsync-server(ad...@asergis.com): Fatal: master: service(doveadm): child 
29133 killed with signal 11 (core dumps disabled)
Mar 30 17:17:54 localhost.localdomain kernel: doveadm-server[29133]: 
segfault at 58 ip 7fa0608c9ca1 sp 7fffbf349480 error 4 in 
lib10_doveadm_sieve_plugin.so[7fa0608c2000+b000]
Mar 30 17:22:25 localhost.localdomain dovecot[29063]: 
dsync-server(ad...@asergis.com): Error: Couldn't create lock 
/home/admin/.dovecot-sync.lock: No such file or directory
Mar 30 17:27:58 localhost.localdomain kernel: doveadm[29153]: segfault 
at 58 ip 7fc1e65baca1 sp 7ffd1a78b020 error 4 in 
lib10_doveadm_sieve_plugin.so[7fc1e65b3000+b000]



*My OS*:

# cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/;
BUG_REPORT_URL="https://bugs.centos.org/;

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="

*My dovecot:*

# dovecot --version
2.2.10

*My config*:

auth_cache_size = 12 M
auth_cache_ttl = 1 days
auth_debug = yes
auth_mechanisms = plain login
auth_username_chars = abcdefghijklmnopqrstuvwxyz.@
auth_verbose = yes
base_dir = /var/run/dovecot/
default_client_limit = 1024
default_process_limit = 128
doveadm_password = mysecretpasswordsharedamongservers
first_valid_uid = 1000
instance_name = powergate
login_greeting = with a great power comes great responsibility
mail_location = mdbox:/var/mail/%d/%n
mail_plugins = replication notify
mail_privileged_group = mail
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    auto = no
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    auto = no
    special_use = \Sent
  }
  mailbox Spam {
    auto = create
    special_use = \Junk
  }
  mailbox Trash {
    auto = no
    special_use = \Trash
  }
  mailbox virtual/All {
    auto = no
    special_use = \All
  }
  prefix =
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  mail_replica = tcp:192.168.100.11:54321
}
protocols = imap lmtp
service aggregator {
  fifo_listener replication-notify-fifo {
    mode = 0666
    user = $default_internal_user
  }
  unix_listener replication-notify {
    mode = 0666
    user = $default_internal_user
  }
}
service auth {
  client_limit = 512
  inet_listener auth-client {
    port = 12345
  }
  unix_listener auth-userdb {
    mode = 0666
  }
}
service doveadm {
  inet_listener {
    port = 54321
  }
}
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
  process_min_avail = 2
  service_count = 1
}
service imap {
  service_count = 1
}
service lmtp {
  unix_listener lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
ssl = required
ssl_cert = 

Re: debian lintian warn: hardening-no-fortify-functions

2018-03-30 Thread A. Schulze
> Hi! Dovecot 2.3 has hardening enabled.

OK, I'll give it a try and report if I've results...

Thanks
Andreas


Re: dovecot auth error: Illegal seek

2018-03-30 Thread Aki Tuomi

> On 30 March 2018 at 15:11 panetta  wrote:
> 
> 
> Hi,
> 
> I recently configured dovecot to manage auth
> for both local and virtual users.
> When I log in as a virtual user (claudio.panetta) I get the following 
> message:
> 
> dovecot: auth: Error: 
> passwd(claudio.panetta,160.97.62.1,): getpwnam() 
> failed: Illegal seek
> 
> but login is ok and sending/receiving email is ok,
> how can, if possible, I suppress this error message?
> 
> In the following my dovecot config:
> 
> host-prompt# dovecot -n
> # 2.1.7: /etc/dovecot/dovecot.conf
> # OS: Linux 3.2.0-5-686-pae i686 Debian 7.11
> auth_mechanisms = plain login
> auth_username_format = %Ln
> listen = *
> log_timestamp = "%Y-%m-%d %H:%M:%S "
> login_greeting = Server ready.
> mail_full_filesystem_access = yes
> mail_location = mbox:~/:INBOX=/var/mail/%u:INDEX=/var/index/%u
> mail_privileged_group = mail
> passdb {
>    driver = pam
> }
> passdb {
>    args = scheme=MD5-CRYPT username_format=%n /etc/dovecot/users
>    driver = passwd-file
> }
> protocols = " imap"
> service auth {
>    unix_listener /var/spool/postfix/private/auth {
>      group = postfix
>      mode = 0660
>      user = postfix
>    }
>    user = root
> }
> service imap-login {
>    inet_listener imap {
>      port = 0
>    }
> }
> ssl_cert = 
> ssl_key = 
> userdb {
>    driver = passwd
> }
> userdb {
>    args = username_format=%n /etc/dovecot/users uid=vmail gid=vmail 
> home=/var/vmail/%d/%n mail=maildir:/var/vmail/%d/%n/Maildir
>    driver = static
> }
> verbose_proctitle = yes
> 
> host-prompt# cat /etc/dovecot/users
> claudio.panetta:{MD5-CRYPT}$1$abcdefghijklmnopqrst
> ciccio.pasticcio:{MD5-CRYPT}$1$abcdefghijklmnopqrst
> 
> Regards,
> Claudio
> 
>

Hi! Put the file based passdb before the pam one. Also not sure what you are 
trying to do with the static userdb. It looks like you wanted to use 
passwd-file?

Aki


Re: debian lintian warn: hardening-no-fortify-functions

2018-03-30 Thread Aki Tuomi
> On 30 March 2018 at 15:08 "A. Schulze"  wrote:
> 
> 
> Hello,
> 
> To build and package dovecot I use the usual Debian tool chain. That includes 
> building with selected GCC options and running lintian.
> 
> I have noticed for a long time (read: many earlier versions, up to 2.2.35) these 
> lintian warnings:
> 
> I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/auth
> N: 
> N:This package provides an ELF binary that lacks the use of fortified libc
> N:functions. Either there are no potentially unfortified functions called
> N:by any routines, all unfortified calls have already been fully validated
> N:at compile-time, or the package was not built with the default Debian
> N:compiler flags defined by dpkg-buildflags. If built using
> N:dpkg-buildflags directly, be sure to import CPPFLAGS.
> N:
> N:NB: Due to false-positives, Lintian ignores some unprotected functions
> N:(e.g. memcpy).
> N:
> N:Refer to https://wiki.debian.org/Hardening and
> N:https://bugs.debian.org/673112 for details.
> N:
> N:Severity: normal, Certainty: wild-guess
> N:
> N:Check: binaries, Type: binary, udeb
> N: 
> I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/config
> I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/director
> I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/gdbhelper
> I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/imap
> I: dovecot-core: hardening-no-fortify-functions 
> usr/lib/dovecot/libdovecot-login.so.0.0.0
> I: dovecot-core: hardening-no-fortify-functions 
> usr/lib/dovecot/libdovecot-storage.so.0.0.0
> I: dovecot-core: hardening-no-fortify-functions 
> usr/lib/dovecot/modules/lib10_quota_plugin.so
> I: dovecot-core: hardening-no-fortify-functions 
> usr/lib/dovecot/modules/lib20_fts_plugin.so
> I: dovecot-core: hardening-no-fortify-functions 
> usr/lib/dovecot/modules/lib20_replication_plugin.so
> I: dovecot-core: hardening-no-fortify-functions 
> usr/lib/dovecot/modules/lib99_welcome_plugin.so
> I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/quota-status
> I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/script
> I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/script-login
> I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/xml2text
> 
> As you may note, not all binaries are affected. doveadm, doveconf or dovecot 
> aren't for example.
> 
> My (simplified) debian/rules:
>   #!/usr/bin/make -f
> 
>   export DEB_BUILD_MAINT_OPTIONS = hardening=+all
>   DPKG_EXPORT_BUILDFLAGS = 1
>   include /usr/share/dpkg/buildflags.mk
> 
>   include /usr/share/cdbs/1/rules/debhelper.mk
>   include /usr/share/cdbs/1/class/autotools.mk
> 
>   DEB_DH_STRIP_ARGS = --dbg-package=dovecot-core-dbg
> 
> This results in this call to configure:
> 
> CFLAGS="-g -O2 -fdebug-prefix-map=/<>=. -fstack-protector-strong 
> -Wformat -Werror=format-security" CXXFLAGS="-g -O2 
> -fdebug-prefix-map=/<>=. -fstack-protector-strong -Wformat 
> -Werror=format-security" CPPFLAGS="-Wdate-time -D_FORTIFY_SOURCE=2" 
> LDFLAGS="-Wl,-z,relro -Wl,-z,now" /<>/./configure 
> --build=x86_64-linux-gnu --prefix=/usr --includedir="\${prefix}/include" 
> --mandir="\${prefix}/share/man" --infodir="\${prefix}/share/info" 
> --sysconfdir=/etc --localstatedir=/var --libexecdir="\${prefix}/lib/dovecot" 
> --srcdir=. --disable-maintainer-mode --disable-dependency-tracking 
> --disable-silent-rules --libexecdir=/usr/lib --localstatedir=/var 
> --with-statedir=/var/lib/dovecot --with-moduledir=/usr/lib/dovecot/modules 
> --without-docs
> 
> I may provide a full build log if that would be helpful.
> To me that looks like not all binaries are built with the same CFLAGS / CXXFLAGS 
> / CPPFLAGS / LDFLAGS
> 
> Andreas

Hi! Dovecot 2.3 has hardening enabled.
 
Aki


dovecot auth error: Illegal seek

2018-03-30 Thread panetta

Hi,

I recently configured dovecot to manage auth
for both local and virtual users.
When I log in as a virtual user (claudio.panetta) I get the following 
message:


dovecot: auth: Error: 
passwd(claudio.panetta,160.97.62.1,): getpwnam() 
failed: Illegal seek


but login is ok and sending/receiving email is ok,
how can, if possible, I suppress this error message?

In the following my dovecot config:

host-prompt# dovecot -n
# 2.1.7: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-5-686-pae i686 Debian 7.11
auth_mechanisms = plain login
auth_username_format = %Ln
listen = *
log_timestamp = "%Y-%m-%d %H:%M:%S "
login_greeting = Server ready.
mail_full_filesystem_access = yes
mail_location = mbox:~/:INBOX=/var/mail/%u:INDEX=/var/index/%u
mail_privileged_group = mail
passdb {
  driver = pam
}
passdb {
  args = scheme=MD5-CRYPT username_format=%n /etc/dovecot/users
  driver = passwd-file
}
protocols = " imap"
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  user = root
}
service imap-login {
  inet_listener imap {
    port = 0
  }
}
ssl_cert =   args = username_format=%n /etc/dovecot/users uid=vmail gid=vmail 
home=/var/vmail/%d/%n mail=maildir:/var/vmail/%d/%n/Maildir

  driver = static
}
verbose_proctitle = yes

host-prompt# cat /etc/dovecot/users
claudio.panetta:{MD5-CRYPT}$1$abcdefghijklmnopqrst
ciccio.pasticcio:{MD5-CRYPT}$1$abcdefghijklmnopqrst

Regards,
Claudio




debian lintian warn: hardening-no-fortify-functions

2018-03-30 Thread A. Schulze
Hello,

To build and package dovecot I use the usual Debian tool chain. That includes 
building with selected GCC options and running lintian.

I have noticed for a long time (read: many earlier versions, up to 2.2.35) these 
lintian warnings:

I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/auth
N: 
N:This package provides an ELF binary that lacks the use of fortified libc
N:functions. Either there are no potentially unfortified functions called
N:by any routines, all unfortified calls have already been fully validated
N:at compile-time, or the package was not built with the default Debian
N:compiler flags defined by dpkg-buildflags. If built using
N:dpkg-buildflags directly, be sure to import CPPFLAGS.
N:
N:NB: Due to false-positives, Lintian ignores some unprotected functions
N:(e.g. memcpy).
N:
N:Refer to https://wiki.debian.org/Hardening and
N:https://bugs.debian.org/673112 for details.
N:
N:Severity: normal, Certainty: wild-guess
N:
N:Check: binaries, Type: binary, udeb
N: 
I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/config
I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/director
I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/gdbhelper
I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/imap
I: dovecot-core: hardening-no-fortify-functions 
usr/lib/dovecot/libdovecot-login.so.0.0.0
I: dovecot-core: hardening-no-fortify-functions 
usr/lib/dovecot/libdovecot-storage.so.0.0.0
I: dovecot-core: hardening-no-fortify-functions 
usr/lib/dovecot/modules/lib10_quota_plugin.so
I: dovecot-core: hardening-no-fortify-functions 
usr/lib/dovecot/modules/lib20_fts_plugin.so
I: dovecot-core: hardening-no-fortify-functions 
usr/lib/dovecot/modules/lib20_replication_plugin.so
I: dovecot-core: hardening-no-fortify-functions 
usr/lib/dovecot/modules/lib99_welcome_plugin.so
I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/quota-status
I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/script
I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/script-login
I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/xml2text

As you may note, not all binaries are affected. doveadm, doveconf or dovecot 
aren't for example.

My (simplified) debian/rules:
#!/usr/bin/make -f

export DEB_BUILD_MAINT_OPTIONS = hardening=+all
DPKG_EXPORT_BUILDFLAGS = 1
include /usr/share/dpkg/buildflags.mk

include /usr/share/cdbs/1/rules/debhelper.mk
include /usr/share/cdbs/1/class/autotools.mk

DEB_DH_STRIP_ARGS = --dbg-package=dovecot-core-dbg

This results in this call to configure:

CFLAGS="-g -O2 -fdebug-prefix-map=/<>=. -fstack-protector-strong 
-Wformat -Werror=format-security" CXXFLAGS="-g -O2 
-fdebug-prefix-map=/<>=. -fstack-protector-strong -Wformat 
-Werror=format-security" CPPFLAGS="-Wdate-time -D_FORTIFY_SOURCE=2" 
LDFLAGS="-Wl,-z,relro -Wl,-z,now" /<>/./configure 
--build=x86_64-linux-gnu --prefix=/usr --includedir="\${prefix}/include" 
--mandir="\${prefix}/share/man" --infodir="\${prefix}/share/info" 
--sysconfdir=/etc --localstatedir=/var --libexecdir="\${prefix}/lib/dovecot" 
--srcdir=. --disable-maintainer-mode --disable-dependency-tracking 
--disable-silent-rules --libexecdir=/usr/lib --localstatedir=/var 
--with-statedir=/var/lib/dovecot --with-moduledir=/usr/lib/dovecot/modules 
--without-docs

I may provide a full build log if that would be helpful.
To me that looks like not all binaries are built with the same CFLAGS / CXXFLAGS / 
CPPFLAGS / LDFLAGS

Andreas
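
An added example, not part of the thread and not lintian's own code: a simplified version of the kind of check behind hardening-no-fortify-functions, run over constructed `readelf --dyn-syms -W` output. The function subset, the sample symbol tables and the verdict names are assumptions made for illustration.

```python
import subprocess

# libc functions that gain a __<name>_chk variant under _FORTIFY_SOURCE.
# Illustrative subset only; this is not lintian's actual list.
FORTIFIABLE = frozenset({
    "strcpy", "strncpy", "strcat", "strncat", "sprintf", "snprintf",
    "vsprintf", "vsnprintf", "memcpy", "memmove", "memset", "read",
    "fgets", "getcwd", "recv", "readlink",
})
# The lintian note quoted above says some functions (e.g. memcpy) are
# ignored because of false positives; mirror that here.
IGNORED = frozenset({"memcpy"})

_HDR = "   Num:    Value          Size Type    Bind   Vis      Ndx Name\n"
_ROW = "{:>6}: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND {}\n"


def _table(*names):
    """Build constructed readelf-style rows for undefined FUNC symbols."""
    return _HDR + "".join(_ROW.format(i + 1, n) for i, n in enumerate(names))


# Constructed samples (hypothetical binaries, not from a real Dovecot build).
SAMPLE_UNFORTIFIED = _table(
    "strcpy@GLIBC_2.2.5 (2)", "memcpy@GLIBC_2.14 (3)",
    "snprintf@GLIBC_2.2.5 (2)", "__stack_chk_fail@GLIBC_2.4 (4)",
) + "     5: 0000000000001139    42 FUNC    GLOBAL DEFAULT   14 main\n"
SAMPLE_FORTIFIED = _table(
    "__strcpy_chk@GLIBC_2.3.4 (2)", "__snprintf_chk@GLIBC_2.3.4 (2)",
    "read@GLIBC_2.2.5 (3)", "memcpy@GLIBC_2.14 (4)",
)
SAMPLE_NOTHING = _table(
    "malloc@GLIBC_2.2.5 (2)", "free@GLIBC_2.2.5 (2)", "memcpy@GLIBC_2.14 (3)",
)


def undefined_functions(readelf_text):
    """Return names of FUNC symbols the binary imports (Ndx == UND)."""
    names = set()
    for line in readelf_text.splitlines():
        parts = line.split()
        # Data rows look like: "12: <value> <size> FUNC GLOBAL DEFAULT UND name@VER"
        if len(parts) < 8 or not parts[0].rstrip(":").isdigit():
            continue
        sym_type, ndx, name = parts[3], parts[6], parts[7]
        if sym_type == "FUNC" and ndx == "UND":
            names.add(name.split("@", 1)[0])  # drop the symbol version
    return names


def classify(readelf_text):
    """Classify one binary from its dynamic symbol table.

    fortified          - at least one __<name>_chk import is present
    unfortified        - fortifiable functions imported, none as _chk
    nothing-to-fortify - no fortifiable imports at all
    An "unfortified" verdict is only a hint: the compiler also emits the
    plain call when it has fully validated the call at compile time.
    """
    imports = undefined_functions(readelf_text)
    protected = sorted(
        n[2:-4] for n in imports
        if n.startswith("__") and n.endswith("_chk") and n[2:-4] in FORTIFIABLE
    )
    unprotected = sorted((imports & FORTIFIABLE) - IGNORED)
    if protected:
        verdict = "fortified"
    elif unprotected:
        verdict = "unfortified"
    else:
        verdict = "nothing-to-fortify"
    return {"verdict": verdict, "protected": protected,
            "unprotected": unprotected}


def classify_file(path):
    """Run readelf on a real ELF file and classify it (needs binutils)."""
    out = subprocess.run(["readelf", "--dyn-syms", "-W", path],
                         check=True, capture_output=True, text=True).stdout
    return classify(out)


if __name__ == "__main__":
    for label, sample in [("unfortified", SAMPLE_UNFORTIFIED),
                          ("fortified", SAMPLE_FORTIFIED),
                          ("nothing", SAMPLE_NOTHING)]:
        print(label, classify(sample))
```

Running `classify_file` on one flagged and one unflagged binary from the same build shows whether the flagged one imports only plain functions, which is the pattern to expect if CPPFLAGS did not reach that target.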


Re: mail_max_userip_connections from userdb query

2018-03-30 Thread Aki Tuomi
You can probably implement this better with weakforced.
---
Aki Tuomi
Dovecot oy

Original message
From: Arkadiusz Miśkiewicz
Date: 30/03/2018 11:21 (GMT+02:00)
To: dovecot@dovecot.org
Subject: mail_max_userip_connections from userdb query

Hello.

Is it still true that mail_max_userip_connections cannot be overridden in userdb 
query? Want lower global and raise for some logins.

https://www.dovecot.org/pipermail/dovecot/2017-July/108520.html

-- 
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )


mail_max_userip_connections from userdb query

2018-03-30 Thread Arkadiusz Miśkiewicz
Hello.

Is it still true that mail_max_userip_connections cannot be overridden in userdb 
query? Want lower global and raise for some logins.

https://www.dovecot.org/pipermail/dovecot/2017-July/108520.html

-- 
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )