Re: end-to-end encryption

2018-05-15 Thread Aki Tuomi

> On 15 May 2018 at 22:43 Gandalf Corvotempesta wrote:
> 
> 
> Hi to all
> I was looking at protonmail.com
> Is it possible to implement an end-to-end encryption with dovecot, where
> server-side there is no private key to decrypt messages?
> 

You could probably automate this with sieve and e.g. GnuPG, which would mean 
that all your mails are encrypted without the server having a key to decrypt them.

> If I understood properly, on protonmail the private key is encrypted with
> user's password, so that only a user is able to decrypt the mailbox.
> 
> Anything similar?

In this case, the server *does* have the private key, even if it's encrypted... =)

Dovecot's mail crypt plugin can achieve a *similar* thing with

mail_crypt_private_password=%{password}

(see https://wiki.dovecot.org/Plugins/MailCrypt)

But this requires quite good planning, esp. if you are hosting mails, since 
there is currently no DR feature in dovecot. If you decide to use mail crypt 
plugin, set it up with private key password, and lose the password, then the 
mails really are gone.

Also worth noting is that, currently, dovecot does not encrypt indexes, which 
can contain information about your mails.

Aki


end-to-end encryption

2018-05-15 Thread Gandalf Corvotempesta
Hi to all
I was looking at protonmail.com
Is it possible to implement an end-to-end encryption with dovecot, where
server-side there is no private key to decrypt messages?

If I understood properly, on protonmail the private key is encrypted with
user's password, so that only a user is able to decrypt the mailbox.

Anything similar?


Re: Postfix/Dovecot permissions for new mailboxes

2018-05-15 Thread Aki Tuomi

Well, that's not what I asked you to try...

try

mail_home=/var/spool/mail/%u
mail_location=mdbox:~/

Aki

> On 15 May 2018 at 20:03 telsch wrote:
> 
> 
> With these settings I don't get the expected result, still get wrong 
> permissions on new mailboxes. Aki did you also try with %u ?
> 
>  > In /etc/dovecot/conf.d/10-mail.conf follow options are set:
>  >mail_gid = mail
>  >mail_privileged_group = mail
>  >mail_access_groups = mail
>  >mail_location = mdbox:/var/spool/mail/%u
> 
> On 15.05.2018 13:06, Aki Tuomi wrote:
> > I have to correct myself. I tested with sdbox now too, and it seems that
> > using
> > 
> > mail_location=sdbox:~/Mail
> > 
> > produces the expected behaviour. mdbox uses same code as sdbox for this,
> > so it should work fine.
> > 
> > Aki
> > 
> > 
> > On 15.05.2018 13:01, telsch wrote:
> >> I use mdbox not maildir:
> >>
> >>  mail_location = mdbox:/var/spool/mail/%u
> >>
> >> On 15.05.2018 11:53, Aki Tuomi wrote:
> >>> Do you have
> >>>
> >>> mail_location=maildir:~/mail
> >>>
> >>> or
> >>>
> >>> mail_location = maildir:/path/to/whatever/%u
> >>>
> >>> I tested with latest 2.2 that if I use /path/to, I get correct
> >>> permissions.
> >>>
> >>> Aki
> >>>
> >>>
> >>> On 15.05.2018 12:43, telsch wrote:
> >>>> I would expect same permissions as for root mail directory 02770:
> >>>>   drwxrws--- 5 newuser mail 4096 Apr 23 19:31 /var/spool/mail/newuser/
> >>>>
> >>>> Using Dovecot 2.2.34
> >>>>
> >>>> On 14.05.2018 08:37, Aki Tuomi wrote:
> >>>>>
> >>>>>
> >>>>> On 09.05.2018 12:52, telsch wrote:
> >>>>>> Hello,
> >>>>>>
> >>>>>> the wiki page describe that permission should copied from root mail
> >>>>>> directory
> >>>>>>    https://wiki2.dovecot.org/SharedMailboxes/Permissions
> >>>>>>
> >>>>>> The permissions for the root mail directory are set to 2770:
> >>>>>>    drwxrws--- 36 root mail 4096 Apr 15 02:30 /var/spool/mail/
> >>>>>>
> >>>>>> But newly created mailboxes get following permissions:
> >>>>>>    drwx--S--- 5 newuser mail 4096 Apr 23 19:31 /var/spool/mail/newuser/
> >>>>>>
> >>>>>> In /etc/dovecot/conf.d/10-mail.conf follow options are set:
> >>>>>>    mail_gid = mail
> >>>>>>    mail_privileged_group = mail
> >>>>>>    mail_access_groups = mail
> >>>>>>
> >>>>>> I'm missing something to get right group permissions for new
> >>>>>> mailboxes?
> >>>>>
> >>>>> What permissions were you expecting? Also, which version of dovecot
> >>>>> are you running?
> >>>>>
> >>>>> Aki
> >>>>>
> >>>
> >
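
As an added example (not from the thread and not Dovecot code), a small POSIX shell check for the symptom discussed above: it compares every mailbox directory directly under the mail root with the root's own mode and reports mismatches such as 2700 against 2770. It assumes GNU `stat -c`; the function names and the temporary demo tree are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread: flag mailbox directories whose mode
# differs from the mail root (root 2770 vs. a new mailbox at 2700).
# Assumes GNU coreutils `stat -c`; function names are hypothetical.

# Print one line per mismatching directory directly under $1.
# Returns 0 if all match, 1 if any differ, 2 if the root cannot be read.
audit_mail_modes() {
    root=${1%/}
    want=$(stat -c '%a' "$root") || return 2
    bad=0
    for dir in "$root"/*/; do
        dir=${dir%/}
        [ -d "$dir" ] || continue      # glob matched nothing
        [ -L "$dir" ] && continue      # a symlink has no mode of its own
        mode=$(stat -c '%a' "$dir")
        if [ "$mode" != "$want" ]; then
            printf '%s mode=%s expected=%s\n' "$dir" "$mode" "$want"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample tree mirroring the thread: root and one mailbox at
# 2770 (drwxrws---), one new mailbox at 2700 (drwx--S---).
build_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir "$d/olduser" "$d/newuser"
    chmod 2770 "$d" "$d/olduser"
    chmod 2700 "$d/newuser"
    printf '%s\n' "$d"
}

demo=$(build_demo_tree) || exit 1
audit_mail_modes "$demo" || echo "audit: mismatching mailbox directories found"
rm -rf "$demo"
```

Pointing `audit_mail_modes` at the real mail root (here `/var/spool/mail`) after creating a test user shows whether a configuration change had the intended effect.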


Re: Postfix/Dovecot permissions for new mailboxes

2018-05-15 Thread telsch
With these settings I don't get the expected result, still get wrong 
permissions on new mailboxes. Aki did you also try with %u ?


> In /etc/dovecot/conf.d/10-mail.conf follow options are set:
>mail_gid = mail
>mail_privileged_group = mail
>mail_access_groups = mail
>mail_location = mdbox:/var/spool/mail/%u

On 15.05.2018 13:06, Aki Tuomi wrote:

> I have to correct myself. I tested with sdbox now too, and it seems that
> using
>
> mail_location=sdbox:~/Mail
>
> produces the expected behaviour. mdbox uses same code as sdbox for this,
> so it should work fine.
>
> Aki
>
>
> On 15.05.2018 13:01, telsch wrote:
>> I use mdbox not maildir:
>>
>>  mail_location = mdbox:/var/spool/mail/%u
>>
>> On 15.05.2018 11:53, Aki Tuomi wrote:
>>> Do you have
>>>
>>> mail_location=maildir:~/mail
>>>
>>> or
>>>
>>> mail_location = maildir:/path/to/whatever/%u
>>>
>>> I tested with latest 2.2 that if I use /path/to, I get correct
>>> permissions.
>>>
>>> Aki
>>>
>>>
>>> On 15.05.2018 12:43, telsch wrote:
>>>> I would expect same permissions as for root mail directory 02770:
>>>>   drwxrws--- 5 newuser mail 4096 Apr 23 19:31 /var/spool/mail/newuser/
>>>>
>>>> Using Dovecot 2.2.34
>>>>
>>>> On 14.05.2018 08:37, Aki Tuomi wrote:
>>>>>
>>>>>
>>>>> On 09.05.2018 12:52, telsch wrote:
>>>>>> Hello,
>>>>>>
>>>>>> the wiki page describe that permission should copied from root mail
>>>>>> directory
>>>>>>    https://wiki2.dovecot.org/SharedMailboxes/Permissions
>>>>>>
>>>>>> The permissions for the root mail directory are set to 2770:
>>>>>>    drwxrws--- 36 root mail 4096 Apr 15 02:30 /var/spool/mail/
>>>>>>
>>>>>> But newly created mailboxes get following permissions:
>>>>>>    drwx--S--- 5 newuser mail 4096 Apr 23 19:31 /var/spool/mail/newuser/
>>>>>>
>>>>>> In /etc/dovecot/conf.d/10-mail.conf follow options are set:
>>>>>>    mail_gid = mail
>>>>>>    mail_privileged_group = mail
>>>>>>    mail_access_groups = mail
>>>>>>
>>>>>> I'm missing something to get right group permissions for new
>>>>>> mailboxes?
>>>>>
>>>>> What permissions were you expecting? Also, which version of dovecot
>>>>> are you running?
>>>>>
>>>>> Aki






Re: Postfix/Dovecot permissions for new mailboxes

2018-05-15 Thread Aki Tuomi
I have to correct myself. I tested with sdbox now too, and it seems that
using

mail_location=sdbox:~/Mail

produces the expected behaviour. mdbox uses same code as sdbox for this,
so it should work fine.

Aki


On 15.05.2018 13:01, telsch wrote:
> I use mdbox not maildir:
>
> mail_location = mdbox:/var/spool/mail/%u
>
> On 15.05.2018 11:53, Aki Tuomi wrote:
>> Do you have
>>
>> mail_location=maildir:~/mail
>>
>> or
>>
>> mail_location = maildir:/path/to/whatever/%u
>>
>> I tested with latest 2.2 that if I use /path/to, I get correct
>> permissions.
>>
>> Aki
>>
>>
>> On 15.05.2018 12:43, telsch wrote:
>>> I would expect same permissions as for root mail directory 02770:
>>>  drwxrws--- 5 newuser mail 4096 Apr 23 19:31
>>> /var/spool/mail/newuser/
>>>
>>> Using Dovecot 2.2.34
>>>
>>> On 14.05.2018 08:37, Aki Tuomi wrote:


>>>> On 09.05.2018 12:52, telsch wrote:
>>>>> Hello,
>>>>>
>>>>> the wiki page describe that permission should copied from root mail
>>>>> directory
>>>>>   https://wiki2.dovecot.org/SharedMailboxes/Permissions
>>>>>
>>>>> The permissions for the root mail directory are set to 2770:
>>>>>   drwxrws--- 36 root mail 4096 Apr 15 02:30 /var/spool/mail/
>>>>>
>>>>> But newly created mailboxes get following permissions:
>>>>>   drwx--S--- 5 newuser mail 4096 Apr 23 19:31 /var/spool/mail/newuser/
>>>>>
>>>>> In /etc/dovecot/conf.d/10-mail.conf follow options are set:
>>>>>   mail_gid = mail
>>>>>   mail_privileged_group = mail
>>>>>   mail_access_groups = mail
>>>>>
>>>>> I'm missing something to get right group permissions for new
>>>>> mailboxes?
>>>>
>>>> What permissions were you expecting? Also, which version of dovecot
>>>> are you running?
>>>>
>>>> Aki

>>



Re: Postfix/Dovecot permissions for new mailboxes

2018-05-15 Thread telsch

I use mdbox not maildir:

mail_location = mdbox:/var/spool/mail/%u

On 15.05.2018 11:53, Aki Tuomi wrote:

> Do you have
>
> mail_location=maildir:~/mail
>
> or
>
> mail_location = maildir:/path/to/whatever/%u
>
> I tested with latest 2.2 that if I use /path/to, I get correct permissions.
>
> Aki
>
>
> On 15.05.2018 12:43, telsch wrote:
>> I would expect same permissions as for root mail directory 02770:
>>  drwxrws--- 5 newuser mail 4096 Apr 23 19:31 /var/spool/mail/newuser/
>>
>> Using Dovecot 2.2.34
>>
>> On 14.05.2018 08:37, Aki Tuomi wrote:
>>>
>>>
>>> On 09.05.2018 12:52, telsch wrote:
>>>> Hello,
>>>>
>>>> the wiki page describe that permission should copied from root mail
>>>> directory
>>>>   https://wiki2.dovecot.org/SharedMailboxes/Permissions
>>>>
>>>> The permissions for the root mail directory are set to 2770:
>>>>   drwxrws--- 36 root mail 4096 Apr 15 02:30 /var/spool/mail/
>>>>
>>>> But newly created mailboxes get following permissions:
>>>>   drwx--S--- 5 newuser mail 4096 Apr 23 19:31 /var/spool/mail/newuser/
>>>>
>>>> In /etc/dovecot/conf.d/10-mail.conf follow options are set:
>>>>   mail_gid = mail
>>>>   mail_privileged_group = mail
>>>>   mail_access_groups = mail
>>>>
>>>> I'm missing something to get right group permissions for new mailboxes?
>>>
>>> What permissions were you expecting? Also, which version of dovecot are
>>> you running?
>>>
>>> Aki





Re: Postfix/Dovecot permissions for new mailboxes

2018-05-15 Thread Aki Tuomi
Do you have

mail_location=maildir:~/mail

or

mail_location = maildir:/path/to/whatever/%u

I tested with latest 2.2 that if I use /path/to, I get correct permissions.

Aki


On 15.05.2018 12:43, telsch wrote:
> I would expect same permissions as for root mail directory 02770:
> drwxrws--- 5 newuser mail 4096 Apr 23 19:31 /var/spool/mail/newuser/
>
> Using Dovecot 2.2.34
>
> On 14.05.2018 08:37, Aki Tuomi wrote:
>>
>>
>> On 09.05.2018 12:52, telsch wrote:
>>> Hello,
>>>
>>> the wiki page describe that permission should copied from root mail
>>> directory
>>>  https://wiki2.dovecot.org/SharedMailboxes/Permissions
>>>
>>> The permissions for the root mail directory are set to 2770:
>>>  drwxrws--- 36 root mail 4096 Apr 15 02:30 /var/spool/mail/
>>>
>>> But newly created mailboxes get following permissions:
>>>  drwx--S--- 5 newuser mail 4096 Apr 23 19:31
>>> /var/spool/mail/newuser/
>>>
>>> In /etc/dovecot/conf.d/10-mail.conf follow options are set:
>>>  mail_gid = mail
>>>  mail_privileged_group = mail
>>>  mail_access_groups = mail
>>>
>>> I'm missing something to get right group permissions for new mailboxes?
>>
>> What permissions were you expecting? Also, which version of dovecot are
>> you running?
>>
>> Aki
>>



Re: 2.3.1 with quota and lmtp; message may be sent more than once

2018-05-15 Thread Stephan Bosch



On 14-5-2018 at 23:43, Stephan Bosch wrote:
> On 14/05/2018 at 23:17, Stephan Bosch wrote:
>>
>> On 01/05/2018 at 10:12, Frank Ebert wrote:
>>> Hi,
>>>
>>> I have another problem with dovecot 2.3.1 on FreeBSD (smtpd is postfix
>>> 3.3.0). When one mail is sent with different recipients and the quota
>>> limit of one user is exceeded, the message will be delivered repeatedly
>>> to all users. The queue from postfix says:
>>>
>>> (lost connection with mailserver.foo.bar[private/lmtp-dovecot] while
>>> sending end of data -- message may be sent more than once)
>>>
>>> The problem started with dovecot 2.3.1. With 2.2.3x everything was
>>> fine.
>>>
>>> Any ideas?
>>
>> Hmm, I am wondering whether we already fixed this one implicitly. I
>> think we addressed some quota-related problems. Do you have the
>> opportunity to test this with git master(-2.3) ?
>
> Never mind, I can reproduce something here:
>
> lmtp(hugo)<953>: Fatal: master:
> service(lmtp): child 953 killed with signal 11 (core dumps disabled -
> https://dovecot.org/bugreport.html#coredumps)
>
> Working on it..

Fix scheduled for 2.3.2:

https://github.com/dovecot/core/commit/847790d5aab84df38256a6f9b4849af0eb408419

Regards,

Stephan.



Re: Postfix/Dovecot permissions for new mailboxes

2018-05-15 Thread telsch

I would expect same permissions as for root mail directory 02770:
drwxrws--- 5 newuser mail 4096 Apr 23 19:31 /var/spool/mail/newuser/

Using Dovecot 2.2.34

On 14.05.2018 08:37, Aki Tuomi wrote:



> On 09.05.2018 12:52, telsch wrote:
>> Hello,
>>
>> the wiki page describe that permission should copied from root mail
>> directory
>>  https://wiki2.dovecot.org/SharedMailboxes/Permissions
>>
>> The permissions for the root mail directory are set to 2770:
>>  drwxrws--- 36 root mail 4096 Apr 15 02:30 /var/spool/mail/
>>
>> But newly created mailboxes get following permissions:
>>  drwx--S--- 5 newuser mail 4096 Apr 23 19:31 /var/spool/mail/newuser/
>>
>> In /etc/dovecot/conf.d/10-mail.conf follow options are set:
>>  mail_gid = mail
>>  mail_privileged_group = mail
>>  mail_access_groups = mail
>>
>> I'm missing something to get right group permissions for new mailboxes?
>
> What permissions were you expecting? Also, which version of dovecot are
> you running?
>
> Aki



Re: Upgrading dovecot 2.2 to 2.3 without downtime when using proxy/director?

2018-05-15 Thread Timo Sirainen
On 15 May 2018, at 12.06, Timo Sirainen wrote:
> 
> If you look at .176's error log, do you see an error about 
> "director_consistent_hashing settings differ between directors"? Have you set 
> director_consistent_hashing=yes in the old directors? That is needed now, 
> because the old non-consistent-hashing method is obsoleted. Unfortunately 
> there's no easy way to upgrade directors to use the consistent hashing method 
> without stopping the entire ring. The hard way would be to build a secondary 
> director ring and start moving users to that ring in proxies.

Added https://wiki2.dovecot.org/PasswordDatabase/ExtraFields/Proxy#moving to 
explain further the hard way.



Re: Upgrading dovecot 2.2 to 2.3 without downtime when using proxy/director?

2018-05-15 Thread Timo Sirainen

> On 6 May 2018, at 8.46, Niels Kobschätzki wrote:
> 
> Hi,
> 
> I have a setup with several dovecot-servers (2.2.35) and I use dovecot
> proxy. I upgraded one server to 2.3.1 and got the configs fixed so far
> that it started again. But when I tried to add it into the proxying
> again with "doveadm director add" I see the following in the logfiles:
> 
> May  6 07:19:30 host dovecot: director: Warning: Director
> xxx.xxx.xxx.176:9090/out disconnected us with reason: Invalid input: OPTIONS
> May  6 07:19:30 $host dovecot: director: Connecting to
> xxx.xxx.xxx.171:9090 (as xxx.xxx.xxx.176): Reconnecting after error
> 
> xxx.xxx.xxx.176 is the upgraded host, xxx.xxx.xxx.171 is one of the
> other hosts (the applicable hosts are in the range xxx.xxx.xxx.171-176).
> 
> Do I have to remove all the hosts from the proxy, upgrade them and then
> add them again? Or is there a way to handle the upgrade without a
> downtime? After all one of the reasons I use several hosts is that I do
> not want to have a downtime.

If you look at .176's error log, do you see an error about 
"director_consistent_hashing settings differ between directors"? Have you set 
director_consistent_hashing=yes in the old directors? That is needed now, 
because the old non-consistent-hashing method is obsoleted. Unfortunately 
there's no easy way to upgrade directors to use the consistent hashing method 
without stopping the entire ring. The hard way would be to build a secondary 
director ring and start moving users to that ring in proxies.



Re: sieve trace directory: error

2018-05-15 Thread André
Thank you for your support, Stephan.

I will continue to send logs like that when relevant.

Kind regards,
André.

On 14 May 2018 22:11:30 BST, Stephan Bosch wrote:
>
>
>On 31/03/2018 at 10:50, André Rodier wrote:
>> On 31/03/18 09:29, Stephan Bosch wrote:
>>> On 3/31/2018 at 9:27 AM, André Rodier wrote:
>>>> Hello,
>>>>
>>>> I am using a custom directory for sieve logs and trace and it apparently
>>>> generate an error, in some corner case.
>>>>
>>>> - I have an IMAP global sieve script, that is run when appending emails
>>>> into the "Archives" folder.
>>>> - I have Thunderbird configured to archive emails by year
>>>>
>>>> When archiving an email, for instance in "Archives/2018", I often have
>>>> an error message like this:
>>>>
>>>> Mar 31 08:03:02 homebox dovecot[14078]: imap(andre): Error: sieve:
>>>> trace:
>>>> creat(/home/users/andre/mails/sieve/logs//andre.Archives/2018.3.20180331-080302.14235.5.trace)
>>>> failed: No such file or directory
>>>>
>>>> I have this configuration (amongst) for sieve logs:
>>>> sieve_user_log = ~/mails/sieve/logs/
>>>> sieve_trace_dir = ~/mails/sieve/logs/
>>>> sieve_trace_level = commands
>>>> sieve_trace_debug = yes
>>>> sieve_trace_addresses = yes
>>>>
>>>> Did I misconfigure something?
>>> This should fix the trace directory problem:
>>>
>>> https://github.com/stephanbosch/pigeonhole-core/commit/ee0d15407d231198519b4f87a0fc533b941765a2
>>> I still need to create some CI tests for this and it needs some internal
>>> review before it will be merged in Pigeonhole core.
>>>
>>> Also, I notice that your sieve_user_log setting points to a directory.
>>> That needs to be a file, otherwise it will not work.
>>>
>>> Regards,
>>>
>>> Stephan.
>>>
>> Thanks for your help and your advice, Stephan.
>>
>> I suppose it will take some time before being included into the Debian
>> main repository.
>>
>> I have amended the sieve_user_log setting.
>
>Currently scheduled for 2.3.3, which will take some time.
>
>Regards,
>
>Stephan.

-- 
André


Re: Letsencrypt certificate for repo.dovecot.org expired May 14th..

2018-05-15 Thread B. Reino

On Tue, 15 May 2018, Aki Tuomi wrote:


> On 15.05.2018 09:14, B. Reino wrote:
>> Dear all,
>>
>> Just in case you've missed it, the certificate for repo.dovecot.org
>> just expired yesterday.
>>
>> This causes errors in e.g. apt-get update.
>>
>> Thanks in advance for fixing it,
>>
>> --
>> B. Reino
>
> Seems something went wrong during deployment, thanks. It's fixed now.
>
> Aki



Yup, working fine now :)

Thanks!



Re: Letsencrypt certificate for repo.dovecot.org expired May 14th..

2018-05-15 Thread Aki Tuomi


On 15.05.2018 09:14, B. Reino wrote:
> Dear all,
>
> Just in case you've missed it, the certificate for repo.dovecot.org
> just expired yesterday.
>
> This causes errors in e.g. apt-get update.
>
> Thanks in advance for fixing it,
>
> -- 
> B. Reino

Seems something went wrong during deployment, thanks. It's fixed now.

Aki


Letsencrypt certificate for repo.dovecot.org expired May 14th..

2018-05-15 Thread B. Reino

Dear all,

Just in case you've missed it, the certificate for repo.dovecot.org just 
expired yesterday.


This causes errors in e.g. apt-get update.

Thanks in advance for fixing it,

--
B. Reino