Re: How to send mail to mailbox with disabled domain?

2018-09-17 Thread Kai Schaetzl
Thanks for all the replies. I didn't have time to reply earlier.
I went with my first proposed solution. Everything else is simply too much 
hassle. You would have to set this for every single exception/address/user 
and so on and you cannot be sure that it doesn't bite you some time later 
with a tiny problem you didn't imagine at that time. For instance with 
domain affiliation of users.

Yes, this is a Postfix problem. I just thought first it belongs more to 
Dovecot because it is Dovecot's lmtp that does the final mailbox delivery. 
I changed the SQL code a few times and tried to convince Postfix to 
deliver to virtual users without a domain, but it didn't work. As soon as 
I remove the domain or have an account name like user@whatever Postfix 
uses user@$myorigin (even completely removing the whatever stub) and this 
might have created a problem differentiating users (for instance for 
domain quota). It only delivers to mailboxes without a domain that are 
transport "local". And I wanted to keep that domain "local", anyway.

I set up a stub dummy zone of "mail.localdomain" in Unbound which works as 
a wildcard and set up a fitting domain for that client. This works just 
like a normal domain. I can now reuse this wildcard for any more I might 
need it for.

Kai




Re: Proxy secured incoming POP3/IMAP4 to unsecure backend?

2018-09-17 Thread Alexander Chekalin
Ok, got that!

After I removed ssl=no it seems to start working as expected. Will know
that 'by design' feature for Dovecot, THANK YOU!

On Mon, Sep 17, 2018 at 5:34 PM Aki Tuomi  wrote:

> auth process receives the protocol requested when performing
> authentication as variable %s (see https://wiki2.dovecot.org/Variables)
>
> You can use this to choose the value you return for port.
>
> Aki
>
> > On 17 September 2018 at 16:56 Alexander Chekalin <
> alexander.cheka...@gmail.com> wrote:
> >
> >
> > Seen that URL but port= is strange due to there is no protocol
> connection.
> > So if I set port=12345 then what proto will I see there? Misleading
> setting
> > this is why I mentioned (non-existing) per-proto port setting above.
> >
> > May I please ask for any example on how to pass port per proto? It is a
> bit
> > fuzzy for me to figure it out but I do believe you used to use it
> somehow.
> >
> > On Mon, Sep 17, 2018 at 4:42 PM Aki Tuomi  wrote:
> >
> > > The port is determined with port=nnn setting. You can't return
> > > per-protocol port like that, you need to look at the protocol
> requested by
> > > user and return port based on that, or you can omit port to default
> into
> > > "standard port".
> > >
> > > not using ssl/starttls is default.
> > >
> > > > On 17 September 2018 at 16:35 Alexander Chekalin <
> > > alexander.cheka...@gmail.com> wrote:
> > > >
> > > >
> > > > Thank you!
> > > >
> > > > Ok, so I can omit ssl=no and startssl=no, and this results in default
> > > > settings for ssl which is 'off'? Or the defaults are 'on' anyway?
> > > >
> > > > Can I somehow specify ports on remote hosts that proxy will use to
> > > connect
> > > > to? Like (just image): 'proxy host_imap=10.1.1.1:143 host_pop=
> > > 10.1.1.1:110'
> > > > or somehow?
> > > >
> > > >
> > > >
> > > >
> > > > On Mon, Sep 17, 2018 at 4:33 PM Aki Tuomi 
> wrote:
> > > >
> > > > > Due to certain design issues, the ssl=no is actually same as
> ssl=yes,
> > > same
> > > > > goes for starttls=no. So there is no support actually for "ssl=no"
> at
> > > this
> > > > > moment.
> > > > >
> > > > > Aki
> > > > >
> > > > > > On 17 September 2018 at 15:32 Alexander Chekalin <
> > > > > alexander.cheka...@gmail.com> wrote:
> > > > > >
> > > > > >
> > > > > > Surely.
> > > > > >
> > > > > > Here it is:
> > > > > >
> > > > > > # doveadm auth u...@domain.com
> > > > > > Password:
> > > > > > passdb: chekalin_...@ascon.ru auth succeeded
> > > > > > extra fields:
> > > > > >   user=u...@domain.com
> > > > > >   proxy
> > > > > >   host=10.10.14.131
> > > > > >   ssl=no
> > > > > >   startssl=no
> > > > > >   source_ip=10.10.14.2
> > > > > >   proxy
> > > > > >   proxy
> > > > > >   pass=password
> > > > > >
> > > > > > Two "proxy" are from two "proxy" and "proxy=yes" settings passed
> from
> > > > > > passdb.
> > > > > >
> > > > > > On Mon, Sep 17, 2018 at 3:03 PM Aki Tuomi 
> > > wrote:
> > > > > >
> > > > > > > Can you provide output of
> > > > > > >
> > > > > > > doveadm auth test some-user
> > > > > > > Aki
> > > > > > >
> > > > > > > On 17.09.2018 14:58, Alexander Chekalin wrote:
> > > > > > >
> > > > > > > Dear Aki,
> > > > > > >
> > > > > > > we keep our users in LDAP so I when I even return 'proxy
> > > > > host=backend_ip
> > > > > > > tls=no' it won't use non-TLS connection. The same is when I
> remove
> > > > > 'tls=no'
> > > > > > > part. May there be any extra things I need to pass when I use
> LDAP?
> > > > > > >
> > > > > > > On Mon, Sep 17, 2018 at 2:07 PM Aki Tuomi <
> aki.tu...@dovecot.fi>
> > > > > wrote:
> > > > > > >
> > > > > > >>
> > > > > > >>
> > > > > > >> On 17.09.2018 13:59, Alexander Chekalin wrote:
> > > > > > >> > Hi,
> > > > > > >> >
> > > > > > >> > I try to set up dovecot as a proxy server, to proxy
> requests to
> > > > > > >> > several dovecot-based backend servers. I wand external
> clients
> > > who
> > > > > > >> > connects to this proxy Dovecot to use TLS (this is easy to
> set
> > > up)
> > > > > > >> > while want to have unsecured (plain IMAP/POP) connections to
> > > > > backends.
> > > > > > >> >
> > > > > > >> > You see, links to backends are over LAN so no TLS needed,
> and
> > > these
> > > > > > >> > backends are poor old machines (with old Docecots like
> 2.0.6)
> > > this
> > > > > is
> > > > > > >> > why I don't want to use TLS to acces backends.
> > > > > > >> >
> > > > > > >> > But as I did the test setup I can see proxy Dovecot uses
> TLS to
> > > > > > >> > connect to backends. Is there any way I can specify this
> aspect
> > > of
> > > > > > >> > Dovecot proxy?
> > > > > > >> >
> > > > > > >> > Please advice!
> > > > > > >> >
> > > > > > >> > Yours,
> > > > > > >> >   Alexander
> > > > > > >>
> > > > > > >> Dovecot does not use TLS/SSL when connecting to a backend
> server
> > > by
> > > > > > >> default, you are probably specifying this in your proxy
> config or
> > > > > > >> password database.
> > > > > > >>
> > > > > > >> Aki
> > > > > > >>
> > > > > > >
> > > > > > >
> > > > >
> > >
>


Re: Proxy secured incoming POP3/IMAP4 to unsecure backend?

2018-09-17 Thread Aki Tuomi
auth process receives the protocol requested when performing authentication as 
variable %s (see https://wiki2.dovecot.org/Variables)

You can use this to choose the value you return for port.

Aki

> On 17 September 2018 at 16:56 Alexander Chekalin 
>  wrote:
> 
> 
> Seen that URL but port= is strange due to there is no protocol connection.
> So if I set port=12345 then what proto will I see there? Misleading setting
> this is why I mentioned (non-existing) per-proto port setting above.
> 
> May I please ask for any example on how to pass port per proto? It is a bit
> fuzzy for me to figure it out but I do believe you used to use it somehow.
> 
> On Mon, Sep 17, 2018 at 4:42 PM Aki Tuomi  wrote:
> 
> > The port is determined with port=nnn setting. You can't return
> > per-protocol port like that, you need to look at the protocol requested by
> > user and return port based on that, or you can omit port to default into
> > "standard port".
> >
> > not using ssl/starttls is default.
> >
> > > On 17 September 2018 at 16:35 Alexander Chekalin <
> > alexander.cheka...@gmail.com> wrote:
> > >
> > >
> > > Thank you!
> > >
> > > Ok, so I can omit ssl=no and startssl=no, and this results in default
> > > settings for ssl which is 'off'? Or the defaults are 'on' anyway?
> > >
> > > Can I somehow specify ports on remote hosts that proxy will use to
> > connect
> > > to? Like (just image): 'proxy host_imap=10.1.1.1:143 host_pop=
> > 10.1.1.1:110'
> > > or somehow?
> > >
> > >
> > >
> > >
> > > On Mon, Sep 17, 2018 at 4:33 PM Aki Tuomi  wrote:
> > >
> > > > Due to certain design issues, the ssl=no is actually same as ssl=yes,
> > same
> > > > goes for starttls=no. So there is no support actually for "ssl=no" at
> > this
> > > > moment.
> > > >
> > > > Aki
> > > >
> > > > > On 17 September 2018 at 15:32 Alexander Chekalin <
> > > > alexander.cheka...@gmail.com> wrote:
> > > > >
> > > > >
> > > > > Surely.
> > > > >
> > > > > Here it is:
> > > > >
> > > > > # doveadm auth u...@domain.com
> > > > > Password:
> > > > > passdb: chekalin_...@ascon.ru auth succeeded
> > > > > extra fields:
> > > > >   user=u...@domain.com
> > > > >   proxy
> > > > >   host=10.10.14.131
> > > > >   ssl=no
> > > > >   startssl=no
> > > > >   source_ip=10.10.14.2
> > > > >   proxy
> > > > >   proxy
> > > > >   pass=password
> > > > >
> > > > > Two "proxy" are from two "proxy" and "proxy=yes" settings passed from
> > > > > passdb.
> > > > >
> > > > > On Mon, Sep 17, 2018 at 3:03 PM Aki Tuomi 
> > wrote:
> > > > >
> > > > > > Can you provide output of
> > > > > >
> > > > > > doveadm auth test some-user
> > > > > > Aki
> > > > > >
> > > > > > On 17.09.2018 14:58, Alexander Chekalin wrote:
> > > > > >
> > > > > > Dear Aki,
> > > > > >
> > > > > > we keep our users in LDAP so I when I even return 'proxy
> > > > host=backend_ip
> > > > > > tls=no' it won't use non-TLS connection. The same is when I remove
> > > > 'tls=no'
> > > > > > part. May there be any extra things I need to pass when I use LDAP?
> > > > > >
> > > > > > On Mon, Sep 17, 2018 at 2:07 PM Aki Tuomi 
> > > > wrote:
> > > > > >
> > > > > >>
> > > > > >>
> > > > > >> On 17.09.2018 13:59, Alexander Chekalin wrote:
> > > > > >> > Hi,
> > > > > >> >
> > > > > >> > I try to set up dovecot as a proxy server, to proxy requests to
> > > > > >> > several dovecot-based backend servers. I wand external clients
> > who
> > > > > >> > connects to this proxy Dovecot to use TLS (this is easy to set
> > up)
> > > > > >> > while want to have unsecured (plain IMAP/POP) connections to
> > > > backends.
> > > > > >> >
> > > > > >> > You see, links to backends are over LAN so no TLS needed, and
> > these
> > > > > >> > backends are poor old machines (with old Docecots like 2.0.6)
> > this
> > > > is
> > > > > >> > why I don't want to use TLS to acces backends.
> > > > > >> >
> > > > > >> > But as I did the test setup I can see proxy Dovecot uses TLS to
> > > > > >> > connect to backends. Is there any way I can specify this aspect
> > of
> > > > > >> > Dovecot proxy?
> > > > > >> >
> > > > > >> > Please advice!
> > > > > >> >
> > > > > >> > Yours,
> > > > > >> >   Alexander
> > > > > >>
> > > > > >> Dovecot does not use TLS/SSL when connecting to a backend server
> > by
> > > > > >> default, you are probably specifying this in your proxy config or
> > > > > >> password database.
> > > > > >>
> > > > > >> Aki
> > > > > >>
> > > > > >
> > > > > >
> > > >
> >


Re: Proxy secured incoming POP3/IMAP4 to unsecure backend?

2018-09-17 Thread Alexander Chekalin
Seen that URL but port= is strange due to there is no protocol connection.
So if I set port=12345 then what proto will I see there? Misleading setting
this is why I mentioned (non-existing) per-proto port setting above.

May I please ask for any example on how to pass port per proto? It is a bit
fuzzy for me to figure it out but I do believe you used to use it somehow.

On Mon, Sep 17, 2018 at 4:42 PM Aki Tuomi  wrote:

> The port is determined with port=nnn setting. You can't return
> per-protocol port like that, you need to look at the protocol requested by
> user and return port based on that, or you can omit port to default into
> "standard port".
>
> not using ssl/starttls is default.
>
> > On 17 September 2018 at 16:35 Alexander Chekalin <
> alexander.cheka...@gmail.com> wrote:
> >
> >
> > Thank you!
> >
> > Ok, so I can omit ssl=no and startssl=no, and this results in default
> > settings for ssl which is 'off'? Or the defaults are 'on' anyway?
> >
> > Can I somehow specify ports on remote hosts that proxy will use to
> connect
> > to? Like (just image): 'proxy host_imap=10.1.1.1:143 host_pop=
> 10.1.1.1:110'
> > or somehow?
> >
> >
> >
> >
> > On Mon, Sep 17, 2018 at 4:33 PM Aki Tuomi  wrote:
> >
> > > Due to certain design issues, the ssl=no is actually same as ssl=yes,
> same
> > > goes for starttls=no. So there is no support actually for "ssl=no" at
> this
> > > moment.
> > >
> > > Aki
> > >
> > > > On 17 September 2018 at 15:32 Alexander Chekalin <
> > > alexander.cheka...@gmail.com> wrote:
> > > >
> > > >
> > > > Surely.
> > > >
> > > > Here it is:
> > > >
> > > > # doveadm auth u...@domain.com
> > > > Password:
> > > > passdb: chekalin_...@ascon.ru auth succeeded
> > > > extra fields:
> > > >   user=u...@domain.com
> > > >   proxy
> > > >   host=10.10.14.131
> > > >   ssl=no
> > > >   startssl=no
> > > >   source_ip=10.10.14.2
> > > >   proxy
> > > >   proxy
> > > >   pass=password
> > > >
> > > > Two "proxy" are from two "proxy" and "proxy=yes" settings passed from
> > > > passdb.
> > > >
> > > > On Mon, Sep 17, 2018 at 3:03 PM Aki Tuomi 
> wrote:
> > > >
> > > > > Can you provide output of
> > > > >
> > > > > doveadm auth test some-user
> > > > > Aki
> > > > >
> > > > > On 17.09.2018 14:58, Alexander Chekalin wrote:
> > > > >
> > > > > Dear Aki,
> > > > >
> > > > > we keep our users in LDAP so I when I even return 'proxy
> > > host=backend_ip
> > > > > tls=no' it won't use non-TLS connection. The same is when I remove
> > > 'tls=no'
> > > > > part. May there be any extra things I need to pass when I use LDAP?
> > > > >
> > > > > On Mon, Sep 17, 2018 at 2:07 PM Aki Tuomi 
> > > wrote:
> > > > >
> > > > >>
> > > > >>
> > > > >> On 17.09.2018 13:59, Alexander Chekalin wrote:
> > > > >> > Hi,
> > > > >> >
> > > > >> > I try to set up dovecot as a proxy server, to proxy requests to
> > > > >> > several dovecot-based backend servers. I wand external clients
> who
> > > > >> > connects to this proxy Dovecot to use TLS (this is easy to set
> up)
> > > > >> > while want to have unsecured (plain IMAP/POP) connections to
> > > backends.
> > > > >> >
> > > > >> > You see, links to backends are over LAN so no TLS needed, and
> these
> > > > >> > backends are poor old machines (with old Docecots like 2.0.6)
> this
> > > is
> > > > >> > why I don't want to use TLS to acces backends.
> > > > >> >
> > > > >> > But as I did the test setup I can see proxy Dovecot uses TLS to
> > > > >> > connect to backends. Is there any way I can specify this aspect
> of
> > > > >> > Dovecot proxy?
> > > > >> >
> > > > >> > Please advice!
> > > > >> >
> > > > >> > Yours,
> > > > >> >   Alexander
> > > > >>
> > > > >> Dovecot does not use TLS/SSL when connecting to a backend server
> by
> > > > >> default, you are probably specifying this in your proxy config or
> > > > >> password database.
> > > > >>
> > > > >> Aki
> > > > >>
> > > > >
> > > > >
> > >
>


Re: Proxy secured incoming POP3/IMAP4 to unsecure backend?

2018-09-17 Thread Aki Tuomi
https://wiki.dovecot.org/PasswordDatabase/ExtraFields/Proxy

For list of values you can use.

Aki

> On 17 September 2018 at 16:42 Aki Tuomi  wrote:
> 
> 
> The port is determined with port=nnn setting. You can't return per-protocol 
> port like that, you need to look at the protocol requested by user and return 
> port based on that, or you can omit port to default into "standard port".
> 
> not using ssl/starttls is default.
> 
> > On 17 September 2018 at 16:35 Alexander Chekalin 
> >  wrote:
> > 
> > 
> > Thank you!
> > 
> > Ok, so I can omit ssl=no and startssl=no, and this results in default
> > settings for ssl which is 'off'? Or the defaults are 'on' anyway?
> > 
> > Can I somehow specify ports on remote hosts that proxy will use to connect
> > to? Like (just image): 'proxy host_imap=10.1.1.1:143 host_pop=10.1.1.1:110'
> > or somehow?
> > 
> > 
> > 
> > 
> > On Mon, Sep 17, 2018 at 4:33 PM Aki Tuomi  wrote:
> > 
> > > Due to certain design issues, the ssl=no is actually same as ssl=yes, same
> > > goes for starttls=no. So there is no support actually for "ssl=no" at this
> > > moment.
> > >
> > > Aki
> > >
> > > > On 17 September 2018 at 15:32 Alexander Chekalin <
> > > alexander.cheka...@gmail.com> wrote:
> > > >
> > > >
> > > > Surely.
> > > >
> > > > Here it is:
> > > >
> > > > # doveadm auth u...@domain.com
> > > > Password:
> > > > passdb: chekalin_...@ascon.ru auth succeeded
> > > > extra fields:
> > > >   user=u...@domain.com
> > > >   proxy
> > > >   host=10.10.14.131
> > > >   ssl=no
> > > >   startssl=no
> > > >   source_ip=10.10.14.2
> > > >   proxy
> > > >   proxy
> > > >   pass=password
> > > >
> > > > Two "proxy" are from two "proxy" and "proxy=yes" settings passed from
> > > > passdb.
> > > >
> > > > On Mon, Sep 17, 2018 at 3:03 PM Aki Tuomi  wrote:
> > > >
> > > > > Can you provide output of
> > > > >
> > > > > doveadm auth test some-user
> > > > > Aki
> > > > >
> > > > > On 17.09.2018 14:58, Alexander Chekalin wrote:
> > > > >
> > > > > Dear Aki,
> > > > >
> > > > > we keep our users in LDAP so I when I even return 'proxy
> > > host=backend_ip
> > > > > tls=no' it won't use non-TLS connection. The same is when I remove
> > > 'tls=no'
> > > > > part. May there be any extra things I need to pass when I use LDAP?
> > > > >
> > > > > On Mon, Sep 17, 2018 at 2:07 PM Aki Tuomi 
> > > wrote:
> > > > >
> > > > >>
> > > > >>
> > > > >> On 17.09.2018 13:59, Alexander Chekalin wrote:
> > > > >> > Hi,
> > > > >> >
> > > > >> > I try to set up dovecot as a proxy server, to proxy requests to
> > > > >> > several dovecot-based backend servers. I wand external clients who
> > > > >> > connects to this proxy Dovecot to use TLS (this is easy to set up)
> > > > >> > while want to have unsecured (plain IMAP/POP) connections to
> > > backends.
> > > > >> >
> > > > >> > You see, links to backends are over LAN so no TLS needed, and these
> > > > >> > backends are poor old machines (with old Docecots like 2.0.6) this
> > > is
> > > > >> > why I don't want to use TLS to acces backends.
> > > > >> >
> > > > >> > But as I did the test setup I can see proxy Dovecot uses TLS to
> > > > >> > connect to backends. Is there any way I can specify this aspect of
> > > > >> > Dovecot proxy?
> > > > >> >
> > > > >> > Please advice!
> > > > >> >
> > > > >> > Yours,
> > > > >> >   Alexander
> > > > >>
> > > > >> Dovecot does not use TLS/SSL when connecting to a backend server by
> > > > >> default, you are probably specifying this in your proxy config or
> > > > >> password database.
> > > > >>
> > > > >> Aki
> > > > >>
> > > > >
> > > > >
> > >


Re: Proxy secured incoming POP3/IMAP4 to unsecure backend?

2018-09-17 Thread Aki Tuomi
The port is determined with port=nnn setting. You can't return per-protocol 
port like that, you need to look at the protocol requested by user and return 
port based on that, or you can omit port to default into "standard port".

not using ssl/starttls is default.

> On 17 September 2018 at 16:35 Alexander Chekalin 
>  wrote:
> 
> 
> Thank you!
> 
> Ok, so I can omit ssl=no and startssl=no, and this results in default
> settings for ssl which is 'off'? Or the defaults are 'on' anyway?
> 
> Can I somehow specify ports on remote hosts that proxy will use to connect
> to? Like (just imagine): 'proxy host_imap=10.1.1.1:143 host_pop=10.1.1.1:110'
> or somehow?
> 
> 
> 
> 
> On Mon, Sep 17, 2018 at 4:33 PM Aki Tuomi  wrote:
> 
> > Due to certain design issues, the ssl=no is actually same as ssl=yes, same
> > goes for starttls=no. So there is no support actually for "ssl=no" at this
> > moment.
> >
> > Aki
> >
> > > On 17 September 2018 at 15:32 Alexander Chekalin <
> > alexander.cheka...@gmail.com> wrote:
> > >
> > >
> > > Surely.
> > >
> > > Here it is:
> > >
> > > # doveadm auth u...@domain.com
> > > Password:
> > > passdb: chekalin_...@ascon.ru auth succeeded
> > > extra fields:
> > >   user=u...@domain.com
> > >   proxy
> > >   host=10.10.14.131
> > >   ssl=no
> > >   startssl=no
> > >   source_ip=10.10.14.2
> > >   proxy
> > >   proxy
> > >   pass=password
> > >
> > > Two "proxy" are from two "proxy" and "proxy=yes" settings passed from
> > > passdb.
> > >
> > > On Mon, Sep 17, 2018 at 3:03 PM Aki Tuomi  wrote:
> > >
> > > > Can you provide output of
> > > >
> > > > doveadm auth test some-user
> > > > Aki
> > > >
> > > > On 17.09.2018 14:58, Alexander Chekalin wrote:
> > > >
> > > > Dear Aki,
> > > >
> > > > we keep our users in LDAP so I when I even return 'proxy
> > host=backend_ip
> > > > tls=no' it won't use non-TLS connection. The same is when I remove
> > 'tls=no'
> > > > part. May there be any extra things I need to pass when I use LDAP?
> > > >
> > > > On Mon, Sep 17, 2018 at 2:07 PM Aki Tuomi 
> > wrote:
> > > >
> > > >>
> > > >>
> > > >> On 17.09.2018 13:59, Alexander Chekalin wrote:
> > > >> > Hi,
> > > >> >
> > > >> > I try to set up dovecot as a proxy server, to proxy requests to
> > > >> > several dovecot-based backend servers. I wand external clients who
> > > >> > connects to this proxy Dovecot to use TLS (this is easy to set up)
> > > >> > while want to have unsecured (plain IMAP/POP) connections to
> > backends.
> > > >> >
> > > >> > You see, links to backends are over LAN so no TLS needed, and these
> > > >> > backends are poor old machines (with old Docecots like 2.0.6) this
> > is
> > > >> > why I don't want to use TLS to acces backends.
> > > >> >
> > > >> > But as I did the test setup I can see proxy Dovecot uses TLS to
> > > >> > connect to backends. Is there any way I can specify this aspect of
> > > >> > Dovecot proxy?
> > > >> >
> > > >> > Please advice!
> > > >> >
> > > >> > Yours,
> > > >> >   Alexander
> > > >>
> > > >> Dovecot does not use TLS/SSL when connecting to a backend server by
> > > >> default, you are probably specifying this in your proxy config or
> > > >> password database.
> > > >>
> > > >> Aki
> > > >>
> > > >
> > > >
> >


Re: Proxy secured incoming POP3/IMAP4 to unsecure backend?

2018-09-17 Thread Alexander Chekalin
Thank you!

Ok, so I can omit ssl=no and startssl=no, and this results in default
settings for ssl which is 'off'? Or the defaults are 'on' anyway?

Can I somehow specify ports on remote hosts that proxy will use to connect
to? Like (just imagine): 'proxy host_imap=10.1.1.1:143 host_pop=10.1.1.1:110'
or somehow?




On Mon, Sep 17, 2018 at 4:33 PM Aki Tuomi  wrote:

> Due to certain design issues, the ssl=no is actually same as ssl=yes, same
> goes for starttls=no. So there is no support actually for "ssl=no" at this
> moment.
>
> Aki
>
> > On 17 September 2018 at 15:32 Alexander Chekalin <
> alexander.cheka...@gmail.com> wrote:
> >
> >
> > Surely.
> >
> > Here it is:
> >
> > # doveadm auth u...@domain.com
> > Password:
> > passdb: chekalin_...@ascon.ru auth succeeded
> > extra fields:
> >   user=u...@domain.com
> >   proxy
> >   host=10.10.14.131
> >   ssl=no
> >   startssl=no
> >   source_ip=10.10.14.2
> >   proxy
> >   proxy
> >   pass=password
> >
> > Two "proxy" are from two "proxy" and "proxy=yes" settings passed from
> > passdb.
> >
> > On Mon, Sep 17, 2018 at 3:03 PM Aki Tuomi  wrote:
> >
> > > Can you provide output of
> > >
> > > doveadm auth test some-user
> > > Aki
> > >
> > > On 17.09.2018 14:58, Alexander Chekalin wrote:
> > >
> > > Dear Aki,
> > >
> > > we keep our users in LDAP so I when I even return 'proxy
> host=backend_ip
> > > tls=no' it won't use non-TLS connection. The same is when I remove
> 'tls=no'
> > > part. May there be any extra things I need to pass when I use LDAP?
> > >
> > > On Mon, Sep 17, 2018 at 2:07 PM Aki Tuomi 
> wrote:
> > >
> > >>
> > >>
> > >> On 17.09.2018 13:59, Alexander Chekalin wrote:
> > >> > Hi,
> > >> >
> > >> > I try to set up dovecot as a proxy server, to proxy requests to
> > >> > several dovecot-based backend servers. I wand external clients who
> > >> > connects to this proxy Dovecot to use TLS (this is easy to set up)
> > >> > while want to have unsecured (plain IMAP/POP) connections to
> backends.
> > >> >
> > >> > You see, links to backends are over LAN so no TLS needed, and these
> > >> > backends are poor old machines (with old Docecots like 2.0.6) this
> is
> > >> > why I don't want to use TLS to acces backends.
> > >> >
> > >> > But as I did the test setup I can see proxy Dovecot uses TLS to
> > >> > connect to backends. Is there any way I can specify this aspect of
> > >> > Dovecot proxy?
> > >> >
> > >> > Please advice!
> > >> >
> > >> > Yours,
> > >> >   Alexander
> > >>
> > >> Dovecot does not use TLS/SSL when connecting to a backend server by
> > >> default, you are probably specifying this in your proxy config or
> > >> password database.
> > >>
> > >> Aki
> > >>
> > >
> > >
>


Re: Proxy secured incoming POP3/IMAP4 to unsecure backend?

2018-09-17 Thread Admin


> On Sep 17, 2018, at 6:59 AM, Alexander Chekalin 
>  wrote:
> 
> Hi,
> 
> I try to set up dovecot as a proxy server, to proxy requests to several 
> dovecot-based backend servers. I want external clients who connect to this 
> proxy Dovecot to use TLS (this is easy to set up) while want to have 
> unsecured (plain IMAP/POP) connections to backends.
> 
> You see, links to backends are over LAN so no TLS needed, and these backends 
> are poor old machines (with old Dovecots like 2.0.6) this is why I don't want 
> to use TLS to access backends.

A better security practice would be to also use TLS to the backend. You want a 
defense in depth rather than a "crunchy shell around a soft, chewy center."

Jim


Re: Proxy secured incoming POP3/IMAP4 to unsecure backend?

2018-09-17 Thread Aki Tuomi



On 17.09.2018 13:59, Alexander Chekalin wrote:
> Hi,
>
> I try to set up dovecot as a proxy server, to proxy requests to
> several dovecot-based backend servers. I want external clients who
> connect to this proxy Dovecot to use TLS (this is easy to set up)
> while want to have unsecured (plain IMAP/POP) connections to backends.
>
> You see, links to backends are over LAN so no TLS needed, and these
> backends are poor old machines (with old Dovecots like 2.0.6) this is
> why I don't want to use TLS to access backends.
>
> But as I did the test setup I can see proxy Dovecot uses TLS to
> connect to backends. Is there any way I can specify this aspect of
> Dovecot proxy?
>
> Please advise!
>
> Yours,
>   Alexander

Dovecot does not use TLS/SSL when connecting to a backend server by
default, you are probably specifying this in your proxy config or
password database.

Aki


Proxy secured incoming POP3/IMAP4 to unsecure backend?

2018-09-17 Thread Alexander Chekalin
Hi,

I try to set up dovecot as a proxy server, to proxy requests to several
dovecot-based backend servers. I want external clients who connect to this
proxy Dovecot to use TLS (this is easy to set up) while want to have
unsecured (plain IMAP/POP) connections to backends.

You see, links to backends are over LAN so no TLS needed, and these
backends are poor old machines (with old Dovecots like 2.0.6) this is why I
don't want to use TLS to access backends.

But as I did the test setup I can see proxy Dovecot uses TLS to connect to
backends. Is there any way I can specify this aspect of Dovecot proxy?

Please advise!

Yours,
  Alexander


Using both starttls and ssl in passdb on proxy results in timeouts

2018-09-17 Thread Filias Heidt
Hi List,

I have a dovecot which proxies to different backends depending on an entry in a 
mysql-database. The mysql-query sets ‚ssl‘ to ‚any-cert‘ and this works fine. 
But this causes me a problem: sieve-backends only support STARTTLS and if I set 
‚ssl‘ to ‚any-cert‘ (or yes), it will attempt a TLS-connection to the 
sieve-backends, which fails. 

My attempt was to alter the query to include %{real_lport} and return ‚ssl=no‘ 
and ‚starttls=any-cert‘ if the port matches the sieve-port. It works as 
expected in that it returns the correct values and proxies to the correct 
backend. 

However it seems that TLS is no longer working and I get timeouts from the 
backends.

Debug: client passdb out: OK 1 user=someu...@example.com proxy 
proxy_nopipelining=y host=backend1.example.com nodelay=y nologin 
starttls=no ssl=any-cert hostip=so.me.i.p pass=

results in:
Sep 17 11:08:47 imapproxy1 dovecot: imap-login: Error: 
proxy(someu...@example.com): Login for so.me.i.p:993 timed out in state=/none 
(after 30 secs, local=lo.cal.i.p:60524): user=, 
method=PLAIN, rip=re.mo.te.ip, lip=lo.cal.i.p, TLS, 
session=

My query looks like this:
password_query = SELECT host, NULL as password, 'y' as nopassword, 'y' as 
proxy, NULL as destuser, 'y' as proxy_nopipelining, 'y' as nodelay, 'y' as 
nologin, IF(%{real_lport}=4190, 'any-cert', 'no') as 'starttls', 
IF(%{real_lport}<>4190, 'any-cert', 'no') as 'ssl' from proxy_domain;

As soon as I remove the starttls-part and the passdb only returns ssl=any-cert 
(without starttls=no) it works flawlessly.

Is it possible that I am attacking the problem the wrong way? Or is it not 
possible to set both starttls and ssl to some values in passdb and 
enable/disable them as needed? 

Thanks for any input :)

Cheers,
Filias
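
An added example (not written by any poster in these threads, and not Dovecot code): a Python check that parses passdb output in the two shapes quoted in the proxy threads, the "extra fields:" listing and the "client passdb out" debug line, and flags the combinations the threads report as trouble: 'ssl=no' / 'starttls=no' still enabling TLS, both fields returned together, duplicated or misspelled fields, and a plaintext backend leg. The function names, the known-field set and the sample data are assumptions of this example.

```python
import re

# Passdb extra fields that appear in these threads; used as the "known" set
# for this check (an assumption of the example, not a complete list).
KNOWN_FIELDS = {
    "user", "pass", "proxy", "host", "hostip", "port", "destuser",
    "source_ip", "ssl", "starttls", "nologin", "nodelay", "nopassword",
    "proxy_nopipelining",
}
TLS_FIELDS = ("ssl", "starttls")


def parse_extra_fields(text):
    """Return (key, value) pairs from passdb output.

    Handles the indented "extra fields:" listing and a single
    "client passdb out: OK <id> k=v k ..." debug line. Values are assumed
    to contain no whitespace.
    """
    pairs = []
    for line in text.splitlines():
        m = re.search(r"passdb out:\s*OK\s+\d+\s+(.*)", line)
        if m:
            tokens = m.group(1).split()
        elif line.startswith((" ", "\t")) and line.strip():
            tokens = [line.strip()]
        else:
            continue  # prompts, "passdb:" and "extra fields:" header lines
        for tok in tokens:
            key, _, value = tok.partition("=")
            pairs.append((key, value))
    return pairs


def lint_proxy_fields(pairs):
    """Return a sorted list of findings for one passdb result."""
    seen = {}
    for key, value in pairs:
        seen.setdefault(key, []).append(value)

    findings = []
    for key, values in seen.items():
        if len(values) > 1:
            findings.append(f"duplicate field '{key}' returned {len(values)} times")
        if key not in KNOWN_FIELDS:
            findings.append(
                f"field '{key}' is not a proxy field this check knows; verify the spelling")

    # Per the replies in the thread (Dovecot as of 2018), the mere presence
    # of ssl/starttls turns it on, so a value of "no" is misleading.
    enabled = [k for k in TLS_FIELDS if k in seen]
    for key in enabled:
        if "no" in seen[key]:
            findings.append(
                f"'{key}=no' does not disable TLS to the backend; omit the field instead")
    if len(enabled) == 2:
        findings.append("both 'ssl' and 'starttls' returned; return only one per lookup")
    if "proxy" in seen and not enabled:
        findings.append("proxy connection to backend is plaintext (no ssl/starttls field)")
    return sorted(findings)


def audit(text):
    return lint_proxy_fields(parse_extra_fields(text))


# Constructed samples modelled on the outputs quoted in the threads.
DOVEADM_SAMPLE = """\
passdb: user@example.com auth succeeded
extra fields:
  user=user@example.com
  proxy
  host=192.0.2.131
  ssl=no
  startssl=no
  source_ip=192.0.2.2
  proxy
  proxy
  pass=redacted
"""
DEBUG_SAMPLE = "Debug: client passdb out: " + "\t".join([
    "OK", "1", "user=user@example.com", "proxy", "proxy_nopipelining=y",
    "host=backend1.example.com", "nodelay=y", "nologin", "starttls=no",
    "ssl=any-cert", "hostip=192.0.2.10", "pass=",
])
PLAINTEXT_SAMPLE = "extra fields:\n  user=user@example.com\n  proxy\n  host=192.0.2.131\n"

if __name__ == "__main__":
    for name, sample in (("doveadm", DOVEADM_SAMPLE),
                         ("debug line", DEBUG_SAMPLE),
                         ("no TLS fields", PLAINTEXT_SAMPLE)):
        print(name)
        for finding in audit(sample) or ["no findings"]:
            print("  -", finding)
```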

Re: Problem with envelope from in Pigeonhole after upgrade

2018-09-17 Thread David Dodd
The content in my INBOX looks like this...

From MAILER-DEAMON  Mon Sep 17 17:13:08 2018
hello
X-UID: 30392
Status:
X-Keywords:

Content-Length: 1

when using dovecot-pigeonhole 0.5

It looks like this...

From no...@nowhere.com  Mon Sep 17 17:13:08 2018
hello
X-UID: 30392
Status:
X-Keywords:

Content-Length: 1

when using dovecot-pigeonhole 0.4

--Dave


Re: Quotas not working with roundcube

2018-09-17 Thread Reio Remma

Ahh, there it is. I was reading "Enabling quota plugins".

Thanks,
Reio

On 17/09/2018 09:56, Aki Tuomi wrote:


You should read it more carefully.  See the 'Configuration' section.

Aki


On 17.09.2018 09:31, Reio Remma wrote:
I was wondering about that myself, but then I couldn't find any info 
on quota = in the wiki.


Please update:

https://wiki2.dovecot.org/Quota

:)

Thanks,
Reio

On 17/09/2018 08:57, Aki Tuomi wrote:

You did everything except actually enable quota... =)

Try adding this to your configuration

   quota = count:User quota
   quota_vsizes = yes

inside the plugin {} section.

Aki


On 16 September 2018 at 21:58 Mik J  wrote:


Hello,

I'm trying to have quotas working with roundcube.
When I'm logged into roundcube I see 0% quota which seems to correspond to 
disabled.

However I did everything that I could to enable quotas
https://wiki.dovecot.org/Quota

# doveconf -n
auth_mechanisms = cram-md5 login
auth_verbose = yes
debug_log_path = /tmp/dovecot.log
first_valid_uid = 1000
log_path = /var/log/dovecot.log
mail_gid = vmail
mail_location = maildir:/home/mail/%d/%n/Maildir
mail_plugins = notify replication quota
mail_uid = vmail
mbox_write_locks = fcntl
mmap_disable = yes
namespace inbox {
   inbox = yes
   location =
   mailbox Drafts {
     special_use = \Drafts
   }
   mailbox Junk {
     special_use = \Junk
   }
   mailbox Sent {
     special_use = \Sent
   }
   mailbox "Sent Messages" {
     special_use = \Sent
   }
   mailbox Trash {
     special_use = \Trash
   }
   prefix =
}
passdb {
   driver = bsdauth
}
passdb {
   args = /etc/dovecot/dovecot.passwd
   driver = passwd-file
}
plugin {
   quota_grace = 10%%
   quota_rule = *:storage=2G
   quota_rule2 = Trash:storage=+200M
   quota_rule3 = SPAM:ignore
   quota_status_nouser = DUNNO
   quota_status_overquota = 552 5.2.2 Mailbox is full
   quota_status_success = DUNNO
   quota_warning = storage=95%% quota-warning 95 %u
   quota_warning2 = storage=80%% quota-warning 80 %u
}
ssl_ca = /etc/ssl/certs/CA_Intermed_Lets_Encrypt.crt
ssl_cert = 


--
Best regards,
Reio Remma


MR Stuudio 25 years

*MR Stuudio OÜ*
Tondi 17b, 11316, Tallinn
Tel +372 650 4808
Mob +372 56 22 00 33
r...@mrstuudio.ee
www.mrstuudio.ee













Re: Quotas not working with roundcube

2018-09-17 Thread Aki Tuomi
You should read it more carefully.  See the 'Configuration' section.

Aki


On 17.09.2018 09:31, Reio Remma wrote:
> I was wondering about that myself, but then I couldn't find any info
> on quota = in the wiki.
>
> Please update:
>
> https://wiki2.dovecot.org/Quota
>
> :)
>
> Thanks,
> Reio
>
> On 17/09/2018 08:57, Aki Tuomi wrote:
>> You did everything except actually enable quota... =)
>>
>> Try adding this to your configuration
>>
>>   quota = count:User quota
>>   quota_vsizes = yes
>>
>> inside the plugin {} section.
>>
>> Aki
>>
>>> On 16 September 2018 at 21:58 Mik J  wrote:
>>>
>>>
>>> Hello,
>>>
>>> I'm trying to have quotas working with roundcube.
>>> When I'm logged into roundcube I see 0% quota which seems to correspond to 
>>> disabled.
>>>
>>> However I did everything that I could to enable quotas
>>> https://wiki.dovecot.org/Quota
>>>
>>> # doveconf -n 
>>> auth_mechanisms = cram-md5 login
>>> auth_verbose = yes
>>> debug_log_path = /tmp/dovecot.log
>>> first_valid_uid = 1000
>>> log_path = /var/log/dovecot.log
>>> mail_gid = vmail
>>> mail_location = maildir:/home/mail/%d/%n/Maildir
>>> mail_plugins = notify replication quota
>>> mail_uid = vmail
>>> mbox_write_locks = fcntl
>>> mmap_disable = yes
>>> namespace inbox {
>>>   inbox = yes
>>>   location =
>>>   mailbox Drafts {
>>>     special_use = \Drafts
>>>   }
>>>   mailbox Junk {
>>>     special_use = \Junk
>>>   }
>>>   mailbox Sent {
>>>     special_use = \Sent
>>>   }
>>>   mailbox "Sent Messages" {
>>>     special_use = \Sent
>>>   }
>>>   mailbox Trash {
>>>     special_use = \Trash
>>>   }
>>>   prefix =
>>> }
>>> passdb {
>>>   driver = bsdauth
>>> }
>>> passdb {
>>>   args = /etc/dovecot/dovecot.passwd
>>>   driver = passwd-file
>>> }
>>> plugin {
>>>   quota_grace = 10%%
>>>   quota_rule = *:storage=2G
>>>   quota_rule2 = Trash:storage=+200M
>>>   quota_rule3 = SPAM:ignore
>>>   quota_status_nouser = DUNNO
>>>   quota_status_overquota = 552 5.2.2 Mailbox is full
>>>   quota_status_success = DUNNO
>>>   quota_warning = storage=95%% quota-warning 95 %u
>>>   quota_warning2 = storage=80%% quota-warning 80 %u
>>> }
>>> ssl_ca = /etc/ssl/certs/CA_Intermed_Lets_Encrypt.crt
>>> ssl_cert =
>>> ssl_key =  # hidden, use -P to show it
>>> ssl_key_password =  # hidden, use -P to show it
>>> userdb {
>>>   driver = passwd
>>> }
>>> userdb {
>>>   driver = static
>>> }
>>> protocol lda {
>>>   mail_plugins = notify replication quota
>>> }
>>> protocol imap {
>>>   mail_plugins = notify replication quota imap_quota
>>> }
>>>
>>>
>>>
>>>
>
>
> -- 
> Regards
> Reio Remma
>
>
> MR Stuudio 25 years
>
> *MR Stuudio OÜ*
> Tondi 17b, 11316, Tallinn
> Tel +372 650 4808
> Mob +372 56 22 00 33
> r...@mrstuudio.ee
> www.mrstuudio.ee
>
>
>



Re: Problem with envelope from in Pigeonhole after upgrade

2018-09-17 Thread Aki Tuomi
Can you also provide the resulting email?

Aki


On 17.09.2018 09:17, David Dodd wrote:
> I was able to make it happen from the command line on the host that would 
> normally receive inbound mail for me:
>
> echo Hello | dovecot-lda -d dave -f f...@nowhere.com
>
> The output then appears as an email in my inbox.
>
> --Dave



Re: Quotas not working with roundcube

2018-09-17 Thread Reio Remma
I was wondering about that myself, but then I couldn't find any info on 
quota = in the wiki.


Please update:

https://wiki2.dovecot.org/Quota

:)

Thanks,
Reio

On 17/09/2018 08:57, Aki Tuomi wrote:

You did everything except actually enable quota... =)

Try adding this to your configuration

   quota = count:User quota
   quota_vsizes = yes

inside the plugin {} section.

Aki


On 16 September 2018 at 21:58 Mik J  wrote:


Hello,

I'm trying to have quotas working with roundcube.
When I'm logged into roundcube I see 0% quota which seems to correspond to 
disabled.

However I did everything that I could to enable quotas
https://wiki.dovecot.org/Quota

# doveconf -n
auth_mechanisms = cram-md5 login
auth_verbose = yes
debug_log_path = /tmp/dovecot.log
first_valid_uid = 1000
log_path = /var/log/dovecot.log
mail_gid = vmail
mail_location = maildir:/home/mail/%d/%n/Maildir
mail_plugins = notify replication quota
mail_uid = vmail
mbox_write_locks = fcntl
mmap_disable = yes
namespace inbox {
   inbox = yes
   location =
   mailbox Drafts {
     special_use = \Drafts
   }
   mailbox Junk {
     special_use = \Junk
   }
   mailbox Sent {
     special_use = \Sent
   }
   mailbox "Sent Messages" {
     special_use = \Sent
   }
   mailbox Trash {
     special_use = \Trash
   }
   prefix =
}
passdb {
   driver = bsdauth
}
passdb {
   args = /etc/dovecot/dovecot.passwd
   driver = passwd-file
}
plugin {
   quota_grace = 10%%
   quota_rule = *:storage=2G
   quota_rule2 = Trash:storage=+200M
   quota_rule3 = SPAM:ignore
   quota_status_nouser = DUNNO
   quota_status_overquota = 552 5.2.2 Mailbox is full
   quota_status_success = DUNNO
   quota_warning = storage=95%% quota-warning 95 %u
   quota_warning2 = storage=80%% quota-warning 80 %u
}
ssl_ca = /etc/ssl/certs/CA_Intermed_Lets_Encrypt.crt
ssl_cert = 


--
Regards
Reio Remma


MR Stuudio 25 years

*MR Stuudio OÜ*
Tondi 17b, 11316, Tallinn
Tel +372 650 4808
Mob +372 56 22 00 33
r...@mrstuudio.ee
www.mrstuudio.ee





Re: Quotas not working with roundcube

2018-09-17 Thread Mik J
Hello Aki,
Thank you very much, indeed that was the missing part.

I've also enabled
mailbox_list_index = yes
protocol !indexer-worker {
  mail_vsize_bg_after_count = 100
}

As described in the documentation
https://wiki.dovecot.org/Quota/Count
Regards


 
On Monday, 17 September 2018 at 07:57:58 UTC+2, Aki Tuomi wrote:





You did everything except actually enable quota... =)

Try adding this to your configuration

  quota = count:User quota
  quota_vsizes = yes

inside the plugin {} section.

Aki

> On 16 September 2018 at 21:58 Mik J  wrote:
> 
> 
> Hello,
> 
> I'm trying to have quotas working with roundcube.
> When I'm logged into roundcube I see 0% quota which seems to correspond to 
> disabled.
> 
> However I did everything that I could to enable quotas
> https://wiki.dovecot.org/Quota
> 
> # doveconf -n 
> auth_mechanisms = cram-md5 login
> auth_verbose = yes
> debug_log_path = /tmp/dovecot.log
> first_valid_uid = 1000
> log_path = /var/log/dovecot.log
> mail_gid = vmail
> mail_location = maildir:/home/mail/%d/%n/Maildir
> mail_plugins = notify replication quota
> mail_uid = vmail
> mbox_write_locks = fcntl
> mmap_disable = yes
> namespace inbox {
>   inbox = yes
>   location =
>   mailbox Drafts {
>     special_use = \Drafts
>   }
>   mailbox Junk {
>     special_use = \Junk
>   }
>   mailbox Sent {
>     special_use = \Sent
>   }
>   mailbox "Sent Messages" {
>     special_use = \Sent
>   }
>   mailbox Trash {
>     special_use = \Trash
>   }
>   prefix =
> }
> passdb {
>   driver = bsdauth
> }
> passdb {
>   args = /etc/dovecot/dovecot.passwd
>   driver = passwd-file
> }
> plugin {
>   quota_grace = 10%%
>   quota_rule = *:storage=2G
>   quota_rule2 = Trash:storage=+200M
>   quota_rule3 = SPAM:ignore
>   quota_status_nouser = DUNNO
>   quota_status_overquota = 552 5.2.2 Mailbox is full
>   quota_status_success = DUNNO
>   quota_warning = storage=95%% quota-warning 95 %u
>   quota_warning2 = storage=80%% quota-warning 80 %u
> }
> ssl_ca = /etc/ssl/certs/CA_Intermed_Lets_Encrypt.crt
> ssl_cert =
> ssl_key =  # hidden, use -P to show it
> ssl_key_password =  # hidden, use -P to show it
> userdb {
>   driver = passwd
> }
> userdb {
>   driver = static
> }
> protocol lda {
>   mail_plugins = notify replication quota
> }
> protocol imap {
>   mail_plugins = notify replication quota imap_quota
> }
> 
> 
> 
>
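
An added example, not part of the original messages and not Dovecot code: a Python check over `doveconf -n` output for the condition diagnosed in this thread, where the quota plugin is loaded in mail_plugins and quota rules exist, but no quota root is defined inside plugin {}. The sample configurations are constructed from the output posted above, the function names are hypothetical, and the two extra checks mirror the settings the replies paired with the count driver.

```python
import re

# Constructed sample: trimmed from the `doveconf -n` output posted in the thread.
SAMPLE_BEFORE = """\
mail_plugins = notify replication quota
plugin {
  quota_rule = *:storage=2G
}
protocol imap {
  mail_plugins = notify replication quota imap_quota
}
"""
# The same sample with the settings from the replies added (also constructed).
SAMPLE_AFTER = SAMPLE_BEFORE.replace(
    "plugin {\n", "plugin {\n  quota = count:User quota\n  quota_vsizes = yes\n"
) + "mailbox_list_index = yes\n"


def parse_doveconf(text):
    """Flatten `doveconf -n` output into {"section/key": value}."""
    settings, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())  # enter a block such as "plugin"
        elif line == "}" and stack:
            stack.pop()                      # leave the current block
        elif "=" in line:
            key, _, value = line.partition("=")
            settings["/".join(stack + [key.strip()])] = value.strip()
    return settings


def quota_findings(text):
    """Return the reasons quota is loaded but would not be enforced."""
    conf = parse_doveconf(text)
    findings = []
    loaded = any(k.split("/")[-1] == "mail_plugins" and "quota" in v.split()
                 for k, v in conf.items())
    # A quota root is plugin/quota (or quota2, ...); quota_rule* alone is not one.
    roots = {k: v for k, v in conf.items() if re.fullmatch(r"plugin/quota\d*", k)}
    if loaded and not roots:
        findings.append("quota plugin loaded but no quota root (plugin/quota) defined")
    if any(v.startswith("count:") for v in roots.values()):
        for key in ("plugin/quota_vsizes", "mailbox_list_index"):
            if conf.get(key) != "yes":
                findings.append(f"count driver used without {key} = yes")
    return findings
```

On a live server the input would be the text printed by `doveconf -n`; an empty result means a quota root exists for the limits in quota_rule to apply to.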



Re: Problem with envelope from in Pigeonhole after upgrade

2018-09-17 Thread David Dodd
I was able to make it happen from the command line on the host that would 
normally receive inbound mail for me:

echo Hello | dovecot-lda -d dave -f f...@nowhere.com

The output then appears as an email in my inbox.

--Dave