Replication 'noreplicate' field usage

2018-10-16 Thread Phil
I've set up replication as per the wiki under 2.3.3 and in my SQL user 
query I am returning a 'noreplicate' field, this is a boolean and 
returns true for all users at the moment. However when I do "doveadm 
replicator status '*'" it lists all users in my database suggesting it 
is trying to sync all users regardless of the noreplicate field.


```
user_query = SELECT home, uid, gid, noreplicate FROM users WHERE address = '%u'
```

It seems that the noreplicate field is being ignored, am I using it 
correctly?


Re: Fatal: setgid, imap connections dropped.

2018-10-16 Thread J. de Meijer
I'm still trying to fix this problem. Hopefully someone can help.

I've upgraded dovecot to 2.3.3
# dovecot --version
2.3.3 (dcead646b)

That didn't help.

Next I switched 10-auth.conf to use a local password file (instead of LDAP)

===
# cache all authentication results for one hour
auth_cache_size = 10M
auth_cache_ttl = 1 hour
auth_cache_negative_ttl = 1 hour

# only use plain username/password auth - OK since everything is over TLS
auth_mechanisms = plain

passdb {
  driver = passwd-file
  args = scheme=ssha username_format=%n /usr/local/etc/dovecot/passwd
}

userdb {
  driver = passwd-file
  args = username_format=%n /usr/local/etc/dovecot/passwd
}
==

The /usr/local/etc/dovecot/passwd file is in the following format
userA:{SSHA}hash:1000:1000::/home/userA

Authentication works, and mail gets delivered. But I'm still getting the
same intermittent errors.

Sep 28 00:03:24 mailserver dovecot: imap(userD)<14864>:
Fatal: setgid(1012(userD) from userdb lookup) failed with
euid=1011(userA), gid=1011(userA), egid=1011(userA): Operation not
permitted (This binary should probably be called with process group set to
1012(userD) instead of 1011(userA))

Also tried disabling the cache in 10-auth.conf, to no avail.

I'm a bit at a loss :(

Regards,
J. de Meijer


> Hi,
>
> I'm getting errors with my IMAP setup.
> Basically, everything seems to work.
> Mail is delivered nicely from Postfix to Dovecot via LMTP. Dovecot does
> the authentication to LDAP (also for Postfix). Users are able to send mail
> via authenticated submission (Postfix) and login into IMAP and POP.
>
> However, IMAP connections are dropped frequently with an "ERROR:
> Connection dropped by IMAP server.". After pressing reload on the webmail,
> or refreshing in the client might help for a short period. So it fails
> intermittently.
>
> The errors in the maillog are below. It seems to be mixing up users kind
> of randomly. I think when multiple connections are made at the same time.
> Did a lot of searching, but couldn't find an answer to this problem. All I
> can find is related to LDA, which I'm not using.
>
> Any help would be appreciated.
>
> Errors from the log:
> Sep 28 00:03:24 mailserver dovecot: imap(userD)<14864>:
> Fatal: setgid(1012(userD) from userdb lookup) failed with
> euid=1011(userA), gid=1011(userA), egid=1011(userA): Operation not
> permitted (This binary should probably be called with process group set to
> 1012(userD) instead of 1011(userA))
> Sep 28 00:03:24 mailserver dovecot: imap(userD)<17009>:
> Fatal: setgid(1012(userD) from userdb lookup) failed with
> euid=1011(userA), gid=1011(userA), egid=1011(userA): Operation not
> permitted (This binary should probably be called with process group set to
> 1012(userD) instead of 1011(userA))
> Sep 28 00:03:26 mailserver dovecot: imap(userD)<12807><8T0iguF2NspUUoaT>:
> Fatal: setgid(1012(userD) from userdb lookup) failed with
> euid=1011(userA), gid=1011(userA), egid=1011(userA): Operation not
> permitted (This binary should probably be called with process group set to
> 1012(userD) instead of 1011(userA))
> Sep 28 00:06:59 mailserver dovecot: imap(userD)<15661>:
> Fatal: setgid(1012(userD) from userdb lookup) failed with
> euid=1011(userA), gid=1011(userA), egid=1011(userA): Operation not
> permitted (This binary should probably be called with process group set to
> 1012(userD) instead of 1011(userA))
> Sep 28 00:07:54 mailserver dovecot: imap(userA)<45614>:
> Fatal: setgid(1011(userA) from userdb lookup) failed with
> euid=1012(userD), gid=1012(userD), egid=1012(userD): Operation not
> permitted (This binary should probably be called with process group set to
> 1011(userA) instead of 1012(userD))
> Sep 28 00:08:08 mailserver dovecot: imap(userF)<45055>:
> Fatal: setgid(1033(userF) from userdb lookup) failed with
> euid=1012(userD), gid=1012(userD), egid=1012(userD): Operation not
> permitted (This binary should probably be called with process group set to
> 1033(userF) instead of 1012(userD))
> Sep 28 00:08:08 mailserver dovecot: imap(userF)<46412><87ntkuF2JvptSCYM>:
> Fatal: setgid(1033(userF) from userdb lookup) failed with
> euid=1011(userA), gid=1011(userA), egid=1011(userA): Operation not
> permitted (This binary should probably be called with process group set to
> 1033(userF) instead of 1011(userA))
> Sep 28 00:08:08 mailserver dovecot: imap(userF)<44858><0nXzkuF2KfptSCYM>:
> Fatal: setgid(1033(userF) from userdb lookup) failed with
> euid=1012(userD), gid=1012(userD), egid=1012(userD): Operation not
> permitted (This binary should probably be called with process group set to
> 1033(userF) instead of 1012(userD))
> Sep 28 00:08:14 mailserver dovecot: imap(userF)<36517>:
> Fatal: setgid(1033(userF) from userdb lookup) failed with
> euid=1017(userC), gid=1017(userC), egid=1017(userC): Operation not
> permitted (This binary should probably be called with process group set to
> 1033(userF) instead of 

Re: [sieve] Restrict redirects to own domain only

2018-10-16 Thread Ralph Seichter
On 16.10.2018 15:43, Yassine Chaouche wrote:

> I don't fully understand how could this prevent them from forwarding
> to any other domain by other means, for example by using a managesieve-
> able client

Well, your OP made no mention of your environment. ;-) You posted on the
Dovecot mailing list, so I suppose we know what your IMAP server is, but
you mentioned nothing beyond that.

I made the assumption that your users are allowed to use sieve, based on
the subject line, but you did not elaborate on how they use it. Simplest
form: Sieve files. If you generate the files, you can screen the content
and also keep them read-only for users.

If you have important restrictions/conditions, you need to mention them
to us.

-Ralph


Re: [sieve] Restrict redirects to own domain only

2018-10-16 Thread Yassine Chaouche
Thanks Ralph but I don't fully understand how could this prevent them 
from forwarding to any other domain by other means, for example by using 
a managesieve-able client


Yassine.


On 10/16/18 12:37, Ralph Seichter wrote:

> On 16.10.18 12:48, Yassine Chaouche wrote:
>
>> I'd like to let my colleagues redirect mail automatically (via a sieve
>> filter) to other mailboxes within the same domain, but deny redirects
>> to outside domains [...] Ideas ?
>
> Set up a simple internal web application or some other mechanism that
> allows your colleagues to enter the local address part for forwarding
> only. Use backend logic to generate a sieve script containing
>
>    redirect :copy "localp...@yourdomain.tld";
>
> or whatever suits your needs.
>
> -Ralph




Re: [sieve] Restrict redirects to own domain only

2018-10-16 Thread Ralph Seichter
On 16.10.18 12:48, Yassine Chaouche wrote:

> I'd like to let my colleagues redirect mail automatically (via a sieve
> filter) to other mailboxes within the same domain, but deny redirects
> to outside domains [...] Ideas ?

Set up a simple internal web application or some other mechanism that
allows your colleagues to enter the local address part for forwarding
only. Use backend logic to generate a sieve script containing

  redirect :copy "localp...@yourdomain.tld";

or whatever suits your needs.

-Ralph
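
The two suggestions made in this thread (generate the script from a user-supplied local part only, and screen the content of script files) sketched in Python. This is an added example, not code from any poster or from Dovecot/Pigeonhole; the function names are hypothetical and `yourdomain.tld` is the thread's placeholder domain.

```python
import re

ALLOWED_DOMAIN = "yourdomain.tld"  # placeholder domain from the thread

# Conservative local part: letters, digits and . _ + - only (no quotes, no "@").
LOCAL_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9._+-]{0,62}[A-Za-z0-9])?")
# What may follow "redirect": optional tags such as :copy, one quoted string, ";".
ARGS_RE = re.compile(r'(?:\s+:\w+)*\s*"([^"\\]*)"\s*;')


def is_internal(address, domain=ALLOWED_DOMAIN):
    """True only for a plain local@domain address inside the allowed domain."""
    local, sep, dom = address.rpartition("@")
    return (bool(sep) and dom.lower() == domain.lower() and ".." not in local
            and LOCAL_RE.fullmatch(local) is not None)


def generate_script(local_part, domain=ALLOWED_DOMAIN):
    """Backend step: the user supplies the local part, never the full address."""
    if not is_internal(f"{local_part}@{domain}", domain):
        raise ValueError(f"rejected local part: {local_part!r}")
    return f'require ["copy"];\nredirect :copy "{local_part}@{domain}";\n'


def find_violations(script, domain=ALLOWED_DOMAIN):
    """Screening step: list redirect targets that are not provably internal.

    This is a conservative text check, not a Sieve parser: any "redirect" that
    is not followed by a single plain quoted string is reported as well.
    """
    problems = []
    for kw in re.finditer(r"\bredirect\b", script, re.I):
        args = ARGS_RE.match(script, kw.end())
        if args is None:
            problems.append("<unparsed redirect>")
        elif not is_internal(args.group(1), domain):
            problems.append(args.group(1))
    return problems


# Constructed sample of a script that did not come from the generator.
SAMPLE_UPLOAD = '''require ["copy", "variables"];
redirect :copy "bob@yourdomain.tld";
redirect "someone@example.org";
redirect "${target}";
'''

if __name__ == "__main__":
    print(generate_script("alice"), end="")
    print(find_violations(SAMPLE_UPLOAD))
```

The screening function fails closed: variable-built addresses and anything it cannot parse are reported rather than assumed safe.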


[sieve] Restrict redirects to only own domain

2018-10-16 Thread Yassine Chaouche

Hello list,

I'd like to let my colleagues redirect mail automatically (via a sieve 
filter) to other mailboxes within the same domain, but deny redirects to 
outside mailboxes (gmail, yahoo etc.) since this is considered bad 
practice and could lead to blacklisting (forwarding spam for example).


If I set sieve_max_redirect to 0 then no redirect is allowed, at all. I 
wish to let redirects to internal mailboxes still possible.


Ideas ?

Yassine.



[sieve] Restrict redirects to own domain only

2018-10-16 Thread Yassine Chaouche

Hello list,

I'd like to let my colleagues redirect mail automatically (via a sieve
filter) to other mailboxes within the same domain, but deny redirects to
outside domains (gmail, yahoo etc.) since this could lead to blacklisting
(forwarding spam for example).

If I set sieve_max_redirect to 0 then no redirect is allowed, at all. I
wish to let redirects to internal mailboxes still possible. Ideas ?

Yassine.