Re: Overriding pop delete?

2018-12-14 Thread Robert L Mathews
On 12/14/18 3:34 PM, @lbutlr wrote:

> Now that I think about it, even better would be a way to move the messages 
> into an archive box when they are downloaded, this way they will be entirely 
> invisible from the POP3 access, and I can use normal expiry functions to 
> clean out that archive after backup.

We do exactly this using the "Lazy Expunge" plugin:

 https://wiki.dovecot.org/Plugins/Lazyexpunge

Despite the IMAP-sounding "expunge" in the name, it works for all
deletions, including POP3.

-- 
Robert L Mathews, Tiger Technologies, http://www.tigertech.net/


Re: Overriding pop delete?

2018-12-14 Thread @lbutlr
On 14 Dec 2018, at 16:30, @lbutlr  wrote:
> Is it possible to override the POP3 delete on download command and make sure 
> that messages stay on the server for at least X hours or X days?
> 
> It is important that the messages be around long enough to hit a snapshot 
> cycle (using rsnapshot to back up every hour).

Now that I think about it, even better would be a way to move the messages into 
an archive box when they are downloaded, this way they will be entirely 
invisible from the POP3 access, and I can use normal expiry functions to clean 
out that archive after backup.

-- 
I laugh in the face of danger. Then I hide until it goes away.



Overriding pop delete?

2018-12-14 Thread @lbutlr
Is it possible to override the POP3 delete on download command and make sure 
that messages stay on the server for at least X hours or X days?

It is important that the messages be around long enough to hit a snapshot cycle 
(using rsnapshot to back up every hour).

-- 
Greedo didn't shoot first, motherfucker!



Re: Upgrade to 2.3.1 has failed

2018-12-14 Thread Alexander Dalloz

On 14.12.2018 at 19:58, C. Andrews Lavarre wrote:

> Thanks for the input. I've checked out your suggestions (details below)
> but unfortunately no joy.
> I also restored my backup 10-ssl.conf. It indeed has the "<" sign with
> a space before the explicit paths to the files:
>      ssl_cert = 

Hi,

the syntax you see in the documentation is mandatory. Your issue is 
really a permissions problem.


Check your AppArmor setup. The path you use for storing the chained 
certificate and the private key is certainly not known to AppArmor. See 
your /var/log/audit/audit.log for indications.


https://doc.opensuse.org/documentation/leap/security/html/book.security/cha.apparmor.managing.html

may help.

Btw. permissions setting to 0777, especially for the cert and key, is 
awful, even for debugging issues.


Alexander
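
The audit-log check suggested in the message above, as an added example that is not part of the original post: it filters AppArmor denial records down to the files refused to a Dovecot profile. The function names, the sample records and the example.org paths are constructed for illustration, and matching on a profile name containing "dovecot" is an assumption.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): list files AppArmor refused to Dovecot.
# Reads audit records on stdin and prints one line per unique denial:
#   profile <TAB> denied_mask <TAB> path

apparmor_dovecot_denials() {
    awk '
        # Return the value of key="value" in the current record, or "".
        function field(key,    pat, s) {
            pat = " " key "=\"[^\"]*\""
            if (!match($0, pat)) return ""
            s = substr($0, RSTART, RLENGTH)
            sub(/^[^"]*"/, "", s)   # drop everything up to the opening quote
            sub(/"$/, "", s)        # drop the closing quote
            return s
        }
        /apparmor="DENIED"/ {
            profile = field("profile")
            # Assumption: the confining profile name contains "dovecot".
            if (profile !~ /dovecot/) next
            print profile "\t" field("denied_mask") "\t" field("name")
        }
    ' | sort -u
}

# Constructed sample records in the usual AppArmor audit format.
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1544804662.101:811): apparmor="DENIED" operation="open" profile="/usr/sbin/dovecot" name="/etc/certbot/live/example.org/fullchain.pem" pid=14059 comm="dovecot" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1544804662.102:812): apparmor="DENIED" operation="open" profile="/usr/sbin/dovecot" name="/etc/certbot/live/example.org/privkey.pem" pid=14059 comm="dovecot" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1544804701.440:820): apparmor="DENIED" operation="open" profile="/usr/sbin/dovecot" name="/etc/certbot/live/example.org/fullchain.pem" pid=14102 comm="dovecot" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1544804710.007:825): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/etc/ntp.conf.bak" pid=990 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1544804710.007:825): arch=c000003e syscall=2 success=no exit=-13 pid=990 comm="ntpd"
EOF
}

# On a real host: apparmor_dovecot_denials < /var/log/audit/audit.log
sample_audit_log | apparmor_dovecot_denials
```

Each path reported with mask `r` is a file the profile does not allow the process to read, which is the condition the reply points to for the certificate and key files.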



Re: Upgrade to 2.3.1 has failed

2018-12-14 Thread C. Andrews Lavarre
Aki hello, thank you. Hopefully excerpts and top posting are acceptable
in the mailing list? 
On that assumption:
Thanks for the input. I've checked out your suggestions (details below)
but unfortunately no joy.
I also restored my backup 10-ssl.conf. It indeed has the "<" sign with
a space before the explicit paths to the files:
    ssl_cert = https://wiki2.dovecot.org/Upgrading/2.3
    https://github.com/dovecot/core/blob/master/doc/example-config/conf.d/10-ssl.conf
• Changed ssl_protocols to ssl_min_protocol = TLSv1
• Added ssl_dh =  # PEM encoded X.509 SSL/TLS certificate and private key. They're
> opened before
> # dropping root privileges, so keep the key file unreadable by anyone
> but
> # root
However if I remove the < then dovecot starts up correctly.
    I delete them one at a time, test, and it shows that file read, but then
fails on the next. So carry on. After the ssl_cert and ssl_key  < are
removed dovecot runs (ssl_dh still has <):
    Dec 14 10:49:31 lavarre systemd[1]: Started Dovecot IMAP/POP3 email server.
    Dec 14 10:49:31 lavarre dovecot[14059]: master: Dovecot v2.3.1 (8e2f634) starting up for imap, pop3, lmtp
But then logging in imap fails:
open(old-stats-user) failed: Permission denied
The documentation for 2.3 says to remove stats from mail-plugin 
settings, but I do not find that in either dovecot.conf or 10-mail.conf.
The mail system is working correctly. Mail is received and stored in 
/home/alavarre/Maildir/new
I'm sure it's something simple, since it worked before the version upgrade. So 
maybe the answer is just go back to the older version... :-(

Thanks again.
Andy


Here are the results of addressing your suggestions, thank you again:
>You should set ssl_prefer_server_ciphers = yes
Done. No change in status however...

>>4. We do NOT include the less than (<) symbol before the paths
because then dovecot fails to load complaining it cannot find the
files.
> Yes, this is probably indication that you are missing the files 
    The files are not missing or corrupted. cat shows apparently
properly hashed certificates and keys.

>or are chrooting dovecot in unsupported way. Not including the <
symbol will not help with this.
M:
      https://wiki.archlinux.org/index.php/Chroot
    I did not intentionally or explicitly chroot dovecot. However, it
is possible that yast2 may have done this to perform the upgrade from
Leap 42.3 to 15.0 and didn't undo it?
    However, this does not seem to have happened:
          https://stackoverflow.com/questions/75182/detecting-a-chroot-jail-from-within
   stat indicates that root is indeed the normal root:
     stat -c %i /
   returns 2. (But thanks for the education! :-) I now know about chroot...)

>You should use
>   ssl_cert =ssl_key 
> = ssl_dh =, 
rip=107.107.60.219, lip=70.186.159.22, session=
Dec 14 11:24:22 lavarre dovecot[14062]: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate: There is no valid PEM certificate.: user=<>, rip=107.107.60.219, lip=70.186.159.22, session=
I'm inclined to think that the "less than" symbol is the problem. The
documentation says 
the  > 
> > On 14 December 2018 at 02:12 "C. Andrews Lavarre" 
> > om> wrote:
> > 
> > 
> > Problem:
> > We had Dovecot v2.2 working just fine under openSUSE Leap 42.3. But we
> > upgraded openSUSE to Leap 15.0.
> > In the process, Dovecot got upgraded from 2.2 to 2.3.1. It no longer
> > works and I haven't figured out how to downgrade to the older working
> > version.
> > 
> > The key issue seems to be the change to requiring dh.pem and changing
> > ssl_protocols to ssl_min_protocols. I think I've navigated both
> > correctly, but it still doesn't work.
> > The error is
> >  auth: Error: stats: open(old-stats-user) failed: Permission denied
> > 
> > as a consequence of which we get
> > imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate: There is no valid PEM certificate.
> > 
> > We have followed the instructions at https://wiki.dovecot.org/SSL/DovecotConfiguration
> > 1. We have created /etc/dovecot/dh.pem (yes it took five hours) 
> > 
> > 2. We have edited 10-ssl.conf as directed by the Wiki:
> > ssl = yes
> > ssl_cert = /etc/certbot/live/privustech.com/fullchain.pem
> > ssl_key = /etc/certbot/live/privustech.com/privkey.pem
> > ssl_dh = /etc/dovecot/dh.pem   #(yes, it took five hours to create...)
> 
> 
> Hi! You should use
> 
> ssl_cert = ssl_key = ssl_dh = 
> > 
> > ssl_min_protocol = TLSv1
> > ssl_cipher_list =
> > 

Re: I never touched nuthin'

2018-12-14 Thread RW via dovecot
On Sat, 1 Dec 2018 16:35:19 +0200 (EET)
Aki Tuomi wrote:

> > On 01 December 2018 at 12:09 mick crane  wrote:

> >  getmail is not sending the delete request.
> > Mails are sent and received but not deleted gmail so I keep getting 
> > them.
> > 
> > mick@rapunzel:~/.getmail$ getmail --rcfile getmailrc1
> > Delivery error (command deliver 1363 wrote to stderr:
> > lda(mick,)Error: net_connect_unix(/var/run/dovecot//stats-writer)
> > failed: Permission denied)
> > 
> > I think is apt install dovecot on debian buster probably
> > I updated yesterday but was working OK since so I dunno what
> > happened. is log full or something ?
> 
> you can fix this with 
> 
> service stats {
>  unix_listener stats-writer {
>   mode = 077
>  }
> }


But why is this needed? Something has changed. It used to work
without the socket being owned by the user running 'deliver'.

I just ran into this on FreeBSD after a package update, so it's not
just Debian.




RE: Downloading e-mail from a master mail server

2018-12-14 Thread Marc Roos
 


 >I am trying to migrate a small company from Microsoft Exchange / Outlook 
 >to Thunderbird. I am evaluating e-mail server software.

Why not stay with Exchange? I have been testing a redundant setup with 
2016 for a while and it is doable. If you are not using public folders, 
you have lots of clients that interact quite well with it. E.g. macOS 
Mail syncs tasks and notes with the native applications Reminders and 
Notes.

 >We have an Internet provider that we do not really want to rely upon. We 
 >also do not have the resources to maintain a mail server visible from 
 >the outside, especially regarding security updates.

Get one you do rely upon. I can't imagine you doing a better job in 
most cases if you do not know dovecot, do not read the manuals here, do 
not have a test environment. Because you do not have the 'resources'.

 >Each employee has an e-mail account on our current Internet provider, 
 >and one e-mail account on our internal Exchange Server. Our Exchange 
 >server periodically downloads all e-mails from the Internet provider 
 >mailboxes to its local mailboxes. Therefore, employees cannot access 
 >their e-mails when travelling.

Yes the pop connector in exchange 2003. We have one running still in a 
firewalled environment and limited l2tp vpn access. Maybe you can switch 
this to some spla(?) licensing program of ms, so you pay per account?

 >We have worked this way for years without problems. There are other 
 >ways, like VPN access etc, but we do not have the resources to install 
 >or maintain more IT stuff.

Your provider should be able to facilitate you with a vpn gateway, to an 
'offline' exchange server, that is not really a big deal. 

 >So I would like to keep this setup, with one important difference: 
 >e-mails on the Internet provider mailboxes should remain there for a 
 >couple of weeks. This is similar to Thunderbird's option "Leave a copy 
 >on server" together with "For at most xx days". This way, employees 
 >could access at least their most recent e-mails when travelling, if only 
 >over the Internet provider's web interface.

So configure your pop connector not to delete after download. You will 
still have the problem with users creating online imap folders that the 
popconnector cannot see. Maybe you can solve this with an imap sync 
program. But this is a wrong direction to take.  

 >I could achieve such a setup without a local mail server at all, only 
 >with the Thunderbird clients, but I have not figured out yet how to 
 >automatically backup all mailboxes. See this question of mine:
 >

Configure clients to store mail files on a network share, and do 
backup on the server? But also this is thinking in a wrong direction. 


 >
 >So I am trying to design a solution with Dovecot, but I know too little 
 >about mail servers. 

So study it, read about it. How can you select a good service provider, 
without this knowledge?

 >How could I configure Dovecot / MTAs / whatever in 
 >order to achieve the "Leave a copy on server" together with "For at most 
 >xx days" mentioned above? This way, Dovecot does not need to be exposed 
 >on the Internet.

If you have to ask this question, you should not be doing this. 
Especially if you value your security so much, as you mentioned before.


 >Failing that, could someone tell me at least how to configure Dovecot / 
 >whatever to download the external IMAP mailboxes to the internal IMAP 
 >mailboxes? When I read about Postfix and the like, I see SMTP and e-mail 
 >queues, but that's not what I need.

Here is described how you configure dovecot.
https://wiki.dovecot.org/


 >I also haven't understood yet the backup part with Dovecot. There is no 
 >central e-mail database like in Microsoft Exchange, right? How do I 
 >backup all mailboxes for all users? I probably need to stop the Dovecot 
 >server and any MTAs before backing the raw files underneath, right?
 >

If you do not have time to read, get some help. Otherwise you will 
create a mess for your users. The problem with IT is that everyone is 
just jumping in without education nor responsibility. 
It is like your dentist is earning something on the side in the weekend 
as a brain surgeon.
Start acting like a pro

 





Re: Re: Panic…

2018-12-14 Thread Kai Schaetzl
Btw, what sizes are we talking about here? I assume it would be really 
huuuge?
What's the max size of the .cache file and how many mails might create 
this size?

Kai




Re: dovecot/config processes one more time - which are safe to kill?

2018-12-14 Thread Arkadiusz Miśkiewicz
On 13/12/2018 17:02, j.emerlik wrote:
> In my Dovecot 2.2.32 I do not have such a problem.


Most likely you don't use

shutdown_clients = no

option.

> 
> On Thu, 13 Dec 2018 at 10:18, Arkadiusz Miśkiewicz  > wrote:
> 
> 
> Hello.
> 
> The problem with dovecot/config processes never ending and spawning new
> one on each reload
> (https://www.dovecot.org/list/dovecot/2016-November/106058.html) is
> becoming a problem here:
> 
> # ps aux|grep dovecot/config|wc -l
> 206
> 
> That's a lot of wasted memory - dovecot/config processes ate over 30GB
> of ram on 64GB box.
> 
> Before killing dovecot/config processes:
> # free -m
>               total        used        free      shared  buff/cache
> available
> Mem:          64437       61656         483           0        2297
> 
> 
> after:
> 
> # free -m
>               total        used        free      shared  buff/cache
> available
> Mem:          64437       23676       37822           0        2939
> 
> 
> Currently on dovecot 2.3.3. I guess it's very low priority to handle
> that, so: how can I figure out which dovecot/config processes are safe
> to be killed by external script?
> 
> Does "all beside 2 newest ones" rule look sane?
> 
> Thanks,
> -- 
> Arkadiusz Miśkiewicz, arekm / ( maven.pl  |
> pld-linux.org  )
> 


-- 
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )


Downloading e-mail from a master mail server

2018-12-14 Thread R. Diez via dovecot

Hi all:

I am trying to migrate a small company from Microsoft Exchange / Outlook 
to Thunderbird. I am evaluating e-mail server software.


We have an Internet provider that we do not really want to rely upon. We 
also do not have the resources to maintain a mail server visible from 
the outside, especially regarding security updates.


Each employee has an e-mail account on our current Internet provider, 
and one e-mail account on our internal Exchange Server. Our Exchange 
server periodically downloads all e-mails from the Internet provider 
mailboxes to its local mailboxes. Therefore, employees cannot access 
their e-mails when travelling.


We have worked this way for years without problems. There are other 
ways, like VPN access etc, but we do not have the resources to install 
or maintain more IT stuff.


So I would like to keep this setup, with one important difference: 
e-mails on the Internet provider mailboxes should remain there for a 
couple of weeks. This is similar to Thunderbird's option "Leave a copy 
on server" together with "For at most xx days". This way, employees 
could access at least their most recent e-mails when travelling, if only 
over the Internet provider's web interface.


I could achieve such a setup without a local mail server at all, only 
with the Thunderbird clients, but I have not figured out yet how to 
automatically backup all mailboxes. See this question of mine:


https://support.mozilla.org/en-US/questions/1243605

So I am trying to design a solution with Dovecot, but I know too little 
about mail servers. How could I configure Dovecot / MTAs / whatever in 
order to achieve the "Leave a copy on server" together with "For at most 
xx days" mentioned above? This way, Dovecot does not need to be exposed 
on the Internet.


Failing that, could someone tell me at least how to configure Dovecot / 
whatever to download the external IMAP mailboxes to the internal IMAP 
mailboxes? When I read about Postfix and the like, I see SMTP and e-mail 
queues, but that's not what I need.


This guy wants a similar setup:

https://serverfault.com/questions/500591/fetch-all-mail-from-an-imap-server-with-postfix-to-distribute-on-local-imap-serv

But I did not understand the Fetchmail part, which seems to be 
discouraged anyway:


"Fetchmail can be used as a POP/IMAP-to-SMTP gateway for an entire DNS 
domain, collecting mail from a single drop box on an ISP and 
SMTP-forwarding it based on header addresses. (We don't really recommend 
this, though, as it may lose important envelope-header information. ETRN 
or a UUCP connection is better.)"


I also haven't understood yet the backup part with Dovecot. There is no 
central e-mail database like in Microsoft Exchange, right? How do I 
backup all mailboxes for all users? I probably need to stop the Dovecot 
server and any MTAs before backing the raw files underneath, right?


Many thanks in advance,
  rdiez