Re: Re: How to configure Dovecot to disable NIST's curves and still retain EECDH?

2018-12-18 Thread Tributh via dovecot



On 19.12.18 at 07:10, Kurt Fitzner wrote:
> My opinion is that security by RFC is not security, it's mommy
> medicine.  Standards have had a terrible time keeping up with security
> realities.
> 
> NIST's curves leak side channel information all over the place.  I don't
> have details on what implementations are set to calculate the NIST
> curves in constant time, and that's not an easy feat to do anyway so I
> don't want to depend on implementations that say they are actually doing
> it the right way.  Frankly I can't be bothered to keep up with that. 
> There are better curves *today*, so yes I intend to use them if I can
> find a way.  Otherwise, I'll just keep EECDH disabled.
> 
> I have EDH now, and I've not yet run into a client that doesn't support
> it.  I want EECDH, but I won't use it without safe curves.  I'm
> confident that EECDH with safe curves and a second choice of EDH will
> support any clients that are worth using.  OpenSSL supports X25519, and
> that is half the battle.
> 
> Is there a way to change the curve selection in Dovecot?

Yes. Try:

ssl_curve_list = X448:X25519

Tested and works with openssl 1.1.1a




Re: How to configure Dovecot to disable NIST's curves and still retain EECDH?

2018-12-18 Thread Kurt Fitzner
My opinion is that security by RFC is not security, it's mommy medicine.
Standards have had a terrible time keeping up with security realities.

NIST's curves leak side channel information all over the place.  I don't
have details on what implementations are set to calculate the NIST
curves in constant time, and that's not an easy feat to do anyway so I
don't want to depend on implementations that say they are actually doing
it the right way.  Frankly I can't be bothered to keep up with that. 
There are better curves TODAY, so yes I intend to use them if I can find
a way.  Otherwise, I'll just keep EECDH disabled. 

I have EDH now, and I've not yet run into a client that doesn't support
it.  I want EECDH, but I won't use it without safe curves.  I'm
confident that EECDH with safe curves and a second choice of EDH will
support any clients that are worth using.  OpenSSL supports X25519, and
that is half the battle. 

Is there a way to change the curve selection in Dovecot?

On 2018-12-19 01:49, Tributh via dovecot wrote:

> Do you really plan to do this?
> RFC 8446 section 9.1:
> A TLS-compliant application MUST support key exchange with secp256r1
> (NIST P-256) and SHOULD support key exchange with X25519
> 
> I think your idea might not be future-proof.
> 
> Besides that, how many mail-clients will remain usable with this cipher
> selection?
> 
> Torsten

Re: How to configure Dovecot to disable NIST's curves and still retain EECDH?

2018-12-18 Thread Tributh via dovecot



On 19.12.18 at 04:39, Kurt Fitzner wrote:
> I am interested in configuring Dovecot's TLS so as to retain forward
> secrecy, but eliminate all of NIST's elliptic curves.
> 
> Besides being subject to side channel attacks, in some quarters there is a
> general distrust of NIST's curves and any of their other cryptographic
> primitives after the Dual EC DRBG debacle.
> 
> From what I can tell, the following will prevent the use of NIST's
> curves (along with other dangerous primitives) in Dovecot, but this is
> accomplished by simply disabling EECDH entirely.
> 
> ssl_cipher_list = HIGH:!DSS:!EECDH:!ECDH:!SHA1:!aNULL:!eNULL:@STRENGTH
> 
> This should still retain forward secrecy through the use of EDH, but
> this doesn't leave much in the way of allowable algorithms on my server:
> 
> $ openssl ciphers -V 'HIGH:!DSS:!EECDH:!ECDH:!SHA1:!aNULL:!eNULL:@STRENGTH'
>   0x00,0x9F - DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH   Au=RSA  Enc=AESGCM(256) Mac=AEAD
>   0x00,0x6B - DHE-RSA-AES256-SHA256     TLSv1.2 Kx=DH   Au=RSA  Enc=AES(256)  Mac=SHA256
>   0x00,0x9D - AES256-GCM-SHA384         TLSv1.2 Kx=RSA  Au=RSA  Enc=AESGCM(256) Mac=AEAD
>   0x00,0x3D - AES256-SHA256             TLSv1.2 Kx=RSA  Au=RSA  Enc=AES(256)  Mac=SHA256
>   0x00,0x9E - DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH   Au=RSA  Enc=AESGCM(128) Mac=AEAD
>   0x00,0x67 - DHE-RSA-AES128-SHA256     TLSv1.2 Kx=DH   Au=RSA  Enc=AES(128)  Mac=SHA256
>   0x00,0x9C - AES128-GCM-SHA256         TLSv1.2 Kx=RSA  Au=RSA  Enc=AESGCM(128) Mac=AEAD
>   0x00,0x3C - AES128-SHA256             TLSv1.2 Kx=RSA  Au=RSA  Enc=AES(128)  Mac=SHA256
> 
> Is there a better way to do this? Is there a way to disable only the
> suspect NIST curves and still retain EECDH but with side-channel safe
> curves like X25519?
> 
> Thanks,
> 
>    Kurt Fitzner
> 
>  

Do you really plan to do this?
RFC 8446 section 9.1:
   A TLS-compliant application MUST support key exchange with secp256r1
   (NIST P-256) and SHOULD support key exchange with X25519

I think your idea might not be future-proof.

Besides that, how many mail-clients will remain usable with this cipher
selection?

Torsten



Re: High Load average on NFS Spool - v.2.1.15 & 2.2.13

2018-12-18 Thread Nick Edwards
Don't play net cop here,
but since you want to try to force your opinion down others' throats, here's
one for you: if you want to try to dictate to someone to bottom-post to
suit you, how about you use proper net etiquette yourself and TRIM
your posts.


On 12/19/18, admin  wrote:
> On Tuesday, 18.12.2018, 14:26 -0500, Albert E. Whale, CEH CHS CISA
> CISSP wrote:
>> I have, but I will be happy to review it once again.
>>
>>
>> On 12/18/18 2:14 PM, admin wrote:
>>
>>
>>
>> >
>> >   Am Dienstag, den 18.12.2018, 14:06 -0500 schrieb Albert E.
>> > Whale, CEH CHS CISA CISSP:
>> >
>> > > I have two servers pointing to an NFS mounted mail spool
>> > > with
>> > >   dovecot.  Since I recently switched from using Dovecot
>> > > v1.X, I
>> > >   have been experiencing high CPU use with the two
>> > > Dovecot
>> > >   servers.  I am not certain why they are not well
>> > > behaved.
>> > >   Here is the configuration information.
>> > >
>> > >
>> > >
>> > > This configuration is currently running at a load average
>> > > of
>> > >   17.
>> > >
>> > >
>> > > /usr/sbin/dovecot -n
>> > >
>> > >   # 2.1.15: /etc/dovecot/dovecot.conf
>> > >
>> > >   # OS: Linux 3.10.54-server-2.mga3 i686 Mageia 3
>> > >
>> > >   base_dir = /var/run/dovecot/
>> > >
>> > >   disable_plaintext_auth = no
>> > >
>> > >   lock_method = dotlock
>> > >
>> > >   login_greeting = SpamZapper Email ready.
>> > >
>> > >   login_log_format_elements = user=<%u> method=%m rip=%r
>> > >   lip=%l %c
>> > >
>> > >   mail_debug = yes
>> > >
>> > >   mail_fsync = always
>> > >
>> > >   mail_location = maildir:~/Maildir
>> > >
>> > >   mail_nfs_index = yes
>> > >
>> > >   mail_nfs_storage = yes
>> > >
>> > >   mail_privileged_group = mail
>> > >
>> > >   mbox_lock_timeout = 15 mins
>> > >
>> > >   mmap_disable = yes
>> > >
>> > >   passdb {
>> > >
>> > > driver = pam
>> > >
>> > >   }
>> > >
>> > >   protocols = imap pop3
>> > >
>> > >   service anvil {
>> > >
>> > > client_limit = 203
>> > >
>> > > process_limit = 1
>> > >
>> > >   }
>> > >
>> > >   service auth {
>> > >
>> > > user = root
>> > >
>> > >   }
>> > >
>> > >   service imap-login {
>> > >
>> > > chroot = login
>> > >
>> > > client_limit = 10
>> > >
>> > > user = dovecot
>> > >
>> > > vsz_limit = 256 M
>> > >
>> > >   }
>> > >
>> > >   service pop3-login {
>> > >
>> > > chroot = login
>> > >
>> > > client_limit = 20
>> > >
>> > > user = dovecot
>> > >
>> > >   }
>> > >
>> > >   ssl = no
>> > >
>> > >   syslog_facility = local2
>> > >
>> > >   userdb {
>> > >
>> > > driver = passwd
>> > >
>> > >   }
>> > >
>> > >   verbose_proctitle = yes
>> > >
>> > >   protocol pop3 {
>> > >
>> > > mail_max_userip_connections = 20
>> > >
>> > > pop3_logout_format = top=%t/%p, retr=%r/%b,
>> > > del=%d/%m,
>> > >   size=%s
>> > >
>> > > pop3_uidl_format = %08Xv%08Xu
>> > >
>> > >   }
>> > >
>> > >   protocol lda {
>> > >
>> > > postmaster_address = postmas...@example.com
>> > >
>> > >   }
>> > >
>> > >   protocol imap {
>> > >
>> > > mail_max_userip_connections = 10
>> > >
>> > >   }
>> > >
>> > >
>> > > And the other server which is currently running with a
>> > > load
>> > >   average of 10.
>> > > dovecot -n
>> > >
>> > >   # 2.2.13: /etc/dovecot/dovecot.conf
>> > >
>> > >   doveconf: Warning: service anvil { client_limit=100 }
>> > > is lower
>> > >   than required under max. load (303)
>> > >
>> > >   # OS: Linux 4.1.15-server-2.mga5 x86_64 Mageia 4
>> > >
>> > >   base_dir = /var/run/dovecot/
>> > >
>> > >   disable_plaintext_auth = no
>> > >
>> > >   listen = *
>> > >
>> > >   lock_method = dotlock
>> > >
>> > >   login_greeting = SpamZapper Email ready.
>> > >
>> > >   login_log_format_elements = user=<%u> method=%m rip=%r
>> > >   lip=%l %c
>> > >
>> > >   mail_fsync = always
>> > >
>> > >   mail_location = maildir:~/Maildir
>> > >
>> > >   mail_nfs_index = yes
>> > >
>> > >   mail_nfs_storage = yes
>> > >
>> > >   mail_privileged_group = mail
>> > >
>> > >   mmap_disable = yes
>> > >
>> > >   passdb {
>> > >
>> > > driver = pam
>> > >
>> > >   }
>> > >
>> > >   protocols = imap pop3
>> > >
>> > >   service anvil {
>> > >
>> > > client_limit = 100
>> > >
>> > > process_limit = 1
>> > >
>> > > 

How to configure Dovecot to disable NIST's curves and still retain EECDH?

2018-12-18 Thread Kurt Fitzner
I am interested in configuring Dovecot's TLS so as to retain forward
secrecy, but eliminate all of NIST's elliptic curves. 

Besides being subject to side channel attacks [1], in some quarters
there is a general distrust of NIST's curves and any of their other
cryptographic primitives after the Dual EC DRBG debacle. 

From what I can tell, the following will prevent the use of NIST's
curves (along with other dangerous primitives) in Dovecot, but this is
accomplished by simply disabling EECDH entirely.

ssl_cipher_list = HIGH:!DSS:!EECDH:!ECDH:!SHA1:!aNULL:!eNULL:@STRENGTH

This should still retain forward secrecy through the use of EDH, but
this doesn't leave much in the way of allowable algorithms on my server:

$ openssl ciphers -V 'HIGH:!DSS:!EECDH:!ECDH:!SHA1:!aNULL:!eNULL:@STRENGTH'
  0x00,0x9F - DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH   Au=RSA  Enc=AESGCM(256) Mac=AEAD
  0x00,0x6B - DHE-RSA-AES256-SHA256     TLSv1.2 Kx=DH   Au=RSA  Enc=AES(256)  Mac=SHA256
  0x00,0x9D - AES256-GCM-SHA384         TLSv1.2 Kx=RSA  Au=RSA  Enc=AESGCM(256) Mac=AEAD
  0x00,0x3D - AES256-SHA256             TLSv1.2 Kx=RSA  Au=RSA  Enc=AES(256)  Mac=SHA256
  0x00,0x9E - DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH   Au=RSA  Enc=AESGCM(128) Mac=AEAD
  0x00,0x67 - DHE-RSA-AES128-SHA256     TLSv1.2 Kx=DH   Au=RSA  Enc=AES(128)  Mac=SHA256
  0x00,0x9C - AES128-GCM-SHA256         TLSv1.2 Kx=RSA  Au=RSA  Enc=AESGCM(128) Mac=AEAD
  0x00,0x3C - AES128-SHA256             TLSv1.2 Kx=RSA  Au=RSA  Enc=AES(128)  Mac=SHA256

Is there a better way to do this? Is there a way to disable only the
suspect NIST curves and still retain EECDH but with side-channel safe
curves like X25519? 

Thanks, 

   Kurt Fitzner 

  

Links:
--
[1] https://blog.cr.yp.to/20140323-ecdsa.html
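The cipher string above deserves one check that the thread does not spell out: besides the DHE suites, the `openssl ciphers -V` listing also admits four `Kx=RSA` suites (static RSA key transport), and those give no forward secrecy at all, so a client that prefers them loses exactly the property the string was meant to keep. The script below is an added example, not part of Kurt's message and not Dovecot code. It parses output in the format shown above, sorts the admitted suites by key exchange, reports whether any elliptic-curve agreement survived, and appends `!kRSA` (a real OpenSSL cipher-string keyword) to close the gap. The sample lines are the ones Kurt posted; `harden`, `report` and the other function names are mine.

```python
"""Sort the suites an OpenSSL cipher string admits by key exchange and flag non-forward-secret ones."""
import re
import shutil
import subprocess

# One `openssl ciphers -V` line looks like:
#   0x00,0x9F - DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
LINE_RE = re.compile(
    r"^\s*0x([0-9A-Fa-f]{2}),0x([0-9A-Fa-f]{2})\s+-\s+(?P<name>\S+)\s+(?P<proto>\S+)"
    r"\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)

# Kx values that denote an ephemeral key agreement, i.e. forward secrecy.
# "any" is what OpenSSL prints for TLS 1.3 suites, whose key exchange is always ephemeral.
FORWARD_SECRET_KX = {"DH", "ECDH", "any"}

KURT_CIPHER_STRING = "HIGH:!DSS:!EECDH:!ECDH:!SHA1:!aNULL:!eNULL:@STRENGTH"

# The listing Kurt posted for that string, one suite per line (copied from the thread).
KURT_OUTPUT = """\
0x00,0x9F - DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH   Au=RSA  Enc=AESGCM(256) Mac=AEAD
0x00,0x6B - DHE-RSA-AES256-SHA256     TLSv1.2 Kx=DH   Au=RSA  Enc=AES(256)  Mac=SHA256
0x00,0x9D - AES256-GCM-SHA384         TLSv1.2 Kx=RSA  Au=RSA  Enc=AESGCM(256) Mac=AEAD
0x00,0x3D - AES256-SHA256             TLSv1.2 Kx=RSA  Au=RSA  Enc=AES(256)  Mac=SHA256
0x00,0x9E - DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH   Au=RSA  Enc=AESGCM(128) Mac=AEAD
0x00,0x67 - DHE-RSA-AES128-SHA256     TLSv1.2 Kx=DH   Au=RSA  Enc=AES(128)  Mac=SHA256
0x00,0x9C - AES128-GCM-SHA256         TLSv1.2 Kx=RSA  Au=RSA  Enc=AESGCM(128) Mac=AEAD
0x00,0x3C - AES128-SHA256             TLSv1.2 Kx=RSA  Au=RSA  Enc=AES(128)  Mac=SHA256
"""


def parse_ciphers(text):
    """Parse `openssl ciphers -V` output into one dict per suite; non-matching lines are skipped."""
    return [m.groupdict() for m in (LINE_RE.match(l) for l in text.splitlines()) if m]


def split_by_forward_secrecy(suites):
    """Return (suites with forward secrecy, suites without) judged by the Kx column."""
    pfs = [s for s in suites if s["kx"] in FORWARD_SECRET_KX]
    static = [s for s in suites if s["kx"] not in FORWARD_SECRET_KX]
    return pfs, static


def uses_ecdhe(suites):
    """True if any admitted suite negotiates an elliptic-curve key agreement."""
    return any(s["kx"] == "ECDH" for s in suites)


def harden(cipher_string):
    """Append !kRSA so static RSA key transport is excluded; idempotent.

    kRSA is the OpenSSL keyword for suites whose key exchange is RSA. The @STRENGTH
    sort directive is kept at the end, where OpenSSL expects directives.
    """
    parts = cipher_string.split(":")
    if "!kRSA" in parts:
        return cipher_string
    directives = [p for p in parts if p.startswith("@")]
    rules = [p for p in parts if not p.startswith("@")]
    return ":".join(rules + ["!kRSA"] + directives)


def local_openssl_output(cipher_string):
    """Run the local `openssl ciphers -V` if an openssl binary exists, else None (stays offline-safe)."""
    if shutil.which("openssl") is None:
        return None
    proc = subprocess.run(["openssl", "ciphers", "-V", cipher_string],
                          capture_output=True, text=True, check=False)
    return proc.stdout


def report(text):
    """Human-readable summary of a listing: counts, the non-forward-secret suites, ECDHE presence."""
    suites = parse_ciphers(text)
    pfs, static = split_by_forward_secrecy(suites)
    lines = [f"{len(suites)} suites admitted, {len(pfs)} with forward secrecy, {len(static)} without"]
    for s in static:
        lines.append(f"  no forward secrecy: {s['name']} (Kx={s['kx']})")
    lines.append("elliptic-curve key agreement present: " + ("yes" if uses_ecdhe(suites) else "no"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(KURT_OUTPUT))
    print("suggested cipher string:", harden(KURT_CIPHER_STRING))
    live = local_openssl_output(harden(KURT_CIPHER_STRING))
    if live is not None:
        print("with the local OpenSSL build:")
        print(report(live))
```

On a host with `openssl` installed the script also runs the hardened string through the local build, which is the listing that matters for the Dovecot server itself. Note that on OpenSSL 1.1.1 the TLS 1.3 suites are governed by `ssl_ciphersuites`/`SSL_CTX_set_ciphersuites`, not by this cipher string, and they always use ephemeral key exchange; the `!kRSA` rule only affects TLS 1.2 and older.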

Re: Apple mail fails with Submission

2018-12-18 Thread Adi Pircalabu via dovecot

On 2018-12-19 03:17, Ruud Voorjans wrote:

Postfix debug peer logging

Dec 18 17:08:11 mail postfix/submission/smtpd[10626]: > server.example.org[XX.XX.XX.XX]: 250 2.1.5 Ok
Dec 18 17:08:11 mail postfix/submission/smtpd[10626]: watchdog_pat: 0x55ef4ec020180
Dec 18 17:08:11 mail postfix/submission/smtpd[10626]: vstream_fflush_some: fd 10 flush 28
Dec 18 17:08:11 mail postfix/submission/smtpd[10626]: vstream_buf_get_ready: fd 10 got 15
Dec 18 17:08:11 mail postfix/submission/smtpd[10626]: < server.example.org[XX.XX.XX.XX]: BDAT 326 LAST
Dec 18 17:08:11 mail postfix/submission/smtpd[10626]: match_string: smtpd_forbidden_commands: bdat ~? connect
Dec 18 17:08:11 mail postfix/submission/smtpd[10626]: match_string: smtpd_forbidden_commands: bdat ~? get
Dec 18 17:08:11 mail postfix/submission/smtpd[10626]: match_string: smtpd_forbidden_commands: bdat ~? post
Dec 18 17:08:11 mail postfix/submission/smtpd[10626]: match_list_match: BDAT: no match
Dec 18 17:08:11 mail postfix/submission/smtpd[10626]: > server.example.org[XX.XX.XX.XX]: 502 5.5.2 Error: command not recognized
Dec 18 17:08:11 mail postfix/submission/smtpd[10626]: watchdog_pat: 0x55ef4ec020180
Dec 18 17:08:11 mail postfix/submission/smtpd[10626]: vstream_fflush_some: fd 10 flush 41
Dec 18 17:08:11 mail postfix/submission/smtpd[10626]: vstream_buf_get_ready: fd 10 got 326
Dec 18 17:08:11 mail postfix/submission/smtpd[10626]: < server.example.org[XX.XX.XX.XX]: Content-Type: text/plain; charset=us-ascii
Dec 18 17:08:11 mail postfix/submission/smtpd[10626]: warning: non-SMTP command from server.example.org[XX.XX.XX.XX]: Content-Type: text/plain; charset=us-ascii
Dec 18 17:08:11 mail postfix/submission/smtpd[10626]: > server.example.org[XX.XX.XX.XX]: 221 2.7.0 Error: I can break rules, too. Goodbye.


Do you have the submission logs for the same timestamp? Your server
doesn't support the BDAT command. However, looking at the logs below I have
a suspicion your submission is advertising CHUNKING incorrectly.
Misconfiguration or bug?

https://tools.ietf.org/html/rfc1830

--
Adi Pircalabu



On Tue 18 Dec 2018 at 17:01, Ruud Voorjans wrote:


doveconf -n output:
# 2.3.2.1 (0719df592): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.2 ()
# OS: Linux 4.18.0-12-generic x86_64 Ubuntu 18.10
# Hostname: mail.example.org
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_verbose = yes
director_mail_servers = XX.XX.XX.XX
hostname = mail.example.org
log_path = /var/log/dovecot.log
login_trusted_networks = XX.XX.XX.XX
mail_debug = yes
mail_location = mbox:~/mail:INBOX=/var/mail/%u
mail_privileged_group = mail
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix =
}
passdb {
args = proxy=y host=XX.XX.XX nopassword=y
driver = static
}
protocols = imap submission
service director {
fifo_listener login/proxy-notify {
mode = 0600
user = $default_login_user
}
inet_listener {
port = 9090
}
unix_listener director-userdb {
mode = 0600
}
unix_listener login/director {
mode = 0666
}
}
service imap-login {
executable = imap-login director
}
service submission-login {
executable = submission-login
}
ssl = required
ssl_cert = 
ssl_cipher_list = AES256+EECDH:AES256+EDH:ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5

ssl_dh =  # hidden, use -P to show it
ssl_key =  # hidden, use -P to show it
ssl_min_protocol = TLSv1.2
ssl_prefer_server_ciphers = yes
submission_relay_host = XX.XX.XX.XX
submission_relay_rawlog_dir = /var/log/dovecot.log
submission_relay_trusted = yes
verbose_ssl = yes

Logging:
Dec 18 16:36:39 submission-login: Debug: smtp-server: conn   [0]:
Connection created
Dec 18 16:36:39 submission-login: Debug: smtp-server: conn   [0]:
Received new command: EHLO [10.225.11.41]
Dec 18 16:36:39 submission-login: Debug: smtp-server: conn   [0]:
command EHLO; 250 reply: Submitted
Dec 18 16:36:39 submission-login: Debug: smtp-server: conn   [0]:
command EHLO: Ready to reply
Dec 18 16:36:39 submission-login: Debug: smtp-server: conn   [0]:
Trigger output
Dec 18 16:36:39 submission-login: Debug: smtp-server: conn   [0]:
Sending replies
Dec 18 16:36:39 submission-login: Debug: smtp-server: conn   [0]:
command EHLO: Completed
Dec 18 16:36:39 submission-login: Debug: smtp-server: conn   [0]:
Connection state reset
Dec 18 16:36:39 submission-login: Debug: smtp-server: conn   [0]:
command EHLO; 250 reply: Sent: 250-mail.example.org 8BITMIME
BURL imap CHUNKING ENHANCEDSTATUSCODES SIZE STARTTLS PIPELINING
Dec 18 16:36:39 submission-login: Debug: smtp-server: conn   [0]:
command EHLO: Destroy
Dec 18 16:36:39 submission-login: Debug: smtp-server: conn   [0]:
command EHLO; 250 reply: Destroy
Dec 18 16:36:39 submission-login: Debug: smtp-server: conn   [0]:
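Adi's suspicion, that the submission front-end advertises CHUNKING while the relay behind it cannot take BDAT, is something you can check mechanically rather than by reading two logs side by side. The Python script below is an added example, not part of this thread and not Dovecot or Postfix code. It parses two EHLO replies and lists the relay-dependent extensions the front-end advertises that the relay does not offer. The Dovecot reply is reconstructed in wire format from the keywords in Ruud's submission-login log; the Postfix reply is constructed for the example and stands for a Postfix release without BDAT support (Postfix gained CHUNKING in 3.4). `RELAY_DEPENDENT`, `advertised_but_unsupported`, `bdat_will_fail` and `live_extensions` are my names.

```python
"""Compare the ESMTP extensions a submission front-end advertises with those its relay offers."""
import smtplib

# Extensions whose effect the front-end hands on to the relay unchanged, so advertising
# them to clients is only safe when the relay offers them as well. BURL is deliberately
# absent: the submission server resolves BURL itself before relaying a complete message.
RELAY_DEPENDENT = {"CHUNKING", "BINARYMIME", "8BITMIME", "SMTPUTF8", "DSN"}

# Wire-format reconstruction of the EHLO reply in Ruud's log
# ("250-mail.example.org 8BITMIME BURL imap CHUNKING ENHANCEDSTATUSCODES SIZE STARTTLS PIPELINING").
DOVECOT_EHLO = (
    "250-mail.example.org\r\n"
    "250-8BITMIME\r\n"
    "250-BURL imap\r\n"
    "250-CHUNKING\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250-SIZE\r\n"
    "250-STARTTLS\r\n"
    "250 PIPELINING\r\n"
)

# CONSTRUCTED for this example: an EHLO reply from a Postfix relay that lacks CHUNKING.
POSTFIX_EHLO = (
    "250-relay.example.org\r\n"
    "250-PIPELINING\r\n"
    "250-SIZE 10240000\r\n"
    "250-ETRN\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250-8BITMIME\r\n"
    "250 DSN\r\n"
)


def parse_ehlo(reply):
    """Return {KEYWORD: parameter string} from a multi-line 250 EHLO reply (RFC 5321 4.1.1.1).

    The first line carries the server's domain rather than an extension and is skipped;
    any line that is not a well-formed '250-' or '250 ' continuation raises ValueError.
    """
    lines = [l for l in reply.replace("\r\n", "\n").split("\n") if l]
    if not lines or not lines[0].startswith("250"):
        raise ValueError("not a successful EHLO reply")
    exts = {}
    for line in lines[1:]:
        if not line.startswith("250") or len(line) < 5 or line[3] not in "- ":
            raise ValueError(f"malformed reply line: {line!r}")
        keyword, _, params = line[4:].strip().partition(" ")
        exts[keyword.upper()] = params
    return exts


def advertised_but_unsupported(frontend, relay):
    """Relay-dependent extensions the front-end advertises that the relay does not offer."""
    return {k for k in frontend if k in RELAY_DEPENDENT and k not in relay}


def bdat_will_fail(frontend, relay):
    """True when clients may send BDAT (CHUNKING advertised) but the relay cannot accept it."""
    return "CHUNKING" in frontend and "CHUNKING" not in relay


def live_extensions(host, port=25, timeout=10.0):
    """Fetch a real server's EHLO keywords with smtplib (network; not used by the offline demo)."""
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        conn.ehlo()
        return {k.upper(): v for k, v in conn.esmtp_features.items()}


if __name__ == "__main__":
    front, relay = parse_ehlo(DOVECOT_EHLO), parse_ehlo(POSTFIX_EHLO)
    print("front-end advertises:", sorted(front))
    print("relay offers:        ", sorted(relay))
    print("advertised but unsupported by relay:", sorted(advertised_but_unsupported(front, relay)))
    if bdat_will_fail(front, relay):
        print("a client that chooses BDAT will get the relay's 502, as in the Postfix log")
```

To run the same comparison against live hosts, call `live_extensions` once for the submission port and once for the relay and feed the two dicts to `advertised_but_unsupported`. Dovecot 2.3 also has a `submission_backend_capabilities` setting for pinning the capability list the submission service assumes for its backend; check your version's documentation for its exact semantics before relying on it.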

Re: High Load average on NFS Spool - v.2.1.15 & 2.2.13

2018-12-18 Thread admin
On Tuesday, 18.12.2018, 14:26 -0500, Albert E. Whale, CEH CHS CISA
CISSP wrote:
> I have, but I will be happy to review it once again.
> 
> 
> On 12/18/18 2:14 PM, admin wrote:
> 
> 
> 
> >   
> >   On Tuesday, 18.12.2018, 14:06 -0500, Albert E. Whale, CEH CHS
> > CISA CISSP wrote:
> >   
> > > I have two servers pointing to an NFS mounted mail spool
> > > with
> > >   dovecot.  Since I recently switched from using Dovecot
> > > v1.X, I
> > >   have been experiencing high CPU use with the two
> > > Dovecot
> > >   servers.  I am not certain why they are not well
> > > behaved. 
> > >   Here is the configuration information.
> > > 
> > > 
> > > 
> > > This configuration is currently running at a load average
> > > of
> > >   17.
> > > 
> > > 
> > > /usr/sbin/dovecot -n
> > > 
> > >   # 2.1.15: /etc/dovecot/dovecot.conf
> > > 
> > >   # OS: Linux 3.10.54-server-2.mga3 i686 Mageia 3
> > > 
> > >   base_dir = /var/run/dovecot/
> > > 
> > >   disable_plaintext_auth = no
> > > 
> > >   lock_method = dotlock
> > > 
> > >   login_greeting = SpamZapper Email ready.
> > > 
> > >   login_log_format_elements = user=<%u> method=%m rip=%r
> > >   lip=%l %c
> > > 
> > >   mail_debug = yes
> > > 
> > >   mail_fsync = always
> > > 
> > >   mail_location = maildir:~/Maildir
> > > 
> > >   mail_nfs_index = yes
> > > 
> > >   mail_nfs_storage = yes
> > > 
> > >   mail_privileged_group = mail
> > > 
> > >   mbox_lock_timeout = 15 mins
> > > 
> > >   mmap_disable = yes
> > > 
> > >   passdb {
> > > 
> > > driver = pam
> > > 
> > >   }
> > > 
> > >   protocols = imap pop3
> > > 
> > >   service anvil {
> > > 
> > > client_limit = 203
> > > 
> > > process_limit = 1
> > > 
> > >   }
> > > 
> > >   service auth {
> > > 
> > > user = root
> > > 
> > >   }
> > > 
> > >   service imap-login {
> > > 
> > > chroot = login
> > > 
> > > client_limit = 10
> > > 
> > > user = dovecot
> > > 
> > > vsz_limit = 256 M
> > > 
> > >   }
> > > 
> > >   service pop3-login {
> > > 
> > > chroot = login
> > > 
> > > client_limit = 20
> > > 
> > > user = dovecot
> > > 
> > >   }
> > > 
> > >   ssl = no
> > > 
> > >   syslog_facility = local2
> > > 
> > >   userdb {
> > > 
> > > driver = passwd
> > > 
> > >   }
> > > 
> > >   verbose_proctitle = yes
> > > 
> > >   protocol pop3 {
> > > 
> > > mail_max_userip_connections = 20
> > > 
> > > pop3_logout_format = top=%t/%p, retr=%r/%b,
> > > del=%d/%m,
> > >   size=%s
> > > 
> > > pop3_uidl_format = %08Xv%08Xu
> > > 
> > >   }
> > > 
> > >   protocol lda {
> > > 
> > > postmaster_address = postmas...@example.com
> > > 
> > >   }
> > > 
> > >   protocol imap {
> > > 
> > > mail_max_userip_connections = 10
> > > 
> > >   }
> > > 
> > > 
> > > And the other server which is currently running with a
> > > load
> > >   average of 10.
> > > dovecot -n
> > > 
> > >   # 2.2.13: /etc/dovecot/dovecot.conf
> > > 
> > >   doveconf: Warning: service anvil { client_limit=100 }
> > > is lower
> > >   than required under max. load (303)
> > > 
> > >   # OS: Linux 4.1.15-server-2.mga5 x86_64 Mageia 4
> > > 
> > >   base_dir = /var/run/dovecot/
> > > 
> > >   disable_plaintext_auth = no
> > > 
> > >   listen = *
> > > 
> > >   lock_method = dotlock
> > > 
> > >   login_greeting = SpamZapper Email ready.
> > > 
> > >   login_log_format_elements = user=<%u> method=%m rip=%r
> > >   lip=%l %c
> > > 
> > >   mail_fsync = always
> > > 
> > >   mail_location = maildir:~/Maildir
> > > 
> > >   mail_nfs_index = yes
> > > 
> > >   mail_nfs_storage = yes
> > > 
> > >   mail_privileged_group = mail
> > > 
> > >   mmap_disable = yes
> > > 
> > >   passdb {
> > > 
> > > driver = pam
> > > 
> > >   }
> > > 
> > >   protocols = imap pop3
> > > 
> > >   service anvil {
> > > 
> > > client_limit = 100
> > > 
> > > process_limit = 1
> > > 
> > >   }
> > > 
> > >   service auth {
> > > 
> > > user = root
> > > 
> > >   }
> > > 
> > >   service imap-login {
> > > 
> > > chroot = login
> > > 
> > > client_limit = 48
> > > 
> > > user = dovecot
> > > 
> > > vsz_limit = 256 M
> > > 

Re: High Load average on NFS Spool - v.2.1.15 & 2.2.13

2018-12-18 Thread Albert E. Whale, CEH CHS CISA CISSP

I have, but I will be happy to review it once again.

On 12/18/18 2:14 PM, admin wrote:
On Tuesday, 18.12.2018, 14:06 -0500, Albert E. Whale, CEH CHS CISA
CISSP wrote:


I have two servers pointing to an NFS mounted mail spool with 
dovecot.  Since I recently switched from using Dovecot v1.X, I have 
been experiencing high CPU use with the two Dovecot servers.  I am 
not certain why they are not well behaved. Here is the configuration 
information.



This configuration is currently running at a load average of 17.

/usr/sbin/dovecot -n
# 2.1.15: /etc/dovecot/dovecot.conf
# OS: Linux 3.10.54-server-2.mga3 i686 Mageia 3
base_dir = /var/run/dovecot/
disable_plaintext_auth = no
lock_method = dotlock
login_greeting = SpamZapper Email ready.
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l %c
mail_debug = yes
mail_fsync = always
mail_location = maildir:~/Maildir
mail_nfs_index = yes
mail_nfs_storage = yes
mail_privileged_group = mail
mbox_lock_timeout = 15 mins
mmap_disable = yes
passdb {
  driver = pam
}
protocols = imap pop3
service anvil {
  client_limit = 203
  process_limit = 1
}
service auth {
  user = root
}
service imap-login {
  chroot = login
  client_limit = 10
  user = dovecot
  vsz_limit = 256 M
}
service pop3-login {
  chroot = login
  client_limit = 20
  user = dovecot
}
ssl = no
syslog_facility = local2
userdb {
  driver = passwd
}
verbose_proctitle = yes
protocol pop3 {
  mail_max_userip_connections = 20
  pop3_logout_format = top=%t/%p, retr=%r/%b, del=%d/%m, size=%s
  pop3_uidl_format = %08Xv%08Xu
}
protocol lda {
  postmaster_address = postmas...@example.com
}
protocol imap {
  mail_max_userip_connections = 10
}

And the other server which is currently running with a load average 
of 10.


dovecot -n
# 2.2.13: /etc/dovecot/dovecot.conf
doveconf: Warning: service anvil { client_limit=100 } is lower than 
required under max. load (303)

# OS: Linux 4.1.15-server-2.mga5 x86_64 Mageia 4
base_dir = /var/run/dovecot/
disable_plaintext_auth = no
listen = *
lock_method = dotlock
login_greeting = SpamZapper Email ready.
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l %c
mail_fsync = always
mail_location = maildir:~/Maildir
mail_nfs_index = yes
mail_nfs_storage = yes
mail_privileged_group = mail
mmap_disable = yes
passdb {
  driver = pam
}
protocols = imap pop3
service anvil {
  client_limit = 100
  process_limit = 1
}
service auth {
  user = root
}
service imap-login {
  chroot = login
  client_limit = 48
  user = dovecot
  vsz_limit = 256 M
}
service pop3-login {
  chroot = login
  client_limit = 50
  user = dovecot
}
ssl = no
syslog_facility = local2
userdb {
  driver = passwd
}
verbose_proctitle = yes
protocol pop3 {
  mail_max_userip_connections = 50
  pop3_logout_format = top=%t/%p, retr=%r/%b, del=%d/%m, size=%s
  pop3_uidl_format = %08Xv%08Xu
}
protocol lda {
  postmaster_address = postmas...@example.com
}
protocol imap {
  mail_max_userip_connections = 40
}

Can you please offer a suggestion on what is happening?  The timeouts 
to the imap server are frequent due to the load average.


Thank you.

--
--
--

Albert E. Whale, CEH CHS CISA CISSP
*President - Chief Info Security Officer*
IT Security, Inc.  - A Service 
Disabled Veteran Owned Company - (*SDVOSB*)

*HUBZone Certified*
LinkedIn  Profile


Phone: 412-515-3010 | Email: albert.wh...@it-security-inc.com
Cell: 412-889-6870



Did you have a look at https://wiki2.dovecot.org/NFS ?

--
awib IT Solutions
i...@awib.it  

--
--
--

Albert E. Whale, CEH CHS CISA CISSP
*President - Chief Info Security Officer*
IT Security, Inc.  - A Service Disabled 
Veteran Owned Company - (*SDVOSB*)

*HUBZone Certified*
LinkedIn  Profile


Phone: 412-515-3010 | Email: albert.wh...@it-security-inc.com
Cell: 412-889-6870



Re: High Load average on NFS Spool - v.2.1.15 & 2.2.13

2018-12-18 Thread admin
On Tuesday, 18.12.2018, 14:06 -0500, Albert E. Whale, CEH CHS CISA
CISSP wrote:
> I have two servers pointing to an NFS mounted mail spool with
>   dovecot.  Since I recently switched from using Dovecot v1.X, I
>   have been experiencing high CPU use with the two Dovecot
> servers. 
>   I am not certain why they are not well behaved.  Here is the
>   configuration information.
> 
> 
> 
> This configuration is currently running at a load average of 17.
> 
> 
> /usr/sbin/dovecot -n
> 
>   # 2.1.15: /etc/dovecot/dovecot.conf
> 
>   # OS: Linux 3.10.54-server-2.mga3 i686 Mageia 3
> 
>   base_dir = /var/run/dovecot/
> 
>   disable_plaintext_auth = no
> 
>   lock_method = dotlock
> 
>   login_greeting = SpamZapper Email ready.
> 
>   login_log_format_elements = user=<%u> method=%m rip=%r
>   lip=%l %c
> 
>   mail_debug = yes
> 
>   mail_fsync = always
> 
>   mail_location = maildir:~/Maildir
> 
>   mail_nfs_index = yes
> 
>   mail_nfs_storage = yes
> 
>   mail_privileged_group = mail
> 
>   mbox_lock_timeout = 15 mins
> 
>   mmap_disable = yes
> 
>   passdb {
> 
> driver = pam
> 
>   }
> 
>   protocols = imap pop3
> 
>   service anvil {
> 
> client_limit = 203
> 
> process_limit = 1
> 
>   }
> 
>   service auth {
> 
> user = root
> 
>   }
> 
>   service imap-login {
> 
> chroot = login
> 
> client_limit = 10
> 
> user = dovecot
> 
> vsz_limit = 256 M
> 
>   }
> 
>   service pop3-login {
> 
> chroot = login
> 
> client_limit = 20
> 
> user = dovecot
> 
>   }
> 
>   ssl = no
> 
>   syslog_facility = local2
> 
>   userdb {
> 
> driver = passwd
> 
>   }
> 
>   verbose_proctitle = yes
> 
>   protocol pop3 {
> 
> mail_max_userip_connections = 20
> 
> pop3_logout_format = top=%t/%p, retr=%r/%b, del=%d/%m,
> size=%s
> 
> pop3_uidl_format = %08Xv%08Xu
> 
>   }
> 
>   protocol lda {
> 
> postmaster_address = postmas...@example.com
> 
>   }
> 
>   protocol imap {
> 
> mail_max_userip_connections = 10
> 
>   }
> 
> 
> And the other server which is currently running with a load
>   average of 10.
> dovecot -n
> 
>   # 2.2.13: /etc/dovecot/dovecot.conf
> 
>   doveconf: Warning: service anvil { client_limit=100 } is lower
>   than required under max. load (303)
> 
>   # OS: Linux 4.1.15-server-2.mga5 x86_64 Mageia 4
> 
>   base_dir = /var/run/dovecot/
> 
>   disable_plaintext_auth = no
> 
>   listen = *
> 
>   lock_method = dotlock
> 
>   login_greeting = SpamZapper Email ready.
> 
>   login_log_format_elements = user=<%u> method=%m rip=%r
>   lip=%l %c
> 
>   mail_fsync = always
> 
>   mail_location = maildir:~/Maildir
> 
>   mail_nfs_index = yes
> 
>   mail_nfs_storage = yes
> 
>   mail_privileged_group = mail
> 
>   mmap_disable = yes
> 
>   passdb {
> 
> driver = pam
> 
>   }
> 
>   protocols = imap pop3
> 
>   service anvil {
> 
> client_limit = 100
> 
> process_limit = 1
> 
>   }
> 
>   service auth {
> 
> user = root
> 
>   }
> 
>   service imap-login {
> 
> chroot = login
> 
> client_limit = 48
> 
> user = dovecot
> 
> vsz_limit = 256 M
> 
>   }
> 
>   service pop3-login {
> 
> chroot = login
> 
> client_limit = 50
> 
> user = dovecot
> 
>   }
> 
>   ssl = no
> 
>   syslog_facility = local2
> 
>   userdb {
> 
> driver = passwd
> 
>   }
> 
>   verbose_proctitle = yes
> 
>   protocol pop3 {
> 
> mail_max_userip_connections = 50
> 
> pop3_logout_format = top=%t/%p, retr=%r/%b, del=%d/%m,
> size=%s
> 
> pop3_uidl_format = %08Xv%08Xu
> 
>   }
> 
>   protocol lda {
> 
> postmaster_address = postmas...@example.com
> 
>   }
> 
>   protocol imap {
> 
> mail_max_userip_connections = 40
> 
>   }
> 
> 
> Can you please offer a suggestion on what is happening?  The
>   timeouts to the imap server are frequent due to the load
> average.
> Thank you.
> 
> 
> -- 
> 
>   -- 
> 
>   --
> 
>   
> 
>   Albert E. Whale, CEH CHS CISA CISSP
> 
>   President - Chief Info Security Officer
> 
>   IT Security, Inc. - A
>   Service Disabled Veteran Owned Company - (SDVOSB)
> 
>   HUBZone Certified
> 
>   LinkedIn
>   Profile
> 
>   
> 
>   
> 
>   Phone: 412-515-3010 | Email: albert.wh...@it-security-inc.com
> 
>   Cell: 412-889-6870
> 
>   
> 
> 
>   
> 

Did you have a look at https://wiki2.dovecot.org/NFS ?

-- 
awib IT Solutions
i...@awib.it


High Load average on NFS Spool - v.2.1.15 & 2.2.13

2018-12-18 Thread Albert E. Whale, CEH CHS CISA CISSP
I have two servers pointing to an NFS mounted mail spool with dovecot.  
Since I recently switched from using Dovecot v1.X, I have been 
experiencing high CPU use with the two Dovecot servers. I am not certain 
why they are not well behaved.  Here is the configuration information.



This configuration is currently running at a load average of 17.

/usr/sbin/dovecot -n
# 2.1.15: /etc/dovecot/dovecot.conf
# OS: Linux 3.10.54-server-2.mga3 i686 Mageia 3
base_dir = /var/run/dovecot/
disable_plaintext_auth = no
lock_method = dotlock
login_greeting = SpamZapper Email ready.
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l %c
mail_debug = yes
mail_fsync = always
mail_location = maildir:~/Maildir
mail_nfs_index = yes
mail_nfs_storage = yes
mail_privileged_group = mail
mbox_lock_timeout = 15 mins
mmap_disable = yes
passdb {
  driver = pam
}
protocols = imap pop3
service anvil {
  client_limit = 203
  process_limit = 1
}
service auth {
  user = root
}
service imap-login {
  chroot = login
  client_limit = 10
  user = dovecot
  vsz_limit = 256 M
}
service pop3-login {
  chroot = login
  client_limit = 20
  user = dovecot
}
ssl = no
syslog_facility = local2
userdb {
  driver = passwd
}
verbose_proctitle = yes
protocol pop3 {
  mail_max_userip_connections = 20
  pop3_logout_format = top=%t/%p, retr=%r/%b, del=%d/%m, size=%s
  pop3_uidl_format = %08Xv%08Xu
}
protocol lda {
  postmaster_address = postmas...@example.com
}
protocol imap {
  mail_max_userip_connections = 10
}

And the other server which is currently running with a load average of 10.

dovecot -n
# 2.2.13: /etc/dovecot/dovecot.conf
doveconf: Warning: service anvil { client_limit=100 } is lower than 
required under max. load (303)

# OS: Linux 4.1.15-server-2.mga5 x86_64 Mageia 4
base_dir = /var/run/dovecot/
disable_plaintext_auth = no
listen = *
lock_method = dotlock
login_greeting = SpamZapper Email ready.
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l %c
mail_fsync = always
mail_location = maildir:~/Maildir
mail_nfs_index = yes
mail_nfs_storage = yes
mail_privileged_group = mail
mmap_disable = yes
passdb {
  driver = pam
}
protocols = imap pop3
service anvil {
  client_limit = 100
  process_limit = 1
}
service auth {
  user = root
}
service imap-login {
  chroot = login
  client_limit = 48
  user = dovecot
  vsz_limit = 256 M
}
service pop3-login {
  chroot = login
  client_limit = 50
  user = dovecot
}
ssl = no
syslog_facility = local2
userdb {
  driver = passwd
}
verbose_proctitle = yes
protocol pop3 {
  mail_max_userip_connections = 50
  pop3_logout_format = top=%t/%p, retr=%r/%b, del=%d/%m, size=%s
  pop3_uidl_format = %08Xv%08Xu
}
protocol lda {
  postmaster_address = postmas...@example.com
}
protocol imap {
  mail_max_userip_connections = 40
}

Can you please offer a suggestion on what is happening?  The timeouts to 
the imap server are frequent due to the load average.


Thank you.

--
--
--

Albert E. Whale, CEH CHS CISA CISSP
*President - Chief Info Security Officer*
IT Security, Inc.  - A Service Disabled 
Veteran Owned Company - (*SDVOSB*)

*HUBZone Certified*
LinkedIn  Profile


Phone: 412-515-3010 | Email: albert.wh...@it-security-inc.com
Cell: 412-889-6870



Re: Apple mail fails with Submission

2018-12-18 Thread Ruud Voorjans
Postfix debug peer logging

Dec 18 17:08:11 mail postfix/submission/smtpd[10626]: > server.example.org[XX.XX.XX.XX]: 250 2.1.5 Ok
Dec 18 17:08:11 mail postfix/submission/smtpd[10626]: watchdog_pat: 0x55ef4ec020180
Dec 18 17:08:11 mail postfix/submission/smtpd[10626]: vstream_fflush_some: fd 10 flush 28
Dec 18 17:08:11 mail postfix/submission/smtpd[10626]: vstream_buf_get_ready: fd 10 got 15
Dec 18 17:08:11 mail postfix/submission/smtpd[10626]: < server.example.org[XX.XX.XX.XX]: BDAT 326 LAST
Dec 18 17:08:11 mail postfix/submission/smtpd[10626]: match_string: smtpd_forbidden_commands: bdat ~? connect
Dec 18 17:08:11 mail postfix/submission/smtpd[10626]: match_string: smtpd_forbidden_commands: bdat ~? get
Dec 18 17:08:11 mail postfix/submission/smtpd[10626]: match_string: smtpd_forbidden_commands: bdat ~? post
Dec 18 17:08:11 mail postfix/submission/smtpd[10626]: match_list_match: BDAT: no match
Dec 18 17:08:11 mail postfix/submission/smtpd[10626]: > server.example.org[XX.XX.XX.XX]: 502 5.5.2 Error: command not recognized
Dec 18 17:08:11 mail postfix/submission/smtpd[10626]: watchdog_pat: 0x55ef4ec020180
Dec 18 17:08:11 mail postfix/submission/smtpd[10626]: vstream_fflush_some: fd 10 flush 41
Dec 18 17:08:11 mail postfix/submission/smtpd[10626]: vstream_buf_get_ready: fd 10 got 326
Dec 18 17:08:11 mail postfix/submission/smtpd[10626]: < server.example.org[XX.XX.XX.XX]: Content-Type: text/plain; charset=us-ascii
Dec 18 17:08:11 mail postfix/submission/smtpd[10626]: warning: non-SMTP command from server.example.org[XX.XX.XX.XX]: Content-Type: text/plain; charset=us-ascii
Dec 18 17:08:11 mail postfix/submission/smtpd[10626]: > server.example.org[XX.XX.XX.XX]: 221 2.7.0 Error: I can break rules, too. Goodbye.


Op di 18 dec. 2018 om 17:01 schreef Ruud Voorjans :

> doveconf -n output:
> # 2.3.2.1 (0719df592): /etc/dovecot/dovecot.conf
> # Pigeonhole version 0.5.2 ()
> # OS: Linux 4.18.0-12-generic x86_64 Ubuntu 18.10
> # Hostname: mail.example.org
> auth_debug = yes
> auth_debug_passwords = yes
> auth_mechanisms = plain login
> auth_verbose = yes
> director_mail_servers = XX.XX.XX.XX
> hostname = mail.example.org
> log_path = /var/log/dovecot.log
> login_trusted_networks = XX.XX.XX.XX
> mail_debug = yes
> mail_location = mbox:~/mail:INBOX=/var/mail/%u
> mail_privileged_group = mail
> namespace inbox {
>   inbox = yes
>   location =
>   mailbox Drafts {
> special_use = \Drafts
>   }
>   mailbox Junk {
> special_use = \Junk
>   }
>   mailbox Sent {
> special_use = \Sent
>   }
>   mailbox "Sent Messages" {
> special_use = \Sent
>   }
>   mailbox Trash {
> special_use = \Trash
>   }
>   prefix =
> }
> passdb {
>   args = proxy=y host=XX.XX.XX nopassword=y
>   driver = static
> }
> protocols = imap submission
> service director {
>   fifo_listener login/proxy-notify {
> mode = 0600
> user = $default_login_user
>   }
>   inet_listener {
> port = 9090
>   }
>   unix_listener director-userdb {
> mode = 0600
>   }
>   unix_listener login/director {
> mode = 0666
>   }
> }
> service imap-login {
>   executable = imap-login director
> }
> service submission-login {
>   executable = submission-login
> }
> ssl = required
> ssl_cert =  ssl_cipher_list =
> AES256+EECDH:AES256+EDH:ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5
> ssl_dh =  # hidden, use -P to show it
> ssl_key =  # hidden, use -P to show it
> ssl_min_protocol = TLSv1.2
> ssl_prefer_server_ciphers = yes
> submission_relay_host = XX.XX.XX.XX
> submission_relay_rawlog_dir = /var/log/dovecot.log
> submission_relay_trusted = yes
> verbose_ssl = yes
>
>
> Logging:
> Dec 18 16:36:39 submission-login: Debug: smtp-server: conn   [0]:
> Connection created
> Dec 18 16:36:39 submission-login: Debug: smtp-server: conn   [0]: Received
> new command: EHLO [10.225.11.41]
> Dec 18 16:36:39 submission-login: Debug: smtp-server: conn   [0]: command
> EHLO; 250 reply: Submitted
> Dec 18 16:36:39 submission-login: Debug: smtp-server: conn   [0]: command
> EHLO: Ready to reply
> Dec 18 16:36:39 submission-login: Debug: smtp-server: conn   [0]: Trigger
> output
> Dec 18 16:36:39 submission-login: Debug: smtp-server: conn   [0]: Sending
> replies
> Dec 18 16:36:39 submission-login: Debug: smtp-server: conn   [0]: command
> EHLO: Completed
> Dec 18 16:36:39 submission-login: Debug: smtp-server: conn   [0]:
> Connection state reset
> Dec 18 16:36:39 submission-login: Debug: smtp-server: conn   [0]: command
> EHLO; 250 reply: Sent: 250-mail.example.org 8BITMIME BURL imap CHUNKING
> ENHANCEDSTATUSCODES SIZE STARTTLS PIPELINING
> Dec 18 16:36:39 submission-login: Debug: smtp-server: conn   [0]: command
> EHLO: Destroy
> Dec 18 16:36:39 submission-login: Debug: smtp-server: conn   [0]: command
> EHLO; 250 reply: Destroy
> Dec 18 16:36:39 submission-login: Debug: smtp-server: conn   [0]: Trigger
> output
> Dec 18 16:36:39 submission-login: Debug: 

Re: Apple mail fails with Submission

2018-12-18 Thread Ruud Voorjans
doveconf -n output:
# 2.3.2.1 (0719df592): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.2 ()
# OS: Linux 4.18.0-12-generic x86_64 Ubuntu 18.10
# Hostname: mail.example.org
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_verbose = yes
director_mail_servers = XX.XX.XX.XX
hostname = mail.example.org
log_path = /var/log/dovecot.log
login_trusted_networks = XX.XX.XX.XX
mail_debug = yes
mail_location = mbox:~/mail:INBOX=/var/mail/%u
mail_privileged_group = mail
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
special_use = \Drafts
  }
  mailbox Junk {
special_use = \Junk
  }
  mailbox Sent {
special_use = \Sent
  }
  mailbox "Sent Messages" {
special_use = \Sent
  }
  mailbox Trash {
special_use = \Trash
  }
  prefix =
}
passdb {
  args = proxy=y host=XX.XX.XX nopassword=y
  driver = static
}
protocols = imap submission
service director {
  fifo_listener login/proxy-notify {
mode = 0600
user = $default_login_user
  }
  inet_listener {
port = 9090
  }
  unix_listener director-userdb {
mode = 0600
  }
  unix_listener login/director {
mode = 0666
  }
}
service imap-login {
  executable = imap-login director
}
service submission-login {
  executable = submission-login
}
ssl = required
ssl_cert = , method=PLAIN, rip=XX.XX.XX.XX,
lip=XX.XX.XX.XX, TLS, session=<>
Dec 18 16:36:39 submission-login: Debug: smtp-server: conn   [0]:
Disconnected: Connection closed
Dec 18 16:36:39 submission-login: Debug: smtp-server: conn   [0]: command
AUTH; 235 reply: Destroy
Dec 18 16:36:39 submission-login: Debug: smtp-server: conn   [0]:
Connection destroy
Dec 18 16:36:39 submission-login: Debug: smtp-server: conn   [0]:
Connection state reset
Dec 18 16:36:40 submission-login: Info: proxy(  ): disconnecting
XX.XX.XX.XX (Disconnected by server(0s idle, in=533, out=295)): user=<  >,
method=PLAIN, rip=XX.XX.XX.XX, lip=XX.XX.XX.XX, TLS, session=<>
Dec 18 16:36:40 submission-login: Debug: SSL alert: close notify


Op di 18 dec. 2018 om 07:18 schreef Aki Tuomi :

>
> On 18 December 2018 at 02:30 Adi Pircalabu via dovecot <
> dovecot@dovecot.org> wrote:
>
>
> On 2018-12-18 07:33, Ruud Voorjans wrote:
>
> Dear all,
>
> I'm running dovecot # 2.3.2.1 - Pigeonhole version 0.5.2 () - OS:
> Linux 4.18.0-12-generic x86_64 Ubuntu 18.10 with Submission.
> It works great except with apple mail (Iphone).
>
> I get an error with the MTA (postfix):
> ""postfix/submission/smtpd[32552]: warning: non-SMTP command from
> mail.example.org [1][xx.xx.xx.xx]: Content-Transfer-Encoding: 7bit""
>
> with other mail-client(s) (Outlook (Desktop and Iphone app)) I have no
> problem and it proxy-sends the e-mail beautifully out to the recipient.
>
> Hardly anything to do with Dovecot. When it comes to email clients Apple
> Mail has been and is still one of the worst flops (no offence intended,
> just my opinion based on personal experience). If you can reliably
> reproduce it, try and log the raw SMTP conversation between Postfix and
> the client by enabling per IP debugging in Postfix:
> postconf -e "debug_peer_level = 20"
> postconf -e "debug_peer_list = xx.xx.xx.xx"
> postfix reload
> where xx.xx.xx.xx is the unlucky client IP address.
>
> Possibly some crappy SMTP PIPELINING implementation at the Apple end,
> who knows.
>
> --
> Adi Pircalabu
>
>
> It's not inconceivable that there are bugs in submission either. Can you
> provide doveconf -n and submission rawlogs? See
> https://wiki.dovecot.org/Submission for settings.
>
> ---
> Aki Tuomi
>


Errors with missing links to files when using Single Instance Storage and zlib (Dovecot 2.3.4)

2018-12-18 Thread Daniel Schütze
I'm running Dovecot 2.3.4 with Single Instance Storage (SIS) and zlib 
and I am frequently seeing errors where files are missing in the 
attachments directory even though the zipped file in the hash directory 
is actually there.  This appears not to have been an issue in Dovecot 
2.3.1.  Requested output of the server is below.


The error looks like this in the log

Dec 18 08:58:58 dovecot01 dovecot: 
imap(username)<3692>: Error: Mailbox INBOX/FOLDER: 
UID=41: 
read(attachments-connector(zlib(/usr/home/vmail/mail/username//mdbox/storage/m.411))) 
failed: 
read(/usr/home/vmail/attachments/91/08/91085773a0774909207852b8f9c98dbe22fe5a31-e88ba0276aae135cd205d09efc50[base64:19 
b/l]) failed: 
open(/usr/home/vmail/attachments/91/08/91085773a0774909207852b8f9c98dbe22fe5a31-e88ba0276aae135cd205d09efc50) 
failed: No such file or directory (FETCH BODY[])


I'm also seeing errors when replication fails

dovecot: dsync-local(username): Error: 
dsync(servername): 
read(attachments-connector(zlib(/usr/home/vmail/mail/username//mdbox/storage/m.413))) 
failed: 
read(/usr/home/vmail/attachments/45/42/4542dcf385f6b4a4dc8752b96db1d7ad8a8023d5-ac735007f6bd135c93440100cd1be907[base64:19 
b/l]) failed: 
open(/usr/home/vmail/attachments/45/42/4542dcf385f6b4a4dc8752b96db1d7ad8a8023d5-ac735007f6bd135c93440100cd1be907) 
failed: No such file or directory (last sent=mail, last recv=mail (EOL))


It is not the case that every replication fail has a corresponding imap 
access fail.


I am running Dovecot 2.3.4 on FreeBSD11.2 and I did not see this error 
on Dovecot 2.3.1 FreeBSD 10.4.  Both installs had the same configuration 
for Dovecot.  Both installs were made from source code and not packages 
(as the need for the non standard fts and mysql options).


During my testing I had the 2.3.1 install receive mail and replicate to 
the 2.3.4 and that was working fine (except for tcp connection issues 
which I saw was fixed in the changelog).


Unfortunately having gone into testing with real account and mail being 
sent to the 2.3.4 install I'm seeing the above errors.


My clients are using Thunderbird on desktops and Roundcube for webmail.

My users report they can see the e-mails fine in their webmail 
(Roundcube) and only Thunderbird is giving issues.  I admit I don't know 
how this can be the case as both systems use the same account details.


In every case so far there is a file in the hashes directory; I have hand 
crafted the missing file (i.e. link) using ln and this restores access 
in Thunderbird.


Clearly this is a big issue for my install and I'd appreciate any help!

At the moment it looks like my course will be to try and script creation 
(recreation?) of the links from the error logs (I've seen people talking 
about this online) but that isn't really what I'm after.


DOVECOT CONFIG


# 2.3.4 (0ecbaf23d): /usr/local/etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.4 (60b0f48d)
# OS: FreeBSD 11.2-RELEASE-p5 amd64
# Hostname: dovecot01.cwa.uk.com
dict {
  acl = mysql:/usr/local/etc/dovecot/dovecot-dict-sql.conf.ext
}
disable_plaintext_auth = no
doveadm_password = # hidden, use -P to show it
first_valid_uid = 145
last_valid_uid = 145
mail_access_groups = mail
mail_attachment_dir = /usr/home/vmail/attachments
mail_attachment_min_size = 64 k
mail_gid = vmail
mail_location = mdbox:~/mdbox:INDEX=/indexdisk/indexes/%n
mail_plugins = " fts fts_solr acl zlib notify replication"
mail_privileged_group = mail
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope 
encoded-character vacation subaddress comparator-i;ascii-numeric 
relational regex imap4flags copy include variables body enotify 
environment mailbox date index ihave duplicate mime foreverypart extracttext

namespace {
  list = yes
  location = mdbox:%%h/mdbox:INDEXPVT=~/mdbox/shared/%%n
  prefix = shared/%%n/
  separator = /
  subscriptions = yes
  type = shared
}
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Junk {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix =
  type = private
}
passdb {
  args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  acl = vfile
  acl_shared_dict = proxy::acl
  fts = solr
  fts_autoindex = yes
  fts_solr = url=http://localhost:8983/solr/dovecot/
  mail_replica = tcp:192.168.0.138:12345
  replication_dsync_parameters = -d -l 30 -U
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
  sieve_duplicate_default_period = 1h
  sieve_duplicate_max_period = 1d
  sieve_global_dir = /usr/home/vmail/sieve/global/
  sieve_global_path = /usr/home/vmail/default.sieve
  sieve_vacation_default_period = 1d
  zlib_save = gz
  zlib_save_level = 6
}
protocols = imap sieve
service aggregator {
  
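Daniel mentions scripting the recreation of the links from the error logs. The following is an added example, not code from the report or from Dovecot: it parses the quoted error lines, derives the hash file each missing link should point at, and recreates the link only when that hash file is still present. The `hashes/<sha1>` layout beside the `<sha1>-<guid>` file under the same two-level directory is an assumption taken from the paths quoted in this thread.

```python
import os
import re
from dataclasses import dataclass

# Innermost open() failure in the attachment errors quoted above; tolerant of
# the line breaks that mail archives insert into long log lines.
MISSING_RE = re.compile(
    r"open\((?P<path>/[^)\s]+)\)\s+failed:\s+No such file or directory")

# Constructed sample: the two errors from the report, rejoined onto one line each.
SAMPLE_LOG = """\
Dec 18 08:58:58 dovecot01 dovecot: imap(username)<3692>: Error: Mailbox INBOX/FOLDER: UID=41: read(attachments-connector(zlib(/usr/home/vmail/mail/username//mdbox/storage/m.411))) failed: read(/usr/home/vmail/attachments/91/08/91085773a0774909207852b8f9c98dbe22fe5a31-e88ba0276aae135cd205d09efc50[base64:19 b/l]) failed: open(/usr/home/vmail/attachments/91/08/91085773a0774909207852b8f9c98dbe22fe5a31-e88ba0276aae135cd205d09efc50) failed: No such file or directory (FETCH BODY[])
dovecot: dsync-local(username): Error: dsync(servername): read(attachments-connector(zlib(/usr/home/vmail/mail/username//mdbox/storage/m.413))) failed: read(/usr/home/vmail/attachments/45/42/4542dcf385f6b4a4dc8752b96db1d7ad8a8023d5-ac735007f6bd135c93440100cd1be907[base64:19 b/l]) failed: open(/usr/home/vmail/attachments/45/42/4542dcf385f6b4a4dc8752b96db1d7ad8a8023d5-ac735007f6bd135c93440100cd1be907) failed: No such file or directory (last sent=mail, last recv=mail (EOL))
"""


@dataclass(frozen=True)
class MissingLink:
    missing: str    # the <sha1>-<guid> file Dovecot could not open
    hash_file: str  # assumed SIS content file: <dir>/hashes/<sha1>


def expected_hash_file(missing_path: str) -> str:
    """Derive the SIS hash file for an attachment path.

    Assumption taken from the paths quoted in this thread: the per-message
    link lives at <attachments>/<aa>/<bb>/<sha1>-<guid> and the shared
    content at <attachments>/<aa>/<bb>/hashes/<sha1>."""
    directory, name = os.path.split(missing_path)
    digest = name.split("-", 1)[0]
    if len(digest) != 40 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError(f"not a SIS attachment name: {name}")
    return os.path.join(directory, "hashes", digest)


def parse_missing_links(log_text: str) -> list:
    """Return one MissingLink per distinct ENOENT open() in the log."""
    seen = {}
    for m in MISSING_RE.finditer(log_text):
        path = m.group("path")
        if path not in seen:
            seen[path] = MissingLink(path, expected_hash_file(path))
    return list(seen.values())


def relink(entries, dry_run: bool = True) -> list:
    """Recreate missing links whose hash file still exists; never overwrite.
    Returns the paths that were (or, in dry-run mode, would be) linked."""
    done = []
    for e in entries:
        if os.path.lexists(e.missing) or not os.path.isfile(e.hash_file):
            continue
        if not dry_run:
            os.link(e.hash_file, e.missing)
        done.append(e.missing)
    return done


if __name__ == "__main__":
    for entry in parse_missing_links(SAMPLE_LOG):
        print(entry.missing, "->", entry.hash_file)
    # For a live log: relink(parse_missing_links(open(path).read()), dry_run=False)
```

Run it as the vmail user so the recreated links keep the same ownership as the files Dovecot writes itself.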

Re: Apple mail fails with Submission

2018-12-18 Thread Paul Hecker via dovecot
Hi,

did you see this thread?

https://dovecot.org/list/dovecot/2018-October/113348.html 


Had a similar issue with CHUNKING and Apple Mail, but could reproduce it with a 
Perl script, too. But I do not know whether this was fixed already in v2.3.4 
(nothing found in the release notes). Could be that relaying PIPELINING has 
the same issues with “multi-line replies”.

Regards,
Paul


> On 18. Dec 2018, at 07:18, Aki Tuomi  wrote:
> 
> 
>> On 18 December 2018 at 02:30 Adi Pircalabu via dovecot < dovecot@dovecot.org 
>> > wrote:
>> 
>> 
>> On 2018-12-18 07:33, Ruud Voorjans wrote:
>>> Dear all,
>>> 
>>> I'm running dovecot # 2.3.2.1 - Pigeonhole version 0.5.2 () - OS:
>>> Linux 4.18.0-12-generic x86_64 Ubuntu 18.10 with Submission.
>>> It works great except with apple mail (Iphone).
>>> 
>>> I get an error with the MTA (postfix):
>>> ""postfix/submission/smtpd[32552]: warning: non-SMTP command from
>>> mail.example.org [1][xx.xx.xx.xx]: Content-Transfer-Encoding: 7bit""
>>> 
>>> with other mail-client(s) (Outlook (Desktop and Iphone app)) I have no
>>> problem and it proxy-sends the e-mail beautifully out to the recipient.
>> Hardly anything to do with Dovecot. When it comes to email clients Apple
>> Mail has been and is still one of the worst flops (no offence intended,
>> just my opinion based on personal experience). If you can reliably
>> reproduce it, try and log the raw SMTP conversation between Postfix and
>> the client by enabling per IP debugging in Postfix:
>> postconf -e "debug_peer_level = 20"
>> postconf -e "debug_peer_list = xx.xx.xx.xx"
>> postfix reload
>> where xx.xx.xx.xx is the unlucky client IP address.
>> 
>> Possibly some crappy SMTP PIPELINING implementation at the Apple end,
>> who knows.
>> 
>> --
>> Adi Pircalabu
> 
> It's not inconceivable that there are bugs in submission either. Can you 
> provide doveconf -n and submission rawlogs? See 
> https://wiki.dovecot.org/Submission for settings.
> 
> --- 
> Aki Tuomi


Paul Hecker
p...@iwascoding.com 
http://www.iwascoding.com 

iwascoding GmbH
Weserstr 18, 10247 Berlin
HRB 97269 B Amtsgericht Berlin-Charlottenburg
Geschäftsführer: Paul Hecker, Ilja Iwas



Change default mode for attachment files

2018-12-18 Thread Олег Кривоносов
Hi

I migrated my dovecot server from Maildir to mdbox with saving attachments
to external files and enabled SIS a few days ago.

Everything works fine except one issue. I have both virtual and system
users. Dovecot saves attachments with mode 0600. So I catch such errors for
system users:
dovecot: lda(wasya): Error: fs-sis: Couldn't read hash file
/var/mail/attachments/2e/dc/hashes/2edc6009bc9b6ba38febb581df03986dcaf134d9:
Permission denied

I want to fix this issue by changing default file mode to 0660 via group
policy.

I found such a feature in the changelog (v2.1.rc2 2012-01-06):
lib-fs: Added "mode" parameter to "posix" backend to specify mode for
created files/dirs.

Unfortunately I can't find any information about this feature in the
dovecot documentation.

Can I use it to set up mode 0660 for attachments in the dovecot
configuration?

uname -a
Linux diplo.trueconf.ru 4.9.0-6-amd64 #1 SMP Debian 4.9.88-1+deb9u1
(2018-05-07) x86_64 GNU/Linux

dovecot --version
2.2.27 (c0f36b0)

10-mail.conf dovecot configuration:

mail_access_groups = vmail
mail_location = mdbox:~/mdbox
mdbox_preallocate_space = yes
mdbox_rotate_interval = 1 weeks
mdbox_rotate_size = 5 M

mail_attachment_dir = /var/mail/attachments
mail_attachment_min_size = 32k
mail_attachment_fs = sis posix
mail_attachment_hash = %{sha1}

Thank you