Re: decrypt.rb

2019-04-10 Thread Aki Tuomi via dovecot


> On 11 April 2019 00:49 David Salisbury via dovecot  
> wrote:
> 
>  
> >>>
> >> Yes. I gave it a try here, and it seems to work. Does it give any extra
> >> information if you include -i flag?
> >>
> >> Aki
> >>
> >
> > Yes, I had tried that, and it doesn't give much extra information, at 
> > least to my eye, that seems to help my issue.  Above the previous 
> > output it outputs the Version, Flags, Header length, Cipher algo, and 
> > Digest algo, and then the Key derivation Rounds. Then it does the 
> > previous output and exits as before.
> >
> > I tried using pry to debug through the script a little, and strace as 
> > well, but have not found anything pointing me in the direction of a 
> > solution or what may be causing it not to work for me yet. Will keep 
> > looking.
> >
> > Out of curiosity, what version of ruby were you using to run the 
> > script?  My ruby version is 2.5.1p57.
> >
> > -Dave
> 
> So, I found that in decrypt.rb there is a point where this section is 
> reached:
> 
> [code]
> unless our_key == nil
>     # decrypt data!
> [/code]
> 
> While testing I discovered that, for me, our_key was apparently equal to 
> nil because the code was never even making it into that block.  There 
> was a block right above that that was setting our_key to nil if a 
> certain condition happened, but I could tell that condition wasn't 
> happening as the accompanying error message wasn't printing.  Looking 
> farther up, I found:
> 
> [code]
> our_key = key if key[:digest] == options[:key_digest]
> [/code]
> 
> I printed the values of key[:digest] and options[:key_digest], and they 
> are in fact different.  Since our_key is nil by default, our_key was 
> just remaining nil, hence no decryption for me.
> 
> The key[:digest] variable is filled a little above that part of the code:
> 
> [code]
> (key[:type],key[:digest]) = options[:input].read(33).unpack('Ca*')
> [/code]
> 
> and options[:key_digest] is filled as the private key option is passed in:
> 
> [code]
> opts.on("-k","--key KEY", "Private key to decrypt file") do |k|
>    options[:key] = OpenSSL::PKey.read(File.open(k))
>    options[:key_digest] = get_pubid_priv(options[:key])
> end
> [/code]
> 
> It's apparently using the key from the command line to get the key 
> digest with the get_pubid_priv() function, and for some reason that 
> value is coming back as different than the key digest that is 
> ascertained by the "options[:input].read" line.
> 
> Out of curiosity, and since I know I'm using the correct key, I 
> commented out the if statement in the our_key line so as not to make the 
> comparison between the digests:
> 
> [code]
> our_key = key #if key[:digest] == options[:key_digest]
> [/code]
> 
>  and then it worked!  The script successfully decrypted the message!
> 
> So, not being an expert at encryption, what are the ramifications of 
> those digests being read as different values in the two different 
> places??   I do notice that the get_pubid_priv() function is internal to 
> the decrypt.rb script and calls several OpenSSL functions.
> 
> -Dave

Hmm... can you show me how you made the keypair for encryption? Maybe there is 
some difference?

Aki


Re: masteruser can not select INBOX

2019-04-10 Thread Ludwig Wieland via dovecot
Hi Aki,

Thank you.

The problem is solved.

In global-acls I have created the file .DEFAULT.
Now the masteruser can read INBOX.

Best regards
Luda


> On 09.04.2019 at 09:46, Ludwig Wieland wrote:
> 
> Thank you,
> 
> How and where ?
> 
> 
> I configured only this:
> cat /Library/Server/Mail/Data/shared/shared-mailboxes 
> * user=masteruser lr
> 
> 
> masteruser is ok for all masters (mailmaster) ?
> 
> Luda
> 
>> On 09.04.2019 at 09:33, Aki Tuomi wrote:
>> 
>> Hi!
>> 
>> You need to grant the master user rights in your ACL file.
>> 
>> Aki
> 



Re: Lua Push Notification Plugin

2019-04-10 Thread Aki Tuomi via dovecot


> On 11 April 2019 07:57 Robust Coding via dovecot  wrote:
> 
> 
> Hi Admin,
> 
> I hope you consider reading and addressing my concern promptly.
> 
> For the past few days I've been setting up a VPS with cPanel and WHM 
> pre-installed on Bluehost. I want to enable push notification plugin in 
> Dovecot2.3.5. I tried OX and Lua plugins and got errors.
> 
> For using OX plugin:
> push_notification_driver = ox:url=http://staging.mydomain.com/mail-notify/v1 
> user_from_metadata
> And got this error on runtime:
> Error: push-notification-ox: Skipped because unable to get attribute: Mailbox 
> attributes not enabled
> 

mail_attribute_dict = file:%h/Maildir/dovecot-attributes

> When using Lua:
> mail_plugins = $mail_plugins mail_lua notify push_notification 
> push_notification_lua
> 
> plugin {
>    push_notification_driver = lua:file=/path/to/lua/push.lua
> }
> And got this order:
> Plugin 'push_notification_lua' not found from directory /usr/lib64/dovecot
> 

You do not have push_notification_lua installed.

> I think I'm missing something here but I can't figure it out. Please HELP!
> 
> Sincerely,
> John Lopena
> 
> -- 
> 
> "Become a programmer - Lose your brain's virginity"

Aki


Lua Push Notification Plugin

2019-04-10 Thread Robust Coding via dovecot
Hi Admin,

I hope you consider reading and addressing my concern promptly.

For the past few days I've been setting up a VPS with cPanel and WHM
pre-installed on Bluehost. I want to enable push notification plugin in
Dovecot2.3.5. I tried OX and Lua plugins and got errors.

For using OX plugin:

push_notification_driver = ox:url=http://staging.mydomain.com/mail-notify/v1 user_from_metadata

And got this error on runtime:
*Error: push-notification-ox: Skipped because unable to get attribute:
Mailbox attributes not enabled*

When using Lua:

mail_plugins = $mail_plugins mail_lua notify push_notification push_notification_lua

plugin {
   push_notification_driver = lua:file=/path/to/lua/push.lua
}

And got this order:
*Plugin 'push_notification_lua' not found from directory /usr/lib64/dovecot*

I think I'm missing something here but I can't figure it out. Please HELP!

Sincerely,
John Lopena

-- 
*"Become a programmer - Lose your brain's virginity"*


Re: failed: read(/var/run/dovecot/dns-client)

2019-04-10 Thread John Fawcett via dovecot
On 11/04/2019 00:51, Laura Smith via dovecot wrote:
> ‐‐‐ Original Message ‐‐‐
> On Wednesday, April 10, 2019 11:48 PM, John Fawcett via dovecot 
>  wrote:
>
>> On 11/04/2019 00:18, Laura Smith via dovecot wrote:
>>
>>> ‐‐‐ Original Message ‐‐‐
>>> On Wednesday, April 10, 2019 10:24 PM, Aki Tuomi aki.tu...@open-xchange.com 
>>> wrote:
>>>
> On 10 April 2019 23:56 Laura Smith via dovecot < dovecot@dovecot.org> 
> wrote:
> ‐‐‐ Original Message ‐‐‐
> On Wednesday, April 10, 2019 9:14 PM, Aki Tuomi < 
> aki.tu...@open-xchange.com> wrote:
>
>>> On 10 April 2019 23:13 Laura Smith via dovecot dovecot@dovecot.org 
>>> wrote:
>>> Sent with ProtonMail Secure Email.
>>> ‐‐‐ Original Message ‐‐‐
>>> On Wednesday, April 10, 2019 8:20 PM, Aki Tuomi 
>>> aki.tu...@open-xchange.com wrote:
>>>
> On 10 April 2019 22:13 Laura Smith via dovecot dovecot@dovecot.org 
> wrote:
> On Wednesday, April 10, 2019 7:57 PM, Aki Tuomi 
> aki.tu...@open-xchange.com wrote:
>
>>> On 10 April 2019 21:26 Laura Smith via dovecot dovecot@dovecot.org 
>>> wrote:
>>>
>>> ==
>>>
>>> dsync( foo...@example.com): Error: imapc(foobar.example.com:993): 
>>> dns_lookup(foobar.example.com) failed: 
>>> read(/var/run/dovecot/dns-client) failed: read(size=512) failed: 
>>> Connection reset by peer
>>> This is dovecot's internal dns-client, and something goes wrong 
>>> when talking to the service.
>>> dsync( foo...@example.com): Error: Failed to initialize user: 
>>> imapc: Login to foobar.example.com failed: Disconnected from server
>>> This is btw dsync service, not imap service.
>>>
>>> ===
>>>
>>> Initially I thought "oh no, not another AppArmor block".
>>> But then surely the second message would not appear if the DNS 
>>> lookup was not successful ?
>>> Also "dig foobar.example.com" works fine.
>>> How should I be troubleshooting this ? And if it is still likely to 
>>> be AppArmor, what is calling it ? "doveadm" itself or something 
>>> else ? What does "/var/run/dovecot/dns-client" do and why doesn't 
>>> dovecot use standard OS calls like everyone else ?
>>> Because the "standard OS call" is blocking and we would prefer it 
>>> to not block everything else.
>>> So many questions !
>>> Aki
>>> Thanks for your reply, but both those message are generated from a 
>>> simple :
>>> doveadm -v -o mail_fsync=never backup -R -u foo...@example.com 
>>> imapc:
>>> So I don't know what you mean about dsync service failing ? Surely 
>>> the DNS lookup succeeded if the 'dsync service' failed due to 
>>> remote disconnect ?
>>> I'm still none the wiser as to where to start looking for 
>>> troubleshoting ?
>>> Did you check dovecot logs? Maybe there is something useful?
>>> Aki
>>> Only the same old cryptic message about dns-client ?
>>> master: Fatal: execv(/usr/lib/dovecot/dns-client) failed: 
>>> Permission denied
>>> Something prevents executing the dns-client binary.
>>> master: Error: service(dns_client): command startup failed, 
>>> throttling for 16 secs
>>> dns_client: Fatal: master: service(dns_client): child 14293 
>>> returned error 84 (exec() failed)
>>> Aki
>>> Yes but is it being called by doveadm directly or by some other 
>>> dovecot program ? If I'm going to have to go down the AppArmor 
>>> route, then I would prefer if you told me what was calling it 
>>> instead of me having to un-necessarily spend time doing straces !
> Also, should I be able to call dns-client directly myself ? (or is there 
> a way to do so to enable testing ?
> It is started by dovecot's master process when you connect to dns-client 
> unix socket. You can try
 socat stdio unix-connect:/var/run/dovecot/dns-client
 I thought apparmor tells when something is blocked into kernel log? have 
 you checked dmesg?

 Apologies for your frustration.

 
>>> Yeah nothing in dmesg.  I'm still hunting around to find some log somewhere 
>>> but so far 

Re: failed: read(/var/run/dovecot/dns-client)

2019-04-10 Thread Laura Smith via dovecot


‐‐‐ Original Message ‐‐‐
On Wednesday, April 10, 2019 11:48 PM, John Fawcett via dovecot 
 wrote:

> On 11/04/2019 00:18, Laura Smith via dovecot wrote:
>
> > ‐‐‐ Original Message ‐‐‐
> > On Wednesday, April 10, 2019 10:24 PM, Aki Tuomi aki.tu...@open-xchange.com 
> > wrote:
> >
> > > > On 10 April 2019 23:56 Laura Smith via dovecot < dovecot@dovecot.org> 
> > > > wrote:
> > > > ‐‐‐ Original Message ‐‐‐
> > > > On Wednesday, April 10, 2019 9:14 PM, Aki Tuomi < 
> > > > aki.tu...@open-xchange.com> wrote:
> > > >
> > > > > > On 10 April 2019 23:13 Laura Smith via dovecot dovecot@dovecot.org 
> > > > > > wrote:
> > > > > > Sent with ProtonMail Secure Email.
> > > > > > ‐‐‐ Original Message ‐‐‐
> > > > > > On Wednesday, April 10, 2019 8:20 PM, Aki Tuomi 
> > > > > > aki.tu...@open-xchange.com wrote:
> > > > > >
> > > > > > > > On 10 April 2019 22:13 Laura Smith via dovecot 
> > > > > > > > dovecot@dovecot.org wrote:
> > > > > > > > On Wednesday, April 10, 2019 7:57 PM, Aki Tuomi 
> > > > > > > > aki.tu...@open-xchange.com wrote:
> > > > > > > >
> > > > > > > > > > On 10 April 2019 21:26 Laura Smith via dovecot 
> > > > > > > > > > dovecot@dovecot.org wrote:
> > > > > > > > > >
> > > > > > > > > > ==
> > > > > > > > > >
> > > > > > > > > > dsync( foo...@example.com): Error: 
> > > > > > > > > > imapc(foobar.example.com:993): 
> > > > > > > > > > dns_lookup(foobar.example.com) failed: 
> > > > > > > > > > read(/var/run/dovecot/dns-client) failed: read(size=512) 
> > > > > > > > > > failed: Connection reset by peer
> > > > > > > > > > This is dovecot's internal dns-client, and something goes 
> > > > > > > > > > wrong when talking to the service.
> > > > > > > > > > dsync( foo...@example.com): Error: Failed to initialize 
> > > > > > > > > > user: imapc: Login to foobar.example.com failed: 
> > > > > > > > > > Disconnected from server
> > > > > > > > > > This is btw dsync service, not imap service.
> > > > > > > > > >
> > > > > > > > > > ===
> > > > > > > > > >
> > > > > > > > > > Initially I thought "oh no, not another AppArmor block".
> > > > > > > > > > But then surely the second message would not appear if the 
> > > > > > > > > > DNS lookup was not successful ?
> > > > > > > > > > Also "dig foobar.example.com" works fine.
> > > > > > > > > > How should I be troubleshooting this ? And if it is still 
> > > > > > > > > > likely to be AppArmor, what is calling it ? "doveadm" 
> > > > > > > > > > itself or something else ? What does 
> > > > > > > > > > "/var/run/dovecot/dns-client" do and why doesn't dovecot 
> > > > > > > > > > use standard OS calls like everyone else ?
> > > > > > > > > > Because the "standard OS call" is blocking and we would 
> > > > > > > > > > prefer it to not block everything else.
> > > > > > > > > > So many questions !
> > > > > > > > > > Aki
> > > > > > > > > > Thanks for your reply, but both those message are generated 
> > > > > > > > > > from a simple :
> > > > > > > > > > doveadm -v -o mail_fsync=never backup -R -u 
> > > > > > > > > > foo...@example.com imapc:
> > > > > > > > > > So I don't know what you mean about dsync service failing ? 
> > > > > > > > > > Surely the DNS lookup succeeded if the 'dsync service' 
> > > > > > > > > > failed due to remote disconnect ?
> > > > > > > > > > I'm still none the wiser as to where to start looking for 
> > > > > > > > > > troubleshoting ?
> > > > > > > > > > Did you check dovecot logs? Maybe there is something useful?
> > > > > > > > > > Aki
> > > > > > > > > > Only the same old cryptic message about dns-client ?
> > > > > > > > > > master: Fatal: execv(/usr/lib/dovecot/dns-client) failed: 
> > > > > > > > > > Permission denied
> > > > > > > > > > Something prevents executing the dns-client binary.
> > > > > > > > > > master: Error: service(dns_client): command startup failed, 
> > > > > > > > > > throttling for 16 secs
> > > > > > > > > > dns_client: Fatal: master: service(dns_client): child 14293 
> > > > > > > > > > returned error 84 (exec() failed)
> > > > > > > > > > Aki
> > > > > > > > > > Yes but is it being called by doveadm directly or by some 
> > > > > > > > > > other dovecot program ? If I'm going to have to go down the 
> > > > > > > > > > AppArmor route, then I would prefer if you told me what was 
> > > > > > > > > > calling it instead of me having to un-necessarily spend 
> > > > > > > > > > time doing straces !
> > > >
> > > > Also, should I be able to call dns-clie

Re: failed: read(/var/run/dovecot/dns-client)

2019-04-10 Thread John Fawcett via dovecot
On 11/04/2019 00:18, Laura Smith via dovecot wrote:
> ‐‐‐ Original Message ‐‐‐
> On Wednesday, April 10, 2019 10:24 PM, Aki Tuomi  
> wrote:
>
>>> On 10 April 2019 23:56 Laura Smith via dovecot < dovecot@dovecot.org> wrote:
>>>
>>> ‐‐‐ Original Message ‐‐‐
>>> On Wednesday, April 10, 2019 9:14 PM, Aki Tuomi < 
>>> aki.tu...@open-xchange.com> wrote:
>>>
> On 10 April 2019 23:13 Laura Smith via dovecot dovecot@dovecot.org wrote:
> Sent with ProtonMail Secure Email.
> ‐‐‐ Original Message ‐‐‐
> On Wednesday, April 10, 2019 8:20 PM, Aki Tuomi 
> aki.tu...@open-xchange.com wrote:
>>> On 10 April 2019 22:13 Laura Smith via dovecot dovecot@dovecot.org 
>>> wrote:
>>> On Wednesday, April 10, 2019 7:57 PM, Aki Tuomi 
>>> aki.tu...@open-xchange.com wrote:
> On 10 April 2019 21:26 Laura Smith via dovecot dovecot@dovecot.org 
> wrote:
> ==
> dsync( foo...@example.com): Error: imapc(foobar.example.com:993): 
> dns_lookup(foobar.example.com) failed: 
> read(/var/run/dovecot/dns-client) failed: read(size=512) failed: 
> Connection reset by peer
 This is dovecot's internal dns-client, and something goes wrong when 
 talking to the service.
> dsync( foo...@example.com): Error: Failed to initialize user: imapc: 
> Login to foobar.example.com failed: Disconnected from server
 This is btw dsync service, not imap service.
> ===
> Initially I thought "oh no, not another AppArmor block".
> But then surely the second message would not appear if the DNS lookup 
> was not successful ?
> Also "dig foobar.example.com" works fine.
> How should I be troubleshooting this ? And if it is still likely to 
> be AppArmor, what is calling it ? "doveadm" itself or something else 
> ? What does "/var/run/dovecot/dns-client" do and why doesn't dovecot 
> use standard OS calls like everyone else ?
 Because the "standard OS call" is blocking and we would prefer it to 
 not block everything else.
> So many questions !
 Aki
>>> Thanks for your reply, but both those message are generated from a 
>>> simple :
>>> doveadm -v -o mail_fsync=never backup -R -u foo...@example.com imapc:
>>> So I don't know what you mean about dsync service failing ? Surely the 
>>> DNS lookup succeeded if the 'dsync service' failed due to remote 
>>> disconnect ?
>>> I'm still none the wiser as to where to start looking for 
>>> troubleshoting ?
>> Did you check dovecot logs? Maybe there is something useful?
>> Aki
> Only the same old cryptic message about dns-client ?
> master: Fatal: execv(/usr/lib/dovecot/dns-client) failed: Permission 
> denied
 Something prevents executing the dns-client binary.
> master: Error: service(dns_client): command startup failed, throttling 
> for 16 secs
> dns_client: Fatal: master: service(dns_client): child 14293 returned 
> error 84 (exec() failed)
 Aki
>>> Yes but is it being called by doveadm directly or by some other dovecot 
>>> program ? If I'm going to have to go down the AppArmor route, then I would 
>>> prefer if you told me what was calling it instead of me having to 
>>> un-necessarily spend time doing straces !
>>>
>>> Also, should I be able to call dns-client directly myself ? (or is there a 
>>> way to do so to enable testing ?
>> It is started by dovecot's master process when you connect to dns-client 
>> unix socket. You can try
>>
>> socat stdio unix-connect:/var/run/dovecot/dns-client
>>
>> I thought apparmor tells when something is blocked into kernel log? have you 
>> checked dmesg?
>>
>> Apologies for your frustration. 
>> ---
> Yeah nothing in dmesg.  I'm still hunting around to find some log somewhere 
> but so far silence.
>
> "socat stdio unix-connect:/var/run/dovecot/dns-client" runs but returns 
> nothing. Is that expected ?
>
> When you say "dovecot's master process", so  doveadm sync talks to the master 
> process ?  So in terms of apparmor I would therefore be looking at 
> /usr/sbin/dovecot ?  If that's the case, the relevant apparmor permissions 
> are already provided :
>   /{,var/}run/dovecot/ rw,
>   /{,var/}run/dovecot/** rw,

Laura

Do the above apparmor settings give permission to dovecot to execute
/usr/lib/dovecot/dns-client, assuming that the user under which dovecot
is running already has file system permissions to do that?

John
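
John's question can be checked mechanically by matching the two quoted rules against both paths in the thread. The following is an added example, not part of the thread or of Dovecot: the helper names are hypothetical, the glob translation covers only `*`, `**`, `?` and `{a,b}`, and the extra `ix` rule is constructed solely to exercise the checker (which exec mode is appropriate depends on the site's profile).

```ruby
# The two rules quoted in the thread, embedded as sample input.
PAGE_RULES = <<~'AA'
  /{,var/}run/dovecot/ rw,
  /{,var/}run/dovecot/** rw,
AA

# Translate an AppArmor path glob into an anchored Regexp.
# Simplification: character classes ([...]) and @{variables} are not handled.
def aa_glob_to_regexp(glob)
  out = +''
  depth = 0
  i = 0
  while i < glob.length
    c = glob[i]
    case c
    when '*'
      if glob[i + 1] == '*'
        out << '.*'        # ** crosses directory separators
        i += 1
      else
        out << '[^/]*'     # * stays inside one path component
      end
    when '?'
      out << '[^/]'
    when '{'
      out << '(?:'
      depth += 1
    when '}'
      out << ')'
      depth -= 1
    when ','
      out << (depth > 0 ? '|' : ',')
    else
      out << Regexp.escape(c)
    end
    i += 1
  end
  Regexp.new("\\A#{out}\\z")
end

# Matches simple file rules of the form: [audit|deny|owner] /path perms,
RULE = %r{\A\s*(?<quals>(?:(?:audit|deny|owner)\s+)*)(?<path>/\S*)\s+(?<perms>[a-zA-Z]+)\s*,}

def file_rules(profile_text)
  profile_text.each_line.map do |line|
    m = RULE.match(line.sub(/#.*/, ''))   # drop comments and #include lines
    next unless m
    { deny: m[:quals].split.include?('deny'), perms: m[:perms],
      re: aa_glob_to_regexp(m[:path]) }
  end.compact
end

# Permission strings of every rule whose path glob covers the target.
def matching_perms(profile_text, target)
  file_rules(profile_text).select { |r| r[:re].match?(target) }.map { |r| r[:perms] }
end

# True only if some allow rule grants an exec mode (ix, px, Px, ...) on the
# target and no deny rule takes exec away again.
def exec_allowed?(profile_text, target)
  hits = file_rules(profile_text).select do |r|
    r[:re].match?(target) && r[:perms].include?('x')
  end
  hits.any? { |r| !r[:deny] } && hits.none? { |r| r[:deny] }
end

if __FILE__ == $PROGRAM_NAME
  socket = '/var/run/dovecot/dns-client'
  binary = '/usr/lib/dovecot/dns-client'
  puts "socket perms: #{matching_perms(PAGE_RULES, socket).inspect}"
  puts "binary perms: #{matching_perms(PAGE_RULES, binary).inspect}"
  puts "exec of binary allowed: #{exec_allowed?(PAGE_RULES, binary)}"
end
```

The quoted rules cover the socket under `/var/run/dovecot/` with read/write only and do not match the binary under `/usr/lib/dovecot/` at all, so they say nothing about whether the `execv()` in the log is permitted.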




Re: failed: read(/var/run/dovecot/dns-client)

2019-04-10 Thread Laura Smith via dovecot
‐‐‐ Original Message ‐‐‐
On Wednesday, April 10, 2019 10:24 PM, Aki Tuomi  
wrote:

> > On 10 April 2019 23:56 Laura Smith via dovecot < dovecot@dovecot.org> wrote:
> >
> > ‐‐‐ Original Message ‐‐‐
> > On Wednesday, April 10, 2019 9:14 PM, Aki Tuomi < 
> > aki.tu...@open-xchange.com> wrote:
> >
> > > > On 10 April 2019 23:13 Laura Smith via dovecot dovecot@dovecot.org 
> > > > wrote:
> > > > Sent with ProtonMail Secure Email.
> > > > ‐‐‐ Original Message ‐‐‐
> > > > On Wednesday, April 10, 2019 8:20 PM, Aki Tuomi 
> > > > aki.tu...@open-xchange.com wrote:
> > >
> > > > > > On 10 April 2019 22:13 Laura Smith via dovecot dovecot@dovecot.org 
> > > > > > wrote:
> > > > > > On Wednesday, April 10, 2019 7:57 PM, Aki Tuomi 
> > > > > > aki.tu...@open-xchange.com wrote:
> > > > >
> > > > > > > > On 10 April 2019 21:26 Laura Smith via dovecot 
> > > > > > > > dovecot@dovecot.org wrote:
> > > > > > > > ==
> > > > > > > > dsync( foo...@example.com): Error: 
> > > > > > > > imapc(foobar.example.com:993): dns_lookup(foobar.example.com) 
> > > > > > > > failed: read(/var/run/dovecot/dns-client) failed: 
> > > > > > > > read(size=512) failed: Connection reset by peer
> > > > > >
> > > > > > > This is dovecot's internal dns-client, and something goes wrong 
> > > > > > > when talking to the service.
> > > > > >
> > > > > > > > dsync( foo...@example.com): Error: Failed to initialize user: 
> > > > > > > > imapc: Login to foobar.example.com failed: Disconnected from 
> > > > > > > > server
> > > > > >
> > > > > > > This is btw dsync service, not imap service.
> > > > > >
> > > > > > > > ===
> > > > > > > > Initially I thought "oh no, not another AppArmor block".
> > > > > > > > But then surely the second message would not appear if the DNS 
> > > > > > > > lookup was not successful ?
> > > > > > > > Also "dig foobar.example.com" works fine.
> > > > > > > > How should I be troubleshooting this ? And if it is still 
> > > > > > > > likely to be AppArmor, what is calling it ? "doveadm" itself or 
> > > > > > > > something else ? What does "/var/run/dovecot/dns-client" do and 
> > > > > > > > why doesn't dovecot use standard OS calls like everyone else ?
> > > > > >
> > > > > > > Because the "standard OS call" is blocking and we would prefer it 
> > > > > > > to not block everything else.
> > > > > >
> > > > > > > > So many questions !
> > > > > >
> > > > > > > Aki
> > > > >
> > > > > > Thanks for your reply, but both those message are generated from a 
> > > > > > simple :
> > > > > > doveadm -v -o mail_fsync=never backup -R -u foo...@example.com 
> > > > > > imapc:
> > > > > > So I don't know what you mean about dsync service failing ? Surely 
> > > > > > the DNS lookup succeeded if the 'dsync service' failed due to 
> > > > > > remote disconnect ?
> > > > > > I'm still none the wiser as to where to start looking for 
> > > > > > troubleshoting ?
> > > >
> > > > > Did you check dovecot logs? Maybe there is something useful?
> > > > > Aki
> > >
> > > > Only the same old cryptic message about dns-client ?
> > > > master: Fatal: execv(/usr/lib/dovecot/dns-client) failed: Permission 
> > > > denied
> >
> > > Something prevents executing the dns-client binary.
> >
> > > > master: Error: service(dns_client): command startup failed, throttling 
> > > > for 16 secs
> > > > dns_client: Fatal: master: service(dns_client): child 14293 returned 
> > > > error 84 (exec() failed)
> >
> > > Aki
> >
> > Yes but is it being called by doveadm directly or by some other dovecot 
> > program ? If I'm going to have to go down the AppArmor route, then I would 
> > prefer if you told me what was calling it instead of me having to 
> > un-necessarily spend time doing straces !
> >
> > Also, should I be able to call dns-client directly myself ? (or is there a 
> > way to do so to enable testing ?
>
> It is started by dovecot's master process when you connect to dns-client unix 
> socket. You can try
>
> socat stdio unix-connect:/var/run/dovecot/dns-client
>
> I thought apparmor tells when something is blocked into kernel log? have you 
> checked dmesg?
>
> Apologies for your frustration. 
> ---

Yeah nothing in dmesg.  I'm still hunting around to find some log somewhere but 
so far silence.

"socat stdio unix-connect:/var/run/dovecot/dns-client" runs but returns 
nothing. Is that expected ?

When you say "dovecot's master process", so  doveadm sync talks to the master 
process ?  So in terms of apparmor I would therefore be looking at 
/usr/sbin/dovecot ?  If that's the case, the relevant apparmor permissions are 
already provided :
  /{,var/}run/dovecot/ rw,
  /{,var/}run/dovecot/** rw,


Re: decrypt.rb

2019-04-10 Thread David Salisbury via dovecot






Yes. I gave it a try here, and it seems to work. Does it give any extra
information if you include -i flag?

Aki



Yes, I had tried that, and it doesn't give much extra information, at 
least to my eye, that seems to help my issue.  Above the previous 
output it outputs the Version, Flags, Header length, Cipher algo, and 
Digest algo, and then the Key derivation Rounds. Then it does the 
previous output and exits as before.


I tried using pry to debug through the script a little, and strace as 
well, but have not found anything pointing me in the direction of a 
solution or what may be causing it not to work for me yet. Will keep 
looking.


Out of curiosity, what version of ruby were you using to run the 
script?  My ruby version is 2.5.1p57.


-Dave


So, I found that in decrypt.rb there is a point where this section is 
reached:


[code]
unless our_key == nil
   # decrypt data!
[/code]

While testing I discovered that, for me, our_key was apparently equal to 
nil because the code was never even making it into that block.  There 
was a block right above that that was setting our_key to nil if a 
certain condition happened, but I could tell that condition wasn't 
happening as the accompanying error message wasn't printing.  Looking 
farther up, I found:


[code]
our_key = key if key[:digest] == options[:key_digest]
[/code]

I printed the values of key[:digest] and options[:key_digest], and they 
are in fact different.  Since our_key is nil by default, our_key was 
just remaining nil, hence no decryption for me.


The key[:digest] variable is filled a little above that part of the code:

[code]
(key[:type],key[:digest]) = options[:input].read(33).unpack('Ca*')
[/code]

and options[:key_digest] is filled as the private key option is passed in:

[code]
opts.on("-k","--key KEY", "Private key to decrypt file") do |k|
  options[:key] = OpenSSL::PKey.read(File.open(k))
  options[:key_digest] = get_pubid_priv(options[:key])
end
[/code]

It's apparently using the key from the command line to get the key 
digest with the get_pubid_priv() function, and for some reason that 
value is coming back as different than the key digest that is 
ascertained by the "options[:input].read" line.


Out of curiosity, and since I know I'm using the correct key, I 
commented out the if statement in the our_key line so as not to make the 
comparison between the digests:


[code]
our_key = key #if key[:digest] == options[:key_digest]
[/code]

 and then it worked!  The script successfully decrypted the message!

So, not being an expert at encryption, what are the ramifications of 
those digests being read as different values in the two different 
places??   I do notice that the get_pubid_priv() function is internal to 
the decrypt.rb script and calls several OpenSSL functions.


-Dave
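
On the question of what the digest comparison is for: the sketch below is an added example, not code from decrypt.rb or Dovecot. It assumes the 32-byte digest is a SHA-256 over some byte encoding of the public key, that a header may carry more than one key record, and it uses a constructed header with a made-up type byte; `key_id` and `select_key` are hypothetical names. It shows that the digest acts as a selector for the right key record, that the same key hashes to different IDs under different encodings, and what skipping the comparison selects instead. It is not a diagnosis of the mismatch in this thread.

```ruby
require 'openssl'
require 'stringio'

# ASSUMPTION: key ID = SHA-256 over a byte encoding of the EC public point.
# The thread only shows that the stored digest is 32 bytes long.
def key_id(ec_key, form)
  point_bytes = ec_key.public_key.to_octet_string(form)
  OpenSSL::Digest.new('SHA256').digest(point_bytes)
end

# Same read/unpack as the line quoted in the thread:
# one type byte followed by the 32-byte digest.
def parse_key_record(io)
  type, digest = io.read(33).unpack('Ca*')
  { type: type, digest: digest }
end

# check: true  models  our_key = key if key[:digest] == options[:key_digest]
# check: false models  our_key = key #if ...   (the edited line)
def select_key(records, our_digest, check: true)
  our_key = nil
  records.each do |key|
    our_key = key if !check || key[:digest] == our_digest
  end
  our_key
end

def demo
  recipient = OpenSSL::PKey::EC.generate('prime256v1')
  other     = OpenSSL::PKey::EC.generate('prime256v1')

  # Constructed header: two key records written by a tool that hashes the
  # compressed point. Type byte 2 is a placeholder value.
  raw = [2, key_id(recipient, :compressed)].pack('Ca32') +
        [2, key_id(other, :compressed)].pack('Ca32')
  io = StringIO.new(raw)
  records = Array.new(2) { parse_key_record(io) }

  {
    recipient_id: key_id(recipient, :compressed),
    # Reader and writer agree on the encoding: the right record is found.
    match_same_encoding: select_key(records, key_id(recipient, :compressed)),
    # Same key, different encoding hashed: no record matches, our_key stays nil.
    match_other_encoding: select_key(records, key_id(recipient, :uncompressed)),
    # Comparison removed: the last record wins, whoever it belongs to.
    unchecked: select_key(records, key_id(recipient, :uncompressed), check: false)
  }
end

if __FILE__ == $PROGRAM_NAME
  r = demo
  puts "same encoding  -> #{r[:match_same_encoding] ? 'record found' : 'nil'}"
  puts "other encoding -> #{r[:match_other_encoding] ? 'record found' : 'nil'}"
  puts "unchecked pick is ours? #{r[:unchecked][:digest] == r[:recipient_id]}"
end
```

With a single key record the unchecked version happens to pick the right one, which matches what was observed; with several records it would hand the decryption step a record meant for a different key.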



Re: failed: read(/var/run/dovecot/dns-client)

2019-04-10 Thread Aki Tuomi via dovecot


 
 
  
   
  
  
   
> On 10 April 2019 23:56 Laura Smith via dovecot <dovecot@dovecot.org> wrote:
>
> ‐‐‐ Original Message ‐‐‐
> On Wednesday, April 10, 2019 9:14 PM, Aki Tuomi <aki.tu...@open-xchange.com> wrote:
>
> > > On 10 April 2019 23:13 Laura Smith via dovecot dovecot@dovecot.org wrote:
> > > Sent with ProtonMail Secure Email.
> > > ‐‐‐ Original Message ‐‐‐
> > > On Wednesday, April 10, 2019 8:20 PM, Aki Tuomi aki.tu...@open-xchange.com wrote:
> > >
> > > > > On 10 April 2019 22:13 Laura Smith via dovecot dovecot@dovecot.org wrote:
> > > > > On Wednesday, April 10, 2019 7:57 PM, Aki Tuomi aki.tu...@open-xchange.com wrote:
> > > > >
> > > > > > > On 10 April 2019 21:26 Laura Smith via dovecot dovecot@dovecot.org wrote:
> > > > > > > ==
> > > > > > > dsync(foo...@example.com): Error: imapc(foobar.example.com:993): dns_lookup(foobar.example.com) failed: read(/var/run/dovecot/dns-client) failed: read(size=512) failed: Connection reset by peer
> > > > > >
> > > > > > This is dovecot's internal dns-client, and something goes wrong when talking to the service.
> > > > > >
> > > > > > > dsync(foo...@example.com): Error: Failed to initialize user: imapc: Login to foobar.example.com failed: Disconnected from server
> > > > > >
> > > > > > This is btw dsync service, not imap service.
> > > > > >
> > > > > > > ===
> > > > > > > Initially I thought "oh no, not another AppArmor block".
> > > > > > > But then surely the second message would not appear if the DNS lookup was not successful ?
> > > > > > > Also "dig foobar.example.com" works fine.
> > > > > > > How should I be troubleshooting this ? And if it is still likely to be AppArmor, what is calling it ? "doveadm" itself or something else ? What does "/var/run/dovecot/dns-client" do and why doesn't dovecot use standard OS calls like everyone else ?
> > > > > >
> > > > > > Because the "standard OS call" is blocking and we would prefer it to not block everything else.
> > > > > >
> > > > > > > So many questions !
> > > > > >
> > > > > > Aki
> > > > >
> > > > > Thanks for your reply, but both those message are generated from a simple :
> > > > > doveadm -v -o mail_fsync=never backup -R -u foo...@example.com imapc:
> > > > > So I don't know what you mean about dsync service failing ? Surely the DNS lookup succeeded if the 'dsync service' failed due to remote disconnect ?
> > > > > I'm still none the wiser as to where to start looking for troubleshoting ?
> > > >
> > > > Did you check dovecot logs? Maybe there is something useful?
> > > > Aki
> > >
> > > Only the same old cryptic message about dns-client ?
> > > master: Fatal: execv(/usr/lib/dovecot/dns-client) failed: Permission denied
> >
> > Something prevents executing the dns-client binary.
> >
> > > master: Error: service(dns_client): command startup failed, throttling for 16 secs
> > > dns_client: Fatal: master: service(dns_client): child 14293 returned error 84 (exec() failed)
> >
> > Aki
>
> Yes but is it being called by doveadm directly or by some other dovecot program ? If I'm going to have to go down the AppArmor route, then I would prefer if you told me what was calling it instead of me having to un-necessarily spend time doing straces !
>
> Also, should I be able to call dns-client directly myself ? (or is there a way to do so to enable testing ?

It is started by dovecot's master process when you connect to dns-client unix socket. You can try

socat stdio unix-connect:/var/run/dovecot/dns-client

I thought apparmor tells when something is blocked into kernel log? have you checked dmesg?

Apologies for your frustration.

---
Aki Tuomi
   
 



Re: failed: read(/var/run/dovecot/dns-client)

2019-04-10 Thread Laura Smith via dovecot


‐‐‐ Original Message ‐‐‐
On Wednesday, April 10, 2019 9:14 PM, Aki Tuomi  
wrote:

> > On 10 April 2019 23:13 Laura Smith via dovecot dovecot@dovecot.org wrote:
> > Sent with ProtonMail Secure Email.
> > ‐‐‐ Original Message ‐‐‐
> > On Wednesday, April 10, 2019 8:20 PM, Aki Tuomi aki.tu...@open-xchange.com 
> > wrote:
> >
> > > > On 10 April 2019 22:13 Laura Smith via dovecot dovecot@dovecot.org 
> > > > wrote:
> > > > On Wednesday, April 10, 2019 7:57 PM, Aki Tuomi 
> > > > aki.tu...@open-xchange.com wrote:
> > > >
> > > > > > On 10 April 2019 21:26 Laura Smith via dovecot dovecot@dovecot.org 
> > > > > > wrote:
> > > > > > ==
> > > > > > dsync(foo...@example.com): Error: imapc(foobar.example.com:993): 
> > > > > > dns_lookup(foobar.example.com) failed: 
> > > > > > read(/var/run/dovecot/dns-client) failed: read(size=512) failed: 
> > > > > > Connection reset by peer
> > > > >
> > > > > This is dovecot's internal dns-client, and something goes wrong when 
> > > > > talking to the service.
> > > > >
> > > > > > dsync(foo...@example.com): Error: Failed to initialize user: imapc: 
> > > > > > Login to foobar.example.com failed: Disconnected from server
> > > > >
> > > > > This is btw dsync service, not imap service.
> > > > >
> > > > > > ===
> > > > > > Initially I thought "oh no, not another AppArmor block".
> > > > > > But then surely the second message would not appear if the DNS 
> > > > > > lookup was not successful ?
> > > > > > Also "dig foobar.example.com" works fine.
> > > > > > How should I be troubleshooting this ? And if it is still likely to 
> > > > > > be AppArmor, what is calling it ? "doveadm" itself or something 
> > > > > > else ? What does "/var/run/dovecot/dns-client" do and why doesn't 
> > > > > > dovecot use standard OS calls like everyone else ?
> > > > >
> > > > > Because the "standard OS call" is blocking and we would prefer it to 
> > > > > not block everything else.
> > > > >
> > > > > > So many questions !
> > > > >
> > > > > Aki
> > > >
> > > > Thanks for your reply, but both those messages are generated from a 
> > > > simple :
> > > > doveadm -v -o mail_fsync=never backup -R -u foo...@example.com imapc:
> > > > So I don't know what you mean about dsync service failing ? Surely the 
> > > > DNS lookup succeeded if the 'dsync service' failed due to remote 
> > > > disconnect ?
> > > > I'm still none the wiser as to where to start looking for 
> > > > troubleshooting ?
> > >
> > > Did you check dovecot logs? Maybe there is something useful?
> > > Aki
> >
> > Only the same old cryptic message about dns-client ?
> > master: Fatal: execv(/usr/lib/dovecot/dns-client) failed: Permission denied
>
> Something prevents executing the dns-client binary.
>
> > master: Error: service(dns_client): command startup failed, throttling for 
> > 16 secs
> > dns_client: Fatal: master: service(dns_client): child 14293 returned error 
> > 84 (exec() failed)
>
> Aki


Yes but is it being called by doveadm directly or by some other dovecot program 
?  If I'm going to have to go down the AppArmor route, then I would prefer if 
you told me what was calling it instead of me having to un-necessarily spend 
time doing straces !

Also, should I be able to call dns-client directly myself ? (or is there a way 
to do so to enable testing ?)

# /usr/lib/dovecot/dns-client
Panic: BUG: No IOs or timeouts set. Not waiting for infinity.
Error: Raw backtrace: /usr/lib64/dovecot/libdovecot.so.0(+0xd879e) 
[0x7f582c65f79e] -> /usr/lib64/dovecot/libdovecot.so.0(+0xd87e1) 
[0x7f582c65f7e1] -> /usr/lib64/dovecot/libdovecot.so.0(i_fatal+0) 
[0x7f582c5c9024] -> /usr/lib64/dovecot/libdovecot.so.0(+0xf045c) 
[0x7f582c67745c] -> 
/usr/lib64/dovecot/libdovecot.so.0(io_loop_handler_run_internal+0x36) 
[0x7f582c679e96] -> 
/usr/lib64/dovecot/libdovecot.so.0(io_loop_handler_run+0x4c) [0x7f582c6786ec] 
-> /usr/lib64/dovecot/libdovecot.so.0(io_loop_run+0x38) [0x7f582c678908] -> 
/usr/lib64/dovecot/libdovecot.so.0(master_service_run+0x13) [0x7f582c5ee203] -> 
/usr/lib/dovecot/dns-client(main+0x8d) [0x55866c96050d] -> 
/lib64/libc.so.6(__libc_start_main+0xea) [0x7f582c1edf4a] -> 
/usr/lib/dovecot/dns-client(_start+0x2a) [0x55866c96055a]


Re: decrypt.rb

2019-04-10 Thread Dave via dovecot



On 4/10/2019 1:32 AM, Aki Tuomi wrote:

On 9.4.2019 18.15, Dave wrote:

I've tried specifying an output file as well, per the script's command
line options, but the output file is 0 bytes.  Does anyone have any
suggestions? I *think* I'm using it the way it's intended to be used,
but maybe I'm not?!
-Dave

Hi!
Maybe the key you tried was not used to encrypt the file?
Aki

Aki, it's the same key I've used in the config for the mail_crypt
plugin in 90-plugin.conf:

plugin {
   mail_crypt_global_private_key = <[PATH_TO_PRIVATE_KEY]
   mail_crypt_global_public_key = <[PATH_TO_PUBLIC_KEY]
   mail_crypt_save_version = 2
}

That's the private key that's encrypting all of the messages
successfully, so that's the one I would use with script, correct?
-Dave


Yes. I gave it a try here, and it seems to work. Does it give any extra
information if you include -i flag?

Aki



Yes, I had tried that, and it doesn't give much extra information, at 
least to my eye, that seems to help my issue.  Above the previous output 
it outputs the Version, Flags, Header length, Cipher algo, and Digest 
algo, and then the Key derivation Rounds.  Then it does the previous 
output and exits as before.


I tried using pry to debug through the script a little, and strace as 
well, but have not found anything pointing me in the direction of a 
solution or what may be causing it not to work for me yet.  Will keep 
looking.


Out of curiosity, what version of ruby were you using to run the 
script?  My ruby version is 2.5.1p57.


-Dave



Re: failed: read(/var/run/dovecot/dns-client)

2019-04-10 Thread Aki Tuomi via dovecot


> On 10 April 2019 23:13 Laura Smith via dovecot  wrote:
> 
>  
> Sent with ProtonMail Secure Email.
> 
> ‐‐‐ Original Message ‐‐‐
> On Wednesday, April 10, 2019 8:20 PM, Aki Tuomi  
> wrote:
> 
> > > On 10 April 2019 22:13 Laura Smith via dovecot dovecot@dovecot.org wrote:
> > > On Wednesday, April 10, 2019 7:57 PM, Aki Tuomi 
> > > aki.tu...@open-xchange.com wrote:
> > >
> > > > > On 10 April 2019 21:26 Laura Smith via dovecot dovecot@dovecot.org 
> > > > > wrote:
> > > > >
> > > > > ==
> > > > >
> > > > > dsync(foo...@example.com): Error: imapc(foobar.example.com:993): 
> > > > > dns_lookup(foobar.example.com) failed: 
> > > > > read(/var/run/dovecot/dns-client) failed: read(size=512) failed: 
> > > > > Connection reset by peer
> > > >
> > > > This is dovecot's internal dns-client, and something goes wrong when 
> > > > talking to the service.
> > > >
> > > > > dsync(foo...@example.com): Error: Failed to initialize user: imapc: 
> > > > > Login to foobar.example.com failed: Disconnected from server
> > > >
> > > > This is btw dsync service, not imap service.
> > > >
> > > > > ===
> > > > > Initially I thought "oh no, not another AppArmor block".
> > > > > But then surely the second message would not appear if the DNS lookup 
> > > > > was not successful ?
> > > > > Also "dig foobar.example.com" works fine.
> > > > > How should I be troubleshooting this ? And if it is still likely to 
> > > > > be AppArmor, what is calling it ? "doveadm" itself or something else 
> > > > > ? What does "/var/run/dovecot/dns-client" do and why doesn't dovecot 
> > > > > use standard OS calls like everyone else ?
> > > >
> > > > Because the "standard OS call" is blocking and we would prefer it to 
> > > > not block everything else.
> > > >
> > > > > So many questions !
> > > >
> > > > Aki
> > >
> > > Thanks for your reply, but both those messages are generated from a simple 
> > > :
> > > doveadm -v -o mail_fsync=never backup -R -u foo...@example.com imapc:
> > > So I don't know what you mean about dsync service failing ? Surely the 
> > > DNS lookup succeeded if the 'dsync service' failed due to remote 
> > > disconnect ?
> > > I'm still none the wiser as to where to start looking for troubleshooting ?
> >
> > Did you check dovecot logs? Maybe there is something useful?
> >
> > Aki
> 
> 
> Only the same old cryptic message about dns-client ?
> master: Fatal: execv(/usr/lib/dovecot/dns-client) failed: Permission denied

Something prevents executing the dns-client binary.

> master: Error: service(dns_client): command startup failed, throttling for 16 
> secs
> dns_client: Fatal: master: service(dns_client): child 14293 returned error 84 
> (exec() failed)

Aki


Re: failed: read(/var/run/dovecot/dns-client)

2019-04-10 Thread Laura Smith via dovecot




Sent with ProtonMail Secure Email.

‐‐‐ Original Message ‐‐‐
On Wednesday, April 10, 2019 8:20 PM, Aki Tuomi  
wrote:

> > On 10 April 2019 22:13 Laura Smith via dovecot dovecot@dovecot.org wrote:
> > On Wednesday, April 10, 2019 7:57 PM, Aki Tuomi aki.tu...@open-xchange.com 
> > wrote:
> >
> > > > On 10 April 2019 21:26 Laura Smith via dovecot dovecot@dovecot.org 
> > > > wrote:
> > > >
> > > > ==
> > > >
> > > > dsync(foo...@example.com): Error: imapc(foobar.example.com:993): 
> > > > dns_lookup(foobar.example.com) failed: 
> > > > read(/var/run/dovecot/dns-client) failed: read(size=512) failed: 
> > > > Connection reset by peer
> > >
> > > This is dovecot's internal dns-client, and something goes wrong when 
> > > talking to the service.
> > >
> > > > dsync(foo...@example.com): Error: Failed to initialize user: imapc: 
> > > > Login to foobar.example.com failed: Disconnected from server
> > >
> > > This is btw dsync service, not imap service.
> > >
> > > > ===
> > > > Initially I thought "oh no, not another AppArmor block".
> > > > But then surely the second message would not appear if the DNS lookup 
> > > > was not successful ?
> > > > Also "dig foobar.example.com" works fine.
> > > > How should I be troubleshooting this ? And if it is still likely to be 
> > > > AppArmor, what is calling it ? "doveadm" itself or something else ? 
> > > > What does "/var/run/dovecot/dns-client" do and why doesn't dovecot use 
> > > > standard OS calls like everyone else ?
> > >
> > > Because the "standard OS call" is blocking and we would prefer it to not 
> > > block everything else.
> > >
> > > > So many questions !
> > >
> > > Aki
> >
> > Thanks for your reply, but both those messages are generated from a simple :
> > doveadm -v -o mail_fsync=never backup -R -u foo...@example.com imapc:
> > So I don't know what you mean about dsync service failing ? Surely the DNS 
> > lookup succeeded if the 'dsync service' failed due to remote disconnect ?
> > I'm still none the wiser as to where to start looking for troubleshooting ?
>
> Did you check dovecot logs? Maybe there is something useful?
>
> Aki


Only the same old cryptic message about dns-client ?
master: Fatal: execv(/usr/lib/dovecot/dns-client) failed: Permission denied
master: Error: service(dns_client): command startup failed, throttling for 16 
secs
dns_client: Fatal: master: service(dns_client): child 14293 returned error 84 
(exec() failed)



Re: failed: read(/var/run/dovecot/dns-client)

2019-04-10 Thread Aki Tuomi via dovecot


> On 10 April 2019 22:13 Laura Smith via dovecot  wrote:
> 
>  
> On Wednesday, April 10, 2019 7:57 PM, Aki Tuomi  
> wrote:
> 
> > > On 10 April 2019 21:26 Laura Smith via dovecot dovecot@dovecot.org wrote:
> > > ===
> > > dsync(foo...@example.com): Error: imapc(foobar.example.com:993): 
> > > dns_lookup(foobar.example.com) failed: read(/var/run/dovecot/dns-client) 
> > > failed: read(size=512) failed: Connection reset by peer
> >
> > This is dovecot's internal dns-client, and something goes wrong when 
> > talking to the service.
> >
> > > dsync(foo...@example.com): Error: Failed to initialize user: imapc: Login 
> > > to foobar.example.com failed: Disconnected from server
> >
> > This is btw dsync service, not imap service.
> >
> > > ===
> > > Initially I thought "oh no, not another AppArmor block".
> > > But then surely the second message would not appear if the DNS lookup was 
> > > not successful ?
> > > Also "dig foobar.example.com" works fine.
> > > How should I be troubleshooting this ? And if it is still likely to be 
> > > AppArmor, what is calling it ? "doveadm" itself or something else ? What 
> > > does "/var/run/dovecot/dns-client" do and why doesn't dovecot use 
> > > standard OS calls like everyone else ?
> >
> > Because the "standard OS call" is blocking and we would prefer it to not 
> > block everything else.
> >
> > > So many questions !
> >
> > Aki
> 
> 
> Thanks for your reply, but both those messages are generated from a simple :
> doveadm -v -o mail_fsync=never backup -R -u foo...@example.com imapc:
> 
> So I don't know what you mean about dsync service failing ?  Surely the DNS 
> lookup succeeded if the 'dsync service' failed due to remote disconnect ?
> 
> I'm still none the wiser as to where to start looking for troubleshooting ?

Did you check dovecot logs? Maybe there is something useful?

Aki


Re: failed: read(/var/run/dovecot/dns-client)

2019-04-10 Thread Laura Smith via dovecot


On Wednesday, April 10, 2019 7:57 PM, Aki Tuomi  
wrote:

> > On 10 April 2019 21:26 Laura Smith via dovecot dovecot@dovecot.org wrote:
> > ===
> > dsync(foo...@example.com): Error: imapc(foobar.example.com:993): 
> > dns_lookup(foobar.example.com) failed: read(/var/run/dovecot/dns-client) 
> > failed: read(size=512) failed: Connection reset by peer
>
> This is dovecot's internal dns-client, and something goes wrong when talking 
> to the service.
>
> > dsync(foo...@example.com): Error: Failed to initialize user: imapc: Login 
> > to foobar.example.com failed: Disconnected from server
>
> This is btw dsync service, not imap service.
>
> > ===
> > Initially I thought "oh no, not another AppArmor block".
> > But then surely the second message would not appear if the DNS lookup was 
> > not successful ?
> > Also "dig foobar.example.com" works fine.
> > How should I be troubleshooting this ? And if it is still likely to be 
> > AppArmor, what is calling it ? "doveadm" itself or something else ? What 
> > does "/var/run/dovecot/dns-client" do and why doesn't dovecot use standard 
> > OS calls like everyone else ?
>
> Because the "standard OS call" is blocking and we would prefer it to not 
> block everything else.
>
> > So many questions !
>
> Aki


Thanks for your reply, but both those messages are generated from a simple :
doveadm -v -o mail_fsync=never backup -R -u foo...@example.com imapc:

So I don't know what you mean about dsync service failing ?  Surely the DNS 
lookup succeeded if the 'dsync service' failed due to remote disconnect ?

I'm still none the wiser as to where to start looking for troubleshooting ?



Re: failed: read(/var/run/dovecot/dns-client)

2019-04-10 Thread Aki Tuomi via dovecot


> On 10 April 2019 21:26 Laura Smith via dovecot  wrote:
> 
>  
> ===
> dsync(foo...@example.com): Error: imapc(foobar.example.com:993): 
> dns_lookup(foobar.example.com) failed: read(/var/run/dovecot/dns-client) 
> failed: read(size=512) failed: Connection reset by peer
>

This is dovecot's internal dns-client, and something goes wrong when talking to 
the service.
 
> dsync(foo...@example.com): Error: Failed to initialize user: imapc: Login to 
> foobar.example.com failed: Disconnected from server

This is btw dsync service, not imap service.

> ===
> 
> Initially I thought "oh no, not another AppArmor block".
> 
> But then surely the second message would not appear if the DNS lookup was not 
> successful ?
> 
> Also "dig foobar.example.com" works fine.
> 
> How should I be troubleshooting this ?  And if it is still likely to be 
> AppArmor, what is calling it ? "doveadm" itself or something else ?  What 
> does "/var/run/dovecot/dns-client" do and why doesn't dovecot use standard OS 
> calls like everyone else ?
> 

Because the "standard OS call" is blocking and we would prefer it to not block 
everything else.

> So many questions !

Aki


Re: ssl_cert: Can't open file permission denied

2019-04-10 Thread Laura Smith via dovecot


‐‐‐ Original Message ‐‐‐
On Wednesday, April 10, 2019 1:08 PM, Michael Orlitzky via dovecot 
 wrote:

> On 4/10/19 6:39 AM, Dmitry Donskih via dovecot wrote:
>
> > `chmod -R 655 /etc/foobar/ssl' drops x attribute from `ssl' itself.
> > Use `chmod -R 755' or `chmod +x' or similar.
>
> Your private keys should be... private. Use 750 instead.


You are teaching granny to suck eggs.

Sometimes granny needs to do troubleshooting (especially when neither Dovecot 
nor the Operating System are generating any sort of useful log entries to help 
granny... it means granny needs to resort to real basics like file permissions 
and then work upwards).



failed: read(/var/run/dovecot/dns-client)

2019-04-10 Thread Laura Smith via dovecot
===
dsync(foo...@example.com): Error: imapc(foobar.example.com:993): 
dns_lookup(foobar.example.com) failed: read(/var/run/dovecot/dns-client) 
failed: read(size=512) failed: Connection reset by peer

dsync(foo...@example.com): Error: Failed to initialize user: imapc: Login to 
foobar.example.com failed: Disconnected from server
===

Initially I thought "oh no, not another AppArmor block".

But then surely the second message would not appear if the DNS lookup was not 
successful ?

Also "dig foobar.example.com" works fine.

How should I be troubleshooting this ?  And if it is still likely to be 
AppArmor, what is calling it ? "doveadm" itself or something else ?  What does 
"/var/run/dovecot/dns-client" do and why doesn't dovecot use standard OS calls 
like everyone else ?

So many questions !


Re: ssl_cert: Can't open file permission denied

2019-04-10 Thread Laura Smith via dovecot
On Wednesday, April 10, 2019 11:40 AM, Gerald Galster via dovecot 
 wrote:

> > Am 10.04.2019 um 11:59 schrieb Laura Smith via dovecot 
> > :
> >
> > On Wednesday, April 10, 2019 10:52 AM, Aki Tuomi via dovecot 
> >  wrote:
> >
> > > On 10.4.2019 12.36, Laura Smith via dovecot wrote:
> > >
> > > > Dovecot 2.3.3 (dcead646b)
> > > > openSUSE Leap 15.0
> > > > I am getting a weird error message:
> > > > Fatal: Error in configuration file /etc/dovecot/local.conf line 16: 
> > > > ssl_cert: Can't open file /etc/foobar/ssl/certbot.pem: Permission denied
> > > > I have tried the following:
> > > >
> > > > -   chmod -R 655 /etc/foobar/ssl (/etc/foobar is 755)
> > > > -   create "ssl_users" group add dovecot to it chown -R 
> > > > dovecot:ssl_users /etc/foobar/ssl
> > > >
> > > > How can I fix this ? There's no obvious solution ?
> > >
> > > Are you by chance using selinux? If you are, you might need to relabel
> > > the files.
> > >
> > > Aki
> >
> > This is openSUSE, not Centos, I don't think it even comes with selinux.
>
> Maybe apparmor?
>
> https://git.ispconfig.org/ispconfig/ispconfig3/issues/5071
>
>  > OpenSuSE and apparmor expect dovecot certs to be in /etc/ssl/private
>  > ISPConfig setup script expects SSL certs to be in /etc/postfix but 
> apparmor prevents dovecot from reading them in that directory
>
> Otherwise you could login as dovecot user (temporarily change the shell to 
> bash if needed; usermod -s /bin/bash) and see if you can access the 
> certificate.
> Check all directory/file permissions, including acls (man getfacl), along the 
> path.
>
> Best regards
> Gerald

@Gerald   Spot on with apparmor !


Re: /var/run/dovecot/stats-writer) failed: Permission denied

2019-04-10 Thread @lbutlr via dovecot



> On 10 Apr 2019, at 11:50, Aki Tuomi via dovecot  wrote:
> 
> 
>> On 10 April 2019 20:48 @lbutlr via dovecot  wrote:
>> 
>> 
>> On 10 Apr 2019, at 10:43, @lbutlr via dovecot  wrote:
>>> Also, the failed message strongly implies that the email was not delivered, 
>>> since it happens on the delivery log line and there is not indication in 
>>> the log that delivery succeeded. However, the message is delivered. It 
>>> might be worth changing the message or still logging the actual message 
>>> delivery?
>> 
>> One last thing:
>> 
>>  does not mention that stats is now 
>> required. I ignored the entire block on that page on stats because I'd never 
>> used it.
>> 
> 
> I guess it's that 'statistics' is kinda built-in now. So it's not like a 
> plugin anymore. But I get your point, maybe we should clarify this better.

Since it requires a config change, it seems something should be there.

And it looks like the necessary block could be auto-generated based on looking 
at 10-master.conf?


-- 
IT'S POTATO, NOT POTATOE Bart chalkboard Ep. 7F01




Re: /var/run/dovecot/stats-writer) failed: Permission denied

2019-04-10 Thread Aki Tuomi via dovecot


> On 10 April 2019 20:48 @lbutlr via dovecot  wrote:
> 
>  
> On 10 Apr 2019, at 10:43, @lbutlr via dovecot  wrote:
> > Also, the failed message strongly implies that the email was not delivered, 
> > since it happens on the delivery log line and there is not indication in 
> > the log that delivery succeeded. However, the message is delivered. It 
> > might be worth changing the message or still logging the actual message 
> > delivery?
> 
> One last thing:
> 
>  does not mention that stats is now 
> required. I ignored the entire block on that page on stats because I'd never 
> used it.
> 

I guess it's that 'statistics' is kinda built-in now. So it's not like a plugin 
anymore. But I get your point, maybe we should clarify this better.

Aki


Re: /var/run/dovecot/stats-writer) failed: Permission denied

2019-04-10 Thread @lbutlr via dovecot
On 10 Apr 2019, at 10:43, @lbutlr via dovecot  wrote:
> Also, the failed message strongly implies that the email was not delivered, 
> since it happens on the delivery log line and there is not indication in the 
> log that delivery succeeded. However, the message is delivered. It might be 
> worth changing the message or still logging the actual message delivery?

One last thing:

 does not mention that stats is now 
required. I ignored the entire block on that page on stats because I'd never 
used it.


-- 
'Nothing works against magic. Except stronger magic. And then the only
thing that beats stronger magic is even stronger magic. And the next
thing you know...' 'Phooey?' --Sourcery






Re: /var/run/dovecot/stats-writer) failed: Permission denied

2019-04-10 Thread @lbutlr via dovecot
On 10 Apr 2019, at 10:55, Remo Mattei via dovecot  wrote:
> This is what fixed mine 
> 
> service stats {
> # unix_listener stats-reader {
> # group =
> # mode = 0666
> # user =
> #   }
>   unix_listener stats-writer {
> group = dovecot
> mode = 0666
> user =
>   }
>  }

Setting permissions to 666 never seems like a great idea.


-- 
But I been sane a long while now, and change is good.
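
A check for the concern raised above, as an added example that is not part of the original thread: it reads `doveconf -n`-style text and lists every `unix_listener` whose mode lets any local account connect, skipping commented-out blocks. `POSTED_CONF` reproduces the block quoted in this thread; `TIGHTER_CONF` and the function name are assumptions made for illustration, and whether group `dovecot` is the right group depends on which account the connecting process runs as.

```shell
#!/bin/sh
# The block posted in the thread: stats-reader commented out, stats-writer 0666.
POSTED_CONF='service stats {
# unix_listener stats-reader {
# group =
# mode = 0666
# user =
#   }
  unix_listener stats-writer {
    group = dovecot
    mode = 0666
    user =
  }
}'

# Constructed alternative (assumption): same listener, group access only.
TIGHTER_CONF='service stats {
  unix_listener stats-writer {
    group = dovecot
    mode = 0660
  }
}'

# world_writable_listeners
# Reads Dovecot configuration text on stdin and prints, tab-separated,
#   service/listener  mode
# for each unix_listener whose mode has the write bit set for "other".
# Write permission on the socket is what a local process needs to connect,
# so such a listener is open to every account on the host.
world_writable_listeners() {
    awk '
        { sub(/[#].*/, "") }          # drop comments and commented-out blocks
        $NF == "{" {                  # a block opens: remember where we are
            depth++
            if ($1 == "service") svc = $2
            if ($1 == "unix_listener") { lst = $2; ldepth = depth }
            next
        }
        $1 == "}" {                   # a block closes
            if (lst != "" && depth == ldepth) lst = ""
            depth--
            if (depth == 0) svc = ""
            next
        }
        lst != "" && $1 == "mode" && $2 == "=" {
            other = substr($3, length($3), 1) + 0   # last octal digit
            if (int(other / 2) % 2 == 1)            # write bit for other
                printf "%s/%s\t%s\n", svc, lst, $3
        }
    '
}

# Demo on the posted block; on a live host use:
#   doveconf -n | world_writable_listeners
printf '%s\n' "$POSTED_CONF" | world_writable_listeners
```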




Re: /var/run/dovecot/stats-writer) failed: Permission denied

2019-04-10 Thread Remo Mattei via dovecot
This is what fixed mine 

 service stats {
# unix_listener stats-reader {
# group =
# mode = 0666
# user =
#   }
   unix_listener stats-writer {
 group = dovecot
 mode = 0666
 user =
   }
  }


> On Apr 10, 2019, at 09:43, @lbutlr via dovecot  wrote:
> 
> On 10 Apr 2019, at 09:06, @lbutlr via dovecot  wrote:
>> Should I add
>> 
>> service stats {
>> unix_listener stats-writer {
>> user = dovecot
>> }
>> unix_listener stats-reader {
>> user = dovecot
>> }
>> }
>> 
>> to my dovecot.conf file?
> 
> I did this and it appears to have fixed the issue.
> 
> Also, the failed message strongly implies that the email was not delivered, 
> since it happens on the delivery log line and there is not indication in the 
> log that delivery succeeded. However, the message is delivered. It might be 
> worth changing the message or still logging the actual message delivery?
> 
> 
> -- 
> I WILL NOT CARVE GODS Bart chalkboard Ep. 8F11
> 
> 



Re: /var/run/dovecot/stats-writer) failed: Permission denied

2019-04-10 Thread Odhiambo Washington via dovecot
On Wed, 10 Apr 2019 at 19:44, @lbutlr via dovecot 
wrote:

> On 10 Apr 2019, at 09:06, @lbutlr via dovecot  wrote:
> > Should I add
> >
> > service stats {
> >  unix_listener stats-writer {
> >  user = dovecot
> >  }
> >  unix_listener stats-reader {
> >  user = dovecot
> >  }
> > }
> >
> > to my dovecot.conf file?
>
> I did this and it appears to have fixed the issue.
>
> Also, the failed message strongly implies that the email was not
> delivered, since it happens on the delivery log line and there is not
> indication in the log that delivery succeeded. However, the message is
> delivered. It might be worth changing the message or still logging the
> actual message delivery?
>
>
I use dovecot-lda for deliveries and would see entries in both Exim (MTA)
and Dovecot log files.

-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)


Re: /var/run/dovecot/stats-writer) failed: Permission denied

2019-04-10 Thread @lbutlr via dovecot
On 10 Apr 2019, at 09:06, @lbutlr via dovecot  wrote:
> Should I add
> 
> service stats {
>  unix_listener stats-writer {
>  user = dovecot
>  }
>  unix_listener stats-reader {
>  user = dovecot
>  }
> }
> 
> to my dovecot.conf file?

I did this and it appears to have fixed the issue.

Also, the failed message strongly implies that the email was not delivered, 
since it happens on the delivery log line and there is not indication in the 
log that delivery succeeded. However, the message is delivered. It might be 
worth changing the message or still logging the actual message delivery?


-- 
I WILL NOT CARVE GODS Bart chalkboard Ep. 8F11




Re: Solr connection timeout hardwired to 60s

2019-04-10 Thread Peter Mogensen via dovecot



On 4/4/19 6:57 PM, Peter Mogensen wrote:
> 
> 
> On 4/4/19 6:47 PM, dovecot-requ...@dovecot.org wrote:
>> For a typical Solr index, 60 seconds is an eternity.  Most people aim
>> for query times of 100 milliseconds or less, and they often achieve
>> that goal.
> 
> I'm pretty sure I get these while indexing, not querying.
> 
> Apr 04 16:44:50 host dovecot[114690]: indexer-worker(m...@example.com):
> Error: fts_solr: Indexing failed: Request timed out (Request queued
> 66.015 secs ago, 1 attempts in 66.005 secs, 63.146 in http ioloop, 0.000
> in other ioloops, connected 94.903 secs ago)

Doing a TCP dump on indexing operations which consistently fail, I see
that there's a lot of softCommits which never get an HTTP answer:

==
POST /solr/dovebody/update HTTP/1.1
Host: localhost:8983
Date: Wed, 10 Apr 2019 14:22:29 GMT
Expect: 100-continue
Content-Length: 47
Connection: Keep-Alive
Content-Type: text/xml

HTTP/1.1 100 Continue





... in contrast to the first softCommit on the connection:


POST /solr/dovebody/update HTTP/1.1
Host: localhost:8983
Date: Wed, 10 Apr 2019 14:20:53 GMT
Expect: 100-continue
Content-Length: 47
Connection: Keep-Alive
Content-Type: text/xml

HTTP/1.1 100 Continue

HTTP/1.1 200 OK
Content-Type: application/xml; charset=UTF-8
Content-Length: 156





  0
  37


==

The missing softCommit responses seem to start right after the last
added document:
==

0

HTTP/1.1 200 OK
Content-Type: application/xml; charset=UTF-8
Content-Length: 156





  0
  12


POST /solr/dovebody/update HTTP/1.1
Host: localhost:8983
Date: Wed, 10 Apr 2019 14:22:29 GMT
Expect: 100-continue
Content-Length: 47
Connection: Keep-Alive
Content-Type: text/xml

HTTP/1.1 100 Continue


===

... and then the rest of the TCP dump doesn't get responses to
softCommit POSTs

/Peter


Re: Restoring mailboxes from backup duplicates messages in POP clients

2019-04-10 Thread Tanstaafl via dovecot
On Wed Apr 10 2019 11:14:29 GMT-0400 (Eastern Standard Time), @lbutlr
via dovecot  wrote:
> On 10 Apr 2019, at 08:59, Tanstaafl via dovecot  wrote:
>> On Wed Apr 10 2019 09:13:41 GMT-0400 (Eastern Standard Time), Luis F. V.
>> Gomes via dovecot  wrote:
>>> I had a disk problem and had to reformat it. All mailboxes were backed 
>>> up using rsync.
>>> After I restored the mailboxes, the POP clients (Thunderbird) that 
>>> were configured to leave the messages on the mailserver for, let's 
>>> say, 30 days, didn't understand that some messages were already 
>>> transferred and the users got duplicated messages in their Inbox.
>>> How can we avoid this?

>> Don't use rsync, use the built in dovecot backup capability?

> Also, don't use POP3?

Well, I can at least understand the argument for someone wanting to use
POP3, but that is beside the point... rsync won't retain the message
UUIDs, while Dovecot's backup will, thereby preventing POP3 users
redownloading the emails.


Re: /var/run/dovecot/stats-writer) failed: Permission denied

2019-04-10 Thread Odhiambo Washington via dovecot
On Wed, 10 Apr 2019 at 18:06, @lbutlr via dovecot 
wrote:

>
>
> > On 10 Apr 2019, at 08:57, Odhiambo Washington via dovecot <
> dovecot@dovecot.org> wrote:
> >
> >
> >
> > On Wed, 10 Apr 2019 at 17:50, @lbutlr via dovecot 
> wrote:
> > On 10 Apr 2019, at 08:36, @lbutlr via dovecot 
> wrote:
> > > net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission
> den))
> >
> > One other detail:
> >
> > /var/run/dovecot/stats-writer:
> > 0 srw-rw  1 root dovecot 0 Apr 10 08:47 stats-writer
> >
> >
> > Edit your 10-master.conf and make sure that the user specified in the
> details below matches the dovecot user:
> >
> >
> > service stats {
> >   unix_listener stats-writer {
> >   user = mailnull
> >   }
> >   unix_listener stats-reader {
> >   user = mailnull
> >   }
>
> Sorry, I am confused. There is no similar block in 10-master.conf
>
> In fact, the string "stats" does not appear in that file at all. The
> commented line
>
> #default_internal_user = dovecot
>
> is in that file, and that is the dovecot user (as seen in the permissions
> above).
>
> Should I add
>
> service stats {
>   unix_listener stats-writer {
>   user = dovecot
>   }
>   unix_listener stats-reader {
>   user = dovecot
>   }
> }
>
> to my dovecot.conf file?
>
>
Add the two blocks to 10-master.conf, before the last "}"

My dovecot runs as user mailnull. YMMV.




-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)


Re: Restoring mailboxes from backup duplicates messages in POP clients

2019-04-10 Thread @lbutlr via dovecot
On 10 Apr 2019, at 08:59, Tanstaafl via dovecot  wrote:
> On Wed Apr 10 2019 09:13:41 GMT-0400 (Eastern Standard Time), Luis F. V.
> Gomes via dovecot  wrote:
>> I had a disk problem and had to reformat it. All mailboxes were backed 
>> up using rsync.
>> After I restored the mailboxes, the POP clients (Thunderbird) that 
>> were configured to leave the messages on the mailserver for, let's 
>> say, 30 days, didn't understand that some messages were already 
>> transferred and the users got duplicated messages in their Inbox.
>> How can we avoid this?
> 
> Don't use rsync, use the built in dovecot backup capability?

Also, don't use POP3?


-- 
Ahahahahaha! Ahahahaha! Aahahaha!  BEWARE!  Yrs sincerely  The Opera
Ghost




Re: /var/run/dovecot/stats-writer) failed: Permission denied

2019-04-10 Thread @lbutlr via dovecot



> On 10 Apr 2019, at 08:57, Odhiambo Washington via dovecot 
>  wrote:
> 
> 
> 
> On Wed, 10 Apr 2019 at 17:50, @lbutlr via dovecot  wrote:
> On 10 Apr 2019, at 08:36, @lbutlr via dovecot  wrote:
> > net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission den))
> 
> One other detail:
> 
> /var/run/dovecot/stats-writer:
> 0 srw-rw  1 root dovecot 0 Apr 10 08:47 stats-writer
> 
> 
> Edit your 10-master.conf and make sure that the user specified in the details 
> below matches the dovecot user:
> 
> 
> service stats {
>   unix_listener stats-writer {
>   user = mailnull
>   }
>   unix_listener stats-reader {
>   user = mailnull
>   }

Sorry, I am confused. There is no similar block in 10-master.conf

In fact, the string "stats" does not appear in that file at all. The commented 
line

#default_internal_user = dovecot 

is in that file, and that is the dovecot user (as seen in the permissions 
above).

Should I add

service stats {
  unix_listener stats-writer {
  user = dovecot
  }
  unix_listener stats-reader {
  user = dovecot
  }
}

to my dovecot.conf file?


-- 
I want a party where all the women wear new dresses and all the men
drink beer. -- Jason Gaes






Re: Restoring mailboxes from backup duplicates messages in POP clients

2019-04-10 Thread Tanstaafl via dovecot
On Wed Apr 10 2019 09:13:41 GMT-0400 (Eastern Standard Time), Luis F. V.
Gomes via dovecot  wrote:
> I had a disk problem and had to reformat it. All mailboxes were backed 
> up using rsync.
> After I restored the mailboxes, the POP clients (Thunderbird) that 
> were configured to leave the messages on the mailserver for, let's 
> say, 30 days, didn't understand that some messages were already 
> transferred and the users got duplicated messages in their Inbox.
> How can we avoid this?

Don't use rsync, use the built in dovecot backup capability?


Re: /var/run/dovecot/stats-writer) failed: Permission denied

2019-04-10 Thread Odhiambo Washington via dovecot
On Wed, 10 Apr 2019 at 17:50, @lbutlr via dovecot 
wrote:

> On 10 Apr 2019, at 08:36, @lbutlr via dovecot  wrote:
> > net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission den))
>
> One other detail:
>
> /var/run/dovecot/stats-writer:
> 0 srw-rw  1 root dovecot 0 Apr 10 08:47 stats-writer
>
>
Edit your 10-master.conf and make sure that the user specified in the
details below matches the dovecot user:


service stats {
  unix_listener stats-writer {
  user = mailnull
  }
  unix_listener stats-reader {
  user = mailnull
  }


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)


Re: /var/run/dovecot/stats-writer) failed: Permission denied

2019-04-10 Thread Aki Tuomi via dovecot


> On 10 April 2019 17:49 @lbutlr via dovecot <dovecot@dovecot.org> wrote:
>
> On 10 Apr 2019, at 08:36, @lbutlr via dovecot <dovecot@dovecot.org> wrote:
> > net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission den))
>
> One other detail:
>
> /var/run/dovecot/stats-writer:
> 0 srw-rw 1 root dovecot 0 Apr 10 08:47 stats-writer
>
> --
> "Back off, man. I'm a scientist."

New stats is no longer optional, and has no relation to old stats. You can maybe temporarily allow writing to that socket for all.

---
Aki Tuomi
   
 



Re: /var/run/dovecot/stats-writer) failed: Permission denied

2019-04-10 Thread @lbutlr via dovecot
On 10 Apr 2019, at 08:36, @lbutlr via dovecot  wrote:
> net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission den))

One other detail:

/var/run/dovecot/stats-writer:
0 srw-rw  1 root dovecot 0 Apr 10 08:47 stats-writer


-- 
"Back off, man. I'm a scientist."




/var/run/dovecot/stats-writer) failed: Permission denied

2019-04-10 Thread @lbutlr via dovecot
I am getting this error in logs 

net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission den))

and I looked around the google results and it seems to be related to using 
service stats, which I am not using.

# doveconf -n | grep stat
# doveconf -n | head -3
# 2.3.5.1 (7ec6d0ade): /usr/local/etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.5 (2483b085)
# OS: FreeBSD 11.2-RELEASE-p4 i386  

Postfix is 3.4-20190106 (the newest version in ports)


-- 
Over 3,500 gay marriages and, what, no hellfire? I was promise hellfire.
And riots. What gives? -- Mark Morford





Restoring mailboxes from backup duplicates messages in POP clients

2019-04-10 Thread Luis F. V. Gomes via dovecot

Hello


I had a disk problem and had to reformat it. All mailboxes were backed 
up using rsync.
After I restored the mailboxes, the POP clients (Thunderbird) that 
were configured to leave the messages on the mailserver for, let's 
say, 30 days, didn't understand that some messages were already 
transferred and the users got duplicated messages in their Inbox.

How can we avoid this?



--
Thanks
Luís Fernando V. Gomes
IT Manager
(55)(21) 3527-1220
Departamento de Engenharia Elétrica
PUC-Rio
R. Marques de S. Vicente 225/401L
22451-900 - Rio de Janeiro/RJ - BR




Re: ssl_cert: Can't open file permission denied

2019-04-10 Thread Michael Orlitzky via dovecot
On 4/10/19 6:39 AM, Dmitry Donskih via dovecot wrote:
> `chmod -R 655 /etc/foobar/ssl' drops x attribute from `ssl' itself.
> Use `chmod -R 755' or `chmod +x' or similar.
> 

Your private keys should be... private. Use 750 instead.


Re: ssl_cert: Can't open file permission denied

2019-04-10 Thread Gerald Galster via dovecot


> On 10.04.2019 at 11:59, Laura Smith via dovecot wrote:
> 
> 
> On Wednesday, April 10, 2019 10:52 AM, Aki Tuomi via dovecot 
>  wrote:
> 
>> On 10.4.2019 12.36, Laura Smith via dovecot wrote:
>> 
>>> Dovecot 2.3.3 (dcead646b)
>>> openSUSE Leap 15.0
>>> I am getting a weird error message:
>>> Fatal: Error in configuration file /etc/dovecot/local.conf line 16: 
>>> ssl_cert: Can't open file /etc/foobar/ssl/certbot.pem: Permission denied
>>> I have tried the following:
>>> 
>>> -   chmod -R 655 /etc/foobar/ssl (/etc/foobar is 755)
>>> -   create "ssl_users" group add dovecot to it chown -R dovecot:ssl_users 
>>> /etc/foobar/ssl
>>> 
>>> How can I fix this ? There's no obvious solution ?
>> 
>> Are you by chance using selinux? If you are, you might need to relabel
>> the files.
>> 
>> Aki
> 
> This is openSUSE, not Centos, I don't think it even comes with selinux.

Maybe apparmor?

https://git.ispconfig.org/ispconfig/ispconfig3/issues/5071 


 > OpenSuSE and apparmor expect dovecot certs to be in /etc/ssl/private
 > ISPConfig setup script expects SSL certs to be in /etc/postfix but apparmor 
 > prevents dovecot from reading them in that directory

Otherwise you could login as dovecot user (temporarily change the shell to bash 
if needed; usermod -s /bin/bash) and see if you can access the certificate.
Check all directory/file permissions, including acls (man getfacl), along the 
path.

Best regards
Gerald
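
The check along the path suggested above, and the point made elsewhere in this thread that mode 655 leaves the directory without a search bit for its owner, as an added shell example that is not code from any poster in this thread. The function names are hypothetical, and only classic mode bits are evaluated.

```shell
#!/bin/sh
# Added example: walk every component of an absolute path and report the first
# one whose mode bits deny the given uid/gids. Mode bits only: root's override,
# ACLs (getfacl) and AppArmor/SELinux policy are not modelled.

# walk_path UID "GID GID ..." /abs/path   (hypothetical helper name)
# Prints "<component> <class> <bits> lacks <x|r>" and returns 1 at the first
# blocking component; prints nothing and returns 0 if the bits allow access.
walk_path() {
    uid=$1 gids=$2 rest=${3#/} cur=
    while [ -n "$rest" ]; do
        cur="$cur/${rest%%/*}"
        case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
        [ -e "$cur" ] || { echo "$cur missing or not reachable"; return 2; }
        # -n numeric ids, -L follow symlinks, -d list the entry itself
        set -- $(ls -ldnL "$cur" | awk '{print $1, $3, $4}')
        mode=$1 fuid=$2 fgid=$3
        # The kernel applies exactly one class: owner, else group, else other.
        if [ "$uid" = "$fuid" ]; then
            class=owner bits=$(printf %s "$mode" | cut -c2-4)
        else
            case " $gids " in
                *" $fgid "*) class=group bits=$(printf %s "$mode" | cut -c5-7) ;;
                *)           class=other bits=$(printf %s "$mode" | cut -c8-10) ;;
            esac
        fi
        # Directories need search (x; s and t imply x), the final file needs r.
        if [ -d "$cur" ]; then
            case $bits in ??[xst]) ;; *) echo "$cur $class $bits lacks x"; return 1 ;; esac
        else
            case $bits in r??) ;; *) echo "$cur $class $bits lacks r"; return 1 ;; esac
        fi
    done
    return 0
}

# Convenience wrapper taking a login name (hypothetical helper name).
audit_user() { walk_path "$(id -u "$1")" "$(id -G "$1")" "$2"; }
```

Run it as root so every component can be inspected, for example `audit_user dovecot /etc/foobar/ssl/certbot.pem`. A directory owned by the checked user with mode 655 is reported as `owner rw- lacks x`, because the owner class is the only one consulted for the owner.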

Re: ssl_cert: Can't open file permission denied

2019-04-10 Thread Dmitry Donskih via dovecot
`chmod -R 655 /etc/foobar/ssl' drops x attribute from `ssl' itself.
Use `chmod -R 755' or `chmod +x' or similar.

On 10.04.2019 12:36, Laura Smith via dovecot wrote:
> Dovecot 2.3.3 (dcead646b)
> openSUSE Leap 15.0
>
> I am getting a weird error message:
>
> Fatal: Error in configuration file /etc/dovecot/local.conf line 16: ssl_cert: 
> Can't open file /etc/foobar/ssl/certbot.pem: Permission denied
>
> I have tried the following:
> - chmod -R 655 /etc/foobar/ssl (/etc/foobar is 755)
> - create "ssl_users" group add dovecot to it chown -R dovecot:ssl_users 
> /etc/foobar/ssl
>
>
> How can I fix this ? There's no obvious solution ?
>
>
>


Re: protocols: Unknown protocol: sieve

2019-04-10 Thread Aki Tuomi via dovecot


On 10.4.2019 13.33, Gerald Galster via dovecot wrote:
>
>> On 10.04.2019 at 11:24, luckydog xf via dovecot wrote:
>>
>> Hi, list,
>>
>> I downloaded dovecot-2.3-pigeonhole-0.5.5.tar.gz and installed it, after 
>> I enabled 
>>
>> #/etc/dovecot/conf.d/20-managesieve.conf
>> protocols = $protocols sieve
>>
>> it said " protocols: Unknown protocol: sieve"
>>
>> What's wrong?"
> Do you have something like
>
> protocol sieve {
>  #managesieve_max_line_length = 65536 
>  ...
> }
>
> in any of your config files?
>
> Best regards
> Gerald


Which isn't at all related to this...

There have been some cases where ./configure needs --prefix to make sure
that the files are installed to correct location. Can you verify that
the protocol handler was installed to same place where the rest of the
dovecot files are installed?

Aki



Re: protocols: Unknown protocol: sieve

2019-04-10 Thread Gerald Galster via dovecot



> On 10.04.2019 at 11:24, luckydog xf via dovecot wrote:
> 
> Hi, list,
> 
> I downloaded dovecot-2.3-pigeonhole-0.5.5.tar.gz and installed it, after 
> I enabled 
> 
> #/etc/dovecot/conf.d/20-managesieve.conf
> protocols = $protocols sieve
> 
> it said " protocols: Unknown protocol: sieve"
> 
> What's wrong?"

Do you have something like

protocol sieve {
 #managesieve_max_line_length = 65536 
 ...
}

in any of your config files?

Best regards
Gerald

Re: ssl_cert: Can't open file permission denied

2019-04-10 Thread Laura Smith via dovecot


On Wednesday, April 10, 2019 10:52 AM, Aki Tuomi via dovecot 
 wrote:

> On 10.4.2019 12.36, Laura Smith via dovecot wrote:
>
> > Dovecot 2.3.3 (dcead646b)
> > openSUSE Leap 15.0
> > I am getting a weird error message:
> > Fatal: Error in configuration file /etc/dovecot/local.conf line 16: 
> > ssl_cert: Can't open file /etc/foobar/ssl/certbot.pem: Permission denied
> > I have tried the following:
> >
> > -   chmod -R 655 /etc/foobar/ssl (/etc/foobar is 755)
> > -   create "ssl_users" group add dovecot to it chown -R dovecot:ssl_users 
> > /etc/foobar/ssl
> >
> > How can I fix this ? There's no obvious solution ?
>
> Are you by chance using selinux? If you are, you might need to relabel
> the files.
>
> Aki

This is openSUSE, not Centos, I don't think it even comes with selinux.




Re: ssl_cert: Can't open file permission denied

2019-04-10 Thread Aki Tuomi via dovecot


On 10.4.2019 12.36, Laura Smith via dovecot wrote:
> Dovecot 2.3.3 (dcead646b)
> openSUSE Leap 15.0
>
> I am getting a weird error message:
>
> Fatal: Error in configuration file /etc/dovecot/local.conf line 16: ssl_cert: 
> Can't open file /etc/foobar/ssl/certbot.pem: Permission denied
>
> I have tried the following:
> - chmod -R 655 /etc/foobar/ssl (/etc/foobar is 755)
> - create "ssl_users" group add dovecot to it chown -R dovecot:ssl_users 
> /etc/foobar/ssl
>
>
> How can I fix this ? There's no obvious solution ?
>
>
>
Are you by chance using selinux? If you are, you might need to relabel
the files.

Aki



ssl_cert: Can't open file permission denied

2019-04-10 Thread Laura Smith via dovecot
Dovecot 2.3.3 (dcead646b)
openSUSE Leap 15.0

I am getting a weird error message:

Fatal: Error in configuration file /etc/dovecot/local.conf line 16: ssl_cert: 
Can't open file /etc/foobar/ssl/certbot.pem: Permission denied

I have tried the following:
- chmod -R 655 /etc/foobar/ssl (/etc/foobar is 755)
- create "ssl_users" group add dovecot to it chown -R dovecot:ssl_users 
/etc/foobar/ssl


How can I fix this ? There's no obvious solution ?





protocols: Unknown protocol: sieve

2019-04-10 Thread luckydog xf via dovecot
Hi, list,

I downloaded dovecot-2.3-pigeonhole-0.5.5.tar.gz and installed it,
after I enabled

#/etc/dovecot/conf.d/20-managesieve.conf
protocols = $protocols sieve

it said " protocols: Unknown protocol: sieve"

What's wrong?"

Thanks,


Dovecot index compatibility

2019-04-10 Thread Frido Otten via dovecot
We're in the process of upgrading Dovecot from version 2.1.17 to 2.2.27
(package Debian Stretch). We have a shared NFS storage in use by
multiple servers without Dovecot director. I've tested by connecting to
IMAP on the new server to my own mailbox. This isn't a problem. But when
the server with the Dovecot version 2.1.17 LDA drops a new message in my
mailbox it thinks the index file is corrupted, and the message bounces
to its sender. So there must be an index compatibility issue between
both versions. This is still no problem if I upgrade the entire platform
in a maintenance window at once. But what I want is a rollback
possibility. To which minimal Dovecot version should I upgrade the old
platform to create this rollback possibility?

I was looking for a table of dovecot index compatibility between the
different versions (forward and backward), but couldn't find it. Is
there any? Please advise.

Best regards,
Frido