RE: Email encryption and key protection

2019-07-04 Thread Marc Roos via dovecot
 
What I can think of without any experience using mail-crypt:
- who says they need to be stored on the server? They need to be
available on the server when you start dovecot.
- and if you are using 3rd party external storage mounted on your
server, at least this 3rd party cannot access the email.



-Original Message-
From: Chris Narkiewicz via dovecot [mailto:dovecot@dovecot.org] 
Sent: Friday, 5 July 2019 7:11
To: dovecot@dovecot.org
Subject: Email encryption and key protection

I was reading through Dovecot mail-crypt plugin documentation and I'm 
wondering what is the benefit of turning the encryption on if private 
and public keys are both stored on the server?

What are the benefits, and how can the key be protected (apart from file
permissions)?

Cheers,
Chris




Email encryption and key protection

2019-07-04 Thread Chris Narkiewicz via dovecot
I was reading through Dovecot mail-crypt plugin documentation and I'm
wondering what is the benefit of turning the encryption on if private
and public keys are both stored on the server?

What are the benefits, and how can the key be protected (apart from
file permissions)?

Cheers,
Chris





dovecot/imap [blocking on log write]

2019-07-04 Thread alpha_one_x86 via dovecot

Hi,

My dovecot process seems blocked on dovecot/imap [blocking on log write];
only a restart fixes it.


How do I solve that?

Cheers,

--
alpha_one_x86/BRULE Herman 
Main developer of Supercopier/Ultracopier/CatchChallenger, Esourcing and server 
management
IT, OS, technologies, research & development, security and business department



Re: Percent character in mail_crypt_private_password not possible

2019-07-04 Thread mabi via dovecot
‐‐‐ Original Message ‐‐‐
On Thursday, July 4, 2019 3:10 PM, Aki Tuomi  wrote:

> > I am also not sure about sha512 hash because the Dovecot Variable wiki page 
> > does not mention sha512 but only sha256. Is sha512 also available?
>
> Yes

Thank you Aki for confirming. I tried it out and it works but I needed to use 
"%{sha512:password}" instead of "%{sha512:w}". That's a nice feature of Dovecot!

Now all I still need to do is to change the password of my users' crypto
keypairs to the SHA512 hash of their login password and that's it.
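As an added illustration (not code from the thread or from Dovecot), the following Python models the two password_query variants discussed in this thread and shows what ends up as the mail_crypt private password in each case. The expander is a deliberately simplified model of Dovecot's %-variable syntax (it resolves only the names used here, and, mirroring the report above, accepts the long name `password` but not `w` inside `%{sha512:...}`); the PBKDF2 helper implements Aki's "hash / pkcs5" suggestion outside Dovecot, and the sample credentials are constructed.

```python
import hashlib
import re

# Constructed sample credentials for the demonstration (not from the thread).
SAMPLE_USER = "alice@example.org"
SAMPLE_PASSWORD = "s3cret%pass"

# Simplified model of the variable syntax used in the thread: %w / %u are the
# short names, %{sha512:password} hashes the long-named value. Inside
# %{hash:name} only long names resolve, mirroring "%{sha512:w}" not working.
# Assumption: Dovecot's real expander has many more variables and modifiers.
LONG_FROM_SHORT = {"w": "password", "u": "user"}
VAR_RE = re.compile(r"%\{(?:(md5|sha1|sha256|sha512):)?(\w+)\}|%(\w)")

def expand(template: str, values: dict) -> str:
    def repl(match):
        algo, long_name, short_name = match.groups()
        if short_name is not None:                   # plain %w or %u
            return values[LONG_FROM_SHORT[short_name]]
        value = values[long_name]                    # KeyError for %{sha512:w}
        if algo is None:
            return value
        # Hex output contains only [0-9a-f]: no '%' and no quote characters
        # survive into the SQL literal, unlike a raw login password.
        return hashlib.new(algo, value.encode()).hexdigest()
    return VAR_RE.sub(repl, template)

def private_password_from_query(query: str, user: str, password: str) -> str:
    """Expand the password_query and return the literal that becomes the key password."""
    expanded = expand(query, {"user": user, "password": password})
    found = re.search(r"'([^']*)' AS userdb_mail_crypt_private_password", expanded)
    if found is None:
        raise ValueError("query does not set userdb_mail_crypt_private_password")
    return found.group(1)

# The two queries from the thread: raw login password vs. SHA512 of it.
RAW_QUERY = ("SELECT username AS user, password, '%w' AS "
             "userdb_mail_crypt_private_password FROM mailboxes WHERE username = '%u'")
HASHED_QUERY = ("SELECT username AS user, password, '%{sha512:password}' AS "
                "userdb_mail_crypt_private_password FROM mailboxes WHERE username = '%u'")

def derive_pkcs5(password: str, salt: str, rounds: int = 100_000) -> str:
    """Aki's 'hash / pkcs5' suggestion done outside Dovecot as PBKDF2-HMAC-SHA512,
    e.g. to build the -o plugin/mail_crypt_private_password= value for doveadm.
    Assumption: the salt is something stable per user, such as the username."""
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt.encode(), rounds).hex()

if __name__ == "__main__":
    print(private_password_from_query(RAW_QUERY, SAMPLE_USER, SAMPLE_PASSWORD))
    print(private_password_from_query(HASHED_QUERY, SAMPLE_USER, SAMPLE_PASSWORD))
    print(derive_pkcs5(SAMPLE_PASSWORD, SAMPLE_USER))
```

Both hashed forms are 128 hex characters, which is the length mabi mentions for SHA512.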




Re: Applying Dovecot for a large / deep folder-hierarchy archive.

2019-07-04 Thread Arnold Opio Oree via dovecot
Hi all,

The guidance provided so far has been really helpful, and has helped a
great deal in bringing down wasted energy on finding and executing a
viable path. I am now at the final due action to complete our Dovecot
application to our use-case, but am stuck on an issue that I cannot
find any easily accessible documentation on.

Generally this is what has been done:

1. Uploaded the enterprise data PST to the target groupware server.
2. Prepared the server by changing the mailbox format to sdbox and the
Dovecot mail location to mail_location=/var/vmail/domain/user/mail/
3. Converted the pst (on-server) to a recursive mbox hierarchy using
readpst
4. Executed doveadm-sync to convert mbox hierarchy data into sdbox and
to copy it into the enterprise archive user's mailboxes
4.i. The biggest issue I faced at this point was doveadm-sync saying
that the source and destination pointed to the same location, whereas
they clearly did not. 
4.i.a. I resolved this by removing the location= setting from the
target namespace, and allowing it to default to mail_location =
setting, and then using a completely different DIRNAME for the import
doveadm-sync execution (which was the desired final DIRNAME); I then
once the sync had been successful, changed the mail_location DIRNAME so
that it pointed to the imported mail DIRNAME; and hence the imported
email data was in the live mailboxes
4.i.b. doveadm-import failed several times, and was throwing quite
inexplicable errors, so I moved onto doveadm-sync
4.i.c. I also had to make sure that the source and destination folder
names matched, otherwise doveadm-sync threw very many errors and only
partially imported the data
4.i.d. An issue which I decided just to live with is that an mbox
DIRNAME was added to each mailbox as well as the DIRNAME specified so
the path to mail is mbox/dbox-Mails. My thought is that with the data
live on an IMAP server it will be possible to do a dsync through TCP
to correct this problem.

The final issue that I am facing now, is that when readpst finds empty
folders in the source pst hierarchy, it does not create an mbox file in
the mbox hierarchy folder space. This causes doveadm-sync to not create
the target data required for its mailbox structure i.e. DIRNAME sub-
folder and index file (with our configuration). At this point either
doveadm-sync or the dovecot process makes these empty folders not
selectable.

The question now is how would I go about making all of these folders
selectable, e.g. with an internal or external command line tool to
change flags / create necessary sdbox mailbox constituent data?


-Original Message-
From: Arnold Opio Oree via dovecot 
Reply-To: arnoldo...@parallaxict.com, Arnold Opio Oree <
arnold.o...@parallaxict.com>
To: Robert Schetterer , dovecot@dovecot.org
Subject: Re: Applying Dovecot for a large / deep folder-hierarchy
archive.
Date: Thu, 27 Jun 2019 12:05:35 +0100

> Also you may run into client limits i ve seen this with outlook,
> apple mail, thunderbird via imap in the past

Thanks for this note Robert, it was not really an aspect that I
was considering.
We are operating our groupware services user access through
both Evolution Groupware and KDE Kontact / KMail on Debian
Linux workstations. Hopefully if there is a client issue it should be
local to only one groupware client.
I will be sure to study / investigate in this - client - area should
any issues that are not traceable to the server-side arise.
Many thanks,
Arnold Opio Oree
Chief Executive Officer
Parallax Digital Technologies
arnoldo...@parallaxdt.com

http://www.parallaxdt.com

tel : +44 (0) 333 577 8587
fax : +44 (0) 20 8711 2477
Parallax Digital Technologies is a trading name of Parallax
Global Limited. U.K. Co. No. 08836288
The contents of this e-mail are confidential. If you are not
the intended recipient you are to delete this e-mail immediately,
disregard its contents and disclose them to no other persons.

-Original Message-
From: Robert Schetterer via dovecot <dovecot@dovecot.org>
Reply-To: Robert Schetterer
To: dovecot@dovecot.org
Subject: Re: Applying Dovecot for a large / deep folder-hierarchy archive.
Date: Thu, 27 Jun 2019 12:53:49 +0200
On 27.06.2019 at 07:35, Aki Tuomi via dovecot wrote:
> On 26.6.2019 22.12, Arnold Opio Oree via dovecot wrote:
> > Hello to you all,
> > I'd like to ask about my intended application of Dovecot to create a
> > folder-hierarchy for storing our enterprise emails, which
> > are treated as live data rather than archives for compliance
> > or occasional / reactive retrieval.
> > The data is presently not that large (a few gigabytes), but it
> > is expected to grow rapidly. Up to this stage the data has
> > been contained in a Microsoft Exchange mailbox (2013), and then in an
> > offline PST. The move to the offline PST was by necessity, as the
> > large number of folders, and depth of hierarchy to my best
> > understanding caused the exchange server / outlook / evolution mail
> > clients to begin to malfu

Re: Percent character in mail_crypt_private_password not possible

2019-07-04 Thread Aki Tuomi via dovecot


On 4.7.2019 16.05, mabi via dovecot wrote:
> ‐‐‐ Original Message ‐‐‐
> On Thursday, July 4, 2019 11:18 AM, Aki Tuomi via dovecot 
>  wrote:
>
>> It depends. You can use either one, see https://wiki2.dovecot.org/Variables
>>
>> I think the safest option would be to set up LDAP so that the private
>> password would be only readable by self, and have dovecot use bind
>> authentication. This way you can export it only when you successfully
>> log in to LDAP.
> Good point regarding LDAP but right now I am using PostgreSQL as backend for 
> storing my accounts and use the following "password_query" parameter:
>
> password_query = SELECT username AS user, password, '%w' AS 
> userdb_mail_crypt_private_password FROM mailboxes WHERE username = '%u'
>
> So based on the Dovecot Variables wiki documentation you mention I could 
> adapt my "password_query" parameter to the following in order to use a SHA512 
> hash of the password:
>
> password_query = SELECT username AS user, password, '%{sha512:w}' AS 
> userdb_mail_crypt_private_password FROM mailboxes WHERE username = '%u'
>
> is this correct?
>
> I am also not sure about sha512 hash because the Dovecot Variable wiki page 
> does not mention sha512 but only sha256. Is sha512 also available?
>
Yes

Aki



Re: Percent character in mail_crypt_private_password not possible

2019-07-04 Thread mabi via dovecot
‐‐‐ Original Message ‐‐‐
On Thursday, July 4, 2019 11:18 AM, Aki Tuomi via dovecot  
wrote:

> It depends. You can use either one, see https://wiki2.dovecot.org/Variables
>
> I think the safest option would be to set up LDAP so that the private
> password would be only readable by self, and have dovecot use bind
> authentication. This way you can export it only when you successfully
> log in to LDAP.

Good point regarding LDAP but right now I am using PostgreSQL as backend for 
storing my accounts and use the following "password_query" parameter:

password_query = SELECT username AS user, password, '%w' AS 
userdb_mail_crypt_private_password FROM mailboxes WHERE username = '%u'

So based on the Dovecot Variables wiki documentation you mention I could adapt 
my "password_query" parameter to the following in order to use a SHA512 hash of 
the password:

password_query = SELECT username AS user, password, '%{sha512:w}' AS 
userdb_mail_crypt_private_password FROM mailboxes WHERE username = '%u'

is this correct?

I am also not sure about sha512 hash because the Dovecot Variable wiki page 
does not mention sha512 but only sha256. Is sha512 also available?







Re: mail_crypt: multiple keypairs

2019-07-04 Thread Aki Tuomi via dovecot


On 4.7.2019 15.35, mabi via dovecot wrote:
> ‐‐‐ Original Message ‐‐‐
> On Thursday, July 4, 2019 11:17 AM, @lbutlr via dovecot  
> wrote:
>
>>> Is it possible to delete the inactive keypair? if yes how?
>> Wouldn’t you then be unable to *unencrypt* previous emails?
> That's also what I thought but based on my understanding and on the 
> documentation of the "mailbox cryptokey generate" doveadm command 
> (https://wiki2.dovecot.org/Plugins/MailCrypt#doveadm_mailbox_cryptokey_generate)
> if you use the "-R" parameter you re-encrypt all the mails with the new key. 
> See the description of that "-R" parameter:
>
> -R - Re-encrypt all folder keys with current active user key
>
> Someone please correct me here if I am wrong...
>

Actually -R will re-encrypt all folder keys with the new user key. After
this, the old user key can be removed. Re-encrypting mails can only be done
by moving them around. Never ever delete an old **folder** key unless
you are really sure it's not used by anything anymore.


Aki
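To make Aki's point about -R concrete, here is an added Python model (not Dovecot's code) of the mail_crypt key hierarchy: the user key only wraps the per-folder keys, the folder keys encrypt the mails, so generating a new user key with -R re-wraps the folder keys and leaves every stored mail untouched, while generating without -R and then deleting the old user key loses access to the mails. The cipher is a toy HMAC-based stand-in for a real one, and all key material and mail bodies are constructed.

```python
import hashlib
import hmac
import os

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stand-in for a real cipher: HMAC-SHA256 counter-mode keystream XORed over data."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(key: bytes, data: bytes) -> bytes:
    """Encrypt-then-MAC, so unsealing with the wrong key fails instead of returning garbage."""
    body = os.urandom(16)
    body += _xor_stream(key, body, data)
    return body + hmac.new(key, body, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("wrong key or corrupted data")
    return _xor_stream(key, body[:16], body[16:])

class MailCryptUser:
    """Active user key wraps each folder key; folder keys encrypt the mails themselves."""
    def __init__(self):
        self.active_key = os.urandom(32)
        self.user_keys = [self.active_key]   # every user key still kept on the server
        self.wrapped_folder_keys = {}        # folder -> folder key sealed under a user key
        self.mails = {}                      # folder -> list of sealed mail bodies
    def create_folder(self, name: str) -> None:
        self.wrapped_folder_keys[name] = seal(self.active_key, os.urandom(32))
        self.mails[name] = []
    def _folder_key(self, name: str) -> bytes:
        for key in self.user_keys:           # any remaining user key may unwrap it
            try:
                return unseal(key, self.wrapped_folder_keys[name])
            except ValueError:
                continue
        raise ValueError(f"no user key left that can unwrap the folder key of {name}")
    def store_mail(self, folder: str, body: bytes) -> None:
        self.mails[folder].append(seal(self._folder_key(folder), body))
    def read_mails(self, folder: str) -> list:
        folder_key = self._folder_key(folder)
        return [unseal(folder_key, blob) for blob in self.mails[folder]]
    def generate_user_key(self, reencrypt_folder_keys: bool) -> None:
        """Models 'doveadm mailbox cryptokey generate'; the flag models -R."""
        new_key = os.urandom(32)
        if reencrypt_folder_keys:            # re-wrap folder keys only; mails are untouched
            for name in self.wrapped_folder_keys:
                self.wrapped_folder_keys[name] = seal(new_key, self._folder_key(name))
        self.user_keys.insert(0, new_key)
        self.active_key = new_key
    def delete_inactive_user_keys(self) -> None:
        self.user_keys = [self.active_key]

def rotate_then_purge(reencrypt_folder_keys: bool) -> bool:
    """Rotate the user key, delete the old one, report whether stored mail is still readable."""
    user = MailCryptUser()
    user.create_folder("INBOX")
    user.store_mail("INBOX", b"constructed sample mail")   # constructed sample body
    user.generate_user_key(reencrypt_folder_keys)
    user.delete_inactive_user_keys()
    try:
        return user.read_mails("INBOX") == [b"constructed sample mail"]
    except ValueError:
        return False
```

Removing an entry from `wrapped_folder_keys` models deleting a folder key: the mails in that folder become unreadable no matter which user keys remain, which is why Aki warns against it.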



Re: mail_crypt: multiple keypairs

2019-07-04 Thread mabi via dovecot
‐‐‐ Original Message ‐‐‐
On Thursday, July 4, 2019 11:17 AM, @lbutlr via dovecot  
wrote:

> > Is it possible to delete the inactive keypair? if yes how?
>
> Wouldn’t you then be unable to *unencrypt* previous emails?

That's also what I thought but based on my understanding and on the documentation 
of the "mailbox cryptokey generate" doveadm command 
(https://wiki2.dovecot.org/Plugins/MailCrypt#doveadm_mailbox_cryptokey_generate)
if you use the "-R" parameter you re-encrypt all the mails with the new key. 
See the description of that "-R" parameter:

-R - Re-encrypt all folder keys with current active user key

Someone please correct me here if I am wrong...



fts_lucene

2019-07-04 Thread Ignacio García via dovecot

Hi everybody...

I've inherited 2 servers with dovecot and fts_lucene enabled, which I 
plan to switch to fts-solr instead. My plan is to disable lucene in 
dovecot.conf, delete all cache associated files, and start configuring 
the fts plugin from scratch. I need to make sure that I don't mess up 
things pretty bad and delete the correct files. Are those to be deleted 
all dovecot.index* files located in the Maildir folder? Is there 
anything else I should be aware of?


Thanks so much in advance for your kind help!

Ignacio




Re: solr vs fts

2019-07-04 Thread David Mehler via dovecot
Hi,

Is CLucene no longer the preferred/developed indexer?

Thanks.
Dave.


On 7/4/19, Felix Zielcke via dovecot  wrote:
> On Thursday, 04.07.2019, 12:27 +0300, Aki Tuomi via dovecot wrote:
>> On 4.7.2019 12.22, Maciej Milaszewski IQ PL via dovecot wrote:
>> > Hi
>> > So you're advised to use a solr or something else?
>> >
>>
>> Using any FTS is advisable, currently suitable ones would be SOLR or
>> Xapian (see https://github.com/grosjo/fts-xapian)
>>
>
> Hi Aki,
>
> I didn't yet think about using FTS either but followed a bit the thread
> about developing the Xapian plugin.
> How stable is that now?
>
> https://wiki.dovecot.org/Plugins/FTS says above:
>
> "The following FTS indexers (in preferred order) are supported"
>
> but fts-xapian is listed below all others and Solr at the top.
>
> Is the wiki just outdated?
>
> Felix
>
>


Re: solr vs fts

2019-07-04 Thread Felix Zielcke via dovecot
On Thursday, 04.07.2019, 12:27 +0300, Aki Tuomi via dovecot wrote:
> On 4.7.2019 12.22, Maciej Milaszewski IQ PL via dovecot wrote:
> > Hi
> > So you're advised to use a solr or something else?
> > 
> 
> Using any FTS is advisable, currently suitable ones would be SOLR or
> Xapian (see https://github.com/grosjo/fts-xapian)
> 

Hi Aki,

I didn't yet think about using FTS either but followed a bit the thread
about developing the Xapian plugin.
How stable is that now?

https://wiki.dovecot.org/Plugins/FTS says above:

"The following FTS indexers (in preferred order) are supported"

but fts-xapian is listed below all others and Solr at the top.

Is the wiki just outdated?

Felix



Re: mail_crypt: multiple keypairs

2019-07-04 Thread @lbutlr via dovecot
On 4 Jul 2019, at 03:17, @lbutlr via dovecot  wrote:
> On 3 Jul 2019, at 06:38, mabi via dovecot  wrote:
>> Is it possible to delete the inactive keypair? if yes how?
> 
> Wouldn’t you then be unable to encrypt previous emails?

UNencrypt, of course.



Re: solr vs fts

2019-07-04 Thread Aki Tuomi via dovecot


On 4.7.2019 12.22, Maciej Milaszewski IQ PL via dovecot wrote:
>>> A few clients have 25K and more e-mails
>>>
>>> I am thinking about using solr like:
>>>  fts = solr
>>>  fts_solr = debug url=http://IP:8983/solr/ (solr on an external machine)
>>>
>>> Does it make sense to use dovecot_indexes and fts?
>>> What is the difference in performance?
>>>
>> Hi!
>>
>> Dovecot indexes are not actually related to FTS that much. Using FTS
>> usually makes sense since it speeds up IMAP fulltext searches.
>>
>> Aki
>>
> Hi
> So you're advised to use a solr or something else?
>

Using any FTS is advisable, currently suitable ones would be SOLR or
Xapian (see https://github.com/grosjo/fts-xapian)

Aki



Re: solr vs fts

2019-07-04 Thread Maciej Milaszewski IQ PL via dovecot


>> A few clients have 25K and more e-mails
>>
>> I am thinking about using solr like:
>>  fts = solr
>>  fts_solr = debug url=http://IP:8983/solr/ (solr on an external machine)
>>
>> Does it make sense to use dovecot_indexes and fts?
>> What is the difference in performance?
>>
> Hi!
>
> Dovecot indexes are not actually related to FTS that much. Using FTS
> usually makes sense since it speeds up IMAP fulltext searches.
>
> Aki
>
Hi
So you're advised to use a solr or something else?



Re: solr vs fts

2019-07-04 Thread Aki Tuomi via dovecot


On 4.7.2019 12.14, Maciej Milaszewski IQ PL via dovecot wrote:
> Hi
> I have a question about tuning dovecot-2.2.36.x
>
> Mail is stored on NFS storage in MAILDIR via
> /home/us/usern...@domain.ltd/MAILDIR/
> I additionally use local dovecot_indexes on an SSD disk
> (/var/dovecot_indexes%h)
>
> A few clients have 25K and more e-mails
>
> I am thinking about using solr like:
>  fts = solr
>  fts_solr = debug url=http://IP:8983/solr/ (solr on an external machine)
>
> Does it make sense to use dovecot_indexes and fts?
> What is the difference in performance?
>
Hi!

Dovecot indexes are not actually related to FTS that much. Using FTS
usually makes sense since it speeds up IMAP fulltext searches.

Aki



Re: Percent character in mail_crypt_private_password not possible

2019-07-04 Thread Aki Tuomi via dovecot


On 2.7.2019 23.27, mabi wrote:
> ‐‐‐ Original Message ‐‐‐
> On Tuesday, July 2, 2019 6:32 PM, Aki Tuomi via dovecot  
> wrote:
>
>> I don't actually recommend using the password directly from the user as the 
>> password for private keys; I recommend running it through some hash / PKCS5 before that.
> That's a great idea and makes things even safer. I don't know much about 
> PKCS5 but would SHA512 also be safe enough for hashing the password?
>
> SHA512 would then generate a 128 characters hash which I would then pass to 
> the parameter "-o plugin/mail_crypt_private_password=" of my "doveadm mailbox 
> cryptokey generate ..." command.
>

It depends. You can use either one, see https://wiki2.dovecot.org/Variables

I think the safest option would be to set up LDAP so that the private
password would be only readable by self, and have dovecot use bind
authentication. This way you can export it only when you successfully
log in to LDAP.

Aki




Re: mail_crypt: multiple keypairs

2019-07-04 Thread @lbutlr via dovecot
On 3 Jul 2019, at 06:38, mabi via dovecot  wrote:
> Is it possible to delete the inactive keypair? if yes how?

Wouldn’t you then be unable to encrypt previous emails?




Re: Dovecot 2.3.0 TLS

2019-07-04 Thread Aki Tuomi via dovecot


On 4.7.2019 12.14, @lbutlr via dovecot wrote:
> On 3 Jul 2019, at 02:55, Peter Kahl via dovecot  wrote:
>> I failed to disclose that the described problem occurs on iOS 13.0 beta.
>>
>> After trying again and again, it appears that a bug in iOS 13.0 beta is the 
>> likely culprit. I am reading on Reddit that there is some bug in iOS with 
>> certificate trust...
> I am accessing my dovecot mail via iOS 13 beta without issue. (Now on beta 3, 
> but had no issues with beta 2 or 3. Well, no issues with MAIL that is).
>
> I am running current dovecot.
>
> I just opened the mail client on my phone:
>
> imap(krem...@kreme.com)<12940><14ffIdeMDf9JDqGg>: ID sent: name=iPhone Mail, 
> version=17A5522f, os=iOS, os-version=13.0 (17A5522f)


I think the problem manifests itself when using custom CA certificates.

Aki



solr vs fts

2019-07-04 Thread Maciej Milaszewski IQ PL via dovecot
Hi
I have a question about tuning dovecot-2.2.36.x

Mail is stored on NFS storage in MAILDIR via
/home/us/usern...@domain.ltd/MAILDIR/
I additionally use local dovecot_indexes on an SSD disk
(/var/dovecot_indexes%h)

A few clients have 25K and more e-mails

I am thinking about using solr like:
 fts = solr
 fts_solr = debug url=http://IP:8983/solr/ (solr on an external machine)

Does it make sense to use dovecot_indexes and fts?
What is the difference in performance?



Re: dsync not replicatiing .dovecot.sieve

2019-07-04 Thread Aki Tuomi via dovecot

On 4.7.2019 9.45, Laura Smith via dovecot wrote:
> There was a post on this topic to the list Aug 06, 2018 to which Aki replied 
> "Thank you for reporting this, we'll take a look at this.".
>
> But it's not clear what (if anything) has happened since? The problem still 
> seems to exist in 2.3.3 (the original report by the previous poster was for 2.3.2.1)
>
> The scenario I'm seeing is pretty much identical to the original poster's.  
> Mail seems to be replicating fine, but sieve doesn't replicate at all.
>
A fix for this is planned for the next release; please also find a patch
attached if you want to give it a try.

Aki

From 0e91911d22d43621c820d7f5b28be671050fd290 Mon Sep 17 00:00:00 2001
From: Aki Tuomi 
Date: Mon, 27 May 2019 09:43:25 +0300
Subject: [PATCH] doveadm-sieve: Fix script synchronization

When dsyncing, this codepath is always called with prefix "".
There is no point checking the prefix at all.

Broken in 479c5e57046dec76078597df844daccbfc0eb75f
---
 src/plugins/doveadm-sieve/doveadm-sieve-sync.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/src/plugins/doveadm-sieve/doveadm-sieve-sync.c b/src/plugins/doveadm-sieve/doveadm-sieve-sync.c
index 34bd18d4..069f20ab 100644
--- a/src/plugins/doveadm-sieve/doveadm-sieve-sync.c
+++ b/src/plugins/doveadm-sieve/doveadm-sieve-sync.c
@@ -606,9 +606,7 @@ sieve_attribute_iter_init(struct mailbox *box, enum mail_attribute_type type,
 	siter->iter.box = box;
 	siter->super = sbox->super.attribute_iter_init(box, type, prefix);
 
-	if (box->storage->user->dsyncing &&
-	type == MAIL_ATTRIBUTE_TYPE_PRIVATE &&
-	str_begins(prefix, MAILBOX_ATTRIBUTE_PREFIX_SIEVE)) {
+	if (box->storage->user->dsyncing) {
 		if (sieve_attribute_iter_script_init(siter) < 0)
 			siter->failed = TRUE;
 	}
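Review bot: the new condition `if (box->storage->user->dsyncing) {` drops more than the commit message justifies. The message only argues that the prefix is always "" during dsync, but the removed lines also carried `type == MAIL_ATTRIBUTE_TYPE_PRIVATE`, so sieve_attribute_iter_script_init() is now also run for non-private attribute iterations while dsyncing. Either keep `box->storage->user->dsyncing && type == MAIL_ATTRIBUTE_TYPE_PRIVATE` or state in the commit message why script iteration is correct for every attribute type.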
-- 
2.11.0



Re: Dovecot 2.3.0 TLS

2019-07-04 Thread @lbutlr via dovecot
On 3 Jul 2019, at 02:55, Peter Kahl via dovecot  wrote:
> I failed to disclose that the described problem occurs on iOS 13.0 beta.
> 
> After trying again and again, it appears that a bug in iOS 13.0 beta is the 
> likely culprit. I am reading on Reddit that there is some bug in iOS with 
> certificate trust...

I am accessing my dovecot mail via iOS 13 beta without issue. (Now on beta 3, 
but had no issues with beta 2 or 3. Well, no issues with MAIL that is).

I am running current dovecot.

I just opened the mail client on my phone:

imap(krem...@kreme.com)<12940><14ffIdeMDf9JDqGg>: ID sent: name=iPhone Mail, 
version=17A5522f, os=iOS, os-version=13.0 (17A5522f)

Re: Sieve question

2019-07-04 Thread @lbutlr via dovecot
On 3 Jul 2019, at 01:28, Stephan Bosch via dovecot  wrote:
> On 03/07/2019 04:44, @lbutlr via dovecot wrote:
>> I have the following in my active sieve file, and there are no errors logged.
>> 
>> 
>> if header :contains "to" "+root" {
>>     setflag "\\Seen";
>>     fileinto :create "root";
>>     stop;
>> }
>> 
>> The message is put in .root, but is not marked as seen.
>> 
>> Is the default action to put mail in a folder matching the extension taking 
>> precedence?
> 
> That should work. What version is this (output from `dovecot -n`)? There 
> have been some bugs with flags in the recent history.

# 2.3.6 (7eab80676): /usr/local/etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.6 (92dc263a)
# OS: FreeBSD 11.2-RELEASE-p10 i386  

It seems to be working now. Does dovecot need to refresh the sieve rules 
periodically? (It has not been restarted recently, so it's not that.)