Re: SASL: encoded packet size too big

2019-08-14 Thread Aki Tuomi via dovecot
> On 15/08/2019 00:34 Eugene via dovecot wrote:
> 
> The following combination of parameters makes 100% of LDAP connections unsuccessful 
> (the log snippet from the previous mail).
> sasl_bind = yes
> sasl_mech = gssapi
> tls = yes
> 
> Looks like this combination is utterly incorrect and should be prohibited 
> (tls must not be used when mech is gssapi).
> https://lists.fedorahosted.org/archives/list/sssd-us...@lists.fedorahosted.org/message/G7S2TOFDCM62ZUHIBWYVZIEVYXO3KYAI/
> 
> With `tls = no` the `encoded packet size too big` errors become sporadic, but 
> still hurt auth operation performance.
> Maybe there are two different problems.
> 

Does the "encoded packet size too big" coincide with LDAP server connection 
failure?

Aki

> Has someone encountered this problem before?
> How can I help to facilitate the issue debugging?
> 
> [I] net-mail/dovecot
>  Installed versions:  2.3.7.1(01:58:12 08/14/19)(bzip2 caps ipv6 kerberos 
> ldap libressl lua lz4 lzma pam postgres sieve sqlite tcpd zlib -argon2 -doc 
> -lucene -managesieve -mysql -selinux -solr -static-libs -suid -textcat 
> -vpopmail)
> 
> On 8/15/19 12:01 AM, Eugene wrote:
> > Hello!
> > 
> > Dovecot uses its own SASL implementation, doesn't it?
> > 
> > Aug 14 23:45:23 example.com auth[10428]: GSSAPI client step 1
> > Aug 14 23:45:23 example.com auth[10428]: encoded packet size too big 
> > (813804546 > 65536)
> > Aug 14 23:45:23 example.com dovecot[10085]: auth-worker(10428): Error: 
> > LDAP: Can't connect to server: ldap://ipa2.example.com
> > Aug 14 23:45:23 example.com dovecot[10085]: auth: Error: auth worker: 
> > Aborted USER request for eugene: Lookup timed out
> > Aug 14 23:45:23 example.com dovecot[10085]: imap: Error: auth-master: 
> > login: request [3847225345]: Login auth request failed: Internal auth 
> > failure (auth connected 6 msecs ago, request took 6 msecs, 
> > client-pid=10362 client-id=1)
> > 
> > Looks like cyrus-sasl encountered the same problem earlier.
> > https://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2017-March/003001.html
> > 
> > I never have such an issue with ldapsearch. So, I assume there is a similar 
> > problem in Dovecot SASL implementation.
> > 
> 
> -- 
> Eugene Bright
> IT engineer
> Tel: + 79257289622


Re: Dovecot not responding to external clients

2019-08-14 Thread Edwin Humphries via dovecot

Hi all,

Thanks Alexander - you made me check something that should not have 
changed, but clearly had: the port forwarding rules on the router. Fixed 
and now working - sorry. :-[

On 15/8/19 9:52 am, Alexander Dalloz via dovecot wrote:

> On 15.08.2019 at 00:34, Edwin Humphries via dovecot wrote:
>
> > Hi all
> >
> > I have Dovecot on my Linux-Mint workstation, running IMAP for the 
> > Thunderbird client thereon, but previously also for my phone and 
> > laptop clients as well. Since upgrading to Linux-Mint 19, however, 
> > although the Thunderbird client on the workstation works just fine, 
> > the other clients can't connect. I've disabled the firewall, and nmap 
> > shows the ports open, so it seems like some setting in the server. 
> > Can anyone help?
>
> lsof -i :143
> lsof -i :993
>
> What does your mail logging report when the clients try to connect? 
> Anything that blocks connections from outside the dovecot host itself?
>
> > Dovecot version is 2.2.33.2 (d6601f4ec)
> >
> > dovecot -n output:
> >
> > # 2.2.33.2 (d6601f4ec): /etc/dovecot/dovecot.conf
> > # Pigeonhole version 0.4.21 (92477967)
> > # OS: Linux 4.15.0-55-generic x86_64 Linux Mint 19.1 Tessa
> > mail_location = mbox:~/mail:INBOX=/var/mail/%u
> > mail_privileged_group = mail
> > namespace inbox {
> >   inbox = yes
> >   location =
> >   mailbox Drafts {
> >     special_use = \Drafts
> >   }
> >   mailbox Junk {
> >     special_use = \Junk
> >   }
> >   mailbox Sent {
> >     special_use = \Sent
> >   }
> >   mailbox "Sent Messages" {
> >     special_use = \Sent
> >   }
> >   mailbox Trash {
> >     special_use = \Trash
> >   }
> >   prefix =
> > }
> > passdb {
> >   driver = pam
> > }
> > protocols = " imap"
> > ssl_cert = 
>
> Alexander



--

Regards,
Edwin Humphries




Re: Dovecot not responding to external clients

2019-08-14 Thread Alexander Dalloz via dovecot

On 15.08.2019 at 00:34, Edwin Humphries via dovecot wrote:

> Hi all
>
> I have Dovecot on my Linux-Mint workstation, running IMAP for the 
> Thunderbird client thereon, but previously also for my phone and laptop 
> clients as well. Since upgrading to Linux-Mint 19, however, although the 
> Thunderbird client on the workstation works just fine, the other clients 
> can't connect. I've disabled the firewall, and nmap shows the ports 
> open, so it seems like some setting in the server. Can anyone help?

lsof -i :143
lsof -i :993

What does your mail logging report when the clients try to connect? 
Anything that blocks connections from outside the dovecot host itself?

> Dovecot version is 2.2.33.2 (d6601f4ec)
>
> dovecot -n output:
>
> # 2.2.33.2 (d6601f4ec): /etc/dovecot/dovecot.conf
> # Pigeonhole version 0.4.21 (92477967)
> # OS: Linux 4.15.0-55-generic x86_64 Linux Mint 19.1 Tessa
> mail_location = mbox:~/mail:INBOX=/var/mail/%u
> mail_privileged_group = mail
> namespace inbox {
>   inbox = yes
>   location =
>   mailbox Drafts {
>     special_use = \Drafts
>   }
>   mailbox Junk {
>     special_use = \Junk
>   }
>   mailbox Sent {
>     special_use = \Sent
>   }
>   mailbox "Sent Messages" {
>     special_use = \Sent
>   }
>   mailbox Trash {
>     special_use = \Trash
>   }
>   prefix =
> }
> passdb {
>   driver = pam
> }
> protocols = " imap"
> ssl_cert = 

Alexander




Dovecot not responding to external clients

2019-08-14 Thread Edwin Humphries via dovecot

Hi all

I have Dovecot on my Linux-Mint workstation, running IMAP for the 
Thunderbird client thereon, but previously also for my phone and laptop 
clients as well. Since upgrading to Linux-Mint 19, however, although the 
Thunderbird client on the workstation works just fine, the other clients 
can't connect. I've disabled the firewall, and nmap shows the ports 
open, so it seems like some setting in the server. Can anyone help?



Dovecot version is 2.2.33.2 (d6601f4ec)

dovecot -n output:

# 2.2.33.2 (d6601f4ec): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.21 (92477967)
# OS: Linux 4.15.0-55-generic x86_64 Linux Mint 19.1 Tessa
mail_location = mbox:~/mail:INBOX=/var/mail/%u
mail_privileged_group = mail
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
protocols = " imap"
ssl_cert = 

--

Regards,
Edwin Humphries



Re: SASL: encoded packet size too big

2019-08-14 Thread Eugene via dovecot
The following combination of parameters makes 100% of LDAP connections unsuccessful 
(the log snippet from the previous mail).
sasl_bind = yes
sasl_mech = gssapi
tls = yes

Looks like this combination is utterly incorrect and should be prohibited (tls 
must not be used when mech is gssapi).
https://lists.fedorahosted.org/archives/list/sssd-us...@lists.fedorahosted.org/message/G7S2TOFDCM62ZUHIBWYVZIEVYXO3KYAI/

With `tls = no` the `encoded packet size too big` errors become sporadic, but 
still hurt auth operation performance.
Maybe there are two different problems.

Has someone encountered this problem before?
How can I help to facilitate the issue debugging?

[I] net-mail/dovecot
 Installed versions:  2.3.7.1(01:58:12 08/14/19)(bzip2 caps ipv6 kerberos 
ldap libressl lua lz4 lzma pam postgres sieve sqlite tcpd zlib -argon2 -doc 
-lucene -managesieve -mysql -selinux -solr -static-libs -suid -textcat 
-vpopmail)

On 8/15/19 12:01 AM, Eugene wrote:
> Hello!
> 
> Dovecot uses its own SASL implementation, doesn't it?
> 
>   Aug 14 23:45:23 example.com auth[10428]: GSSAPI client step 1
>   Aug 14 23:45:23 example.com auth[10428]: encoded packet size too big 
> (813804546 > 65536)
>   Aug 14 23:45:23 example.com dovecot[10085]: auth-worker(10428): Error: 
> LDAP: Can't connect to server: ldap://ipa2.example.com
>   Aug 14 23:45:23 example.com dovecot[10085]: auth: Error: auth worker: 
> Aborted USER request for eugene: Lookup timed out
>   Aug 14 23:45:23 example.com dovecot[10085]: imap: Error: auth-master: 
> login: request [3847225345]: Login auth request failed: Internal auth failure 
> (auth connected 6 msecs ago, request took 6 msecs, client-pid=10362 
> client-id=1)
> 
> Looks like cyrus-sasl encountered the same problem earlier.
> https://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2017-March/003001.html
> 
> I never have such an issue with ldapsearch. So, I assume there is a similar 
> problem in Dovecot SASL implementation.
> 

-- 
Eugene Bright
IT engineer
Tel: + 79257289622





SASL: encoded packet size too big

2019-08-14 Thread Eugene via dovecot
Hello!

Dovecot uses its own SASL implementation, doesn't it?

Aug 14 23:45:23 example.com auth[10428]: GSSAPI client step 1
Aug 14 23:45:23 example.com auth[10428]: encoded packet size too big 
(813804546 > 65536)
Aug 14 23:45:23 example.com dovecot[10085]: auth-worker(10428): Error: 
LDAP: Can't connect to server: ldap://ipa2.example.com
Aug 14 23:45:23 example.com dovecot[10085]: auth: Error: auth worker: 
Aborted USER request for eugene: Lookup timed out
Aug 14 23:45:23 example.com dovecot[10085]: imap: Error: auth-master: 
login: request [3847225345]: Login auth request failed: Internal auth failure 
(auth connected 6 msecs ago, request took 6 msecs, client-pid=10362 
client-id=1)

Looks like cyrus-sasl encountered the same problem earlier.
https://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2017-March/003001.html

I never have such an issue with ldapsearch. So, I assume there is a similar 
problem in Dovecot SASL implementation.

-- 
Eugene Bright
IT engineer
Tel: + 79257289622




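Added analysis and example code for the thread above (not from the thread, and not Dovecot code). Both log messages, "GSSAPI client step 1" and "encoded packet size too big", are the wording of the Cyrus SASL GSSAPI plugin that libldap uses for sasl_bind, which fits Eugene's pointer to the cyrus-sasl list. The rejected "size" itself is informative: 813804546 is 0x3081AC02, that is the bytes 30 81 AC 02. Those are a BER SEQUENCE tag, a long-form length of 172 bytes and an INTEGER tag, which is exactly how a cleartext LDAPMessage begins (SEQUENCE { messageID INTEGER, ... }). So the client was reading the start of an unwrapped LDAP PDU as the 4-byte length prefix of a GSSAPI security-layer buffer: one side wraps, the other does not, which fits the observation that the failures track `tls = yes`. The script below decodes the value and answers Aki's question by grouping the posted log lines per second; the sample log is a constructed copy of the lines in the post, and the field names are the script's own.

```python
"""Decode the rejected SASL 'packet size' and correlate it with the LDAP
connect failure logged in the same second. Not Dovecot code; the sample log
is a copy of the lines posted in the thread."""
import re
import struct
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: the five log lines from the post, one per line.
SAMPLE_LOG = """\
Aug 14 23:45:23 example.com auth[10428]: GSSAPI client step 1
Aug 14 23:45:23 example.com auth[10428]: encoded packet size too big (813804546 > 65536)
Aug 14 23:45:23 example.com dovecot[10085]: auth-worker(10428): Error: LDAP: Can't connect to server: ldap://ipa2.example.com
Aug 14 23:45:23 example.com dovecot[10085]: auth: Error: auth worker: Aborted USER request for eugene: Lookup timed out
Aug 14 23:45:23 example.com dovecot[10085]: imap: Error: auth-master: login: request [3847225345]: Login auth request failed: Internal auth failure (auth connected 6 msecs ago, request took 6 msecs, client-pid=10362 client-id=1)
"""

TS_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) ")
SIZE_RE = re.compile(r"encoded packet size too big \((\d+) > (\d+)\)")
LDAP_FAIL_RE = re.compile(r"LDAP: Can't connect to server: (\S+)")

def decode_sasl_length(value: int) -> Dict:
    """Interpret the rejected length as the 4 big-endian bytes it was read from.

    A SASL security layer frames each buffer with a 4-byte big-endian length.
    If the peer is not wrapping, the first 4 bytes of its cleartext LDAPMessage
    get read as that length; this shows whether that is what happened."""
    raw = struct.pack(">I", value)
    info = {"hex": raw.hex(), "tag": raw[0], "is_ber_sequence": raw[0] == 0x30,
            "ber_length": None, "next_tag": None}
    # BER length octets: short form (< 0x80), or long form 0x81 <1 byte> / 0x82 <2 bytes>.
    if raw[1] < 0x80:
        info["ber_length"], info["next_tag"] = raw[1], raw[2]
    elif raw[1] == 0x81:
        info["ber_length"], info["next_tag"] = raw[2], raw[3]
    elif raw[1] == 0x82:
        info["ber_length"] = (raw[2] << 8) | raw[3]
    # LDAPMessage ::= SEQUENCE { messageID INTEGER ... }; INTEGER tag is 0x02.
    info["looks_like_ldap_message"] = info["is_ber_sequence"] and info["next_tag"] == 0x02
    return info

def correlate(log_text: str) -> List[Tuple[str, List[Tuple[int, int]], List[str]]]:
    """Return the seconds in which an oversize SASL frame and an LDAP connect
    failure were both logged, with the values seen (Aki's question)."""
    by_second = defaultdict(lambda: {"sasl": [], "ldap_fail": []})
    for line in log_text.splitlines():
        ts_m = TS_RE.match(line)
        if not ts_m:
            continue
        ts = ts_m.group(1)
        m = SIZE_RE.search(line)
        if m:
            by_second[ts]["sasl"].append((int(m.group(1)), int(m.group(2))))
        m = LDAP_FAIL_RE.search(line)
        if m:
            by_second[ts]["ldap_fail"].append(m.group(1))
    return [(ts, ev["sasl"], ev["ldap_fail"]) for ts, ev in by_second.items()
            if ev["sasl"] and ev["ldap_fail"]]

if __name__ == "__main__":
    for ts, sasl, ldap in correlate(SAMPLE_LOG):
        for size, limit in sasl:
            d = decode_sasl_length(size)
            print(f"{ts}: {size} > {limit}; bytes {d['hex']}: SEQUENCE={d['is_ber_sequence']} "
                  f"length={d['ber_length']} next_tag={d['next_tag']} "
                  f"ldap_message_header={d['looks_like_ldap_message']}")
        print(f"{ts}: LDAP connect failures: {ldap}")
```

Run against the posted lines it reports one second containing both events and identifies 813804546 as the header of a 172-byte LDAPMessage. The same decoder applied to other "too big" values tells you quickly whether you are looking at a framing mismatch (a BER header) or at a genuinely oversized wrapped token.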

Re: Autoexpunge not working for Junk?

2019-08-14 Thread Amir Caspi via dovecot
On Aug 14, 2019, at 1:45 PM, Timo Sirainen  wrote:
> 
> It's not very helpful to look at the indexes after the problem already 
> happened.

Good point!  I guess I'll empty out the mailboxes completely, touch a 
completely empty file, and see if the problem recurs.  I'll shorten the 
autoexpunge time to 7 days so we don't have to wait a month to see if it recurs.

Thanks.

--- Amir




Re: segmentation fault in fs_list_get_path

2019-08-14 Thread Timo Sirainen via dovecot
On 3 Aug 2019, at 21.22, David M. Johnson via dovecot  
wrote:
> 
> There seems to be a straightforward bug in 
> src/lib-storage/list/mailbox-list-fs.c:79.  set->index_dir is unchecked prior 
> to dereferencing (unlike on line 126 in the same file, where it is properly 
> checked).  This manifested on a FreeBSD server running dovecot 2.3.6 when 
> clients tried to retrieve mail with subscriptions like `~/bar/baz`.  This 
> caused the `imap` child to crash, e.g. (slightly anonymized)

Could you also send your doveconf -n output? Would likely help creating a 
reproducible test.



Re: auth module logging

2019-08-14 Thread Timo Sirainen via dovecot
On 4 Aug 2019, at 6.23, AP via dovecot  wrote:
> 
> On Sat, Aug 03, 2019 at 11:27:24AM -0600, Michael Slusarz wrote:
>>> Errors hit the logs but I would appreciate seeing successful auths
>>> happen for the additional peace of mind. Cmouse and I couldn't
>>> find a way to do it on irc and it appears that the capability is
>>> missing. Successful /logins/ can be logged but auths, by themselves,
>>> cannot.
>>> 
>>> I would appreciate if the ability was added.
>>> 
>>> Dovecot 2.3.7.1 is in use.
>> 
>> Events (using event exporter) is probably what you want, new in 2.3.7.
>> 
>> https://doc.dovecot.org/admin_manual/list_of_events/
> 
> Hi,
> 
> I've tried using this in various ways but I could never get any real success.
> 
> I came close but the logging was always far too verbose. The info I wanted
> WAS there but so was a ton of other data I didn't want. I'd share the configs
> I tried but they came and went as I was experimenting.
> 
> Would love to know how to configure the events logging such that I only get
> a successful auth line logged as that would, indeed, solve my issue. It's
> quite likely I didn't hit the right config as the docs are somewhat sparse.

There probably isn't yet a name for the event that you want. A kludgy approach 
would be to filter the event based on the source code filename and line number. 
But that likely needs to be modified every time you upgrade Dovecot.



Re: dovecot-uidlist invalid data

2019-08-14 Thread Timo Sirainen via dovecot
On 4 Aug 2019, at 22.57, Király Balázs via dovecot  wrote:
> 
> Hi!
>  
> I’m struggling with the following error: 
>  
> Aug  4 21:32:00 mx02 dovecot: imap(x...@xxx.tld)<17693>: 
> Error: Mailbox INBOX: Broken file /home/vmail/xxx.tld/xxx/dovecot-uidlist 
> line 6246: Invalid data:
> Aug  4 21:49:22 mx02 dovecot: imap(x...@xxx.tld)<21879>: 
> Error: Mailbox INBOX: Broken file /home/vmail/xxx.tld/xxx/dovecot-uidlist 
> line 6249: Invalid data:
>  
> It seems the first part is not incremented properly and sometimes it has a 
> jump in it, like the line 6246:
>  
> 18810 :1564935891.M816284P8904.mx01.m.ininet.hu,S=12145,W=12409
> 18812 :1564947092.M542714P2651.mx01.m.ininet.hu,S=12275,W=12517

Is there ever anything after the "Invalid data:" text? It seems anyway that 
concurrent reading/writing isn't working as expected in dovecot-uidlist. Most 
likely something to do with NFS.

Can you reproduce this easily by just running "imaptest" with some test account 
(it'll delete mails)? See https://imapwiki.org/ImapTest - it's also available 
in dovecot-imaptest package in repo.dovecot.org.



Re: Emails not visible after renaming folders

2019-08-14 Thread Timo Sirainen via dovecot
Looks like this happens when you use a combination of FULLDIRNAME and INDEX in 
mail_location. Without one of these, or using DIRNAME instead of FULLDIRNAME it 
works correctly. Tracking internally in DOP-1348.

> On 6 Aug 2019, at 14.22, Aleksandr via dovecot  wrote:
> 
> Hi guys.
> 
> Does anyone have problems with a similar configuration (mdbox)?
> 
> Just tested with latest version (stage servers installation: dovecot 2.3.7), 
> also affected.
> 
> Not critical, but have complaints from users, 1-2 per month.
> 
> 
> 26.06.2019 12:05, Aleksandr wrote:
>> Copying or moving with email client: thunderbird, roundcube (webmail), mutt 
>> or any other email client via imap protocol.
>> 
>> 25.06.2019 22:10, Germán Herrera wrote:
>>> Are you copying/moving the emails with {cp|mv} or with "doveadm 
>>> {copy|move}"?
>>> 
>>> On 2019-06-25 12:00, Aleksandr via dovecot wrote:
 Hello,
 
 I have a strange problem with "losing" emails after renaming mail
 folder(s) (via imap client: thunderbird, roundcube, etc..)
 
 How to reproduce:
 
 1. Create some folder name, like TEST
 2. Create sub-folder under TEST (like SUBTEST)
 
 Structure:
 
 TEST
   |--SUBTEST
 
 
 # doveadm  mailbox list  -u postmaster@testmailbox
 Spam
 Trash
 Sent
 Drafts
 INBOX
 TEST
 TEST/SUBTEST
 
 3. Move (or copy) mails from INBOX to SUBTEST (all looks fine, and
 mails visible under SUBTEST)
 4. Rename TEST folder to any new name, NEWTEST
 
 Let`s try to view mails in mail client in NEWTEST-SUBTEST, folder have
 no emails :(
 
 
 mailsrv# doveadm -f table mailbox status -u postmaster@testmailbox
 "messages vsize" NEWTEST*
 mailbox  messages vsize
 NEWTEST 00
 NEWTEST/SUBTEST 00
 
 If doveadm force-resync postmaster@testmailbox, mails will be visible in 
 INBOX
 
 mailsrv# doveadm -f table mailbox status -u postmaster@testmailbox
 "messages vsize" INBOX*
 mailbox messages vsize
 INBOX   228
 
 Dovecot installation: CentOS x86_64 Linux 7.5.1804
 
 Storage: HDD Local Partition - XFS filesystem  / multi-dbox (mdbox) as
 mail_storage (this problem is not reproduced with the settings as
 Maildir storage !)
 something wrong with mapping indices.
 
 
  [start] 
 
 # dovecot -n
 
 # 2.2.36 (1f10bfa63): /etc/dovecot/dovecot.conf
 # Pigeonhole version 0.4.21 (92477967)
 # OS: Linux 3.10.0-862.2.3.el7.x86_64 x86_64 CentOS Linux release
 7.5.1804 (Core)
 # Hostname: 
 auth_mechanisms = plain login digest-md5 cram-md5
 base_dir = /var/run/dovecot/
 default_client_limit = 2
 default_login_user = dovecot
 default_process_limit = 1
 dict {
   quota = redis:host=127.0.0.1:prefix=user/:timeout_msecs=1000
 }
 disable_plaintext_auth = no
 first_valid_gid = 90
 first_valid_uid = 90
 imapc_features = rfc822.size fetch-headers
 imapc_host = 
 imapc_user = %u
 lda_mailbox_autocreate = yes
 lda_mailbox_autosubscribe = yes
 login_greeting = .
 login_log_format_elements = user=<%u> method=%m rip=%r lip=%l %c
 login_trusted_networks = 10.0.1.0/24
 mail_access_groups = mail
 mail_debug = yes
 mail_fsync = never
 mail_gid = 97
 mail_location =
 mdbox:~/mail/mailboxes:FULLDIRNAME=mBoX-MeSsAgEs:INDEX=~/mail/index:CONTROL=~/mail/control:INBOX=~/mail/mailboxes/inbox
 mail_log_prefix = "%{session} %Us(%u): "
 mail_max_lock_timeout = 30 secs
 mail_plugins = quota  zlib
 mail_prefetch_count = 20
 mail_privileged_group = mail
 mail_uid = 97
 managesieve_notify_capability = mailto
 managesieve_sieve_capability = fileinto reject envelope
 encoded-character vacation subaddress comparator-i;ascii-numeric
 relational regex imap4flags copy include variables enotify environment
 mailbox date index ihave duplicate mime foreverypart extracttext
 vacation-seconds editheader
 mbox_lock_timeout = 30 secs
 mbox_very_dirty_syncs = yes
 mbox_write_locks = fcntl
 namespace inbox {
   inbox = yes
   list = yes
   location =
   mailbox Drafts {
 auto = subscribe
 special_use = \Drafts
   }
   mailbox Sent {
 auto = subscribe
 special_use = \Sent
   }
   mailbox Spam {
 auto = subscribe
   }
   mailbox Trash {
 auto = subscribe
 special_use = \Trash
   }
   prefix =
   separator = /
   type = private
 }
 passdb {
   args = /etc/dovecot/dovecot-ldap.conf
   driver = ldap
 }
 plugin {
   cgroup_basedir = /usr/sys/cgroup
   hostingAccount = default
   quota = dict:User quota::proxy::quota
   quota_grace = 0%%
   quota_over_flag_value = TRUE
   quota_over_script = account-quota 

Re: Autoexpunge not working for Junk?

2019-08-14 Thread Timo Sirainen via dovecot
On 14 Aug 2019, at 22.35, Amir Caspi via dovecot  wrote:
> 
> On Aug 14, 2019, at 1:26 PM, Timo Sirainen via dovecot wrote:
>> 
>> It probably has something to do with using mbox format. Are the IMAP UIDs 
>> changing unexpectedly? Errors/warnings logged related to it? Unfortunately 
>> it's a rather troublesome mailbox format. There are likely some bugs in 
>> Dovecot mbox code, but it's difficult and time consuming to try to reproduce 
>> any of the bugs so I've mostly given up trying.
> 
> I'm not getting any errors or warnings as far as I can tell, and I don't 
> think the UIDs are changing unexpectedly -- messages are not getting 
> re-downloaded randomly.  That is, everything SEEMS to be working fine, as far 
> as I can tell.
> 
> So many people still use mbox that I hope we can fix this issue.
> 
> I'm happy to help test or provide further debug output... this problem is 
> certainly reproducible here, and it seems like lbutlr has a similar problem, 
> so hopefully we can address at least this one...
> 
> (I'm also happy to give you the Junk mailbox and index files... there's 
> nothing sensitive in my spam!)

It's not very helpful to look at the indexes after the problem already 
happened. But if you can find a reliably reproducible way to make this happen 
starting from an empty mailbox, I could look into it further. Ideally it would 
be a standalone script that reproduces the problem every time. Possibly 
something like:

 * Deliver mails with procmail
 * Read the mails with doveadm fetch
 * Maybe expunge the mails with doveadm expunge
 * Keep checking the uid and date.saved with doveadm fetch to see if they 
unexpectedly change at some point
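The last of Timo's steps, checking that uid and date.saved do not change between runs, as an added, runnable check (this is not Dovecot's own tooling and is not part of the thread). It assumes, without confirmation from the thread, that the snapshots come from `doveadm fetch -u <user> 'hdr.message-id uid date.saved' mailbox <box> all`, whose default output is one `key: value` line per field with records separated by a form-feed line, and it keys messages by Message-ID so that a message which comes back under a new UID is still recognised as the same message. The two snapshots embedded below are constructed in that format.

```python
"""Snapshot uid/date.saved per message and report what changed between two
snapshots. Added example; the doveadm output format and the use of
hdr.message-id as a stable key are assumptions, not taken from the thread."""
import subprocess
from typing import Dict, List, Tuple

FIELDS = "hdr.message-id uid date.saved"

# Constructed sample output in the assumed format: two snapshots of a Junk folder.
SNAPSHOT_1 = (
    "hdr.message-id: <a@example.com>\nuid: 1\ndate.saved: 2019-07-15 03:42:56\n\f\n"
    "hdr.message-id: <b@example.com>\nuid: 2\ndate.saved: 2019-07-16 10:00:00\n\f\n"
)
# Second snapshot: <b@...> reappears with a new UID and a fresh date.saved, the
# silent change that would keep resetting an autoexpunge clock.
SNAPSHOT_2 = (
    "hdr.message-id: <a@example.com>\nuid: 1\ndate.saved: 2019-07-15 03:42:56\n\f\n"
    "hdr.message-id: <b@example.com>\nuid: 3\ndate.saved: 2019-08-14 22:35:00\n\f\n"
)

def parse_fetch_output(text: str) -> List[Dict[str, str]]:
    """Parse 'key: value' records separated by form-feed (or blank) lines."""
    records, current = [], {}
    for line in text.splitlines():          # splitlines() also breaks on \f
        if line.strip() == "":
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(": ")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records

def snapshot(user: str, mailbox: str) -> List[Dict[str, str]]:
    """Take a live snapshot; needs doveadm on the host (not used offline)."""
    proc = subprocess.run(
        ["doveadm", "fetch", "-u", user, FIELDS, "mailbox", mailbox, "all"],
        check=True, capture_output=True, text=True)
    return parse_fetch_output(proc.stdout)

def compare(before: List[Dict[str, str]], after: List[Dict[str, str]],
            key: str = "hdr.message-id") -> Tuple[List[str], List[str],
                                                  List[Tuple[str, str, str]],
                                                  List[Tuple[str, str, str]]]:
    """Return (expunged keys, new keys, uid changes, date.saved changes).

    Expunged and new messages are expected while testing expunge; a UID or
    date.saved that changes for the same Message-ID is the bug being hunted."""
    b = {r[key]: r for r in before}
    a = {r[key]: r for r in after}
    expunged = sorted(set(b) - set(a))
    new = sorted(set(a) - set(b))
    common = [k for k in b if k in a]
    uid_changes = [(k, b[k]["uid"], a[k]["uid"])
                   for k in common if b[k]["uid"] != a[k]["uid"]]
    saved_changes = [(k, b[k]["date.saved"], a[k]["date.saved"])
                     for k in common if b[k]["date.saved"] != a[k]["date.saved"]]
    return expunged, new, uid_changes, saved_changes

if __name__ == "__main__":
    exp, new, uids, saved = compare(parse_fetch_output(SNAPSHOT_1),
                                    parse_fetch_output(SNAPSHOT_2))
    print("expunged:", exp, "new:", new)
    for k, old, cur in uids:
        print(f"UID changed for {k}: {old} -> {cur}")
    for k, old, cur in saved:
        print(f"date.saved changed for {k}: {old} -> {cur}")
```

In a real repro loop, call `snapshot()` after each procmail delivery, `doveadm fetch` and `doveadm expunge` step and feed consecutive results to `compare()`; the first non-empty `uid_changes` or `saved_changes` marks the step after which the mailbox's metadata moved.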



Re: Auth driver

2019-08-14 Thread Timo Sirainen via dovecot
On 9 Aug 2019, at 15.08, Riccardo Paolo Bestetti via dovecot 
 wrote:
> 
> 
> Could you point me to any documentation or examples? While I can find many 
> plugins in the repo and around the Internet, I could find none which add 
> authdb drivers.

https://dovecot.org/patches/2.2/passdb-openam.c although it's not using 
autotools to do it in a nice way. For the autotools stuff you can use some 
other plugins as an example. Pigeonhole for example, although it's much more 
complicated than most. https://dovecot.org/patches/2.2/mail-filter.tar.gz 
probably has it also (I didn't look into it).



Re: Autoexpunge not working for Junk?

2019-08-14 Thread Amir Caspi via dovecot
On Aug 14, 2019, at 1:26 PM, Timo Sirainen via dovecot  
wrote:
> 
> It probably has something to do with using mbox format. Are the IMAP UIDs 
> changing unexpectedly? Errors/warnings logged related to it? Unfortunately 
> it's a rather troublesome mailbox format. There are likely some bugs in 
> Dovecot mbox code, but it's difficult and time consuming to try to reproduce 
> any of the bugs so I've mostly given up trying.

I'm not getting any errors or warnings as far as I can tell, and I don't think 
the UIDs are changing unexpectedly -- messages are not getting re-downloaded 
randomly.  That is, everything SEEMS to be working fine, as far as I can tell.

So many people still use mbox that I hope we can fix this issue.

I'm happy to help test or provide further debug output... this problem is 
certainly reproducible here, and it seems like lbutlr has a similar problem, so 
hopefully we can address at least this one...

(I'm also happy to give you the Junk mailbox and index files... there's nothing 
sensitive in my spam!)

Cheers.

--- Amir

Re: Should dovecot not be using different logging facility and severity levels?

2019-08-14 Thread Timo Sirainen via dovecot
On 9 Aug 2019, at 17.39, Marc Roos via dovecot  wrote:
> 
> Should dovecot not be using different severity levels like auth.warn? On 
> my system everything goes to loglevel info:

My thinking has been:

 * Panic: There's a bug that needs fixing
 * Fatal: Somewhat stronger error
 * Error: Something's broken or misconfigured - admin should fix something
 * Warning: Something seems to be at least temporarily broken, like maybe some 
limit was reached because the system was overloaded. Admin may need to do 
something or possibly just wait. Either way, these should be looked into.
 * Info: Events that admin doesn't necessarily need to look at, except while 
debugging or for gathering stats or something
 * Debug: Only when really debugging

> lev_info:Aug  9 16:18:24 mail03 dovecot: imap-login: Aborted login (auth 
> failed, 1 attempts in 2 secs): user=, method=PLAIN, rip=x.x.x.x, 
> lip=x.x.x.x, TLS, session=
> lev_info:Aug  9 16:18:29 mail03 dovecot: auth-worker(28656): 
> pam(krinfo,188.206.104.240,): unknown user

These are regular events that happen all the time due to brute force attacks 
and such. I don't know why you'd want to see them as warnings?



Re: Autoexpunge not working for Junk?

2019-08-14 Thread Timo Sirainen via dovecot
On 13 Aug 2019, at 5.57, Amir Caspi via dovecot  wrote:
> 
> On Aug 12, 2019, at 8:54 PM, Thomas Zajic via dovecot  
> wrote:
>> 
>> * Amir Caspi via dovecot, 12.08.19 22:01
>> 
>>> [~]# doveadm mailbox status -u cepheid firstsaved Junk
>>> Junk firstsaved=1563154976
>>> 
>>> I can't tell how that timestamp corresponds to a human-readable date, 
>>> however.
>> 
>> [zlatko@disclosure:~]$ date -d @1563154976
>> Mon Jul 15 03:42:56 CEST 2019
> 
> So this is the same timestamp as date.saved on message 1... as it should be, 
> I guess.  Except that, as I showed, the timestamps are definitely messed up 
> somehow.  The timestamps in my MUA (whether webmail or local mail app) show 
> just fine... so something seems to be corrupted with the timestamps in the 
> dovecot index file, I think.  But the weird thing is that this is affecting 
> all users, not just me.

It probably has something to do with using mbox format. Are the IMAP UIDs 
changing unexpectedly? Errors/warnings logged related to it? Unfortunately it's 
a rather troublesome mailbox format. There are likely some bugs in Dovecot mbox 
code, but it's difficult and time consuming to try to reproduce any of the bugs 
so I've mostly given up trying.



Re: Dovecot for imap with LDAP

2019-08-14 Thread Joseph Mays via dovecot
> Plenty of people have this type of setup, if you already know what you're
> doing with LDAP from the existing installation you shouldn't have any problem
> configuring it with Dovecot.

Thanks. That's what I would have thought, but I am clearly getting something 
wrong. I have dovecot with ldap installed, and I thought I had it configured to 
talk with our ldap server the same way the courier imap (which works fine) 
does, but all I was getting was an authentication failure with timeout.

Tried running tcpdump on the ldap server to watch the exchange, but it didn't 
reveal much. I'm not an expert at reading tcpdump output, but it looks like 
when I connect to the dovecot imap server and try to log in, it opens a 
connection to the ldap server and then nothing happens. I don't see any 
data exchange occurring. But as I said, I am not an expert at reading tcpdump 
output.

nb-200# tcpdump -vv port 389
tcpdump: listening on fxp0, link-type EN10MB (Ethernet), capture size 96 bytes
15:12:53.378192 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], length: 60) 
nb-212.win.net.64502 > nb-200.win.net.ldap: S [tcp sum ok] 
1650141152:1650141152(0) win 65535 
15:12:53.378319 IP (tos 0x0, ttl  64, id 31077, offset 0, flags [DF], length: 
64) nb-200.win.net.ldap > nb-212.win.net.64502: S [tcp sum ok] 
4093352694:4093352694(0) ack 1650141153 win 65535 
15:12:53.378457 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], length: 52) 
nb-212.win.net.64502 > nb-200.win.net.ldap: . [tcp sum ok] 1:1(0) ack 1 win 
1026 
15:12:53.378470 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], length: 92) 
nb-212.win.net.64502 > nb-200.win.net.ldap: P 1:41(40) ack 1 win 1026 

15:12:53.381078 IP (tos 0x0, ttl  64, id 31084, offset 0, flags [DF], length: 
66) nb-200.win.net.ldap > nb-212.win.net.64502: P [tcp sum ok] 1:15(14) ack 41 
win 33304 
15:12:53.484057 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], length: 52) 
nb-212.win.net.64502 > nb-200.win.net.ldap: . [tcp sum ok] 41:41(0) ack 15 win 
1026 
15:13:03.979700 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], length: 166) 
nb-212.win.net.64502 > nb-200.win.net.ldap: P 41:155(114) ack 15 win 1026 

15:13:04.076671 IP (tos 0x0, ttl  64, id 33174, offset 0, flags [DF], length: 
52) nb-200.win.net.ldap > nb-212.win.net.64502: . [tcp sum ok] 15:15(0) ack 155 
win 33304 
15:13:23.300900 IP (tos 0x0, ttl  64, id 35751, offset 0, flags [DF], length: 
66) nb-200.win.net.ldap > nb-212.win.net.64502: P [tcp sum ok] 15:29(14) ack 
155 win 33304 
15:13:23.407040 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], length: 52) 
nb-212.win.net.64502 > nb-200.win.net.ldap: . [tcp sum ok] 155:155(0) ack 29 
win 1026 
^C227 packets captured
21204 packets received by filter
0 packets dropped by kernel
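An added example for reading the capture above (not from the thread). tcpdump ran with its default 96-byte snaplen, so no LDAP payload is in the dump; what can be read is the size and timing of each segment that carried data: 40 bytes from the client, 14 bytes back after 3 ms, then 114 bytes from the client 10.6 s later, and 14 bytes back 19.3 s after that. A 14-byte server message is exactly the size of a minimal LDAPResult (resultCode plus empty matchedDN and diagnosticMessage), such as a BindResponse after a bind or a SearchResultDone with no entries before it, which the second half of the script constructs and decodes. Only a full-payload capture (`tcpdump -s 0 -X port 389`) can confirm which it is and what the resultCode was; the 10.6 s pause on the client side and the 19.3 s wait for the second reply are what such a recapture should be read for. `DUMP` is a constructed copy of the four PSH lines from the post, each joined onto a single line.

```python
"""Extract payload sizes and inter-message delays from tcpdump -vv output and
show what a 14-byte LDAP response can be. Added example; DUMP is a copy of
the post's PSH lines joined onto single lines."""
import re
from typing import Dict, List, Tuple

DUMP = """\
15:12:53.378470 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], length: 92) nb-212.win.net.64502 > nb-200.win.net.ldap: P 1:41(40) ack 1 win 1026
15:12:53.381078 IP (tos 0x0, ttl  64, id 31084, offset 0, flags [DF], length: 66) nb-200.win.net.ldap > nb-212.win.net.64502: P [tcp sum ok] 1:15(14) ack 41 win 33304
15:13:03.979700 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], length: 166) nb-212.win.net.64502 > nb-200.win.net.ldap: P 41:155(114) ack 15 win 1026
15:13:23.300900 IP (tos 0x0, ttl  64, id 35751, offset 0, flags [DF], length: 66) nb-200.win.net.ldap > nb-212.win.net.64502: P [tcp sum ok] 15:29(14) ack 155 win 33304
"""

# hh:mm:ss.us IP (...) src > dst: P [tcp sum ok] a:b(n) ...
PUSH_RE = re.compile(
    r"^(\d\d):(\d\d):(\d\d\.\d+) IP .*?\) ([^\s:]+) > ([^\s:]+): P "
    r"(?:\[tcp sum ok\] )?\d+:\d+\((\d+)\)")

def parse_pushes(dump: str) -> List[Tuple[float, str, str, int]]:
    """(seconds since midnight, src, dst, payload bytes) for each data-carrying segment."""
    out = []
    for line in dump.splitlines():
        m = PUSH_RE.match(line)
        if m:
            h, mi, s, src, dst, n = m.groups()
            out.append((int(h) * 3600 + int(mi) * 60 + float(s), src, dst, int(n)))
    return out

def exchange_summary(pushes, server_suffix: str = ".ldap") -> List[Dict]:
    """Label each message's direction and the delay since the previous message."""
    rows, prev = [], None
    for t, src, _dst, n in pushes:
        rows.append({
            "direction": "server->client" if src.endswith(server_suffix) else "client->server",
            "bytes": n,
            "gap_s": 0.0 if prev is None else round(t - prev, 6),
        })
        prev = t
    return rows

# Minimal LDAPResult (RFC 4511) in BER, short-form lengths only.
OPS = {0x61: "bindResponse", 0x65: "searchResDone"}

def _tlv(tag: int, body: bytes) -> bytes:
    if len(body) >= 0x80:
        raise ValueError("short-form lengths only")
    return bytes([tag, len(body)]) + body

def minimal_ldap_result(message_id: int, op_tag: int, result_code: int = 0) -> bytes:
    """LDAPMessage { messageID, op LDAPResult { resultCode, matchedDN "", diagnosticMessage "" } }."""
    if not 0 <= message_id < 0x80:
        raise ValueError("message_id must fit one INTEGER byte for this helper")
    result = _tlv(0x0A, bytes([result_code])) + _tlv(0x04, b"") + _tlv(0x04, b"")
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(op_tag, result))

def decode_ldap_result(pdu: bytes) -> Tuple[int, str, int]:
    """Return (messageID, operation name, resultCode) from a short-form LDAPResult PDU."""
    if pdu[0] != 0x30 or pdu[1] >= 0x80 or len(pdu) != 2 + pdu[1]:
        raise ValueError("not a short-form LDAPMessage")
    body = pdu[2:]
    if body[0] != 0x02:
        raise ValueError("messageID INTEGER expected")
    mid_len = body[1]
    message_id = int.from_bytes(body[2:2 + mid_len], "big")
    op_tag = body[2 + mid_len]
    op_body = body[4 + mid_len:]
    if op_body[0] != 0x0A:
        raise ValueError("resultCode ENUMERATED expected")
    return message_id, OPS.get(op_tag, f"op 0x{op_tag:02x}"), op_body[2]

if __name__ == "__main__":
    for row in exchange_summary(parse_pushes(DUMP)):
        print(f"{row['direction']:>14} {row['bytes']:4d} bytes  +{row['gap_s']:.3f}s")
    for mid, op in ((1, 0x61), (2, 0x65)):
        pdu = minimal_ldap_result(mid, op)
        print(len(pdu), "bytes:", pdu.hex(), "->", decode_ldap_result(pdu))
```

The point of building the PDU is the size comparison: both the BindResponse and the SearchResultDone come out at exactly 14 bytes, the length of both server segments in the dump, so the sizes alone cannot distinguish a successful bind from a search that returned nothing, nor a success from an error code.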


Re: ACL ignored for master users

2019-08-14 Thread Philip Iezzi via dovecot
Sorry about double posting. Thought my previous post didn't make it through. 
Still struggling with this problem...

> On 14 Aug 2019, at 15:21, Philip Iezzi  wrote:
> 
> Hi there!
> 
> I can't get ACL working for master users. Login as master user works fine 
> though, and I am able to access any mailbox using the 
> auth_master_user_separator "*", tested e.g. via Python's imaplib:
> 
> import imaplib
> imap = imaplib.IMAP4_SSL('imap.example.com')
> imap.login('f...@example.com*admin-acldemo', '**')
> ('OK', [b'Logged in'])
> 
> My /etc/dovecot/dovecot-acl looks like this:
> 
> * user=admin lr
> b...@example.com user=admin-acldemo lr
> 
> So, if I didn't misunderstand 
> https://wiki.dovecot.org/Authentication/MasterUsers and 
> https://wiki.dovecot.org/ACL documentation, this should only give the "admin" 
> master user access to all mail accounts and limit the "admin-acldemo" master 
> user to only a single mail account. That's what I would like to accomplish.
> But no matter what I put into dovecot-acl (it could even be empty), master 
> users always have access to all existing mailaccounts. The whole dovecot-acl 
> seems to be ignored and there are no logs pointing to any problem (syntax, 
> access permissions) with that file.
> 
> In mail.log I am getting a successful login message:
> dovecot: imap-login: Login: user=, method=PLAIN, ...
> So the login with "f...@example.com*admin-acldemo" seems to get resolved to a 
> regular "f...@example.com" user login.
> 
> My current setup (relevant config options):
> 
> # 2.3.7.1 (0152c8b10): /etc/dovecot/dovecot.conf
> # Pigeonhole version 0.5.7.1 (db5c74be)
> # OS: Linux 4.15.18-18-pve x86_64 Debian 9.9 
> auth_master_user_separator = *
> mail_plugins = quota acl
> passdb {
> args = /etc/dovecot/passwd.masterusers
> driver = passwd-file
> master = yes
> pass = yes
> }
> plugin {
> acl = vfile:/etc/dovecot/dovecot-acl
> acl_user = %u
> master_user = %u
> }
> protocol lmtp {
> mail_plugins = quota acl sieve
> }
> protocol lda {
> mail_plugins = quota acl sieve
> }
> protocol imap {
> mail_plugins = quota acl imap_acl imap_quota
> }
> 
> On ACL documentation it says:
> 
>> Note that master users have their own ACLs. They're not the mailbox 
>> owners, so by default they have no permissions to any of the mailboxes
> 
> and on Authentication/MasterUsers documentation:
> 
>> If ACL plugin is enabled, the Master user is still subject to ACLs just like 
>> any other user, which means that by default the master user has no access to 
>> any mailboxes of the user.
> 
> So it must be somehow possible to limit master users to specific mailbox(es) 
> via ACL. I could allow master users to be able to log in as themselves, by 
> adding two passdb sections (one with `master = yes`, the other `master = 
> no`), but then I see no way to do a user context switch (where ACLs would get 
> respected...) after logging in with "admin".
> 
> Any help greatly appreciated! Thanks in advance.
> Cheers,
> Philip
> 



ACL ignored for master users

2019-08-14 Thread Philip Iezzi via dovecot
Hi there!

I can't get ACL working for master users. Login as master user works fine 
though, and I am able to access any mailbox using the 
auth_master_user_separator "*", tested e.g. via Python's imaplib:

import imaplib
imap = imaplib.IMAP4_SSL('imap.example.com')
imap.login('f...@example.com*admin-acldemo', '**')
('OK', [b'Logged in'])

My /etc/dovecot/dovecot-acl looks like this:

* user=admin lr
b...@example.com user=admin-acldemo lr

So, if I didn't misunderstand 
https://wiki.dovecot.org/Authentication/MasterUsers and 
https://wiki.dovecot.org/ACL documentation, this should only give the "admin" 
master user access to all mail accounts and limit the "admin-acldemo" master user 
to only a single mail account. That's what I would like to accomplish.
But no matter what I put into dovecot-acl (it could even be empty), master 
users always have access to all existing mailaccounts. The whole dovecot-acl 
seems to be ignored and there are no logs pointing to any problem (syntax, 
access permissions) with that file.

In mail.log I am getting a successful login message:
dovecot: imap-login: Login: user=, method=PLAIN, ...
So the login with "f...@example.com*admin-acldemo" seems to get resolved to a 
regular "f...@example.com" user login.

My current setup (relevant config options):

# 2.3.7.1 (0152c8b10): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.7.1 (db5c74be)
# OS: Linux 4.15.18-18-pve x86_64 Debian 9.9 
auth_master_user_separator = *
mail_plugins = quota acl
passdb {
 args = /etc/dovecot/passwd.masterusers
 driver = passwd-file
 master = yes
 pass = yes
}
plugin {
 acl = vfile:/etc/dovecot/dovecot-acl
 acl_user = %u
 master_user = %u
}
protocol lmtp {
 mail_plugins = quota acl sieve
}
protocol lda {
 mail_plugins = quota acl sieve
}
protocol imap {
 mail_plugins = quota acl imap_acl imap_quota
}

On ACL documentation it says:

> Note that master users have their own ACLs. They're not the mailbox 
> owners, so by default they have no permissions to any of the mailboxes

and on Authentication/MasterUsers documentation:

> If ACL plugin is enabled, the Master user is still subject to ACLs just like 
> any other user, which means that by default the master user has no access to 
> any mailboxes of the user.

So it must be somehow possible to limit master users to specific mailbox(es) 
via ACL. I could allow master users to be able to log in as themselves, by 
adding two passdb sections (one with `master = yes`, the other `master = no`), 
but then I see no way to do a user context switch (where ACLs would get 
respected...) after logging in with "admin".

Any help greatly appreciated! Thanks in advance.
Cheers,
Philip
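An added example (not from the post): the imaplib test above and the mail.log line both show only that the LOGIN succeeded, which says nothing about what the session may do afterwards. MYRIGHTS (RFC 4314, exposed by the imap_acl plugin in the post's config) asks the server for the effective rights of the current session on a mailbox, so comparing its answer against the `lr` the ACL line intends shows directly whether the master login is being treated as the mailbox owner. The host, account names and the `lr` expectation are the post's; the parsing and the "excess rights" check are added here and assume the usual shape of imaplib's MYRIGHTS data, which the two embedded samples are constructed to match.

```python
"""Check what a master-user IMAP session can actually do via MYRIGHTS.
Added example; the MYRIGHTS data shape is assumed from imaplib's behaviour."""
import imaplib
from typing import Dict, List

# Constructed MYRIGHTS data in the shape imaplib returns: [b'<mailbox> <rights>'].
SAMPLE_OWNER_LIKE = [b'"INBOX" lrwstipekxacd']   # what 'full access' looks like
SAMPLE_LIMITED = [b'INBOX lr']                   # what the ACL line intends

def parse_myrights(data: List[bytes]) -> Dict[str, str]:
    """Map mailbox name -> rights string from the untagged MYRIGHTS data."""
    rights_by_mailbox = {}
    for item in data:
        if not item:
            continue
        text = item.decode("utf-8", "replace").strip()
        mailbox, _, rights = text.rpartition(" ")   # rights are the last token
        rights_by_mailbox[mailbox.strip('"')] = rights
    return rights_by_mailbox

def excess_rights(granted: str, expected: str = "lr") -> str:
    """Rights present beyond the expected set, sorted; empty means the ACL held."""
    return "".join(sorted(set(granted) - set(expected)))

def check_master_session(host: str, user: str, master: str, password: str,
                         mailbox: str = "INBOX", expected: str = "lr") -> Dict[str, str]:
    """Log in as user*master and return {mailbox: excess rights}. Needs a live server."""
    imap = imaplib.IMAP4_SSL(host)
    try:
        imap.login(f"{user}*{master}", password)
        typ, data = imap.myrights(mailbox)
        if typ != "OK":
            raise RuntimeError(f"MYRIGHTS failed: {data!r}")
    finally:
        imap.logout()
    return {mb: excess_rights(r, expected) for mb, r in parse_myrights(data).items()}

if __name__ == "__main__":
    import getpass
    import sys
    if len(sys.argv) == 4:
        host, user, master = sys.argv[1:]
        print(check_master_session(host, user, master, getpass.getpass()))
    else:
        # Offline demonstration on the constructed samples.
        for sample in (SAMPLE_OWNER_LIKE, SAMPLE_LIMITED):
            for mb, rights in parse_myrights(sample).items():
                print(mb, rights, "excess:", excess_rights(rights) or "none")
```

Run it as `python3 check_acl.py imap.example.com foo@example.com admin-acldemo`; an empty excess string for INBOX means the ACL is being applied to the master session, while `acdeikpstwx` (everything beyond `lr`) is what an owner-equivalent session reports.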



Re: Dovecot - Microsoft Azure AD

2019-08-14 Thread Aki Tuomi via dovecot


> On 14/08/2019 15:36 Lennart Boettcher via dovecot wrote:
> 
> Hello,
> 
> I am currently trying to connect my Dovecot mail server to Microsoft's 
> Azure-AD and use it as password and user database. I am using version 2.3.7.1.
> 
> Using the Azure-AD as passdb already works. In this context I noticed that 
> the scope implementation is not yet merged.
> 
> Since I haven't found any hints for an OAuth2 userdb implementation yet, I 
> wanted to ask if there are any plans for an implementation.
> 
> Greetings
> Lennart Boettcher

Dovecot 2.3 supports oauth2. I don't know how "oauth2 user database" would 
work, since oauth2 is an authentication mechanism. I suggest you use LDAP or 
static userdb, or set mail_* settings for user settings.

Aki


Dovecot - Microsoft Azure AD

2019-08-14 Thread Lennart Boettcher via dovecot
Hello,
I am currently trying to connect my Dovecot mail server to Microsoft's Azure-AD 
and use it as password and user database. I am using version 2.3.7.1.

Using the Azure-AD as passdb already works. In this context I noticed that the 
scope implementation is not yet merged.

Since I haven't found any hints for an OAuth2 userdb implementation yet, I 
wanted to ask if there are any plans for an implementation.

Greetings
Lennart Boettcher