RE: Dovecot proxying to some backend using LOGIN proxy_mech

2019-09-27 Thread Sébastien Riccio via dovecot
Hello List,

Pardon me for bumping this topic, but has anyone had (positive?) experience
with dovecot proxying using the LOGIN proxy_mech instead of PLAIN?
I tried to resolve this on my own but I have no path to follow yet. I'm not
even sure if this is supposed to work.

Kind regards
--SR

From: dovecot  On Behalf Of Sébastien Riccio via 
dovecot
Sent: samedi, 21 septembre 2019 12:33
To: dovecot@dovecot.org
Subject: Dovecot proxying to some backend using LOGIN proxy_mech

Hello list,

I am currently testing a setup for a PoC with this configuration.

- 1 x Frontend dovecot for proxying IMAP/POP3/LMTP/ManageSieve/Submission
- 2 x Backend dovecot with local mail storage

The frontend does the user authentication and communicates with the backends
using a master password.
The frontend accepts PLAIN and LOGIN auth mechanisms and talks to the backends
using the PLAIN auth mechanism (with the master password).
This works very well, it's cool.

Then, I've added to this setup an existing mail server (running another 
mailserver software) as a 3rd backend, and would like the frontend to also 
proxy for this, but this time not using master password.
This is working for IMAP/POP3 when it uses PLAIN auth, but not for Submission. 
The backend server in this case only accepts LOGIN auth and not PLAIN on port 
587.

So I found out there is a field in the passdb we can add (proxy_mech), and I've 
set it to LOGIN.

The frontend seems to now use LOGIN auth mech to talk to this 3rd backend, but 
the authentication still fails.
According to the backend logs, it seems dovecot proxy is now using LOGIN auth,
but sends garbage as username and/or password.
Also IMAP that was working when using PLAIN doesn't work anymore with LOGIN.

Might this be a bug, or is this setup not supposed to be supported at all?

Passdb MySQL table on frontend:
mysql> describe users;
+-------------+--------------+------+-----+---------+-------+
| Field       | Type         | Null | Key | Default | Extra |
+-------------+--------------+------+-----+---------+-------+
| user        | varchar(255) | NO   | PRI | NULL    |       |
| domain      | varchar(255) | NO   | PRI | NULL    |       |
| password    | varchar(255) | YES  |     | NULL    |       |
| displayname | varchar(255) | YES  |     | NULL    |       |
| host        | varchar(16)  | NO   |     | NULL    |       |
| usemaster   | tinyint(1)   | NO   |     | 1       |       |
| proxy_mech  | varchar(20)  | YES  |     | NULL    |       |
| starttls    | varchar(20)  | YES  |     | NULL    |       |
+-------------+--------------+------+-----+---------+-------+


mailstore-01/02 are dovecot backends
otherhost is the other mailserver I also would like to proxy through dovecot 
proxy

+-------+-----------------+----------------+--------------+--------------+-----------+------------+----------+
| user  | domain          | password       | displayname  | host         | usemaster | proxy_mech | starttls |
+-------+-----------------+----------------+--------------+--------------+-----------+------------+----------+
| user1 | somedomain.com  | {SHA512-CRYPT} | Joe Black    | mailstore-01 |         1 | NULL       | NULL     |
| user2 | otherdomain.com | {SHA512-CRYPT} | Mr. Smith    | mailstore-02 |         1 | NULL       | NULL     |
| user3 | area13.com      | NULL           | Donald Duck  | otherhost    |         0 | LOGIN      | any-cert |
| user4 | area13.com      | NULL           | Thanks Obama | otherhost    |         0 | LOGIN      | any-cert |
+-------+-----------------+----------------+--------------+--------------+-----------+------------+----------+

Passdb query :

password_query = \
  SELECT concat(user, '@', domain) AS user, password, host, 'Y' AS proxy, \
IF(usemaster is TRUE, 'supermasteruserl', NULL) as master, \
IF(usemaster is TRUE, 'supermasterpassword', pass) as pass, \
IF(usemaster is FALSE, 'Y', NULL) as nopassword, \
proxy_mech, \
starttls \
FROM users WHERE user = '%n' AND domain = '%d'

Some questions I'm asking myself:
Is proxying using LOGIN proxy_mech supported at all to auth on backends ?
Is dovecot proxying to "otherhost" supposed to decode original client auth 
(using PLAIN) and translate it to LOGIN format to auth with "otherhost" ?


# otherhost port 587 log
Without specifying proxy_mech
[2019.09.19] 09:27:22.167 [192.168.60.220][3070269] cmd: EHLO 
dovecotproxy.local.domain
[2019.09.19] 09:27:22.167 [192.168.60.220][3070269] rsp: 
250-dovecotproxy.local.domain Hello [192.168.60.220]250-SIZE 52428800250-AUTH 
LOGIN CRAM-MD5250-STARTTLS250-8BITMIME250-DSN250 OK
[2019.09.19] 09:27:22.167 [192.168.60.220][3070269] cmd: AUTH PLAIN 

[2019.09.19] 09:27:22.167 [192.168.60.220][3070269] rsp: 504 Unrecognized 
authentication type.

When using proxy_mech LOGIN
[2019.09.20] 
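To make the "504 Unrecognized authentication type" in the log above concrete, here is an added example (my own code, not Dovecot's and not the poster's) that shows what the two mechanisms actually put on the wire: PLAIN sends one base64 blob ("authzid NUL user NUL password") on the AUTH line, while LOGIN answers two separate base64 prompts ("Username:" / "Password:"). It also picks a mechanism from the backend's EHLO advertisement instead of assuming PLAIN. The backend is a constructed in-memory stand-in that, like "otherhost", offers only LOGIN and CRAM-MD5; the hostname backend.example, the address 192.0.2.10 and the credentials user3@area13.com / s3cret are made up. It does not settle the thread's open question of whether Dovecot's proxy re-encodes the client's PLAIN credentials into a LOGIN exchange; it only shows what a correct LOGIN exchange looks like so that the backend log can be compared against it.

```python
"""Added example (not Dovecot code): SASL PLAIN vs LOGIN over SMTP AUTH,
against a constructed backend that advertises only "AUTH LOGIN CRAM-MD5"."""
import base64


def b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


def parse_ehlo_auth(ehlo_reply: str) -> set:
    """Collect the mechanisms listed on the 250-AUTH line(s) of an EHLO reply."""
    mechs = set()
    for line in ehlo_reply.splitlines():
        body = line[4:] if line.startswith("250") else line  # drop "250-" / "250 "
        if body.upper().startswith("AUTH "):
            mechs.update(m.upper() for m in body[5:].split())
    return mechs


def choose_mech(advertised, preferred=("PLAIN", "LOGIN")):
    """First mechanism from `preferred` that the server actually offers, else None."""
    for mech in preferred:
        if mech in advertised:
            return mech
    return None


def plain_initial_response(user: str, password: str, authzid: str = "") -> str:
    """RFC 4616 PLAIN: a single base64 blob, authzid NUL authcid NUL password."""
    return b64(f"{authzid}\0{user}\0{password}")


def login_responses(user: str, password: str) -> list:
    """LOGIN: two separate base64 answers to the server's Username:/Password: prompts."""
    return [b64(user), b64(password)]


class LoginOnlyBackend:
    """Constructed stand-in for a submission server that, like 'otherhost' in the
    thread, offers only LOGIN and CRAM-MD5 on port 587 (CRAM-MD5 is not modelled)."""
    EHLO = ("250-backend.example Hello [192.0.2.10]\r\n"   # assumed hostname/IP
            "250-SIZE 52428800\r\n"
            "250-AUTH LOGIN CRAM-MD5\r\n"
            "250-STARTTLS\r\n"
            "250 OK")

    def __init__(self, user: str, password: str):
        self._creds = (user, password)
        self._mech = None
        self._answers = []

    def auth(self, mech: str, initial: str = None):
        """Handle 'AUTH <mech> [initial-response]'; return (code, text)."""
        self._mech, self._answers = mech.upper(), []
        if self._mech not in parse_ehlo_auth(self.EHLO):
            return "504", "Unrecognized authentication type."   # what the log shows for PLAIN
        if self._mech == "LOGIN":
            return "334", b64("Username:")
        return "504", "mechanism advertised but not modelled in this example"

    def respond(self, answer: str):
        """Handle the client's base64 answer to a 334 prompt."""
        if self._mech != "LOGIN":
            return "503", "Bad sequence of commands"
        self._answers.append(base64.b64decode(answer).decode())
        if len(self._answers) == 1:
            return "334", b64("Password:")
        ok = tuple(self._answers) == self._creds
        return ("235", "Authentication successful") if ok else ("535", "Authentication failed")


def authenticate(server, mech: str, user: str, password: str):
    """Drive one AUTH exchange as a client would; return (final_code, transcript)."""
    transcript = []
    if mech == "PLAIN":
        blob = plain_initial_response(user, password)
        code, text = server.auth("PLAIN", blob)
        transcript += [f"C: AUTH PLAIN {blob}", f"S: {code} {text}"]
        return code, transcript
    if mech == "LOGIN":
        code, text = server.auth("LOGIN")
        transcript += ["C: AUTH LOGIN", f"S: {code} {text}"]
        for answer in login_responses(user, password):
            if code != "334":
                break
            code, text = server.respond(answer)
            transcript += [f"C: {answer}", f"S: {code} {text}"]
        return code, transcript
    raise ValueError(f"unsupported mechanism {mech}")


if __name__ == "__main__":
    backend = LoginOnlyBackend("user3@area13.com", "s3cret")   # constructed credentials
    picked = choose_mech(parse_ehlo_auth(LoginOnlyBackend.EHLO))  # LOGIN, since PLAIN is absent
    for m in ("PLAIN", picked):
        code, lines = authenticate(backend, m, "user3@area13.com", "s3cret")
        print(f"--- {m}: final reply {code}")
        print("\n".join(lines))
```

Run it and compare the LOGIN transcript with what the backend logs for the proxy: after "AUTH LOGIN" the backend must send "334 VXNlcm5hbWU6", the proxy must answer with base64 of the bare username (not a PLAIN-style NUL-separated blob), and so on for the password. If the backend sees something else at either step, that is the "garbage" the poster describes.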

Re: Mail received but not indexed?

2019-09-27 Thread Sami Ketola via dovecot



> On 27 Sep 2019, at 16.38, Marc Roos via dovecot  wrote:
> 
> You recommend I should change this? I have already a new setup where I 
> am using[0]. But the current setup I have now was ok for many many 
> years.
> 
> [0]
> FEATURE(`local_lmtp',`[IPC]',`FILE /var/run/dovecot/lmtp')dnl

Using dovecot-lda is always better from dovecot point of view, but I think 
still your current config should work even if it is not optimal.

for some reason dovecot now does not detect changes on the mbox file and for 
that reason does not add new mails to index. But I can't say for sure for what 
reason.

Sami



Re: Debug one user possible?

2019-09-27 Thread Joseph Tam via dovecot

On Fri, 27 Sep 2019, Aki Tuomi wrote:

> On 27/09/2019 16:08 Marc Roos via dovecot  wrote:
>
>> Is it possible to mail debug just one user? Maybe via the userdb?
>
> You could try returning mail_debug=yes from userdb.


For raw IMAP logging, you can configure

protocol imap {
...
rawlog_dir = /log/dir/%u
}

then when you need to dump IMAP diagnostics for a user e.g. "marc",

# Temp folder avoids permission/write race condition
cd /log/dir
mkdir temp
chown marc temp
mv temp marc

When you're done

rm -rf /log/dir/marc

Joseph Tam 


lmtp and virtual users

2019-09-27 Thread David Wells - Alfavinil S.A. via dovecot
Good afternoon.

I have dovecot set up to authenticate virtual users using either gssapi
or doing a bind to an ldap server to achieve a single-sign-on capable
imap server connected to a samba active directory DC. What I am also
trying to achieve is to have dovecot's lmtp daemon handle the mails
passed from postfix. However, the only way I've gotten this to work is
setting allow_all_users = yes in the userdb but this causes lmtp to
deliver mails to non-existent accounts without rejection. I've been
searching but haven't found a way to set this same thing up but having
dovecot's lmtp check the validity of the mail's recipient against the same
samba AD DC through ldap before delivering it and rejecting unknown
email addresses. Could someone please provide some insight into how to
achieve this?

Thank you very much in advance.
Best regards,
David Wells.
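The setting the post describes, next to one way of replacing it, as an added configuration example (mine, not from the thread and not an official Dovecot sample). Recipient validation in LMTP is a userdb lookup: a static userdb with allow_all_users=yes answers "yes" for every address, so nothing is ever rejected. Pointing the userdb at the same AD over LDAP makes the lookup fail for unknown addresses, and LMTP then rejects them. Hostnames, DNs, the lookup account and the mail storage paths below are assumptions; the disabled-account filter uses the standard AD userAccountControl bit matching rule.

```conf
# --- dovecot.conf (weak: every recipient is accepted) ---------------------
userdb {
  driver = static
  args = uid=vmail gid=vmail home=/var/vmail/%d/%n allow_all_users=yes
}

# --- dovecot.conf (replacement: resolve the recipient in AD) --------------
userdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
}

# --- /etc/dovecot/dovecot-ldap-userdb.conf.ext (assumed names and DNs) ----
hosts = dc1.ad.example.internal
ldap_version = 3
tls = yes
# LMTP has no user password to bind with, so userdb lookups cannot use
# auth_bind; they need a read-only lookup account instead.
dn = CN=dovecot-lookup,CN=Users,DC=ad,DC=example,DC=internal
dnpass = change-me
base = DC=ad,DC=example,DC=internal
scope = subtree
# %u is the full recipient address LMTP hands to the lookup.  Unknown or
# disabled accounts match nothing, the lookup fails, and delivery is rejected.
user_filter = (&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(mail=%u))
user_attrs = =home=/var/vmail/%d/%n,=uid=vmail,=gid=vmail
```

Check it before trusting it: `doveadm user someone@example.internal` should print the resolved home/uid/gid for an existing address and "userdb lookup: user doesn't exist" for an unknown one; the passdb used for IMAP (gssapi or LDAP bind) stays as it is, since it plays no part in LMTP's recipient check.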




RE: Mail received but not indexed?

2019-09-27 Thread Marc Roos via dovecot
You recommend I should change this? I have already a new setup where I 
am using[0]. But the current setup I have now was ok for many many 
years.

[0]
FEATURE(`local_lmtp',`[IPC]',`FILE /var/run/dovecot/lmtp')dnl


-Original Message-
Subject: RE: Mail received but not indexed?


No, it is still old sendmail to /var/spool/mail/ 


-Original Message-
From: Sami Ketola [mailto:sami.ket...@dovecot.fi]
Sent: vrijdag 27 september 2019 15:17
To: dovecot
Cc: Marc Roos
Subject: Re: Mail received but not indexed?



> On 27 Sep 2019, at 16.06, Marc Roos via dovecot  
wrote:
> CentOS Linux release 7.6.1810 (Core)
> dovecot-2.2.36-3.el7.x86_64
> mail_location = mbox:~/mail:INBOX=/var/spool/mail/%u:CONTROL=~/mail/control:INDEX=/var/dovecot2/%u/index:LAYOUT=maildir++


How do you deliver the emails then? dovecot-lda?

Sami







RE: Mail received but not indexed?

2019-09-27 Thread Marc Roos via dovecot


No, it is still old sendmail to /var/spool/mail/ 


-Original Message-
From: Sami Ketola [mailto:sami.ket...@dovecot.fi] 
Sent: vrijdag 27 september 2019 15:17
To: dovecot
Cc: Marc Roos
Subject: Re: Mail received but not indexed?



> On 27 Sep 2019, at 16.06, Marc Roos via dovecot  
wrote:
> CentOS Linux release 7.6.1810 (Core)
> dovecot-2.2.36-3.el7.x86_64
> mail_location = mbox:~/mail:INBOX=/var/spool/mail/%u:CONTROL=~/mail/control:INDEX=/var/dovecot2/%u/index:LAYOUT=maildir++


How do you deliver the emails then? dovecot-lda?

Sami





Re: Debug one user possible?

2019-09-27 Thread Aki Tuomi via dovecot


> On 27/09/2019 16:08 Marc Roos via dovecot  wrote:
> 
>  
> Is it possible to mail debug just one user? Maybe via the userdb?

You could try returning mail_debug=yes from userdb.

Aki


Re: Mail received but not indexed?

2019-09-27 Thread Sami Ketola via dovecot



> On 27 Sep 2019, at 16.06, Marc Roos via dovecot  wrote:
> CentOS Linux release 7.6.1810 (Core)
> dovecot-2.2.36-3.el7.x86_64
> mail_location = mbox:~/mail:INBOX=/var/spool/mail/%u:CONTROL=~/mail/control:INDEX=/var/dovecot2/%u/index:LAYOUT=maildir++


How do you deliver the emails then? dovecot-lda?

Sami



Debug one user possible?

2019-09-27 Thread Marc Roos via dovecot



Is it possible to mail debug just one user? Maybe via the userdb?




Mail received but not indexed?

2019-09-27 Thread Marc Roos via dovecot



I have recently noticed that some users are complaining that they are not 
getting emails, while I see that they are delivered and in the inbox. 
When I do a doveadm force-resync -u  INBOX it resolves the problem. 
I think this is something recent. Where/how should I resolve this issue?

Recent changes
1. did some os updates 2019-08-27
2. provider took away the ssd for index storage (maybe config issue 
having less iops storage?)

CentOS Linux release 7.6.1810 (Core)
dovecot-2.2.36-3.el7.x86_64
mail_location = mbox:~/mail:INBOX=/var/spool/mail/%u:CONTROL=~/mail/control:INDEX=/var/dovecot2/%u/index:LAYOUT=maildir++


PS during force-resync, I am getting these 
"index/.INBOX/dovecot.index.log was locked for 176 seconds" on some 
users


limits in high-security mode with ssl

2019-09-27 Thread sergio via dovecot
Hello.


I'm using dovecot in high-security mode:

service_count = 1 for imap-login service

starttls is required, so the maximum number of active connections is
process_limit (which is set to 1024) for the same imap-login service.

But with this setup I got:

doveconf: Warning: service auth { client_limit=1000 } is lower than
required under max. load (1324)
doveconf: Warning: service anvil { client_limit=1000 } is lower than
required under max. load (1227)


1. Where did 1324 and 1227 come from?
2. How configuration should be updated so these warnings disappear?


-- 
sergio.


Re: Dovecote IMAPSieve user scripts

2019-09-27 Thread Gerald Galster via dovecot

> I wonder how to configure IMAPSieve with user scripts. I can't find much
> information on the internet.

try to enable managesieve:

service managesieve-login {
  inet_listener sieve {
port = 4190
  }  
}


https://wiki2.dovecot.org/Pigeonhole/ManageSieve/Configuration 


Roundcube or Thunderbird with Sieve plugin connect to your dovecot server on 
port 4190.
Users are authenticated with the same credentials used for pop/imap and can
upload their scripts.

Best regards
Gerald




Dovecote IMAPSieve user scripts

2019-09-27 Thread Alexander Mankuta via dovecot
Hello,

I wonder how to configure IMAPSieve with user scripts. I can't find much
information on the internet.

I have Sieve and IMAPSieve for spam configured as described in the wiki
and it works.

Documentation mentions that imapsieve_url has to be set to appropriate
ManageSieve server but no further explanation is given.

What I want to achieve: let users create their own sieve scripts and
execute them each time a message is being moved/copied between their
mailboxes.

I saw mentions of "association of user scripts with mailboxes" but I'm
not sure what that means or if it's supported by the Thunderbird Sieve
extension (or any other software out there).

Please advise.

--
Regards,
Alex




Re: sis-queue: Parent filesystem not given as parameter

2019-09-27 Thread Aki Tuomi via dovecot
On 26.9.2019 16.29, Ralf Hildebrandt via dovecot wrote:
> I tried to change:
> mail_attachment_fs = sis posix
> to
> mail_attachment_fs = sis-queue posix
>
> and immediately failed with:
>
> Failed to initialize user: Namespace '': mdbox: mail_attachment_fs: 
> sis-queue: Parent filesystem not given as parameter
>
> Where do I specify the "Parent filesystem"?

sis-queue:/path/to/something

Aki



Re: Website Down? Not down.

2019-09-27 Thread Aki Tuomi via dovecot


> On 27/09/2019 09:26 @lbutlr via dovecot  wrote:
> 
>  
> On Sep 26, 2019, at 10:47 PM, dun...@gmail.com wrote:
> > It's not down, it's most likely your provider's DNS resolution.
> 
> As I said, multiple connections failed. T-mobile started working about 2 
> hours ago, century link soon after. Comcast took longer, but is working now. 
> Each of these connections have different DNS servers.
> 
> 
> -- 
> Charlie don't surf!

But quite likely same transit paths.

Aki


Re: Website Down? Not down.

2019-09-27 Thread @lbutlr via dovecot
On Sep 26, 2019, at 10:47 PM, dun...@gmail.com wrote:
> It's not down, it's most likely your provider's DNS resolution.

As I said, multiple connections failed. T-mobile started working about 2 hours 
ago, century link soon after. Comcast took longer, but is working now. Each of 
these connections have different DNS servers.


-- 
Charlie don't surf!