Re: starttls for some services only
Hello Aki,

On 10.02.20 20:34, Aki Tuomi wrote:
> - configure HAproxy to use PROXYv1 or PROXYv2 protocol to pass
> connection details to dovecot. With recent enough dovecot, you can include
> TLS information with haproxy to dovecot.
> - configure login_trusted_networks and haproxy_trusted_networks
> - set 'haproxy=yes' to the listener you are connecting with haproxy, so
> dovecot knows to expect and parse the proxy protocol.

That part is working fine. Whether it's a proxied or non-proxied config can be ignored here. The essential question, broken down to a minimum, is: is there any way to

1) configure a dovecot service with plain unencrypted authentication (like imap-login for example) that also _does_not_ advertise starttls, and at the same time

2) configure another dovecot service (like managesieve for example) that _does_ advertise starttls?

Thanks
Björn
Re: starttls for some services only
> On 10/02/2020 19:17 Bjoern Jacke wrote:
>
> Hi Aki,
>
> On 10.02.20 17:03, Aki Tuomi wrote:
> > Try setting
> >
> > login_trusted_networks = lb-ip/32
> >
> > See
> > https://doc.dovecot.org/settings/dovecot_core_settings/#login-trusted-networks
>
> I do have login_trusted_networks set already. Along with the proxy
> protocol (haproxy_trusted_networks = lb-ip) I had to set
> login_trusted_networks to 0.0.0.0/0 actually, because the proxy protocol
> tells dovecot the real client's IP address and that IP address is the one
> actually evaluated for login_trusted_networks. With the plain
> authentication being done inside the load balancer's TLS connection it
> is more or less obvious that this is needed in that case.
>
> But those settings don't change the pity: ssl=no is globally required to
> make the starttls options disappear for imap-login - but with ssl=no
> globally I don't see a possibility to enable the starttls option for
> other services like managesieve, for example.
>
> Thanks
> Björn

With haproxy you need to

- configure HAproxy to use PROXYv1 or PROXYv2 protocol to pass connection details to dovecot. With recent enough dovecot, you can include TLS information with haproxy to dovecot.
- configure login_trusted_networks and haproxy_trusted_networks
- set 'haproxy=yes' to the listener you are connecting with haproxy, so dovecot knows to expect and parse the proxy protocol.

Aki
Re: starttls for some services only
Hi Aki,

On 10.02.20 17:03, Aki Tuomi wrote:
> Try setting
>
> login_trusted_networks = lb-ip/32
>
> See
> https://doc.dovecot.org/settings/dovecot_core_settings/#login-trusted-networks

I do have login_trusted_networks set already. Along with the proxy protocol (haproxy_trusted_networks = lb-ip) I had to set login_trusted_networks to 0.0.0.0/0 actually, because the proxy protocol tells dovecot the real client's IP address and that IP address is the one actually evaluated for login_trusted_networks. With the plain authentication being done inside the load balancer's TLS connection it is more or less obvious that this is needed in that case.

But those settings don't change the pity: ssl=no is globally required to make the starttls options disappear for imap-login - but with ssl=no globally I don't see a possibility to enable the starttls option for other services like managesieve, for example.

Thanks
Björn
Re: Email Server Backup Strategy
On Sun, 9 Feb 2020 18:26:25 +0100 Esteban L wrote:
> Was thinking it would be wise to backup my server, in case anything
> "bad" ever happened, so that I could quickly get up to speed.

Thanks for asking (I could not find a lot of threads about it when I looked into it.)

I am obsessive, so I have a forward-all rule in POSTFIX that pipes to a command line from which I cast to another server where I save (and replicate to another server, and so on.)

This is what I do; what I'd recommend is that it be a feature delivered with POSTFIX (since it's the `first' program to receive the email and tell the sender that it's ok, it's been received. Perhaps that's why I did not find much: I was focusing my search around POSTFIX.)

Now I understand one is supposed to have a backup email server, but that's for if the internet-facing one is down/disconnected? I think there is something in the standard to say to reasonably retry.

I'm here originally to set up my system on my iPhone with server-side rules. (Thus only realizing there seems to be a built-in backup mechanism in Dovecot?)

--
Germain Le Chapelain
Software Engineer
Lanvaux
Re: starttls for some services only
Try setting

login_trusted_networks = lb-ip/32

See https://doc.dovecot.org/settings/dovecot_core_settings/#login-trusted-networks

Aki

> On 10/02/2020 15:38 Bjoern Jacke <lists2...@j3e.de> wrote:
>
> Hi,
>
> I would like to disable offering starttls to clients for certain dovecot
> services. Background is that I want to let a load balancer do the TLS
> stuff right at connect time and let dovecot only do plain imap without
> offering starttls (because the clients do imaps actually).
>
> Getting rid of the starttls feature offering works only if I set ssl = no
> globally. Setting it in the service imap-login section seems to be
> impossible. If I set it globally to no though, I cannot use it in other
> services where it is needed, like in manage-sieve, where clients
> unfortunately only support starttls and no tls on connect.
>
> Is there any way to configure dovecot to offer starttls for some services
> and for some not, or is this just not supported currently?
>
> Thanks
> Björn

---
Aki Tuomi
postmaster_address parameter scope
Hello,

I was wondering, when I define the following dovecot parameter:

postmaster_address = postmas...@mydomain.com

in my local.conf config file, does this parameter apply globally? I mean, because it is not inside any {} curly braces, does it also apply to:

protocol lmtp {
  ...
}

or do I need to explicitly define my postmaster_address parameter again inside protocol lmtp {} like this?

protocol lmtp {
  postmaster_address = postmas...@mydomain.com
}

My very same question applies also for protocol lda {}...

Regards,
Mabi
starttls for some services only
Hi,

I would like to disable offering starttls to clients for certain dovecot services. Background is that I want to let a load balancer do the TLS stuff right at connect time and let dovecot only do plain imap without offering starttls (because the clients do imaps actually).

Getting rid of the starttls feature offering works only if I set ssl = no globally. Setting it in the service imap-login section seems to be impossible. If I set it globally to no though, I cannot use it in other services where it is needed, like in manage-sieve, where clients unfortunately only support starttls and no tls on connect.

Is there any way to configure dovecot to offer starttls for some services and for some not, or is this just not supported currently?

Thanks
Björn
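Whichever way the per-service question is settled, the thing to verify is what each listener actually says to a client before TLS: whether STARTTLS is in the IMAP CAPABILITY list or the ManageSieve greeting, and whether the listener still accepts a LOGIN or AUTH= mechanism in the clear (which is exactly what the load-balancer setup in this thread relies on for IMAP). The script below is an added example written for this thread and the haproxy replies above; it is not code from the posters or from Dovecot. It assumes only the wire formats of RFC 3501 (IMAP CAPABILITY, plus the LOGINDISABLED atom from RFC 2595) and RFC 5804 (the ManageSieve greeting); the sample responses are constructed, not captured from anyone's server, and the host/port passed to probe() are whatever you want to check.

```python
"""Report what an IMAP or ManageSieve listener advertises before TLS.

Added example for the starttls thread; not code from the posters or from
Dovecot. Sample responses below are constructed for the offline demo.
"""
import re
import socket

# Constructed samples: a listener offering STARTTLS with plaintext login
# disabled, a plain-only listener as used behind a TLS-terminating load
# balancer, and a ManageSieve greeting that offers STARTTLS.
IMAP_GREETING_STARTTLS = (
    "* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE "
    "LITERAL+ STARTTLS LOGINDISABLED] Dovecot ready.\r\n"
)
IMAP_GREETING_PLAIN_ONLY = (
    "* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE "
    "LITERAL+ AUTH=PLAIN AUTH=LOGIN] Dovecot ready.\r\n"
)
SIEVE_GREETING = (
    '"IMPLEMENTATION" "Dovecot Pigeonhole"\r\n'
    '"SIEVE" "fileinto reject envelope"\r\n'
    '"NOTIFY" "mailto"\r\n'
    '"SASL" ""\r\n'
    '"STARTTLS"\r\n'
    '"VERSION" "1.0"\r\n'
    'OK "Dovecot ready."\r\n'
)

_IMAP_CAP_RE = re.compile(r"CAPABILITY\s+([^\]\r\n]+)", re.IGNORECASE)
_SIEVE_END_RE = re.compile(r"(OK|NO|BYE)\b")   # response line ending the greeting


def imap_capabilities(text: str) -> set:
    """Capability atoms from a greeting's [CAPABILITY ...] or from an
    untagged '* CAPABILITY ...' response; empty set if neither is present."""
    m = _IMAP_CAP_RE.search(text)
    return {atom.upper() for atom in m.group(1).split()} if m else set()


def assess_imap(text: str) -> dict:
    """Is STARTTLS offered, and can a client authenticate in the clear?
    LOGINDISABLED forbids LOGIN before TLS; any AUTH= mechanism advertised
    before TLS means SASL authentication in the clear is accepted."""
    caps = imap_capabilities(text)
    return {
        "starttls": "STARTTLS" in caps,
        "plaintext_auth_before_tls": "LOGINDISABLED" not in caps
        or any(c.startswith("AUTH=") for c in caps),
    }


def managesieve_capabilities(text: str) -> dict:
    """Parse the ManageSieve greeting: one '"NAME" ["value"]' line per
    capability, terminated by an OK/NO/BYE response line."""
    caps = {}
    for line in text.splitlines():
        if _SIEVE_END_RE.match(line):
            break
        m = re.match(r'"([^"]+)"(?:\s+"([^"]*)")?\s*$', line)
        if m:
            caps[m.group(1).upper()] = m.group(2) or ""
    return caps


def assess_managesieve(text: str) -> dict:
    caps = managesieve_capabilities(text)
    return {"starttls": "STARTTLS" in caps,
            "sasl_before_tls": caps.get("SASL", "").split()}


def _send(f, data: bytes) -> None:
    f.write(data)
    f.flush()


def _read_until(f, done) -> str:
    """Collect lines from the socket until done(line) is true or EOF."""
    lines = []
    while True:
        line = f.readline().decode("utf-8", "replace")
        lines.append(line)
        if not line or done(line):
            return "".join(lines)


def probe(host: str, port: int, protocol: str, timeout: float = 5.0) -> dict:
    """Connect in the clear to host:port (placeholders, caller's choice) and
    report what the listener advertises. Not used by the offline demo."""
    if protocol not in ("imap", "managesieve"):
        raise ValueError("protocol must be 'imap' or 'managesieve'")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rwb")
        if protocol == "imap":
            text = f.readline().decode("utf-8", "replace")
            if not imap_capabilities(text):     # greeting had no [CAPABILITY ...]
                _send(f, b"a1 CAPABILITY\r\n")
                text = _read_until(f, lambda l: l.startswith("a1 "))
            _send(f, b"a2 LOGOUT\r\n")
            return assess_imap(text)
        text = _read_until(f, _SIEVE_END_RE.match)
        _send(f, b"LOGOUT\r\n")
        return assess_managesieve(text)


if __name__ == "__main__":
    print("imap, starttls listener: ", assess_imap(IMAP_GREETING_STARTTLS))
    print("imap, plain behind LB:   ", assess_imap(IMAP_GREETING_PLAIN_ONLY))
    print("managesieve:             ", assess_managesieve(SIEVE_GREETING))
```

Two practical notes. A listener configured with haproxy=yes expects the PROXY header before anything else, so probe() must reach it through HAProxy or be pointed at a listener without that flag. And the Dovecot documentation for login_trusted_networks says disable_plaintext_auth is ignored for the listed ranges, so the 0.0.0.0/0 value mentioned in this thread makes plaintext authentication acceptable from any reported client address; that is only safe when nothing but the TLS-terminating load balancer can reach the listener, which the plain-only IMAP result from this check should be read against.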
Re: Email Server Backup Strategy
Hi,

On 10/2/20 8:37 pm, Francis Augusto Medeiros-Logeay wrote:
> On 09.02.2020 19:08, Andrew McGlashan wrote:
>
>> If rsync is not fast... then how about doing a snapshot and then rsync
>> off the snapshot? (I do rsync over lvm snapshots to back up file
>> systems cleanly) and, btw, perform file system dumps [ufsdump /
>> ufsrestore like, but dump and restore on Linux] of *non-mounted*
>> backup file systems fwiw.
>>
>> I have other rsyncs that happen via rsnapshot during the day, I don't
>> worry about snapshotting them though, but I probably should
>
> But thinking again about it, doesn't snapshotting every time lead to increased storage space?

After being hammered by dmarc reports, I've switched emails for this list.

My snapshots are temporary, so the storage for the short periods of use is not a big deal.

Cheers
A.
Re: Email Server Backup Strategy
On 09.02.2020 19:08, Andrew McGlashan wrote:
> If rsync is not fast... then how about doing a snapshot and then rsync
> off the snapshot? (I do rsync over lvm snapshots to back up file
> systems cleanly) and, btw, perform file system dumps [ufsdump /
> ufsrestore like, but dump and restore on Linux] of *non-mounted*
> backup file systems fwiw.
>
> I have other rsyncs that happen via rsnapshot during the day, I don't
> worry about snapshotting them though, but I probably should

But thinking again about it, doesn't snapshotting every time lead to increased storage space?

Best,
Francis
Re: Email Server Backup Strategy
On 09.02.2020 19:08, Andrew McGlashan wrote:
> Hi,
>
> On 10/2/20 4:59 am, Francis Augusto Medeiros-Logeay wrote:
>> What I do:
>> 1 - I run a maildirlock command on my mail folder
>> 2 - I then rsync the folder where my maildirs are, as well as the indexes, to a remote location
>
> If rsync is not fast... then how about doing a snapshot and then rsync
> off the snapshot? (I do rsync over lvm snapshots to back up file
> systems cleanly) and, btw, perform file system dumps [ufsdump /
> ufsrestore like, but dump and restore on Linux] of *non-mounted*
> backup file systems fwiw.

That's a good idea - in my case rsync is super fast, 1-2 min tops, so I can afford the lock for that time. But I surely should check more about snapshots.

> I have other rsyncs that happen via rsnapshot during the day, I don't
> worry about snapshotting them though, but I probably should
>
>> 3 - I tar.gz the daily backup
>> 4 - I kill the maildirlock process
>>
>> I also use replication of my server so that I keep getting mail when my main server isn't available.
>
> You mean backup mx?

Yes. It is a work of beauty, that thing :) I remember how cool it was to see mail being replicated when both servers are up, and one responding for mail when one of the servers is down.

Best,
Francis
Re: Email Server Backup Strategy
What I do:

1 - I run a maildirlock command on my mail folder
2 - I then rsync the folder where my maildirs are, as well as the indexes, to a remote location
3 - I tar.gz the daily backup
4 - I kill the maildirlock process

I also use replication of my server so that I keep getting mail when my main server isn't available.

As for postfix, I backup the database once a week, since it doesn't get changed that often.

Hope that helps!

Best,
Francis

On 09.02.2020 18:26, Esteban L wrote:
> Hello,
>
> Was thinking it would be wise to backup my server, in case anything "bad" ever happened, so that I could quickly get up to speed.
>
> 1. clone the whole drive -- which might be the best to ensure I keep the whole system working.
> 2. But, what about, if I just wanted to backup my Email server components? Postfix - which I think is just config files, and Dovecot - I think there is a doveadm backup for doing such things.
>
> What do you guys do, recommend for backups??
>
> Thanks
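Whether the copy is taken under maildirlock, from an LVM snapshot, or with rsnapshot, the question a practitioner wants answered afterwards is the same: does the backup actually contain every message the source had? The script below is an added example written for this thread (the maildirlock-plus-rsync procedure above and the snapshot variant in the replies); it is not code from any of the posters or from Dovecot. It assumes the standard Maildir layout (tmp/, new/, cur/ and dot-prefixed subfolders) with the usual ':2,<flags>' filename suffix, and its demo builds both trees with tempfile, so no real mailbox is touched.

```python
"""Verify a Maildir backup against its source.

Added example for the backup thread; not code from the posters or from
Dovecot. Assumes the standard Maildir layout; the demo trees are constructed.
"""
import tempfile
from pathlib import Path


def _message_index(maildir: Path) -> dict:
    """Map (folder, unique-name) -> size for every message in new/ and cur/
    of the root folder and of every .Subfolder. tmp/ is skipped on purpose:
    a file there is a delivery in progress (the MDA renames it into new/
    only when complete), so it is not mail yet and may never become mail."""
    index = {}
    folders = [maildir] + sorted(
        p for p in maildir.iterdir() if p.is_dir() and p.name.startswith("."))
    for folder in folders:
        rel = str(folder.relative_to(maildir))          # "." for the root
        for sub in ("new", "cur"):
            d = folder / sub
            if not d.is_dir():
                continue
            for f in d.iterdir():
                if f.is_file():
                    # Flags after ':2,' change when a message is read or
                    # moved from new/ to cur/; the unique name does not.
                    index[(rel, f.name.split(":2,", 1)[0])] = f.stat().st_size
    return index


def verify_backup(source: Path, backup: Path) -> dict:
    """Compare by unique name, so a message that was read (new/ -> cur/) or
    re-flagged between the snapshot and the copy is not reported missing.
    Messages only in the backup are not an error (deleted after the copy)."""
    src, dst = _message_index(source), _message_index(backup)
    return {
        "checked": len(src),
        "missing": sorted(k for k in src if k not in dst),
        "size_mismatch": sorted(k for k in src if k in dst and src[k] != dst[k]),
    }


def _put(root: Path, folder: str, sub: str, name: str, body: bytes) -> None:
    d = root / folder / sub
    d.mkdir(parents=True, exist_ok=True)
    (d / name).write_bytes(body)


def demo() -> dict:
    """Constructed source Maildir and a deliberately imperfect copy of it."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "src"), Path(tmp, "backup")
        msg = b"Subject: hi\r\n\r\nbody\r\n"
        # delivered into new/ before the copy, read (moved to cur/) after: fine
        _put(src, "", "new", "1581274800.M1P100.mx", msg)
        _put(dst, "", "cur", "1581274800.M1P100.mx:2,S", msg)
        # present in both, in a subfolder
        _put(src, ".Sent", "cur", "1581274801.M2P100.mx:2,S", msg)
        _put(dst, ".Sent", "cur", "1581274801.M2P100.mx:2,S", msg)
        # delivery still in progress at the source: must be ignored
        _put(src, "", "tmp", "1581274802.M3P100.mx", msg)
        # copied short (interrupted transfer): reported as size_mismatch
        _put(src, "", "cur", "1581274803.M4P100.mx:2,", msg)
        _put(dst, "", "cur", "1581274803.M4P100.mx:2,", msg[:5])
        # never copied: reported as missing
        _put(src, "", "cur", "1581274804.M5P100.mx:2,S", msg)
        return verify_backup(src, dst)


if __name__ == "__main__":
    print(demo())
```

Run verify_backup() with the live mail root (or the mounted LVM snapshot the copy was taken from) as source and the rsync target as backup. It deliberately checks message files only: the dovecot.index* files mentioned in the thread are rebuilt by Dovecot when absent, whereas dovecot-uidlist in each folder is what keeps IMAP UIDs stable, so that file should stay in the copy even though this check does not compare it.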