got a listener on 993

2020-04-13 Thread David Mehler
Hello,

Before I get into my question: from a security perspective, is SSL/TLS on
port 993 or STARTTLS on port 143 better?

I've noticed that I've got a Dovecot listener on port 993; below is my
doveconf -n output. I don't have an imaps listener uncommented — should I
do so and set its port to 0? Will that disable the 993 listener?
Thanks.
Dave.

# 2.3.10 (0da0eff44): /usr/local/etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.10 (bf8ef1c2)
# OS: FreeBSD 12.1-RELEASE-p2 amd64
# Hostname: hostname.example.com
auth_cache_size = 10 M
auth_default_realm = example.com
auth_mechanisms = plain login
auth_realms = example.com
dict {
  lastlogin = mysql:/usr/local/etc/dovecot/dovecot-last-login.conf
}
first_valid_gid = 2100
first_valid_uid = 2100
hostname = hostname.example.com
imap_client_workarounds = delay-newhostname tb-extra-hostnamebox-sep
tb-lsub-flags
imap_idle_notify_interval = 1 mins
last_valid_gid = 2100
last_valid_uid = 2100
lda_hostnamebox_autocreate = yes
lda_hostnamebox_autosubscribe = yes
lda_original_recipient_header = X-Original-To
listen = xxx.xxx.xxx.xxx
lmtp_rcpt_check_quota = yes
log_timestamp = "%Y-%m-%d %H:%M:%S "
hostname_access_groups = vhostname
hostname_fsync = never
hostname_gid = vhostname
hostname_home = /var/vhostname/hostnameboxes/%d/%n
hostname_location = dbox:~/hostname
hostname_plugins = acl fts fts_lucene mail_log notify quota trash
virtual welcome zlib mail_crypt
hostname_privileged_group = vhostname
hostname_server_admin = hostnameto:postmas...@example.com
hostname_uid = vhostname
managesieve_notify_capability = hostnameto
managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric
relational regex imap4flags copy include variables body enotify
environment hostnamebox date index ihave duplicate mime foreverypart
extracttext spamtest spamtestplus virustest editheader imapflags
notify imapsieve vnd.dovecot.imapsieve
namespace {
  location = 
sdbox:/var/vhostname/public/:CONTROL=~/hostname/public:INDEX=~/hostname/public
  prefix = Public/
  separator = /
  subscriptions = yes
  type = public
}
namespace {
  hidden = no
  list = yes
  location = 
hostnamedir:/var/vhostname/shared/office/.hostnamedir:CONTROL=~/.hostnamedir/control/office:INDEX=~/.hostnamedir/index/office
  prefix = shared/%%u/
  separator = /
  subscriptions = yes
  type = shared
}
namespace inbox {
  inbox = yes
  location =
  hostnamebox Drafts {
auto = subscribe
special_use = \Drafts
  }
  hostnamebox Sent {
auto = subscribe
special_use = \Sent
  }
  hostnamebox Spam {
auto = subscribe
autoexpunge = 30 days
special_use = \Junk
  }
  hostnamebox Trash {
auto = subscribe
autoexpunge = 30 days
special_use = \Trash
  }
  prefix =
  separator = /
  type = private
}
passdb {
  args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  acl = vfile:/usr/local/etc/dovecot/global-acls:cache_secs=300
  fts = lucene
  fts_autoindex = yes
  fts_autoindex_exclude = \Junk
  fts_autoindex_exclude2 = \Trash
  fts_autoindex_exclude3 = \Spam
  fts_autoindex_max_recent_msgs = 80
  fts_index_timeout = 90
  fts_lucene = whitespace_chars=@. normalize no_snowball
  imapsieve_hostnamebox1_before =
file:/var/vhostname/sieve/global/learn-spam.sieve
  imapsieve_hostnamebox1_causes = COPY
  imapsieve_hostnamebox1_name = Spam
  imapsieve_hostnamebox2_before =
file:/var/vhostname/sieve/global/learn-ham.sieve
  imapsieve_hostnamebox2_causes = COPY
  imapsieve_hostnamebox2_from = Spam
  imapsieve_hostnamebox2_name = *
  last_login_dict = proxy::lastlogin
  last_login_key = # hidden, use -P to show it
  hostname_crypt_curve = prime256v1
  hostname_crypt_global_private_key = # hidden, use -P to show it
  hostname_crypt_global_public_key = # hidden, use -P to show it
  hostname_crypt_save_version = 2
  hostname_log_events = delete undelete expunge copy
hostnamebox_delete hostnamebox_rename
  hostname_log_fields = uid box msgid size
  quota = count:User quota
  quota_exceeded_message = Storage quota for this account has been
exceeded, please try again later.
  quota_grace = 10%%
  quota_rule2 = Trash:ignore
  quota_status_nouser = DUNNO
  quota_status_overquota = 552 5.2.2 hostnamebox is full
  quota_status_success = DUNNO
  quota_vsizes = true
  quota_warning = storage=100%% quota-exceeded 100 %u
  quota_warning2 = storage=95%% quota-warning 95 %u
  quota_warning3 = storage=90%% quota-warning 90 %u
  quota_warning4 = storage=85%% quota-warning 85 %u
  quota_warning5 = storage=75%% quota-warning 75 %u
  sieve = 
file:/var/vhostname/sieve/%d/%n/scripts;active=/var/vhostname/sieve/%d/%n/active-script.sieve
  sieve_before = /var/vhostname/sieve/global/spam-global.sieve
  sieve_extensions = +notify +imapflags +spamtest +spamtestplus
+virustest +editheader
  sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.execute
+vnd.dovecot.environment
  sieve_max_redirects = 30
  sieve_max_script_size = 1M
  sieve_pipe_bin_dir = /usr/bin
  sieve_plugins 

replication_full_sync_interval

2020-04-13 Thread Ivo

The default value for replication_full_sync_interval is 24 hours.
How is it then possible to get doveadm replicator status results like
this one?


username    priority fast sync full sync success sync failed
someuser    none 24:23:39  24:23:39 24:23:37 -

# doveconf -a | grep replication_full_sync_interval
replication_full_sync_interval = 1 days

# dovecot --version
2.2.33.2 (d6601f4ec)





Re: Unable to set ssl_min_protocol=TLSv1.3

2020-04-13 Thread Aki Tuomi


> On 13/04/2020 12:35 Thomas Schneider  wrote:
> 
>  
> Good $daytime,
> 
> as per the recommendations of Mozilla’s SSL config generator[0], I
> wanted to set ssl_min_protocol=TLSv1.3 in my dovecot config.  This
> produced the error:
> 
>   imap-login: Error: Failed to initialize SSL server context: Unknown
>   ssl_min_protocol setting 'TLSv1.3'
> 
> After some digging, I found the function that parses this setting in
> src/lib-ssl-iostream/iostream-openssl-common.c
> (openssl_min_protocol_to_options()), which maps strings such as
> SSL_TXT_TLSV1_2 == "TLSv1.2" (from openssl/ssl.h) to the appropriate
> version and option defines of OpenSSL.
> 
> Said openssl/ssl.h does not contain a SSL_TXT_TLSV1_3, so it’s no
> surprise that dovecot does not know this setting.  As a quick fix, I
> could probably extend struct {…} protocol_versions[] (in
> iostream-openssl-common.c again) with an appropriate "TLSv1.3" entry
> (and send a patch), though I would also suggest to OpenSSL to add a
> SSL_TXT_TLSV1_3 define.
> 
> Unfortunately, I have not found a config setting in dovecot to set
> SSL_OP_NO_TLSv1_2, or in fact any way to enforce TLS >=1.3, except maybe
> via the cipher list string.
> 
> I think that dovecot should support setting this, and I’d also gladly
> provide a patch.
> 
> Thanks,
> Thomas

Hi!

What version of Dovecot are you using? What OS/distro are you using?

I'm guessing you're seeing this; see 
https://dovecot.org/pipermail/dovecot/2019-December/117799.html

Aki


Unable to set ssl_min_protocol=TLSv1.3

2020-04-13 Thread Thomas Schneider
Good $daytime,

as per the recommendations of Mozilla’s SSL config generator[0], I
wanted to set ssl_min_protocol=TLSv1.3 in my dovecot config.  This
produced the error:

  imap-login: Error: Failed to initialize SSL server context: Unknown
  ssl_min_protocol setting 'TLSv1.3'

After some digging, I found the function that parses this setting in
src/lib-ssl-iostream/iostream-openssl-common.c
(openssl_min_protocol_to_options()), which maps strings such as
SSL_TXT_TLSV1_2 == "TLSv1.2" (from openssl/ssl.h) to the appropriate
version and option defines of OpenSSL.

Said openssl/ssl.h does not contain a SSL_TXT_TLSV1_3, so it’s no
surprise that dovecot does not know this setting.  As a quick fix, I
could probably extend struct {…} protocol_versions[] (in
iostream-openssl-common.c again) with an appropriate "TLSv1.3" entry
(and send a patch), though I would also suggest to OpenSSL to add a
SSL_TXT_TLSV1_3 define.

Unfortunately, I have not found a config setting in dovecot to set
SSL_OP_NO_TLSv1_2, or in fact any way to enforce TLS >=1.3, except maybe
via the cipher list string.

I think that dovecot should support setting this, and I’d also gladly
provide a patch.

Thanks,
Thomas

[0]: 
https://ssl-config.mozilla.org/#server=dovecot&version=2.3.4.1&config=modern&openssl=1.1.1d&guideline=5.4




Re: %d ignored from auth-passwdfile.conf.ext configuration file

2020-04-13 Thread Andrei Petru Mura
I retried with the right user in Thunderbird and it's working.
Thanks.

On Mon, Apr 13, 2020 at 1:20 PM Andrei Petru Mura 
wrote:

> I tried to log in as test@some_domain from the Thunderbird client. However,
> I get this logged after the previously mentioned log:
> imap-login: Disconnected (auth failed, 2 attempts in 14 secs):
> user=, method=PLAIN, rip=some.ip.addr.here, lip=another.ip.addr.here,
> TLS, session=
>
> On Mon, Apr 13, 2020 at 1:16 PM Ivo <
> c.e4ed1a035298f9021dcfbca4d511c...@ultra.hr> wrote:
>
>> Did you try to log in as user "test" or "test@some_domain" ?
>> It seems to me that you did not use the full username (Error:
>> passwd-file(test,).
>> ( %d is the domain part of user@domain; it is empty if the user has no domain )
>>
>>
>> On 13.4.2020. 11:05, Andrei Petru Mura wrote:
>> > I try to configure dovecot with virtual users. I put my users file in
>> > folder /etc/dovecot/my_domain_name/users.
>> > My auth-passwdfile.conf.ext file looks like this:
>> > passdb {
>> >   driver = passwd-file
>> >   args = username_format=%n /etc/dovecot/%d/users
>> > }
>> >
>> > When I try to log in, I get this:
>> > dovecot: auth: Error:
>> > passwd-file(test,some.ip.addr.here,):
>> > stat(/etc/dovecot//users) failed: No such file or directory
>> >
>> > As you can see, %d isn't interpreted. Why is this happening? Any hints?
>> >
>> > Thanks,
>> > Mura Andrei
>>
>>


Re: %d ignored from auth-passwdfile.conf.ext configuration file

2020-04-13 Thread Ivo

Did you try to log in as user "test" or "test@some_domain" ?
It seems to me that you did not use the full username (Error: 
passwd-file(test,).

( %d is the domain part of user@domain; it is empty if the user has no domain )


On 13.4.2020. 11:05, Andrei Petru Mura wrote:
I try to configure dovecot with virtual users. I put my users file in 
folder /etc/dovecot/my_domain_name/users.

My auth-passwdfile.conf.ext file looks like this:
passdb {
  driver = passwd-file
  args = username_format=%n /etc/dovecot/%d/users
}

When I try to log in, I get this:
dovecot: auth: Error: 
passwd-file(test,some.ip.addr.here,): 
stat(/etc/dovecot//users) failed: No such file or directory


As you can see, %d isn't interpreted. Why is this happening? Any hints?

Thanks,
Mura Andrei




%d ignored from auth-passwdfile.conf.ext configuration file

2020-04-13 Thread Andrei Petru Mura
I try to configure dovecot with virtual users. I put my users file in
folder /etc/dovecot/my_domain_name/users.
My auth-passwdfile.conf.ext file looks like this:
passdb {
  driver = passwd-file
  args = username_format=%n /etc/dovecot/%d/users
}

When I try to log in, I get this:
dovecot: auth: Error:
passwd-file(test,some.ip.addr.here,):
stat(/etc/dovecot//users) failed: No such file or directory

As you can see, %d isn't interpreted. Why is this happening? Any hints?

Thanks,
Mura Andrei


Re: Missing permissions

2020-04-13 Thread Andrei Petru Mura
Hi Aki,

You did a great job. God bless you! :)
I think it will work now. I'll come with feedback if that's the case after
applying this on my server. I just want to mention one little thing below
(which may be of some importance).
In my system, instead of /home/mail/domain/test/Maildir, I have
*/some_other_custom_dir/mail/my_domain_name/test/Maildir/*. From the
*dovecot_selinux* man page I can see that the *mail_home_rw_t* directories
are:
/root/Maildir(/.*)?
/root/.esmtp_queue(/.*)?
/home/[^/]+/.maildir(/.*)?
/home/[^/]+/Maildir(/.*)?
/home/[^/]+/.esmtp_queue(/.*)?
which, it seems to me, doesn't match the directory path I provided anyway
(this is the first time I've knowingly interacted with SELinux).
I think this shouldn't affect the documented issue, but I wanted to let you
know in case you think it does.

Thanks and have a nice day,
Mura Andrei

On Sun, Apr 12, 2020 at 10:52 PM Aki Tuomi 
wrote:

>
> > On 11/04/2020 15:57 Aki Tuomi  wrote:
> >
> >
> >
> >
> > > On 11/04/2020 15:47 Alex JOST < jost+li...@dimejo.at> wrote:
> > >
> > >
> > >
> > >
> > > Am 11.04.2020 um 13:00 schrieb Andrei Petru Mura:
> > > > Hi,
> > > >
> > > >
> > > > After configuring systemd unit with ReadWritePaths=/home/mail, I get
> the
> > > > following error logs in audit:
> > > > type=AVC msg=audit(1586604621.637:6736): avc: denied { write } for
> > > > pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738
> > > > scontext=system_u:system_r:dovecot_t:s0
> > > > tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir
> permissive=0
> > > > type=SYSCALL msg=audit(1586604621.637:6736): arch=c03e syscall=83
> > > > success=no exit=-13 a0=55b493a7f338 a1=1ed a2=
> a3=fcd8
> > > > items=0 ppid=12735 pid=12750 auid=4294967295 uid=1005 gid=1005
> euid=1005
> > > > suid=1005 fsuid=1005 egid=1005 sgid=1005 fsgid=1005 tty=(none)
> > > > ses=4294967295 comm="imap" exe="/usr/libexec/dovecot/imap"
> > > > subj=system_u:system_r:dovecot_t:s0 key=(null)
> > > > type=PROCTITLE msg=audit(1586604621.637:6736):
> proctitle="dovecot/imap"
> > > > type=AVC msg=audit(1586604621.638:6737): avc: denied { write } for
> > > > pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738
> > > > scontext=system_u:system_r:dovecot_t:s0
> > > > tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir
> permissive=0
> > > > type=SYSCALL msg=audit(1586604621.638:6737): arch=c03e syscall=21
> > > > success=no exit=-13 a0=55b493a7f508 a1=2 a2=55b493a7f388 a3=fffe
> > > > items=0 ppid=12735 pid=12750 auid=4294967295 uid=1005 gid=1005
> euid=1005
> > > > suid=1005 fsuid=1005 egid=1005 sgid=1005 fsgid=1005 tty=(none)
> > > > ses=4294967295 comm="imap" exe="/usr/libexec/dovecot/imap"
> > > > subj=system_u:system_r:dovecot_t:s0 key=(null)
> > > > type=PROCTITLE msg=audit(1586604621.638:6737):
> proctitle="dovecot/imap"
> > > >
> > > >
> > > > I have SELinux enabled, on CentOS.
> > > > If I run:
> > > > audit2why < /var/log/audit/audit.log
> > > >
> > > >
> > > > I get:
> > > > type=AVC msg=audit(1586601301.044:6707): avc: denied { write } for
> > > > pid=9930 comm="imap" name="Maildir" dev="dm-3" ino=438370738
> > > > scontext=system_u:system_r:dovecot_t:s0
> > > > tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir
> permissive=0
> > > >
> > > >
> > > > Was caused by:
> > > > Missing type enforcement (TE) allow rule.
> > > >
> > > >
> > > > I think it's important to know that I'm trying to use dovecot with
> virtual
> > > > users. If I try to configure it with PAM authentication using system
> users,
> > > > it works well.
> > > >
> > > >
> > > > Any suggestions on this?
> > > Looks like /home/mail as mail store isn't included in the default
> > > SELinux policy. Did you make sure that the correct SELinux type is set
> > > on the directories?
> > > https://www.unix.com/man-page/centos/8/dovecot_selinux/
> > >
> > >
> > >
> > >
> > > If this isn't enough to get you going you might need to create your own
> > > policy. The following steps should be all that it takes to create your
> > > own policy.
> > >
> > >
> > > Check that grep includes only lines that you want included in your new
> > > policy:
> > > grep dovecot /var/log/audit/audit.log | audit2allow -w
> > >
> > >
> > > Create your new policy for Dovecot and install it:
> > > grep dovecot /var/log/audit/audit.log | audit2allow -M dovecot_custom
> > > semodule -i dovecot_custom.pp
> > >
> > >
> > > --
> > > Alex JOST
> >
> >
> >
> >
> > Or just label the directory with mail_home_rw_t
> >
> >
> > ---
> > Aki Tuomi
> >
>
> I took the time to document suitable approach to this problem. You can
> check it here https://github.com/dovecot/documentation/pull/63/files
>
> Aki
>