got a listener on 993
Hello,

Before I get into my question: is SSL on 993 or STARTTLS on 143 better from a security perspective?

I've noticed that I've got a dovecot listener on port 993; below is my doveconf -n output. I don't have an imaps listener uncommented. Should I do so and set its port to 0? Will that disable the 993 listener?

Thanks.
Dave.

# 2.3.10 (0da0eff44): /usr/local/etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.10 (bf8ef1c2)
# OS: FreeBSD 12.1-RELEASE-p2 amd64
# Hostname: hostname.example.com
auth_cache_size = 10 M
auth_default_realm = example.com
auth_mechanisms = plain login
auth_realms = example.com
dict {
  lastlogin = mysql:/usr/local/etc/dovecot/dovecot-last-login.conf
}
first_valid_gid = 2100
first_valid_uid = 2100
hostname = hostname.example.com
imap_client_workarounds = delay-newmail tb-extra-mailbox-sep tb-lsub-flags
imap_idle_notify_interval = 1 mins
last_valid_gid = 2100
last_valid_uid = 2100
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
lda_original_recipient_header = X-Original-To
listen = xxx.xxx.xxx.xxx
lmtp_rcpt_check_quota = yes
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_access_groups = vmail
mail_fsync = never
mail_gid = vmail
mail_home = /var/vmail/mailboxes/%d/%n
mail_location = dbox:~/mail
mail_plugins = acl fts fts_lucene mail_log notify quota trash virtual welcome zlib mail_crypt
mail_privileged_group = vmail
mail_server_admin = mailto:postmas...@example.com
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext spamtest spamtestplus virustest editheader imapflags notify imapsieve vnd.dovecot.imapsieve
namespace {
  location = sdbox:/var/vmail/public/:CONTROL=~/mail/public:INDEX=~/mail/public
  prefix = Public/
  separator = /
  subscriptions = yes
  type = public
}
namespace {
  hidden = no
  list = yes
  location = maildir:/var/vmail/shared/office/.maildir:CONTROL=~/.maildir/control/office:INDEX=~/.maildir/index/office
  prefix = shared/%%u/
  separator = /
  subscriptions = yes
  type = shared
}
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox Spam {
    auto = subscribe
    autoexpunge = 30 days
    special_use = \Junk
  }
  mailbox Trash {
    auto = subscribe
    autoexpunge = 30 days
    special_use = \Trash
  }
  prefix =
  separator = /
  type = private
}
passdb {
  args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  acl = vfile:/usr/local/etc/dovecot/global-acls:cache_secs=300
  fts = lucene
  fts_autoindex = yes
  fts_autoindex_exclude = \Junk
  fts_autoindex_exclude2 = \Trash
  fts_autoindex_exclude3 = \Spam
  fts_autoindex_max_recent_msgs = 80
  fts_index_timeout = 90
  fts_lucene = whitespace_chars=@. normalize no_snowball
  imapsieve_mailbox1_before = file:/var/vmail/sieve/global/learn-spam.sieve
  imapsieve_mailbox1_causes = COPY
  imapsieve_mailbox1_name = Spam
  imapsieve_mailbox2_before = file:/var/vmail/sieve/global/learn-ham.sieve
  imapsieve_mailbox2_causes = COPY
  imapsieve_mailbox2_from = Spam
  imapsieve_mailbox2_name = *
  last_login_dict = proxy::lastlogin
  last_login_key = # hidden, use -P to show it
  mail_crypt_curve = prime256v1
  mail_crypt_global_private_key = # hidden, use -P to show it
  mail_crypt_global_public_key = # hidden, use -P to show it
  mail_crypt_save_version = 2
  mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
  mail_log_fields = uid box msgid size
  quota = count:User quota
  quota_exceeded_message = Storage quota for this account has been exceeded, please try again later.
  quota_grace = 10%%
  quota_rule2 = Trash:ignore
  quota_status_nouser = DUNNO
  quota_status_overquota = 552 5.2.2 Mailbox is full
  quota_status_success = DUNNO
  quota_vsizes = true
  quota_warning = storage=100%% quota-exceeded 100 %u
  quota_warning2 = storage=95%% quota-warning 95 %u
  quota_warning3 = storage=90%% quota-warning 90 %u
  quota_warning4 = storage=85%% quota-warning 85 %u
  quota_warning5 = storage=75%% quota-warning 75 %u
  sieve = file:/var/vmail/sieve/%d/%n/scripts;active=/var/vmail/sieve/%d/%n/active-script.sieve
  sieve_before = /var/vmail/sieve/global/spam-global.sieve
  sieve_extensions = +notify +imapflags +spamtest +spamtestplus +virustest +editheader
  sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.execute +vnd.dovecot.environment
  sieve_max_redirects = 30
  sieve_max_script_size = 1M
  sieve_pipe_bin_dir = /usr/bin
  sieve_plugins
replication_full_sync_interval
Default value for replication_full_sync_interval is 24 hours. How is it then possible to get doveadm replicator status results like this one?

username   priority   fast sync   full sync   success sync   failed
someuser   none       24:23:39    24:23:39    24:23:37       -

# doveconf -a | grep replication_full_sync_interval
replication_full_sync_interval = 1 days

# dovecot --version
2.2.33.2 (d6601f4ec)
Re: Unable to set ssl_min_protocol=TLSv1.3
> On 13/04/2020 12:35 Thomas Schneider wrote:
>
> Good $daytime,
>
> as per the recommendations of Mozilla’s SSL config generator[0], I wanted to set ssl_min_protocol=TLSv1.3 in my dovecot config. This produced the error:
>
> imap-login: Error: Failed to initialize SSL server context: Unknown ssl_min_protocol setting 'TLSv1.3'
>
> After some digging, I found the function that parses this setting in src/lib-ssl-iostream/iostream-openssl-common.c (openssl_min_protocol_to_options()), which maps strings such as SSL_TXT_TLSV1_2 == "TLSv1.2" (from openssl/ssl.h) to the appropriate version and option defines of OpenSSL.
>
> Said openssl/ssl.h does not contain a SSL_TXT_TLSV1_3, so it’s no surprise that dovecot does not know this setting. As a quick fix, I could probably extend struct {…} protocol_versions[] (in iostream-openssl-common.c again) with an appropriate "TLSv1.3" entry (and send a patch), though I would also suggest to OpenSSL to add a SSL_TXT_TLSV1_3 define.
>
> Unfortunately, I have not found a config setting in dovecot to set SSL_OP_NO_TLSv1_2, or in fact any way to enforce TLS >=1.3, except maybe via the cipher list string.
>
> I think that dovecot should support setting this, and I’d also gladly provide a patch.
>
> Thanks,
> Thomas

Hi!

What version of Dovecot are you using? What OS/distro are you using?

I'm guessing you're seeing this, see https://dovecot.org/pipermail/dovecot/2019-December/117799.html

Aki
Unable to set ssl_min_protocol=TLSv1.3
Good $daytime,

as per the recommendations of Mozilla’s SSL config generator[0], I wanted to set ssl_min_protocol=TLSv1.3 in my dovecot config. This produced the error:

imap-login: Error: Failed to initialize SSL server context: Unknown ssl_min_protocol setting 'TLSv1.3'

After some digging, I found the function that parses this setting in src/lib-ssl-iostream/iostream-openssl-common.c (openssl_min_protocol_to_options()), which maps strings such as SSL_TXT_TLSV1_2 == "TLSv1.2" (from openssl/ssl.h) to the appropriate version and option defines of OpenSSL.

Said openssl/ssl.h does not contain a SSL_TXT_TLSV1_3, so it’s no surprise that dovecot does not know this setting. As a quick fix, I could probably extend struct {…} protocol_versions[] (in iostream-openssl-common.c again) with an appropriate "TLSv1.3" entry (and send a patch), though I would also suggest to OpenSSL to add a SSL_TXT_TLSV1_3 define.

Unfortunately, I have not found a config setting in dovecot to set SSL_OP_NO_TLSv1_2, or in fact any way to enforce TLS >=1.3, except maybe via the cipher list string.

I think that dovecot should support setting this, and I’d also gladly provide a patch.

Thanks,
Thomas

[0]: https://ssl-config.mozilla.org/#server=dovecot=2.3.4.1=modern=1.1.1d=5.4
Re: %d ignored from auth-passwdfile.conf.ext configuration file
I retried with right user in thunderbird and it's working. Thanks.

On Mon, Apr 13, 2020 at 1:20 PM Andrei Petru Mura wrote:
> I tried to log in as test@some_domain. From thunderbird client. Although, I get this logged after before mentioned log:
> imap-login: Disconnected (auth failed, 2 attempts in 14 secs): user=, method=PLAIN, rip=some.ip.addr.here, lip=another.ip.addr.here, TLS, session=
>
> On Mon, Apr 13, 2020 at 1:16 PM Ivo <c.e4ed1a035298f9021dcfbca4d511c...@ultra.hr> wrote:
>> Did you try to log in as user "test" or "test@some_domain" ?
>> It seems to me that you did not use full username (Error: passwd-file(test,).
>> ( %d domain domain part in user@domain, empty if user with no domain )
>>
>> On 13.4.2020. 11:05, Andrei Petru Mura wrote:
>>> I try to configure dovecot with virtual users. I put my users file in folder /etc/dovecot/my_domain_name/users.
>>> My auth-passwdfile.conf.ext file looks like this:
>>> passdb {
>>>   driver = passwd-file
>>>   args = username_format=%n /etc/dovecot/%d/users
>>> }
>>>
>>> When I try to log in, I get this:
>>> dovecot: auth: Error: passwd-file(test,some.ip.addr.here,): stat(/etc/dovecot//users) failed: No such file or directory
>>>
>>> As you can see, %d isn't interpreted. Why is this happening? Any hints?
>>>
>>> Thanks,
>>> Mura Andrei
Re: %d ignored from auth-passwdfile.conf.ext configuration file
Did you try to log in as user "test" or "test@some_domain" ?
It seems to me that you did not use full username (Error: passwd-file(test,).
( %d domain domain part in user@domain, empty if user with no domain )

On 13.4.2020. 11:05, Andrei Petru Mura wrote:
> I try to configure dovecot with virtual users. I put my users file in folder /etc/dovecot/my_domain_name/users.
> My auth-passwdfile.conf.ext file looks like this:
> passdb {
>   driver = passwd-file
>   args = username_format=%n /etc/dovecot/%d/users
> }
>
> When I try to log in, I get this:
> dovecot: auth: Error: passwd-file(test,some.ip.addr.here,): stat(/etc/dovecot//users) failed: No such file or directory
>
> As you can see, %d isn't interpreted. Why is this happening? Any hints?
>
> Thanks,
> Mura Andrei
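To see why a login without a domain turns `/etc/dovecot/%d/users` into `/etc/dovecot//users`, here is an added Python re-implementation of the %n / %d / %u expansion Dovecot applies to passdb args. This is illustrative code written for this page, not Dovecot's own, and the `check_path` helper is a hypothetical sanity check, not a Dovecot feature.

```python
# Added example: a small re-implementation of Dovecot's %n / %d / %u
# variable expansion as applied to `args = ... /etc/dovecot/%d/users`.
# Illustrative only; not Dovecot's own code.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class LoginName:
    user: str    # %n: part before '@'
    domain: str  # %d: part after '@', "" when the client sent no domain

    @classmethod
    def parse(cls, raw: str) -> "LoginName":
        # Dovecot splits on the first '@'; with no '@' the domain is empty.
        local, sep, domain = raw.partition("@")
        return cls(user=local, domain=domain if sep else "")

    @property
    def full(self) -> str:
        """%u: the full username as the client sent it."""
        return f"{self.user}@{self.domain}" if self.domain else self.user


def expand(template: str, login: LoginName) -> str:
    """Expand %n, %d, %u and %% in a passdb args template."""
    table: Dict[str, str] = {"%n": login.user, "%d": login.domain,
                             "%u": login.full, "%%": "%"}
    out, i = [], 0
    while i < len(template):
        token = template[i:i + 2]
        if token in table:
            out.append(table[token])
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def passwd_file_path(raw_login: str,
                     template: str = "/etc/dovecot/%d/users") -> str:
    return expand(template, LoginName.parse(raw_login))


def check_path(raw_login: str) -> Optional[str]:
    """Hypothetical sanity check: report when an empty %d collapsed the path."""
    path = passwd_file_path(raw_login)
    if "//" in path:
        return f"%d is empty for login {raw_login!r}; stat({path}) will fail"
    return None
```

Running `check_path("test")` reproduces the thread's failure, while `check_path("test@some_domain")` returns None because %d is populated.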
%d ignored from auth-passwdfile.conf.ext configuration file
I try to configure dovecot with virtual users. I put my users file in folder /etc/dovecot/my_domain_name/users.
My auth-passwdfile.conf.ext file looks like this:

passdb {
  driver = passwd-file
  args = username_format=%n /etc/dovecot/%d/users
}

When I try to log in, I get this:

dovecot: auth: Error: passwd-file(test,some.ip.addr.here,): stat(/etc/dovecot//users) failed: No such file or directory

As you can see, %d isn't interpreted. Why is this happening? Any hints?

Thanks,
Mura Andrei
Re: Missing permissions
Hi Aki,

You did a great job. God bless you! :)
I think it will work now. I'll come with feedback if that's the case after applying this on my server.

I just want to mention one little thing below (which possibly has some importance). In my system, instead of /home/mail/domain/test/Maildir, I have /some_other_custom_dir/mail/my_domain_name/test/Maildir/. From dovecot_selinux's man page I can see that mail_home_rw_t directories are:

/root/Maildir(/.*)?
/root/.esmtp_queue(/.*)?
/home/[^/]+/.maildir(/.*)?
/home/[^/]+/Maildir(/.*)?
/home/[^/]+/.esmtp_queue(/.*)?

which anyway, seems to me, doesn't match the initial directory path which I provided (it's the first time when I knowledgeably interact with SELinux). I think this shouldn't impact the documented issue, but if you think it does, I wanted to inform you.

Thanks and have a nice day,
Mura Andrei

On Sun, Apr 12, 2020 at 10:52 PM Aki Tuomi wrote:
>
> > On 11/04/2020 15:57 Aki Tuomi wrote:
> >
> > > On 11/04/2020 15:47 Alex JOST <jost+li...@dimejo.at> wrote:
> > >
> > > Am 11.04.2020 um 13:00 schrieb Andrei Petru Mura:
> > > > Hi,
> > > >
> > > > After configuring systemd unit with ReadWritePaths=/home/mail, I get the following error logs in audit:
> > > > type=AVC msg=audit(1586604621.637:6736): avc: denied { write } for pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
> > > > type=SYSCALL msg=audit(1586604621.637:6736): arch=c03e syscall=83 success=no exit=-13 a0=55b493a7f338 a1=1ed a2= a3=fcd8 items=0 ppid=12735 pid=12750 auid=4294967295 uid=1005 gid=1005 euid=1005 suid=1005 fsuid=1005 egid=1005 sgid=1005 fsgid=1005 tty=(none) ses=4294967295 comm="imap" exe="/usr/libexec/dovecot/imap" subj=system_u:system_r:dovecot_t:s0 key=(null)
> > > > type=PROCTITLE msg=audit(1586604621.637:6736): proctitle="dovecot/imap"
> > > > type=AVC msg=audit(1586604621.638:6737): avc: denied { write } for pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
> > > > type=SYSCALL msg=audit(1586604621.638:6737): arch=c03e syscall=21 success=no exit=-13 a0=55b493a7f508 a1=2 a2=55b493a7f388 a3=fffe items=0 ppid=12735 pid=12750 auid=4294967295 uid=1005 gid=1005 euid=1005 suid=1005 fsuid=1005 egid=1005 sgid=1005 fsgid=1005 tty=(none) ses=4294967295 comm="imap" exe="/usr/libexec/dovecot/imap" subj=system_u:system_r:dovecot_t:s0 key=(null)
> > > > type=PROCTITLE msg=audit(1586604621.638:6737): proctitle="dovecot/imap"
> > > >
> > > > I have SELinux enabled, on CentOS.
> > > > If I run:
> > > > audit2why < /var/log/audit/audit.log
> > > >
> > > > I get:
> > > > type=AVC msg=audit(1586601301.044:6707): avc: denied { write } for pid=9930 comm="imap" name="Maildir" dev="dm-3" ino=438370738 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
> > > >
> > > > Was caused by:
> > > > Missing type enforcement (TE) allow rule.
> > > >
> > > > I think it's important to know that I'm trying to use dovecot with virtual users. If I try to configure it with PAM authentication using system users, it works well.
> > > >
> > > > Any suggestions on this?
> > >
> > > Looks like /home/mail as mail store isn't included in the default SELinux policy. Did you make sure that the correct SELinux type is set on the directories?
> > > https://www.unix.com/man-page/centos/8/dovecot_selinux/
> > >
> > > If this isn't enough to get you going you might need to create your own policy. The following steps should be all that it takes to create your own policy.
> > >
> > > Check that grep includes only lines that you want included in your new policy:
> > > grep dovecot /var/log/audit/audit.log | audit2allow -w
> > >
> > > Create your new policy for Dovecot and install it:
> > > grep dovecot /var/log/audit/audit.log | audit2allow -M dovecot_custom
> > > semodule -i dovecot_custom.pp
> > >
> > > --
> > > Alex JOST
> >
> > Or just label the directory with mail_home_rw_t
> >
> > ---
> > Aki Tuomi
>
> I took the time to document suitable approach to this problem. You can check it here https://github.com/dovecot/documentation/pull/63/files
>
> Aki
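Before piping a whole audit log into audit2allow, it helps to see exactly which source type, target type and permission each denial is about, since the two fixes discussed above (relabel the store with mail_home_rw_t versus allow dovecot_t to write etc_runtime_t) differ precisely there. The parser below is an added example written for this page, not code from the thread or from Dovecot; the sample lines are constructed from the AVC records quoted above, and the `mail_home_rw_t` expectation is taken from the dovecot_selinux man page cited in the thread.

```python
# Added example: parse the AVC denials quoted in this thread and turn them
# into one finding per (source type, target type, class, permission).
# Not part of the original mail thread; the sample below is constructed
# from the quoted audit output (SYSCALL/PROCTITLE lines carry no labels).
import re
from typing import Dict, List, Optional

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

SAMPLE_AUDIT = """\
type=AVC msg=audit(1586604621.637:6736): avc: denied { write } for pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1586604621.637:6736): arch=c03e syscall=83 success=no exit=-13 comm="imap" exe="/usr/libexec/dovecot/imap"
type=AVC msg=audit(1586604621.638:6737): avc: denied { write } for pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
"""


def parse_avc(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one AVC record, or None for any other record type."""
    m = AVC_RE.match(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms")
    # A context is user:role:type:level; policy rules match on the type.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def summarize(audit_text: str, expected: str = "mail_home_rw_t") -> List[dict]:
    """Collapse repeated denials and say what the label mismatch means."""
    findings: Dict[tuple, dict] = {}
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"], rec["perms"])
        f = findings.setdefault(key, {**rec, "count": 0})
        f["count"] += 1
        f["advice"] = (f"{rec['comm']} ({rec['stype']}) was denied {rec['perms']} on "
                       f"{rec['tclass']} '{rec['name']}' labelled {rec['ttype']}; a mail "
                       f"store should carry {expected}, so relabel it instead of "
                       f"allowing {rec['stype']} to write {rec['ttype']}")
    return list(findings.values())
```

Run over a real /var/log/audit/audit.log the same function groups the repeated Maildir denials into a single finding, which is the line to check before deciding whether audit2allow would merely paper over a mislabelled directory.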