I can no longer use TLS for Windows7 and Outlook
I currently use Ubuntu 20.04 with Dovecot 2.3.7.2 and OpenSSL 1.1.1f. A few months ago there was an update to all these systems and since then I've had to talk W7 and old Mac clients through disabling ports 993/995 with TLS enabled back to ports 143/110 without SSL or they could not pick up email. Thunderbird users (i.e. me) were unaffected. Could anyone share a set of port 993/995 SSL settings known to work with Windows7 and Outlook16 using "dovecot -n|grep ^ssl_" please? Mine is currently... ssl_ca =
Re: identify 143 vs 993 clients
On 29/05/20 11:27 pm, mj wrote:
> Thanks to all who participated in the interesting discussion. It seems my initial thought might have been best after all, and discontinuing port 143 might be the safest way to proceed.

Yes and no. Some of the attack vectors mentioned are not reasonable and it really depends on the client.

Thunderbird, for example, used to have settings for plain text, TLS and "TLS if available", but the latter setting has not been available for some time, which forces the user to choose either plain text or TLS at setup time now. This means that the user would now have to change the setting in their client for a downgrade attack to work. I can't speak for all MUAs, but if they have similarly removed their "TLS if available" option, or if the users explicitly don't pick that option (you can ask them not to in your setup instructions), then that type of downgrade attack cannot occur.

The other possible downgrade attack which was not mentioned but is equally mitigated by the client is where the MITM intercepts the connection, connects to your server and issues a STARTTLS itself but presents the resulting connection as plain text to the client. This means that enforcing STARTTLS on the server side will not prevent a plain text connection through a MITM from the client. But do keep in mind that if the client is configured properly to only connect via TLS then it will refuse the connection if it is not presented with a STARTTLS option that works.

So yes, the safest way to go is to just use port 993, but as long as the client is not set to a "TLS if available" option then port 143 is also safe.

Also note that the same concerns apply for your submission server (likely postfix) using the submission port (587) and enforcing STARTTLS vs the submissions port (465), which is a direct TLS connection.

Peter
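The client-side policy Peter describes, as an added example that is not code from this thread: it parses an IMAP greeting or CAPABILITY response and shows that a "TLS required" client refuses a port 143 session whose capability list lacks STARTTLS, while a "TLS if available" client falls back to plaintext; port 993 negotiates TLS before any command, so there is nothing to strip. The port sets, policy names and the two sample server lines are constructed for the example; the same policy applies in principle to POP3 (110/995) and submission (587/465), which would need their own response parsers.

```python
"""Client-side TLS policy for IMAP: STARTTLS on 143 vs implicit TLS on 993.

Added example, not code from the thread. Models why the client's setting,
not server-side STARTTLS enforcement, decides whether a relay in the path
can downgrade the session to plaintext.
"""
import re

IMPLICIT_TLS_PORTS = {993}   # TLS handshake first; capabilities cannot be stripped
STARTTLS_PORTS = {143}       # TLS negotiated in-band after the plaintext greeting

TLS_REQUIRED = "tls-required"          # constructed policy names
TLS_IF_AVAILABLE = "tls-if-available"


def parse_capabilities(line: str) -> set[str]:
    """Return upper-cased capability tokens from an IMAP greeting of the form
    '* OK [CAPABILITY ...] text' or a '* CAPABILITY ...' response.
    Any other line yields an empty set."""
    line = line.strip()
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", line, re.IGNORECASE)
    if m:
        body = m.group(1)
    elif line.upper().startswith("* CAPABILITY "):
        body = line[len("* CAPABILITY "):]
    else:
        return set()
    return {tok.upper() for tok in body.split()}


def decide(port: int, server_line: str, policy: str) -> str:
    """Action the client takes before sending credentials:
    'implicit-tls', 'starttls', 'refuse' or 'plaintext'."""
    if port in IMPLICIT_TLS_PORTS:
        return "implicit-tls"
    if port not in STARTTLS_PORTS:
        raise ValueError(f"unknown IMAP port {port}")
    if "STARTTLS" in parse_capabilities(server_line):
        return "starttls"
    if policy == TLS_REQUIRED:
        return "refuse"      # the only safe outcome when STARTTLS is absent
    return "plaintext"       # "TLS if available" degrades silently


# Constructed samples: the server's own greeting, and the same greeting with
# STARTTLS missing, which is what the client sees through a stripping relay.
SERVER_GREETING = "* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN] Dovecot ready.\r\n"
STRIPPED_GREETING = "* OK [CAPABILITY IMAP4rev1 AUTH=PLAIN] Dovecot ready.\r\n"

if __name__ == "__main__":
    for greeting in (SERVER_GREETING, STRIPPED_GREETING):
        for policy in (TLS_REQUIRED, TLS_IF_AVAILABLE):
            print(policy, "on 143 ->", decide(143, greeting, policy))
    print("any policy on 993 ->", decide(993, "", TLS_IF_AVAILABLE))
```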
Re: Simple backup of maildir folder
On 2020-05-30 07:49, Admin Beckspaced wrote:
> On 29.05.2020 at 17:37, Francis Augusto Medeiros-Logeay wrote:
>> Hi,
>>
>> I want to do a simple backup of my maildir. I read here that maildirlock is not to be counted on in the future and the recommended option was to use doveadm backup. However, it seems that this requires setting up another dovecot server.
>>
>> My questions are:
>>
>> - How much do I need to configure this new server? Do I need to set up user by user, or even install postfix (that's where my users are configured) to get it all backed up? I tried to install dovecot and run doveadm backup, but it complains the users are not there.
>> - What's the simplest way to configure dovecot without mirroring my server so that this can work?
>>
>> Best,
>> Francis
>> ---
>> Francis Augusto Medeiros-Logeay
>> Oslo, Norway
>
> Hello Francis,
>
> I also have maildir as mailbox format and use the following script to do daily backups:
> https://github.com/tachtler/dovecot-backup
>
> There's also a more detailed how-to which explains how to do a restore. But it's only in German:
> https://www.dokuwiki.tachtler.net/doku.php?id=tachtler:dovecot_backup_-_skript
> Google Translate is your friend ;)
>
> Perhaps this might help?
>
> Greetings
> Becki

Thanks a lot Becki. I read your script, but the thing is that I want to back up to a remote server. Your script seems to be focused on a local backup. Did I get it right? But it still gives me a good idea of a possibility of backing up locally and rsyncing to another server.

--
Francis Augusto Medeiros-Logeay
Oslo, Norway
Re: Current thinking on backups ?
This all gives me an interesting idea. Currently, I only have one box running dovecot doing IMAP duties. For other systems where I want availability (specifically, postgres databases), I use manatee (https://github.com/joyent/manatee). I wonder if something similar would work to have dovecot instances bootstrap themselves:

- discover existing instances via whatever method.
- zfs send / zfs recv a snapshot from one of the existing primaries
- set up replication from one of the existing boxes.

It’s perhaps not quite as straightforward as a database that already has native definitions of “primary”, “synchronous peer”, and “asynchronous peer”. Is this something that people see as among the land of the possible or desired?

-c

> On May 29, 2020, at 10:34 PM, deano-dove...@areyes.com wrote:
>
> I run a pair of dovecot servers for personal small domains with several layers of backup in place ...
>
> - The two dovecot servers replicate to each other via a Tinc vpn mesh. That gives email resiliency.
> - All mail is replicated via offlineimap to a 3rd server over that Tinc vpn. It's on the mesh, it has space, so why not ?
> - All mail is replicated as well via mbsync to a zfs dataset on my main media server at home once an hour.
> - That zfs dataset (and others) is snapshot'd hourly, and zfs send/recv to a backup box nightly.
>
> Outside of dovecot procedures, I find mbsync to work extremely well. It was easy enough to set up a systemd timer and service to pull the mail down.
>
>
> mysync.timer
> ==
> # Run the mbsync process to sync mail down to local mediabox
>
> [Unit]
> Description=mbsync timer
> ConditionPathExists=%h/.mbsyncrc
> ConditionPathIsDirectory=/stuff/Backups/Mailsystems/mbsync-backups
>
> [Timer]
> OnBootSec=15m
> OnCalendar=hourly
> Persistent=true
>
> [Install]
> WantedBy=timers.target
>
>
> mysync.service
> ==
> # mbsync service
>
> [Unit]
> Description=mbsync backup from mailsystems
> ConditionPathExists=%h/.mbsyncrc
> ConditionPathIsDirectory=/stuff/Backups/Mailsystems/mbsync-backups
>
> [Service]
> Type=oneshot
> ExecStart=/usr/local/bin/mbsync backup
>
> [Install]
> WantedBy=default.target
>
>
> "backup" is the mbsync group that includes all the defined channels that determine what should be backed up. Transparent. In the background. Don't have to think about it, it's just there.
>
> I've done test restores to test environments via mbsync, and it all works flawlessly.
>
>
> On 2020-05-26 12:31 am, Germain Le Chapelain wrote:
>>> On 24 May 2020 at 14:42, Laura Smith wrote:
>>> Hi,
>>> What are people doing for backups ?
>>> My current process is LVM snapshot and backup from that to NFS share.
>>> But there seems to be hints around the internet that people use/abuse "doveadm backup" for backup purposes even though it seems its original intention was for transferring mailboxes between dovecot instances.
>>> Assuming its ok to "doveadm backup" to an NFS share, is it ok to use "doveadm backup" when dovecot has replication setup (replication-notify etc.) ? Or will it interfere ?
>>> Thanks!
>>> Laura
>> This has come up in the past:
>> https://dovecot.org/pipermail/dovecot/2020-February/thread.html#118206
>> I ended up developing my own system based on forwarding all emails to a program (from which I back up as they come in.)
>> I am hoping if disaster and/or misfortune were to strike my server, I could simply cat >> back all those files in order (or not come to think of it) in the /var/mail/ (or somewhere even better fit in Postfix.)
>> I am not interested in saving the state of the mailbox as much as all the mails that ever come in (or go out.)
>
> --
> Dean Carpenter
> deano is at areyes dot com
> 203 six oh four 6644

--
Coy Hile
coy.h...@coyhile.com
Re: Operation not permitted - fchown() failed for /run/dovecot/login
I had permission issues on docker; it's fixed by running a chown command at docker init.

On Fri, May 29, 2020 at 8:56 PM Dshah wrote:
> # dovecot --version
> 2.3.10.1 (a3d0e1171)
>
> Dovecot is unable to start, I see error "Fatal: fchown() failed for /run/dovecot/login: Operation not permitted"
>
> what could be the problem?
> any help please
>
>
> $ ls -la /var/mail/
> drwxr-xr-x 1 root root 4096 May 29 17:32 .
> drwxr-xr-x 1 root root 4096 May 28 17:08 ..
> drw--- 2 root root 4096 May 29 17:32 domains
>
> # cat /etc/dovecot/dovecot.conf=
> auth_mechanisms = plain login
> auth_username_format = %Lu
> auth_verbose = yes
> auth_debug = yes
> auth_debug_passwords = no
>
> log_timestamp = "%Y-%m-%d %H:%M:%S "
> login_greeting = IMAP server ready
>
> disable_plaintext_auth = no
>
> protocols = imap pop3
> log_timestamp = "%Y-%m-%d %H:%M:%S "
> mail_location = maildir:/var/mail/domains/%d/%n
>
> first_valid_gid = 105
> first_valid_uid = 102
> last_valid_gid = 105
> last_valid_uid = 102
>
> service anvil {
>   client_limit = 2100
> }
>
> ssl_cert =
> ssl_key =
> ssl_ca =
>
> namespace inbox {
>   inbox = yes
>
>   mailbox Trash {
>     auto = create
>     special_use = \Trash
>   }
>
>   mailbox Spam {
>     auto = no
>     special_use = \Junk
>   }
>
>   mailbox Ham {
>     auto = no
>   }
>   mailbox Sent {
>     auto = subscribe
>     special_use = \Sent
>   }
>
> }
> # service auth {
> #   unix_listener auth-master {
> #     mode = 0600
> #     user = vmail
> #   }
> #
> #   unix_listener /var/spool/postfix/private/auth {
> #     mode = 0666
> #     user = postfix
> #     group = postfix
> #   }
> #
> #   user = root
> # }
>
> # service auth-worker {
> #   user = root
> # }
>
> # protocol lda {
> #   log_path = /home/vmail/dovecot-deliver.log
> #   auth_socket_path = /var/run/dovecot/auth-master
> #   postmaster_address = postmas...@razalabs.com
> # }
>
> protocol pop3 {
>   pop3_uidl_format = %08Xu%08Xv
> }
>
> userdb {
>   driver = static
>   args = uid=102 gid=105 home=/var/mail/domains/%d/%n allow_all_users=yes
> }
>
> passdb {
>   driver = sql
>   args = /etc/dovecot/dovecot-sql.conf.ext
> }
>
> =/etc/dovecot/dovecot-sql.conf.ext===
> driver = mysql
> connect = host=localhost dbname=mail user=root password=pass
> default_pass_scheme = CRYPT
> password_query = SELECT email as user, password FROM users WHERE email='%u';
> =dovecot-sql.conf.ext===
>
>
> and postfix
> =/etc/postfix/main.cf===
> inet_protocols = all
> meta_directory = /etc/postfix
> shlib_directory = /usr/lib/postfix
> myhostname = mail.my-domain.com
> mynetworks = 127.0.0.0/8
> message_size_limit = 3072
> virtual_alias_domains =
> virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
> virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
> virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
> virtual_mailbox_base = /var/mail/domains
> virtual_uid_maps = static:102
> virtual_gid_maps = static:105
> smtpd_sasl_type = dovecot
> smtpd_sasl_path = /var/spool/postfix/private/auth
> smtpd_sasl_auth_enable = yes
> broken_sasl_auth_clients = yes
> smtpd_sasl_authenticated_header = yes
> smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
> smtpd_use_tls = yes
> smtpd_tls_cert_file = /secret/tls.crt
> smtpd_tls_key_file = /secret/tls.key
> #virtual_create_maildirsize = yes
> #virtual_maildir_extended = yes
> proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks
> virtual_transport = dovecot
> dovecot_destination_recipient_limit = 1
> smtpd_milters = inet:127.0.0.1:8891
> milter_default_action = accept
>
> =/etc/postfix/main.cf===
Re: Running doveadm without config file?
> On 29. May 2020, at 23.43, Joseph Tam wrote:
>
> On Fri, 29 May 2020, Sami Ketola wrote:
>
>>> # echo plaintextpass | doveadm pw -s BLF-CRYPT
>>> doveadm(user): Fatal: Error reading configuration:
>>> stat(/etc/dovecot/dovecot.conf) failed: No such file or directory
>>>
>>> Is there a way to circumvent the need for a configuration file?
>>
>> I don't think so. But you can specify the location of the config file with
>> -c /path/to/file
>> like
>>
>> echo -n plaintextpass | doveadm -c /root/emptyfile.conf pw -s SHA1
>
> Thanks, Sami.
>
> I tried this with /dev/null and /tmp/empty.conf but ran into another wall
>
> doveadm(root): Fatal: execv(/usr/bin/doveconf) failed: No such file or
> directory
>

How did you install dovecot on that system, since /usr/bin/doveconf is part of the base package?

Sami