Re: BUG: _presence_ of valid openssl.cnf Option = 'ServerPreference' causes Dovecot submission relay FAIL: "failed: Failed to initialize SSL: ..."
> On 22/09/2020 21:00 PGNet Dev wrote:
>
> On 9/22/20 10:51 AM, Aki Tuomi wrote:
> > Well, dovecot does not actually do any parsing for system-wide openssl.cnf.
> > This sounds more like OpenSSL issue than dovecot issue.
>
> I've NO issue with that config/setting with any _other_ app -- whether in general openssl-lib-linked usage, or specifically for a mail submitter (e.g., postfix). The ServerPreference setting is seen/respected/utilized as intended.
>
> It's ONLY Dovecot that's reproducibly firing the error, as reported above.
>
> It's also NOT a generalized openssl problem "with" Dovecot -- all (well, so far ...) _other_ crypto-/openssl-related capabilities in Dovecot are behaving normally.

Ok.. I can give it a quick try to see if I can reproduce this issue.

Aki
Re: BUG: _presence_ of valid openssl.cnf Option = 'ServerPreference' causes Dovecot submission relay FAIL: "failed: Failed to initialize SSL: ..."
On 9/22/20 10:51 AM, Aki Tuomi wrote:
> Well, dovecot does not actually do any parsing for system-wide openssl.cnf.
> This sounds more like OpenSSL issue than dovecot issue.

I've NO issue with that config/setting with any _other_ app -- whether in general openssl-lib-linked usage, or specifically for a mail submitter (e.g., postfix). The ServerPreference setting is seen/respected/utilized as intended.

It's ONLY Dovecot that's reproducibly firing the error, as reported above.

It's also NOT a generalized openssl problem "with" Dovecot -- all (well, so far ...) _other_ crypto-/openssl-related capabilities in Dovecot are behaving normally.
Re: BUG: _presence_ of valid openssl.cnf Option = 'ServerPreference' causes Dovecot submission relay FAIL: "failed: Failed to initialize SSL: ..."
> On 22/09/2020 20:05 PGNet Dev wrote:
>
> bump
>
> On 8/24/20 5:17 PM, PGNet Dev wrote:
> > I've
> >
> >     dovecot --version
> >         2.3.10.1 (a3d0e1171)
> >     openssl version
> >         OpenSSL 1.1.1g FIPS 21 Apr 2020
> >
> > , atm on Fedora32.
> >
> > I configure
> >
> >     /etc/pki/tls/openssl.cnf
> >
> > to set preferences for apps' usage, e.g. Postfix etc; Typically, here
> >
> >     cat /etc/pki/tls/openssl.cnf
> >
> >         openssl_conf = default_conf
> >
> >         [default_conf]
> >         ssl_conf = ssl_sect
> >
> >         [ssl_sect]
> >         system_default = system_default_sect
> >
> >         [system_default_sect]
> >         MinProtocol = TLSv1.2
> >         Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
> >         CipherString = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
> >         Options = PrioritizeChaCha,ServerPreference
> >
> > However, any/all sends from local client via Dovecot submission -- from an instance on the same server -- FAILS with that^^ openssl.cnf,
> >
> >     ==> /var/log/dovecot/dovecot.log <==
> >     ...
> >     2020-08-24 17:04:42 submission(testu...@example.com): Error: smtp-client: conn int.mx.example.net:465 (10.0.4.65:465) [1]: connect(int.mx.example.net:465) failed: Failed to initialize SSL: Couldn't initialize SSL context: Can't load SSL certificate: error:14187180:SSL routines:ssl_do_config:bad value: section=system_default, cmd=Options, arg=ServerPreference,PrioritizeChaCha
> >     2020-08-24 17:04:42 submission(testu...@example.com): Error: Failed to establish relay connection: Failed to connect to remote server
> >     ...
> >
> > editing,
> >
> >     - Options = PrioritizeChaCha,ServerPreference
> >     + Options = PrioritizeChaCha
> >
> > cures the error
> >
> >     ==> /var/log/dovecot/dovecot.log <==
> >     ...
> >     2020-08-24 17:08:04 submission(testu...@example.com): Info: Successfully relayed message: from=, size=433, id=Mh4pJWRWRF9jHQAAVDn7pA, nrcpt=1, reply=`250 2.0.0 Ok: queued as 4Bb8TJ4VQbz7v6t'
> >     ...
> >
> > checking ssl docs
> >
> >     https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html
> >
> > BOTH are valid 'Options',
> >
> >     ...
> >     ServerPreference: use server and not client preference order when determining which cipher suite, signature algorithm or elliptic curve to use for an incoming connection. Equivalent to SSL_OP_CIPHER_SERVER_PREFERENCE. Only used by servers.
> >
> >     PrioritizeChaCha: prioritizes ChaCha ciphers when the client has a ChaCha20 cipher at the top of its preference list. This usually indicates a mobile client is in use. Equivalent to SSL_OP_PRIORITIZE_CHACHA. Only used by servers.
> >     ...
> >
> > The mere presence of that option in a system-wide openssl.cnf shouldn't cause a Dovecot submission failure.

Well, dovecot does not actually do any parsing for system-wide openssl.cnf. This sounds more like OpenSSL issue than dovecot issue.

Aki
Re: Dovecot SASL
> On 22/09/2020 20:22 Jorge Bastos wrote:
>
> Howdy,
> I'm going back to this matter, to finish the replacement of cyrus SASL with dovecot-SASL.
> I want to have the same functionality that I had before, that is, SASL checks AUTH against a different table than the users one.
>
> I was looking in the dovecot-SASL docs, and I see nothing related.
> (https://wiki.dovecot.org/HowTo/PostfixAndDovecotSASL)
> Does someone have an idea on how to achieve it or how it could be done?
> I mean, how could I have this different table checked in the auth?
>
>     service auth {
>       ...
>       unix_listener /var/spool/postfix/private/auth {
>         mode = 0660
>         # Assuming the default Postfix user and group
>         user = postfix
>         group = postfix
>       }
>       ...
>     }
>
> Thanks in advance,
>
> On 2019-12-10 20:57, Jorge Bastos via dovecot wrote:
> > Howdy,
> >
> > I know I've asked this before, but I think I got really no answer.
> >
> > I'd like to have dovecot SASL check AUTH against an SQL table, instead of dovecot SASL using the AUTH MECH for imap/pop3.
> > I want this to have the same behavior as I have now, where I use postfix with cyrus SASL on a different table (with the same login details), and when I have a user whose account was hacked for sending spam, I just block the sending and allow the user to keep receiving emails, for example to warn him.
> >
> > Would this be possible? Dovecot SASL against a SQL table? Haven't found much info about it.
> > Thanks in advance,

I am not sure what you are after, but I guess you could use the %s expansion, that should expand into Service, such as SMTP.

Alternatively, you can use

    protocol smtp {
      passdb {
      }
    }

to have different passdb for smtp.

Aki
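One way to act on the `%s` suggestion above, added here as an example; it is not from the thread and not from Dovecot's own documentation. A single SQL passdb answers every AUTH request, but the query switches tables on the service name the auth client reports: Postfix's Dovecot SASL client reports `smtp`, Dovecot's own submission service reports `submission`, and IMAP/POP3 logins keep using the normal users table. The file paths, the `users` and `smtp_users` tables, the `allow_send` column and the MySQL connection string are assumptions for illustration.

```conf
# /etc/dovecot/conf.d/10-auth.conf (assumed path): one passdb for all services
passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}

# /etc/dovecot/dovecot-sql.conf.ext (assumed path, assumed schema)
driver = mysql
connect = host=localhost dbname=mail user=dovecot password=secret
default_pass_scheme = SHA512-CRYPT

# %s expands to the service name the auth client sends (imap, pop3, smtp,
# submission, ...). Dovecot takes the first row returned, so exactly one
# branch of the UNION matches for any given service. A sender account is
# blocked by clearing allow_send; its IMAP/POP3 logins are unaffected.
password_query = \
  SELECT password FROM users \
    WHERE username = '%n' AND domain = '%d' \
      AND '%s' NOT IN ('smtp', 'submission') \
  UNION ALL \
  SELECT password FROM smtp_users \
    WHERE username = '%n' AND domain = '%d' \
      AND '%s' IN ('smtp', 'submission') \
      AND allow_send = 1
```

Check the split before pointing Postfix at the socket: `doveadm auth test -x service=smtp user@example.com` should fail for an account with `allow_send = 0` while `doveadm auth test -x service=imap user@example.com` still succeeds.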
Re: Dovecot SASL
Howdy,

I'm going back to this matter, to finish the replacement of cyrus SASL with dovecot-SASL.
I want to have the same functionality that I had before, that is, SASL checks AUTH against a different table than the users one.

I was looking in the dovecot-SASL docs, and I see nothing related.
(https://wiki.dovecot.org/HowTo/PostfixAndDovecotSASL)
Does someone have an idea on how to achieve it or how it could be done?
I mean, how could I have this different table checked in the auth?

    service auth {
      ...
      unix_listener /var/spool/postfix/private/auth {
        mode = 0660
        # Assuming the default Postfix user and group
        user = postfix
        group = postfix
      }
      ...
    }

Thanks in advance,

On 2019-12-10 20:57, Jorge Bastos via dovecot wrote:
> Howdy,
>
> I know I've asked this before, but I think I got really no answer.
>
> I'd like to have dovecot SASL check AUTH against an SQL table, instead of dovecot SASL using the AUTH MECH for imap/pop3.
> I want this to have the same behavior as I have now, where I use postfix with cyrus SASL on a different table (with the same login details), and when I have a user whose account was hacked for sending spam, I just block the sending and allow the user to keep receiving emails, for example to warn him.
>
> Would this be possible? Dovecot SASL against a SQL table? Haven't found much info about it.
> Thanks in advance,
Re: BUG: _presence_ of valid openssl.cnf Option = 'ServerPreference' causes Dovecot submission relay FAIL: "failed: Failed to initialize SSL: ..."
bump

On 8/24/20 5:17 PM, PGNet Dev wrote:
> I've
>
>     dovecot --version
>         2.3.10.1 (a3d0e1171)
>     openssl version
>         OpenSSL 1.1.1g FIPS 21 Apr 2020
>
> , atm on Fedora32.
>
> I configure
>
>     /etc/pki/tls/openssl.cnf
>
> to set preferences for apps' usage, e.g. Postfix etc; Typically, here
>
>     cat /etc/pki/tls/openssl.cnf
>
>         openssl_conf = default_conf
>
>         [default_conf]
>         ssl_conf = ssl_sect
>
>         [ssl_sect]
>         system_default = system_default_sect
>
>         [system_default_sect]
>         MinProtocol = TLSv1.2
>         Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
>         CipherString = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
>         Options = PrioritizeChaCha,ServerPreference
>
> However, any/all sends from local client via Dovecot submission -- from an instance on the same server -- FAILS with that^^ openssl.cnf,
>
>     ==> /var/log/dovecot/dovecot.log <==
>     ...
>     2020-08-24 17:04:42 submission(testu...@example.com): Error: smtp-client: conn int.mx.example.net:465 (10.0.4.65:465) [1]: connect(int.mx.example.net:465) failed: Failed to initialize SSL: Couldn't initialize SSL context: Can't load SSL certificate: error:14187180:SSL routines:ssl_do_config:bad value: section=system_default, cmd=Options, arg=ServerPreference,PrioritizeChaCha
>     2020-08-24 17:04:42 submission(testu...@example.com): Error: Failed to establish relay connection: Failed to connect to remote server
>     ...
>
> editing,
>
>     - Options = PrioritizeChaCha,ServerPreference
>     + Options = PrioritizeChaCha
>
> cures the error
>
>     ==> /var/log/dovecot/dovecot.log <==
>     ...
>     2020-08-24 17:08:04 submission(testu...@example.com): Info: Successfully relayed message: from=, size=433, id=Mh4pJWRWRF9jHQAAVDn7pA, nrcpt=1, reply=`250 2.0.0 Ok: queued as 4Bb8TJ4VQbz7v6t'
>     ...
>
> checking ssl docs
>
>     https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html
>
> BOTH are valid 'Options',
>
>     ...
>     ServerPreference: use server and not client preference order when determining which cipher suite, signature algorithm or elliptic curve to use for an incoming connection. Equivalent to SSL_OP_CIPHER_SERVER_PREFERENCE. Only used by servers.
>
>     PrioritizeChaCha: prioritizes ChaCha ciphers when the client has a ChaCha20 cipher at the top of its preference list. This usually indicates a mobile client is in use. Equivalent to SSL_OP_PRIORITIZE_CHACHA. Only used by servers.
>     ...
>
> The mere presence of that option in a system-wide openssl.cnf shouldn't cause a Dovecot submission failure.
Re: FTS Index based on UserDB preference
Thank you. Would it be complicated to extend this option and create a new one called 'fts_skip_body' which in turn would exclude the body of the e-mail from being indexed? I imagine it would have to propagate all the way to plugins/fts/fts-build-mail.c and set skip_body to true.

On Tuesday, 22/09/2020 at 02:33 Aki Tuomi wrote:

> On 18.9.2020 17.45, Scott Q. wrote:
> > Does anyone know if it's possible to do FTS Index based on a userdb preference? Basically if the preference is 'on', dovecot goes ahead with the fts indexing for that particular user.
> >
> > I'm guessing right now it's not possible but is there anyone that could envision writing such a patch? If so, can you contact me off-list?
>
> Totally possible, just return from your userdb `fts=solr` (e.g.) to turn on fts processing for some user. If you are using passwd-file, you need to use userdb_fts=solr.
>
> Aki
Re: Antispam plugin
On 22.9.2020 13.59, Maciej Milaszewski wrote:
> Hi
> System centos8 + dovecot-2.3.8 from repo
>
>     # 2.3.8 (9df20d2db): /etc/dovecot/dovecot.conf
>     # Pigeonhole version 0.5.8 (b7b03ba2)
>     # OS: Linux 4.18.0-193.19.1.el8_2.x86_64 x86_64 CentOS Linux release 8.2.2004 (Core)
>
> I need "Antispam plugin". What antispam-plugin must I use?
>
> In the older version dovecot-2.2.36.4 I used "dovecot-antispam-plugin" but on centos I had a problem with configure - probably too old a version
>
>     "./configure: line 3193: DC_DOVECOT: command not found"
>
> In the dovecot wiki there is "antispam-plugin". I tried this
>
>     http://hg.dovecot.org/dovecot-antispam-plugin
>
> but get 404
>
> Backend spamassassin

You don't need antispam plugin:

https://doc.dovecot.org/configuration_manual/howto/antispam_with_sieve/

Aki
Antispam plugin
Hi
System centos8 + dovecot-2.3.8 from repo

    # 2.3.8 (9df20d2db): /etc/dovecot/dovecot.conf
    # Pigeonhole version 0.5.8 (b7b03ba2)
    # OS: Linux 4.18.0-193.19.1.el8_2.x86_64 x86_64 CentOS Linux release 8.2.2004 (Core)

I need "Antispam plugin". What antispam-plugin must I use?

In the older version dovecot-2.2.36.4 I used "dovecot-antispam-plugin" but on centos I had a problem with configure - probably too old a version

    "./configure: line 3193: DC_DOVECOT: command not found"

In the dovecot wiki there is "antispam-plugin". I tried this

    http://hg.dovecot.org/dovecot-antispam-plugin

but get 404

Backend spamassassin
[SOLVED]AW: AW: doveadm search segfault Dovecot 2.2.22
Dear Aki,

thank you! With version 2.3.11 of dovecot it works fine.

Yours sincerely
Pascal Rudolf

-----Original Message-----
From: dovecot On Behalf Of Aki Tuomi
Sent: Monday, 21 September 2020 17:37
To: rud...@padaru.de; Dovecot Mailing List
Subject: Re: AW: doveadm search segfault Dovecot 2.2.22

> On 21/09/2020 15:14 rud...@padaru.de wrote:
>
> Hey,
>
> I am now a bit deeper into dovecot debugging with gdb and have a full bt now, with debugging info.
>
> Is there a patch that resolves this problem in dovecot 2.2.22-1ubuntu2.13 for ubuntu 16?
>
> Here the bt:
>

Hi!

We don't really support 2.2.22 since it was released several years ago. Please try to reproduce this issue with 2.2.36 or 2.3.11. You can find packages for 2.3.11 from https://repo.dovecot.org

Aki