Re: debugging TLS with wireshark and a custom application ?

2020-09-30 Thread Joseph Tam

On Wed, 30 Sep 2020, Kurt Jaeger wrote:


> My question is: can dovecot be used to debug/decrypt TLS sessions ?
>
> The reason I'm asking:
>
> A custom application wants to speak IMAP with TLS with a dovecot
> instance.

If it's happening during the handshake (i.e. IMAP/POP hasn't even started)
you can try debugging the interaction by using "openssl s_server" on
an alternate port with the same SSL parameters used by your dovecot.
It's not the full-fledged environment you're trying to test but may
expose the problem.

Joseph Tam 


Re: auth_username_format effective only within passdb/userdb

2020-09-30 Thread Bob
Sami Ketola  writes:

>> On 30. Sep 2020, at 17.08, Bob  wrote:
>> 
>> Hello dovecot list.
>> 
>> I have multiple passdb/userdb, some use %Ln some use %Lu.
>> How to make auth_username_format effective only within passdb/userdb?
>
>
> passdb {
>   driver = passwd-file
>   args = username_format=%Ln /etc/dovecot/dovecot-passwd
> }
>
> Sami

Thanks for the quick reply. :-)

I have one backend using the passwd-file driver and
one fallback backend using the passwd driver.
Does the passwd driver support username_format?



auth_username_format effective only within passdb/userdb

2020-09-30 Thread Bob
Hello dovecot list.

I have multiple passdb/userdb, some use %Ln some use %Lu.
How to make auth_username_format effective only within passdb/userdb?




Re: debugging TLS with wireshark and a custom application ?

2020-09-30 Thread Aki Tuomi


> On 30/09/2020 18:06 Kurt Jaeger  wrote:
> 
>  
> Hi!
> 
> My question is: can dovecot be used to debug/decrypt TLS sessions ?
> 
> The reason I'm asking:
> 
> A custom application wants to speak IMAP with TLS with a dovecot
> instance.
> 
> It fails, and the error message is, unfortunately, not very helpful.
> tcpdump shows that the session is established, but fails. The custom
> application says error 6, not much more.
> 
> There is a way to decode TLS sessions in some cases:
> 
> https://wiki.wireshark.org/TLS
>   
> 
> using firefox and the environment variable SSLKEYLOGFILE.
> 
> Basically, the TLS client (firefox), while negotiating keys with the
> other side, writes those logfiles to a logfile specified by SSLKEYLOGFILE
> and at the same time, wireshark is used to capture / write the pcap
> of the session.
> 
> Then wireshark can be used to decode the contents of the TLS-encrypted
> session.
> 
> Is something similar possible with dovecot as the server and
> from the server side ?
> 
> Is, by chance, the session=<...> value already such a key so that
> a tcpdump pcap file would be able to decrypt that session ?
> 
> Sep 29 08:51:30 imap-login: Info: Login: user=, method=PLAIN, 
> rip=, lip=, mpid=63667, TLS, 
> session=
> 
> -- 
> p...@opsec.eu   +49 171 3101372   Now what ?

Hi!

If rawlogs did not have a bug, you would be able to use them to log what the 
client is sending/receiving.

But, unfortunately, that does not work; it's broken with TLS, so you need to 
work around this bit:

return from passdb 

proxy_maybe=y host=127.0.0.2

to connect to localhost again, unencrypted. Then add

protocol imap {
  rawlog_dir=%h/rawlogs/
}

then create rawlogs directory under user home directory, with mode 0777, and it 
should store input/output transcripts per session.

Remember to disable these after using them!

Aki


debugging TLS with wireshark and a custom application ?

2020-09-30 Thread Kurt Jaeger
Hi!

My question is: can dovecot be used to debug/decrypt TLS sessions ?

The reason I'm asking:

A custom application wants to speak IMAP with TLS with a dovecot
instance.

It fails, and the error message is, unfortunately, not very helpful.
tcpdump shows that the session is established, but fails. The custom
application says error 6, not much more.

There is a way to decode TLS sessions in some cases:

https://wiki.wireshark.org/TLS  

using firefox and the environment variable SSLKEYLOGFILE.

Basically, the TLS client (firefox), while negotiating keys with the
other side, writes those logfiles to a logfile specified by SSLKEYLOGFILE
and at the same time, wireshark is used to capture / write the pcap
of the session.

Then wireshark can be used to decode the contents of the TLS-encrypted
session.

Is something similar possible with dovecot as the server and
from the server side ?

Is, by chance, the session=<...> value already such a key so that
a tcpdump pcap file would be able to decrypt that session ?

Sep 29 08:51:30 imap-login: Info: Login: user=, method=PLAIN, 
rip=, lip=, mpid=63667, TLS, 
session=

-- 
p...@opsec.eu   +49 171 3101372   Now what ?
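As an added example (not code from this thread, from Dovecot or from Wireshark), the following Python helpers handle the two log formats the question turns on: the NSS key log that SSLKEYLOGFILE produces and Wireshark reads to decrypt a capture (the format documented on the linked Wireshark wiki page), and the key=value layout of Dovecot's imap-login "Login:" line. The sample key log and login line are constructed, the hex values are not real secrets, and the host addresses are documentation ranges. The last helper answers the closing question in the negative: the session= value has the shape of a short session identifier, not of TLS key material, so it cannot stand in for a key log entry.

```python
"""Parsers for the SSLKEYLOGFILE (NSS key log) format and Dovecot's
imap-login 'Login:' line. Added example; all sample data is constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Labels Wireshark accepts in a key log file (TLS 1.2 master secret and
# the TLS 1.3 per-stage secrets).
KEYLOG_LABELS = {
    "CLIENT_RANDOM",
    "CLIENT_EARLY_TRAFFIC_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


@dataclass
class KeyLogEntry:
    label: str
    client_random: bytes   # 32 bytes; Wireshark matches it to ClientHello.random
    secret: bytes


def parse_keylog(text: str) -> Tuple[List[KeyLogEntry], List[str]]:
    """Parse key log text into (valid entries, error messages for bad lines)."""
    entries: List[KeyLogEntry] = []
    errors: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # comments are allowed in the format
        parts = line.split()
        if len(parts) != 3:
            errors.append(f"line {lineno}: expected 3 fields, got {len(parts)}")
            continue
        label, rand_hex, secret_hex = parts
        if label not in KEYLOG_LABELS:
            errors.append(f"line {lineno}: unknown label {label!r}")
            continue
        if len(rand_hex) != 64 or not HEX_RE.match(rand_hex):
            errors.append(f"line {lineno}: client random must be 64 hex chars")
            continue
        if len(secret_hex) % 2 or not HEX_RE.match(secret_hex):
            errors.append(f"line {lineno}: secret is not valid hex")
            continue
        entries.append(KeyLogEntry(label, bytes.fromhex(rand_hex),
                                   bytes.fromhex(secret_hex)))
    return entries, errors


def looks_like_keylog_secret(value: str) -> bool:
    """True only for even-length hex at least 32 bytes long (a TLS secret)."""
    return bool(HEX_RE.match(value)) and len(value) % 2 == 0 and len(value) >= 64


LOGIN_RE = re.compile(r"imap-login: Info: Login: (?P<fields>.*)$")


def parse_login_line(line: str) -> Dict[str, str]:
    """Split a Dovecot imap-login 'Login:' line into key=value fields.
    Bare flags such as 'TLS' become a key with an empty value; the angle
    brackets Dovecot puts around user and session values are stripped."""
    m = LOGIN_RE.search(line)
    if not m:
        raise ValueError("not an imap-login Login line")
    fields: Dict[str, str] = {}
    for item in m.group("fields").split(", "):
        key, sep, value = item.partition("=")
        fields[key] = value.strip("<>") if sep else ""
    return fields


# Constructed samples (hypothetical values, not real key material or hosts).
SAMPLE_KEYLOG = "\n".join([
    "# constructed sample key log",
    "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 48,            # TLS 1.2 entry
    "CLIENT_TRAFFIC_SECRET_0 " + "ef" * 32 + " " + "12" * 32,  # TLS 1.3 entry
    "CLIENT_RANDOM tooshort 00ff",                             # malformed line
])
SAMPLE_LOGIN = ("Sep 29 08:51:30 imap-login: Info: Login: user=<alice>, "
                "method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, mpid=63667, "
                "TLS, session=<Qx7dM9m0AbE>")

if __name__ == "__main__":
    ok, bad = parse_keylog(SAMPLE_KEYLOG)
    print(f"{len(ok)} usable key log entries, {len(bad)} rejected: {bad}")
    login = parse_login_line(SAMPLE_LOGIN)
    print("session id:", login["session"],
          "usable as key material:", looks_like_keylog_secret(login["session"]))
```

Running the block reports two usable entries and one rejected line, and shows that the session value fails the key-material check. In practice the capture side is unchanged from the browser case: the key log must come from the TLS endpoint whose library supports SSLKEYLOGFILE, and the file holds the session secrets in clear, so it belongs on the same footing as a private key while it exists.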


Re: auth_username_format effective only within passdb/userdb

2020-09-30 Thread Sami Ketola



> On 30. Sep 2020, at 17.08, Bob  wrote:
> 
> Hello dovecot list.
> 
> I have multiple passdb/userdb, some use %Ln some use %Lu.
> How to make auth_username_format effective only within passdb/userdb?


passdb {
  driver = passwd-file
  args = username_format=%Ln /etc/dovecot/dovecot-passwd
}

Sami



Re: Leaked files in maildir "tmp" after vsz_limit crashes

2020-09-30 Thread Aki Tuomi


> On 30/09/2020 13:43 Peter Mogensen  wrote:
> 
>  
> Hi,
> 
> Lately I've seen a few examples of users hitting the vsz_limit (usually
> trying to "delete" mails in Spam/Junk by moving them to Trash with a
> large dovecot.index.cache), which resulted in mails left/leaked in the
> tmp directory of Trash.
> 
> Sometimes it seems the client gets into a state where it repeatedly tries
> to sync the client and server state, so it does it again and again,
> building up the number of files/links in tmp.
> 
> It seems the default 1 week interval to "unlink_old_files()" is not
> enough to prevent this from blowing up inode wise.
> 
> However, ... lowering it - or increasing vsz_limit - feels a bit like
> kicking the can down the road.
> 
> PS: This is on dovecot 2.2.36
> 
> /Peter

You need to set your vsz_limit to facilitate large index files. I would 
recommend configuring it up to 2G.

Aki


Leaked files in maildir "tmp" after vsz_limit crashes

2020-09-30 Thread Peter Mogensen
Hi,

Lately I've seen a few examples of users hitting the vsz_limit (usually
trying to "delete" mails in Spam/Junk by moving them to Trash with a
large dovecot.index.cache), which resulted in mails left/leaked in the
tmp directory of Trash.

Sometimes it seems the client gets into a state where it repeatedly tries
to sync the client and server state, so it does it again and again,
building up the number of files/links in tmp.

It seems the default 1 week interval to "unlink_old_files()" is not
enough to prevent this from blowing up inode wise.

However, ... lowering it - or increasing vsz_limit - feels a bit like
kicking the can down the road.

PS: This is on dovecot 2.2.36

/Peter