Re: Mapping usernames used for authentication to UNIX usernames
Hello,

Frank> Would it be possible to configure something that will map an
Frank> email address to the UNIX account name and use the account name
Frank> for authentication and obtaining the related information (uid,
Frank> gid, home dir)?

https://dovecot.org/pipermail/dovecot/2018-September/113025.html should be what you are looking for. I used that to map legacy accounts to username@domain accounts in SQL, but it should also work the other way round.

Florian
Re: N-way replication, multiple masters
1 GB of data per day is very little volume; I think Dovecot replication or rsync are both suitable.

Raymond Sellars () wrote on Thursday, 17 June 2021 at 11:30:23 [GMT+8]:

> Hi
>
> Mail replication – honestly, I don't have any hard metrics for that. I'm anticipating it's less than 1 GB per day.
>
> Link speed – being AWS inter-AZ it's 100 Mbps-1 Gbps. I'm conscious that if I go inter-region the strategy may need to change.
>
> Thanks
> Raymond
>
> From: Henry
> Sent: Thursday, 17 June 2021 3:20 PM
> To: Raymond Sellars
> Subject: Re: N-way replication, multiple masters
>
> How much data for mail replication? And the link speed?
>
> Raymond Sellars () wrote on Thursday, 17 June 2021 at 11:10:23 [GMT+8]:
N-way replication, multiple masters
Hi

Looking for some guidance on how to set up a Dovecot cluster with more than 2 servers. Ideally as multiple masters, so I don't have the complexity of back recovery/synchronisation in failover situations, and I can utilise upstream load balancers (director or other) to automatically move between available nodes.

Current pattern is:

High availability at one site (AWS availability zone) with two active servers behind Dovecot directors and an AWS network load balancer in front of the directors.

A third Dovecot server as a disaster recovery instance (another availability zone or region), with ideally real-time and bidirectional replication, behind a different network and NLB access path.

Dovecot --version = 2.3.14
CentOS 7

Previously for the HA pair we utilised NFS, but the AWS EFS equivalent doesn't perform (very high latency, and NFS metadata caching required). And then for DR we utilised the Dovecot replication, 2-way, so I have automated recovery and could do active-active testing/verification as required with no downtime. This helps verify recovery pathways.

https://doc.dovecot.org/configuration_manual/replication/# - reading the documentation, it seems clear that replication only supports a PAIR of masters.

Any ideas on how I can add in a 3rd replication node? Two pairs? I'm happy to utilise a star pattern: HA1 <-> HA2, HA1 <-> DR. Not possible? Can I run more than one replicator? Or should I utilise doveadm sync via cron jobs and 2-way sync?

Any thoughts, suggestions most welcome. How are others achieving > 2 clusters for Dovecot servers supporting the same domain? Most of this is for availability rather than purely performance scaling.

Thanks
Raymond
Re: Mapping usernames used for authentication to UNIX usernames
Frank> I'm looking for some advice or pointers how to best solve a
Frank> small problem that I have. I have no doubt that this can be
Frank> done in dovecot, but I'm struggling to find the easiest way to
Frank> implement it.

Frank> First of all, what I have:

Frank> I have a relative small dovecot setup for a dozen domains, and about 50
Frank> users in total. All users use IMAP to retrieve mail, and SMTP submission
Frank> protocol to submit email.

Frank> Because of the small size, every user has its own UNIX account,
Frank> authentication is done using PAM and mail is stored in a
Frank> Maildir folder in their home directory. Works perfectly!

Do these users ever log in and use their Unix account? Or do they only access the system via IMAP to read email? If so, then I would completely move away from local accounts and Unix home dirs and just use virtual users instead. Then you log in with your email address and password to get mail. Much simpler!

Frank> There is one minor inconvenience. When a new mail client is
Frank> configured, users (often guided by the auto config generator of
Frank> the mail client) tend to use their email address as the
Frank> username to authenticate instead of their UNIX account name,
Frank> which fails of course.

Frank> Would it be possible to configure something that will map an
Frank> email address to the UNIX account name and use the account name
Frank> for authentication and obtaining the related information (uid,
Frank> gid, home dir)?

Frank> I do have two concerns:

Frank> 1) I do not want to break existing mail configurations, so
Frank> authentication with the UNIX username should still be possible.

I think you can have multiple usernames pointing to the same backend account, so moving to virtual users would be even simpler.

Frank> 2) I cannot do a simple reg. exp for the translation because
Frank> every email domain has e.g. an i...@domain.com mailbox, and I
Frank> do not want them all to go to UNIX user "info".

Even if you do offer Unix logins, I would still separate the user email logins from the Unix logins. Just having all email access happen via IMAP makes things simpler. And if they want to read email from their Unix account, a text-based IMAP tool like mutt should be good enough.

John
working locally not externally, how to check what failed?
This morning I noticed I was not getting any email on the remote-to-server mail client, though in webmail/SquirrelMail on the mail host there were new emails.

Restarting with doveadm stop / dovecot 'fixed it'.

What could have gone wrong, and what should I look for in the logs? Thanks for any pointers.

Long-running Dovecot/Postfix/MySQL setup.

dovecot --version
2.3.14 (cee3cbc0d)
Re: Piping to doveadm pw
Bernardo Reino wrote:
> On Wed, 16 Jun 2021, Kevin N. wrote:
>
> > Thanks. Reading the manual was the first thing I did before posting to the
> > list.
> >
> > I'm not sure if this is relevant for the question, but I forgot to mention
> > that the user enters its password through a 'dialog --passwordbox'.
> >
> > I guess my question is: is it possible to pipe that into 'doveadm pw' directly
> > from memory, without using any kind of on-disk temp file?
>
> $ dialog --passwordbox .. | sed p | doveadm pw
>
> with "sed p" you print explicitly (p) and implicitly (default in sed) the input
> lines (i.e. whatever dialog returns), so doveadm gets the same line twice, as
> required.
>
> Cheers.

Thanks Bernardo. The "sed p" seems to do the trick.

I do have to do some validation before I pass the password to "doveadm pw", so my code looks something like:

-
input_password=$(dialog --passwordbox ...)
#... some validation here ...
hashed_password=$(echo "${input_password}" | sed p | doveadm pw -s SHA512-CRYPT)
-

In this case, will the password still be safe and hidden from a "ps", for example? I am still new to all this and I wouldn't want to end up with a false sense of security regarding this password passing :)

Doing an 'strace' on the script does show up the password in some reads, in the form of: read(3, "password_here", ), but not in execve(...) as a parameter.

Cheers.
Re: Piping to doveadm pw
On Wed, 16 Jun 2021, Kevin N. wrote:

> Thanks. Reading the manual was the first thing I did before posting to the list.
>
> I'm not sure if this is relevant for the question, but I forgot to mention that the user enters its password through a 'dialog --passwordbox'.
>
> I guess my question is: is it possible to pipe that into 'doveadm pw' directly from memory, without using any kind of on-disk temp file?

$ dialog --passwordbox .. | sed p | doveadm pw

with "sed p" you print explicitly (p) and implicitly (default in sed) the input lines (i.e. whatever dialog returns), so doveadm gets the same line twice, as required.

Cheers.
Re: Piping to doveadm pw
Oscar del Rio wrote:
> On 2021-06-16 5:23 a.m., Kevin N. wrote:
> > I am using 'doveadm pw' from inside a bash script to generate the salted
> > hash for a user provided password.
> > I call it like: doveadm pw -s SHA256-CRYPT -u $user -p $password
> >
> > Is there any possible way to use piping (so it won't show up in ps for
> > example) to pass the username and password to 'doveadm pw' instead of using
> > arguments?
>
> % man doveadm-pw
>
>   -p password
>       The plain text password for which the hash should be generated.
>       If no password was given doveadm(1) will prompt interactively for one.
>   -u user
>       When the DIGEST-MD5 scheme is used, also the user name must be given...
>       (so -u not needed here)
>
> % doveadm pw -s SHA256-CRYPT
> Enter new password: **
> Retype new password: **
> {SHA256-CRYPT}$5$yatls3zWaSMgSrue$FOlWYSb...
>
> % cat /tmp/test
> test123
> test123
>
> % cat /tmp/test | doveadm pw -s SHA256-CRYPT
> {SHA256-CRYPT}$5$rq.EciaKLycIT61g$smeKtkpQ

Thanks. Reading the manual was the first thing I did before posting to the list.

I'm not sure if this is relevant for the question, but I forgot to mention that the user enters its password through a 'dialog --passwordbox'.

I guess my question is: is it possible to pipe that into 'doveadm pw' directly from memory, without using any kind of on-disk temp file?
Re: Piping to doveadm pw
On 2021-06-16 5:23 a.m., Kevin N. wrote:
> I am using 'doveadm pw' from inside a bash script to generate the salted hash for a user provided password.
> I call it like: doveadm pw -s SHA256-CRYPT -u $user -p $password
>
> Is there any possible way to use piping (so it won't show up in ps for example) to pass the username and password to 'doveadm pw' instead of using arguments?

% man doveadm-pw

  -p password
      The plain text password for which the hash should be generated. If no
      password was given doveadm(1) will prompt interactively for one.
  -u user
      When the DIGEST-MD5 scheme is used, also the user name must be given...
      (so -u not needed here)

% doveadm pw -s SHA256-CRYPT
Enter new password: **
Retype new password: **
{SHA256-CRYPT}$5$yatls3zWaSMgSrue$FOlWYSb...

% cat /tmp/test
test123
test123

% cat /tmp/test | doveadm pw -s SHA256-CRYPT
{SHA256-CRYPT}$5$rq.EciaKLycIT61g$smeKtkpQ
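The point that runs through this thread, from Kevin's original `-p $password` call to his later script, is where the secret ends up: anything in a process's argument list is visible to every local user through ps and /proc/<pid>/cmdline, and a file such as /tmp/test leaves it on disk. The script below is an added example (not code from the thread or from Dovecot) that feeds the password to doveadm pw on stdin twice, as the interactive prompt expects, using printf instead of `echo ... | sed p`, so passwords that look like echo options (e.g. "-n") or contain backslashes survive unchanged. The validation limits, the DOVEADM variable and the dialog --stdout usage in the comment are this example's own assumptions.

```shell
#!/bin/sh
# Hash a user-supplied password with 'doveadm pw' without exposing it in argv
# or in a temp file. Added example; not Kevin's script or Dovecot's own code.
# Assumption: doveadm is in PATH (DOVEADM overrides it, e.g. for testing).
DOVEADM="${DOVEADM:-doveadm}"

# validate_password <password>
# Minimal checks before hashing: length and printable ASCII only. The limits
# are this example's choice, not a Dovecot requirement.
validate_password() {
    pw=$1
    if [ "${#pw}" -lt 12 ]; then
        echo "password too short (minimum 12 characters)" >&2
        return 1
    fi
    case $pw in
        *[![:print:]]*)
            echo "password contains non-printable characters" >&2
            return 1 ;;
    esac
    return 0
}

# hash_password <password> [scheme]
# Writes the password twice on doveadm's stdin (password + confirmation) and
# prints the resulting hash. The secret is never part of doveadm's argument
# list, so it does not show up in ps or /proc/<pid>/cmdline, and nothing is
# written to disk. printf is used instead of echo so a password such as "-n"
# or "a\nb" is passed literally.
hash_password() {
    pw=$1
    scheme=${2:-SHA512-CRYPT}
    printf '%s\n%s\n' "$pw" "$pw" | "$DOVEADM" pw -s "$scheme"
}

# Typical use from an interactive script (dialog(1) assumed; --stdout makes
# dialog print the entered text on stdout instead of stderr):
#   input_password=$(dialog --stdout --passwordbox "Password:" 8 40)
#   validate_password "$input_password" || exit 1
#   hashed_password=$(hash_password "$input_password" SHA512-CRYPT)
```

On the strace observation in Kevin's follow-up: ptrace lets a tracer see every byte a process reads or holds in memory, so a pipe cannot hide the password from strace, and it does not need to, because the same privilege would let the tracer read doveadm's memory directly. What the pipe removes is the exposure to unprivileged ps, to shell history and to on-disk temp files. Two further traps in a bash script: running it with set -x prints the password into the trace output, and exporting input_password puts it into the environment of every child process, which is readable through /proc/<pid>/environ by the same user.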
Re: Mapping usernames used for authentication to UNIX usernames
Probably thinking about this backwards: use the full email address by default, and if they only provide the user name, then concatenate the proper domain before authentication. The full email address should be the preferred default moving forward.

On 2021-06-16 6:58 a.m., Frank Volf wrote:
> Hi,
>
> I'm looking for some advice or pointers how to best solve a small problem that I have. I have no doubt that this can be done in dovecot, but I'm struggling to find the easiest way to implement it.
>
> First of all, what I have:
>
> I have a relative small dovecot setup for a dozen domains, and about 50 users in total. All users use IMAP to retrieve mail, and SMTP submission protocol to submit email.
>
> Because of the small size, every user has its own UNIX account, authentication is done using PAM and mail is stored in a Maildir folder in their home directory. Works perfectly!
>
> There is one minor inconvenience. When a new mail client is configured, users (often guided by the auto config generator of the mail client) tend to use their email address as the username to authenticate instead of their UNIX account name, which fails of course.
>
> Would it be possible to configure something that will map an email address to the UNIX account name and use the account name for authentication and obtaining the related information (uid, gid, home dir)?
>
> I do have two concerns:
>
> 1) I do not want to break existing mail configurations, so authentication with the UNIX username should still be possible.
>
> 2) I cannot do a simple reg. exp for the translation because every email domain has e.g. an i...@domain.com mailbox, and I do not want them all to go to UNIX user "info".
>
> As said, I would appreciate any advice on how this can be configured the easiest.
>
> Thanks in advance.
>
> Kind regards,
>
> Frank

--
"Catch the Magic of Linux..."
Michael Peddemors, President/CEO LinuxMagic Inc.
Re: LMTP with hardlinks ?
On Tuesday 25 May 2021 00:31:20 CEST, Vladislav Kurz wrote:
> Hello,
>
> I'm looking for deduplication of mails via hardlinks during delivery. I.e. a
> mail that is sent to multiple recipients (to, cc, bcc) should be stored
> only once.
>
> I did some search and found only some non-complete information.
>
> dovecot-lda has a "-p path" option that does the delivery using symlinks if
> possible (i.e. same uid/gid and same filesystem). This is working by hand,
> but could not find any hints how to use this with postfix. Found only
> suggestion of a wrapper, that was probably never implemented - in this
> thread:
> https://dovecot.org/pipermail/dovecot/2008-June/031158.html
>
> In this message: https://dovecot.org/list/dovecot/2013-February/088540.html
> there is statement that: LMTP always delivers the mail to the first user.
> Then it tries to copy the first mail to the second user, because in some
> setups this can be done using hard links.
>
> I was not able to get this in my setup, and I'd like to know if this
> statement is really true. I have all mail in /var/vmail, all owned by vmail
> user, but still mail delivered to multiple users is duplicated.
>
> If this is really supposed to make hardlinks (which would be great), is
> there any way to debug it? E.g. see if the hardlink was attempted but
> failed for some reason, or if the message was delivered in the same LMTP
> session?

I will answer myself, to provide further information for others bumping into the same issue.

It seems that LMTP does hard links only if the recipients do not have any sieve scripts. But repeated delivery with "dovecot-lda -p -f -d " makes hardlinks even if users do have sieve scripts.

So I made a wrapper that takes all recipients on the command line, the mail message on stdin, dumps the mail to a tempfile and loops over all recipients with dovecot-lda. So far it seems to be working nicely (with postfix as SMTP server).

--
Best regards
Vladislav Kurz
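A wrapper of the shape Vladislav describes (recipients on the command line, the message on stdin, spooled once to a file, then one dovecot-lda -p run per recipient) could look like the following. This is an added example, not Vladislav's script; the dovecot-lda path, the spool directory and the script name are assumptions, and the Postfix side (a pipe(8) transport handing over the envelope sender and the recipient list) is assumed rather than shown. Because -p only hard-links when the source file and the Maildir share a filesystem and owner, as the thread notes, the spool directory must live on the mail filesystem and be writable by the mail user; otherwise dovecot-lda silently falls back to copying.

```shell
#!/bin/sh
# lda-multi.sh: deliver one message to several recipients with dovecot-lda -p,
# so that Maildir delivery can hard-link the same file for each recipient.
# Added example, not the wrapper from the thread.
# Usage (from a Postfix pipe(8) transport, message on stdin):
#   lda-multi.sh <envelope-sender> <recipient> [<recipient>...]
# Assumptions: the dovecot-lda path below, and a spool directory on the same
# filesystem as the Maildirs, writable by the mail user (hard links need both).
set -u

LDA="${LDA:-/usr/lib/dovecot/dovecot-lda}"
SPOOL="${SPOOL:-/var/vmail/.lda-tmp}"

# deliver_all <file> <sender> <recipient>...
# Runs dovecot-lda -p <file> once per recipient. Returns 0 if every delivery
# succeeded, 75 (EX_TEMPFAIL) if any delivery tempfailed, otherwise the first
# non-zero exit status seen, so Postfix can decide between retry and bounce.
deliver_all() {
    msg=$1; sender=$2; shift 2
    rc=0
    for rcpt in "$@"; do
        if "$LDA" -p "$msg" -f "$sender" -d "$rcpt"; then
            st=0
        else
            st=$?
        fi
        if [ "$st" -eq 75 ]; then
            rc=75
        elif [ "$st" -ne 0 ] && [ "$rc" -eq 0 ]; then
            rc=$st
        fi
    done
    return "$rc"
}

main() {
    [ $# -ge 2 ] || { echo "usage: $0 <sender> <recipient>..." >&2; exit 64; }
    sender=$1; shift
    # Spool the message once on the mail filesystem; failing to do so is a
    # temporary error, so Postfix should queue and retry.
    tmp=$(mktemp "$SPOOL/msg.XXXXXX") || exit 75
    trap 'rm -f "$tmp"' EXIT
    cat > "$tmp" || exit 75
    deliver_all "$tmp" "$sender" "$@"
}

# Run main only when executed as the script itself, so the functions can also
# be sourced (e.g. for testing) without triggering a delivery.
case "${0##*/}" in
    lda-multi.sh) main "$@" ;;
esac
```

One caveat a wrapper like this inherits from pipe(8): Postfix sees a single exit status for the whole recipient group. Returning 75 because one recipient tempfailed makes Postfix redeliver the message to every recipient later, so the ones that already succeeded receive a duplicate; returning a bounce code for a single unknown recipient bounces the message for all of them. A wrapper that must be exact about this has to track per-recipient outcomes (or deliver one recipient per invocation and give up the hard link), which this example deliberately does not do.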
Mapping usernames used for authentication to UNIX usernames
Hi,

I'm looking for some advice or pointers on how to best solve a small problem that I have. I have no doubt that this can be done in Dovecot, but I'm struggling to find the easiest way to implement it.

First of all, what I have:

I have a relatively small Dovecot setup for a dozen domains, and about 50 users in total. All users use IMAP to retrieve mail, and the SMTP submission protocol to submit email.

Because of the small size, every user has their own UNIX account, authentication is done using PAM and mail is stored in a Maildir folder in their home directory. Works perfectly!

There is one minor inconvenience. When a new mail client is configured, users (often guided by the auto config generator of the mail client) tend to use their email address as the username to authenticate instead of their UNIX account name, which fails of course.

Would it be possible to configure something that will map an email address to the UNIX account name and use the account name for authentication and obtaining the related information (uid, gid, home dir)?

I do have two concerns:

1) I do not want to break existing mail configurations, so authentication with the UNIX username should still be possible.

2) I cannot do a simple reg. exp for the translation because every email domain has e.g. an i...@domain.com mailbox, and I do not want them all to go to UNIX user "info".

As said, I would appreciate any advice on how this can be configured the easiest.

Thanks in advance.

Kind regards,

Frank
Piping to doveadm pw
Hello everybody,

I am using 'doveadm pw' from inside a bash script to generate the salted hash for a user provided password.

I call it like: doveadm pw -s SHA256-CRYPT -u $user -p $password

Is there any possible way to use piping (so it won't show up in ps for example) to pass the username and password to 'doveadm pw' instead of using arguments?

Dovecot version: 2.3.14

Many thanks,
Kevin