Re: auth between postfix and dovecot?

2022-04-23 Thread Shawn Heisey

On 4/22/2022 10:35 PM, ミユナ (alice) wrote:

my question is:

when postfix talks to dovecot, does it require the user's 
username/password for authentication, or does this communication just go 
without authentication?


I asked this because my webmail, sending mail from localhost, has been going 
without authentication to postfix, so I am not sure if postfix talks 
to dovecot without requiring auth too.


My setup is virtual users in a postfixadmin database.  Dovecot does all 
authentication, even with postfix.  I believe the config snippets I have 
included below are the relevant things that make it possible for postfix 
to talk to dovecot for mail delivery and authentication.


Mail sent from localhost on port 25 does not require authentication on 
my system, because 127.0.0.0/8 is in postfix's mynetworks config and 
port 25's access restrictions include permit_mynetworks.  Anything sent 
via submission (port 587) does require auth, even from trusted 
networks.  If you can configure your webmail to use submission instead 
of smtp, maybe that can be authenticated.  You'll need to consult 
support resources for your webmail to see if that is possible.   I can 
say for sure that roundcube can do it ... I have roundcube configured to 
talk to port 587, which as mentioned, ALWAYS requires authentication.


When postfix sends mail to dovecot for delivery, I'm pretty sure that 
happens without authentication.  It's LMTP via unix socket, not 
something an outside client can access directly.


# In 10-master.conf
service lmtp {
  unix_listener lmtp {
    #mode = 0666
  }
}

service auth {
  unix_listener auth-userdb {
    mode = 0666
    user = vmail
    group = mail
  }

  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
}


# In 10-auth.conf
disable_plaintext_auth = yes
auth_mechanisms = plain
!include auth-sql.conf.ext


# In postfix master.cf
dovecot  unix   -    n  n   -   -   pipe
  flags=DRhu user=vmail:mail argv=/usr/lib/dovecot/dovecot-lda -d $(recipient)



# In postfix main.cf
# Use Dovecot to authenticate.
smtpd_sasl_type = dovecot
# Referring to /var/spool/postfix/private/auth
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
#broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
smtpd_sasl_authenticated_header = yes

# Tell postfix to hand off mail to the definition for dovecot in master.cf
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
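The exchange that Shawn's config sets up (Postfix's smtpd handing a SASL PLAIN attempt to Dovecot's auth service over private/auth, with smtpd_sasl_type = dovecot) looks roughly like the emulation below. This is an added example, not code from the thread or from either project: the user table stands in for the SQL passdb, a socketpair stands in for the unix socket, the handshake is reduced to the lines the emulation needs, and the disable_plaintext_auth check is modelled on Dovecot's documented behaviour (a plaintext mechanism is refused unless the connection is secured or the client IP equals the local IP). The wire format (tab-separated VERSION/CPID/AUTH lines, OK/FAIL replies, a base64 RFC 4616 PLAIN payload) is what the Dovecot authentication client protocol uses.

```python
import base64
import os
import socket
import threading

# Constructed stand-in for the SQL passdb behind auth-sql.conf.ext.
USERS = {"alice@sample.com": "correct horse", "bob@sample.com": "hunter2"}
# Mirrors disable_plaintext_auth = yes from the 10-auth.conf in the thread.
DISABLE_PLAINTEXT_AUTH = True


def _params(fields):
    """'key=value' items become dict entries; bare flags such as 'secured' map to ''."""
    return {k: v for k, _, v in (f.partition("=") for f in fields)}


def dovecot_auth_server(sock):
    """Answer one AUTH request on the auth-client socket (reduced handshake;
    the real service sends more lines than these)."""
    with sock, sock.makefile("rb") as rfile:
        sock.sendall(b"VERSION\t1\t2\nMECH\tPLAIN\tplaintext\nSPID\t4242\nCUID\t1\nDONE\n")
        for raw in rfile:
            fields = raw.rstrip(b"\n").decode().split("\t")
            if fields[0] != "AUTH":          # the client's own VERSION / CPID lines
                continue
            req_id, mech, params = fields[1], fields[2], _params(fields[3:])
            if mech != "PLAIN" or "resp" not in params:
                sock.sendall(f"FAIL\t{req_id}\treason=unsupported mechanism\n".encode())
                return
            # disable_plaintext_auth: refuse PLAIN unless TLS-secured or rip == lip.
            local = params.get("rip") is not None and params.get("rip") == params.get("lip")
            if DISABLE_PLAINTEXT_AUTH and "secured" not in params and not local:
                sock.sendall(f"FAIL\t{req_id}\treason=plaintext auth disallowed on non-secure connection\n".encode())
                return
            # SASL PLAIN payload (RFC 4616): authzid NUL authcid NUL password.
            authzid, authcid, password = base64.b64decode(params["resp"]).decode().split("\0", 2)
            if USERS.get(authcid) == password and authzid in ("", authcid):
                sock.sendall(f"OK\t{req_id}\tuser={authcid}\n".encode())
            else:
                sock.sendall(f"FAIL\t{req_id}\tuser={authcid}\n".encode())
            return


def postfix_auth_client(sock, username, password, *, secured=True,
                        lip="198.51.100.10", rip="203.0.113.7"):
    """What Postfix's Dovecot SASL client does for one AUTH PLAIN attempt:
    handshake, wait for DONE, send AUTH with service/lip/rip/secured, read reply."""
    rfile = sock.makefile("rb")
    sock.sendall(b"VERSION\t1\t1\n" + f"CPID\t{os.getpid()}\n".encode())
    mechs = []
    for raw in rfile:
        fields = raw.rstrip(b"\n").decode().split("\t")
        if fields[0] == "MECH":
            mechs.append(fields[1])
        elif fields[0] == "DONE":
            break
    if "PLAIN" not in mechs:
        raise RuntimeError("auth server offers no PLAIN mechanism")
    resp = base64.b64encode(f"\0{username}\0{password}".encode()).decode()
    req = ["AUTH", "1", "PLAIN", "service=smtp", f"lip={lip}", f"rip={rip}", f"resp={resp}"]
    if secured:                       # Postfix sets this when the SMTP session is TLS-protected
        req.insert(3, "secured")
    sock.sendall(("\t".join(req) + "\n").encode())
    reply = rfile.readline().rstrip(b"\n").decode().split("\t")
    rfile.close()
    return {"ok": reply[0] == "OK", **_params(reply[2:])}


def simulate(username, password, **client_kwargs):
    """Run both sides over a socketpair standing in for /var/spool/postfix/private/auth."""
    srv, cli = socket.socketpair()
    worker = threading.Thread(target=dovecot_auth_server, args=(srv,))
    worker.start()
    try:
        return postfix_auth_client(cli, username, password, **client_kwargs)
    finally:
        cli.close()
        worker.join()


if __name__ == "__main__":
    print(simulate("alice@sample.com", "correct horse"))
    print(simulate("alice@sample.com", "correct horse", secured=False))
```

The fourth case in the test below is the one the thread is about: an unsecured PLAIN attempt is still accepted when lip and rip are both loopback, which is why a local webmail client can authenticate on a non-TLS port while a remote client cannot.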



Re: auth between postfix and dovecot?

2022-04-23 Thread Alexander Dalloz

On 23.04.2022 at 16:08, Shawn Heisey wrote:

On 4/22/2022 10:35 PM, ミユナ (alice) wrote:

my question is:

when postfix talks to dovecot, does it require the user's 
username/password for authentication, or does this communication just go 
without authentication?


[ ... ]

When postfix sends mail to dovecot for delivery, I'm pretty sure that 
happens without authentication.  It's LMTP via unix socket, not 
something an outside client can access directly.


# In 10-master.conf
service lmtp {
  unix_listener lmtp {
    #mode = 0666
  }
}


[ ... ]


# Tell postfix to hand off mail to the definition for dovecot in master.cf
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1


With this Postfix configuration you do not make use of LMTP delivery.

Alexander





Re: auth between postfix and dovecot?

2022-04-23 Thread Shawn Heisey

On 4/23/2022 9:07 AM, Alexander Dalloz wrote:

With this Postfix configuration you do not make use of LMTP delivery.


Interesting.  I thought it was using LMTP but it looks like master.cf 
has it running /usr/lib/dovecot/dovecot-lda to deliver. Would LMTP be a 
better option? It has always worked, so I didn't look at it very closely.


I thought I had something in the postfix/dovecot combination using LMTP, 
but it looks like I was wrong about that.  The communication between 
postfix and mailman3 running in docker containers (which is a very 
recent addition) uses LMTP.


Thanks,
Shawn



Re: Weird status... " noselect"... why ?

2022-04-23 Thread Aki Tuomi


> On 22/04/2022 21:11 Stephane Magnier  wrote:
> 
> 
> 
> 
> a list "" * gives me this
> 
> * LIST (\HasChildren \UnMarked) "/" INBOX/2022-PERSONNEL/FOO2
> * LIST (\HasNoChildren \UnMarked) "/" INBOX/2022-PERSONNEL/FOO2/test
> * LIST (\Noselect \HasChildren) "/" INBOX/2022-PERSONNEL/FOO2/test
> * LIST (\Noselect \HasNoChildren) "/" INBOX/2022-PERSONNEL/FOO2/test/Location
> 
> As you can see there is "noselect", and with Thunderbird this is in grey. 
> Due to a bad manipulation: I wanted to create a subfolder and I wrote 
> "FOO2/test" when FOO2 didn't exist yet. 
> Now "test" is grey and I cannot place anything inside. 
> I didn't see this at first sight and I've placed important emails in it, which 
> it didn't sync... and which seem to be lost :-(
> 
> a Repair didn't work out
> 
> 
> 
> How can I "revalidate" this folder without removing it? (hoping to get 
> something in it)
> Thanks
>

Hi!

A maildir folder is not recognized as one if it does not contain cur, new and 
tmp directories. Make sure those exist.

Aki
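A check for the condition Aki describes, as an added example (not from the thread or from Dovecot): it walks a Maildir++ mailbox, reports every folder directory that lacks one of cur/, new/ or tmp/ (the folders Dovecot would list as \Noselect), and can create the missing subdirectories. It assumes the default Maildir++ layout, where IMAP folder INBOX/A/B is the dot-separated directory .A.B under the Maildir root; the sample mailbox is constructed in a temporary directory to mirror the situation in the thread (FOO2/test created before FOO2 existed). Creating the directories only makes the folder selectable again; it cannot recover messages that were never written to the server.

```python
import os
import tempfile

REQUIRED = ("cur", "new", "tmp")


def broken_maildir_folders(maildir: str) -> dict:
    """Map each '.Folder' directory under the Maildir root to the subdirs it lacks."""
    missing = {}
    for name in sorted(os.listdir(maildir)):
        path = os.path.join(maildir, name)
        # Maildir++ folders are dot-prefixed directories directly under the root.
        if not name.startswith(".") or not os.path.isdir(path):
            continue
        absent = [d for d in REQUIRED if not os.path.isdir(os.path.join(path, d))]
        if absent:
            missing[name] = absent
    return missing


def repair_maildir_folders(maildir: str) -> list:
    """Create the missing cur/new/tmp directories (mode 0700, as Dovecot creates
    them) and return the names of the folders that were repaired."""
    repaired = []
    for name, absent in broken_maildir_folders(maildir).items():
        for d in absent:
            os.makedirs(os.path.join(maildir, name, d), mode=0o700, exist_ok=True)
        repaired.append(name)
    return repaired


def build_sample_maildir() -> str:
    """Constructed mailbox: two healthy folders, one folder directory with no
    cur/new/tmp at all, and one with only tmp/ (both would show as \\Noselect)."""
    root = tempfile.mkdtemp(prefix="maildir-")
    for d in REQUIRED:
        os.makedirs(os.path.join(root, d))
    for folder in (".2022-PERSONNEL", ".2022-PERSONNEL.FOO2.test"):
        for d in REQUIRED:
            os.makedirs(os.path.join(root, folder, d))
    os.makedirs(os.path.join(root, ".2022-PERSONNEL.FOO2"))
    os.makedirs(os.path.join(root, ".2022-PERSONNEL.FOO2.test.Location", "tmp"))
    return root


if __name__ == "__main__":
    root = build_sample_maildir()
    print("broken before:", broken_maildir_folders(root))
    print("repaired:", repair_maildir_folders(root))
    print("broken after:", broken_maildir_folders(root))
```

Run it against a real mailbox by pointing broken_maildir_folders at the user's Maildir root (the directory that itself contains cur/, new/ and tmp/), as the mail user, so the created directories get the right owner.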


Re: how to setup IMAPs with letsencrypt

2022-04-23 Thread Richard Hector

On 22/04/22 11:57, Joseph Tam wrote:

Keep in mind the subject name (CN or SAN AltNames) of your certificate
must match your IMAP server name e.g. if your certificate is
made for "www.mydomain.com", you'll have to configure your IMAP
clients to also use "www.mydomain.com" as the IMAP server name.

This typically means the web and IMAP server must reside on the
same server, otherwise you'll have to use DNS challenge method
to support multiple hostnames on the same certificate.


_A_ web server has to be there. It doesn't have to serve anything else 
useful. My mail server has a web server that only serves the LE 
challenge. Well, actually it's a proxy server that serves several other 
domains too, but there's nothing else served on that domain (at the moment).


Cheers,
Richard


Re: auth between postfix and dovecot?

2022-04-23 Thread alice




Shawn Heisey wrote:
My setup is virtual users in a postfixadmin database.  Dovecot does all 
authentication, even with postfix.  I believe the config snippets I have 
included below are the relevant things that make it possible for postfix 
to talk to dovecot for mail delivery and authentication.


Mail sent from localhost on port 25 does not require authentication on 
my system, because 127.0.0.0/8 is in postfix's mynetworks config and 
port 25's access restrictions include permit_mynetworks.  Anything sent 
via submission (port 587) does require auth, even from trusted 
networks.  If you can configure your webmail to use submission instead 
of smtp, maybe that can be authenticated.  You'll need to consult 
support resources for your webmail to see if that is possible.   I can 
say for sure that roundcube can do it ... I have roundcube configured to 
talk to port 587, which as mentioned, ALWAYS requires authentication.


When postfix sends mail to dovecot for delivery, I'm pretty sure that 
happens without authentication.  It's LMTP via unix socket, not 
something an outside client can access directly.



Thank you. That's a good suggestion.

regards.


Re: auth between postfix and dovecot?

2022-04-23 Thread alice




Shawn Heisey wrote:
Interesting.  I thought it was using LMTP but it looks like master.cf 
has it running /usr/lib/dovecot/dovecot-lda to deliver. Would LMTP be a 
better option? It has always worked, so I didn't look at it very closely.


I see some docs saying dovecot uses LDA for delivery by default. LDA has 
worse performance than LMTP, though I am not sure about this.


thanks.


Re: how to setup IMAPs with letsencrypt

2022-04-23 Thread alice




Richard Hector wrote:

otherwise you'll have to use DNS challenge method
to support multiple hostnames on the same certificate.


Do you know how to implement this?

The original certificates were issued for the domain sample.com.
But can these certs be used for any.sample.com too?

Thanks


Re: how to setup IMAPs with letsencrypt

2022-04-23 Thread Jeremy Ardley


On 24/4/22 9:14 am, ミユナ (alice) wrote:



Richard Hector wrote:

otherwise you'll have to use DNS challenge method
to support multiple hostnames on the same certificate.


Do you know how to implement this?

The original certificates were issued for the domain sample.com.
But can these certs be used for any.sample.com too?


There is a procedure for wildcards but it's a little complex. It helps 
to have your own bind server.


For a start:

https://www.digitalocean.com/community/tutorials/how-to-create-let-s-encrypt-wildcard-certificates-with-certbot

--
Jeremy
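Two things from this exchange can be checked in code rather than guessed: whether a certificate issued for sample.com (or for *.sample.com) covers the name an IMAP client will connect to, and what the DNS-01 challenge Jeremy points at actually asks you to publish. The block below is an added example, not from the thread, certbot or Let's Encrypt. The name matching follows the RFC 6125 rules (case-insensitive; a wildcard only as the whole left-most label; one label matched, so *.sample.com covers imap.sample.com but neither sample.com nor a.b.sample.com), and the TXT record follows RFC 8555 section 8.4 (base64url of the SHA-256 of token.thumbprint, published at _acme-challenge.<domain>, with the leading "*." dropped for a wildcard identifier). The SAN lists, token and thumbprint are constructed.

```python
import base64
import hashlib


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate dNSName against a server name, RFC 6125 style.
    Partial wildcards (f*.sample.com) and wildcards above the second level
    (*.com) are rejected, as browsers and most IMAP clients reject them."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if any("*" in label for label in p[1:]) or (p[0] != "*" and "*" in p[0]):
        return False
    if p[0] == "*" and len(p) < 3:
        return False
    if len(p) != len(h):            # a wildcard matches exactly one label
        return False
    return all(pl == "*" or pl == hl for pl, hl in zip(p, h))


def cert_covers(san_dns_names, hostname: str) -> bool:
    """True if any subjectAltName dNSName covers the hostname. Modern clients
    ignore the CN whenever a SAN extension is present, so only SANs count."""
    return any(hostname_matches(name, hostname) for name in san_dns_names)


def dns01_txt_record(identifier: str, token: str, account_key_thumbprint: str):
    """(name, value) of the TXT record for a DNS-01 challenge (RFC 8555 §8.4):
    key authorization = token '.' thumbprint; value = unpadded base64url of
    its SHA-256; a '*.example' identifier is validated at _acme-challenge.example."""
    domain = identifier[2:] if identifier.startswith("*.") else identifier
    key_authorization = f"{token}.{account_key_thumbprint}".encode("ascii")
    digest = hashlib.sha256(key_authorization).digest()
    value = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return f"_acme-challenge.{domain}", value


# Constructed SAN lists: the thread's original certificate (sample.com only)
# and a wildcard certificate of the kind the DNS challenge can obtain.
ORIGINAL_CERT_SANS = ["sample.com"]
WILDCARD_CERT_SANS = ["sample.com", "*.sample.com"]

if __name__ == "__main__":
    for sans in (ORIGINAL_CERT_SANS, WILDCARD_CERT_SANS):
        for host in ("sample.com", "imap.sample.com", "a.b.sample.com"):
            print(sans, host, cert_covers(sans, host))
    # Token and thumbprint here are made up; a real ACME client gets them from the CA.
    print(dns01_txt_record("*.sample.com", "constructed-token", "constructed-thumbprint"))
```

The practical answer to the question above falls out of the first function: a certificate whose only name is sample.com does not cover any.sample.com, so either add the mail host name as a SAN or obtain a wildcard via DNS-01.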





Re: how to setup IMAPs with letsencrypt

2022-04-23 Thread Jeremy Ardley


On 24/4/22 9:22 am, Jeremy Ardley wrote:


For a start:

https://www.digitalocean.com/community/tutorials/how-to-create-let-s-encrypt-wildcard-certificates-with-certbot 



This may be more helpful 
https://medium.com/@saurabh6790/generate-wildcard-ssl-certificate-using-lets-encrypt-certbot-273e432794d7


--
Jeremy





doveadm pw usage

2022-04-23 Thread alice

Hello

When I want to assign a password to a user, I need to write the plain 
password to a text file and then do:


# doveadm pw -p input.txt
{CRAM-MD5}77180880...


It's not that convenient to write to a file first.

Does it support the format below?

doveadm pw "plain password"

providing the plain password as a command-line argument to generate an encrypted one.

thank you
ミユナ alice
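Two facts about doveadm pw are worth knowing before scripting this: the -p option takes the password string itself, not a file name, and doveadm pw with no -p at all prompts for the password twice, which is the form to prefer, since anything passed on the command line ends up in shell history and is visible to other users in the process list while the command runs. The script below reproduces that workflow for a Dovecot {SSHA512} hash. It is an added example, not doveadm's code; the {SSHA512} layout (base64 of sha512(password + salt) with the salt appended) follows Dovecot's documented scheme, and the 16-byte random salt is this example's choice (Dovecot treats everything after the 64-byte digest as the salt, so any length verifies).

```python
import base64
import getpass
import hashlib
import hmac
import os
import sys
from typing import Optional

DIGEST_LEN = 64          # SHA-512 output size; the rest of the decoded blob is the salt


def ssha512_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a Dovecot-style {SSHA512} string: base64(sha512(password + salt) + salt)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return "{SSHA512}" + base64.b64encode(digest + salt).decode("ascii")


def ssha512_verify(password: str, stored: str) -> bool:
    """Check a password against a stored {SSHA512} value in constant time."""
    scheme, _, b64 = stored.partition("}")
    if scheme != "{SSHA512":
        return False
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return False
    if len(raw) <= DIGEST_LEN:
        return False
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def read_password() -> str:
    """Prompt twice on a terminal (as doveadm pw does); when stdin is a pipe,
    read one line so the value can come from a secret store without touching argv."""
    if sys.stdin.isatty():
        first = getpass.getpass("Enter new password: ")
        second = getpass.getpass("Retype new password: ")
        if first != second:
            raise SystemExit("Passwords do not match.")
        return first
    return sys.stdin.readline().rstrip("\r\n")


if __name__ == "__main__":
    print(ssha512_hash(read_password()))
```

The output can be cross-checked with doveadm itself: doveadm pw -t '{SSHA512}...' prompts for the password and reports whether it verifies against that hash.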


Re: how to setup IMAPs with letsencrypt

2022-04-23 Thread alice

Thank you Jeremy. I will check them out.

Jeremy Ardley wrote:
https://www.digitalocean.com/community/tutorials/how-to-create-let-s-encrypt-wildcard-certificates-with-certbot 



This may be more helpful 
https://medium.com/@saurabh6790/generate-wildcard-ssl-certificate-using-lets-encrypt-certbot-273e432794d7 



Re: how to setup IMAPs with letsencrypt

2022-04-23 Thread Shawn Heisey

On 4/23/2022 6:45 PM, Richard Hector wrote:
_A_ web server has to be there. It doesn't have to serve anything else 
useful. My mail server has a web server that only serves the LE 
challenge. Well, actually it's a proxy server that serves several 
other domains too, but there's nothing else served on that domain (at 
the moment).


I didn't want to mess with creating a web infrastructure for the usual 
web-based validation that is common with LE.  Getting that working for 
my services would be very messy.  So I use DNS validation with 
LetsEncrypt, and I have wildcards in my cert.  You can see the cert at 
this location:


https://http3test.elyograg.org/

Reload the page to see if your browser can do http/3 -- the initial 
connection will usually be http/2.


Certbot has plugins for many common DNS providers that let it 
automatically add the validation records to your DNS.  I use a DNS 
provider which is not covered by the official plugins, but I found a 
third party hook script on github, so I have built scripts that 
accomplish completely automated certificate renewals with DNS 
validation.  I run the renew script with cron every other day, and have 
it waiting until 5 days before expiration before it actually does the 
renewal.  So I get a new cert about every 85 days, and it even installs 
the cert and restarts services on everything that needs it.


Thanks,
Shawn