Re: Should one prevent reconnection before expunge?

2022-08-21 Thread Aki Tuomi


> On 21/08/2022 13:08 EEST Christian Kivalo  wrote:
> 
>  
> On August 21, 2022 12:34:46 AM GMT+02:00, Jack Cecil  
> wrote:
> >On Fri, 12 Aug 2022, Jack Cecil wrote:
> >
> >> could you help me understand the 'doveadm expunge' feature better?
> >> 
> >> If a Maildir has 20 thousand messages and user is reading it over IMAP I 
> >> have a suspicion it is not a good idea to be rewriting the dovecot index 
> >> and cache at the same time.
> >> 
> >> Should I temporarily prevent login (e.g. with passwd-file deny) and then 
> >> kick them before the expunge?
> >
> >Hi. Could someone please drop me a hint? I have 309 users that will be very 
> >angry with me if their Thunderbirds start displaying 0 messages :(
> >
> >Thanks.
> I had never thought about this, I do have some folders for which I expunge 
> messages with doveadm with a cron job, never had a problem.
> 
> What keeps you from testing with a test account to see what happens when you 
> expunge while logged in? My assumption is, the client will update its 
> knowledge of the mailbox on next access or login. 
> -- 
> Christian Kivalo

Running doveadm expunge while a user is logged in is safe.

Aki


Re: Get a list of currently active IMAP connections?

2022-08-21 Thread Jaroslaw Rafa
On 20.08.2022 at 19:34:03 Jaroslaw Rafa wrote:
> I have one more question regarding this.
> 
> My service needs to access the socket /var/run/dovecot/anvil. The problem is
> that this socket (at least on my system) has permissions only for root:
> 
> srw------- 1 root root 0 May 22  2020 /var/run/dovecot/anvil
> 
> And I don't think it's a good idea to run my service as root. Is it possible
> to add permission to this socket for another user? If yes, what should I
> change in Dovecot config?

Well, documentation is not very clear on this, but by trial and error I was
able to change /var/run/dovecot/anvil socket permissions to:

srw-rw---- 1 root dovecot 0 Aug 21 20:47 /var/run/dovecot/anvil

by putting the following lines into Dovecot configuration:

# this is needed for Postfix IMAP-before-SMTP policy service to access anvil
service anvil {
  unix_listener anvil {
    user = root
    group = dovecot
    mode = 0660
  }
}

Then my service can run under the user "dovecot" and access anvil.

So I'd like to ask - do I create any security risk by changing the anvil
socket permissions like above and running my service under "dovecot" user?

Or is it better that I create a special user dedicated only for this service
and run the service under that user?
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."
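
A check one could run after changing the listener as in the message above: it confirms that the anvil path is a socket, owned by the expected user and group, with no permission bits beyond 0660, and that its parent directory does not let other users replace it. This is an added example, not part of the original thread or of Dovecot; the function name audit_socket and its parameters are hypothetical.

```python
import os
import stat


def audit_socket(path, want_uid, want_gid, max_mode=0o660):
    """Return a list of findings for a UNIX socket; an empty list means it passes."""
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink planted at the path
    except FileNotFoundError:
        return [f"{path}: does not exist"]
    if not stat.S_ISSOCK(st.st_mode):
        return [f"{path}: not a UNIX socket"]

    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if mode & ~max_mode:
        findings.append(f"{path}: mode {mode:04o} grants bits beyond {max_mode:04o}")
    if st.st_uid != want_uid:
        findings.append(f"{path}: owner uid {st.st_uid}, expected {want_uid}")
    if st.st_gid != want_gid:
        findings.append(f"{path}: group gid {st.st_gid}, expected {want_gid}")

    # A parent directory writable by group/other (without the sticky bit)
    # lets those users rename or replace the socket itself.
    parent_dir = os.path.dirname(os.path.abspath(path))
    parent = os.stat(parent_dir)
    loose = parent.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
    if loose and not parent.st_mode & stat.S_ISVTX:
        findings.append(f"{parent_dir}: writable by group/other, no sticky bit")
    return findings


if __name__ == "__main__":
    import grp
    import sys

    # Defaults follow the message above: socket owned by root (uid 0),
    # group "dovecot". Both can be overridden on the command line.
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/run/dovecot/anvil"
    group = sys.argv[2] if len(sys.argv) > 2 else "dovecot"
    try:
        gid = grp.getgrnam(group).gr_gid
    except KeyError:
        sys.exit(f"group {group!r} not found")
    problems = audit_socket(path, 0, gid)
    print("\n".join(problems) or f"{path}: ok")
    sys.exit(1 if problems else 0)
```
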


Re: Permission denied UNIX perms appear ok (ACL/MAC wrong?))

2022-08-21 Thread Remo Mattei
It’s a mounted partition; you should check, as it is probably NFS.

Good luck. 

> On 21 Aug 2022, at 07:43, Austin Witmer wrote:
> 
> Thanks to all of you for your input!
> 
> I think I may have gotten this resolved. More time and testing will tell! 
> More details later . . .
> 
> Austin Witmer
> 
> 
>> On Aug 20, 2022, at 9:06 AM, Erwan David  wrote:
>> 
>>> On 20/08/2022 at 16:52, Austin Witmer wrote:
>>> Hello all!
>>> 
>>> Recently I upgraded my mail server to Ubuntu 22.04 LTS and ever since then 
>>> I am periodically getting some dovecot errors like the below in my mail 
>>> log. As far as I can tell, my unix perms are just fine. What is ACL/MAC?
>>> 
>>> Aug 20 14:41:58 mail dovecot: 
>>> imap(u...@domain.com)<56316><1NieGKPmuOdKwxVI>: Error: Mailbox INBOX: 
>>> stat(/mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log
>>>  ) failed: Permission denied 
>>> (euid=1000(austin) egid=1000(austin) UNIX perms appear ok (ACL/MAC wrong?))
>>> 
>>> And here is the listing showing the permissions for that file.
>>> 
>>> austin@mail:~$ ls -la /mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log
>>> 
>>> -rwxrwxr-- 1 austin austin 15796 Aug 20 14:41 /mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log
>>> 
>>> What in the world is causing these errors, and what can I do about them?
>>> 
>>> Thanks in advance!
>>> 
>>> Austin Witmer
>> 
>> Did you check whether your Linux distribution uses SELinux or AppArmor? In 
>> that case you would have to check their policy to give dovecot access to 
>> this directory.
>> 
> 


Re: Permission denied UNIX perms appear ok (ACL/MAC wrong?))

2022-08-21 Thread Austin Witmer
Thanks to all of you for your input!

I think I may have gotten this resolved. More time and testing will tell! More 
details later . . .

Austin Witmer


> On Aug 20, 2022, at 9:06 AM, Erwan David  wrote:
> 
> On 20/08/2022 at 16:52, Austin Witmer wrote:
>> Hello all!
>> 
>> Recently I upgraded my mail server to Ubuntu 22.04 LTS and ever since then I 
>> am periodically getting some dovecot errors like the below in my mail log. 
>> As far as I can tell, my unix perms are just fine. What is ACL/MAC?
>> 
>> Aug 20 14:41:58 mail dovecot: 
>> imap(u...@domain.com)<56316><1NieGKPmuOdKwxVI>: Error: Mailbox INBOX: 
>> stat(/mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log 
>> ) failed: Permission denied 
>> (euid=1000(austin) egid=1000(austin) UNIX perms appear ok (ACL/MAC wrong?))
>> 
>> And here is the listing showing the permissions for that file.
>> 
>> austin@mail:~$ ls -la /mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log
>> 
>> -rwxrwxr-- 1 austin austin 15796 Aug 20 14:41 /mnt/volume1/mailserver/plain/maildir/domain.com/user/dovecot.index.log
>> 
>> What in the world is causing these errors, and what can I do about them?
>> 
>> Thanks in advance!
>> 
>> Austin Witmer
> 
> Did you check whether your Linux distribution uses SELinux or AppArmor? In 
> that case you would have to check their policy to give dovecot access to this 
> directory.
> 



Re: Adding new server (POP3 only)

2022-08-21 Thread Adrian Minta

Hi,

your users will not notice anything.

If you are using a load-balancer try to stick a user on the same 
back-end. Use "static" hash or Dovecot Director.


On 8/21/22 11:41, Antonino Esposito wrote:

Good morning,

we're facing a spike in users activation and we've decided to add 
another server for POP3 only.
Since our dovecot is currently backed by NFS, I'm under the impression 
we just need to add a new instance listening for POP3, backed by the 
same NFS. However, I'm afraid the existing POP3 users will download 
the messages once again, due to the fact the responding server will be 
on a different IP address, even if the hostname will be exactly the same.


Am I right in this assumption? Have you any advice for me?

Thanks
Antonino


--
Best regards,
Adrian Minta




Re: Should one prevent reconnection before expunge?

2022-08-21 Thread Christian Kivalo



On August 21, 2022 12:34:46 AM GMT+02:00, Jack Cecil  
wrote:
>On Fri, 12 Aug 2022, Jack Cecil wrote:
>
>> could you help me understand the 'doveadm expunge' feature better?
>> 
>> If a Maildir has 20 thousand messages and user is reading it over IMAP I 
>> have a suspicion it is not a good idea to be rewriting the dovecot index and 
>> cache at the same time.
>> 
>> Should I temporarily prevent login (e.g. with passwd-file deny) and then 
>> kick them before the expunge?
>
>Hi. Could someone please drop me a hint? I have 309 users that will be very 
>angry with me if their Thunderbirds start displaying 0 messages :(
>
>Thanks.
I had never thought about this, I do have some folders for which I expunge 
messages with doveadm with a cron job, never had a problem.

What keeps you from testing with a test account to see what happens when you 
expunge while logged in? My assumption is, the client will update its 
knowledge of the mailbox on next access or login. 
-- 
Christian Kivalo


Adding new server (POP3 only)

2022-08-21 Thread Antonino Esposito

Good morning,

we're facing a spike in users activation and we've decided to add 
another server for POP3 only.
Since our dovecot is currently backed by NFS, I'm under the impression 
we just need to add a new instance listening for POP3, backed by the 
same NFS. However, I'm afraid the existing POP3 users will download the 
messages once again, due to the fact the responding server will be on a 
different IP address, even if the hostname will be exactly the same.


Am I right in this assumption? Have you any advice for me?

Thanks
Antonino