Re: possible doveadm expunge bug
On 18/09/2023 16:17, Aki Tuomi via dovecot wrote:

Aki, any ideas? Or have I hit a ridiculously low 1000D hard coded limit?

...and I know some troll will comment, so let me say yes, I know I can and will likely have to use nix's "find" to actually cull them, but if doveadm has an expunge option, it should do what is asked of it :)

# doveconf -a
# 2.3.20 (80a5ac675d): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.20 (149edcf2)
# OS: Linux 5.15.117 x86_64 Slackware 15.0 ext4

- Yes I know 2.3.21 was released 2 days ago, but I'm not seeing anything in changelog/NEWS that's related

--
Regards,
Noel Butler

Hi! Can you try using strace for the doveadm command to see what it's up to?

Aki

Aki,

Did you see anything out of the usual in the trace I sent you? Just asking since I've manually cleaned up most folders, but left one in case you'd like me to try something, so no urgency :)

--
Regards,
Noel Butler

___
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org
Dovecot OIDC question
Exploring the possible use of SSO using OIDC with Dovecot. Trying to understand the functionality of OIDC as it pertains to e-mail clients like Thunderbird, Outlook etc...

My OIDC provider will authenticate a user by intercepting the connection attempt to the resource, present a login screen and after success it will redirect to the resource.

When it comes to e-mail clients, how would that process work if at all?

Thanks
Re: 2.3.21 broke XOAUTH authentication against Keycloak
> On 23/09/2023 12:55 EEST t...@interseclab.org wrote:
>
> I have Roundcube and Dovecot2 setup to authenticate against Keycloak
> using the XOAUTH2 method, as follows:
>
> introspection_url = https://[...]/realms/[...]/protocol/openid-connect/token/introspect
> introspection_mode = post
> username_attribute = email
> client_id = [...]
> client_secret = [...]
> tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
>
> Since upgrading to 2.3.21 XOAUTH2 fails to authenticate with:
>
> dovecot: auth: Error: oauth2([...],[...],<[...]>): oauth2 failed: Introspection failed: No username returned
>
> WARN [org.keycloak.events] (executor-thread-45) type=INTROSPECT_TOKEN_ERROR, realmId=[...], clientId=null, userId=null, ipAddress=[...], error=client_not_found
> WARN [org.keycloak.events] (executor-thread-45) type=INTROSPECT_TOKEN_ERROR, realmId=[...], clientId=null, userId=null, ipAddress=[...], error=invalid_request, detail='Authentication failed.'
>
> Downgrading to 2.3.20 fixes the issue.
>
> I believe this change is to blame:
>
> lib-oauth2: Dovecot would send client_id and client_secret as POST
> parameters to the introspection server. These need to be optionally in
> Basic auth instead.
>
> Is there anything I should change in my Keycloak/Dovecot config or is
> this a bug?

Try changing introspection_url to https://client_id:client_secret@server/

Aki
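Added example, not part of the thread and not Dovecot's or Keycloak's code: the workaround above moves the client credentials into the URL userinfo, where a secret containing `@`, `:` or `/` must be percent-encoded or the URL parses to a different host. The sketch builds such a URL and the HTTP Basic introspection request an RFC 7662 client would derive from it; the host, realm, client name and secret are constructed, and percent-decoding of the userinfo by the consumer is an assumption.

```python
import base64
from urllib.parse import quote, unquote, urlencode, urlsplit, urlunsplit

# Constructed sample endpoint; only the path layout is taken from the thread.
SAMPLE_URL = ("https://sso.example.test/realms/demo"
              "/protocol/openid-connect/token/introspect")


def with_client_credentials(url, client_id, client_secret):
    """Embed client_id:client_secret as percent-encoded URL userinfo."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("refusing to put a client secret in a non-HTTPS URL")
    if parts.username is not None:
        raise ValueError("URL already carries userinfo")
    # safe='' also encodes '/', ':' and '@', which would otherwise end the
    # userinfo or the authority early.
    userinfo = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return urlunsplit((parts.scheme, f"{userinfo}@{parts.netloc}",
                       parts.path, parts.query, parts.fragment))


def introspection_request(url_with_userinfo, token):
    """Return (url, headers, body) for a Basic-authenticated introspection POST.

    Assumption: the consumer percent-decodes the userinfo before use.
    """
    parts = urlsplit(url_with_userinfo)
    if parts.username is None or parts.password is None:
        raise ValueError("no client credentials in URL")
    creds = f"{unquote(parts.username)}:{unquote(parts.password)}"
    basic = base64.b64encode(creds.encode()).decode()
    # Credentials travel in the header, so strip them from the request URL.
    host = parts.netloc.rpartition("@")[2]
    clean = urlunsplit((parts.scheme, host, parts.path, parts.query, ""))
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    # Only the token stays in the POST body; no client_id or client_secret.
    return clean, headers, urlencode({"token": token})


if __name__ == "__main__":
    url = with_client_credentials(SAMPLE_URL, "mail-client", "p@ss:w/rd")
    print("introspection_url =", url)
    print(introspection_request(url, "abc.def"))
```

The resulting `introspection_url` holds the client secret in clear text, so the configuration file carrying it needs the same file permissions as one holding `client_secret`.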
2.3.21 broke XOAUTH authentication against Keycloak
I have Roundcube and Dovecot2 setup to authenticate against Keycloak using the XOAUTH2 method, as follows:

introspection_url = https://[...]/realms/[...]/protocol/openid-connect/token/introspect
introspection_mode = post
username_attribute = email
client_id = [...]
client_secret = [...]
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt

Since upgrading to 2.3.21 XOAUTH2 fails to authenticate with:

dovecot: auth: Error: oauth2([...],[...],<[...]>): oauth2 failed: Introspection failed: No username returned

WARN [org.keycloak.events] (executor-thread-45) type=INTROSPECT_TOKEN_ERROR, realmId=[...], clientId=null, userId=null, ipAddress=[...], error=client_not_found
WARN [org.keycloak.events] (executor-thread-45) type=INTROSPECT_TOKEN_ERROR, realmId=[...], clientId=null, userId=null, ipAddress=[...], error=invalid_request, detail='Authentication failed.'

Downgrading to 2.3.20 fixes the issue.

I believe this change is to blame:

lib-oauth2: Dovecot would send client_id and client_secret as POST parameters to the introspection server. These need to be optionally in Basic auth instead.

Is there anything I should change in my Keycloak/Dovecot config or is this a bug?
is dovecot 2.3.20 compatible with YESCRYPT?
To Whom It May Concern,

Fedora 38 uses YESCRYPT by default to create the passwords stored in "shadow". The prefix is "$y$".

Ref: https://doc.dovecot.org/configuration_manual/authentication/password_schemes/#authentication-password-schemes

The nearest supported password scheme is blowfish.

Can dovecot 2.3.20 read passwords created with YESCRYPT?

Regards,
--
Andrew Hoff
Re: dovecot username with domain
On 19-09-2023 22:36, Dave McGuire wrote:

On 9/19/23 16:34, Michael Grant wrote:

Thanks, I was hoping for something less complicated.

I found auth_username_format %n which drops the domain if supplied. Unfortunately my imap username isn't 'mgrant'. Probably I could make this work if there was no other way. This forces me to have my IMAP password the same as my unix password.

I probably should move to virtual users for everyone on my box but that's not so easy. I was hoping there was some way I could translate individual users which would make this transition easier.

You could have virtual users with any username (matching the required format for 'New Outlook') and password in an SQL passdb + userdb, and a second backend for the system users (PAM probably) as a fallback.

The docs describe this precise scenario at: https://doc.dovecot.org/configuration_manual/authentication/multiple_authentication_databases/

Regards,
Tom
Re: How to use http api doveadm to manage acl permissions
Yes, of course I've done that but not found it; moreover, it should be available in the API documentation?

This is the content of the GET call. Is there a command for ACL with maybe not the ACL word inside?

[
{ "command": "mailboxMutf7", "parameters": [ { "name": "toUtf8", "type": "boolean" }, { "name": "fromUtf8", "type": "boolean" }, { "name": "name", "type": "array" } ] },
{ "command": "serviceStop", "parameters": [ { "name": "service", "type": "array" } ] },
{ "command": "serviceStatus", "parameters": [ { "name": "service", "type": "array" } ] },
{ "command": "sisDeduplicate", "parameters": [ { "name": "rootDir", "type": "string" }, { "name": "queueDir", "type": "string" } ] },
{ "command": "sisFind", "parameters": [ { "name": "rootDir", "type": "string" }, { "name": "hash", "type": "string" } ] },
{ "command": "processStatus", "parameters": [ { "name": "service", "type": "array" } ] },
{ "command": "stop", "parameters": [] },
{ "command": "reload", "parameters": [] },
{ "command": "statsDump", "parameters": [ { "name": "socketPath", "type": "string" }, { "name": "reset", "type": "boolean" }, { "name": "fields", "type": "string" } ] },
{ "command": "statsAdd", "parameters": [ { "name": "name", "type": "string" }, { "name": "filter", "type": "string" }, { "name": "exporter", "type": "string" }, { "name": "exporterInclude", "type": "string" }, { "name": "description", "type": "string" }, { "name": "fields", "type": "string" }, { "name": "groupBy", "type": "string" } ] },
{ "command": "statsRemove", "parameters": [ { "name": "name", "type": "string" } ] },
{ "command": "oldstatsDump", "parameters": [ { "name": "socketPath", "type": "string" }, { "name": "type", "type": "string" }, { "name": "filter", "type": "string" } ] },
{ "command": "oldstatsReset", "parameters": [ { "name": "socketPath", "type": "string" } ] },
{ "command": "penalty", "parameters": [ { "name": "socketPath", "type": "string" }, { "name": "netmask", "type": "string" } ] },
{ "command": "kick", "parameters": [ { "name": "socketPath", "type": "string" }, { "name": "force", "type": "boolean" }, { "name": "mask", "type": "array" } ] },
{ "command": "who", "parameters": [ { "name": "socketPath", "type": "string" }, { "name": "separateConnections", "type": "boolean" }, { "name": "mask", "type": "array" } ] },
{ "command": "directorStatus", "parameters": [ { "name": "socketPath", "type": "string" }, { "name": "user", "type": "string" }, { "name": "tag", "type": "string"