Re: Oauth2 MFA config
On 23.05.24 at 22:07, Scott Q. via dovecot wrote:
> Anyone managed to get Dovecot working as smoothly with OAUTH2 as Gmail has with Outlook ?
> So that for example when you add the account up in Outlook it performs all the required steps for saving the device, getting tokens, etc.
> Ideally with a custom ID provider, not Google as described here:
> https://doc.dovecot.org/configuration_manual/authentication/oauth2/

Hello,

wish you get more responses than my similar question:
https://dovecot.org/mailman3/hyperkitty/list/dovecot@dovecot.org/message/JJEEJG3JR5GT3H2MQEUDRLNEAA4US4KP/

Andreas
___
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org
using keycloak
Hello,

I'm relatively new to oauth2. I like to understand a setup for dovecot but https://doc.dovecot.org/configuration_manual/authentication/oauth2/ is not enough for me.

Could anybody describe a simple setup where dovecot uses keycloak? For simplification I would start with keycloak's builtin user management only.

- how to configure dovecot
- how to configure keycloak
- how to test with 'curl --verbose --some-magic-options imap://dovecot-server'

Thanks,
Andreas
Re: doveadm: Error: open(/proc/self/io) failed
On 31.07.19 at 08:27, Sami Ketola via dovecot wrote:
> service lmtp {
>   user = vmail
> }
>
> please remove user = vmail from here or change it to root.
>
> for security reasons lmtp service must be started as root since version
> 2.2.36. lmtp will drop root privileges after initialisation but it needs to
> open /self/proc/io as root before that.

Hello Sami,

I don't read "root is required for lmtp" in https://wiki.dovecot.org/LMTP#Security, neither does https://dovecot.org/doc/NEWS-2.2 say so. Could you prove that statement somehow?

Andreas
Re: Dovecot not surviving OpenLDAP restart
Dag Nygren via dovecot:
> One more obvious line from the log:
> dovecot[26621]: auth: Error: LDAP: Connection lost to LDAP server, reconnecting

Usually reconnecting works. If it doesn't for you, it's probably not dovecot's fault. I suggest to inspect openldap logs.

Try to stop slapd and start it (ideally: same environment and parameters) appending "-d 320". That "-d 320" prevents slapd becoming a daemon and floods stdout with logs. So it is really helpful if there are no other LDAP clients when you run slapd this way. You should see dovecot reconnecting and maybe a reason why that fails.

Andreas
Re: Dovecot not surviving OpenLDAP restart
On 08.05.19 at 15:32, Dag Nygren via dovecot wrote:
> Now since some update of dovecot it will not be able to authenticate
> your logins after a restart of the LDAP service is restarted
> without a reboot of the dovecot server.

Hello,

This sounds more like a configuration glitch. Could you show the ldap related dovecot configuration? Logs with failure messages will also be helpful.

Andreas
Re: Feature request: exclude IP/network in allow_nets extra field
On 30.04.19 at 03:56, Zhang Huangbin via dovecot wrote:
> Dear all,
>
> We use `allow_nets`[1] to restrict login clients, it works fine.
> Recently we need to allow some users to login from everywhere except some
> IP/networks, how can we accomplish this with "allow_nets"?
>
> Tried allow_nets="!a.b.c.d", but Dovecot reports error "allow_nets: Invalid
> network '!a.b.c.d'".
>
> Can we have this feature?
>
> I guess it should be done in function "auth_request_validate_networks"[2] in
> file src/auth/auth-request.c.

I had a similar problem years ago. Usually one sets defaults in a configuration and overwrites per userdb entry. In my case the userdb was an ldap backend. I liked to limit specific users via allow_nets and deny all others. So I wrote a simple patch for src/auth/auth-request.c to set defaults in case my ldap userdb does not return any overwriting.

Patch attached...

Andreas

Description: additional defaults for allow_nets Author: A. Schulze --- This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ Index: dovecot-2.3.6/src/auth/auth-request.c === --- dovecot-2.3.6.orig/src/auth/auth-request.c +++ dovecot-2.3.6/src/auth/auth-request.c @@ -1775,6 +1775,16 @@ auth_request_validate_networks(struct au unsigned int bits; bool found = FALSE; + if (strcmp(networks, "ALL") == 0) { + auth_request_log_debug(request, "auth", "allow_nets: found 'ALL'"); + request->failed = FALSE; + return; + } + if (strcmp(networks, "NONE") == 0) { + auth_request_log_debug(request, "auth", "allow_nets: found 'NONE'"); + request->failed = TRUE; + return; + } for (net = t_strsplit_spaces(networks, ", "); *net != NULL; net++) { auth_request_log_debug(request, AUTH_SUBSYS_DB, "%s: Matching for network %s", name, *net);
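Review bot: in the 'ALL' branch, request->failed = FALSE overwrites the flag unconditionally, so a failure already recorded on the request before this function runs would be cleared by an allow_nets value of ALL; returning without touching request->failed keeps ALL a pure "no restriction" case. Both new debug calls pass the literal "auth" and a hardcoded "allow_nets:" prefix, while the existing call directly below uses AUTH_SUBSYS_DB and the name argument; reusing those keeps the log lines consistent. Because strcmp() compares the whole string, ALL and NONE are case-sensitive and are only recognised when they are the entire value, not one item in a comma or space separated list, which deserves a code comment or a line in the allow_nets documentation.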
Re: Dovecot v2.3.5 released
On 07.03.19 at 17:33, Aki Tuomi via dovecot wrote:
>> test-http-client-errors.c:2989: Assert failed: FALSE
>> connection timed out . :
>> FAILED

Hello Aki,

> Are you running with valgrind or on really slow system?

I'm not aware my buildsystem uses valgrind ...
How do you define "a really slow system"? All I can mention as reference is a build time of 11 minutes until the error occurs.

> Does it happen if you run env NOVALGRIND=yes make check?

yes,
Andreas
Re: Dovecot v2.3.5 released
On 05.03.19 at 17:26, Aki Tuomi via dovecot wrote:
> We are happy to release dovecot v2.3.5.

Hello,

it builds but tests fail...

make[4]: Entering directory '/<>/src/lib-http'
for bin in test-http-date test-http-url test-http-header-parser test-http-transfer test-http-auth test-http-response-parser test-http-request-parser test-http-payload test-http-client-errors test-http-server-errors; do \
  if ! ./$bin; then exit 1; fi; \
done
...
unconfigured ssl . : ok
unconfigured ssl abort ... : ok
invalid url .. : ok
host lookup failed ... : ok
connection refused ... : ok
connection refused backoff ... : ok
connection lost prematurely .. : ok
test-http-client-errors.c:2989: Assert failed: FALSE
connection timed out . : FAILED
invalid redirect: not accepted ... : ok
invalid redirect: bad location ... : ok
invalid redirect: too many ... : ok
...
1 / 38 tests failed

looking at test-http-client-errors.c:2989, could this test ever pass?

test_assert(FALSE);

Andreas
Re: offtopic: rant about thoughtless enabling DMARC checks [was: Re: Bounces?]
On 09.02.19 at 19:56, Aki Tuomi via dovecot wrote:
> I'll review the settings when we manage to upgrade to mailman3

Hello Aki,

before updating to mailman3 consider a simpler update to latest mailman2. You're using 2.1.15, current mailman2 is 2.1.29. You're missing a /significant amount/ of DMARC fixes!

and: more off-topic: while my messages *to* the dovecot list are sent using STARTTLS, messages *from* wursti.dovecot.fi are sent without encryption. Any reason to stay on unencrypted SMTP?

Andreas