Re: shared/public mailbox application

2016-11-28 Thread Adrian POPA

-Original Message-
From: dovecot [mailto:dovecot-boun...@dovecot.org] On Behalf Of Michael Fox
Sent: Thursday, November 24, 2016 11:53 AM
To: Dovecot Mailing List 
Subject: shared/public mailbox application

I'm new to Dovecot and I need help configuring a shared or public mailbox -
I'm not sure which is appropriate.  I've read the wiki and Peer's book and
neither appears to cover what I'd like to do.  So I could use some specific
help on how to configure a solution for the following:



I'd like to create two real mailboxes, let's call them AAA and BBB.  Let's
call the domain "mydomain".  By "real", I mean that users aaa@mydomain and
bbb@mydomain can log into their own mailbox.

Any user can send mail to them, just like any other address:
aaa@mydomain or bbb@mydomain.

I'd like all IMAP users in mydomain to be able to read the messages in those
mailboxes.

I'd like all POP users in mydomain to also see those messages.  (But I don't
think I need help with the virtual part).

I'd like only a few designated IMAP users to be able to delete the messages
in those mailboxes, including dummy users AAA and BBB themselves.

Ideally, I'd like them to appear in the client under a separate namespace
from shared mailboxes.  Example:



INBOX
+--- the normal stuff.
Shared
+--- user1
+--- user2
Special
+--- AAA
+--- BBB



My confusion:

1)  I don't know if this requires a shared namespace or a public
namespace.  It "feels" like it's "public", since all users would have
access.  But Peer's book and the wiki describe manually creating folders for
public namespaces and controlling the contents with manual file
manipulation, which leads me to believe that they can't be used for regular
mail (although the book and the wiki never say one way or the other).   I
don't want to manually control files.  I want to send mail to the mailbox
and delete (see above) it with a client.

2)  There are several examples in Peer's book and the wiki, but none
seem to match what I want.  (This is the problem with documentation that is
predominantly example-based).  I guess I need more explanation of the
mechanical differences between shared and public and why one would pick one
over the other.



Can someone help?  Please be as specific as you can.



Thanks much,

Michael



Hi,
I did that in Linux (Ubuntu) by using symbolic links.
In the INBOX of users that you want to see shared emails place a symlink to 
the shared INBOX.


 | 
 |  | ...INBOX
 |  | .Drafts (folder)
 |  | .Trash (folder)
 |  | ...
 |  | ~.Shared AAA --> ../aaa
 |  | ~.Shared BBB --> ../bbb
 | 
 |  |  ...INBOX
 |  | ...
 |  | ~.Shared AAA --> ../aaa
 |  | ~.Shared BBB --> ../bbb
 | 
 |  | ...INBOX
 |  | ...
 | 
 |  | ...INBOX
 |  | ...
The only thing that could create problems is permissions. I use the same 
UID/GID for all users (vmail:vmail) so I don't have such problems.
If you want special permissions for groups of users (some can delete emails 
in shared folders) you need to define the permission groups, add users you 
want to those groups and set rw permission and set group bit on shared 
folders.


If you're not using Linux I cannot help.
Adrian


Re: BUG: nopassword doesn't work with CRAM-MD5

2016-11-17 Thread Adrian POPA

On 17.11.2016 10:30, Arkadiusz Miśkiewicz wrote:

On Thursday 17 of November 2016, Aki Tuomi wrote:

On 17.11.2016 10:14, Arkadiusz Miśkiewicz wrote:

Hello.

dovecot 2.2.26.0

When testing nopassword extra field
(http://wiki2.dovecot.org/PasswordDatabase/ExtraFields) with CRAM-MD5
dovecot doesn't allow any password (while it should) and returns

" Authentication failed"

while in logs:

Nov 17 08:22:34 auth-worker(1551): Info:
sql(pepe,127.0.0.1,): Requested CRAM-MD5 scheme, but we
have a NULL password

NULL is there because our sql query returns empty password just like wiki
says "nopassword:  you want to allow all passwords, use an empty
password and this field. "


If password is returned in sql query then it fails, too:

Nov 17 09:00:49 auth-worker(2206): Error:
sql(pepe,127.0.0.1,): nopassword set but password is
non-empty

So looks to be a bug.

It's not a bug. CRAM-MD5 does in fact require *some* password to work,

Provide fake/random one for nopassword internally.


you can either store it with doveadm pw -S CRAM-MD5 or as plain text
password.

Then I get


sql(pepe,127.0.0.1,): nopassword set but password is
non-empty

So that doesn't help

btw. doveadm pw -S is not documented, so no idea what it does


Aki
Sorry to bump into your conversation but Aki is defending too hard 
something that is really a bug.

I signaled this issue myself in the "very old" version 2.2.9(!)
nopassword means ANY password (including none). One cannot store 
something like ANY with doveadm, SQL or anything.
So with "nopassword" the query should simply ignore the password field 
(missing, NULL or set to anything else).
Why would a user log in with nopassword? This is an administrator 
decision and is not subject for comments.
My problem was with LDA, which refuses to store mail in INBOX if the user 
is not properly authenticated (nopassword) so you cannot receive mails 
for "hidden" users that cannot log in, maybe to redirect mails later or 
do some other things with.


Adrian
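
The statement quoted above that CRAM-MD5 requires *some* password follows from how the mechanism works (RFC 2195): the server must recompute an HMAC-MD5 over its own challenge using the stored secret. The sketch below is an added example, not code from Dovecot or from anyone in this thread; the user names, passwords and the `PASSDB` dictionary are constructed, and a plaintext stored secret is assumed.

```python
import base64
import hashlib
import hmac
import os
import time


def make_challenge(hostname="mail.example.test"):
    """Server: fresh, unpredictable challenge in RFC 2195 msg-id form."""
    nonce = f"<{os.urandom(8).hex()}.{int(time.time())}@{hostname}>"
    return base64.b64encode(nonce.encode())


def client_response(user, password, challenge_b64):
    """Client: prove knowledge of the password without sending it."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode())


def server_verify(passdb, challenge_b64, response_b64):
    """Server: recompute the digest from the stored secret and compare."""
    decoded = base64.b64decode(response_b64).decode()
    user, _, digest = decoded.rpartition(" ")
    secret = passdb.get(user)
    if not secret:
        # Empty/NULL password: there is no key to recompute the HMAC with,
        # so the response cannot be checked on its merits at all.
        return "no-secret"
    challenge = base64.b64decode(challenge_b64)
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return "ok" if hmac.compare_digest(expected, digest) else "mismatch"


# Constructed sample password database (assumption, not the thread's data).
PASSDB = {"pepe": "s3cret-on-server", "hidden": None}

if __name__ == "__main__":
    ch = make_challenge()
    for user, pw in [("pepe", "s3cret-on-server"), ("pepe", "anything"),
                     ("hidden", "anything")]:
        print(user, pw, server_verify(PASSDB, ch, client_response(user, pw, ch)))
```

With PLAIN or LOGIN the server receives the password itself and can choose to ignore it; with CRAM-MD5 it only ever sees a digest keyed by a secret it must already hold.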


Re: Crashing when run against OpenSSL 1.1.0c

2016-11-15 Thread Adrian POPA

Hi

You can't think how glad I am that SSL issues rise again in a new Dovecot 
version with next Ubuntu release with a new OpenSSL library.
Some days ago I have posted something similar about Ubuntu 14.04 - Dovecot 
2.2.9 - OpenSSL 1.0 (Dovecot processes turning zombie) but no one cared 
about it.
I still think it is somehow related to ssl-param process + config + auth + 
...whatever (all of them "ignoring idle SIGINT")


If Dovecot SSL implementation is so dependent on a certain version of a 
library (OpenSSL for example) you should consider saving a copy of the 
"known-good" library version somewhere in Dovecot private space and use it 
without relying on generic system upgrades.


Don't get me wrong: I love Dovecot as IMAP server and local delivery agent. 
But public interface is unreliable, authentication too, so for now I am 
using Dovecot as an isolated server in localhost and attach other public 
interfaces to it. Even so, delivery agent LDA is still trying to 
authenticate and complains about null passwords (what?). I have destination 
addresses that should go to a shared mailbox and that user@domain is never 
allowed to login. The workaround is to set an "impossible" password for 
those but this is not a nice solution. LDA should care only about what 
counts for him (maybe using some defaults) and leave everything else for the 
"big boys".


Sorry for any inconvenience,
Adrian POPA


- Original Message - 
From: "Aki Tuomi" 

To: 
Sent: Tuesday, November 15, 2016 1:43 PM
Subject: Re: Crashing when run against OpenSSL 1.1.0c





On 15.11.2016 13:27, Michael Marley wrote:

Hi,

I am running Dovecot 2.2.26.0 compiled against OpenSSL 1.1 and, since
upgrading to OpenSSL 1.1.0c, the "lmtp" process has been crashing with
SIGSEGV whenever it receives SIGINT.  This always happens a minute or so
after the lmtp process handles a message.  It can also be manually
reproduced by sending SIGINT to one of the running lmtp processes.

I am compiling and running on an Ubuntu 17.04 x86_64 system using GCC 6.2.

Here is the output of me reproducing it with gdb:

(gdb) signal SIGINT
Continuing with signal SIGINT.

Program received signal SIGSEGV, Segmentation fault.
0x7f6748cc2fb0 in ?? ()
(gdb) bt
#0  0x7f6748cc2fb0 in ?? ()
#1  0x7f674872ac60 in ossl_init_thread_stop (locals=)
at crypto/init.c:336
#2  0x7f674872aee4 in OPENSSL_cleanup () at crypto/init.c:391
#3  0x7f67491052e0 in __run_exit_handlers (status=0,
listp=0x7f674948c5d8 <__exit_funcs>,
run_list_atexit=run_list_atexit@entry=true,
run_dtors=run_dtors@entry=true) at exit.c:83
#4  0x7f674910533a in __GI_exit (status=) at exit.c:105
#5  0x7f67490eb3f8 in __libc_start_main (main=0x555b35fbfbc0 ,
argc=1, argv=0x7ffd4ede3588, init=,
fini=, rtld_fini=,
stack_end=0x7ffd4ede3578) at ../csu/libc-start.c:325
#6  0x555b35fbfe3a in _start ()

Here is the output of "doveconf -n":

# 2.2.26.0 (23d1de6): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.devel (623ae77)
# OS: Linux 4.8.7-040807-generic x86_64 Ubuntu Zesty Zapus (development
branch)
auth_mechanisms = plain login
auth_username_format = %Ln
mail_location = mdbox:~/mdbox
mailbox_list_index = yes
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric
relational regex imap4flags copy include variables body enotify
environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
plugin {
  sieve = file:~/sieve;active=~/.dovecot.sieve
}
postmaster_address = mich...@michaelmarley.com
protocols = imap sieve lmtp
service auth {
  client_limit = 1624
  unix_listener /var/spool/postfix/private/dovecot-auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service imap-login {
  inet_listener imaps {
    port = 0
  }
}
service lmtp {
  process_min_avail = 5
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
ssl = required
ssl_ca =
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
test_cipher_test_vectors . : ok
test_cipher_aead_test_vectors  : ok
test_hmac_test_vectors ... : ok
test_load_v1_keys  : ok
test_load_v1_key . : ok
test_load_v1_public_key ..

Dovecot processes turning zombie

2016-11-09 Thread Adrian POPA
Hi

I am running Ubuntu 14.04 (plan to go to 16.04) with Postfix and Dovecot 2.2.9 
from Ubuntu repository.
Dovecot configuration has not changed dramatically since the days of Ubuntu 
12.04 (can't remember Dovecot version).
In the last months, connection to Dovecot IMAP service became more and more 
difficult. First Ubuntu Thunderbird refused to connect, then Android phones. The 
last one connecting regularly was an old XP laptop(!). Now it's facing problems 
too.
Again, I did not make any configuration changes lately so only system upgrades 
(libraries) may have caused this.
The first thing to notice was that some Dovecot processes are going zombie 
(defunct). At startup "ssl-params", then sometimes "auth", "imap-login" and 
rarely "config".
Turning on debug logging in Dovecot shows that offending process "is ignoring 
idle SIGINT". And "auth client limit (1000) reached".
This behavior also impacts Postfix delivery through Dovecot LDA with 
"status=deferred (temporary failure)" (I turned off mail sending with -e in lda 
invocation).
Another thing is SSL connection. Attempts to test with openssl s_client show 
that Dovecot is not responding after ClientHello when it should normally send 
server certificate.
The very same certificate is used with Postfix and it works (I can send mails 
through Postfix) but IMAP connections to Dovecot do not. There is no protocol 
mismatch because I have tried a local SSL connection (same computer). Initial 
messages are TLS1.2 but nothing in response.

So my question is: have you faced such problems and found a cause (and maybe a 
fix)? Upgrading to Ubuntu 16.04 with whatever Dovecot version it provides may 
resolve the issues?

Thanks