[Dovecot] high number of processes

2011-06-14 Thread Egbert Jan van den Bussche
Hi,

Sometimes a script kiddie tries to guess passwords on our mailserver
(Ubuntu 10.04.2 LTS, postfix, dovecot 1.2.9, scanners, the standard
stuff). That leads to a nagios message about the high number of
processes. The number goes above 500. Nagios threshold is set to 250,
which is more than enough for normal operation of this server. When are
these processes supposed to die again? They seem to stay at the high
count quite long.

Is there a way to limit the generation of extra login processes? Can I
tune the login_process... params a bit? I have them all on default.

dovecot -n below:

root@mail-dev:/etc/dovecot# dovecot -n
# 1.2.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-32-server x86_64 Ubuntu 10.04.2 LTS
log_path: /var/log/dovecot/error.log
info_log_path: /var/log/dovecot/info.log
log_timestamp: %Y-%m-%d %H:%M:%S
protocols: imap pop3 imaps pop3s
listen: *, [::]
ssl_cert_file: /disk/site/etc/ssl/hobby.nl/hobby.nl.crt
ssl_key_file: /disk/site/etc/ssl/hobby.nl/hobby.nl.key
ssl_cipher_list: ALL:!LOW:!SSLv2:ALL:!aNULL:!ADH:!eNULL:!EXP:RC4+RSA:+HIGH:+MEDIUM
disable_plaintext_auth: no
login_dir: /var/run/dovecot/login
login_executable(default): /usr/lib/dovecot/imap-login
login_executable(imap): /usr/lib/dovecot/imap-login
login_executable(pop3): /usr/lib/dovecot/pop3-login
first_valid_uid: 200
mail_privileged_group: vmail
mail_location: maildir:~/Maildir
mmap_disable: yes
dotlock_use_excl: no
mail_nfs_storage: yes
mail_nfs_index: yes
mbox_write_locks: fcntl dotlock
mail_executable(default): /usr/lib/dovecot/imap-wrapper.sh
mail_executable(imap): /usr/lib/dovecot/imap-wrapper.sh
mail_executable(pop3): /usr/lib/dovecot/pop3-wrapper.sh
mail_plugins: convert autocreate
mail_plugin_dir(default): /usr/lib/dovecot/modules/imap
mail_plugin_dir(imap): /usr/lib/dovecot/modules/imap
mail_plugin_dir(pop3): /usr/lib/dovecot/modules/pop3
imap_client_workarounds(default): outlook-idle delay-newmail
imap_client_workarounds(imap): outlook-idle delay-newmail
imap_client_workarounds(pop3):
pop3_client_workarounds(default):
pop3_client_workarounds(imap):
pop3_client_workarounds(pop3): outlook-no-nuls oe-ns-eoh
lda:
  postmaster_address: postmaster
  deliver_log_format: msgid=%m: %$
  rejection_subject: Rejected: %s
  rejection_reason: Your message to <%t> was automatically rejected:%n%r
  auth_socket_path: /var/run/dovecot/auth-master
auth default:
  mechanisms: plain login
  realms: kader.hcc.nl hobby.nl
  default_realm: kader.hcc.nl
  cache_size: 1024
  cache_ttl: 10
  passdb:
    driver: pam
    args: failure_show_msg=yes cache_key=%u dovecot
  passdb:
    driver: sql
    args: /etc/dovecot/dovecot-sql.conf
  userdb:
    driver: sql
    args: /etc/dovecot/dovecot-sql.conf
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/dovecot-auth
      mode: 432
      user: postfix
      group: postfix
    master:
      path: /var/run/dovecot/auth-master
      mode: 384
      user: vmail
      group: vmail
plugin:
  convert_mail: mbox:/disk/mail/convert/%n
  autocreate: Trash
  autocreate2: Sent
  autocreate3: Drafts
  autocreate4: Spam
  autosubscribe: Trash
  autosubscribe2: Sent
  autosubscribe3: Drafts
  autosubscribe4: Spam

login_process defaults:
#login_user = dovecot
#login_process_size = 64
#login_process_per_connection = yes
#login_processes_count = 3
#login_max_processes_count = 128
#login_max_connections = 256

lsof -n output (part of long list):
dovecot-a 12941   root   17u unix 0x88012a457300  0t0 13606994 /var/run/dovecot/login/default
dovecot-a 12941   root   18u unix 0x8800272bd800  0t0 13565904 /var/run/dovecot/login/default
dovecot-a 12941   root   19u unix 0x8800a68a9800  0t0 13610586 /var/run/dovecot/login/default



TNX for any advice!
Egbert Jan HCC!Hobbynet, NL



Re: [Dovecot] rotate logs ?

2011-01-18 Thread Egbert Jan van den Bussche

Same advice. Works flawlessly.

Egbert Jan

On 18-1-2011 10:41, Nick Lunt wrote:




-Original Message-
From: dovecot-bounces+nick.lunt=patech-solutions@dovecot.org
[mailto:dovecot-bounces+nick.lunt=patech-solutions@dovecot.org] On
Behalf Of Frank Bonnet
Sent: 18 January 2011 09:41
To: Dovecot Mailing List
Subject: [Dovecot] rotate logs ?

Hello

is there an internal  mechanism in dovecot to rotate logs daily ?

thanks


How about putting something similar to the following in
/etc/logrotate.conf (on redhat/centos)

/var/log/dovecot.log {
 weekly
 minsize 1M
 create 0664 root postfix
 rotate 4
}

Cheers
Nick .









Re: [Dovecot] Web Based User Management

2011-01-14 Thread Egbert Jan van den Bussche

On 14-1-2011 21:14, Matt wrote:

Does anyone know of a web GUI type application that would allow the
creation and deletion of email accounts on an email server?


+1 for PostfixAdmin. I get the users from a 3rd party and wrote some 
Perl script to feed them all into the MySQL db. We have about 160 domains, 
5000 aliases and 900 mailboxes. All virtual of course.


Postfix, Dovecot, Roundcube, Mailman, All server side virus and spam 
software.


Egbert Jan


Re: [Dovecot] Last login

2011-01-10 Thread Egbert Jan van den Bussche

On 9-1-2011 23:55, Jan-Frode Myklebust wrote:

On Sun, Jan 09, 2011 at 09:19:39PM +0100, Egbert Jan van den Bussche wrote:


I'm trying to find a way to find inactive users.


What we do is to touch a file upon every login:

protocol imap {

mail_executable = /usr/local/dovecot/sbin/imap-wrapper.sh
}

protocol pop3 {

mail_executable = /usr/local/dovecot/sbin/pop-wrapper.sh
}

and these simply do:

#! /bin/sh -
touch /var/log/activemailaccounts/imap/$USER
exec /usr/local/dovecot/libexec/dovecot/imap

Once a day we push this info to a database, and use that to view
stats on account/protocol usage.



   -jf

TNX!

This works fine! I had to change the path but that is Ubuntu versus your 
distro. One question though:
I have a file called "dump-capability" in the ...activeaccounts/imap dir. 
Any idea what that is? Maybe generated during restart of dovecot? Must 
be created by the imap-wrapper.sh.


Egbert Jan
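
An added example (not from the thread) of the wrapper approach described above, as two shell functions: one records a login with the username validated and quoted before it is used as a file name, the other lists accounts whose stamp file is older than a given number of days. The function names, the SKIP_NAMES variable and the sample users are assumptions; dump-capability is skipped because it is the stray file reported in the reply.

```shell
#!/bin/sh
# Names that must never get a stamp file (assumption: taken from the
# "dump-capability" file reported in the thread).
SKIP_NAMES="dump-capability"

# record_login STAMP_DIR USER
# Touch STAMP_DIR/USER. Refuses names that are empty, start with a dot or
# a dash, or contain anything outside [A-Za-z0-9@._-]; with "/" excluded
# the name can never point outside STAMP_DIR.
record_login() {
    case "$2" in
        ''|.*|-*) return 1 ;;
        *[!A-Za-z0-9@._-]*) return 1 ;;
    esac
    case " $SKIP_NAMES " in
        *" $2 "*) return 1 ;;
    esac
    touch -- "$1/$2"
}

# inactive_accounts STAMP_DIR DAYS
# Print the names whose stamp file was last touched more than DAYS days ago.
inactive_accounts() {
    find "$1" -type f -mtime +"$2" | sed 's|.*/||' | sort
}

# In the wrapper itself (paths as quoted in the thread) the call would be:
#   record_login /var/log/activemailaccounts/imap "$USER"
#   exec /usr/local/dovecot/libexec/dovecot/imap "$@"

# Demonstration on constructed data in a throw-away directory.
demo=$(mktemp -d)
record_login "$demo" "alice@kader.hcc.nl"             # fresh login
touch -t 201001010000 "$demo/bob"                      # constructed old stamp
record_login "$demo" "../escape"  || echo "rejected: ../escape"
record_login "$demo" "dump-capability" || echo "skipped: dump-capability"
echo "inactive for more than 30 days:"
inactive_accounts "$demo" 30
rm -rf "$demo"
```

The stamp directory has to be writable by whatever user the wrapper runs as at that point, and nothing else should be stored in it, since every file name in it is treated as an account.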




[Dovecot] Last login

2011-01-09 Thread Egbert Jan van den Bussche

Hi,

I'm trying to find a way to find inactive users.

Is there a simple way to deduce the last login date of a user from that 
user's Maildir files? Are the timestamps on the index files reliable?


I ask because the system and dovecot logs are not available to me but I 
can search the whole .../vmail/domain/user/Maildir tree.


I'm running 1.2.9 on Ubuntu 10.04 LTS with postfix and postfixadmin. 
The users (all are virtual) reside in the postfixadmin MySQL tables.


TNX
Egbert Jan (NL)


Re: [Dovecot] two mailboxes - sieve?

2010-11-23 Thread Egbert Jan van den Bussche

On 24-11-2010 1:48, Daniel L. Miller wrote:

On 11/23/2010 1:16 PM, Egbert Jan van den Bussche wrote:

On 23-11-2010 22:08, Charles Marcus wrote:

On 2010-11-23 2:04 PM, Egbert Jan van den Bussche wrote:

Hi helpful list!

I have this user that has two different accounts on the mail server. One
is a system account, the other is a virtual account (for what it is
worth...). This user would like to have all his email to the virtual
mail box (maildir format) automatically moved (or delivered) to the
system mailbox (also maildir format). Both are on the same machine and
use the same postfix/dovecot installation. Something tells me that I
might need the sieve plugin for lda here since dovecot is the local
delivery transport. I have no knowledge whatsoever about sieve or its
scripting. What do I need to do apart from enabling the sieve plugin in
dovecot.conf?
Or is there another simple solution for this problem directly in Postfix
or with fetchmail? A simple working example would be wonderful!





At least two alternatives are available to you. Pure Postfix solution,
using the recipient_bcc_maps parameter; or Sieve, using the redirect.
Simple Sieve script needs to be enabled for the base mailbox (in this
case, the virtual mailbox):

# Sieve script file
keep;
redirect "copym...@domain.com";

Pure Postfix option -
1. Create a file to store mappings - I use /etc/postfix/maps/recipient_bcc
2. Add entries to that file in the form:
m...@domain.com copym...@domain.com
3. "Compile" the file - 'postmap /etc/postfix/maps/recipient_bcc' - this
creates recipient_bcc.db
4. Add 'recipient_bcc_maps = hash:/etc/postfix/maps/recipient_bcc' to
main.cf
5. Execute 'postfix reload'

Further questions should be directed to the Postfix mailing list.


Many thanks. I've been playing with the pure Postfix solution but came 
no further than the 'user has moved' feature which only sends a 
friendly DSN. I do want to learn about sieve, so I'll dig into that 
further on a test system and implement the bcc trick for now.


Egbert Jan


Re: [Dovecot] two mailboxes - sieve?

2010-11-23 Thread Egbert Jan van den Bussche

On 23-11-2010 22:08, Charles Marcus wrote:

On 2010-11-23 2:04 PM, Egbert Jan van den Bussche wrote:

Hi helpful list!

I have this user that has two different accounts on the mail server. One
is a system account, the other is a virtual account (for what it is
worth...). This user would like to have all his email to the virtual
mail box (maildir format) automatically moved (or delivered) to the
system mailbox (also maildir format). Both are on the same machine and
use the same postfix/dovecot installation. Something tells me that I
might need the sieve plugin for lda here since dovecot is the local
delivery transport. I have no knowledge whatsoever about sieve or its
scripting. What do I need to do apart from enabling the sieve plugin in
dovecot.conf?
Or is there another simple solution for this problem directly in Postfix
or with fetchmail? A simple working example would be wonderful!


Unless I'm missing something - why not just create an alias
(virtual-alias) instead of a virtual *user* and point it at the system
user account?


Thanks Charles.
Let's say that we have no control over the content of the user/mailbox 
database. The whole postfixadmin database is being filled from external 
data in flat text files with the aid of some perl scripts.


Egbert Jan


[Dovecot] two mailboxes - sieve?

2010-11-23 Thread Egbert Jan van den Bussche

Hi helpful list!

I have this user that has two different accounts on the mail server. One 
is a system account, the other is a virtual account (for what it is 
worth...). This user would like to have all his email to the virtual 
mail box (maildir format) automatically moved (or delivered) to the 
system mailbox (also maildir format). Both are on the same machine and 
use the same postfix/dovecot installation. Something tells me that I 
might need the sieve plugin for lda here since dovecot is the local 
delivery transport. I have no knowledge whatsoever about sieve or its 
scripting. What do I need to do apart from enabling the sieve plugin in 
dovecot.conf?
Or is there another simple solution for this problem directly in Postfix 
or with fetchmail? A simple working example would be wonderful!


TIA
Egbert Jan (NL)


Re: [Dovecot] Confused about Maildir

2010-11-22 Thread Egbert Jan van den Bussche

On 22-11-2010 1:47, Glen Lee Edwards wrote:

I'm trying to configure Dovecot 2.0.7. In the Dovecot Wiki for Maildirs
it says that Maildirs are almost always located in ~/Maildir. I'm a
Linux end user, not a programmer, so I may be wrong in this; but isn't
the notation "~/" used for system users only to reference their home
page; /home/? If that's the case, then does that mean that
Maildirs can only be used with system users and not with vmail accounts?

Glen


As Patrick mentioned already (and to speak with Timo) ALL users should 
have a homedir. This is mostly /home/ for real system users. 
Virtual users still should have a home dir. On my system that is a NFS 
share on /disk/mail/vmail// and the Maildir is in 
/disk/mail/vmail///Maildir. It could have been 
something completely different!


Egbert Jan




[Dovecot] local users and virtual users

2010-11-16 Thread Egbert Jan van den Bussche

Hi list,

I'm facing this problem:
I have a few local (system) users and a bunch of virtual users (in 
MySQL). To make it easy for the big group, I've set a default domain 
which is not the domain of the server (which is just the servername). So 
the big group logs in with their short name without @.


BUT the few system users (in passwd) cannot login to pop or imap because 
they get the non-local domain attached and cannot be found in the mysql 
db but they cannot be found in passdb either with their long name. The 
same applies when system users give their longname with the local domain 
which IS the localname of the server. This name is not in mysql nor 
passdb either.


Is there a way to find local users in passdb when they come in with a 
long name? Do I need another passwd like file (I hope not...)


Recap:
local Domain is :mail-dev.hobby.nl
default domain added by dovecot is kader.hcc.nl
kader users are found in mysql regardless if they give @kader.hcc.nl or 
not (then it is added)

system users are never found since longname is not in mysql nor in passdb.

dovecot -n:
r...@mail-dev:/etc/dovecot# dovecot -n
# 1.2.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-25-server x86_64 Ubuntu 10.04.1 LTS
log_path: /var/log/dovecot/error.log
info_log_path: /var/log/dovecot/info.log
log_timestamp: %Y-%m-%d %H:%M:%S
protocols: imap pop3 imaps pop3s managesieve
listen: *, [::]
ssl_cert_file: /etc/ssl/certs/ssl-mail.pem
ssl_key_file: /etc/ssl/private/ssl-mail.key
ssl_cipher_list: ALL:!LOW:!SSLv2:ALL:!aNULL:!ADH:!eNULL:!EXP:RC4+RSA:+HIGH:+MEDIUM
disable_plaintext_auth: no
verbose_ssl: yes
login_dir: /var/run/dovecot/login
login_executable(default): /usr/lib/dovecot/imap-login
login_executable(imap): /usr/lib/dovecot/imap-login
login_executable(pop3): /usr/lib/dovecot/pop3-login
login_executable(managesieve): /usr/lib/dovecot/managesieve-login
mail_max_userip_connections(default): 10
mail_max_userip_connections(imap): 10
mail_max_userip_connections(pop3): 3
mail_max_userip_connections(managesieve): 10
verbose_proctitle: yes
first_valid_uid: 200
mail_privileged_group: vmail
mail_location: maildir:~/Maildir
mail_debug: yes
mmap_disable: yes
dotlock_use_excl: no
mail_nfs_storage: yes
mail_nfs_index: yes
mbox_write_locks: fcntl dotlock
mail_executable(default): /usr/lib/dovecot/imap
mail_executable(imap): /usr/lib/dovecot/imap
mail_executable(pop3): /usr/lib/dovecot/pop3
mail_executable(managesieve): /usr/lib/dovecot/managesieve
mail_plugins(default): convert autocreate
mail_plugins(imap): convert autocreate
mail_plugins(pop3): convert autocreate
mail_plugins(managesieve):
mail_plugin_dir(default): /usr/lib/dovecot/modules/imap
mail_plugin_dir(imap): /usr/lib/dovecot/modules/imap
mail_plugin_dir(pop3): /usr/lib/dovecot/modules/pop3
mail_plugin_dir(managesieve): /usr/lib/dovecot/modules/managesieve
imap_client_workarounds(default): outlook-idle delay-newmail
imap_client_workarounds(imap): outlook-idle delay-newmail
imap_client_workarounds(pop3):
imap_client_workarounds(managesieve):
pop3_client_workarounds(default):
pop3_client_workarounds(imap):
pop3_client_workarounds(pop3): outlook-no-nuls oe-ns-eoh
pop3_client_workarounds(managesieve):
lda:
  postmaster_address: postmaster
  deliver_log_format: msgid=%m: %$
  rejection_reason: Your message to <%t> was automatically rejected:%n%r
  auth_socket_path: /var/run/dovecot/auth-master
auth default:
  mechanisms: plain login
  realms: kader.hcc.nl hobby.nl
  default_realm: kader.hcc.nl
  cache_size: 1024
  verbose: yes
  debug: yes
  debug_passwords: yes
  passdb:
    driver: pam
    args: failure_show_msg=yes cache_key=%u dovecot
  passdb:
    driver: sql
    args: /etc/dovecot/dovecot-sql.conf
  userdb:
    driver: passwd
    args: mail=maildir:~/Maildir
  userdb:
    driver: sql
    args: /etc/dovecot/dovecot-sql.conf
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/dovecot-auth
      mode: 432
      user: postfix
      group: postfix
    master:
      path: /var/run/dovecot/auth-master
      mode: 384
      user: vmail
      group: vmail
plugin:
  convert_mail: mbox:/disk/mail/convert/%n
  autocreate: Trash
  autocreate2: Sent
  autocreate3: Drafts
  autocreate4: Spam
  autosubscribe: Trash
  autosubscribe2: Sent
  autosubscribe3: Drafts
  autosubscribe4: Spam

Pse help. TIA!
Egbert Jan


Re: [Dovecot] Convert plugin

2010-10-15 Thread Egbert Jan van den Bussche

On 15-10-2010 20:15, Donny Brooks wrote:

On 10/15/2010 1:10 PM, Timo Sirainen wrote:

On Wed, 2010-10-06 at 22:01 +0200, Egbert Jan van den Bussche wrote:

I'm trying the example from the wiki:

plugin {
convert_mail = mbox:~/mail:INBOX=/var/mail/%n
}

but have still not succeeded.

Did you figure it out already? The problem is that you have no ~/mail/
directory, convert plugin doesn't then do anything because it thinks the
mails are already converted. Either you need to create those dirs, or
maybe it's easier to just use one of the scripts and do all the users at
once some weekend.



Be sure your mail in /home/username is stored in mail and not Mail.
Otherwise change the ~/mail to ~/Mail and it will work. This is what
mine was. Also check the /var/mail/%n portion. Mine was stored in
/var/spool/mail/%n.

Donny B.


OK! I can confirm that the idea to move the big old mailbox files to 
~/mail works fine. The emails are flagged as new but that is not a real 
problem (not of mine at least). I do see a new problem though... As long 
as the user has not logged in to the new mailserver, his home dir  is 
not created yet (and mail dir neither) so I cannot place his old 
mailstore in that location.


I will do the test again with a dummy home dir like /var/dummy/%n/ with 
the old mail store in there called inbox. All owned by vmail:vmail. This 
is something I can write a script for to do the conversion from 
/var/mail/ on the old server to /var/dummy/%n/inbox.


CU
EJ


Re: [Dovecot] Convert plugin

2010-10-15 Thread Egbert Jan van den Bussche

On 15-10-2010 20:15, Donny Brooks wrote:

On 10/15/2010 1:10 PM, Timo Sirainen wrote:

On Wed, 2010-10-06 at 22:01 +0200, Egbert Jan van den Bussche wrote:

I'm trying the example from the wiki:

plugin {
convert_mail = mbox:~/mail:INBOX=/var/mail/%n
}

but have still not succeeded.

Did you figure it out already? The problem is that you have no ~/mail/
directory, convert plugin doesn't then do anything because it thinks the
mails are already converted. Either you need to create those dirs, or
maybe it's easier to just use one of the scripts and do all the users at
once some weekend.



Be sure your mail in /home/username is stored in mail and not Mail.
Otherwise change the ~/mail to ~/Mail and it will work. This is what
mine was. Also check the /var/mail/%n portion. Mine was stored in
/var/spool/mail/%n.

Donny B.


Thanks Timo and Donny.

Still not figured out how to make this happen in a reliable way. But I'm 
learning every day...


This probably means that I have to build a temporary /home/user/mail/ 
structure for about 500+ users to satisfy the convert plugin. Maybe a 
fake mailstore file with just one message in that directory. The bulk 
mail is then still the file in /var/mail/. Alternatively I 
could just move the big file from /var/mail/ to ~/mail. (Probably with 
the name 'inbox'?).


On the new system home dir expands to:
/var/vmail//
and the mail dir is:
/var/vmail//
The old mail would then be in /var/vmail///mail/

These remote users on the old mail system were supposed to use pop3 ONLY 
but some of them found out about imap... and we had the service running. 
So their mail just kept growing in the file /var/mail/username. Because 
they are not system users pur-sang they have no real /home/username/mail 
directory at all. All they could do was fetch their mail with pop3; no 
local store with fancy folder structure.


When convert runs, under which user is it? root? vmail (virt. users have 
all vmail:vmail) I suppose since it is after login (which is root by 
default IIRC) has run?


TNX
Egbert Jan




[Dovecot] Convert plugin

2010-10-06 Thread Egbert Jan van den Bussche

Hi,
I'm trying to get old mail from /var/mail/, where  is the 
(sometimes) huge mailfile, not a directory, converted to the maildir 
INBOX in ~/Maildir. Users have no ~/mail directory; they were supposed 
to use pop3 only.


I'm trying the example from the wiki:

plugin {
  convert_mail = mbox:~/mail:INBOX=/var/mail/%n
}

but have still not succeeded. I tried /var/mail/ where  is a 
file and /var/mail// where user is first a directory and the 
second  a file. I also used the filename 'inbox', since the 
logging suggested that to me. Other logging seems to indicate that the 
right maildir++ info is composed.


I'm in for any advice!
TIA
Egbert Jan (NL)

Here is dovecot -n:

# 1.2.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-25-server x86_64 Ubuntu 10.04.1 LTS
log_path: /var/log/dovecot/error.log
info_log_path: /var/log/dovecot/info.log
log_timestamp: %Y-%m-%d %H:%M:%S
protocols: imap pop3 imaps pop3s managesieve
listen: *, [::]
ssl_cert_file: /etc/ssl/certs/ssl-mail.pem
ssl_key_file: /etc/ssl/private/ssl-mail.key
ssl_cipher_list: ALL:!LOW:!SSLv2:ALL:!aNULL:!ADH:!eNULL:!EXP:RC4+RSA:+HIGH:+MEDIUM
disable_plaintext_auth: no
verbose_ssl: yes
login_dir: /var/run/dovecot/login
login_executable(default): /usr/lib/dovecot/imap-login
login_executable(imap): /usr/lib/dovecot/imap-login
login_executable(pop3): /usr/lib/dovecot/pop3-login
login_executable(managesieve): /usr/lib/dovecot/managesieve-login
mail_max_userip_connections(default): 10
mail_max_userip_connections(imap): 10
mail_max_userip_connections(pop3): 3
mail_max_userip_connections(managesieve): 10
first_valid_uid: 200
mail_privileged_group: mail
mail_location: maildir:~/Maildir
mail_debug: yes
mbox_write_locks: fcntl dotlock
mail_executable(default): /usr/lib/dovecot/imap
mail_executable(imap): /usr/lib/dovecot/imap
mail_executable(pop3): /usr/lib/dovecot/pop3
mail_executable(managesieve): /usr/lib/dovecot/managesieve
mail_plugins(default): convert autocreate
mail_plugins(imap): convert autocreate
mail_plugins(pop3):
mail_plugins(managesieve):
mail_plugin_dir(default): /usr/lib/dovecot/modules/imap
mail_plugin_dir(imap): /usr/lib/dovecot/modules/imap
mail_plugin_dir(pop3): /usr/lib/dovecot/modules/pop3
mail_plugin_dir(managesieve): /usr/lib/dovecot/modules/managesieve
imap_client_workarounds(default): outlook-idle delay-newmail
imap_client_workarounds(imap): outlook-idle delay-newmail
imap_client_workarounds(pop3):
imap_client_workarounds(managesieve):
pop3_client_workarounds(default):
pop3_client_workarounds(imap):
pop3_client_workarounds(pop3): outlook-no-nuls oe-ns-eoh
pop3_client_workarounds(managesieve):
lda:
  postmaster_address: postmaster
  deliver_log_format: msgid=%m: %$
  rejection_reason: Your message to <%t> was automatically rejected:%n%r
  auth_socket_path: /var/run/dovecot/auth-master
auth default:
  mechanisms: plain login
  realms: kader.hcc.nl hobby.nl
  cache_size: 1024
  verbose: yes
  debug: yes
  passdb:
    driver: pam
    args: failure_show_msg=yes cache_key=%u dovecot
  passdb:
    driver: sql
    args: /etc/dovecot/dovecot-sql.conf
  userdb:
    driver: passwd
    args: mail=maildir:~/Maildir
  userdb:
    driver: sql
    args: /etc/dovecot/dovecot-sql.conf
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/dovecot-auth
      mode: 432
      user: postfix
      group: postfix
    master:
      path: /var/run/dovecot/auth-master
      mode: 384
      user: vmail
      group: vmail
plugin:
  convert_mail: mbox:~/mail:INBOX=/var/mail/%n
  convert_skip_broken_mailboxes: yes
  autocreate: Trash
  autocreate2: Sent
  autocreate3: Drafts
  autocreate4: Spam
  autosubscribe: Trash
  autosubscribe2: Sent
  autosubscribe3: Drafts
  autosubscribe4: Spam



Re: [Dovecot] How to add the missing maildir folders SOLVED

2010-10-06 Thread Egbert Jan van den Bussche

On 5-10-2010 23:13, Ralf Hildebrandt wrote:

* Egbert Jan van den Bussche:

Hi fellow list members,

What would be the best way to add the .Sent,.Draft, etc. folders to
the maildir tree? It seems not Dovecot's task to do that but of the
MUA.


http://wiki2.dovecot.org/Plugins/Autocreate

Thanks. Stupid me. I thought autocreate was for 2.x only. I'm still on 
1.2.9 (Ubuntu 10.04 LTS). Folders are created now. Although not strictly a 
function of Dovecot, I'm very happy that this plugin exists.


Egbert Jan


[Dovecot] How to add the missing maildir folders

2010-10-05 Thread Egbert Jan van den Bussche

Hi fellow list members,

What would be the best way to add the .Sent,.Draft, etc. folders to the 
maildir tree? It seems not Dovecot's task to do that but of the MUA.


I have seen several options. Use of skel but that works only for new 
system users. I have only virtual users preloaded in a database. I've 
discovered that ONLY Roundcube adds the folders (if configured to do 
that) but I've not been able to have the folders created by Thunderbird. 
Yes, you can manage the subscriptions to folders but there is no way to 
create them. I did not bother to try Outlook... MY users use pop3, imap 
and web (Roundcube) but I cannot ask them to use Roundcube first, just 
to create the folders.


I have no such thing as maildrop, which seems to be able to create 
folders. Should I run some script during login? How?


TIA
Egbert Jan (NL)


Re: [Dovecot] Migrating mail from mbox to maildir using dovecot

2010-09-14 Thread Egbert Jan van den Bussche

On 14-9-2010 17:51, Donny Brooks wrote:


I think I will have to stay with the 1.x branch since we have to stick to using 
approved rpm's (internal policy) and fedora 13 does not have a 2.x branch that 
I see yet. So maildir it is for now.
I see my error on the inbox not getting the new mail. That was one of those "all 
nighter" errors that I just plain missed due to lack of sleep. I forgot to point 
postfix to the proper place to deliver the mail.
So once I setup postfix to deliver the mail properly and the dovecot convert 
plugin is setup, is there a way to gradually migrate the users so I don't kill 
the server? We have about 220GB or so of mail between about 160+/- users. What 
would be the best way to migrate it all to maildir?

In my test to convert a mbox situation (sendmail) to Dovecot, I used a 
script similar to that below. The conversion is done with the mb2md.pl 
script and all takes place when a user logs in. The fact that $@ is 
destroyed by the awk does not seem to harm. YMMV!


I used the hooks provided in the dovecot config file (thanks Timo) where 
you can call a script instead of the IMAP exec. Details are in the 1.x 
dovecot wiki.


HTH
Egbert Jan (NL)

#!/bin/sh
#
# split $USER in User and Domain
# (set -- replaces the positional parameters, so the original "$@" is lost)

var=$(echo "$USER" | awk -F"@" '{print $1,$2}')
set -- $var

#
# If /var/mail/ does not exist : skip to exec
#
if [ -f "/var/mail/$1" ]
then
   # dump the shell variables for this login to a per-user file
   set > "/etc/dovecot/dovecot-$1"
   #/etc/dovecot/mb2md.pl -S -W -s /var/mail/egbert -d $HOME
   #chown vmail:vmail $HOME/cur/*
   mv "/var/mail/$1" "/var/mail/$1-converted"
fi
exec /usr/lib/dovecot/imap "$@"



Re: [Dovecot] Running auth as root

2010-08-31 Thread Egbert Jan van den Bussche

On 31-8-2010 21:10, Timo Sirainen wrote:

On Tue, 2010-08-31 at 21:07 +0200, Egbert Jan van den Bussche wrote:

If your /etc/shadow is readable by "shadow" group, you can use
auth_user=something that uses shadow group as the primary group (maybe
create a new "doveauth" user).



TNX Timo. I have added vmail to the shadow group. Now it may read
/etc/shadow.


That doesn't sound like such a good idea. Now all imap/pop3/etc
processes can read your /etc/shadow. Only auth process needs to do that.

Hmmm, you're right. I better create a doveauth user for it. Hope that it 
doesn't give problems when 1.2.9 gets replaced by the Ubuntu update mechanism

EJ
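
An added example (not part of the thread) for checking the point Timo makes above: which accounts can read a group-readable /etc/shadow through the shadow group. It parses passwd(5) and group(5) text; the helper name shadow_readers, the sample entries and the GIDs are constructed for illustration, and doveauth is the dedicated user suggested in the thread.

```shell
#!/bin/sh
# shadow_readers PASSWD_FILE GROUP_FILE GROUP_NAME ALLOWED_USER
# Lists every account that is in GROUP_NAME, either as primary group
# (passwd field 4) or as supplementary member (group field 4), and flags
# every account other than ALLOWED_USER.
# Output, one line per account: "<user> <primary|supplementary> <ok|UNEXPECTED>"
shadow_readers() {
    awk -F: -v grp="$3" -v allowed="$4" '
        # First file: group(5). Remember the gid and the member list.
        FNR == NR {
            if ($1 == grp) {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++)
                    if (m[i] != "") how[m[i]] = "supplementary"
            }
            next
        }
        # Second file: passwd(5). Primary membership overrides supplementary.
        gid != "" && $4 == gid { how[$1] = "primary" }
        END {
            for (u in how)
                printf "%s %s %s\n", u, how[u], (u == allowed ? "ok" : "UNEXPECTED")
        }
    ' "$2" "$1" | sort
}

# Constructed sample data: vmail was added to the shadow group (the state
# described in the thread), doveauth has shadow as its primary group.
demo=$(mktemp -d)
cat > "$demo/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
dovecot:x:200:200:dovecot:/usr/lib/dovecot:/bin/false
doveauth:x:201:42:dovecot auth:/nonexistent:/bin/false
vmail:x:5000:5000:virtual mail:/var/vmail:/bin/false
EOF
cat > "$demo/group" <<'EOF'
root:x:0:
shadow:x:42:vmail
dovecot:x:200:
vmail:x:5000:
EOF

shadow_readers "$demo/passwd" "$demo/group" shadow doveauth
rm -rf "$demo"
```

On a live host the same function can be pointed at /etc/passwd and /etc/group; any line marked UNEXPECTED is an account whose processes can read the password hashes.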


Re: [Dovecot] Running auth as root

2010-08-31 Thread Egbert Jan van den Bussche

On 31-8-2010 20:04, Timo Sirainen wrote:

On Mon, 2010-08-30 at 14:15 +0200, Egbert Jan van den Bussche wrote:

Hi,

I seem to be forced to run the auth process as root because I want to use
pam for local users. My gut feeling says that this is Not Good. Is there
another way?
For the virtual users 'vmail' is good enough because that user may
access the MySQL database.


If your /etc/shadow is readable by "shadow" group, you can use
auth_user=something that uses shadow group as the primary group (maybe
create a new "doveauth" user).



TNX Timo. I have added vmail to the shadow group. Now it may read 
/etc/shadow.


Egbert Jan


Re: [Dovecot] permissions on auth-userdb

2010-08-31 Thread Egbert Jan van den Bussche

On 31-8-2010 2:13, spamv...@googlemail.com wrote:

Hi..

I'm still trying to upgrade to 2.0.
I'm getting:
dovecot: lda: Error: userdb lookup:
connect(/var/run/dovecot/auth-userdb) failed: Permission denied
(euid=1(vmail) egid=1(vmail) missing +r perm:
/var/run/dovecot/auth-userdb, euid is not dir owner)

The error is correct because it's owned by root. My question is who should own it?
I'm not sure how that works, what process/user calls the auth-userdb?
The auth-userdb returns the args generated in master.conf, right?

I think commenting out the user and group setting in master.conf will fix
it but I'm not sure if that is the securest way.

the mails come from postfix via dovecot-lda

Hans

master.conf
service auth {
   # auth_socket_path points to this userdb socket by default. It's typically
   # used by dovecot-lda, doveadm, possibly imap process, etc. Its default
   # permissions make it readable only by root, but you may need to relax these
   # permissions. Users that have access to this socket are able to get a list
   # of all usernames and get results of everyone's userdb lookups.
   unix_listener auth-userdb {
 mode = 0600
 #user = vmail
 #group = vmail
   }

auth-ldap.conf.ext
passdb {
   driver = ldap
   args = /etc/dovecot/dovecot-ldap.conf.ext
}
userdb {
   driver = static
   args = uid=vmail gid=vmail home=/home/MAILBOXES/%u/
mail=/home/MAILBOXES/%u/mail
}
Had more or less the same fight with 1.2.9. I had to change auth user to 
the group 'shadow' (if /etc/shadow is owned by group shadow). Or run 
auth under the default user  'root'.


In your case it has to do with the passdb and/or userdb you use. In my 
case I had the problems with local users via pam.


HTH
Egbert Jan


[Dovecot] Running auth as root

2010-08-30 Thread Egbert Jan van den Bussche

Hi,

I seem to be forced to run the auth process as root because I want to use 
pam for local users. My gut feeling says that this is Not Good. Is there 
another way?
For the virtual users 'vmail' is good enough because that user may 
access the MySQL database.


This is on Ubuntu server 10.04.1 and Dovecot 1.2.9.

TIA, Egbert Jan


Re: [Dovecot] PAM authentication fails

2010-08-29 Thread Egbert Jan van den Bussche

On 29-8-2010 20:51, Egbert Jan van den Bussche wrote:

Hi,

I've been fighting all weekend with auth and pam to authenticate local
system users. testuser is such local user and is in passwd and shadow. I
want to have local system users (testuser is one of them) and virtual
users. The virtual part works fine but I cannot get the local user to
connect.
Still pam fails finding the user. The suggested password mismatch at the
end is, in my eyes, because there is no user in the first place. I
verified the password by interactive login to the account. The pam
module (dovecot) is just the default file with three @includes in it.

Syslog:
Aug 29 20:18:02 mail-dev dovecot: auth(default): client in:
AUTH#0112#011LOGIN#011service=imap#011lip=2a02:968:1:2:212:72:224:16#011rip=2001:888:1740:10:250:daff:fe41:4d1c#011lport=143#011rport=1093


Aug 29 20:18:02 mail-dev dovecot: auth(default): client out:
CONT#0112#011VXNlcm5hbWU6

Aug 29 20:18:02 mail-dev dovecot: auth(default): client in:
CONT#0112#011dGVzdHVzZXI=

Aug 29 20:18:02 mail-dev dovecot: auth(default): client out:
CONT#0112#011UGFzc3dvcmQ6

Aug 29 20:18:02 mail-dev dovecot: auth(default): client in:
CONT#0112#011dmF4dm1z

Aug 29 20:18:02 mail-dev dovecot: auth-worker(default):
pam(testuser,2001:888:1740:10:250:daff:fe41:4d1c): lookup service=dovecot

Aug 29 20:18:02 mail-dev dovecot: auth-worker(default):
pam(testuser,2001:888:1740:10:250:daff:fe41:4d1c): #1/1 style=1
msg=Password:

Aug 29 20:18:02 mail-dev dovecot: auth(default):
cache(testuser,2001:888:1740:10:250:daff:fe41:4d1c): miss

Aug 29 20:18:04 mail-dev dovecot: auth(default):
cache(testuser,2001:888:1740:10:250:daff:fe41:4d1c): hit:

Aug 29 20:18:04 mail-dev dovecot: auth(default):
cache(testuser,2001:888:1740:10:250:daff:fe41:4d1c): User unknown

Aug 29 20:18:04 mail-dev dovecot: auth-worker(default):
pam(testuser,2001:888:1740:10:250:daff:fe41:4d1c): pam_authenticate()
failed: Authentication failure (password mismatch?) (given password:
)

Aug 29 20:18:06 mail-dev dovecot: auth(default): client out:
FAIL#0112#011user=testuser


Relevant settings in dovecot:
r...@mail-dev:/etc/dovecot# dovecot -n
# 1.2.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-24-server x86_64 Ubuntu 10.04.1 LTS ext4
log_timestamp: %Y-%m-%d %H:%M:%S
protocols: imap pop3 imaps pop3s managesieve
listen: *, [::]
ssl_cert_file: /etc/ssl/certs/ssl-mail.pem
ssl_key_file: /etc/ssl/private/ssl-mail.key
ssl_cipher_list:
ALL:!LOW:!SSLv2:ALL:!aNULL:!ADH:!eNULL:!EXP:RC4+RSA:+HIGH:+MEDIUM
disable_plaintext_auth: no
verbose_ssl: yes
login_dir: /var/run/dovecot/login
login_executable(default): /usr/lib/dovecot/imap-login
login_executable(imap): /usr/lib/dovecot/imap-login
login_executable(pop3): /usr/lib/dovecot/pop3-login
login_executable(managesieve): /usr/lib/dovecot/managesieve-login
mail_max_userip_connections(default): 10
mail_max_userip_connections(imap): 10
mail_max_userip_connections(pop3): 3
mail_max_userip_connections(managesieve): 10
mail_privileged_group: mail
mail_location: maildir:/home/vmail/%d/%n:INDEX=/home/vmail/%d/%n
mail_debug: yes
mbox_write_locks: fcntl dotlock
mail_executable(default): /usr/lib/dovecot/imap
mail_executable(imap): /usr/lib/dovecot/imap
mail_executable(pop3): /usr/lib/dovecot/pop3
mail_executable(managesieve): /usr/lib/dovecot/managesieve
mail_plugin_dir(default): /usr/lib/dovecot/modules/imap
mail_plugin_dir(imap): /usr/lib/dovecot/modules/imap
mail_plugin_dir(pop3): /usr/lib/dovecot/modules/pop3
mail_plugin_dir(managesieve): /usr/lib/dovecot/modules/managesieve
imap_client_workarounds(default): outlook-idle delay-newmail
imap_client_workarounds(imap): outlook-idle delay-newmail
imap_client_workarounds(pop3):
imap_client_workarounds(managesieve):
pop3_client_workarounds(default):
pop3_client_workarounds(imap):
pop3_client_workarounds(pop3): outlook-no-nuls oe-ns-eoh
pop3_client_workarounds(managesieve):
lda:
  postmaster_address: postmaster
  deliver_log_format: msgid=%m: %$
  rejection_reason: Your message to <%t> was automatically rejected:%n%r
  auth_socket_path: /var/run/dovecot/auth-master

auth default:
  mechanisms: plain login
  realms: kader.hcc.nl hobby.nl
  cache_size: 1024
  user: vmail
  verbose: yes
  debug: yes
  debug_passwords: yes
  passdb:
    driver: pam
    args: setcred=yes failure_show_msg=yes cache_key=%u dovecot
  passdb:
    driver: sql
    args: /etc/dovecot/dovecot-sql.conf
  userdb:
    driver: passwd
  userdb:
    driver: sql
    args: /etc/dovecot/dovecot-sql.conf
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/dovecot-auth
      mode: 432
      user: postfix
      group: postfix
    master:
      path: /var/run/dovecot/auth-master
      mode: 384
      user: vmail
      group: vmail

Where should I look further for this dovecot pam problem? Is there such
a thing as pam debugging?

TIA
Egbert Jan


Answering to myself:

Auth user needs to be root not vmail. Restrictions on shadow make it 
necessary to do the auth and read shadow


Also needed to add mail=maildir:~/Maildir in the userdb passwd to 
override the default setting for vi

[Dovecot] PAM authentication fails

2010-08-29 Thread Egbert Jan van den Bussche

Hi,

I've been fighting all weekend with auth and pam to authenticate local 
system users. testuser is such a local user and is in passwd and shadow. I 
want to have local system users (testuser is one of them) and virtual 
users. The virtual part works fine but I cannot get the local user to 
connect.
Still pam fails finding the user. The suggested password mismatch at the 
end is, in my eyes, because there is no user in the first place. I 
verified the password by interactive login to the account. The pam 
module (dovecot) is just the default file with three @includes in it.


Syslog:
Aug 29 20:18:02 mail-dev dovecot: auth(default): client in: 
AUTH#0112#011LOGIN#011service=imap#011lip=2a02:968:1:2:212:72:224:16#011rip=2001:888:1740:10:250:daff:fe41:4d1c#011lport=143#011rport=1093


Aug 29 20:18:02 mail-dev dovecot: auth(default): client out: 
CONT#0112#011VXNlcm5hbWU6


Aug 29 20:18:02 mail-dev dovecot: auth(default): client in: 
CONT#0112#011dGVzdHVzZXI=


Aug 29 20:18:02 mail-dev dovecot: auth(default): client out: 
CONT#0112#011UGFzc3dvcmQ6


Aug 29 20:18:02 mail-dev dovecot: auth(default): client in: 
CONT#0112#011dmF4dm1z


Aug 29 20:18:02 mail-dev dovecot: auth-worker(default): 
pam(testuser,2001:888:1740:10:250:daff:fe41:4d1c): lookup service=dovecot


Aug 29 20:18:02 mail-dev dovecot: auth-worker(default): 
pam(testuser,2001:888:1740:10:250:daff:fe41:4d1c): #1/1 style=1 
msg=Password:


Aug 29 20:18:02 mail-dev dovecot: auth(default): 
cache(testuser,2001:888:1740:10:250:daff:fe41:4d1c): miss


Aug 29 20:18:04 mail-dev dovecot: auth(default): 
cache(testuser,2001:888:1740:10:250:daff:fe41:4d1c): hit:


Aug 29 20:18:04 mail-dev dovecot: auth(default): 
cache(testuser,2001:888:1740:10:250:daff:fe41:4d1c): User unknown


Aug 29 20:18:04 mail-dev dovecot: auth-worker(default): 
pam(testuser,2001:888:1740:10:250:daff:fe41:4d1c): pam_authenticate() 
failed: Authentication failure (password mismatch?) (given password: 
)


Aug 29 20:18:06 mail-dev dovecot: auth(default): client out: 
FAIL#0112#011user=testuser



Relevant settings in dovecot:
r...@mail-dev:/etc/dovecot# dovecot -n
# 1.2.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-24-server x86_64 Ubuntu 10.04.1 LTS ext4
log_timestamp: %Y-%m-%d %H:%M:%S
protocols: imap pop3 imaps pop3s managesieve
listen: *, [::]
ssl_cert_file: /etc/ssl/certs/ssl-mail.pem
ssl_key_file: /etc/ssl/private/ssl-mail.key
ssl_cipher_list: 
ALL:!LOW:!SSLv2:ALL:!aNULL:!ADH:!eNULL:!EXP:RC4+RSA:+HIGH:+MEDIUM

disable_plaintext_auth: no
verbose_ssl: yes
login_dir: /var/run/dovecot/login
login_executable(default): /usr/lib/dovecot/imap-login
login_executable(imap): /usr/lib/dovecot/imap-login
login_executable(pop3): /usr/lib/dovecot/pop3-login
login_executable(managesieve): /usr/lib/dovecot/managesieve-login
mail_max_userip_connections(default): 10
mail_max_userip_connections(imap): 10
mail_max_userip_connections(pop3): 3
mail_max_userip_connections(managesieve): 10
mail_privileged_group: mail
mail_location: maildir:/home/vmail/%d/%n:INDEX=/home/vmail/%d/%n
mail_debug: yes
mbox_write_locks: fcntl dotlock
mail_executable(default): /usr/lib/dovecot/imap
mail_executable(imap): /usr/lib/dovecot/imap
mail_executable(pop3): /usr/lib/dovecot/pop3
mail_executable(managesieve): /usr/lib/dovecot/managesieve
mail_plugin_dir(default): /usr/lib/dovecot/modules/imap
mail_plugin_dir(imap): /usr/lib/dovecot/modules/imap
mail_plugin_dir(pop3): /usr/lib/dovecot/modules/pop3
mail_plugin_dir(managesieve): /usr/lib/dovecot/modules/managesieve
imap_client_workarounds(default): outlook-idle delay-newmail
imap_client_workarounds(imap): outlook-idle delay-newmail
imap_client_workarounds(pop3):
imap_client_workarounds(managesieve):
pop3_client_workarounds(default):
pop3_client_workarounds(imap):
pop3_client_workarounds(pop3): outlook-no-nuls oe-ns-eoh
pop3_client_workarounds(managesieve):
lda:
  postmaster_address: postmaster
  deliver_log_format: msgid=%m: %$
  rejection_reason: Your message to <%t> was automatically rejected:%n%r
  auth_socket_path: /var/run/dovecot/auth-master

auth default:
  mechanisms: plain login
  realms: kader.hcc.nl hobby.nl
  cache_size: 1024
  user: vmail
  verbose: yes
  debug: yes
  debug_passwords: yes
  passdb:
    driver: pam
    args: setcred=yes failure_show_msg=yes cache_key=%u dovecot
  passdb:
    driver: sql
    args: /etc/dovecot/dovecot-sql.conf
  userdb:
    driver: passwd
  userdb:
    driver: sql
    args: /etc/dovecot/dovecot-sql.conf
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/dovecot-auth
      mode: 432
      user: postfix
      group: postfix
    master:
      path: /var/run/dovecot/auth-master
      mode: 384
      user: vmail
      group: vmail

Where should I look further for this dovecot pam problem? Is there such 
a thing as pam debugging?


TIA
Egbert Jan
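
The mismatch discussed in this thread (a pam passdb while the auth process runs as vmail) and the decimal socket modes printed by `dovecot -n` can be checked mechanically. The following is an added example, not part of the original posts and not Dovecot code: a small Python linter over a constructed excerpt in the 1.2-style `dovecot -n` layout, with function names and finding texts that are this example's own.

```python
# Constructed excerpt in the style of the Dovecot 1.2 `dovecot -n` output
# quoted in the thread (indentation restored, values taken from the post).
SAMPLE = """\
disable_plaintext_auth: no
auth default:
  mechanisms: plain login
  user: vmail
  debug_passwords: yes
  passdb:
    driver: pam
    args: setcred=yes failure_show_msg=yes cache_key=%u dovecot
  passdb:
    driver: sql
    args: /etc/dovecot/dovecot-sql.conf
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/dovecot-auth
      mode: 432
    master:
      path: /var/run/dovecot/auth-master
      mode: 384
"""

def parse_auth_block(text):
    """Return (settings, passdb_drivers, sockets) for the 'auth default:' block."""
    settings, drivers, sockets = {}, [], []
    in_auth, section, current = False, None, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        if indent == 0:                      # top-level setting or block header
            in_auth = (key == "auth default")
        elif not in_auth:
            continue
        elif indent == 2:                    # auth setting or sub-section header
            section = key if value == "" else None
            if section is None:
                settings[key] = value
        elif indent == 4 and section == "passdb" and key == "driver":
            drivers.append(value)
        elif indent == 4 and section == "socket" and value == "":
            current = {"kind": key}          # 'client:' or 'master:' listener
            sockets.append(current)
        elif indent == 6 and section == "socket" and current is not None:
            current[key] = value
    return settings, drivers, sockets

def lint(text):
    """Return (findings, {socket path: octal mode}) for a dovecot -n dump."""
    settings, drivers, sockets = parse_auth_block(text)
    findings = []
    user = settings.get("user", "root")      # the thread names root as the default
    if "pam" in drivers and user != "root":
        findings.append(f"passdb pam with auth user '{user}': the thread's fix was "
                        "root or membership of the group owning /etc/shadow")
    if settings.get("debug_passwords") == "yes":
        findings.append("debug_passwords is on: submitted passwords are logged")
    modes = {}
    for s in sockets:
        mode = int(s.get("mode", "0"))       # dovecot -n prints the mode in decimal
        modes[s.get("path", "?")] = format(mode, "04o")
        if mode & 0o007:
            findings.append(f"{s.get('path', '?')} is accessible to 'other'")
    return findings, modes

if __name__ == "__main__":
    found, socket_modes = lint(SAMPLE)
    for line in found:
        print("WARN", line)
    for path, octal in socket_modes.items():
        print(octal, path)
```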



Re: [Dovecot] Using MySQL For Mailboxes?

2010-03-08 Thread Egbert Jan van den Bussche


> -----Original Message-----
> From: dovecot-bounces+egbert=vandenbussche...@dovecot.org 
> [mailto:dovecot-bounces+egbert=vandenbussche...@dovecot.org] 
> On behalf of Bradley Giesbrecht
> Sent: Monday 8 March 2010 17:06
> To: Carlos Mennens
> CC: Dovecot Mailing List
> Subject: Re: [Dovecot] Using MySQL For Mailboxes?
> 
> 
> 
> On Mar 8, 2010, at 8:00 AM, Carlos Mennens wrote:
> 
> > On Mon, Mar 8, 2010 at 10:55 AM, Timo Sirainen  wrote:
> >> Dovecot supports looking up user information from MySQL, but not 
> >> actually storing mails there. If you really wanted to store mails on 
> >> MySQL, you'd have to use dbmail instead of Dovecot.
> >
> > Is it even worth it with less than 500 users? I mean I don't have any 
> > problems right now creating individual users and their home 
> > directories in Linux but I have never used MySQL for mail so can't 
> > differentiate the two. I guess I don't even know if this worth the 
> > effort to change my configuration especially if it involves changing 
> > out my IMAP server for 'dbmail' which I know nothing about until you 
> > mentioned it.
> 
> 
> No one will be able to answer what something is worth to you.
> 
> If your 500 users are mostly email only then you will probably enjoy  
> storing email addresses, passwords, paths to mailboxes, 
> quotes etc...  
> in mysql.
> 
> This is how you can use mysql with dovecot. The emails will still be  
> stored on a file system in one of the popular mailbox formats like  
> mbox, maildir, etc
> 
> // Brad

You might have a look at PostfixAdmin. 

Egbert 


> 



Re: [Dovecot] First time Dovecot user, really impressed so far. What is best IMAP enabled webmail package to go with Dovecot?

2010-01-04 Thread Egbert Jan van den Bussche
Welcome! 
Have a look at RoundCube webmail. I used to use squirrelmail but had the
same issues as you. RoundCube is very nice.

Egbert Jan

> -----Original Message-----
> From: dovecot-bounces+egbert=vandenbussche...@dovecot.org 
> [mailto:dovecot-bounces+egbert=vandenbussche...@dovecot.org] 
> On behalf of Stan Hoeppner
> Sent: Monday 4 January 2010 22:01
> To: dovecot@dovecot.org
> Subject: [Dovecot] First time Dovecot user, really 
> impressed so far. What is best IMAP enabled webmail package 
> to go with Dovecot?
> 
> 
> Greetings everyone,
> 
> I'm new to the list as of today.  I just installed Dovecot a 
> couple of days ago for the first time, Debian Lenny Dovecot 
> v1.0.15-2.3.  So far I'm pretty impressed.  I'm using mbox 
> format with Dovecot auto-deciding to place mail in user home 
> directories, which is great.  It works very well with the 
> Win32 Thunderbird 3 client over a small basic 100FDX switched 
> net.  I've got one list mail folder with 10,600 messages and 
> server side body searching that folder via T-Bird is very 
> quick, on the order of 5 seconds.  It would probably be 
> quicker if Dovecot threaded the search to use both CPUs, but 
> pegging just the one CPU the search is still very darn quick. 
>  And this is on a dual P2-550 class machine with only 384MB 
> RAM and a single 500GB 7200RPM SATA drive.
> 
> I'd like to install a webmail package on the same host.  I 
> used Squirrelmail for this purpose many years ago and I 
> wasn't wholly impressed with the user interface.  I'm also 
> not impressed by the fact that I regularly receive spam from 
> compromised Squirrelmail hosts/accounts.  I really like the 
> look/feel of the Scalix Web Access AJAX based interface, but 
> I can't/won't use Scalix as it's not supported on Debian, it 
> has more features than I need, and the system requirements 
> are a bit steep.
> 
> So, what's the best FOSS IMAP enabled web mail front end with 
> a modern look/feel?  I'd like to run it on lighttpd, which 
> I'm already using, not apache.
> 
> Thanks in advance for any advice.  My apologies if my first 
> post is a little OT, but I figured there's probably no better 
> place to ask about the best webmail front end for Dovecot than here.
> 
> --
> Stan
> 



Re: [Dovecot] For the record: Postfix+Spamassassin+ClamAV+Dovecot

2009-06-01 Thread Egbert Jan van den Bussche
> -----Original Message-----
> From: dovecot-bounces+egbert=vandenbussche...@dovecot.org 
> [mailto:dovecot-bounces+egbert=vandenbussche...@dovecot.org] 
> On behalf of James Butler
> Sent: Friday 17 April 2009 20:58
> To: Dovecot Mailing List
> Subject: [Dovecot] For the record: 
> Postfix+Spamassassin+ClamAV+Dovecot
> 
> 
> Postfix 2.5.5
> SpamAssassin 3.2.5 (under Perl 5.10.0)
> ClamAV 0.95.1
> Dovecot 1.2.rc2
> 
> works fine on Fedora 10.
> 
> Installed Dovecot and ClamAV from source and everything else 
> using yum.
> 
> I'm using the ClamAV plugin for Spamassassin:  
> http://wiki.apache.org/spamassassin/ClamAVPlugin
> 
> I'm calling Spamassassin with:
> 
> /etc/postfix/main.cf:
> mailbox_command = /usr/bin/spamc -f -e 
> /usr/local/libexec/dovecot/deliver
> 
> Postfix hands off to Spamassassin, which processes ALL mail (not just
> attachments) through the ClamAV plugin before parsing for 
> spam, and then hands the whole mess off to Dovecot for 
> 'deliver' to handle.
> 
> How simple is that?
> 
> Since ClamAV scans all mail, it might be too 
> processor-intensive for really large mail systems, but it is 
> working great for our 120+ user system with lots of spam 
> coming in. If you're using Procmail or some other 
> preprocessor that can hand off to a pipe, then you could skip 
> the plugin and pipe messages over a certain size (i.e. >1024) 
> to clamd, instead.
> 
> Enjoy!
> 
> James

Hi!

Apologies for digging an old thread from the bin. I was wondering how this
relates to Amavisd? Should I regard the proposed plugin solution as a 'poor
man's' solution when one does not want to install amavis?

Thanks!
Egbert Jan (NL)




Re: [Dovecot] I've moved to US

2009-02-07 Thread Egbert Jan van den Bussche
That sounds like a very nice challenge, Timo! Don't forget to enjoy your
stay abroad too!

Egbert Jan (NL)

> -----Original Message-----
> From: dovecot-bounces+egbert=vandenbussche...@dovecot.org 
> [mailto:dovecot-bounces+egbert=vandenbussche...@dovecot.org] 
> On behalf of Timo Sirainen
> Sent: Friday 6 February 2009 23:58
> To: dovecot-n...@dovecot.org
> CC: dovecot@dovecot.org
> Subject: [Dovecot] I've moved to US
> 
> 
> I thought about saying this in v1.2.beta1 release 
> announcement, but looks like it'll take a few more days. So 
> I've moved to Blacksburg, Virginia and I'm now working for 
> Mailtrust the rest of this year. Here's some talk about it:
> 
> http://mailtrust.com/blog
> 
> (A bit stupid looking picture, but then again all my pictures 
> seem to be that way so I didn't bother getting a new one taken.)
> 
> And if it's not clear from that blog: Pretty much everything 
> I do here will be Dovecot improvements that will be released 
> as open source. Mailtrust has actually been paying for 
> Dovecot features for about 3 years now.
> 
> 



Re: [Dovecot] SSL cert problems.

2008-12-29 Thread Egbert Jan van den Bussche
Still strange that Verisign is not already in your cert. store. Most
browsers seem to have Verisign. I'm used to the fact that my CA (Cacert) is
not included, being a small free CA. I often have to import class3 and root
cert. which is not a big deal after all.
 
Only thing I can say about your problem is that the ---BEGIN CERTIFICATE---
line should be on a line of its own. It is a far shot but maybe it helps. We
are dealing with security stuff and all files (and permissions!) are very
strict. Your key file should be on 600.

Egbert Jan

-----Original Message-----
From: dovecot-bounces+egbert=vandenbussche...@dovecot.org
[mailto:dovecot-bounces+egbert=vandenbussche...@dovecot.org] On behalf of Geoff Sweet
Sent: Monday 29 December 2008 20:31
To: Dovecot Mailing List
Subject: Re: [Dovecot] SSL cert problems.


So my conf looks similar to yours:

# Disable SSL/TLS support.
#ssl_disable = no

ssl_cert_file = /etc/pki/dovecot/certs/pop.x10.com.cer
ssl_key_file =  /etc/pki/dovecot/private/pop.x10.com.key

# If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter.
#ssl_key_password =

# File containing trusted SSL certificate authorities. Usually not needed.
# The CAfile should contain the CA-certificate(s) followed by the matching
# CRL(s). CRL checking is new in dovecot .rc1
ssl_ca_file = /etc/pki/verisign/intermediate_ca.cer

# Request client to send a certificate.
#ssl_verify_client_cert = no

and the ssl_ca_file is a copy and paste from this:
http://www.verisign.com/support/verisign-intermediate-ca/extended-validation/index.html

Yet the cert still doesn't work.  And the OpenSSL people are telling me this
is an issue with my application, dovecot.

For reference this is all that is in
my /etc/pki/verisign/intermediate_ca.cer:



Like I said, just a copy and paste from the Verisign site.

Any thoughts?

-Geoff
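
The two checks suggested in the reply at the top of this message (PEM marker lines standing alone on their own line, key file at mode 600) can be run before restarting the server. This is an added example, not part of the original thread and not Dovecot code; the function names are this example's own and the PEM body is a constructed placeholder, not a real certificate.

```python
import base64, os, re, stat, tempfile

MARKER = re.compile(r"^-----(BEGIN|END) ([A-Z0-9 ]+)-----$")
# Constructed placeholder body: valid base64, but not a certificate.
BODY = base64.b64encode(b"constructed placeholder, not a real certificate").decode()

def pem_framing_problems(text):
    """List framing problems in PEM text; an empty list means the framing is sound."""
    problems, open_label, body, blocks = [], None, [], 0
    for n, line in enumerate(text.splitlines(), 1):
        m = MARKER.match(line)
        if m is None:
            if "BEGIN " in line or "END " in line:
                problems.append(f"line {n}: marker is not alone on its line "
                                "or lacks five dashes on each side")
            elif open_label is not None:
                body.append(line.strip())
            continue
        kind, label = m.groups()
        if kind == "BEGIN":
            if open_label is not None:
                problems.append(f"line {n}: BEGIN {label} inside unterminated {open_label}")
            open_label, body = label, []
        else:
            if open_label != label:
                problems.append(f"line {n}: END {label} without matching BEGIN")
            else:
                try:
                    base64.b64decode("".join(body), validate=True)
                    blocks += 1
                except ValueError:
                    problems.append(f"line {n}: body of {label} is not valid base64")
            open_label = None
    if open_label is not None:
        problems.append(f"unterminated {open_label} block")
    if blocks == 0 and not problems:
        problems.append("no PEM block found")
    return problems

def key_mode_problem(path):
    """Return a finding if the key file grants any group/other access, else None."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        return f"{path} has mode {mode:04o}; expected 0600 or stricter"
    return None

def demo():
    """Run both checks on constructed inputs and return the four results."""
    good = f"-----BEGIN CERTIFICATE-----\n{BODY}\n-----END CERTIFICATE-----\n"
    pasted = f"-----BEGIN CERTIFICATE-----{BODY}\n-----END CERTIFICATE-----\n"
    with tempfile.TemporaryDirectory() as d:
        key = os.path.join(d, "server.key")
        with open(key, "w") as fh:
            fh.write("constructed placeholder\n")
        os.chmod(key, 0o644)
        loose = key_mode_problem(key)
        os.chmod(key, 0o600)
        tight = key_mode_problem(key)
    return pem_framing_problems(good), pem_framing_problems(pasted), loose, tight

if __name__ == "__main__":
    for result in demo():
        print(result)
```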




Re: [Dovecot] SSL cert problems.

2008-12-26 Thread Egbert Jan van den Bussche
-----Original Message-----
From: dovecot-bounces+egbert=vandenbussche...@dovecot.org
[mailto:dovecot-bounces+egbert=vandenbussche...@dovecot.org] On behalf of Sahil Tandon
Sent: Thursday 25 December 2008 18:01
To: dovecot@dovecot.org
Subject: Re: [Dovecot] SSL cert problems.


Geoff Sweet wrote:

[Please do not top-post]

> Oh, ok once I added the -CAfile change the cert verifies without 
> issue.

That's because you installed the intermediate cert on your client; this
should not be required.

> openssl s_client -ssl3 -CAfile ~/intca.cer -connect pop.x10.com:995 -quiet
> depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
> verify return:1
> depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use
> at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server
> CA
> verify return:1
> depth=0 /C=US/ST=Washington/L=Renton/O=X10 Wireless Technology,
> Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa
> (c)05/CN=pop.x10.com
> verify return:1
> +OK Dovecot ready.
> 
> So does that mean I need to install the intermediate cert on all my 
> clients that will be accessing this server?  That's going to be a bit 
> of a PITA...

No, you need to properly install and configure dovecot to see the
intermediate cert on your server.  See:
http://www.verisign.com/support/advisories/page_040611.html

The article is quite dated, but might be helpful to you.

-- 
Sahil Tandon 

I use CACert free certificates (I'm a certifier myself) for my servers. In
Dovecot I use:

# Disable SSL/TLS support.
#ssl_disable = no

# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert_file = /etc/pki/tls/certs/server.crt
ssl_key_file = /etc/pki/tls/certs/server.key

# If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter.
#ssl_key_password =

# File containing trusted SSL certificate authorities. Usually not needed.
# The CAfile should contain the CA-certificate(s) followed by the matching
# CRL(s). CRL checking is new in dovecot .rc1
ssl_ca_file = /etc/pki/tls/certs/cacert_class3.crt

# Request client to send a certificate. If you also want to require it, set
# ssl_require_client_cert=yes in auth section.
#ssl_verify_client_cert = no

Server.cert and .key is the issued certificate and key.
I (mis)use the ssl_ca_cert parameter to insert the class3 certificate. 

Egbert Jan (NL)





Re: [Dovecot] spamassassin, postfix with dovecot lda?

2008-06-02 Thread Egbert Jan van den Bussche


George Mamalakis wrote:

Hi all,

I am trying to setup a mail server using postfix (virtual_mailboxes), 
spamassassin and dovecot, along with SQL where appropriate. From my 
research so far I realized that, for several reasons, it is required 
for me to use dovecot LDA instead of maildrop, local, procmail or 
other alternatives.


My configuration was working flawlessly, until spamassassin per-user 
configuration came to play. If I just wanted an MTA anti-spam gateway, 
I could directly call spamassassin via master.cf, or through some 
helper "content-filter-application" (like amavis or amavisd-new), and 
everything would work just fine (I tried and tested many such 
configurations with success). But when antispam per user preferences 
became my concern (Bayesian filters and classifier), I realized that 
spamd should be called by the LDA. With procmail this was a trivial 
issue, with dovecot-lda I was unable to find any solution on the web 
or other documentation.


So my question is as follows:
   Is there a way to call spamc from dovecot-LDA (and/or 
dovecot-sieve), or is there an alternate way to do this for a site 
with virtual mailboxes configured with dovecot-lda?


Thank you all in advance,

regards,



Hi George. You seem to have a similar setup as I have here. I found 
www.postfixvirtual.net most useful! Do have a look there.


I just had a 12 hour fight to get all running again after an upgrade from 
Mandriva 2008.0 to 2008.1. That should have been trivial but I had all 
sort of issues with amavisd missing perl modules. Well, finally solved 
that one again.


Egbert Jan (NL)


Re: [Dovecot] SSL certificate?

2008-01-31 Thread Egbert Jan van den Bussche

Bjørn T Johansen wrote:

When I install an SSL certificate, I can't find a config option to set 
configure the Server Certificate Chain
file...
Is this not possible or can I do it another way?
(When I connect, I am being told the Signature status is uncheckable...)


Regards,

BTJ

  

Hi Bjørn,

I use a CAcert certificate which uses a class 3 intermediate 
certificate. I have this configured in my dovecot.conf:


# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert_file = /etc/pki/tls/certs/server.crt
ssl_key_file = /etc/pki/tls/certs/server.key

# If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter.
#ssl_key_password =

# File containing trusted SSL certificate authorities. Usually not needed.
# The CAfile should contain the CA-certificate(s) followed by the matching
# CRL(s). CRL checking is new in dovecot .rc1
# gives cert errors when used... 2007112vbs
ssl_ca_file = /etc/pki/tls/certs/cacert_class3.crt

So I kind of 'misused' ssl_ca_file for it.

Egbert Jan