Re: Issue with one user only, exceeding connections
I think if IMAP IDLE is used you need one connection per folder. If I remember correctly at least either Thunderbird or K9 Mail (I'm using both too) use one connection per selected directory. Simply increasing the number of connections was the easiest solution as I only have very few users too.

Regards
Frank

On 8 June 2022 21:14:23 CEST, Jeremy Schaeffer wrote:
>I keep having this issue with one user, and I have to restart dovecot
>several times a day to clear it. What I have is a postfix / dovecot mail
>server (Centos 7) and about a dozen users. All mailboxes are imap ssl. I
>monitor about 4 mailboxes on my computer and tablet. I use Thunderbird
>on the computer (cache connections at 2) and K9 on the tablet, but one
>user of the four I keep getting "Maximum number of connections from
>user+IP exceeded" and I have the maximum at 50
>"(mail_max_userip_connections=50)" so it's hard for me to believe I am
>actually exceeding it unless dovecot/client is not dropping connections
>and keeps starting new ones until it reaches the maximum, but again,
>only for one user, even though I am monitoring 4 on the same devices.
>Any idea how to troubleshoot this? I don't know if I should be looking
>at dovecot or the clients, or what I need to look for. It's been going
>on since I put this server in use over a year ago. I also have issues
>with Outlook clients disconnecting, just outlook, is there any
>recommended settings to make Outlook work smoother?
>
>Thanks!
>- Jeremy
>
>Config -
>
># 2.2.36 (1f10bfa63): /etc/dovecot/dovecot.conf
># OS: Linux 3.10.0-1160.11.1.el7.x86_64 x86_64 CentOS Linux release 7.9.2009 (Core)
># Hostname: ***
>auth_mechanisms = plain login
>debug_log_path = /var/log/dovecot_debug.log
>first_valid_gid = 500
>last_valid_gid = 600
>last_valid_uid = 600
>listen = *
>mail_location = maildir:~/Maildir
>mbox_write_locks = fcntl
>namespace inbox {
>  inbox = yes
>  location =
>  mailbox Drafts {
>    special_use = \Drafts
>  }
>  mailbox Junk {
>    special_use = \Junk
>  }
>  mailbox Sent {
>    special_use = \Sent
>  }
>  mailbox "Sent Messages" {
>    special_use = \Sent
>  }
>  mailbox Trash {
>    special_use = \Trash
>  }
>  prefix = INBOX.
>  separator = .
>}
>passdb {
>  driver = pam
>}
>pop3_uidl_format = %f
>protocols = imap lmtp
>service auth {
>  unix_listener /var/spool/postfix/private/auth {
>    group = postfix
>    mode = 0660
>    user = postfix
>  }
>}
>service imap-login {
>  inet_listener imap {
>    port = 143
>  }
>  inet_listener imaps {
>    port = 993
>    ssl = yes
>  }
>  process_min_avail = 1
>  service_count = 0
>}
>service imap {
>  process_limit = 1024
>}
>service lmtp {
>  unix_listener lmtp {
>    mode = 0666
>  }
>}
>ssl = required
>ssl_cert = <***
>ssl_cipher_list = ECDHE-RSA-CHACHA20-POLY1305:ALL:!LOW:!SSLv2:!EXP:!aNULL
>ssl_key = # hidden, use -P to show it
>ssl_prefer_server_ciphers = yes
>userdb {
>  driver = passwd
>}
>protocol imap {
>  mail_max_userip_connections = 50
>}
>
--
This message was sent from my Android mobile phone with K-9 Mail.
Re: set up for Dovecot redundancy -- store on edge server only if link to backofc server is down, otherwise deliver to final dest?
Perhaps I misunderstood the constraints, but (for a low number of accounts) what would be wrong with simply fetching the mail on the local server from dovecot1 and delivering it to dovecot2 with IMAP idle to prevent delays? If the VPN link is down mail will stay on dovecot1. You could even configure a postponed deletion (hours or days) so you would be able to access recent mail if dovecot2 is down.

On 4 January 2021 14:52:20 CET, PGNet Dev wrote:
>I run Postfix + Dovecot.
>
>Currently, I've got a cloud-instance of Postfix that handles all the
>anti-spam/auth/routing.
>On successful 'pass', it resends email -- over a VPN link -- to a
>*local* Postfix instance, which then LMTP-delivers to a Dovecot
>instance on the same box.
>
>Works great.
>
>I'd like to set up some IMAP redundancy, so that if the VPN link is
>down for any reason, mail is stored/accessible, and -- eventually --
>correctly (re)delivered to the local Dovecot instance when the link's
>up again.
>
>The goal state I'm considering looks like:
>
>@cloud
>
>    Postfix
>    LMTP delivery from Postfix to "Dovecot1"
>
>@local
>
>    LMTP (re)delivery from "Dovecot1", @cloud, to "Dovecot2"
>
>IDEALLY, no IMAP mail should ever be persistently stored on the @cloud
>Dovecot instance -- unless the VPN link is down.
>Then, when the VPN link is up again, the @cloud-stored IMAP mail should
>be 'moved' to the @local instance.
>
>I.e., I do _not_ want a replicated store.
>
>My question is how transparent/automated can this be done?
>
>I'd guess that somewhere in Dovecot's config I need logic that provides
>the conditional delivery to just @cloud vs 'all the way' to @local ...
>
>Any suggestions as to how to put this VPN-conditional redundancy in
>place?
wrong Messages in virtual Folder
Hello,

I created a virtual Folder that should contain all Mails from several different Folders and their subfolders. Recently I added a new folder to the dovecot-virtual file and then found that most Mails from this folder were missing. I always restarted dovecot (is this necessary?) after any change. The system is running Debian Stretch and I am using the supplied dovecot 2.2.7 (see below for output of doveconf -n).

To narrow this down I removed all other directories from the dovecot-virtual file and then found that the number of mails is correct, but most mails are the wrong ones from other directories. The dovecot-virtual file currently contains only the source directory and in the last line 4 spaces followed by the keyword "all" and a newline. Mails that were moved there after the directory was added to the virtual folder seemed to be displayed correctly. If I move one Mail away from the source directory a totally different Mail in the virtual Folder disappears. After moving the file back to the source folder it correctly appears in the virtual folder.

What might be the cause and how can I fix it?

Thanks,
Frank

Output of "doveconf -n":

# 2.2.27 (c0f36b0): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.16 (fed8554)
# OS: Linux 4.9.0-11-amd64 x86_64 Debian 9.11 zfs
auth_verbose = yes
log_path = /var/log/dovecot.log
mail_location = maildir:/home/bananamail/Maildir:INDEX=/var/dovecot_indexes/%u
mail_plugins = " virtual fts fts_solr"
mailbox_list_index = yes
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace {
  location = virtual:~/Maildir/virtual
  prefix = _virtual.
  separator = .
  type = private
}
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = scheme=CRYPT username_format=%u /etc/dovecot/users
  driver = passwd-file
}
plugin {
  fts = solr
  fts_autoindex = yes
  fts_enforced = yes
  fts_solr = break-imap-search url=http://localhost:8080/solr/
  sieve = file:~/sieve;active=~/.dovecot.sieve
}
postmaster_address = postmaster@localhost
protocols = imap
service imap-login {
  inet_listener imaps {
    port =
    ssl = yes
  }
}
ssl = required
ssl_cert =
Re: Fast searching from android device with Dovecot/Maildir
I don't know the capabilities of gmail, but IMAP supports server side search which is quite fast if the Solr full text search plugin for dovecot is used (wiki.dovecot.org/Plugins/FTS/Solr). For debian "dovecot-solr" can be used. For Android K9-Mail does not really support server side search, Aquamail does and for other mail clients I don't know.

On 1 December 2019 22:18:37 CET, John Gateley via dovecot wrote:
>Hello,
>
>I am using dovecot as an imap server, mail is stored in mail
>directories.
>Configuration is below.
>
>One mail directory has about 14 Gb of mail in the inbox and .Sent
>directories.
>
>Searching from an Android phone with gmail is slow or doesn't work (it
>times out).
>
>Is there a configuration for Dovecot that can improve this? A better
>e-mail client
>for Android?
>
>Thanks,
>
>John
>
>
>root@giraffe:~# dovecot --version
>2.2.27 (c0f36b0)
>root@giraffe:~# doveconf -an
># 2.2.27 (c0f36b0): /etc/dovecot/dovecot.conf
># Pigeonhole version 0.4.16 (fed8554)
># OS: Linux 4.9.0-11-amd64 x86_64 Debian 9.11
>...
>mail_location = maildir:~/Maildir
>namespace inbox {
>  inbox = yes
>  location =
>  mailbox Drafts {
>    special_use = \Drafts
>  }
>  mailbox Junk {
>    special_use = \Junk
>  }
>  mailbox Sent {
>    special_use = \Sent
>  }
>  mailbox "Sent Messages" {
>    special_use = \Sent
>  }
>  mailbox Trash {
>    special_use = \Trash
>  }
>  prefix =
>}
>...
>protocols = " imap"
>...
--
This message was sent from my Android mobile phone with K-9 Mail.
clients out of sync after restoring backup
Hi,

due to a failing disk I had to restore everything from a backup including dovecot (2.2.22) and the Maildir containing the stored mails. A period of some days must later be restored manually, but that is beyond scope for this question.

Naturally this causes confusion for the clients as they keep mails that are no longer on the server. That was expected but what puzzles me is that mails arriving after the successful restore are only sporadically detected by some clients (e.g. K9 and Thunderbird) that were connected before the crash. A client that was connected for the first time after restoring from the backup works exactly as expected.

Might this situation lead to reusing UUIDs that some clients still remember as belonging to a different mail? Is there a clean solution for this on the server side or is it necessary to purge locally stored data by the clients (e.g. by temporarily removing account)?

Frank
--
This message was sent from my Android mobile phone with K-9 Mail.
Re: is a self signed certificate always invalid the first time?
On 11 August 2017 12:46:46 CEST, Ruben Safir wrote:
>On 08/10/2017 04:41 PM, Frank-Ulrich Sommer wrote:
>> I can't see any security advantages of a self signed cert. I
>
>then you fail to understand the history, like when Microsoft's certs
>were undermined because the third party authentication agency gave the
>keys to 2 guys that knocked on the door and asked for them...
>
>
>
>--
>So many immigrant groups have swept through our town
>that Brooklyn, like Atlantis, reaches mythological
>proportions in the mind of the world - RI Safir 1998
>http://www.mrbrklyn.com
>
>DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
>http://www.nylxs.com - Leadership Development in Free Software
>http://www2.mrbrklyn.com/resources - Unpublished Archive
>http://www.coinhangout.com - coins!
>http://www.brooklyn-living.com
>
>Being so tracked is for FARM ANIMALS and extermination camps,
>but incompatible with living as a free human being. -RI Safir 2013

Of course I know about this risk. But the only way to reduce it is to remove all preinstalled root CAs from all devices you use. It's more important whom your client trusts than who signed your cert. Using a self signed cert alone and still using a client with a huge list of preinstalled root CAs will be exactly as vulnerable as using a regular cert with this client. The client will accept a spoofed cert that was fraudulently obtained from one of those root CAs in both cases.

If you configure your client such that it only accepts certs that you manually added you could (theoretically and from a security standpoint) still use certs signed by an external CA that you add manually without compromising security. It's only important that you don't let someone else (e.g. the CA because it's easier...) generate your key pair but that you generate it yourself and only submit a certificate signing request.
Re: is a self signed certificate always invalid the first time?
I can't see any security advantages of a self signed cert. If the keypair is generated locally (which it should) a certificate signed by an external CA can't be worse just by the additional signature of the external CA. Better security can only be gained if all users are urged to remove all preinstalled trusted CAs from their mail clients (which seems impractical). Else an attacker could still use a fake cert signed by one of those CAs. Public key pinning could be an (academic) alternative and would still work with a cert signed by an external CA without restrictions.

If someone tells me to add security exceptions this rings all alarm bells. Users who are not experts should not get used to doing this as they soon will accept everything.

On 10 August 2017 21:40:25 CEST, Doug Hardie wrote:
>
>
>> On 10 August 2017, at 04:37, Alef Veld wrote:
>>
>> I completely agree (having said that I'm pretty new to all this so I might be full of it).
>>
>> You should run your own CA if you have an active financial interest in your company (say you're the owner). No added benefit to have your certificate certified by a third party, why would they care about that one client). Of course people would say "but of course you would verify your own certificate" but in that case they probably don't understand how it all works.
>>
>> Of course once your own company grows large you run the same risk of entropy (incorrect documentation or records, no trained staff, no up to date procedures etc.) large companies have to deal with. Maybe if you had one person working full time on it, or an automated process handling things it would be more secure and reliable.
>>
>> Was diginotar the Dutch company, I think I remember that one.
>>
>> Sent from my iPhone
>>
>>> On 10 Aug 2017, at 08:18, Stephan von Krawczynski wrote:
>>>
>>> On Wed, 9 Aug 2017 08:39:30 -0700
>>> Gregory Sloop wrote:
>>>
>>>> AV> So I’m using dovecot, and I created a self signed certificate
>>>> AV> with mkcert.sh based on dovecot-openssl.cnf. The name in there matches
>>>> AV> my mail server.
>>>> AV> The first time it connects in mac mail however, it says the
>>>> AV> certificate is invalid and another server might pretend to be me etc.
>>>> AV> I then have the option of trusting it.
>>>> AV> Is this normal behaviour? Will it always be invalid if it’s not signed
>>>> AV> by a third party?
>>>>
>>>> Yes. The point of a trusted CA signing your cert is that they have steps to "verify" who you are and that you're "authorized" to issue certs for the listed FQDNs. Without that, ANYONE could create a cert, and sign it and then present it to people connecting to your mail server [perhaps using a MITM style attack.] The connecting party would have no way to tell if your cert vs the attacker's cert was actually valid.
>>>>
>>>> It would be like showing up at the bank and having this exchange:
>>>>
>>>> You: "Hey, I'm Jim Bob - can I take money out of his account?"
>>>> Bank: "Do you have some ID?"
>>>> You: "Yeah! See, I have this plastic card with my picture and name, that I ginned up in the basement."
>>>>
>>>> Now does the bank say: "Yeah, that looks fine." or do they say "You know we really need ID [a certificate] that's authenticated and issued [signed] by the state [third-party/trusted CA.]."
>>>>
>>>> I think it's obvious that accepting your basement produced ID would be a problem. [Even if we also admit that while the state issued ID (or trusted CA signed certs) has some additional value, it isn't without potential flaws, etc.]
>>>>
>>>> The alternative would be to add your CA cert [the one you signed the server cert with] to all the connecting clients as a trusted CA. This way your self signed cert would now be "trusted."
>>>>
>>>> [The details are left as an exercise to the reader. Google is your friend.]
>>>>
>>>> -Greg
>>>
>>> This was exactly the global thinking - until the day DigiNotar fell.
>>> Since that day everybody should be aware that the true problem of a certificate is not its issuer, but the "trusted" third party CA.
>>> This could have been known way before of course by simply thinking about the basics. Do you really think your certificate gets more trustworthy because some guys from South Africa (just an example) say it is correct, running a _business_? Honestly, that is just naive.
>>> It would be far better to use a self-signed certificate that can be checked through some instance/host set inside your domain. Because only then the only one being responsible and trustworthy is yourself. And that is the way it should be.
>>> Everything else involving third party business is just bogus.
>>>
>>> --
>>> Regards,
>>> Stephan
>>>
>
>
>If you use a self-signed certificate, your users either have to accept
>the certificate when requested, or install your root certificate.
Re: Updated my Dovecot certificate for the first time
What would be the use of a self signed cert that is not automatically checked? If you see a warning how can you be sure that the cryptographic key used is correct? Just manually checking the common name displayed lowers the security to almost zero. A big additional disadvantage is that one gets used to ignoring security warnings.

Setting up a "CA" is quite easy and installing the new root certificate in the root store of the devices used is also quite easy.

I switched to a certificate from startssl and of course I generated the key pair on my own and transferred only the CSR (certificate signing request).

On 24 November 2016 16:37:48 CET, Steve Litt wrote:
>On Thu, 24 Nov 2016 07:52:51 +0100 (CET)
>Steffen Kaiser wrote:
>
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA1
>>
>> On Wed, 23 Nov 2016, Steve Litt wrote:
>>
>> >On Wed, 23 Nov 2016 16:04:22 -0600 (CST) Greg Rivers
>> > wrote:
>> >> $ strings $(whence alpine) | grep '^/.*certs$'
>> >> /etc/ssl/certs
>> >
>> > The directory or the certs isn't the problem. Alpine sees the
>> > self-signed cert I just made, but complains because it's
>> > self-signed, and gives me the choice between saying "yes" every
>> > time, and just not checking for certs at all.
>>
>> "sees the self-signed cert"?
>> Have you added it as trusted to the CA as Greg said and wrote what
>> to do?
>
>No. I don't want to deal with a third party "Trusted Party": I want it
>self-signed. What I was looking for was a way Alpine could be set to
>check for a cert, warn if the cert is conflicting, but not warn if it's
>self-signed.
>
>Thanks,
>
>SteveT
>
>Steve Litt
>November 2016 featured book: Quit Joblessness: Start Your Own Business
>http://www.troubleshooters.com/startbiz
--
This message was sent from my Android mobile phone with K-9 Mail.
Re: Moving Maildir folders
How did you verify that dovecot doesn't show these folders? Couldn't this be a client problem? In Thunderbird e.g. it might be necessary to update the list of displayed folders.

On 16 July 2016 19:07:39 CEST, Mark Foley wrote:
>On Sat, 16 Jul 2016 08:53:27 +0200 Luigi Rosa wrote:
>>
>> Mark Foley wrote on 16/07/2016 07:43:
>> > Our office had a user leave. Another user is taking over her duties and needs reference to the
>> > departing user's email. I've copied that entire departed user's Maildir structure to the current
>> > user:
>> >
>> > mv olduser/Maildir/.* curuser/Maildir/.olduser
>> >
>> > I did change permission and ownership on curuser/Maildir/.olduser to be the target user. I did
>> > not bring over the olduser/Maildir/dovecot* files (indexes, subscriptions, etc.) as I thought
>> > that would be bad.
>>
>> Maildir has no nested folders.
>>
>> If you want a subtree structure in maildir you must create each folder at the
>> first level
>>
>> in the new user you must have something like:
>>
>> .olduser.INBOX
>> .olduser.Sent
>> .olduser.Trash
>> .olduser.Drafts
>> .olduser.whatever
>>
>> Each directory with tmp, new, cur subdirs only (and dovecot files, of course)
>>
>>
>>
>> --
>>
>>
>> Ciao,
>> luigi
>>
>> /
>> +--[Luigi Rosa]--
>> \
>>
>> Understanding is a three-edged sword.
>> --Kosh, "Deathwalker"
>
>OK, I believe I've done as you suggested, but still nothing showing on the target user's mail
>client. Here's what part of the Maildir looks like with the 1st set of folders belonging to the
>target user and those beginning with .bpatterson from the old user. Does this look right as
>you've advised? Perhaps I need to do something else?
>
>.INBOX.Travel/
>.INBOX.UPS/
>.INBOX.US\ Bank/
>.INBOX.United\ Health\ Care-Employee/
>.INBOX.VRC/
>.INBOX.Website/
>.INBOX.Website.Mouse\ Pad\ Insert/
>.INBOX.iLink/
>.Junk\ E-mail/
>.Sent\ Items/
>.Templates/
>.bpatterson.Deleted\ Items/
>.bpatterson.Drafts/
>.bpatterson.INBOX.2011\ Investment\ Confirmation\ Responses/
>.bpatterson.INBOX.2011\ and\ 2012\ KCR\ Audit/
>.bpatterson.INBOX.2012\ Investment\ Confirmation\ Responses/
>.bpatterson.INBOX.2013\ Health\ Care\ Changes\ -\ Information/
>.bpatterson.INBOX.2013\ Investment\ Confirmation\ Responses/
>
>At the top level, the target user has (in email client):
>
>Inbox
>Drafts
>Templates
>Sent Items
>Junk E-mail
>Deleted Items
>
>I'm expecting to see "bpatterson" appear in that list.
>
>Thanks --Mark
--
This message was sent from my Android mobile phone with K-9 Mail.
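Added example, not part of the original posts: a shell function that turns the nested copy produced by the `mv` quoted above into the first-level Maildir++ names Luigi Rosa lists (`.olduser.INBOX`, `.olduser.Sent`, ...). The paths, the label `olduser` and the function name `flatten_maildir` are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: flatten a nested copy of another user's Maildir into
# first-level Maildir++ folder names (".olduser.INBOX", ".olduser.Sent", ...).
# The paths and the label "olduser" are hypothetical.
#
# usage: flatten_maildir NESTED_DIR TARGET_MAILDIR LABEL
#   NESTED_DIR      nested copy, e.g. curuser/Maildir/.olduser
#   TARGET_MAILDIR  the current user's Maildir, e.g. curuser/Maildir
#   LABEL           name the old mail should appear under, e.g. olduser
# Prints the number of folders moved; diagnostics go to stderr.
flatten_maildir() {
    fm_nested=$1
    fm_target=$2
    fm_label=$3
    fm_moved=0

    if [ ! -d "$fm_nested" ] || [ ! -d "$fm_target" ]; then
        echo "flatten_maildir: missing directory" >&2
        return 1
    fi

    # A cur/ directly inside the nested copy is the old user's INBOX.
    if [ -d "$fm_nested/cur" ]; then
        fm_dest="$fm_target/.$fm_label.INBOX"
        if [ -e "$fm_dest" ]; then
            echo "skip, already exists: $fm_dest" >&2
        else
            mkdir "$fm_dest"
            for fm_sub in cur new tmp; do
                if [ -d "$fm_nested/$fm_sub" ]; then
                    mv "$fm_nested/$fm_sub" "$fm_dest/$fm_sub"
                fi
            done
            fm_moved=$((fm_moved + 1))
        fi
    fi

    # Every dot-directory holding a cur/ is one folder: ".INBOX.Travel"
    # becomes ".olduser.INBOX.Travel" next to the target's own folders.
    for fm_dir in "$fm_nested"/.[!.]*; do
        [ -d "$fm_dir/cur" ] || continue
        fm_name=${fm_dir##*/}
        fm_dest="$fm_target/.$fm_label$fm_name"
        if [ -e "$fm_dest" ]; then
            echo "skip, already exists: $fm_dest" >&2
            continue
        fi
        mv "$fm_dir" "$fm_dest"
        fm_moved=$((fm_moved + 1))
    done

    # Remove the now-empty container; anything left needs a manual look.
    rmdir "$fm_nested" 2>/dev/null || echo "not empty, left in place: $fm_nested" >&2
    echo "$fm_moved"
}

# Run only when called with the three arguments.
if [ "$#" -eq 3 ]; then
    flatten_maildir "$@"
fi
```

Ownership of the moved directories still has to match the target user, and a client that lists only subscribed folders will not show the new names until they are subscribed.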
Re: Dovecot frequently full-text reindexes the whole maildir
Hi,

I'm not an expert, but am doing something similar (moving messages and training the spam filter). To detect the existence of new messages looking directly at the maildir can be a quick and dirty solution to get a trigger event. But to move or delete I think you should use 'doveadm' to search for all messages in your spam directory and get a list of all uids and guids. Then you can call doveadm again to move or delete the messages by id. Just look for "doveadm search/move/purge" in the dovecot wiki. This should ensure that the indexes stay up to date.

On 27 October 2015 11:24:39 CET, vita...@yourcmc.ru wrote:
>Hi!
>
>I'm using Dovecot 2.2.13 (Debian Jessie package 1:2.2.13-12~deb8u1) on
>my personal mail server (the address I'm writing from is on this
>server).
>
>I use Maildirs, I have fts + fts_squat enabled, and I have a problem
>with it for a long time - dovecot seems to not update the index always
>"incrementally".
>
>Yesterday I've finally made a test by telneting to imap port and
>issuing
>a search request. Dovecot started to reindex the mailbox. Full
>reindexing has taken around 15-20 minutes.
>
>After reindexing the fulltext searches were fast, just as they should
>be. And they were fast yesterday even after some new emails arrived.
>
>But I've tried to do a new search today and Dovecot started to reindex
>the whole maildir again!
>
>Why is it reindexing the whole maildir again? Could it be related to my
>
>anti-spam scripts removing messages from SPAM imap folder? And if yes,
>how to remove them correctly?
>
>--
>With best regards,
> Vitaliy Filippov
--
This message was sent from my Android mobile phone with K-9 Mail.
doveadm-search-query pattern format
Hello,

the doveadm-search-query documentation specifies a 'pattern' for many search keys. Unfortunately it does not mention the format specification of this pattern (special characters, wildcards, ...). I'm using dovecot 2.2.9 but also searched the current documentation on dovecot.org.

Where can I find further documentation concerning the exact specification of the pattern format?
modify message with doveadm?
Hello,

I'm using dovecot with getmail and spamassassin. To re-learn falsely detected mails I created two folders and use an external script that checks the corresponding maildir directories for changes (with inotifywait). The mails found in these directories are passed to sa-learn (to re-learn the correct classification) and then moved back to the inbox or the spam folder.

To access the mail I use "doveadm search" (to find all mails in the two folders), "doveadm fetch" (to get the text and pass it to sa-learn) and "doveadm move" (to move the mail to the correct location). This works as desired, except that a mail once marked as spam will forever be marked as such. Spamassassin has the -d option to remove the markup, but I need to replace the original mail with the cleaned version.

The only idea I got was deleting that mail and importing the cleaned one, but as I want to implement several "special" folders for further functionality with different IMAP clients I would prefer a "cleaner" solution. What would be the correct/best way to modify the mail body/header/text from an external tool?

Kind regards,
Frank