[Dovecot] Using different auth_default_realm on multiple sockets with postfix. Is it possible?

2013-02-19 Thread Gábor Lénárt
Hi,

I have several postfix smtpd instances (via master.cf) listening on different
ports, and the FW passes the inbound mail submission connections to the right
port. The problem: it seems postfix is not able to append a default realm,
and I need to set different values for the instances. As far as I see, it's
not possible, as postfix only passes the base64 encoded string from the user
to the dovecot auth service (as I'm using dovecot for sasl authentication).
We're talking about the PLAIN and LOGIN methods.

On the other hand, dovecot happily appends the realm with
auth_default_realm. It works (which postfix does not), but again: I need
more than one default. I wouldn't like to run multiple instances of dovecot (just
to have a single setting be different), so I've tried solutions like this:

service auth {
  unix_listener /var/spool/postfix/private/auth-dom1 {
    group = postfix
    mode = 0660
    user = postfix
  }
  auth_default_realm = domain1.com
}

And the same for /var/spool/postfix/private/auth-dom2 with domain2.com.

I thought I could then use postfix's master.cf to give each instance a different auth socket
(like /var/spool/postfix/private/auth-dom1 and auth-dom2) with the
smtpd_sasl_path postfix parameter.

However it seems dovecot finds auth_default_realm invalid unless it's used
in the global scope of the configuration.

It's dovecot 2.0.19 (in Ubuntu 12.04 LTS).

Is what I would like to do possible at all? Maybe with a newer dovecot, or
can you suggest some other solution?

Any feedback is welcomed and thanked.

Thanks,

- Gábor
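The post turns on one detail: postfix hands dovecot only the base64 SASL blob the client sent, so whatever appends "@realm" has to know which socket the blob arrived on. The following is an added example, not code from the post or from Dovecot or Postfix, that decodes a SASL PLAIN message as defined in RFC 4616 (authzid NUL authcid NUL password) and a LOGIN field, and applies a per-socket default realm the way auth_default_realm applies a single global one. The socket-to-realm table is a constructed assumption that stands in for the per-listener setting the post wanted; the realm comes from trusted configuration, never from the client data.

```python
import base64

# Constructed mapping for this example: which default realm belongs to which
# auth socket. In the post the realm was meant to live inside each
# unix_listener block; here it is a plain table keyed by socket path.
DEFAULT_REALMS = {
    "/var/spool/postfix/private/auth-dom1": "domain1.com",
    "/var/spool/postfix/private/auth-dom2": "domain2.com",
}


def encode_sasl_plain(authzid: str, authcid: str, passwd: str) -> str:
    """Build the base64 SASL PLAIN message (RFC 4616): authzid NUL authcid NUL passwd."""
    for field in (authzid, authcid, passwd):
        if "\x00" in field:
            raise ValueError("NUL is not allowed inside a PLAIN field")
    raw = b"\x00".join(f.encode("utf-8") for f in (authzid, authcid, passwd))
    return base64.b64encode(raw).decode("ascii")


def decode_sasl_plain(b64: str):
    """Decode a SASL PLAIN message; exactly two NUL separators are required."""
    raw = base64.b64decode(b64, validate=True)
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        raise ValueError("malformed PLAIN message: expected authzid NUL authcid NUL passwd")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    if not authcid or not passwd:
        raise ValueError("authentication identity and password must be non-empty")
    return authzid, authcid, passwd


def decode_sasl_login_field(b64: str) -> str:
    """LOGIN sends user name and password as two separate base64 strings."""
    return base64.b64decode(b64, validate=True).decode("utf-8")


def apply_default_realm(user: str, realm: str) -> str:
    """Append '@realm' only to a bare user name, as auth_default_realm does."""
    return user if "@" in user else f"{user}@{realm}"


def resolve_plain_login(socket_path: str, sasl_b64: str) -> str:
    """Which user name would be looked up for a PLAIN login arriving on socket_path."""
    realm = DEFAULT_REALMS[socket_path]
    _authzid, authcid, _passwd = decode_sasl_plain(sasl_b64)
    return apply_default_realm(authcid, realm)
```

Note that a user who already supplies "@some.domain" is left alone, so the per-socket realm only fills in what the client omitted; whether that is acceptable depends on whether users of domain1 should be able to name domain2 accounts at all.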


Re: [Dovecot] best way to activate quota

2012-09-12 Thread Gábor Lénárt
On Wed, Sep 12, 2012 at 01:28:58AM +0300, Timo Sirainen wrote:
> Activating quota is equally slow, because it needs to scan sizes of all
> files.  If the size is stored in maildir filename (,S=123) this is pretty
> fast, otherwise it's pretty slow because Dovecot stat()s the files, but
> afterwards it stores them to dovecot-uidlist file.  So the main difference
> is that Maildir++ requires rescanning the quota periodically, while dict
> quota never rescans unless you run doveadm quota rescan.

Ahaa, thanks for your answer.

But ... why is a rescan needed sometimes with maildir++? If I never touch the
maildir with other software (I even have maildir_very_dirty_syncs = yes),
just dovecot pop3/imap and incoming mails via dovecot's lmtp (no other MDAs,
not even the LDA, etc.), then why is it needed to rescan periodically with
maildir?  I don't really understand the difference that needs a quota
rescan with maildir++ but not with dict quota in the very same usage
environment otherwise.

Anyway I guess having dict quota with an SQL backend is not such a bad idea: I
would be able to check incoming mails (at the MXs) for whether the target user will have
enough space to hold the mail, by using the mail size and quota usage (from
the SQL that dict quota uses as well) on the MXs, using e.g. a postfix policy server
... So I won't generate ugly NDRs later, after accepting mails. Not 100%
accurate (quota usage may change while the mail reaches dovecot) but at least it
will stop the majority of those quota related NDRs I have problems with
currently.

The only thing which keeps me away from dict quota with an SQL backend is that it
needs much more complex stuff than simply using maildir++ quota, but it's
maybe only my laziness ...

thanks again.
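The idea in the post, a policy check at the MX that consults the same usage figures the dict quota keeps in SQL, can be sketched in a few lines. This is an added example, not code from the post or from Postfix or Dovecot: it parses one request in the Postfix policy delegation format (name=value lines ending in an empty line), looks the recipient up in a constructed in-memory table that stands in for the SQL quota table, and answers in the same format. The quota figures, addresses and the reply text are assumptions for the example.

```python
from typing import Dict, Tuple

# Constructed quota table for this example, standing in for the SQL table that
# the dict quota backend keeps current: user -> (bytes used, limit in bytes).
QUOTA_TABLE: Dict[str, Tuple[int, int]] = {
    "alice@example.com": (900_000_000, 1_000_000_000),
    "bob@example.com": (10_000_000, 1_000_000_000),
}

REJECT_FULL = "552 5.2.2 Mailbox is full"


def parse_policy_request(blob: str) -> Dict[str, str]:
    """Parse one Postfix policy delegation request: 'name=value' lines, terminated by an empty line."""
    attrs: Dict[str, str] = {}
    for line in blob.split("\n"):
        if line == "":
            break
        name, sep, value = line.partition("=")
        if not sep or not name:
            raise ValueError(f"malformed attribute line: {line!r}")
        attrs[name] = value
    return attrs


def quota_decision(attrs: Dict[str, str], table=QUOTA_TABLE) -> str:
    """Advisory check at RCPT time: reject only when the declared size clearly does not fit."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    recipient = attrs.get("recipient", "").lower()
    try:
        size = int(attrs.get("size", "0"))
    except ValueError:
        return "DUNNO"
    if size <= 0:
        # At RCPT time the size is only what the client declared with SIZE= in
        # MAIL FROM; without it there is nothing to check and LMTP decides later.
        return "DUNNO"
    entry = table.get(recipient)
    if entry is None:
        return "DUNNO"  # unknown recipient: leave that to recipient validation
    used, limit = entry
    if used + size > limit:
        return REJECT_FULL
    return "DUNNO"


def policy_response(action: str) -> str:
    """Wire form of the reply: a single action attribute followed by an empty line."""
    return f"action={action}\n\n"


def handle_request(blob: str, table=QUOTA_TABLE) -> str:
    return policy_response(quota_decision(parse_policy_request(blob), table))
```

Two caveats match the post's own "not 100% accurate": the size a client declares in SIZE= is not verified until end of data, and the usage figure may move between the MX decision and delivery, so the final enforcement still has to happen in dovecot's LMTP; the policy check only removes the bulk of the avoidable bounces.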


[Dovecot] question on doveadm user and pass/userdb

2012-09-12 Thread Gábor Lénárt
Hi,

I'm getting to know dovecot in detail, and I'm now at the command
doveadm user. The man page shows this example:

userdb: jane
 uid   : 8001
 gid   : 8001
 home  : /home/jane
 mail  : sdbox:~/sdbox
 plugins   : sieve
 quota_rule: *:storage=150M

It seems to be nice, however I only ever get this:

~# doveadm user lgb@office
userdb: lgb@office

That's all. The dovecot test configuration works otherwise via
IMAP/POP3/LMTP nicely.

What I guess is that the lack of extra information (which would be needed by
some scripts of mine, e.g. for getting the user's home easily from shell scripts,
as it's hash based, etc.) is caused by me not passing home (and/or other
settings) back from userdb and/or passdb.

However I do have these in global scope:

mail_home = /mailstorage/%Ld/%Ln
(yes, this is not hashed at all at the moment but it will be soon)
mail_location = maildir:~/Maildir
mail_uid = vmail
mail_gid = vmail
(... and also some global quota stuff configured in the plugin section)

Now, I am a bit confused: even when passdb/userdb do not return the user's
home or GID/UID, dovecot knows these in the case of pop3/imap/lmtp access, since
this information can be composed from those settings.

But then, wouldn't it be possible for doveadm user to show those as well, like
lmtp/pop3/imap can resolve them too?

Honestly, it's a bit redundant to put the needed information into user and pass
attrs in every db (I have some) when dovecot knows those otherwise ...

If I interpret doveadm user's goal wrong (it's just a userdb/passdb
query tool, nothing more), is there any tool which works in this config,
displaying extra information (at least the user's home), or should I create some
script which just repeats the functionality of dovecot's configured
mail_home resolution?

Thanks.
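The last question, a script that repeats the mail_home resolution, is easy to get wrong in one security-relevant way: the user name becomes a path component. The following is an added example, not code from the post or from Dovecot, that expands the %u/%n/%d variables with the L and U modifiers used in the post's mail_home (a subset of Dovecot's variable syntax), applies a default domain to a bare name the way auth_default_realm would, resolves the "~/" in mail_location against the computed home, and refuses any component that contains a slash or is "." or "..". The default-domain handling and the path-safety check are additions for this example, not a description of what dovecot does internally.

```python
import re

# Variables handled by this example (a subset of Dovecot's config variables):
# %u full user, %n local part, %d domain; modifier L lowercases, U uppercases.
_VAR = re.compile(r"%([LU]?)([und])")


def split_user(user: str, default_domain: str = ""):
    """Split 'local@domain'; a bare name gets default_domain, as auth_default_realm does."""
    local, sep, domain = user.partition("@")
    if not sep:
        domain = default_domain
    return local, domain


def _path_safe(component: str) -> str:
    """Added check: a value that becomes a path component must not escape the tree."""
    if component in ("", ".", "..") or "/" in component or "\x00" in component:
        raise ValueError(f"unsafe path component {component!r}")
    return component


def expand(template: str, user: str, default_domain: str = "") -> str:
    """Expand a path template such as /mailstorage/%Ld/%Ln for the given user."""
    local, domain = split_user(user, default_domain)
    values = {"u": f"{local}@{domain}" if domain else local, "n": local, "d": domain}

    def repl(m):
        mod, var = m.group(1), m.group(2)
        value = values[var]
        if mod == "L":
            value = value.lower()
        elif mod == "U":
            value = value.upper()
        return _path_safe(value)

    return _VAR.sub(repl, template)


def resolve_mail_location(location: str, home: str) -> str:
    """Replace a leading '~/' in the location path (after the 'driver:' prefix) with the home."""
    driver, sep, path = location.partition(":")
    if sep and path.startswith("~/"):
        path = home.rstrip("/") + path[1:]
    return f"{driver}{sep}{path}"


def user_home(user: str, mail_home: str = "/mailstorage/%Ld/%Ln", default_domain: str = "") -> str:
    return expand(mail_home, user, default_domain)
```

Keeping the expansion in one function also means the later switch to a hashed layout mentioned in the post is a one-line change to the template rather than an edit in every script.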


Re: [Dovecot] dsync issue: Server sent invalid input: Error parsing input: Unexpected ')'

2012-09-11 Thread Gábor Lénárt
Hi,

On Tue, Sep 11, 2012 at 08:47:23PM +0300, Timo Sirainen wrote:
[...]
> > Is it possible that the problem about ')' is caused by this line?
> 
> I'm not sure if it's because of that line, but there are ways to make it
> break with that error message. These fix it:

I just guessed it was, as the error msg was "server sent invalid input" but
the only input from the server according to tcpdump was that line.  For sure
it's only my oversimplified logic now :)
> 
> http://hg.dovecot.org/dovecot-2.1/rev/382df961f290
> http://hg.dovecot.org/dovecot-2.1/rev/245fe7fd6f00

Thanks, Timo! With these patches the problem does not show up (honestly,
just a quick test after patching/rebuilding, but it seems to work now).

Fatal: Mail locations must use the same virtual mailbox hierarchy separator
(specify separator for the default namespace)

Now I get this, but imho this is a totally different issue (mine, not
dovecot's) and I will take care of that later.

Thanks for your help again!


Re: [Dovecot] best way to activate quota

2012-09-11 Thread Gábor Lénárt
On Tue, Sep 11, 2012 at 07:20:02PM +0300, Timo Sirainen wrote:
> On 7.9.2012, at 13.11, Angel L. Mateo wrote:
> 
> > Hello,
> > 
> > I'm planning to activate quota control in dovecot, with maildir quota
> > backend. I have about 70k users in my system directed to 4 backend servers
> > (with a director to ensure that a user is always directed to the same
> > server).
> > 
> > I have tried to activate it in one of my nodes. The problem is that
> > the load of it has increased a lot, so much that the system was unusable (maildir
> > is in nfs storage, with indexes in local disks).
> > 
> > What do you think is the best way to activate it?
> 
> Use dict-file quota instead of Maildir++ quota.
> 

Sorry to jump into this topic, but can I ask why? Is dict quota superior
to Maildir++ quota in performance in general, or is it only about the
fact that it's better in a case like the above: activating the quota for many
users later than the creation of the server itself?

The question is interesting for me as well, as I need to implement quota
with maildir (on NFS).


[Dovecot] dsync issue: Server sent invalid input: Error parsing input: Unexpected ')'

2012-09-10 Thread Gábor Lénárt
Hi,

I'm trying to use dsync (dovecot version 2.1.9) for IMAP only per-user
migration from other IMAP servers to my shiny new one.  One worked quite
well, but there is a problem with an old IMAP server:

dsync(migtest@office): Debug: imapc(imap-sunw-old.servers.intra:143): Looking 
up IP address
dsync(migtest@office): Debug: imapc(imap-sunw-old.servers.intra:143): 
Connecting to 192.168.10.100:143
dsync(migtest@office): Error: imapc(imap-sunw-old.servers.intra:143): Server 
sent invalid input: Error parsing input: Unexpected ')'
dsync(migtest@office): Debug: imapc(imap-sunw-old.servers.intra:143): 
Disconnected
dsync(migtest@office): Error: imapc: Command failed: Disconnected from server
dsync(migtest@office): Error: user migtest@office: Initialization failed: 
Initializing mail storage from mail_location setting failed: imapc: LIST 
failed: Internal error occurred. Refer to server log for more information. 
[2012-09-10 11:49:02]
dsync(migtest@office): Fatal: User init failed

What can cause this? A manual test with telnet says:

dovecot-test:~$ telnet imap-sunw-old.servers.intra 143
Trying 192.168.10.100...
Connected to imap-sunw-old.servers.intra.
Escape character is '^]'.
* OK [CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS
CHILDREN BINARY UNSELECT SORT LANGUAGE XSENDER X-NETSCAPE XSERVERINFO
X-SUN-SORT X-SUN-IMAP X-ANNOTATEMORE X-UNAUTHENTICATE XUM1 AUTH=PLAIN]
imap-sunw-old.servers.intra IMAP4 service (Sun Java(tm) System Messaging
Server 6.3-5.02 (built Oct 12 2007; 32bit))

(this is one line of course)

Is it possible that the problem about ')' is caused by this line? Or is it
a totally different issue? I just think this, because the major difference
between this and the working server on migration is having ')' and '('
in the imap greeting; the working server does not have those, and the
error message is about something with ')'.

The command was the following (no configuration in dovecot for this, only
this command is given at shell level, currently mainly for testing if it
works or not):

doveadm -D -v -o imapc_features=rfc822.size \
-o imapc_host=192.168.10.100 \
-o imapc_user=migtest@office -o imapc_password=SECRET backup -R -f \
-u migtest@office imapc:

This was OK with a dovecot v1 as the source (as I've written) but has the
problem I've described with that old sun messaging server as the source.

I've also used tcpdump then wireshark's follow TCP stream on it: the
communication seems to be just that greeting line, then my (target)
dovecot sends FIN.

That old server has otherwise worked for years with various IMAP clients.

The log of my server does not contain much, just the db lookups, which
work nicely (the same for working and non-working source IMAP servers):

Sep 10 11:49:02 dovecot-test dovecot: auth: Debug: prefetch(migtest@office): 
passdb didn't return userdb entries, trying the next userdb
Sep 10 11:49:02 dovecot-test dovecot: auth: Debug: ldap(migtest@office): user 
search: base=cn=mail,dc=office,dc=intra scope=subtree 
filter=(&(objectClass=mailUser)(uid=migtest@office)) fields=uid
Sep 10 11:49:02 dovecot-test dovecot: auth: Debug: ldap(migtest@office): 
result: uid=migtest@office

Any help is welcome,

- Gábor
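The greeting in the telnet transcript is the only data the source server ever sent before the connection was dropped, so it is worth seeing what a conforming reader makes of it. This is an added example, not code from the post, from Dovecot's imapc or from the Sun server: it parses an untagged IMAP greeting per RFC 3501 (status, optional [CAPABILITY ...] response code, then free-form text), treating everything after the closing bracket as opaque text in which parentheses are ordinary characters rather than list delimiters. The greeting constant is the one from the post, joined into the single line it really is; the comparison functions are assumptions for the example.

```python
# The greeting shown in the post, reassembled into one line.
SUN_GREETING = (
    "* OK [CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS "
    "CHILDREN BINARY UNSELECT SORT LANGUAGE XSENDER X-NETSCAPE XSERVERINFO "
    "X-SUN-SORT X-SUN-IMAP X-ANNOTATEMORE X-UNAUTHENTICATE XUM1 AUTH=PLAIN] "
    "imap-sunw-old.servers.intra IMAP4 service (Sun Java(tm) System Messaging "
    "Server 6.3-5.02 (built Oct 12 2007; 32bit))"
)

GREETING_STATUSES = ("OK", "PREAUTH", "BYE")


def parse_greeting(line: str):
    """Parse an untagged IMAP greeting: '* OK [CAPABILITY ...] free text'.

    Returns (status, capabilities, text). Capabilities are upper-cased because
    they are case-insensitive. Everything after the optional [...] response code
    is human-readable text, so '(' and ')' in it carry no structure."""
    line = line.rstrip("\r\n")
    if not line.startswith("* "):
        raise ValueError("greeting must be an untagged response")
    status, _, rest = line[2:].partition(" ")
    status = status.upper()
    if status not in GREETING_STATUSES:
        raise ValueError(f"unexpected greeting status {status!r}")
    capabilities = []
    if rest.startswith("["):
        end = rest.find("]")
        if end == -1:
            raise ValueError("unterminated response code")
        words = rest[1:end].split()
        rest = rest[end + 1:].lstrip(" ")
        if words and words[0].upper() == "CAPABILITY":
            capabilities = [w.upper() for w in words[1:]]
    return status, capabilities, rest


def auth_mechanisms(capabilities) -> set:
    """The SASL mechanisms advertised as AUTH=<name> in the capability list."""
    return {c[5:] for c in capabilities if c.startswith("AUTH=")}
```

One thing the parsed capability list makes visible: the old server advertises AUTH=PLAIN on port 143, and the doveadm command in the post passes the password on the command line with no TLS setting, so during a migration like this the credentials cross the network in the clear unless imapc_ssl is configured on the dovecot side.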


[Dovecot] different userdb and/or passdb for lmtp and pop3/imap?

2012-09-05 Thread Gábor Lénárt
Dear All,

I have a bit of a complex question about LDAP based user/passdb with some twists
caused by the LDAP schema I have to use. It's complex for me at least, since
it's my first time trying to set up any dovecot install which is more than a
trivial thing, e.g. for some unix system users.

What I'd like to do:

Users are stored in LDAP with the following schema:

storageMailUid:

  contains the user's uid in x@z format, and it CAN be different from the
  mail address. This value is used to login (pop3/imap) and to
  get the maildir path (well, home) in the form of /mailstorage/z/x/ regardless
  of the value of the mail attribute. If the @z part is missing (I mean in
  the user supplied login, not the LDAP!), some default value (example.com)
  should be used (I guess that's easy: auth_default_realm may be
  enough, isn't it?). It is NOT possible to login via pop3/imap with mail,
  only with storageMailUid! This storageMailUid can specify a string
  which is not even an existing mail address, of course.

mail:

  contains the user's mail address, or even mail addresses (there
  can be more mail addresses - more mail ldap attributes - for
  a single ldap entry). This attribute cannot be used
  for pop3/imap login, nor does it count for resolving the maildir path;
  it only counts when a mail is received: the location of the
  user's maildir must be derived from storageMailUid.

storageMailQuota: 

  it contains the quota value (in bytes) for the given user, which
  should be enforced on receiving mail, or by using IMAP (not
  counting the Trash folder which is a fixed size for all users
  and it must be handled outside of this).

All user maildirs have the same fixed unix UID/GID, which is not stored
in LDAP, but must be configured statically. The home directory of the user
is also not stored in LDAP; it must be derived from the storageMailUid LDAP attribute.

Mails are received via LMTP only.

I'd like to use the prefetch userdb to minimize the amount of LDAP lookups (however
I can live without that).  I am unsure if auth_bind is OK or should not
be used; currently I'd like to play with auth_bind, since it worked well before
on other servers.

I'm totally lost with the user_attrs/pass_attrs to create this kind of
configuration. In the case of a static userdb, it was easy to set up:

passdb {
  args = /etc/dovecot/dovecot-ldap-passdb.conf
  driver = ldap
}
userdb {
  args = uid=vmail gid=vmail home=/mailstorage/%Ld/%Ln
  driver = static
}

With this, pop3/imap worked (quota was not in scope yet, though),
however lmtp does not (passdb doesn't support lookups, so it can't verify the user's
existence, which is odd for me, as userdb does not support it either in my
opinion).

Please give some suggestions on how to set up userdb and passdb to support
this configuration so that it works with the described scenario. I should also
set iterate_filter and iterate_attrs I guess, so some doveadm commands
can work then (-A stuff, I guess).

I am also not sure if auth service should be used or not (I mean extra
configuration related): since I want LMTP not LDA, I guessed I don't need
it, but I am not sure.

I am also confused, because on receiving a mail (via LMTP) a different
kind of LDAP lookup is needed: then mail must be searched, but it's a
storageMailUid based lookup in the case of a pop3 or imap login ... Is it
possible to give different userdb/passdb for lmtp and pop3/imap?

In theory it's even possible to have x...@example.com as mail and y...@example.com
as storageMailUid for one user, and the opposite for another, so lookups
cannot be done together for mail and storageMailUid.

The LDAP schema/rest of the system works this way, not an option to change.

Any help is greatly welcomed.

Thanks a lot in advance,

Gábor


Re: [Dovecot] Sieve/pigeonhole rejects email addresses for valid UNIX users

2012-08-22 Thread Gábor Lénárt
On Wed, Aug 22, 2012 at 06:45:17PM +0300, David Anderson wrote:
> There are no incoming mail accounts for those users.  The server in
> question is a webserver. Every website has a unique UNIX user, for
> security when running scripts. You can't virtualise that. If you run
> all your scripts under the same UNIX user on a shared server, then
> it's less secure.
> 
> Sieve was complaining about the envelope *sender* address being
> invalid, on a piece of outgoing mail (generated by the website). It
> wasn't about incoming mail or maintaining accounts.

I guess what an RFC says about email address syntax is a valid rule for both
sender _and_ recipient. Mails are usually filtered to check they are valid;
for example a *sender* like the one you mentioned as an example would not be able to
send mails to our ISP, since the syntax of the sender address is checked on the MX
MTAs as well. So I don't see much point in sending mails with an invalid (by
RFC) sender, as most mail software and/or MTA admins' configuration will
reject it, as with your example; check the subject of your mail. I
guess it's a valid decision to reject these.

But _again_: I can be wrong here.

> That's a bit academic, though. I think the main points are that:
> 
> * Many Unixes allow you to set up usernames ending in periods
> * The MTAs also allow you to send and receive mail using those periods
> 
> Strictly according to the RFC, the address is invalid. But if the
> MTA accepts it, why should sieve reject it? Sieve is deployed to

Which MTA? Our ISP would reject those, for example. It's a matter of the kind
of MTA, and also its configuration, but since the RFC
says that's invalid, it's not so surprising that some people and/or mail
related software decide not to accept it. For sure, there can be
software/configs which allow it. It clearly shows that it's better to
avoid addresses which are often handled as invalid (but not always, it
depends, yes), especially if the standards say they are invalid as well.

> apply filters to mail - not to make policy decisions on valid email
> addresses. That's a layering violation.

Well, it's a bit out of the scope of my intent, also I am not interested in starting a
flame war or so :) I just wanted to point out that it's anyway a very bad
idea to use invalid addresses, even if it can be said to be true that sieve
should not reject things if it's the MTA's job ... The basic idea is the same:
why do you want to use them, if there are problems with these anyway, and
sooner or later you will hit a rejection, even if sieve is fixed not to
make this decision as well. Creating a system which uses things known to be
invalid (even if it works locally, or other similar examples) is a
good sign of introducing interesting and hard-to-track-down problems
later, maybe only in the more distant future.

I can't say anything about sieve itself, to be honest, anyway, and your
suggestion that it must be fixed or not.

Again, sorry if someone treated my mail as OT/flame/whatever.
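The disagreement above is about what "invalid" means for a local part such as a UNIX user name ending in a period. The following is an added example, not code from the thread, from Sieve or from Pigeonhole, that checks an address against the unquoted dot-atom form of RFC 5321 (atext words separated by single dots, so no leading, trailing or doubled dots) plus the 64-octet local-part limit and a plain hostname check for the domain. It deliberately does not accept the quoted-string local part that the RFC also allows, because the thread is about bare user names; the sample addresses are constructed.

```python
import re

# atext from RFC 5322 section 3.2.3: the characters allowed in an unquoted local part.
_ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
_DOT_ATOM = re.compile(rf"^{_ATEXT}+(?:\.{_ATEXT}+)*$")
# One hostname label: 1-63 characters, letters/digits/hyphen, not starting or ending with a hyphen.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_DOMAIN = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")


def check_address(addr: str):
    """Return (ok, reason) for an address in local@domain form.

    Only the dot-atom local part is accepted; a quoted-string local part such as
    "www.example."@host is syntactically allowed by RFC 5321 but not handled here."""
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        return False, "address must be local@domain"
    if len(local) > 64:
        return False, "local part longer than 64 octets"
    if not _DOT_ATOM.match(local):
        if local.startswith(".") or local.endswith(".") or ".." in local:
            return False, "a dot may not start or end the local part or be doubled"
        return False, "local part contains characters outside atext"
    if len(domain) > 255 or not _DOMAIN.match(domain):
        return False, "domain is not a valid dot-separated hostname"
    return True, "ok"


def is_valid_address(addr: str) -> bool:
    return check_address(addr)[0]
```

Run over the case from the thread, a sender whose user name ends in a period fails with the dot reason, which is the check an MX applying the RFC strictly would make; a site that wants to keep such UNIX users can still give each one a rewritten, RFC-clean envelope sender at the MTA rather than relying on every downstream filter being lenient.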


Re: [Dovecot] Temporary files

2010-07-15 Thread Gábor Lénárt
On Wed, Jul 14, 2010 at 09:34:52PM +0100, Timo Sirainen wrote:
[...]
> So why was the move made in the first place? Because a) some people had
> small (maybe ramfs) /tmp and Dovecot was eating it all up and b) to

On Solaris, this is the situation, though it's not called ramfs but:

l...@hydra:/tmp$ uname -a
SunOS hydra 5.10 Generic_141444-09 sun4v sparc SUNW,Sun-Fire-T200
l...@hydra:/tmp$ df -h .
Filesystem              size   used  avail capacity  Mounted on
swap                     16G     0K    16G     0%    /tmp
l...@hydra:/tmp$ swap -l
swapfile                    dev  swaplo   blocks     free
/dev/zvol/dsk/rpool/swap  256,1      16 33554416 33554416

Yes, this machine has some RAM and enough swap zvol as well, but still there
can be machines with less resources too, and in Solaris /tmp is not a
normal filesystem anyway ...

/var/tmp is available though, and it's a normal filesystem ...


Re: [Dovecot] best choice of user database file to work with postfix?

2010-04-23 Thread Gábor Lénárt
On Wed, Apr 21, 2010 at 01:45:35PM -0400, Phil Howard wrote:
> > Then I think MySQL will do the job. Both postfix and dovecot support MySQL,
> > and you can use SASL to authenticate SMTP with Dovecot, so Dovecot would do
> > all the auth work. Finally, you could use Postfix's VDA patch if you want to
> > use Maildir++.
> > 
> > Hope this helps.
> > 
> 
> I don't want to use any other server engine of any kind with this.  I'm
> trying to keep it small and lean, and minimize what the people that have to
> monitor and fix it need to know.  So at the present time, I am excluding all
> databases like any SQL or LDAP or anything else that needs to run as a
> daemon/engine/service.

Aham, yes, but as soon as you need some management interface, like a web
based one, it will be more and more complicated to deal with this decision:
you must edit/generate those files with that interface, care about locking
because of the possibility of multiple admin accesses at the same time, you
must parse them when you want to show the user list and so on. Sure, if you
are very sure that it's not a need and it won't be either, then maybe you're
right about keeping a minimal solution, but based on my experience at an
ISP, it's always the situation that sooner or later somebody wants to extend
the usage of a system, which sooner or later needs to use some kind of
database to avoid the complexity of dealing with local databases as flat
files or other solutions (or keeping them as system users).


Re: [Dovecot] Disconnected: Too many invalid IMAP commands

2009-09-23 Thread Gábor Lénárt
On Mon, Sep 21, 2009 at 01:24:27PM +0300, Timo Sirainen wrote:
> I guess I should mention that I don't really mind people asking
> questions when they're using an old version, but if it's a bug
> report there's a good chance the answer is then upgrade.

Indeed, thanks for the patience and sorry for my off-topic level; as I was a
developer too (mplayer for example) I know it's quite hard to do anything
with bug reports about old (and/or even obsolete) versions when the
development/bug fixing is done on the current branch ...


Re: [Dovecot] Disconnected: Too many invalid IMAP commands

2009-09-21 Thread Gábor Lénárt
On Fri, Sep 18, 2009 at 11:03:48PM +1000, Noel Butler wrote:
> The problem however is many people very dangerously and wrongly consider
> that their beloved favourite distro package, is in fact the current
> stable and the only one that exists. I'm horrified by the number of
> people responsible for servers that wont use anything but an rpm or a
> deb, they simply refuse to use the source, even though its current and
> stable, far more so than that rpm/deb file at like 3 years out of date,
> and they have the nerve to get narky at you for not helping them *sigh*

Well, I can agree otherwise, but I can understand them too: they use (or even
bought with support) a distribution to have a solution; otherwise they would
be able to use their own distro, compiling everything from source (hmm, gentoo?).
The problem is that if they use much software and all of its makers say
"use a newer one", soon they would find themselves compiling
_everything_ (the kernel itself too, soon, if it's based on an OS with an open
source kernel at least) from source, and maybe they don't want this,
especially not with dozens of servers with their own management tools, and so
on. But otherwise fully agreed, I'm using most server software compiled
from source :) I just tried to understand the other opinion too. Hopefully
it was not highly off-topic here to tell this. [But it's also true that if
they want the distributor's packages, they should ask for help from them
maybe, because developers are focusing on the up-to-date versions and also
the next development ones, but not very old ones, even those patched by distributors
with custom and/or backported patches ...]


Re: [Dovecot] dovecot sieve sends vacation messages with null envelope sender

2008-08-12 Thread Gábor Lénárt
Hi,

On Tue, Aug 12, 2008 at 08:26:28AM -0600, CJ Keist wrote:
> I understand the concept of having the from empty, namely to keep

It's not just a concept but a rule set by some RFCs.

> another automated system from replying back to your vacation reply, but
> what do we do to keep our vacation replies being canned by anti-spam
> systems??  Maybe this should be a option in the configuration file to

Then those systems violate RFCs, because it's compulsory to accept the null
originator. There is even a DNS based list which tries to block domains (of
course only if you use it in your MTA) that don't accept it.

http://www.rfc-ignorant.org/policy-dsn.php

Also NDRs (bounces) come with the null originator, so rejecting them makes
the concept of e-mail partly dead (the sender will not be notified that her/his
mail cannot be delivered. Yes, of course it's a good idea to try to avoid
accepting mails and THEN sending back NDRs, but ...)

-- 
- Gábor


Re: [Dovecot] solaris 10 + dovecot (1)

2007-03-14 Thread Gábor Lénárt
Re,

On Wed, Mar 14, 2007 at 02:26:53PM +, aza zel wrote:
> like other suggest me, the cause of problem is that i not have much space in
> /  (i think that 4.4gb is a lot of space but i wrong)
> so, i move to /export/home where i have space and try again and i not have
> any problems.
> about memory... i don't remeber how much i have but swap have nearly 667mbs
> free for proces compile (i only run these proces).

Nice :) I've mentioned 'memory' because the Spanish (is it Spanish? Just
guessing) fragment 'espacio de memoria' reminded me of the English word
'memory'; I was wrong here it seems. So forget about memory, it was only my
guesswork about your native language :) The lesson here: please translate
all messages to English if you want to post to an English mailing list.
Otherwise some people (like me) have no chance to understand, just guessing ... :)


-- 
- Gábor