Re: Dovecot passdb and postfix login
It seems to me that you have

  passdb {
    args = /etc/dovecot/local_sql_users.conf
    driver = sql
  }

but you don't have

  userdb {
    args = /etc/dovecot/local_sql_users.conf
    driver = sql
  }

Regards,
Ivo.

On 22.5.2020. 19:18, Laura Smith wrote:
> Hi,
> Long story short I've got a fully functional Dovecot IMAP instance and I am now looking to upgrade some perimeter authenticated SMTP relays to authenticate against the Dovecot instance.
> Trouble is that I am seeing errors such as "auth: Warning: sql: Ignoring changed user_query in /etc/dovecot/local_sql_users.conf, because userdb sql not used." in my Postfix server logs and am not able to successfully authenticate via AUTH LOGIN on the Postfix instance.
> Perhaps I'm missing something obvious from my config? Here is the doveconf -n from the Postfix server in question:
>
> # 2.3.10.1 (a3d0e1171): /etc/dovecot/dovecot.conf
> # OS: Linux 4.19.0-9-amd64 x86_64 Debian 10.4
> # Hostname: foobar.example.com
> auth_mechanisms = plain login
> auth_verbose = yes
> auth_verbose_passwords = sha1:7
> disable_plaintext_auth = no
> mail_location = mbox:~/mail:INBOX=/var/mail/%u
> namespace inbox {
>   inbox = yes
>   location =
>   mailbox Drafts {
>     special_use = \Drafts
>   }
>   mailbox Junk {
>     special_use = \Junk
>   }
>   mailbox Sent {
>     special_use = \Sent
>   }
>   mailbox "Sent Messages" {
>     special_use = \Sent
>   }
>   mailbox Trash {
>     special_use = \Trash
>   }
>   prefix =
> }
> passdb {
>   args = /etc/dovecot/local_sql_users.conf
>   driver = sql
> }
> service auth {
>   inet_listener {
>     address = 127.0.0.1
>     port = 7425
>   }
>   inet_listener {
>     address = ::1
>     port = 7425
>   }
>   unix_listener /var/spool/postfix-authrelay/private/dovecot-auth {
>     group = postfix
>     mode = 0660
>     user = postfix
>   }
> }
> ssl = no
>
> The local_sql_users.conf is the same one that's used on the functioning IMAP servers, just copied across to the authenticated relay server:
>
> $ sudo cat /etc/dovecot/local_sql_users.conf
> driver = pgsql
> connect = host=foo dbname=bar user=secret password=squirrel
> default_pass_scheme = ARGON2ID
> password_query = select dovecot_username as user,password from get_user('%u')
> user_query = select 'vmail' as uid, 'vmail' as gid
> iterate_query = select dovecot_username as user from get_users()
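When SMTP AUTH fails through Postfix it is usually quicker to talk to the Dovecot auth service directly and read its verdict than to guess from the Postfix log. The script below is an added example, not code from the posts above and not Dovecot or Postfix code. It speaks the Dovecot authentication client protocol as documented at https://doc.dovecot.org/developer_manual/design/auth_protocol/ (VERSION/CPID handshake, then one AUTH line carrying a SASL PLAIN response) and sends the same request fields the Postfix Dovecot SASL client sends (service, nologin, secured, lip/rip). The host 127.0.0.1 and port 7425 come from the posted doveconf -n; the user name and password are placeholders. One caveat that follows from that config: an inet_listener on loopback answers any local process, so it is also a local password-guessing surface; keep it bound to 127.0.0.1/::1 as here, or prefer the unix_listener with restricted ownership.

```python
"""Minimal client for the Dovecot authentication client protocol.

Added example; not Dovecot or Postfix code.
Protocol: https://doc.dovecot.org/developer_manual/design/auth_protocol/
"""
import base64
import os
import socket
from typing import Dict, List, Optional, Tuple


def build_plain_response(user: str, password: str, authzid: str = "") -> str:
    """SASL PLAIN initial response (RFC 4616): authzid NUL authcid NUL passwd, base64."""
    raw = f"{authzid}\0{user}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_plain_response(b64: str) -> Tuple[str, str, str]:
    """Inverse of build_plain_response: (authzid, user, password)."""
    authzid, user, password = base64.b64decode(b64).decode("utf-8").split("\0", 2)
    return authzid, user, password


def build_auth_request(req_id: int, user: str, password: str, service: str = "smtp",
                       rip: Optional[str] = None, lip: Optional[str] = None,
                       secured: bool = True, nologin: bool = True) -> str:
    """One AUTH line, with the fields the Postfix Dovecot SASL client sends.

    'nologin': the client will not log the user in, only verify the password.
    'secured': the client connection was protected; this is what lets PLAIN
    through when disable_plaintext_auth = yes.
    """
    fields: List[str] = ["AUTH", str(req_id), "PLAIN", f"service={service}"]
    if secured:
        fields.append("secured")
    if nologin:
        fields.append("nologin")
    if lip:
        fields.append(f"lip={lip}")
    if rip:
        fields.append(f"rip={rip}")
    fields.append("resp=" + build_plain_response(user, password))
    return "\t".join(fields) + "\n"


def parse_reply(line: str) -> Dict[str, str]:
    """Parse an OK/FAIL/CONT line; tab-separated key=value fields become dict keys."""
    parts = line.rstrip("\n").split("\t")
    reply = {"status": parts[0], "id": parts[1] if len(parts) > 1 else ""}
    for field in parts[2:]:
        key, _, value = field.partition("=")
        reply[key] = value
    return reply


def authenticate(host: str, port: int, user: str, password: str,
                 service: str = "smtp", timeout: float = 5.0) -> Dict[str, str]:
    """Connect to a Dovecot auth inet_listener and return the parsed final reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        conn = sock.makefile("rw", encoding="utf-8", newline="\n")
        conn.write("VERSION\t1\t1\n")          # major version must match the server's
        conn.write(f"CPID\t{os.getpid()}\n")
        conn.flush()
        mechs: List[str] = []
        for line in conn:                       # the server handshake ends with DONE
            parts = line.rstrip("\n").split("\t")
            if parts[0] == "MECH":
                mechs.append(parts[1].upper())
            elif parts[0] == "DONE":
                break
        if "PLAIN" not in mechs:
            raise RuntimeError(f"server offers no PLAIN mechanism: {mechs}")
        conn.write(build_auth_request(1, user, password, service=service))
        conn.flush()
        for line in conn:
            reply = parse_reply(line)
            if reply["status"] in ("OK", "FAIL", "CONT") and reply["id"] == "1":
                return reply
    raise RuntimeError("connection closed before the auth reply")


if __name__ == "__main__":
    # Host and port from the posted doveconf -n; user and password are placeholders.
    print(authenticate("127.0.0.1", 7425, "someone@example.com", "changeme"))
```

A FAIL reply with the posted auth_verbose = yes setting is accompanied by a log line naming the passdb that rejected the attempt, which separates a wrong password_query from a Postfix-side SASL problem.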
Re: Hierarchy separator recommendation?
On 26.4.2020. 12:17, Markus Winkler wrote:
>> Doesn't it, in the end, all come to translation from IMAP names (user, folder) to OS filesystem names within dovecot (at some benchmark tests expense)? :-)
> No, as there's a difference between "namespace / hierarchy" (mailbox name) and "layout" separators (OS filesystem).

Hi Markus,
I was trying to write a wannabe-joke / philosophical / theoretical comment. It seems that I failed :-(
What I tried to say is something like this: if some character is forbidden for usage in a file or folder name in your OS, what stands in your way to "escape" it or use mappings, e.g. use 9ca6aead2310a010cf445099d8c731490329f9af (result of SHA1('Markus.Winkler')) instead of Markus.Winkler if '.' creates a problem. You need just one additional file to record mapping info and some CPU cycles / IO operations to do mappings every time you need to access it (hence mentioning benchmark tests).
Yes, admins would "love" that and yes, this comment had no real value for dovecot users. Sorry.
Have a nice day,
Ivo.
Re: Hierarchy separator recommendation?
On 24.04.20 17:56, Admin Beckspaced wrote:
> what sort of troubles did you run into with the dot '.' as namespace separator?
> disadvantages could be:
> - shared folders with dots in user names
> - if you want to use dots in folder names
> What disadvantages are there when using '/' as namespace separator? Why is '.' the default (at least in .deb packages) if it is worse than '/'?

Doesn't it, in the end, all come to translation from IMAP names (user, folder) to OS filesystem names within dovecot (at some benchmark tests expense)? :-)
Re: replication_full_sync_interval
On 14.4.2020. 17:35, Aki Tuomi wrote:
> Those full syncs are not done precisely on the clock. If there are lots of other operations going on, such as higher priority syncs, they get done first.
> Aki

Good to know. I was afraid that something is not working as it should. Thanks Aki.
Ivo
Re: got a listener on 993
Maybe this thread can help you with your first question: https://dovecot.org/pipermail/dovecot/2014-August/097488.html

On 13.4.2020. 20:52, David Mehler wrote:
> Hello,
> Before I get into my question: is ssl on 993 or starttls on 143 better from a security perspective?
> I've noticed that I've got a dovecot listener on port 993; below is my doveconf -n output. I don't have an imaps listener uncommented. Should I do so and set its port to 0? Will that disable the 993 listener?
> Thanks.
> Dave.
>
> # 2.3.10 (0da0eff44): /usr/local/etc/dovecot/dovecot.conf
> # Pigeonhole version 0.5.10 (bf8ef1c2)
> # OS: FreeBSD 12.1-RELEASE-p2 amd64
> # Hostname: hostname.example.com
> auth_cache_size = 10 M
> auth_default_realm = example.com
> auth_mechanisms = plain login
> auth_realms = example.com
> dict {
>   lastlogin = mysql:/usr/local/etc/dovecot/dovecot-last-login.conf
> }
> first_valid_gid = 2100
> first_valid_uid = 2100
> hostname = hostname.example.com
> imap_client_workarounds = delay-newmail tb-extra-mailbox-sep tb-lsub-flags
> imap_idle_notify_interval = 1 mins
> last_valid_gid = 2100
> last_valid_uid = 2100
> lda_mailbox_autocreate = yes
> lda_mailbox_autosubscribe = yes
> lda_original_recipient_header = X-Original-To
> listen = xxx.xxx.xxx.xxx
> lmtp_rcpt_check_quota = yes
> log_timestamp = "%Y-%m-%d %H:%M:%S "
> mail_access_groups = vmail
> mail_fsync = never
> mail_gid = vmail
> mail_home = /var/vmail/mailboxes/%d/%n
> mail_location = dbox:~/mail
> mail_plugins = acl fts fts_lucene mail_log notify quota trash virtual welcome zlib mail_crypt
> mail_privileged_group = vmail
> mail_server_admin = mailto:postmas...@example.com
> mail_uid = vmail
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext spamtest spamtestplus virustest editheader imapflags notify imapsieve vnd.dovecot.imapsieve
> namespace {
>   location = sdbox:/var/vmail/public/:CONTROL=~/mail/public:INDEX=~/mail/public
>   prefix = Public/
>   separator = /
>   subscriptions = yes
>   type = public
> }
> namespace {
>   hidden = no
>   list = yes
>   location = maildir:/var/vmail/shared/office/.maildir:CONTROL=~/.maildir/control/office:INDEX=~/.maildir/index/office
>   prefix = shared/%%u/
>   separator = /
>   subscriptions = yes
>   type = shared
> }
> namespace inbox {
>   inbox = yes
>   location =
>   mailbox Drafts {
>     auto = subscribe
>     special_use = \Drafts
>   }
>   mailbox Sent {
>     auto = subscribe
>     special_use = \Sent
>   }
>   mailbox Spam {
>     auto = subscribe
>     autoexpunge = 30 days
>     special_use = \Junk
>   }
>   mailbox Trash {
>     auto = subscribe
>     autoexpunge = 30 days
>     special_use = \Trash
>   }
>   prefix =
>   separator = /
>   type = private
> }
> passdb {
>   args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
>   driver = sql
> }
> plugin {
>   acl = vfile:/usr/local/etc/dovecot/global-acls:cache_secs=300
>   fts = lucene
>   fts_autoindex = yes
>   fts_autoindex_exclude = \Junk
>   fts_autoindex_exclude2 = \Trash
>   fts_autoindex_exclude3 = \Spam
>   fts_autoindex_max_recent_msgs = 80
>   fts_index_timeout = 90
>   fts_lucene = whitespace_chars=@. normalize no_snowball
>   imapsieve_mailbox1_before = file:/var/vmail/sieve/global/learn-spam.sieve
>   imapsieve_mailbox1_causes = COPY
>   imapsieve_mailbox1_name = Spam
>   imapsieve_mailbox2_before = file:/var/vmail/sieve/global/learn-ham.sieve
>   imapsieve_mailbox2_causes = COPY
>   imapsieve_mailbox2_from = Spam
>   imapsieve_mailbox2_name = *
>   last_login_dict = proxy::lastlogin
>   last_login_key = # hidden, use -P to show it
>   mail_crypt_curve = prime256v1
>   mail_crypt_global_private_key = # hidden, use -P to show it
>   mail_crypt_global_public_key = # hidden, use -P to show it
>   mail_crypt_save_version = 2
>   mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
>   mail_log_fields = uid box msgid size
>   quota = count:User quota
>   quota_exceeded_message = Storage quota for this account has been exceeded, please try again later.
>   quota_grace = 10%%
>   quota_rule2 = Trash:ignore
>   quota_status_nouser = DUNNO
>   quota_status_overquota = 552 5.2.2 Mailbox is full
>   quota_status_success = DUNNO
>   quota_vsizes = true
>   quota_warning = storage=100%% quota-exceeded 100 %u
>   quota_warning2 = storage=95%% quota-warning 95 %u
>   quota_warning3 = storage=90%% quota-warning 90 %u
>   quota_warning4 = storage=85%% quota-warning 85 %u
>   quota_warning5 = storage=75%% quota-warning 75 %u
>   sieve = file:/var/vmail/sieve/%d/%n/scripts;active=/var/vmail/sieve/%d/%n/active-script.sieve
>   sieve_before = /var/vmail/sieve/global/spam-global.sieve
>   sieve_extensions = +notify +imapflags
> }
replication_full_sync_interval
The default value for replication_full_sync_interval is 24 hours. How is it then possible to get doveadm replicator status results like this one?

  username  priority  fast sync  full sync  success sync  failed
  someuser  none      24:23:39   24:23:39   24:23:37      -

  # doveconf -a | grep replication_full_sync_interval
  replication_full_sync_interval = 1 days
  # dovecot --version
  2.2.33.2 (d6601f4ec)
Re: %d ignored from auth-passwdfile.conf.ext configuration file
Did you try to log in as user "test" or "test@some_domain"? It seems to me that you did not use the full username (Error: passwd-file(test,). (%d: domain, the domain part in user@domain, empty if the user has no domain.)

On 13.4.2020. 11:05, Andrei Petru Mura wrote:
> I try to configure dovecot with virtual users. I put my users file in the folder /etc/dovecot/my_domain_name/users. My auth-passwdfile.conf.ext file looks like this:
>
>   passdb {
>     driver = passwd-file
>     args = username_format=%n /etc/dovecot/%d/users
>   }
>
> When I try to log in, I get this:
>
>   dovecot: auth: Error: passwd-file(test,some.ip.addr.here,): stat(/etc/dovecot//users) failed: No such file or directory
>
> As you can see, %d isn't interpreted. Why is this happening? Any hints?
> Thanks,
> Mura Andrei
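The stat(/etc/dovecot//users) in the error is exactly what %d expands to for a login with no domain part. The script below is an added example, not Dovecot code and not from the posts above; it re-implements the documented pieces of Dovecot's behaviour that matter here: how the login name is split into %u, %n and %d, how auth_default_realm supplies a domain when the client sent none, and the auth_username_chars filter (the character set in the code is Dovecot's documented default) that rejects a name before it reaches any passdb, which is what keeps a login such as test@../../etc from being expanded into a path. The passwd-file path and the logins are the ones from the thread.

```python
"""How a login name becomes %u / %n / %d, and which passwd-file path results.

Added example; not Dovecot code. It follows the documented behaviour of
auth_default_realm and auth_username_chars; DEFAULT_USERNAME_CHARS is
Dovecot's documented default for auth_username_chars.
"""
import re
from typing import Tuple

# Anything outside this set is rejected before the name reaches a passdb, so a
# character like '/' can never be expanded into a path such as /etc/dovecot/%d/users.
DEFAULT_USERNAME_CHARS = ("abcdefghijklmnopqrstuvwxyz"
                          "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                          "01234567890.-_@")


def valid_username(login: str, allowed: str = DEFAULT_USERNAME_CHARS) -> bool:
    """auth_username_chars check: non-empty and every character is allowed."""
    return bool(login) and all(c in allowed for c in login)


def split_user(login: str, default_realm: str = "") -> Tuple[str, str]:
    """Return (user part, domain part).

    Without an '@' the domain is empty, unless auth_default_realm supplies one,
    in which case '@realm' is appended to the username as Dovecot does.
    """
    if "@" in login:
        user, domain = login.split("@", 1)
        return user, domain
    return login, default_realm


def expand(template: str, login: str, default_realm: str = "") -> str:
    """Expand %u (full username), %n (user part), %d (domain) and %%."""
    user, domain = split_user(login, default_realm)
    full = f"{user}@{domain}" if domain else user
    table = {"u": full, "n": user, "d": domain, "%": "%"}

    def sub(m):
        return table.get(m.group(1), m.group(0))

    return re.sub(r"%([und%])", sub, template)


def passwd_file_path(args_path: str, login: str, default_realm: str = "") -> str:
    """The file the passwd-file driver would stat for this login, after the
    username-character check; raises for names Dovecot would refuse."""
    if not valid_username(login):
        raise ValueError(f"login contains characters outside auth_username_chars: {login!r}")
    return expand(args_path, login, default_realm)


if __name__ == "__main__":
    for login in ("test", "test@example.com"):
        print(login, "->", passwd_file_path("/etc/dovecot/%d/users", login),
              "key", expand("%n", login))
```

With the thread's args, logging in as "test" yields /etc/dovecot//users, logging in as "test@my_domain_name" yields /etc/dovecot/my_domain_name/users, and setting auth_default_realm makes a bare "test" behave like the latter.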
doveadm replicator command
Can someone please explain to me what the commands "doveadm replicator add" and "doveadm replicator remove" really do. According to https://wiki.dovecot.org/Tools/Doveadm/Replicator they "Add the specified user(s) to the replicator." and "Remove the specified user from replicator.". Do they really do that?
Since the default list of users for replication comes from doveadm user '*' (https://wiki.dovecot.org/Replication), I tried removing one user (e.g. xyz) from replication by using "doveadm replicator remove xyz" and it didn't work. Namely, after entering that command the only thing that I noticed is that "doveadm replicator status xyz" does not return any information. BUT, as soon as one mail arrives for that user, "doveadm replicator status xyz" displays valid information and mail is replicated.
Thanks in advance for any reply.

  # dovecot --version
  2.2.33.2 (d6601f4ec)
Re: Re: Warning: Failed to do incremental sync
I am getting a lot of these messages (on the master side of replication):

  dovecot: doveadm: Error: dsync-remote(userxyz): Warning: Failed to do incremental sync for mailbox INBOX, retry with a full sync (Modseq 81589 no longer in transaction log)

Having "Error" and "Warning" on the same line is confusing, to start with. If I get it right, it means that very often the (incremental) sync fails and replication starts again after 5 min, but this time by doing a full sync, which, I guess, is not good (more resources used).
Since I am doing only one-way replication, what could be the reason for those errors/warnings? Nothing is changing files on the remote side besides dsync-server.
Is there anything I can do to "fix" this?

  # dovecot --version
  2.2.33.2 (d6601f4ec)
Re: [Dovecot] Using Dovecot-auth to return error code 450 (or other 4xx) to Postfix when user is on vacation
On Mon, 16 Jan 2012 18:20:39 +0200, Mark Sapiro m...@msapiro.net wrote:
> On 11:59 AM, IVO GELOV (CRM) wrote:
>> The limitation of 1 message per week for any unique combination of sender/recipient does not stop backscatter - because each message can come with a new forged FROM address, and from different compromised mail servers. The spammer does not have control over the body of the auto-replies (which is something like "I am not at the office, please write to my colleagues"), but it still may cause the victims to take some measures.
> All true, but the sender in the sender/recipient combination is the forged From: that ultimately receives the backscatter and the recipient is your local user who set the vacation autoresponse. If you only have one or two local users on vacation at a time, any given backscatter recipient could receive at most one or two backscatter messages per week regardless of how many compromised servers the spammer sends from. And this assumes the spam is initially sent to multiple local users on vacation and gets past your local spam filtering.
> I don't know about you, but I have more significant potential backscatter sources to worry about.

I see your point and I agree with you this is a minor problem.
Thanks for your time, Mark.
Best wishes,
Ivo Gelov
Re: [Dovecot] Dovecot unable to locate mailbox
On Mon, 16 Jan 2012 14:38:44 +0200, Jason X, Maney jsxmo...@gmail.com wrote:
> Dear all,
> I hope someone can point me in the right direction here. I have set up my Dovecot v2.0.13 on Ubuntu 11.10. The logs tell me that the mail location has failed as follows:
>
> =
> Jan 16 14:18:16 myservername dovecot: pop3-login: Login: user=userA, method=PLAIN, rip=aaa.bbb.ccc.ddd, lip=www.xxx.yyy.zzz, mpid=1360, TLS
> Jan 16 14:18:16 myservername dovecot: pop3(userA): Error: user molla: Initialization failed: mail_location not set and autodetection failed: Mail storage autodetection failed with home=/home/userA
> Jan 16 14:18:16 myservername dovecot: pop3(userA): Error: Invalid user settings. Refer to server log for more information.
> =
>
> Yet my config also comes out strangely as below:
>
>   # path given in the mail_location setting.
>   # mail_location = maildir:~/Maildir
>   # mail_location = mbox:~/mail:INBOX=/var/mail/%u
>   # mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n
>   mail_location = maildir:~/Maildir
>   # explicitly, ie. mail_location does nothing unless you have a namespace
>   # mail_location, which is also the default for it.

Hi, Jason.
I will describe my configuration and probably you will find some useful information. I am using Postfix as MTA and have configured Dovecot to be the LDA. I have several domains, so I am using the following folder schema:

  /var/mail/vhosts                  = the root of the mail storage
  /var/mail/vhosts/domain_1         = first domain
  /var/mail/vhosts/domain_1/user_1  = first mailbox in this domain
  /var/mail/vhosts/domain_2         = another domain
  /var/mail/vhosts/domain_2/user_1  = first mailbox in the other domain

This is achieved with the following setting in mail.conf:

  mail_location = maildir:/var/mail/vhosts/%d/%n

But since I do not want to manually go and create the corresponding folders each time I add a new user (I manage accounts through a MySQL table), I also use the following settings in lda.conf:

  lda_mailbox_autocreate = yes
  lda_mailbox_autosubscribe = yes

Perhaps you only need to add the latter settings in lda.conf and everything should run fine.
Best wishes,
IVO GELOV
Re: [Dovecot] Using Dovecot-auth to return error code 450 (or other 4xx) to Postfix when user is on vacation
On Sun, 15 Jan 2012 23:36:48 +0200, Mark Sapiro m...@msapiro.net wrote:
> IVO GELOV (CRM) wrote:
>> I still think that my idea with custom error codes is more useful - if the user is on vacation, the message is rejected immediately (no auto-reply is sent) and the sender can see (hopefully, because most users just ignore error messages) the reason why the message was rejected.
> A 4xx status will not do this. It should just cause the sending MTA to keep the message queued and keep retrying. Depending on the sending MTA's retry and notification policies, the sender may see no error or delay notification for several days. If you really want the sender to immediately see a rejection, you have to use a 5xx status.

Yes, you are right. The error code is the smallest difficulty :)
Re: [Dovecot] Using Dovecot-auth to return error code 450 (or other 4xx) to Postfix when user is on vacation
On Sun, 15 Jan 2012 23:50:02 +0200, Mark Sapiro m...@msapiro.net wrote:
> On 11:59 AM, Charles Marcus wrote:
>> On 2012-01-14 12:23 PM, IVO GELOV (CRM) i...@crm.walltopia.com wrote:
>>> I have downloaded the latest version 4.0 - but it seems there is no way to prevent spammers from using forged email addresses. I decided to remove the vacation feature from our corporate mail server, because it actually opens a backdoor (even though only when someone decides to activate his vacation auto-reply) for spammers and puts a risk on the company (our server can be blacklisted).
>> Sorry, I misread your message... However, (I *think*) there *is* a simple solution to your problem, if I now understand it correctly... Simply disallow anyone sending from an email address in your domain from sending without SASL_AUTHing...
> I don't see how this will help. The scenario the OP is concerned about is spammer@foreign.domain sends a message with forged From: and maybe envelope sender victim@other.foreign.domain to his user on vacation. The vacation program sends an autoresponse to the victim.
> However, why worry about this minimal backscatter? A good vacation program will not send more than one autoresponse per long time (a week?) for a given sender/recipient and won't include the original spam payload. So, even though a spammer might use this backdoor to cause your server to send messages to multiple recipients, the messages should not have spam payloads and shouldn't be sent more than once to a given end recipient.

The limitation of 1 message per week for any unique combination of sender/recipient does not stop backscatter - because each message can come with a new forged FROM address, and from different compromised mail servers. The spammer does not have control over the body of the auto-replies (which is something like "I am not at the office, please write to my colleagues"), but it still may cause the victims to take some measures.
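Mark's description of "a good vacation program" (at most one autoresponse per sender/recipient per long period, never the original payload) together with Charles's point about message types an autoresponder must not answer is a checklist that can be written down as code. The block below is an added example; it is not the Virtual Vacation script discussed in this thread and not Dovecot or Pigeonhole code. The suppression rules are the standard ones (RFC 3834 plus what common vacation implementations do); the one-week window, the local domain set and the sample messages are constructed for the example. It decides whether a reply may go out and, if so, builds a reply with an empty envelope sender, an Auto-Submitted header and no quoted body, so that the reply itself cannot feed a backscatter loop or carry a spammer's payload.

```python
"""Decide whether a vacation autoreply may go out, and build one that cannot
become backscatter.

Added example; not the Virtual Vacation script from the thread and not Dovecot
code. Rules follow RFC 3834 and common vacation implementations; the rate-limit
window and the local domain set are assumptions made for the example.
"""
from email import message_from_string
from email.message import EmailMessage
from email.utils import getaddresses, make_msgid
from typing import Dict, Tuple

RATE_LIMIT_SECONDS = 7 * 24 * 3600      # one reply per (sender, recipient) per week (assumed)
LOCAL_DOMAINS = {"example.com"}         # assumed: domains whose addresses are ours
SentLog = Dict[Tuple[str, str], float]  # (envelope sender, recipient) -> time of last reply


def should_autoreply(raw: str, envelope_from: str, recipient: str,
                     sent_log: SentLog, now: float) -> Tuple[bool, str]:
    """Return (send?, reason). Each check stops a forged or automatic message
    from turning the autoresponder into a backscatter source."""
    msg = message_from_string(raw)
    sender = envelope_from.strip().lower()
    recipient = recipient.lower()
    if not sender:
        return False, "null envelope sender (bounce or DSN)"
    auto = (msg.get("Auto-Submitted") or "no").split(";")[0].strip().lower()
    if auto != "no":                                      # RFC 3834 section 2
        return False, f"Auto-Submitted: {auto}"
    if (msg.get("Precedence") or "").strip().lower() in ("bulk", "list", "junk"):
        return False, "Precedence: bulk/list/junk"
    if any(h in msg for h in ("List-Id", "List-Unsubscribe", "List-Post")):
        return False, "mailing list traffic"
    if (msg.get("X-Spam-Flag") or "").strip().upper() == "YES":
        return False, "already classified as spam"
    if sender.rpartition("@")[2] in LOCAL_DOMAINS:
        return False, "sender claims one of our own addresses (likely forged)"
    addressed = {a.lower() for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    if recipient not in addressed:
        return False, "recipient not named in To/Cc"
    last = sent_log.get((sender, recipient))
    if last is not None and now - last < RATE_LIMIT_SECONDS:
        return False, "already replied to this sender within the window"
    return True, "ok"


def build_reply(raw: str, envelope_from: str, recipient: str, text: str) -> Tuple[str, EmailMessage]:
    """Return (envelope sender, reply message).

    The envelope sender is empty (<>) so a bounce of the reply cannot trigger more
    automatic mail, the reply is marked auto-replied so other autoresponders skip
    it, and the original body is never quoted, so no payload is relayed through us.
    """
    original = message_from_string(raw)
    reply = EmailMessage()
    reply["From"] = recipient
    reply["To"] = envelope_from                          # RFC 3834: answer the Return-Path address
    reply["Subject"] = "Auto: " + (original.get("Subject") or "").strip()
    reply["Auto-Submitted"] = "auto-replied"
    reply["Precedence"] = "bulk"
    reply["Message-ID"] = make_msgid(domain="example.com")   # assumed domain
    if original.get("Message-ID"):
        reply["In-Reply-To"] = original["Message-ID"]
        reply["References"] = original["Message-ID"]
    reply.set_content(text)
    return "", reply


if __name__ == "__main__":
    # Constructed sample: a message forged to look like it came from victim@other.example.
    sample = ("From: victim@other.example\nTo: alice@example.com\nSubject: hi\n"
              "Message-ID: <1@other.example>\n\nbuy now\n")
    log: SentLog = {}
    print(should_autoreply(sample, "victim@other.example", "alice@example.com", log, now=1000.0))
    log[("victim@other.example", "alice@example.com")] = 1000.0
    print(should_autoreply(sample, "victim@other.example", "alice@example.com", log, now=4600.0))
```

The rate-limit key is the envelope sender, which is exactly the weakness Ivo points out below: a spammer who rotates forged senders gets one reply per forged address, so the other checks (no reply to bulk or auto-submitted mail, no reply to mail already flagged as spam, no payload in the reply) are what keep each of those replies harmless.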
Re: [Dovecot] Using Dovecot-auth to return error code 450 (or other 4xx) to Postfix when user is on vacation
On Sun, 15 Jan 2012 14:33:24 +0200, Charles Marcus cmar...@media-brokers.com wrote:
> On 2012-01-14 12:23 PM, IVO GELOV (CRM) i...@crm.walltopia.com wrote:
>> I have downloaded the latest version 4.0 - but it seems there is no way to prevent spammers from using forged email addresses. I decided to remove the vacation feature from our corporate mail server, because it actually opens a backdoor (even though only when someone decides to activate his vacation auto-reply) for spammers and puts a risk on the company (our server can be blacklisted).
> Sorry, I misread your message... However, (I *think*) there *is* a simple solution to your problem, if I now understand it correctly... Simply disallow anyone sending from an email address in your domain from sending without SASL_AUTHing...
> The way I do this is: in main.cf (I put all of my restrictions in smtpd_recipient_restrictions) add:
>
>   check_sender_access ${hash}/nospoof,
>
> somewhere after reject_unauth_destination (but before any RBL checks), where nospoof contains:
>
>   # Prevent spoofing from domains that we own
>   allowed_addre...@example.com  OK
>   allowed_addre...@example.com  OK
>   example.com  REJECT You must use sasl_auth to send from one of our example.com email addresses...
>
> and of course be sure to postmap the nospoof database after making any changes...

These are the restrictions I apply (or had been applying for some time). Anyway, for now I simply disabled the vacation plugin.

  smtpd_client_restrictions = permit_mynetworks, check_client_access mysql:/etc/postfix/sender_ip, permit_sasl_authenticated, reject_unknown_client
  #reject_rhsbl_client blackhole.securitysage.com, reject_rbl_client opm.blitzed.org,
  #smtpd_client_restrictions = permit_sasl_authenticated, permit_mynetworks, check_client_access mysql:/etc/postfix/client_sql, reject_rbl_client sbl.spamhaus.org, reject_rbl_client list.dsbl.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client dul.dnsbl.sorbs.net, reject_rbl_client dnsbl.ahbl.org, permit
  #smtpd_client_restrictions = permit_sasl_authenticated, permit_mynetworks, check_client_access mysql:/etc/postfix/client_ok, reject_rbl_client sbl.spamhaus.org, reject_rbl_client list.dsbl.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client dul.dnsbl.sorbs.net, reject_rbl_client dnsbl.ahbl.org, reject_unknown_client
  ###, check_policy_service inet:127.0.0.1:10040, reject_rbl_client sbl.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client dul.dnsbl.sorbs.net, reject_rbl_client dnsbl.ahbl.org
  #,reject_rbl_client opm.blitzed.org, reject_rbl_client relays.ordb.org, reject_rbl_client dun.dnsrbl.net

  # REJECT_NON_FQDN_HOSTNAME - checks whether HELO is a fully qualified domain name (with suffix)
  #smtpd_helo_restrictions = check_helo_access hash:/etc/postfix/helo_access, reject_invalid_hostname, reject_non_fqdn_hostname
  smtpd_helo_restrictions = reject_invalid_hostname

  smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_rhsbl_sender rhsbl.ahbl.org, reject_rhsbl_sender rhsbl.sorbs.net, reject_rhsbl_sender multi.surbl.org
  #reject_rhsbl_sender blackhole.securitysage.com, reject_rhsbl_sender opm.blitzed.org,
  #smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, check_sender_access mysql:/etc/postfix/sender_sql, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_rhsbl_sender rhsbl.ahbl.org, reject_rhsbl_sender block.rhs.mailpolice.com, reject_rhsbl_sender rhsbl.sorbs.net, reject_rhsbl_sender multi.surbl.org, reject_rhsbl_sender dsn.rfc-ignorant.org, permit
  #, reject_rhsbl_sender dsn.rfc-ignorant.org, reject_rhsbl_sender relays.ordb.org, reject_rhsbl_sender dun.dnsrbl.net

  #smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unauth_pipelining, check_recipient_access regexp:/etc/postfix/dspam_incoming
  smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unauth_pipelining
  smtpd_data_restrictions = reject_unauth_pipelining
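Charles's nospoof map only works because of where it sits in the list: Postfix evaluates a restriction list top to bottom and stops at the first PERMIT or REJECT, so the map must come after permit_sasl_authenticated (or authenticated users would be rejected too) and after reject_unauth_destination, but before any DNSBL lookup (or an OK entry would never be reached for a listed client). The block below is an added example, not Postfix code and not from either poster; it models that first-match evaluation and the access(5) lookup order that check_sender_access uses (full address, then the domain and its parent domains, then localpart@), so the effect of moving the map can be checked without a running Postfix. The networks, the map entries, the DNSBL answers and the sessions are constructed for the example, and "allowed@example.com" stands in for the elided addresses in Charles's map.

```python
"""A small model of how Postfix walks an smtpd_*_restrictions list.

Added example; not Postfix code. Models first-match evaluation and the
access(5) lookup order for check_sender_access. Networks, map entries, the
DNSBL answers and the sessions are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple


@dataclass
class Session:
    client_ip: str
    sender: str
    recipient: str
    sasl_authenticated: bool = False


Verdict = Optional[Tuple[str, str]]        # ("PERMIT" | "REJECT", reason), or None for DUNNO
Restriction = Callable[[Session], Verdict]


def access_lookup(table: Dict[str, str], address: str) -> Optional[str]:
    """access(5) lookup order for an address: the full address, then the domain and
    each parent domain (smtpd_access_maps is in parent_domain_matches_subdomains by
    default), then localpart@."""
    local, _, domain = address.lower().partition("@")
    labels = domain.split(".") if domain else []
    keys = [address.lower()] + [".".join(labels[i:]) for i in range(len(labels))] + [local + "@"]
    for key in keys:
        if key in table:
            return table[key]
    return None


def permit_mynetworks(networks: Iterable[str]) -> Restriction:
    nets = [ipaddress.ip_network(n) for n in networks]

    def restriction(s: Session) -> Verdict:
        addr = ipaddress.ip_address(s.client_ip)
        return ("PERMIT", "permit_mynetworks") if any(addr in n for n in nets) else None
    return restriction


def permit_sasl_authenticated(s: Session) -> Verdict:
    return ("PERMIT", "permit_sasl_authenticated") if s.sasl_authenticated else None


def reject_unauth_destination(local_domains: Set[str]) -> Restriction:
    """Reject relaying: the recipient domain must be one we accept mail for."""
    def restriction(s: Session) -> Verdict:
        if s.recipient.rpartition("@")[2].lower() in local_domains:
            return None
        return ("REJECT", "554 5.7.1 Relay access denied")
    return restriction


def check_sender_access(table: Dict[str, str]) -> Restriction:
    def restriction(s: Session) -> Verdict:
        entry = access_lookup(table, s.sender)
        if entry is None:
            return None
        action, _, text = entry.partition(" ")
        if action.upper() == "OK":
            return ("PERMIT", f"check_sender_access OK for {s.sender}")
        if action.upper() == "REJECT":
            return ("REJECT", "554 5.7.1 " + (text or "Access denied"))
        return None                                # DUNNO, or actions this model skips
    return restriction


def reject_rbl_client(zone: str, listed: Set[str]) -> Restriction:
    """Stand-in for the DNSBL query: `listed` holds the IPs the zone would answer for."""
    def restriction(s: Session) -> Verdict:
        if s.client_ip in listed:
            return ("REJECT", f"554 5.7.1 Service unavailable; Client host blocked using {zone}")
        return None
    return restriction


def evaluate(restrictions: List[Restriction], session: Session) -> Tuple[str, str]:
    """Postfix semantics: the first PERMIT or REJECT wins, DUNNO falls through,
    and reaching the end of the list permits."""
    for restriction in restrictions:
        verdict = restriction(session)
        if verdict is not None:
            return verdict
    return ("PERMIT", "end of restriction list")


# Constructed nospoof map in the spirit of the thread; "allowed@example.com" stands in
# for the elided addresses and may send unauthenticated, everything else claiming
# @example.com must authenticate.
NOSPOOF = {
    "allowed@example.com": "OK",
    "example.com": "REJECT You must use sasl_auth to send from one of our example.com email addresses",
}

RECIPIENT_RESTRICTIONS: List[Restriction] = [
    permit_mynetworks(["127.0.0.0/8", "192.0.2.0/24"]),
    permit_sasl_authenticated,
    reject_unauth_destination({"example.com"}),
    check_sender_access(NOSPOOF),                    # after the permits, before the DNSBL
    reject_rbl_client("sbl.spamhaus.org", {"203.0.113.66"}),
]


def decide(client_ip: str, sender: str, recipient: str, sasl: bool = False) -> Tuple[str, str]:
    return evaluate(RECIPIENT_RESTRICTIONS, Session(client_ip, sender, recipient, sasl))


if __name__ == "__main__":
    print(decide("203.0.113.5", "alice@example.com", "bob@example.com"))
    print(decide("203.0.113.5", "alice@example.com", "bob@example.com", sasl=True))
```

Swapping check_sender_access and permit_sasl_authenticated in RECIPIENT_RESTRICTIONS makes the second call above reject the authenticated user as well, which is the mistake the ordering advice in the thread guards against.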
Re: [Dovecot] Using Dovecot-auth to return error code 450 (or other 4xx) to Postfix when user is on vacation
On Fri, 13 Jan 2012 20:03:36 +0200, Charles Marcus cmar...@media-brokers.com wrote:
> On 2012-01-13 12:11 PM, IVO GELOV (CRM) i...@crm.walltopia.com wrote:
>> I am aware of the various autoresponder scripts for vacation autoreplies (I am using Virtual Vacation 3.1 by Mischa Peters). I have an issue with auto-replies - it is vulnerable to spamming with forged email addresses.
> I think you are using an extremely old/outdated version... The latest version would not suffer this problem, because it has a lot of message types that it will *not* respond to, including messages appearing to be from yourself... Get the latest version from the postfixadmin package. However, I don't know how to use it without also using postfixadmin (it creates databases for storing the vacation message, etc)...

I have downloaded the latest version 4.0 - but it seems there is no way to prevent spammers from using forged email addresses. I decided to remove the vacation feature from our corporate mail server, because it actually opens a backdoor (even though only when someone decides to activate his vacation auto-reply) for spammers and puts a risk on the company (our server can be blacklisted).
I still think that my idea with custom error codes is more useful - if the user is on vacation, the message is rejected immediately (no auto-reply is sent) and the sender can see (hopefully, because most users just ignore error messages) the reason why the message was rejected.
Probably Dovecot-auth does not offer such flexibility right now - but it is worth considering.
[Dovecot] Using Dovecot-auth to return error code 450 (or other 4xx) to Postfix when user is on vacation
Hello to all members.
I have been using Dovecot for 5 years, but this is my first post here.
I am aware of the various autoresponder scripts for vacation autoreplies (I am using Virtual Vacation 3.1 by Mischa Peters). I have an issue with auto-replies - it is vulnerable to spamming with forged email addresses. Forging can be prevented with several Postfix settings, which I did in the past - but was forced to remove, because our company occasionally has clients with improper configurations and those settings prevent us from receiving their legitimate mail (and this of course is not good for the business).
So I have thought about another idea. Since I use Dovecot-auth to verify mailbox existence - I just wonder, is it possible to somehow indicate a specific error code (and hopefully descriptive text also) to Postfix (e.g. 450 or some other temporary failure) when the owner of the mailbox is currently on vacation?
Best wishes,
IVO GELOV