Re: Can't Empty Inbox that is Over quota

2024-06-08 Thread Jason Hirsh via dovecot


> On Jun 6, 2024, at 7:29 AM, Benny Pedersen via dovecot wrote:
> 
> Jason Hirsh via dovecot wrote on 2024-06-06 03:20:
> 
>> Is there any way I can remove Dovecot from my server and reinstall it?   It 
>> is so messed up I don’t care about losing data
> 
> reinstall will make the same install problem fails


That would be me 
> 
> i often joke about precompiled problems :)
> 
> more help show logs
> 

The logs show 

imap-login: Disconnected: Connection closed: SSL_accept() failed: 
error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: 
SSL alert number 46 (no auth attempts in 0 secs): user=<>, rip=69.142.122.175, 
lip=209.160.65.133, TLS handshaking: SSL_accept() failed: error:14094416:SSL 
routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, 
session=
Jun  5 18:18:49 triggerfish dovecot[37112]: ima




> and also doveconf -n



I tried before but message was too big. Let me try again



# 2.3.21 (47349e2482): /usr/local/etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.21 (f6cd4b8e)
# OS: FreeBSD 13.2-RELEASE-p4 amd64  ufs
# Hostname: triggerfish.theoceanwindow.com
dict {
  quota = mysql:/usr/local/etc/dovecot/dovecot-dict-sql.conf.ext
}
first_valid_gid = 110
first_valid_uid = 110
hostname = triggerfish.theoceanwindow.com
last_valid_gid = 110
last_valid_uid = 110
lmtp_rcpt_check_quota = yes
mail_location = maildir:/usr/local/virtual/%d/%n
mail_plugins = quota
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapsieve vnd.dovecot.imapsieve
namespace inbox {
  inbox = yes
  location = 
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Junk {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix = 
  separator = /
  type = private
}
passdb {
  args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  expire = Trash
  imapsieve_mailbox1_before = file:/usr/local/virtual/sieve/rspamd/rspamd-learn-spam.sieve
  imapsieve_mailbox1_causes = COPY
  imapsieve_mailbox1_name = Junk
  imapsieve_mailbox2_before = file:/usr/local/virtual/sieve/rspamd/rspamd-learn-ham.sieve
  imapsieve_mailbox2_causes = COPY
  imapsieve_mailbox2_from = Junk
  imapsieve_mailbox2_name = *
  imapsieve_mailbox3_before = file:/usr/local/virtual/sieve/global/read.sieve
  imapsieve_mailbox3_causes = COPY
  imapsieve_mailbox3_name = Trash
  mail_home = /usr/local/virtual/%d/%n
  mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
  mail_log_fields = uid box msgid size
  quota = dict:User quota::proxy::quota
  quota_exceeded_message = Storage quota for this account has been exceeded, please try again later.
  quota_grace = 10%%
  quota_max_mail_size = 100M
  quota_rule = *:storage=1G
  quota_rule2 = Trash:storage=+30%%
  quota_rule3 = Sent:storage=+30%%
  quota_warning = storage=95%% quota-warning 95 %u
  quota_warning2 = storage=80%% quota-warning 80 %u
  quota_warning4 = -storage=100%% quota-warning -100 %u
  sieve = /usr/local/virtual/%d/%n/.dovecot.sieve
  sieve_before = /usr/local/virtual/sieve/global/default.sieve
  sieve_dir = /usr/local/virtual/%d/%n/sieve
  sieve_global = /usr/local/virtual/sieve/global/
  sieve_global_dir = /usr/local/virtual/sieve/global/
  sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
  sieve_pipe_bin_dir = /usr/local/virtual/sieve/rspamd
  sieve_plugins = sieve_imapsieve sieve_extprograms
}
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
postmaster_address = ad...@theoceanwindow.com
protocols = imap pop3 lmtp sieve
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = mail
    mode = 0666
    user = postfix
  }
  unix_listener auth-userdb {
    group = mail
    mode = 0666
    user = vmail
  }
}
service dict {
  unix_listener dict {
    group = vscan
    mode = 0660
    user = vscan
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service quota-warning {
  executable = script /usr/local/virtual/bin/quota-warning.sh
  unix_listener quota-warning {
    user = vscan
  }
  user = dovecot
}
ssl_ca =  

___
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org


Re: Can't Empty Inbox that is Over quota

2024-06-06 Thread Jason Hirsh via dovecot
I am getting this error

imap-login: Disconnected: Connection closed: SSL_accept() failed: 
error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: 
SSL alert number 46 (no auth attempts in 0 secs): user=<>, rip=69.142.122.175, 
lip=209.160.65.133, TLS handshaking: SSL_accept() failed: error:14094416:SSL 
routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, 
session=
J

I tried sending the results of doveconf -n. But the resulting message is too 
big and waits monitor review





> On Jun 6, 2024, at 7:29 AM, Benny Pedersen via dovecot wrote:
> 
> Jason Hirsh via dovecot wrote on 2024-06-06 03:20:
> 
>> Is there any way I can remove Dovecot from my server and reinstall it?   It 
>> is so messed up I don’t care about losing data
> 
> reinstall will make the same install problem fails
> 
> i often joke about precompiled problems :)
> 
> more help show logs
> 
> and also doveconf -n
> 


Re: Adjusting logging with the "remote" syntax

2020-08-21 Thread Jason Young
I wanted to follow up on this message. Is there any way to disable info logging 
for when the ‘remote’ is localhost?   

> On Aug 12, 2020, at 12:48 PM, Jason Young  wrote:
> 
> According to the docs, we can use ‘local’ and ‘remote’ blocks to change 
> configuration directives. 
> 
> In my current setup (Mail-in-a-box using Nextcloud, which is configured for 
> IMAP authentication), my mail logs are spammed with local logins. I really 
> don't need these reports, but still want to retain login logs for remote IPs. 
> So I set the following in my configuration:
> 
> remote 127.0.0.1 {
>  info_log_path = /dev/null
> }
> 
> When I run "doveadm -n -f remote=127.0.0.1", it does seem to understand it:
> 
> ---
> # 2.2.33.2 (d6601f4ec): /etc/dovecot/dovecot.conf
> # Pigeonhole version 0.4.21 (92477967)
> ...
> info_log_path = /dev/null
> ...
> remote 127.0.0.1 {
>  info_log_path = /dev/null
> }
> ---
> 
> However, I’m still getting spammed with local login reports:
> 
> Aug 12 12:17:13 imap-login: Info: Login: user=, 
> method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=29798, TLS, 
> session=
> Aug 12 12:17:13 imap(u...@domain.tld): Info: Logged out in=305 out=2277
> 
> I've also tried logging to a specific file, instead of /dev/null, but no file 
> was created. So there must be an issue with my understanding.
> 
> How can I prevent logins from localhost from being logged without sacrificing 
> logs for all logins?
> 
> -Jason Young



Adjusting logging with the "remote" syntax

2020-08-12 Thread Jason Young
According to the docs, we can use ‘local’ and ‘remote’ blocks to change 
configuration directives. 

In my current setup (Mail-in-a-box using Nextcloud, which is configured for 
IMAP authentication), my mail logs are spammed with local logins. I really 
don't need these reports, but still want to retain login logs for remote IPs. 
So I set the following in my configuration:

remote 127.0.0.1 {
  info_log_path = /dev/null
}

When I run "doveadm -n -f remote=127.0.0.1", it does seem to understand it:

---
# 2.2.33.2 (d6601f4ec): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.21 (92477967)
...
info_log_path = /dev/null
...
remote 127.0.0.1 {
  info_log_path = /dev/null
}
---

However, I’m still getting spammed with local login reports:

Aug 12 12:17:13 imap-login: Info: Login: user=, method=PLAIN, 
rip=127.0.0.1, lip=127.0.0.1, mpid=29798, TLS, session=
Aug 12 12:17:13 imap(u...@domain.tld): Info: Logged out in=305 out=2277

I've also tried logging to a specific file, instead of /dev/null, but no file 
was created. So there must be an issue with my understanding.

How can I prevent logins from localhost from being logged without sacrificing 
logs for all logins?

-Jason Young

Dovecot Postfix MySQL Authentication Issues

2019-12-29 Thread jason hirsh
I am using mysql 5.7.28
Postfix 3.4,8
Dovecot 2.3.9.2

It began a while and I was using the Purple Hat Organization installation guide 
which was loaded with minor errors

Now dead in water

Dovecot Postfix MySQL Authentication Issues

2019-12-29 Thread jason hirsh
I am in a situation where I have to wipe my remote server and reinstall. It's 
been a while since I built a server and I am not as sharp as I used to be.
I am running FreeBSD 12.1. Well, at least the server is... I am getting constant 
authentication errors like


Dec 28 22:10:18 triggerfish dovecot[21809]: imap-login: Aborted login (auth 
failed, 1 attempts in 6 secs): user=, method=PLAIN, 
rip=73.150.178.106, lip=x.x.x.x, TLS, session=
Dec 28 22:10:19 triggerfish dovecot[21809]: imap-login: Aborted login (client 
didn't finish SASL auth, waited 4 secs): user=<>, method=LOGIN, 
rip=73.150.178.106, lip=x.x.x.x, TLS, session=
Dec 28 22:10:19 triggerfish dovecot[21809]: imap-login: Disconnected (no auth 
attempts in 0 secs): user=<>, rip=73.150.178.106, lip=x,x,x,x, TLS: Connection 
closed, session=
Dec 28 22:10:24 triggerfish dovecot[21809]: imap-login: Aborted login (auth 
failed, 1 attempts in 6 secs): user=, method=LOGIN, 
rip=73.150.178.106, lip=x,x,x,x, TLS, session=


results of postconf -n are

broken_sasl_auth_clients = yes
command_directory = /usr/local/sbin
compatibility_level = 2
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
dovecot_destination_recipient_limit = 1
html_directory = /usr/local/share/doc/postfix
inet_protocols = ipv4
mail_owner = postfix
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
message_size_limit = 2560
meta_directory = /usr/local/libexec/postfix
mydestination = localhost
mydomain = example.com
myhostname = mail.example.com
mynetworks_style = host
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix
relay_recipient_maps = mysql:/usr/local/etc/postfix/mysql-virtual-mailbox-maps.cf
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
shlib_directory = /usr/local/lib/postfix
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname, reject_unknown_hostname, reject_non_fqdn_hostname, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, permit
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unauth_destination, reject_unauth_pipelining, reject_rbl_client bl.spamcop.net, reject_rbl_client sbl-xbl.spamhaus.org, reject_rbl_client zen.spamhaus.org, reject_rbl_client dnsbl.sorbs.net, reject_rbl_client rhsbl.sorbs.net, reject_rbl_client db.wpbl.info, reject_rbl_client cbl.abuseat.org, reject_rbl_client proxies.blackholes.wirehub.net, reject_rbl_client query.bondedsender.org permit
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unlisted_sender, permit
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /usr/local/etc/ssl/more/server.crt
smtpd_tls_key_file = /usr/local/etc/ssl/more/server.key
smtpd_tls_loglevel = 0
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = no
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:/usr/local/etc/postfix/mysql-virtual-alias-maps.cf
virtual_mailbox_domains = mysql:/usr/local/etc/postfix/mysql-virtual-domains-maps.cf
virtual_mailbox_limit = 5120
virtual_mailbox_maps = mysql:/usr/local/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp




Not sure if I need to post main.cf.  

I have been beating my head against the screen for a week and thought I'd try 
here. Probably some stupid typo or stupid action on my part. Feel free to slap 
me around
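
Added example (not part of any message in this archive, and not Dovecot code): a triage script for the imap-login entries quoted in the messages above, separating TLS alerts received from the client during the handshake (alert 46 is certificate_unknown in the TLS alert registry) from password failures, grouped by rip. The sample log, the alert-name table and all function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address

# Constructed sample lines shaped like the imap-login entries quoted above;
# hostnames, users and addresses (documentation ranges) are made up.
SAMPLE_LOG = """\
Jun  5 18:18:49 mx dovecot[100]: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46 (no auth attempts in 0 secs): user=<>, rip=198.51.100.7, lip=192.0.2.10, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<s1>
Dec 28 22:10:18 mx dovecot[100]: imap-login: Aborted login (auth failed, 1 attempts in 6 secs): user=<alice@example.com>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS, session=<s2>
Dec 28 22:10:19 mx dovecot[100]: imap-login: Aborted login (client didn't finish SASL auth, waited 4 secs): user=<>, method=LOGIN, rip=203.0.113.5, lip=192.0.2.10, TLS, session=<s3>
Dec 28 22:10:19 mx dovecot[100]: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=203.0.113.5, lip=192.0.2.10, TLS: Connection closed, session=<s4>
Dec 28 22:10:24 mx dovecot[100]: imap-login: Aborted login (auth failed, 2 attempts in 6 secs): user=<alice@example.com>, method=LOGIN, rip=203.0.113.5, lip=192.0.2.10, TLS, session=<s5>
Aug 12 12:17:13 mx dovecot[100]: imap-login: Login: user=<bob@example.com>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=29798, TLS, session=<s6>
Aug 12 12:17:20 mx dovecot[100]: imap-login: Aborted login (auth failed, 3 attempts in 9 secs): user=<bob@example.com>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, TLS, session=<s7>
"""

# Certificate-related TLS alert numbers (standard TLS alert codes).
TLS_ALERTS = {42: "bad_certificate", 45: "certificate_expired",
              46: "certificate_unknown", 48: "unknown_ca"}

LINE_RE = re.compile(r"imap-login: (?P<msg>.*)$")
RIP_RE = re.compile(r"\brip=([^,\s]+)")
USER_RE = re.compile(r"\buser=(?:<([^>]*)>)?")  # archive copies may drop <...>
ALERT_RE = re.compile(r"SSL alert number (\d+)")
ATTEMPTS_RE = re.compile(r"auth failed, (\d+) attempts")


def classify(msg):
    """Return (category, detail) for the text after 'imap-login: '."""
    m = ALERT_RE.search(msg)
    if m:  # checked first: handshake failures also say "no auth attempts"
        n = int(m.group(1))
        return "tls_alert", TLS_ALERTS.get(n, "alert_%d" % n)
    m = ATTEMPTS_RE.search(msg)
    if m:
        return "auth_failed", int(m.group(1))
    if "didn't finish SASL auth" in msg:
        return "sasl_incomplete", None
    if "no auth attempts" in msg:
        return "no_auth", None
    if "Login:" in msg:
        return "login_ok", None
    return "other", None


def parse(log_text):
    """Yield one dict per imap-login line; other lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        rip = RIP_RE.search(msg)
        user = USER_RE.search(msg)
        category, detail = classify(msg)
        yield {"rip": rip.group(1) if rip else None,
               "user": (user.group(1) or "") if user else "",
               "category": category, "detail": detail}


def is_loopback(rip):
    """True for 127.0.0.0/8 or ::1; redacted or missing values count as remote."""
    try:
        return ip_address(rip).is_loopback
    except (ValueError, TypeError):
        return False


def triage(log_text, fail_threshold=3):
    """Group events by remote IP and pull out the two cases worth acting on."""
    per_ip = defaultdict(Counter)
    failed_attempts = Counter()
    failed_users = defaultdict(set)
    tls_alerts = defaultdict(set)
    for ev in parse(log_text):
        rip = ev["rip"]
        per_ip[rip][ev["category"]] += 1
        if ev["category"] == "auth_failed":
            failed_attempts[rip] += ev["detail"]
            if ev["user"]:
                failed_users[rip].add(ev["user"])
        elif ev["category"] == "tls_alert":
            tls_alerts[rip].add(ev["detail"])
    return {
        "per_ip": {ip: dict(c) for ip, c in per_ip.items()},
        # Client refused the server certificate: check the cert chain, not passwords.
        "tls_alerts": {ip: sorted(a) for ip, a in tls_alerts.items()},
        "failed_users": {ip: sorted(u) for ip, u in failed_users.items()},
        # Remote addresses whose failed attempts add up to the threshold.
        "repeated_auth_failures": sorted(
            ip for ip, n in failed_attempts.items()
            if n >= fail_threshold and not is_loopback(ip)),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```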

Re: v2.2.27 Panic: file rfc822-parser.h: line 23 (rfc822_parser_deinit): assertion failed: (ctx->data <= ctx->end)

2019-03-28 Thread Jason Lewis via dovecot
Hi Hendrik,

Hendrik Boom via dovecot wrote on 29/3/19 4:03 am:
> On Wed, Mar 27, 2019 at 10:25:02AM +1100, Jason Lewis via dovecot wrote:
>> Hi Aki,
>>
>> debian jessie backports has been moved to archive.debian.org and
>> initially I was unable to install dovecot-dbg because of that. But I've
>> managed to resolve that issue now.
> 
> Just curious -- what deb line did you use in /etc/apt/sources.lst to 
> refer to the archived repositories? 
> 
> -- hendrik
> 


my sources.list:

deb http://deb.debian.org/debian jessie main contrib non-free
deb http://archive.debian.org/debian jessie-backports main contrib non-free
deb  http://security.debian.org jessie/updates main contrib non-free

deb-src http://deb.debian.org/debian jessie   main contrib non-free
deb-src http://archive.debian.org/debian jessie-backports main contrib non-free
deb-src http://security.debian.org jessie/updates main contrib non-free


Jason


-- 
Jason Lewis
http://emacstragic.net


Re: v2.2.27 Panic: file rfc822-parser.h: line 23 (rfc822_parser_deinit): assertion failed: (ctx->data <= ctx->end)

2019-03-28 Thread Jason Lewis via dovecot
After some investigation, it turns out it is non trivial to install
dovecot-dbg on debian jessie.

Sorry I can't investigate further.

Jason

Aki Tuomi wrote on 25/3/19 6:12 pm:
> Can you install dovecot-dbg and try gdb again?
> 
> Aki
> 
> On 25.3.2019 3.20, Jason Lewis via dovecot wrote:
>> Hi,
>>
>> I've been having an issue with the indexer giving me errors on mailbox
>> in dovecot.
>>
>> I managed to narrow it down to a specific email in that mailbox.
>>
>> Various dovecot functions have issues with this email.
>>
>> The email itself is just spam. I can email it to you if you want to
>> analyse it. I did run it through mbox-anonymize but it's not clear to me
>> that that would be of any use. Happy to email the suspect email
>> privately to anyone who wants it.
>>
>> /home is mounted nfs4 and is zfs on the nfs server.
>>
>>
>> Dovecot is installed from Debian Jessie.
>> $ /usr/sbin/dovecot --version
>> 2.2.27 (c0f36b0)
>>
>> dovecot-core:
>>   Installed: 1:2.2.27-3+deb9u2~bpo8+1
>>   Candidate: 1:2.2.27-3+deb9u2~bpo8+1
>>   Version table:
>>  *** 1:2.2.27-3+deb9u2~bpo8+1 0
>> 100 /var/lib/dpkg/status
>>  1:2.2.13-12~deb8u5 0
>> 400 http://security.debian.org/ jessie/updates/main amd64 Packages
>>  1:2.2.13-12~deb8u4 0
>> 400 http://deb.debian.org/debian/ jessie/main amd64 Packages
>>
>>
>> ~# dovecot -n
>> # 2.2.27 (c0f36b0): /etc/dovecot/dovecot.conf
>> # Pigeonhole version 0.4.16 (fed8554)
>> # OS: Linux 4.9.0-0.bpo.6-amd64 x86_64 Debian 8.10
>> imap_hibernate_timeout = 5 secs
>> mail_location = maildir:~/Maildir
>> mail_plugins = fts fts_solr
>> mailbox_list_index = yes
>> namespace inbox {
>>   inbox = yes
>>   location =
>>   mailbox Drafts {
>>     special_use = \Drafts
>>   }
>>   mailbox Junk {
>>     special_use = \Junk
>>   }
>>   mailbox Sent {
>>     special_use = \Sent
>>   }
>>   mailbox "Sent Messages" {
>>     special_use = \Sent
>>   }
>>   mailbox Trash {
>>     special_use = \Trash
>>   }
>>   prefix =
>> }
>> passdb {
>>   driver = pam
>> }
>> plugin {
>>   fts = solr
>>   fts_autoindex = yes
>>   fts_enforced = yes
>>   fts_solr = url=http://10.0.2.19:8080/solr/
>>   imapsieve_mailbox1_before = file:/etc/dovecot/train-as-spam.sieve
>>   imapsieve_mailbox1_causes = COPY
>>   imapsieve_mailbox1_name = Junk
>>   imapsieve_mailbox2_before = file:/etc/dovecot/train-as-ham.sieve
>>   imapsieve_mailbox2_causes = COPY
>>   imapsieve_mailbox2_from = Junk
>>   imapsieve_mailbox2_name = *
>>   sieve = file:~/sieve;active=~/.dovecot.sieve
>>   sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
>>   sieve_pipe_bin_dir = /usr/bin
>>   sieve_plugins = sieve_imapsieve sieve_extprograms
>> }
>> protocols = " imap"
>> service anvil {
>>   client_limit = 1127
>> }
>> service auth {
>>   client_limit = 2200
>>   unix_listener /var/spool/postfix/private/auth {
>>     mode = 0666
>>   }
>> }
>> service imap-hibernate {
>>   unix_listener imap-hibernate {
>>     group = dovecot
>>     mode = 0660
>>   }
>> }
>> service imap-login {
>>   process_limit = 1024
>>   process_min_avail = 12
>>   service_count = 0
>>   vsz_limit = 1 G
>> }
>> service imap {
>>   extra_groups = dovecot
>>   unix_listener imap-master {
>>     user = dovecot
>>   }
>> }
>> ssl_cert = 
>> ssl_key =  # hidden, use -P to show it
>> userdb {
>>   driver = passwd
>> }
>> protocol imap {
>>   mail_max_userip_connections = 20
>>   mail_plugins = fts fts_solr imap_sieve
>> }
>>
>>
>>
>>
>>
>> jason@debian:~$ doveadm -D -f flow fetch imap.envelope mailbox crm-spam.2008.g
>> Debug: Loading modules from directory: /usr/lib/dovecot/modules
>> Debug: Module loaded: /usr/lib/dovecot/modules/lib20_fts_plugin.so
>> Debug: Module loaded: /usr/lib/dovecot/modules/lib21_fts_solr_plugin.so
>> Debug: Loading modules from directory: /usr/lib/dovecot/modules/doveadm
>> Debug: Skipping module doveadm_acl_plugin, because dlopen() failed:
>> /usr/lib/dovecot/modules/doveadm/lib10_doveadm_acl_plugin.so: undefined
>> symbol: acl_user_module (this is usually intentional, so just ignore
>> this message)
>> Debug: Skipping module doveadm_expire_plugin, because dlopen() failed:
>

Re: v2.2.27 Panic: file rfc822-parser.h: line 23 (rfc822_parser_deinit): assertion failed: (ctx->data <= ctx->end)

2019-03-28 Thread Jason Lewis via dovecot
Hi Aki,

debian jessie backports has been moved to archive.debian.org and
initially I was unable to install dovecot-dbg because of that. But I've
managed to resolve that issue now.

This was the command I ran:
doveadm -D -f flow fetch imap.envelope mailbox crm-spam.2008.g

Backtrace follows.

Jason

jason@debian:~$ gdb /usr/bin/doveadm /home/jason/core
GNU gdb (Debian 7.7.1+dfsg-5) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/bin/doveadm...Reading symbols from
/usr/lib/debug/.build-id/8a/e850dc3cde00618eb0c3386b7404fe984c8118.debug...done.
done.
[New LWP 23099]
Core was generated by `/usr/bin/doveadm -D -f flow fetch imap.envelope
mailbox crm-spam.2008.g'.
Program terminated with signal SIGABRT, Aborted.
#0  0x7f3a7bf58067 in __GI_raise (sig=sig@entry=6) at
../nptl/sysdeps/unix/sysv/linux/raise.c:56
56  ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt full
#0  0x7f3a7bf58067 in __GI_raise (sig=sig@entry=6) at
../nptl/sysdeps/unix/sysv/linux/raise.c:56
resultvar = 0
pid = 23099
selftid = 23099
#1  0x7f3a7bf59448 in __GI_abort () at abort.c:89
save_stage = 2
act = {__sigaction_handler = {sa_handler = 0x0, sa_sigaction =
0x0}, sa_mask = {__val = {1024, 93886903596007, 93886903463748,
  139889164438341, 93886903464748, 0, 93886931979560, 513,
12274393185022739456, 93886931979560, 139889168940995, 93886931979560,
  140727948500176, 4294967040, 139889168941353,
93886931979560}}, sa_flags = 2083919594, sa_restorer = 0x7ffdc7615d01}
sigs = {__val = {32, 0 }}
#2  0x7f3a7c3669a6 in default_fatal_finish (type=,
status=status@entry=0) at failures.c:201
backtrace = 0x5563c13acd60
"/usr/lib/dovecot/libdovecot.so.0(+0x989ae) [0x7f3a7c3669ae] ->
/usr/lib/dovecot/libdovecot.so.0(+0x98a28) [0x7f3a7c366a28] ->
/usr/lib/dovecot/libdovecot.so.0(i_fatal+0) [0x7f3a7c2fc67e] ->
/usr/lib/d"...
#3  0x7f3a7c366a28 in default_fatal_handler (ctx=0x7ffdc7615d20,
format=, args=) at failures.c:215
status = 0
#4  0x7f3a7c2fc67e in i_panic (format=format@entry=0x7f3a7c399088
"file %s: line %d (%s): assertion failed: (%s)") at failures.c:275
ctx = {type = LOG_TYPE_PANIC, exit_status = 0, timestamp = 0x0,
timestamp_usecs = 0}
args = {{gp_offset = 40, fp_offset = 48, overflow_arg_area =
0x7ffdc7615e20, reg_save_area = 0x7ffdc7615d60}}
#5  0x7f3a7c34a97d in rfc822_parser_deinit (ctx=0x7ffdc7615e38,
ctx=0x7ffdc7615e38) at rfc822-parser.h:23
No locals.
#6  message_address_parse_real (pool=pool@entry=0x5563c13e75d0,
data=data@entry=0x5563c13f3910 "To: bluef...@dickson.st,
ja...@dickson.st, lewisja...@dickson.st, 05 Jul 2008 16:39:47 -0500
PDT6Q--q=dns; c=nofws;d sender)
smtp.mail=matt_coo...@postnewsweektech.com; domainkeys=pass (test mode)
hea"..., size=size@entry=64,
max_addresses=max_addresses@entry=4294967295,
fill_missing=fill_missing@entry=true) at message-address.c:323
ctx = {pool = 0x5563c13e75d0, parser = {
data = 0x5563c13f3951 " 05 Jul 2008 16:39:47 -0500
PDT6Q--q=dns; c=nofws;d sender)
smtp.mail=matt_coo...@postnewsweektech.com; domainkeys=pass (test mode)
header.From=matt_coo...@postnewsweektech.com",
end = 0x5563c13f3950 ", 05 Jul 2008 16:39:47 -0500
PDT6Q--q=dns; c=nofws;d sender)
smtp.mail=matt_coo...@postnewsweektech.com; domainkeys=pass (test mode)
header.From=matt_coo...@postnewsweektech.com", last_comment =
0x5563c13acb78}, first_addr = 0x5563c13e7910,
  last_addr = 0x5563c13e7a28, addr = {next = 0x0, name = 0x0,
route = 0x0, mailbox = 0x0, domain = 0x0, invalid_syntax = false},
  str = 0x5563c13acc50, fill_missing = true}
#7  0x7f3a7c34a9e5 in message_address_parse
(pool=pool@entry=0x5563c13e75d0,
data=0x5563c13f3910 "To: bluef...@dickson.st, ja...@dickson.st,
lewisja...@dickson.st, 05 Jul 2008 16:39:47 -0500 PDT6Q--q=dns;
c=nofws;d sen---Type  to continue, or q  to quit---
der) smtp.mail=matt_coo...@postnewsweektech.com; domainkeys=pass (test
mode) hea"..., size=64, max_addresses=max_addresses@entry=4294967295,
fill_missing=fill_missing@entry=true) at message-address.

Re: v2.2.27 Panic: file rfc822-parser.h: line 23 (rfc822_parser_deinit): assertion failed: (ctx->data <= ctx->end)

2019-03-28 Thread Jason Lewis via dovecot
Thanks Timo.

Given the age of these dovecot packages, and this being on debian
oldstable, what should we do next? I'm inclined to just delete the email
in question and move on.

Jason

Timo Sirainen wrote on 28/3/19 12:16 am:
> On 27 Mar 2019, at 1.25, Jason Lewis via dovecot  wrote:
>>
>> Hi Aki,
>>
>> debian jessie backports has been moved to archive.debian.org and
>> initially I was unable to install dovecot-dbg because of that. But I've
>> managed to resolve that issue now.
>>
>> This was the command I ran:
>> doveadm -D -f flow fetch imap.envelope mailbox crm-spam.2008.g
>>
>> Backtrace follows.
> 
> I've a feeling Debian's security fix backports didn't work properly:
> 
>> #5  0x7f3a7c34a97d in rfc822_parser_deinit (ctx=0x7ffdc7615e38,
>> ctx=0x7ffdc7615e38) at rfc822-parser.h:23
> 
> rfc822_parser_deinit() wasn't added until v2.2.31. I think it was added as 
> part of a security fix.
> 
>>data=data@entry=0x5563c13f3910 "To: bluef...@dickson.st,
>> ja...@dickson.st, lewisja...@dickson.st, 05 Jul 2008 16:39:47 -0500
>> PDT6Q--q=dns; c=nofws;d sender)
>> smtp.mail=matt_coo...@postnewsweektech.com; domainkeys=pass (test mode)
>> hea"..., size=size@entry=64,
> 
> I tried fetching a mail with these contents in v2.2.27, v2.2.33 and master. 
> They all worked fine.
> 

-- 
Jason Lewis
http://emacstragic.net


v2.2.27 Panic: file rfc822-parser.h: line 23 (rfc822_parser_deinit): assertion failed: (ctx->data <= ctx->end)

2019-03-24 Thread Jason Lewis via dovecot
Hi,

I've been having an issue with the indexer giving me errors on mailbox
in dovecot.

I managed to narrow it down to a specific email in that mailbox.

Various dovecot functions have issues with this email.

The email itself is just spam. I can email it to you if you want to
analyse it. I did run it through mbox-anonymize but it's not clear to me
that that would be of any use. Happy to email the suspect email
privately to anyone who wants it.

/home is mounted nfs4 and is zfs on the nfs server.


Dovecot is installed from Debian Jessie.
$ /usr/sbin/dovecot --version
2.2.27 (c0f36b0)

dovecot-core:
  Installed: 1:2.2.27-3+deb9u2~bpo8+1
  Candidate: 1:2.2.27-3+deb9u2~bpo8+1
  Version table:
 *** 1:2.2.27-3+deb9u2~bpo8+1 0
100 /var/lib/dpkg/status
 1:2.2.13-12~deb8u5 0
400 http://security.debian.org/ jessie/updates/main amd64 Packages
 1:2.2.13-12~deb8u4 0
400 http://deb.debian.org/debian/ jessie/main amd64 Packages


~# dovecot -n
# 2.2.27 (c0f36b0): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.16 (fed8554)
# OS: Linux 4.9.0-0.bpo.6-amd64 x86_64 Debian 8.10
imap_hibernate_timeout = 5 secs
mail_location = maildir:~/Maildir
mail_plugins = fts fts_solr
mailbox_list_index = yes
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
plugin {
  fts = solr
  fts_autoindex = yes
  fts_enforced = yes
  fts_solr = url=http://10.0.2.19:8080/solr/
  imapsieve_mailbox1_before = file:/etc/dovecot/train-as-spam.sieve
  imapsieve_mailbox1_causes = COPY
  imapsieve_mailbox1_name = Junk
  imapsieve_mailbox2_before = file:/etc/dovecot/train-as-ham.sieve
  imapsieve_mailbox2_causes = COPY
  imapsieve_mailbox2_from = Junk
  imapsieve_mailbox2_name = *
  sieve = file:~/sieve;active=~/.dovecot.sieve
  sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
  sieve_pipe_bin_dir = /usr/bin
  sieve_plugins = sieve_imapsieve sieve_extprograms
}
protocols = " imap"
service anvil {
  client_limit = 1127
}
service auth {
  client_limit = 2200
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
  }
}
service imap-hibernate {
  unix_listener imap-hibernate {
    group = dovecot
    mode = 0660
  }
}
service imap-login {
  process_limit = 1024
  process_min_avail = 12
  service_count = 0
  vsz_limit = 1 G
}
service imap {
  extra_groups = dovecot
  unix_listener imap-master {
    user = dovecot
  }
}
ssl_cert = data <= ctx->end)
doveadm(jason): Error: Raw backtrace:
/usr/lib/dovecot/libdovecot.so.0(+0x989ae) [0x7f170b1389ae] ->
/usr/lib/dovecot/libdovecot.so.0(+0x98a28) [0x7f170b138a28] ->
/usr/lib/dovecot/libdovecot.so.0(i_fatal+0) [0x7f170b0ce67e] ->
/usr/lib/dovecot/libdovecot.so.0(+0x7c97d) [0x7f170b11c97d] ->
/usr/lib/dovecot/libdovecot.so.0(message_address_parse+0x55)
[0x7f170b11c9e5] ->
/usr/lib/dovecot/libdovecot.so.0(imap_envelope_parse_header+0x144)
[0x7f170b110374] ->
/usr/lib/dovecot/libdovecot-storage.so.0(index_mail_parse_header+0xfe)
[0x7f170b47422e] -> /usr/lib/dovecot/libdovecot.so.0(+0x7979f)
[0x7f170b11979f] -> /usr/lib/dovecot/libdovecot.so.0(i_stream_read+0x53)
[0x7f170b1437e3] ->
/usr/lib/dovecot/libdovecot.so.0(i_stream_read_data+0x3d)
[0x7f170b14422d] ->
/usr/lib/dovecot/libdovecot.so.0(message_parse_header_next+0x72)
[0x7f170b11f3d2] ->
/usr/lib/dovecot/libdovecot.so.0(message_parse_header+0x4f)
[0x7f170b11fd7f] ->
/usr/lib/dovecot/libdovecot-storage.so.0(index_mail_headers_get_envelope+0x138)
[0x7f170b475448] ->
/usr/lib/dovecot/libdovecot-storage.so.0(index_mail_get_special+0x1a1)
[0x7f170b4796c1] -> /usr/lib/dovecot/libdovecot-storage.so.0(+0x69dd3)
[0x7f170b42fdd3] ->
/usr/lib/dovecot/libdovecot-storage.so.0(mail_get_special+0xd)
[0x7f170b400a8d] -> /usr/bin/doveadm(+0x2dca8) [0x562378dd4ca8] ->
/usr/bin/doveadm(+0x2ed7e) [0x562378dd5d7e] ->
/usr/bin/doveadm(+0x2a57c) [0x562378dd157c] ->
/usr/bin/doveadm(+0x2b0da) [0x562378dd20da] ->
/usr/bin/doveadm(doveadm_cmd_ver2_to_mail_cmd_wrapper+0x21f)
[0x562378dd2f5f] -> /usr/bin/doveadm(doveadm_cmd_run_ver2+0x560)
[0x562378de2390] -> /usr/bin/doveadm(doveadm_cmd_try_run_ver2+0x37)
[0x562378de23e7] -> /usr/bin/doveadm(main+0x1e4) [0x562378dc1f44] ->
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5) [0x7f170ad16b45]
-> /usr/bin/doveadm(+0x1b32c) [0x562378dc232c]
Aborted (core dumped)


jason@debian:~$ gdb /usr/bin/doveadm /home/jason/core
GNU gdb (Debian 7.7.1+dfsg-5) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Re: Issue sharing folders with Thunderbird

2018-11-17 Thread Jason Perry
Hi, 

Circling back around on this project.  I hadn’t seen any replies but below is 
where I’m stuck.  Any help would be much appreciated.  

Thanks!
Jason


> On Sep 10, 2018, at 8:08 PM, Jason Perry  wrote:
> 
> Hi Aki I see what you are saying, and no I don’t believe so.  I’m using 
> typical /etc/passwd for the user db.  I reviewed 
> https://wiki.dovecot.org/UserDatabase/ExtraFields but I’m not clear on how 
> to actually return system_user userdb attribute.
> 
> I also have set mail_user_groups = sharedusers in dovecot.conf and then in 
> /etc/group put all the users with mailboxes into the sharedusers group.  I 
> can see why that wouldn’t work if the above is not set.  Can you point me in 
> the right direction on how to pass that information?
> 
> Thanks!
> 
>> On Aug 28, 2018, at 12:40 AM, Aki Tuomi <aki.tu...@dovecot.fi> wrote:
>> 
>> Are you returning system_user userdb attribute? Extra groups from /etc/group 
>> are not applied without this.
>> 
>> ---
>> Aki Tuomi
>> Dovecot oy
>> 
>>  Original message 
>> From: Jason Perry <jason.pe...@dtainc.us>
>> Date: 28/08/2018 04:27 (GMT+02:00)
>> To: Aki Tuomi <aki.tu...@dovecot.fi>
>> Cc: dovecot@dovecot.org
>> Subject: Re: Issue sharing folders with Thunderbird
>> 
>> Hi Aki, they are.
>> 
>>> 3. The permissions for the file are:
>>> [root@dal-notify-01 Maildir]# ls -la /var/lib/dovecot/db/shared-mailboxes.db
>>> -rw-rw-r--. 1 operations sharedusers 197 Aug 26 20:33 /var/lib/dovecot/db/shared-mailboxes.db
>>> 4. Users I'm testing with are part of the sharedusers group in /etc/group
>> 
>> The dir /var/lib/dovecot/db has this for permissions:
>> drwsrwsrwx.  2 root sharedusers   33 Aug 27 21:12 db
>> 
>> the user operations is a member of “sharedusers” in /etc/group.  I even 
>> chmod’ed the permissions after to rw for global and I get the same 
>> error/result.
>> 
>> The file does appear to get written to.  For example, lets say user u2.name 
>> creates a folder called “starbucks” and uses the IMAP commands to share it 
>> out to user operations.  It seems to write to the acl_shared_dict file in 
>> /var/lib/dovecot/db/shared-mailboxes.db with an entry like
>>> shared/shared-boxes/user/u2.name/operations
>>> 1
>> 
>> And it writes to the ~/Maildir/.starbucks/dovecot-acl file for u2.user with 
>> an entry like:
>> user=operations lrw
>> 
>> So it appears to be working.  However, if I log into Thunderbird with the 
>> user operations account and go to subscribe, I do not see “starbucks” in the 
>> list of available folders.  And I still get the nfs_flush_chown error.
>> 
>> Is there anything else I can be doing with the file/dir permissions?
>> 
>> Thanks.
>> 
>> 
>>> On Aug 27, 2018, at 10:50 AM, Aki Tuomi <mailto:aki.tu...@dovecot.fi> wrote:
>>> 
>>> acl_shared_dict file & folder must be readwritable by user performing the 
>>> sharing as stated in wiki.
>>> 
>>> https://wiki.dovecot.org/SharedMailboxes/Shared 
>>> <https://wiki.dovecot.org/SharedMailboxes/Shared>
>>> ---
>>> Aki Tuomi
>>> Dovecot oy
>>> 
>>>  Original message 
>>> From: Jason Perry <mailto:jason.pe...@dtainc.us>
>>> Date: 27/08/2018 17:01 (GMT+02:00)
>>> To: dovecot@dovecot.org <mailto:dovecot@dovecot.org>
>>> Subject: Issue sharing folders with Thunderbird
>>> 
>>> Trying to share folder "JasonAlerts" within mailbox operations to user 
>>> u1.name
>>>  
>>> Issues:
>>> 1. Shared mailboxes do not appear under subscriptions in Thunderbird for 
>>> another user
>>> 2. When I try to set permissions via IMAP commands I get in 
>>> /var/log/dovecot.log
>>> Aug 26 20:33:24 imap(operations): Error: nfs_flush_chown_uid: 
>>> chown(/var/lib/dovecot/db) failed: Permission denied
>>> 3. The permissions for the file are:
>>> root@dal-notify-01 Maildir]# ls -la /var/lib/dovecot/db/shared-mailboxes.db
>>> -rw-rw-r--. 1 operations sharedusers 197 Aug 26 20:33 
>>> /var/lib/dovecot/db/shared-mailboxes.db
>>> 4. Users I'm testing with are part of the sharedusers group in /etc/group
>>> 5. IMAP commands DO write to the file:
>>> [root@dal-notify-01 Maildir]# cat /var/lib/dovecot/db/shar

Re: Issue sharing folders with Thunderbird

2018-09-10 Thread Jason Perry
Hi Aki I see what you are saying, and no I don’t believe so.  I’m using typical 
/etc/passwd for the user db.  I reviewed 
https://wiki.dovecot.org/UserDatabase/ExtraFields 
<https://wiki.dovecot.org/UserDatabase/ExtraFields> but I’m not clear on how to 
actually return system_user userdb attribute.

I also have set mail_user_groups = sharedusers in dovecot.conf and then in 
/etc/group put all the users with mailboxes into the sharedusers group.  I can 
see why that wouldn’t work if the above is not set.  Can you point me in the 
right direction on how to pass that information?

Thanks!

> On Aug 28, 2018, at 12:40 AM, Aki Tuomi  wrote:
> 
> Are you returning system_user userdb attribute? Extra groups from /etc/group 
> are not applied without this.
> 
> ---
> Aki Tuomi
> Dovecot oy
> 
> ---- Original message 
> From: Jason Perry 
> Date: 28/08/2018 04:27 (GMT+02:00)
> To: Aki Tuomi 
> Cc: dovecot@dovecot.org
> Subject: Re: Issue sharing folders with Thunderbird
> 
> Hi Aki, they are.
> 
>> 3. The permissions for the file are:
>> root@dal-notify-01 Maildir]# ls -la /var/lib/dovecot/db/shared-mailboxes.db
>> -rw-rw-r--. 1 operations sharedusers 197 Aug 26 20:33 
>> /var/lib/dovecot/db/shared-mailboxes.db
>> 4. Users I'm testing with are part of the sharedusers group in /etc/group
> 
> The dir /var/lib/dovecot/db has this for permissions:
> drwsrwsrwx.  2 root sharedusers   33 Aug 27 21:12 db
> 
> the user operations is a member of “sharedusers” in /etc/group.  I even 
> chmod’ed the permissions after to rw for global and I get the same 
> error/result.
> 
> The file does appear to get written to.  For example, lets say user u2.name 
> creates a folder called “starbucks” and uses the IMAP commands to share it 
> out to user operations.  It seems to write to the acl_shared_dict file in 
> /var/lib/dovecot/db/shared-mailboxes.db with an entry like
>> shared/shared-boxes/user/u2.name/operations
>> 1
> 
> And it writes to the ~/Maildir/.starbucks/dovecot-acl file for u2.user with 
> an entry like:
> user=operations lrw
> 
> So it appears to be working.  However, if I log into Thunderbird with the 
> user operations account and go to subscribe, I do not see “starbucks” in the 
> list of available folders.  And I still get the nfs_flush_chown error.
> 
> Is there anything else I can be doing with the file/dir permissions?
> 
> Thanks.
> 
> 
>> On Aug 27, 2018, at 10:50 AM, Aki Tuomi <mailto:aki.tu...@dovecot.fi> wrote:
>> 
>> acl_shared_dict file & folder must be readwritable by user performing the 
>> sharing as stated in wiki.
>> 
>> https://wiki.dovecot.org/SharedMailboxes/Shared 
>> <https://wiki.dovecot.org/SharedMailboxes/Shared>
>> ---
>> Aki Tuomi
>> Dovecot oy
>> 
>>  Original message 
>> From: Jason Perry <mailto:jason.pe...@dtainc.us>
>> Date: 27/08/2018 17:01 (GMT+02:00)
>> To: dovecot@dovecot.org <mailto:dovecot@dovecot.org>
>> Subject: Issue sharing folders with Thunderbird
>> 
>> Trying to share folder "JasonAlerts" within mailbox operations to user 
>> u1.name
>>  
>> Issues:
>> 1. Shared mailboxes do not appear under subscriptions in Thunderbird for 
>> another user
>> 2. When I try to set permissions via IMAP commands I get in 
>> /var/log/dovecot.log
>> Aug 26 20:33:24 imap(operations): Error: nfs_flush_chown_uid: 
>> chown(/var/lib/dovecot/db) failed: Permission denied
>> 3. The permissions for the file are:
>> root@dal-notify-01 Maildir]# ls -la /var/lib/dovecot/db/shared-mailboxes.db
>> -rw-rw-r--. 1 operations sharedusers 197 Aug 26 20:33 
>> /var/lib/dovecot/db/shared-mailboxes.db
>> 4. Users I'm testing with are part of the sharedusers group in /etc/group
>> 5. IMAP commands DO write to the file:
>> [root@dal-notify-01 Maildir]# cat /var/lib/dovecot/db/shared-mailboxes.db
>> shared/shared-boxes/user/u1.name/u2.name
>> 1
>> shared/shared-boxes/user/operations/u2.name
>> 1
>> shared/shared-boxes/user/u1.name/operations
>> 1
>> shared/shared-boxes/user/u1.name/operations
>> 1
>> 6. It will also write to the user's 
>> /home/operations/Maildir/.JasonAlert/dovecot-acl file
>> user=u1.name ilrw
>>  
>> However if I got into Thunderbird and try to subscribe, none of the shared 
>> folders are listed.  Can anyone help??  Thanks!!
>>  
>> Dovecot version = 2.2.10
>>  
>> dovecot -n
>> [root@server]# dovecot -n
>> # 2.2.10: /etc/dovecot/dovecot.conf
>> # OS: Linux 3.10.0-693.17.1.el7.x86_64 x86_64 CentOS Li
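
How the group question raised in this message plays out on the `ls` listings quoted in the thread, as an added Python example that is not part of any post: it evaluates the quoted modes for a process with and without the `sharedusers` supplementary group. The numeric uids and gids, the one-private-group-per-user layout and the tighter `drwxrws---` directory mode are assumptions for illustration.

```python
import stat

SPECIAL = (stat.S_ISUID, stat.S_ISGID, stat.S_ISVTX)  # per triad: user, group, other


def parse_ls_mode(text):
    """Convert an `ls -l` mode string such as 'drwsrwsrwx.' to permission bits."""
    text = text.rstrip(".+@")  # trailing SELinux / ACL / xattr marker
    if len(text) != 10:
        raise ValueError(f"not an ls mode string: {text!r}")
    bits = 0
    for triad in range(3):
        r, w, x = text[1 + 3 * triad:4 + 3 * triad]
        shift = 6 - 3 * triad
        if r == "r":
            bits |= 4 << shift
        if w == "w":
            bits |= 2 << shift
        if x in "xst":        # lowercase s/t means execute plus the special bit
            bits |= 1 << shift
        if x in "sStT":
            bits |= SPECIAL[triad]
    return bits


def granted(obj, uid, gids):
    """rwx bits (0-7) a non-root process gets on obj = (mode, owner_uid, owner_gid)."""
    mode, owner_uid, owner_gid = obj
    if uid == owner_uid:
        return (mode >> 6) & 7
    if owner_gid in gids:
        return (mode >> 3) & 7
    return mode & 7


def dict_access(uid, gids, directory, dict_file):
    """What a mail process may do to the acl_shared_dict file and its directory."""
    d = granted(directory, uid, gids)
    f = granted(dict_file, uid, gids)
    return {
        "write_file": bool(f & 2) and bool(d & 1),  # open the existing file for writing
        "modify_dir": (d & 3) == 3,                 # create, rename or delete entries
    }


def findings(mode):
    """Flag directory mode bits that are looser than group sharing needs."""
    issues = []
    if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
        issues.append("world-writable without sticky bit")
    if mode & stat.S_ISUID:
        issues.append("setuid bit set")
    return issues


# Constructed ids; only the mode strings and owner/group names come from the thread.
ROOT, OPERATIONS, U1_NAME, SHAREDUSERS = 0, 1001, 1002, 2000
DB_DIR = (parse_ls_mode("drwsrwsrwx."), ROOT, SHAREDUSERS)
DB_FILE = (parse_ls_mode("-rw-rw-r--."), OPERATIONS, SHAREDUSERS)
TIGHT_DIR = (parse_ls_mode("drwxrws---"), ROOT, SHAREDUSERS)  # assumed alternative

if __name__ == "__main__":
    cases = (("primary group only", {U1_NAME}),
             ("with sharedusers", {U1_NAME, SHAREDUSERS}))
    for label, gids in cases:
        print(label,
              "| as posted:", dict_access(U1_NAME, gids, DB_DIR, DB_FILE),
              "| tightened:", dict_access(U1_NAME, gids, TIGHT_DIR, DB_FILE))
    print("directory as posted:", findings(DB_DIR[0]))
```

With only its primary group, the sharing user falls into the "other" class on both objects: the file is read-only for it, while the world-writable directory still lets it create or replace entries.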

Re: Issue sharing folders with Thunderbird

2018-08-27 Thread Jason Perry
Hi Aki, they are.

> 3. The permissions for the file are:
> root@dal-notify-01 Maildir]# ls -la /var/lib/dovecot/db/shared-mailboxes.db
> -rw-rw-r--. 1 operations sharedusers 197 Aug 26 20:33 
> /var/lib/dovecot/db/shared-mailboxes.db
> 4. Users I'm testing with are part of the sharedusers group in /etc/group

The dir /var/lib/dovecot/db has this for permissions:
drwsrwsrwx.  2 root sharedusers   33 Aug 27 21:12 db

the user operations is a member of “sharedusers” in /etc/group.  I even 
chmod’ed the permissions after to rw for global and I get the same error/result.

The file does appear to get written to.  For example, let's say user u2.name 
creates a folder called “starbucks” and uses the IMAP commands to share it out 
to user operations.  It seems to write to the acl_shared_dict file in 
/var/lib/dovecot/db/shared-mailboxes.db with an entry like
> shared/shared-boxes/user/u2.name/operations
> 1

And it writes to the ~/Maildir/.starbucks/dovecot-acl file for u2.user with an 
entry like:
user=operations lrw

So it appears to be working.  However, if I log into Thunderbird with the user 
operations account and go to subscribe, I do not see “starbucks” in the list of 
available folders.  And I still get the nfs_flush_chown error.

Is there anything else I can be doing with the file/dir permissions?

Thanks.


> On Aug 27, 2018, at 10:50 AM, Aki Tuomi  wrote:
> 
> acl_shared_dict file & folder must be readwritable by user performing the 
> sharing as stated in wiki.
> 
> https://wiki.dovecot.org/SharedMailboxes/Shared
> ---
> Aki Tuomi
> Dovecot oy
> 
>  Original message 
> From: Jason Perry 
> Date: 27/08/2018 17:01 (GMT+02:00)
> To: dovecot@dovecot.org
> Subject: Issue sharing folders with Thunderbird
> 
> Trying to share folder "JasonAlerts" within mailbox operations to user u1.name
>  
> Issues:
> 1. Shared mailboxes do not appear under subscriptions in Thunderbird for 
> another user
> 2. When I try to set permissions via IMAP commands I get in 
> /var/log/dovecot.log
> Aug 26 20:33:24 imap(operations): Error: nfs_flush_chown_uid: 
> chown(/var/lib/dovecot/db) failed: Permission denied
> 3. The permissions for the file are:
> root@dal-notify-01 Maildir]# ls -la /var/lib/dovecot/db/shared-mailboxes.db
> -rw-rw-r--. 1 operations sharedusers 197 Aug 26 20:33 
> /var/lib/dovecot/db/shared-mailboxes.db
> 4. Users I'm testing with are part of the sharedusers group in /etc/group
> 5. IMAP commands DO write to the file:
> [root@dal-notify-01 Maildir]# cat /var/lib/dovecot/db/shared-mailboxes.db
> shared/shared-boxes/user/u1.name/u2.name
> 1
> shared/shared-boxes/user/operations/u2.name
> 1
> shared/shared-boxes/user/u1.name/operations
> 1
> shared/shared-boxes/user/u1.name/operations
> 1
> 6. It will also write to the user's 
> /home/operations/Maildir/.JasonAlert/dovecot-acl file
> user=u1.name ilrw
>  
> However if I got into Thunderbird and try to subscribe, none of the shared 
> folders are listed.  Can anyone help??  Thanks!!
>  
> Dovecot version = 2.2.10
>  
> dovecot -n
> [root@server]# dovecot -n
> # 2.2.10: /etc/dovecot/dovecot.conf
> # OS: Linux 3.10.0-693.17.1.el7.x86_64 x86_64 CentOS Linux release 7.4.1708 
> (Core)
> first_valid_uid = 100
> listen = *
> log_path = /var/log/dovecot.log
> mail_debug = yes
> mail_location = maildir:~/Maildir
> mail_plugins = acl
> mail_privileged_group = mail
> mbox_write_locks = fcntl
> namespace Private {
>   hidden = no
>   inbox = no
>   list = no
>   location =
>   prefix = Private/
>   separator = /
>   type = private
> }
> namespace Public {
>   hidden = no
>   inbox = no
>   list = no
>   location = maildir:/var/mail/public
>   prefix = Public/
>   separator = /
>   subscriptions = yes
>   type = public
> }
> namespace Shared {
>   hidden = no
>   inbox = no
>   list = yes
>   location = maildir:/var/mail/%u:INDEXPVT=~/Maildir/%u
>   prefix = shared/%u/
>   separator = /
>   subscriptions = yes
>   type = shared
> }
> namespace inbox {
>   inbox = yes
>   location =
>   mailbox Drafts {
>     special_use = \Drafts
>   }
>   mailbox Junk {
>     special_use = \Junk
>   }
>   mailbox Sent {
>     special_use = \Sent
>   }
>   mailbox "Sent Messages" {
>     special_use = \Sent
>   }
>   mailbox Trash {
>     special_use = \Trash
>   }
>   prefix =
>   separator = /
> }
> passdb {
>   driver = pam
> }
> passdb {
>   driver = pam
> }
> plugin {
>   acl = vfile
>   acl_shared_dict = file:/var/lib/dovecot/db/shared-mailboxes.db 
> 
> }
> protocols = imap
> ssl_cert = 
> ssl_key = 
> syslog_facility = local2
> userdb {
>   driver = passwd
> }
> userdb {
>   driver = passwd
> }
> protocol imap {
>   mail_plugins = acl imap_acl
> }


Issue sharing folders with Thunderbird

2018-08-27 Thread Jason Perry
Trying to share folder "JasonAlerts" within mailbox operations to user u1.name
 
Issues:
1. Shared mailboxes do not appear under subscriptions in Thunderbird for 
another user
2. When I try to set permissions via IMAP commands I get in /var/log/dovecot.log
Aug 26 20:33:24 imap(operations): Error: nfs_flush_chown_uid: 
chown(/var/lib/dovecot/db) failed: Permission denied
3. The permissions for the file are:
root@dal-notify-01 Maildir]# ls -la /var/lib/dovecot/db/shared-mailboxes.db
-rw-rw-r--. 1 operations sharedusers 197 Aug 26 20:33 
/var/lib/dovecot/db/shared-mailboxes.db
4. Users I'm testing with are part of the sharedusers group in /etc/group
5. IMAP commands DO write to the file:
[root@dal-notify-01 Maildir]# cat /var/lib/dovecot/db/shared-mailboxes.db
shared/shared-boxes/user/u1.name/u2.name
1
shared/shared-boxes/user/operations/u2.name
1
shared/shared-boxes/user/u1.name/operations
1
shared/shared-boxes/user/u1.name/operations
1
6. It will also write to the user's 
/home/operations/Maildir/.JasonAlert/dovecot-acl file
user=u1.name ilrw
 
However if I go into Thunderbird and try to subscribe, none of the shared 
folders are listed.  Can anyone help??  Thanks!!
 
Dovecot version = 2.2.10
 
dovecot -n
[root@server]# dovecot -n
# 2.2.10: /etc/dovecot/dovecot.conf
# OS: Linux 3.10.0-693.17.1.el7.x86_64 x86_64 CentOS Linux release 7.4.1708 
(Core)
first_valid_uid = 100
listen = *
log_path = /var/log/dovecot.log
mail_debug = yes
mail_location = maildir:~/Maildir
mail_plugins = acl
mail_privileged_group = mail
mbox_write_locks = fcntl
namespace Private {
  hidden = no
  inbox = no
  list = no
  location =
  prefix = Private/
  separator = /
  type = private
}
namespace Public {
  hidden = no
  inbox = no
  list = no
  location = maildir:/var/mail/public
  prefix = Public/
  separator = /
  subscriptions = yes
  type = public
}
namespace Shared {
  hidden = no
  inbox = no
  list = yes
  location = maildir:/var/mail/%u:INDEXPVT=~/Maildir/%u
  prefix = shared/%u/
  separator = /
  subscriptions = yes
  type = shared
}
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
  separator = /
}
passdb {
  driver = pam
}
passdb {
  driver = pam
}
plugin {
  acl = vfile
  acl_shared_dict = file:/var/lib/dovecot/db/shared-mailboxes.db 

}
protocols = imap
ssl_cert = 

Re: Dovecot 2.3.0 imap-login using 100% CPU

2018-01-10 Thread Jason Kiniry
We were able to obtain a better backtrace:

0x7f4b303b5af5 in clients_notify_auth_connected () at 
client-common-auth.c:839
839 if (!client_does_custom_io(client) && 
client->input_blocked) {
(gdb) run

Thank you!

Regards,

Jason Kiniry

> On Jan 10, 2018, at 4:28 PM, Jason Kiniry  wrote:
> 
> When in the process of testing out the 2.3.0 version of Dovecot, we noticed 
> that on a busy server, imap-login can sometimes take 100% CPU and remain 
> there indefinitely. We grabbed a gdb trace while it was happening:
> 
> dovenull 36053 31.2  0.0  60460 17316 ?R04:38  11:55 
> dovecot/imap-login
> root@server [~]# strace -p 36053
> Process 36053 attached
> ^CProcess 36053 detached
> root@server [~]# gdb 
> atGNU gdb (GDB) Red Hat Enterprise Linux (7.2-92.el6)
> Copyright (C) 2010 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
> and "show warranty" for details.
> This GDB was configured as "x86_64-redhat-linux-gnu".
> For bug reporting instructions, please see:
> <http://www.gnu.org/software/gdb/bugs/>.
> (gdb) attach 36053
> Attaching to process 36053
> Reading symbols from /usr/libexec/dovecot/imap-login...done.
> Reading symbols from /usr/lib64/dovecot/libdovecot-login.so.0...done.
> Loaded symbols for /usr/lib64/dovecot/libdovecot-login.so.0
> Reading symbols from /usr/lib64/dovecot/libdovecot.so.0...done.
> Loaded symbols for /usr/lib64/dovecot/libdovecot.so.0
> Reading symbols from /lib64/libc.so.6...(no debugging symbols found)...done.
> Loaded symbols for /lib64/libc.so.6
> Reading symbols from /usr/lib64/libssl.so.10...(no debugging symbols 
> found)...done.
> Loaded symbols for /usr/lib64/libssl.so.10
> Reading symbols from /usr/lib64/libcrypto.so.10...(no debugging symbols 
> found)...done.
> Loaded symbols for /usr/lib64/libcrypto.so.10
> Reading symbols from /lib64/librt.so.1...(no debugging symbols found)...done.
> Loaded symbols for /lib64/librt.so.1
> Reading symbols from /lib64/libdl.so.2...(no debugging symbols found)...done.
> Loaded symbols for /lib64/libdl.so.2
> Reading symbols from /lib64/ld-linux-x86-64.so.2...(no debugging symbols 
> found)...done.
> Loaded symbols for /lib64/ld-linux-x86-64.so.2
> Reading symbols from /lib64/libgssapi_krb5.so.2...(no debugging symbols 
> found)...done.
> Loaded symbols for /lib64/libgssapi_krb5.so.2
> Reading symbols from /lib64/libkrb5.so.3...(no debugging symbols 
> found)...done.
> Loaded symbols for /lib64/libkrb5.so.3
> Reading symbols from /lib64/libcom_err.so.2...(no debugging symbols 
> found)...done.
> Loaded symbols for /lib64/libcom_err.so.2
> Reading symbols from /lib64/libk5crypto.so.3...(no debugging symbols 
> found)...done.
> Loaded symbols for /lib64/libk5crypto.so.3
> Reading symbols from /lib64/libz.so.1...(no debugging symbols found)...done.
> Loaded symbols for /lib64/libz.so.1
> Reading symbols from /lib64/libpthread.so.0...(no debugging symbols 
> found)...done.
> [Thread debugging using libthread_db enabled]
> Loaded symbols for /lib64/libpthread.so.0
> Reading symbols from /lib64/libkrb5support.so.0...(no debugging symbols 
> found)...done.
> Loaded symbols for /lib64/libkrb5support.so.0
> Reading symbols from /lib64/libkeyutils.so.1...(no debugging symbols 
> found)...done.
> Loaded symbols for /lib64/libkeyutils.so.1
> Reading symbols from /lib64/libresolv.so.2...(no debugging symbols 
> found)...done.
> Loaded symbols for /lib64/libresolv.so.2
> Reading symbols from /lib64/libselinux.so.1...(no debugging symbols 
> found)...done.
> Loaded symbols for /lib64/libselinux.so.1
> Reading symbols from /usr/lib64/dovecot/libssl_iostream_openssl.so...done.
> Loaded symbols for /usr/lib64/dovecot/libssl_iostream_openssl.so
> 0x7f758fb8dd18 in client_notify_auth_ready@plt () from 
> /usr/lib64/dovecot/libdovecot-login.so.0
> Missing separate debuginfos, use: debuginfo-install 
> dovecot-2.3.0-4.cp1162.x86_64
> (gdb) back
> #0  0x7f758fb8dd18 in client_notify_auth_ready@plt () from 
> /usr/lib64/dovecot/libdovecot-login.so.0
> #1  0x7f758fb90af0 in clients_notify_auth_connected () at 
> client-common-auth.c:837
> #2  0x7f758f8cfc04 in auth_server_input_done (conn=0x7f7591911838) at 
> auth-server-connection.c:127
> #3  auth_server_connection_input_line (conn=0x7f7591911838) at 
> auth-server-connection.c:229
> #4  auth_server_connection_input (conn=0x7f7591911838) at 
> auth-server-connection.c:281
> #5  0x7f758f8f5e35 in io_loop_call_io (io=0x7f7592

Dovecot 2.3.0 imap-login using 100% CPU

2018-01-10 Thread Jason Kiniry
nterrupt.
client_notify_auth_ready (client=0x7f7592775140) at client-common.c:1031
1031client-common.c: No such file or directory.
in client-common.c
(gdb) back
#0  client_notify_auth_ready (client=0x7f7592775140) at client-common.c:1031
#1  0x7f758fb90af0 in clients_notify_auth_connected () at 
client-common-auth.c:837
#2  0x7f758f8cfc04 in auth_server_input_done (conn=0x7f7591911838) at 
auth-server-connection.c:127
#3  auth_server_connection_input_line (conn=0x7f7591911838) at 
auth-server-connection.c:229
#4  auth_server_connection_input (conn=0x7f7591911838) at 
auth-server-connection.c:281
#5  0x7f758f8f5e35 in io_loop_call_io (io=0x7f759277e2a0) at ioloop.c:614
#6  0x7f758f8f7d3f in io_loop_handler_run_internal (ioloop=) at ioloop-epoll.c:222
#7  0x7f758f8f5f25 in io_loop_handler_run (ioloop=0x7f75918e4d00) at 
ioloop.c:666
#8  0x7f758f8f6148 in io_loop_run (ioloop=0x7f75918e4d00) at ioloop.c:639
#9  0x7f758f875ab3 in master_service_run (service=0x7f75918e4b90, 
callback=) at master-service.c:767
#10 0x7f758fb96156 in login_binary_run (binary=, 
argc=1, argv=0x7f75918e4890) at main.c:549
#11 0x7f758f4a2d1d in __libc_start_main () from /lib64/libc.so.6
#12 0x7f758ffc4469 in _start ()
(gdb) 

Anyone have any thoughts?

Regards,

Jason Kiniry

Re: Mail Alias Stores in mySQL Not working - SOLVED

2017-10-12 Thread jason hirsh
"You have the alias ab...@kasdivi.com for the 
address ad...@theoceanwindow.com in your db 
and all mail to these aliases should go to the admin@ mailbox.
Address mapping should be done in postfix so that the recipient address that 
gets used on the lmtp connection to dovecot is ad...@theoceanwindow.com

You probably disabled address mapping in postfix.
-- 
Christian Kivalo”

You nailed that .. I had completely forgotten about that.. I am changing a 
system from hash to SQL

I actually feel kind of stupid   I knew Postfix was supposed to do the 
acceptance.. and it should have been common sense that it needs to rewrite.. The 
logs kept reminding me



I had the following line in master.cf

  -o receive_override_options=no_address_mappings,no_header_body_checks,no_unknown_recipient_checks


changed to 

  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks


and system works great..

Thanks!!
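
The fix described in this message, turned into a check, as an added Python example that is not the poster's configuration or Postfix's own tooling: it reads `master.cf` logical lines and reports which mail-receiving services carry `no_address_mappings`, and whether every one of them does, in which case alias rewriting never runs. The sample service entries, the `127.0.0.1:10025` listener and the function names are constructed assumptions; the `-o { name = value }` brace form is not handled.

```python
RECEIVERS = {"smtpd", "qmqpd", "pickup"}  # daemons that read receive_override_options


def logical_lines(text):
    """Join master.cf continuation lines (those starting with whitespace)."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comments are ignored
        if raw[0].isspace() and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    return lines


def receive_overrides(text, main_cf_default=""):
    """Map 'service/type' to the set of receive_override_options in effect.

    main_cf_default stands in for the main.cf value, which applies to any
    receiving service without its own -o override (assumed empty here).
    """
    result = {}
    for line in logical_lines(text):
        fields = line.split()
        if len(fields) < 8:
            continue
        name, kind, command, args = fields[0], fields[1], fields[7], fields[8:]
        if command not in RECEIVERS:
            continue
        value = main_cf_default
        for i, arg in enumerate(args[:-1]):
            if arg == "-o" and args[i + 1].startswith("receive_override_options="):
                value = args[i + 1].split("=", 1)[1]  # last override wins
        result[f"{name}/{kind}"] = {opt for opt in value.split(",") if opt}
    return result


def alias_rewriting_report(text, main_cf_default=""):
    """Return (services with no_address_mappings, True if no receiver rewrites)."""
    per_service = receive_overrides(text, main_cf_default)
    disabled = sorted(s for s, opts in per_service.items()
                      if "no_address_mappings" in opts)
    never_rewritten = bool(per_service) and len(disabled) == len(per_service)
    return disabled, never_rewritten


# Constructed sample; the long -o value is the "before" line quoted in the post.
BEFORE = """\
smtp      inet  n  -  n  -  -  smtpd
  -o receive_override_options=no_address_mappings
127.0.0.1:10025 inet n - n - - smtpd
  -o receive_override_options=no_address_mappings,no_header_body_checks,no_unknown_recipient_checks
cleanup   unix  n  -  n  -  0  cleanup
"""
# The "after" line from the post: the same entry without no_address_mappings.
AFTER = BEFORE.replace("=no_address_mappings,no_header_body_checks",
                       "=no_header_body_checks")

if __name__ == "__main__":
    for label, cf in (("before", BEFORE), ("after", AFTER)):
        disabled, never = alias_rewriting_report(cf)
        print(f"{label}: no_address_mappings on {disabled}; "
              f"aliases never rewritten: {never}")
```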


Re: Mail Alias Stores in mySQL Not working

2017-10-12 Thread jason hirsh


"So ab...@kasdivi.com <mailto:ab...@kasdivi.com> is an alias, not a user. You 
can't login with an alias because
your user_query is looking at the `mailbox` table.

Have you tried logging in as:

ad...@theoceanwindow.com <mailto:ad...@theoceanwindow.com>

OR
you could put an entry for ab...@kasdivi.com <mailto:ab...@kasdivi.com> in 
your `mailbox` table.

Bill”


Bill
Excuse me I must have somewhere misstated myself.   Yes 
ab...@variousdoamns.com   is an alias going back to my admin account

The issue was in my master.cf where I had at some time disabled remapping


Fixed that and all is good

Thanks for your time and effort.. You helped  tremendously   and actually had 
me discover  some other issues

Jason

Re: Mail Alias Stores in mySQL Not working

2017-10-12 Thread jason hirsh


"Do you have an SQL entry for ab...@kasdivi.com  ?

Bill”


One of my first thoughts


mysql> SELECT `address`, `domain`, `goto` FROM `alias` LIMIT 8;
+-------------------------------+--------------------+--------------------------+
| address                       | domain             | goto                     |
+-------------------------------+--------------------+--------------------------+
| ab...@theoceanwindow.com      | theoceanwindow.com | ad...@theoceanwindow.com |
| hostmas...@theoceanwindow.com | theoceanwindow.com | ad...@theoceanwindow.com |
| postmas...@theoceanwindow.com | theoceanwindow.com | ad...@theoceanwindow.com |
| webmas...@theoceanwindow.com  | theoceanwindow.com | ad...@theoceanwindow.com |
| ja...@theoceanwindow.com      | theoceanwindow.com | ja...@theoceanwindow.com |
| ad...@theoceanwindow.com      | theoceanwindow.com | ad...@theoceanwindow.com |
| t...@theoceanwindow.com       | theoceanwindow.com | t...@theoceanwindow.com  |
| ab...@kasdivi.com             | kasdivi.com        | ad...@theoceanwindow.com |
+-------------------------------+--------------------+--------------------------+
8 rows in set (0.00 sec)


Re: Mail Alias Stores in mySQL Not working

2017-10-12 Thread jason hirsh




"In an earlier post you said your user_query was:

user_query = SELECT CONCAT('/var/vmail/mail/', maildir) AS home, 5000 AS uid, 
5000 AS gid, CONCAT('*:bytes=', quota) AS 
quota_rule FROM mailbox WHERE username = '%u' AND active='1'

Last post you said:

mail is stored at /var/mail/vhosts

and:

mail_location = maildir:/var/mail/vhosts/%d/%n

These don't agree with your user_query.”


Probably my mis-statement

"Run a MySQL query:
SELECT `username`, `domain`, `maildir` FROM `mailbox` LIMIT 5;
Let's see the value of maildir”

mysql> SELECT `username`, `domain`, `maildir` FROM `mailbox` LIMIT 5;
+--------------------------+--------------------+---------------------------+
| username                 | domain             | maildir                   |
+--------------------------+--------------------+---------------------------+
| ja...@theoceanwindow.com | theoceanwindow.com | theoceanwindow.com/jason/ |
| ad...@gcsbonaire.com     | gcsbonaire.com     | gcsbonaire.com/admin/     |
| ad...@theoceanwindow.com | theoceanwindow.com | theoceanwindow.com/admin/ |
| t...@theoceanwindow.com  | theoceanwindow.com | theoceanwindow.com/test/  |
| l...@grapestreet.com     | grapestreet.com    | grapestreet.com/lin/      |
+--------------------------+--------------------+---------------------------+
5 rows in set (0.00 sec)


"Also, lets see the output of:
ls -l /var/mail/vhosts/*”



drwxrwxr-x   4 1003  vmail  512 Jun 25  2016 camantonewfashion.com
drwxrwxr-x   4 1003  vmail  512 Sep  6  2016 filmusfamily.com
drwxrwxr-x   8 1003  vmail  512 Oct  8 13:44 gcs-bonaire.com
drwxrwxr-x   4 1003  vmail  512 Oct  5 07:40 gcsbonaire.com
drwxrwxr-x   3 1003  vmail  512 Jun 25  2016 grapestreet.com
drwxrwxr-x   5 1003  vmail  512 Jun 25  2016 grapestreetgen.com
drwxrwxr-x   5 1003  vmail  512 Jun 25  2016 grapestreetvoice.com
drwxrwxr-x  11 1003  vmail  512 Oct 11 13:37 kasdivi.com
drwx------   3 1003  vmail  512 Oct 11 13:25 test.com
drwxrwxr-x   7 1003  vmail  512 Oct 11 13:42 theoceanwindow.com




It seems that the correct information is stored in the correct place   but I get


dovecot: auth-worker(21961): sql(ab...@kasdivi.com): unknown user 

It seems like there is a simple config thing I am not getting right
Jason

Re: Mail Alias Stores in mySQL Not working

2017-10-11 Thread jason hirsh
"With that query, it appears everyone is sharing the same mail directory. It, 
of course, depends
on the value of `maildir`. It doesn't look right.”

stored by domain or at least it was until I started messing with mysql

"Have you checked your MySQL log file to see the actual query?”

hmm  found out I had never enabled that log…. another tangent I need to follow

"We don't know your mailbox format. Post your 'doveconf -n’.”

My bad

# OS: FreeBSD 11.0-RELEASE-p9 amd64  ufs
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = yes
base_dir = /var/run/dovecot/
disable_plaintext_auth = no
mail_location = maildir:/var/mail/vhosts/%d/%n
mail_privileged_group = vmail
namespace inbox {
  inbox = yes
  location = 
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix = 
}
passdb {
  args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
pop3_uidl_format = %v.%u
postmaster_address = postmas...@theoceanwindow.com
service auth-worker {
  user = vmail
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
  }
  user = dovecot
}
service director {
  unix_listener director-userdb {
    mode = 0600
  }
}
service imap-login {
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
service pop3-login {
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
ssl_ca = 

Re: Issue with mailbox conversion using dsync in v2.2.32 (maildir <-> mdbox)

2017-10-10 Thread Jason Kiniry
Hello Timo,

Thank you for the quick reply! My answers are inline:

On Tue, Oct 10, 2017 at 8:52 AM, Timo Sirainen  wrote:

> On 10 Oct 2017, at 3.36, Jason Kiniry  wrote:
> >
> > /usr/bin/dsync -f -D -o mail_location=mdbox:/home/blahmail/mail -u
> > _mainacco...@blahmail.tld -v mirror maildir:/home/blahmail/mail
>
> Where is the Maildir coming from? Has it been used by Dovecot earlier, or
> is it something else?
>

The maildir is already in use by Dovecot and has received mail. Then we do
the conversion in-place to mdbox (or vice versa).


> > doveadm(_mainacco...@blahmail.tld): Debug: Namespace INBOX.:
> > /home/blahmail/mail/mailboxes/INBOX doesn't exist yet, using default
> > permissions
>
> So mdbox apparently didn't exist before you ran dsync.
>

That's correct. We're changing from the maildir format to the mdbox format
in-place.


>
> > dsync(blahmail): Debug: brain M: Local mailbox tree: INBOX
> > guid=60f6d91a25fddb598304a19766e2 uid_validity=1507589418 uid_next=1
> > subs=no last_change=0 last_subs=0
> > dsync(blahmail): Debug: brain S: Local mailbox tree: INBOX
> > guid=e6191d3644fddb59e204a19766e2 uid_validity=1507589413 uid_next=2
> > subs=no last_change=0 last_subs=0
>
> But here the INBOXes already have conflicting UIDVALIDITYs. One of these
> was created too early.


> I think one of these helps:
>  * disable quota
>  * disable quota_clone
>  * disable mailbox_list_index
>
>
Disabling mailbox_list_index seems to resolve the issue. Unfortunately
though, I'm fairly sure we need that setting though for our environment,
but mayhap we can just disable it during the sync. Thank you for the
suggestion!

Regards,

Jason


Mail Alias Stores in mySQL Not working

2017-10-10 Thread jason hirsh
First of all excuse.. I am having an issue getting maillist responses so I may 
be responding to this wrong

Now on topic
I commented out the first user_query

The second query was not copied correctly  , reads

user_query = SELECT CONCAT('/var/vmail/mail/', maildir) AS home, 5000 AS uid, 
5000 AS gid, CONCAT('*:bytes=', quota) AS quota_rule FROM mailbox WHERE 
username = '%u' AND active='1'

still have the same error

I did a comparison between the data contained in the sql file and my mail 
directory and found that they are not consistent

Apparently postfixadmin, which I have been using, does not update the maildir

I am surprised I am getting any mail at all.

I think I have to take this back to ground zero

"I see two problems:
1) you have two user_querys, there should only be one
2) your 2nd user_query is not limiting the SQL search with a WHERE clause"


Issue with mailbox conversion using dsync in v2.2.32 (maildir <-> mdbox)

2017-10-10 Thread Jason Kiniry
Hi all,

I've run into an issue with in-place mailbox format conversions between
mdbox and maildir and wondered if someone could assist. When using dsync to
convert a mailbox, the conversion loses a mailbox GUID and produces a
warning. This behavior seems to have been introduced between version 2.2.31
and 2.2.32. See below for the full debug output from both versions followed
by the dovecot configuration used for both attempts.

When I run the following:

/usr/bin/dsync -f -D -o mail_location=mdbox:/home/blahmail/mail -u
_mainacco...@blahmail.tld -v mirror maildir:/home/blahmail/mail

On version 2.2.32, I get the following with the warning included on the
last line of the output:

Debug: Loading modules from directory: /usr/lib64/dovecot
Debug: Module loaded: /usr/lib64/dovecot/lib10_quota_plugin.so
Debug: Module loaded: /usr/lib64/dovecot/lib20_fts_plugin.so
Debug: Module loaded: /usr/lib64/dovecot/lib20_quota_clone_plugin.so
Debug: Module loaded: /usr/lib64/dovecot/lib20_zlib_plugin.so
Debug: Module loaded: /usr/lib64/dovecot/lib21_fts_solr_plugin.so
Debug: Loading modules from directory: /usr/lib64/dovecot/doveadm
Debug: Skipping module doveadm_acl_plugin, because dlopen() failed:
/usr/lib64/dovecot/doveadm/lib10_doveadm_acl_plugin.so: undefined symbol:
acl_user_module (this is usually intentional, so just ignore this message)
Debug: Skipping module doveadm_expire_plugin, because dlopen() failed:
/usr/lib64/dovecot/doveadm/lib10_doveadm_expire_plugin.so: undefined
symbol: expire_set_deinit (this is usually intentional, so just ignore this
message)
Debug: Module loaded:
/usr/lib64/dovecot/doveadm/lib10_doveadm_quota_plugin.so
Debug: Module loaded: /usr/lib64/dovecot/doveadm/lib20_doveadm_fts_plugin.so
Debug: Skipping module doveadm_mail_crypt_plugin, because dlopen() failed:
/usr/lib64/dovecot/doveadm/libdoveadm_mail_crypt_plugin.so: undefined
symbol: mail_crypt_box_get_pvt_digests (this is usually intentional, so
just ignore this message)
doveadm(_mainacco...@blahmail.tld): Debug: Ignoring overridden (-o) userdb
setting: mail
doveadm(_mainacco...@blahmail.tld): Debug: Added userdb setting:
plugin/password=
doveadm(_mainacco...@blahmail.tld): Debug: Added userdb setting:
plugin/quota=maildir:Mailbox:ns=INBOX.
doveadm(_mainacco...@blahmail.tld): Debug: Added userdb setting:
plugin/quota2=fs:cPanel Account
doveadm(_mainacco...@blahmail.tld): Debug: Added userdb setting:
plugin/quota_clone_dict=file:/home/blahmail/mail/dovecot-quota
doveadm(_mainacco...@blahmail.tld): Debug: Added userdb setting:
plugin/quota_rule=*:messages=2147483647
doveadm(_mainacco...@blahmail.tld): Debug: Added userdb setting:
plugin/quota_rule2=INBOX.Trash:ignore
doveadm(_mainacco...@blahmail.tld): Debug: Added userdb setting:
plugin/quota_status_overquota=552 5.2.2 Mailbox is full / Blocks limit
exceeded / Inode limit exceeded
doveadm(_mainacco...@blahmail.tld): Debug: Added userdb setting:
plugin/quota_vsizes=yes
doveadm(_mainacco...@blahmail.tld): Debug: Added userdb setting:
plugin/userdb_gid=1081
doveadm(_mainacco...@blahmail.tld): Debug: Added userdb setting:
plugin/userdb_home=/home/blahmail
doveadm(_mainacco...@blahmail.tld): Debug: Added userdb setting:
plugin/userdb_mail=maildir:/home/blahmail/mail
doveadm(_mainacco...@blahmail.tld): Debug: Added userdb setting:
plugin/userdb_password=
doveadm(_mainacco...@blahmail.tld): Debug: Added userdb setting:
plugin/userdb_quota=maildir:Mailbox:ns=INBOX.
doveadm(_mainacco...@blahmail.tld): Debug: Added userdb setting:
plugin/userdb_quota2=fs:cPanel Account
doveadm(_mainacco...@blahmail.tld): Debug: Added userdb setting:
plugin/userdb_quota_clone_dict=file:/home/blahmail/mail/dovecot-quota
doveadm(_mainacco...@blahmail.tld): Debug: Added userdb setting:
plugin/userdb_quota_rule=*:messages=2147483647
doveadm(_mainacco...@blahmail.tld): Debug: Added userdb setting:
plugin/userdb_quota_rule2=INBOX.Trash:ignore
doveadm(_mainacco...@blahmail.tld): Debug: Added userdb setting:
plugin/userdb_quota_status_overquota=552 5.2.2 Mailbox is full / Blocks
limit exceeded / Inode limit exceeded
doveadm(_mainacco...@blahmail.tld): Debug: Added userdb setting:
plugin/userdb_quota_vsizes=yes
doveadm(_mainacco...@blahmail.tld): Debug: Added userdb setting:
plugin/userdb_uid=1137
doveadm(_mainacco...@blahmail.tld): Debug: Added userdb setting:
plugin/userdb_user=blahmail
doveadm(_mainacco...@blahmail.tld): Debug: Effective uid=1137, gid=1081,
home=/home/blahmail
doveadm(_mainacco...@blahmail.tld): Debug: Quota root: name=Mailbox
backend=maildir args=ns=INBOX.
doveadm(_mainacco...@blahmail.tld): Debug: Quota rule: root=Mailbox
mailbox=* bytes=0 messages=2147483647
doveadm(_mainacco...@blahmail.tld): Debug: Quota rule: root=Mailbox
mailbox=INBOX.Trash ignored
doveadm(_mainacco...@blahmail.tld): Debug: Quota grace: root=Mailbox
bytes=0 (10%)
doveadm(_mainacco...@blahmail.tld): Debug: Quota root: name=cPanel Account
backend=fs args=
doveadm(_mainacco...@blahmail.tld): Debug: Quota grace: root=cPanel Account
b

Mail Alias Stores in mySQL Not working

2017-10-09 Thread jason hirsh
This apparently was a problem that I was not aware of since I redid my mail server 
configuration to make use of Postfixadmin. I have updated the conf files using 
the postfix document from the download. The download document seems to be for 
an early version of dovecot (I am using 2.2.4) as it focuses on dovecot.conf, 
which is now broken into files in the conf.d subdirectory. I get "dovecot: 
auth-worker(30555): sql(ab...@examplei.com): unknown user". 
I imagine this is a conf problem and deals with reading the sql data. I have 
confirmed the data is there.
The major file appears to be dovecot-sql.conf.ext
Mine reads as follows
driver = mysql
connect = host=127.0.0.1 dbname=postfix user=postfix password=postfixadmin
password_query = SELECT username, password FROM mailbox WHERE username='%u' and 
active ="
default_pass_scheme = MD5-CRYPT
user_query = SELECT maildir, 5000 AS uid, 5000 AS gid FROM mailbox WHERE 
username = '%u'
user_query = SELECT CONCAT('/var/vmail/mail/', maildir) AS home, 5000 AS uid, 
5000 AS gid
Since normal mail is handled by dovecot, it would seem something is wrong with the 
first user_query since it appears to be the one that should find the alias user.
Any help or suggestions would be appreciated

Unable to get mail?

2016-04-29 Thread Jason Pruim
Hey everyone,

I'm not sure I'm on the right list for this one... I have a postfix/dovecot
install that was running fine on amazon web services that all of a sudden
stopped receiving mail... In my mail log all I get is this:

Apr 30 03:16:26 ip-172-31-28-46 dovecot: imap(b...@primelashdiva.info):
Connection closed in=595 out=1459

Apr 30 03:16:31 ip-172-31-28-46 dovecot: imap-login: Login: user=<
b...@primelashdiva.info>, method=PLAIN, rip=68.105.170.121,
lip=172.31.28.46, mpid=31865, TLS, session=

Apr 30 03:16:33 ip-172-31-28-46 dovecot: imap-login: Login: user=<
b...@primelashdiva.info>, method=PLAIN, rip=68.105.170.121,
lip=172.31.28.46, mpid=31867, TLS, session=

Apr 30 03:16:34 ip-172-31-28-46 dovecot: imap(b...@primelashdiva.info):
Disconnected: Logged out in=97 out=440

Apr 30 03:16:38 ip-172-31-28-46 dovecot: imap-login: Login: user=<
b...@primelashdiva.info>, method=PLAIN, rip=68.105.170.121,
lip=172.31.28.46, mpid=31869, TLS, session=

Apr 30 03:19:14 ip-172-31-28-46 dovecot: imap(b...@primelashdiva.info):
Disconnected: Logged out in=408 out=1385

Apr 30 03:19:14 ip-172-31-28-46 dovecot: imap(b...@primelashdiva.info):
Disconnected: Logged out in=847 out=3067

Apr 30 03:20:25 ip-172-31-28-46 postfix/postfix-script[3891]: stopping the
Postfix mail system

Apr 30 03:20:25 ip-172-31-28-46 postfix/master[31225]: terminating on
signal 15

Apr 30 03:20:25 ip-172-31-28-46 postfix/postfix-script[3963]: starting the
Postfix mail system

Apr 30 03:20:25 ip-172-31-28-46 postfix/master[3964]: daemon started --
version 2.6.6, configuration /etc/postfix

Apr 30 03:20:44 ip-172-31-28-46 dovecot: master: Warning: Killed with
signal 15 (by pid=3977 uid=0 code=kill)

Apr 30 03:20:44 ip-172-31-28-46 dovecot: imap: Server shutting down. in=472
out=1366

Apr 30 03:20:45 ip-172-31-28-46 dovecot: master: Dovecot v2.2.10 starting
up for imap, pop3, lmtp (core dumps disabled)

Apr 30 03:21:17 ip-172-31-28-46 dovecot: imap-login: Aborted login (no auth
attempts in 9 secs): user=<>, rip=68.105.170.121, lip=172.31.28.46,
session=

Apr 30 03:24:30 ip-172-31-28-46 postfix/postfix-script[4141]: stopping the
Postfix mail system

Apr 30 03:24:30 ip-172-31-28-46 postfix/master[3964]: terminating on signal
15

Apr 30 03:24:30 ip-172-31-28-46 dovecot: master: Warning: Killed with
signal 15 (by pid=4147 uid=0 code=kill)

Apr 30 03:25:28 ip-172-31-28-46 postfix/postfix-script[2761]: starting the
Postfix mail system

Apr 30 03:25:28 ip-172-31-28-46 postfix/master[2762]: daemon started --
version 2.6.6, configuration /etc/postfix

Apr 30 03:26:22 ip-172-31-28-46 dovecot: master: Dovecot v2.2.10 starting
up for imap, pop3, lmtp (core dumps disabled)

Apr 30 03:27:03 ip-172-31-28-46 dovecot: imap-login: Aborted login (no auth
attempts in 6 secs): user=<>, rip=68.105.170.121, lip=172.31.28.46,
session=

Apr 30 03:27:36 ip-172-31-28-46 dovecot: imap-login: Login: user=<
b...@primelashdiva.info>, method=PLAIN, rip=68.105.170.121,
lip=172.31.28.46, mpid=3001, TLS, session=

Apr 30 03:27:54 ip-172-31-28-46 dovecot: imap-login: Aborted login (auth
failed, 1 attempts in 2 secs): user=,
method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured,
session=

Apr 30 03:28:06 ip-172-31-28-46 dovecot: imap-login: Aborted login (auth
failed, 1 attempts in 6 secs): user=,
method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured,
session=

Apr 30 03:28:10 ip-172-31-28-46 dovecot: imap-login: Login: user=<
b...@primelashdiva.info>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1,
mpid=3008, secured, session=

Apr 30 03:28:10 ip-172-31-28-46 dovecot: imap(b...@primelashdiva.info):
Disconnected: Logged out in=29 out=466

Apr 30 03:28:10 ip-172-31-28-46 dovecot: imap-login: Login: user=<
b...@primelashdiva.info>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1,
mpid=3011, secured, session=

Apr 30 03:28:10 ip-172-31-28-46 dovecot: imap(b...@primelashdiva.info):
Disconnected: Logged out in=44 out=538

Apr 30 03:28:11 ip-172-31-28-46 dovecot: imap-login: Login: user=<
b...@primelashdiva.info>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1,
mpid=3014, secured, session=

Apr 30 03:28:11 ip-172-31-28-46 dovecot: imap(b...@primelashdiva.info):
Disconnected: Logged out in=314 out=6899

Apr 30 03:28:12 ip-172-31-28-46 dovecot: imap-login: Login: user=<
b...@primelashdiva.info>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1,
mpid=3017, secured, session=

Apr 30 03:28:12 ip-172-31-28-46 dovecot: imap(b...@primelashdiva.info):
Disconnected: Logged out in=209 out=816

Apr 30 03:29:12 ip-172-31-28-46 dovecot: imap-login: Login: user=<
b...@primelashdiva.info>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1,
mpid=3024, secured, session=

Apr 30 03:29:12 ip-172-31-28-46 dovecot: imap(b...@primelashdiva.info):
Disconnected: Logged out in=91 out=872

Apr 30 03:30:12 ip-172-31-28-46 dovecot: imap-login: Login: user=<
b...@primelashdiva.info>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1,
mpid=3027, secured, session=<9r6GYKsxsAB/AAAB>

Apr 30 03:30:12 ip-172-31-28-46 dovecot: imap(b...@primelashdiva.info):
Dis
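
Added example (not part of the original post): a small Python triage of the kind of imap-login records quoted above. It rejoins lines wrapped by the mail client, keeps server-side faults apart from per-client results, and lists remote IPs with repeated failed logins and no successful one. The sample log, the host name `mx1`, the addresses, the users and the threshold of 3 are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the log format in the post above.
# Addresses are documentation ranges; users and session ids are placeholders.
SAMPLE_LOG = """\
Apr 30 03:16:31 mx1 dovecot: imap-login: Login: user=<
alice@example.com>, method=PLAIN, rip=198.51.100.7,
lip=192.0.2.10, mpid=31865, TLS, session=<aaaa>
Apr 30 03:21:17 mx1 dovecot: imap-login: Aborted login (no auth
attempts in 9 secs): user=<>, rip=198.51.100.7, lip=192.0.2.10,
session=<bbbb>
Apr 30 03:27:54 mx1 dovecot: imap-login: Aborted login (auth
failed, 1 attempts in 2 secs): user=<alice@example.com>,
method=PLAIN, rip=203.0.113.9, lip=192.0.2.10, TLS,
session=<cccc>
Apr 30 03:28:06 mx1 dovecot: imap-login: Aborted login (auth
failed, 3 attempts in 6 secs): user=<bob@example.com>,
method=PLAIN, rip=203.0.113.9, lip=192.0.2.10, TLS,
session=<dddd>
Apr 30 03:28:09 mx1 dovecot: auth: Fatal: Unknown database driver
'sql'
Apr 30 03:28:09 mx1 dovecot: imap-login: Disconnected: Auth process
broken (disconnected before auth was ready, waited 9 secs): user=<>,
rip=127.0.0.1, lip=127.0.0.1, secured, session=<eeee>
Apr 30 03:28:10 mx1 postfix/master[3964]: daemon started --
version 2.6.6, configuration /etc/postfix
"""

RECORD_START = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d ")
LOGIN_MSG = re.compile(r"dovecot: (?:imap|pop3)-login: (?P<msg>.*)$")
FAULT_MSG = re.compile(
    r"dovecot: (?P<fault>[\w-]+(?:\([^)]*\))?: (?:Fatal|Error): .*)$")
FIELDS = {
    "user": re.compile(r"user=<\s*([^>]*)>"),  # \s*: wrap may split after '<'
    "rip": re.compile(r"\brip=([0-9A-Fa-f.:]+)"),
    "lip": re.compile(r"\blip=([0-9A-Fa-f.:]+)"),
}
ATTEMPTS = re.compile(r"auth failed, (\d+) attempts")


def unwrap(text):
    """Join physical lines into one record per syslog timestamp."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def classify(msg):
    if msg.startswith("Login:"):
        return "login"
    if "Auth process broken" in msg:
        return "auth_service_down"      # server fault, not client behaviour
    if "auth failed" in msg:
        return "auth_failed"
    if "SSL_accept() failed" in msg:
        return "tls_handshake_failed"
    if "no auth attempts" in msg:
        return "no_auth"
    return "other"


def parse_record(record):
    """Return a dict for a login-service record, or None for anything else."""
    m = LOGIN_MSG.search(record)
    if not m:
        return None
    msg = m.group("msg")
    event = {"kind": classify(msg), "attempts": 0, "transport": None}
    for name, rx in FIELDS.items():
        found = rx.search(msg)
        event[name] = found.group(1) if found else None
    tries = ATTEMPTS.search(msg)
    if tries:
        event["attempts"] = int(tries.group(1))
    if re.search(r", TLS\b", msg):
        event["transport"] = "TLS"
    elif ", secured" in msg:
        event["transport"] = "secured"
    return event


def summarize(text, threshold=3):
    per_ip = defaultdict(
        lambda: {"login": 0, "failed_attempts": 0, "no_auth": 0, "users": set()})
    faults = []
    for record in unwrap(text):
        event = parse_record(record)
        if event is None:
            fault = FAULT_MSG.search(record)
            if fault:
                faults.append(fault.group("fault"))
            continue
        if event["kind"] == "auth_service_down":
            faults.append("imap-login: auth process broken, client rip=%s"
                          % event["rip"])
            continue
        if event["rip"] is None:
            continue
        stats = per_ip[event["rip"]]
        if event["kind"] == "login":
            stats["login"] += 1
        elif event["kind"] == "auth_failed":
            stats["failed_attempts"] += event["attempts"]
            if event["user"]:
                stats["users"].add(event["user"])
        elif event["kind"] in ("no_auth", "tls_handshake_failed"):
            stats["no_auth"] += 1
    suspects = sorted(ip for ip, s in per_ip.items()
                      if s["failed_attempts"] >= threshold and s["login"] == 0)
    for stats in per_ip.values():
        stats["users"] = sorted(stats["users"])
    return {"per_ip": dict(per_ip), "faults": faults, "suspects": suspects}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```
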

Unable to login with iPhone?

2016-04-05 Thread Jason Pruim
Hey Everyone,

So I have my dovecot install up and running! I can receive mail from the
outside, still dealing with a small issue with sending email, but I think
that's an issue of needing to set up a relay...

Right now though... My biggest issue is it won't connect to my iPhone... I
can log in with mail on my computer, and through round cube for webmail...
But it gets stuck on "verifying"... I tried adding cram-md5 and digest-md5
to the auth_mechanisms but that didn't work... Any idea what I'm missing?

Here is my doveconf -n:

[ec2-user@ip-172-31-28-46 postfix]$ doveconf -n
# 2.2.10: /etc/dovecot/dovecot.conf
# OS: Linux 4.4.5-15.26.amzn1.x86_64 x86_64  ext4
auth_mechanisms = plain login cram-md5 digest-md5
mail_location = maildir:/var/vmail/%d/%n/Maildir
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character
vacation subaddress comparator-i;ascii-numeric relational regex imap4flags
copy include variables body enotify environment mailbox date ihave
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location =
  prefix =
  separator = .
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
  }
  unix_listener auth-userdb {
group = vmail
mode = 0666
user = vmail
  }
}
service imap-login {
  inet_listener imap {
port = 143
  }
  inet_listener imaps {
port = 993
ssl = yes
  }
}
ssl = required
ssl_cert = 

Re: 1 last error

2016-04-03 Thread Jason Pruim

Jason Pruim
pru...@gmail.com
352.234.3175


> On Apr 3, 2016, at 6:49 AM, aki.tu...@dovecot.fi wrote:
> 
> 
>> On April 3, 2016 at 7:38 AM Jason Pruim  wrote:
>> 
>> 
>> Hey Everyone,
>> 
>> I’m down to 1 last error that I know I created on my own but I can’t figure
>> out how to fix it… Here is the error that I’m getting:
>> 
>> Apr  3 04:29:37 ip-172-31-24-2 postfix/qmgr[20458]: EFE01423E2:
>> from=, size=359, nrcpt=1 (queue active)
>> Apr  3 04:29:37 ip-172-31-24-2 dovecot: lda(b...@primelashdiva.info): Fatal:
>> setresgid(89(postfix),89(postfix),97(dovecot)) failed with euid=97(dovecot):
>> Operation not permitted
> 
> This means that dovecot is not permitted to use group 89. Is dovecot user member
> of this group?

Yes it is. still getting the same error…


> 
>> Jason Pruim
>> pru...@gmail.com
>> 352.234.3175
> 
> Aki Tuomi
> Dovecot Oy


1 last error

2016-04-02 Thread Jason Pruim
Hey Everyone,

I’m down to 1 last error that I know I created on my own but I can’t figure out 
how to fix it… Here is the error that I’m getting:

Apr  3 04:29:37 ip-172-31-24-2 postfix/qmgr[20458]: EFE01423E2: 
from=, size=359, nrcpt=1 (queue active)
Apr  3 04:29:37 ip-172-31-24-2 dovecot: lda(b...@primelashdiva.info): Fatal: 
setresgid(89(postfix),89(postfix),97(dovecot)) failed with euid=97(dovecot): 
Operation not permitted
Apr  3 04:29:37 ip-172-31-24-2 postfix/pipe[20745]: EFE01423E2: 
to=, relay=dovecot, delay=22, delays=22/0.01/0/0.01, 
dsn=4.3.0, status=deferred (temporary failure)

So I figure that I messed up the permissions on /etc/dovecot/conf.d I tried to 
fix it even by setting it way open:

drwxrwxrwx 2 dovecot dovecot 4096 Mar 30 00:56 conf.d


And it still doesn’t work! 

doveconf -n:

$ doveconf -n
# 2.2.10: /etc/dovecot/dovecot.conf
# OS: Linux 4.1.17-22.30.amzn1.x86_64 x86_64  ext4
auth_mechanisms = plain login
first_valid_uid = 89
hostname = mail.primelashdiva.info
mail_location = maildir:/var/vmail/%d/%n/Maildir
mail_privileged_group = dovecot
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location = 
  prefix = 
  separator = .
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
postmaster_address = postmas...@primelashdiva.info
protocols = imap lmtp
service auth {
  unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
  }
  unix_listener auth-userdb {
group = dovecot
mode = 0666
user = dovecot
  }
  user = dovecot
}
service imap-login {
  inet_listener imap {
port = 143
  }
  inet_listener imaps {
port = 993
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
group = postfix
mode = 0600
user = postfix
  }
}
ssl = no
ssl_cert = 

Re: Still muddling through with broken auth...

2016-04-02 Thread Jason Pruim

Jason Pruim
pru...@gmail.com
352.234.3175


> On Apr 2, 2016, at 9:06 PM, Alexander Dalloz  wrote:
> 
> Am 03.04.2016 um 02:07 schrieb Jason Pruim:
>> 
>> Jason Pruim
>> pru...@gmail.com
>> 352.234.3175
> 
> Please answer just to the mailing list and omit to copy your replies to my 
> personal address too. Thanks.

My apologies, I had been hitting reply all.
> 
>>>>>> Here is the same error:
>>>>>> 
>>>>>> Apr  2 22:25:50 ip-172-31-24-2 dovecot: auth: Fatal: Unknown database 
>>>>>> driver 'sql'
>>>>>> Apr  2 22:25:50 ip-172-31-24-2 dovecot: master: Error: service(auth): 
>>>>>> command startup failed, throttling for 60 secs
>>>>>> Apr  2 22:25:50 ip-172-31-24-2 dovecot: imap-login: Disconnected: Auth 
>>>>>> process broken (disconnected before auth was ready, waited 9 secs): 
>>>>>> user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, 
>>>>>> session=
> 
> rpm -qlv dovecot | grep libdovecot-sql
> 
> That should print out something like
> 
> lrwxrwxrwx1 rootroot   23 Apr  1 03:29 
> /usr/lib64/dovecot/libdovecot-sql.so.0 -> libdovecot-sql.so.0.0.0
> -rwxr-xr-x1 rootroot95058 Apr  1 03:29 
> /usr/lib64/dovecot/libdovecot-sql.so.0.0.0
> 
> If no libdovecot-sql.so is included, then SQL support is missing in that 
> dovecot package.
> 
> Alexander

I started going back over the same tutorial and reran the commands including 
this one: postconf -e 
virtual_alias_maps=mysql:/etc/postfix/mysql-virtual-alias-maps.cf,mysql:/etc/postfix/mysql-email2email.cf
 and as soon as that one hit I was able to login! Now I just need to get it 
accepting email and sending email! 

Thank you for your help and for putting up with my lack of knowledge!


Re: Still muddling through with broken auth...

2016-04-02 Thread Jason Pruim
>> 
>>> 
 driver = sql
 }
 protocols = imap lmtp
 service auth {
 unix_listener /var/spool/postfix/private/auth {
   group = postfix
   mode = 0660
   user = postfix
 }
 unix_listener auth-userdb {
   group = postfix
   mode = 0600
   user = postfix
 }
 user = dovecot
 }
 service imap-login {
 inet_listener imap {
   port = 143
 }
 inet_listener imaps {
   port = 993
 }
 }
 service lmtp {
 unix_listener /var/spool/postfix/private/dovecot-lmtp {
   group = postfix
   mode = 0600
   user = postfix
 }
 }
 ssl = no
 ssl_cert = 
 ssl_key = 
 ssl_protocols = !SSLv2 !SSLv3
 userdb {
 args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
 driver = static
 }
 protocol lmtp {
 mail_plugins = " sieve"
 }
 protocol lda {
 mail_plugins = " sieve"
 }
 [ec2-user@ip-172-31-24-2 conf.d]$
 
 
 It’s been awhile since I’ve run a mail server, and never to this extent… 
 Always through hosting companies except for about 15 years ago when I did 
 it for fun! :)
 
 Thanks for all your help!
>>> 
>>> Regards
>>> 
>>> Alexander
>> 
>> 
>> Thanks Alexander!
> 
> Make sure MySQL is running and configured correctly as well.

Logged in as the same user and was able to run the 3 sql commands that are in 
the config files…. Best as I can tell it’s up and running properly.


Re: Still muddling through with broken auth...

2016-04-02 Thread Jason Pruim

Jason Pruim
pru...@gmail.com
352.234.3175


> On Apr 2, 2016, at 8:01 PM, Alexander Dalloz  wrote:
> 
> Am 03.04.2016 um 01:04 schrieb Jason Pruim:
>> 
>> Jason Pruim
>> pru...@gmail.com
>> 352.234.3175
>> 
>> 
>>> On Apr 2, 2016, at 6:42 PM, Alexander Dalloz  wrote:
>>> 
>>> Am 03.04.2016 um 00:26 schrieb Jason Pruim:
>>>> Hey Edgar,
>>>> 
>>>> Thanks for catching that! Missed it earlier! Got it changed but I’m still 
>>>> having the same error updated postconf -n:
>>> 
>>> Why do you provide the Postfix configuration? Absolutely unrelated to the 
>>> shown dovecot error.
>> 
>> I provide what I know how to provide :)
>>> 
>>>> [ec2-user@ip-172-31-24-2 conf.d]$ postconf -n
>>>> alias_database = hash:/etc/aliases
>>>> alias_maps = hash:/etc/aliases
>>>> command_directory = /usr/sbin
>>>> config_directory = /etc/postfix
>>>> daemon_directory = /usr/libexec/postfix
>>>> data_directory = /var/lib/postfix
>>>> debug_peer_level = 2
>>>> html_directory = no
>>>> inet_interfaces = localhost
>>>> inet_protocols = all
>>>> mail_owner = postfix
>>>> mailq_path = /usr/bin/mailq.postfix
>>>> manpage_directory = /usr/share/man
>>>> mydestination = $myhostname, localhost.$mydomain, localhost
>>>> newaliases_path = /usr/bin/newaliases.postfix
>>>> queue_directory = /var/spool/postfix
>>>> readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
>>>> sample_directory = /usr/share/doc/postfix-2.6.6/samples
>>>> sendmail_path = /usr/sbin/sendmail.postfix
>>>> setgid_group = postdrop
>>>> unknown_local_recipient_reject_code = 550
>>>> virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf
>>>> virtual_mailbox_domains = 
>>>> mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
>>>> virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
>>>> virtual_transport = dovecot
>>>> [ec2-user@ip-172-31-24-2 conf.d]$
>>> 
>>> While being at Postfix: You have zero SASL configuration, unless it is 
>>> defined in master.cf for the submission transport.
>> 
>> Let's do 1 problem at a time… Unless SASL is needed for sending email?
> 
> Right, 1 problem at a time.
> 
> Yes, SASL is needed for your MTA to permit relaying based on authentication.

Okay, I’ll look at that as soon as I get my server allowing me to login! :)

> 
>>>> Here is the same error:
>>>> 
>>>> Apr  2 22:25:50 ip-172-31-24-2 dovecot: auth: Fatal: Unknown database 
>>>> driver 'sql'
>>>> Apr  2 22:25:50 ip-172-31-24-2 dovecot: master: Error: service(auth): 
>>>> command startup failed, throttling for 60 secs
>>>> Apr  2 22:25:50 ip-172-31-24-2 dovecot: imap-login: Disconnected: Auth 
>>>> process broken (disconnected before auth was ready, waited 9 secs): 
>>>> user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=
>>> 
>>> Please provide the output of "doveconf -n". You have a severe configuration 
>>> error so that the auth process fails.
>> 
>> Here is the output:
>> 
>> [ec2-user@ip-172-31-24-2 conf.d]$ dovecot -n
>> # 2.2.10: /etc/dovecot/dovecot.conf
> 
> Where did you get that dovecot version from? The Postfix version seems to 
> indicate a RHEL/CentOS base of major release 6. That one does not ship a 
> dovecot 2.2.x version.

postfix and dovecot were both downloaded from a simple: yum install postfix 
dovecot command on my amazon linux server
> 
>> # OS: Linux 4.1.17-22.30.amzn1.x86_64 x86_64  ext4
>> auth_mechanisms = plain login
>> mail_location = maildir:/var/vmail/%d/%n/Maildir
>> mbox_write_locks = fcntl
>> namespace inbox {
>>   inbox = yes
>>   location =
>>   prefix =
>>   separator = .
>> }
>> passdb {
>>   args = /etc/dovecot/dovecot-sql.conf.ext
> 
> What is specified in the dovecot-sql.conf.ext file? Make sure the driver in 
> there is set as "mysql" and not "sql". Not sure whether your dovecot is 
> packaged in a way that you need another package to provide the SQL driver 
> functionality.

driver = mysql
connect = host=127.0.0.1 dbname=mailserver user=validsqluser 
password=validsqlpassword

default_pass_scheme = PLAIN-MD5
password_query = SELECT email as user, password FROM virtual_users WHERE 
email='%u’;

> 
> Btw. there is no need to run any SQL b

Re: Still muddling through with broken auth...

2016-04-02 Thread Jason Pruim

Jason Pruim
pru...@gmail.com
352.234.3175


> On Apr 2, 2016, at 6:42 PM, Alexander Dalloz  wrote:
> 
> Am 03.04.2016 um 00:26 schrieb Jason Pruim:
>> Hey Edgar,
>> 
>> Thanks for catching that! Missed it earlier! Got it changed but I’m still 
>> having the same error updated postconf -n:
> 
> Why do you provide the Postfix configuration? Absolutely unrelated to the 
> shown dovecot error.

I provide what I know how to provide :)
> 
>> [ec2-user@ip-172-31-24-2 conf.d]$ postconf -n
>> alias_database = hash:/etc/aliases
>> alias_maps = hash:/etc/aliases
>> command_directory = /usr/sbin
>> config_directory = /etc/postfix
>> daemon_directory = /usr/libexec/postfix
>> data_directory = /var/lib/postfix
>> debug_peer_level = 2
>> html_directory = no
>> inet_interfaces = localhost
>> inet_protocols = all
>> mail_owner = postfix
>> mailq_path = /usr/bin/mailq.postfix
>> manpage_directory = /usr/share/man
>> mydestination = $myhostname, localhost.$mydomain, localhost
>> newaliases_path = /usr/bin/newaliases.postfix
>> queue_directory = /var/spool/postfix
>> readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
>> sample_directory = /usr/share/doc/postfix-2.6.6/samples
>> sendmail_path = /usr/sbin/sendmail.postfix
>> setgid_group = postdrop
>> unknown_local_recipient_reject_code = 550
>> virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf
>> virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
>> virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
>> virtual_transport = dovecot
>> [ec2-user@ip-172-31-24-2 conf.d]$
> 
> While being at Postfix: You have zero SASL configuration, unless it is 
> defined in master.cf for the submission transport.

Let's do 1 problem at a time… Unless SASL is needed for sending email?
> 
>> Here is the same error:
>> 
>> Apr  2 22:25:50 ip-172-31-24-2 dovecot: auth: Fatal: Unknown database driver 
>> 'sql'
>> Apr  2 22:25:50 ip-172-31-24-2 dovecot: master: Error: service(auth): 
>> command startup failed, throttling for 60 secs
>> Apr  2 22:25:50 ip-172-31-24-2 dovecot: imap-login: Disconnected: Auth 
>> process broken (disconnected before auth was ready, waited 9 secs): user=<>, 
>> rip=127.0.0.1, lip=127.0.0.1, secured, session=
> 
> Please provide the output of "doveconf -n". You have a severe configuration 
> error so that the auth process fails.

Here is the output:

[ec2-user@ip-172-31-24-2 conf.d]$ dovecot -n
# 2.2.10: /etc/dovecot/dovecot.conf
# OS: Linux 4.1.17-22.30.amzn1.x86_64 x86_64  ext4
auth_mechanisms = plain login
mail_location = maildir:/var/vmail/%d/%n/Maildir
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location = 
  prefix = 
  separator = .
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
protocols = imap lmtp
service auth {
  unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
  }
  unix_listener auth-userdb {
group = postfix
mode = 0600
user = postfix
  }
  user = dovecot
}
service imap-login {
  inet_listener imap {
port = 143
  }
  inet_listener imaps {
port = 993
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
group = postfix
mode = 0600
user = postfix
  }
}
ssl = no
ssl_cert = 

Re: Still muddling through with broken auth...

2016-04-02 Thread Jason Pruim
Hey Edgar,

Thanks for catching that! Missed it earlier! Got it changed but I’m still 
having the same error updated postconf -n:

[ec2-user@ip-172-31-24-2 conf.d]$ postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = localhost
inet_protocols = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_transport = dovecot
[ec2-user@ip-172-31-24-2 conf.d]$ 

Here is the same error:

Apr  2 22:25:50 ip-172-31-24-2 dovecot: auth: Fatal: Unknown database driver 
'sql'
Apr  2 22:25:50 ip-172-31-24-2 dovecot: master: Error: service(auth): command 
startup failed, throttling for 60 secs
Apr  2 22:25:50 ip-172-31-24-2 dovecot: imap-login: Disconnected: Auth process 
broken (disconnected before auth was ready, waited 9 secs): user=<>, 
rip=127.0.0.1, lip=127.0.0.1, secured, session=



I feel like I’m missing something simple but can’t see the forest through the 
trees…


Jason Pruim
pru...@gmail.com
352.234.3175


> On Apr 2, 2016, at 5:54 PM, Edgar Pettijohn  wrote:
> 
> 
> 
> Sent from my iPhone
> 
>> On Apr 2, 2016, at 4:11 PM, Jason Pruim  wrote:
>> 
>> Hey Everyone,
>> 
>> I’m still muddling through my first install… Followed the tutorials on 
>> workaround.org <http://workaround.org/> which were very helpful! but don’t 
>> include much info if things don’t work 100%… and so far I haven’t been able 
>> to pin down where the error is. When I try: telnet localhost 143 this is 
>> what shows up in the maillog:
>> 
>> Apr  2 21:06:57 ip-172-31-24-2 dovecot: auth: Fatal: Unknown database driver 
>> 'sql'
>> Apr  2 21:06:57 ip-172-31-24-2 dovecot: master: Error: service(auth): 
>> command startup failed, throttling for 2 secs
>> Apr  2 21:06:57 ip-172-31-24-2 dovecot: imap-login: Disconnected: Auth 
>> process broken (disconnected before auth was ready, waited 0 secs): user=<>, 
>> rip=127.0.0.1, lip=127.0.0.1, secured, session=<+lw34IYvVgB/AAAB>
>> 
>> With the failed driver for the database, I tried mysql and sql both of which 
>> produce the same error… I have a few other issues but I think those are 
>> related farther upstream… Not being able to sign into round cube for 
>> webmail, because of it being unable to connect to the storage container… But 
>> I think that’s a round cube issue… I want to get postfix and dovecot playing 
>> nicely before I worry too much about things like webmail access…
>> 
>> Here is my postconf -n:
>> 
>> [ec2-user@ip-172-31-24-2 dovecot]$ postconf -n
>> alias_database = hash:/etc/aliases
>> alias_maps = hash:/etc/aliases
>> command_directory = /usr/sbin
>> config_directory = /etc/postfix
>> daemon_directory = /usr/libexec/postfix
>> data_directory = /var/lib/postfix
>> debug_peer_level = 2
>> html_directory = no
>> inet_interfaces = localhost
>> inet_protocols = all
>> mail_owner = postfix
>> mailq_path = /usr/bin/mailq.postfix
>> manpage_directory = /usr/share/man
>> mydestination = $myhostname, localhost.$mydomain, localhost
>> newaliases_path = /usr/bin/newaliases.postfix
>> queue_directory = /var/spool/postfix
>> readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
>> sample_directory = /usr/share/doc/postfix-2.6.6/samples
>> sendmail_path = /usr/sbin/sendmail.postfix
>> setgid_group = postdrop
>> unknown_local_recipient_reject_code = 550
>> virtual_mailbox_domains = hash:/etc/postfix/virtual_mailbox_domains
>> virtual_mailbox_maps = hash:/etc/postfix/virtual_mailbox_users
>> virtual_transport = dovecot
>> [ec2-user@ip-172-31-24-2 dovecot]$ 
> 
> 
> I don't use postfix, but I'm guessing the above hash:/etc/ should probably be 
> some form of mysql:/etc/...
> 
>> 
>> What else can I provide?
>> 
>> Thanks!
>> 
>> 
>> 
>> Jason Pruim
>> pru...@gmail.com
>> 352.234.3175


Still muddling through with broken auth...

2016-04-02 Thread Jason Pruim
Hey Everyone,

I’m still muddling through my first install… Followed the tutorials on 
workaround.org <http://workaround.org/> which were very helpful! but don’t 
include much info if things don’t work 100%… and so far I haven’t been able to 
pin down where the error is. When I try: telnet localhost 143 this is what 
shows up in the maillog:

Apr  2 21:06:57 ip-172-31-24-2 dovecot: auth: Fatal: Unknown database driver 
'sql'
Apr  2 21:06:57 ip-172-31-24-2 dovecot: master: Error: service(auth): command 
startup failed, throttling for 2 secs
Apr  2 21:06:57 ip-172-31-24-2 dovecot: imap-login: Disconnected: Auth process 
broken (disconnected before auth was ready, waited 0 secs): user=<>, 
rip=127.0.0.1, lip=127.0.0.1, secured, session=<+lw34IYvVgB/AAAB>

With the failed driver for the database, I tried mysql and sql both of which 
produce the same error… I have a few other issues but I think those are related 
farther upstream… Not being able to sign into round cube for webmail, because 
of it being unable to connect to the storage container… But I think that’s a 
round cube issue… I want to get postfix and dovecot playing nicely before I 
worry too much about things like webmail access…

Here is my postconf -n:

[ec2-user@ip-172-31-24-2 dovecot]$ postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = localhost
inet_protocols = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
unknown_local_recipient_reject_code = 550
virtual_mailbox_domains = hash:/etc/postfix/virtual_mailbox_domains
virtual_mailbox_maps = hash:/etc/postfix/virtual_mailbox_users
virtual_transport = dovecot
[ec2-user@ip-172-31-24-2 dovecot]$ 


What else can I provide?

Thanks!



Jason Pruim
pru...@gmail.com
352.234.3175


First dovecot install

2016-03-28 Thread Jason Pruim
Hey Everyone,

I am trying to get postfix and dovecot to talk to each other… postfix is up and 
running, dovecot allows me to telnet into it both locally and remotely, but 
when I try to do: “a login “username” “password” I get an authentication failed 
error… Here is my dovecot -n:

[ec2-user@ip-172-31-24-2 dovecot]$ dovecot -n
# 2.2.10: /etc/dovecot/dovecot.conf
# OS: Linux 4.1.17-22.30.amzn1.x86_64 x86_64  
auth_debug_passwords = yes
auth_mechanisms = plain login
first_valid_uid = 200
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
mail_debug = yes
mail_gid = 12
mail_home = /mnt/vmail/%d/%n
mail_location = maildir:~
mail_uid = 200
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character 
vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy 
include variables body enotify environment mailbox date ihave
mbox_write_locks = fcntl
passdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}
plugin {
  autocreate = Trash
  autocreate2 = Sent
  autocreate3 = Junk
  autosubscribe = Trash
  autosubscribe2 = Sent
  autosubscribe3 = Junk
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
  sieve_global_dir = /etc/dovecot/sieve/global/
  sieve_global_path = /etc/dovecot/sieve/default.sieve
  sieve_max_script_size = 1M
}
protocols = imap lmtp sieve pop3
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = ec2-user
  }
  unix_listener auth-userdb {
    group = mail
    mode = 0600
    user = mailreader
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
}
ssl = required
ssl_cert = 

Re: New dovecot user needs installation help

2016-03-15 Thread Jason Pruim

Jason Pruim
pru...@gmail.com
352.234.3175


> On Mar 15, 2016, at 8:21 AM, Steffen Kaiser  
> wrote:
> 
> On Tue, 15 Mar 2016, Jason Pruim wrote:
>>> On Mar 15, 2016, at 3:22 AM, Steffen Kaiser  
>>> wrote:
>>> 
>>>> On Mon, 14 Mar 2016, Jason Pruim wrote:
>>>> 
>>>> So I just setup my first dovecot install with postfix running for the mail 
>>>> server… I can telnet into my dovecot install and login just fine
>>> 
>>> what does "telnet into my dovecot install" mean exactly?
>> 
>> I used telnet to connect to port 143 and issued some smtp commands including 
>> logging into an account.
> 
> I issued SMTP commands on port 143 ?

telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE 
STARTTLS AUTH=PLAIN] Dovecot ready.
a login "beth" "beth4338"
a OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT 
SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT CHILDREN 
NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT 
SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS] Logged in
select inbox
select BAD Error in IMAP command INBOX: Unknown command.

> 
>>> 
>>> Have you read:
>>> http://wiki2.dovecot.org/TestInstallation
>> 
>> I did yes... But I will go back over it tonight when I get back home.
>>> 
>>>> with my user locally… But when I try to add the account from my phone, 
>>>> computer, or telnetting from my local computer, it just hangs and 
>>>> eventually kicks back a generic error saying it can’t be added… Where can 
>>>> I start looking? I’m hosted with amazon web services and I’m waiting on 
>>>> them to approve my request to white list my IP on my instance, but that 
>>>> should only restrict my ability to send email out on port 25… I should 
>>>> still be able to operate locally…
>>>> 
>>>> 
>>>> According to the firewall on amazon port 143 and 993 are both allowed from 
>>>> any IP address into the server (All outbound traffic is currently open 
>>>> until I get it working)
>>>> 
>>>> I’m thinking it’s something easy, and I can handle pointers! I don’t 
>>>> necessarily need my hand held the entire way… At least not yet…
>>>> 
>>>> Here is the output of my dovecot -n:
>>>> 
>>>> [ec2-user@ip-172-31-22-222 log]$ dovecot -n
>>>> # 2.0.9: /etc/dovecot/dovecot.conf
>>>> # OS: Linux 3.14.48-33.39.amzn1.x86_64 x86_64
>>>> mail_location = mbox:~/mail:INBOX=/var/mail/%u
>>>> mbox_write_locks = fcntl
>>>> passdb {
>>>> driver = pam
>>>> }
>>>> ssl_cert =
>>>> ssl_key =
>>>> userdb {
>>>> driver = passwd
>>>> }
>>>> [ec2-user@ip-172-31-22-222 log]$
> 
> - -- Steffen Kaiser


Re: New dovecot user needs installation help

2016-03-15 Thread Jason Pruim
This is all it’s showing me in the log:

[ec2-user@ip-172-31-22-222 ~]$ sudo tail -f /var/log/maillog
Mar 15 20:39:41 ip-172-31-22-222 dovecot: doveadm: Debug: This is Dovecot's 
debug log (1458074381)
Mar 15 20:39:41 ip-172-31-22-222 dovecot: doveadm: This is Dovecot's info log 
(1458074381)
Mar 15 20:39:41 ip-172-31-22-222 dovecot: doveadm: Warning: This is Dovecot's 
warning log (1458074381)
Mar 15 20:39:41 ip-172-31-22-222 dovecot: doveadm: Error: This is Dovecot's 
error log (1458074381)
Mar 15 20:39:41 ip-172-31-22-222 dovecot: doveadm: Fatal: This is Dovecot's 
fatal log (1458074381)
Mar 15 20:39:50 ip-172-31-22-222 dovecot: doveadm: Debug: This is Dovecot's 
debug log (1458074390)
Mar 15 20:39:50 ip-172-31-22-222 dovecot: doveadm: This is Dovecot's info log 
(1458074390)
Mar 15 20:39:50 ip-172-31-22-222 dovecot: doveadm: Warning: This is Dovecot's 
warning log (1458074390)
Mar 15 20:39:50 ip-172-31-22-222 dovecot: doveadm: Error: This is Dovecot's 
error log (1458074390)
Mar 15 20:39:50 ip-172-31-22-222 dovecot: doveadm: Fatal: This is Dovecot's 
fatal log (1458074390)
Mar 15 20:41:53 ip-172-31-22-222 dovecot: imap-login: Login: user=, 
method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=1561, secured


I just logged in and ran the commands. you can see my login, but it’s not 
logging any errors… Although it won’t let me select my inbox on that user…


Jason Pruim
pru...@gmail.com
352.234.3175


> On Mar 15, 2016, at 1:06 AM, Aki Tuomi  wrote:
> 
> Can you run doveadm log errors too?
> 
> 
> 
> ---
> Aki Tuomi
> Dovecot oy
> 
> -------- Original message --------
> From: Jason Pruim
> Date: 15.3.2016 4.50 (GMT+02:00)
> To: dovecot@dovecot.org
> Subject: New dovecot user needs installation help
> 
> Hey Everyone,
> 
> So I just setup my first dovecot install with postfix running for the mail 
> server… I can telnet into my dovecot install and login just fine with my user 
> locally… But when I try to add the account from my phone, computer, or 
> telnetting from my local computer, it just hangs and eventually kicks back a 
> generic error saying it can’t be added… Where can I start looking? I’m hosted 
> with amazon web services and I’m waiting on them to approve my request to 
> white list my IP on my instance, but that should only restrict my ability to 
> send email out on port 25… I should still be able to operate locally…
> 
> 
> According to the firewall on amazon port 143 and 993 are both allowed from 
> any IP address into the server (All outbound traffic is currently open until 
> I get it working)
> 
> I’m thinking it’s something easy, and I can handle pointers! I don’t 
> necessarily need my hand held the entire way… At least not yet…
> 
> Here is the output of my dovecot -n:
> 
> [ec2-user@ip-172-31-22-222 log]$ dovecot -n
> # 2.0.9: /etc/dovecot/dovecot.conf
> # OS: Linux 3.14.48-33.39.amzn1.x86_64 x86_64  
> mail_location = mbox:~/mail:INBOX=/var/mail/%u
> mbox_write_locks = fcntl
> passdb {
>   driver = pam
> }
> ssl_cert =
> ssl_key =
> userdb {
>   driver = passwd
> }
> [ec2-user@ip-172-31-22-222 log]$ 
> 
> 
> 
> 
> Let me know if there is anything else you need, or where to go from here!
> 
> Thanks in advance!
> 
> Jason Pruim
> pru...@gmail.com


Re: New dovecot user needs installation help

2016-03-15 Thread Jason Pruim


Sent from my iPhone

> On Mar 15, 2016, at 3:22 AM, Steffen Kaiser  
> wrote:
> 
>> On Mon, 14 Mar 2016, Jason Pruim wrote:
>> 
>> So I just setup my first dovecot install with postfix running for the mail 
>> server… I can telnet into my dovecot install and login just fine
> 
> what does "telnet into my dovecot install" mean exactly?

I used telnet to connect to port 143 and issued some smtp commands including 
logging into an account. 
> 
> Have you read:
> http://wiki2.dovecot.org/TestInstallation

I did yes... But I will go back over it tonight when I get back home. 
> 
>> with my user locally… But when I try to add the account from my phone, 
>> computer, or telnetting from my local computer, it just hangs and eventually 
>> kicks back a generic error saying it can’t be added… Where can I start 
>> looking? I’m hosted with amazon web services and I’m waiting on them to 
>> approve my request to white list my IP on my instance, but that should only 
>> restrict my ability to send email out on port 25… I should still be able to 
>> operate locally…
>> 
>> 
>> According to the firewall on amazon port 143 and 993 are both allowed from 
>> any IP address into the server (All outbound traffic is currently open until 
>> I get it working)
>> 
>> I’m thinking it’s something easy, and I can handle pointers! I don’t 
>> necessarily need my hand held the entire way… At least not yet…
>> 
>> Here is the output of my dovecot -n:
>> 
>> [ec2-user@ip-172-31-22-222 log]$ dovecot -n
>> # 2.0.9: /etc/dovecot/dovecot.conf
>> # OS: Linux 3.14.48-33.39.amzn1.x86_64 x86_64
>> mail_location = mbox:~/mail:INBOX=/var/mail/%u
>> mbox_write_locks = fcntl
>> passdb {
>> driver = pam
>> }
>> ssl_cert =
>> ssl_key =
>> userdb {
>> driver = passwd
>> }
>> [ec2-user@ip-172-31-22-222 log]$
>> 
>> 
>> 
>> 
>> Let me know if there is anything else you need, or where to go from here!
>> 
>> Thanks in advance!
>> 
>> Jason Pruim
>> pru...@gmail.com
> 
> - -- Steffen Kaiser


Thanks for taking the time to look!

New dovecot user needs installation help

2016-03-14 Thread Jason Pruim
Hey Everyone,

So I just setup my first dovecot install with postfix running for the mail 
server… I can telnet into my dovecot install and login just fine with my user 
locally… But when I try to add the account from my phone, computer, or 
telnetting from my local computer, it just hangs and eventually kicks back a 
generic error saying it can’t be added… Where can I start looking? I’m hosted 
with amazon web services and I’m waiting on them to approve my request to white 
list my IP on my instance, but that should only restrict my ability to send 
email out on port 25… I should still be able to operate locally…


According to the firewall on amazon port 143 and 993 are both allowed from any 
IP address into the server (All outbound traffic is currently open until I get 
it working)

I’m thinking it’s something easy, and I can handle pointers! I don’t 
necessarily need my hand held the entire way… At least not yet…

Here is the output of my dovecot -n:

[ec2-user@ip-172-31-22-222 log]$ dovecot -n
# 2.0.9: /etc/dovecot/dovecot.conf
# OS: Linux 3.14.48-33.39.amzn1.x86_64 x86_64  
mail_location = mbox:~/mail:INBOX=/var/mail/%u
mbox_write_locks = fcntl
passdb {
  driver = pam
}
ssl_cert = 

ntlm_auth random failures with dovecot

2015-01-03 Thread Jason Gunthorpe
I'm still a bit fuzzy on exactly what has blown up here since my 1.2
install (or maybe it was broken then and I never noticed), but it
looks like the way dovecot is calling out to ntlm_auth is violating
the --helper-protocol=squid-2.5-ntlmssp scheme.

The issue is how it handles simultaneous clients connecting - for
instance launching thunderbird with NTLM auth creates multiple imapds
that all have to be auth'd.

Since dovecot doesn't (and apparently didn't in 1.2?) serialize this
it ends up sending a jumble to ntlm_auth. Strace sayth, as example:

read(0, "YR xxx=\n", 4096) = 48
read(0, "YR xxx=\n", 4096) = 48
read(0, "KK xxx=\n",4096) = 176
read(0, "KK xxx=\n",4096) = 176

That is two clients connecting at once, and the sequence has become
jumbled.

Fiddling around with ntlm_auth manually I can get it to give me this:

YR xxx # 1
TT xxx # 1
YR xxx # 2
TT xxx # 2
KK xxx # 2
AF jgg # 2
KK xxx # 1
Called NTLMSSP after state machine was 'done'
GENSEC login failed: NT_STATUS_INVALID_PARAMETER
NA NT_STATUS_INVALID_PARAMETER

Ie, reordering the sequence (# 1 and # 2) causes it to tell you that,
no, the sequence cannot be reordered.

To me this says the samba folks expect that the YY/TT/KK/AF sequence
is *NOT* reordered.

The implication is that the mech-winbind in dovecot must serialize
everything, and it doesn't!

So, this is fairly broken, I can hit these failure causes with a high
probability when using thunderbird.

Any thoughts on how to repair this?

The simplest answer would be to pool and assign a ntlm_auth process to
each incoming auth context, or to actually serialize auth. But it
can't treat ntlm_auth as a stateless helper.

Jason
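
The ordering problem described in this message, as an added C model that is not part of the original post and is not Dovecot or Samba code: one helper holds a single NTLMSSP exchange, so interleaved YR/KK lines from two auth contexts fail, while serializing them or pinning one helper per context succeeds. All struct and function names are hypothetical, and it assumes a YR always starts a fresh exchange, as the transcript above suggests.

```c
#include <stdio.h>
#include <string.h>

/* Model of ONE helper process speaking the squid-2.5-ntlmssp line protocol.
 * It holds a single NTLMSSP exchange at a time. Simplified stand-in written
 * for this example, not Samba's ntlm_auth. */
enum helper_state { H_IDLE, H_CHALLENGED, H_DONE };

struct helper {
    enum helper_state state;
    int owner;               /* client the outstanding TT challenge belongs to */
};

enum verb { YR, KK };        /* request lines written to the helper */
enum reply { TT, AF, NA };   /* reply lines read back from it       */

struct step { int client; enum verb verb; };

/* Process one request line. Assumption: a YR always starts a new exchange,
 * which matches the transcript in the post (YR #2 is answered with TT #2). */
static enum reply helper_handle(struct helper *h, int client, enum verb v)
{
    if (v == YR) {
        h->state = H_CHALLENGED;
        h->owner = client;
        return TT;
    }
    /* KK is only valid as the answer to the challenge currently held. */
    if (h->state == H_CHALLENGED && h->owner == client) {
        h->state = H_DONE;
        return AF;
    }
    return NA;               /* e.g. called after the state machine was 'done' */
}

#define MAX_CLIENTS 4
#define NSTEPS 4

/* Replay a schedule of requests.
 * pinned == 0: every auth context writes to the same helper (the behaviour
 *              described in the post).
 * pinned != 0: each auth context keeps its own helper for the whole
 *              exchange (the pooling fix suggested in the post).
 * Returns how many clients ended with NA; per-client verdicts go to final[]. */
static int replay(const struct step *sched, size_t n, int pinned,
                  enum reply final[MAX_CLIENTS])
{
    struct helper helpers[MAX_CLIENTS];
    int failures = 0;
    size_t i;

    memset(helpers, 0, sizeof(helpers));    /* every helper starts H_IDLE */
    for (i = 0; i < MAX_CLIENTS; i++)
        final[i] = TT;                      /* TT here means "no verdict yet" */

    for (i = 0; i < n; i++) {
        int c = sched[i].client;
        struct helper *h = &helpers[pinned ? c : 0];
        enum reply r = helper_handle(h, c, sched[i].verb);

        if (sched[i].verb == KK) {
            final[c] = r;
            if (r == NA)
                failures++;
        }
    }
    return failures;
}

/* Constructed schedules. INTERLEAVED is the request order from the manual
 * transcript in the post: YR #1, YR #2, KK #2, KK #1. */
static const struct step INTERLEAVED[NSTEPS] = {
    {1, YR}, {2, YR}, {2, KK}, {1, KK}
};
static const struct step SERIALIZED[NSTEPS] = {
    {1, YR}, {1, KK}, {2, YR}, {2, KK}
};

static enum reply verdicts[MAX_CLIENTS];

int main(void)
{
    printf("shared helper, interleaved: %d failed\n",
           replay(INTERLEAVED, NSTEPS, 0, verdicts));
    printf("shared helper, serialized:  %d failed\n",
           replay(SERIALIZED, NSTEPS, 0, verdicts));
    printf("pinned helpers, interleaved: %d failed\n",
           replay(INTERLEAVED, NSTEPS, 1, verdicts));
    return 0;
}
```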


[PATCH] LAYOUT=imapdir is broken in v2.2

2015-01-03 Thread Jason Gunthorpe
The next thing I noticed in my v1.2 -> 2.2 upgrade is that

mail_location = maildir:[..]:LAYOUT=imapdir

is broken, the symptom is dovecot returning this to the client when
requesting any mailbox beyond INBOX:

  Character not allowed in mailbox name: '

Which is actually trying to say "Character not allowed in mailbox name: '\0'",
but since the %c is not escaped it ends up with the truncated string.

This patch fixes it:

diff --git a/src/lib-storage/list/mailbox-list-maildir.c 
b/src/lib-storage/list/mailbox-list-maildir.c
index c99a2900a6d6..ae5f35d955ac 100644
--- a/src/lib-storage/list/mailbox-list-maildir.c
+++ b/src/lib-storage/list/mailbox-list-maildir.c
@@ -46,6 +46,7 @@ static struct mailbox_list *imapdir_list_alloc(void)
list = p_new(pool, struct maildir_mailbox_list, 1);
list->list = imapdir_mailbox_list;
list->list.pool = pool;
+   list->sep = '.';
 
list->global_temp_prefix = IMAPDIR_GLOBAL_TEMP_PREFIX;
list->temp_prefix = p_strconcat(pool, list->global_temp_prefix,
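
Review bot: the added "list->sep = '.';" in imapdir_list_alloc() repeats the literal that maildir_list_alloc() also sets, so the two layouts can drift apart again in the same way; consider a shared macro or one common initialization point for sep, and add a test that opens a mailbox other than INBOX under LAYOUT=imapdir. The message above also notes that the client sees a string cut off at '\0' because the offending character is printed with a raw %c; this patch does not touch that reporting path, so a follow-up that prints the character in escaped form would keep a zero separator from producing an unreadable error again.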

Analysis:

I noticed this while upgrading a dovecot install from 1.2.15 (squeeze) to
2.2.13 (jessie).

This upstream commit

author  Timo Sirainen 
Thu Jan 20 20:59:07 2011 +0200 (2011-01-20)
changeset 12586 a2780b694b2d
parent 12585b748c622e896
child 12587 c3a258ee96c4

lib-storage: mailbox_alloc() now takes a virtual mailbox name and other 
related API changes.
All storage_name <-> vname conversions now go through the same two
mailbox_list methods. This has many benefits, such as:

* listescape plugin is now much simpler and bugfree
* allows changing lib-storage API to use UTF-8 mailbox names in future
* allows creation of "mailbox aliases" plugin

Restructured the _alloc functions to move the hierarchy_sep from the initializer
into the _alloc call itself:

@@ -29,6 +30,7 @@ static struct mailbox_list *maildir_list_alloc(void)
list = p_new(pool, struct maildir_mailbox_list, 1);
list->list = maildir_mailbox_list;
list->list.pool = pool;
+   list->sep = '.';

list->global_temp_prefix = MAILDIR_GLOBAL_TEMP_PREFIX;
list->temp_prefix = p_strconcat(pool, list->global_temp_prefix,
[..]
 struct mailbox_list maildir_mailbox_list = {
.name = MAILBOX_LIST_NAME_MAILDIRPLUSPLUS,
-   .hierarchy_sep = '.',
.props = MAILBOX_LIST_PROP_NO_MAILDIR_NAME |
MAILBOX_LIST_PROP_NO_ALT_DIR |
MAILBOX_LIST_PROP_NO_NOSELECT,
[..]
 struct mailbox_list imapdir_mailbox_list = {
.name = MAILBOX_LIST_NAME_IMAPDIR,
-   .hierarchy_sep = '.',
.props = MAILBOX_LIST_PROP_NO_MAILDIR_NAME |
MAILBOX_LIST_PROP_NO_ALT_DIR |
MAILBOX_LIST_PROP_NO_NOSELECT,

Noting that hierarchy_sep was removed from maildir_mailbox_list and
imapdir_mailbox_list but only added to maildir_list_alloc(), and not
imapdir_list_alloc(). This ultimately results in
mailbox_list_get_hierarchy_sep() returning '\0' and mailbox_verify_name()
failing everything (all strings contain '\0' according to strchr).

This ended up as debian bug #774533

Regards,
Jason
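
The two C behaviours behind this analysis, as an added example that is not part of the original message and is not Dovecot's code: strchr() matches the terminating NUL, so a '\0' separator rejects every name, and formatting that NUL with %c cuts the error string short. model_list, model_verify_name() and printable_char() are hypothetical names, and the check is a simplified stand-in for mailbox_verify_name().

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the list object; only the separator matters. */
struct model_list { char sep; };

/* Simplified model of a name check that rejects names containing the
 * storage separator. Returns 0 if the name passes, -1 with a message in
 * err otherwise. Not Dovecot's mailbox_verify_name(). */
static int model_verify_name(const struct model_list *list, const char *name,
                             char *err, size_t errlen)
{
    err[0] = '\0';
    /* strchr() treats the terminating NUL as part of the string, so with
     * sep == '\0' this test is true for every name, including "". */
    if (strchr(name, list->sep) != NULL) {
        /* Same pattern as the reported message: the raw character goes
         * through %c, so a NUL ends the C string right after the quote. */
        snprintf(err, errlen, "Character not allowed in mailbox name: '%c'",
                 list->sep);
        return -1;
    }
    return 0;
}

/* Render one character so that it survives in a C string and in logs:
 * printable ASCII as-is, everything else as \xNN. */
static const char *printable_char(char c, char *buf, size_t buflen)
{
    if (c >= 0x20 && c < 0x7f)
        snprintf(buf, buflen, "%c", c);
    else
        snprintf(buf, buflen, "\\x%02x", (unsigned char)c);
    return buf;
}

/* Constructed inputs: one list with the separator set as in the patch,
 * one with the field left zeroed as described in the analysis. */
static const struct model_list FIXED_LIST = { '.' };
static const struct model_list BROKEN_LIST = { '\0' };

static char errbuf[128];
static char chbuf[8];

int main(void)
{
    const char *names[] = { "Archive", "Sent", "" };
    size_t i;

    for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        int fixed = model_verify_name(&FIXED_LIST, names[i],
                                      errbuf, sizeof(errbuf));
        int broken = model_verify_name(&BROKEN_LIST, names[i],
                                       errbuf, sizeof(errbuf));
        /* errbuf now holds the truncated message from the broken list. */
        printf("name=\"%s\" sep='.': %d  sep=NUL: %d  error seen: [%s]\n",
               names[i], fixed, broken, errbuf);
    }
    printf("escaped separator: '%s'\n",
           printable_char(BROKEN_LIST.sep, chbuf, sizeof(chbuf)));
    return 0;
}
```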


dovecot and ntlm_auth through winbind

2015-01-03 Thread Jason Gunthorpe
Hi all,

I am upgrading a dovecot 1.2 installation to a 2.2 installation and
have found and fixed a number of problems..

I've seen several postings in the archive about ntlm_auth not working,
and it is true, there are several regressions in dovecot here.

The first and simplest is that the enablement instructions in the
wiki are wrong. ntlm_auth must be called as root, which is what 1.2
did.

2.2 defaults to calling it as the auth user which subtly doesn't work:

Dec 30 20:30:21 quartz dovecot[8439]: auth: Error: Login for user 
[]\[jgg]@[wakko] failed due to [Reading winbind reply failed!]
Dec 30 20:30:21 quartz dovecot[8439]: auth: Error: 
../auth/ntlmssp/ntlmssp_server.c:454: Checking NTLMSSP password for \jgg 
failed: NT_STATUS_UNSUCCESSFUL
Dec 30 20:30:21 quartz dovecot[8439]: auth: Error: GENSEC login failed: 
NT_STATUS_UNSUCCESSFUL
Dec 30 20:30:21 quartz dovecot[8439]: auth: Error: winbind: ntlm_auth exited 
with exit code 0

The fix is simple, run auth as root:

service auth {
  user = root
}

This ended up as debian bug #774263 which has a few more details.

Regards,
Jason


Re: [Dovecot] dovecot temporary suspension all of pop3 login about 5 minutes

2014-04-28 Thread Jason
Dear Steffen Kaiser,

I fixed the problem after upgrading to v2.2.12.

Best regards,

Jason

-Original Message-
From: dovecot [mailto:dovecot-boun...@dovecot.org] On Behalf Of Steffen
Kaiser
Sent: Friday, April 25, 2014 3:14 PM
To: Jason
Cc: dovecot@dovecot.org
Subject: Re: [Dovecot] dovecot temporary suspension all of pop3 login about
5 minutes

On Fri, 25 Apr 2014, Jason wrote:

> When a user logs in via POP3 more than 10 times in 1 minute, dovecot
> temporarily suspends all POP3 logins for about 5 minutes.
>
> How can I disable this setting in dovecot?

> Apr 24 16:11:14 mww dovecot: pop3-login: Login: user=, method=PLAIN,
> rip=192.168.16.84, lip=192.168.16.159, mpid=8767, session=<5USPZMX3/QDAqBBU>
> Apr 24 16:11:14 mww dovecot: pop3(scan): Disconnected: Logged out top=0/0,
> retr=0/0, del=0/0, size=0
> Apr 24 16:11:15 mww dovecot: auth-worker: Error: no talloc stackframe at
> ../source3/param/loadparm.c:4864, leaking memory

> # 2.2.9: /etc/dovecot/dovecot.conf

> doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:99:
> ssl_disable has been renamed to ssl
...
> ssl = no

Check out last log line, it's a bug. First try update your config, then
upgrade to v2.2.13, then let us know if your bug is fixed.

BTW: I do not find any loadparm.c in v2.2.12.

http://ubuntuforums.org/showthread.php?t=2214042
http://osdir.com/ml/ubuntu-bugs/2014-04/msg16458.html
http://ubuntuforums.org/showthread.php?t=2218612

Looks like an Ubuntu bug with authentication.

- --
Steffen Kaiser


Re: [Dovecot] dovecot temporary suspension all of pop3 login about 5 minutes

2014-04-25 Thread Jason
Dear Steffen Kaiser,

Thank you very much!

Best regards,

Jason

-Original Message-
From: Steffen Kaiser [mailto:skdove...@smail.inf.fh-brs.de] 
Sent: Friday, April 25, 2014 3:14 PM
To: Jason
Cc: dovecot@dovecot.org
Subject: Re: [Dovecot] dovecot temporary suspension all of pop3 login about
5 minutes

On Fri, 25 Apr 2014, Jason wrote:

> When a user logs in via POP3 more than 10 times in 1 minute, dovecot
> temporarily suspends all POP3 logins for about 5 minutes.
>
> How can I disable this setting in dovecot?

> Apr 24 16:11:14 mww dovecot: pop3-login: Login: user=, method=PLAIN,
> rip=192.168.16.84, lip=192.168.16.159, mpid=8767, session=<5USPZMX3/QDAqBBU>
> Apr 24 16:11:14 mww dovecot: pop3(scan): Disconnected: Logged out top=0/0,
> retr=0/0, del=0/0, size=0
> Apr 24 16:11:15 mww dovecot: auth-worker: Error: no talloc stackframe at
> ../source3/param/loadparm.c:4864, leaking memory

> # 2.2.9: /etc/dovecot/dovecot.conf

> doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:99:
> ssl_disable has been renamed to ssl
...
> ssl = no

Check out last log line, it's a bug. First try update your config, then
upgrade to v2.2.13, then let us know if your bug is fixed.

BTW: I do not find any loadparm.c in v2.2.12.

http://ubuntuforums.org/showthread.php?t=2214042
http://osdir.com/ml/ubuntu-bugs/2014-04/msg16458.html
http://ubuntuforums.org/showthread.php?t=2218612

Looks like an Ubuntu bug with authentication.

- --
Steffen Kaiser


[Dovecot] dovecot temporary suspension all of pop3 login about 5 minutes

2014-04-24 Thread Jason
Dear All,

 

When a user logs in via POP3 more than 10 times in 1 minute, dovecot
temporarily suspends all POP3 logins for about 5 minutes.

How can I disable this setting in dovecot?

 

Mail Log:

Apr 24 16:11:14 mww dovecot: pop3-login: Login: user=, method=PLAIN, 
rip=192.168.16.84, lip=192.168.16.159, mpid=8767, session=<5USPZMX3/QDAqBBU> 

Apr 24 16:11:14 mww dovecot: pop3(scan): Disconnected: Logged out top=0/0, 
retr=0/0, del=0/0, size=0 

Apr 24 16:11:15 mww dovecot: auth-worker: Error: no talloc stackframe at 
../source3/param/loadparm.c:4864, leaking memory 

Apr 24 16:11:15 mww dovecot: pop3-login: Login: user=, method=PLAIN, 
rip=192.168.16.84, lip=192.168.16.159, mpid=8769, session= 

Apr 24 16:11:15 mww dovecot: pop3(scan): Disconnected: Logged out top=0/0, 
retr=0/0, del=0/0, size=0 

Apr 24 16:11:16 mww dovecot: auth-worker: Error: no talloc stackframe at 
../source3/param/loadparm.c:4864, leaking memory 

Apr 24 16:11:16 mww dovecot: pop3-login: Login: user=, method=PLAIN, 
rip=192.168.16.84, lip=192.168.16.159, mpid=8771, session= 

Apr 24 16:11:16 mww dovecot: pop3(scan): Disconnected: Logged out top=0/0, 
retr=0/0, del=0/0, size=0 

Apr 24 16:11:17 mww dovecot: auth-worker: Error: no talloc stackframe at 
../source3/param/loadparm.c:4864, leaking memory 

Apr 24 16:11:17 mww dovecot: pop3-login: Login: user=, method=PLAIN, 
rip=192.168.16.84, lip=192.168.16.159, mpid=8773, session=

Apr 24 16:11:17 mww dovecot: pop3(scan): Disconnected: Logged out top=0/0, 
retr=0/0, del=0/0, size=0 

Apr 24 16:11:18 mww dovecot: auth-worker: Error: no talloc stackframe at 
../source3/param/loadparm.c:4864, leaking memory 

Apr 24 16:11:18 mww dovecot: pop3-login: Login: user=, method=PLAIN, 
rip=192.168.16.84, lip=192.168.16.159, mpid=8775, session= 

Apr 24 16:11:18 mww dovecot: pop3(scan): Disconnected: Logged out top=0/0, 
retr=0/0, del=0/0, size=0 

Apr 24 16:11:23 mww dovecot: pop3-login: Disconnected (auth failed, 1 attempts 
in 4 secs): user=, method=PLAIN, rip=192.168.16.84, lip=192.168.16.159, 
session= 

Apr 24 16:12:04 mww dovecot: pop3-login: Disconnected (auth failed, 1 attempts 
in 4 secs): user=, method=PLAIN, rip=192.168.16.59, lip=192.168.16.159, 
session=

 

Dovecot v2.2.9 

 

# 2.2.9: /etc/dovecot/dovecot.conf
doveconf: Warning: NOTE: You can get a new clean config file with: doveconf -n > dovecot-new.conf
doveconf: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:99: ssl_disable has been renamed to ssl
# OS: Linux 3.13.0-24-generic x86_64 Ubuntu 14.04 LTS
disable_plaintext_auth = no
mail_location = mbox:~/mail:INBOX=/var/mail/%u
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
protocols = " imap pop3"
ssl = no
ssl_cert = 

[Dovecot] Trouble with case-sensitive LDAP user logins

2013-08-27 Thread Jason Discount
Hi All,

I have a client running Dovecot-Postfix on Debian Squeeze. I'm using Dovecot 
from the Squeeze repository.

# dovecot --version
1.2.15

I've implemented a central mail_location and am using one vmail user, as I 
thought this would be the best approach for when it came time to implement 
Shared and Public Mailboxes.

# dovecot -n
# 1.2.15: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-5-xen-686 i686 Debian 6.0.7 ext3
log_timestamp: %Y-%m-%d %H:%M:%S 
protocols: imap imaps pop3s managesieve
listen(default): 127.0.0.1:143
listen(imap): 127.0.0.1:143
listen(pop3): 127.0.0.1:110
listen(managesieve): *
ssl_listen(default): *:993
ssl_listen(imap): *:993
ssl_listen(pop3): *:995
ssl_listen(managesieve): 
ssl_ca_file: /etc/ssl/certs/RapidSSL_CA_bundle.pem
ssl_cert_file: /etc/ssl/certs/mail.example.com.2013.chain.pem
ssl_key_file: /etc/ssl/private/example.2013.key
login_dir: /var/run/dovecot/login
login_executable(default): /usr/lib/dovecot/imap-login
login_executable(imap): /usr/lib/dovecot/imap-login
login_executable(pop3): /usr/lib/dovecot/pop3-login
login_executable(managesieve): /usr/lib/dovecot/managesieve-login
mail_max_userip_connections(default): 40
mail_max_userip_connections(imap): 40
mail_max_userip_connections(pop3): 10
mail_max_userip_connections(managesieve): 10
mail_privileged_group: mail
mail_uid: vmail
mail_gid: vmail
mail_location: maildir:/var/spool/dovecot/%d/%u
mbox_write_locks: fcntl dotlock
mail_executable(default): /usr/lib/dovecot/imap
mail_executable(imap): /usr/lib/dovecot/imap
mail_executable(pop3): /usr/lib/dovecot/pop3
mail_executable(managesieve): /usr/lib/dovecot/managesieve
mail_plugins(default): quota imap_quota
mail_plugins(imap): quota imap_quota
mail_plugins(pop3): 
mail_plugins(managesieve): 
mail_plugin_dir(default): /usr/lib/dovecot/modules/imap
mail_plugin_dir(imap): /usr/lib/dovecot/modules/imap
mail_plugin_dir(pop3): /usr/lib/dovecot/modules/pop3
mail_plugin_dir(managesieve): /usr/lib/dovecot/modules/managesieve
namespace:
  type: private
  separator: /
  inbox: yes
  list: yes
  subscriptions: yes
lda:
  postmaster_address: postmas...@example.com
  mail_plugins: sieve quota
  log_path: /var/log/dovecot-deliver.log
  info_log_path: /var/log/dovecot-deliver.log
auth default:
  mechanisms: plain login
  passdb:
    driver: ldap
    args: /etc/dovecot/dovecot-ldap.conf
  userdb:
    driver: ldap
    args: /etc/dovecot/dovecot-ldap-userdb.conf
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 432
      user: postfix
      group: postfix
    master:
      path: /var/run/dovecot/auth-master
      mode: 384
      user: vmail
      group: vmail
plugin:
  quota: maildir:User
  quota_rule: *:storage=1200M
  quota_rule2: Deleted Messages:storage=10%%
  quota_rule3: Deleted Items:storage=10%%
  quota_rule4: Trash:storage=10%%
  sieve: /var/spool/sieve/%d/%u/.dovecot.sieve
  sieve_dir: /var/spool/sieve/%d/%u

All of the mail users are LDAP users only (not local UNIX users - not using 
nsswitch). dovecot-ldap-userdb.conf is a symbolic link to dovecot-ldap.conf

# grep -v '^ *\(#.*\)\?$' /etc/dovecot/dovecot-ldap.conf 
uris = ldaps://mail.example.com/
dn = uid=mail,ou=Services,dc=example,dc=com
dnpass = **
tls_require_cert = hard
auth_bind = yes
base = ou=People,dc=example,dc=com
user_attrs = quota=quota_rule=*:storage=%$M
user_filter = (&(objectClass=posixAccount)(mail=%u))
pass_attrs = uid=mail,userPassword=password
pass_filter = (&(objectClass=posixAccount)(mail=%u))

Now, mail addressed to u...@example.com and u...@example.com correctly gets 
delivered to the correct mail location of /var/spool/dovecot/example.com/user, 
but the problem occurs when the user creates their account with uppercase 
characters in their username, e.g. u...@example.com. This creates a new 
directory at /var/spool/dovecot/exaMPLE.com/user, which ever receives any mail. 
Is it possible to ignore the case the user enters in their mail client and 
always land them at the lowercase mail directory? Where would this be done?

Thank you,

Jay



[Dovecot] Trash plugin

2013-06-16 Thread Jason Pfingstmann
Hello all!  I tried to post this earlier today, but it's stuck in a
moderator queue for being too long, so here's a shorter version (mod,
please delete the pending message from me, if you read this).

I'm new to dovecot and just finished setting everything up.  It's a postfix
+ dovecot + mysql + spamassassin + postgrey virtual mail server.  The issue
I'm having (1 of 2) is that the Trash plugin isn't working, over-quota mail
is being rejected despite a large piece that would bring it under quota
with room to spare for the piece being delivered that is in the Trash
folder.

My configs (postconf -n, doveconf -n, trash.conf):
http://pastebin.com/vFJ0rfZ6

It may be unrelated, but it seems postgrey isn't running either, but maybe
those are partially tied together?

Thanks for all your help!

Jason Pfingstmann


[Dovecot] Trash plugin

2013-06-16 Thread Jason Pfingstmann
Hello!  This is my first dovecot install, which I put together by mixing
and matching pieces of various online howtos (fortunately, Dovecot doesn't
seem to be overly complex - a big plus).  I've got it mostly working, but
the trash plugin doesn't seem to be working right.  Below are configs and
some logs.

Any thoughts?  Also, any suggestions regarding my configuration?   I can
post other items for troubleshooting if they'd be helpful.

-Jason Pfingstmann

Here's my doveconf -n:

# 2.0.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-358.6.2.el6.x86_64 x86_64 CentOS release 6.4 (Final) ext4
auth_anonymous_username = anonymous
auth_cache_negative_ttl = 1 hours
auth_cache_size = 0
auth_cache_ttl = 1 hours
auth_debug = no
auth_debug_passwords = no
auth_default_realm =
auth_failure_delay = 2 secs
auth_first_valid_uid = 500
auth_gssapi_hostname =
auth_krb5_keytab =
auth_last_valid_uid = 0
auth_master_user_separator =
auth_mechanisms = plain login
auth_realms =
auth_socket_path = auth-userdb
auth_ssl_require_client_cert = no
auth_ssl_username_from_cert = no
auth_use_winbind = no
auth_username_chars =
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
auth_username_format =
auth_username_translation =
auth_verbose = no
auth_verbose_passwords = no
auth_winbind_helper_path = /usr/bin/ntlm_auth
auth_worker_max_count = 30
base_dir = /var/run/dovecot
config_cache_size = 1 M
debug_log_path =
default_client_limit = 1000
default_idle_kill = 60
default_internal_user = dovecot
default_login_user = dovenull
default_process_limit = 100
default_vsz_limit = 256 M
deliver_log_format = msgid=%m: %$
dict {
  quotadict = mysql:/etc/dovecot/dovecot-dict-quota.conf
}
dict_db_config =
director_doveadm_port = 0
director_mail_servers =
director_servers =
director_user_expire = 15 mins
disable_plaintext_auth = yes
dotlock_use_excl = no
doveadm_socket_path = doveadm-server
doveadm_worker_count = 0
first_valid_gid = 12
first_valid_uid = 101
hostname =
imap_capability =
imap_client_workarounds =
imap_id_log =
imap_id_send =
imap_idle_notify_interval = 2 mins
imap_logout_format = bytes=%i/%o
imap_max_line_length = 64 k
info_log_path =
last_valid_gid = 0
last_valid_uid = 0
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
lda_original_recipient_header =
libexec_dir = /usr/libexec/dovecot
listen = *, ::
lmtp_proxy = no
lmtp_save_to_detail_mailbox = yes
lock_method = fcntl
log_path = syslog
log_timestamp = "%b %d %H:%M:%S "
login_access_sockets =
login_greeting = Dovecot ready.
login_log_format = %$: %s
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c
login_trusted_networks =
mail_access_groups =
mail_attachment_dir =
mail_attachment_fs = sis posix
mail_attachment_hash = %{sha1}
mail_attachment_min_size = 128 k
mail_cache_fields = flags
mail_cache_min_mail_count = 0
mail_chroot =
mail_debug = no
mail_fsync = optimized
mail_full_filesystem_access = no
mail_gid =
mail_home =
mail_location = maildir:/home/vmail/%d/%n
mail_log_prefix = "%s(%u): "
mail_max_keyword_length = 50
mail_max_lock_timeout = 0
mail_max_userip_connections = 10
mail_never_cache_fields = imap.envelope
mail_nfs_index = no
mail_nfs_storage = no
mail_plugin_dir = /usr/lib64/dovecot
mail_plugins = trash
mail_privileged_group =
mail_save_crlf = no
mail_temp_dir = /tmp
mail_uid =
mailbox_idle_check_interval = 30 secs
mailbox_list_index_disable = no
maildir_copy_with_hardlinks = yes
maildir_stat_dirs = no
maildir_very_dirty_syncs = no
managesieve_client_workarounds =
managesieve_implementation_string = Dovecot Pigeonhole
managesieve_logout_format = bytes=%i/%o
managesieve_max_compile_errors = 5
managesieve_max_line_length = 65536
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character
vacation subaddress comparator-i;ascii-numeric relational regex imap4flags
copy include variables body enotify environment mailbox date
master_user_separator =
mbox_dirty_syncs = yes
mbox_dotlock_change_timeout = 2 mins
mbox_lazy_writes = yes
mbox_lock_timeout = 5 mins
mbox_min_index_size = 0
mbox_read_locks = fcntl
mbox_very_dirty_syncs = no
mbox_write_locks = dotlock fcntl
mdbox_preallocate_space = no
mdbox_rotate_interval = 0
mdbox_rotate_size = 2 M
mmap_disable = no
passdb {
  args = /etc/dovecot/dovecot-mysql.conf
  deny = no
  driver = sql
  master = no
  pass = no
}
plugin {
  acl = vfile:/etc/dovecot/acls
  quota = dict:user::proxy::quotadict
  sieve = ~/dovecot.sieve
  sieve_dir = ~/sieve
  sieve_global_dir = /home/sieve/
  sieve_global_path = /home/sieve/globalfilter.sieve
  sieve_max_script_size = 1M
  trash = /etc/dovecot/trash.conf
}
pop3_client_workarounds =
pop3_enable_last = no
pop3_fast_size_lookups = no
pop3_lock_session = no
pop3_logout_format = top=%t/%p, retr=%r/%b, del=%d/%m, size=%s
pop3_no_flag_updates = no
pop3_reuse_xuidl = no
pop3_save_uidl = no
pop3_uidl_format = %08Xu%08Xv
postmaster_address =
protoc

[Dovecot] IMAP

2013-06-10 Thread Jason Lock
We are using version 1.2.17 and recently are experiencing major issues with 
performance, which we believe we have isolated to IMAP sessions.

We have 3 servers running Dovecot, with a central store shared via NFS.  Things 
have been running quite well for months now, with the latest issues appearing 
within the last week.

As an experiment, we have 2 of the servers running and only accepting POP3 
connections, no IMAP, and the 3rd server only accepting IMAP connections and no 
POP3.

When the issue occurred today, stopping dovecot on the IMAP only server allowed 
POP3 to resume normal operations 5-10 minutes later.  Leaving IMAP disabled 
for a period of time (about 30 mins) and then re-enabling seemed to work the 
first time.  Subsequent times, the issue appeared shortly after re-enabling 
IMAP.

Our webmail solution connects via IMAP, so when disabled this also impacts 
clients using the webmail.

Running only POP3 while IMAP is disabled we do not appear to have any issues.

At this point, looking for any advice.  We believe the number of devices 
utilizing IMAP has increased significantly for us, and whether or not a 
specific device is the cause we have not been able to determine.

Anyone else experiencing a similar problem that appears related to IMAP?



Re: [Dovecot] FreeBSD, Dovecot and ZFS

2013-02-13 Thread Jason Lock
At  9PM + on 12/02/13 you (Jason Lock) wrote:
> Mail Issues - FreeBSD
> 
> Hello, my apologies if this may be the wrong forum but hoping that 
> maybe someone might be able to provide some insight.

>> This may turn out to be something better addressed on freebsd-stable, but 
>> this is a perfectly good place to start.

Thank you for your reply.

> Have a very sporadic and strange issue with our mail servers running 
> Dovecot on FreeBSD.  There are three servers hosting Dovecot with 
> FreeBSD as the underlying operating system.  All three connect to a 
> NAS server, again running FreeBSD and ZFS.

>> Over NFS, I assume? What version, what mount options, and what type of 
>> authentication? 

Yes, using NFSv3 to attach the share from the NAS to each of the POP3/IMAP 
servers.  Only mount options set are RW.  No authentication in place, NAS and 
POP3/IMAP Servers share VLAN just for the NAS connections.

>> What locking strategies is Dovecot using? 

In dovecot using the following:

dotlock_use_excl: no
mail_nfs_storage: yes
mail_nfs_index: yes
lock_method: dotlock

>> Are there any suspicious messages in syslog on either machine?

Nothing specific.

> When the specific issue occurs, clients connecting to check mail via
> POP3 or IMAP experience long delays and timeouts.  To the point where
> POP3 Logins fail due to the timeouts.  The issue is further compounded 
> by clients increasing the number of attempts to check mail.

>> Are the delays happening before or after login?

Delays appear during login, username gets passed but then it times out after the 
password is sent.

>> If you can provoke this and get a 'procstat -k' for the relevant dovecot 
>> process this might be helpful. If 'long' delays means several minutes, 
>> running something along the lines of 'procstat -k $(pgrep -U dovecot -U 
>> doveauth)' every minute or so for a while might be one way to catch this, 
>> though this will collect a lot of data rather fast so you will need some way 
>> to locate the relevant entry.

Will look to capture that information if possible, have not been able to 
re-create the situation in which the issue occurs.

>> Ben



Re: [Dovecot] FreeBSD, Dovecot and ZFS

2013-02-13 Thread Jason Lock
>> WAG would be similar issues you can face when using NFS with multiple 
>> servers accessing it (file locking issues).
>> The solution would be to use Director to make sure users are always directed 
>> to the same server.
>> http://wiki2.dovecot.org/Director
>> If that isn't the problem, then much more info would be needed (ie, doveconf 
>> -n output, logs exhibiting the problem, etc)...
>> -- 
>>
>> Best regards,
>>
>> */Charles /*

Thank you for your reply.  To expand further, the problem does not happen with 
any regularity; we went over 30 days with no issue after two weeks of sporadic 
occurrences.  It usually only appears, if at all, any time after 2:00 PM (i.e. 
14:30, 15:20, 16:10).  And not every day (has not happened on a weekend).  The 
number of POP3 and IMAP processes increases dramatically when the issue occurs.

Here is a copy of the dovecot -n output

# 1.2.17: /usr/local/etc/dovecot.conf
# OS: FreeBSD 8.1-RELEASE-p5 i386  nfs
protocols: imap imaps pop3 pop3s
ssl_cert_file: /mail/shared/etc/ssl/certs/dovecot.pem
ssl_key_file: /mail/shared/etc/ssl/private/dovecot.pem
disable_plaintext_auth: no
login_dir: /var/run/dovecot/login
login_executable(default): /usr/local/libexec/dovecot/imap-login
login_executable(imap): /usr/local/libexec/dovecot/imap-login
login_executable(pop3): /usr/local/libexec/dovecot/pop3-login
login_greeting: Hello there, who might you be?
max_mail_processes: 4096
verbose_proctitle: yes
first_valid_uid: 26
first_valid_gid: 0
mail_privileged_group: mail
mail_location: maildir:/mail/store/%d/%n
mmap_disable: yes
dotlock_use_excl: no
mail_nfs_storage: yes
mail_nfs_index: yes
lock_method: dotlock
mail_executable(default): /usr/local/libexec/dovecot/imap
mail_executable(imap): /usr/local/libexec/dovecot/imap
mail_executable(pop3): /usr/local/libexec/dovecot/pop3
mail_plugin_dir(default): /usr/local/lib/dovecot/imap
mail_plugin_dir(imap): /usr/local/lib/dovecot/imap
mail_plugin_dir(pop3): /usr/local/lib/dovecot/pop3
imap_client_workarounds(default): delay-newmail outlook-idle netscape-eoh 
tb-extra-mailbox-sep
imap_client_workarounds(imap): delay-newmail outlook-idle netscape-eoh 
tb-extra-mailbox-sep
imap_client_workarounds(pop3):
pop3_client_workarounds(default):
pop3_client_workarounds(imap):
pop3_client_workarounds(pop3): outlook-no-nuls oe-ns-eoh
lda:
  postmaster_address: {REMOVED}
  sendmail_path: /usr/local/sbin/exim
auth default:
  default_realm: {REMOVED}
  username_format: %Lu
  passdb:
    driver: sql
    args: /mail/shared/etc/dovecot-sql.conf
  userdb:
    driver: passwd
  userdb:
    driver: static
    args: uid=26 gid=6 home=/mail/store/%d/%n


[Dovecot] Is there any way to mask or hide the INBOX label for Dovecot 1.2.x Shared Mailboxes?

2013-02-12 Thread Jason Discount
Hello,

I'm setting up a new Dovecot server to replace an old Cyrus server, and need to 
keep things as consistent as possible. I have a couple local accounts, like 
junkmail and notjunkmail that users get shared access to, and can drop things 
in to train sa-update. However, when users share over junkmail's inbox, it's 
displayed in the hierarchy:

• Other Users
  • junkmail
    • INBOX

Is there any way to get junkmail's INBOX to just show up at Other 
Users/junkmail and not require that extra depth?

• Other Users
  • junkmail

I'm running Debian Squeeze and the standard dovecot package available therein:

> # uname -a
> Linux internet.digitalquay.com.au 2.6.32-5-xen-amd64 #1 SMP Sun Sep 23 
> 13:49:30 UTC 2012 x86_64 GNU/Linux
> #dovecot --version
> 1.2.15

I'm running in a configuration where all mail is owned by the vmail user, due 
to the impression I'm under, that it's a better way if there is to be shared 
mailboxes.

Relevant bits of dovecot -n:

> mail_uid: vmail
> mail_gid: vmail
> mail_location: maildir:/var/spool/dovecot/user/%u
> mail_plugins: acl imap_acl
> namespace:
>   type: private
>   separator: /
>   inbox: yes
>   list: yes
>   subscriptions: yes
> namespace:
>   type: shared
>   separator: /
>   prefix: Other Users/%%u/
>   location: maildir:/var/spool/dovecot/user/%%u:INDEX="/var/spool/dovecot/user/%u/Other\ Users/%%u"
>   list: children
> auth default:
>   passdb:
>     driver: ldap
>     args: /etc/dovecot/dovecot-ldap.conf
>   userdb:
>     driver: passwd
>     args: uid=vmail gid=vmail blocking=yes mail=maildir:/var/spool/dovecot/user/%u


Am I barking up the wrong tree, or is this possible?

Thanks,

Jay

[Dovecot] FreeBSD, Dovecot and ZFS

2013-02-12 Thread Jason Lock
Mail Issues - FreeBSD

Hello, my apologies if this may be the wrong forum but hoping that maybe 
someone might be able to provide some insight.

Have a very sporadic and strange issue with our mail servers running Dovecot on 
FreeBSD.  There are three servers hosting Dovecot with FreeBSD as the 
underlying operating system.  All three connect to a NAS server, again running 
FreeBSD and ZFS.

When the specific issue occurs, clients connecting to check mail via POP3 or 
IMAP experience long delays and timeouts.  To the point where POP3 Logins fail 
due to the timeouts.  The issue is further compounded by clients increasing the 
number of attempts to check mail.

Part of the frustration in attempting to diagnose the issue is not knowing the 
root cause or symptom that initiates the issue.

Wondering if anyone has experienced anything similar, or suggestions on ways to 
help identify the root cause


[Dovecot] Dovecot unable to locate mailbox

2012-01-16 Thread Jason X, Maney
Dear all,

I hope someone can point me in the right direction here. I have set up my
Dovecot v2.0.13 on Ubuntu 11.10. The logs tell me that the mail location
has failed as follows:

=
Jan 16 14:18:16 myservername dovecot: pop3-login: Login: user=,
method=PLAIN, rip=aaa.bbb.ccc.ddd, lip=www.xxx.yyy.zzz, mpid=1360, TLS
Jan 16 14:18:16 myservername dovecot: pop3(userA): Error: user molla:
Initialization failed: mail_location not set and autodetection failed: Mail
storage autodetection failed with home=/home/userA
Jan 16 14:18:16 myservername dovecot: pop3(userA): Error: Invalid user
settings. Refer to server log for more information.
=

Yet my config also comes out strangely as below:

=
root@guyana:~# dovecot -n
# 2.0.13: /etc/dovecot/dovecot.conf
# OS: Linux 3.0.0-12-server x86_64 Ubuntu 11.10
passdb {
  driver = pam
}
protocols = " imap pop3"
ssl_cert = 

[Dovecot] managesieve vacation script bounces/frozen with a 550 error.

2011-12-27 Thread Jason X, Maney
Dear all,

I have been trying to get this problem out of the way but I just can't seem
to get it right. I hope someone can point me in the right direction here. I
have come up with a vacation script as below, which can be sent out from my
Postfix SMTP server to my smarthost at the ISP, and yet for some reason it
is not sent out at my ISP server. The guys at the ISP have sent me the full
error they are getting on their Exim SMTP server. My dovecot version is:
==
dovecot --version
1.2.9
==

...and my managesieve configs are as follows:
==
dovecot -n |grep sieve
protocols: pop3 pop3s imap imaps managesieve
listen(managesieve): *:4190
login_executable(managesieve): /usr/lib/dovecot/managesieve-login
mail_executable(managesieve): /usr/lib/dovecot/managesieve
mail_plugins(managesieve):
mail_plugin_dir(managesieve): /usr/lib/dovecot/modules/managesieve
  mail_plugins: sieve quota
  sieve: /var/vmail/sieve/%d/%u/sieve-script
  sieve_global_path: /var/vmail/sieve/default.sieve
  sieve_storage: /var/vmail/sieve/%d/%u
==

Error from my ISP smarthost:
==
+++ 1ReM7W-000Dm8-My has not completed +++
2011-12-26 09:34:18 1ReM7W-000Dm8-My <= <>
H=(myhostname.mydomain.com)
[xxx.xxx.xxx.xxx] P=esmtps X=TLSv1:DHE-RSA-AES256-SHA:256 S=1451
id=dovecot-sieve-1324712058-257846-0@havana T="Out of office reply"
2011-12-26 09:34:18 1ReM7W-000Dm8-My **
jsxmo...@gmail.comr=send_to_gateway T=remote_smtp: SMTP error from
remote mail server after
RCPT TO:: host
smtp.myisp.com[yyy.yyy.yyy.yyy]: 550
Bounces must have only a single recipient
2011-12-26 09:34:18 1ReM7W-000Dm8-My Frozen (delivery error message
==

My vacation sieve script is:
==
## /* empty script */
require ["fileinto", "vacation"];

vacation
  # Reply at most once a day to a same sender
  :days 1
  :subject "Out of office reply"
  # List of additional recipient addresses which are included in the auto replying.
  # If a mail's recipient is not the envelope recipient and it's not on this list,
  # no vacation reply is sent for it.
  :addresses "m...@mydomain.com"
"I'm out of office, please contact Joan Doe instead.
Best regards
Me";
==

What I am not sure of is, is this a problem I need to fix or is it
something my ISP needs to work on, on their Exim? If it's something they can
work on can you also give me pointers so I can work with them to fix it?

Many thanx,

JXM.


Re: [Dovecot] Kerberos GSSAPI - proper item name in keytab

2011-08-31 Thread Jason Gunthorpe
On Wed, Aug 31, 2011 at 09:28:50AM -0600, Trever L. Adams wrote:

> I have only followed part of this. If the original poster's problem is
> that the LDAP database is not being able to be accessed with an SPN
> ticket, this is because SPNs are not allowed to log in in AD. You need
> to use a user account (including MACHINE$ accounts). It took me forever
> to figure this out. To use this, you need a cron job that creates/renews
> tickets from time to time for the user/machine account. Then you use
> Dovecot's environment setup configuration to set the KRB5_CC (or
> whatever it is called, my head is elsewhere) env variable to that
> Kerberos ticket cache that was created in the cronjob. This cache needs
> to be readable by dovecot and should be owned by its user.

This all works 1000% better if you use Samba to join the domain and
create your keytab with the right SPNs. See my prior posts to this
list for a formula. Using the MS kerberos compatibility tools is
painful, complicated and tends to make a mess.

Samba will create a machine UPN and populate the system keytab
appropriately. From a cron job you can use 'kinit -k' to maintain an
active ticket for the machine UPN which dovecot can use for LDAP
operations.

Jason


Re: [Dovecot] Forwarding loop

2011-05-03 Thread Jason Schulz
Just a shot in the dark, but perhaps something changed in your gmail
filtering rules?

-Jason

On Tue, May 3, 2011 at 5:22 PM, Brian Mihulka  wrote:

> I used to filter my mail through gmail with the following sieve rule.
>
> if not header :contains "X-Forwarded-To" "bmihu...@hulkster.net"{
>  redirect "bmihu...@gmail.com";
> }
>
> With the gmail account set to forward to bmihu...@hulkster.net
>
> After upgrading to dovecot 1.2.9 and postfix 2.7.0 from whatever was with
> debian etch.  I get a forwarding loop error.  I don't know if this is a
> dovecot issue or postfix issue so I'm starting here.  If anyone has any
> ideas or a better place to ask about this please let me know.
>
> Thanks
> Brian Mihulka
>


Re: [Dovecot] LDAP and GSSAPI problems

2011-02-05 Thread Jason Gunthorpe
On Sat, Feb 05, 2011 at 08:49:21PM -0700, Trever L. Adams wrote:

> >> It appears that the script you recommended doesn't do the trick. Does
> >> /usr/libexec/dovecot/auth clear the environment. Even doing it manually
> >> from the command line the openldap stuff doesn't seem to pick up the
> >> KRB5_KTNAME environment variable.
> > Isn't it called KRB5CCNAME?
> Yes. Some things (Amanda, at least from the directions, I haven't done
> it yet) actually still use service principals which are KRB5_KTNAME. For
> credentials in most clients, yes, KRB5CCNAME and that does work.

Amanda is doing what I described below internally. The keytab file
contains kerberos shared secrets so Amanda uses that to get a TGT. You
can't use kerberos without a TGT. The fact it is using a SPN or UPN
shared secret doesn't matter at the client.

> > However! Be aware that the TGT must be refreshed periodically, that
> > is just how kerberos works.
> Yes, this refresh is EXACTLY what I have been trying to avoid with
> service principals. I am starting to wish that Samba 4 supported SASL
> CRAM-MD5 or something so that I could just use that; no refresh.

Put the kinit -k line in a crontab. That command gets a fresh TGT for
the machine account.

Service principals just avoid having to create a new UPN in MIT
kerberos. In AD kerberos a SPN cannot get a TGT so that is
undoable. The machine account works very similarly to how a SPN
would be used in MIT kerberos except that it is a UPN at the
KDC. Samba writes a keytab entry for the machine account that
contains the shared secret which lets kinit -k work.

> Thank you for all your input. I am afraid this is the same problem I am
> going to hit with Postfix (it does a similar setup to Dovecot, I am just
> not running the recent version yet that supports it).

Yes. Same answer, run it pointing to the same CC cache you setup for
dovecot.

Be aware that both the keytab and the credential cache are 'password
equivalents' and must be protected.

Jason


Re: [Dovecot] Samba AD and Dovecot

2011-02-05 Thread Jason Gunthorpe
On Sat, Feb 05, 2011 at 08:39:37PM -0700, Trever L. Adams wrote:

> > Set these things in the config
> >
> > auth_use_winbind = yes
> >
> >   mechanisms = plain gssapi gss-spnego login ntlm

> Ok, I do this step differently as I use gssapi directly and not with
> winbind.

This is also what this does. auth_use_winbind only affects gss-spnego
and ntlm which call out to the ntlm_auth helper to make it go. IMHO,
if you have AD you should set this up too.

> I use postfix instead of exim. How do you know what user is valid and
> what isn't in exim. I don't see any LDAP. I use LDAP (both postfix and
> dovecot deliver... I have to use LDAP for the aliases to be setup the
> way they have been requested). I also don't see any mention of any other
> user database.

In my simple world everything rides on nss_winbind and winbindd. These
instructions are just how to set up kerberos for authentication,
not the much stickier authorization..

Jason


Re: [Dovecot] Samba AD and Dovecot

2011-02-05 Thread Jason Gunthorpe
On Fri, Feb 04, 2011 at 01:47:31PM -0700, Trever L. Adams wrote:
> > There was a thread a month or so ago on how to do GSSAPI with AD and
> > dovecot kerberos. It works great, and I highly recommend it for AD
> > sites. Check the archives, it isn't really too hard.

> I am not finding this. Do you happen to remember the subject?

No, but it is pretty simple using latest everything (well, Debian
squeeze).. Basically from scratch.. Notice this also sets up NTLM,
which is supported by many roaming devices (ie phones).

1) Put this or similar in /etc/samba/smb.conf

[global]
workgroup = $NT_WORKGROUP$
realm = $REALM$
security = ads
kerberos method = secrets and keytab

2) Confirm that hostname gives an unqualified name and hostname -f
   gives a fully qualified name. Confirm you have DNS setup properly
   (eg dig -t SRV _kerberos._udp.$REALM$ works OK)

3) Join the machine to AD

$ net ads join -U 'user with AD privs'

$ kinit AD_USER
$ kvno host/`hostname -f`

4) Setup imap SPN:

$ net ads keytab add imap

$ net ads search cn=`hostname` | grep servicePrincipalName
$ klist -k
$ kvno imap/`hostname -f`
   
   The last three should report imap/`hostname -f` entries.

5) Setup dovecot..

Set these things in the config

auth_use_winbind = yes

  mechanisms = plain gssapi gss-spnego login ntlm

6) Setup exim..

$ net ads keytab add smtp

Use these in the dovecot config:

  socket listen {
    client {
      path = /var/run/dovecot/auth-client
      mode = 0660
      group = Debian-exim
    }
  }

And this at the end of the exim.conf:

dovecot_plain:
driver = dovecot
public_name = PLAIN
server_socket = /var/run/dovecot/auth-client
server_set_id=PLAIN-${quote:$auth1}

dovecot_ntlm:
driver = dovecot
public_name = NTLM
server_socket = /var/run/dovecot/auth-client
server_set_id=NTLM-${quote:$auth1}

dovecot_gssapi:
driver = dovecot
public_name = GSSAPI
server_socket = /var/run/dovecot/auth-client
server_set_id=GSSAPI-${quote:$auth1}

dovecot_gssapi_spnego:
driver = dovecot
public_name = GSS-SPNEGO
server_socket = /var/run/dovecot/auth-client
server_set_id=GSS-SPNEGO-${quote:$auth1}

7) Setup openssh

in sshd_config

GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIStrictAcceptorCheck yes

Jason
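
A check for the "should report imap/`hostname -f` entries" part of step 4 (and the smtp entry from step 6), as an added example that is not part of the original post: it reads `klist -k` output and reports, per service, the highest KVNO that has an entry for this host's FQDN, or MISSING. The function names, the sample output and the host and realm names in it are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that the system keytab holds the service principals
# the setup steps above are supposed to create.

# keytab_spn_report FQDN SERVICE...
# Reads `klist -k` output on stdin. For every SERVICE prints
#   "SERVICE <highest kvno>"  when a SERVICE/FQDN@REALM entry exists
#   "SERVICE MISSING"         otherwise
# and returns 1 if at least one service is missing.
keytab_spn_report() {
    fqdn=$1
    shift
    awk -v fqdn="$fqdn" -v services="$*" '
        BEGIN { n = split(services, want, " ") }
        # Data rows look like "   2 imap/mail.example.com@EXAMPLE.COM";
        # the header and separator rows do not start with a number.
        $1 ~ /^[0-9]+$/ && NF >= 2 {
            split($2, at, "@")          # at[1] = service/host
            split(at[1], parts, "/")    # parts[1] = service, parts[2] = host
            if (parts[2] != fqdn) next  # short-name and MACHINE$ entries are skipped
            if (!(parts[1] in kvno) || $1 + 0 > kvno[parts[1]])
                kvno[parts[1]] = $1 + 0
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                if (want[i] in kvno) print want[i], kvno[want[i]]
                else { print want[i], "MISSING"; bad = 1 }
            }
            exit bad
        }'
}

# Constructed sample of `klist -k` output (not taken from a real host):
# imap was added and later re-keyed, smtp was never added.
sample_klist_output() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/mail.example.com@EXAMPLE.COM
   2 MAIL$@EXAMPLE.COM
   2 imap/mail.example.com@EXAMPLE.COM
   3 imap/mail.example.com@EXAMPLE.COM
   3 imap/MAIL@EXAMPLE.COM
EOF
}

# Stand-alone use: ./check-keytab.sh "$(hostname -f)" imap smtp
if [ "$#" -ge 2 ]; then
    klist -k | keytab_spn_report "$@"
fi
```

The KVNO printed here is the one to compare against what `kvno imap/$(hostname -f)` returns from the KDC; a lower number in the keytab means the key on disk is stale.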


Re: [Dovecot] LDAP and GSSAPI problems

2011-02-05 Thread Jason Gunthorpe
On Fri, Feb 04, 2011 at 12:57:11PM -0700, Trever L. Adams wrote:
> On 02/02/2011 04:17 PM, Timo Sirainen wrote:
> >
> > It does set that, but only on first GSSAPI authentication. I guess it
> > wouldn't hurt moving it to do it always. If that script helps you, I can
> > do this change.
> It appears that the script you recommended doesn't do the trick. Does
> /usr/libexec/dovecot/auth clear the environment. Even doing it manually
> from the command line the openldap stuff doesn't seem to pick up the
> KRB5_KTNAME environment variable.

Isn't it called KRB5CCNAME?

Ie if you are using an AD type environment then I think the only way
this can work is if you do these steps:

# JGGL is the name of your machine in AD klist -k should tell
# you what it is, and you must have samba setup properly, the
# machine joined, and samba must be set to write the system keytab.
# See 'net ads keytab'
$ KRB5CCNAME="/tmp/machine" kinit -k JGGL$

$ KRB5CCNAME="/tmp/machine" klist 
Ticket cache: FILE:/tmp/machine
Default principal: JGGL$@ADS.ORCORP.CA

Valid starting     Expires            Service principal
02/05/11 18:26:34  02/06/11 04:26:34  krbtgt/ads.orcorp...@ads.orcorp.ca
        renew until 02/12/11 18:26:34
$ KRB5CCNAME="/tmp/machine" ldapsearch uid=jgg
SASL/GSSAPI authentication started
SASL username: JGGL$@ADS.ORCORP.CA
SASL SSF: 56
SASL data security layer installed.
[..]

Presumably if dovecot has SASL setup properly for Openldap then it
will work just fine if KRB5CCNAME is properly exported to it.

However! Be aware that the TGT must be refreshed periodically, that
is just how kerberos works.

> I can kinit on the command line and get auth to work, but the kinit
> doesn't hold over to the dovecot process (for good reasons I am sure).

Maybe dovecot isn't enabling SASL for openldap?

eg the python wrappers for openldap require this sequence:

import ldap, ldap.sasl

conn = ldap.initialize(server)
auth_tokens = ldap.sasl.gssapi()
conn.sasl_interactive_bind_s("", auth_tokens)

Before they attempt gssapi - so this will also be true for the C
version.

The *ideal* world would be if dovecot supported an in-memory ticket
cache that it stored a TGT for a given UPN that it initializes using a
given keytab. This is what samba does internally and realistically is
required to use kerberos as a client.

IMHO, doing ldap without kerb is kinda sketchy unless you completely
trust your network - it is easy to spoof ldap replies, kerb fixes
that and has low overhead compared to ssl.

Jason
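
The periodic `kinit -k` refresh described in this reply, combined with the reminder in the 2011-02-05 follow-up that the keytab and the credential cache are password equivalents, as an added example that is not part of the original posts. The function names, the `KINIT` override, the optional owner argument and every path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: refresh the machine-account TGT into a cache file that only
# its owner can read, replacing the old cache atomically.

KINIT=${KINIT:-kinit}   # overridable so the logic can be exercised without a KDC

# secret_mode_ok FILE: true when FILE is a regular file (not a symlink) whose
# mode grants nothing to group or other, e.g. -rw-------.
secret_mode_ok() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    case $(ls -ld -- "$1") in
        -???------*) return 0 ;;
        *) return 1 ;;
    esac
}

# dir_not_shared DIR: true when DIR is a real directory that group and other
# cannot write to, so nobody else can pre-create or swap the cache file.
dir_not_shared() {
    [ -d "$1" ] && [ ! -L "$1" ] || return 1
    case $(ls -ld -- "$1") in
        d????-??-?*) return 0 ;;
        *) return 1 ;;
    esac
}

# refresh_ccache KEYTAB PRINCIPAL CCACHE [OWNER]
# Runs in a subshell so umask and variables do not leak into the caller.
# Exit codes: 2 keytab exposed, 3 cache directory shared, 4 no temp file,
# 5 kinit failed, 6 new cache has loose permissions or chown failed.
refresh_ccache() (
    keytab=$1 principal=$2 ccache=$3 owner=${4:-}
    dir=$(dirname -- "$ccache")

    secret_mode_ok "$keytab" || {
        echo "refusing: $keytab is missing or accessible to group/other" >&2
        exit 2
    }
    dir_not_shared "$dir" || {
        echo "refusing: $dir is missing or writable by group/other" >&2
        exit 3
    }

    umask 077
    tmp=$(mktemp "$dir/.ccache.XXXXXX") || exit 4

    # Write the fresh ticket next to the live cache; a failed kinit leaves
    # the old, still valid cache untouched.
    if ! KRB5CCNAME="FILE:$tmp" "$KINIT" -k -t "$keytab" "$principal"; then
        rm -f -- "$tmp"
        exit 5
    fi
    if [ -n "$owner" ] && ! chown "$owner" "$tmp"; then
        rm -f -- "$tmp"
        exit 6
    fi
    if ! secret_mode_ok "$tmp"; then
        rm -f -- "$tmp"
        exit 6
    fi
    # rename() within one directory is atomic: readers see old or new, never half.
    mv -f -- "$tmp" "$ccache"
)

# Stand-alone use from root's crontab (hypothetical paths and account name):
#   0 */4 * * * /usr/local/sbin/refresh-ccache.sh /etc/krb5.keytab 'MAILHOST$' \
#       /var/run/dovecot-krb5/machine.cc dovecot
if [ "$#" -ge 3 ]; then
    refresh_ccache "$@"
fi
```

Point KRB5CCNAME for the dovecot auth process at the same cache path the job writes.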


Re: [Dovecot] LDAP and GSSAPI problems

2011-02-02 Thread Jason Gunthorpe
On Thu, Feb 03, 2011 at 01:17:02AM +0200, Timo Sirainen wrote:
> > Postfix (the other half of my solution -- though the version I am using
> > doesn't do SASL LDAP yet, but 2.9.x does) allows you, in the
> > configuration, to set what environment variables it should not unset and
> > even define new ones (an example -- import_environment =
> > KRB5_KTNAME=/etc/dovecot/krb5.keytab). This may be a good solution for
> > Dovecot specifically for things like this.
> 
> Maybe.. But there haven't really been all that many uses for it.

Windows AD's LDAP server behaves by default in the same way, in that
all LDAP must be authenticated - this makes a lot of sense, IMHO. It
would be nice to have LDAP out of the box support kerberos
authentication using the machine principal set up by samba.

Jason


[Dovecot] Imap Error

2011-01-20 Thread Jason Liedtke
This morning I have an Outlook 2007 user who is getting the error and I am
unsure how to fix it.

Cannot open this item. The server responded: "Error in IMAP command UID
FETCH: Invalid uidset"

DoveCot v 1.2.9


# 1.2.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-27-generic-pae i686 Ubuntu 10.04.1 LTS
log_timestamp: %Y-%m-%d %H:%M:%S
protocols: imap imaps pop3 pop3s managesieve
listen(default): *
listen(imap): *
listen(pop3): *
listen(managesieve): *:2000
disable_plaintext_auth: no
login_dir: /var/run/dovecot/login
login_executable(default): /usr/lib/dovecot/imap-login
login_executable(imap): /usr/lib/dovecot/imap-login
login_executable(pop3): /usr/lib/dovecot/pop3-login
login_executable(managesieve): /usr/lib/dovecot/managesieve-login
mail_privileged_group: mail
mail_location: maildir:~/
mmap_disable: yes
mail_nfs_storage: yes
mail_nfs_index: yes
mbox_write_locks: fcntl dotlock
mail_executable(default): /usr/lib/dovecot/imap
mail_executable(imap): /usr/lib/dovecot/imap
mail_executable(pop3): /usr/lib/dovecot/pop3
mail_executable(managesieve): /usr/lib/dovecot/managesieve
mail_plugins(default): quota imap_quota
mail_plugins(imap): quota imap_quota
mail_plugins(pop3): quota
mail_plugins(managesieve):
mail_plugin_dir(default): /usr/lib/dovecot/modules/imap
mail_plugin_dir(imap): /usr/lib/dovecot/modules/imap
mail_plugin_dir(pop3): /usr/lib/dovecot/modules/pop3
mail_plugin_dir(managesieve): /usr/lib/dovecot/modules/managesieve
imap_client_workarounds(default): tb-extra-mailbox-sep
imap_client_workarounds(imap): tb-extra-mailbox-sep
imap_client_workarounds(pop3):
imap_client_workarounds(managesieve):
pop3_client_workarounds(default):
pop3_client_workarounds(imap):
pop3_client_workarounds(pop3): outlook-no-nuls oe-ns-eoh
pop3_client_workarounds(managesieve):
managesieve_logout_format(default): bytes=%i/%o
managesieve_logout_format(imap): bytes=%i/%o
managesieve_logout_format(pop3): bytes=%i/%o
managesieve_logout_format(managesieve): bytes ( in=%i : out=%o )
namespace:
  type: private
  separator: /
  inbox: yes
  list: yes
  subscriptions: yes
lda:
  postmaster_address:
  hostname:
  auth_socket_path: /var/run/dovecot/auth-master
  mail_plugins: quota sieve
  log_path:
  info_log_path:
  syslog_facility: mail
auth default:
  username_format: %Lu
  passdb:
    driver: ldap
    args: /etc/dovecot/dovecot-ldap.conf
  passdb:
    driver: sql
    args: /etc/dovecot/dovecot-sql.conf
  passdb:
    driver: ldap
    args: /etc/dovecot/dovecot-ldap.conf
  passdb:
    driver: ldap
    args: /etc/dovecot/dovecot-ldap.conf
  userdb:
    driver: ldap
    args: /etc/dovecot/dovecot-ldap.conf
  userdb:
    driver: sql
    args: /etc/dovecot/dovecot-sql.conf
  userdb:
    driver: ldap
    args: /etc/dovecot/dovecot-ldap.conf
  userdb:
    driver: ldap
    args: /etc/dovecot/dovecot-ldap.conf
  socket:
    type: listen
    master:
      path: /var/run/dovecot/auth-master
      mode: 432
      user: vmail
      group: vmail
plugin:
  quota: maildir
  quota_rule: *:bytes=20M
  sieve: ~/sieve/.dovecot.sieve
  sieve_dir: ~/sieve
  sieve_global_path: /var/mail/default.sieve
  sieve_before: /var/mail/sieve/global
  sieve_extensions: +imapflags


[Dovecot] auth-worker ownership issue

2010-11-08 Thread Jason 'XenoPhage' Frisvold
Greetings,

I installed 2.0.7 this evening and I'm getting these messages in 
/var/log/maillog :

Nov  8 23:36:53 myserver dovecot: auth: Fatal: net_connect_unix(auth-worker) in 
directory /var/run/dovecot failed: Permission denied (euid=89(vpopmail) 
egid=89(vchkpw) missing +r perm: auth-worker, euid is not dir owner)
Nov  8 23:36:53 myserver dovecot: master: Error: service(auth): command startup 
failed, throttling


If I change the ownership of /var/run/dovecot/auth-worker to vpopmail, dovecot 
starts working properly.  However, restarting the service results in this file 
being re-owned by dovecot.

Am I missing a config option somewhere?  I'm using dovecot with qmail and 
vpopmail 5.4.32.

Thanks,

- ---
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
- ---
"Any sufficiently advanced magic is indistinguishable from technology."
- - Niven's Inverse of Clarke's Third Law





Re: [Dovecot] RHEL5/CentOS5 YUM repo, rpm, or spec file for 2.0?

2010-10-26 Thread Jason 'XenoPhage' Frisvold
On Oct 26, 2010, at 7:36 AM, Roderick A. Anderson wrote:
> Darn!  :-( I forgot to check there.  I did the last time I wanted the latest 
> version but that was a long time ago.  (A 1.1.x has been working just fine 
> for my personal stuff.)
> 
> I'll look today.  Thanks.

I can make a 2.x SRPM available if it will help.

> \\||/
> Rod



- ---
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
- ---
"Any sufficiently advanced magic is indistinguishable from technology."
- - Niven's Inverse of Clarke's Third Law






[Dovecot] Setting up the Director

2010-10-03 Thread Jason 'XenoPhage' Frisvold
Hi all,

I'm trying to wrap my head around the Director and how it works, but 
I'm not having much luck finding documentation.  Currently, I have two front 
end mail servers that use NFS for mail storage.  I'm using Cisco's SLB for load 
balancing, though I may switch over to a server-based load balancing solution 
at some point.

SLB works great, but it doesn't guarantee that a given user will stick 
to the same server.  At least, not as it's configured now..  But, regardless, I 
want to move away from SLB so I can have a bit more control.

If I want to implement the Director, do I need to have additional 
machines, or does it get configured on the front end mail machines?  I'm 
thinking the former, but hoping for the latter..  :P

Does anyone know of a really good write-up about the director and how 
it works?

thanks,

- ---
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
- ---
"Any sufficiently advanced magic is indistinguishable from technology."
- - Niven's Inverse of Clarke's Third Law





Re: [Dovecot] [Dovecot-news] v2.0.4 released

2010-09-28 Thread Jason 'XenoPhage' Frisvold

On 09/27/2010 08:46 AM, Timo Sirainen wrote:
> On Mon, 2010-09-27 at 14:13 +0200, Renaud Allard wrote:
> 
>> I upgraded from 2.0.2 this morning and now all the mails which were 
>> compressed using zlib plugin are not readable anymore. Also, new mails 
>> are not stored compressed anymore either. This is on OpenBSD amd64, and 
>> I am using sdbox.
> 
> Whoops. This fixes it: http://hg.dovecot.org/dovecot-2.0/rev/c359ee549df7
> 
> (and also making sure it won't happen again:
> http://hg.dovecot.org/dovecot-2.0/rev/a3c8026d0305)

Was 2.0.4 re-released with this patch, or do we have to add it ourselves?

-- 
---
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law


Re: [Dovecot] Vpopmail support broken

2010-09-22 Thread Jason 'XenoPhage' Frisvold

On Sep 22, 2010, at 1:13 PM, Timo Sirainen wrote:
> So the attached patch should make it work ok?


Would this remove the requirement for vpopmail 5.5+ for dovecot 2.x?  I'm eager 
to move to 2.x, but I'm reluctant to run a dev version of vpopmail..

Thanks,

---
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law





Re: [Dovecot] Combining ManageSieve with hand-written scripts

2010-08-30 Thread Jason Bleazard

On Mon, 30 Aug 2010 13:15:43 -0400, Jason Bleazard
 wrote:

> I thought I could do something like 
> sieve_before = ~/sieve/custom.sieve
> 
> but that doesn't seem to work.

Okay, I did a bit more reading and testing and figured it out.  I hadn't
previously noticed that %h also specifies the user home directory.  Setting
"sieve_before = %h/sieve/custom.sieve" DOES work, where the ~ didn't.  The
~ works for the sieve and sieve_dir settings, but apparently not
sieve_before or sieve_after.

So I'm happy, just thought I'd share the answer with the rest of the list.

Thanks,
Jason


[Dovecot] Combining ManageSieve with hand-written scripts

2010-08-30 Thread Jason Bleazard

Hi, new to Dovecot, forgive me if I'm missing something basic...

I'm trying to figure out if there's a way to use a couple of custom rules
alongside ManageSieve.  Most of the time I like the ManageSieve interface
in Roundcube, but there's one rule that I can't get it to do the way I want
(it's a notify rule, and I don't like the way Roundcube constructs the
notify).  I figured out how to write it by hand, but of course I can't put
my own rules in Roundcube's file or it gets really confused.  I tried
adding an include to the generated file, but Roundcube politely removes it
for me the next time I use the rule editor.  (Squirrelmail doesn't seem to
be any better in this regard.)

I thought I could do something like 
sieve_before = ~/sieve/custom.sieve

but that doesn't seem to work.  I couldn't even see any evidence in the
log that it attempted to look at that file.  Apparently sieve_before isn't
meant to work on a per-user basis.

If I do a global sieve_before, can I have it "include :personal"?  If so,
what's going to happen with the script compilation?  From what I
understand, it can't be compiled globally, since each user has a different
custom rule set.

Am I trying to do the impossible here?

Thanks for any ideas,
Jason Bleazard


Re: [Dovecot] 2.0 and vpopmail

2010-08-17 Thread Jason 'XenoPhage' Frisvold

On Aug 17, 2010, at 12:56 PM, Timo Sirainen wrote:
> It's in vpopmail 5.5. If you want to keep using 5.4, I guess you could
> just remove that line of code..

No specific desire to use 5.4, I'm really just going with what's on the 
vpopmail site..  5.5 is labeled as development, so I was somewhat reluctant to 
jump on that, though it has been around for a while..  I'll see if I can get 
5.5 installed and run with that..

Thanks,

---
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law





[Dovecot] 2.0 and vpopmail

2010-08-16 Thread Jason 'XenoPhage' Frisvold

Hi all,

Does 2.0 require a specific version of vpopmail?  I'm getting this on 
my build attempt :

/usr/src/redhat/BUILD/dovecot-2.0.0/src/auth/passdb-vpopmail.c:185: undefined 
reference to `vauth_load_module'

Yes, it's an RPM, that's how I roll.  I'm not finding vauth_load_module 
anywhere on my system.. I'm running vpopmail 5.4.30 which is, I believe the 
latest stable release..

Thanks,

---
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law





Re: [Dovecot] Dovecot 1.1 migration to 1.2

2010-07-19 Thread Jason 'XenoPhage' Frisvold

On Jul 19, 2010, at 10:54 PM, Jason 'XenoPhage' Frisvold wrote:
> Isn't 1.2 still in RC release?  Is RC2 stable for production?


Ugh .. My apologies.  Apparently I'm seeing numbers where they aren't..  2.0 is 
in RC..  1.2 is what I'm running right now..  Duh..  :)

Nothing to see here, move along..

---
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law





Re: [Dovecot] Dovecot 1.1 migration to 1.2

2010-07-19 Thread Jason 'XenoPhage' Frisvold

On Jul 19, 2010, at 9:35 AM, Arne K. Haje wrote:
> I was however able to do this on a test server, so when upgrading 
> production server I already had a working config file ready for use. 

Isn't 1.2 still in RC release?  Is RC2 stable for production?

> Regards,
> 
> Arne

---
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law





Re: [Dovecot] Mail Stuck in cur file

2010-06-16 Thread jason hirsh


On Jun 16, 2010, at 9:22 AM, Charles Marcus wrote:

> On 2010-06-16 9:14 AM, jason hirsh wrote:
>> It may just be impression.. I knew people weren't getting email even
>> though The maillog seemed to indicate that POSTFIX was receiving and
>> putting in queue i just assumed the "lost" messages were these
>> messages
>>
>> I guess I was wrong
>
> Newly delivered messages go into /new. When the first client 'sees'
> them, they get moved to /cur...
>
> --

for my education.. when are they removed from cur??

> Best regards,
>
> Charles



Re: [Dovecot] Mail Stuck in cur file

2010-06-16 Thread jason hirsh


On Jun 16, 2010, at 8:39 AM, Phil Howard wrote:

> On Tue, Jun 15, 2010 at 17:19, jason hirsh wrote:
>> I am running dovecot 1.1.7 with postfix 2.6.5.  I had a server down
>> issue and when it rebooted the IPFW firewall on my FreeBSD server
>> prevented mail from being delivered.. at least that is what I think
>> the issue was... when i stopped IPFW .. mail resumed
>> anyway I use vmail structure.. and there are messages in the cur
>> directory.. how do i get them "reprocessed" or "released"  I
>> presume these are incoming
>
> Being in the cur directory, under a particular user, should be a
> completed delivery.  Is the problem specific to one user, a certain
> group of users, or all users?

It may just be impression.. I knew people weren't getting email even
though The maillog seemed to indicate that POSTFIX was receiving and
putting in queue  i just assumed the "lost" messages were these messages

I guess I was wrong

thanks


[Dovecot] Mail Stuck in cur file

2010-06-15 Thread jason hirsh
I am running dovecot 1.1.7 with postfix 2.6.5.  I had a server down issue and 
when it rebooted the IPFW firewall on my FreeBSD server prevented mail from 
being delivered.. at least that is what I think the issue was... when i stopped 
IPFW .. mail resumed
anyway I use vmail structure.. and there are messages in the cur directory.. how 
do i get them "reprocessed" or "released"  I presume these are incoming



Re: [Dovecot] Setting up a 'rootless' server - user and auth_user cannot be the same

2010-05-16 Thread Jason Ahrens
On Sat, May 15, 2010 at 9:54 AM, Charles Marcus
 wrote:
> On 2010-05-15 11:59 AM, vus...@test123.ru wrote:
>> I am trying to follow http://wiki.dovecot.org/HowTo/Rootless to set up
>> a personal dovecot server that does not use 'root' and does not need
>> to change uids/gids. I'm trying to set it up on a Cygwin personal
>> system.
>
> You need to follow the directions found there then.
>
> Your config is missing stuff from the 'The important settings to change
> for rootless installation are:" section...

So I played around with this suggestion and came across the following issues:

1) The sample config has an invalid directive. 'ssl_disable' is not
valid. I'm assuming that 'ssl = no' is the same as 'ssl_disable =
yes'. If I can get confirmation of that, I'll update the wiki if no
one else does.

2) If I set the 'user' and 'auth_user' fields to my own login, it
works fine (or at least passes 'dovecot -n'). If I set it to the
'cyg_server' user I get the error message about not being able to use
the same user. I'm not really clear on the logic used to determine
when a user can or can not be used for both. Is there an explanation
of this so I can design my layout accordingly? I tried
'first_valid_uid = 1' to see if it would help, did not. cyg_server is
already UID 1005 though, so didn't really expect it to.

Jason


[Dovecot] Setting up a 'rootless' server - user and auth_user cannot be the same

2010-05-15 Thread Jason Ahrens
I am trying to follow http://wiki.dovecot.org/HowTo/Rootless to set up
a personal dovecot server that does not use 'root' and does not need
to change uids/gids. I'm trying to set it up on a Cygwin personal
system.

The problem I'm running into though, the directions say to set "user"
and "auth_user" to be the same in this setup. However when you do
this, Dovecot complains and will refuse to start up. Did I miss
something?

$ ./dovecot --version
1.2.11

$ ./dovecot -n
# 1.2.11: /usr/local/etc/dovecot.conf
Error: login_user cyg_server (uid 1005) must not be same as auth_user
Fatal: Invalid configuration in /usr/local/etc/dovecot.conf

Config trying to use:
protocols = imap
disable_plaintext_auth = no
ssl = no
login_chroot = no
login_user = cyg_server
login_process_size = 0
login_max_processes_count = 5
mail_location = maildir:~/Maildir
max_mail_processes = 5
mail_process_size = 0
auth_process_size = 0
auth default {
  mechanisms = plain
  passdb passwd-file {
    args = /usr/local/etc/dovecot.users
  }
  userdb passwd {
  }
  user = cyg_server
}


Re: [Dovecot] dovecot + dns srv registers

2009-11-04 Thread Jason Gunthorpe
On Wed, Nov 04, 2009 at 02:33:07PM -0500, Timo Sirainen wrote:
> I still don't really understand. Probably because I don't know how
> exactly SRV records are supposed to even work. How would I query LDAP
> service with e.g. dig?

Latest versions of openldap do this automatically, IIRC you specify a
LDAP url something like:

 ldap:///DC=foo,DC=bar,DC=com

And it looks up _ldap._tcp.foo.bar.com:
$ dig -t SRV _ldap._tcp.foo.bar.com.
_ldap._tcp.foo.bar.com. 600   IN  SRV 0 100 389 ldap.foo.bar.com.

And then it picks the best priority SRV and looks that up, and
rotates around to the other ones if the first doesn't work.

SRV records are better than RR DNS because the priority field lets the
client sort them. In MS implementations the DNS server will return
priority fields that reflect the queriers subnet - it will dynamically
make closer servers have better priority.

Jason
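
The lookup described in this message, as an added Python example that is not part of the thread or of OpenLDAP: it maps a host-less LDAP URL to its SRV query name, parses dig-style answer lines, and orders the targets by priority with RFC 2782 weighted selection inside each priority. The `ldap-spare` and `ldap-dr` records, the function names and the DC-only base DN parsing are assumptions made for illustration.

```python
import random
from collections import defaultdict
from typing import NamedTuple
from urllib.parse import unquote, urlsplit

# Constructed dig-style answer: the first record is the one quoted in the
# message; the "ldap-spare" and "ldap-dr" targets are made up for illustration.
SAMPLE_ANSWER = """\
; constructed sample, not captured from a real resolver
_ldap._tcp.foo.bar.com. 600 IN SRV 0 100 389 ldap.foo.bar.com.
_ldap._tcp.foo.bar.com. 600 IN SRV 0 0 389 ldap-spare.foo.bar.com.
_ldap._tcp.foo.bar.com. 600 IN SRV 10 50 389 ldap-dr.foo.bar.com.
"""


class Srv(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str


def srv_name_from_ldap_url(url):
    """Map ldap:///DC=foo,DC=bar,DC=com to _ldap._tcp.foo.bar.com.

    Returns None when the URL names a host, because then no SRV lookup is
    needed. Simplification: the base DN may hold only DC= components and no
    escaped commas.
    """
    parts = urlsplit(url)
    if parts.scheme != "ldap":
        raise ValueError("not an ldap:// URL: %r" % url)
    if parts.netloc:
        return None
    labels = []
    for rdn in unquote(parts.path.lstrip("/")).split(","):
        attr, _, value = rdn.partition("=")
        if attr.strip().lower() != "dc" or not value.strip():
            raise ValueError("base DN must consist of DC= components only")
        labels.append(value.strip().lower())
    return "_ldap._tcp." + ".".join(labels) + "."


def parse_dig_srv(text):
    """Extract SRV records from dig answer lines; other lines are ignored."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 8 and not line.startswith(";") \
                and fields[2].upper() == "IN" and fields[3].upper() == "SRV":
            records.append(Srv(int(fields[4]), int(fields[5]),
                               int(fields[6]), fields[7]))
    return records


def order_srv(records, rng=None):
    """Return the records in the order a client should try them (RFC 2782).

    Lower priority values come first. Within one priority the next target is
    drawn at random in proportion to its weight, with zero-weight records
    placed first in the running sum so they are picked only rarely.
    """
    rng = rng or random.SystemRandom()
    records = list(records)
    # A single record whose target is "." means the service is not offered.
    if len(records) == 1 and records[0].target == ".":
        return []
    by_priority = defaultdict(list)
    for rec in records:
        by_priority[rec.priority].append(rec)
    ordered = []
    for priority in sorted(by_priority):
        pool = sorted(by_priority[priority], key=lambda r: r.weight != 0)
        while pool:
            pick = rng.randint(0, sum(r.weight for r in pool))
            running = 0
            for i, rec in enumerate(pool):
                running += rec.weight
                if running >= pick:
                    ordered.append(pool.pop(i))
                    break
    return ordered


if __name__ == "__main__":
    print("query:", srv_name_from_ldap_url("ldap:///DC=foo,DC=bar,DC=com"))
    for rec in order_srv(parse_dig_srv(SAMPLE_ANSWER)):
        print("try %s:%d (priority %d, weight %d)"
              % (rec.target, rec.port, rec.priority, rec.weight))
```

A client that walks this list in order gets the failover behaviour the message describes: the lowest priority value is tried first and the higher ones only when it is unreachable.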


Re: [Dovecot] Samba AD and Dovecot

2009-10-06 Thread Jason Gunthorpe
On Wed, Oct 07, 2009 at 12:57:21AM -0400, Timo Sirainen wrote:
> Ccing mailing list, since I'm not all-knowing..
> 
> On Oct 7, 2009, at 12:49 AM, Trever L. Adams wrote:
> 
> >Timo Sirainen wrote:
> >>On Oct 7, 2009, at 12:36 AM, Trever L. Adams wrote:
> >>>1) I have seen how to configure for LDAP and Kerberos. AD uses both
> >>>together. All user information is in AD/LDAP and authentication is
> >>>AD/Kerberos. How can I configure Dovecot to use both appropriately?
> >>You could forget about the Kerberos part and just use AD as an LDAP
> >>server.
> >I really want to use kerberos/SPNEGO everywhere I can for various
> >reasons. The LDAP would be for the configuration.
> 
> Do you actually want the IMAP/POP3 clients to use Kerberos? For  
> plaintext auth I don't see any benefit in Dovecot using Kerberos  
> rather than LDAP (and it doesn't support that, except via pam_kerberos  
> or whatever I guess). But for clients to use Kerberos (GSSAPI) and  
> authenticate against AD while Dovecot is in the middle... I've no  
> idea. I guess that's possible somehow.

There was a thread a month or so ago on how to do GSSAPI with AD and
dovecot kerberos. It works great, and I highly recommend it for AD
sites. Check the archives, it isn't really too hard.

The problem with LDAP is you have to use SSL ldap for security. The
overhead is much higher than using native kerberos or samba pam
modules. There is also an obnoxious setup procedure on the AD side to
get a LDAP SSL cert installed and serious issues with failover to
backup domain controllers. For plain text password auth on AD sites,
samba's pam_winbind is probably the best choice. Secure, easy to set up
and pretty fast.

If you have an AD server I also *highly* recommend the dovecot winbind
NTLM method. Almost every client in the world will do some level of
NTLM hashing and it reduces the risk from plain password exposure.

> >No, I will be using the new Samba IDMAP stuff that hashes all the  
> >parts
> >of the windows ID to a 32 bit UID. Anyway to do to this, or will I  
> >need
> >to find another solution (not for mailing, but for directory  
> >creation)?
> 
> There's no great way to do this.. A couple of kludgy ways. Like chmod  
> 01777 /var/mail. Or override mail_executable setting to a script that  
> still runs as root and can create the directory with proper  
> permissions. http://wiki.dovecot.org/PostLoginScripting

Can dovecot use pam_mkhomedir?

Jason


Re: [Dovecot] Outlook 2007 w/SPA, Active Directory (was NTLM failures with an interesting twist)

2009-08-31 Thread Jason Gunthorpe
On Mon, Aug 31, 2009 at 11:20:18PM +0100, Gavin Hamill wrote:

> > Ok.. this is not too good, you should have many other entries too,
> > several starting with host/ and CCIMAP$.
> 
> The suggestion to remove the computer object (and the 'imapCcimap' user
> I bound the SPN to using ktpass) and 'net ads join' worked like a charm
> - I have lots more output in 'net ads keytab list' and kvno
> imap/ccimap.ad.laterooms.com works now.

Snazzy
 
> Aug 31 23:13:02 ccimap dovecot: imap-login: Login: user=,
> method=GSSAPI, rip=10.6.1.81, lip=10.6.1.82

Yap, that is it

> The 'auth_gssapi_hostname = $ALL' was confusing so I commented that out
> and let it do a gethostname() instead - now it works :)

I thought Timo included this patch?? You need the $ALL for various
cases, including, I think, exim.. All it says is match any entry in
the keytab, not just imap/gethostbyname()@REALM.

If you have AD and Linux servers it is worth kerberizing everything
(ssh, logins, imap, pop, smtp, apache, etc) the method you just used
is basically how to do it for anything. Ie you can now turn on ssh
kerberos via its config file, and with kerberized putty on windows
you get SSO ssh logins, etc.

Jason


Re: [Dovecot] Outlook 2007 w/SPA, Active Directory (was NTLM failures with an interesting twist)

2009-08-31 Thread Jason Gunthorpe
On Mon, Aug 31, 2009 at 10:21:47PM +0100, Gavin Hamill wrote:
> On Mon, 2009-08-31 at 13:24 -0600, Jason Gunthorpe wrote:
> 
> > > Ouch, can you go a little more slowly, please? I think I've joined the
> > > domain OK:
> 
> > Sure..
> 
> Many thanks for taking the time on this - it is appreciated.

NP, if you have success consider making a HOWTO for the dovecot wiki
:)

> > Also verify that 'hostname -f' returns what you want. Very important.
> 
> Yep, 'ccimap.ad.laterooms.com' - forward + reverse DNS are correct in AD

Good

> > ccimap:~# net ads keytab add imap
> > 
> > Then:
> > ccimap:~ klist -k
> > 
> > And verify you have imap/ entries
> > 
> > Then verify kerberos is working with:
> > 
> > ccimap:~# kvno imap/ccimap.ad.laterooms.com
> > imap/ccimap.ad.laterooms@ad.laterooms.com: kvno = 2
> 
> I get 
> 
> ccimap:/etc# klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
>7 imap/ccimap.ad.laterooms@ad.laterooms.com
>7 imap/ccimap.ad.laterooms@ad.laterooms.com
>7 imap/ccimap.ad.laterooms@ad.laterooms.com
>7 imap/cci...@ad.laterooms.com
>7 imap/cci...@ad.laterooms.com
>7 imap/cci...@ad.laterooms.com

Ok.. this is not too good, you should have many other entries too,
several starting with host/ and CCIMAP$.

What version of samba is this? does 'net ads keytab create' fix it up?

Check that you have

use kerberos keytab = true

In smb.conf

> ccimap:/etc# kvno imap/ccimap.ad.laterooms.com
> kvno: Server not found in Kerberos database while getting credentials
> for imap/ccimap.ad.laterooms@ad.laterooms.com

This is fatal. If ldapsearch indicates that SPN exists then you are
probably right that something has become damaged in AD. Otherwise you
are just having wacky samba problems.

> However, before I received your message I had been following the
> 'old-school' ktpass.exe method and I think I have poisoned the 'imap'
> name as a result:

Possibly, it would be good to start again. Go into AD, and delete the
ccimap computer account, then re-do 'net ads join'. That should clean
everything out.

The ktpass.exe method has so many problems, don't use it. Samba can
generate all the keys directly itself now, there is no need for ktpass.

> Is 'imap' a magic hardcoded name that Thunderbird will use? If so,
> should creating 'pop3' using 'net ads keytab add' also do the business?
> I'd rather try that and get a basic working auth than try to unpick my
> AD problems just yet.

The SPN service name is hardwired based on the protocol, imap, smtp
and something for pop. I'm not sure what. :)

> I ask because if I do a random name 'net ads keytab add purmle' and then
> 'kvno purmle/ccimap.ad.laterooms.com' then I get sensible output:
> 
> purmle/ccimap.ad.laterooms@ad.laterooms.com: kvno = 7

Hmm. You do need the '-U Administrator' or similarly privileged
account for the keytab add. Otherwise I noticed that samba silently
fails to update LDAP when it gets permission denied from ADS. The true
test that it worked is the ldapsearch command I gave, or adsi edit.

Jason


Re: [Dovecot] Outlook 2007 w/SPA, Active Directory (was NTLM failures with an interesting twist)

2009-08-31 Thread Jason Gunthorpe
On Mon, Aug 31, 2009 at 07:23:22PM +0100, Gavin Hamill wrote:
> On Sun, 2009-08-30 at 14:29 -0600, Jason Gunthorpe wrote:
> 
> > The kerberos setup is pretty easy.. 'net ads join' your server, go
> > into the adsi editor and provide a imap and smtp SPN for the host, use
> > 'net ads keytab' to put the imap and smtp SPNs in the system keytab,
> > and then you are good to go. I test it with mutt first as the error
> > messages are somewhat better.
> 
> Ouch, can you go a little more slowly, please? I think I've joined the
> domain OK:

Sure..
 
> ccimap:~# net ads testjoin
> Join is OK
> ccimap:~# net ads info
> LDAP server: 10.6.1.245
> LDAP server name: orwell.ad.laterooms.com
> [...]

Yah, that's good

You also want kerberos and LDAP to work easily on your server machine:

# kinit 'your AD user'
# klist
# ldapsearch uid='your AD user'
SASL/GSSAPI authentication started
[..]

For ldap stick the information from 'net ads info' in /etc/ldap/ldap.conf:

URI ldap://orwell.ad.laterooms.com
BASE dc=

kinit should work if you got this far with samba, but if you have
troubles ensure that /etc/krb5.conf has at least:

[libdefaults]
 default_realm = AD.LATEROOMS.COM # guessing
 dns_lookup_realm = true
 dns_lookup_kdc = true

Once the above two are working your basic stuff is OK. (You can skip
the ldap, but I find it is helpful)

Also verify that 'hostname -f' returns what you want. Very important.

> But I have no idea how / where you add a service principal with ADSIEdit
> - can you point me in the right direction? Kerberos is still mainly a
> mystery to me (and I'm sure many others!)

Hmm. So upon reviewing this, it seems samba has changed, in some ways
it is better, others worse.. Hmm. (I'm using 3.3.2)

Just do this:

ccimap:~# net ads keytab add imap

Then:
ccimap:~ klist -k

And verify you have imap/ entries

Then verify kerberos is working with:

ccimap:~# kvno imap/ccimap.ad.laterooms.com
imap/ccimap.ad.laterooms@ad.laterooms.com: kvno = 2
ccimap:~# ldapsearch CN=ccimap servicePrincipalName 
SASL/GSSAPI authentication started
[..]
servicePrincipalName: imap/ccimap.ad.laterooms.com

Unfortunately 'net ads keytab add' can only add SPNs without a
hostname qualifier, so you cannot add another alias. This is bad if
you have multiple names for your host. I can't think of an easy way to
make that work with the new samba behavior. I'd probably patch samba
to fix that..

Since samba now does the adsiedit part on its own you probably don't
need to worry about it, but here is a posting explaining it:
http://www.adopenstatic.com/cs/blogs/ken/archive/2006/11/19/606.aspx

Please note that Windows and Linux use different methods to resolve
the SPN. If your reverse IP and SSL hostname are different you'll need
extra help to make this work, as samba cannot do it by itself!!
Easiest plan is to Not Do That.

That should do the trick for both native GSSAPI and for winbind
GSSAPI. The key part is that the kvno works.

Make sure dovecot is setup with the:
 auth_gssapi_hostname = $ALL
option, and turn on the 'gssapi' mechanism.

Those steps should give you working kerberos and gssapi in dovecot.
I like to start simple and test with mutt. 'kinit' a ticket for that
user, setup mutt, and then give it a try. Then try thunderbird on
linux then thunderbird on windows.

The .muttrc config is simple:
set spoolfile=imap://u...@ccimap.ad.laterooms.com/INBOX
set folder=imap://u...@ccimap.ad.laterooms.com/

And 'kinit user' before hand.

Use winbind to process ntlm messages. Setup winbind in smb.conf and
test the authentication function:

wbinfo -D AD.LATEROOMS.COM
wbinfo -K user%pass
wbinfo -a user%pass

Then turn it on in dovecot

I run plain password authentication for dovecot through pam. Right now
I use pam_krb5.so, but pam_winbind.so is a better choice with a modern
samba. 

exim piggy backs off dovecot-auth:

dovecot_ntlm:
driver = dovecot
public_name = NTLM
server_socket = /var/run/dovecot/auth-client
server_set_id=NTLM-${quote:$auth1}

dovecot_gssapi:
driver = dovecot
public_name = GSSAPI
server_socket = /var/run/dovecot/auth-client
server_set_id=GSSAPI-${quote:$auth1}

dovecot_gssapi_spnego:
driver = dovecot
public_name = GSS-SPNEGO
server_socket = /var/run/dovecot/auth-client
server_set_id=GSS-SPNEGO-${quote:$auth1}

I also drive all the Linux directory services through winbind and the
rfc2307 LDAP scheme AD supports, so all my Linux users get kerberos
tickets on logon, and SSO for everything. Windows is the same.

Jason
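
The keytab checks walked through in this message and in the follow-up above it (`klist -k` should list `imap/`, `host/` and machine-account entries, and `kvno` has to succeed), as an added Python example that is not part of the thread or of Samba or MIT Kerberos. The host `mail.example.com`, the realm `EXAMPLE.COM`, both sample outputs and the function names are constructed placeholders; the list of expected principals is an assumption drawn from what the messages say a healthy join shows.

```python
import re

# One row of `klist -k` output: "   7 imap/host.example.com@EXAMPLE.COM"
KLIST_ROW = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s*$")
# One line of `kvno` output: "imap/host.example.com@EXAMPLE.COM: kvno = 7"
KVNO_ROW = re.compile(r"^(\S+@\S+): kvno = (\d+)\s*$")

# Constructed sample: a keytab holding only imap/ entries, the symptom
# described in the follow-up message.
BROKEN_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
   7 imap/mail.example.com@EXAMPLE.COM
   7 imap/mail.example.com@EXAMPLE.COM
   7 imap/mail@EXAMPLE.COM
"""

# Constructed sample: a keytab as expected after a clean domain join.
HEALTHY_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
   2 host/mail.example.com@EXAMPLE.COM
   2 host/mail@EXAMPLE.COM
   2 MAIL$@EXAMPLE.COM
   2 imap/mail.example.com@EXAMPLE.COM
   2 imap/mail@EXAMPLE.COM
"""


def parse_klist_k(text):
    """Return {principal: set of key version numbers} from `klist -k` output."""
    entries = {}
    for line in text.splitlines():
        match = KLIST_ROW.match(line)
        if match:
            entries.setdefault(match.group(2), set()).add(int(match.group(1)))
    return entries


def parse_kvno(text):
    """Return {principal: kvno issued by the KDC} from `kvno` output."""
    issued = {}
    for line in text.splitlines():
        match = KVNO_ROW.match(line.strip())
        if match:
            issued[match.group(1)] = int(match.group(2))
    return issued


def audit_keytab(klist_text, fqdn, realm, services=("imap",), kvno_text=""):
    """Return a list of findings; an empty list means every check passed."""
    keytab = parse_klist_k(klist_text)
    fqdn, realm = fqdn.lower(), realm.upper()
    findings = []
    if "." not in fqdn:
        findings.append("hostname %r is not fully qualified "
                        "(check `hostname -f`)" % fqdn)
    short = fqdn.split(".", 1)[0]
    # Assumed set of principals: each service SPN, the host SPN and the
    # machine account (short name in upper case followed by "$").
    expected = ["%s/%s@%s" % (svc, fqdn, realm) for svc in services]
    expected.append("host/%s@%s" % (fqdn, realm))
    expected.append("%s$@%s" % (short.upper(), realm))
    for principal in expected:
        if principal not in keytab:
            findings.append("missing keytab entry: " + principal)
    # A service ticket is encrypted with the key version the KDC holds, so the
    # keytab must contain that same version or the server cannot decrypt it.
    for principal, kdc_kvno in parse_kvno(kvno_text).items():
        have = keytab.get(principal)
        if have is not None and kdc_kvno not in have:
            findings.append("stale key for %s: KDC issues kvno %d, keytab has %s"
                            % (principal, kdc_kvno, sorted(have)))
    return findings


if __name__ == "__main__":
    kdc = "imap/mail.example.com@EXAMPLE.COM: kvno = 8"
    for finding in audit_keytab(BROKEN_KLIST, "mail.example.com",
                                "EXAMPLE.COM", kvno_text=kdc):
        print("FAIL:", finding)
```

Feed it the real output of `klist -k` and `kvno imap/<fqdn>` from the server; an empty result corresponds to the state the message calls "the key part is that the kvno works".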


Re: [Dovecot] Outlook 2007 w/SPA, Active Directory (was NTLM failures with an interesting twist)

2009-08-30 Thread Jason Gunthorpe
On Sun, Aug 30, 2009 at 08:38:20PM +0100, Gavin Hamill wrote:
> On Sat, 2009-08-29 at 21:55 -0600, Jason Gunthorpe wrote:
> > On Sun, Aug 30, 2009 at 01:50:02AM +0100, Gavin Hamill wrote:
> > > Has anyone successfully configured the above to enable Single Sign-On? I
> > > would love to move away from Exchange but SSO is a corporate
> > > requirement.
> > 
> > I looked at this in some detail and concluded that the NTLM support on
> > Outlook 2007 was only for encryption, it was not using SPA. I couldn't
> > find a hidden registry setting or whatnot to switch it.
> 
> Heh, have just found you here:
>  https://bugzilla.mozilla.org/show_bug.cgi?id=284538
> 
> You mention that you managed to get Thunderbird working with SSO; I've
> not achieved that - I'm still required to provide the password before
> the NTLM login is successful.. Is there any particular magic needed with
> Thunderbird 2.0.0.23 ?

Yes, you can't use NTLM in Thunderbird either, you have to use
Kerberos (GSSAPI). I run NTLM through winbind and GSSAPI through MIT
Kerberos, and then run exim through dovecot-auth. This gives complete
SSO using GSSAPI for Thunderbird on all platforms, and secure
challenge/response NTLM hashed passwords for roaming users without
Kerberos.

The kerberos setup is pretty easy.. 'net ads join' your server, go
into the adsi editor and provide a imap and smtp SPN for the host, use
'net ads keytab' to put the imap and smtp SPNs in the system keytab,
and then you are good to go. I test it with mutt first as the error
messages are somewhat better.

Apparently if you direct the GSSAPI messages through winbind (like
for NTLM) then you can omit the 'net ads keytab' steps and things work
a bit smoother, but I have not attempted that configuration.

Jason


Re: [Dovecot] Outlook 2007 w/SPA, Active Directory (was NTLM failures with an interesting twist)

2009-08-29 Thread Jason Gunthorpe
On Sun, Aug 30, 2009 at 01:50:02AM +0100, Gavin Hamill wrote:
> Has anyone successfully configured the above to enable Single Sign-On? I
> would love to move away from Exchange but SSO is a corporate
> requirement.

I looked at this in some detail and concluded that the NTLM support on
Outlook 2007 was only for encryption, it was not using SPA. I couldn't
find a hidden registry setting or whatnot to switch it.

If you have a corporate support arrangement with MS, maybe ask them?
Many people would love an answer. Even a trace of outlook using SPA
with Exchange over IMAP would be interesting to see.

IMHO, clearly Dovecot is setup properly, Outlook Express works,
Thunderbird w/ SPA works, etc. I believe MS has deliberately decided
not to make SSO work in Outlook over IMAP specifically because that is
a must have feature for enterprises, so it only works over MAPI and
thus only with Exchange.

Jason


Re: [Dovecot] SIS Implementation

2009-08-14 Thread Jason Fesler

Hard links would be the simplest implementation without needing a
separate database. Sure you could implement that too if you wanted to.


It would be worth checking the limits for hard links, and making sure they 
are suitable for a large mail system using this scheme, without having a 
fallback plan of some sort.


Looks like UFS hardlink limit is 32767; ext2 32000; reiser and jfs, 65535.
http://www.dirvish.org/viewcvs/dirvish_1_2/FAQ.html?rev=2  see
"Could linking between images be limited by a maximum link count?"



Re: [Dovecot] GSSAPI Authentication in v1.2.1

2009-08-07 Thread Jason Gunthorpe
On Fri, Aug 07, 2009 at 12:50:25PM -0400, Timo Sirainen wrote:
 
> I think "secure authentication" usually means CRAM-MD5 in Thunderbird.
> But maybe they use it for GSSAPI too, no idea.

For sure it enables NTLM and GSSAPI at least.

Jason


Re: [Dovecot] problems compiling dovecot-1.2.2 on solaris 10

2009-07-29 Thread Jason Welsh
well, I thought I had the official tarball, but the
dovecot-latest.tar.gz compiled fine..

thanks.
Jason


Timo Sirainen wrote:
> On Wed, 2009-07-29 at 09:33 -0400, Jason Welsh wrote:
>   
>> if test "$dot_seen" = "no"; then \
>>   make  "$target-am" || exit 1; \
>> fi; test -z "$fail"
>> make: Fatal error: Command failed for target `all-recursive'
>> Current working directory /scratch/jawelsh/src/dovecot-1.2.2/src
>> *** Error code 1
>> The following command caused the error:
>> failcom='exit 1'; \
>> 
> ..
>
> Umm. Is this from the actual 1.2.2 tarball? Did you run any autotools
> stuff before running configure and make?
>
> That error you have doesn't look like anything I've seen before, so I've
> no idea what the problem is in your system. There are two other problems
> in Solaris though, but neither produces the error you see.
>
> I guess you could anyway try running
> http://dovecot.org/nightly/dovecot-latest.tar.gz which fixes those two
> Solaris issues..
>   

-- 

|Jason Welsh   ja...@monsterjam.org|
| http://monsterjam.orgDSS PGP: 0x5E30CC98 |
|gpg key: http://monsterjam.org/gpg/   |




[Dovecot] problems compiling dovecot-1.2.2 on solaris 10

2009-07-29 Thread Jason Welsh
if test "$dot_seen" = "no"; then \
  make  "$target-am" || exit 1; \
fi; test -z "$fail"
make: Fatal error: Command failed for target `all-recursive'
Current working directory /scratch/jawelsh/src/dovecot-1.2.2/src
*** Error code 1
The following command caused the error:
failcom='exit 1'; \
for f in x $MAKEFLAGS; do \
  case $f in \
*=* | --[!k]*);; \
*k*) failcom='fail=yes';; \
  esac; \
done; \
dot_seen=no; \
target=`echo all-recursive | sed s/-recursive//`; \
list='src  doc'; for subdir in $list; do \
  echo "Making $target in $subdir"; \
  if test "$subdir" = "."; then \
dot_seen=yes; \
local_target="$target-am"; \
  else \
local_target="$target"; \
  fi; \
  (cd $subdir && make  $local_target) \
  || eval $failcom; \
done; \
if test "$dot_seen" = "no"; then \
  make  "$target-am" || exit 1; \
fi; test -z "$fail"
make: Fatal error: Command failed for target `all-recursive'
Current working directory /scratch/jawelsh/src/dovecot-1.2.2
*** Error code 1
make: Fatal error: Command failed for target `all'
[house-7]$

this is with gcc-4.1.1

any ideas?

Jason



[Dovecot] Compiling Dovecot

2009-07-22 Thread Jason Silkey
I'm attempting to compile Dovecot 1.2.1 from source with support for  
ManageSieve, with little success.  ./configure seems to complete  
successfully, but make fails with the message:


make: *** No targets.  Stop.

I checked the Makefile, and it's empty.  I run into the same problem  
no matter the configure options, with or without the managesieve patch  
applied, and even with earlier versions (I also tried 1.2.0 and 1.1.17  
just to see if it would work, but no go).  I've had no problems  
compiling other software, so I'm at a bit of a loss here.  Any thoughts?




Re: [Dovecot] kerberos trying to obtain credentials for wrong machine

2009-02-18 Thread Jason Gunthorpe
On Wed, Feb 18, 2009 at 10:33:09PM +0300, Nikolay Shopik wrote:

> I'm currently trying to configure Dovecot to use kerberos. My KDC is 
> Windows 2003 and I successful generated keytab file for Dovecot machine. 
> Problem is when I'm trying to use GSSAPI it told me
> Obtaining credentials for i...@debian5 - and of course this fails because 
> debian5 isn't KDC, it should look for 
> imap/debian5.inblock.lo...@inblock.local.
> What I'm missing?

You need to make sure that 'hostname -f' returns a full hostname, and
you need to put default_realm = INBLOCK.LOCAL into your krb5.conf

Then confirm that 'kvno imap/debian5.inblock.local' works

Jason
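
The two checks from the reply above can be scripted before running kvno. This is an added example, not part of the original post: the helper names and the krb5.conf sample are constructed, and only the host and realm names come from the thread.

```python
import re

# Constructed sample: a krb5.conf without default_realm (names from the thread).
KRB5_BEFORE = """\
[libdefaults]
    dns_lookup_kdc = true

[realms]
    INBLOCK.LOCAL = {
        kdc = dc1.inblock.local
    }
"""
# The same file after adding the line the reply asks for.
KRB5_AFTER = KRB5_BEFORE.replace(
    "[libdefaults]\n", "[libdefaults]\n    default_realm = INBLOCK.LOCAL\n", 1)


def default_realm(krb5_conf_text):
    """Return default_realm from the [libdefaults] section, or None."""
    section = None
    for raw in krb5_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "default_realm":
                return value
    return None


def preflight(hostname_f, krb5_conf_text, service="imap"):
    """Return (principal to hand to kvno, problems); principal is None on failure."""
    problems = []
    if "." not in hostname_f.strip("."):
        problems.append("'hostname -f' returned a short name: " + hostname_f)
    realm = default_realm(krb5_conf_text)
    if realm is None:
        problems.append("no default_realm in [libdefaults] of krb5.conf")
    if problems:
        return None, problems
    return "%s/%s@%s" % (service, hostname_f.lower(), realm), []


if __name__ == "__main__":
    print(preflight("debian5", KRB5_BEFORE))
    print(preflight("debian5.inblock.local", KRB5_AFTER))
```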


Re: [Dovecot] Active Directory authentication

2009-01-20 Thread Jason Gunthorpe
On Wed, Jan 21, 2009 at 08:26:37AM +0200, Dimitrios Karapiperis wrote:

> I would like to ask if there is adequate mechanism to authenticate users
> through POP3 against Active Directory by Outlook Express so that users will
> authenticate seamlessly using logon credentials.
> 
> I have implemented  LDAP authentication but users must supply their
> credentials to Outlook Express although they have logged on to Windows (AD).
> 
> the ntlm auth in Dovecot 1.1 (winbind) satisfies this requirement (no
> credentials in Outlook)?

I don't know about Outlook Express, but I was unable to get Outlook
2007 to use login credentials, and my dovecot is configured to support
NTLM, SPNEGO and GSSAPI :(

Thunderbird on Windows will use the login credentials if dovecot
supports GSSAPI and has the proper kerberos setup. Check use secure
authentication or somesuch.

Jason


Re: [Dovecot] Dovecot authenticating---> Active Directory Win2003

2008-12-09 Thread Jason Gunthorpe
On Tue, Dec 09, 2008 at 01:57:43PM +0100, Thomas Siebert wrote:

> > That works but has 3 main drawbacks:
> >  1) It is a pain to setup SSL LDAP on both windows and linux. If you
> > don't do this then it is massively insecure
> 
> Agreed, if you don't it is massively insecure. But I don't see why it should
> be that complicated. For the ADS, Microsoft gives advice:
> http://support.microsoft.com/kb/321051
> 
> ...and for Linux, there are tons of tutorials.

Right, it isn't impossible, but setting up a CA, generating certs,
installing them and enabling the magic feature (on all your ADS
servers) is much more work than setting up winbind :)

> >  2) Passwords must be exchanged in plain text over IMAP. Also no
> > single sign on capabilities.

> Agreed there's no single sign on. But for plain text password exchange,
> there's no drawback when you use IMAPS or POP3S. And you should always do
> so. 

Well, the security advantage to all the hashing schemes is that a
compromise of your imap server does not result in a plain text
password disclosure for all users.

> For load balancing, it should be possible to use a round-robin DNS server
> instead. And you forget that the numbers of LDAP queries will be doubled as
> there's no possibility to use userdb prefetch.

I looked at load balancing with SSL LDAP once and rapidly ran into
trouble with certificate validation issues. The SSL certs in the ADS
should have unique machine names which was incompatible with a DNS
round robin. The new SRV record processing code in openldap is
supposed to avoid that problem though.

Also, winbind doesn't actually authenticate over ldap, it uses a much
lower overhead UDP protocol...

Once you no longer need to do authentication over ldap it
becomes possible to maintain a long term kerberized LDAP session for
user database queries if you need that (though I suppose dovecot
cannot do that today).. Removing the per-user SSL setup cost would
easily gain back any overheads from even the most expensive
authentication operation that winbind does..

Heck, even being able to do a root-owned kerberized LDAP query would
be a nice dovecot feature for ADS integration since it removes the
need for SSL setup entirely. Once samba joins an ADS domain root has
access to the host$ ticket and can do secured ldap queries using the
machine account.

Jason


Re: [Dovecot] Dovecot authenticating---> Active Directory Win2003

2008-12-08 Thread Jason Gunthorpe
On Mon, Dec 08, 2008 at 02:43:53PM +0100, Thomas Siebert wrote:
> You have to use LDAP as Authentication Backend with Port 3268.
> 
> http://wiki.dovecot.org/AuthDatabase/LDAP

That works but has 3 main drawbacks:
 1) It is a pain to setup SSL LDAP on both windows and linux. If you
don't do this then it is massively insecure
 2) Passwords must be exchanged in plain text over IMAP. Also no
single sign on capabilities.
 3) There is no redundancy or load balancing if you have
multiple ADS servers

The *best* answer is to use a combination of samba's winbind and
kerberos. This gives you encryption and mutual authentication between
dovecot and the ADS server and various non-plaintext options between
the client and dovecot - plus single sign on capabilities for SSPI or
kerberized clients.

Use dovecot's pam support to call out to pam_winbind/pam_krb5, and the
native support to call out to winbind for ntlm and spnego. Dovecot's
native gssapi kerberos rounds things out.

The basic steps are
 1) Get samba, winbind, dovecot, kerberos installed
 1a) Setup smb.conf with the proper ADS options
     Note you do not need to run nmbd or smbd, just winbind.
 2) Use samba to join the machine to the domain with
    'net ads join -U Administrator'
    Verify in ADS you have a computer with the proper name
 3) Create an imap keytab entry 'net ads keytab imap/[EMAIL PROTECTED]'
    Also tell windows imap is allowed for this host via the gui or
    adsiedit/ldapedit/etc
 4) Start winbind
 5) Setup dovecot
 5a) Setup pam_winbind for dovecot
 6) Test on the dovecot machine:
    net ads testjoin
    wbinfo -n mywinuser
    klist -k
    kinit [EMAIL PROTECTED]
    kvno imap/[EMAIL PROTECTED]
    # check DNS that host has proper forward and reverse entries
    telnet localhost imap
      1 CAPABILITY
      * CAPABILITY [..] AUTH=PLAIN AUTH=GSSAPI AUTH=GSS-SPNEGO AUTH=LOGIN AUTH=NTLM

I also have exim setup to use dovecot SASL and so it also does
NTLM, GSSAPI and SPNEGO.

There is a lot of information about this scattered on various web
sites. The method I've outlined above is the latest scheme using the
newer software. Some reference material uses older techniques...

In my experience pretty much every client supports some version of
NTLM, so passwords will be exchanged non-plaintext in most cases
(though weak flavors of NTLM might be negotiated). Many clients like
thunderbird support kerberos, and so on windows you get single sign on
too. Most linux clients also support kerberos so can get single sign
on for them too with some setup.

Here are some config fragments you might find helpful

smb.conf:
[global]
   netbios name = host
   workgroup = FOO
   realm = ADS.FOO
   security = ads
   use kerberos keytab = true
   encrypt passwords = true
   winbind use default domain = yes

Dovecot:

auth_ntlm_use_winbind = yes
auth_username_format = %n
auth_winbind_helper_path = /usr/bin/ntlm_auth
  mechanisms = plain gssapi gss-spnego login ntlm
  passdb pam {}
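
The last check in step 6 of the message above can be automated by comparing the CAPABILITY reply with the configured `mechanisms` line. This is an added example, not part of the original post: the function names are made up for illustration, and the reply and `mechanisms` value are copied from the message.

```python
# The CAPABILITY reply from step 6, with the "[..]" elision and line fold kept.
SAMPLE = ("* CAPABILITY [..] AUTH=PLAIN AUTH=GSSAPI AUTH=GSS-SPNEGO AUTH=LOGIN \n"
          "AUTH=NTLM")
CONFIGURED = "plain gssapi gss-spnego login ntlm"   # the 'mechanisms' line

PLAINTEXT = {"PLAIN", "LOGIN"}        # the password itself is sent to the server
KERBEROS = {"GSSAPI", "GSS-SPNEGO"}   # ticket based, needed for single sign on


def parse_capability(response):
    """Split an untagged, possibly folded CAPABILITY reply into
    (AUTH mechanisms, other capability atoms)."""
    atoms = [token.upper() for token in response.split()]
    if "CAPABILITY" not in atoms:
        raise ValueError("not a CAPABILITY response")
    atoms = atoms[atoms.index("CAPABILITY") + 1:]
    mechs = {a[len("AUTH="):] for a in atoms if a.startswith("AUTH=")}
    other = {a for a in atoms if not a.startswith("AUTH=")}
    return mechs, other


def review(response, configured, tls):
    """Return a list of findings; an empty list means the reply matches the setup.
    'tls' says whether the reply was read over an encrypted connection."""
    mechs, _ = parse_capability(response)
    wanted = {m.upper() for m in configured.split()}
    findings = []
    for m in sorted(wanted - mechs):
        findings.append("configured but not advertised: " + m)
    for m in sorted(mechs - wanted):
        findings.append("advertised but not configured: " + m)
    if not tls:
        for m in sorted(mechs & PLAINTEXT):
            findings.append("plaintext mechanism offered without TLS: " + m)
    if not mechs & KERBEROS:
        findings.append("no Kerberos mechanism: single sign on unavailable")
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE, CONFIGURED, tls=False):
        print(finding)
```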


Re: [Dovecot] Dovecot dies with PAM error?

2008-10-26 Thread Jason Walton

This seems to have fixed it.  Thanks Timo!

Timo Sirainen wrote:
> On Wed, 2008-10-22 at 18:17 -0400, Jason Walton wrote:
> > Oct 21 14:47:15 tachikoma dovecot-auth: PAM _pam_init_handlers: error
> > reading /etc/pam.d/dovecot
>
> Perhaps it's leaking file descriptors and running out of them. Set
> auth_worker_max_request_count to some non-zero value and it probably
> gets fixed.

  




[Dovecot] Dovecot dies with PAM error?

2008-10-23 Thread Jason Walton
Just setup a new server on the weekend with Ubuntu 8.10 beta, and Dovecot
1.1.4. Every now and then, the IMAP server dies, and won't let users
authenticate. It happens about once or twice a day. In /var/log/mail.log,
you can see dovecot complaining about critical errors:

Oct 21 14:46:16 tachikoma dovecot: imap-login: Login: user=,
method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, TLS
Oct 21 14:46:16 tachikoma dovecot: IMAP(jason): Disconnected: Logged out
bytes=769/9124
Oct 21 14:47:15 tachikoma dovecot: auth-worker(default):
pam(jason,127.0.0.1): pam_start() failed: Critical error - immediate abort
Oct 21 14:47:17 tachikoma dovecot: imap-login: Disconnected (auth failed, 1
attempts): user=, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, TLS

If I have a look at /var/log/auth.log, I see:

Oct 21 14:47:15 tachikoma dovecot-auth: PAM _pam_init_handlers: error
reading /etc/pam.d/dovecot
Oct 21 14:47:15 tachikoma dovecot-auth: PAM _pam_init_handlers: [Critical
error - immediate abort]
Oct 21 14:47:15 tachikoma dovecot-auth: PAM error reading PAM configuration
file
Oct 21 14:47:15 tachikoma dovecot-auth: PAM pam_start: failed to initialize
handlers

This sounds ominous. If I try to cat /etc/pam.d/dovecot, though, the file
is obviously there:

[EMAIL PROTECTED]:/var/log$ cat /etc/pam.d/dovecot
#%PAM-1.0
@include common-auth
@include common-account
@include common-session

And restarting dovecot seems to fix the problem. Dovecot WAS running just
fine, servicing mail all day long, and then suddenly it won't read the PAM
config file, and then it won't let anyone log in until I log in and kill
it. Any ideas?

My IMAP client is either Thunderbird or Roundcube, if that's relevant.



[Dovecot] Has anyone ever seen outlook do single sign on with dovecot/etc?

2008-08-13 Thread Jason Gunthorpe
Hey all,

I'm curious, has anyone been able to get outlook to do single sign on
with a linux IMAP/SMTP back end? I have it doing NTLM authentication
via the dovecot winbind module with Samba 3.2 just fine, but I have
yet to see it try to use the cached windows logon credentials.. It
appears to do an NTLM exchange with a blank password and then prompt
for a password and then do an exchange with the given password. It
does the same thing if PLAIN authentication is used.

I'm starting to suspect MS deliberately hobbled outlook so that it
uses the SSPI to exchange an entered password but not ever the logon
credentials.. Does anyone know different?

What a topsy-turvy world when thunderbird using SSPI works better on
Windows than outlook. :|

Thanks,
Jason

