Re: Which DKIM application for postfix 3.9.0

2024-04-24 Thread Jean-Daniel Dupas via dovecot
Talking about completeness, you can also use rspamd (https://www.rspamd.com).
While it is designed to do more than DKIM, it can be used for it.

I have an internal mailer relay based on postfix and rspamd that works great.


> On 24 Apr 2024 at 09:40, infoomatic via dovecot wrote:
> 
> Just for completeness sake I will throw some in:
> 
> *) https://launchpad.net/dkimpy-milter
> *) https://lib.rs/crates/dkim-milter
> *) https://github.com/fastmail/authentication_milter
> 
> I have not yet had time to look at them, so no comment on their usability.
> 
> regards,
> Robert
> 
> 
> On 24.04.24 00:06, Joseph Tam via dovecot wrote:
>> On Tue, Apr 23, 2024 at 7:33 AM  wrote:
>> 
>>> I am upgrading to postfix 3.9.0. I have not used DKIM in previous postfix
>>> installs, but I would like to start now with the new google rules. I have
>>> done some research and opendkim is the most recommended, however, other
>>> research states the opendkim has been abandoned by its maintainers. So I
>>> am looking for a good alternative dkim software that will work with
>>> postfix that I can compile myself. I do not run on any linux version, so
>>> therefore I can not just apt-get a new dkim application.
>>> I run Solaris and therefore need to compile my applications, postfix and
>>> dkim.
>>> Any good suggestions will be appreciated.
>> 
>> I just rolled out a locally compiled opendkim on my mail server. It
>> works, but there are a few gotchas.
>> 
>> Although it seems like a moribund project, there is a late beta
>> version that includes some important patches, most notably the
>> "Header:\n LongHeaderValue" bug that needs fixing.  You can look at
>> 
>> https://sourceforge.net/p/opendkim/patches/
>> 
>> to find that patch, as well as others you deem important.  As DKIM standards
>> are not going to change soon, having end-of-life software is not as
>> bad as it seems unless you need particular enhancements to make it work
>> better in your circumstances.
>> Once you get your setup dialed, you can probably set it and forget it.
>> 
>> Most of the headaches have actually been internal: local mail
>> injection via sendmail would skip miltering, From header canonicalization
>> by the MTA would not be seen by the opendkim milter thereby creating
>> messages with missing or invalid signatures, and mailing list/auto
>> reply/forwarder software mangling messages.
>> 
>> I think Postfix does a better job in this regard, so these issues may
>> not present themselves.
>> (I did a Postfix/opendkim milter on an Ubuntu system and it was much
>> less hassle.)
>> 
>> You should look at *lots* of DMARC RUA reports.  People are doing crazy 
>> batsh*t
>> stuff with your mail domain.
>> 
>> Joseph Tam 
>> ___
>> dovecot mailing list -- dovecot@dovecot.org
>> To unsubscribe send an email to dovecot-le...@dovecot.org



Re: The future of SIS

2023-10-18 Thread Jean-Daniel Dupas


> On 18 Oct 2023 at 09:35, Marc wrote:
> 
>>> Dovecot has this option to store attachments separately not? So I am
>>> not sure this is then still a problem.
>> 
>> Interesting. How do you tell dovecot to do that ?
>> 
> 
> I thought I read about something like this,
> 
> mail_location =  ATTACHMENTS=/attachment
> 
> but now you have made me read the docs[1] I can't really find it.
> 
> @Aki maybe if this SIS is phased out, it is good to offer a solution that 
> stores the attachments separately? I think that would allow current SIS users 
> to implement something alternative.
> 

Thanks for the pointer.
Thanks to it, I found it in the documentation. It was supposed to be defined
like this in v2.0.0, but it is now a core setting (and is only available for
sdbox/mdbox storage):

mail_attachment_dir
• Default: 
• Values: String
The directory in which to store mail attachments.

With sdbox and mdbox, mail attachments can be saved to external files, which 
also allows single-instance storage of them.

If no value is specified, attachment saving to external files is disabled.




Re: The future of SIS

2023-10-17 Thread Jean-Daniel Dupas


> On 17 Oct 2023 at 16:34, Marc wrote:
> 
>>> The problem is a bit what everyone understands as s3. I associate
>>> this indeed also with an http endpoint on object storage. But the ceph
>>> plugin skips this http and talks directly to object store. I don't
>>> think you would like to operate on this http level. If I look at this
>>> page of ceph[1], it also looks like you do not want to get yourself
>>> involved in deduplication.
>>> 
>>> [1] https://docs.ceph.com/en/reef/dev/deduplication/
>> 
>> Moreover, following Filip's remark about block deduplication, having
>> any kind of deduplication that is not optimized for the email case (where
>> attachments are always embedded in slightly different documents) would
>> make it ineffective.
> 
> Dovecot has this option to store attachments separately not? So I am not sure
> this is then still a problem.

Interesting. How do you tell dovecot to do that ?

>> Is it really worth bothering deploying a whole Ceph cluster for that ?
> 
> No you should not get ceph just for this. But ceph brings you nice
> redundancy, distributed storage. I am totally fan of it.

Me too. I'm using it extensively to store multi terabytes of data, but it may
be overkill if you don't need all of this.




Re: The future of SIS

2023-10-17 Thread Jean-Daniel Dupas


> On 17 Oct 2023 at 13:12, Marc wrote:
> 
>> Is s3 not too slow for this?
>> 
>> I think the clue is in the name "s3-compatible".
>> 
>> Clearly calling out to "real" (AWS) S3 would be a non-starter.
>> 
>> But a local installation of something like CEPH, MinIO or whatever on the
>> same LAN? I'd think that should be workable, no?
>> 
>> Do you know of anything that does this reliably?
>> 
>> I tested a few years ago with ceph[1] but at that point there were some
>> issues where it had a 2x write amplification (on top of the 3x) if I
>> remember correctly.
>> 
>> All of this, if not a dead end, will be a lot of complexity and
>> inefficiency and a lot of waste of money. Only the application knows how
>> to do things efficiently and with consistency.
>> 
>> S3-compatible storage is very good for multi-server installations where
>> you need redundancy, availability. S3 is basically an HTTP server so you
>> can code your own logic on stored emails, balancers, caches,
>> deduplication, compression, encryption; it doesn't need to be
>> off-the-shelf storage.
> 
> The problem is a bit what everyone understands as s3. I associate this
> indeed also with an http endpoint on object storage. But the ceph plugin
> skips this http and talks directly to object store. I don't think you would
> like to operate on this http level. If I look at this page of ceph[1], it
> also looks like you do not want to get yourself involved in deduplication.
> 
> [1] https://docs.ceph.com/en/reef/dev/deduplication/

Moreover, following Filip's remark about block deduplication, having any kind
of deduplication that is not optimized for the email case (where attachments
are always embedded in slightly different documents) would make it
ineffective.
Is it really worth bothering deploying a whole Ceph cluster for that ?




Re: The future of SIS

2023-10-16 Thread Jean-Daniel Dupas


> On 16 Oct 2023 at 15:51, Marc wrote:
> 
>>> Hello to everyone!
>>> Ooops, we are using SIS, guess the solution for a similar optimization
>> will be
>>> a native deduplicated filesystem.
>> 
>> did you really mean deduplicated or distributed?
>> 
> 
> I think this is deduplicating. Storage systems are offering such solutions. I 
> think ceph has something like this, although I am not sure for rbd disk 
> images. I think it makes more sense to have something like this done by a fs 
> or storage solution.

If you are using Ubuntu, OpenZFS is readily available and supports
deduplication natively.
Otherwise it is also available on other platforms, but may require more setup.




Re: The end of Dovecot Director?

2022-11-02 Thread Jean-Daniel

If the community has enough resources to fork the whole project, it would
probably be far more efficient and easier to just fork the Director component.

I'm not familiar enough with dovecot sources to tell if this is possible, but
if the community really wants to keep Director alive, maybe it should start
investigating whether building it as an out-of-tree component is possible?


> On 2 Nov 2022 at 17:46, Jan Hugo Prins wrote:
> 
> I think the only thing they will gain is a community that is angry and will 
> in the end leave the product / fork the complete product.
> 
> Jan Hugo
> 
> On November 2, 2022 5:39:53 PM GMT+01:00, Brad Schuetz  wrote:
> On 11/2/22 03:54, Aki Tuomi wrote:
> On 02/11/2022 11:55 EET Frank Wall  wrote:
> 
>   On 2022-11-02 09:11, Aki Tuomi wrote:
> You can also see the email sent by others which shows how you can do
> this without replication, using proxy and passdb to direct users to
> right backend. Which is basically what director does.
> It's not the same thing.
> 
> It is not critical functionality. You can feasibly run a two-node
> dovecot system on NFS without having director.
> It seems to be critical enough to offer a replacement for paying
> customers, while at the same time leaving the community edition
> with no valid replacement.
> 
> 
> Ciao
> - Frank
> Can you tell me what kind of functionality you are unable to achieve with the 
> passdb solution?
> 
> Aki
> 
> Can you tell us what you are gaining (other than monetarily) by removing a 
> completely functionally working feature that numerous people are using?
> 
> Adding new paid features is one thing (i.e. nginx), taking away a feature to 
> replace it with a paid feature is something completely different.
> 
> -- 
> Brad
> 
> 
> -- 
> Sent from my Android device with K-9 Mail. Please excuse my brevity.



Re: adding caldav/carddav next to dovecot

2022-10-16 Thread Jean-Daniel


> Begin forwarded message:
> 
> From: Tanstaafl 
> Subject: Re: adding caldav/carddav next to dovecot
> Date: 15 October 2022 at 16:11:43 UTC+2
> To: infoomatic , dovecot@dovecot.org
> 
> A HUGE second for SOGo
> 
> We used it for many years in a Gentoo/Dovecot/Postfix environment.
> 
> It was super fast/snappy, and extremely reliable, and works perfectly with 
> both Thunderbird AND Outlook (this was a huge plus for some of our users who 
> ridiculously preferred Outlook)...
> 
> they also offer implementation and ongoing support services at very 
> reasonable rates, but if you prefer to do everything yourself, the 
> documentation is perfectly adequate, and their email support list should 
> address any potential issues you might have.
> 
> SOGo rocks…

Out of curiosity, how many users do you have on SOGo ?

One big drawback I had when experimenting with it is that its single-threaded
worker model scales poorly compared to a server designed to support many
thousands of connections per worker.






Re: how to setup IMAPs with letsencrypt

2022-04-22 Thread Jean-Daniel Dupas


> On 22 Apr 2022 at 01:50, Jeremy Ardley wrote:
> 
> 
> 
> On 22/4/22 7:44 am, al...@coakmail.com  wrote:
>>> On 22/4/22 7:25 am, al...@coakmail.com  wrote:
>>> 
>> Thanks. I will give a try.
>> after enabling SSL, can I disable port 143 entirely?
>> 
> Probably a bad idea. Many clients use STARTTLS on port 143 rather than TLS 
> on port 993
> 

While it's true for SMTP, my experience is that IMAP clients prefer imaps on
993 instead of STARTTLS.

I have a server with only port 993 open, and have almost never had any issue
with client configuration.



Re: disable pop3 ports?

2021-05-04 Thread Jean-Daniel
Not sure what distribution you are using, but some distributions provide a
distinct package for dovecot-pop, so removing it may be enough.

This package's main purpose is to install a file in
/usr/share/dovecot/protocols.d/ which is then imported in the config by a line
like "!include_try /usr/share/dovecot/protocols.d/*.protocol"

Also, make sure "doveconf protocols" does not include pop3.

Presence of service pop3-login, service pop3 in config should not be enough to
start listening on pop3 ports.



> On 4 May 2021 at 06:40, Dan Egli wrote:
> 
> I admit I don't quite understand dovecot's config yet, but this is driving me 
> batty. I was looking at my server and noticed that dovecot was listening on 
> the pop3 ports (110/TCP). Since I do not use pop3 at all, nor does anyone who 
> has ever or ever will connect to the server, that seems like a needless 
> waste. So I went through the config files and commented out every reference 
> to pop3 in them. But when I restart dovecot, it STILL opens a listener on 
> 110. How do I fix this? The ONLY external ports I want dovecot listening to 
> are imap4 and imap4s.
> 
> Thanks!
> 
> -- 
> Dan Egli
> From my Test Server
> 
> 



Re: systemd timeout on startup after upgrade

2021-04-18 Thread Jean-Daniel


> On 18 Apr 2021 at 08:22, Felix Zielcke wrote:
> 
> On Sunday, 18.04.2021 at 08:17 +0200, Jean-Daniel wrote:
>> systemd doesn't need pid files, and the executable must be started
>> without forking.
>> 
>> 
>> Can you show us the content of the system dovecot.service file. As
>> long as it contains these lines, it should be fine:
>> 
>> Type=simple
>> ExecStart=/usr/sbin/dovecot -F
> 
> Just before I saw your mail, I found now a solution.
> 
> The original dovecot.service has this:
> 
> [Service]
> Type=notify
> ExecStart=/usr/sbin/dovecot -F
> 
> which according to systemd.service man page needs a sd_notify() call
> from the running process. So somehow this is broken now?
> 
> I changed it to the following and now it works:
> 
> [Service]
> Type=forking
> ExecStart=/usr/sbin/dovecot
> 
> 
> 
> I don't know that much about systemd what of forking/exec/simple would
> be the best one.
> 

The forking type exists mainly for compatibility with executables that are not
able to start without forking.

When an executable has a "foreground" mode, it is usually recommended to use
it instead.

The snippet I posted comes from the official dovecot Ubuntu distribution (from
https://repo.dovecot.org) (that's the one I'm using).




Re: systemd timeout on startup after upgrade

2021-04-18 Thread Jean-Daniel
systemd doesn't need pid files, and the executable must be started without
forking.


Can you show us the content of the system dovecot.service file. As long as it
contains these lines, it should be fine:

Type=simple
ExecStart=/usr/sbin/dovecot -F



> On 18 Apr 2021 at 07:34, Felix Zielcke wrote:
> 
> On Sunday, 18.04.2021 at 01:04 +0200, Łukasz Szczepański wrote:
>> If systemd doesn't recognize that service has started, that mean
>> probably pid file has other location than previously.
>> You can check what systemd is doing via strace:
>> 
>> strace -s 1024 systemctl start dovecot
>> 
> 
> strace doesn't show anything about opening a pid file.
> 
> There's a few repeated of these:
> 
> recvmsg(3, {msg_name=NULL, msg_namelen=0, 
> msg_iov=[{iov_base="/org/freedesktop/systemd1/unit/dovecot_2eservice\0\0\0\0\0\0\0\0\2\1s\0\37\0\0\0org.freedesktop.DBus.Properties\0\3\1s\0\21\0\0\0PropertiesChanged\0\0\0\0\0\0\0\7\1s\0\30\0\0\0org.freedesktop.systemd1\0\0\0\0\0\0\0\0\10\1g\0\10sa{sv}as\0\0\0\35\0\0\0org.freedesktop.systemd1.Unit\0\0\0d\3\0\0\v\0\0\0ActiveState\0\1s\0\0\10\0\0\0inactive\0\0\0\0\0\0\0\0\f\0\0\0FreezerState\0\1s\0\7\0\0\0running\0\10\0\0\0SubState\0\1s\0\4\0\0\0dead\0\0\0\0\0\0\0\0\24\0\0\0StateChangeTimestamp\0\1t\0\0\0\0\0\5\252\316m8\300\5\0\35\0\0\0StateChangeTimestampMonotonic\0\1t\0\0\0\0\357v\2604\r\0\0\0\25\0\0\0InactiveExitTimestamp\0\1t\0\0\0\0\214kJZ8\300\5\0\36\0\0\0InactiveExitTimestampMonotonic\0\1t\0\0\0v8,!\r\0\0\0\24\0\0\0ActiveEnterTimestamp\0\1t\0\0\0\0\0\0\0\0\0\0\0\0\0\35\0\0\0ActiveEnterTimestampMonotonic\0\1t\0\0\0\0\0\0\0\0\0\0\0\0\23\0\0\0ActiveExitTimestamp\0\1t\0\0\0\0\0\0\0\0\0\0\0\0\0\0\34\0\0\0ActiveExitTimestampMonotonic\0\1t\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\0\0InactiveEnterTimestamp\0\1t\0\0\0\5\252\316m8\300\5\0\37\0\0\0InactiveEnterTimestampMonotonic\0\1t\0\0\357v\2604\r\0\0\0\3\0\0\0Job\0\4(uo)\0\0\0\207\360\0\0#\0\0\0/org/freedesktop/systemd1/job/61575\0\0\0\0\0\17\0\0\0ConditionResult\0\1b\0\0\1\0\0\0\0\0\0\0\f\0\0\0AssertResult\0\1b\0\1\0\0\0\22\0\0\0ConditionTimestamp\0\1t\0\0\0\0\0\0\0005l\nn8\300\5\0\33\0\0\0ConditionTimestampMonotonic\0\1t\0\0\0\0\0\0\379\3544\r\0\0\0\17\0\0\0AssertTimestamp\0\1t\0\08l\nn8\300\5\0\30\0\0\0AssertTimest"...,
>  iov_len=1124}], msg_iovlen=1, msg_controllen=0, msg_flags=MSG_CMSG_CLOEXEC}, 
> MSG_DONTWAIT|MSG_CMSG_CLOEXEC) = 1124
> recvmsg(3, {msg_name=NULL, msg_namelen=0, 
> msg_iov=[{iov_base="l\4\1\0013\3\0\0\7\0\0\0\276\0\0\0\1\1o\\0\0\0", 
> iov_len=24}], msg_iovlen=1, msg_controllen=0, msg_flags=MSG_CMSG_CLOEXEC}, 
> MSG_DONTWAIT|MSG_CMSG_CLOEXEC) = 24
> 
> And then it ends in a loop with a failing
> 
> recvmsg(3, {msg_namelen=0}, MSG_DONTWAIT|MSG_CMSG_CLOEXEC) = -1 EAGAIN (Resource 
> temporarily unavailable)
> 
> The strange thing is, that strace mentions then even php7.4-fpm. Which should 
> have nothing to do with the `systemctl start dovecot`?
> 
> Anyone here has a bullseye system where this works?
> Maybe I also should report this to the Debian BTS.
> 



Re: JMAP support?

2021-03-09 Thread Jean-Daniel
The HTTP API is just for doveadm and is not related in any way to JMAP AFAIK.

> On 8 Mar 2021 at 23:52, Philip wrote:
> 
> Didn't JMAP get included with v2.3 with the HTTP API?
> 
> https://www.dovecot.org/list/dovecot-news/2016-March/000313.html
> 
> Or maybe that was just for admin things.
> 
> Phil
> 
> On 09/03/2021 11:26, @lbutlr wrote:
>> On 08 Mar 2021, at 14:04, Leonardo Rodrigues  
>> wrote:
>>> On 08/03/2021 16:43, @lbutlr wrote:
>>>> On 08 Mar 2021, at 02:15, Mark Constable  wrote:
>>>> There doesn't seem to be much interest in JMAP out there, which means it is 
>>>> going to be pretty hard to get something working well unless you write it 
>>>> yourself.
>>> Or sponsor its development, if the OP is so interested on it!
>> I checked and Roundcube-next appears to be a dead project, so I'd really not 
>> hold out much hope.
>> 


Re: Feature request.

2020-10-10 Thread Jean-Daniel



> On 10 Oct 2020 at 11:38, @lbutlr wrote:
> 
> On 09 Oct 2020, at 02:16, Rogier Wolff  wrote:
>> It turns out that dovecot had been running uninterrupted since august
>> 13th, the certificate was renewed on september 7th and I suspect it
>> expired on october 7th.
> 
> The ACME protocol that LE uses has a specific feature for specifying a script 
> to run after a certificate updates. One of the common things to do in these 
> scripts is to restart services like apache and dovecot so they see the new 
> certs. Other common actions are copying the certs to specific locations on 
> the system (like, say, into jails) or even to other hardware.
> 
> This is the best, most reliable, and least fiddly solution.
> 


The ACME protocol does not care about scripts run on renew, as it only specifies
the network exchange between the ACME client and the ACME server.
Running a hook on renew is the responsibility of each ACME client, and so is
specific to the client you are using.

All clients have their own way to do it:
- certbot
- acmebot
- acmetool (which may be a good solution for people who don't like dependencies
installed by other solutions, as this is a standalone binary)
- Kubernetes CertManager

Just check the doc for the one you are using.
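The failure Rogier describes above (Dovecot running for weeks on a certificate that was renewed on disk) is only fixed by the hook if the hook both reloads the daemon and confirms the reload took. The script below is an added example of such a hook, not code from the thread, certbot or Dovecot. It relies on certbot's documented deploy-hook convention (`RENEWED_LINEAGE` points at the `live/<name>` directory of the renewed certificate); the host name, the `DOVECOT_HOST` variable, the port and the use of `doveadm reload` are assumptions for the illustration. After reloading it fetches the leaf certificate Dovecot presents on 993 and compares its SHA-256 fingerprint with the leaf in `fullchain.pem`; a mismatch means the reload was not enough and a restart is needed. The PEM strings used by the test are constructed, not real certificates.

```python
"""certbot --deploy-hook: reload Dovecot and prove the new cert is served (added example)."""
import base64
import hashlib
import os
import ssl
import subprocess
import sys

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def leaf_cert(chain_pem: str) -> str:
    """First certificate of a PEM chain (fullchain.pem lists the leaf first)."""
    start = chain_pem.index(PEM_BEGIN)
    end = chain_pem.index(PEM_END, start) + len(PEM_END)
    return chain_pem[start:end]


def pem_fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes: the digest `openssl x509 -noout -fingerprint
    -sha256` prints, lowercase and without the colons."""
    body = "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.startswith("-----"))
    return hashlib.sha256(base64.b64decode(body)).hexdigest()


def make_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour (used for the constructed test data)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_BEGIN, *lines, PEM_END]) + "\n"


def served_fingerprint(host: str, port: int = 993) -> str:
    """Fingerprint of the leaf the live server presents on an implicit-TLS port."""
    return pem_fingerprint(ssl.get_server_certificate((host, port)))


def deploy(lineage: str, host: str) -> bool:
    """Reload Dovecot, then compare disk vs wire. True if they match."""
    with open(os.path.join(lineage, "fullchain.pem")) as f:
        on_disk = pem_fingerprint(leaf_cert(f.read()))
    subprocess.run(["doveadm", "reload"], check=True)  # assumed to be enough
    return served_fingerprint(host) == on_disk


if __name__ == "__main__":
    lineage = os.environ.get("RENEWED_LINEAGE")  # set by certbot for deploy hooks
    if not lineage:
        sys.exit("RENEWED_LINEAGE not set; run this as a certbot deploy hook")
    host = os.environ.get("DOVECOT_HOST", "mail.example.com")  # assumed name
    if not deploy(lineage, host):
        sys.exit("Dovecot is still serving the old certificate; restart it")
```

Install it with `certbot renew --deploy-hook /path/to/this.py` (or under `renewal-hooks/deploy/`); the non-zero exit on mismatch is what makes the renewal log show the problem instead of hiding it until clients start failing.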



Re: local stanza only generated for IPv6

2020-06-30 Thread Jean-Daniel


> On 1 Jul 2020 at 06:50, Jeremy Ardley wrote:
> 
> I have a mail server with multiple IP addresses and associated DNS names
> 
> In the dovecot configuration I have a listen directive:
> 
> listen = mail.example.com.com,mail.otherexample.com,localhost
> 
> Multiple local stanzas are of the form:
> 
> local mail.example.com {
>   protocol imap {
>  ssl_cert =   ssl_key =  
>  service imaps_login {
>inet_listener imaps {
>  address=mail.example.com
>}
>inet_listener imap {
>  address=mail.example.com
>}
>  } 
>   }
> }
> 
> mail.example.com has IPv4 and IPv6 addresses in DNS
> 
> When I run doveconf -n the local configuration is only generated for the IPv6 
> address. I can test the operation on IPv6 using openSSL and see different 
> server certificates on different IP addresses as expected.
> 
> How do I force local generation for both IPv4 and IPv6 ?
> 
You can probably avoid using a hostname for the address directive and instead
give a space-separated list of the IP addresses you want to listen on.

And unless you need to disable dovecot on some interfaces, you don't have to
specify the listen directive, as it defaults to all IPv4 and IPv6 addresses.



Re: identify 143 vs 993 clients

2020-05-31 Thread Jean-Daniel



> On 31 May 2020 at 06:09, Peter wrote:
> 
> On 29/05/20 11:27 pm, mj wrote:
>> Thanks to all who participated in the interesting discussion.
>> It seems my initial thought might have been best after all, and 
>> discontinuing port 143 might be the safest way proceed.
> 
> Yes and no.  Some of the attack vectors mentioned are not reasonable and it 
> really depends on the client.  Thunderbird, for example, used to have 
> settings for plain text, TLS and "TLS if available", but the latter setting 
> has not been available for some time which forces the user to choose either 
> plain text or TLS at setup time now.  This means that the user would now have 
> to change the setting in their client for a downgrade attack to work.  I 
> can't speak for all MUAs but if they similarly have removed their "TLS if 
> available" option or if the users explicitly don't pick that option (you can 
> ask them not to in your setup instructions) then that type of downgrade 
> attack cannot occur.
> 
> The other possible downgrade attack which was not mentioned but is equally 
> mitigated by the client is where the MITM intercepts the connection, connects 
> to your server and issues a STARTTLS itself but presents the resulting 
> connection as plain text to the client.  This means that enforcing STARTTLS 
> on the server side will not prevent a plain text connection through a MITM 
> from the client.  But do keep in mind that if the client is configured 
> properly to only connect via TLS then it will refuse the connection if it is 
> not presented with a STARTTLS option that works.
> 
> So yes the safest way to go is to just use port 993, but as long as the 
> client is not set to a "TLS if available" option then port 143 is also safe.

I don’t think you can call an option safe if it relies on the users to properly 
configure their client. We all know that users are usually bad at following 
instructions ;-)




Re: identify 143 vs 993 clients

2020-05-29 Thread Jean-Daniel


> On 29 May 2020 at 11:17, Stuart Henderson wrote:
> 
> On 2020-05-26, mj  wrote:
>> Hi,
>> 
>> On 25/05/2020 23:04, Voytek wrote:
>>> jumping here with a question, if I use 143 with STARTTLS, and, force
>>> TLS/SSL in configuration, that's equivalent from security POV, isn't
>>> it? and, same for 110 STARTTLS? Or am I missing something?
>> Interesting point, after some googling, I think you are right, and as 
>> long as we have set "disable_plaintext_auth = yes" (and we have that) we 
>> should be fine keeping 143 open. Right?
> 
> In the case of 143, nothing stops the client *sending* a plaintext login
> request. Login may be denied, but the password is already leaked. Also
> if you have only the server side (not the client side) deny plaintext
> logins, a MITM can just strip off the STARTSSL capability from the server
> response.

And doing that, it can as easily inject a LOGIN capability, making a non-broken
client also send the password in plain text. (Only a broken client will send the
password if LOGIN is not present.)

That's why this RFC exists: https://tools.ietf.org/html/rfc8314


> In a setting where you want to protect the clients from accidentally
> exposing secrets by misconfiguration, allowing only 993/995 (and 465 for
> SMTP; 25/587 have the same problem) is the safe way.

Port 25 is a special case and should never be used by clients, but only for
(unauthenticated) server-to-server communication.
There is no way to use implicit TLS for SMTP as the SMTP transport MX
infrastructure has no way to specify a port.

Clients should always use the submission port (587, or 465 for submission over
TLS).
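The exchange described in this message and in the 2020-05-31 reply above (a MITM stripping STARTTLS from the server's capability line, and the client's configuration deciding whether a password then crosses the wire in the clear), as an added example that is not part of the thread or of Dovecot's code. It models the untagged CAPABILITY response on port 143: an honest server with `disable_plaintext_auth = yes` advertises `STARTTLS` and `LOGINDISABLED` (this is the RFC 2595 behaviour; the exact capability strings here are constructed), the attacker rewrites that one line, and a client set to "TLS only" fails closed while a client set to "TLS if available" logs in over plaintext. Nothing the server is configured with changes the last outcome.

```python
"""Why a server-side 'disable_plaintext_auth' does not protect a client on 143 (added example)."""


def parse_capabilities(line: str) -> set:
    """'* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED' -> {'IMAP4rev1', ...}"""
    words = line.split()
    if words[:2] != ["*", "CAPABILITY"]:
        raise ValueError("not an untagged CAPABILITY response: %r" % line)
    return set(words[2:])


def server_capability_line(disable_plaintext_auth: bool) -> str:
    """Capability line a server sends on 143 before STARTTLS. The setting only
    decides whether LOGINDISABLED or AUTH=PLAIN is advertised; the leg the
    line travels on is plaintext either way."""
    caps = ["IMAP4rev1", "STARTTLS"]
    caps.append("LOGINDISABLED" if disable_plaintext_auth else "AUTH=PLAIN")
    return "* CAPABILITY " + " ".join(caps)


def mitm_rewrite(line: str) -> str:
    """Active attacker on the plaintext leg: drop STARTTLS so the client never
    upgrades, drop LOGINDISABLED so the client believes plaintext auth is fine,
    and offer AUTH=PLAIN. The server never sees that this happened."""
    caps = parse_capabilities(line) - {"STARTTLS", "LOGINDISABLED"}
    caps.add("AUTH=PLAIN")
    return "* CAPABILITY " + " ".join(sorted(caps))


def client_next_step(capability_line: str, require_tls: bool,
                     tls_active: bool = False) -> str:
    """What the client does after reading the capability line."""
    if tls_active:
        return "authenticate"       # 993, or after a successful STARTTLS
    caps = parse_capabilities(capability_line)
    if "STARTTLS" in caps:
        return "starttls"
    if require_tls:
        return "abort"              # fail closed: TLS was not offered
    if "LOGINDISABLED" in caps:
        return "abort"              # honest server refusing plaintext
    return "login-plaintext"        # password crosses the wire in the clear


def password_exposed(require_tls: bool, server_disables_plaintext: bool,
                     attacker: bool) -> bool:
    """Does the client end up sending its password in the clear on port 143?"""
    line = server_capability_line(server_disables_plaintext)
    if attacker:
        line = mitm_rewrite(line)
    return client_next_step(line, require_tls) == "login-plaintext"


if __name__ == "__main__":
    for require_tls in (True, False):
        for server_disables in (True, False):
            print(f"client requires TLS={require_tls!s:5} server LOGINDISABLED="
                  f"{server_disables!s:5} attacker present -> exposed: "
                  f"{password_exposed(require_tls, server_disables, True)}")
```

The truth table the `__main__` block prints is the argument of the thread in one screen: the only row that leaks is "client does not require TLS", regardless of the server column, which is why offering nothing but 993 removes the decision from the client entirely.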




Re: got a listener on 993

2020-04-14 Thread Jean-Daniel



> On 14 Apr 2020 at 18:57, A. Schulze wrote:
> 
> 
> 
> On 13.04.20 at 20:52, David Mehler wrote:
>> Hello,
>> 
>> Before I get in to my question is ssl on 993 or starttls on 143 better
>> from a security perspective?
> 
> implicit TLS is recommended: https://tools.ietf.org/html/rfc8314#section-3

One rationale for this is to make sure broken clients don't send clear text
credentials on port 143, even if STARTTLS is required.

So from a security perspective, you can consider TLS on port 993 a better
solution.




Re: lmtp and recipient_delimiter

2020-03-12 Thread Jean-Daniel


> On 11 Mar 2020 at 19:32, Juri Haberland wrote:
> 
> Hi list,
> 
> I have a small problem with recipient_delimiters contained in usernames.
> Recently I have extended recipient_delimiter from "+" to "+-" in both
> Postfix and Dovecot (using lmtp) and now any user that have a '-' in it's
> username can't receive mail anymore, because lmtp truncates the localpart
> after the '-' and of course can't find the first half in the user database.
> 
> To illustrate: given an account "foo-...@example.com", I get the following
> log entry from postfix:
> Mar  9 09:31:43 batleth postfix/lmtp[6196]: 9A7BA33E005B:
> to=,
> relay=batleth.sapienti-sat.org[private/dovecot-lmtp], delay=20,
> delays=20/0.01/0.01/0.08, dsn=5.1.1, status=bounced (host
> batleth.sapienti-sat.org[private/dovecot-lmtp] said: 550 5.1.1
>  User doesn't exist: f...@example.com (in reply to RCPT
> TO command))
> Is there any way to tell lmtp to first look for
>  and if that fails look for  only (the
> reverse order would be ok, too)?
> 

This is already what they do AFAIK. I've been using '-' as a delimiter for a long
time and didn't have any issue with my mails.
I think this postfix error only reflects the last attempt, and not all the
resolution attempts. Try increasing the log level (either in postfix or LMTP) to
see what happens exactly.
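The lookup order Juri asks for (try `foo-bar` first, then `foo`, with `+-` as delimiters), as an added example that is not Dovecot's code and makes no claim about what its LMTP actually does: it enumerates the candidate users for a local part in both orders and resolves them against a constructed in-memory user database. Running it shows why the order matters for more than deliverability: with shortest-first, mail addressed to the real account `foo-bar` is silently delivered to `foo` with `bar+tag` treated as detail.

```python
"""Candidate users for a local part with several recipient delimiters (added example)."""


def lookup_candidates(localpart: str, delimiters: str, longest_first: bool = True):
    """'foo-bar+tag' with '+-' -> ['foo-bar+tag', 'foo-bar', 'foo']
    (or the reverse order when longest_first is False)."""
    cuts = [i for i, ch in enumerate(localpart) if ch in delimiters]
    cands = [localpart] + [localpart[:i] for i in reversed(cuts)]
    cands = [c for c in cands if c]   # a leading delimiter would yield an empty user
    return cands if longest_first else list(reversed(cands))


def resolve(address: str, delimiters: str, userdb, longest_first: bool = True):
    """Return (matched user, detail) or None when no candidate exists in userdb.
    userdb is any container of 'user@domain' strings (constructed here)."""
    localpart, sep, domain = address.rpartition("@")
    if not sep:
        return None
    for cand in lookup_candidates(localpart, delimiters, longest_first):
        user = f"{cand}@{domain}"
        if user in userdb:
            # the detail is whatever followed the delimiter that ended the match
            detail = localpart[len(cand) + 1:] if cand != localpart else ""
            return user, detail
    return None


if __name__ == "__main__":
    userdb = {"foo-bar@example.com", "foo@example.com", "alice@example.com"}  # constructed
    for addr in ("foo-bar+tag@example.com", "alice+news@example.com"):
        print(addr, "longest-first ->", resolve(addr, "+-", userdb),
              "shortest-first ->", resolve(addr, "+-", userdb, longest_first=False))
```

With both `foo-bar` and `foo` as real users, only the longest-first order keeps the two mailboxes apart; if you add `-` as a delimiter on a system that already has hyphenated user names, verify with a test delivery (and the raised LMTP log level suggested above) which order your setup applies before relying on it.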



Re: Dovecot HA/Resilience

2020-01-11 Thread Jean-Daniel


If you just want active/standby, you can simply use corosync/pacemaker as others
already suggested and not use Director.
I have a dovecot HA server that uses a floating IP and pacemaker to manage it,
and it works quite well.

The only real hard part is having HA storage.
You can simply use NFS storage shared by both servers (as long as only one has
the floating IP, you won't have issues with the same client accessing it from
both servers), but the storage will then be a single point of failure.
You may have both servers have their own storage and sync it using dovecot
replicator (I have never tried, so I can't say for sure), or have another layer
taking care of the storage sync (like DRBD).

While DRBD is fine to sync dovecot storage, it may not be enough if you really
want HA and have other services (postfix, rspamd, ...) running on that server, as
you may need to also have the postfix queues (or other data) synced on both
servers.



> On 10 Jan 2020 at 21:12, Adrian Minta wrote:
> 
> Yes, but it works for small systems if you set IP source address persistence 
> on LB or even better, if you set priority to be Active/Standby. I couldn't 
> find a good example with dovecot director and backend on the same server, so 
> adding another two machines seems overkill for small setups.
> 
> If someone has a working example for this please make it public !
> 
> Quote from https://wiki2.dovecot.org/Director
> 
> "Director and Backend in same server (broken)
> NOTE: This feature never actually worked. It would require further 
> development to fix (director would need to add "proxy" field to extra fields 
> and notify auth that the auth_request can be freed)."
> 
> Also:
> 
> https://dovecot.org/pipermail/dovecot/2012-May/135600.htm
> 
> https://www.dovecot.org/list/dovecot/2012-June/083983.html
> 
> 
> On 1/10/20 8:09 PM, Aki Tuomi wrote:
>> Also you should probably use dovecot director to ensure same user sessions 
>> end up on same server, as it's not supported to access same user on 
>> different backends in this scenario.
>> 
>> Aki
>> 
>>> On 10/01/2020 19:49 Adrian Minta  wrote:
>>> 
>>> 
>>>  Hello,
>>>  you need to "clone" the first server, change the ip address, mount the 
>>> same maildir storage and use some mechanism to share the accounts database.
>>> 
>>>  Then you need to put a TCP load-balancer in front of the servers an you 
>>> are good to go. This is the easiest solution if you already have in the 
>>> network an appliance that can do LB. For instance if you already have a 
>>> firewall with that function.
>>> 
>>>  
>>> 
>>>  Another solution is to make a cluster with corosync/pacemaker out of the 
>>> two servers:
>>> 
>>>  
>>> https://www.digitalocean.com/community/tutorials/how-to-create-a-high-availability-setup-with-corosync-pacemaker-and-floating-ips-on-ubuntu-14-04
>>>  
>>> https://linuxacademy.com/blog/linux-academy/configure-a-failover-cluster-with-pacemaker/
>>> 
>>>  
>>> 
>>>  
>>> 
>>>  On 1/10/20 7:16 PM, Kishore Potnuru wrote:
>>> 
>>>  
>>>> Thank you all for the replies
>>>> 
>>>> I have the test environment with the same configuration. But I have been
>>>> asked to go with same environment for HA/Resilience in Live.
>>>> Yes, I have only one Live server. It is configured in "Maildir" format.
>>>> The data stores on a Network / Shared Storage (But definitely not local
>>>> disk, it's a mount point).
>>>> I have been asked to create a HA/Resilience for this environment. They
>>>> gave me another server with same ram/cpu/os and I need to configure the
>>>> dovecot on it.
>>>> Please provide your suggestions/steps as I am new to this kind of
>>>> environment.
>>>> Is it possible, when any email comes to any one or both of the two
>>>> servers, how it will be read by the user from Outlook? How to create the
>>>> environment?
>>>> 
>>>> Thanks,
>>>> Kishore Potnuru
>>>> 
>>>> On Fri, Jan 10, 2020 at 7:55 AM Sami Ketola  wrote:
>>>>> On 10 Jan 2020, at 9.20, Emmanuel Dreyfus  wrote:
>>>>>> 
>>>>>> On Fri, Jan 10, 2020 at 09:07:24AM +0200, Aki Tuomi wrote:
>>>>>>> Replication is not supported with mbox. Most features are not.
>>>>>> 
>>>>>> It would be nice if the document about replication could tell
>>>>>> what setup works.
>>>>> 
>>>>> First step in setting up HA system would be to migrate away from
>>>>> mbox.
>>>>> 
>>>>> Sami
>  
>>>  -- 
>>> Best regards,
>>> Adrian Minta
>>> 
>>> 
>>> 
> -- 
> Best regards,
> Adrian Minta
> 
> 


Re: Perl was: JMAP: Re: http API for IMAP

2019-11-19 Thread Jean-Daniel via dovecot



> On 19 Nov 2019 at 09:14, Thomas Güttler via dovecot wrote:
> 
> On 18.11.19 at 16:18, Ralph Seichter via dovecot wrote:
>> * Thomas Güttler via dovecot:
>>> https://github.com/guettli/programming-guidelines#regex-are-great---but-its-like-eating-rubbish
>> Thanks for including the disclaimer "It's my personal opinion and
>> feeling. No facts, no single truth." in your 'guidelines' (many of which
>> I disagree with). I just wish you had included the same disclaimer in
>> what you wrote in this thread, instead of presenting your personal
>> opinions and beliefs as facts.
>> Also, this has drifted far away from being related to Dovecot in any
>> useful way.
> 
> 
> You disagree? Great! I am curious. What is wrong in my personal
> guidelines?

Please, if you want to start a coding style flame war, do that in private.
I think we got enough mails from this discussion that are completely off 
the dovecot list subject.



Re: IMAP4 extensions for Visual Voicemail (VVM)

2019-10-20 Thread Jean-Daniel via dovecot


> On 20 Oct 2019 at 22:24, Mauricio Tavares via dovecot wrote:
> 
> On Sun, Oct 20, 2019 at 10:43 AM Rajesh Bansal via dovecot
>  wrote:
>> 
>> Hi Team,
>> 
>> 
>> 
>> I need to develop Visual VoiceMail solution. In this solution I need a IMAP4 
>> server, from which I can get a hit for each mail retrieval. Can anyone help 
>> me if dovecot can be used for this purpose.
>> 
>  That is rather vague. Do you want to do something like ol' biff
> or what we used to do with Asterix 10 years ago (get an email with the
> voicemail as as attachment)?

I guess he is talking about that: 
https://www.gsma.com/newsroom/wp-content/uploads/2012/07/OMTP_VVM_Specification_1_3.pdf
 



> 
>> 
>> BR,
>> 
>> Rajesh Bansal
>> 
>> 



Re: Password issue

2019-10-12 Thread Jean-Daniel via dovecot



> On 12 Oct 2019 at 03:26, @lbutlr via dovecot wrote:
> 
> On Oct 11, 2019, at 2:00 PM, Joseph Tam  wrote:
>> On Fri, 11 Oct 2019, @lbutlr wrote:
>> 
> Oct 09 16:02:50 imap-login: Info: Aborted login (auth failed, 5 attempts 
> in 33 secs): user=, xx.xx.xx.xx, PLAIN, TLS
>>> 
>>> This turns out to have been caused by the MUA attempting to connect to
>>> port 25 (despite clearly showing port 587 in the MUA settings).  Thanks
>>> to Mac/iOS account syncing, merely trying to change the port never
>>> seemed to work, but removing the account entirely and recreating it got
>>> it to connect to port 587 as configured.
>> 
>> Yes, MacOSX Mail.app seems to bumble around, even ignoring your
>> port settings to find the "correct" configuration.  (This happens,
>> for example, when there is a transient network problem).  You need to
>> disable "Automatically manage connections" to stop these mail readers
>> from wandering around and strictly use your settings.
> 
> There is no such setting in iOS or iPadOS though, and setting the explicit 
> port for SMTP and.or IMAP advanced settings didn’t change the port it 
> actually tried connecting go until I removed the account and re-added it.
> 
> No problems on iOS 12 or macOS 10.14 so far.

I encountered this issue on 10.14 this week, so it is present (with an account using 
automatic server settings).



Re: lmtp and virtual users

2019-10-02 Thread Jean-Daniel via dovecot
You set ‘auth_bind’ to ‘no’ and you make sure ‘dn’ and ‘dnpass’ are 
properly configured with a user with enough privileges to read users' passwords.

And also, you make sure your pass_attrs contains a password attribute 
(containing the user password hash).


> On 2 Oct 2019 at 19:33, David Wells - Alfavinil S.A. via dovecot wrote:
> 
> Is there anywhere an example of how this would be setup? I understand the use 
> of a service account which I already setup but I can't figure out how to use 
> this service account to retrieve information and authenticate users.
> 
> Thanks!
> Best regards,
> David Wells.
> 
> 
> On 02/10/2019 at 04:29, Aki Tuomi wrote:
>> 
>> On 1.10.2019 17.33, David Wells - Alfavinil S.A. via dovecot wrote:
>>> Good morning.
>>> 
>>> I was just reading 
>>> https://wiki.dovecot.org/AuthDatabase/LDAP/PasswordLookups 
>>>  and found the 
>>> following statement
 When using LDA  and static userdb, deliver 
 can check if destination user exists. With auth binds this check isn't 
 possible.
>>> 
>>> Is this still relevant? Is there a workaround? It seems like using dovecots 
>>> lmtp in an active directory environment is not possible, is this correct?
>>> 
>> You cannot check user existence with auth binds because auth bind requires 
>> user credentials.
>> 
>> This is why I suggested you use a "service user" in LDAP to perform the 
>> database lookups instead of auth binds. You can still authenticate your 
>> users using kerberos.
>> 
>> Aki
>> 
> 



Re: New to dovecot admin, question about using LDAP for user-specific values

2019-09-13 Thread Jean-Daniel Dupas via dovecot


> On 13 Sept 2019 at 12:53, Gerben Wierda via dovecot wrote:
> 
> 
>> On 13 Sep 2019, at 11:51, Jean-Daniel Dupas wrote:
>> 
>> 
>> 
>>> On 13 Sept 2019 at 09:29, Gerben Wierda via dovecot wrote:
>>> 
>>> Nobody?
>>> 
>>>> On 10 Sep 2019, at 11:58, Gerben Wierda via dovecot wrote:
>>>> 
>>>> I am new to dovecot administration. I’ve read the Wiki but that hasn’t 
>>>> given me the understanding I need.
>>>> 
>>>> When I query my LDAP (on macOS) on a value for user ‘gerben’, I can get 
>>>> that:
>>>> 
>>>> dumbledore:~ gerben$ dscl /LDAPv3/127.0.0.1 -read /users/gerben 
>>>> GeneratedUID
>>>> GeneratedUID: 780D870E-6B00-478E-AB70-3D3307215A82
>>>> 
>>>> I would like to use that value in dovecot settings, e.g. something like
>>>> 
>>>> user_attrs = \
>>>>   =mail=maildir://Library/Server/Mail/Data/mail/%{ldap:GeneratedUID} 
>>>> 
>>>> 
>>>> Is this possible and if so what do I exactly need to do to get this 
>>>> working?
>> 
>> As the answer is in the question, it is hard to give you any hint about what 
>> should be done.
>> 
>> What is wrong with 
>> 
>> user_attrs = \
>>   =mail=maildir://Library/Server/Mail/Data/mail/%{ldap:GeneratedUID} 
>> 
>> 
>> Did you try it? Have you got any issue with it?
> 
> I haven’t tried anything yet as I am trying to learn before I do anything 
> (and trial and error is a very slow method), but it seems to me that just 
> that line cannot be enough. Because how does “ldap:” know to go looking in 
> the LDAP structure at "/Users//“ in the LDAP “/LDAPv3/127.0.0.1”? 
> Somehow I shall have to tell dovecot that.

OK, so your question is more about how to configure LDAP in dovecot for basic 
usage.

If you want to query the LDAP, you first have to learn what its structure is, 
and then you should tell dovecot where to look using the 'base' and 'scope' 
parameters and what to look for using the 'user_filter' parameter.

I never tried to access OpenDirectory using LDAP queries, so you will have to 
search online about how it should be done.
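Putting this reply together with the earlier one about ‘auth_bind’, ‘dn’, ‘dnpass’ and pass_attrs, here is an added, constructed dovecot-ldap.conf.ext; it is not from the thread or from Dovecot's documentation. The base DN, service account, object class and attribute names are placeholders to adapt to your directory (the LDAP attribute name your directory exposes may differ from the name dscl prints; verify with ldapsearch).

```conf
# dovecot-ldap.conf.ext (constructed example; keep it mode 0600, it holds dnpass)
hosts = 127.0.0.1
ldap_version = 3

# Where to look (assumed base DN) and how deep below it.
base = cn=users,dc=example,dc=com
scope = subtree

# Service account allowed to read user entries and their password hashes
# (placeholder DN and password). This is the "service user" approach.
auth_bind = no
dn = uid=dovecot-svc,cn=users,dc=example,dc=com
dnpass = CHANGE-ME

# What to look for: filter on the login name (%n = login without domain).
# Object class and attribute names are assumptions; verify them with ldapsearch.
user_filter = (&(objectClass=posixAccount)(uid=%n))
pass_filter = (&(objectClass=posixAccount)(uid=%n))

# Password lookup: map the directory's hash attribute to Dovecot's "password" field.
pass_attrs = userPassword=password
default_pass_scheme = CRYPT

# User lookup: build the mail location from a per-user attribute, as asked above.
user_attrs = =mail=maildir:/Library/Server/Mail/Data/mail/%{ldap:GeneratedUID}

# The alternative: binding as the user itself. It needs the user's own
# credentials, so LMTP/LDA cannot check whether a recipient exists before delivery.
#auth_bind = yes
#auth_bind_userdn = uid=%n,cn=users,dc=example,dc=com
```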



Re: Multiple certificate option SNI

2019-09-13 Thread Jean-Daniel Dupas via dovecot



> On 13 Sept 2019 at 12:10, Maciej Milaszewski IQ PL via dovecot wrote:
> 
> Hi
> I have some problem with SNI and dovecot 2.2.36.4
> 
> Server debian 9.x ad dovecot-2.2.36.4
> 
> default server ssl cert is a wildcard like *.domain.com (digicert)
> 
> ssl_ca = /var/control/cert.pem
> ssl_cert =  
> I added for test another domain (in dns to) for another ssl (letsencrypt)
> 
> from https://wiki.dovecot.org/SSL/DovecotConfiguration
> 
> like:
> 
> local_name imap.mail.test.domain.com {
>   ssl_cert =ssl_key =  < /etc/dovecot/ssl/imap.mail.test.domain.com.key
> }
> 
> 
> doveconf -n:
> 
> local_name imap.mail.test.domain.com {
>   ssl_cert =ssl_key =  # hidden, use -P to show it
> }
> 
> Now I test like:
> openssl s_client -connect imap.mail.test.domain.com:993 -tls1_1
> 
> and dovecot show me default server cert (digicert) but not dedicated
> from letsencrypt
> 
> In DNS domain imap.mail.test.domain.com is not match *.domain.com
> 
> Any idea ?
> 

AFAIK, the -connect option of openssl is not used for SNI, but only for IP 
resolution.
To enable SNI, you have to explicitly pass it using the '-servername' parameter.



Re: New to dovecot admin, question about using LDAP for user-specific values

2019-09-13 Thread Jean-Daniel Dupas via dovecot


> On 13 Sept 2019 at 09:29, Gerben Wierda via dovecot wrote:
> 
> Nobody?
> 
>> On 10 Sep 2019, at 11:58, Gerben Wierda via dovecot wrote:
>> 
>> I am new to dovecot administration. I’ve read the Wiki but that hasn’t given 
>> me the understanding I need.
>> 
>> When I query my LDAP (on macOS) on a value for user ‘gerben’, I can get that:
>> 
>> dumbledore:~ gerben$ dscl /LDAPv3/127.0.0.1 -read /users/gerben GeneratedUID
>> GeneratedUID: 780D870E-6B00-478E-AB70-3D3307215A82
>> 
>> I would like to use that value in dovecot settings, e.g. something like
>> 
>> user_attrs = \
>>   =mail=maildir://Library/Server/Mail/Data/mail/%{ldap:GeneratedUID} 
>> 
>> 
>> Is this possible and if so what do I exactly need to do to get this working?

As the answer is in the question, it is hard to give you any hint about what 
should be done.

What is wrong with 

user_attrs = \
  =mail=maildir://Library/Server/Mail/Data/mail/%{ldap:GeneratedUID} 


Did you try it? Have you got any issue with it?




Re: TLS not working with iOS beta?

2019-09-04 Thread Jean-Daniel via dovecot



Re: TLS not working with iOS beta?

2019-09-04 Thread Jean-Daniel via dovecot


> On 4 Sept 2019 at 20:11, Henrik Johansson via dovecot wrote:
> 
> Hi,
> 
> Have anyone else experienced problems using Dovecot with the mail app in beta 
> releases of iOS/iPadOS 13?
> 
> TLS is failing for my, it have worked fine for years and I am on the latest 
> Dovecot version now, it works fine with older clients but not with the ones 
> upgraded:
> 
> Sep 04 19:49:16 imap-login: Debug: SSL: where=0x10, ret=1: before/accept 
> initialization
> Sep 04 19:49:16 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept 
> initialization
> Sep 04 19:49:16 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read 
> client hello A
> Sep 04 19:49:16 imap-login: Debug: SSL alert: where=0x4008, ret=552: fatal 
> handshake failure
> Sep 04 19:49:16 imap-login: Debug: SSL: where=0x2002, ret=-1: error
> Sep 04 19:49:16 imap-login: Debug: SSL: where=0x2002, ret=-1: error
> Sep 04 19:49:16 imap-login: Debug: SSL error: SSL_accept() failed: 
> error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
> Sep 04 19:49:16 imap-login: Debug: SSL: where=0x2002, ret=-1: error
> Sep 04 19:49:16 imap-login: Debug: SSL error: SSL_accept() failed: 
> error:140800FF:SSL routines:ssl3_accept:unknown state
> Sep 04 19:49:16 imap-login: Info: Disconnected (no auth attempts in 0 secs): 
> user=<>, rip=11.22.33.44, lip=11.22.33.44, TLS handshaking: SSL_accept() 
> failed: error:140800FF:SSL routines:ssl3_accept:unknown state, 
> session=
> 
> Working client:
> 
> Sep 04 19:57:58 imap-login: Debug: SSL: where=0x10, ret=1: before/accept 
> initialization
> Sep 04 19:57:58 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept 
> initialization
> Sep 04 19:57:58 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read 
> client hello A
> Sep 04 19:57:58 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read 
> client hello A
> Sep 04 19:57:58 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write 
> server hello A
> Sep 04 19:57:58 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write 
> certificate A
> Sep 04 19:58:01 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key 
> exchange A
> Sep 04 19:58:01 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write 
> server done A
> Sep 04 19:58:01 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data
> Sep 04 19:58:01 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read 
> client certificate A
> Sep 04 19:58:01 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read 
> client key exchange A
> Sep 04 19:58:01 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read 
> client key exchange A
> Sep 04 19:58:01 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read 
> client key exchange A
> Sep 04 19:58:01 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read 
> client key exchange A
> Sep 04 19:58:03 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read 
> client key exchange A
> Sep 04 19:58:03 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read 
> certificate verify A
> Sep 04 19:58:03 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read 
> finished A
> Sep 04 19:58:03 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read 
> finished A
> Sep 04 19:58:03 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write 
> change cipher spec A
> Sep 04 19:58:03 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write 
> finished A
> Sep 04 19:58:03 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data
> Sep 04 19:58:03 imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation 
> finished successfully
> Sep 04 19:58:03 imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation 
> finished successfully
> Sep 04 19:58:03 imap-login: Info: Login: user=, method=LOGIN, 
> rip=11.22.33.44, lip=11.22.33.44, mpid=28781, TLS, TLSv1.2 with cipher 
> DHE-RSA-AES256-GCM-SHA384 (256/256 bits), session=
> 
> 
> Config:
> 
> # egrep -v "^#|^$" 10-ssl.conf 10-auth.conf
> 10-ssl.conf:ssl = required
> 10-ssl.conf:ssl_cert =  10-ssl.conf:ssl_key =  10-ssl.conf:ssl_dh =  10-ssl.conf:ssl_min_protocol = TLSv1.1
> 10-ssl.conf:ssl_cipher_list = 
> ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
> 10-auth.conf:disable_plaintext_auth = yes
> 10-auth.conf:auth_mechanisms = login
> 10-auth.conf:!include auth-system.conf.ext
> 
> # dovecot --version
> 2.3.7.2 (3c910f64b)

Just a wild guess as I didn’t try to configure Mail on Catalina yet, but it 
looks like your server only supports ‘DHE-RSA…’ ciphers.
I think that modern systems prefer using ECDHE key exchange and would not be 
surprised if iOS requires it.

What version of OpenSSL are you using?
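To check the guess above against a concrete cipher list, here is an added Python example (mine, not from the thread or from Dovecot) that expands an OpenSSL cipher-list string with the same parser OpenSSL itself uses and reports which key-exchange families survive. It uses the ssl_cipher_list quoted from the poster's 10-ssl.conf, plus a constructed DHE-only list for comparison.

```python
import ssl

# ssl_cipher_list exactly as quoted from the poster's 10-ssl.conf in this thread.
DOVECOT_CIPHER_LIST = (
    "ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:"
    "!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH"
)

# Constructed comparison list: a server that only offers DHE-RSA suites.
DHE_ONLY_LIST = "DHE-RSA-AES256-GCM-SHA384"


def expand_cipher_list(cipher_list):
    """Expand an OpenSSL cipher-list string into the suites the local OpenSSL
    would actually offer. TLS 1.3 suites are reported too (kea 'kx-any')
    because they are not controlled by this string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_list)  # raises ssl.SSLError if no suite survives
    return ctx.get_ciphers()


def key_exchange_summary(cipher_list):
    """Group the surviving suites by key-exchange family, e.g.
    {'kx-ecdhe': [...], 'kx-dhe': [...], 'kx-any': [...]}."""
    summary = {}
    for suite in expand_cipher_list(cipher_list):
        summary.setdefault(suite["kea"], []).append(suite["name"])
    return summary


def has_ecdhe(cipher_list):
    """True if at least one ECDHE suite survives the cipher list."""
    return "kx-ecdhe" in key_exchange_summary(cipher_list)


def report(cipher_list):
    """Human-readable summary of what a server with this list would offer."""
    summary = key_exchange_summary(cipher_list)
    lines = []
    for kea in sorted(summary):
        lines.append("%s: %d suites, e.g. %s" % (kea, len(summary[kea]), summary[kea][0]))
    if not has_ecdhe(cipher_list):
        lines.append("WARNING: no ECDHE suites; a client that only offers ECDHE "
                     "fails the handshake with 'no shared cipher'")
    return "\n".join(lines)


if __name__ == "__main__":
    print("Configured ssl_cipher_list:")
    print(report(DOVECOT_CIPHER_LIST))
    print()
    print("DHE-only list (constructed):")
    print(report(DHE_ONLY_LIST))
```

If the configured list does expand to ECDHE suites locally but the server still only offers DHE-RSA, the OpenSSL build Dovecot links against (not the one this script uses) is the next thing to compare.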




Re: [Bug] Sieve vacation :addresses match only case-sensitive?

2019-09-04 Thread Jean-Daniel via dovecot


> On 4 Sept 2019 at 19:37, Roger Klorese via dovecot wrote:
> 
> 
> 
> On Wed, Sep 4, 2019 at 8:25 AM Philipp Faeustlin via dovecot wrote:
> Further investigation showed me that it has to be a bug.
> 
> I tested with Dovecot 2.2.36.3 (a7d78f5a2), Pigeonhole version 0.4.24 
> (5a7e9e62):
> 
> In this version the additional addresses in vacation :addresses 
> ["t...@example.com "] are handled case-insensitive.
> 
> In the new version: Dovecot 2.3.7.2 (3c910f64b), Pigeonhole version 
> 0.5.7.2 (7372921a) installed via https://repo.dovecot.org/ 
> , (same sieve, 
> same configuration) these addresses are handled case-sensitive.
> 
> The case-sensitive matching of mail addresses, doesn't make any sense to me.
> 
> Could someone confirm this behavior?
> 
> 
> Isn’t RFC-compliant behavior to treat the local part as case-sensitive and 
> the domain-part as case-insensitive?

It is not recommended to rely on local-part case, but it is indeed 
case-sensitive.

And it is to avoid such issues that postfix supports address 
cleanup/canonicalisation before forwarding mails to dovecot.

--
RFC 5321:

"Local-part = Dot-string / Quoted-string ; MAY be case-sensitive
[…]
While the above definition for Local-part is relatively permissive, for maximum 
interoperability, a host that expects to receive mail SHOULD avoid defining 
mailboxes where the Local-part requires (or uses) the Quoted-string form or 
where the Local-part is case-sensitive."
 
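As an added illustration of the RFC 5321 rule quoted above (my own code, not Pigeonhole's matching logic), this Python example compares addresses with a case-insensitive domain and a case-sensitive local part, with an optional fold that models the MTA-side canonicalisation mentioned. All addresses are constructed.

```python
def split_address(addr):
    """Split 'local-part@domain' at the '@' that separates the two.
    A Quoted-string local part ("a@b"@example.com) may itself contain '@',
    so for those the split happens after the closing quote, honouring
    backslash escapes inside the quotes."""
    addr = addr.strip()
    if addr.startswith('"'):
        i = 1
        while i < len(addr):
            if addr[i] == "\\":
                i += 2          # skip the escaped character
                continue
            if addr[i] == '"':
                break           # i now points at the closing quote
            i += 1
        else:
            raise ValueError("unterminated quoted local part: %r" % addr)
        at = addr.find("@", i)  # first '@' after the closing quote
    else:
        at = addr.rfind("@")    # a domain cannot contain '@', so use the last one
    if at <= 0 or at == len(addr) - 1:
        raise ValueError("not a mailbox address: %r" % addr)
    return addr[:at], addr[at + 1:]


def addresses_match(a, b, fold_local_part=False):
    """Compare two mailbox addresses the RFC 5321 way: the domain is
    case-insensitive, the local part is case-sensitive. fold_local_part=True
    models an MTA that lowercases local parts before delivery, which is the
    usual way to avoid this class of mismatch."""
    local_a, domain_a = split_address(a)
    local_b, domain_b = split_address(b)
    if domain_a.lower() != domain_b.lower():
        return False
    if fold_local_part:
        return local_a.lower() == local_b.lower()
    return local_a == local_b


def vacation_address_matches(recipient, addresses, fold_local_part=False):
    """Would a recipient match a sieve vacation :addresses list under the
    chosen comparison rule? (Constructed model of the check, not Pigeonhole's.)"""
    return any(addresses_match(recipient, a, fold_local_part) for a in addresses)


if __name__ == "__main__":
    # Constructed sample: the recipient's local part differs only in case.
    print(vacation_address_matches("Tom@example.com", ["tom@example.com"]))
    print(vacation_address_matches("Tom@example.com", ["tom@example.com"],
                                   fold_local_part=True))
```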



Re: 2.3.7 + stats

2019-08-16 Thread Jean-Daniel via dovecot
Some of the behaviours you observe may be due to the same bug I encountered:

https://dovecot.org/pipermail/dovecot/2019-July/116475.html

Especially regarding the ‘successful’ field for auth, which does not exist 
and is really named ‘success’, and which is never set anyway.


> On 15 Aug 2019 at 23:57, Matt Bryant via dovecot wrote:
> 
> Is there any additional documentation/information around the new stats module.
> 
> Have added some metrics just to see what they produce
> 
> ##
> ## Metrics
> ###
> 
> metric imap {
> event_name = imap_command_finished
> #source_location = example.c:123
> 
> #categories =
> 
> fields = name args running_usecs bytes_in bytes_out
> 
> #filter {
> #field_key = wildcard
> #}
> }
> 
> metric sql {
> event_name = sql_query_finished
> }
> 
> metric auth {
> event_name = auth_request_finished
> fields = user transport error successful
> }
> 
> and get the following
> 
> 
> [root@stargate dovecot]# doveadm stats dump
> metric_namefieldcountsumminmaxavg medianstddev
> %95
> imapduration370200790449913062955249 5426768.922068   
>  16436817.3760026465
> imapname3700000.0000.000
> imapargs00000.0000.000
> imaprunning_usecs370200786533081 629551275426663.05
> 199116436816.7660026329
> imapbytes_in3705366217314.508 19.0435
> imapbytes_out37021199710941517 5729.654153760.89  
>   2082
> sqlduration182899199123051610.61 1660377.36
> 2305
> authduration122604698081467079879 2170581.67847730
> 2457811.237079879
> authuser120000.0000.000
> authtransport120000.0000.00 0
> autherror00000.0000.000
> authsuccessful00000.0000.00 0
> 
> the main wiki page on stats/events doesnt really hold much detail whats 
> stores for each event the above fields dont make much sense
> 
> and top no longer works out of the box
> 
> [root@stargate dovecot]# doveadm stats top
> 
> usage: doveadm [-Dv] [-f ] stats  []
>   dump [-s ] [-r] [-f ]
> 
> 
> has is been removed ? do you need to specify something additional now ???
> 
> 
> rgds
> 
> 
> Matt
> 
> 
> 



Re: Solr, Dovecot & macOS / iOS

2019-08-13 Thread Jean-Daniel via dovecot


> On 13 Aug 2019 at 14:53, Sami Ketola wrote:
> 
> 
> 
>> On 13 Aug 2019, at 15.37, Jean-Daniel via dovecot wrote:
>> 
>> 
>> 
>>> On 13 Aug 2019 at 14:16, Sami Ketola via dovecot wrote:
>>> 
>>> 
>>> 
>>>> On 13 Aug 2019, at 14.58, James Brown via dovecot wrote:
>>>> 
>>>> I’m thinking of getting Solr working with my Dovecot server. Server is new 
>>>> 6-core Mac Mini, mail store of over 1/2 TB. Mailboxes with 100s of 
>>>> thousands of messages.
>>>> 
>>>> But I’m not sure if:
>>>> 
>>>> a) it will make enough of a difference and
>>> 
>>> Choose mailbox format wisely. sdbox preferred unless HFS+ has problems with 
>>> 100s of thousands of small files in same directory. If so, then use mdbox 
>>> with periodic purges.
>>> 
>>>> 
>>>> b) does Mail.app and other mail clients on Macs or iOS devices perform 
>>>> searches on their local copy of mail or does it just send a search request 
>>>> to the server?
>>> 
>>> None of the apple devices use IMAP SEARCH. They ALL maintain and use their 
>>> own local search database on the device. Also they seem to refresh the 
>>> database every now and then redownloading all emails.
>> 
>> Do you have a source for that. My experience is that without server search 
>> support, iOS is very slow at returning result. Moreover, it keep only latest 
>> messages and never download message until you read them.
> 
> I'm a apple device user myself. I have couple of iPhones, couple of iPads, 
> couple if MacBooks and Mail.app on any of them is not using IMAP SEARCH.
> And I cannot find any configuration option to enable it. Only spotlight index 
> is used. On Mac OS Mail.App seems to store the indexed data to:
> 
> samik@samikworkmac:~>ls -1 Library/Mail/V6/MailData/Envelope\ Index*
> Library/Mail/V6/MailData/Envelope Index
> Library/Mail/V6/MailData/Envelope Index-shm
> Library/Mail/V6/MailData/Envelope Index-wal
> 
> if those files are removed or spotlight search for mails is disabled Mail.App 
> can't find anything anymore. It does not fall back to IMAP SEARCH.
> 

My question was more about iOS. I know that macOS Mail does not rely in any way 
on remote indexing and has its own local index, but as it also stores all 
messages locally, that is an easy requirement. For iOS, which only downloads message 
meta-data by default, I was not so sure. 

I’m accessing my mail server using Apple devices only, and see some imap SEARCH 
requests in dovecot stats, but can’t figure out where they come from though. So 
you may be right.




Re: Solr, Dovecot & macOS / iOS

2019-08-13 Thread Jean-Daniel via dovecot



> On 13 Aug 2019 at 14:16, Sami Ketola via dovecot wrote:
> 
> 
> 
>> On 13 Aug 2019, at 14.58, James Brown via dovecot  
>> wrote:
>> 
>> I’m thinking of getting Solr working with my Dovecot server. Server is new 
>> 6-core Mac Mini, mail store of over 1/2 TB. Mailboxes with 100s of thousands 
>> of messages.
>> 
>> But I’m not sure if:
>> 
>> a) it will make enough of a difference and
> 
> Choose mailbox format wisely. sdbox preferred unless HFS+ has problems with 
> 100s of thousands of small files in same directory. If so, then use mdbox 
> with periodic purges.
> 
>> 
>> b) does Mail.app and other mail clients on Macs or iOS devices perform 
>> searches on their local copy of mail or does it just send a search request 
>> to the server?
> 
> None of the apple devices use IMAP SEARCH. They ALL maintain and use their 
> own local search database on the device. Also they seem to refresh the 
> database every now and then redownloading all emails.

Do you have a source for that? My experience is that without server search 
support, iOS is very slow at returning results. Moreover, it keeps only the latest 
messages and never downloads a message until you read it.



Re: Auth driver

2019-08-09 Thread Jean-Daniel via dovecot
I’m not familiar with dovecot code, but as I’m using ldap, I know that the 
ldap authdb support is not part of the dovecot-core package, and is provided as a 
plugin in an extra package.

And a quick look at the libauthdb_ldap.so file (installed by the dovecot-ldap 
package) shows me these symbols: authdb_ldap_init / passdb_ldap_plugin

So I guess that you don’t have to search very far to find such examples.


> On 9 Aug 2019 at 14:08, Riccardo Paolo Bestetti via dovecot wrote:
> 
> (resending to the list; I apologize, I'm not using my usual email client)
> 
> Hello,
> 
> That's actually great news. The perspective of working in-tree didn't make me 
> particularly happy.
> 
> Could you point me to any documentation or examples? While I can find many 
> plugins in the repo and around the Internet, I could find none which add 
> authdb drivers.
> 
> Best Regards,
> Riccardo P. Bestetti
> 
> 
> 
> 
> 
> 
> From: Aki Tuomi 
> 
> Sent: Friday, 9 August 2019 13:56
> 
> To: Riccardo Paolo Bestetti ; dovecot@dovecot.org 
> 
> 
> Subject: Re: Auth driver
> 
> 
> 
> 
> 
> 
> On 9.8.2019 14.51, Riccardo Paolo Bestetti via dovecot wrote:
> 
> > Greetings!
> 
> >
> 
> > I'm planning to implement a new auth driver. It's going to be, in concept, 
> > similar to the Lua and CheckPassword drivers, in that it allows an user 
> > program to carry out the authentication and user enumeration steps.
> 
> 
> 
> If you do this, please make it as 3rd party repository. Dovecot auth
> 
> supports plugins.
> 
> 
> 
> Aki



Re: submission configuration issues

2019-07-28 Thread Jean-Daniel via dovecot
My configuration has 2 listeners. The default one (submission) on port 587 
(which does not appear in "dovecot -n" output as it is the default).

And a second one on port 465 that is configured to use submission over TLS 
(note the ssl = yes in the configuration and the ’s’ at the end of the name: 
submissions).

According to RFC8314 (https://tools.ietf.org/html/rfc8314), this is now the 
recommended setting:

«  In brief, this memo now recommends that:

…

   o  Connections to Mail Submission Servers and Mail Access Servers be
  made using "Implicit TLS" (as defined below), in preference to
  connecting to the "cleartext" port and negotiating TLS using the
  STARTTLS command or a similar command.

» 



> On 27 Jul 2019 at 22:39, Bob Gustafson via dovecot wrote:
> 
> service submission-login {
>   inet_listener submissions {
> haproxy = no
> port = 465
> reuse_port = no
> ssl = yes
>   }
> }
> 
> Shouldn't the port be 587 here?
> 
> My config file looks like:
> 
> service submission-login {
>   inet_listener submission {
> #port = 587
>   }
> }
> 
> The # comment must also mean something..
> 
> On 7/27/19 3:21 PM, Jean-Daniel via dovecot wrote:
>> 
>> 
>>> On 27 Jul 2019 at 14:30, Stephan Bosch wrote:
>>> 
>>> On 23/07/2019 17:13, Jean-Daniel Dupas via dovecot wrote:
>>>> Hello,
>>>> 
>>>> I'm having trouble configuring the submission proxy.
>>>> 
>>>> I have configured the submission service as follow:
>>>> 
>>>> submission_host = smtp.example.com
>>>> submission_relay_host = localhost
>>>> submission_relay_port = 8587
>>>> submission_relay_rawlog_dir = /var/log/dovecot/
>>>> submission_relay_trusted = yes
>>>> 
>>>> My main issue is that until I login, dovecot-submission won't connect to 
>>>> the backend and query the capabilities and so won't report the right 
>>>> capabilities.
>>>> 
>>>> That mean that the first EHLO message don't get the right capabilities 
>>>> list.
>>>> 
>>>> "
>>>> EHLO example.com
>>>> 
>>>> 250-smtp.example.com
>>>> 250-8BITMIME
>>>> 250-AUTH PLAIN LOGIN
>>>> 250-BURL imap
>>>> 250-CHUNKING
>>>> 250-ENHANCEDSTATUSCODES
>>>> 250-SIZE
>>>> 250 PIPELINING
>>>> "
>>>> 
>>>> This list don't contains VRFY, DNS, and SIZE is not specified (all of 
>>>> these is present in backend EHLO response).
>>>> After login, if I send an new EHLO command, everything is properly 
>>>> reported. The raw log shows that unlike what the documentation says,
>>>> dovecot don't try to connect to the backend until the user is properly 
>>>> logged.
>>>> 
>>>> In my raw log I show that after I logged in dovecot-submission, the later 
>>>> open a connection to the backend and send a X-CLIENT command.
>>>> 
>>>> 
>>>> Now, if I try to force the capabilities by using:
>>>> 
>>>> submission_backend_capabilities = VRFY 8BITMIME DSN
>>>> 
>>>> dovecot properly reports all SMTP capabilities in the first EHLO response, 
>>>> but it completely stops emitting X-CLIENT command to the backend
>>>> and try to simply forward the command without authentication, which result 
>>>> in postfix rejecting the command with an unauthorized user error.
>>>> 
>>>> What is wrong with my configuration ?
>>>> Thanks.
>>> 
>>> Can you send us your complete configuration (output from `dovecot -n`)?
>> 
>> Yes (see below).
>> 
>> Some additional information:
>> 
>> ===
>> 
>> When I connect directly to dovecot-submission using nc and send an EHLO 
>> command, I got the following result (the SIZE is configured in dovecot 
>> config, that’s why it is properly announced), but no

Re: submission configuration issues

2019-07-27 Thread Jean-Daniel via dovecot



> On 27 Jul 2019 at 23:13, Stephan Bosch wrote:
> 
> 
> 
> On 23/07/2019 17:13, Jean-Daniel Dupas via dovecot wrote:
>> Hello,
>> 
>> I'm having trouble configuring the submission proxy.
>> 
>> I have configured the submission service as follow:
>> 
>> submission_host = smtp.example.com
>> submission_relay_host = localhost
>> submission_relay_port = 8587
>> submission_relay_rawlog_dir = /var/log/dovecot/
>> submission_relay_trusted = yes
>> 
>> My main issue is that until I login, dovecot-submission won't connect to the 
>> backend and query the capabilities and so won't report the right 
>> capabilities.
> 
> That is true and expected. No connection to the relay server is made until 
> the user is logged in.
> 
>> That means that the first EHLO message doesn't get the right capabilities list.
>> 
>> "
>> EHLO example.com
>> 
>> 250-smtp.example.com
>> 250-8BITMIME
>> 250-AUTH PLAIN LOGIN
>> 250-BURL imap
>> 250-CHUNKING
>> 250-ENHANCEDSTATUSCODES
>> 250-SIZE
>> 250 PIPELINING
>> "
>> 
>> This list doesn't contain VRFY, DSN, and SIZE is not specified (all of these 
>> are present in the backend EHLO response).
>> After login, if I send a new EHLO command, everything is properly reported. 
>> The raw log shows that unlike what the documentation says,
>> dovecot doesn't try to connect to the backend until the user is properly 
>> logged in.
> Oh, then we need to adjust the documentation. This is normal behavior.

This is in the default 20-submission.conf file:

# By default, the submission service first connects to the relay server to
# determine the support for such capabilities before sending the initial EHLO
# reply to the client. If the list of capabilities returned by the relay server
# is somehow unreliable or it is undesirable to start the connection to the
# relay server before the first mail transaction is started, the backend
# capabilities can be configured explicitly using the
# submission_backend_capabilities setting.
…
#submission_backend_capabilities =




Re: submission configuration issues

2019-07-27 Thread Jean-Daniel via dovecot


> On 27 Jul 2019 at 14:30, Stephan Bosch wrote:
> 
> On 23/07/2019 17:13, Jean-Daniel Dupas via dovecot wrote:
>> Hello,
>> 
>> I'm having trouble configuring the submission proxy.
>> 
>> I have configured the submission service as follow:
>> 
>> submission_host = smtp.example.com
>> submission_relay_host = localhost
>> submission_relay_port = 8587
>> submission_relay_rawlog_dir = /var/log/dovecot/
>> submission_relay_trusted = yes
>> 
>> My main issue is that until I log in, dovecot-submission won't connect to the 
>> backend and query the capabilities and so won't report the right 
>> capabilities.
>> 
>> That means that the first EHLO message doesn't get the right capabilities list.
>> 
>> "
>> EHLO example.com
>> 
>> 250-smtp.example.com
>> 250-8BITMIME
>> 250-AUTH PLAIN LOGIN
>> 250-BURL imap
>> 250-CHUNKING
>> 250-ENHANCEDSTATUSCODES
>> 250-SIZE
>> 250 PIPELINING
>> "
>> 
>> This list doesn't contain VRFY, DSN, and SIZE is not specified (all of these 
>> are present in the backend EHLO response).
>> After login, if I send a new EHLO command, everything is properly reported. 
>> The raw log shows that unlike what the documentation says,
>> dovecot doesn't try to connect to the backend until the user is properly 
>> logged in.
>> 
>> In my raw log I see that after I logged in to dovecot-submission, the latter 
>> opens a connection to the backend and sends an XCLIENT command.
>> 
>> 
>> Now, if I try to force the capabilities by using:
>> 
>> submission_backend_capabilities = VRFY 8BITMIME DSN
>> 
>> dovecot properly reports all SMTP capabilities in the first EHLO response, 
>> but it completely stops emitting the XCLIENT command to the backend
>> and simply tries to forward the command without authentication, which results 
>> in postfix rejecting the command with an unauthorized user error.
>> 
>> What is wrong with my configuration?
>> Thanks.
> 
> Can you send us your complete configuration (output from `dovecot -n`)?

Yes (see below).

Some additional information:

===

When I connect directly to dovecot-submission using nc and send an EHLO 
command, I got the following result (the SIZE is configured in dovecot config, 
that’s why it is properly announced), but no raw logs are generated at all.

$ nc smtp.example.com 587

220 smtp.example.com Dovecot ready.
EHLO mydomain.com
250-smtp.example.com
250-8BITMIME
250-AUTH 
250-BURL imap
250-CHUNKING
250-ENHANCEDSTATUSCODES
250-SIZE 41943040
250-STARTTLS
250 PIPELINING
QUIT
221 2.0.0 Bye

===

Ditto if I use openssl s_client -starttls smtp -crlf -connect 
smtp.example.com:587 and send the EHLO after STARTTLS.

===

For the record, here is the result of a direct connect to postfix:

$ nc 127.0.0.1 8587
220 smtp.example.com ESMTP Postfix
EHLO example.com
250-smtp.example.com
250-PIPELINING
250-SIZE 41943040
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-XCLIENT NAME ADDR PROTO HELO REVERSE_NAME PORT LOGIN DESTADDR DESTPORT
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8

===

And here is the content of the raw logs when a mail is sent.

rawlog.in

1564258521.813430 220 smtp.example.com ESMTP Postfix
1564258521.814206 250-smtp.example.com
1564258521.814206 250-PIPELINING
1564258521.814206 250-SIZE 41943040
1564258521.814206 250-VRFY
1564258521.814206 250-ETRN
1564258521.814206 250-STARTTLS
1564258521.814206 250-AUTH PLAIN LOGIN
1564258521.814206 250-XCLIENT NAME ADDR PROTO HELO REVERSE_NAME PORT LOGIN 
DESTADDR DESTPORT
1564258521.814206 250-ENHANCEDSTATUSCODES
1564258521.814206 250-8BITMIME
1564258521.814206 250-DSN
1564258521.814206 250 SMTPUTF8
1564258521.848159 220 smtp.example.com ESMTP Postfix
1564258521.849506 250-smtp.example.com
1564258521.849506 250-PIPELINING
1564258521.849506 250-SIZE 41943040
1564258521.849506 250-VRFY
1564258521.849506 250-ETRN
1564258521.849506 250-STARTTLS
1564258521.849506 250-AUTH PLAIN LOGIN
1564258521.849506 250-XCLIENT NAME ADDR PROTO HELO REVERSE_NAME PORT LOGIN 
DESTADDR DESTPORT
1564258521.849506 250-ENHANCEDSTATUSCODES
1564258521.849506 250-8BITMIME
1564258521.849506 250-DSN
1564258521.849506 250 SMTPUTF8
1564258521.854093 250 2.1.0 Ok
1564258521.909487 250 2.1.5 Ok
1564258521.983093 354 End data with .
15

submission configuration issues

2019-07-23 Thread Jean-Daniel Dupas via dovecot
Hello,

I'm having trouble configuring the submission proxy.

I have configured the submission service as follow:

submission_host = smtp.example.com
submission_relay_host = localhost
submission_relay_port = 8587
submission_relay_rawlog_dir = /var/log/dovecot/
submission_relay_trusted = yes

My main issue is that until I log in, dovecot-submission won't connect to the 
backend and query the capabilities and so won't report the right capabilities.

That means that the first EHLO message doesn't get the right capabilities list.

"
EHLO example.com

250-smtp.example.com
250-8BITMIME
250-AUTH PLAIN LOGIN
250-BURL imap
250-CHUNKING
250-ENHANCEDSTATUSCODES
250-SIZE
250 PIPELINING
"

This list doesn't contain VRFY, DSN, and SIZE is not specified (all of these are 
present in the backend EHLO response).
After login, if I send a new EHLO command, everything is properly reported. 
The raw log shows that unlike what the documentation says, 
dovecot doesn't try to connect to the backend until the user is properly logged in.

In my raw log I see that after I logged in to dovecot-submission, the latter opens 
a connection to the backend and sends an XCLIENT command.


Now, if I try to force the capabilities by using:

submission_backend_capabilities = VRFY 8BITMIME DSN

dovecot properly reports all SMTP capabilities in the first EHLO response, but 
it completely stops emitting the XCLIENT command to the backend 
and simply tries to forward the command without authentication, which results in 
postfix rejecting the command with an unauthorized user error.

What is wrong with my configuration?
Thanks.

Jean-Daniel
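As an added example (not code from this thread or from Dovecot), here is a parser for the multi-line EHLO replies quoted on this page, plus a comparison that lists what the proxy fails to announce relative to the backend; the HOP_BY_HOP set of capabilities the proxy consumes itself is my assumption, and the rawlog excerpt is constructed in the format of the rawlog lines above.

```python
"""Parse ESMTP EHLO replies and diff the capabilities a submission proxy
announces against those of its relay backend."""
import re
from typing import Dict, List, Tuple

# Constructed samples, copied from the two EHLO transcripts in this thread:
# what dovecot-submission announced before login, and what Postfix announced
# on port 8587.
PROXY_EHLO = """250-smtp.example.com
250-8BITMIME
250-AUTH PLAIN LOGIN
250-BURL imap
250-CHUNKING
250-ENHANCEDSTATUSCODES
250-SIZE
250 PIPELINING"""

BACKEND_EHLO = """250-smtp.example.com
250-PIPELINING
250-SIZE 41943040
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-XCLIENT NAME ADDR PROTO HELO REVERSE_NAME PORT LOGIN DESTADDR DESTPORT
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8"""

# Constructed excerpt in the submission_relay_rawlog_dir format
# ("<epoch seconds.micros> <server line>").
RAWLOG_IN = """1564258521.813430 220 smtp.example.com ESMTP Postfix
1564258521.814206 250-smtp.example.com
1564258521.814206 250-SIZE 41943040
1564258521.814206 250 DSN"""

# Hop-by-hop capabilities the proxy consumes itself rather than relaying;
# this set is an assumption of the example, not a Dovecot rule.
HOP_BY_HOP = frozenset({"XCLIENT", "STARTTLS", "AUTH", "ETRN"})

_RAWLOG_TS = re.compile(r"^\d+\.\d+ ")


def strip_rawlog(text: str) -> str:
    """Drop the timestamp Dovecot prefixes to each line of a rawlog file."""
    return "\n".join(_RAWLOG_TS.sub("", line) for line in text.splitlines())


def parse_ehlo(reply: str) -> Dict[str, List[str]]:
    """Turn a multi-line EHLO reply into {KEYWORD: [params]}.

    RFC 5321: every line is "250-" (more follow) or "250 " (last line); the
    first line is the server domain, each further line a keyword with
    optional parameters. Keywords are case-insensitive, so they are
    upper-cased. Non-250 lines (greeting, errors) are skipped.
    """
    lines = [ln for ln in reply.splitlines() if ln.startswith("250")]
    if not lines:
        raise ValueError("no 250 reply found")
    caps: Dict[str, List[str]] = {}
    last = len(lines) - 1
    for i, line in enumerate(lines):
        sep = line[3:4]
        if sep not in ("-", " "):
            raise ValueError(f"malformed reply line: {line!r}")
        if (sep == " ") != (i == last):
            raise ValueError("reply must end with, and only with, a '250 ' line")
        if i == 0:
            continue  # domain line, not a capability
        words = line[4:].split()
        if words:
            caps[words[0].upper()] = words[1:]
    return caps


def compare_capabilities(proxy_reply: str, backend_reply: str
                         ) -> Tuple[List[str], Dict[str, Tuple[List[str], List[str]]]]:
    """Return (keywords the backend has but the proxy omits,
    {keyword: (proxy params, backend params)} for keywords both announce
    with different parameters), ignoring hop-by-hop keywords."""
    proxy = parse_ehlo(proxy_reply)
    backend = parse_ehlo(backend_reply)
    missing = sorted(k for k in backend if k not in proxy and k not in HOP_BY_HOP)
    mismatched = {k: (proxy[k], backend[k]) for k in backend
                  if k in proxy and k not in HOP_BY_HOP and proxy[k] != backend[k]}
    return missing, mismatched


if __name__ == "__main__":
    missing, mismatched = compare_capabilities(PROXY_EHLO, BACKEND_EHLO)
    print("not announced by proxy:", missing)
    print("announced with different parameters:", mismatched)
    print("backend capabilities from rawlog:", parse_ehlo(strip_rawlog(RAWLOG_IN)))
```

Run against the page's transcripts it also flags SMTPUTF8, which the original post does not mention, and the SIZE line announced without its limit.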



Re: Dovecot 2.3.0 TLS

2019-07-19 Thread Jean-Daniel Dupas via dovecot



> Le 18 juil. 2019 à 11:21, Alexandre Urban via dovecot  a 
> écrit :
> 
> Hello,
>  
> I don’t know who will read this message, but I found this thread: 
> https://www.mail-archive.com/search?l=dovecot@dovecot.org=subject:%22Dovecot+2.3.0+TLS%22=newest
> And I’m experiencing the same issue, I will try to explain it to you (english is not 
> my native language, sorry)
>  
> Since Buster update, so Dovecot update too, I’m not able to connect to my 
> mail server from my iOS mail client (12.2)
> Thunderbird just work fine.
>  
> Here is my configuration:
>  
> Debian Buster (amd64)
> Dovecot: 2.3.4.1
> Postfix : 3.4.5
> OpenSSL: 1.1.1c
>  
> Dovecot configuration file:
>  
> ssl_min_protocol = TLSv1.2 (I tried different version)
>  
> When I tried to connect with command line: openssl s_client -showcerts 
> -connect server:993
>  
> No client certificate CA names sent
> Peer signing digest: SHA256
> Peer signature type: RSA-PSS
> Server Temp Key: X25519, 253 bits
> ---
> SSL handshake has read 2322 bytes and written 392 bytes
> Verification error: unable to verify the first certificate
> ---
> New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
> Server public key is 2048 bit
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> Early data was not sent
> Verify return code: 21 (unable to verify the first certificate)
>  
> When I tried to connect with command line: openssl s_client -showcerts 
> -no_tls1_3 -connect server:993
>  
> No client certificate CA names sent
> Peer signing digest: SHA256
> Peer signature type: RSA-PSS
> Server Temp Key: X25519, 253 bits
> ---
> SSL handshake has read 2423 bytes and written 310 bytes
> Verification error: unable to verify the first certificate
> ---
> New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
> Protocol  : TLSv1.2
> Cipher: ECDHE-RSA-AES256-GCM-SHA384
>  
> I think the “Secure Renegotiation IS NOT supported” with tls 1.3 could be an 
> issue, but I don’t know what to do to fix the issue?
>  
> Could you help me ?
> Let me know if you need more informations.
>  

I would rather look at the "Verify return code: 21 (unable to verify the first 
certificate)" error. 
Is your TLS certificate valid and trusted on your iOS device?

IIRC, "Secure Renegotiation" is explicitly not supported by TLS1.3 (TLS1.3 
forbids any renegotiation).



Re: Purpose of stats-writer and why doveadm try to open it to dump stats ?

2019-07-14 Thread Jean-Daniel via dovecot



> On 14 Jul 2019 at 11:58, Reio Remma wrote:
> 
> On 14.07.2019 10:10, Jean-Daniel via dovecot wrote:
>> Hello,
>> 
>> I want to monitor dovecot stats, and so I have an exporter process that run 
>> with limited rights.
>> The monitoring user has only access to /var/run/dovecot/stats-reader and it 
>> works fine.
>> Doveadm stats dump returns the list of all stats as expected.
>> 
>> But each time I run doveadm stats dump, it logs the following error:
>> 
>> Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission 
>> denied
>> 
>> So what is the purpose of the stats-writer socket, and why doveadm try to 
>> open it to simply dump stats ?
>> Is it really something it needs and I should update my user permissions or 
>> is it a doveadm bug ?
>> 
> 
> Hello!
> 
> Depending on the system you're running on, there may be SELinux etc. doing 
> its work.
> 

I know why stats-writer is not accessible, this is on purpose (doveadm runs with 
a uid that explicitly doesn’t have access to stats-writer).

What I want to know is why does doveadm even try to open it to simply dump the 
stats.



Purpose of stats-writer and why doveadm try to open it to dump stats ?

2019-07-14 Thread Jean-Daniel via dovecot
Hello,

I want to monitor dovecot stats, and so I have an exporter process that runs 
with limited rights. 
The monitoring user only has access to /var/run/dovecot/stats-reader and it 
works fine.
Doveadm stats dump returns the list of all stats as expected.

But each time I run doveadm stats dump, it logs the following error:

Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission denied

So what is the purpose of the stats-writer socket, and why does doveadm try to open 
it to simply dump stats? 
Is it really something it needs, so that I should update my user permissions, or is 
it a doveadm bug?




Re: [bug] success field never emited in auth_request_finished event

2019-07-12 Thread Jean-Daniel Dupas via dovecot
Sorry, I forgot to mention this is with the freshly released 2.3.7.


> On 12 Jul 2019 at 16:43, Aki Tuomi via dovecot wrote:
> 
> Would you like to try with 2.3.7? It was released today.
> 
> Aki
>> On 12/07/2019 17:05 Jean-Daniel Dupas via dovecot <dovecot@dovecot.org> wrote:
>> 
>> 
>> Another issue is that when 'request->passdb_success' is FALSE, the request 
>> fails but the error field is not set (as it is only set when 
>> request->failure is TRUE), which makes it hard to create metrics for failed 
>> login attempts.
>> 
>> We have (assuming success were working as expected):
>> - success = yes -> means auth OK
>> - error is present -> means the request failed for some reason
>> - neither success nor error is present -> means the request failed for other 
>> reasons.
>> 
>> As we can't create a metric filter testing field absence, getting the count of 
>> failed requests would mean creating 2 metrics (one for success, one for all) 
>> and diffing the 2 to get the count of failed attempts.
>> 
>> 
>>> On 12 Jul 2019 at 15:31, Jean-Daniel Dupas via dovecot <dovecot@dovecot.org> wrote:
>>> 
>>> Hi,
>>> 
>>> I'm playing with the new events, and encountered some issues:
>>> 
>>> First, the 'auth_request_finished' event is documented as having a 
>>> 'successful' field, but in the code, the field is defined as 'success' 
>>> (e->add_str("success", "yes")).
>>> 
>>> But more importantly, in the function "auth_request_success_continue()" 
>>> (auth/auth-request.c:288), "auth_request_log_finished(request)" is called 
>>> (line 303) before updating the request status: "request->successful = TRUE" 
>>> (line 312).
>>> 
>>> So the log function never sets the success field to "yes", as at this point 
>>> request->successful is still false.
>>> 
>>> Jean-Daniel
>>> 
>>> 
>>> 
> 
> ---
> Aki Tuomi



Re: [bug] success field never emited in auth_request_finished event

2019-07-12 Thread Jean-Daniel Dupas via dovecot
Another issue is that when 'request->passdb_success' is FALSE, the request 
fails but the error field is not set (as it is only set when request->failure 
is TRUE), which makes it hard to create metrics for failed login attempts.

We have (assuming success were working as expected):
- success = yes -> means auth OK
- error is present -> means the request failed for some reason
- neither success nor error is present -> means the request failed for other 
reasons.

As we can't create a metric filter testing field absence, getting the count of 
failed requests would mean creating 2 metrics (one for success, one for all) and 
diffing the 2 to get the count of failed attempts.


> On 12 Jul 2019 at 15:31, Jean-Daniel Dupas via dovecot wrote:
> 
> Hi,
> 
> I'm playing with the new events, and encountered some issues:
> 
> First, the 'auth_request_finished' event is documented as having a 
> 'successful' field, but in the code, the field is defined as 'success' 
> (e->add_str("success", "yes")).
> 
> But more importantly, in the function "auth_request_success_continue()" 
> (auth/auth-request.c:288), "auth_request_log_finished(request)" is called 
> (line 303) before updating the request status: "request->successful = TRUE" 
> (line 312).
> 
> So the log function never sets the success field to "yes", as at this point 
> request->successful is still false.
> 
> Jean-Daniel
> 
> 
> 
> 



[bug] success field never emited in auth_request_finished event

2019-07-12 Thread Jean-Daniel Dupas via dovecot
Hi,

I'm playing with the new events, and encountered some issues:

First, the 'auth_request_finished' event is documented as having a 'successful' 
field, but in the code, the field is defined as 'success' 
(e->add_str("success", "yes")).

But more importantly, in the function "auth_request_success_continue()" 
(auth/auth-request.c:288), "auth_request_log_finished(request)" is called (line 
303) before updating the request status: "request->successful = TRUE" (line 312).

So the log function never sets the success field to "yes", as at this point 
request->successful is still false.

Jean-Daniel






Re: Getting login stats

2019-07-12 Thread Jean-Daniel Dupas via dovecot



> On 11 Jul 2019 at 15:33, Michael Slusarz via dovecot wrote:
> 
>> I'm trying to get some IMAP auth stats on a Dovecot 2.3.6 instance, but 
>> whatever I declare in metric, it always show 0.
> 
> None of these auth_* requests exist in 2.3.6.

Thanks. So maybe the wiki should be updated, as the section title that lists 
these events is: "Authentication Server (v2.3.6)"

That said, the new documentation is better as it says "New in version v2.3.7".

As a side point, maybe the documentation link at 
"https://www.dovecot.org/documentation" should be updated to point to 
doc.dovecot.org instead of sending to the wiki ;-)


>> I tried using the following metrics:
>> 
>> 
>> 
>> metric auth_request_finished {
>>   event_name = auth_request_finished
>> }
>> 
>> metric auth_passdb_request_finished {
>>   event_name = auth_passdb_request_finished
>> }
>> 
>> metric auth_userdb_request_finished {
>>   event_name = auth_userdb_request_finished
>> }
>> 
>> metric auth_client_request_started {
>>   event_name = auth_client_request_started
>> }
>> 
>> metric auth_client_userdb_lookup_started {
>>   event_name = auth_client_userdb_lookup_started
>> }
>> 
>> metric auth_client_passdb_lookup_started {
>>   event_name = auth_client_passdb_lookup_started
>> }
>> 
>> metric auth_client_cache_flush_started {
>>   event_name = auth_client_cache_flush_started
>> }
>> 
>> metric imap_command_finished {
>>   event_name = imap_command_finished
>>   filter {
>>     name = LOGIN
>>   }
>> }
>> 
>> 
>> But even after many successful logins, doveadm reports 0 for all events:
>> 
>> metric_name                        field    count sum min max avg  median stddev %95
>> auth_request_finished              duration 0     0   0   0   0.00 0      0.00   0
>> auth_passdb_request_finished       duration 0     0   0   0   0.00 0      0.00   0
>> auth_userdb_request_finished       duration 0     0   0   0   0.00 0      0.00   0
>> auth_client_request_started        duration 0     0   0   0   0.00 0      0.00   0
>> auth_client_userdb_lookup_started  duration 0     0   0   0   0.00 0      0.00   0
>> auth_client_passdb_lookup_started  duration 0     0   0   0   0.00 0      0.00   0
>> auth_client_cache_flush_started    duration 0     0   0   0   0.00 0      0.00   0
>> imap_command_finished              duration 0     0   0   0   0.00 0      0.00   0

> 


Getting login stats

2019-07-11 Thread Jean-Daniel Dupas via dovecot
Hello,

I'm trying to get some IMAP auth stats on a Dovecot 2.3.6 instance, but 
whatever I declare in metric, it always shows 0.

What I want basically is how many IMAP auth attempts there were on the server, 
and optionally a way to filter on the auth attempt status (successful or failed).

My server uses a simple auth (with LDAP backend) and supports only 
"auth_mechanisms = plain login"



I tried using the following metrics:



metric auth_request_finished {
  event_name = auth_request_finished
}

metric auth_passdb_request_finished {
  event_name = auth_passdb_request_finished
}

metric auth_userdb_request_finished {
  event_name = auth_userdb_request_finished
}

metric auth_client_request_started {
  event_name = auth_client_request_started
}

metric auth_client_userdb_lookup_started {
  event_name = auth_client_userdb_lookup_started
}

metric auth_client_passdb_lookup_started {
  event_name = auth_client_passdb_lookup_started
}

metric auth_client_cache_flush_started {
  event_name = auth_client_cache_flush_started
}

metric imap_command_finished {
  event_name = imap_command_finished
  filter {
    name = LOGIN
  }
}


But even after many successful logins, doveadm reports 0 for all events:

metric_name                        field    count sum min max avg  median stddev %95
auth_request_finished              duration 0     0   0   0   0.00 0      0.00   0
auth_passdb_request_finished       duration 0     0   0   0   0.00 0      0.00   0
auth_userdb_request_finished       duration 0     0   0   0   0.00 0      0.00   0
auth_client_request_started        duration 0     0   0   0   0.00 0      0.00   0
auth_client_userdb_lookup_started  duration 0     0   0   0   0.00 0      0.00   0
auth_client_passdb_lookup_started  duration 0     0   0   0   0.00 0      0.00   0
auth_client_cache_flush_started    duration 0     0   0   0   0.00 0      0.00   0
imap_command_finished              duration 0     0   0   0   0.00 0      0.00   0




Re: Some questions

2019-07-10 Thread Jean-Daniel Dupas via dovecot



> On 10 Jul 2019 at 14:06, Bardot Jérôme via dovecot wrote:
> 
> On 09/07/2019 at 17:28, Daniel Miller via dovecot wrote:
>> 
>> On 7/9/2019 6:17 AM, Jérôme Bardot via dovecot wrote:
>>> Hello,
>>> 
>>> This is my first email here.
>>> I want to understand well how dovecot is integrated with ldap in a
>>> postfix/dovecot/ldap setup.
>>> I use a debian server.
>> 
>> Perfectly!
>> 
>>> 
>>> More specifically, what dovecot needs in ldap to work.
>>> I saw we can use several "modes" related to virtual domains, etc. To
>>> "start" I only need one domain with several addresses.
>>> I currently use fusiondirectory to manage my ldap users. I guess I
>>> can use that schema to auto-create user emails
>>> (name.firstn...@domain.tld for instance)?
>>> I also want to setup some aliases and shared directories based on ldap
>>> group/role, can I do it?
>>> 
>>> Another question is: can we have two domain names, imap.domain.tld
>>> && smtp.domain.tld?
>> 
>> Yes.
> There is some documentation somewhere on it ?
>> 
>> Dovecot & Postfix have no "hard" schema, or database definition, or
>> particular fields. You need to create map files which tell each server
>> how to use the information from LDAP (or any other database). Each
>> server (Postfix & Dovecot) have their own configuration which is
>> separate from each other. So you need to start with one or the other.
>> Postfix questions should be asked on the Postfix list.
>> 
>> Everything you asked for above is easily doable - just start with one
>> step at a time. Ask specific questions when you get stuck.
> 
> The map part is what I'm stuck on at this time. Can I find somewhere a list of
> fields that should/can be mapped? I think I'm ok with the postfix conf; if I
> understand well I can delegate pretty much all stuff to dovecot/ldap.
> 
> 
> An other question is :
> 
> For all virtual stuff I always use a new (system) user with a custom
> home; all the stuff I read is not clear to me about this point. Is there
> some diagram with technical stuff about dovecot?
> 

You should start by reading https://wiki2.dovecot.org/AuthDatabase/LDAP/Userdb

The main point if you use a single user is:

"If you're using a single UID and GID for all the users, you can specify them 
globally with mail_uid and mail_gid settings instead of returning them from 
LDAP."




Re: Dovecot behind Load Balancer

2019-07-10 Thread Jean-Daniel Dupas via dovecot


> On 10 Jul 2019 at 11:46, Paolo Daniele wrote:
> 
> 
> 
> On 10/07/19 11:44, Jean-Daniel Dupas wrote:
>> 
>>> On 10 Jul 2019 at 10:24, Paolo Daniele via dovecot wrote:
>>> 
>>> 
>>> On 10/07/19 10:20, Aki Tuomi wrote:
>>>>> On 12/06/2019 20:02 Paolo Daniele via dovecot  wrote:
>>>>> 
>>>>> 
>>>>>  Hi,
>>>>>  i've a question for you.
>>>>>  I've two dovecot imap/pop server behind a zen load balancer.
>>>>>  Load balancing is made by lx4nat so the public ip address of my load 
>>>>> balancer contact directly the dovecot servers.
>>>>>  Since few months i've a message from thunderbird that i've reached the 
>>>>> imap limit login for ip.
>>>>>  I've tried to increase the max user ip parameter but sometimes I have the 
>>>>> same problem.
>>>>>  It's a strange things that actually i'm able to mitigate by reduce the 
>>>>> number of cached connections in Thunderbird but it's not normal.
>>>>>  What do you think about that?
>>>>>  Maybe there's some tuning that you can suggest.
>>>>>  Thank you,
>>>>>  Paolo
>>>>> 
>>>> Have you ensured, by checking logs, that the connections are seen by 
>>>> dovecot to come from public IP addresses?
>>>> 
>>>> Also, thunderbird is known to open lots of concurrent connections.
>>>> 
>>>> Aki
>>> Yes,
>>> connections are coming from the ip address of load balancer (also checked 
>>> with a netstat -an)
>> If connection are seen as coming from the IP address of the load balancer, 
>> isn't it normal that dovecot complains ?
>> That means that dovecot sees all connections as coming from a single client, 
>> which would explain why you reach that limit.
>> 
>> 
> Yeah of course, but I've checked that I haven't reached the max_user_per_ip 
> limit by counting dovecot processes coming from that ip address.
> So that is the strange thing and the reason why I'm writing to you :)

Don't know if this is still relevant in your dovecot version, but did you see 
this:

https://serverfault.com/questions/385187/dovecot-ignoring-maximum-number-of-imap-connections

People had some issue by using the mail_max_userip_connections in the imap 
section and had to set it in the global section instead.



Re: Dovecot behind Load Balancer

2019-07-10 Thread Jean-Daniel Dupas via dovecot



> On 10 Jul 2019 at 10:24, Paolo Daniele via dovecot wrote:
> 
> 
> On 10/07/19 10:20, Aki Tuomi wrote:
>>> On 12/06/2019 20:02 Paolo Daniele via dovecot  wrote:
>>> 
>>> 
>>>  Hi,
>>>  i've a question for you.
>>>  I've two dovecot imap/pop server behind a zen load balancer.
>>>  Load balancing is made by lx4nat so the public ip address of my load 
>>> balancer contact directly the dovecot servers.
>>>  Since few months i've a message from thunderbird that i've reached the 
>>> imap limit login for ip.
>>>  I've tried to increase the max user ip parameter but sometimes I have the 
>>> same problem.
>>>  It's a strange things that actually i'm able to mitigate by reduce the 
>>> number of cached connections in Thunderbird but it's not normal.
>>>  What do you think about that?
>>>  Maybe there's some tuning that you can suggest.
>>>  Thank you,
>>>  Paolo
>>> 
>> Have you ensured, by checking logs, that the connections are seen by dovecot 
>> to come from public IP addresses?
>> 
>> Also, thunderbird is known to open lots of concurrent connections.
>> 
>> Aki
> Yes,
> connections are coming from the ip address of load balancer (also checked 
> with a netstat -an)

If connections are seen as coming from the IP address of the load balancer, 
isn't it normal that dovecot complains? 
That means that dovecot sees all connections as coming from a single client, 
which would explain why you reach that limit.




Re: Cannot connect to DOVECOT from Roundcube using SSL on Port 993

2019-06-19 Thread Jean-Daniel Dupas via dovecot


> On 19 Jun 2019 at 11:34, zahn via dovecot wrote:
> 
> Hello
> 
> I try to connect to dovecot from roundcube using this setup:
> 
> $config['default_host'] = 'ssl://chogolisa.akadia.com';
> $config['default_port'] = 993;
> 
> and I get the following error message from dovecot:
> 
> Jun 19 11:30:21 chogolisa dovecot: imap-login: Disconnected (no auth attempts 
> in 0 secs): user=<>, rip=84.253.50.195, lip=84.253.50.195, TLS handshaking: 
> Connection closed, session=
> 
> When I try to connect from:
> 
> $config['default_host'] = 'tls://chogolisa.akadia.com';
> $config['default_port'] = 143;
> 
> it works !
> 
> Roundcube: 1.0.12
> Dovecot: 2.3.6
> 
> Can you help me ?


Looks like you're using a very old roundcube instance. Maybe you should start by 
updating it.
I'm using the same setting with roundcube 1.3.9 (ssl://hostname, port 993), and 
never had any issue connecting to dovecot.



Re: Mail account brute force / harassment

2019-04-12 Thread Jean-Daniel Dupas via dovecot



> On 11 Apr 2019 at 12:23, Marc Roos via dovecot wrote:
> 
> 
> 
> Say for instance you have someone trying to constantly access an 
> account
> 
> 
> Has any of you made something creative like this:
> 
> * configure that account to allow to login with any password
> * link that account to something like /dev/zero that generates infinite 
> amount of messages
>  (maybe send an archive of virusses?)
> * transferring TB's of data to this harassing client.
> 
> I think it would be interesting to be able to do such a thing.

As long as you have infinite bandwidth, that may be fun, but it is not the case 
for most people operating a mail server, I think.

For these clients, I simply have fail2ban and DROP packets from blocked IPs (I 
prefer to DROP because I don't want to waste resources responding that the 
connection is refused).
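An added example of the detection side of that setup, written for this page rather than taken from fail2ban or Dovecot: it parses Dovecot login-process log lines and applies a fail2ban-style maxretry/findtime sliding window per client IP. The log lines are constructed (the "no auth attempts" line follows the shape quoted in the Roundcube thread on this page), and the year is supplied by the caller because syslog lines carry none.

```python
"""Fail2ban-style detection for Dovecot login failures: count failed
authentication attempts per client IP inside a sliding window and report
the IPs that cross the threshold."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed sample lines. The "no auth attempts" line follows the shape
# quoted in the Roundcube thread on this page; the "auth failed" lines follow
# the shape Dovecot's *-login processes log for rejected logins.
SAMPLE_LOG = """\
Jun 19 11:30:21 mx dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=198.51.100.7, lip=203.0.113.5, TLS handshaking: Connection closed, session=<a1>
Jun 19 11:30:25 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=192.0.2.10, lip=203.0.113.5, TLS, session=<a2>
Jun 19 11:30:31 mx dovecot: imap-login: Disconnected (auth failed, 2 attempts in 4 secs): user=<alice>, method=PLAIN, rip=192.0.2.10, lip=203.0.113.5, TLS, session=<a3>
Jun 19 11:31:02 mx dovecot: pop3-login: Disconnected (auth failed, 3 attempts in 9 secs): user=<bob>, method=PLAIN, rip=192.0.2.10, lip=203.0.113.5, TLS, session=<a4>
Jun 19 11:31:40 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 1 secs): user=<carol>, method=LOGIN, rip=198.51.100.7, lip=203.0.113.5, TLS, session=<a5>
Jun 19 11:32:00 mx dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.20, lip=203.0.113.5, mpid=4242, TLS, session=<a6>
Jun 19 12:10:00 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 1 secs): user=<carol>, method=LOGIN, rip=198.51.100.7, lip=203.0.113.5, TLS, session=<a7>
"""

# One regex for the syslog timestamp and the Dovecot "auth failed" disconnect;
# "no auth attempts" and successful "Login:" lines deliberately do not match.
_AUTH_FAILED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ dovecot: "
    r"(?:imap|pop3|submission|managesieve)-login: "
    r"Disconnected \(auth failed, (?P<attempts>\d+) attempts in \d+ secs\): "
    r"user=<(?P<user>[^>]*)>.*?\brip=(?P<rip>[0-9A-Fa-f.:]+)")

Event = Tuple[datetime, str, int]  # (time, client IP, attempts in that session)


def parse_failures(log: str, year: int) -> List[Event]:
    """Extract failed-auth events. Syslog lines carry no year, so the caller
    supplies it (an assumption of this example)."""
    events: List[Event] = []
    for line in log.splitlines():
        m = _AUTH_FAILED.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["rip"], int(m["attempts"])))
    return events


def offenders(events: List[Event], maxretry: int = 5, findtime: int = 600,
              weighted: bool = True) -> Dict[str, datetime]:
    """Return {ip: time the threshold was first reached}.

    Sliding window per IP, `findtime` in seconds as in fail2ban: events older
    than the window fall out before the total is tested. With weighted=True
    each line counts the number of attempts Dovecot reports for the session
    (one session may hide several failed passwords); with weighted=False each
    line counts once, which is how a plain per-line jail would see it.
    """
    window = timedelta(seconds=findtime)
    recent: Dict[str, Deque[Tuple[datetime, int]]] = defaultdict(deque)
    totals: Dict[str, int] = defaultdict(int)
    tripped: Dict[str, datetime] = {}
    for ts, rip, attempts in sorted(events):
        if rip in tripped:
            continue
        weight = attempts if weighted else 1
        recent[rip].append((ts, weight))
        totals[rip] += weight
        while recent[rip] and ts - recent[rip][0][0] > window:
            totals[rip] -= recent[rip].popleft()[1]
        if totals[rip] >= maxretry:
            tripped[rip] = ts
    return tripped


if __name__ == "__main__":
    evts = parse_failures(SAMPLE_LOG, year=2019)
    for ip, when in offenders(evts).items():
        print(f"{ip}: reached maxretry at {when:%H:%M:%S}")
```

On the sample, 192.0.2.10 trips a weighted threshold of 5 after three sessions (1+2+3 attempts) but not a per-line one, which is the difference between counting sessions and counting the attempts Dovecot reports inside them.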



Re: High availability of Dovecot

2019-04-11 Thread Jean-Daniel Dupas via dovecot



> On 11 Apr 2019 at 10:44, luckydog xf via dovecot wrote:
> 
> Hi, list,
> 
>  I'm going to deploy postfix + dovecot + CephFS (as Mail Storage). 
> Basically I want to use two servers for them, which is kind of HA.
>  
> My idea is that using keepalived or Pacemaker to host a VIP, which could 
> fail over the other server once one is down. And I'll use Haproxy or Nginx to 
> schedule connections to one of those server based on source IP( Session 
> stickiness),  I'll use VIP as DNS record.etc, is my plan doable?
> 
>I know MX could be server ones with different priority. But I think it 
> brings along shortage that DNS couldn't know Email server is up or down, it 
> just returns results to MUA, right?
> 
>Thanks for any suggestions and ideas. 
> 
> -


If you just want HA and don't have scalability issues, the simplest solution is 
probably to deploy your mail stack on 2 servers, and use pacemaker to make sure 
it runs on only one at a time (with a VIP managed by pacemaker too).

For the storage, if you have a SAN, go with it, else you may use a local DRBD 
partition with replication on the standby server.



Re: Using SHA256/512 for SQL based password

2019-02-13 Thread Jean-Daniel Dupas via dovecot


> On 13 Feb 2019 at 14:54, Robert Moskowitz via dovecot wrote:
> 
> 
> 
> On 2/13/19 8:30 AM, Aki Tuomi wrote:
>> On 13.2.2019 15.18, Robert Moskowitz via dovecot wrote:
>>> 
>>> On 2/13/19 1:23 AM, Matthias Fechner via dovecot wrote:
>>>> 
>>>> On 13 February 2019 00:34:15, Robert Moskowitz wrote:
>>>> 
>>>>> On 2/12/19 6:03 PM, Matthias Fechner via dovecot wrote:
>>>>>> On 12.02.2019 at 17:05, Robert Moskowitz via dovecot wrote:
>>>>>>> I have been trying to find how to set the dovecot-sql.conf for using
>>>>>>> SHA256/512.  I am going to start clean with the stronger format, not
>>>>>>> migrate from the old MD5.  It seems all I need is:
>>>>>> you maybe would like to have a look at the hashing algo ARGON2I
>>>>>> which is
>>>>>> currently recommended for new developments and deployments.
>>>>> Recommended by whom?
>>>>> 
>>>>> Can you provide a link?
>>>> Sure, please see here:
>>>> https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
>>>> 
>>>>> 
>>>>> And if I was adventurous about hashes, I would be looking more at
>>>>> Keccak.
>>>>> 
>>>>> 
>>>>> Check out my Internet Draft:
>>>>> 
>>>>> 
>>>>> draft-moskowitz-small-crypto-00.txt
>>>> Thanks for the tip, will have a look into it.
>>> Keccak is a general hashing function.  It was the first? of the
>>> hashing 'sponge' functions, that many have followed.  It is the basis
>>> of SHA3 (at Keccak's greatest strength).
>>> 
>>> Argon2 seems to be special-built for password hashing.  Thing is it is
>>> not supported on my CentOS7 system:
>>> 
>>> # doveadm pw -l
>>> MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN
>>> CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5
>>> PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA PBKDF2 CRYPT
>>> SHA256-CRYPT SHA512-CRYPT
>>> 
>>> Of course SHA3 is not listed either...
>>> 
>>> 
>> ARGON2 support was added in dovecot v2.3. It also needs to be enabled
>> when compiling dovecot, so depending on the packager it may or may not be
>> available. The CRYPT ones are available if crypt(3) supports them. In
>> dovecot v2.3 we have added bcrypt support regardless of crypt(3) support.
> 
> CentOS7 is on dovecot 2.2.36:
> 
> # doveadm pw -s ARGON2-CRYPT -p secret
> Fatal: Unknown scheme: ARGON2-CRYPT
> # doveadm pw -s ARGON2 -p secret
> Fatal: Unknown scheme: ARGON2
> 
> I tend to stay with the distro's rpms and not take on building and 
> maintaining myself.

And for the record, the hash names are ARGON2I and ARGON2ID (see doveadm pw -l )

With dovecot from the dovecot.org repo: 

# doveadm pw -s ARGON2I -p secret
{ARGON2I}$argon2i$v=19$m=32768,t=4,p=1$bt96TSr3nVrho2SRhnNP0A$h7LYiqkw/4s6d1d+0Xpe+VUE3aISPnkYq/R7QqPRntk
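
As an added example (not code from this thread or from Dovecot itself): a Python script that handles the two storage formats discussed above. It generates and verifies Dovecot-style {SSHA256}/{SSHA512} strings, which are base64 of digest(password + salt) followed by the salt, the same layout `doveadm pw -s SSHA256 -p secret` prints, and it parses the PHC string behind an {ARGON2I}/{ARGON2ID} entry so the cost parameters can be audited. The floors used in argon2_weaknesses are my own choice for illustration, not values from Dovecot or from OWASP; verifying an Argon2 hash itself needs a library such as argon2-cffi and is left out here.

```python
import base64
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Dovecot stores each password as "{SCHEME}data".  For the salted SHA
# schemes (SSHA256, SSHA512) data is base64(digest(password + salt) + salt);
# the salt is whatever follows the fixed-length digest.  For ARGON2I /
# ARGON2ID data is the PHC string libargon2 emits, e.g.
# $argon2i$v=19$m=32768,t=4,p=1$<salt-b64>$<hash-b64>.
# The .HEX/.B64 encoding suffixes Dovecot also accepts are not handled here.

SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.S)
SALTED_DIGESTS = {"SSHA256": hashlib.sha256, "SSHA512": hashlib.sha512}


def split_scheme(stored: str) -> Tuple[str, str]:
    """Return (SCHEME, data) from a Dovecot "{SCHEME}data" string."""
    m = SCHEME_RE.match(stored)
    if m is None:
        raise ValueError("password string lacks a {SCHEME} prefix")
    return m.group(1).upper(), m.group(2)


def make_ssha(password: str, scheme: str = "SSHA256", salt: Optional[bytes] = None) -> str:
    """Produce a Dovecot-compatible salted SHA string (digest(password+salt) || salt, base64)."""
    digest = SALTED_DIGESTS[scheme]
    if salt is None:
        salt = os.urandom(16)  # doveadm uses a shorter salt; any length verifies
    raw = digest(password.encode("utf-8") + salt).digest() + salt
    return "{%s}%s" % (scheme, base64.b64encode(raw).decode("ascii"))


def verify_ssha(password: str, stored: str) -> bool:
    """Check a password against an {SSHA256}/{SSHA512} string in constant time."""
    scheme, data = split_scheme(stored)
    if scheme not in SALTED_DIGESTS:
        raise ValueError("not a salted SHA scheme: " + scheme)
    digest = SALTED_DIGESTS[scheme]
    raw = base64.b64decode(data)
    n = digest().digest_size
    expected, salt = raw[:n], raw[n:]
    actual = digest(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(expected, actual)


@dataclass
class Argon2Params:
    variant: str      # argon2i / argon2id / argon2d
    version: int      # 19 == 0x13
    memory_kib: int   # m
    iterations: int   # t
    parallelism: int  # p
    salt: bytes
    digest: bytes


def _b64_nopad(s: str) -> bytes:
    # libargon2 writes base64 without '=' padding; restore it before decoding
    return base64.b64decode(s + "=" * (-len(s) % 4))


def parse_argon2(stored: str) -> Argon2Params:
    """Parse the PHC string behind an {ARGON2I}/{ARGON2ID} Dovecot password."""
    scheme, data = split_scheme(stored)
    if scheme not in ("ARGON2I", "ARGON2ID", "ARGON2D"):
        raise ValueError("not an Argon2 scheme: " + scheme)
    parts = data.split("$")
    # ['', 'argon2i', 'v=19', 'm=32768,t=4,p=1', '<salt>', '<hash>']
    if len(parts) != 6 or parts[0] != "" or not parts[1].startswith("argon2"):
        raise ValueError("malformed Argon2 PHC string")
    version = int(parts[2].split("=", 1)[1])
    costs = dict(kv.split("=", 1) for kv in parts[3].split(","))
    return Argon2Params(parts[1], version, int(costs["m"]), int(costs["t"]),
                        int(costs["p"]), _b64_nopad(parts[4]), _b64_nopad(parts[5]))


def argon2_weaknesses(p: Argon2Params, min_memory_kib: int = 19456,
                      min_iterations: int = 2, min_salt_len: int = 16) -> List[str]:
    """Flag cost parameters below a floor.  The default floors are an assumption
    chosen for this example, not something Dovecot enforces."""
    issues = []
    if p.memory_kib < min_memory_kib:
        issues.append("memory %d KiB below %d KiB" % (p.memory_kib, min_memory_kib))
    if p.iterations < min_iterations:
        issues.append("iterations %d below %d" % (p.iterations, min_iterations))
    if len(p.salt) < min_salt_len:
        issues.append("salt %d bytes below %d" % (len(p.salt), min_salt_len))
    if p.variant == "argon2d":
        issues.append("argon2d is not side-channel resistant; prefer argon2id")
    return issues


if __name__ == "__main__":
    # The Argon2 string is the one doveadm printed above; "secret" is its input.
    h = make_ssha("secret", "SSHA256")
    print(h, verify_ssha("secret", h), verify_ssha("wrong", h))
    a = parse_argon2("{ARGON2I}$argon2i$v=19$m=32768,t=4,p=1"
                     "$bt96TSr3nVrho2SRhnNP0A$h7LYiqkw/4s6d1d+0Xpe+VUE3aISPnkYq/R7QqPRntk")
    print(a.variant, a.memory_kib, a.iterations, a.parallelism, argon2_weaknesses(a))
```

Scheme names are compared case-insensitively, as Dovecot does, which is why the prefix is upper-cased before the lookup. Rows from a password table can be fed through parse_argon2 and argon2_weaknesses in bulk to find entries created under an older, weaker cost setting.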



Re: Ubuntu 18.04 (Bionic) packages now available

2018-11-26 Thread Jean-Daniel Dupas



> On 25 Nov 2018 at 19:25, Michael Ludwig wrote:
> 
> 
> Hello Dovecot-List,
> 
> so Ubuntu users now can get the latest dovecot version. As I am just building 
> a production mailserver for customers, this could come in handy, maybe.
> For a live production system, is it reasonable to switch from the main Ubuntu 
> Dovecot release to your newer packages?
> How long will the Dovecot team build these packages? When the team doesn't want 
> to build these packages anymore, how difficult will it be to switch back to 
> the Ubuntu maintained versions?
> 

I did the switch from the mainstream to the dovecot repo to upgrade from 2.2 to 2.3 on 
xenial, and apart from one or two minor configuration changes, it worked just fine.

And more recently, I switched from a bionic-backport of the cosmic release (used to 
get 2.3 on bionic) to this just released version using apt and it was 
transparent.

In my case, switching back to mainstream on the other hand would be harder, as 
I now rely on 2.3 specific features.

So I guess as long as you don't use features that are not yet released 
upstream, switching back should not be difficult.





Re: Ubuntu 18.04 (Bionic) packages now available

2018-11-24 Thread Jean-Daniel
They are very welcome, especially as Bionic provides only dovecot 2.2.

Thank you :-)


> On 23 Nov 2018 at 13:44, Aki Tuomi wrote:
> 
> Hi!
> 
> We are excited to announce that we are now providing packages for Ubuntu
> 18.04 (Bionic). Please find instructions on how to use them at
> https://repo.dovecot.org/
> 
> Aki Tuomi
> Open-Xchange Oy
> 
> 



Re: v2.3.2 released

2018-06-29 Thread Jean-Daniel


> On 29 June 2018 at 14:51, Timo Sirainen wrote:
> 
> https://dovecot.org/releases/2.3/dovecot-2.3.2.tar.gz
> https://dovecot.org/releases/2.3/dovecot-2.3.2.tar.gz.sig
> 
> v2.3.2 is mainly a bugfix release. It contains all the changes in v2.2.36, as 
> well as a bunch of other fixes (mainly for v2.3-only bugs).

> Binary packages are already in https://repo.dovecot.org/ 
> 

Is there any plan to add a bionic version to the Ubuntu repo?




Re: Dovecot send duplicated certificates when using ssl_alt_cert

2018-05-24 Thread Jean-Daniel Dupas


> On 24 May 2018 at 09:55, Aki Tuomi <aki.tu...@dovecot.fi> wrote:
> 
> 
> 
> On 17.05.2018 16:33, @lbutlr wrote:
>> On 2018-05-16 (08:54 MDT), Jean-Daniel Dupas <jddu...@xooloo.com> wrote:
>>> My problem is that when connecting, dovecot includes 2 copies of Let's 
>>> Encrypt Authority X3 in the certificate chain.
>> I think Dovecot 2.2 also has this issue, if I remember previous posts 
>> accurately. Recommendations to include the full chain in the cert didn't 
>> seem to work.
>> 
> 
> Hi!
> 
> This is a thing that gets fixed in 2.3.2, but it's also OpenSSL version
> dependent, so if you are using older than 1.1.0, you'll get this issue,
> due to how OpenSSL deals with the certs.
> 

OK. Thank you for the (upcoming) fix.
That OpenSSL version limitation shouldn't be an issue for me.
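
An added example, not part of the thread and not Dovecot code: a small Python check for the symptom described above, the same intermediate certificate sent twice in the chain. It pulls every PEM block out of the output of `openssl s_client -connect mail.example.com:993 -showcerts </dev/null` (the host is a placeholder) or out of a bundle file, fingerprints the DER with SHA-256 and reports any fingerprint that occurs more than once; dedupe_chain writes the bundle back with the repeats removed, which is the fix for a hand-built ssl_cert/ssl_alt_cert bundle that already contains the intermediate. The three blocks in SAMPLE_CHAIN are constructed placeholder bytes, not real certificates, so the script runs offline.

```python
import base64
import hashlib
import re
from typing import Dict, List, Tuple

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_blocks(text: str) -> List[bytes]:
    """Extract every certificate in a PEM bundle or an s_client -showcerts dump, as DER."""
    return [base64.b64decode("".join(b64.split())) for b64 in PEM_RE.findall(text)]


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form `openssl x509 -fingerprint` prints."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def chain_report(text: str) -> Tuple[List[str], Dict[str, List[int]]]:
    """Return (fingerprints in wire order, {fingerprint: positions} for any sent more than once)."""
    fps = [fingerprint(d) for d in pem_blocks(text)]
    positions: Dict[str, List[int]] = {}
    for i, fp in enumerate(fps):
        positions.setdefault(fp, []).append(i)
    dups = {fp: idx for fp, idx in positions.items() if len(idx) > 1}
    return fps, dups


def dedupe_chain(text: str) -> str:
    """Rewrite a PEM bundle keeping only the first copy of each certificate, in order."""
    seen = set()
    out = []
    for der in pem_blocks(text):
        fp = fingerprint(der)
        if fp in seen:
            continue
        seen.add(fp)
        b64 = base64.b64encode(der).decode("ascii")
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        out.append("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
                   + "\n-----END CERTIFICATE-----\n")
    return "".join(out)


# Constructed input: these blocks are NOT real certificates, only base64 of
# placeholder bytes so the duplicate detection can be exercised offline.
# Block 0 stands in for the leaf, blocks 1 and 2 for two copies of one intermediate.
_LEAF = base64.b64encode(b"placeholder-leaf-certificate-bytes").decode("ascii")
_INTER = base64.b64encode(b"placeholder-intermediate-certificate-bytes").decode("ascii")
SAMPLE_CHAIN = "".join(
    "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b
    for b in (_LEAF, _INTER, _INTER))

if __name__ == "__main__":
    fps, dups = chain_report(SAMPLE_CHAIN)
    for i, fp in enumerate(fps):
        print("position %d: %s" % (i, fp))
    for fp, idx in dups.items():
        print("DUPLICATE %s sent at positions %s" % (fp, idx))
```

Run it against the real server with the s_client capture saved to a file and passed to chain_report; an empty duplicates dict after upgrading to 2.3.2 (or to OpenSSL 1.1.0 or later) confirms the fix took effect.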




dovecot 2.3 on Ubuntu 18.04 LTS

2018-05-16 Thread Jean-Daniel Dupas
Hello,

I'm running dovecot 2.3 from repo.dovecot.org on 
ubuntu 16.04 LTS, and I'm wondering if there is a scheduled date for the 
release of the bionic package in that repository.

The Ubuntu mainstream version is based on the 2.2 branch, which prevents us from 
using it.

Thanks.




Dovecot send duplicated certificates when using ssl_alt_cert

2018-05-16 Thread Jean-Daniel Dupas
Hello,

I'm running dovecot 2.3.1 (c5a5c0c82) and trying to experiment with using both 
RSA and ECDSA certificates.

My configuration is as follows:

ssl_alt_cert = 

[Dovecot] Howto reindex with solr?

2012-04-17 Thread Jean-Daniel Beaubien
Hi,

I am currently testing a 2.1 dovecot setup with fts-solr. Search speed is
simply amazing. I decided to try to delete and rebuild the solr indexes,
but I can't seem to rebuild them thru dovecot.


At first, when telnetting to the imap server, the search initially built
the index, and then subsequent searches are blazingly fast.

1- I deleted all the solr indexes with the following query:
<delete><query>*:*</query></delete>
2- Flag the mailbox to be re-indexed: doveadm force-resync INBOX

At this point, it doesn't work. When I telnet into the imap server, the
searches always come back empty

3- I also tried a few other commands: doveadm fts rescan, doveadm index
INBOX.

Still no search results. Nothing seems to be appearing in the logs when I
issue all the doveadm commands.

What did I miss?

Thanks,

-JD


[Dovecot] Single instance storage

2012-03-07 Thread Jean-Daniel Beaubien
I have read most of the doc on the dovecot website, and couldn't find any
info on the single instance storage feature, so I'm posting my questions
here.

- Are these 3 parameters the only ones necessary for single instance
storage? I cannot find any doc on this feature on the website; is there
anything specific I need to know about them? (the last one isn't exactly
self-explanatory).
- mail_attachment_dir = /srv/vmail/attachments
- mail_attachment_hash = %{sha256}
- mail_cache_min_mail_count = 2

- Is this feature ready for production?

Thanks,

-JD


[Dovecot] mdbox + gzip and rsync

2012-03-06 Thread Jean-Daniel Beaubien
Hi,

After reading the following paragraph from the dovecot doc, I've been
wondering how it would affect rsync (when combined with gzip):

Expunging a message only decreases the message's refcount. The space is
later freed in purge step. This is typically done in a nightly cronjob
when there's less disk I/O activity. The purging first finds all files that
have refcount=0 mails. Then it goes through each file and copies the
refcount>0 mails to other mdbox files (to the same files as where newly
saved messages would also go), updates the map index and finally deletes
the original file. So there is never any overwriting or file truncation.

How will the mailbox files (m.X) be modified when I move or delete
emails using mdbox+gzip. Will the resulting gzipped mdbox files be
rsync-able or will they need a full re-upload?

If I plan on using rsync for backups, am I better off not using the gzip
feature (if I can spare the extra storage)?

Thanks,

-JD


Re: [Dovecot] testing fts-solr?

2012-02-27 Thread Jean-Daniel Beaubien
Ok, I had to fix a few things. First of all, I had to declare mail_plugins
= fts fts_solr in global file (dovecot.conf). After doing that, running
doveadm fts optimize stopped giving me errors.

I ran doveadm index -user INBOX (and other folders). I'm assuming this
actually did something because java/tomcat6 were really busy for a few mins
and I could see the solr logs going nuts (/var/log/tomcat6/catalina.out).

However, whenever I run a search thru thunderbird (searching the
from/to/subject/body fields), I don't see anything related to solr in the
dovecot logs (I never see the line you mentioned or anything
close: indexer-worker(user@domain): Info: Indexed 1 messages in INBOX).

After playing with the logging level, I managed to see this in the logs:
Feb 27 19:12:19 mba-server dovecot: imap: Debug: Loading modules from
directory: /var/opt/dovecot/lib/dovecot
Feb 27 19:12:19 mba-server dovecot: imap: Debug: Module loaded:
/var/opt/dovecot/lib/dovecot/lib20_fts_plugin.so
Feb 27 19:12:19 mba-server dovecot: imap: Debug: Module loaded:
/var/opt/dovecot/lib/dovecot/lib20_zlib_plugin.so
Feb 27 19:12:19 mba-server dovecot: imap: Debug: Module loaded:
/var/opt/dovecot/lib/dovecot/lib21_fts_solr_plugin.so

But nothing indicating that solr_plugin is being used. Any idea? I'd really
like to be able to clearly see that I'm using solr.

Regards,

-JD




On Mon, Feb 27, 2012 at 5:24 AM, Timo Sirainen t...@iki.fi wrote:

 On Sun, 2012-02-26 at 18:26 -0500, Jean-Daniel Beaubien wrote:
  hi everyone,
 
  However, how can I verify that solr is working properly?

 You should see in logs things like:

 indexer-worker(user@domain): Info: Indexed 1 messages in INBOX

 It should be in Dovecot's info log (see doveadm log find). If you
 can't find it, see if doveadm index -u user@domain INBOX does any
 work.

 Make sure the fts plugin is enabled, doveadm fts optimize shouldn't
 give an error.
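
An added example, not code from the thread: a Python pass over the imap Debug and indexer-worker lines quoted above, encoding the two checks Timo gives (the fts plugin and an fts backend both loaded, in that order, and indexer-worker reporting indexed messages). The "Module loaded" lines are the ones from the post, re-joined onto single lines; the indexer-worker lines and the user name jd@example.com are constructed to show what a working setup logs.

```python
import re
from typing import Dict, Iterable, List, Tuple

# "Module loaded: /path/lib20_fts_plugin.so" -> plugin name "fts"
MODULE_RE = re.compile(r"Module loaded: \S*/lib\d+_(\w+?)_plugin\.so")
# "indexer-worker(user@domain): Info: Indexed 12 messages in INBOX"
INDEXED_RE = re.compile(
    r"indexer-worker\(([^)]+)\): Info: Indexed (\d+) messages in (\S+)")


def loaded_plugins(lines: Iterable[str]) -> List[str]:
    """Plugin names in the order the imap process loaded them."""
    names = []
    for line in lines:
        m = MODULE_RE.search(line)
        if m:
            names.append(m.group(1))
    return names


def indexed_counts(lines: Iterable[str]) -> Dict[Tuple[str, str], int]:
    """Messages indexed per (user, mailbox), summed over all indexer-worker lines."""
    totals: Dict[Tuple[str, str], int] = {}
    for line in lines:
        m = INDEXED_RE.search(line)
        if m:
            key = (m.group(1), m.group(3))
            totals[key] = totals.get(key, 0) + int(m.group(2))
    return totals


def fts_status(lines: Iterable[str]) -> Dict[str, object]:
    """Both checks at once: fts loaded before an fts_* backend, and indexing seen."""
    lines = list(lines)
    plugins = loaded_plugins(lines)
    backends = [p for p in plugins if p.startswith("fts_")]
    fts_loaded = ("fts" in plugins and bool(backends)
                  and plugins.index("fts") < plugins.index(backends[0]))
    return {"plugins": plugins, "backends": backends,
            "fts_loaded": fts_loaded, "indexed": indexed_counts(lines)}


# First four lines: the Debug output quoted in the post.  The indexer-worker
# lines are constructed; they are what a working fts setup logs.
SAMPLE_LOG = """\
Feb 27 19:12:19 mba-server dovecot: imap: Debug: Loading modules from directory: /var/opt/dovecot/lib/dovecot
Feb 27 19:12:19 mba-server dovecot: imap: Debug: Module loaded: /var/opt/dovecot/lib/dovecot/lib20_fts_plugin.so
Feb 27 19:12:19 mba-server dovecot: imap: Debug: Module loaded: /var/opt/dovecot/lib/dovecot/lib20_zlib_plugin.so
Feb 27 19:12:19 mba-server dovecot: imap: Debug: Module loaded: /var/opt/dovecot/lib/dovecot/lib21_fts_solr_plugin.so
Feb 27 19:13:02 mba-server dovecot: indexer-worker(jd@example.com): Info: Indexed 1532 messages in INBOX
Feb 27 19:13:40 mba-server dovecot: indexer-worker(jd@example.com): Info: Indexed 40 messages in Sent
Feb 27 19:14:05 mba-server dovecot: indexer-worker(jd@example.com): Info: Indexed 12 messages in INBOX
""".splitlines()

if __name__ == "__main__":
    status = fts_status(SAMPLE_LOG)
    print("plugins:", status["plugins"])
    print("fts_loaded:", status["fts_loaded"])
    for (user, box), n in sorted(status["indexed"].items()):
        print("%s %s: %d indexed" % (user, box, n))
```

Feed it the file `doveadm log find` points at; plugins loaded but an empty "indexed" dict means the plugin is active and the indexer was never triggered, which is the situation the post describes.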





Re: [Dovecot] testing fts-solr?

2012-02-27 Thread Jean-Daniel Beaubien
Btw, since 2.1 is out-performing our old solution so badly, I thought I'd
drop some numbers.

- The old setup takes over ~4.5 seconds to perform our most common
operation.
- The new setup takes ~0.2 second to perform the same operation on the same
dataset.

- approx 22x faster, with less than half the storage; zlib is awesome, for
the test account 15GB transforms into 6.5GB.

Old setup: dovecot 1.0.9 (Athlon X2 processor, standard hdd)
New solution: dovecot 2.1, mdbox, zlib, fts_solr (i think solr works, but
not sure) (core i7-2600, standard hdd).

Thank you very much for the awesome software.





On Mon, Feb 27, 2012 at 7:14 PM, Jean-Daniel Beaubien jd.beaub...@gmail.com
 wrote:

 Ok, I had to fix a few things. First of all, I had to declare mail_plugins
 = fts fts_solr in global file (dovecot.conf). After doing that, running
 doveadm fts optimize stopped giving me errors.

 I ran doveadm index -user INBOX (and other folders). I'm assuming this
 actually did something because java/tomcat6 were really busy for a few mins
 and I could see the solr logs going nuts (/var/log/tomcat6/catalina.out).

 However, whenever I run a search thru thunderbird (searching the
 from/to/subject/body fields), I don't see anything related to solr in the
 dovecot logs (I never see the line you mentioned or anything
 close: indexer-worker(user@domain): Info: Indexed 1 messages in INBOX).

 After playing with the logging level, I managed to see this in the logs:
 Feb 27 19:12:19 mba-server dovecot: imap: Debug: Loading modules from
 directory: /var/opt/dovecot/lib/dovecot
 Feb 27 19:12:19 mba-server dovecot: imap: Debug: Module loaded:
 /var/opt/dovecot/lib/dovecot/lib20_fts_plugin.so
 Feb 27 19:12:19 mba-server dovecot: imap: Debug: Module loaded:
 /var/opt/dovecot/lib/dovecot/lib20_zlib_plugin.so
 Feb 27 19:12:19 mba-server dovecot: imap: Debug: Module loaded:
 /var/opt/dovecot/lib/dovecot/lib21_fts_solr_plugin.so

 But nothing indicating that solr_plugin is being used. Any idea? I'd
 really like to be able to clearly see that I'm using solr.

 Regards,

 -JD




 On Mon, Feb 27, 2012 at 5:24 AM, Timo Sirainen t...@iki.fi wrote:

 On Sun, 2012-02-26 at 18:26 -0500, Jean-Daniel Beaubien wrote:
  hi everyone,
 
  However, how can I verify that solr is working properly?

 You should see in logs things like:

 indexer-worker(user@domain): Info: Indexed 1 messages in INBOX

 It should be in Dovecot's info log (see doveadm log find). If you
 can't find it, see if doveadm index -u user@domain INBOX does any
 work.

 Make sure the fts plugin is enabled, doveadm fts optimize shouldn't
 give an error.






[Dovecot] testing fts-solr?

2012-02-26 Thread Jean-Daniel Beaubien
hi everyone,

However, how can I verify that solr is working properly?

Background:
  - I'm trying to setup 2.1 with fts_solr and eventually test maildir/mdbox.
  - I used the following webpage as reference to setup solr:
http://www.roessner-network-solutions.com/2012/02/19/full-text-search-with-solr-and-dovecot-on-ubuntu-10-04/

I'm looking at /var/log/tomcat6/catalina.out file, but see nothing telling
me that it's being used (same for /var/log/mail.log, etc.)

Any tips?

Thanks


[Dovecot] maildir vs mdbox

2012-01-28 Thread Jean-Daniel Beaubien
Hi,

I am planning on running a test between maildir and mdbox to see which is
a better fit for my use case. And I'm just looking for general
advice/recommendation. I will post any results I obtain here.

Important question: I have multiple users hitting the same email account at
the same time. Can this be a problem with mdbox? (either via thunderbird or with
custom webmail apps). I remember having huge issues with mbox a decade ago
because of this. Maildir fixed this... will mdbox reintroduce this problem?
This is a very important point for me.

Here is my use case:

- Ubuntu server (any specific recommendations on FS to use?)
- Standard PC hardware (core i5 or i7, few gigs of ram, hdds at first,
probably ssd afterwards, nothing very fancy)
- Serving only a handful of email accounts, but some of the accounts have
over 3 million emails in them (with individual mail folders having 100k+
emails)
- Will use latest dovecot (2.1 when it comes out)
- fts-lucene or fts-solr?

-jd


Re: [Dovecot] maildir vs mdbox

2012-01-28 Thread Jean-Daniel Beaubien
Wow, incredible response time :)

I have 1 more question which I forgot to put in the initial post.

Considering my use case (small number of accounts but a lot of emails per
account, and I should add that they are mostly small emails, most under 5k,
a lot under 30k) what mdbox setting would you recommend I start testing with
(mdbox_rotate_size and mdbox_rotate_interval).

-JD


On Sat, Jan 28, 2012 at 11:05 AM, Timo Sirainen t...@iki.fi wrote:

 On 28.1.2012, at 17.59, Jean-Daniel Beaubien wrote:

  I am planning on running a test between maildir and mdbox to see which
 is
  a better fit for my use case. And I'm just looking for general
  advice/recommendation. I will post any results I obtain here.

 Maildir is good for reliability, since it's just about impossible to
 corrupt, and even in case of filesystem corruption it's easier to recover
 than other formats. mdbox is good if you want the best performance.

  Important question: I have multiple users hitting the same email account
 at
  the same time. Can this be a problem with mdbox?

 No problem.

  - Serving only a handful of email accounts, but some of the accounts
 have
  over 3 million emails in them (with individual mail folders having 100k+
  emails)

 Maildir gets slow with that many mails in one folder.

  - fts-lucene or fts-solr?


 fts-lucene uses the latest CLucene version, which is a little old. With
 fts-solr you can use the latest Solr/Lucene. So as long as you don't mind
 setting up a Solr instance it should be better. The good thing about
 fts-lucene is that you can simply enable it and it works without any
 external servers.


Re: [Dovecot] maildir vs mdbox

2012-01-28 Thread Jean-Daniel Beaubien
On Sat, Jan 28, 2012 at 11:37 AM, Timo Sirainen t...@iki.fi wrote:

 On 28.1.2012, at 18.13, Jean-Daniel Beaubien wrote:

  Considering my use case (small number of accounts but a lot of emails per
  account, and I should add that they are mostly small emails, most under
 5k,
  a lot under 30k) what mdbox setting would you recommend I start testing
 with
  (mdbox_rotate_size and mdbox_rotate_interval).

 mdbox_rotate_interval is useful only if you want smaller incremental
 backups (so files that are backed up no longer change unless messages are
 deleted). Its default is 0 (I just fixed example-config, which showed it as
 1day).

 To be honest, the smaller incremental backup part is interesting. That
along with auto-gzip of the mdbox files are very interesting for me.



 I don't really know about mdbox_rotate_size. It would be nice if someone
 were to test different values over longer period and report how it affects
 disk IO.


I was thinking on doing a test with 20MB and 80MB, look at the results and
go from there.

Btw, when I migrate my emails from Maildir to mdbox, dsync should take into
account the rotate_size parameter. If I want to change the rotate_size
parameter, I simply edit the config file, change the parameter (erase the
mdbox folder?) and re-run dsync. Is that correct?


Re: [Dovecot] Persistence of UIDs

2012-01-25 Thread Jean-Daniel Beaubien
On Wed, Jan 25, 2012 at 7:45 AM, Timo Sirainen t...@iki.fi wrote:

 On 25.1.2012, at 5.22, Jean-Daniel Beaubien wrote:

  I have a question concerning UIDs. How persistent are they?

 With Dovecot persistent enough. But as Michael said, check UIDVALIDITY.

  I am thinking about building some form of webmail specialized for some
  specific business purpose and I am thinking of building a sort of cache
 in
  a DB by storing the email addr, date, subject and UID for quick lookups
 and
  search of correspondence.

 Dovecot should already have such cache. If there are problems with that, I
 think it would be better to fix it on Dovecot's side rather than adding a
 second cache.


Very true.  Have there been many search/index improvements since 1.0.9? I
read thru the release notes but nothing jumped out at me.


  I am doing this because I am having issue with multiple people searching
  thru email folders that have 100k+ emails (which is another problem in
  itself, searches don't seem to scale well when folder goes above 60k
  emails).

 Maybe enable fts-solr or fts-lucene? (Both work much better in v2.1.)


I was under the impression that lucene was for full-text search. I'm just
doing simple from/to field searches.

I will get a few numbers together about folder_size -- search time and I
will post them tonight.

-jd
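
An added example, not from the thread: the cache JD describes (sender, date and subject keyed by UID) written so that it honours the UIDVALIDITY check Timo points at. Per RFC 3501 a UID identifies a message only together with the folder's UIDVALIDITY, which the server reports in the SELECT response (`* OK [UIDVALIDITY 1328150400] ...`); when that value changes (Dovecot does this when it has to regenerate a Maildir's dovecot-uidlist, for instance), every stored UID is meaningless and the cache must be dropped and rebuilt. The entries, addresses and UIDVALIDITY values below are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

UIDVALIDITY_RE = re.compile(r"\[UIDVALIDITY (\d+)\]")


def parse_uidvalidity(select_response: str) -> int:
    """Pull UIDVALIDITY out of the untagged OK line the server sends on SELECT."""
    m = UIDVALIDITY_RE.search(select_response)
    if m is None:
        raise ValueError("no UIDVALIDITY in SELECT response")
    return int(m.group(1))


@dataclass
class Entry:
    uid: int
    sender: str
    date: str
    subject: str


@dataclass
class FolderCache:
    """Header cache for one folder, valid for exactly one UIDVALIDITY.

    A UID recorded under one UIDVALIDITY must never be used to fetch a body
    after the server reports another: it may now name a different message."""
    uidvalidity: Optional[int] = None
    entries: Dict[int, Entry] = field(default_factory=dict)
    rebuilds: int = 0

    def begin_sync(self, select_response: str) -> bool:
        """Call with the SELECT response before each sync; True if the cache was dropped."""
        uv = parse_uidvalidity(select_response)
        if self.uidvalidity is None:
            self.uidvalidity = uv
            return False
        if uv != self.uidvalidity:
            self.entries.clear()
            self.uidvalidity = uv
            self.rebuilds += 1
            return True
        return False

    def store(self, entries: Iterable[Entry]) -> None:
        for e in entries:
            self.entries[e.uid] = e

    def expunge(self, uids: Iterable[int]) -> None:
        for uid in uids:
            self.entries.pop(uid, None)

    def lookup(self, uidvalidity: int, uid: int) -> Optional[Entry]:
        """Refuse to answer for a UID that was recorded under another UIDVALIDITY."""
        if uidvalidity != self.uidvalidity:
            return None
        return self.entries.get(uid)

    def by_sender(self, sender: str) -> List[Entry]:
        return sorted((e for e in self.entries.values() if e.sender == sender),
                      key=lambda e: e.uid)


def simulate() -> dict:
    """Constructed scenario: cache built, one message expunged, then UIDVALIDITY changes."""
    cache = FolderCache()
    cache.begin_sync("* OK [UIDVALIDITY 1328150400] UIDs valid")
    cache.store([Entry(1, "alice@example.com", "2012-01-24", "invoice"),
                 Entry(2, "bob@example.com", "2012-01-24", "re: invoice"),
                 Entry(3, "alice@example.com", "2012-01-25", "quote")])
    cache.expunge([2])
    hit = cache.lookup(1328150400, 3)
    alice_before = [e.uid for e in cache.by_sender("alice@example.com")]
    # Folder rebuilt server-side: new UIDVALIDITY, UIDs renumbered from 1.
    dropped = cache.begin_sync("* OK [UIDVALIDITY 1328236800] UIDs valid")
    stale = cache.lookup(1328150400, 3)   # old UIDVALIDITY: must not be served
    miss = cache.lookup(1328236800, 3)    # new UIDVALIDITY, nothing cached yet
    return {"hit": hit, "alice_before": alice_before, "dropped": dropped,
            "stale": stale, "miss": miss, "rebuilds": cache.rebuilds,
            "size": len(cache.entries)}


if __name__ == "__main__":
    print(simulate())
```

In a database-backed version the (folder, uidvalidity) pair belongs in the primary key next to the UID, so a changed UIDVALIDITY leaves the old rows unreachable instead of silently wrong.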


Re: [Dovecot] Persistence of UIDs

2012-01-25 Thread Jean-Daniel Beaubien
On Wed, Jan 25, 2012 at 8:47 AM, Timo Sirainen t...@iki.fi wrote:

 On 25.1.2012, at 15.34, Jean-Daniel Beaubien wrote:

  I am thinking about building some form of webmail specialized for some
  specific business purpose and I am thinking of building a sort of cache
  in
  a DB by storing the email addr, date, subject and UID for quick lookups
  and
  search of correspondence.
 
  Dovecot should already have such cache. If there are problems with
 that, I
  think it would be better to fix it on Dovecot's side rather than adding
 a
  second cache.
 
 
  Very true.  Have there been many search/index improvements since 1.0.9? I
  read thru the release notes but nothing jumped out at me.

 Disk I/O usage is the same probably, CPU usage is less in newer versions.

  I am doing this because I am having issue with multiple people
 searching
  thru email folders that have 100k+ emails (which is another problem in
  itself, searches don't seem to scale well when folder goes above 60k
  emails).
 
  Maybe enable fts-solr or fts-lucene? (Both work much better in v2.1.)
 
 
  I was under the impression that lucene was for full-text search. I'm just
  doing simple from/to field searches.

 In v2.1 from/to fields are also searched via FTS.


Ok, I managed to compile 2.1 rc5 on an old ubuntu 8.04 without any issue.
However, the config file is giving me a bit of a hard time, I'll figure
this part out tomorrow.

I'd just like to confirm that there is no risk to the actual mail data if
ever something is badly configured when I start dovecot 2.1.  I am managing
this old server in my spare time for a friend, so I don't want to lose
2 million+ emails and have to deal with those consequences :)


[Dovecot] Persistence of UIDs

2012-01-24 Thread Jean-Daniel Beaubien
Hi everyone,

I have a question concerning UIDs. How persistent are they?

I am thinking about building some form of webmail specialized for some
specific business purpose and I am thinking of building a sort of cache in
a DB by storing the email addr, date, subject and UID for quick lookups and
search of correspondence.

I am doing this because I am having issue with multiple people searching
thru email folders that have 100k+ emails (which is another problem in
itself, searches don't seem to scale well when folder goes above 60k
emails).

So to come back to my question, can I store the UIDs and reuse those UIDs
later on to obtain the body of the email? Or can the UIDs change on the
server so that they will not be valid anymore?

My setup is:
- dovecot 1.x (will migrate to 2.x soon)
- maildir
- everything stored on an intel 320 SSD (index and maildir folder)


Thanks,

-JD