Re: [Dovecot] POP3 sessions
doc...@doctor.nl2k.ab.ca writes:

> Is there a way in the config file to not lock POP3 sessions in dovecot for only 1 user?

That ought to be the default: http://wiki2.dovecot.org/POP3Server (Section "Session locking")

Did you set pop3_lock_session=yes somewhere?

Locking is good if the client connection is stable: if you disable locking, you could end up with a scrambled mailbox as two or more users access it at the same time.

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] Disable maildir indexing and dovecot-uidlist on LMTP/LDA delivery
On Thu, 3 Apr 2014, Jouko Nikula wrote:

> I now used:
>
>     mail_location = maildir:~/mail:INDEX=MEMORY:CONTROL=/var/mail/%d/ctrl/%u
>
> and for sieve:
>
>     plugin {
>       sieve = /var/mail/%d/ctrl/%u/dovecot.sieve
>       sieve_dir = /var/mail/%d/ctrl/%u/
>     }
>
> I also have two dovecot instances. One is responsible for imap/pop3 and the other is responsible for sasl and lmtp. The latter uses the configuration above and the former differs on the mail location so that it does not have the INDEX=MEMORY setting:
>
>     mail_location = maildir:~/mail:CONTROL=/var/mail/%d/ctrl/%u
>
> Do you see problems in this setup?

No, but I don't use sieve (nor INDEX=MEMORY for that matter), so my knowledge is limited here.

> My understanding is that now I'm wasting a little bit of CPU on creating indices for new mail, but I nevertheless have working and stored indices on the dovecot's imap instance.

I/O is more precious than CPU, and that's what indices try to conserve. I don't know how much performance degradation append operations (i.e. new mail) have on index updates, but it's probably proportional to mailbox size. If your mailboxes are small, it's probably negligible.

>> However, I would look at the cause of the insufficient privileges: it is a symptom of something that could lead to other problems.
>
> The cause is that I have not given lmtp read access to mail/home dir. :-) So this is intentional.

That is bizarre -- I can't think of how you can profit from denying read access to indices, but allow write access, and also allow read access to the mailboxes.

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] Disable maildir indexing and dovecot-uidlist on LMTP/LDA delivery
Jouko Nikula jonik...@gmail.com writes:

> Is there a way to use LMTP (or LDA) so that maildir index and dovecot-uidlist are not updated? My setup is such that mail delivery sees the user's maildir as write only. This setup works well when using postfix for mail delivery, but when I try to switch to dovecot LMTP the lmtp process wants to read the dovecot-uidlist and fails on insufficient privileges. Is there a way around this without exposing the maildir and mail home for read access?

You could create MEMORY indices, e.g.

    mail_location = maildir:~/Maildir:INDEX=MEMORY

which will allow all the other processing like sieve to work. However, I would look at the cause of the insufficient privileges: it is a symptom of something that could lead to other problems.

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] Dovecot not honoring configuration settings (auth failure)
Jeffrey Walton noloa...@gmail.com writes:

>     passdb {
>       args = /var/mail/%d/users
>       driver = passwd-file
>     }
> ...
>     userdb {
>       driver = passwd
>     }

Your userdb and passdb are not using the same DB: did you intend this? Does the userdb have user@domain entries, rather than just user entries?

The diagnostics I referred to in my last post would have been helpful here.

> # postconf -n

If you're having problems authenticating to the IMAP service, then you ought to concentrate on that problem: it's likely your LDA problem is dependent on that solution.

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] Dovecot not honoring configuration settings (auth failure)
On Tue, 1 Apr 2014, Jeffrey Walton wrote:

> Related: what does the bang mean? I've got a programming background, and to me it's a NOT. So I would read that as "don't include conf.d/".

It would have the same effect as commenting it out. I guess it's the semi-arbitrary syntax Timo chose for the include directive. Maybe it came from the bang syntax for Unix scripts.

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] Dovecot not honoring configuration settings (auth failure)
Jeffrey Walton noloa...@gmail.com writes:

> I specified the following in my dovecot.conf.
>
>     passdb {
>       args = /var/mail/%d/users
>       driver = passwd-file
>     }
>
> Attempts to use the configuration result in an authentication failure. Here's an entry from dovecot.log when the failure happens:
>
>     Mar 31 16:04:12 imap-login: Info: Disconnected (auth failed, 1 attempts in 5 secs): user=j...@foo.com, method=PLAIN, rip=127.0.0.1, lip=127.0.1.1, secured, session=n5/ajez1FgB/AAAB

Just to confirm, your user specified in the passdb corresponds to what is being authenticated (i.e. the client is authenticating as j...@foo.com, not jeff)? Otherwise, you'll need to add domains to your passdb, or configure username_format=%n

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] Dovecot not honoring configuration settings (auth failure)
On Mon, 31 Mar 2014, Jeffrey Walton wrote:

>> Just to confirm, your user specified in the passdb corresponds to what is being authenticated (i.e. the client is authenticating as j...@foo.com, not jeff)? Otherwise, you'll need to add domains to your passdb, or configure username_format=%n
>
> Yes, I believe so:
>
>     $ sudo cat /var/mail/foo.com/users
>     # Generate passwords with:
>     #   doveadm pw -s PLAIN -p password
>     # Real users
>     t...@foo.com:{PLAIN}some-password
>     j...@foo.com:{PLAIN}some-password

OK, I guess the next step is to see whether the dovecot auth process is able to read the passdb file. Does your dovecot auth process have enough authorization to get/read these files (check what dovecot/auth runs as versus the file permissions of your passdb)?

    doveadm user j...@foo.com

checks the userdb, and if it coincides with your passdb, might point out a problem. Tracing the auth process might also help.

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] Weird Authentication behaviour
Reindl Harald h.rei...@thelounge.net writes:

> frankly 8 chars is laughable, i recently wrote a PHP library to generate secure random passwords and for 10^5 passwords get 13 collisions is way too much given that that means you have a collision every 8000 tries which means not you need 8000 in a real world attack

(Off-topic)

Not that I disagree with the conclusion that 8 character passwords are weak by today's standards, but there seems to be something wrong with your generator (weak PRNG? limited character set?). 13 collisions in 10^5 passwords is terrible, even by 1980 Unix standards.

The keyspace for an 8-character alphanumeric password is 62^8, and assuming a random selection of keys, you would need to generate 17,397,806 keys before expecting a 50% probability of finding one collision:

(Ref: http://en.wikipedia.org/wiki/Birthday_problem#Cast_as_a_collision_problem)

    p = 0.5, d = 62^8
    n = sqrt(2 * 62^8 * log(1/(1-0.5))) ~= 1.7E7

A hash collision (again, assuming crypt is a halfway decent hasher) is even more unlikely, as the hash space is even larger (4096 salts * 64^11).

Jiri Bourek added

> Yes, AFAIK DES encryption is obsolete for very long time and if you know hash, it's quite easy to generate a secret which will match the hash ...

Quite easy? Maybe if you could find rainbow tables for crypt(). Go ahead and invert LXE5F6d8FPOa..

Joseph Tam jtam.h...@gmail.com
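The birthday-bound arithmetic in the reply above, plus the generator audit it implies, as an added example (not code from the list thread or from Dovecot). The keyspace is the post's 62-symbol alphabet at 8 characters; `random_password` draws from the OS CSPRNG via Python's `secrets` module, and the 4-digit generator at the end is a deliberately tiny keyspace constructed here to show what a limited character set does to the collision count.

```python
import math
import secrets
import string

# 62-symbol alphabet from the post (A-Z, a-z, 0-9); 8 characters gives d = 62^8 keys
ALPHANUMERIC = string.ascii_letters + string.digits


def birthday_bound(keyspace, p=0.5):
    """Draws needed before the chance of at least one collision reaches p.
    Same formula as the post: n = sqrt(2 * d * ln(1/(1-p)))."""
    return round(math.sqrt(2 * keyspace * math.log(1 / (1 - p))))


def collision_probability(keyspace, n):
    """Probability of at least one collision among n uniform draws from
    `keyspace` values, using the usual approximation 1 - exp(-n(n-1)/(2d))."""
    return 1 - math.exp(-n * (n - 1) / (2 * keyspace))


def expected_collisions(keyspace, n):
    """Expected number of colliding pairs among n uniform draws: C(n,2)/d."""
    return n * (n - 1) / (2 * keyspace)


def random_password(length=8, alphabet=ALPHANUMERIC):
    """One password from the OS CSPRNG; secrets.choice is unbiased per symbol."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def count_collisions(passwords):
    """Number of values in `passwords` that repeat one seen earlier."""
    seen = set()
    repeats = 0
    for pw in passwords:
        if pw in seen:
            repeats += 1
        seen.add(pw)
    return repeats


def audit_generator(generate, keyspace, samples):
    """Compare a generator's observed collisions with what uniform draws from
    its keyspace should produce. Returns (observed, expected)."""
    observed = count_collisions(generate() for _ in range(samples))
    return observed, expected_collisions(keyspace, samples)


if __name__ == "__main__":
    d = 62 ** 8
    print(f"d = 62^8 = {d}; 50% collision bound n ~= {birthday_bound(d):,}")
    obs, exp = audit_generator(random_password, d, 100_000)
    print(f"100000 8-char alphanumeric passwords: {obs} collisions (expected {exp:.2e})")
    # Constructed weak generator: 4 digits, d = 10^4. Thousands of draws collide
    # constantly, which is the symptom a limited character set produces.
    obs, exp = audit_generator(lambda: random_password(4, string.digits), 10 ** 4, 2_000)
    print(f"2000 4-digit PINs: {obs} collisions (expected {exp:.0f})")
```

A generator whose observed collisions sit far above `expected_collisions` for its claimed keyspace is either not drawing uniformly or is drawing from a much smaller keyspace than advertised; either way the passwords are weaker than their length suggests.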
Re: [Dovecot] Help connecting from remote client (no auth attempts
Blake McBride writes:

> Thanks. The current version of Thunderbird auto-detects connection parameters - presumably by trying every combination. All I give is an email address and a password. They also have a manual configuration that I spent a lot of time with. I was never able to do any better than their auto-config.

That's usually the cause of many problems I see with log entries like yours. It could happen when client and server disagree on using STARTTLS or SSL, so hardwiring your client to use whatever your server supports stops the client from fumbling around (and getting it wrong).

> Given my experience with all this, I feel confident that Thunderbird is not a factor in the problem.

A network trace could clear that up, but auto-configure is problematic.

> In terms of the config, I really don't know what I am doing. I think what I want is clear text passwords sent over an SSL connection. Isn't that secure? I don't know the difference between SSL and that TTSL thing. I really don't care how it is set up. I just want it to be reasonably secure and simple.

You'll need to know these things in order to understand the problem. The essential difference, as far as you're concerned, is that TLS (or STARTTLS or SSLv(some-number-I-forget)) starts out in plain text, then the client issues a command (STARTTLS) to commence the secure (encrypted) communication handshake, whereas SSL dives right in and expects the client to negotiate SSL parameters immediately. These two variations of SSL listen on two distinct ports. If you get these crossed up, you'll get the above error log. In my experiments:

    SSL client - TLS server port: Aborted login (no auth attempts)
    TLS client - SSL server port: client hangs, Disconnected: Inactivity (no auth attempts in 180 secs)

SSL/TLS + clear-text password is secure. If you do not use SSL/TLS, you'll have to use CRAM-MD5 or some challenge-response authentication to defeat password snooping. You could use both, but that's overkill.
Joseph Tam jtam.h...@gmail.com
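The two mismatches in the reply above (an SSL client on a STARTTLS port, a STARTTLS client on an SSL port) can be told apart from the first bytes a client sends. The following is an added example, not code from the list thread or from Dovecot: it classifies a connection from the server port and the client's first payload, maps each mismatch to the log line Joseph reported, and treats "no client bytes before the idle timeout" on an SSL port as the hang case, since a STARTTLS client is waiting for a plaintext greeting that the SSL port never sends. The ClientHello bytes and IMAP/POP3 command lines are constructed samples, not captures.

```python
from typing import Optional

# Port conventions as described in the reply: implicit-SSL ports expect a TLS
# handshake immediately; STARTTLS ports start in plaintext and upgrade later.
IMPLICIT_TLS_PORTS = {993: "imaps", 995: "pop3s"}
STARTTLS_PORTS = {143: "imap", 110: "pop3"}

# What Dovecot logged in the post's experiments, keyed by diagnosis.
LOG_SIGNATURE = {
    "ssl-client-on-starttls-port": "Aborted login (no auth attempts)",
    "starttls-client-on-ssl-port": "Disconnected: Inactivity (no auth attempts in 180 secs)",
}


def is_tls_client_hello(data: bytes) -> bool:
    """TLS record header: content type 0x16 (handshake), version 0x03.xx,
    two length bytes, then handshake type 0x01 (ClientHello)."""
    return len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01


def is_plaintext_command(data: bytes) -> bool:
    """IMAP/POP3 commands are one printable-ASCII line terminated by CRLF."""
    return (data.endswith(b"\r\n") and len(data) > 2
            and all(0x20 <= b < 0x7F for b in data[:-2]))


def diagnose(server_port: int, first_client_bytes: Optional[bytes]) -> str:
    """Classify what the client sent first (None = nothing before the server's
    idle timeout) against the port it connected to."""
    if server_port in IMPLICIT_TLS_PORTS:
        if first_client_bytes is None:
            # Client waits for a greeting, server waits for a ClientHello:
            # nobody speaks, and the server eventually logs an inactivity disconnect.
            return "starttls-client-on-ssl-port"
        if is_tls_client_hello(first_client_bytes):
            return "ok-implicit-tls"
        if is_plaintext_command(first_client_bytes):
            return "starttls-client-on-ssl-port"
        return "unknown"
    if server_port in STARTTLS_PORTS:
        if first_client_bytes is None:
            return "idle-client"
        if is_tls_client_hello(first_client_bytes):
            # The server parses handshake bytes as a garbage command, so the
            # session ends without any authentication attempt.
            return "ssl-client-on-starttls-port"
        if is_plaintext_command(first_client_bytes):
            return "ok-plaintext"
        return "unknown"
    return "unknown-port"


# Constructed ClientHello prefix: record header (16 03 01, length), handshake
# header (01, length), client version 03 03, then a 32-byte random. Truncated.
SAMPLE_CLIENT_HELLO = bytes.fromhex("160301002c010000280303") + bytes(32)
SAMPLE_IMAP_COMMAND = b"a001 CAPABILITY\r\n"   # constructed
SAMPLE_POP3_COMMAND = b"USER tester\r\n"        # constructed

if __name__ == "__main__":
    cases = [(143, SAMPLE_CLIENT_HELLO), (993, SAMPLE_CLIENT_HELLO),
             (143, SAMPLE_IMAP_COMMAND), (993, None), (995, SAMPLE_POP3_COMMAND)]
    for port, data in cases:
        verdict = diagnose(port, data)
        print(f"port {port:<4} {verdict:<28} {LOG_SIGNATURE.get(verdict, '')}")
```

Run over the first client packet of each connection in a capture, this separates "client speaks TLS on the plaintext port" from "client never speaks on the TLS port", which is the distinction the two log lines above encode; once the client is pinned to the port and mode the server actually offers, both messages disappear.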
Re: [Dovecot] Trying to get Centos5 set up with dovecot
DCA dovecotad...@silverservers.com writes:

> I am trying to set up dovecot to replace an older POP3 server in an existing set up. Currently the server uses sendmail to handle incoming mail. Users are in /etc/mail and their incoming eMail lands in /var/mail/username. In /var/mail the username file is owned by username:mail.
>
> I have dovecot configured to create the imap folders in /home/username/mail/. On existing accounts login attempts fail with errors such as:
>
>     chown /home/username/mail/.imap/INBOX failed: Operation not permitted egid=500(username), group based on /var/mail/username
>     mkdir /home/username/mail/imap/INBOX failed: Operation not permitted.
>
> Everything seems to work as expected but only if I add username into the mail group OR if I have all mailboxes chowned to username:username.
>
> Is there any way to tell dovecot to ignore the group ownership of /var/mail/username and focus instead on using username:username for everything in /home/username? If I have to add every user to the mail group I can but this seems messy.

Geez, I must have answered the same query 3 or 4 times. I need to write an entry in the wiki somewhere:

http://www.dovecot.org/list/dovecot/2013-August/092299.html

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] Disconnected (auth failed, 1 attempts)
ldaamandy amandy_...@outlook.com writes:

>     {username:q...@t.com,password:{CRYPT}$1$d5ef98b7$brWKOJiUiqII3DysGzsfl\/, ...

Dovecot uses the native crypt() which ought to recognize $1$ hashes, but maybe try changing it to {MD5-CRYPT}.

http://wiki2.dovecot.org/Authentication/PasswordSchemes

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] Dovecot/Django authentication
Thomas Johnson t...@terramar.net writes:

> We've got an application in django that has passwords stored in both sha1 and pbkdf2_sha256 form. We need dovecot to be able to authenticate against the django database (we can't modify django to store passwords in dovecot's form, I'm afraid). Has anyone done a dovecot authentication plugin to support these password forms (and/or any other forms that django supports)?

You can always fall back on http://wiki2.dovecot.org/AuthDatabase/CheckPassword to implement any wild and woolly scheme you got going.

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] Sieve vacation attach original message
azurIt azu...@pobox.sk writes:

> is it, somehow, possible to attach the original message to the vacation autoreply?

Hmm. Allowing a sender control over both the recipient (via spoofing) and the content seems like a perfect recipe to turn your mail server into a spam relay cannon. If you do this, you should hedge it by only allowing it from known trusted senders (e.g. local network).

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] Can't get authentication for masterusers on Mac OS X Server 10.6.8
On Tue, 4 Mar 2014, dovecot-requ...@dovecot.org wrote:

>     #telnet mailserv.example.com 143
>     Connected to mailserv.example.com.
>     Escape character is '^]'.
>     * OK Dovecot ready.
>     1 login myusername myPassword
>     1 OK Logged in.
>     1 logout
>     * BYE Logging out
>     1 OK Logout completed.
>     Connection closed by foreign host.

This does not test what you want, which is trying to authenticate the master user, not the regular user. From what I remember of your config, you have another passdb which holds the credentials of your master user: you need to check that file to make sure the master user's password (hash) matches what you think the master password ought to be.

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] Error Initializing mail storage ... after upgrading to 2.2.10
Götz Reinicke - IT Koordinator goetz.reini...@filmakademie.de wrote:

> But on one mailbox I do get an error:
>
>     Error: user rechnnugseingang-animationsinstitut: Initialization failed: Initializing mail storage from mail_location setting failed
>     Error: Invalid user settings. Refer to server log for more information.

And the server log says ...?

Maybe the '-' is not one of the allowed characters (is there a missing 'e' at the end?)

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] Error Initializing mail storage ... after upgrading to 2.2.10
Götz Reinicke writes:

>     mail_location = mbox:~/:INBOX=/var/mail/%u
> ...
>     Namespace inbox: type=private, prefix=, sep=, inbox=yes, hidden=no, list=yes, subscriptions=yes
>       location=mbox:~/:INBOX=/var/mail/rechnungseingang-animationsinstitut
>
>     Feb 27 17:02:11 imap(rechnungseingang-animationsinstitut): Error: user rechnungseingang-animationsinstitut: Initialization failed: Namespace '': Home directory not set for user. Can't expand ~/ for mail root dir in: ~/:INBOX=/var/mail/rechnungseingang-animationsinstitut

Hmm, I don't have a trailing '/' in my mail_location, so maybe you can try leaving it off too just to check.

    mbox:~:INBOX=/var/mail/%u

Also, is your home directory well defined in your userdb? Check the output of

    doveadm user rechnungseingang-animationsinstitut

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] Dovecot 2.2.10 shared mailbox
Florin Portase writes:

> type of error: COREDUMP
>
>     Feb 04 11:49:59 imap(portase.flo...@medianetork.ro): Fatal: master: service(imap): child 23391 killed with signal 11 (core dumped)
>
> Disabling of shared mailbox results in correct functioning of dovecot. To mention again: dovecot version previous to 2.2 was working OK.

Debugging of this sort usually requires submitting a core dump traceback

http://dovecot.org/bugreport.html

This might be a known issue (check the Dovecot archives).

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] Architecture for large Dovecot cluster
>> Just a guess, but I expect the difference is because NetApp de-dupes by checksumming blocks and marks whole blocks as duplicates if they have the same checksum.
>
> True, the start of the message is always at byte 0, but because of different header length per user for the same message (different mail address with different lengths) the body will never start at the same byte.

Oh yes, that's right. I confused maildir format with sendmail queue files that separate header and body.

There is still some similarity for mass mailouts to the same mail domain: they will have almost identical headers +/- message IDs and a few bytes here and there, but as you say, SiS is the way to go for deduping bulky message attachments.

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] Architecture for large Dovecot cluster
Sven Hartge s...@svenhartge.de wrote:

> Interesting datapoint: NetApp Deduplication did only recover about 1% of storage space with mdbox-based mail storage, while on a maildir-based mail storage, the rate was about 15%. (This was tested with a copy of real user data, so is accurate for my workload.)

Just a guess, but I expect the difference is because NetApp de-dupes by checksumming blocks and marks whole blocks as duplicates if they have the same checksum. The message body has the same block offset in maildir (i.e. the start of a message is at byte 0), whereas mdbox might align the message body anywhere in a block, so you might have 512 different block configurations for the same message.

I don't know whether message alignment would be a worthwhile optimization for mdbox.

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] Couldn't drop privileges
From: CM Reddy cmre...@armor5.com

>     userdb {
>       args = username_format=%u /etc/dovecot/users
>       driver = passwd-file
>     }
> ...
> Log information:
> ...
>     Jan 13 16:42:44 cmreddy-Lenovo-G500s dovecot: imap(armor5): Error: user armor5: Couldn't drop privileges: User is missing GID (see mail_gid setting)

Fairly self-explanatory, isn't it? It appears your userdb does not specify a GID for a user. Either define it, or ...

In share/doc/dovecot/example-config/conf.d/10-mail.conf:

    # System user and group used to access mails. If you use multiple, userdb
    # can override these by returning uid or gid fields. You can use either numbers
    # or names. <doc/wiki/UserIds.txt>
    #mail_uid =

... if all your users share the same GID, set it here.

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] imap auto create mailbox: we're not in group 8(mail)
Adrian Zaugg writes:

> How can I configure the auto create mailbox feature so that it works and lets the LMTP and IMAP processes run as user %u and group mail, and creates the mailboxes in /var/mail (example user tester) with the following permissions:
>
>     /var/mail:
>     drwxrwx--x root   mail   3072 Dec 18 01:43 .
>     drwx--     tester tester 1024 Jan 09 12:53 tester

This is probably what you need:

    # Group to enable temporarily for privileged operations. Currently this is
    # used only with INBOX when either its initial creation or dotlocking fails.
    # Typically this is set to "mail" to give access to /var/mail.
    mail_privileged_group = mail

> ...or do I need a different approach?

You could also chmod 1777 /var/mail but this will allow arbitrary users who have filesystem access to create their own files here, and maybe DoS a new user from being created (or maybe even anticipate a new mailbox, create one with mode 0777 and wait to intercept mail?).

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] BUG report: doveadm HEADER field pattern when concatenating with another Search key
> So e.g. when doing
>
>     doveadm fetch -u exampleuser hdr SUBJECT Silvester HEADER Return-Path someu...@example.com
>
> it initially outputs 13 headers (same as when using SUBJECT Silvester only); when piping it to grep -i 'Return-Path' it even found only 3 out of 13 headers containing a Return-Path at all, 2 of them different than someu...@example.com - so SAME behaviour as with search.

I tried using logical conjunctions of header searches and it works with my installation of dovecot, so either it's a bug introduced later than 2.1.16, or perhaps it's from the different search engine you use (I use the default that comes with dovecot -- squat?). Sorry, can't help you out further.

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] using OR in doveadm search query
> This works for me (at least with tcsh):
>
>     $ doveadm search mailbox shared/* OR (SUBJECT a) (SUBJECT b)
>
> doveadm does not complain anymore but it does not find anything. I guess because now the query has become a mailbox name that does not exist. (I am using dovecot 2.2.9)

Each search token ought to be a command line argument to doveadm, so if you're looking for all messages with the string a or b in the subject in mailboxes shared/*, then this should be the correct syntax, with all arguments sufficiently escaped from shell interpretation:

    doveadm search mailbox shared/\* \( SUBJECT a OR SUBJECT b \)

(Delete OR if both strings must be in the subject: expressions are implicitly AND'd if not OR'd. In fact, you can also remove the parentheses since precedence doesn't matter anymore.)

You can check the search query by fetching some values using the same query:

    doveadm fetch 'mailbox hdr' mailbox shared/\* \( SUBJECT a OR SUBJECT b \)

Joseph Tam jtam.h...@gmail.com
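To make the two points above concrete (every search token must arrive as its own argv entry, and keys are implicitly AND'd unless joined by OR), here is an added example, not code from the list thread or from doveadm itself: `argv_of` shows what a POSIX shell hands to doveadm for the escaped command line, and a small evaluator runs that token list over a handful of constructed messages. The evaluator supports only MAILBOX, SUBJECT, HEADER and ALL, and it deliberately refuses a query that mixes OR with other keys inside one group unless parentheses make the grouping explicit; that refusal is this example's own design choice, not doveadm's precedence rule.

```python
import fnmatch
import shlex

# Constructed sample messages (not real user data): uid -> (mailbox, subject, headers)
MESSAGES = {
    1: ("shared/team", "Report a", {"return-path": "<alice@example.invalid>"}),
    2: ("shared/team", "Notes b", {"return-path": "<bob@example.invalid>"}),
    3: ("INBOX", "a and b", {"return-path": "<alice@example.invalid>"}),
    4: ("shared/archive", "monthly digest", {"return-path": "<carol@example.invalid>"}),
}

# Search keys handled here and how many arguments each consumes
KEY_ARGS = {"ALL": 0, "MAILBOX": 1, "SUBJECT": 1, "HEADER": 2}


class Ambiguous(ValueError):
    """OR mixed with other keys in one group without parentheses."""


def argv_of(command_line):
    """Split a command line the way a POSIX shell would (backslash escapes,
    quotes), without globbing: shared/\\* stays the literal token shared/*."""
    return shlex.split(command_line)


def _parse_group(tokens, pos, top):
    """Parse keys until ')' (or end at top level). Returns (node, next_pos).
    Nodes: ('and', [nodes]) | ('or', node, node) | ('key', NAME, args)."""
    items, or_positions, closed = [], [], False
    while pos < len(tokens):
        tok = tokens[pos]
        if tok == ")":
            if top:
                raise ValueError("unbalanced ')'")
            closed, pos = True, pos + 1
            break
        if tok == "(":
            node, pos = _parse_group(tokens, pos + 1, top=False)
            items.append(node)
            continue
        if tok.upper() == "OR":
            or_positions.append(len(items))
            pos += 1
            continue
        key = tok.upper()
        if key not in KEY_ARGS:
            raise ValueError(f"unknown search key {tok!r}")
        nargs = KEY_ARGS[key]
        args = tokens[pos + 1:pos + 1 + nargs]
        if len(args) != nargs:
            raise ValueError(f"{key} needs {nargs} argument(s)")
        items.append(("key", key, args))
        pos += 1 + nargs
    if not top and not closed:
        raise ValueError("unbalanced '('")
    if not items:
        raise ValueError("empty search group")
    if or_positions:
        # Only "X OR Y" is accepted inside one group; anything else must be parenthesised.
        if len(items) != 2 or or_positions != [1]:
            raise Ambiguous("mix of OR and implicit AND: add parentheses")
        return ("or", items[0], items[1]), pos
    return ("and", items), pos   # adjacent keys are implicitly AND'd


def matches(node, message):
    mailbox, subject, headers = message
    if node[0] == "and":
        return all(matches(child, message) for child in node[1])
    if node[0] == "or":
        return matches(node[1], message) or matches(node[2], message)
    _, key, args = node
    if key == "ALL":
        return True
    if key == "MAILBOX":
        return fnmatch.fnmatchcase(mailbox, args[0])
    if key == "SUBJECT":
        return args[0].lower() in subject.lower()
    name, value = args                      # HEADER <name> <value>, substring match
    return value.lower() in headers.get(name.lower(), "").lower()


def search(tokens, messages=MESSAGES):
    """Evaluate a doveadm-style token list; returns matching uids in order."""
    query, _ = _parse_group(tokens, 0, top=True)
    return sorted(uid for uid, msg in messages.items() if matches(query, msg))


def is_ambiguous(tokens):
    try:
        _parse_group(tokens, 0, top=True)
    except Ambiguous:
        return True
    return False


if __name__ == "__main__":
    line = r"mailbox shared/\* \( SUBJECT a OR SUBJECT b \)"
    print(argv_of(line))
    print(search(argv_of(line)))
```

Without the backslashes, `shared/*` is expanded by the shell against the current directory and `(` starts a subshell, which is why the unescaped query silently turned into a non-existent mailbox name: the server only ever sees the argv the shell produced.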
Re: [Dovecot] BUG report: doveadm HEADER field pattern when concatenating with another Search key
On Wed, 8 Jan 2014, dovecot-requ...@dovecot.org wrote:

>     doveadm search -u exampleuser SUBJECT Silvester
>
> (outputs correctly 10 matches)
> ...
>     doveadm search -u exampleuser SUBJECT Silvester HEADER Return-Path someu...@example.com
>
> (gives exactly the same output - but this is WRONG, as the given Subject AND Return-Path is really only found in 1 Message - uid 15697)

I couldn't recreate this with 2.1.16. Also, my version of doveadm search does not accept missing header patterns.

Is this corroborated by dumping out the header with this same search query?

    doveadm fetch -u exampleuser hdr SUBJECT Silvester \
        HEADER Return-Path someu...@example.com

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] Dsync error: Couldn't drop privileges: getgrnam
Alan McGinlay wrote:

> Can't believe I'm the only one with this error, googled it and there is nothing. Sorry to whine but I am getting desperate here!

I googled "safe_mkstemp permission denied" and the first hit is this thread

    dovecot.org/list/dovecot/2010-August/052319.html

which mentions this error coming about from chrooting users. Looking back on your post, I see

    http://www.dovecot.org/list/dovecot/2013-December/093900.html
    mail_chroot = /var/vmail

As long as you're desperate, maybe try leaving this setting empty? (This doesn't explain why it's not deterministic though.)

Try process traces -- I do when I'm stumped.

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] Dovecot's brittle configuration syntax
Kai Hendry hen...@dabase.com wrote:

> Whilst trying to come up with a minimal configuration for Dovecot: http://dabase.com/blog/Minimal_Dovecot/

I think your characterization of the complexity of dovecot configuration by simply counting configuration lines to get it working is off base. It's conceivable to have all the default values work for you and only specify those that differ from the defaults (or configure your system to conform to the defaults if you want to place the proverbial cart before the horse), but that doesn't make it less complex -- it just hides it. (See doveconf -a if you want to see what you're shorthanding).

If you want minimal configuration fuss, you can try uw-imapd. Not a lot of knobs to twist on that thing, but you'll have to accept all its limitations as well.

A well chosen set of defaults that works for most people is a good design decision, but I've seen plenty of different and oddball layouts (including the sneakernet post preceding this one) that require a lot of flexibility, which necessarily requires a lot of configuration to express them.

The sample configuration is verbose because it doubles as documentation: you can use it as a starting point and remove the parts you don't need, or start from the documentation and move forward. I agree, though, that the documentation needs an editorial overhaul -- it's a little bewildering to find what you need along with the contextual information.

> I noticed the configuration syntax is a bit admin unfriendly. It's easy to get an infamous Error code 89. Is there any back story to the grammar or language this configuration is in?

It appears to me to have grown organically, and maybe will need pruning some day.

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] Permissions problems
md.ben...@gmail.com wrote:

>     Nov 24 17:34:27 proliant-1 dovecot: [ID 583609 mail.error] imap(mark): Error: rename(/mpool/mail/mark/dovecot.index.log.newlock, /mpool/mail/mark/dovecot.index.log) failed: Permission denied
> ...
> This is what the directory currently looks like:
>
>     mark@proliant-1:~$ ls -la /mpool/mail
>     total 6
>     drwxrwxrwx+ 3 root root 3 2013-11-24 17:17 .
>     drwxr-xr-x+ 5 root root 5 2013-11-24 13:50 ..
>     drwxrwxrwx+ 5 mark staff 9 2013-11-24 22:20 mark

I think the "+" is the problem: you have, in the words of the manpage for ls,

    ... this character is a plus sign (+) character if a non-trivial ACL is associated with the file ...

Try

    ls -alv /mpool/mail

I don't use ACLs, so I can't help you with how to modify them.

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] Dovecot login slow
>     ssl_ca = </usr/share/ssl/certs/rapidssl.crt
>     ssl_cert = </usr/share/ssl/certs/imapd.pem
>     ssl_key = </usr/share/ssl/certs/imapd.pem
>
> These lines look weird to me. Why do they have a <?

Red herring; this is standard. I think it means "feed this file into stdin".

> On 11/13/2013 12:41 PM, Marc Perkel wrote:
>> Takes about 10 seconds and it lets me in. I'm using MYSQL and it's a small indexed database on a fast server so it's not the mysql query that's slowing it down. At least I don't think it is. But - kind of stumped. Just wondering if there's something obvious I'm overlooking.

I think maybe turning up the verbosity on logging will help. If that doesn't, try process tracing the dovecot auth process.

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] Issue with postfix not handing over e-mails to dovecot
Tru Pheenix writes:

> postconf output: https://gist.github.com/anonymous/7318863
> doveconf output: https://gist.github.com/anonymous/7318896
> tail -f /var/log/mail.* output (when receiving mail): https://gist.github.com/anonymous/7318945

Unless these are exceedingly long, you probably should inline the contents to save people from having to jump around to get the information to help you. It will also properly archive the context to the solution.

From your logs, it appears your mail system does not know what user is mapped to some...@mydomain.com:

    Nov 5 13:21:06 localhost postfix/local[11185]: 5716D8007B: to=some...@mydomain.com, relay=local, delay=0.59, delays=0.57/0.01/0/0.01, dsn=5.1.1, status=bounced (unknown user: someone)

I don't know whether this message is produced by postfix or by dovecot, but one thing I did notice is that your postfix configuration

    mailbox_command = /usr/lib/dovecot/deliver -c /etc/dovecot/conf.d/01-mail-stack-delivery.conf -m ${EXTENSION}

has upper-case EXTENSION, whereas the Dovecot wiki uses lower case:

http://wiki2.dovecot.org/LDA/Postfix

If that's not it, maybe it's your SQL. You can also ask dovecot to look up user somebody and debug your way from there:

    doveadm user somebody

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] Logging in to a virtual users Maildir
Steve Downes st...@kingswayelec.co.uk writes:

> When I open a local mutt I get the following:-
>
> 1) could not connect to vmail-s (connection refused) (vmail-s is the mailserver host)

Full stop, anything past here and you're debugging noise.

You've configured out SSL/TLS on dovecot ...

>     /etc/dovecot/dovecot.conf
>     # disable ssl for now
>     ssl = no

... but your Mutt configuration has ...

>     ~/.mutt.muttrc
>     set spoolfile=imaps://steve@vmail-s/

... and your debug logs state ...

>     [2013-10-31 14:35:23] Reading imaps://steve@vmail-s/...
>     [2013-10-31 14:35:23] Looking up vmail-s...
>     [2013-10-31 14:35:23] Connecting to vmail-s...
>     [2013-10-31 14:35:23] Connection failed. errno: 111...
>     [2013-10-31 14:35:23] Could not connect to vmail-s (Connection refused).
>     [2013-10-31 14:35:25] Connected to vmail-s:993 on fd=-1

You configured dovecot to accept only plain IMAP (on port 143), but your mail reader is configured to connect to an IMAP/SSL service (port 993). Maybe it will start working if you configure Mutt

    set spoolfile=imap://steve@vmail-s/

(Just guessing -- I don't use Mutt.)

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] Proxy to gmail not working
On Mon, 7 Oct 2013, Alex Wanderley writes:

>     passdb {
>       args = proxy=y nopassword=y user=remotemail destuser=remotemail@gmail.com host=pop.gmail.com port=995 proxy_timeout=15 starttls=y
>       driver = static
>     }
> ...
>     Oct 7 09:33:13 dserver dovecot: auth: Debug: client passdb out: OK 2 user=remotemailproxy nopassword=ydestuser= remotem...@gmail.comhost=pop.gmail.com port=995proxy _timeout=15starttls=y hostip=74.125.142.108 pass=123456789
>     Oct 7 09:33:13 dserver dovecot: pop3-login: Debug: Ignoring unknown passdb extra field: nopassword
>     Oct 7 09:33:28 dserver dovecot: pop3-login: Error: proxy(remotemail): Login for pop.gmail.com:995 timed out in state=0 (after 15 secs, local=162.106.yyy.zzz:59282)

Idle speculation, but remote port 995 usually means an SSL type connection (i.e. dive right into the SSL protocol), whereas starttls=y starts out in plaintext, and SSL negotiation starts after a STARTTLS directive. Looking at

http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/Proxy

methinks you want to replace starttls=y with ssl=yes.

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] New install not working.
Rhorer, Leslie leslie.rho...@twtelecom.com writes:

> At first things were looking much better, except that most of my folders, other than the Inbox, were not showing up. I started changing both the dovecot configuration and the folder structure of my mail files, but now I can't even get the Inbox to populate. Outlook says it is there, along with any folders I create new in Outlook, plus the Trash folder, which is the only non-local folder with anything in it. Try what I might, I can't get my Inbox to populate or any of the existing folders to show up at all. Here is the current output from dovecot -n:
>
>     mail_location = mbox:/RAID/home/%u/mail

Maybe try

    mail_location = mbox:/RAID/home/%n/mail:INBOX=/RAID/home/%n/mail/inbox

(%n does not include the domain part, but it might be the same as %u).

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] Is dovecot locking properly?
Scott Galambos writes:

> Hello, I'm attempting to move from qpopper 4.1 to Dovecot 2.2.5 on Linux. When a user checks POP mail qpopper seems to make a .username.pop temporary file in the same /var/mail directory as the mbox INBOX file. Watching what dovecot does I don't see this happening.

Probably too quick (or perhaps you haven't configured dotlocking). Qpopper locks the INBOX when it creates a drop copy: this can be a time consuming operation, during which you can see the .$user.pop lock file. Dovecot is more intelligent: it doesn't create copies, and goes out of its way to avoid gratuitous I/O. Most of the operations can be done by consulting the indices.

However, I did contrive a situation to observe lock files being created.

1) Create a large INBOX file for a test user (assuming mbox /inbox/testuser)

2a) In one window, run a shell loop monitor

    while : ; do ls -al /inbox/testuser.lock; done

2b) In another window, create a POP3 session and do an operation that would require a lock:

    telnet pop-server 110
    USER testuser
    PASS testpassword
    DELE 1
    ... this still won't need locking -- not until ...
    QUIT

If you use maildir format, it may still be too quick to catch. In this situation, you can process trace the pop3 worker process to verify a lock file is created.

> Is this .pop file a lock file or just a temporary file?

Temporary. If you have them lying around, qpopper crashed. Note: dovecot makes lockfiles of the form $user.lock.

> If it's a temp file does dovecot do the same thing elsewhere? I'm concerned dovecot is not locking properly and there will be mailbox corruption, so I'm trying to get dovecot to mimic what qpopper does as much as possible.

By mimic you mean that locking works, but otherwise, you don't want dovecot to mimic qpopper: the former is much better. I have not had problems with users complaining about scrambled files. As I said, process trace your pop3 worker process if you need to verify the locking process.

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] More fine-grained connection limitations?
> There is the mail_max_userip_connections setting, which helps for dealing with the number of connections at any given time, but I'm looking for something that will help deal with users who configure their mail clients to connect too frequently.
> ...
> It would be really great if there were a way to tarpit those users to slow them down, or send them an imap message saying they are connecting too often and connections have been disabled for the next 5 minutes or something.

There might be an unintended consequence: I see connection spikes when users try to do a global string search across mailboxes.

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] doveadm expunge problems
nicolasfo wrote:

> doveadm search -u *@mydomain.fr MAILBOX Junk savedbefore 1d : doesn't list anything.. What have I missed? Is this the right way to change the file date (touch) and by this means get results from the savedbefore command?

No. The date.saved value is (I think) stored in its indices, and is updated via IMAP operations. This value is not derived from file timestamps. You can use doveadm fetch to get the values that dovecot uses:

    doveadm -ftab fetch -A 'mailbox date.saved' mailbox Junk

If you actually use IMAP operations to move messages from INBOX to Junk, I think you'll find that date.saved reflects the correct value.

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] Bizarre permissions problem
Bill Oliver writes:

> There's *one* user I can't get it to work on without a workaround. The user is newuser and the uid is (actual name and number changed to protect the innocent). The error I get in my maillog is:
>
>     Aug 29 16:02:11 localbox dovecot: imap(newuser): Error: chown(/home/newuser/mail/.imap/INBOX, -1, 12(mail)) failed: Operation not permitted (egid=(newuser), group based on /var/mail/newuser)
>     Aug 29 16:02:11 localbox dovecot: imap(newuser): Error: mkdir(/home/newuser/mail/.imap/INBOX) failed: Operation not permitted
>     Aug 29 16:02:11 localbox dovecot: imap(newuser): Error: chown(/home/newuser/mail/.imap/INBOX, -1, 12(mail)) failed: Operation not permitted (egid=(newuser), group based on /var/mail/newuser)
>     Aug 29 16:02:11 localbox dovecot: imap(newuser): Error: mkdir(/home/newuser/mail/.imap/INBOX) failed: Operation not permitted
>     Aug 29 16:02:11 localbox dovecot: imap(newuser): Error: chown(/home/newuser/mail/.imap/INBOX, -1, 12(mail)) failed: Operation not permitted (egid=(newuser), group based on /var/mail/newuser)
>     Aug 29 16:02:11 localbox dovecot: imap(newuser): Error: mkdir(/home/newuser/mail/.imap/INBOX) failed: Operation not permitted
>
> Now, it looks to me like dovecot is saying that the user newuser can't get to the /home/newuser/mail/.imap directory because it doesn't have permission. However, the user newuser has all the permissions it needs:
>
>     $ ls -la /home/newuser/mail
>     total 20
>     drwxrw 3 newuser newuser 4096 Aug 29 15:01 .
>     drwxrw 6 newuser newuser 4096 Aug 29 12:16 ..
>     drwxrwx--- 2 newuser newuser 4096 Aug 29 16:05 .imap
>     -rw-rw 1 newuser newuser 499 Aug 13 07:56 saved-messages
>     -rw-rw 1 newuser newuser 1756 Aug 16 11:15 sent-mail

The output of doveconf -n would have been useful, especially as it relates to your mail_location value, but I can make a pretty good guess at what is happening. Dovecot is trying to create indices with analogous permissions to your mailbox files.

Your user's INBOX (/var/mail/newuser) has permission user:group:mode = :12:0660 *but* newuser is not in group mail (GID 12), hence it cannot do the required chown operations. (Notice the mode of .imap/: the group write is on so the chmod worked.) Your INBOX ended up this way because some LDAs auto-create new INBOXes with these permissions (to allow access to other parts of the mail system that are set-gid mail).

Options:

1) chmod g-rwx /var/mail/newuser
   - assumes you have no other parts of your mail system that need access to all user INBOXes by assuming group mail.
   - dovecot is smart enough to figure out group membership is irrelevant if group access is nil.

2) chgrp newuser /var/mail/newuser

3) To avoid future problems: make sure new mailboxes are created with workable permissions.

There are also dovecot configs that loosen up some group access, but you'll have to investigate that yourself.

Joseph Tam t...@math.ubc.ca
Re: [Dovecot] Logging passwords on auth failure/dealing with botnets
Michael Smith writes:

> We're already running fail2ban, but it doesn't seem that effective against botnets, when they only do one attempt per IP.

Yeah, distributed BFDs are tough to block unless you can characterize the clients well.

> That leaves us back to getting dovecot to log the tried password for unknown users.

Another tactic might be to hook in an authentication script: http://wiki2.dovecot.org/AuthDatabase/CheckPassword You can run this as an external plugin and won't have to muck into the dovecot innards. From here, you can log attempts, keep track of bad IPs, or take action if you spot a username/password combination that merits instant blacklisting.

Joseph Tam jtam.h...@gmail.com
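The hook suggested above, written out as an added example (this is not Dovecot's code, nor anything from the thread): a checkpassword-style script that logs each attempt and keeps a per-IP tally of recent failures, so that a single address making repeated tries can be refused and the tally exported to whatever blocklist you maintain. It assumes the interface described on the CheckPassword wiki page (credentials as "username\0password\0timestamp\0" on file descriptor 3, the reply program in argv[1], SERVICE and TCPREMOTEIP in the environment, exit 1 for bad credentials and 111 for a temporary failure); verify those details against your Dovecot version before deploying. The credential store and the state-file path are constructed for the example.

```python
#!/usr/bin/env python3
"""checkpassword-style auth hook: log attempts, count failures per client IP."""
import hashlib
import hmac
import json
import os
import sys
import time

FAIL_WINDOW = 600        # seconds a failure counts towards the per-IP tally
FAIL_LIMIT = 20          # failures per IP inside the window before refusing outright
STATE_FILE = "/var/tmp/checkpassword-failures.json"   # placeholder path (assumption)

# Constructed credential store for the example: user -> (salt, sha256(salt + password) hex).
CREDENTIALS = {
    "alice": ("s3", hashlib.sha256(b"s3" + b"correct horse").hexdigest()),
}


def parse_checkpassword_input(data):
    """Split the NUL-separated fd-3 payload into (username, password)."""
    parts = data.split(b"\0")
    if len(parts) < 2:
        raise ValueError("malformed checkpassword input")
    return parts[0].decode("utf-8", "replace"), parts[1].decode("utf-8", "replace")


def password_ok(user, password):
    """Constant-time check against the constructed store; unknown users simply fail."""
    rec = CREDENTIALS.get(user)
    if rec is None:
        return False
    salt, digest = rec
    calc = hashlib.sha256(salt.encode() + password.encode()).hexdigest()
    return hmac.compare_digest(calc, digest)


def live_failures(state, ip, now):
    """Drop failures for ip older than FAIL_WINDOW and return the survivors."""
    live = [t for t in state.get(ip, []) if now - t < FAIL_WINDOW]
    state[ip] = live
    return live


def record_failure(state, ip, now):
    """Record one failed attempt from ip; return the live failure count."""
    live = live_failures(state, ip, now)
    live.append(now)
    return len(live)


def over_limit(state, ip, now):
    return len(live_failures(state, ip, now)) >= FAIL_LIMIT


def load_state(path=STATE_FILE):
    try:
        with open(path) as fh:
            return json.load(fh)
    except (OSError, ValueError):
        return {}


def save_state(state, path=STATE_FILE):
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        json.dump(state, fh)
    os.replace(tmp, path)


def main():
    if len(sys.argv) < 2:            # no reply program: misuse, report temporary failure
        sys.exit(111)
    chunks = []
    while True:                      # fd 3 carries the credentials (assumed interface)
        buf = os.read(3, 4096)
        if not buf:
            break
        chunks.append(buf)
    user, password = parse_checkpassword_input(b"".join(chunks))
    ip = os.environ.get("TCPREMOTEIP", "?")
    service = os.environ.get("SERVICE", "?")
    now = time.time()
    state = load_state()
    if over_limit(state, ip, now):
        sys.stderr.write("auth refused (over limit) %s user=%s ip=%s\n" % (service, user, ip))
        sys.exit(1)
    if not password_ok(user, password):
        n = record_failure(state, ip, now)
        save_state(state)
        # The password itself is deliberately not written anywhere.
        sys.stderr.write("auth failed %s user=%s ip=%s fails=%d\n" % (service, user, ip, n))
        sys.exit(1)
    sys.stderr.write("auth ok %s user=%s ip=%s\n" % (service, user, ip))
    os.execv(sys.argv[1], [sys.argv[1]])   # hand over to the reply program on success


if __name__ == "__main__":
    main()
```

The tally is keyed on the client address only, which is exactly the signal fail2ban already has; the gain over log scraping is that the decision is made inline, before the password database is consulted, and the same hook can feed usernames that should never exist on your system straight into a blacklist.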
Re: [Dovecot] Log successful login plain text password
Marco Fretz writes:

> Maybe you can find a way in this direction http://wiki2.dovecot.org/HowTo/ConvertPasswordSchemes

I've sync'd a separate password system by process tracing dovecot's auth process and dumping out the arguments of read() calls for some fixed set of descriptors and piping it into a password synching script. A bit of a hack, but it works without having to touch dovecot.

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] mailbox_list_index, stops showing new mails in mailboxes
Anton Lundin writes:

> I'm using 2.2.4 over imap and ssh/imap, and after a while dovecot stops noticing new mail in some folders. It's always the same 2-3 folders of about 30. ... This is dovecot 2.2.4, running on Solaris 10 x86_64 to homedirs on zfs, where procmail is used to deliver mail to mailboxes in mbox-format.

What's your procmail recipe for delivering messages? If you're storing it directly to a mbox file, dovecot will never get a chance to see it and update the indices. An example of invoking LDA to store messages:

    # Deliver anything from dummy@ into the dummybox mailbox via dovecot's LDA
    :0 Hw
    * ^From:.*dummy@
    | dovecot-lda -d yourusername -m dummybox

    # Dump mail into my INBOX using dovecot's LDA
    :0 w
    | dovecot-lda -d yourusername

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] Logging passwords on auth failure/dealing with botnets
Michael Smith (DF) writes:

> Or another option, is there any good DNS based RBLs for botnet IPs, and is there any way to tie that in to the dovecot auth system? I've been looking for botnet rbls, but what I've found so far doesn't seem to work very well. Most of the IPs that I've had to firewall don't exist in them.

/dev/rob0 writes:

> The problem with using XBL, anyway, is that you might have legitimate logins from listed hosts. Example: a traveler using hotel wifi. We (TINW) really would need a new DNSBL type (or a special result) for this sort of abuse.

It's a nice idea, worth building upon, if someone can fund it (or find the time to develop it, which really amounts to the same thing.)

> Imagine also a Dovecot network of reporters, where brute force attempts worldwide are reported from Dovecots to the DNSBL, not merely a one-way tie in. I'd also suggest listing SSH brute force attacks in the same DNSBL, possibly with a different result (127.0.0.$port, so IMAP attackers list as 127.0.0.143, SSH attackers as 127.0.0.22. Yes, we'd have to incorporate the third quad for ports > 255, but the general idea is for result codes to be both machine and human readable as much as possible.)

I use bl.blocklist.de as a DNSRBL for ssh BFD, but I think it also detects BFD for other protocols: http://www.blocklist.de/en/index.html The nice thing about this RBL is that you can also contribute by configuring your Fail2Ban/DenyHost to forward logs to the maintainers, to widen the detection network. I get about a 60% hit on ssh BFD attacks. I also found http://openbl.org but they distribute it as a downloadable file rather than as a DNSRBL. Maybe I can introduce the latter to the former.

Joseph Tam jtam.h...@gmail.com
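As an added example (not code from the thread or from any of the lists mentioned), here is what the client side of the result scheme /dev/rob0 proposes would look like: build the reversed-octet DNSBL query for a client address, and interpret answers of the form 127.0.HI.LO as "listed for abuse of port HI*256+LO", so 127.0.0.143 reads as IMAP and 127.0.0.22 as SSH, with the third octet carrying the high byte for ports above 255. The zone bl.example.invalid is a placeholder; the lookup takes a resolver callable so it can be exercised offline, and by default uses the system resolver.

```python
"""DNSBL query construction and port-encoded result decoding (added example)."""
import ipaddress
import socket

# Port -> service label for human-readable reporting.
SERVICE_NAMES = {22: "ssh", 110: "pop3", 143: "imap", 587: "submission",
                 993: "imaps", 995: "pop3s"}


def dnsbl_query_name(ip, zone):
    """Reverse the dotted quad, DNSBL style: 192.0.2.10 -> 10.2.0.192.<zone>."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def encode_port(port):
    """Port -> 127.0.HI.LO, e.g. 143 -> 127.0.0.143 and 993 -> 127.0.3.225."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return "127.0.%d.%d" % (port >> 8, port & 0xFF)


def decode_port(result):
    """Inverse of encode_port; rejects answers outside 127.0.0.0/16."""
    a, b, c, d = (int(x) for x in result.split("."))
    if (a, b) != (127, 0):
        raise ValueError("not a port-encoded DNSBL result: %s" % result)
    return (c << 8) | d


def system_resolver(name):
    """A records for name; raises OSError (gaierror) when the name does not exist."""
    return socket.gethostbyname_ex(name)[2]


def lookup(ip, zone, resolver=system_resolver):
    """Return [(port, service), ...] the DNSBL lists ip for; [] when unlisted."""
    try:
        answers = resolver(dnsbl_query_name(ip, zone))
    except OSError:
        return []          # NXDOMAIN: not listed
    listed = []
    for rec in answers:
        try:
            port = decode_port(rec)
        except ValueError:
            continue       # some other answer type; ignore rather than guess
        listed.append((port, SERVICE_NAMES.get(port, "port %d" % port)))
    return listed
```

A listing is a signal about the address, not about the person behind it (the hotel-wifi case above), so a sensible policy is to treat an IMAP or POP3 listing as grounds to slow down or require a second factor for that client rather than to refuse outright, and to keep the decoded port in the log line so a later review can tell an SSH scanner from a mail brute-forcer.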
Re: [Dovecot] prevent dovecot from modifying maildirs
> In order to save space I prefer not to have such half-files (mails), and it is for this reason that I am asking if there is any way to prevent this. I'm not an expert in the field of file systems, so I may be asking very naive questions... but I appreciate your comments on this topic.

Filesystem consistency is different from, for lack of a better term, dovecot consistency. The latter places additional constraints on the content of files, rather than treating them as sequences of disk blocks. I don't think you can ensure the latter without stopping all dovecot processes (and maybe the MTA/LDA as well), which will be much more difficult and disruptive than just taking a snapshot. (I think some snapshot-aware applications like databases and hypervisors allow the operator to put the application in a state of acquiescence, long enough to take a snapshot, then unblock all processes after the snapshot.)

I'd take the suggestion of the previous poster: take snapshots, don't worry, be happy. The small amount of inconsistencies is trivial compared with quickly recovering a mail store after disaster.

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] How to troubleshoot LDA or LMTP?
John Williams writes:

> *What doesn't work* I thought the next step would be to execute dovecot-lda manually (as is suggested on the wiki and in numerous newsgroup posts), but I can't figure out how to do this. When I execute it as root and provide my non-root username via the -u option, it hangs. I can see that it spawns a child process that executes as the non-root user (specified with the -u option). So, could someone tell me how to execute dovecot-lda manually please?

Maybe use -d? I had no trouble invoking

    dovecot-lda -c config-file -d user < mailfile

If it doesn't work for you, I suggest process tracing it.

> Also, when does LMTP process messages? When sending mail via SMTP, or when reading mail via IMAP? I would prefer to use LMTP rather than LDA.

The former.

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] LDA vs. LMTP
(Weird: this message digest got dumped into Google's spam folder. Maybe it didn't like the string in a later post (obfuscated here) master(dot)cf, which in the context of this mailing list is a postfix configuration file, but which Gmail interprets as a website. However, that domain is a SURBL/DBL blacklisted URI).

Ben Morrow writes:

> > And when it's running as root there is always the danger of privilege escalation. LDA only runs when it's needed and since it uses only user rights it should be more harmless.
> > ...
> > (I'm assuming LMTP stays as root, and not spawning off user processes to do the real work.)
>
> It doesn't stay as root; Dovecot's LMTP switches down to the user's uid to perform delivery, including sieve scripts.

I stand corrected. This removes the other objection of the original poster to running a persistent LMTP process.

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] LDA vs. LMTP
Martin Burgraf writes:

> > I don't know why you would consider a background process inferior to a run-on-demand executable.
>
> Well, the background process is hogging CPU and RAM while it basically does nothing.

Hogging CPU and memory is putting it strongly, as it is basically suspended while blocked on waiting for a connection, and if left for a long time in an idle state, might be swapped out to disk and not consuming (real) memory, or consuming real memory that isn't in use otherwise. As I stated before, the resource usage is small compared with all the other stuff going on, so if you don't have a busy mail server, I don't think you should sweat the difference.

The benefits of LMTP should increase with load, as having LMTP resident will save you the overhead of repeatedly loading/unloading LDA, and I'm sure the CPU and memory usage of servicing that overhead will be non-trivial. If you have oodles of memory, then it's no problem keeping a LMTP resident. If you don't have enough memory and are VM disk thrashing, you'll have other problems and LDA/LMTP is the least of your worries.

> And when it's running as root there is always the danger of privilege escalation. LDA only runs when it's needed and since it uses only user rights it should be more harmless.

I didn't contest the privilege separation aspect, as it is a necessary design trade-off that one daemon doing things for all users will need overriding access. However, if this is a concern, you can virtualize all your users. LMTP can theoretically be subverted, but at least won't be as root. (I'm assuming LMTP stays as root, and not spawning off user processes to do the real work.)

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] Maildir permissions and Solr re-indexing
Michael Welsh Duggan writes:

> All the files in my Maildir are owned by md5i:mail (I am md5i), and have 660 permissions. All directories have the same user:group permissions, and 770 with the setgid bit set. (That last may not be necessary, but ...
>
>     doveadm(md5i): Error: fchown(/home/md5i/Maildir/.mail.test/dovecot.index.log.newlock, group=8(mail)) failed: Operation not permitted (egid=1000(md5i), group based on /home/md5i/Maildir/.mail.test - see http://wiki2.dovecot.org/Errors/ChgrpNoPerm)
>
> After this, each directory has a dovecot.index.log with md5i:md5i 600 permissions.

I think the cause is clear enough: you (user=md5i/uid=1000) are not part of group mail (gid=8), so the dovecot user process doing things on your behalf cannot create index files that are analogous to the mailbox it's indexing. You can either

1) add md5i to group mail

2) remove g+w permission on your mail files (making group membership irrelevant)

3) fiddle with mail_privileged_group = mail, but I'm a little hazy on all the ramifications of this.

I don't know your particular circumstances, so I don't know which is best. If (big if) nothing on your system (particularly the MTA) requires access to your mail spool files by running as group=mail, probably 2) is your best option.

Joseph Tam jtam.h...@gmail.com
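The reasoning in this reply and in the earlier "Bizarre permissions problem" thread is the same: Dovecot gives new index files the mailbox's group, a chgrp to a group the process does not belong to fails with EPERM unless the process is root, and when the mailbox grants its group no access at all the group is irrelevant and no chgrp is attempted. The following added example (not Dovecot's code; a model of the behaviour as the thread describes it) turns that into a check you can run before mail_location changes or after a permissions complaint. index_chgrp_outcome() works on numbers so both threads' cases can be replayed; diagnose_path() stats a real mailbox and looks up the user's groups on the host it runs on.

```python
"""Predict whether Dovecot's index chgrp will succeed for a mailbox (added example)."""
import grp
import os
import pwd
import stat

NO_CHGRP_NEEDED = "group access is nil: membership irrelevant"
OK = "ok"
EPERM = "EPERM: process is not a member of the mailbox's group"


def index_chgrp_outcome(mbox_gid, mbox_mode, proc_egid, proc_groups, proc_euid=1000):
    """Outcome of chown(index, -1, mbox_gid) by a process with the given ids.

    mbox_mode is the full st_mode of the mailbox file or Maildir directory.
    Model of the thread's description, not a call into Dovecot.
    """
    if mbox_mode & (stat.S_IRGRP | stat.S_IWGRP | stat.S_IXGRP) == 0:
        return NO_CHGRP_NEEDED          # option 1 in the older thread (chmod g-rwx)
    if proc_euid == 0 or mbox_gid == proc_egid or mbox_gid in proc_groups:
        return OK
    return EPERM


def remedies(mbox_path, group_name, owner_name):
    """The fixes offered in the two threads, rendered for one mailbox."""
    return [
        "chmod g-rwx %s   # only if nothing else reaches mailboxes via group %s"
        % (mbox_path, group_name),
        "chgrp %s %s" % (owner_name, mbox_path),
        "add %s to group %s (or investigate mail_privileged_group)" % (owner_name, group_name),
    ]


def diagnose_path(mbox_path, username):
    """Stat a real mailbox and predict the outcome for username's mail process."""
    st = os.stat(mbox_path)
    pw = pwd.getpwnam(username)
    groups = {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    groups.add(pw.pw_gid)
    outcome = index_chgrp_outcome(st.st_gid, st.st_mode, pw.pw_gid, groups, pw.pw_uid)
    group_name = grp.getgrgid(st.st_gid).gr_name
    return outcome, remedies(mbox_path, group_name, username) if outcome == EPERM else []


if __name__ == "__main__":
    import sys
    print(diagnose_path(sys.argv[1], sys.argv[2]))   # e.g. /var/mail/newuser newuser
```

Replaying the two threads: /var/mail/newuser owned :12 with mode 0660 and newuser outside group 12 gives EPERM; after chmod g-rwx the same mailbox needs no chgrp at all; after chgrp newuser it is simply OK. md5i's Maildir directories (gid 8, mode 2770, egid 1000) give EPERM until md5i is in group 8 or the group bits are dropped.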
Re: [Dovecot] LDA vs. LMTP
Martin Burgraf martin...@web.de writes:

> According to http://wiki2.dovecot.org/LDA the recommended way is to use LMTP, since it's supposed to have a better performance.

The performance gains come mostly from avoiding the overhead of invoking an executable and spawning a new process for each delivery. If your mail system isn't stressed, I don't think it matters much.

> On the other hand, http://wiki2.dovecot.org/LMTP says that LMTP is a background process, while LDA is only called when needed. I've also read that LDA only uses the user's privileges, which both means that LDA should be better.

I don't know why you would consider a background process inferior to a run-on-demand executable.

> I've also noticed that LMTP adds an additional Received: header to the mail. Are there any other differences?

From a past discussion on this topic, I think Timo stated that if you use SIS (single-instance storage or de-duping), it's more efficient using LMTP since it knows all message bodies to multiple recipients will be identical.

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] dovecot: imap-login: Aborted login
From: Adnane m...@adnane.me writes:

>     Jul 22 22:32:53 mailer dovecot: pop3-login: Disconnected (tried to use disabled plaintext auth): rip=196.217.182.199, lip=5.135.151.43
>     Jul 22 22:36:04 mailer dovecot: pop3(adn...@mailer.adnane.me): Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0

Looks like a mail client issue: you're not enabling STARTTLS on port 110. Fiddle with the SSL configuration.

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] dovecot: imap-login: Aborted login
Adnane m...@adnane.me writes:

> but I can't send mails
>
>     Jul 23 03:01:34 mailer postfix/anvil[9245]: statistics: max connection rate 1/60s for (smtp:209.85.220.177) at Jul 23 02:58:13
>     Jul 23 03:01:34 mailer postfix/anvil[9245]: statistics: max connection count 1 for (smtp:209.85.220.177) at Jul 23 02:58:13
>     Jul 23 03:01:34 mailer postfix/anvil[9245]: statistics: max cache size 1 at Jul 23 02:58:13

Not a dovecot issue. In fact, neither was your previous problem, which was a mail reader configuration problem.

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] dnsbl feature for dovecot
Professa Dementia writes:

> 2) Fail2Ban with rules that seem like they are pretty weak, but trust me, they work fine and you limit complaints from users.
>
> a) If you get 3 invalid login attempts within a minute from more than 1 IP address, block that login for 10 minutes. If you have blocked a login and another attempt to log in to that account is made then tarpit that connection. Usually 60 seconds is sufficient. Do not extend the original block time past the original 10 minutes.
>
> b) If you get 5 invalid login attempts within a minute from the same IP, block that IP for 5 minutes. This is usually a valid user who forgot their password, as opposed to a) which is usually a malicious third party.

Looking at my POP3/IMAP logs, users enter wrong passwords all the time, then their mail client keeps trying to re-authenticate, giving the appearance of a slow rolling BFD. For example, I just grabbed this typical sample

    Jul 2 13:24:48 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 5 secs): user=x ...
    Jul 2 13:26:03 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 5 secs): user=x ...
    Jul 2 13:26:13 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 9 secs): user=x ...
    Jul 2 13:26:37 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 5 secs): user=x ...
    Jul 2 13:26:43 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 5 secs): user=x ...
    Jul 2 13:27:08 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 5 secs): user=x ...
    Jul 2 13:27:14 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 5 secs): user=x ...
    Jul 2 13:27:30 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 5 secs): user=x ...
    Jul 2 13:27:36 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 5 secs): user=x ...
    Jul 2 13:27:51 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 5 secs): user=x ...

Brute force attempts are more intense, so I think these rules can be set harder so as not to risk plunking your users into blacklist hell. Also, some common role accounts (that don't exist on my system e.g. admin) will trigger an immediate blacklist here -- an easy way to shortcut the process.

> I feel your pain and frustration. I do not believe there is an RBL list of offending IP's for brute force attacks ...

Maybe http://www.blocklist.de/en/index.html I use it for ssh BFD blocking, and it detects 2/3 of the IPs trying to do attempts. On their web page, they also list FTP, Web, and Mail login brute forcers, although I'm not sure whether Mail logins means IMAP, POP, SMTP-AUTH, or all of them. You can also integrate this with fail2ban so that not only can you use it to block, but can also contribute to the global detection of brute forcers.

Joseph Tam jtam.h...@gmail.com
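The two rules quoted above are easy to state and worth seeing against real-looking lines, because the distinction they draw (one client retrying from one address versus one login tried from many addresses) is exactly what separates a forgotten password from a distributed attempt. The following added example (not from the thread and not fail2ban configuration) implements them as a sliding-window detector over Dovecot login-failure lines: rule (a) blocks a login for 10 minutes after 3 failures within a minute from 2 or more addresses and tarpits further attempts without extending the block; rule (b) blocks an address for 5 minutes after 5 failures within a minute. The sample log reuses the timestamps quoted above for user x with a constructed rip= value (TEST-NET addresses throughout), followed by a constructed burst against a second user from several addresses; real Dovecot lines carry user=<...> and rip=... in this form. Syslog timestamps have no year, so they are compared relative to a fixed one.

```python
"""Sliding-window detector for the two fail2ban-style rules (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?:\S+ )?dovecot: (?:imap|pop3)-login: "
    r"Aborted login \(auth failed, \d+ attempts in \d+ secs\): "
    r"user=<(?P<user>[^>]*)>.*?\brip=(?P<rip>[0-9A-Fa-f.:]+)")

USER_WINDOW, USER_MIN_FAILS, USER_MIN_IPS, USER_BLOCK = 60, 3, 2, 600   # rule (a)
IP_WINDOW, IP_MIN_FAILS, IP_BLOCK = 60, 5, 300                          # rule (b)


def parse_line(line):
    """Return (seconds, timestamp text, user, rip) or None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    dt = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")   # year defaults to 1900
    secs = (dt - datetime(1900, 1, 1)).total_seconds()
    return secs, m.group("ts"), m.group("user"), m.group("rip")


class AuthFailureTracker:
    def __init__(self):
        self.by_user = defaultdict(deque)    # user -> (ts, ip) pairs inside USER_WINDOW
        self.by_ip = defaultdict(deque)      # ip -> ts values inside IP_WINDOW
        self.user_block_until = {}
        self.ip_block_until = {}

    def observe(self, ts, user, ip):
        """Feed one failure; return the actions it triggers."""
        actions = []
        if self.user_block_until.get(user, 0) > ts:
            actions.append(("tarpit", user))          # already blocked: slow down, never extend
        else:
            q = self.by_user[user]
            q.append((ts, ip))
            while ts - q[0][0] >= USER_WINDOW:
                q.popleft()
            if len(q) >= USER_MIN_FAILS and len({i for _, i in q}) >= USER_MIN_IPS:
                self.user_block_until[user] = ts + USER_BLOCK
                actions.append(("block-user", user, ts + USER_BLOCK))
                q.clear()
        if self.ip_block_until.get(ip, 0) <= ts:
            q = self.by_ip[ip]
            q.append(ts)
            while ts - q[0] >= IP_WINDOW:
                q.popleft()
            if len(q) >= IP_MIN_FAILS:
                self.ip_block_until[ip] = ts + IP_BLOCK
                actions.append(("block-ip", ip, ts + IP_BLOCK))
                q.clear()
        return actions


def analyze(lines):
    """Run the tracker over log lines; return [(timestamp text, action), ...]."""
    tracker = AuthFailureTracker()
    out = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        secs, ts_text, user, rip = parsed
        for action in tracker.observe(secs, user, rip):
            out.append((ts_text, action))
    return out


def _line(ts, user, rip):
    """Constructed log line in Dovecot's imap-login format."""
    return ("%s dovecot: imap-login: Aborted login (auth failed, 1 attempts in 5 secs): "
            "user=<%s>, method=PLAIN, rip=%s, lip=192.0.2.1" % (ts, user, rip))


# Constructed sample: the quoted timestamps for user x from one address, then a
# distributed burst against user bob from four addresses.
SAMPLE_LOG = [_line(t, "x", "198.51.100.7") for t in (
    "Jul 2 13:24:48", "Jul 2 13:26:03", "Jul 2 13:26:13", "Jul 2 13:26:37",
    "Jul 2 13:26:43", "Jul 2 13:27:08", "Jul 2 13:27:14", "Jul 2 13:27:30",
    "Jul 2 13:27:36", "Jul 2 13:27:51")] + [
    _line("Jul 2 13:30:00", "bob", "203.0.113.1"),
    _line("Jul 2 13:30:05", "bob", "203.0.113.2"),
    _line("Jul 2 13:30:09", "bob", "203.0.113.3"),
    _line("Jul 2 13:30:20", "bob", "203.0.113.4"),
]

if __name__ == "__main__":
    for ts_text, action in analyze(SAMPLE_LOG):
        print(ts_text, action)
```

On the sample, user x never trips rule (a) (one address only) but the retrying client does accumulate 5 failures between 13:26:37 and 13:27:30 and gets the 5-minute address block of rule (b), which is the "valid user who forgot their password" case; bob's three failures from three addresses within 9 seconds trip rule (a), and the fourth attempt is tarpitted rather than extending the block. Raising USER_MIN_FAILS or IP_MIN_FAILS is the "set harder" knob mentioned above.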
Re: [Dovecot] Calling dovecot-lda from within Antispam pipe script (bash) seems to have no effect
Ben Johnson b...@indietorrent.org writes:

> I added debugging output to the script, which now prints the environment variables. My script now outputs the following:
>
>     ...
>     CONFIG_FILE=/var/run/dovecot/config
>     ...
>
> Does anything jump out at you?

You didn't provide the analogous output from the interactive shell to see the differences (for example, USER might be being used), but from your later strace, I guess CONFIG_FILE has something to do with it. These threads seem relevant

    http://www.dovecot.org/list/dovecot/2011-May/059127.html
    http://www.mail-archive.com/dovecot@dovecot.org/msg38349.html

That thread's poster solved his problem by commenting out

    service imap-postlogin {
      # user = $default_internal_user
      ...
    }

but I have no idea if it works, or whether it's a good idea, for your case. More docs http://wiki2.dovecot.org/PostLoginScripting

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] Calling dovecot-lda from within Antispam pipe script (bash) seems to have no effect
Ben Johnson writes:

> It really boils down to the fact that I can call the following on the command-line and it functions as expected:
>
>     su vmail -c '/usr/lib/dovecot/deliver -a sa-train...@example.com -d sa-train...@example.com -m Training.SPAM -p /tmp/sendmail-msg-25794.txt'
>
> Yet, when I attempt to do the exact same thing from within the pipe script that Dovecot Antispam calls, I receive exit code 75 from deliver/dovecot-lda and absolutely nothing is logged, with the exception of the information of which I'm already aware (logged to syslog).

Have you also checked the environment variables? I think dovecot-lda gets some information from them. Also, it's possible the PATH or some other critical environment variable is different, causing the difference in outcome.

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] question about /var/spool/mail/xxx
Richard Feng@eBay writes:

> this is Redhat 6.3. I installed sendmail and dovecot. Sendmail can continue to send mail as MTA; all mails go to /var/spool/mail OK. This is the problem for dovecot: dovecot cannot get it to go to the dovecot inbox. If I set up the mailbox pointing to /var/spool/mail/%u, it is workable.

I'm guessing that you're sending new mail to mbox formatted files in /var/spool/mail/%u (using dovecot LDA?).

> but if I set up maildir to somewhere else, I cannot receive mail by dovecot.

You lost me. How did you set up maildir to somewhere else? You ought to supply configurations (output of dovecot -n), and log entries of the problem.

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] Any way to let dovecot block pop3 attempts?
Steve Campbell writes:

> I use Centos and the default dovecot RPM. I seem to recall there was a way to determine if dovecot was built with --with-libwrap. Can anyone shed light on how to determine this, please?

Maybe

    dovecot --build-options

Or you can just test it directly by denying a connection to a test host.

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] Using dsync to export mail to remote IMAP account
Timo Sirainen writes:

> > I've read the web/man pages on dsync, but it's not clear to me whether dsync can be used to export (rather than import) a user's mailbox to a remote non-dovecot IMAP account.
>
> It should be possible at some point, but currently probably won't work very well.

Ah, thanks for the clarification.

> >     dsync(localuser): Error: user localuser: Initialization failed: Namespace '': Unknown mail storage driver imapc
> >     dsync(localuser): Fatal: User init failed
>
> But this looks like you simply haven't compiled Dovecot with imapc support. See if dovecot --build-options|grep storage returns imapc.

Right you are.

Joseph Tam jtam.h...@gmail.com
[Dovecot] Using dsync to export mail to remote IMAP account
I've read the web/man pages on dsync, but it's not clear to me whether dsync can be used to export (rather than import) a user's mailbox to a remote non-dovecot IMAP account. (The intention is to use it whenever a user leaves and wants to copy their local mail to Google or whatever. I currently use uw-imapd's mailutil -- it works, but it's dreadfully slow.)

As a first crack at it, I tried (on the dovecot server)

    dsync -o imapc_user=remoteuser -o imapc_password=remotepassword \
      -o imapc_host=remote-imap-server -o imapc_port=993 -o imapc_ssl=imaps \
      -o imapc_features=rfc822.size -o imapc_list_prefix=remoteprefix \
      -o mailbox_list_index=no backup -f -u localuser imapc:

I got this error:

    dsync(localuser): Error: user localuser: Initialization failed: Namespace '': Unknown mail storage driver imapc
    dsync(localuser): Fatal: User init failed

Is exporting mail to a remote (non-dovecot) IMAP account even doable with dsync, or am I completely off-track?

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] IMAP monitoring
From: pvsuja pvs...@gmail.com

> I want to get some statistics of the dovecot IMAP server like the number of current IMAP connections, who is logged in to the Dovecot server, doveadm who bandwidth usage.

You can sort of get that from the logs. For example, from my logs

    Apr 18 23:08:19 server dovecot: imap(user): Disconnected: Logged out in=9516 out=89038

telling you how many bytes transferred in and out during the session.

> Is there any utility which does this sort of full monitoring? I tried doveadm who to get the details of logged in users, but it's not returning any output even though I am logged in to the server.

doveadm who ought to work. What does it return?

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] Dovecot 2.1.16: Quota plugin compile fails: Solaris 10
Stephen Usher writes: quota-status.c: In function `main': quota-status.c:200: error: `optarg' undeclared (first use in this function) ... It seems that the following C standard header files need to be included in quota-status.c: #include stdio.h #include stdlib.h #include unistd.h It was mentioned a few weeks back (check the archives), but you only need one of them (which may include the others). My patch to cope with this --- a/src/plugins/quota/quota-status.c Sat Apr 13 02:18:40 2013 +++ b/src/plugins/quota/quota-status.c Sat Apr 13 02:18:56 2013 @@ -14,0 +14,1 @@ +#include stdio.h This worked for me. Joseph Tam jtam.h...@gmail.com
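Review bot: `optarg` is declared by `<unistd.h>` as part of the POSIX getopt interface, so the added line `+#include stdio.h` cures the `optarg' undeclared` error only on platforms whose stdio.h includes unistd.h transitively (which is evidently the case on the poster's Solaris 10 build); the portable fix is to add `#include <unistd.h>`, which also matches the header list quoted above. The directive as shown in the hunk also lacks its angle brackets (`#include stdio.h` instead of `#include <stdio.h>`), which the preprocessor rejects, so confirm the brackets survived in the actual patch file before applying it.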
Re: [Dovecot] How to manually generate a password hash
David Murphy writes:

> http://en.wikipedia.org/wiki/Salt_%28cryptography%29 So... what am I missing? If the hash was salted, it would seem the hashes in the database would be longer than the ones generated at the command line, but that isn't the case. I'm out of ideas. Any guidance appreciated.

The hashes are salted, and that is why the hashes are different, even though the same password is used. (Test it by using the output of doveadm pw and plugging it into your test account). The hashes ought to be the same length. The output would be proportional to the length of your input password if they were encrypting, rather than hashing. But the length of the hash is constant + encoded(salt) + encoded(hash(password)), all of which ought to be fixed lengths.

Joseph Tam jtam.h...@gmail.com
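The layout described in the last sentence, as an added example that is not Dovecot's code: the SSHA scheme Dovecot supports stores base64(sha1(password + salt) + salt) behind a {SSHA} prefix, so the salt travels inside the encoded value and the total length is fixed regardless of the password. The 4-byte salt length is a choice made here for the example; compare the output of doveadm pw to see what your version emits. Two hashes of one password differ only because the salts differ, and verification recovers the salt from the stored value and re-hashes with it.

```python
"""SSHA-style salted hash: generate, split and verify (added example)."""
import base64
import hashlib
import hmac
import os

SALT_LEN = 4       # example choice; the scheme itself allows any salt length
SHA1_LEN = 20
PREFIX = "{SSHA}"


def ssha_hash(password, salt=None):
    """Return {SSHA}base64(sha1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_split(stored):
    """Recover (digest, salt): the salt is whatever follows the 20-byte digest."""
    if not stored.startswith(PREFIX):
        raise ValueError("not an SSHA hash")
    raw = base64.b64decode(stored[len(PREFIX):])
    if len(raw) <= SHA1_LEN:
        raise ValueError("no salt present")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def ssha_verify(password, stored):
    """Re-hash with the stored salt and compare in constant time."""
    digest, salt = ssha_split(stored)
    calc = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(calc, digest)


def demo(password="hunter2"):
    """Two independent hashes of one password: different text, same length, both verify."""
    h1, h2 = ssha_hash(password), ssha_hash(password)
    return {"differ": h1 != h2,
            "same_length": len(h1) == len(h2),
            "both_verify": ssha_verify(password, h1) and ssha_verify(password, h2)}


if __name__ == "__main__":
    print(ssha_hash("hunter2"))
    print(ssha_hash("hunter2"))
    print(demo())
```

With a 20-byte digest and a 4-byte salt the encoded part is always 32 characters, so every hash is 38 characters long whether the password is one character or two hundred; a stored value of a different length than doveadm pw produces for the same scheme is a sign the database holds something other than what the scheme name claims.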
Re: [Dovecot] Configuring dovecot to use tcp wrappers
Max Pyziur p...@brama.com wrote:

> I've put in a test ip address in /etc/hosts.deny like so:
>
>     dovecot: 166.84.1.2

Maybe

    imap: 166.84.1.2
    imaps: 166.84.1.2
    pop3: 166.84.1.2
    pop3s: 166.84.1.2

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] Any simple way to block logins by IP address?
Steve Campbel writes:

> Does Dovecot have a facility to block pop3 and imap logins by IP address? I usually do this by putting the IPs in my border firewall, but it's in transition currently to a new one, and I'd like to end connections fairly fast.

You probably want to compile in tcp_wrapper support and handle it that way http://wiki2.dovecot.org/LoginProcess You might also hook into the post-login script if you need some bizarre logic to determine whether to allow a login or not, but this is later in the session setup rather than block-on-sight like a firewall. http://wiki2.dovecot.org/PostLoginScripting

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] Migrating password scheme
I tried the userdb prefetch / postlogin script method to do some password manipulation, but it doesn't appear to work for me. In particular, I don't think this method works with

    userdb {
      driver = passwd-file
      args = /path/to/passwd-file userdb_pw=%w
    }

because it doesn't understand arbitrary var=value in the args configuration. Dovecot seems to accept the entire string as the pathname for a password file. Is there a way to pass the plaintext password to a post-login script using passwd-file userdb?

Before this, I managed password manipulation by process tracing dovecot's auth process read() syscalls and parsing out the user/password from the second buffer argument. Quite a hack but it worked.

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] Imap process crash: assertion failed: (full_fs_access)
On Wed, 13 Feb 2013, dovecot-requ...@dovecot.org wrote:

> Timo Sirainen t...@iki.fi writes:
>
> > > > Any guess at what would cause this?
> > > >
> > > >     Feb 7 21:20:53 server dovecot: imap(user): Panic: file mailbox-list-fs-iter.c: line 447 (fs_list_get_roots): assertion failed: (full_fs_access)
> > >
> > > LIST command that had invalid parameters that somehow got through the first validity check. What namespace config do you have?
> >
> >     namespace {
> >       alias_for =
> >       hidden = yes
> >       list = no
> >       location =
> >       prefix = /
> >       separator = /
> >     }
>
> This one causes these crashes. Fixed in v2.2 now: http://hg.dovecot.org/dovecot-2.2/rev/fb367a977077

Thanks for diagnosing this. I'll probably remove this namespace or limp along until 2.2 becomes the latest stable release. I added this namespace alias in an abundance of caution: this was to prevent users from trying to peruse the entire file space e.g. /etc. A poor man's chroot. I didn't test this thoroughly to see if it actually did what it was supposed to.

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] Imap process crash: assertion failed: (full_fs_access)
On Mon, 11 Feb 2013, Joseph Tam wrote:

> Timo Sirainen t...@iki.fi writes:
>
> > > Any guess at what would cause this?
> > >
> > >     Feb 7 21:20:53 server dovecot: imap(user): Panic: file mailbox-list-fs-iter.c: line 447 (fs_list_get_roots): assertion failed: (full_fs_access)
> >
> > LIST command that had invalid parameters that somehow got through the first validity check. What namespace config do you have?
>
> I got more info from the user that had this problem. He reported that he was setting up a new Email client (Nexus4 Android) and he sent me a screenshot of his setup. Everything looks ordinary except perhaps the IMAP prefix set to mail.
> ...
> I've asked the user to change his prefix, and he'll probably report back.

He reported that removing the mail prefix solved it for him. I then proceeded to update dovecot from 2.1.14 to 2.1.15, and asked him to change it back to the previous prefix (mail). That also worked. So I don't know what unwedged him, but it's working now.

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] Imap process crash: assertion failed: (full_fs_access)
Timo Sirainen t...@iki.fi writes:

> > Any guess at what would cause this?
> >
> >     Feb 7 21:20:53 server dovecot: imap(user): Panic: file mailbox-list-fs-iter.c: line 447 (fs_list_get_roots): assertion failed: (full_fs_access)
>
> LIST command that had invalid parameters that somehow got through the first validity check. What namespace config do you have?

I got more info from the user that had this problem. He reported that he was setting up a new Email client (Nexus4 Android) and he sent me a screenshot of his setup. Everything looks ordinary except perhaps the IMAP prefix set to mail. My setup documents inform users to leave it blank, but sometimes they use mail/, a holdover from the uw-imapd days. I provide some aliases for that, but I don't know what would happen if you leave off the trailing /.

My namespace settings as reported by dovecot -n:

    namespace {
      inbox = yes
      location =
      prefix =
      separator = /
    }

(The following are aliases to keep backward compatibility)

    namespace {
      alias_for =
      hidden = yes
      list = no
      location =
      prefix = /
      separator = /
    }
    namespace {
      alias_for =
      hidden = yes
      list = no
      location =
      prefix = mail/
      separator = /
    }
    namespace {
      alias_for =
      hidden = yes
      list = no
      location =
      prefix = ~/mail/
      separator = /
    }
    namespace {
      alias_for =
      hidden = yes
      list = no
      location =
      prefix = ~%u/mail/
      separator = /
    }

I've asked the user to change his prefix, and he'll probably report back.

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] Imap process crash: assertion failed: (full_fs_access)
Any guess at what would cause this?

    Feb 7 21:20:53 server dovecot: imap(user): Panic: file mailbox-list-fs-iter.c: line 447 (fs_list_get_roots): assertion failed: (full_fs_access)

(Sorry, no core dump)

According to my logs, this user couldn't start an IMAP session for a 2 hour stretch for hundreds of connections. Then the problem seemed to have gone away. I logged back in as that user using a master password, but couldn't recreate this problem. The backtrace is just hex numbers (stripped executables) and I didn't drop privileges, so it refused to drop core, so that's no help.

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] Per user special-use folder names
On Wed, 6 Feb 2013, Timo Sirainen wrote:

> > On a related topic, what's the easiest way to alias various common mailbox names to one physical mailbox? For example, mapping Trash, Deleted Messages, Junk to the same mailbox? Would you use the SPECIAL-USE, or is there a better way to do this? Namespace configuration? Virtual plugin?
>
> Ideally SPECIAL-USE will take care of it in future. For now you should configure it, but also realize that it won't work for all clients. There's also mailbox_alias plugin in v2.1.10+: http://wiki2.dovecot.org/Plugins/MailboxAlias (the link will work in a few minutes).

Perfect. I added a link to this page to the parent Plugins page.

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] Per user special-use folder names
On Wed, 6 Feb 2013, Michael M Slusarz wrote:

Quoting Patrick Ben Koetter p...@sys4.de:

That's part of what makes SPECIAL-USE so sexy. It is language independent. All it does is say This mailbox is reserved for that particular usage. How you call it is up to you (client).

Well not quite. The problem comes when you have *multiple* sent mailboxes on your server, which is perfectly acceptable and quite useful (e.g. an MUA allows multiple identities, and each identity uses a separate sent-mail mailbox). You can't just blindly show the local translation for Sent for all of the mailboxes, or else you've now eliminated the user's ability to differentiate between them.

On a related topic, what's the easiest way to alias various common mailbox names to one physical mailbox? For example, mapping Trash, Deleted Messages, Junk to the same mailbox? Would you use the SPECIAL-USE, or is there a better way to do this? Namespace configuration? Virtual plugin?

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] deleting duplicate mail?
On Mon, 14 Jan 2013, joa...@verona.se writes:

Due to a misstake I got many duplicate emails in my inbox folder.

Ironic mispeling.

They are stored in maildir format, so my initial thought was to simply md5sum the mail files and remove the duplicates. This doesn't work because the mails have differing uids. Any other hints?

If the UIDs are just headers, why don't you simply checksum without them:

sed -e '/^Whatever-header:/d' "$file" | md5sum
grep -Ev '^Whatever-header:' "$file" | md5sum

Joseph Tam jtam.h...@gmail.com
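A small script in the spirit of this reply, added here as an example that is not part of the thread: it digests each Maildir file with the per-copy header stripped and reports the redundant copies. The header name X-UID stands in for the post's "Whatever-header", and the sample messages are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: find duplicate Maildir messages that
# differ only in a per-copy header, by digesting each file with that header
# removed. X-UID is a hypothetical header name; the sample Maildir is constructed.

# md5sum with a fallback for systems that ship md5 instead (prints the hash only).
digest() {
    if command -v md5sum >/dev/null 2>&1; then md5sum; else md5 -q; fi
}

# Digest of one message with every header line matching HEADER_RE dropped.
# Only the header section (up to the first blank line) is filtered, so a
# body line that happens to start with the same text is left alone.
# Usage: msg_digest FILE HEADER_RE
msg_digest() {
    sed -e '1,/^$/{/^'"$2"':/d;}' "$1" | digest | cut -d' ' -f1
}

# Print the path of every message in MAILDIR that duplicates an earlier one.
# Within a digest group the first file in sorted name order is kept quiet;
# every later file in the group is reported as a redundant copy.
# Usage: find_dupes MAILDIR HEADER_RE
find_dupes() {
    for f in "$1"/cur/* "$1"/new/*; do
        [ -f "$f" ] || continue
        printf '%s %s\n' "$(msg_digest "$f" "$2")" "$f"
    done | sort | awk '{ if ($1 == prev) { sub(/^[^ ]* /, ""); print } else prev = $1 }'
}

# Build a constructed sample Maildir in DIR: two copies of the same message
# that differ only in X-UID, plus one unrelated message.
make_sample_maildir() {
    mkdir -p "$1/cur" "$1/new" "$1/tmp"
    printf 'From: alice@example.org\nX-UID: 101\nSubject: report\n\nSame body.\n' > "$1/cur/1.msg"
    printf 'From: alice@example.org\nX-UID: 102\nSubject: report\n\nSame body.\n' > "$1/cur/2.msg"
    printf 'From: bob@example.org\nX-UID: 103\nSubject: other\n\nDifferent body.\n' > "$1/new/3.msg"
}

# Demo over the constructed sample; prints the path of the redundant copy.
demo_dir=$(mktemp -d)
make_sample_maildir "$demo_dir"
find_dupes "$demo_dir" X-UID
rm -rf "$demo_dir"
```

Review the reported paths before deleting anything: the digest covers headers and body, so two messages that differ only in the stripped header are treated as the same message.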
Re: [Dovecot] Problem setting up dovecot on Debian: telnet: Unable to connect to remote host: Connection refused
Noel Butler writes:

I build from sources all key daemon software anyway, package maintainers can only account for so many configurations. It's not so critical with dovecot now since v2, because, regrettably, Timo removed a lot of fine tune config options that allowed us to only build in what we wanted, now, tuff, most the auth methods and stuff must be built even if we don't want them.

That hasn't been my experience, but maybe because the non-optional stuff is what I need. For example, my configure for v2.1.x summarizes

Install prefix . : /opt/dovecot
File offsets ... : 64bit
I/O polling .... : poll
I/O notifys .... : none
SSL ............ : yes (OpenSSL)
GSSAPI ......... : no
passdbs ........ : static passwd passwd-file checkpassword
                 : -shadow -pam -bsdauth -sia -ldap -sql -vpopmail
userdbs ........ : static prefetch passwd passwd-file checkpassword
                 : -ldap -sql -vpopmail -nss
SQL drivers .... :
                 : -pgsql -mysql -sqlite
Full text search : squat
                 : -lucene -solr

A few auth methods, which even if you don't use, are a nice fallback for exceptions or niche cases, no dbs, one mandatory text search method.

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] dovecot-lda (2.1.12) segfaults
        ctx = (struct mail_save_context *) 0x5e6e0
        pmail = (struct mail_private *) 0x54cd8
        input = (struct istream *) 0x637c8
        from_envelope = 0x13d90 "MAILER-DAEMON"
        guid = 0xff2f0ec0
        received_date = -1
#13 0xff23f23c in mail_storage_copy (ctx=0x5e6e0, mail=0x54cd8) at mail-copy.c:93
No locals.
#14 0xff24ec28 in mailbox_copy (_ctx=0xffbff670, mail=0x54cd8) at mail-storage.c:1721
        ctx = (struct mail_save_context *) 0x5e6e0
        box = (struct mailbox *) 0x594e8
        keywords = (struct mail_keywords *) 0x0
        ret = 389032
#15 0xff24ec98 in mailbox_save_using_mail (ctx=0xffbff670, mail=0x54cd8) at mail-storage.c:1730
No locals.
#16 0xff388070 in mail_deliver_save (ctx=0xffbff8a8, mailbox=0x13fe8 "INBOX", flags=0, keywords=0x0, storage_r=0xffbff83c) at mail-deliver.c:317
        open_ctx = {user = 0x3d3a8, lda_mailbox_autocreate = true, lda_mailbox_autosubscribe = false}
        box = (struct mailbox *) 0x594e8
        trans_flags = MAILBOX_TRANSACTION_FLAG_EXTERNAL
        t = (struct mailbox_transaction_context *) 0x5de88
        save_ctx = (struct mail_save_context *) 0x0
        headers_ctx = (struct mailbox_header_lookup_ctx *) 0x0
        kw = (struct mail_keywords *) 0x0
        error = MAIL_ERROR_NONE
        mailbox_name = 0x13fe8 "INBOX"
        errstr = 0x0
        guid = 0xff3f73b0
        changes = {pool = 0x13e38, uid_validity = 0, saved_uids = {arr = {buffer = 0x13e28, element_size = 1}, v = 0x13e28, v_modifiable = 0x13e28}, ignored_modseq_changes = 4282350008, changed = false}
        range = (const struct seq_range *) 0xff1d3580
        default_save = true
        ret = 0
        __FUNCTION__ = "mail_deliver_save"
#17 0xff38869c in mail_deliver (ctx=0xffbff8a8, storage_r=0xffbff83c) at mail-deliver.c:403
        ret = -1
#18 0x00012d08 in main (argc=3, argv=0xffbff964) at main.c:434
        set_roots = {0x24b48, 0x0}
        ctx = {pool = 0x2eaf0, set = 0x30440, session = 0x2eb00, dup_ctx = 0x0, session_id = 0x0, src_mail = 0x54cd8, src_envelope_sender = 0x0, dest_user = 0x3d3a8, dest_addr = 0x25828 "testuser@domain", final_dest_addr = 0x25828 "testuser@domain", dest_mailbox_name = 0x13fe8 "INBOX", dest_mail = 0x5efa8, var_expand_table = 0x0, tried_default_save = true, saved_mail = false, save_dest_mail = false, mailbox_full = false, dsn = false}
        service_flags = 1027
        user = 0xffbffad0 "testuser"
        errstr = 0xff3f48e8
        path = 0x0
        storage_service = (struct mail_storage_service_ctx *) 0x2f650
        service_user = (struct mail_storage_service_user *) 0x2fe88
        service_input = {module = 0x13fd0 "lda", service = 0x13fd0 "lda", username = 0xffbffad0 "testuser", session_id = 0x0, local_ip = {family = 0, u = {ip6 = { _S6_un = {_S6_u8 = '\0' <repeats 15 times>, _S6_u32 = {0, 0, 0, 0}, __S6_align = 0}}, ip4 = {S_un = {S_un_b = {s_b1 = 0 '\0', s_b2 = 0 '\0', s_b3 = 0 '\0', s_b4 = 0 '\0'}, S_un_w = {s_w1 = 0, s_w2 = 0}, S_addr = 0, remote_ip = {family = 0, u = {ip6 = { _S6_un = {_S6_u8 = '\0' <repeats 15 times>, _S6_u32 = {0, 0, 0, 0}, __S6_align = 0}}, ip4 = {S_un = {S_un_b = {s_b1 = 0 '\0', s_b2 = 0 '\0', s_b3 = 0 '\0', s_b4 = 0 '\0'}, S_un_w = {s_w1 = 0, s_w2 = 0}, S_addr = 0, local_port = 0, remote_port = 0, userdb_fields = 0x0, flags_override_add = 0, flags_override_remove = 0, no_userdb_lookup = 0}
        storage = (struct mail_storage *) 0x39330
        user_source = 0x13f30
        destaddr_source = 0x13f30
        process_euid = 0
        stderr_rejection = false
        ret = 1
        c = -1
        error = MAIL_ERROR_NONE

Joseph Tam t...@math.ubc.ca
Re: [Dovecot] migration to dovecot pop3
Rajesh M writes:

I am planning to migrate from qmail pop3 to dovecot pop3. The number of users on the server is large, over 5000 ... also data volume is large - over 3.5 tb -- ie many users with several 1000s of emails in their inbox.

If you stay on the list, you might find some people here whose mail metrics are several orders of magnitude larger than this.

1) will the migration cause all the emails on the server to re-download ...
4) has anybody migrated from qmail pop3 to dovecot pop3 successfully without emails being downloaded again

A proper migration will avoid this. Google is your friend: http://lmgtfy.com/q=POP+qmail+to+dovecot+migration The top hits provide exactly what you're looking for.

2) can dovecot be configured to allow only one download at a time - pop3 locking with a time out setting that can be customized
3) can dovecot pop3 be configured so that it will allow download of emails only of the last, say, 15 days, ie even if the same pop3 user is configured on another machine it will download only messages of the last 15 days

I can't answer this, but if this is an attempt to prevent mass download, the answer to 1+4 makes these questions irrelevant.

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] dovecot-lda (2.1.12) segfaults
Timo Sirainen writes:

Date: Wed, 19 Dec 2012 12:59:54 +0200
Could you send me those files? Would be the easiest and quickest way to get it fixed :)

Date: Wed, 19 Dec 2012 15:02:25 +0200
Okay, fixed: http://hg.dovecot.org/dovecot-2.1/rev/32ce915e046a

Yes it does, and it stops crashing for the other 5 sets of indices. A 2-hour turnaround, of which an hour was spent packing up the index files. Amazing. Thanks.

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] Non-dovecot user looking for feedback
On Mon, 17 Dec 2012, Chris Ross wrote:

I've been using UW-IMAPd for nigh on forever (at least since 2001). But, as it's basically stalled, and I'm about to update the hardware that is my mail server, I thought it was time to review existing open-source IMAP servers. Dovecot is in the top three in my looking.

I converted a few years ago and never looked back.

So, am I right that dovecot supports only the one big full file mbox format, and the maildir format? And if so, is it known to allow multiple simultaneous IMAP clients to access and monitor and/or modify the same folder simultaneously?

I still run using mbox, and have not had a problem with corruption, however, this is probably owing to our modest IMAP demand and careful coordination of file locks among all the different MUAs. You're better off with Maildir and other formats, that are better designed for simultaneous access. There are other good reasons to switch formats. Dovecot also supports its own mdbox/sdbox for high performance: it's a hybrid that tries to incorporate the best of both worlds. More info: http://wiki2.dovecot.org/MailboxFormat

After those questions, it's just a what do you think the pros and cons of each are?

I can't speak to the other software you are looking at, but two factors I found to be particularly good:

- flexibility: you can get almost every oddball setup to work. Migration from uw-imapd is fairly easy, but then again, uw-imapd didn't have a lot of knobs to turn. Plugins are available that extend its functionality.
- support: this mailing list is great, and Timo is an absolute wizard in getting bugs fixed. (Note: I am shamelessly buttering him up so that he fixes the outstanding bug I reported!)

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] number of imap connection
klimenk...@theitidea.ru writes:

how to calculate the expected number of imap processes?

Set your mail_max_userip_connections to a large value (~20) and run doveadm who periodically to look at your users' actual connection counts.

how many imap processes must be used for each user? i have 6-7 connections for each user. is it normal behavior?

It's typical. Some popular mail readers open about 5, some more, some less. I set my mail_max_userip_connections at 12 even though there are some users who regularly bump up against this. They don't seem to notice -- dovecot probably bumps off the least recently used connection and their mail reader reconnects if it needs to open that mailbox again.

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] Automatically Cleaning Kerberos Credential Cache Files
Ben Morrow writes:

In any case, it's likely that the delivery process looks in the user's home directory even if delivery is to a separate mail spool, unless you've taken steps to prevent this.

I can confirm this. I think the reason is that dovecot changes to the user's home directory so that it has a place to dump core. This causes problems for my setup since I use per-user NFS mounts, so a delivery to an internal mailing list caused hundreds of NFS automounts. I patched this behaviour out, but there is probably a more elegant solution (unset MAIL_STORAGE_SERVICE_FLAG_ENABLE_CORE_DUMPS? How?).

Joseph Tam jtam.h...@gmail.com

--- ./src/lib-storage/mail-storage-service.c~ Sat May 19 08:42:12 2012
+++ ./src/lib-storage/mail-storage-service.cMon Jun 25 22:00:57 2012
@@ -615,21 +615,21 @@ - if ((user-flags MAIL_STORAGE_SERVICE_FLAG_TEMP_PRIV_DROP) != 0 - (user-flags MAIL_STORAGE_SERVICE_FLAG_ENABLE_CORE_DUMPS) == 0) { - /* we don't want to write core files to any users' home - directories since they could contain information about other - users' mails as well. so do no chdiring to home. */ - } else if (*home != '\0' - (user-flags MAIL_STORAGE_SERVICE_FLAG_NO_CHDIR) == 0) { - /* If possible chdir to home directory, so that core file - could be written in case we crash. */ - if (chdir(home) 0) { - if (errno == EACCES) { - i_error(%s, eacces_error_get(chdir, - t_strconcat(home, /, NULL))); - } if (errno != ENOENT) - i_error(chdir(%s) failed: %m, home); - else if (mail_set-mail_debug) - i_debug(Home dir not found: %s, home); - } - } +// if ((user-flags MAIL_STORAGE_SERVICE_FLAG_TEMP_PRIV_DROP) != 0 +// (user-flags MAIL_STORAGE_SERVICE_FLAG_ENABLE_CORE_DUMPS) == 0) { +// /* we don't want to write core files to any users' home +//directories since they could contain information about other +//users' mails as well. so do no chdiring to home. */ +// } else if (*home != '\0' +//(user-flags MAIL_STORAGE_SERVICE_FLAG_NO_CHDIR) == 0) { +// /* If possible chdir to home directory, so that core file +//could be written in case we crash. */ +// if (chdir(home) 0) { +// if (errno == EACCES) { +// i_error(%s, eacces_error_get(chdir, +// t_strconcat(home, /, NULL))); +// } if (errno != ENOENT) +// i_error(chdir(%s) failed: %m, home); +// else if (mail_set-mail_debug) +// i_debug(Home dir not found: %s, home); +// } +// }
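Review bot: commenting out the whole block with `//` also removes the first branch, the one that deliberately refuses to chdir into a user's home when MAIL_STORAGE_SERVICE_FLAG_TEMP_PRIV_DROP is set and MAIL_STORAGE_SERVICE_FLAG_ENABLE_CORE_DUMPS is not, so the comment about not writing core files into home directories that may hold other users' mail no longer guards anything. The unchanged `else if` already honours MAIL_STORAGE_SERVICE_FLAG_NO_CHDIR, so setting that flag for the LDA service, or making the chdir conditional on a setting, gets the same effect without deleting the logic; and if the code really is to go, it should be removed rather than left behind as `//` comments.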
Re: [Dovecot] LMTP benefit vs LDA
Daniel Parthey writes:

Davide wrote:

my question is what is the benefit of implementing LMTP service replacing LDA. i have dovecot 2.1.8 with vpopmail+qmail and about 500 users. now i'm using LDA and i'm interested in LMTP service.

with LMTP...
* you don't need to care about mail filesystem permissions
* you can use dovecot lmtp proxy and/or director
* you don't need to spawn a new process for each message

One of the (potential) benefits is that LMTP, because it can handle multiple recipients, has the ability to optimize I/O (or storage?) by using hardlinking to a single copy of a message (deduping). I don't know if Dovecot takes advantage of this in any way though.

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] Changing password for users
Ben Morrow wrote:

Maybe replace /usr/bin/passwd with htpasswd?

Try pam_pwdfile with poppwd or some other poppassd that supports PAM.

That's it! I was trying to remember the name of this PAM module.

and is there another way other than poppassd?

Write your own PHP script -- it couldn't be more than a few dozen lines of code for a working skeleton. Or Google php change password htpasswd.

It's not as simple as you seem to think. Quite apart from getting the password-changing itself right (have you considered what happens when two users change their passwords at the same time? when Dovecot tries to read the password file at the same time as you are changing it? when the system crashes when you are halfway through rewriting the password file?), you really shouldn't be running PHP as a user with write access to a password file (even a virtual password file) in any case.

I did consider it, and you're right, it is tricky to get it absolutely right. If robustness and security were of utmost importance, I would abandon PHP too. I was scaling the solution to the OP's technical ability and apparent size of their operation -- if poppwd passes muster, this wouldn't be too far off.

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] Changing password for users
From: Mike John m...@alaadin.org

I know about poppassd, but it works only for /etc/passwd, /etc/shadow, but my dovecot virtual users password files are in a different location and i do not know how to modify poppassd, any idea how can i do that?

I downloaded and examined it; it's just a wrapper for /usr/bin/passwd, and there doesn't seem to be an easy way to modify it to use something other than the system password file. Maybe replace /usr/bin/passwd with htpasswd?

and is there another way other than poppassd?

Write your own PHP script -- it couldn't be more than a few dozen lines of code for a working skeleton. Or Google php change password htpasswd.

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] Disconnected for inactivity time.
Robert JR writes:

After 10 mins of inactivity of pop3, dovecot disconnects the user (-ERR Disconnected for inactivity.) What is the option in the config file which controls the inactivity logout time? because i want to decrease the inactivity time to 5 mins instead of 10 mins

Looks like it's set in the source code

pop3-client.c:#define CLIENT_IDLE_TIMEOUT_MSECS (10*60*1000)

but the output of

# doveconf -a
...
service pop3 {
  ...
  idle_kill = 0
  ...
}

maybe points to the config that overrides this. Easy enough to test. It's non-RFC compliant as one poster points out, so unless you've got a good reason to do this, like lots of zombie pop3 processes, leave it alone.

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] Logging IP address for failed login
Scott Neville dovecot...@keystealth.org writes:

I am trying to use the logs to show the IP that brute force activity comes from, but I'm not succeeding. I have read the archives and seen the advice others have had. I can see logs for repeated bad logins, but I need the IP address from the attempts. ... but only for successful logins. The brute force attempts don't log like that:

Sep 16 00:02:58 olive dovecot: auth: pam(backup): unknown user

This was similar to another complaint several months ago. I conjectured that these attempts are SMTP AUTH, not IMAP, brute forcing. Are you using dovecot's SASL feature to authenticate outgoing Email (i.e. via Postfix)? Maybe you can verify this hypothesis by checking the Postfix logs.

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] ChgrpNoPerm issue
Robert JR roundcube...@alaadin.org writes:

The problem is /var/mail (Owner is useraccount and the group is mail), and here comes the problem: Dovecot keeps trying to chown the imap folder inside the homedirectory with user:mail account and since And this is the reason of the error that appears in my log file.

Dovecot is trying to keep the permission of your index caches consistent with that of the mailbox it indexes. The INBOX index cache is kept in your user's mail directory (as per your default settings), although you can change that location.

The option mail_access_groups=mail solves the problem.. but I read it is not secure.. With my current configuration, users log in with imap to read mail, can they use the mail_access_groups=mail and read other people's mail?

Yes, that's the security problem.

does my configuration is a shared mailbox and could be unsecure..

Could not parse your question/comment.

why did I not have this issue with uw-imapd? and why does dovecot try to chown the .imap folder with the mail group?

uw-imapd was not as picky. The extra consideration for group ownership is so that shared access to mailbox files, and their associated index caches, remain consistent. For example, if you shared a mailbox among your colleagues in group staff and the mailbox has group=staff,perm=g+rw, then the index caches will inherit those permissions, and members of group staff can access mailbox and indices alike.

[You later write ...]

Sep 9 11:22:30 dovecot: pop3(r): Error: fchown(/home/r/.imap/INBOX/dovecot.index.log.newlock, -1, 12(mail)) failed: Operation not permitted (egid=501(r), group based on /var/mail/r)

i know that chmod 0600 /var/mail will solve the problem and i will no longer receive the above errors again

You also have to make sure that autocreated INBOXes (i.e. a brand new account) do not start out with anything other than 0600. You may have to use dovecot's LDA or twist your LDA's arm to create mailboxes that way.

I guess you can also avoid these errors by using memory indices, but you forego the advantages of persistent indices.

But my question is that in case i did not set chmod /var/mail 0600, can i ignore such errors, are these errors harmful? if these errors keep coming and i ignored them would this cause mbx corruption .. please advise

No, you can't ignore these errors. They will break IMAP access to those mailboxes (as you will find out).

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] thunderbird not connecting
On Wed, 5 Sep 2012, Charles Marcus wrote:

On 2012-09-05 6:23 AM, cc maco young bangkokm...@gmail.com wrote:

On Wed, Sep 5, 2012 at 12:02 AM, Stan Hoeppner s...@hardwarefreak.com wrote:

What does TB activity manager say?

Activity Manager is blank. as an update, went to Claws email client. it had enough feedback and gave me enough ways to tweak - got everything going. went back to TB. recognized server, but no username/password. perhaps it's not letting the full email - which is the user name - through. but who knows? no feedback.

You're looking at the wrong end. You need to be looking at your SERVER logs, not the Client's.

Actually, I think he did supply that and it showed imap and pop3 not getting any auth information.

dovecot: pop3-login: Aborted login (no auth attempts): rip=223.205.150.234, lip=xxx.xx.xx.xx
dovecot: imap-login: Aborted login (no auth attempts): rip=223.205.150.234, lip=xxx.xx.xx.xx

There are other log options to verbosely log auth and ssl information, and that might help.

I frequently see the above log messages when the client and the server get their security protocol (SSL/TLS) and ports crossed up (i.e. trying IMAP/SSL on port 143 or trying IMAP/TLS on port 993). Try fiddling with TB's settings here and see if anything shakes loose. You can also use openssl and simulate the server end and maybe that will shed light on the situation: (You'll have to read the man page yourself to find all the options)

openssl s_server -accept 993 ...

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] finding messages deleted before timespec
On Tue, 4 Sep 2012, Sven Hartge wrote:

I am searching for a search_query which only matches messages with the flag \Deleted whose flag has been set 24h or longer ago. Doing something like

doveadm expunge -A mailbox \* DELETED

is not the solution, since it will expunge all deleted mails without looking at the time when they have been deleted. Using savedbefore does not work either, since a message may have been saved 2 years ago but only recently deleted.

You could work out a cron job that does a doveadm search ..., then diff it with one generated 24 hours ago, extract the common GID/UUIDs, then do a second pass to delete them. Not elegant, but it would probably work. (I just read the man page, and there doesn't seem to be an option to pipe the search like

doveadm search ... | doveadm expunge

You'll have to expunge one message at a time. Ugh.)

Or maybe the advice don't worry, be happy applies here. I find that too many mistake mitigation features are counterproductive, as users habitually rely on them rather than being careful. Extending your grace period to a week will lessen the probability of this race condition.

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] Hostname Based forwarding
Merrickville merrickvi...@gmail.com writes:

Is there a way to proxy based on the host name the client has configured in his/her email client? (Like Apache VirtualHosts)

I doubt it; the virtual name is not part of the IMAP protocol as it is in HTTP. The IMAP server is not told which hostname was mapped to its IP. You'll either have to add the @domain, or perhaps multi-home your host, remap one of your domains to the new IP, and add another running instance of dovecot to listen on that interface.

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] about postlogin in dovecot2
bma...@ihlas.net.tr writes:

where do i have to locate the passwd-file in dovecot2

For what purpose? Master user? Password/user lookup?

passdb {
  driver = passwd-file
  master = yes
  args = /anywhere/you/want/master-users
  pass = yes
}
passdb {
  driver = passwd-file
  args = /anywhere/you/want/passwd
}
userdb {
  driver = passwd-file
  args = /anywhere/you/want/passwd
}

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] connectionlimit for pop3s?
On Tue, 7 Aug 2012, dovecot-requ...@dovecot.org wrote:

When switching to port 995 to use pop3s he is limited at connection count. Some people can reach the pop3s-server successfully, some getting a timeout. ... Somebody knows some typical clientside problems when this problem occurs?

Do the same user(s) have this problem and/or does each user have their own mail configuration for their mail readers? If yes, I would also check that the port and security protocol match (i.e. clear/TLS/SSL on ports 110/110/995 respectively). Mismatched configurations could cause what you describe. Log messages could also be helpful here.

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] getting rid of old spam from +spam Maildir ?
Charles Marcus cmar...@media-brokers.com writes:

On 2012-08-03 6:33 PM, Voytek Eymont voy...@sbt.net.au wrote:

don't know, looking this morning it shows like below, the 00:05:05 is probably last time I did 'ls'? I was doing 'ls' or web mail refresh, to see what gets removed from 'spam' box, before and after each attempt to expunge:

date.saved: 2012-08-03 00:05:05

The 'date.saved:' is the date/time that the message was moved into that folder.

Perhaps this related thread starting at http://dovecot.org/list/dovecot/2012-July/067199.html and ending with the patch by Timo http://dovecot.org/list/dovecot/2012-July/067423.html may be of interest to the OP.

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] expire-tool stops on first box with nothing to expire in it
Timo Sirainen writes:

In practice, if this query is done on a periodic interval (e.g. daily), the date.saved will be roughly correct, and is usable as an age test for expungement. Is there a way to force this value to be cached when the client actually saves or moves a message?

Done for save: http://hg.dovecot.org/dovecot-2.1/rev/c598f76d
Fixed copy: http://hg.dovecot.org/dovecot-2.1/rev/b13b8267999d

It still doesn't add it to cache if it's not already cached in both the source and destination mailbox, but usually it should be after initial doveadm run.

Thanks, Timo.

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] Dovecot configuration changes
From: Rups2603 shewalkar.rup...@gmail.com

I am planning to migrate my Mail server by the IRedmail automatic configuration shell script, but some of my users use pine as Mail user agent. (First they login to the Mailserver using SSH with their own User Name and Password, which is the same as the mail UserID and PASSWORD, then they run Pine). In IRedmail there is a single mail management user vmail, so how will I change the dovecot setting in IRedmail so it will fit in my setup?

From your brief description, you're going from a virtual user setup to a real user setup, with perhaps direct file access to boot (otherwise, you don't need users to be able to log in to the mail server), in which case, IMAP/POP may be irrelevant. I don't think anybody can give you any concrete idea of how to change your dovecot setup without a lot more information. It appears to me you'll have to do a clean re-do of your dovecot setup, using your old configuration as a reference.

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] lock file strangeness
From: McGraw, Robert P rmcg...@purdue.edu

We are running dovecot-1.2.10 on a Solaris 10 x86 host. Starting on July 24 I started seeing the following type lock files in the /var/mail directory.

-rw-rw-rw- 1 agab mail 0 Jul 24 10:08 agabriel.lock.1343138908.28535.hardy.purdue.edu

Hmm, are you sure these are dovecot locks? They look sort of like what alpine would produce. Do your clients have direct filesystem access to the INBOX spool?

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] what best for anti-spam filter?
Morten Stevens mstev...@imt-systems.com writes:

So it is now RFC compliant. Anyway I think delaying mail traffic is not a good solution.

Well, OK, if you're not keen on greylisting, you can try greet pausing, which introduces a shorter delay. It tests a bot's patience by inserting a pre-HELO pause. RFC allows 5 minutes before timeout.

This is last week's stat for one of my mail servers and the count of early-talkers or early-disconnecters, almost all of which are bots. A greet pause of over 20s dumps a lot of bots. Expect to whitelist the odd server here and there because they've tuned their servers to some aggressively small RFC non-compliant timeouts.

Delay   Disconnect/early-talkers
00 =       9
01 =       1
02 =       1
03 =      11
04 =      34
05 =       5
06 =       1
07 =       1
08 =       3
09 =       3
10 =       9
11 =       1
12 =       2
16 =       7
17 =      10
18 =       4
19 =      17
20 =    1161
21 =     431
22 =      61
23 =      43
24 =      13

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] expire-tool stops on first box with nothing to expire in it
Michael Wessel writes:

When I run for example:

doveadm -D search -A mailbox Trash savedbefore 60d > /tmp/discard

I previously observed that the date.saved field (tested by savedbefore) seems to be clustered around particular timestamps. Dumping out this field using

doveadm -ftab fetch -A \
  "mailbox date.saved" \
  \( mailbox Trash OR mailbox Junk OR mailbox "Deleted Items" \)

it seems the timestamps do not actually correspond to when the client moves messages to their trash folder, but rather, to the time I query for it i.e. a query instantiates this value. This timestamp is then retained.

In practice, if this query is done on a periodic interval (e.g. daily), the date.saved will be roughly correct, and is usable as an age test for expungement. Is there a way to force this value to be cached when the client actually saves or moves a message?

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] Dovecot 2.1.8 crashes when doing POP3 UIDL on empty INBOX
Timo Sirainen t...@iki.fi writes:

#0 i_panic (format=0xff2302f8 "Trying to allocate %u bytes") at failures.c:259
#1 0xff2068a4 in pool_alloconly_malloc (pool=0x60330, size=0) at mempool-alloconly.c:259
#2 0x00018248 in client_uidls_save (client=0x54d28) at pop3-commands.c:761
#3 0x00018444 in cmd_uidl_init (client=0x54d28, seq=0) at pop3-commands.c:793
#4 0x000185a8 in cmd_uidl (client=0x54d28, args=0x19eb8 "") at pop3-commands.c:824
#5 0x00018a24 in client_command_execute (client=0x54d28, name=0x2b550 "UIDL", args=0x19eb8 "") at pop3-commands.c:889

Fixed: http://hg.dovecot.org/dovecot-2.1/rev/ea18b2ddb67b

Date: Sat, 7 Jul 2012 05:52:03 +0300

2 hours after I reported it; do you ever sleep?! Thanks.

Joseph Tam jtam.h...@gmail.com
[Dovecot] Dovecot 2.1.8 crashes when doing POP3 UIDL on empty INBOX
I noticed a bunch of crashes when Gmail users tried to slurp up their (empty) mailboxes. The problem is not noticed by clients though, but it crashes the pop3 process.

POP3 session

S: +OK Ready.
C: USER user
S: +OK
C: PASS password
S: +OK Logged in.
C: UIDL
... server crashes and disconnects ...

Resulting log

Jul 06 16:58:05 pop3(user): Panic: Trying to allocate 0 bytes
Jul 06 16:58:05 pop3(user): Error: Raw backtrace: 0xff1e6454 -> 0xff1e4f78 -> 0xff20689c -> 0x18240 -> 0x1843c -> 0x185a0 -> 0x18a1c -> 0x1576c -> 0x159cc -> 0xff1fee6c -> 0xff200e24 -> 0xff1fef60 -> 0xff1d8010 -> 0x13584 -> 0x1285c
Jul 06 16:58:14 pop3(user): Fatal: master: service(pop3): child 24972 killed with signal 6 (core dumps disabled)

GDB traceback:

#0 i_panic (format=0xff2302f8 "Trying to allocate %u bytes") at failures.c:259
#1 0xff2068a4 in pool_alloconly_malloc (pool=0x60330, size=0) at mempool-alloconly.c:259
#2 0x00018248 in client_uidls_save (client=0x54d28) at pop3-commands.c:761
#3 0x00018444 in cmd_uidl_init (client=0x54d28, seq=0) at pop3-commands.c:793
#4 0x000185a8 in cmd_uidl (client=0x54d28, args=0x19eb8 "") at pop3-commands.c:824
#5 0x00018a24 in client_command_execute (client=0x54d28, name=0x2b550 "UIDL", args=0x19eb8 "") at pop3-commands.c:889
#6 0x00015774 in client_handle_input (client=0x54d28) at pop3-client.c:629
#7 0x000159d4 in client_input (client=0x54d28) at pop3-client.c:682
#8 0xff1fee74 in io_loop_call_io (io=0x37298) at ioloop.c:379
#9 0xff200e2c in io_loop_handler_run (ioloop=0x34138) at ioloop-poll.c:211
#10 0xff1fef68 in io_loop_run (ioloop=0x34138) at ioloop.c:398
#11 0xff1d8018 in master_service_run (service=0x33c88, callback=0x13120 client_connected) at master-service.c:543
#12 0x0001358c in main (argc=1, argv=0xffbffe0c) at main.c:268

Some non-trivial changes in pop3-commands.c were done between 2.1.3 and 2.1.8 (especially pop3_uidl_duplicates changes in 2.1.7). I guess this bug has crept in there.

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] Removing specific entry in user/auth cache
Francisco Wagner C. Freire wgrcu...@gmail.com writes:

On Wed, Jun 27, 2012 at 9:24 AM, Timo Sirainen t...@iki.fi wrote:

On 27.6.2012, at 14.10, Angel L. Mateo wrote:

We have dovecot configured with auth cache. Is there any way to remove a specific entry (not all) from this cache?

Nope. What do you need it for?

I don't know about Angel, but for me it is useful because sometimes I need to deactivate smtp/imap/pop access for accounts, or change their home after storage migration, and by removing a specific record I can use a long cache time.

I'm not sure that the auth cache holds that information, but I think you can at least invalidate a particular auth cache entry by

1) Changing the user password (and save the previous hash)

2) Authenticate using the new credentials (and invalidate the auth cache entry). For example, you can just do a manual connection on your dovecot server

x login someuser newpassword

This will replace the cache entry with a new one.

3) When you are ready to put the account back online, change the password back to the original. A password mismatch forces a resync to your authentication system which will restore the auth cache.

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] auth trouble
Glenn English wrote:

>> Maybe someone is brute forcing your server's Postfix authenticated SMTP service since Postfix can be configured to use Dovecot's SASL authentication framework.
> and for the suggestion -- I do have Postfix using Dovecot-Auth checking for SASL. I think I'm going to re-install and run Tripwire...

Tripwire? If the purpose of your query is to automate blocking of brute forcers, this software (which detects tampering of critical system files) is not what you want. I suggest trying to find where Postfix failed login reports go, then use fail2ban or what-have-you to detect and block hosts that repeatedly fail authentication. (First Google hit I did on this subject:)

http://scottlinux.com/2011/05/26/prevent-postfix-brute-force/

The log entries might look like

    {timestamp} {servername} postfix/smtpd[{pid}]: lost connection after AUTH from {remote-hostname}[{remote-ip}]

Joseph Tam jtam.h...@gmail.com
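The detection logic that a fail2ban-style filter applies to those Postfix lines, as an added example (not part of the post above and not fail2ban's own code): it picks out the "lost connection after AUTH" pattern quoted above, plus the "SASL ... authentication failed" warning that Postfix smtpd logs on a rejected login, counts hits per client IP, and flags an IP once it has `maxretry` hits within a `findtime` window, which is how fail2ban's two settings of the same names behave. The log lines are constructed samples with documentation-range addresses; the exact wording of the warning line should be checked against your own Postfix version before relying on it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from the original post). 203.0.113.5 fails
# repeatedly within seconds; the other two clients fail once each.
SAMPLE_LOG = """\
May 31 09:00:54 server postfix/smtpd[1234]: connect from unknown[203.0.113.5]
May 31 09:00:55 server postfix/smtpd[1234]: lost connection after AUTH from unknown[203.0.113.5]
May 31 09:00:57 server postfix/smtpd[1234]: lost connection after AUTH from unknown[203.0.113.5]
May 31 09:00:59 server postfix/smtpd[1234]: lost connection after AUTH from unknown[203.0.113.5]
May 31 09:01:01 server postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
May 31 09:01:03 server postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
May 31 09:01:05 server postfix/smtpd[1234]: lost connection after AUTH from unknown[203.0.113.5]
May 31 09:02:10 server postfix/smtpd[1235]: lost connection after AUTH from mail.example.net[198.51.100.7]
May 31 09:02:12 server postfix/smtpd[1235]: connect from mail.example.net[198.51.100.7]
May 31 09:02:40 server postfix/smtpd[1236]: warning: client.example.org[192.0.2.9]: SASL LOGIN authentication failed: authentication failure
May 31 09:03:00 server postfix/smtpd[1236]: disconnect from client.example.org[192.0.2.9]
"""

# Syslog prefix: "Mon DD HH:MM:SS host postfix/smtpd[pid]: message"
SYSLOG = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: (?P<msg>.*)$"
)
# The pattern quoted in the post: client dropped the connection mid-AUTH.
LOST_AFTER_AUTH = re.compile(
    r"^lost connection after AUTH from (?P<host>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\]"
)
# Postfix's explicit SASL failure warning (assumed to match your version's wording).
SASL_FAILED = re.compile(
    r"^warning: (?P<host>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL \S+ authentication failed"
)


def failed_auth_times(lines):
    """Map client IP -> list of timestamps of failed/aborted AUTH attempts."""
    hits = defaultdict(list)
    for line in lines:
        m = SYSLOG.match(line)
        if not m:
            continue
        msg = m.group("msg")
        f = LOST_AFTER_AUTH.match(msg) or SASL_FAILED.match(msg)
        if f:
            # Syslog timestamps carry no year; strptime defaults to 1900, which is
            # fine for computing differences within one log.
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            hits[f.group("ip")].append(ts)
    return hits


def failed_auth_counts(lines):
    """Total failed attempts per IP, regardless of timing."""
    return {ip: len(ts) for ip, ts in failed_auth_times(lines).items()}


def hosts_to_block(lines, maxretry=5, findtime=600):
    """IPs with at least `maxretry` failures inside any `findtime`-second window."""
    flagged = []
    for ip, times in failed_auth_times(lines).items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            span = (times[i + maxretry - 1] - times[i]).total_seconds()
            if span <= findtime:
                flagged.append(ip)
                break
    return sorted(flagged)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(failed_auth_counts(lines))
    print("block:", hosts_to_block(lines))
```

Only the client IP is counted, never the hostname: the hostname field is whatever reverse DNS returned (often "unknown") and is under the remote side's control, so keying a ban on it would let an attacker evade or, worse, spoof a ban onto someone else.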
Re: [Dovecot] auth trouble
Glenn English writes:

> I'm getting a lot of what I think is a local socket asking dovecot:auth to verify username/passwords:
>
>     May 31 09:00:54 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=admin rhost=

If dovecot-auth is getting input from a local socket, then rhost information is irrelevant since the host doing the asking is the server itself (maybe from another daemon connected to a remote host). Maybe someone is brute forcing your server's Postfix authenticated SMTP service since Postfix can be configured to use Dovecot's SASL authentication framework.

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] Can we know when a user read our email?
On Tue, 15 May 2012, Stan Hoeppner writes:

> This unsend feature was created to protect idiots from themselves, nothing more. Which is why the IETF draft went nowhere. You can only fix some types of human stupidity with software. This is not one of them.

I thought someone could make money coming up with an unsend and untwitter service that all it does is to queue the outgoing message for 5 minutes, during which the sender can re-consider and remove it from the queue. Sort of like the kill-switch for live broadcasts. But as the saying goes, you can't make things foolproof, as they keep making better fools.

As to the OP trying to determine whether an Email message has been read, an indirect and imperfect technique, used by spammers and marketing critters, is the web bug:

http://en.wikipedia.org/wiki/Web_bugs

It works by placing innocuous individualized tags in HTML formatted Email (e.g. <img src=http://your.domain/?id={hash}> that downloads a 1x1 dot). You can then correlate web logs with the hashes to see which messages got rendered. A hit does not necessarily mean it got read, and the absence does not mean it was ignored, but it's better than nothing.

If you value your privacy, turn off HTML rendering on your Email reader.

Joseph Tam jtam.h...@gmail.com
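The privacy advice at the end of that post can be applied selectively rather than by turning HTML off altogether: a client or gateway can inspect the HTML part before rendering and flag the remote images that look like web bugs. The following is an added example, not code from the post or from any mail client; it scans an HTML body with the standard-library parser and reports `<img>` tags that fetch from an http(s) URL and are either 1x1 (or otherwise tiny) or carry an individualized query string such as the `?id={hash}` form described above. The HTML sample is constructed, with documentation-range domain names.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message body (not from the original post): one tracking
# pixel, one ordinary logo, one inline cid: image and one image with an
# opaque per-recipient token but no explicit size.
SAMPLE_HTML = """\
<html><body>
<p>Hello,</p>
<img src="http://tracker.example.com/?id=9f2a4c7e1b" width="1" height="1">
<img src="https://www.example.net/static/logo.png" width="200" height="60" alt="logo">
<img src="cid:part1.signature@example.net">
<img src="https://cdn.example.org/open.gif?r=a1b2c3d4e5f6">
<p>Regards</p>
</body></html>
"""


def _is_tiny(value, limit=2):
    """True when a width/height attribute parses to a size of `limit` px or less."""
    if value is None:
        return False
    digits = value.strip().rstrip("px").strip()
    return digits.isdigit() and int(digits) <= limit


class TrackingPixelFinder(HTMLParser):
    """Collect (src, reasons) for <img> tags that look like web bugs."""

    def __init__(self):
        super().__init__()
        self.suspects = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        url = urlsplit(src)
        # Only remote fetches can report back; cid:/data: images stay local.
        if url.scheme not in ("http", "https"):
            return
        reasons = []
        if _is_tiny(a.get("width")) and _is_tiny(a.get("height")):
            reasons.append("1x1")
        if url.query:
            # A query string on an image URL is the usual place for a
            # per-recipient identifier; legitimate CDN images rarely need one.
            reasons.append("query")
        if reasons:
            self.suspects.append((src, reasons))

    def handle_startendtag(self, tag, attrs):
        # Treat self-closing <img ... /> the same as <img ...>.
        self.handle_starttag(tag, attrs)


def find_tracking_pixels(html):
    """Return a list of (src, [reasons]) for suspicious remote images."""
    finder = TrackingPixelFinder()
    finder.feed(html)
    finder.close()
    return finder.suspects


def remote_image_count(html):
    """Count all http(s) images, flagged or not, for a coarse 'remote content' warning."""
    class Counter(HTMLParser):
        n = 0

        def handle_starttag(self, tag, attrs):
            if tag == "img" and urlsplit(dict(attrs).get("src") or "").scheme in ("http", "https"):
                self.n += 1

        def handle_startendtag(self, tag, attrs):
            self.handle_starttag(tag, attrs)

    c = Counter()
    c.feed(html)
    return c.n


if __name__ == "__main__":
    for src, why in find_tracking_pixels(SAMPLE_HTML):
        print(src, "->", ", ".join(why))
```

The check is deliberately conservative in one direction only: it never flags inline (`cid:`) or `data:` images, because those cannot reach a remote server, but it will flag a legitimate remote image that happens to use a query string. For a mail client that is the right trade-off, since the safe default for an unrecognised remote image is to not fetch it until the user asks.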
Re: [Dovecot] dovecot LDA with sendmail
Timo, in response to Hadi, wrote:

>> Apr 24 20:25:46 lda(ja...@example.com): Fatal: setgid(5000(vmail) from userdb lookup) failed with euid=8(mail), gid=12(mail), egid=12(mail): Operation not permitted (This binary should probably be called with process group set to 5000(vmail) instead of 12(mail))
> Configure your MTA to run dovecot-lda as vmail instead of as mail.

Yeah, what he said. Someone helpfully added documentation on how to do this at the end of Dovecot 1's wiki (http://wiki.dovecot.org/LDA/Sendmail), which probably should be copied to Dovecot 2's wiki. So that's what I did.

Joseph Tam jtam.h...@gmail.com
Re: [Dovecot] dovecot LDA with sendmail
> I installed new version 2.0.20, but it's the same problem
>
>     args = username_format=%u /etc/dovecot/users
> ...
>     Apr 21 17:47:16 host1 sendmail[32561]: q3LElF79032559: to=ja...@example.com, ctladdr=r...@host1.bigmama.com (0/0), delay=00:00:00, xdelay=00:00:00, mailer=dovecot, pri=120292, relay=dovecot, dsn=4.0.0, stat=Deferred: dovecot mailer (/usr/local/libexec/dovecot/dovecot-lda) exited with EX_TEMPFAIL

Any logs for dovecot? Same sendmail configs as before, or did you try the extra flag I suggested?

Joseph Tam jtam.h...@gmail.com