Re: BINARY capability not working correctly?

2015-09-29 Thread Jouko Nikula
On Sat, Sep 19, 2015 at 6:27 PM, Michael M Slusarz
 wrote:

>
> Probably this: http://markmail.org/message/abjg72sw7ii5ty5x
>
> Trivial to workaround in client code, so no need to disable BINARY outright
> on a client.
>

It seems that you were right. Updating dovecot from version 2.2.10 to
2.2.18 corrected the problem. The fix is in 2.2.13.

Thanks a lot!

  - Jouko


BINARY capability not working correctly?

2015-09-13 Thread Jouko Nikula
Hello,

I have trouble with some attachments not working on Horde and
Roundcube. I made a ticket to Roundcube webmail and they tracked it
down to Dovecot not responding correctly to BINARY FETCH:

http://trac.roundcube.net/ticket/1490532

What is causing Dovecot to answer NIL? Is there an issue in Dovecot?

If I want to disable the BINARY capability in Dovecot I need to use
imap_capabilities. I found out that I could add capabilities with the
syntax
imap_capabilities= +FOO
but it seems I can't use similar syntax (imap_capabilities= -FOO) to
remove capabilities? If I list all capabilities like:

imap_capabilities= IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID
ENABLE IDLE AUTH=PLAIN SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS
THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT
CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC
ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS SPECIAL-USE
MOVE QUOTA

I understood that this will result in listing all capabilities already
pre-login. Is this a problem?

Thanks,
Jouko Nikula


Re: [Dovecot] Disable maildir indexing and dovecot-uidlist on LMTP/LDA delivery

2014-04-03 Thread Jouko Nikula
>>> However, I would look at the cause of the "insufficient privileges":
>>> it is a symptom of something that could lead to other problems.
>>
>>
>> The cause is that I have not given lmtp read access to mail/home dir.
>> :-) So this is intentional.
>
>
> That is bizarre -- I can't think of how you can profit from denying read
> access to indices, but allow write access, and also allow read access
> to the mailboxes.
>
> Joseph Tam 

Now in my configuration LMTP does not have read access to the
mailboxes. So it can only read the CONTROL files and write all files.
In my opinion this means added security.


And thanks a lot to everyone for your help!


Re: [Dovecot] Disable maildir indexing and dovecot-uidlist on LMTP/LDA delivery

2014-04-03 Thread Jouko Nikula
On Thu, Apr 3, 2014 at 1:36 AM, Joseph Tam  wrote:
>
> Jouko Nikula  writes:
>
>> Is there a way to use LMTP (or LDA) so that maildir index and
>> dovecot-uidlist are not updated?
>>
>> My setup is such that mail delivery sees user's maildir as write only. This
>> setup works well when using postfix for mail delivery, but when I try to
>> switch to dovecot LMTP the lmtp process wants to read the dovecot-uidlist
>> and fails on insufficient privileges. Is there a way around this without
>> exposing the maildir and mail home for read access?
>
>
> You could create MEMORY indices e.g.
>
> mail_location = maildir:~/Maildir:INDEX=MEMORY
>
> which will allow all the other processing like sieve to work.
>

I now used:

  mail_location = maildir:~/mail:INDEX=MEMORY:CONTROL=/var/mail/%d/ctrl/%u

and for sieve:

plugin {
  sieve = /var/mail/%d/ctrl/%u/dovecot.sieve
  sieve_dir = /var/mail/%d/ctrl/%u/
}

I also have two dovecot instances. One is responsible for imap/pop3 and the
other is responsible for sasl and lmtp. The latter uses the configuration above
and the former differs in the mail location so that it does not have the
INDEX=MEMORY setting:

mail_location = maildir:~/mail:CONTROL=/var/mail/%d/ctrl/%u

Do you see problems in this setup? My understanding is that now I'm wasting
a little bit of CPU on creating indices for new mail, but I nevertheless
have working and stored indices on the dovecot's imap instance.

> However, I would look at the cause of the "insufficient privileges":
> it is a symptom of something that could lead to other problems.
>
> Joseph Tam 

The cause is that I have not given lmtp read access to mail/home dir.
:-) So this is intentional.


Re: [Dovecot] Disable maildir indexing and dovecot-uidlist on LMTP/LDA delivery

2014-04-02 Thread Jouko Nikula
I would like to use sieve plugin for server side filtering and I've
understood that LMTP/LDA is required for this.


On Wed, Apr 2, 2014 at 5:48 PM, Tom Hendrikx  wrote:

> On 04/02/2014 12:27 PM, Jouko Nikula wrote:
> > Hello all,
> >
> > Is there a way to use LMTP (or LDA) so that maildir index and
> > dovecot-uidlist are not updated?
> >
> > My setup is such that mail delivery sees user's maildir as write only.
> This
> > setup works well when using postfix for mail delivery, but when I try to
> > switch to dovecot LMTP the lmtp process wants to read the dovecot-uidlist
> > and fails on insufficient privileges. Is there a way around this without
> > exposing the maildir and mail home for read access?
> >
> > Regards,
> > Jouko Nikula
> >
>
> When indexes cannot be updated upon delivery, there is no real benefit
> in using dovecot's delivery mechanisms. So you could just simply let
> postfix deliver the messages.
>
> Tom
>


[Dovecot] Disable maildir indexing and dovecot-uidlist on LMTP/LDA delivery

2014-04-02 Thread Jouko Nikula
Hello all,

Is there a way to use LMTP (or LDA) so that maildir index and
dovecot-uidlist are not updated?

My setup is such that mail delivery sees user's maildir as write only. This
setup works well when using postfix for mail delivery, but when I try to
switch to dovecot LMTP the lmtp process wants to read the dovecot-uidlist
and fails on insufficient privileges. Is there a way around this without
exposing the maildir and mail home for read access?

Regards,
Jouko Nikula


Re: [Dovecot] SHA512-CRYPT scheme fails password verification

2013-12-24 Thread Jouko Nikula
On Wed, Dec 25, 2013 at 2:07 PM, Darren Pilgrim
 wrote:
>
> You're being bitten by shell interpretation/expansion.  You need to make the
> hash an uninterpreted literal (in bourne-type shells, wrap it in single
> quotes):
>

Ah, yes of course. Works now. Thanks!
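The shell-expansion problem Darren describes, reproduced as an added example (not code from the thread): the hash from the original post is passed through the same expansion an unquoted or double-quoted argument gets, and a small format check shows why the mangled value can no longer verify.

```shell
#!/bin/sh
# Added example (not from the thread). HASH is the digest from the original
# post; on a real command line it must be single-quoted exactly like this.
HASH='{SHA512-CRYPT}$6$to2umWLDtqvzS8SV$ZGpBeGNKuUN/2HKG6I2BEAt.Gzrz/y.SZDkos2GT2ik8obnp3XCFWfVsKVriJa6jjHULmLIqCSSyaF5YrTH7u.'

# What a program receives when the hash is typed unquoted or in double quotes:
# the shell reads "$6" as positional parameter 6 and "$to2umWLDtqvzS8SV" and
# "$ZGpBeGNKuUN" as variable names, all empty here, so the salt and the start
# of the digest silently disappear. eval reproduces exactly that expansion.
expanded_hash() {
    eval "printf '%s' \"$HASH\""
}

# Sanity check to run before handing a hash to doveadm pw -t or a passdb:
# scheme prefix, the $6$ id, a non-empty salt, and an 86-character digest,
# which is the fixed digest length of SHA512-CRYPT.
is_intact_hash() {
    case "$1" in
        '{SHA512-CRYPT}$6$'*'$'*) ;;
        *) return 1 ;;
    esac
    digest=${1##*\$}
    [ "${#digest}" -eq 86 ]
}

# Demonstration: the single-quoted form survives, the expanded form does not.
printf 'quoted:   %s\n' "$HASH"
printf 'expanded: %s\n' "$(expanded_hash)"
if is_intact_hash "$HASH"; then echo 'quoted hash is intact'; fi
if ! is_intact_hash "$(expanded_hash)"; then echo 'expanded hash is mangled'; fi
```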


[Dovecot] SHA512-CRYPT scheme fails password verification

2013-12-24 Thread Jouko Nikula
Hello,

If I try to use the crypt schemes provided by libc, I fail as follows:

jnikula@jlaptop:~/$ doveadm pw -s SHA512-CRYPT -p 123456
{SHA512-CRYPT}$6$to2umWLDtqvzS8SV$ZGpBeGNKuUN/2HKG6I2BEAt.Gzrz/y.SZDkos2GT2ik8obnp3XCFWfVsKVriJa6jjHULmLIqCSSyaF5YrTH7u.
jnikula@jlaptop:~/$ doveadm pw -t {SHA512-CRYPT}$6$to2umWLDtqvzS8SV$ZGpBeGNKuUN/2HKG6I2BEAt.Gzrz/y.SZDkos2GT2ik8obnp3XCFWfVsKVriJa6jjHULmLIqCSSyaF5YrTH7u. -p 123456
doveadm(jnikula): Fatal: reverse password verification check failed:
Password mismatch

Using SHA512 sum scheme (-s SHA512) works ok in the same manner.

I have dovecot version 2.2.9 on Linux 3.11.0-14-generic x86_64 Ubuntu
13.10 and I get the same results on 32-bit Debian as well. Does anyone
have an idea what's wrong?

Thanks in advance,
Jouko Nikula


[Dovecot] Ignoring mount points for secondary dovecot instance does not seem to work

2013-12-20 Thread Jouko Nikula
Hello,

I tried to ignore all mountpoints in Dovecot. I have two dovecot
instances running:

root@fileserver# doveadm instance list
path                        name       last used            running
/usr/local/var/run/dovecot  dovecot    2013-12-21 08:09:34  yes
/var/run/dovecot.smtp       smtp-auth  2013-12-21 08:09:34  yes

I give commands:

root@fileserver# doveadm mount add '/*' ignore
root@fileserver# doveadm -i smtp-auth mount add '/*' ignore

And then restart dovecot. In the log I can see that the main instance
is now ignoring my mountpoints, but the smtp-auth instance is still
warning about my mountpoints. Is this a bug or am I missing something?

My configurations are as follows:

root@fileserver# doveconf -ni smtp-auth
# 2.2.9: /usr/local/etc/dovecot/dovecot.conf.smtp
# OS: Linux 3.2.0-4-686-pae i686 Debian 7.1
auth_mechanisms = plain login
base_dir = /var/run/dovecot.smtp/
first_valid_uid = 123
instance_name = smtp-auth
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_gid = mail
mail_location = maildir:~/mail
mail_uid = vmail
passdb {
  args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
passdb {
  args = dovecot
  driver = pam
}
protocols =
service auth-worker {
  user = vmail
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
ssl_cert = 

[Dovecot] multiple passdbs and auth sockets

2013-12-11 Thread Jouko Nikula
Hello,

I want to use different authentication arguments for smtp and imap/pop3.

In the dovecot list I found this:
http://www.dovecot.org/list/dovecot/2013-August/091960.html

I tried to follow these instructions but dovecot refuses to find the
auth executable:

Dec 12 10:36:18 jlaptop postfix/smtpd[7302]: connect from localhost[127.0.0.1]
Dec 12 10:36:18 jlaptop dovecot: auth-10: Error: doveconf: Fatal:
execvp(/usr/local/var/run/dovecot/dovecot/auth) failed: No such file
or directory
Dec 12 10:36:18 jlaptop dovecot: master: Error: service(auth-10):
command startup failed, throttling for 2 secs
Dec 12 10:36:18 jlaptop dovecot: auth-10: Fatal: master:
service(auth-10): child 7304 returned error 89 (Fatal failure)
Dec 12 10:36:18 jlaptop postfix/smtpd[7302]: fatal: no SASL
authentication mechanisms
Dec 12 10:36:19 jlaptop postfix/master[7046]: warning: process
/usr/lib/postfix/smtpd pid 7302 exit status 1
Dec 12 10:36:19 jlaptop postfix/master[7046]: warning:
/usr/lib/postfix/smtpd: bad command startup -- throttling

My settings for postfix and dovecot are as follows:

root@jlaptop:/usr/local/etc/dovecot/conf.d# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
default_transport = error
home_mailbox = Maildir/
inet_interfaces = loopback-only
mailbox_command =
mailbox_size_limit = 0
myhostname = jlaptop
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
queue_directory = /var/spool/postfix
readme_directory = no
recipient_delimiter = +
relay_transport = error
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth-10
smtpd_sasl_type = dovecot
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_gid_maps = static:8
virtual_mailbox_base = /var/mail/smtp
virtual_mailbox_domains = jlaptop.com
virtual_mailbox_maps = hash:/etc/postfix/vmaps
virtual_minimum_uid = 100
virtual_uid_maps = static:124


root@jlaptop:/usr/local/etc/dovecot/conf.d# doveconf -n
# 2.2.9: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.11.0-13-generic x86_64 Ubuntu 13.10
auth_debug = yes
auth_debug_passwords = yes
auth_verbose = yes
first_valid_uid = 124
mail_gid = mail
mail_home = /var/mail/imap/%n
mail_location = maildir:~/mail
mail_plugin_dir = /usr/local/lib/dovecot/
mail_plugins = gpgfuse_umount
mail_uid = vmail
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = session=yes dovecot
  driver = pam
}
protocols = imap pop3 lmtp imap pop3
service auth-10 {
  executable = auth -c /usr/local/etc/dovecot-auth-smtp.conf
  process_limit = 1
  unix_listener /var/spool/postfix/private/auth-10 {
    group = postfix
    mode = 0666
    user = postfix
  }
}
ssl_cert = 

Re: [Dovecot] post-logout scripting

2013-12-10 Thread Jouko Nikula
On Mon, Dec 9, 2013 at 4:49 AM, Timo Sirainen  wrote:
>
> No, doesn’t work that way anymore. You could instead use this: 
> http://dovecot.org/patches/2.2/imap-logout-plugin.c
>

Thanks for your reply! This works for me. However, if I want to do the
same for pop3 logout, do I need a separate plugin for it or can I do
both in the same plugin? If I try to include both "imap-common.h" and
"pop3-common.h" in the same plugin I get type conflicts.


[Dovecot] post-logout scripting

2013-11-25 Thread Jouko Nikula
Hi all,

I found this (http://www.dovecot.org/list/dovecot/2010-January/045717.html)
describing how to do a post-logout script. But is this still valid?
It seems I'm getting an error when trying to execute the imap process in
the post-logout script, and the post-logout documentation does not talk about
executing imap.

I'm trying to umount (virtual) user home directory when user logs out.

Thanks,
 - Jouko


Re: [Dovecot] Checkpassword interface for custom password check and home mounting

2013-11-24 Thread Jouko Nikula
On Mon, Nov 25, 2013 at 10:57 AM, Kai Hendry  wrote:
> May I ask why you mount the user directory? Couldn't it just be already
> mounted and you simply use the PAM interface?

First of all, sorry about the double post. Yes, I believe I could use
the PAM interface. It looks more suitable for this. I will look into
it. Thanks for pointing me in the right direction!


[Dovecot] Checkpassword interface for custom password check and home mounting

2013-11-24 Thread Jouko Nikula
Hi,

I'm trying to use the checkpassword interface to do a password check
and if the check succeeds I mount the user home directory (including
mail) using the user's login password and uid.

Things work well if I do the mount manually, but when I add the home
directory mounting to checkpassword things seem to stop. Dovecot logs
the result of the password check, but doesn't send the result to the
client.

Here's the log:
Nov 25 10:32:05 jlaptop dovecot: auth: Debug: Loading modules from
directory: /usr/lib/dovecot/modules/auth
Nov 25 10:32:05 jlaptop dovecot: auth: Debug: auth client connected (pid=27551)
Nov 25 10:32:05 jlaptop dovecot: auth: Debug: client in:
AUTH#0111#011PLAIN#011service=imap#011secured#011session=8HsMAvjrvgB/AAAB#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=39614
Nov 25 10:32:05 jlaptop dovecot: auth: Debug: client out: CONT#0111#011
Nov 25 10:32:05 jlaptop dovecot: auth: Debug: client in: CONT
Nov 25 10:32:05 jlaptop dovecot: auth: Debug:
checkpassword(jouko.nikula,127.0.0.1,<8HsMAvjrvgB/AAAB>): execute:
/usr/sbin/gpgfusemount /usr/lib/dovecot/checkpassword-reply
Nov 25 10:32:05 jlaptop dovecot: auth: Debug:
checkpassword(jouko.nikula,127.0.0.1,<8HsMAvjrvgB/AAAB>):
exit_status=0


My dovecot version is 2.1.7. My checkpassword is a setuid binary and
the mount is a self made fuse-fs.

Any ideas what happens? Are there better ways to do this?

Thanks,
- Jouko


[Dovecot] Checkpassword interface for custom password check and home mounting

2013-11-24 Thread Jouko Nikula
Hi,

I'm trying to use the checkpassword interface to do a password check and if
the check succeeds I mount the user home directory (including mail) using
the user's login password and uid.

My password check seems to work, but when I add the home directory mounting
things seem to stop. Dovecot never logs the result of the password check
and nothing happens until the client gets bored and tries again. I added
a trace to dovecot's checkpassword-reply and I see that it's really
executed, it writes the reply and returns 0 for successful authentication.

My dovecot version is 2.1.7. My checkpassword is a setuid binary and the
mount is a self made fuse-fs.

Any ideas what happens? Are there better ways to do this?

Thanks,
- Jouko