Extra listener for client cert ?

2024-08-13 Thread Laura Smith via dovecot
Is it possible to, and (if yes) has anyone had experience with setting up an 
extra listener that requires client certs.

The problem I've got is I still need to support Outlook clients.  Fortunately 
these are located in fixed locations on desktop computers.

Meanwhile, I would like to harden the configuration for road warriors who are 
all using devices and OSs that play nicer with client certs than Outlook does 
(well, Outlook doesn't play at all !).

So I was thinking of opening 993 on a separate IP address with that listener 
requiring client certificates.

The alternative is, of course a VPN, which is still under consideration as an 
option.  But even then, with the security onion, I'd still rather have both 
 :)
___
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org


Re: Debian Bookworm packages, please !

2024-06-27 Thread Laura Smith via dovecot

My understanding was that OX were hoping for a 6-figure sum, or, at best, a 
high 5-figure.

Certainly as far as I am aware nothing was ever going to be on the table for 
4-figures or below.

If sales have changed their mind and introduced affordable options for 
non-large-scale deployments then that’s great.

 But I know at least 10 people who all had the same experience as me, $ or 
nothing. 


On Thu, Jun 27, 2024 at 09:33, Aki Tuomi via dovecot  
wrote:
Although things do change in our sales too and things are not set in stone. 
There are some floor limit, but I know that megabucks are not needed to buy pro 
licenses.

Aki

> On 27/06/2024 11:03 EEST Laura Smith via dovecot  wrote:
>
>
> Perhaps try reading my last post Scott.
>
> Perhaps especially the bit where I said OX were offered money but they were 
> not interested without megabucks being spent.
>
> As others have said, take your cheap, unsubstantiated, attacks elsewhere chum.
>
>
>
> On Wednesday, 26 June 2024 at 21:24, Scott Q. via dovecot 
>  wrote:
>
> > What's her point really ? That someone owes her up to date,
> > FREE, secure software that she wants to use in a commercial setting
> > ?
> >


Re: Debian Bookworm packages, please !

2024-06-27 Thread Laura Smith via dovecot
Perhaps try reading my last post Scott.

Perhaps especially the bit where I said OX were offered money but they were not 
interested without megabucks being spent.  

As others have said, take your cheap, unsubstantiated, attacks elsewhere chum.



On Wednesday, 26 June 2024 at 21:24, Scott Q. via dovecot  
wrote:

> What's her point really ? That someone owes her up to date,
> FREE, secure software that she wants to use in a commercial setting
> ?
> 


Re: Debian Bookworm packages, please !

2024-06-26 Thread Laura Smith via dovecot
> Why do you care about the repo then ? Use the patch locally,
> publish it, etc. You care about OpenSSL 3.0 compatibility right ? What
> do you care if it's in the public tree or not.


Because Aki has been shouting from the rooftops here that "beware, it's not that 
easy, Dovecot crashes with OpenSSL 3.0".

Aki has seen the OpenSSL 3 code already present in Debian (and Ubuntu and 
Fedora, it's the same code) and supposedly that causes crashes.

I'm sure the people who submitted code to the Fedora tree are much better 
programmers than I am, and if their efforts are not good enough, then, well...

So, if we rephrase it, Aki is effectively telling people not to waste their 
time trying to patch OpenSSL 3.0 compatibility into 2.3




Re: Debian Bookworm packages, please !

2024-06-26 Thread Laura Smith via dovecot
I suggest you descend rapidly off your high horse Scott, for two reasons:


1.  I know people who have approached OpenXChange for commercial Dovecot 
support. TL;DR OpenXChange are basically not interested unless you're going to 
spend the big-bucks (i.e. if you're not a major ISP/Telco or something, forget 
about it).
2.  As Aki has demonstrated with his denigration of the 2.3 patches in the 
Debian tree, they are clearly not particularly interested in contributions to 
make 2.3 OpenSSL 3.0 compatible.
3.  Perhaps most importantly, as Aki has stated, they have no intention of 
making 2.3 OpenSSL 3.0 compatible ... ergo they would never merge my patch into 
the tree ... ergo it will never be on the Dovecot repo ... ergo I would have 
wasted my time.


On Wednesday, 26 June 2024 at 14:47, Scott Q.  wrote:

> Hi Laura,
> I understand your frustration but if you are relying on Dovecot for a 
> commercial solution, I believe your anger is misguided. The open source 
> project has no duty nor do they have to guarantee anything. Open source means 
> everyone can contribute, but in this case, only one major contributor exists.
> 
> My advice for anyone facing similar frustrations is to contribute the proper 
> code to 2.3 to make it compatible with OpenSSL 3.0. Failing that, you can 
> hire competent programmers and have them contribute the code to the public 
> GitHub repository.
> 
> No, I don't work for OpenXChange but I do maintain a few open source projects 
> and am accustomed to people's expectations to get commercial grade 
> software...for free.
> 
> Cheers
> 
> On Wednesday, 26/06/2024 at 08:34 Laura Smith via dovecot wrote:
> 
> > You are conflating OS with packages.  I don't think you'll find any OS 
> > making promises about packages. 
> > 
> > And even if it were the case, you are expecting a community patch based on 
> > what exactly ? OpenSSL are not releasing the code to non-premium customers, 
> > and as Aki has repeatedly told us here, OpenSSL 3.0 is vastly different to 
> > 1.1.1, so it's not like you can expect to magically invent a patch based on 
> > the OpenSSL 3.0 code (even if it may be true for a limited number of 
> > circumstances, it won't be true for all 1.1.1 patches).
> > 
> > The sensible thing to do is to run a current OS with a current version of 
> > OpenSSL, anything else is wishful thinking based on excess expectations, 
> > frankly.
> > 
> > 
> > On Wednesday, 26 June 2024 at 13:11, Lucas Rolff  
> > wrote:
> > 
> > > They likely do not, but vulnerabilities reported are also patched for the 
> > > duration of the OS lifecycle. With or without premium access. Since 
> > > that's what the OS has committed to, unless they pull a redhat and 
> > > deprecate an OS before initial EOL date.
> > >
> > > Sent from Outlook for iOS
> > >
> > > From: Laura Smith 
> > > Sent: Wednesday, June 26, 2024 2:06:44 PM
> > > To: Lucas Rolff 
> > > Cc: Aki Tuomi ; Laura Smith via dovecot 
> > > ; Michael 
> > > Subject: Re: Debian Bookworm packages, please !
> > >
> > > So you're saying other operating systems magically get access to OpenSSL 
> > > premium ?  I somehow doubt it.
> > >
> > >
> > >
> > >
> > > On Wednesday, 26 June 2024 at 13:01, Lucas Rolff  
> > > wrote:
> > >
> > > > That Debian doesn't patch their LTS releases properly like other 
> > > > operating systems, should probably be brought up with the Debian 
> > > > release and security teams.
> > > >
> > > > Sent from Outlook for iOS
> > > >
> > > > From: Laura Smith via dovecot 
> > > > Sent: Wednesday, June 26, 2024 1:31:48 PM
> > > > To: Aki Tuomi 
> > > > Cc: Laura Smith via dovecot ; Michael 
> > > > 
> > > > Subject: Re: Debian Bookworm packages, please !
> > > >
> > > > The fundamental problem here is that this turns into a security 
> > > > problem, which in 2024 is not a nice thing to have.
> > > >
> > > > Yes, theoretically I could run the previous Debian release, 11 Bullseye 
> > > > which is now EOL but in LTS until 2026.
> > > >
> > > > However, the OpenSSL delivered with Bullseye is 1.1.1.  Any LTS patches 
> > > > delivered by Debian are based on public patches, so basically there 
> > > > will be no OpenSSL patches because OpenSSL moved 1.1.1 to premium 
> > > > support only, *INCLUDING* security patches, as described on thei

Re: Debian Bookworm packages, please !

2024-06-26 Thread Laura Smith via dovecot
You are conflating OS with packages.  I don't think you'll find any OS making 
promises about packages. 

And even if it were the case, you are expecting a community patch based on what 
exactly ? OpenSSL are not releasing the code to non-premium customers, and as 
Aki has repeatedly told us here, OpenSSL 3.0 is vastly different to 1.1.1, so 
it's not like you can expect to magically invent a patch based on the OpenSSL 3.0 
code (even if it may be true for a limited number of circumstances, it won't be 
true for all 1.1.1 patches).

The sensible thing to do is to run a current OS with a current version of 
OpenSSL, anything else is wishful thinking based on excess expectations, 
frankly.


On Wednesday, 26 June 2024 at 13:11, Lucas Rolff  wrote:

> They likely do not, but vulnerabilities reported are also patched for the 
> duration of the OS lifecycle. With or without premium access. Since that's 
> what the OS has committed to, unless they pull a redhat and deprecate an OS 
> before initial EOL date.
> 
> Sent from Outlook for iOS
> 
> From: Laura Smith 
> Sent: Wednesday, June 26, 2024 2:06:44 PM
> To: Lucas Rolff 
> Cc: Aki Tuomi ; Laura Smith via dovecot 
> ; Michael 
> Subject: Re: Debian Bookworm packages, please !
> 
> So you're saying other operating systems magically get access to OpenSSL 
> premium ?  I somehow doubt it.
> 
> 
> 
> 
> On Wednesday, 26 June 2024 at 13:01, Lucas Rolff  wrote:
> 
> > That Debian doesn't patch their LTS releases properly like other operating 
> > systems, should probably be brought up with the Debian release and security 
> > teams.
> > 
> > Sent from Outlook for iOS
> > 
> > From: Laura Smith via dovecot 
> > Sent: Wednesday, June 26, 2024 1:31:48 PM
> > To: Aki Tuomi 
> > Cc: Laura Smith via dovecot ; Michael 
> > 
> > Subject: Re: Debian Bookworm packages, please !
> > 
> > The fundamental problem here is that this turns into a security problem, 
> > which in 2024 is not a nice thing to have.
> > 
> > Yes, theoretically I could run the previous Debian release, 11 Bullseye 
> > which is now EOL but in LTS until 2026.
> > 
> > However, the OpenSSL delivered with Bullseye is 1.1.1.  Any LTS patches 
> > delivered by Debian are based on public patches, so basically there will be 
> > no OpenSSL patches because OpenSSL moved 1.1.1 to premium support only, 
> > *INCLUDING* security patches, as described on their website ("It will no 
> > longer be receiving publicly available security fixes after that date") 
> > https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/index.html.
> > 
> > Meanwhile, we are being spoonfed FUD/semi-FUD about the Debian provided 2.3 
> > package. "be careful it's broken" is not a warning a good sysadmin takes 
> > lightly.
> > 
> > Meanwhile, if we're lucky, we might get 2.4 this side of Christmas 2024.
> > 
> > It's all a bit of a mess. It's all a bit worrying.
> > 
> > Meanwhile alternatives are few and far between, and I suspect Dovecot knows 
> > that !   The Dovecot community are left between the proverbial rock and a 
> > hard place.
> > 
> > Cyrus is now dependent on the commercial goodwill of FastMail, which brings 
> > thoughts of comparisons with Dovecot and OpenXChange.
> > 
> > Stalwart, whilst extraordinarily promising, needs another year or so of 
> > development to reach v1 and mature the code.


Re: Debian Bookworm packages, please !

2024-06-26 Thread Laura Smith via dovecot
To support my prior comment, FreeBSD are quite clear about it (see below 
explicit statement on one of their previous Security Advisories) and I expect 
it to be the same with Debian and any other FOSS operating system.

Security Advisory FreeBSD-SA-20:33.openssl CVE-2020-1971: "However, the OpenSSL 
project is only giving patches for that version to premium support contract 
holders. The FreeBSD project does not have access to these patches"

On Wednesday, 26 June 2024 at 13:01, Lucas Rolff via dovecot 
 wrote:

> That Debian doesn't patch their LTS releases properly like other operating 
> systems, should probably be brought up with the Debian release and security 
> teams.
> 
> Sent from Outlook for iOS https://aka.ms/o0ukef
> 
> ____________
> From: Laura Smith via dovecot dovecot@dovecot.org
> 
> Sent: Wednesday, June 26, 2024 1:31:48 PM
> To: Aki Tuomi aki.tu...@open-xchange.com
> 
> Cc: Laura Smith via dovecot dovecot@dovecot.org; Michael m...@hemathor.de
> 
> Subject: Re: Debian Bookworm packages, please !
> 
> The fundamental problem here is that this turns into a security problem, 
> which in 2024 is not a nice thing to have.
> 
> Yes, theoretically I could run the previous Debian release, 11 Bullseye which 
> is now EOL but in LTS until 2026.
> 
> However, the OpenSSL delivered with Bullseye is 1.1.1. Any LTS patches 
> delivered by Debian are based on public patches, so basically there will be 
> no OpenSSL patches because OpenSSL moved 1.1.1 to premium support only, 
> INCLUDING security patches, as described on their website ("It will no longer 
> be receiving publicly available security fixes after that date") 
> https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/index.html.
> 
> Meanwhile, we are being spoonfed FUD/semi-FUD about the Debian provided 2.3 
> package. "be careful it's broken" is not a warning a good sysadmin takes 
> lightly.
> 
> Meanwhile, if we're lucky, we might get 2.4 this side of Christmas 2024.
> 
> It's all a bit of a mess. It's all a bit worrying.
> 
> Meanwhile alternatives are few and far between, and I suspect Dovecot knows 
> that ! The Dovecot community are left between the proverbial rock and a hard 
> place.
> 
> Cyrus is now dependent on the commercial goodwill of FastMail, which brings 
> thoughts of comparisons with Dovecot and OpenXChange.
> 
> Stalwart, whilst extraordinarily promising, needs another year or so of 
> development to reach v1 and mature the code.


Re: Debian Bookworm packages, please !

2024-06-26 Thread Laura Smith via dovecot
So you're saying other operating systems magically get access to OpenSSL 
premium ?  I somehow doubt it.




On Wednesday, 26 June 2024 at 13:01, Lucas Rolff  wrote:

> That Debian doesn't patch their LTS releases properly like other operating 
> systems, should probably be brought up with the Debian release and security 
> teams.
> 
> Sent from Outlook for iOS
> 
> From: Laura Smith via dovecot 
> Sent: Wednesday, June 26, 2024 1:31:48 PM
> To: Aki Tuomi 
> Cc: Laura Smith via dovecot ; Michael 
> Subject: Re: Debian Bookworm packages, please !
> 
> The fundamental problem here is that this turns into a security problem, 
> which in 2024 is not a nice thing to have.
> 
> Yes, theoretically I could run the previous Debian release, 11 Bullseye which 
> is now EOL but in LTS until 2026.
> 
> However, the OpenSSL delivered with Bullseye is 1.1.1.  Any LTS patches 
> delivered by Debian are based on public patches, so basically there will be 
> no OpenSSL patches because OpenSSL moved 1.1.1 to premium support only, 
> *INCLUDING* security patches, as described on their website ("It will no 
> longer be receiving publicly available security fixes after that date") 
> https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/index.html.
> 
> Meanwhile, we are being spoonfed FUD/semi-FUD about the Debian provided 2.3 
> package. "be careful it's broken" is not a warning a good sysadmin takes 
> lightly.
> 
> Meanwhile, if we're lucky, we might get 2.4 this side of Christmas 2024.
> 
> It's all a bit of a mess. It's all a bit worrying.
> 
> Meanwhile alternatives are few and far between, and I suspect Dovecot knows 
> that !   The Dovecot community are left between the proverbial rock and a 
> hard place.
> 
> Cyrus is now dependent on the commercial goodwill of FastMail, which brings 
> thoughts of comparisons with Dovecot and OpenXChange.
> 
> Stalwart, whilst extraordinarily promising, needs another year or so of 
> development to reach v1 and mature the code.


Re: Debian Bookworm packages, please !

2024-06-26 Thread Laura Smith via dovecot
The fundamental problem here is that this turns into a security problem, which 
in 2024 is not a nice thing to have.

Yes, theoretically I could run the previous Debian release, 11 Bullseye which 
is now EOL but in LTS until 2026.

However, the OpenSSL delivered with Bullseye is 1.1.1.  Any LTS patches 
delivered by Debian are based on public patches, so basically there will be no 
OpenSSL patches because OpenSSL moved 1.1.1 to premium support only, 
*INCLUDING* security patches, as described on their website ("It will no longer 
be receiving publicly available security fixes after that date") 
https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/index.html.

Meanwhile, we are being spoonfed FUD/semi-FUD about the Debian provided 2.3 
package. "be careful it's broken" is not a warning a good sysadmin takes 
lightly.

Meanwhile, if we're lucky, we might get 2.4 this side of Christmas 2024.

It's all a bit of a mess. It's all a bit worrying.

Meanwhile alternatives are few and far between, and I suspect Dovecot knows 
that !   The Dovecot community are left between the proverbial rock and a hard 
place.

Cyrus is now dependent on the commercial goodwill of FastMail, which brings 
thoughts of comparisons with Dovecot and OpenXChange.

Stalwart, whilst extraordinarily promising, needs another year or so of 
development to reach v1 and mature the code.


Re: Debian Bookworm packages, please !

2024-06-26 Thread Laura Smith via dovecot


> > could you please elaborate on this? are there any security issues with
> > using the debian version? what are the problems you are implicating with
> > your above statement, that it's 'not fully working either'?
> > 
> > greetings...
> 
> 
> It can sometimes crash.
> 
> Aki


Does Dovecot even care about its open-source community any more ?  We know 
you've opted to focus on your commercial efforts, that's fine, that's your 
prerogative.  But at the moment it is feeling like "go closed source or show 
some more feeling towards the open-source side".

I mean seriously, "it can sometimes crash", is that all ?

Does it mean people should not use the Debian packages full stop ?

Does it mean people can use the Debian packages but not certain configurations ?

"it can sometimes crash" is basically the same thing as not bothering to post 
anything at all. shrug.


Re: Debian Bookworm packages, please !

2024-06-25 Thread Laura Smith via dovecot


> 
> We can already see that the Debian/RedHat patched 2.3 which is offered is 
> broken because there is more than just "making it compile" with things like 
> OpenSSL3, and yes, I can appreciate that it's not fully broken, but it's not 
> fully working either.


Yeah, that's sort of what's holding me back from just blindly installing the 
Debian distro package.  Whilst I'm no expert, I did spot some OpenSSL3 mentions 
looking briefly through the Debian bug tracker.

Do you have any opinion on the FreeBSD dovecot ? I'd rather stick with Debian 
but having a working mailserver on a current version of an OS is a somewhat 
higher importance.

If Stalwart was more mature than it currently is, I would have moved over to 
that already.  Sadly that will have to wait for the next round of server 
refreshes in a few years time.


Re: Debian Bookworm packages, please !

2024-06-25 Thread Laura Smith via dovecot


On Tuesday, 25 June 2024 at 15:06, Aki Tuomi via dovecot  
wrote:

> > On 25/06/2024 16:58 EEST Laura Smith via dovecot dovecot@dovecot.org wrote:
> > 
> > Debian Bookworm (12) was released June 2023.
> > 
> > It is therefore somewhat disappointing to see no Bookworm packages in 
> > https://repo.dovecot.org/ce-2.3-latest/debian/
> 
> 
> We are going to add support for Debian Bookworm to Dovecot 2.4 version.
> 
>

Is there any more concrete news on the mysterious 2.4 ?  I found an old post 
from you from 2023 which said "soon" ?


Debian Bookworm packages, please !

2024-06-25 Thread Laura Smith via dovecot
Debian Bookworm (12) was released June 2023.

It is therefore somewhat disappointing to see no Bookworm packages in 
https://repo.dovecot.org/ce-2.3-latest/debian/


Re: Replicator service in Dovecot 2.4 CE

2023-10-18 Thread Laura Smith via dovecot


> Are you completely removing support for 'replication-with-dsync' starting 
> from version 2.4?
> Are there any plans for built-in tools to implement an active/active or 
> active/passive cluster in the community edition?


kv 

See the long discussion "the future of SIS" 
(https://dovecot.org/mailman3/archives/list/dovecot@dovecot.org/thread/2CPFZ5OXVA2QYHQBWH7P6QM4J4D7FEYE/)




Re: The future of SIS

2023-10-17 Thread Laura Smith via dovecot


--- Original Message ---
On Tuesday, October 17th, 2023 at 15:27, Filip Hanes via dovecot 
 wrote:

> Other S3 implementation is Minio on top of any posix filesystem - you can 
> choose which fills your needs.


Minio is great in general, the only thing I would say is it's a little bit weird 
to set up if you're in a VM environment. It was really based around physical 
hosts, so you need to replicate that on VMs (i.e. 3 x virtual disks per VM so 
that the error encoding stuff works just like it would on physical hosts).

But certainly compared to Ceph it's a lot easier on the sysadmin side !


Re: The future of SIS

2023-10-17 Thread Laura Smith via dovecot


--- Original Message ---
On Tuesday, October 17th, 2023 at 06:46, Jean-Daniel Dupas  
wrote:


> 
> If you are using Ubuntu, OpenZFS is readily available, and supports 
> deduplication natively.


I thought nobody sane actually used ZFS dedup because it eats RAM for 
breakfast, lunch and dinner ?


RE: The future of SIS

2023-10-16 Thread Laura Smith via dovecot


> Is s3 not too slow for this?
> 

I think the clue is in the name "s3-compatible".

Clearly calling out to "real" (AWS) S3 would be a non-starter.

But a local installation of something like CEPH, MinIO or whatever on the same 
LAN ? I'd think that should be workable, no ?


RE: The future of SIS

2023-10-16 Thread Laura Smith via dovecot


> 
> Interesting, nice they use this rust, I am curious how they define this 
> scaling. What I don't get is why are they messing with smtp. I always get a 
> bad feeling when a company is trying to do everything.

Good they are using rust and even better they've had an independent security 
audit (https://www.stalw.art/blog/security-audit).

On the scaling side, maybe see the storage page ? 
(https://www.stalw.art/docs/storage/overview).  The metadata is stored in a 
database which can be replicated.  And the mails themselves can be stored in 
filesystem or "S3-compatible" storage, and so there are scaling options there 
too ? But clearly some experimentation is required to see how it works in 
practice. 

Are they messing with SMTP ?  As I understand it it's an IMAP/JMAP server.  And 
(like Dovecot) it has LMTP for getting mail into it from e.g. Postfix ?  From 
my reading of the docs it looks like SMTP is only there if you don't want to 
use LMTP to get mail into it ?





Re: The future of SIS

2023-10-16 Thread Laura Smith via dovecot


> > Well, so Laura is absolutely right ...
> 
> 
> "Things like dsync will be GONE in the community version."
> 
> That's not right, dsync is still there. Replicator is not, so dsync can't be
> triggered automatically by dovecot after changes to the mailbox 

Well, to be fair :

1. I said what I said based on the video. And the video seemed pretty clear cut 
to me ?

2. It's not there in the form that many (most ?) people would use it for (i.e. 
with Replicator).

3. Then Aki came along and said "there is no hidden cache of code going into 
3.0 that will not be open source".  When the video kind of makes it clear 3.0 
Pro with all its new features (e.g. multi-server) is very much going to be a 
closed-source job.  And that the present open-source version is, just like they 
say in the video, going to be "supported for single-server use only".

Therefore the waters are still very much muddy overall.  The dsync question 
might well have now been clarified somewhat. But the rest of "how much 3.0 Pro 
will we see in open source" ?  If we're being generous we would say muddy 
waters, but my gut feeling is the video made clear their direction of travel in 
that the present Open Source version will continue as-is with updates and 
support, but won't be getting any of the fancy new features and functionality 
that 3.0 Pro is.


Re: The future of SIS

2023-10-16 Thread Laura Smith via dovecot


> 
> If that is the case, well then I have to find another way to keep mails in 
> sync between 2 mailservers. Hope the community will find a new solution!
> 

I have been keeping one eye on Stalwart (https://stalw.art/) for a while now.

I haven't tested it as yet, but I'm very much tempted to get a test instance up 
and running.


Re: The future of SIS

2023-10-13 Thread Laura Smith via dovecot
FUD ? 

I knew someone would accuse me of that which is why I linked to the video from 
the horse's mouth, I transcribe what the speaker said:

"there will be an open source version, but that open source version will be 
maintained for single server use only. we are actually taking out anything any 
actually kinda' involves multiple servers, dsync replication and err some other 
stuff. so dovecot will be a fully-featured single node server"




--- Original Message ---
On Friday, October 13th, 2023 at 19:37, Aki Tuomi  
wrote:


> Dear Laura, please don't spread FUD that you made up.
> 
> Dsync is not going anywhere, and we are not close-sourcing Dovecot Core. 
> There is not a trove of code going into Dovecot 3.0 that "never sees the 
> daylight".
> 
> Thank you,
> Aki
> 
> > On 13/10/2023 21:10 EEST Laura Smith via dovecot dovecot@dovecot.org wrote:
> > 
> > TL;DR If you are a Dovecot Community user, don't waste your time reading 
> > the Dovecot Pro release notes.
> > 
> > To expand:
> > 
> > I think you have to understand that lots of things that are going into 
> > Dovecot 3 (Pro) will never see the light of day in the community edition.
> > 
> > In addition, Dovecot have publicly quite plainly announced in public that 
> > they are actively removing all multi-server related functionality from 
> > Dovecot Community.
> > 
> > I don't think the community has quite yet grasped it. Things like dsync 
> > will be GONE in the community version.
> > 
> > If you don't believe me, look at this video, about 15 minutes in:
> > https://youtu.be/s-JYrjCKshA?feature=shared&t=912
> > 
> > --- Original Message ---
> > On Friday, October 13th, 2023 at 17:15, Sebastian Marsching 
> > sebast...@marsching.com wrote:
> > 
> > > Hi,
> > > 
> > > I am currently in the process of planning a new deployment of Dovecot. I 
> > > was planning to use mdbox or sdbox with “mail_attachment_fs = sis posix”, 
> > > but I stumbled across the following notice in the documentation for 
> > > Dovecot 3.0


Re: The future of SIS

2023-10-13 Thread Laura Smith via dovecot
TL;DR If you are a Dovecot Community user, don't waste your time reading the 
Dovecot Pro release notes.

To expand:

I think you have to understand that lots of things that are going into Dovecot 
3 (Pro) will never see the light of day in the community edition.

In addition, Dovecot have publicly quite plainly announced in public that they 
are actively removing all multi-server related functionality from Dovecot 
Community.

I don't think the community has quite yet grasped it.  Things like dsync will 
be GONE in the community version.

If you don't believe me, look at this video, about 15 minutes in:
https://youtu.be/s-JYrjCKshA?feature=shared&t=912

--- Original Message ---
On Friday, October 13th, 2023 at 17:15, Sebastian Marsching 
 wrote:


> Hi,
> 
> I am currently in the process of planning a new deployment of Dovecot. I was 
> planning to use mdbox or sdbox with “mail_attachment_fs = sis posix”, but I 
> stumbled across the following notice in the documentation for Dovecot 3.0 


Outlook and IMAP Flags

2023-07-22 Thread Laura Smith via dovecot
Hi

I've tried searching the internet, but the only thing I can find is a post on a 
Microsoft forum where a Microsoft rep claims flags are not supported on IMAP 
(I thought it was an RFC3501 feature ?).

Anyway, I have a user who has Outlook/Windows on desktop and iOS (iPhone/iPad) 
for remote.

On the iOS devices, the user can happily set flags against messages with zero 
issues.  And indeed, when they set these flags, they are shown in Outlook.

However if they attempt to set the flag in Outlook, nothing happens. Outlook 
continues showing the message as if it was unflagged.

Any ideas ?

Laura


Any need to be worried about occasional dsync errors ?

2019-09-24 Thread Laura Smith via dovecot
I am occasionally (maybe every 4 hours or less frequently) seeing the following 
two errors appear in my logs.

Are they any cause for concern ?

Error: Timeout during state=sync_mails (send=done recv=mails)
I/O has stalled, no activity for 600 seconds (last sent=mail_request (EOL)


dsync not replicating .dovecot.sieve

2019-07-03 Thread Laura Smith via dovecot
There was a post on this topic to the list Aug 06, 2018 to which Aki replied 
"Thank you for reporting this, we'll take a look at this.".

But it's not clear what (if anything) has happened since ? The problem still 
seems to exist in 2.3.3 (original report by previous poster was for 2.3.2.1)

The scenario I'm seeing is pretty much identical to the original poster's.  
Mail seems to be replicating fine, but sieve doesn't replicate at all.



Warning: Failed to do incremental sync

2019-07-03 Thread Laura Smith via dovecot


Setup dovecot sync along the lines of (https://wiki2.dovecot.org/Replication).  
I am doing one way replication.

The initial full replication happened without issue, but now I'm seeing these 
errors on the slave server:

doveadm: Warning: /data/mail/foo/bar/Maildir/dovecot-uidlist: Duplicate file 
entry at line 26397: 1562173159.M215923P17350.mxp,S=2290,W=2339 (uid 143128 -> 
143142)

Warning: Failed to do incremental sync for mailbox Sent Messages, retry with a 
full sync (Modseq 1766 no longer in transaction log (highest=17617, 
last_common_uid=17559, nextuid=17560))

Warning: Failed to do incremental sync for mailbox INBOX, retry with a full 
sync (Modseq 2540 no longer in transaction log (highest=13870, 
last_common_uid=19912, nextuid=19913))



I guess dovecot automatically tries a full replication because eventually the 
messages get pushed and "sync failed" status changes from 'y' to '-'





mail_replica equivalent to replicator_host/replicator_port

2019-07-03 Thread Laura Smith via dovecot
Silly question but regarding https://wiki.dovecot.org/Replication, is the 
mail_replica parameter shown in the docs equivalent to replicator_host and 
replicator_port in 2.3.3 ?

2.3.3 doesn't seem to like the mail_replica param (and indeed doveconf -a 
doesn't show it as an option)

Thanks !


Re: failed: read(/var/run/dovecot/dns-client)

2019-04-11 Thread Laura Smith via dovecot


‐‐‐ Original Message ‐‐‐
On Thursday, April 11, 2019 9:01 PM, John Fawcett via dovecot 
 wrote:

> On 11/04/2019 10:02, Laura Smith via dovecot wrote:
>
> > ‐‐‐ Original Message ‐‐‐
> > On Thursday, April 11, 2019 12:55 AM, John Fawcett via dovecot 
> > dovecot@dovecot.org wrote:
> >
> > > On 11/04/2019 00:51, Laura Smith via dovecot wrote:
> > >
> > > > ‐‐‐ Original Message ‐‐‐
> > > > On Wednesday, April 10, 2019 11:48 PM, John Fawcett via dovecot 
> > > > dovecot@dovecot.org wrote:
> > > >
> > > > > On 11/04/2019 00:18, Laura Smith via dovecot wrote:
> > > > >
> > > > > > ‐‐‐ Original Message ‐‐‐
> > > > > > On Wednesday, April 10, 2019 10:24 PM, Aki Tuomi 
> > > > > > aki.tu...@open-xchange.com wrote:
> > > > > >
> > > > > > > > On 10 April 2019 23:56 Laura Smith via dovecot < 
> > > > > > > > dovecot@dovecot.org> wrote:
> > > > > > > > ‐‐‐ Original Message ‐‐‐
> > > > > > > > On Wednesday, April 10, 2019 9:14 PM, Aki Tuomi < 
> > > > > > > > aki.tu...@open-xchange.com> wrote:
> > > > > > > >
> > > > > > > > > > On 10 April 2019 23:13 Laura Smith via dovecot 
> > > > > > > > > > dovecot@dovecot.org wrote:
> > > > > > > > > > Sent with ProtonMail Secure Email.
> > > > > > > > > > ‐‐‐ Original Message ‐‐‐
> > > > > > > > > > On Wednesday, April 10, 2019 8:20 PM, Aki Tuomi 
> > > > > > > > > > aki.tu...@open-xchange.com wrote:
> > > > > > > > > >
> > > > > > > > > > > > On 10 April 2019 22:13 Laura Smith via dovecot 
> > > > > > > > > > > > dovecot@dovecot.org wrote:
> > > > > > > > > > > > On Wednesday, April 10, 2019 7:57 PM, Aki Tuomi 
> > > > > > > > > > > > aki.tu...@open-xchange.com wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > > > On 10 April 2019 21:26 Laura Smith via dovecot 
> > > > > > > > > > > > > > dovecot@dovecot.org wrote:
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > ==
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > dsync( foo...@example.com): Error: 
> > > > > > > > > > > > > > imapc(foobar.example.com:993): 
> > > > > > > > > > > > > > dns_lookup(foobar.example.com) failed: 
> > > > > > > > > > > > > > read(/var/run/dovecot/dns-client) failed: 
> > > > > > > > > > > > > > read(size=512) failed: Connection reset by peer
> > > > > > > > > > > > > > This is dovecot's internal dns-client, and 
> > > > > > > > > > > > > > something goes wrong when talking to the service.
> > > > > > > > > > > > > > dsync( foo...@example.com): Error: Failed to 
> > > > > > > > > > > > > > initialize user: imapc: Login to foobar.example.com 
> > > > > > > > > > > > > > failed: Disconnected from server
> > > > > > > > > > > > > > This is btw dsync service, not imap service.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > ===
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Initially I thought "oh no, not a

Re: auth-worker unknown user

2019-04-11 Thread Laura Smith via dovecot


On Thursday, April 11, 2019 5:49 PM, Aki Tuomi  
wrote:

> > On 11 April 2019 17:56 Laura Smith via dovecot dovecot@dovecot.org wrote:
> > On Thursday, April 11, 2019 3:07 PM, Aki Tuomi aki.tu...@open-xchange.com 
> > wrote:
> >
> > > > On 11 April 2019 16:45 Laura Smith via dovecot < dovecot@dovecot.org> 
> > > > wrote:
> > > > On Thursday, April 11, 2019 2:02 PM, Aki Tuomi < 
> > > > aki.tu...@open-xchange.com> wrote:
> > > >
> > > > > PAM is trying to lookup user@domain while you probably only have 
> > > > > user. PAM driver does not yet support username_format.
> > > >
> > > > > Aki
> > > >
> > > > But /etc/dovecot/users file isn't pam ?   I don't need pam if I'm 
> > > > using /etc/dovecot/users ?  Or am I understanding you wrong?
> > >
> > > you have passdb block using pam. it is involved in the lookup process.
> > >
> > > Aki Tuomi
> >
> > > doveconf -n passdb userdb
> > > passdb {
> > >   args = scheme=ARGON2ID username_format=%u /etc/dovecot/users
> > >   auth_verbose = yes
> > >   driver = passwd-file
> > > }
> > > userdb {
> > >   args = scheme=ARGON2ID username_format=%u /etc/dovecot/users
> > >   auth_verbose = yes
> > >   driver = passwd-file
> > > }
>
> Looks OK now. PAM is quite often the culprit as it's part of the default 
> shipped config and can be often missed when setting things up.
>
> Aki


I guess for the future it might be nice to have an option in the params to 
enable overrides for shipped configs (e.g. something similar to '!important' in 
CSS land).

It would be nice to be able to make local.conf the source of truth instead of 
having to say 97.5% local.conf and then these few hacks of shipped configs 
(which may or may not get overwritten by package updates from the distros)




Re: auth-worker unknown user

2019-04-11 Thread Laura Smith via dovecot
On Thursday, April 11, 2019 3:07 PM, Aki Tuomi  
wrote:

> > On 11 April 2019 16:45 Laura Smith via dovecot < dovecot@dovecot.org> wrote:
> >
> > On Thursday, April 11, 2019 2:02 PM, Aki Tuomi < 
> > aki.tu...@open-xchange.com> wrote:
> >
> > > PAM is trying to lookup user@domain while you probably only have user. 
> > > PAM driver does not yet support username_format. 
> >
> > > Aki
> >
> > But /etc/dovecot/users file isn't pam ?   I don't need pam if I'm using 
> > /etc/dovecot/users ?  Or am I understanding you wrong?
>
> you have passdb block using pam. it is involved in the lookup process. 
>
> ---
> Aki Tuomi

> doveconf -n passdb userdb
passdb {
  args = scheme=ARGON2ID username_format=%u /etc/dovecot/users
  auth_verbose = yes
  driver = passwd-file
}
userdb {
  args = scheme=ARGON2ID username_format=%u /etc/dovecot/users
  auth_verbose = yes
  driver = passwd-file
}


Re: auth-worker unknown user

2019-04-11 Thread Laura Smith via dovecot
‐‐‐ Original Message ‐‐‐
On Thursday, April 11, 2019 3:07 PM, Aki Tuomi  
wrote:

> > On 11 April 2019 16:45 Laura Smith via dovecot < dovecot@dovecot.org> wrote:
> >
> > On Thursday, April 11, 2019 2:02 PM, Aki Tuomi < 
> > aki.tu...@open-xchange.com> wrote:
> >
> > > PAM is trying to lookup user@domain while you probably only have user. 
> > > PAM driver does not yet support username_format. 
> >
> > > Aki
> >
> > But /etc/dovecot/users file isn't pam ?   I don't need pam if I'm using 
> > /etc/dovecot/users ?  Or am I understanding you wrong?
>
> you have passdb block using pam. it is involved in the lookup process. 

Well, I didn't but it seems to be the default example config (i.e. it's in 
auth-system.conf.ext, not my local.cf).

I commented it out, but now I get
"auth: Fatal: No passdbs specified in configuration file. LOGIN mechanism needs 
one"

What am I missing to make it look in /etc/dovecot/users ?  My local.cf came 
from a known-good server so I don't understand why it hasn't implemented the 
changes that need to be done on this new one ?   What parameters am I missing ? 
  I'm lost and exhausted by struggling with dovecot these last few days.


Re: auth-worker unknown user

2019-04-11 Thread Laura Smith via dovecot
On Thursday, April 11, 2019 2:02 PM, Aki Tuomi  
wrote:

> PAM is trying to lookup user@domain while you probably only have user. PAM 
> driver does not yet support username_format. 
>
> Aki

But /etc/dovecot/users file isn't pam ?   I don't need pam if I'm using 
/etc/dovecot/users ?  Or am I understanding you wrong?


auth-worker unknown user

2019-04-11 Thread Laura Smith via dovecot
pam(foo...@example.com,192.0.1.1,<9zMTUUCGNfHZzMpL>): unknown user (SHA1 of 
given password: ff75068c2f4d700a49dae204d56477a5ffa5d23d)


The password is correct, i.e. 'echo -n 'passed' | openssl dgst -sha1' matches.

The user is setup correctly in /etc/dovecot/users (the /etc/dovecot/users was 
copied from another known-good server, so the syntax is correct and appropriate 
adjustments have been made for chmod and directory).

doveconf -N follows:

# 2.3.3 (dcead646b): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.3 (f018bbab)
# OS: Linux 4.12.14-lp150.12.48-default x86_64
# Hostname: foobar
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = sha1
doveadm_password = # hidden, use -P to show it
first_valid_uid = 471
imapc_features = rfc822.size fetch-headers
imapc_host = foobar.example.com
imapc_password = # hidden, use -P to show it
imapc_port = 993
imapc_ssl = imaps
imapc_user = %u
mail_location = maildir:~/Maildir
mail_plugin_dir = /usr/lib64/dovecot/modules
mail_prefetch_count = 20
mailbox_list_index = yes
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character 
vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy 
include variables body environment mailbox date ihave enotify
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
  name =
}
plugin {
  sieve = file:~/.dovecot.sieve
}
protocols = imap lmtp
service auth {
  unix_listener /var/spool/postfix/private/dovecot-auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service imap-login {
  process_min_avail = 3
}
service lmtp {
  process_min_avail = 5
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0660
    user = postfix
  }
  user = my_virtmailuser
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
  inet_listener sieves {
    address =
    port = 5190
    ssl = yes
  }
}
ssl = required
ssl_ca =  was automatically rejected:%n%r
}
protocol imap {
  mail_max_userip_connections = 20
}
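
The `pam(` prefix on the log line in this post names the passdb driver that handled the lookup, which is how the replies trace the failure to the shipped `passdb { driver = pam }` block rather than `/etc/dovecot/users`. An added example (not from the thread or the Dovecot project) that parses `doveconf`-style output and ties a log line's driver to the configured passdbs; both config samples are trimmed from the listings in this thread, and the log line's address and session id are constructed.

```python
import re

# Constructed inputs: trimmed from the two `doveconf` listings in this thread.
CONF_BEFORE = """\
auth_mechanisms = plain login
auth_verbose_passwords = sha1
passdb {
  driver = pam
  name =
}
service auth {
  unix_listener /var/spool/postfix/private/dovecot-auth {
    mode = 0660
  }
}
"""

CONF_AFTER = """\
passdb {
  args = scheme=ARGON2ID username_format=%u /etc/dovecot/users
  auth_verbose = yes
  driver = passwd-file
}
userdb {
  args = scheme=ARGON2ID username_format=%u /etc/dovecot/users
  auth_verbose = yes
  driver = passwd-file
}
"""

# Constructed log line in the shape of the one posted (user, IP and session id made up).
LOG_LINE = "pam(user@example.com,192.0.2.10,<constructedSession>): unknown user"


def parse_doveconf(text):
    """Parse doveconf-style output into a tree of nested sections."""
    root = {"type": "root", "name": "", "settings": {}, "children": []}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            head = line[:-1].split(None, 1)
            node = {
                "type": head[0],
                "name": head[1].strip() if len(head) > 1 else "",
                "settings": {},
                "children": [],
            }
            stack[-1]["children"].append(node)
            stack.append(node)
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif "=" in line:
            key, _, value = line.partition("=")
            stack[-1]["settings"][key.strip()] = value.strip()
    if len(stack) != 1:
        raise ValueError("unclosed section")
    return root


def auth_databases(tree):
    """Return (kind, driver) for each top-level passdb/userdb, in config order."""
    return [
        (node["type"], node["settings"].get("driver", ""))
        for node in tree["children"]
        if node["type"] in ("passdb", "userdb")
    ]


def check_log_against_config(log_line, conf_text):
    """Relate the driver named in an auth log line to the configured passdbs."""
    # The driver prefix is "<driver>(<user>,<ip>...": requiring the comma skips
    # a leading "auth-worker(1234): " process tag if the full log line is given.
    m = re.search(r"([a-z][a-z0-9-]*)\(([^,()]+),", log_line)
    if not m:
        raise ValueError("no '<driver>(<user>,' prefix found")
    dbs = auth_databases(parse_doveconf(conf_text))
    passdbs = [driver for kind, driver in dbs if kind == "passdb"]
    return {
        "log_driver": m.group(1),
        "user": m.group(2),
        "passdb_drivers": passdbs,
        "log_driver_configured": m.group(1) in passdbs,
        "has_userdb": any(kind == "userdb" for kind, _ in dbs),
    }


if __name__ == "__main__":
    for label, conf in (("before", CONF_BEFORE), ("after", CONF_AFTER)):
        print(label, check_log_against_config(LOG_LINE, conf))
```
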



Re: failed: read(/var/run/dovecot/dns-client)

2019-04-11 Thread Laura Smith via dovecot


‐‐‐ Original Message ‐‐‐
On Thursday, April 11, 2019 9:05 AM, Aki Tuomi  
wrote:

> > On 11 April 2019 11:02 Laura Smith via dovecot dovecot@dovecot.org wrote:
> > ‐‐‐ Original Message ‐‐‐
> > On Thursday, April 11, 2019 12:55 AM, John Fawcett via dovecot 
> > dovecot@dovecot.org wrote:
> >
> > > On 11/04/2019 00:51, Laura Smith via dovecot wrote:
> > >
> > > > ‐‐‐ Original Message ‐‐‐
> > > > On Wednesday, April 10, 2019 11:48 PM, John Fawcett via dovecot 
> > > > dovecot@dovecot.org wrote:
> > > >
> > > > > On 11/04/2019 00:18, Laura Smith via dovecot wrote:
> > > > >
> > > > > > ‐‐‐ Original Message ‐‐‐
> > > > > > On Wednesday, April 10, 2019 10:24 PM, Aki Tuomi 
> > > > > > aki.tu...@open-xchange.com wrote:
> > > > > >
> > > > > > > > On 10 April 2019 23:56 Laura Smith via dovecot < 
> > > > > > > > dovecot@dovecot.org> wrote:
> > > > > > > > ‐‐‐ Original Message ‐‐‐
> > > > > > > > On Wednesday, April 10, 2019 9:14 PM, Aki Tuomi < 
> > > > > > > > aki.tu...@open-xchange.com> wrote:
> > > > > > > >
> > > > > > > > > > On 10 April 2019 23:13 Laura Smith via dovecot 
> > > > > > > > > > dovecot@dovecot.org wrote:
> > > > > > > > > > Sent with ProtonMail Secure Email.
> > > > > > > > > > ‐‐‐ Original Message ‐‐‐
> > > > > > > > > > On Wednesday, April 10, 2019 8:20 PM, Aki Tuomi 
> > > > > > > > > > aki.tu...@open-xchange.com wrote:
> > > > > > > > > >
> > > > > > > > > > > > On 10 April 2019 22:13 Laura Smith via dovecot 
> > > > > > > > > > > > dovecot@dovecot.org wrote:
> > > > > > > > > > > > On Wednesday, April 10, 2019 7:57 PM, Aki Tuomi 
> > > > > > > > > > > > aki.tu...@open-xchange.com wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > > > On 10 April 2019 21:26 Laura Smith via dovecot 
> > > > > > > > > > > > > > dovecot@dovecot.org wrote:
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > ==
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > dsync( foo...@example.com): Error: 
> > > > > > > > > > > > > > imapc(foobar.example.com:993): 
> > > > > > > > > > > > > > dns_lookup(foobar.example.com) failed: 
> > > > > > > > > > > > > > read(/var/run/dovecot/dns-client) failed: 
> > > > > > > > > > > > > > read(size=512) failed: Connection reset by peer
> > > > > > > > > > > > > > This is dovecot's internal dns-client, and 
> > > > > > > > > > > > > > something goes wrong when talking to the service.
> > > > > > > > > > > > > > dsync( foo...@example.com): Error: Failed to 
> > > > > > > > > > > > > > initialize user: imapc: Login to foobar.example.com 
> > > > > > > > > > > > > > failed: Disconnected from server
> > > > > > > > > > > > > > This is btw dsync service, not imap service.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > ===
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Initially I thought "oh no, not a

Re: failed: read(/var/run/dovecot/dns-client)

2019-04-11 Thread Laura Smith via dovecot


‐‐‐ Original Message ‐‐‐
On Thursday, April 11, 2019 12:55 AM, John Fawcett via dovecot 
 wrote:

> On 11/04/2019 00:51, Laura Smith via dovecot wrote:
>
> > ‐‐‐ Original Message ‐‐‐
> > On Wednesday, April 10, 2019 11:48 PM, John Fawcett via dovecot 
> > dovecot@dovecot.org wrote:
> >
> > > On 11/04/2019 00:18, Laura Smith via dovecot wrote:
> > >
> > > > ‐‐‐ Original Message ‐‐‐
> > > > On Wednesday, April 10, 2019 10:24 PM, Aki Tuomi 
> > > > aki.tu...@open-xchange.com wrote:
> > > >
> > > > > > On 10 April 2019 23:56 Laura Smith via dovecot < 
> > > > > > dovecot@dovecot.org> wrote:
> > > > > > ‐‐‐ Original Message ‐‐‐
> > > > > > On Wednesday, April 10, 2019 9:14 PM, Aki Tuomi < 
> > > > > > aki.tu...@open-xchange.com> wrote:
> > > > > >
> > > > > > > > On 10 April 2019 23:13 Laura Smith via dovecot 
> > > > > > > > dovecot@dovecot.org wrote:
> > > > > > > > Sent with ProtonMail Secure Email.
> > > > > > > > ‐‐‐ Original Message ‐‐‐
> > > > > > > > On Wednesday, April 10, 2019 8:20 PM, Aki Tuomi 
> > > > > > > > aki.tu...@open-xchange.com wrote:
> > > > > > > >
> > > > > > > > > > On 10 April 2019 22:13 Laura Smith via dovecot 
> > > > > > > > > > dovecot@dovecot.org wrote:
> > > > > > > > > > On Wednesday, April 10, 2019 7:57 PM, Aki Tuomi 
> > > > > > > > > > aki.tu...@open-xchange.com wrote:
> > > > > > > > > >
> > > > > > > > > > > > On 10 April 2019 21:26 Laura Smith via dovecot 
> > > > > > > > > > > > dovecot@dovecot.org wrote:
> > > > > > > > > > > > ==
> > > > > > > > > > > > dsync( foo...@example.com): Error: 
> > > > > > > > > > > > imapc(foobar.example.com:993): 
> > > > > > > > > > > > dns_lookup(foobar.example.com) failed: 
> > > > > > > > > > > > read(/var/run/dovecot/dns-client) failed: 
> > > > > > > > > > > > read(size=512) failed: Connection reset by peer
> > > > > > > > > > > > This is dovecot's internal dns-client, and something 
> > > > > > > > > > > > goes wrong when talking to the service.
> > > > > > > > > > > > dsync( foo...@example.com): Error: Failed to initialize 
> > > > > > > > > > > > user: imapc: Login to foobar.example.com failed: 
> > > > > > > > > > > > Disconnected from server
> > > > > > > > > > > > This is btw dsync service, not imap service.
> > > > > > > > > > > > ===
> > > > > > > > > > > > Initially I thought "oh no, not another AppArmor block".
> > > > > > > > > > > > But then surely the second message would not appear if 
> > > > > > > > > > > > the DNS lookup was not successful ?
> > > > > > > > > > > > Also "dig foobar.example.com" works fine.
> > > > > > > > > > > > How should I be troubleshooting this ? And if it is 
> > > > > > > > > > > > still likely to be AppArmor, what is calling it ? 
> > > > > > > > > > > > "doveadm" itself or something else ? What does 
> > > > > > > > > > > > "/var/run/dovecot/dns-client" do and why doesn't 
> > > > > > > > > > > > dovecot use standard OS calls like everyone else ?
> > > > > > > > > >

Re: failed: read(/var/run/dovecot/dns-client)

2019-04-10 Thread Laura Smith via dovecot


‐‐‐ Original Message ‐‐‐
On Wednesday, April 10, 2019 11:48 PM, John Fawcett via dovecot 
 wrote:

> On 11/04/2019 00:18, Laura Smith via dovecot wrote:
>
> > ‐‐‐ Original Message ‐‐‐
> > On Wednesday, April 10, 2019 10:24 PM, Aki Tuomi aki.tu...@open-xchange.com 
> > wrote:
> >
> > > > On 10 April 2019 23:56 Laura Smith via dovecot < dovecot@dovecot.org> 
> > > > wrote:
> > > > ‐‐‐ Original Message ‐‐‐
> > > > On Wednesday, April 10, 2019 9:14 PM, Aki Tuomi < 
> > > > aki.tu...@open-xchange.com> wrote:
> > > >
> > > > > > On 10 April 2019 23:13 Laura Smith via dovecot dovecot@dovecot.org 
> > > > > > wrote:
> > > > > > Sent with ProtonMail Secure Email.
> > > > > > ‐‐‐ Original Message ‐‐‐
> > > > > > On Wednesday, April 10, 2019 8:20 PM, Aki Tuomi 
> > > > > > aki.tu...@open-xchange.com wrote:
> > > > > >
> > > > > > > > On 10 April 2019 22:13 Laura Smith via dovecot 
> > > > > > > > dovecot@dovecot.org wrote:
> > > > > > > > On Wednesday, April 10, 2019 7:57 PM, Aki Tuomi 
> > > > > > > > aki.tu...@open-xchange.com wrote:
> > > > > > > >
> > > > > > > > > > On 10 April 2019 21:26 Laura Smith via dovecot 
> > > > > > > > > > dovecot@dovecot.org wrote:
> > > > > > > > > >
> > > > > > > > > > ==
> > > > > > > > > >
> > > > > > > > > > dsync( foo...@example.com): Error: 
> > > > > > > > > > imapc(foobar.example.com:993): 
> > > > > > > > > > dns_lookup(foobar.example.com) failed: 
> > > > > > > > > > read(/var/run/dovecot/dns-client) failed: read(size=512) 
> > > > > > > > > > failed: Connection reset by peer
> > > > > > > > > > This is dovecot's internal dns-client, and something goes 
> > > > > > > > > > wrong when talking to the service.
> > > > > > > > > > dsync( foo...@example.com): Error: Failed to initialize 
> > > > > > > > > > user: imapc: Login to foobar.example.com failed: 
> > > > > > > > > > Disconnected from server
> > > > > > > > > > This is btw dsync service, not imap service.
> > > > > > > > > >
> > > > > > > > > > ===
> > > > > > > > > >
> > > > > > > > > > Initially I thought "oh no, not another AppArmor block".
> > > > > > > > > > But then surely the second message would not appear if the 
> > > > > > > > > > DNS lookup was not successful ?
> > > > > > > > > > Also "dig foobar.example.com" works fine.
> > > > > > > > > > How should I be troubleshooting this ? And if it is still 
> > > > > > > > > > likely to be AppArmor, what is calling it ? "doveadm" 
> > > > > > > > > > itself or something else ? What does 
> > > > > > > > > > "/var/run/dovecot/dns-client" do and why doesn't dovecot 
> > > > > > > > > > use standard OS calls like everyone else ?
> > > > > > > > > > Because the "standard OS call" is blocking and we would 
> > > > > > > > > > prefer it to not block everything else.
> > > > > > > > > > So many questions !
> > > > > > > > > > Aki
> > > > > > > > > > Thanks for your reply, but both those messages are generated 
> > > > > > > > > > from a simple :
> > > > > > > > > > doveadm

Re: failed: read(/var/run/dovecot/dns-client)

2019-04-10 Thread Laura Smith via dovecot
‐‐‐ Original Message ‐‐‐
On Wednesday, April 10, 2019 10:24 PM, Aki Tuomi  
wrote:

> > On 10 April 2019 23:56 Laura Smith via dovecot < dovecot@dovecot.org> wrote:
> >
> > ‐‐‐ Original Message ‐‐‐
> > On Wednesday, April 10, 2019 9:14 PM, Aki Tuomi < 
> > aki.tu...@open-xchange.com> wrote:
> >
> > > > On 10 April 2019 23:13 Laura Smith via dovecot dovecot@dovecot.org 
> > > > wrote:
> > > > Sent with ProtonMail Secure Email.
> > > > ‐‐‐ Original Message ‐‐‐
> > > > On Wednesday, April 10, 2019 8:20 PM, Aki Tuomi 
> > > > aki.tu...@open-xchange.com wrote:
> > >
> > > > > > On 10 April 2019 22:13 Laura Smith via dovecot dovecot@dovecot.org 
> > > > > > wrote:
> > > > > > On Wednesday, April 10, 2019 7:57 PM, Aki Tuomi 
> > > > > > aki.tu...@open-xchange.com wrote:
> > > > >
> > > > > > > > On 10 April 2019 21:26 Laura Smith via dovecot 
> > > > > > > > dovecot@dovecot.org wrote:
> > > > > > > > ==
> > > > > > > > dsync( foo...@example.com): Error: 
> > > > > > > > imapc(foobar.example.com:993): dns_lookup(foobar.example.com) 
> > > > > > > > failed: read(/var/run/dovecot/dns-client) failed: 
> > > > > > > > read(size=512) failed: Connection reset by peer
> > > > > >
> > > > > > > This is dovecot's internal dns-client, and something goes wrong 
> > > > > > > when talking to the service.
> > > > > >
> > > > > > > > dsync( foo...@example.com): Error: Failed to initialize user: 
> > > > > > > > imapc: Login to foobar.example.com failed: Disconnected from 
> > > > > > > > server
> > > > > >
> > > > > > > This is btw dsync service, not imap service.
> > > > > >
> > > > > > > > ===
> > > > > > > > Initially I thought "oh no, not another AppArmor block".
> > > > > > > > But then surely the second message would not appear if the DNS 
> > > > > > > > lookup was not successful ?
> > > > > > > > Also "dig foobar.example.com" works fine.
> > > > > > > > How should I be troubleshooting this ? And if it is still 
> > > > > > > > likely to be AppArmor, what is calling it ? "doveadm" itself or 
> > > > > > > > something else ? What does "/var/run/dovecot/dns-client" do and 
> > > > > > > > why doesn't dovecot use standard OS calls like everyone else ?
> > > > > >
> > > > > > > Because the "standard OS call" is blocking and we would prefer it 
> > > > > > > to not block everything else.
> > > > > >
> > > > > > > > So many questions !
> > > > > >
> > > > > > > Aki
> > > > >
> > > > > > > Thanks for your reply, but both those messages are generated from a 
> > > > > > simple :
> > > > > > doveadm -v -o mail_fsync=never backup -R -u foo...@example.com 
> > > > > > imapc:
> > > > > > So I don't know what you mean about dsync service failing ? Surely 
> > > > > > the DNS lookup succeeded if the 'dsync service' failed due to 
> > > > > > remote disconnect ?
> > > > > > I'm still none the wiser as to where to start looking for 
> > > > > > > troubleshooting ?
> > > >
> > > > > Did you check dovecot logs? Maybe there is something useful?
> > > > > Aki
> > >
> > > > Only the same old cryptic message about dns-client ?
> > > > master: Fatal: execv(/usr/lib/dovecot/dns-client) failed: Permission 
> > > > denied
> >
> > > Something prevents executing the dns-client binary.
> >
> > > > master: Error: service(dns_client): command startup failed, throttling 
> > > > for 16 secs
> > > > dns_client: Fatal: master: service(dns_client): child 14293 returned 
> > > > error 84 (exec() failed)
> >
> > > Aki
> >
> > Yes but is it being called by doveadm directly or by some other dovecot 
> > program ? If I'm going to have to go down the AppArmor route, then I would 
> > prefer if you told me what was calling it instead of me having to 
> > un-necessarily spend time doing straces !
> >
> > Also, should I be able to call dns-client directly myself ? (or is there a 
> > way to do so to enable testing ?
>
> It is started by dovecot's master process when you connect to dns-client unix 
> socket. You can try
>
> socat stdio unix-connect:/var/run/dovecot/dns-client
>
> I thought apparmor tells when something is blocked into kernel log? have you 
> checked dmesg?
>
> Apologies for your frustration. 
> ---

Yeah nothing in dmesg.  I'm still hunting around to find some log somewhere but 
so far silence.

"socat stdio unix-connect:/var/run/dovecot/dns-client" runs but returns 
nothing. Is that expected ?

When you say "dovecot's master process", so  doveadm sync talks to the master 
process ?  So in terms of apparmor I would therefore be looking at 
/usr/sbin/dovecot ?  If that's the case, the relevant apparmor permissions are 
already provided :
  /{,var/}run/dovecot/ rw,
  /{,var/}run/dovecot/** rw,
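
The two rules quoted above grant `rw` on paths under `/run/dovecot/` and `/var/run/dovecot/`, while the log line in this thread reports a failed `execv(/usr/lib/dovecot/dns-client)`, which is a different path and a different access type. An added example, not part of the original post and not AppArmor's own matcher: it implements a simplified subset of AppArmor file-rule globbing (`*`, `**`, `?`, `{a,b}`) and reports which access a rule set grants for a path; the third rule is constructed for contrast only.

```python
import re

# The two file rules quoted in the message above.
QUOTED_RULES = """\
  /{,var/}run/dovecot/ rw,
  /{,var/}run/dovecot/** rw,
"""

# Constructed rule (not from the thread): shows what an execute grant looks
# like to this checker. It is not a recommended profile change.
CONSTRUCTED_EXEC_RULE = "  /usr/lib/dovecot/* mrix,\n"


def glob_to_regex(glob):
    """Translate a simplified AppArmor path glob into a compiled regex.

    Handled: '**' (any characters, including '/'), '*' (any characters
    except '/'), '?' (one character except '/'), '{a,b}' alternation.
    Character classes and variables are not handled in this subset.
    """
    out = []
    depth = 0
    i = 0
    while i < len(glob):
        ch = glob[i]
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        if ch == "*":
            out.append("[^/]*")
        elif ch == "?":
            out.append("[^/]")
        elif ch == "{":
            out.append("(?:")
            depth += 1
        elif ch == "}" and depth:
            out.append(")")
            depth -= 1
        elif ch == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(ch))
        i += 1
    if depth:
        raise ValueError("unbalanced '{' in rule path: %r" % glob)
    return re.compile("".join(out))


def parse_file_rules(text):
    """Return [(compiled_path_regex, permission_set)] for 'path perms,' lines."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"\s*(/\S*)\s+([A-Za-z]+),\s*$", line)
        if not m:
            continue  # not a plain file rule (comment, include, capability, ...)
        # Collapse exec transition qualifiers (ix, px, Px, cx, ux, pix, ...) to 'x'.
        perms = set(re.sub(r"[pPcCuUi]+x", "x", m.group(2)))
        rules.append((glob_to_regex(m.group(1)), perms))
    return rules


def granted(rules, path):
    """Union of the permissions of every rule whose path glob matches `path`."""
    perms = set()
    for pattern, rule_perms in rules:
        if pattern.fullmatch(path):
            perms |= rule_perms
    return perms


def missing(rules, path, needed):
    """Permissions in `needed` that no matching rule grants for `path`."""
    return set(needed) - granted(rules, path)


if __name__ == "__main__":
    quoted = parse_file_rules(QUOTED_RULES)
    for path, need in (
        ("/var/run/dovecot/dns-client", "rw"),   # the unix socket
        ("/usr/lib/dovecot/dns-client", "x"),    # the binary named in execv()
    ):
        print(path, "granted:", sorted(granted(quoted, path)),
              "missing:", sorted(missing(quoted, path, need)))
```
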


Re: failed: read(/var/run/dovecot/dns-client)

2019-04-10 Thread Laura Smith via dovecot


‐‐‐ Original Message ‐‐‐
On Wednesday, April 10, 2019 9:14 PM, Aki Tuomi  
wrote:

> > On 10 April 2019 23:13 Laura Smith via dovecot dovecot@dovecot.org wrote:
> > Sent with ProtonMail Secure Email.
> > ‐‐‐ Original Message ‐‐‐
> > On Wednesday, April 10, 2019 8:20 PM, Aki Tuomi aki.tu...@open-xchange.com 
> > wrote:
> >
> > > > On 10 April 2019 22:13 Laura Smith via dovecot dovecot@dovecot.org 
> > > > wrote:
> > > > On Wednesday, April 10, 2019 7:57 PM, Aki Tuomi 
> > > > aki.tu...@open-xchange.com wrote:
> > > >
> > > > > > On 10 April 2019 21:26 Laura Smith via dovecot dovecot@dovecot.org 
> > > > > > wrote:
> > > > > > ==
> > > > > > dsync(foo...@example.com): Error: imapc(foobar.example.com:993): 
> > > > > > dns_lookup(foobar.example.com) failed: 
> > > > > > read(/var/run/dovecot/dns-client) failed: read(size=512) failed: 
> > > > > > Connection reset by peer
> > > > >
> > > > > This is dovecot's internal dns-client, and something goes wrong when 
> > > > > talking to the service.
> > > > >
> > > > > > dsync(foo...@example.com): Error: Failed to initialize user: imapc: 
> > > > > > Login to foobar.example.com failed: Disconnected from server
> > > > >
> > > > > This is btw dsync service, not imap service.
> > > > >
> > > > > > ===
> > > > > > Initially I thought "oh no, not another AppArmor block".
> > > > > > But then surely the second message would not appear if the DNS 
> > > > > > lookup was not successful ?
> > > > > > Also "dig foobar.example.com" works fine.
> > > > > > How should I be troubleshooting this ? And if it is still likely to 
> > > > > > be AppArmor, what is calling it ? "doveadm" itself or something 
> > > > > > else ? What does "/var/run/dovecot/dns-client" do and why doesn't 
> > > > > > dovecot use standard OS calls like everyone else ?
> > > > >
> > > > > Because the "standard OS call" is blocking and we would prefer it to 
> > > > > not block everything else.
> > > > >
> > > > > > So many questions !
> > > > >
> > > > > Aki
> > > >
> > > > Thanks for your reply, but both those messages are generated from a 
> > > > simple :
> > > > doveadm -v -o mail_fsync=never backup -R -u foo...@example.com imapc:
> > > > So I don't know what you mean about dsync service failing ? Surely the 
> > > > DNS lookup succeeded if the 'dsync service' failed due to remote 
> > > > disconnect ?
> > > > I'm still none the wiser as to where to start looking for 
> > > > troubleshooting ?
> > >
> > > Did you check dovecot logs? Maybe there is something useful?
> > > Aki
> >
> > Only the same old cryptic message about dns-client ?
> > master: Fatal: execv(/usr/lib/dovecot/dns-client) failed: Permission denied
>
> Something prevents executing the dns-client binary.
>
> > master: Error: service(dns_client): command startup failed, throttling for 
> > 16 secs
> > dns_client: Fatal: master: service(dns_client): child 14293 returned error 
> > 84 (exec() failed)
>
> Aki


Yes but is it being called by doveadm directly or by some other dovecot program 
?  If I'm going to have to go down the AppArmor route, then I would prefer if 
you told me what was calling it instead of me having to un-necessarily spend 
time doing straces !

Also, should I be able to call dns-client directly myself ? (or is there a way 
to do so to enable testing ?)

# /usr/lib/dovecot/dns-client
Panic: BUG: No IOs or timeouts set. Not waiting for infinity.
Error: Raw backtrace: /usr/lib64/dovecot/libdovecot.so.0(+0xd879e) 
[0x7f582c65f79e] -> /usr/lib64/dovecot/libdovecot.so.0(+0xd87e1) 
[0x7f582c65f7e1] -> /usr/lib64/dovecot/libdovecot.so.0(i_fatal+0) 
[0x7f582c5c9024] -> /usr/lib64/dovecot/libdovecot.so.0(+0xf045c) 
[0x7f582c67745c] -> 
/usr/lib64/dovecot/libdovecot.so.0(io_loop_handler_run_internal+0x36) 
[0x7f582c679e96] -> 
/usr/lib64/dovecot/libdovecot.so.0(io_loop_handler_run+0x4c) [0x7f582c6786ec] 
-> /usr/lib64/dovecot/libdovecot.so.0(io_loop_run+0x38) [0x7f582c678908] -> 
/usr/lib64/dovecot/libdovecot.so.0(master_service_run+0x13) [0x7f582c5ee203] -> 
/usr/lib/dovecot/dns-client(main+0x8d) [0x55866c96050d] -> 
/lib64/libc.so.6(__libc_start_main+0xea) [0x7f582c1edf4a] -> 
/usr/lib/dovecot/dns-client(_start+0x2a) [0x55866c96055a]


Re: failed: read(/var/run/dovecot/dns-client)

2019-04-10 Thread Laura Smith via dovecot





‐‐‐ Original Message ‐‐‐
On Wednesday, April 10, 2019 8:20 PM, Aki Tuomi  
wrote:

> > On 10 April 2019 22:13 Laura Smith via dovecot dovecot@dovecot.org wrote:
> > On Wednesday, April 10, 2019 7:57 PM, Aki Tuomi aki.tu...@open-xchange.com 
> > wrote:
> >
> > > > On 10 April 2019 21:26 Laura Smith via dovecot dovecot@dovecot.org 
> > > > wrote:
> > > >
> > > > ==
> > > >
> > > > dsync(foo...@example.com): Error: imapc(foobar.example.com:993): 
> > > > dns_lookup(foobar.example.com) failed: 
> > > > read(/var/run/dovecot/dns-client) failed: read(size=512) failed: 
> > > > Connection reset by peer
> > >
> > > This is dovecot's internal dns-client, and something goes wrong when 
> > > talking to the service.
> > >
> > > > dsync(foo...@example.com): Error: Failed to initialize user: imapc: 
> > > > Login to foobar.example.com failed: Disconnected from server
> > >
> > > This is btw dsync service, not imap service.
> > >
> > > > ===
> > > > Initially I thought "oh no, not another AppArmor block".
> > > > But then surely the second message would not appear if the DNS lookup 
> > > > was not successful ?
> > > > Also "dig foobar.example.com" works fine.
> > > > How should I be troubleshooting this ? And if it is still likely to be 
> > > > AppArmor, what is calling it ? "doveadm" itself or something else ? 
> > > > What does "/var/run/dovecot/dns-client" do and why doesn't dovecot use 
> > > > standard OS calls like everyone else ?
> > >
> > > Because the "standard OS call" is blocking and we would prefer it to not 
> > > block everything else.
> > >
> > > > So many questions !
> > >
> > > Aki
> >
> > Thanks for your reply, but both those messages are generated from a simple :
> > doveadm -v -o mail_fsync=never backup -R -u foo...@example.com imapc:
> > So I don't know what you mean about dsync service failing ? Surely the DNS 
> > lookup succeeded if the 'dsync service' failed due to remote disconnect ?
> > I'm still none the wiser as to where to start looking for troubleshooting ?
>
> Did you check dovecot logs? Maybe there is something useful?
>
> Aki


Only the same old cryptic message about dns-client ?
master: Fatal: execv(/usr/lib/dovecot/dns-client) failed: Permission denied
master: Error: service(dns_client): command startup failed, throttling for 16 
secs
dns_client: Fatal: master: service(dns_client): child 14293 returned error 84 
(exec() failed)
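
One way to confirm or rule out AppArmor for a "Permission denied" like the execv failure above is to look for matching DENIED records in the kernel audit log. This is an added example, not code from the thread or from Dovecot; the function names are hypothetical, and the sample lines (profile name, pids, timestamps) are constructed around the two paths mentioned on this page.

```python
import re
from collections import defaultdict

# Constructed audit lines in the AppArmor record format. The profile name,
# pids and timestamps are made up; the two denied paths appear on this page.
SAMPLE_LOG = """\
type=AVC msg=audit(1554890000.101:311): apparmor="DENIED" operation="open" profile="/usr/sbin/dovecot" name="/etc/foobar/ssl/certbot.pem" pid=2001 comm="doveconf" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1554920000.202:412): apparmor="DENIED" operation="exec" profile="/usr/sbin/dovecot" name="/usr/lib/dovecot/dns-client" pid=2002 comm="dovecot" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=AVC msg=audit(1554920001.303:413): apparmor="ALLOWED" operation="open" profile="/usr/sbin/dovecot" name="/etc/dovecot/dovecot.conf" pid=2003 comm="dovecot" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1554920002.404:414): arch=c000003e syscall=59 success=yes exit=0 comm="dig" exe="/usr/bin/dig"
"""

PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse(line):
    """Split one audit record into its key=value fields."""
    return {k: (q if q else u) for k, q, u in PAIR.findall(line)}

def denials(log_text):
    """Group DENIED records by (profile, path) and collect the denied masks."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec.get("apparmor") != "DENIED":
            continue  # ALLOWED (complain mode) and non-AppArmor records
        key = (rec.get("profile", "?"), rec.get("name", "?"))
        grouped[key].update(rec.get("denied_mask", ""))
    return dict(grouped)

def candidate_rules(log_text):
    """Render denials as candidate profile lines for a human to review."""
    rules = []
    for (profile, path), masks in sorted(denials(log_text).items()):
        perms = "".join(sorted(masks - {"x"}))  # masks copied as logged
        if perms:
            rules.append(f"{profile}: {path} {perms},")
        if "x" in masks:  # exec needs an explicit transition mode in the profile
            rules.append(f"{profile}: {path} <exec mode: ix/Px/Cx, pick one>")
    return rules

if __name__ == "__main__":
    for rule in candidate_rules(SAMPLE_LOG):
        print(rule)
```

If no DENIED record names the path, AppArmor is not what refused the access and the ordinary file permissions are the next thing to check.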



Re: failed: read(/var/run/dovecot/dns-client)

2019-04-10 Thread Laura Smith via dovecot


On Wednesday, April 10, 2019 7:57 PM, Aki Tuomi  
wrote:

> > On 10 April 2019 21:26 Laura Smith via dovecot dovecot@dovecot.org wrote:
> > ===
> > dsync(foo...@example.com): Error: imapc(foobar.example.com:993): 
> > dns_lookup(foobar.example.com) failed: read(/var/run/dovecot/dns-client) 
> > failed: read(size=512) failed: Connection reset by peer
>
> This is dovecot's internal dns-client, and something goes wrong when talking 
> to the service.
>
> > dsync(foo...@example.com): Error: Failed to initialize user: imapc: Login 
> > to foobar.example.com failed: Disconnected from server
>
> This is btw dsync service, not imap service.
>
> > ===
> > Initially I thought "oh no, not another AppArmor block".
> > But then surely the second message would not appear if the DNS lookup was 
> > not successful ?
> > Also "dig foobar.example.com" works fine.
> > How should I be troubleshooting this ? And if it is still likely to be 
> > AppArmor, what is calling it ? "doveadm" itself or something else ? What 
> > does "/var/run/dovecot/dns-client" do and why doesn't dovecot use standard 
> > OS calls like everyone else ?
>
> Because the "standard OS call" is blocking and we would prefer it to not 
> block everything else.
>
> > So many questions !
>
> Aki


Thanks for your reply, but both those messages are generated from a simple :
doveadm -v -o mail_fsync=never backup -R -u foo...@example.com imapc:

So I don't know what you mean about dsync service failing ?  Surely the DNS 
lookup succeeded if the 'dsync service' failed due to remote disconnect ?

I'm still none the wiser as to where to start looking for troubleshooting ?



Re: ssl_cert: Can't open file permission denied

2019-04-10 Thread Laura Smith via dovecot


On Wednesday, April 10, 2019 1:08 PM, Michael Orlitzky via dovecot 
 wrote:

> On 4/10/19 6:39 AM, Dmitry Donskih via dovecot wrote:
>
> > `chmod -R 655 /etc/foobar/ssl' drops x attribute from `ssl' itself.
> > Use `chmod -R 755' or `chmod +x' or similar.
>
> Your private keys should be... private. Use 750 instead.


You are teaching granny to suck eggs.

Sometimes granny needs to do troubleshooting (especially when neither Dovecot 
nor the Operating System are generating any sort of useful log entries to help 
granny... it means granny needs to resort to real basics like file permissions 
and then work upwards).



failed: read(/var/run/dovecot/dns-client)

2019-04-10 Thread Laura Smith via dovecot
===
dsync(foo...@example.com): Error: imapc(foobar.example.com:993): 
dns_lookup(foobar.example.com) failed: read(/var/run/dovecot/dns-client) 
failed: read(size=512) failed: Connection reset by peer

dsync(foo...@example.com): Error: Failed to initialize user: imapc: Login to 
foobar.example.com failed: Disconnected from server
===

Initially I thought "oh no, not another AppArmor block".

But then surely the second message would not appear if the DNS lookup was not 
successful ?

Also "dig foobar.example.com" works fine.

How should I be troubleshooting this ?  And if it is still likely to be 
AppArmor, what is calling it ? "doveadm" itself or something else ?  What does 
"/var/run/dovecot/dns-client" do and why doesn't dovecot use standard OS calls 
like everyone else ?

So many questions !


Re: ssl_cert: Can't open file permission denied

2019-04-10 Thread Laura Smith via dovecot
On Wednesday, April 10, 2019 11:40 AM, Gerald Galster via dovecot 
 wrote:

> > Am 10.04.2019 um 11:59 schrieb Laura Smith via dovecot 
> > :
> >
> > On Wednesday, April 10, 2019 10:52 AM, Aki Tuomi via dovecot 
> >  wrote:
> >
> > > On 10.4.2019 12.36, Laura Smith via dovecot wrote:
> > >
> > > > Dovecot 2.3.3 (dcead646b)
> > > > openSUSE Leap 15.0
> > > > I am getting a weird error message:
> > > > Fatal: Error in configuration file /etc/dovecot/local.conf line 16: 
> > > > ssl_cert: Can't open file /etc/foobar/ssl/certbot.pem: Permission denied
> > > > I have tried the following:
> > > >
> > > > -   chmod -R 655 /etc/foobar/ssl (/etc/foobar is 755)
> > > > -   create "ssl_users" group add dovecot to it chown -R 
> > > > dovecot:ssl_users /etc/foobar/ssl
> > > >
> > > > How can I fix this ? There's no obvious solution ?
> > >
> > > Are you by chance using selinux? If you are, you might need to relabel
> > > the files.
> > >
> > > Aki
> >
> > This is openSUSE, not CentOS, I don't think it even comes with selinux.
>
> Maybe apparmor?
>
> https://git.ispconfig.org/ispconfig/ispconfig3/issues/5071
>
>  > OpenSuSE and apparmor expect dovecot certs to be in /etc/ssl/private
>  > ISPConfig setup script expects SSL certs to be in /etc/postfix but 
> apparmor prevents dovecot from reading them in that directory
>
> Otherwise you could login as dovecot user (temporarily change the shell to 
> bash if needed; usermod -s /bin/bash) and see if you can access the 
> certificate.
> Check all directory/file permissions, including acls (man getfacl), along the 
> path.
>
> Best regards
> Gerald

@Gerald   Spot on with apparmor !
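
The "check all directory/file permissions along the path" step quoted above, as an added Python example (not code from the thread): it walks every component of a path and applies the owner/group/other class rule to the mode bits, which shows why `chmod -R 655` leaves the owning user unable to enter the directory. The function names are hypothetical and the temporary tree is constructed; only mode bits are examined, so ACLs and AppArmor, the actual cause in this thread, are outside what it reports.

```python
import os
import stat
import tempfile

def class_bits(st, uid, gids):
    """rwx triplet the kernel picks: owner first, then group, then other."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def walk_path(path, uid, gids):
    """Check each component from / down to the file; return (path, problem)."""
    chain = [os.path.abspath(path)]
    while os.path.dirname(chain[-1]) != chain[-1]:
        chain.append(os.path.dirname(chain[-1]))
    findings = []
    for p in reversed(chain):
        try:
            st = os.stat(p)
        except PermissionError:
            # The process running this script cannot get past a parent.
            findings.append((p, "cannot stat: a parent directory blocks us"))
            break
        bits = class_bits(st, uid, gids)
        if stat.S_ISDIR(st.st_mode):
            if not bits & 1:
                findings.append((p, "directory lacks x (search) for this user"))
        else:
            if not bits & 4:
                findings.append((p, "file lacks r (read) for this user"))
            if st.st_mode & 0o004:
                findings.append((p, "world-readable"))
    return findings

if __name__ == "__main__":
    # Constructed tree reproducing `chmod -R 655` on a certificate directory.
    top = tempfile.mkdtemp()
    ssl_dir = os.path.join(top, "ssl")
    os.mkdir(ssl_dir)
    pem = os.path.join(ssl_dir, "certbot.pem")
    open(pem, "w").close()
    os.chmod(pem, 0o655)
    os.chmod(ssl_dir, 0o655)
    for finding in walk_path(pem, os.getuid(), os.getgroups()):
        print(finding)
```

Mode 655 is rw-/r-x/r-x, so the owner is the one class without the search bit; with 750 on the directory and 640 on the file the owner passes cleanly and the "world-readable" finding disappears.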


Re: ssl_cert: Can't open file permission denied

2019-04-10 Thread Laura Smith via dovecot


On Wednesday, April 10, 2019 10:52 AM, Aki Tuomi via dovecot 
 wrote:

> On 10.4.2019 12.36, Laura Smith via dovecot wrote:
>
> > Dovecot 2.3.3 (dcead646b)
> > openSUSE Leap 15.0
> > I am getting a weird error message:
> > Fatal: Error in configuration file /etc/dovecot/local.conf line 16: 
> > ssl_cert: Can't open file /etc/foobar/ssl/certbot.pem: Permission denied
> > I have tried the following:
> >
> > -   chmod -R 655 /etc/foobar/ssl (/etc/foobar is 755)
> > -   create "ssl_users" group add dovecot to it chown -R dovecot:ssl_users 
> > /etc/foobar/ssl
> >
> > How can I fix this ? There's no obvious solution ?
>
> Are you by chance using selinux? If you are, you might need to relabel
> the files.
>
> Aki

This is openSUSE, not CentOS, I don't think it even comes with selinux.




ssl_cert: Can't open file permission denied

2019-04-10 Thread Laura Smith via dovecot
Dovecot 2.3.3 (dcead646b)
openSUSE Leap 15.0

I am getting a weird error message:

Fatal: Error in configuration file /etc/dovecot/local.conf line 16: ssl_cert: 
Can't open file /etc/foobar/ssl/certbot.pem: Permission denied

I have tried the following:
- chmod -R 655 /etc/foobar/ssl (/etc/foobar is 755)
- create "ssl_users" group add dovecot to it chown -R dovecot:ssl_users 
/etc/foobar/ssl


How can I fix this ? There's no obvious solution ?