RE: Re[2]: Lightweight LMTP daemon to avoid overkill MTA

2019-12-11 Thread Marc Roos via dovecot


Yes I am running sendmail next to dovecot on backend servers. That works 
ok. I have some problems with re-routing mail in a proxy setup.



-Original Message-
To: Marc Roos; dovecot
Subject: Re[2]: Lightweight LMTP daemon to avoid overkill MTA


Hi,

I was unclear in my question. The spam filter is only able to deliver 
mail over SMTP, not over LMTP. So I would still need some kind of 
daemon that listens for SMTP and then offers incoming email to Dovecot's 
LMTP socket.


Met vriendelijke groeten,

William Edwards
T. 040 - 711 44 96
E. wedwa...@cyberfusion.nl




 
- Original Message -
From: Marc Roos (m.r...@f1-outsourcing.eu)
Date: 12/11/19 18:59
To: dovecot (dovecot@dovecot.org), wedwards (wedwa...@cyberfusion.nl)
Subject: RE: Lightweight LMTP daemon to avoid overkill MTA

Yes dovecot, /etc/dovecot/conf.d/20-lmtp.conf ;)

service lmtp {
 chroot =
 client_limit = 1
 drop_priv_before_exec = no
 executable = lmtp
 extra_groups = $default_internal_group
 group =
 idle_kill = 0
 inet_listener lmtp {
   address =
   haproxy = no
   port = 24
   reuse_port = no
   ssl = no
 }
 privileged_group =
 process_limit = 0
 process_min_avail = 0
 protocol = lmtp
 service_count = 0
 type =
 unix_listener lmtp {
   group =
   mode = 0666
   user =
 }
 user =
 vsz_limit = 18446744073709551615 B
}


-Original Message-
To: dovecot@dovecot.org
Subject: Lightweight LMTP daemon to avoid overkill MTA

Hi,

My situation is as follows.

- An internet-facing spam filter relays email to the destination mail server 
  (Dovecot) with SMTP.
- Dovecot should take the email and deliver it to users' mailboxes. I guess 
  I'd need LMTP for this.
- An external SMTP relay is already in place. I am thinking of using 
  Dovecot submission to relay to the external relaying cluster.

So, both relaying and routing are done externally - the Dovecot machine 
should only store mail. Of course, there should also be a mechanism that 
takes care of local delivery to Dovecot, like LMTP. Usually, I would use 
an MTA like Exim to take care of local delivery. I feel like a 
fully-featured MTA is overkill, though, as all other roles such an MTA 
would fulfill - relaying and spam filtering - are fulfilled on external 
servers.

Q: Does anyone know of a lightweight LMTP daemon that can take care of 
local delivery to Dovecot without the need for a full MTA?

With kind regards,

William Edwards
T. 040 - 711 44 96
E. wedwa...@cyberfusion.nl


RE: Lightweight LMTP daemon to avoid overkill MTA

2019-12-11 Thread Marc Roos via dovecot
 
Yes dovecot, /etc/dovecot/conf.d/20-lmtp.conf ;)

service lmtp {
  chroot =
  client_limit = 1
  drop_priv_before_exec = no
  executable = lmtp
  extra_groups = $default_internal_group
  group =
  idle_kill = 0
  inet_listener lmtp {
address =
haproxy = no
port = 24
reuse_port = no
ssl = no
  }
  privileged_group =
  process_limit = 0
  process_min_avail = 0
  protocol = lmtp
  service_count = 0
  type =
  unix_listener lmtp {
group =
mode = 0666
user =
  }
  user =
  vsz_limit = 18446744073709551615 B
}


-Original Message-
To: dovecot@dovecot.org
Subject: Lightweight LMTP daemon to avoid overkill MTA

Hi,

My situation is as follows.

- An internet-facing spam filter relays email to the destination mail server 
  (Dovecot) with SMTP.
- Dovecot should take the email and deliver it to users' mailboxes. I guess 
  I'd need LMTP for this.
- An external SMTP relay is already in place. I am thinking of using 
  Dovecot submission to relay to the external relaying cluster.

So, both relaying and routing are done externally - the Dovecot machine 
should only store mail. Of course, there should also be a mechanism that 
takes care of local delivery to Dovecot, like LMTP. Usually, I would use 
an MTA like Exim to take care of local delivery. I feel like a 
fully-featured MTA is overkill, though, as all other roles such an MTA 
would fulfill - relaying and spam filtering - are fulfilled on external 
servers.

Q: Does anyone know of a lightweight LMTP daemon that can take care of 
local delivery to Dovecot without the need for a full MTA?

With kind regards,

William Edwards
T. 040 - 711 44 96
E. wedwa...@cyberfusion.nl


How to rewrite local_lmtp ipc to tcp port 24

2019-12-05 Thread Marc Roos via dovecot


How do I change this line in sendmail.mc to use tcp port 24 on e.g. 
127.0.0.1?

FEATURE(`local_lmtp',`[IPC]',`FILE /var/run/dovecot/lmtp')dnl





Rootless wiki page is not up to date?

2019-12-04 Thread Marc Roos via dovecot


If I run a docker image with the mesos containerizer and alter the 
dovecot config mentioned here[1], I think the root detection is incorrect, 
because it looks like dovecot still thinks it is root. I still get errors like:


>> log(829825): Fatal: We couldn't drop root group privileges (wanted=10053(dovecot), gid=0(root), egid=0(root))

Why does it want to drop to root, if we are not even running as root?

>> Error: service(ipc): chown(/var/dovecot/login/ipc-proxy, 91, 4294967295) failed: Operation not permitted

Why does it want to chown, when it is not root?


pop3-login: Fatal: setgid(101(dovenull)) failed with euid=10053(dovecot), gid=10053(dovecot), egid=10053(dovecot): Operation not permitted (This binary should probably be called with process group set to 101(dovenull) instead of 10053(dovecot))



[1]
https://wiki.dovecot.org/HowTo/Rootless?action=edit&editor=text






RE: running dovecot under different user

2019-12-02 Thread Marc Roos via dovecot
 

Unless you run with the linux capability net_bind_service. But I just found 
this page[1]; maybe those user options help.

[1]
https://wiki.dovecot.org/HowTo/Rootless


-Original Message-
From: Benny Pedersen via dovecot [mailto:dovecot@dovecot.org] 
Sent: maandag 2 december 2019 20:21
To: dovecot@dovecot.org
Subject: Re: running dovecot under different user

On 2019-12-02 20:08, Marc Roos via dovecot wrote:
> Did anyone ever manage to run dovecot as a non-root user?

basic: all ports below 1024 need to be set up by the root unix system user

so yes dovecot can run non-rooted if all bound ports are over 1023

if that's practical




running dovecot under different user

2019-12-02 Thread Marc Roos via dovecot


Did anyone ever manage to run dovecot as a non-root user?


Running dovecot proxy as different user

2019-12-02 Thread Marc Roos via dovecot


I thought I read somewhere that I could prevent chroot with [1], but I am 
still getting chroot errors [2]. 

drwxrwxr-x 2 10053   101  6 Dec  2 16:54 empty
drwxr-x--- 2 10053   101 73 Dec  2 17:00 login
drwxr-x--- 2 10053   101 44 Dec  2 17:00 token-login

[1]
service anvil {
  chroot =
}

[2]
Dec  2 17:07:07 c04 dovecot: stats: Fatal: chroot(/var/dovecot/empty) failed: Operation not permitted
Dec  2 17:07:07 c04 dovecot: master: Error: service(stats): command startup failed, throttling for 16 secs
Dec  2 17:07:07 c04 dovecot: pop3-login: Fatal: setgid(101(dovenull)) failed with euid=10053(dovecot), gid=10053(dovecot), egid=10053(dovecot): Operation not permitted (This binary should probably be called with process group set to 101(dovenull) instead of 10053(dovecot))
Dec  2 17:07:07 c04 dovecot: master: Error: service(pop3-login): command startup failed, throttling for 16 secs




RE: Cert for ip range?

2019-12-01 Thread Marc Roos via dovecot
How can I bind the managesieve to the internal use network/interface?

service managesieve-login {
  inet_listener sieve {
    address = 192.168.10.0/24
    port = 4190
  }
}


-Original Message-
From: Mark Moseley via dovecot [mailto:dovecot@dovecot.org] 
Sent: woensdag 27 november 2019 22:06
To: Aki Tuomi
Cc: Mark Moseley via dovecot
Subject: Re: Cert for ip range?

On Wed, Nov 27, 2019 at 11:31 AM Aki Tuomi  
wrote:



> On 27/11/2019 21:28 Mark Moseley via dovecot 
 wrote:
> 
> 
> On Tue, Nov 26, 2019 at 11:22 PM Aki Tuomi via dovecot 
 wrote:
> > 
> >  On 21.11.2019 23.57, Marc Roos via dovecot wrote:
> >  > Is it possible to configure a network for a cert instead of an ip?
> >  >
> >  > Something like this:
> >  >
> >  > local 192.0.2.0 {
> >  >   ssl_cert =
> >  >   ssl_key =
> >  > }
> >  >
> >  > Or
> >  >
> >  > local 192.0.2.0/24 {
> >  >   ssl_cert =
> >  >   ssl_key =
> >  > }
> >  >
> >  > https://wiki.dovecot.org/SSL/DovecotConfiguration
> >  >
> >  
> >  Local part supports that.
> >  
> >  Aki
> 
> 
> On the same topic (though I can start a new thread if 
> preferable), it doesn't appear that you can use wildcards/patterns in 
> the 'local' name, unless I'm missing something--which is quite likely.
> 
> If it's not possible currently, can I suggest adding that as a 
> feature? That is, instead of having to list out all the various SNI 
> hostnames that a cert should be used for (e.g. "local pop3.example.com 
> imap.example.com pops.example.com pop.example.com {" -- and on and on), 
> it'd be handy to be able to just say "local *.example.com {" and call 
> it a day. I imagine there'd be a bit of a slowdown, since you'd have to 
> loop through patterns on each connection (instead of what I assume is a 
> hash lookup), esp for people with significant amounts of 'local's.
>

Actually that is supported, but you need to use v2.2.35 or later. 




Ha, it literally *never* fails (that there's some option I've overlooked 
10 times, before asking on the list)

'local' vs 'local_name'. Never noticed the difference before in the 
docs. Might be worth adding a blurb in 
https://wiki.dovecot.org/SSL/DovecotConfiguration that 'local_name' 
takes '*'-style wildcard (at least in the beginning of the hostname). 
I'll resume my embarrassed silence now. :)




RE: Error: proxy: Remote returned invalid banner: 220

2019-12-01 Thread Marc Roos via dovecot
 
I started over and ended up adding this 
homeDirectory=userdb_home,uidNumber=userdb_uid,gidNumber=userdb_gid to 
the pass_attrs ldap entry. Now the proxy seems to work. 

pass_attrs = uid=user,userPassword=password,host=host,homeDirectory=userdb_home,uidNumber=userdb_uid,gidNumber=userdb_gid




-Original Message-
From: Stephan Bosch [mailto:step...@rename-it.nl] 
Sent: zondag 1 december 2019 16:30
To: Marc Roos; dovecot
Subject: Re: Error: proxy: Remote returned invalid banner: 220



On 29/11/2019 19:01, Marc Roos via dovecot wrote:
> I had a working proxy setup, added sieve to it, and out of the blue I 
> get this
>
> Error: proxy: Remote returned invalid banner: 220
>
> No idea what to do, nothing even in the mail list archive

Looks a lot like you're mixing up protocols, but I need your 
configuration to confirm (output from `dovecot -n`).

Regards,

Stephan.




RE: dovecot: auth: Error: DNS lookup for xxx failed: Name does not resolve

2019-11-30 Thread Marc Roos via dovecot
 
I am sure resolving works fine. I tested this in a running mesos 
container, but also in docker run[1]. I need to have the search local 
option in resolv.conf. 

It was actually working, until I started adding the proxy for 
managesieve, but when I reverted, it still does not work. I think the 
building from cache misled me.

I suspect this is a different problem, that at some point is giving this 
error. Maybe I need some specific config for the dns-client socket. 

PS. This is just a proxy I need temporarily. But I am thinking of creating 
a container that directly connects to ceph storage so you do not need 
any local storage. 

[1]
docker run --dns-search='local' -v /dev/log:/dev/log -it dovecot-proxy 
bash

[2]
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
  default_fields = proxy=y host=svr1
}

-Original Message-
From: John Stoffel [mailto:j...@stoffel.org] 
Sent: zaterdag 30 november 2019 20:51
To: Marc Roos
Cc: dovecot
Subject: Re: dovecot: auth: Error: DNS lookup for xxx failed: Name does 
not resolve


Marc> I had a working container with dovecot configured as proxy. And 
Marc> all of a sudden I am getting these messages 'dovecot: auth:
Marc> Error: DNS lookup for roosit03 failed: Name does not resolve'
Marc> Pinging/nslookup these hostnames is ok

Does nslookup work inside the container?  Sounds to me like the setup 
isn't working properly, but it's hard to know unless you give us more 
details.  Can you spin up another container with the same config but not 
running dovecot to do a check on DNS resolution?

Does the container's logs give you more details?  How often do you 
stop/restart the container?  I would think that Dovecot in a container 
isn't really ideal since you need to access the mailstores, and somehow 
you get email delivered to the mailstore by postfix/sendmail/exim or 
some other tool.

John




dovecot: auth: Error: DNS lookup for xxx failed: Name does not resolve

2019-11-30 Thread Marc Roos via dovecot


I had a working container with dovecot configured as proxy. And all of a 
sudden I am getting these messages 'dovecot: auth: Error: DNS lookup for 
roosit03 failed: Name does not resolve'
Pinging/nslookup these hostnames is ok



RE: Error: proxy: Remote returned invalid banner: 220

2019-11-29 Thread Marc Roos via dovecot
 
With a telnet to port 110 on the proxy

-Original Message-
To: dovecot
Subject: Error: proxy: Remote returned invalid banner: 220


I had a working proxy setup, added sieve to it, and out of the blue I get 
this

Error: proxy: Remote returned invalid banner: 220 

No idea what to do, nothing even in the mail list archive




Error: proxy: Remote returned invalid banner: 220

2019-11-29 Thread Marc Roos via dovecot


I had a working proxy setup, added sieve to it, and out of the blue I get 
this

Error: proxy: Remote returned invalid banner: 220 

No idea what to do, nothing even in the mail list archive


RE: sendmail -> lmtp 501 5.6.0 Data format error

2019-11-28 Thread Marc Roos via dovecot
 

Yes you were right, I asked also at sendmail and they also told me the 
smtp should stay. Seems to be working now with lmtp and sieve.


-Original Message-
To: Dovecot
Subject: RE: sendmail -> lmtp 501 5.6.0 Data format error

On Thu, 28 Nov 2019, Marc Roos wrote:

> When changing in a working setup sendmail.mc
>
> From this
> MAILER(smtp)dnl
> MAILER(procmail)dnl
>
> To this
> FEATURE(`local_lmtp',`[IPC]',`FILE /var/run/dovecot/lmtp')dnl 
> MAILER(local)dnl
>
> I am getting these errors '501 5.6.0 Data format error' and '
> Unrecognized host name'.
> ...
> Eg. When I send email from gmail it looks like this
>(reason: 553 5.1.2 ... Unrecognized host name
> gmail.com.)

Just a stab (I toyed around with LMTP for a while and probably will 
eventually use it), but you probably need to retain

MAILER(smtp)dnl

Sendmail has semi-cryptic documentation on what it does

https://www.sendmail.org/~ca/email/doc8.12/cf/m4/mailers.html

Joseph Tam 




Sendmail + lmtp

2019-11-28 Thread Marc Roos via dovecot


Is there any guide like this 
https://wiki.dovecot.org/HowTo/PostfixDovecotLMTP for configuring 
sendmail?



RE: sendmail -> lmtp 501 5.6.0 Data format error

2019-11-28 Thread Marc Roos via dovecot
 
Eg. When I send email from gmail it looks like this
(reason: 553 5.1.2 ... Unrecognized host name 
gmail.com.)



-Original Message-
To: dovecot
Subject: sendmail -> lmtp 501 5.6.0 Data format error



When changing in a working setup sendmail.mc 

From this
MAILER(smtp)dnl
MAILER(procmail)dnl

To this
FEATURE(`local_lmtp',`[IPC]',`FILE /var/run/dovecot/lmtp')dnl 
MAILER(local)dnl

I am getting these errors '501 5.6.0 Data format error' and ' 
Unrecognized host name'. 

What should I change in my lmtp config? Could this be related to 
messages being relayed from other servers?

lmtp_address_translate =
lmtp_hdr_delivery_address = final
lmtp_proxy = no
lmtp_rcpt_check_quota = no
lmtp_save_to_detail_mailbox = no
lmtp_user_concurrency_limit = 0




sendmail -> lmtp 501 5.6.0 Data format error

2019-11-28 Thread Marc Roos via dovecot



When changing in a working setup sendmail.mc 

From this
MAILER(smtp)dnl
MAILER(procmail)dnl

To this
FEATURE(`local_lmtp',`[IPC]',`FILE /var/run/dovecot/lmtp')dnl
MAILER(local)dnl

I am getting these errors '501 5.6.0 Data format error' and ' 
Unrecognized host name'. 

What should I change in my lmtp config? Could this be related to 
messages being relayed from other servers?

lmtp_address_translate =
lmtp_hdr_delivery_address = final
lmtp_proxy = no
lmtp_rcpt_check_quota = no
lmtp_save_to_detail_mailbox = no
lmtp_user_concurrency_limit = 0


Performance mdbox vs mbox

2019-11-26 Thread Marc Roos via dovecot


If I do the same test[1] with mbox I can store around 31k messages and 
mdbox 16k messages. I noticed also that cpu and disk utilization with 
mdbox was not very high, while disk utilization on mbox was much higher. 
That makes me wonder if I can tune mdbox to have better performance?


[1]
imaptest - append=100,0 logout=0 host=svr port=143 user=test pass=xxx 
seed=100 secs=240 clients=1 mbox=64kb.mbox box=inbox/test

[2]
mail_location = mbox:~/mail:INBOX=/var/spool/mail/%u:CONTROL=~/mail/control:INDEX=/var/dovecot/%u/index:LAYOUT=maildir++
mail_location = mdbox:~/mdbox:INDEX=/home/popindex/%u/index


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -. 
F1 Outsourcing Development Sp. z o.o.
Poland 

t:  +48 (0)124466845
f:  +48 (0)124466843
e:  m...@f1-outsourcing.eu




RE: Health check curl example

2019-11-25 Thread Marc Roos via dovecot
 
I can't yet use -p, the version I have still does not support it :( 
Maybe it is better to wait until alpine linux updates the package.



-Original Message-

Subject: RE: Health check curl example

No worries. Now you are not using the passthrough(-p) mode. That is why 
dovecot is telling you that your client is not compatible.

Using "script" without -p would require you to implement that protocol: 
http://doc.dovecot.org/admin_manual/health_check.html#script-protocol.

I believe all you want to do is to keep this line

  executable = script -p health-check.sh

and just replace health-check.sh with the script that you implemented.

> On November 25, 2019 11:48 AM Marc Roos via dovecot 
 wrote:
> 
>  
> :) I'm really starting to feel a bit like an idiot, but all these 3 
> configs[0] give error 'Client not compatible with this binary'
> 
> [0]
> service health-check {
>   executable = script /bin/health-check.sh
>   inet_listener health-check {
>   port = 5001
>  }
> }
> 
> service health-check {
>   executable = script -e "HOME PATH" /bin/health-check.sh
>   inet_listener health-check {
>   port = 5001
>  }
> }
> 
> service health-check {
>   executable = script -e HOME PATH /bin/health-check.sh
>   inet_listener health-check {
>   port = 5001
>  }
> }
> 
> 
> Nov 25 11:44:52 test2 dovecot: script: Fatal: Client not compatible 
> with this binary (connecting to wrong socket?)
> 
> 
> -Original Message-
> Subject: RE: Health check curl example
> 
> The -e parameter is used to define a "list of environment variables", 
> so the error message telling you that you did not define a script is 
right.
> 
> 
> So far I understood that you wanted to use passthrough mode, so do not 
> use -e but -p (except if you need to define some environment variables 
> for your script).
> 
> Executing the script executable standalone does not work it must be 
> started from the dovecot master process, that is why you are getting 
> the Panic.
> 
> Markus
> 
> > On November 25, 2019 10:06 AM Marc Roos 
> wrote:
> > 
> >  
> > Thanks, Markus, maybe we should add this to the admin_manual? 
> > However I am now getting the error 'script: Fatal: Missing script 
path'
> > 
> > Similar as when I try via the command line
> > bash-5.0# /usr/libexec/dovecot/script -e  /bin/health-check.sh
> > Fatal: Missing script path
> > 
> > 
> > bash-5.0# /usr/libexec/dovecot/script -e  /bin/ health-check.sh
> > Panic: BUG: No IOs or timeouts set. Not waiting for infinity.
> > Aborted (core dumped)
> > 
> > 
> > 
> > 
> > -Original Message-
> > Subject: Re: Health check curl example
> > 
> > Hi,
> > 
> > you can use telnet or netcat to send input to that port and receive 
> > the answer.
> > 
> > echo "PING" | nc localhost 5001
> > 
> > Best regards
> > 
> > Markus
> > 
> > 
> > On 11/24/19 2:43 PM, Marc Roos via dovecot wrote:
> > >  
> > > How do I check the standard script then on this port 5001 from the 
> > > command line?
> > > 
> > > 
> > > This one of alpine linux also does not have it yet
> > > bash-5.0# dovecot --version
> > > 2.3.7.2 (3c910f64b)
> > > 
> > > 
> > > 
> > > 
> > > 
> > > -Original Message-
> > > Subject: RE: Health check curl example
> > > 
> > > Yes. The passthrough option is rather new. 
> > > 
> > > Aki
> > > 
> > >   On 24/11/2019 15:28 Marc Roos via dovecot <
> dovecot@dovecot.org>
> > > wrote: 
> > > 
> > > 
> > >   I think I already have that, I am having this configured
> > > 
> > >   service health-check { 
> > >   # this is the default configuration using the simple PING->PONG
> > >   # example health-check. 
> > >   executable = script -p /bin/health-check.sh 
> > >   inet_listener health-check { 
> > >   port = 5001 
> > >   } 
> > >   }
> > > 
> > >   bash-5.0# /bin/health-check.sh 
> > >   HTTP/1.1 200 OK 
> > >   Connection: keep-alive
> > > 
> > >   OK
> > > 
> > > 
> > > 
> > > 
> > > 
> > >   -Original Message- 
> > >   Subject: Re: Health check curl example
> > > 
> > >   Your health check script should implement HTTP protocol. Then you can
> > >   use passthrough mode and use cURL. 
> > > 
> > >   The provided script does not speak HTTP. 
> > > 
> > >   Aki
> > > 
> > >   On 24/11/2019 15:12 Marc Roos via dovecot <
> dovecot@dovecot.org>
> > >   wrote: 
> > > 
> > > 
> > >   I am not understanding how this health check[1] script should work. 
> > > 
> > >   From the commandline it works fine when I type a PING I get a PONG. But
> > >   how do I do a curl to this 5001 port? 
> > > 
> > >   Tried something like this: 
> > > 
> > >   bash-5.0# curl http://localhost:5001/ 
> > >   curl: (56) Recv failure: Connection reset by peer
> > > 
> > >   bash-5.0# curl http://localhost:5001/PING 
> > >   curl: (56) Recv failure: Connection reset by peer
> > > 
> > >   [1] 
> > >   https://doc.dovecot.org/admin_manual/health_check/
> > > 
> > > 
> > >   --- 
> > >   Aki Tuomi
> > > 
> > > 
> > > ---
> > > Aki Tuomi
> > > 
> > >
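Aki's point in the quoted thread is that with `script -p` (passthrough) the client socket is the script's own stdin/stdout, so the script has to answer in HTTP before curl can get anything back. The following is an added example, not the thread's script and not Dovecot's shipped health-check.sh: it is written for the `executable = script -p /bin/health-check.sh` service block quoted above, and the `backend_healthy` hook is an assumption to be replaced with the real liveness check.

```sh
#!/bin/sh
# Health-check script for Dovecot's passthrough mode, i.e.
#   service health-check { executable = script -p /bin/health-check.sh ... }
# In passthrough mode the client socket is this script's stdin/stdout, so the
# script must produce a complete HTTP response for "curl http://host:5001/".

set -f                      # no pathname expansion when splitting the request line
CR=$(printf '\r')

# Hook for the real liveness test (assumed; replace with whatever the
# deployment needs). Exit 0 = healthy, non-zero = unhealthy.
backend_healthy() {
    return 0
}

# Emit one complete HTTP/1.1 response. An exact Content-Length plus
# "Connection: close" lets curl finish instead of waiting for more data.
# $1 = status line text, $2 = body, $3 = "nobody" to omit the body (HEAD).
http_response() {
    status=$1
    body=$2
    printf 'HTTP/1.1 %s\r\n' "$status"
    printf 'Content-Type: text/plain\r\n'
    printf 'Content-Length: %s\r\n' "${#body}"
    printf 'Connection: close\r\n\r\n'
    if [ "${3:-}" != nobody ]; then
        printf '%s' "$body"
    fi
}

# Read one HTTP request from stdin (request line, then headers up to the
# blank line) and answer it. Only GET and HEAD of "/" report health.
http_health_check() {
    IFS= read -r request || request=''
    request=${request%"$CR"}
    # Drain the headers so the client never sees a reset with unread data.
    while IFS= read -r header; do
        header=${header%"$CR"}
        [ -n "$header" ] || break
    done
    set -- $request
    method=${1:-}
    path=${2:-}
    case "$method $path" in
        "GET /")
            if backend_healthy; then
                http_response '200 OK' 'OK'
            else
                http_response '503 Service Unavailable' 'FAIL'
            fi
            ;;
        "HEAD /")
            if backend_healthy; then
                http_response '200 OK' 'OK' nobody
            else
                http_response '503 Service Unavailable' 'FAIL' nobody
            fi
            ;;
        *)
            http_response '404 Not Found' 'not found'
            ;;
    esac
}

# Serve a request only when run as the health-check script itself; under any
# other name the file just defines the functions (e.g. for testing).
case "${0##*/}" in
    health-check.sh) http_health_check ;;
esac
```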




Lmtp logging, does not log

2019-11-25 Thread Marc Roos via dovecot


Looks like dovecot is not sending stuff to syslog anymore I am getting 
some message in /tmp/dovecot.log. However the lmtp log files are not 
even created.

bash-5.0# doveconf | grep log_
auth_policy_log_only = no
debug_log_path =
deliver_log_format = msgid=%m: %$
doveadm_http_rawlog_dir =
imapc_rawlog_dir =
info_log_path =
lmtp_proxy_rawlog_dir = /tmp/lmtp-proxy.log
lmtp_rawlog_dir = /tmp/lmtp.log
log_core_filter =
log_debug =
log_path = /tmp/dovecot.log
log_timestamp = "%b %d %H:%M:%S "
login_log_format = %$: %s
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c 
session=<%{session}>
mail_index_log_rotate_max_size = 1 M
mail_index_log_rotate_min_age = 5 mins
mail_index_log_rotate_min_size = 32 k
mail_index_rewrite_max_log_bytes = 128 k
mail_index_rewrite_min_log_bytes = 8 k
mail_log_prefix = "%s(%u)<%{pid}><%{session}>: "
pop3c_rawlog_dir =
rawlog_dir =
submission_relay_rawlog_dir =
syslog_facility = mail




RE: Health check curl example

2019-11-25 Thread Marc Roos via dovecot
 

:) I'm really starting to feel a bit like an idiot, but all these 3 
configs[0] give error 'Client not compatible with this binary'

[0]
service health-check {
  executable = script /bin/health-check.sh
  inet_listener health-check {
  port = 5001
 }
}

service health-check {
  executable = script -e "HOME PATH" /bin/health-check.sh
  inet_listener health-check {
  port = 5001
 }
}

service health-check {
  executable = script -e HOME PATH /bin/health-check.sh
  inet_listener health-check {
  port = 5001
 }
}


Nov 25 11:44:52 test2 dovecot: script: Fatal: Client not compatible with 
this binary (connecting to wrong socket?)


-Original Message-
Subject: RE: Health check curl example

The -e parameter is used to define a "list of environment variables", so 
the error message telling you that you did not define a script is right. 


So far I understood that you wanted to use passthrough mode, so do not 
use -e but -p (except if you need to define some environment variables for 
your script).

Executing the script executable standalone does not work it must be 
started from the dovecot master process, that is why you are getting the 
Panic. 

Markus

> On November 25, 2019 10:06 AM Marc Roos  
wrote:
> 
>  
> Thanks, Markus, maybe we should add this to the admin_manual? However 
> I am now getting the error 'script: Fatal: Missing script path'
> 
> Similar as when I try via the command line
> bash-5.0# /usr/libexec/dovecot/script -e  /bin/health-check.sh
> Fatal: Missing script path
> 
> 
> bash-5.0# /usr/libexec/dovecot/script -e  /bin/ health-check.sh
> Panic: BUG: No IOs or timeouts set. Not waiting for infinity.
> Aborted (core dumped)
> 
> 
> 
> 
> -Original Message-
> Subject: Re: Health check curl example
> 
> Hi,
> 
> you can use telnet or netcat to send input to that port and receive 
> the answer.
> 
> echo "PING" | nc localhost 5001
> 
> Best regards
> 
> Markus
> 
> 
> On 11/24/19 2:43 PM, Marc Roos via dovecot wrote:
> >  
> > How do I check the standard script then on this port 5001 from the 
> > command line?
> > 
> > 
> > This one of alpine linux also does not have it yet
> > bash-5.0# dovecot --version
> > 2.3.7.2 (3c910f64b)
> > 
> > 
> > 
> > 
> > 
> > -Original Message-
> > Subject: RE: Health check curl example
> > 
> > Yes. The passthrough option is rather new. 
> > 
> > Aki
> > 
> > On 24/11/2019 15:28 Marc Roos via dovecot < 
dovecot@dovecot.org>
> > wrote: 
> > 
> > 
> > I think I already have that, I am having this configured
> > 
> > service health-check { 
> > # this is the default configuration using the simple PING->PONG 
> > # example health-check. 
> > executable = script -p /bin/health-check.sh 
> > inet_listener health-check { 
> > port = 5001 
> > } 
> > }
> > 
> > bash-5.0# /bin/health-check.sh 
> > HTTP/1.1 200 OK 
> > Connection: keep-alive
> > 
> > OK
> > 
> > 
> > 
> > 
> > 
> > -Original Message- 
> > Subject: Re: Health check curl example
> > 
> > Your health check script should implement HTTP protocol. Then you can
> > use passthrough mode and use cURL. 
> > 
> > The provided script does not speak HTTP. 
> > 
> > Aki
> > 
> > On 24/11/2019 15:12 Marc Roos via dovecot < 
dovecot@dovecot.org> 
> > wrote: 
> > 
> > 
> > I am not understanding how this health check[1] script should work. 
> > 
> > From the commandline it works fine when I type a PING I get a PONG. But
> > how do I do a curl to this 5001 port? 
> > 
> > Tried something like this: 
> > 
> > bash-5.0# curl http://localhost:5001/ 
> > curl: (56) Recv failure: Connection reset by peer
> > 
> > bash-5.0# curl http://localhost:5001/PING 
> > curl: (56) Recv failure: Connection reset by peer
> > 
> > [1] 
> > https://doc.dovecot.org/admin_manual/health_check/
> > 
> > 
> > --- 
> > Aki Tuomi
> > 
> > 
> > ---
> > Aki Tuomi
> > 
> >




RE: proxy dual server setup clarification

2019-11-25 Thread Marc Roos via dovecot


Hi Sami,

I have this proxy on pop3/imap working; however, I can't get this lmtp to 
work.

In theory, only these configuration changes should be needed to direct 
messages for account test to server svr1, no?

lmtp_proxy = yes

protocol lmtp {
  # Space separated list of plugins to load (default is global 
mail_plugins).
  passdb {
  driver = passwd-file
  args = /etc/dovecot/special-passdb
  default_fields = proxy=y host=svr1
  }
} 


bash-5.0# cat /etc/dovecot/special-passdb
test:password:1000:1000:(gecos):home:/bin/false:host=svr1


bash-5.0# cat /tmp/test.msg | /usr/libexec/dovecot/lmtp
Info: Connect from local
220 081b883fa2bc Dovecot ready.
250 2.1.0 OK
Panic: file connection.c: line 380 (connection_update_properties): 
assertion failed: (conn->remote_port != 0)
Aborted (core dumped)


-Original Message-
Subject: Re: proxy dual server setup clarification



> On 12 Nov 2019, at 16.03, Marc Roos via dovecot  
wrote:
> 
> 
> 
> 
> I want to migrate mail users to a new environment. 
> 
> If I setup a new server next to the old server, and enable proxy on 
> both. Is this then enough to migrate user by user with the passdb 
> host=newsvr option to the new environment?
> 
> Eg. I do not need to configure a director setup? 
> I only need to enable proxy for imap and lmtp on both servers? 
> (messages on the oldsvr will be proxied to the newsvr?)


You need just one proxy where the user session is authenticated and then 
forwarded to either backend depending on the host value. You don't need 
to "enable proxy" on any backend or use director.

Sami





RE: Health check curl example

2019-11-25 Thread Marc Roos via dovecot
 
Thanks, Markus, maybe we should add this to the admin_manual? However I 
am now getting the error 'script: Fatal: Missing script path'

Similar as when I try via the command line
bash-5.0# /usr/libexec/dovecot/script -e  /bin/health-check.sh
Fatal: Missing script path


bash-5.0# /usr/libexec/dovecot/script -e  /bin/ health-check.sh
Panic: BUG: No IOs or timeouts set. Not waiting for infinity.
Aborted (core dumped)




-Original Message-
Subject: Re: Health check curl example

Hi,

you can use telnet or netcat to send input to that port and receive the 
answer.

echo "PING" | nc localhost 5001

Best regards

Markus


On 11/24/19 2:43 PM, Marc Roos via dovecot wrote:
>  
> How do I check the standard script then on this port 5001 from the 
> command line?
> 
> 
> This one of alpine linux also does not have it yet bash-5.0# dovecot 
> --version
> 2.3.7.2 (3c910f64b)
> 
> 
> 
> 
> 
> -Original Message-
> Subject: RE: Health check curl example
> 
> Yes. The passthrough option is rather new. 
> 
> Aki
> 
>   On 24/11/2019 15:28 Marc Roos via dovecot < dovecot@dovecot.org>
> wrote: 
> 
> 
>   I think I already have that, I am having this configured
> 
>   service health-check { 
>   # this is the default configuration using the simple PING->PONG 
>   # example health-check. 
>   executable = script -p /bin/health-check.sh 
>   inet_listener health-check { 
>   port = 5001 
>   } 
>   }
> 
>   bash-5.0# /bin/health-check.sh 
>   HTTP/1.1 200 OK 
>   Connection: keep-alive
> 
>   OK
> 
> 
> 
> 
> 
>   -Original Message- 
>   Subject: Re: Health check curl example
> 
>   Your health check script should implement HTTP protocol. Then you can
>   use passthrough mode and use cURL. 
> 
>   The provided script does not speak HTTP. 
> 
>   Aki
> 
>   On 24/11/2019 15:12 Marc Roos via dovecot < dovecot@dovecot.org> 
>   wrote: 
> 
> 
>   I am not understanding how this health check[1] script should work. 
> 
>   From the commandline it works fine when I type a PING I get a PONG. But 
>   how do I do a curl to this 5001 port? 
> 
>   Tried something like this: 
> 
>   bash-5.0# curl http://localhost:5001/ 
>   curl: (56) Recv failure: Connection reset by peer
> 
>   bash-5.0# curl http://localhost:5001/PING 
>   curl: (56) Recv failure: Connection reset by peer
> 
>   [1] 
>   https://doc.dovecot.org/admin_manual/health_check/
> 
> 
>   --- 
>   Aki Tuomi
> 
> 
> ---
> Aki Tuomi
> 
> 




Lmtp proxy help assertion failed: (conn->remote_port != 0

2019-11-24 Thread Marc Roos via dovecot



I have this in my 20-lmtp.conf file and created passdb-file, this should 
be enough to route a message to svr1? The port 24 is reachable from the 
proxy.


bash-5.0# cat 20-lmtp.conf
lmtp_proxy = yes


protocol lmtp {
  # Space separated list of plugins to load (default is global 
mail_plugins).
  passdb {
  driver = passwd-file
  args = /etc/dovecot/special-passdb
  default_fields = proxy=y host=svr1
  }
}


bash-5.0# cat /etc/dovecot/special-passdb
test:password:1000:1000:(gecos):home:/bin/false:host=svr1




RE: lmtp proxy 'Invalid FROM: Missing domain'

2019-11-24 Thread Marc Roos via dovecot
 
If I add a domain, error changes in:
connection.c: line 380 (connection_update_properties): assertion failed: 
(conn->remote_port != 0)


-Original Message-
Subject: lmtp proxy 'Invalid FROM: Missing domain'


Looks like I have a correctly working proxy on pop3. On both backend 
servers I can run

cat /tmp/test.msg | /usr/libexec/dovecot/lmtp

Giving
250 2.1.5 OK
354 OK
Info: Disconnect from local: Connection closed (in DATA)

However, if I run the same command on the proxy, I am getting this error: 
'Invalid FROM: Missing domain'. How is this FROM even relevant if the 
message just needs to be delivered to RCPT TO?








lmtp proxy 'Invalid FROM: Missing domain'

2019-11-24 Thread Marc Roos via dovecot


Looks like I have a correctly working proxy on pop3. On both backend 
servers I can run

cat /tmp/test.msg | /usr/libexec/dovecot/lmtp

Giving 
250 2.1.5 OK
354 OK
Info: Disconnect from local: Connection closed (in DATA)

However, if I run the same command on the proxy, I am getting this error: 
'Invalid FROM: Missing domain'. How is this FROM even relevant if the 
message just needs to be delivered to RCPT TO?






RE: Health check curl example

2019-11-24 Thread Marc Roos via dovecot
 
How do I check the standard script then on this port 5001 from the 
command line?


This one on Alpine Linux also does not have it yet:
bash-5.0# dovecot --version
2.3.7.2 (3c910f64b)





-Original Message-
Subject: RE: Health check curl example

Yes. The passthrough option is rather new. 

Aki 

On 24/11/2019 15:28 Marc Roos via dovecot < dovecot@dovecot.org> 
wrote: 


I think I already have that; I have this configured 

service health-check { 
# this is the default configuration using the simple PING->PONG 
# example health-check. 
executable = script -p /bin/health-check.sh 
inet_listener health-check { 
port = 5001 
} 
} 

bash-5.0# /bin/health-check.sh 
HTTP/1.1 200 OK 
Connection: keep-alive 

OK 





-Original Message- 
Subject: Re: Health check curl example 

Your health check script should implement HTTP protocol. Then you 
can 
use passthrough mode and use cURL. 

The provided script does not speak HTTP. 

Aki 

On 24/11/2019 15:12 Marc Roos via dovecot < dovecot@dovecot.org> 
wrote: 


I am not understanding how this health check[1] script should work. 

From 
the commandline it works fine when I type a PING I get a PONG. But 
how 
do I do a curl to this 5001 port? 

Tried something like this: 

bash-5.0# curl http://localhost:5001/ 
curl: (56) Recv failure: Connection reset by peer 

bash-5.0# curl http://localhost:5001/PING 
curl: (56) Recv failure: Connection reset by peer 

[1] 
https://doc.dovecot.org/admin_manual/health_check/ 


--- 
Aki Tuomi 


---
Aki Tuomi




RE: Health check curl example

2019-11-24 Thread Marc Roos via dovecot


I think I already have that; I have this configured

service health-check {
  # this is the default configuration using the simple PING->PONG
  # example health-check.
  executable = script -p /bin/health-check.sh
  inet_listener health-check {
  port = 5001
 }
}
 
bash-5.0# /bin/health-check.sh
HTTP/1.1 200 OK
Connection: keep-alive

OK





-Original Message-
Subject: Re: Health check curl example

Your health check script should implement the HTTP protocol. Then you can 
use passthrough mode and use cURL.  

The provided script does not speak HTTP. 

Aki 

On 24/11/2019 15:12 Marc Roos via dovecot < dovecot@dovecot.org> 
wrote: 


I am not understanding how this health check[1] script should work. 
From 
the commandline it works fine when I type a PING I get a PONG. But 
how 
do I do a curl to this 5001 port? 

Tried something like this: 

bash-5.0# curl http://localhost:5001/ 
curl: (56) Recv failure: Connection reset by peer 

bash-5.0# curl http://localhost:5001/PING 
curl: (56) Recv failure: Connection reset by peer 

[1] 
https://doc.dovecot.org/admin_manual/health_check/ 


---
Aki Tuomi




Health check curl example

2019-11-24 Thread Marc Roos via dovecot


I do not understand how this health check[1] script should work. From 
the command line it works fine: when I type PING I get PONG. But how 
do I do a curl to this port 5001? 

Tried something like this:

bash-5.0# curl http://localhost:5001/
curl: (56) Recv failure: Connection reset by peer

bash-5.0# curl http://localhost:5001/PING
curl: (56) Recv failure: Connection reset by peer

[1]
https://doc.dovecot.org/admin_manual/health_check/
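An added example, not the PING/PONG script shipped with Dovecot and not code from this thread, of what Aki's advice amounts to in practice: a health-check handler that reads a complete HTTP request head and answers with a full HTTP/1.1 response, so that `curl http://localhost:5001/` gets a reply instead of 'Connection reset by peer'. It assumes a Dovecot build whose `script` service supports passthrough (`executable = script -p /bin/health-check.py`; the path is an assumption), and `check_backend()` is a placeholder liveness test to be replaced with a real one.

```python
import sys


def check_backend():
    """Site-specific liveness test. Assumption: a placeholder that is always
    healthy; replace with e.g. a doveadm call on the real server."""
    return True


def parse_request(stream):
    """Read one HTTP request head from a binary stream.

    Returns (method, target) or None when the peer sent nothing usable.
    Headers are consumed up to the blank line that ends them; a GET or HEAD
    from curl carries no body, so nothing further needs to be read."""
    request_line = stream.readline()
    parts = request_line.rstrip(b"\r\n").split()
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        return None
    while stream.readline() not in (b"", b"\r\n", b"\n"):
        pass
    return parts[0].decode("ascii", "replace"), parts[1].decode("ascii", "replace")


def build_response(method, healthy):
    """Render a complete HTTP/1.1 response.

    An exact Content-Length plus Connection: close tells the client the
    reply is complete before the script exits and Dovecot closes the
    socket, which is what turns curl's 'Connection reset by peer' into a
    clean exit with the body printed."""
    if method not in ("GET", "HEAD"):
        status, body = "405 Method Not Allowed", b"method not allowed\n"
    elif healthy:
        status, body = "200 OK", b"OK\n"
    else:
        status, body = "503 Service Unavailable", b"FAIL\n"
    head = (
        f"HTTP/1.1 {status}\r\n"
        "Content-Type: text/plain\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")
    return head if method == "HEAD" else head + body


def handle(stream_in, stream_out):
    """Serve one request. Returns the HTTP status code sent, or 0 when the
    request was unreadable (e.g. a bare PING) and the connection just closes."""
    parsed = parse_request(stream_in)
    if parsed is None:
        return 0
    response = build_response(parsed[0], check_backend())
    stream_out.write(response)
    stream_out.flush()
    return int(response.split(b" ", 2)[1])


if __name__ == "__main__":
    # In passthrough mode Dovecot hands the accepted socket to the script as
    # stdin/stdout, so one run serves exactly one probe.
    handle(sys.stdin.buffer, sys.stdout.buffer)
```

A load balancer probing this port should treat anything other than a 200 as unhealthy; a 503 from `check_backend()` failing and a closed connection from a malformed request both count as failures, which is the behaviour you want from a health endpoint.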



RE: Dovecot proxy with ldap, complains about 'host not given'

2019-11-24 Thread Marc Roos via dovecot
 
Thanks!! Added this.
pass_attrs = uid=user,userPassword=password,host=host




-Original Message-
Subject: RE: Dovecot proxy with ldap, complains about 'host not given'

You need to specify fields you want. Fields are not imported 
automatically. 

See https://doc.dovecot.org/configuration_manual/authentication/ldap/ 

Aki 

On 24/11/2019 11:34 Marc Roos via dovecot < dovecot@dovecot.org> 
wrote: 


My query? Is dovecot not getting this field automatically? 



-Original Message- 
Subject: Re: Dovecot proxy with ldap, complains about 'host not 
given' 

On 23 Nov 2019, at 16:11, Marc Roos < m.r...@f1-outsourcing.eu> 
wrote: 

It looks like the dovecot proxy can authenticate correctly but 
fails 
then on with this message 

Nov 23 23:33:33 test2 dovecot: pop3-login: Error: proxy: host 
not 

given: 

user=, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, 
secured, 
session= 

I have configured a host= in ldap for this user 

But is your query properly getting the host? (I don’t use ldap., 
but 
this is a common issue with sql lookups, so I assume that is a 
likely 
problem). 


-- 
ARE YOU FAMILIAR WITH THE WORDS 'DEATH WAS HIS CONSTANT COMPANION'? 
'But 
I don't usually see you!’ 


---
Aki Tuomi




RE: Dovecot proxy with ldap, complains about 'host not given'

2019-11-24 Thread Marc Roos via dovecot
 
My query? Is dovecot not getting this field automatically? 



-Original Message-
Subject: Re: Dovecot proxy with ldap, complains about 'host not given'

On 23 Nov 2019, at 16:11, Marc Roos  wrote:
> It looks like the dovecot proxy can authenticate correctly but fails 
> then on with this message
> 
> Nov 23 23:33:33 test2 dovecot: pop3-login: Error: proxy: host not 
given: 
> user=, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, 
> session=
> 
> I have configured a host= in ldap for this user

But is your query properly getting the host? (I don’t use ldap., but 
this is a common issue with sql lookups, so I assume that is a likely 
problem).


--
ARE YOU FAMILIAR WITH THE WORDS 'DEATH WAS HIS CONSTANT COMPANION'? 'But 
I don't usually see you!’





Dovecot proxy with ldap, complains about 'host not given'

2019-11-23 Thread Marc Roos via dovecot


It looks like the dovecot proxy can authenticate correctly but fails 
then on with this message

Nov 23 23:33:33 test2 dovecot: pop3-login: Error: proxy: host not given: 
user=, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, 
session=

I have configured a host= in ldap for this user








RE: chown(/var/dovecot/login/ipc-proxy

2019-11-22 Thread Marc Roos via dovecot
 
Thought about creating the socket via some setuid c source temporarily, 
but now this, g

bash-5.0$ dovecot -F
Fatal: Dovecot is already running? Socket already exists: 
/var/dovecot/login/ipc-proxy




-Original Message-
To: dovecot
Subject: chown(/var/dovecot/login/ipc-proxy


Can we remove/change this in the source, so we do not have to add 
CAP_CHOWN with containers?

chown(/var/dovecot/login/ipc-proxy)

When run as root this has user dovenull; maybe this can be resolved by 
using a group dovenull? 

bash-5.0# ls -arlt
total 4
srw-rw-rw- 1 root     root        0 Nov 21 22:27 pop3
srw-rw-rw- 1 root     root        0 Nov 21 22:27 login
srw------- 1 dovenull root        0 Nov 21 22:27 ipc-proxy
srw-rw-rw- 1 root     root        0 Nov 21 22:27 imap
drwxr-xr-x 1 dovecot  dovecot  4096 Nov 21 22:27 ..
drwxr-x--- 1 root     dovenull   60 Nov 21 22:27 .

Maybe this would work

srw-rw---- 1 root     dovenull    0 Nov 21 22:27 ipc-proxy




chown(/var/dovecot/login/ipc-proxy

2019-11-22 Thread Marc Roos via dovecot


Can we remove/change this in the source, so we do not have to add 
CAP_CHOWN with containers?

chown(/var/dovecot/login/ipc-proxy)

When run as root this has user dovenull; maybe this can be resolved by 
using a group dovenull? 

bash-5.0# ls -arlt
total 4
srw-rw-rw- 1 root     root        0 Nov 21 22:27 pop3
srw-rw-rw- 1 root     root        0 Nov 21 22:27 login
srw------- 1 dovenull root        0 Nov 21 22:27 ipc-proxy
srw-rw-rw- 1 root     root        0 Nov 21 22:27 imap
drwxr-xr-x 1 dovecot  dovecot  4096 Nov 21 22:27 ..
drwxr-x--- 1 root     dovenull   60 Nov 21 22:27 .

Maybe this would work

srw-rw---- 1 root     dovenull    0 Nov 21 22:27 ipc-proxy


Cert for ip range?

2019-11-21 Thread Marc Roos via dovecot


Is it possible to configure a network for a cert instead of an ip?

Something like this:

local 192.0.2.0 {
ssl_cert = https://wiki.dovecot.org/SSL/DovecotConfiguration





ios12 clients not getting correct certificate, sni supported not? or config error?

2019-11-20 Thread Marc Roos via dovecot



I am having an iOS 12.4.1 client whine about access problems. It is 
getting the 'default' self-signed certificate instead of the hostname 
alias. openssl s_client -servername mail.x.com -connect 
x.x.x.x:pop3s gives a 'Verify return code: 0 (ok)'

I can't imagine this SNI support is not available in recent versions. 
Should I remove this default certificate in the main section of 
10-ssl.conf?


These lines I have added to 10-ssl.conf

ssl_cert = 

Feature request: ssl-cert config

2019-11-16 Thread Marc Roos via dovecot


I am not sure why this 

proxy dual server setup clarification

2019-11-12 Thread Marc Roos via dovecot




I want to migrate mail users to a new environment. 

If I setup a new server next to the old server, and enable proxy on 
both. Is this then enough to migrate user by user with the passdb 
host=newsvr option to the new environment?

E.g. I do not need to configure a director setup? 
I only need to enable proxy for imap and lmtp on both servers? (messages 
on the oldsvr will be proxied to the newsvr?)






RE: How to send a test message directly to lmtp, to test proxying

2019-11-12 Thread Marc Roos via dovecot
 
Thanks! I am now doing it like this 

cat test.msg | /usr/libexec/dovecot/lmtp

[@~]# cat test.msg
MAIL FROM:
RCPT TO:
DATA
Subject: AAA subject 977

This is the message 977 body


. 



-Original Message-
Subject: Re: How to send a test message directly to lmtp, to test 
proxying


On 12.11.2019 15.26, Marc Roos via dovecot wrote:
>
> How to send a test message directly to lmtp, to test proxying? 

Using LMTP protocol:

LHLO localhost

MAIL FROM:

RCPT TO:

DATA

...

.

Aki





How to send a test message directly to lmtp, to test proxying

2019-11-12 Thread Marc Roos via dovecot



How to send a test message directly to lmtp, to test proxying? 
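Both the 'Invalid FROM: Missing domain' error reported earlier in this thread and Aki's LHLO / MAIL FROM / RCPT TO / DATA / '.' outline can be exercised with the following added example. It is not code from the thread or from Dovecot: a small LMTP client that checks every server reply, refuses envelope addresses that have no domain before anything is sent, and collects the per-recipient status lines that LMTP (unlike SMTP) returns after the terminating '.'. The server replies in `run_sample_session()` are constructed for the example and the addresses are placeholders.

```python
import re

# Envelope addresses need a domain: Dovecot's lmtp rejects a bare local part
# with 'Invalid FROM: Missing domain'. Pattern is an assumption (local@host).
_ADDR = re.compile(r"^[^@\s<>]+@[^@\s<>]+$")

class LMTPError(Exception):
    """Server reply outside the expected status class for a command."""
    def __init__(self, command, reply):
        super().__init__(f"{command}: {reply}")
        self.reply = reply

def envelope_address(addr):
    """Return addr in angle brackets, or raise ValueError if it has no domain."""
    if not _ADDR.match(addr):
        raise ValueError(f"address without domain: {addr!r}")
    return f"<{addr}>"

def _read_reply(conn, command):
    """Read one reply, joining '250-...' continuation lines into one string."""
    lines = []
    while True:
        raw = conn.readline()
        if not raw:
            raise LMTPError(command, "connection closed by server")
        lines.append(raw.decode("utf-8", "replace").rstrip("\r\n"))
        if len(lines[-1]) < 4 or lines[-1][3] != "-":
            return "\n".join(lines)

def _command(conn, text, expect):
    """Send one command line and require a reply starting with `expect`."""
    conn.write((text + "\r\n").encode("utf-8"))
    reply = _read_reply(conn, text)
    if not reply.startswith(expect):
        raise LMTPError(text, reply)
    return reply

def _dot_stuff(message):
    """Normalise line endings to CRLF and escape lines that begin with '.'."""
    lines = message.replace(b"\r\n", b"\n").split(b"\n")
    if lines and lines[-1] == b"":
        lines.pop()
    return b"".join((b"." + l if l.startswith(b".") else l) + b"\r\n" for l in lines)

def lmtp_deliver(conn, sender, recipients, message, lhlo="localhost"):
    """LHLO / MAIL FROM / RCPT TO / DATA / '.' / QUIT; returns {rcpt: final reply}.

    LMTP answers the terminating '.' with one status line per accepted
    recipient, so a partial failure is reported per address, not raised."""
    mail_from = envelope_address(sender)
    greeting = _read_reply(conn, "greeting")
    if not greeting.startswith("220"):
        raise LMTPError("greeting", greeting)
    _command(conn, f"LHLO {lhlo}", "250")
    _command(conn, f"MAIL FROM:{mail_from}", "250")
    results, accepted = {}, []
    for rcpt in (envelope_address(r) for r in recipients):
        try:
            _command(conn, f"RCPT TO:{rcpt}", "250")
            accepted.append(rcpt)
        except LMTPError as err:        # e.g. 550 unknown user: record, go on
            results[rcpt] = err.reply
    if accepted:
        _command(conn, "DATA", "354")
        conn.write(_dot_stuff(message) + b".\r\n")
        for rcpt in accepted:           # one reply per accepted RCPT TO
            results[rcpt] = _read_reply(conn, "DATA")
    _command(conn, "QUIT", "221")
    return results

class ScriptedConnection:
    """Socket-file stand-in: constructed reply lines in, client bytes recorded."""
    def __init__(self, reply_lines):
        self._replies = [line + b"\r\n" for line in reply_lines]
        self.sent = bytearray()
    def readline(self):
        return self._replies.pop(0) if self._replies else b""
    def write(self, data):
        self.sent += data

def run_sample_session():
    """Deliver a constructed message to one known and one unknown recipient."""
    conn = ScriptedConnection([
        b"220 svr1 Dovecot ready.",                        # greeting
        b"250-svr1", b"250-8BITMIME", b"250 PIPELINING",   # LHLO
        b"250 2.1.0 OK", b"250 2.1.5 OK",                  # MAIL FROM, RCPT alice
        b"550 5.1.1 <nobody@example.com> User doesn't exist",  # RCPT nobody
        b"354 OK", b"250 2.0.0 <alice@example.com> Saved", # DATA, per-recipient
        b"221 2.0.0 Bye",                                  # QUIT
    ])
    message = b"Subject: AAA subject 977\n\nThis is the message 977 body\n.starts with a dot\n"
    results = lmtp_deliver(conn, "test@example.com",
                           ["alice@example.com", "nobody@example.com"], message)
    return results, bytes(conn.sent)
```

To run it against a real backend or proxy, pass `socket.create_connection(("svr1", 24)).makefile("rwb", buffering=0)` as `conn` (unbuffered, so each `write()` reaches the server before the next `readline()`); the returned dict then shows, per recipient, whether the LMTP side accepted or rejected delivery, which is the check you want when verifying that a proxy routes to the right backend.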


Howto pin user in proxy/director <-> backend server setup

2019-11-12 Thread Marc Roos via dovecot


I have 
1x proxy/director server 
2x backend mail server

The backend servers are using a ldap database and do not have the option 
to put a proxy=y value. So I put this as a default in the passdb option 
in the proxy/director config. When I do telnet localhost 110 on the 
proxy/director, I can authenticate with a test account on svr1.local

1. Will all users automatically be directed to the first server 
configured in director_mail_servers = svr1.local svr2.local when they do 
not have a proxy=y or host=?

If this is the case, maybe we should write this somewhere on 
https://wiki2.dovecot.org/Director
https://doc.dovecot.org/configuration_manual/authentication/proxies/


2. If I change the host= in the ldap server, I think the proxy/director 
has archived the previous host and still redirects to the old value. Is 
there a way around this? (stopping/starting dovecot -F resolves this)


3. Do I need the director even in this setup?













RE: Login/director not created

2019-11-11 Thread Marc Roos via dovecot
 
Hi Yarema, you are right, the mode setting indeed enabled the socket.







-Original Message-
Subject: Re: Login/director not created

I too assume this socket should be in the login dir.

I am suggesting that maybe the socket is not being created because of 
permissions.

Therefore if you explicitly set { group = dovenull } you may fix the 
permissions issue.

I am not running director in my setup, just pointing out what jumped out 
at me.

On 11/11/2019 1:24 PM, Marc Roos via dovecot wrote:
>  
> But if the configuration of the director states login/director, 
> then I assume this socket should be in the login dir, no? Do you 
> also have the director activated with executable = imap-login director?
>
>
>
>
> -Original Message-
> Subject: Re: Login/director not created
>
> On my install the login/ dir is:
>
> drwxr-x---  2 root  dovenull  8 Nov 10 18:14:00 login/
> srw-rw-rw-  1 root  dovenull  0 Nov 10 18:14:00 login/dns-client=
> srw-rw-rw-  1 root  dovenull  0 Nov 10 18:14:00 login/imap=
> srw-------  1 dovenull  dovenull  0 Nov 10 18:14:00 login/ipc-proxy=
> srw-rw-rw-  1 root  dovenull  0 Nov 10 18:14:00 login/login=
> srw-rw-rw-  1 root  dovenull  0 Nov 10 18:14:00 login/pop3=
> srw-rw-rw-  1 root  dovenull  0 Nov 10 18:14:00 login/sieve=
>
> Maybe setting { group = dovenull } is what's needed?
>
> --
> Yarema
>
> On 11/11/2019 11:15 AM, Marc Roos via dovecot wrote:
>> I have this[0] config, yet the /var/run/dovecot/login/director is not 

>> created, what to check in the config?
>>
>> dovecot: imap-login: Error: auth: connect(director) failed: No such 
>> file or directory
>>
>>
>> [0]
>> service director {
>>   unix_listener login/director {
>> #mode = 0666
>>   }
>>   fifo_listener login/proxy-notify {
>> #mode = 0666
>>   }
>>   unix_listener director-userdb {
>> #mode = 0600
>>   }
>>   inet_listener {
>> #port =
>>   }
>> }
>>
> --
> Yarema
>
>
--
Yarema





RE: Login/director not created

2019-11-11 Thread Marc Roos via dovecot
 
But if the configuration of the director states login/director, then I 
assume this socket should be in the login dir, no? Do you also have the 
director activated with executable = imap-login director?




-Original Message-
Subject: Re: Login/director not created

On my install the login/ dir is:

drwxr-x---  2 root  dovenull  8 Nov 10 18:14:00 login/
srw-rw-rw-  1 root  dovenull  0 Nov 10 18:14:00 login/dns-client=
srw-rw-rw-  1 root  dovenull  0 Nov 10 18:14:00 login/imap=
srw-------  1 dovenull  dovenull  0 Nov 10 18:14:00 login/ipc-proxy=
srw-rw-rw-  1 root  dovenull  0 Nov 10 18:14:00 login/login=
srw-rw-rw-  1 root  dovenull  0 Nov 10 18:14:00 login/pop3=
srw-rw-rw-  1 root  dovenull  0 Nov 10 18:14:00 login/sieve=

Maybe setting { group = dovenull } is what's needed?

--
Yarema

On 11/11/2019 11:15 AM, Marc Roos via dovecot wrote:
> 
> I have this[0] config, yet the /var/run/dovecot/login/director is not 
> created, what to check in the config?
> 
> dovecot: imap-login: Error: auth: connect(director) failed: No such 
> file or directory
> 
> 
> [0]
> service director {
>   unix_listener login/director {
> #mode = 0666
>   }
>   fifo_listener login/proxy-notify {
> #mode = 0666
>   }
>   unix_listener director-userdb {
> #mode = 0600
>   }
>   inet_listener {
> #port =
>   }
> }
> 

--
Yarema




Login/director not created

2019-11-11 Thread Marc Roos via dovecot


I have this[0] config, yet the /var/run/dovecot/login/director is not 
created, what to check in the config?

dovecot: imap-login: Error: auth: connect(director) failed: No such file 
or directory


[0]
service director {
  unix_listener login/director {
#mode = 0666
  }
  fifo_listener login/proxy-notify {
#mode = 0666
  }
  unix_listener director-userdb {
#mode = 0600
  }
  inet_listener {
#port =
  }
}


RE: Proxy testing in container( chown failed /var/dovecot/login)

2019-11-11 Thread Marc Roos via dovecot
 

I managed to work around this by putting these in the Dockerfile

(umask 027 ; mkdir /var/dovecot/login) && chown $DOVECOT_USER.dovenull 
/var/dovecot/login 
(umask 027 ; mkdir /var/dovecot/token-login) && chown 
$DOVECOT_USER.dovenull /var/dovecot/token-login

But now I am stuck with this socket
 service(ipc): chown(/var/dovecot/login/ipc-proxy,

Is there a way around this?




-Original Message-
Subject: RE: Proxy testing in container( chown failed 
/var/dovecot/login)

I added this to the 10-master imap-login, pop3-login and 
submission-login, but keep this message

Doveconf still lists imap-urlauth-login with chroot = token-login, also 
when changing this one to chroot = the error persists.

Fatal: fchown() failed for /var/dovecot/login: Operation not permitted





-Original Message-
Subject: Re: Proxy testing in container( chown failed
/var/dovecot/login)

You should probably disable chrooting for login services if you are 
running as non-root...


service imap-login {

 chroot =

}

Aki

On 11.11.2019 14.59, Marc Roos via dovecot wrote:
> I am testing a bit with the proxy, and trying to run dovecot as a 
> normal user (with cap bind_service). I was wondering what the minimum 
> configuration is for running as a proxy.
>
> I am now getting issues like unable to chown on /var/dovecot/login, 
> but I do not need this in such a setup, do I?
>
> passdb {
>   driver = static
>   args = proxy=y host=192.168.11.10 nopassword=y }
>
>
>






RE: Proxy testing in container( chown failed /var/dovecot/login)

2019-11-11 Thread Marc Roos via dovecot
I added this to the 10-master imap-login, pop3-login and 
submission-login, but keep this message

Doveconf still lists imap-urlauth-login with chroot = token-login, also 
when changing this one to chroot = the error persists.

Fatal: fchown() failed for /var/dovecot/login: Operation not permitted





-Original Message-
Subject: Re: Proxy testing in container( chown failed 
/var/dovecot/login)

You should probably disable chrooting for login services if you are 
running as non-root...


service imap-login {

 chroot =

}

Aki

On 11.11.2019 14.59, Marc Roos via dovecot wrote:
> I am testing a bit with the proxy, and trying to run dovecot as a 
> normal user (with cap bind_service). I was wondering what the minimum 
> configuration is for running as a proxy.
>
> I am now getting issues like unable to chown on /var/dovecot/login, 
> but I do not need this in such a setup, do I?
>
> passdb {
>   driver = static
>   args = proxy=y host=192.168.11.10 nopassword=y }
>
>
>




Proxy testing in container( chown failed /var/dovecot/login)

2019-11-11 Thread Marc Roos via dovecot


I am testing a bit with the proxy, and trying to run dovecot as a normal 
user (with cap bind_service). I was wondering what the minimum 
configuration is for running as a proxy. 

I am now getting issues like unable to chown on /var/dovecot/login, but 
I do not need this in such a setup, do I?

passdb {
  driver = static
  args = proxy=y host=192.168.11.10 nopassword=y
}





Sendmail lmtp delivery and director

2019-11-07 Thread Marc Roos via dovecot



If I have sendmail configured to deliver to dovecot lmtp and use the 
director, are incoming messages directed to the correct/configured 
server?

Sendmail.mc with:
FEATURE(`local_lmtp',`[IPC]',`FILE /var/run/dovecot/lmtp')dnl





Re: Dovecot HSM

2019-10-30 Thread Marc Roos via dovecot

you can also create an archive namespace, and put that on your cheap storage.

On Oct 30, 2019 22:09, Júlio Covolato via dovecot  wrote:

Hi.
I'm looking for a tutorial/how-to for HSM (Hierarchical Storage 
Management): keeping old messages for a user in cheap storage and 
recent messages in faster storage.
I see on the dovecot2 wiki an alternative for HSM as "Alternate 
storage", but I don't know if it's a good solution for me. 

The expected result is faster imap/pop access for new messages on a 
"heavy mail user" mailbox, and obviously low cost!
Thanks in advance.

-- 
--
_Engº Julio Cesar Covolato
   0v0   
  /(_)\  F: +55 11 99175-9260
   ^ ^   PSI INTERNET
--



RE: dovecot disk space settings

2019-10-22 Thread Marc Roos via dovecot
 

Ok, what about placing a dummy file of 5GB or so on the partition, that 
you can remove when necessary?



-Original Message-
Subject: Re: dovecot disk space settings


>> I don't want to restrict each mailbox size. It's just to prevent
> running out space completely.
> 
> Why? (If I may ask)
> 
>

To provide mailboxes with unlimited space. And to make it easier to 
administrate.
My question is about an emergency option if someone has forgotten to 
migrate to new hardware. It's possible but a bit harder if the partition 
is out of space and there is no free byte left.

Best,

Marcel




RE: dovecot disk space settings

2019-10-22 Thread Marc Roos via dovecot



> I don't want to restrict each mailbox size. It's just to prevent 
running out space completely.

Why? (If I may ask)







RE: Mail received but not indexed?

2019-09-27 Thread Marc Roos via dovecot
You recommend I should change this? I have already a new setup where I 
am using[0]. But the current setup I have now was ok for many many 
years.

[0]
FEATURE(`local_lmtp',`[IPC]',`FILE /var/run/dovecot/lmtp')dnl


-Original Message-
Subject: RE: Mail received but not indexed?


No, it is still old sendmail to /var/spool/mail/ 


-Original Message-
From: Sami Ketola [mailto:sami.ket...@dovecot.fi]
Sent: vrijdag 27 september 2019 15:17
To: dovecot
Cc: Marc Roos
Subject: Re: Mail received but not indexed?



> On 27 Sep 2019, at 16.06, Marc Roos via dovecot  
wrote:
> CentOS Linux release 7.6.1810 (Core)
> dovecot-2.2.36-3.el7.x86_64
> mail_location =
> mbox:~/mail:INBOX=/var/spool/mail/%u:CONTROL=~/mail/control:INDEX=/var
> /d
> ovecot2/%u/index:LAYOUT=maildir++


How do you deliver the emails then? dovecot-lda?

Sami







RE: Mail received but not indexed?

2019-09-27 Thread Marc Roos via dovecot


No, it is still old sendmail to /var/spool/mail/ 


-Original Message-
From: Sami Ketola [mailto:sami.ket...@dovecot.fi] 
Sent: vrijdag 27 september 2019 15:17
To: dovecot
Cc: Marc Roos
Subject: Re: Mail received but not indexed?



> On 27 Sep 2019, at 16.06, Marc Roos via dovecot  
wrote:
> CentOS Linux release 7.6.1810 (Core)
> dovecot-2.2.36-3.el7.x86_64
> mail_location =
> mbox:~/mail:INBOX=/var/spool/mail/%u:CONTROL=~/mail/control:INDEX=/var
> /d
> ovecot2/%u/index:LAYOUT=maildir++


How do you deliver the emails then? dovecot-lda?

Sami





Debug one user possible?

2019-09-27 Thread Marc Roos via dovecot



Is it possible to mail debug just one user? Maybe via the userdb?




Mail received but not indexed?

2019-09-27 Thread Marc Roos via dovecot



I have recently had some users complaining that they are not getting 
emails, while I see that they are delivered and in the inbox. When I do 
a doveadm force-resync -u  INBOX it resolves the problem. I think this 
is something recent. Where/how should I resolve this issue?

Recent changes
1. did some os updates 2019-08-27
2. provider took away the ssd for index storage (maybe config issue 
having less iops storage?)

CentOS Linux release 7.6.1810 (Core)
dovecot-2.2.36-3.el7.x86_64
mail_location = 
mbox:~/mail:INBOX=/var/spool/mail/%u:CONTROL=~/mail/control:INDEX=/var/d
ovecot2/%u/index:LAYOUT=maildir++


PS during force-resync, I am getting these 
"index/.INBOX/dovecot.index.log was locked for 176 seconds" on some 
users


RE: Imaptest stall

2019-09-18 Thread Marc Roos via dovecot
 

I am not able to conclude that yet because my 'base' test against the 
mbox already stalls. I also have to empty the mailbox/folder before 
testing, to get a better chance of finishing the test. So maybe it is 
related to some 'reading' being done in the append test?
Below are test results from 1s, 2s and 3s tests that finish and a 4s 
test that stalls.



mail_location = 
mbox:~/mail:INBOX=/var/spool/mail/%u:CONTROL=~/mail/control:INDEX=/var/d
ovecot/%u/index:LAYOUT=maildir++



== test 1s finishes ==
[@mail04 ~]# ./imaptest - append=100,0 logout=0 host=192.168.x.x 
port=143 user=test2 pass=testtest  secs=1 clients=1 mbox=64kb.mbox 
box=INBOX/test
Logi Sele Appe
100% 100% 100%
   117   1/  1
  380  773 ms/cmd avg

Totals:
Logi Sele Appe
100% 100% 100%
   11   17
   
Sep 18 09:46:06 mail04 dovecot: imap(test2): Debug: Namespace inbox: 
type=private, prefix=, sep=/, inbox=yes, hidden=no, list=yes, 
subscriptions=yes 
location=mbox:~/mail:INBOX=/var/spool/mail/test2:CONTROL=~/mail/control:
INDEX=/var/dovecot/test2/index:LAYOUT=maildir++
Sep 18 09:46:06 mail04 dovecot: imap(test2): Debug: maildir++: 
=/home/popusers/test2/mail, index=/var/dovecot/test2/index, indexpvt=, 
control=/home/popusers/test2/mail/control, inbox=/var/spool/mail/test2, 
alt=
Sep 18 09:46:06 mail04 dovecot: imap(test2): Debug: INBOX/test: Mailbox 
opened because: SELECT
Sep 18 09:46:07 mail04 dovecot: imap(test2): Debug: Mailbox INBOX/test: 
Opened mail UID=378 because: full mail
Sep 18 09:46:07 mail04 dovecot: imap(test2): Debug: Mailbox INBOX/test: 
Opened mail UID=375 because: full mail
Sep 18 09:46:07 mail04 dovecot: imap(test2): Debug: Mailbox INBOX/test: 
Opened mail UID=377 because: full mail
Sep 18 09:46:07 mail04 dovecot: imap(test2): Debug: Mailbox INBOX/test: 
Opened mail UID=376 because: full mail
Sep 18 09:46:07 mail04 dovecot: imap(test2): Debug: Mailbox INBOX/test: 
Opened mail UID=379 because: full mail
Sep 18 09:46:08 mail04 dovecot: imap(test2): Logged out in=1504944 
out=2958
Sep 18 09:46:08 mail04 dovecot: imap(test2): Debug: Mailbox INBOX/test: 
Opened mail UID=386 because: full mail
Sep 18 09:46:08 mail04 dovecot: imap(test2): Debug: Mailbox INBOX/test: 
Opened mail UID=381 because: full mail
Sep 18 09:46:08 mail04 dovecot: imap(test2): Debug: Mailbox INBOX/test: 
Opened mail UID=380 because: full mail
Sep 18 09:46:08 mail04 dovecot: imap(test2): Debug: Mailbox INBOX/test: 
Opened mail UID=384 because: full mail
Sep 18 09:46:08 mail04 dovecot: imap(test2): Debug: Mailbox INBOX/test: 
Opened mail UID=387 because: full mail
Sep 18 09:46:08 mail04 dovecot: imap(test2): Debug: Mailbox INBOX/test: 
Opened mail UID=385 because: full mail
Sep 18 09:46:08 mail04 dovecot: imap(test2): Debug: Mailbox INBOX/test: 
Opened mail UID=382 because: full mail
Sep 18 09:46:08 mail04 dovecot: imap(test2): Debug: Mailbox INBOX/test: 
Opened mail UID=388 because: full mail
Sep 18 09:46:08 mail04 dovecot: imap(test2): Debug: Mailbox INBOX/test: 
Opened mail UID=389 because: full mail
Sep 18 09:46:08 mail04 dovecot: imap(test2): Debug: Mailbox INBOX/test: 
Opened mail UID=391 because: full mail
Sep 18 09:46:08 mail04 dovecot: imap(test2): Debug: Mailbox INBOX/test: 
Opened mail UID=390 because: full mail
Sep 18 09:46:09 mail04 dovecot: imap(test2): Debug: Mailbox INBOX/test: 
Opened mail UID=383 because: full mail


== test 2s finishes ==
[@mail04 ~]# ./imaptest - append=100,0 logout=0 host=192.168.x.x 
port=143 user=test2 pass=testtest  secs=2 clients=1 mbox=64kb.mbox 
box=INBOX/test
Logi Sele Appe
100% 100% 100%
   116   1/  1
   007   1/  1
  58   84 1025 ms/cmd avg

Totals:
Logi Sele Appe
100% 100% 100%
   11   23


Sep 18 09:51:11 mail04 dovecot: auth: Debug: Loading modules from 
directory: /usr/lib64/dovecot/auth
Sep 18 09:51:11 mail04 dovecot: auth: Debug: Module loaded: 
/usr/lib64/dovecot/auth/lib20_auth_var_expand_crypt.so
Sep 18 09:51:11 mail04 dovecot: auth: Debug: Module loaded: 
/usr/lib64/dovecot/auth/libdriver_sqlite.so
Sep 18 09:51:11 mail04 dovecot: auth: Debug: Read auth token secret from 
/var/run/dovecot/auth-token-secret.dat
Sep 18 09:51:11 mail04 dovecot: auth: Debug: passwd-file 
/etc/dovecot/special-userdb: Read 2 users in 0 secs
Sep 18 09:51:11 mail04 dovecot: auth: Debug: auth client connected 
(pid=14466)
Sep 18 09:51:11 mail04 dovecot: auth: Debug: client in: 
AUTH#0113#011PLAIN#011service=imap#011secured#011session=yBa9Gc+SBMvAqAo
s#011lip=192.168.x.x#011rip=192.168.x.x#011lport=143#011rport=51972#011r
esp=
Sep 18 09:51:11 mail04 dovecot: auth-worker(14530): Debug: Loading 
modules from directory: /usr/lib64/dovecot/auth
Sep 18 09:51:11 mail04 dovecot: auth-worker(14530): Debug: Module 
loaded: /usr/lib64/dovecot/auth/lib20_auth_var_expand_crypt.so
Sep 18 09:51:11 mail04 dovecot: auth-worker(14530): Debug: Module 
loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
Sep 18 09:51:11 mail04 dovecot: auth-worker(14530): Debug: passwd-file 
/etc/dovecot/special-userdb: Read 2 users

RE: Imaptest stall

2019-09-17 Thread Marc Roos via dovecot
I am also testing rbox plugin ;) So I would like just the imaptest tool 
to work. No one else ever run into this? I saw something similar on the 
mailing list a long time ago.


-Original Message-
From: Daniel Miller via dovecot [mailto:dovecot@dovecot.org] 
To: dovecot@dovecot.org
Subject: Re: Imaptest stall

If you're just speed testing for writing probably sdbox or maildir would 
be the fastest.

Daniel

On 9/17/2019 1:09 PM, Marc Roos via dovecot wrote:
> 
> Yes dovecot is showing the inserted messages until the stall. Looks 
> like it is an issue with imap test because I am able to empty the 
> mailbox again via thunderbird. I am comparing write tests to different 
backends.
> 
> 
> 
> -Original Message-
> From: Daniel Miller [mailto:dmil...@amfes.com]
> Sent: dinsdag 17 september 2019 22:06
> To: Marc Roos; dovecot
> Subject: Re: Imaptest stall
> 
> On 9/17/2019 12:58 AM, Marc Roos via dovecot wrote:
>>
>> I have been testing with imaptest and getting 'stalls'; I even tried 
>> building from source and statically, and even running it on the same host.
>> Does anyone know what I could be doing wrong?
>>
>> [@~]# ./imaptest - append=100,0 logout=0 host=192.168.10.44 port=143
>> user=test2 pass= seed=100 secs=240 clients=1 mbox=64kb.mbox 
>> box=INBOX/test
> 
> What are you trying to test? Do the Dovecot logs show any connections?
> 
> 
> --
> Daniel
> 
> 
> 
> 





RE: Imaptest stall

2019-09-17 Thread Marc Roos via dovecot


Yes dovecot is showing the inserted messages until the stall. Looks like 
it is an issue with imap test because I am able to empty the mailbox 
again via thunderbird. I am comparing write tests to different backends.



-Original Message-
From: Daniel Miller [mailto:dmil...@amfes.com] 
Sent: dinsdag 17 september 2019 22:06
To: Marc Roos; dovecot
Subject: Re: Imaptest stall

On 9/17/2019 12:58 AM, Marc Roos via dovecot wrote:
> 
> I have been testing with imaptest and getting 'stalls'; I even tried 
> building from source and statically, and even running it on the same host.
> Does anyone know what I could be doing wrong?
> 
> [@~]# ./imaptest - append=100,0 logout=0 host=192.168.10.44 port=143
> user=test2 pass= seed=100 secs=240 clients=1 mbox=64kb.mbox 
> box=INBOX/test

What are you trying to test? Do the Dovecot logs show any connections?


--
Daniel





RE: Imaptest stall

2019-09-17 Thread Marc Roos via dovecot
 

Anyone? Or maybe another tool?




-Original Message-
From: Marc via dovecot [mailto:dovecot@dovecot.org] 
To: dovecot
Subject: Imaptest stall


I have been testing with imaptest and getting 'stalls'; I even tried 
building from source and statically, and even running it on the same host. 
Does anyone know what I could be doing wrong?

[@~]# ./imaptest - append=100,0 logout=0 host=192.168.10.44 port=143 
user=test2 pass= seed=100 secs=240 clients=1 mbox=64kb.mbox 
box=INBOX/test 
Logi Sele Appe
100% 100% 100%
   115   1/  1
   009   1/  1
   00   13   1/  1
   005   1/  1






Imaptest stall

2019-09-17 Thread Marc Roos via dovecot


I have been testing with imaptest and getting 'stalls'; I even tried 
building from source and statically, and even running it on the same host. 
Does anyone know what I could be doing wrong?

[@~]# ./imaptest - append=100,0 logout=0 host=192.168.10.44 port=143 
user=test2 pass= seed=100 secs=240 clients=1 mbox=64kb.mbox 
box=INBOX/test 
Logi Sele Appe
100% 100% 100%
   115   1/  1
   009   1/  1
   00   13   1/  1
   005   1/  1




RE: Server administration

2019-09-04 Thread Marc Roos via dovecot


> Since local users open a security hole into your mail server, I would 
> argue that virtual users 

Can you elaborate on that? I would argue exactly the opposite. Having 
your virtual users in a 3rd party environment only adds the security 
exploits of that 3rd party environment. 

I guess most run dovecot with mysql? So how many issues have been found 
in mysql compared to linux os user accounts? Linux is designed as a 
multi-user environment, and most other 3rd party software is not. 

Most secure IS running with linux user accounts; you can even enhance 
this security with selinux. How are you ever going to realize this in 
something like mysql? If something goes wrong there, everything under 
the mysql uid is accessible. Thus all accounts. 

> *is* keeping it simple, also, if you end up with many users in the 
> future you will need to go
> to a database of some sort anyway, whether SQL-like or LDAP like, 


RE: Server administration

2019-09-02 Thread Marc Roos via dovecot


Is it not better to either employ a properly educated/trained person or 
outsource the work to a company that has the know-how?



-Original Message-
From: Aleksandr Mette via dovecot [mailto:dovecot@dovecot.org] 
Sent: Sunday 1 September 2019 14:42
To: dovecot@dovecot.org
Subject: Server administration

Dear Sirs,

There is a Postfix+Dovecot+Sogo installation in our company. 

I have attentively read the Installation and Configuration Guide.
However, I could not find some information.

Could you give me advice on how to:

1. Add/remove an e-mail address
2. Change a user's e-mail address password
3. Add a user's e-mail address into a mail alias
4. Forward e-mail
5. List all users' e-mails

What is the best GUI interface for Dovecot administration?

With kind regards,

Alex





Should dovecot not be using different logging facility and severity levels?

2019-08-09 Thread Marc Roos via dovecot



Should dovecot not be using different severity levels like auth.warn? On 
my system everything goes to loglevel info:


lev_info:Aug  9 16:18:24 mail03 dovecot: imap-login: Aborted login (auth 
failed, 1 attempts in 2 secs): user=, method=PLAIN, rip=x.x.x.x, 
lip=x.x.x.x, TLS, session=
lev_info:Aug  9 16:18:29 mail03 dovecot: auth-worker(28656): 
pam(krinfo,188.206.104.240,): unknown user
lev_info:Aug  9 16:18:50 mail03 dovecot: imap-login: Aborted login (auth 
failed, 1 attempts in 25 secs): user=, method=PLAIN, rip=x.x.x.x, 
lip=x.x.x.x, TLS: Disconnected, session=
lev_info:Aug  9 16:18:53 mail03 dovecot: auth-worker(28656): 
pam(krinfo,188.206.104.240,): unknown user
lev_info:Aug  9 16:19:01 mail03 dovecot: imap-login: Aborted login (auth 
failed, 1 attempts in 8 secs): user=, method=PLAIN, rip=x.x.x.x, 
lip=x.x.x.x, TLS, session=
lev_info:Aug  9 16:19:13 mail03 dovecot: auth-worker(28656): 
pam(krinfo,188.206.104.240,): unknown user
lev_info:Aug  9 16:19:15 mail03 dovecot: imap-login: Aborted login (auth 
failed, 1 attempts in 2 secs): user=, method=PLAIN, rip=x.x.x.x, 
lip=x.x.x.x, TLS, session=
lev_info:Aug  9 16:19:24 mail03 dovecot: auth-worker(28656): 
pam(krinfo,188.206.104.240,): unknown user
lev_info:Aug  9 16:19:26 mail03 dovecot: imap-login: Aborted login (auth 
failed, 1 attempts in 2 secs): user=, method=PLAIN, rip=x.x.x.x, 
lip=x.x.x.x, TLS, session=
lev_info:Aug  9 16:19:27 mail03 dovecot: auth-worker(28656): 
pam(krinfo,188.206.104.240,): unknown user
lev_info:Aug  9 16:19:29 mail03 dovecot: imap-login: Aborted login (auth 
failed, 1 attempts in 2 secs): user=, method=PLAIN, rip=x.x.x.x, 
lip=x.x.x.x, TLS, session=
lev_info:Aug  9 16:19:47 mail03 dovecot: auth-worker(29664): 
pam(krinfo,188.206.104.240,<14Pb3a+Pih68zmjw>): unknown user
lev_info:Aug  9 16:19:49 mail03 dovecot: imap-login: Aborted login (auth 
failed, 1 attempts in 2 secs): user=, method=PLAIN, rip=x.x.x.x, 
lip=x.x.x.x, TLS, session=<14Pb3a+Pih68zmjw>
lev_info:Aug  9 16:19:51 mail03 dovecot: auth-worker(29664): 
pam(krinfo,188.206.104.240,<99cO3q+Pix68zmjw>): unknown user
lev_info:Aug  9 16:19:53 mail03 dovecot: imap-login: Aborted login (auth 
failed, 1 attempts in 2 secs): user=, method=PLAIN, rip=x.x.x.x, 
lip=x.x.x.x, TLS, session=<99cO3q+Pix68zmjw>


This is how failed attempts are logged by vsftpd

fac_authpriv:Aug  9 16:24:42 web01 vsftpd[7255]: pam_ldap(vsftpd:auth): 
Authentication failure; user=x
fac_authpriv:Aug  9 16:24:42 web01 vsftpd[7255]: pam_unix(vsftpd:auth): 
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=x 
rhost=x  user=x
fac_ftp:Aug  9 16:24:44 web01 vsftpd[7255]: [x] FAIL LOGIN: Client 
"x.x.x.x"
lev_notice:Aug  9 16:24:42 web01 vsftpd[7255]: pam_ldap(vsftpd:auth): 
Authentication failure; user=x
lev_notice:Aug  9 16:24:42 web01 vsftpd[7255]: pam_unix(vsftpd:auth): 
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=x 
rhost=x  user=x
lev_warn:Aug  9 16:24:44 web01 vsftpd[7255]: [x] FAIL LOGIN: Client 
"x.x.x.x"


Using dovecot-2.2.36-3.el7.x86_64 on CentOS7






RE: Email encryption and key protection

2019-07-04 Thread Marc Roos via dovecot
 
What I can think of, without any experience using mail-crypt:
- who says they need to be stored on the server? They need to be 
available on the server when you start dovecot.
- and if you are using 3rd party external storage mounted on your 
server, at least this 3rd party cannot access the email.



-Original Message-
From: Chris Narkiewicz via dovecot [mailto:dovecot@dovecot.org] 
Sent: Friday 5 July 2019 7:11
To: dovecot@dovecot.org
Subject: Email encryption and key protection

I was reading through Dovecot mail-crypt plugin documentation and I'm 
wondering what is the benefit of turning the encryption on if private 
and public keys are both stored on the server?

What are the benefits and how the key can be protected (apart from file 
permissions).

Cheers,
Chris




RE: Catch all for dovecot authentication?

2019-05-23 Thread Marc Roos via dovecot
 
No, and you incorrectly assume that I am not taking such things into 
account. 

But I can excuse this type of reply, due to the mere fact that IT is 
saturated with "dumb fucks" (to quote Zuckerberg). Don't the 
Americans have a nice saying for this: "Assumption is the mother of all 
fuckups". 
If I am writing that I want to send a user 5GB, I want to send a user 5GB. 



-Original Message-
From: @lbutlr via dovecot [mailto:dovecot@dovecot.org] 
Sent: Thursday 23 May 2019 10:06
To: @lbutlr via dovecot
Subject: Re: Catch all for dovecot authentication?

On 23 May 2019, at 01:44, Marc Roos via dovecot  
wrote:
> I would like to redirect sometimes a user to a 5GB garbage messages 
mailbox.

So you want to setup a service where random spammer/hacker can trivially 
DDOS your system?

How many simultaneous 5GB streams can you handle? How much will your 
bandwidth bill be if you send 5GB a million times in a month?

--
Over 3,500 gay marriages and, what, no hellfire? I was promise hellfire.
And riots. What gives? -- Mark Morford






RE: Catch all for dovecot authentication?

2019-05-23 Thread Marc Roos via dovecot
 
I have the same: create your own dns blacklist, and have fail2ban add 
entries to it. The only problem I have on CentOS6 is that you need to 
combine log files for this, but it should be do-able.

But I am also for this option; maybe it can be done via this userdb, 
specifying an account where auth is not necessary. I would like to redirect 
sometimes a user to a 5GB garbage messages mailbox. Or if someone has 
a collection of emails with viruses available to download?



-Original Message-
From: Tobi via dovecot [mailto:dovecot@dovecot.org] 
Sent: Thursday 23 May 2019 9:12
To: dovecot@dovecot.org
Subject: Catch all for dovecot authentication?

Hi

I'm aware that there are several good reasons not to do what I want, but 
in my use-case it would be an interesting feature. So please no 
discussions about the reasonableness.

I have some spamtrap SMTP servers (postfix). Currently SMTP AUTH is 
disabled. But as I daily have thousands of AUTH tries, I thought it would 
be nice to be able to accept any AUTH request from postfix in dovecot.

Is something like this possible with dovecot? If so, is any good 
description available on how to achieve it?

Thanks

--

tobi




Integrity check mdbox?

2019-05-22 Thread Marc Roos via dovecot



Is it possible to do some sort of integrity check on mdboxes?







RE: Converting user mailboxes from maildir to sdbox

2019-05-22 Thread Marc Roos via dovecot
 
Let me know if you find a nice solution to migrate mailboxes per user 
without downtime. I tried the use of the advised userdb and using the 
override of the mail_location. But that doesn't work with my mbox inbox. 


I wanted to migrate them per user to a new server environment but still 
did not find a definitive guide on how to do this. 



-Original Message-
From: David Mehler via dovecot [mailto:dovecot@dovecot.org] 
Sent: Wednesday 22 May 2019 2:31
To: dovecot
Subject: Converting user mailboxes from maildir to sdbox

Hello,

I've got a Postfix/Dovecot server setup. Currently Dovecot is version 
2.3.6, and it's using Maildir storage. The mailbox is:

mail_home = /home/vmail/mailboxes/%d/%n
mail_location = maildir:~/mail:LAYOUT=fs

I'm wanting to convert from Maildir to sdbox. I looked at:

https://wiki2.dovecot.org/MailboxFormat

I was initially thinking mdbox but that's multiple messages per file, 
which I do not believe is what I want. Am I correct that in the sdbox 
format if a single message file is corrupted only that message is 
corrupt and not the rest of the messages as would be the case in an mdbox 
setup?

On the page:

https://wiki2.dovecot.org/Migration/MailFormat
"
maildir -> sdbox migration. Set mail_location=sdbox:~/sdbox and run 
dsync -u username mirror maildir:~/Maildir "

If I set mail_location=sdbox:~/sdbox will that put the user mailboxes in 
mail_home/sdbox?

So it would be:

/home/vmail/mailboxes/example.com/username/sdbox

I am needing to do this migration, but am paranoid about losing mail or 
corrupting mailboxes. All of my users are virtual users and they are 
stored in a mysql database.

Thanks.
Dave.




RE: Merging existing mailboxes to aliases

2019-05-19 Thread Marc Roos via dovecot
 
The alias plugin does not work properly afaik; I have been trying to use 
it on a default centos6/7 release. If I remember correctly it messes up 
subfolders. Check the mailing list archive.



-Original Message-
From: Lefteris Tsintjelis via dovecot [mailto:dovecot@dovecot.org] 
Sent: Sunday 19 May 2019 6:09
To: Dovecot Mailing List
Subject: Merging existing mailboxes to aliases

I am trying to merge all, existing or not, different mailboxes in one 
with the mailbox alias plugin. If I add the following lines, will the 
existing mailboxes automatically merge in one mailbox and corresponding 
links auto create? If not, do I have to do this manually?

   mailbox_alias_new = Spam
   mailbox_alias_new2 = Junk E-mail
   mailbox_alias_new3 = Sent Items
   mailbox_alias_new4 = Sent Messages
   mailbox_alias_new5 = Deleted Items
   mailbox_alias_old = Junk
   mailbox_alias_old2 = Junk
   mailbox_alias_old3 = Sent
   mailbox_alias_old4 = Sent
   mailbox_alias_old5 = Trash

Lefteris




Is it possible to (re)direct only 1 imap user to the new server

2019-05-14 Thread Marc Roos via dovecot


I haven't used dovecot proxy or director. If I have a setup where all my 
users are connecting to HOSTNAMEOLD, is it possible to have 1 imap user 
that is connecting to HOSTNAMEOLD directed/forwarded to HOSTNAMENEW? 
Without changing my dns settings and preferably without creating any new 
servers.
I think I can route one user's mail to HOSTNAMENEW with sendmail ldap 
routing.
So the only thing I need to be able to do is have the incoming imap 
requests on HOSTNAMEOLD be handled by HOSTNAMENEW.


  
  
HOSTNAMEOLD  HOSTNAMENEW  
  
  +--+ +--+   
  |   SENDMAIL   | |   SENDMAIL   |   
  |  |   | |  |   |   
  |  |   | |  V   |   
  |  V   | |--|   
  |--| |lmtp  |   
  |  NS /INBOX   | |  |   |   
  |mbox on   | |  V   |   
  | block device | |--|   
  |  | |  NS /INBOX   |   
  |--| |   mdbox on   |   
  |  NS /ARCHIVE | | block device |   
  |mdbox on  | |  |   
  | clustered fs | |--|   
  |  | |  NS /ARCHIVE |   
  +--+ |mdbox on  |   
   | clustered fs |   
   |  |   
   +--+   
  



Anyone using object storage ceph?

2019-05-14 Thread Marc Roos via dovecot


Just curious if there are already people actively using object storage?

https://github.com/ceph-dovecot/dovecot-ceph-plugin
https://docplayer.net/docs-images/40/9935441/images/page_13.jpg


RE: Userdb userdb_mail=, error Mailbox list driver maildir++: maildir_name not supported by this driver

2019-05-14 Thread Marc Roos via dovecot
With this setting, all folders are empty, I guess understandably, 
because the mdbox has its own indexes stored locally with it. It does not 
explain though why the inbox is empty.

[@ dovecot]# cat special-userdb
test:x:8267:231:Account with special settings for dovecot:/home/popusers/test:/bin/false:userdb_mail=mdbox:~/mdbox:INBOX=/var/spool/mail/%u:INDEX=/var/dovecot/%u/index



With this setting (without the INDEX set), mdbox folders are accessible 
and not empty, but I get of course the error on the index of the mbox:

[@ dovecot]# cat special-userdb
test:x:8267:231:Account with special settings for dovecot:/home/popusers/test:/bin/false:userdb_mail=mdbox:~/mdbox:INBOX=/var/spool/mail/%u


May 14 12:40:41 mail04 dovecot: imap(test): Debug: INBOX: Mailbox opened 
because: SELECT
May 14 12:40:41 mail04 dovecot: imap(test): Error: open() failed with 
file /var/spool/mail/test/dovecot.index.log: Not a directory
May 14 12:40:41 mail04 dovecot: imap(test): Debug: INBOX/test2: Mailbox 
opened because: SELECT


Is there a possibility of specifying only a index location for the 
inbox? It looks like if you add INDEX it is being used for everything.




-Original Message-
From: Aki Tuomi
Sent: Tuesday 14 May 2019 9:43
To: Marc Roos; dovecot
Subject: Re: Userdb userdb_mail=, error Mailbox list driver maildir++: 
maildir_name not supported by this driver

mdbox:~/mdbox:INBOX=/var/spool/mail/%u:CONTROL=~/mail/control:INDEX=/var/dovecot/%u/index:LAYOUT=maildir++

You can't use LAYOUT=maildir++ here.

Aki

On 14.5.2019 10.38, Marc Roos wrote:
> Yes, I have still inbox mbox format because I have sendmail delivering 
> there. I am trying to migrate/convert step by step, with least possible 
> impact for users.
>
>
>
> -Original Message-
> From: Aki Tuomi
> Sent: Tuesday 14 May 2019 6:19
> To: Marc Roos; Marc Roos via dovecot
> Subject: Re: Userdb userdb_mail=, error Mailbox list driver maildir++: 
> maildir_name not supported by this driver
>
>
>> On 14 May 2019 00:05 Marc Roos via dovecot  
> wrote:
>>  
>> I have this default configuration [0], when I use the userdb_mail to 
>> point to the mdbox location, the inbox subfolders show differently in 
>> a firebird client. So I decided to copy the whole default 
>> mail_location into the userdb_mail configuration [2]. But then I get 
>> errors [3].
>> Should I change the namespace configuration here, how? My default 
>> namespaces are inbox and 4archives
>>
>> [0]
>> [@ ]# doveconf | grep mail_loc
>> mail_location = mbox:~/mail:INBOX=/var/spool/mail/%u:CONTROL=~/mail/control:INDEX=/var/dovecot/%u/index:LAYOUT=maildir++
>>
>> [1]
>> [@dovecot]# cat special-userdb
>> test:x:8267:231:Account with special settings for 
>> dovecot:/home/popusers/test:/bin/false:userdb_mail=mdbox:~/mdbox
>>
>> [2]
>> [@dovecot]# cat special-userdb
>> test:x:8267:231:Account with special settings for dovecot:/home/popusers/test:/bin/false:userdb_mail=mdbox:~/mdbox:INBOX=/var/spool/mail/%u:CONTROL=~/mail/control:INDEX=/var/dovecot/%u/index:LAYOUT=maildir++
>>
> Are you intentionally mixing mbox and mdbox? You see that [0] has 
> mbox, and [2] has mdbox.
>
> Aki
>
>




doveadm 2.2.36-3.el7.x86_64 mailbox list -u test, does not use symlinked mailboxes

2019-05-14 Thread Marc Roos via dovecot


Maybe this has already been fixed, but symlinked mailboxes are not shown 
by

[@ dovecot]# doveadm mailbox list -u test | sort
Archive
Archive/2018
Archive/2019
Archive/2019old
Archive/Archive
Drafts
INBOX
INBOX/test1
INBOX/test2
INBOX/test3
Junk
Sent
test
testing-folder-home
testing-folder-home/another folder
Trash


dovecot-2.2.36-3.el7.x86_64
CentOS Linux release 7.6.1810 (Core)


RE: Userdb userdb_mail=, error Mailbox list driver maildir++: maildir_name not supported by this driver

2019-05-14 Thread Marc Roos via dovecot
Yes, I have still inbox mbox format because I have sendmail delivering 
there. I am trying to migrate/convert step by step, with least possible 
impact for users.



-Original Message-
From: Aki Tuomi  
Sent: Tuesday 14 May 2019 6:19
To: Marc Roos; Marc Roos via dovecot
Subject: Re: Userdb userdb_mail=, error Mailbox list driver maildir++: 
maildir_name not supported by this driver


> On 14 May 2019 00:05 Marc Roos via dovecot  
wrote:
> 
>  
> I have this default configuration [0], when I use the userdb_mail to 
> point to the mdbox location, the inbox subfolders show differently in 
> a firebird client. So I decided to copy the whole default 
> mail_location into the userdb_mail configuration [2]. But then I get 
> errors [3].
> Should I change the namespace configuration here, how? My default 
> namespaces are inbox and 4archives
> 
> [0]
> [@ ]# doveconf | grep mail_loc
> mail_location = mbox:~/mail:INBOX=/var/spool/mail/%u:CONTROL=~/mail/control:INDEX=/var/dovecot/%u/index:LAYOUT=maildir++
> 
> [1]
> [@dovecot]# cat special-userdb
> test:x:8267:231:Account with special settings for 
> dovecot:/home/popusers/test:/bin/false:userdb_mail=mdbox:~/mdbox
> 
> [2]
> [@dovecot]# cat special-userdb
> test:x:8267:231:Account with special settings for dovecot:/home/popusers/test:/bin/false:userdb_mail=mdbox:~/mdbox:INBOX=/var/spool/mail/%u:CONTROL=~/mail/control:INDEX=/var/dovecot/%u/index:LAYOUT=maildir++
> 

Are you intentionally mixing mbox and mdbox? You see that [0] has mbox, 
and [2] has mdbox.

Aki




Userdb userdb_mail=, error Mailbox list driver maildir++: maildir_name not supported by this driver

2019-05-13 Thread Marc Roos via dovecot



I have this default configuration [0], when I use the userdb_mail to point 
to the mdbox location, the inbox subfolders show differently in a 
firebird client. So I decided to copy the whole default mail_location 
into the userdb_mail configuration [2]. But then I get errors [3]. 
Should I change the namespace configuration here, how? My default 
namespaces are inbox and 4archives 

[0]
[@ ]# doveconf | grep mail_loc
mail_location = mbox:~/mail:INBOX=/var/spool/mail/%u:CONTROL=~/mail/control:INDEX=/var/dovecot/%u/index:LAYOUT=maildir++

[1]
[@dovecot]# cat special-userdb
test:x:8267:231:Account with special settings for dovecot:/home/popusers/test:/bin/false:userdb_mail=mdbox:~/mdbox

[2]
[@dovecot]# cat special-userdb
test:x:8267:231:Account with special settings for dovecot:/home/popusers/test:/bin/false:userdb_mail=mdbox:~/mdbox:INBOX=/var/spool/mail/%u:CONTROL=~/mail/control:INDEX=/var/dovecot/%u/index:LAYOUT=maildir++

[3]
May 13 22:41:32 mail04 dovecot: imap-login: Login: user=, 
method=PLAIN, rip=192.168.10.219, lip=192.168.10.44, mpid=1138, TLS, 
session=
May 13 22:41:32 mail04 dovecot: imap(test): Debug: Loading modules from 
directory: /usr/lib64/dovecot
May 13 22:41:32 mail04 dovecot: imap(test): Debug: Module loaded: 
/usr/lib64/dovecot/lib15_notify_plugin.so
May 13 22:41:32 mail04 dovecot: imap(test): Debug: Module loaded: 
/usr/lib64/dovecot/lib20_listescape_plugin.so
May 13 22:41:32 mail04 dovecot: imap(test): Debug: Added userdb setting: mail=mdbox:~/mdbox:INBOX=/var/spool/mail/test:CONTROL=~/mail/control:INDEX=/var/dovecot/test/index:LAYOUT=maildir++
May 13 22:41:32 mail04 dovecot: imap(test): Debug: Effective uid=8267, 
gid=231, home=/home/popusers/test
May 13 22:41:32 mail04 dovecot: imap(test): Debug: Namespace inbox: type=private, prefix=, sep=/, inbox=yes, hidden=no, list=yes, subscriptions=yes location=mdbox:~/mdbox:INBOX=/var/spool/mail/test:CONTROL=~/mail/control:INDEX=/var/dovecot/test/index:LAYOUT=maildir++
May 13 22:41:32 mail04 dovecot: imap(test): Error: Namespace '': Mailbox 
list driver maildir++: maildir_name not supported by this driver
May 13 22:41:32 mail04 dovecot: imap(test): Namespace '': Mailbox list 
driver maildir++: maildir_name not supported by this driver in=0 out=378
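As an added example (not code from any participant in this thread): Python that parses a passwd-file userdb line like the special-userdb above, splits the userdb_mail location into driver, root and options, expands ~, %u, %n and %d per user, and applies the check Aki gave in this thread (LAYOUT=maildir++ cannot go with mdbox). The userdb line and locations are constructed from the ones posted; extending the check to sdbox and the absolute-path checks are assumptions.

```python
# Constructed passwd-file userdb line in the shape of the thread's special-userdb:
# user:pw:uid:gid:gecos:home:shell, then space-separated extra fields.
USERDB_LINE = ("test:x:8267:231:Account with special settings for dovecot:"
               "/home/popusers/test:/bin/false:"
               "userdb_mail=mdbox:~/mdbox:INBOX=/var/spool/mail/%u:INDEX=/var/dovecot/%u/index")
# The [2] variant from the thread: mdbox with the mbox-era LAYOUT copied along.
BAD_LOCATION = ("mdbox:~/mdbox:INBOX=/var/spool/mail/%u:CONTROL=~/mail/control:"
                "INDEX=/var/dovecot/%u/index:LAYOUT=maildir++")


def parse_passwd_file_line(line):
    """Only the first 7 colons separate fields; the 8th field (extra fields) keeps
    its own colons, which matters because mail locations are full of them."""
    fields = line.rstrip("\n").split(":", 7)
    if len(fields) < 7:
        raise ValueError("passwd-file line needs at least 7 fields")
    extra = {}
    if len(fields) == 8:
        for item in fields[7].split():
            key, _, value = item.partition("=")
            extra[key] = value
    return {"user": fields[0], "uid": int(fields[2]) if fields[2] else None,
            "gid": int(fields[3]) if fields[3] else None,
            "home": fields[5], "shell": fields[6], "extra": extra}


def parse_mail_location(spec):
    """driver:root[:KEY=VALUE...] -> dict; an option without '=' becomes True."""
    parts = spec.split(":")
    if len(parts) < 2 or not parts[0]:
        raise ValueError("mail location needs driver:root")
    options = {}
    for item in parts[2:]:
        key, sep, value = item.partition("=")
        options[key] = value if sep else True
    return {"driver": parts[0], "root": parts[1], "options": options}


def expand(path, user, home):
    """Expand the variables that occur in this thread's locations: ~, %u, %n, %d."""
    local, _, domain = user.partition("@")
    out = path.replace("%u", user).replace("%n", local).replace("%d", domain)
    if out.startswith("~"):
        out = home + out[1:]
    return out


def check_mail_location(loc):
    """Problems a config lint would report. The LAYOUT rule is the one Aki gave in
    this thread for mdbox; applying it to sdbox as well is an assumption (both dbox
    formats keep mails under a fixed maildir_name, which the maildir++ list driver
    rejects with 'maildir_name not supported by this driver')."""
    problems = []
    opts = loc["options"]
    if loc["driver"] in ("mdbox", "sdbox") and opts.get("LAYOUT") == "maildir++":
        problems.append("LAYOUT=maildir++ cannot be combined with %s" % loc["driver"])
    for key in ("INBOX", "INDEX", "CONTROL"):
        value = opts.get(key)
        if isinstance(value, str) and not value.startswith(("/", "~")):
            problems.append("%s=%s is not an absolute or ~-relative path" % (key, value))
    return problems


def resolve_user_mail(line):
    """userdb line -> the per-user paths dovecot would end up using."""
    row = parse_passwd_file_line(line)
    loc = parse_mail_location(row["extra"]["userdb_mail"])
    user, home, opts = row["user"], row["home"], loc["options"]
    return {"driver": loc["driver"],
            "root": expand(loc["root"], user, home),
            "inbox": expand(opts["INBOX"], user, home) if "INBOX" in opts else None,
            "index": expand(opts["INDEX"], user, home) if "INDEX" in opts else None,
            "problems": check_mail_location(loc)}


if __name__ == "__main__":
    print(resolve_user_mail(USERDB_LINE))
    print(check_mail_location(parse_mail_location(BAD_LOCATION)))
```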


RE: Doveadm sync, Error: read(remote) failed: EOF, Error: read(remote) failed: EOF

2019-05-13 Thread Marc Roos via dovecot
 
Indeed, Thanks!!! :)


-Original Message-
From: Aki Tuomi [mailto:aki.tu...@open-xchange.com] 
Sent: Monday 13 May 2019 19:48
To: Marc Roos; Marc Roos via dovecot
Subject: Re: Doveadm sync, Error: read(remote) failed: EOF, Error: 
read(remote) failed: EOF

Hi, you need to put the mdbox parameter last. 

Aki 

On 13 May 2019 18:55 Marc Roos via dovecot < dovecot@dovecot.org> 
wrote: 


In the manual page this command is used for converting a mailbox 

doveadm sync -u test mdbox:~/mdbox -x INBOX -x INBOX/* 

Yet I am getting this error and the mdbox folder is not created. 

dsync-local(test): (version not received) 
doveadm(test): Fatal: execvp(mdbox:~/mdbox) failed: No such file or directory 

[@ dovecot]# doveconf | grep mail_locat 
mail_location = mbox:~/mail:INBOX=/var/spool/mail/%u:CONTROL=~/mail/control:INDEX=/var/dovecot/%u/index:LAYOUT=maildir++

Users do not have shell access, so something like su test -c '' will 
also not work. 

What would be a work-around for this? 


---
Aki Tuomi




Doveadm sync, Error: read(remote) failed: EOF, Error: read(remote) failed: EOF

2019-05-13 Thread Marc Roos via dovecot


In the manual page this command is used for converting a mailbox

doveadm sync -u test mdbox:~/mdbox -x INBOX -x INBOX/*

Yet I am getting this error and the mdbox folder is not created.

dsync-local(test): (version not received)
doveadm(test): Fatal: execvp(mdbox:~/mdbox) failed: No such file or 
directory

[@ dovecot]# doveconf  | grep mail_locat
mail_location = mbox:~/mail:INBOX=/var/spool/mail/%u:CONTROL=~/mail/control:INDEX=/var/dovecot/%u/index:LAYOUT=maildir++

Users do not have shell access, so something like su test -c '' will 
also not work. 

What would be a work-around for this?



RE: Mail account brute force / harassment

2019-04-11 Thread Marc Roos via dovecot
 


>
>> B. With 500GB dump
>> - the owner of the attacking server (probably hacked) will notice it 
>> will be forced to take action.
>
> Unlikely. What is very likely is that your ISP shuts you down for 
> network abuse.

If you do not block the request but allow it, and redirect it to a /dev/zero 
device that generates 500GB of messages, how can I ever be accused of 
network abuse?

Since your logic is not correct on this, how can I assume anything you 
write is correct?


>> If abuse clouds are smart (most are) they would notice that attacking 
>> my servers, will result in the loss of abuse nodes, hence they will 
>> not bother me anymore.
>
> Not at all the case.
>
>> If every one would apply strategy B, the abuse problem would get less. 
>
> No. The abuse problem would be far worse.
>



-Original Message-
From: @lbutlr via dovecot [mailto:dovecot@dovecot.org] 
Sent: Thursday 11 April 2019 19:11
To: Peter via dovecot
Subject: Re: Mail account brute force / harassment

On 11 Apr 2019, at 04:43, Marc Roos via dovecot  
wrote:
> B. With 500GB dump
> - the owner of the attacking server (probably hacked) will notice it 
> will be forced to take action.

Unlikely. What is very likely is that your ISP shuts you down for network 
abuse.

> If abuse clouds are smart (most are) they would notice that attacking 
> my servers, will result in the loss of abuse nodes, hence they will 
> not bother me anymore.

Not at all the case.

> If every one would apply strategy B, the abuse problem would get less. 

No. The abuse problem would be far worse.


--
I thank my lucky stars I'm not superstitious.







RE: Mail account brute force / harassment

2019-04-11 Thread Marc Roos via dovecot
 
How long have we been using the current strategy? Do we have fewer or 
more abuse clouds operating? 

"Let the others bother with their own problems." is a bit of a narrow-minded 
view. If everyone on this mailing list had this attitude, there 
would be no single answer to your question.


-Original Message-
From: Odhiambo Washington [mailto:odhia...@gmail.com] 
Sent: Thursday 11 April 2019 12:54
To: Marc Roos
Cc: dovecot
Subject: Re: Mail account brute force / harassment

Marc,

There is a strategy loosely referred to as "choose your battles well" 
:-) 
If you can, hack the server and dump the 500GB - you'll be using 
resources transferring the 500GB as the other server receives it. Two 
servers wasting resources because you think you are punishing an 
offender!


On Thu, 11 Apr 2019 at 13:43,  wrote:


Please do not assume anything other than what is written, it is a 
hypothetical situation


A. With the fail2ban solution
   - you 'solve' that the current ip is not able to access you
   - it will continue bothering other servers and admins
   - you get the next abuse host to give a try.

B. With 500GB dump
 - the owner of the attacking server (probably hacked) will notice it 
will be forced to take action.


If abuse clouds are smart (most are) they would notice that attacking my 
servers, will result in the loss of abuse nodes, hence they will not 
bother me anymore. 

If every one would apply strategy B, the abuse problem would get less. 
Don't you agree??






-Original Message-
From: Odhiambo Washington  
Sent: Thursday 11 April 2019 12:28
To: Marc Roos
Cc: dovecot
Subject: Re: Mail account brute force / harassment


    
On Thu, 11 Apr 2019 at 13:24, Marc Roos via dovecot wrote:


Say for instance you have someone trying to constantly access an 
account


Has any of you made something creative like this:

* configure that account to allow to login with any password
* link that account to something like /dev/zero that generates infinite 
amount of messages
  (maybe send an archive of viruses?)
* transferring TB's of data to this harassing client.

I think it would be interesting to be able to do such a thing.




Instead of being evil, just use fail2ban to address this problem :-)  

-- 

Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)






-- 

Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)




RE: Mail account brute force / harassment

2019-04-11 Thread Marc Roos via dovecot
Yes indeed, we already have our own dnsbl's for smtp and ssh/ftp access. How 
do you have one set up for dovecot connections?


-Original Message-
From: James via dovecot [mailto:dovecot@dovecot.org] 
Sent: Thursday 11 April 2019 13:25
To: dovecot@dovecot.org
Subject: Re: Mail account brute force / harassment

On 11/04/2019 11:43, Marc Roos via dovecot wrote:

> A. With the fail2ban solution
>- you 'solve' that the current ip is not able to access you

It is only a solution if there are subsequent attempts from the same 
address.  I currently have several thousand addresses blocked due to 
dovecot login failures.  My firewall is set to log these so I can see 
that few repeat, those that do repeat have intervals of >1 week. 
Blocking these has minimal effect (other than to clog fail2ban and the 
firewall).

>- it will continue bothering other servers and admins

Which is why a dnsbl for dovecot is a good idea.  I do not believe the 
agents behind these login attempts are only targeting me, hence the 
addresses should be shared via a dnsbl.
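As an added example (not code from anyone on this thread): a Python parser for the dovecot 2.2 imap-login and auth-worker lines shown in the logging thread earlier on this page. It counts auth failures per remote address and flags sources that cross a threshold inside a sliding window, which is the decision a fail2ban jail or a dnsbl feeder makes, and tags each event class with the syslog severity that thread argues dovecot should emit. The log lines, session ids and addresses are constructed; the addresses come from documentation ranges, not real hosts.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in the syslog format dovecot 2.2 writes (see the logging
# thread on this page); addresses are documentation ranges, session ids made up.
SAMPLE_LOG = """\
Aug  9 16:18:24 mail03 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<krinfo>, method=PLAIN, rip=192.0.2.10, lip=10.0.0.5, TLS, session=<s1>
Aug  9 16:18:29 mail03 dovecot: auth-worker(28656): pam(krinfo,192.0.2.10,<s1>): unknown user
Aug  9 16:18:50 mail03 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 25 secs): user=<krinfo>, method=PLAIN, rip=192.0.2.10, lip=10.0.0.5, TLS: Disconnected, session=<s2>
Aug  9 16:19:01 mail03 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 8 secs): user=<krinfo>, method=PLAIN, rip=192.0.2.10, lip=10.0.0.5, TLS, session=<s3>
Aug  9 16:19:15 mail03 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<admin>, method=PLAIN, rip=198.51.100.7, lip=10.0.0.5, TLS, session=<s4>
Aug  9 16:19:49 mail03 dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.9, lip=10.0.0.5, mpid=1138, TLS, session=<s5>
Aug  9 16:19:53 mail03 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<krinfo>, method=PLAIN, rip=192.0.2.10, lip=10.0.0.5, TLS, session=<s6>
"""

# "Mon DD HH:MM:SS host dovecot: process[(pid)]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot: "
    r"(?P<proc>[\w-]+)(?:\([^)]*\))?: (?P<msg>.*)$")
ABORT_RE = re.compile(
    r"^Aborted login \(auth failed, \d+ attempts in \d+ secs\): "
    r"user=<(?P<user>[^>]*)>, method=\w+, rip=(?P<rip>[^,]+)")
LOGIN_RE = re.compile(r"^Login: user=<(?P<user>[^>]*)>, method=\w+, rip=(?P<rip>[^,]+)")
# the session id may be absent (the thread's redacted lines read "pam(user,ip,):")
PAM_RE = re.compile(r"^pam\((?P<user>[^,]*),(?P<rip>[^,]*),(?:<[^>]*>)?\): (?P<reason>.+)$")

# Severity a defender would want per event class; dovecot logs all of them at
# info, vsftpd logs failures at notice/warn (the thread's comparison).
SEVERITY = {"auth_failed": "warning", "unknown_user": "notice", "login_ok": "info"}


def parse_line(line):
    """Return an event dict for a recognised dovecot line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # syslog has no year
    msg = m.group("msg")
    a, l, p = ABORT_RE.match(msg), LOGIN_RE.match(msg), PAM_RE.match(msg)
    if a:
        kind, user, rip = "auth_failed", a.group("user"), a.group("rip")
    elif l:
        kind, user, rip = "login_ok", l.group("user"), l.group("rip")
    elif p:
        kind = p.group("reason").replace(" ", "_")
        user, rip = p.group("user"), p.group("rip")
    else:
        return None
    return {"ts": ts, "kind": kind, "user": user, "rip": rip,
            "severity": SEVERITY.get(kind, "info")}


def parse_log(text):
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def failures_by_source(events):
    """imap-login auth failures per remote IP. The pam line is the same failure
    as seen by auth-worker, so it is deliberately not counted a second time."""
    return dict(Counter(e["rip"] for e in events if e["kind"] == "auth_failed"))


def flag_sources(events, threshold=5, window_seconds=600):
    """Remote IPs with >= threshold auth failures inside any sliding window of
    window_seconds: the same rule a fail2ban jail applies (maxretry/findtime)."""
    per_rip = defaultdict(list)
    for e in events:
        if e["kind"] == "auth_failed":
            per_rip[e["rip"]].append(e["ts"])
    window = timedelta(seconds=window_seconds)
    flagged = set()
    for rip, times in per_rip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(rip)
                break
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in evs:
        print(e["ts"].strftime("%H:%M:%S"), e["severity"], e["kind"], e["user"], e["rip"])
    print("failures:", failures_by_source(evs))
    print("flagged:", flag_sources(evs, threshold=3))
```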






RE: Mail account brute force / harassment

2019-04-11 Thread Marc Roos via dovecot
 
If I am not mistaken dovecot already limits concurrent 
accounts/ips. Furthermore I thought it would be obvious, of course, to 
use only unused resources for this and not jeopardize a production 
environment. 

Furthermore it is logical to assume that one abuse host is not dedicated 
to me. So it probably has 50? other connections for every one of mine. 
So if it were common practice to dump abuse to /dev/zero, the abuse 
host would be the first to 'die'. 


-Original Message-
From: Gerald Galster via dovecot [mailto:dovecot@dovecot.org] 
Sent: Thursday 11 April 2019 12:57
To: dovecot@dovecot.org
Subject: Re: Mail account brute force / harassment



On 11.04.2019 at 12:43, Marc Roos via dovecot wrote:

Please do not assume anything other than what is written, it is a 
hypothetical situation


A. With the fail2ban solution
  - you 'solve' that the current ip is not able to access you
  - it will continue bothering other servers and admins
  - you get the next abuse host to give a try.

B. With 500GB dump
- the owner of the attacking server (probably hacked) will notice it 
will be forced to take action.


If abuse clouds are smart (most are) they would notice that attacking my 
servers, will result in the loss of abuse nodes, hence they will not 
bother me anymore. 

If every one would apply strategy B, the abuse problem would get less. 
Don't you agree??



I disagree. If 100 servers "hack" your imap account and fetch 500GB then 
most likely your server is unreachable. If this is done over many 
servers then your rack switches become the bottleneck and uninvolved 
servers are affected too.

Your solution may work if traffic is expensive and limited but we're 
heading in the other direction: you can rent a server for 50 bucks with 
1gbit bandwidth and unmetered traffic e.g. at hetzner.de

Maybe you want to look into a solution like weakforced:

https://github.com/PowerDNS/weakforced
Wforce is a project by Dovecot, PowerDNS and Open-Xchange

Best regards
Gerald










-Original Message-
From: Odhiambo Washington  
Sent: Thursday 11 April 2019 12:28
To: Marc Roos
Cc: dovecot
Subject: Re: Mail account brute force / harassment


    
On Thu, 11 Apr 2019 at 13:24, Marc Roos via dovecot wrote:


Say for instance you have someone trying to constantly access an 
account


Has any of you made something creative like this:

* configure that account to allow to login with any password
* link that account to something like /dev/zero that generates infinite 
amount of messages
 (maybe send an archive of viruses?)
* transferring TB's of data to this harassing client.

I think it would be interesting to be able to do such a thing.




Instead of being evil, just use fail2ban to address this problem :-)  

-- 

Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)








RE: Mail account brute force / harassment

2019-04-11 Thread Marc Roos via dovecot
Please do not assume anything other than what is written, it is a 
hypothetical situation

 
A. With the fail2ban solution
   - you 'solve' that the current ip is not able to access you
   - it will continue bothering other servers and admins
   - you get the next abuse host to give a try.

B. With 500GB dump
 - the owner of the attacking server (probably hacked) will notice it 
will be forced to take action.


If abuse clouds are smart (most are) they would notice that attacking my 
servers, will result in the loss of abuse nodes, hence they will not 
bother me anymore. 

If every one would apply strategy B, the abuse problem would get less. 
Don't you agree??






-Original Message-
From: Odhiambo Washington  
Sent: Thursday 11 April 2019 12:28
To: Marc Roos
Cc: dovecot
Subject: Re: Mail account brute force / harassment



On Thu, 11 Apr 2019 at 13:24, Marc Roos via dovecot 
 wrote:




Say for instance you have some one trying to constantly access an 
account


Has any of you made something creative like this:

* configure that account to allow login with any password
* link that account to something like /dev/zero that generates an
infinite amount of messages
  (maybe send an archive of viruses?)
* transfer TBs of data to this harassing client.

I think it would be interesting to be able to do such a thing.


Instead of being evil, just use fail2ban to address this problem :-)

-- 

Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)


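The fail2ban approach recommended in the reply above works by counting failed logins per client address inside a time window and blocking the address once a threshold is crossed. The following is an added example, not code from this thread, from Dovecot or from fail2ban, that implements that counting in Python over a few constructed Dovecot login log lines. The line format follows Dovecot's `imap-login`/`pop3-login` "Disconnected (auth failed, N attempts in M secs)" messages, the thresholds `maxretry` and `findtime` mirror the jail settings of the same name, and the year, host name, users, addresses and session ids are invented. One caveat worth knowing: Dovecot writes one such line per connection, so a client that cycles many passwords over a single connection produces a single line; `count_attempts=True` weights the line by Dovecot's attempt counter to catch that case sooner.

```python
"""Sliding-window counting of Dovecot login failures, the way a fail2ban jail does it."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the format of Dovecot's imap-login/pop3-login messages.
# The addresses come from the documentation ranges and the events are invented.
SAMPLE_LOG = """\
Apr 11 12:20:01 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.1, TLS, session=<a1>
Apr 11 12:20:05 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<alice>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.1, TLS, session=<a2>
Apr 11 12:20:12 mail dovecot: imap-login: Disconnected (auth failed, 2 attempts in 6 secs): user=<alice>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.1, TLS, session=<a3>
Apr 11 12:20:40 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.1, TLS, session=<a4>
Apr 11 12:21:00 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=198.51.100.7, lip=198.51.100.1, mpid=2211, TLS, session=<b1>
Apr 11 12:21:03 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.1, TLS, session=<a5>
Apr 11 12:22:10 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<bob>, method=PLAIN, rip=198.51.100.7, lip=198.51.100.1, TLS, session=<b2>
Apr 11 12:40:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=198.51.100.7, lip=198.51.100.1, TLS, session=<b3>
"""

# One failed-auth disconnect line. Dovecot reports how many password attempts the
# connection made before it gave up ("N attempts in M secs"); rip= is the client.
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot: "
    r"(?:imap|pop3|managesieve)-login: Disconnected \(auth failed, "
    r"(?P<attempts>\d+) attempts in \d+ secs\):.*?\brip=(?P<ip>[0-9A-Fa-f.:]+)"
)


def parse_failure(line, year=2019):
    """Return (timestamp, client_ip, attempts) for an auth-failure line, else None.

    Syslog timestamps carry no year, so the caller supplies one (2019 here, the
    year of the thread; an assumption of this example).
    """
    m = FAIL_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], int(m["attempts"])


def find_bans(lines, maxretry=5, findtime=600, count_attempts=False, year=2019):
    """Return {ip: time_of_ban} for clients that reach maxretry failures within findtime seconds.

    maxretry/findtime mirror the fail2ban jail settings of the same name. With
    count_attempts=False every failure line counts once, as a line-matching
    filter does; with True the line is weighted by Dovecot's attempt counter, so
    a client that cycles passwords over a single connection is caught sooner.
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    bans = {}
    for line in lines:
        parsed = parse_failure(line, year)
        if parsed is None:
            continue  # successful logins and unrelated lines are ignored
        ts, ip, attempts = parsed
        if ip in bans:
            continue  # already banned; the firewall would be dropping this client
        q = recent[ip]
        q.extend([ts] * (attempts if count_attempts else 1))
        while q and ts - q[0] > window:
            q.popleft()  # expire failures older than findtime
        if len(q) >= maxretry:
            bans[ip] = ts
    return bans


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG.splitlines()).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
```

On the sample data, 203.0.113.5 crosses five failures in about a minute and is banned; 198.51.100.7 fails twice eighteen minutes apart, which stays under the default window, so it is not. A real jail then adds a firewall rule for `bantime` seconds; this example stops at the decision.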
Mail account brute force / harassment

2019-04-11 Thread Marc Roos via dovecot



Say for instance you have someone trying to constantly access an
account


Has any of you made something creative like this:

* configure that account to allow login with any password
* link that account to something like /dev/zero that generates an
infinite amount of messages
  (maybe send an archive of viruses?)
* transfer TBs of data to this harassing client.

I think it would be interesting to be able to do such a thing.


RE: Archive maildir

2019-02-13 Thread Marc Roos via dovecot
 
I have made something for archiving that you can supply with an array of
mail folders and it will move messages of a specific year to a folder
ARCHIVE/YEAR. If you only have 180GB I would not make a subdivision into
months. Just put everything in a year folder, sent and received
combined.
Also use doveadm in your script; that will work on any type of storage
and you do not want to risk losing email because someone is not
'coding' properly.

-Original Message-
From: Gandalf Corvotempesta via dovecot [mailto:dovecot@dovecot.org] 
Sent: 13 February 2019 10:23
To: Dovecot Mailing List
Subject: Archive maildir

Hi to all
We have a maildir with about 180GB of emails.
We have to archive them to a structure like: .Archive.YYY./MM.folder

Are you aware of a script doing this? I've found a perl script that
doesn't split into year and month and a very, very, very, very, very old
python script that:
1) doesn't manage base64 encoded subjects properly
2) doesn't work with python 3.x (which is able to manage base64 encoded
subjects properly)

Any idea?
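Marc's reply above describes a script that uses doveadm to move one year's messages out of a list of folders into ARCHIVE/YEAR, and argues for doveadm over hand-written maildir code because doveadm works on any mailbox format. As an added example, not his script and not Dovecot's own code, the Python below builds, and optionally runs, the `doveadm mailbox create` and `doveadm move` commands for that job. It assumes `/` is the namespace hierarchy separator (with a `.` separator the destination folder would be `ARCHIVE.2018`), selects messages with the `since`/`before` search keys, which match on the message's internal (arrival) date like IMAP SEARCH SINCE/BEFORE, refuses to touch the current year, and runs nothing unless `dry_run=False`. The user name `bob`, the folder names and the years are placeholders.

```python
"""Per-year mailbox archiving driven by doveadm (added example with placeholder names)."""
import subprocess
from datetime import date


def year_bounds(year):
    """Half-open [since, before) window covering one calendar year, as doveadm date specs."""
    return f"{year:04d}-01-01", f"{year + 1:04d}-01-01"


def archive_commands(user, year, folders, archive_root="ARCHIVE"):
    """Build the doveadm argv lists that archive one year for one user.

    The first command creates ARCHIVE/<year>; each further command moves the
    messages of `year` out of one source folder. `since`/`before` select on the
    message's internal (arrival) date, like IMAP SEARCH SINCE/BEFORE.
    """
    dest = f"{archive_root}/{year}"  # assumption: '/' is the namespace separator
    since, before = year_bounds(year)
    cmds = [["doveadm", "mailbox", "create", "-u", user, dest]]
    for folder in folders:
        cmds.append(["doveadm", "move", "-u", user, dest,
                     "mailbox", folder, "since", since, "before", before])
    return cmds


def archive_years(user, folders, years, dry_run=True, runner=subprocess.run):
    """Return the full command plan, oldest year first, and execute it unless dry_run.

    `doveadm mailbox create` exits non-zero when the folder already exists, so it
    runs unchecked; a failing `doveadm move` raises, because a half-moved year is
    better investigated than silently continued. `runner` is injectable so the
    plan can be exercised without a Dovecot installation.
    """
    this_year = date.today().year
    plan = []
    for year in sorted(years):
        if year >= this_year:
            raise ValueError(f"refusing to archive the still-changing year {year}")
        plan.extend(archive_commands(user, year, folders))
    if not dry_run:
        for argv in plan:
            runner(argv, check=argv[1] != "mailbox")
    return plan


if __name__ == "__main__":
    # Dry run: print what would be executed for a placeholder user and folder set.
    for argv in archive_years("bob", ["INBOX", "Sent"], [2017, 2018]):
        print(" ".join(argv))
```

Run it once with `dry_run=True` and read the printed commands before letting it loose on a mailbox; doveadm's `-A` flag would extend the same plan to all users, and `doveadm search` with the same `mailbox`/`since`/`before` query shows exactly which messages a `move` would touch.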