Re: Compiling Dovecot on Solaris 10

2017-02-03 Thread Martin Preen

Hello,
I don't have problems building 2.2.27 on Solaris 10
(using Sun Workshop compiler 5.11).

The configuration is the same as yours.
Maybe a compiler/version problem on your system ?

Regards,
Martin

Mantas Gegužis wrote:

Hello,

I am trying to compile Dovecot 2.2.27 on Solaris 10, and I get this error:
test-ioloop.c: In function `test_ioloop_pending_io':
test-ioloop.c:188: error: size of array `type name' is negative

My configuration is like this:
Install prefix . : /usr/local
File offsets ... : 64bit
I/O polling .... : poll
I/O notifys .... : none
SSL ............ : yes (OpenSSL)
GSSAPI ......... : no
passdbs ........ : static passwd passwd-file shadow pam checkpassword
dcrypt ......... : yes
                 : -bsdauth -sia -ldap -sql -vpopmail
userdbs ........ : static prefetch passwd passwd-file checkpassword
                 : -ldap -sql -vpopmail -nss
SQL drivers .... :
                 : -pgsql -mysql -sqlite -cassandra
Full text search : squat
                 : -lucene -solr

Last version that I have compiled was 2.2.24, version 2.2.25 failed with error:
In file included from guid.c:6:
sha1.h:80: error: static or type qualifiers in abstract declarator

Is there anyone who can help me?


------
Martin Preen, Universität Freiburg, Institut für Informatik
Georges-Koehler-Allee 52, Raum EG-006, 79110 Freiburg, Germany

phone: ++49 761 203-8250  pr...@informatik.uni-freiburg.de
fax: ++49 761 203-8242  swt.informatik.uni-freiburg.de/staff/preen





Re: [Dovecot] Solaris hardware crypto engines

2011-11-24 Thread Martin Preen

Timo Sirainen wrote:

On Mon, 2011-11-21 at 23:49 +0100, Martin Preen wrote:


# /usr/sfw/bin/openssl engine
(pkcs11) PKCS #11 engine support


  ENGINE_set_default_RSA(e); ENGINE_set_default_DSA(e);
  ENGINE_set_default_ciphers(e);

in ssl_proxy_init() and inserting ENGINE_cleanup(); in ssl_proxy_deinit()
the crypto device gets used. I'm sure that this is not the whole story since
this only seems to affect the IMAP login.

It should work for POP3 as well, all of the SSL code is shared.

I couldn't find the EncryptUpdate call which has to be changed too
(due to the howto documents). Maybe some other call needs a patch.
But I don't know which.


What EncryptUpdate?.. I've anyway added the engine init/deinit calls in
your email to v2.1 hg. Let's hope it works :) At least it didn't break
when I tried it with "dynamic" value (which is the only engine my
OpenSSL supports).


Probably I'm wrong (I have no experience with SSL programming). I thought
the EncryptUpdate was necessary for the encoding of the SSL data stream.
But maybe there has to be a link between engine initialization and the
SSL contexts ?

Martin

-------
Martin Preen, Universität Freiburg, Institut für Informatik
Georges-Koehler-Allee 52, Raum EG-006, 79110 Freiburg, Germany

phone: ++49 761 203-8250  pr...@informatik.uni-freiburg.de
fax: ++49 761 203-8242  swt.informatik.uni-freiburg.de/~preen





Re: [Dovecot] Solaris hardware crypto engines

2011-11-21 Thread Martin Preen

Timo Sirainen wrote:

On Mon, 2011-11-21 at 10:18 +0100, Martin Preen wrote:

Hello,
after several tests (and reading a lot of howto's) I'm now fairly convinced
that the Solaris HW-crypto engine is not automatically used. Even when dovecot
is compiled with the OpenSSL version provided by Solaris.

Currently I have only a T1-CPU available for testing (Sun Fire T2000) and
after patching src/login-common/ssl-proxy-openssl.c (Dovecot 1.2.17) with

  ENGINE *e;
  ENGINE_load_builtin_engines(); ENGINE_init((e=ENGINE_by_id("pkcs11")));


Does "openssl engine" return this "pkcs11" string?


This requires the Solaris OpenSSL version
(or another version using the pkcs11 patch).

# /usr/sfw/bin/openssl engine
(pkcs11) PKCS #11 engine support


  ENGINE_set_default_RSA(e); ENGINE_set_default_DSA(e);
  ENGINE_set_default_ciphers(e);

in ssl_proxy_init() and inserting ENGINE_cleanup(); in ssl_proxy_deinit()
the crypto device gets used. I'm sure that this is not the whole story since
this only seems to affect the IMAP login.


It should work for POP3 as well, all of the SSL code is shared.


I couldn't find the EncryptUpdate call which has to be changed too
(due to the howto documents). Maybe some other call needs a patch.
But I don't know which.

Martin


One has to use the specific SSL-engine and the ENGINE/EVP calls (as stated in
the various articles). Is there any chance that Dovecot gets updated/patched
for this ? E.g. Like the SSLCryptoDevice setting in Apache's mod_ssl.


I guess I could add ssl_crypto_device setting for this. But I'll need to
figure out proper ifdefs to avoid compile failures with older OpenSSL
versions.




Re: [Dovecot] Solaris hardware crypto engines

2011-11-21 Thread Martin Preen

Hello,
after several tests (and reading a lot of howto's) I'm now fairly convinced
that the Solaris HW-crypto engine is not automatically used. Even when dovecot
is compiled with the OpenSSL version provided by Solaris.

Currently I have only a T1-CPU available for testing (Sun Fire T2000) and
after patching src/login-common/ssl-proxy-openssl.c (Dovecot 1.2.17) with

 ENGINE *e;
 ENGINE_load_builtin_engines(); ENGINE_init((e=ENGINE_by_id("pkcs11")));
 ENGINE_set_default_RSA(e); ENGINE_set_default_DSA(e);
 ENGINE_set_default_ciphers(e);

in ssl_proxy_init() and inserting ENGINE_cleanup(); in ssl_proxy_deinit()
the crypto device gets used. I'm sure that this is not the whole story since
this only seems to affect the IMAP login.

One has to use the specific SSL-engine and the ENGINE/EVP calls (as stated in
the various articles). Is there any chance that Dovecot gets updated/patched
for this ? E.g. Like the SSLCryptoDevice setting in Apache's mod_ssl.

Regards.
Martin

Chris Hoogendyk wrote:


On 4/18/11 6:30 AM, Martin Preen wrote:

Hello,
I tried to find out how about to use the hardware crypto engines under
Solaris (Sun Fire T2000). It seems, that it's not just a compilation issue:


> For operations that are to be offloaded, it is necessary to restrict use to subset
> of OpenSSL functions (the EVP_ functions) and explicitly indicate the use of the PKCS11
> engine; something like the following works for bulk ciphers (the process for RSA is similar):


ENGINE *e;
ENGINE_load_builtin_engines();
e = ENGINE_by_id("pkcs11");
ENGINE_set_default_ciphers(e);
EVP_CIPHER_CTX_init (&ctx);
EVP_EncryptInit (&ctx, EVP_des_cbc (), key, iv);
EVP_EncryptUpdate (.);


Since I'm not familiar with SSL programming, I wonder if it's possible to
modify the dovecot 1.2.x source code. Maybe someone has already tried this
or can give me a hint.


You don't want to do that.

The objective is for the ssl engine to be low level and basically 
invisible to layers of application above that use it. So, build openssl 
properly and it just works for everything else.


I'm not at work today, so I don't have reference to my notes. Ah, just 
found an email I sent to my colleagues -- copied it below.


---
Martin Preen, Universität Freiburg, Institut für Informatik
Georges-Koehler-Allee 52, Raum EG-006, 79110 Freiburg, Germany

phone: ++49 761 203-8250  pr...@informatik.uni-freiburg.de
fax: ++49 761 203-8242  swt.informatik.uni-freiburg.de/~preen





[Dovecot] Solaris hardware crypto engines

2011-04-18 Thread Martin Preen

Hello,
I tried to find out how about to use the hardware crypto engines under
Solaris (Sun Fire T2000). It seems, that it's not just a compilation issue:


> For operations that are to be offloaded, it is necessary to restrict use to subset
> of OpenSSL functions (the EVP_ functions) and explicitly indicate the use of the PKCS11
> engine; something like the following works for bulk ciphers (the process for RSA is similar):


ENGINE *e;
ENGINE_load_builtin_engines();
e = ENGINE_by_id("pkcs11");
ENGINE_set_default_ciphers(e);
EVP_CIPHER_CTX_init (&ctx);
EVP_EncryptInit (&ctx, EVP_des_cbc (), key, iv);
EVP_EncryptUpdate (.);


Since I'm not familiar with SSL programming, I wonder if it's possible to
modify the dovecot 1.2.x source code. Maybe someone has already tried this
or can give me a hint.

Regards.
Martin




Re: [Dovecot] Panic: Trying to allocate 2147483648 bytes

2009-03-30 Thread Martin Preen

Timo Sirainen wrote:

On Mar 26, 2009, at 1:00 PM, David Halik wrote:

Any thoughts on this Timo? Just wondering if you were able to 
reproduce the problem and saw the same behavior. We can look into it 
more if need be, but since I can replicate it on both Fedora and 
Solaris, I'm guessing it's a fundamental bug with how certain 
malformed emails are searched.


Interesting that the only two people who reported this were running on 
Solaris. Anyway, fixed:

http://hg.dovecot.org/dovecot-1.1/rev/a2013dedbad0


In my case the error occurred only sometimes. I made several tests with the
patch applied and the error seems to be gone.

Thanks.
Martin

I suppose that could be thought of as a DoS attack, but since it 
requires user to search messages and have a very special kind of email, 
and by default imap process size is limited to 256 MB, I don't think 
I'll bother releasing v1.1.14 because of it.


-------
Martin Preen, Universität Freiburg, Institut für Informatik
Georges-Koehler-Allee 52, Raum 00-006, 79110 Freiburg, Germany

phone: ++49 761 203-8250  pr...@informatik.uni-freiburg.de
fax: ++49 761 203-8242  www.informatik.uni-freiburg.de


[Dovecot] largefile question

2009-03-19 Thread Martin Preen

Hello,
currently we're using version 1.0.13 with 32bit file offsets.
Is it safe to switch to a new version with largefile support
enabled ?

We want to reuse existing index/cache or do we have to
expect errors with that ?

Regards.
Martin

---
Martin Preen, Universität Freiburg, Institut für Informatik
Georges-Koehler-Allee 52, Raum 00-006, 79110 Freiburg, Germany

phone: ++49 761 203-8250  pr...@informatik.uni-freiburg.de
fax: ++49 761 203-8242  www.informatik.uni-freiburg.de


[Dovecot] panic in dovecot 1.1.12

2009-03-18 Thread Martin Preen

Hello,
with some mbox folders I got this error:

 Mar 18 14:48:12 imap2 dovecot: [ID 107833 mail.crit] Panic:
 IMAP(xyz): file charset-iconv.c: line 122: unreached

I assume that this is related to the folder contents (and not
the configuration). What does that mean to me ?

Martin

---
Martin Preen, Universität Freiburg, Institut für Informatik
Georges-Koehler-Allee 52, Raum 00-006, 79110 Freiburg, Germany

phone: ++49 761 203-8250  pr...@informatik.uni-freiburg.de
fax: ++49 761 203-8242  www.informatik.uni-freiburg.de


[Dovecot] NFS-error with dovecot 1.1.12

2009-03-18 Thread Martin Preen

Hello,
I'm testing version 1.1.12 and occasionally there is

 Mar 18 14:40:44 imap2 dovecot: [ID 107833 mail.error] IMAP(xyz):
 nfs_flush_file_handle_cache_dir: rmdir(/home/xyz) failed: Device busy

It seems that it is related to a crash of the previous imap process
of that user. And it doesn't seem to cause any problems. So can it
safely be ignored ?

It is on Solaris 10. Index storage is local (UFS) and mailbox
storage is NFS (mail_nfs_storage=yes).

Martin

-------
Martin Preen, Universität Freiburg, Institut für Informatik
Georges-Koehler-Allee 52, Raum 00-006, 79110 Freiburg, Germany

phone: ++49 761 203-8250  pr...@informatik.uni-freiburg.de
fax: ++49 761 203-8242  www.informatik.uni-freiburg.de


Re: [Dovecot] Unknown internal error

2008-05-13 Thread Martin Preen

Martin Preen wrote:

Hello,
I just found this message in our dovecot logfiles:
"Disconnected: BUG: Unknown internal error"

Should I worry about this ?

There are no complaints yet (although it is not limited to one user).
It seems to occur with different clients (Apple/MacOS mail,
Windows/Thunderbird, Pine).

We're running dovecot 1.0.10 on Solaris 10 with mboxes (NFS)
and local index storage. There are no such messages before
the upgrade (from version 1.0.5).


Hello,
I still don't know the source or reason for that.
Updating to 1.0.13 solved this issue (in my case).
The BUG-messages disappeared.

Greetings.
Martin

-------
Martin Preen, Universität Freiburg, Institut für Informatik
Georges-Koehler-Allee 52, Raum 00-006, 79110 Freiburg, Germany

phone: ++49 761 203-8250  [EMAIL PROTECTED]
fax: ++49 761 203-8242  www.informatik.uni-freiburg.de


[Dovecot] Unknown internal error

2008-04-01 Thread Martin Preen

Hello,
I just found this message in our dovecot logfiles:
"Disconnected: BUG: Unknown internal error"

Should I worry about this ?

There are no complaints yet (although it is not limited to one user).
It seems to occur with different clients (Apple/MacOS mail,
Windows/Thunderbird, Pine).

We're running dovecot 1.0.10 on Solaris 10 with mboxes (NFS)
and local index storage. There are no such messages before
the upgrade (from version 1.0.5).

Regards.
Martin

-------
Martin Preen, Universität Freiburg, Institut für Informatik
Georges-Koehler-Allee 52, Raum 00-006, 79110 Freiburg, Germany

phone: ++49 761 203-8250  [EMAIL PROTECTED]
fax: ++49 761 203-8242  www.informatik.uni-freiburg.de


Re: [Dovecot] symbolic links to root node

2008-01-25 Thread Martin Preen

Timo Sirainen wrote:

On Fri, 2008-01-25 at 14:48 +0100, Martin Preen wrote:


Hello,
I have a question about the way Dovecot limits file system access.
Currently we're using Dovecot 1.0.5 (Solaris 10).

In some cases users have a symbolic link like "z: -> /" in their
mail directory. As a result there are log entries like

Jan 25 13:30:31 imap1 dovecot: [ID 107833 mail.error] IMAP(xyz): stat(/home/xyz/.wine/dosdevices/c:/windows/profiles/xyz/.../z:/proc/28381/root/proc/28381/.../root/proc/28381/Player/#SharedObje
Jan 25 13:30:31 imap1 dovecot: [ID 107833 mail.error] IMAP(xyz): x) failed: File name too long



So you're exposing the entire home directory to Dovecot? Everything
would go a lot more nicely (and faster) if Dovecot would have access
only to actual mailboxes. Can't you just force everyone to use e.g.
~/mail/ directory (mail_location = mbox:~/mail)?


It is on my long term ToDo list (I would prefer that). But actually it is
very difficult to realize that in our environment.

Currently we're saying that one should configure an IMAP server directory
(but most users don't want to read the documentation).


Is there something I can do (these links should be ignored) ?
Or is it a bug ?



I don't think Dovecot should ignore those kind of errors, because if it
happens on a normal mail directory, it's most likely a problem sysadmin
should know about and fix. But in this kind of a mixed system.. well,
modifying sources would be the only solution.


Ok.

Martin

-------
Martin Preen, Universität Freiburg, Institut für Informatik
Georges-Koehler-Allee 52, Raum 00-006, 79110 Freiburg, Germany

phone: ++49 761 203-8250  [EMAIL PROTECTED]
fax: ++49 761 203-8242  www.informatik.uni-freiburg.de
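
An audit for the situation discussed in this thread, as an added example that is not part of the original messages or of Dovecot: it lists symlinks under a mail root that resolve outside it (such as the Wine-created "z: -> /") without following any link during the walk. The function names and the demo directory layout are constructed for illustration.

```python
import os
import tempfile

def escaping_symlinks(mail_root):
    """List (link, resolved_target) for symlinks under mail_root that
    resolve outside it. Links are never followed during the walk."""
    root = os.path.realpath(mail_root)
    findings = []
    # followlinks=False: a directory symlink is reported but not descended,
    # so "z: -> /" cannot drag the scan into /proc.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            # Inside the root only if the root is a whole-component prefix.
            if os.path.commonpath([root, target]) != root:
                findings.append((path, target))
    return sorted(findings)

def build_demo_tree(base):
    """Constructed sample layout modelled on the log lines in the thread."""
    dos = os.path.join(base, ".wine", "dosdevices")
    os.makedirs(dos)
    os.makedirs(os.path.join(base, ".wine", "drive_c"))
    open(os.path.join(base, "INBOX"), "w").close()
    os.symlink("/", os.path.join(dos, "z:"))            # escapes the root
    os.symlink("../drive_c", os.path.join(dos, "c:"))   # stays inside
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for link, target in escaping_symlinks(build_demo_tree(tmp)):
            print(f"{link} -> {target}")
```

Run against a user's mail location, the output gives the administrator the links to remove or to exclude by pointing mail_location at a dedicated mail directory.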


[Dovecot] symbolic links to root node

2008-01-25 Thread Martin Preen

Hello,
I have a question about the way Dovecot limits file system access.
Currently we're using Dovecot 1.0.5 (Solaris 10).

In some cases users have a symbolic link like "z: -> /" in their
mail directory. As a result there are log entries like

Jan 25 13:30:31 imap1 dovecot: [ID 107833 mail.error] IMAP(xyz): stat(/home/xyz/.wine/dosdevices/c:/windows/profiles/xyz/.../z:/proc/28381/root/proc/28381/.../root/proc/28381/Player/#SharedObje
Jan 25 13:30:31 imap1 dovecot: [ID 107833 mail.error] IMAP(xyz): x) failed: File name too long


We know the reason (the links are created by Wine) but unfortunately we cannot
get rid of them.

Is there something I can do (these links should be ignored) ?
Or is it a bug ?

Greetings.
Martin

-------
Martin Preen, Universität Freiburg, Institut für Informatik
Georges-Koehler-Allee 52, Raum 00-006, 79110 Freiburg, Germany

phone: ++49 761 203-8250  [EMAIL PROTECTED]
fax: ++49 761 203-8242  www.informatik.uni-freiburg.de