Re: dovecot replication
> On 07/12/2024 1:14 PM MDT James Cook via dovecot wrote:
>
> On Fri, Jul 12, 2024 at 06:28:13PM GMT, John Fawcett via dovecot wrote:
>> Hi James
>>
>> I want to avoid the -1 parameter because it doesn't do deletes in the
>> target.
>
> -l, not -1.

No, it's -1 - as in one(1)-way sync. -l (lowercase L) is for locking.

michael

___
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org
Re: dovecot imap_zlib
> On 07/09/2024 6:42 AM MDT Bjoern Franke via dovecot wrote:
>
>>> I tested the git version of dovecot. It seems the IMAP Compress plugin
>>> (imap_zlib) has disappeared.
>>
>> https://github.com/dovecot/core/commit/5f27e25c64555dcaae6cb00c479cd05bc2638081
>
> so the zlib plugin is also deprecated and clients should run compress
> themselves?

These are two distinct plugins.

imap-zlib = compression of the IMAP protocol stream
zlib = mailbox storage compression on the Dovecot server

For 2.4, "zlib" plugin has been renamed to "mail-compress".

https://doc.dovecot.org/2.4/core/plugins/mail_compress.html

michael
Re: dovecot imap_zlib
> On 07/07/2024 8:09 AM MDT Joan Moreau via dovecot wrote:
>
> I tested the git version of dovecot. It seems the IMAP Compress plugin
> (imap_zlib) has disappeared.

https://github.com/dovecot/core/commit/5f27e25c64555dcaae6cb00c479cd05bc2638081

michael
Re: Debian Bookworm packages, please !
Can we please stop this thread here? Clearly, Laura does not seek solutions, the intention seems to be shouting at people. As they say, don't feed the trolls - don't give more causes for shouting. Let this thread die in peace.

Thanks,

/mjt

26.06.2024 22:26, Laura Smith via dovecot wrote:
>> Why do you care about the repo then ? Use the patch locally, publish it, etc. You care about OpenSSL 3.0 compatibility right ? What do you care if it's in the public tree or not.
>
> Because Aki has been shouting from the rooftops here that "beware, its not that easy, Dovecot crashes with OpenSSL 3.0". Aki has seen the OpenSSL 3 code already present in Debian (and Ubuntu and Fedora, its the same code) and supposedly that causes crashes. I'm sure the people who submitted code to the Fedora tree are much better programmers than I am, and if their efforts are not good enough, then, well...
>
> So, if we rephrase it, Aki is effectively telling people not to waste their time trying to patch OpenSSL 3.0 compatibility into 2.3
Re: Debian Bookworm packages, please !
On Tuesday, June 25, 2024 5:08:15 PM CEST, Aki Tuomi via dovecot wrote:
> We can already see that the Debian/RedHat patched 2.3 which is offered is broken because there is more than just "making it compile" with things like OpenSSL3, and yes, I can appreciate that it's not fully broken, but it's not fully working either.

could you please elaborate on this? are there any security issues with using the debian version? what are the problems you are implicating with your above statement, that it's 'not fully working either'?

greetings...
Re: AW: [EXT] Re: Dovecot community repositories
> On 06/13/2024 2:33 AM MDT MK via dovecot wrote:
>
> What is the reason that Debian 12/Ubuntu 22.04/RHEL 9 are not supported by CE
> 2.3?

OS-provided dependencies that won't work with 2.3 code (e.g., OpenSSL).

michael
Re: Dovecot community repositories
> On 06/12/2024 5:37 AM MDT MK via dovecot wrote:
>
> just a short question to the dovecot people, maybe Aki or someone else can
> answer this.
> Will there be an update to the Dovecot community repositories in the near
> future?
> The repositories are lagging behind the current distributions. Just as an
> example: Debian 12 has been released in 06/2023, this is one year ago and
> there are still no packages for it.
> Same for Ubuntu 22.04, RHEL 9... Is there still any interest from dovecot
> side to continue to maintain the community repositories?

The community repositories continue to be maintained.

Debian 12/Ubuntu 22.04/RHEL 9 are not supported by CE 2.3 so we don't build packages for them. They will be supported in CE 2.4.

Distros may have done their own work to modify Dovecot source to get 2.3 to build/package on these systems.

michael
Re: Log detective help
> On 06/05/2024 1:22 PM MDT GDS via dovecot wrote:
>
> Hello all, I am seeing hundreds of lines like the one below in my mail.log
> from this specific IP address, which belongs to Google. Is there a way to
> determine why this "deferred (delivery temporarily suspended)" is happening?
>
> Jun 5 19:09:32 arthemis postfix/error[86771]: 5D9D148296D:
> to=, orig_to=, relay=none, delay=4099,
> delays=4099/0.02/0/0, dsn=4.4.1, status=deferred (delivery temporarily
> suspended: connect to localhost.com[74.125.224.72]:25: Connection timed out)

"localhost.com" - you almost certainly are intending to connect to localhost (i.e. the local loopback address, 127.0.0.1) rather than the remote domain localhost.com. So it looks like a configuration error.

michael
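A small check for the misconfiguration michael points at, added here as an example and not part of the thread: it parses Postfix error/deferred lines like the one quoted above and flags relays whose name suggests the local host but whose resolved address is not a loopback address. The first log line is reconstructed from the quoted one with constructed placeholder recipient addresses, the second is constructed as the non-alarming case, and the function names are this example's own.

```python
import ipaddress
import re

# Constructed sample modelled on the line quoted in the thread; the recipient
# addresses were elided there, so placeholders are used here.
SAMPLE_LINE = (
    "Jun  5 19:09:32 arthemis postfix/error[86771]: 5D9D148296D: "
    "to=<user@example.invalid>, orig_to=<alias@example.invalid>, relay=none, "
    "delay=4099, delays=4099/0.02/0/0, dsn=4.4.1, status=deferred "
    "(delivery temporarily suspended: connect to "
    "localhost.com[74.125.224.72]:25: Connection timed out)"
)
# Constructed counter-example: the name is localhost and the address is loopback.
OK_LINE = (
    "Jun  5 19:10:01 arthemis postfix/error[86790]: 6E0E1482970: "
    "to=<user@example.invalid>, relay=none, delay=12, delays=12/0.01/0/0, "
    "dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to "
    "localhost[127.0.0.1]:24: Connection refused)"
)

# Syslog preamble, queue id, comma-separated key=value fields, then the
# parenthesised reason Postfix appends after status=...
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<prog>[\w-]+)\[\d+\]: (?P<qid>[0-9A-F]+): "
    r"(?P<fields>.*?)(?: \((?P<reason>.*)\))?$"
)
# "connect to name[address]:port" inside the reason text.
CONNECT_RE = re.compile(r"connect to (?P<rhost>[^\[\s]+)\[(?P<rip>[^\]]+)\]:(?P<rport>\d+)")


def parse_line(line):
    """Turn one Postfix log line into a dict; None if it is not a queue-id line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"host": m["host"], "prog": m["prog"], "qid": m["qid"], "reason": m["reason"]}
    for item in m["fields"].split(", "):
        key, _, value = item.partition("=")
        rec[key] = value.strip("<>")          # to=<addr> -> addr
    cm = CONNECT_RE.search(m["reason"] or "")
    if cm:
        rec["remote_host"] = cm["rhost"]
        rec["remote_ip"] = cm["rip"]
        rec["remote_port"] = int(cm["rport"])
    return rec


def looks_like_loopback_confusion(rec):
    """True when the relay name starts with 'localhost' but Postfix resolved it
    to a non-loopback address (localhost.com, or a hijacked 'localhost')."""
    name, ip = rec.get("remote_host"), rec.get("remote_ip")
    if not name or not ip:
        return False
    try:
        is_loop = ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False
    return name.lower().split(".")[0] == "localhost" and not is_loop


def triage(lines):
    """(queue id, relay name, relay address) for deferred deliveries that look misdirected."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec.get("status") == "deferred" and looks_like_loopback_confusion(rec):
            hits.append((rec["qid"], rec["remote_host"], rec["remote_ip"]))
    return hits


if __name__ == "__main__":
    # e.g.: python3 triage.py < /var/log/mail.log
    import sys
    lines = sys.stdin if not sys.stdin.isatty() else [SAMPLE_LINE, OK_LINE]
    for qid, host, ip in triage(lines):
        print(f"{qid}: relay {host} resolved to {ip}, which is not loopback")
```

Run against a real mail.log, the output should be empty on a correctly configured host; any hit names the queue id to look up with postqueue and the transport whose destination needs fixing.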
Re: After user disconnect run the custom script
> On 05/20/2024 9:43 AM MDT Alexey Krylov via dovecot wrote:
>
> Please, send me the link, where I can find the info about configuring
> firing script after dovecot client is disconnected.
>
> I found post-login scripting. That's cool, but... I need to fire script
> a little bit later.

See https://doc.dovecot.org/admin_manual/list_of_events/#mail-user-session-finished

You will need to build an event listener for this event, and then do your scripting in there.

michael
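One way to build such a listener, added as an example and not Dovecot's or the thread's own code: assume Dovecot's event exporter is configured to emit events in JSON through the log transport, so each exported event arrives as a JSON object at the end of a log line. The script below picks those objects out, matches the event name and runs a hook function in place of the custom script. The three log lines are constructed, the log preamble and the field names inside the object are assumptions, and mail_user_session_finished is the event named in the documentation link above.

```python
import json

# Constructed log excerpt. The preamble and the JSON field layout are assumed
# for this example; adjust extract_event() if your exporter output differs.
SAMPLE_LOG = """\
Jun  5 19:09:32 mail dovecot: imap(alice)<1234>: Info: event exported: {"event":"mail_user_session_finished","hostname":"mail","start_time":"2024-06-05T19:09:32.000Z","fields":{"user":"alice","session":"CONSTRUCTED1","remote_ip":"192.0.2.10"}}
Jun  5 19:09:33 mail dovecot: imap-login: Info: Login: user=<bob>, method=PLAIN, rip=192.0.2.11
Jun  5 19:09:40 mail dovecot: imap(bob)<1240>: Info: event exported: {"event":"mail_user_session_finished","hostname":"mail","start_time":"2024-06-05T19:09:33.000Z","fields":{"user":"bob","session":"CONSTRUCTED2","remote_ip":"192.0.2.11"}}
Jun  5 19:09:41 mail dovecot: imap(bob)<1240>: Info: event exported: not json at all {
"""

WANTED_EVENT = "mail_user_session_finished"


def extract_event(line):
    """Return the decoded event dict when the line ends in a JSON event, else None."""
    start = line.find("{")
    if start < 0:
        return None
    try:
        obj = json.loads(line[start:])
    except json.JSONDecodeError:
        return None          # truncated or unrelated brace: ignore the line
    return obj if isinstance(obj, dict) and "event" in obj else None


def on_session_finished(event):
    """Stand-in for the custom script: summarise who disconnected from where."""
    fields = event.get("fields", {})
    return {"user": fields.get("user"), "remote_ip": fields.get("remote_ip")}


def dispatch(lines, wanted=WANTED_EVENT, hook=on_session_finished):
    """Run hook for every line carrying the wanted event; return the hook results."""
    fired = []
    for line in lines:
        event = extract_event(line)
        if event and event["event"] == wanted:
            fired.append(hook(event))
    return fired


if __name__ == "__main__":
    # e.g.: tail -F /var/log/dovecot.log | python3 session_hook.py
    import sys
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    for result in dispatch(source):
        print("session finished:", result)
```

Because the hook only ever sees what the exporter wrote, it runs after the session is gone and cannot delay or block the disconnect, which is the ordering Alexey asked for.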
RE: temporary auth errors
> On 05/02/2024 7:48 AM MDT Marc via dovecot wrote:
>
>>> auth_failure_delay = 2 secs ?
>>
>> That will still simply wait before *rejecting* the login, compared to
>> *dropping the connection*.
>>
>> We are thus looking for three different behaviours:
>>
>> 1. If backend confirms auth, ACK auth + proceed (grant access) to email.
>>
>> 2. If backend confirm "no such user" or "invalid creds", wait for
>> auth_failure_delay and then *reject* the login.
>>
>> 3. If the backend fails (ie, can neither confirm nor deny), simply drop
>> the connection.
>>
>> I hope this is more clear.
>>
>
> Yes that is more clear, but no idea (seems a little out of scope to support
> by design)

In complicated, localized authentication scenarios, Lua auth is likely the best answer.

https://doc.dovecot.org/configuration_manual/authentication/lua_based_authentication/

michael
Re: server migration
Of course, anyone who is still using POP (Leave on Server) presents a different challenge.. Depending on the client, and how the client treated the UID of the message.. The rest should present no issue..

On 2024-04-10 14:25, Kirill Miazine via dovecot wrote:
> • Gandalf Corvotempesta via dovecot [2024-04-10 23:18]:
>> On Wed 10 Apr 2024 at 23:12 Kirill Miazine via dovecot wrote:
>>> UIDVALIDITY change
>>
>> In which case uidvalidity would change ?
>
> if you do rsync, it doesn't. UIDVALIDITY is stored in dovecot-uidlist in maildirs, as described in https://doc.dovecot.org/admin_manual/mailbox_formats/maildir/#imap-uid-mapping

--
"Catch the Magic of Linux..."
--------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Reg. TradeMark of Wizard Tower TechnoServices Ltd.
604-682-0300 Beautiful British Columbia, Canada
Re[4]: panics
> On 27.03.24 at 18:49 Michael Grant via dovecot wrote:
>> I could really use some help debugging issue.
>
> Timo gave some debugging tips in a similar case cf.
> https://dovecot.org/pipermail/dovecot/2023-March/126229.html
>
> In case you know how to use gdb, that should work and might get a reproducer so this error can be mended for everybody.

This was helpful thanks. I do know how to use gdb, but hoping it won't come to this. I was thinking of how to do that anyway. There must be a way to start dovecot (in gdb) so it does not fork and runs on a non-standard port so I could configure the imap client to contact it on, for example, port 1993. If someone knows how to do that, let me know.

> gdb /usr/lib/dovecot/imap
> r -u username

I tried what you said above. It seems to start IMAP running on stdin connected to my username. It's not clear to me how to debug this like that. Any recommendation?

In the client, I can easily set a different port like 1993. What I was imagining was to start dovecot (or imap?) in gdb then connect with the client, authenticate as myself, let it sync up its folders, and then watch the crash and poke around and try to print out the message and folder.

Would it be easy for you to maybe print out the message and folder in the assertion that is failing? Maybe this is easier for me to recompile dovecot with that instead of trying to get into debug in the correct child and all?
Re: panics
I could really use some help debugging an issue. It seems like dovecot is panicking because of some specific message(s) in my inbox. I can't find any easy way to get either my mail client or dovecot to tell me what it doesn't like. The mail client just says dovecot disconnects in the middle of the conversation. Meanwhile, dovecot panics.

Is there some way to turn on imap logging so dovecot tells me step by step which message got requested and which one it's sending to the client?

I've run 'doveadm -v force-resync -u m...@myserver.com me' many times. It returns very fast. I don't know if that's normal or not. Regardless, it does not help.

Is there some method to go through a mailbox (it's an mbox single-file mailbox) and sort out any problems? Clearly dovecot is freaked by something in there, I just can't figure out what.

I can not migrate the entire server to maildir. I would be willing to migrate just my inbox to maildir to see if this fixes it. Any help on how to do this? Can this be done such that my ~/mail/* files remain as mbox files?

Michael Grant
dovecot panic
I'm running dovecot 2.3.19.1 on debian stable. I just started seeing a slew of these in my log:

Mar 14 10:02:38 strange.networkguild.org dovecot[865654]: imap (mgrant)<1939553>: Panic: file istream-header-filter.c: line 663 (i_stream_header_filter_snapshot_free): assertion failed: (snapshot->mstream->snapshot_pending)
Mar 14 10:02:38 strange.networkguild.org dovecot[865654]: imap (mgrant)<1939553>: Error: Raw backtrace: #0 test_subprocess_fork[0x7f1a33d7ca20] -> #1 backtrace_append[0x7f1a33d7cc90] -> #2 backtrace_get[0x7f1a33d7ce20] -> #3 execvp_const[0x7f1a33d89f90] -> #4 i_syslog_fatal_handler[0x7f1a33d8a900] -> #5 i_panic[0x7f1a33ce00a4] -> #6 fs_wrapper_unlock[0x7f1a33cdb71d] -> #7 i_stream_snapshot_free[0x7f1a33d96110] -> #8 i_stream_unref[0x7f1a33d96180] -> #9 index_mail_get_virtual_size[0x7f1a33f2d190] -> #10 index_mail_save_finish[0x7f1a33f2d470] -> #11 index_mail_get_special[0x7f1a33f2d690] -> #12 mail_get_special[0x7f1a33eaf950] -> #13 cmd_select[0x560714f983e0] -> #14 imap_fetch_begin[0x560714f9d170] -> #15 imap_fetch_more[0x560714f9d550] -> #16 cmd_fetch[0x560714f91c00] -> #17 command_exec[0x560714f9a880] -> #18 cmd_x_cancel[0x560714fa0510] -> #19 cmd_x_cancel[0x560714fa0510] -> #20 cmd_x_cancel[0x560714fa0510] -> #21 client_handle_input[0x560714fa0880] -> #22 client_input[0x560714fa0d80] -> #23 io_loop_call_io[0x7f1a33da1c70] -> #24 io_loop_handler_run_internal[0x7f1a33da3970] -> #25 io_loop_handler_run[0x7f1a33da3b00] -> #26 io_loop_run[0x7f1a33da3cd0] -> #27 master_service_run[0x7f1a33d14180] -> #28 main[0x560714f8ca00] -> #29 __libc_init_first[0x7f1a33ac51d0] -> #30 __libc_start_main[0x7f1a33ac5280] -> #31 _start[0x560714f8d000]

I realize this is a slightly old version of dovecot but this is what's in debian's stable package repository. I see 2.3.21+dfsg1-2 in testing and 2.3.21+dfsg1-3 in unstable. I really try to avoid installing this on production.

I didn't recently change anything in my configs on the server.

I did start recently using 'eM Client' on Windows a couple days ago, could that have caused this?

Mail seems to continue to come in to my imap clients, but these errors in the log are worrying!

Michael Grant
Re: Auth USER lookup failed
> On 02/05/2024 10:17 PM MST thecou...@gmail.com wrote:
>
> I have dovecot working with PAM and Samba DC authentication for IMAP. However
> when I'm attempting to pass emails from postfix via LMTP
> I don't actually need to authenticate LMTP I'm happy to check for valid users
> upstream.
>
> I'm getting the error:
> Feb 06 15:11:39 Debian-server postfix/local[178200]: ADF0E78713C: passing
> to transport=lmtp
> Feb 06 15:11:39 Debian-server dovecot[178075]: auth: Error:
> static(dom.username): passdb doesn't support lookups, can't verify user's
> existence
> Feb 06 15:11:39 Debian-server dovecot[178075]:
> lmtp(dom.usern...@debian-server.sr.local)<178233>:
> Error: auth-master: userdb lookup(dom.usern...@debian-server.sr.local): Auth
> USER lookup failed

You need to define a userdb to return user information. Since LMTP doesn't require auth, it can't use the passdb so that's what the error message is saying.

michael
Re: submission_add_received_header option?
For the record, you should never 'hide' the connecting IP, that information is very valuable for all abuse handling, and so you can quickly see when someone reports spam from your network, who is abusing it.. the whole privacy vs security debates aside please..

And it also allows other spam protections to better act on it, eg if the IP is on a DROP rbl, or an auth RBL like RATS-AUTH, etc..

A lot of information can be gathered on the actor behind BEC if the authenticating IP is part of that data..

And given that much of the world uses a NAT connection, it's not like the IP is really PPI.. There is a lot more PPI being gathered from other parts of the email.

On 2024-02-02 10:25, Ellie McNeill wrote:
> Hi,
>
> I've recently upgraded my mail server from Debian 11 to Debian 12. It now runs dovecot 2.3.19.1 (verified with dovecot --version).
>
> According to the "Dovecot Core Settings" page, a new setting 'submission_add_received_header' was added in dovecot 2.3.19 to give admins the option of hiding the IP of the sending client when using dovecot's submissiond:
>
> https://doc.dovecot.org/3.0/settings/core/
>
> However, when I place this option in my config, dovecot refuses to start and says that the option is not recognised:
>
> doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/20-submission.conf line 92: Unknown setting: submission_add_received_header
>
> Can anyone help me with this?
>
> Ellie
RE: Please do not remove replication
I keep seeing this come up over and over. My understanding is it's not getting removed, it's just moving to the paid version of Dovecot. What is the cost for a small user license of dovecot that includes replication anyway? Is the price that outrageous?
Re: Please do not remove replication
On 2024-01-24 16:35, Steven Varco wrote:
> Although I'm also a very happy dovecot replication user, I don't think this decision will be reverted, sadly.
>
> However, despite of messing with NFS, I will try setting up a three-node GlusterFS Cluster to give redundant storage to dovecot as mail store and hope it performs well enough…
>
> Has anyone else such a setup (or alternatively with Ceph) in production?
>
> Steven

Seen some Gluster backends blow up spectacularly.. Always say.. keep it simple.

Ever thought of NFS backend, and let the NetApp do the job? Scales well, and haven't seen one go down in production yet.. knock on wood.. and the costs have really dropped.
Re: lda or lmtp for sieve?
On 2024-01-21 09:29, Michael Peddemors wrote:
> On 2024-01-21 04:43, Patrick Domack via dovecot wrote:
>> Quoting Benny Pedersen :
>>> Christian Kivalo wrote on 2024-01-21 02:08:
>>>>> Just wish LMTP would not end up with duplicate Return-Path headers..
>>>>
>>>> Duplicate return path headers? I don't see them on my system. All mail
>>>> is sent from postfix to dovecot with lmtp
>>>
>>> it simply works better with lda ? :)
>>>
>>> return-path is std postfix envelope sender pseudo header, bugs ?
>>
>> it's not a pseudo header, it is defined starting in rfc-822, as to be
>> added at time of delivery. The LDA should add it, postfix lda adds it
>> (virtual/local) and dovecots do also (lda/lmtp)
>>
>> I have used most postfix versions from 2.1 to 3.8 and dovecot lda and
>> lmtp and have never seen duplicate headers
>
> Maybe it is just a Zimbra thing.. but we definitely see this occurring in
> the wild.. Maybe just poor configuration, but of course as per RFC, to be
> clear, is only supposed to be added by the 'final' delivery mechanism.
>
> So, the logic that implies duplicate Return-Path either indicates a broken
> system, looping issue, or email replay fails in those situations.
>
> Postfix adds...
>
> Return-path:
> Envelope-to:
> Delivery-date: Fri, 06 Oct 2023 08:56:07 -0300
>
> After which it gets handled by lmtp, which adds the following..
>
> Return-Path:
> Delivered-To:
> Received: from by with LMTP id CMvDLNf1H2UcHQAAJRWI5g (envelope-from ) for ; Fri, 06 Oct 2023 08:56:07 -0300
>
> I guess this is a double issue, postfix should know that in this case, it
> is not the final delivery, lmtp is.. and lmtp should probably either remove
> the previous Return-Path, or copy that to a new header.. since it was not
> supposed to be there (but that has ramifications too).

Also just observed in DirectAdmin, Exim->LMTP as well, but since this is a bit off topic for this list, just mentioning it quickly..

Return-Path:
Delivered-To: re...@recipdomain.com
Received: from by with LMTP id IdtjNTOesWWKyQUA9oBGDw (envelope-from ) for ; Wed, 24 Jan 2024 15:33:07 -0800
Return-path:
Envelope-to: re...@recipdomain.com
Delivery-date: Wed, 24 Jan 2024 15:33:07 -0800
Received: from mail.remote.com ([REMOTE_IP]) by with esmtp (Exim 4.97.1) (envelope-from ) id 1rSmjz-0001amd-3RDT for re...@recipdomain.com; Wed, 24 Jan 2024 15:33:07 -0800
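An added example, not code from this thread, for the duplicate Return-Path symptom described in Michael Peddemors's two mails above: a header walk that counts Return-Path fields (case-insensitively, since the two agents spell the name differently) and LMTP Received hops, plus a normaliser of the kind he suggests, which keeps the topmost Return-Path added by the final delivery agent and renames earlier copies. The message is constructed to mirror the header order he describes, and X-Original-Return-Path is a header name chosen for this example, not something either MTA emits.

```python
# Constructed message mirroring the header order described in the thread:
# Postfix's local delivery stamped Return-path/Envelope-to/Delivery-date,
# then LMTP prepended its own Return-Path/Delivered-To/Received on top.
SAMPLE = b"""\
Return-Path: <sender@example.invalid>
Delivered-To: recipient@example.invalid
Received: from mx.example.invalid by mail.example.invalid with LMTP
\tid CONSTRUCTEDID (envelope-from <sender@example.invalid>)
\tfor <recipient@example.invalid>; Fri, 06 Oct 2023 08:56:07 -0300
Return-path: <sender@example.invalid>
Envelope-to: recipient@example.invalid
Delivery-date: Fri, 06 Oct 2023 08:56:07 -0300
From: sender@example.invalid
To: recipient@example.invalid
Subject: constructed test message

body text
"""


def header_fields(raw):
    """Unfold the header block into (name, value) pairs in wire order."""
    head = raw.partition(b"\n\n")[0].decode("utf-8", "replace")
    fields = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and fields:      # folded continuation line
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields


def return_path_report(raw):
    """Return-Path values, number of LMTP hops, and whether Return-Path is duplicated."""
    fields = header_fields(raw)
    paths = [v for n, v in fields if n.lower() == "return-path"]
    lmtp = [v for n, v in fields if n.lower() == "received" and "with LMTP" in v]
    return {"return_paths": paths, "lmtp_hops": len(lmtp), "duplicate": len(paths) > 1}


def keep_final_return_path(raw):
    """Keep the topmost Return-Path (the one the final delivery agent added)
    and rename every earlier copy to X-Original-Return-Path, a header name
    chosen for this example. Folded continuation lines pass through as-is."""
    head, sep, body = raw.partition(b"\n\n")
    out, seen = [], 0
    for line in head.decode("utf-8", "replace").split("\n"):
        if line[:1] not in (" ", "\t"):
            name, _, rest = line.partition(":")
            if name.strip().lower() == "return-path":
                seen += 1
                if seen > 1:
                    line = "X-Original-Return-Path:" + rest
        out.append(line)
    return "\n".join(out).encode("utf-8") + sep + body


if __name__ == "__main__":
    # e.g.: python3 return_path_check.py < message.eml
    import sys
    raw = sys.stdin.buffer.read() if not sys.stdin.isatty() else SAMPLE
    print(return_path_report(raw))
```

A message with more than one Return-Path but only one LMTP hop points at the hand-off Michael describes (an upstream local delivery stamping the message before LMTP); one with several LMTP hops is the looping case worth investigating first.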
Re: "Connection reset by peer" errors with Outlook
On Mon, Jan 22, 2024 at 04:28:09PM -0500, Steve Dondley via dovecot wrote:
> OK, I was chasing log ghosts. What was actually going on was fail2ban was
> kicking on for users and banning them for 10 min.
>
> I have no idea what is triggering it for so many different users from legit
> email addresses. Still investigating. But this appears to be a fail2ban
> problem, not a dovecot problem.

Oh you have my sympathies.

fail2ban-client banned ipaddr

Get the ip addr of your users and see if they're banned like this. Then use fail2ban-client unban.

I can't tell you how often this happens to me. What happens is users have phones and laptops and they then add a tablet and want their email on it so they end up messing up their password on their tablet, or worse, resetting their password in order to get mail on their tablet and then it screws up the other devices and it's an absolute nightmare to continually debug.

It happens to multiple users who are at the same address, as in, my parents because they're all behind the same address in the router.

It happens to multiple people who use New Outlook which insists on sucking all the mail into Microsoft's servers and then one user bans a swatch of addrs of those servers and random things break everywhere. I ended up whitelisting all of microsoft's mail servers in my jail.local:

40.80.0.0/12
40.74.0.0/15
40.120.0.0/14
40.125.0.0/17
40.76.0.0/14
40.96.0.0/12
40.124.0.0/16
40.112.0.0/13

Hope this helps. I have been there so many times and it's a regular occurrence in my tech life chasing these ghosts.

Michael Grant
Re: lda or lmtp for sieve?
On 2024-01-21 04:43, Patrick Domack via dovecot wrote:
> Quoting Benny Pedersen :
>> Christian Kivalo wrote on 2024-01-21 02:08:
>>>> Just wish LMTP would not end up with duplicate Return-Path headers..
>>>
>>> Duplicate return path headers? I don't see them on my system. All mail
>>> is sent from postfix to dovecot with lmtp
>>
>> it simply works better with lda ? :)
>>
>> return-path is std postfix envelope sender pseudo header, bugs ?
>
> it's not a pseudo header, it is defined starting in rfc-822, as to be
> added at time of delivery. The LDA should add it, postfix lda adds it
> (virtual/local) and dovecots do also (lda/lmtp)
>
> I have used most postfix versions from 2.1 to 3.8 and dovecot lda and
> lmtp and have never seen duplicate headers

Maybe it is just a Zimbra thing.. but we definitely see this occurring in the wild.. Maybe just poor configuration, but of course as per RFC, to be clear, is only supposed to be added by the 'final' delivery mechanism.

So, the logic that implies duplicate Return-Path either indicates a broken system, looping issue, or email replay fails in those situations.

Postfix adds...

Return-path:
Envelope-to:
Delivery-date: Fri, 06 Oct 2023 08:56:07 -0300

After which it gets handled by lmtp, which adds the following..

Return-Path:
Delivered-To:
Received: from by with LMTP id CMvDLNf1H2UcHQAAJRWI5g (envelope-from ) for ; Fri, 06 Oct 2023 08:56:07 -0300

I guess this is a double issue, postfix should know that in this case, it is not the final delivery, lmtp is.. and lmtp should probably either remove the previous Return-Path, or copy that to a new header.. since it was not supposed to be there (but that has ramifications too).
Re: lda or lmtp for sieve?
On 2024-01-19 16:12, Peter wrote:
> On 20/01/24 12:28, Joe Acquisto wrote:
>> I noticed that many places in the documentation and in examples gleaned from the wilderness, refer to the LDA protocol when discussing sieve. The documentation also mentions that lmtp is preferred over lda, and seems to say in places that sieve will operate without issue in either case.
>>
>> Does it matter to sieve implementation if one uses only lmtp?
>
> LDA is older, think of LMTP as a more modern replacement. LDA has to launch a separate process and process one message at a time. LMTP maintains a running service and can stream multiple messages in a single connection, therefore LMTP is a lot more efficient.
>
> You will see a lot of bad advice on the internet, or old outdated advice. Tutorials that use LDA are an example of old, outdated advice.
>
> Sieve itself doesn't care which one you use, but there are other reasons to prefer LMTP.

Just wish LMTP would not end up with duplicate Return-Path headers..
Re: ARM support
14.01.2024 18:39, Benny Pedersen:
> dovecot developers do a repo, but debian maintainers could help arm64 precompiled problem solving, why not ask ?

Well, debian doesn't work like that. But once the package is in debian, you can ship either the dockerfile or whole image using just the debian components without any extra repository.

/mjt
Re: ARM support
14.01.2024 17:46, peter+dovecot--- via dovecot:
> Isn't https://github.com/dovecot/docker the source for the official docker images?

Docker images of dovecot, most likely yes (I don't know).

/mjt
Re: ARM support
14.01.2024 12:46, peter+dovecot--- via dovecot :
> It would be fantastic if dovecot could release arm64 debian packages to the community repo, as it would allow fixing a lot of downstream problems:

Shouldn't debian packaging be part of debian, not dovecot? Quite often (but definitely not always), upstream does not know how to package for a given distribution, and the resulting packages become quite a bit messy. I'd expect debian to prepare current packages of dovecot (for all architectures it supports), not dovecot itself...

/mjt
Re: 2 users who are the same user
>> Error: Mailbox INBOX: Sync failed for mbox: UID inserted in the middle of
>> mailbox (4315358 > 4312144, seq=1, idx_msgs=3212)
>
> Maildir to the rescue?
>
> https://doc.dovecot.org/admin_manual/known_issues/mbox_problems/

I really want to migrate to maildir. Is it possible for me to migrate one user at a time? I want to get it working for just me first and then slowly move people over. Oddly, I am the only one who has this weird setup which is causing this error. If maildir can fix this and leave it as 2 users (both me!) accessing the same maildir, then that's great.

I see how to override to use maildir for the user in the users file, but not for a user in the system /etc/passwd file.
Re: 2 users who are the same user
> Do these two share a single user ID, or do they use separate IDs? Think
> about file/directory ownership and permissions. If user IDs 123 and 234
> attempt use the same directory, things will break. User 123 should not
> be able to delete a file owned by user 234, for example.

yes, same UID/GID because they are in fact the same user. What I was hoping to do was to either tell dovecot they are in fact the same or mask one of them so dovecot ignored one. I guess that's not possible?

> Perhaps have a look at your setup, and verify that you are matching
> multiple logins to a single OS user ID only. For example, you can use
> LDAP login to map an arbitrary login name to a given UID. This works
> nicely with Dovecot.

I am trying to keep things simple. I would rather drop support for the system /etc/passwd file and move every user into the dovecot users file before moving to ldap. My setup would not warrant that. Dave McGuire had a similar idea of using an SQL stored proc which also probably would have worked but just too complicated for what I'm doing.
2 users who are the same user
I have been using system users (/etc/passwd). I recently started using, in addition, passwd-file with a separate dovecot password database so that I could have user@domainname users with a different password than their shell login password. This means I have dovecot authenticating on users in both /etc/passwd and /etc/dovecot/users.

If I have a user in /etc/passwd, for example 'joe' and a user in /etc/dovecot/users, j...@example.org, and both of these users are in fact the same user but different password. They use the same inbox and the same mail files. Dovecot does not seem to like this very much. I am seeing many errors like this:

Error: Mailbox INBOX: Sync failed for mbox: UID inserted in the middle of mailbox (4315358 > 4312144, seq=1, idx_msgs=3212)

I think I'm causing this by having 2 users that are in fact the same user and dovecot is stepping on itself.

Is it possible to tell Dovecot that these 2 users are in fact the same, as in like an alias user? Or is it possible to tell dovecot not to process mail for say for 'joe' the system user?

Michael Grant
Re: Avoiding POODLE vulnerability
On Sun, 2023-11-19 at 18:28 -0500, Steve Litt wrote:
>
> doveconf -d shows that I have no such config key as ssl_protocols, my
> ssl_min_protocol is TLSv1.2, and the default ssl_cipher_list is the
> following huge string:
>
> ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
>
> Is the preceding the safest and most bug free, or should I modify it in
> dovecot.conf?
>

That's the dovecot default and it's reasonably safe. If you're the only user, you can play around with it and watch the logs to see if it changes the cipher that your mail client negotiates... but otherwise you're more likely to create obscure problems than you are to improve anything.

The string above is intended to enable all ciphers and then blacklist the weak ones. A few are excluded by name, but most are excluded via the LOW and EXPORT groups. (Newer versions of OpenSSL once again do this for you; man openssl-ciphers tells me that LOW, EXPORT, kDHd, and DES have all been removed as of openssl-1.1.0.)

You could try to improve this by excluding (say) the MEDIUM group, but you risk breaking clients. The list above ends with @STRENGTH to prefer stronger ciphers. That means that if you have any clients connecting with a MEDIUM strength cipher, it's because they can't use anything better -- disabling MEDIUM will cause problems.
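Added example, not from the thread: rather than reading the cipher string by eye, ask the OpenSSL you actually run through Python's ssl module what Dovecot's default enables. The checks mirror the reasoning in the reply above (the named weak families are gone, @STRENGTH leaves the list sorted strongest first, !kRSA leaves only forward-secret (EC)DHE suites), minimum_version plays the role of the ssl_min_protocol = TLSv1.2 quoted in the thread, and removed_by() shows what appending !MEDIUM would take away on your machine before you try it on a server. The function names and the weak-name fragment list are this example's own.

```python
import ssl

# Dovecot's default ssl_cipher_list as quoted in the thread above.
DOVECOT_DEFAULT = ("ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:"
                   "!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH")
# Name fragments the exclusions above are meant to keep out (chosen for this example).
WEAK_FRAGMENTS = ("RC4", "DES", "MD5", "NULL", "ADH", "AECDH", "PSK", "SRP", "DSS")


def resolve_ciphers(cipher_list, min_version=ssl.TLSVersion.TLSv1_2):
    """Ask the local OpenSSL which TLS 1.2-and-earlier suites a cipher string enables.
    min_version stands in for Dovecot's ssl_min_protocol."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = min_version
    ctx.set_ciphers(cipher_list)            # raises SSLError if nothing would be left
    # TLS 1.3 suites are configured separately and are not governed by this string.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def weak_ciphers(ciphers):
    """Suites that slipped through: a banned family in the name, or under 128 bits."""
    return [c["name"] for c in ciphers
            if any(f in c["name"] for f in WEAK_FRAGMENTS) or c["strength_bits"] < 128]


def is_strength_ordered(ciphers):
    """@STRENGTH should leave the list sorted by key strength, strongest first."""
    bits = [c["strength_bits"] for c in ciphers]
    return all(a >= b for a, b in zip(bits, bits[1:]))


def all_forward_secret(ciphers):
    """!kRSA (plus !ADH/!aNULL/!PSK/!SRP) leaves only ECDHE- and DHE- key exchange."""
    return all(c["name"].startswith(("ECDHE-", "DHE-")) for c in ciphers)


def removed_by(base, stricter):
    """Suite names enabled by `base` but gone under `stricter`: what clients would lose."""
    keep = {c["name"] for c in resolve_ciphers(stricter)}
    return sorted(c["name"] for c in resolve_ciphers(base) if c["name"] not in keep)


if __name__ == "__main__":
    suites = resolve_ciphers(DOVECOT_DEFAULT)
    print(f"{len(suites)} TLS<=1.2 suites enabled; weak leftovers: {weak_ciphers(suites)}")
    print("strength-ordered:", is_strength_ordered(suites),
          "forward-secret only:", all_forward_secret(suites))
    no_medium = DOVECOT_DEFAULT.replace("@STRENGTH", ":!MEDIUM@STRENGTH")
    print("adding !MEDIUM would drop:", removed_by(DOVECOT_DEFAULT, no_medium))
```

The result depends on the OpenSSL build Python links against, which is the point: the same string means different things on different hosts, and the removed_by() output is the list to check against your clients' logged cipher before tightening ssl_cipher_list.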
passdb doesn't support credential lookups
I'm having trouble authenticating certain users. I see this in the logs:

Nov 19 16:26:40 auth: Debug: pam(jane,192.168.2.83,<...>): Performing passdb lookup
Nov 19 16:26:40 auth: Debug: pam(jane,192.168.2.83,<...>): passdb doesn't support credential lookups
Nov 19 16:26:40 auth: Debug: pam(jane,192.168.2.83,<...>): Finished passdb lookup

At the command line, if I run this:

% doveadm auth login jane
Password:
passdb: jane auth succeeded

Oddly, I have a handful of users that are failing and others that are not and I don't see the difference.
Re: Avoiding POODLE vulnerability
On Sun, 2023-11-19 at 15:33 -0500, Steve Litt wrote:
> Thanks Bernardo,
>
> I use Void Linux, not Debian. Is there a command that tells me the
> defaults?

The one I typed :) The doveconf command has a few flags that control what settings are displayed, and "-d" tells it to show the defaults as opposed to what is currently in use.
Re: Avoiding POODLE vulnerability
On Sat, 2023-11-18 at 16:54 -0500, Steve Litt wrote:
> I forgot to say: I'm using Dovecot 2.3.21 on an up to date 64 bit
> x86_64 Void Linux computer using runit for its init system. I populate
> Dovecot's Maildir via fetchmail and procmail.

You probably don't have to do anything. SSLv2 and SSLv3 have been disabled by default in OpenSSL for a while, and my dovecot default is,

# doveconf -d | grep ssl_min_protocol
ssl_min_protocol = TLSv1.2
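The three replies in this POODLE thread boil down to two checks: ssl_min_protocol must not admit SSLv3, and a cipher list that starts from a broad group must carry the exclusions the Dovecot default carries (and @STRENGTH to order the weak ones last). As an added example, not code from the list or from Dovecot, here is a small audit that runs those checks over `doveconf` output. The two doveconf extracts are constructed; the setting names are real Dovecot 2.3 names, and the exclusion set is exactly the one in the default string quoted above.

```python
"""Audit the SSL/TLS settings in a `doveconf` dump for POODLE-era weaknesses.

Added example for the thread above; it is not Dovecot code or the posters'.
The doveconf output samples are constructed; the setting names (ssl,
ssl_min_protocol, ssl_cipher_list, ssl_protocols) are real Dovecot 2.3 names.
"""
import re

# Protocol versions in ascending order of strength, spelled as
# ssl_min_protocol accepts them.
PROTOCOL_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
MINIMUM_ACCEPTABLE = "TLSv1.2"

# Tokens a cipher list that starts from a broad group (ALL, COMPLEMENTOFDEFAULT)
# should explicitly blacklist. These are the exclusions the Dovecot default
# string quoted in the thread carries; LOW/EXPORT/DES are no-ops on
# OpenSSL >= 1.1.0 but cost nothing to keep for older builds.
REQUIRED_EXCLUSIONS = {"aNULL", "eNULL", "EXPORT", "LOW", "MD5", "RC4", "DES", "3DES"}

# Constructed `doveconf -n` extract matching the defaults quoted in the thread.
SAMPLE_OK = """\
# constructed sample, SSL lines only
ssl = required
ssl_min_protocol = TLSv1.2
ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
"""

# Constructed sample of a hand-edited config that re-enables old protocols.
SAMPLE_WEAK = """\
# constructed sample
ssl = yes
ssl_protocols = !SSLv2
ssl_min_protocol = SSLv3
ssl_cipher_list = ALL:!aNULL
"""


def parse_doveconf(text):
    """Return top-level `key = value` pairs; comments and section lines are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)", line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings


def parse_cipher_list(cipher_list):
    """Split an OpenSSL cipher string into (enabled, excluded, directives).

    `!X` and `-X` both remove X. `@STRENGTH` is a directive; OpenSSL accepts it
    glued to the previous token (as in Dovecot's default `...:!LOW@STRENGTH`).
    """
    enabled, excluded, directives = [], set(), []
    for raw in cipher_list.split(":"):
        token, _, directive = raw.partition("@")
        if directive:
            directives.append(directive)
        if not token:
            continue
        if token[0] in "!-":
            excluded.add(token[1:])
        else:
            enabled.append(token.lstrip("+"))
    return enabled, excluded, directives


def audit_ssl(settings):
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    if settings.get("ssl", "no") == "no":
        findings.append("ssl is disabled")
    if "ssl_protocols" in settings:
        findings.append("ssl_protocols is the pre-2.3 setting; use ssl_min_protocol")
    min_proto = settings.get("ssl_min_protocol")
    if min_proto is None:
        findings.append("ssl_min_protocol not set explicitly; check `doveconf -d` for the built-in default")
    elif min_proto not in PROTOCOL_ORDER:
        findings.append(f"unrecognised ssl_min_protocol {min_proto!r}")
    elif PROTOCOL_ORDER.index(min_proto) < PROTOCOL_ORDER.index(MINIMUM_ACCEPTABLE):
        findings.append(f"ssl_min_protocol = {min_proto} is below {MINIMUM_ACCEPTABLE} (SSLv3 is the POODLE case)")
    cipher_list = settings.get("ssl_cipher_list")
    if cipher_list:
        enabled, excluded, directives = parse_cipher_list(cipher_list)
        if any(group in ("ALL", "COMPLEMENTOFDEFAULT") for group in enabled):
            missing = sorted(REQUIRED_EXCLUSIONS - excluded)
            if missing:
                findings.append("broad cipher group without exclusions for: " + ", ".join(missing))
        if "STRENGTH" not in directives:
            findings.append("cipher list lacks @STRENGTH, so weaker ciphers are not ordered last")
    return findings


if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("weak", SAMPLE_WEAK)):
        print(name, audit_ssl(parse_doveconf(sample)) or ["no findings"])
```

Feed it `doveconf -n` to audit what is configured, or `doveconf -d` to see what the build's defaults would give you; the "ok" sample (the defaults Steve pasted) produces no findings, the "weak" one produces four.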
Re: Geofencing
On 2023-11-17 02:18, Nick Lockheart wrote:
> My original reason for asking was, in addition to setting up a new mail
> server, there was a topic that came up about port scanning. My thought
> was, if the only people that need email services on ports 587 and 993
> are employees, there might be a way to close down access to those ports
> to reasonable ranges that employees might actually use.

However, for most people, not really worth the time to re-invent the wheel, but most people pay attention to spam tools and filters, but don't consider tools for testing authentication sources..

As a commercial provider, don't mind passing on 'tips'.. but it is a multi-tiered approach. One that is often easier dealt with by commercial products, public RBLs etc, designed for authentication restrictions, but the ONLY real way to deal with AUTH attacks is 2FA of some sort..

But other than that, there are two things you are trying to address. Bots & Hackers..

Bot traffic will 'probably' not bother someone with good password policies, unless of course you allow clients to send passwords in plain text, or a case of password re-use.. Still, you can address 'overhead', and the less you have in the logs, the easier it is to see real threats.

Country AUTH restrictions ARE simple, and there ARE some countries that your clients will never travel to.. but this won't stop hackers that simply use VPN/Proxies/Compromised Servers to access your accounts. This applies to 465/587 as well as Dovecot AUTH mechanisms.

Rate Limiters of course are ALWAYS important.. However, you have to realize that IP rate limiters CAN cause problems when trying to deal with CGNs, shared IPs, etc..

And of course, as someone else pointed out, your 'clients' usually use carrier networks to access email, NOT cloud providers. Hackers LOVE using the cloud, eg Amazon, gCloud, Azure for their attacks, but your clients don't come from there.. so block those IP spaces by default, but allow an override in case there is a real reason to access email from there (desktop in a cloud?, data monitoring scripts, SaaS which monitors your mailbox?)

And what about the other clouds.. Hackers are often getting VPSs strictly for hacking purposes, or to put up open proxies to get around country blocking.. (or hacking servers for that purpose) Should any of your clients need to log in from an OVH or Digital Ocean or ColoCrossing IP?

But as you can see, this starts to become a lot of work to consider all the risk factors, and we all have too many things to do.. Consider looking at tools that do this for you, unless you want to make a hobby out of looking at AUTH logs..

As well, there are several RBLs out there strictly monitoring hacking sources, including one of our own partners.. SpamRats RATS-AUTH and RATS-NULL... Many of these are free to use, and either update regularly, or are available as realtime RBLs.. Our spam auditors.. it's amazing how often they see the same IPs used in email compromises all over the world.. make sure that you clearly show the IP address in your Received headers as well, it will help others help you..

Received: from [10.NNN.NNN.NNN] (unknown [37.NNN.NNN.NNN]) by youserver.com (Postfix) with ESMTPSA

But of course, again.. off topic.. but hackers OFTEN will eavesdrop on your customers' IMAP accounts just to steal data, way before they start abusing it for sending spam.. IMAP authentication, and BEC (Business Email Compromise) in general are some of our biggest threats, so all users of dovecot have a role to play in securing access.. but again... Transparent 2FA first and foremost ;)

Again, hoping more of our patches for Dovecot 2FA ClientID make the light of day, and we are willing to work with anyone to help make that happen for ANY platform..

--
"Catch the Magic of Linux..."
--------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended solely for the use of the individual or entity to which they are addressed. Please note that any views or opinions presented in this email are solely those of the author and are not intended to represent those of the company.
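The post above describes three controls a mail operator can apply from the login side: deny logins from hosting/cloud ranges by default, allow a per-user override for the legitimate exceptions, and watch failed-auth counts per source IP for rate limiting. As an added example, not code from the list or from LinuxMagic, here is that policy applied to Dovecot imap-login log lines. The network ranges are RFC 5737/3849 documentation prefixes standing in for real hosting ranges, and the users and log lines are constructed; a deployment would load the ranges from a maintained list or an RBL.

```python
"""Source-network policy for mail logins, with per-user overrides and a
failed-auth counter per IP.

Added example for the discussion above; it is not code from the list or from
LinuxMagic. The network ranges, users and log lines are constructed (the
ranges are RFC 5737/3849 documentation prefixes standing in for hosting
ranges); the log format follows Dovecot's imap-login lines.
"""
import ipaddress
import re
from collections import Counter

# Constructed stand-ins for hosting/cloud prefixes that real clients are not
# expected to log in from. A deployment would load a maintained list or an RBL.
BLOCKED_NETWORKS = {
    "hosting-a": ipaddress.ip_network("203.0.113.0/24"),
    "hosting-b": ipaddress.ip_network("2001:db8:ffff::/48"),
}

# Users allowed to log in from a named blocked range (the "override" the
# post mentions, e.g. a monitoring script that runs on a VPS).
OVERRIDES = {
    "monitor@example.org": {"hosting-a"},
}

# Failed logins from one IP before it is flagged for rate limiting.
FAIL_THRESHOLD = 5

# Matches both a successful login and an auth-failed disconnect, capturing
# the user and the remote IP (rip=) that Dovecot logs.
LOGIN_RE = re.compile(
    r"imap-login: (?P<kind>Login|Disconnected \(auth failed[^)]*\)): "
    r"user=<(?P<user>[^>]*)>.*?\brip=(?P<rip>[0-9a-fA-F.:]+)"
)


def classify_ip(ip):
    """Name of the blocked network containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in BLOCKED_NETWORKS.items():
        if addr.version == net.version and addr in net:
            return name
    return None


def decide(user, ip):
    """'allow', 'allow-override' or 'deny:<network>' for one login."""
    net = classify_ip(ip)
    if net is None:
        return "allow"
    if net in OVERRIDES.get(user, set()):
        return "allow-override"
    return f"deny:{net}"


def review_log(lines):
    """Apply the policy to successful logins and count auth failures per IP.

    Returns (decisions, flagged): decisions is a list of (user, ip, verdict)
    for each Login line; flagged is the set of IPs at or above FAIL_THRESHOLD.
    """
    decisions = []
    failures = Counter()
    for line in lines:
        m = LOGIN_RE.search(line)
        if not m:
            continue
        user, ip = m.group("user"), m.group("rip")
        if m.group("kind") == "Login":
            decisions.append((user, ip, decide(user, ip)))
        else:
            failures[ip] += 1
    flagged = {ip for ip, n in failures.items() if n >= FAIL_THRESHOLD}
    return decisions, flagged


# Constructed sample log: three logins and six failures from one IPv6 source.
SAMPLE_LOG = [
    "Nov 17 02:18:01 mail dovecot: imap-login: Login: user=<alice@example.org>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS",
    "Nov 17 02:18:05 mail dovecot: imap-login: Login: user=<monitor@example.org>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.10, TLS",
    "Nov 17 02:18:09 mail dovecot: imap-login: Login: user=<bob@example.org>, method=PLAIN, rip=203.0.113.50, lip=192.0.2.10, TLS",
] + [
    f"Nov 17 02:19:{s:02d} mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): "
    "user=<carol@example.org>, method=PLAIN, rip=2001:db8:ffff::1, lip=192.0.2.10, TLS"
    for s in range(10, 16)
]

if __name__ == "__main__":
    verdicts, flagged = review_log(SAMPLE_LOG)
    for user, ip, verdict in verdicts:
        print(f"{verdict:18} {user} from {ip}")
    print("rate-limit candidates:", sorted(flagged))
```

The verdicts are advisory here (a reviewer's view over the log); enforcing them in front of Dovecot is a separate step, and the post's caveat about CGN and shared IPs applies to the failure counter, which is why it only flags sources rather than blocking them.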
Anyone Watching Actvity from this network? Attempting Dovecot Buffer Overflows?
There is a network claiming to be a security company, however the activity appears to be a little more malicious, and appears to be attempting buffer overflows against POP-SSL services.. (and other attacks).

https://www.abuseipdb.com/check/104.156.155.21

Just thought it would be worth mentioning, you might want to keep an eye out for traffic from this company... Might want to make up your own mind, or maybe someone has more information, but enough of a red flag that I thought it warranted posting on the list.

Not sure yet if it is Dovecot, or the SSL libraries they are attempting to break, but using a variety of SSL/TLS methods and connections...

Anyone with more information?

NetRange: 104.156.155.0 - 104.156.155.255
CIDR: 104.156.155.0/24
NetName: ACDRESEARCH
NetHandle: NET-104-156-155-0-1
Parent: NET104 (NET-104-0-0-0-0)
NetType: Direct Allocation
OriginAS:
Organization: Academy of Internet Research Limited Liability Company (AIRLL)
RegDate: 2022-01-07
Updated: 2022-01-07
Ref: https://rdap.arin.net/registry/ip/104.156.155.0

OrgName: Academy of Internet Research Limited Liability Company
OrgId: AIRLL
Address: #A1- 5436
Address: 1110 Nuuanu Ave
City: Honolulu
StateProv: HI
PostalCode: 96817
Country: US
RegDate: 2021-10-15
Updated: 2022-11-06
Ref: https://rdap.arin.net/registry/entity/AIRLL

--
Michael Peddemors, President/CEO LinuxMagic Inc.
Re: mail boxes on net mounted filesystem with multiple Dovecots
Different opinion, we successfully use NFS in most of our large scale deployments of MagicMail, with little or no issues, but you do have to have a proper NFS server. You can never go wrong with NetApp, and they aren't that expensive any more.. have deployments working like that for almost 20 years..

On 11/6/23 07:25, Paul Kudla wrote:
> Ok (My Opinion Only)
>
> NFS in general does not work well on active servers, although dovecot allows for various locking mechanisms they do generally trip over each other.
>
> This occurs on NFS mounts using a single server and just goes downhill from there if you have 2 servers talking to the same NFS file mount.
>
> Simply put it's a crap shoot what will work and when
>
> I know this is a touchy subject but this is what replication was used for and works well between 2 or more servers updating email boxes in real time
>
> It does require a proper database (MySql or Postgresql) and preferably a dedicated private network between the two mail servers running dovecot.
>
> I tried everything noted in this post and it just does not work.
>
> Have A Happy Monday !!!
>
> Thanks - Paul Kudla (Manager SCOM.CA Internet Services Inc.)
> Scom.ca Internet Services <http://www.scom.ca>
> 004-1009 Byron Street South
> Whitby, Ontario - Canada L1N 4S3
> Toronto 416.642.7266
> Main 1.866.411.7266
> Fax 1.888.892.7266
> Email p...@scom.ca
>
> On 11/6/2023 9:54 AM, Aki Tuomi via dovecot wrote:
>> On 06/11/2023 16:48 EET lejeczek via dovecot wrote:
>>> Hi guys.
>>>
>>> I see that with mailboxes stored on a network mount-point and more than one box with Dovecot using such a mailbox, Dovecots step on each others' toes.
>>> ...
>>> lmtp(minem...@lemko.xyz)<2674357>: Error: lmtp-server: conn unix:pid=2600068,uid=89 [2]: rcpt minemail@my.private: Mailbox INBOX: Corrupted transaction log file /VMAIL/my.private/minemail/dovecot.index.log seq 4: ext intro: name_size too large (sync_offset=6368)
>>> ...
>>> Above happened if the same one user was having mail delivered on two Postfix+Dovecot servers at the same time.
>>>
>>> I hope experts who know Dovecot's internals better can tell... having such multiple node/server Dovecots "talking" to that same network mount-point but!.. only one Dovecot being active - having Postfix using it and other, however many, Dovecots only "idling" - not having Postfix using it (+ no client connections is a goal too)
>>> Would that make such multi-Dovecot setup safe & free from errors as above & any storage related ones?
>>> Or perhaps there are other ways to have many Dovecots with the same user-base, using same networked storage simultaneously?
>>>
>>> many thanks, L.
>>
>> Hi!
>>
>> See https://doc.dovecot.org/configuration_manual/nfs/
>> This applies to other shared mountpoints too.
>>
>> Aki

--
"Catch the Magic of Linux..."
Michael Peddemors, President/CEO LinuxMagic Inc.
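The NFS page Aki links is where the settings that govern Dovecot's index and lock handling on a shared mount live. As an added illustration (not from the thread, and not a copy of that page), this is the subset I would start from on a Dovecot 2.3 backend; the setting names are Dovecot's, the comments are mine, and the values are the commonly recommended ones, to be verified against the linked page for your version:

```conf
# Added example: Dovecot 2.3 settings for mailboxes on a shared NFS mount.
mmap_disable = yes          # do not mmap() index files; NFS cache coherency is not guaranteed
mail_fsync = always         # fsync after every write so other nodes see a consistent file
mail_nfs_storage = yes      # flush NFS attribute/data caches around mailbox file accesses
mail_nfs_index = yes        # the same for the index files
lock_method = fcntl         # fcntl locks are the ones the NFS server coordinates between clients
```

Even with all of these set, the documentation's underlying advice is to keep each user on one backend at a time, which is the case lejeczek's log violates: two LMTP deliveries to the same mailbox from two nodes at once. That is what the director configuration further down this page is meant to enforce.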
Re: Minimum configuration for Dovecot SASL only?
Why use Dovecot/IMAP at all for the SMTP Authentication, can't you simply go direct to your database?

On 2023-11-03 09:55, Nick Lockheart wrote:
> I have a Dovecot IMAP server and a Postfix server on separate machines.
> The user information is stored in a MariaDB database that is replicated on both servers.
>
> Postfix needs to authenticate outgoing mail against our valid user database. I believe this requires us to install a "dummy" Dovecot on the Postfix server so that Dovecot SASL can provide authentication to Postfix from the database. I think Cyrus had a standalone Cyrus-SASL package, but Dovecot doesn't?
>
> If I wanted to setup a Dovecot instance on the Postfix server just for the purposes of SMTP authentication, and not use it to handle any mail, what is the minimum configuration required to make that work?
>
> Is the dovecot-common package (Debian) enough? Or do I need the full dovecot-imap package?
>
> What protocols go in the protocols directive? Can you just make it "protocols = auth" to disable IMAP connections?

--
Michael Peddemors, President/CEO LinuxMagic Inc.
Re: Correct sizing of CPU and RAM
On 2023-10-26 05:07, DeJa Wu wrote:
> How to correctly calculate the number of CPUs and memory required for 1000 client mailboxes and beyond? Given that 30-50% of users will be constantly connected via IMAP. I looked for information and did not find any sizing in the documentation anywhere. Is there a way to calculate my required resources?

There are so many variables that it is almost impossible to calculate, eg are you using Anti-Spam technology? And what kind? Rate Limiters? et al... However, anything you can buy off the shelf nowadays will be overkill for 1000 users.. just make sure you have good RAID ;)

--
Michael Peddemors, President/CEO LinuxMagic Inc.
Re: submission server relay to localhost
I think I just figured this out myself

On Fri, Oct 20, 2023 at 09:47:28AM -0400, Michael Grant via dovecot wrote:
> How do I stop dovecot from proposing AUTH to the relay server?

submission_relay_port = 25

I was using port 587.

Michael Grant
submission server relay to localhost
I'm trying to set up dovecot-submission server which will listen on external ports 465 (SSL) and 587 (StartTLS) and relay mail to sendmail waiting on localhost port 587. I have dovecot submission listening on the external ports and sendmail listening on the localhost port.

I want dovecot-submission doing the authentication on the external ports because sendmail doesn't use the /etc/dovecot/users file.

I can authenticate to dovecot:

auth: Debug: client in: CONT
auth: Debug: passwd-file(mgr...@top.networkguild.org,217.35.29.56,): Performing passdb lookup
auth: Debug: passwd-file(mgr...@top.networkguild.org,217.35.29.56,): lookup: user=mgr...@top.networkguild.org file=/etc/dovecot/users
auth: Debug: passwd-file(mgr...@top.networkguild.org,217.35.29.56,): Finished passdb lookup
auth: Debug: auth(mgr...@top.networkguild.org,217.35.29.56,): Auth request finished
auth: Debug: client passdb out: OK 1 user=mgr...@top.networkguild.org

But in the sendmail logs, dovecot *is* trying to authenticate and it's trying to use a username that sendmail can't look up in the password file:

top sm-mta[1012721]: 39KCg8h31012721: --- 220 top.networkguild.org ESMTP Sendmail 8.17.2/8.17.2/Debian-1~bpo12+1; Fri, 20 Oct 2023 12:42:08 GMT; (No UCE/UBE) logging access from: localhost(OK)-localhost [IPv6:0:0:0:0:0:0:0:1]
top sm-mta[1012721]: 39KCg8h31012721: <-- EHLO top.networkguild.org
top sm-mta[1012721]: 39KCg8h31012721: --- 250-top.networkguild.org Hello localhost [IPv6:0:0:0:0:0:0:0:1], pleased to meet you
top sm-mta[1012721]: 39KCg8h31012721: --- 250-ENHANCEDSTATUSCODES
top sm-mta[1012721]: 39KCg8h31012721: --- 250-PIPELINING
top sm-mta[1012721]: 39KCg8h31012721: --- 250-EXPN
top sm-mta[1012721]: 39KCg8h31012721: --- 250-VERB
top sm-mta[1012721]: 39KCg8h31012721: --- 250-8BITMIME
top sm-mta[1012721]: 39KCg8h31012721: --- 250-SIZE
top sm-mta[1012721]: 39KCg8h31012721: --- 250-AUTH DIGEST-MD5 CRAM-MD5
top sm-mta[1012721]: 39KCg8h31012721: --- 250-STARTTLS
top sm-mta[1012721]: 39KCg8h31012721: --- 250-DELIVERBY
top sm-mta[1012721]: 39KCg8h31012721: --- 250 HELP
top sm-mta[1012721]: 39KCg8h31012721: <-- MAIL FROM: AUTH=mgr...@top.networkguild.org
top sm-mta[1012721]: 39KCg8h31012721: --- 530 5.7.0 Authentication required
top dovecot: submission(mgr...@top.networkguild.org)<1012719>: Error: Relay server requires authentication: 530 5.7.0 Authentication required
top dovecot: submission(mgr...@top.networkguild.org)<1012719>: Disconnected: Internal error occurred. Refer to server log for more information. (unfinished MAIL command) (state=MAIL FROM) in=41 out=121
top sm-mta[1012721]: 39KCg8h31012721: <-- QUIT

How do I stop dovecot from proposing AUTH to the relay server? Once I am authenticated via dovecot, the relay, which is only available on localhost, doesn't need to authenticate. It should be as if bin-mail is submitting to localhost.

I tried setting up a user with a password but no shell and configuring this into submission_relay_master_user and submission_relay_password but this leads to other problems. Dovecot wants to do PLAIN auth, so I then enable starttls, but then the ssl certificate doesn't match because I'm connecting to localhost, not top.networkguild.org.

So it seems clear, the relay should a) not auth, and b) not do ssl. Note that this is not an open relay, it's only open on the loopback interface.

Michael Grant
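Michael's own follow-up earlier on this page was to point the relay at port 25 instead of 587. As an added example (not from the thread or from Dovecot's documentation), this is the relay block I would write for the setup he describes, a submission service that authenticates clients itself and hands mail to an MTA reachable only on loopback; the setting names are Dovecot 2.3's submission settings, the host and port values are assumptions for this setup, and the comment on the master-user settings states my understanding, not something the thread confirms:

```conf
# Added example: dovecot-submission relaying to a loopback-only MTA.
submission_relay_host = localhost
submission_relay_port = 25     # the MTA's plain SMTP port, not its submission port (587)
submission_relay_ssl = no      # loopback link: no TLS, so no certificate-name mismatch
# submission_relay_master_user and submission_relay_password stay unset; as far as
# I know Dovecot only attempts AUTH towards the relay when a master user is configured.
```

The MTA side then has to accept unauthenticated mail from loopback on that port, which a port-25 listener normally does for localhost, whereas a port-587 submission listener, as the 530 in the log shows, demands AUTH from everyone.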
Re: The future of SIS
Aki is correct and is consistent with what I said in the video, although I could have phrased my explanation better.

"dsync" refers to the tool/utility (part of doveadm) that does mail synchronization between a source account to a destination account. As Aki said, this is not going anywhere. This is a necessary tool for any kind of migrations, for example. dsync is under active maintenance, as we heavily use this tool internally.

What is being removed is the replicator plugin (that used dsync). That's what is being referred to in the video. Replicator hasn't been actively maintained for years now so this was dead code anyway.

To answer the OP: sis is also being removed and should not be used by any new installation. Code remains to read data written by the old plug-in so that these installations don't require a migration between 2.3 and 2.4. This is another plugin that hasn't been actively maintained in years, and has all kinds of limitations that prevent it from running at scale.

Neither replicator nor sis is code that is moving from open to closed source. These plugins aren't used in Pro. They are unmaintained so they are being removed, as happens with any kind of old code.

michael

> On 10/13/2023 1:26 PM MDT Laura Smith via dovecot wrote:
>
> > FUD ?
>
> I knew someone would accuse me of that which is why I linked to the video
> from the horse's mouth, I transcribe what the speaker said:
>
> "there will be an open source version, but that open source version will be
> maintained for single server use only. we are actually taking out anything
> any actually kinda' involves multiple servers, dsync replication and err some
> other stuff. so dovecot will be a fully-featured single node server"
>
> --- Original Message ---
> On Friday, October 13th, 2023 at 19:37, Aki Tuomi wrote:
>
> > Dear Laura, please don't spread FUD that you made up.
> >
> > Dsync is not going anywhere, and we are not close-sourcing Dovecot Core.
> > There is not a trove of code going into Dovecot 3.0 that "never sees the
> > daylight".
> >
> > Thank you,
> > Aki
> >
> > > On 13/10/2023 21:10 EEST Laura Smith via dovecot dovecot@dovecot.org wrote:
> > >
> > > TL;DR If you are a Dovecot Community user, don't waste your time reading
> > > the Dovecot Pro release notes.
> > >
> > > To expand:
> > >
> > > I think you have to understand that lots of things that are going into
> > > Dovecot 3 (Pro) will never see the light of day in the community edition.
> > >
> > > In addition, Dovecot have publicly quite plainly announced in public that
> > > they are actively removing all multi-server related functionality from
> > > Dovecot Community.
> > >
> > > I don't think the community has quite yet grasped it. Things like dsync
> > > will be GONE in the community version.
> > >
> > > If you don't believe me, look at this video, about 15 minutes in:
> > > https://youtu.be/s-JYrjCKshA?feature=shared=912
> > >
> > > --- Original Message ---
> > > On Friday, October 13th, 2023 at 17:15, Sebastian Marsching
> > > sebast...@marsching.com wrote:
> > >
> > > > Hi,
> > > >
> > > > I am currently in the process of planning a new deployment of Dovecot.
> > > > I was planning to use mdbox or sdbox with "mail_attachment_fs = sis
> > > > posix", but I stumbled across the following notice in the documentation
> > > > for Dovecot 3.0
Re: spool move/rename question
On Sun, 2023-10-08 at 11:27 -0400, Dave McGuire wrote:
> We have an existing user with a lot of mail that we need to move from
> one domain to another. Our mail system is database-backed so changing
> the account is trivial, but can I just move the directory from
> the structure above from one directory to another and expect
> everything to be ok? Or is there a better approach? (of course I'll do
> a backup first)

Moving the directory works fine.

The database part can be trickier than it seems at first. Don't forget to update the aliases both to and from the renamed user. You might also need to update the databases for any webmail or caldav/carddav applications you run. And if you're using mysql, I haven't checked in a few years, but it didn't used to enforce foreign key constraints or support cascading updates, so beware that updating one table may not automatically update dependent tables.
Re: dovecot username with domain
> Heya mgrant, been a long time!

Very! Will hit you off-list.

> If you're using a database for authentication, you can do this sort of
> translation past using stored functions in MySQL. Queries look something
> like this:
>
> password_query = SELECT userid AS username, domain, password FROM mail_users
> WHERE userid = addr_to_uname('%u') AND domain =
> addr_to_domain_or_default('%u', 'domain.com') ...

Thanks, I was hoping for something less complicated. I found auth_username_format %n which drops the domain if supplied. Unfortunately my imap username isn't 'mgrant'. Probably I could make this work if there was no other way. This forces me to have my IMAP password the same as my unix password. I probably should move to virtual users for everyone on my box but that's not so easy. I was hoping there was some way I could translate individual users which would make this transition easier.
dovecot username with domain
I've been using dovecot using system usernames (my unix uname as my IMAP username). But today I tried New Outlook which requires the imap username match my email address. Is there some way to tell dovecot that username@host is the same as uname? (where username@host is an email address and uname is a unix login which might be completely different).

Michael Grant
Re: DOvecot requires both IPv4 and IPV6 to start
04.09.2023 23:23, gene heskett wrote:
> ..
> Au contraire, Eduardo. My location since 1984 is in the middle northern area of WV, USA, and I am a minimum of 150 kilometers from the nearest ipv6 enabled network connection. I'm not even sure my cable modem, furnished by Shentel about 7 to 10 years ago, even can be configured to handle ipv6. Not my choice, except where I live, place is free & clear & has been for 24 years now, good neighbors in a small county seat town. Retired for 21 years, no reason to move unless I leave in a box.
>
> By not accommodating the ipv6-less yet masses with a too bad, so sad attitude is unbecoming. You may have ipv6 at your router input, but there are millions not so lucky. You apparently have the power to fix it, please do so.

This is apples and oranges. Lack of IPv6 connectivity might be quite common still, I dunno. But lack of IPv6 *support* in the system is very uncommon. For many years v6 worked to co-exist with v4 nicely, and if there's no v6 connectivity, to fall back to v4 transparently. It just works (but I must admit, this works less and less well, since fallback code paths are tested less and less often).

If you disable something on your own system which is commonly used (v6 support), it is your task to deal with the consequences. Maintainers can help in some cases or can make this easier, but this is definitely not a priority, esp. once a trivial work-around exists (to configure a package to use v4-only).

/mjt
Re: DOvecot requires both IPv4 and IPV6 to start
On 2023-09-04 08:58, Eduardo M KALINOWSKI via dovecot wrote:
> On 04/09/2023 11:12, TWHG Technical via dovecot wrote:
>> But that is not this issue. The issue is that dovecot is assuming that IPV6 is there and crashes out if it's not. Hacking the config to only listen on IP4 solves the problem but not while installing from standard repos to install the currently supported version.
>
> dovecot can handle an IPv4-only setup, you just have to tell it to (by setting a custom 'listen' config entry, as you have already found out). Your setup is non-standard, so it's expected that you'll have to make changes to accommodate that. Expecting that dovecot changes its default because of your particularities may be asking a little too much.
>
> PS: It would be easier to follow the discussion if you actually replied to the messages (quoting the relevant parts) instead of sending a new message. But be sure to use a client that sets in-reply-to: or references: headers so that the thread is not broken.

However, I 'get' this person's opinion, from a developer's perspective. The system should either run, or provide a clear reason why it didn't start up (that reason could be.. You have selected * but IPv6 is not available). Doesn't really matter what the dependency is, whether a missing package, or a service not responding, there should be sane checks, and turning off IPv6 is probably a lot more popular than you think, given the increased attack vector and other observed issues.

But of course, the listen directive can easily be modified. Just harder for newbies looking for an 'out of the box' solution.

--
Michael Peddemors, President/CEO LinuxMagic Inc.
Dovecot director and backend on same server
Hi,

I'm attempting to run both the director and the backend under the same configuration on the same server. When I run doveadm director map I don't get any output. I have a shared file system between servers and clients can access any server. I was running without a director in front and seeing index corruption so I'm now attempting to use a director. I enabled additional logging for now but that didn't explain much.

Dovecot version: 2.3.20 (80a5ac675d) on Alpine Linux v3.18.2

Dovecot configuration (doveconf -n) with some bits removed.

# Pigeonhole version 0.5.19 (4eae2f79)
# OS: Linux 6.1.43-0-lts x86_64
# Hostname:
auth_debug = yes
auth_socket_path = director-userdb
director_mail_servers = 192.168.252.2 192.168.252.3 192.168.252.4 192.168.252.5 192.168.252.20
director_servers = 192.168.252.2 192.168.252.3 192.168.252.4 192.168.252.5 192.168.252.20
imap_hibernate_timeout = 5 secs
log_debug = events=*
login_trusted_networks = 192.168.252.0/24
mail_debug = yes
mail_fsync = always
mail_gid = vmail
mail_location = maildir:~/Maildir:LAYOUT=fs
mail_nfs_index = yes
mail_nfs_storage = yes
mail_plugins = acl quota
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapsieve vnd.dovecot.imapsieve
mmap_disable = yes
namespace inbox {
  inbox = yes
  location =
  mailbox Bin {
    auto = subscribe
    autoexpunge = 30 days
    special_use = \Trash
  }
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox Spam {
    auto = subscribe
    autoexpunge = 30 days
    special_use = \Junk
  }
  prefix =
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  acl = vfile
  quota = maildir:quota
  quota_rule = *:storage=5G
  quota_rule2 = Bin:ignore
  quota_rule3 = Spam:ignore
  sieve = file: ~/sieve;active=~/dovecot.sieve
  sieve_plugins = sieve_imapsieve
}
protocols = imap lmtp sieve
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service director {
  fifo_listener login/proxy-notify {
    mode = 0600
    user = $default_login_user
  }
  inet_listener {
    port = 9090
  }
  unix_listener director-admin {
    mode = 0600
  }
  unix_listener director-userdb {
    mode = 0600
  }
  unix_listener login/director {
    mode = 0666
  }
}
service imap-login {
  executable = imap-login director
}
service imap {
  user = vmail
}
service ipc {
  unix_listener ipc {
    user = dovecot
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
  user = vmail
}
service managesieve-login {
  executable = managesieve-login director
  inet_listener sieve {
    port = 4190
  }
}
ssl = required
ssl_cert = /fullchain.pem
ssl_cipher_list = HIGH:!SSLv3:!aNULL
ssl_key = # hidden, use -P to show it
userdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
protocol lmtp {
  mail_plugins = acl quota sieve
}
protocol imap {
  mail_plugins = acl quota imap_acl imap_quota imap_sieve imap_zlib
}

Regards,
Michael Cassaniti
Re: Accessing SSL parameters via dovecot variables
On 2023-07-21 06:42, Graham Leggett via dovecot wrote:
> Hi all,
>
> Dovecot supports variables, which can be used in filters. Does the SSL code expose variables linked to the client certificate?
>
> The answer today appears to be no, and if that's true I plan to patch it, but just need to confirm I am not missing something.

A little more insight into what you are looking for might help.

Dovecot does expose a method, we use it for our 'Fingerprinting' system..

-- 
"Catch the Magic of Linux..."
--------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended solely for the use of the individual or entity to which they are addressed. Please note that any views or opinions presented in this email are solely those of the author and are not intended to represent those of the company.
Re: Replication going away?
> On 07/19/2023 2:54 PM MDT Michael Grimm via dovecot wrote:
>
> Michael Slusarz via dovecot wrote:
> >> On 07/18/2023 9:00 AM MDT Gerald Galster wrote:
> >
> >> While I understand it takes effort to maintain the replication plugin,
> >> this is especially problematic for small active/active high-availability
> >> deployments.
> >
> > To clarify: replication absolutely does not provide "active/active".
> > Replication was meant to copy data to a standby server, but you can't have
> > concurrent mailbox access. This is why directors existed.
>
> That simply isn't true, and I am baffled that you don't know that replication
> works with a two server active/active setup for years now! Two separate
> instances (active/active) on two different continents are a completely
> reliable failover scenario for years now.
>
> Very irritating to read such a statement.

You may be irritated, but my statement is accurate.

Eventually consistent replication is *NOT* active/active. active/active has a very specific meaning (and is not the same as master/master).

Quotas and shared mailboxes are two troublesome concepts with replicator. Inconsistent mailbox views are a call center driver. Neither of these would be an issue in a true active/active setup. Forcing a user to a single node at any given time will prevent some (but not all) issues.

Replicator's scaling issue can't really be worked around, and was a main driver why Dovecot Pro was developed (example: one Pro customer migrating from CE/replicators saw a 90% decrease in server count).

Your positive individual experience does not change the inherent characteristics, and limitations, of the design. If your setup works for you, in your particular circumstances, great! But it doesn't work for everyone. There is a reason Dovecot development moved on from replicator based architecture 10+ years ago.

michael
Re: Replication going away?
Marc wrote:

>> That simply isn't true, and I am baffled that you don't know that
>> replication works with a two server active/active setup for years now!
>> Two separate instances (active/active) on two different continents are a
>> completely reliable failover scenario for years now.
>
> Maybe it works like this in your environment? Maybe if the load increases you
> run into trouble? The director is making sure you never utilize an
> active/active situation from the perspective of user access. The user is only
> accessing one server. It is quite a different story when the same user starts
> writing to both servers at the same time.

If I do rapidly inject tens of thousands of mails locally on both servers SIMULTANEOUSLY for the very same user I never ever lose one of them. Tested numerous times before rolling it out.

In the very beginning of Timo's publishing replication it had had flaws, but other users and myself tested it while Timo enhanced his code (and IIRC once even rewrote it from scratch). For years now it runs as expected and documented.

As mentioned in this thread this is true for small setups.

Regards,
Michael
Re: Replication going away?
On 2023-07-19 12:55, Gerald Galster wrote:
>> On 19/07/2023 at 19:53, Michael Peddemors wrote:
>>> Real world is a bit different.. DNS Caching..
>>>
>>> While DNS Round Robin is good enough to distribute loads, it isn't a very good method for failover, even with a very short TTL. Many home routers still insist on caching results for a long time, no matter what the TTL says, and of course Windows internal caching etc..
>>>
>>> Should not confuse the issue.. call it a 'poor man's load balancer' if you will, but it is more of a last line failover, and during the time it takes for DNS to retry, and find another active node, an AWFUL lot of disgruntled customers will be calling ;)
>>>
>>> Also so interesting to see some resolvers that don't think of using the second record, if the first one is down..
>>
>> You're mixing things: DNS and Mail client behavior. It is nonsense. A resolver will serve records; it does not use them and does not care what is behind the record. A good client uses the list (of A or ) records to connect to the server and will iterate on the list if the server behind the record is down. And DNS caching does its job, nothing less, nothing more, and is out of the picture.
>
> Emmanuel is right. Here's an example to clarify:
>
> $ dig imap.web.de
> ;; ANSWER SECTION:
> imap.web.de.    226  IN  A  212.227.17.178
> imap.web.de.    226  IN  A  212.227.17.162
>
> A dns query for imap.web.de address records (IN A) returns two ip addresses. A local resolver receives those two ip addresses and usually passes them on to clients while it may rotate the order, so that some clients will see 212.227.17.178, 212.227.17.162 and others will see 212.227.17.162, 212.227.17.178. It is possible to get the same order for subsequent requests but on a *global* scale that roughly equals 50/50 loadbalancing.
>
> Mail clients then connect to e.g. 212.227.17.178 and try 212.227.17.162 on connection failure without any further dns involvement. Dns caching (ttl) is irrelevant in that case.

In theory, that is how it is SUPPOSED to work. In practice (and we have lots of history where customers ran into this problem when one went down), I believe that it was Outlook that didn't try an alternative IP address for a 20 min internal cache for instance, before a requery of the DNS was done, at which time it again would choose which IP to connect to.

As well, SOME modems would get the two results, and return only one to the client. And lots of libraries we see do the DNS query, get two IP results, but then only use the first one returned, etc..

Not arguing how it is supposed to work, just forewarning those to be ready when it doesn't work like the manual says.. (Everyone hates phone calls about email being down).

If you want to be certain, only a true load balancer will fit the bill.

Oh, and another PS.. IF you are going to do round robin, suggest you make two (2) MX records, and put two IPs in both, and then equal weight the two MX's. Keeps a more even load, given those that only prefer the first MX returned, and those that prefer the last (spammers)
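The two client behaviours the thread argues about, side by side, as an added example that is not part of any post: a client that only ever uses the first resolved address versus one that walks every address the resolver returned. The connect step is a constructed stand-in for socket.create_connection so it runs offline; the addresses are the two from Gerald's dig output, with the first one simulated as down.

```python
import socket


def resolve_all(host, port):
    """All distinct addresses the resolver returns for host (A and AAAA),
    in the order the resolver handed them out."""
    seen, addrs = set(), []
    for _fam, _type, _proto, _canon, sockaddr in socket.getaddrinfo(
            host, port, type=socket.SOCK_STREAM):
        if sockaddr[0] not in seen:
            seen.add(sockaddr[0])
            addrs.append((sockaddr[0], port))
    return addrs


def connect_first_only(addrs, connect, timeout=5.0):
    """The failure mode described above: only the first record is ever used,
    so one dead address means the whole service looks down."""
    return connect(addrs[0], timeout)


def connect_with_fallback(addrs, connect, timeout=5.0):
    """Walk every address and succeed on the first one that answers, with no
    second DNS lookup in between. Returns (connection, addresses_tried)."""
    tried, last_err = [], None
    for addr in addrs:
        tried.append(addr)
        try:
            return connect(addr, timeout), tried
        except OSError as err:  # refused, unreachable, timed out: move on
            last_err = err
    raise OSError(f"all {len(tried)} addresses failed; last error: {last_err}")


def make_simulated_connect(down):
    """Constructed replacement for socket.create_connection: addresses in
    `down` refuse, everything else 'connects'."""
    def connect(addr, timeout):
        if addr[0] in down:
            raise ConnectionRefusedError(f"{addr[0]} is down (simulated)")
        return f"connected:{addr[0]}:{addr[1]}"
    return connect


# The two records from the dig output quoted above (constructed list).
WEB_DE_ADDRS = [("212.227.17.178", 993), ("212.227.17.162", 993)]


def demo(addrs=WEB_DE_ADDRS, down=("212.227.17.178",)):
    """Run both strategies against the same simulated outage."""
    connect = make_simulated_connect(set(down))
    try:
        naive = connect_first_only(addrs, connect)
    except OSError as err:
        naive = f"failed: {err}"
    conn, tried = connect_with_fallback(addrs, connect)
    return {"naive": naive, "fallback": conn, "tried": tried}


if __name__ == "__main__":
    print(demo())
```

For a real connection, pass resolve_all(host, 993) and socket.create_connection in place of the constructed list and stand-in.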
Re: Replication going away?
Michael Slusarz via dovecot wrote:

>> On 07/18/2023 9:00 AM MDT Gerald Galster wrote:
>> While I understand it takes effort to maintain the replication plugin, this
>> is especially problematic for small active/active high-availability
>> deployments.
>
> To clarify: replication absolutely does not provide "active/active".
> Replication was meant to copy data to a standby server, but you can't have
> concurrent mailbox access. This is why directors existed.

That simply isn't true, and I am baffled that you don't know that replication works with a two server active/active setup for years now! Two separate instances (active/active) on two different continents are a completely reliable failover scenario for years now.

Very irritating to read such a statement.

Regards,
Michael
Re: [EXT] RE: Replication going away?
> On 07/19/2023 12:51 PM MDT Marc wrote:
>
> > A 50-100 mailbox user server will run Dovecot CE just fine. Pro would
> > be overkill.
>
> What is overkill? I always thought it had a bit more features and support.

For Pro 2.3, you need (at minimum) 7 Dovecot nodes + HA authentication + HA storage + (minimum) 3 Cassandra nodes if using object storage. This is per site; most of our customers require data center redundancy as well, so multiply as needed.

And this is only email retrieval; this doesn't even begin to touch upon email transfer.

Email high availability isn't cheap.

(I would argue that if you truly need this sort of carrier-grade HA for 50 users, it makes much more sense to use email as-a-service than trying to do it yourself these days. Unless you have very specific reasons and a ton of cash.)

michael
Re: Replication going away?
> On 07/18/2023 9:00 AM MDT Gerald Galster wrote:
>
> While I understand it takes effort to maintain the replication plugin, this
> is especially problematic for small active/active high-availability
> deployments.

To clarify: replication absolutely does not provide "active/active". Replication was meant to copy data to a standby server, but you can't have concurrent mailbox access. This is why directors existed.

> I guess there are lots of servers that use replication for just 50 or 100
> mailboxes. Cloudstorage (like S3) would be overkill for these.
>
> Do you provide dovecot pro subscriptions for such small deployments?

A 50-100 mailbox user server will run Dovecot CE just fine. Pro would be overkill.

All current Dovecot development assumes that storage is decoupled from the system. Shared (as in network available) storage is what you need if you want high availability, whether in Pro or CE.

michael
Re: Replication going away?
Real world is a bit different.. DNS Caching..

While DNS Round Robin is good enough to distribute loads, it isn't a very good method for failover, even with a very short TTL. Many home routers still insist on caching results for a long time, no matter what the TTL says, and of course Windows internal caching etc..

Should not confuse the issue.. call it a 'poor man's load balancer' if you will, but it is more of a last line failover, and during the time it takes for DNS to retry, and find another active node, an AWFUL lot of disgruntled customers will be calling ;)

Also so interesting to see some resolvers that don't think of using the second record, if the first one is down..

On 2023-07-18 17:09, Gerald Galster wrote:
>>> While I understand it takes effort to maintain the replication plugin, this
>>> is especially problematic for small active/active high-availability
>>> deployments.
>>>
>>> I guess there are lots of servers that use replication for just 50 or 100
>>> mailboxes. Cloudstorage (like S3) would be overkill for these.
>>
>> Even without active/active, it's super useful for the simple active/backup
>> configuration which I use on my personal mail server
>
> This depends heavily on individual usage. Coming from an active/active deployment it's a major step backwards though: usually two servers are running independently in geographically dispersed datacenters. High-availability is achieved by a simple DNS entry that returns two ip addresses, one from each datacenter. Under normal circumstances that gives you 50/50 loadbalancing without loadbalancers, without additional components that can fail.
>
> In case one datacenter goes down, and that happens to every datacenter at some time, the other datacenter takes over - automatically, without any configuration changes. Additionally mail user agents (Outlook, Thunderbird, ...) don't need special configuration. If one ip address is unreachable they connect to the other one obtained via DNS and users can quite seamlessly send and receive email again.
>
> After the outage ceased and the other datacenter is back online again, there is nothing to do. No configuration changes, no error prone manual synchronization or promoting passive to active - it just works and heals itself. Being used to a carefree setup like that you don't want to go back.
>
> Of course there are other possibilities like nfs, glusterfs, gfs2, zfs snapshots, ceph, minio or dsync backup but they all have their own drawbacks. For small mailservers that want high availability dsync replication is quite the perfect solution.
>
>> setup (one colo box, one home server) and a small company mail server; as such
>> I'm pretty sad to see it go. Still, it is up to OX where they want to put
>> their resources.
>
> Well, it seems the dsync replication function is still there, just the replication plugin that notifies what to replicate is deprecated.
>
> Of course it's OX's decision, I'm just hoping they were not aware how useful replication is in the aforementioned scenario. Moreover I'm quite sure this kind of small-scale replication does not have any impact on customers upgrading to the new cloud architecture. Big customers will go for cloud because it scales way better and does not have replication induced performance penalties and small customers probably can't afford to upgrade because it's too pricey.
>
>> I guess losing repl probably doesn't affect larger ISP type setups so much; it
>> seems a bit more common to use shared storage (e.g. maildirs on an nfs
>> appliance or similar) in those cases if they're actually running their own
>> storage.
>>
>>> Do you provide dovecot pro subscriptions for such small deployments?
>>
>> Unless I misunderstood the message (and I don't think I did), repl was removed
>> in pro too. (I don't expect that pro is available on my usual choice of OS
>> anyway..).
>
> As I understood it dsync is still working. Replication configured via ssh is calling dsync under the hood, so if local storage and index/log formats don't change for single deployments, it seems to be more of a political decision.
>
> I know maintenance is not for free, that's why I suggested to think about a dovecot small/medium business edition with a more affordable price tag.
>
> Best regards,
> Gerald
Re: Replication going away?
Hello all,

I want to provide a brief overview regarding various questions surrounding features that are being removed from Dovecot CE going forward.

We are currently working on providing updated/improved website info and documentation that will better explain exactly what is being maintained in CE. However, the desire to have unified messaging clashes with the Engineering Team's desire to continue to push code to the open source repository when it is ready... So I want to educate on just a few points here, with the promise that further information will be provided in the future.

A reminder that Dovecot is commercial software, and has been since Timo made this decision 13 years ago. Dovecot is not maintained by a community of volunteers. We continue to be lucky that Timo remains Dovecot's Chief Architect today, but there are 20 dedicated Dovecot employees, plus additional Open-Xchange support staff, that are working on the software every day. This is carrier-grade software, which requires significant resources to maintain.

Dovecot CE is the open source version of this commercial product (currently, Dovecot Pro). Dovecot CE is not a separate project - it is maintained as part of the day-to-day maintenance of Pro. Every single person that works for Dovecot/OX is extremely proud and dedicated to releasing as much software as we can to open source. CE is able to take advantage of this situation to provide features that would not be allowed in a purely voluntary project (for example, there are 5 full time QA people working on what is eventually released as Dovecot CE). However, there remains a delicate balance of what we can openly release and what we need to be able to commercially provide in order to keep the lights on (which allows us to continue to provide open releases...). This is a difficult juggling act, and is one that is always prone to recalibration in any open software product, not just Dovecot.

Dovecot CE has always been 100% open source, and will continue to be so. Nothing is changing in the future. Dovecot CE has been, and will always continue to be, fully compliant with open source principles (see https://opensource.org/osd/).

For a variety of software, maintenance, and (yes) business reasons, there comes a time when decisions need to be made to move beyond existing software. This is completely normal in software development, and there is no "open source" duty to continue to maintain software that is no longer useful (or, is broken or is unmaintained or is no longer best practices or is no longer commercially viable or is duplicative of other features that exist or )

That decision is what is being done for a selection of longstanding Dovecot features. It is time to move on from them. There are valid reasons to do so. If you disagree: the software is open source. You can continue to use the existing software, adapt it to your needs, move to a different solution, or whatever else.

To focus development efforts, and to provide extreme clarity for users going forward, Dovecot CE for the first time has adopted a defined Vision Statement: "To provide the world's premier open source, standards compliant, full-featured, single node email backend server."

This vision formulation was made to ensure that CE users continue to receive world class, stable, tested, modern, secure email software going forward. Maintaining features that have existed since the mid-2000s (replication, Directors), at the expense of moving the software forward to adapt to new paradigms (cloud, containers, storage-layer replication, statelessness) is not the proper choice.

These Dovecot CE feature decisions are mine. If you are unhappy with them, I ask that you direct your vitriol directly (and privately) to me. The Dovecot Team does fantastic work and has provided software, under open source principles, that runs millions of email servers around the world. They continue to provide invaluable feedback internally in determining the proper balance between open and commercial considerations. They deserve to be thanked by the community, not vilified.

michael
Re: Replication going away?
Emmanuel Fusté wrote:

> On Sun, 16 Jul 2023, 18:55, Aki Tuomi via dovecot wrote:
>
>> Yes, director and replicator are removed, and won't be available for pro
>> users either.

Why in hell would one remove replicator? It's working for years now. Yes, I recall issues in the beginning, and others and me helped Timo in debugging/testing. After that it runs without any flaws. So why removing it?

>> Regards to replication, doveadm sync is not being removed. So you can still
>> run doveadm sync on your system to have a primary / backup setup

AND: What do you believe an alternative should be, for a failover scenario of two IMAP servers? doveadm sync is not! That's why replicator has been implemented!

> That's completely crazy !

+1

Regards,
Michael
Re: Postfix: running a script on authentication failure
On 2023-06-26 17:17, Joseph Tam wrote:
> On Thu, 22 Jun 2023, Michael Peddemors wrote:
>
>> * Use services like RATS-AUTH to block IPs that can safely be blocked as
>> known hackers..
>
> Cool. Are there other DNSRBLs (apart from bl.blocklist.de) that list BFD
> attack IPs?
>
>> * Use services like RATS-NULL (or SpamHaus DROP lists) right in the
>> firewall level. There are SOME networks that should simply be 'unplugged'
>
> Can't find it in https://spamrats.com/. Is it a DNSRBL or downloadable file?

Assuming you mean RATS-NULL, it's available as both a restricted DNSRBL and in BMS format under subscription. There is interest in having it as an API as well, but that will be next quarter.

>> * Turn off port 110 (well, all plain text authentication) 90% less email
>> compromise reports when you do..
>
> That will disable STARTTLS though. Even though it's not plaintext, maybe
> that is a good thing as it avoids MITM banner stripping attacks.

Use ports 993/995 for email, instead of ports 110/143, but if you HAVE to leave them open, ensure that you force TLS. But the more standard way is to just use SSL on 993/995.

> Joseph Tam
Re: Postfix: running a script on authentication failure
There are more and more reasons to use 3rd party network reputation at the authentication level.

While our platforms have a pretty sophisticated combination, that includes of course transparent 2FA, but a very granular set of rules for stopping BEC (Business Email Compromise), and dropping obvious attacks into the firewall (ipset), not meaning to be blowing our own horn, just pointing out that while this problem is a multi-layer approach, there are SOME things everyone can do...

* Use services like RATS-AUTH to block IPs that can safely be blocked as known hackers..

* Use services like RATS-NULL (or SpamHaus DROP lists) right in the firewall level. There are SOME networks that should simply be 'unplugged'

* Block authentication from certain cloud platforms. Very few mail servers have authentication from Azure, GoogleCloud, AWS, Digital Ocean and several others.. Your clients are using their phones, offices, and home connections. You can always exempt blocking for the 'odd' client/customer IP that needs to relay from a cloud server.

* Turn off port 110 (well, all plain text authentication). 90% less email compromise reports when you do..

If you want more helpful tips, you can always ping me off list, and if I have time, can offer some advice. BEC compromise is still one of the biggest threats..

... Nice to see Dovecot also following in our footsteps and looking at things like JA3 and other network level identifiers .. many windows botnets and router botnets can be thwarted or at least identified without having to risk blocking shared IPs.. Fail2ban has been a great tool for many years for many people and purposes, but a lot more logic is needed now in that layer to block authentication attacks more safely.

Hope this message helps members of the list. Some things should be made to help everyone, no matter what kind of email platform they use..

-- Michael, Happy Summer Solstice

-- eg.. IPs you can't block, but individual connections you can..

grep Marai mail.info | wc -l == 14485

On 2023-06-22 04:58, André Rodier via dovecot wrote:
> Hello, all.
>
> I just set up a new server, running postfix, with submission(s) activated on standard ports (587, 465)
>
> Shortly after it has been set up, I see brute force attacks (not surprising) from a whole /24 network (more surprising).
>
> I carefully checked the logs, and see the modus operandi, which basically loops across the IP addresses in the network, to avoid being blacklisted by tools like fail2ban. And it is true, even with fail2ban activated, no IP is blacklisted.
>
> By activating verbose logging, I see multiple user names are tried, not only passwords.
>
> Is there any way, with postfix, to run a script on authentication failure, with information like the IP address and the username passed, for instance.
>
> I basically need features that fail2ban doesn't offer
>
> - I would like to not rely on reading logs, removing one step and acting more pro-actively.
> - If a script is called on authentication failure, it is fairly easy to use a Levenshtein distance to differentiate between a user having lost his password and a brute force attack.
> - If I log all the failures in a database, with the IP address, and the whois information, the script would take decisions according to the whois information.
>
> What are you using on your side ?
>
> - Do you know any service, that I could use, to get the network to ban from an IP address reputation, something like crowdsec, for instance ?
> - Has anyone had success with Suricata, Snort, or a tool like this ?
>
> Please, do not suggest third party hosted services, I want it to be part of my self-hosting solution.
>
> Kind regards,
> André
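The per-network view André asks for, as an added example that is not part of any post: auth failures grouped by /24 instead of per IP (so an attacker rotating through a network no longer stays under a per-IP threshold), plus the Levenshtein idea applied to consecutive usernames tried from the same network. The log lines are constructed, in the style of Postfix's SASL-failure warning with the username field present; the thresholds and the "spray"/"typo" labels are this example's own choices.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log; addresses are documentation ranges, not real hosts.
# First block: one /24 walking six addresses and six names (André's pattern).
# Second block: one home IP retrying one name with a typo (a locked-out user).
SAMPLE_LOG = """\
Jun 22 04:58:01 mx postfix/submission/smtpd[1101]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=admin
Jun 22 04:58:02 mx postfix/submission/smtpd[1102]: warning: unknown[203.0.113.11]: SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=alice
Jun 22 04:58:03 mx postfix/submission/smtpd[1103]: warning: unknown[203.0.113.12]: SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=bob
Jun 22 04:58:04 mx postfix/submission/smtpd[1104]: warning: unknown[203.0.113.13]: SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=info
Jun 22 04:58:05 mx postfix/submission/smtpd[1105]: warning: unknown[203.0.113.14]: SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=postmaster
Jun 22 04:58:06 mx postfix/submission/smtpd[1106]: warning: unknown[203.0.113.15]: SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=sales
Jun 22 04:59:10 mx postfix/submission/smtpd[1107]: warning: home[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=andre
Jun 22 04:59:40 mx postfix/submission/smtpd[1108]: warning: home[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=andre
Jun 22 05:00:12 mx postfix/submission/smtpd[1109]: warning: home[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=anrde
"""

LINE_RE = re.compile(
    r"warning: \S+\[(?P<ip>[\d.]+)\]: SASL \w+ authentication failed:"
    r".*?sasl_username=(?P<user>\S+)"
)


def parse_failures(log_text):
    """Return (ip, username) for every SASL failure line; skip other lines."""
    found = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            found.append((m.group("ip"), m.group("user")))
    return found


def levenshtein(a, b):
    """Edit distance by the classic row-by-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # delete ca
                           cur[j - 1] + 1,               # insert cb
                           prev[j - 1] + (ca != cb)))    # substitute
        prev = cur
    return prev[-1]


def summarize_by_network(pairs, prefixlen=24):
    """Group failures by /prefixlen and compute per-network signals."""
    groups = defaultdict(list)
    for ip, user in pairs:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        groups[str(net)].append((ip, user))
    summary = {}
    for net, events in groups.items():
        users = [u for _, u in events]
        # How different each tried name is from the previous one: a real user
        # mistyping stays close to one name, a wordlist jumps around.
        steps = [levenshtein(x, y) for x, y in zip(users, users[1:])]
        summary[net] = {
            "failures": len(events),
            "distinct_ips": len({ip for ip, _ in events}),
            "distinct_users": len(set(users)),
            "mean_user_distance": sum(steps) / len(steps) if steps else 0.0,
        }
    return summary


def classify(stats, max_failures=5, typo_distance=3.0):
    """'spray': many failures spread over IPs or names; 'typo': one or two
    similar names from one place; anything else is 'unclear'. Thresholds
    are illustrative and should be tuned to the site's own baseline."""
    spread = stats["distinct_ips"] > 1 or stats["distinct_users"] > 2
    if stats["failures"] > max_failures and spread:
        return "spray"
    if stats["distinct_users"] <= 2 and stats["mean_user_distance"] <= typo_distance:
        return "typo"
    return "unclear"


def report(log_text=SAMPLE_LOG):
    """Map each /24 seen in the log to its verdict."""
    summary = summarize_by_network(parse_failures(log_text))
    return {net: classify(stats) for net, stats in summary.items()}


if __name__ == "__main__":
    for net, stats in summarize_by_network(parse_failures(SAMPLE_LOG)).items():
        print(net, stats, classify(stats))
```

A "spray" verdict is the point at which to hand the whole network, not a single address, to the firewall or an ipset; a "typo" verdict is where a lockout notice to the user is more useful than a ban.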
Re: Debian package for bookworm
> On 06/16/2023 9:59 AM MDT Claudio Corvino wrote:
>
> I updated to Debian 12 but I can't find repo for bookworm on
> https://repo.dovecot.org/.
> When it will be released?

There will not be any releases of 2.3 for Debian 12. You will need to wait for 2.4.

michael
Re: zlib compressed folders
15.06.2023 19:30, Michael Grant via dovecot wrote:
> This morning, it looks like it's working. It took a long time to decompress the compressed mail folder.
>
> You're right, it shows up in imap as "2021.gz". Up to now, I was decompressing it if I needed it, this is great, saves me a step. I don't need to modify it, just search it sometimes.

FWIW, I found modern filesystems (such as btrfs) do an excellent job at compressing files. What's more, modern compression algorithms (such as zstd) compress better than gzip and do it faster. And when the compression support is part of the filesystem, you don't need to worry about decompressing it anymore or check if the tools you're using support (de)compression or not, - it just works.

btrfs itself has its own interesting.. properties, one has to be careful and know a few easy rules when using its advanced features. For example, in context of compression, when compression is enabled but the data is written to a given file in small portions and especially with fsyncs in between, btrfs will mark this file as "not compressible" (m attribute), even if the data itself is actually well-compressible. This is an optimization by btrfs to avoid spending time compressing this stuff. If you know the data is compressible, you'll have to set +c attribute instead (like force-compress) and recompress it as a whole with btrfs filesystem defrag -czstd filename (this operation is safe wrt fsyncs, due to CoW features). So this is something to keep an eye on, but once you know how it works, and do some book-keeping, it works fine.

/mjt
imap syncing issues
I'm having synchronization issues in imap. I am accessing my mail from several different imap clients: K9 on Android, Windows 11 and 10 mail client, and Android Gmail app. Both desktop and laptop, tablet, phone. I know I have more than the usual number of imap connections...

Often when I delete a message in one place, it doesn't get deleted in another. For example, if I delete a message on K9 then open my laptop, it's still there in W11 Mail. But just now, I deleted some messages on my laptop and swiped down on K9 and the message disappeared on K9. But K9 shows other messages which have been deleted in Windows 11 Mail. I've not yet been able to figure out a pattern.

It's annoying me. I have to delete messages in several different places. Messages are not coming back, they're just not being deleted in one place and that delete operation is not syncing to the others. Messages seem to be being marked as read properly across devices. This seems to be an issue with delete only, so far as I've noticed.

I've long been using multiple imap clients, this syncing issue started maybe 6 to 8 months ago.

Is there a good way to get debugging info out of dovecot as to what the clients are doing? Or does anyone have any advice which might help resolve this without resorting to me digging into the imap protocol?

Michael Grant
zlib compressed folders
I’ve been playing with zlib compressed mail archives. I can’t seem to get it to work. I followed the instructions here: https://doc.dovecot.org/configuration_manual/zlib_plugin/

I’m not interested in being able to save, just read-only would be great.

I have some compressed mail archives, for example 2020.gz in my ~/mail/ directory. I have some uncompressed ones too like 2021. Both are mbox formatted. In my imap client, I see both 2020.gz and 2021 as imap folders. I can access mail in 2021 but not in 2020.gz. It just says it’s empty.

My local.conf has this in it:

  mail_plugins = $mail_plugins zlib

I know for sure this is being read because if I change this to some non-existent plugin, I see an error in the log complaining about a non-existent plugin. I’ve tried also adding in the lines for saving but no difference.

Would love to know if there’s something more I need to do. Also, should I expect to see a folder named 2020 instead of 2020.gz in my imap clients?

My suspicion is that dovecot is treating these as uncompressed imap folders which it can’t read because they look like garbage. Is there some doveadm command to get it to re-scan folders that I need to run and then realize this is a folder using zlib?

Michael Grant
Re: GSSAPI auth Line too long
submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: command [unknown]: 500 reply: Destroy
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: Trigger output
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: No more commands pending
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: Sending replies
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: No more commands pending
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: Remote closed connection: Connection closed
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: Disconnected: Connection closed
May 30 17:13:00 submission-login: Debug: smtp-server: conn 10.200.114.128:13587 [1]: Connection state reset

My guess is that it's due to https://github.com/dovecot/core/blob/main/src/lib-smtp/smtp-common.h#L10 being too low (is it configurable?), but I didn't read the code thoroughly.

Red Hat IDM now activates MS-PAC by default, so any installation based on IDM (or FreeIPA) may have the same problem.

What's your opinion? Bug?

Mail sent using password auth :'(

-- 
"Catch the Magic of Linux..."
--------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
604-682-0300 Beautiful British Columbia, Canada
This email and any electronic data contained are confidential and intended solely for the use of the individual or entity to which they are addressed. Please note that any views or opinions presented in this email are solely those of the author and are not intended to represent those of the company.
Re: Inaccurate results while searching for a phrase in subject (fts-flatcurve)
See below.

> On 05/23/2023 2:14 AM MDT s...@fea.st wrote:
>
> I had been using the lucene FTS plugin since a decade now and it has done me well. Thought of upgrading to the new & current stuff and came across the flatcurve plugin which seems very promising (xapian on the other hand was creating indexes larger than my mailboxes themselves). I am using the following configuration in dovecot.conf:
>
> fts = flatcurve
> fts_filters_en = lowercase english-possessive stopwords
> fts_languages = en
> fts_tokenizers = generic email-address
  ^^^

FTS input is being tokenized, so the phrase "/home/johndoe/render.php" will be indexed not as a full string but instead separately as "home", "johndoe", "render", and "php". See: https://doc.dovecot.org/settings/plugin/fts-plugin/#plugin_setting-fts-fts_tokenizers

This has nothing to do with flatcurve (or any FTS driver) - Dovecot will never send the full "/home/johndoe/render.php" to the driver to be indexed.

> fts_autoindex = no
> fts_enforced = yes
>
> A search command like this:
>
> doveadm -D search -u j...@doe.com mailbox INBOX SUBJECT "/home/johndoe/render.php"
>
> should show the messages with subject: "CRON: /home/johndoe/render.php OK" but produces a lot of extra undesired results and I think the second line in this debug output indicates the reason:
>
> May 23 07:44:13 doveadm(j...@doe.com): Debug: fts-flatcurve(INBOX): Query (hdr_subject:/home/johndoe/render.php*) matches=0 uids=

This is correct, since "/home/johndoe/render.php" was not indexed so there should be zero results.

> May 23 07:44:13 doveadm(j...@doe.com): Debug: fts-flatcurve(INBOX): Query (hdr_subject:php* AND hdr_subject:render* AND hdr_subject:johndoe* AND hdr_subject:home*) matches=272

And this is also correct, as the search phrase is attempted by searching both its full string and also all of its tokenized components. (Both the original text and all search terms are processed through the tokenizer before passing to a FTS driver.)
> I tried rebuilding the indexes with "fts_flatcurve_substring_search = yes" too but that didn't change anything. It works as expected with the lucene plugin because in that case header search is performed via dovecot indexes instead of FTS. Maybe I am not doing something right in configuring this new FTS?

I'm not a lucene expert... but with the old lucene plugin, you were almost certainly using it without Dovecot tokenization support, since the plugin predates it (I think) - using Dovecot tokenization would have required 'use_libfts' to be present in the fts_lucene setting (which I doubt was ever documented). I believe Dovecot was just doing simple white-space tokenization instead, so the lucene code/library was likely receiving the full string and doing internal tokenization.

michael
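Added illustration of the tokenization point made in this thread; this is not Dovecot's tokenizer or flatcurve code and not part of any post. A toy tokenizer splits subjects the way the reply describes ("/home/johndoe/render.php" becomes "home", "johndoe", "render", "php"), the index stores only those tokens, and the two query shapes from the debug output are reproduced: the full-string lookup (zero hits) and the AND of token prefixes, which also matches subjects that merely contain all four words. The subjects are constructed sample data, and the post-filter shown at the end is the kind of non-FTS header check that would remove the extra hits.

```python
import re
from collections import defaultdict

# Constructed sample subjects keyed by IMAP UID (not real mailbox data).
SUBJECTS = {
    1: "CRON: /home/johndoe/render.php OK",
    2: "Re: render.php at home of johndoe",
    3: "Lunch menu",
    4: "johndoe: please render the php home page",
}

# Toy stand-in for the "generic" tokenizer plus the "lowercase" filter:
# split on anything that is not a letter or digit, then lowercase.
TOKEN_RE = re.compile(r"[A-Za-z0-9]+")


def tokenize(text):
    """Split text into lowercased alphanumeric tokens, so that
    "/home/johndoe/render.php" becomes ["home", "johndoe", "render", "php"]."""
    return [t.lower() for t in TOKEN_RE.findall(text)]


def build_index(subjects):
    """Inverted index token -> set of UIDs, built from tokenized subjects only.
    The untokenized subject string is never stored, which is the point of the reply."""
    index = defaultdict(set)
    for uid, subject in subjects.items():
        for token in tokenize(subject):
            index[token].add(uid)
    return index


def search_full_string(index, phrase):
    """First debug line: look the whole phrase up as a single term.
    Nothing was indexed under it, so the result is always empty."""
    return set(index.get(phrase.lower(), ()))


def search_token_and(index, phrase):
    """Second debug line: AND together prefix matches for every token of the
    phrase (hdr_subject:php* AND hdr_subject:render* AND ...). Word order and
    adjacency are lost, so unrelated subjects containing all the words match too."""
    result = None
    for query_token in tokenize(phrase):
        hits = set()
        for token, uids in index.items():
            if token.startswith(query_token):
                hits |= uids
        result = hits if result is None else result & hits
    return result or set()


def filter_exact_phrase(subjects, candidate_uids, phrase):
    """Post-filter FTS candidates against the raw header text, keeping only
    subjects that really contain the phrase (case-insensitive substring)."""
    needle = phrase.lower()
    return {uid for uid in candidate_uids if needle in subjects[uid].lower()}


if __name__ == "__main__":
    idx = build_index(SUBJECTS)
    phrase = "/home/johndoe/render.php"
    candidates = search_token_and(idx, phrase)
    print("full string :", search_full_string(idx, phrase))        # set()
    print("token AND   :", sorted(candidates))                      # [1, 2, 4]
    print("post-filter :", filter_exact_phrase(SUBJECTS, candidates, phrase))  # {1}
```

The AND query is what produces the 272 matches in the debug output: every message whose subject contains the four words in any order qualifies. Re-checking the candidates against the actual header text is what a Dovecot-index header search does and FTS does not.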
Re: Multiple backends with NFSv4.1 (supports file locking): should work without Director, right?
+1 NFSv3 has always been more stable in our testing.. Will have to put it on the road map to run full testing again, but you know the old adage, if it ain't broke, don't fix it.. ;)

On 2023-05-19 08:23, Adrian Minta wrote:
> Hi Pierre, when we tested NFSv4 a couple of years ago, we found out that NFSv4 has a caching feature which delegates file caching to a specific client. This was a problem with the same share mounted on multiple servers. The contention will explode the load on the clients due to I/O waits and in some cases crash the dovecot servers. We didn't use dovecot director at that time since NFSv3 was behaving more nicely and just worked in our tests. It seems that some NFSv4 flags exist and could mitigate this behaviour making it resemble NFSv3 but we didn't test them.
>
> On 5/19/23 17:21, pierre.alle...@gmail.com wrote:
>> Hi Dovecot community,
>>
>> We're looking at running multiple Dovecot backend servers in parallel, all using the same shared NFSv4.1 mount to store mailboxes in the maildir format. We've read in multiple places that running multiple backends with a shared NFS can result in issues like index files corruption. The standard solution seems to use the Director feature, or some kind of IP based proxy/load balancer. But:
>>
>> 1 - The Director feature will be removed in future free versions of Dovecot (https://dovecot.org/mailman3/archives/list/dovecot@dovecot.org/thread/ILA3C6DF46ETWPCJJLENVHVFNFZFMU2Q/#JC5TRSQEGXVZCSZADHPY3GSXHYEXYAK7).
>> 2 - NFSv4 and above support file locking (flock and fcntl, flock being emulated using fcntl).
>> 3 - It looks like Dovecot does use file locking, though we're unsure if it does on everything and in particular on index files.
>>
>> Thus, we are wondering if the need for Director is still relevant with NFSv4? Shouldn't it work without Director thanks to file locking? Has anyone tried it? We're thinking that the documentation and various threads on the subject may be outdated, based on NFSv3 and lower (no file locking).
>>
>> If it doesn't work, anybody knows why? Isn't file locking there precisely to handle concurrency?
>>
>> Thanks!

-- 
Michael Peddemors, President/CEO LinuxMagic Inc.
Re: dovecot sasl with postfix, smtp auth not available
On 2023-04-23 11:53, Benny Pedersen wrote:
> dovecot--- via dovecot wrote on 2023-04-23 20:25:
>> I tried to enable it on postfix smtp_sasl_auth_enable, but it was not advertised.
>
> That is because "smtp" is not the same as "smtpd".
> http://www.postfix.org/postconf.5.html#smtpd_sasl_auth_enable
>
> port 25 should not support sasl auth, make this an override in master.cf so it only is on port 465, or 587; when remote mta's blindly just try sasl auth on port 25 they miss a password, and give up, after wasting resources in both ends

FYI, +1... Especially since some email clients STILL fallback to insecure password auth attempts on port 25, resulting in sending email passwords across the internet in plain text. Everyone should adopt this policy by default. Turning off AUTH on insecure connections has shown to reduce email compromise levels by up to 90%. Reminder, this also applies to POP/IMAP.

-- 
Michael Peddemors, President/CEO LinuxMagic Inc.
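Added example, not from the posts above and not Postfix or Dovecot code: a small static audit that reads a main.cf and a master.cf, applies each smtpd service's "-o" overrides on top of the global parameters, and reports which inet smtpd listeners would offer AUTH on a connection that is not protected by TLS. Both configuration fragments are constructed; the "weak" one enables SASL globally (so port 25 advertises AUTH), the "fixed" one leaves it off and enables it only for submission (STARTTLS required) and smtps (implicit TLS), as the two posts recommend.

```python
# Constructed Postfix fragments (not from the thread). Weak: main.cf turns SASL
# on globally, so the port-25 "smtp" service offers AUTH over a connection
# that may still be plaintext (smtpd_tls_security_level = may).
WEAK_MAIN_CF = """
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = no
"""

WEAK_MASTER_CF = """
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp       inet  n       -       y       -       -       smtpd
submission inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
"""

# Fixed: AUTH off by default, enabled per service only on 587 (STARTTLS
# mandatory) and 465 (TLS wrapper mode).
FIXED_MAIN_CF = """
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = no
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
"""

FIXED_MASTER_CF = """
smtp       inet  n       -       y       -       -       smtpd
submission inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
smtps      inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
"""


def parse_main_cf(text):
    """main.cf is one 'key = value' per line; comments and blanks are skipped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params


def parse_master_cf(text):
    """master.cf: a non-indented line starts a service entry
    (name type private unpriv chroot wakeup maxproc command ...); indented
    '-o key=value' lines override main.cf parameters for that service only."""
    services = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            stripped = line.strip()
            if stripped.startswith("-o") and services:
                key, value = stripped[2:].strip().split("=", 1)
                services[-1]["overrides"][key.strip()] = value.strip()
            continue
        fields = line.split()
        if len(fields) < 8:
            continue
        services.append({"name": fields[0], "type": fields[1],
                         "command": fields[7], "overrides": {}})
    return services


def audit_auth_exposure(main_cf, master_cf):
    """For every inet smtpd service, say whether AUTH can be offered before
    TLS is in place. Returns {service name: verdict}."""
    main = parse_main_cf(main_cf)
    verdicts = {}
    for svc in parse_master_cf(master_cf):
        if svc["type"] != "inet" or svc["command"] != "smtpd":
            continue
        eff = {**main, **svc["overrides"]}  # per-service -o wins over main.cf
        auth = eff.get("smtpd_sasl_auth_enable", "no") == "yes"
        tls_required = (eff.get("smtpd_tls_wrappermode", "no") == "yes"
                        or eff.get("smtpd_tls_security_level", "none") == "encrypt"
                        or eff.get("smtpd_tls_auth_only", "no") == "yes")
        if not auth:
            verdicts[svc["name"]] = "ok: AUTH not offered"
        elif tls_required:
            verdicts[svc["name"]] = "ok: AUTH only after TLS"
        else:
            verdicts[svc["name"]] = "WEAK: AUTH offered on plaintext connection"
    return verdicts


if __name__ == "__main__":
    for label, main, master in (("weak", WEAK_MAIN_CF, WEAK_MASTER_CF),
                                ("fixed", FIXED_MAIN_CF, FIXED_MASTER_CF)):
        print(label, audit_auth_exposure(main, master))
```

This is a static approximation of what smtpd will advertise; the authoritative check is to connect to each port and read the EHLO response before and after STARTTLS. Note that smtpd_tls_auth_only = yes on its own is enough to keep AUTH out of the plaintext EHLO, but leaving smtpd_sasl_auth_enable off globally is the simpler policy to verify.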
Re: Blacklistd
Marc wrote:
>> Blacklistd places a very short set of code to send a small packet to a socket when the decision is made to deny access.
> And how does blacklistd get fed?

Actually, one needs to add a small amount of code to dovecot which writes to a socket. This code needs to be invoked whenever someone tries to "break in" or "abuse" your dovecot server. Thus, the application informs the blacklistd daemon about abuse and who did so. Blacklistd listens to that socket [1]. The running blacklistd then decides what to do with these attempts and uses firewall functionality to block future attempts if wanted.

[1] https://github.com/paul-chambers/blacklistd

The sources of bind, ftp, sshd, and postfix have already been modified accordingly.

Regards,
Michael
Re: Shared / Public mailbox
Curious, what is the use case that you simply can't create three users, and share the password on one of the email accounts? They can simply set up their email clients to check both mailboxes, why would this not work, and what is the use case that requires customizing your MTA?

On 2023-04-15 04:22, Stephane MAGNIER wrote:
> Hi
>
> I wish to create a shared mailbox (well.. Apparently, this is a public mailbox). Let's say I have 2 users: user1 & user2 and the need to share a mailbox for "general inquiries" emails.. Despite the 2 users' account creation (user1 & user2), should I create a third email account (info1) for general inquiries for instance and instruct Dovecot that this mailbox has to be shared?
>
> In that case, logically, I have to declare into "15-Mailboxes.conf":
>
>   namespace {
>     type = public
>     separator = /
>     prefix = Public/
>     location = maildir:/var/spool2/mail/info1/:CONTROL=/var/spool2/mail/Maildir/info1:INDEX=/var/spool2/mail/info1
>     # Allow users to subscribe to the public folders.
>     subscriptions = yes
>   }
>
> and add a file /etc/dovecot/dovecot-acl:
>
>   /var/spool2/mail/info1/ user=user1,user2 lrwstipekxa
>   /var/spool2/mail/info1/* user=user1,user2 lrwstipekxa
>
> and add the plugin:
>
>   plugin {
>     acl = vfile
>   }
>
> Is that the way to do it?
>
> 2) Now what is the difference between a shared and Public mailbox? I can see that the plugin is slightly different: acl_shared_dict <https://doc.dovecot.org/settings/plugin/acl-plugin/#plugin_setting-acl-acl_shared_dict>
>
> For me a "public" email folder is for sharing emails.. My understanding is: a general email account can be shared (like info1 in my example).. this is called a public mailbox (specific email account, shared between users). So what is called a "Shared mailbox"?
>
> Thanks for your help

-- 
Michael Peddemors, President/CEO LinuxMagic Inc.
Email not working
Hi,

First of all may I say I am not an expert on Dovecot so please forgive me if the answer to my query is obvious. After upgrading from Ubuntu 20.04 to 22.04 my email is not working.

root@mail:~# doveconf -n
# 2.3.16 (7e2e900c1a): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.16 (09c29328)
# OS: Linux 5.15.0-60-generic x86_64 Ubuntu 22.04.1 LTS
# Hostname: mail.odysseytours.nz
auth_debug = yes
auth_mechanisms = plain login
auth_username_format = %{if;%d;eq;mail.odysseytours.nz;%Ln;%Lu}
listen = *, ::
mail_debug = yes
mail_location = mbox:~/mail:INBOX=/var/mail/%u
mail_privileged_group = mail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
plugin {
  sieve = file:~/sieve;active=~/.dovecot.sieve
}
protocols = " imap lmtp sieve pop3"
service stats {
  unix_listener stats-reader {
    group = vmail
    mode = 0660
    user = vmail
  }
  unix_listener stats-writer {
    group = vmail
    mode = 0660
    user = vmail
  }
}
ssl_cert = 

https://serverfault.com/questions/260488/dovecot-user-lookup-fails-when-using-usernamedomain-format

auth_mechanisms = plain login
!include auth-system.conf.ext

Contents of /etc/dovecot/conf.d/auth-system.conf.ext with all comments removed:

passdb {
  driver = pam
}
userdb {
  driver = passwd
  ##https://doc.dovecot.org/configuration_manual/authentication/passwd/#authentication-passwd
  args = blocking=no
}

It says "Authentication failure (Password mismatch?)" but it's definitely the correct password.

root@mail:/home/mike# doveadm log errors
Feb 22 02:43:48 Error: auth: passwd(postmas...@odysseytours.nz): getpwnam() failed: Address family not supported by protocol

Don't know what this error means. Any help would be greatly appreciated.
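Added illustration, not part of the post and not Dovecot's own variable-expansion code: a small evaluator for just the subset of Dovecot 2.3 variable syntax that the posted auth_username_format uses (%u, %n, %d, the L lowercase modifier, and %{if;...;eq|ne;...;then;else}), so you can see which name the passwd userdb is asked to look up for a given login. The system account list is constructed. For a login in the odysseytours.nz domain the condition is false and the full address is passed through unchanged, which is the form that shows up in the getpwnam() error above; no system passwd entry has a name of that shape.

```python
import re

# The auth_username_format from the doveconf -n output above.
AUTH_USERNAME_FORMAT = "%{if;%d;eq;mail.odysseytours.nz;%Ln;%Lu}"

# Constructed stand-in for the system passwd database. The passwd userdb
# does a getpwnam() on whatever name the format expands to.
SYSTEM_ACCOUNTS = {"mike", "postmaster", "vmail"}

_VAR_RE = re.compile(r"%(L?)([und])")
_IF_RE = re.compile(r"%\{if;([^{}]*)\}")


def _variables(user):
    """%u is the full login, %n the part before '@', %d the part after it."""
    name, _, domain = user.partition("@")
    return {"u": user, "n": name, "d": domain}


def expand(fmt, user):
    """Expand the supported subset: %u/%n/%d, optional L modifier (lowercase),
    and %{if;<a>;<op>;<b>;<then>;<else>} with op eq or ne. Other operators
    and nested conditions are out of scope here (assumption, kept simple)."""
    vars_ = _variables(user)
    resolved = []

    def sub_var(m):
        value = vars_[m.group(2)]
        return value.lower() if m.group(1) == "L" else value

    def sub_if(m):
        parts = m.group(1).split(";")
        if len(parts) != 5:
            raise ValueError(f"unsupported condition: {m.group(0)}")
        a, op, b, then, else_ = (_VAR_RE.sub(sub_var, p) for p in parts)
        if op not in ("eq", "ne"):
            raise ValueError(f"unsupported operator: {op}")
        resolved.append(then if (a == b) == (op == "eq") else else_)
        # Park the already-expanded branch so the outer pass cannot expand it twice.
        return f"\x00{len(resolved) - 1}\x00"

    text = _IF_RE.sub(sub_if, fmt)
    text = _VAR_RE.sub(sub_var, text)
    return re.sub(r"\x00(\d+)\x00", lambda m: resolved[int(m.group(1))], text)


def passwd_lookup(login):
    """Simulate the passwd userdb: the expanded name must exist in the
    system database, otherwise the lookup fails."""
    name = expand(AUTH_USERNAME_FORMAT, login)
    return name if name in SYSTEM_ACCOUNTS else None


if __name__ == "__main__":
    for login in ("postmaster@odysseytours.nz", "Mike@mail.odysseytours.nz", "mike"):
        print(f"{login:32} -> {expand(AUTH_USERNAME_FORMAT, login)!r:32} "
              f"passwd: {passwd_lookup(login)}")
```

Only a login whose domain part is exactly mail.odysseytours.nz is reduced to its local part; any other domain (or the bare local part) reaches the passwd driver as typed.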
[OFF TOPIC] Re: Pigeonhole Sieve Vacation Reply-To peculiarity with inbound AWS-SES
TOP POSTING for clarity

I think this is getting off topic for the dovecot list.

Vacation messaging is a complex topic, and for the record it does seem that the way they are doing vacation messages could use improvement. This should NOT be sent as a BOUNCE <>, and it should NOT come from MAILER-DAEMON, as it is actually from the person with the vacation message. It also should NOT have a precedence header of BULK.

In the short term, you might need to reconsider how you handle vacation messages, in the long term you should file a bug report through the appropriate channels.

The REAL problem of course stems from the MAIL FROM via SES.

Return-Path: <010701863b42f48e-59d7870d-22cc-4dfe-a34f-0415ac334045-000...@eu-central-1.amazonses.com>

This is long a pet peeve, where systems don't utilize the actual sender address in the MAIL FROM. There are many things I would like to do based on the data in the MAIL FROM, but this is obfuscation for obfuscation's sake.. I would expect that to be..

Return-Path:

Simply put, fix that, and you fix your problem ;)

This is why vacation messages need filters, so they don't respond to mailing lists, bulk mailers, automated emails, etc.

On 2023-02-10 04:18, Dr. Rolf Jansen wrote:
> On 08.02.2023 at 20:03, Michael Peddemors wrote:
>> Dovecot vacation message issues.. Tough for any system to do correctly.
>
> The problem here is that inbound mails from third parties utilizing AWS-SES come in with an unpersonalized envelope address and SES takes returns to this as bounce messages and changes the body's From: to „mailer-dae...@xx--1.amazonses.com“, which is not even our MAILER-DAEMON but the one of the receiver of our reply. So the receiver gets no chance to know from the headers the identity of whom replied - he may assume it from the context of the actual message, though.
>
>> We addressed this by NOT returning vacation messages to systems that don't use 'proper' values in the MAIL FROM.. Eg Mailing Lists, Sender Rewrite schemes, and a slurry of other rules.
>
> Who is we? Your organization or the Pigeonhole developers? Actually, the question is, whether this is addressed somewhere in Pigeonhole’s code already?
>
>> But the problem is that if you are using the header From, or Reply-To etc, it's too easy to be sending to forged email addresses. Vacation bombing attacks for instance..
>
> You got a point here, and of course I want to prevent this.
>
>> Now, there are legitimate cases of the MAIL FROM and header from not aligning, so it is best to send to the MAIL FROM addresses.. IF you don't send it to certain MAIL FROM formats, usually by not responding to anything with mailing list identifiers, auto-suppress headers, and a few others, you only end up with clean MAIL FROM to respond to.
>
> From the point of view of our industrial customers, who are operating processes with our chemicals, this consideration is irrelevant. If they inform a production issue by mail to the responsible service technician, they expect an immediate response, since a production stop is unacceptable. OoO notices play a role here, because we would inform alternative addresses and phone numbers for attending the support case. That said, with Pigeonhole, we are almost there.
>
>> But if you have an example that is particularly bothering you, and represents your problem, we can walk through that as an example.
>
> I send an email from an account of a mail server (Postfix/Dovecot - outbound relay SES) running on an AWS-EC2 instance in São Paulo (Brazil) to another mail address of mine of a mail server (Postfix/Dovecot direct MX) on an AWS-EC2 instance in Frankfurt Germany, and here Pigeonhole’s vacation reply is activated.
>
> In the following I changed my real mail address in Brazil to r...@example.br and the real one in Germany to r...@example.de:
>
> The point of view of both involved Postfixes of said transactions are:
>
> Sender (Brazil):
> postfix/submission/smtpd[29165]: 97006638E8: client=201-68-62-42.dsl.telesp.net.br[201.68.62.42], sasl_method=CRAM-MD5, sasl_username=r...@example.br
> postfix/cleanup[29182]: 97006638E8: message-id=<707a1777-8f09-4335-99ba-70c0367c1...@example.br>
> postfix/qmgr[2058]: 97006638E8: from=, size=39626, nrcpt=1 (queue active)
> postfix/smtp[29183]: 97006638E8: to=, relay=email-smtp.sa-east-1.amazonaws.com[52.67.192.29]:587, delay=0.37, delays=0.05/0.01/0.13/0.18, dsn=2.0.0, status=sent (250 Ok 010301863b0211fe-9416f5b2-7e18-4c03-a5e5-2204dd7946f8-00)
>
> Receiver (Germany):
> postfix/smtpd[86956]: connect from d215-2.smtp-out.sa-east-1.amazonses.com[23.249.215.2]
> postfix/smtpd[86956]: A44AB676E3: client=d215-2.smtp-out.sa-east-1.amazonses.com[23.249.215.2]
> postfix/cleanup[86957]: A44AB676E3: message-id=<010301863b0211fe-9416f5b2-7e18-4c03-a5e5-2204dd7946f8-000...@sa-east-1.amazonses.com>
> postfix/qmgr[915]: A44AB676E3: from=<010301863b0211fe-9416f5b2-7e18-4c03-a5e5-2204dd7946f8-000...@sa-east-1.amazonses.com>
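Added example of the filtering described in this exchange (don't auto-reply to bounces, mailing lists, auto-generated mail, rewritten forwarder senders); it is not Pigeonhole's vacation implementation and not code from either participant. The decision is made on the envelope sender plus the headers named above and the ones RFC 3834 lists; the exact header set and the role-address list are assumptions, and all messages and addresses are constructed. The last case deliberately shows the gap this thread is about: an SES-style return path is a syntactically ordinary mailbox, so none of these rules stop the reply, and the only real fix is the one given above, a proper MAIL FROM at the sending side.

```python
import email

# Role local parts that RFC 3834 says an automatic responder must not answer
# (list is an assumption; extend to taste).
NO_REPLY_LOCALPARTS = {"mailer-daemon", "postmaster", "noreply", "no-reply"}

# Constructed sample messages (not real mail).
CUSTOMER_MAIL = """From: ops@example.br
To: support@example.de
Subject: Production issue on line 3

Reactor feed stopped, please call.
"""

LIST_MAIL = """From: someone@example.org
To: dovecot@dovecot.org
List-Id: Dovecot Mailing List <dovecot.dovecot.org>
Precedence: list
Subject: Re: Pigeonhole vacation

...
"""

BOUNCE_MAIL = """From: MAILER-DAEMON@mx.example.net
To: support@example.de
Auto-Submitted: auto-replied
Subject: Undelivered Mail Returned to Sender

...
"""

# Constructed in the style of the amazonses.com Return-Path quoted above.
SES_STYLE_SENDER = "0107018xxxxxxxxx-bounce-000000@eu-central-1.amazonses.com"


def vacation_reply_decision(envelope_from, raw_message):
    """Return (send, reasons). send is False whenever the envelope sender or
    the headers mark the mail as a bounce, list traffic, an auto-generated
    message, or a forwarder-rewritten (SRS) sender."""
    msg = email.message_from_string(raw_message)
    reasons = []

    sender = (envelope_from or "").strip().lower()
    if not sender:
        reasons.append("null envelope sender (bounce/DSN)")
    else:
        local = sender.rpartition("@")[0]
        if local in NO_REPLY_LOCALPARTS or local.startswith("owner-") or local.endswith("-request"):
            reasons.append("envelope sender is an automated role address")
        if local.startswith(("srs0=", "srs1=")):
            reasons.append("envelope sender was rewritten by a forwarder (SRS)")

    auto = (msg.get("Auto-Submitted") or "no").split(";")[0].strip().lower()
    if auto != "no":
        reasons.append(f"Auto-Submitted: {auto}")
    for header in ("List-Id", "List-Unsubscribe", "List-Post"):
        if header in msg:
            reasons.append(f"mailing list header {header} present")
            break
    precedence = (msg.get("Precedence") or "").strip().lower()
    if precedence in {"bulk", "list", "junk"}:
        reasons.append(f"Precedence: {precedence}")
    suppress = {v.strip().lower() for v in (msg.get("X-Auto-Response-Suppress") or "").split(",")}
    if suppress & {"all", "oof"}:
        reasons.append("X-Auto-Response-Suppress forbids out-of-office replies")

    return (not reasons, reasons)


if __name__ == "__main__":
    cases = [
        ("ops@example.br", CUSTOMER_MAIL),
        ("", BOUNCE_MAIL),
        ("someone@example.org", LIST_MAIL),
        ("SRS0=hhhh=AB=example.org=user@forwarder.example", CUSTOMER_MAIL),
        (SES_STYLE_SENDER, CUSTOMER_MAIL),
    ]
    for envelope, raw in cases:
        send, why = vacation_reply_decision(envelope, raw)
        print(f"{envelope or '<>':55} send={send} {why}")
```

The reply, when it is sent, goes to the envelope sender, never to the header From or Reply-To, for the forgery reason given above. The SES-style case comes back as "send", and the resulting reply is exactly the one that then bounces into the MAILER-DAEMON situation the thread describes.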
[OFF TOPIC] Re: Pigeonhole Sieve Vacation Reply-To peculiarity with inbound AWS-SES
On 2023-02-07 13:33, jeremy ardley wrote:
> On 8/2/23 05:08, Dr. Rolf Jansen wrote:
>> On 07.02.2023 at 17:54, jeremy ardley wrote:
>>> On 7/2/23 22:01, Dr. Rolf Jansen wrote:
>>>> To begin with, usage of Amazon's Simple Email Service (SES) is mandatory for outgoing mails from AWS-EC2 instances.
>>>
>>> I run AWS-EC2 instances using postfix to send and receive mail. They can send direct assuming I set up suitable SPF, but they typically forward mail to another host under my control that is not on AWS to use as the outgoing server.
>>
>> OK, that’s another use case. Many do use a full fledged Postfix/Dovecot installation. However the outgoing port 25 into the internet is blocked by AWS, and therefore we may either use a third party relay for our outgoing emails or may use SES, which is not that bad - except some unusual peculiarities.
>
> This is off topic, but to be precise:
> - AWS throttles but does not block traffic to a *destination* port 25.
> - The *origin* port on the EC2 instance is an unprivileged port, not port 25
> - If you use a relayhost you typically send from an unprivileged EC2 port to port 587 on the relay host
>
> Jeremy

And if you DO intend to send out to port 25, remember to update the PTR on your EC2 instance.

-- 
Michael Peddemors, President/CEO LinuxMagic Inc.
Re: sasl service for other app
On 2022-12-07 20:53, Henry R wrote:
> can dovecot run as a general sasl service for other apps? such as webdav. Thanks.

Almost anything can use dovecot (or any other system) as an authentication SASL service, but it is the 'gotchas' that you have to think about.

* Does this open your SASL mechanism to new brute force attacks?
* How do you pass additional information to the SASL, eg country of origin, IP Address
* How do you pass 2FA through?
* Rate Limiting?
* What about policies such as the use of TOR Proxies?
* Will this create excessive demand on dovecot?

On the surface, the authentication part is the most simple. However, you might want to consider connecting directly to the underlying mechanism that your dovecot is using. With a middle layer of course, that addresses all of the other issues.

-- 
Michael Peddemors, President/CEO LinuxMagic Inc.
Re: bug: ARGON2 hash selection incompatible with LDAP
On 11/15/22 13:45, Krisztián Szegi wrote:
> I'd like to report that non-binding auth to (Open)LDAP doesn't work if the latter hashes passwords with ARGON2.

Could you please elaborate why using LDAP bind is a problem for you?

Ciao,
Michael.
Re: The end of Dovecot Director?
On 2022-10-20 22:19, Zhang Huangbin wrote:
>> On Oct 21, 2022, at 4:19 AM, Antonio Leding wrote:
>> My understanding is that Director is targeted toward large enterprise mail installations that will incorporate several servers for a given function. In such an environment, Director would be the fore-person\traffic-cop keeping things organized & squared-away.
>
> Director is used when you setup frontend servers in a load-balance cluster, proxy imap/pop3/lmtp/managesieve requests to backend Dovecot servers. I setup a load-balance cluster for clients with HAProxy + KeepAlived + Dovecot Director running in frontend servers, so sad we have to find an alternative to replace Director in such case.
>
> It's not about "small/medium" servers, but the demand of imap/pop3/lmtp proxy service, especially in load-balance cluster.
>
> Zhang Huangbin, founder of:
> - iRedMail: Open source email server solution: https://www.iredmail.org/
> - Spider: Lightweight, on-premises Email Archiving Software: https://spiderd.io

Curious, trying to understand.. Why would a true load balancer not be an attractive option for those that need to load balance services across multiple front ends? It is the model we use with most of our ISP's and scales very well. The choice of load balancer is important, but with HA load balancers, you are assured that you don't have a single point of failure, and you can spread loads more granularly, eg POP, IMAP and other services. Not to mention, you can use the same load balancer for many other traffic shaping solutions.

-- 
Michael Peddemors, President/CEO LinuxMagic Inc.
mdbox vs. maildir format
hey,

i am considering changing my mailbox format from maildir to mdbox. the reason for this is mainly, b/c i have (a) multiple large mailboxes with tens of thousands of mail files, and (b) most of these mail files have a size significantly smaller than the sector size of the disk. so, since the emails themselves are only about nGB large, the disk space used is at least twice as much, if not even three times. i know, hard disk space is 'cheap', but still...

but then i read at https://doc.dovecot.org/admin_manual/mailbox_formats/dbox/ the following:

> [...] you must not lose the dbox index files, as they can’t be regenerated without data loss.

so, raid is mandatory, which is already the case, but what about backup? how can i achieve a backup/snapshot of both, the mdbox (nfs share) and the index files (local raid) and assure they are consistent?

greetings...
Re: Pigeonhole redirect is adding a message-id header when it already exists
This should almost be an RFC discussion, rather than a dovecot discussion, for clarity on what to do with a malformed Message-Id.

For the record, if you start modifying it by deleting the bad message id, and adding your own, you can start breaking other things, such as DKIM signing etc..

IMHO, Dovecot should simply refuse to accept or deliver a message with a 'bad' message id, so that the sending system can identify and correct the problem. That way Dovecot doesn't need to address/modify the email message.

-- Michael --

On 2022-10-01 21:35, Sébastien Riccio wrote:
> Hi,
>
> After reading a bit the code and trying to understand it, here is what I think happens here:
>
> Given a bogus Message-ID, for example (notice it's missing angle brackets < >):
>
> Message-ID: 1883biz_pay_after_purchase:0:0_572392900$ae7ed6e4d53b424c84aaf83b30c507e7
>
> Dovecot is parsing Message-ID headers and is looking for the angle bracket as the beginning of the Message-ID:
> https://github.com/dovecot/core/blob/d2ff32792ac052610cea7d65f30de1ee139cb55c/src/lib-mail/message-id.c#L75
>
> As none is found it will act as if there was no Message-ID header in the mail (even though the header is present).
>
> Then, pigeonhole's redirect function is told to generate a new Message-ID if none was previously detected:
> https://github.com/dovecot/pigeonhole/blob/5a3f4bd672cc2fb9e755a4b09c4753ac86e15f99/src/lib-sieve/cmd-redirect.c#L569
>
> The result is the mail being forwarded, in this case, is now having dual Message-ID and is not RFC 5322 compliant anymore and can be rejected for this reason (hi, gmail?)
> https://www.spamresource.com/2022/08/gmail-weird-rfc-5322-bounces-and-what.html
>
> Some thoughts:
>
> - First, to be honest, I'm not sure gmail would accept the original mail with the bogus Message-ID sent directly to their servers, but if it was refused, I would assume that these senders would have fixed the issue on their side so their messages are delivered (unless there is some whitelisting going on?)
>
> - What options could we have to resolve this?
>   a) Having dovecot core remove the Message-ID header line from the mail if it is not going to consider it valid? (So there are no dupe headers when pigeonhole adds one?)
>   b) Having pigeonhole check, when adding a new valid Message-ID, if there is already one existing, and remove the bogus one?
>
> For now, to work around this, I'm trying to find a way in the mail flow on our servers to keep only the top most Message-ID when more than one exists. Maybe using:
> https://www.postfix.org/postconf.5.html#smtp_header_checks
> but I'm not sure how to achieve it yet or even if it's possible.
>
> Kind regards
>
> Sébastien RICCIO
> SYSTEM ADMINISTRATOR
> P +41 840 888 888  F +41 840 888 000
> M sric...@swisscenter.com
>
> -- Original message --
> From "michael.z...@feierfighter.de" <michael.z...@feierfighter.de>
> To "dovecot@dovecot.org" <dovecot@dovecot.org>
> Date 01.10.2022 14:49:13
> Subject Re: Re[6]: Pigeonhole redirect is adding a message-id header when it already exists
>
>> Hi there,
>>
>> I can confirm this behavior. A few months ago I introduced a milter which is checking for multiple headers when the RFC says that there just should be one of them. For example "Message-Id". I found the described problem in an email coming from Alibaba, which had an invalid "Message-Id" header. It didn't contain an "@" sign or similar. It was RFC-invalid. This email was sent from Alibaba to a German email provider. There was a redirect at that email provider, pointing to my mailserver. My server rejected the email because there were 2 "Message-Id" headers: The original invalid "Message-Id" header from Alibaba, and a new "Message-Id" header from the German provider, which seems to have been added during the redirect. There were "Dovecot-sieve" headers in that mail, so my guess was that it happened because of the Dovecot-sieve/pigeonhole implementation. I contacted the email provider, asking for help. Asking if it really is a bug in pigeonhole (or maybe some other system at that provider, who knows). And I contacted Alibaba, so they fix the invalid "Message-Id". I got responses from both, but until now, as far as I can see, it has not been fixed. The best fix would be (if it really is a bug in pigeonhole), if pigeonhole fixes the problem, then it's f
Re: Re[6]: Pigeonhole redirect is adding a message-id header when it already exists
Hi there,

I can confirm this behavior. A few months ago I introduced a milter which is checking for multiple headers when the RFC says that there just should be one of them. For example "Message-Id". I found the described problem in an email coming from Alibaba, which had an invalid "Message-Id" header. It didn't contain an "@" sign or similar. It was RFC-invalid.

This email was sent from Alibaba to a German email provider. There was a redirect at that email provider, pointing to my mailserver. My server rejected the email because there were 2 "Message-Id" headers: The original invalid "Message-Id" header from Alibaba, and a new "Message-Id" header from the German provider, which seems to have been added during the redirect. There were "Dovecot-sieve" headers in that mail, so my guess was that it happened because of the Dovecot-sieve/pigeonhole implementation.

I contacted the email provider, asking for help. Asking if it really is a bug in pigeonhole (or maybe some other system at that provider, who knows). And I contacted Alibaba, so they fix the invalid "Message-Id". I got responses from both, but until now, as far as I can see, it has not been fixed.

The best fix would be (if it really is a bug in pigeonhole), if pigeonhole fixes the problem, then it's fixed for all users of Dovecot. I guess Alibaba is not the only sender with an invalid "Message-ID" header, but that's the only one I saw.

Michael

On 01-Oct-2022 14:00:45 +0200, sric...@swisscenter.com wrote:
>You wrote in the original email the message was rejected. Sorry I don't have
>login access to my gmail test account anymore since the google @#$%@#$% wanted
>to have me add a phone number.

In my original post I said that gmail was rejecting the forwards because of duplicate headers, and that the duplicate header seems to be a Message-ID added by pigeonhole when it's "not happy" with the original mail Message-ID. I probably failed to explain the issue clearly and sorry for that.
Thank you anyway for trying to help :)
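The two checks the thread talks about, rejecting a malformed Message-ID at ingress (Michael's suggestion) and a milter-style count of headers that RFC 5322 allows only once (Michael Z.'s milter), as an added example that is not Dovecot, Pigeonhole or anyone's posted code. It uses only the Python standard library; the function names, the "bracket-only" parser stand-in, and the sample messages are constructed for illustration (the malformed header value is the one quoted in the thread).

```python
"""Audit Message-ID headers of a raw RFC 5322 message.

Three observations from the thread are reproduced here:
  * a parser that only accepts '<...>' treats a bracket-less header as absent,
  * RFC 5322 allows at most one Message-ID header line per message,
  * a msg-id without '@' (or without angle brackets) is not RFC 5322 compliant.
Added example; not Dovecot or Pigeonhole code.
"""
import re
from email.parser import BytesParser

# Simplified RFC 5322 msg-id: "<" id-left "@" id-right ">" (no CFWS, no quoting).
MSG_ID_RE = re.compile(r"^\s*<([^\s<>@]+)@([^\s<>@]+)>\s*$")


def is_rfc5322_msg_id(value: str) -> bool:
    """True if the header value is a single, well-formed msg-id."""
    return MSG_ID_RE.match(value) is not None


def bracketed_id(value: str):
    """Stand-in (assumption, not Dovecot's parser) for a bracket-only parser:
    return the text of the first '<...>' pair, or None if there is no '<'.
    A None result is exactly the "no Message-ID header" case the thread describes."""
    start = value.find("<")
    if start == -1:
        return None
    end = value.find(">", start)
    if end == -1:
        return None
    return value[start + 1:end]


def audit_message_id(raw: bytes) -> dict:
    """Return an audit dict for a raw message:
    count   - number of Message-ID header lines present
    invalid - values that are not RFC 5322 msg-ids
    parsed  - what a bracket-only parser would see (None means 'absent')
    verdict - 'ok', 'reject-malformed' or 'reject-duplicate'
    Rejecting at ingress leaves the message unmodified, so DKIM signatures
    covering Message-ID stay intact on the sender's side."""
    msg = BytesParser().parsebytes(raw)
    values = msg.get_all("Message-ID") or []
    invalid = [v for v in values if not is_rfc5322_msg_id(v)]
    parsed = next((bracketed_id(v) for v in values if bracketed_id(v)), None)
    if len(values) > 1:
        verdict = "reject-duplicate"
    elif invalid:
        verdict = "reject-malformed"
    else:
        verdict = "ok"
    return {"count": len(values), "invalid": invalid, "parsed": parsed, "verdict": verdict}


# Constructed sample messages (not real mail). The malformed value is the one
# quoted in the thread; the generated id imitates what a redirect would add.
VALID = (b"From: sender@example.com\r\nTo: user@example.net\r\n"
         b"Message-ID: <abc123@sender.example>\r\nSubject: t\r\n\r\nbody\r\n")
MALFORMED = (b"From: sender@example.com\r\nTo: user@example.net\r\n"
             b"Message-ID: 1883biz_pay_after_purchase:0:0_572392900$ae7ed6e4d53b424c84aaf83b30c507e7\r\n"
             b"Subject: t\r\n\r\nbody\r\n")
DUPLICATE = (b"From: sender@example.com\r\nTo: user@example.net\r\n"
             b"Message-ID: <generated-id@forwarder.example>\r\n"
             b"Message-ID: 1883biz_pay_after_purchase:0:0_572392900$ae7ed6e4d53b424c84aaf83b30c507e7\r\n"
             b"Subject: t\r\n\r\nbody\r\n")

if __name__ == "__main__":
    for name, sample in (("valid", VALID), ("malformed", MALFORMED), ("duplicate", DUPLICATE)):
        print(name, audit_message_id(sample))
```

Running the block shows the chain the thread describes: the malformed message yields parsed=None (the header is effectively invisible), and once a second, valid header has been prepended the same message trips the duplicate check instead.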
Re: convert mdbox to maildir
2nd idea (see below)

> On 14. Aug 2022, at 21:15, Michael Grimm wrote:
>
> lutz.niede...@gmx.net wrote:
>
>> Yes, you are right. The problems are not of technical nature. The reason
>> seems to be some sort of fear (and "admins").
>> We have all we need. We have the old dovecot config, we have the mdbox
>> files and the complete directory structure. We are simply not allowed to do
>> all the stuff on the live system. Even if dsync backup exists that does not
>> modify anything.
>
> Would they allow a backup to your remote system aka:
>
> doveadm backup -u XYZ -f -d destination
>
> Have a look at man doveadm-backup for the specifics. Haven't done that before.
>
> You have to run dovecot at the old server and the new server. The new server
> has to have maildir set as mail storage. Start with an initial remote backup
> and incoming mail running at the old server, because that will take some
> time. At the weekend cut off incoming mail and repeat the backup. Finally you
> have to redirect mail to the new server. Haven't done that before to a remote
> server but to different filesystems at one host, instead.
>
> If I might have misunderstood what you need to achieve, forget about this
> mail ;-)
>
> Regards,
> Michael

Or set up replication between old and new server. If all mail is replicated, redirect mail to the new server. With this setup they can even continue to use their old server for a while ;-)
Re: convert mdbox to maildir
lutz.niede...@gmx.net wrote:

> Yes, you are right. The problems are not of technical nature. The reason
> seems to be some sort of fear (and "admins").
> We have all we need. We have the old dovecot config, we have the mdbox files
> and the complete directory structure. We are simply not allowed to do all
> the stuff on the live system. Even if dsync backup exists that does not
> modify anything.

Would they allow a backup to your remote system aka:

doveadm backup -u XYZ -f -d destination

Have a look at man doveadm-backup for the specifics. Haven't done that before.

You have to run dovecot at the old server and the new server. The new server has to have maildir set as mail storage. Start with an initial remote backup and incoming mail running at the old server, because that will take some time. At the weekend cut off incoming mail and repeat the backup. Finally you have to redirect mail to the new server. Haven't done that before to a remote server but to different filesystems at one host, instead.

If I might have misunderstood what you need to achieve, forget about this mail ;-)

Regards,
Michael
Re: rawlog data in a lua script
Hi Aki, On 08.08.22 13:54, Aki Tuomi wrote: Hi, Michael, did you consider my suggestion to use raw events instead of rawlogs for this? I was writing an answer to you next :-) As far as I can see, the "Event Export" only exports events of the requests, but not the full raw responses, correct? https://doc.dovecot.org/configuration_manual/event_export/ I need the complete rawlog that currently is written to the rawlog directory, which means the raw requests (IMAP, POP3 commands), and the raw response lines (for example a FETCH response -> a 20 MB mail content). Everything that could be seen on the wire via tcpdump after authentication (which is the rawlog of Dovecot as far as I can see). I need the rawlog feature, but not written to multiple files (which I have to collect in realtime with some black magic), but for example in a lua-script, which would make it a lot easier to analyse and/or send it to an HTTP endpoint. Maybe there are other possibilities, for example sending the rawlog of a user to a single file (or pipe/socket), where I can easily receive the raw logs for that user and send it to an HTTP endpoint. That's a lot easier than to "watch" a directory for new files, detect changes to existing files, collect them and send them via HTTP. I somehow need to send the raw log of specific users in realtime (maybe with a few seconds delay) to an HTTP endpoint (where each request or response is a single HTTP request, maybe we could also batch some requests and responses to reduce the HTTP requests to the endpoint). The current implementation of the rawlog feature is nice for manually debugging a single user, but when debugging/monitoring multiple users automatically, collect the logs and send them to a central place, it's hard to use ("watching" directories for changes via inotify, and run "tail" on the files for hours and days is not fun and can easily break). 
Michael

On 08/08/2022 14:52 EEST michael.z...@feierfighter.de wrote:

Hi,

as far as I know I cannot configure Dovecot to pipe the rawlog into rsyslog. Or can I, how?

The rawlog feature in Dovecot writes multiple files (two for each connection, one for raw requests and one for raw responses) into a predefined directory for the user. This generates dozens or hundreds of files per user per day, each file with a timestamp in it, so the filename is not predictable.

Even if it works, I'm not sure if syslog (rsyslog or syslog-ng) should be (ab)used to collect the rawlog file contents, which might be hundreds of MB per minute if someone FETCHes all his emails while setting up a new account in Thunderbird or so. That sounds like a suboptimal idea. Syslog cannot handle binary text I guess, and it might have limits like "line length limits" or similar. It sounds like the wrong tool for the job.

Michael

On 28-Jul-2022 15:28:16 +0200, dove...@ptld.com wrote:

I'm searching for a possibility to have the rawlog feature in lua, which would be much easier for processing.

It would be much easier to hook to the "raw request and response events" inside Dovecot and have the rawlog-data in a lua script, where I can prepare it and send it to another machine for monitoring/collection/analysis/statistics or similar, for example via HTTP.

rsyslog has this feature (omprog) allowing you to set up any script/program for it to pipe logs to in real time.
https://www.rsyslog.com/doc/master/configuration/modules/omprog.html
https://github.com/rsyslog/rsyslog/blob/master/plugins/external/INTERFACE.md

Works similar in concept to postfix policy servers if you are familiar with them.
Re: rawlog data in a lua script
Hi,

as far as I know I cannot configure Dovecot to pipe the rawlog into rsyslog. Or can I, how?

The rawlog feature in Dovecot writes multiple files (two for each connection, one for raw requests and one for raw responses) into a predefined directory for the user. This generates dozens or hundreds of files per user per day, each file with a timestamp in it, so the filename is not predictable.

Even if it works, I'm not sure if syslog (rsyslog or syslog-ng) should be (ab)used to collect the rawlog file contents, which might be hundreds of MB per minute if someone FETCHes all his emails while setting up a new account in Thunderbird or so. That sounds like a suboptimal idea. Syslog cannot handle binary text I guess, and it might have limits like "line length limits" or similar. It sounds like the wrong tool for the job.

Michael

On 28-Jul-2022 15:28:16 +0200, dove...@ptld.com wrote:
> I'm searching for a possibility to have the rawlog feature in lua, which
> would be much easier for processing.
>
> It would be much easier to hook to the "raw request and response events"
> inside Dovecot and have the rawlog-data in a lua script,
> where I can prepare it and send it to another machine for
> monitoring/collection/analysis/statistics or similar, for example via HTTP.

rsyslog has this feature (omprog) allowing you to set up any script/program for it to pipe logs to in real time.
https://www.rsyslog.com/doc/master/configuration/modules/omprog.html
https://github.com/rsyslog/rsyslog/blob/master/plugins/external/INTERFACE.md

Works similar in concept to postfix policy servers if you are familiar with them.
Re: rawlog data in a lua script
Hi Paul,

I don't understand how to use your idea/script together with the rawlog feature of Dovecot.

The rawlog feature in Dovecot writes multiple files (two for each connection, one for raw requests and one for raw responses) into a predefined directory for the user. This generates dozens or hundreds of files per user per day, each file with a timestamp in it, so the filename is not predictable.

How should I create "a socket" for that to capture the file contents if I don't know the filenames that will be used?

Michael

On 28-Jul-2022 13:02:16 +0200, p...@scom.ca wrote:

Hi - I use this python script to capture a socket (ie the log file) and then send it to syslog, i use this for all the systems that do not really support syslogging (apache etc)

basic usage

/usr/bin/nohup /programs/common/capture -s /usr/local/apache2/logs/httpd-access.log -l httpd -d 10.228.0.6:514 -p httpd & > /dev/null

i typically run this at startup in rc.local

hope this helps
rawlog data in a lua script
Hi,

I'm searching for a possibility to have the rawlog feature in lua, which would be much easier for processing.

Currently Dovecot, when activating rawlog for a user, writes everything to disk (which creates I/O), and I have to somehow read it from there. That's a bit complicated, because I have to get notified via inotify or similar when there are new files created, and then I have to start a "tail" or "epoll" mechanism on the files to get the contents in more or less real time (IMAP sessions can be multiple hours or days).

It would be much easier to hook to the "raw request and response events" inside Dovecot and have the rawlog-data in a lua script, where I can prepare it and send it to another machine for monitoring/collection/analysis/statistics or similar, for example via HTTP. Having the rawlog data available in lua would make things a lot easier.

Is there any possibility at the moment to create a lua script and "hook" to those "request and response events"? If not, would it be possible to add that feature in the future?

Kind regards
Michael
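The collection problem described throughout this thread (per-connection rawlog files with unpredictable, timestamped names that keep growing for hours) can be handled without inotify or a long-running tail by keeping a read offset per file and rescanning the directory on each poll. The following is an added example, not Dovecot code or anything posted in the thread: the class and function names, the polling approach, and the file names written by demo() are all constructed for illustration (Dovecot's real rawlog naming is not assumed here; the glob pattern is configurable for that reason).

```python
"""Follow a directory of rawlog-style files and return whatever bytes were
appended to any file since the last poll.  Standard library only.

Added example; not Dovecot code.  File names in demo() are constructed.
"""
import glob
import os
import tempfile


class RawlogFollower:
    """Per-file read offsets for a directory whose file names are unknown in
    advance (one request file and one response file appear per connection)."""

    def __init__(self, directory, pattern="*", skip_existing=False):
        self.directory = directory
        self.pattern = pattern            # e.g. "*.in" to follow only client requests
        self.skip_existing = skip_existing  # start at EOF of files present at first poll
        self.offsets = {}                 # path -> bytes already handed out
        self._first_poll = True

    def poll(self):
        """Scan once; return [(filename, new_bytes), ...] sorted by file name.
        Files that appear after the first poll are always read from offset 0."""
        chunks = []
        for path in sorted(glob.glob(os.path.join(self.directory, self.pattern))):
            if not os.path.isfile(path):
                continue
            size = os.path.getsize(path)
            if path not in self.offsets:
                self.offsets[path] = size if (self.skip_existing and self._first_poll) else 0
            elif size < self.offsets[path]:
                # File was truncated or replaced under us: restart instead of
                # seeking past EOF and silently returning nothing forever.
                self.offsets[path] = 0
            with open(path, "rb") as fh:
                fh.seek(self.offsets[path])
                data = fh.read()           # raw bytes: IMAP literals may be binary
            if data:
                self.offsets[path] += len(data)
                chunks.append((os.path.basename(path), data))
        self._first_poll = False
        return chunks

    def forget(self, filename):
        """Drop bookkeeping for a finished connection's file."""
        self.offsets.pop(os.path.join(self.directory, filename), None)


def demo():
    """Simulate files appearing and growing in a temp dir (constructed data,
    not a real session) and return the successive poll() results."""
    with tempfile.TemporaryDirectory() as d:
        follower = RawlogFollower(d)
        results = [follower.poll()]                        # empty dir -> []
        req = os.path.join(d, "20220728-152816-1234.in")   # constructed name
        with open(req, "wb") as fh:
            fh.write(b"a001 CAPABILITY\r\n")
        results.append(follower.poll())                    # first chunk of .in
        with open(req, "ab") as fh:
            fh.write(b"a002 SELECT INBOX\r\n")
        resp = os.path.join(d, "20220728-152816-1234.out")
        with open(resp, "wb") as fh:
            fh.write(b"* OK Dovecot ready.\r\n")
        results.append(follower.poll())                    # appended .in + new .out
        results.append(follower.poll())                    # nothing new -> []
        return results


if __name__ == "__main__":
    for i, chunks in enumerate(demo()):
        print("poll", i, chunks)
```

Each poll() result is a batch that can be posted to an HTTP endpoint as a unit, which gives the "batch several requests and responses" behaviour asked for later in the thread; the caller decides the poll interval (a few seconds is the delay tolerance mentioned) and calls forget() once a connection's files are known to be closed.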
Re: RHEL9 Latest Repo?
> On 07/27/2022 12:55 PM MDT dove...@ptld.com wrote: > > Any plans or timeline for when there will be a latest repo for RHEL9? There are no plans to provide RHEL9 packages in Dovecot CE 2.3.x. RHEL9 packages will likely be provided for 2.4. (Before it is asked, there is no timeline for 2.4 release.) michael
Re: test-crypto.c - Assert failed
> On 07/27/2022 12:50 AM MDT Tamsy wrote: > > On a new standard Ubuntu 22.04 LTS installation Dovecot's "configure && > make" runs through but "make check" fails. > > Is dovecot-2.3.19.1 not yet compatible with openSSL 3.0.2 (openssl > 3.0.2-0ubuntu1.6) or is this just happening here? As has been discussed on this list previously, Dovecot 2.3.x is not (yet) fully compatible with openSSL 3. michael
Re: large search indexer tasks, submitted to flatcurve+tika+tesseract backend for attachment scanning, timeout even with "fts_index_timeout = 0"; how to increase/remove timeouts?
> On 07/23/2022 8:25 AM MDT PGNet Dev wrote:
>
> i'm running dovecot 2.3.19.1
[snip]
> when i exec large reindex jobs, i get occasional timeout errors on dovecot's
> indexer-worker connection to tika backend, e.g.,
>
> 2022-07-23 09:54:43 > indexer-worker(postmas...@example.com): Error:
> fts_tika: PUT http://127.0.0.1:9998/tika/ failed: Request timed out (Request
> queued 61.031 secs ago, 1 send attempts in 60.103 secs, 60.080 in http
> ioloop, 0.000 in other ioloops, connected 60.103 secs ago)
> 2022-07-23 09:54:43 > indexer-worker(postmas...@example.com): Error:
> Mailbox Sent: Precache for UID=90782 failed: Internal error occurred. Refer
> to server log for more information. [2022-07-23 09:54:43] (attempted to index
> 2 messages between UIDs 90778..90782)
>
> i don't see any fts timeout info @
>
> https://wiki.dovecot.org/Timeouts
>
> here
>
> https://doc.dovecot.org/settings/plugin/fts-plugin/#plugin_setting-fts-fts_index_timeout
>
> "
> fts_index_timeout
>
> Default: 0
>
> Values: Unsigned integer
>
> When the full text search backend detects that the index
> isn't up-to-date, the indexer is told to index the messages and is given this
> much time to do so. If this time limit is reached, an error is returned,
> indicating that the search timed out during waiting for the indexing to
> complete: NO [INUSE] Timeout while waiting for indexing to finish
>
> A value of 0 means no timeout.
> "
[snip]
> where do I set that timeout to not fail, as above, on large index tasks?

You need to change the source, as Tika has a hardcoded 60 second HTTP request limit.

https://github.com/dovecot/core/blob/release-2.3.19/src/plugins/fts/fts-parser-tika.c#L76

michael
Re: Is multi factor authentication practical/feasible?
On 2022-07-14 10:12, Michael Slusarz wrote:

On 07/07/2022 5:24 AM Aki Tuomi wrote:

FWIW I think OAuth2 is the modern way to do actually MFA authentication. There is some progress in Mozilla world (and hopefully other mail clients) to allow OAuth2 to work outside the "big three" circle. Mostly this is *client development issue*, the server-side already mostly supports all the bits you need to roll your own MFA with OAuth2 using off the shelf components. No need to pay microsoft or google.

Alternate to OAuth2, which works pretty well today, is to use device passwords.

A bit late to the game, but wanted to expand a bit on Aki's comments.

It's good that this topic is being discussed. We've long felt that email authentication (and, related, client auto-configuration) is one of the biggest weaknesses of email as compared to more "modern" messaging technologies. However, discussions around this topic tend to get sidetracked as everyone wants to try to design their own technical solutions.

However, all the necessary technologies exist and are standardized. Token auth is handled by OAuth2. MFA, and more generally authentication UI, is handled by OpenID Connect. At the mail protocol levels, token auth is handled by SASL. Additionally, SASL supports auto-discovery of authentication providers so there is no need to "hard-code" OAuth2 providers (the unfortunate way that some clients are currently handling OAuth2).

Dovecot supports all of these technologies already, so there's nothing left to do on the server side. (Side note: client auto-configuration is also already fully supported using existing technologies as well.) Instead, the issue is chicken/egg - all of this is worthless until clients/providers start implementing this. That's where the focus of efforts needs to be, not in trying to determine which technologies to use.

Admittedly, this not insignificant paradigm shift can be a bit confusing technically. It's been a long-standing TODO to create some kind of implementation guide to help server/client/auth providers to understand what they need to do to create this new "modern email authentication" ecosystem. This is a classic example of a situation where necessary standards exist, but the education about these standards is lacking AND there remain open questions about how those standards should interact with each other in real-world scenarios. Dynamic client registration in OpenID Connect, in particular, is a key component to make this work but is somewhat under-documented and lesser known, so it will take community involvement, and likely trial and error, to determine best practices.

TL;DR from a Dovecot perspective: we feel we have all the necessary components needed to enable "modern email auth" in the current product, so we don't see any additional engineering efforts needed in Dovecot. We instead are focusing our attention in building and supporting a broader community of client authors and authentication providers to push for implementation in order to accomplish the goal.

michael

p.s. As mentioned by Aki, app-specific/device passwords are a perfectly acceptable solution, although a bit of an end-user usability nightmare. It's a hack to improve security today, but not a proper long-term answer.

Thanks for weighing in Michael, .. but if you wish to enable developers and innovation, you do need to foster the ability for other parties to use plugins, advertise other methods, etc.. there are still many that feel oAuth might not be the right approach, and while anyone can be an oAuth provider, that this might centralize..

As it is, we already see in North America the insurance companies' wording for '2FA' requirement check boxes sounds a lot like 'Are you using o356?'. I believe Dovecot can be a leader, in ensuring that the future doesn't just consist of a few central players..

You might 'feel' that you have all the necessary components, but of course that does come from a business perspective, and it doesn't allow for new, novel, or innovative ways that 3rd parties are coming up with every day. (and in the case that we are working with, there are already several clients and servers that support it)

Dovecot I personally believe, given its over 70% market share, does have a responsibility to remain open and collaborative, otherwise it risks being perceived as rigid as some of the big commercial proprietary products. By 'deciding' for the world what is sufficient for 'modern email auth', this is limiting.. IMHO

To quote that old Linus Torvalds saying.. "Let a thousand flowers bloom.." No one has to agree on everything, or approaches.. but enable them to get out into the real world, and amazing things may happen..

Have a great weekend everyone.. get out in the sun..

-- "Catch the Magic of Linux..." ------
Re: Is multi factor authentication practical/feasible?
> On 07/07/2022 5:24 AM Aki Tuomi wrote:
>
> FWIW I think OAuth2 is the modern way to do actually MFA authentication.
> There is some progress in Mozilla world (and hopefully other mail clients) to
> allow OAuth2 to work outside the "big three" circle. Mostly this is *client
> development issue*, the server-side already mostly supports all the bits you
> need to roll your own MFA with OAuth2 using off the shelf components. No need
> to pay microsoft or google.
>
> Alternate to OAuth2, which works pretty well today, is to use device
> passwords.

A bit late to the game, but wanted to expand a bit on Aki's comments.

It's good that this topic is being discussed. We've long felt that email authentication (and, related, client auto-configuration) is one of the biggest weaknesses of email as compared to more "modern" messaging technologies. However, discussions around this topic tend to get sidetracked as everyone wants to try to design their own technical solutions.

However, all the necessary technologies exist and are standardized. Token auth is handled by OAuth2. MFA, and more generally authentication UI, is handled by OpenID Connect. At the mail protocol levels, token auth is handled by SASL. Additionally, SASL supports auto-discovery of authentication providers so there is no need to "hard-code" OAuth2 providers (the unfortunate way that some clients are currently handling OAuth2).

Dovecot supports all of these technologies already, so there's nothing left to do on the server side. (Side note: client auto-configuration is also already fully supported using existing technologies as well.) Instead, the issue is chicken/egg - all of this is worthless until clients/providers start implementing this. That's where the focus of efforts needs to be, not in trying to determine which technologies to use.

Admittedly, this not insignificant paradigm shift can be a bit confusing technically. It's been a long-standing TODO to create some kind of implementation guide to help server/client/auth providers to understand what they need to do to create this new "modern email authentication" ecosystem. This is a classic example of a situation where necessary standards exist, but the education about these standards is lacking AND there remain open questions about how those standards should interact with each other in real-world scenarios. Dynamic client registration in OpenID Connect, in particular, is a key component to make this work but is somewhat under-documented and lesser known, so it will take community involvement, and likely trial and error, to determine best practices.

TL;DR from a Dovecot perspective: we feel we have all the necessary components needed to enable "modern email auth" in the current product, so we don't see any additional engineering efforts needed in Dovecot. We instead are focusing our attention in building and supporting a broader community of client authors and authentication providers to push for implementation in order to accomplish the goal.

michael

p.s. As mentioned by Aki, app-specific/device passwords are a perfectly acceptable solution, although a bit of an end-user usability nightmare. It's a hack to improve security today, but not a proper long-term answer.
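The "token auth is handled by SASL" and "auto-discovery of authentication providers" points above refer to the OAUTHBEARER mechanism of RFC 7628: the client sends a GS2 header plus host/port/auth pairs, and on failure the server answers with a JSON document whose openid-configuration member tells the client where the provider's OpenID Connect discovery document lives, so nothing has to be hard-coded. The following is an added example, not Dovecot code or anything from the post: function names, the sample identity, host and token are constructed.

```python
"""Build and parse the SASL OAUTHBEARER messages of RFC 7628.

Added example; not Dovecot's implementation.  The token and endpoint values
used in the docstrings and tests are constructed placeholders.
"""
import base64
import json

SEP = "\x01"  # the ^A (0x01) separator OAUTHBEARER uses between fields


def oauthbearer_initial_response(authzid, host, port, token):
    """Client -> server initial response (RFC 7628 section 3.1), before the
    base64 encoding that IMAP/SMTP AUTHENTICATE applies on the wire.
    'n,' = no channel binding; 'a=' carries the authorization identity."""
    gs2_header = f"n,a={authzid},"
    kv_pairs = f"host={host}{SEP}port={port}{SEP}auth=Bearer {token}{SEP}"
    return gs2_header + SEP + kv_pairs + SEP


def parse_initial_response(msg):
    """Server side: validate the framing and extract authzid/host/port/token.
    Raises ValueError on malformed input so the caller can fail the exchange."""
    if not msg.endswith(SEP + SEP):
        raise ValueError("missing terminating ^A^A")
    gs2_header, rest = msg.split(SEP, 1)
    fields = gs2_header.split(",")
    if fields[0] != "n":
        raise ValueError("channel binding requested but not supported here")
    result = {"authzid": None, "host": None, "port": None, "token": None}
    for field in fields[1:]:
        if field.startswith("a="):
            result["authzid"] = field[2:]
    for pair in rest[:-2].split(SEP):       # drop the two trailing ^A first
        key, _, value = pair.partition("=")
        if key == "host":
            result["host"] = value
        elif key == "port":
            result["port"] = int(value)
        elif key == "auth":
            scheme, _, token = value.partition(" ")
            if scheme.lower() != "bearer" or not token:
                raise ValueError("only Bearer tokens are accepted")
            result["token"] = token
    if result["token"] is None:
        raise ValueError("auth= pair missing")
    return result


def oauthbearer_failure(status, scope, openid_configuration):
    """Server -> client failure message (RFC 7628 section 3.2.2): base64 JSON.
    The openid-configuration URL is the discovery hook: the client can fetch it,
    learn the provider's endpoints and register or obtain a token, then retry.
    The client acknowledges with a single ^A and the server then fails the SASL
    exchange."""
    body = {"status": status, "scope": scope,
            "openid-configuration": openid_configuration}
    return base64.b64encode(json.dumps(body).encode()).decode()


def parse_failure(b64):
    """Client side: decode the server's failure JSON."""
    return json.loads(base64.b64decode(b64).decode())


def to_wire(msg):
    """Encode one SASL message as the base64 line used by AUTHENTICATE."""
    return base64.b64encode(msg.encode()).decode()


if __name__ == "__main__":
    first = oauthbearer_initial_response("user@example.com", "imap.example.net", 143, "tok")
    print("client:", to_wire(first))
    print("server sees:", parse_initial_response(first))
    fail = oauthbearer_failure("invalid_token", "email",
                               "https://idp.example/.well-known/openid-configuration")
    print("client learns:", parse_failure(fail)["openid-configuration"])
```

A server-side implementation would validate the bearer token against the provider (introspection or local JWT verification) between parse_initial_response and the success or failure reply; that step is provider-specific and is deliberately left out here.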
Re: Is multi factor authentication practical/feasible?
On 2022-07-06 10:17, gene heskett wrote:

As far as I can see from what I tested today (mainly switching my Thunderbird from "Normal Password" to "OAuth"), Clients effectively *have* to be "also a browser" (rendering the HTML for O365's login prompts, accepting and sending user input, storing the OAuth token as a HTTP cookie) to be able to do that. SMTP remains exempt from the requirement for now, on the theory that printers and the like may want to use it, and not be up to implementing the new stuff. (Otherwise, MS' position can be summarized as "our clients work great, Thunderbird succeeded in implementing it, if your client doesn't, go nag the vendor".)

And one more time we have allowed a sworn enemy to set the standard, shame on us.

Getting a little off topic, but yes.. I believe Dovecot also sees the threat for all its users, if authentication processes are forced in a direction that only favours the big three. Which is why I hope it gets more open with allowing 3rd parties to contribute to Dovecot as plugins, that support other methods of 2FA..

Sworn Enemy? Not if you have shares in your 401k/RRSP they aren't. These are smart business moves to consolidate the market for them, which in turn means stock prices go up. But it will be a terrible world, if interoperability between independent email providers, and the big three are threatened, or if they are forced to 'drink the koolaid'.

But it is nice to see products like Thunderbird and others supporting alternative means of 2FA, just like to see Dovecot support them as well natively, or through plugins.

Just my two bits..

-- "Catch the Magic of Linux..." -------- Michael Peddemors, President/CEO LinuxMagic Inc. Visit us at http://www.linuxmagic.com @linuxmagic A Wizard IT Company - For More Info http://www.wizard.ca "LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
604-682-0300 Beautiful British Columbia, Canada This email and any electronic data contained are confidential and intended solely for the use of the individual or entity to which they are addressed. Please note that any views or opinions presented in this email are solely those of the author and are not intended to represent those of the company.
Re: Is multi factor authentication practical/feasible?
It IS possible to use 2FA on Dovecot, but it would be better if Dovecot supported options by Plugins to control what supported 2FA options are supported in the CAPABILITIES string. (Ongoing problem getting more power in the hands of 3rd party plugins for Dovecot, politics.. )

HOWEVER, there are many ways if you 'roll your own' dovecot, eg can apply patches to the build process. We do this.

Having said that, yes.. especially in North America this push by insurance agents for 2FA, is driven by the RansomWare problems, and gives an insurance company a way out.. The only problem is, having looked at several of these insurance companies' forms, it is almost as if an o365 sales person wrote the requirements. And even IF you apply a 2FA, (eg a 2nd factor) you might find that the insurance documents will not accept anything other than what their legal department defined as 2FA..

The biggest problem, is not the use of 2FA, it is making 2FA transparent and simple enough for end users to adopt. End users don't want to mess with a second factor they have to add, or a hardware dongle, or giving their cell # out.. And the industry has to come together, otherwise you will quickly find out insurance companies ONLY accept 2FA from one or two closed source companies..

Which is why once again, I wish that Dovecot would take a leadership role in this, and allow more 3rd party plugins to be available to address this business need.

(Oh, on the side, there ARE some ways you can actually do 2FA transparently, but of course the email client has to understand it. But while you can do 'tricks' even in IMAP for 2FA, we need to think that the same method should work for ALL communication channels which utilize the same credentials, eg IMAP/SMTP/POP, even other things like caldav/carddav etc)

-- Michael --

On 2022-06-27 07:53, justina colmena ~biz wrote:

I don't see why not.
Dovecot and Postfix are entirely configurable to connect to and use any desired authentication mechanism through certain basic interfaces. The main problem I have experienced with MFA is a continual battle with extortion, "long cons," and thievery in law -- that the thieves are able to obtain one of the necessary factors for authentication -- a dongle or cell phone app or access to a cell phone number, or surveillance intelligence on calls or texts, whatnot -- whether by force or deception -- and then deny the targeted individual access to his or her own account. Later on, after the victim has given up, the thieves are able to obtain the other factors for authentication, and then proceed to social-engineer a false account recovery using the victim's stolen I.D. -- and then they often as not falsely report the victim to gullible or complicit police forces as the thief. If the victim cannot be successfully accused of theft in court, the "thieves in law" at work with inside help in government and law enforcement communities are able to cast identity theft as a mental illness akin to dissociative identity disorder -- to which the government offers nothing but a mental health "recovery" plan which does not include any actual recovery of the stolen assets in a person's name. * https://www.identitytheft.gov/ * https://www.robodeidentidad.gov/ Casting identity theft as a mental health issue further enables thieves to take control of a victim's finances by possibly being appointed as guardians or payees in court. For the same reasons of legalized theft, extortion, and wrongful appropriation through state, local, military and federal court systems, individuals with similar names to known criminals are not allowed to hold significant assets in their names or possess firearms or obtain employment in sensitive positions in the United States. 
* https://en.wikipedia.org/wiki/Thief_in_law

On Sunday, June 26, 2022 2:52:05 PM AKDT, Steve Dondley wrote:

I have a small client whose insurance company insists they have MFA for their email to be covered under some kind of data protection policy. Currently I have the client set up on a Debian box for the email server coupled with roundcube for webmail. Most of the users just use roundcube but some also use their mobile devices to check email. Maybe one person uses outlook. There’s about 5 to 10 users total. I know roundcube offers a MFA plugin. But I don’t have the foggiest idea how an iPhone, Android device, or Outlook could all be set up to work with MFA with a standard dovecot/postfix setup. Are there any practical solutions for easily implementing MFA that could work across multiple devices?

-- "Catch the Magic of Linux..." ----
Re: enable/control fts-tika debug logging in Dovecot 2.3.18 + Tika Server 2.4.0?
> On 05/23/2022 5:27 PM PGNet Dev wrote: > > how to correctly turn on debug/verbose logging for fts-tika use in/by dovecot? mail_debug = yes This turns on HTTP debugging for the outgoing Tika requests. Unfortunately, Tika has not yet been converted to events/categories with the ability to more granularly enable debugging just for this component. It's probably easier to just look at tika's debugging logs. The default log level (at least in Tika 2.3) will output an INFO line for every attachment indexed: INFO [qtp235162442-22] 16:15:19,905 org.apache.tika.server.core.resource.TikaResource /tika (text/calendar) michael
Re: Dovecot and RFC6856
> On 05/17/2022 6:00 AM Tan Mientras wrote: > > Does dovecot also implement RFC8656? Will the same happen if we migrate to > dovecot? Any plans for future adoption of that RFC? > EAI/UTF-8 support (RFC 6530 is the better, generalized document to point at) has been on the TODO list for a long time for Dovecot. It simply has not yet risen to be a priority over other things we are working on. michael
Re: [EXT] Re: Dovecot v2.3.19 released
11.05.2022 08:15, Aki Tuomi wrote:
> On 11/05/2022 08:12 A. Schulze wrote:
>> On 11.05.22 at 06:52, Aki Tuomi wrote:
>>> What ssl library are you using?
>> It's what Debian provides: https://packages.debian.org/bullseye/libssl1.1
>> Andreas
>
> You are using something like `libssl-dv` instead of libssl, hence me asking. It does not appear to be using the stock libssl.

Google has just one relevant hint for openssl-dv. And guess who this person is? :)

https://www.mail-archive.com/search?l=openldap-...@openldap.org=subject:%22Re%5C%3A+%5C%28ITS%238533%5C%29+Support+OpenSSL%5C-1.1.0c%22=newest=1

Thanks,
/mjt
Re: JMAP Support Status
> On 04/14/2022 11:31 AM Benny Pedersen wrote:
>
> On 2022-04-14 19:11, Michael Slusarz wrote:
>> On 04/13/2022 2:24 AM David Klingenberg wrote:
>>> has there been any development on JMAP support in Dovecot?
>>
>> JMAP is not currently being developed.
>
> oh :)
>
> cyrus-imapd have it

The cyrus developers created JMAP, so that makes sense.

michael
Re: JMAP Support Status
> On 04/13/2022 2:24 AM David Klingenberg wrote:
>
> has there been any development on JMAP support in Dovecot?

JMAP is not currently being developed.

michael
Re: resend whole inbox to user
> On 04/06/2022 1:29 PM Marc wrote:
>
> I was wondering if there is some way to force an imap client to 're-download'
> all the messages from the inbox. I can remember in the 'old days' that when
> the connection was dropped during a pop download, the whole inbox was
> re-downloaded, resulting in quite a lot of duplicates. I am looking for such
> action.

You can change the UIDVALIDITY of the mailbox. This invalidates the client cache which would cause a (well-behaving) client to rebuild that mailbox from current server state.

https://datatracker.ietf.org/doc/html/rfc3501#section-2.3.1.1

michael
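The client-side half of what the reply describes, as an added example that is not code from the post or from Dovecot: a cache keyed by UIDVALIDITY that is thrown away when a SELECT response reports a different value, as RFC 3501 section 2.3.1.1 requires. The SELECT responses are constructed sample lines, not captured traffic.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

UIDVALIDITY_RE = re.compile(r"^\* OK \[UIDVALIDITY (\d+)\]")


@dataclass
class MailboxCache:
    """Client-side cache keyed by UIDVALIDITY (RFC 3501 section 2.3.1.1)."""
    uidvalidity: Optional[int] = None
    messages: Dict[int, str] = field(default_factory=dict)  # UID -> cached subject


def parse_uidvalidity(select_response: List[str]) -> int:
    """Extract UIDVALIDITY from the untagged lines of a SELECT response."""
    for line in select_response:
        m = UIDVALIDITY_RE.match(line)
        if m:
            return int(m.group(1))
    raise ValueError("SELECT response carried no UIDVALIDITY")


def reconcile(cache: MailboxCache, select_response: List[str]) -> bool:
    """Apply a SELECT response to the cache; True if the cache was discarded."""
    new_validity = parse_uidvalidity(select_response)
    if cache.uidvalidity is not None and cache.uidvalidity != new_validity:
        # UIDVALIDITY changed: cached UIDs no longer identify the same messages,
        # so a well-behaved client drops everything and resyncs from the server.
        cache.messages.clear()
        cache.uidvalidity = new_validity
        return True
    cache.uidvalidity = new_validity
    return False


# Constructed SELECT responses (not captured traffic); the second one plays the
# role of the server after the admin bumped the mailbox's UIDVALIDITY.
SELECT_BEFORE = ["* 2 EXISTS", "* OK [UIDVALIDITY 1649260000] UIDs valid",
                 "a1 OK [READ-WRITE] SELECT completed"]
SELECT_AFTER = ["* 2 EXISTS", "* OK [UIDVALIDITY 1649260001] UIDs valid",
                "a2 OK [READ-WRITE] SELECT completed"]


def demo() -> Tuple[bool, bool, int]:
    cache = MailboxCache()
    first = reconcile(cache, SELECT_BEFORE)           # fresh cache, nothing to drop
    cache.messages.update({1: "hello", 2: "world"})   # pretend two messages synced
    second = reconcile(cache, SELECT_AFTER)           # bumped: cache invalidated
    return first, second, len(cache.messages)


if __name__ == "__main__":
    print(demo())  # (False, True, 0)
```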
Re: resend whole inbox to user
On 2022-04-06 12:29, Marc wrote:
> I was wondering if there is some way to force an imap client to
> 're-download' all the messages from the inbox. I can remember in the 'old
> days' that when the connection was dropped during a pop download, the whole
> inbox was re-downloaded, resulting in quite a lot of duplicates. I am
> looking for such action.

While not a 'dovecot' question... IMAP does NOT download messages in the first place, so there is no such thing as re-download. You simply set the IMAP client to 'synchronize' if you want a copy stored locally.

Eg, in Thunderbird, click on properties, synchronization, Select this folder for offline use, download.

Every email client calls this something else, but the idea is the same. 'Keep local copy' is another common term. Please check the help documentation on the email client of choice.

-- 
Michael Peddemors, President/CEO LinuxMagic Inc.
Re: Duplicate-ish email search?
> On 03/02/2022 12:00 PM @lbutlr wrote:
>
> I'm mulling over writing some code to find emails in a maildir that are
> duplicates, ish. That is to say that sometimes the same message doesn't quite
> show up as an exact match. Like some ad company may send you three identical
> messages, except they aren't actually EXACTLY identical, the message-IDs are
> different, and may the to address quoted part is different, so normal
> duplicate finders fail to find them.
>
> Before I start, is this a solved problem?

Besides the fact that you've pretty much described how modern AV/AS systems work? :)

Joking aside, isn't this what Bayesian classification is essentially doing? Comparing the similarities between text (via tokens) in messages and then using Bayesian probabilities to emphasize certain terms/relationships? Although this requires training and is not comparing any messages directly...

Maybe some form of perceptual hashing (or similar idea) would work? E.g. http://phash.org/

michael
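One way to catch the "identical except Message-ID and quoted To address" case from the question, as an added example that is not code from either poster: drop the per-copy headers, mask addresses, and compare the rest as sets of word 3-grams with Jaccard similarity (a simpler stand-in for the perceptual-hashing idea suggested in the reply). The header set `VOLATILE`, the threshold and the sample messages are constructed assumptions.

```python
import re
from email import message_from_string

# Headers that differ between copies of the same mailing but carry no content
# (constructed list; extend it for your own mail stream).
VOLATILE = {"message-id", "to", "date", "received"}
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")


def normalise(raw: str) -> str:
    """Keep stable headers plus body, mask addresses, fold case and whitespace."""
    msg = message_from_string(raw)
    kept = [f"{k}: {v}" for k, v in msg.items() if k.lower() not in VOLATILE]
    text = "\n".join(kept) + "\n" + msg.get_payload()
    text = ADDR_RE.sub("<addr>", text)  # also hides the personalised address in the body
    return re.sub(r"\s+", " ", text).lower()


def shingles(text: str, k: int = 3) -> set:
    """Set of word k-grams; near-identical texts share almost all of them."""
    toks = re.findall(r"\w+", text)
    return {tuple(toks[i:i + k]) for i in range(len(toks) - k + 1)}


def jaccard(a: set, b: set) -> float:
    union = a | b
    return len(a & b) / len(union) if union else 1.0


def similarity(raw_a: str, raw_b: str) -> float:
    return jaccard(shingles(normalise(raw_a)), shingles(normalise(raw_b)))


def near_duplicate(raw_a: str, raw_b: str, threshold: float = 0.8) -> bool:
    return similarity(raw_a, raw_b) >= threshold


# Constructed sample messages: two copies of one mailing that differ only in
# Message-ID and recipient, plus an unrelated message.
AD_ALICE = ("From: Shop <promo@shop.example>\nTo: alice@example.org\n"
            "Message-ID: <a1@shop.example>\nSubject: Big sale this weekend\n\n"
            "Hi alice@example.org, everything is 20% off until Sunday. Visit our store today.\n")
AD_BOB = AD_ALICE.replace("alice@example.org", "bob@example.org").replace("<a1@", "<b2@")
OTHER = ("From: Team <team@corp.example>\nTo: alice@example.org\n"
         "Message-ID: <m3@corp.example>\nSubject: Meeting notes\n\n"
         "Minutes from Monday are attached, please review the action items by Friday.\n")

if __name__ == "__main__":
    print(similarity(AD_ALICE, AD_BOB), similarity(AD_ALICE, OTHER))  # 1.0 0.0
```

Exact-match tools fail on these two ad copies because Message-ID and the address differ; after normalisation their shingle sets are identical, while the unrelated message shares none.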
Re: Sv: Does disabling POP3 just mean removing it from the protocols list?
On 2022-03-01 4:23 p.m., Sebastian Nielsen wrote:
> By locking access for POP3 by Google IP, you ensure it can only be used
> with the fetch feature of Gmail (which does have account-wise rate-limits
> to prevent password hacking). In this way, you increase security. Of
> course it must be combined with IP restrictions and firewalling for IMAP
> and Auth on 587 as well.

No one commented that ONLY POP3/SSL should be allowed, otherwise Gmail (or any other similar service) could simply expose the passwords over the clear, allowing those credentials to be sniffed.

-- 
Michael Peddemors, President/CEO LinuxMagic Inc.
Re: postfix, dovecot-lda, /run/dovecot/stats-writer socket permission and local user delivery, again
22.02.2022 10:49, Aki Tuomi wrote:
> The most simple fix which usually works is
>
> service stats {
>   unix_listener stats-writer {
>     mode = 0666
>   }
> }

Yes, that obviously works, and this is what I ended up with, for now. My question was more about how it is SUPPOSED to be set up. It is restricted for a reason. For example, it'd be nice to have it chgrp to users, - but postfix does not do initgroups() so this won't work.

And the more interesting question is why sgid dovecot-lda does not work, why it tries to setUID (to wrong value!) when it gets sticky bit?

Thanks,
/mjt